Re: Openrsync -v option

2021-10-20 Thread Antonino Sidoti
Hello,

Many thanks, that is working. 

---
Antonino Sidoti




> On 21 Oct 2021, at 7:39 am, Omar Polo  wrote:
> 
> 
> Antonino Sidoti  writes:
> 
>> Hello,
>> 
>> I am using openrsync to copy some data to a cloud-based share and I am
>> using ‘-trv’ as my switches. I want to pipe out the verbose contents
>> to a file but it will not collect any data and is always zero bytes.
>> 
>> e.g.
>> 
>> openrsync -trv --exclude “myfile” --delete /mydir/ 1234:Test > dump
>> 
>> Is there something wrong with how I am using openrsync? The file ‘dump’ 
>> contains no data.
> 
> the fact that
> 
> $ openrsync ... > dump
> 
> still logs the output to the terminal should be a clue that maybe the
> redirect is wrong.
> 
> openrsync logs on stderr, so you need to redirect that
> 
> $ openrsync ... 2> dump
> 
>> Thanks
>> 
>> ---
>> Antonino Sidoti
> 



Re: Openrsync -v option

2021-10-20 Thread Antonino Sidoti
Hi Jan,

Here is the output in full with no redirection;

fw2$ date
Thu Oct 21 07:29:44 AEDT 2021
fw2$ openrsync -trv tools/ 3175:Test
  
Transfer starting: 17 files
created directory Test
./
mibs/
adblock.sh
geoban.sh
logcheck.sh
mibs/OPENBSD-BASE-MIB.txt
mibs/OPENBSD-CARP-MIB.txt
mibs/OPENBSD-MEM-MIB.txt
mibs/OPENBSD-PF-MIB.txt
mibs/OPENBSD-RELAYD-MIB.txt
mibs/OPENBSD-SENSORS-MIB.txt
mibs/OPENBSD-SNMPD-CONF.txt
orsync-bck.sh
rsync-bck.sh
shodan.sh
ubtype.sh
ubtype.xml
Transfer complete: 316 B sent, 87.0 KB read, 85.8 KB file size
fw2$ 

Thanks 

---
Antonino Sidoti




> On 20 Oct 2021, at 7:04 pm, Jan Stary  wrote:
> 
> On Oct 20 15:25:31, n...@sidoti.id.au wrote:
>> Hello,
>> 
>> I am using openrsync to copy some data to a cloud-based share and I am using 
>> ‘-trv’ as my switches. I want to pipe out the verbose contents to a file but 
>> it will not collect any data and is always zero bytes.
>> 
>> e.g.
>> 
>> openrsync -trv --exclude “myfile” --delete /mydir/ 1234:Test > dump
>> 
>> Is there something wrong with how I am using openrsync? The file ‘dump’ 
>> contains no data.
> 
> That is not the actual command line, is it?
> First show us the actual command line, and openrsync's actual output,
> in full, without the redirection.
> 
>   Jan
> 



Openrsync -v option

2021-10-20 Thread Antonino Sidoti
Hello,

I am using openrsync to copy some data to a cloud-based share and I am using 
‘-trv’ as my switches. I want to pipe out the verbose contents to a file but it 
will not collect any data and is always zero bytes.

e.g.

openrsync -trv --exclude “myfile” --delete /mydir/ 1234:Test > dump

Is there something wrong with how I am using openrsync? The file ‘dump’ 
contains no data.

Thanks

---
Antonino Sidoti






Re: Ifconfig error - SIOCSETPFLOW

2021-10-16 Thread Antonino Sidoti
Hi,

I added ‘!dhclient \$if’ to /etc/hostname.em0 and removed ‘dhcp’. It is 
working now with no errors on startup and the interface ‘pflow0’ is now working 
properly.

pf enabled
net.inet.ip.forwarding: 0 -> 1
net.inet6.ip6.forwarding: 0 -> 1
starting network
em0: no linkgot link
em0: no lease.got lease
em0: 122.199.32.172 lease accepted from 116.255.18.1 (3c:fd:fe:bd:95:13)
reordering libraries: done.
starting early daemons: syslogd pflogd unbound ntpd.
starting RPC daemons:.
savecore: no core dump
checking quotas: done.
clearing /tmp
kern.securelevel: 0 -> 1
creating runtime link editor directory cache.
preserving editor files.
starting network daemons: sshd snmpd dhcpd rad smtpd.
starting package daemons: dhcpcd.
starting local daemons: cron.
Sun Oct 17 12:24:00 AEDT 2021


Many thanks for your help

Antonino Sidoti




> On 17 Oct 2021, at 1:12 am, Brian Brombacher  wrote:
> 
> 
> 
>> On Oct 15, 2021, at 10:56 PM, Antonino Sidoti  wrote:
>> 
>> Hi,
>> 
>> Yes, on my em0 interface I am using ‘dhcp’ and this is the source IP for 
>> pflow. The setup is a basic firewall as described in the PF example 
>> firewall. 
>> 
>> Interface em0 = external using dhcp (static IP assigned by carrier)
>> Interface em1 = internal with static IP (LAN using 10.0.x.x/24)
>> 
>> Output from /etc/hostname.pflow0 (Not real IPs)
>> flowdst 203.0.113.1:3001 flowsrc 198.51.100.1
>> pflowproto 10
>> 
>> Thanks
>> 
>> Antonino Sidoti
>> 
>> 
> 
> Thanks for the details.  A recent change in 7.0 introduced a change in 
> behavior for DHCP configured interfaces.  The IP could be assigned after 
> other interfaces are configured.  You may need to assign the static IP in 
> hostname.em0 before the dhcp line, or run dhclient directly from hostname.em0 
> and avoid using “dhcp” in there.
> 
>> 
>>>> On 16 Oct 2021, at 10:39 am, Brian Brombacher  wrote:
>>>> 
>>>> 
>>>> 
>>>>> On Oct 15, 2021, at 7:09 PM, Antonino Sidoti  wrote:
>>>> 
>>>> Hi,
>>>> 
>>>> I am getting this error since upgrading to v7.0;
>>>> 
>>>> pf enabled
>>>> net.inet.ip.forwarding: 0 -> 1
>>>> net.inet6.ip6.forwarding: 0 -> 1
>>>> starting network
>>>> 
>>>> ifconfig: SIOCSETPFLOW: Can't assign requested address
>>>> ifconfig: SIOCSETPFLOW: Can't assign requested address
>>>> 
>>>> reordering libraries: done.
>>>> starting early daemons: syslogd pflogd unbound ntpd.
>>>> starting RPC daemons:.
>>>> savecore: no core dump
>>>> checking quotas: done.
>>>> clearing /tmp
>>>> kern.securelevel: 0 -> 1
>>>> creating runtime link editor directory cache.
>>>> preserving editor files.
>>>> starting network daemons: sshd snmpd dhcpd rad smtpd.
>>>> starting package daemons: dhcpcd.
>>>> starting local daemons: cron.
>>>> Sat Oct 16 08:06:39 AEDT 2021
>>>> 
>>>> I am assuming it is related to the interface ‘pflow0’ which was working 
>>>> fine in version 6.9. The /etc/hostname.pflow0 is exactly the same as the 
>>>> examples in the man pages, except that the source and destination IP 
>>>> addresses are different.
>>>> 
>>>> Many thanks
>>>> 
>>>> Antonino Sidoti
>>>> 
>>>> 
>>>> 
>>> 
>>> Are you using DHCP to configure the interface the source IP is on?  Provide 
>>> some more details of the network setup.



Re: Ifconfig error - SIOCSETPFLOW

2021-10-16 Thread Antonino Sidoti
Hi,

Yes, on my em0 interface I am using ‘dhcp’ and this is the source IP for pflow. 
The setup is a basic firewall as described in the PF example firewall. 

Interface em0 = external using dhcp (static IP assigned by carrier)
Interface em1 = internal with static IP (LAN using 10.0.x.x/24)

Output from /etc/hostname.pflow0 (Not real IPs)
flowdst 203.0.113.1:3001 flowsrc 198.51.100.1
pflowproto 10

Thanks

Antonino Sidoti




> On 16 Oct 2021, at 10:39 am, Brian Brombacher  wrote:
> 
> 
> 
>> On Oct 15, 2021, at 7:09 PM, Antonino Sidoti  wrote:
>> 
>> Hi,
>> 
>> I am getting this error since upgrading to v7.0;
>> 
>> pf enabled
>> net.inet.ip.forwarding: 0 -> 1
>> net.inet6.ip6.forwarding: 0 -> 1
>> starting network
>> 
>> ifconfig: SIOCSETPFLOW: Can't assign requested address
>> ifconfig: SIOCSETPFLOW: Can't assign requested address
>> 
>> reordering libraries: done.
>> starting early daemons: syslogd pflogd unbound ntpd.
>> starting RPC daemons:.
>> savecore: no core dump
>> checking quotas: done.
>> clearing /tmp
>> kern.securelevel: 0 -> 1
>> creating runtime link editor directory cache.
>> preserving editor files.
>> starting network daemons: sshd snmpd dhcpd rad smtpd.
>> starting package daemons: dhcpcd.
>> starting local daemons: cron.
>> Sat Oct 16 08:06:39 AEDT 2021
>> 
>> I am assuming it is related to the interface ‘pflow0’ which was working fine 
>> in version 6.9. The /etc/hostname.pflow0 is exactly the same as the examples 
>> in the man pages, except that the source and destination IP addresses are 
>> different.
>> 
>> Many thanks
>> 
>> Antonino Sidoti
>> 
>> 
>> 
> 
> Are you using DHCP to configure the interface the source IP is on?  Provide 
> some more details of the network setup.



Ifconfig error - SIOCSETPFLOW

2021-10-15 Thread Antonino Sidoti
Hi,

I am getting this error since upgrading to v7.0;

pf enabled
net.inet.ip.forwarding: 0 -> 1
net.inet6.ip6.forwarding: 0 -> 1
starting network

ifconfig: SIOCSETPFLOW: Can't assign requested address
ifconfig: SIOCSETPFLOW: Can't assign requested address

reordering libraries: done.
starting early daemons: syslogd pflogd unbound ntpd.
starting RPC daemons:.
savecore: no core dump
checking quotas: done.
clearing /tmp
kern.securelevel: 0 -> 1
creating runtime link editor directory cache.
preserving editor files.
starting network daemons: sshd snmpd dhcpd rad smtpd.
starting package daemons: dhcpcd.
starting local daemons: cron.
Sat Oct 16 08:06:39 AEDT 2021

I am assuming it is related to the interface ‘pflow0’ which was working fine in 
version 6.9. The /etc/hostname.pflow0 is exactly the same as the examples in 
the man pages, except that the source and destination IP addresses are different.

Many thanks

Antonino Sidoti






Re: 6.9 + 001: uvm_fault

2021-05-16 Thread Antonino Sidoti
Hi,

I also have this issue on a fresh install of 6.9 amd64. I reported it as a bug 
last week to the “bugs” mailing list with all appropriate information. I can 
confirm that plugging in a monitor will allow my system to boot. I did not have 
the 001 patch installed.


Antonino Sidoti



> On 16 May 2021, at 8:35 pm, Jonathan Gray  wrote:
> 
> On Sun, May 16, 2021 at 12:10:33PM +0200, Harald Dunkel wrote:
>> And another attempt, see attachment.
>> 
>> Seems I have to power cycle to make it boot.
> 
> There have been a few reports of this in the last few weeks.
> An initial workaround patch is in
> https://marc.info/?l=openbsd-bugs=162012367130138=2
> 
> If you can plug in a display does this still occur afterwards?
> 
>> 
>> 
>> Regards
>> Harri
> 
>> OpenBSD/amd64 (redgatea.red.aixigo.de) (tty00)
>> 
>> login: root
>> Password:
>> Last login: Sun May 16 11:45:27 on ttyp0 from 2a00:fe0:30:60::7a
>> OpenBSD 6.8 (GENERIC.MP) #5: Mon Feb 22 04:36:10 MST 2021
>> 
>> Welcome to OpenBSD: The proactively secure Unix-like operating system.
>> 
>> Please use the sendbug(1) utility to report bugs in the system.
>> Before reporting a bug, please try to reproduce it with the latest
>> version of the code.  With bug reports, please try to ensure that
>> enough information to reproduce the problem is enclosed, and if a
>> known fix for it exists, include that as well.
>> 
>> You have mail.
>> redgatea# sysupgrade
>> Fetching from https://cdn.openbsd.org/pub/OpenBSD/6.9/amd64/
>> SHA256.sig   100% |*|  2144   00:00
>> Signature Verified
>> INSTALL.amd64 100% || 43523   00:00
>> base69.tgz   100% |*|   291 MB00:16
>> bsd  100% |*| 20423 KB00:02
>> bsd.mp   100% |*| 20515 KB00:02
>> bsd.rd   100% |*|  4107 KB00:01
>> comp69.tgz   100% |*| 85958 KB00:06
>> game69.tgz   100% |*|  2741 KB00:00
>> man69.tgz100% |*|  7560 KB00:01
>> xbase69.tgz  100% |*| 29789 KB00:03
>> xfont69.tgz  100% |*| 39342 KB00:04
>> xserv69.tgz  100% |*| 18351 KB00:02
>> xshare69.tgz 100% |*|  4502 KB00:01
>> Verifying sets.
>> Fetching updated firmware.
>> Upgrading.
>> stopping package daemons: dnsmasq zabbix_agentd.
>> syncing disks... done
>> carp: carp0 demoted group carp by 1 to 1 (carpdev)
>> carp: carp0 demoted group external by 1 to 1 (carpdev)
>> carp: carp0 demoted group externalcarp by 1 to 1 (carpdev)
>> carp: carp0 demoted group egress by 1 to 1 (carpdev)
>> carp: carp1 demoted group carp by 1 to 2 (carpdev)
>> carp: carp1 demoted group internal by 1 to 1 (carpdev)
>> carp: carp2 demoted group carp by 1 to 3 (carpdev)
>> carp: carp2 demoted group yellow by 1 to 1 (carpdev)
>> rebooting...
>> OpenBSD/amd64 BOOT 3.52
>> boot> 
>> booting hd0a:/bsd.upgrade: 3818189+1590272+3878376+0+704512 
>> [109+288+28]=0x989530
>> entry point at 0x81001000
>> Copyright (c) 1982, 1986, 1989, 1991, 1993
>>The Regents of the University of California.  All rights reserved.
>> Copyright (c) 1995-2021 OpenBSD. All rights reserved.  
>> https://www.OpenBSD.org
>> 
>> OpenBSD 6.9 (RAMDISK_CD) #456: Mon Apr 19 10:47:37 MDT 2021
>>dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/RAMDISK_CD
>> real mem = 8478871552 (8086MB)
>> avail mem = 8217878528 (7837MB)
>> random: good seed from bootblocks
>> mainbus0 at root
>> bios0 at mainbus0: SMBIOS rev. 3.0 @ 0xecef0 (51 entries)
>> bios0: vendor American Megatrends Inc. version "5.11" date 04/08/2016
>> bios0: Default string Default string
>> acpi0 at bios0: ACPI 5.0
>> acpi0: tables DSDT FACP APIC FPDT FIDT MCFG SSDT SSDT SSDT UEFI LPIT CSRT
>>

Re: Protecting entire LAN subnet with Wireguard

2021-03-22 Thread Antonino Sidoti
Many thanks, I will check out the article.

Antonino Sidoti




> On 22 Mar 2021, at 3:27 pm, Daniel Jakots  wrote:
> 
> On Sun, 21 Mar 2021 23:49:37 -0400, Daniel Jakots  wrote:
> 
>> On Mon, 22 Mar 2021 14:34:00 +1100, Antonino Sidoti
>>  wrote:
>> 
>>> I am confused about how to force all LAN clients in my home network to
>>> use the wireguard tunnel via the local firewall. Do I need to add routes
>>> and, if so, how do I do this on my local firewall if the public IP is
>>> dynamic and the default gateway changes regularly?
>> 
>> To make all the traffic goes through Wireguard®, you can do
>> # route add default -link -iface wg0
>> 
>> Having a dynamic IP at home means that if the IP changes, the server
>> won't be able to initiate the tunnel but AFAIK, that's the only
>> problem.
> 
> After thinking more about it, I see what the problem is.
> 
> So maybe using some rdomains/rtables as described in
> https://codimd.laas.fr/s/NMc3qt5PQ#
> 



Protecting entire LAN subnet with Wireguard

2021-03-22 Thread Antonino Sidoti
Hi,

Is it possible to protect an entire LAN subnet with a Wireguard tunnel? I have 
an OpenBSD server hosted at Vultr with a static public IP and a local home 
firewall (OpenBSD) with wireguard configured. Both the local firewall and the 
server can ping each other through the Wireguard tunnel. 

I am confused about how to force all LAN clients in my home network to use the 
wireguard tunnel via the local firewall. Do I need to add routes and, if so, how 
do I do this on my local firewall if the public IP is dynamic and the default 
gateway changes regularly? 

Server wg0
wg0: flags=80c3 mtu 1420
index 6 priority 0 llprio 3
wgport 51820
wgpubkey some key
wgpeer some key
wgendpoint 1.144.105.149 14051
tx: 178864, rx: 625268
last handshake: 12 seconds ago
wgaip 10.128.1.0/24
groups: wg
inet 10.128.1.1 netmask 0xff00 broadcast 10.128.1.255

Local home Firewall wg0
wg0: flags=80c3 mtu 1420
index 5 priority 0 llprio 3
wgport 6589
wgpubkey some key
wgpeer some key
wgpka 25 (sec)
wgendpoint 192.0.2.1 51820
tx: 218300, rx: 82640
last handshake: 41 seconds ago
wgaip 0.0.0.0/0
groups: wg egress
inet 10.128.1.2 netmask 0xff00 broadcast 10.128.1.255

Route table
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            22.230.51.1        UGS        6     9188     -     8 em0
224/4              127.0.0.1          URS        0        0 32768     8 lo0
10.99.1/24         10.99.1.1          UCn        0       10     -     4 em1
10.99.1.1          00:e0:67:15:e7:83  UHLl       0      949     -     1 em1
10.99.1.255        10.99.1.1          UHb        0       60     -     1 em1
10.128.1/24        10.128.1.2         UCn        1        0     -     4 wg0
10.128.1.1         link#0             UHc        0        9     -     3 wg0
10.128.1.2         wg0                UHl        0      150     -     1 wg0
10.128.1.255       10.128.1.2         UHb        0        0     -     1 wg0
22.230.51/24       22.230.51.123      UCn        1        0     -     4 em0
22.230.51.1        82:63:9c:36:23:a2  UHLch      1     3639     -     3 em0
22.230.51.123      00:e0:67:15:e7:82  UHLl       0     1955     -     1 em0
22.230.51.255      22.230.51.123      UHb        0        0     -     1 em0
127/8              127.0.0.1          UGRS       0        0 32768     8 lo0
127.0.0.1          127.0.0.1          UHhl       2       48 32768     1 lo0

Regards

Antonino Sidoti






Re: IPv6 NDP Confusion with PF enabled

2021-03-08 Thread Antonino Sidoti
Hi,

There is no blocking showing up when I examine pflog0, hence the confusion 
about what is blocking traffic when the firewall is enabled. I find it strange 
that the “ndp” output has two LLAs for the same MAC address. The MAC address of 
the remote device 82:63:9c:36:23:a2 is listed twice. Is that actually correct? 
Only one of those LLAs is reachable with “ping”. 

The WAN link is a 4G link and the ISP only hands out a /64 address and it does 
not do Prefix Delegation. So I am not ruling out that my ISP is doing some 
strange things. When the firewall is disabled I can ping remote IPv6 sites, and 
I get an IPv6 public address. When the firewall is enabled I cannot ping other 
sites and my public IP address is IPv4.

Ndp output with firewall disabled.
Neighbor                                Linklayer Address  Netif Expire    S Flags
2001:8004:1420:194b:c4a9:f2c3:3403:36ed 00:e0:67:15:e7:82  em0   permanent R l
fe80::2e0:67ff:fe15:e782%em0            00:e0:67:15:e7:82  em0   permanent R l
fe80::803a:feff:fe38:a754%em0           82:63:9c:36:23:a2  em0   37s       R R
fe80::e98a:6028:3c19:5fc%em0            82:63:9c:36:23:a2  em0   32s       R R
fe80::2e0:67ff:fe15:e783%em1            00:e0:67:15:e7:83  em1   permanent R l
fe80::1c32:1698:96d9:35fb%em1           38:f9:d3:e0:fa:db  em1   20h53m3s  S

Antonino Sidoti




> On 8 Mar 2021, at 8:11 pm, Stuart Henderson  wrote:
> 
> On 2021-03-08, Antonino Sidoti  wrote:
>> I am confused about how Neighbor Discovery is not working when the firewall 
>> is on.
> 
> Check your blocked packets. You already have "log" on mpst block rules,
> so look at either /var/log/pflog or live with tcpdump -e on the pflog0
> interface.
> 



IPv6 NDP Confusion with PF enabled

2021-03-07 Thread Antonino Sidoti
Hello,

I am confused about how Neighbor Discovery is not working when the firewall is 
on. If I have “pf” disabled, then running ndp -an results in a complete 
discovery:

ndp with firewall disabled (pfctl -d)
Neighbor                                Linklayer Address  Netif Expire    S Flags
2001:8004:1420:194b:c4a9:f2c3:3403:36ed 00:e0:67:15:e7:82  em0   permanent R l
fe80::2e0:67ff:fe15:e782%em0            00:e0:67:15:e7:82  em0   permanent R l
fe80::803a:feff:fe38:a754%em0           82:63:9c:36:23:a2  em0   37s       R R
fe80::e98a:6028:3c19:5fc%em0            82:63:9c:36:23:a2  em0   32s       R R
fe80::2e0:67ff:fe15:e783%em1            00:e0:67:15:e7:83  em1   permanent R l
fe80::1c32:1698:96d9:35fb%em1           38:f9:d3:e0:fa:db  em1   20h53m3s  S

ndp with firewall enabled (pfctl -e), the discovery is incomplete;
Neighbor                                Linklayer Address  Netif Expire    S Flags
2001:8004:1420:194b:c4a9:f2c3:3403:36ed 00:e0:67:15:e7:82  em0   permanent R l
fe80::2e0:67ff:fe15:e782%em0            00:e0:67:15:e7:82  em0   permanent R l
fe80::803a:feff:fe38:a754%em0           82:63:9c:36:23:a2  em0   23h40m37s S R
fe80::e98a:6028:3c19:5fc%em0            (incomplete)       em0   expired   I R
fe80::2e0:67ff:fe15:e783%em1            00:e0:67:15:e7:83  em1   permanent R l
fe80::1c32:1698:96d9:35fb%em1           38:f9:d3:e0:fa:db  em1   20h55m18s S

On interface em0 I am using dhcpcd to get the IPv6 address.
em0: flags=808843 mtu 1500
lladdr 00:e0:67:15:e7:82
index 1 priority 0 llprio 3
groups: egress
media: Ethernet autoselect (1000baseT 
full-duplex,master,rxpause,txpause)
status: active
inet 10.121.101.56 netmask 0xff00 broadcast 10.121.101.255
inet6 fe80::2e0:67ff:fe15:e782%em0 prefixlen 64 scopeid 0x1
inet6 2001:8004:1420:194b:c4a9:f2c3:3403:36ed prefixlen 64 autoconf

I cannot see anything blocking “ndp” in pflog so I am confused as to what is 
going on here. I have attached my firewall configuration:

# Macros
ext_if = "em0"
int_if = "em1"
icmp_types = "{echoreq unreach}"
icmp6_types = "{echoreq unreach toobig routersol routeradv neighbrsol neighbradv}"

# Tables
table  { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 \
169.254.0.0/16 172.16.0.0/12 192.0.0.0/24 \
192.0.2.0/24 192.88.99.0/24 192.168.0.0/16 \
198.18.0.0/15 198.51.100.0/24 203.0.113.0/24 \
224.0.0.0/4 240.0.0.0/4 255.255.255.255/32 }

# Options
set skip on lo 
set block-policy drop
set loginterface egress
set reassemble yes

# Scrub rule
match in all scrub (no-df random-id max-mss 1440)

# NAT Rule
match out on egress inet from !(egress:network) to any nat-to (egress:0)

# Block Unicast reverse path Forwarding
block in quick log from urpf-failed

# Block martians rule
block in quick on egress from  to any
# block return out quick on egress from any to 

# Default block all
block log all

# Allow ipv6 NDP
pass out quick on egress inet6 proto icmp6 from fe80::/10 to any icmp6-type {neighbrsol} keep state
pass out quick on egress inet6 proto icmp6 from fe80::/10 to any icmp6-type {neighbradv} keep state

# Allow icmp6
pass in quick on egress inet6 proto icmp6 all icmp6-type $icmp6_types keep state label "ICMP6-TRAFFIC"

# Allow dhcp6 traffic
pass in quick on egress inet6 proto udp from fe80::/10 port dhcpv6-server to fe80::/10 port dhcpv6-client

# Pass all other traffic out
pass out quick 

# Pass in all traffic on internal network
pass in on { $int_if } 

At present I am interested in getting working IPv6 on interface em0 only, with 
the firewall enabled. Any ideas would be appreciated.

Many thanks

Antonino Sidoti
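The two ndp tables in this thread are easier to compare mechanically than by eye. The following Python is an added example, not code from the thread: it parses ndp -an output (the sample tables are the thread's own, with column spacing restored), reports the entries that went incomplete once pf was enabled, and lists MACs that answer for more than one link-local address, which is the duplicate the 8 Mar follow-up asks about.

```python
"""Compare two `ndp -an` snapshots (pf disabled vs pf enabled).

Added example for this thread, not code from the original posts. The sample
tables are the thread's own ndp output with column spacing restored.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

INCOMPLETE = "(incomplete)"

# ndp -an with pf disabled (pfctl -d), as posted in the thread.
NDP_PF_DISABLED = """\
Neighbor                                Linklayer Address  Netif Expire    S Flags
2001:8004:1420:194b:c4a9:f2c3:3403:36ed 00:e0:67:15:e7:82  em0   permanent R l
fe80::2e0:67ff:fe15:e782%em0            00:e0:67:15:e7:82  em0   permanent R l
fe80::803a:feff:fe38:a754%em0           82:63:9c:36:23:a2  em0   37s       R R
fe80::e98a:6028:3c19:5fc%em0            82:63:9c:36:23:a2  em0   32s       R R
fe80::2e0:67ff:fe15:e783%em1            00:e0:67:15:e7:83  em1   permanent R l
fe80::1c32:1698:96d9:35fb%em1           38:f9:d3:e0:fa:db  em1   20h53m3s  S
"""

# ndp -an with pf enabled (pfctl -e), as posted in the thread.
NDP_PF_ENABLED = """\
Neighbor                                Linklayer Address  Netif Expire    S Flags
2001:8004:1420:194b:c4a9:f2c3:3403:36ed 00:e0:67:15:e7:82  em0   permanent R l
fe80::2e0:67ff:fe15:e782%em0            00:e0:67:15:e7:82  em0   permanent R l
fe80::803a:feff:fe38:a754%em0           82:63:9c:36:23:a2  em0   23h40m37s S R
fe80::e98a:6028:3c19:5fc%em0            (incomplete)       em0   expired   I R
fe80::2e0:67ff:fe15:e783%em1            00:e0:67:15:e7:83  em1   permanent R l
fe80::1c32:1698:96d9:35fb%em1           38:f9:d3:e0:fa:db  em1   20h55m18s S
"""


@dataclass(frozen=True)
class NdpEntry:
    neighbor: str   # IPv6 address; link-locals carry a %ifname scope
    lladdr: str     # MAC address, or "(incomplete)" when never resolved
    netif: str
    expire: str     # "permanent", "expired" or a remaining lifetime
    state: str      # R reachable, S stale, I incomplete, ...
    flags: str      # trailing flags column, may be empty


def parse_ndp(text: str) -> List[NdpEntry]:
    """Parse the whitespace-separated columns of `ndp -an`, skipping the header."""
    entries = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] == "Neighbor":
            continue
        entries.append(NdpEntry(cols[0], cols[1].lower(), cols[2], cols[3],
                                cols[4], " ".join(cols[5:])))
    return entries


def incomplete_entries(entries: List[NdpEntry]) -> List[NdpEntry]:
    """Neighbours whose link-layer address was never resolved, i.e. the
    addresses for which neighbour solicitation got no answer through."""
    return [e for e in entries if e.lladdr == INCOMPLETE]


def shared_lladdr(entries: List[NdpEntry]) -> Dict[str, List[str]]:
    """MACs that answer for more than one IPv6 address.  The host's own
    entries (expire "permanent") are skipped, since every local address
    naturally shares the interface's MAC."""
    by_mac: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        if e.lladdr == INCOMPLETE or e.expire == "permanent":
            continue
        by_mac[e.lladdr].append(e.neighbor)
    return {mac: sorted(n) for mac, n in by_mac.items() if len(n) > 1}


def diff_snapshots(before: List[NdpEntry],
                   after: List[NdpEntry]) -> List[Tuple[str, str, str]]:
    """Neighbours whose resolved MAC changed between two snapshots,
    reported as (neighbor, lladdr_before, lladdr_after)."""
    prev = {e.neighbor: e.lladdr for e in before}
    return [(e.neighbor, prev[e.neighbor], e.lladdr)
            for e in after if e.neighbor in prev and prev[e.neighbor] != e.lladdr]


if __name__ == "__main__":
    before = parse_ndp(NDP_PF_DISABLED)
    after = parse_ndp(NDP_PF_ENABLED)
    for mac, addrs in shared_lladdr(before).items():
        print(f"{mac} answers for {len(addrs)} addresses: {', '.join(addrs)}")
    for neighbor, old, new in diff_snapshots(before, after):
        print(f"{neighbor}: {old} -> {new}")
```

Run against live output (ndp -an captured once with pfctl -d and once with pfctl -e), the changed entry names the neighbour whose solicitation or advertisement to look for in tcpdump on pflog0.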






Re: IPv6 - Using 4G Wan

2021-02-08 Thread Antonino Sidoti
Thank you Stuart. I did actually have ICMP6 allowed in the firewall, though 
turning it off made the IPv6 connection come alive. I will troubleshoot 
firewall further.

Thanks 

Antonino Sidoti



> On 9 Feb 2021, at 9:15 am, Stuart Henderson  wrote:
> 
> On 2021-02-08, Antonino Sidoti  wrote:
>> Hello,
>> 
>> Can anyone confirm if they have a working IPv6 connection with a 4G service? 
>> I cannot get my connection to work with IPv6. Happy to provide more 
>> information if what I have provided below is not enough. I would like to get 
>> a working IPv6 connection with network interface em0 only.
> 
> Your ndp output shows that the MAC address of the gateway has not
> been resolved.
> 
> Try disabling PF (pfctl -d) for a test. If that works then check
> you haven't blocked the ICMPv6 messages needed for address resolution
> (unlike v4 where this is done by ARP which is always permitted, with
> v6 it is done by ICMPv6 neighbour discovery messages).
> 
> 



Re: IPv6 - Using 4G Wan

2021-02-08 Thread Antonino Sidoti
Hello,

Can anyone confirm if they have a working IPv6 connection with a 4G service? I 
cannot get my connection to work with IPv6. Happy to provide more information 
if what I have provided below is not enough. I would like to get a working IPv6 
connection with network interface em0 only.

Thanks,

Antonino Sidoti



> On 4 Feb 2021, at 11:49 am, Antonino Sidoti  wrote:
> 
> Hello,
> 
> I have a 4G Wan Service which is IPv6 enabled. I get an IPv6 address and it 
> will populate the route table automatically, though I am unable to connect to 
> sites using IPv6, "test-ipv6.com" will say I have no IPv6 address. Also, I 
> cannot ping the IPv6 default gateway address or any IPv6 sites, e.g. 
> google.com. I am using “ping6”.
> 
> I know the 4G connection is working as I can connect my MacBook directly to 
> the 4G Modem (configured in Bridge Mode) and my MacBook gets an IPv6 address 
> and I have a working Internet connection with no issues.
> 
> I have provided some information below regarding my setup. I am using openbsd 
> 6.8 (release) with latest patches installed. Any hints will be appreciated.
> 
> /etc/hostname.em0
> dhcp
> inet6 autoconf
> 
> Ifconfig
> ofw$ ifconfig  
> lo0: flags=8049 mtu 32768
>   index 4 priority 0 llprio 3
>   groups: lo
>   inet6 ::1 prefixlen 128
>   inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
>   inet 127.0.0.1 netmask 0xff00
> em0: flags=a08843 
> mtu 1500
>   lladdr 00:e0:67:15:e7:82
>   index 1 priority 0 llprio 3
>   groups: egress
>   media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
>   status: active
>   inet6 fe80::2e0:67ff:fe15:e782%em0 prefixlen 64 scopeid 0x1
>   inet 22.208.0.133 netmask 0xff00 broadcast 22.208.0.255
>   inet6 2001:8004:1420:58d8:72b0:a75d:c8db:22f5 prefixlen 64 autoconf
>   inet6 2001:8004:1420:58d8:7705:d6c3:8775:babe prefixlen 64 autoconf 
> autoconfprivacy pltime 84436 vltime 171336
> em1: flags=8843 mtu 1500
>   lladdr 00:e0:67:15:e7:83
>   index 2 priority 0 llprio 3
>   media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
>   status: active
>   inet 10.99.1.1 netmask 0xff00 broadcast 10.99.1.255
> enc0: flags=0<>
>   index 3 priority 0 llprio 3
>   groups: enc
>   status: active
> pflog0: flags=141 mtu 33136
>   index 5 priority 0 llprio 3
>   groups: pflog
> 
> Ndp output
> ofw$ ndp -a
> Neighbor                                Linklayer Address  Netif Expire    S Flags
> 2001:8004:1420:58d8:72b0:a75d:c8db:22f5 00:e0:67:15:e7:82  em0   permanent R l
> 2001:8004:1420:58d8:7705:d6c3:8775:babe 00:e0:67:15:e7:82  em0   permanent R l
> fe80::2e0:67ff:fe15:e782%em0            00:e0:67:15:e7:82  em0   permanent R l
> fe80::54b0:dcff:fe43:f656%em0           82:63:9c:36:23:a2  em0   23h35m6s  S R
> fe80::81f8:3655:c614:449c%em0           (incomplete)       em0   expired   I R
> 
> Route Table
> 
> Internet:
> Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
> default            22.208.0.1         UGS        5     9360     -     8 em0
> base-address.mcast localhost          URS        0        0 32768     8 lo0
> 10.99.1/24         ofw                UCn        1        0     -     4 em1
> ofw                00:e0:67:15:e7:83  UHLl       0      440     -     1 em1
> 10.99.1.103        20:c9:d0:2c:09:22  UHLc       2     9374     -     3 em1
> 10.99.1.255        ofw                UHb        0       22     -     1 em1
> 22.208.0/24        22.208.0.133       UCn        1        0     -     4 em0
> 22.208.0.1         82:63:9c:36:23:a2  UHLch      1      277     -     3 em0
> 22.208.0.133       00:e0:67:15:e7:82  UHLl       0      419     -     1 em0
> 22.208.0.255       22.208.0.133       UHb        0        0     -     1 em0
> 127/8              localhost          UGRS       0        0 32768     8 lo0
> localhost          localhost          UHhl       1        2 32768     1 lo0
> 
> Internet6:
> Destination                    Gateway                        Flags   Refs      Use   Mtu  Prio Iface
> default                        fe80::81f8:3655:c614:449c%em0  UGS        0       14     -     8 em0
> ::/96                          localhost                      UGRS       0        0 32768     8 lo0
> localhost                      localhost                      UHhl      10       20 32768     1 lo0
> :::0.0.0.0/96                  localhost                      UGRS       0        0 32768     8 lo0
> 2001:8004:1420:58d8::/64       2001:8004:1420:58d8:72b0:a75d: UCPn       0        1     -     4 em0
> 2001:8004:1420:58d8::/64

IPv6 - Using 4G Wan

2021-02-03 Thread Antonino Sidoti
  
  1 32768 8 lo0  
fec0::/10                      localhost                      UGRS       0        0 32768     8 lo0
fe80::%em0/64                  fe80::2e0:67ff:fe15:e782%em0   UCn        2        3     -     4 em0
fe80::2e0:67ff:fe15:e782%em0   00:e0:67:15:e7:82              UHLl       0       13     -     1 em0
fe80::54b0:dcff:fe43:f656%em0  82:63:9c:36:23:a2              UHLc       0       25     -     3 em0
fe80::81f8:3655:c614:449c%em0  link#1                         UHLch      1       18     -     3 em0
fe80::1%lo0                    fe80::1%lo0                    UHl        0        0 32768     1 lo0
ff01::/16                      localhost                      UGRS       0        1 32768     8 lo0
ff01::%em0/32                  fe80::2e0:67ff:fe15:e782%em0   Um         0        2     -     4 em0
ff01::%lo0/32                  fe80::1%lo0                    Um         0        1 32768     4 lo0
ff02::/16                      localhost                      UGRS       0        1 32768     8 lo0
ff02::%em0/32                  fe80::2e0:67ff:fe15:e782%em0   Um         0       17     -     4 em0
ff02::%lo0/32                  fe80::1%lo0                    Um         0        1 32768     4 lo0


Antonino Sidoti





Re: no flows with my iked vpn

2020-02-13 Thread Antonino Sidoti
Hi,

I think you need to look at the PF configuration on your setup. My 
configuration is as follows,

(Not my full pf.conf)

# Allow iked
pass in quick log on egress proto esp from any to egress label "IKED-ESP"
pass in quick log on egress proto udp from any to egress port $iked_ports label 
"IKED-IN"

# Block all
block log all

# Pass traffic on interface enc0
pass log on enc0 tagged IKED label "IKED-ENC-TAG"

# Pass out all
pass out

Check the PF traffic using tcpdump, "doas tcpdump -n -e -ttt -I pflog0"


> On 13 Feb 2020, at 10:07 pm, Shadrock Uhuru  wrote:
> 
> On 13.02.2020 08:43, Robert Paschedag wrote:
>> 
>> sent from my mobile device
>> 
>> Am 12. Februar 2020 15:07:46 schrieb Shadrock Uhuru :
>> 
>>> hi everyone
>>> i have setup iked on my firewall and laptop as a roadwarrior setup
>>> following https://www.openbsd.org/faq/faq17.html
>>> i.ve tested from within the local network
>>> but no flows are started.
>>> could someone have a look at the following files to see where i have
>>> erred.
>> 
>> Looks like your client cert (pegasus) is missing a subjectAltName.
>> 
>> Robert
>> 
>>> 
>>> 
>>> # my iked config method
>>> http://paste.openstack.org/show/789464/
>>> 
>>> imhoptep iked logs (responder)
>>> http://paste.openstack.org/show/789465/
>>> 
>>> pegasus iked logs (initiator)
>>> http://paste.openstack.org/show/789466/
>>> 
>>> thanks shadrock
>> 
>> 
> 
> As https://www.openbsd.org/faq/faq17.html does not mention anything
> about subjectAltName i've researched across the net and found the following 
> information :-
> 
> IKEv2 VPN server certificate must contain either the server's IP address
> or its FQDN as the subjectAltName,
> Roadwarriors usually have dynamic IP addresses assigned by the ISP they are 
> currently attached to. In order to simplify the routing from my-net 
> (tissisat.co.uk) back to the roadwarrior (pegasus) it would be desirable if 
> the roadwarrior had an inner IP address chosen from a pre-assigned pool.
> 
> if this is the way to deal with subjectAltName
> what are the steps to achieve this ?
> 
> shadrock



Re: Thinking of changing DNS Service provider, looking for recommendations

2020-01-02 Thread Antonino Sidoti
Hi,
I am using DuckDNS with my OpenBSD system. It works fine for me.

Mind you, it is for dynamic DNS updates, not a full-blown DNS server solution. 

> On 2 Jan 2020, at 11:26 pm, Jay Hart  wrote:
> 
> Hey all, and Happy New Years!!!
> 
> I am currently using DYN.COM for DNS service. A few months back they changed 
> there payment
> methodology and I am now considering finding another solution. DYN charges me 
> $5 US monthly so its
> not a huge financial burden. That said, if I could find a free service 
> provider, all the better.
> 
> My only real requirement is they must be able to support OpenBSD based 
> system.  Currently using
> DDclient. It works fine, has been for years.
> 
> This would be for a residential connection.
> 
> Guess what I'm really looking for, from the list, is a OpenBSD friendly 
> provider, and a brief
> write up on how you are connected.  I've looked over a few sites but nothing 
> stood out as being
> OpenBSD friendly.
> 
> Thanks in Advance,
> 
> Jay
> 



Re: Iked/unbound ~ more info.

2019-11-18 Thread Antonino Sidoti
Hi Dale,

I had unbound working with iked for a short time. I actually configured the 
interface enc0 like so;

** Server hostname.enc0
inet 10.0.5.1 255.255.255.0 10.0.5.255

---
** Server iked.conf
ikev2 "roaming" passive esp \
  from 0.0.0.0/0 to 0.0.0.0/0 \
  local egress peer any \
  psk "---" \
  config protected-subnet 0.0.0.0/0 \
  config address 10.0.5.0/24 \
  config name-server 10.0.5.1 \
  tag "IKED"

As you can see I then added the IP of the enc0 interface in iked.conf ("config 
name-server 10.0.5.1").
I then added the subnet 10.0.5.0/24 as an "allow" in unbound.conf:

access-control: 10.0.5.0/24 allow

Though I too am not sure if this is a good way of using iked and unbound. 
In fact I actually stopped using this and just added a Public DNS server like 
1.1.1.1. 
From all my reading, I think it is not required to configure the enc0 
interface. 

Further testing using an OpenBSD iked client, I had very little success in 
making that work. 
For my scenario I have iPhones and MacBooks using the native ikev2 Apple client 
and they work fine.
All the clients get the Public IP of the iked Server when they connect.

Nino

> On 19 Nov 2019, at 7:46 am, Dale C.  wrote:
> 
> I'm thinking you're correct Chuck, I can't route traffic for localhost
> through iked...
> 
> So... "It might be necessary to exclude this traffic from the
> flows to ensure connections to services running locally (such as a
> local resolver)
> 
> ^ Then I'd have local dns while connected to my VPN?
> 
> OH... queries to external nameservers will still go through the VPN
> though? So it should be alright?
> 
> I'd much rather be doing DNS on the responder localhost though...
> isn't that the correct way here?
> 
> So, I'll try that, but any better solution for openbsd -> openbsd iked
> when both are using unbound localhost DNS would be appreciated :)
> 
> It works.
> 
> Thanks Chuck ;)
> 
> On 11/18/19, Dale C.  wrote:
>> Chuck,
>> 
>> Hey thanks for the information. Yeah I've tried having unbound listen
>> on 10.0.1.2 (the VPN support net), that didn't work. I have not tried
>> putting unbound on an external interface, and would like to avoid
>> that.
>> 
>> I've actually taken unbound out of the equation on both sides.
>> Disabled unbound, commented supercede directive from dhclient and used
>> public name servers on both ends - that didn't work.
>> 
>> Today, I'll try some things again with the simplified pf confs. I'll
>> get some output from pflog. I'll try putting unbound on the public IP.
>> 
>> In the faq there are a few lines:
>> 
>> "Since all traffic goes through the VPN, including traffic targeted at
>> localhost, it might be necessary to exclude this traffic from the
>> flows to ensure connections to services running locally (such as a
>> local resolver) reach the right target. This can be achieved by adding
>> a single line to /etc/ipsec.conf on the initiator: flow from
>> 127.0.0.1/32 to 127.0.0.1/32 type bypass"
>> 
>> ^ I'm confused by this, I excluded this ipsec bypass and the rdr-to
>> rule in the responder pf conf. I would've expected that to work with
>> DNS targeting localhost? I'm also not clear how `match out log on enc0
>> inet all nat-to 10.0.5.2' behaves, is it akin to a "quick" directive?
>> Packets do not evaluate further rules because there are no more inet
>> packets after this? Does the position of this line in my initiator
>> pf.conf seem reasonable? I think perhaps it should go up...
>> 
>> Also this: "One caveat with using an OpenBSD client is that it doesn't
>> send configuration requests to the responder to configure its IP, so
>> the initiator needs to manually NAT its outgoing packets on the enc0
>> interface so that packets appear on the responder with an IP on the
>> VPN subnet."
>> 
>> I tried a config name-server directive on the initiator iked.conf, but
>> because it wants to verify the host at load-time, I get iked start
>> errors with it. *I think this is the reason anyway, I'll take a closer
>> look today*... So, I'm kind of wondering if a seamless way to switch
>> in and out of the VPN exists for openbsd clients? I should be able to
>> `ikectl couple/decouple' and just have it work right, so I'm looking
>> for a way to configure name-server in the iked.conf initiator ideally?
>> 
>> I'll go through your post a few more times and try your suggestions,
>> thank you very much!
>> 
>> Dale
>> 
>>> Chuck Wrote
>>> I am not sure if you noticed but 127.0.0.1 is always local to the machine
>>> using it.  If you try routing with it the packets will never leave the
>>> system.  If they do somehow leave then the system getting them will reject
>>> it as the packet did not come from itself.  I mention this as I see in
>>> both resolv.conf files the nameserver is listed as 127.0.0.1
>>> 
>>> You might try instead to have the unbound listen on the inside (or even
>>> the outside) address.

Re: OpenBSD IKED Client Issues

2019-09-24 Thread Antonino Sidoti
Hello,

Thank you for your reply. I will test this out and see what happens.


> On 25 Sep 2019, at 8:27 am, Lucas  wrote:
> 
> Hello Antonio,
> 
> Although providing the output of `iked -dv` can help to debug further,
> I don't see you're letting traffic in on `enc0` in your server's pf
> ruleset. Adding `pass in on enc0` after `block all` should be enough to
> make it work, I think.
> 
> HTH,
> -Lucas



OpenBSD IKED Client Issues

2019-09-24 Thread Antonino Sidoti
Hi,

Host OpenBSD WAN IP = 1.2.3.4
Host OpenBSD VPN Subnet = 10.0.5.0/24
IKED responder (passive)

Remote OpenBSD WAN IP = Dynamic
Remote OpenBSD Internal LAN = 10.99.1.0/24
IKED Initiator (active)

I have an OpenBSD server hosted at Vultr running as an iked server.
It has a static public IP. I can use my iPhone and connect via iked
perfectly and my phone will have the public IP of the server. I can
browse the internet using my phone when connected via the VPN.

Now I would like to establish a VPN using an OpenBSD system located
at a remote site and be an iked initiator (Client). I cannot get
any flows to establish. I have read the OpenBSD VPN FAQ document and
also browsed past questions relating to "iked" on this mailing list.
I have tried some configurations but no success.

I have tried to debug iked by using "iked -dvv". But I can't understand 
what is going on with all the output provided.

Both OpenBSD systems are running v6.5 with all patches installed via
"syspatch". I am seeking some suggestions, please, as to where I am going
wrong.

I have configured the interface "enc0" so I can use the IP address 
with unbound and provide DNS via the VPN to end users.

** Server hostname.enc0
inet 10.0.5.1 255.255.255.0 10.0.5.255

---
** Server iked.conf
ikev2 "inet" passive esp \
  from 0.0.0.0/0 to 10.0.5.0/24 \
  local egress peer any \
  psk "---" \
  config protected-subnet 0.0.0.0/0 \
  config address 10.0.5.0/24 \
  config name-server 10.0.5.1 \
  tag "IKED"

---
** Server pf.conf
# Some options
set skip on {lo enc}
set block-policy return 
set loginterface egress
set reassemble yes

# Macros
trusted_ip = "{4.5.6.7}"
web_ports = "{80 443}"
iked_ports = "{500 4500}"
icmp_types = "{echoreq unreach}"

# Tables
table  const {192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8}

# Scrub option
match in all scrub (no-df random-id max-mss 1440)

# NAT Rule
match out on egress inet from !(egress:network) to any nat-to (egress:0)

# Drop urpf-failed packets, add label uRPF
block in quick log from urpf-failed label uRPF

# Block bad IP addresses
block quick log from  label "BAD-IPs"

# Antispoof
antispoof quick for egress

# Block RFC1918 non-routable addresses
block in quick on egress from {no-route }

# Allow ping
pass in quick inet proto icmp icmp-type $icmp_types keep state label "ICMP-IN"

# Allow SSH
pass in quick log on egress proto tcp from $trusted_ip to egress port 22 label "SSH-IN-TRUSTED"

# Allow web
pass in quick log on egress proto tcp from $trusted_ip to egress port $web_ports label "WEB-IN"

# Allow iked
pass in quick log on egress proto esp from any to egress
pass in quick log on egress proto udp from any to egress port $iked_ports

# Block all
block all 

# Pass out all
pass out 

---
** Remote OpenBSD pf.conf
# Macros
ext_if = "em0"
int_if = "em1"
icmp_types = "{echoreq unreach}"

# Tables
table  const {192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8}

# Options
set block-policy drop
set loginterface egress
set skip on {lo enc} 

# Scrub rule
match in all scrub (no-df random-id max-mss 1440)

# NAT Rule
match out on egress inet from !(egress:network) to any nat-to (egress:0)

# AntiSpoof and block martians rule
antispoof quick for { egress $int_if }
block in quick on egress from  to any

# Allow ping
pass in quick inet proto icmp icmp-type $icmp_types keep state label "ICMP-IN"

# Need to comment out the following rule due to double NAT (Telstra 4G MBB)
# block return out quick on egress from any to 

# Default block all
block log all

# Pass traffic out
pass out quick inet
pass in on { $int_if } inet

---
** Remote OpenBSD iked.conf
# macros
remote_gw = "1.2.3.4"

ikev2 "remote" active esp \
  from 10.0.5.0/24 to 10.99.1.0/24 \
  peer $remote_gw \
  psk "---"



Re: Error Upgrading 6.4 to 6.5 mount failure

2019-05-11 Thread Antonino Sidoti
I actually got it to upgrade;

Here are my steps;

I tried the ‘bsd.rd’ option and this failed too
I rebooted the server back to OpenBSD 6.4
I ran ‘fsck’ on my partitions and they came back all clean
I made a change to /etc/fstab using ‘vi’ and changed the following;
From = 123efb4cf9e3e6af.a / ffs rw,1 1
To = 123efb4cf9e3e6af.a / ffs rw 1 1
Saved my changes and rebooted again to make sure all partitions will mount
No issue after the reboot and all partition mounted
Rebooted to start upgrade; 'boot bsd.rd’
I selected ‘u’ to upgrade
System upgraded with no errors and now I am running 6.5

Thanks for your input and suggestions.

> On 11 May 2019, at 11:34 am, Theo de Raadt  wrote:
> 
> Antonino Sidoti  wrote:
> 
> [1. image/png; Screen Shot 2019-05-11 at 8.43.13 am.png]...   
> 
> Antonino,
> 
> If you can't file a proper bug report as described in many places --
> such as the FAQ -- that is just lazy and inconsiderate.  You are pushing
> others to go out of their way for some random person who elects to steal
> their time.
> 
> Grow up.  Be a responsible adult.  Do it right, or go run something
> else, or even consider buying a product.
> 
> 
> 
> 



Re: Puffy Security smtpd out of date

2019-03-07 Thread Antonino Sidoti
Hi,

No issue in finding the contact details. It is on the site.
Public Directory 



> On 8 Mar 2019, at 10:51 am, Stuart Henderson  wrote:
> 
> On 2019-03-07, Christer Solskogen  wrote:
>> On Thu, Mar 7, 2019, 13:19 Geir Svalland  wrote:
>> 
>>> Hello all.
>>> 
>>> Any chance to get the http://puffysecurity.com/wiki/opensmtpd.html
>>> updated ?
>>> 
>> 
>> Probably. But why not rather ask the person behind the site instead of this
>> mailing list?
>> 
> 
> No contact details on the site.
> 
> If people are going to put up content like this, PLEASE:
> 
> - mention the date and relevant OpenBSD version number up front
> and clearly visible so people aren't tricked into thinking something
> 4 years old is still valid. (the iked page on this site is better in
> this regard).
> 
> - provide contact details
> 
> - keeping it up to date would be nice too. getting it into shape
> for www/faq/ would be even nicer, there's some useful information
> there which would likely make a good addition.
> 
> 



Re: Opensmtpd auth in 6.4

2019-01-13 Thread Antonino Sidoti
Hi,

Do you get any errors using ’doas smtpd -n’?

Can you try to add this ‘listen’ statement in your smtpd.conf? (This is how 
I have my setup.)

listen on egress mask-src port submission tls-require pki mail.example.com auth

Another option is to try a different password.
Now, test the login credentials using the ‘openssl’ command as noted by Edgar 
in a previous email.

To convert the plain text to ‘base64’, I use the following command on my 
MacBook.

echo -n u...@example.com  | base64
Base64 Output

echo -n password | base64
Base64 Output

openssl s_client -connect mail.example.com:587 -starttls smtp
…….(SSL Output)
250 HELP

Within the smtp session I enter the commands ‘ehlo’ and ‘auth login’ 
respectively;

ehlo mail.example.com
250-mail.example.com Hello mail.example.com [x.x.x.x], pleased to meet you
250-8BITMIME
250-ENHANCEDSTATUSCODES
250-SIZE 36700160
250-DSN
250-AUTH PLAIN LOGIN
250 HELP

auth login
334 VXNlcm5hbWU6
Base64 Username (As noted above from the conversion of plain text to base64)
334 UGFzc3dvcmQ6
Base64 Password (As noted above from the conversion of plain text to base64)
235 2.0.0: Authentication succeeded

Nino



> On 14 Jan 2019, at 10:47 am, Flipchan  wrote:
> 
> I changed mask-src and tried some other stuff still without success when 
> using openssl ehlo test and auth login , all i get is authentication failed , 
> i have verified that the password is legit but no luck
> 
> On January 12, 2019 11:37:42 PM GMT+01:00, Carlin Bingham  
> wrote:
>> On Sat, Jan 12, 2019 at 05:36:11PM +0100, Flipchan wrote:
>>> Hey, am tryin to upgrade my opensmtpd 
>>> email server running on openbsd 6.3 towards a new one on 6.4, 
>>> i have used a simple config with the new syntax:
>>> cat /etc/mail/smtpd.conf 
>>> 
>>> table aliases file:/etc/mail/aliases 
>>> 
>>> #table other-relays file:/etc/mail/other-relays 
>>> 
>>> pki mail.example.com cert "/etc/ssl/mail.example.com.crt" 
>>> pki mail.example.com key "/etc/ssl/private/mail.example.com.key" 
>>> 
>>> listen on lo0 
>>> listen on vio0 port 587 hostname example.com tls-require pki mail.example.com auth mask-source 
>> 
>> mask-source was changed to mask-src 
>> 
>> I think because mask-source is no longer a valid keyword its being
>> interpreted as a parameter to auth.
>> 
>> 
>> --
>> Carlin
> 
> -- 
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
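To see what the `auth login` dialogue above actually carries on the wire, here is an added example (my code, not Nino's and not OpenSMTPD's) that runs the same exchange against a constructed in-memory stand-in for the MTA's AUTH handling. `FakeAuthServer`, its user table, the mailbox and the password are all assumptions; the `334` challenges and the `235` success line are the ones quoted in the thread, the `535`/`501`/`504` wordings are constructed. Decoding the two challenges shows they are just "Username:" and "Password:", and the credentials travel as reversible base64, which is the reason the `tls-require` on the listen line matters.

```python
"""SMTP AUTH LOGIN / AUTH PLAIN dialogue, run offline against a constructed server.

Added example, not from the thread. FakeAuthServer is a stand-in for the MTA's
AUTH state machine; the user database and credentials below are made up.
"""
import base64
import binascii
import hmac


def b64(text):
    """base64 of a string: the same value `echo -n text | base64` prints."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def unb64(token):
    """Strict base64 decode (rejects stray characters instead of ignoring them)."""
    return base64.b64decode(token, validate=True).decode("utf-8")


def decode_challenge(line):
    """Turn a '334 <base64>' continuation reply back into text, e.g. 'Username:'."""
    code, _, payload = line.partition(" ")
    if code != "334":
        raise ValueError(f"not an AUTH continuation reply: {line!r}")
    return unb64(payload)


def auth_plain_token(user, password, authzid=""):
    """RFC 4616 PLAIN response: base64(authzid NUL authcid NUL password)."""
    return b64(f"{authzid}\0{user}\0{password}")


class FakeAuthServer:
    """One handle() call per client line; returns the server's reply line."""
    OK = "235 2.0.0: Authentication succeeded"   # reply quoted in the thread
    FAIL = "535 5.7.8 Authentication failed"     # constructed wording

    def __init__(self, users):
        self._users = users          # {user: password}, constructed
        self._state = "idle"
        self._user = None

    def _verify(self, user, password):
        expected = self._users.get(user, "")
        # constant-time compare; an unknown user takes the same path as a bad password
        return bool(expected) and hmac.compare_digest(expected.encode(), password.encode())

    def _finish(self, user, password):
        self._state, self._user = "idle", None
        return self.OK if self._verify(user, password) else self.FAIL

    def handle(self, line):
        try:
            if self._state == "idle":
                cmd, _, rest = line.partition(" ")
                if cmd.upper() != "AUTH":
                    return "503 5.5.1 AUTH command expected"
                mech, _, initial = rest.partition(" ")
                if mech.upper() == "LOGIN":
                    self._state = "want_user"
                    return "334 " + b64("Username:")
                if mech.upper() == "PLAIN":
                    # only the initial-response form (AUTH PLAIN <token>) is modelled
                    _authz, user, password = unb64(initial).split("\0")
                    return self._finish(user, password)
                return "504 5.5.4 Unrecognized authentication type"
            if self._state == "want_user":
                self._user, self._state = unb64(line), "want_pass"
                return "334 " + b64("Password:")
            return self._finish(self._user, unb64(line))
        except (binascii.Error, UnicodeDecodeError, ValueError):
            self._state, self._user = "idle", None
            return "501 5.5.2 Cannot decode response"


def run_auth_login(server, user, password):
    """Drive AUTH LOGIN as typed in the thread; returns (final reply, transcript)."""
    transcript = []

    def exchange(client_line):
        reply = server.handle(client_line)
        transcript.append(("C: " + client_line, "S: " + reply))
        return reply

    challenge = exchange("AUTH LOGIN")
    if decode_challenge(challenge) != "Username:":
        raise RuntimeError(challenge)
    challenge = exchange(b64(user))
    if decode_challenge(challenge) != "Password:":
        raise RuntimeError(challenge)
    return exchange(b64(password)), transcript


def run_auth_plain(server, user, password):
    """Same credentials in one round trip via AUTH PLAIN."""
    return server.handle("AUTH PLAIN " + auth_plain_token(user, password))


if __name__ == "__main__":
    srv = FakeAuthServer({"user@example.com": "correct horse"})   # constructed
    reply, lines = run_auth_login(srv, "user@example.com", "correct horse")
    for client_line, server_line in lines:
        print(client_line)
        print(server_line)
    print(run_auth_plain(srv, "user@example.com", "wrong"))
```

The transcript printed by the script is the same sequence of lines the `openssl s_client` session shows, so a mismatch between what you typed into `s_client` and what `b64()` produces (a trailing newline from `echo` without `-n` is the classic one) is easy to spot by comparing the tokens.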



Re: Blocking "shodan.io" - What are my options?

2019-01-08 Thread Antonino Sidoti
Hi,

I am a bit surprised how this subject has spiralled. Interesting reading from all 
the comments and suggestions.

Nino

> On 9 Jan 2019, at 1:23 pm, Jordan Geoghegan  wrote:
> 
> 
> 
> On 01/08/19 18:08, tomr wrote:
>> 
>> On 1/9/19 12:42 PM, Jordan Geoghegan wrote:
>>> Yikes. Everything you are (erroneously) trying to do here can be done
>>> without leaving your pf.conf.
>>> 
>>> Remember, KISS.
>>> 
>> Is there a way to add an address to a table from within a rule, or
>> something to that effect? I can't see such an option. A la...
>> 
>> block in quick on $ext_if to any port ! { $allowed_ports } add-to 
>> 
>> 
>> (Otherwise I don't see how the whole show could be completed without
>> logging, monitoring the log, then running pfctl, ie with leaving your
>> pf.conf)
> 
> Without wasting too much time on this, the "overload" example from the 
> pf.conf man page could be pretty easily adapted to meet the specified needs:
> 
> pass in on egress proto tcp to egress port 22 keep state (max-src-conn-rate 1/10, overload  flush global)
> 
> or to copy basically verbatim from the man page, (with only the src-conn-rate 
> and port number adjusted):
> 
> block quick from 
> pass in on $ext_if proto tcp to $webserver port ssh keep state \
>  (max-src-conn-rate 1/10, overload  flush global)
> 
> 
> I haven't tested this personally, but it should be adequate.
> 
> 
> 



Re: vultr

2019-01-05 Thread Antonino Sidoti
Hi,

I have two systems with Vultr (Sydney and Tokyo) and find them to be fine. True, 
the default install using the automated Vultr 6.3/6.4 install will create two 
partitions and swap. I have installed one of my OpenBSD systems using a custom 
install ISO (OpenBSD 6.4) and with that I can do whatever I like and partition 
the system as I see fit.

> On 6 Jan 2019, at 9:40 am, Misc User  wrote:
> 
> On 1/5/2019 2:22 PM, ed...@pettijohn-web.com wrote:
>> I was thinking about spinning up a new instance on vultr to play with.
>> They have an option to install OBSD 6.3/4. Has anyone tried these? I
>> attempted the FBSD one in the past, but the default install was all
>> whacked out and I had to start over with a fresh install.
>> Thanks,
>> Edgar
> The default is alright, but comes with keys and passwords they generated, 
> plus they do a single-partition scheme on the smaller disk instances and the 
> auto partition on the others.  Good for a general purpose machine, but not so 
> great if you have a specific task in mind. They also tend to install all the 
> sets.
> 
> But since they let you upload an ISO and give you full console access, I just 
> do a fresh install and customize as much as I want for the system I am 
> building.  Usually so I can get a good partitioning scheme set up (256m on /, 
> /home, /tmp, /usr/local, /var and swap; with a 1g /usr and swap) so I can 
> dedicate 15g (Or more) to a partition for whatever task the machine was built 
> for.
> 
> -CA
> 



Re: Blocking "shodan.io" - What are my options?

2019-01-03 Thread Antonino Sidoti
Hi Jordan,

Sincere thanks for sharing your script. Also thanks to others for their input 
and comments.

Regards

Nino

> On 4 Jan 2019, at 10:19 am, Jordan Geoghegan  wrote:
> 
> Sorry for the double post, I got the link to the script wrong... woops.
> 
> The actual link is:
> 
> www.geoghegan.ca/pfbadhost.html
> 
> 
> On 01/03/19 15:06, Jordan Geoghegan wrote:
>> Hello,
>> 
>> I wrote a small script called 'pf-badhost' to block shodan and other 
>> annoyances via pf firewall. Check out www.geoghegan.ca/pf-badhost.html to 
>> see the script.
>> 
>> pf-badhost also blocks ssh bruteforcers and other annoyances by loading a 
>> list of regularly updated badhost lists from trusted sources. If you only 
>> want to block shodan specifically, just comment out the few lines that 
>> download the other blocklists, and you should be good to go. I've had a 
>> number of people give good feedback on it, and they've reported it blocking 
>> the scanners and baddies quite effectively; BSDNow also did a piece about 
>> it, so it seems to work alright.
>> 
>> 
>> Cheers,
>> 
>> Jordan
>> 
>> 
>> On 01/02/19 22:15, Antonino Sidoti wrote:
>>> Hi,
>>> 
>>> I wish to block all attempts by “shodan.io”. Basically I run an OpenBSD 
>>> (6.4) mail server using OpenSMTPD and notice quite a bit of traffic all 
>>> stemming from “shodan.io". I have PF configured so I was wondering how to 
>>> block such a domain from making any attempts to connect to my server. There 
>>> is little information about Public IP addresses being used by "shodan.io" 
>>> scanner, so making an IP list for PF may be futile.
>>> 
>>> Could someone suggest a possible option? I was thinking along the lines of 
>>> “relayd” or "squid proxy”. My server is hosted at Vultr and has a single 
>>> WAN interface with Public IP. There is no internal LAN interface.
>>> 
>>> For those who do not know about “shodan.io”, please do a search and you 
>>> will discover what it does.
>>> 
>>> Regards
>>> 
>>> Nino
>>> 
>> 
> 



Blocking "shodan.io" - What are my options?

2019-01-02 Thread Antonino Sidoti
Hi,

I wish to block all attempts by “shodan.io”. Basically I run an OpenBSD (6.4) 
mail server using OpenSMTPD and notice quite a bit of traffic all stemming from 
“shodan.io". I have PF configured so I was wondering how to block such a domain 
from making any attempts to connect to my server. There is little information 
about Public IP addresses being used by "shodan.io" scanner, so making an IP 
list for PF may be futile.

Could someone suggest a possible option? I was thinking along the lines of 
“relayd” or "squid proxy”. My server is hosted at Vultr and has a single WAN 
interface with Public IP. There is no internal LAN interface.

For those who do not know about “shodan.io”, please do a search and you will 
discover what it does.

Regards

Nino



SPAMD - GREY Listing Question

2018-10-01 Thread Antonino Sidoti
Hi,

I notice that when spamd sees a first-time sender, the sender is not being labelled 
“GREY”, even though the log says it is.
 
/var/log/maillog shows a sender being flagged as ‘GREY’;

Oct  1 17:43:24 obsd-svr3 spamd[84545]: (GREY) 67.219.xxx.250: 
 -> 
Oct  1 17:43:24 obsd-svr3 spamd[16185]: Trapping 67.219.xxx.250 for tuple 
67.219.xxx.250 test.network-tools.com  

Oct  1 17:43:24 obsd-svr3 spamd[84545]: 67.219.149.250: disconnected after 13 
seconds.

obsd-svr3$ spamdb | grep GREY

No result

obsd-svr3$ spamdb | grep 67.219.xxx.250
TRAPPED|67.219.xxx.250|1541490191

As noted above the sender is “TRAPPED”, which I understand means it is 
blacklisted. I am running ‘spamd’ in default mode and only added the -v flag in 
'/etc/rc.conf.local’;

spamd_flags=-v

The ‘spamd’ process is like so;

obsd-svr3$ ps -aux | grep spam
_spamd   54244  0.0  0.1   580  1496 ??  Ssp   Sat03PM    0:15.98 /usr/libexec/spamlogd -l pflog1
_spamd   10589  0.0  0.1  9712  1552 ??  Ssp     5:40PM    0:00.11 spamd: (pf update) (spamd)
_spamd   84545  0.0  0.2  9924  5012 ??  Sp      5:40PM    0:00.19 spamd: [priv] (greylist) (spamd)
_spamd   16185  0.0  0.1  9692  1524 ??  Ip      5:40PM    0:00.00 spamd: (/var/db/spamd update) (spamd)

Can anyone confirm if this is normal or I have an issue with ‘spamd’?

Thanks
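To check a sender's status the way this post does, here is an added example (my code, not spamd's or the poster's) that parses spamd syslog lines and `spamdb` records for one client IP and reports what each source says. The record layouts follow spamdb(8) (`GREY|ip|helo|from|to|first|pass|expire|block|pass`, `WHITE|ip|||first|pass|expire|block|pass`, `TRAPPED|ip|expire`); the syslog patterns are assumed from the lines quoted in the post, and all sample data is constructed with TEST-NET addresses and made-up mailboxes. For the trapped host it shows the log recording `(GREY)` followed by `Trapping`, while the database holds only a `TRAPPED` record with its expiry, so a `grep GREY` over `spamdb` output finds nothing for that host.

```python
"""Correlate spamd(8) syslog lines with spamdb(8) records for one client IP.

Added example, not from the thread. Record layouts follow spamdb(8); the syslog
patterns are assumed from the lines quoted in the post; sample data is constructed.
"""
import re
from datetime import datetime, timezone

_IP = r"(?P<ip>[0-9A-Fa-f.:]+)"
GREY_RE = re.compile(r"spamd\[\d+\]: \(GREY\) " + _IP + r": (?P<from>.*?) -> (?P<to>.*)$")
TRAP_RE = re.compile(r"spamd\[\d+\]: Trapping " + _IP + r" for tuple (?P<tuple>.*)$")
DISC_RE = re.compile(r"spamd\[\d+\]: " + _IP + r": disconnected after (?P<secs>\d+) seconds")


def parse_log_line(line):
    """Return (ip, event, details) for a recognised spamd line, else None."""
    for event, rx in (("greylisted", GREY_RE), ("trapped", TRAP_RE), ("disconnected", DISC_RE)):
        m = rx.search(line)
        if m:
            details = m.groupdict()
            return details.pop("ip"), event, details
    return None


def parse_spamdb_record(line):
    """Parse one line of `spamdb` output into a dict (field layout from spamdb(8))."""
    f = line.strip().split("|")
    kind = f[0]
    if kind == "TRAPPED" and len(f) == 3:
        return {"kind": kind, "ip": f[1], "expire": int(f[2])}
    if kind == "WHITE" and len(f) == 9:
        return {"kind": kind, "ip": f[1], "first": int(f[4]), "pass": int(f[5]),
                "expire": int(f[6]), "block": int(f[7]), "passed": int(f[8])}
    if kind == "GREY" and len(f) == 10:
        return {"kind": kind, "ip": f[1], "helo": f[2], "from": f[3], "to": f[4],
                "first": int(f[5]), "pass": int(f[6]), "expire": int(f[7]),
                "block": int(f[8]), "passed": int(f[9])}
    raise ValueError(f"unrecognised spamdb record: {line!r}")


def explain_host(ip, log_lines, spamdb_lines):
    """Summarise what the log and the database say about one client IP."""
    events = []
    for line in log_lines:
        parsed = parse_log_line(line)
        if parsed and parsed[0] == ip:
            events.append(parsed[1])
    records = [r for r in map(parse_spamdb_record, spamdb_lines) if r["ip"] == ip]
    kinds = {r["kind"] for r in records}
    # A TRAPPED record blacklists the host until its expiry, whatever the log said earlier.
    state = next((k for k in ("TRAPPED", "WHITE", "GREY") if k in kinds), "absent")
    expires = None
    if records:
        latest = max(r["expire"] for r in records)
        expires = datetime.fromtimestamp(latest, tz=timezone.utc).isoformat()
    return {"ip": ip, "log_events": events, "db_kinds": sorted(kinds),
            "state": state, "expires": expires}


# Constructed sample data (TEST-NET addresses, made-up mailboxes), shaped like the post's lines.
SAMPLE_LOG = [
    "Oct  1 17:43:24 obsd-svr3 spamd[84545]: (GREY) 192.0.2.10: <bulk@example.net> -> <trap@example.com>",
    "Oct  1 17:43:24 obsd-svr3 spamd[16185]: Trapping 192.0.2.10 for tuple 192.0.2.10 mx.example.net <bulk@example.net> <trap@example.com>",
    "Oct  1 17:43:24 obsd-svr3 spamd[84545]: 192.0.2.10: disconnected after 13 seconds.",
    "Oct  1 17:50:02 obsd-svr3 spamd[84545]: (GREY) 192.0.2.20: <alice@example.org> -> <bob@example.com>",
]
SAMPLE_SPAMDB = [
    "TRAPPED|192.0.2.10|1541490191",
    "GREY|192.0.2.20|mail.example.org|<alice@example.org>|<bob@example.com>|1538376602|1538378402|1538391002|1|0",
]

if __name__ == "__main__":
    for host in ("192.0.2.10", "192.0.2.20"):
        print(explain_host(host, SAMPLE_LOG, SAMPLE_SPAMDB))
```

On a live box the two inputs come from `grep spamd /var/log/maillog` and `spamdb`; the expiry column is a Unix timestamp, which the summary converts to UTC so you can tell whether a trapped host is still being blacklisted.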



Can I ask a question about PF Here?

2018-07-16 Thread Antonino Sidoti
Hi,

Before I go into too much detail, where is the appropriate place to get help for 
PF related problems? I am really stuck and need some assistance in 
understanding PF. I can provide diagrams and configuration files too, to make it 
clearer.

Thanks in advance

Nino