Re: Simplifying pf-rules

2018-01-05 Thread Jon S
Marko: Thanks for your input. Your proposals got me thinking a few steps
further.

I now came up with the following solution, which has all the properties I want:

pass in on re0 inet to !all:network
pass in on re0 inet to em0:network # Just in case we would need to interact
# with some other service on the same segment...
block in quick log on re0 inet to em0 # ... but not our own IP

The above lines replace my initial rule "pass in on re0 to !re0:network"


2018-01-04 16:29 GMT+01:00 Marko Cupać <marko.cu...@mimar.rs>:

> On Thu, 4 Jan 2018 14:09:50 +0100
> Jon S <jonsjost...@gmail.com> wrote:
>
> > Hello misc!
> >
> > My OpenBSD file server just became a router too (after getting a new
> > internet connection where the provider does not include a router in
> > the subscription).
>
> If possible, I'd avoid combining file server and firewall services on
> a single box
>

> > This led to my first experiences with pf. After some work I came up
> > with what's below. It works as I want it to work, but I wonder if
> > there is a way to create a rule where incoming traffic to the
> > internal NIC (re0) is passed if it is targeted for em0 (external,
> > internet NIC)? The current solution would require an update of the
> > "pass in on re0 to !re0:network"-rule if another NIC is added (let's
> > say a DMZ).
>
> All my pf rulesets start with defining interface macros so they are
> more readable, and also more flexible (this way changing NIC with
> different driver needs one line changed, instead of all lines in the
> ruleset referencing that interface):
>
> # INTERFACE MACROS
> if_int = "re0"
> if_ext = "em0"
>
> > set skip on lo0
> >
> > # Block everything everywhere by default
> > block log all
>
> I prefer to put "match" section above default "block log all" rule.
> It's more logical to me, as something being "matched" has no impact if
> it's not "passed" or "blocked" later on in the ruleset.
>
> > # NAT local network to external
> > match out on em0 inet from re0:network nat-to (em0)
> >
> > # Allow all outgoing traffic
> > pass out on {em0, re0}
> >
> > # Allow only specific services on this machine to be accessed from
> > # local network
> > pass in on re0 inet proto tcp to port ssh # ssh
> > pass in on re0 inet proto icmp # icmp
> > pass in on re0 inet proto tcp to port 445 # samba
>
> Your description line does not describe accurately what the next three
> lines do - as the destination IP is not present, "to any" is assumed, so
> a more accurate description would be "Allow specific services on any
> machine to be accessed from local network".
>
> If you wanted your ruleset to match description line, and your
> services listen on internal NIC, you would do something like:
>
> pass in on $if_int inet proto tcp  from re0:network to re0 port ssh
> pass in on $if_int inet proto icmp from re0:network to re0
> pass in on $if_int inet proto tcp  from re0:network to re0 port 445
>
> >
> > #pass in on re0 inet to em0:network # This does not work, since the
> > #mask for this IF will only let traffic through to the limited set of
> > #IPs on the same C-segment as em0. That would probably be a set of
> > #other customers at the network operator...
> >
> > # This works, but will require an update if any further NIC is involved
> > # later
> > pass in on re0 to !re0:network
>
> There are multiple ways to achieve this. One of them would be passing
> everything on $if_int, and blocking what you don't want later (if
> "quick" keyword is not used, last matching rule wins):
>
> pass in on $if_int
> block in on $if_int inet proto tcp from $if_int:network to \
>   $if_int port { !=ssh !=445 }
>
> The other one would be blocking unwanted stuff quickly early in the
> ruleset, and passing what you want later on:
>
>   block in quick on $if_int inet proto tcp from $if_int:network to \
>   $if_int port { !=ssh !=445 }
> pass in on $if_int
>
> Both examples block only TCP to internal NIC, so blocking other
> protocols if there are any on the firewall also needs to be done.
> >
> > # I would like something like this to work, so that future added NICs
> > # won't open new unwanted paths
> > #pass in on re0 to em0
> >
> > # Allow only incoming SSH to external NIC
> > pass in on em0 inet proto tcp to port ssh
>
> In the end, your ruleset seems quite minimal. I suggest you start
> worrying about new NIC once you add it. For now it would be better to
> play around with pfctl -vvsr, systat states/rules, tcpdumping pflog etc.
>
> Hope this helps,
>
> --
> Before enlightenment - chop wood, draw water.
> After  enlightenment - chop wood, draw water.
>
> Marko Cupać
> https://www.mimar.rs/
>



-- 
Jon Sjöstedt
Gamla Björboholmsvägen 2
443 72 GRÅBO

Mobil 0735 - 029 557

jonsjost...@gmail.com jonsjost...@hotmail.com
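To see concretely how the two orderings Marko describes resolve, here is an added toy evaluator written in POSIX sh. It is my example, not pf itself and not code from either poster. It models only the traffic these rules are about (packets from the LAN aimed at the firewall's own internal NIC) and implements the two semantics from the reply: without `quick` the last matching rule wins, with `quick` the first matching rule ends evaluation. One fact a reader of the reply should keep in mind: pfctl expands a braced list into one rule per element, so `port { !=ssh !=445 }` loads as the two rules `port != 22` and `port != 445`, and a packet to port 22 still matches the second of them; `pfctl -vvsr`, which Marko recommends, prints the rules in that expanded form. The third ruleset is the allow-list shape of Jon's original file (block the NIC, then pass named ports) for comparison. The fixed-column rule format, the `any` wildcard and the numeric ports are simplifications of mine.

```shell
#!/bin/sh
# Toy evaluator for pf's rule-ordering semantics. Added example, not pf and
# not from the thread. It models only packets from the LAN aimed at the
# firewall's own internal NIC. A packet is "proto dport".
# Rules are one per line, four fixed columns:
#   action(pass|block)  quick(yes|no)  proto(tcp|any)  dport(any | N | !N)
# pfctl expands a braced list into one rule per element, so Marko's
# "port { !=ssh !=445 }" is written out here as two rules, !22 and !445.

# Marko's variant 1: pass first, block later (no quick: last match wins)
RULESET_LASTWINS='
pass  no  any any
block no  tcp !22
block no  tcp !445
'

# Marko's variant 2: block quick early, pass later (first quick match wins)
RULESET_QUICK='
block yes tcp !22
block yes tcp !445
pass  no  any any
'

# Allow-list shape of Jon's original ruleset: block the NIC, pass named ports
RULESET_ALLOWLIST='
pass  no  any any
block no  tcp any
pass  no  tcp 22
pass  no  tcp 445
'

# port_matches SPEC DPORT -> 0 if DPORT satisfies SPEC
port_matches() {
    case $1 in
        any)  return 0 ;;
        "!"*) [ "${1#"!"}" != "$2" ] ;;
        *)    [ "$1" = "$2" ] ;;
    esac
}

# decide RULESET PROTO DPORT -> prints "pass" or "block"
decide() {
    proto=$2
    dport=$3
    result=block                 # nothing matched: the "block log all" default
    while read -r action quick rproto rport; do
        if [ -z "$action" ]; then continue; fi      # blank line
        case $action in '#'*) continue ;; esac      # comment line
        if [ "$rproto" != any ] && [ "$rproto" != "$proto" ]; then continue; fi
        if ! port_matches "$rport" "$dport"; then continue; fi
        result=$action                              # latest match so far
        if [ "$quick" = yes ]; then break; fi       # quick: stop evaluating
    done <<EOF
$1
EOF
    echo "$result"
}

# Demo: how each ruleset treats ssh, samba, an unwanted port and non-TCP
for rs in LASTWINS QUICK ALLOWLIST; do
    eval "ruleset=\$RULESET_$rs"
    for pkt in "tcp 22" "tcp 445" "tcp 80" "udp 53"; do
        printf '%-10s %-8s %s\n' "$rs" "$pkt" "$(decide "$ruleset" $pkt)"
    done
done
```

Run it with sh; the demo prints pass/block for ssh, samba, port 80 and a UDP packet under each ruleset. The allow-list form passes exactly the two services and blocks the rest of the TCP ports, which is the property the original ruleset was written for; the two negated-list forms block every TCP port on the internal NIC, ssh and samba included, because each expanded rule is evaluated on its own.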


Simplifying pf-rules

2018-01-04 Thread Jon S
Hello misc!

My OpenBSD file server just became a router too (after getting a new
internet connection where the provider does not include a router in the
subscription).

This led to my first experiences with pf. After some work I came up with
what's below. It works as I want it to work, but I wonder if there is a way
to create a rule where incoming traffic to the internal NIC (re0) is
passed if it is targeted for em0 (external, internet NIC)? The current
solution would require an update of the "pass in on re0 to
!re0:network"-rule if another NIC is added (let's say a DMZ).

set skip on lo0

# Block everything everywhere by default
block log all

# NAT local network to external
match out on em0 inet from re0:network nat-to (em0)

# Allow all outgoing traffic
pass out on {em0, re0}

# Allow only specific services on this machine to be accessed from
# local network
pass in on re0 inet proto tcp to port ssh # ssh
pass in on re0 inet proto icmp # icmp
pass in on re0 inet proto tcp to port 445 # samba

#pass in on re0 inet to em0:network # This does not work, since the
#mask for this IF will only let traffic through to the limited set of
#IPs on the same C-segment as em0. That would probably be a set of
#other customers at the network operator...

# This works, but will require an update if any further NIC is involved
# later
pass in on re0 to !re0:network

# I would like something like this to work, so that future added NICs
# won't open new unwanted paths
#pass in on re0 to em0

# Allow only incoming SSH to external NIC
pass in on em0 inet proto tcp to port ssh


-- 
Jon Sjöstedt

jonsjost...@gmail.com


Re: fsck_ffs: cannot alloc 131427074 bytes for lncntp

2017-07-26 Thread Jon S
Problem solved/workaround: running fsck /dev/... worked. The problem seemed
to be with running fsck_ffs /dev/...

On 25 Jul 2017 5:17 pm, "Jon S" <jonsjost...@gmail.com> wrote:

No. Filesystem is FFS. The os is 4.9 or later but not above 5.4 afaik. I
will have physical access to the host tomorrow. It will probably be
replaced and installed with 6.1, but it would still be interesting to know
what kind of error this is and what can be done about it.


On 25 Jul 2017 3:40 pm, "Jeremie Courreges-Anglas" <j...@wxcvbn.org> wrote:

On Tue, Jul 25 2017, Jon S <jonsjost...@gmail.com> wrote:
> Hello misc! The message in the subject is the result of trying to run
> fsck_ffs in single user mode when auto fsck fails at boot. Any ideas or
> input on how to solve?

This error message is only present in the -current source code for
fsck_ext2fs (there's src/sbin/fsck_ffs/SMM.doc/4.t but this looks
outdated).

Are you using ext2fs?

--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE


Re: fsck_ffs: cannot alloc 131427074 bytes for lncntp

2017-07-25 Thread Jon S
No. Filesystem is FFS. The os is 4.9 or later but not above 5.4 afaik. I
will have physical access to the host tomorrow. It will probably be
replaced and installed with 6.1, but it would still be interesting to know
what kind of error this is and what can be done about it.

On 25 Jul 2017 3:40 pm, "Jeremie Courreges-Anglas" <j...@wxcvbn.org> wrote:

On Tue, Jul 25 2017, Jon S <jonsjost...@gmail.com> wrote:
> Hello misc! The message in the subject is the result of trying to run
> fsck_ffs in single user mode when auto fsck fails at boot. Any ideas or
> input on how to solve?

This error message is only present in the -current source code for
fsck_ext2fs (there's src/sbin/fsck_ffs/SMM.doc/4.t but this looks
outdated).

Are you using ext2fs?

--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE


fsck_ffs: cannot alloc 131427074 bytes for lncntp

2017-07-25 Thread Jon S
Hello misc! The message in the subject is the result of trying to run
fsck_ffs in single user mode when auto fsck fails at boot. Any ideas or
input on how to solve?


Standard way to create a generic queue in ksh

2016-04-15 Thread Jon S
Hello all!

As a part of a backup solution, I need a queue. Having looked around the
net, I haven't found any standard way (besides named pipes) that I can use.

Requirements are:
* There will be few elements in the queue (<20)
* No critical section is needed (this is already addressed using mkdir)
* The queue must be possible to examine without altering it
* It would be nice if the queue could only contain unique elements (no point
in queuing the same job twice)

My own two ideas are:
* Files in a dir. Gives uniqueness if names are well selected, but I don't
know how to handle element order neatly
* Rows in a file: No guarantee for unique jobs. Easy to define order and to
add a new job at end (or beginning) of a file or pop a job

Any ideas or proposal of standard way to do this?

--
Jon Sjöstedt
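An added example of my own (not from the question or any reply) that puts the two ideas in the message together in POSIX sh, which ksh runs unchanged. Each queued job is one empty file in a directory; the file name is "<6-digit sequence>.<job>", so plain directory order is queue order and a job name can occupy only one slot. Listing the directory examines the queue without altering it. The mkdir lock guards the short add/pop windows, relying on mkdir being atomic as the question already does. The queue directory `/tmp/jobq.$$` and the job names are constructed for the demo; job names must not contain "/" and must not start with ".".

```shell
#!/bin/sh
# Small FIFO job queue for ksh/sh. Added example, not code from the thread.
# Each queued job is one empty file "<6-digit seq>.<job>" in $QDIR:
# directory order == sequence order, and one file per job name.
# A mkdir lock (atomic) guards the short add/pop windows.
# Job names must not contain "/" and must not start with ".".

QDIR=${QDIR:-/tmp/jobq.$$}     # assumed location; override with QDIR=...

q_init()   { mkdir -p "$QDIR"; }
q_lock()   { until mkdir "$QDIR/.lock" 2>/dev/null; do sleep 1; done; }
q_unlock() { rmdir "$QDIR/.lock"; }

# q_find JOB -> prints the queue file holding JOB and returns 0, else 1
q_find() {
    for f in "$QDIR"/[0-9]*.*; do
        [ -e "$f" ] || break             # empty queue: glob stayed literal
        name=${f##*/}
        if [ "${name#*.}" = "$1" ]; then echo "$f"; return 0; fi
    done
    return 1
}

# q_list -> prints queued jobs oldest first without changing the queue
q_list() {
    for f in "$QDIR"/[0-9]*.*; do
        [ -e "$f" ] || break
        name=${f##*/}
        echo "${name#*.}"
    done
}

# q_add JOB -> 0 if queued, 1 if JOB is already in the queue
q_add() {
    q_lock
    if q_find "$1" >/dev/null; then q_unlock; return 1; fi
    last=0
    for f in "$QDIR"/[0-9]*.*; do        # sorted, so the last one is newest
        [ -e "$f" ] || break
        name=${f##*/}
        last=${name%%.*}
    done
    next=$(printf '%06d' "$(expr "$last" + 1)")   # expr reads 000007 as 7
    : > "$QDIR/$next.$1"
    q_unlock
}

# q_pop -> prints and removes the oldest job; returns 1 if the queue is empty
q_pop() {
    q_lock
    for f in "$QDIR"/[0-9]*.*; do
        if [ -e "$f" ]; then
            name=${f##*/}
            rm -f "$f"
            q_unlock
            echo "${name#*.}"
            return 0
        fi
        break
    done
    q_unlock
    return 1
}

# Demo with constructed job names: a duplicate is refused, then drain in order
q_init
q_add backup-home
q_add backup-var
q_add backup-home || echo "backup-home is already queued"
echo "queued: $(q_list | tr '\n' ' ')"
while job=$(q_pop); do
    echo "running $job"
done
rmdir "$QDIR"
```

The sequence number only ever grows, so a job re-added after it was popped lands at the tail, behind jobs queued in the meantime; six digits are far more than the fewer-than-20 entries the question expects. As with any mkdir lock, a `.lock` directory left behind by a crashed run has to be removed by hand before `q_lock` will proceed.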



ls cant print higher UTF-8 chars

2016-01-06 Thread Jon S
Hello misc!

In an attempt to get a better idea on how to make all non-ascii chars
appear correctly in windows/samba, ssh and the local console I get the
impression that UTF-8 is the charset that is mostly used in general and
also most growing.

Using UTF-8 in samba and ssh on an OpenBSD 4.9 i386 generic machine that is
about to retire works as expected, tested with Swedish and Icelandic
letters outside the 7-bit ASCII range.

However, the new machine to replace the 4.9-box, running OpenBSD 5.6 on
amd64 generic.mp #333, shows question marks when doing ls in ssh (using
PuTTY set to UTF-8 in translation). The funny thing is that autocomplete
using tab shows the expected letters. pwd shows expected letters and even
ls | cat shows correct letters.

Is this a known problem? Is there a solution to make ls print correct UTF-8?

--
Jon Sjöstedt 



Re: Unable to do putty/SSH into fresh openBSD 5.6-install

2015-04-19 Thread Jon S
Thanks for the tip. It gave me some clues, like not reacting at all
sometimes, going half way other times and some other inconsistent behaviour.

After giving the new box a static IP that it did NOT share with a switch
everything works smooth as expected :)

2015-04-19 19:34 GMT+02:00 Kent Fritz fritz.k...@gmail.com:

 You need to look at debug.  From console:
 # /etc/rc.d/sshd stop
 sshd(ok)
 # /usr/sbin/sshd -d

 Now try to log in and see if you can get any clues from the output.

 On Sun, Apr 19, 2015 at 10:11 AM, Jon S jonsjost...@gmail.com wrote:

 Updated PuTTY from 0,63 to 0,64, but no improvement.


 Any other ideas?

 2015-04-19 18:22 GMT+02:00 Mike. the.li...@mgm51.com:

  On 4/19/2015 at 5:09 PM Jon S wrote:
 
  |Hi all!
  |
  |I just installed a fresh OpenBSD 5.6 on a new machine (booting from a
  |USB-stick and running bsd.rd, installing from ftp.eu.openbsd.org =
  |networking is fine). All sets are installed.
  |
  |Now I can't ssh (using PuTTY) into the new machine. authlog says fatal:
  |Timeout before authentication ip. My attempt to ssh is from a local
  |network. I can see a forked SSHD-process when I try to putty/ssh into the
  |new machine.
  |
  |ssh out from the new 5.6-machine to a different OpenBSD 4.9-machine works
  |fine. ssh back from the 4.9-machine to the new 5.6-machine works too.
  |
  |doing putty into the 4.9-machine also works
  |
  |Any ideas as to what can cause this? As far as I can remember the
  |4.9-machine uses the default SSH-settings, just as the 5.6-machine
 
 
  Are you using a current version of putty?
 
  When I had similar symptoms, I found out I was using an older version
  of putty.  Once I downloaded and installed the current version, all
  was happiness
 
 
 
 


 --
 
 Jon Sjöstedt
 Gamla Björboholmsvägen 2
 443 72 GRÅBO

 Mobil 0735 - 029 557

 jonsjost...@gmail.com jonsjost...@hotmail.com





--

Jon Sjöstedt
Gamla Björboholmsvägen 2
443 72 GRÅBO

Mobil 0735 - 029 557

jonsjost...@gmail.com jonsjost...@hotmail.com



Unable to do putty/SSH into fresh openBSD 5.6-install

2015-04-19 Thread Jon S
Hi all!

I just installed a fresh OpenBSD 5.6 on a new machine (booting from a
USB-stick and running bsd.rd, installing from ftp.eu.openbsd.org =
networking is fine). All sets are installed.

Now I can't ssh (using PuTTY) into the new machine. authlog says fatal:
Timeout before authentication ip. My attempt to ssh is from a local
network. I can see a forked SSHD-process when I try to putty/ssh into the
new machine.

ssh out from the new 5.6-machine to a different OpenBSD 4.9-machine works
fine. ssh back from the 4.9-machine to the new 5.6-machine works too.

doing putty into the 4.9-machine also works

Any ideas as to what can cause this? As far as I can remember the
4.9-machine uses the default SSH-settings, just as the 5.6-machine



--

Jon Sjöstedt

jonsjost...@gmail.com jonsjost...@hotmail.com



Re: Unable to do putty/SSH into fresh openBSD 5.6-install

2015-04-19 Thread Jon S
Updated PuTTY from 0,63 to 0,64, but no improvement.


Any other ideas?

2015-04-19 18:22 GMT+02:00 Mike. the.li...@mgm51.com:

 On 4/19/2015 at 5:09 PM Jon S wrote:

 |Hi all!
 |
 |I just installed a fresh OpenBSD 5.6 on a new machine (booting from a
 |USB-stick and running bsd.rd, installing from ftp.eu.openbsd.org =
 |networking is fine). All sets are installed.
 |
 |Now I can't ssh (using PuTTY) into the new machine. authlog says fatal:
 |Timeout before authentication ip. My attempt to ssh is from a local
 |network. I can see a forked SSHD-process when I try to putty/ssh into the
 |new machine.
 |
 |ssh out from the new 5.6-machine to a different OpenBSD 4.9-machine works
 |fine. ssh back from the 4.9-machine to the new 5.6-machine works too.
 |
 |doing putty into the 4.9-machine also works
 |
 |Any ideas as to what can cause this? As far as I can remember the
 |4.9-machine uses the default SSH-settings, just as the 5.6-machine


 Are you using a current version of putty?

 When I had similar symptoms, I found out I was using an older version
 of putty.  Once I downloaded and installed the current version, all
 was happiness






--

Jon Sjöstedt
Gamla Björboholmsvägen 2
443 72 GRÅBO

Mobil 0735 - 029 557

jonsjost...@gmail.com jonsjost...@hotmail.com



Group access issue

2014-01-07 Thread Jon S
Hi!

I have a situation where I would like to assign one group of people rights
to read a file and a different group of people the right to read and write
the same file (there are actually many files).

A different way to describe it would be: I would like a file to belong to
two groups, one with RW-permissions and one with R--permissions.

The files are accessed using ssh.


I run OpenBSD 4.9. Installing new software and/or upgrading to latest
OpenBSD would be acceptable partial solutions.

Any hints or ideas on how I can accomplish this?

--

Jon Sjöstedt

jonsjost...@hotmail.com