snmpd and route changes
msi, address ec:eb:b8:95:29:7c brgphy0 at bge0 phy 1: BCM5719C 10/100/1000baseT PHY, rev. 0 bge1 at pci14 dev 0 function 1 "Broadcom BCM5719" rev 0x01, BCM5719 A1 (0x5719001), APE firmware NCSI 1.5.33.0: msi, address ec:eb:b8:95:29:7d brgphy1 at bge1 phy 2: BCM5719C 10/100/1000baseT PHY, rev. 0 bge2 at pci14 dev 0 function 2 "Broadcom BCM5719" rev 0x01, BCM5719 A1 (0x5719001), APE firmware NCSI 1.5.33.0: msi, address ec:eb:b8:95:29:7e brgphy2 at bge2 phy 3: BCM5719C 10/100/1000baseT PHY, rev. 0 bge3 at pci14 dev 0 function 3 "Broadcom BCM5719" rev 0x01, BCM5719 A1 (0x5719001), APE firmware NCSI 1.5.33.0: msi, address ec:eb:b8:95:29:7f brgphy3 at bge3 phy 4: BCM5719C 10/100/1000baseT PHY, rev. 0 ppb13 at pci1 dev 28 function 6 "Intel C610 PCIE" rev 0xd5 pci15 at ppb13 bus 18 ppb14 at pci1 dev 28 function 7 "Intel C610 PCIE" rev 0xd5 pci16 at ppb14 bus 19 ehci1 at pci1 dev 29 function 0 "Intel C610 USB" rev 0x05: apic 8 int 18 usb3 at ehci1: USB revision 2.0 uhub3 at usb3 configuration 1 interface 0 "Intel EHCI root hub" rev 2.00/1.00 addr 1 pcib0 at pci1 dev 31 function 0 "Intel C610 LPC" rev 0x05 ahci0 at pci1 dev 31 function 2 "Intel C610 AHCI" rev 0x05: msi, AHCI 1.3 ahci0: port 0: 6.0Gb/s ahci0: port 1: 6.0Gb/s scsibus1 at ahci0: 32 targets sd0 at scsibus1 targ 0 lun 0: naa.5000c500b212c82e sd0: 953869MB, 512 bytes/sector, 1953525168 sectors sd1 at scsibus1 targ 1 lun 0: naa.5000c500b2126c31 sd1: 953869MB, 512 bytes/sector, 1953525168 sectors ichiic0 at pci1 dev 31 function 3 "Intel C610 SMBus" rev 0x05: apic 8 int 18 iic0 at ichiic0 isa0 at pcib0 isadma0 at isa0 pckbc0 at isa0 port 0x60/5 irq 1 irq 12 pckbd0 at pckbc0 (kbd slot) wskbd0 at pckbd0: console keyboard pcppi0 at isa0 port 0x61 spkr0 at pcppi0 vmm0 at mainbus0: VMX/EPT efifb0 at mainbus0: 1280x1024, 32bpp wsdisplay0 at efifb0 mux 1: console (std, vt100 emulation), using wskbd0 wsdisplay0: screen 1-5 added (std, vt100 emulation) uhub4 at uhub0 port 3 configuration 1 interface 0 "Standard Microsystems 
product 0x2660" rev 2.00/8.01 addr 2 uhidev0 at uhub0 port 10 configuration 1 interface 0 "Chicony HP Elite USB Keyboard" rev 1.10/1.21 addr 3 uhidev0: iclass 3/1 ukbd0 at uhidev0: 8 variable keys, 6 key codes wskbd1 at ukbd0 mux 1 wskbd1: connecting to wsdisplay0 uhidev1 at uhub0 port 10 configuration 1 interface 1 "Chicony HP Elite USB Keyboard" rev 1.10/1.21 addr 3 uhidev1: iclass 3/0, 2 report ids uhid0 at uhidev1 reportid 1: input=1, output=0, feature=0 ucc0 at uhidev1 reportid 2: 768 usages, 20 keys, array wskbd2 at ucc0 mux 1 wskbd2: connecting to wsdisplay0 uhidev2 at uhub0 port 11 configuration 1 interface 0 "PixArt USB Optical Mouse" rev 1.10/1.00 addr 4 uhidev2: iclass 3/1 ums0 at uhidev2: 3 buttons, Z dir wsmouse0 at ums0 mux 0 uhub5 at uhub1 port 1 configuration 1 interface 0 "Intel Rate Matching Hub" rev 2.00/0.05 addr 2 uhub6 at uhub3 port 1 configuration 1 interface 0 "Intel Rate Matching Hub" rev 2.00/0.05 addr 2 vscsi0 at root scsibus2 at vscsi0: 256 targets softraid0 at root scsibus3 at softraid0: 256 targets sd2 at scsibus3 targ 1 lun 0: sd2: 953868MB, 512 bytes/sector, 1953523553 sectors root on sd2a (6134b362762c60c8.a) swap on sd2b dump on sd2b -- Before enlightenment - chop wood, draw water. After enlightenment - chop wood, draw water. Marko Cupać https://www.mimar.rs/
Re: load balancing with rdomains
On Mon, 18 Dec 2023 14:08:04 +0100
Claudio Jeker wrote:

> On Mon, Dec 18, 2023 at 01:53:50PM +0100, Marko Cupać wrote:
> > What OpenBSD FAQ https://www.openbsd.org/faq/faq6.html#Multipath
> > says for a bit different scenario applies to some extent for this
> > one as well:
> >
> > "It's worth noting that if an interface used by a multipath route
> > goes down (i.e., loses carrier), the kernel will still try to
> > forward packets using the route that points to that interface. This
> > traffic will of course be blackholed and end up going nowhere. It's
> > highly recommended to use ifstated(8) to check for unavailable
> > interfaces and adjust the routing table accordingly."
>
> Uhm. This is not accurate. The kernel tracks interface state on
> routes and will not select a multipath route that is not considered
> UP. There is a smaller issue when there is no other multipath route.
> The lookup will select the route and not fall back to a less specific
> one that is still up.
>
> Could please someone update the FAQ?

I would like to contribute to the FAQ, but I'm not sure in which way to
go. According to my tests, the above is not literally correct in the
described case (route goes down on lost carrier). However, in the
frequent scenario where the interface is up, the route is valid, but the
ISP's side won't route our packets (which is perceived as "link is down"
by a user), a mechanism is still needed to prevent sending packets over
that interface.

Would "It's worth noting that if an interface used by a multipath route
loses data link while physical link is active..." be more appropriate?

A more radical option would be to describe the rdomain-based solution
instead of the current examples in both:

https://www.openbsd.org/faq/faq6.html#Multipath
https://www.openbsd.org/faq/pf/pools.html#outgoing

Best regards,
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
Re: load balancing with rdomains
On Sat, 16 Dec 2023 18:53:29 +0100
Petr Ročkai wrote:

> Hi,
>
> On Sat, Dec 16, 2023 at 06:37:54PM +0100, Marko Cupać wrote:
> > pass in on em0 from (em0:network) to probability 50% rtable 1
> > pass in on em0 from (em0:network) to probability 50% rtable 2
>
> IIUIC these two only add up to 75% probability – you presumably want
> probability 50% on the second of the two (the first one then being a
> match for everything that the later rule doesn't take up).

Thank you, I can confirm that your solution:

pass in on em0 from (em0:network) to rtable 1
pass in on em0 from (em0:network) to probability 50% rtable 2

... results in what I was trying to achieve - it load balances over both
uplinks without any blocked packets as long as both uplinks are active.

What OpenBSD FAQ https://www.openbsd.org/faq/faq6.html#Multipath says
for a bit different scenario applies to some extent for this one as
well:

"It's worth noting that if an interface used by a multipath route goes
down (i.e., loses carrier), the kernel will still try to forward packets
using the route that points to that interface. This traffic will of
course be blackholed and end up going nowhere. It's highly recommended
to use ifstated(8) to check for unavailable interfaces and adjust the
routing table accordingly."

...except - if I'm not mistaken - ifstated should in this case adjust
the pf ruleset instead of the routing table. If so, would using anchors
be the best way? Any working examples to share? I used some simple
ifstated rules but it is hard to wrap my head around probability
percentages for all the use cases - first link up, second down and vice
versa.

Thank you in advance,
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
Re: load balancing with rdomains
On Sat, 16 Dec 2023 10:25:07 - (UTC)
Stuart Henderson wrote:

> See "probability" in pf.conf(5).

Thank you for the tip. My test ruleset:

---start---
block log all
pass in on em0 from (em0:network) to
pass in on em0 from (em0:network) to probability 50% rtable 1
pass in on em0 from (em0:network) to probability 50% rtable 2
pass out on em0
pass out on em1
pass out on em2
---end---

... somewhat works, in a way that sessions from lan host to do get load
balanced to both rtables most of the time. However, some of the sessions
to (I tested with ssh) get denied by the default block rule initially:

block in on em0: PR.IV.AT.E.35528 > PU.BL.I.C.22: tcp 0 (DF) [tos 0x48]

and then, on consequent automatic ssh retry after a few seconds, get
moved to one of the two rtables.

From the above I conclude that the two rules of 50% do not make a total
of 100% in pf's logic, and there are situations where a packet won't be
passed by either of the two. That unfortunately won't work for my use
case. Or perhaps I'm configuring something wrong?

Best regards,
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
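The probability arithmetic behind this post and behind the reply from Petr Ročkai further up the page, as an added example that is not part of the thread: a small Python model of pf's last-matching-rule evaluation (without `quick`, the last rule that matches wins, and `probability` only decides whether a rule matches at all). It reproduces the 75% figure, shows the fix, and goes a bit beyond the thread by generating an equal-share ruleset for any number of usable uplinks, which is the piece ifstated would have to reload when one link drops. The destination `any` in the rendered rules is an assumption, since the destination of the thread's rules did not survive the archive.

```python
from fractions import Fraction

# Added model of how pf evaluates the "probability" rules from this
# thread; it is not pf's code. A rule is (label, match_probability) in
# pf.conf order: the label is what a packet ends up with when that rule
# is the final match (an rtable, or "block"), and match_probability is
# the rule's `probability` (1 for a rule without the keyword).


def outcome_distribution(rules):
    """Exact share of packets that end up at each label.

    Without `quick`, pf evaluates every rule and the LAST matching one
    wins, so rule i is the final match exactly when it matches and every
    rule below it has failed to match.
    """
    shares = {label: Fraction(0) for label, _ in rules}
    nothing_below_matched = Fraction(1)
    for label, p in reversed(rules):
        p = Fraction(p)
        shares[label] += nothing_below_matched * p
        nothing_below_matched *= 1 - p
    return shares


def equal_share_rules(active_rtables):
    """pf rules giving each currently usable uplink an equal share.

    Under last-match semantics the k-th rule from the top (k starting at
    1) must carry probability 1/k: the last of n rules takes 1/n, the one
    above it takes 1/(n-1) of what is left, and so on up to the first
    rule, which matches always. With one uplink up the single rule has
    probability 1 (no `probability` keyword); with none, no rules are
    emitted and the preceding block rule wins.
    """
    return [(f"rtable {rt}", Fraction(1, k))
            for k, rt in enumerate(active_rtables, start=1)]


def render_pf(rules, iface="em0", dest="any"):
    """Render the model back into pf.conf syntax (destination assumed `any`)."""
    lines = []
    for label, p in rules:
        if label == "block":
            lines.append("block log all")
            continue
        prob = "" if p == 1 else f" probability {float(p) * 100:g}%"
        lines.append(f"pass in on {iface} from ({iface}:network) to {dest}{prob} {label}")
    return lines


# The two rulesets from the thread, each preceded by the `block log all`
# that catches whatever the pass rules leave behind.
BLOCK = ("block", 1)
ORIGINAL = [BLOCK, ("rtable 1", Fraction(1, 2)), ("rtable 2", Fraction(1, 2))]
FIXED = [BLOCK] + equal_share_rules([1, 2])


def report(name, rules):
    print(f"{name}:")
    for line in render_pf(rules):
        print("  " + line)
    for label, share in outcome_distribution(rules).items():
        print(f"  {label:9s} {float(share) * 100:5.1f}%")


if __name__ == "__main__":
    report("original (two 50% rules)", ORIGINAL)
    report("fixed (first rule unconditional)", FIXED)
    # What ifstated would have to load when only ISP2's link is usable:
    report("only rtable 2 up", [BLOCK] + equal_share_rules([2]))
    report("three uplinks", [BLOCK] + equal_share_rules([1, 2, 3]))
```

Run with no arguments. The original ruleset sends 50% to rtable 2, 25% to rtable 1 and leaves 25% to the block rule, which is the behaviour the post observed; the fixed ruleset splits 50/50 with nothing blocked. Note that the share is uneven as well as incomplete in the original: the last rule always gets its full probability, and every rule above it only gets a share of what the rules below did not take.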
load balancing with rdomains
Hi,

I have a router whose LAN interface is in default rdomain 0, ISP1 in
rdomain 1 and ISP2 in rdomain 2. The reason for this is a bit
complicated, involves wireguard tunneling, I will give more details if
needed.

LAN hosts can access the Internet over ISP1 by means of:

pass in on $if_lan from ($if_lan:network) to rtable 1

Also over ISP2 if I change the above line to:

pass in on $if_lan from ($if_lan:network) to rtable 2

Is it possible to load-balance over both ISPs / rdomains?

Thank you in advance,
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
Re: pf queues
On Fri, 1 Dec 2023 04:56:40 +0300
4 wrote:

> match proto icmp set prio(6 7) queue(6-fly 7-ack)
> how is this supposed to work at all? i.e. packets are placed both in
> prio's queues 6/7 (in theory priorities and queues are the same
> thing), and in hsfc's queues 6-fly/7-ack at once?

I am not sure I understand what you don't understand here. Straight from
the manpage:

https://man.openbsd.org/pf.conf#set~2
If two priorities are given, TCP ACKs with no data payload and packets
which have a TOS of lowdelay will be assigned to the second one.

https://man.openbsd.org/pf.conf#set~3
If two queues are given, packets which have a TOS of lowdelay and TCP
ACKs with no data payload will be assigned to the second one.

ICMP is not the best example, but the syntax works. I guess the rule you
quoted results in behaviour where all the ICMP packets get priority of 6
and get assigned to queue 6-fly, even though the idea was to have
requests with priority of 6 assigned to queue 6-fly, and replies with
priority of 7 to queue 7-ack. But then again perhaps it works the latter
way, if icmp replies have TOS of lowdelay.

If this was TCP, payload would get priority of 6 and be assigned to
queue 6-fly, while ACKs would get priority of 7 and be assigned to queue
7-ack.

Anyway, after years of usage, and a lot of frustration in the beginning,
I find the current approach more flexible, because in HFSC queue and
priority have to be the same, while in current pf we can set it to be
exactly like HFSC, but also to have different priorities within the same
queue, or a different queue for the same priority. At this point I only
miss the ability to see prio values somewhere in monitoring tools like
systat.

The only way to get the answers is to test, write the ruleset wisely,
and observe systat. If someone knows of some others please let me know,
I am by no means "an expert on pf queueing", just a guy who has been
trying to tame his employer's network for quite some time now.

Regards,
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
Re: pf queues
f wireguard tunnels on external interfaces etc.

I once had the privilege to sit with Henning, author of the 'pf
megapatch' who introduced the new queuing mechanism. I complained that
the new stuff is not well documented, and asked if he could explain it
better to me. He said something along the lines of "I have no idea. It
works for me. All I know is in the manpage and the code is available in
CVS. Try if it works for you. If it doesn't and you know what should be
improved send a patch". Upon hearing this, I was enlightened :)

I hope the above will be helpful.

Best regards,
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
Re: ipsec hardware recommendation
Hi,

thank you for the suggestions, it took me some time to think about them
and reply here.

On Fri, 11 Aug 2023 14:19:44 - (UTC)
Stuart Henderson wrote:

> If you post your IPsec configuration, perhaps someone can suggest
> whether the choice of ciphers etc could be improved. It can make
> quite a difference.

I have just recently bumped quick enc from aes-128-gcm to aes-256-gcm,
as well as group from modp3072 to ecp256:

ike passive esp transport proto gre from $me to $peer \
    main auth hmac-sha2-256 enc aes-256 group ecp256 lifetime 24h \
    quick enc aes-256-gcm group ecp256 lifetime 8h

I have also increased lifetime from the default values because I was
getting quite a lot of INVALID COOKIE messages from isakmpd:

isakmpd[51306]: message_recv: invalid cookie(s) cookiea cookieb
isakmpd[51306]: dropped message from $peer port 500 due to notification type INVALID_COOKIE

On Sat, 12 Aug 2023 12:17:36 +1000
David Gwynne wrote:

> The things you can do Right Now(tm) are:
>
> - upgrade to -current
>
> the pf purge code has been taken out from under the big kernel lock.
> if you have a lot of pf states, this will give more time to crypto.

I have ~50,000 states during peak time. I can't go -current, but I will
look forward to 7.4. I also read the following articles on undeadly.org:

https://undeadly.org/cgi?action=article;sid=20230807094305
https://undeadly.org/cgi?action=article;sid=20230706115843

Once 7.4 hits, is it expected that changing gre/ipsec to sec(4) could
make a positive difference in throughput on the same hardware?

> - pick faster crypto algorithms

I posted mine above, I would be thankful to get the latest
recommendation.

> - try wireguard?

I am testing replacing a few of gre/ipsec with wg interfaces on 7.3 at
the moment. The main problem I am encountering so far is the fact that
`ospfctl reload` does not seem to pick up newly added (to ospfd.conf)
wg interfaces. `ospfctl sh int` shows them in DOWN state after reload,
and no OSPFv2 hello packets are being sent until `rcctl restart ospfd`.

It is quite unmaintainable to have to restart ospfd every time wg
interfaces are added to or removed from ospfd.conf. Any way around it?
Perhaps on some later release this will improve? Or am I doing it
wrong?

I have more questions about wireguard but I guess I should better ask
them in another topic.

Thank you in advance,
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
ipsec hardware recommendation
Hi,

I have a star topology network where dozens of spokes communicate with
other spokes through a central hub over GRE tunnels protected with
transport-mode ipsec. This worked great for years, but lately all the
locations got a bandwidth upgrade (spokes: 10Mbit -> 50Mbit, hub:
2x200Mbit -> 2x500Mbit), and I'm starting to experience problems.

Spokes have APU4D4s, and my tests show they can push up to 30Mbit/s of
ipsec bidirectionally.

Hub has an HPE DL360g9 with Xeon CPU E5-2623 v4 @ 2.60GHz and bge NICs,
and it seems it can push no more than 200Mbit/s of ipsec
bidirectionally (I have no chance to test this thoroughly in a lab, but
what I see in production indicates this strongly).

Are there any commands I can run which would indicate ipsec traffic is
being throttled due to hardware being underspecced? top shows CPU is
more than 50% idle. netstat shows ~1 Ierrs / Ifail (no Oerrs / Ifail)
on interfaces that deal with ipsec for two months' worth of uptime.

Would replacing the Xeon box with an AMD EPYC 7262 likely result in an
improvement? Should I go for some NICs other than bge? What hardware do
I need at the Hub location to accommodate ~400Mbit/s of ipsec
bidirectionally?

Thank you in advance,
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
Re: Some more humor, maybe?
On Wed, 22 Sep 2021 22:09:14 -0600 flint pyrite wrote: > Remember movement would not occur without involvement Hax0rz of the early 2020s why are you looking so round up? Without posture there's no movement. https://www.youtube.com/watch?v=a1oSXlU0ZUk :) -- Before enlightenment - chop wood, draw water. After enlightenment - chop wood, draw water. Marko Cupać https://www.mimar.rs/
local openrsync - incorrect directory ownership?
Hi,

I am using openrsync to back up some directory trees locally to a
separate mount point, using the -a flag, which should preserve file and
directory ownership provided rsync is run as root.

I noticed directory ownerships are not as expected in the backup
location (/tmp for the purpose of this demonstration), as opposed to
file ownerships, which are correct. I tested on multiple systems, 6.8
and 6.9, and I can always reproduce it as follows:

- create the following directory and file structure in user's home:

/home/user/dir1/file1.txt
/home/user/dir1/dir2/file2.txt
/home/user/dir1/dir2/dir3/file3.txt

By default, they are all owned by user (check with ls -lR):

/home/user/dir1:
total 8
drwxr-xr-x  3 user  user  512 Jun  7 11:28 dir2
-rw-r--r--  1 user  user    8 Jun  7 11:28 file1.txt

/home/user/dir1/dir2:
total 8
drwxr-xr-x  2 user  user  512 Jun  7 11:34 dir3
-rw-r--r--  1 user  user   10 Jun  7 11:28 file2.txt

/home/user/dir1/dir2/dir3:
total 4
-rw-r--r--  1 user  user   13 Jun  7 11:34 file3.txt

- now, as root, using the -a flag, sync /home/user/dir1 to /tmp/:

openrsync --rsync-path=/usr/bin/openrsync -a /home/user/dir1 /tmp/

- check (perhaps with ls -lR) file and directory ownership:

/tmp/dir1:
total 4
drwxr-xr-x  3 root  wheel  512 Jun  7 11:28 dir2
-rw-r--r--  1 user  user     8 Jun  7 11:28 file1.txt

/tmp/dir1/dir2:
total 4
drwxr-xr-x  2 root  wheel  512 Jun  7 11:34 dir3
-rw-r--r--  1 user  user    10 Jun  7 11:28 file2.txt

/tmp/dir1/dir2/dir3:
total 2
-rw-r--r--  1 user  user    13 Jun  7 11:34 file3.txt

Notice that files are correctly owned by user:user, but directories are
owned by root:wheel, as opposed to what the manpage says about the -a
flag (shorthand for, among others, -g and -o - preserve owner and group
if run as root).

Best regards,
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
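A way to verify what this post found by eye with ls -lR, as an added example that is neither openrsync's nor OpenBSD's code: a Python script that scans a source tree and its copy and lists every entry whose owner or group differs, keeping directories, files and symlinks apart so the "files fine, directories root:wheel" pattern is visible at once. The built-in constructed data mirrors the post's dir1 layout (uid/gid 1000 assumed for "user"); the script name check_owner.py and the use of numeric ids are assumptions.

```python
import os
import stat
import sys
import pwd
import grp

# Added check, not part of openrsync or OpenBSD: compare the owner and
# group of every entry between a source tree and its backup copy, so a
# backup run with -a can be verified instead of trusted.


def scan_tree(root):
    """Map each path relative to root to (kind, uid, gid).

    Symlinks are lstat()ed, not followed, so a link's own ownership is
    compared and nothing outside the tree is touched. "." is the root.
    """
    root = os.path.abspath(root)
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for full in [dirpath] + [os.path.join(dirpath, n) for n in dirnames + filenames]:
            st = os.lstat(full)
            if stat.S_ISDIR(st.st_mode):
                kind = "dir"
            elif stat.S_ISLNK(st.st_mode):
                kind = "symlink"
            else:
                kind = "file"
            entries[os.path.relpath(full, root)] = (kind, st.st_uid, st.st_gid)
    return entries


def ownership_mismatches(src, dst):
    """Entries present in both trees whose uid or gid differ.

    Returns (relpath, kind, (src_uid, src_gid), (dst_uid, dst_gid))
    tuples sorted by path.
    """
    out = []
    for rel in sorted(src.keys() & dst.keys()):
        kind, suid, sgid = src[rel]
        _, duid, dgid = dst[rel]
        if (suid, sgid) != (duid, dgid):
            out.append((rel, kind, (suid, sgid), (duid, dgid)))
    return out


def missing_entries(src, dst):
    """Paths in the source tree that the copy lacks (a different failure)."""
    return sorted(src.keys() - dst.keys())


def constructed_example():
    """The post's dir1 layout as scan_tree() would report it after the bug.

    Constructed data, not from a real run: files keep the user's ownership
    (uid/gid 1000 assumed for "user"), directories come out root:wheel (0:0).
    """
    user, root_wheel = (1000, 1000), (0, 0)
    layout = {".": "dir", "file1.txt": "file", "dir2": "dir",
              "dir2/file2.txt": "file", "dir2/dir3": "dir",
              "dir2/dir3/file3.txt": "file"}
    src = {p: (k,) + user for p, k in layout.items()}
    dst = {p: (k,) + (root_wheel if k == "dir" else user) for p, k in layout.items()}
    return src, dst


def owner_name(uid, gid):
    """user:group for display, falling back to numeric ids."""
    try:
        u = pwd.getpwuid(uid).pw_name
    except KeyError:
        u = str(uid)
    try:
        g = grp.getgrgid(gid).gr_name
    except KeyError:
        g = str(gid)
    return f"{u}:{g}"


if __name__ == "__main__":
    if len(sys.argv) == 3:
        src, dst = scan_tree(sys.argv[1]), scan_tree(sys.argv[2])
    else:
        src, dst = constructed_example()  # no arguments: show the post's case
    for rel in missing_entries(src, dst):
        print(f"MISSING  {rel}")
    for rel, kind, s, d in ownership_mismatches(src, dst):
        print(f"OWNER    {kind:7s} {rel}: source {owner_name(*s)}, copy {owner_name(*d)}")
```

For the post's setup the live call would be `python3 check_owner.py /home/user/dir1 /tmp/dir1` (openrsync without a trailing slash on the source creates dir1 inside /tmp). Run as root so that every entry can be stat()ed; with no arguments it reports the constructed case, where exactly the three directories show up and no files do.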
Re: BGP circular routing
On Thu, 29 Apr 2021 12:04:53 - (UTC)
Stuart Henderson wrote:

> On 2021-04-29, Marko Cupać wrote:
> > (...)
> > I have a problem with circular routing on a site which talks
> > BGP with two upstream providers, with traffic to site which has
> > static default route over third ISP:
> >
> >         --> ISP1 --> ISP3 -->
> > SITEA                         SITEB
> >         <-- ISP2 <-- ISP3 <--
>
> Asymmetric routing (circular suggests that it's looping so you have
> no working connectivity, which I think is not what you're describing).

Yes, thank you for the correction.

> > I tried to prepend self / neighbor to ISP2 - no change (ISP1 has
> > best routes for 99% of the prefixes, including to SITEB). I
> > contacted ISP2, they said the problem is with ISP3. I contacted
> > ISP3, they said ISP2 announces my prefix (they're my LIR) so the
> > best route is over them. I contacted ISP2 again, they said they
> > prepended my prefix to ISP3, but situation is the same.
> >
> > Is it OK for ISP2 (my LIR) to announce and prepend my prefix? I
> > thought I should be in control of that.
> >
> > Is there anything I can do about the situation?
>
> You can't do much to control incoming traffic though you can sometimes
> influence it. But you do control which routes you accept/prefer. If
> you want to avoid the asymmetric path, you need to prefer ISP2's
> announcements for SITEB, for example you could match and give it a
> higher localpref.

That was a really helpful suggestion. I increased SITEB's localpref:

match from $ISP2 prefix { A.B.C.D/E } set localpref 200

...and I ended up sending and receiving traffic to SITEB through the
same interface over ISP2. This is even better because the link over ISP2
until now had almost no outgoing traffic, while the one over ISP1 was
heavily utilized.

> Is it causing a problem though? This is completely normal and expected
> on the internet.

I was seeing quite a number of state-mismatch packets in SITEB's PF
info, which is the reason why I wanted to make traffic come and go
through the same interface on SITEA. Traffic between the sites is an
ipsec protected GRE tunnel, so isakmpd (udp) and esp. I suspect
state-mismatch was due to a slight difference in latency of the links.
It is too early to say that for sure, but I think I am noticing far
fewer state-mismatch packets in SITEB's PF info since the change.

Thanks!
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
BGP circular routing
Hi,

I guess this is not related to bgpd, but I hope there are skilled
network admins here who can give me advice.

I have a problem with circular routing on a site which talks BGP with
two upstream providers, with traffic to a site which has a static
default route over a third ISP:

        --> ISP1 --> ISP3 -->
SITEA                         SITEB
        <-- ISP2 <-- ISP3 <--

I tried to prepend self / neighbor to ISP2 - no change (ISP1 has the
best routes for 99% of the prefixes, including to SITEB). I contacted
ISP2, they said the problem is with ISP3. I contacted ISP3, they said
ISP2 announces my prefix (they're my LIR) so the best route is over
them. I contacted ISP2 again, they said they prepended my prefix to
ISP3, but the situation is the same.

Is it OK for ISP2 (my LIR) to announce and prepend my prefix? I thought
I should be in control of that.

Is there anything I can do about the situation?

Thank you in advance,
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
sasyncd question
Hi,

Is there a way to sync only SAs created on CARP interfaces, without
syncing those created on physical, non-CARP interfaces? Something like
the no-sync option in pf.conf for pfsync?

I'm asking because I have a pair of firewalls where the majority of
IPsec peers connect directly to non-CARP interfaces (GRE tunnels
connected with transport mode IPsec + OSPF), and just a few of them
connect to the CARP interface (passive tunnel mode IPsec because of
dynamic IP addresses on peers). sasyncd now syncs everything, so CARP
peers get SAs for the physical interfaces of the other CARP member,
which is undesirable, and I guess also prolongs the time to
re-negotiate SAs.

Is there any other way OpenBSD admins handle this situation?

Thank you in advance,
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
Re: npppd failed enable pipex: Invalid argument
On Mon, 17 Aug 2020 00:36:35 +0300
Vitaliy Makkoveev wrote:

> Hello Marko.
>
> Can I propose you to try upcoming 6.8? We moved pppac(4) and pppx(4)
> output processing out of kernel lock. pppx(4) output is still
> serialised by netlock, but I hope we'll make it per-cpu before 6.8
> release.
>
> Also, for curiosity reasons, what is your pppx(4) clients count?

Hi Vitaliy,

I can try a 6.8 snapshot and test 2-3 simultaneous clients, but
unfortunately not in "real life" production. In April, during the WFH
boom in the early days of lockdown I had up to 150 concurrent clients,
nowadays they average around 50. But not too much traffic, ~20Mbit/s in
total (people mostly RDP over pptp).

I'll report how I fare with 6.8 snapshots.

Regards,
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
Re: npppd failed enable pipex: Invalid argument
> > On 4 Aug 2020, at 17:04, Marko Cupać wrote:
> >
> > Hi,
> >
> > I have recently upgraded (actually installed from scratch and copied
> > config files) one of my firewalls from 6.6 to 6.7, and (sys)patched
> > it to 017_dix. Everything works great except my npppd setup. It
> > starts fine, but upon connecting over pptp I get the following
> > records in log:
> > (...)
> > Aug 4 15:48:48 nat2 npppd[66557]: ppp id=0 layer=base failed
> > enable pipex: Invalid argument

On Tue, 4 Aug 2020 18:31:44 +0300
Vitaliy Makkoveev wrote:

> In kernel timeout was disabled for pppx(4). Remove please
> "idle-timeout".

Sorry for the late reply, I haven't had the chance to test until now.
That was it, after removing idle-timeout, npppd accepts pptp
connections. Once again you saved me with npppd, thank you!
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
npppd failed enable pipex: Invalid argument
o com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo com1: probed fifo depth: 0 bytes pckbc0 at isa0 port 0x60/5 irq 1 irq 12 pckbd0 at pckbc0 (kbd slot) wskbd0 at pckbd0: console keyboard pcppi0 at isa0 port 0x61 spkr0 at pcppi0 pci16 at mainbus0 bus 255 "Intel Xeon-D QPI Link" rev 0x01 at pci16 dev 11 function 0 not configured "Intel Xeon-D QPI Link" rev 0x01 at pci16 dev 11 function 1 not configured "Intel Xeon-D QPI Link" rev 0x01 at pci16 dev 11 function 2 not configured "Intel Xeon-D QPI Debug" rev 0x01 at pci16 dev 11 function 3 not configured "Intel Xeon-D Cache" rev 0x01 at pci16 dev 12 function 0 not configured "Intel Xeon-D Cache" rev 0x01 at pci16 dev 12 function 1 not configured "Intel Xeon-D Cache" rev 0x01 at pci16 dev 12 function 2 not configured "Intel Xeon-D Cache" rev 0x01 at pci16 dev 12 function 3 not configured "Intel Xeon-D Cache" rev 0x01 at pci16 dev 15 function 0 not configured "Intel E5 v4 Cache" rev 0x01 at pci16 dev 15 function 1 not configured "Intel Xeon-D Cache" rev 0x01 at pci16 dev 15 function 4 not configured "Intel Xeon-D Cache" rev 0x01 at pci16 dev 15 function 5 not configured "Intel Xeon-D Cache" rev 0x01 at pci16 dev 15 function 6 not configured "Intel Xeon-D PCIE" rev 0x01 at pci16 dev 16 function 0 not configured "Intel E5 v4 R2PCIe Agent" rev 0x01 at pci16 dev 16 function 1 not configured "Intel Xeon-D Ubox" rev 0x01 at pci16 dev 16 function 5 not configured "Intel Xeon-D Ubox" rev 0x01 at pci16 dev 16 function 6 not configured "Intel Xeon-D Ubox" rev 0x01 at pci16 dev 16 function 7 not configured "Intel Xeon-D Home Agent" rev 0x01 at pci16 dev 18 function 0 not configured "Intel Xeon-D Home Agent" rev 0x01 at pci16 dev 18 function 1 not configured vendor "Intel", unknown product 0x6f70 (class system subclass miscellaneous, rev 0x01) at pci16 dev 18 function 2 not configured "Intel Xeon-D Memory" rev 0x01 at pci16 dev 19 function 0 not configured "Intel Xeon-D Memory" rev 0x01 at pci16 dev 19 function 1 not configured 
"Intel Xeon-D Memory" rev 0x01 at pci16 dev 19 function 2 not configured "Intel Xeon-D Memory" rev 0x01 at pci16 dev 19 function 3 not configured "Intel Xeon-D Memory" rev 0x01 at pci16 dev 19 function 4 not configured "Intel Xeon-D Memory" rev 0x01 at pci16 dev 19 function 5 not configured "Intel Xeon-D Memory" rev 0x01 at pci16 dev 19 function 6 not configured "Intel Xeon-D Memory" rev 0x01 at pci16 dev 19 function 7 not configured "Intel Xeon-D Memory" rev 0x01 at pci16 dev 20 function 0 not configured "Intel Xeon-D Memory" rev 0x01 at pci16 dev 20 function 1 not configured "Intel Xeon-D Memory" rev 0x01 at pci16 dev 20 function 2 not configured "Intel Xeon-D Memory" rev 0x01 at pci16 dev 20 function 3 not configured "Intel Xeon-D Memory" rev 0x01 at pci16 dev 20 function 4 not configured "Intel Xeon-D Memory" rev 0x01 at pci16 dev 20 function 5 not configured "Intel Xeon-D Memory" rev 0x01 at pci16 dev 20 function 6 not configured "Intel Xeon-D Memory" rev 0x01 at pci16 dev 20 function 7 not configured "Intel Xeon-D Memory" rev 0x01 at pci16 dev 21 function 0 not configured "Intel Xeon-D Memory" rev 0x01 at pci16 dev 21 function 1 not configured "Intel Xeon-D Memory" rev 0x01 at pci16 dev 21 function 2 not configured "Intel Xeon-D Memory" rev 0x01 at pci16 dev 21 function 3 not configured "Intel E5 v4 RAS" rev 0x01 at pci16 dev 22 function 0 not configured "Intel E5 v4 DDRIO" rev 0x01 at pci16 dev 22 function 6 not configured "Intel E5 v4 DDRIO" rev 0x01 at pci16 dev 22 function 7 not configured "Intel E5 v4 Thermal" rev 0x01 at pci16 dev 23 function 0 not configured "Intel E5 v4 DDRIO" rev 0x01 at pci16 dev 23 function 4 not configured "Intel E5 v4 DDRIO" rev 0x01 at pci16 dev 23 function 5 not configured "Intel E5 v4 DDRIO" rev 0x01 at pci16 dev 23 function 6 not configured "Intel E5 v4 DDRIO" rev 0x01 at pci16 dev 23 function 7 not configured "Intel Xeon-D PCU" rev 0x01 at pci16 dev 30 function 0 not configured "Intel Xeon-D PCU" rev 0x01 at pci16 dev 30 
function 1 not configured "Intel Xeon-D PCU" rev 0x01 at pci16 dev 30 function 2 not configured "Intel Xeon-D PCU" rev 0x01 at pci16 dev 30 function 3 not configured "Intel Xeon-D PCU" rev 0x01 at pci16 dev 30 function 4 not configured "Intel Xeon-D PCU" rev 0x01 at pci16 dev 31 function 0 not configured "Intel Xeon-D PCU" rev 0x01 at pci16 dev 31 function 2 not configured vmm0 at mainbus0: VMX/EPT efifb0 at mainbus0: 1280x1024, 32bpp ws
Re: OpenBSD Readonly File System
On 2020-06-24, Aaron Mason wrote:

> Auto filesystem repair is bad juju.

On 2020-06-25 11:17, Stuart Henderson wrote:

> Nonsense. For many, the possible downsides of automatically running
> fsck -y are much less a problem than the downsides of *not* running
> it.

Some time ago I wrote here on misc@ about a read-only setup, where I
intended to modify rc(8) in order to be able to relink the kernel before
mounting filesystems read-only, and - if I remember correctly - I was
warned never to modify rc(8) directly as it's considered part of the
base system, and I should only affect it with rc.local, which I did.

Is there a way to run fsck -y automatically without modifying rc(8)? Is
modifying rc(8) now supported?
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
Re: OpenBSD Readonly File System
On 2020-06-09 09:59, Vertigo Altair wrote:

> Hi Misc,
>
> I have a firewall device and I'm using OpenBSD on it. There is an
> electricity problem where the device runs. Therefore, I have to run
> the "fsck -y" command regularly at startup due to the electricity
> problem. To overcome this, I want to use readonly file system. I know
> there are some projects like "resflash", but I want to do that
> manually.
> ...
> On startup the following errors are coming from /etc/rc;
> I think errors about /etc/motd are not so important, but can the
> errors coming from /etc/tty* cause any problems?
> If my method is not correct, what is the best way to do this?

AFAIK, OpenBSD officially does not support a read-only root file
system. But I have a similar problem, and I have described my solution
here:

https://www.mimar.rs/blog/how-to-increase-openbsds-resilience-to-power-outages

HTH,
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
Re: About pf max-src-conn-rate
On 2020-05-27 14:27, Walter Alejandro Iglesias wrote:

> Another question about pf. Perhaps I don't fully understand how
> connection rate is calculated. The following line in /etc/pf.conf:
>
> pass in log inet proto tcp to any port { smtp smtps } synproxy state \
>     (max-src-conn-rate 5/30, overload flush global)
>
> Shouldn't avoid this happen? In /var/log/maillog
> ...
> A total of *323* connections from the same IP at less than a 1/4
> second interval during more than four minutes.

If I'm not mistaken (someone please correct me if I'm wrong), 323
connections in maillog is not the same as 323 tcp connections. You can
send 323 smtp commands in a single tcp session. Perhaps you should look
into https://man.openbsd.org/spamd to achieve your goal.
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
Re: OpenBSD insecurity rumors from isopenbsdsecu.re
On 2020-05-13 11:02, i...@aulix.com wrote:

(all your emails to @misc)

Dear Info,

the best way to get answers to all of your questions regarding OpenBSD
is to try and run OpenBSD for a few years, trying to make it help with
your real-world needs, such as a personal laptop, home gateway, personal
email or web server etc. After some time, you will be able to decide
whether OpenBSD is the right choice for you.

You should be able to find the majority of answers to your questions
regarding OpenBSD in manpages, the FAQ, and books such as "Absolute
OpenBSD", "The Book of PF" etc. There are also various blogs from
OpenBSD users, whose quality varies from very bad to very good.

As for idle gossip, I can suggest local bars, which is what I use. I
understand they are all closed now due to the current situation with
the pandemic, but the @misc mailing list is a really poor substitute.

Regards,
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
Re: pf table for all publicly routable ipv4 addresses
Hi,

thanks to everyone who sent me tips and ideas about the topic. At the moment I am testing the "negated table" approach, which seems to work fine:

block log all
pass in on $vlan_guests from $vlan:guests:network to !

...where table is a list of subnets I don't want to be reachable from the guest vlan (basically the table from the pf FAQ).

I have also been testing the "table with negated records" approach, which also seems to work fine:

block log all
pass in on $vlan_guests from $vlan:guests:network to

...where routable is a list of negated subnets I don't want to be reachable from the guest vlan (basically the table from the pf FAQ but with negated records, plus 0.0.0.0/0 on top).

Could it be that the pf FAQ is outdated about 0.0.0.0/0 not being usable in tables? pfctl has no problem adding, removing and listing the 0.0.0.0/0 subnet in tables. I'll test some more and send some feedback.

--
Before enlightenment - chop wood, draw water. After enlightenment - chop wood, draw water.
Marko Cupać https://www.mimar.rs/
Re: change default constraint server in ntpd.conf
On 2020-05-08 00:17, Theo de Raadt wrote:
Theo de Raadt wrote:
(...)
Stuart Henderson wrote:
(...)

Dear Stuart, Theo,

thank you for the insightful answers. I admit my understanding of the intricacies of the ntp protocol equals zero - same as my current motivation to learn more about it.

My need for accurate timekeeping on my OpenBSD firewalls is best described by the fact that I occasionally log into branch routers where I routinely discover their clock is off by >2 years because I forget to either start ntpd with the default ntpd.conf in the appropriate rdomain with Internet access, or to edit the default ntpd.conf to point them to an internal ntp server, also running on OpenBSD with the default ntpd.conf. To my great joy, this never affects their main functionality of pushing packets between branch office and HQ in a way I consider secure enough.

My main motivation for asking this question on @misc was political, and went along the lines of "why send these ad-peddling, private-data-slurping clowns any packets?" Thanks to your answers, I understand now there is more to it than "let's just put some website that is most likely to be there when we query it for constraints, and also promote it a bit while there".

Stay fresh,
--
Before enlightenment - chop wood, draw water. After enlightenment - chop wood, draw water.
Marko Cupać https://www.mimar.rs/
change default constraint server in ntpd.conf
Hi,

why not change the default constraint server in ntpd.conf from the current https://google.com to something more neutral / reputable? If https://www.openbsd.org does not want to be involved, perhaps https://www.ntp.org would be fine.

Regards,
--
Before enlightenment - chop wood, draw water. After enlightenment - chop wood, draw water.
Marko Cupać https://www.mimar.rs/
Re: pf table for all publicly routable ipv4 addresses
On 2020-05-04 19:23, Stuart Henderson wrote:
On 2020-05-04, Marko Cupać wrote:
Hi, I'd like to create a pf table "all publicly routable ipv4 addresses". Is this possible with some short syntax? Thank you in advance.

something like this?

# https://www.team-cymru.org/Services/Bogons/bogon-bn-agg.txt
table {
    !0.0.0.0/8
    !10.0.0.0/8
    !100.64.0.0/10
    !127.0.0.0/8
    !169.254.0.0/16
    !172.16.0.0/12
    !192.0.0.0/24
    !192.0.2.0/24
    !192.168.0.0/16
    !198.18.0.0/15
    !198.51.100.0/24
    !203.0.113.0/24
    !224.0.0.0/3
}

Yes. I want to have the opposite of the table described in the pf faq: https://www.openbsd.org/faq/pf/example1.html#pf

...so I can permit hosts on the guest vlan access to Internet hosts, but not to hosts on other private vlans, similar to:

block log all
pass in on $guest_vlan from $guest_vlan:network to

However, this apparently doesn't work. If I tested well, your table expands to "no addresses", not "all addresses but those". I thought I could do such a table like this:

table {0.0.0.0/0 \
    !0.0.0.0/8 \
    ... !224.0.0.0/3 }

...but https://www.openbsd.org/faq/pf/tables.html#addr states that "One limitation when specifying addresses is that 0.0.0.0/0 and 0/0 will not work in tables". I know I can solve this by reordering rules, and using block instead of pass, but I'd really like to have a table of all publicly routable ip addresses in pf.

Regards,
--
Before enlightenment - chop wood, draw water. After enlightenment - chop wood, draw water.
Marko Cupać https://www.mimar.rs/
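Both "pf table for all publicly routable ipv4 addresses" posts above (the negated-table and negated-records tests, and the exchange with Stuart Henderson) run into the same obstacle: pf tables are sets of prefixes, and the FAQ says 0.0.0.0/0 is not usable as a base to negate from. A third way, which sidesteps negation entirely, is to compute the complement explicitly and load those prefixes as a plain table. The script below is an added example, not code from the thread or from OpenBSD; it takes the bogon list Stuart posted, carves it out of the whole IPv4 space with Python's ipaddress module, and emits a file for pf's `table ... persist file` form (the table name `<routable>` and the path /etc/pf.routable are assumptions).

```python
import ipaddress

# Bogon list exactly as posted by Stuart Henderson in this thread
# (team-cymru aggregated bogons); everything else is treated as routable.
BOGONS = [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/3",
]


def routable_prefixes(bogons=BOGONS):
    """Minimal list of CIDR prefixes covering every IPv4 address not in `bogons`.

    Starts from 0.0.0.0/0 and removes each bogon with address_exclude(), so the
    resulting table needs neither 0.0.0.0/0 nor negated entries.
    """
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for b in bogons:
        bogon = ipaddress.ip_network(b)
        carved = []
        for net in remaining:
            if net.subnet_of(bogon):          # entirely inside a bogon: drop it
                continue
            if bogon.subnet_of(net):          # bogon sits inside this prefix: split around it
                carved.extend(net.address_exclude(bogon))
            else:                             # disjoint: keep as is
                carved.append(net)
        remaining = carved
    # collapse_addresses merges adjacent prefixes and returns them sorted
    return list(ipaddress.collapse_addresses(remaining))


def routable_address_count(bogons=BOGONS):
    """Total number of addresses covered by the computed table (sanity check)."""
    return sum(n.num_addresses for n in routable_prefixes(bogons))


def is_routable(addr, nets=None):
    """True when `addr` falls inside one of the computed routable prefixes."""
    ip = ipaddress.ip_address(addr)
    nets = nets if nets is not None else routable_prefixes()
    return any(ip in n for n in nets)


def pf_table_file(bogons=BOGONS):
    """Contents for a file loaded with:  table <routable> persist file "/etc/pf.routable"
    (table name and path are assumptions, one prefix per line as pfctl expects)."""
    return "".join(f"{n}\n" for n in routable_prefixes(bogons))


if __name__ == "__main__":
    nets = routable_prefixes()
    print(f"# {len(nets)} prefixes, {routable_address_count()} addresses")
    print(pf_table_file(), end="")
```

With the file in place, the guest rule becomes `pass in on $guest_vlan from $guest_vlan:network to <routable>` and the private vlans never match, because their prefixes are simply absent from the table. Regenerate the file whenever the bogon list changes and reload it with `pfctl -t routable -T replace -f /etc/pf.routable` (the `-T replace` keyword is pfctl's own; the name and path are this example's).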
pf table for all publicly routable ipv4 addresses
Hi,

I'd like to create a pf table "all publicly routable ipv4 addresses". Is this possible with some short syntax?

Thank you in advance.
--
Before enlightenment - chop wood, draw water. After enlightenment - chop wood, draw water.
Marko Cupać https://www.mimar.rs/
bad AGGREGATOR, AS 0 not allowed
Hi,

on 6.6-RELEASE amd64, (sys)patched up to 019_smtpd_exec, I am noticing these:

Apr 29 17:23:33 bgp1 bgpd[42338]: neighbor IP.ADD.RE.SS (desc): bad AGGREGATOR, AS 0 not allowed, attribute discarded

My bgpd.conf is almost default, announcing my AS to two upstream peers. I wrote to my peer, they said they are not sending me AS 0, and to clear my session. After 'bgpctl neighbor desc clear' I'm still getting these messages.

Is this related to: [https://marc.info/?l=openbsd-tech=156510627921885=2]

Can I safely disregard this, and wait for the next release for these messages to disappear?

Thank you in advance,
--
Before enlightenment - chop wood, draw water. After enlightenment - chop wood, draw water.
Marko Cupać https://www.mimar.rs/
Re: iked and rdomain
On 2020-04-17 14:37, Florian Weber wrote:
Good afternoon, is it possible to have only traffic which is routed through a specific rdomain being encrypted, i.e. have an enc interface in another rdomain and only the whole traffic that runs in that rdomain gets encrypted?

I have just recently implemented something which seems similar to what you need, albeit with isakmpd, not iked. Perhaps my hostname.if will give some hints:

me@somebox:~ $ doas cat /etc/hostname.em1
rdomain 1
inet 192.0.2.2 255.255.255.252 NONE \
    description "ISP"
!/sbin/route -T1 -n add default 192.0.2.1
!/sbin/route -T1 exec /sbin/isakmpd -K -c /etc/isakmpd/isakmpd.conf.1
!/sbin/route -T1 exec /sbin/ipsecctl -f /etc/ipsec.conf.1
!/sbin/route -T1 exec /usr/sbin/sshd -4 -f /etc/ssh/sshd_config.1

And yes, you will need enc1 for rdomain 1:

me@somebox:~ $ doas cat /etc/hostname.enc1
rdomain 1
up

Feel free to ask for more details (there's more to this setup, namely a gre tunnel protected with transport-mode ipsec, OSPF etc.).

Hope this helps,
--
Before enlightenment - chop wood, draw water. After enlightenment - chop wood, draw water.
Marko Cupać https://www.mimar.rs/
Re: npppd pptp hangs
On 2020-03-31 10:07, Marko Cupać wrote:
On Mon, 30 Mar 2020 14:33:46 +0300 Vitaliy Makkoveev wrote:
On Mon, Mar 30, 2020 at 02:28:08PM +0300, Vitaliy Makkoveev wrote:
> You have pipex(4) disabled. Does it still hang with disabled
> pipex(4)? As I discovered
> (https://marc.info/?t=15852997681=1=2), npppd with pipex(4)
> enabled and non-NULL "idle-timeout" option will crash kernel. You
> can disable this option in your npppd.conf and re-enable pipex(4).
> Looks like crashes should be gone.

And don't use pppac(4) with pipex enabled, use pppx(4). Crash you reported https://marc.info/?t=15850622592=1=2 is actual for pppac(4).

Thanks for the instruction. I have:
- left net.pipex.enable=1
- replaced tun1 with pppx0 in npppd.conf
- removed 'pipex no' from npppd.conf

So far so good, I'll send an update if I experience further hangs.

No crash since changing the interface from tun to pppx. Thanx!
--
Before enlightenment - chop wood, draw water. After enlightenment - chop wood, draw water.
Marko Cupać https://www.mimar.rs/
Re: npppd pptp hangs
On Mon, 30 Mar 2020 14:33:46 +0300 Vitaliy Makkoveev wrote:
> On Mon, Mar 30, 2020 at 02:28:08PM +0300, Vitaliy Makkoveev wrote:
> > You have pipex(4) disabled. Does it still hang with disabled
> > pipex(4)? As I discovered
> > (https://marc.info/?t=15852997681=1=2), npppd with pipex(4)
> > enabled and non-NULL "idle-timeout" option will crash kernel. You
> > can disable this option in your npppd.conf and re-enable pipex(4).
> > Looks like crashes should be gone.
> And don't use pppac(4) with pipex enabled, use pppx(4). Crash you
> reported https://marc.info/?t=15850622592=1=2 is actual for
> pppac(4).
>

Thanks for the instruction. I have:
- left net.pipex.enable=1
- replaced tun1 with pppx0 in npppd.conf
- removed 'pipex no' from npppd.conf

So far so good, I'll send an update if I experience further hangs.

The instruction on pppx(4) you gave me came as surprising news to me. I have been using npppd since it still had the undocumented 'old style' config. Once npppd.conf got its manpage (was it 5.3?) I set up tun1 as the PPTP interface and it worked great with up to ~20 clients all these years. I was very satisfied that all PPTP traffic went through a single interface (as opposed to my previous setup with poptop which created a separate tun interface for each session), as I had the ability to graph its traffic from SNMP data. I guess I was 'holding it wrong' all this time, and yet it worked well :)

Thank you once again.
--
Before enlightenment - chop wood, draw water. After enlightenment - chop wood, draw water.
Marko Cupać https://www.mimar.rs/
Re: npppd pptp hangs
On Sat, 28 Mar 2020 01:46:41 +0300 Vitaliy Makkoveev wrote:
> Can you try latest snapshot?

Unfortunately, the box that runs npppd is the most important machine on my network (GRE/IPsec hub for multiple branch offices), I can't take the risk.

> Can you share your npppd.conf?

Below, I have redacted sensitive information. Perhaps it is worth mentioning that npppd listens on the IP address of a CARP interface.

---npppd.conf.start---
# GLOBAL
set max-session 200
set user-max-session 1

# TUNNEL
tunnel EXAMPLEORG protocol pptp {
    listen on IP.ADD.RE.SS
    pptp-hostname vpn.example.org
    pptp-vendor-name "openbsd-npppd"
    ingress-filter yes
    pipex no
    mppe required
    mppe-key-length 128
    mppe-key-state stateless
    idle-timeout 1800
}

# IPCP
ipcp KAPPASTAR {
    pool-address "IP.ADD.RE.SS/24"
    dns-servers IP.ADD.RE.SS
    allow-user-selected-address no
}

# INTERFACE
interface tun1 address IP.ADD.RE.SS ipcp EXAMPLEORG

# AUTHENTICATION
authentication RADIUS type radius {
    strip-nt-domain yes
    strip-atmark-realm yes
    authentication-server {
        address IP.ADD.RE.SS secret "ThisIsNotRealPassword"
    }
    accounting-server {
        address IP.ADD.RE.SS secret "ThisIsNotRealPassword"
    }
}

bind tunnel from EXAMPLEORG authenticated by RADIUS to tun1
---npppd.conf.end---

Thank you in advance for looking into it.
--
Before enlightenment - chop wood, draw water. After enlightenment - chop wood, draw water.
Marko Cupać https://www.mimar.rs/
Re: npppd pptp hangs
On Tue, 24 Mar 2020 09:34:09 +0100 Marko Cupać wrote:
> On Tue, 24 Mar 2020 07:13:27 +1000
> Stuart Longland wrote:
>
> > On 23/3/20 10:26 pm, Marko Cupać wrote:
> > > Anything I can do to avoid future hangs?

I got another hang, this time killing the npppd process crashed the complete OS (sorry for the photo, I don't have a serial console set up):
https://oblak.mimar.rs/index.php/s/Cc9J745jH93RK6j

At the time when npppd wouldn't accept new connections, and npppctl wouldn't return anything, but before the crash, I noticed high CPU usage in top:

45125 _ppp 640 3128K 6340K onproc/3 -39:05 99.85% npppd

Perhaps bugs@ would be a more appropriate list?
--
Before enlightenment - chop wood, draw water. After enlightenment - chop wood, draw water.
Marko Cupać https://www.mimar.rs/
Re: npppd pptp hangs
On Tue, 24 Mar 2020 07:13:27 +1000 Stuart Longland wrote:
> On 23/3/20 10:26 pm, Marko Cupać wrote:
> > Anything I can do to avoid future hangs?
>
> Whilst probably not the answer you're looking for: moving away from
> PPTP would be a good start.
>
> The MSCHAPv2 authentication used in PPTP is vulnerable to dictionary
> attacks and the RC4 cipher used in MPPE (the security layer of PPTP)
> is laughably weak in today's security context. Whilst MSCHAPv2 can be
> replaced with EAP-TLS, there's no fix for MPPE.
>
> IPSec (which is built into OpenBSD) or OpenVPN (in ports) would be
> vastly superior options.

Indeed, I am also waiting for the day when I'll be able to point iked to Microsoft's implementation of a RADIUS server (NPS), which will authenticate Active Directory domain-joined machines by their machine certificate and hopefully with an additional domain user password for 2FA, authorise them by Active Directory group membership, and log their accounting in a format which can be easily parsed and converted into human-readable statistics with currently available parsers.

Uh, that sounded like I'm some kind of Microsoft fanboy, but I'm not. I just have to provide hundreds of Windows users a way to access resources on a corporate network in order to keep my bills paid. npppd's pptp helps me brilliantly (anyone remember poptop? that was hell :)

Anyway, I use IPSec extensively to connect branch office routers, both in tunnel mode for passive clients with dynamic IPs, and in transport mode for protecting GRE tunnels (OSPF). Lately I'm adding multipath redundancy over multiple ISPs using rdomains. OpenVPN also has a place on my network. OpenBSD is a miracle :)

Pardon my blatant self-promotion on the link below, but I think it's a win-win situation - I get eternal fame and glory on the Internet, and list readers get a copy/paste howto to set up an npppd pptp server with RADIUS authentication. Could come in handy in this "end of days" situation where everyone works remotely :D
https://www.mimar.rs/blog/how-to-set-up-pptp-vpn-server-with-openbsd-and-npppd

Best regards,
--
Before enlightenment - chop wood, draw water. After enlightenment - chop wood, draw water.
Marko Cupać https://www.mimar.rs/
npppd pptp hangs
Hi,

my npppd pptp server has recently got an increase from ~20 to >200 concurrent users. So far it worked flawlessly for years, but a few minutes ago it became unresponsive. It stopped logging at one point (I have its log redirected to its own file, /var/log/npppd). npppctl also hung, returning nothing. I couldn't restart it with rcctl, or kill it with HUP. I had to resort to `kill -9', and it started fine afterwards. It appears that already established sessions worked, but with poor performance.

I have lots of these in the log (I saw them earlier as well but they weren't causing problems AFAIK):

Mar 23 12:03:26 nat1 /bsd: pipex: ppp=1869 iface=tun1 protocol=PPTP id=45012 Received bad data packet: out of sequence: seq=1266880(1266946-1267010) ack=1915237(1915368-1915471)
Mar 23 12:03:26 nat1 /bsd: pipex: ppp=1869 iface=tun1 protocol=PPTP id=45012 Received bad data packet: out of sequence: seq=1266881(1266946-1267010) ack=1915239(1915368-1915472)
Mar 23 12:03:26 nat1 /bsd: pipex: ppp=1869 iface=tun1 protocol=PPTP id=45012 Workaround the out-of-sequence PPP framing problem: 1215 => 1151
Mar 23 12:06:59 nat1 /bsd: pipex: ppp=1847 iface=tun1 protocol=PPTP id=45439 received packet caused window overflow. seq=218469(218273-218337)may lost 196 packets.

Also, at the time before killing it there's:

Mar 23 13:13:37 nat1 /bsd: splassert: pipex_destroy_session: want 2 have 0
Mar 23 13:13:37 nat1 last message repeated 95 times

Anything I can do to avoid future hangs?

Thank you in advance,
--
Before enlightenment - chop wood, draw water. After enlightenment - chop wood, draw water.
Marko Cupać https://www.mimar.rs/
Re: routing with DMZ between internal and external firewall
On Mon, 16 Mar 2020 09:49:30 +0100 pebwindkraft wrote:
> Hi,
>
> I have a question concerning static routes and default gateways for a
> DMZ setup, with internal and external firewall.
> ...
> What would be the correct design?
> Can I use "only" the ext_fw with a static route, so that packages
> from DNS would travel twice through DMZ net (from DNS to ext_fw, and
> then from ext_fw via int_fw back to int_pc)?
>
> The information I found on misc@ and internet is usually talking
> about "home router" with NAT and three network cards, where one leg
> supplies the DMZ... Mine is different, and I think I do not need NAT
> here?

Hi,

I have a similar setup. Being on public IP space, I treat my DMZ as "Internet", meaning private IP addresses, either from the Internet or from the internal network, must not be able to contact it. So, I NAT everything from the internal network to the DMZ, which results in DNS & http seeing requests from em1, and not from the internal network.

Should you need more information don't hesitate to ask.

Regards,
--
Before enlightenment - chop wood, draw water. After enlightenment - chop wood, draw water.
Marko Cupać https://www.mimar.rs/
Re: no pcap file from isakmpd in OBSD6.6
Christoph Leser wrote:
Hi, after upgrading openbsd6.5 to openbsd6.6 using sysupgrade isakmpd does no longer write pcap files in /var/run. In /var/log/messages we see the following message:

isakmpd[7385]: log_packet_init: fopen ("/var/run/isakmpd.pcap", "w") failed: Permission denied

On 2019-12-03 19:30, Theo de Raadt wrote:
m_priv_local_sanitize_path() contains some realpath() checks. I think this is either exposing realpath() abuse (as a result of the new in-kernel realpath to support unveil better), or it is hitting the realpath() bug which was fixed post-release?

I get a similar message when trying to report information about SAs to isakmpd.results through isakmpd.fifo on 6.6.

echo "S" > /var/run/isakmpd.fifo

...(as root) doesn't return anything, doesn't create the results file, and gives an error message in the log:

Feb 6 21:20:16 kerber isakmpd[36105]: ui_open_result: fopen() failed: Permission denied

If someone knows about some workaround for obtaining isakmpd.results on 6.6 I'd be very grateful (or at least a binary patch :D )
--
Before enlightenment - chop wood, draw water. After enlightenment - chop wood, draw water.
Marko Cupać https://www.mimar.rs/
ipsec pf queuing weirdness
Hi,

while trying to implement queuing by service inside an ipsec tunnel, by tagging traffic first (either in ipsec.conf or on enc0 in pf.conf) and then setting the queue by tag on the outbound physical interface, I noticed that all traffic ends up in the same queue - the first one which starts queuing (not the default one).

Anyone interested in looking deeper into it? At this point I'm starting to suspect it could be a bug, or at least an undocumented caveat. I'll reply with much more information if someone responds :)

Thank you in advance,
--
Before enlightenment - chop wood, draw water. After enlightenment - chop wood, draw water.
Marko Cupać https://www.mimar.rs/
how to update remote bind zone from pppoe client?
Hi,

I have a bunch of branch offices whose gateways (OpenBSD on APU) connect to the 'net via PPPoE and obtain their dynamic public IP addresses from ISPs. Is there a way for them to update a remote bind zone every time the IP changes so I have their current public IP in DNS?

Thank you in advance,
--
Before enlightenment - chop wood, draw water. After enlightenment - chop wood, draw water.
Marko Cupać https://www.mimar.rs/
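One standard way to do what the question above asks is a TSIG-signed dynamic update (RFC 2136) sent with nsupdate(1) from the branch gateway whenever the PPPoE address changes. The script below is an added example, not from this thread or from any list reply: it reads the interface's current address from constructed ifconfig(8) output (the sample is made up and only its "inet" line matters), builds the nsupdate command batch that replaces the host's A record, and pushes it only when the address differs from the last one recorded. The name server, zone, hostname, key file path (/etc/ddns/branch7.key, a tsig-keygen style key file) and the state file are all assumptions of this example.

```python
import re
import subprocess

# Constructed ifconfig(8) output for a PPPoE interface (not from the thread); the
# address and peer are documentation prefixes and only the "inet" line is parsed.
SAMPLE_IFCONFIG = """\
pppoe0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1492
        index 6 priority 0 llprio 3
        dev: em0 state: session
        sid: 0x3e4 PADI retries: 0 PADR retries: 0 time: 02:13:41
        sppp: phase network authproto chap authname "branch7@isp.example"
        groups: pppoe egress
        status: active
        inet 203.0.113.45 --> 198.51.100.1 netmask 0xffffffff
"""

# "inet " followed by a space deliberately excludes "inet6" lines.
INET_RE = re.compile(r"^\s*inet (\d+\.\d+\.\d+\.\d+) ", re.M)


def current_address(ifconfig_output):
    """Return the interface's own IPv4 address from `ifconfig <if>` output, or None."""
    m = INET_RE.search(ifconfig_output)
    return m.group(1) if m else None


def nsupdate_script(server, zone, fqdn, address, ttl=300):
    """Command batch nsupdate(1) reads on stdin: drop any old A record, add the new one, send."""
    return (
        f"server {server}\n"
        f"zone {zone}\n"
        f"update delete {fqdn} A\n"
        f"update add {fqdn} {ttl} A {address}\n"
        "send\n"
    )


def needs_update(previous, current):
    """Only push when the interface has an address and it differs from the cached one."""
    return current is not None and current != previous


def push_update(keyfile, script):
    """Run nsupdate with the TSIG key file; True on success. Not executed by the tests."""
    res = subprocess.run(["nsupdate", "-k", keyfile], input=script, text=True)
    return res.returncode == 0


if __name__ == "__main__":
    # Hypothetical names; run from cron(8) on the gateway or from a PPPoE up hook.
    STATE = "/var/db/ddns.last"
    KEYFILE = "/etc/ddns/branch7.key"
    out = subprocess.run(["ifconfig", "pppoe0"], capture_output=True, text=True).stdout
    cur = current_address(out)
    try:
        prev = open(STATE).read().strip()
    except FileNotFoundError:
        prev = None
    if needs_update(prev, cur):
        batch = nsupdate_script("ns1.example.org", "branches.example.org",
                                "branch7.branches.example.org.", cur)
        if push_update(KEYFILE, batch):
            with open(STATE, "w") as f:
                f.write(cur + "\n")
```

On the BIND side, grant the key the narrowest right that works, for example `update-policy { grant branch7 name branch7.branches.example.org. A; };` in the zone statement (the key and host names are this example's), so a compromised branch box can rewrite its own A record and nothing else in the zone.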
Re: Filesystem corruption on OpenBSD routers after power outage?
On Tue, 04 Jun 2019 19:30:08 + Mogens Jensen wrote:
> Can anyone with experience running OpenBSD routers without UPS, tell
> if filesystem corruption is going to be a problem after power
> outages, or if there are any officially supported ways to make the
> system resilient enough to not break after a power outage?

I have described my !!!UNSUPPORTED!!! setup !!!WARNING, BLATANT SELF-PROMOTION!!! here:
https://www.mimar.rs/blog/how-to-increase-openbsds-resilience-to-power-outages

So far I have two 6.5's on PC Engines' apu2d4 (~20 6.2-6.4's). The only "problem" I have since 6.4 is that I have to mount / rw when tcpdumping because unveil does not like ro /etc.

HTH,
--
Before enlightenment - chop wood, draw water. After enlightenment - chop wood, draw water.
Marko Cupać https://www.mimar.rs/
Re: OpenBSD with root FS mounted read only
Hi,

I'm a little late to the party, missed this for me very important topic.

On Thu, 15 Nov 2018 15:26:03 +0100 jean-yves boisiaud wrote:
> Now, OpenBSD needs root FS mounted RW. And, from 6.4, even if fstab
> says root fs to be mounted RO, it stays RW and it is not possible to
> remount it RO manually. And lsof has been retired...

You can still mount rootfs RO. The trick is not to specify it as RO in fstab, but to create a script in rc.conf.local which will periodically check if the reorder_kernel script has finished its job, and only then remount partitions RO. More details on my [WARNING!BLATANT-SELF-PROMOTION-BELOW!] blog:
[https://www.mimar.rs/blog/how-to-increase-openbsds-resilience-to-power-outages]

BUT, as I wrote there, there are problems with the above setup on 6.4. I noticed tcpdump won't work when /etc is mounted RO. There is already a patch available for testing, but I haven't yet found the time to get to it:
[https://marc.info/?l=openbsd-bugs=154056998503006=2]

I have information that even if this patch was accepted, it won't be released as a syspatch for 6.4, as it is not security-related.

I am reluctant to install RO 6.4 on my production firewalls because I don't know if tcpdump is the only thing affected by the unveil bug, or there are also other components of the system that will behave badly because of RO file systems.

Finally, RO rootfs is unsupported by OpenBSD, but I sincerely hope devs will consider the fact that some users depend on it, and try not to break it completely down the road.

Regards,
--
Before enlightenment - chop wood, draw water. After enlightenment - chop wood, draw water.
Marko Cupać https://www.mimar.rs/
bgp match to $neighbor set nexthop $carp_ip on 6.4
Hi,

I am struggling to announce nexthop to my bgp peers after the default ruleset change in 6.4's bgpd.conf. On 6.3, I used to have:

match to $ISP1 set nexthop $CARP_TO_ISP1
match to $ISP2 set nexthop $CARP_TO_ISP2
deny from ebgp
deny to ebgp
allow to { $ISP1 $ISP2 }
allow from ibgp
allow to ibgp
(...defaults...)

I like the idea of having my simple ruleset done with minimal override to defaults. Moreover, I see that slapping the above ruleset onto 6.4 does not work the same as on 6.3 (I think I'm sending garbage upstream).

Any good soul out there to tell me what to put above:

### for simple BGP setups, no editing below this line is required ###

...in order to set nexthop per upstream neighbor, if possible?

Thank you in advance,
--
Before enlightenment - chop wood, draw water. After enlightenment - chop wood, draw water.
Marko Cupać https://www.mimar.rs/
mgre questions
Hi,

I'm trying to test mgre on 6.3, but without luck. There isn't much on it in the gre and ifconfig manpages, I am mostly trying out the configuration as stated here:
[http://openbsd-archive.7691.n7.nabble.com/mgre-4-point-to-multipoint-gre-tunnels-td337655.html]

...except I found out the mgre tunnel is specified with 'tunneladdr' and not 'tunnel', and inet is specified with a netmask (/24 in my case).

Are there some more texts on mgre on OpenBSD? Can they be terminated on CARP and pppoe interfaces? Right now I am trying to create mgre on a CARP interface on one side and a pppoe interface on the other side, I just can't make it work, and I don't see anything blocked in pf. Standard gre works fine.

Any advice?

Thank you in advance,
--
Before enlightenment - chop wood, draw water. After enlightenment - chop wood, draw water.
Marko Cupać https://www.mimar.rs/
Re: carppeer question
On Fri, 12 Oct 2018 17:31:41 +0200 Marko Cupać wrote:
> On Fri, 12 Oct 2018 11:56:28 +0200
> Marko Cupać wrote:
>
> > After introducing carppeer option I see incoming traffic on physical
> > interfaces of both MASTER and BACKUP firewalls, as opposed to the
> > situation without carppeer option, where I see incoming traffic on
> > physical interface of MASTER only.
>
> I am aware this is quite complex issue, presumably not related to
> OpenBSD itself but maybe to the switch (ATGS900MX). Still, I'd be very
> thankful for any advice on the matter.

The issue was apparently caused by the default spanning-tree configuration of the switch. Once I configured the switch ports as "edgeports", by means of 'spanning-tree portfast', the mac address table on the switch updates instantly.

Thanks to everyone for standing by while I was figuring this out :)
--
Before enlightenment - chop wood, draw water. After enlightenment - chop wood, draw water.
Marko Cupać https://www.mimar.rs/
Re: carppeer question
On Fri, 12 Oct 2018 11:56:28 +0200 Marko Cupać wrote:
> After introducing carppeer option I see incoming traffic on physical
> interfaces of both MASTER and BACKUP firewalls, as opposed to the
> situation without carppeer option, where I see incoming traffic on
> physical interface of MASTER only.

I hope I'm making some progress. I have set static non-multicast lladdr on my CARP interfaces (I have 3 of them - to ISP1, to ISP2 and to DMZ) for starters. I am also monitoring the mac address table on the switch which connects my firewalls to the above networks.

Failing over with carpdemote results in a clean failover, and the switch mac address table shows both physical and CARP lladdrs on ports that connect to the current MASTER, and only physical lladdrs on ports that connect to the current BACKUP.

However, rebooting BACKUP results (in my opinion) in a strange situation, where the switch's mac address table shows only MASTER's physical lladdrs, while CARP lladdrs go missing. When BACKUP comes back, the lladdr of one of the three CARP interfaces of MASTER appears immediately in the switch's mac address table (DMZ), while the other two don't - the respective switch ports show only physical lladdrs. Then, after a few minutes, another CARP lladdr shows up in the switch's mac address table (ISP1), but the third one (ISP2) continues to show the physical lladdr only, which results in incoming traffic on the physical interfaces that connect to ISP2 of both CARP members.

The situation seems to be self-healing when the designated BACKUP (higher advskew) takes the role of MASTER by increasing carpdemote on the designated MASTER (lower advskew), and the designated MASTER (currently BACKUP) reboots, at the moment when the designated MASTER takes over the MASTER role. But when the designated BACKUP gets restarted, switching roles does not happen, MASTER stays MASTER, and the switch's mac address table never updates the port with the CARP lladdr for ISP2.

I am aware this is quite a complex issue, presumably not related to OpenBSD itself but maybe to the switch (ATGS900MX). Still, I'd be very thankful for any advice on the matter.

Regards,
--
Before enlightenment - chop wood, draw water. After enlightenment - chop wood, draw water.
Marko Cupać https://www.mimar.rs/
carppeer question
Hi,

I have changed my CARP failover setup from the default multicast to unicast by introducing the carppeer config option. Physical interfaces share a /29 subnet with the upstream ISP, and IP addressing is as follows:

ISP:     XX.XXX.XXX.121/29
FW1:     XX.XXX.XXX.122/29
FW2:     XX.XXX.XXX.123/29
FW_CARP: XX.XXX.XXX.124/29

I am announcing my AS to the ISP via BGP from both FW1 and FW2, using match rules to set $FW_CARP as the nexthop address:

match to $ISP set nexthop $FW_CARP

After introducing the carppeer option I see incoming traffic on the physical interfaces of both MASTER and BACKUP firewalls, as opposed to the situation without the carppeer option, where I see incoming traffic on the physical interface of MASTER only.

Here's hostname.carp3 of both firewalls:

FW2 (MASTER):
inet XX.XXX.XXX.124 255.255.255.248 NONE \
    description ISP-CARP \
    advskew 0 \
    carpdev bge3 \
    carppeer XX.XX.XXX.122 \
    pass -OfCourseIChangedThis \
    vhid 3

FW1 (BACKUP):
inet XX.XXX.XXX.124 255.255.255.248 NONE \
    description ISP-CARP \
    advskew 100 \
    carpdev em1 \
    carppeer XX.XXX.XXX.123 \
    pass -OfCourseIChangedThis \
    vhid 3

Is this the intended behaviour? Or am I doing something wrong?

By the way, I am moving to unicast CARP primarily because I heard that OSPF sessions in GRE tunnels that terminate on unicast CARP interfaces survive failovers, as opposed to my tests with default multicast CARP where OSPF gets confused after failover. I couldn't find much info on this, and I would be thankful if someone pointed me where to look or shared their experiences.

Thank you in advance,
--
Before enlightenment - chop wood, draw water. After enlightenment - chop wood, draw water.
Marko Cupać https://www.mimar.rs/
Re: Running your own mail server
On Tue, 18 Sep 2018 10:32:25 +0100 Kevin Chadwick wrote:
> I see clamav and other scanning stuff as an insecurity personally.

Can you elaborate, please?
--
Before enlightenment - chop wood, draw water. After enlightenment - chop wood, draw water.
Marko Cupać https://www.mimar.rs/
Re: alien OSPF route
On Fri, 14 Sep 2018 15:27:30 +0200 Remi Locherer wrote:
> Did you save the console output and daemon log from the restart?
> Can you share it?

I restarted ospfd again with rcctl, console output gives just the usual:

ospfd(ok)
ospfd(ok)

The second one waiting a bit more than I remember it used to. Here's the ospfd-related stuff from the daemon log:

Sep 14 15:40:58 nat1 ospfd[34802]: route decision engine exiting
Sep 14 15:40:58 nat1 ospfd[73845]: ospf engine exiting
Sep 14 15:40:58 nat1 ospfd[2242]: kernel routing table decoupled
Sep 14 15:40:58 nat1 ospfd[2242]: terminating
Sep 14 15:40:58 nat1 ospfd[55815]: startup
Sep 14 15:40:58 nat1 ospfd[55815]: alien OSPF route 10.30.1.45/32
Sep 14 15:40:58 nat1 ospfd[55815]: alien OSPF route 10.30.1.56/32
Sep 14 15:40:58 nat1 ospfd[55815]: alien OSPF route 10.30.6.81/32
Sep 14 15:40:58 nat1 ospfd[55815]: alien OSPF route 10.30.19.42/32

The first three alien routes are on an openbsd router two hops away, the last one is my laptop which is one hop away. Could it be these are routes installed when someone connects through ssh? I am connected through ssh, and it is possible that my colleague also connected through ssh from 10.30.1.X and 10.30.6.X addresses.

> Would I be in charge of running this network I would want to know
> where these alien routes come from. But I think it did not affect
> your network badly since you did not mention an outage. ;-)

My point exactly :) If you have any idea where to start looking I'd be grateful for any tips.

Thank you for helping me with this.
--
Before enlightenment - chop wood, draw water. After enlightenment - chop wood, draw water.
Marko Cupać https://www.mimar.rs/
network architecture question
Hi,

for years I have been using a setup with two firewalls: the "outer" one - FW1-BGP - connecting to upstream ISPs and talking BGP to them regarding my DMZ, and the "inner" one - FW2-NAT, doing NAT for my LAN.

 ISP1   ISP2
    \   /
  [FW1-BGP]
      |
    (DMZ)
      |
  [FW2-NAT]
      |
    (LAN)

(Actually, it's more complicated due to each of the firewalls having their CARP twin, but that shouldn't matter for my questions).

I'm considering moving to a setup with just one firewall (ok, two, because of CARP, once again it should not matter), which would connect to upstream ISPs, DMZ and LAN.

 ISP1   ISP2
    \   /
  [FW1-ALL]
    /   \
 (DMZ)  (LAN)

Any success / failure stories from admins who already went through this? Any pitfalls I should avoid?

My main concern is the fact that in the previous setup I could set up ip aliases on the DMZ interface on my NAT server, and redirect requests to them to LAN hosts. This way I could switch ISPs and still access my LAN hosts (via redirection) through the same DMZ ip addresses. Will I still be able to do this in the single firewall setup? I guess this won't work:

pass in on $ext_if inet proto tcp from any to $dmz_ipaddr \
    rdr-to $lan_ipaddr

...assuming I am also doing NAT on $ext_if:

match out on $ext_if inet from any to any received-on $if_int \
    nat-to $ext_if

If I'm correct about the above not working, is there a chance to achieve the same goal by means of an nc proxy? Or some other way?

Any other things I should be aware of? Or should I just continue with my current two-firewall setup?

Thank you in advance,
--
Before enlightenment - chop wood, draw water. After enlightenment - chop wood, draw water.
Marko Cupać https://www.mimar.rs/
Re: alien OSPF route
On Thu, 13 Sep 2018 21:13:11 +0200
Remi Locherer wrote:

> On Thu, Sep 13, 2018 at 05:21:37PM +0200, Marko Cupać wrote:
> > Hi,
> >
> > I saw this in my log for the first time, after adding 'no
> > redistribute default':
> >
> > ospfd[10921]: alien OSPF route 10.30.1.47/32
> >
> ospfd logs this message when it sees a routing entry with priority 32
> which it did not originate.

Thank you for clarification, Remi.

Indeed, this firewall gets default route with priority of 32 from downstream cisco router, which is visible in routing table:

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            193.53.106.254     UGS     1187 10456064776     -     8 bnx1
default            192.168.225.6      UG         0           0     -    32 carp1

> When you see this during the start of ospfd it could be from another
> ospfd running in the same rdomain. I had this when I wanted to do a
> config check but missed the option "-n" and started a second instance.
> There is now a check for this in the startup of ospfd in -current.

Those addresses reported as alien routes are on subnet which is connected to another openbsd box, something like this:

openbsd---cisco---openbsd

All those three boxes talk OSPF. But on remote openbsd box which probably reports those routes, vlan interfaces for these subnets are set as passive, so they shouldn't get any updates even if someone ran OSPF on their phone.

> You will also see this message when you add a static route with the
> "-priority 32". ospfd removes such routes after logging it.
>
> What did you do after adding "no redistribute default" to the config
> file? Restart with rcctl, reload with ospfctl?

Restart with rcctl.

> And why did you add "no redistribute default"? By default your default
> route is not redistributed.

I thought this firewall's carp partner to-be was getting default route from it, but it doesn't - it gets it from downstream cisco router.

I don't see any negative effects on my network, just curious if I should be worried :)

Regards,
-- 
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
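The reply above explains that ospfd flags priority-32 kernel routes it did not install, and removes static ones added with "-priority 32". The script below is an added example, not code from this thread: it parses the text of `route -n show` and lists every entry sitting at the OSPF priority, marking the static ones. The sample table is constructed from the two default routes quoted above plus three lines made up for illustration; the priority values for connected (4) and BGP (48) routes are taken from OpenBSD's <net/route.h> and are not stated on this page.

```python
"""List kernel routes that occupy the OSPF priority slot on OpenBSD.

Added example, not from the thread. Parses the text of `route -n show`
(fields: Destination Gateway Flags Refs Use Mtu Prio Iface) and reports
every entry at priority 32, which is the priority ospfd uses; entries
with the S (static) flag are the ones ospfd logs as alien and removes.
"""

# Priorities 8 (static) and 32 (OSPF) appear in the thread; the connected
# and BGP values come from OpenBSD's <net/route.h>, not from the page.
ROUTE_PRIO_OWNER = {4: "connected", 8: "static", 32: "ospfd", 48: "bgpd"}
OSPF_PRIO = 32

# Constructed sample in `route -n show` layout: the two default routes
# quoted in the post, plus three extra lines made up for illustration.
SAMPLE_ROUTE_SHOW = """\
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            193.53.106.254     UGS     1187 10456064776     -     8 bnx1
default            192.168.225.6      UG         0           0     -    32 carp1
10.30.1.47/32      192.168.225.6      UG         0           0     -    32 carp1
10.99.0.0/24       192.168.225.6      UGS        0           0     -    32 carp1
192.168.225.0/29   192.168.225.5      UC         3           0     -     4 carp1
"""


def parse_routes(text):
    """Return one dict per data line of the routing table."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        # Section titles, the column header and blank lines do not have
        # eight columns with a numeric priority in the seventh.
        if len(fields) < 8 or not fields[6].isdigit():
            continue
        routes.append({
            "dest": fields[0],
            "gateway": fields[1],
            "flags": fields[2],
            "prio": int(fields[6]),
            "iface": fields[7],
        })
    return routes


def routes_by_owner(text):
    """Pair each destination with the source that owns its priority slot."""
    return [(r["dest"], ROUTE_PRIO_OWNER.get(r["prio"], f"prio {r['prio']}"))
            for r in parse_routes(text)]


def ospf_slot_routes(text):
    """Routes at the OSPF priority; 'static' marks those ospfd will evict."""
    return [{**r, "static": "S" in r["flags"]}
            for r in parse_routes(text) if r["prio"] == OSPF_PRIO]


if __name__ == "__main__":
    for r in ospf_slot_routes(SAMPLE_ROUTE_SHOW):
        if r["static"]:
            note = "static: ospfd will log it as alien and delete it"
        else:
            note = "compare against ospfctl show rib"
        print(f"{r['dest']:18} via {r['gateway']:15} on {r['iface']:6} {note}")
```

Run it against the output of `route -n show` on the firewall to see which entries share ospfd's priority; a static route in that slot is the case Remi describes, while the others should be found in ospfd's own RIB.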
alien OSPF route
Hi,

I saw this in my log for the first time, after adding 'no redistribute default':

ospfd[10921]: alien OSPF route 10.30.1.47/32

My ospfd.conf is quite minimal:

router-priority 0
router-id IP.ADD.RE.SS
no redistribute default

area 0.0.0.0 {
        interface bnx0 {
                metric 100
        }
}

How to further investigate this? I see this on OpenBSD firewall which connects to Cisco router. The address appears to be smartphone on one of remote networks.

Thank you in advance,
-- 
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
Re: The Ultimate OpenBSD Media Server
On 2018-08-12, John Long wrote:
> I don't get why anybody would want transcoding in 2018.
>> On Sun, 12 Aug 2018 08:42:41 + (UTC)
>> Stuart Henderson wrote:
>> They don't usually *want* transcoding but are forced to do it by
>> poor codec support on client devices.

Actually I *want* the possibility of transcoding, mostly because lately I have the luxury of active listening to music only during my daily commute (public transit + park walking), on a smartphone with in-ear headphones. In this environment I don't hear much difference between original 320kbps and transcoded 64kbps mp3s.

I am fortunate enough to have unlimited mobile data plan, but am frequently passing dead spots and zones with edge transfer speeds which is another reason. Or not, because I can turn on pre-fetch and caching but still. Having a choice is good, isn't it?
-- 
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
Re: The Ultimate OpenBSD Media Server
On Sat, 11 Aug 2018 21:55:15 -0700 Jordan Geoghegan wrote: > ...'Serviio'... Thank you for the tip. I have tried dozens of these but not Serviio. I have currently settled on subsonic's fork called airsonic which runs in tomcat. I run it on FreeBSD at the moment but it should work on OpenBSD too. -- Before enlightenment - chop wood, draw water. After enlightenment - chop wood, draw water. Marko Cupać https://www.mimar.rs/
Re: pf - NAT not working after systemboot
On Fri, 27 Jul 2018 12:33:01 +0300
Ville Valkonen wrote:

> On 26 July 2018 at 13:01, Thomas Huber wrote:
> > Hi misc,
> >
> > my current pf setup works fine but I face the problem, that NAT
> > does not work directly after system boot. Only when I do a
> >
> > # pfctl -f /etc/pf.conf
> >
> > after the booting things are working correctly.
> > Note: I don't make any changes to pf.conf.
>
> as Solene mentioned, it's because the interface is not ready.
>
> Maybe something like this (adapted from iked.conf manual page):
> all rules that have pppoe mentioned, append (if-bound).

I am using pf with pppoe for more than a decade on dozens of boxes and never got into a problem with NAT not working. On some crappy providers it is not unusual to wait for 10 minutes after reboot for pppoe to negotiate and get IP address. Also, sometimes pppoe link goes down and doesn't come back for hours. None of this requires reloading of pf rules, it just waits until pppoe reconnects, box usually gets different public IP address, and after that NATs to new address.

Am I missing something?
-- 
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
Re: Status of Owncloud?
On Sun, 22 Jul 2018 16:25:35 -0400 Rupert Gallagher wrote: > Nextcloud, a government-funded project to keep your data secure... > Hold on to your buts, here it comes. So, National governments = bad I guess as opposed to Multinational corporations = good Got it, thanks. :D On a more serious note, I switched to Nextcloud the day it was forked and never looked back to Owncloud. On FreeBSD though. It introduced WebRTC videoconferencing via spreed app, also public upload folders, I like NC more than OC not just because of politics but also because of features. -- Before enlightenment - chop wood, draw water. After enlightenment - chop wood, draw water. Marko Cupać https://www.mimar.rs/
Re: Employers, Jobs and OpenBSD
On Fri, 13 Jul 2018 23:05:09 -0300 Man Hobby wrote: > What is the opinion of employers about OpenBSD? > There is reason for to learn use OpenBSD to find job? > If not, why? > If there is not reason for to learn use OpenBSD to find job, why use > OpenBSD? There are employers and employers, as for mine I think their opinion goes somewhere along the lines of "This is great, both technically and financially wise, but I'd like to have more than one local guy who knows how to run this stuff". Hack with OpenBSD if you like it, and hopefully one day you will be able to get some money from it. Regards, -- Before enlightenment - chop wood, draw water. After enlightenment - chop wood, draw water. Marko Cupać https://www.mimar.rs/
Re: %ÿ4 Coding OS, Vanity gods, LKML/GNU Attitude Problems, Problematic Netelements in general.
On Mon, 9 Jul 2018 16:30:58 +0200 Ywe Cærlyn wrote: > Slight retweak, to %ÿ4 Coding OS. > > Having had a bit of feel with the namechange I think I can do even > better. Looking at what really needs to be fixed with the internet, > starting with Fair Pay, getting rid of poor and thieving GNU, and > warezpups in general, LKML/GNU Attitude problems, and problematic > netelements in general, slight final finish with retweak to %ÿ4 > coding OS. Where's ISO? I'd like to give it a spin :D -- Before enlightenment - chop wood, draw water. After enlightenment - chop wood, draw water. Marko Cupać https://www.mimar.rs/
Re: Rewards of Up to $500,000 Offered for OpenBSD Zero-Days (and other dist.)
On Wed, 4 Jul 2018 19:02:56 +0100
Tom Smyth wrote:

> Hello Marko /Sekeres
>
> I don't mean to start a flame war as it is counterproductive but I don't
> fully get what you mean / imply by
>
> >.".. while not requiring from OpenBSD to introduce Code of Conduct"

I'm just trolling around :)

At the same time I'm relatively long-time *BSD user, thankful to anyone and everyone who is making them possible. Especially to OpenBSD who still appears to stick to simple "Don't be an asshole" CoC, as opposed to some who took the different path, probably partly as a result of accepting large "generous" "contributions". As The Smiths sang, "Some BSDs are bigger than the others".

Once again, I'm just trolling around, I hope no one takes my posts on this topic seriously.
-- 
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
Re: Rewards of Up to $500,000 Offered for OpenBSD Zero-Days (and other dist.)
On Wed, 4 Jul 2018 18:06:04 +0200
Reyk Floeter wrote:

> I hope somebody steps up and donates $500,000 to the OpenBSD
> foundation instead.

... while not requiring from OpenBSD to introduce Code of Conduct :D
-- 
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
Re: Rewards of Up to $500,000 Offered for OpenBSD Zero-Days (and other dist.)
On Sat, 30 Jun 2018 23:11:15 +0200 "Szekeres Dani" wrote: > Rewards of Up to $500,000 Offered for FreeBSD, OpenBSD, NetBSD, Linux > Zero-Days Seen this comment on /. http://dilbert.com/strip/1995-11-13 :D -- Before enlightenment - chop wood, draw water. After enlightenment - chop wood, draw water. Marko Cupać https://www.mimar.rs/
chromium and firefox - myths and facts?
Hi,

over last few years, I got an impression that OpenBSD project seems to favour Chromium over Firefox. For example, in:

https://www.openbsd.org/papers/BeckPledgeUnveilBSDCan2018.pdf

"We know it's right when we can do chrome."
"[...]chrome - the stuff we use frequently"

I understand neither browser's code. However, current propaganda that reaches me goes along the lines "Firefox is made by non-profit organization with users' freedom in mind, while Chromium is made by for-profit organization for the purpose of extraction of users' personal information".

I trust OpenBSD project and its users more than big vendors' pitches, so I'd like to ask:

Is the above untrue? Am I, as a user, more vulnerable to security and privacy violations using Firefox than Chromium on OpenBSD?

Or is this question off-topic, as OpenBSD cares about technical correctness of the code in regard to overall security of a computer system, not outcome of users voluntarily running technically correct code, even when it compromises their personal security?

Something else?

Thank you in advance,
-- 
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
ProLiant DL380 gen10
Hi, anyone running OpenBSD on ProLiant DL380 gen10? I need a box to replace my dying firewall. My employer strongly prefers HP for (networking) servers due to their presence here in Serbia. How good is their support is best described by the fact they don't have demo centre to try it out, while non-faulty hardware can not be returned. Other vendors are either non-present, or have even worse support. So I have to buy a few thousand worth "cat in a bag" and cross my fingers it will work. If there are people running OpenBSD on ProLiant DL380 gen 10 or some other current ProLiant please tell me about your experiences. Thank you in advance, -- Before enlightenment - chop wood, draw water. After enlightenment - chop wood, draw water. Marko Cupać https://www.mimar.rs/
Re: Viewport for man.openbsd.org -- readability on phones
On May 2018
Multiple list members wrote:

> I took an iPhone with iOS and Safari ( i think!) on it and pointed
> the browser to the current link of man pages [1]. All i can say is the
> layout is displayed on full display, not stretched.
> Text is fine, paragraphs are scaled ok, not even a simple problem.
> Font is fine.

> I tried it on my iPhone 5s and everything looks great!

> I can second that. It looks perfect on iPhone using Safari.

From last few posts, I can conclude one should use Safari on iPhone for the purpose of reading OpenBSD manpages on a mobile device.

One of the things I like about OpenBSD is the ability to focus on its goal of trying to be the most secure operating system, not fads. I am sure OpenBSD will correct their errors in html/css code, if any, according to established standards, for the benefit of their users. I believe OpenBSD won't bend over to fulfill 'embrace, extend, extinguish'-style expectations of big browser vendors.

Keep up the good work.
-- 
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
Re: OpenBSD blocks IPsec traffic
On Wed, 18 Apr 2018 15:45:04 +0200
"C. L. Martinez" <carlopm...@gmail.com> wrote:

> Thanks Marko, but I have found the problem.
>
> These rules are under anchor sub-group rules ... Moving these rules
> to top after "block log all", all it is working ...

I'm glad you made it work.

> Maybe is it a bug with anchor rules?

I couldn't comment on this, I don't write PF code, just rulesets :)

However, before considering the possibility of a bug, I would first check if rule order in pf.conf matches output of `pfctl -vvsr'. ruleset-optimization is by default set to "basic" (read more in pf.conf(5)), so rule order you see in pf.conf is often not rule order that you get in pfctl -vvsr.

Happy firewalling,
-- 
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
Re: OpenBSD blocks IPsec traffic
On Wed, 18 Apr 2018 15:01:24 +0200
"C. L. Martinez" <carlopm...@gmail.com> wrote:

> Hi all,
>
> I am trying to configure an ipsec tunnel (host-to-host) between two
> hosts that go through an openbsd firewall. Tunnel is established, but
> when I try to, for example, connect via ssh from one host to the
> other, pf blocks traffic:
>
> Apr 18 12:53:00.286351 rule 24/(match) [uid 0, pid 19127] block out on
> vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 1 len 100 (DF)
> [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
> Apr 18 12:53:02.292330 rule 24/(match) [uid 0, pid 19127] block out on
> vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 2 len 100 (DF)
> [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
> Apr 18 12:53:06.300396 rule 24/(match) [uid 0, pid 19127] block out on
> vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 3 len 100 (DF)
> [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
> Apr 18 12:53:14.324382 rule 24/(match) [uid 0, pid 19127] block out on
> vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 4 len 100 (DF)
> [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
> Apr 18 12:53:30.356437 rule 24/(match) [uid 0, pid 19127] block out on
> vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 5 len 100 (DF)
> [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
>
> To do some tests, I have configured the following rules:
>
> pass in inet from 172.22.55.2 to 172.22.59.6 flags S/SA keep state
> (if-bound)
> pass in inet from 172.22.59.6 to 172.22.55.2 flags S/SA keep state
> (if-bound)
>
> Any idea?

Hard to say without complete ruleset, but from what I see here, your rule 24 blocks outbound esp from 172.22.59.6 to 172.22.55.2 on vio0, while no other rule after that (or one before that with 'quick' keyword) permits it. Check exact line with pfctl -vvsr.

Add either default 'pass out' somewhere below (I prefer it at the end of my ruleset, as I have so far never blocked out stuff I already passed in), or pass out exact traffic you need, eg:

pass out on vio0 proto esp from 172.22.59.6 to 172.22.55.2

Hope this helps,
-- 
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
PS1 in 6.3
Hi,

before I get to the question, I'd like to thank all the people who made 6.3 happen. Keep up the good work! :)

I noticed that on 6.3 prompt shows hostname($|#) by default. Up until now I was setting it by exporting PS1 in .profile:

PS1="\u@\h:\w \\$ "
export PS1

Where is the default setting for prompt? Is it still ok to change it in .profile (I like also to have pwd in prompt).

Pardon my ignorance, and thank you in advance,
-- 
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
Re: bug tracking system for OpenBSD
On Sat, 31 Mar 2018 08:55:35 -0400 Eric Furman <ericfur...@fastmail.net> wrote: > You think I'm going to visit a .ru website? Until I read this I thought nothing about your possible actions as I knew nothing about you. Now I have negative opinion. Regards, -- Before enlightenment - chop wood, draw water. After enlightenment - chop wood, draw water. Marko Cupać https://www.mimar.rs/
Re: OSPF over gif on top of IPsec transport -current
Hi,

sorry to hijack the thread, my question is not directly related, but deals with same goal.

I have physical topology where datacentre has two carped firewalls, while branch offices have single firewall each, with two uplinks:

                                        isp2---em0
datacenterA                                         branchoffice1
    em0 \                               isp3---em1
         carp0---isp1  INTERNET
    em0 /                               isp4---em0
datacenterB                                         branchoffice2
                                        isp5---em1

                                        ispX---em0
                                                    branchofficeN
                                        ispY---em1

I'd like to achieve two primary goals:

- each branch office has routes to both datacentre and all other branch offices (OSPF?)
- each branch office uses em0 as primary link, fails over automatically to em1 when em0 fails

I tried GRE tunnels from branch offices' both physical interfaces to datacentres' carp interface, but this doesn't work (apparently gre is not aware of carp and links go down when carp master changes). I didn't test two gre tunnels for each branch office's physical interface (one to each carp member physical interface), as this seems too cumbersome to maintain even if it worked.

Any advice?

Thank you in advance,
-- 
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
Re: Bandwidth Queuing on Asymmetrical Connections?
On Sat, 17 Feb 2018 12:30:28 -0800
Jordan Geoghegan <jgeoghega...@gmail.com> wrote:

> Hi folks, I was wondering how one goes about maintaining separate
> upload and download queues in pf. I have been playing with various
> combinations and I can't seem to get both queues to apply
> simultaneously.
>
> For example, I have a 150 down 15 up connection. I want to limit a
> specific device on the network to 100 down and 10 up. I can't for the
> life of me figure out how to make this apply. I either end up setting
> a 10 megabit limit or 100. How do the pf gurus manage their
> asymmetrical connections?

From my experience queueing is a bit tricky nowadays, but here are a few tips.

Do not trust ISP's declared bandwidth. Do extensive testing, and see how much you really get.

Next, set your parent queues to 90% of max bandwidth you get without queueing. Set all three values (bandwidth, min and max) to this value:

# QUEUES
queue ul on $if_ext bandwidth 14M min 14M max 14M
...
queue dl on $if_int bandwidth 140M min 140M max 140M

I prefer to set my queue matches early in the ruleset, so it applies to all the rules later:

# QUEUE MATCHES
match proto tcp to any port ssh set queue ssh
match proto tcp to any port rdp set queue rdp
match proto tcp to any port $xmpp set queue xmpp

If you queue not by services but by ip addresses, and you have NAT, you will need to tag traffic on internal interface and queue it on external interface by that tag.

Good luck,
-- 
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
Re: Community-driven OpenBSD tutorials wiki?
Sorry for late chime-in. On Thu, 4 Jan 2018 15:02:45 -0500 Nick Holland <n...@holland-consulting.net> wrote: > But the magic is not setting up the wiki (or anything else for > documenting), it's MAINTAINING it and getting others to participate. > ... > For example, I looked at the first article on the mimar blog > here, and I disagree with the basic structure. Too much duplication > of installation instructions, too much "do this", too little "here's > why I'm doing this". There's some really great things in there, like > the -P command to populate the MFS file systems, without even > commenting about that nifty command people might not know about. And > then you have a bunch of echos used to create a script. boo. Just > provide the script and say "copy/paste this into your editor", or > better, "here's how I did it", and assume if someone needs to be told > to copy/paste into their editor, they shouldn't. Don't obscure the > actual details with "echo ... I am doing my part! :D I updated my article for 6.2 to include multiple disk partitions in order to take advantage of W^X, kernel relinking etc. I also considered your feedback and rewrote stuff without echos. There's even video tutorial at the end of the page (I know I know everyone hates them). !WARNING - BLATANT SELF PROMOTION BELOW! [https://www.mimar.rs/blog/how-to-increase-openbsds-resilience-to-power-outages] Feedback is welcome. -- Before enlightenment - chop wood, draw water. After enlightenment - chop wood, draw water. Marko Cupać https://www.mimar.rs/
check list mails for malware
Hi,

my mail system has just blocked mail from b...@openbsd.org which contains malware. Perhaps incoming mails to openbsd lists should be checked for malware before they are distributed to list members?

Here's amavis report:

A virus was found: Rtf.Downloader.Obfuscation-6370377-2

Scanner detecting a virus: ClamAV-clamd

Content type: Virus
Internal reference code for the message is 38708-15/bg254irHCuHA

First upstream SMTP client IP address: [192.43.244.163]:25439 lists.openbsd.org

Received trace: ESMTPS://[192.43.244.163]:25439 < ESMTP://127.0.0.1 < ESMTPS://46.102.152.157 < local://x

Return-Path: <owner-bugs+m28...@openbsd.org>
From: Natalia.S <natalia.shchetin...@westernunion.com>
Sender: owner-b...@openbsd.org
Message-ID: <e1eboox-0006fw...@bankosantantder.com>
Subject: Запрос на возврат средств клиента

The message has been quarantined as: virus-bg254irHCuHA

The message WAS NOT relayed to:
<marko.cu...@mimar.rs>:
   250 2.7.0 ok, discarded, id=38708-15 - infected: rtf.downloader.obfuscation-6370377-2

Virus scanner output:
p001: Rtf.Downloader.Obfuscation-6370377-2 FOUND
p004: Rtf.Downloader.Obfuscation-6370377-2 FOUND

Return-Path: <owner-bugs+m28...@openbsd.org>
Received: from openbsd.org (lists.openbsd.org [192.43.244.163])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.mimar.rs (Postfix) with ESMTPS id 294A9625A23E
        for <marko.cu...@mimar.rs>; Tue, 16 Jan 2018 15:34:12 +0100 (CET)
Received: from openbsd.org (localhost [127.0.0.1])
        by openbsd.org (OpenSMTPD) with ESMTP id e9a25692;
        Tue, 16 Jan 2018 07:34:08 -0700 (MST)
Received: from bankosantantder.com (bankosantantder.com [46.102.152.157])
        by openbsd.org (OpenSMTPD) with ESMTPS id b863df7e (TLSv1.2:AES256-SHA256:256:NO)
        for <b...@openbsd.org>; Tue, 16 Jan 2018 06:17:48 -0700 (MST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
        d=bankosantantder.com; s=dkim;
        h=Date:Message-Id:Reply-To:Content-type:MIME-Version:From:Subject:To;
        bh=zqQlCXfowdvAkKI7caNIkqVOL643LzTD988dF1+98Ms=;
        b=Z8IH5uRa0b4QCZ+m2aMA64/EIZvyl8O+Ep92Bg6J11VgMRXK1aVxvHEFT/vANurnwqVFyyEWcmU6Y72TD9IwwCF6hqV78kZl00rM/8RxDqBXrDs9AJwKFy6SEZQa8nvG7qSpZ7qCOlUgo8R3rWUO4Vw5yCIH4GnPctpPUA/IOSQ=;
Received: by bankosantantder.com with local (Exim 4.80)
        id 1ebOox-0006FW-0M; Tue, 16 Jan 2018 05:50:23 -0500
To: b...@openbsd.org
Subject: =?UTF-8?B?0JfQsNC/0YDQvtGBINC90LAg0LLQvtC30LLRgNCw0YIg0YHRgNC10LTRgdGC0LIg0LrQu9C40LXQvdGC0LA=?=
From: =?UTF-8?B?TmF0YWxpYS5T?= <natalia.shchetin...@westernunion.com>
MIME-Version: 1.0;
Content-type: multipart/mixed; boundary="--pnSRa1E8p2"
Reply-To: natalia.shchetin...@westernunion.com
Message-Id: <e1eboox-0006fw...@bankosantantder.com>
Date: Tue, 16 Jan 2018 05:50:23 -0500
X-Content-Discarded: text/html
List-Help: <mailto:majord...@openbsd.org?body=help>
List-ID:
List-Owner: <mailto:owner-b...@openbsd.org>
List-Post: <mailto:b...@openbsd.org>
List-Subscribe: <mailto:majord...@openbsd.org?body=sub%20bugs>
List-Unsubscribe: <mailto:majord...@openbsd.org?body=unsub%20bugs>
X-Loop: b...@openbsd.org
Precedence: list
Sender: owner-b...@openbsd.org
-- 
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
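The amavis report above already shows what a quick header triage would surface: the visible From: claims one domain while the DKIM signature, the Message-Id and the first external relay all name another. The script below is an added example, not part of the post or of amavis: it parses the quoted headers with Python's standard email module, decodes the RFC 2047 Subject, and checks whether the From: domain agrees with the signing domain, the Message-Id domain and the oldest "Received: from" host, in the spirit of a DMARC alignment check. The sample headers are constructed from the ones quoted above (addresses kept as redacted there, DKIM bh= and b= omitted), so it inspects alignment only and does not verify the signature.

```python
"""Triage the sender identity of a quarantined message (added example).

Not from the post. It parses the headers amavis quoted and reports
whether the visible From: domain agrees with the DKIM signing domain,
the Message-Id domain and the first external relay. The signature
itself is not verified (bh=/b= are left out of the sample).
"""
import re
from email import message_from_string
from email.header import decode_header, make_header

# Constructed sample, copied from the headers in the post (abridged).
SAMPLE_HEADERS = """\
Return-Path: <owner-bugs+m28...@openbsd.org>
Received: from openbsd.org (lists.openbsd.org [192.43.244.163])
    by mail.mimar.rs (Postfix) with ESMTPS id 294A9625A23E
    for <marko.cu...@mimar.rs>; Tue, 16 Jan 2018 15:34:12 +0100 (CET)
Received: from openbsd.org (localhost [127.0.0.1])
    by openbsd.org (OpenSMTPD) with ESMTP id e9a25692;
    Tue, 16 Jan 2018 07:34:08 -0700 (MST)
Received: from bankosantantder.com (bankosantantder.com [46.102.152.157])
    by openbsd.org (OpenSMTPD) with ESMTPS id b863df7e (TLSv1.2:AES256-SHA256:256:NO)
    for <b...@openbsd.org>; Tue, 16 Jan 2018 06:17:48 -0700 (MST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
    d=bankosantantder.com; s=dkim;
    h=Date:Message-Id:Reply-To:Content-type:MIME-Version:From:Subject:To;
Received: by bankosantantder.com with local (Exim 4.80)
    id 1ebOox-0006FW-0M; Tue, 16 Jan 2018 05:50:23 -0500
To: b...@openbsd.org
Subject: =?UTF-8?B?0JfQsNC/0YDQvtGBINC90LAg0LLQvtC30LLRgNCw0YIg0YHRgNC10LTRgdGC0LIg0LrQu9C40LXQvdGC0LA=?=
From: =?UTF-8?B?TmF0YWxpYS5T?= <natalia.shchetin...@westernunion.com>
Reply-To: natalia.shchetin...@westernunion.com
Message-Id: <e1eboox-0006fw...@bankosantantder.com>
Sender: owner-b...@openbsd.org
"""

DOMAIN_RE = re.compile(r"@([A-Za-z0-9.-]+)")


def header_domain(value):
    """Domain part of the first address in a header value, lower-cased."""
    m = DOMAIN_RE.search(value or "")
    return m.group(1).lower() if m else None


def dkim_domain(signature):
    """The d= tag of a DKIM-Signature header (the signing domain)."""
    for tag in (signature or "").split(";"):
        key, _, val = tag.strip().partition("=")
        if key.strip() == "d":
            return val.strip().lower()
    return None


def first_external_hop(msg):
    """Host named in the oldest 'Received: from ...' header.

    Relays prepend Received headers, so the last one is the oldest; a
    'Received: by ...' line (local submission) names no peer and is skipped.
    """
    for hop in reversed(msg.get_all("Received", [])):
        m = re.match(r"\s*from\s+(\S+)", hop)
        if m:
            return m.group(1).lower()
    return None


def decoded_subject(msg):
    """RFC 2047 decode of Subject (the =?UTF-8?B?...?= form)."""
    return str(make_header(decode_header(msg.get("Subject", ""))))


def analyse(raw_headers):
    """Collect identity domains and list every one that disagrees with From."""
    msg = message_from_string(raw_headers)
    from_dom = header_domain(msg.get("From"))
    report = {
        "subject": decoded_subject(msg),
        "from_domain": from_dom,
        "dkim_domain": dkim_domain(msg.get("DKIM-Signature")),
        "msgid_domain": header_domain(msg.get("Message-Id")),
        "first_hop": first_external_hop(msg),
        "findings": [],
    }
    for label in ("dkim_domain", "msgid_domain", "first_hop"):
        other = report[label]
        if other and from_dom and not other.endswith(from_dom):
            report["findings"].append(
                f"{label} {other} does not align with From domain {from_dom}")
    return report


if __name__ == "__main__":
    result = analyse(SAMPLE_HEADERS)
    print(result["subject"])
    for finding in result["findings"]:
        print("-", finding)
```

A list server cannot fix the sender's domain alignment, but a receiving MTA that evaluates it (or the DMARC policy of the domain in From:) has a reason to quarantine such a message before a content scanner ever looks at the attachment.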
Re: Video-conferencing tool a la Skype or Facetime for OpenBSD?
On Fri, 5 Jan 2018 00:18:12 +0900
Bryan Linton <b...@shoshoni.info> wrote:

> Hello misc@
>
> I have a friend who runs Windows who has asked me if there is any
> way we can occasionally communicate with each other via some kind
> of video-conferencing application similar to what programs like
> Skype and Facetime provide.
>
> Does such a thing already exist for OpenBSD?

Do you mean client software that connects from both Windows and OpenBSD to public videoconferencing services, or self-hosted videoconferencing server?

I don't know about the former, but as for latter, I am testing two different approaches:

- nextcloud with webrtc: [https://nextcloud.com/webrtc/]
- matrix/synapse: [https://github.com/matrix-org/synapse]

Nextcloud with webrtc should work on OpenBSD. Matrix/Synapse has FreeBSD port, I don't know about OpenBSD.

Regards,
-- 
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
Re: Community-driven OpenBSD tutorials wiki?
On Thu, 4 Jan 2018 09:13:58 -0700 Base Pr1me <tlemery5...@gmail.com> wrote: > The Pledge of the Network Admin, from one of those book authors: > http://bsdly.blogspot.com/2011/01/i-will-not-mindlessly-paste-from-howtos.html > :D I found this pledge quite early, and it instantly became my pledge as well. But I think the significant word here is "mindlessly". Pasting from howtos is not bad per se, in my opinion, as long as you gradually get to understand what you pasted. -- Before enlightenment - chop wood, draw water. After enlightenment - chop wood, draw water. Marko Cupać https://www.mimar.rs/
Re: Community-driven OpenBSD tutorials wiki?
On Thu, 4 Jan 2018 10:41:19 -0500
Bryan Harris <bryanlhar...@gmail.com> wrote:

> My preference is to purchase a book. I have had a good experience with
> Absolute OpenBSD, Httpd & Relayd, the tarsnap book, and the Book of
> PF.
>
> I would buy a book about OpenSMTPD and also ikev2 but I didn't see
> any.
>
> Just my $0.02, I like books better than online tutorials.

Couldn't agree more. Those are good books.

However, back in the day when I was completely fresh to OpenBSD, I preferred to copy/paste someone's working solution, and then discover which config line does what, how, and why. That's because I had no clue about anything. It was valuable to read how people designed solutions to their needs, what combination of software they used etc. Only at a later stage I was able to dive into documentation.

I was particularly fond of this set of howtos: http://www.kernel-panic.it/openbsd.html
-- 
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
Re: Community-driven OpenBSD tutorials wiki?
Feel free to contribute to [!WARNING - BLATANT SELF PROMOTION BELOW!] [https://www.mimar.rs/blog/tag:openbsd] As a side note, setting up apache and grav [https://getgrav.org/] took me an hour or so. Writing simple article takes whole day, sometimes much more. -- Before enlightenment - chop wood, draw water. After enlightenment - chop wood, draw water. Marko Cupać https://www.mimar.rs/
Re: Simplifying pf-rules
On Thu, 4 Jan 2018 14:09:50 +0100
Jon S <jonsjost...@gmail.com> wrote:

> Hello misc!
>
> My OpenBSD file server just became a router too (after getting a new
> internet connection where the provider does not include a router in
> the subscription).

If possible, I'd avoid combining file server and firewall services on single box.

> This led to my first experiences with pf. After some work I came up
> with what's below. It works as I want it to work, but I wonder if
> there is a way to create a rule where incoming traffic to the
> internal NIC (re0) is passed if it is targeted for em0 (external,
> internet NIC)? The current solution would require an update of the
> "pass in on re0 to !re0:network"-rule if another NIC is added (let's
> say a DMZ).

All my pf rulesets start with defining interface macros so they are more readable, and also more flexible (this way changing NIC with different driver needs one line changed, instead of all lines in the ruleset referencing that interface):

# INTERFACE MACROS
if_int = "re0"
if_ext = "em0"

> set skip on lo0
>
> # Block everything everywhere by default
> block log all

I prefer to put "match" section above default "block log all" rule. It's more logical to me, as something being "matched" has no impact if it's not "passed" or "blocked" later on in the ruleset.

> # NAT local network to external
> match out on em0 inet from re0:network nat-to (em0)
>
> # Allow all outgoing traffic
> pass out on {em0, re0}
>
> # Allow only specific services on this machine to be accessed from
> # local network
> pass in on re0 inet proto tcp to port ssh   # ssh
> pass in on re0 inet proto icmp              # icmp
> pass in on re0 inet proto tcp to port 445   # samba

Your description line does not describe accurately what next three lines do - as destination IP is not present, "to any" is assumed, so more accurate description would be "Allow specific services on any machine be accessed from local network".

If you wanted your ruleset to match description line, and your services listen on internal NIC, you would do something like:

pass in on $if_int inet proto tcp from re0:network to re0 port ssh
pass in on $if_int inet proto icmp from re0:network to re0
pass in on $if_int inet proto tcp from re0:network to re0 port 445

> #pass in on re0 inet to em0:network # This does not work, since the
> #mask for this IF will only let traffic through to the limited set of
> #IPs on the same C-segment as em0. That would probably be a set of
> #other customers at the network operator...
>
> # This works, but will require an update if any further NIC is involved
> # later
> pass in on re0 to !re0:network

There are multiple ways to achieve this. One of them would be passing everything on $if_int, and blocking what you don't want later (if "quick" keyword is not used, last matching rule wins):

pass in on $if_int
block in on $if_int inet proto tcp from $if_int:network to \
    $if_int port { !=ssh !=445 }

The other one would be blocking unwanted stuff quickly early in the ruleset, and passing what you want later on:

block in quick on $if_int inet proto tcp from $if_int:network to \
    $if_int port { !=ssh !=445 }
pass in on $if_int

Both examples block only TCP to internal NIC, so blocking other protocols if there are any on the firewall also needs to be done.

> # I would like something like this to work, so that future added NICs
> # won't open new unwanted paths
> #pass in on re0 to em0
>
> # Allow only incoming SSH to external NIC
> pass in on em0 inet proto tcp to port ssh

In the end, your ruleset seems quite minimal. I suggest you start worrying about new NIC once you add it. For now it would be better to play around with pfctl -vvsr, systat states/rules, tcpdumping pflog etc.

Hope this helps,
-- 
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
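The reply above turns on two pf evaluation rules: without "quick" the last matching rule wins, and a rule with no destination address matches "to any". The toy below is an added example, not code from the thread or from pf itself: it models that decision procedure (direction, interface, protocol, destination port and destination address only; state, NAT, tables and expansion of { } lists are out of scope) and walks the ruleset Jon posted through a few constructed packets, then shows the same ruleset with a "quick" block in front. re0:network, the interface addresses and the packets are all constructed for the example.

```python
"""Model how pf picks the deciding rule (added example, not from the thread).

pf evaluates the ruleset top to bottom; the *last* matching rule decides,
unless a matching rule carries 'quick', which ends evaluation at once. A
packet no rule matches passes. Only direction, interface, protocol,
destination port and destination address are modelled here.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

RE0_NET = ipaddress.ip_network("192.168.1.0/24")  # constructed re0:network


@dataclass
class Packet:
    direction: str            # "in" or "out"
    iface: str
    proto: str                # "tcp", "udp", "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Rule:
    text: str                               # pf.conf line this stands for
    action: str                             # "pass" or "block"
    quick: bool = False
    direction: Optional[str] = None         # None: both directions
    ifaces: Optional[frozenset] = None      # None: any interface
    proto: Optional[str] = None
    dport: Optional[int] = None
    dst_ok: Optional[Callable] = None       # predicate on destination address

    def matches(self, p: Packet) -> bool:
        if self.direction and p.direction != self.direction:
            return False
        if self.ifaces and p.iface not in self.ifaces:
            return False
        if self.proto and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.dst_ok and not self.dst_ok(ipaddress.ip_address(p.dst)):
            return False
        return True


def evaluate(rules, pkt):
    """Return (action, rule text) the way pf would decide for pkt."""
    decision = ("pass", "no rule matched (pf default)")
    for rule in rules:
        if rule.matches(pkt):
            decision = (rule.action, rule.text)
            if rule.quick:
                break
    return decision


# The ruleset from the question, minus the NAT 'match' rule, which only
# rewrites addresses and never passes or blocks on its own.
RULESET = [
    Rule("block log all", "block"),
    Rule("pass out on {em0, re0}", "pass", direction="out",
         ifaces=frozenset({"em0", "re0"})),
    Rule("pass in on re0 inet proto tcp to port ssh", "pass",
         direction="in", ifaces=frozenset({"re0"}), proto="tcp", dport=22),
    Rule("pass in on re0 inet proto icmp", "pass",
         direction="in", ifaces=frozenset({"re0"}), proto="icmp"),
    Rule("pass in on re0 inet proto tcp to port 445", "pass",
         direction="in", ifaces=frozenset({"re0"}), proto="tcp", dport=445),
    Rule("pass in on re0 to !re0:network", "pass",
         direction="in", ifaces=frozenset({"re0"}),
         dst_ok=lambda a: a not in RE0_NET),
    Rule("pass in on em0 inet proto tcp to port ssh", "pass",
         direction="in", ifaces=frozenset({"em0"}), proto="tcp", dport=22),
]

# Same ruleset with a quick block in front: the later 'pass in on em0 ... ssh'
# is never reached for that traffic, which is how quick overrides last-match.
QUICK_VARIANT = [
    Rule("block in quick on em0 inet proto tcp to port ssh", "block",
         quick=True, direction="in", ifaces=frozenset({"em0"}),
         proto="tcp", dport=22),
] + RULESET

# Constructed traffic; 192.168.1.1 stands for re0, 203.0.113.5 for em0.
LAN_TO_WEB = Packet("in", "re0", "tcp", "192.168.1.50", "198.51.100.10", 443)
LAN_TO_FW_HTTP = Packet("in", "re0", "tcp", "192.168.1.50", "192.168.1.1", 80)
LAN_TO_FW_SMB = Packet("in", "re0", "tcp", "192.168.1.50", "192.168.1.1", 445)
NET_TO_FW_SSH = Packet("in", "em0", "tcp", "198.51.100.7", "203.0.113.5", 22)
NET_TO_FW_SMB = Packet("in", "em0", "tcp", "198.51.100.7", "203.0.113.5", 445)

if __name__ == "__main__":
    for name, pkt in [("LAN to web", LAN_TO_WEB), ("LAN to fw:80", LAN_TO_FW_HTTP),
                      ("LAN to fw:445", LAN_TO_FW_SMB), ("net to fw:22", NET_TO_FW_SSH),
                      ("net to fw:445", NET_TO_FW_SMB)]:
        print(f"{name:14} {evaluate(RULESET, pkt)}")
    print(f"{'quick variant':14} {evaluate(QUICK_VARIANT, NET_TO_FW_SSH)}")
```

Reading the decisions next to the rule text makes the point of the reply concrete: LAN traffic to port 80 on the firewall ends at "block log all" because no later rule matches it, while web traffic from the LAN to the outside is carried by "pass in on re0 to !re0:network". On a real system the same view comes from pfctl -vvsr and the pflog interface rather than from a model.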
pcengines apu3b4 with lte modem huawei ME909s-120
rev 0x00: msi
pci2 at ppb1 bus 2
em1 at pci2 dev 0 function 0 "Intel I211" rev 0x03: msi, address 00:0d:b9:49:da:5d
ppb2 at pci0 dev 2 function 4 "AMD AMD64 16h PCIE" rev 0x00: msi
pci3 at ppb2 bus 3
em2 at pci3 dev 0 function 0 "Intel I211" rev 0x03: msi, address 00:0d:b9:49:da:5e
"AMD CCP" rev 0x00 at pci0 dev 8 function 0 not configured
xhci0 at pci0 dev 16 function 0 "AMD Bolton xHCI" rev 0x11: msi
usb0 at xhci0: USB revision 3.0
uhub0 at usb0 configuration 1 interface 0 "AMD xHCI root hub" rev 3.00/1.00 addr 1
ahci0 at pci0 dev 17 function 0 "AMD Hudson-2 SATA" rev 0x40: apic 4 int 19, AHCI 1.3
scsibus1 at ahci0: 32 targets
ehci0 at pci0 dev 19 function 0 "AMD Hudson-2 USB2" rev 0x39: apic 4 int 18
usb1 at ehci0: USB revision 2.0
uhub1 at usb1 configuration 1 interface 0 "AMD EHCI root hub" rev 2.00/1.00 addr 1
piixpm0 at pci0 dev 20 function 0 "AMD Hudson-2 SMBus" rev 0x42: SMBus disabled
pcib0 at pci0 dev 20 function 3 "AMD Hudson-2 LPC" rev 0x11
sdhc0 at pci0 dev 20 function 7 "AMD Bolton SD/MMC" rev 0x01: apic 4 int 16
sdhc0: SDHC 2.0, 50 MHz base clock
sdmmc0 at sdhc0: 4-bit, sd high-speed, mmc high-speed, dma
pchb2 at pci0 dev 24 function 0 "AMD AMD64 16h Link Cfg" rev 0x00
pchb3 at pci0 dev 24 function 1 "AMD AMD64 16h Address Map" rev 0x00
pchb4 at pci0 dev 24 function 2 "AMD AMD64 16h DRAM Cfg" rev 0x00
km0 at pci0 dev 24 function 3 "AMD AMD64 16h Misc Cfg" rev 0x00
pchb5 at pci0 dev 24 function 4 "AMD AMD64 16h CPU Power" rev 0x00
pchb6 at pci0 dev 24 function 5 "AMD AMD64 16h Misc Cfg" rev 0x00
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
com2 at isa0 port 0x3e8/8 irq 5: ns16550a, 16 byte fifo
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
wbsio0 at isa0 port 0x2e/2: NCT5104D rev 0x53
vmm0 at mainbus0: SVM/RVI
scsibus2 at sdmmc0: 2 targets, initiator 0
sd0 at scsibus2 targ 1 lun 0: SCSI2 0/direct removable
sd0: 14868MB, 512 bytes/sector, 30449664 sectors
uhub2 at uhub1 port 1 configuration 1 interface 0 "Advanced Micro Devices product 0x7900" rev 2.00/0.18 addr 2
cdce0 at uhub2 port 3 configuration 2 interface 0 "Huawei Technologies Co., Ltd. HUAWEI Mobile V7R11" rev 2.10/1.02 addr 3
cdce0: could not find data bulk in
ugen0 at uhub2 port 3 configuration 2 "Huawei Technologies Co., Ltd. HUAWEI Mobile V7R11" rev 2.10/1.02 addr 3
vscsi0 at root
scsibus3 at vscsi0: 256 targets
softraid0 at root
scsibus4 at softraid0: 256 targets
root on sd0a (acba5e9b98800af4.a) swap on sd0b dump on sd0b
-- 
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
Re: ssh from cisco to OpenBSD 6.2 error status 0
On Mon, 25 Dec 2017 15:06:34 +0100
"Peter N. M. Hansteen" <pe...@bsdly.net> wrote:

> On 12/25/17 11:13, Marko Cupać wrote:
> > Hi,
> >
> > I noticed I can't ssh from cisco router running IOS 15.X to OpenBSD
> > 6.2. No problem with 6.1.
> >
> > Anyone else with this problem? Any idea how to solve it or where to
> > start digging?
>
> I'd start by looking for messages in /var/log/authlog on the OpenBSD
> machine, and if possible running with ssh -v or -vv (I forget how many
> you can usefully put in, or if the Cisco boxes even use the same
> options) to get more detail on what happens.
>
> My hunch is that you will be looking at resolving a gap in ciphers
> offered as available at either end. Newer ssh versions have
> incrementally dropped or disabled by default the unsafe ones, but
> increasing the message verbosity will point you in the right
> direction.

Hi,

thanks for pointing me to auth.log, I never have problems with ssh, so I
don't have the habit of checking auth.log - I was looking at messages
and daemon logs.

I saw this in auth.log:

Protocol major versions differ for 192.168.223.1 port 45187: SSH-2.0-OpenSSH_7.6 vs. SSH-1.99-Cisco-1.25

I started passing different cipher options to ssh client on cisco, and
finally managed to connect to OpenBSD 6.2 with:

ssh -v 2 -c aes256-ctr -m hmac-sha1-160 IP.ADD.RE.SS

Regards,
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
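The authlog line found above names both sides' SSH identification strings, which is the first thing to read when a client that used to connect stops connecting after an sshd upgrade. As an added example that is not part of the thread, the POSIX sh functions below split such strings by the RFC 4253 format SSH-protoversion-softwareversion, compare protocol major versions (treating the legacy "1.99" announcement, which stands for "both 1 and 2", as its own case, since the thread shows OpenSSH 7.6's sshd still logging it as a mismatch against 2.0), and pull the peer's announced string out of "Protocol major versions differ" lines in an authlog. The function names and the syslog prefix on the constructed sample line are my own; the message text is the one quoted above.

```shell
#!/bin/sh
# Added example, not from the thread: parse SSH identification strings and
# extract the peer's announced version from sshd "Protocol major versions
# differ" messages.  Plain POSIX sh plus awk; function names are my own.

# Split an RFC 4253 identification string "SSH-protoversion-softwareversion
# [SP comments]" into its parts.  Prints "<protoversion> <softwareversion>".
ssh_ident_parse() {
    ident=$1
    case $ident in
        SSH-*-*) ;;
        *) printf 'not an SSH identification string: %s\n' "$ident" >&2; return 1 ;;
    esac
    rest=${ident#SSH-}           # drop the "SSH-" prefix
    proto=${rest%%-*}            # up to the first '-' is the protocol version
    software=${rest#*-}          # everything after it is the software version
    software=${software%% *}     # drop optional trailing comments
    printf '%s %s\n' "$proto" "$software"
}

# Compare the protocol major versions of two identification strings.
# "1.99" is the legacy way of announcing support for both SSH1 and SSH2
# (RFC 4253 section 5.1); it is reported separately because, as the authlog
# line in the thread shows, a modern sshd may still treat it as a mismatch.
ssh_ident_compare() {
    a=$(ssh_ident_parse "$1" | cut -d' ' -f1) || return 2
    b=$(ssh_ident_parse "$2" | cut -d' ' -f1) || return 2
    if [ "${a%%.*}" = "${b%%.*}" ]; then
        echo same-major
    elif [ "$a" = 1.99 ] || [ "$b" = 1.99 ]; then
        echo legacy-1.99
    else
        echo different-major
    fi
}

# Read authlog text on stdin; print "<peer-address> <peer-ident>" for every
# "Protocol major versions differ" line, so the clients still announcing an
# old protocol can be inventoried before they are cut off.
authlog_version_mismatches() {
    awk '/Protocol major versions differ for/ {
        # ... differ for <addr> port <port>: <our-ident> vs. <their-ident>
        for (i = 1; i <= NF; i++) if ($i == "for") addr = $(i + 1)
        print addr, $NF
    }'
}

# Constructed sample line: the message quoted above with a made-up syslog prefix.
SAMPLE_AUTHLOG='Dec 25 16:00:00 host sshd[1234]: Protocol major versions differ for 192.168.223.1 port 45187: SSH-2.0-OpenSSH_7.6 vs. SSH-1.99-Cisco-1.25'

# Usage on a real system: authlog_version_mismatches < /var/log/authlog
if [ "${1-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_AUTHLOG" | authlog_version_mismatches
    ssh_ident_compare SSH-2.0-OpenSSH_7.6 SSH-1.99-Cisco-1.25
fi
```

Run it with `--demo` to see the sample line reduced to the peer address and its identification string, followed by the verdict `legacy-1.99`; feed `/var/log/authlog` to `authlog_version_mismatches` to get the same inventory for a live host.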
Re: OpenBSD 6.2 (up2date with syspatch) - HANGING
On Fri, 22 Dec 2017 13:43:35 +0100
Florian Obser <flor...@openbsd.org> wrote:

> Yes, quite a lot of effort and money (think travel cost to hackathons)
> was spent by developers between 5.9 and 6.2 releases.
> You are welcome.

Somehow I have the impression that most of the OpenBSD code wasn't
written in fancy guest facilities where priesthood arrives and departs
by means of business class flights to churn out some lines of code. The
time when it wasn't all about MONEY.

But yeah, we have to embrace modern times and not hold on to the past.
Still, OpenBSD is the best :)
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
Re: bug tracking system for OpenBSD
While not exactly bug tracker, more like general-purpose issue tracker,
I have successfully implemented rt44 in a company I work for:

https://docs.bestpractical.com/rt/4.4.2/README.html

The reason why I succeeded with rt44, and failed with other, shinier
trackers with more bells and whistles, is its integration with email.
All of my users want single email address where they can report issues.
Some of my colleagues in IT want to continue using email-only
correspondence while dealing with users' issues, while others prefer to
use additional features in rt44's web interface. All of them can have
their way with rt. No one was forced to something new, something
different. Email-only is still there, with the addition of web interface
for those who want/like it.

If OpenBSD people are interested, I can provide complete rt44-based
solution directly from my servers, or I can help building and
integrating it on some other hardware.

Regards,
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
ssh from cisco to OpenBSD 6.2 error status 0
Hi,

I noticed I can't ssh from cisco router running IOS 15.X to OpenBSD
6.2. No problem with 6.1.

Anyone else with this problem? Any idea how to solve it or where to
start digging?

Thank you in advance,
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
Re: How to make ProtonMail compatible with misc@ Re: Do not give-up on marketing
On Wed, 06 Dec 2017 00:06:14 -0500
Joseph Mayer <joseph.ma...@protonmail.com> wrote:

> Here is how to make ProtonMail compatible with misc@:
>
> Click "Settings" up to the right.
>
> Click the "Appearance" tab in the menu.
>
> Under the "Composer mode" section there's a dropdown with two
> options, it's preset to "Normal".
>
> Switch it to "Plain Text".
>
>
> This email was sent from ProtonMail. I presume it's in the format
> everyone wants.

Almost there, but still violating second part of the first rule: 72
characters per line ;)

Claws-mail inserts line breaks automatically.
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
3g modem support
Hi,

I would like to test 3g networking on PC Engines' APU3b4 (I heard it
does not work yet on this particular board with OpenBSD 6.2, apparently
due to issues between EHCI driver and AMD USB chipset, but I'd like to
help with development testing).

PC Engines website has "short and incomplete list of working 3G miniPCIe
modems":

http://pcengines.ch/howto.htm#3G

...which suggests some Sierra Wireless modems, none of which are
available for purchase in the country I live in.

This one is available for ~25€ (Sierra Wireless MC8755):

http://www.netiks.rs/3g-minipciexpress-card

Also this one for ~100€ (Huawei ME909s-120):

http://www.netiks.rs/huawei-me909s-120-minipciexpress-card

If someone can confirm these cards are / aren't supported by OpenBSD,
I'd be very grateful.

Thank you in advance,
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
Re: pcengines apu boards
On Mon, 4 Dec 2017 12:53:26 -0800
"Paul B. Henson" <hen...@acm.org> wrote:

> > From: Marko Cupac
> > Sent: Monday, December 4, 2017 3:54 AM
> >
> > I have just ordered one APU3b4, as I wanted to test mobile provider
> > as a backup link. I see it probably won't be any good as OpenBSD
> > router (yet), but at least I'll be able to test and give feedback.
>
> Assuming you're planning to use an internal Mini PCI card, unless you
> have more luck than me, it's not going to work :(. I'm hoping I will
> be able to fix the EHCI driver to be more happy with the AMD USB
> chipset, but this point I'm still fumbling with it :).

My APU3b4 has just arrived, hopefully I'll have time to install it with
OpenBSD tomorrow and send feedback.

Regards,
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
Re: Do not give-up on marketing
On Sun, 3 Dec 2017 12:58:42 +0200
Mihai Popescu <mih...@gmail.com> wrote:

> I use to read lists in marc.info.
> It is a little bit off topic, but I dare to ask: what combination are
> you using, like email client and misc@ configuration( i.e, daily
> digest, individual emails, etc.)?

I am using claws-mail, redirecting (by means of server-side sieve
filters) emails from each mailing list to a separate folder. I configure
sieve filters from roundcube, and for mailing lists I mostly use rule
similar to "list id contains -> move message to
"INBOX\lists\openbsd\misc". I like to receive individual mails and set
mailing lists folders to "thread view" in claws-mail.

Regards,
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
Re: pcengines apu boards
On Sat, 2 Dec 2017 20:08:41 -0800
"Paul B. Henson" <hen...@acm.org> wrote:

> On Sat, Dec 02, 2017 at 10:40:14PM +1000, Douglas Ray wrote:
>
> > On the APU3a4 the internal USB headers were broken.
> > I had email from pcengines (March 2017) saying this would
> > be addressed in the APU3b series, but we went for APU2.
>
> I have a APU3b series, they fixed the incorrect pinout on the internal
> usb headers. The internal EHCI ports work fine under both linux and
> freebsd connected to a USB backplate I'm testing with. It's
> definitely a disagreement between the AMD EHCI USB chipset and
> OpenBSD . I'm going to see if I can port some of the
> workarounds and quirks for that chipset from linux/freebsd to the
> openbsd driver and see if I have any luck getting it working; drivers
> aren't my strong suit but we'll see what happens. In the worst case
> I guess I'll use an external miniPCI to USB adapter and connect my
> LTE modem to the external xHCI ports, they seem to work fine under
> OpenBSD.
>
> Thanks...
>

I have a bunch of APU2c4's, they play nice with OpenBSD. Actually my
complete fleet (~20) of branch office routers are based on APU2c4's
running various OpenBSD versions (I think the oldest is 5.8).

I have just ordered one APU3b4, as I wanted to test mobile provider as
a backup link. I see it probably won't be any good as OpenBSD router
(yet), but at least I'll be able to test and give feedback.

Regards,
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
Re: Image viewer alternative to eog
On Sun, 26 Nov 2017 20:15:14 -0200
"x9p" <m...@x9p.org> wrote:

> Is there a good/safe and light image viewer? Was used to eog, but it
> has too many "vfprintf %s NULL" in messages. gimp is too big and good
> for play with images, In need of smth fast.

...

> Thank you all for the inputs. feh suited best. lots of command line
> options, folder slideshow and option to specify geometry was a big
> plus.

I don't know if that counts as 'good/safe and light', but I use XFCE's
ristretto. When jumping sinking ship of GNOME some years ago I tried to
go all the way down to openbox and its ecosystem (including feh), but it
was a bit too much of a change for me for my primary work environment (I
still use openbox and friends in some thin client setups). XFCE and its
ecosystem are not as lightweight, but from my point of view they have
balanced usability and weight for my primary laptop use case.
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
pf queueing syntax question
Hi,

I'm (re)trying out queuing possibilities in 6.2. I am trying out
different possibilities, mixing queue with prio. I have accidentally put
two different lines in my pf.conf:

match proto tcp to any port domain set prio 6 set queue dns
match proto udp to any port domain set queue dns prio 6

I reloaded the ruleset and there weren't any complaints. `pfctl -sr'
interpreted these two lines differently:

match proto tcp from any to any port = 53 set ( prio 6, queue dns )
match proto udp from any to any port = 53 prio 6 set ( queue dns )

Are those two lines expected to queue differently? In which way?

Thank you in advance,
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
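The two `pfctl -sr` lines above show pf reading the same words two different ways, and pf.conf(5) explains why: `set prio N` assigns a priority to matching packets, while a bare `prio N` rule option is a match criterion, so the rule applies only to packets that already carry priority N. That is why the second rule came back as `prio 6 set ( queue dns )`: it queues UDP DNS packets only if something earlier gave them priority 6. As an added example that is not part of the thread, the POSIX sh/awk checker below flags rule lines where `prio` appears without a preceding `set` and outside a `set ( ... )` group, the exact slip the question describes. The sample input is the two rules from the question; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: flag pf.conf rules where "prio N" is
# used as a match criterion when "set prio N" (assign a priority) was
# probably intended.  Function names are my own.  Input: a pf.conf on
# stdin.  Output: one diagnostic line per suspicious rule.

pf_lint_prio() {
    awk '
    # skip comments and blank lines
    /^[ \t]*#/ || NF == 0 { next }
    {
        inset = 0      # inside a "set ( ... )" group, where prio is an assignment
        prev = ""      # previous token on the line
        for (i = 1; i <= NF; i++) {
            t = $i
            # "set (" opens a group; everything up to ")" is an assignment
            if (t == "set" && $(i + 1) == "(") inset = 1
            if (inset && index(t, ")") > 0) { inset = 0; prev = t; continue }
            # a bare "prio" not preceded by "set" only matches, never assigns
            if (t == "prio" && prev != "set" && !inset)
                printf "line %d: \"prio\" here is a match criterion, not an assignment (use \"set prio\"): %s\n", NR, $0
            prev = t
        }
    }'
}

# Number of flagged rules, for use in scripts (0 means clean).
pf_lint_prio_count() {
    pf_lint_prio | awk 'END { print NR }'
}

# Constructed sample: the two rules from the question above.
SAMPLE_PF='match proto tcp to any port domain set prio 6 set queue dns
match proto udp to any port domain set queue dns prio 6'

# Usage on a real ruleset, after "pfctl -nf /etc/pf.conf" accepts it:
#   pf_lint_prio < /etc/pf.conf
# Then compare with "pfctl -sr", which prints each rule as pf parsed it.
if [ "${1-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_PF" | pf_lint_prio
fi
```

On the sample the checker reports only line 2. The intended form of that rule is `match proto udp to any port domain set prio 6 set queue dns`, which pf prints back as `set ( prio 6, queue dns )` just like the TCP rule.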
Re: pf and max bandwidth in nested queues (bug?)
I've just given a spin to 6.2. And queueing in PF actually does all I
want it to do - giving child queues max bandwidth of parent queue when
parent queue is unsaturated, and throttling them down to set bandwidth
when parent queue is saturated.

Now those few years of pf queueing problems look so far away, almost
like they never happened :)

Thanks to people who made it possible.
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
Re: pf and max bandwidth in nested queues (bug?)
On Wed, 1 Nov 2017 13:22:03 +
Oliver Humpage <oli...@watershed.co.uk> wrote:

> Hello,
>
> I have an OpenBSD 6.2 router, set up in a test rig so there's no
> traffic apart from my tests. It has vmx interfaces. $int_if is a vlan
> on one of them.
>
> I have an issue where if a child queue has a different "max" from a
> parent queue, the bandwidth is throttled down to much less than
> either.

Hi fellow adventurer in PF queuing :)

I'd like authoritative, correct, field-tested answers to a number of
questions related to PF queuing, but at the moment it appears there
aren't any. pf.conf(5) doesn't say much, PF FAQ's chapter on queuing is
in the attic for quite some time now:

http://cvsweb.openbsd.org/cgi-bin/cvsweb/www/faq/pf/Attic/queueing.html

So I guess it's you and me and maybe someone else on this list who will
have to test and get those answers from those tests.

I haven't yet get to do any tests on 6.2, but from my experience, the
only way for queuing to work as expected is to set all three - declared,
min and max bandwidth on parent, and all the child queues to the same
value, where sum of child queues has to be less or equal to parent
queue.

Pay attention to the fact that only new states go to appropriate queues,
so (from my experience) every ruleset change needs flushing of states
(pfctl -F states).

If you have NAT in the mix it complicates things further, and I think
tagging packets inbound on internal interface, and queueing them on
external interface by tags is the way to go.

You will get different answers from different people regarding inbound
(interface-wise) queuing - most people say it has no effect, but some
people say it puts return traffic into appropriate queues, so it
apparently does have effect. Go figure, and let me know if you do :)

If you search misc@ list for my posts, you will find quite a number of
rants regarding PF queuing. Not much useful info tho.

Now, what I'd really like to know is, if I have let's say 4Mbit uplink,
and 4x1Mbit declared queues (without min and max values), what is the
logic of borrowing bandwidth from non-saturated queues. Because I can't
for love of my life make any sense of it.

That being said, all the alternatives to OpenBSD are worse. I guess we
need to keep trying :)

Regards,
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
Re: Traffic filtering
On Mon, 30 Oct 2017 20:50:46 +
greg...@airmail.cc wrote:

> Hi,
> I'm new to this area, but I would like to filter some traffic.
> The goal is to keep people secure while web browsing, not to censure.
> And also enable better privacy, mainly stop "malware" and
> tracking/ads as restrictively as possible.
>
> I have 3 questions, in case someone here has the time to answer me:
>
> 1. What layers I should be filtering? Direct IP drop using pf,
> DNS drop with NSD/Unbound server, layer 7 with relayd, etc.

I'm filtering web traffic with squid, a http proxy. That way I can give
more information to users about reasons for restriction, not just
"request timeout" or "no dns record".

> 2. If the right approach is blacklisting domains, then what list
> do OpenBSD users recommend to use? People seem to be using these
> two, but I would like to know the opinion from OpenBSD users:
> http://www.malware-domains.com/files/
> https://hosts-file.net/?s=Download

I had good experience with http://www.shallalist.de/

> 3. There's any well designed tool that I can automatically update
> these lists (using pledge and signify, for example), or a simple shell
> script is enough?

ftp and reload service.
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
late ro remount to permit reorder_kernel on 6.2
Hi,

on 6.2, kernel relinking is done last in rc:

# Re-link the kernel, placing the objects in a random order.
# Replace current with relinked kernel and inform root about it.
/usr/libexec/reorder_kernel &

I have some boxes which have /var /tmp and /dev mounted as mfs, while
others are mounted from local SDcard and kept read-only. Historically I
used @reboot cron for remounting local filesystems (mount -urA -t
nomfs), but this prevents relinking libraries, and - as of 6.2 -
relinking kernel, because cron is started earlier in rc.

I am currently remounting local file systems late by modifying rc
(terrible I know):

/usr/libexec/reorder_kernel && mount -urA -t nomfs >/dev/null 2>&1

I know read-only setups are unsupported, modifying base files as well,
but if someone has an advice on what would be a better way of remounting
local file systems read-only after kernel relinking is done, I'd be
grateful.

Thank you in advance,
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
Re: bgpd.conf invalidated on 6.2
On Mon, 16 Oct 2017 12:18:40 +0200
Claudio Jeker <cje...@diehard.n-r-g.com> wrote:

> On Mon, Oct 16, 2017 at 12:13:14PM +0200, Marko Cupać wrote:
> > Hi,
> >
> > I've just upgraded one of my firewalls to 6.2, but bgpd won't start
> > with bgpd.conf which worked for 5 releases or so.
> >
> > Here's error message:
> > /etc/bgpd.conf:11: duplicate prefix in network statement
> > config file /etc/bgpd.conf has errors, not reloading
> >
> > The problem appears to be with the two following lines in bgpd.conf
> > (redacted):
> > network NE.TW.OR.K/24 set nexthop IP.ADD.RE.SS1
> > network NE.TW.OR.K/24 set nexthop IP.ADD.RE.SS2
> >
> > Any idea how to make this work on 6.2?
> >
>
> Remove one of the two lines.

IIRC, those lines were added more than 5 years ago, because they made
CARPed setup work, and have instant failover (IP.ADD.RE.SS1 and
IP.ADD.RE.SS2 are IP addresses of CARP interfaces facing ISP1 and ISP2).
So, the session is established from physical interface (local-address),
but nexthops are set to respective carp interfaces, so that BGP session
is always up, even from CARP BACKUP, and failover is instantaneous.

Are you suggesting I will have the same functionality even after
removal of any of the two lines?

Here's my complete non-redacted bgpd.conf for better understanding:

# MACROS
orion = "178.253.194.253"
sbb = "82.117.192.121"

# GLOBAL CONFIGURATION
AS 12823
router-id 193.53.106.253
network 193.53.106.0/24 set nexthop 178.254.158.60
network 193.53.106.0/24 set nexthop 82.117.192.124

# NEIGHBORS AND PEERS
neighbor $orion {
	remote-as 9125
	descr "orion"
	multihop 10
	local-address 178.254.158.59
	demote carp
	set localpref -10
}

neighbor $sbb {
	remote-as 31042
	descr "sbb"
	local-address 82.117.192.123
	demote carp
	set localpref +10
}

(default filters below)

Thank you in advance,
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
bgpd.conf invalidated on 6.2
Hi,

I've just upgraded one of my firewalls to 6.2, but bgpd won't start
with bgpd.conf which worked for 5 releases or so.

Here's error message:
/etc/bgpd.conf:11: duplicate prefix in network statement
config file /etc/bgpd.conf has errors, not reloading

The problem appears to be with the two following lines in bgpd.conf
(redacted):
network NE.TW.OR.K/24 set nexthop IP.ADD.RE.SS1
network NE.TW.OR.K/24 set nexthop IP.ADD.RE.SS2

Any idea how to make this work on 6.2?

Thank you in advance,
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
Re: Filtering other network layer protocols with PF
On Mon, 11 Sep 2017 10:26:22 -0500
Christopher Snell <chris.sn...@gmail.com> wrote:

> Hi,
>
> I have an AT&T fiber connection at home that relies on a crappy,
> proprietary, and insecure [1] router that does proprietary
> authentication with upstream equipment via EAP over 802.1x. Some
> folks have figured out how to bypass it by putting the AT&T router
> behind their actual firewalls and proxying the 802.1x packets to/from
> the AT&T device, thus faking out the upstream gateway.
>
> Unfortunately, the common solution [2] for this is Linux-specific and
> relies on their PF_RING stuff. I was hoping to proxy this protocol in
> OpenBSD without having to use something slow like pcap. As far as I
> can tell from reading man pages, PF does not support this network
> layer protocol (0x888E). Does anybody have any ideas on how I might
> efficiently capture these packets and copy them to another interface?
>
> Chris
>
> [1] https://www.nomotion.net/blog/sharknatto/
> [2] https://github.com/jaysoffian/eap_proxy

Hi,

not exactly answer to your question, but:

I have similar situation, where my ISP gives me crappy device whose
uplink is ADSL, and downlink is ethernet. By default, it does
PAP-authenticated pppoe, NAT and ingress filtering on uplink. I managed
to configure this device in 'bridge mode', and put two-nic (PC Engines'
APU2) OpenBSD firewall behind it, which calls pppoe, NATs, filters, etc.
The rest of my home LAN plugs into internal interface of mentioned
firewall.

ISP--adsl

I still can't secure ISP's device, but I can filter traffic which
enters and leaves my LAN.

Regards,
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
Re: syspatch question
On Tue, 8 Aug 2017 18:17:35 -0400
Taylor Stearns <t...@tstearns.com> wrote:

> On Tue, Aug 08, 2017 at 01:10:22PM -0400, tec...@protonmail.com wrote:
> > I had this exact issue a few days ago, I just re-partitioned to a
> > bigger size so not have to face the issue again as was a new install
> > anyway. But, sure would be nice to see this added. Thanks
> >
> > > From: marko.cu...@mimar.rs
> > > - at the moment of writing this, there are 025 patches. If
> > > applying them all at once, they (perhaps needlessly) need quite
> > > some space in /tmp (my mfs for /tmp is 256m, and it got filled
> > > already at 012), as a result of (I guess)
> > > deleting /tmp/syspatch.XX only after all the patches are
> > > applied, or after /tmp gets filled up. Perhaps it is possible to
> > > flush /tmp earlier in the process (maybe after each patch is
> > > applied successfully)?
>
> Have you tried with -current? Here is a change from June that might be
> what you're looking for:
> https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/syspatch/syspatch.sh#rev1.108

That's it, thank you. Also rev1.108 appears to work on 6.1-release
without problems - I've just overwritten rev1.93 included in
6.1-release.
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
Re: syspatch question
On Tue, 08 Aug 2017 13:14:43 +0200
Antoine Jacoutot <ajacou...@bsdfrog.org> wrote:

> I'll have a look at it thanks.

I'm aware that no one is going to optimize syspatch for my corner case,
but here are a few observations regarding my experience with it:

- at the moment of writing this, there are 025 patches. If applying
  them all at once, they (perhaps needlessly) need quite some space in
  /tmp (my mfs for /tmp is 256m, and it got filled already at 012), as
  a result of (I guess) deleting /tmp/syspatch.XX only after all the
  patches are applied, or after /tmp gets filled up. Perhaps it is
  possible to flush /tmp earlier in the process (maybe after each patch
  is applied successfully)?

- syspatch silently fails if it cannot contact installurl server.
  Perhaps some warning could be added?

Best regards,
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
syspatch question
Hi,

first of all, thanx for syspatch. One-liner to apply all the errata
patches instead of syncing source and rebuilding stuff are welcomed on
my fleet of geographically remote OpenBSD firewalls running on PC
Engines' apu2d4, not only because of its speed and simplicity, but also
because of SDcard wear minimisation.

Now, I know I'm in unsupported waters because I noticed this on a box
with only / mounted read-only, and /dev /var and /tmp as writable mfs
file systems described (warning! blatant self-promotion below!) here:

https://www.mimar.rs/blog/how-to-increase-openbsds-resilience-to-power-outages

...but the problem I am facing is that syspatch -l shows installed
patches up to 013:

pacija@zemun:~ $ doas syspatch -l
001_dhcpd
002_vmmfpu
003_libressl
004_softraid_concat
005_pf_src_tracking
006_libssl
007_freetype
008_exec_subr
009_icmp_opts
010_perl
012_wsmux
013_icmp6_linklocal

...whereas syspatch -c returns zero, while I guess it should return
014_libcrypto at the time of writing this.

Another identical box which was patched up to 012 shows correct
information (-l up to 012, -c 013 and 014).

I'm not whining or anything, I trust my OpenBSD firewalls to be more
secure than any other solution out there even without these patches.
But maybe someone with more knowledge of syspatch finds this behaviour
worth investigating, even on unsupported setup.

Finally, my question: How does syspatch check current patchlevel? By
checking contents of /var/syspatch or some other way? I guess I'm
showing my ignorance here :)

Best regards,
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
Re: OpenBSD IPSec setup
On Thu, 29 Jun 2017 12:32:01 +0200
Luescher Claude <starg...@tango.lu> wrote:

> Why are you using ipsec in the 21st century:

Because it is in OpenBSD base.

Because, at least on OpenBSD, it integrates great with the rest of
networking ecosystem (carp, sasync, ospf, pf etc.)

Because it pays my bills for more than a decade now.

Because my users are satisfied.

Because my employers are satisfied.

Because I haven't encountered anything better for site-to-site VPNs so
far (I also use both OpenVPN and npppd for my road warriors' needs).

I could go on.
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
Re: PF packets being blocked...why?
On Mon, 26 Jun 2017 10:02:00 -0600
Steve Williams <st...@williamsitconsulting.com> wrote:

> Hi,
>
> New install of OpenBSD 6.1 on apu2. Love the little box.
>
> I have em0 as the connection to the Internet and I bridged em1 and
> em2 together on 192.168.123.0.
>
> I've been using OpenBSD since the 2.7 days, but have never run NAT so
> this is my first foray into that world. I have followed the FAQ on
> "building a router" almost verbatim. It's working fine, but I am
> seeing some packets blocked with no effect on browsing behind the
> OpenBSD box.
>
> My ruleset:
>
> # pfctl -sr
> match in all scrub (no-df random-id)
> match out on egress inet from ! (egress:network) to any nat-to (egress:0) round-robin
> block drop log quick from to any
> block drop log quick from to any
> block drop log all
> pass out quick inet all flags S/SA
> pass in on vether0 inet all flags S/SA
> pass in on em1 inet all flags S/SA
> pass in on em2 inet all flags S/SA
> pass in on egress inet proto tcp from any to (egress) port = 22 flags S/SA
> pass in on egress inet proto tcp from any to (egress) port = 993 flags S/SA
> pass in on egress inet proto tcp from any to (egress) port = 80 flags S/SA
> pass in on egress inet proto tcp from any to (egress) port = 443 flags S/SA
>
> # tcpdump -n -e -ttt -i pflog0   # from man pflog man page
> Jun 26 09:45:54.241145 rule 4/(match) block in on vether0: 192.168.123.2.38022 > 216.58.216.165.443: P 0:1375(1375) ack 1 win 1805 (DF)
> Jun 26 09:45:54.701283 rule 4/(match) block in on vether0: 192.168.123.2.38022 > 216.58.216.165.443: P 0:1375(1375) ack 1 win 1805 (DF)
> Jun 26 09:45:55.623757 rule 4/(match) block in on vether0: 192.168.123.2.38022 > 216.58.216.165.443: P 0:1375(1375) ack 1 win 1805 (DF)
> Jun 26 09:45:57.460985 rule 4/(match) block in on vether0: 192.168.123.2.38022 > 216.58.216.165.443: P 0:1375(1375) ack 1 win 1805 (DF)
> Jun 26 09:46:01.150933 rule 4/(match) block in on vether0: 192.168.123.2.38022 > 216.58.216.165.443: P 0:1375(1375) ack 1 win 1805 (DF)
> Jun 26 09:46:08.522599 rule 4/(match) block in on vether0: 192.168.123.2.38022 > 216.58.216.165.443: P 0:1375(1375) ack 1 win 1805 (DF)
> Jun 26 09:46:47.479083 rule 4/(match) block in on vether0: 192.168.123.2.46549 > 172.217.3.206.443: P 4042174712:4042174735(23) ack 2564095917 win 1593 (DF)
> Jun 26 09:46:47.896295 rule 4/(match) block in on vether0: 192.168.123.2.53452 > 23.23.126.54.443: P 4003838125:4003838156(31) ack 2044539346 win 65535 (DF)
> Jun 26 09:46:47.896662 rule 4/(match) block in on vether0: 192.168.123.2.53452 > 23.23.126.54.443: R 31:31(0) ack 1 win 65535 (DF)
> Jun 26 09:46:47.896674 rule 4/(match) block in on vether0: 192.168.123.2.59762 > 216.58.216.163.443: P 113176577:113176608(31) ack 2619790719 win 1403 (DF)
> Jun 26 09:46:47.896685 rule 4/(match) block in on vether0: 192.168.123.2.59762 > 216.58.216.163.443: F 31:31(0) ack 1 win 1403 (DF)
> Jun 26 09:46:47.896711 rule 4/(match) block in on vether0: 192.168.123.2.39279 > 31.13.77.6.443: P 4254697166:4254697197(31) ack 2615144509 win 1545 (DF)
> Jun 26 09:46:47.896735 rule 4/(match) block in on vether0: 192.168.123.2.39279 > 31.13.77.6.443: R 31:31(0) ack 1 win 1545 (DF)
>
> # pfctl -R 4 -sr
> block drop log all
>
> It is not all https traffic that is being blocked as I can hit my
> banking site, etc. Does anyone have an idea why are these packets
> being blocked?

What happens when you remove 'quick' keyword from 'pass out' rule?

Does setting skip on lo make any difference?

Does reducing max-mss in nat rule make any difference (mine is 1440)?
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
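Thirteen pflog lines are already hard to read; on a busy router there will be thousands, and the questions worth asking (which rule, which interface, which flows, SYN or mid-stream) should come from a summary rather than from eyeballing. As an added example that is not part of the thread, the POSIX sh/awk function below condenses pflog lines in the format quoted above (as printed by `tcpdump -n -e -ttt -i pflog0`) into one line per rule, action, interface, source host, destination host:port and TCP flag combination, with a packet count. The sample is the thirteen lines from the question; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: summarise pflog output from
# "tcpdump -n -e -ttt -i pflog0" into one line per blocked flow, so the
# rule number, interface, endpoints and TCP flags can be read at a glance.
# Function names are my own.  Input on stdin, summary on stdout, most
# frequent flow first.

pflog_summary() {
    awk '
    /rule [0-9]+\/\(match\)/ {
        rule = iface = src = dst = flags = action = dir = ""
        for (i = 1; i <= NF; i++) {
            # "rule 4/(match) block in on vether0:"
            if ($i == "rule") { rule = $(i + 1); action = $(i + 2); dir = $(i + 3) }
            if ($i == "on")   { iface = $(i + 1); sub(/:$/, "", iface) }
            # "src.port > dst.port: FLAGS ..."
            if ($i == ">")    { src = $(i - 1); dst = $(i + 1); sub(/:$/, "", dst); flags = $(i + 2) }
        }
        sub(/\/.*/, "", rule)                  # "4/(match)" -> "4"
        n = split(dst, d, "."); dport = d[n]   # last dotted component is the port
        dhost = d[1] "." d[2] "." d[3] "." d[4]
        split(src, s, "."); shost = s[1] "." s[2] "." s[3] "." s[4]
        key = "rule " rule " " action " " dir " on " iface " " shost " -> " dhost ":" dport " flags " flags
        count[key]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Constructed sample: the lines quoted in the question above.
SAMPLE_PFLOG='Jun 26 09:45:54.241145 rule 4/(match) block in on vether0: 192.168.123.2.38022 > 216.58.216.165.443: P 0:1375(1375) ack 1 win 1805 (DF)
Jun 26 09:45:54.701283 rule 4/(match) block in on vether0: 192.168.123.2.38022 > 216.58.216.165.443: P 0:1375(1375) ack 1 win 1805 (DF)
Jun 26 09:45:55.623757 rule 4/(match) block in on vether0: 192.168.123.2.38022 > 216.58.216.165.443: P 0:1375(1375) ack 1 win 1805 (DF)
Jun 26 09:45:57.460985 rule 4/(match) block in on vether0: 192.168.123.2.38022 > 216.58.216.165.443: P 0:1375(1375) ack 1 win 1805 (DF)
Jun 26 09:46:01.150933 rule 4/(match) block in on vether0: 192.168.123.2.38022 > 216.58.216.165.443: P 0:1375(1375) ack 1 win 1805 (DF)
Jun 26 09:46:08.522599 rule 4/(match) block in on vether0: 192.168.123.2.38022 > 216.58.216.165.443: P 0:1375(1375) ack 1 win 1805 (DF)
Jun 26 09:46:47.479083 rule 4/(match) block in on vether0: 192.168.123.2.46549 > 172.217.3.206.443: P 4042174712:4042174735(23) ack 2564095917 win 1593 (DF)
Jun 26 09:46:47.896295 rule 4/(match) block in on vether0: 192.168.123.2.53452 > 23.23.126.54.443: P 4003838125:4003838156(31) ack 2044539346 win 65535 (DF)
Jun 26 09:46:47.896662 rule 4/(match) block in on vether0: 192.168.123.2.53452 > 23.23.126.54.443: R 31:31(0) ack 1 win 65535 (DF)
Jun 26 09:46:47.896674 rule 4/(match) block in on vether0: 192.168.123.2.59762 > 216.58.216.163.443: P 113176577:113176608(31) ack 2619790719 win 1403 (DF)
Jun 26 09:46:47.896685 rule 4/(match) block in on vether0: 192.168.123.2.59762 > 216.58.216.163.443: F 31:31(0) ack 1 win 1403 (DF)
Jun 26 09:46:47.896711 rule 4/(match) block in on vether0: 192.168.123.2.39279 > 31.13.77.6.443: P 4254697166:4254697197(31) ack 2615144509 win 1545 (DF)
Jun 26 09:46:47.896735 rule 4/(match) block in on vether0: 192.168.123.2.39279 > 31.13.77.6.443: R 31:31(0) ack 1 win 1545 (DF)'

# Usage on a live router: tcpdump -n -e -ttt -i pflog0 | pflog_summary
# (or replay a saved capture: tcpdump -n -e -ttt -r /var/log/pflog | pflog_summary)
if [ "${1-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_PFLOG" | pflog_summary
fi
```

On this sample the summary has eight lines, headed by six retransmissions of the same PUSH segment from 192.168.123.2 to 216.58.216.165:443. Every logged packet carries P, R or F and none carries S: these are mid-connection packets for which pf holds no state, and since the pass rules only create state on a SYN (`flags S/SA`), stateless non-SYN packets fall through to rule 4, `block drop log all`. The summary makes that pattern visible at a glance; why the state is missing is what the questions in the reply above are probing.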
Re: splassert: pool_put: want 0 have 4
On Tue, 20 Jun 2017 12:22:46 +0200
Martin Pieuchot <m...@openbsd.org> wrote:

> On 14/06/17(Wed) 16:56, Marko Cupać wrote:
> > On Tue, 13 Jun 2017 11:38:46 + (UTC)
> > Stuart Henderson <s...@spacehopper.org> wrote:
> >
> > > Can you try "sysctl kern.splassert=2" to obtain a backtrace?
> > >
> > > (This isn't on by default as there's a small risk of problems,
> > > though I run this on almost all my routers/firewalls and never
> > > had trouble from it).
> >
> > Here's the backtrace:
> >
> > Jun 14 16:52:05 nat2 /bsd: splassert: pool_put: want 0 have 4
> > Jun 14 16:52:05 nat2 /bsd: Starting stack trace...
> > Jun 14 16:52:05 nat2 /bsd: pool_put() at pool_put+0x6b
> > Jun 14 16:52:05 nat2 /bsd: pipex_destroy_session() at pipex_destroy_session+0xe4
> > Jun 14 16:52:05 nat2 /bsd: pipex_timer() at pipex_timer+0x85
> > Jun 14 16:52:05 nat2 /bsd: timeout_run() at timeout_run+0x48
> > Jun 14 16:52:05 nat2 /bsd: softclock() at softclock+0x147
> > Jun 14 16:52:05 nat2 /bsd: softintr_dispatch() at softintr_dispatch+0x8b
> > Jun 14 16:52:05 nat2 /bsd: Xsoftclock() at Xsoftclock+0x1f
>
> This has been fixed by yasuoka@ on May 28th. Please try a new
> snapshot and report back if you still encounter similar problems.

Thanx for info. Any chance to get this as (sys)patch? I'm tracking
binary -stable for my production, I'd rather not experiment with
snapshots as they tend to fix one thing while breaking another.
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/