snmpd and route changes

2024-02-23 Thread Marko Cupać
 msi, address ec:eb:b8:95:29:7c
brgphy0 at bge0 phy 1: BCM5719C 10/100/1000baseT PHY, rev. 0
bge1 at pci14 dev 0 function 1 "Broadcom BCM5719" rev 0x01, BCM5719 A1 
(0x5719001), APE firmware NCSI 1.5.33.0: msi, address ec:eb:b8:95:29:7d
brgphy1 at bge1 phy 2: BCM5719C 10/100/1000baseT PHY, rev. 0
bge2 at pci14 dev 0 function 2 "Broadcom BCM5719" rev 0x01, BCM5719 A1 
(0x5719001), APE firmware NCSI 1.5.33.0: msi, address ec:eb:b8:95:29:7e
brgphy2 at bge2 phy 3: BCM5719C 10/100/1000baseT PHY, rev. 0
bge3 at pci14 dev 0 function 3 "Broadcom BCM5719" rev 0x01, BCM5719 A1 
(0x5719001), APE firmware NCSI 1.5.33.0: msi, address ec:eb:b8:95:29:7f
brgphy3 at bge3 phy 4: BCM5719C 10/100/1000baseT PHY, rev. 0
ppb13 at pci1 dev 28 function 6 "Intel C610 PCIE" rev 0xd5
pci15 at ppb13 bus 18
ppb14 at pci1 dev 28 function 7 "Intel C610 PCIE" rev 0xd5
pci16 at ppb14 bus 19
ehci1 at pci1 dev 29 function 0 "Intel C610 USB" rev 0x05: apic 8 int 18
usb3 at ehci1: USB revision 2.0
uhub3 at usb3 configuration 1 interface 0 "Intel EHCI root hub" rev 2.00/1.00 
addr 1
pcib0 at pci1 dev 31 function 0 "Intel C610 LPC" rev 0x05
ahci0 at pci1 dev 31 function 2 "Intel C610 AHCI" rev 0x05: msi, AHCI 1.3
ahci0: port 0: 6.0Gb/s
ahci0: port 1: 6.0Gb/s
scsibus1 at ahci0: 32 targets
sd0 at scsibus1 targ 0 lun 0:  naa.5000c500b212c82e
sd0: 953869MB, 512 bytes/sector, 1953525168 sectors
sd1 at scsibus1 targ 1 lun 0:  naa.5000c500b2126c31
sd1: 953869MB, 512 bytes/sector, 1953525168 sectors
ichiic0 at pci1 dev 31 function 3 "Intel C610 SMBus" rev 0x05: apic 8 int 18
iic0 at ichiic0
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
vmm0 at mainbus0: VMX/EPT
efifb0 at mainbus0: 1280x1024, 32bpp
wsdisplay0 at efifb0 mux 1: console (std, vt100 emulation), using wskbd0
wsdisplay0: screen 1-5 added (std, vt100 emulation)
uhub4 at uhub0 port 3 configuration 1 interface 0 "Standard Microsystems 
product 0x2660" rev 2.00/8.01 addr 2
uhidev0 at uhub0 port 10 configuration 1 interface 0 "Chicony HP Elite USB 
Keyboard" rev 1.10/1.21 addr 3
uhidev0: iclass 3/1
ukbd0 at uhidev0: 8 variable keys, 6 key codes
wskbd1 at ukbd0 mux 1
wskbd1: connecting to wsdisplay0
uhidev1 at uhub0 port 10 configuration 1 interface 1 "Chicony HP Elite USB 
Keyboard" rev 1.10/1.21 addr 3
uhidev1: iclass 3/0, 2 report ids
uhid0 at uhidev1 reportid 1: input=1, output=0, feature=0
ucc0 at uhidev1 reportid 2: 768 usages, 20 keys, array
wskbd2 at ucc0 mux 1
wskbd2: connecting to wsdisplay0
uhidev2 at uhub0 port 11 configuration 1 interface 0 "PixArt USB Optical Mouse" 
rev 1.10/1.00 addr 4
uhidev2: iclass 3/1
ums0 at uhidev2: 3 buttons, Z dir
wsmouse0 at ums0 mux 0
uhub5 at uhub1 port 1 configuration 1 interface 0 "Intel Rate Matching Hub" rev 
2.00/0.05 addr 2
uhub6 at uhub3 port 1 configuration 1 interface 0 "Intel Rate Matching Hub" rev 
2.00/0.05 addr 2
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
sd2 at scsibus3 targ 1 lun 0: 
sd2: 953868MB, 512 bytes/sector, 1953523553 sectors
root on sd2a (6134b362762c60c8.a) swap on sd2b dump on sd2b

-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: load balancing with rdomains

2023-12-18 Thread Marko Cupać
On Mon, 18 Dec 2023 14:08:04 +0100
Claudio Jeker  wrote:

> On Mon, Dec 18, 2023 at 01:53:50PM +0100, Marko Cupać wrote:
> > What OpenBSD FAQ https://www.openbsd.org/faq/faq6.html#Multipath
> > says for a bit different scenario applies to some extent for this
> > one as well:
> > 
> > "It's worth noting that if an interface used by a multipath route
> > goes down (i.e., loses carrier), the kernel will still try to
> > forward packets using the route that points to that interface. This
> > traffic will of course be blackholed and end up going nowhere. It's
> > highly recommended to use ifstated(8) to check for unavailable
> > interfaces and adjust the routing table accordingly."
> 
> Uhm. This is not accurate. The kernel tracks interface state on
> routes and will not select a multipath route that is not considered
> UP. There is a smaller issue when there is no other multipath route.
> The lookup will select the route and not fall back to a less specific
> one that is still up.
> 
> Could please someone update the FAQ?

I would like to contribute to the FAQ, but I'm not sure which way to
go. According to my tests, the above is not literally correct in the
described case (route goes down on lost carrier). However, in the
frequent scenario where the interface is up and the route is valid, but
the ISP's side won't route our packets (which is perceived as "link is
down" by a user), a mechanism is still needed to prevent sending packets
over that interface.

Would "It's worth noting that if an interface used by a multipath route
loses data link while physical link is active..." be more appropriate?

A more radical option would be to describe an rdomain-based solution
instead of the current examples in both:
https://www.openbsd.org/faq/faq6.html#Multipath
https://www.openbsd.org/faq/pf/pools.html#outgoing

Best regards,




Re: load balancing with rdomains

2023-12-18 Thread Marko Cupać
On Sat, 16 Dec 2023 18:53:29 +0100
Petr Ročkai  wrote:

> Hi,
> 
> On Sat, Dec 16, 2023 at 06:37:54PM +0100, Marko Cupać wrote:
> > pass in on em0 from (em0:network) to   probability 50% rtable 1
> > pass in on em0 from (em0:network) to   probability 50% rtable 2
> 
> IIUIC these two only add up to 75% probability – you presumably want
> probability 50% on the second of the two (the first one then being a
> match for everything that the later rule doesn't take up).

Thank you, I can confirm that your solution:

pass in on em0 from (em0:network) to   rtable 1
pass in on em0 from (em0:network) to   probability 50% rtable 2

... results in what I was trying to achieve - it load balances over both
uplinks without any blocked packets as long as both uplinks are active.

What OpenBSD FAQ https://www.openbsd.org/faq/faq6.html#Multipath says
for a bit different scenario applies to some extent for this one as
well:

"It's worth noting that if an interface used by a multipath route goes
down (i.e., loses carrier), the kernel will still try to forward
packets using the route that points to that interface. This traffic
will of course be blackholed and end up going nowhere. It's highly
recommended to use ifstated(8) to check for unavailable interfaces and
adjust the routing table accordingly."

...except - if I'm not mistaken - ifstated should in this case adjust
the pf ruleset instead of the routing table.

If so, would using anchors be the best way? Any working examples to
share? I used some simple ifstated rules, but it is hard to wrap my head
around probability percentages for all the use cases - first link up,
second down, and vice versa.

Thank you in advance,




Re: load balancing with rdomains

2023-12-16 Thread Marko Cupać
On Sat, 16 Dec 2023 10:25:07 - (UTC)
Stuart Henderson  wrote:

> See "probability" in pf.conf(5).

Thank you for the tip.

My test ruleset:

---start---
block log all

pass in on em0 from (em0:network) to 
pass in on em0 from (em0:network) to   probability 50% rtable 1
pass in on em0 from (em0:network) to   probability 50% rtable 2

pass out on em0
pass out on em1
pass out on em2
---end---

... somewhat works, in a way that sessions from the lan host to  do
get load balanced to both rtables most of the time. However, some of
the sessions to  (I tested with ssh) get denied by the default
block rule initially:

block in on em0: PR.IV.AT.E.35528 > PU.BL.I.C.22: tcp 0 (DF) [tos 0x48]

and then, on the subsequent automatic ssh retry after a few seconds, get
moved to one of the two rtables.

From the above I conclude that the two rules of 50% do not make a total
of 100% in pf's logic, and there are situations where a packet won't be
passed by either of the two. That unfortunately won't work for my use
case.

Or perhaps I'm configuring something wrong?

Best regards,

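The arithmetic behind the two messages above (Petr Ročkai's "only add up to 75%" remark, and the ssh sessions that hit "block log all" in the test ruleset) can be checked without a router. What follows is an added illustration, not code from the thread and not part of pf: a small Python model of pf's evaluation order, where rules are tried top to bottom, the last matching rule decides, and a "probability" rule matches with that chance independently for every packet. The interface, source and destination tables are left out since they do not affect the outcome; the rule class, the exact enumeration and the Monte Carlo helper are my own.

```python
import random
from collections import Counter
from dataclasses import dataclass
from itertools import product
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """Reduced pf rule: only the parts that matter for this question."""
    action: str                   # "block" or "pass"
    rtable: Optional[int] = None  # 'rtable N' on a pass rule
    probability: float = 1.0      # pf 'probability' keyword; 1.0 = always matches


def outcome(rule):
    return "block" if rule.action == "block" else f"rtable {rule.rtable}"


def evaluate(rules, rng):
    """pf tries rules in order and the LAST matching one decides (no 'quick'
    here). A probability rule matches with that chance, rolled independently
    for every packet, so every packet throws its own dice."""
    decision = None
    for r in rules:
        if rng.random() < r.probability:
            decision = r
    return decision


def exact_distribution(rules):
    """Enumerate every match/no-match combination to get exact fractions."""
    dist = Counter()
    for matched in product((False, True), repeat=len(rules)):
        p, decision = 1.0, None
        for r, m in zip(rules, matched):
            p *= r.probability if m else 1.0 - r.probability
            if m:
                decision = r
        if p > 0.0 and decision is not None:
            dist[outcome(decision)] += p
    return dict(dist)


def simulate(rules, packets=20000, seed=7):
    """Monte Carlo version: fraction of packets per outcome."""
    rng = random.Random(seed)
    counts = Counter(outcome(evaluate(rules, rng)) for _ in range(packets))
    return {k: v / packets for k, v in counts.items()}


# The two rulesets from the thread, reduced to 'block log all' plus the pass
# rules (constructed here; interface and tables omitted).
TWO_FIFTY_PERCENT = [            # two 'probability 50%' passes
    Rule("block"),
    Rule("pass", rtable=1, probability=0.5),
    Rule("pass", rtable=2, probability=0.5),
]
CORRECTED = [                    # Petr's fix: the first pass is unconditional
    Rule("block"),
    Rule("pass", rtable=1),
    Rule("pass", rtable=2, probability=0.5),
]

if __name__ == "__main__":
    for name, rules in (("two 50% rules", TWO_FIFTY_PERCENT),
                        ("corrected", CORRECTED)):
        print(name, "exact:", exact_distribution(rules),
              "simulated:", simulate(rules))
```

Run as is it prints both distributions: with two 50% rules a quarter of the packets match neither pass rule and fall through to the block, a quarter land in rtable 1 and half in rtable 2; with the first pass unconditional the split is 50/50 and nothing is blocked, which is exactly the behaviour reported after the change.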



load balancing with rdomains

2023-12-15 Thread Marko Cupać
Hi,

I have a router whose LAN interface is in the default rdomain 0, ISP1 in
rdomain 1 and ISP2 in rdomain 2. The reason for this is a bit
complicated and involves wireguard tunneling; I will give more details
if needed.

LAN hosts can access Internet over ISP1 by means of:

pass in on $if_lan from ($if_lan:network) to  rtable 1

Also over ISP2 if I change above line to:

pass in on $if_lan from ($if_lan:network) to  rtable 2

Is it possible to load-balance over both ISPs / rdomains?

Thank you in advance,




Re: pf queues

2023-12-01 Thread Marko Cupać
On Fri, 1 Dec 2023 04:56:40 +0300
4  wrote:

> match proto icmp set prio(6 7) queue(6-fly 7-ack)
> how is this supposed to work at all? i.e. packets are placed both in
> prio's queues 6/7(in theory priorities and queues are the same
> thing), and in hsfc's queues 6-fly/7-ack at once?

I am not sure I understand what you don't understand here.

Straight from manpage:
https://man.openbsd.org/pf.conf#set~2

If two priorities are given, TCP ACKs with no data payload and packets
which have a TOS of lowdelay will be assigned to the second one.

https://man.openbsd.org/pf.conf#set~3

If two queues are given, packets which have a TOS of lowdelay and TCP
ACKs with no data payload will be assigned to the second one.

ICMP is not the best example, but the syntax works. I guess the rule you
quoted results in behaviour where all the ICMP packets get priority of
6 and get assigned to queue 6-fly, even though the idea was to have
requests with priority of 6 assigned to queue 6-fly, and replies with
priority of 7 to queue 7-ack. But then again perhaps it works the
latter way, if icmp replies have TOS of lowdelay.

If this was TCP, payload would get priority of 6 and be assigned to
queue 6-fly, while ACKs would get priority of 7 and be assigned to queue
7-ack.

Anyway, after years of usage, and a lot of frustration in the beginning,
I find the current approach more flexible, because in HFSC queue and
priority have to be the same, while in current pf we can set it to be
exactly like HFSC, but also have different priorities within the same
queue, or different queues for the same priority. At this point I only
miss the ability to see prio values somewhere in monitoring tools like
systat.

The only way to get the answers is to test, write the ruleset wisely,
and observe systat. If someone knows of other ways please let me know;
I am by no means "an expert on pf queueing", just a guy who has been
trying to tame his employer's network for quite some time now.

Regards,




Re: pf queues

2023-11-30 Thread Marko Cupać
f wireguard tunnels on external
interfaces etc.

I once had the privilege to sit with Henning, author of the 'pf
megapatch' which introduced the new queuing mechanism. I complained that
the new stuff is not well documented, and asked if he could explain it
better to me. He said something along the lines of "I have no idea. It
works for me. All I know is in the manpage and the code is available in
CVS. Try if it works for you. If it doesn't and you know what should be
improved, send a patch". Upon hearing this, I was enlightened :)

I hope the above will be helpful.

Best regards,




Re: ipsec hardware recommendation

2023-09-14 Thread Marko Cupać
Hi,

thank you for the suggestions; it took me some time to think about them
and reply here.

On Fri, 11 Aug 2023 14:19:44 - (UTC)
Stuart Henderson  wrote:

> If you post your IPsec configuration, perhaps someone can suggest
> whether the choice of ciphers etc could be improved. It can make
> quite a difference.

I have just recently bumped the quick enc from aes-128-gcm to
aes-256-gcm, as well as the group from modp3072 to ecp256:

ike passive esp transport proto gre from $me to $peer \
  main auth hmac-sha2-256 enc aes-256 group ecp256 lifetime 24h \
  quick enc aes-256-gcm group ecp256 lifetime 8h

I have also increased the lifetimes from the default values because I
was getting quite a lot of INVALID COOKIE messages from isakmpd:

isakmpd[51306]: message_recv: invalid cookie(s) cookiea cookieb
isakmpd[51306]: dropped message from $peer port 500 due to notification
type INVALID_COOKIE


On Sat, 12 Aug 2023 12:17:36 +1000
David Gwynne  wrote:

> The things you can do Right Now(tm) are:
> 
> - upgrade to -current
> 
> the pf purge code has been taken out from under the big kernel lock.
> if you have a lot of pf states, this will give more time to crypto.

I have ~50,000 states during peak time. I can't go to -current, but I
will look forward to 7.4. I also read the following articles on
undeadly.org:

https://undeadly.org/cgi?action=article;sid=20230807094305
https://undeadly.org/cgi?action=article;sid=20230706115843

Once 7.4 hits, is it expected that changing gre/ipsec to sec(4) could
make a positive difference in throughput on the same hardware?

> - pick faster crypto algorithms

I posted mine above; I would be thankful for the latest recommendation.

> - try wireguard?

I am testing replacing a few of the gre/ipsec tunnels with wg interfaces
on 7.3 at the moment. The main problem I am encountering so far is the
fact that `ospfctl reload` does not seem to pick up newly added (to
ospfd.conf) wg interfaces. `ospfctl sh int` shows them in DOWN state
after reload, and no OSPFv2 hello packets are being sent until `rcctl
restart ospfd`.

It is quite unmaintainable to have to restart ospfd every time wg
interfaces are added to or removed from ospfd.conf. Any way around it?
Perhaps this will improve in some later release? Or am I doing it
wrong?

I have more questions about wireguard but I guess I should better ask
them in another topic.

Thank you in advance,




ipsec hardware recommendation

2023-08-11 Thread Marko Cupać
Hi,

I have a star topology network where dozens of spokes communicate with
other spokes through a central hub over GRE tunnels protected with
transport-mode ipsec.

This worked great for years, but lately all the locations got a
bandwidth upgrade (spokes: 10Mbit -> 50Mbit, hub: 2x200Mbit ->
2x500Mbit), and I'm starting to experience problems.

Spokes have APU4D4s, and my tests show they can push up to 30Mbit/s of
ipsec bidirectionally. The hub has an HPE DL360g9 with Xeon CPU E5-2623
v4 @ 2.60GHz and bge NICs, and it seems it can push no more than
200Mbit/s of ipsec bidirectionally (I have no chance to test this
thoroughly in a lab, but what I see in production indicates this
strongly).

Are there any commands I can run which would indicate ipsec traffic is
being throttled due to the hardware being underspecced? top shows the
CPU is more than 50% idle. netstat shows ~1 Ierrs / Ifail (no Oerrs /
Ifail) on interfaces that deal with ipsec for two months' worth of
uptime.

Would replacing the Xeon box with an AMD EPYC 7262 likely result in an
improvement? Should I go for some NICs other than bge? What hardware do
I need at the hub location to accommodate ~400Mbit/s of ipsec
bidirectionally?

Thank you in advance,





Re: Some more humor, maybe?

2021-09-23 Thread Marko Cupać
On Wed, 22 Sep 2021 22:09:14 -0600
flint pyrite  wrote:

> Remember movement would not occur without involvement

Hax0rz of the early 2020s why are you looking so round up?

Without posture there's no movement.

https://www.youtube.com/watch?v=a1oSXlU0ZUk

:)




local openrsync - incorrect directory ownership?

2021-06-07 Thread Marko Cupać
Hi,

I am using openrsync to back up some directory trees locally to a
separate mount point, using the -a flag, which should preserve file and
directory ownership provided rsync is run as root.

I noticed directory ownerships are not as expected in the backup
location (/tmp for the purpose of this demonstration), as opposed to
file ownerships, which are correct. I tested on multiple systems, 6.8
and 6.9, and I can always reproduce it as follows:

- create the following directory and file structure in user's home:

/home/user/dir1/file1.txt
/home/user/dir1/dir2/file2.txt
/home/user/dir1/dir2/dir3/file3.txt

By default, they are all owned by user (check with ls -lR):

/home/user/dir1:
total 8
drwxr-xr-x  3 user  user  512 Jun  7 11:28 dir2
-rw-r--r--  1 user  user    8 Jun  7 11:28 file1.txt

/home/user/dir1/dir2:
total 8
drwxr-xr-x  2 user  user  512 Jun  7 11:34 dir3
-rw-r--r--  1 user  user   10 Jun  7 11:28 file2.txt

/home/user/dir1/dir2/dir3:
total 4
-rw-r--r--  1 user  user  13 Jun  7 11:34 file3.txt

- now, as root, using -a flag, sync /home/user/dir1 to /tmp/:

openrsync --rsync-path=/usr/bin/openrsync -a /home/user/dir1 /tmp/

- check (perhaps with ls -lR) file and directory ownership:

/tmp/dir1:
total 4
drwxr-xr-x  3 root  wheel   512 Jun  7 11:28 dir2
-rw-r--r--  1 user  user  8 Jun  7 11:28 file1.txt

/tmp/dir1/dir2:
total 4
drwxr-xr-x  2 root  wheel   512 Jun  7 11:34 dir3
-rw-r--r--  1 user  user 10 Jun  7 11:28 file2.txt

/tmp/dir1/dir2/dir3:
total 2
-rw-r--r--  1 user  user 13 Jun  7 11:34 file3.txt

Notice that files are correctly owned by user:user, but directories are
owned by root:wheel, as opposed to what the manpage says about the -a
flag (shorthand for, among others, -g and -o - preserve owner and group
if run as root).

Best regards,

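A backup whose directory ownership silently differs from the source is the kind of thing that only shows up when you restore, so it is worth checking mechanically rather than by eye with ls -lR. The script below is an added example, not part of openrsync or of the report above: it walks the source tree, compares uid/gid of every directory and file with the entry at the same relative path in the backup, and lists every mismatch (or missing path). Because a test run cannot chown as an unprivileged user, a fake stat function reproduces the symptom described in the report (directories under the backup reporting root:wheel while files keep their owner); the tree it builds mirrors the dir1/dir2/dir3 layout above and is constructed in a temporary directory.

```python
import os
import shutil
import sys
import tempfile
from types import SimpleNamespace


def ownership_mismatches(src_root, dst_root, stat=os.lstat):
    """Walk src_root and compare uid/gid of every directory and file with the
    entry at the same relative path under dst_root. Returns a list of
    (relpath, (src_uid, src_gid), (dst_uid, dst_gid)); the last element is
    None when the path is missing from the backup."""
    problems = []
    for dirpath, _dirnames, filenames in os.walk(src_root):
        rel_dir = os.path.relpath(dirpath, src_root)
        for name in [""] + filenames:            # "" = the directory itself
            rel = os.path.normpath(os.path.join(rel_dir, name))
            s = stat(os.path.join(src_root, rel))
            try:
                d = stat(os.path.join(dst_root, rel))
            except FileNotFoundError:
                problems.append((rel, (s.st_uid, s.st_gid), None))
                continue
            if (s.st_uid, s.st_gid) != (d.st_uid, d.st_gid):
                problems.append((rel, (s.st_uid, s.st_gid),
                                 (d.st_uid, d.st_gid)))
    return problems


def root_owned_dirs(dst_root):
    """Fake stat reproducing the reported symptom: every directory under
    dst_root shows up as root:wheel (0:0) while files keep their real owner."""
    def fake(path):
        st = os.lstat(path)
        if os.path.isdir(path) and os.path.commonpath([path, dst_root]) == dst_root:
            return SimpleNamespace(st_uid=0, st_gid=0)
        return st
    return fake


def demo():
    """Build dir1/file1.txt, dir1/dir2/file2.txt, dir1/dir2/dir3/file3.txt
    (constructed, like the reported tree), copy it, and run the check both
    for real and through the fake stat. Returns (real, simulated, my uid/gid)."""
    base = tempfile.mkdtemp()
    try:
        src = os.path.join(base, "dir1")
        dst = os.path.join(base, "backup", "dir1")
        os.makedirs(os.path.join(src, "dir2", "dir3"))
        files = (("file1.txt", "one\n"),
                 (os.path.join("dir2", "file2.txt"), "two\n"),
                 (os.path.join("dir2", "dir3", "file3.txt"), "three\n"))
        for rel, text in files:
            with open(os.path.join(src, rel), "w") as f:
                f.write(text)
        shutil.copytree(src, dst)                 # same user: no real mismatch
        real = ownership_mismatches(src, dst)
        simulated = ownership_mismatches(src, dst, stat=root_owned_dirs(dst))
    finally:
        shutil.rmtree(base)
    return real, simulated, (os.getuid(), os.getgid())


if __name__ == "__main__":
    if len(sys.argv) == 3:       # e.g. check.py /home/user/dir1 /tmp/dir1
        for rel, s, d in ownership_mismatches(sys.argv[1], sys.argv[2]):
            dest = "missing" if d is None else f"{d[0]}:{d[1]}"
            print(f"{rel}: source {s[0]}:{s[1]}, backup {dest}")
    else:
        real, simulated, _ = demo()
        print("real:", real)
        print("simulated root-owned dirs:", simulated)
```

Given the source and backup roots as arguments it reports every path whose owner differs, which is the check to run after any rsync -a as root; with no arguments it runs the built-in demo, where the simulated run flags exactly the three directories and none of the files.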



Re: BGP circular routing

2021-05-01 Thread Marko Cupać
On Thu, 29 Apr 2021 12:04:53 - (UTC)
Stuart Henderson  wrote:

> On 2021-04-29, Marko Cupać  wrote:
> > (...)
> > I have a problem with circular routing on a site which talks
> > BGP with two upstream providers, with traffic to site which has
> > static default route over third ISP:
> >
> >   --> ISP1 --> ISP3 --> 
> > SITEASITEB
> >   <-- ISP2 <-- ISP3 <--
> 
> Asymmetric routing (circular suggests that it's looping so you have
> no working connectivity, which I think is not what you're describing).

Yes, thank you for the correction.

> > I tried to prepend self / neighbor to ISP2 - no change (ISP1 has
> > best routes for 99% of the prefixes, including to SITEB). I
> > contacted ISP2, they said the problem is with ISP3. I contacted
> > ISP3, they said ISP2 announces my prefix (they're my LIR) so the
> > best route is over them. I contacted ISP2 again, they said they
> > prepended my prefix to ISP3, but situation is the same.
> >
> > Is it OK for ISP2 (my LIR) to announce and prepend my prefix? I
> > thought I should be in control of that.
> >
> > Is there anything I can do about the situation?
> 
> You can't do much to control incoming traffic though you can sometimes
> influence it. But you do control which routes you accept/prefer. If
> you want to avoid the asymmetric path, you need to prefer ISP2's
> announcements for SITEB, for example you could match and give it a
> higher localpref.

That was a really helpful suggestion. I increased SITEB's localpref:

match from $ISP2 prefix { A.B.C.D/E } set localpref 200

...and I ended up sending and receiving traffic to SITEB through the
same interface over ISP2. This is even better because the link over ISP2
until now had almost no outgoing traffic, while the one over ISP1 was
heavily utilized.

> Is it causing a problem though? This is completely normal and expected
> on the internet.

I was seeing quite a number of state-mismatch packets in SITEB's pf
info, which is the reason why I wanted to make traffic come and go
through the same interface on SITEA. Traffic between the sites is an
ipsec-protected GRE tunnel, so isakmpd (udp) and esp. I suspect the
state-mismatch was due to a slight difference in latency of the links.

It is too early to say for sure, but I think I am noticing far fewer
state-mismatch packets in SITEB's pf info since the change.

Thanks!

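Why a single "set localpref 200" on ISP2's announcement flips the outgoing path for SITEB and nothing else: localpref is the first criterion in the BGP decision process, ahead of AS-path length, and it only applies to paths the match rule touched. The following is an added example, not bgpd code and not from the thread: a reduced model of the decision process (localpref, then AS-path length, then a deterministic tie-break; real bgpd has further steps that do not matter here) run over a constructed Adj-RIB-In. The page elides the real prefix as A.B.C.D/E, so documentation ranges and private-use AS numbers stand in, and ISP2's paths carry one prepend so that ISP1 wins everything on path length alone, as in the situation described above.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_network

DEFAULT_LOCALPREF = 100   # bgpd's default when no 'set localpref' applies


@dataclass(frozen=True)
class Path:
    prefix: str
    neighbor: str      # upstream that announced it, "ISP1" or "ISP2"
    as_path: tuple     # AS numbers left to right, the neighbor's AS first
    localpref: int = DEFAULT_LOCALPREF


def set_localpref(paths, neighbor, prefixes, localpref):
    """Model of 'match from $NEIGHBOR prefix { ... } set localpref N':
    raise localpref on paths learned from that neighbor for those prefixes,
    leave every other path untouched."""
    wanted = {ip_network(p) for p in prefixes}
    return [
        replace(p, localpref=localpref)
        if p.neighbor == neighbor and ip_network(p.prefix) in wanted else p
        for p in paths
    ]


def best_path(candidates):
    """Reduced decision process: highest localpref, then shortest AS path,
    then neighbor name as a deterministic tie-break."""
    return min(candidates,
               key=lambda p: (-p.localpref, len(p.as_path), p.neighbor))


def rib_best(paths):
    """Map each prefix to the neighbor whose path wins the decision."""
    by_prefix = {}
    for p in paths:
        by_prefix.setdefault(p.prefix, []).append(p)
    return {pfx: best_path(c).neighbor for pfx, c in by_prefix.items()}


# Constructed Adj-RIB-In (documentation prefixes, private-use ASNs).
SITEB = "192.0.2.0/24"       # stands in for the elided A.B.C.D/E
OTHER = "198.51.100.0/24"    # any other prefix, to show it is unaffected
ADJ_RIB_IN = [
    Path(SITEB, "ISP1", (65001, 65003, 65010)),
    Path(SITEB, "ISP2", (65002, 65002, 65003, 65010)),   # one prepend
    Path(OTHER, "ISP1", (65001, 65020)),
    Path(OTHER, "ISP2", (65002, 65002, 65020)),          # one prepend
]


def before_and_after():
    """Best neighbor per prefix without and with the localpref match rule."""
    before = rib_best(ADJ_RIB_IN)
    after = rib_best(set_localpref(ADJ_RIB_IN, "ISP2", [SITEB], 200))
    return before, after


if __name__ == "__main__":
    before, after = before_and_after()
    print("before:", before)
    print("after :", after)
```

Before the rule both prefixes are reached through ISP1 (shorter AS path); after it only SITEB moves to ISP2, since the match rule never touched the other prefix. The same model also shows why prepending toward ISP2 did not help: it lengthens the path other networks see, but says nothing about which route this router prefers on the way out.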



BGP circular routing

2021-04-29 Thread Marko Cupać
Hi,

I guess this is not related to bgpd, but I hope there are skilled
network admins here who can give me advice.

I have a problem with circular routing on a site which talks BGP with
two upstream providers, with traffic to a site which has a static
default route over a third ISP:

        --> ISP1 --> ISP3 -->
  SITEA                      SITEB
        <-- ISP2 <-- ISP3 <--

I tried to prepend self / neighbor to ISP2 - no change (ISP1 has the
best routes for 99% of the prefixes, including to SITEB). I contacted
ISP2, they said the problem is with ISP3. I contacted ISP3, they said
ISP2 announces my prefix (they're my LIR) so the best route is over
them. I contacted ISP2 again, they said they prepended my prefix to
ISP3, but the situation is the same.

Is it OK for ISP2 (my LIR) to announce and prepend my prefix? I thought
I should be in control of that.

Is there anything I can do about the situation?

Thank you in advance,




sasyncd question

2020-10-23 Thread Marko Cupać
Hi,

Is there a way to sync only SAs created on CARP interfaces, without
syncing those created on physical, non-CARP interfaces? Something like
the no-sync option in pf.conf for pfsync?

I'm asking because I have a pair of firewalls where the majority of
IPsec peers connect directly to non-CARP interfaces (GRE tunnels
connected with transport mode IPsec + OSPF), and just a few of them
connect to a CARP interface (passive tunnel mode IPsec because of
dynamic IP addresses on the peers). sasyncd now syncs everything, so
CARP peers get SAs for the physical interfaces of the other CARP member,
which is undesirable, and I guess also prolongs the time to re-negotiate
SAs.

Is there any other way OpenBSD admins handle this situation?

Thank you in advance,




Re: npppd failed enable pipex: Invalid argument

2020-08-17 Thread Marko Cupać
On Mon, 17 Aug 2020 00:36:35 +0300
Vitaliy Makkoveev  wrote:

> Hello Marko.
> 
> Can I propose you to try upcoming 6.8? We moved pppac(4) and pppx(4)
> output processing out of kernel lock. pppx(4) output is still
> serialised by netlock, but I hope we'll make it per-cpu before the 6.8
> release.
> 
> Also, for curiosity reasons, what is your pppx(4) clients count? 

Hi Vitaliy,

I can try a 6.8 snapshot and test 2-3 simultaneous clients, but
unfortunately not in "real life" production.

In April, during the WFH boom in the early days of lockdown I had up to
150 concurrent clients; nowadays they average around 50. But not too
much traffic, ~20Mbit/s in total (people mostly RDP over pptp).

I'll report how I fare with 6.8 snapshots.

Regards,




Re: npppd failed enable pipex: Invalid argument

2020-08-10 Thread Marko Cupać
On Tue, 4 Aug 2020 18:31:44 +0300
Vitaliy Makkoveev  wrote:

> > On 4 Aug 2020, at 17:04, Marko Cupać  wrote:
> > 
> > Hi,
> > 
> > I have recently upgraded (actually installed from scratch and copied
> > config files) one of my firewalls from 6.6 to 6.7, and (sys)patched
> > it to 017_dix. Everything works great except my npppd setup. It
> > starts fine, but upon connecting over pptp I get the following
> > records in log:
> > (...)
> > Aug  4 15:48:48 nat2 npppd[66557]: ppp id=0 layer=base failed
> > enable pipex: Invalid argument
>
> In kernel timeout was disabled for pppx(4). Remove please
> "idle-timeout".

Sorry for the late reply, I haven't had the chance to test until now.
That was it; after removing idle-timeout, npppd accepts pptp connections.

Once again you saved me with npppd, thank you!



npppd failed enable pipex: Invalid argument

2020-08-04 Thread Marko Cupać
o
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
com1: probed fifo depth: 0 bytes
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
pci16 at mainbus0 bus 255
"Intel Xeon-D QPI Link" rev 0x01 at pci16 dev 11 function 0 not configured
"Intel Xeon-D QPI Link" rev 0x01 at pci16 dev 11 function 1 not configured
"Intel Xeon-D QPI Link" rev 0x01 at pci16 dev 11 function 2 not configured
"Intel Xeon-D QPI Debug" rev 0x01 at pci16 dev 11 function 3 not configured
"Intel Xeon-D Cache" rev 0x01 at pci16 dev 12 function 0 not configured
"Intel Xeon-D Cache" rev 0x01 at pci16 dev 12 function 1 not configured
"Intel Xeon-D Cache" rev 0x01 at pci16 dev 12 function 2 not configured
"Intel Xeon-D Cache" rev 0x01 at pci16 dev 12 function 3 not configured
"Intel Xeon-D Cache" rev 0x01 at pci16 dev 15 function 0 not configured
"Intel E5 v4 Cache" rev 0x01 at pci16 dev 15 function 1 not configured
"Intel Xeon-D Cache" rev 0x01 at pci16 dev 15 function 4 not configured
"Intel Xeon-D Cache" rev 0x01 at pci16 dev 15 function 5 not configured
"Intel Xeon-D Cache" rev 0x01 at pci16 dev 15 function 6 not configured
"Intel Xeon-D PCIE" rev 0x01 at pci16 dev 16 function 0 not configured
"Intel E5 v4 R2PCIe Agent" rev 0x01 at pci16 dev 16 function 1 not configured
"Intel Xeon-D Ubox" rev 0x01 at pci16 dev 16 function 5 not configured
"Intel Xeon-D Ubox" rev 0x01 at pci16 dev 16 function 6 not configured
"Intel Xeon-D Ubox" rev 0x01 at pci16 dev 16 function 7 not configured
"Intel Xeon-D Home Agent" rev 0x01 at pci16 dev 18 function 0 not configured
"Intel Xeon-D Home Agent" rev 0x01 at pci16 dev 18 function 1 not configured
vendor "Intel", unknown product 0x6f70 (class system subclass miscellaneous, 
rev 0x01) at pci16 dev 18 function 2 not configured
"Intel Xeon-D Memory" rev 0x01 at pci16 dev 19 function 0 not configured
"Intel Xeon-D Memory" rev 0x01 at pci16 dev 19 function 1 not configured
"Intel Xeon-D Memory" rev 0x01 at pci16 dev 19 function 2 not configured
"Intel Xeon-D Memory" rev 0x01 at pci16 dev 19 function 3 not configured
"Intel Xeon-D Memory" rev 0x01 at pci16 dev 19 function 4 not configured
"Intel Xeon-D Memory" rev 0x01 at pci16 dev 19 function 5 not configured
"Intel Xeon-D Memory" rev 0x01 at pci16 dev 19 function 6 not configured
"Intel Xeon-D Memory" rev 0x01 at pci16 dev 19 function 7 not configured
"Intel Xeon-D Memory" rev 0x01 at pci16 dev 20 function 0 not configured
"Intel Xeon-D Memory" rev 0x01 at pci16 dev 20 function 1 not configured
"Intel Xeon-D Memory" rev 0x01 at pci16 dev 20 function 2 not configured
"Intel Xeon-D Memory" rev 0x01 at pci16 dev 20 function 3 not configured
"Intel Xeon-D Memory" rev 0x01 at pci16 dev 20 function 4 not configured
"Intel Xeon-D Memory" rev 0x01 at pci16 dev 20 function 5 not configured
"Intel Xeon-D Memory" rev 0x01 at pci16 dev 20 function 6 not configured
"Intel Xeon-D Memory" rev 0x01 at pci16 dev 20 function 7 not configured
"Intel Xeon-D Memory" rev 0x01 at pci16 dev 21 function 0 not configured
"Intel Xeon-D Memory" rev 0x01 at pci16 dev 21 function 1 not configured
"Intel Xeon-D Memory" rev 0x01 at pci16 dev 21 function 2 not configured
"Intel Xeon-D Memory" rev 0x01 at pci16 dev 21 function 3 not configured
"Intel E5 v4 RAS" rev 0x01 at pci16 dev 22 function 0 not configured
"Intel E5 v4 DDRIO" rev 0x01 at pci16 dev 22 function 6 not configured
"Intel E5 v4 DDRIO" rev 0x01 at pci16 dev 22 function 7 not configured
"Intel E5 v4 Thermal" rev 0x01 at pci16 dev 23 function 0 not configured
"Intel E5 v4 DDRIO" rev 0x01 at pci16 dev 23 function 4 not configured
"Intel E5 v4 DDRIO" rev 0x01 at pci16 dev 23 function 5 not configured
"Intel E5 v4 DDRIO" rev 0x01 at pci16 dev 23 function 6 not configured
"Intel E5 v4 DDRIO" rev 0x01 at pci16 dev 23 function 7 not configured
"Intel Xeon-D PCU" rev 0x01 at pci16 dev 30 function 0 not configured
"Intel Xeon-D PCU" rev 0x01 at pci16 dev 30 function 1 not configured
"Intel Xeon-D PCU" rev 0x01 at pci16 dev 30 function 2 not configured
"Intel Xeon-D PCU" rev 0x01 at pci16 dev 30 function 3 not configured
"Intel Xeon-D PCU" rev 0x01 at pci16 dev 30 function 4 not configured
"Intel Xeon-D PCU" rev 0x01 at pci16 dev 31 function 0 not configured
"Intel Xeon-D PCU" rev 0x01 at pci16 dev 31 function 2 not configured
vmm0 at mainbus0: VMX/EPT
efifb0 at mainbus0: 1280x1024, 32bpp
ws

Re: OpenBSD Readonly File System

2020-06-26 Thread Marko Cupać

On 2020-06-24, Aaron Mason  wrote:
> Auto filesystem repair is bad juju.

On 2020-06-25 11:17, Stuart Henderson wrote:
> Nonsense. For many, the possible downsides of automatically running
> fsck -y are much less a problem than the downsides of *not* running it.


Some time ago I wrote here on misc@ about a read-only setup, where I
intended to modify rc(8) in order to be able to relink the kernel before
mounting filesystems read-only, and - if I remember correctly - I was
warned never to modify rc(8) directly as it's considered part of the
base system, and I should only affect it with rc.local, which I did.

Is there a way to run fsck -y automatically without modifying rc(8)? Is
modifying rc(8) now supported?





Re: OpenBSD Readonly File System

2020-06-13 Thread Marko Cupać

On 2020-06-09 09:59, Vertigo Altair wrote:
> Hi Misc,
> I have a firewall device and I'm using OpenBSD on it. There is an
> electricity problem where the device runs. Therefore, I have to run the
> "fsck -y" command regularly at startup due to the electricity problem. To
> overcome this, I want to use readonly file system.
> I know there are some projects like "resflash", but I want to do that
> manually.
> ...
> On startup following errors coming from /etc/rc; I think errors about
> /etc/motd are not so important, but are the errors coming from /etc/tty*
> can cause any problems? If my method is not correct, what is the best way
> to do this?


AFAIK, OpenBSD officially does not support a read-only root file system.

But I have a similar problem, and I have described my solution here:

https://www.mimar.rs/blog/how-to-increase-openbsds-resilience-to-power-outages

HTH,



Re: About pf max-src-conn-rate

2020-05-28 Thread Marko Cupać

On 2020-05-27 14:27, Walter Alejandro Iglesias wrote:
> Another question about pf.
>
> Perhaps I don't fully understand how connection rate is calculated.
>
> The following line in /etc/pf.conf:
>
>   pass in log inet proto tcp to any port { smtp smtps } synproxy state \
>   (max-src-conn-rate 5/30, overload  flush global)
>
> Shouldn't it prevent this from happening?
>
> In /var/log/maillog
> ...
> A total of *323* connections from the same IP at less than a 1/4 second
> interval during more than four minutes.


If I'm not mistaken (someone please correct me if I'm wrong), 323
connections in maillog is not the same as 323 tcp connections. You can
send 323 smtp commands in a single tcp session.

Perhaps you should look into https://man.openbsd.org/spamd to achieve
your goal.


--
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-13 Thread Marko Cupać

On 2020-05-13 11:02, i...@aulix.com wrote:

(all your emails to @misc)


Dear Info,

the best way to get answers to all of your questions regarding OpenBSD 
is to try and run OpenBSD for a few years, trying to make it help with 
your real-world needs, such as a personal laptop, home gateway, personal 
email or web server etc. After some time, you will be able to decide 
whether OpenBSD is the right choice for you.


You should be able to find the majority of answers to your questions 
regarding OpenBSD in manpages, the FAQ, and books such as "Absolute 
OpenBSD", "The Book of PF" etc. There are also various blogs from 
OpenBSD users, whose quality varies from very bad to very good.


As for idle gossip, I can suggest local bars, which is what I use. I 
understand they are all closed now due to the current situation with the 
pandemic, but the @misc mailing list is a really poor substitute.


Regards,
--
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: pf table for all publicly routable ipv4 addresses

2020-05-12 Thread Marko Cupać

Hi,

thanks to everyone who sent me tips and ideas about the topic.

At the moment I am testing "negated table" approach, which seems to work 
fine:


block log all
pass in on $vlan_guests from $vlan:guests:network to ! 

...where table  is a list of subnets I don't want to be 
reachable from the guest vlan (basically the  table from the pf FAQ).


I have also been testing "table with negated records" approach, which 
also seems to work fine


block log all
pass in on $vlan_guests from $vlan:guests:network to 

...where routable is a list of negated subnets I don't want to be 
reachable from the guest vlan (basically the  table from the pf FAQ but 
with negated records, plus 0.0.0.0/0 on top). Could it be that the pf FAQ is 
outdated in saying that 0.0.0.0/0 shouldn't be used in tables? pfctl has no 
problem adding, removing and listing the 0.0.0.0/0 subnet in tables.


I'll test some more and send some feedback.
--
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: change default constraint server in ntpd.conf

2020-05-11 Thread Marko Cupać

On 2020-05-08 00:17, Theo de Raadt wrote:

Theo de Raadt  wrote:
(...)

Stuart Henderson  wrote:
(...)


Dear Stuart, Theo,

thank you for insightful answers.

I admit my understanding of the intricacies of the ntp protocol equals zero - 
same as my current motivation to learn more about it. My need for 
accurate timekeeping on my OpenBSD firewalls is best described by the 
fact that I occasionally log into branch routers where I routinely 
discover their clock is off by >2 years because I forgot to either start 
ntpd with the default ntpd.conf in the appropriate rdomain with Internet access, 
or to edit the default ntpd.conf to point them to the internal ntp server, also 
running on OpenBSD with the default ntpd.conf. To my great joy, this never 
affects their main functionality of pushing packets between branch 
office and HQ in a way I consider secure enough.


My main motivation for asking this question on @misc was political, and 
went along the lines of "why send these ad-peddling, 
private-data-slurping clowns any packets?"


Thanks to your answers, I understand now there is more to it than "let's 
just put some website that is most likely to be there when we query it 
for constraints, and also promote it a bit while there".


Stay fresh,
--
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



change default constraint server in ntpd.conf

2020-05-07 Thread Marko Cupać
Hi,

why not change default constraint server in ntpd.conf from current
https://google.com to something more neutral / reputable?

If https://www.openbsd.org does not want to be involved, perhaps
https://www.ntp.org would be fine.

Regards,
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: pf table for all publicly routable ipv4 addresses

2020-05-04 Thread Marko Cupać

On 2020-05-04 19:23, Stuart Henderson wrote:

On 2020-05-04, Marko Cupać  wrote:

Hi,

I'd like to create pf table "all publicly routable ipv4 addresses". Is
this possible with some short syntax?

Thank you in advance.



something like this?

# https://www.team-cymru.org/Services/Bogons/bogon-bn-agg.txt
table  {
!0.0.0.0/8
!10.0.0.0/8
!100.64.0.0/10
!127.0.0.0/8
!169.254.0.0/16
!172.16.0.0/12
!192.0.0.0/24
!192.0.2.0/24
!192.168.0.0/16
!198.18.0.0/15
!198.51.100.0/24
!203.0.113.0/24
!224.0.0.0/3
}


Yes. I want to have the opposite of the  table described in the pf 
faq:

https://www.openbsd.org/faq/pf/example1.html#pf

...so I can permit hosts on the guest vlan to access Internet hosts, but not 
hosts on other private vlans, similar to:


block log all
pass in on $guest_vlan from $guest_vlan:network to 

However, this apparently doesn't work. If I tested correctly, your  
table expands to "no addresses", not "all addresses but those".


I thought I could do such a table like this:

table  {0.0.0.0/0 \
 !0.0.0.0/8 \
 ...
   !224.0.0.0/3 }

...but https://www.openbsd.org/faq/pf/tables.html#addr states that "One 
limitation when specifying addresses is that 0.0.0.0/0 and 0/0 will not 
work in tables".


I know I can solve this by reordering rules, and using block instead of 
pass, but I'd really like to have a table of all publicly routable ip 
addresses in pf.


Regards,
--
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
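
As an added example (not from the thread or from OpenBSD), one way around the "0.0.0.0/0 will not work in tables" limitation discussed in this thread and in the follow-up above is to compute 0.0.0.0/0 minus the bogon list as explicit positive prefixes and emit those as a plain pf table. The script below does that with Python's standard ipaddress module, takes the bogon aggregate list quoted above as its input, and assumes the table name "routable".

```python
"""Build a positive pf table of publicly routable IPv4 prefixes.

Added example, not from the thread or from OpenBSD: instead of a table
holding 0.0.0.0/0 plus negated bogon entries, compute 0.0.0.0/0 minus
the bogon aggregate list as explicit CIDR blocks and render them as a
pf.conf table definition that needs no negated entries.
"""
import ipaddress

# Bogon aggregate list as quoted in the thread (Team Cymru bogon-bn-agg).
BOGONS = [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24",
    "203.0.113.0/24", "224.0.0.0/3",
]


def routable_prefixes(bogons):
    """Return 0.0.0.0/0 minus the given networks as a sorted list of IPv4Network."""
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for bogon in map(ipaddress.ip_network, bogons):
        carved = []
        for net in remaining:
            if net.subnet_of(bogon):
                continue                                   # wholly inside a bogon: drop
            if bogon.subnet_of(net):
                carved.extend(net.address_exclude(bogon))  # split the block around it
            else:
                carved.append(net)                         # disjoint: keep as is
        remaining = carved
    # Merge adjacent blocks so the table is as short as possible.
    return sorted(ipaddress.collapse_addresses(remaining))


def is_routable(address, prefixes):
    """True if address falls inside one of the computed prefixes."""
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in prefixes)


def partition_ok(prefixes, bogons):
    """Sanity check: prefixes and bogons are disjoint and together cover all of IPv4."""
    nets = list(prefixes) + [ipaddress.ip_network(b) for b in bogons]
    total = sum(n.num_addresses for n in nets)
    disjoint = all(not a.overlaps(b)
                   for i, a in enumerate(nets) for b in nets[i + 1:])
    return total == 2 ** 32 and disjoint


def render_pf_table(name, prefixes):
    """Render prefixes as a multi-line pf.conf table definition."""
    lines = [f"table <{name}> {{"]
    lines += [f"    {net.with_prefixlen}" for net in prefixes]
    lines.append("}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    prefixes = routable_prefixes(BOGONS)
    assert partition_ok(prefixes, BOGONS)
    print(render_pf_table("routable", prefixes))
```

The rendered table can be pasted into pf.conf and used as `to <routable>` in a pass rule; rerun the script whenever the bogon list changes.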



pf table for all publicly routable ipv4 addresses

2020-05-04 Thread Marko Cupać

Hi,

I'd like to create pf table "all publicly routable ipv4 addresses". Is 
this possible with some short syntax?


Thank you in advance.

--
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



bad AGGREGATOR, AS 0 not allowed

2020-04-29 Thread Marko Cupać

Hi,

on 6.6-RELEASE amd64, (sys)patched up to 019_smtpd_exec, I am noticing 
these:


Apr 29 17:23:33 bgp1 bgpd[42338]: neighbor IP.ADD.RE.SS (desc): bad 
AGGREGATOR, AS 0 not allowed, attribute discarded


My bgpd.conf is almost default, announcing my AS to two upstream peers.

I wrote to my peer, they said they are not sending me AS 0, and to clear 
my session.


After 'bgpctl neighbor desc clear' I'm still getting these messages.

Is this related to:
[https://marc.info/?l=openbsd-tech=156510627921885=2]

Can I safely disregard this, and wait for next release for these 
messages to disappear?


Thank you in advance,

--
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: iked and rdomain

2020-04-21 Thread Marko Cupać

On 2020-04-17 14:37, Florian Weber wrote:

Good afternoon,

is it possible to have only traffic which is routed through a specific
rdomain being encryped, i.e. have an enc interface in another rdomain
and only the whole traffic that runs in that rdomain gets encryped?


I have just recently implemented something which seems similar to what you 
need, albeit with isakmpd, not iked.

Perhaps my hostname.if will give some hints:

me@somebox:~ $ doas cat /etc/hostname.em1
rdomain 1
inet 192.0.2.2 255.255.255.252 NONE \
  description "ISP"
!/sbin/route -T1 -n add default 192.0.2.1
!/sbin/route -T1 exec /sbin/isakmpd -K -c /etc/isakmpd/isakmpd.conf.1
!/sbin/route -T1 exec /sbin/ipsecctl -f /etc/ipsec.conf.1
!/sbin/route -T1 exec /usr/sbin/sshd -4 -f /etc/ssh/sshd_config.1

And yes, you will need enc1 for rdomain 1:

me@somebox:~ $ doas cat /etc/hostname.enc1
rdomain 1 up

Feel free to ask for more details (there's more to this setup, namely a gre 
tunnel protected with transport-mode ipsec, OSPF etc.).

Hope this helps,
--
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: npppd pptp hangs

2020-04-04 Thread Marko Cupać

On 2020-03-31 10:07, Marko Cupać wrote:

On Mon, 30 Mar 2020 14:33:46 +0300
Vitaliy Makkoveev  wrote:


On Mon, Mar 30, 2020 at 02:28:08PM +0300, Vitaliy Makkoveev wrote:
> You have pipex(4) disabled. Does it still hang with pipex(4)
> disabled? As I discovered
> (https://marc.info/?t=15852997681=1=2), npppd with pipex(4)
> enabled and a non-NULL "idle-timeout" option will crash the kernel. You
> can disable this option in your npppd.conf and re-enable pipex(4).
> Looks like the crashes should be gone.
And don't use pppac(4) with pipex enabled, use pppx(4). The crash you
reported https://marc.info/?t=15850622592=1=2 applies to
pppac(4).



Thanks for the instruction.

I have:
 - left net.pipex.enable=1
 - replaced tun1 with pppx0 in npppd.conf
 - removed 'pipex no' from npppd.conf

So far so good, I'll send update if I experience further hangs.


No crash since changing interface from tun to pppx.

Thanx!

--
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: npppd pptp hangs

2020-03-31 Thread Marko Cupać
On Mon, 30 Mar 2020 14:33:46 +0300
Vitaliy Makkoveev  wrote:

> On Mon, Mar 30, 2020 at 02:28:08PM +0300, Vitaliy Makkoveev wrote:
> > You have pipex(4) disabled. Does it still hang with pipex(4)
> > disabled? As I discovered
> > (https://marc.info/?t=15852997681=1=2), npppd with pipex(4)
> > enabled and a non-NULL "idle-timeout" option will crash the kernel. You
> > can disable this option in your npppd.conf and re-enable pipex(4).
> > Looks like the crashes should be gone.
> And don't use pppac(4) with pipex enabled, use pppx(4). The crash you
> reported https://marc.info/?t=15850622592=1=2 applies to
> pppac(4).
> 

Thanks for the instruction.

I have:
 - left net.pipex.enable=1
 - replaced tun1 with pppx0 in npppd.conf
 - removed 'pipex no' from npppd.conf

So far so good, I'll send update if I experience further hangs.

The instruction on pppx(4) you gave me came as surprising news to me. I
have been using npppd since it still had undocumented 'old style'
config. Once npppd.conf got its manpage (was it 5.3?) I've set up tun1
as PPTP interface and it worked great with up to ~20 clients all these
years. I was very satisfied that all PPTP traffic went through single
interface (as opposed to my previous setup with poptop which created
separate tun interface for each session), as I had the ability to graph
its traffic from SNMP data.

I guess I was 'holding it wrong' all this time, and yet it worked well
:)

Thank you once again.

-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: npppd pptp hangs

2020-03-30 Thread Marko Cupać
On Sat, 28 Mar 2020 01:46:41 +0300
Vitaliy Makkoveev  wrote:

> Can you try latest snapshot?

Unfortunately, the box that runs npppd is the most important machine on
my network (GRE/IPsec hub for multiple branch offices), I can't take the
risk.

> Can you share your npppd.conf?

Below, I have redacted sensitive information. Perhaps it is worth
mentioning that npppd listens on IP address of CARP interface.

---npppd.conf.start---
# GLOBAL
set max-session 200
set user-max-session 1

# TUNNEL
tunnel EXAMPLEORG protocol pptp {
listen on IP.ADD.RE.SS
pptp-hostname vpn.example.org
pptp-vendor-name "openbsd-npppd"
ingress-filter yes
pipex no
mppe required
mppe-key-length 128
mppe-key-state stateless
idle-timeout 1800
}

# IPCP
ipcp KAPPASTAR {
pool-address "IP.ADD.RE.SS/24"
dns-servers IP.ADD.RE.SS
allow-user-selected-address no
}

# INTERFACE
interface tun1 address IP.ADD.RE.SS ipcp EXAMPLEORG

# AUTHENTICATION
authentication RADIUS type radius {
strip-nt-domain yes
strip-atmark-realm yes
authentication-server {
address IP.ADD.RE.SS secret "ThisIsNotRealPassword"
}
accounting-server {
address IP.ADD.RE.SS secret "ThisIsNotRealPassword"
}
}

bind tunnel from EXAMPLEORG authenticated by RADIUS to tun1
---npppd.conf.end---

Thank you in advance for looking into it.
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: npppd pptp hangs

2020-03-24 Thread Marko Cupać
On Tue, 24 Mar 2020 09:34:09 +0100
Marko Cupać  wrote:

> On Tue, 24 Mar 2020 07:13:27 +1000
> Stuart Longland  wrote:
> 
> > On 23/3/20 10:26 pm, Marko Cupać wrote:
> > > Anything I can do to avoid future hangs?

I got another hang, this time killing the npppd process crashed the whole OS
(sorry for the photo, I don't have a serial console set up):

https://oblak.mimar.rs/index.php/s/Cc9J745jH93RK6j

At the time when npppd wouldn't accept new connections and npppctl
wouldn't return anything, but before the crash, I noticed high CPU usage
in top:

45125 _ppp  640 3128K 6340K onproc/3  -39:05 99.85% npppd

Perhaps bugs@ would be a more appropriate list?

-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: npppd pptp hangs

2020-03-24 Thread Marko Cupać
On Tue, 24 Mar 2020 07:13:27 +1000
Stuart Longland  wrote:

> On 23/3/20 10:26 pm, Marko Cupać wrote:
> > Anything I can do to avoid future hangs?
> 
> Whilst probably not the answer you're looking for: moving away from
> PPTP would be a good start.
> 
> The MSCHAPv2 authentication used in PPTP is vulnerable to dictionary
> attacks and the RC4 cipher used in MPPE (the security layer of PPTP)
> is laughably weak in today's security context.  Whilst MSCHAPv2 can be
> replaced with EAP-TLS, there's no fix for MPPE.
> 
> IPSec (which is built into OpenBSD) or OpenVPN (in ports) would be
> vastly superior options.

Indeed, I am also waiting for the day when I'll be able to point iked
to Microsoft's implementation of a RADIUS server (NPS), which will
authenticate Active Directory domain-joined machines by their machine
certificate and hopefully with additional domain user password for 2FA,
authorise them by Active Directory group membership, and log their
accounting in format which can be easily parsed and converted into
human-readable statistics with currently available parsers.

Uh, that sounded like I'm some kind of Microsoft fanboy, but I'm not. I
just have to provide hundreds of Windows users a way to access resources
on a corporate network in order to keep my bills paid. npppd's pptp
helps me brilliantly (anyone remember poptop? that was hell :)

Anyway, I use IPSec extensively to connect branch office routers, both
in tunnel mode for passive clients with dynamic IPs, and in transport
mode for protecting GRE tunnels (OSPF). Lately I'm adding multipath
redundancy over multiple ISPs using rdomains. OpenVPN also has a place
on my network. OpenBSD is a miracle :)

Pardon my blatant self-promotion on link below, but I think it's a
win-win situation - I get eternal fame and glory on the Internet, and
list readers get copy/paste howto set up npppd pptp server with RADIUS
authentication. Could come handy in this "end of days" situation where
everyone works remotely :D

https://www.mimar.rs/blog/how-to-set-up-pptp-vpn-server-with-openbsd-and-npppd

Best regards,

-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



npppd pptp hangs

2020-03-23 Thread Marko Cupać
Hi,

my npppd pptp server has recently seen an increase from ~20 to >200
concurrent users. It has worked flawlessly for years, but a few
minutes ago it became unresponsive.

It stopped logging at one point (I have the log redirected to its own file,
/var/log/npppd). npppctl also hung, returning nothing. I couldn't
restart it with rcctl, or kill it with HUP. I had to resort to `kill
-9', and it started fine afterwards.

It appears that already established sessions worked, but with poor
performance.

I have lots of these in the log (I saw them earlier as well but they
weren't causing problems AFAIK):

Mar 23 12:03:26 nat1 /bsd: pipex: ppp=1869 iface=tun1 protocol=PPTP id=45012 Received bad data packet: out of sequence: seq=1266880(1266946-1267010) ack=1915237(1915368-1915471)
Mar 23 12:03:26 nat1 /bsd: pipex: ppp=1869 iface=tun1 protocol=PPTP id=45012 Received bad data packet: out of sequence: seq=1266881(1266946-1267010) ack=1915239(1915368-1915472)
Mar 23 12:03:26 nat1 /bsd: pipex: ppp=1869 iface=tun1 protocol=PPTP id=45012 Workaround the out-of-sequence PPP framing problem: 1215 => 1151
Mar 23 12:06:59 nat1 /bsd: pipex: ppp=1847 iface=tun1 protocol=PPTP id=45439 received packet caused window overflow. seq=218469(218273-218337)may lost 196 packets.

Also, at the time before killing it there's:

Mar 23 13:13:37 nat1 /bsd: splassert: pipex_destroy_session: want 2 have 0
Mar 23 13:13:37 nat1 last message repeated 95 times


Anything I can do to avoid future hangs?

Thank you in advance,

-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
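
As an added example (not from the thread or from OpenBSD), the pipex(4) messages quoted in the report above can be triaged per PPP session so that a hang can be correlated with sessions that were already misbehaving. The script below parses constructed sample lines in the same format, counts out-of-sequence, framing-workaround and window-overflow events and lost packets per session, folds in syslog's "last message repeated N times" lines, and flags sessions over a threshold; the thresholds and the event names are this example's own choices.

```python
"""Triage pipex(4) kernel log lines from an npppd PPTP concentrator.

Added example, not from the thread or from OpenBSD: count the
out-of-sequence, framing-workaround and window-overflow events that
pipex logs per PPP session, plus splassert messages, so a hang can be
correlated with sessions that were already misbehaving.
"""
import re
from collections import defaultdict

# Constructed sample log in the same format as the report's excerpt.
SAMPLE_LOG = """\
Mar 23 12:03:26 nat1 /bsd: pipex: ppp=1869 iface=tun1 protocol=PPTP id=45012 Received bad data packet: out of sequence: seq=1266880(1266946-1267010) ack=1915237(1915368-1915471)
Mar 23 12:03:26 nat1 /bsd: pipex: ppp=1869 iface=tun1 protocol=PPTP id=45012 Received bad data packet: out of sequence: seq=1266881(1266946-1267010) ack=1915239(1915368-1915472)
Mar 23 12:03:26 nat1 /bsd: pipex: ppp=1869 iface=tun1 protocol=PPTP id=45012 Workaround the out-of-sequence PPP framing problem: 1215 => 1151
Mar 23 12:06:59 nat1 /bsd: pipex: ppp=1847 iface=tun1 protocol=PPTP id=45439 received packet caused window overflow. seq=218469(218273-218337)may lost 196 packets.
Mar 23 13:13:37 nat1 /bsd: splassert: pipex_destroy_session: want 2 have 0
Mar 23 13:13:37 nat1 last message repeated 95 times
"""

PIPEX_RE = re.compile(
    r"pipex: ppp=(?P<ppp>\d+) iface=(?P<iface>\S+) protocol=(?P<proto>\S+) "
    r"id=(?P<id>\d+) (?P<msg>.*)$")
LOST_RE = re.compile(r"may lost (\d+) packets")
SPLASSERT_RE = re.compile(r"splassert: (?P<func>\w+): want (\d+) have (\d+)")
REPEAT_RE = re.compile(r"last message repeated (\d+) times")

# Event names are this example's own labels for the pipex message kinds.
EVENTS = ("out_of_sequence", "framing_workaround", "window_overflow", "other")


def classify(msg):
    """Map the free-text part of a pipex line to a short event name."""
    if "Workaround the out-of-sequence" in msg:
        return "framing_workaround"
    if "out of sequence" in msg:
        return "out_of_sequence"
    if "window overflow" in msg:
        return "window_overflow"
    return "other"


def _new_session():
    counters = {name: 0 for name in EVENTS}
    counters.update(iface=None, lost_packets=0)
    return counters


def summarize(log_text):
    """Per-session event counters and splassert counts for a log excerpt."""
    sessions = defaultdict(_new_session)
    splasserts = defaultdict(int)
    bump_last = None  # re-applies the previous line's counters for "repeated N times"
    for line in log_text.splitlines():
        m = PIPEX_RE.search(line)
        if m:
            sess = sessions[m["ppp"]]
            sess["iface"] = m["iface"]
            event = classify(m["msg"])
            lost_m = LOST_RE.search(m["msg"])
            lost = int(lost_m.group(1)) if lost_m else 0

            def bump(n, sess=sess, event=event, lost=lost):
                sess[event] += n
                sess["lost_packets"] += n * lost
            bump(1)
            bump_last = bump
            continue
        m = SPLASSERT_RE.search(line)
        if m:
            func = m["func"]

            def bump(n, func=func):
                splasserts[func] += n
            bump(1)
            bump_last = bump
            continue
        m = REPEAT_RE.search(line)
        if m and bump_last is not None:
            # syslogd collapsed identical repeats of the previous line
            bump_last(int(m.group(1)))
    return {"sessions": dict(sessions), "splasserts": dict(splasserts)}


def noisy_sessions(summary, max_events=1, max_lost=0):
    """ppp ids whose error events or lost-packet total exceed the thresholds."""
    flagged = []
    for ppp, sess in summary["sessions"].items():
        events = sum(sess[name] for name in EVENTS if name != "other")
        if events > max_events or sess["lost_packets"] > max_lost:
            flagged.append(ppp)
    return sorted(flagged)


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for ppp in noisy_sessions(report):
        print(ppp, report["sessions"][ppp])
    print("splasserts:", report["splasserts"])
```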



Re: routing with DMZ between internal and external firewall

2020-03-16 Thread Marko Cupać
On Mon, 16 Mar 2020 09:49:30 +0100
pebwindkraft  wrote:

> Hi,
> 
> I have a question concerning static routes and default gateways for a 
> DMZ setup, with internal and external firewall.
> ...
> What would be the correct design?
> Can I use "only" the ext_fw with a static route, so that packages
> from DNS would travel twice through DMZ net (from DNS to ext_fw, and
> then from ext_fw via int_fw back to int_pc)?
> 
> The information I found on misc@ and internet is usually talking
> about "home router" with NAT and three network cards, where one leg
> supplies the DMZ... Mine is different, and I think I do not need NAT
> here?

Hi,

I have a similar setup. Being on public IP space, I treat my DMZ as
"Internet", meaning private IP addresses, either from the Internet or
from the internal network, must not be able to contact it.

So, I NAT everything from the internal network to the DMZ, which results in DNS
& http seeing requests from em1, and not from the internal network.

Should you need more information don't hesitate to ask.

Regards,

-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: no pcap file from isakmpd in OBSD6.6

2020-02-06 Thread Marko Cupać

Christoph Leser  wrote:


Hi,

after upgrading openbsd6.5 to openbsd6.6 using sysupgrade isakmpd 
no longer writes pcap files in /var/run.


In /var/log/messages we see the following message:

isakmpd[7385]: log_packet_init: fopen ("/var/run/isakmpd.pcap", "w") 
failed: Permission denied


On 2019-12-03 19:30, Theo de Raadt wrote:

m_priv_local_sanitize_path() contains some realpath() checks.

I think this is either exposing realpath() abuse( as a result of the
new in-kernel realpath to support unveil better), or it is hitting the
realpath() bug which was fixed post-release?


I get similar message when trying to report information about SAs to
isakmpd.results through isakmpd.fifo on 6.6.

echo "S" > /var/run/isakmpd.fifo

...(as root) doesn't return anything, doesn't create results file, and
gives error message in log:

Feb  6 21:20:16 kerber isakmpd[36105]: ui_open_result: fopen() failed: 
Permission denied


If someone knows about some workaround for obtaining isakmpd.results
on 6.6 I'd be very grateful (or at least binary patch :D )

--
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



ipsec pf queuing weirdness

2019-09-20 Thread Marko Cupać
Hi,

while trying to implement queuing by service inside an ipsec tunnel, by
tagging traffic first (both in ipsec.conf or on enc0 in pf.conf) and then
setting the queue by tag on the outbound physical interface, I noticed that all
traffic ends up in the same queue - the first one which starts queuing (not the
default one).

Anyone interested looking deeper into it? At this point I'm starting
to suspect it could be a bug, or at least undocumented caveat. I'll
reply with much more information if someone responds :)

Thank you in advance,

-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



how to update remote bind zone from pppoe client?

2019-07-05 Thread Marko Cupać
Hi,

I have a bunch of branch offices whose gateways (OpenBSD on APU) connect
to 'net via PPPoE and obtain their dynamic public IP addresses from
ISPs. Is there a way for them to update remote bind zone every time IP
changes so I have their current public IP in DNS?

Thank you in advance,
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: Filesystem corruption on OpenBSD routers after power outage?

2019-06-06 Thread Marko Cupać
On Tue, 04 Jun 2019 19:30:08 +
Mogens Jensen  wrote:

> Can anyone with experience running OpenBSD routers without UPS, tell
> if filesystem corruption is going to be a problem after power
> outages, or if there are any officially supported ways to make the
> system resilient enough to not break after a power outage?

I have described my !!!UNSUPPORTED!!! setup !!!WARNING, BLATANT
SELF-PROMOTION!!! here:

https://www.mimar.rs/blog/how-to-increase-openbsds-resilience-to-power-outages

So far I have two 6.5's on PCengine's apu2d4 (~20 6.2-6.4's). The only
"problem" I have since 6.4 is that I have to mount / rw when tcpdumping
because unveil does not like ro /etc.

HTH,
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: OpenBSD with root FS mounted read only

2018-11-20 Thread Marko Cupać
Hi,

I'm a little late to the party, missed this for me very important topic.

On Thu, 15 Nov 2018 15:26:03 +0100
jean-yves boisiaud  wrote:

> Now, OpenBSD needs root FS mounted RW. And, from 6.4, even if fstab
> says root fs to be mounted RO, it stays RW and it is not possible to
> remount it RO manually. And lsof has been retired...

You can still mount rootfs RO. The trick is not to specify it as RO in
fstab, but to create script in rc.conf.local which will periodically
check if reorder_kernel script has finished its job, and only then
remount partitions RO.

More details on my [WARNING!BLATANT-SELF-PROMOTION-BELOW!] blog:
[https://www.mimar.rs/blog/how-to-increase-openbsds-resilience-to-power-outages]

BUT, as I wrote there, there are problems with above setup on 6.4. I
noticed tcpdump won't work when /etc is mounted RO. There is already
patch available for testing, but I haven't yet found the time to get
to it:
[https://marc.info/?l=openbsd-bugs=154056998503006=2]

I have an information that even if this patch was accepted, it won't be
released as syspatch for 6.4, as it is not security-related.

I am reluctant to install RO 6.4 on my production firewalls because I
don't know if tcpdump is the only thing affected by unveil bug, or
there are also other components of the system that will behave badly
because of RO file systems.

Finally, RO rootfs is unsupported by OpenBSD, but I sincerely hope devs
will consider the fact that some users depend on it, and try not to
break it completely down the road.

Regards,
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



bgp match to $neighbor set nexthop $carp_ip on 6.4

2018-10-22 Thread Marko Cupać
Hi,

I am struggling to announce nexthop to my bgp peers after default
ruleset change in 6.4's bgpd.conf.

On 6.3, I used to have:

match to $ISP1 set nexthop $CARP_TO_ISP1
match to $ISP2 set nexthop $CARP_TO_ISP2
deny from ebgp
deny to ebgp
allow to   { $ISP1 $ISP2 }
allow from ibgp
allow to ibgp
(...defaults...)


I like the idea of having my simple ruleset done with minimal override
to defaults. Moreover, I see that slapping above ruleset to 6.4 does
not work the same as on 6.3 (I think I'm sending garbage upstream).

Any good soul out there to tell me what to put above:

### for simple BGP setups, no editing below this line is required ###

...in order to set nexthop per upstream neighbor, if possible?

Thank you in advance,
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



mgre questions

2018-10-16 Thread Marko Cupać
Hi,

I'm trying to test mgre on 6.3, but without luck. There isn't much on
it in the gre and ifconfig manpages, I am mostly trying out the configuration
as stated here:

[http://openbsd-archive.7691.n7.nabble.com/mgre-4-point-to-multipoint-gre-tunnels-td337655.html]

...except I found out mgre tunnel is specified with 'tunneladdr' and
not 'tunnel', and inet is specified with netmask (/24 in my case).

Are there some more texts on mgre on OpenBSD? Can they be terminated on
CARP and pppoe interfaces?

Right now I am trying to create mgre on CARP interface on one side and
pppoe interface on the other side, I just can't make it work, and I
don't see anything blocked in pf. Standard gre works fine.

Any advice?

Thank you in advance,
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: carppeer question

2018-10-15 Thread Marko Cupać
On Fri, 12 Oct 2018 17:31:41 +0200
Marko Cupać  wrote:

> On Fri, 12 Oct 2018 11:56:28 +0200
> Marko Cupać  wrote:
> 
> > After introducing carppeer option I see incoming traffic on physical
> > interfaces of both MASTER and BACKUP firewalls, as opposed to the
> > situation without carppeer option, where I see incoming traffic on
> > physical interface of MASTER only.  
> 
> 
> I am aware this is quite complex issue, presumably not related to
> OpenBSD itself but maybe to the switch (ATGS900MX). Still, I'd be very
> thankful for any advice on the matter.

The issue was apparently caused by default spanning-tree configuration
of the switch. Once I've configured switch ports as "edgeports", by
means of 'spanning-tree portfast', mac address table on switch updates
instantly.

Thanks to everyone for standing by while I was figuring this out :)
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: carppeer question

2018-10-12 Thread Marko Cupać
On Fri, 12 Oct 2018 11:56:28 +0200
Marko Cupać  wrote:

> After introducing carppeer option I see incoming traffic on physical
> interfaces of both MASTER and BACKUP firewalls, as opposed to the
> situation without carppeer option, where I see incoming traffic on
> physical interface of MASTER only.

I hope I'm making some progress. I have set static non-multicast lladdr
to my CARP interfaces (I have 3 of them - to ISP1, to ISP2 and to
DMZ) for starters. I am also monitoring mac address table on a switch
which connects my firewalls to above networks.

Failing over with carpdemote results in clean failover, and switch mac
address table shows both physical and CARP lladdrs on ports that
connect to current MASTER, and only physical lladdrs on ports that
connect to current BACKUP.

However, rebooting BACKUP results (in my opinion) in strange situation,
where switch's mac address table shows only MASTER's physical lladdrs,
while CARP lladdrs go missing. When BACKUP comes back, lladdr of one of
three CARP interfaces of MASTER appear immediately in switch's mac
address table (DMZ), while the other two don't - respective switch
ports show only physical lladdrs. Then, after a few minutes, another
CARP lladdr shows up in switch's mac address table (ISP1), but
the third one (ISP2) continues to show physical lladdr only, which
results in incoming traffic on physical interfaces that connect to
ISP2 of both CARP members.

The situation seems to be self healing when designated BACKUP
(higher advskew) takes the role of MASTER by increasing carpdemote on
designated MASTER (lower advskew), and designated MASTER (currently
BACKUP) reboots, at the moment when designated MASTER takes over MASTER
role.

But when designated BACKUP gets restarted, switching roles does not
happen, MASTER stays MASTER, and switch's mac address table never
updates port with CARP lladdr for ISP2.

I am aware this is quite complex issue, presumably not related to
OpenBSD itself but maybe to the switch (ATGS900MX). Still, I'd be very
thankful for any advice on the matter.

Regards,
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



carppeer question

2018-10-12 Thread Marko Cupać
Hi,

I have changed my CARP failover setup from default multicast to unicast
by introducing carppeer config option. Physical interfaces share /29
subnet with upstream ISP, and IP addressing is as follows:

ISP: XX.XXX.XXX.121/29
FW1: XX.XXX.XXX.122/29
FW2: XX.XXX.XXX.123/29
FW_CARP: XX.XXX.XXX.124/29

I am announcing my AS to ISP via BGP from both FW1 and FW2, using match
rules to set $FW_CARP as nexthop address:

match to $ISP set nexthop $FW_CARP

After introducing carppeer option I see incoming traffic on physical
interfaces of both MASTER and BACKUP firewalls, as opposed to the
situation without carppeer option, where I see incoming traffic on
physical interface of MASTER only.

Here's hostname.carp3 of both firewalls:

FW2 (MASTER):
inet XX.XXX.XXX.124 255.255.255.248 NONE \
  description ISP-CARP \
  advskew 0 \
  carpdev bge3 \
  carppeer XX.XX.XXX.122 \
  pass -OfCourseIChangedThis \
  vhid 3

FW1 (BACKUP):
inet XX.XXX.XXX.124 255.255.255.248 NONE \
  description ISP-CARP \
  advskew 100 \
  carpdev em1 \
  carppeer XX.XXX.XXX.123 \
  pass -OfCourseIChangedThis \
  vhid 3

Is this the intended behaviour? Or am I doing something wrong?

By the way, I am moving to unicast CARP primarily because I heard that
OSPF sessions in GRE tunnels that terminate on unicast CARP interfaces
survive failovers, as opposed to my tests with default multicast CARP
where OSPF gets confused after failover. I couldn't find much info on
this, and I would be thankful if someone pointed me where to look or
share their experiences.

Thank you in advance,

-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: Running your own mail server

2018-09-18 Thread Marko Cupać
On Tue, 18 Sep 2018 10:32:25 +0100
Kevin Chadwick  wrote:

> I see clamav and other scanning stuff as an insecurity personally.

Can you elaborate, please?
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: alien OSPF route

2018-09-14 Thread Marko Cupać
On Fri, 14 Sep 2018 15:27:30 +0200
Remi Locherer  wrote:

> Did you save the console output and daemon log from the restart?
> Can you share it?

I restarted ospfd again with rcctl, console output gives just usual:

ospfd(ok)
ospfd(ok)

The second one waiting a bit more than I remember it used to.

Here's ospfd-related stuff from daemon log:

Sep 14 15:40:58 nat1 ospfd[34802]: route decision engine exiting
Sep 14 15:40:58 nat1 ospfd[73845]: ospf engine exiting
Sep 14 15:40:58 nat1 ospfd[2242]: kernel routing table decoupled
Sep 14 15:40:58 nat1 ospfd[2242]: terminating
Sep 14 15:40:58 nat1 ospfd[55815]: startup
Sep 14 15:40:58 nat1 ospfd[55815]: alien OSPF route 10.30.1.45/32
Sep 14 15:40:58 nat1 ospfd[55815]: alien OSPF route 10.30.1.56/32
Sep 14 15:40:58 nat1 ospfd[55815]: alien OSPF route 10.30.6.81/32
Sep 14 15:40:58 nat1 ospfd[55815]: alien OSPF route 10.30.19.42/32

The first three alien routes are on an openbsd router two hops away; the last
one is my laptop, which is one hop away.

Could it be these are routes installed when someone connects through
ssh? I am connected through ssh, and it is possible that my colleague
also connected through ssh from 10.30.1.X and 10.30.6.X addresses.

> If I were in charge of running this network I would want to know
> where these alien routes come from. But I think it did not affect
> your network badly since you did not mention an outage. ;-)

My point exactly :) If you have any idea where to start looking I'd be
grateful for any tips.

Thank you for helping me with this.
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



network architecture question

2018-09-14 Thread Marko Cupać
Hi,

for years I have been using a setup with two firewalls: an "outer" one -
FW1-BGP - connecting to upstream ISPs and talking BGP to them regarding
my DMZ, and an "inner" one - FW2-NAT - doing NAT for my LAN.

ISP1   ISP2
   \   /
  [FW1-BGP]
      |
    (DMZ)
      |
  [FW2-NAT]
      |
    (LAN)

(Actually, it's more complicated due to each of the firewalls having
their CARP twin, but that shouldn't matter for my questions).

I'm considering moving to a setup with just one firewall (ok, two,
because of CARP, but once again it should not matter), which would connect
to upstream ISPs, DMZ and LAN.

ISP1   ISP2
   \   /
  [FW1-ALL]
   /     \
(DMZ)   (LAN)

Any success / failure stories from admins who already went through
this? Any pitfalls I should avoid?

My main concern is the fact that in the previous setup I could set up IP
aliases on the DMZ interface of my NAT server, and redirect requests to
them to LAN hosts. This way I could switch ISPs and still access my LAN
hosts (via redirection) through the same DMZ IP addresses.

Will I still be able to do this in a single-firewall setup? I guess this
won't work:

pass in on $ext_if inet proto tcp from any to $dmz_ipaddr \
  rdr-to $lan_ipaddr

...assuming I am also doing NAT on $ext_if:

match out on $ext_if inet from any to any received-on $if_int \
  nat-to $ext_if

If I'm correct that the above won't work, is there a chance to achieve
the same goal by means of an nc proxy? Or some other way? Any other things
I should be aware of?

Or should I just continue with my current two-firewall setup?

Thank you in advance,
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: alien OSPF route

2018-09-14 Thread Marko Cupać
On Thu, 13 Sep 2018 21:13:11 +0200
Remi Locherer  wrote:

> On Thu, Sep 13, 2018 at 05:21:37PM +0200, Marko Cupać wrote:
> > Hi,
> > 
> > I saw this in my log for the first time, after adding 'no
> > redistribute default':
> > 
> > ospfd[10921]: alien OSPF route 10.30.1.47/32
>
> 
> ospfd logs this message when it sees a routing entry with priority 32
> which it did not originate.

Thank you for the clarification, Remi. Indeed, this firewall gets a
default route with priority 32 from a downstream cisco router, which
is visible in the routing table:

Internet:
Destination   Gateway          Flags   Refs         Use   Mtu  Prio Iface
default       193.53.106.254   UGS     1187 10456064776     -     8 bnx1
default       192.168.225.6    UG         0           0     -    32 carp1


> When you see this during the start of ospfd it could be from another
> ospfd running in the same rdomain. I had this when I wanted to do a
> config check but missed the option "-n" and started a second instance.
> There is now a check for this in the startup of ospfd in -current.

Those addresses reported as alien routes are on a subnet which is
connected to another openbsd box, something like this:

openbsd---cisco---openbsd

All three boxes talk OSPF. But on the remote openbsd box which
probably reports those routes, the vlan interfaces for these subnets are
set as passive, so they shouldn't get any updates even if someone ran
OSPF on their phone.

> You will also see this message when you add a static route with the
> "-priority 32". ospfd removes such routes after logging it.
> 
> What did you do after adding "no redistribute default" to the config
> file? Restart with rcctl, reload with ospfctl?

Restart with rcctl.

> And why did you add "no redistribute default"? By default your default
> route is not redistributed.

I thought this firewall's carp partner-to-be was getting its default route
from it, but it doesn't - it gets it from the downstream cisco router.

I don't see any negative effects on my network, just curious if I
should be worried :)

Regards,
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



alien OSPF route

2018-09-13 Thread Marko Cupać
Hi,

I saw this in my log for the first time, after adding 'no redistribute
default':

ospfd[10921]: alien OSPF route 10.30.1.47/32

My ospfd.conf is quite minimal:

router-priority 0
router-id IP.ADD.RE.SS
no redistribute default
area 0.0.0.0 {
interface bnx0   { metric 100 }
}

How can I investigate this further? I see this on an OpenBSD firewall which
connects to a Cisco router. The address appears to be a smartphone on one
of the remote networks.

Thank you in advance,
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: The Ultimate OpenBSD Media Server

2018-08-15 Thread Marko Cupać
On 2018-08-12, John Long  wrote:
> I don't get why anybody would want transcoding in 2018.  

>> On Sun, 12 Aug 2018 08:42:41 + (UTC)
>> Stuart Henderson  wrote:
>> They don't usually *want* transcoding but are forced to do it by
>> poor codec support on client devices.

Actually I *want* the possibility of transcoding, mostly because lately
I have the luxury of actively listening to music only during my daily
commute (public transit + park walking), on a smartphone with in-ear
headphones. In this environment I don't hear much difference between
original 320kbps and transcoded 64kbps mp3s. I am fortunate enough to
have an unlimited mobile data plan, but I frequently pass dead spots
and zones with EDGE transfer speeds, which is another reason. Or not,
because I can turn on pre-fetch and caching, but still. Having a choice
is good, isn't it?
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: The Ultimate OpenBSD Media Server

2018-08-15 Thread Marko Cupać
On Sat, 11 Aug 2018 21:55:15 -0700
Jordan Geoghegan  wrote:

> ...'Serviio'...

Thank you for the tip. I have tried dozens of these but not Serviio. I
have currently settled on subsonic's fork called airsonic which runs in
tomcat. I run it on FreeBSD at the moment but it should work on OpenBSD
too.

-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: pf - NAT not working after systemboot

2018-07-27 Thread Marko Cupać
On Fri, 27 Jul 2018 12:33:01 +0300
Ville Valkonen  wrote:

> On 26 July 2018 at 13:01, Thomas Huber  wrote:
> > Hi misc,
> >
> > my current pf setup works fine but I face the problem that NAT
> > does not work directly after system boot. Only when I do a
> >
> > # pfctl -f /etc/pf.conf
> >
> > after booting are things working correctly.
> > Note: I don't make any changes to pf.conf.
>
> as Solene mentioned, it's because the interface is not ready.
> 
> Maybe something like this (adapted from iked.conf manual page):
> all rules that have pppoe mentioned, append (if-bound).

I have been using pf with pppoe for more than a decade on dozens of boxes and
never ran into a problem with NAT not working. With some crappy providers
it is not unusual to wait 10 minutes after a reboot for pppoe to
negotiate and get an IP address. Also, sometimes the pppoe link goes down and
doesn't come back for hours. None of this requires reloading the pf rules;
it just waits until pppoe reconnects, the box usually gets a different public
IP address, and after that it NATs to the new address.

Am I missing something?
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: Status of Owncloud?

2018-07-23 Thread Marko Cupać
On Sun, 22 Jul 2018 16:25:35 -0400
Rupert Gallagher  wrote:

> Nextcloud, a government-funded project to keep your data secure...
> Hold on to your buts, here it comes.

So,

National governments = bad

I guess as opposed to

Multinational corporations = good

Got it, thanks. 

:D

On a more serious note, I switched to Nextcloud the day it was forked
and never looked back at Owncloud. On FreeBSD though. It introduced
WebRTC videoconferencing via the spreed app, and also public upload folders;
I like NC more than OC not just because of politics but also because of
features.
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: Employers, Jobs and OpenBSD

2018-07-16 Thread Marko Cupać
On Fri, 13 Jul 2018 23:05:09 -0300
Man Hobby  wrote:

> What is the opinion of employers about OpenBSD?
> Is there a reason to learn to use OpenBSD in order to find a job?
> If not, why?
> If there is no reason to learn to use OpenBSD in order to find a job, why use
> OpenBSD?

There are employers and employers; as for mine, I think their opinion
goes somewhere along the lines of "This is great, both technically and
financially, but I'd like to have more than one local guy who knows
how to run this stuff".

Hack with OpenBSD if you like it, and hopefully one day you will be
able to get some money from it.

Regards,
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: %ÿ4 Coding OS, Vanity gods, LKML/GNU Attiude Problems, Problematic Netelements in general.

2018-07-10 Thread Marko Cupać
On Mon, 9 Jul 2018 16:30:58 +0200
Ywe Cærlyn  wrote:

> Slight retweak, to %ÿ4 Coding OS.
> 
> Having had a bit of feel with the namechange I think I can do even 
> better. Looking at what really needs to be fixed with the internet, 
> starting with Fair Pay, getting rid of poor and thieving GNU, and 
> warezpups in general, LKML/GNU Attitude problems, and problematic 
> netelements in general, slight final finish with retweak to %ÿ4
> coding OS.

Where's ISO? I'd like to give it a spin :D
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: Rewards of Up to $500,000 Offered for OpenBSD Zero-Days (and other dist.)

2018-07-04 Thread Marko Cupać
On Wed, 4 Jul 2018 19:02:56 +0100
Tom Smyth  wrote:

> Hello Marko /Sekeres
> 
> I don't mean to start a flame war as it is counterproductive but I don't
> fully get what you mean / imply by
> 
> >.".. while not requiring from OpenBSD to introduce Code of Conduct"  

I'm just trolling around :)

At the same time I'm a relatively long-time *BSD user, thankful to anyone
and everyone who is making them possible. Especially to OpenBSD, who still
appear to stick to a simple "Don't be an asshole" CoC, as opposed to
some who took a different path, probably partly as a result of
accepting large "generous" "contributions".

As The Smiths sang, "Some BSDs are bigger than the others".

Once again, I'm just trolling around, I hope no one takes my posts on
this topic seriously.
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: Rewards of Up to $500,000 Offered for OpenBSD Zero-Days (and other dist.)

2018-07-04 Thread Marko Cupać
On Wed, 4 Jul 2018 18:06:04 +0200
Reyk Floeter  wrote:

> I hope somebody steps up and donates $500,000 to the OpenBSD
> foundation instead.

... while not requiring OpenBSD to introduce a Code of Conduct

:D

-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: Rewards of Up to $500,000 Offered for OpenBSD Zero-Days (and other dist.)

2018-07-04 Thread Marko Cupać
On Sat, 30 Jun 2018 23:11:15 +0200
"Szekeres Dani"  wrote:

> Rewards of Up to $500,000 Offered for FreeBSD, OpenBSD, NetBSD, Linux
> Zero-Days

Seen this comment on /.

http://dilbert.com/strip/1995-11-13

:D
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



chromium and firefox - myths and facts?

2018-06-11 Thread Marko Cupać
Hi,

over the last few years, I got the impression that the OpenBSD project seems
to favour Chromium over Firefox. For example, in:

https://www.openbsd.org/papers/BeckPledgeUnveilBSDCan2018.pdf

"We know it's right when we can do chrome."
"[...]chrome - the stuff we use frequently"

I don't understand either browser's code. However, the current propaganda
that reaches me goes along the lines of "Firefox is made by a non-profit
organization with users' freedom in mind, while Chromium is made by a
for-profit organization for the purpose of extracting users'
personal information". I trust the OpenBSD project and its users more than
big vendors' pitches, so I'd like to ask:

Is the above untrue? Am I, as a user, more vulnerable to security and
privacy violations using Firefox than Chromium on OpenBSD?

Or is this question off-topic, as OpenBSD cares about the technical
correctness of the code in regard to the overall security of a computer
system, not the outcome of users voluntarily running technically correct
code, even when it compromises their personal security?

Something else?

Thank you in advance,

-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



ProLiant DL380 gen10

2018-05-28 Thread Marko Cupać
Hi,

anyone running OpenBSD on ProLiant DL380 gen10?

I need a box to replace my dying firewall. My employer strongly prefers
HP for (networking) servers due to their presence here in Serbia. The
quality of their support is best described by the fact that they don't
have a demo centre to try it out, while non-faulty hardware can not be
returned. Other vendors are either not present, or have even worse
support. So I have to buy a few thousand worth of "cat in a bag" and cross
my fingers that it will work.

If there are people running OpenBSD on ProLiant DL380 gen 10 or some
other current ProLiant please tell me about your experiences.

Thank you in advance,

-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: Viewport for man.openbsd.org -- readability on phones

2018-05-23 Thread Marko Cupać
On May 2018
Multiple list members wrote:

> I took an iPhone with iOS and Safari (I think!) on it and pointed
> the browser to the current link of man pages [1]. All I can say is the
> layout is displayed on full display, not stretched.
> Text is fine, paragraphs are scaled ok, not even a simple problem.
> Font is fine.

> I tried it on my iPhone 5s and everything looks great!

> I can second that.  It looks perfect on iPhone using Safari.

From the last few posts, I can conclude one should use Safari on an iPhone
for the purpose of reading OpenBSD manpages on a mobile device.

One of the things I like about OpenBSD is the ability to focus on its
goal of trying to be the most secure operating system, not fads.

I am sure OpenBSD will correct their errors in the html/css code, if any,
according to established standards, for the benefit of their users. I
believe OpenBSD won't bend over to fulfill 'embrace, extend,
extinguish'-style expectations of big browser vendors.

Keep up the good work.
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: OpenBSD blocks IPsec traffic

2018-04-18 Thread Marko Cupać
On Wed, 18 Apr 2018 15:45:04 +0200
"C. L. Martinez" <carlopm...@gmail.com> wrote:

> Thanks Marko, but I have found the problem.
> 
> These rules are under anchor sub-group rules ... Moving these rules
> to the top, after "block log all", it is all working ...

I'm glad you made it work.

> Maybe it is a bug with anchor rules?

I couldn't comment on this, I don't write PF code, just rulesets :)

However, before considering the possibility of a bug, I would first
check if the rule order in pf.conf matches the output of `pfctl -vvsr'.
ruleset-optimization is set to "basic" by default (read more in
pf.conf(5)), so the rule order you see in pf.conf is often not the rule
order that you get in pfctl -vvsr.

Happy firewalling,
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: OpenBSD blocks IPsec traffic

2018-04-18 Thread Marko Cupać
On Wed, 18 Apr 2018 15:01:24 +0200
"C. L. Martinez" <carlopm...@gmail.com> wrote:

> Hi all,
> 
>  I am trying to configure an ipsec tunnel (host-to-host) between two
> hosts that go through an openbsd firewall. Tunnel is established, but
> when I try to, for example, connect via ssh from one host to the
> other, pf blocks traffic:
> 
> Apr 18 12:53:00.286351 rule 24/(match) [uid 0, pid 19127] block out on
> vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 1 len 100 (DF)
> [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
> Apr 18 12:53:02.292330 rule 24/(match) [uid 0, pid 19127] block out on
> vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 2 len 100 (DF)
> [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
> Apr 18 12:53:06.300396 rule 24/(match) [uid 0, pid 19127] block out on
> vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 3 len 100 (DF)
> [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
> Apr 18 12:53:14.324382 rule 24/(match) [uid 0, pid 19127] block out on
> vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 4 len 100 (DF)
> [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
> Apr 18 12:53:30.356437 rule 24/(match) [uid 0, pid 19127] block out on
> vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 5 len 100 (DF)
> [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
> 
>  To do some tests, I have configured the following rules:
> 
> pass in inet from 172.22.55.2 to 172.22.59.6 flags S/SA keep state
> (if-bound)
> pass in inet from 172.22.59.6 to 172.22.55.2 flags S/SA keep state
> (if-bound)
> 
> Any idea?

Hard to say without the complete ruleset, but from what I see here, your
rule 24 blocks outbound esp from 172.22.59.6 to 172.22.55.2 on vio0,
while no other rule after it (or one before it with the 'quick'
keyword) permits it.

Check the exact line with pfctl -vvsr. Add either a default 'pass out'
somewhere below (I prefer it at the end of my ruleset, as I have so far
never blocked out stuff I already passed in), or pass out the exact traffic
you need, eg:

pass out on vio0 proto esp from 172.22.59.6 to 172.22.55.2

Hope this helps,

-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



PS1 in 6.3

2018-04-03 Thread Marko Cupać
Hi,

before I get to the question, I'd like to thank all the people who made
6.3 happen. Keep up the good work! :)

I noticed that on 6.3 the prompt shows hostname($|#) by default. Up until
now I was setting it by exporting PS1 in .profile:

PS1="\u@\h:\w \\$ "
export PS1

Where is the default setting for the prompt? Is it still ok to change it
in .profile (I also like to have the pwd in the prompt)?

Pardon my ignorance, and thank you in advance,

-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: bug tracking system for OpenBSD

2018-04-03 Thread Marko Cupać
On Sat, 31 Mar 2018 08:55:35 -0400
Eric Furman <ericfur...@fastmail.net> wrote:

> You think I'm going to visit a .ru website?

Until I read this I thought nothing about your possible actions, as I
knew nothing about you. Now I have a negative opinion.

Regards,
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: OSPF over gif on top of IPsec transport -current

2018-03-13 Thread Marko Cupać
Hi,

sorry to hijack the thread, my question is not directly related, but
deals with the same goal.

I have a physical topology where the datacentre has two carped firewalls,
while branch offices have a single firewall each, with two uplinks:

                                     isp2---em0
                                            branchoffice1
 datacenterA                         isp3---em1
   em0
     \                               isp4---em0
      carp0---isp1    INTERNET              branchoffice2
     /                               isp5---em1
   em0
 datacenterB                         ispX---em0
                                            branchofficeN
                                     ispY---em1

I'd like to achieve two primary goals:
- each branch office has routes to both datacentres and all other branch
  offices (OSPF?)
- each branch office uses em0 as the primary link, and fails over
  automatically to em1 when em0 fails

I tried GRE tunnels from both of the branch offices' physical interfaces to
the datacentres' carp interface, but this doesn't work (apparently gre is
not aware of carp and links go down when the carp master changes). I didn't
test two gre tunnels for each branch office's physical interface (one
to each carp member's physical interface), as this seems too cumbersome to
maintain even if it worked.

Any advice?

Thank you in advance,
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: Bandwidth Queuing on Asymmetrical Connections?

2018-03-01 Thread Marko Cupać
On Sat, 17 Feb 2018 12:30:28 -0800
Jordan Geoghegan <jgeoghega...@gmail.com> wrote:

> Hi folks, I was wondering how one goes about maintaining separate
> upload and download queues in pf. I have been playing with various
> combinations and I can't seem to get both queues to apply
> simultaneously.
> 
> For example, I have a 150 down 15 up connection. I want to limit a 
> specific device on the network to 100 down and 10 up. I can't for the 
> life of me figure out how to make this apply. I either end up setting
> a 10 megabit limit or 100. How do the pf gurus manage their
> asymmetrical connections?
> 

From my experience queueing is a bit tricky nowadays, but here are a
few tips.

Do not trust the ISP's declared bandwidth. Do extensive testing, and see
how much you really get. Next, set your parent queues to 90% of the max
bandwidth you get without queueing. Set all three values (bandwidth,
min and max) to this value:

# QUEUES
queue ul on $if_ext bandwidth 14M  min  14M max  14M
...
queue dl on $if_int bandwidth 140M min 140M max 140M

I prefer to set my queue matches early in the ruleset, so they apply to
all the rules later:

# QUEUE MATCHES
match proto tcp  to any port ssh   set queue ssh
match proto tcp  to any port rdp   set queue rdp
match proto tcp  to any port $xmpp set queue xmpp

If you queue not by services but by IP addresses, and you have NAT, you
will need to tag traffic on the internal interface and queue it on the
external interface by that tag.

Good luck,
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
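
An added pf.conf fragment, not from the original post, that writes out the tag-based per-host queueing the reply above describes. It assumes em0 as the external and em1 as the internal interface, the 14M/140M parent queues from the reply, and a constructed LAN host 192.168.1.50 that should get 10M up / 100M down as in the question; it also assumes that the queue assigned by the rule that creates a state is used for both directions of that state.

```pf
# INTERFACE MACROS (names assumed for this example)
if_ext = "em0"
if_int = "em1"

# Constructed LAN host to be capped at 10M up / 100M down
capped_host = "192.168.1.50"

# QUEUES
# Upload queues belong on the external interface, since queueing only
# acts on packets leaving an interface. The parent is pinned at 90% of
# the measured upstream; the children's bandwidth must not add up to
# more than the parent's.
queue ul on $if_ext bandwidth 14M min 14M max 14M
    queue ul_capped parent ul bandwidth 4M  max 10M
    queue ul_std    parent ul bandwidth 10M default

# Download queues belong on the internal interface, where the replies
# leave towards the LAN.
queue dl on $if_int bandwidth 140M min 140M max 140M
    queue dl_capped parent dl bandwidth 40M  max 100M
    queue dl_std    parent dl bandwidth 100M default

# QUEUE MATCHES (early, so every later pass rule inherits them)
# Upload: by the time a packet leaves $if_ext, nat-to has replaced the
# LAN source address, so the host can no longer be recognised there.
# Tag it on the way in on $if_int and pick the upload queue on $if_ext
# by that tag. The download queue is assigned on the same LAN-side rule,
# which is the one that creates the state for the host's connections
# (assumed: the state's queue applies to its reply packets as well).
match in  on $if_int inet from $capped_host tag CAPPED set queue dl_capped
match out on $if_ext inet tagged CAPPED set queue ul_capped

# NAT
match out on $if_ext inet from $if_int:network nat-to ($if_ext)

# FILTER
block log all
pass out
pass in on $if_int inet from $if_int:network
```

Verify with `pfctl -vvsr` that the two match rules come before the pass rules, and with `pfctl -vsq` that both queues on each interface are present, once the ruleset is loaded.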



Re: Community-driven OpenBSD tutorials wiki?

2018-01-25 Thread Marko Cupać
Sorry for late chime-in.

On Thu, 4 Jan 2018 15:02:45 -0500
Nick Holland <n...@holland-consulting.net> wrote:

> But the magic is not setting up the wiki (or anything else for
> documenting), it's MAINTAINING it and getting others to participate.
> ...
> For example, I looked at the first article on the mimar blog
> here, and I disagree with the basic structure.  Too much duplication
> of installation instructions, too much "do this", too little "here's
> why I'm doing this".  There's some really great things in there, like
> the -P command to populate the MFS file systems, without even
> commenting about that nifty command people might not know about.  And
> then you have a bunch of echos used to create a script.  boo.  Just
> provide the script and say "copy/paste this into your editor", or
> better, "here's how I did it", and assume if someone needs to be told
> to copy/paste into their editor, they shouldn't.  Don't obscure the
> actual details with "echo ...

I am doing my part! :D

I updated my article for 6.2 to include multiple disk partitions in
order to take advantage of W^X, kernel relinking etc. I also considered
your feedback and rewrote the stuff without echos. There's even a video
tutorial at the end of the page (I know, I know, everyone hates them).

!WARNING - BLATANT SELF PROMOTION BELOW!

[https://www.mimar.rs/blog/how-to-increase-openbsds-resilience-to-power-outages]

Feedback is welcome.
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



check list mails for malware

2018-01-16 Thread Marko Cupać
Hi,

my mail system has just blocked a mail from b...@openbsd.org which
contains malware. Perhaps incoming mails to the openbsd lists should be
checked for malware before they are distributed to list members?

Here's the amavis report:


A virus was found: Rtf.Downloader.Obfuscation-6370377-2

Scanner detecting a virus: ClamAV-clamd

Content type: Virus
Internal reference code for the message is 38708-15/bg254irHCuHA

First upstream SMTP client IP address: [192.43.244.163]:25439
  lists.openbsd.org

Received trace: ESMTPS://[192.43.244.163]:25439 < ESMTP://127.0.0.1 <
  ESMTPS://46.102.152.157 < local://x

Return-Path: <owner-bugs+m28...@openbsd.org>
From: Natalia.S <natalia.shchetin...@westernunion.com>
Sender: owner-b...@openbsd.org
Message-ID: <e1eboox-0006fw...@bankosantantder.com>
Subject: Запрос на возврат средств клиента
The message has been quarantined as: virus-bg254irHCuHA

The message WAS NOT relayed to:
<marko.cu...@mimar.rs>:
   250 2.7.0 ok, discarded, id=38708-15 - infected:
rtf.downloader.obfuscation-6370377-2

Virus scanner output:
  p001: Rtf.Downloader.Obfuscation-6370377-2 FOUND
  p004: Rtf.Downloader.Obfuscation-6370377-2 FOUND


Return-Path: <owner-bugs+m28...@openbsd.org>
Received: from openbsd.org (lists.openbsd.org [192.43.244.163])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by mail.mimar.rs (Postfix) with ESMTPS id 294A9625A23E
    for <marko.cu...@mimar.rs>; Tue, 16 Jan 2018 15:34:12 +0100 (CET)
Received: from openbsd.org (localhost [127.0.0.1])
    by openbsd.org (OpenSMTPD) with ESMTP id e9a25692;
    Tue, 16 Jan 2018 07:34:08 -0700 (MST)
Received: from bankosantantder.com (bankosantantder.com [46.102.152.157])
    by openbsd.org (OpenSMTPD) with ESMTPS id b863df7e
    (TLSv1.2:AES256-SHA256:256:NO) for <b...@openbsd.org>;
    Tue, 16 Jan 2018 06:17:48 -0700 (MST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
    d=bankosantantder.com; s=dkim;
    h=Date:Message-Id:Reply-To:Content-type:MIME-Version:From:Subject:To;
    bh=zqQlCXfowdvAkKI7caNIkqVOL643LzTD988dF1+98Ms=;
    b=Z8IH5uRa0b4QCZ+m2aMA64/EIZvyl8O+Ep92Bg6J11VgMRXK1aVxvHEFT/vANurnwqVFyyEWcmU6Y72TD9IwwCF6hqV78kZl00rM/8RxDqBXrDs9AJwKFy6SEZQa8nvG7qSpZ7qCOlUgo8R3rWUO4Vw5yCIH4GnPctpPUA/IOSQ=;
Received: by bankosantantder.com with local (Exim 4.80) id
    1ebOox-0006FW-0M; Tue, 16 Jan 2018 05:50:23 -0500
To: b...@openbsd.org
Subject:
    =?UTF-8?B?0JfQsNC/0YDQvtGBINC90LAg0LLQvtC30LLRgNCw0YIg0YHRgNC10LTRgdGC0LIg0LrQu9C40LXQvdGC0LA=?=
From: =?UTF-8?B?TmF0YWxpYS5T?= <natalia.shchetin...@westernunion.com>
MIME-Version: 1.0; Content-type: multipart/mixed;
    boundary="--pnSRa1E8p2"
Reply-To: natalia.shchetin...@westernunion.com
Message-Id: <e1eboox-0006fw...@bankosantantder.com>
Date: Tue, 16 Jan 2018 05:50:23 -0500
X-Content-Discarded: text/html
List-Help: <mailto:majord...@openbsd.org?body=help>
List-ID: 
List-Owner: <mailto:owner-b...@openbsd.org>
List-Post: <mailto:b...@openbsd.org>
List-Subscribe: <mailto:majord...@openbsd.org?body=sub%20bugs>
List-Unsubscribe: <mailto:majord...@openbsd.org?body=unsub%20bugs>
X-Loop: b...@openbsd.org
Precedence: list
Sender: owner-b...@openbsd.org

-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: Video-conferencing tool a la Skype or Facetime for OpenBSD?

2018-01-04 Thread Marko Cupać
On Fri, 5 Jan 2018 00:18:12 +0900
Bryan Linton <b...@shoshoni.info> wrote:

> Hello misc@
> 
> I have a friend who runs Windows who has asked me if there is any
> way we can occasionally communicate with each other via some kind 
> of video-conferencing application similar to what programs like
> Skype and Facetime provide.
> 
> Does such a thing already exist for OpenBSD?

Do you mean client software that connects from both Windows and
OpenBSD to public videoconferencing services, or a self-hosted
videoconferencing server? I don't know about the former, but as for the
latter, I am testing two different approaches:
- nextcloud with webrtc: [https://nextcloud.com/webrtc/]
- matrix/synapse: [https://github.com/matrix-org/synapse]

Nextcloud with webrtc should work on OpenBSD. Matrix/Synapse has a
FreeBSD port, I don't know about OpenBSD.

Regards,
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: Community-driven OpenBSD tutorials wiki?

2018-01-04 Thread Marko Cupać
On Thu, 4 Jan 2018 09:13:58 -0700
Base Pr1me <tlemery5...@gmail.com> wrote:

> The Pledge of the Network Admin, from one of those book authors:
> http://bsdly.blogspot.com/2011/01/i-will-not-mindlessly-paste-from-howtos.html
> :D

I found this pledge quite early, and it instantly became my pledge as
well. But I think the significant word here is "mindlessly". Pasting
from howtos is not bad per se, in my opinion, as long as you gradually
get to understand what you pasted.
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: Community-driven OpenBSD tutorials wiki?

2018-01-04 Thread Marko Cupać
On Thu, 4 Jan 2018 10:41:19 -0500
Bryan Harris <bryanlhar...@gmail.com> wrote:

> My preference is to purchase a book. I have had a good experience with
> Absolute OpenBSD, Httpd & Relayd, the tarsnap book, and the Book of
> PF.
>
> I would buy a book about OpenSMTPD and also ikev2 but I didn't see
> any.
> 
> Just my $0.02, I like books better than online tutorials.

Couldn't agree more. Those are good books.

However, back in the day when I was completely fresh to OpenBSD, I
preferred to copy/paste someone's working solution, and then discover
which config line does what, how, and why. That's because I had no
clue about anything. It was valuable to read how people designed
solutions to their needs, what combination of software they used etc.
Only at a later stage was I able to dive into the documentation.

I was particularly fond of this set of howtos:
http://www.kernel-panic.it/openbsd.html
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: Community-driven OpenBSD tutorials wiki?

2018-01-04 Thread Marko Cupać
Feel free to contribute to [!WARNING - BLATANT SELF PROMOTION BELOW!]

[https://www.mimar.rs/blog/tag:openbsd]

As a side note, setting up apache and grav [https://getgrav.org/] took
me an hour or so. Writing a simple article takes a whole day, sometimes
much more.
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: Simplifying pf-rules

2018-01-04 Thread Marko Cupać
On Thu, 4 Jan 2018 14:09:50 +0100
Jon S <jonsjost...@gmail.com> wrote:

> Hello misc!
> 
> My OpenBSD file server just became a router too (after getting a new
> internet connection where the provider does not include a router in
> the subscription).

If possible, I'd avoid combining file server and firewall services on a
single box.

> This led to my first experiences with pf. After some work I came up
> with what's below. It works as I want it to work, but I wonder if
> there is a way to create a rule where incoming traffic to the
> internal NIC (re0) is passed if it is targeted for em0 (external,
> internet NIC)? The current solution would require an update of the
> "pass in on re0 to !re0:network"-rule if another NIC is added (let's
> say a DMZ).

All my pf rulesets start with defining interface macros so they are
more readable, and also more flexible (this way changing a NIC to one
with a different driver needs one line changed, instead of all lines in
the ruleset referencing that interface):

# INTERFACE MACROS
if_int = "re0"
if_ext = "em0"

> set skip on lo0
> 
> # Block everything everywhere by default
> block log all

I prefer to put the "match" section above the default "block log all"
rule. It's more logical to me, as something being "matched" has no
impact if it's not "passed" or "blocked" later on in the ruleset.

> # NAT local network to external
> match out on em0 inet from re0:network nat-to (em0)
> 
> # Allow all outgoing traffic
> pass out on {em0, re0}
> 
> # Allow only specific services on this machine to be accessed from
> # local network
> pass in on re0 inet proto tcp to port ssh # ssh
> pass in on re0 inet proto icmp# icmp
> pass in on re0 inet proto tcp to port 445 # samba

Your description line does not accurately describe what the next three
lines do - as the destination IP is not present, "to any" is assumed, so
a more accurate description would be "Allow specific services on any
machine to be accessed from local network".

If you wanted your ruleset to match the description line, and your
services listen on the internal NIC, you would do something like:

pass in on $if_int inet proto tcp  from re0:network to re0 port ssh
pass in on $if_int inet proto icmp from re0:network to re0
pass in on $if_int inet proto tcp  from re0:network to re0 port 445

> 
> #pass in on re0 inet to em0:network # This does not work, since the
> #mask for this IF will only let traffic through to the limited set of
> #IPs on the same C-segment as em0. That would probably be a set of
> #other customers at the network operator...
> 
> # This works, but will require an update if any further NIC is involved
> # later
> pass in on re0 to !re0:network

There are multiple ways to achieve this. One of them would be passing
everything on $if_int, and blocking what you don't want later (if the
"quick" keyword is not used, the last matching rule wins):

pass in on $if_int
block in on $if_int inet proto tcp from $if_int:network to \
  $if_int port { !=ssh !=445 }

The other one would be blocking unwanted stuff quickly, early in the
ruleset, and passing what you want later on:

block in quick on $if_int inet proto tcp from $if_int:network to \
  $if_int port { !=ssh !=445 }
pass in on $if_int

Both examples block only TCP to the internal NIC, so blocking other
protocols, if there are any on the firewall, also needs to be done.

> 
> # I would like something like this to work, so that future added NICs
> # won't open new unwanted paths
> #pass in on re0 to em0
> 
> # Allow only incoming SSH to external NIC
> pass in on em0 inet proto tcp to port ssh

In the end, your ruleset seems quite minimal. I suggest you start
worrying about a new NIC once you add it. For now it would be better to
play around with pfctl -vvsr, systat states/rules, tcpdumping pflog etc.

Hope this helps,

-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
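The ordering rules used in the reply above (last matching rule wins unless "quick" is set, "match" never decides anything) can be checked on sample traffic with the small model below. It is an added illustration, not code from the post or from pf itself; it assumes re0 is 192.168.1.1 on 192.168.1.0/24, and it expresses the "ssh and 445 only" intent as a general block plus a positive pass list rather than the post's negated port list, so that the same rules can be compared in both orderings.

```python
"""Toy model of how pf(4) picks a verdict, for the ordering discussion above.

Added illustration, not pf itself: it models direction, interface, proto,
from/to, port and "quick" only, and ignores state.  Rules are walked in
order; the LAST matching pass/block rule decides, unless a matching rule
carries "quick", which ends evaluation on the spot.  "match" never decides.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed addressing, standing in for $if_int / $if_int:network in the post.
IF_INT = "re0"
IF_INT_ADDR = "192.168.1.1"
IF_INT_NET = "192.168.1.0/24"
SSH, SMB = 22, 445


@dataclass(frozen=True)
class Packet:
    direction: str              # "in" or "out"
    iface: str
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                         # "pass", "block" or "match"
    direction: Optional[str] = None
    iface: Optional[str] = None
    proto: Optional[str] = None
    src_net: Optional[str] = None       # CIDR, like $if_int:network
    dst: Optional[str] = None           # one address, like $if_int
    ports: frozenset = frozenset()      # empty means any port
    quick: bool = False

    def matches(self, p: Packet) -> bool:
        """Every criterion that is set must hold; unset ones mean 'any'."""
        if self.direction and self.direction != p.direction:
            return False
        if self.iface and self.iface != p.iface:
            return False
        if self.proto and self.proto != p.proto:
            return False
        if self.src_net and ip_address(p.src) not in ip_network(self.src_net):
            return False
        if self.dst and p.dst != self.dst:
            return False
        return not self.ports or p.dport in self.ports


def evaluate(ruleset, p: Packet, default: str = "block") -> str:
    """Return 'pass' or 'block' for p; default mirrors an initial 'block all'."""
    verdict = default
    for rule in ruleset:
        if not rule.matches(p):
            continue
        if rule.action == "match":
            continue                    # only sets options, never decides
        verdict = rule.action
        if rule.quick:
            break                       # quick: the first such match is final
    return verdict


# Style 1 from the reply: pass everything on $if_int, then narrow it down.
# Without "quick" later rules override the earlier general pass, so the
# specific pass goes LAST.  The "match" rule decides nothing wherever it sits.
LAST_MATCH_WINS = [
    Rule("match", "in", IF_INT),
    Rule("pass", "in", IF_INT),
    Rule("block", "in", IF_INT, "tcp", IF_INT_NET, IF_INT_ADDR),
    Rule("pass", "in", IF_INT, "tcp", IF_INT_NET, IF_INT_ADDR,
         frozenset({SSH, SMB})),
]

# Style 2: settle firewall-bound TCP early with "quick", then pass the rest.
# Now the specific pass must come FIRST, or the quick block swallows it.
QUICK_FIRST = [
    Rule("pass", "in", IF_INT, "tcp", IF_INT_NET, IF_INT_ADDR,
         frozenset({SSH, SMB}), quick=True),
    Rule("block", "in", IF_INT, "tcp", IF_INT_NET, IF_INT_ADDR, quick=True),
    Rule("pass", "in", IF_INT),
]
# The two quick rules swapped: ssh and 445 are now blocked as well.
QUICK_MISORDERED = [QUICK_FIRST[1], QUICK_FIRST[0], QUICK_FIRST[2]]


def verdicts(ruleset) -> dict:
    """Verdicts for constructed sample packets arriving on re0 from the LAN."""
    lan_host = "192.168.1.50"
    samples = {
        "ssh": Packet("in", IF_INT, "tcp", lan_host, IF_INT_ADDR, SSH),
        "smb": Packet("in", IF_INT, "tcp", lan_host, IF_INT_ADDR, SMB),
        "tcp8080": Packet("in", IF_INT, "tcp", lan_host, IF_INT_ADDR, 8080),
        "udp53": Packet("in", IF_INT, "udp", lan_host, IF_INT_ADDR, 53),
        "fwd_http": Packet("in", IF_INT, "tcp", lan_host, "203.0.113.10", 80),
    }
    return {name: evaluate(ruleset, pkt) for name, pkt in samples.items()}
```

Both styles give identical verdicts on the samples, and "udp53" passing in both is the caveat from the reply: only TCP to the firewall is blocked.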



pcengines apu3b4 with lte modem huawei ME909s-120

2017-12-29 Thread Marko Cupać
 rev 0x00: msi
pci2 at ppb1 bus 2
em1 at pci2 dev 0 function 0 "Intel I211" rev 0x03: msi, address
00:0d:b9:49:da:5d
ppb2 at pci0 dev 2 function 4 "AMD AMD64 16h PCIE" rev 0x00: msi
pci3 at ppb2 bus 3
em2 at pci3 dev 0 function 0 "Intel I211" rev 0x03: msi, address
00:0d:b9:49:da:5e
"AMD CCP" rev 0x00 at pci0 dev 8 function 0 not configured
xhci0 at pci0 dev 16 function 0 "AMD Bolton xHCI" rev 0x11: msi
usb0 at xhci0: USB revision 3.0
uhub0 at usb0 configuration 1 interface 0 "AMD xHCI root hub" rev
3.00/1.00 addr 1
ahci0 at pci0 dev 17 function 0 "AMD Hudson-2 SATA" rev 0x40: apic 4
int 19, AHCI 1.3
scsibus1 at ahci0: 32 targets
ehci0 at pci0 dev 19 function 0 "AMD Hudson-2 USB2" rev 0x39: apic 4
int 18
usb1 at ehci0: USB revision 2.0
uhub1 at usb1 configuration 1 interface 0 "AMD EHCI root hub" rev
2.00/1.00 addr 1
piixpm0 at pci0 dev 20 function 0 "AMD Hudson-2 SMBus" rev 0x42: SMBus
disabled
pcib0 at pci0 dev 20 function 3 "AMD Hudson-2 LPC" rev 0x11
sdhc0 at pci0 dev 20 function 7 "AMD Bolton SD/MMC" rev 0x01: apic 4
int 16
sdhc0: SDHC 2.0, 50 MHz base clock
sdmmc0 at sdhc0: 4-bit, sd high-speed, mmc high-speed, dma
pchb2 at pci0 dev 24 function 0 "AMD AMD64 16h Link Cfg" rev 0x00
pchb3 at pci0 dev 24 function 1 "AMD AMD64 16h Address Map" rev 0x00
pchb4 at pci0 dev 24 function 2 "AMD AMD64 16h DRAM Cfg" rev 0x00
km0 at pci0 dev 24 function 3 "AMD AMD64 16h Misc Cfg" rev 0x00
pchb5 at pci0 dev 24 function 4 "AMD AMD64 16h CPU Power" rev 0x00
pchb6 at pci0 dev 24 function 5 "AMD AMD64 16h Misc Cfg" rev 0x00
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
com2 at isa0 port 0x3e8/8 irq 5: ns16550a, 16 byte fifo
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
wbsio0 at isa0 port 0x2e/2: NCT5104D rev 0x53
vmm0 at mainbus0: SVM/RVI
scsibus2 at sdmmc0: 2 targets, initiator 0
sd0 at scsibus2 targ 1 lun 0:  SCSI2 0/direct
removable
sd0: 14868MB, 512 bytes/sector, 30449664 sectors
uhub2 at uhub1 port 1 configuration 1 interface 0 "Advanced Micro
Devices product 0x7900" rev 2.00/0.18 addr 2
cdce0 at uhub2 port 3 configuration 2 interface 0 "Huawei Technologies
Co., Ltd. HUAWEI Mobile V7R11" rev 2.10/1.02 addr 3
cdce0: could not find data bulk in
ugen0 at uhub2 port 3 configuration 2 "Huawei Technologies Co., Ltd.
HUAWEI Mobile V7R11" rev 2.10/1.02 addr 3
vscsi0 at root
scsibus3 at vscsi0: 256 targets
softraid0 at root
scsibus4 at softraid0: 256 targets
root on sd0a (acba5e9b98800af4.a) swap on sd0b dump on sd0b
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: ssh from cisco to OpenBSD 6.2 error status 0

2017-12-28 Thread Marko Cupać
On Mon, 25 Dec 2017 15:06:34 +0100
"Peter N. M. Hansteen" <pe...@bsdly.net> wrote:

> On 12/25/17 11:13, Marko Cupać wrote:
> > Hi,
> > 
> > I noticed I can't ssh from cisco router running IOS 15.X to OpenBSD
> > 6.2. No problem with 6.1.
> > 
> > Anyone else with this problem? Any idea how to solve it or where to
> > start digging?  
> 
> I'd start by looking for messages in /var/log/authlog on the OpenBSD
> machine, and if possible running with ssh -v or -vv (I forget how many
> you can usefully put in, or if the Cisco boxes even use the same
> options) to get more detail on what happens.
> 
> My hunch is that you will be looking at resolving a gap in ciphers
> offered as available at either end. Newer ssh versions have
> incrementally dropped or disabled by default the unsafe ones, but
> increasing the message verbosity will point you in the right
> direction.

Hi,

thanks for pointing me to auth.log. I never have problems with ssh, so
I don't have the habit of checking auth.log - I was looking at messages
and daemon logs.

I saw this in auth.log:
Protocol major versions differ for 192.168.223.1 port 45187:
SSH-2.0-OpenSSH_7.6 vs. SSH-1.99-Cisco-1.25

I started passing different cipher options to ssh client on cisco, and
finally managed to connect to OpenBSD 6.2 with:

ssh -v 2 -c aes256-ctr -m hmac-sha1-160 IP.ADD.RE.SS

Regards,
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: OpenBSD 6.2 (up2date with syspatch) - HANGING

2017-12-25 Thread Marko Cupać
On Fri, 22 Dec 2017 13:43:35 +0100
Florian Obser <flor...@openbsd.org> wrote:

> Yes, quite a lot of effort and money (think travel cost to hackathons)
> was spent by developers between 5.9 and 6.2 releases.
> You are welcome.

Somehow I have the impression that most of the OpenBSD code wasn't
written in fancy guest facilities where priesthood arrives and departs
by means of business class flights to churn out some lines of code. The
time when it wasn't all about MONEY.

But yeah, we have to embrace modern times and not hold on to the past.



Still, OpenBSD is the best :)
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: bug tracking system for OpenBSD

2017-12-25 Thread Marko Cupać
While not exactly a bug tracker, more like a general-purpose issue
tracker, I have successfully implemented rt44 in the company I work for:

[https://docs.bestpractical.com/rt/4.4.2/README.html]

The reason why I succeeded with rt44, and failed with other, shinier
trackers with more bells and whistles, is its integration with email.
All of my users want a single email address where they can report issues.
Some of my colleagues in IT want to continue using email-only
correspondence while dealing with users' issues, while others prefer to
use additional features in rt44's web interface. All of them can have
their way with rt. No one was forced into something new, something
different. Email-only is still there, with the addition of a web
interface for those who want/like it.

If OpenBSD people are interested, I can provide complete rt44-based
solution directly from my servers, or I can help building and
integrating it on some other hardware.

Regards,
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



ssh from cisco to OpenBSD 6.2 error status 0

2017-12-25 Thread Marko Cupać
Hi,

I noticed I can't ssh from cisco router running IOS 15.X to OpenBSD
6.2. No problem with 6.1.

Anyone else with this problem? Any idea how to solve it or where to
start digging?

Thank you in advance,
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: How to make ProtonMail compatible with misc@ Re: Do not give-up on marketing

2017-12-06 Thread Marko Cupać
On Wed, 06 Dec 2017 00:06:14 -0500
Joseph Mayer <joseph.ma...@protonmail.com> wrote:

> Here is how to make ProtonMail compatible with misc@:
> 
> Click "Settings" up to the right.
> 
> Click the "Appearance" tab in the menu.
> 
> Under the "Composer mode" section there's a dropdown with two
> options, it's preset to "Normal".
> 
> Switch it to "Plain Text".
> 
> 
> This email was sent from ProtonMail. I presume it's in the format
> everyone wants.

Almost there, but still violating the second part of the first rule: 72
characters per line ;)

Claws-mail inserts line breaks automatically.
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



3g modem support

2017-12-06 Thread Marko Cupać
Hi,

I would like to test 3g networking on PC Engines' APU3b4 (I heard it
does not work yet on this particular board with OpenBSD 6.2, apparently
due to issues between EHCI driver and AMD USB chipset, but I'd like to
help with development testing).

PC Engines website has "short and incomplete list of working 3G
miniPCIe modems":
[http://pcengines.ch/howto.htm#3G]

...which suggests some Sierra Wireless modems, none of which are
available for purchase in the country I live in.

This one is available for ~25€ (Sierra Wireless MC8755):
[http://www.netiks.rs/3g-minipciexpress-card]

Also this one for ~100€ (Huawei ME909s-120):
[http://www.netiks.rs/huawei-me909s-120-minipciexpress-card]

If someone can confirm these cards are / aren't supported by OpenBSD,
I'd be very grateful.

Thank you in advance,
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: pcengines apu boards

2017-12-05 Thread Marko Cupać
On Mon, 4 Dec 2017 12:53:26 -0800
"Paul B. Henson" <hen...@acm.org> wrote:

> > From: Marko Cupac
> > Sent: Monday, December 4, 2017 3:54 AM
> > 
> > I have just ordered one APU3b4, as I wanted to test mobile provider
> > as a backup link. I see it probably won't be any good as OpenBSD
> > router (yet), but at least I'll be able to test and give feedback.  
> 
> Assuming you're planning to use an internal Mini PCI card, unless you
> have more luck than me, it's not going to work :(. I'm hoping I will
> be able to fix the EHCI driver to be more happy with the AMD USB
> chipset, but this point I'm still fumbling with it :).

My APU3b4 has just arrived, hopefully I'll have time to install it with
OpenBSD tomorrow and send feedback.

Regards,
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: Do not give-up on marketing

2017-12-04 Thread Marko Cupać
On Sun, 3 Dec 2017 12:58:42 +0200
Mihai Popescu <mih...@gmail.com> wrote:

> I use to read lists in marc.info.
> It is a little bit off topic, but I dare to ask: what combination are
> you using, like email client and misc@ configuration( i.e, daily
> digest, individual emails, etc.)?

I am using claws-mail, redirecting (by means of server-side sieve
filters) emails from each mailing list to a separate folder. I
configure sieve filters from roundcube, and for mailing lists I mostly
use rule similar to "list id contains  -> move
message to "INBOX\lists\openbsd\misc".

I like to receive individual mails and set mailing lists folders to
"thread view" in claws-mail.

Regards,
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: pcengines apu boards

2017-12-04 Thread Marko Cupać
On Sat, 2 Dec 2017 20:08:41 -0800
"Paul B. Henson" <hen...@acm.org> wrote:

> On Sat, Dec 02, 2017 at 10:40:14PM +1000, Douglas Ray wrote:
> 
> > On the APU3a4 the internal USB headers were broken.
> > I had email from pcengines (March 2017) saying this would
> > be addressed in the APU3b series., but we went for APU2.  
> 
> I have a APU3b series, they fixed the incorrect pinout on the internal
> usb headers. The internal ECHI ports work fine under both linux and
> freebsd connected to a USB backplate I'm testing with. It's
> definitely a disagreement between the AMD EHCI USB chipset and
> OpenBSD . I'm going to see if I can port some of the
> workarounds and quirks for that chipset from linux/freebsd to the
> openbsd driver and see if I have any luck getting it working; drivers
> aren't my strong suite but we'll see what happens. In the worst case
> I guess I'll use an external miniPCI to USB adapter and connect my
> LTE modem to the external xHCI ports, they seem to work fine under
> OpenBSD.
> 
> Thanks...
> 

I have a bunch of APU2c4's, they play nice with OpenBSD. Actually my
complete fleet (~20) of branch office routers is based on
APU2c4's running various OpenBSD versions (I think the oldest is 5.8).

I have just ordered one APU3b4, as I wanted to test mobile provider as
a backup link. I see it probably won't be any good as OpenBSD router
(yet), but at least I'll be able to test and give feedback.

Regards,
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: Image viewer alternative to eog

2017-11-27 Thread Marko Cupać
On Sun, 26 Nov 2017 20:15:14 -0200
"x9p" <m...@x9p.org> wrote:

> Is there a good/safe and light image viewer? Was used to eog, but it
> has too many "vfprintf %s NULL" in messages. gimp is too big and good
> for play with images, In need of smth fast.
...
> Thank you all for the inputs. feh suited best. lots of command line
> options, folder slideshow and option to specify geometry was a big
> plus.

I don't know if that counts as 'good/safe and light', but I use XFCE's
ristretto. When jumping the sinking ship of GNOME some years ago I tried
to go all the way down to openbox and its ecosystem (including feh),
but it was a bit too much of a change for me for my primary work
environment (I still use openbox and friends in some thin client
setups).

XFCE and its ecosystem are not as lightweight, but from my point of
view they have balanced usability and weight for my primary laptop use
case.
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



pf queueing syntax question

2017-11-09 Thread Marko Cupać
Hi,

I'm (re)trying out queuing possibilities in 6.2.

I am trying out different possibilities, mixing queue with prio.

I have accidentally put two different lines in my pf.conf:

match proto tcp  to any port domain   set prio 6 set queue dns
match proto udp  to any port domain   set queue dns prio 6

I reloaded the ruleset and there weren't any complaints.

`pfctl -sr' interpreted these two lines differently:

match proto tcp from any to any port = 53 set ( prio 6, queue dns )
match proto udp from any to any port = 53 prio 6 set ( queue dns )

Are those two lines expected to queue differently? In which way?

Thank you in advance,
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: pf and max bandwidth in nested queues (bug?)

2017-11-06 Thread Marko Cupać
I've just given a spin to 6.2. And queueing in PF actually does all I
want it to do - giving child queues max bandwidth of parent queue when
parent queue is unsaturated, and throttling them down to set bandwidth
when parent queue is saturated.

Now those few years of pf queueing problems look so far away, almost
like they never happened :) Thanks to people who made it possible.
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: pf and max bandwidth in nested queues (bug?)

2017-11-02 Thread Marko Cupać
On Wed, 1 Nov 2017 13:22:03 +
Oliver Humpage <oli...@watershed.co.uk> wrote:

> Hello,
>
> I have an OpenBSD 6.2 router, set up in a test rig so there's no
> traffic apart from my tests. It has vmx interfaces. $int_if is a vlan
> on one of them.
> 
> I have an issue where if a child queue has a different “max” from a
> parent queue, the bandwidth is throttled down to much less than
> either.

Hi fellow adventurer in PF queuing :)

I'd like authoritative, correct, field-tested answers to a number of
questions related to PF queuing, but at the moment it appears there
aren't any. pf.conf(5) doesn't say much, and the PF FAQ's chapter on
queuing has been in the attic for quite some time now:
http://cvsweb.openbsd.org/cgi-bin/cvsweb/www/faq/pf/Attic/queueing.html

So I guess it's you and me and maybe someone else on this list who will
have to test and get those answers from those tests.

I haven't yet gotten to do any tests on 6.2, but from my experience, the
only way for queuing to work as expected is to set all three -
declared, min and max bandwidth - on the parent and all the child queues
to the same value, where the sum of the child queues has to be less than
or equal to the parent queue. Pay attention to the fact that only new
states go to the appropriate queues, so (from my experience) every
ruleset change needs flushing of states (pfctl -F states). If you have
NAT in the mix it complicates things further, and I think tagging
packets inbound on the internal interface, and queueing them on the
external interface by tags, is the way to go.

You will get different answers from different people regarding inbound
(interface-wise) queuing - most people say it has no effect, but some
people say it puts return traffic into appropriate queues, so it
apparently does have effect. Go figure, and let me know if you do :)

If you search misc@ list for my posts, you will find quite a number of
rants regarding PF queuing. Not much useful info tho.

Now, what I'd really like to know is, if I have let's say 4Mbit uplink,
and 4x1Mbit declared queues (without min and max values), what is the
logic of borrowing bandwidth from non-saturated queues. Because I can't
for love of my life make any sense of it.

That being said, all the alternatives to OpenBSD are worse. I guess we
need to keep trying :)

Regards,
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: Traffic filtering

2017-11-02 Thread Marko Cupać
On Mon, 30 Oct 2017 20:50:46 +
greg...@airmail.cc wrote:

> Hi,
> I'm new to this area, but I would like to filter some traffic.
> The goal is to keep people secure while web browsing, not to censure.
> And also enable better privacy, mainly stop "malware" and
> tracking/ads as restrictively as possible.
> 
> I have 3 questions, in case someone here has the time to answer me:
> 
> 1. What layers I should be filtering? Direct IP drop using pf,
> DNS drop with NSD/Unbound server, layer 7 with relayd, etc.

I'm filtering web traffic with squid, an http proxy. That way I can give
more information to users about the reasons for a restriction, not just
"request timeout" or "no dns record".

> 2. If the right approach is blacklisting domains, then what list
> do OpenBSD users recommend to use? People seem to be using these
> two, but I would like to know the opinion from OpenBSD users:
> http://www.malware-domains.com/files/
> https://hosts-file.net/?s=Download

I had good experience with http://www.shallalist.de/

> 3. There's any well designed tool that I can automatically update
> these lists (using pledge and signify, for example), or a simple shell
> script is enough?

ftp and reload service.

-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



late ro remount to permit reorder_kernel on 6.2

2017-10-29 Thread Marko Cupać
Hi,

on 6.2, kernel relinking is done last in rc:

# Re-link the kernel, placing the objects in a random order.
# Replace current with relinked kernel and inform root about it.
/usr/libexec/reorder_kernel &

I have some boxes which have /var, /tmp and /dev mounted as mfs,
while the others are mounted from the local SD card and kept read-only.

Historically I used an @reboot cron job for remounting local filesystems
(mount -urA -t nomfs), but this prevents relinking libraries, and - as
of 6.2 - relinking the kernel, because cron is started earlier in rc.

I am currently remounting local file systems late by modifying rc
(terrible, I know):
/usr/libexec/reorder_kernel && mount -urA -t nomfs >/dev/null 2>&1

I know read-only setups are unsupported, and modifying base files as
well, but if someone has advice on what would be a better way of
remounting local file systems read-only after kernel relinking is done,
I'd be grateful.

Thank you in advance,
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: bgpd.conf invalidated on 6.2

2017-10-16 Thread Marko Cupać
On Mon, 16 Oct 2017 12:18:40 +0200
Claudio Jeker <cje...@diehard.n-r-g.com> wrote:

> On Mon, Oct 16, 2017 at 12:13:14PM +0200, Marko Cupać wrote:
> > Hi,
> > 
> > I've just upgraded one of my firewalls to 6.2, but bgpd won't start
> > with bgpd.conf which worked for 5 releases or so.
> > 
> > Here's error message:
> > /etc/bgpd.conf:11: duplicate prefix in network statement
> > config file /etc/bgpd.conf has errors, not reloading
> > 
> > The problem appears to be with the two following lines in bgpd.conf
> > (redacted):
> > network NE.TW.OR.K/24 set nexthop IP.ADD.RE.SS1
> > network NE.TW.OR.K/24 set nexthop IP.ADD.RE.SS2
> > 
> > Any idea how to make this work on 6.2?
> >   
> 
> Remove one of the two lines.

IIRC, those lines were added more than 5 years ago, because they made
the CARPed setup work and have instant failover (IP.ADD.RE.SS1 and
IP.ADD.RE.SS2 are IP addresses of CARP interfaces facing ISP1 and ISP2).
So, the session is established from the physical interface
(local-address), but nexthops are set to the respective carp interfaces,
so that the BGP session is always up, even from CARP BACKUP, and
failover is instantaneous.

Are you suggesting I will have the same functionality even after
removal of either of the two lines?

Here's my complete non-redacted bgpd.conf for better understanding:

# MACROS
orion = "178.253.194.253"
sbb   = "82.117.192.121"

# GLOBAL CONFIGURATION
AS 12823
router-id 193.53.106.253
network 193.53.106.0/24 set nexthop 178.254.158.60
network 193.53.106.0/24 set nexthop 82.117.192.124

# NEIGHBORS AND PEERS
neighbor $orion {
	remote-as 9125
	descr "orion"
	multihop 10
	local-address 178.254.158.59
	demote carp
	set localpref -10
}

neighbor $sbb {
	remote-as 31042
	descr "sbb"
	local-address 82.117.192.123
	demote carp
	set localpref +10
}
(default filters below)

Thank you in advance,
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



bgpd.conf invalidated on 6.2

2017-10-16 Thread Marko Cupać
Hi,

I've just upgraded one of my firewalls to 6.2, but bgpd won't start
with bgpd.conf which worked for 5 releases or so.

Here's the error message:
/etc/bgpd.conf:11: duplicate prefix in network statement
config file /etc/bgpd.conf has errors, not reloading

The problem appears to be with the two following lines in bgpd.conf
(redacted):
network NE.TW.OR.K/24 set nexthop IP.ADD.RE.SS1
network NE.TW.OR.K/24 set nexthop IP.ADD.RE.SS2

Any idea how to make this work on 6.2?

Thank you in advance,
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: Filtering other network layer protocols with PF

2017-09-12 Thread Marko Cupać
On Mon, 11 Sep 2017 10:26:22 -0500
Christopher Snell <chris.sn...@gmail.com> wrote:

> Hi,
> 
> I have an AT&T fiber connection at home that relies on a crappy,
> proprietary, and insecure [1] router that does proprietary
> authentication with upstream equipment via EAP over 802.1x.  Some
> folks have figured out how to bypass it by putting the AT&T router
> behind their actual firewalls and proxying the 802.1x packets to/from
> the AT&T device, thus faking out the upstream gateway.
> 
> Unfortunately, the common solution [2] for this is Linux-specific and
> relies on their PF_RING stuff.  I was hoping to proxy this protocol in
> OpenBSD without having to use something slow like pcap.  As far as I
> can tell from reading man pages, PF does not support this network
> layer protocol (0x888E).  Does anybody have any ideas on how I might
> efficiently capture these packets and copy them to another interface?
> 
> Chris
> 
> [1] https://www.nomotion.net/blog/sharknatto/
> [2] https://github.com/jaysoffian/eap_proxy

Hi,

not exactly an answer to your question, but:

I have a similar situation, where my ISP gives me a crappy device whose
uplink is ADSL, and downlink is ethernet. By default, it does
PAP-authenticated pppoe, NAT and ingress filtering on the uplink.

I managed to configure this device in 'bridge mode', and put a
two-nic (PC Engines' APU2) OpenBSD firewall behind it, which
calls pppoe, NATs, filters, etc. The rest of my home LAN plugs into the
internal interface of the mentioned firewall.

ISP--adsl

I still can't secure ISP's device, but I can filter traffic which
enters and leaves my LAN.

Regards,
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: syspatch question

2017-08-09 Thread Marko Cupać
On Tue, 8 Aug 2017 18:17:35 -0400
Taylor Stearns <t...@tstearns.com> wrote:

> On Tue, Aug 08, 2017 at 01:10:22PM -0400, tec...@protonmail.com wrote:
> > I had this exact issue a few days ago, I just re-partitioned to a
> > bigger size so not have to face the issue again as was a new install
> > anyway. But, sure would be nice to see this added. Thanks
> >   
> > > From: marko.cu...@mimar.rs
> > > - at the moment of writing this, there are 025 patches. If
> > > applying them all at once, they (perhaps needlessly) need quite
> > > some space in /tmp (my mfs for /tmp is 256m, and it got filled
> > > already at 012), as a result of (I guess)
> > > deleting /tmp/syspatch.XX only after all the patches are
> > > applied, or after /tmp gets filled up. Perhaps it is possible to
> > > flush /tmp earlier in the process (maybe after each patch is
> > > applied successfully)?  
> 
> Have you tried with -current? Here is a change from June that might be
> what you're looking for:
> https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/syspatch/syspatch.sh#rev1.108

That's it, thank you. Also rev1.108 appears to work on 6.1-release
without problems - I've just overwritten rev1.93 included in
6.1-release.
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: syspatch question

2017-08-08 Thread Marko Cupać
On Tue, 08 Aug 2017 13:14:43 +0200
Antoine Jacoutot <ajacou...@bsdfrog.org> wrote:

> I'll have a look at it thanks.

I'm aware that no one is going to optimize syspatch for my corner case,
but here are a few observations regarding my experience with it:
 - at the moment of writing this, there are 025 patches. If applying
   them all at once, they (perhaps needlessly) need quite some space
   in /tmp (my mfs for /tmp is 256m, and it got filled already at 012),
   as a result of (I guess) deleting /tmp/syspatch.XX only
   after all the patches are applied, or after /tmp gets filled up.
   Perhaps it is possible to flush /tmp earlier in the process (maybe
   after each patch is applied successfully)?
 - syspatch silently fails if it cannot contact the installurl server.
   Perhaps some warning could be added?

Best regards,
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



syspatch question

2017-07-31 Thread Marko Cupać
Hi,

first of all, thanx for syspatch. A one-liner to apply all the errata
patches instead of syncing source and rebuilding stuff is welcome on
my fleet of geographically remote OpenBSD firewalls running on PC
Engines' apu2d4, not only because of its speed and simplicity, but also
because of SD card wear minimisation.

Now, I know I'm in unsupported waters because I noticed this on a box
with only / mounted read-only, and /dev, /var and /tmp as writable mfs
file systems, described (warning! blatant self-promotion below!) here:
[https://www.mimar.rs/blog/how-to-increase-openbsds-resilience-to-power-outages]

...but the problem I am facing is that syspatch -l shows installed
patches up to 013:

pacija@zemun:~ $ doas syspatch -l
001_dhcpd
002_vmmfpu
003_libressl
004_softraid_concat
005_pf_src_tracking
006_libssl
007_freetype
008_exec_subr
009_icmp_opts
010_perl
012_wsmux
013_icmp6_linklocal

...whereas syspatch -c returns zero, while I guess it should return
014_libcrypto at the time of writing this. Another identical box which
was patched up to 012 shows correct information (-l up to 012, -c 013
and 014).

I'm not whining or anything, I trust my OpenBSD firewalls to be more
secure than any other solution out there even without these patches.
But maybe someone with more knowledge of syspatch finds this behaviour
worth investigating, even on unsupported setup.

Finally, my question: How does syspatch check current patchlevel? By
checking contents of /var/syspatch or some other way? I guess I'm
showing my ignorance here :)

Best regards,
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: OpenBSD IPSec setup

2017-06-29 Thread Marko Cupać
On Thu, 29 Jun 2017 12:32:01 +0200
Luescher Claude <starg...@tango.lu> wrote:

> Why are you using ipsec in the 21st century:

Because it is in OpenBSD base. Because, at least on OpenBSD, it
integrates great with the rest of the networking ecosystem (carp, sasync,
ospf, pf etc.). Because it has been paying my bills for more than a
decade now. Because my users are satisfied. Because my employers are
satisfied. Because I haven't encountered anything better for
site-to-site VPNs so far (I also use both OpenVPN and npppd for my road
warriors' needs).

I could go on.
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: PF packets being blocked...why?

2017-06-27 Thread Marko Cupać
On Mon, 26 Jun 2017 10:02:00 -0600
Steve Williams <st...@williamsitconsulting.com> wrote:

> Hi,
> 
> New install of OpenBSD 6.1 on apu2.  Love the little box.
> 
> I have em0 as the connection to the Internet and I bridged em1 and
> em2 together on 192.168.123.0.
> 
> I've been using OpenBSD since the 2.7 days, but have never run NAT so
> this is my first foray into that world.  I have followed the FAQ on
> "building a router" almost verbatim.  It's working fine, but I am
> seeing some packets blocked with no effect on browsing behind the
> OpenBSD box.
> 
> My ruleset:
> 
> # pfctl -sr
> match in all scrub (no-df random-id)
> match out on egress inet from ! (egress:network) to any nat-to (egress:0) round-robin
> block drop log quick from  to any
> block drop log quick from  to any
> block drop log all
> pass out quick inet all flags S/SA
> pass in on vether0 inet all flags S/SA
> pass in on em1 inet all flags S/SA
> pass in on em2 inet all flags S/SA
> pass in on egress inet proto tcp from any to (egress) port = 22 flags S/SA
> pass in on egress inet proto tcp from any to (egress) port = 993 flags S/SA
> pass in on egress inet proto tcp from any to (egress) port = 80 flags S/SA
> pass in on egress inet proto tcp from any to (egress) port = 443 flags S/SA
> 
> # tcpdump -n -e -ttt -i pflog0   # from the pflog man page
> Jun 26 09:45:54.241145 rule 4/(match) block in on vether0: 192.168.123.2.38022 > 216.58.216.165.443: P 0:1375(1375) ack 1 win 1805 (DF)
> Jun 26 09:45:54.701283 rule 4/(match) block in on vether0: 192.168.123.2.38022 > 216.58.216.165.443: P 0:1375(1375) ack 1 win 1805 (DF)
> Jun 26 09:45:55.623757 rule 4/(match) block in on vether0: 192.168.123.2.38022 > 216.58.216.165.443: P 0:1375(1375) ack 1 win 1805 (DF)
> Jun 26 09:45:57.460985 rule 4/(match) block in on vether0: 192.168.123.2.38022 > 216.58.216.165.443: P 0:1375(1375) ack 1 win 1805 (DF)
> Jun 26 09:46:01.150933 rule 4/(match) block in on vether0: 192.168.123.2.38022 > 216.58.216.165.443: P 0:1375(1375) ack 1 win 1805 (DF)
> Jun 26 09:46:08.522599 rule 4/(match) block in on vether0: 192.168.123.2.38022 > 216.58.216.165.443: P 0:1375(1375) ack 1 win 1805 (DF)
> Jun 26 09:46:47.479083 rule 4/(match) block in on vether0: 192.168.123.2.46549 > 172.217.3.206.443: P 4042174712:4042174735(23) ack 2564095917 win 1593 (DF)
> Jun 26 09:46:47.896295 rule 4/(match) block in on vether0: 192.168.123.2.53452 > 23.23.126.54.443: P 4003838125:4003838156(31) ack 2044539346 win 65535 (DF)
> Jun 26 09:46:47.896662 rule 4/(match) block in on vether0: 192.168.123.2.53452 > 23.23.126.54.443: R 31:31(0) ack 1 win 65535 (DF)
> Jun 26 09:46:47.896674 rule 4/(match) block in on vether0: 192.168.123.2.59762 > 216.58.216.163.443: P 113176577:113176608(31) ack 2619790719 win 1403 (DF)
> Jun 26 09:46:47.896685 rule 4/(match) block in on vether0: 192.168.123.2.59762 > 216.58.216.163.443: F 31:31(0) ack 1 win 1403 (DF)
> Jun 26 09:46:47.896711 rule 4/(match) block in on vether0: 192.168.123.2.39279 > 31.13.77.6.443: P 4254697166:4254697197(31) ack 2615144509 win 1545 (DF)
> Jun 26 09:46:47.896735 rule 4/(match) block in on vether0: 192.168.123.2.39279 > 31.13.77.6.443: R 31:31(0) ack 1 win 1545 (DF)
> 
> # pfctl -R 4 -sr
> block drop log all
> 
> It is not all https traffic that is being blocked, as I can hit my
> banking site, etc.  Does anyone have an idea why these packets are
> being blocked?

What happens when you remove the 'quick' keyword from the 'pass out' rule?
Does setting skip on lo make any difference?
Does reducing max-mss in the nat rule make any difference (mine is 1440)?
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
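A small diagnostic added here, not from the thread, that summarises pflog output in the format quoted above: it counts blocked packets per rule, interface and flow, and flags flows that were only ever blocked mid-stream (no SYN seen), which points at a missing pf state rather than at an explicit block rule. The sample lines are constructed and modelled on the ones in the thread.

```shell
#!/bin/sh
# Constructed sample lines in "tcpdump -n -e -ttt -i pflog0" format, modelled on
# the thread (addresses, ports and the rule-2 line are made up for illustration).
SAMPLE_PFLOG='Jun 26 09:45:54.241145 rule 4/(match) block in on vether0: 192.168.123.2.38022 > 216.58.216.165.443: P 0:1375(1375) ack 1 win 1805 (DF)
Jun 26 09:45:54.701283 rule 4/(match) block in on vether0: 192.168.123.2.38022 > 216.58.216.165.443: P 0:1375(1375) ack 1 win 1805 (DF)
Jun 26 09:46:47.896295 rule 4/(match) block in on vether0: 192.168.123.2.53452 > 23.23.126.54.443: R 31:31(0) ack 1 win 65535 (DF)
Jun 26 09:46:50.000000 rule 4/(match) block in on egress: 203.0.113.9.41000 > 198.51.100.2.22: S 1:1(0) win 65535
Jun 26 09:46:51.000000 rule 2/(match) block in on egress: 203.0.113.9.41001 > 198.51.100.2.23: S 1:1(0) win 65535'

# pflog_summary: read pflog lines on stdin and print one line per
# (rule, interface, src, dst) with the packet count and whether a SYN was
# ever seen for that flow.  A flow blocked only mid-stream (P/F/R with ack)
# by the catch-all "block drop log all" rule never matched a state, which
# is what "flags S/SA" pass rules imply: only the SYN can create one.
pflog_summary() {
    awk '
    /rule [0-9]+\/\(match\) block/ {
        rule = $5;  sub(/\/.*/, "", rule)     # "4/(match)" -> "4"
        iface = $9; sub(/:$/, "", iface)      # "vether0:"  -> "vether0"
        src = $10
        dst = $12;  sub(/:$/, "", dst)        # "1.2.3.4.443:" -> "1.2.3.4.443"
        flags = $13                           # S, P, F, R ...
        key = rule " " iface " " src " " dst
        count[key]++
        if (flags == "S") syn[key] = 1
    }
    END {
        for (k in count)
            printf "%s packets=%d %s\n", k, count[k],
                   (k in syn) ? "syn" : "MIDSTREAM-NO-STATE"
    }' | sort
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_PFLOG" | pflog_summary
```

Flows reported as MIDSTREAM-NO-STATE on an inside interface are the ones worth checking against the state table (pfctl -ss) and the suggestions above.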



Re: splassert: pool_put: want 0 have 4

2017-06-21 Thread Marko Cupać
On Tue, 20 Jun 2017 12:22:46 +0200
Martin Pieuchot <m...@openbsd.org> wrote:

> On 14/06/17(Wed) 16:56, Marko Cupać wrote:
> > On Tue, 13 Jun 2017 11:38:46 + (UTC)
> > Stuart Henderson <s...@spacehopper.org> wrote:
> >   
> > > Can you try "sysctl kern.splassert=2" to obtain a backtrace?
> > > 
> > > (This isn't on by default as there's a small risk of problems,
> > > though I run this on almost all my routers/firewalls and never
> > > had trouble from it).  
> > 
> > Here's the backtrace:
> > 
> > Jun 14 16:52:05 nat2 /bsd: splassert: pool_put: want 0 have 4
> > Jun 14 16:52:05 nat2 /bsd: Starting stack trace...
> > Jun 14 16:52:05 nat2 /bsd: pool_put() at pool_put+0x6b
> > Jun 14 16:52:05 nat2 /bsd: pipex_destroy_session() at pipex_destroy_session+0xe4
> > Jun 14 16:52:05 nat2 /bsd: pipex_timer() at pipex_timer+0x85
> > Jun 14 16:52:05 nat2 /bsd: timeout_run() at timeout_run+0x48
> > Jun 14 16:52:05 nat2 /bsd: softclock() at softclock+0x147
> > Jun 14 16:52:05 nat2 /bsd: softintr_dispatch() at softintr_dispatch+0x8b
> > Jun 14 16:52:05 nat2 /bsd: Xsoftclock() at Xsoftclock+0x1f
> 
> This has been fixed by yasuoka@ on May 28th.  Please try a new
> snapshot and report back if you still encounter similar problems.

Thanks for the info. Any chance of getting this as a (sys)patch? I'm tracking
binary -stable for my production, I'd rather not experiment with
snapshots as they tend to fix one thing while breaking another.
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/


