Re: Firewall setup

2024-04-14 Thread Michael Lambert
There is a typo on the second line of the martians definition (spurious comma 
and space).

Michael

> On Apr 14, 2024, at 11:09, Karel Lucas  wrote:
> 
> Hi all,
> 
> Everything about PF is all very confusing to me at the moment, so any help is 
> appreciated. So let's start simple and then proceed step by step. I want to 
> continue with ping so that I can test the connection to the internet. This 
> works: ping -c 10 195.121.1.34. But this doesn't work: ping -c 10 
> www.apple.com. As others have stated, I have a problem with using DNS servers 
> on the internet. The PF ruleset needs to be adjusted for this, but it is 
> still not clear to me how to do that. What else do I need to get ping to work 
> correctly? To get started simply, I created a new pf.conf file, see below.
> 
> 
> /etc/pf.conf:
> 
> ext_if = igc0  # The interface to the outside world
> int_if = "{ igc1, igc2 }"  # The interfaces to the private hosts
> localnet = "192.168.2.0/24"  # Hosts on the screened LAN
> 
> tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
> udp_services = "{ domain, ntp }"
> email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
> icmp_types = "{ echoreq, unreach }"
> icmp6_types = "{ echoreq, unreach }"
> nameservers = "{ 195.121.1.34, 195.121.1.66 }"
> client_out = "{ ssh, domain, pop3, auth, nntp, http, https, \
>   446, cvspserver, 2628, 5999, 8000, 8080 }"
> martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
> 10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
> 0.0.0.0/8, 240.0.0.0/4 }"
> 
> # Options:
> set block-policy return
> 
> set skip on lo
> 
> block log all  # block stateless traffic
> 
> # Normalize packets:
> match in all scrub ( no-df max-mss 1440 )
> 
> block in quick on $ext_if from $martians to any
> block out quick on $ext_if from any to $martians
> 
> # Letting ping through:
> pass log on inet proto icmp icmp-type $icmp_types
> pass log on inet6 proto icmp6 icmp6-type $icmp6_types
> 
> pass out all
> 
> 
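
A pre-flight lint for exactly the kind of slip pointed out above (added
example, not code from the thread or from OpenBSD). It joins the backslash
continuations in pf.conf text, pulls out a brace-list macro, and rejects any
entry that is not a complete dotted-quad IPv4 network with an optional /0-32
prefix. The stray comma in "169.254, 0.0/16" produces the two fragments
"169.254" and "0.0/16", and both fail. The embedded configuration is a
constructed copy of the posted martians macro; the macro name and the
sample file are the only assumptions. The authoritative check is still
pfctl -nf /etc/pf.conf, and pfctl -vnf shows how every entry was expanded.

```python
"""Pre-flight lint for address lists in pf.conf macros (added example, not
OpenBSD code).  Run pfctl -nf on the real file as the authoritative check."""
import re
from ipaddress import IPv4Network

# A macro of the form  name = "{ a, b, c }"  once backslash continuations
# have been joined into one logical line.
_MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"\{(.*?)\}"', re.MULTILINE | re.DOTALL)
# A complete dotted quad with an optional /prefix; octet and prefix ranges
# are checked by IPv4Network below.
_NET_RE = re.compile(r'\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?')

# Constructed sample: the posted martians macro, including the stray comma
# in "169.254, 0.0/16" (which should read 169.254.0.0/16).
SAMPLE_CONF = '''\
ext_if = igc0
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \\
10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \\
0.0.0.0/8, 240.0.0.0/4 }"
'''


def _join_continuations(text):
    """pf.conf continues a logical line with a trailing backslash."""
    return re.sub(r'\\\n', ' ', text)


def macro_list(conf, name):
    """Entries of the brace-list macro `name`, or None if there is no such macro."""
    for m in _MACRO_RE.finditer(_join_continuations(conf)):
        if m.group(1) == name:
            return [e.strip() for e in m.group(2).split(',') if e.strip()]
    return None


def bad_networks(entries):
    """Entries that are not a well-formed IPv4 network with a /0-32 prefix."""
    bad = []
    for e in entries:
        if not _NET_RE.fullmatch(e):
            bad.append(e)          # e.g. "169.254" or "0.0/16": too few octets
            continue
        try:
            IPv4Network(e, strict=False)   # rejects octets > 255 and /33 or longer
        except ValueError:
            bad.append(e)
    return bad


if __name__ == "__main__":
    for e in bad_networks(macro_list(SAMPLE_CONF, "martians")):
        print("martians: malformed entry %r" % e)
```

Point it at the real file with macro_list(open("/etc/pf.conf").read(),
"martians"); the same function works for any other brace-list macro of
addresses, such as localnet or nameservers.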



Re: Date of yesterday

2018-04-09 Thread Michael Lambert
> On 9 Apr 2018, at 16:34, Philip Guenther  wrote:
> 
> On Mon, Apr 9, 2018 at 11:58 AM, Stephane HUC "PengouinBSD" <b...@stephane-huc.net> wrote:
> 
>> get the current timestamp, subtracting 86400 seconds is not reliable to
>> get yesterday's date to the nearest second?
>> terrible!
> 
> 
> Yes, some days are 90000 seconds long.

But those make up for the days that are only 82800 seconds...
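
The point of the exchange, carried through in code (added example, not from
the original messages). Civil days around a DST change are 23 or 25 hours
long, so "now minus 86400 seconds" lands on the wrong calendar date once a
day. The zone below is modelled by hand, with the standard and daylight
offsets and the two 2018 transition instants of US Eastern time hard-coded
so the example runs without tzdata; the sample "now" and the three sample
dates are constructed. All arithmetic is done on UTC instants and converted
to wall-clock time only at the end.

```python
"""Why "now minus 86400 seconds" is not "yesterday" (added example)."""
from datetime import datetime, timedelta, timezone, date

STD = timedelta(hours=-5)   # standard offset (EST), assumed zone model
DST = timedelta(hours=-4)   # daylight offset (EDT)
# 2018 transitions as UTC instants: 02:00 EST on 2018-03-11 and 02:00 EDT on 2018-11-04.
DST_START = datetime(2018, 3, 11, 7, 0, tzinfo=timezone.utc)
DST_END = datetime(2018, 11, 4, 6, 0, tzinfo=timezone.utc)

# Constructed samples.
SAMPLE_NOW = datetime(2018, 3, 12, 4, 30, tzinfo=timezone.utc)  # 00:30 local, day after spring-forward
SHORT_DAY = date(2018, 3, 11)   # 23-hour day
LONG_DAY = date(2018, 11, 4)    # 25-hour day
PLAIN_DAY = date(2018, 6, 1)    # ordinary 24-hour day


def offset_at(utc_dt):
    """UTC offset in force at a UTC instant."""
    return DST if DST_START <= utc_dt < DST_END else STD


def to_local(utc_dt):
    """Naive local wall-clock time for a UTC instant."""
    return (utc_dt + offset_at(utc_dt)).replace(tzinfo=None)


def local_midnight_utc(d):
    """UTC instant of local midnight starting date d (midnight is never in the DST gap)."""
    wall = datetime(d.year, d.month, d.day)
    for off in (STD, DST):
        candidate = (wall - off).replace(tzinfo=timezone.utc)
        if offset_at(candidate) == off:      # offset consistent with the instant it yields
            return candidate
    raise ValueError("no consistent offset for midnight of %s" % d)


def day_length_seconds(d):
    """Seconds of civil time in local date d: 82800, 86400 or 90000 in this zone."""
    nxt = local_midnight_utc(d + timedelta(days=1))
    return int((nxt - local_midnight_utc(d)).total_seconds())


def yesterday_by_seconds(now_utc):
    """The unreliable method: subtract 86400 s, then read off the local date."""
    return to_local(now_utc - timedelta(seconds=86400)).date()


def yesterday_by_calendar(now_utc):
    """The reliable method: take today's local date, then step back one day."""
    return to_local(now_utc).date() - timedelta(days=1)


if __name__ == "__main__":
    print("local now     :", to_local(SAMPLE_NOW))
    print("86400 s method:", yesterday_by_seconds(SAMPLE_NOW))
    print("calendar      :", yesterday_by_calendar(SAMPLE_NOW))
    for d in (SHORT_DAY, PLAIN_DAY, LONG_DAY):
        print(d, day_length_seconds(d), "seconds")
```

At 00:30 local on the morning after the spring-forward, the subtraction
gives two days ago; the date arithmetic gives the day before. The same
failure appears in cron jobs and log-rotation scripts that compute
"yesterday's" file name from an epoch time.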



Re: non-wintel hardware choices

2016-05-06 Thread Michael Lambert
> On 5 May 2016, at 19:52, Bryan Everly  wrote:
>
> Unfortunately PA-RISC doesn't have X support at the console. You can
> run X on it and have the Windows render on a SPARC, MIPS or Intel
> platform though.

Neither does Alpha (AXP).  Does anyone know if there are blockers in building
xenocara on these platforms or there just isn't enough interest for anyone to
try seriously?

Thanks,

Michael



Re: if I were to make a pkg-add diff

2016-01-20 Thread Michael Lambert
> On 19 Jan 2016, at 03:57, Erling Westenvik wrote:
>
>> On Tue, Jan 19, 2016 at 01:26:15AM -0600, Luke Small wrote:
>> then it changes all the parsed http and ftp mirrors into http and ftp
>> downloads and changes them to non redundant http mirrors (it has to to
>> easily call ftp on it). It takes them and downloads SHA256 from the
>> mirrors and the parent times how long it takes. If it takes too long
>> it kills the ftp call and goes on to the next one. Then it sorts the
>> results and puts the winner in /etc/pkg.conf
>
> So the program basically makes several network connections to
> potentially some 120 servers all across the world and the "winner" is
> calculated based on the "speed" it took downloading a 1.9K text file
> from each of them?

Which isn't even a big enough transfer to get TCP out of slow start.

Michael



Re: multicast via non-primary interface

2013-05-20 Thread Michael Lambert
On 20 May 2013, at 15:35, unk wrote:

 bash-4.2$ sudo sysctl net.inet.ip.mforwarding=1
 Password:
 net.inet.ip.mforwarding: 0 - 1
 bash-4.2$ ./mcast
 mcast: sendto: No route to host
 
 so, this does not help.

pf isn't blocking 224.0.0.0/4?



Re: Get total size of all files in directory using unit Bytes?

2013-03-04 Thread Michael Lambert
On 4 Mar 2013, at 10:02, f5b wrote:

 Maybe because we come from the Windows system.
 In Windows, summing files' sizes in bytes is a simple, quick way to check if 
 thousands of files are modified/synced/the same, although not accurate.

openssl {md5|sha1|...} *
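
The two checks side by side (added example, not from the thread). Two
constructed directory trees are written to a temporary directory with the
same file names and the same total byte count, but one byte differs in a
rules file. The size total, the quick check described above, cannot tell
them apart; a per-file SHA-256 manifest, which is what the suggested
openssl run produces, pinpoints the changed path. File names and contents
are made up for the example.

```python
"""Summing file sizes is not an integrity check (added example)."""
import hashlib
import os
import shutil
import tempfile


def total_size(root):
    """Sum of file sizes under root: the quick check that cannot see an edit."""
    return sum(os.path.getsize(os.path.join(dirpath, f))
               for dirpath, _, files in os.walk(root) for f in files)


def manifest(root):
    """{relative path: sha256 hex} for every regular file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            path = os.path.join(dirpath, f)
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            out[rel] = h.hexdigest()
    return out


def build_trees():
    """Constructed sample: same names and sizes, one byte changed in tree b."""
    base = tempfile.mkdtemp(prefix="sizecheck-")
    roots = {}
    for name, rules in (("a", b"accept from 10.0.0.0/8\n"),
                        ("b", b"accept from 10.0.0.0/9\n")):   # same length, different content
        root = os.path.join(base, name)
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "rules.conf"), "wb") as fh:
            fh.write(rules)
        with open(os.path.join(root, "README"), "wb") as fh:
            fh.write(b"unchanged\n")
        roots[name] = root
    return base, roots["a"], roots["b"]


def compare(a, b):
    """(sizes_equal, manifests_equal, sorted list of paths whose digest differs)."""
    ma, mb = manifest(a), manifest(b)
    changed = sorted(p for p in set(ma) | set(mb) if ma.get(p) != mb.get(p))
    return total_size(a) == total_size(b), ma == mb, changed


def demo():
    """Build the sample trees, compare them, clean up, return compare()'s tuple."""
    base, a, b = build_trees()
    try:
        return compare(a, b)
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    sizes_equal, manifests_equal, changed = demo()
    print("size totals equal:", sizes_equal)
    print("manifests equal  :", manifests_equal)
    print("changed paths    :", changed)
```

Store manifest() output for the known-good tree and diff against it later;
that is the same idea as running openssl sha256 over the files and keeping
the list.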



Re: OpenBGP - iBGP peers not announcing after 3 hops

2013-02-04 Thread Michael Lambert
On 4 Feb 2013, at 10:36, Peter Hessler wrote:

 make iBGP2 a route server.

I think this would be a route reflector since you're dealing with iBGP.

Michael



Medialink USB WiFi

2013-01-28 Thread Michael Lambert
Does anyone have experience with the Medialink MWN-USB150N USB 802.11g/n 
adapter?  It allegedly uses the Ralink RT3070 chipset, which appears to be 
supported by the run(4) driver.

Thanks,

Michael



Re: named not answer on external query

2013-01-17 Thread Michael Lambert
On 17 Jan 2013, at 06:44, lilit-aibolit wrote:

 On 01/17/2013 11:27 AM, Vadim Zhukov wrote:
 
 At first, find where the flow gets stopped: enable debug logging on resolver 
 and add match log (matches) to port 53 rule as first one in your firewall. 
 Then probably you'll see the problem yourself.

 match log on $ext_if inet proto udp to port 53

Don't you want:

match log on $ext_if inet proto {tcp, udp} to port 53

Michael



Re: Q: username policy in install and in adduser

2012-08-13 Thread Michael Lambert
On 13 Aug 2012, at 09:20, Eike Lantzsch wrote:

 The choice of usernames during OBSD install is more restrictive than adduser.
 For example install does not allow capital letters in usernames.
 I read up the facts but I'd like to know the reasons.

 I do not seem to find an answer to my question: What benefit is there in not
 using capital letters in usernames?
 1) usability-wise (I can imagine)
 2) security-wise?
 3) administration-wise
 4) programming reasons of the installer?

Historically, entering a username beginning with a capital letter turns off
lower-case support.  The assumption is that the terminal is upper-case only
(some of us have used them).

Michael



Re: problem in fstab

2012-07-24 Thread Michael Lambert
On 24 Jul 2012, at 13:16, HvN wrote:

 I booted into single user mode, mounted / and /usr according to FAQ 8. 
 However, when I try to use vi to change fstab, it says unknown terminal 
 type. Any suggestions ?

Use ed(1) to edit?



Re: OpenBSD as IPv4+6 gateway

2012-06-21 Thread Michael Lambert
On 21 Jun 2012, at 18:04, Mark Felder wrote:

 The provider shouldn't be using a /64 for the link net. That means your
 router is getting the broadcasts from everyone else on that link net. The
 provider should be setting aside something like a /64 for link nets and
 actually be giving you /126s.

There is a school of thought that says point-to-point links should be
allocated /64s, just like LAN subnets.  Not everyone agrees.  I like /120s to
keep things octet-aligned for reverse DNS.

Michael
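
Why the alignment matters for reverse DNS, worked through (added example,
not from the thread). ip6.arpa delegates one nibble, four bits, per label,
so a prefix can be handed out as a single reverse zone only when its length
is a multiple of 4. A /64 and a /120 both qualify; a /126 does not, and its
PTR records have to live in the zone of the enclosing /124. The addresses
are constructed from the 2001:db8::/32 documentation prefix.

```python
"""ip6.arpa zone names for IPv6 prefixes of different lengths (added example)."""
from ipaddress import IPv6Network, IPv6Address


def reverse_zone(net):
    """ip6.arpa zone that exactly covers `net`, or None when the prefix length
    is not nibble-aligned and so cannot be a single reverse zone."""
    net = IPv6Network(net, strict=False)
    if net.prefixlen % 4:
        return None
    nibbles = net.network_address.exploded.replace(":", "")   # 32 hex digits
    keep = net.prefixlen // 4                                 # nibbles that make up the prefix
    return ".".join(reversed(nibbles[:keep])) + ".ip6.arpa."


def smallest_delegatable(net):
    """The nibble-aligned prefix enclosing `net`: what must actually be
    delegated to hold the PTRs of, say, a /126 link."""
    net = IPv6Network(net, strict=False)
    return net.supernet(new_prefix=net.prefixlen - net.prefixlen % 4)


def ptr_name(addr):
    """Full PTR owner name for one address (all 32 nibbles reversed)."""
    nibbles = IPv6Address(addr).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


if __name__ == "__main__":
    for prefix in ("2001:db8:0:1::/64", "2001:db8:0:1::/120", "2001:db8:0:1::4/126"):
        zone = reverse_zone(prefix)
        if zone is None:
            print(prefix, "-> no exact zone; delegate", smallest_delegatable(prefix))
        else:
            print(prefix, "->", zone)
    print("2001:db8::1 ->", ptr_name("2001:db8::1"))
```

The /120 zone has exactly 30 nibble labels, the /64 zone 16; the /126 falls
back to the /124 zone, where three other /126 links would share the same
delegation.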