Re: [dera...@cvs.openbsd.org: Re: I would like to send this to misc@ and security-announce@, from me.]

2009-05-05 Thread Mischa Diehm
On Mon, May 04, 2009 at 01:38:16PM -0600, Bob Beck wrote:
   Look dude, that ftp site made something available before any of the
 second level mirrors were even opened up to other sites to retrieve
 it. Deliberate action was taken to release something early without
 mirroring it from a credible source. Judging by the contents, not all
 of it was exactly 4.5. This is cause for concern to anyone using the
 mirror. 

How many unofficial ftp servers are there on this dangerous
internet which have, might have or could have wrong packages? This is
what ftp.html is all about, right? Why is there a list of official
mirrors anyway?

   It's not like the operator of the site could have done this
 *accidentally* - This showed some kind of deliberate intent to release
 something early, and they obviously didn't seem too concerned if it
 was 100% correct. I don't know the reason, and I don't care to. All I know
 is that when we see it, that says danger. 

This is the German coast guard. We are thinking... That's ridiculous.
 
   Mirroring is based upon trust. Whoever's running that site obviously
 decided to go rogue and do something goofy.  I don't care who mirrors
 openbsd, but I expect them to actually mirror it through authorized
 channels, not put something up early that is deceptive to the users
 and potentially harmful.  When we *SEE* evidence of this being done, not
 telling the user community is simply irresponsible. 

great reasoning. Now I get it! The word I was missing is trust.
I almost forgot: In god we trust. Thanks for the reminder.

 * Mike Belopuhov mi...@lucifier.net [2009-05-04 04:55]:
  C'mon, ftp.kd86.com was delisted from the ftp.html page on Mon Apr 6.
  Can you just stop bashing Wim?  It doesn't make anyone happier (except
  Theo probably).  Or maybe we should rush searching the whole fscking
  internet for the incorrect OpenBSD mirrors?  Chill out, dudes.
  
  On Thu, Apr 30, 2009 at 11:21 -0600, Bob Beck wrote:

 Users are cautioned about rogue ftp sites claiming to have OpenBSD.

 The best place to get OpenBSD is from an official CD set, produced in
   a secured location

 It has come to our attention that some ftp sites (ftp.kd85.com) which
   are not official OpenBSD mirrors are purporting to serve OpenBSD 4.5
   at this time. We have noted that what is actually present in the 4.5
   directory is not 4.5, but rather a late development cycle snapshot which
   they have moved into place claiming it is 4.5. 

 While we have no problem with anyone mirroring OpenBSD for the good 
   of the user community, we do believe that people who offer up the wrong
   thing are being deceptive and will hurt the userbase - particularly when
   the packages being offered up are not the release versions. 

 Please ensure you look at http://www.openbsd.org/ftp.html when
   choosing to do an ftp install, and don't be fooled by someone phishing
   for your ftp traffic.
  
 
 -- 
 #!/usr/bin/perl
 if ((not 0 && not 1) != (! 0 && ! 1)) {
    print "Larry and Tom must smoke some really primo stuff...\n";
 }
 

-- 
Property entails obligations. Its use shall at the same time serve the
public good. (Art. 14 II GG)



IPsec Road Warrior question

2008-05-23 Thread Mischa Diehm

Hi,

Host A and Host B are connected through IPsec. Additionally we have road
warriors that directly connect to Host B. Unfortunately we cannot
define an IP range from where these road warriors connect, thus we have
to use the range "any".

/etc/ipsec.conf:

Host A:
ike esp from 192.168.1.1/24 to 10.1.0.0/16 \
local 1.1.1.1 peer  2.2.2.2 \
srcid foo.bar.com

Host B:
ike esp from 10.128.0.0/16 to 192.168.1.1/24 \
local 2.2.2.2 peer 1.1.1.1 \
srcid bar.foo.com

# Road Warrior
ike dynamic esp from 10.1.0.0/16 to any \
   main auth hmac-md5 enc 3des group modp1024 \
   quick auth hmac-md5 enc 3des group modp1024 \
   srcid bar.foo.com

Initial start and setting up of SAs works fine. We are facing problems
when Host A and B have to rekey (default 20 min). I see "Invalid Cookie"
messages and "NEGOTIATION Error" messages. We have an outage of a few
minutes after the old SAs have timed out. At some point the systems seem
to recover.

Can this problem occur because Host B has overlapping IP-Ranges within
the configuration? Is there a different way to configure this - e.g.
negated ranges like to !192.168.1.1/24?

Thx,
Mischa
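The overlap the question asks about can be checked mechanically. The following is an added example, not code from the original message or from OpenBSD's ipsecctl. It rebuilds the three flows exactly as posted (the addresses and ranges are the poster's; the helper names are mine) and assumes, as the two static flows above are written, that a peer must hold the same selector pair with src and dst swapped. For Host A's proposal it reports which flows on Host B overlap it and which match it exactly. It goes slightly beyond the post in that `report()` takes any flow list and any initiator, so the same check can be re-run from Host B's side or after a selector has been edited.

```python
"""Selector-overlap check for the ipsec.conf excerpt posted above.

Added example, not from the original message or from OpenBSD's ipsecctl.
It re-creates the three flows exactly as posted and reports which flows on
Host B match the selectors Host A proposes. The helper names are mine;
the addresses are the poster's.
"""
import ipaddress
from typing import List, NamedTuple, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


class Flow(NamedTuple):
    host: str                   # which host's ipsec.conf the flow comes from
    name: str                   # label used in the report
    src: ipaddress.IPv4Network  # "from" selector
    dst: ipaddress.IPv4Network  # "to" selector
    peer: Optional[str]         # None for "ike dynamic" (road warriors)


def net(s: str) -> ipaddress.IPv4Network:
    # The post writes a host address with a prefix length (192.168.1.1/24);
    # strict=False turns that into the network 192.168.1.0/24.
    return ipaddress.ip_network(s, strict=False)


# The flows as posted (constructed from the two ipsec.conf excerpts).
FLOWS = [
    Flow("A", "A<->B", net("192.168.1.1/24"), net("10.1.0.0/16"), "2.2.2.2"),
    Flow("B", "B<->A", net("10.128.0.0/16"), net("192.168.1.1/24"), "1.1.1.1"),
    Flow("B", "road warrior", net("10.1.0.0/16"), ANY, None),
]


def mirror(flow: Flow) -> Flow:
    """The selector pair the peer must hold for this flow: src and dst swapped."""
    return flow._replace(src=flow.dst, dst=flow.src)


def overlapping_flows(proposal: Flow, flows: List[Flow]) -> List[Flow]:
    """Flows on the other host whose src and dst both overlap the mirrored proposal."""
    want = mirror(proposal)
    return [f for f in flows
            if f.host != proposal.host
            and f.src.overlaps(want.src) and f.dst.overlaps(want.dst)]


def exact_flows(proposal: Flow, flows: List[Flow]) -> List[Flow]:
    """Flows on the other host whose selectors equal the mirrored proposal."""
    want = mirror(proposal)
    return [f for f in flows
            if f.host != proposal.host and f.src == want.src and f.dst == want.dst]


def report(flows: List[Flow] = FLOWS, initiator: str = "A") -> dict:
    """For every flow the initiator holds, list exact and overlapping peer flows."""
    out = {}
    for p in (f for f in flows if f.host == initiator):
        out[p.name] = {
            "proposes": f"{p.src} <-> {p.dst}",
            "exact": [f.name for f in exact_flows(p, flows)],
            "overlapping": [f.name for f in overlapping_flows(p, flows)],
        }
    return out


if __name__ == "__main__":
    for name, r in report().items():
        print(f"{name}: proposes {r['proposes']}")
        print(f"  exact match on peer:   {r['exact']}")
        print(f"  overlapping on peer:   {r['overlapping']}")
```

Run on the flows as posted, the only Host B flow that overlaps Host A's 192.168.1.0/24 <-> 10.1.0.0/16 proposal is the `ike dynamic ... to any` road-warrior flow; the static Host B flow, written with 10.128.0.0/16, does not overlap it at all, so there is no exact match. The check cannot tell whether that is what the hosts really run or a slip in transcribing the config into the mail; it only says which flow a responder would find for a given proposal.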



dhclient and numerous addresses on the same interface

2006-08-26 Thread Mischa Diehm
Hi,

we were trying to set up a filter machine behind a DSL router (the DSL router
does DHCP only, no static mapping), doing dhclient on its external
interface and at the same time having different networks routed over that
interface. When you have static addresses configured on the ext.
interface, every time you call dhclient and receive a new lease one
static address (the first one) gets rotated out of the list of addresses,
because dhclient-script calls ifconfig without "alias". dhclient does
take care of old leases in terms of deleting those addresses from the
interface list before setting a new address. For us the following change
fixed the issue:

[EMAIL PROTECTED]:dhclient$ ient/dhclient-script /sbin/dhclient-script
--- /usr/src/sbin/dhclient/dhclient-script  Wed Jul 26 22:28:50 2006
+++ /sbin/dhclient-script   Fri Aug 25 18:37:15 2006
@@ -34,7 +34,7 @@
inet $new_ip_address \
netmask $new_subnet_mask \
broadcast $new_broadcast_address \
-   $medium
+   alias $medium
 
# XXX Original TIMEOUT code did not do this unless $new_routers was set?
route add $new_ip_address 127.0.0.1 /dev/null 21
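Review bot: only the address-setting ifconfig call gets the `alias` keyword in this hunk, so the lease address is now added beside the static ones instead of replacing the first of them; the message says dhclient separately deletes the old lease before setting a new one, so the delete path (not shown here) should be checked to confirm it still removes only the previous lease address and never the interface's primary one, otherwise a static address is still lost on the next renew. Also, the diff is taken between `/usr/src/sbin/dhclient/dhclient-script` and the installed `/sbin/dhclient-script`, which means the fix lives in the installed copy only and the next upgrade or `make install` will overwrite it; propose the change against the source tree instead.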

With this, dhclient only cares about addresses it set itself and does not
delete the static IPs which we need on the interface. Is this something worth
fixing, or should there be an option in dhclient preventing it from deleting
static addresses and thus not breaking the actual (not very consistent)
behaviour?


Mischa