Re: CARP and VRRP compliance

2024-02-13 Thread Philipp Buehler

Am 13.02.2024 19:07 schrieb Samuel Jayden:

Also I've another question:
Is it feasible to achieve CARP and VRRP interoperability through a
user-space application?


One step back.. you're looking for using one cisco router and one
OpenBSD box as a redundant pair? I've no idea and in over 20y I did
not consider doing this.

If you think about how an OpenBSD pair (failover/load between themselves)
and "on the other side" a Cisco pair using VRRP (acting between themselves),
I can tell that this works w/o having a stamped letter with some crayon on it.



--
pb



Re: OpenBSD: CI/CD alternatives

2023-11-20 Thread Philipp Buehler

Am 20.11.2023 14:15 schrieb Nowarez Market:

Preface, I have some simple expectations: be able to do
something like artifact configuration and deployment from my local
settings (OpenBSD) to the cloud (Linux, testing or production whatever).


Do you have any suggestion about a good (non commercial) software?


Not sure I understand what's requested between rant and want.

anyhoo: "laminar" - where freebsd support is coming up
https://github.com/ohwgiles/laminar/issues/169
issue is on compiler side/stub so that could likely go 1:1 for openbsd in my eyes.




PS: still this stupid reply-to. replying for the sake of misc@ - not your "lols".

--
pb



Re: Default rdomain for CLI commands

2023-10-23 Thread Philipp Buehler

Am 24.10.2023 03:08 schrieb Andy Lemin:

So I have to run;
‘route -T0 exec syspatch’ for example.


but 0 is the "default"!?

How do I set/override the default rdomain for system level CLI commands?


route -T9 exec /bin/ksh

everything in that shell will be in rdomain 9


HTH,
PS: or tmux ..
--
pb



Re: I would like help matching my outgoing domains to the right IP for smtpd

2023-08-11 Thread Philipp Buehler

Am 12.08.2023 03:13 schrieb Chris Bennett:

I can't figure out how to match the outgoing mails to the correct IP/mx
they are coming from. Just one server, different A records for the mx
versus domain name.


Difficult to understand what you're trying there...
I kinda understand that you have multiple IP-addresses on that smtpd
machine and need to send from a "correct" one?
If so, check back that 'action' with a relay delivery has a 'src' option.


HTH,
--
pb



Re: I need help to see if I can reboot new network OK. Wild misadventures with non-OpenBSD support and bad IPMI

2023-07-29 Thread Philipp Buehler

Am 29.07.2023 21:29 schrieb Chris Bennett:

The other IP's are randomly missing or give this:

link#2 UHLc   0  450 - 3 em1

Each route flush; sh -x /etc/netstart or a reboot changes the result.


Oh, you need an alias for each IP that should be bound on em1
so, like:
# cat /etc/hostname.em1
inet 103.103.103.170/29
inet alias 103.103.103.171/32
inet alias 103.103.103.172/32
inet alias 103.103.103.173/32
inet alias 103.103.103.174/32

# cat /etc/mygate
103.103.103.169

mygate and netstart has a manpage, as there is 'hostname.if' to read :)

PS: pointless to use '-x'; just a lot of debug noise

--
pb



Re: I need help to see if I can reboot new network OK. Wild misadventures with non-OpenBSD support and bad IPMI

2023-07-29 Thread Philipp Buehler

Am 29.07.2023 20:04 schrieb Chris Bennett:

inet 103.103.103.168/29


That's wrong, you put the "first" IP-address you want to
use/have on em1. So that would be 170/29

(168 is this network's BSD-broadcast or "net address")



/etc/mygate is
103.103.103.169

Cannot foresee what your ISP provides as the gateway, but
likely that's correct.

All names (hosts, myname) are not directly relevant to IP networking.
Do not put names in mygate (just a sidenote).



ifconfig gave 103.103.103.168 as the IP address
route -n show gave 103.103.103.168 as the gateway.

Likely a config from the erroneous hostname.if entry, see above.



I did not change or remove what's in /etc/hostname which is at
103.103.103.170. Does that matter?

hosts I assume? That might be relevant to apache, but not the
networking (reachability) itself.

--
pb



Re: I need help to see if I can reboot new network OK. Wild misadventures with non-OpenBSD support and bad IPMI

2023-07-28 Thread Philipp Buehler

Moin Chris,

Am 29.07.2023 04:17 schrieb Chris Bennett:

The network is 108.181.26.176/28.

Right now, the first IP is 108.181.26.178 and the last regular address is
108.181.26.190, which might be wrong. I'm too tired to read any more
man pages or web pages. I needed more than 2hrs of sleep.
I'm super worn out, so forgive my mistakes.

Any help appreciated. I don't want the next syspatch reboot to fail.


To save mindboggling counting of 'f' or similar, just write this to
/etc/hostname.em1

inet 108.181.26.178/28

The ifconfig called from netstart will figure it out ;-) That's a
heads-up for everybody, so cc misc@.


The current ifconfig em1 shows a bit wild setup for 108.181.26.179; but that
is likely unintended and the wrong mask/bc will be gone with the above setting.


The route output shows several hosts in 108.136/108.137 ranges where there
is no corresponding setup given.

But to reach the system via 108.181.26.178 again, this looks sound.

HTH,
--
pb

PS:
tyo# cat /etc/hostname.vlan1
vlandev vio0
inet 108.181.26.178/28
tyo# sh /etc/netstart vlan1
tyo# ifconfig vlan1
vlan1: flags=8843 mtu 1500
lladdr fe:e1:bb:6e:63:36
index 7 priority 0 llprio 3
encap: vnetid none parent vio0 txprio packet rxprio outer
groups: vlan
media: Ethernet autoselect
status: active
inet 108.181.26.178 netmask 0xfff0 broadcast 108.181.26.191
PPS: to check quickly on reachability of a gateway directly:
ping -I 108.181.26.178 -t 1 108.181.26.177
and check arp table accordingly
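The two messages above both come down to the same arithmetic: which address in "addr/prefix" is the network address, which is the broadcast, and what range is left for hosts (the 168/29 mistake in the earlier message, and the "let ifconfig count the f's" advice here). The following Python example is added here and is not part of the thread; it uses only the standard ipaddress module and the addresses quoted above, and it flags the two addresses a hostname.if line must not carry (except for /31 and /32 alias lines, which have no separate network or broadcast address):

```python
import ipaddress


def describe(cidr):
    """Derive what ifconfig(8) works out from a hostname.if line such as
    'inet 108.181.26.178/28': network, netmask, broadcast and usable hosts."""
    iface = ipaddress.ip_interface(cidr)
    net = iface.network
    # hosts() is empty for very small prefixes on older Pythons; fall back
    # to the single address so first/last are always defined.
    hosts = list(net.hosts()) or [net.network_address]
    return {
        "address": str(iface.ip),
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "netmask_hex": "0x%08x" % int(net.netmask),
        "broadcast": str(net.broadcast_address),
        "first_usable": str(hosts[0]),
        "last_usable": str(hosts[-1]),
        "usable_count": len(hosts),
    }


def is_network_address(cidr):
    """True when the host bits are all zero (the 'net address')."""
    iface = ipaddress.ip_interface(cidr)
    return iface.ip == iface.network.network_address


def is_broadcast_address(cidr):
    """True when the host bits are all one (the broadcast address)."""
    iface = ipaddress.ip_interface(cidr)
    return iface.ip == iface.network.broadcast_address


def check_hostname_if(cidr):
    """Return the problems an 'inet addr/prefix' line would cause; an empty
    list means the address is a usable host address of its own network."""
    net = ipaddress.ip_interface(cidr).network
    # /31 and /32 (point-to-point links, 'inet alias x/32' lines) reserve
    # nothing for network or broadcast, so there is nothing to check.
    if net.prefixlen >= net.max_prefixlen - 1:
        return []
    problems = []
    if is_network_address(cidr):
        problems.append("%s is the network address of %s" % (cidr, net))
    if is_broadcast_address(cidr):
        problems.append("%s is the broadcast address of %s" % (cidr, net))
    return problems


if __name__ == "__main__":
    # Addresses from the thread: the /28 from this message and the /29
    # (wrong .168, corrected .170) from the earlier one.
    for cidr in ("108.181.26.178/28", "103.103.103.168/29", "103.103.103.170/29"):
        info = describe(cidr)
        print("%-20s net %s bcast %s hosts %s-%s (%d) mask %s"
              % (cidr, info["network"], info["broadcast"], info["first_usable"],
                 info["last_usable"], info["usable_count"], info["netmask_hex"]))
        for p in check_hostname_if(cidr):
            print("  PROBLEM:", p)
```

For the /29 the usable range comes out as .169 to .174, which is exactly the gateway in /etc/mygate plus the five addresses (.170 primary, .171 to .174 as /32 aliases) the earlier message puts into hostname.em1.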



Re: Concise passage in OpenBSD documentation about motivation

2023-07-18 Thread Philipp Buehler

Am 18.07.2023 19:26 schrieb Ibsen S Ripsbusker:

Dear colleagues,

About 20 years ago I read in some OpenBSD documentation, likely the
installation instructions, that we want people to copy our OpenBSD even
if to use it even in proprietary products, because the alternative is
that incompetent people write their own software instead of copying and
then the users suffer. I found this particular passage to be very well
written. Does someone know where I might find this wonderful passage?


Maybe you recall lyrics from 4.2 release (or remotely 3.6) here?
http://www.openbsd.org/lyrics.html#42

--
pb



Re: Possible typo in pf NAT FAQ

2023-06-19 Thread Philipp Buehler

Am 18.06.2023 20:35 schrieb Stephan Neuhaus:


Here you can see that the "from" part is what the
above description calls the src_addr, not the
ext_addr, as it claims. This makes much more sense and
is consistent with all the other documentation that
I've seen.


The "match" is rewriting to ext_addr from src_addr the moment it... matches.

Thus the f'up pass rule is working on ext_addr.

HTH,
--
pb



Re: mail command - change "from address" for Charlie Root

2023-05-06 Thread Philipp Buehler

Am 06.05.2023 02:03 schrieb Nino Sidoti:

Hello,
I am trying to work out how to change the “From address” for when the
daily output reports are run. I want to use a real email address
rather than the default of Charlie Root “root@hostname”.


It takes the name from /etc/passwd. See vipw(8) for changing it.

--
pb



Re: OpenBSD with GRUB2

2023-05-04 Thread Philipp Buehler

Am 04.05.2023 09:31 schrieb Luca Di Gregorio:

To be honest, I don't know if the modification of GRUB in Debian is 
needed.

Or, installing with Whole disk MBR (w) is enough.
But it works, OpenBSD is automatically started at reboot.


The modification in grub configuration would make it possible to boot
into the installer via grub menu. Your logbook doesn't make use of that; you
just go via grub console again.

For the persistency of the then installed OpenBSD there is installboot(8), and so
to make EFI/BIOS find the bootloader again, you needed "Whole disk" (as Benjamin
already wrote).

In short: grub console OR grub.conf to boot the installer bsd.rd, and "whole disk"
to wipe all debian/grub parts and make installboot write to the correct location.


HTH,
--
pb



Re: IPv6 chellange and OpenBSD

2023-02-16 Thread Philipp Buehler

Am 16.02.2023 08:27 schrieb Daniele B.:

3) Can you advise about hosting providers in terms of managed VPS with
OpenBSD, in North America and Europe?


For some years now with https://transip.eu - spotless IPv6 and OpenBSD
included. The web/vnc console just works, too.

I think I had only one (maybe two) involvements with their support,
super quick and competent.

As of now they "only" offer 7.1, but sysupgrade is so easy...

HTH,
--
pb



Re: amd64 vmm(4) virtual machine "powers off" instead of rebooting when started with "-B disk"

2022-12-29 Thread Philipp Buehler

Am 29.12.2022 15:40 schrieb Jurjen Oskam:

From the host dmesg I noticed the following line:


It has been this way since day-1 of -B -- unclear if you want to call
it expected, feature or bug :-)

Noticed this early on the vagrant+packer works.. -B is adhoc and
thus vmd is not aware of it after the process ends..


--
pb



Re: pf question - antispoof and loopback

2022-12-23 Thread Philipp Buehler

Am 22.12.2022 21:37 schrieb J Doe:

set skip on lo0
. . .
antispoof quick for $ext_if


This one will be faster (a tad) if you do not plan for more
detailed filtering (and who does so on lo0 besides the
esoteric ones).

ciao
--
pb



Re: pf question - set skip on wildcards ?

2022-12-13 Thread Philipp Buehler

Am 13.12.2022 22:11 schrieb J Doe:

set skip on !$ext_if

... with the idea that this skips all interfaces (virtual or
otherwise) _EXCEPT_ em0, which is the real Ethernet NIC that I want to
perform filtering on ?


Yes, but likely to need a space between ! and $.

ciao
--
pb



Re: pf question - set skip on wildcards ?

2022-12-12 Thread Philipp Buehler

Am 13.12.2022 06:02 schrieb J Doe:

set skip on { lo0, vif* }


in pf.conf(5) the GRAMMAR shows:
 ifspec = ( [ "!" ] ( interface-name | interface-group ) ) |
  "{" interface-list "}"

So you could do "set skip on { lo0 vif0 vif1 }" for explicit, or you
use interface-group, alas "set skip on vif". If that "one" interface
is e.g. vif7 within vif(4) this MIGHT go: "set skip on { vif !vif7 }".

HTH,
--
pb



Re: A minimal browser in base

2022-09-10 Thread Philipp Buehler

Am 10.09.2022 21:29 schrieb Stuart Henderson:

With the web as it is, I can't see a text-mode browser as being
comfortable for day-to-day desktop usage. In addition, some of the gui
browsers have some degree of process separation and jailing, and active
enough development there's a better chance to find and fix fixed more
quickly which seems not the case with the text-mode browsers.


maybe thinking of a headless/non-X server where "checking" the FAQ (as
the example was given) .. i really like the idea - before someone starts
piping HTML into pandoc (or rewrites the FAQ in mandoc to render .html,
oh wait...)

ciao
--
pb



Re: Mutt cannot sent mail in OpenBsd

2022-07-08 Thread Philipp Buehler

Am 08.07.2022 15:49 schrieb Dave Voutila:


$ openssl s_client -showcerts -servername mail.thinkerwim.org -connect
mail.thinkerwim.org:587


`-starttls smtp` helps a lot. The cert is there (also on :25 ftm) and signed by LE.


The rub is that the mutt client machine does not know that issuer; see the
openssl documentation for how to do this.

HTH
--
pb



Re: Historical Reasons For Default NAT Source Port Modification

2022-05-16 Thread Philipp Buehler

Am 16.05.2022 10:20 schrieb Elias Carter:


One possible advantage of randomizing source ports is that it helps
prevent fingerprinting of the devices behind the NAT? Are there any
other reasons?


Back in the days outgoing (tcp) connections had predictable port numbers,
sequence numbers, time based stamps of kinds and so on. This did change
like "let's random all the things" and this was not only against fingerprinting
but actual hijack/connection killing attacks.

So I cannot tell (recall) but randomizing in nat-to will bring those attacks
down even for "naive" stacks sending from behind the pf gateway.

I cannot recall many applications from 20y ago that have been very keen
on sending from certain ports (besides IKE already mentioned by JJ).

This "pattern" came in later on with "let's udp all the things" ;-)

HTH,
--
pb



Re: Another kernel fault incident on a Vultr OpenBSD VM

2022-04-15 Thread Philipp Buehler

Am 16.04.2022 01:31 schrieb open...@maniaphobic.org:

the representative told me, "OpenBSD has very
special configurations that are required on our end to work properly
with our virtualization software". It lowers my confidence in Vultr as
a reliable OpenBSD host.


Crucial question (likely on behalf all of those looking):
* and WHAT configuration is that? *

regards,
--
pb



Re: ipsec traffic is dropped between two machines

2022-03-21 Thread Philipp Buehler

Am 21.03.2022 19:04 schrieb rea...@catastrophe.net:
The flows look correct in the SA table on server-west and traffic leaves on
enc0, hits vio0 on server-east as ESP traffic, but then is dropped. Again,
only when I also start a ping on server-east (10.254.255.1) to server-west
(10.255.255.1) does the original ping session see replies.


Out of balance / asymmetric rule set not generating needed state.


server-west PF rule:
-
@73 pass log quick on enc0 all flags S/SA tagged VPN.EAST


server-east PF rule:
-
@58 pass log quick on enc0 all flags S/SA tagged VPN.WEST


enc(4) is an observer interface and not meant to take pf rules besides
"set skip on enc0" :-)


Check back your actual interfaces (vio0..) for ESP traffic allowance.
The '@73' and '@58' already indicate a major difference, so check for
'pass ... proto esp'.


HTH,

--
pb



Re: Issue with relayd and redirections

2020-07-12 Thread Philipp Buehler

Am 13.07.2020 07:08 schrieb Gabri Tofano:

"Redirections cannot reflect packets back through the interface they
arrive on, they can only be redirected to hosts connected to different
interfaces or to the firewall itself."




- Keep my current configuration with HAproxy
- Add another network interface to the box and configure an additional
network to it (it might be tricky when deploying a droplet with a direct
public IP address)
- Migrate to relayd relays and give up with SSL passthrough (with the
benefit of SSL offloading if want to implement it)


There's a "workaround" also mentioned in pf.conf(5) which also works with
relayd inserted rdr-rules, e.g.
pass out quick on vlan99 proto tcp to 192.168.89.13 received-on vlan99 nat-to 192.168.89.1

vlan99 has 'inet 192.168.89.1/24' and 192.168.89.13 is the relayd rdr "target".


HTH,
--
pb



Re: OpenBSD in the news...from a long time ago

2020-06-13 Thread Philipp Buehler

Am 13.06.2020 09:29 schrieb jungle boogie:

Hi,

Here's an old news clip about OpenBSD many folks haven't seen or have
forgotten about. I don't know what year it's from or the hackathon
that was taking place. Maybe someone can fill us in on the details?


I can see a pf2k4 Tshirt as "newest".. might be 2005/2006.

--
pb



Re: pfsync interface in carp group

2020-06-08 Thread Philipp Buehler

Am 08.06.2020 00:29 schrieb Paul B. Henson:

However, for only two firewalls, when you're using the syncpeer
directive for the pfsync interface, it seems it would be better not to
default to belonging to the carp group? With only two firewalls, if
one of them has broken synchronization, so does the other, so is there
any real point in trying to migrate away from the one that's currently
master?


Hi,

did you follow some "howto" and set net.inet.carp.preempt=1?

ciao
--
pb



Re: one-character expansion in shell

2020-05-06 Thread Philipp Buehler

Am 06.05.2020 15:54 schrieb Ingo Schwarze:

Your misunderstanding is that file names consist of characters.
They do not.  They consist of bytes, and to match two bytes,
you need two question marks.


One can hold for the OP; the ksh(1) manpage talks about
"characters" in 'File name patterns' throughout.

Just two bytes ;-)
--
pb



Re: combining macro with interface modifiers in pf.conf

2020-01-25 Thread Philipp Buehler



Hey Paul,

Am 25.01.2020 11:43 schrieb Paul de Weerd:

block in on $IntIF inet proto { tcp, udp } from $IntIF:network to ! $IntIF:0 port domain
block in on $IntIF inet6 proto { tcp, udp } from $IntIF:network to ! $IntIF:0 port domain


I just tested this with "IntIF=vio0" and works on 6.6-stable.

Is there more in the story, like concat macros, quotes in quotes or others along that?


ciao
PS: tested on oldest I could find, 5.5, also works
--
pb



Re: Ipsec with NAT on phase 2

2020-01-16 Thread Philipp Buehler

Am 15.01.2020 18:50 schrieb Dante F. B. Colò:

Hello everyone

I maintain some ipsec gateway using isakmpd on OpenBSD no problem at
all, but i need to setup a new one but now with NAT on phase 2 , is
this possible with iked or isakmpd ?


outgoing NAT is like this:
http://man.openbsd.org/ipsec.conf#OUTGOING_NETWORK_ADDRESS_TRANSLATION

--
pb



Re: Awaiting a diff [was: Re: File systems...]

2020-01-09 Thread Philipp Buehler

Am 09.01.2020 16:10 schrieb Ingo Schwarze:

https://www.youtube.com/watch?v=HTD9Gow1wTU


And Bob gave a talk about VFS hacking at the very same
event. Might be an eye-opener for those "proposing to help".
https://www.youtube.com/watch?v=rVb8jdlP4gE
(somehow the slides didn't make it to /papers/?)



Cool, i wasn't even aware of thib@'s talk back then.  That was the
very first year i ever took part in a hackathon, and it wasn't that


And I wasn't aware the 3-line-diff joke is at least that old.. hmm :)

Anyway.. at c2k3 (or was it 2004?) I was looking
into porting linux ciss(4) driver to OpenBSD naively.
As a more or less young gun back then: "all driver code is there, just
some... interfaces and be done!". Nope.

Well, you cannot hack storage/disk drivers without some VFS
knowledge.. mickey@ (bless him!!), art@ and niklas@ walked me
through some of that but hell.. what did I know.
Long story short: even with help and lotsa beer I ended up with
empty hands. (eventually mickey did the "port" 1-2y later (by manpage 3.8)


So for the "aah, can't be that hard" crowd: it IS a bloody messy
place (even IF you rip NFS out of it). I'd say hacking in this
area (arena..) requires years of experience to produce something
that can go into the tree.

In other news.. ah no, cut it.

HTH,
--
pb



Re: password-less user (without bothering security(8))?

2019-12-10 Thread Philipp Buehler

Am 10.12.2019 17:07 schrieb Evan Silberman:
Is there a way to placate security(8) that I'm just not seeing?  Or is
my goal fundamentally misguided for some reason I'm not seeing?  The
user in this case is semi-trusted (e.g. yes, we'll let you login using
an unprivileged account to run bgpctl in pipelines) but not
organizationally-trusted (i.e. but that's ALL we want you to do on
this system).


Why not assign a long, random password and then not share it with the user?


Or put 13 asterisks as "password" in master.passwd(5)
(the case is mentioned explicitly there)

HTH,
--
pb



VMM: crashing BIOS "hangs" vmctl start -c / cu

2019-12-09 Thread Philipp Buehler

Hi,

just a head's up / for the archives. Do more important things first :)

While testing my packer-vmm port "across the board", I just noticed that
bsd.rd older than 5.7 will just hang in 'vmctl start -c' for.. forever?

Dec  9 12:24:12 ssfnhv011 vmd[48696]: myvm: started vm 1 successfully, tty /dev/ttyp2
Dec  9 12:24:12 ssfnhv011 vmd[81215]: write_mem: failed - invalid memory range dst = 0x80f0, len = 0x1000: Invalid argument
Dec  9 12:24:12 ssfnhv011 vmd[81215]: myvm: failed to load kernel or BIOS - exiting: Invalid argument


Apparently omitting -c will return to prompt directly - and 'myvm' being gone (obviously).
With -c there's a "dangling" '/usr/bin/cu -l /dev/ttyp2 -s 115200' around ..


Maybe something for CAVEATS in vmctl.8 or cu(1) needing kinda signal that remote
end hung up?

ciao
--
pb



Re: Who is 'anchor 11' (pfctl -vvss ./. pfctl -vsA)?

2019-01-03 Thread Philipp Buehler

Am 02.01.2019 21:35 schrieb Klemens Nanni:

Anchor 11 is the twelfth rule in your main ruleset (the anchor rule),
in which the first rule established this state.


Ouch, overlooked this one. Thanks..


Provide your ruleset so we can look at actual rules without guessing in
case your problem persists, `pfctl -a\* -s rules' prints them including
anchors.


Hmm, still a bit ambiguous:
===
@11 anchor "relayd/*" all {
  [ Evaluations: 21256227  Packets: 845613    Bytes: 363090876   States: 31    ]
  [ Inserted: uid 0 pid 12958 State Creations: 16822 ]
anchor "depa_portal_http" all {
}
anchor "depa_portal_https" all {
}
anchor "rnexus_portal_http" all {
@0 pass in quick on rdomain 0 inet proto tcp from any to public-ip port = 80 flags S/SA keep state (tcp.established 600) tag RNEXUS_PORTAL_HTTP rdr-to  port 60280 round-robin sticky-address
  [ Evaluations: 8919094   Packets: 1101      Bytes: 56088       States: 0     ]
  [ Inserted: uid 89 pid 29940 State Creations: 162   ]
}
anchor "rnexus_portal_https" all {
@0 pass in quick on rdomain 0 inet proto tcp from any to public-ip port = 443 flags S/SA keep state (tcp.established 600) tag RNEXUS_PORTAL_HTTPS rdr-to  port 60643 round-robin sticky-address
  [ Evaluations: 13343728  Packets: 253       Bytes: 57853       States: 0     ]
  [ Inserted: uid 89 pid 29940 State Creations: 18    ]
}
anchor "ssfn-imaps" all {
@0 pass in quick on rdomain 0 inet proto tcp from any to public-ip port = 993 flags S/SA keep state (tcp.established 600) tag SSFN_IMAPS rdr-to  port 993 round-robin sticky-address
  [ Evaluations: 169032000  Packets: 4965436   Bytes: 1932456130  States: 22    ]
  [ Inserted: uid 89 pid 29940 State Creations: 33036 ]
}

So, for every redirect one anchor (as expected/designed) - and each has a rule 0.
Besides from the ip/port tuple (the state in question was to port 993),
I cannot follow this down to which relayd-subanchor?

ciao
--
pb
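Klemens' explanation (anchor 11 is main-ruleset rule @11, rule 0 is the first rule inside it) can be applied mechanically: walk the numbered output, note which main rules are anchor rules, and resolve the "anchor N, rule M" reference of a state against that. The Python example below is added here and is not code from the thread; its sample inputs are constructed from the pfctl output quoted in these two messages (rule @10 and the <backend> placeholders for the elided redirect targets are made up). As the message says, with a wildcard anchor like relayd/* the resolver can only list the sub-anchors in which "rule 0" might live; it cannot pick one:

```python
import re

# Constructed sample in the style of 'pfctl -a\* -s rules' output, assembled
# from the lines quoted above. Rule @10 is made up; <backend> is a placeholder.
RULES = """\
@10 pass in quick on egress inet proto tcp from any to public-ip port = 22 flags S/SA keep state
@11 anchor "relayd/*" all {
  [ Evaluations: 21256227  Packets: 845613    Bytes: 363090876   States: 31    ]
  [ Inserted: uid 0 pid 12958 State Creations: 16822 ]
anchor "depa_portal_http" all {
}
anchor "rnexus_portal_http" all {
@0 pass in quick on rdomain 0 inet proto tcp from any to public-ip port = 80 flags S/SA keep state (tcp.established 600) tag RNEXUS_PORTAL_HTTP rdr-to <backend> port 60280 round-robin sticky-address
  [ Inserted: uid 89 pid 29940 State Creations: 162   ]
}
anchor "ssfn-imaps" all {
@0 pass in quick on rdomain 0 inet proto tcp from any to public-ip port = 993 flags S/SA keep state (tcp.established 600) tag SSFN_IMAPS rdr-to <backend> port 993 round-robin sticky-address
  [ Inserted: uid 89 pid 29940 State Creations: 33036 ]
}
}
"""

# The 'pfctl -vvss' state quoted in the first message of this thread.
STATES = """\
all tcp 10.45.30.7:993 (public-nat:993) <- remote-ip:4690   ESTABLISHED:ESTABLISHED
   [1683650613 + 66296] wscale 7  [3702552199 + 16768] wscale 2
   age 04:32:22, expires in 00:09:25, 745:737 pkts, 55579:87226 bytes, anchor 11, rule 0, source-track
   id: 5b5139707ff0259a creatorid: cfe3cb20
"""

MAIN_ANCHOR = re.compile(r'^@(\d+) anchor "([^"]*)"')   # numbered rule of the main ruleset
SUB_ANCHOR = re.compile(r'^anchor "([^"]*)"')           # anchor nested inside another one
STATE_REF = re.compile(r'anchor (\d+), rule (\d+)')     # reference printed per state


def parse_rules(text):
    """Map main-ruleset rule numbers to (anchor name, [direct sub-anchors]).
    Nesting is tracked by the '{' / '}' lines pfctl prints around anchors."""
    anchors = {}
    depth = 0
    current = None
    for line in text.splitlines():
        s = line.strip()
        if s == "}":
            depth -= 1
            if depth == 0:
                current = None
            continue
        if depth == 0:
            m = MAIN_ANCHOR.match(s)
            if m:
                current = int(m.group(1))
                anchors[current] = (m.group(2), [])
        elif depth == 1 and current is not None:
            m = SUB_ANCHOR.match(s)
            if m:
                anchors[current][1].append(m.group(1))
        if s.endswith("{"):
            depth += 1
    return anchors


def state_refs(text):
    """All (anchor, rule) pairs referenced by states in 'pfctl -vvss' output."""
    return [(int(a), int(r)) for a, r in STATE_REF.findall(text)]


def resolve(state_text, rules_text):
    """Attach the anchor name, and the sub-anchors 'rule M' may sit in, to
    every state reference; name is None when N is not an anchor rule."""
    anchors = parse_rules(rules_text)
    out = []
    for num, rule in state_refs(state_text):
        name, subs = anchors.get(num, (None, []))
        out.append({"anchor": num, "rule": rule, "name": name, "candidates": subs})
    return out


if __name__ == "__main__":
    for ref in resolve(STATES, RULES):
        print("anchor %(anchor)d = %(name)s, rule %(rule)d; candidates: %(candidates)s" % ref)
```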



Who is 'anchor 11' (pfctl -vvss ./. pfctl -vsA)?

2019-01-02 Thread Philipp Buehler

Hello,

in the midst of debugging ruleset/migrations, I came across this output in 'pfctl -vvss':
all tcp 10.45.30.7:993 (public-nat:993) <- remote-ip:4690   ESTABLISHED:ESTABLISHED
   [1683650613 + 66296] wscale 7  [3702552199 + 16768] wscale 2
   age 04:32:22, expires in 00:09:25, 745:737 pkts, 55579:87226 bytes, anchor 11, rule 0, source-track
   id: 5b5139707ff0259a creatorid: cfe3cb20

Now, who is 'anchor 11'? By no means 'relayctl show redirects' or 'pfctl -vsA'
or "pfctl -a 'relayd/*' -vvsr" would give me a "numbered" clue. The anchors are
ascii/literally named - no number like on the rules in 'pfctl -vvsr'.

In the current case I've only one relayd-redirection with port 993, so I can
guestimate the anchor.


Am I overlooking a pfctl/relayctl option or is '11' internal only?

TIA,
--
pb



Re: Automated remote install

2018-12-20 Thread Philipp Buehler

Am 20.12.2018 19:24 schrieb cho...@jtan.com:

I'm not sure what you mean by that. The script I posted the other day
is part of a (working, tested) process to create an openbsd image
within openbsd and then upload it to aws as an iam. I based it on, I
think, an earlier version of the instructions linked above. No linux
or osx required (no osx even present).


News to me that vagrant and esp. virtualbox is available on OpenBSD.


--
pb



Re: Automated remote install

2018-12-20 Thread Philipp Buehler

Am 20.12.2018 18:13 schrieb David Diggles:

However it's possible to build for AWS.
https://github.com/ajacoutot/aws-openbsd


and there's more stuff "in the pipe", since the above
needs a Linux or OSX environment

Next year ;) it'll be possible to do this on OpenBSD (vmm/packer/vagrant).


ciao
--
pb



Re: isakmpd and iked on the same box

2018-08-30 Thread Philipp Buehler

Hi,

Am 30.08.2018 10:27 schrieb Sebastian Reitenbach:

Hi,

I'm wondering if it would be possible to add iked to my box already
running isakmpd.
I found this quite old thread:
http://openbsd-archive.7691.n7.nabble.com/iked-isakmpd-on-the-same-machine-td246610.html


Why is it "always" my old threads in this area? :-)

I was not following development too closely, but I think that on the kernel side
things have not changed. Which means iked and isakmpd will happily "toe tap"
on each others SADB in the kernel (even if there is *some* PID handling).


Would like to hear if kernel side has "improved" lately, but the overall standpoint
looks like: IKEv1 is dead (e.g. see the removal of IKEv1 stubs in iked some "months ago").


[Still stuck with my ikev2 with strongswan on a different box solution]

HTH... wait, no:
ciao
--
pb



Re: dhcrelay between rdomains

2018-06-15 Thread Philipp Buehler

Am 15.06.2018 10:27 schrieb Holger Glaess:


I see the forwarded bootrequest from dhcrelay but it is not possible, for me,
to shift this request to another rdom.


just lift the outgoing (directed) request from dhcrelay with pf?

--
pb



Re: OpenBSD 6.2: how to tear down partial ipsec tunnels without restarting ipsec/isakmpd?

2018-05-14 Thread Philipp Buehler

Hello Andre,

Am 14.05.2018 13:38 schrieb Andre Ruppert:

I got the tips from this 2013 undeadly.org article:
Managing Individual IPsec Tunnels On A Multi-Tunnel Gateway
https://undeadly.org/cgi?action=article=20131125041429


Apparently I wrote that article, and I feel your pain :-)


2.) less /var/run/isakmpd.result
...
SA name:  (Phase 1/Responder)
src:  dst: 
Flags 0x
icookie 9f5bf7497f0ebe10 rcookie 8a6c7b1b1f5923ec
...


Feeding the fifo with
sh -c "echo 't ' > /var/run/isakmpd.fifo"
only deletes phase 2.

But I didn't have an SA name at this time... ??


The problem here is you only have an 'unnamed' SA, indeed; but
you have cookies..
What you can do - found that a bit later after the undeadly article:
echo 'd 9f5bf7497f0ebe108a6c7b1b1f5923ec -' > isakmpd.fifo
which is "d $icookie$rcookie -" (no space between the cookie values).

If I am changing a peer configuration, I also block 500/udp for the
time being to avoid these 'Responder' SAs altogether. Think along
pf.conf:pass in proto udp from  to $myself port 500
pfctl -T delete -t vpn_peers $thatpeer
pfctl -k $thatpeer
ipsecctl -d -f $thatpeer.conf
vi $thatpeer.conf
ipsecctl -f $thatpeer.conf
pfctl -T add -t vpn_peers $thatpeer

HTH,
--
pb
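The trick in the reply, "d $icookie$rcookie -" for an SA that has no name, is easy to get wrong by hand (two 16-hex-digit cookies concatenated, no space, then " -"). The Python example below is added here and is not from the thread or the undeadly article: it reads text in the layout /var/run/isakmpd.result shows above, picks out the SAs whose name is empty, and builds the exact fifo command for each. The sample input is constructed; only the cookie pair quoted above is real, the named SA, addresses and flag values are made up, and the `-d` semantics of the command are taken from the reply, not verified independently:

```python
import re

# Constructed sample in the layout quoted above. The second SA carries the
# cookie pair from the message; everything else is invented.
RESULT = """\
SA name: EXAMPLE_PEER (Phase 1/Initiator)
src: 192.0.2.1 dst: 198.51.100.7
Flags 0x00000000
icookie 0011223344556677 rcookie 8899aabbccddeeff

SA name:  (Phase 1/Responder)
src: 192.0.2.1 dst: 203.0.113.9
Flags 0x00000000
icookie 9f5bf7497f0ebe10 rcookie 8a6c7b1b1f5923ec
"""

# 'SA name: <name> (Phase N/Role)'; the name may be absent (two spaces).
SA_NAME = re.compile(r'^SA name:\s*([^\s(]*)\s*\((Phase \d)/(\w+)\)')
COOKIES = re.compile(r'^icookie ([0-9a-f]{16}) rcookie ([0-9a-f]{16})', re.M)


def parse_result(text):
    """Split the result file into SA blocks and extract name, phase, role
    and the cookie pair of each block; blocks without cookies are ignored."""
    sas = []
    for chunk in re.split(r'(?m)^(?=SA name:)', text):
        m = SA_NAME.match(chunk)
        if not m:
            continue
        c = COOKIES.search(chunk)
        if not c:
            continue
        sas.append({"name": m.group(1), "phase": m.group(2), "role": m.group(3),
                    "icookie": c.group(1), "rcookie": c.group(2)})
    return sas


def delete_command(sa):
    """The fifo command given in the reply: 'd' + icookie immediately followed
    by rcookie (no space between them) + ' -'."""
    return "d %s%s -" % (sa["icookie"], sa["rcookie"])


def unnamed_delete_commands(text):
    """Commands for exactly those SAs that have no name, i.e. the ones the
    't <name>' command cannot address."""
    return [delete_command(sa) for sa in parse_result(text) if sa["name"] == ""]


def write_commands(commands, fifo_path="/var/run/isakmpd.fifo"):
    """Feed the commands to the isakmpd fifo, one per line (not run by default)."""
    with open(fifo_path, "w") as fifo:
        for cmd in commands:
            fifo.write(cmd + "\n")


if __name__ == "__main__":
    for sa in parse_result(RESULT):
        print("%-14s %s/%s  %s" % (sa["name"] or "<unnamed>", sa["phase"],
                                   sa["role"], delete_command(sa)))
    print("would send:", unnamed_delete_commands(RESULT))
```

Running it against a real /var/run/isakmpd.result (read the file instead of RESULT, then pass the list to write_commands) reproduces the manual echo from the reply; printing first and writing only after checking the list keeps a stray named SA from being torn down by accident.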



Re: Why are so many people running and writing about current snapshots

2018-03-25 Thread Philipp Buehler

Am 25.03.2018 08:49 schrieb Z Ero:

Is 6.3 release almost here? Is that why? If you are using your
computer for production and are not actively developing / debugging
OpenBSD why would you run a current snapshot rather than the stable
release? Just curious.


Because with a "myriad" of snapshot testers the quality for the "only release"-users
would not be as good as it is.

--
pb



Re: UNIX Stackexchange - Community Promotion Ads - 2018

2018-02-25 Thread Philipp Buehler

Am 26.02.2018 02:33 schrieb Constantine A. Murenin:

I recently got 10k on StackOverflow, which is the minimum reputation
required to see not just any deleted stuff, but even your own deleted
questions and answers; and the sheer volume of my own questions and
answers that got deleted (some of which was done automatically based
on rather arbitrary "metrics" without any human intervention) is
simply mind boggling — `deleted:1` returns 36 results (questions
and/or answers), which at 259 A + 105 Q in my profile, represents
nearly 10% of my Qs and As!  I've used the site for years, and knew
some of my stuff was gone, but I was nonetheless totally surprised and
shocked to see just how much of it was deleted and hidden from me
until 10k!


Wow, just wow. Thanks for that insight.
Not that I was very fond of it previously (more like Ingo says..), but this
is stunning.

The in-band documentation must be helpful in itself. A reachout to a
community should be for rather complicated stuff or concepts.

Doing sysadmin longer than google exists: I know the value of good
docs :-)

ciao
--
pb



Re: considering a move to OpenBSD

2018-02-09 Thread Philipp Buehler

Am 09.02.2018 10:27 schrieb Consus:

It is possible to list all block devices (with type and size) with one
command? You know, like lsblk(8) in Linux.


You're implying..

# lsblk
bash: lsblk: command not found

And just that is already a reason, I do not like "Linux" very much.

--
pb



Re: OpenBSD 6.1-stable lock up

2017-08-31 Thread Philipp Buehler

Hello,

Am 01.09.2017 00:33 schrieb Maxim Bourmistrov:

0/232/64 mbuf 2048 byte clusters in use (current/peak/max)
423/2865/120 mbuf 2112 byte clusters in use (current/peak/max)
0/160/64 mbuf 4096 byte clusters in use (current/peak/max)
0/200/64 mbuf 8192 byte clusters in use (current/peak/max)


I've seen this before - including a kind of "lock up".
How does one reach a peak/current way over the maximum - and 2112 byte mcl?
IIRC, there was activity in this area changing allocation and statistics.


--
pb
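The question in the reply, how current or peak can exceed max, is the kind of thing worth checking automatically rather than by eye across a dozen cluster sizes. The Python example below is added here and is not part of the thread; it parses the four "mbuf ... byte clusters in use (current/peak/max)" lines quoted above (copied verbatim as the sample input) and reports every cluster size whose peak or current count is above its max. It only flags the numbers; what "max" means for a given OpenBSD version is not something the example claims to know:

```python
import re

# The four lines quoted in the message above, used verbatim as sample input.
NETSTAT_M = """\
0/232/64 mbuf 2048 byte clusters in use (current/peak/max)
423/2865/120 mbuf 2112 byte clusters in use (current/peak/max)
0/160/64 mbuf 4096 byte clusters in use (current/peak/max)
0/200/64 mbuf 8192 byte clusters in use (current/peak/max)
"""

# current/peak/max followed by the cluster size in bytes
CLUSTER = re.compile(r'^(\d+)/(\d+)/(\d+) mbuf (\d+) byte clusters in use')


def parse_clusters(text):
    """Return one dict per cluster line; unrelated netstat -m lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = CLUSTER.match(line.strip())
        if m:
            cur, peak, mx, size = map(int, m.groups())
            rows.append({"size": size, "current": cur, "peak": peak, "max": mx})
    return rows


def over_limit(rows, field):
    """Cluster sizes whose 'field' (current or peak) exceeds their max."""
    return [r["size"] for r in rows if r[field] > r["max"]]


def report(text):
    """Summary of the two anomalies asked about in the message: peak above
    max (historical) and current above max (happening right now)."""
    rows = parse_clusters(text)
    return {
        "peak_over_max": over_limit(rows, "peak"),
        "current_over_max": over_limit(rows, "current"),
    }


if __name__ == "__main__":
    for r in parse_clusters(NETSTAT_M):
        flag = ""
        if r["current"] > r["max"]:
            flag = "  <-- current above max"
        elif r["peak"] > r["max"]:
            flag = "  <-- peak above max"
        print("%5d byte clusters: %4d/%4d/%4d%s"
              % (r["size"], r["current"], r["peak"], r["max"], flag))
    print(report(NETSTAT_M))
```

Piping live output in (`netstat -m | python3 this.py` after swapping NETSTAT_M for sys.stdin.read()) turns the reply's "how does one reach..." into a repeatable check that can run from cron before the box locks up again.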



Re: OpenBSD IPSec setup

2017-06-29 Thread Philipp Buehler

Am 29.06.2017 12:32 schrieb Luescher Claude:

Why are you using ipsec in the 21st century:

https://serverfault.com/questions/202917/openvpn-vs-ipsec-pros-and-cons-what-to-use


just a week after four CVEs (incl RCE) in openvpn? Great.

--
pb



Re: OpenBSD IPSec setup

2017-06-28 Thread Philipp Buehler

Am 28.06.2017 11:18 schrieb Liviu Daia:


set skip on { lo, enc }
pass  in quick on egress inet proto udp to any port { isakmp,
ipsec-nat-t }


needs (on both) a 'pass quick inet proto esp', too


--
pb



Re: Get an MAC address of a LAN PC - OpenBSD

2017-06-23 Thread Philipp Buehler

Am 23.06.2017 07:19 schrieb Indunil Jayasooriya:


I am running darkstat as well. It also does NOT give it either. I think
This pf box has been rebooted after removing that PC.


See darkstat documentation, you can save/reload statistics across restarts/reboots.

For the next time..

--
pb



Re: IPSEC,CARP,sasyncd -- IPSEC failover not working

2017-06-20 Thread Philipp Buehler

Am 20.06.2017 11:13 schrieb claudiu vasadi:

Now some question:
1) On fw2, I omit the ipsecctl command and start only isakmpd and sasyncd.
If I check the SA's and flows, they will be synced from fw1 but is this how
it should be or do I need to have ipsec.conf on fw2 as well and issue the
"ipsecctl -f /etc/ipsec.conf" cmd when starting the IPSEC VPN?


You need to use ipsecctl on fw2, too. The -S will prevent active negotiating
until CARP flips over.

2) Once the SA's and flows are in sync and I carpdemote fw1, I lose the
IPSEC connection. When running isakmpd in debug mode, it looks like it
doesn't adhere to the SA's and flows "ipsecctl -sa" shows (a.k.a I need to
copy the ipsec.conf to fw2 and ipsecctl -f ipsec.conf).


Without the use of ipsecctl, you've SA data, as you've seen, but no routing
information (I think). Thus no more traffic passes (thinking: no route with SA
 -> packet dropped).

HTH,
--
pb



Re: bug tracking system for OpenBSD

2017-06-19 Thread Philipp Buehler

Am 19.06.2017 18:51 schrieb Harald Dunkel:

some reliable response time


I've to decide between popcorn and other stuff with flames.

--
pb



Re: Etnernal & infernal browser woes

2017-04-29 Thread Philipp Buehler

Am 30.04.2017 00:07 schrieb Mihai Popescu:


Do you know a method like this to disable kernel panic screen, too?
Also something for hidding the dmesg scroll on boot will be nice.

Maybe something to show a nice picture with a text like "sit back and
relax while your OS is loading ..." - the last three points must be
some kind of animation.


Nothing is that stupid, noone would go there. We did that back in early 3.x
times to have a full installation (auto_install wasn't even beyond the horizon
back then) including suppressed boot>, no dmesg (but a nice 'whirl'), some
install-progress and kind of dyndns.

All on a single 80x24 screen without scrolling.

Needed some serious diffs including meddling in some .S and init(8)..

diff is on a backup tape far far away :-)

ciao
--
pb



Re: Topics for revised PF and networking tutorial

2017-04-08 Thread Philipp Buehler

Am 07.04.2017 18:38 schrieb Peter N. M. Hansteen:

On 04/07/17 18:00, I love OpenBSD wrote:

I second to more IPv6 related information.
I am curious about blocking port scanning in IPv6 Web. Does pf let me put a
CIDR into the named table based on offending IPv6 address and 64-bit mask? I
mean something similar to 'overload ' option.


Tables can hold both inet and inet6 items, and you can add them as
single addresses or with masks:


Also tables can be manipulated with bgpd, so keen to see phessler's new talk
on that in Ottawa.


ciao
--
pb



Re: L2TP/IPsec VPN server: trying to force HMAC_SHA in phase 2, but isakmpd keeps offering HMAC_SHA2_256?

2017-03-19 Thread Philipp Buehler

Am 19.03.2017 15:36 schrieb Jurjen Oskam:

So, to validate that I'm indeed hitting this bug (and also as a workaround)
I tried to set up the OpenBSD side to not use SHA2. I haven't been able to
get this running yet: isakmpd always seems to offer HMAC_SHA2_256.


It's not offering that - but accepting "better" Phase2 transforms. If isakmpd
would start the negotiation, it'd propose HMAC_SHA.

To keep out unwanted proposals, you need an isakmpd.policy. (hint: no -K)


In my eyes this is 'bad behaviour' and tends to lead to situations where e.g.
a remote end "upgrades" (and locks down) the transforms and thus rekeying
started by isakmpd starts to fail.

HTH,
--
pb
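An isakmpd.policy along the lines Philipp mentions, added here as an example that is not part of the original mail. It assumes a pre-shared-key setup (the passphrase is a placeholder) and the attribute names documented in isakmpd.policy(5), and it only takes effect when isakmpd is started without -K.

```keynote
# /etc/isakmpd/isakmpd.policy (added example; the passphrase is a placeholder
# and must match the pre-shared key used for phase 1)
KeyNote-Version: 2
Authorizer: "POLICY"
Licensees: "passphrase:PLACEHOLDER_PSK"
# Only accept phase 2 proposals for ESP with AES encryption and HMAC-SHA1
# integrity; a peer offering hmac-sha2-256 is rejected instead of accepted.
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg == "aes" &&
            esp_auth_alg == "hmac-sha" -> "true";
```

For comparison, the example policy in isakmpd.policy(5) only requires esp_enc_alg != "null", which is why any stronger transform the remote end proposes is accepted.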



Re: Isakmpd and NAT-T

2017-03-14 Thread Philipp Buehler

Am 14.03.2017 01:46 schrieb Mik J:
Hello Sebastien,
I'm not sure there's something special to force nat-t, it's automatic. The
natted side has to initiate the flow to the non natted side. If the two sides
are natted then there should be a port forward to one of them. There should be
a nat keepalive parameter as well.



Since I've seen this on several occasions, check that isakmpd is /not/
having the flag -T. But you might want to use -L and look into the resulting
/var/run/isakmpd.pcap (hint: tail -fc+0 isakmpd.pcap|tcpdump -netttvvr -)
and watch out for the vendor lines in the proposal if NAT-T is actually
advertised - and of course allow 4500/udp in both directions.



Re: Hardware recommendations for compact 1U firewall

2016-12-16 Thread Philipp Buehler

Am 17.12.2016 02:32 schrieb Predrag Punosevac:

SYS-5018A-FTN4 are really nice boxes. This one has 16GB of RAM and was


btw.. just got SYS-1028R-WMRT and the dual I350 isn't "supported", likely
because of the weird PPB/riser.


--
pb



Re: IPSec

2016-11-25 Thread Philipp Buehler

Am 24.11.2016 22:58 schrieb Damian McGuckin:

Can you mix the use of 'isakmpd.conf' and 'ipsec.conf'?


You can.. ipsecctl just translates ipsec.conf syntax into isakmpd.conf style
and injects that (or removes with -d) into the running isakmpd.

Just take a config-dump after loading with ipsecctl and you'll see.

--
pb



Re: Redirect all traffic to new server

2016-10-31 Thread Philipp Buehler

Am 30.10.2016 18:28 schrieb Jeff Ross:

It seems like I should be able to use pf to redirect all inbound
traffic except ssh to the new server.  I tried redirecting web traffic
as a test with the following rule in pf.conf:

#pass all non-ssl web traffic to luna
pass in quick proto tcp to port www rdr-to luna.openvistas.net port 80


I just assume that the incoming interface is the same that would be needed
to reach luna.openvistas.net?
If so, please see pf.conf(5) in Translation/rdr-to along the 'received-on'
example.

The rdr-to (as of now) will likely send the SYN to the desired address,
but the src-ip-address will still be of the initial one ("browser") and thus
the SYN-ACK (emitted from luna) goes there where it'll be ignored for not
being legit.

The example with received-on will fix this.

HTH,
--
pb



Re: howto use route-to with pf and carp

2016-08-14 Thread Philipp Buehler

Am 14.08.2016 07:06 schrieb niya levi:
if yes can someone show me an example of how the route-to rule would be written,

if no what would be the best way to go about this.


Easier is to put an ip-address on the parent (carpdev) that can be reached from
the ntp, mailserver, ..preferable w/o routing via the carp master.

HTH,
--
pb



Re: I need to get a Russian keyboard

2016-05-26 Thread Philipp Buehler

Am 27.05.2016 06:27 schrieb Chris Bennett:

This question has probably been asked before, but a lot has changed
since then.

I want to buy a new one, sent to the USA. Looked at Amazon briefly. Not
sure if there may be a better place to order from.


http://www.pckeyboard.com/page/product/KBDCFG

offers 'Language: Russian' (among others)

HTH,
--
pb



Re: Flaw in ipsec.conf(5)?

2016-05-24 Thread Philipp Buehler

Am 24.05.2016 10:53 schrieb Bruno Flueckiger:

As a result of my tests I've created the diff below for ipsec.conf(5). Is
this ok or did I miss something?



You missed the 'set skip on enc0' a bit up.

--
pb



Fwd: Re: hostname.carp - CARP Bootup Woes Correct layout / format for >=5.9 - man page for hostname.carp

2016-05-23 Thread Philipp Buehler
just realized I didn't reply to the list so someone could pick up the diff
for commit consideration


-------- Original message --------
Subject: Re: hostname.carp - CARP Bootup Woes Correct layout / format for >=5.9 - man page for hostname.carp

Date: 20.05.2016 17:30
From: Philipp Buehler <e1c1bac6253dc54a1e89ddc046585...@posteo.net>
To: Andy Lemin <a...@brandwatch.com>

Am 20.05.2016 17:02 schrieb Andy Lemin:
Just if it helps anyone else having similar problems with CARP (was hoping
someone would make a comment about the man page for hostname.carp if it is
going to be so fussy about the order of parameters).


Thanks for boggling this down. I don't see a need for hostname.carp(5).
Extending the hostname.if(5) would be sufficient. Which by the way gives some
subtle clue:
==
Any lines not matching these packed formats are passed directly to
ifconfig(8). The packed formats are converted using a somewhat inflexible
parser and the administrator should not expect magic -- if in doubt study
ifconfig(8) and the per-driver manual pages to see what arguments are
permitted.
==
The driver (carp(4)) manpage isn't much of a clue on positionals, but
ifconfig(8) is:

==
 ifconfig carp-interface [advbase n] [advskew n] [balancing mode]
  [carpnodes vhid:advskew,vhid:advskew,...] [carpdev iface]
  [[-]carppeer peer_address] [pass passphrase] [state state]
  [vhid host-id]
==
The intermix with inet[6] is a different story..

LSS: An example like there is for a bridge setup in hostname.if(5) would be
nice.


Shot across:
--- hostname.if.5   Sat Jun  6 15:13:07 2015
+++ hostname.if.5.carpexp   Wed May 11 22:51:32 2016
@@ -282,6 +282,20 @@
 static fxp0 8:0:20:1e:2f:2b
 up# and finally enable it
 .Ed
+.Sh CARP INTERFACE CONFIGURATION
+To enable a
+.Xr carp 4
+interface, the options have to be put in order as described in
+.Xr ifconfig 8 .
+Having a valid carppeer needs to have the inet/inet6 configuration
+first.
+.Pp
+For example:
+.Bd -literal -offset indent
+carpdev ix0 advbase 2 advskew 10 pass carppass vhid 1
+inet 10.2.1.254 255.255.255.0 10.2.1.255
+carppeer 10.2.1.253
+.Ed
 .Sh FILES
 .Bl -tag -width "/etc/hostname.XX"
 .It Pa /etc/hostname.XXX
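Review bot: the sentence "the options have to be put in order as described in .Xr ifconfig 8" is ambiguous, because the ifconfig(8) synopsis quoted earlier in this mail lists the carp options alphabetically (advbase, advskew, balancing, carpnodes, carpdev, ...) while the example itself leads with "carpdev ix0"; state the real constraint directly, for instance "carppeer requires the inet or inet6 address to be configured on a preceding line", and replace "Having a valid carppeer needs to have the inet/inet6 configuration first." with that wording. It would also help the reader to note that "pass carppass" in the example is a placeholder passphrase to be replaced, as the existing fxp0 example above the hunk uses equally obvious placeholder values.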

--
pb



Re: PF and interface changing IP

2016-05-12 Thread Philipp Buehler

Am 12.05.2016 11:52 schrieb Gabriele Tozzi:

I did not know about the "new" parentheses feature.


It was brand-new with the 3.2 release :-)

--
pb



Re: How does isakmpd determine which config stanza to use?

2016-02-20 Thread Philipp Buehler

Am 19.02.2016 15:31 schrieb Christopher Sean Hilton:

   * Am I right to assume that when connecting to isakmpd the soekris
 box will match to the "Remote router" stanza because it's trying
 to build a tunnel from "srcid <-> dstid" or is isakmpd using the
 "local <-> peer" to choose the stanza?


Somewhat both.
If no srcid/dstid is defined, the local/peer will be taken as default as
ipv4_addr ID.
Run isakmpd with -L and check the isakmpd.pcap for what's being sent/received.


--
pb



Re: Hi There! I am trying to install OpenBSD

2016-02-01 Thread Philipp Buehler

Am 01.02.2016 23:52 schrieb Stuart Henderson:

i.e. it's just missing support for a quirky chip that needs the OS
to do some weird setup.


Or just use only that first SATA (and PATA) port?
e.g., Gabriele, if there's only one disk in there, try to recable it to the
other SATA slot.


--
pb



Re: IPsec IKEv1 accepts non-matching phase 2 parameters

2015-12-30 Thread Philipp Buehler

Am 31.12.2015 06:56 schrieb Julian Hsiao:

How do I configure isakmpd such that phase 2 parameters must also
match on both ends in order to establish security associations?


Just a guess, but do:
echo r > /var/run/isakmpd.fifo
and look into the /var/run/isakmpd.report
My bet is, that you had a hmac-md5 configured earlier and did not unload this
before the hmac2 was loaded.

ipsecctl simply ADDs configurations to isakmpd (unless -d), e.g. this:
$ sudo isakmpd -L
$ sudo ipsecctl -f /etc/ipsec.conf
$ sudo vi /etc/ipsec.conf #change to something "lesser"
$ sudo ipsecctl -f /etc/ipsec.conf
now you have TWO running configurations in isakmpd both matching proposals.



--
pb