Re: Need to add dummy IP addresses to interfaces in OpenBSD 7

2022-12-12 Thread Stuart Henderson
On 2022-12-12, Randall Gellens wrote:
> Changing the /etc/hostname.if files for the U-Verse and client ports to 
> add an 'inet' line with a dummy IP address made it all start working. 
> Before, they just had a line with "description" and text.

> Questions:
>
> (1) I'd like to understand why the interfaces worked without having IP 
> addresses in OpenBSD 6 but not in OpenBSD 7. They showed as up and as 
> part of the bridge, but no traffic.

One possibility:

They would need the word "up" as well as the description, otherwise the
interface would remain inactive.

Setting an IP or IPv6 address implicitly brings the interface up.

(btw it's not "OpenBSD 7", it's "7.2", or "7.1", or whatever - the first
digit doesn't mean anything special, they are just numbers raised by .1
each time).

> (2) Also, I have several old machines that can no longer SSH into the 
> OpenBSD 7 box. They get an error "no hostkey alg". Is there an easy way 
> to get the OpenBSD box to accept connections from older clients? 
> Presumably I need to enable older key algorithms, but after hunting 
> through the OpenSSH manual I can't see what I need to do. The packet 
> rules block access to the OpenBSD box from outside.

See https://www.openssh.com/legacy.html but particularly note "The
best resolution for these failures is to upgrade the software at the
other end and/or replace the weak key types with safer modern types.
OpenSSH only disables algorithms that we actively recommend against
using because they are known to be weak."

If it's possible to update the ssh clients that would be better (there
may be other important bugs fixed in them too; for example if any are
using old versions of PuTTY there are security fixes in newer ones too).

-- 
Please keep replies on the mailing list.
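An added audit script illustrating the "up" point in the reply above; it is not from the thread or from OpenBSD itself. It scans hostname.if(5)-style files in a directory and reports interfaces whose file has only a description line (or nothing) and so would stay down. It assumes that lines beginning with "up", "inet", "inet6", "dhcp" or "autoconf" all cause ifconfig to configure and raise the interface, and it does not analyse "!command" lines (an "!ifconfig em0 up" would also work, but the script cannot tell). The interface names and addresses in the sample files are made up.

```shell
#!/bin/sh
# Added example (not from the thread): audit hostname.if files for bridge
# members that would never come up because the file only carries a
# "description" line. Assumption: "up", "inet", "inet6", "dhcp" and
# "autoconf" lines all bring the interface up; "!command" lines are ignored.

# Exit 0 if the file would bring its interface up, 1 if it would stay down.
would_come_up() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }          # skip comments and blank lines
        $1 == "up" || $1 == "inet" || $1 == "inet6" || $1 == "dhcp" || $1 == "autoconf" { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Print (one per line) the interface names under $1 whose hostname.* file
# would leave them down. Exit 0 if every interface comes up, 1 otherwise.
list_down_interfaces() {
    dir=$1; rc=0
    for f in "$dir"/hostname.*; do
        [ -f "$f" ] || continue
        if ! would_come_up "$f"; then
            printf '%s\n' "${f##*/hostname.}"
            rc=1
        fi
    done
    return $rc
}

# The fix suggested in the reply: append a plain "up" line when the file has
# nothing that would raise the interface. Idempotent.
add_up_line() {
    would_come_up "$1" || printf 'up\n' >> "$1"
}

# Constructed sample layout resembling the poster's setup: two bridge members
# with only a description, two with addresses, and the bridge itself.
# Names (em0..em3, bridge0) and addresses (RFC 5737 ranges) are made up.
make_samples() {
    d=$(mktemp -d)
    printf 'description "U-Verse RG"\n' > "$d/hostname.em0"      # description only: stays down
    printf 'description "wired clients"\n' > "$d/hostname.em1"   # description only: stays down
    printf 'inet 192.0.2.1 255.255.255.0\ndescription "servers"\n' > "$d/hostname.em2"
    printf 'inet 198.51.100.1 255.255.255.0\n' > "$d/hostname.em3"
    printf 'add em0\nadd em1\nadd em2\nadd em3\nup\n' > "$d/hostname.bridge0"
    printf '%s' "$d"
}
```

Run it against a real box with `list_down_interfaces /etc`; anything it prints is an interface that depends on something else (an address line or a "!ifconfig ... up") to come up, which is exactly the situation the poster hit after moving from a description-only file.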



Need to add dummy IP addresses to interfaces in OpenBSD 7

2022-12-11 Thread Randall Gellens

[[[ My apologies, I accidentally sent this before I'd finished it. ]]]

I have a Protectli box that is the router for my home network. The home 
network uses U-Verse to connect to the outside, and has separate 
Ethernet networks for servers, wired clients, and Wi-Fi IoT clients. 
U-Verse supplies their own box (a "Residential Gateway" or RG) that sits 
at the connection points. The RG throws a tantrum if it detects an 
internal router or multi-homed devices, so the OpenBSD box is set up as 
a transparent filtering bridge so the RG thinks all the devices are 
connected directly to it. The OpenBSD box has Ethernet ports for the 
U-Verse RG and one for the three internal networks, with pf filtering 
the packets. The /etc/hostname.if files provide an IP address for the 
interface for the server network and one for the Wi-Fi interface (these 
are on different networks). The /etc/hostname.if files for the U-Verse 
and wired client Ethernet ports have just a description.


The Protectli was running (I think) OpenBSD 6.2, but suffered a disk 
failure and I couldn't find my backup, so I installed a fresh OpenBSD 
7.2 on it and added the users and config files (I had current versions 
of those). The config files are pretty minimal: /etc/hostname.if files 
for the four Ethernet ports and the bridge, /etc/sysctl.conf to set 
net.inet.ip.forwarding=1, pf.conf for the rules. There aren't any other 
services running on the box (other boxes are used for DHCP, DNS, etc.).


Initially, the server and Wi-Fi Ethernet ports had traffic and packets 
were routed between them, but there was no traffic on the wired clients 
nor U-Verse Ethernet ports, and no packets got between them. A client on 
Wi-Fi could ping a server and vice versa, and other servers could reach 
the OpenBSD box. But clients couldn't reach servers, and nothing could 
get outside. All interfaces looked right when viewed using ifconfig, and 
the bridge looked right (it was up and had the four interfaces). There 
were no errors during startup, nor when running netstart.


Changing the /etc/hostname.if files for the U-Verse and client ports to 
add an 'inet' line with a dummy IP address made it all start working. 
Before, they just had a line with "description" and text.


Questions:

(1) I'd like to understand why the interfaces worked without having IP 
addresses in OpenBSD 6 but not in OpenBSD 7. They showed as up and as 
part of the bridge, but no traffic.


(2) Also, I have several old machines that can no longer SSH into the 
OpenBSD 7 box. They get an error "no hostkey alg". Is there an easy way 
to get the OpenBSD box to accept connections from older clients? 
Presumably I need to enable older key algorithms, but after hunting 
through the OpenSSH manual I can't see what I need to do. The packet 
rules block access to the OpenBSD box from outside.


Thank you for any help,

--Randall