Re: Usage of global tables and anchors in PF

2017-06-20 Thread Jacob Leifman
On 20 Jun 2017 at 14:17, Alen Mistric wrote: > Howdy! > > I have a global table defined in pf.conf that I would like to use in > both the main rule set and inside an anchor. However, I keep getting > a namespace collision when I reload the configuration file. I can't > quite figure out from

Re: relayd(8) doesn't listen

2017-06-20 Thread Stuart Henderson
On 2017-06-20, miraculli . wrote: > For every aiohttp instance I created one vether(4) and assigned 10.0.0.x/24 > to it Don't put addresses from the same /24 onto a bunch of different interfaces. Use one /24 and the others should be /32 aliases, all on a single interface. >

Re: Libressl issue verifying self-signed certs with tls-auth and Openvpn

2017-06-20 Thread Andrew Lemin
Hi, Sadly in my testing it seems that CVE-2017-8301 ( http://seclists.org/oss-sec/2017/q2/145) is still broken with the latest LibreSSL (2.5.4) and OpenVPN 2.4.2. Here is someone else reporting the same issue; https://discourse.trueos.org/t/libre-openssl-tls-error-when-using-openvpn/1358/4 Of

Re: bug tracking system for OpenBSD

2017-06-20 Thread Theo de Raadt
> Kai Wetlesen wrote: > > What would a potential curator of a bug tracker need > > to do besides spin up a server, install, and maintain > > the chosen (or written) software? > > not underestimate the effort involved. > > so this has come up before, and the answer remains the same. anyone can

Re: bug tracking system for OpenBSD

2017-06-20 Thread Ted Unangst
Kai Wetlesen wrote: > What would a potential curator of a bug tracker need > to do besides spin up a server, install, and maintain > the chosen (or written) software? not underestimate the effort involved. so this has come up before, and the answer remains the same. anyone can set up a bug

Re: Libressl issue verifying self-signed certs with tls-auth and Openvpn

2017-06-20 Thread Andy Lemin
I've just found this hint on GitHub for the Openvpn compile options for Libressl; https://gist.github.com/gsora/2b3e9eb31c15a356c7662b0f960e2995 So will try a build later tonight and share back here if that CVE is fixed. Would prefer to rebuild with the same options as the packaged binary, and

relayd(8) doesn't listen

2017-06-20 Thread miraculli .
Hi misc, I try to setup relayd(8) as load balancer for two Python3.6 based aiohttp web-servers on -stable. Right now I'm just playing around to get into it so everything runs inside a VirtualBox Instance. For every aiohttp instance I created one vether(4) and assigned 10.0.0.x/24 to it and start

Libressl issue verifying self-signed certs with tls-auth and Openvpn

2017-06-20 Thread Andrew Lemin
Hi Misc, Has anyone else come across any issues recently with Openvpn, Libressl and TLS on OpenBSD 6.1? I am using an .ovpn file with TLS auth static key and cert inline within the file, to connect to VPN service. Running openvpn binary from command line without any special params, just .ovpn

Re: inet6 packet filter question: link local address vs antispoof

2017-06-20 Thread Harald Dunkel
Hi Martin, the host I had used for testing is off, so I had to switch. After disabling the packet filter I see: # tcpdump -i re0 -env icmp6 tcpdump: listening on re0, link-type EN10MB 20:58:08.865529 20:cf:30:e8:0d:58 52:54:00:2e:f3:25 86dd 118: fe80::22cf:30ff:fee8:d58 >

Re: Stack clash and OpenBSD

2017-06-20 Thread Mike Coddington
On Tue, Jun 20, 2017 at 11:49:52AM -0400, Mike wrote: > > Does 008: SECURITY FIX: May 19, 2017 fix the Stack Clash bug? > > Or is a fix forthcoming? Yes, it does. Here's the CVE, and the patch is linked from there. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000372 Thanks to the

Re: Stack clash and OpenBSD

2017-06-20 Thread Mike
On 6/20/2017 11:29 AM, Luis Coronado wrote: > If you run -current most likely you already have the patched code, if you > run -stable 6.1 follow https://www.openbsd.org/faq/faq10.html#Patches: > > "If you're running the -release branch of OpenBSD, you can simply use the > syspatch(8)

Re: Stack clash and OpenBSD

2017-06-20 Thread Luis Coronado
If you run -current most likely you already have the patched code, if you run -stable 6.1 follow https://www.openbsd.org/faq/faq10.html#Patches: "If you're running the -release branch of OpenBSD, you can simply use the syspatch(8) utility to upgrade any files in

Stack clash and OpenBSD

2017-06-20 Thread Jasper Siepkes
Hi all, I'm trying to determine which action I should take in response to the Stack Clash thing https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt . I suspect that "008: SECURITY FIX: May 19, 2017" (https://www.openbsd.org/errata61.html) is the mitigation for OpenBSD 6.1? On a

Re: bug tracking system for OpenBSD

2017-06-20 Thread Stefan Sperling
On Mon, Jun 19, 2017 at 07:01:13PM +0200, Philipp Buehler wrote: > Am 19.06.2017 18:51 schrieb Harald Dunkel: > > some reliable response time > > I've to decide between popcorn and other stuff with flames. Or just point out the support list? http://www.openbsd.org/support.html I guess most

Usage of global tables and anchors in PF

2017-06-20 Thread Alen Mistric
Howdy! I have a global table defined in pf.conf that I would like to use in both the main rule set and inside an anchor. However, I keep getting a namespace collision when I reload the configuration file. I can't quite figure out from reading the man pages if you're not supposed to use a

Re: bug tracking system for OpenBSD

2017-06-20 Thread Ingo Schwarze
Hi, Carlin Bingham wrote on Tue, Jun 20, 2017 at 11:20:10PM +1200: > On Mon, Jun 19, 2017 at 06:51:24PM +0200, Harald Dunkel wrote: >> would it be possible to establish a real bug tracking system for >> OpenBSD? Something with bug owner, severity, attachments, assignee, >> and (very important)

Re: bug tracking system for OpenBSD

2017-06-20 Thread Kai Wetlesen
Good morning, In regards to this: >> would it be possible to establish a real bug tracking system >> for OpenBSD? > > There is exactly one reason it hasn't happened yet: > > No developer has been able and willing to invest the additional > time required to set it up and to commit to

Re: bug tracking system for OpenBSD

2017-06-20 Thread Edgar Pettijohn
Thanks for the link. That was a fun read. Another reason I love OBSD. Take things seriously but have fun doing it. Sent from BlueMail On Jun 20, 2017, 6:21 AM, at 6:21 AM, Carlin Bingham wrote: >On Mon, Jun 19, 2017 at 06:51:24PM +0200, Harald Dunkel wrote: >> Hi folks, >>

Re: bug tracking system for OpenBSD

2017-06-20 Thread Carlin Bingham
On Mon, Jun 19, 2017 at 06:51:24PM +0200, Harald Dunkel wrote: > Hi folks, > > would it be possible to establish a real bug tracking system for > OpenBSD? Something with bug owner, severity, attachments, assignee, > and (very important) some reliable response time and a database > to search for

Re: inet6 packet filter question: link local address vs antispoof

2017-06-20 Thread Martin Pieuchot
On 11/06/17(Sun) 16:23, Harald Dunkel wrote: > PS #1: Outgoing traffic to a link-local address initiated by the > gateway is not corrupted. > > PS #2: It seems that OpenBSD 6.0 doesn't show this problem. Could you use tcpdump on 6.0, do you spot any difference?

Re: inet6 packet filter question: link local address vs antispoof

2017-06-20 Thread Martin Pieuchot
On 11/06/17(Sun) 15:51, Harald Dunkel wrote: > Hi folks, > > pf.conf on my gateway (6.1) says > > bash-4.4# pfctl -sr | egrep -i icmp\|block > block return log all > : > : > pass quick inet proto icmp all keep state (if-bound) > pass quick inet6 proto ipv6-icmp all keep state (if-bound) > >

Re: splassert: pool_put: want 0 have 4

2017-06-20 Thread Martin Pieuchot
On 14/06/17(Wed) 16:56, Marko Cupać wrote: > On Tue, 13 Jun 2017 11:38:46 + (UTC) > Stuart Henderson wrote: > > > Can you try "sysctl kern.splassert=2" to obtain a backtrace? > > > > (This isn't on by default as there's a small risk of problems, > > though I run this

Re: IPSEC,CARP,sasyncd -- IPSEC failover not working

2017-06-20 Thread Philipp Buehler
Am 20.06.2017 11:13 schrieb claudiu vasadi: Now some question: 1) On fw2, I omit the ipsecctl command and start only isakmpd and sasyncd. If I check the SA's and flows, they will be synced from fw1 but is this how it should be or do I need to have ipsec.conf on fw2 as well and issue the

Re: Correct tftpproxy in faq/pf/ftp.html

2017-06-20 Thread Theo Buehler
On Tue, Jun 20, 2017 at 10:35:14AM +0200, Martin Ziemer wrote: > Since OpenBSD 5.3 the tftpproxy is no longer started via inetd, but as > a daemon. The faq section in ftp.html still instructs you to use > inetd. > > Below is a diff which instructs the reader to use the service instead > of inetd.

Re: bug tracking system for OpenBSD

2017-06-20 Thread Stuart Henderson
On 2017-06-19, Ingo Schwarze wrote: > Hi, > > Harald Dunkel wrote on Mon, Jun 19, 2017 at 06:51:24PM +0200: > >> would it be possible to establish a real bug tracking system >> for OpenBSD? > > There is exactly one reason it hasn't happened yet: > > No developer has been able

IPSEC,CARP,sasyncd -- IPSEC failover not working

2017-06-20 Thread claudiu vasadi
Hello everyone, I'm in dire need of sasyncd help Here's the current setup I have: - 2x OpenBSD 6.1 amd64 redundant firewalls (em0 (ext_if), em1 (int_if), carp0 (carp_if over em0), carp1 (carp_if over em1)) - carp0 has 16 public IP's (ex: 1.1.1.1->1.1.1.16) - carp1 has 1x internal IP (ex:

Re: Correct tftpproxy in faq/pf/ftp.html

2017-06-20 Thread Theo Buehler
On Tue, Jun 20, 2017 at 10:35:14AM +0200, Martin Ziemer wrote: > Since OpenBSD 5.3 the tftpproxy is no longer started via inetd, but as > a daemon. The faq section in ftp.html still instructs you to use > inetd. > > Below is a diff which instructs the reader to use the service instead > of inetd.

synproxy state with multipath routing

2017-06-20 Thread Indunil Jayasooriya
Hi Misc, Can We have synproxy state in pf.conf, when net.inet.ip.multipath=1 is set in /etc/sysctl.conf here is my config in /etc/sysctl.conf net.inet.ip.forwarding=1# 1=Permit forwarding (routing) of IPv4 packets #net.inet.ip.mforwarding=1 # 1=Permit forwarding (routing) of IPv4

Correct tftpproxy in faq/pf/ftp.html

2017-06-20 Thread Martin Ziemer
Since OpenBSD 5.3 the tftpproxy is no longer started via inetd, but as a daemon. The faq section in ftp.html still instructs you to use inetd. Below is a diff which instructs the reader to use the service instead of inetd. Index: ftp.html

Re: Rebuilding a degraded RAID5 softraid array

2017-06-20 Thread LÉVAI Dániel
LÉVAI Dániel @ 2017-06-20T10:22:27 +0200: > Joel Sing @ 2017-06-19T18:14:30 +0200: [...] Hit reply too fast. > > > You in fact gave the advice at a so lucky time, that I was about to > > > return the disk for a warranty replacement -- had I done that, I could > > > not have been able to repair

Re: Rebuilding a degraded RAID5 softraid array

2017-06-20 Thread LÉVAI Dániel
Joel Sing @ 2017-06-19T18:14:30 +0200: > On Friday 16 June 2017 10:11:20 LÉVAI Dániel wrote: > > Karel Gardas @ 2017-06-15T09:07:39 +0200: > > > On Thu, Jun 15, 2017 at 7:04 AM, LEVAI Daniel wrote: > > [...] > > > > > > Strangest thing is, if I boot with the 'bad' (=failing)

Re: isakmpd memory usage

2017-06-20 Thread Nicolas
Hi Here is my ipsec.conf : ike esp from /24 to /24 peer main auth hmac-sha1 enc aes-256 group modp1024 lifetime 28800 quick auth hmac-sha1 enc aes-256 group modp1024 lifetime 3600 srcid psk '' tag vpn ike passive esp transport proto udp from to any port 1701 main auth hmac-sha1