Loading of pf rule hangs

2022-03-19 Thread Axel Rau
I just installed the recent fixes for 6.0 with syspatch. After the reboot my pf rules were not installed. pfctl -nvvf pf.conf shows that rule loading hangs between these rules: - - - table persist file "/etc/pf/black_hole.txt" block drop in quick on $red_if from flags any - - - After a minute rule

Re: functional difference of isakmpd and iked

2022-03-11 Thread Axel Rau
> On 11.03.2022 at 14:32, Tobias Heider wrote: > > looks like your setup should also work with iked. So I will try this in a few weeks and report back. Thanks for responding, Axel --- PGP-Key: CDE74120 ☀ computing @ chaos claudius

Re: functional difference of isakmpd and iked

2022-03-11 Thread Axel Rau
> On 09.03.2022 at 11:44, Axel Rau wrote: > > are both able to support the same network topologies with both IPv4 and IPv6? Seems to be a difficult question. What can I do to get an answer / a comment from one of the experts? Axel --- PGP-Key: CDE74120 ☀ computing @ chaos claudius

functional difference of isakmpd and iked

2022-03-09 Thread Axel Rau
Hi all, are both able to support the same network topologies with both IPv4 and IPv6? The application uses 3 VPN gateways (all OpenBSD) and connects several public nets behind both gateways. Some private nets are served without NAT to other VPN members. One gateway uses a fixed IPv4 address,

Re: fighting amplification attack --was: Re: pf: block drop not working

2021-05-07 Thread Axel Rau
> On 05.05.2021 at 16:20, Stuart Henderson wrote: > > This is usually best dealt with in your DNS server software e.g. by using > the rrl-* configuration in NSD, see nsd.conf(5), or "rate-limit" config > section in BIND. Yes, I have this in place now, but I try

fighting amplification attack --was: Re: pf: block drop not working

2021-05-05 Thread Axel Rau
> On 05.05.2021 at 13:30, Tom Smyth wrote: > > black_whole vs black_hole > > check the table name … But even with the correct table name I had to flush states to get it working. Does anyone have a script handy to update the table to black hole DNS clients which repeat the same query with high
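An added example, not code from this thread or from OpenBSD: the kind of script asked for above, in Python. It counts identical (client, name, type) queries in a constructed, BIND-style query log (the log format, the threshold and all helper names are assumptions), and prints the `pfctl -t black_hole -T add` plus `pfctl -k` commands for each client over the threshold, the latter because a block rule does not touch states that already exist, which is why the states had to be flushed. It also checks a table file for entries that are not literal addresses: pfctl resolves any hostname in a `table ... file` at load time, and a DNS lookup that does not return is one way a `pfctl -f` can stall between two rules, as in the "Loading of pf rule hangs" message above. Caveat: in a reflection attack the source address is the spoofed victim, so black-holing it only stops the amplified replies; response rate limiting in the name server (RRL, as suggested in the thread) is the better first line.

```python
"""Added example (not from the misc@ thread): derive a pf black-hole table
from DNS query logs and sanity-check the table file before pfctl loads it.

Assumptions: a BIND-style query log line of the form
    <timestamp> client <ip>#<port>: query: <name> <class> <type>
a pf table named black_hole, and a threshold of identical queries per client.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample input: one client hammering the same ANY query,
# one well-behaved client, one IPv6 client repeating a TXT query, and
# one line that is not a query log entry at all.
SAMPLE_LOG = (
    ["2021-05-05T13:00:01 client 203.0.113.7#53432: query: isc.org IN ANY"] * 6
    + ["2021-05-05T13:00:02 client 198.51.100.9#40001: query: example.com IN A",
       "2021-05-05T13:00:02 client 198.51.100.9#40002: query: example.com IN AAAA"]
    + ["2021-05-05T13:00:03 client 2001:db8::5#1234: query: ripe.net IN TXT"] * 5
    + ["2021-05-05T13:00:04 named[123]: zone example.com/IN: loaded serial 2"]
)

# Constructed sample table file, including a hostname that pfctl would
# have to resolve with DNS while loading the ruleset.
SAMPLE_TABLE_FILE = """\
# black_hole.txt (constructed)
146.168.0.0/16
203.0.113.7
!203.0.113.100
resolver.example.net   # hostname: pfctl looks this up when loading the file
2001:db8::5
"""

LINE_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f:.]+)#\d+: query: (?P<name>\S+) \S+ (?P<qtype>\S+)"
)


def count_repeats(lines):
    """Count identical (client, name, type) triples; other lines are skipped."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            key = (m.group("ip"), m.group("name").lower().rstrip("."),
                   m.group("qtype").upper())
            counts[key] += 1
    return counts


def offenders(lines, threshold=5):
    """Clients that sent the same query at least `threshold` times, sorted."""
    counts = count_repeats(lines)
    return sorted({ip for (ip, _name, _qtype), n in counts.items() if n >= threshold})


def pfctl_commands(ips, table="black_hole"):
    """Commands to add each client to the table and kill its existing states
    (pfctl -k host kills states originating from that host; without it an
    already established flow keeps passing despite the new table entry)."""
    cmds = []
    for ip in ips:
        cmds.append(f"pfctl -t {table} -T add {ip}")
        cmds.append(f"pfctl -k {ip}")
    return cmds


def check_table_file(text):
    """Return (line number, entry) for every entry that is not a literal
    address or CIDR network. pf table files allow '#' comments and a leading
    '!' for negation; anything else that is not an address is a hostname that
    pfctl resolves with DNS while loading the ruleset."""
    bad = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        if entry.startswith("!"):
            entry = entry[1:]
        try:
            ipaddress.ip_network(entry, strict=False)
        except ValueError:
            bad.append((lineno, entry))
    return bad


if __name__ == "__main__":
    for cmd in pfctl_commands(offenders(SAMPLE_LOG)):
        print(cmd)
    for lineno, entry in check_table_file(SAMPLE_TABLE_FILE):
        print(f"black_hole.txt:{lineno}: '{entry}' needs DNS resolution at load time")
```

Run against a real query log, the two-query client (A and AAAA for the same name) stays under the threshold while the client repeating one ANY query six times is listed, which is the distinction "repeat same query" asks for; feed the printed commands to sh on the firewall, or write the addresses to the table file and `pfctl -t black_hole -T replace -f` it.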

Re: pf: block drop not working

2021-05-05 Thread Axel Rau
> On 05.05.2021 at 13:30, Tom Smyth wrote: > > black_whole vs black_hole > > check the table name … Thanks a lot! Axel --- PGP-Key: CDE74120 ☀ computing @ chaos claudius

pf: block drop not working

2021-05-05 Thread Axel Rau
Hi all, in pf.conf, I have at the beginning: - - - table persist file "/etc/pf/black_hole.txt" block drop in quick on $red_if from flags any fw1# pfctl -s rules | head -3 block drop in quick on em2 from to any fw1# pfctl -t black_hole -T show . . . 146.168.0.0/16 . . . But responses

[RESOLVED] Re: Neighbor Solicitation packets try to go out on enc0

2020-12-24 Thread Axel Rau
> inet6 ??:??:??:34::a prefixlen 64 I forgot the reflexive bypass rule: flow esp out from ??:??:??:30::/60 to ??:??:??:30::/60 type bypass Axel --- PGP-Key: CDE74120 ☀ computing @ chaos claudius

Re: Neighbor Solicitation packets try to go out on enc0

2020-12-16 Thread Axel Rau
Routers don't forward neighbour solicitation messages. So this is a bug? Axel --- PGP-Key: CDE74120 ☀ computing @ chaos claudius

Neighbor Solicitation packets try to go out on enc0

2020-12-12 Thread Axel Rau
Hello I have a router, running rad(8). SLAAC works as expected, but I see: - - - 11:40:58.374264 rule 16/(match) [uid 0, pid 97445] block out on enc0: \ ??:??:??:34::a > ??:??:??:34:3551:6e57:d90b:5a77: \ icmp6: neighbor sol: who has ??:??:??:34:3551:6e57:d90b:5a77\ (src lladdr:

[RESOLVED] Re: Wrong net in vlan

2020-11-18 Thread Axel Rau
Hi Stuart, > On 18.11.2020 at 13:20, Stuart Henderson wrote: > > On 2020/11/18 12:48, Axel Rau wrote: >> From /etc/dhcpd.conf: >> - - - >> shared-network WLAN-NET { > > This is your problem. Oh yes. The art of carefully reading . . . Thanks a lot, Axel --

Re: Wrong net in vlan

2020-11-18 Thread Axel Rau
> On 18.11.2020 at 11:00, Stuart Henderson wrote: > > On 2020-11-18, Axel Rau wrote: >> I think, the problem is that all vlans share the same lladdr (see recent >> ifconfigs). >> To allow dhcpd to distinguish the vlans, I have to set the mac addresses >>

Re: Wrong net in vlan

2020-11-18 Thread Axel Rau
:09, Stuart Henderson wrote: > > On 2020-11-17, Axel Rau wrote: >> >> Hi all. >>>

Re: Wrong net in vlan

2020-11-17 Thread Axel Rau
Hi all. > On 16.11.2020 at 11:09, Axel Rau wrote: > > - - - > From /etc/rc.conf.local: > - - - > dhcpd_flags="em0 em3 vlan11 vlan12 vlan13 vlan14 vlan15 vlan16" > - - - I still have no resolution. dhcpd always provides an address from the subnet 172.16.11/24 r

Re: Wrong net in vlan

2020-11-16 Thread Axel Rau
> On 15.11.2020 at 22:33, Mihai Popescu wrote: > > Hint: show some dhcpd configs. From /etc/dhcpd.conf: - - - subnet 172.16.11.0 netmask 255.255.255.0 { option routers 172.16.11.1; range 172.16.11.100 172.16.11.200; } subnet

Wrong net in vlan

2020-11-15 Thread Axel Rau
Hi all, in hostname.vlan11, I have: - - - vnetid 11 parent em3 inet 172.16.11.1 255.255.255.0 NONE - - - in hostname.vlan12, I have: - - - vnetid 12 parent em3 inet 172.16.12.1 255.255.255.0 NONE - - - but dhcpd logs: - - - DHCPOFFER on 172.16.11.106 to d6:b5:e4:2a:3a:1c via vlan12 - - - What

Re: Routing between VPNs broken

2020-11-01 Thread Axel Rau
Hi Rudy, thanks for answering. I have a default route and I had success while using localhost as gateway in the past. But static routes no longer help. I tried your proposal with a fictive gateway. No chance. It would be interesting whether the same bug happens with wireguard. > On 01.11.2020 at

Re: Routing between VPNs broken

2020-10-30 Thread Axel Rau
After rebooting the client, everything works as expected. Until the next re-keying, where it stops working. Axel --- PGP-Key: CDE74120 ☀ computing @ chaos claudius

Routing between VPNs broken

2020-10-30 Thread Axel Rau
Hi all, I have 3 firewalls, all running OpenBSD 6.7, 2 are IPsec clients, one is the server. After installing (unrelated?) syspatches (67-19, 67-20, 67-23 and 67-24) on the server and rebooting it after 2 months of uptime, I noticed that routing between VPNs has been broken: fw1# ipsecctl -s

CARP with /30 ?

2019-10-24 Thread Axel Rau
Hi all, is a CARP setup with 2 firewall boxes with an upstream /30 transfer net feasible? E.g. 5.6.7.232/30 5.6.7.232 if box1 5.6.7.233 upstream router 5.6.7.234 if box2 5.6.7.235 if CARP A quick answer would be very helpful. Thanks, Axel --- PGP-Key: CDE74120 ☀ computing @ chaos

Re: ping blocked for 12 minutes

2018-05-20 Thread Axel Rau
> On 17.05.2018 at 11:47, Axel Rau <axel@chaos1.de> wrote: > > Hi, > > a firewall box blocks ICMP packets (from icinga2 hostalive4 check_command) > for 12 minutes. > This happens nearly every night. mtr shows 100% loss on the last hop. Forwarded traffic is n

ping blocked for 12 minutes

2018-05-17 Thread Axel Rau
Hi, a firewall box blocks ICMP packets (from icinga2 hostalive4 check_command) for 12 minutes. This happens nearly every night. mtr shows 100% loss on the last hop. The ICMP echo requests (10/minute) are directed to the firewall box itself. If this is from a rate-limiting feature, how can I

Re: Message arrived but could not be stored

2018-04-19 Thread Axel Rau
Hi, could you please fix your MUA? The argument of the header „Content-Language“ in your mails violates RFC 1766. My IMAP server http://aox.org/ can’t store your mails. > On 19.04.2018 at 12:37, Kapetanakis Giannis wrote: > > The appended

[RESOLVED] Re: 6.0 sppp does not answer PPPoE-Discovery code offer

2017-01-09 Thread Axel Rau
Updating the firmware of the Vigor130 box from 3.7.9_m7 to 3.7.9.4_m7 solved the problem. > . . . > It seems that sppp does not work with the vlan pseudo device. Anybody fixing that? Axel --- PGP-Key:29E99DD6 ☀ computing @ chaos claudius

Re: 6.0 sppp does not answer PPPoE-Discovery code offer

2017-01-09 Thread Axel Rau
> On 07.01.2017 at 20:01, Axel Rau <axel@chaos1.de> wrote: > > Hi, > > while trying to switch my Vigor130 to pppoe pass through and let my > OpenBSD firewall handle the pppoe stuff, I get: Turning on debug shows: Jan 8 17:48:05 gw1 /bsd: pppoe0 (8863) sta

6.0 sppp does not answer PPPoE-Discovery code offer

2017-01-07 Thread Axel Rau
Hi, while trying to switch my Vigor130 to pppoe pass through and let my OpenBSD firewall handle the pppoe stuff, I get: 1:31:42.085747 00:0f:c9:04:db:87 ff:ff:ff:ff:ff:ff 8100 36: 802.1Q vid 7 pri 3 PPPoE-Discovery code Initiation, version 1, type 1, id 0x, length 12 tag

Re: kernel logs "v_type 1" and "f_type 1"

2016-05-09 Thread Axel Rau
Hi Ville, > On 09.05.2016 at 18:04, Ville Valkonen <weezeld...@gmail.com> wrote: > > On 9 May 2016 at 16:03, Axel Rau <axel@chaos1.de> wrote: >> A firewall box (dual Atom N270, 2GB, 5 nics, running 5.8-current > (GENERIC.MP) >> #1219) >> s

kernel logs "v_type 1" and "f_type 1"

2016-05-09 Thread Axel Rau
A firewall box (dual Atom N270, 2GB, 5 nics, running 5.8-current (GENERIC.MP) #1219) suddenly started logging v_type 1 f_type 1 (up to 40 times/sec) and stopped routing. The effect went away after disconnecting all but one nic. Any help appreciated, Axel --- PGP-Key:29E99DD6 ☀

Re: pppoe broken on either 5.7 or on if Intel 82541GI ?

2015-06-13 Thread Axel Rau
On 05.06.2015 at 12:40, Axel Rau axel@chaos1.de wrote: A similar box with identical configuration running 5.7-RELEASE on „Intel 82541GI rev 0x05: hardware fails so: Anybody running 5.7 successfully on an Intel 82541GI interface? Axel --- PGP-Key:29E99DD6 ☀ +49 151 2300 9283

pppoe broken on either 5.7 or on if Intel 82541GI ?

2015-06-05 Thread Axel Rau
Hi, I have a box running with 5.6 and a pppoe device on vlan on em with „Intel I354 SGMII“ rev 0x03: msi hardware: - - - 20:21:26.689948 00:60:e0:5a:75:45 ff:ff:ff:ff:ff:ff 8100 36: 802.1Q vid 7 pri 3 PPPoE-Discovery code Initiation, version 1, type 1, id 0x, length 12

pf on 5.6: rule counter with proto esp not working

2015-02-16 Thread Axel Rau
Hi, I failed to set up a queue on outgoing esp traffic and noticed that the rule counters are all 0 and do not advance: @155 pass out quick on vlan2 inet proto esp from any to road_worrier_nets:8 set ( queue vpn ) keep state (if-bound) [ Evaluations: 0 Packets: 0 Bytes: 0

Re: Intel i354 Quad GbE network adapter failed on 5.5-RELEASE

2014-11-18 Thread Axel Rau
I tested this on other hardware: It has nothing to do with i354. It’s a bug in the vlan driver which has already been reported here http://marc.info/?l=openbsd-misc&m=139903544321689&w=2 Axel On 02.09.2014 at 15:45, Axel Rau axel@chaos1.de wrote: On 30.08.2014 at 13:46, Axel

Re: Intel i354 Quad GbE network adapter failed on 5.5-RELEASE

2014-09-03 Thread Axel Rau
On 02.09.2014 at 15:45, Axel Rau axel@chaos1.de wrote: The i347 device (em5) has a hardware MAC of 00:60:e0:5a:75:45, but shows up above as 00:60:e0:5a:75:39. The answer to the pppoe server with MAC address 00:30:88:1f:18:9a is being sent to MAC 00:30:75:39:00:30 instead. Nobody any idea

Re: Intel i354 Quad GbE network adapter failed on 5.5-RELEASE

2014-09-02 Thread Axel Rau
On 30.08.2014 at 13:46, Axel Rau axel@chaos1.de wrote: On 29.08.2014 at 08:11, Jonathan Gray j...@jsg.id.au wrote: Initial support for the i347 phy was added back in March but that wasn't part of 5.5. I suspect you want something along the lines of the following patch: Yes

[RESOLVED] Re: Intel i354 Quad GbE network adapter failed on 5.5-RELEASE

2014-08-30 Thread Axel Rau
On 29.08.2014 at 08:11, Jonathan Gray j...@jsg.id.au wrote: Initial support for the i347 phy was added back in March but that wasn't part of 5.5. I suspect you want something along the lines of the following patch: Yes, this patch worked (does at least initialization of em2-em5, more testing

Intel i354 Quad GbE network adapter failed on 5.5-RELEASE

2014-08-28 Thread Axel Rau
Hi All, while installing 5.5-RELEASE on an ATOM C2000 based Axiomtek NA361, I get em2 at pci0 dev 20 function 0 „Intel I354 SGMII“ rev 0x03: msi em2: Hardware Initialization Failed em2: Unable to initialize the hardware on all 4 nics. Installing a recent snapshot from 5.5-CURRENT does not show

Re: Intel i354 Quad GbE network adapter failed on 5.5-RELEASE

2014-08-28 Thread Axel Rau
On 28.08.2014 at 12:36, Gregor Best g...@ring0.de wrote: since you seem to be deploying a new setup, I'd simply install a snapshot. The release of 5.6 is soon(-ish), so I doubt there will be lots of functional changes until then, and it'd be wise to upgrade anyway once 5.6 is out.

Re: Intel i354 Quad GbE network adapter failed on 5.5-RELEASE

2014-08-28 Thread Axel Rau
On 28.08.2014 at 13:51, Jonathan Gray j...@jsg.id.au wrote: Start with the following patch, perhaps there needs to be some additional i347 specific handling. I’m seeing now: - - - em_set_phy_type Invalid PHY ID 0x1410DC0 Error, did not detect valid phy. em2: Hardware Initialization

Re: routing problem with 2nd default route via ipsec

2011-07-31 Thread Axel Rau
On 28.07.2011 at 13:23, Axel Rau wrote: all CARP traffic from its carp2) go to enc0, like this: What may cause IPv4 CARP traffic to not go out on its parent device but on enc0 instead? IPv6 CARP and other CARP devices behave as expected. Axel --- PGP-Key:29E99DD6 ☀ +49 151 2300 9283 ☀

Re: IPsec 4.94.9 VPN

2011-07-28 Thread Axel Rau
On 22.07.2011 at 00:13, Mikeal Clark wrote: 163350.058716 Default ike_phase_1_recv_ID: received remote ID other than expected 1.2.3.4 I think you need srcid 1.2.3.4 dstid 5.6.7.8 on site A ike. Axel --- PGP-Key:29E99DD6 ☀ +49 151 2300 9283 ☀ computing @ chaos claudius

routing problem with 2nd default route via ipsec

2011-07-28 Thread Axel Rau
Hi all, I have a routing firewall, which is also a ipsec client like this: ppp uplink (IPv4) | dc3|pppoe0 +++ |+|dc1 | enc0

Re: routing problem with 2nd default route via ipsec

2011-07-28 Thread Axel Rau
On 28.07.2011 at 16:06, Gregory Edigarov wrote: let me guess I think you just need to allow traffic on enc0 set skip on enc0 No, it's not that easy. (-; I block carp multicast messages on enc0 and just showed that. A tcpdump on enc0 would have shown the same. The problem is that those

unstable vpn after upgrading to 4.8

2010-12-20 Thread Axel Rau
Hi all, this ipsec tunnel configuration has 2 endpoints of CARPed pairs of obsd 4.8 boxes, each with pfsync and sasyncd. After upgrading to 4.8 (stable) the vpn starts blocking in one direction after 2 days of uptime of the gateway pair. When this happens, netstat -rn shows flows as usual and

Re: unstable vpn after upgrading to 4.8

2010-12-20 Thread Axel Rau
On 20.12.2010 at 12:50, Axel Rau wrote: After upgrading to 4.8 (stable) the vpn starts blocking in one direction after 2 days of uptime of the gateway pair. Today it took only 2 hours to start blocking. Blocking can be prevented by keeping a ping running. Axel --- axel@chaos1.de PGP-Key

Re: Migrating from isakmpd to iked: interface name not recognized

2010-12-14 Thread Axel Rau
On 13.12.2010 at 18:50, Axel Rau wrote: no IP address found for pppoe0 This happens with all devices I have tried. Has anybody succeeded in using an interface name as the argument of option local? This is 4.8 stable on i386 generic. Axel --- axel@chaos1.de PGP-Key:29E99DD6 +49 151

Re: Migrating from isakmpd to iked: interface name not recognized

2010-12-14 Thread Axel Rau
On 14.12.2010 at 17:23, Mike Belopuhov wrote: mask2prefixlen functions are taken from bgpd. OK? Thanks, Axel --- axel@chaos1.de PGP-Key:29E99DD6 +49 151 2300 9283 computing @ chaos claudius

Migrating from isakmpd to iked: interface name not recognized

2010-12-13 Thread Axel Rau
Hi all, in the man page for iked.conf, I read: Addresses can be specified in CIDR notation (matching netblocks), as symbolic host names, interface names, or interface group names. In my iked.conf, I have local pppoe0 but iked -vn complains: no IP address found for pppoe0

Re: HA: pair of firewalls, 2 switches and 1 server

2010-05-22 Thread Axel Rau
On 21.05.2010 at 01:53, Tomoyuki Sakurai wrote: You need two additional OSPF routers for L3 redundancy (claudio@ explained why in a paper). Thanks for the hint, Tomoyuki. I now have ospfd running on both firewalls, which was one necessary step towards success. Axel --- axel@chaos1.de

Re: HA: pair of firewalls, 2 switches and 1 server

2010-05-22 Thread Axel Rau
On 21.05.2010 at 12:55, Axel Rau wrote: On 20.05.2010 at 22:07, Reyk Floeter wrote: I will try the following with unmanaged switches, no RST: On fbsd: fbsd# ifconfig em0 up fbsd# ifconfig em1 up fbsd# ifconfig lagg0 create fbsd# ifconfig lagg0 laggproto failover laggport em0 laggport

Re: HA: pair of firewalls, 2 switches and 1 server

2010-05-21 Thread Axel Rau
On 20.05.2010 at 22:07, Reyk Floeter wrote: I will try the following with unmanaged switches, no RST: +---+ +--+ |fw1|+-+ | | +em1++ sw1 +---+ | carp0|em2+--+ +-+-+-+em0| | | | | | |

Re: HA: pair of firewalls, 2 switches and 1 server

2010-05-20 Thread Axel Rau
On 20.05.2010 at 00:04, Henning Brauer wrote: * Axel Rau axel@chaos1.de [2010-05-19 10:34]: Now the question: Can I put a trunk on top of a carp? you put carp on top of the trunk of course. OK. Can I have a trunk connected to 2 different switches then? Axel --- axel@chaos1.de PGP

Re: HA: pair of firewalls, 2 switches and 1 server

2010-05-20 Thread Axel Rau
On 20.05.2010 at 20:17, Henning Brauer wrote: However, if you need to ask if you can run a trunk on top of a carp, This was an academic question to keep the thread running (-; do yourself a favor and use a single switch. There will be less downtime. that is something I could subscribe to

Re: HA: pair of firewalls, 2 switches and 1 server

2010-05-20 Thread Axel Rau
Thanks for this detailed elaboration, Reyk. A few questions: On 20.05.2010 at 22:07, Reyk Floeter wrote: On Thu, May 20, 2010 at 07:02:23PM +0200, Axel Rau wrote: Now the question: Can I put a trunk on top of a carp? you put carp on top of the trunk of course. OK. Can I have a trunk

Re: HA: pair of firewalls, 2 switches and 1 server

2010-05-19 Thread Axel Rau
On 19.05.2010 at 07:59, Guido Tschakert wrote: What problem are you trying to resolve? I will clarify: +---+ +--+ | |+-+ | | +fw1++ sw1 +---+ | carp0| +--+ +-+-+-+em0| | | | |

HA: pair of firewalls, 2 switches and 1 server

2010-05-18 Thread Axel Rau
Hi all, I have a pair of redundant firewalls (obsd 4.6) and a server (fbsd 8.0): +---+ +--+ | | | | +fw1+--+ +-+ | carp0| |carp1 | | em0| | | | | | | |

Re: HA: pair of firewalls, 2 switches and 1 server

2010-05-18 Thread Axel Rau
On 18.05.2010 at 14:20, Leonardo Carneiro - Veltrac wrote: IMHO, the second scenario you drew solves the problem in a very elegant way. Besides, STP and RSTP-enabled switches have become less expensive in the last years. Yes, but what carps/trunks do I need? Axel --- axel@chaos1.de

Re: HA: pair of firewalls, 2 switches and 1 server

2010-05-18 Thread Axel Rau
On 18.05.2010 at 14:11, Guido Tschakert wrote: I would say your server is __the__ single point of failure (sure the switch is also a spof but normally I'm more worried about servers than switches) Yes, but it has 2 power supplies and redundant disks. If the mini pwr supply of the single