Re: TLS now supported on openbsd.org?

2016-05-10 Thread Giancarlo Razzolini
On May 10, 2016 9:07 Kamil Cholewiński wrote: On Tue, 10 May 2016, Giancarlo Razzolini <grazzol...@gmail.com> wrote: This is of limited usefulness. All you need to do (as a mitm) is to block the connection on port 443, client will now automagically fall back to using 80 and plai

Re: TLS now supported on openbsd.org?

2016-05-10 Thread Giancarlo Razzolini
to first try TLS and *only then* fall back to clear text http, this kind of measure has its uses. Cheers, Giancarlo Razzolini

Re: TLS now supported on openbsd.org?

2016-05-10 Thread Giancarlo Razzolini
On May 9, 2016 18:39 Theo de Raadt wrote: Giancarlo Razzolini <grazzol...@gmail.com> wrote: > It is really nice to finally see TLS on openbsd.org. How about redirecting > http to https? I dislike the idea. Let me be more clear, both of you. Those decisions will be made by the

Re: TLS now supported on openbsd.org?

2016-05-09 Thread Giancarlo Razzolini
, it seems STS isn't being used. I don't know if this is a testing phase, but it would be nice to have those nevertheless. Cheers, Giancarlo Razzolini

Re: Python requirements.

2016-04-25 Thread Giancarlo Razzolini
that. This happens because kombu is using an internal python function that got removed from 2.7.9 to 2.7.10, if I recall it correctly. I had this same issue recently. Cheers, Giancarlo Razzolini

Re: LibertyBSD, recently forked from OpenBSD, has been deblobbed as much as its creator could see?

2016-02-19 Thread Giancarlo Razzolini
On 19-02-2016 12:42, Jorge Luis wrote: > "What is LibertyBSD? > OpenBSD is universally known as an operating system designed with security > in mind, proudly being able to say that it has had "Only two remote holes in > the default install, in a heck of a long time!" Will you please, please, go

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-11 Thread Giancarlo Razzolini
tc. The TLS could be implemented in a non-mandatory way, you don't need to redirect HTTP connections to HTTPS ones. But it would be nice to have the option, at least. Cheers, Giancarlo Razzolini

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-11 Thread Giancarlo Razzolini
ompletely? At least if you trust your first access to the site. But I think this thread followed its course, let's move on. Cheers, Giancarlo Razzolini

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-09 Thread Giancarlo Razzolini
client shouldn't connect to it, because it already has the fingerprint pinned. It is the same rationale as ssh host keys, trust on first use. But, by the way this thread evolved, we're beating a dead horse here now. Cheers, Giancarlo Razzolini

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-08 Thread Giancarlo Razzolini
ay, isn't very secure. Also, now that we have two free TLS cert providers, one can use HPKP and completely disregard the CAs, which is a security benefit. Cheers, Giancarlo Razzolini

Re: OpenBSD + pf + DPI

2015-12-02 Thread Giancarlo Razzolini
My question is malformed, sorry. Take a look at bro. It's on ports. Cheers, Giancarlo Razzolini

Re: home keys in tmux

2015-12-02 Thread Giancarlo Razzolini
act that the num lock switch was on (or off). At first I thought it wasn't tmux related. But now it seems otherwise. Cheers, Giancarlo Razzolini

Re: pf, anchors, and macros

2015-12-02 Thread Giancarlo Razzolini
d to be present in each anchor file. Tables don't need to. I have a little script that copies all my macros after I edit /etc/pf.conf to the anchors. I use commented marks on /etc/pf.conf to know where to begin copying and where to end. But you get the point. Cheers, Giancarlo Razzolini

Re: A branded USB stick as an alternative to the CD set?

2015-11-30 Thread Giancarlo Razzolini
m some people who > understand the importance, otherwise I'd be looking for a cashier job. I really don't want to see this happen, but I'd imagine you wouldn't stress yourself as much. Keep up the good work, Giancarlo Razzolini

Re: A branded USB stick as an alternative to the CD set?

2015-11-30 Thread Giancarlo Razzolini
oad the iso from the internet, safely verify it and write your own USB stick with it. And Theo gets paid for the wonderful job he (and others of course) do with OpenBSD. Cheers, Giancarlo Razzolini

Re: A branded USB stick as an alternative to the CD set?

2015-11-30 Thread Giancarlo Razzolini
eo saves the shipping, and you contribute directly to him. Which isn't different from contributing to OpenBSD. Cheers, Giancarlo Razzolini

Re: A branded USB stick as an alternative to the CD set?

2015-11-30 Thread Giancarlo Razzolini
you made it even more clear how things operate. Cheers, Giancarlo Razzolini

Re: The kernels of *BSD include nonfree firmware blobs?

2015-11-27 Thread Giancarlo Razzolini
On 27-11-2015 18:35, bofh wrote: > Why do you continue by asking about blobs in FreeBSD? Troll Detected. Troll Fed. End of Thread.

Re: TLS intercepting proxy [MitM]

2015-11-24 Thread Giancarlo Razzolini
keyword. You can also have success using the user directive. Cheers, Giancarlo Razzolini

Re: Welcome-Mail

2015-11-16 Thread Giancarlo Razzolini
Everything is signed using signify. The transfer medium can be (and is) unencrypted. Of course this pretty much means anyone listening knows you're downloading/installing OpenBSD. If your concern is this, then you'll need to figure out for yourself how to hide the fact that you're installing OpenBSD. Cheers, Giancarlo Razzolini

Re: pfctl -f /etc/pf.conf fails on boot when DNS-resolved symbolic names are used

2015-11-11 Thread Giancarlo Razzolini
using a proxy. Relayd can work quite well for simple cases. Cheers, Giancarlo Razzolini

Re: Making IPv6 NAT prefer privacy address

2015-11-10 Thread Giancarlo Razzolini
ith the inet6 -autoconf option, so you'll get only the link-local address. When you run dhcpcd it will configure only a private address on the interface thus solving your issue. You don't need to make pf prefer the privacy address, because there will only be one address on the interface. Cheers, Giancarlo Razzolini

Re: pfctl -f /etc/pf.conf fails on boot when DNS-resolved symbolic names are used

2015-11-10 Thread Giancarlo Razzolini
ound + nsd combo, if you also need authoritative. I think you'll need to hack your /etc/rc file to load them before your pf.conf is loaded. Cheers, Giancarlo Razzolini

Re: rtadvd not picking up dynamic ranges automatically anymore

2015-11-09 Thread Giancarlo Razzolini
rent. These days I prefer using ULA and making nat, so I can assure my internal address space will never change. Cheers, Giancarlo Razzolini

Re: rtadvd not picking up dynamic ranges automatically anymore

2015-11-09 Thread Giancarlo Razzolini
I can update DNS records, I was just extending that so the OP could do another thing (restart rtadvd). I don't know anything that could be done in my case, since my ISP and CPE will change the prefix anytime the CPE restarts or the CPE connection to the ISP is lost. Cheers, Giancarlo Razzolini

Re: dhcpd exiting with strange error message.

2015-11-08 Thread Giancarlo Razzolini
n is a very intrusive piece of software. Unless you understand everything it is doing in the background, you'll always face problems for which you won't know the answer, at least, not easily. Cheers, Giancarlo Razzolini

Re: dhcpd exiting with strange error message.

2015-11-06 Thread Giancarlo Razzolini
f: No such file or directory > Nov 6 08:25:46 janus dhcpd[24427]: exiting. It seems you have two instances of dhcpd running. It might explain your problem. Cheers, Giancarlo Razzolini

Re: Iked, ca_getreq: no valid local certificate found

2015-11-05 Thread Giancarlo Razzolini
for me. Cheers, Giancarlo Razzolini

Re: OpenVPN, tap interface and bridge

2015-11-02 Thread Giancarlo Razzolini
ou don't need an ip address on the bridge, only on the internal LAN interface. Cheers, Giancarlo Razzolini

Re: passive mode ftp pf.conf OpenBSD 5.6 i386

2015-10-28 Thread Giancarlo Razzolini
Don't try to implement the same thing ftp does on top of other protocols. That being said, using OpenSSH you can have everything ftp has even better. You can even chroot every user to his/her home. With the benefit of, you know, talking ssh protocol, instead of ftp. Cheers, Giancarlo Razzolini

Re: OpenBSD 5.8 and IPv6 forwarding doesn't seem to be working

2015-10-28 Thread Giancarlo Razzolini
ipv6 packets to my external lan address. I will try to port some of the ndp proxy solutions available to OpenBSD. Every one I found is Linux centric. OpenBSD ndp(8) has proxy functionality. I couldn't make it work, and you also need to add entries host by host to it. Cheers, Giancarlo Razzolini

Re: OpenBSD 5.8 and IPv6 forwarding doesn't seem to be working

2015-10-28 Thread Giancarlo Razzolini
take a look into that. If your CPE doesn't have the internal lan prefix, you can't expect it to work. Cheers, Giancarlo Razzolini

Re: NAT replies not triggering pf rule

2015-10-27 Thread Giancarlo Razzolini
make it easier to visualize where your packets are going. Cheers, Giancarlo Razzolini

Re: NAT replies not triggering pf rule

2015-10-26 Thread Giancarlo Razzolini
ed. Also, you can (should) always use tags. Not only do they make your ruleset "debugable", but any stray packet should hit a block rule (possibly logging it). I suspect your first three rules aren't matching because you're using the external interface. Try using the internal on them. Cheers, Giancarlo Razzolini

Re: correct way to clear sensitive data from env?

2015-10-26 Thread Giancarlo Razzolini
t understand it either. From my point of view, the OpenVPN project has slowed down a lot in the past few years. Coincidentally, its commercial solution didn't. > so did Tamas, it's in ports. Good to know. I don't think my code still compiles against newer OpenVPN versions. Cheers, Giancarlo Razzolini

Re: Making IPv6 NAT prefer privacy address

2015-10-26 Thread Giancarlo Razzolini
work with IPv6, and the rules don't get reloaded when the addresses change. I will (unfortunately) still use IPv4 based internal LANs, as long as these IPv6 woes don't get sorted out. I think things will get much worse, before they get better. Cheers, Giancarlo Razzolini

Re: passive mode ftp pf.conf OpenBSD 5.6 i386

2015-10-23 Thread Giancarlo Razzolini
ie! I beg you. Every time an admin starts a ftp server, a puppy dies. Consider using SSH. Or, if you must, DAV. Cheers, Giancarlo Razzolini

Re: correct way to clear sensitive data from env?

2015-10-23 Thread Giancarlo Razzolini
you want, but I don't even know if it compiles with recent OpenVPN code. Cheers, Giancarlo Razzolini

Re: passive mode ftp pf.conf OpenBSD 5.6 i386

2015-10-23 Thread Giancarlo Razzolini
. Without it, it's difficult to help you. Cheers, Giancarlo Razzolini

Re: Diffie-Helman issue?

2015-10-20 Thread Giancarlo Razzolini
do not change it after a key replacement. Cheers, Giancarlo Razzolini

Re: Your opinion about using rdomain or mpath

2015-10-14 Thread Giancarlo Razzolini
is the other way around: make the route-to rules for your customers and let your OpenBSD use whatever default gateway you want. If your networks are static, you can hard code them in your pf rules. Cheers, Giancarlo Razzolini

Re: Your opinion about using rdomain or mpath

2015-10-14 Thread Giancarlo Razzolini
ting priority, OpenBSD would round-robin between them. This is where ifstated can be used, to detect failures and add/remove the routes as needed. Cheers, Giancarlo Razzolini

Re: PF Queuing

2015-10-14 Thread Giancarlo Razzolini
t using that queue and add a match rule to pf.conf to push it into my > bulk queue.
> But I am wondering if there is a way to log what traffic is using a > queue or which packets are being dropped.
> Thanks,
> jh

match log
man pflow(4)
pkg_add nfsen

Happy! Cheers, Giancarlo Razzolini

Re: Your opinion about using rdomain or mpath

2015-10-14 Thread Giancarlo Razzolini
or your OpenBSD firewall is also running a proxy or dns server. In this case I find that using mpath alongside ifstated is easier than using rdomain. Especially if your network layout is simple. Cheers, Giancarlo Razzolini

Re: match rules and priorities

2015-10-08 Thread Giancarlo Razzolini
y passing two of them, so packets with lowdelay TOS and empty acks can go to a higher priority, hence improving your interactive browsing and your downloads. Cheers, Giancarlo Razzolini

Re: vpn from subnet to subnet through a 3rd enpoint?

2015-10-06 Thread Giancarlo Razzolini
rnet, making all of them pass through the subnet 2, will slow things down. Cheers, Giancarlo Razzolini

Re: Web Filtering with the Blowfish

2015-10-02 Thread Giancarlo Razzolini
x has an option also. But that is not true for every browser (or lib that some app might be using). To complicate things further, there is HPKP. You can also use pflow(4) with nfsen for detecting odd behaviour in your network, and try to catch anything that might have passed. Cheers, Giancarlo Razzolini

Re: HSTS configuration in httpd.conf

2015-10-01 Thread Giancarlo Razzolini
ediately use https for your domain without going through the redirect. The redirect is still necessary, given the fact that STS headers have an expiration time. So, configure and forget the redirect and always maintain your TLS setup working, and you should be fine. Cheers, Giancarlo Razzolini

Re: Making IPv6 NAT prefer privacy address

2015-09-24 Thread Giancarlo Razzolini
outed, unfortunately. But this discussion gave me the idea of making a bridge for my dmz and using ULA with nat on my internal networks, that don't need much external connectivity. This also solves my problem of having only one /64 prefix. Cheers, Giancarlo Razzolini

Re: Making IPv6 NAT prefer privacy address

2015-09-24 Thread Giancarlo Razzolini
d, the so called internet of things, nat will have a performance hit on that, so it will eventually fade away, hopefully. Cheers, Giancarlo Razzolini

Re: Making IPv6 NAT prefer privacy address

2015-09-23 Thread Giancarlo Razzolini
nks the prefix is reachable using NDP. Hence the need for a proxy, which OpenBSD currently doesn't have. Cheers, Giancarlo Razzolini

Re: Making IPv6 NAT prefer privacy address

2015-09-23 Thread Giancarlo Razzolini
dhcpv6 servers, rtadvd, and anchors, etc. > > Also it's good for winding up IPv6 purists :-) Wound up me. :-) Cheers, Giancarlo Razzolini

Re: Making IPv6 NAT prefer privacy address

2015-09-23 Thread Giancarlo Razzolini
nly the OpenBSD router's address so it should work. I ended up setting up a bridge for that. It's harder to filter on them though. I plan to port some NDP proxy to OpenBSD, but all of the candidates looked very cumbersome to my taste. I'll eventually have to do it, unless someone else beats me to it. Cheers, Giancarlo Razzolini

Re: Making IPv6 NAT prefer privacy address

2015-09-22 Thread Giancarlo Razzolini
uests. If so, and if it follows RFC 7084, you could ask for an IA_NA from it, and you'd get an address which is not the privacy address, but also is not based on your MAC address. Cheers, Giancarlo Razzolini

Re: Can't ping IPv6

2015-09-16 Thread Giancarlo Razzolini
, many CPEs respond to this address as your default route (fe80::1). If it didn't, you would have a lot of problems. Cheers, Giancarlo Razzolini

Re: Incoming packets arrives on an interface and outgoing packets takes another interface

2015-09-09 Thread Giancarlo Razzolini
net connectivity going to the right interfaces. Cheers, Giancarlo Razzolini

Re: pf vs mp

2015-09-02 Thread Giancarlo Razzolini
n this list is soekris. But there are other options too. P.s.: Talking about this kind of embedded system, you'll most likely end up with a single core one. Pay attention to the RAM speed and bus speed too. Cheers, Giancarlo Razzolini

Re: pf vs mp

2015-09-02 Thread Giancarlo Razzolini
des. As I said, you should try and see. But, in general, you will benefit from mp. Yes, I'm being vague, as you were. P.s.: Don't use anything you read on calomel.org. Want to learn pf, read the manual or buy the book of pf. Cheers, Giancarlo Razzolini

Re: pf vs mp

2015-09-01 Thread Giancarlo Razzolini
ll itself), then it will consume more RAM and CPU than pf. Having more of both in this case is better. Again, each case is different and you should really try and see. Also, all of this might become somewhat irrelevant when (if) the mp pf patch enters base. Cheers, Giancarlo Razzolini

Re: pf vs mp

2015-09-01 Thread Giancarlo Razzolini
d nfsen come to mind. symon is another good candidate. With that, you can deploy only the amount of hardware needed. Cheers, Giancarlo Razzolini

Re: pf vs mp

2015-09-01 Thread Giancarlo Razzolini
at the bottleneck almost never is it. If you ever reach a point where pf is giving you trouble, then I'm guessing you're a backbone with tons of GB/s of traffic. And even then it can be adjusted to not give you trouble. Clearer now? Cheers, Giancarlo Razzolini

Re: pf vs mp

2015-09-01 Thread Giancarlo Razzolini
n to go through with a single core. If you're only using pf, dhcpd and dns server, it will work. But don't expect it to scale too well if your small office becomes a medium sized office. Cheers, Giancarlo Razzolini

Re: pf vs mp

2015-08-31 Thread Giancarlo Razzolini
s (yet) from MP, it doesn't mean these other programs won't. That being said, you'll probably be ok with a single core. But, if your machine has no problems with it, using MP won't hurt, and will definitely improve your performance. Cheers, Giancarlo Razzolini

Swap block device changed

2015-08-24 Thread Giancarlo Razzolini
, and I had to hard reset it. These events had nothing to do with the OpenBSD machine per se. Since the OpenBSD machine is using the virtio ballooned memory, I guess it might have something to do with it, but I fail to see exactly what. Anyone got any clues? Cheers, Giancarlo Razzolini

Re: Openbsd 5.7: IPv6 autoconf not working

2015-08-19 Thread Giancarlo Razzolini
. But, there is a catch. My ISP can remotely configure which LAN ports work and which don't. In mine, only the first 3 ethernet ports work, the remaining don't. Check if you're using the first port, try changing them. And ask your provider to enable the other ports if it doesn't. Cheers, Giancarlo

Re: redirect nor vpn (as I know it) solves this problem

2015-08-19 Thread Giancarlo Razzolini
have an L2 VPN to your OpenBSD machine, so that you would effectively be inside the same network the machine is. Your problem isn't unsolvable. Cheers, Giancarlo Razzolini

Re: Multiple VLANs PF rules

2015-08-19 Thread Giancarlo Razzolini
the OpenBSD machine can communicate with every network and every machine on it, you have plenty of options. Cheers, Giancarlo Razzolini

Re: Multiple VLANs PF rules

2015-08-19 Thread Giancarlo Razzolini
routing protocol for this, but just simple firewall rules to allow or deny the traffic. You won't need to. The pf man pages are great, and they provide lots of examples. Also, if you take some time to learn BNF, it will surely help you. Cheers, Giancarlo Razzolini

Re: DHCPv6 server - send_packet6: Network is unreachable

2015-08-18 Thread Giancarlo Razzolini
only and DHCPv6 is UDP based, just as DHCPv4 is. So your ruleset must accommodate for that. Cheers, Giancarlo Razzolini

Re: Openbsd 5.7: IPv6 autoconf not working

2015-08-18 Thread Giancarlo Razzolini
connectivity. But, not every manufacturer is fond of RFCs. Cheers, Giancarlo Razzolini [0] https://tools.ietf.org/html/rfc7084

Re: DHCPv6 server - send_packet6: Network is unreachable

2015-08-17 Thread Giancarlo Razzolini
communication with them. You can also try to disable PF and turn on ndp debugging, net.inet6.icmp6.nd6_debug. Cheers, Giancarlo Razzolini

Re: DHCPv6 server - send_packet6: Network is unreachable

2015-08-17 Thread Giancarlo Razzolini
be minimal, if you do so only on LAN interfaces. Cheers, Giancarlo Razzolini

Re: DHCPv6 server - send_packet6: Network is unreachable

2015-08-17 Thread Giancarlo Razzolini
with -current. So, it might be worth it. Cheers, Giancarlo Razzolini

Re: DHCPv6 server - send_packet6: Network is unreachable

2015-08-17 Thread Giancarlo Razzolini
otherwise, your OpenBSD firewall will happily route any incoming packets directly to their intended destination. Keep that in mind when writing your ruleset. Cheers, Giancarlo Razzolini [0] https://tools.ietf.org/html/rfc4861

Re: reply-to for blocked packets

2015-08-04 Thread Giancarlo Razzolini
, Giancarlo Razzolini

Re: Docker on OpenBSD?

2015-08-04 Thread Giancarlo Razzolini
(if you can call them that) being lazy. I bet that a lot of the good old fashioned admins got replaced by a new devop who can deploy everything really fast cutting every corner possible. And people still want it to be ported to OpenBSD. Cheers, Giancarlo Razzolini

Re: Docker on OpenBSD?

2015-08-04 Thread Giancarlo Razzolini
On 04-08-2015 18:28, openda...@hushmail.com wrote: a) Discourse is not a conventional Rails app. It has been abstracted to the point of insanity and will require you to make a ton of modifications and disable a ton of stuff if you decide to go that route, Kind of figured. To me, any system

Re: Docker on OpenBSD?

2015-08-04 Thread Giancarlo Razzolini
their software is stupid and tries to verify if you're inside a docker and refuses to run if not. Cheers, Giancarlo Razzolini

Re: Docker on OpenBSD?

2015-08-04 Thread Giancarlo Razzolini
and install something, that can, with some work and thinking, be installed on the metal. This is wrong. And is also part of the security problem. Cheers, Giancarlo Razzolini

Re: reply-to for blocked packets

2015-08-03 Thread Giancarlo Razzolini
, Giancarlo Razzolini

Re: Maintaining CAs not in cert.pem

2015-07-31 Thread Giancarlo Razzolini
On 31-07-2015 03:07, Peter Hessler wrote: this is a real problem for real people. Which was pretty much solved with PKP [0]. As I mentioned, custom CAs have their uses, but in the end, they are just one more thing waiting to bite you in the ass. You can pretend to have a decent OPSEC for a

Re: Maintaining CAs not in cert.pem

2015-07-30 Thread Giancarlo Razzolini
for getting free (valid) certificates. Cheers, Giancarlo Razzolini

Re: Maintaining CAs not in cert.pem

2015-07-30 Thread Giancarlo Razzolini
warnings, they got their uses. But, as it is becoming clearer and clearer to the OP, you need to maintain it yourself, and not screw up. Cheers, Giancarlo Razzolini

Re: OpenBSD machine was hacked

2015-07-28 Thread Giancarlo Razzolini
this out. Cheers, Giancarlo Razzolini

Re: IPV6 routing issue

2015-07-28 Thread Giancarlo Razzolini
. Unless I use NDP proxying, I can't do normal routing. As I stated, I did a bridge. When I have some free time I'll visit the NDP proxy again. Perhaps I'll be able to port some of the existing solutions to OpenBSD. Cheers, Giancarlo Razzolini

Re: Firewall question: is using a NIC with multiple jacks considered insecure?

2015-07-27 Thread Giancarlo Razzolini
On 27-07-2015 09:13, Kimmo Paasiala wrote: It's next to impossible to identify the make and model of the NIC that holds an IP address With IPv6 and poor configuration, a remote attacker already has that information. MAC addresses reveal a lot of information about a NIC. Cheers, Giancarlo

Re: ipv6 kernel pppoe + slaac problem

2015-07-27 Thread Giancarlo Razzolini
it because of plain and simple lack of knowledge. Cheers, Giancarlo Razzolini

Re: Alleged OpenSSH bug

2015-07-24 Thread Giancarlo Razzolini
On 24-07-2015 14:27, Kevin Chadwick wrote: The guidance is to use pubkey or long passwords in which case you should either have no problem or notice the cpu cycles if you're an admin worth any salt. There are tons of info regarding OpenSSH best practices. The link below [1] is one of them. I

Re: Alleged OpenSSH bug

2015-07-24 Thread Giancarlo Razzolini
sorted things out with the OP. But, truth is, that this bug is being sold by others, including news sites, as The BUG. It's hard to stay over the fence when things like this happen. Perhaps I need to drink less coffee and see what that thing called meditation is all about. Cheers, Giancarlo Razzolini

Re: Alleged OpenSSH bug

2015-07-23 Thread Giancarlo Razzolini
, it was provided because people are lazy, and wouldn't fix their own PAM configuration. Cheers, Giancarlo Razzolini

Re: Alleged OpenSSH bug

2015-07-23 Thread Giancarlo Razzolini
available to test it. But it seems to be the only OS affected. I'm betting that they have some bad interaction between the openssh configuration and their PAM configuration. Cheers, Giancarlo Razzolini

Re: Alleged OpenSSH bug

2015-07-23 Thread Giancarlo Razzolini
. But that could perhaps be overcome with some kind of distributed attack, with many connections opened. Cheers, Giancarlo Razzolini

Re: Alleged OpenSSH bug

2015-07-23 Thread Giancarlo Razzolini
to affect only FreeBSD. But it's bad, and affects a lot of versions, dating back to 2007. And also, as I guessed, interaction with PAM is the culprit. Cheers, Giancarlo Razzolini

Re: nat on addresses with different default routes

2015-07-17 Thread Giancarlo Razzolini
it using (egress). Since your interfaces will have default routes, they will be all part of the egress group. You can exploit that. Use tags and tcpdump to debug your rules, I believe you can find a solution. Cheers, Giancarlo Razzolini

Re: nat on addresses with different default routes

2015-07-17 Thread Giancarlo Razzolini
years ago. Things have changed. But some didn't. Cheers, Giancarlo Razzolini

Re: PPPOE issue

2015-07-17 Thread Giancarlo Razzolini
a broken configuration where more than one concentrator would reply. They eventually fixed it, but I had to debug a lot to get to this. Perhaps you're seeing something similar. But without more information it's difficult to know. Cheers, Giancarlo Razzolini

Re: SOHO IPv6 router problems

2015-07-13 Thread Giancarlo Razzolini
to be allowed both on the router and clients. Cheers, Giancarlo Razzolini

Re: SOHO IPv6 router problems

2015-07-13 Thread Giancarlo Razzolini
with it for a while. But my ISP is implementing native IPv6 and sooner or later I'll have to deal with this. So will you. Cheers, Giancarlo Razzolini

Re: SOHO IPv6 router problems

2015-07-13 Thread Giancarlo Razzolini
, there will be a lot of people that will be caught off guard, especially because almost every OS (except OpenBSD) will automatically configure IPv6 if present. Cheers, Giancarlo Razzolini

Re: nat on addresses with different default routes

2015-07-09 Thread Giancarlo Razzolini
if the openbsd base dhclient has it, but you could possibly use one that is in ports and make it not add the default routes. And, you could make it call a script that creates them. They need to be created with the -mpath modifier anyway. Cheers, Giancarlo Razzolini
