How to debug IPSec and PF problem
Hi all,

I've got a VPN running between two networks. Works fine for basically everything and very easy to setup, kudos to the guys that worked on ipsecctl and isakmpd.

I have one problem though that I am trying to debug.

Network looks like this:

192.168.11.250   # Asterisk1
      |
      |
192.168.11.1     # OpenBSD1 4.3
      |
      |          # VPN
      |
192.168.4.1      # OpenBSD2 4.3
      |
      |
192.168.4.250    # Asterisk2

Firstly, I can ssh from any box to any box over the VPN. This works fine. So the basic VPN is functional.

Secondly, 192.168.4.1 has several different routes out of it and a fairly complex setup in pf.conf and this is what I think I have misconfigured.

I am trying to setup an IAX2 (port 4569) from asterisk1 to asterisk2. The traffic is running and I get the traffic flowing from one end to the other, but return traffic is getting blocked or misrouted.

Tcpdump on 192.168.4.250 eth0: I see the packets from 192.168.11.250 arriving and packets from 192.168.4.250 leaving.
Tcpdump on 192.168.4.1 enc0: I see the packets from 192.168.11.250 arriving and packets from 192.168.4.250 leaving.
Tcpdump on 192.168.11.1 enc0: I only see the 192.168.11.250 packets.
Tcpdump on 192.168.11.250 eth0: I only see the 192.168.11.250 packets.

I have disabled any firewalls on both asterisk boxes, but this makes no change. Disabling pf on the 192.168.11.1 box makes no change. I can't disable pf on 192.168.4.1 right now (could schedule a time later).

I believe the problem is somewhere in 192.168.4.1's pf.conf or route table.

Now, I know this email contains nowhere near all the data needed to debug this by someone on list, but I want to work it out myself and I have a few questions.

1) Is the ipsec tunnel just treated like a standard interface by PF?

2) How and when does the ipsec tunnel grab packets to send through the tunnel? I can't see any route entries or the like. I assume it attaches somehow the same way PF does and intercepts packets.

And probably most importantly:

3) What is the best way to find what rule in PF is matching the IAX UDP packet stream? I'm not getting anywhere with eyeballing it.

If I can find how the packet is moving through the stack, I am sure I can fix the darn thing.

Thanks
Mikel
Re: Longest Uptime?
new_guy wrote: I know. Longest uptime is silly, macho, pointless stuff... but I ran across an old SunOS 2.6 box that had been up for 387 days. It had been hacked. The only reason it was not an open mail relay is that /var was full. So, I thought to myself, I bet I could run an OpenBSD box for that amount of time or longer without getting hacked and without doing much to it. Just wondering what's the longest OpenBSD uptime some folks on misc have seen? Thanks

Hmm, what about 180-190 days uptime max? Afaik you need to reboot your OpenBSD when you upgrade in May and November...

guido
Re: NTFS-3G Stable Read/Write Driver ready to merge on cvs obsd ?
Heimdall Imbert [EMAIL PROTECTED] writes: Hahaha, I wanted to say the same thing but figured that this wouldn't be an appropriate venue for a discussion of this nature. But since someone else brought it up, I figure I might as well add my two cents. I currently run Debian and Windows XP on my laptop and I use it as a learning tool (because I am nowhere near a guru unlike many of the people here!). LEGO is a learning tool too. So are picture books and dolls. I don't think that word means what you think it means. //art
Re: How to debug IPSec and PF problem
On Wed, 29 Oct 2008 17:01:21 +1100, Mikel Lindsaar wrote: Hi all, I've got a VPN running between two networks. Works fine for basically everything and very easy to setup, kudos to the guys that worked on ipsecctl and isakmpd. I have one problem though that I am trying to debug. Network looks like this: 192.168.11.250# Asterisk1 | | 192.168.11.1# OpenBSD1 4.3 | | # VPN | 192.168.4.1 # OpenBSD2 4.3 | | 192.168.4.250 # Asterisk2 Firstly, I can ssh from any box to any box over the VPN. This works fine. So the basic VPN is functional. Secondly, 192.168.4.1 has several different routes out of it and a fairly complex setup in pf.conf and this is what I think I have misconfigured. I am trying to setup an IAX2 (port 4569) from asterisk1 to asterisk2. The traffic is running and I get the traffic flowing from one end to the other, but return traffic is getting blocked or misrouted. Tcpdump on 192.168.4.250 eth0 I see the packets from 192.168.11.250 arriving and packets from 192.168.4.250 leaving. Tcpdump on 192.168.4.1 enc0 I see the packets from 192.168.11.250 arriving and packets from 192.168.4.250 leaving. Tcpdump on 192.168.11.1 enc0 I only see the 192.168.11.250 packets. Tcpdump on 192.168.11.250 eth0 I only see the 192.168.11.250 packets. I have disabled any firewalls on both asterisk boxes, but this makes no change. Disabling pf on the 192.168.11.1 box makes no change. I can't disable pf on 192.168.4.1 right now (could schedule a time later) I believe the problem is somewhere in 192.168.4.1's pf.conf or route table. Now, I know this email contains no where near all the data needed to debug this by someone on list, but I want to work it out myself and I have a few questions. 1) Is the ipsec tunnel just treated like a standard interface by PF? 2) how and when does the ipsec tunnel grab packets to send through the tunnel? I can't see any route entries or the like. I assume it attaches somehow the same way PF does and intercepts packets. 
And probably most importantly: 3) What is the best way to find what rule in PF is matching the IAX UDP packet stream? I'm not getting anywhere with eyeballing it. If I can find how the packet is moving through the stack, I am sure I can fix the darn thing. Thanks Mikel

By your statement "I can ssh from any box to any box over the VPN" I understand you to mean from any LAN host at either end to any LAN host at the other. Is that correct?

If so why would traffic from one LAN host at the 192.168.4. end be any different to the others? There is nothing magic about asterisk.

I suggest that you traceroute from 192.168.4.250 to the other asterisk and see just where those packets go. I have a funny feeling they are heading out to the cloud naked rather than through IPsec. Of course if that is true there will be no reply after they hit the $ext_if in the near-end router.

I don't know how you would manage to get this situation without screwing up the other hosts on the same LAN but then you have not shown any configurations at all so I have to use my personal ESP which has less than 6/6 vision.

FYI your inet routing table gives no hint to packets as to which path to choose involving IPsec. If they don't match your ipsec.conf they don't go up the tunnel.

If you need more help you need to supply more info.

/R

*** NOTE *** Please DO NOT CC me. I am subscribed to the list. Mail to the sender address that does not originate at the list server is tarpitted. The reply-to: address is provided for those who feel compelled to reply off list. Thank you.

Rod/
/earth: write failed, file system is full
cp: /earth/creatures: No space left on device
Re: Longest Uptime?
new_guy [EMAIL PROTECTED] writes: I know. Longest uptime is silly, macho, pointless stuff... but I ran across an old SunOS 2.6 box that had been up for 387 days. It had been hacked. The only reason it was not an open mail relay is that /var was full. So, I thought to myself, I bet I could run an OpenBSD box for that amount of time or longer without getting hacked and without doing much to it. Just wondering what's the longest OpenBSD uptime some folks on misc have seen? 7:52AM up 6134 days, 16:36, 3 users, load averages: 0.52, 0.47, 0.43 http://www.blahonga.org/~art/diffs/epenis-enlargement.20060210 //art
Re: Longest Uptime?
On Tue, Oct 28, 2008 at 11:45 PM, Guido Tschakert [EMAIL PROTECTED] wrote: Hmm, what about 180-190 days uptime max? Afaik you need to reboot your OpenBSD when you upgrade in May and November... guido Just hope an important kernel update doesn't come by within those six months. ;)
Re: How to debug IPSec and PF problem
-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Rod Whitworth Sent: Wednesday, 29 October 2008 07:47 To: OpenBSD general usage list Subject: Re: How to debug IPSec and PF problem

On Wed, 29 Oct 2008 17:01:21 +1100, Mikel Lindsaar wrote: Hi all, I've got a VPN running between two networks. Works fine for basically everything and very easy to setup, kudos to the guys that worked on ipsecctl and isakmpd. I have one problem though that I am trying to debug. Network looks like this: 192.168.11.250# Asterisk1 | | 192.168.11.1# OpenBSD1 4.3 | | # VPN | 192.168.4.1 # OpenBSD2 4.3 | | 192.168.4.250 # Asterisk2 Firstly, I can ssh from any box to any box over the VPN. This works fine. So the basic VPN is functional. Secondly, 192.168.4.1 has several different routes out of it and a fairly complex setup in pf.conf and this is what I think I have misconfigured. I am trying to setup an IAX2 (port 4569) from asterisk1 to asterisk2. The traffic is running and I get the traffic flowing from one end to the other, but return traffic is getting blocked or misrouted. Tcpdump on 192.168.4.250 eth0 I see the packets from 192.168.11.250 arriving and packets from 192.168.4.250 leaving. Tcpdump on 192.168.4.1 enc0 I see the packets from 192.168.11.250 arriving and packets from 192.168.4.250 leaving. Tcpdump on 192.168.11.1 enc0 I only see the 192.168.11.250 packets. Tcpdump on 192.168.11.250 eth0 I only see the 192.168.11.250 packets. I have disabled any firewalls on both asterisk boxes, but this makes no change. Disabling pf on the 192.168.11.1 box makes no change. I can't disable pf on 192.168.4.1 right now (could schedule a time later) I believe the problem is somewhere in 192.168.4.1's pf.conf or route table. Now, I know this email contains no where near all the data needed to debug this by someone on list, but I want to work it out myself and I have a few questions. 1) Is the ipsec tunnel just treated like a standard interface by PF?
2) how and when does the ipsec tunnel grab packets to send through the tunnel? I can't see any route entries or the like. I assume it attaches somehow the same way PF does and intercepts packets. And probably most importantly: 3) What is the best way to find what rule in PF is matching the IAX UDP packet stream? I'm not getting anywhere with eyeballing it. If I can find how the packet is moving through the stack, I am sure I can fix the darn thing. Thanks Mikel By your statement I can ssh from any box to any box over the VPN. I understand you to mean from any LAN host at either end to any LAN host at the other. Is that correct? If so why would traffic from one LAN host at the 192.168.4. end be any different to the others? There is nothing magic about asterisk. I suggest that you traceroute from 192.168.4.250 to the other asterisk and see just where those packets go. I have a funny feeling they are heading out to the cloud naked rather than through IPsec. Of course if that is true there will be no reply after they hit the $ext_if in the near-end router. I don't know how you would manage to get this situation without screwing up the other hosts on the same LAN but then you have not shown any configurations at all so I have to use my personal ESP which has less than 6/6 vision. FYI your inet routing table gives no hint to packets as to which path to choose involving IPsec. If they don't match your ipsec.conf they don't go up the tunnel. If you need more help you need to supply more info. /R *** NOTE *** Please DO NOT CC me. I am subscribed to the list. Mail to the sender address that does not originate at the list server is tarpitted. The reply-to: address is provided for those who feel compelled to reply off list. Thankyou. Rod/ /earth: write failed, file system is full cp: /earth/creatures: No space left on device

Hi,

I think

1. netstat -rn -f encap should show 2 entries for your IPSEC tunnel, one for each direction.

2. tcpdump -lenvvvi pflog0 will show packets being blocked or let pass, including the number of the rule which was applied (if you have logging enabled in your pf.conf).

3. tcpdump on the other interfaces of your bsd boxes might help to discover the missing packets (if, as Rod suspects, they are just routed into the cloud).

Regards
Christoph
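To make Christoph's second point concrete, here is an added Python script (not from the thread) that reads the output of tcpdump -lenvvvi pflog0 and lists, per direction of the IAX2 conversation, which pf rule each packet hit. The log lines inside it are constructed for this example and trimmed of tcpdump's trailing checksum/ttl detail; the record layout is assumed to follow OpenBSD's pflog formatting.

```python
"""Parse pflog output and show which pf rule each packet of a flow hit."""
import re
from typing import Dict, List, Tuple

# Constructed sample of "tcpdump -lenvvvi pflog0" output (OpenBSD 4.x layout,
# trailing checksum/ttl/id detail trimmed).  Addresses follow the thread:
# 192.168.11.250 and 192.168.4.250 are the two Asterisk boxes, IAX2 is UDP 4569.
SAMPLE_PFLOG = """\
Oct 29 17:02:10.123456 rule 12/(match) pass in on enc0: 192.168.11.250.4569 > 192.168.4.250.4569: udp 24
Oct 29 17:02:10.123601 rule 15/(match) pass out on em1: 192.168.11.250.4569 > 192.168.4.250.4569: udp 24
Oct 29 17:02:10.131207 rule 7/(match) block in on em1: 192.168.4.250.4569 > 192.168.11.250.4569: udp 24
Oct 29 17:02:10.131410 rule 0/(match) pass out on em0: 192.168.4.250.4569 > 192.168.11.250.4569: udp 24
Oct 29 17:02:11.000001 rule 3/(match) pass in on em1: 192.168.4.250.51022 > 192.168.11.250.22: tcp 60
this line is not a pflog record and is skipped
"""

# Tolerates both "rule 12/(match)" and the older "rule 12/0(match):" spelling.
PFLOG_RE = re.compile(
    r"^(?P<ts>\w+ +\d+ [\d:.]+) rule (?P<rule>\d+)/\d*\(match\):? "
    r"(?P<action>pass|block|match) (?P<dir>in|out) on (?P<iface>[\w.]+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<proto>udp|tcp)\b"
)

Record = Dict[str, str]
Hit = Tuple[int, str, str, str]  # (rule number, action, direction, interface)


def parse_pflog(text: str) -> List[Record]:
    """Turn pflog text into records; lines that do not parse are dropped."""
    records = []
    for line in text.splitlines():
        m = PFLOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def flow_hits(records: List[Record], a: str, b: str, port: int,
              proto: str = "udp") -> Dict[str, List[Hit]]:
    """Split the a<->b conversation on `port` into forward and return packets
    and list, in log order, the rule each packet hit.  A symmetric-port flow
    like IAX2 (4569 -> 4569) is matched when either end uses `port`."""
    hits: Dict[str, List[Hit]] = {"forward": [], "return": []}
    for r in records:
        if r["proto"] != proto or port not in (int(r["sport"]), int(r["dport"])):
            continue
        if (r["src"], r["dst"]) == (a, b):
            key = "forward"
        elif (r["src"], r["dst"]) == (b, a):
            key = "return"
        else:
            continue
        hits[key].append((int(r["rule"]), r["action"], r["dir"], r["iface"]))
    return hits


def blocking_rules(hits: Dict[str, List[Hit]]) -> Dict[str, List[int]]:
    """Rule numbers that blocked packets, per direction.  An empty list means
    no drop was logged: either the flow really passes, or the packets never
    reached the ruleset because an existing state entry claimed them."""
    return {d: [rule for rule, action, _, _ in lst if action == "block"]
            for d, lst in hits.items()}


def report(text: str, a: str, b: str, port: int, proto: str = "udp") -> str:
    """Human-readable summary of which rules the flow hit in each direction."""
    hits = flow_hits(parse_pflog(text), a, b, port, proto)
    lines = []
    for direction, lst in hits.items():
        src, dst = (a, b) if direction == "forward" else (b, a)
        lines.append(f"{direction} ({src} -> {dst})")
        for rule, action, d, iface in lst:
            lines.append(f"  rule {rule}: {action} {d} on {iface}")
    for direction, rules in blocking_rules(hits).items():
        if rules:
            lines.append(f"{direction} direction dropped by rule(s): "
                         + ", ".join(map(str, rules)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_PFLOG, "192.168.11.250", "192.168.4.250", 4569))
```

Only packets evaluated against a logging rule show up here; packets claimed by an existing state entry never reach the ruleset, which is why a stale state (the culprit Mikel later found and cleared with pfctl -k) leaves no trace in pflog.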
Re: Capture serial port output to a file
On Tuesday 28 October 2008, Marc Balmer wrote: * Bruce Bauer wrote: Problem: OpenBSD 4.2 on i386. Serial port /dev/cua00 connected to the console port on a firewall. I need to catch all text output from the serial port to a file. The process doing this must survive a loss of network. The box is running headless. I could suggest you run cu in a screen session. I have used cu ... | tee logfile in the past, but there are possibly more elegant solutions

I've never tried using tee(1) but it is more elegant than using the default solution provided by tip/cu/remote.

As is often the case, the wanted feature is in base, and has been there long enough for most people to both forget about it, and to some degree, most people no longer understand the language used to describe the features in the man page. The language used in man tip(1) and man remote(5) is accurate, but the problem is you'd need to be ancient to know what the language means.

The problematic term in the man pages is "script" since it basically means "log file". In remote(5) you'll see an option for "re" which is a string to define to a path/filename, and an option for "sc" boolean which tells tip to turn on scripting. The boolean options are turned on by just listing them (without the =1 =on =true nonsense).

Here's the default entry for tty00 in /etc/remote

tty00|For hp300,i386,mac68k,macppc,mvmeppc,vax:\
        :dv=/dev/tty00:tc=direct:tc=unixhost:

Here's the entry for my tty00 in /etc/remote

tty00|For hp300,i386,mac68k,macppc,mvmeppc,vax:\
        :dv=/dev/tty00:tc=direct:sc:re=/home/jcr/tip.txt:tc=unixhost:

If I do a simple

# tip tty00

And boot the serial connected host, everything shows up on screen just like always *BUT* all of the output is also written to the given file.

You might also want to look over the beautify (be), line ending and escape sequence stuff in man remote(5) to tweak the text file output to your liking.

-- jcr
Re: Longest Uptime?
new_guy wrote: I know. Longest uptime is silly, macho, pointless stuff... but I ran across an old SunOS 2.6 box that had been up for 387 days. It had been hacked. The only reason it was not an open mail relay is that /var was full. So, I thought to myself, I bet I could run an OpenBSD box for that amount of time or longer without getting hacked and without doing much to it. Just wondering what's the longest OpenBSD uptime some folks on misc have seen? Thanks

It is not the size of your uptime that matters, it is what you do with it.

Gilles
Re: J.C. Roberts [EMAIL PROTECTED] saiz OpenBSD. --We won't miss you.
-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of bofh Sent: Tuesday, 28 October 2008 16:13 To: OpenBSD general usage list Subject: Re: J.C. Roberts [EMAIL PROTECTED] saiz OpenBSD. --We won't miss you.

On Tue, Oct 28, 2008 at 9:55 AM, Kevin Wilcox [EMAIL PROTECTED] wrote: 2008/10/28 Owain Ainsworth [EMAIL PROTECTED]: On Tue, Oct 28, 2008 at 05:37:24AM -0700, Neko wrote: git a life [EMAIL PROTECTED]:~$ git clone a://life Initialized empty Git repository in /home/oga/life/.git/ fatal: I don't handle protocol 'a' Didn't anyone ever tell you not to run arbitrary commands you read on a mailing list? grin I dunno. I once typed in :(){ :|: };: that I read on a mailing list into my bash shell but it did nothing to my openbsd box. Nor my osx box. Linux boxes otoh

I tried on linux (rhel5), where it generated lots of "-bash: fork: Resource temporarily unavailable" messages. After running it once, a single colon on the commandline gave the same effect, which was the clue to what happened.

On linux bash :(){ :|: };: defines a function calling itself recursively in the background

: () { : | : }

The last colon then calls this function.

I'm not a shell expert. Is this behaviour expected? I found that I can define functions '+', '-', '/', '?' etc.
Re: OPENVAS on OpneBSD [was Re: PCI Compliant Vulnerability Scanner]
Simon,

I have nearly completed a port of OpenVAS for OpenBSD. I have it running but a few things to resolve before submitting to the ports.

Regards
Nigel Taylor

Simon Slaytor wrote: Dorian Büttner wrote: Looking for openvas? http://www.derkeiler.com/Mailing-Lists/securityfocus/pen-test/2005-11/0067.html I've been looking at OpenVAS, has anyone got it working under OpenBSD?
Re: Using OpenBGPD as a route-server
On Tue, Oct 28, 2008 at 04:24:02PM +0100, Hans Vosbergen wrote: Hi Misc, I am trying to make OpenBGPD work as a route-server for a little hobby project I am working on. As it's very hard to find configuration examples for this usage on the web i have to turn here.

What I am trying to achieve:
- A route-server acting as a transparent route distributor.
- Control by neighbours who their prefixes are announced to, based on communities.

Making OpenBGP work as a transparent AS was the easy part. However I'm stuck in the communities control part. How it is supposed to work, my route-server has AS1234 in my test environment. If a neighbour announces:

1. { community 1234:1234 } -- Their prefixes will be announced to EVERY other neighbour.
2. { community 1234:as } -- Their prefixes will ONLY be announced to AS, ie: 1234:8943 will only send the prefixes to AS8943.
3. { community 1234:1234 1234:AS } -- Their prefixes will be announced to every other neighbour EXCEPT AS.

I have been able to achieve the first 2 ways the prefix control should work, but I can't manage to get the 3rd to work. Before moving to OpenBGPD I managed to produce the way I want it to work in Quagga but I simply do not want to use that.

Would anyone have an idea on how to make OpenBGPD not announce prefixes to specific neighbours if they appear in the 1234:1234 1234:AS list?
The route server I set up uses more or less this config:

# global configuration
AS $ASNUM
router-id $IP
transparent-as yes
network $LAN

group RS {
        announce all
        max-prefix 5000 restart 15
        set nexthop no-modify
        # softreconfig in no
        neighbor $LAN {
                descr RS peer
                passive
        }
}

# filter out prefixes longer than 24 or shorter than 8 bits
deny from any prefixlen 8 <> 24

# do not accept a default route, multicast and experimental networks
deny from any prefix 0.0.0.0/0
deny from any prefix 10.0.0.0/8 prefixlen >= 8
deny from any prefix 127.0.0.0/8 prefixlen >= 8
deny from any prefix 169.254.0.0/16 prefixlen >= 16
deny from any prefix 172.16.0.0/12 prefixlen >= 12
deny from any prefix 192.0.2.0/24 prefixlen >= 24
deny from any prefix 192.168.0.0/16 prefixlen >= 16
deny from any prefix 224.0.0.0/4 prefixlen >= 4
deny from any prefix 224.0.0.0/4 prefixlen >= 4
deny from any prefix 240.0.0.0/4 prefixlen >= 4

# we set these communities to identify from where
# it learned a route:
match from any set community $ASNUM:neighbor-as

# 1. Prepend RS $ASNUM to *all* RS-Peers
match from group RS community $ASNUM:65500 set prepend-self 1

# 2. Prepend RS $ASNUM to *selected* RS-Peer N-times
#    (N can be 1 to 3)
match to group RS community 65501:neighbor-as set prepend-self 1
match to group RS community 65502:neighbor-as set prepend-self 2
match to group RS community 65503:neighbor-as set prepend-self 3

# 3. Do *not* announce to RS-Peers with AS
deny to group RS community $ASNUM:neighbor-as

# 4. Do *not* announce to *ANY* RS-Peers
deny to group RS community $ASNUM:65535

# 5. Prepend own announcement by one
match to group RS prefix $LAN set prepend-self 1

Works like a champ without any additional per peer config :)

-- 
:wq Claudio
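Below is an added Python model (not part of Claudio's config or of bgpd) of how numbered rules 1 to 5 in that config decide what each RS peer receives. It uses Hans's AS1234 as $ASNUM, a placeholder value for $LAN, and the filter semantics stated in its comments (top-to-bottom evaluation, match rules only applying their set actions, last matching deny winning, prepend counts assumed to add up); it also shows that Hans's third case, announce to everyone except AS, is just rule 3 here: the originating peer attaches 1234:AS.

```python
"""Model of the community-driven route-server policy in the config above."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

RS_AS = 1234             # $ASNUM: the route server's own AS (Hans's test value)
RS_LAN = "10.0.0.0/24"   # $LAN: placeholder for the exchange LAN prefix (assumed)


@dataclass
class Route:
    prefix: str
    from_as: int                       # RS peer that announced it
    communities: Set[Tuple[int, int]] = field(default_factory=set)


def ingress(route: Route) -> Route:
    """Inbound side of the filter: 'match from any set community
    $ASNUM:neighbor-as' tags the route with the announcing peer's AS, so the
    outbound rules can recognise where it came from."""
    tagged = Route(route.prefix, route.from_as, set(route.communities))
    tagged.communities.add((RS_AS, route.from_as))
    return tagged


def egress(route: Route, peer_as: int) -> Tuple[bool, int]:
    """Outbound decision for one RS peer: (announced?, prepend-self count).
    Modelled on how OpenBGPD evaluates filters: rules run top to bottom,
    'match' rules only apply their set actions, and the last allow/deny that
    matches decides; with no matching deny the route is allowed.  Assumption
    of this model: prepend counts from several matching rules add up."""
    c = route.communities
    allowed = True
    prepend = 0
    if (RS_AS, 65500) in c:             # rule 1: prepend once toward all peers
        prepend += 1
    for n in (1, 2, 3):                 # rule 2: peer-selected prepend depth
        if (65500 + n, peer_as) in c:
            prepend += n
    if (RS_AS, peer_as) in c:           # rule 3: never to this AS (the ingress
        allowed = False                 # tag also keeps a route off its source)
    if (RS_AS, 65535) in c:             # rule 4: to nobody
        allowed = False
    if route.prefix == RS_LAN:          # rule 5: RS's own prefix, prepended once
        prepend += 1
    return allowed, prepend


def distribute(route: Route, peers: List[int]) -> Dict[int, int]:
    """Map each peer AS that receives the route to the prepend count used."""
    tagged = ingress(route)
    out: Dict[int, int] = {}
    for peer in peers:
        ok, prepend = egress(tagged, peer)
        if ok:
            out[peer] = prepend
    return out


if __name__ == "__main__":
    peers = [8943, 200, 300, 400]
    # Hans's case 3: AS400 wants its prefix to reach everyone except AS8943.
    print(distribute(Route("203.0.113.0/24", 400, {(RS_AS, 8943)}), peers))
```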
Re: file encryption
Paul M wrote: I'm looking for a way to encrypt backup files for secure storage. Gpg is an obvious candidate, but I'm wondering if there's anything in base, perhaps a creative use of ssh or some other tool, though not something liable to break, obviously. Any thoughts would be much appreciated. paulm

i am surprised that nobody has pointed you at the manpages for bioctl and softraid. read these and you can see how to use crypto volumes with softraid. AFAICT most of the work done on bioctl and softraid should have made it into 4.4, if not you need to run current to get these features.
Re: How to debug IPSec and PF problem
On Wed, Oct 29, 2008 at 8:06 PM, Christoph Leser [EMAIL PROTECTED] wrote: On Wed, 29 Oct 2008 17:01:21 +1100, Mikel Lindsaar wrote: I've got a VPN running between two networks. Works fine for basically If so why would traffic from one LAN host at the 192.168.4. end be any different to the others? There is nothing magic about asterisk. 3. tcpdump on the other interfaces of your bsd boxed might help to discover the missing packets ( if, as Rod suspects, they are just routed into the cloud

OK, turns out the problem was a state entry. I did

pfctl -k 0.0.0.0/0 -k 192.168.11.250

and all was good.

Thanks for your pointers though.

Mikel
Re: J.C. Roberts [EMAIL PROTECTED] saiz OpenBSD. --We won't miss you.
On Wed, Oct 29, 2008 at 6:15 AM, Christoph Leser [EMAIL PROTECTED] wrote: I'm not a shell expert. Is this behaviour expected? wiki has a nice article on fork bombs. -- http://www.glumbert.com/media/shift http://www.youtube.com/watch?v=tGvHNNOLnCk This officer's men seem to follow him merely out of idle curiosity. -- Sandhurst officer cadet evaluation. Securing an environment of Windows platforms from abuse - external or internal - is akin to trying to install sprinklers in a fireworks factory where smoking on the job is permitted. -- Gene Spafford learn french: http://www.youtube.com/watch?v=j1G-3laJJP0feature=related
FFS file system driver for Windows 2000/XP/2003
Hi, guys, I just want to share this link I just found. Haven't tried it yet, but others may want to try it too. Given the results we get, it would be a good idea to include the link in the FAQ: How can I access my OpenBSD file system from Windows directly? http://ffsdrv.sourceforge.net/ Greetings!
Re: FFS file system driver for Windows 2000/XP/2003
On Wednesday 29 October 2008 14:55:58 Andris wrote: Hi, guys, I just want to share this link I just found. Haven't tried it yet, but others may want to try it too. Given the results we get, it would be a good idea to include the link in the FAQ: How can I access my OpenBSD file system from Windows directly? http://ffsdrv.sourceforge.net/

Please search archives before posting. This driver (and its bugs) is known. And it doesn't work with the contemporary OpenBSD FFS implementation, AFAIK.

-- Best wishes, Vadim Zhukov
Re: Capture serial port output to a file -Solved
Combining suggestions from several people.

I installed screen. This gives me an interactive screen that doesn't die when I disconnect the session.

Then in the screen session:

cu -l /dev/cua00 -t | tee /var/log/log.console

I can then kill my ssh connection, connect again and see that the screen and cu processes are still running. I can tail -f /var/log/log.console to see new output from the console.

Bonus: I can reconnect to the screen session to issue interactive commands to get more debugging info out of the device.

Thanks all

--- [EMAIL PROTECTED] wrote:
From: Nick Holland [EMAIL PROTECTED]
To: misc misc@openbsd.org
Subject: Re: Capture serial port output to a file
Date: Tue, 28 Oct 2008 22:03:58 -0400

Marc Balmer wrote: * Bruce Bauer wrote: Problem: OpenBSD 4.2 on i386. Serial port /dev/cua00 connected to the console port on a firewall. I need to catch all text output from the serial port to a file. The process doing this must survive a loss of network. The box is running headless. I could suggest you run cu in a screen session. I have used cu ... | tee logfile in the past, but there are possibly more elegant solutions

Not sure it is more elegant, but I mention it just because I was happy to find out about it: script(1). It's in base.

Nick.
4.4 in germany
Thank you all for the OpenBSD 4.4 CD set! Nice Pictures, nice stickers, nice song and great operating system :)
NATing traffic going into the ipsec tunnel
We need to connect to a vendor's network over VPN however they are telling us we need to NAT all the traffic going to their network. They also want publicly addressable IPs as the NATed address (go figure). I have read extensively and looked at manuals but can't quite get it working.

Set up is as follows:

1.1.1.1   - My network VPN endpoint
1.1.1.100 - My NAT address (I took it off the $ext_if)
2.2.2.1   - Vendor Network VPN endpoint
2.2.2.100 - Vendor NAT address

Vendor is running a TCP service on 2.2.2.100:5000 that I am trying to access from my network.

I have set up a VPN tunnel which seems to be in place, e.g. doing netstat -nr shows this:

Encap:
Source          Port  Destination     Port  Proto  SA(Address/Proto/Type/Direction)
2.2.2.100/32    0     1.1.1.100/32    0     0      2.2.2.1/esp/use/in
1.1.1.100/32    0     2.2.2.100/32    0     0      2.2.2.1/esp/require/out

Then per instructions in the following document http://fixunix.com/bsd/87865-nat-ipsec-openbsd-pf-isakmpd.html I did

ifconfig lo1 1.1.1.100/32
route add 2.2.2.100/32 1.1.1.100

If I do that I can ping the Vendor NAT address from the firewall itself but telnetting to port 2.2.2.100:5000 never connects.

Then I added

nat on lo1 from 10.0.8.0/24 to 2.2.2.100 -> 1.1.1.100

If I then try to ping 2.2.2.100 from e.g. 10.0.8.101 I get

From 10.0.8.254 icmp_seq=1 Time to live exceeded

If I try to telnet to 2.2.2.100:5000 I get

# telnet 2.2.2.100 5000
Trying 2.2.2.100...
telnet: connect to address 2.2.2.100: No route to host
telnet: Unable to connect to remote host: No route to host

If I try to sniff on lo1 I get

tcpdump -vvv -i lo1
tcpdump: listening on lo1, link-type LOOP
13:14:40.279954 10.0.8.101.55173 > 2.2.2.100.3128: S [tcp sum ok] 4262188680:4262188680(0) win 5840 <mss 1460,sackOK,timestamp 883518184 0,nop,wscale 7> (DF) [tos 0x10] (ttl 63, id 3738, len 60)
13:14:40.279982 10.0.8.101.55173 > 2.2.2.100.3128: S [tcp sum ok] 4262188680:4262188680(0) win 5840 <mss 1460,sackOK,timestamp 883518184 0,nop,wscale 7> (DF) [tos 0x10] (ttl 62, id 21751, len 60)
13:14:40.279993 10.0.8.101.55173 > 2.2.2.100.3128: S [tcp sum ok] 4262188680:4262188680(0) win 5840 <mss 1460,sackOK,timestamp 883518184 0,nop,wscale 7> (DF) [tos 0x10] (ttl 61, id 29876, len 60)

I even tried assigning 1.1.1.100 to the enc0 interface, which enables me to connect to 2.2.2.100:5000 from the firewall, but nat over enc0 doesn't work.

I would appreciate any help.

Thanks,
Vladimir
Re: Longest Uptime?
Hi,

Uptimes sucks. Here's the biggest i've ever seen in the company i work:

[EMAIL PROTECTED] ~]$ uname -a
SunOS optg998 5.6 Generic_105181-26 sun4u sparc SUNW,UltraSPARC-IIi-cEngine
[EMAIL PROTECTED] ~]$ uptime
3:40pm up 2639 day(s), 13:50, 1 user, load average: 0.08, 0.07, 0.06
[EMAIL PROTECTED] ~]$ date
Wed Oct 29 15:45:24 BRST 2008
[EMAIL PROTECTED] ~]$ psrinfo -v
Status of processor 0 as of: 10/29/08 15:41:07
Processor has been on-line since 08/08/01 00:50:54.
The sparc processor operates at 440 MHz, and has a sparc floating point processor.
[EMAIL PROTECTED] ~]$ dmesg | tail -5
SUNW,hme0: Using External Transceiver
SUNW,hme0: 100 Mbps half-duplex Link Up
dump on /dev/md/dsk/d50 size 2042608K
SUNW,hme0: Using External Transceiver
SUNW,hme0: full-duplex Link Up

Ok it's not OpenBSD, blame on me. But what i liked is that this machine is working for 2639 days and it still blinks green leds. The harddisk never gave up too. No errors on dmesg. It's a Netra T1 machine, running our internal DNS server. I think we'll replace it when it dies ;)

On Wed, Oct 29, 2008 at 7:15 AM, Gilles Chehade [EMAIL PROTECTED] wrote: new_guy wrote: I know. Longest uptime is silly, macho, pointless stuff... but I ran across an old SunOS 2.6 box that had been up for 387 days. It had been hacked. The only reason it was not an open mail relay is that /var was full. So, I thought to myself, I bet I could run an OpenBSD box for that amount of time or longer without getting hacked and without doing much to it. Just wondering what's the longest OpenBSD uptime some folks on misc have seen? Thanks It is not the size of your uptime that matters, it is what you do with it. Gilles
Re: Longest Uptime?
On Wed, Oct 29, 2008 at 1:49 PM, guilherme m. schroeder [EMAIL PROTECTED] wrote: Ok it's not OpenBSD, blame on me. But what i liked is that this machine is working for 2639 days and it stills blink green leds. The We bought 2 machines (together). Expensive ones. After putting them in, my peon walks around looking at them. One had a green blinking power led. All is well. The other had a red blinking power led. Peon went nuts looking in the documentation, etc etc. Diagnostics and everything seems to indicate the system is working. Called support up. After a while, they finally figured out what was the problem. The vendor neglected to spec the color of the power led, and had sourced it from 2 different factories. So, one factory put in a green led, and the other put in a red one. I have since made it my life's mission to tell every single one of their reps that in a data center, you only want to see green blinking lights, not red blinking lights. -- http://www.glumbert.com/media/shift http://www.youtube.com/watch?v=tGvHNNOLnCk This officer's men seem to follow him merely out of idle curiosity. -- Sandhurst officer cadet evaluation. Securing an environment of Windows platforms from abuse - external or internal - is akin to trying to install sprinklers in a fireworks factory where smoking on the job is permitted. -- Gene Spafford learn french: http://www.youtube.com/watch?v=j1G-3laJJP0feature=related
multiple subnets and gateways on CARP interface
I apologize in advance if this has already been covered. I searched the mailing lists and didn't see any mention of exactly this question.

So I have two redundant firewalls using CARP and NAT with one public subnet on the external interface and one private subnet on the internal interface. This is a fairly common setup and is easy to accomplish with PF of course. Now, my ISP has allocated a new, public subnet for me. I'm wanting to add to my existing subnet on the external side. I've seen only a handful of references to doing this on the mailing list, and none are very detailed.

Here is my current setup in /etc/hostname.carp0 (names and passwords changed to protect the innocent):
---
inet 1.1.1.194 255.255.255.224 1.1.1.223 vhid 1 carpdev bnx0 pass nopasswd
inet alias 1.1.1.195 255.255.255.255
inet alias 1.1.1.198 255.255.255.255
inet alias 1.1.1.199 255.255.255.255
inet alias 1.1.1.204 255.255.255.255

Clearly, I'm not hosting services on every available IP in this subnet at the moment. But that's beside the point. Also, I'm using a default gateway in /etc/mygate of:
---
1.1.1.193

Now, I want to allocate more addresses in this newly allocated subnet. So I just use the new subnet and netmask. But what about other addresses in that new subnet? Should I designate them with 255.255.255.255 and the kernel will figure out which subnet is which? Like such:
---
inet 1.1.1.194 255.255.255.224 1.1.1.223 vhid 1 carpdev bnx0 pass nopasswd
inet alias 1.1.1.195 255.255.255.255
inet alias 1.1.1.198 255.255.255.255
inet alias 1.1.1.199 255.255.255.255
inet alias 1.1.1.204 255.255.255.255
inet alias 2.2.2.66 255.255.255.192
inet alias 2.2.2.67 255.255.255.255
inet alias 2.2.2.68 255.255.255.255
inet alias 2.2.2.69 255.255.255.255

I also now have essentially two possible default gateways. But since my ISP doesn't provide any sort of dynamic routing, we're just going to assume the first subnet has the default gateway, as specified above in /etc/mygate.

But I still need to get the second subnet setup to route to in general, so I assume I want something like this in my hostname.carp0:
---
!route add -inet 2.2.2.64/26 2.2.2.65

Or do I also need a -host or -interface route setup too?

Now, assuming all of the above is in place as it should be, will traffic ultimately be coming and going via the proper IP addresses? I think I'm over analyzing this last part, but bear with me a second. Since my default gateway is going to be the 1.1.1.193 gateway, will traffic destined for addresses in my 2.2.2.64/26 come from the correct source address? I have lines like this in my PF rules at the moment:
---
binat on bnx0 from 192.168.1.80 to any -> 1.1.1.195
rdr on bnx0 proto tcp from any to 1.1.1.195 port www -> 192.168.1.80
.
.
(further down...)
pass in on bnx0 proto tcp from any to 192.168.1.80 port www

So once I add this newly allocated subnet, I assume I can simply put things like this:
---
binat on bnx0 from 192.168.1.50 to any -> 2.2.2.66
rdr on bnx0 proto tcp from any to 2.2.2.66 port www -> 192.168.1.50
.
.
(further down...)
pass in on bnx0 proto tcp from any to 192.168.1.50 port www

and not only will remote hosts on the public Internet be able to access a web server running on this internal, private host but they'll also see any connection attempts or responses from that private internal host as coming from 2.2.2.66, correct?

The routing part is the most confusing part for me as it seems to me like traffic will come in correctly from remote hosts, but as soon as the firewall tries to send back out, it will end up using the default gateway somehow and things will get all mucked up. But like I said, maybe I'm just over analyzing and it will all just work as it should!

Thanks for reading this far. I know that's a bunch of information and I hope I made it all as clear as possible.
--
Mark Nipper
e-contacts: [EMAIL PROTECTED], http://nipsy.bitgnome.net/, AIM/Yahoo: texasnipsy, ICQ: 66971617
12345 Lamplight Vlg 818, Austin, Texas 78758-2564, (979)575-3193

---begin random quote of the moment---
There's madness in my methods.
-- random sig seen on /. by Tough Love (215404)
---end random quote of the moment---
Re: Looking for EeePC 701
On Wed, Oct 29, 2008 at 06:45:11AM +0100, Marcus Glocker wrote:
> Hi Folks,
>
> We want to add USB BULK support for UVC devices in our uvideo(4) driver.
> There are not that many UVC devices around which do BULK transfers, but
> the advantage would be that BULK transfers are working a bit more stable
> than our current ISOC implementation and we could do some further testing.
>
> One device which I know for sure that has a built-in BULK capable device
> is the EeePC 701. If somebody would be willing to donate such a device
> to me, please contact me off-list.
>
> Thanks.
>
> Regards,
> Marcus

Hi Guys,

We've already got many offers in a very short period and one device should almost be on the way to me plus an additional device for one or two more developers. That's more than enough!

Many thanks for the great and quick support!

Best Regards,
Marcus

--
[ Marcus Glocker, [EMAIL PROTECTED], [EMAIL PROTECTED] ]
Re: Serial ATA RAID ctrl on PCI
For example:

# bioctl arc0
Volume  Status     Size           Device
 arc0 0 Online     199336448      sd0     RAID6
      0 Online     500107862016   0:0.0   noencl ST3500320AS SD15
      1 Online     500107862016   0:1.0   noencl ST3500630AS 3.AAG
      2 Online     500107862016   0:2.0   noencl ST3500320AS SD15
      3 Online     500107862016   0:3.0   noencl ST3500320AS SD15
      4 Online     500107862016   0:4.0   noencl ST3500320AS SD15
      5 Online     500107862016   0:5.0   noencl ST3500320AS SD15

# sysctl hw.sensors.arc0
hw.sensors.arc0.drive0=online (sd0), OK

From /etc/sensorsd.conf:
drive:command=echo %t failed with status: %s %2 on %x | mail -s `hostname` sensorsd CRITICAL \(RAID\) alarm

Stuart Henderson wrote:
> On 2008-10-28, Don Jackson [EMAIL PROTECTED] wrote:
>> On Oct 28, 2008, at 3:47 PM, Robert Franklin wrote:
>>> Did you read the man page for arc(4)? It says right there.
>>
>> I did, and I'm not seeing anything.
>
> ... arc supports alarm control and monitoring of volumes configured on the
> controllers via the bio(4) interface and the bioctl(8) utility. ...
congrats and update questions
Hi all,

First I'd like to give my congrats to all the OpenBSD dev team. The last time I used it was back in the 2.5 release. I decided to check it out again when an old alpha came into my hands recently, which was ideal for running particular services (replacement for an RS6000 that died). I also installed it today on a newer PA-RISC 8600 (smp is not yet there but I can live :)

Its simplicity, efficiency, maturity and the logic of the whole project made another happy sysadm (the rms thread in this list also contributed to this, omg :)) Well done again! (I needed to say this)

And a few quick questions since I haven't found relevant info online:

a) for how long is each release supported in terms of security patches (as well as important updates) after a new release is out? Does this apply to i386 only or to all the archs?

b) if the userland (make build in /usr/src) updating is forced to stop, how can you continue from the point where it stopped?

c) I chose to follow the -stable release OPENBSD_4_3. What happens when I update my sources with cvs up? Do I have to rebuild the whole thing again from scratch or does it detect the new diffs and compile/install only those? Are there any other working options available? I don't want to make a mess by playing with make args.

regards,
Giannis
Re: congrats and update questions
* Kapetanakis Giannis [EMAIL PROTECTED] [081029 15:32]:
> Hi all,
>
> First I'd like to give my congrats to all the OpenBSD dev team. The last time I used it was back in the 2.5 release. I decided to check it out again when an old alpha came into my hands recently, which was ideal for running particular services (replacement for an RS6000 that died). I also installed it today on a newer PA-RISC 8600 (smp is not yet there but I can live :)
>
> Its simplicity, efficiency, maturity and the logic of the whole project made another happy sysadm (the rms thread in this list also contributed to this, omg :)) Well done again! (I needed to say this)
>
> And a few quick questions since I haven't found relevant info online:
>
> a) for how long is each release supported in terms of security patches (as well as important updates) after a new release is out? Does this apply to i386 only or to all the archs?

Short answer: the two most current releases are supported.
http://www.openbsd.org/faq/faq5.html
Applies to all archs.

> b) if the userland (make build in /usr/src) updating is forced to stop, how can you continue from the point where it stopped?

make should be able to figure out what's built and what's not. Try another make build and see, or go conservatively with make clean, depend, and build to start from scratch.

> c) I chose to follow the -stable release OPENBSD_4_3. What happens when I update my sources with cvs up? Do I have to rebuild the whole thing again from scratch or does it detect the new diffs and compile/install only those?

Your question implies some unfamiliarity with the build tools and process. I recommend studying FAQ 5 as well as these:
http://www.openbsd.org/faq/current.html
http://www.openbsd.org/stable.html

> Are there any other working options available?

snapshots, as described in FAQ 5.

> I don't want to make a mess by playing with make args.
>
> regards,
> Giannis

Good luck!
Jim
new home box for secure data storage
I'll be setting up a new box for the house and I want to use OpenBSD for it, both for its security and since it will be an older box it will run better than with Debian.

Roles:
main firewall for dialup internet access.
fetchmail and sendmail to ISP smarthost
other simple stuff
(have another box for insecure stuff like watching videos, surfing the net with javascript and flash).

We've moved and now our main security threat is physical security. We don't want the data on the computer (i.e. in the /home directories) to be readable if someone steals the box.

I'm thinking I could go two routes:

1. encrypt all of /home with an encrypted virtualfs file. However, then the data is unencrypted whenever the box is powered on.

2. I wonder if there's a way to have per-user home directory encryption so that the user's directory is accessed/unencrypted/mounted (whatever the semantics) on login and recrypted/unmounted on logout.

Have swap and /tmp encrypted too. Also, perhaps per-user $TMP directories if I go with plan 2, above.

I think I want root to be able to mount/access the directories so that the data can be included in a backup set (which is then piped through openssl for encryption) on a file-by-file basis rather than just backing up a filesystem image and risking the whole thing if that image becomes corrupted.

Ideas? What do others do to secure /home? I read on undeadly an idea of putting the /home filesystem on a removable drive and putting it into a safe but then you have to have the safe mounted securely.

Doug.
Re: new home box for secure data storage
On Wed, Oct 29, 2008 at 04:14:22PM -0400, Douglas A. Tutty wrote:
> I'll be setting up a new box for the house and I want to use OpenBSD for it, both for its security and since it will be an older box it will run better than with Debian.
>
> Roles:
> main firewall for dialup internet access.
> fetchmail and sendmail to ISP smarthost
> other simple stuff
> (have another box for insecure stuff like watching videos, surfing the net with javascript and flash).
>
> We've moved and now our main security threat is physical security. We don't want the data on the computer (i.e. in the /home directories) to be readable if someone steals the box.

If someone knowledgeable enough has physical access to the running box, you can't keep the data private.
How to Organize a Results-Oriented Training Department
How to Organize a Results-Oriented Training Department
Mexico City - November 6
Last Presentation of the Year!

As the person responsible for the Human Resources or Training area, you are aware that the failure or consolidation of the company and its projects depends on the talent of its staff. However, given the traditional results of training, for many executives this work represents nothing but a waste of time and money, so your challenge must be to ORGANIZE A TRAINING DEPARTMENT THAT IS TRULY RESULTS-ORIENTED...

Quality Training de México, through this valuable seminar, will give you the tools that will turn your training department into a catalyst for achieving your company's strategies and will help you identify the talent needed to do so.

Attend and learn how to direct training efforts to generate that talent, the various ways of organizing training activities, and the indicators of its effectiveness, obtaining among other benefits:
. Organizing the training department in the most effective way.
. Identifying talent needs precisely.
. Identifying the training modality suited to the organization and its objectives.
. Gaining the commitment and support of other departments for training.
. Ensuring that the investment in training pays off.

-Request a free brochure with the complete information about this seminar
Reply to this e-mail with the following details:
Seminar: How to Organize a Results-Oriented Training Department
Name:
Company:
Position:
Telephone:
City:
Or call us at 01.800.250.10.20 (toll-free).

This invitation was sent to: misc@openbsd.org
If you do not want future e-mails, reply nocap
Re: new home box for secure data storage
> I think I want root to be able to mount/access the directories so that
> the data can be included in a backup set (which is then piped through
> openssl for encryption) on a file-by-file basis rather than just backing
> up a filesystem image and risking the whole thing if that image becomes
> corrupted.

Most of your requests are pretty common and come up frequently enough you should be able to find the answers, but this part makes me wonder. So how does root have the key? Do you type it in every time you do a backup or is there a file called dontreadthis in /root? You could maybe do some tricks with cfs but it's a guaranteed shot in the foot.

> Ideas? What do others do to secure /home?

I don't let people steal my computers.
Re: new home box for secure data storage
On Wednesday 29 October 2008 16:41:36 Almir Karic wrote:
> On Wed, Oct 29, 2008 at 04:14:22PM -0400, Douglas A. Tutty wrote:
>> I'll be setting up a new box for the house and I want to use OpenBSD for it, both for its security and since it will be an older box it will run better than with Debian.
>>
>> Roles:
>> main firewall for dialup internet access.
>> fetchmail and sendmail to ISP smarthost
>> other simple stuff
>> (have another box for insecure stuff like watching videos, surfing the net with javascript and flash).
>>
>> We've moved and now our main security threat is physical security. We don't want the data on the computer (i.e. in the /home directories) to be readable if someone steals the box.
>
> If someone knowledgeable enough has physical access to the running box, you can't keep the data private.

That's true, but you can make it awfully hard to get the data. I know of someone who put his computer in a gun closet, which is a tall metal cabinet weighing many hundreds of pounds, secured with bolts inside the case to the cement wall in the basement. Could you get it? Sure: with enough effort and possibly explosives.

You can secure a computer pretty well. Just think heavy and bolted to a wall.

--STeve Andre'
Re: PostgreSQL Problems
Simon Connah wrote:
> Sorry if this is the wrong list, I debated whether to post it to ports but as it is not a problem with the port itself and is more a user problem (i.e I'm being stupid :)) I thought misc was probably more appropriate.
>
> Anyway I've been trying to get PostgreSQL setup on my 4.3 box and I'm not having much luck at all. I've followed the instructions in README.OpenBSD but I think I am missing something very simple here. Any help would be greatly appreciated. Thank you.
>
> It would probably be easier to post a log of all the steps I have taken so here it is:
>
> [Sun Oct 26 16:20:48 [EMAIL PROTECTED]:~]sudo su -
> [Sun Oct 26 16:20:52 [EMAIL PROTECTED]:~]passwd _postgresql
> Changing local password for _postgresql.
> New password:
> Retype new password:
> [Sun Oct 26 16:21:12 [EMAIL PROTECTED]:~]logout
> [Sun Oct 26 16:21:16 [EMAIL PROTECTED]:~]su - _postgresql
> Password:
> $ mkdir /var/postgresql/data
> $ initdb -D /var/postgresql/data -U postgres -A md5 -W
> The files belonging to this database system will be owned by user _postgresql.
> This user must also own the server process.
>
> The database cluster will be initialized with locale C.
>
> fixing permissions on existing directory /var/postgresql/data ... ok
> creating subdirectories ... ok
> selecting default max_connections ... 10
> selecting default shared_buffers/max_fsm_pages ... 400kB/2
> creating configuration files ... ok
> creating template1 database in /var/postgresql/data/base/1 ... FATAL: could not create shared memory segment: Cannot allocate memory
> DETAIL: Failed system call was shmget(key=1, size=1646592, 03600).
> HINT: This error usually means that PostgreSQL's request for a shared memory segment exceeded available memory or swap space. To reduce the request size (currently 1646592 bytes), reduce PostgreSQL's shared_buffers parameter (currently 50) and/or its max_connections parameter (currently 10).
> The PostgreSQL documentation contains more information about shared memory configuration.
> child process exited with exit code 1
> initdb: removing contents of data directory /var/postgresql/data
> $ logout
> sh: logout: not found
> $ exit
> [Sun Oct 26 16:23:32 [EMAIL PROTECTED]:~]sudo shutdown -r now
> Shutdown NOW!
> shutdown: [pid 30708]
> [Sun Oct 26 16:23:44 [EMAIL PROTECTED]:~]
> *** FINAL System shutdown message from [EMAIL PROTECTED] ***
> System going down IMMEDIATELY
>
> System shutdown time has arrived
> Connection to 192.168.1.15 closed by remote host.
> Connection to 192.168.1.15 closed.
> typhoon:~ simon$ ssh [EMAIL PROTECTED]
> ssh: connect to host 192.168.1.15 port 22: Connection refused
> typhoon:~ simon$ ssh [EMAIL PROTECTED]
> [EMAIL PROTECTED]'s password:
> Last login: Sun Oct 26 16:22:14 2008 from typhoon.local
> OpenBSD 4.3 (GENERIC) #2: Wed Oct 22 22:43:28 BST 2008
>
> Welcome to OpenBSD: The proactively secure Unix-like operating system.
>
> Please use the sendbug(1) utility to report bugs in the system.
> Before reporting a bug, please try to reproduce it with the latest
> version of the code. With bug reports, please try to ensure that
> enough information to reproduce the problem is enclosed, and if a
> known fix for it exists, include that as well.
>
> [Sun Oct 26 16:25:14 [EMAIL PROTECTED]:~]top
> [Sun Oct 26 16:25:36 [EMAIL PROTECTED]:~]su - _postgresql
> Password:
> $ initdb -D /var/postgresql/data -U postgres -A md5 -W
> The files belonging to this database system will be owned by user _postgresql.
> This user must also own the server process.
>
> The database cluster will be initialized with locale C.
>
> fixing permissions on existing directory /var/postgresql/data ... ok
> creating subdirectories ... ok
> selecting default max_connections ... 40
> selecting default shared_buffers/max_fsm_pages ... 28MB/179200
> creating configuration files ... ok
> creating template1 database in /var/postgresql/data/base/1 ... ok
> initializing pg_authid ... ok
> Enter new superuser password:
> Enter it again:
> setting password ... ok
> initializing dependencies ... ok
> creating system views ... ok
> loading system objects' descriptions ... ok
> creating conversions ... ok
> setting privileges on built-in objects ... ok
> creating information schema ... ok
> vacuuming database template1 ... ok
> copying template1 to template0 ... ok
> copying template1 to postgres ... ok
>
> Success. You can now start the database server using:
>
>     postgres -D /var/postgresql/data
> or
>     pg_ctl -D /var/postgresql/data -l logfile start
>
> $ pg_ctl -D /var/postgresql/data -l logfile start
> server starting
> $ createuser simon
> Shall the new role be a superuser? (y/n) n
> Shall the new role be allowed to create databases? (y/n) y
> Shall the new role be allowed to create more new roles? (y/n) y
> Password:
> createuser: could not connect to database postgres: FATAL: password authentication failed for user _postgresql
> $ createuser simon
> Shall the new role be a superuser? (y/n) n
> Shall the new role be allowed to create databases? (y/n) y
> Shall the new role be allowed to create more new roles? (y/n) y
> Password:
> createuser: could not connect to database postgres:
Management of HP Proliant DL and BL Series
I've got a few (10) HP DL and BL servers running OpenBSD. These are spread out over several sites and run our firewalls and monitoring servers. Trying to find the best way to monitor them for drive, psu failures etc. Has anyone had any success along this line? Looking at the various sites, the best option seems to be trying to get the HP Linux health drivers working to generate traps, but don't know if trying to do this is pie in the sky. What tools / options would you recommend? Mikel
Re: new home box for secure data storage
On Wed, Oct 29, 2008 at 09:41:36PM +0100, Almir Karic wrote:
> On Wed, Oct 29, 2008 at 04:14:22PM -0400, Douglas A. Tutty wrote:
>> I'll be setting up a new box for the house and I want to use OpenBSD for it, both for its security and since it will be an older box it will run better than with Debian.
>>
>> Roles:
>> main firewall for dialup internet access.
>> fetchmail and sendmail to ISP smarthost
>> other simple stuff
>> (have another box for insecure stuff like watching videos, surfing the net with javascript and flash).
>>
>> We've moved and now our main security threat is physical security. We don't want the data on the computer (i.e. in the /home directories) to be readable if someone steals the box.
>
> if someone knowledgeable enough has physical access to the running box, you can't keep the data private.

If the box is running but no users are logged in, why can't the data be encrypted and therefore private? This is my thinking about per-user home directory/partition encryption.

Doug.
Re: new home box for secure data storage
On Wed, Oct 29, 2008 at 02:56:53PM -0700, Ted Unangst wrote:
>> I think I want root to be able to mount/access the directories so that
>> the data can be included in a backup set (which is then piped through
>> openssl for encryption) on a file-by-file basis rather than just backing
>> up a filesystem image and risking the whole thing if that image becomes
>> corrupted.
>
> Most of your requests are pretty common and come up frequently enough you should be able to find the answers, but this part makes me wonder. So how does root have the key? Do you type it in every time you do a backup or is there a file called dontreadthis in /root?

Let's say the key is in a file. Let's encrypt that file with openssl and keep it in /root. Whoever runs the backup program is asked for the passphrase to unlock the file. The backup program then uses that file to mount the directories to back them up.

> You could maybe do some tricks with cfs but it's a guaranteed shot in the foot.
>
>> Ideas? What do others do to secure /home?
>
> I don't let people steal my computers.

Of course there's the risk/benefit/cost analysis. Gun cabinets or safes bolted to the floor work but are expensive. I could get the same kind of deterrence if I installed a big rack-mount 12U server full of a dozen hard drives (think too heavy for one person to steal, assuming that they recognized it as a computer in the first place). Software encryption is free.

Doug.
Skills for Running Effective Meetings
Skills for Running Effective Meetings Like Never Before!
Mexico City - November 6
Only Presentation This Year!

Mental block... unproductivity... wasted time... Does this sound familiar? If you have taken part in a bad meeting, then you have lived through all of the above. Meetings where the objectives have not been defined drag on for hours, conflict dominates the discussion and halts progress... In the end nothing is achieved. These situations turn meetings into an obstacle and a real productivity problem.

But managed correctly, your meetings can promote communication, generate new ideas, boost morale, set objectives, build teams and much more!!

From drafting an agenda to handling opposing opinions, this seminar gives you the solutions you need to bring your meetings to life. Attend and get easy strategies to improve your meetings quickly. You will learn to lead positive and productive discussions, identify and neutralize the hidden points that pull you off topic, quickly mediate conflict and arguments when the "know-it-alls" erupt, and achieve powerful closings that guarantee commitment, action and understanding from all participants, also including:
. How to determine whether your meeting is necessary.
. Skills for leading contentious discussions.
. Key aptitudes a facilitator must have to communicate effectively.
. Tips that will help you reach positive results in your meeting.
. Understanding group dynamics and what causes flare-ups.
. How to identify and neutralize hidden agendas.
. How to develop a good discussion and sustain it.
. Closing strategies and techniques that win commitment and get results.
. Tools and activities that guarantee interesting and memorable meetings.

-Request a free brochure with the complete information about this seminar
Reply to this e-mail with the following details:
Seminar: Skills for Running Effective Meetings Like Never Before!
Name:
Company:
Position:
Telephone:
City:
Or call us at 01.800.250.10.20 (toll-free).

This invitation was sent to: misc@openbsd.org
If you do not want future e-mails, reply noreu
Re: new home box for secure data storage
I'm confused, the encrypted volume cannot be backed up without a key?

On Wed, Oct 29, 2008 at 8:45 PM, Douglas A. Tutty [EMAIL PROTECTED] wrote:
> On Wed, Oct 29, 2008 at 02:56:53PM -0700, Ted Unangst wrote:
>>> I think I want root to be able to mount/access the directories so that
>>> the data can be included in a backup set (which is then piped through
>>> openssl for encryption) on a file-by-file basis rather than just backing
>>> up a filesystem image and risking the whole thing if that image becomes
>>> corrupted.
>>
>> Most of your requests are pretty common and come up frequently enough you should be able to find the answers, but this part makes me wonder. So how does root have the key? Do you type it in every time you do a backup or is there a file called dontreadthis in /root?
>
> Let's say the key is in a file. Let's encrypt that file with openssl and keep it in /root. Whoever runs the backup program is asked for the passphrase to unlock the file. The backup program then uses that file to mount the directories to back them up.
>
>> You could maybe do some tricks with cfs but it's a guaranteed shot in the foot.
>>
>>> Ideas? What do others do to secure /home?
>>
>> I don't let people steal my computers.
>
> Of course there's the risk/benefit/cost analysis. Gun cabinets or safes bolted to the floor work but are expensive. I could get the same kind of deterrence if I installed a big rack-mount 12U server full of a dozen hard drives (think too heavy for one person to steal, assuming that they recognized it as a computer in the first place). Software encryption is free.
>
> Doug.

--
Some software money can't buy. For everything else there's Micros~1.
Re: new home box for secure data storage
On Wed, Oct 29, 2008 at 09:09:20PM -0500, patric conant wrote:
> I'm confused, the encrypted volume cannot be backed up without a key?

Sure, I could back up the encrypted volume. However, I'd rather back the data up as an unencrypted directory along with everything else. I don't know what's involved in e.g. restoring an accidentally deleted file from within an encrypted volume. I guess I'd treat it like a tarball in that it's a file, mount it somewhere using the usual key and retrieve the file, mount the user's encrypted volume and copy the file back where it belongs.

It's likely that it's me that's confused. Since what I'm contemplating doesn't seem to be mainstream, I'm assuming that backup and restore procedures aren't mainstream (e.g. have the kinks worked out) either. That assumption could be invalid.

Doug.
Corrupted RAIDFrame device
Hi all

I have a simple 2 disk RAID 1 array which has become corrupted by a faulty memory module. If I repeatedly generate an MD5 hash on the same file, I consistently get 1 of 2 values back, roughly alternating, so I assume that the 2 disks have different versions of the same file and they are accessed more-or-less alternately. 'raidctl -s' tells me that all is well with the array. It appears that the likelihood of corruption is greater with larger files - approx 1/2 gig are pretty much all corrupt while small files are pretty much all ok. All this sounds reasonable under the circumstances.

My idea on recovering as much as possible was to disconnect 1 drive, copy all the data off, switch to the other drive and do the same, then run an analysis on the 2 copies - if a file is the same on both copies, then it's probably ok, if they differ, then one or both will be bad.

So, I did the first copy, but when I swap to the other disk, RAIDFrame has remembered that this has 'failed' so will not configure it into the set (as I feared it would(n't)). Does anyone know how I can tell RAIDFrame that the first drive is actually ok, or is my reasoning just nonsense anyway? What would a parity re-write do in this case?

Ironically this computer is in the process of being configured as backup storage, so while I have the originals of most of the data, there is some that I don't, and I haven't yet set up the secondary (off site) backups. And yes I did test the backups were ok, the first ones at least. It appears the module failed some time during the process. I know, I should have been anal and checked every single one, but it was all brand new hardware ... Actually, that's when failure rates are high.

paulm
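The two-copy comparison paulm describes, written out as an added example (it is not part of the original post): after the data has been copied off each half of the mirror separately, walk both trees, hash every regular file (SHA-256 here instead of the MD5 the post used) and sort the paths into identical, differing and one-side-only buckets. The disk0/disk1 directory names and the sample files are constructed for the demo; the script assumes both copies were taken with the same relative layout.

```python
"""Classify files across two independent copies of a corrupted RAID 1 set."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Hash a file in 1 MiB chunks so half-gigabyte files need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def relative_files(root):
    """Map relative path -> absolute Path for every regular file under root.

    Symlinks are skipped so a dangling or looping link cannot derail the walk.
    """
    root = Path(root)
    return {
        str(p.relative_to(root)): p
        for p in root.rglob("*")
        if p.is_file() and not p.is_symlink()
    }


def compare_copies(copy_a, copy_b):
    """Return sorted lists in four buckets.

    identical  - same path, same bytes on both copies (probably good)
    differing  - on both copies but bytes differ (one or both copies are bad)
    only_a / only_b - present on one copy only (metadata damage or a missed copy)
    """
    files_a = relative_files(copy_a)
    files_b = relative_files(copy_b)
    result = {
        "identical": [],
        "differing": [],
        "only_a": sorted(files_a.keys() - files_b.keys()),
        "only_b": sorted(files_b.keys() - files_a.keys()),
    }
    for rel in sorted(files_a.keys() & files_b.keys()):
        pa, pb = files_a[rel], files_b[rel]
        # Cheap size check first; hash only when the sizes agree.
        if pa.stat().st_size != pb.stat().st_size:
            result["differing"].append(rel)
        elif sha256_file(pa) == sha256_file(pb):
            result["identical"].append(rel)
        else:
            result["differing"].append(rel)
    return result


def build_demo_copies(base):
    """Constructed sample data: two copies of a small tree with one flipped bit."""
    a = Path(base) / "disk0"
    b = Path(base) / "disk1"
    for root in (a, b):
        (root / "etc").mkdir(parents=True)
        (root / "etc" / "small.conf").write_bytes(b"hostname=backup\n")
        (root / "big.img").write_bytes(bytes(range(256)) * 4096)  # 1 MiB
    # Corrupt a single byte of the large file on the second copy only.
    data = bytearray((b / "big.img").read_bytes())
    data[500000] ^= 0x08
    (b / "big.img").write_bytes(data)
    # A file that made it onto one copy but not the other.
    (a / "only-on-disk0.txt").write_bytes(b"x")
    return a, b


def demo():
    """Build the constructed copies in a temp dir and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        a, b = build_demo_copies(tmp)
        return compare_copies(a, b)


if __name__ == "__main__":
    report = demo()
    for bucket, names in report.items():
        print(f"{bucket:10s} {', '.join(names) or '-'}")
```

Agreement between the two copies only shows that both halves of the mirror hold the same bytes; a file that was already corrupted in the faulty RAM before it was written will be identical on both and still wrong, so spot-check the "identical" set against the originals where they still exist.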
Re: Longest Uptime?
2008/10/29 Gilles Chehade [EMAIL PROTECTED]:
> new_guy wrote:
>> I know. Longest uptime is silly, macho, pointless stuff... but I ran across an old SunOS 2.6 box that had been up for 387 days. It had been hacked. The only reason it was not an open mail relay is that /var was full. So, I thought to myself, I bet I could run an OpenBSD box for that amount of time or longer without getting hacked and without doing much to it. Just wondering what's the longest OpenBSD uptime some folks on misc have seen?
>>
>> Thanks
>
> It is not the size of your uptime that matters, it is what you do with it.

Nice One :)

Gilles
http://www.crice.org
Re: Capture serial port output to a file
On Oct 29, 2008, at 2:13 AM, J.C. Roberts wrote:
> On Tuesday 28 October 2008, Marc Balmer wrote:
>> * Bruce Bauer wrote:
>>> Problem:
>>> OpenBSD 4.2 on i386
>>> Serial port /dev/cua00 connected to the console port on a firewall.
>>> I need to catch all text output from the serial port to a file.
>>> The process doing this must survive a loss of network. The box is running headless.
>>
>> I could suggest you run cu in a screen session.
>> I have used cu ... | tee logfile in the past, but there are possibly more elegant solutions
>
> I've never tried using tee(1) but it is more elegant than using the default solution provided by tip/cu/remote.

I use 'script'. It gets EVERYTHING. You have to do a little post-processing, but it works very well.

However, if you're saying that you want to capture all output on the firewall coming in to /dev/cua00, why not just open the device and read from it? 'tail -f /dev/cua00 logfile' would do this. Assuming that you have the line dedicated to this and don't need to provide any input.

If you want to use 'cu', you could also investigate the 'record' variable. (~s record /path/to/logfile)

Sean