Re: rcctl ansible service support

2014-10-16 Thread Patrik Lundin
On Wed, Oct 15, 2014 at 8:51 PM, Antoine Jacoutot ajacou...@bsdfrog.org wrote:
 On Wed, Oct 15, 2014 at 11:48:20AM -0700, xSAPPYx wrote:

 Is a recent rcctl post the 5.6 freeze or will this work with the next
 release?

 Extract from 'man rcctl':
  rcctl first appeared in OpenBSD 5.7.


By recent I mean a version that supports the 'default' argument:
http://marc.info/?l=openbsd-cvs&m=141303663711396&w=2

I am very happy that armani@ started the ansible work as early as
he did so we were able to request features before rcctl was
officially released!

Regards,
Patrik Lundin



Re: Shadow TCP stacks

2014-10-16 Thread Kevin Chadwick
On Wed, 15 Oct 2014 20:22:56 -0400
Ian Grant wrote:

 Moved to misc.
 
 Yes, you missed something: the point :-)
 
 The idea is that the existence of this entire 'ultranet' is
 undetectable by even someone snooping all national traffic. So a TCP
 port 80 connection looks to the snooper _exactly_ like an HTTP
 connection handshake. Only the ISN and the source address mark the
 connection as 'ultra' and take it into a back room where it connects
 to the real network. If the snooper tries to connect to that port
 they see the same HTTP service that all the other muggles see.

I still don't see the benefit though but do see added complexity or
more code to audit.

Reducing DDOS against a visible SSH service maybe? Reduce password
attempts on your logs allowing them to go after targets that might
actually use passwords (port change also works there, I find)?



Re: Shadow TCP stacks

2014-10-16 Thread Martin Schröder
2014-10-16 13:16 GMT+02:00 Kevin Chadwick ma1l1i...@yahoo.co.uk:
 I still don't see the benefit though but do see added complexity or
 more code to audit.

 Reducing DDOS against a visible SSH service maybe? Reduce password
 attempts on your logs allowing them to go after targets that might
 actually use passwords (port change also works there, I find)?

The impossibility to scan for services - which the NSA/GCHQ/... do.

Best
   Martin



LibreSSL Portable, disable SSLv3

2014-10-16 Thread Heiko Zimmermann
Hello together,

what is the best way, to disable SSLv3 support in LibreSSL 2.1.0
portable (f.e. using on Mac OSX)?

Thank you.
/Heiko



Re: LibreSSL Portable, disable SSLv3

2014-10-16 Thread Stefan Sperling
On Thu, Oct 16, 2014 at 03:10:24PM +0200, Heiko Zimmermann wrote:
 Hello together,
 
 what is the best way, to disable SSLv3 support in LibreSSL 2.1.0
 portable (f.e. using on Mac OSX)?
 
 Thank you.
 /Heiko

Update to LibreSSL 2.1.1.



Re: LibreSSL Portable, disable SSLv3

2014-10-16 Thread Heiko Zimmermann
Now the updates are on the mirror.
Thx.

 Am 16.10.2014 um 15:27 schrieb Stefan Sperling 
 
 Update to LibreSSL 2.1.1.



Re: problem with CARP+VLAN+OpenBSD 5.5

2014-10-16 Thread Federico Donati

On 10/15/2014 03:43 PM, Fede wrote:


I've removed defer from /etc/hostname.pfsync0, and I also added some
bpf device (one for every carp I have) with MAKEDEV, as you suggested.
Then, I've added no-sync to pf, so the running pf.conf is:

set skip on lo0
pass quick on em0 proto pfsync keep state (no-sync)
pass quick on em0
pass quick on { vlan2 vlan3 vlan4 vlan5 vlan6 vlan7 vlan1002 vlan1003 } proto { carp pfsync } keep state (no-sync)
pass in quick
pass out quick

but my problem persists.


UPDATE

Today I've tried to put all carp interfaces in just 5 carp interfaces, 
using netmask 255.255.255.255 for IPs in the same broadcast domain, 
and the appropriate netmask for IPs outside the first ip's subnet. This 
way, the test systems are working fine for the moment.


This solution is working, but it will need some revision of pf.conf.
Let's say that we will have fewer files to maintain...


BTW, I would like to understand where the limit of the previous,
non-working, configuration is.
I tried to load the previous hostname.carpXX interfaces one at a time, with
a reboot for every new carp activated. I wasn't able to find a pattern,
because interfaces on system-2 turn into MASTER state randomly.


When a split on a carp interface occurs, I can see with tcpdump that on
the backup machine advertisement packets are just ignored. For example:


16:08:19.848966 CARPv2-advertise 36: vhid=133 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]
16:08:19.915796 CARPv2-advertise 36: vhid=133 advbase=1 advskew=200 demote=0 (DF) [tos 0x10]
16:08:20.898960 CARPv2-advertise 36: vhid=133 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]
16:08:21.715797 CARPv2-advertise 36: vhid=133 advbase=1 advskew=200 demote=0 (DF) [tos 0x10]
16:08:21.948972 CARPv2-advertise 36: vhid=133 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]


And then, if I run a ksh /etc/netstart carpXX, the interface starts
acting normal (MASTER/BACKUP) again.


At the end, I have my workaround, but it would be nice if someone could 
spot the misconfiguration or the problem with the faulty configuration I 
described.


Thank you all for the support.
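As an added detection example (not code from this thread), the split Federico sees in the tcpdump output can be spotted mechanically: two different advskew values advertised for the same vhid within a short window means two hosts are both acting as MASTER. The script below parses tcpdump lines of the format quoted above; the sample lines are constructed after them, and the 3 × advbase window is an assumption chosen so that a normal failover is not flagged.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the same shape as the tcpdump lines quoted in the thread:
# vhid 133 is advertised with two different advskews (split), vhid 134 is healthy.
SAMPLE = """\
16:08:19.848966 CARPv2-advertise 36: vhid=133 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]
16:08:19.915796 CARPv2-advertise 36: vhid=133 advbase=1 advskew=200 demote=0 (DF) [tos 0x10]
16:08:20.898960 CARPv2-advertise 36: vhid=133 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]
16:08:21.715797 CARPv2-advertise 36: vhid=133 advbase=1 advskew=200 demote=0 (DF) [tos 0x10]
16:08:21.948972 CARPv2-advertise 36: vhid=133 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]
16:08:22.100000 CARPv2-advertise 36: vhid=134 advbase=1 advskew=0 demote=0 (DF) [tos 0x10]
16:08:23.100000 CARPv2-advertise 36: vhid=134 advbase=1 advskew=0 demote=0 (DF) [tos 0x10]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) CARPv2-advertise \d+: "
    r"vhid=(?P<vhid>\d+) advbase=(?P<advbase>\d+) advskew=(?P<advskew>\d+)"
)


def parse_adverts(lines):
    """Yield (timestamp, vhid, advbase, advskew) from tcpdump CARP advertisement lines."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a CARP advertisement
        ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
        yield ts, int(m["vhid"]), int(m["advbase"]), int(m["advskew"])


def find_split_brain(lines):
    """Return {vhid: sorted advskews} for every vhid whose advertisements carry two
    different advskews within 3*advbase seconds of each other, i.e. two hosts both
    acting as MASTER. The window is an assumption: it mirrors the roughly 3*advbase
    master-down timeout, so a normal failover is not reported."""
    last_seen = {}              # (vhid, advskew) -> timestamp of the latest advertisement
    conflicts = defaultdict(set)
    for ts, vhid, advbase, advskew in parse_adverts(lines):
        window = timedelta(seconds=3 * advbase)
        for (v, skew), seen in last_seen.items():
            if v == vhid and skew != advskew and ts - seen <= window:
                conflicts[vhid].update({skew, advskew})
        last_seen[(vhid, advskew)] = ts
    return {v: sorted(s) for v, s in conflicts.items()}


if __name__ == "__main__":
    print(find_split_brain(SAMPLE.splitlines()))  # {133: [10, 200]}
```

Feed it `tcpdump -n -i <carp parent> proto carp` output from the backup host and a non-empty result is the moment both nodes claim the vhid.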