Re: Firewall question: is using a NIC with multiple jacks considered insecure?

2015-07-27 Thread Christian Weisgerber
On 2015-07-27, Quartz qua...@sneakertech.com wrote: Some years ago I remember reading that when using OpenBSD (or any OS, really) as a router+firewall it was considered inadvisable from a security standpoint to have the different networks all attached to a single network card with multiple

Re: Firewall question: is using a NIC with multiple jacks considered insecure?

2015-07-27 Thread Quartz
turning out rather difficult to find a case that's small enough to fit. I'd really like to use an itx system with multiple onboard ethernet jacks and cram it into something like a MiniBox M350 or Antec ISK110, but I'm not sure A Lanner FW7525 or even an Alix APU don't seem to be much larger...

Re: Firewall question: is using a NIC with multiple jacks considered insecure?

2015-07-27 Thread Kimmo Paasiala
On Mon, Jul 27, 2015 at 12:46 PM, Quartz qua...@sneakertech.com wrote: Some years ago I remember reading that when using OpenBSD (or any OS, really) as a router+firewall it was considered inadvisable from a security standpoint to have the different networks all attached to a single network

Re: dhclient.conf alias declarations?

2015-07-27 Thread Josh Grosse
On Mon, Jul 27, 2015 at 01:34:09PM +0300, Kimmo Paasiala wrote: ...I can live without the alias address, it would have been a convenient way to access the ADSL modem on the WAN side from inside the LAN network. Perhaps you could add an ifconfig(8) command to rc.local(8) to set the alias. Or,

amd(8) - am-utils code transition (or am-utils new port)?

2015-07-27 Thread Alessandro DE LAURENZIS
Dear misc@ readers, Some weeks ago I realized that OpenBSD amd(8) lacks NFSv3 support (see [1], [2]), which could increasingly become a serious limitation when the dimension of shared files exceeds the 2GB limit. Considering that the patch in [2] isn't working for me (maybe the OpenBSD NFS server

Re: Update to /etc/services

2015-07-27 Thread Denis Fondras
BTW your diff was line-wrapped, and the BFD entries used spaces instead of tabs, so I hand applied it. Thank you. Sorry for the BFD entries, I copied/pasted from the IANA document and missed that. BTW, what is the preferred way to send a diff with lines longer than 80 characters? I use mutt,

Re: Firewall question: is using a NIC with multiple jacks considered insecure?

2015-07-27 Thread Martin Schröder
2015-07-27 11:46 GMT+02:00 Quartz qua...@sneakertech.com: turning out rather difficult to find a case that's small enough to fit. I'd really like to use an itx system with multiple onboard ethernet jacks and cram it into something like a MiniBox M350 or Antec ISK110, but I'm not sure A Lanner

Re: dhcpd.interfaces question

2015-07-27 Thread Markus Rosjat
So if I want to have a vlan interface providing dhcp I need to put dhcpd_flags=vlanXX in rc.conf.local ? regards Markus Am 27.07.2015 um 14:09 schrieb Jiri B: On Mon, Jul 27, 2015 at 02:02:45PM +0200, Markus Rosjat wrote: Hi there, I just want to set up a dhcp for a Vlan on an openbsd 5.5

Re: Firewall question: is using a NIC with multiple jacks considered insecure?

2015-07-27 Thread Raul Miller
Though, of course, if you have been actively developing your system, or if you have already been subject to other root attempts, a root attempt runs a significant risk of crashing it. (And if you have been developing a lot, there's a decent chance you'll have already crashed it so many times that

dhcpd.interfaces question

2015-07-27 Thread Markus Rosjat
Hi there, I just want to set up a dhcp for a Vlan on an openbsd 5.5 box and somehow I can't find the dhcpd.interfaces file. Is there a change in the configuration since 5.x ? On a 4.9 installation I still have this file. Regards -- Markus Rosjat fon: +49 351 8107223 mail:

Re: dhcpd.interfaces question

2015-07-27 Thread Jiri B
On Mon, Jul 27, 2015 at 02:02:45PM +0200, Markus Rosjat wrote: Hi there, I just want to set up a dhcp for a Vlan on an openbsd 5.5 box and somehow I can't find the dhcpd.interfaces file. Is there a change in the configuration since 5.x ? On a 4.9 installation I still have this file. No idea

Re: dhclient.conf alias declarations?

2015-07-27 Thread lists
...I can live without the alias address, it would have been a convenient way to access the ADSL modem on the WAN side from inside the LAN network. Perhaps you could add an ifconfig(8) command to rc.local(8) to set the alias. As previously said any ifconfig aliasing command removes

Re: rdomain with BGP dynamic route

2015-07-27 Thread BARDOU Pierre
Hello, I think this is what I tried a while ago, which is not possible. Cf http://openbsd-archive.7691.n7.nabble.com/Multi-VRF-bgpd-no-MPLS-td248639.html bgpd.conf(5) says: Currently the routing table must belong to the default routing domain -- Cordialement, Pierre BARDOU -Message

Re: doas.conf: omitting [as root] allows me to run a command as everybody?

2015-07-27 Thread Theo Buehler
On Mon, Jul 27, 2015 at 03:13:55PM +0200, Marc Espie wrote: On Mon, Jul 27, 2015 at 02:40:53PM +0200, Theo Buehler wrote: So omitting [as identity] allows me to run as every user, not just as root? Is this intentional? I think it's intentional. It's definitely what I would expect [as

Re: Firewall question: is using a NIC with multiple jacks considered insecure?

2015-07-27 Thread Maxim Khitrov
On Mon, Jul 27, 2015 at 7:37 AM, Christian Weisgerber na...@mips.inka.de wrote: On 2015-07-27, Quartz qua...@sneakertech.com wrote: Some years ago I remember reading that when using OpenBSD (or any OS, really) as a router+firewall it was considered inadvisable from a security standpoint to

doas.conf: omitting [as root] allows me to run a command as everybody?

2015-07-27 Thread Theo Buehler
I'm not sure whether this is a misunderstanding on my side or a bug. Suppose I have the following /etc/doas.conf $ cat /etc/doas.conf permit nopass theo cmd /usr/bin/touch args /tmp/doastest/foo I would expect from the excerpt as targetThe target user the running user is allowed to

Re: dhcpd.interfaces question

2015-07-27 Thread martinblank64
That is correct -- I use the same configuration. If there are multiple VLAN (or other) interfaces, separate them with a space. Sent from my iPhone On Jul 27, 2015, at 5:28 AM, Markus Rosjat ros...@ghweb.de wrote: So if I want to have a vlan interface providing dhcp I need to put

Re: doas.conf: omitting [as root] allows me to run a command as everybody?

2015-07-27 Thread Marc Espie
On Mon, Jul 27, 2015 at 02:40:53PM +0200, Theo Buehler wrote: So omitting [as identity] allows me to run as every user, not just as root? Is this intentional? I think it's intentional. It's definitely what I would expect [as identity] is a restrictive modifier. If you want to only be able to

Re: Firewall question: is using a NIC with multiple jacks considered insecure?

2015-07-27 Thread Quartz
It is certainly possible theoretically but you'll have to go to very great lengths to imagine a scenario where a remote attacker could exploit such a flaw. It's next to impossible to identify the make and model of the NIC that holds an IP address (if it is even directly bound to a NIC, CARP and

Re: Firewall question: is using a NIC with multiple jacks considered insecure?

2015-07-27 Thread Joseph Crivello
If someone successfully attacks the firmware on any of your network cards, you are screwed no matter what. Any modern network card is going to have the ability to issue DMAs and can easily root your entire system.

Re: Intel Atom?

2015-07-27 Thread Josh Grosse
On 2015-07-27 11:22, Quartz wrote: What's Intel Atom support like these days? I remember they used to be a little weird. Are they handled pretty much like any other x86 chip now or are some things still unsupported? Are they capable of handling pf on a saturated 100-base-t connection? How about

Re: dovecot startup failure (5.7-stable)

2015-07-27 Thread Adam Wolk
On Sat, 25 Jul 2015 13:51:32 +0200 Tor Houghton t...@bogus.net wrote: Hi, Hi, It appears that the dovecot package won't start at boot time unless the ulimit is raised for open files: .. Jul 25 13:39:53 duck dovecot: master: Error: open(/var/dovecot/login-master-notifyda2290c6851a9f03)

dmesg: Intel Atom C2758 - SuperMicro A1SRi-2758F with LSI SAS9211-8i

2015-07-27 Thread Aaron Poffenberger
dmesg from a box that was en route to becoming a FreeNAS system. Everything I cared about as far as networking and disk management worked with one issue. smartctl was uneven about whether it could get stats from the disks connected through the LSI (mpii0). The first two requests would

Re: Firewall question: is using a NIC with multiple jacks considered insecure?

2015-07-27 Thread Quartz
These days you have bypass features in hardware that allow packets to flow from one interface to another even if the firewall is turned off. Can you elaborate on this? Also, that brings up another point wrt motherboards with multiple jacks; are bios attacks something to worry about?

Intel Atom?

2015-07-27 Thread Quartz
What's Intel Atom support like these days? I remember they used to be a little weird. Are they handled pretty much like any other x86 chip now or are some things still unsupported? Are they capable of handling pf on a saturated 100-base-t connection? How about gig-e?

Re: Firewall question: is using a NIC with multiple jacks considered insecure?

2015-07-27 Thread Stuart Henderson
On 2015-07-27, Quartz qua...@sneakertech.com wrote: This is a little off-topic, but I should clarify that although this device's primary purpose is a firewall+router, it also has to provide a handful of other network related services that set a few requirements vis-à-vis hardware. Depends

Re: Firewall question: is using a NIC with multiple jacks considered insecure?

2015-07-27 Thread Giancarlo Razzolini
Em 27-07-2015 09:13, Kimmo Paasiala escreveu: It's next to impossible to identify the make and model of the NIC that holds an IP address With IPv6 and poor configuration, a remote attacker already has that information. MAC addresses reveal a lot of information about a NIC. Cheers, Giancarlo

Re: Intel Atom?

2015-07-27 Thread Bryan C. Everly
FWIW here's the DMESG from the system I just put in place. Case, power supply and all I was at around $350 total. It's making an excellent router/firewall: OpenBSD 5.7 (GENERIC.MP) #881: Sun Mar 8 11:04:17 MDT 2015 dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP real

Re: Intel Atom?

2015-07-27 Thread Michael McConville
Michael McConville wrote: (especially when the proxied traffic is TLS-encrypted) Disregard that clause. It's obviously the end-points that handle TLS sessions, not the exit relay.

Re: dmesg: Intel Atom C2758 - SuperMicro A1SRi-2758F with LSI SAS9211-8i

2015-07-27 Thread Stefan Sperling
On Mon, Jul 27, 2015 at 10:59:02AM -0500, Aaron Poffenberger wrote: dmesg from a box that was en route to becoming a FreeNAS system. Everything I cared about as far as networking and disk management worked with one issue. smartctl was uneven about whether it could get stats from the disks

Re: Intel Atom?

2015-07-27 Thread Quartz
I just posted a dmesg from a SuperMicro motherboard with 8-core Intel Atom C2758. Yeah, I've heard about that board. I think it's a tad overkill for our situation though :) Depending on how you configure your disks the 8-core C2758 should be able to saturate a single gig-e nic. Our

Re: Intel Atom?

2015-07-27 Thread Quartz
FWIW here's the DMESG from the system I just put in place. pchb0 at pci0 dev 0 function 0 vendor Intel, unknown product 0x0bf3 rev 0x04 ehci0: timed out waiting for BIOS xhci0 at pci2 dev 0 function 0 vendor Etron, unknown product 0x7052 ehci1: timed out waiting for BIOS I admit

Re: dhclient.conf alias declarations?

2015-07-27 Thread Stuart Henderson
On 2015-07-26, Kimmo Paasiala kpaas...@gmail.com wrote: Hello, I'm in the process of migrating my router/firewall system from FreeBSD to OpenBSD and I came across a minor problem. I want to have a static alias address on an interface that is otherwise configured with DHCP. What I had in

Re: Intel Atom?

2015-07-27 Thread Bryan C. Everly
I just deployed an OpenBSD 5.7 firewall/router/dhcp/dns using this motherboard: http://www.newegg.com/Product/Product.aspx?Item=N82E16813157417 It uses the Intel Atom D2550 1.86GHz 2-Core chip and has dual 1000 Mbps Intel NICs on the motherboard. I am running the amd64 binaries on it and it's

Re: dmesg: Intel Atom C2758 - SuperMicro A1SRi-2758F with LSI SAS9211-8i

2015-07-27 Thread Aaron Poffenberger
On 7/27/15 11:20, Stefan Sperling wrote: On Mon, Jul 27, 2015 at 10:59:02AM -0500, Aaron Poffenberger wrote: dmesg from a box that was en route to becoming a FreeNAS system. Everything I cared about as far as networking and disk management worked with one issue. smartctl was uneven about

Re: Intel Atom?

2015-07-27 Thread Quartz
I just deployed an OpenBSD 5.7 firewall/router/dhcp/dns using this motherboard: http://www.newegg.com/Product/Product.aspx?Item=N82E16813157417 As a side question, is that a female usb connector planted vertically right on the motherboard? It uses the Intel Atom D2550 1.86GHz 2-Core chip

Re: Intel Atom?

2015-07-27 Thread Quartz
There's a huge range of Atom processors. Some are 32-bit only single-core, there are models which are 64-bit capable and multi-core. There are a wide range of clock speeds, cache sizes, and bus speeds. I know, I was mainly looking for general opinion about support and performance. IIRC, back

Re: Intel Atom?

2015-07-27 Thread Bryan Everly
On the USB connector I didn't notice it when I installed the board but I can look when I get home in a couple of days. I haven't pushed it to breaking but it has yet to present a bottleneck. Thanks, Bryan On Jul 27, 2015, at 1:14 PM, Quartz qua...@sneakertech.com wrote: I just deployed an

Re: Intel Atom?

2015-07-27 Thread Dain Bentley
I've been using an atom for a firewall/VPN for a couple of years. Works great On Monday, July 27, 2015, Quartz qua...@sneakertech.com wrote: What's Intel Atom support like these days? I remember they used to be a little weird. Are they handled pretty much like any other x86 chip now or are

Re: Intel Atom?

2015-07-27 Thread Quartz
Here's the dmesg for my Tor exit relay, which runs on a D2700. It moves about 2.0-4.5 MB/s in each direction. Hmmm that's nowhere near as fast as what we do, and not even as fast as a P3. It seems to be running at full capacity doing so, I don't know much about tor. When you say full

Re: Intel Atom?

2015-07-27 Thread Michael McConville
Quartz wrote: Here's the dmesg for my Tor exit relay, which runs on a D2700. It moves about 2.0-4.5 MB/s in each direction. Hmmm that's nowhere near as fast as what we do, and not even as fast as a P3. Do you have 4,500-7,000 open connections? That slows my machine's networking down

Re: Intel Atom?

2015-07-27 Thread Aaron Poffenberger
On 7/27/15 10:22, Quartz wrote: What's Intel Atom support like these days? I remember they used to be a little weird. Are they handled pretty much like any other x86 chip now or are some things still unsupported? Are they capable of handling pf on a saturated 100-base-t connection? How about

Re: Intel Atom?

2015-07-27 Thread Michael McConville
Here's the dmesg for my Tor exit relay, which runs on a D2700. It moves about 2.0-4.5 MB/s in each direction. It seems to be running at full capacity doing so, but that's with 3,000-5,000 open files and 4,500-7,000 open connections. So, I think you'll be able to get a lot out of one of these CPUs.

Re: Firewall question: is using a NIC with multiple jacks considered insecure?

2015-07-27 Thread Maxim Khitrov
On Mon, Jul 27, 2015 at 11:10 AM, Quartz qua...@sneakertech.com wrote: These days you have bypass features in hardware that allow packets to flow from one interface to another even if the firewall is turned off. Can you elaborate on this? Search for intel nic bypass mode and you'll find lots

Re: Intel Atom?

2015-07-27 Thread Stuart Henderson
On 2015-07-27, Aaron Poffenberger a...@hypernote.com wrote: The SuperMicro board I was using has 4 intel nics + a separate IPMI nic. N.B. on the recent SuperMicro boards I have, if the IPMI nic is unconnected, standard settings are to run IPMI on the first main NIC instead. This isn't really

Re: Update to /etc/services

2015-07-27 Thread Stuart Henderson
On 2015-07-27, Denis Fondras open...@ledeuns.net wrote: BTW your diff was line-wrapped, and the BFD entries used spaces instead of tabs, so I hand applied it. Thank you. Sorry for the BFD entries, I copied/pasted from the IANA document and missed that. No worries. BTW, what is the

Re: SPARC minimum hardware specification

2015-07-27 Thread Christian Weisgerber
We're hurtling towards the 5.8 release and, as usual, ports and packages on non-x86 platforms are in dire shape. If you want to put your money where your mouth is, take a look at recent build logs and start fixing some of those problems. http://build-failures.rhaalovely.net/ sparc64, powerpc,

Re: Firewall question: is using a NIC with multiple jacks considered insecure?

2015-07-27 Thread Chris Cappuccio
Joseph Crivello [josephcrive...@gmail.com] wrote: If someone successfully attacks the firmware on any of your network cards, you are screwed no matter what. Any modern network card is going to have the ability to issue DMAs and can easily root your entire system. If you are running OpenBSD

Re: ipv6 kernel pppoe + slaac problem

2015-07-27 Thread Stuart Henderson
On 2015-07-25, Holger Glaess gla...@glaessixs.de wrote: hi if i start dhcpcd i got dhcpcd[26307]: version 6.4.2 starting dhcpcd[26307]: IPV6CTL_ACCEPT_RTADV: Operation not supported dhcpcd[26307]: kernel does not report IPv6 address flag changes dhcpcd[26307]: polling tentative address

Re: Intel Atom?

2015-07-27 Thread Aaron Poffenberger
On 7/27/15 14:34, Stuart Henderson wrote: On 2015-07-27, Aaron Poffenberger a...@hypernote.com wrote: The SuperMicro board I was using has 4 intel nics + a separate IPMI nic. N.B. on the recent SuperMicro boards I have, if the IPMI nic is unconnected, standard settings are to run IPMI on

Re: doas.conf: omitting [as root] allows me to run a command as everybody?

2015-07-27 Thread Alexander Hall
On July 27, 2015 3:22:13 PM GMT+02:00, Theo Buehler t...@math.ethz.ch wrote: On Mon, Jul 27, 2015 at 03:13:55PM +0200, Marc Espie wrote: On Mon, Jul 27, 2015 at 02:40:53PM +0200, Theo Buehler wrote: So omitting [as identity] allows me to run as every user, not just as root? Is this

Re: rdomain with BGP dynamic route

2015-07-27 Thread XU, YANG (YANG)
Pierre, Thanks for forwarding the information to me. Yes, what you tried was related, especially the overlapping addresses of clients. What I want to do is to assign different RD to different VRF routes learned dynamically from clients. Based on what I heard and read so far, I just assume it's

aucat problems

2015-07-27 Thread Stefan Berger
Hi, I have some trouble configuring my audio devices: I want to record with my internal microphone (Thinkpad x220i) or/and my headphones with aucat, but I can't configure it according to FAQ because the output from mixerctl is somehow, different. inputs.dac-0:1_mute=off

Re: aucat problems

2015-07-27 Thread lists
I am not sure which settings must be changed to record with the internal microphone. When I start aucat, I can't hear anything. I've had the same trouble figuring out which set of settings control the selection of the internal and external microphone on my laptop. Wild guess it might

Re: aucat problems

2015-07-27 Thread lists
I am not sure which settings must be changed to record with the internal microphone. When I start aucat, I can't hear anything. I've had the same trouble figuring out which set of settings control the selection of the internal and external microphone on my laptop. Wild guess it might be

Re: Intel Atom?

2015-07-27 Thread lists
Here's the dmesg for my Tor exit relay, which runs on a D2700. It moves about 2.0-4.5 MB/s in each direction. Hmmm that's nowhere near as fast as what we do, and not even as fast as a P3. I have an N280 1000/1666 MHz netbook which is roughly the same computation power as a P3 750 MHz

Re: Intel Atom?

2015-07-27 Thread Sonic
On Mon, Jul 27, 2015 at 7:14 PM, li...@wrant.com wrote: The D525 is quite a bit older than the new systems suggested in the thread, and fully saturates the 100 Mbps LAN with SSH so no worries, the external network is 100 Mbps. snip Recommendation for a very capable router are C2750/C2758 Supermicro

Re: ipv6 kernel pppoe + slaac problem

2015-07-27 Thread Giancarlo Razzolini
Em 27-07-2015 18:16, Stuart Henderson escreveu: Can you try 6.9.1 from -current ports please? (I updated it recently so packages might not be there yet). You can try using the wide-dhcp6 too. But, I couldn't make it work because my upstream router would delegate the prefix, but not route the

Re: Firewall question: is using a NIC with multiple jacks considered insecure?

2015-07-27 Thread Joel Rees
On Mon, Jul 27, 2015 at 10:52 PM, Joseph Crivello josephcrive...@gmail.com wrote: If someone successfully attacks the firmware on any of your network cards, you are screwed no matter what. Any modern network card is going to have the ability to issue DMAs and can easily root your entire

Re: dhclient.conf alias declarations?

2015-07-27 Thread Kimmo Paasiala
On Mon, Jul 27, 2015 at 4:21 AM, Edgar Pettijohn ed...@pettijohn-web.com wrote: On 07/26/15 19:10, Kimmo Paasiala wrote: On Mon, Jul 27, 2015 at 3:00 AM, Kimmo Paasiala kpaas...@gmail.com wrote: On Mon, Jul 27, 2015 at 2:33 AM, Josh Grosse j...@jggimi.homeip.net wrote: On 2015-07-26

Firewall question: is using a NIC with multiple jacks considered insecure?

2015-07-27 Thread Quartz
Some years ago I remember reading that when using OpenBSD (or any OS, really) as a router+firewall it was considered inadvisable from a security standpoint to have the different networks all attached to a single network card with multiple ethernet ports. The thinking being that it was

Re: Intel Atom?

2015-07-27 Thread Quartz
Recommendation for a very capable router are C2750/C2758 Supermicro So, do you think we'd *need* a board like that? The reason I ask is that they're nearly twice the price of other dual-gigE Atom boards, and the ECC SODIMMs don't help. If you're saying that an old D525 can handle our traffic

Re: Sluggish/laggy browser behaviour

2015-07-27 Thread Benjamin Baier
I can pretty much confirm this on an X220i, I have sort of come to terms with it, but it is definitely noticeable (in chromium and firefox). X220 here. Also, when I play clips on YouTube, playback sometimes hangs for half a second. That is with a snapshot from today. To be safe, I also