Re: Adding zombies to a pf table?
On 2015 Sep 24 (Thu) at 12:37:03 +0300 (+0300), Pantelis Roditis wrote: :On 09/24/2015 11:39 AM, Peter Hessler wrote: :>On 2015 Sep 23 (Wed) at 18:14:51 +0100 (+0100), Craig Skinner wrote: :>:Hello, :>: :>:Zombies are often attacking ports which don't have services running, :>:such as telnet (most popular indeed), mysql, 3551, 8080, 13272, etc. :> : :Hi, : :This is the exact reason why we created bofh-divert[1]. The idea is that you :pass those packets with PF to a divert socket opened by a daemon. The daemon :grabs the source IP and adds it to a predefined table. : :The rules look something like this : :-- pf.conf snip -- : :table persist counters : :block in log quick from : :pass in log quick on { egress } inet proto tcp from ! to port { :3389, 5900, 6001, 8080, } divert-packet port 1100 no state : :-- pf.conf snip -- : :We have used this on some of our firewalls for some time now without :problems. : :>I've been playing with this, too. Overload won't work until the packet :>is processed by a userland process. :> :>:Or is there something handy in ports to help? :>: :> :>I don't know of any, but I have such a thing on my TODO. :> : :The port[2] is under cleanup/testing and will be submitted for review soon. : :I hope this is close to what you guys were looking for. : : :[1] https://github.com/echothrust/pf-diverters :[2] https://github.com/echothrust/OpenBSD-ports-mystuff : Yes, this looks very close to what I had in mind. Main comment: looks like no IPv6 support. -- In Boston, it is illegal to hold frog-jumping contests in nightclubs.
Re: Making IPv6 NAT prefer privacy address
On 2015-09-23, Giancarlo Razzoliniwrote: > Em 23-09-2015 11:49, Stuart Henderson escreveu: >> Exactly. It also makes it easier to handle multiple ISPs for load-balancing >> or failover, which IPv6 handles poorly (short of using BGP). > > Wouldn't multipath and properly constructed ifstated scripts be better > in this case? Like reloading dhcpv6 servers, rtadvd, and anchors, etc. The problem is that you rely on the end host to make decisions about which address to use etc. The router can only influence those decisions (by choosing which networks to advertise) rather than force them. This might be good enough for failover (though failover is likely to be slower than doing it on the router) but isn't going to work at all for the type of load-balancing that many people currently do across multiple ISP connections (often built-in to small/home office routers, and like the example in faq/pf/pools.html).
Re: Recommended miniPCI express wireless module for PC Engines' APU system board?
On 2015-09-24, Adamwrote: >>> So the one you recommend from Amazon got some >>> mediocre reviews and comes from Asia. >>> But it works, good for you, that's a plus. It is >>> also a Qualcomm Atheros, maybe not >>> so dissimilar from the ones PC Engines sells on >>> their site: >>> http://www.pcengines.ch/wle200nx.htm and >> >> This one should work ok with athn(4). > > Huh, athn(4)? Which one is that? http://www.pcengines.ch/order1.php?c=4 > > No such SKU for PC Engines. Do you mean the APU board, perhaps? > > Thanks for your additional tips, though. > > http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man4/athn.4?query=athn
Re: Adding zombies to a pf table?
On 09/24/2015 11:39 AM, Peter Hessler wrote: On 2015 Sep 23 (Wed) at 18:14:51 +0100 (+0100), Craig Skinner wrote: :Hello, : :Zombies are often attacking ports which don't have services running, :such as telnet (most popular indeed), mysql, 3551, 8080, 13272, etc. Hi, This is the exact reason why we created bofh-divert[1]. The idea is that you pass those packets with PF to a divert socket opened by a daemon. The daemon grabs the source IP and adds it to a predefined table. The rules look something like this -- pf.conf snip -- table persist counters block in log quick from pass in log quick on { egress } inet proto tcp from ! to port { 3389, 5900, 6001, 8080, } divert-packet port 1100 no state -- pf.conf snip -- We have used this on some of our firewalls for some time now without problems. I've been playing with this, too. Overload won't work until the packet is processed by a userland process. :Or is there something handy in ports to help? : I don't know of any, but I have such a thing on my TODO. The port[2] is under cleanup/testing and will be submitted for review soon. I hope this is close to what you guys were looking for. [1] https://github.com/echothrust/pf-diverters [2] https://github.com/echothrust/OpenBSD-ports-mystuff
Re: Recommended miniPCI express wireless module for PC Engines' APU system board?
>> So the one you recommend from Amazon got some >> mediocre reviews and comes from Asia. >> But it works, good for you, that's a plus. It is >> also a Qualcomm Atheros, maybe not >> so dissimilar from the ones PC Engines sells on >> their site: >> http://www.pcengines.ch/wle200nx.htm and > > This one should work ok with athn(4). Huh, athn(4)? Which one is that? http://www.pcengines.ch/order1.php?c=4 No such SKU for PC Engines. Do you mean the APU board, perhaps? Thanks for your additional tips, though.
Re: Making IPv6 NAT prefer privacy address
On 2015-09-23, Giancarlo Razzoliniwrote: > Em 23-09-2015 11:16, Marios Makassikis escreveu: >> Rather than announcing the prefix obtained via DHCPv6-PD you can pick a >> prefix >> from fd00::/8 and announce that on your network. >> It is the equivalent to RFC1918 addresses, except it is for IPv6. > > Figured it. These are ULA, right? yep. >> Therefore, it is >> not routable and you need to perform NAT on it. The global address is the one >> the router obtained via static configuration/SLAAC/DHCPv6, which will then be >> used by all your clients. > > It kind of defeats the purpose of IPv6, doesn't it? What is the purpose of IPv6? The main purpose that I see is "ability to continue getting internet addresses after v4 runout". (If it had been left at that and didn't change a bunch of other things at the same time, perhaps more people would be using it already). And, like it or not, the majority of network admins have learned their trade in a post-NAT world, and are relying on things which are difficult or impossible to do without that... >> Your CPE will see only the OpenBSD router's address so it should work. > > I ended up setting up a bridge for that. It's harder to filter on them > though. I plan to port some NDP proxy to OpenBSD, but all of the > candidates looked very cumbersome to my taste. I'll have eventually to > do it, unless someone else beat me to it. So you're relying on your ISPs CPE for network addressing and it doesn't have a way to add a static route? It seems like you would have the same problem with v4, doesn't it? Can you terminate the session on the OpenBSD box instead?
Re: Adding zombies to a pf table?
On 09/24/2015 12:48 PM, Peter Hessler wrote: On 2015 Sep 24 (Thu) at 12:37:03 +0300 (+0300), Pantelis Roditis wrote: :On 09/24/2015 11:39 AM, Peter Hessler wrote: :>On 2015 Sep 23 (Wed) at 18:14:51 +0100 (+0100), Craig Skinner wrote: :>:Hello, :>: :>:Zombies are often attacking ports which don't have services running, :>:such as telnet (most popular indeed), mysql, 3551, 8080, 13272, etc. :> [..] : :[1] https://github.com/echothrust/pf-diverters :[2] https://github.com/echothrust/OpenBSD-ports-mystuff : Yes, this looks very close to what I had in mind. Main comment: looks like no IPv6 support. I know, unfortunately my familiarity with anything IPv6 is close to 0. However it shouldn’t be too hard to add the support. If anyone is interested in taking the task I am happy to accept pull requests or patches.
Re: Adding zombies to a pf table?
On 2015 Sep 23 (Wed) at 18:14:51 +0100 (+0100), Craig Skinner wrote: :Hello, : :Zombies are often attacking ports which don't have services running, :such as telnet (most popular indeed), mysql, 3551, 8080, 13272, etc. : :With a default pf block drop in on $ext_if, how can those source ips be :added to a table? Which all can be dropped & small queued. : :I've tried to overload a match statement, but that won't work. : I've been playing with this, too. Overload won't work until the packet is processed by a userland process. :Or is there something handy in ports to help? : I don't know of any, but I have such a thing on my TODO. Annoyingly, that TODO list is too long. If you beat me to it, please share :). :Thanks. :-- :By the time they had diminished from 50 to 8, :the other dwarves began to suspect "Hungry" ... :-- Gary Larson, "The Far Side" : -- Ed Sullivan will be around as long as someone else has talent. -- Fred Allen
Re: 5.8-stable: panic: mtx_enter locking against myself
Looks like I found the root cause. At least it is stable as it suppose to be. In need to reproduce this in lab before making next move. //mxb > On 17 sep. 2015, at 10:35, mxbwrote: > > > Hey, > getting panics with 5.8-STABLE kernel. > > panic: mix_enter: locking against myself > Starting stack trace… > panic() at panic+0x10b > mtx_enter() at mtx_enter+0x60 > sofree() at sofree+0xa0 > in_pcbdetach() at in_pcbdetach+0x40 > tcp_close() at tcp_close+0xad > tcp_timer_2msl() at tcp_timer_2msl+0x90 > softclock() at softclock+0x315 > softintr_dispatch() at softintr_dispatch+0x8b > Xsoftclock() at Xsoftclock+0x1f > ——interrupt——— > (null)() at 0x8 > end of kernel > end trace frame: 0x1120001, count: 247 > end of stack trace
Re: Making IPv6 NAT prefer privacy address
For the record, some ISPs offer both dynamic and static IPv6 subnets to their clients, like Internode, which uses router advertisements for dynamic subnets, and DHCPv6 IA_PD for static subnets.
Re: Adding zombies to a pf table?
Am Donnerstag, den 24.09.2015, 10:39 +0200 schrieb Peter Hessler: > On 2015 Sep 23 (Wed) at 18:14:51 +0100 (+0100), Craig Skinner wrote: > :Zombies are often attacking ports which don't have services running, > :such as telnet (most popular indeed), mysql, 3551, 8080, 13272, > etc. > : [..] > :I've tried to overload a match statement, but that won't work. > : > > I've been playing with this, too. Overload won't work until the > packet > is processed by a userland process. I remember to have done it once. But when I look into that old configuration, I am not sure whether the "synproxy state" or the "rdr-to 127.0.0.1 port 9" part of the rule did the trick. -- David Dahlberg Fraunhofer FKIE, Dept. Communication Systems (KOM) | Tel: +49-228-9435-845 Fraunhoferstr. 20, 53343 Wachtberg, Germany| Fax: +49-228-856277
Re: Making IPv6 NAT prefer privacy address
On 23/09/2015 16:16, Marios Makassikis wrote: > On 23 September 2015 at 15:34, Giancarlo Razzolini> wrote: >> Em 23-09-2015 04:40, Stuart Henderson escreveu: >>> Saves messing about with DHCPv6-PD >> >> I see. So you translate from what exactly? Wouldn't it be better to use >> af-to instead of nat? > > Hello, > > Rather than announcing the prefix obtained via DHCPv6-PD you can pick a prefix > from fd00::/8 and announce that on your network. > It is the equivalent to RFC1918 addresses, except it is for IPv6. > Therefore, it is > not routable and you need to perform NAT on it. The global address is the one > the router obtained via static configuration/SLAAC/DHCPv6, which will then be > used by all your clients. > >> But I can relate to that, given that my CPE will >> give me a PD, but won't route packets back because it thinks the prefix >> is reachable using NDP. Hence the need for a proxy, which OpenBSD >> currently doesn't have. >> >> Cheers, >> Giancarlo Razzolini >> > > Your CPE will see only the OpenBSD router's address so it should work. > > Marios > And that's exactly what I am doing. Well, I don't use DHCP but rather assign the fd00::/8 addresses statically, but for the rest, it's the same. Why NAT? I'm using pppoe to establish a connection to my ISP. And for every new connection, I get new IPv4 and IPv6 addresses. This is at home and I don't want my machines being accessible from the internet (except for some specific ports to some specific machines). As the addresses change all the time, firewalling would be quite difficult. SO NAT is very useful here :) But with that configuration, the problem is that all outgoing traffic (after the NAT) will use the main IPv6 address of the external interface (auto configured) or will pick one dynamically (auto configured / privacy address) (depending on the match statement in pf.conf). I think I will try to write a script to periodically check if the privacy address has changed and then update my pf.conf for now. But it would be a nice feature to be able to use something like egress:privacy for example or make pf automagically prefer the privacy addresses when natting:) Daniel
Re: Making IPv6 NAT prefer privacy address
Em 24-09-2015 08:36, Stuart Henderson escreveu: > What is the purpose of IPv6? The main purpose that I see is "ability to > continue getting internet addresses after v4 runout". (If it had been left > at that and didn't change a bunch of other things at the same time, perhaps > more people would be using it already). This sure is the purpose now. Short term. But one of the main reasons the address space is so large, is for every connected device be accessible from every other. > > And, like it or not, the majority of network admins have learned their > trade in a post-NAT world, and are relying on things which are difficult or > impossible to do without that... Yes. I got that. But I prefer to learn to do things properly, even if it means it's more difficult. > So you're relying on your ISPs CPE for network addressing and it doesn't > have a way to add a static route? It seems like you would have the same > problem with v4, doesn't it? I can add a static route, yes. And it answers to IA_PD requests, and also IA_NA. So I've managed to get it working for my internal machines. The only issue is that the CPE wont try to route the prefix it delegated to me. What it does instead, is to keep asking, using NDP, who has the address. Hence the need for a NDP proxy. > > Can you terminate the session on the OpenBSD box instead? If you mean a pppoe or other way to get the IPv6 directly on the OpenBSD box, then no. My CPE is only routed, unfortunately. But this discussion gave me the idea of making a bridge for my dmz and using ULA with nat on my internal networks, that don't need much external connectivity. This also solve my problem of having only one /64 prefix. Cheers, Giancarlo Razzolini
Re: Adding zombies to a pf table?
On 2015-09-24 11:37, Pantelis Roditis wrote: > On 09/24/2015 11:39 AM, Peter Hessler wrote: >> On 2015 Sep 23 (Wed) at 18:14:51 +0100 (+0100), Craig Skinner wrote: >> :Hello, >> : >> :Zombies are often attacking ports which don't have services running, >> :such as telnet (most popular indeed), mysql, 3551, 8080, 13272, etc. >> > > Hi, > > This is the exact reason why we created bofh-divert[1]. The idea is that > you pass those packets with PF to a divert socket opened by a daemon. > The daemon grabs the source IP and adds it to a predefined table. I've used one of the inetd "trivial services" (echo, discard, chargen, daytime or time) for this purpose, in combination with a couple of PF rules. Something like this: match in log on egress from any to tag honeypot pass in log tagged honeypot rdr-to 127.0.0.1 port echo keep state \ (max-src-conn-rate 1/30, overload flush global) Regards, /Benny PS. Who named unlistened-to ports "zombies" anyway? I've never heard that before. A zombie in a unix context have always been one thing and one thing only - a dead process that has yet to be wait()ed for by its parent.
Re: Adding zombies to a pf table?
On Thu, Sep 24, 2015 at 02:42:47PM +0200, Benny Lofgren wrote: > On 2015-09-24 11:37, Pantelis Roditis wrote: > > On 09/24/2015 11:39 AM, Peter Hessler wrote: > >> On 2015 Sep 23 (Wed) at 18:14:51 +0100 (+0100), Craig Skinner wrote: > >> :Hello, > >> : > >> :Zombies are often attacking ports which don't have services running, > >> :such as telnet (most popular indeed), mysql, 3551, 8080, 13272, etc. > >> > > > > Hi, > > > > This is the exact reason why we created bofh-divert[1]. The idea is that > > you pass those packets with PF to a divert socket opened by a daemon. > > The daemon grabs the source IP and adds it to a predefined table. > > I've used one of the inetd "trivial services" (echo, discard, chargen, > daytime or time) for this purpose, in combination with a couple of PF > rules. Something like this: > > match in log on egress from any to tag honeypot > pass in log tagged honeypot rdr-to 127.0.0.1 port echo keep state \ > (max-src-conn-rate 1/30, overload flush global) > > > Regards, > /Benny > > > PS. Who named unlistened-to ports "zombies" anyway? I've never heard > that before. A zombie in a unix context have always been one thing and > one thing only - a dead process that has yet to be wait()ed for by its > parent. Zombie is also a pc taken over bij malware. -Otto
Re: Adding zombies to a pf table?
Thanks for all the helpful replies. On 2015-09-23 Wed 18:14 PM |, Craig Skinner wrote: > > Zombies are often attacking ports which don't have services running, > such as telnet (most popular indeed), mysql, 3551, 8080, 13272, etc. > This was logged from Friday - Monday (zombies love the weekend)... Blocked logged connections from hosts in tables & count destination 12957 25 tcp 5396 23 tcp 3703 22 tcp 1578 1433 tcp 638 80 tcp 545 5060 udp 393 13282 udp 373 13272 udp 358 13281 udp 330 13283 udp 305 135 tcp 281 53 udp 269 3389 tcp 222 123 udp 210 443 tcp 208 113 tcp 194 3306 tcp 192 8080 tcp 124 445 tcp 124 1900 udp 118 9200 tcp 102 1723 tcp 93 63875 udp 82 137 udp 76 5902 tcp 75 tcp 74 5900 tcp 70 3551 udp 69 4899 tcp 67 19 udp 67 161 udp 64 53413 udp 61 5901 tcp 56 502 tcp 54 53 tcp 52 50571 udp 52 43022 udp 50 111 udp 48 2228 tcp 48 2223 tcp 47 110 tcp 40 81 tcp 40 3128 tcp 38 91 tcp 38 21320 tcp 38 1701 udp 34 520 udp 32 2226 tcp 32 2225 tcp 32 2224 tcp 31 8000 tcp 30 5351 udp 30 47808 udp 30 139 tcp 29 5093 udp 29 49153 udp 28 623 udp 27 441 tcp 26 27017 tcp 26 1434 udp 26 11211 tcp 24 30022 tcp 20 6379 tcp 19 17 udp 18 14435 tcp 18 1234 tcp 17 995 tcp 17 143 tcp 16 9443 tcp 16 5903 tcp 16 2227 tcp 16 22012 tcp 16 11911 tcp 15 8081 tcp 14 8800 tcp 14 4000 tcp 13 8443 tcp 13 5000 tcp 13 3443 tcp 12 tcp 12 5070 udp 12 5062 udp 12 5061 udp 12 33436 udp 11 5800 tcp 10 8123 tcp 10 8118 tcp 10 tcp 10 44818 udp 10 2022 tcp 9 tcp 9 80 udp 9 tcp 9 442 tcp 9 3444 tcp 9 21 tcp 9 2082 tcp 9 10444 tcp 8 9080 tcp 8 9000 tcp 8 843 tcp 8 8291 tcp 8 808 tcp 8 8022 tcp 8 8001 tcp 8 7003 tcp 8 6060 udp 8 5905 tcp 8 5904 tcp 8 5069 udp 8 5068 udp 8 5067 udp 8 5066 udp 8 5065 udp 8 5064 udp 8 5063 udp 8 5060 tcp 8 34352 tcp 8 27164 tcp 8 26600 tcp 8 25955 tcp 8 22122 tcp 8 2066 tcp 8 2055 tcp 8 2044 tcp 8 2033 tcp 8 1991 tcp 8 1218 tcp 8 tcp 8 10155 tcp 7 3 tcp 7 2323 tcp 7 2 tcp 7 1911 tcp 7 18000 tcp 7 1337 tcp 6 9797 tcp 6 9393 tcp 6 9090 tcp 6 9001 tcp 6 8140 tcp 6 8090 tcp 6 8089 tcp 6 8086 tcp 6 7808 tcp 6 7547 tcp 6 7004 tcp 6 tcp 6 63000 tcp 6 6006 tcp 6 5353 udp 6 37564 tcp 6 3 tcp 6 3130 tcp 6 3129 tcp 6 25967 tcp 6 2083 tcp 6 18186 tcp 6 14410 tcp 6 1080 tcp 5 9600 tcp 5 9051 tcp 5 5432 tcp 5 5007 tcp 5 1883 tcp 5 12345 tcp 5 11 tcp 4 9993 tcp 4 9987 udp 4 9527 tcp 4 9160 tcp 4 902 tcp 4 9010 tcp 4 9009 tcp 4 9008 tcp 4 9007 tcp 4 9006 tcp 4 9005 tcp 4 9004 tcp 4 9003 tcp 4 9002 tcp 4 9 tcp 4 udp 4 8810 tcp 4 8809 tcp 4 8808 tcp 4 8807 tcp 4 8806 tcp 4 8805 tcp 4 8804 tcp 4 8803 tcp 4 8802 tcp 4 8801 tcp 4 8686 tcp 4 8554 tcp 4 8145 tcp 4 8085 tcp 4 8010 tcp 4 8009 tcp 4 8008 tcp 4 8007 tcp 4 8006 tcp 4 8005 tcp 4 8004 tcp 4 8003 tcp 4 8002 tcp 4 8 tcp 4 7778 tcp 4 7443 tcp 4 7005 tcp 4 6443 tcp 4 6080 udp 4 6050 udp 4 6022 tcp 4 60022 tcp 4 6001 tcp 4 587 tcp 4 55313 tcp 4 5443 tcp 4 51132 tcp 4 5099 udp 4 5098 udp 4 5090 udp 4 5080 udp 4 5075 udp 4 5038 tcp 4 5022 tcp 4 5010 tcp 4 5009 tcp 4 5008 tcp 4 5006 tcp 4 5005 tcp 4 5004 tcp 4 5003 tcp 4 5002 tcp 4 5001 tcp 4 46536 tcp 4 44818 tcp 4 tcp 4 4443 tcp 4 4022 tcp 4 4 tcp 4 37191 tcp 4 3493 tcp 4 3264 tcp 4 3263 tcp 4 3262 tcp 4 3261 tcp 4 31337 tcp 4 3000 tcp 4 2701 tcp 4 25557 tcp 4 2443 tcp 4 22322 tcp 4 udp 4 2049 tcp 4 20288 tcp 4 2001 tcp 4 1755 tcp 4 17185 udp 4 15 tcp 4 1443 tcp 4 14226 tcp 4 14 tcp 4 13282 tcp 4 13281 tcp 4 13272 tcp 4 13 tcp 4 1283 tcp 4 12 tcp 4 1122 tcp 4 10 tcp 3 993 tcp 3 9151 tcp 3 82 tcp 3 64738 udp 3 500 udp 3 4500 udp 3 3780 tcp 3 3460 tcp 3 2480 tcp 3 2152 udp 3 21025 tcp 3 20547 tcp 3 19 tcp 3 1604 udp 3 1010 tcp 2 9798 tcp 2 8989 tcp 2 8834 tcp 2 88 udp 2 873 tcp 2 83 tcp 2 8060 tcp 2 7548 tcp 2 69 udp 2 6664 tcp 2 64436 tcp 2 63184 tcp 2 62484 tcp 2 6243 tcp 2 61049 tcp 2 60607 tcp 2 60333 tcp 2 59806 tcp 2 59395 tcp 2 57490 tcp 2 57358 tcp 2 5632 udp 2 56067 tcp 2 55650 tcp 2 5560 tcp 2 55107 tcp 2 5364 tcp 2 52072 tcp 2 51546 tcp 2 51483 tcp 2 5148 tcp 2 51065 tcp 2 50787 tcp 2 50009 tcp 2 4911 tcp 2 45925 tcp 2 44877 tcp 2 43501 tcp 2 4343 tcp 2 43192 tcp 2 42741 tcp 2 4040 tcp 2 38956
Re: Adding zombies to a pf table?
Hi Ted, On 2015-09-23 Wed 13:51 PM |, Ted Unangst wrote: > > > > Zombies are often attacking ports which don't have services running, > > such as telnet (most popular indeed), mysql, 3551, 8080, 13272, etc. > > > > block log those ports, then process the log file? > Running tcpdump was my first thought too, via an rc.d started script, but I wasn't too keen on having that running all the time. Ta. -- An elephant is a mouse with an operating system.
Re: Adding zombies to a pf table?
Hi Pantelis, On 2015-09-24 Thu 12:37 PM |, Pantelis Roditis wrote: > > This is the exact reason why we created bofh-divert[1]. The idea is that you > pass those packets with PF to a divert socket opened by a daemon. The daemon > grabs the source IP and adds it to a predefined table. > Wow, that looks like the ticket. If nothing else, I was considering a fake inetd driven telnet daemon, which would just be a script to drive netcat, grab the remote ip & pfctl add it to a table. With pf re-directs to it for commonly attacked ports, finishing up with: block in log from Cheers. -- The only possible interpretation of any research whatever in the `social sciences' is: some do, some don't. -- Ernest Rutherford
Re: Adding zombies to a pf table?
On 2015-09-24 Thu 14:42 PM |, Benny Lofgren wrote: > > I've used one of the inetd "trivial services" (echo, discard, chargen, > daytime or time) for this purpose, in combination with a couple of PF > rules. Something like this: > > match in log on egress from any to tag honeypot > pass in log tagged honeypot rdr-to 127.0.0.1 port echo keep state \ > (max-src-conn-rate 1/30, overload flush global) > Ahhh! Cunning plan Benny. I shall play... > > PS. Who named unlistened-to ports "zombies" anyway? http://en.wikipedia.org/wiki/Zombie_computer Cool. -- It is only the great men who are truly obscene. If they had not dared to be obscene, they could never have dared to be great. -- Havelock Ellis
PF stops accepting packets after ~2 days on -current
Hi, Since the recent mp network hackathon two weekd ago, I'm seeing very strange behavior on my gateway (PC-Engine APU on -current/amd64). After about 2 days, the box stops accepting "external" trafic, although everything seems normal when connected on serial. I dug a bit and it seems related to PF. When PF is disabled, the box is responding from the network. When PF is enabled (even with a simple "pass log all"), no packets seems to pass : when pinging from another host, I'm seeing requests, but no reply. On the pflog side, nothing is blocked. Trafic originated from the box is OK : I can ping other hosts on the network. I tried reloading rules, flushing states, nothing helped. Rebooting seems to be the only way to be back to normal. I'm out of ideas how to debug this situation. Any clues ? -- Mattieu Baptiste "/earth is 102% full ... please delete anyone you can."
Re: Making IPv6 NAT prefer privacy address
> On Sep 24, 2015, at 07:49, Giancarlo Razzoliniwrote: > > Em 24-09-2015 08:36, Stuart Henderson escreveu: >> What is the purpose of IPv6? The main purpose that I see is "ability to >> continue getting internet addresses after v4 runout". (If it had been left >> at that and didn't change a bunch of other things at the same time, perhaps >> more people would be using it already). > > This sure is the purpose now. Short term. But one of the main reasons > the address space is so large, is for every connected device be > accessible from every other. Another consideration that has entered the picture since that idea came out, though, is how much easier it will be in the non-NAT world for advertisers or whomever to track individuals' behaviour. Not everyone likes that.
Re: xrandr: Failed to get size of gamma for output default
On 09/20/15 16:35, Aaron Poffenberger wrote: I mentioned this in my dmesg for the Thinkpad T450s but thought it might also help others who have seen or may later see this issue to pull it out as a separate email. In addition to the xrandr issue below I can't change backlight settings. Noting here in case they're related. $ xrandr xrandr: Failed to get size of gamma for output default Screen 0: minimum 1920 x 1080, current 1920 x 1080, maximum 1920 x 1080 default connected 1920x1080+0+0 0mm x 0mm 1920x1080 0.00* $ xbacklight -set 50 No outputs have backlight property Any thoughts or suggestions? Cheers, --Aaron This issue is resolved with the build from 2015-09-23. This is now what I get back from xrandr: Screen 0: minimum 8 x 8, current 1920 x 1080, maximum 32767 x 32767 eDP1 connected 1920x1080+0+0 (normal left inverted right x axis y axis) 309mm x 174mm 1920x1080 60.02*+ 1400x1050 59.98 1280x1024 60.02 1280x960 60.00 1024x768 60.00 800x600 60.3256.25 640x480 59.94 DP1 disconnected (normal left inverted right x axis y axis) DP2 disconnected (normal left inverted right x axis y axis) HDMI1 disconnected (normal left inverted right x axis y axis) HDMI2 disconnected (normal left inverted right x axis y axis) VIRTUAL1 disconnected (normal left inverted right x axis y axis) And with a monitor connected to Display Port with a DP -> DVI adapter: Screen 0: minimum 8 x 8, current 3840 x 1080, maximum 32767 x 32767 eDP1 connected 1920x1080+1920+0 (normal left inverted right x axis y axis) 309mm x 174mm 1920x1080 60.02*+ 1400x1050 59.98 1280x1024 60.02 1280x960 60.00 1024x768 60.00 800x600 60.3256.25 640x480 59.94 DP1 disconnected (normal left inverted right x axis y axis) DP2 disconnected (normal left inverted right x axis y axis) HDMI1 connected 1920x1080+0+0 (normal left inverted right x axis y axis) 510mm x 287mm 1920x1080 60.00*+ 1600x1200 60.00 1680x1050 59.88 1280x1024 60.02 1440x900 59.90 1280x960 60.00 1280x800 59.91 1024x768 60.00 800x600 60.3256.25 640x480 60.00 HDMI2 disconnected (normal left inverted right x axis y axis) VIRTUAL1 disconnected (normal left inverted right x axis y axis) xbacklight -set also works. Thanks! --Aaron
Re: network config question
On 24/09/15 22:41, patrick keshishian wrote: Hi, I'm pretty sure I'm over-thinking this, so I thought I'd step back and see if I can get some hints as how this sort of a set-up is done "properly" by pros. Say, existing set up: [internet] -- [pf] -- [ public-ip-net/24 ] Want to add/connect a private 192.168.0/24 to existing [ public-ip-net/24]: ... [ public-ip-net/24] -?- [ obsd box ] -- [ 192.168.0/24 ] Goals: 1. Hosts in both networks "talk" with one another freely. e.g., hosts in existing network see hosts in to-be-added 192 network, as they are; i.e., not NAT-ed. And vice versa. 2. Hosts in 192.168.0/24 have access to the internet through the same/existing gateway. I lack some knowledge wrt to the subject, where I think, I am filling the "holes" with, possibly, far too complicated ideas. Appreciate any and all help offered. Thanks, --patrick First of all you don't need a second obsd/pf router for this. Either put the private network on a secondary ip on the same vlan/interface as the public or use a new vlan/interface for the private network. pf can be tuned to fit you filtering needs. Do the nat on [pf] box only for packets going out on its egress interface. G
Re: Recommended miniPCI express wireless module for PC Engines' APU system board?
On 15-09-23 05:01 PM, Mike Bregg wrote: I'm using an APU as a firewall/router and it works very well. However, after experimenting with some different wireless cards, I actually opted to install a separate EnGenius EAP600 Access Point on the main floor of my house, using PoE to run to the router/switch. [OT, sorry...] One word of warning: don't *ever* put an EnGenius AP outside the firewall... it has an open DNS resolver running on it that you can't disable. Found that out the hard way when I used an EAP600 to bridge a cable modem connection to a router in another room :-(. -Adam
Re: network config question
On Thu, Sep 24, 2015 at 1:41 PM, patrick keshishianwrote: > I'm pretty sure I'm over-thinking this, so I thought I'd step back and > see if I can get some hints as how this sort of a set-up is done > "properly" by pros. > > Say, existing set up: > > [internet] -- [pf] -- [ public-ip-net/24 ] > > Want to add/connect a private 192.168.0/24 to existing [ public-ip-net/24]: > > ... [ public-ip-net/24] -?- [ obsd box ] -- [ 192.168.0/24 ] > > Goals: > 1. Hosts in both networks "talk" with one another freely. >e.g., hosts in existing network see hosts in to-be-added 192 >network, as they are; i.e., not NAT-ed. And vice versa. > 2. Hosts in 192.168.0/24 have access to the internet through >the same/existing gateway. > > I lack some knowledge wrt to the subject, where I think, I am > filling the "holes" with, possibly, far too complicated ideas. Is it possible to add another NIC or VLAN interface the existing pf box? If so, this is how I'd do it and have the pf box route between the two subnets.
Re: Making IPv6 NAT prefer privacy address
Em 24-09-2015 16:51, Devin Reade escreveu: > Another consideration that has entered the picture since that idea came out, > though, is how much easier it will be in the non-NAT world for advertisers or > whomever to track individuals' behaviour. Not everyone likes that. Hence privacy addresses extensions and non-temporary address associations. In hindsight, it was a poor choice to make IPv6 addresses based on MAC addresses, given the advancements on pseudo-random number generation. The fact is, that OpenBSD and the other OS's should prefer privacy address for everything (even pf itself). This already happens on some linux configurations, where you have a semi stable privacy address any given time on a interface, and only that kind of address, not the MAC address based form. Anyway, this ULA natted will sure have it's uses, specially now in the beginning of the IPv4 to IPv6 migration. What Stuart mentioned that most of network administrators where born in a world already needing nat, has a big impact on this. Still it's not substitute to proper implementation and might even slow IPv6 deployment for a while. But with the advent of more devices in the IPv6 world, the so called internet of things, nat will have a performance hit on that, so it will eventually fade away, hopefully. Cheers, Giancarlo Razzolini
Re: Making IPv6 NAT prefer privacy address
On Thu, Sep 24, 2015 at 05:25:31PM -0300, Giancarlo Razzolini wrote: > The fact is, that OpenBSD and the other OS's should prefer > privacy address for everything (even pf itself). This already happens on > some linux configurations, where you have a semi stable privacy address > any given time on a interface, and only that kind of address, not the > MAC address based form. OpenBSD has been defaulting to autoconfprivacy addresses as source address for outgoing connections since 2012. http://marc.info/?l=openbsd-cvs=134557868416796=2
Re: Recommended miniPCI express wireless module for PC Engines' APU system board?
On Thu, Sep 24, 2015 at 5:28 PM, Adam Thompsonwrote: On 15-09-23 05:01 PM, Mike Bregg wrote: > I'm using an APU as a firewall/router and it works very well. > However, after experimenting with some different wireless cards, I > actually opted to install a separate EnGenius EAP600 Access Point on > the main floor of my house, using PoE to run to the router/switch. [OT, sorry...] One word of warning: don't *ever* put an EnGenius AP outside the firewall... it has an open DNS resolver running on it that you can't disable. Found that out the hard way when I used an EAP600 to bridge a cable modem connection to a router in another room :-(. -Adam Good to know, thanks for the heads up Adam. Mike
Re: doas and home directory of target user
At any rate, I have convinced myself that doas follows the manual page in preserving the calling user's key environment variables, including HOME and USER. I had not grasped that this was considered desired behavior, so did not initially read it that way. I still think the man page is a little confusing, but do not at the moment have any suggestions for clarifying things. (Now I'm not sure what doas is for, other than for running build scripts more safely, which I think it will be much more reliable at than sudo.) For the purpose below (allowing running firefox as a non-login user), I've installed sudo, and note that sudo -s now passes quoted strings as if the string itself were the command, such that scripts that were sudo -H -u user2 -s "cd; command" must now explicitly say sh -c, as sudo -H -u user2 sh -c "cd; command" For the larger purpose, providing a reliable sandbox, I'm going to see whether chroot would allow me to use a non-login user as proxy user for the stupid (pardon my French) bloated web browsers. On Wed, Sep 23, 2015 at 8:29 AM, Joel Reeswrote: > Thank you, Dan, Ben, and Frank. I see that I have left out some > important information: > > user2 is specified as a non-login class of user in /etc/login.conf, > auth=reject: shell=/sbin/nologin, and has a default shell of > /sbin/nologin in /etc/passwd . > > On Tue, Sep 22, 2015 at 5:41 PM, Joel Rees wrote: >> I have this rule in doas.conf: >> >> permit nopass user1 as user2 >> >> As user1, I try this at the command line: >> >> doas -u user2 whoami >> >> and it tells me I am user2, as I expect. And >> >>doas -u user2 ls >> >> tells me I don't have permission. I kind of expect this. >> >> I'm looking for a way to do the equivalent of >> >> sudo -u user2 -s "cd; ls" >> >> I don't see a way to do this with doas, at least not without a short >> intermediary script, which script is not going to be able to do cd ~/. >> >> Should I assume that doas is not intended to do this sort of thing? > > With this intermediary script: > > #! /bin/sh > export USER=user2 > . /etc/ksh.kshrc > printenv > ls > > I get > > MAIL=/var/mail/user1 > LOGNAME=user1 > HOME=/home/classU/user1 > > PATH=/home/classU/user1/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin:/usr/games:. > DISPLAY=:0.0 > TERM=xterm > USER=user2 > ls: .: Permission denied > > Which, I guess, does surprise me. > >> (And therefore [I should] do things "right" by setting up ssh with public-key >> authentication to do the user switch?) > > Which would also require enabling login for user2. (I tried this > without thinking yesterday.) > >> (Or go all out and set up chroot to run an instance of X11 and firefox? ;-/ >> ) > > Would this also require enabling login? > > -- > Joel Rees > > Be careful when you look at conspiracy. > Arm yourself with knowledge of yourself, as well: > http://reiisi.blogspot.jp/2011/10/conspiracy-theories.html -- Joel Rees Be careful when you look at conspiracy. Arm yourself with knowledge of yourself, as well: http://reiisi.blogspot.jp/2011/10/conspiracy-theories.html
Tratamiento para controlar la Gastritis naturalmente.
La foma natural de eliminar la gastritis comienza desde las causas. âLa gastritisâ se da por problemas digestivos y la deficiente función del sistema inmunológico, resultado de una incorrecta alimentación y de malos hábitos. Se debe curar la raÃz, âLa RaÃz Son Los Hábitos En El Estilo De Vidaâ, de lo contrario nada efectivo sucederá por más antiácidos, antibióticos o simples remedios caseros que tomemos. E incluso ni una cirugía la soluciona. Al contrario todo esto complica el problema. La cura natural y definitiva se logra aplicando un conjunto de técnicas que podrás conocer ingresando a nuestra página web dando Clic Aquí < BR> ** ** SI DESEA DESUSCRIBIRSE de Click Aquí para ser removido inmediatamente ** ***
dig and DNSSEC
Hello there, Is there any chance that dig (src/usr.sbin/bind/bin/dig/) could be build with -DDIG_SIGCHASE to enable dnssec verification in future releases? Where would be a proper place to request that? Cheers, -- Étienne
network config question
Hi, I'm pretty sure I'm over-thinking this, so I thought I'd step back and see if I can get some hints as how this sort of a set-up is done "properly" by pros. Say, existing set up: [internet] -- [pf] -- [ public-ip-net/24 ] Want to add/connect a private 192.168.0/24 to existing [ public-ip-net/24]: ... [ public-ip-net/24] -?- [ obsd box ] -- [ 192.168.0/24 ] Goals: 1. Hosts in both networks "talk" with one another freely. e.g., hosts in existing network see hosts in to-be-added 192 network, as they are; i.e., not NAT-ed. And vice versa. 2. Hosts in 192.168.0/24 have access to the internet through the same/existing gateway. I lack some knowledge wrt to the subject, where I think, I am filling the "holes" with, possibly, far too complicated ideas. Appreciate any and all help offered. Thanks, --patrick
Re: mini itx from intel
On Sun, Sep 20, 2015, at 08:50 AM, frantisek holop wrote: > does anyone happen to have any of these? > http://www.intel.com/content/www/us/en/nuc/nuc-comparison.html > > plz send dmesg if possible. > > -f > -- > loose lips sinks ships > Intel NUC 54250WYK, everything seems to work, prone to over-heating the wifi/mSATA cards though. OpenBSD 5.7 (GENERIC.MP) #2: Mon Jul 27 16:16:48 CEST 2015 r...@stable-57-amd64.mtier.org:/binpatchng/work-binpatch57-amd64/src/sys/arch/amd64/compile/GENERIC.MP real mem = 8498167808 (8104MB) avail mem = 8268029952 (7885MB) mpath0 at root scsibus0 at mpath0: 256 targets mainbus0 at root bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xec170 (83 entries) bios0: vendor Intel Corp. version "WYLPT10H.86A.0026.2014.0514.1714" date 05/14/2014 bios0: Intel Corporation D54250WYK acpi0 at bios0: rev 2 acpi0: sleep states S0 S3 S4 S5 acpi0: tables DSDT FACP APIC FPDT FIDT SSDT SSDT MCFG HPET SSDT SSDT DMAR CSRT acpi0: wakeup devices PS2K(S3) PS2M(S3) PXSX(S4) RP01(S4) PXSX(S4) RP02(S4) PXSX(S4) RP03(S4) PXSX(S4) RP04(S4) PXSX(S4) RP05(S4) PXSX(S4) RP06(S4) PXSX(S4) RP07(S4) [...] acpitimer0 at acpi0: 3579545 Hz, 24 bits acpimadt0 at acpi0 addr 0xfee0: PC-AT compat cpu0 at mainbus0: apid 0 (boot processor) cpu0: Intel(R) Core(TM) i5-4250U CPU @ 1.30GHz, 2295.05 MHz cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID cpu0: 256KB 64b/line 8-way L2 cache cpu0: smt 0, core 0, package 0 mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges cpu0: apic clock running at 99MHz cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4, IBE cpu1 at mainbus0: apid 2 (application processor) cpu1: Intel(R) Core(TM) i5-4250U CPU @ 1.30GHz, 2294.69 MHz cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID cpu1: 256KB 64b/line 8-way L2 cache cpu1: smt 0, core 1, package 0 cpu2 at mainbus0: apid 1 (application processor) cpu2: Intel(R) Core(TM) i5-4250U CPU @ 1.30GHz, 2294.69 MHz cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID cpu2: 256KB 64b/line 8-way L2 cache cpu2: smt 1, core 0, package 0 cpu3 at mainbus0: apid 3 (application processor) cpu3: Intel(R) Core(TM) i5-4250U CPU @ 1.30GHz, 2294.69 MHz cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID cpu3: 256KB 64b/line 8-way L2 cache cpu3: smt 1, core 1, package 0 ioapic0 at mainbus0: apid 8 pa 0xfec0, version 20, 40 pins acpimcfg0 at acpi0 addr 0xf800, bus 0-63 acpihpet0 at acpi0: 14318179 Hz acpiprt0 at acpi0: bus 0 (PCI0) acpiprt1 at acpi0: bus 1 (RP01) acpiprt2 at acpi0: bus 2 (RP04) acpiprt3 at acpi0: bus -1 (PEG0) acpiec0 at acpi0: not present acpicpu0 at acpi0: C2, C1, PSS acpicpu1 at acpi0: C2, C1, PSS acpicpu2 at acpi0: C2, C1, PSS acpicpu3 at acpi0: C2, C1, PSS acpipwrres0 at acpi0: FN00, resource for FAN0 acpipwrres1 at acpi0: FN01, resource for FAN1 acpipwrres2 at acpi0: FN02, resource for FAN2 acpipwrres3 at acpi0: FN03, resource for FAN3 acpipwrres4 at acpi0: FN04, resource for FAN4 acpitz0 at acpi0: critical temperature is 105 degC acpitz1 at acpi0: critical temperature is 105 degC acpibat0 at acpi0: BAT0 not present acpibat1 at acpi0: BAT1 not present acpibat2 at acpi0: BAT2 not present acpibtn0 at acpi0: PWRB acpibtn1 at acpi0: LID0 acpivideo0 at acpi0: GFX0 acpivout0 at acpivideo0: DD1F cpu0: Enhanced SpeedStep 2295 MHz: speeds: 1901, 1900, 1800, 1700, 1600, 1500, 1400, 1300, 1200, 1100, 1000, 900, 800, 779 MHz pci0 at mainbus0 bus 0 pchb0 at pci0 dev 0 function 0 "Intel Core 4G Host" rev 0x09 vga1 at pci0 dev 2 function 0 "Intel HD Graphics 5000" rev 0x09 intagp at vga1 not configured inteldrm0 at vga1 drm0 at inteldrm0 error: [drm:pid0:i915_write32] *ERROR* Unknown unclaimed register before writing to 10 inteldrm0: 1920x1080 wsdisplay0 at vga1 mux 1: console (std, vt100 emulation) wsdisplay0: screen 1-5 added (std, vt100 emulation) azalia0 at pci0 dev 3