Re: OpenBSD 6-stable vmd

2016-10-24 Thread Ax0n
Thanks for the update, ml.

The VM just did it again in the middle of backspacing over uname -a...

$ uname -a
OpenBSD vmmbsd.labs.h-i-r.net 6.0 GENERIC.MP#0 amd64
$ un   <-- frozen

Spinning like mad.

[axon@transient ~]$ vmctl status
   ID   PID VCPUS  MAXMEM  CURMEM  TTY         NAME
    2  2769     1   512MB   149MB  /dev/ttyp3  -c
    1 48245     1   512MB   211MB  /dev/ttyp0  obsdvmm.vm
[axon@transient ~]$ ps aux | grep 48245
_vmd  48245 98.5  2.3 526880 136956 ??  Rp  1:54PM  47:08.30 vmd: obsdvmm.vm (vmd)

load averages:  2.43,  2.36,  2.26                  transient.my.domain 18:29:10
56 processes: 53 idle, 3 on processor                                   up  4:35
CPU0 states:  3.8% user,  0.0% nice, 15.4% system,  0.6% interrupt, 80.2% idle
CPU1 states: 15.3% user,  0.0% nice, 49.3% system,  0.0% interrupt, 35.4% idle
CPU2 states:  6.6% user,  0.0% nice, 24.3% system,  0.0% interrupt, 69.1% idle
CPU3 states:  4.7% user,  0.0% nice, 18.1% system,  0.0% interrupt, 77.2% idle
Memory: Real: 1401M/2183M act/tot Free: 3443M Cache: 536M Swap: 0K/4007M

  PID USERNAME PRI NICE  SIZE   RES STATE     WAIT      TIME    CPU COMMAND
48245 _vmd      43    0  515M  134M onproc    thrslee  47:37 98.00% vmd
 7234 axon       2    0  737M  715M sleep     poll     33:18 19.14% firefox
42481 _x11      55    0   16M   42M onproc    -         2:53  9.96% Xorg
 2769 _vmd      29    0  514M   62M idle      thrslee   2:29  9.62% vmd
13503 axon      10    0  512K 2496K sleep     nanosle   0:52  1.12% wmapm
76008 axon      10    0  524K 2588K sleep     nanosle   0:10  0.73% wmmon
57059 axon      10    0  248M  258M sleep     nanosle   0:08  0.34% wmnet
23088 axon       2    0  580K 2532K sleep     select    0:10  0.00% wmclockmon
64041 axon       2    0 3752K   10M sleep     poll      0:05  0.00% wmaker
16919 axon       2    0 7484K   20M sleep     poll      0:04  0.00% xfce4-terminal
    1 root      10    0  408K  460K idle      wait      0:01  0.00% init
80619 _ntp       2  -20  880K 2480K sleep     poll      0:01  0.00% ntpd
 9014 _pflogd    4    0  672K  408K sleep     bpf       0:01  0.00% pflogd
58764 root      10    0 2052K 7524K idle      wait      0:01  0.00% slim



On Mon, Oct 24, 2016 at 10:47 PM, Mike Larkin  wrote:

> On Mon, Oct 24, 2016 at 07:36:48PM -0500, Ax0n wrote:
> > I suppose I'll ask here since it seems on-topic for this thread. Let me
> > know if I shouldn't do this in the future. I've been testing vmm for
> > exactly a week on two different snapshots. I have two VMs: One running the
> > same snapshot (amd64, Oct 22) I'm running on the host vm, the other running
> > amd64 6.0-RELEASE with no patches of any kind.
> >
> > For some reason, the vm running a recent snapshot locks up occasionally
> > while I'm interacting with it via cu or occasionally ssh. Should I expect a
> > ddb prompt and/or kernel panic messages via the virtualized serial console?
> > Is there some kind of "break" command on the console to get into ddb when
> > it appears to hang? A "No" or "Not yet" on those two questions would
> > suffice if not possible. I know this isn't supported, and appreciate the
> > hard work.
> >
> > Host dmesg:
> > http://stuff.h-i-r.net/2016-10-22.Aspire5733Z.dmesg.txt
> >
> > VM (Oct 22 Snapshot) dmesg:
> > http://stuff.h-i-r.net/2016-10-22.vmm.dmesg.txt
> >
>
> These look fine. Not sure why it would have locked up. Is the associated vmd
> process idle, or spinning like mad?
>
> -ml
>
> > Second:
> > I'm using vm.conf (contents below) to start the aforementioned snapshot vm
> > at boot.
> > There's a "disable" line inside vm.conf to keep one VM from spinning up
> > with vmd.  Is there a way to start this one with vmctl aside from passing
> > all the options to vmctl as below?
> >
> > doas vmctl start -c -d OBSD-RELa -i 1 -k /home/axon/obsd/amd64/bsd -m 512M
> >
> > I've tried stuff along the lines of:
> > doas vmctl start OBSD-RELa.vm
> >
> > vm "obsdvmm.vm" {
> > memory 512M
> > kernel "bsd"
> > disk "/home/axon/vmm/OBSD6"
> > interface tap
> > }
> > vm "OBSD-RELa.vm" {
> > memory 512M
> > kernel "/home/axon/obsd/amd64/bsd"
> > disk "/home/axon/vmm/OBSD-RELa"
> > interface tap
> > disable
> > }
> >
>
> I think this is being worked on, but not done yet.
>
> -ml
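
Mike's question above ("is the associated vmd process idle, or spinning like mad?") is answered per VM by joining vmctl status with ps, which is what the following script does across every running VM at once. This is an added example, not code from the thread or from OpenBSD. It assumes the 6.0-era vmctl status column layout quoted above (ID PID VCPUS MAXMEM CURMEM TTY NAME with one header line), ps invoked as `ps -axo pid,pcpu,state,command`, and an arbitrary 90% CPU threshold; the sample inputs are constructed, modelled on the numbers in the post, and the second VM's name is made up.

```shell
#!/bin/sh
# Added example, not from the thread: cross-reference "vmctl status" with
# ps(1) output to flag VMs whose vmd process is burning CPU while the guest
# appears hung. Assumptions: 6.0-era vmctl status columns
# (ID PID VCPUS MAXMEM CURMEM TTY NAME), "ps -axo pid,pcpu,state,command",
# and a default threshold of 90% CPU.

# spinning_vms STATUSFILE PSFILE [THRESHOLD]
# Prints "<vm name> pid=<pid> cpu=<pcpu> state=<state>" for each VM whose
# vmd process is at or above THRESHOLD percent CPU.
spinning_vms() {
    awk -v thresh="${3:-90}" '
    FNR == NR {                         # first file: vmctl status
        if ($1 == "ID" || NF < 7) next  # skip the header and blank lines
        name[$2] = $NF                  # PID -> NAME (last column)
        next
    }
    ($1 in name) && ($2 + 0) >= thresh {   # second file: ps output
        printf "%s pid=%s cpu=%s state=%s\n", name[$1], $1, $2, $3
    }
    ' "$1" "$2"
}

# Constructed sample inputs (modelled on the figures in the post above, with
# an invented name for the second VM) so the function can be exercised offline.
sample_status() {
    cat <<'EOF'
   ID   PID VCPUS  MAXMEM  CURMEM  TTY         NAME
    2  2769     1   512MB   149MB  /dev/ttyp3  obsd-rel.vm
    1 48245     1   512MB   211MB  /dev/ttyp0  obsdvmm.vm
EOF
}
sample_ps() {
    cat <<'EOF'
  PID %CPU STAT COMMAND
48245 98.5 R    vmd: obsdvmm.vm (vmd)
 2769  9.6 S    vmd: obsd-rel.vm (vmd)
 7234 19.1 S    firefox
EOF
}

# Live use on the hypervisor:
#   vmctl status > /tmp/vms; ps -axo pid,pcpu,state,command > /tmp/ps
#   spinning_vms /tmp/vms /tmp/ps
```

A vmd process pinned near 100% while the guest console is unresponsive is the data point worth attaching to a report; a vmd at a few percent with the same symptom points somewhere else (the guest kernel, or the console path).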



Re: OpenBSD 6-stable vmd

2016-10-24 Thread Mike Larkin
On Mon, Oct 24, 2016 at 07:36:48PM -0500, Ax0n wrote:
> I suppose I'll ask here since it seems on-topic for this thread. Let me
> know if I shouldn't do this in the future. I've been testing vmm for
> exactly a week on two different snapshots. I have two VMs: One running the
> same snapshot (amd64, Oct 22) I'm running on the host vm, the other running
> amd64 6.0-RELEASE with no patches of any kind.
> 
> For some reason, the vm running a recent snapshot locks up occasionally
> while I'm interacting with it via cu or occasionally ssh. Should I expect a
> ddb prompt and/or kernel panic messages via the virtualized serial console?
> Is there some kind of "break" command on the console to get into ddb when
> it appears to hang? A "No" or "Not yet" on those two questions would
> suffice if not possible. I know this isn't supported, and appreciate the
> hard work.
> 
> Host dmesg:
> http://stuff.h-i-r.net/2016-10-22.Aspire5733Z.dmesg.txt
> 
> VM (Oct 22 Snapshot) dmesg:
> http://stuff.h-i-r.net/2016-10-22.vmm.dmesg.txt
> 

These look fine. Not sure why it would have locked up. Is the associated vmd
process idle, or spinning like mad?

-ml

> Second:
> I'm using vm.conf (contents below) to start the aforementioned snapshot vm
> at boot.
> There's a "disable" line inside vm.conf to keep one VM from spinning up
> with vmd.  Is there a way to start this one with vmctl aside from passing
> all the options to vmctl as below?
> 
> doas vmctl start -c -d OBSD-RELa -i 1 -k /home/axon/obsd/amd64/bsd -m 512M
> 
> I've tried stuff along the lines of:
> doas vmctl start OBSD-RELa.vm
> 
> vm "obsdvmm.vm" {
> memory 512M
> kernel "bsd"
> disk "/home/axon/vmm/OBSD6"
> interface tap
> }
> vm "OBSD-RELa.vm" {
> memory 512M
> kernel "/home/axon/obsd/amd64/bsd"
> disk "/home/axon/vmm/OBSD-RELa"
> interface tap
> disable
> }
> 

I think this is being worked on, but not done yet.

-ml



Re: OpenBSD 6-stable vmd

2016-10-24 Thread Ax0n
I suppose I'll ask here since it seems on-topic for this thread. Let me
know if I shouldn't do this in the future. I've been testing vmm for
exactly a week on two different snapshots. I have two VMs: One running the
same snapshot (amd64, Oct 22) I'm running on the host vm, the other running
amd64 6.0-RELEASE with no patches of any kind.

For some reason, the vm running a recent snapshot locks up occasionally
while I'm interacting with it via cu or occasionally ssh. Should I expect a
ddb prompt and/or kernel panic messages via the virtualized serial console?
Is there some kind of "break" command on the console to get into ddb when
it appears to hang? A "No" or "Not yet" on those two questions would
suffice if not possible. I know this isn't supported, and appreciate the
hard work.

Host dmesg:
http://stuff.h-i-r.net/2016-10-22.Aspire5733Z.dmesg.txt

VM (Oct 22 Snapshot) dmesg:
http://stuff.h-i-r.net/2016-10-22.vmm.dmesg.txt

Second:
I'm using vm.conf (contents below) to start the aforementioned snapshot vm
at boot.
There's a "disable" line inside vm.conf to keep one VM from spinning up
with vmd.  Is there a way to start this one with vmctl aside from passing
all the options to vmctl as below?

doas vmctl start -c -d OBSD-RELa -i 1 -k /home/axon/obsd/amd64/bsd -m 512M

I've tried stuff along the lines of:
doas vmctl start OBSD-RELa.vm

vm "obsdvmm.vm" {
memory 512M
kernel "bsd"
disk "/home/axon/vmm/OBSD6"
interface tap
}
vm "OBSD-RELa.vm" {
memory 512M
kernel "/home/axon/obsd/amd64/bsd"
disk "/home/axon/vmm/OBSD-RELa"
interface tap
disable
}






Re: OpenBSD 6-stable vmd

2016-10-24 Thread R0me0 ***
Hey @Peter, one more time thanks so much for the heads up :)

For those interested:

I'm running OpenBSD-current under VMware Workstation 12 (you just need to set
the processor properties to virtualize Intel VT-x/EPT or AMD-V/RVI)

and have fun testing vmd.

:)

Thank you

2016-10-22 8:43 GMT-02:00 R0me0 *** :

> Hey Peter ,
>
> Thank you for the advice, I'll get current
>
> Cheers dude !
>
> (:
>
>
> 2016-10-22 6:44 GMT-02:00 Peter Hessler :
>
>> This isn't expected to work at all.  That is why it was disabled.
>> You'll need to upgrade the Hypervisor to -current, or to 6.1 when it is
>> released.
>>
>>
>>
>> On 2016 Oct 22 (Sat) at 00:06:08 -0200 (-0200), R0me0 *** wrote:
>> :Hello misc.
>> :
>> :For testing purposes
>> :
>> :I compiled kernel with vmd support.
>> :
>> :After start the vm -> vmctl start "myvm" -m 512M -i 1 -d disk.img -k /bsd.rd
>> :
>> :I created a bridge and added vether0 and tap0
>> :
>> :In the vm I have configured an ip 192.168.1.30
>> :
>> :If I perform ping from OpenBSD Hypervisor -> ping 192.168.1.30 all packets
>> :are sent and received "on the fly"
>> :
>> :But if I perform the same step from "myvm", there is no packet loss but the
>> :packets take so long to be sent and then replied to
>> :
>> :I am performing this tests on Linux  running Vmware Workstation 12 .
>> :
>> :Is this behavior expected ?
>> :
>> :Any directions will be appreciated.
>> :
>> :Thank you
>> :
>> :myvm dmesg:
>> :
>> :OpenBSD 6.0 (RAMDISK_CD) #2100: Tue Jul 26 13:05:59 MDT 2016
>> :   dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/RAMDISK_CD
>> :RTC BIOS diagnostic error 20
>> :real mem = 520093696 (496MB)
>> :avail mem = 502673408 (479MB)
>> :mainbus0 at root
>> :bios0 at mainbus0
>> :acpi at bios0 not configured
>> :cpu0 at mainbus0: (uniprocessor)
>> :cpu0: Intel(R) Core(TM) i7-4810MQ CPU @ 2.80GHz, 14335.74 MHz
>> :cpu0:
>> :FPU,VME,DE,PSE,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,
>> PAT,PSE36,CFLUSH,DS,MMX,FXSR,SSE,SSE2,SS,SSE3,PCLMUL,SSSE3,
>> FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,AVX,F1
>> :6C,RDRAND,HV,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,ARAT
>> :pvbus0 at mainbus0: OpenBSD
>> :pci0 at mainbus0 bus 0
>> :pchb0 at pci0 dev 0 function 0 "OpenBSD VMM PCI Host Bridge" rev 0x00
>> :virtio0 at pci0 dev 1 function 0 "Qumranet Virtio RNG" rev 0x00
>> :viornd0 at virtio0
>> :virtio0: irq 3
>> :virtio1 at pci0 dev 2 function 0 "Qumranet Virtio Storage" rev 0x00
>> :vioblk0 at virtio1
>> :scsibus0 at vioblk0: 2 targets
>> :sd0 at scsibus0 targ 0 lun 0:  SCSI3 0/direct
>> fixed
>> :sd0: 5120MB, 512 bytes/sector, 10485760 sectors
>> :virtio1: irq 5
>> :virtio2 at pci0 dev 3 function 0 "Qumranet Virtio Network" rev 0x00
>> :vio0 at virtio2: address fe:e1:ba:d0:d0:94
>> :virtio2: irq 9
>> :isa0 at mainbus0
>> :com0 at isa0 port 0x3f8/8 irq 4: ns8250, no fifo
>> :com0: console
>> :softraid0 at root
>> :scsibus1 at softraid0: 256 targets
>> :root on rd0a swap on rd0b dump on rd0b
>> :WARNING: invalid time in clock chip
>> :WARNING: CHECK AND RESET THE DATE!
>> :
>> :openbsd hypervisor :
>> :
>> :
>> :OpenBSD 6.0-stable (GENERIC.MP) #0: Fri Oct 21 20:07:42 BRST 2016
>> :   root@puffysor.localdomain:/usr/src/sys/arch/amd64/compile/GENERIC.MP
>> :real mem = 2130640896 (2031MB)
>> :avail mem = 2061631488 (1966MB)
>> :mpath0 at root
>> :scsibus0 at mpath0: 256 targets
>> :mainbus0 at root
>> :bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xe0010 (242 entries)
>> :bios0: vendor Phoenix Technologies LTD version "6.00" date 07/02/2015
>> :bios0: VMware, Inc. VMware Virtual Platform
>> :acpi0 at bios0: rev 2
>> :acpi0: sleep states S0 S1 S4 S5
>> :acpi0: tables DSDT FACP BOOT APIC MCFG SRAT HPET WAET
>> :acpi0: wakeup devices PCI0(S3) USB_(S1) P2P0(S3) S1F0(S3) S2F0(S3)
>> S3F0(S3)
>> :S4F0(S3) S5F0(S3) S6F0(S3) S7F0(S3) S8F0(S3) S9F0(S3) S10F(S3) S11F(S3)
>> :S12F(S3) S13F(S3) [...]
>> :acpitimer0 at acpi0: 3579545 Hz, 24 bits
>> :acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
>> :cpu0 at mainbus0: apid 0 (boot processor)
>> :cpu0: Intel(R) Core(TM) i7-4810MQ CPU @ 2.80GHz, 3800.69 MHz
>> :cpu0:
>> :FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CM
>> OV,PAT,PSE36,CFLUSH,DS,MMX,FXSR,SSE,SSE2,SS,HTT,SSE3,PCLMUL,
>> VMX,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLIN
>> :E,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,LONG,LAHF,ABM,PE
>> RF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,SENSOR,ARAT
>> :
>> :cpu0: 256KB 64b/line 8-way L2 cache
>> :cpu0: smt 0, core 0, package 0
>> :mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
>> :cpu0: apic clock running at 65MHz
>> :cpu1 at mainbus0: apid 1 (application processor)
>> :cpu1: Intel(R) Core(TM) i7-4810MQ CPU @ 2.80GHz, 3810.50 MHz
>> :cpu1:
>> :FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CM
>> OV,PAT,PSE36,CFLUSH,DS,MMX,FXSR,SSE,SSE2,SS,HTT,SSE3,PCLMUL,
>> 

dante socksify authenticate a different user

2016-10-24 Thread Rashad Kanavath
Hello,

Can someone provide a sample configuration for socks.conf to use the socks5
protocol with authentication?

After the basic configuration it uses a system user, but I have a different
username for the proxy server.

here is /etc/socks.conf

route {
from: 0.0.0.0/0   to: 0.0.0.0/0   via: x.x.x.x port = 1080
proxyprotocol: socks_v5 # server supports socks v5.
}

this is the only thing modified after pkg_add dante

OpenBSD rkm.my.domain 6.0 GENERIC.MP#2319 amd64

-- 
Regards,
   Rashad
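
An added example of the route block with username/password authentication; it is not from the thread and not Dante's own documentation. It assumes Dante 1.4.x client syntax, where the keyword is `socksmethod` (older releases spell it `method`), and keeps the placeholder proxy address `x.x.x.x` from the post.

```conf
# /etc/socks.conf (client side, read by socksify). Added example, not the
# poster's file; "socksmethod" is assumed to be the 1.4.x keyword.
route {
        from: 0.0.0.0/0   to: 0.0.0.0/0   via: x.x.x.x port = 1080
        proxyprotocol: socks_v5         # server supports socks v5
        socksmethod: username           # offer RFC 1929 username/password auth
}
```

The proxy credentials do not go in socks.conf: Dante's socksify reads them from the `SOCKS_USERNAME` and `SOCKS_PASSWORD` environment variables (verify the names against the socks.conf(5) shipped with the installed package), so a one-off run looks like `SOCKS_USERNAME=proxyuser SOCKS_PASSWORD='...' socksify ftp ...`. Two caveats: RFC 1929 authentication sends the password in cleartext to the proxy, and anything able to read the process environment gets it, so do not export it from a shared shell profile.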



Re: pf rule for openvpn

2016-10-24 Thread R0me0 ***
Assuming you block the traffic by default

pf.conf

block log all


# tcpdump -e -ttt -ni pflog0 action block

You will be able to see what exactly is being blocked :)


-Regards

2016-10-24 12:19 GMT-02:00 Kenneth Gober :

> On Sun, Oct 23, 2016 at 4:46 PM, Thuban  wrote:
> > Here are the relevant parts of my pf.conf :
> >
> > ext_if = "re0"
> > tcp_pass = "{ gopher ipp 8000 }"
> > udp_pass = "{ 1194 }"
> >
> > pass in quick on $ext_if proto tcp to any port $tcp_pass keep state
> > pass in quick on $ext_if proto udp to any port $udp_pass keep state
> >
> > pass out on $ext_if from 10.8.0.0/24 to any nat-to $ext_if
> >
> > pass out on $ext_if proto { tcp udp icmp } all modulate state
>
> Do you have rules that allow traffic in from tun0?  Something like:
>
> pass in quick on tun0 keep state
>
> Otherwise traffic will reach OpenVPN but get no further, being blocked
> coming out of the tunnel.
>
> -ken



Re: openbsd bgp problem send /128 ipv6 announcement for remote blackhole

2016-10-24 Thread Claudio Jeker
On Mon, Oct 24, 2016 at 04:03:01PM +0200, Thomas Boernert wrote:
> Dear List,
> 
> with ipv4 it works fine:
> bgpctl network add ipv4-address/32 community 1:0
> 
> but with ipv6 it won't work:
> 
> # bgpctl network add ipv6-address/128 community 1:0
> request sent.
> 
> => but no update will be sent to the neighbor, checked with
> tcpdump too, no packet will be sent.
> 
> # bgpctl sh network
> flags: S = Static
> flags destination
> *S   0 ipv4/21 0.0.0.0
> *S   0 ipv6/32   ::
> *0 ipv6-address/128 ::
> 
> => it looks ok

You are looking in the wrong place. That is part of the FIB, not the RIB.
bgpctl show rib empty-as or bgpctl show rib 
This should give you a better idea of what is going wrong.

> 
> i tried to run bgpd in foreground and verbose mode, but no message.
> 
> i also tried to add this line to bgpd.conf
> 
> allow from group "isp1" prefix myipv6prefix/32 prefixlen = 128 community
> 1:0
> or
> allow to group "isp1" prefix myipv6prefix/32 prefixlen = 128 community
> 1:0
> 
> same problem.
> 
> Does anyone have an idea?
> 
> Thanks
> 
> Thomas
> 
> Diese Nachricht wurde versandt mit Webmail von www.tbits.net.
> This message was sent using webmail of www.tbits.net.
> 

-- 
:wq Claudio



Re: pf rule for openvpn

2016-10-24 Thread Kenneth Gober
On Sun, Oct 23, 2016 at 4:46 PM, Thuban  wrote:
> Here are the relevant parts of my pf.conf :
>
> ext_if = "re0"
> tcp_pass = "{ gopher ipp 8000 }"
> udp_pass = "{ 1194 }"
>
> pass in quick on $ext_if proto tcp to any port $tcp_pass keep state
> pass in quick on $ext_if proto udp to any port $udp_pass keep state
>
> pass out on $ext_if from 10.8.0.0/24 to any nat-to $ext_if
>
> pass out on $ext_if proto { tcp udp icmp } all modulate state

Do you have rules that allow traffic in from tun0?  Something like:

pass in quick on tun0 keep state

Otherwise traffic will reach OpenVPN but get no further, being blocked
coming out of the tunnel.

-ken
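
Ken's point applies to the ruleset quoted above, which has `block log all` and a `nat-to` rule on $ext_if but nothing that passes packets arriving on tun0. The following is an added example of a minimal pf.conf for this setup, not the poster's file and not from the OpenVPN or pf documentation; the interface name, UDP port and 10.8.0.0/24 subnet are taken from the thread, everything else is assumed.

```conf
# Added example, not from the thread: minimal pf.conf for an OpenVPN gateway
# that forwards client traffic to the Internet. re0, udp/1194 and
# 10.8.0.0/24 come from the poster's config; the rest is assumed.
ext_if  = "re0"
vpn_if  = "tun0"
vpn_net = "10.8.0.0/24"

set skip on lo

# Translation as a match rule, so it applies whichever pass rule finally lets
# the packet out of $ext_if.
match out on $ext_if inet from $vpn_net to any nat-to ($ext_if)

block log all

# The tunnel itself: OpenVPN listening on UDP 1194 on the public interface.
pass in quick on $ext_if inet proto udp to ($ext_if) port 1194 keep state

# Decrypted client packets re-enter the stack inbound on tun0. Without a
# pass rule here, "block log all" drops them before forwarding ever happens:
# clients connect, but nothing beyond the server answers.
pass in quick on $vpn_if inet from $vpn_net to any keep state
# Tighter variant if clients should only be forwarded and must not reach
# services on the gateway itself (put it before the pass rule above):
#   block in quick on $vpn_if inet from $vpn_net to self

# Outbound from the host and the forwarded VPN traffic.
pass out on $ext_if proto { tcp udp icmp } all modulate state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and keep `net.inet.ip.forwarding=1` set. If traffic still does not flow, `tcpdump -ni pflog0 action block` (as suggested earlier in this thread) shows the interface on which each drop happens, which separates a missing tun0 rule from a NAT problem in one look.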



openbsd bgp problem send /128 ipv6 announcement for remote blackhole

2016-10-24 Thread Thomas Boernert

Dear List,

with ipv4 it works fine:
bgpctl network add ipv4-address/32 community 1:0

but with ipv6 it won't work:

# bgpctl network add ipv6-address/128 community 1:0
request sent.

=> but no update will be sent to the neighbor, checked with
tcpdump too, no packet will be sent.

# bgpctl sh network
flags: S = Static
flags destination
*S   0 ipv4/21 0.0.0.0
*S   0 ipv6/32   ::
*0 ipv6-address/128 ::

=> it looks ok

i tried to run bgpd in foreground and verbose mode, but no message.

i also tried to add this line to bgpd.conf

allow from group "isp1" prefix myipv6prefix/32 prefixlen = 128 community 
1:0

or
allow to group "isp1" prefix myipv6prefix/32 prefixlen = 128 community 
1:0


same problem.

Does anyone have an idea?

Thanks

Thomas
Diese Nachricht wurde versandt mit Webmail von www.tbits.net.
This message was sent using webmail of www.tbits.net.



Re: dmidecode and access to /dev/mem denied

2016-10-24 Thread Raul Miller
On Fri, Oct 21, 2016 at 11:56 AM, Theo de Raadt  wrote:
> For the simple reason that this is 2016 not 1986, and userland code that
> can sniff through the kernel's physical address space is a ridiculous
> process.  It needs to die; or have proper device driver interface that
> gives it exactly what it needs.

And if anyone is wondering why and has not been a part of the
discussions, here's an illustration of the issue:

http://arstechnica.com/security/2016/10/using-rowhammer-bitflips-to-root-android-phones-is-now-a-thing/

(That said, if you do not see this message because of that url and
filtering, ... there will be nothing I am going to do about that.)

-- 
Raul



Re: pf rule for openvpn

2016-10-24 Thread Thuban
* Predrag Punosevac  wrote on [23-10-2016 20:18:27 -0400]:
> On 23-10-2016 at 17:01, Thuban wrote:
> > Hi,
> > I have an openvpn server running and working, but can't
> > go "outside" the server to access the web.
> >
> > To configure the server, I followed this :
> > http://2f30.org/guides/openvpn.html
> >
> > So ip forwarding is active, vpn port is open, clients can connect to
> > the vpn. But they can't access the web.
> >
> > I guess the problem comes from this pf rule :
> >
> > pass out on $ext_if from 10.8.0.0/24 to any nat-to ($ext_if)
> >
> > I've been on this issue for too many hours to have a clear mind on
> > this.
> > Any advice to find why I'm stuck on the server?
> >
> > Regards.
> >
> >
>
> Hi,
>
> I saw your e-mail this morning but I had no idea what to make out of it
> as I am confused about your network topology. I was also not impressed
> that you were following some howto from the internet. Both PF and
> OpenVPN are well documented. Grab the books and read it.
>

The link to the howto was to avoid long explanations. Anyway, here is
some more information. I'm pretty sure I'm wrong to redirect packets.

What I want is this :

 VPN
Clients -> Server -> Web

simply.

openvpn configuration :

dev tun0
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 80.67.169.12"
push "redirect-gateway def1"

ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/private/server.key
dh /etc/openvpn/dh.pem
crl-verify /etc/openvpn/crl.pem

daemon openvpn
group _openvpn
user _openvpn
keepalive 10 120
management 127.0.0.1 1195 /etc/openvpn/private/mgmt.pwd
max-clients 100
persist-key
persist-tun
port 1194
proto udp
comp-lzo

client-cert-not-required
username-as-common-name
script-security 3 system
auth-user-pass-verify /usr/local/libexec/openvpn_bsdauth via-env
auth-nocache

log-append  /var/log/openvpn/openvpn.log
status /var/log/openvpn/openvpn-status.log
verb 3


/etc/pf.conf :

ext_if = "re0"                      # interface
ssh_port = ""                       # ssh port
http_ports = "{ www https }"        # http(s) ports
mail_ports = "{ submission imaps }" # mail ports
tcp_pass = "{ gopher ipp 8000 }"    # open tcp ports
udp_pass = "{ 1194 }"               # open udp ports
set block-policy drop               # drop silently
set skip on lo                      # no filtering on loopback
set limit table-entries 40

## tables for the nasty brute-forcers
table  persist
table  persist
table  persist

# antispam with greylisting
table  persist
table  persist file "/etc/mail/nospamd"
table  persist

## Packet handling ##
match in all scrub (no-df)          # fragmented packets
block in quick from urpf-failed

## Firewall rules ##
# block everything by default
block log all

# block blacklisted IPs
block in log quick proto tcp from  to any port $http_ports
block in log quick proto tcp from  to any port $ssh_port

# antispam
pass in on $ext_if proto tcp from any to any port smtp \
    divert-to 127.0.0.1 port spamd
pass in on $ext_if proto tcp from  to any port smtp
pass in on $ext_if proto tcp from  to any port smtp
pass in quick on $ext_if proto tcp from  to any port smtp

# If more than 3 connections every 60 seconds on the ssh port,
# add the IP to the table so it gets blocked.
pass in on $ext_if proto tcp to any port $ssh_port flags S/SA keep state \
    (max-src-conn-rate 5/60, overload  flush global)

# If more than 50 connections every 5 seconds on the http(s) ports,
# or if it tries to connect more than 100 times,
# add the IP to the table so it gets blocked.
pass in on $ext_if proto tcp to any port $http_ports flags S/SA keep state \
    (max-src-conn-rate 50/5, overload  flush)

# Brute-force protection for mail
pass in on $ext_if proto tcp to any port $mail_ports flags S/SA keep state \
    (max-src-conn-rate 10/60, overload  flush global)

# allow ping
pass quick inet6 proto ipv6-icmp all icmp6-type { echoreq, unreach }
pass quick inet proto icmp all icmp-type { echoreq, unreach }

# open the other ports
pass in quick on $ext_if proto tcp to any port $tcp_pass keep state
pass in quick on $ext_if proto udp to any port $udp_pass keep state

# vpn
pass out on $ext_if from 10.8.0.0/24 to any nat-to ($ext_if)

# everything open outbound
pass out on $ext_if proto { tcp udp icmp } all modulate state


Regards.


Re: How to analyse excessive PF states?

2016-10-24 Thread Patrick Lamaiziere
Le Sat, 22 Oct 2016 18:12:37 +0200,
Federico Giannici  a écrit :

> We have a firewall with OpenBSD 6.0 amd64 that handles about 1.5 Gbps
> of traffic.
> 
> I noticed that for a few weeks the number of states has increased
> from around 250.000 to almost 2 million (no change in PF config)!
> 
> At the same time the firewall started losing a few packets (around 
> 1-2%, with peaks of 4%). Maybe this is due to too many states to
> handle?

Hard to tell for the number of states but you have some PF congestions,
which is bad.

Did you try to augment the sysctl net.inet.ip.ifq.maxlen ?
In my previous setup that helped a bit against congestion
(net.inet.ip.ifq.maxlen=2048).

Regards,
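
Before tuning queue lengths it is worth knowing what the extra 1.7 million states actually are. The script below is an added example, not from the thread, that reduces `pfctl -ss` output to the peers and state phases that dominate the table. It assumes the OpenBSD `pfctl -ss` line layout `<if> <proto> <addr>:<port> [(<addr>:<port>)] <- or -> <addr>:<port>  <state>`, that the parenthesised address is the pre-translation (NAT) address, and that IPv6 endpoints are printed as `[addr]:port`; the sample state lines are constructed, not real output from the poster's firewall.

```shell
#!/bin/sh
# Added example, not from the thread: summarise "pfctl -ss" output to find
# what is driving a state-table blow-up. Assumed line layout:
#   <if> <proto> <addr>:<port> [(<addr>:<port>)] <-|-> <addr>:<port>  <state>
# with the parenthesised address being the pre-NAT address and IPv6
# endpoints printed as [addr]:port.

# top_state_peers [N]: read pfctl -ss on stdin and print the N (default 10)
# remote peers (inbound states) / originating hosts (outbound states) that
# own the most states, as "<count> <addr>".
top_state_peers() {
    awk '
    {
        arrow = 0
        for (i = 3; i <= NF; i++)
            if ($i == "<-" || $i == "->") { arrow = i; break }
        if (!arrow) next                 # not a state line
        if ($arrow == "<-") {
            peer = $(arrow + 1)          # inbound: remote peer is on the right
        } else {
            peer = $3                    # outbound: originator is on the left
            if (arrow == 5) peer = $4    # NAT form: charge the pre-NAT address
        }
        gsub(/\(|\)/, "", peer)
        sub(/:[0-9]+$/, "", peer)        # strip the port; also handles [v6]:port
        gsub(/\[|\]/, "", peer)
        count[peer]++
    }
    END { for (p in count) print count[p], p }
    ' | sort -k1,1nr -k2,2 | head -n "${1:-10}"
}

# states_by_phase: count states by their "<src>:<dst>" phase string (last
# field). Piles of SYN_SENT:CLOSED or MULTIPLE:SINGLE suggest a scan or UDP
# flood; growth in ESTABLISHED:ESTABLISHED suggests real sessions or an
# over-long tcp.established timeout.
states_by_phase() {
    awk '/<-|->/ { count[$NF]++ } END { for (s in count) print count[s], s }' \
        | sort -k1,1nr -k2,2
}

# Constructed sample state lines (not real output from the poster's firewall).
sample_states() {
    cat <<'EOF'
all tcp 192.0.2.10:443 <- 198.51.100.7:51234       ESTABLISHED:ESTABLISHED
all tcp 192.0.2.10:443 <- 198.51.100.7:51235       ESTABLISHED:ESTABLISHED
all tcp 192.0.2.10:443 <- 198.51.100.7:51236       FIN_WAIT_2:FIN_WAIT_2
all udp 192.0.2.10:53 <- 198.51.100.8:40001       MULTIPLE:SINGLE
all tcp 192.0.2.20:51000 -> 203.0.113.5:80       ESTABLISHED:ESTABLISHED
all tcp 203.0.113.9:12000 (192.0.2.20:51001) -> 203.0.113.5:443       ESTABLISHED:ESTABLISHED
all tcp [2001:db8::10]:443 <- [2001:db8:ffff::7]:1       SYN_SENT:CLOSED
EOF
}

# Live use:  pfctl -ss | top_state_peers 20 ;  pfctl -ss | states_by_phase
```

Run both against a live `pfctl -ss` snapshot taken while the count is high. A handful of peers owning most of the table, or one phase string dominating, tells you whether the fix is a per-source limit (`max-src-states`, `max-src-conn-rate` with an overload table), a shorter timeout for that phase (`set timeout`), or simply a larger `set limit states` because the traffic is legitimate.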