IPSec flow not properly routed
OpenBSD: 6.0

Hello,

I have an IPsec VPN set up but I don't understand why my packets are going out on the wrong interface.

    # ipsecctl -sa
    FLOWS:
    flow esp in from 192.168.8.0/24 to 10.2.89.224/27 peer remote.y.y.y srcid external.ip.x.x/32 dstid remote.y.y.y/32 type use
    flow esp out from 10.2.89.224/27 to 192.168.8.0/24 peer remote.y.y.y srcid external.ip.x.x/32 dstid remote.y.y.y/32 type require

    SAD:
    esp tunnel from remote.y.y.y to external.ip.x.x spi 0x779061a9 auth hmac-sha1 enc aes-256
    esp tunnel from external.ip.x.x to remote.y.y.y spi 0xfd952672 auth hmac-sha1 enc aes-256

When I ping 192.168.8.1 it's going out on the OpenBSD external interface and doesn't get into the tunnel.

    # tcpdump -n -i vmx0 icmp
    08:23:35.881059 external.ip.x.x > 192.168.8.1: icmp: echo request

    # sysctl net.inet.ip.forwarding
    net.inet.ip.forwarding=1

I have another OpenBSD, version 5.8, and everything is working properly. For example:

    # tcpdump -i enc0
    tcpdump: listening on enc0, link-type ENC
    08:32:25.011263 (authentic,confidential): SPI 0x08927690: 192.168.x.2 > 10.2.1.2: icmp: echo request (encap)
    08:32:25.071152 (authentic,confidential): SPI 0xa9b5a687: 10.2.1.2 > 192.168.x.2: icmp: echo reply (encap)

Does anyone have an idea why it behaves like this?

Thank you
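As an added illustration (not part of the post or of OpenBSD's tools), a small Python checker that parses the FLOWS lines printed by `ipsecctl -sa` and tests whether a source/destination pair falls inside an outbound flow's selectors; only packets that match a flow are handed to the tunnel, anything else follows the ordinary routing table. The peer and local addresses are constructed stand-ins (203.0.113.10 and 198.51.100.5) for the anonymized ones in the post.

```python
import ipaddress
import re

# Constructed sample: the FLOWS lines from the post, with documentation
# addresses substituted for the anonymized peer and local address.
FLOWS_TEXT = """\
flow esp in from 192.168.8.0/24 to 10.2.89.224/27 peer 203.0.113.10 srcid 198.51.100.5/32 dstid 203.0.113.10/32 type use
flow esp out from 10.2.89.224/27 to 192.168.8.0/24 peer 203.0.113.10 srcid 198.51.100.5/32 dstid 203.0.113.10/32 type require
"""

# One ipsecctl flow line: direction, selectors, peer, optional ids, type.
FLOW_RE = re.compile(
    r"^flow (?P<proto>\S+) (?P<dir>in|out) from (?P<src>\S+) to (?P<dst>\S+)"
    r" peer (?P<peer>\S+)(?: srcid \S+ dstid \S+)? type (?P<type>\S+)$"
)


def parse_flows(text):
    """Turn ipsecctl FLOWS output into dicts with parsed network selectors."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            f = m.groupdict()
            f["src"] = ipaddress.ip_network(f["src"], strict=False)
            f["dst"] = ipaddress.ip_network(f["dst"], strict=False)
            flows.append(f)
    return flows


def matching_flow(flows, src, dst, direction="out"):
    """Return the first flow whose selectors cover a src -> dst packet, else None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for f in flows:
        if f["dir"] == direction and s in f["src"] and d in f["dst"]:
            return f
    return None


def explain(flows, src, dst):
    """Human-readable verdict for where an outbound packet would go."""
    f = matching_flow(flows, src, dst)
    if f is None:
        return f"{src} -> {dst}: no outbound flow covers this pair; normal routing applies"
    return (f"{src} -> {dst}: matches flow {f['src']} -> {f['dst']} "
            f"(type {f['type']}); tunnelled to peer {f['peer']}")


if __name__ == "__main__":
    flows = parse_flows(FLOWS_TEXT)
    # Echo request sourced from the external address, as in the post's tcpdump.
    print(explain(flows, "198.51.100.5", "192.168.8.1"))
    # Echo request sourced from inside the protected /27.
    print(explain(flows, "10.2.89.230", "192.168.8.1"))
```

Running it shows the echo request sourced from the external address matches no flow, while one sourced from inside 10.2.89.224/27 does.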
Re: Removal of old libraries
Ax0n wrote on 09/03/16 13:12:
> I've got a Toshiba NB305 netbook that's been my daily-use laptop for more
> than 6 years now. The last fresh install I did was OpenBSD 4.9-RELEASE in
> early May 2011. I've been quite happy with how it works, and I've been
> doing bsd.rd upgrades and M:Tier binary updates ever since.
>
> There is a lot of seemingly unused cruft in /usr/local/lib -- stuff with an
> atime of my last level 0 dump several months ago. Looks like pkg_add -u
> left a bunch of stuff behind. Is there a recommended way to clean this
> stuff up, or should I just start chopping away with something like:
>
> find /usr/local/lib -type f -atime +90 | doas xargs rm
>
> (after a new level 0 dump, obviously...)

I've been removing the old system during the upgrade script since 4.9, coincidentally. I haven't had a problem yet while upgrading two production servers and my two laptops, from release to release.

After selecting the OS sets during the upgrade, but before hitting ENTER, type ! at the "Set name(s)?" prompt to enter a shell. Then run: `cd /mnt && rm -rf bin sbin usr/!(local) && exit`. Then just hit enter and continue running the upgrade script.

WARNING: this will wipe out your system, so if the upgrade fails for some reason, you are TOTALLY SCREWED!
I periodically (every few releases) clean out /usr/local. First, get a list of manually installed packages using `pkg_info -m`. Then uninstall everything. It is interesting to see what gets left behind. If any garbage is left over, remove it. Then reinstall from your generated list. I don't do this very often anymore as `pkg_delete -a` seems to clean up quite well.

As insurance, I take level 0 dumps just before upgrading or cleaning /usr/local. Also, one of my laptops is a spare that has all the same software installed as the production servers and my main laptop. So this laptop is a test run, if you will. If there are quirks, my main laptop is my second chance to make sure I know what the hell I'm doing before finally upgrading my two production systems.

Also, just a public announcement: test your restore-from-backup process once in a while.

I've always thought about sharing this process, but always thought it is probably not the best advice.
Re: OpenBGPD status for RPKI
As far as I know, that effort has been dropped. There is currently no effort, and no interest from the developers.

On 2016 Nov 07 (Mon) at 21:51:20 +0100 (+0100), minek van wrote:
:oh, sorry,
:
:I thought it was already in because I saw mails:
:
:Adding RPKI/ROA support to OpenBGPd
:Denis Fondras
:Sun, 08 Jun 2014 09:28:25 -0700
:
:Any idea when will it get in? It looks promising!
:
:Thanks!
:
:> Sent: Monday, November 07, 2016 at 9:40 PM
:> From: "Peter Hessler"
:> To: "minek van"
:> Cc: misc@openbsd.org
:> Subject: Re: OpenBGPD status for RPKI
:>
:> There is currently no RPKI in OpenBGPD.
:>
:>
:> On 2016 Nov 07 (Mon) at 21:19:20 +0100 (+0100), minek van wrote:
:> :Hello,
:> :
:> :is RPKI production ready with OpenBGPD? Does anyone use it?
:> :
:> :Many thanks!
Re: OpenBGPD status for RPKI
oh, sorry,

I thought it was already in because I saw mails:

Adding RPKI/ROA support to OpenBGPd
Denis Fondras
Sun, 08 Jun 2014 09:28:25 -0700

Any idea when will it get in? It looks promising!

Thanks!

> Sent: Monday, November 07, 2016 at 9:40 PM
> From: "Peter Hessler"
> To: "minek van"
> Cc: misc@openbsd.org
> Subject: Re: OpenBGPD status for RPKI
>
> There is currently no RPKI in OpenBGPD.
>
>
> On 2016 Nov 07 (Mon) at 21:19:20 +0100 (+0100), minek van wrote:
> :Hello,
> :
> :is RPKI production ready with OpenBGPD? Does anyone use it?
> :
> :Many thanks!
Re: OpenBGPD status for RPKI
There is currently no RPKI in OpenBGPD.

On 2016 Nov 07 (Mon) at 21:19:20 +0100 (+0100), minek van wrote:
:Hello,
:
:is RPKI production ready with OpenBGPD? Does anyone use it?
:
:Many thanks!
:
Re: What is the difference between the security of HardenedBSD, security of FreeBSD, security of NetBSD, security of OpenBSD and security of DragonflyBSD?
The rank would probably be (if only counting the OS itself, no ports, no custom things, responsible admin):

1. OpenBSD
2. HardenedBSD

The remaining ones are not security-oriented.

What are you trying to defend against?

> Sent: Monday, November 07, 2016 at 1:32 PM
> From: "SOUL_OF_ROOT 55"
> To: misc@openbsd.org
> Subject: What is the difference between the security of HardenedBSD, security
> of FreeBSD, security of NetBSD, security of OpenBSD and security of
> DragonflyBSD?
>
> Sorry for this question:
>
> What is the difference between the security of HardenedBSD, security of
> FreeBSD, security of NetBSD, security of OpenBSD and security of
> DragonflyBSD?
>
> Thank you
OpenBGPD status for RPKI
Hello,

is RPKI production ready with OpenBGPD? Does anyone use it?

Many thanks!
Re: softraid crypto performance on Sun Fire T1000
Hi,

...on Sat, Oct 29, 2016 at 03:06:05PM +0200, Jonathan Schleifer wrote:
> While a single core of the T1000 is quite slow, this just seems too slow,
> making this setup unusable. openssl speed shows 10 MB/s for AES-128-CBC and 7
> MB/s for AES-256-CBC on a single core. So a single core is definitely capable
> of more than just 2 MB/s. While even 10 MB/s is still slow for today, it's

A long time ago, compiler flags made a hell of a difference for openssl on sparc64 (and I assume that kernel crypto might behave in a similar way)...

I don't know about the current defaults in OpenBSD/sparc64, but for a T1 CPU, you could try rebuilding the kernel with something like "-mcpu=v9 -mtune=niagara" in mk.conf COPTS, and check if you see an improvement.

You'll be on your own with any problems though - custom compiler optimizations for the system are generally frowned upon :)

Alex.
Re: What is the difference between the security of HardenedBSD, security of FreeBSD, security of NetBSD, security of OpenBSD and security of DragonflyBSD?
Do your homework and come back to this list to ask questions when you have real ones.
Re: What is the difference between the security of HardenedBSD, security of FreeBSD, security of NetBSD, security of OpenBSD and security of DragonflyBSD?
On 2016-11-07 20:32, SOUL_OF_ROOT 55 wrote:
> Sorry for this question:
>
> What is the difference between the security of HardenedBSD, security of
> FreeBSD, security of NetBSD, security of OpenBSD and security of
> DragonflyBSD?
>
> Thank you

Mate, your questions come off as very general, maybe too general for this list, and your previous emails can be felt as having a rude tone, and perhaps as coming out of Google Translate.

Please research and come back with more articulated questions. Maybe ask this on the IRC. But really, go study and try things yourself first. Most of this explains itself.

Also fix your attitude, assume a tone that's more appropriate-sounding.
What is the difference between the security of HardenedBSD, security of FreeBSD, security of NetBSD, security of OpenBSD and security of DragonflyBSD?
Sorry for this question:

What is the difference between the security of HardenedBSD, security of FreeBSD, security of NetBSD, security of OpenBSD and security of DragonflyBSD?

Thank you
Re: Oddness with pkg_add
On 2016-11-04, Chris Huxtable wrote:
>
> # doas -u _pkgfetch host ftp.openbsd.org
> ftp.openbsd.org is an alias for openbsd.sunsite.ualberta.ca.
> openbsd.sunsite.ualberta.ca has address 129.128.5.191

Don't use host(1) to check, it doesn't use the system resolver that is used by normal programs for name resolution. Try this instead:

    $ doas -u _pkgfetch getent hosts ftp.openbsd.org
    129.128.5.191   ftp.openbsd.org

Or even

    $ doas -u _pkgfetch ftp -o- http://ftp.openbsd.org/pub/OpenBSD/6.0/
    ...

Is there anything else involved? http_proxy? Anything "odd" in resolv.conf?