Re: Mid-2015 MacBook Pro

2017-09-21 Thread Ax0n
This one *should* be identical to the one I've been issued by my employer
(on which I'm running OS X) -- in that case, it has the NVidia GeForce GT
750M and the Intel Iris Pro. The Plot Thickens.

There's an error about /etc/boot.conf. The keyboard works fine at the FDE
prompt, and at the boot> prompt. There's an RTC BIOS diagnostic error
before the kernel loads. At the UCK prompt, the cursor is glitching and the
keyboard is unresponsive. External keyboard isn't helping.

Photos here, if it matters: https://imgur.com/a/iL6T0

On Thu, Sep 21, 2017 at 7:22 PM, Dave Voutila  wrote:

> ax0n,
>
> Is that a model with both integrated Intel gpu and dedicated Radeon
> gpu? Maybe look at drm(4) and try removing the radeon driver since the
> intel one should work fine.
>
> The intel drivers work great on my early-2015 MBP (i5 Broadwell), but
> then again it doesn't have any dedicated graphics.
>
> -Dave
>
> On Thu, Sep 21, 2017 at 6:19 PM, Ax0n  wrote:
> > I have a Mid-2015 MacBook Pro that I'm trying to get OpenBSD on. I
> > installed from the latest snapshot and from -RELEASE (installXX.fs
> written
> > to SD card). The install goes fine (using an axen(4) USB dongle for
> > connectivity) but upon reboot, it gets part way through, then the screen
> > goes blank with the backlight on. Although I can briefly see the axen(4)
> > attach, it doesn't seem to get an IP address if I let it sit around for a
> > few minutes. I can't get the dmesg, and I can't determine what the last
> > message is before the screen blanks. It doesn't appear to respond to the
> > keyboard.
> >
> > Has anyone gotten this working? Google is pointing me to a few posts from
> > the likes of jcs@ and others about systems that are either slightly
> newer
> > or slightly older than mine. Any suggestions on getting a good dmesg out
> of
> > it? Devices I should consider disabling from UKC to get this thing off
> the
> > ground?
> >
> > TIA-
> > ax0n
>


Re: Mid-2015 MacBook Pro

2017-09-21 Thread Dave Voutila
ax0n,

Is that a model with both integrated Intel gpu and dedicated Radeon
gpu? Maybe look at drm(4) and try removing the radeon driver since the
intel one should work fine.

The intel drivers work great on my early-2015 MBP (i5 Broadwell), but
then again it doesn't have any dedicated graphics.

-Dave

On Thu, Sep 21, 2017 at 6:19 PM, Ax0n  wrote:
> I have a Mid-2015 MacBook Pro that I'm trying to get OpenBSD on. I
> installed from the latest snapshot and from -RELEASE (installXX.fs written
> to SD card). The install goes fine (using an axen(4) USB dongle for
> connectivity) but upon reboot, it gets part way through, then the screen
> goes blank with the backlight on. Although I can briefly see the axen(4)
> attach, it doesn't seem to get an IP address if I let it sit around for a
> few minutes. I can't get the dmesg, and I can't determine what the last
> message is before the screen blanks. It doesn't appear to respond to the
> keyboard.
>
> Has anyone gotten this working? Google is pointing me to a few posts from
> the likes of jcs@ and others about systems that are either slightly newer
> or slightly older than mine. Any suggestions on getting a good dmesg out of
> it? Devices I should consider disabling from UKC to get this thing off the
> ground?
>
> TIA-
> ax0n



Mid-2015 MacBook Pro

2017-09-21 Thread Ax0n
I have a Mid-2015 MacBook Pro that I'm trying to get OpenBSD on. I
installed from the latest snapshot and from -RELEASE (installXX.fs written
to SD card). The install goes fine (using an axen(4) USB dongle for
connectivity) but upon reboot, it gets part way through, then the screen
goes blank with the backlight on. Although I can briefly see the axen(4)
attach, it doesn't seem to get an IP address if I let it sit around for a
few minutes. I can't get the dmesg, and I can't determine what the last
message is before the screen blanks. It doesn't appear to respond to the
keyboard.

Has anyone gotten this working? Google is pointing me to a few posts from
the likes of jcs@ and others about systems that are either slightly newer
or slightly older than mine. Any suggestions on getting a good dmesg out of
it? Devices I should consider disabling from UKC to get this thing off the
ground?

TIA-
ax0n


Re the OpenBSD-supported Octeon-based "Rhino Labs Inc. SDNA Shasta", they are manufacturing it. (That was not at all obvious.)

2017-09-21 Thread tinkr
Regarding the device listed as supported on https://www.openbsd.org/octeon.html
"Rhino Labs Inc. SDNA Shasta":

Their product ad is at
https://web.archive.org/web/20161208032606/http://www.rhinolabsinc.com:80/rhino-shasta-enterprise-grade-network-appliance/
; while archive.org is an uncommon place to advertise a product, I talked to
them and they're manufacturing it.

Their main web site is http://www.whizzsystems.com/ . They manufacture the SDNA
Shasta; however, more frequently they manufacture this 8-port version of the
same (photo here:
https://web.archive.org/web/20161221202746im_/http://www.rhinolabsinc.com/wp-content/uploads/2015/03/Home-A1.jpg
). I need to clarify its actual name; it's some four-digit product name.

They manufacture and sell the Shasta in batches only, for a 50 pieces batch 
each piece is 780 USD, and for a 100 piece batch each piece is 690 USD.

Sometimes some spares remain after a run and they get some extra that they 
could sell to an unannoying customer.

He is looking at what a higher-RAM variant would cost also. He was clear it 
fits at least 16GB, and they need to have the RAM soldered. There is M.2 NVME 
support, probably as bootable medium also.

It has an eMMC, which exports some gigabytes for boot medium (which can be used
in all cases), and he mentioned the firmware is on non-exported sectors on the
eMMC.

(They'll make an ARM64 ThunderX variant of the same soon also, anyhow.)

Tinker

Re: log interface up or down and change of physical address

2017-09-21 Thread George Brown
There's ifstated - http://man.openbsd.org/ifstated

On 21 September 2017 at 14:29, Krzysztof Strzeszewski  wrote:
> Hi,
>
> How to log interface up or down (cable connected or not connected) and
> changes of the physical address on OpenBSD?
>
>
> --
> Regards,
> Krzysztof Strzeszewski
>
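As an added example, not code from anyone in this thread: ifstated(8) can switch state on em0.link.up / em0.link.down and run a command when it does, but it has no test for the link-layer address, so the change-of-MAC half of the question needs a script that is run periodically (or from an ifstated run action). The POSIX sh helper below parses ifconfig(8) output, compares status and lladdr with the previous values kept in a small state file, and prints one line per change so the output can go straight to logger(1). The ifconfig output embedded in it is constructed, and the interface name em0 and the state-file path /var/db/linkmon.em0 are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: report link-state and lladdr changes
# from ifconfig(8) output. The sample output below is constructed; on a real
# OpenBSD host the input would come from `ifconfig em0` (interface assumed).

# Print the "status:" value (e.g. "active", "no carrier") from ifconfig
# output read on stdin; prints nothing if the line is absent.
link_status() {
    awk '$1 == "status:" { sub(/^[ \t]*status:[ \t]*/, ""); print; exit }'
}

# Print the link-layer (MAC) address from ifconfig output read on stdin.
link_lladdr() {
    awk '$1 == "lladdr" { print $2; exit }'
}

# Compare the current status/lladdr pair with the pair saved in STATEFILE
# (two lines: status, lladdr), print one line per change, then save the
# current pair. Nothing is printed when nothing changed, so the output can
# be piped straight into logger(1).
# Usage: ifconfig em0 | report_changes /var/db/linkmon.em0 | logger -t linkmon
report_changes() {
    statefile=$1
    out=$(cat)
    status=$(printf '%s\n' "$out" | link_status)
    lladdr=$(printf '%s\n' "$out" | link_lladdr)
    old_status=
    old_lladdr=
    if [ -f "$statefile" ]; then
        old_status=$(sed -n 1p "$statefile")
        old_lladdr=$(sed -n 2p "$statefile")
    fi
    if [ "$status" != "$old_status" ]; then
        printf 'link state: %s -> %s\n' "${old_status:-unknown}" "$status"
    fi
    if [ "$lladdr" != "$old_lladdr" ]; then
        printf 'lladdr changed: %s -> %s\n' "${old_lladdr:-unknown}" "$lladdr"
    fi
    printf '%s\n%s\n' "$status" "$lladdr" > "$statefile"
}

# Constructed ifconfig(8)-style output: link up, then down with a new lladdr.
SAMPLE_UP='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	lladdr 00:11:22:33:44:55
	media: Ethernet autoselect (1000baseT full-duplex)
	status: active
	inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255'
SAMPLE_DOWN='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	lladdr 00:11:22:33:44:66
	media: Ethernet autoselect (none)
	status: no carrier
	inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255'

# Stand-alone demonstration: run both samples through one fresh state file.
demo() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_UP" | report_changes "$f"
    printf '%s\n' "$SAMPLE_DOWN" | report_changes "$f"
    rm -f "$f"
}
```

Run from cron(8) every minute or from an ifstated state's run action, the first invocation logs both values as changes from "unknown"; after that only real transitions produce output. An lladdr change on a wired interface that nobody reconfigured is worth an alert rather than just a log line.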



Re: log interface up or down and change of physical address

2017-09-21 Thread trondd
On Thu, September 21, 2017 9:29 am, Krzysztof Strzeszewski wrote:
> Hi,
>
> How to log interface up or down (cable connected or not connected) and
> changes of the physical address on OpenBSD?
>
>
> --
> Regards,
> Krzysztof Strzeszewski
>

ifstated(8) and some scripts?



log interface up or down and change of physical address

2017-09-21 Thread Krzysztof Strzeszewski

Hi,

How to log interface up or down (cable connected or not connected) and
changes of the physical address on OpenBSD?



--
Regards,
Krzysztof Strzeszewski



Re: relayd https relay

2017-09-21 Thread rosjat
I want to go with Let's Encrypt certificates, so if I provide the pem
created by acme-client it should be ok, even if it seems not to be for now.


I don't know if relayd development is going to add SNI sometime soon, but
for now I could live with a certificate that basically has all my served
domains in the SAN field.




On 21.09.2017 at 14:49, trondd wrote:
> On Thu, September 21, 2017 8:25 am, rosjat wrote:
>> I try to figure out the ca file option mentioned by Ronan; maybe this is
>> some kind of option here.
>>
>
> Using 'ca file' means you have to decrypt the SSL connection from the
> clients with relayd then re-encrypt from relayd to the web servers.
> Clients will only see relayd's SSL certificate.  Originally you said you
> want to use a different cert for each web site.
>
> What CA signs the web server certificates?  There was a bug, I don't know
> if it got fixed, in relayd that you can't use a big file of CAs for the
> 'ca file', the imsg was not chunked and if the file is too big, relayd
> will fail to start the relay.  Take the CA cert that signed the web server
> certificates and put that into a file and reference that file like 'ca
> file "/etc/ssl/webca.pem"'
>
>> On 21.09.2017 at 14:11, trondd wrote:
>>> On Thu, September 21, 2017 3:49 am, rosjat wrote:
>>>> Hi,
>>>>
>>>> so I added the with tls keywords to the relay and my webserver gets
>>>> requests now but from my relayhost and this is making the way back quite
>>>> hard :(
>>>>
>>>> so I added the X Headers for Forwarded-For and Forwarded-By but it still
>>>> leaves the question how to tell the relayhost to just let it all out
>>>> like in a normal rdr-to rule in pf? Like I said pf rule just works fine
>>>> so the traffic can go through all the interfaces just fine.
>>>>
>>>> regards
>>>>
>>>> Markus
>>>>
>>>
>>> You can't do what you want with a layer 7 relay in relayd.  Redirect rules
>>> in pf work because pf doesn't know or care about DNS host names.
>>>
>>> Because you are using SSL, once you need to make decisions based on the
>>> host, you have two options:
>>>
>>> A relay server that supports SNI so it can see the Host and forward to the
>>> right server.  Or terminating the SSL encryption at the relay server so
>>> you can read the unencrypted host value.
>>>
>>> Option 2 is required for relayd as it does not support SNI.  But that
>>> means the relay server holds the SSL certificate.  You can only have 1
>>> certificate per IP and port.  If you want to use individual certs for each
>>> web site, you're stuck.  You either need to use different ports, which is
>>> typically a non-starter for web sites, or put multiple IPs on the relay
>>> box.
>>>
>>> If security between the relay server and web servers is necessary (don't
>>> trust someone else's network, and if possible, don't trust your own) you
>>> can re-encrypt the communication from relayd and the web server but it'll
>>> be relayd using the web server certificate, not the user.
>>>






--
Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220   fax: +49 351 8107227

Please check whether this mail really needs to be printed! Before
you print it, think about your responsibility and commitment to the
ENVIRONMENT




third screen / multi video cards

2017-09-21 Thread b . gruel

Hello,

My system is OpenBSD 6.1 release and my video cards are an ATI Radeon HD
5450 and an ATI Radeon 9200 SE Sec (added afterwards for debugging).


I've been using the HD 5450 card with two screens for a while now (DVI + VGA)
without any issues. Since yesterday I've been trying to add a third screen (on
the HDMI port) but I get very strange behaviour. The screen plugged into
the HDMI port goes up and down every 5 sec.


When the screen goes up & down I get this in my log:

Sep 21 14:23:07 thy-ws-026 /bsd: error: 
[drm:pid36888:drm_edid_block_valid] *ERROR* EDID checksum is invalid, 
remainder is 76

Sep 21 14:23:07 thy-ws-026 /bsd: Raw EDID:
Sep 21 14:23:07 thy-ws-026 /bsd: Raw EDID:
Sep 21 14:23:07 thy-ws-026 /bsd: 00 ff ff ff ff ff ff 00  22 f0 5a 28 01 
01 01 01
Sep 21 14:23:07 thy-ws-026 /bsd: 0f 15 03 ff ff ff ff ff  ff ff ff ff ff 
ff ff ff
Sep 21 14:23:07 thy-ws-026 /bsd: ff ff ff ff ff ff ff ff  ff ff ff ff ff 
ff ff ff

Sep 21 14:23:07 thy-ws-026 last message repeated 5 times
Sep 21 14:23:07 thy-ws-026 /bsd: error: [drm:pid36888:radeon_dvi_detect] 
*ERROR* HDMI-A-1: probed a monitor but no|invalid EDID


So to go ahead I decided to add a new video card (ATI Radeon 9200) to be
able to plug in the third screen. But I don't know how to handle and manage
the second video card with xrandr.


Is there any solution to use 3 screens connected to two different video
cards?



Here is the info about my cards from the dmesg.

radeondrm0: 1280x1024, 32bpp
wsdisplay0 at radeondrm0 mux 1: console (std, vt100 emulation), using 
wskbd0

wskbd1: connecting to wsdisplay0
wskbd2: connecting to wsdisplay0
wsdisplay0: screen 1-5 added (std, vt100 emulation)
radeondrm1: 1024x768, 32bpp
wsdisplay1 at radeondrm1
wsdisplay1: screen 0-5 added (std, vt100 emulation)
wsdisplay0: screen 6 added (std, vt100 emulation)


This is the output of pcidump

Domain /dev/pci0:
 0:0:0: Intel X58 Host
 0:1:0: Intel X58 PCIE
 0:3:0: Intel X58 PCIE
 0:7:0: Intel X58 PCIE
 0:16:0: Intel X58 QuickPath
 0:16:1: Intel X58 QuickPath
 0:17:0: Intel X58 QuickPath
 0:17:1: Intel X58 QuickPath
 0:20:0: Intel X58 Misc
 0:20:1: Intel X58 GPIO
 0:20:2: Intel X58 RAS
 0:21:0: Intel unknown
 0:22:1: Intel X58 QuickData
 0:22:2: Intel X58 QuickData
 0:22:3: Intel X58 QuickData
 0:22:4: Intel X58 QuickData
 0:22:5: Intel X58 QuickData
 0:22:6: Intel X58 QuickData
 0:22:7: Intel X58 QuickData
 0:26:0: Intel 82801JI USB
 0:26:1: Intel 82801JI USB
 0:26:2: Intel 82801JI USB
 0:26:7: Intel 82801JI USB
 0:27:0: Intel 82801JI HD Audio
 0:28:0: Intel 82801JI PCIE
 0:28:5: Intel 82801JI PCIE
 0:29:0: Intel 82801JI USB
 0:29:1: Intel 82801JI USB
 0:29:2: Intel 82801JI USB
 0:29:7: Intel 82801JI USB
 0:30:0: Intel 82801BA Hub-to-PCI
 0:31:0: Intel 82801JIR LPC
 0:31:2: Intel 82801JI SATA
 0:31:5: Intel 82801JI SATA
 1:0:0: Broadcom BCM5764
 15:0:0: ATI Radeon HD 5450
 15:0:1: ATI Radeon HD 5470 Audio
 55:5:0: AT&T/Lucent FW322 1394
 55:9:0: ATI Radeon 9200 SE Sec
 63:0:0: Intel unknown
 63:0:1: Intel unknown
 63:2:0: Intel unknown
 63:2:1: Intel unknown
 63:3:0: Intel unknown
 63:3:1: Intel unknown
 63:3:4: Intel unknown
 63:4:0: Intel unknown
 63:4:1: Intel unknown
 63:4:2: Intel unknown
 63:4:3: Intel unknown
 63:5:0: Intel unknown
 63:5:1: Intel unknown
 63:5:2: Intel unknown
 63:5:3: Intel unknown
 63:6:0: Intel unknown
 63:6:1: Intel unknown
 63:6:2: Intel unknown
 63:6:3: Intel unknown


When the HDMI port is up
$ xrandr -d :0
Screen 0: minimum 320 x 200, current 2560 x 1024, maximum 8192 x 8192
HDMI-0 connected primary 1280x1024+0+0 (normal left inverted right x 
axis y axis) 380mm x 300mm

   1280x1024 60.02*+
   1920x1080 60.00    59.94
   1280x960  60.00
   1280x720  60.00    59.94
   1024x768  60.00
   800x600   60.32
   720x480   60.00    59.94
   640x480   60.00    59.94
   720x400   70.08
DVI-0 connected 1280x1024+0+0 (normal left inverted right x axis y axis) 
380mm x 300mm

   1280x1024 60.02*+
   1280x960  60.00
   1024x768  60.00
   800x600   60.32
   640x480   60.00
   720x400   70.08
VGA-0 connected 1280x1024+1280+0 (normal left inverted right x axis y 
axis) 380mm x 300mm

   1280x1024 60.02*+
   1280x960  60.00
   1024x768  60.00
   800x600   60.32
   640x480   60.00
   720x400   70.08

and when it's down:
$ xrandr -d :0
Screen 0: minimum 320 x 200, current 2560 x 1024, maximum 8192 x 8192
HDMI-0 disconnected primary 1280x1024+0+0 (normal left inverted right x 
axis y axis) 0mm x 0mm
DVI-0 connected 1280x1024+0+0 (normal left inverted right x axis y axis) 
380mm x 300mm

   1280x1024 60.02*+
   1280x960  60.00
   1024x768  60.00
   800x600   60.32
   640x480   60.00
   720x400   70.08
VGA-0 connected 1280x1024+1280+0 (normal left inverted right x axis y 
axis) 380mm x 300mm

   1280x1024 60.02*+
   1280x960  60.00
   1024x768  60.00
   800x600   60.32
   640x480   60.00
   720x400   70.08

If you need more information, tell me. Or just po

Re: relayd https relay

2017-09-21 Thread trondd
On Thu, September 21, 2017 8:25 am, rosjat wrote:
> I try to figure out the ca file option mentioned by ronan maybe this is
> some kind of option here.
>

Using 'ca file' means you have to decrypt the SSL connection from the
clients with relayd then re-encrypt from relayd to the web servers. 
Clients will only see relayd's SSL certificate.  Originally you said you
want to use a different cert for each web site.

What CA signs the web server certificates?  There was a bug, I don't know
if it got fixed, in relayd that you can't use a big file of CAs for the
'ca file', the imsg was not chunked and if the file is too big, relayd
will fail to start the relay.  Take the CA cert that signed the web server
certificates and put that into a file and reference that file like 'ca
file "/etc/ssl/webca.pem"'

> Am 21.09.2017 um 14:11 schrieb trondd:
>> On Thu, September 21, 2017 3:49 am, rosjat wrote:
>>> Hi,
>>>
>>> so I added the with tls keywords to the relay and my webserver gets
>>> requests now but from my relayhost and this is making the way back quite
>>> hard :(
>>>
>>> so I added the X Headers for Forwarded-For and Forwarded-By but it still
>>> leaves the question how to tell the relayhost to just let it all out
>>> like in a normal rdr-to rule in pf? Like I said pf rule just works fine
>>> so the traffic can go through all the interfaces just fine.
>>>
>>> regards
>>>
>>> Markus
>>>
>>
>> You can't do what you want with a layer 7 relay in relayd.  Redirect
>> rules
>> in pf work because pf doesn't know or care about DNS host names.
>>
>> Because you are using SSL, once you need to make decisions based on the
>> host, you have two options:
>>
>> A relay server that supports SNI so it can see the Host and forward to
>> the
>> right server.  Or terminating the SSL encryption at the relay server so
>> you can read the unencrypted host value.
>>
>> Option 2 is required for relayd as it does not support SNI.  But that
>> means the relay server holds the SSL certificate.  You can only have 1
>> certificate per IP and port.  If you want to use individual certs for
>> each
>> web site, you're stuck.  You either need to use different ports, which
>> is
>> typically a non-starter for web sites, or put multiple IPs on the relay
>> box.
>>
>> If security between the relay server and web servers is necessary (don't
>> trust someone else's network, and if possible, don't trust your own) you
>> can re-encrypt the communication from relayd and the web server but
>> it'll
>> be relayd using the web server certificate, not the user.
>>





Re: Problem IPSEC phase 2

2017-09-21 Thread Christiano Liberato
Hi,

In the link below are the client screens with the settings.
http://189.6.44.103:8080/


Does anyone on the list use this McAfee Stonesoft?

Thanks!!

2017-09-20 17:27 GMT-03:00 Christiano Liberato :

> More information:
>
> The customer uses Mcafee Stonesoft.
> Phase 1
> main auth hmac-md5 enc 3des group modp1024 lifetime 86400
>
> Phase 2
> quick auth hmac-md5 enc 3des group modp1024 lifetime 3600
>
> psk 
>
> Errors in the messages
>
> Sep 20 17:25:09 gw isakmpd[14702]: message_recv: cleartext phase 2 message
> Sep 20 17:25:09 gw isakmpd[14702]: dropped message from ip_client port 500
> due to notification type INVALID_FLAGS
> Sep 20 17:25:16 gw isakmpd[14702]: message_recv: invalid cookie(s)
> 385f90768ec871e1 928fe1b941afcfe4
> Sep 20 17:25:16 gw isakmpd[14702]: dropped message from ip_client port 500
> due to notification type INVALID_COOKIE
> Sep 20 17:25:25 gw isakmpd[14702]: message_recv: invalid cookie(s)
> 385f90768ec871e1 059208ff39accc6d
> Sep 20 17:25:25 gw isakmpd[14702]: dropped message from ip_client port 500
> due to notification type INVALID_COOKIE
> Sep 20 17:25:36 gw isakmpd[14702]: transport_send_messages: giving up on
> exchange peer-ip_client, no response from peer ip_client:500
>
> 2017-09-18 11:30 GMT-03:00 Christiano Liberato <
> christianoliber...@gmail.com>:
>
>> Hi,
>>
>> I've been trying for days to close a tunnel with a client and I cannot.
>> Logs always appear:
>>
>> message_recv: cleartext phase 2 message
>> dropped message from ipcliente port 500 due to notification type
>> INVALID_FLAGS
>> transport_send_messages: giving up on exchange peer-ipcliente, no
>> response from peer ipcliente:500
>>
>> I've been looking a lot on the internet and so far no solution. They just
>> ask to restart the tunnel on both sides.
>> On my side, I use openbsd 6.1.
>> Has anyone seen this error?
>>
>> Thanks!!
>>
>
>


Re: relayd https relay

2017-09-21 Thread rosjat
I try to figure out the ca file option mentioned by Ronan; maybe this is
some kind of option here.


On 21.09.2017 at 14:11, trondd wrote:
> On Thu, September 21, 2017 3:49 am, rosjat wrote:
>> Hi,
>>
>> so I added the with tls keywords to the relay and my webserver gets
>> requests now but from my relayhost and this is making the way back quite
>> hard :(
>>
>> so I added the X Headers for Forwarded-For and Forwarded-By but it still
>> leaves the question how to tell the relayhost to just let it all out
>> like in a normal rdr-to rule in pf? Like I said pf rule just works fine
>> so the traffic can go through all the interfaces just fine.
>>
>> regards
>>
>> Markus
>>
>
> You can't do what you want with a layer 7 relay in relayd.  Redirect rules
> in pf work because pf doesn't know or care about DNS host names.
>
> Because you are using SSL, once you need to make decisions based on the
> host, you have two options:
>
> A relay server that supports SNI so it can see the Host and forward to the
> right server.  Or terminating the SSL encryption at the relay server so
> you can read the unencrypted host value.
>
> Option 2 is required for relayd as it does not support SNI.  But that
> means the relay server holds the SSL certificate.  You can only have 1
> certificate per IP and port.  If you want to use individual certs for each
> web site, you're stuck.  You either need to use different ports, which is
> typically a non-starter for web sites, or put multiple IPs on the relay
> box.
>
> If security between the relay server and web servers is necessary (don't
> trust someone else's network, and if possible, don't trust your own) you
> can re-encrypt the communication from relayd and the web server but it'll
> be relayd using the web server certificate, not the user.







ikev2 on 6.1 not working with RSA keys (generated by the machine)

2017-09-21 Thread Doros Eracledes

Hello misc!

Just posting in case someone else has come across this problem and save them 
some time.

I've been trying to get ikev2 to work between two 6.1 machines to replace our 
isakmpd + ipsec setup and was getting nowhere.

the iked man page says:

   iked supports mutual authentication using RSA or ECDSA public keys and
X.509 certificates.  See the PUBLIC KEY AUTHENTICATION section below and
PKI AND CERTIFICATE AUTHORITY COMMANDS in ikectl(8) for more information
about creating and maintaining the public key infrastructure.

but as I found out it does not work with the RSA keys generated on first boot (even if you delete them and reboot to re-create them).

To be clear, the keys I refer to are /etc/iked/local.pub and /etc/iked/private/local.key.

And the relevant part from /etc/rc 

# grep iked /etc/rc
# Generate keys for isakmpd, iked and sshd if they don't exist yet.

   local _iked_key=/etc/iked/private/local.key
   local _iked_pub=/etc/iked/local.pub
   echo -n "openssl: generating isakmpd/iked RSA keys... "
   if [[ ! -f $_iked_key ]]; then
   cp $_isakmpd_key $_iked_key
   chmod 600 $_iked_key
   cp $_isakmpd_pub $_iked_pub
start_daemon iscsid isakmpd iked sasyncd ldapd npppd

The error I was getting was: 
ikev2_recv: IKE_SA_INIT request from initiator aa.aa.aa.aa:500 to bb.bb.bb.bb:500 policy 'policy6' id 0, 510 bytes

ikev2_msg_send: IKE_SA_INIT response from bb.bb.bb.bb:500 to aa.aa.aa.aa:500 
msgid 0, 451 bytes
ikev2_recv: IKE_AUTH request from initiator aa.aa.aa.aa:500 to bb.bb.bb.bb:500 
policy 'policy6' id 1, 784 bytes
ikev2_dispatch_cert: peer certificate is invalid
ikev2_msg_send: IKE_AUTH response from bb.bb.bb.bb:500 to aa.aa.aa.aa:500 msgid 
1, 80 bytes

I then deleted the keys and generated new ECDSA keys:

openssl ecparam -name secp256k1 -out local.key -genkey  -> place that under /etc/iked/private/local.pub 

openssl ec -in local.key -pubout > local.pub and place it under /etc/iked/local.pub 
and the public key 
openssl ec -in local.key -pubout > local.pub and place that under /etc/iked/local.pub 

copy the public keys on hostA and hostB under /etc/iked/pubkeys/ipv4/aa.aa.aa.aa and /etc/iked/pubkeys/ipv4/bb.bb.bb.bb accordingly 


started iked -dv (manually to help me debug) on both nodes and can see from the 
output that it worked:

# iked -dv
ikev2 "hostA" active esp inet from aa.aa.aa.aa to bb.bb.bb.bb local aa.aa.aa.aa peer 
bb.bb.bb.bb ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth 
hmac-sha2-256,hmac-sha1 group modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth 
hmac-sha2-256,hmac-sha1 srcid aa.aa.aa.aa dstid bb.bb.bb.bb lifetime 10800 bytes 536870912 ecdsa256 
tag "ipsec_tag"

ikev2_recv: IKE_SA_INIT request from initiator bb.bb.bb.bb:500 to 
aa.aa.aa.aa:500 policy 'hostA' id 0, 510 bytes
ikev2_msg_send: IKE_SA_INIT response from aa.aa.aa.aa:500 to bb.bb.bb.bb:500 
msgid 0, 451 bytes

ikev2_recv: IKE_AUTH request from initiator bb.bb.bb.bb:500 to aa.aa.aa.aa:500 
policy 'hostA' id 1, 384 bytes
ikev2_msg_send: IKE_AUTH response from aa.aa.aa.aa:500 to bb.bb.bb.bb:500 msgid 
1, 336 bytes
sa_state: VALID -> ESTABLISHED from bb.bb.bb.bb:500 to aa.aa.aa.aa:500 policy 
'hostA'


and the ipsecctl -sa output (trimmed)

# ipsecctl -sa
FLOWS:
flow esp in from aa.aa.aa.aa to bb.bb.bb.bb peer aa.aa.aa.aa srcid 
IPV4/bb.bb.bb.bb dstid IPV4/aa.aa.aa.aa type use
flow esp out from bb.bb.bb.bb to aa.aa.aa.aa peer aa.aa.aa.aa srcid 
IPV4/bb.bb.bb.bb dstid IPV4/aa.aa.aa.aa type require
flow esp out from ::/0 to ::/0 type deny

SAD:
esp tunnel from bb.bb.bb.bb to aa.aa.aa.aa spi 0x5f6fd9cc auth hmac-sha2-256 
enc aes-256
esp tunnel from aa.aa.aa.aa to bb.bb.bb.bb spi 0xa8a4dd4c auth hmac-sha2-256 
enc aes-256


I hope this will help someone and of course let me know if I missed something 
obvious.

Cheers 
Doros Eracledes
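An added example, not Doros's own commands: the same key-generation and staging steps as a script that writes the files under a staging prefix (an assumption; use / on the real gateway), creates the private key at mode 600 from the start, and checks that local.pub really is the public half of local.key before it is copied into the peer's /etc/iked/pubkeys/ipv4/<address>. The curve defaults to the one used above; the peer address in the demonstration is a documentation placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: generate an ECDSA key pair for iked(8)
# public-key authentication and stage the files under the paths named in the
# thread (/etc/iked/private/local.key, /etc/iked/local.pub,
# /etc/iked/pubkeys/ipv4/<peer>). ROOT is an assumed staging prefix so the
# script can run anywhere; pass / on the real gateway.

# gen_iked_ecdsa_keys ROOT [CURVE]
gen_iked_ecdsa_keys() {
    root=${1:-./iked-staging}
    curve=${2:-secp256k1}            # curve used in the thread; override with $2
    keydir=$root/etc/iked/private
    mkdir -p "$keydir" "$root/etc/iked/pubkeys/ipv4"
    # Private key: written under a restrictive umask so it is never readable by
    # others, even briefly, then pinned to mode 600 as /etc/rc does for its keys.
    (umask 077 && openssl ecparam -name "$curve" -genkey -noout -out "$keydir/local.key")
    chmod 600 "$keydir/local.key"
    # Public half, derived from the private key; this is the file given to peers.
    openssl ec -in "$keydir/local.key" -pubout -out "$root/etc/iked/local.pub" 2>/dev/null
    chmod 644 "$root/etc/iked/local.pub"
}

# pubkey_matches_key PRIVATE_KEY PUBLIC_KEY
# Return 0 when PUBLIC_KEY is exactly the public half of PRIVATE_KEY, so a
# stale or mixed-up local.pub is caught before it is distributed.
pubkey_matches_key() {
    [ "$(openssl ec -in "$1" -pubout 2>/dev/null)" = "$(cat "$2")" ]
}

# install_peer_pubkey ROOT PUBFILE PEER_IPV4
# Place a peer's public key where iked looks it up for an IPv4 peer ID.
install_peer_pubkey() {
    root=$1
    pubfile=$2
    peer=$3
    install -m 644 "$pubfile" "$root/etc/iked/pubkeys/ipv4/$peer"
}

# Stand-alone demonstration in a throwaway prefix (peer address is a
# documentation placeholder); the pub key is installed as if received from
# a peer at 192.0.2.1.
demo() {
    d=$(mktemp -d)
    gen_iked_ecdsa_keys "$d"
    pubkey_matches_key "$d/etc/iked/private/local.key" "$d/etc/iked/local.pub" &&
        echo "local.pub matches local.key"
    install_peer_pubkey "$d" "$d/etc/iked/local.pub" 192.0.2.1
    ls -l "$d/etc/iked/private/local.key" "$d/etc/iked/pubkeys/ipv4/192.0.2.1"
    rm -rf "$d"
}
```

On the real hosts, hostA's local.pub goes to hostB as /etc/iked/pubkeys/ipv4/aa.aa.aa.aa and vice versa, as described above; the private key never leaves the host that generated it, and the mode check is what keeps it that way in practice.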




Re: relayd https relay

2017-09-21 Thread trondd
On Thu, September 21, 2017 3:49 am, rosjat wrote:
> Hi,
>
> so I added the with tls keywords to the relay and my webserver gets
> requests now but from my relayhost and this is making the way back quite
> hard :(
>
> so I added the X Headers for Forwarded-For and Forwarded-By but it still
> leaves the question how to tell the relayhost to just let it all out
> like in a normal rdr-to rule in pf? Like I said pf rule just works fine
> so the traffic can go through all the interfaces just fine.
>
> regards
>
> Markus
>

You can't do what you want with a layer 7 relay in relayd.  Redirect rules
in pf work because pf doesn't know or care about DNS host names.

Because you are using SSL, once you need to make decisions based on the
host, you have two options:

A relay server that supports SNI so it can see the Host and forward to the
right server.  Or terminating the SSL encryption at the relay server so
you can read the unencrypted host value.

Option 2 is required for relayd as it does not support SNI.  But that
means the relay server holds the SSL certificate.  You can only have 1
certificate per IP and port.  If you want to use individual certs for each
web site, you're stuck.  You either need to use different ports, which is
typically a non-starter for web sites, or put multiple IPs on the relay
box.

If security between the relay server and web servers is necessary (don't
trust someone else's network, and if possible, don't trust your own) you
can re-encrypt the communication from relayd and the web server but it'll
be relayd using the web server certificate, not the user.



Re: relayd multiple values in match rules ?

2017-09-21 Thread rosjat

Ok it seems I got myself a bit mixed up with the wildcard problem.

I tested *.domain.tld and didn't get it to work, but it seems *domain.tld
does the trick.


So this one seems to be solved :)

Regards

Markus

On 21.09.2017 at 11:59, rosjat wrote:
> Hi there,
>
> in my battle with relayd I noticed that a line like
>
> match request quick header "Host" value "domain.tld" forward to 
>
> works perfectly for a request like http://domain.tld but breaks on
> http://www.domain.tld
>
> So I can add a new rule like
>
> match request quick header "Host" value "www.domain.tld" forward to 
>
> and I'm good for the www part but it gets kinda silly if I have to add
> more requests. So basic question, because I didn't see it in the
> examples, is it possible to write something like
>
> match request quick header "Host" value "*.domain.tld" forward to 
>
> or at least
>
> match request quick header "Host" value {"domain.tld" "www.domain.tld"}
> forward to 
>
> Regards


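An added illustration, not from Markus or from the relayd project, of the matching behaviour reported above. sh case patterns follow fnmatch(3)-style globbing, under which "*.domain.tld" requires a dot in front of "domain.tld" and so misses the bare name, while "*domain.tld" matches it; that relayd's value match follows the same rules is an assumption here, though the reported behaviour is consistent with it. The point worth taking away is the cost of the shortcut: "*domain.tld" also accepts any name that merely ends in "domain.tld", so the safer configuration keeps the bare name and the "*.domain.tld" pattern as two separate rules. The host list below is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: how a leading wildcard behaves under
# sh case-pattern (fnmatch-style) globbing. Whether relayd's `value` match
# uses exactly these rules is an assumption.

# host_matches PATTERN HOST: return 0 if HOST matches the glob PATTERN.
host_matches() {
    case $2 in
        $1) return 0 ;;
        *)  return 1 ;;
    esac
}

# Constructed Host header values, including one that merely ends in
# "domain.tld" and one that only starts with it.
SAMPLE_HOSTS='domain.tld
www.domain.tld
mail.domain.tld
otherdomain.tld
domain.tld.example'

# hosts_accepted PATTERN: print every sample host the pattern accepts.
hosts_accepted() {
    pattern=$1
    printf '%s\n' "$SAMPLE_HOSTS" | while IFS= read -r h; do
        if host_matches "$pattern" "$h"; then
            printf '%s\n' "$h"
        fi
    done
}

# The narrow alternative: the bare name and its subdomains as two explicit
# patterns, which is what two separate match rules would express. It covers
# what "*domain.tld" covers minus the unrelated "otherdomain.tld".
hosts_accepted_strict() {
    printf '%s\n' "$SAMPLE_HOSTS" | while IFS= read -r h; do
        if host_matches 'domain.tld' "$h" || host_matches '*.domain.tld' "$h"; then
            printf '%s\n' "$h"
        fi
    done
}

# Stand-alone demonstration: compare the three variants side by side.
demo() {
    for p in '*.domain.tld' '*domain.tld'; do
        echo "pattern $p accepts:"
        hosts_accepted "$p" | sed 's/^/  /'
    done
    echo "strict (domain.tld + *.domain.tld) accepts:"
    hosts_accepted_strict | sed 's/^/  /'
}
```

Run demo to see the difference: "*.domain.tld" drops the bare name, "*domain.tld" picks up otherdomain.tld as well, and the strict pair accepts exactly domain.tld and its subdomains.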




relayd multiple values in match rules ?

2017-09-21 Thread rosjat

Hi there,

in my battle with relayd I noticed that a line like

match request quick header "Host" value "domain.tld" forward to 

works perfectly for a request like http://domain.tld but breaks on
http://www.domain.tld

So I can add a new rule like

match request quick header "Host" value "www.domain.tld" forward to 



and I'm good for the www part but it gets kinda silly if I have to add
more requests. So basic question, because I didn't see it in the
examples, is it possible to write something like


match request quick header "Host" value "*.domain.tld" forward to 



or at least

match request quick header "Host" value {"domain.tld" "www.domain.tld"} 
forward to 



Regards





Re: raid and crypto file system

2017-09-21 Thread Stuart Henderson
On 2017-09-20, Friedrich Locke  wrote:
> My question is:
>
> I would like to use hardware raid disks with disk encryption. Is that
> possible ? Since the disk raid appears transparently to the OS.
>
> Is that possible ?

Yes.



Re: relayd https relay

2017-09-21 Thread rosjat

Hi,

so I added the with tls keywords to the relay and my webserver gets
requests now but from my relayhost and this is making the way back quite
hard :(


so I added the X Headers for Forwarded-For and Forwarded-By but it still
leaves the question how to tell the relayhost to just let it all out
like in a normal rdr-to rule in pf? Like I said pf rule just works fine
so the traffic can go through all the interfaces just fine.


regards

Markus

On 21.09.2017 at 08:27, rosjat wrote:
> Hi there,
>
> ok I tried the with tls option and I can at least see relayd tries to
> send the request to the webserver. I still can't get a proper response
> from the webserver. When I do a simple rdr-to rule in pf it just works.
>
> Do I need to do some magic that I miss still?
>
> Regards
>
> Markus
>
> On 21.09.2017 at 07:19, rosjat wrote:
>> Hi Ronan,
>>
>> thanks for the hint I'll give it a try!
>>
>> regards
>>
>> Markus
>>
>> On 20.09.2017 at 21:30, Ronan Viel wrote:
>>> Hi,
>>> This kind of config works perfectly on my box. I am not sure SNI has
>>> something to do here as relayd terminates the https connection, gets
>>> all the headers and reopens a new one.
>>>
>>> I just think you forgot the "with tls" in your forward directive below:
>>>
>>> relay "proxyssl" {
>>>     listen on $gateway  port https
>>>     protocol "httpproxy"
>>>
>>>     forward with tls to   port https
>>> }
>>>
>>> Do not forget to set a "ca file" in your protocol section if you want
>>> relayd to check the certificate of your target's server (see
>>> relayd.conf man).
>>>
>>>
>>> Ronan











remotely attached tmux vs X

2017-09-21 Thread Jan Stary
This is current/amd64, but I don't think it makes a difference.

I work in a tmux session opened in an xterm, as people do.
I read email, run some shell commands, and run some X apps
from the tmux command line, such as launch mupdf to view the PDF
I have just compiled from a TeX source. All works fine.

Then I go home, log in remotely to my work machine,
and reattach the tmux session to read more work email.
All works fine.

The next day at work, I cannot launch X apps from the tmux session.
Looking at the environment, I see that DISPLAY and WINDOWID are
no longer present in env(1) run from the tmux shell.

Is this intentional? I suppose tmux resets DISPLAY and WINDOWID
when I reattach the tmux session remotely. My speculation is that
they are not set back, and that's why X apps can no longer be launched.

Jan