Re: 6.3 router crash
> On Sep 8, 2018 11:27 AM, Jay Hart wrote:
>>
>> Hello,
>>
>> My new router crashed this morning. About 4-5 days ago I ran 'syspatch'
>> and think that 14, 15, and 16 patches were installed. At the conclusion
>> of the install, the kernel "relinked". No issues reported. I did not
>> reboot the box.
>>
>> Today, while trying to combat that duplicate IP address issue, I rebooted
>> the box. Upon startup it dropped into the debugger. Did another reboot
>> just to see if that was a one-off, but it dropped into the debugger again.
>>
>> Standard 6.3 release machine. Not following current or snapshots...
>>
>> I've attached a pic below of the screen. It's all I've got right now. I
>> have to disable inteldrm to get the box to boot [normally]. I have an old
>> thread about that.
>>
>> www.kevla.org/6.3crash.jpg
>>
>> Any suggestions or processes to try? I've never been in this boat, no idea
>> what to do...
>>
>> Thanks,
>>
>> Jay
>>
>
> Maybe you can boot single user and try syspatch -R.
>
> boot> boot -s
>
> # syspatch -R
> # reboot
>
> If that fixes it you could then possibly apply one patch at a time via source
> until you find what hosed it and report that to tech@.
>

I tried that. Same thing, gets to the line shown in my original email pic, and drops down into the debugger.

Jay
IKED not sending packets ?
Hi,

Thinking it might be something with my earlier config, I created a simple one-liner:

ikev2 esp from 172.16.1.2 to 172.16.1.3

However iked does not appear to be sending out any packets? Which I thought would be the case in its default active mode? It seems to just load the config and then sit there doing nothing?

$ doas iked -dvvv
ikev2 "policy1" passive esp inet from 172.16.1.2 to 172.16.1.3 local 172.16.1.2 peer 172.16.1.3 ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 lifetime 10800 bytes 536870912 rfc7427
/etc/iked.conf: loaded 1 configuration rules
ca_privkey_serialize: type ECDSA length 171
ca_pubkey_serialize: type ECDSA length 124
config_getpolicy: received policy
config_getpfkey: received pfkey fd 3
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 6
config_getsocket: received socket fd 7
config_getmobike: no mobike
ca_privkey_to_method: type ECDSA method ECDSA_384
ca_getkey: received private key type ECDSA length 171
ca_getkey: received public key type ECDSA length 124
ca_dispatch_parent: config reset
ca_reload: local cert type ECDSA
config_getocsp: ocsp_url none
ikev2_dispatch_cert: updated local CERTREQ type ECDSA length 0
Re: IKED "not a valid authentication mode"
> Note that this isn't commenting a line, this is commenting all lines
> that come after it. The parser joins the line first and removes
> comments afterwards, so the config above becomes
>
> ... group curve22519 #childsa enc aes-128 auth hmac-sha2-256 srcid ...
>
> and then everything after the # is ignored. As someone pointed out the
> error is at ikeauth. The error goes away because that line is
> commented out, as are the three that precede it.
>
> You have no idea how many hours I wasted trying to make sense of why
> some configuration changes seemed to have no effect whatsoever, before I
> learned about this. Incidentally, pf.conf uses the same parser, so it
> behaves the same.
>
> Cheers
> Zé

Zé, wow. That's one handy piece of advice. As you say, it could save hours and days of wasted time. Thank you.
Re: Running your own mail server
On 09-10 13:30, Craig Skinner wrote:
> Being a postmaster (email server administrator) and hostmaster (DNS
> server administrator) is fun, hectic, and takes about 5 years to learn.
> []
> Save yourself the trouble and let them use their gMail
> accounts/addresses directly. They'll soon be getting Android or Apple
> phones, so let them use their Google/Apple accounts themselves.
>

Some good points. One could also use a different provider just for mail (pop or webmail) instead of google, if one wants to keep from centralizing more power there. (One example among many is pair.com, for webmail, DNS, domain, some hosting but not OpenBSD that I know of, unless you get a virtual private server).
Re: APU2 and Spectre
> Message written by Consus on 25.08.2018, at 17:08:
>
> > Seems like APU2 board is vulnerable to Spectre:

Seems there is a microcode update with mitigations, but it looks like no one wants to claim where that microcode comes from:

https://github.com/pcengines/apu2-documentation/issues/75

Did someone try to load it from obsd? Is it possible?

_
Zbyszek Żółkiewski
Re: Equipment for OBSD based firewall
On 09/10/18 08:22, Sonic wrote:
> How does the Edgerouter compare in performance to an Atom 2358/2558 based
> system? Especially interested in firewall performance using site-to-site VPN's.

There's trade-offs for everything. The x86 platform is fundamentally flawed and contains innumerable backdoors and vulnerabilities. The C2000 chip series has issues with hardware/circuit degradation. On MIPS64 the mmu lacks support for W^X and the pmap module only supports 32 bit mappings resulting in weaker ASLR; there's also no rtc on octeon.

In terms of performance, I've found the Edgerouter Pro to be able to handle half a gigabit of traffic no problem. I've never owned an APU / soekris device to compare the performance to. Obviously a 2 or 3 Ghz x86 machine is going to push more packets through sheer brute force, but for the average home or office connection, there will be no difference unless you're among the lucky few with a synchronous gigabit connection. For my clients or family/friends with their measly 30/5 or 80/8 connections, an ERL running fq_codel QoS runs great, and pulls less than 10 watts of power. Something like a soekris device would be unnecessary overkill. Even in situations where I was working with 100/100 or 250/250 connections, the ERPro handled it like a champ. A buddy of mine has been running a PowerMac G4 as an OpenBSD router/firewall for his 150/150 fibre connection for many years just because he doesn't like x86.

I've seen benchmarks of the early beta octeon IPsec hw acceleration being able to push around 50Mbit/s on an Edgerouter Lite. There should be better performance on the ERPro, but I have yet to see any benchmarks.
Re: IKED "not a valid authentication mode"
On 2018-09-10, Tim Jones wrote:
> Unless I misunderstand the 6.3 docs, the following should be valid :
> childsa auth enc chacha20-poly1305 group curve25519

For the AEAD types like chacha20-poly1305 and aes-256-gcm, just specify them in "enc" and leave out "auth".

> But I get an error "not a valid authentication mode". If I comment out that
> line, my configuration validates OK.
>
> The same happens if I copy/paste one of the examples from the docs (e.g.
> childsa enc aes-128 auth hmac-sha2-256 )
>
> This is what my /etc/iked.conf looks like (excluding the macro lines, which
> have been withheld to protect the innocent) :
>
> # MAIN CONFIG
> ikev2 esp from $local_subnet to $remote_subnet \
>         local $local_ip peer $remote_ip \
>         ikesa auth hmac-sha2-512 enc aes-256 prf hmac-sha2-512 group curve25519 \
>         #childsa enc aes-128 auth hmac-sha2-256\
>         srcid $local_ip dstid $remote_ip \
>         ikelifetime 4h lifetime 3h bytes 512M \
>         ikeauth ecdsa384

"ikeauth" isn't a keyword to be used in the file, it's something that is replaced with either "eap ", "ecdsa###", "psk ", etc.
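The two pitfalls in this thread (the parser joining backslash-continued lines before stripping "#" comments, as Zé explains, and "auth" combined with an AEAD cipher or a literal "ikeauth" token, as Stuart explains here) can be caught before reloading iked. The script below is an added example for this archive, not code from the thread, from iked or from OpenBSD: it models only the parsing order described in the replies and does not replicate iked's real grammar. The AEAD and HMAC name sets, the list of keywords that end an ikesa/childsa section, and the addresses in the sample config are assumptions made for the example.

```python
"""Model of iked.conf continuation/comment handling plus a lint for two pitfalls.

Added example: simplifications include not special-casing '#' inside quoted
strings, and the keyword sets below are assumptions, not iked's grammar.
"""

# Only chacha20-poly1305 and aes-256-gcm are named in the thread; the other
# GCM sizes are assumed from iked.conf(5).
AEAD_CIPHERS = {"chacha20-poly1305", "aes-128-gcm", "aes-192-gcm", "aes-256-gcm"}
HMAC_AUTH = {"hmac-md5", "hmac-sha1", "hmac-sha2-256", "hmac-sha2-384", "hmac-sha2-512"}
# Keywords assumed to end an ikesa/childsa transform section.
SECTION_END = {"ikesa", "childsa", "srcid", "dstid", "ikelifetime", "lifetime",
               "bytes", "psk", "rsa", "eap", "tag", "tap", "config", "iface"}

# Constructed sample mirroring the structure of the config in the thread;
# addresses are documentation ranges, not a real network.
SAMPLE_CONF = """\
ikev2 esp from 10.0.1.0/24 to 10.0.2.0/24 \\
    local 192.0.2.1 peer 198.51.100.1 \\
    ikesa auth hmac-sha2-512 enc aes-256 prf hmac-sha2-512 group curve25519 \\
    #childsa enc aes-128 auth hmac-sha2-256\\
    srcid 192.0.2.1 dstid 198.51.100.1 \\
    ikelifetime 4h lifetime 3h bytes 512M \\
    ikeauth ecdsa384
"""


def join_continuations(text):
    """Step 1 of the parser: glue backslash-continued lines into one logical line."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        logical.append((buf + line).strip())
        buf = ""
    if buf:
        logical.append(buf.strip())
    return logical


def strip_comment(line):
    """Step 2: drop everything from the first '#' to the end of the joined line."""
    return line.split("#", 1)[0].strip()


def effective_statements(text):
    """What the daemon actually sees: joined lines, comments removed, blanks dropped."""
    return [s for s in (strip_comment(l) for l in join_continuations(text)) if s]


def transform_sections(tokens):
    """Yield (section_name, tokens) for each ikesa/childsa block in a statement."""
    i = 0
    while i < len(tokens):
        if tokens[i] in ("ikesa", "childsa"):
            name, j = tokens[i], i + 1
            while j < len(tokens) and not (tokens[j] in SECTION_END or tokens[j].startswith("ecdsa")):
                j += 1
            yield name, tokens[i + 1:j]
            i = j
        else:
            i += 1


def lint(statement):
    """Return warnings for the two pitfalls raised in the thread."""
    warnings = []
    tokens = statement.split()
    if "ikeauth" in tokens:
        warnings.append("'ikeauth' is a placeholder in the manual, not a keyword: "
                        "write the mode itself (e.g. 'ecdsa384', 'psk ...', 'eap ...')")
    for name, body in transform_sections(tokens):
        for i, tok in enumerate(body):
            if tok == "auth":
                mode = body[i + 1] if i + 1 < len(body) else ""
                if mode not in HMAC_AUTH:
                    warnings.append(f"{name}: 'auth {mode}' is not a valid authentication mode")
            if tok == "enc" and i + 1 < len(body):
                if set(body[i + 1].split(",")) & AEAD_CIPHERS and "auth" in body:
                    warnings.append(f"{name}: AEAD cipher {body[i + 1]} already authenticates; drop 'auth'")
    return warnings


if __name__ == "__main__":
    for stmt in effective_statements(SAMPLE_CONF):
        print("effective statement:", stmt)
        print("warnings:", lint(stmt) or "none")
    print(lint("childsa auth enc chacha20-poly1305 group curve25519"))
```

Running it on the sample shows the effective statement stopping at "group curve25519": srcid, dstid, the lifetimes and the authentication mode are all silently dropped, which is why the "ikeauth" error vanished rather than being fixed. To disable an option inside a continued statement, delete the line instead of prefixing it with "#".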
Domain name including openbsd
Hi,

I was wondering if the OpenBSD community permits the usage of the "openbsd" word inside a domain name with the purpose of offering commercial OpenBSD-based services? For example let's say I want to sell OpenBSD-based cloud services, would I be allowed to purchase the domain name openbsd.cloud and use it to sell my OpenBSD-based cloud services?

Best regards,
John
Re: Equipment for OBSD based firewall
How does the Edgerouter compare in performance to an Atom 2358/2558 based system? Especially interested in firewall performance using site-to-site VPN's.

On Mon, Sep 3, 2018 at 8:01 PM Jordan Geoghegan wrote:
>
> On 09/03/18 16:17, Bogdan Kulbida wrote:
> > Ladies and gentlemen,
> >
> > I need to build a pf OBSD firewall for a small office. What minimally
> > feasible equipment would you recommend in order to achieve this goal?
> >
> > Thank you!
>
> I've run multiple office networks on octeon devices. I've found the
> Edgerouter and Edgerouter Pro to be quite performant. The Edgerouter Pro
> can easily handle a 100/100 connection or even a 250/250 connection. I
> like them because they're free of any spectre / fpu bugs as they use an
> in-order CPU. OpenBSD also supports hw accelerated IPsec on them. I've
> used them to run DHCP and DNS servers, used them heavily as jump
> hosts/proxies and also ran my unbound-adblock and pf-badhost scripts;
> with over 100,000 domains and IP/CIDR blocks being filtered while
> pushing dozens of terabytes in network traffic through them each month,
> they've proven to be rock solid. If you have modest needs, then an
> Edgerouter lite should suffice.
>
> Keep in mind, these are just my personal opinions, and I am biased. I
> can't stand the thought of having an x86 machine exposed on the open
> internet, much less trusting it to secure and segment my network. With
> spooky management engine shenanigans and hardware bugs abound, I'm just
> not interested in putting my faith in x86 again. Too much emotion, too
> much garbage.
>
> Cheers,
> Jordan
>
IKED "not a valid authentication mode"
Unless I misunderstand the 6.3 docs, the following should be valid :

childsa auth enc chacha20-poly1305 group curve25519

But I get an error "not a valid authentication mode". If I comment out that line, my configuration validates OK.

The same happens if I copy/paste one of the examples from the docs (e.g. childsa enc aes-128 auth hmac-sha2-256 )

This is what my /etc/iked.conf looks like (excluding the macro lines, which have been withheld to protect the innocent) :

# MAIN CONFIG
ikev2 esp from $local_subnet to $remote_subnet \
        local $local_ip peer $remote_ip \
        ikesa auth hmac-sha2-512 enc aes-256 prf hmac-sha2-512 group curve25519 \
        #childsa enc aes-128 auth hmac-sha2-256\
        srcid $local_ip dstid $remote_ip \
        ikelifetime 4h lifetime 3h bytes 512M \
        ikeauth ecdsa384
Re: Vultr hosting of OpenBSD
> On 8. Sep 2018, at 19:55, Ken M wrote:
...
> 1. Is it still current information that it would be better to use my own
> image/install/iso for openbsd on Vultr?
>

I’ve run general purpose OpenBSD boxes on Vultr for several years, mostly for development while travelling and without access to my basement stacks, each on -current (initially installed from OpenBSD FTP servers) and then upgraded every week or two using ramdisks from snapshots. I’ve never tried Vultr’s own baked images so I can’t comment on them. However, I’ve never had any problems maintaining my methodology in which both new installs as well as upgrades can be completed in a few minutes.

> 2. Is vultr a good place to host an openbsd box? If not interested in hearing
> alternatives.

Uptime can sometimes be unreliable (I run hosts from Vultr’s European locations only, mostly Amsterdam and Frankfurt), network “maintenance” being quite frequent. However, given that I am not using Vultr for critical services, I’m prepared to accept this minor irritation when weighed against cost. For important hosts that I rely upon for mail, OpenVPN, DNS, etc., I use Exoscale and find the slightly higher costs well worth it.

Kindly,
-Merv
Re: iked[12345]: pfkey_reply: no reply from PF_KEY (-current)
Yes, a short test shows no errors anymore. On Mon, Sep 10, 2018 at 10:39:56AM -0300, Martin Pieuchot wrote: > On 10/09/18(Mon) 12:15, Mark Patruck wrote: > > I've tested with a current snapshot and two freshly installed systems > > and get the same error, but... > > > > reverting mpi@s 'Add per-TDB counters and a new SADB extension (1)' > > changes make the issues disappear. > > > > (1) https://marc.info/?l=openbsd-cvs&m=153546931106420&w=2 > > Does the smaller revert below also fix the issue? > > Index: net/pfkeyv2.c > === > RCS file: /cvs/src/sys/net/pfkeyv2.c,v > retrieving revision 1.191 > diff -u -p -r1.191 pfkeyv2.c > --- net/pfkeyv2.c 31 Aug 2018 12:55:46 - 1.191 > +++ net/pfkeyv2.c 10 Sep 2018 13:39:01 - > @@ -793,8 +793,7 @@ pfkeyv2_get(struct tdb *tdb, void **head > void *p; > > /* Find how much space we need */ > - i = sizeof(struct sadb_sa) + sizeof(struct sadb_lifetime) + > - sizeof(struct sadb_x_counter); > + i = sizeof(struct sadb_sa) + sizeof(struct sadb_lifetime); > > if (tdb->tdb_soft_allocations || tdb->tdb_soft_bytes || > tdb->tdb_soft_timeout || tdb->tdb_soft_first_use) > @@ -955,9 +954,6 @@ pfkeyv2_get(struct tdb *tdb, void **head > export_tap(&p, tdb); > } > #endif > - > - headers[SADB_X_EXT_COUNTER] = p; > - export_counter(&p, tdb); > > rval = 0; > > -- Mark Patruck ( mark at wrapped.cx ) GPG key 0xF2865E51 / 187F F6D3 EE04 1DCE 1C74 F644 0D3C F66F F286 5E51 http://www.wrapped.cx
Re: iked[12345]: pfkey_reply: no reply from PF_KEY (-current)
On 10/09/18(Mon) 12:15, Mark Patruck wrote: > I've tested with a current snapshot and two freshly installed systems > and get the same error, but... > > reverting mpi@s 'Add per-TDB counters and a new SADB extension (1)' > changes make the issues disappear. > > (1) https://marc.info/?l=openbsd-cvs&m=153546931106420&w=2 Does the smaller revert below also fix the issue? Index: net/pfkeyv2.c === RCS file: /cvs/src/sys/net/pfkeyv2.c,v retrieving revision 1.191 diff -u -p -r1.191 pfkeyv2.c --- net/pfkeyv2.c 31 Aug 2018 12:55:46 - 1.191 +++ net/pfkeyv2.c 10 Sep 2018 13:39:01 - @@ -793,8 +793,7 @@ pfkeyv2_get(struct tdb *tdb, void **head void *p; /* Find how much space we need */ - i = sizeof(struct sadb_sa) + sizeof(struct sadb_lifetime) + - sizeof(struct sadb_x_counter); + i = sizeof(struct sadb_sa) + sizeof(struct sadb_lifetime); if (tdb->tdb_soft_allocations || tdb->tdb_soft_bytes || tdb->tdb_soft_timeout || tdb->tdb_soft_first_use) @@ -955,9 +954,6 @@ pfkeyv2_get(struct tdb *tdb, void **head export_tap(&p, tdb); } #endif - - headers[SADB_X_EXT_COUNTER] = p; - export_counter(&p, tdb); rval = 0;
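Review bot: the `@@ -793,8 +793,7 @@` hunk shrinks the buffer size `i` by `sizeof(struct sadb_x_counter)`, which is only safe because the second hunk also removes the matching `export_counter(&p, tdb)` write; the two hunks have to land together, since applying the size change alone would leave the export writing past what was sized for. Worth saying in the mail that the reply length iked receives is derived from `i`, so this is the part that changes what userland is asked to accept.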
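Review bot: in the `@@ -955,9 +954,6 @@` hunk, dropping `headers[SADB_X_EXT_COUNTER] = p;` leaves that header slot unset for `pfkeyv2_get()` replies only, whereas the revert Mark tested covered the whole per-TDB counter commit. Since the thread reports `pfkey_write: writev failed: Invalid argument` and `pfkey_reply: no reply from PF_KEY`, it would help to state whether any other path in this file still exports `SADB_X_EXT_COUNTER`, so a positive test result can be read as "the GET reply was the problem" rather than "this particular run did not hit the other path".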
Re: Duplicate IP Address -> Spoof/Verizon???
On 08-09-2018 at 14:47, Pierre Emeriaud wrote:
> On Sat 8 Sept 2018 at 13:40, Jay Hart wrote:
>> -ifconfig -A from the router--
>> re1: flags=8843 mtu 1500
>>         lladdr 00:22:4d:d1:48:d5
>>         inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.255
>
> Some CPEs have 192.168.1.1 hardcoded as management ip address, even though
> they are currently used as modem/bridges. Renumber your internal subnet to
> some other private address space and see if the logs go away.

I have seen a cheap managed switch from Zyxel that decided to live on 192.168.1.1 after a power cut... 192.168.1.1 is the default address on a lot of stuff.
Re: Running your own mail server
Hi Ken,

On Sat, 8 Sep 2018 11:23:35 -0400 Ken M wrote:
> Just curious how many of you use openbsd to run your own personal
> email server? Do you find it a hassle to manage in any way?

Being a postmaster (email server administrator) and hostmaster (DNS server administrator) is fun, hectic, and takes about 5 years to learn.

OpenBSD is the best OS for both tasks (I've worked for an ISP doing both roles, on other operating systems).

> Back story my family all has email addresses through the domain I
> have. Which basically will forward to a gmail account.

Save yourself the trouble and let them use their gMail accounts/addresses directly. They'll soon be getting Android or Apple phones, so let them use their Google/Apple accounts themselves.

> The kids are getting old enough to use their own accounts for
> things and not just through the school which sets them up with google
> accounts to use through their chromebook.

Let them use their Google account themselves.

> So my wife really doesn't like the idea of setting them loose on
> their own email accounts, and I don't necessarily disagree with her,
> but I disagree on the way to do it. In a gmail point of view all I
> can think of is shared passwords for the kids. I don't like that
> because first of all they could change it, second of all monitoring
> their email means literally reading their email.

What about their Google 'Hangout' instant messages? Or their Messenger/Facebook messages? Or their Twitter/Tumblr/Reddit/etc/etc/etc messages?

Why not let them grow up? They will soon mature and leave home anyway.

Are you going to be a permanent policeman/ISP in their adult lives??

If you want to become a hostmaster and postmaster for _yourself_, then do it. By the time you're skilled, your children could have left home.

Forget the wife & kids - don't be a slave to them man! Do what you want, for your own personal technical skills.

Are you more interested in being a sysadmin, webmaster, netadmin, hostmaster or postmaster? What do *YOU* want to do with your time?

Cheers,
--
Craig Skinner | http://linkd.in/yGqkv7
Re: iked[12345]: pfkey_reply: no reply from PF_KEY (-current)
I've tested with a current snapshot and two freshly installed systems and get the same error, but...

reverting mpi@s 'Add per-TDB counters and a new SADB extension (1)' changes makes the issues disappear.

(1) https://marc.info/?l=openbsd-cvs&m=153546931106420&w=2

On Mon, Sep 10, 2018 at 10:13:12AM +0200, Mark Patruck wrote:
> Unfortunately the last kernel I could test with is from 12 Aug 2018 -
> no issues here. I've also built a new kernel about 12h ago (just to
> make sure) but the error stays.
>
> Every few hours (lifetime?) the following error pops up
>
> pfkey_write: writev failed: Invalid argument
>
> I'll create an easier test setup and report back.
>
>
> On Sat, Sep 08, 2018 at 12:28:22PM +0200, Mark Patruck wrote:
> > Hi,
> >
> > is anyone else seeing the following message with -current?
> > (I've updated my 25 days old -current yesterday)
> >
> > iked[12345]: pfkey_reply: no reply from PF_KEY
> >
> > Also, "ipsecctl -m" looks pretty empty now:
> >
> >
> > sadb_get: satype esp vers 2 len 10 seq 2898 pid 12345
> > sa: spi 0xbe0128cf auth none enc none
> >         state mature replay 64 flags 0<>
> > address_src: 1.2.3.4
> > address_dst: 5.6.7.8
> > sadb_get: satype esp vers 2 len 10 seq 2899 pid 12345
> > sa: spi 0x24649f1c auth none enc none
> >         state mature replay 64 flags 0<>
> > address_src: 5.6.7.8
> > address_dst: 1.2.3.4
> >
> >
> > Thanks,
> >
> > -Mark
> >
> > --
> > Mark Patruck ( mark at wrapped.cx )
> > GPG key 0xF2865E51 / 187F F6D3 EE04 1DCE 1C74 F644 0D3C F66F F286 5E51
> >
> > http://www.wrapped.cx
> >
>
> --
> Mark Patruck ( mark at wrapped.cx )
> GPG key 0xF2865E51 / 187F F6D3 EE04 1DCE 1C74 F644 0D3C F66F F286 5E51
>
> http://www.wrapped.cx
>

--
Mark Patruck ( mark at wrapped.cx )
GPG key 0xF2865E51 / 187F F6D3 EE04 1DCE 1C74 F644 0D3C F66F F286 5E51

http://www.wrapped.cx
Re: iked[12345]: pfkey_reply: no reply from PF_KEY (-current)
Unfortunately the last kernel I could test with is from 12 Aug 2018 - no issues here. I've also built a new kernel about 12h ago (just to make sure) but the error stays.

Every few hours (lifetime?) the following error pops up

pfkey_write: writev failed: Invalid argument

I'll create an easier test setup and report back.

On Sat, Sep 08, 2018 at 12:28:22PM +0200, Mark Patruck wrote:
> Hi,
>
> is anyone else seeing the following message with -current?
> (I've updated my 25 days old -current yesterday)
>
> iked[12345]: pfkey_reply: no reply from PF_KEY
>
> Also, "ipsecctl -m" looks pretty empty now:
>
>
> sadb_get: satype esp vers 2 len 10 seq 2898 pid 12345
> sa: spi 0xbe0128cf auth none enc none
>         state mature replay 64 flags 0<>
> address_src: 1.2.3.4
> address_dst: 5.6.7.8
> sadb_get: satype esp vers 2 len 10 seq 2899 pid 12345
> sa: spi 0x24649f1c auth none enc none
>         state mature replay 64 flags 0<>
> address_src: 5.6.7.8
> address_dst: 1.2.3.4
>
>
> Thanks,
>
> -Mark
>
> --
> Mark Patruck ( mark at wrapped.cx )
> GPG key 0xF2865E51 / 187F F6D3 EE04 1DCE 1C74 F644 0D3C F66F F286 5E51
>
> http://www.wrapped.cx
>

--
Mark Patruck ( mark at wrapped.cx )
GPG key 0xF2865E51 / 187F F6D3 EE04 1DCE 1C74 F644 0D3C F66F F286 5E51

http://www.wrapped.cx
Re: "Transit" BGPD not announcing learnt routes to neighbors
> I think you are mixing up 6.3 code with docs for -current, this was
> changed mid-June:
> https://marc.info/?l=openbsd-cvs&m=152888243922828&w=2
>
> There have been big changes in bgpd since 6.3, there are now methods
> to give a simpler/clearer configuration, and some big improvements in
> performance especially when using some of the newer config. These are
> ongoing, especially this week as a network-focussed hackathon is
> currently taking place.
>
> If you aren't quite happy with how things work in 6.3 (especially for
> performance when filtering is used), I'd strongly recommend re-evaluating
> with -current in a week or so.

Thanks Stuart. Will bear that in mind.