Re: experience setting up a low memory machine

2020-02-14 Thread Noth
I wouldn't call 64Mb "small" for memory, it's tiny. Even 20 years ago 64 
wasn't really enough. The introduction of kernel relinking on boot has 
been noted since 6.5 (or was it 6.4?) to make tiny memory systems 
obsolete. They simply can't cope. Theo has noted he has other projects 
in the pipeline that will make that situation even worse. The only thing 
I can recommend is to stick to an older version of the OS and not use 
the machine for anything needing web browsing. It can still be a useful 
console terminal to headless devices, for example.


Good luck,

Noth



Re: strongSwan cannot install IPsec policies on OpenBSD

2020-02-14 Thread Stuart Henderson
On 2020-02-14, Peter Müller  wrote:
> Hello openbsd-misc,
>
> due to some flaws in OpenIKED, I am forced to use strongSwan as an IPsec 
> client on an
> OpenBSD 6.6 machine. While establishing an IKE_SA works fine, installing 
> policies for CHILD_SA
> fails (as expected):
>
>> unable to install IPsec policies (SPD) in kernel
>> failed to establish CHILD_SA, keeping IKE_SA
>
> To those who are running strongSwan as an IPsec client on OpenBSD: Which is 
> the best
> procedure in this case? Are there other methods of installing IPsec policies 
> into the
> kernel available?

strongSwan's module to install policies to the kernel (kernel-pfkey) does
not support OpenBSD without making code changes. Not impossible but hasn't
been done. Only their userland setup that works with tun(4) devices
(slightly confusingly called kernel-ipsec) is available.


> P.S.: In case anybody wonders about the "OpenIKED flaws", these are as 
> follows:
> (a) Restarting single connections is not possible
> (b) Dead Peer Detection is missing (I am aware of ifstated as a 
> "replacement", but since
> there seems to be no way of restarting a single IPsec connection, 
> restarting the whole
> iked daemon causes operational tunnels to crash)
> (c) IKE is missing AES-GCM support (while ESP does - not sure why this is)
> (d) Does not seem to support more than one private key

(e) no client side address-config
(f) doesn't work with intermediate certs
(plus some other missing things that would make life a lot easier, especially
punting EAP off to a radius server ;)

> Apart from that, I really appreciate OpenIKED especially for its 
> configuration file
> syntax, but unfortunately cannot use it primarily due to (a) and (d).



Re: Replace PF rule + inetd Proxy with 2 PF rules

2020-02-14 Thread Nick Gustas
On 2/14/2020 11:21 AM, Fabio Martins wrote:
> I am trying now only with the redirect to www.openbsd.org, if it works, I
> am sure it can be adapted to my case.
>
> Unfortunately still no success.
>
> # pf.conf:
>
> ext_if="xnf0"
>
> match in log on $ext_if proto tcp from any to ($ext_if) port 8099 tag RDR \
> rdr-to 129.128.5.194 port 80
>
> match out log on $ext_if proto tcp to 129.128.5.194 port 80 received-on \
> $ext_if nat-to $ext_if
>
> match out log quick on $ext_if inet all tagged RDR \
> nat-to $ext_if
>
> server_open="{ 80,110,443,25,587,465 }"
>
> pass in log on $ext_if inet proto tcp from any port 1024:65535 to $ext_if
> port $server_open tag n_traffic
>
> #block all to start
> block all
> pass quick tagged RDR
> pass quick tagged n_traffic
> pass out on $ext_if
>
>> On 2/14/2020 6:30 AM, Fabio Martins wrote:
>>> Hi Nick,
>>>
>>> Thanks. I applied both rules below, unfortunately I am still only
>>> hitting
>>> rule number #1 (rdr-to). nat-to is never reached (added "log" on each to
>>> test). I tried inverting the order, too, but no luck.
>>>
>>> #1
>>> match in on $ext_if proto tcp from  to ($ext_if) port 25 \
>>> rdr-to 200.200.200.200 port 
>>>
>>> #2
>>> match out on $ext_if proto tcp to 200.200.200.200 port  received-on
>>> \
>>> $ext_if nat-to ($ext_if)
>>>
>>> --
>>> Fabio Martins
>>
>> Odd, are you allowing the traffic with an appropriate pass rule later?
>>
>> I use tagging for rules related to rdr and nat to keep things simple,
>> here is the full working setup I used to bounce port 8099 on the
>> external interface to www.openbsd.org port 80.
>>
>> #Fun reverse redirection of www.openbsd.org
>> match in on $ext_if proto tcp from any to ($ext_if) port 8099 tag RDR
>> rdr-to 129.128.5.194 port 80
>> match out on $ext_if proto tcp to 129.128.5.194 port 80 received-on
>> $ext_if nat-to $ext_if
>>
>> #block all to start
>> block log all
>> pass quick tagged RDR
>> pass out on $ext_if
>>
>> Make sure you are testing from an external host of course.

Maybe a dumb question, but do you have net.inet.ip.forwarding=1 set?


tcpdump of a successful test connection:
c.c.c.c = remote test client on internet
r.r.r.r = firewall external IP

pf# tcpdump -ni vmx1 port 8099 or host 129.128.5.194
tcpdump: listening on vmx1, link-type EN10MB
14:34:09.270237 c.c.c.c.63091 > r.r.r.r.8099: S 3178148684:3178148684(0) 
win 64240  [tos 0x20]
14:34:09.270303 r.r.r.r.62530 > 129.128.5.194.80: S 
3178148684:3178148684(0) win 64240 8,nop,nop,sackOK> [tos 0x20]
14:34:09.342800 129.128.5.194.80 > r.r.r.r.62530: S 
3355699325:3355699325(0) ack 3178148685 win 16384 1460,nop,nop,sackOK,nop,wscale 6> (DF) [tos 0x20]
14:34:09.342830 r.r.r.r.8099 > c.c.c.c.63091: S 3355699325:3355699325(0) 
ack 3178148685 win 16384  [tos 0x20]

14:34:09.372450 c.c.c.c.63091 > r.r.r.r.8099: . ack 1 win 1026 [tos 0x20]
14:34:09.372461 c.c.c.c.63091 > r.r.r.r.8099: P 1:436(435) ack 1 win 
1026 [tos 0x20]
14:34:09.372477 r.r.r.r.62530 > 129.128.5.194.80: . ack 1 win 1026 [tos 
0x20]
14:34:09.372500 r.r.r.r.62530 > 129.128.5.194.80: P 1:436(435) ack 1 win 
1026 [tos 0x20]
14:34:09.450714 129.128.5.194.80 > r.r.r.r.62530: P 1:197(196) ack 436 
win 273 (DF) [tos 0x20]
14:34:09.450716 129.128.5.194.80 > r.r.r.r.62530: . 197:1657(1460) ack 
436 win 273 (DF) [tos 0x20]
14:34:09.450759 r.r.r.r.8099 > c.c.c.c.63091: P 1:197(196) ack 436 win 
273 [tos 0x20]
14:34:09.450774 r.r.r.r.8099 > c.c.c.c.63091: . 197:1657(1460) ack 436 
win 273 [tos 0x20]

Re: Replace PF rule + inetd Proxy with 2 PF rules

2020-02-14 Thread Fabio Martins


I am trying now only with the redirect to www.openbsd.org, if it works, I
am sure it can be adapted to my case.

Unfortunately still no success.

# pf.conf:

ext_if="xnf0"

match in log on $ext_if proto tcp from any to ($ext_if) port 8099 tag RDR \
rdr-to 129.128.5.194 port 80

match out log on $ext_if proto tcp to 129.128.5.194 port 80 received-on \
$ext_if nat-to $ext_if

match out log quick on $ext_if inet all tagged RDR \
nat-to $ext_if

server_open="{ 80,110,443,25,587,465 }"

pass in log on $ext_if inet proto tcp from any port 1024:65535 to $ext_if
port $server_open tag n_traffic

#block all to start
block all
pass quick tagged RDR
pass quick tagged n_traffic
pass out on $ext_if


>
>
> On 2/14/2020 6:30 AM, Fabio Martins wrote:
>> Hi Nick,
>>
>> Thanks. I applied both rules below, unfortunately I am still only
>> hitting
>> rule number #1 (rdr-to). nat-to is never reached (added "log" on each to
>> test). I tried inverting the order, too, but no luck.
>>
>> #1
>> match in on $ext_if proto tcp from  to ($ext_if) port 25 \
>> rdr-to 200.200.200.200 port 
>>
>> #2
>> match out on $ext_if proto tcp to 200.200.200.200 port  received-on
>> \
>> $ext_if nat-to ($ext_if)
>>
>> --
>> Fabio Martins
>>
>
> Odd, are you allowing the traffic with an appropriate pass rule later?
>
> I use tagging for rules related to rdr and nat to keep things simple,
> here is the full working setup I used to bounce port 8099 on the
> external interface to www.openbsd.org port 80.
>
> #Fun reverse redirection of www.openbsd.org
> match in on $ext_if proto tcp from any to ($ext_if) port 8099 tag RDR
> rdr-to 129.128.5.194 port 80
> match out on $ext_if proto tcp to 129.128.5.194 port 80 received-on
> $ext_if nat-to $ext_if
>
> #block all to start
> block log all
> pass quick tagged RDR
> pass out on $ext_if
>
>
> Make sure you are testing from an external host of course.

strongSwan cannot install IPsec policies on OpenBSD

2020-02-14 Thread Peter Müller
Hello openbsd-misc,

due to some flaws in OpenIKED, I am forced to use strongSwan as an IPsec client 
on an
OpenBSD 6.6 machine. While establishing an IKE_SA works fine, installing 
policies for CHILD_SA
fails (as expected):

> unable to install IPsec policies (SPD) in kernel
> failed to establish CHILD_SA, keeping IKE_SA

To those who are running strongSwan as an IPsec client on OpenBSD: Which is the 
best
procedure in this case? Are there other methods of installing IPsec policies 
into the
kernel available?

Thanks for any help in advance.

Best regards,
Peter Müller

P.S.: In case anybody wonders about the "OpenIKED flaws", these are as follows:
(a) Restarting single connections is not possible
(b) Dead Peer Detection is missing (I am aware of ifstated as a "replacement", 
but since
there seems to be no way of restarting a single IPsec connection, 
restarting the whole
iked daemon causes operational tunnels to crash)
(c) IKE is missing AES-GCM support (while ESP does - not sure why this is)
(d) Does not seem to support more than one private key

Apart from that, I really appreciate OpenIKED especially for its configuration 
file
syntax, but unfortunately cannot use it primarily due to (a) and (d).



Re: Replace PF rule + inetd Proxy with 2 PF rules

2020-02-14 Thread Fabio Almeida
Hi Fabio (xará),
Apparently I achieved this with these rules:
--
pass out log on hvn0 inet proto tcp from any port 1024:65535 to 8.8.8.8
port =  flags S/SA label "TESTE LISTA"
pass in on hvn0 inet proto tcp from any port 1024:65535 to 10.101.0.17 port
= 25 flags S/SA label "TESTE LISTA" tag TESTE rdr-to 8.8.8.8 port 
match out log quick on hvn0 inet all label "TESTE LISTA" tagged TESTE
nat-to 10.101.0.17
--
Of course there's room for improvement, be it simplifying the rules or making
them more specific.
Maybe I needed three rules because I use "block log" as a default rule so:
"block in" and "block out" by default.
Here is the tcpdump output:
--
rule 0/(match) match in on hvn0: 10.101.0.24.47964 > 10.101.0.17.25: S
3824310731:3824310731(0) win 42340  (DF)
rule 53/(match) match out on hvn0: 10.101.0.17.60331 > 8.8.8.8.: S
3824310731:3824310731(0) win 42340 
rule 16/(match) pass out on hvn0: 10.101.0.17.60331 > 8.8.8.8.: S
3824310731:3824310731(0) win 42340 
--
Regards,
Fabio Almeida

On Fri, Feb 14, 2020 at 8:33 AM Fabio Martins <
fm+obsd+misc+l...@phosphorusnetworks.com> wrote:

>
> Hi Nick,
>
> Thanks. I applied both rules below, unfortunately I am still only hitting
> rule number #1 (rdr-to). nat-to is never reached (added "log" on each to
> test). I tried inverting the order, too, but no luck.
>
> #1
> match in on $ext_if proto tcp from  to ($ext_if) port 25 \
> rdr-to 200.200.200.200 port 
>
> #2
> match out on $ext_if proto tcp to 200.200.200.200 port  received-on \
> $ext_if nat-to ($ext_if)
>
> --
> Fabio Martins
>
> > Hi Fabio,
> >
> > I believe this will do what you want, seemed to work in quick testing
> > here, adjust to suit your environment.
> >
> >
> > match in on $ext_if proto tcp from  to ($ext_if) port 25
> > rdr-to 200.200.200.200 port 
> > match out on $ext_if proto tcp to 200.200.200.200 port  received-on
> > $ext_if nat-to ($ext_if)
> >
>
>
>
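As an added example (not code posted in this thread), here is a small Python checker for the two capture formats shown above: the plain tcpdump lines Nick posted and the pflog-style "rule N/(match)" lines in this message. It pairs the inbound and outbound SYNs of one redirected connection by their shared initial sequence number and reports whether both the rdr-to and the nat-to step took effect. The sample lines and the addresses 198.51.100.7 and 203.0.113.1 are constructed; only 129.128.5.194 comes from the thread.

```python
import re
from collections import defaultdict

# One regex for both line shapes seen in this thread: plain "tcpdump -n" output
# on the external interface, and pflog-style lines that start with
# "rule N/(match) <action> <dir> on <if>:". Only TCP SYN segments are matched.
SYN_RE = re.compile(
    r"(?:rule\s+(?P<rule>\d+)/\(\w+\)\s+\w+\s+(?P<dir>in|out)\s+on\s+\w+:\s+)?"
    r"(?:\d\d:\d\d:\d\d\.\d+\s+)?"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+"
    r"S\s+(?P<isn>\d+):\d+\(0\)"
)

def parse_syn(line):
    """Return (flow, isn, direction) for a bare SYN, or None for other lines.
    SYN-ACKs carry ' ack ' and are skipped: they belong to the return path."""
    m = SYN_RE.search(line)
    if m is None or " ack " in line:
        return None
    d = m.groupdict()
    flow = (d["src"], int(d["sport"]), d["dst"], int(d["dport"]))
    return flow, int(d["isn"]), d["dir"]

def translation_chains(lines):
    """pf keeps the client's ISN across rdr-to and nat-to, so one redirected
    connection shows up as several distinct 4-tuples with the same ISN; the
    order of appearance is the order of translation."""
    by_isn = defaultdict(list)
    for line in lines:
        parsed = parse_syn(line)
        if parsed is None:
            continue
        flow, isn, _direction = parsed
        if flow not in by_isn[isn]:
            by_isn[isn].append(flow)
    return {isn: flows for isn, flows in by_isn.items() if len(flows) >= 2}

def diagnose(flows, rdr_target, fw_addr):
    """Compare the last 4-tuple with what a working rdr-to + nat-to pair must
    produce: destination rewritten to rdr_target, source rewritten to the
    firewall's own address. Returns the missing steps (empty when both applied)."""
    src, _sport, dst, _dport = flows[-1]
    problems = []
    if dst != rdr_target:
        problems.append(f"rdr-to not applied: destination is still {dst}")
    if src != fw_addr:
        problems.append(f"nat-to not applied: source is still {src}, "
                        f"so {rdr_target} will answer the client directly")
    return problems

# Constructed sample input: client 198.51.100.7 connects to firewall
# 203.0.113.1 port 8099, which bounces the connection to www.openbsd.org:80.
WORKING = [
    "14:34:09.270237 198.51.100.7.63091 > 203.0.113.1.8099: S 3178148684:3178148684(0) win 64240",
    "14:34:09.270303 203.0.113.1.62530 > 129.128.5.194.80: S 3178148684:3178148684(0) win 64240",
    "14:34:09.342800 129.128.5.194.80 > 203.0.113.1.62530: S 3355699325:3355699325(0) ack 3178148685 win 16384",
]
# The same connection when only the rdr-to match rule took effect (pflog format).
RDR_ONLY = [
    "rule 0/(match) match in on xnf0: 198.51.100.7.63091 > 203.0.113.1.8099: S 3178148684:3178148684(0) win 64240",
    "rule 16/(match) pass out on xnf0: 198.51.100.7.63091 > 129.128.5.194.80: S 3178148684:3178148684(0) win 64240",
]
```

Feed it real capture lines from `tcpdump -n` or `tcpdump -n -e -i pflog0` and the "nat-to not applied" message is exactly the symptom of the rule set that hits only rule #1.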


Re: Full disk encryption including /boot, excluding bootloader?

2020-02-14 Thread Frank Beuth

On Thu, Feb 13, 2020 at 01:31:43PM +0100, no@s...@mgedv.net wrote:
> depends what you want to achieve, but my recommendation is booting from USB
> and mounting encrypted root from the HDD.
> you can safely remove the usb key after root mount and all your configs/etc
> files are used from the encrypted storage.
> this ensures 2 things: bootloader + kernel on USB boot media cannot be
> attacked during system uptime and all bytes on disk are encrypted.
> another advantage is, you don't need (to type, write down or remember) any
> passphrases but can use strong random data for crypto payload/keys.

How do you do this on OpenBSD?



Re: Replace PF rule + inetd Proxy with 2 PF rules

2020-02-14 Thread Nick Gustas
On 2/14/2020 6:30 AM, Fabio Martins wrote:
> Hi Nick,
>
> Thanks. I applied both rules below, unfortunately I am still only hitting
> rule number #1 (rdr-to). nat-to is never reached (added "log" on each to
> test). I tried inverting the order, too, but no luck.
>
> #1
> match in on $ext_if proto tcp from  to ($ext_if) port 25 \
> rdr-to 200.200.200.200 port 
>
> #2
> match out on $ext_if proto tcp to 200.200.200.200 port  received-on \
> $ext_if nat-to ($ext_if)
>
> --
> Fabio Martins


Odd, are you allowing the traffic with an appropriate pass rule later?

I use tagging for rules related to rdr and nat to keep things simple, 
here is the full working setup I used to bounce port 8099 on the 
external interface to www.openbsd.org port 80.


#Fun reverse redirection of www.openbsd.org
match in on $ext_if proto tcp from any to ($ext_if) port 8099 tag RDR 
rdr-to 129.128.5.194 port 80
match out on $ext_if proto tcp to 129.128.5.194 port 80 received-on 
$ext_if nat-to $ext_if


#block all to start
block log all
pass quick tagged RDR
pass out on $ext_if


Make sure you are testing from an external host of course.


experience setting up a low memory machine

2020-02-14 Thread rgc
misc@

sharing a recent experience with OpenBSD 6.6 and old, low spec, low memory
devices.

remember the Toshiba Libretto? back in 2000, OpenBSD got some CPU time on
one of mine. sadly that Libretto is now dead, and with the current state of
affairs, it won't be able to run OpenBSD.

last weekend i was able to snag one of the Libretto's cousins. this one is a
Cassiopeia Fiva 102. slightly larger than the 70CT. has a touchpad, has USB,
a parallel, serial, IRDA, VGA, PS/2 port, an extra USB port on the dock. it
has 64Mb RAM (32Mb base + a 32Mb DIMM in the slot), expandable to 96Mb ...
if i can find old DIMMs. 6Gb PATA drive. Cardbus slot. CPU is a Cyrix.
battery is toast but ... still a good looking ~20 year old laptop.

first order of business, upgrade the disk. i have a 2x CF to PATA adapter
which i used. this adapter has a jumper to select which CF is the master.
for installing -current, i dded the install66.fs to a 512Mb CF. set that as
master and a 64Gb Sandisk as slave. install was smooth. first boot was OK.
then i noticed a big problem. the system seems to "hang" after 10mins.
testing more, i let the machine stand overnight. no change. i have the
command prompt, pressing ENTER creates a new line but i don't get the prompt
back. maybe it is the CF card. switched cards. tried 32Gb and 16Gb. same.

i thought it was the RAM ... i disable Fast boot ... and POST detected no
issues with the RAM. also i've installed -current several times already with
no hiccups, if the DIMM had issues it should have manifested when
decompressing the large tarball packages.

mounted the CF with "noatime" -> no change
vm.swapencrypt.enable = 0 -> no change
library_aslr=NO -> no change

in one final effort, i reinstalled everything again, rebooted, log in ...
and started top(1). lo and behold ... after 10mins i got my "hang" and a
probable culprit ...

every boot OpenBSD relinks the kernel ... i stared at the top display and
saw ld on top with around 170Mb ... literally out of memory ... and out of
swap space. on machines with small memory swap is configured by disklabel
as 2x physmem.  in my case 122Mb swap was calculated but it was not enough
for the kernel relinking.

reinstalled everything again but customized the disklabel ... 4Gb of swap
was configured ... well i did waste 2Gb since 32-bit archs can only use 2Gb
and i'm too lazy to re-install again.


so that's something to watch out for when setting up low memory systems.
i was expecting ld to just segfault ... bec of the out of memory condition
but i never saw a segfault.


at the moment no more pseudo "hangs" ... but relink spews out an error
on every reboot:

(SHA256) /bsd: OK
LD="ld" LDFLAGS="-g" sh makegap.sh 0x gapdummy.o
ld -T ld.script -X --warn-common -nopie -o newbsd ${SYSTEM_HEAD} vers.o ${OBJS}
size: newbsd: not object file or archive
*** Error 1 in /usr/share/relink/kernel/GENERIC (Makefile:1125 'newbsd': @size 
newbsd ; umask 007;  echo mv newbsd newbsd.gdb; rm -f newbsd)


- and dc0 (i have 2 of these, 32-bit PC Card)

dc0 at cardbus0 dev 0 function 0 "Xircom X3201-3" rev 0x03: irq 11, address 
00:06:29:xx:xx:xx
tqphy0 at dc0 phy 0: 78Q2120 10/100 PHY, rev. 11

can't see anyone on my network ... i see the ARP packets but i
can not ping anyone on my newly created network (sneakernet via USB
flash drives with BE and LE machines is complicated).

these cards work on my Powerbook G4.


- but axe0 works! slow (3-4ms ping to a local machine) ... but it works.

axe0 at uhub1 port 1 configuration 1 interface 0 "Apple Computer Ethernet 
A1277" rev 2.00/0.01 addr 3
axe0: AX88772, address 10:9a:dd:xx:xx:xx
ukphy0 at axe0 phy 16: Generic IEEE 802.3u media interface, rev. 1: OUI 
0x000ec6, model 0x0006


- so does urtwn0

urtwn0 at uhub1 port 2 configuration 1 interface 0 "I-O DATA DEVICE, INC. 
WN-G150UM" rev 2.00/2.00 addr 4
urtwn0: MAC/BB RTL8188CUS, RF 6052 1T1R, address 34:76:c5:xx:xx:xx

but not much testing done yet.


- and urndis0 has issues  

urndis0 at uhub1 port 2 configuration 1 interface 0 "Sony 501SO" rev 2.00/3.10 
addr 3
urndis0: using RNDISurndis0: IOERROR
urndis0: query failed
: unable to get hardware address
ugen0 at uhub1 port 2 configuration 1 "Sony 501SO" rev 2.00/3.10 addr 3
urndis0 detached
ugen0 detached
ugen0 at uhub1 port 2 "Sony 501SO" rev 2.00/3.10 addr 3
ugen0 detached


- of course no Xorg


yorosiku ~

PS
and thanks for all the efforts of past and present developers ...

PPS
back to trying to understand PPC assembly and ofw ...



OpenBSD 6.6-current (GENERIC) #502: Thu Jan 16 11:34:46 MST 2020
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
real mem  = 63979520 (61MB)
avail mem = 47181824 (44MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: date 01/13/00, BIOS32 rev. 0 @ 0xfb970
apm0 at bios0: Power Management spec V1.2 (slowidle)
pcibios0 at bios0: rev 2.1 @ 0xf/0xbde8
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdfc0/48 (1 entries)
pcibios0: PCI Exclusive IRQs:

Re: Full disk encryption including /boot, excluding bootloader?

2020-02-14 Thread Sebastian Benoit
no@s...@mgedv.net(nos...@mgedv.net) on 2020.02.13 13:31:43 +0100:
> > > On Linux you can do the following:
> > > { [1MB unencrypted GRUB bootloader partition] [Rest of hard drive
> > > entirely encrypted] }
> ... which i would consider to be as insecure, as unencrypted root at all.

... which totally depends on what you are trying to protect your laptop/data
from.

The lost/stolen laptop scenario is covered nicely by what OpenBSD offers.




Re: Replace PF rule + inetd Proxy with 2 PF rules

2020-02-14 Thread Fabio Martins


Hi Nick,

Thanks. I applied both rules below, unfortunately I am still only hitting
rule number #1 (rdr-to). nat-to is never reached (added "log" on each to
test). I tried inverting the order, too, but no luck.

#1
match in on $ext_if proto tcp from  to ($ext_if) port 25 \
rdr-to 200.200.200.200 port 

#2
match out on $ext_if proto tcp to 200.200.200.200 port  received-on \
$ext_if nat-to ($ext_if)

--
Fabio Martins

> Hi Fabio,
>
> I believe this will do what you want, seemed to work in quick testing
> here, adjust to suit your environment.
>
>
> match in on $ext_if proto tcp from  to ($ext_if) port 25
> rdr-to 200.200.200.200 port 
> match out on $ext_if proto tcp to 200.200.200.200 port  received-on
> $ext_if nat-to ($ext_if)
>