; immediately use https for your domain without going through the redirect.
The redirect is still necessary, given the fact that STS headers have an
expiration time. So, configure and forget the redirect, always keep
your TLS setup working, and you should be fine.
Cheers,
Giancarlo Razzolini
f custom
CAs, and Firefox has an option also. But that is not true for every
browser (or lib that some app might be using). To complicate things
further, there is HPKP. You can also use pflow(4) with nfsen for
detecting odd behaviour in your network, and try to catch anything that
might have passed.
Cheers,
Giancarlo Razzolini
onnected through
the internet, making all of them pass through the subnet 2, will slow
things down.
Cheers,
Giancarlo Razzolini
set the priority passing two of them, so packets with lowdelay TOS and
empty acks can go to a higher priority, hence improving your interactive
browsing and your downloads.
Cheers,
Giancarlo Razzolini
ing, or your OpenBSD firewall is also running a proxy or dns server.
In this case I find that using mpath alongside ifstated is
easier than using rdomain. Especially if your network layout is simple.
Cheers,
Giancarlo Razzolini
different
gateways. If they have the same routing priority, OpenBSD would
round-robin between them. This is where ifstated can be used, to detect
failures and add/remove the routes as needed.
Cheers,
Giancarlo Razzolini
t
> want using that queue and add a match rule to pf.conf to push it into my
> bulk queue.
>
> But I am wondering if there is a way to log what traffic is using a
> queue or which packets are being dropped.
>
> Thanks,
> jh
>
match log
man pflow(4)
pkg_add nfsen
Happy!
Cheers,
Giancarlo Razzolini
. You can also do
this the other way around: make the route-to rules for your customers
and let your OpenBSD use whatever default gateway you want. If your
networks are static, you can hard code them in your pf rules.
Cheers,
Giancarlo Razzolini
ecially if you do not change it after a key
replacement.
Cheers,
Giancarlo Razzolini
as text here. Without it, it's
difficult to help you.
Cheers,
Giancarlo Razzolini
it up if you want, but I don't even know if it
compiles with recent OpenVPN code.
Cheers,
Giancarlo Razzolini
I beg you. Every time an
admin starts a ftp server, a puppy dies. Consider using SSH. Or, if you
must, DAV.
Cheers,
Giancarlo Razzolini
v.
I don't understand it either. From my point of view, the OpenVPN project
has slowed down a lot in the past few years. Coincidentally, its
commercial solution didn't.
> so did Tamas, it's in ports.
Good to know. I don't think my code still compiles against newer OpenVPN
versions.
Cheers,
Giancarlo Razzolini
ce name with () won't work with IPv6,
and the rules don't get reloaded when the addresses change.
I will (unfortunately) still use IPv4 based internal LANs, as long as
these IPv6 woes don't get sorted out. I think things will get much
worse before they get better.
Cheers,
Giancarlo Razzolini
ng triggered. Also, you can (should) always use tags. Not
only do they make your ruleset "debuggable", but any stray packet should hit
a block rule (possibly logging it). I suspect your first three rules
aren't matching because you're using the external interface. Try using
the internal one on them.
Cheers,
Giancarlo Razzolini
can
make it easier to visualize where your packets are going.
Cheers,
Giancarlo Razzolini
advance), Marcus
Don't try to implement the same thing ftp does on top of other
protocols. That being said, using OpenSSH you can have everything ftp
has even better. You can even chroot every user to his/her home. With
the benefit of, you know, talking ssh protocol, instead of ftp.
Cheers,
Giancarlo Razzolini
know) ipv6 packets to my external lan address. I will try to
port some of the ndp proxy solutions available to OpenBSD. Every one I
found is Linux-centric. OpenBSD ndp(8) has proxy functionality. I
couldn't make it work, and you also need to add entries host by host to it.
Cheers,
Giancarlo Razzolini
e a look into that. If your CPE doesn't have the
internal lan prefix, you can't expect it to work.
Cheers,
Giancarlo Razzolini
an ip address on the bridge, only on the internal LAN interface.
Cheers,
Giancarlo Razzolini
the trick
for me.
Cheers,
Giancarlo Razzolini
open f: No such file or directory
> Nov 6 08:25:46 janus dhcpd[24427]: exiting.
It seems you have two instances of dhcpd running. It might explain your
problem.
Cheers,
Giancarlo Razzolini
han that. Webmin
is a very intrusive piece of software. Unless you understand everything
it is doing in the background, you'll always face problems for which
you won't know the answer, at least, not easily.
Cheers,
Giancarlo Razzolini
5.8 that
might help you, if you're willing to run -current. These days I prefer
using ULA and making nat, so I can assure my internal address space will
never change.
Cheers,
Giancarlo Razzolini
necessary. In
my case I need to monitor changes so I can update DNS records, I was
just extending that so the OP could do another thing (restart rtadvd). I
don't know anything that could be done in my case, since my ISP and CPE
will change the prefix anytime the CPE restarts or the CPE connection to
the ISP is lost.
Cheers,
Giancarlo Razzolini
ace with the inet6
-autoconf option, so you'll get only the link-local address. When you
run dhcpcd it will configure only a private address on the interface
thus solving your issue. You don't need to make pf prefer the privacy
address, because there will only be one address on the interface.
Cheers,
Giancarlo Razzolini
e unbound with local-zones or an unbound + nsd combo, if you
also need authoritative. I think you'll need to hack your /etc/rc file
to load them before your pf.conf is loaded.
Cheers,
Giancarlo Razzolini
th this is using a proxy. Relayd can work quite well
for simple cases.
Cheers,
Giancarlo Razzolini
elevant for the OpenBSD installation.
Everything is signed using signify. The transfer medium can be (and is)
unencrypted. Of course this pretty much means anyone listening knows
you're downloading/installing OpenBSD. If your concern is this, then
you'll need to figure out for yourself how to hide the fact that you're
installing OpenBSD.
Cheers,
Giancarlo Razzolini
using the self
keyword. You can also have success using the user directive.
Cheers,
Giancarlo Razzolini
Em 27-11-2015 18:35, bofh escreveu:
> Why do you continue by asking about blobs in FreeBSD?
Troll Detected. Troll Fed. End of Thread.
e delivery. You can download the iso from the internet, safely
verify it and write your own USB stick with it. And Theo gets paid for
the wonderful job he (and others of course) do with OpenBSD.
Cheers,
Giancarlo Razzolini
mall bursary as well from some people who
> understand the importance, otherwise I'd be looking for a cashier job.
I really don't want to see this happen, but I'd imagine you wouldn't
stress yourself as much.
Keep the good work,
Giancarlo Razzolini
D's but
do not get them delivered. That way Theo saves the shipping, and you
contribute directly to him. Which isn't different from contributing to
OpenBSD.
Cheers,
Giancarlo Razzolini
on. Now
you made it even more clear how things operate.
Cheers,
Giancarlo Razzolini
). My question is malformed, sorry.
Take a look at bro. It's on ports.
Cheers,
Giancarlo Razzolini
fact that the num
lock switch was on (or off). At first I thought it wasn't tmux related.
But now it seems otherwise.
Cheers,
Giancarlo Razzolini
?
Macros need to be present in each anchor file. Tables don't need to be. I
have a little script that copies all my macros after I edit /etc/pf.conf
to the anchors. I use commented marks in /etc/pf.conf to know where to
begin copying and where to end. But you get the point.
Cheers,
Giancarlo Razzolini
servers. Having them in clear text as
they are today isn't very secure.
Also, now that we have two free TLS cert providers, one can use HPKP
and completely disregard the CAs, which is a security benefit.
Cheers,
Giancarlo Razzolini
the client shouldn't connect to it,
because it already has the fingerprint pinned. It is the same rationale
as ssh host keys, trust on first use.
But, by the way this thread evolved, we're beating a dead horse here now.
Cheers,
Giancarlo Razzolini
's and
tor, etc.
The TLS could be implemented in a non-mandatory way; you don't need to
redirect HTTP connections to HTTPS ones. But it would be nice to have
the option, at least.
Cheers,
Giancarlo Razzolini
completely? At least if you trust your first access to the site. But I
think this thread has followed its course, let's move on.
Cheers,
Giancarlo Razzolini
Em 19-02-2016 12:42, Jorge Luis escreveu:
> "What is LibertyBSD?
> OpenBSD is universally known as an operating system designed with security
> in mind, proudly being able to say that it has had "Only two remote holes in
> the default install, in a heck of a long time!"
Will you please, please, go
To add to the strange thing, I have another bare metal machine, with a
different hardware, but using the same qemu version, and I had never
experienced any lockups. But it also will not show more cores on OpenBSD.
Cheers,
--
Giancarlo Razzolini
GPG: 4096R/77B981BC
Em 14-11-2013 11:43, David Coppa escreveu:
> On Thu, Nov 14, 2013 at 2:33 PM, Giancarlo Razzolini
> wrote:
>> Em 13-11-2013 22:40, Jeff Fuhrman escreveu:
>>> I'm the tech Bruno has been working with regarding this. QEMU version is
>>> 1.5 and the relevan
lockups (so far). I am betting
it was indeed the problem.
--
Giancarlo Razzolini
GPG: 4096R/77B981BC
My regards,
--
Giancarlo Razzolini
pf won't reflect the connection back to the interface it came from. I recall
making this work on other firewalls, but on pf, it doesn't work. But,
using inetd works just the same.
My regards,
--
Giancarlo Razzolini
Stuart Henderson escreveu:
On 2008-12-30, Giancarlo Razzolini wrote:
fRANz escreveu:
Hi.
I've some trouble with this configuration:
LAN -- fw (openbsd 4.4) -- adsl router
LAN: 192.168.100.0/24
fw int int: sis1
fw int ind: 192.168.100.2
fw ext int: sis0
fw ext ind: 10.0.0.2
r
/var/db/dhcpd.leases and manually remove the entries
corresponding to the desired ip address.
3) start the dhcpd server again.
Keep in mind the next time you answer something on the list to be more
specific and descriptive.
My regards,
--
Giancarlo Razzolini
http://lock.razzolini.adm.br
On 25-10-2014 15:10, Theron ZORBAS wrote:
> # here is where and what i dont know to do?
> # How to forward https requests to https_server arriving at pppoe1
interface/IP
Your problem isn't with binat, which, by the way, you don't need. There
are several options for solving your problem. The easies
an run in /etc/sudoers.
Cheers,
Giancarlo Razzolini
ters and it will revert to the old way.
Anyway, I, like you, have many OpenBSD systems that "just work". Thank
you OpenBSD.
Cheers,
Giancarlo Razzolini
ower frequency, more cores is better, because my firewall isn't used
just for PF. If you're gonna use your OpenBSD firewall for other
processes such as a proxy, dns server, web server or dhcp server, it won't
hurt to have more cores.
Cheers,
Giancarlo Razzolini
ve the budget for this kind
of setup, I believe this trade-off is an acceptable one, if you
understand the risks. Also, there are some things you can't do if you
run the services on a separate machine such as divert(4).
Cheers,
Giancarlo Razzolini
don't
think any other text mode browser will make it into base in the near
future, unless someone develops a secure one.
Cheers,
Giancarlo Razzolini
're on the wrong Operating System. OpenBSD is secure by default.
If lynx had the tiniest chance of compromising your system, then I'm
glad it's gone.
Cheers,
Giancarlo Razzolini
hard to
make an OS that tries not to allow you to shoot yourself in the face.
Even if that means removing software that might (or might not) pose a threat
to you at any point in the future.
Cheers,
Giancarlo Razzolini
ass in quick from 192.168.1.200 to any route-to (tun0 gateway)
Cheers,
Giancarlo Razzolini
ving on these days. At least
now we have more people paying attention to what happens on our
computers BEFORE any OS is loaded.
Cheers,
Giancarlo Razzolini
mes it makes a
hard subject easier to swallow (as it is with cryptography). Perhaps
*that* one was misplaced.
Cheers,
Giancarlo Razzolini
PC about OpenBSD is ... a couple target platforms. :)
I'm remembering someone that was offended by the smtpd manual page (IIRC).
Even sent a patch to fix it and everything!
>
> Nick.
> (making note to offend more in the future)
Oh no! Please don't!
Cheers,
Giancarlo Razzolini
nt on a production or critical environment will
prove to be a challenge. Unless you carefully test each snapshot and
then have some tool like puppet to automate the upgrade with snap or
other tool. Even with autoinstall(8).
Cheers,
Giancarlo Razzolini
you have the relevant files in your chroot's etc directory? I believe
that you need at least a resolv.conf there. Also, a localtime is always
a good idea.
Cheers,
Giancarlo Razzolini
the same problem with it enabled and with the
default firewall configuration. I'm trying to get ipv6
connectivity working first, and only then filter the packets. Anyone had a similar
issue?
Cheers,
Giancarlo Razzolini
t the
CPE is truly delegating the prefix, which is why it's issuing
neighbor solicitation messages. Someone pointed out to me that I'll need to
use an ndp proxy or use the openbsd machine as a bridge filter. I can't
change the CPE configuration, it's locked by my ISP.
Cheers,
Giancarlo Razzolini
SP's, since I doubt
they will implement authenticated NDP. I will look into this ndp proxy
daemon, since I couldn't make the ndp(8) proxy functionality work.
Thanks to all you guys who replied. Both on and off list.
Cheers,
Giancarlo Razzolini
oxy is the only viable solution (besides my ISP allowing me to
change my router configuration).
Cheers,
Giancarlo Razzolini
faq/faq6.html#Bridge
I'm trying to get some NDP proxy running on OpenBSD. But all of them are
Linux-centric. Perhaps, for now, I will use it as a filtering bridge.
Since I have enough interfaces on my OpenBSD machine, I will have a
bridge specifically for IPv6. And IPv4 will still be N
antime, I'll go with a bridge firewall. It seems
like the most hassle free way to go. Perhaps I'll hack some NDP proxy.
But I need IPv6 connectivity, and I need it now.
Cheers,
Giancarlo Razzolini
rt back to the
list if you can make it work with -current.
Cheers,
Giancarlo Razzolini
consistent with behaviour I've seen on -stable. Good to know
that it's fixed on -current.
Cheers,
Giancarlo Razzolini
Em 08-07-2015 15:34, Jorge Gabriel Lopez Paramount escreveu:
there are other OSes out there, no need to make accusations or throw a
tantrum about it.
Go use these other OSes and leave OpenBSD alone. You'd be doing us a favor.
Cheers,
Giancarlo Razzolini
r dealing
with many default gateways. Using tags you can write an even more concise
ruleset.
Cheers,
Giancarlo Razzolini
Em 08-07-2015 18:48, Артур Истомин escreveu:
And it was sent from Linux OS
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101
Thunderbird/38.0.1
Shame for you, linux fan boy:)
And this proves what exactly? You don't know about my use of either
Linux or OpenBSD, you don't g
ecall if the openbsd base dhclient has it, but you could
possibly use one that is in ports and make it not add the default
routes. And, you could make it call a script that creates them. They
need to be created with the -mpath modifier anyway.
Cheers,
Giancarlo Razzolini
y for a site to site VPN, I'll stay with it
for a while. But my ISP is implementing native IPv6 and sooner or later
I'll have to deal with this. So will you.
Cheers,
Giancarlo Razzolini
ubset of ICMPv6 messages need to be
allowed both on the router and clients.
Cheers,
Giancarlo Razzolini
there will be a lot of people that will be caught off guard,
especially because almost every OS (except OpenBSD) will automatically
configure IPv6 if present.
Cheers,
Giancarlo Razzolini
ue and solved it using (egress). Since your
interfaces will have default routes, they will be all part of the egress
group. You can exploit that. Use tags and tcpdump to debug your rules, I
believe you can find a solution.
Cheers,
Giancarlo Razzolini
ilovers, lots of anchors.
This was almost 10 years ago. Things have changed. But some didn't.
Cheers,
Giancarlo Razzolini
t ideal, but it worked. My ISP
had a broken configuration where more than one concentrator would reply.
They eventually fixed it, but I had to debug a lot to get to this.
Perhaps you're seeing something similar. But without more information
it's difficult to know.
Cheers,
Giancarlo Razzolini
any
FreeBSD machine available to test it. But it seems to be the only OS
affected. I'm betting that they have some bad interaction between the
openssh configuration and their PAM configuration.
Cheers,
Giancarlo Razzolini
015/q3/156
It seems to affect only FreeBSD. But it's bad, and affects a lot of
versions, dating back to 2007. And also, as I guessed, interaction with
PAM is the culprit.
Cheers,
Giancarlo Razzolini
"yes" default. If there are any forms of PAM authentication
delays, they still apply. But that could perhaps be overcome with some
kind of distributed attack, with many connections opened.
Cheers,
Giancarlo Razzolini
enough to secure it. The patch wasn't provided because
of a bug in OpenSSH code, it was provided because people are lazy, and
wouldn't fix their own PAM configuration.
Cheers,
Giancarlo Razzolini
this off list. I already sorted things out with
the OP. But, truth is, that this bug is being sold by others, including
news sites, as "The BUG". It's hard to stay over the fence when things
like this happen. Perhaps I need to drink less coffee and see what that
thing called medi
Em 24-07-2015 14:27, Kevin Chadwick escreveu:
> The guidance is to use pubkey or long passwords in which case you
> should either have no problem or notice the cpu cycles if your an admin
> worth any salt.
There are tons of info regarding OpenSSH best practices. The link below
[1] is one of them.
Em 27-07-2015 09:13, Kimmo Paasiala escreveu:
> It's next to impossible identify the make and
> model of the NIC that holds an IP address
With IPv6 and poor configuration, a remote attacker already has that
information. MAC addresses reveal a lot of information about a NIC.
Cheers,
as static PD). Others are doing it
because of plain and simple lack of knowledge.
Cheers,
Giancarlo Razzolini
nce to support your claim, as you can't even manage to
provide enough information for some good soul on this list to help you.
Come back when you've sorted this out.
Cheers,
Giancarlo Razzolini
ghbor solicitation messages, and won't route the packets.
Unless I use NDP proxying, I can't do normal routing. As I stated, I did
a bridge. When I have some free time I'll visit the NDP proxy again.
Perhaps I'll be able to port some of the existing solutions to OpenBSD.
Cheers,
Giancarlo Razzolini
s? Given
the plethora of options for getting free (valid) certificates.
Cheers,
Giancarlo Razzolini
Since most people don't even care about tls
warnings, they have their uses. But, as it is becoming clearer and
clearer to the OP, you need to maintain it yourself, and not screw up.
Cheers,
Giancarlo Razzolini
Em 31-07-2015 03:07, Peter Hessler escreveu:
> this is a real problem for real people.
Which was pretty much solved with PKP [0]. As I mentioned, custom CAs
have their uses, but in the end, they are just one more thing waiting to
bite you in the ass. You can pretend to have a decent OPSEC for a wh
domains.
Cheers,
Giancarlo Razzolini
or pass rules, not block ones.
Cheers,
Giancarlo Razzolini
lling it
outside a docker. Unless their software is stupid and tries to verify if
you're inside a docker and refuses to run if not.
Cheers,
Giancarlo Razzolini
take an image and
install something, that can, with some work and thinking, be installed
on the metal. This is wrong. And it is also part of the security problem.
Cheers,
Giancarlo Razzolini
ins
or sysadmins (if you can call them that) being lazy. I bet that a lot of
the good old fashioned admins got replaced by a new "devop" who can
deploy everything really fast cutting every corner possible. And people
still want it to be ported to OpenBSD.
Cheers,
Giancarlo Razzolini