Re: Where to put certificates for IKEv2?

2018-06-24 Thread C. L. Martinez
On Sun, Jun 24, 2018 at 12:42:15PM +0200, C. L. Martinez wrote:
> On Sun, Jun 24, 2018 at 08:43:32AM +, Stuart Henderson wrote:
> > On 2018-06-23, C. L. Martinez  wrote:
> > > Hi all,
> > >
> > >  I am using Easy-RSA to manage my home's CA (using elliptic curve 
> > > certificates). I have created a certificate for my OpenBSD gw for IKEv2 
> > > connections (using strongswan mainly). My question is where do I need to 
> > > put OpenBSD certs under /etc/iked?
> > >
> > >  I have installed myhost.crt in /etc/iked/pubkeys/fqdn/myhost.crt and 
> > > myhost.key in /etc/iked/private/myhost.key, but running "iked -dvv" 
> > > returns me the following error:
> > 
> > The CA cert needs to go in /etc/iked/ca, do you have that?
> > 
> > 
> 
> Yes, it is there: -rw-r--r--  1 root  wheel  1326 Jun 24 10:12 
> /etc/iked/ca/ca.crt 
> 
> 

But when I start iked using "-dvv" and the client tries to connect, I see the 
following error:

sa_stateflags: 0x0024 -> 0x0024 certreq,sa (required 0x )
config_free_proposals: free 0x177c81779900
config_free_proposals: free 0x177c81773080
config_free_proposals: free 0x177c81773400
config_free_proposals: free 0x177c81773580
ca_getreq: found CA /C=ES/ST=Barcelona/
ca_getreq: no valid local certificate found
ca_setauth: auth length 256
ikev2_getimsgdata: imsg 20 rspi 0xf4b5f385469a92a5 ispi 0xd7906e9f68bda52b 
initiator 0 sa valid type 0 data length 0
ikev2_dispatch_cert: cert type NONE length 0, ignored
ikev2_getimsgdata: imsg 25 rspi 0xf4b5f385469a92a5 ispi 0xd7906e9f68bda52b 
initiator 0 sa valid type 1 data length 256
ikev2_dispatch_cert: AUTH type 1 len 256
sa_stateflags: 0x0024 -> 0x002c certreq,auth,sa (required 0x )


But the CA cert is loaded:

ikev2 "ipseccli" passive esp inet from 0.0.0.0/0 to 0.0.0.0/0 local 0.0.0.0/0 
peer 0.0.0.0/0 ikesa enc aes-256,aes-192,aes-128,3des prf 
hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group 
modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth 
hmac-sha2-256,hmac-sha1 lifetime 10800 bytes 536870912 signature
/etc/iked.conf: loaded 2 configuration rules
ca_privkey_serialize: type RSA_KEY length 1191
ca_pubkey_serialize: type RSA_KEY length 270
config_new_user: inserting new user testusr
ca_privkey_to_method: type RSA_KEY method RSA_SIG
config_getpolicy: received policy
ca_getkey: received private key type RSA_KEY length 1191
config_getpfkey: received pfkey fd 3
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 6
config_getsocket: received socket fd 7
config_getmobike: mobike
ca_getkey: received public key type RSA_KEY length 270
ca_dispatch_parent: config reset
ca_reload: loaded ca file ca.crt
ca_reload: /C=ES/ST=Barcelona/
ca_reload: loaded 1 ca certificate
ca_reload: local cert type X509_CERT
config_getocsp: ocsp_url none
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20

 But I am thinking that maybe there are some problems:

 - First, I am using strongswan for Android as a client, do I need to use some 
specific crypto algorithms on the iked side?
 - Second, is it maybe the best option to use EAP user auth instead of certificates?
 - I am using ECDSA certs, any problem with that?

Thanks

-- 
Greetings,
C. L. Martinez



Re: Where to put certificates for IKEv2?

2018-06-24 Thread C. L. Martinez
On Sun, Jun 24, 2018 at 08:43:32AM +, Stuart Henderson wrote:
> On 2018-06-23, C. L. Martinez  wrote:
> > Hi all,
> >
> >  I am using Easy-RSA to manage my home's CA (using elliptic curve 
> > certificates). I have created a certificate for my OpenBSD gw for IKEv2 
> > connections (using strongswan mainly). My question is where do I need to 
> > put OpenBSD certs under /etc/iked?
> >
> >  I have installed myhost.crt in /etc/iked/pubkeys/fqdn/myhost.crt and 
> > myhost.key in /etc/iked/private/myhost.key, but running "iked -dvv" returns 
> > me the following error:
> 
> The CA cert needs to go in /etc/iked/ca, do you have that?
> 
> 

Yes, it is there: -rw-r--r--  1 root  wheel  1326 Jun 24 10:12 
/etc/iked/ca/ca.crt 


-- 
Greetings,
C. L. Martinez



Where to put certificates for IKEv2?

2018-06-23 Thread C. L. Martinez
Hi all,

 I am using Easy-RSA to manage my home's CA (using elliptic curve 
certificates). I have created a certificate for my OpenBSD gw for IKEv2 
connections (using strongswan mainly). My question is where do I need to put 
OpenBSD certs under /etc/iked?

 I have installed myhost.crt in /etc/iked/pubkeys/fqdn/myhost.crt and 
myhost.key in /etc/iked/private/myhost.key, but running "iked -dvv" returns me 
the following error:

ikev2_msg_auth: initiator auth data length 960
ikev2_msg_authverify: method SIG keylen 962 type X509_CERT
_dsa_verify_init: signature scheme 4 selected
ikev2_msg_authverify: authentication successful
sa_state: AUTH_REQUEST -> AUTH_SUCCESS
sa_stateflags: 0x0024 -> 0x0034 certreq,authvalid,sa (required 0x003b 
cert,certvalid,auth,authvalid,sa)
ikev2_sa_negotiate: score 0
ikev2_sa_negotiate: score 10
ikev2_sa_negotiate: score 0
ikev2_sa_negotiate: score 4
sa_stateflags: 0x0034 -> 0x0034 certreq,authvalid,sa (required 0x003b 
cert,certvalid,auth,authvalid,sa)
sa_stateok: VALID flags 0x0030, require 0x003b cert,certvalid,auth,authvalid,sa
sa_state: cannot switch: AUTH_SUCCESS -> VALID
config_free_proposals: free 0xb9bb7e8a80
config_free_proposals: free 0xb9bb7e8700
config_free_proposals: free 0xb965e22400
config_free_proposals: free 0xba238e1e80
ca_getreq: found CA /C=ES/ST=Barcelona..
ca_getreq: no valid local certificate found
ca_setauth: auth length 256
ca_validate_pubkey: unsupported public key type ASN1_DN
ca_validate_cert: /C=ES/... ok

 Do I need to install user certificates also in the OpenBSD gw?

thanks
-- 
Greetings,
C. L. Martinez
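The thread above turns on where iked looks for each piece of the certificate setup. iked(8) documents the layout: trusted CA certificates in /etc/iked/ca/, the gateway's own X.509 certificate in /etc/iked/certs/, its private key in /etc/iked/private/local.key, and /etc/iked/pubkeys/ for peers' raw public keys rather than for the local certificate. IKEv2 peers also name the CAs they trust by hash in the CERTREQ payload, so the CA that issued the gateway certificate has to be the one the client has been given. The script below is an added example, not iked's code and not from the thread: it checks a directory laid out like /etc/iked for those files, then uses openssl to confirm that the certificate in certs/ matches local.key and chains to a CA in ca/. The fixture that builds a throwaway EC CA and gateway certificate is constructed for the example; the function names and the gw.example.org name are assumptions.

```shell
#!/bin/sh
# Added example, not iked's code and not from the thread. Checks a directory
# laid out like /etc/iked (ca/ for trusted CA certificates, certs/ for the
# local X.509 certificate, private/local.key for the local key, pubkeys/ for
# peers' raw public keys, as iked(8) documents) and then verifies with openssl
# that the local certificate matches the key and chains to a CA in ca/.
# Function names and the gw.example.org name are assumptions.

# iked_layout_check DIR FQDN: report the files a certificate-based responder
# needs; prints one line per problem and returns 1 if anything is off.
iked_layout_check() {
  dir=$1; fqdn=$2; rc=0
  [ -n "$(ls -A "$dir/ca" 2>/dev/null)" ] || { echo "no CA certificate in $dir/ca/"; rc=1; }
  [ -n "$(ls -A "$dir/certs" 2>/dev/null)" ] || { echo "no local certificate in $dir/certs/"; rc=1; }
  [ -f "$dir/private/local.key" ] || { echo "private key missing: $dir/private/local.key"; rc=1; }
  # The layout the thread started with: the gateway's own certificate filed
  # under pubkeys/, which iked reads as peer public keys, not as its identity.
  if [ -f "$dir/pubkeys/fqdn/$fqdn.crt" ]; then
    echo "warning: $fqdn.crt sits under pubkeys/fqdn/; the local certificate belongs in certs/"; rc=1
  fi
  return $rc
}

# PEM public key of a private key file / of a certificate, for comparison.
pubkey_of_key()  { openssl pkey -in "$1" -pubout 2>/dev/null; }
pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# iked_local_cert DIR: the certificate in DIR/certs whose public key matches
# DIR/private/local.key (the pairing iked needs to present a CERT payload).
iked_local_cert() {
  dir=$1
  want=$(pubkey_of_key "$dir/private/local.key") || return 1
  for c in "$dir"/certs/*; do
    [ -f "$c" ] || continue
    if [ "$(pubkey_of_cert "$c")" = "$want" ]; then printf '%s\n' "$c"; return 0; fi
  done
  return 1
}

# iked_chain_check DIR: verify that certificate against each CA in DIR/ca.
# The peer's CERTREQ names CAs by hash, so the CA here must be the one the
# client trusts, or iked has no usable local certificate to offer.
iked_chain_check() {
  dir=$1
  cert=$(iked_local_cert "$dir") || { echo "no certificate in $dir/certs matches private/local.key"; return 1; }
  for ca in "$dir"/ca/*; do
    [ -f "$ca" ] || continue
    if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
      echo "ok: $cert verifies against $ca"; return 0
    fi
  done
  echo "$cert does not verify against any CA in $dir/ca/"
  return 1
}

# make_fixture DIR FQDN: constructed test data, a throwaway EC (prime256v1)
# CA and a gateway certificate it issued, laid out the way iked expects.
make_fixture() {
  dir=$1; fqdn=$2
  mkdir -p "$dir/ca" "$dir/certs" "$dir/private" "$dir/pubkeys/fqdn"
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" -subj "/CN=Example Home CA" -days 1 >/dev/null 2>&1
  openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$dir/private/local.key" -out "$dir/gw.csr" -subj "/CN=$fqdn" >/dev/null 2>&1
  openssl x509 -req -in "$dir/gw.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -out "$dir/certs/$fqdn.crt" -days 1 >/dev/null 2>&1
  cp "$dir/ca.crt" "$dir/ca/ca.crt"
}
```

On a real gateway the two checks are `iked_layout_check /etc/iked myhost.example.org` and `iked_chain_check /etc/iked` (run as root, since private/ is not world-readable); both print what is wrong and return non-zero, so they can sit in a pre-flight check before restarting iked.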



Re: Errors with Php and curl under OpenBSD 6.3

2018-04-24 Thread C. L. Martinez
Works!! ... Many thanks Manolis.

On Tue, Apr 24, 2018 at 9:10 AM, Manolis Tzanidakis <mtzanida...@gmail.com>
wrote:

> Oops, forgot a sub-directory. Try this, instead:
>
> # mkdir -p /var/www/etc/ssl; cp /etc/ssl/cert.pem /var/www/etc/ssl
>
> On Tue (24/04/18), Manolis Tzanidakis wrote:
> > Hello,
> > try copying cert.pem to the www chroot:
> >
> > # mkdir -p /var/www/etc; cp /etc/ssl/cert.pem /var/www/etc/ssl
> >
> > and restart php-fpm.
> >
> > On Tue (24/04/18), C. L. Martinez wrote:
> > > Hi all,
> > >
> > >   Since this morning my OpenBSD 6.3 host (with tt-rss installed)
> > > returns the following error when I try to add some feeds:
> > >
> > > Couldn't download the specified URL: ; 77 error setting certificate
> > > verify locations: CAfile: /etc/ssl/cert.pem CApath: none
> > >
> > >  It seems some type of problem with curl ... Am I right? I found some
> > > solutions but all of them involve using an insecure connection
> > > with curl.
> > >
> > >  Any idea?
> > >
> > > Thanks.
>
>


Errors with Php and curl under OpenBSD 6.3

2018-04-24 Thread C. L. Martinez
Hi all,

  Since this morning my OpenBSD 6.3 host (with tt-rss installed) returns
the following error when I try to add some feeds:

Couldn't download the specified URL: ; 77 error setting certificate verify
locations: CAfile: /etc/ssl/cert.pem CApath: none

 It seems some type of problem with curl ... Am I right? I found some
solutions but all of them involve using an insecure connection
with curl.

 Any idea?

Thanks.


Re: OpenBSD blocks IPsec traffic

2018-04-18 Thread C. L. Martinez
Thanks Marko, but I have found the problem.

These rules are under an anchor's sub-group rules ... Moving these rules to the top,
after "block log all", all is working ...

Maybe it is a bug with anchor rules?

On Wed, Apr 18, 2018 at 3:16 PM, Marko Cupać <marko.cu...@mimar.rs> wrote:

> On Wed, 18 Apr 2018 15:01:24 +0200
> "C. L. Martinez" <carlopm...@gmail.com> wrote:
>
> > Hi all,
> >
> >  I am trying to configure an ipsec tunnel (host-to-host) between two
> > hosts that go through an openbsd firewall. Tunnel is established, but
> > when I try to, for example, connect via ssh from one host to the
> > other, pf blocks traffic:
> >
> > Apr 18 12:53:00.286351 rule 24/(match) [uid 0, pid 19127] block out on
> > vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 1 len 100 (DF)
> > [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
> > Apr 18 12:53:02.292330 rule 24/(match) [uid 0, pid 19127] block out on
> > vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 2 len 100 (DF)
> > [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
> > Apr 18 12:53:06.300396 rule 24/(match) [uid 0, pid 19127] block out on
> > vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 3 len 100 (DF)
> > [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
> > Apr 18 12:53:14.324382 rule 24/(match) [uid 0, pid 19127] block out on
> > vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 4 len 100 (DF)
> > [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
> > Apr 18 12:53:30.356437 rule 24/(match) [uid 0, pid 19127] block out on
> > vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 5 len 100 (DF)
> > [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
> >
> >  To do some tests, I have configured the following rules:
> >
> > pass in inet from 172.22.55.2 to 172.22.59.6 flags S/SA keep state
> > (if-bound)
> > pass in inet from 172.22.59.6 to 172.22.55.2 flags S/SA keep state
> > (if-bound)
> >
> > Any idea?
>
> Hard to say without complete ruleset, but from what I see here, your
> rule 24 blocks outbound esp from 172.22.59.6 to 172.22.55.2 on vio0,
> while no other rule after that (or one before that with 'quick'
> keyword) permits it.
>
> Check the exact line with pfctl -vvsr. Add either a default 'pass out'
> somewhere below (I prefer it at the end of my ruleset, as I have so far
> never blocked out stuff I already passed in), or pass out exact traffic
> you need, eg:
>
> pass out on vio0 proto esp from 172.22.59.6 to 172.22.55.2
>
> Hope this helps,
>
> --
> Before enlightenment - chop wood, draw water.
> After  enlightenment - chop wood, draw water.
>
> Marko Cupać
> https://www.mimar.rs/
>


OpenBSD blocks IPsec traffic

2018-04-18 Thread C. L. Martinez
Hi all,

 I am trying to configure an ipsec tunnel (host-to-host) between two hosts
that go through an openbsd firewall. Tunnel is established, but when I try
to, for example, connect via ssh from one host to the other, pf blocks
traffic:

Apr 18 12:53:00.286351 rule 24/(match) [uid 0, pid 19127] block out on
vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 1 len 100 (DF) [tos
0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
Apr 18 12:53:02.292330 rule 24/(match) [uid 0, pid 19127] block out on
vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 2 len 100 (DF) [tos
0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
Apr 18 12:53:06.300396 rule 24/(match) [uid 0, pid 19127] block out on
vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 3 len 100 (DF) [tos
0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
Apr 18 12:53:14.324382 rule 24/(match) [uid 0, pid 19127] block out on
vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 4 len 100 (DF) [tos
0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
Apr 18 12:53:30.356437 rule 24/(match) [uid 0, pid 19127] block out on
vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 5 len 100 (DF) [tos
0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)

 To do some tests, I have configured the following rules:

pass in inet from 172.22.55.2 to 172.22.59.6 flags S/SA keep state
(if-bound)
pass in inet from 172.22.59.6 to 172.22.55.2 flags S/SA keep state
(if-bound)

Any idea?
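Marko's advice in the reply is to read the rule number off the pflog line and look it up with pfctl -vvsr; when the rule lives inside an anchor, as it turned out to here, `pfctl -a <anchor> -vvsr` shows that anchor's own numbering. As an added example that is not part of the thread, the script below condenses tcpdump-on-pflog output into one line per flow with rule number, action, direction and packet count, so a burst like the five esp packets above reads as a single blocked flow. Three of the sample lines are taken from the post; the fourth, a pass line for the return direction, is constructed, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: summarise pflog lines (as printed by
# tcpdump on pflog0 for "block log" rules) per blocked or passed flow, so the
# rule number to look up with "pfctl -vvsr" stands out. Function names are
# assumptions.

# Three lines taken from the post, plus one constructed "pass in" line for
# the reverse direction so that grouping by flow is visible.
sample_pflog() {
cat <<'EOF'
Apr 18 12:53:00.286351 rule 24/(match) [uid 0, pid 19127] block out on vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 1 len 100 (DF) [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
Apr 18 12:53:02.292330 rule 24/(match) [uid 0, pid 19127] block out on vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 2 len 100 (DF) [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
Apr 18 12:53:06.300396 rule 24/(match) [uid 0, pid 19127] block out on vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 3 len 100 (DF) [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
Apr 18 12:53:00.290000 rule 12/(match) [uid 0, pid 19127] pass in on vio0: esp 172.22.55.2 > 172.22.59.6 spi 0x0a1b2c3d seq 1 len 100 (DF) [tos 0x10] (ttl 63, id 0, len 120)
EOF
}

# pflog_summary: read pflog lines on stdin and print one line per flow:
#   rule action direction interface protocol source destination count
# Protocols that tcpdump prints as a word before the addresses (esp, ah,
# icmp) are named; tcp/udp lines carry ports and no protocol word, so they
# are reported as "ip" with the port-qualified addresses.
pflog_summary() {
  awk '
    {
      rule = ""; act = ""; dir = ""; ifc = ""; proto = "ip"; src = ""; dst = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "rule") { split($(i + 1), r, "/"); rule = r[1] }
        else if ($i == "block" || $i == "pass") { act = $i; dir = $(i + 1) }
        else if ($i == "on") {
          ifc = $(i + 1); sub(/:$/, "", ifc)
          j = i + 2
          if ($(j + 1) != ">") { proto = $j; j++ }   # a protocol word precedes src
          src = $j; dst = $(j + 2); sub(/:$/, "", dst)
          break
        }
      }
      if (rule != "") count[rule " " act " " dir " " ifc " " proto " " src " " dst]++
    }
    END { for (k in count) print k, count[k] }
  ' | sort
}
```

Live use is `tcpdump -n -e -ttt -i pflog0 | pflog_summary` on a terminal, or the same over a saved `/var/log/pflog` with `tcpdump -n -e -ttt -r`. Grouping on rule, source and destination is what makes the asymmetry visible: here rule 24 only blocks esp in one direction, which is why the fix is a matching pass out rule for that flow rather than a broader pass.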


Migrating nginx config to OpenBSD's httpd

2018-04-13 Thread C. L. Martinez
Hi all,

 I am trying to migrate an nginx configuration to OpenBSD's httpd. All is
working ok, except for some reverse proxy config that I use with nginx,
like for example:

server {
listen 80;
server_name internal.w01.domain.org;

location / {
proxy_pass http://192.168.30.4;
}
}

 I don't see which option to use in httpd.conf, or is it the best
option to use relayd.conf for this type of config?

Thanks.


Re: Testing IKEv2 with Android devices

2017-11-29 Thread C. L. Martinez
On Wed, Nov 29, 2017 at 9:33 AM, Stuart Henderson <s...@spacehopper.org> wrote:
> On 2017-11-26, C. L. Martinez <carlopm...@gmail.com> wrote:
>>
>> Ok, it seems the problem is that iked(8) does not know how to perform 
>> Diffie-Hellman group negotiation:
>>
>> https://marc.info/?l=openbsd-tech=151136800328145=2
>>
>>  Am I correct? What is the current status for Tim's fix?
>
> patrick@ has been following this rabbit hole, try his latest diff.
>

Thanks Stuart. Are you referring to this one:
https://marc.info/?l=openbsd-tech=151187345915827=2?



Re: Testing IKEv2 with Android devices

2017-11-26 Thread C. L. Martinez
On Sun, Nov 26, 2017 at 09:02:46PM +0100, C. L. Martinez wrote:
> Hi all,
> 
>  I am testing IKEv2 for Android roadwarriors clients ... I have done a very 
> basic config:
> 
> ikev2 "roadwarriors" passive esp \
> from 0.0.0.0/0 to 172.22.55.0/27 \
> peer any \
> config name-server 172.22.55.1 \
> psk "stargazer"
> 
>  Launching "iked -dvv" returns me:
> 
> ikev2_recv: IKE_SA_INIT request from initiator 172.17.35.20:500 to 
> 172.17.35.9:500 policy 'roadwarriors' id 0, 652 bytes
> ikev2_recv: ispi 0xe525d6e2b940fdb1 rspi 0x
> ikev2_policy2id: srcid FQDN/lowlands.lab.uxdom.org length 26
> ikev2_pld_parse: header ispi 0xe525d6e2b940fdb1 rspi 0x 
> nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 
> 652 response 0
> ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 244
> ikev2_pld_sa: more than one proposal specified
> ikev2_pld_sa: more 2 reserved 0 length 136 proposal #1 protoid IKE spisize 0 
> xforms 15 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_512_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_384_192
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_512
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id 
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1536
> ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
> ikev2_pld_ke: dh group  reserved 0
> ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
> ikev2_nat_detection: peer source 0xe525d6e2b940fdb1 0x 
> 172.17.35.20:500
> ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT, enabling UDP 
> encapsulation
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
> ikev2_nat_detection: peer destination 0xe525d6e2b940fdb1 0x 
> 172.17.35.9:500
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 16
> ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
> ikev2_pld_notify: signature hash SHA1 (1)
> ikev2_pld_notify: signature hash SHA2_256 (2)
> ikev2_pld_notify: signature hash SHA2_384 (3)
> ikev2_pld_notify: signature hash SHA2_512 (4)
> ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 8
> ikev2_pld_notify: protoid NONE spisize 0 type REDIRECT_SUPPORTED
> sa_state: INIT -> SA_INIT
> ikev2_sa_negotiate: score 4
> sa_stateok: SA_INIT flags 0x, require 0x 
> sa_stateflags: 0x -> 0x0020 sa (required 0x )
> ikev2_sa_keys: SKEYSEED with 32 bytes
> ikev2_sa_keys: S with 80 bytes
> ikev2_prfplus: T1 with 32 bytes
> ikev2_prfplus: T2 with 32 bytes
> ikev2_prfplus: T3 with 32 bytes
> ikev2_prfplus: T4 with 32 bytes
> ikev2_prfplus: T5 with 32 bytes
> ikev2_prfplus: T6 with 32 bytes
> ikev2_prfplus: T7 with 32 bytes
> ikev2_prfplus: Tn with 224 bytes
> ikev2_sa_keys: SK_d with 32 bytes
> ikev2_sa_keys: SK_ai with 32 bytes
> ikev2_sa_keys: SK_ar with 32 bytes
> ikev2_sa_keys: SK_ei with 32 bytes
> ikev2_sa_keys: SK_er with 32 bytes
> ikev2_sa_keys: SK_pi with 32 bytes
> ikev2_sa_keys: SK_pr with 32 bytes
> ikev2_add_proposals: length 44
> ikev2_next_payload: length 48 nextpayload KE
> ikev2_next_payload: length 264 nextpayload NONCE
> ikev2_next_payload: length 36 nextpayload NOTIFY
> ikev2_nat_detection: local source 0xe525d6e2b940fdb1 0xc417a42f151005cb 
> 172.17.35.9:500
> ikev2_next_payload: length 28 nextpayload NOTIFY
> ikev2_nat_detection: local destination 0xe525d6e2b940fdb1 0xc417a42f151005cb 
> 172.17.35.20:500
> ikev2_ne

Testing IKEv2 with Android devices

2017-11-26 Thread C. L. Martinez
 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_pld_payloads: payload CERTREQ nextpayload NOTIFY critical 0x00 length 5
ikev2_pld_certreq: type RSA_KEY length 0
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
ikev2_msg_send: IKE_SA_INIT response from 172.17.35.9:500 to 172.17.35.20:500 
msgid 0, 451 bytes
config_free_proposals: free 0x1ccfc4952580

 According to this:

sa_state: INIT -> SA_INIT
ikev2_sa_negotiate: score 4
sa_stateok: SA_INIT flags 0x, require 0x
sa_stateflags: 0x -> 0x0020 sa (required 0x )

 Phase 1 is established, correct? But I am not sure because the last message is:

ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
ikev2_msg_send: IKE_SA_INIT response from 172.17.35.9:500 to 172.17.35.20:500 
msgid 0, 451 bytes
config_free_proposals: free 0x1ccfc4952580

 The Android device is a Samsung Galaxy Edge S7 (Android 7.0) and OpenBSD is 6.2 
with all patches ... What am I doing wrong?

Thanks.

-- 
Greetings,
C. L. Martinez



Re: Problems configuring ifstated with dhcp interfaces /etc/ifstated.conf:4: macro '2' not defined (SOLVED)

2017-11-10 Thread C. L. Martinez
On Fri, Nov 10, 2017 at 07:28:19PM +, C. L. Martinez wrote:
> Hi all,
> 
>  I need to configure ifstated for two public interfaces and one of them is a 
> dhcp interface. To accomplish this I have configured the following macro in 
> ifstated.conf's file:
> 
> wired_gate_test = '( "ping -q -c1 -w1 -I `awk '/fixed-address/ { print $2 }' 
> /var/db/dhclient.leases.em1 | sed -e 's/;//'` `awk '/routers/ { print $3 }' 
> /var/db/dhclient.leases.em1 | sed -e 's/;//'` > /dev/null" every 30 )'
> 
>  But it returns the following error:
> 
> wired_linkup = "em1.link.up"
> wireless_linkup = "em2.link.up"
> /etc/ifstated.conf:4: syntax error
> /etc/ifstated.conf:4: macro '2' not defined
> /etc/ifstated.conf:34: macro 'wired_gate_test' not defined
> /etc/ifstated.conf:34: syntax error
> ifstated: invalid start state wired
> 
>  From command line, ping command works ... What am I doing wrong?
> 
> Thanks.
> 
Oops .. I have found the problem ... I need to escape awk's quotes, like awk \'/fixed... Sorry 
for the noise ...

-- 
Greetings,
C. L. Martinez



Problems configuring ifstated with dhcp interfaces /etc/ifstated.conf:4: macro '2' not defined

2017-11-10 Thread C. L. Martinez
Hi all,

 I need to configure ifstated for two public interfaces and one of them is a 
dhcp interface. To accomplish this I have configured the following macro in 
ifstated.conf's file:

wired_gate_test = '( "ping -q -c1 -w1 -I `awk '/fixed-address/ { print $2 }' 
/var/db/dhclient.leases.em1 | sed -e 's/;//'` `awk '/routers/ { print $3 }' 
/var/db/dhclient.leases.em1 | sed -e 's/;//'` > /dev/null" every 30 )'

 But it returns the following error:

wired_linkup = "em1.link.up"
wireless_linkup = "em2.link.up"
/etc/ifstated.conf:4: syntax error
/etc/ifstated.conf:4: macro '2' not defined
/etc/ifstated.conf:34: macro 'wired_gate_test' not defined
/etc/ifstated.conf:34: syntax error
ifstated: invalid start state wired

 From command line, ping command works ... What am I doing wrong?

Thanks.

-- 
Greetings,
C. L. Martinez
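The macro failed because the single quotes around awk's program closed the single-quoted macro value early, so ifstated's parser saw `$2` as a reference to a macro named `2`; the follow-up's fix was to escape those quotes. An added example, not from the thread and not ifstated's or OpenBSD's code: keep the lease parsing in a small script of its own so that the macro only has to quote one plain command, which sidesteps the nested quoting entirely. The sample dhclient.leases content is constructed, and the gate-test.sh name, the function names and the addresses are assumptions. Unlike the original pipeline, which prints every matching line when the leases file holds more than one lease block, this version uses the last match, i.e. the most recent lease.

```shell
#!/bin/sh
# Added example, not from the thread. Parse dhclient.leases(5) for the address
# and router of the most recent lease and run the gateway test, so that an
# ifstated.conf macro can stay as simple as
#   wired_gate_test = '( "/usr/local/sbin/gate-test.sh em1" every 30 )'
# Script name, function names and sample values are assumptions.

# lease_field FILE KEYWORD N: print field N of the last line in FILE whose
# first or second word is KEYWORD (dhclient appends the newest lease last),
# with the trailing ';' removed.
lease_field() {
  awk -v key="$2" -v n="$3" '$1 == key || $2 == key { v = $n } END { print v }' "$1" \
    | sed -e 's/;//'
}
lease_address() { lease_field "$1" fixed-address 2; }   # "fixed-address A.B.C.D;"
lease_router()  { lease_field "$1" routers 3; }         # "option routers A.B.C.D;"

# gate_test_cmd FILE: the ping command line the original macro tried to build.
gate_test_cmd() {
  printf 'ping -q -c1 -w1 -I %s %s > /dev/null\n' "$(lease_address "$1")" "$(lease_router "$1")"
}

# gate_test IFACE: what ifstated gets when it runs the script; exit status is
# the ping result, which is all ifstated needs from an external test.
gate_test() {
  f=/var/db/dhclient.leases.$1
  ping -q -c1 -w1 -I "$(lease_address "$f")" "$(lease_router "$f")" >/dev/null 2>&1
}

# Constructed dhclient.leases sample with two leases; the second is current.
sample_leases() {
cat <<'EOF'
lease {
  interface "em1";
  fixed-address 192.0.2.10;
  option subnet-mask 255.255.255.0;
  option routers 192.0.2.1;
  option domain-name-servers 192.0.2.53;
  renew 1 2017/11/10 10:00:00 UTC;
}
lease {
  interface "em1";
  fixed-address 192.0.2.20;
  option subnet-mask 255.255.255.0;
  option routers 192.0.2.254;
  option domain-name-servers 192.0.2.53;
  renew 1 2017/11/13 10:00:00 UTC;
}
EOF
}

# When installed as a script, ifstated runs it with the interface name.
case ${1:-} in
  ?*) gate_test "$1" ;;
esac
```

Keeping the logic in a script also means the interface name is the only thing that changes between the wired and wireless tests, and the script can be run by hand with the same arguments ifstated uses when the state machine misbehaves.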



Re: Debugging a php's script startup

2017-11-08 Thread C. L. Martinez
On Wed, Nov 08, 2017 at 08:43:55PM +0100, Martijn van Duren wrote:
> Hello C.,
> 
> Can you start up the daemon process from the CLI (without the rc
> script)? If not and it still has the same error message as below (which
> I reckon it will) you might want to change your mysqli.default_socket =
> in your /etc/php-7.0.ini.
> Do note however that this will also affect php-fpm and mod_php which run
> chrooted by default (hence the weird path), so if you need those installs
> unaffected try to create a custom ini-file and specify it with -c as a
> php-argument.
> 
> Also note that php is not designed to write daemons in and should only
> be done if there are no other options. The rc-script won't restart your
> daemon automatically if it crashes.
> 
> Hope this helps.
> 
> martijn@
> 
> > 

Wow!! ... Many many thanks Martijn. I have added "-c" switch to daemon_args and 
created another .ini file for this "daemon", and it works. Here it is:

#!/bin/sh -x
#

daemon="/usr/local/bin/php-7.0"
daemon_flags="-c /etc/tt-rss/php-7.0.ini /var/www/htdocs/rss/update_daemon2.php 
--log /tmp/update_rss.log"
daemon_user="www"

. /etc/rc.d/rc.subr

pexp="${daemon}${daemon_flags:+ ${daemon_flags}}"

rc_bg=YES
rc_reload=NO

rc_post() {
rm -f /var/www/htdocs/rss/lock/update_daemon.lock
}

rc_cmd $1

 Inside the .ini I have configured the mysqli.default_socket option:

mysqli.default_socket = /var/www/var/run/mysql/mysql.sock

-- 
Greetings,
C. L. Martinez



Debugging a php's script startup

2017-11-08 Thread C. L. Martinez
Hi all,

 I am trying to setup a startup file for TT-Rss (installed under OpenBSD 6.2 
host, fully patched). This is the script:

#!/bin/sh -x
#

daemon="/usr/local/bin/php-7.0"
daemon_flags="/var/www/htdocs/rss/update_daemon2.php --log /tmp/update_rss.log"
daemon_user="www"

. /etc/rc.d/rc.subr

pexp="${MODPHP_BIN} ${daemon}${daemon_flags:+ ${daemon_flags}}"

rc_bg=YES
rc_reload=NO

rc_post() {
rm -f /var/www/htdocs/rss/lock/update_daemon.lock
}

rc_cmd $1

 And when I try to start it, this is the output:

root@rssweb:/etc/rc.d# ./tt_rss start
+ daemon=/usr/local/bin/php-7.0
+ daemon_flags=/var/www/htdocs/rss/update_daemon2.php --log /tmp/update_rss.log
+ daemon_user=www
+ . /etc/rc.d/rc.subr
+ _rc_actions=start stop restart reload check
+ readonly _rc_actions
+ [ -n  ]
+ basename ./tt_rss
+ _name=tt_rss
+ _rc_check_name tt_rss
+ [ -n /usr/local/bin/php-7.0 ]
+ unset _RC_DEBUG _RC_FORCE
+ getopts df c
+ shift 0
+ _RC_RUNDIR=/var/run/rc.d
+ _RC_RUNFILE=/var/run/rc.d/tt_rss
+ _rc_do _rc_parse_conf
+ eval _rcflags=${tt_rss_flags}
+ _rcflags=
+ eval _rcrtable=${tt_rss_rtable}
+ _rcrtable=
+ eval _rcuser=${tt_rss_user}
+ _rcuser=
+ eval _rctimeout=${tt_rss_timeout}
+ _rctimeout=
+ getcap -f /etc/login.conf tt_rss
+ > /dev/null 
+ 2>&1 
+ daemon_class=daemon
+ [ -z  ]
+ daemon_rtable=0
+ [ -z www ]
+ [ -z  ]
+ daemon_timeout=30
+ [ -n  -o start != start ]
+ [ -n  ]
+ [ -n  ]
+ [ -n  ]
+ [ -n  ]
+ [ -n  ]
+ readonly daemon_class
+ unset _rcflags _rcrtable _rcuser _rctimeout
+ pexp=/usr/local/bin/php-7.0 /var/www/htdocs/rss/update_daemon2.php --log 
/tmp/update_rss.log
+ rcexec=su -l -c daemon -s /bin/sh www -c
+ [ 0 -eq 0 ]
+ pexp= /usr/local/bin/php-7.0 /var/www/htdocs/rss/update_daemon2.php --log 
/tmp/update_rss.log
+ rc_bg=YES
+ rc_reload=NO
+ rc_cmd start
tt_rss(failed)

 pexp's option seems good ... I think the problem is with the 'www' user and with 
this command: "su -l -c daemon -s /bin/sh www -c". Launching it from the console 
returns an error:

root@rssweb:/etc/rc.d# su -l -c daemon -s /bin/sh www -c 
'/usr/local/bin/php-7.0 /var/www/htdocs/rss/update_daemon2.php --log 
/tmp/update_rss.log'
PHP Warning:  mysqli_connect(): (HY000/2002): Can't connect to local MySQL 
server through socket '/var/run/mysql/mysql.sock' (2 "No such file or 
directory") in /var/www/htdocs/rss/classes/db/mysqli.php on line 8
Unable to connect to database (as rss to localhost, database dbrss): Can't 
connect to local MySQL server through socket '/var/run/mysql/mysql.sock'

 mysql's socket is created under www's chroot, as the pkg-readme says: 
srwxrwxrwx  1 _mysql  _mysql  0 Nov  8 17:45 /var/www/var/run/mysql/mysql.sock

 If I am not wrong, then, how can I configure this startup script?

Thanks
-- 
Greetings,
C. L. Martinez
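Both chroot problems in these threads (curl's missing CA bundle under /var/www in the tt-rss/curl thread above, and the MySQL socket path here) come down to one thing: a process running chrooted under /var/www resolves absolute paths relative to the chroot, while the same path in a non-chrooted CLI run, like the update daemon started by this rc.d script, points at the host filesystem. That is why the daemon's ini needs /var/www/var/run/mysql/mysql.sock while chrooted php-fpm sees /var/run/mysql/mysql.sock, and why libcurl inside the chroot needs its own copy of cert.pem. The script below is an added example, not from the posts and not OpenBSD's code: it translates paths between the two views and checks that the files chrooted www processes need are in place. Function names are assumptions, and the copy helper takes the source bundle and chroot as parameters so it can be exercised on a scratch directory.

```shell
#!/bin/sh
# Added example (not from the thread): path translation and an audit for a
# chroot such as OpenBSD's /var/www. All function names are assumptions.

# host_path CHROOT PATH: how the host sees a path that a chrooted process
# calls PATH (e.g. /var/run/mysql/mysql.sock -> /var/www/var/run/mysql/mysql.sock).
host_path() { printf '%s%s\n' "${1%/}" "$2"; }

# chroot_path CHROOT HOSTPATH: how a chrooted process sees a host path, or
# failure when the host path lies outside the chroot and is unreachable there.
chroot_path() {
  root=${1%/}
  case $2 in
    "$root"/*) printf '%s\n' "${2#"$root"}" ;;
    *) echo "outside chroot: $2" >&2; return 1 ;;
  esac
}

# chroot_missing CHROOT PATH...: list every chroot-relative PATH that a
# chrooted process would fail to open; succeeds only when nothing is missing.
chroot_missing() {
  root=$1; shift; rc=0
  for p in "$@"; do
    if [ ! -e "$(host_path "$root" "$p")" ]; then
      printf '%s\n' "$p"; rc=1
    fi
  done
  return $rc
}

# install_cafile SRC CHROOT: copy the CA bundle to CHROOT/etc/ssl/cert.pem,
# the path libcurl looks for from inside the chroot, and confirm the copy is
# identical. Worth re-running after upgrades, since the bundle outside the
# chroot changes while the copy inside it does not.
install_cafile() {
  dst=$(host_path "$2" /etc/ssl/cert.pem)
  mkdir -p "$(dirname "$dst")" || return 1
  cp "$1" "$dst" || return 1
  cmp -s "$1" "$dst"
}
```

On the box from the threads the calls are `install_cafile /etc/ssl/cert.pem /var/www` and `chroot_missing /var/www /etc/ssl/cert.pem /var/run/mysql/mysql.sock`, and `host_path /var/www /var/run/mysql/mysql.sock` yields the socket path that belongs in the CLI daemon's ini file.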



About WPA2 compromised protocol

2017-10-16 Thread C. L. Martinez
Hi all,

 Regarding the WPA2 alert published today: https://www.krackattacks.com/,
if I use an IPSec tunnel with a shared key or certificate, or an OpenVPN
connection, to authenticate and protect client and hostAP comms, is
this vulnerability mitigated?

 Thanks.



Re: sysmerge is not needed when updating to 6.2?

2017-10-12 Thread C. L. Martinez
On Thu, Oct 12, 2017 at 11:45:24AM +0200, Theo Buehler wrote:
> > But I have only one question: Is sysmerge no longer needed for the
> > update process like in previous releases?
> 
> Since 6.0 the installer installs an rc.sysmerge that runs 'sysmerge -b'
> on first boot of the updated system.
> 

Perfect. 

Many thanks.

-- 
Greetings,
C. L. Martinez



sysmerge is not needed when updating to 6.2?

2017-10-12 Thread C. L. Martinez
Hi all,

 Today I have updated two OpenBSD 6.1 hosts to 6.2 after reading the FAQ and 
all works really well. Congratulations to all OpenBSD's developers for their 
hard work.

 But I have only one question: Is sysmerge no longer needed for the update 
process like in previous releases?

 Many thanks.

-- 
Greetings,
C. L. Martinez



Running OpenBSD 6.1 under vmware fusion

2017-09-09 Thread C. L. Martinez
Hi all,

 I have installed OpenBSD 6.1 under Vmware Fusion on a MacBook Pro 2017. All 
is running ok, except when I start the graphical environment (i3).

 a) Resolution: I have configured /etc/xorg.conf file several times trying to 
catch a good resolution (2560x1600), but Xorg goes to 1280x768 every time.

 b) Mouse speed is really slow slow slow ... How can I increase mouse speed? 

Mouse conf to increase speed (but it doesn't work):

Section "InputClass"
Identifier "My Mouse"
MatchIsPointer "yes"
Option "AccelerationNumerator" "2"
Option "AccelerationDenominator" "1"
Option "AccelerationThreshold" "4"
EndSection


Display conf:

Section "Monitor"
Identifier  "default monitor"
DisplaySize 311 170
EndSection

Section "Device"
Identifier  "default device"
Driver  "vmware"
EndSection

Section "Screen"
Identifier  "default screen"
Device  "default device"
Monitor "default monitor"
EndSection


 I have attached Xorg.log. Any help please?

Thanks
-- 
Greetings,
C. L. Martinez
[  4640.706] (--) checkDevMem: using aperture driver /dev/xf86
[  4640.888] (--) Using wscons driver on /dev/ttyC2
[  4640.891] 
X.Org X Server 1.18.4
Release Date: 2016-07-19
[  4640.892] X Protocol Version 11, Revision 0
[  4640.892] Build Operating System: OpenBSD 6.1 amd64 
[  4640.892] Current Operating System: OpenBSD stirling.lab.uxdom.org 6.1 
GENERIC#23 amd64
[  4640.892] Build Date: 01 April 2017  02:00:27PM
[  4640.892]  
[  4640.892] Current version of pixman: 0.34.0
[  4640.892]Before reporting problems, check http://wiki.x.org
to make sure that you have the latest version.
[  4640.892] Markers: (--) probed, (**) from config file, (==) default setting,
(++) from command line, (!!) notice, (II) informational,
(WW) warning, (EE) error, (NI) not implemented, (??) unknown.
[  4640.892] (==) Log file: "/var/log/Xorg.0.log", Time: Sat Sep  9 10:06:36 
2017
[  4640.892] (==) Using config file: "/etc/xorg.conf"
[  4640.892] (==) Using config directory: "/etc/X11/xorg.conf.d"
[  4640.892] (==) Using system config directory 
"/usr/X11R6/share/X11/xorg.conf.d"
[  4640.892] (==) No Layout section.  Using the first Screen section.
[  4640.892] (**) |-->Screen "default screen" (0)
[  4640.892] (**) |   |-->Monitor "default monitor"
[  4640.892] (**) |   |-->Device "default device"
[  4640.892] (**) |   |-->GPUDevice "default device"
[  4640.892] (==) Disabling SIGIO handlers for input devices
[  4640.892] (==) Automatically adding devices
[  4640.892] (==) Automatically enabling devices
[  4640.892] (==) Not automatically adding GPU devices
[  4640.892] (==) Max clients allowed: 256, resource mask: 0x1f
[  4640.892] (==) FontPath set to:
/usr/X11R6/lib/X11/fonts/misc/,
/usr/X11R6/lib/X11/fonts/TTF/,
/usr/X11R6/lib/X11/fonts/OTF/,
/usr/X11R6/lib/X11/fonts/Type1/,
/usr/X11R6/lib/X11/fonts/100dpi/,
/usr/X11R6/lib/X11/fonts/75dpi/
[  4640.892] (==) ModulePath set to "/usr/X11R6/lib/modules"
[  4640.892] (II) The server relies on wscons to provide the list of input 
devices.
If no devices become available, reconfigure wscons or disable 
AutoAddDevices.
[  4640.892] (II) Loader magic: 0xd7e0a733020
[  4640.892] (II) Module ABI versions:
[  4640.892]X.Org ANSI C Emulation: 0.4
[  4640.892]X.Org Video Driver: 20.0
[  4640.892]X.Org XInput driver : 22.1
[  4640.892]X.Org Server Extension : 9.0
[  4640.893] (--) PCI:*(0:0:15:0) 15ad:0405:15ad:0405 rev 0, Mem @ 
0xe800/134217728, 0xfe00/8388608, I/O @ 0x1070/16
[  4640.893] (II) LoadModule: "glx"
[  4640.893] (II) Loading /usr/X11R6/lib/modules/extensions/libglx.so
[  4640.894] (II) Module glx: vendor="X.Org Foundation"
[  4640.894]compiled for 1.18.4, module version = 1.0.0
[  4640.894]ABI class: X.Org Server Extension, version 9.0
[  4640.894] (==) AIGLX enabled
[  4640.894] (II) LoadModule: "vmware"
[  4640.895] (II) Loading /usr/X11R6/lib/modules/drivers/vmware_drv.so
[  4640.895] (II) Module vmware: vendor="X.Org Foundation"
[  4640.895]compiled for 1.18.4, module version = 13.1.0
[  4640.895]Module class: X.Org Video Driver
[  4640.895]ABI class: X.Org Video Driver, version 20.0
[  4640.895] (II) vmware: driver for VMware SVGA: vmware0405, vmware0710
[  4640.895] (II) vmware(0): Driver was compiled without KMS- and 3D support.
[  4640.895] (WW) vmware(0): Disabling 3D support.
[  4640.895] (WW) vmware(0): Disabling Render Acceleration.
[  4640.895] (WW) vmware(0): Disabling RandR12+ support.
[  46

Re: Problem with key bindings with mutt under OpenBSD 6.1

2017-09-02 Thread C. L. Martinez
On Sat, Sep 02, 2017 at 02:48:12PM +0200, Anton Lindqvist wrote:
> On Sat, Sep 02, 2017 at 11:01:14AM +0000, C. L. Martinez wrote:
> > Hi all,
> > 
> >  I have used mutt over several months under FreeBSD and RHEL/CentOS. I have 
> > migrated my desktop to OpenBSD 6.1 and I have a problem with mutt's package 
> > installed from official OpenBSD's repos (neomutt-20170306-gpgme-sasl).
> > 
> >  In my mutt's config file I have defined the following key bindings:
> > 
> > #
> > # Key bindings
> > #
> > bind index \CP sidebar-prev
> > bind index \CN sidebar-next
> > bind index \CO sidebar-open
> > 
> >  Problem is with "\CO". It doesn't work under OpenBSD but it works without 
> > problems under FreeBSD 11 or RHEL7/CentOS7. If I change "\CO" to "\CA" or 
> > "\CI" or "\CH", for example, it works without problems ... Is "\CO" defined 
> > by default under OpenBSD? How can I revert this behavior?
> 
> $ stty discard undef; mutt
> 

Perfect!! .. It is working.. Many thanks Anton.

-- 
Greetings,
C. L. Martinez
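Why Anton's one-liner works, shown as an added example and not as anything from the thread: on OpenBSD ^O is the tty's `discard` (flush output) special character, so with `iexten` set the terminal driver consumes it before mutt ever reads it, and `stty discard undef` releases it. The script below parses the `cchars:` section of `stty -a` to find which special character a key is bound to, then runs a program with that binding undefined and put back afterwards. `SAMPLE_STTY` is constructed to match the layout of OpenBSD's `stty -a` output; on a real terminal the wrapper reads the live output.

```shell
#!/bin/sh
# Added example, not from the thread. Find which tty special character
# a control key is bound to, then run a program with that binding
# released. SAMPLE_STTY is constructed to mirror OpenBSD's `stty -a`
# output; run_with_key_free uses `stty -a` on the current terminal.

SAMPLE_STTY='speed 38400 baud; 0 rows; 0 columns;
lflags: icanon isig iexten echo echoe -echok echoke -echonl echoctl
cchars: discard = ^O; dsusp = ^Y; eof = ^D; eol = <undef>;
        eol2 = <undef>; erase = ^?; intr = ^C; kill = ^U; lnext = ^V;
        min = 1; quit = ^\; reprint = ^R; start = ^Q; status = ^T;
        stop = ^S; susp = ^Z; time = 0; werase = ^W;'

# tty_binding STTY_OUTPUT KEY
# Prints the name of the special character KEY (e.g. '^O') is bound to,
# or nothing when KEY is free.
tty_binding() {
    printf '%s\n' "$1" |
        sed -n '/^cchars:/,$p' |                      # keep the cchars section
        tr ';' '\n' |                                 # one "name = value" per line
        sed 's/^[[:space:]]*cchars:[[:space:]]*//; s/^[[:space:]]*//' |
        awk -F ' = ' -v key="$2" '$2 == key { print $1; exit }'
}

# run_with_key_free KEY CMD [ARGS...]
# If KEY is a tty special character, undefine it while CMD runs and put
# it back afterwards, so a binding such as "bind index \CO ..." reaches
# the program instead of the terminal driver.
run_with_key_free() {
    key="$1"; shift
    name=$(tty_binding "$(stty -a)" "$key")
    if [ -z "$name" ]; then
        "$@"
        return $?
    fi
    stty "$name" undef
    "$@"; rc=$?
    stty "$name" "$key"
    return $rc
}

# Usage on a real terminal:  run_with_key_free '^O' mutt
```

Restoring the binding matters when the shell is shared: leaving `discard` undefined for the rest of the session changes how every later program on that tty behaves.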



Problem with key bindings with mutt under OpenBSD 6.1

2017-09-02 Thread C. L. Martinez
Hi all,

 I have used mutt over several months under FreeBSD and RHEL/CentOS. I have 
migrated my desktop to OpenBSD 6.1 and I have a problem with mutt's package 
installed from official OpenBSD's repos (neomutt-20170306-gpgme-sasl).

 In my mutt's config file I have defined the following key bindings:

#
# Key bindings
#
bind index \CP sidebar-prev
bind index \CN sidebar-next
bind index \CO sidebar-open

 Problem is with "\CO". It doesn't work under OpenBSD but it works without 
problems under FreeBSD 11 or RHEL7/CentOS7. If I change "\CO" to "\CA" or "\CI" 
or "\CH", for example, it works without problems ... Is "\CO" defined by 
default under OpenBSD? How can I revert this behavior?

Thanks.

-- 
Greetings,
C. L. Martinez



Re: After applying patches, kernel version is slower?

2017-05-04 Thread C. L. Martinez
On Thu, May 04, 2017 at 07:49:04AM +, Stuart Henderson wrote:
> On 2017-05-04, C. L. Martinez <carlopm...@gmail.com> wrote:
> > Hi all,
> >
> >  I have applied the recent patches for OpenBSD 6.1 in two hosts and I see a 
> > strange behavior. In a non-patched OpenBSD 6.1 host, uname -a returns:
> >
> > OpenBSD tnobsd02.mydom.org 6.1 GENERIC#19 amd64
> >
> >  .. and in an OpenBSD 6.1 host with patches applied:
> >
> > OpenBSD extobsd01.mydom.org 6.1 GENERIC#4 amd64
> >
> >  Any idea why??
> >
> 
> They're built on a different machine. (The number after GENERIC# shows
> how many builds were done in that directory since it was cleaned.)
> 
> Check the date in "sysctl kern.version".
> 

Ahh ... Ok, many thanks for the info Stuart.

-- 
Greetings,
C. L. Martinez



After applying patches, kernel version is slower?

2017-05-04 Thread C. L. Martinez
Hi all,

 I have applied the recent patches for OpenBSD 6.1 in two hosts and I see a 
strange behavior. In a non-patched OpenBSD 6.1 host, uname -a returns:

OpenBSD tnobsd02.mydom.org 6.1 GENERIC#19 amd64

 .. and in an OpenBSD 6.1 host with patches applied:

OpenBSD extobsd01.mydom.org 6.1 GENERIC#4 amd64

 Any idea why??

-- 
Greetings,
C. L. Martinez



Sysctl options to install IDS software

2017-04-20 Thread C. L. Martinez
Hi all,

 In the following days, I want to replace some Linux systems that act as 
IDS/IPS nodes with OpenBSD 6.1 (congratulations to all of the OpenBSD team. IMO, the 
best OpenBSD that I have used).

 These OpenBSD nodes will be installed with Suricata, Bro and Snort components. 
In the Linux and FreeBSD world, when you try to monitor 1GB/10GB networks 
(which is my case), some kernel variables need to be tweaked.

 For example, on Linux systems some of these options are:

net.core.rmem_max
net.core.wmem_max
net.core.rmem_default
net.core.wmem_default
net.core.optmem_max
net.ipv4.tcp_rmem
net.ipv4.tcp_wmem
net.ipv4.udp_mem

 In OpenBSD's old days, you could tweak some options like send and receive 
network buffers, etc. But in more recent OpenBSD releases most of these 
options are not available; from what I understand, some sort of "tuning" is 
already done by default in the GENERIC kernel.

 But I see some kernel options that might need to be modified to use IDS/IPS 
software. Some of them:

kern.somaxconn
net.inet.udp.recvspace
net.inet.udp.sendspace
net.bpf.maxbufsize (I am not sure about this option)


 On the other side, I don't want to break anything in this first stage :) ... I 
prefer to do some type of control first and apply these changes afterwards.

 Any recommendation? 

Many thanks.


-- 
Greetings,
C. L. Martinez
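A baseline-and-rollback helper for the "control first, then change" approach asked about above, added here as an example and not taken from the thread or from any of the IDS projects. It records the sysctls named in the post before tuning, reports what differs afterwards, and emits the commands that restore the old values. `net.bpf.bufsize` is included as an assumption alongside `net.bpf.maxbufsize`, since the latter only caps what a bpf consumer may request. The two captures are constructed values, not output from a 6.1 host.

```shell
#!/bin/sh
# Added example, not from the thread or from any IDS project. Keep a
# baseline of the sysctls under discussion, report what changed after
# tuning, and print the commands that restore the old values. The two
# captures below are constructed values, not output from a real host.

IDS_SYSCTLS='kern.somaxconn net.inet.udp.recvspace net.inet.udp.sendspace net.bpf.maxbufsize net.bpf.bufsize'

# Constructed "before" capture, in the name=value form sysctl(8) prints
BASELINE='kern.somaxconn=128
net.inet.udp.recvspace=41600
net.inet.udp.sendspace=9216
net.bpf.maxbufsize=2097152
net.bpf.bufsize=32768'

# Constructed "after" capture with two values raised
CURRENT='kern.somaxconn=1024
net.inet.udp.recvspace=41600
net.inet.udp.sendspace=9216
net.bpf.maxbufsize=4194304
net.bpf.bufsize=32768'

# capture_sysctls -> name=value for every monitored sysctl on the live
# host (save this to a file before touching anything)
capture_sysctls() {
    for s in $IDS_SYSCTLS; do
        sysctl -n "$s" 2>/dev/null | sed "s/^/$s=/"
    done
}

# sysctl_diff BEFORE AFTER -> one "name old new" line per value that
# differs between the two captures; nothing when they agree
sysctl_diff() {
    { printf '%s\n' "$1"; echo '--'; printf '%s\n' "$2"; } | awk -F= '
        /^--$/ { after = 1; next }
        !after { base[$1] = $2; next }
        ($1 in base) && base[$1] != $2 { printf "%s %s %s\n", $1, base[$1], $2 }'
}

# sysctl_rollback BEFORE AFTER -> sysctl(8) commands that undo every
# change reported by sysctl_diff
sysctl_rollback() {
    sysctl_diff "$1" "$2" | awk '{ printf "sysctl %s=%s\n", $1, $2 }'
}

# Typical use on the IDS host:
#   capture_sysctls > /root/sysctl.baseline                      (before tuning)
#   sysctl_diff "$(cat /root/sysctl.baseline)" "$(capture_sysctls)"
#   sysctl_rollback "$(cat /root/sysctl.baseline)" "$(capture_sysctls)" | sh
```

Persist a value in /etc/sysctl.conf only once the diff shows exactly the changes you intended; a line in the diff that you did not set means something else on the box is altering kernel state.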



Re: What does it mean this error when I try install a package?

2017-04-17 Thread C. L. Martinez
On Mon, Apr 17, 2017 at 01:39:22PM +0200, Christoph R. Murauer wrote:
> > Hi all,
> >
> >  After installing OpenBSD 6.1, I am trying to install some packages,
> > for example python-2.7. When I launch the following command:
> >
> > pkg_add -v python-2.7
> >
> >  ... returns the following errors:
> >
> >  http://ftp.openbsd.org/pub/OpenBSD/6.1/packages/amd64/: Read short
> > file.
> > http://ftp.openbsd.org/pub/OpenBSD/6.1/packages/amd64/python-2.7.tgz:
> > ftp: Error retrieving file: 404 Not Found
> > signify: gzheader truncated
> > Can't find python-2.7
> > Extracted 11548847 from 11550420
> >
> >  What do these errors mean? My PKG_PATH variable is
> > "PKG_PATH=http://ftp.openbsd.org/pub/OpenBSD/6.1/packages/amd64"
> 
> It means, that the package you try to install does not exist. Run
> 
> pkg_info -Q python
> 
> See FAQ https://www.openbsd.org/faq/faq15.html#PkgFind
> 
> you see something like (in my case it is already installed)
> 
> ...
> python-2.7.13p0 (installed)
> ...
> 
> You can also check the list of packages at
> http://ftp.openbsd.org/pub/OpenBSD/6.1/packages/amd64/index.txt
> 
> So, try
> 
> pkg_add -v python-2.7.13p0
> 
> or, check the -z switch of pkg_add (man pkg_add)
> 
> pkg_add -v -z python-2.7.13
> 

Yep, understood.

Many thanks.


-- 
Greetings,
C. L. Martinez
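How a bare spec such as `python-2.7` is matched against the names a mirror really serves, as an added example and not code from the thread or from pkg_add itself. The names in `PKG_LIST` are constructed to look like a 6.1 amd64 listing; on a real host feed `pkg_resolve` the output of `pkg_info -Q` or the mirror's index.txt. The errors quoted above are worth reading in this light: the 404 body was handed to signify, which rejected it as a truncated gzip header, so nothing unsigned was ever installed; resolving the full name first simply avoids the round trip.

```shell
#!/bin/sh
# Added example, not part of the thread. Reproduce locally how a short
# package spec is matched against real package names. PKG_LIST is a
# constructed listing; replace it with `pkg_info -Q <stem>` output.

PKG_LIST='python-2.7.13p0
python-3.6.0p0
python-tkinter-2.7.13
quirks-2.304'

# pkg_stem NAME -> the package stem: everything before the first
# "-<digit>" (python-2.7.13p0 -> python, python-tkinter-2.7.13 -> python-tkinter)
pkg_stem() {
    printf '%s\n' "$1" | sed 's/-[0-9].*$//'
}

# pkg_resolve LIST SPEC -> names in LIST that satisfy SPEC: an exact
# name, or (like pkg_add -z) a name that begins with SPEC followed by a
# version separator, so "python-2.7" finds python-2.7.13p0 only.
pkg_resolve() {
    printf '%s\n' "$1" | awk -v spec="$2" '
        $0 == spec { print; next }
        index($0, spec) == 1 {
            rest = substr($0, length(spec) + 1)
            if (rest ~ /^[.p-]/) print
        }'
}

# pkg_add_resolved SPEC -> install the unique match for SPEC, or list
# the candidates and fail, instead of letting pkg_add fetch a 404 page.
# Assumes pkg_info -Q output of the form "name" or "name (installed)".
pkg_add_resolved() {
    list=$(pkg_info -Q "$(pkg_stem "$1")" | sed 's/ (installed)$//')
    matches=$(pkg_resolve "$list" "$1")
    case $(printf '%s\n' "$matches" | grep -c .) in
        1) pkg_add -v "$matches" ;;
        *) printf 'no unique match for %s:\n%s\n' "$1" "$matches" >&2; return 1 ;;
    esac
}

# Usage on a real host:  pkg_add_resolved python-2.7
```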



What does it mean this error when I try install a package?

2017-04-17 Thread C. L. Martinez
Hi all,

 After installing OpenBSD 6.1, I am trying to install some packages, for 
example python-2.7. When I launch the following command:

pkg_add -v python-2.7

 ... returns the following errors:

 http://ftp.openbsd.org/pub/OpenBSD/6.1/packages/amd64/: Read short file.
http://ftp.openbsd.org/pub/OpenBSD/6.1/packages/amd64/python-2.7.tgz: ftp: 
Error retrieving file: 404 Not Found
signify: gzheader truncated
Can't find python-2.7
Extracted 11548847 from 11550420

 What do these errors mean? My PKG_PATH variable is 
"PKG_PATH=http://ftp.openbsd.org/pub/OpenBSD/6.1/packages/amd64"
-- 
Greetings,
C. L. Martinez



Re: New features in VMM for OpenBSD 6.1?

2017-03-07 Thread C. L. Martinez
On Mon, Mar 06, 2017 at 10:55:23AM -0800, Mike Larkin wrote:
> On Mon, Mar 06, 2017 at 06:22:07PM +0100, Juan Francisco Cantero Hurtado 
> wrote:
> > On Mon, Mar 06, 2017 at 10:40:52AM +, C. L. Martinez wrote:
> > > Hi all,
> > > 
> > >  Where can I see what new features will be released in VMM for OpenBSD 
> > > 6.1? For example, could it be possible to run Linux or FreeBSD guests 
> > > apart from OpenBSD guests?
> > 
> > No, vmm will only support OpenBSD in the next release.
> > https://www.openbsd.org/61.html will include a list of new features and
> > fixes.
> > 
> > -- 
> > Juan Francisco Cantero Hurtado http://juanfra.info
> >
> 
> As Juan states, I'm sure someone will go back through the cvs logs and update
> that page with what new changes/features went in. Probably the biggest change
> will be adding SVM support, if I can manage to get the last +/- 900 lines of
> local changes in, and add interrupt windowing support.
> 
> -ml

Thanks for the info.

-- 
Greetings,
C. L. Martinez



New features in VMM for OpenBSD 6.1?

2017-03-06 Thread C. L. Martinez
Hi all,

 Where can I see what new features will be released in VMM for OpenBSD 6.1? For 
example, could it be possible to run Linux or FreeBSD guests apart from OpenBSD 
guests?

Many thanks.

-- 
Greetings,
C. L. Martinez



Re: How easy is to do a MITM/spoof/etc. a public IP address?

2017-01-26 Thread C. L. Martinez
On Thu, Jan 26, 2017 at 10:51:14AM +, Stuart Henderson wrote:
> On 2017-01-25, C. L. Martinez <carlopm...@gmail.com> wrote:
> > On Wed, Jan 25, 2017 at 02:07:55PM +, Stuart Henderson wrote:
> >> On 2017-01-25, C. L. Martinez <carlopm...@gmail.com> wrote:
> >> > Hi all,
> >> >
> >> > I have received a (maybe) "stupid" request from one of our customers.
> >> > We have a pair of public OpenBSD firewalls (CARPed) that our development
> >> > team uses to access several customers via VPN IPsec tunnels. But this
> >> > morning we have received a request from one of these customers to access
> >> > our development servers using only one acl to permit their public IP
> >> > address (without using VPN IPsec, or VPN SSL tunnels).
> >> >
> >> > And my (OT) question: how easy is it to do a MITM attack (DNS spoofing
> >> > for example, or another type of attack that permits faking the source
> >> > public IP address) in this scenario?
> >> 
> >> For an attacker with no access to endpoints or network in between:
> >> 
> >> - For many protocols including UDP, it is absolutely trivial to send
> >> traffic from a fake source address.
> >
> > But, only a SYN can be sent, right?? The attacker's source IP address will not 
> > receive the ACK, etc. Is that correct? If it is, he/she/they can only do a DoS 
> > attack, they can't steal information, right?
> > 
> >> - With TCP it depends on various things but sometimes you can predict
> >> enough of the IP stack behaviour to spoof blindly and send data.
> >> reassemble tcp + random-id can help.
> 
> They won't get any responses, but if an attacker can predict some of
> what's in the packets (port numbers, sequence numbers etc), they can
> send a bunch of packets that *might* match. If they get lucky and hit
> on a correct one, they can handshake and transmit, obviously not
> receive data directly on that connection, but sending might be enough
> to do damage.
> 
> >> If an attacker can MITM (either by getting $client to send to their
> >> machine instead of yours directly, they can obviously log or modify
> >> packets before forwarding on to the real server. It depends what
> >> you're running over it as to whether this is a problem.
> >> 
> >
> > Uhmmm ... but in this case, I don't see how an attacker can fake the original 
> > public IP source address ... Any theoretical example?
> 
> If they have access to a machine that the packets pass through, or a
> machine that they can be made to pass through (e.g. by DNS manipulation,
> or if they're on an unprotected layer-2 network with a real router ARP
> attacks etc might work) they can just inspect/modify the packets as
> they're passing.
> 
> Even if it's just a router that doesn't let them do much with the
> packets directly, they might still be able to forward them over a GRE
> tunnel or similar to a machine where they can do this.
> 
> There are enough ISPs and colos around that don't do BCP38 (i.e. don't
> check source addresses) that there won't be too much difficulty
> re-forwarding packets with the original sender IP address.
> 
> > Many thanks Stuart for your help.
> 
> tl;dr: if VPN isn't suitable, make sure comms are protected by some
> other method that includes at least strong authentication and protects
> messages against being modified - e.g. modern SSH, TLS or equivalent -
> and be careful with certificates (test to make sure that you'll notice
> an unexpected change).
> 

Many thanks for your detailed answer Stuart. Fantastic. Only one more 
question. Since this access only requires the HTTP service, will it be sufficient if 
I try to convince them to use HTTPS instead? And in the case that we could use 
HTTPS, would a MITM attack be minimized?

-- 
Greetings,
C. L. Martinez
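Stuart's reply maps onto pf.conf fairly directly. The fragment below is an added example, not a ruleset from the thread or from the poster's firewalls: `$ext_if` and the two addresses are placeholders (documentation ranges), and the interface is assumed to be the public side of the CARP pair.

```conf
# Added example, not from the thread or the poster's firewalls.
# Allow one customer address straight to a development server, with
# pf doing what it can about spoofed sources. ext_if and the two
# addresses are placeholders.
ext_if   = "vio0"
customer = "192.0.2.10"
devsrv   = "198.51.100.20"

set skip on lo

# Normalise TCP before state tracking: reassemble tcp enforces tighter
# sequence-window checks on every segment and modulates TCP timestamps,
# so an injected segment has to fit the live connection exactly;
# random-id replaces the IP ID so it leaks nothing an attacker can count.
match in all scrub (no-df random-id reassemble tcp)

# Reject packets whose source cannot legitimately arrive on this
# interface: directly attached networks claimed from outside (antispoof)
# and routed sources that fail a reverse-path check (urpf-failed). A
# source that really routes in from the Internet passes both checks;
# only authentication above IP deals with that.
antispoof quick for $ext_if
block in quick on $ext_if from urpf-failed

block all

# Only TLS, only from the customer, only to the development server.
# modulate state swaps the server's initial sequence numbers for
# pf-generated random ones, so a blind spoofer has nothing to predict
# even if the server's own stack is weak.
pass in on $ext_if proto tcp from $customer to $devsrv port 443 \
        flags S/SA modulate state
pass out on $ext_if keep state
```

This covers the blind-spoofing and directly-attached cases from the reply. It does nothing against an on-path attacker who sees both directions, which is why the rule admits TLS only: there the protection is the certificate check in the customer's client, and Stuart's advice to test that an unexpected certificate change is actually noticed is the part no firewall rule replaces.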



Re: How easy is to do a MITM/spoof/etc. a public IP address?

2017-01-26 Thread C. L. Martinez
On Wed, Jan 25, 2017 at 08:20:32PM +0100, Daniel Gillen wrote:
> On 25.01.2017 15:42, C. L. Martinez wrote:
> > On Wed, Jan 25, 2017 at 02:07:55PM +, Stuart Henderson wrote:
> >> On 2017-01-25, C. L. Martinez <carlopm...@gmail.com> wrote:
> >>> Hi all,
> >>>
> >>> I have received a (maybe) "stupid" request from one of our customers.
> >>> We have a pair of public OpenBSD firewalls (CARPed) that our development
> >>> team uses to access several customers via VPN IPsec tunnels. But this
> >>> morning we have received a request from one of these customers to access
> >>> our development servers using only one acl to permit their public IP
> >>> address (without using VPN IPsec, or VPN SSL tunnels).
> >>>
> >>> And my (OT) question: how easy is it to do a MITM attack (DNS spoofing
> >>> for example, or another type of attack that permits faking the source
> >>> public IP address) in this scenario?
> >>
> >> For an attacker with no access to endpoints or network in between:
> >>
> >> - For many protocols including UDP, it is absolutely trivial to send
> >> traffic from a fake source address.
> > 
> > But, only a SYN can be sent, right?? The attacker's source IP address will not 
> > receive the ACK, etc. Is that correct? If it is, he/she/they can only do a DoS 
> > attack, they can't steal information, right?
> > 
> 
> UDP and many other protocols are connectionless, so there is no such
> thing as SYN/ACK. You basically just send your data package and hope it
> somehow gets to its destination.
> 
> https://en.wikipedia.org/wiki/User_Datagram_Protocol

Yep, sorry. My mistake. I am referring to TCP connections ...

> 
> >>
> >> - With TCP it depends on various things but sometimes you can predict
> >> enough of the IP stack behaviour to spoof blindly and send data.
> >> reassemble tcp + random-id can help.
> >>
> >> If an attacker can MITM (either by getting $client to send to their
> >> machine instead of yours directly, they can obviously log or modify
> >> packets before forwarding on to the real server. It depends what
> >> you're running over it as to whether this is a problem.
> >>
> > 
> > Uhmmm ... but in this case, I don't see how an attacker can fake the original 
> > public IP source address ... Any theoretical example?
> > 
> > Many thanks Stuart for your help.
> > 
> > 
> 
> In an MITM scenario, the sent data packets actually flow _through_ the
> MITM's machine before they are forwarded to your machine. No need to
> fake original source address, as it won't be changed. Think of the
> MITM's machine as a simple router interconnecting your and the $client's
> WAN.
> 
> https://en.wikipedia.org/wiki/Man-in-the-middle_attack

Thanks. I see the concept when you are in a LAN. But with a WAN, I can't see 
how you can accomplish this. For example: the public source IP address is 1.1.1.1, 
the destination public IP address is 2.2.2.2 and the attacker's public IP address is 
3.3.3.3. To establish communications between these three elements, there are 
several routers between them to route packets. What I don't see is how, when the 
attacker sends packets to 2.2.2.2 using the source public IP address 1.1.1.1, the 
routers between all elements return these packets to the attacker (which has the 
3.3.3.3 IP address).

Sorry for my "basic" knowledge in these fields :)


-- 
Greetings,
C. L. Martinez



Re: How easy is to do a MITM/spoof/etc. a public IP address?

2017-01-25 Thread C. L. Martinez
On Wed, Jan 25, 2017 at 02:07:55PM +, Stuart Henderson wrote:
> On 2017-01-25, C. L. Martinez <carlopm...@gmail.com> wrote:
> > Hi all,
> >
> > I have received a (maybe) "stupid" request from one of our customers.
> > We have a pair of public OpenBSD firewalls (CARPed) that our development
> > team uses to access several customers via VPN IPsec tunnels. But this
> > morning we have received a request from one of these customers to access
> > our development servers using only one acl to permit their public IP
> > address (without using VPN IPsec, or VPN SSL tunnels).
> >
> > And my (OT) question: how easy is it to do a MITM attack (DNS spoofing
> > for example, or another type of attack that permits faking the source
> > public IP address) in this scenario?
> 
> For an attacker with no access to endpoints or network in between:
> 
> - For many protocols including UDP, it is absolutely trivial to send
> traffic from a fake source address.

But, only a SYN can be sent, right?? The attacker's source IP address will not 
receive the ACK, etc. Is that correct? If it is, he/she/they can only do a DoS attack, 
they can't steal information, right?

> 
> - With TCP it depends on various things but sometimes you can predict
> enough of the IP stack behaviour to spoof blindly and send data.
> reassemble tcp + random-id can help.
> 
> If an attacker can MITM (either by getting $client to send to their
> machine instead of yours directly, they can obviously log or modify
> packets before forwarding on to the real server. It depends what
> you're running over it as to whether this is a problem.
> 

Uhmmm ... but in this case, I don't see how an attacker can fake the original 
public IP source address ... Any theoretical example?

Many thanks Stuart for your help.


-- 
Greetings,
C. L. Martinez



How easy is to do a MITM/spoof/etc. a public IP address?

2017-01-25 Thread C. L. Martinez
Hi all,

 I have received a (maybe) "stupid" request from one of our customers. We have 
a pair of public OpenBSD firewalls (CARPed) that our development team uses to 
access several customers via VPN IPsec tunnels. But this morning we have 
received a request from one of these customers to access our development 
servers using only one acl to permit their public IP address (without using VPN 
IPsec, or VPN SSL tunnels).

 And my (OT) question: how easy is it to do a MITM attack (DNS spoofing for 
example, or another type of attack that permits faking the source public IP 
address) in this scenario?

Many thanks.

-- 
Greetings,
C. L. Martinez



Re: PCI Express wireless adapter supported under OpenBSD

2016-11-30 Thread C. L. Martinez
On Wed 30.Nov'16 at 11:44:13 +0100, Stefan Sperling wrote:
> On Wed, Nov 30, 2016 at 10:12:32AM +0000, C. L. Martinez wrote:
> > I have discovered that the Asus AC88 AC3100 uses a BCM4366 chip, but if I am not 
> > wrong this chip is not supported under OpenBSD, is that right?
> 
> Indeed, BCM4366 won't work.
> 
> There are many Atheros AR9280 devices on sites such as ebay.
> And some vendors like pcengines still sell cards with this chip.
> You could also search for other chip names listed in the athn(4) man page.

Ok, I have found a good candidate: TP-LINK TL-WDN4800. According to TP-Link's 
webpage it uses an Atheros AR9380 chip. But under the athn(4) OpenBSD man page, 
this chip doesn't appear for OpenBSD 6.0 ... but it does appear in the OpenBSD 
4.9 changelog: https://www.openbsd.org/plus49.html. Then, is it supported or 
not?

Thanks.

-- 
Greetings,
C. L. Martinez



Re: PCI Express wireless adapter supported under OpenBSD

2016-11-30 Thread C. L. Martinez
On Wed 30.Nov'16 at 10:26:32 +0100, Peter N. M. Hansteen wrote:
> On Wed, Nov 30, 2016 at 08:09:24AM +0000, C. L. Martinez wrote:
> >  I would like to install OpenBSD on a HP Microserver Gen8 to act as a 
> > firewall and hostap. I am searching what components I need and I have a 
> > doubt about what wireless interface I need to buy to use it as a hostap 
> > under OpenBSD.
> 
> The Microserver Gen8s are really nice machines for the application you 
> describe, once you set the disk controller to something sensible (as 
> previously reported). 
> 
> When it comes to your primary question I don't have a good answer, but in 
> case those boards are not supported it's worth keeping in mind one other 
> option: get the highest quality access point or 'wireless router' you can 
> afford, configure it as access point only (no dhcp or routing, leave that to 
> the OpenBSD tools)
> 
 I agree. The Microserver Gen8 is a fantastic box to deploy this type of scenario. 
My idea is to buy an SSD drive, configure this hard disk as RAID0 in the B120i and 
fire up OpenBSD ..

 I prefer to avoid buying an access point. I can wait for better support and data 
rates from the OpenBSD side in future releases ...

-- 
Greetings,
C. L. Martinez



Re: PCI Express wireless adapter supported under OpenBSD

2016-11-30 Thread C. L. Martinez
On Wed 30.Nov'16 at 10:04:25 +0100, Stefan Sperling wrote:
> On Wed, Nov 30, 2016 at 08:09:24AM +0000, C. L. Martinez wrote:
> > Hi all,
> > 
> >  I would like to install OpenBSD on a HP Microserver Gen8 to act as a 
> > firewall and hostap. I am searching what components I need and I have a 
> > doubt about what wireless interface I need to buy to use it as a hostap 
> > under OpenBSD.
> > 
> >  I have found only these:
> > 
> >  - Asus PCE-AC88 Wireless 5GHz PCI-E AC3100
> >  - Asus PCE-AC68 PCI-E WiFi Dual-Band AC1900
> > 
> >  Searching on ASUS's web, I didn't find any info about which chip these 
> > adapters use. Are they supported under OpenBSD? Do you recommend any other 
> > wireless adapter (PCI-e)?? Throughput needs to be 300 Mbps, at least.
> > 
> > Thanks.
> 
> I'm afraid you won't get 300 Mbps from any wifi device on OpenBSD.
> Our 802.11n support is still in very early stages.
> 
> The best access point OpenBSD can offer uses obsolete AR9280 Atheros
> hardware with 802.11a data rates (theoretical maximum 54Mbit/s).
> 802.11n is not yet supported by any driver which has hostap support.
> 
> For your kinds of requirements, the best solution is an external
> access point connected to your OpenBSD box with gigabit ethernet.

Many thanks Stefan and Ze for your answers. But thinking about it, maybe it is a 
good idea to limit throughput to 150Mbps or less at this first stage. I can 
wait until OpenBSD supports more data rates.

I have discovered that the Asus AC88 AC3100 uses a BCM4366 chip, but if I am not wrong 
this chip is not supported under OpenBSD, is that right?

Thanks.



PCI Express wireless adapter supported under OpenBSD

2016-11-30 Thread C. L. Martinez
Hi all,

 I would like to install OpenBSD on a HP Microserver Gen8 to act as a firewall 
and hostap. I am searching what components I need and I have a doubt about what 
wireless interface I need to buy to use it as a hostap under OpenBSD.

 I have found only these:

 - Asus PCE-AC88 Wireless 5GHz PCI-E AC3100
 - Asus PCE-AC68 PCI-E WiFi Dual-Band AC1900

 Searching on ASUS's web, I didn't find any info about which chip these 
adapters use. Are they supported under OpenBSD? Do you recommend any other wireless 
adapter (PCI-e)?? Throughput needs to be 300 Mbps, at least.

Thanks.

-- 
Greetings,
C. L. Martinez



Re: httpd: old behavior returns: Couldn't resolve host (SOLVED)

2016-09-05 Thread C. L. Martinez
On Mon  5.Sep'16 at 16:15:12 +, C. L. Martinez wrote:
> Hi all,
> 
>  I have upgraded my TT-RSS server based on OpenBSD 5.9 to OpenBSD 6.0. All 
> goes perfect, except when I try to add news feeds. As I reported in 
> the past: http://marc.info/?l=openbsd-misc=146739024615025=2, tt-rss 
> returns "Couldn't resolve host" every time that I try to add a new feed. As 
> Stuart pointed out to me in the past, I have copied /etc/hosts and /etc/resolv.conf 
> to the /var/www/etc chroot, but in OpenBSD 6.0 it doesn't work.
> 
>  Is it a bug or do I need to configure any option inside httpd.conf??
> 
> Thanks.
> 
> -- 
> Greetings,
> C. L. Martinez

Ok, problem solved. php-fpm needs to be restarted. Sorry for the noise.

-- 
Greetings,
C. L. Martinez
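The fix in this thread (copy the resolver files into the httpd chroot, then restart php-fpm) as a small script, added here as an example rather than taken from the post. It assumes OpenBSD's /var/www chroot and a php-fpm rc script named `php70_fpm`, which is the name for PHP 7.0 and must be checked with `rcctl ls on`; the /etc files in the test are constructed. As the follow-up reports, the running php-fpm did not see the new files until restarted, so the refresh function restarts it only when the copies are actually stale.

```shell
#!/bin/sh
# Added example, not from the thread. Copy the two resolver files a
# chrooted php-fpm needs into the httpd chroot and restart php-fpm when
# the copies were stale. CHROOT and RC are assumptions: OpenBSD's
# /var/www and the php-fpm rc script name (check `rcctl ls on`).

CHROOT=${CHROOT:-/var/www}
RC=${RC:-php70_fpm}

# sync_chroot_resolver SRC CHROOT
# Copies SRC/hosts and SRC/resolv.conf into CHROOT/etc as 0644 files
# (root:wheel when run as root), replacing each atomically so a worker
# never reads a half-written file. Prints the installed paths. Only
# these two files go in: nothing else from /etc belongs in the chroot.
sync_chroot_resolver() {
    src="${1:-/etc}"; dst="${2:-$CHROOT}/etc"
    mkdir -p "$dst" || return 1
    for f in hosts resolv.conf; do
        cp "$src/$f" "$dst/$f.tmp" && chmod 0644 "$dst/$f.tmp" || return 1
        if [ "$(id -u)" = 0 ]; then
            chown root:wheel "$dst/$f.tmp"   # www user needs read access only
        fi
        mv "$dst/$f.tmp" "$dst/$f" || return 1
        printf '%s\n' "$dst/$f"
    done
}

# chroot_resolver_stale SRC CHROOT
# Exit 0 when any chroot copy is missing or differs from the live file.
chroot_resolver_stale() {
    src="${1:-/etc}"; dst="${2:-$CHROOT}/etc"
    for f in hosts resolv.conf; do
        cmp -s "$src/$f" "$dst/$f" || return 0
    done
    return 1
}

# refresh_resolver -> resync and restart php-fpm only when needed; safe
# to run from cron or after every resolv.conf change on the live host
refresh_resolver() {
    chroot_resolver_stale /etc "$CHROOT" || return 0
    sync_chroot_resolver /etc "$CHROOT" && rcctl restart "$RC"
}
```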



httpd: old behavior returns: Couldn't resolve host

2016-09-05 Thread C. L. Martinez
Hi all,

 I have upgraded my TT-RSS server based on OpenBSD 5.9 to OpenBSD 6.0. All goes 
perfect, except when I try to add news feeds. As I reported in the past: 
http://marc.info/?l=openbsd-misc=146739024615025=2, tt-rss returns 
"Couldn't resolve host" every time that I try to add a new feed. As Stuart 
pointed out to me in the past, I have copied /etc/hosts and /etc/resolv.conf to 
the /var/www/etc chroot, but in OpenBSD 6.0 it doesn't work.

 Is it a bug or do I need to configure any option inside httpd.conf??

Thanks.

-- 
Greetings,
C. L. Martinez



Recommendation about an Alfa usb wireless adapter to use it as HostAP

2016-09-02 Thread C. L. Martinez
Hi all,

 I would like to install OpenBSD as a hostap for my home. I have done the same 
in the past, running OpenBSD as a kvm guest on my laptop, and all works really 
well. I am thinking of using an Alfa (http://www.alfa.com.tw) usb wireless 
adapter. There is not much information on Alfa's web about which of them can 
run as a HostAP.

 Any recommendation? Maybe AWUS036ACH can support this functionality, but I am 
not sure ...

Thanks.
-- 
Greetings,
C. L. Martinez



Re: Encrypting carp traffic with ipsec

2016-08-09 Thread C. L. Martinez
On Thu  4.Aug'16 at 12:30:56 +, C. L. Martinez wrote:
> On Tue  2.Aug'16 at  7:54:08 +0000, C. L. Martinez wrote:
> > On Mon  1.Aug'16 at  7:54:57 +0000, C. L. Martinez wrote:
> > > On Fri 29.Jul'16 at 10:55:01 +0300, Kapetanakis Giannis wrote:
> > > > On 28/07/16 22:47, C. L. Martinez wrote:
> > > > > Hi all,
> > > > > 
> > > > >  I will try to encrypt all carp traffic between two OpenBSD 5.9 fws
> > > > > (fully patched). According to ifconfig(8) man page:
> > > > > 
> > > > > carppeer peer_address
> > > > > Send the carp advertisements to a specified point-to-point peer or
> > > > > multicast group instead of sending the messages to the default carp
> > > > > multicast group. The peer_address is the IP address of the other host
> > > > > taking part in the carp cluster. With this option, carp(4) traffic can
> > > > > be protected using ipsec(4) and it may be desired in networks that do
> > > > > not allow or have problems with IPv4 multicast traffic.
> > > > > 
> > > > >  And the last sentence describes the type of problem that I want to
> > > > > avoid: "carp(4) traffic can be protected using ipsec(4) and it may be
> > > > > desired in networks that do not allow or have problems with IPv4
> > > > > multicast traffic".
> > > > > 
> > > > >  But I don't see how to implement this feature. If I am not wrong, I
> > > > > need to configure ipsec in transport mode. But how to encrypt carp
> > > > > protocol only and keep all other services and protocols out of ipsec
> > > > > tunnels??
> > > > > 
> > > > >  Any tip or sample??
> > > > > 
> > > > 
> > > > 
> > > > check proto (from protocol) in ipsec.conf(5)
> > > > 
> > > > G
> > > > 
> > > 
> > > Ok, after doing several tests these days, I have configured ipsec.conf 
> > > instead of iked.conf. But carp interfaces remain in MASTER mode in both 
> > > firewalls:
> > > 
> > > FwA:
> > > 
> > > carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> > > lladdr 01:00:5e:00:01:01
> > > priority: 15
> > > carp: carpdev vio0 advbase 1 balancing ip carppeer 172.22.55.13
> > > state MASTER vhid 1 advskew 100
> > > state MASTER vhid 2 advskew 0
> > > groups: carp
> > > status: master
> > > inet 172.22.55.14 netmask 0x19f0 broadcast 172.22.247.15
> > > carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> > > lladdr 01:00:5e:00:01:03
> > > priority: 15
> > > carp: carpdev vio1 advbase 1 balancing ip carppeer 172.30.77.3
> > > state MASTER vhid 3 advskew 100
> > > state MASTER vhid 4 advskew 0
> > > groups: carp
> > > status: master
> > > inet 172.30.77.1 netmask 0xfff8 broadcast 172.30.77.7
> > > 
> > > 
> > > 
> > > 
> > > FwB:
> > > 
> > > carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> > > lladdr 01:00:5e:00:01:01
> > > priority: 15
> > > carp: carpdev vio0 advbase 1 balancing ip carppeer 172.22.55.12
> > > state MASTER vhid 1 advskew 0
> > > state MASTER vhid 2 advskew 100
> > > groups: carp
> > > status: master
> > > inet 172.22.55.14 netmask 0x19f0 broadcast 172.22.247.15
> > > carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> > > lladdr 01:00:5e:00:01:03
> > > priority: 15
> > > carp: carpdev vio1 advbase 1 balancing ip carppeer 172.30.77.2
> > > state MASTER vhid 3 advskew 0
> > > state MASTER vhid 4 advskew 100
> > > groups: carp
> > > status: master
> > > inet 172.30.77.1 netmask 0xfff8 broadcast 172.30.77.7
> > > 
> > > 
> > > IPsec flows are established in both firewalls:
> > > 
> > > FwA:
> > > 
> > > FLOWS:
> > > flow esp in proto carp from 172.22.57.3 to 172.22.57.2 peer 172.22.57.3 
> > > srcid 172.22.57.2/32 dstid 172.22.57.3/32 typ
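Giannis' hint (`proto` in ipsec.conf) written out as a complete entry, as an added example and not the poster's file: ESP in transport mode restricted to protocol carp between the two carpdev addresses that the thread's carp0 `carppeer` lines use, so everything else between the firewalls stays in the clear. The PSK is a placeholder and the cipher choices are assumptions.

```conf
# Added example (not the poster's ipsec.conf): ESP transport mode for
# CARP advertisements only, between the carpdev addresses taken from
# the thread's carp0 "carppeer" lines. Shown for FwA; on FwB swap the
# two addresses. Placeholder PSK: use one long random secret, identical
# on both firewalls.
me   = "172.22.55.12"
peer = "172.22.55.13"

ike esp transport proto carp from $me to $peer \
        main  auth hmac-sha2-256 enc aes-256 group modp2048 \
        quick auth hmac-sha2-256 enc aes-256 group modp2048 \
        psk "replace-with-a-long-random-secret"
```

The `ike` keyword installs flows of the shape shown in the thread (inbound `type use`, outbound `type require`) once `isakmpd -K` is running and `ipsecctl -f /etc/ipsec.conf` has loaded the file (`rcctl set isakmpd flags -K; rcctl enable isakmpd ipsec`). Two consequences matter when both nodes sit at MASTER: with `type require` on the outbound flow, advertisements are dropped rather than sent in the clear whenever no SA exists, so `ipsecctl -sa` has to show SAD entries and not only flows; and the flow selectors must be exactly the addresses given to `carppeer` and carried by the carpdev on each side, otherwise the advertisements never match the flow. pf also has to pass `proto esp` and `udp port 500` between the two addresses on the carpdev interface; `tcpdump -ni vio0 proto esp` confirms the advertisements are leaving encrypted.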

Re: Encrypting carp traffic with ipsec

2016-08-04 Thread C. L. Martinez
On Tue  2.Aug'16 at  7:54:08 +, C. L. Martinez wrote:
> On Mon  1.Aug'16 at  7:54:57 +0000, C. L. Martinez wrote:
> > On Fri 29.Jul'16 at 10:55:01 +0300, Kapetanakis Giannis wrote:
> > > On 28/07/16 22:47, C. L. Martinez wrote:
> > > > Hi all,
> > > > 
> > > >  I will try to encrypt all carp traffic between two OpenBSD 5.9 fws
> > > > (fully patched). According to ifconfig(8) man page:
> > > > 
> > > > carppeer peer_address
> > > > Send the carp advertisements to a specified point-to-point peer or
> > > > multicast group instead of sending the messages to the default carp
> > > > multicast group. The peer_address is the IP address of the other host
> > > > taking part in the carp cluster. With this option, carp(4) traffic can
> > > > be protected using ipsec(4) and it may be desired in networks that do
> > > > not allow or have problems with IPv4 multicast traffic.
> > > > 
> > > >  And the last sentence describes the type of problem that I want to
> > > > avoid: "carp(4) traffic can be protected using ipsec(4) and it may be
> > > > desired in networks that do not allow or have problems with IPv4
> > > > multicast traffic".
> > > > 
> > > >  But I don't see how to implement this feature. If I am not wrong, I
> > > > need to configure ipsec in transport mode. But how to encrypt carp
> > > > protocol only and keep all other services and protocols out of ipsec
> > > > tunnels??
> > > > 
> > > >  Any tip or sample??
> > > > 
> > > 
> > > 
> > > check proto (from protocol) in ipsec.conf(5)
> > > 
> > > G
> > > 
> > 
> > Ok, after doing several tests these days, I have configured ipsec.conf 
> > instead of iked.conf. But carp interfaces remain in MASTER mode in both 
> > firewalls:
> > 
> > FwA:
> > 
> > carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> > lladdr 01:00:5e:00:01:01
> > priority: 15
> > carp: carpdev vio0 advbase 1 balancing ip carppeer 172.22.55.13
> > state MASTER vhid 1 advskew 100
> > state MASTER vhid 2 advskew 0
> > groups: carp
> > status: master
> > inet 172.22.55.14 netmask 0x19f0 broadcast 172.22.247.15
> > carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> > lladdr 01:00:5e:00:01:03
> > priority: 15
> > carp: carpdev vio1 advbase 1 balancing ip carppeer 172.30.77.3
> > state MASTER vhid 3 advskew 100
> > state MASTER vhid 4 advskew 0
> > groups: carp
> > status: master
> > inet 172.30.77.1 netmask 0xfff8 broadcast 172.30.77.7
> > 
> > 
> > 
> > 
> > FwB:
> > 
> > carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> > lladdr 01:00:5e:00:01:01
> > priority: 15
> > carp: carpdev vio0 advbase 1 balancing ip carppeer 172.22.55.12
> > state MASTER vhid 1 advskew 0
> > state MASTER vhid 2 advskew 100
> > groups: carp
> > status: master
> > inet 172.22.55.14 netmask 0x19f0 broadcast 172.22.247.15
> > carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> > lladdr 01:00:5e:00:01:03
> > priority: 15
> > carp: carpdev vio1 advbase 1 balancing ip carppeer 172.30.77.2
> > state MASTER vhid 3 advskew 0
> > state MASTER vhid 4 advskew 100
> > groups: carp
> > status: master
> > inet 172.30.77.1 netmask 0xfff8 broadcast 172.30.77.7
> > 
> > 
> > IPsec flows are established in both firewalls:
> > 
> > FwA:
> > 
> > FLOWS:
> > flow esp in proto carp from 172.22.57.3 to 172.22.57.2 peer 172.22.57.3 
> > srcid 172.22.57.2/32 dstid 172.22.57.3/32 type use
> > flow esp out proto carp from 172.22.57.2 to 172.22.57.3 peer 172.22.57.3 
> > srcid 172.22.57.2/32 dstid 172.22.57.3/32 type require
> > flow esp in proto carp from 172.22.58.3 to 172.22.58.2 peer 172.22.58.3 
> > srcid 172.22.58.2/32 dstid 172.22.58.3/32 type use
> > flow esp out proto carp from 172.22.58.2 to 172.22.58.3 peer 172.22.58.3 
> > srcid 172.22.58.2/32 dstid 172.22.58.3/32 type require
> > flow esp in proto carp from 172.22.55.13 to 172.22.55.12 pee

Re: Encrypting carp traffic with ipsec

2016-08-02 Thread C. L. Martinez
On Mon  1.Aug'16 at  7:54:57 +, C. L. Martinez wrote:
> On Fri 29.Jul'16 at 10:55:01 +0300, Kapetanakis Giannis wrote:
> > On 28/07/16 22:47, C. L. Martinez wrote:
> > > Hi all,
> > > 
> > >  I will try to encrypt all carp traffic between two OpenBSD 5.9 fws
> > > (fully patched). According to ifconfig(8) man page:
> > > 
> > > carppeer peer_address
> > > Send the carp advertisements to a specified point-to-point peer or
> > > multicast group instead of sending the messages to the default carp
> > > multicast group. The peer_address is the IP address of the other host
> > > taking part in the carp cluster. With this option, carp(4) traffic can
> > > be protected using ipsec(4) and it may be desired in networks that do
> > > not allow or have problems with IPv4 multicast traffic.
> > > 
> > >  And the last sentence describes the type of problem that I want to
> > > avoid: "carp(4) traffic can be protected using ipsec(4) and it may be
> > > desired in networks that do not allow or have problems with IPv4
> > > multicast traffic".
> > > 
> > >  But I don't see how to implement this feature. If I am not wrong, I
> > > need to configure ipsec in transport mode. But how to encrypt carp
> > > protocol only and keep all others services and protocols out of ipsec
> > > tunnels??
> > > 
> > >  Any tip or sample??
> > > 
> > 
> > 
> > check proto (from protocol) in ipsec.conf(5)
> > 
> > G
> > 
> 
> Ok, after doing several tests these days, I have configured ipsec.conf 
> instead of iked.conf. But carp interfaces remain in MASTER mode in both 
> firewalls:
> 
> FwA:
> 
> carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> lladdr 01:00:5e:00:01:01
> priority: 15
> carp: carpdev vio0 advbase 1 balancing ip carppeer 172.22.55.13
> state MASTER vhid 1 advskew 100
> state MASTER vhid 2 advskew 0
> groups: carp
> status: master
> inet 172.22.55.14 netmask 0x19f0 broadcast 172.22.247.15
> carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> lladdr 01:00:5e:00:01:03
> priority: 15
> carp: carpdev vio1 advbase 1 balancing ip carppeer 172.30.77.3
> state MASTER vhid 3 advskew 100
> state MASTER vhid 4 advskew 0
> groups: carp
> status: master
> inet 172.30.77.1 netmask 0xfff8 broadcast 172.30.77.7
> 
> 
> 
> 
> FwB:
> 
> carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> lladdr 01:00:5e:00:01:01
> priority: 15
> carp: carpdev vio0 advbase 1 balancing ip carppeer 172.22.55.12
> state MASTER vhid 1 advskew 0
> state MASTER vhid 2 advskew 100
> groups: carp
> status: master
> inet 172.22.55.14 netmask 0x19f0 broadcast 172.22.247.15
> carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> lladdr 01:00:5e:00:01:03
> priority: 15
> carp: carpdev vio1 advbase 1 balancing ip carppeer 172.30.77.2
> state MASTER vhid 3 advskew 0
> state MASTER vhid 4 advskew 100
> groups: carp
> status: master
> inet 172.30.77.1 netmask 0xfff8 broadcast 172.30.77.7
> 
> 
> IPsec flows are established in both firewalls:
> 
> FwA:
> 
> FLOWS:
> flow esp in proto carp from 172.22.57.3 to 172.22.57.2 peer 172.22.57.3 srcid 
> 172.22.57.2/32 dstid 172.22.57.3/32 type use
> flow esp out proto carp from 172.22.57.2 to 172.22.57.3 peer 172.22.57.3 
> srcid 172.22.57.2/32 dstid 172.22.57.3/32 type require
> flow esp in proto carp from 172.22.58.3 to 172.22.58.2 peer 172.22.58.3 srcid 
> 172.22.58.2/32 dstid 172.22.58.3/32 type use
> flow esp out proto carp from 172.22.58.2 to 172.22.58.3 peer 172.22.58.3 
> srcid 172.22.58.2/32 dstid 172.22.58.3/32 type require
> flow esp in proto carp from 172.22.55.13 to 172.22.55.12 peer 172.22.55.13 
> srcid 172.22.55.12/32 dstid 172.22.55.13/32 type use
> flow esp out proto carp from 172.22.55.12 to 172.22.55.13 peer 172.22.55.13 
> srcid 172.22.55.12/32 dstid 172.22.55.13/32 type require
> flow esp in proto carp from 172.30.77.3 to 172.30.77.2 peer 172.30.77.3 srcid 
> 172.30.77.2/32 dstid 172.30.77.3/32 type use
> flow esp out proto carp from 172.30.77.2 to 172.30.77.3 peer 172.30.77.3 
> srcid 172.30.77.2/32 dstid 172.30.77.3/32 type require
> flow esp in proto carp from 172.22.54.3 to 172.22.54.2 pee

Re: Encrypting carp traffic with ipsec

2016-08-01 Thread C. L. Martinez
On Fri 29.Jul'16 at 10:55:01 +0300, Kapetanakis Giannis wrote:
> On 28/07/16 22:47, C. L. Martinez wrote:
> > Hi all,
> > 
> >  I will try to encrypt all carp traffic between two OpenBSD 5.9 fws
> > (fully patched). According to ifconfig(8) man page:
> > 
> > carppeer peer_address
> > Send the carp advertisements to a specified point-to-point peer or
> > multicast group instead of sending the messages to the default carp
> > multicast group. The peer_address is the IP address of the other host
> > taking part in the carp cluster. With this option, carp(4) traffic can
> > be protected using ipsec(4) and it may be desired in networks that do
> > not allow or have problems with IPv4 multicast traffic.
> > 
> >  And the last sentence describes the type of problem that I want to
> > avoid: "carp(4) traffic can be protected using ipsec(4) and it may be
> > desired in networks that do not allow or have problems with IPv4
> > multicast traffic".
> > 
> >  But I don't see how to implement this feature. If I am not wrong, I
> > need to configure ipsec in transport mode. But how to encrypt carp
> > protocol only and keep all others services and protocols out of ipsec
> > tunnels??
> > 
> >  Any tip or sample??
> > 
> 
> 
> check proto (from protocol) in ipsec.conf(5)
> 
> G
> 

Ok, after doing several tests these days, I have configured ipsec.conf instead 
of iked.conf. But carp interfaces remain in MASTER mode in both firewalls:

FwA:

carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 01:00:5e:00:01:01
priority: 15
carp: carpdev vio0 advbase 1 balancing ip carppeer 172.22.55.13
state MASTER vhid 1 advskew 100
state MASTER vhid 2 advskew 0
groups: carp
status: master
inet 172.22.55.14 netmask 0x19f0 broadcast 172.22.247.15
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 01:00:5e:00:01:03
priority: 15
carp: carpdev vio1 advbase 1 balancing ip carppeer 172.30.77.3
state MASTER vhid 3 advskew 100
state MASTER vhid 4 advskew 0
groups: carp
status: master
inet 172.30.77.1 netmask 0xfff8 broadcast 172.30.77.7




FwB:

carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 01:00:5e:00:01:01
priority: 15
carp: carpdev vio0 advbase 1 balancing ip carppeer 172.22.55.12
state MASTER vhid 1 advskew 0
state MASTER vhid 2 advskew 100
groups: carp
status: master
inet 172.22.55.14 netmask 0x19f0 broadcast 172.22.247.15
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 01:00:5e:00:01:03
priority: 15
carp: carpdev vio1 advbase 1 balancing ip carppeer 172.30.77.2
state MASTER vhid 3 advskew 0
state MASTER vhid 4 advskew 100
groups: carp
status: master
inet 172.30.77.1 netmask 0xfff8 broadcast 172.30.77.7


IPsec flows are established in both firewalls:

FwA:

FLOWS:
flow esp in proto carp from 172.22.57.3 to 172.22.57.2 peer 172.22.57.3 srcid 
172.22.57.2/32 dstid 172.22.57.3/32 type use
flow esp out proto carp from 172.22.57.2 to 172.22.57.3 peer 172.22.57.3 srcid 
172.22.57.2/32 dstid 172.22.57.3/32 type require
flow esp in proto carp from 172.22.58.3 to 172.22.58.2 peer 172.22.58.3 srcid 
172.22.58.2/32 dstid 172.22.58.3/32 type use
flow esp out proto carp from 172.22.58.2 to 172.22.58.3 peer 172.22.58.3 srcid 
172.22.58.2/32 dstid 172.22.58.3/32 type require
flow esp in proto carp from 172.22.55.13 to 172.22.55.12 peer 172.22.55.13 
srcid 172.22.55.12/32 dstid 172.22.55.13/32 type use
flow esp out proto carp from 172.22.55.12 to 172.22.55.13 peer 172.22.55.13 
srcid 172.22.55.12/32 dstid 172.22.55.13/32 type require
flow esp in proto carp from 172.30.77.3 to 172.30.77.2 peer 172.30.77.3 srcid 
172.30.77.2/32 dstid 172.30.77.3/32 type use
flow esp out proto carp from 172.30.77.2 to 172.30.77.3 peer 172.30.77.3 srcid 
172.30.77.2/32 dstid 172.30.77.3/32 type require
flow esp in proto carp from 172.22.54.3 to 172.22.54.2 peer 172.22.54.3 srcid 
172.22.54.2/32 dstid 172.22.54.3/32 type use
flow esp out proto carp from 172.22.54.2 to 172.22.54.3 peer 172.22.54.3 srcid 
172.22.54.2/32 dstid 172.22.54.3/32 type require
flow esp in proto carp from 172.22.56.3 to 172.22.56.2 peer 172.22.56.3 srcid 
172.22.56.2/32 dstid 172.22.56.3/32 type use
flow esp out proto carp from 172.22.56.2 to 172.22.56.3 peer 172.22.56.3 srcid 
172.22.56.2/32 dstid 172.22.56.3/32 type require

SAD:
esp transport from 172.22.54.3 to 172.22.54.2 spi 0x1ee8aacd auth hmac-sha2-256 
enc aes
esp transport from 172.22.55.13 to 172.22.55.12 sp

Re: Encrypting carp traffic with ipsec

2016-07-29 Thread C. L. Martinez
On Fri 29.Jul'16 at 10:55:01 +0300, Kapetanakis Giannis wrote:
> On 28/07/16 22:47, C. L. Martinez wrote:
> > Hi all,
> > 
> >  I will try to encrypt all carp traffic between two OpenBSD 5.9 fws
> > (fully patched). According to ifconfig(8) man page:
> > 
> > carppeer peer_address
> > Send the carp advertisements to a specified point-to-point peer or
> > multicast group instead of sending the messages to the default carp
> > multicast group. The peer_address is the IP address of the other host
> > taking part in the carp cluster. With this option, carp(4) traffic can
> > be protected using ipsec(4) and it may be desired in networks that do
> > not allow or have problems with IPv4 multicast traffic.
> > 
> >  And the last sentence describes the type of problem that I want to
> > avoid: "carp(4) traffic can be protected using ipsec(4) and it may be
> > desired in networks that do not allow or have problems with IPv4
> > multicast traffic".
> > 
> >  But I don't see how to implement this feature. If I am not wrong, I
> > need to configure ipsec in transport mode. But how to encrypt carp
> > protocol only and keep all others services and protocols out of ipsec
> > tunnels??
> > 
> >  Any tip or sample??
> > 
> 
> 
> check proto (from protocol) in ipsec.conf(5)
> 
> G
> 

Thanks Giannis. I have configured iked.conf in both firewalls.

FirewallA:

ikev2 esp proto carp from 172.22.55.12 to 172.22.55.13 psk 
"74ed973deb695a3a5056e2e6ba3fdcb3" tap enc0


FirewallB:

ikev2 esp proto carp from 172.22.55.13 to 172.22.55.12 psk 
"74ed973deb695a3a5056e2e6ba3fdcb3" tap enc0

 Starting iked from the shell, all tunnels are established. But when I add 
iked_flags= to rc.conf.local and reboot both firewalls, the startup process stops 
at the iked process and never finishes. I need to do a hard reset ...

 Any idea why??



Encrypting carp traffic with ipsec

2016-07-28 Thread C. L. Martinez
Hi all,

 I will try to encrypt all carp traffic between two OpenBSD 5.9 fws
(fully patched). According to ifconfig(8) man page:

carppeer peer_address
Send the carp advertisements to a specified point-to-point peer or
multicast group instead of sending the messages to the default carp
multicast group. The peer_address is the IP address of the other host
taking part in the carp cluster. With this option, carp(4) traffic can
be protected using ipsec(4) and it may be desired in networks that do
not allow or have problems with IPv4 multicast traffic.

 And the last sentence describes the type of problem that I want to
avoid: "carp(4) traffic can be protected using ipsec(4) and it may be
desired in networks that do not allow or have problems with IPv4
multicast traffic".

 But I don't see how to implement this feature. If I am not wrong, I
need to configure ipsec in transport mode. But how to encrypt carp
protocol only and keep all others services and protocols out of ipsec
tunnels??

 Any tip or sample??



Using "> /tmp/debug.log 2>&" in a startup script

2016-07-08 Thread C. L. Martinez
Hi all,

 I need to debug a daemon when it is called from the init process. To accomplish 
this, I need to add "> /tmp/debug.log 2>&1" to daemon_flags (or to another 
option), but it doesn't work. I have tried the following combinations:

 a/ daemon_flags="--first-option --second-option > /tmp/debug.log 2>&1" and 
using the following rc_start options: ${rcexec} "${daemon} ${daemon_flags} 
${_bg}" (rc_bg=YES in the startup script).

 b/ daemon_flags="--first-option --second-option", adding another section with 
more_flags="> /tmp/debug.log 2>&1" and using the following rc_start options: 
${rcexec} "${daemon} ${daemon_flags} ${more_flags} ${_bg}" (rc_bg=YES in the 
startup script).

 c/ And the last try is to use rc_start options: ${rcexec} "${daemon} 
${daemon_flags}" > /tmp/debug.log 2>&1 & 

 
 None of these solutions works. 

 What am I doing wrong?

Thanks.

-- 
Greetings,
C. L. Martinez



Re: Core dumps with sphinx package

2016-07-08 Thread C. L. Martinez
On Fri  8.Jul'16 at 12:40:57 +0200, Adam Wolk wrote:
> On Fri, Jul 08, 2016 at 09:16:15AM +0000, C. L. Martinez wrote:
> > Hi all,
> > 
> >  Once a day, the searchd daemon (installed from OpenBSD's packages repository) 
> > generates a core dump. How can I report this problem? To the openbsd-ports 
> > mailing list??
> > 
> > Thanks.
> > 
> > -- 
> > Greetings,
> > C. L. Martinez
> > 
> 
> First of all obtain a backtrace from your core dump. You can do this with gdb 
> by passing in the program binary and the core dump as arguments:
>  $ gdb prog prog.core
> 
> use the 'bt' command to obtain a backtrace when it's done loading.
> 
> You might need to rebuild the package with debug symbols in order to obtain a
> useful trace.
> 
> Gather as much info as you can:
>  - check dmesg for errors
>  - did it work before? when did it start to segfault?
>  - anything in the logs?
>  - what OpenBSD version are you running? (-current?)
> 
> Take a look at the backtrace and the info you obtained. Check the upstream
> source code, maybe you can fix the error yourself now? If not, take the
> information you gathered and post to ports@ CC'ing the port maintainer. You
> should also report the problem upstream to package developers if the problem 
> is not OpenBSD specific (and it's frequently worth reporting even if it is
> specific).
> 
> Regards,
> Adam
> 
Many thanks Adam ... I will try to do all the steps and report to ports@ 
afterwards.


-- 
Greetings,
C. L. Martinez



Core dumps with sphinx package

2016-07-08 Thread C. L. Martinez
Hi all,

 Once a day, the searchd daemon (installed from OpenBSD's packages repository) 
generates a core dump. How can I report this problem? To the openbsd-ports mailing 
list??

Thanks.

-- 
Greetings,
C. L. Martinez



Strange behavior with php config

2016-07-06 Thread C. L. Martinez
Hi all

 I am using php-5.6 with the NGinx web server on an OpenBSD 5.9 host. I have 
configured the error_log option to log specific php errors in a separate log file: 
"error_log = /tmp/php_errors.log".

 Nginx is running in a chroot (as it does by default) under /var/www. I expected 
the errors to be fed into the above file inside the /var/www chroot, and they 
are. But they also appear under the system's /tmp directory. In summary, I have two 
php_errors.log files where I can see all the errors duplicated ...

 Why?? How can I fix it?

Thanks.

-- 
Greetings,
C. L. Martinez



Re: Installing NextCloud under OpenBSD 5.9

2016-07-03 Thread C. L. Martinez
On Sat  2.Jul'16 at 22:37:49 +0200, Adam Wolk wrote:
> On Sat, 2 Jul 2016 19:26:57 +
> "C. L. Martinez" <carlopm...@gmail.com> wrote:
> 
> > Hi all,
> > 
> >  I am trying to install NextCloud under an OpenBSD 5.9 host using
> > OpenBSD's httpd. But I am not sure that Nextcloud can work with
> > OpenBSD's httpd.
> > 
> >  First of all, rewrite rules like these:
> > 
> > 
> >   RewriteEngine on
> >   RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
> >   RewriteRule ^\.well-known/host-meta /public.php?service=host-meta [QSA,L]
> >   RewriteRule ^\.well-known/host-meta\.json /public.php?service=host-meta-json [QSA,L]
> >   RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
> >   RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
> >   RewriteRule ^remote/(.*) remote.php [QSA,L]
> >   RewriteRule ^(build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
> >   RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/.*
> >   RewriteRule ^(\.|autotest|occ|issue|indie|db_|console).* - [R=404,L]
> > 
> > 
> >  Can these be backported to OpenBSD's httpd? I am thinking of installing
> > apache on the same host, configuring NextCloud on it, and redirecting
> > requests from OpenBSD's httpd to apache (listening on localhost only).
> > 
> >  What do you think?
> > 
> > Thanks.
> > 
> > --
> > Greetings,
> > C. L. Martinez
> > 
> 
> 
> https://github.com/reyk/httpd/wiki/Running-ownCloud-with-httpd-on-OpenBSD
> 
> Owncloud works with httpd. Nextcloud should also work.
> 

Thanks Adam. I will read carefully and I will try to configure using this guide: 
http://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/www/owncloud/pkg/README?rev=1.44=text/x-cvsweb-markup

Many thanks to all.

-- 
Greetings,
C. L. Martinez



Installing NextCloud under OpenBSD 5.9

2016-07-02 Thread C. L. Martinez
Hi all,

 I am trying to install NextCloud under an OpenBSD 5.9 host using OpenBSD's 
httpd. But I am not sure that Nextcloud can work with OpenBSD's httpd.

 First of all, rewrite rules like these:


  RewriteEngine on
  RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
  RewriteRule ^\.well-known/host-meta /public.php?service=host-meta [QSA,L]
  RewriteRule ^\.well-known/host-meta\.json /public.php?service=host-meta-json 
[QSA,L]
  RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
  RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
  RewriteRule ^remote/(.*) remote.php [QSA,L]
  RewriteRule ^(build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
  RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/.*
  RewriteRule ^(\.|autotest|occ|issue|indie|db_|console).* - [R=404,L]


 Can these be backported to OpenBSD's httpd? I am thinking of installing apache on the 
same host, configuring NextCloud on it, and redirecting requests from OpenBSD's 
httpd to apache (listening on localhost only).

 What do you think?

Thanks.

--
Greetings,
C. L. Martinez



Re: I am not sure if it is a problem with OpenBSD's httpd

2016-07-01 Thread C. L. Martinez
On Fri  1.Jul'16 at 16:21:27 +, Stuart Henderson wrote:
> On 2016-07-01, C. L. Martinez <carlopm...@gmail.com> wrote:
> >  Recently, I have installed an OpenBSD virtual machine on my laptop with 
> > TT-RSS, and all works perfectly. Until I try to subscribe to a new feed. 
> > Every time, tt-rss returns the error "6 Couldn't resolve host". It is 
> > strange, because all other feeds migrated from another linux host work ok.
> 
> It might be this, which used to be in faq 10 but was removed a while ago:
> 
> << Name Resolution: httpd(8) inside the chroot(2) will NOT be able to
> use the system /etc/hosts or /etc/resolv.conf. Therefore, if you have
> applications which require name resolution, you will need to populate
> /var/www/etc/hosts and/or /var/www/etc/resolv.conf in the chroot(2)
> environment. Note that some applications expect the resolution of
> "localhost" to work. >>
> 

It was!! .. Perfect, now it works. Many thanks Stuart

-- 
Greetings,
C. L. Martinez



I am not sure if it is a problem with OpenBSD's httpd

2016-07-01 Thread C. L. Martinez
Hi all

 Recently, I have installed an OpenBSD virtual machine on my laptop with 
TT-RSS, and all works perfectly. Until I try to subscribe to a new feed. Every 
time, tt-rss returns the error "6 Couldn't resolve host". It is strange, 
because all other feeds migrated from another linux host work ok.

 For example, if I try to subscribe to the 
http://googleprojectzero.blogspot.com/feeds/posts/default feed, the error is 
returned. But when I try to resolve the DNS name googleprojectzero.blogspot.com in 
the shell, it works ok:

Last login: Fri Jul  1 07:06:54 2016 from 172.22.55.1
OpenBSD 5.9 (GENERIC) #4: Thu May 19 08:23:10 CEST 2016

Welcome to OpenBSD: The proactively secure Unix-like operating system.

Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code.  With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.

root@edinburgh:~# nslookup googleprojectzero.blogspot.com
Server: 172.22.55.1
Address:172.22.55.1#53

Non-authoritative answer:
googleprojectzero.blogspot.com  canonical name = 
blogspot.l.googleusercontent.com.
Name:   blogspot.l.googleusercontent.com
Address: 216.58.208.225

 Having arrived at this point, could it be a problem with OpenBSD's httpd daemon 
that runs in a chroot??

Thanks.


-- 
Greetings,
C. L. Martinez



Re: Clean OpenBSD's httpd logs

2016-07-01 Thread C. L. Martinez
On Fri  1.Jul'16 at  7:39:13 +, Stuart Henderson wrote:
> On 2016-06-30, C. L. Martinez <carlopm...@gmail.com> wrote:
> > Hi all,
> >  
> >  Sorry if this question sounds stupid, but how can I avoid this type of 
> > entry in OpenBSD's httpd access.log:
> >
> > 172.22.55.1:44710 -> 172.22.55.10, /favicon.ico (404 Not Found), [/] 
> > [/favicon.ico]
> 
> Untested, but in theory: set a location that matches the favicon.ico file and
> disable logging (e.g. "no log") in that location block.
> 

Perfect!!! .. Works like a charm. Many thanks Stuart.

-- 
Greetings,
C. L. Martinez



Re: Clean OpenBSD's httpd logs

2016-06-30 Thread C. L. Martinez
On Thu 30.Jun'16 at 15:21:05 +0200, Thuban wrote:
> * C. L. Martinez <carlopm...@gmail.com> on [30-06-2016 12:50:36 +]:
> > Hi all,
> >
> >  Sorry if this question sounds stupid, but how can I avoid this type of
> > entry in OpenBSD's httpd access.log:
> >
> > 172.22.55.1:44710 -> 172.22.55.10, /favicon.ico (404 Not Found), [/]
> > [/favicon.ico]
> >
> 
> Hi,
> in httpd.conf:
> 
> server "yourdomain.com" {
> ...
> no log
> }
> 
> 
> You might want to keep the access log. Separate errors into another file:
> 
> 
> server "yourdomain.com" {
> ...
> log access "yourdomain.access.log"
> log error "yourdomain.errors.log"
> }
> 
> 
> see man httpd.conf for more :)
> 
> 
> --
> /Thuban/
> 

Thanks Thuban, but I want to log all requests to this web server :)

-- 
Greetings,
C. L. Martinez



Clean OpenBSD's httpd logs

2016-06-30 Thread C. L. Martinez
Hi all,
 
 Sorry if this question sounds stupid, but how can I avoid this type of entry 
in OpenBSD's httpd access.log:

172.22.55.1:44710 -> 172.22.55.10, /favicon.ico (404 Not Found), [/] 
[/favicon.ico]

 ??

 Thanks.
-- 
Greetings,
C. L. Martinez



Re: OT: Tools to manage PKI under OpenBSD

2016-06-25 Thread C. L. Martinez
On Fri 24.Jun'16 at 18:59:09 -0400, Predrag Punosevac wrote:
> > On Fri 24.Jun'16 at 12:46:48 +, Dahlberg, David wrote:
> > > On Friday, 24.06.2016, at 11:45 +0000, C. L. Martinez wrote:
> > >
> > > > I would like to deploy/setup a PKI under OpenBSD for my home lab.
> > > > Searching about this topic, I think the best option is to use
> > > > customized openssl/libressl scripts, but it could be very hard to keep
> > > > for certificate requests, revocations, etc.
> > > >
> > > >  Any suggestion about what could be a better option?
> > >
> > > Have a look at security/xca, else define "better option".
> > >
> > > Cheers
> >
> > For "better option", I am speaking about what could be the best tool or
> > procedure to manage a PKI under OpenBSD.
> >
> 
> easy-rsa
> 
> You just chose to ignore the answer.
> 
> Predrag
> 

 Where am I saying that I'm ignoring the answer? Please, before saying such 
things, wait.


-- 
Greetings,
C. L. Martinez



Re: OT: Tools to manage PKI under OpenBSD

2016-06-25 Thread C. L. Martinez
On Sat 25.Jun'16 at 13:56:38 +, Stuart Henderson wrote:
> On 2016-06-24, C. L. Martinez <carlopm...@gmail.com> wrote:
> > On Fri 24.Jun'16 at 12:46:48 +, Dahlberg, David wrote:
> >> On Friday, 24.06.2016, at 11:45 +0000, C. L. Martinez wrote:
> >> 
> >> > I would like to deploy/setup a PKI under OpenBSD for my home lab.
> >> > Searching about this topic, I think the best option is to use
> >> > customized openssl/libressl scripts, but it could be very hard to keep
> >> > for certificate requests, revocations, etc.
> >> > 
> >> >  Any suggestion about what could be a better option?
> >> 
> >> Have a look at security/xca, else define "better option".
> >> 
> >> Cheers
> >
> > For "better option", I am speaking about what could be the best tool or 
> > procedure to manage a PKI under OpenBSD.
> 
> It really depends on what your reasons are for doing this.
> 
> If you're trying to learn about the nitty gritty of generating certs,
> CRLs, revocations, etc, then using the command line tools directly
> isn't a bad idea.
> 
> If you're trying to script things but at a higher level than the
> libressl/openssl command line tool, you might want to look at something
> like https://github.com/cloudflare/cfssl.
> 
> If you're just trying to manually generate certs for lab machines
> and are happier with something visual xca is pretty good.
> 
> Or you can look at the tools which are really made for simplifying vpn
> setup like "ikectl ca" (though the way it's designed, it really only
> makes sense if you generate the private key on a central machine, which
> is a bit non-standard though makes life easier in some cases). Or yes,
> as was already pointed out easy-rsa (though personally I find that more
> complex than easy).
> 
> If you're more interested in getting certs than investigating how to
> run pki, something like letsencrypt might work for you.
> 

Many thanks Stuart. I have configured a PKI using openssl tools, and it is 
working ok ... Now, I would like to install an OCSP instance to check when a 
certificate is revoked ... But I have some doubts:

 - When a certificate is revoked, can the .csr and .crt files (the request and 
the cert signed by the CA) be removed without problems?
 - I am trying to set up a startup script for OCSP using openssl; can this be 
accomplished in OpenBSD's way?

Thanks.

-- 
Greetings,
C. L. Martinez
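
Added example, not code from this thread or from any of the tools it names: a throwaway openssl(1) lab CA that issues an EC certificate, revokes it, and answers an OCSP request offline from the CA's index.txt database, which is where openssl ca keeps revocation state. It assumes an openssl binary in PATH with the ca, req and ocsp subcommands (OpenSSL 1.1.1 or 3.x; LibreSSL's openssl(1) carries the same subcommands), uses constructed names under a mktemp directory, and starts no network responder.

```shell
#!/bin/sh
# Added example (not from the thread): a throwaway openssl(1) lab CA that
# issues a certificate, revokes it, and answers an OCSP request offline with
# "openssl ocsp -index", so revocation state can be checked without running a
# network responder. Revocation lives in the CA database (index.txt), not in
# the leaf's .csr/.crt files. All names and paths below are constructed.
set -eu

LAB=$(mktemp -d)

# Minimal openssl.cnf for "openssl ca" and "openssl req"; an unquoted heredoc
# so $LAB expands now while \$dir is left for openssl to resolve.
write_ca_config() {
    cat > "$LAB/ca.cnf" <<EOF
[ ca ]
default_ca       = lab_ca

[ lab_ca ]
dir              = $LAB
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 30
default_crl_days = 7
policy           = lab_policy
x509_extensions  = leaf_ext

[ lab_policy ]
commonName       = supplied

[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature

[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext

[ req_dn ]

[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign,digitalSignature
EOF
}

# Self-signed EC root plus the empty database files "openssl ca" expects.
build_ca() {
    mkdir -p "$LAB/newcerts"
    : > "$LAB/index.txt"
    echo 1000 > "$LAB/serial"
    openssl ecparam -name prime256v1 -genkey -noout -out "$LAB/ca.key"
    openssl req -new -x509 -key "$LAB/ca.key" -config "$LAB/ca.cnf" \
        -subj "/CN=Lab Root CA" -days 30 -out "$LAB/ca.crt" 2>/dev/null
}

# Key + CSR for $1, signed by the CA; the CA records it in index.txt as "V".
issue_cert() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$LAB/$1.key"
    openssl req -new -key "$LAB/$1.key" -config "$LAB/ca.cnf" \
        -subj "/CN=$1" -out "$LAB/$1.csr" 2>/dev/null
    openssl ca -batch -notext -config "$LAB/ca.cnf" \
        -in "$LAB/$1.csr" -out "$LAB/$1.crt" >/dev/null 2>&1
}

# Flip $1's index.txt entry to "R" and publish a CRL from the same database.
revoke_cert() {
    openssl ca -config "$LAB/ca.cnf" -revoke "$LAB/$1.crt" >/dev/null 2>&1
    openssl ca -config "$LAB/ca.cnf" -gencrl -out "$LAB/crl.pem" >/dev/null 2>&1
}

# Print "good" or "revoked" for $1 the way an OCSP client would see it:
# build a request, answer it from index.txt (signed with the CA key), then
# verify the response against the CA. Nonces are disabled because request
# and response are exchanged as files here, not over a live connection.
ocsp_status() {
    openssl ocsp -issuer "$LAB/ca.crt" -cert "$LAB/$1.crt" -no_nonce \
        -reqout "$LAB/$1.req" >/dev/null 2>&1
    openssl ocsp -index "$LAB/index.txt" -CA "$LAB/ca.crt" \
        -rsigner "$LAB/ca.crt" -rkey "$LAB/ca.key" \
        -reqin "$LAB/$1.req" -respout "$LAB/$1.resp" >/dev/null 2>&1
    openssl ocsp -respin "$LAB/$1.resp" -issuer "$LAB/ca.crt" \
        -cert "$LAB/$1.crt" -CAfile "$LAB/ca.crt" -no_nonce 2>/dev/null |
        awk -F': ' '/\.crt: /{print $2; exit}'
}

# Demo run: prints "good" before revocation and "revoked" after it.
write_ca_config
build_ca
issue_cert client
echo "before revoke: $(ocsp_status client)"
revoke_cert client
echo "after revoke:  $(ocsp_status client)"
```

Both the OCSP answer and the CRL are produced from index.txt alone; after signing, nothing here reads the .csr again, while the .crt is still needed to build the revocation and the OCSP request by serial.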



Re: OT: Tools to manage PKI under OpenBSD

2016-06-24 Thread C. L. Martinez
On Fri 24.Jun'16 at 12:46:48 +, Dahlberg, David wrote:
> On Friday, 24.06.2016, at 11:45 +, C. L. Martinez wrote:
> 
> > I would like to deploy/setup a PKI under OpenBSD for my home lab.
> > Searching about this topic, I think the best option is to use
> > customized openssl/libressl scripts, but it could be very hard to keep
> > for certificate requests, revocations, etc.
> > 
> >  Any suggestion about what can be better option?
> 
> Have a look at security/xca, else define "better option".
> 
> Cheers

For "better option", I am speaking about what could be the best tool or 
procedure to manage a PKI under OpenBSD.


-- 
Greetings,
C. L. Martinez



OT: Tools to manage PKI under OpenBSD

2016-06-24 Thread C. L. Martinez
Hi all,

 I would like to deploy/setup a PKI under OpenBSD for my home lab. Searching 
about this topic, I think the best option is to use customized openssl/libressl 
scripts, but it could be very hard to keep for certificate requests, 
revocations, etc.

 Any suggestion about what could be a better option?

Thanks

-- 
Greetings,
C. L. Martinez



Error loading pf rules: Device busy

2016-01-02 Thread C. L. Martinez
Hi all,


I have a strange problem. Every time that I try to reload my pf rules I see
the following error message:


pfctl: DIOCADDRULE: Device busy.


I am using OpenBSD 5.8 amd64 fully patched.


Any idea??



Remove "flags S/SA keep state" for tcp packets

2015-12-15 Thread C. L. Martinez
Hi all,

 I am trying to remove "flags S/SA keep state" for tcp packets inside
pf.conf and use "keep state" only, as can be done with udp and icmp.

 According to pf.conf man page, this is possible inserting "no state"
in tcp rule, but I can't use keep state.

 Is it possible to remove "flags S/SA keep state" and use only "keep
state" for tcp packets?

 Thanks.

 P.D: I am using OpenBSD 5.8



Re: Remove "flags S/SA keep state" for tcp packets

2015-12-15 Thread C. L. Martinez
On Tue, Dec 15, 2015 at 9:49 AM, Peter N. M. Hansteen <pe...@bsdly.net> wrote:
> On Tue, Dec 15, 2015 at 09:24:03AM +0000, C. L. Martinez wrote:
>>
>>  I am trying to remove "flags S/SA keep state" for tcp packets inside
>> pf.conf and use "keep state" only, as can be done with udp and icmp.
>
> Why? What is it you're trying to achieve?
>
> You can override the default flags by specifying a different set or even
> 'flags any' but the question remains, why?
>
> --


Thanks Peter. Sorry for the delayed response.

I am trying to use divert-packet option inside pf rules to use
Suricata/Snort as an IPS.

At this moment, I can drop comms when an alert is triggered for udp
and icmp packets, but it doesn't work when it is a tcp packet. I was
thinking that if "using keep state for udp/icmp rules works, why not
for tcp?"

But maybe I am totally wrong ...



Re: Remove "flags S/SA keep state" for tcp packets

2015-12-15 Thread C. L. Martinez
On Tue, Dec 15, 2015 at 9:56 AM, David Dahlberg
<david.dahlb...@fkie.fraunhofer.de> wrote:
> On Tuesday, 15.12.2015, at 09:24 +, C. L. Martinez wrote:
>>  I am trying to remove "flags S/SA keep state" for tcp packets inside
>> pf.conf and use "keep state" only, as can be done with udp and icmp.
>>
>>  According to pf.conf man page, this is possible inserting "no state"
>> in tcp rule, but I can't use keep state.
>
> "keep state" is addressed in pf.conf(5) (e.g. "Stateful Tracking
> Options"), but it is not mentioned as often as it is the default.
>
> IOW: If you have not changed the default options, you may simply
> remove the "flags S/SA keep state" string without changing much (except
> that it might now also match UDP/ICMP).
>

Thanks David. I have not changed any default options but I can't see
how I can remove these flags ... I have tried with "flags any keep
state" without result. If I use "no state", packets are rejected ...



Re: Captive portal with OpenBSD as a hostap

2015-10-06 Thread C. L. Martinez
On Mon, Oct 5, 2015 at 1:26 PM, laudarch wrote:
> I made a custom implementation and a diff to authpf, will share that
> later just in case anyone wants it.
>
> I hope this helps you, it's pretty simple
> http://bastienceriani.fr/?p=70
>

Thanks laudarch ... Very close to what I am searching... I will try your config.



Re: OT: Exists some problem with dnscrypt-proxy package?

2015-09-21 Thread C. L. Martinez
On Mon, Sep 21, 2015 at 1:28 AM, frederick w. soucy wrote:
> On 2015.09.20, C.L. Martinez wrote:
>> Hi all,
>>
>>  I have installed an openbsd 5.7 VM today to do some tests with pf rules.
>> One of the components I need to enable in this gateway is
>> unbound+dnscrypt-proxy.
>>
>>  I have configured forwarding in unbound.conf:
>>
>>  forward-zone:
>> name: "."
>> forward-addr: 127.0.0.1@4553
>>
>>  And I have started dnscrypt-proxy with the following arguments:
>>
>> -d --user=_dnscrypt-proxy -a 127.0.0.1:4553 -R dnscrypt.eu-nl -p
>> /var/run/dnscrypt-proxy.pid
>>
>>  Output:
>>
>> 32032 ??  Is  0:00.00 /usr/sbin/ftp-proxy -m 25
>> 32411 ??  Is  0:00.00 /usr/local/sbin/dnscrypt-proxy -d
>> --user=_dnscrypt-proxy -a 127.0.0.1:4553 -R dnscrypt.eu-nl -p
>> /var/run/dnscrypt-proxy.pid
>>  5667 ??  I   0:00.03 /usr/local/sbin/dnscrypt-proxy -d
>> --user=_dnscrypt-proxy -a 127.0.0.1:4553 -R dnscrypt.eu-nl -p
>> /var/run/dnscrypt-proxy.pid
>>  1256 ??  Is  0:00.00 /usr/sbin/cron
>> 17818 ??  Ss  0:00.12 sshd: root@ttyp0 (sshd)
>>   527 ??  Is  0:00.05 unbound -c /var/unbound/etc/unbound.conf
>> 30164 p0  Ss  0:00.02 -ksh (ksh)
>>  7382 p0  R+  0:00.00 ps -xa
>> 16881 C0  Is+ 0:00.00 /usr/libexec/getty std.9600 ttyC0
>>  3047 C1  Is+ 0:00.00 /usr/libexec/getty std.9600 ttyC1
>>
>>  And it doesn't work. But if I change unbound's forward section to:
>>
>> forward-zone:
>> name: "."
>> #forward-addr: 127.0.0.1@4553
>> forward-addr: 8.8.8.8
>>
>>  Works ok. Removing the whole forward section, unbound works ok also. Then, I am
>> doing something wrong but I don't know what.
>>
>>  Any idea??
>>
>>  Thanks.
>
> i was having problems with dnscrypt.eu-nl today, could ping its ip but
> not get any dns resolution so i just switched to dnscrypt.eu-dk and
> everything is working again ymmv

Ok, it seems there is some problem with servers. This morning,
dnscrypt.eu-dk works, but not dnscrypt.eu-nl.

Uhmm ... I will try to update the dnscrypt-resolvers.csv file to test
more servers ...

Many thanks to all for your help.



Question about divert-to and divert-reply with pf.conf

2015-01-23 Thread C. L. Martinez
Hi all,

 I have installed a proxy server in a DMZ and I need to redirect all
http traffic from my internal LAN to this proxy server on my OpenBSD
firewall.

 Reading the pf.conf manual and the squid wiki, I see that this can be
accomplished using divert-to and divert-reply in pf.conf.

 Would the configuration be like this??

pass in quick on inet proto tcp from 192.0.2.0/24 to port www
divert-to 172.16.1.1 port 8080
pass out quick inet from 192.0.2.0/24 divert-reply

Thanks.
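As an added example (not part of the original post), the two placements of the proxy that the rules above conflate: pf.conf(5) defines divert-to as diverting packets to a socket on the firewall itself, so a proxy on a separate DMZ host needs rdr-to instead. Interface names, the proxy port and the LAN/DMZ layout are assumptions.

```pf
# Added example, not from the original post.  Assumptions: em1 faces the
# 192.0.2.0/24 LAN, em2 faces the DMZ, and the proxy at 172.16.1.1 listens
# on port 8080 in intercept (transparent) mode with its default route
# pointing back through this firewall, so its replies traverse the same
# state and the rewritten destination is undone on the way back.
int_if     = "em1"
dmz_if     = "em2"
lan_net    = "192.0.2.0/24"
proxy      = "172.16.1.1"
proxy_port = "8080"

# Proxy on a separate DMZ host: rewrite the destination with rdr-to.
# divert-to does not apply here, since it only reaches a socket on this
# machine.  Traffic addressed to the proxy itself is excluded so that the
# rule cannot loop.
pass in quick on $int_if inet proto tcp from $lan_net to ! $proxy port www \
    rdr-to $proxy port $proxy_port

# With the default floating state policy the state created above already
# matches the rewritten packet leaving on the DMZ side; this explicit out
# rule documents the flow and becomes required with "set state-policy if-bound".
pass out quick on $dmz_if inet proto tcp from $lan_net to $proxy port $proxy_port

# Alternative: proxy running on the firewall itself, bound to 127.0.0.1.
# This is the case the divert-to/divert-reply pair exists for: divert-to
# hands the packet, unmodified, to the local listening socket, and
# divert-reply delivers replies to the proxy's outbound sockets that are
# bound to the client's (non-local) address.  Use one variant, not both.
#pass in quick on $int_if inet proto tcp from $lan_net to port www \
#    divert-to 127.0.0.1 port $proxy_port
#pass out quick inet from $lan_net divert-reply

# Parse without loading, before pfctl -f:  pfctl -nf /etc/pf.conf
```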



Re: Unable to install openbsd 5.6 in a HP Proliant ML115 G5

2015-01-07 Thread C. L. Martinez
On Tue, Jan 6, 2015 at 3:07 AM, Steve Shockley
steve.shock...@shockley.net wrote:
 On 1/5/2015 7:52 PM, Stuart Henderson wrote:

 Some things to try: (Change only 1 thing at a time, and remember what you
 changed.)


 Also check the baseboard/system firmware; I didn't see anything specifically
 related in the release notes but HP occasionally makes undocumented fixes.


Sorry for this later response. It seems there is some type of problem
with the nvidia controller device. Server was returned to our dealer
to repair. When it will be returned to us, I will try to install
OpenBSD ...

Many thanks for your help.



Unable to install openbsd 5.6 in a HP Proliant ML115 G5

2015-01-05 Thread C. L. Martinez
Hi all,

 I am trying to install OpenBSD 5.6 on a HP ProLiant ML115 G5, but the
install process doesn't start ... It stops at the USB detection step. There
is no error on the console.

 This server uses an Nvidia MCP55 controller device for SATA and USB
devices ... Maybe this is the problem??

 In OpenBSD's manual pages, I see that it is supported for ethernet:

http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-5.6/man4/nfe.4?query=nvidia&apropos=1&manpath=OpenBSD-5.6

Any idea??



Re: Unable to install openbsd 5.6 in a HP Proliant ML115 G5

2015-01-05 Thread C. L. Martinez
On Mon, Jan 5, 2015 at 1:11 PM, Jiri B ji...@devio.us wrote:
 On Mon, Jan 05, 2015 at 12:49:34PM +, C. L. Martinez wrote:
 Hi all,

  I am trying to install OpenBSD 5.6 on a HP ProLiant ML115 G5, but the
 install process doesn't start ... It stops at the USB detection step. There
 is no error on the console.

  This server uses an Nvidia MCP55 controller device for SATA and USB
 devices ... Maybe this is the problem??

  In OpenBSD's manual pages, I see that it is supported for ethernet:

 http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-5.6/man4/nfe.4?query=nvidia&apropos=1&manpath=OpenBSD-5.6

 Any idea??

 It seems it has serial port, capture as much of dmesg
 as you can and attach to mail. Devs usually get angry
 because of missing dmesg...

 j.

Sorry, but I haven't got a serial cable. Would a photo of the screen help?



Re: About special configs to do in OpenBSD for KVM environments

2014-12-19 Thread C. L. Martinez
On Fri, Dec 19, 2014 at 7:51 AM, Peter Hessler phess...@theapt.org wrote:
 On 2014 Dec 19 (Fri) at 07:35:28 + (+), C. L. Martinez wrote:
 :b) OpenBSD/amd64: set up vio flags to 0x02

 The man page for vio(4) says:
  Setting the bit 0x2 in the flags disables the RingEventIndex feature.
  This can be tried as a workaround for possible bugs in host
  implementations of vio at the cost of slightly reduced performance.

 What bugs in the host implementation, which versions are affected, how
 bad is the performance hit, and should this be the default?


Yep, sorry Peter, you are right: OpenBSD 5.6 release.

And some weeks ago, when I tried to copy several files (4 GiB) using
virtio for NICs and disks, I got the same problem that Michael
describes here:

http://blather.michaelwlucas.com/archives/2083



Re: About special configs to do in OpenBSD for KVM environments

2014-12-19 Thread C. L. Martinez
On Fri, Dec 19, 2014 at 8:04 AM, Peter Hessler phess...@theapt.org wrote:
 On 2014 Dec 19 (Fri) at 08:01:00 + (+), C. L. Martinez wrote:
 :On Fri, Dec 19, 2014 at 7:51 AM, Peter Hessler phess...@theapt.org wrote:
 : On 2014 Dec 19 (Fri) at 07:35:28 + (+), C. L. Martinez wrote:
 : :b) OpenBSD/amd64: set up vio flags to 0x02
 :
 : The man page for vio(4) says:
 :  Setting the bit 0x2 in the flags disables the RingEventIndex feature.
 :  This can be tried as a workaround for possible bugs in host
 :  implementations of vio at the cost of slightly reduced performance.
 :
 : What bugs in the host implementation, which versions are affected, how
 : bad is the performance hit, and should this be the default?
 :
 :
 :Yep, sorry Peter, you are right: OpenBSD 5.6 release.
 :

 I more mean: which versions on the host will trigger this behaviour.



KVM hosts?? CentOS 6.5 and CentOS 6.6, both x86_64. And OpenBSD 5.6/amd64



About special configs to do in OpenBSD for KVM environments

2014-12-18 Thread C. L. Martinez
Hi all,

 Please, first of all, I don't want to start a flame war or anything similar.
I only want to know what problems I can encounter when I need to
install OpenBSD in KVM environments (mostly CentOS 6.x servers).

 Yes, I know, OpenBSD is not supported to run in virtualization
environments, but many of us only have access to that kind of
environment for testing (new pf rules, updates, etc). We can't use
physical servers and, although I am not a big fan of this type of
technology, it is here to stay.

 My questions are KVM specific. As far as I know:


a) OpenBSD/i386: turn APIC off and set up vio flags to 0x02

b) OpenBSD/amd64: set up vio flags to 0x02


Anything else??



Re: Securing communications with OpenBSD

2014-10-09 Thread C. L. Martinez
On Thu, Oct 9, 2014 at 7:21 AM, Duncan Patton a Campbell
campb...@neotext.ca wrote:
 On Tue, 7 Oct 2014 07:08:54 +
 C. L. Martinez carlopm...@gmail.com wrote:

 On Mon, Oct 6, 2014 at 11:52 PM, Duncan Patton a Campbell
 campb...@neotext.ca wrote:
  The most basic consideration in computer security has nothing to
  do with technology and computers.  Do the people you need to keep
  out of the know need to know enough to come and break legs?
 
  If so, don't bother encrypting.  They may not just break legs.
 
  Dhu
 
  On Mon, 06 Oct 2014 13:48:33 -0600
  chester.t.fi...@hushmail.com wrote:
 
  Very true, filling your subterranean data server with angry hornets
  certainly seems like a good idea but it's really not, most AC
  maintenance contractors will charge you extra (usually per sting!).
 
  Chester T. Field
 
  And remember when I left all the meat out because I saw Mr. David Lynch 
  “I’m on TV” do it,
  and he got on TV from doin’ it, and I did it and didn’t get on TV from 
  doin’ it?  - Gandhi
 
  On 10/6/2014 at 1:37 PM, Matti Karnaattu mkarnaa...@gmail.com wrote:
  
  Yes, my goal is to secure the
  infrastructure as much as possible.
  
  I don't know details but it sounds overly complex. And complexity
  may cause other issues, without any benefit for security.
  
  Example, you don't have to encrypt your whole hard disk if the hard
  disk is located in guarded bunker. But if you do that, it will
  increase
  security in theory but that may cause service outtage if you have
  to
  always locally type your crypt password if machine crashes.
  
  I would put this effort to ease maintainability, ease monitoring,
  use stateful firewall, deploy honeypot etc. and avoid complexity.
 

 Thanks guys for your answers. I know it: our IT security dept. adds
 complexity to our infrastructure, but they are determined to do so.

 Searching via google I found this:

 http://www.safenet-inc.com/data-encryption/

 HSM: hardware security modules ... But there is another problem. If I
 would like to use some SSL/TLS or IPsec based solution, how can I
 authenticate these servers between them without compromising host
 security??

 Any ideas??



 Is man 8 iked what you are looking for?

 Dhu

Uhmm ... I don't understand your question, Duncan... Using IPsec is a
possibility.



Re: Securing communications with OpenBSD

2014-10-07 Thread C. L. Martinez
On Mon, Oct 6, 2014 at 11:52 PM, Duncan Patton a Campbell
campb...@neotext.ca wrote:
 The most basic consideration in computer security has nothing to
 do with technology and computers.  Do the people you need to keep
 out of the know need to know enough to come and break legs?

 If so, don't bother encrypting.  They may not just break legs.

 Dhu

 On Mon, 06 Oct 2014 13:48:33 -0600
 chester.t.fi...@hushmail.com wrote:

 Very true, filling your subterranean data server with angry hornets
 certainly seems like a good idea but it's really not, most AC
 maintenance contractors will charge you extra (usually per sting!).

 Chester T. Field

 And remember when I left all the meat out because I saw Mr. David Lynch “I’m 
 on TV” do it,
 and he got on TV from doin’ it, and I did it and didn’t get on TV from doin’ 
 it?  - Gandhi

 On 10/6/2014 at 1:37 PM, Matti Karnaattu mkarnaa...@gmail.com wrote:
 
 Yes, my goal is to secure the
 infrastructure as much as possible.
 
 I don't know details but it sounds overly complex. And complexity
 may cause other issues, without any benefit for security.
 
 Example, you don't have to encrypt your whole hard disk if the hard
 disk is located in guarded bunker. But if you do that, it will
 increase
 security in theory but that may cause service outtage if you have
 to
 always locally type your crypt password if machine crashes.
 
 I would put this effort to ease maintainability, ease monitoring,
 use stateful firewall, deploy honeypot etc. and avoid complexity.


Thanks guys for your answers. I know it: our IT security dept. adds
complexity to our infrastructure, but they are determined to do so.

Searching via google I found this:

http://www.safenet-inc.com/data-encryption/

HSM: hardware security modules ... But there is another problem. If I
would like to use some SSL/TLS or IPsec based solution, how can I
authenticate these servers between them without compromising host
security??

Any ideas??



Securing communications with OpenBSD

2014-10-06 Thread C. L. Martinez
Hi all,

 I appeal to you to see if you can give me some advice. I need to
secure communications between my front-end and back-end servers.

 First, my infrastructure:


Internet --- Public OpenBSD Carp'ed fws --- FreeBSD front-end web
servers (https) --- Internal OpenBSD Carp'ed fws --- CentOS back-end
servers (http, tomcat and Oracle 11g DB).

 Between these back-end and front-end servers, packet average is 1000 pkt/sec.

 And as you can imagine, traffic between these back-end and front-end
servers goes in clear.

 I'm planning to deploy OpenBSD based servers between these back/front
end servers using these technologies, both or only one.


a) Establishing SSL tunnels.
b) Establishing IPSec tunnels host to host.

 I could establish tunnels from these servers directly, but I prefer
to avoid the processing and/or performance impact that would occur.

 And another thing: I need to secure comms between back-end servers
also. Oracle DB hosts are installed on different hosts than the tomcat
application servers, for example.


 Is my approach correct? Any other better solution? Is this approach stupid?

 Thanks.

P.S.: I can use cryptographic cards, if I need them.



Re: Securing communications with OpenBSD

2014-10-06 Thread C. L. Martinez
On Mon, Oct 6, 2014 at 2:27 PM, Alan McKay alan.mc...@gmail.com wrote:
 On Mon, Oct 6, 2014 at 2:00 AM, C. L. Martinez carlopm...@gmail.com wrote:
  Is my approach correct? Any other better solution? Is it stupid this 
 approach?

 You did not really state what your goal was.   Or what the problem is.

 Securing communications between front and back end via SSH/SSL is
 not a goal or problem.  It is a solution to a problem.

 To me it seems a bit strange that you'd want to do this if they are all in the
 same rack, for example, connected to switches that you control.

 Is the goal just to make your infrastructure as secure as possible?

Thanks Alan for your answer. Yes, my goal is to secure the
infrastructure as much as possible. Our IT Security Dept. has made a
request in that direction.



Re: Does this usb wireless adapter work?

2014-02-01 Thread C. L. Martinez
On Fri, Jan 31, 2014 at 6:06 PM, Alexander Pakhomov ker0...@yandex.ru wrote:
 No, it doesn't.
 It crashes kernel once a day and deadly hangs till reboot every 30 min.
 I've sent a bug report, but nobody cares.
 I use RTL8192CU. It crashes kernel once a month.


Sorry for this late response ... Oops ... then, what usb wireless
adapter can I use for an OpenBSD hostap?? It seems that Alfa Networks
adapters are not a good option ...



Does this usb wireless adapter work?

2014-01-31 Thread C. L. Martinez
Hi all,

 I have installed an OpenBSD 5.4 amd64 host to act as a wifi AP (I
know it, it is not a good option to use a usb adapter for this, but it
is my only option).

 I would like to use this usb wireless adapter: AWUS036NHA
(http://www.alfa.com.tw/products_show.php?pc=34&ps=20) but searching
openbsd's man pages I didn't find any info about it.

 As you can see, this usb adapter uses an Atheros AR9271 chip ...
Does it work under OpenBSD?? And can I use it as a hostap under openbsd??

Thanks.



Re: Does this usb wireless adapter work?

2014-01-31 Thread C. L. Martinez
On Fri, Jan 31, 2014 at 2:56 PM, Kirill Bychkov ki...@linklevel.net wrote:
 On Fri, January 31, 2014 17:50, C. L. Martinez wrote:
 Hi all,

  I have installed an OpenBSD 5.4 amd64 host to act as a wifi AP (I
 know it, it is not a good option to use a usb adapter for this, but it
 is my only option).

  I would like to use this usb wireless adapter: AWUS036NHA
 (http://www.alfa.com.tw/products_show.php?pc=34&ps=20) but searching
 openbsd's man pages I didn't find any info about it.

  As you can see, this usb adapter uses an Atheros AR9271 chip ...
 Does it work under OpenBSD?? And can I use it as a hostap under openbsd??

 Thanks.


 Hi. This one should be supported by athn driver.
 From man athn:
  The following table summarizes the supported chips and their
  capabilities.
  Chipset   Spectrum   TxR:S   Bus
  [snip]
  AR9271    2GHz       1x1:1   USB 2.0
  [snip]


oops .. that's my fault ... Many thanks Kirill ...



Re: Does this usb wireless adapter work?

2014-01-31 Thread C. L. Martinez
On Fri, Jan 31, 2014 at 3:26 PM, Josh Grosse j...@jggimi.homeip.net wrote:
 On 2014-01-31 08:50, C. L. Martinez wrote:

  As you can see, this usb adapter uses an Atheros AR9271 chip ...
 Does it work under OpenBSD?? And can I use it as a hostap under openbsd??


 I'm replying off list because I don't know the status of a bug reported with
 a USB attached AR9271 with OpenBSD 5.3-release at the end of May:

 http://marc.info/?l=openbsd-bugs&m=137001370631666&w=2

 There may have been a fix, or this bug may not apply to the specific
 implementation of your chosen USB device.

 You might contact the original poster before making your acquisition.

Uhmm ... Thanks Josh for the info (I will try to contact him). Then,
any recommendation about some usb wifi adapter that works as a hostap
under openbsd without problems??



OT: Recommended wireless usb adapter as a hostap

2013-12-20 Thread C. L. Martinez
Hi all,

 I would like to use my openbsd fw box to provide wifi access for
friends, family, etc when they come to my home.

 Due to hardware restrictions, I can only add a wireless usb
adapter to use as a hostap, and yes, I know that is not the best
option, but ...

 Any recommendations about some usb wifi adapter that works well as a
hostap under OpenBSD 5.4 and up??

Thanks.



ipsec or iked to deploy under openbsd carp fws

2013-12-02 Thread C. L. Martinez
Hi all,

 I need to deploy IPSec tunnels (lan-to-lan and road warrior clients
like linux and windows) under two openbsd carp firewalls.

 Searching in google and reading some docs, I have several doubts
about which one to choose. If I am not wrong, iked doesn't support
sasyncd, is that correct??

 What option can be best to deploy in these firewalls: ipsec
(ipsec.conf and isakmpd) or iked?

Thanks.



Re: ipsec or iked to deploy under openbsd carp fws

2013-12-02 Thread C. L. Martinez
On Mon, Dec 2, 2013 at 8:13 AM, C. L. Martinez carlopm...@gmail.com wrote:
 Hi all,

  I need to deploy IPSec tunnels (lan-to-lan and road warrior clients
 like linux and windows) under two openbsd carp firewalls.

  Searching in google and reading some docs, I have several doubts
 about which one to choose. If I am not wrong, iked doesn't support
 sasyncd, is that correct??

  What option can be best to deploy in these firewalls: ipsec
 (ipsec.conf and isakmpd) or iked?

 Thanks.

Sorry, I am using openbsd 5.4 in these fws.



pfsync0 doesn't start

2013-11-27 Thread C. L. Martinez
Hi all,

 I am doing some tests with two OpenBSD 5.4 hosts configuring carp
features. Everything is ok, except for the pfsync0 interface: it doesn't
start up at system boot or when both are rebooted. I need to start it
manually every time.

cat /etc/hostname.pfsync0
up syncdev em3

Is this configuration wrong?? Any idea why??

Thanks.



Re: pfsync0 doesn't start

2013-11-27 Thread C. L. Martinez
On Wed, Nov 27, 2013 at 3:25 PM, andy a...@brandwatch.com wrote:
 On Wed, 27 Nov 2013 15:08:33 +, C. L. Martinez
 carlopm...@gmail.com
 wrote:
 Hi all,

  I am doing some tests with two OpenBSD 5.4 hosts configuring carp
 features. Everything is ok, except for the pfsync0 interface: it doesn't
 start up at system boot or when both are rebooted. I need to start it
 manually every time.

 cat /etc/hostname.pfsync0
 up syncdev em3

 Do you also have;
 cat /etc/hostname.em3
 inet 192.168.0.252 255.255.255.0
 up



Yes, interface em3 is up ..



Re: pfsync0 doesn't start

2013-11-27 Thread C. L. Martinez
On Wed, Nov 27, 2013 at 4:12 PM, andy a...@brandwatch.com wrote:
 On Wed, 27 Nov 2013 15:31:49 +, C. L. Martinez
 carlopm...@gmail.com
 wrote:
 On Wed, Nov 27, 2013 at 3:25 PM, andy a...@brandwatch.com wrote:
 On Wed, 27 Nov 2013 15:08:33 +, C. L. Martinez
 carlopm...@gmail.com
 wrote:
 Hi all,

  I am doing some tests with two OpenBSD 5.4 hosts configuring carp
 features. Everything is ok, except for the pfsync0 interface: it doesn't
 start up at system boot or when both are rebooted. I need to start it
 manually every time.

 cat /etc/hostname.pfsync0
 up syncdev em3

 Do you also have;
 cat /etc/hostname.em3
 inet 192.168.0.252 255.255.255.0
 up



 Yes, interface em3 is up ..

 If you have an 'up' in your /etc/hostname.em3 file, and your pfsync0 looks
 right, have you tried running /etc/netstart to correct the permissions on
 your files.
 Other than that I don't know.. I've not heard of pfsync not starting at
 all before. It always starts without issue for us (albeit slowly).
 I have known it to take over 60 seconds after rebooting a box for pfsync
 to go up properly and for the carp demotion counters to come all the way
 down. I figured that was just due to various pfsync timers and the time
 taken to get the boxes in sync.

Thanks Andy. I have found the problem. I am doing these tests without
PF enabled. After enabling PF, pfsync0 interface is up and all works
ok.



Similar tool as poudriere for OpenBSD

2013-11-11 Thread C. L. Martinez
Hi all,

 Does a tool similar to poudriere for FreeBSD exist in OpenBSD? This
tool mass-builds packages for FreeBSD hosts and for different
versions and releases (current, stable, release).

https://wiki.freebsd.org/PkgPrimer
https://fossil.etoilebsd.net/poudriere/doc/trunk/doc/index.wiki

Thanks.



Re: Similar tool as poudriere for OpenBSD

2013-11-11 Thread C. L. Martinez
On Mon, Nov 11, 2013 at 4:29 PM, Vigdis vigdis+o...@chown.me wrote:
 On Mon, 11 Nov 2013 15:37:17 +,
 C. L. Martinez carlopm...@gmail.com wrote:

 Hi all,

  Does a tool similar to poudriere for FreeBSD exist in OpenBSD? This
 tool mass-builds packages for FreeBSD hosts and for different
 versions and releases (current, stable, release).

 https://wiki.freebsd.org/PkgPrimer
 https://fossil.etoilebsd.net/poudriere/doc/trunk/doc/index.wiki

 Thanks.


 http://openbsd.org/faq/faq15.html#dpb



Yep, pretty pretty close ... But if I understand correctly, if I would
like to build ports for i386 and amd64 archs I need to use two hosts:
one to build i386 ports and another to build amd64 ports, correct??



Re: Similar tool as poudriere for OpenBSD

2013-11-11 Thread C. L. Martinez
On Tue, Nov 12, 2013 at 12:04 AM, Theo de Raadt dera...@cvs.openbsd.org wrote:
 Note that these are all *deliberate design choices* in OpenBSD and its ports 
 tree,
 not a limitation of the tool.

 It follows the 'eat our own dogfood' principle.  We only have so many machines
 and developers around to eat our own dogfood, so we don't do cross 
 compilations.

 That would require more machines, or more people watching more machines, or
 looked at from the other side, it would mean less watching of the specific
 cases that matter the most (ie. native).

 Those all come from lack of manpower with respect to expected quality of the 
 results.

 Right.

 We run on many architectures, because it helps improve the quality.

 Running via cross compilers?  That does not improve the quality of
 the resulting native output in any way.

 It might improve the quality of the cross compilation environment, or
 the compiler itself, but that is not where our core responsibilities
 lie.  And anyways, it is rather apparent that those who have that as
 a core responsibility also have far fewer cross-targets in mind than
 might be useful (ie. walk off their map, and you'll step in mud).

Perfect. Many thanks to all.



Re: Management of pf.conf

2013-07-12 Thread C. L. Martinez
On Thu, Jul 11, 2013 at 8:51 PM, Patrick Lamaiziere
patf...@davenulle.org wrote:
 Le Thu, 11 Jul 2013 13:18:13 +0200 (CEST),
 Jummo jum...@yahoo.de a écrit :

 This works quite well for me and my firewalls with one exception, my
 big fat central router/firewall. This firewall has around 2000 lines
 of pf.conf, is attached with 12 VLAN interfaces and gets slowly
 unmanageable with this concept.

 How do you manage such big firewalls? Do you split the pf.conf into
 logical parts? Do you use a base structure for every pf.conf? Do you
 use a tool for automatic creation of pf.conf? How do you test your
 old rules after you changed something?

 We have a large set of rules at work on several routers/firewalls and we
 use a tool 'list firewall (lsfw)' to help to manage the rules set. The
 goal is to display the rules applied between a source address and a
 destination, on several equipments, doing routing and firewalling.
 See: https://groupes.renater.fr/wiki/jtacl/index

 It has some other features, ip cross references for example, which is
 cool to know where an address is used directly or indirectly (in
 table/group) or to extract the addresses from the configurations and to
 automate tests on them.

 That works fine at work (PF + cisco + checkpoint), but there are some
 limitations (see the doc...)

 My next step is a tool to manage security policies. I mean if someone
 asks to open a port, we should be able to track this policy (who, why,
 which rules are used) and to check it. This is work in (slow) progress.
 If someone already has such tool please let me know :)

 If you want more details ask me, this is a bit off topic here.

 Regards.



A really, really interesting topic. I have the same problem with my
CARP firewalls (20 in total), but I think the best option is the one
that Andy describes: fast, reliable and secure (if you know what you are
doing) ...

Andy, do you use the firewall module that comes with puppet to
accomplish this task??



Re: Management of pf.conf

2013-07-12 Thread C. L. Martinez
On Fri, Jul 12, 2013 at 11:12 AM, Andy a...@brandwatch.com wrote:
 Hi,

 No we don't use the puppet firewall module as it doesn’t support PF
 properly. We don't use any 'software' to manage PF rules, but we do still
 have rules sets with thousands of lines.

 I have never found any PF configuration software that comes anywhere near
 what can be done with a carefully designed and hand written PF file
 structure, using Vim (with a modified bashrc and filetypes), reading the
 Book of PF and following the OpenBSD change logs to keep up with new
 features/changes and knowing the PF flow diagram by heart (
 http://notamentaldowu.files.wordpress.com/2009/08/flow.png?w=700).
 There just simply isn't a magic bullet if you want to achieve the full power
 of PF..

 There are many great pieces of PF software out there which are good for people
 who are learning, but none which can ever fully support the extremely wide
 features and packet mangling capabilities of PF (which is continually
 growing and changing), or can correctly parse all of our rules. Things
 especially get more complicated for parsing when you have multiple 'related'
 rules attached to different physical interfaces, but where all are needed to
 pass and queue a desired flow.

 I believe that a well structured PF file which is built up using several
 includes etc with a strong consistent structure is the best way to have
 access to all the latest features and functions whilst maintaining
 visibility and ease of management.

 To make PF super friendly in Vim, set-up your PF syntax highlighting;
 /root/.vimrc;
 so /root/.vim/filetypes.vim
 set guifont=9x15bold
 set ruler
 syntax on
 set tabstop=4
 set shiftwidth=4
 filetype on

 /root/.vim/filetypes.vim;
 augroup filetype
 au!
 au BufRead,BufNewFile *.c set filetype=c
 au BufRead,BufNewFile pf.* set filetype=pf
 au BufRead,BufNewFile pf.conf set filetype=pf
 au BufRead,BufNewFile pf.conf.* set filetype=pf
 au BufRead,BufNewFile snort.conf set filetype=hog
 au BufRead,BufNewFile snort.conf.* set filetype=hog
 augroup END

 Not wanting to waffle as this is already long, but seeing as people seem
 interested (tell me to shut up if I am just generating noise ;) we structure
 our PF's roughly as follows;
 Global common;
 'pf.conf.internalnetworks' - Defines common macro names for all of the
 different subnets we have globally; E.g. int_net_hbase=10.0.50.0/24,
 int_net_solr=10.0.51.0/24, int_net_stage=10.0.52.0/24 .
 'pf.conf.hosts' - This is a dynamic file. We have a script on each firewall
 which connects to the 'local' LDAP server, downloads every host macro for
 that zone and prints the int_ip_cn name=IP macros into pf.conf.hosts
 'pf.conf.publicips' - defines common macro names for all of our public IP
 addresses to the roles they provide access to (multiple roles means multiple
 macros with the same IP etc)
 'pf.conf.tables' - defines common tables like blacklist_hosts, snort2pf,
 ossec_fwtable, trusted_networks etc
 'pf.conf.options' - defines all our non-default firewall options including
 'states', 'table-entries'  and all of our 'Stateful Tracking Option'
 macros
 'pf.conf.portgroups' - defines common service groups. E.g.
 'office_mail_protos=smtp, 465, submission, imaps, pop3s',
 'office_chat_tcpports=5190, 5222, 5223, 5269, 5349' etc
 Per environment common (DC, Office etc);
 'pf.conf.queues.office' - defines all our HFSC queues (NB; the bandwidth
 values are $variables which are defined in the site specific includes
 allowing for a generic queue structure for all offices).
 'pf.conf.queues.livedc' - defines all our HFSC queues (NB; the bandwidth
 values are $variables which are defined in the site specific includes
 allowing for a generic queue structure for all offices).
 'pf.conf.rules.common.office' - The common office rules
 'pf.conf.rules.common.dc' - The common DC rules
 'pf.conf.scrub' -antispoof, urpf-failed, non_routable drops, packet
 scrubbing and tagging etc
 Site Specific;
 'pf.conf.interfaces.berlin' - Defines common macro names mapping to all the
 physical interface names; E.g. if_ext=em0, if_lan=em1, if_dmz=em2
 .
 'pf.conf.interfaces.newyork' - Defines common macro names mapping to all the
 physical interface names; E.g. if_ext=em0, if_lan=em1, if_dmz=em2
 .
 'pf.conf.rules.berlin' - rdr-to, binat-to, nat-to, block, pass etc.. These
 bespoke per site rule files are now small and easy to manage :)
 'pf.conf.rules.newyork' - rdr-to, binat-to, nat-to, block, pass etc..
 .
 etc

 Puppet then pushes out the appropriate files to the appropriate firewalls
 using simple manifests.

 Hope this makes sense.. By grouping and standardising common things, the
 final site specific rules become very small and easy to read, and making
 wider global/environment changes is a one-file change :)

 NB; When writing filter rules try to continue to be consistent and maintain
 structure remembering the 'PF skip steps' (PF optimises rule inspection by
 grouping rules (skip steps) 

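As an added example (not Andy's actual files), a top-level /etc/pf.conf for one site that wires the layers he describes together, followed by what is left in that site's own rules file. The /etc/pf directory, the ordering rationale and every macro, table and queue name not quoted in his post are assumptions.

```pf
# /etc/pf.conf on the Berlin firewall.  Added example: the file names are
# the ones from the post, everything else (paths, macro and table names,
# the site rules) is assumed.  pf.conf(5) requires options to come before
# queue definitions and queues before rules, so the shared layers are
# included in that order; macros and tables only need to precede their
# first use.

# --- global common layer, identical on every firewall, pushed by puppet ---
include "/etc/pf/pf.conf.internalnetworks"   # int_net_hbase = "10.0.50.0/24" ...
include "/etc/pf/pf.conf.hosts"              # generated from LDAP: int_ip_<cn> = "<ip>"
include "/etc/pf/pf.conf.publicips"          # one macro per public IP and role
include "/etc/pf/pf.conf.tables"             # table <blacklist_hosts> persist ...
include "/etc/pf/pf.conf.options"            # set limit states ..., set limit table-entries ...
include "/etc/pf/pf.conf.portgroups"         # office_mail_protos = "{ smtp, 465, submission, imaps, pop3s }"

# --- site-specific macros: interface names, plus the bandwidth figures the
#     shared queue file refers to, so this must precede that file ---
include "/etc/pf/pf.conf.interfaces.berlin"  # if_ext = "em0", if_lan = "em1", if_dmz = "em2", ext_bw = "100M"

# --- per-environment layer (this site is an office) ---
include "/etc/pf/pf.conf.queues.office"      # queue definitions on $if_ext using $ext_bw ...
include "/etc/pf/pf.conf.scrub"              # match in all scrub (no-df), antispoof, urpf-failed drops
include "/etc/pf/pf.conf.rules.common.office"

# --- site-specific rules: small, because everything above is shared ---
include "/etc/pf/pf.conf.rules.berlin"

# --- assumed contents of /etc/pf/pf.conf.rules.berlin: only what is unique
#     to this site remains, and every name comes from the shared includes ---
block return in quick on $if_lan from <blacklist_hosts>
pass in on $if_ext inet proto tcp to $pub_ip_mail port $office_mail_protos \
    rdr-to $int_ip_mail01
pass in on $if_lan inet from $int_net_stage to $int_net_solr

# Parse the assembled rule set without loading it:  pfctl -nf /etc/pf.conf
```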
Is openbsd.org down??

2013-06-13 Thread C. L. Martinez
Hi all,

 Trying to access:

 gateway timeout ...



Re: OT: OpenVAS under OpenBSD 5.3

2013-06-08 Thread C. L. Martinez
On Fri, Jun 7, 2013 at 8:24 PM, Nigel Taylor
njtay...@asterisk.demon.co.uk wrote:
 On 06/07/13 13:52, C. L. Martinez wrote:
 Hi all,

  Has somebody tried it under OpenBSD? I need to deploy a new VA server
 to substitute my previous CentOS/Nessus server.

  What version is more stable under OpenBSD: 5 or 6?? Any tips??

 Thanks.


 it's not the latest version. I haven't updated it for some time.

 openvas-gsd-1.2.2.tgz
 openvas-libraries-5.0.4.tgz
 openvas-manager-3.0.4.tgz
 openvas-gsa-3.0.3.tgz
 openvas-scanner-3.3.1.tgz
 openvas-administrator-1.2.1.tgz
 openvas-cli-1.1.5.tgz

 The ports can be found here
 https://github.com/jasperla/openbsd-wip/tree/master/security/openvas

 You also need this port

 https://github.com/jasperla/openbsd-wip/tree/master/www/libmicrohttpd



 Many thanks Nigel ... I will look at it .. have you tried to compile
version 6?? Can I expect some problem??



OT: OpenVAS under OpenBSD 5.3

2013-06-07 Thread C. L. Martinez
Hi all,

 Has somebody tried it under OpenBSD? I need to deploy a new VA server
to substitute my previous CentOS/Nessus server.

 What version is more stable under OpenBSD: 5 or 6?? Any tips??

Thanks.



OT: Running Snort IDS under OpenBSD 5.3

2013-05-31 Thread C. L. Martinez
Hi all,

 I am trying to run snort IDS (release 2.9.4.6) with only so_rules
under an OpenBSD 5.3 amd64 host, but the numbers are disappointing.

 Host is an Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, with 8 GiB RAM and
four e1000 interfaces.

 Some numbers:

top:
load averages:  0.69,  0.65,  0.53
31 processes: 30 idle, 1 on processor
CPU0 states:  2.8% user,  0.0% nice,  0.4% system, 20.4% interrupt, 76.4% idle
CPU1 states:  2.2% user,  0.0% nice,  0.8% system,  0.0% interrupt, 97.0% idle
CPU2 states:  3.0% user,  0.0% nice,  3.4% system,  0.0% interrupt, 93.6% idle
CPU3 states:  6.0% user,  0.0% nice,  5.0% system,  0.0% interrupt, 89.0% idle
Memory: Real: 587M/2947M act/tot Free: 5012M Cache: 2213M Swap: 0K/6142M

  PID USERNAME PRI NICE  SIZE   RES STATE WAIT  TIME    CPU COMMAND
14655 root   40  393M  183M sleep/1   bpf   8:44 14.26% snort
25669 root   40 1132K 1740K sleep/2   bpf   0:06  3.52% daemonlogger

systat ifstat (snort process is listening in em3)

3 users    Load 0.89 0.71 0.56    Fri May 31 06:23:13 2013

IFACE   STATE   DESC   IPKTS   IBYTES   IERRS   OPKTS   OBYTES   OERRS   COLLS
em0     up             2  13200  261  00
em1     up             0  12600  131  00
em2     up             10348  3425952000  00
em3     up             10346  3425044000  00


systat mbufs


IFACE LIVELOCKS  SIZE ALIVE   LWM   HWM   CWM
System0   256   185  56
   2k   171 435
lo0
em02k 6 4   256 6
em12k 6 4   256 4
em22k66 4   25666
em32k65 4   25665


Stats with ALL so_rules disabled (5 min, more or less):

Rule application order:
activation-dynamic-pass-drop-sdrop-reject-alert-log
Verifying Preprocessor Configurations!
ICMP tracking disabled, no ICMP sessions allocated
IP tracking disabled, no IP sessions allocated
0 out of 1024 flowbits in use.

Packet Performance Monitor Config:
  ticks per usec  : 2417 ticks
  max packet time : 1 usecs
  packet action   : fastpath-expensive-packets
  packet logging  : log
  debug-pkts  : disabled

Rule Performance Monitor Config:
  ticks per usec  : 2417 ticks
  max rule time   : 4096 usecs
  rule action : suspend-expensive-rules
  rule threshold  : 5
  suspend timeout : 10 secs
  rule logging: log
pcap DAQ configured to passive.
Acquiring network traffic from em4.
Reload thread starting...
Reload thread started, thread 0xc100dbb8f00 (18056)
Decoding Ethernet

--== Initialization Complete ==--

   ,,_ -* Snort! *-
  o  )~   Version 2.9.4.6 GRE (Build 73)
   By Martin Roesch  The Snort Team:
http://www.snort.org/snort/snort-team
   Copyright (C) 1998-2013 Sourcefire, Inc., et al.
   Using libpcap version 1.3.0
   Using PCRE version: 8.31 2012-07-06
   Using ZLIB version: 1.2.3

   Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.17  Build 18
   Rules Object: web-misc  Version 1.0  Build 1
   Rules Object: web-iis  Version 1.0  Build 1
   Rules Object: web-client  Version 1.0  Build 1
   Rules Object: web-activex  Version 1.0  Build 1
   Rules Object: specific-threats  Version 1.0  Build 1
   Rules Object: snmp  Version 1.0  Build 1
   Rules Object: smtp  Version 1.0  Build 1
   Rules Object: p2p  Version 1.0  Build 1
   Rules Object: nntp  Version 1.0  Build 1
   Rules Object: netbios  Version 1.0  Build 1
   Rules Object: multimedia  Version 1.0  Build 1
   Rules Object: misc  Version 1.0  Build 1
   Rules Object: imap  Version 1.0  Build 1
   Rules Object: icmp  Version 1.0  Build 1
   Rules Object: exploit  Version 1.0  Build 1
   Rules Object: dos  Version 1.0  Build 1
   Rules Object: chat  Version 1.0  Build 1
   Rules Object: bad-traffic  Version 1.0  Build 1
   Preprocessor Object: SF_DNP3  Version 1.1  Build 1
   Preprocessor Object: SF_MODBUS  Version 1.1  Build 1
   Preprocessor Object: SF_GTP  Version 1.1  Build 1
   Preprocessor Object: SF_REPUTATION  Version 1.1  Build 1
   Preprocessor Object: SF_SIP  Version 1.1  Build 1
   Preprocessor Object: SF_SDF  Version 1.1  Build 1
   Preprocessor Object: SF_DCERPC2  Version 1.0  Build 3
   Preprocessor Object: SF_SSLPP  Version 1.1  Build 4
   Preprocessor Object: SF_DNS  Version 1.1  Build 4
   Preprocessor Object: SF_SSH  Version 1.1  Build 3
   Preprocessor Object: SF_SMTP  Version 1.1  Build 9
   

Re: OT: Running Snort IDS under OpenBSD 5.3

2013-05-31 Thread C. L. Martinez
On Fri, May 31, 2013 at 10:08 AM, Rodolfo Gouveia rgouv...@cosmico.net wrote:
> On 05/31/2013 08:02 AM, C. L. Martinez wrote:
>> Could be better to use binary packaged version released by OpenBSD
>> (http://ftp.openbsd.org/pub/OpenBSD/5.3/packages/amd64/snort-2.9.4.0.tgz)??
>
> Any reason why you didn't start with the packaged version?
> And did you tune snort.conf to your setup?
>
>
> cheers,
> --rodolfo

There are some important bugs resolved by the 2.9.4.6 and 2.9.4.5 releases:

2013-04-18 Steven Sturges sstur...@sourcefire.com
Snort 2.9.4.6
* src/build.h:
  updating build number to 73

* doc/README.counts, doc/snort_manual.pdf, doc/snort_manual.tex,
  src/decode.c, src/parser.c, src/snort.h:
  Added config tunnel_verdicts and tunnel bypass for whitelist and
  blacklist verdicts for 6in4 or 4in6 encapsulated traffic.

* src/preprocessors/spp_frag3.c:
  Don't update IP options length and count in frag3 after allocating
  option buffer when receiving duplicate 0 offset fragments with IP
  options.

2013-03-20 Steven Sturges sstur...@sourcefire.com
Snort 2.9.4.5
* src/build.h:
  updating build number to 71

* src/preprocessors/Stream5/snort_stream5_tcp.c:
  prevent pruning when dup'ing a seglist node to avoid broken
  flushed packets

* src/detection-plugins/detection_options.c:
  recursively search patterns within the HTTP uri
  buffers until the buffer ends.

* src/preprocessors/HttpInspect/: client/hi_client.c,
  client/hi_client_norm.c, include/hi_client.h:
  Remove proxy information from the normalized URI buffer.  Thanks
  to L0rd Ch0de1m0rt for reporting the issue.

* src/: control/sfcontrol.c, preprocessors/Stream5/snort_stream5_tcp.c:
  fix logging of unified2 packet data when alerting on a packet containing
  multiple HTTP PDUs

And yes, I need to tune snort.conf to correctly monitor my network ...



Re: Problem with a startup script

2013-05-28 Thread C. L. Martinez
On Tue, May 21, 2013 at 6:27 PM, russell russ...@dotplan.dyndns.org wrote:
>> Because pexp uses pkill to do its work and pkill matches on command name
>> only (like ps -c).
>
>
> sorry for the noise I just revisited this and I am wrong.
> the pkill bits in rc.subr are using pkill -f
> and that does match against the full arg list.
>
> as said before make a better pexp and it should work.



But ... I have tried to insert these options in this rc.d script:

rc_read_runfile=NO
rc_reload=NO
rc_usercheck=NO
rc_check=NO

and I have added an rc_stop option to send a kill command to the process
... but nothing works ...

Any other ideas?



Re: OT: trying to install vortex-idx in OpenBSD 5.3

2013-05-22 Thread C. L. Martinez
On Tue, May 21, 2013 at 10:38 PM, Stuart Henderson s...@spacehopper.org wrote:
> On 2013-05-21, C. L. Martinez carlopm...@gmail.com wrote:
>> Hi all,
>>
>>  I am trying to compile vortex-ids
>> (http://sourceforge.net/projects/vortex-ids/?source=directory) under
>> OpenBSD 5.3, but this error is returned:
>>
>> vortex.c: In function 'errors_thread':
>> vortex.c:686: error: '__NR_gettid' undeclared (first use in this function)
>> vortex.c:686: error: (Each undeclared identifier is reported only once
>> vortex.c:686: error: for each function it appears in.)
>> vortex.c:693: error: 'cpu_set_t' undeclared (first use in this function)
>> vortex.c:693: error: expected ';' before 'csmask'
>> vortex.c:694: error: 'csmask' undeclared (first use in this function)
>> vortex.c: In function 'stats_thread':
>> vortex.c:768: error: '__NR_gettid' undeclared (first use in this function)
>> vortex.c:776: error: 'cpu_set_t' undeclared (first use in this function)
>> vortex.c:776: error: expected ';' before 'csmask'
>> vortex.c:777: error: 'csmask' undeclared (first use in this function)
>> vortex.c: In function 'conn_writer':
>> vortex.c:950: error: '__NR_gettid' undeclared (first use in this function)
>> vortex.c:958: error: 'cpu_set_t' undeclared (first use in this function)
>> vortex.c:958: error: expected ';' before 'csmask'
>> vortex.c:959: error: 'csmask' undeclared (first use in this function)
>> vortex.c: In function 'main':
>> vortex.c:1917: error: '__NR_gettid' undeclared (first use in this function)
>> vortex.c:1925: error: 'cpu_set_t' undeclared (first use in this function)
>> vortex.c:1925: error: expected ';' before 'csmask'
>> vortex.c:1926: error: 'csmask' undeclared (first use in this function)
>>
>> I have installed libnet-1.1.2.1p0, glib2-2.34.3 and libnids-1.24 packages.
>>
>> Compile options are:
>>
>> gcc -I/usr/local/include -I/data/soft/libpcap/include -L/usr/local/lib
>> -L/data/soft/libpcap/lib -O3 vortex.c -o vortex -lnids -lnet
>> -lgthread-2.0 -lpcap
>>
>> I have tried with this modified version also:
>>
>> https://github.com/ckane/vortex-dev
>>
>>  ... but without luck.
>>
>> Any idea?
>
>
>
> This is trying to use non-portable Linux code (from the errors it
> looks like it may be for processor affinity).
>
> The modified version you mention has some if defined(__FreeBSD__)
> hacks, you may get it to compile if you change those lines to
> if defined(__FreeBSD__) || defined(__OpenBSD__).


Uhmm, I have tried, but I get the same errors:

root@plzfnsm01:/tmp/1/vortex-dev-master# gcc -c vortex.c
-I/usr/local/include -I/data/soft/libpcap/include
vortex.c:44:24: error: sys/cpuset.h: No such file or directory
vortex.c:45: error: expected '=', ',', ';', 'asm' or '__attribute__'
before 'cpu_set_t'
vortex.c:47:1: warning: SIZE_MAX redefined
In file included from /usr/include/sys/limits.h:34,
 from /usr/include/sys/param.h:92,
 from vortex.c:43:
/usr/include/machine/limits.h:41:1: warning: this is the location of
the previous definition
vortex.c: In function 'errors_thread':
vortex.c:676: error: 'cpu_set_t' undeclared (first use in this function)
vortex.c:676: error: (Each undeclared identifier is reported only once
vortex.c:676: error: for each function it appears in.)
vortex.c:676: error: expected ';' before 'csmask'
vortex.c:677: error: 'csmask' undeclared (first use in this function)
vortex.c: In function 'stats_thread':
vortex.c:756: error: 'cpu_set_t' undeclared (first use in this function)
vortex.c:756: error: expected ';' before 'csmask'
vortex.c:757: error: 'csmask' undeclared (first use in this function)
vortex.c: In function 'conn_writer':
vortex.c:936: error: 'cpu_set_t' undeclared (first use in this function)
vortex.c:936: error: expected ';' before 'csmask'
vortex.c:937: error: 'csmask' undeclared (first use in this function)
vortex.c: In function 'main':
vortex.c:1870: error: 'cpu_set_t' undeclared (first use in this function)
vortex.c:1870: error: expected ';' before 'csmask'
vortex.c:1871: error: 'csmask' undeclared (first use in this function)

cpuset.h and the cpu_set_t function don't exist in OpenBSD, right?



Problem with a startup script

2013-05-22 Thread C. L. Martinez
Hi all,

 I have a problem with some Tcl rc.d startup scripts. Start and status
work OK, but stop and restart don't.

 Script:

#!/bin/sh -x
#
# $OpenBSD: suricata_proxyin_agent,v 1.0

daemon="/usr/local/bin/suricata_proxyin_agent.tcl"
daemon_flags="-c /data/config/etc/sguil/suricata_proxyin_agent.conf -D"

. /etc/rc.d/rc.subr

pexp="/usr/local/bin/tclsh8.5 ${daemon}"

rc_cmd "$1"

I have tried several variants, like inserting a specific rc_stop option
or changing pexp to /usr/local/bin/tclsh8.5 $daemon $daemon_args,
without luck.

Debugging the script, it acts like the other system startup scripts:

.

+ echo NO
+ : NO
+ [ XNO = XYES ]
+ echo NO
+ : NO
+ domainname
+ [ X != X -a -d /var/yp/binding ]
+ echo NO
+ : NO
+ : NO
+ [ -n /usr/local/bin/suricata_proxyin_agent.tcl ]
+ unset _RC_DEBUG _RC_FORCE
+ getopts df c
+ shift 0
+ basename ./suricata_proxyin_agent
+ _name=suricata_proxyin_agent
+ _RC_RUNDIR=/var/run/rc.d
+ _RC_RUNFILE=/var/run/rc.d/suricata_proxyin_agent
+ eval _rcflags=${suricata_proxyin_agent_flags}
+ _rcflags=
+ eval _rcuser=${suricata_proxyin_agent_user}
+ _rcuser=
+ getcap -f /etc/login.conf suricata_proxyin_agent
+ >/dev/null
+ 2>&1
+ [ -z  ]
+ daemon_class=daemon
+ [ -z  ]
+ daemon_user=root
+ [ -n  ]
+ [ -n  ]
+ [ -n  ]
+ printf  %s -c /data/config/etc/sguil/suricata_proxyin_agent.conf -D
+ daemon_flags= -c /data/config/etc/sguil/suricata_proxyin_agent.conf -D
+ daemon_flags=-c /data/config/etc/sguil/suricata_proxyin_agent.conf -D
+ readonly daemon_class
+ unset _rcflags _rcuser
+ pexp=/usr/local/bin/suricata_proxyin_agent.tcl -c
/data/config/etc/sguil/suricata_proxyin_agent.conf -D
+ rcexec=su -l -c daemon -s /bin/sh root -c
+ pexp=/usr/local/bin/tclsh8.5 /usr/local/bin/suricata_proxyin_agent.tcl
+ rc_cmd stop

root@nsm10:/usr/local/etc/rc.d# ps xa |grep suricata_proxyin_agent.tcl
| grep -v grep
17486 p2- I   0:00.29 /usr/local/bin/tclsh8.5
/usr/local/bin/suricata_proxyin_agent.tcl -c
/data/config/etc/sguil/suricata_proxyin_agent.conf -D

Any idea why the process is not stopped?
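
An added illustration, not part of the thread: OpenBSD's rc.subr(8) checks for and stops the daemon with pgrep -xf "${pexp}" and pkill -xf "${pexp}", so pexp is an extended regular expression that has to match the whole argument list of the process. The -x trace above shows the default pexp ("${daemon} ${daemon_flags}") being overwritten by "/usr/local/bin/tclsh8.5 ${daemon}", which lacks the -c ... -D flags that the ps output shows. The script below emulates that anchored match with grep -E -x against a command line constructed from the ps output; rc_match and report are names chosen here, not rc.subr functions.

```shell
#!/bin/sh
# Added example (not from the thread): models how OpenBSD rc.subr(8) decides
# whether a daemon is running. rc_check and rc_stop run
#     pgrep -q -xf "${pexp}"   and   pkill -xf "${pexp}"
# so pexp is an extended regex that must match the process's ENTIRE
# argument list. rc_match emulates that with grep -E -x over a command
# line constructed here from the ps output quoted in the post.

# Constructed sample: full argument list of the running agent (from the post).
AGENT_CMDLINE='/usr/local/bin/tclsh8.5 /usr/local/bin/suricata_proxyin_agent.tcl -c /data/config/etc/sguil/suricata_proxyin_agent.conf -D'

# rc_match PEXP CMDLINE: exit 0 if pgrep -xf "PEXP" would find CMDLINE.
# -f compares the whole command line, -x requires the ERE to cover all of it.
rc_match() {
	printf '%s\n' "$2" | grep -Eqx -- "$1"
}

daemon=/usr/local/bin/suricata_proxyin_agent.tcl
daemon_flags='-c /data/config/etc/sguil/suricata_proxyin_agent.conf -D'

# 1. rc.subr's default: pexp="${daemon} ${daemon_flags}". No interpreter in
#    front, so it never matches a script that tclsh launched.
pexp_default="${daemon} ${daemon_flags}"

# 2. The posted script: interpreter + script, but the flags are dropped.
#    Because of -x the trailing "-c ... -D" makes the match fail.
pexp_posted="/usr/local/bin/tclsh8.5 ${daemon}"

# 3. Interpreter, script and flags: equals the real argument list.
pexp_full="/usr/local/bin/tclsh8.5 ${daemon} ${daemon_flags}"

# 4. pexp is a regex, so ".*" after the script path also covers the flags
#    (looser: it matches any flags, so keep pexp as tight as you can).
pexp_regex="/usr/local/bin/tclsh8.5 ${daemon}.*"

# report NAME PEXP: print whether PEXP would match the running agent.
report() {
	if rc_match "$2" "$AGENT_CMDLINE"; then
		printf '%-8s matches : %s\n' "$1" "$2"
	else
		printf '%-8s no match: %s\n' "$1" "$2"
	fi
}

report default "$pexp_default"
report posted  "$pexp_posted"
report full    "$pexp_full"
report regex   "$pexp_regex"
```

Only the last two candidates match, which is why the posted script starts the agent (start does not consult pexp) but cannot stop it: pkill -xf finds no process. Setting pexp to the interpreter plus "${daemon} ${daemon_flags}" is the tight fix; the ".*" form works too but will also kill any other instance started with different flags.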

