Re: Where to put certificates for IKEDv2?
On Sun, Jun 24, 2018 at 12:42:15PM +0200, C. L. Martinez wrote:
> On Sun, Jun 24, 2018 at 08:43:32AM +, Stuart Henderson wrote:
> > On 2018-06-23, C. L. Martinez wrote:
> > > Hi all,
> > >
> > > I am using Easy-RSA to manage my home's CA (using elliptic curve
> > > certificates). I have created a certificate for my OpenBSD gw for IKEv2
> > > connections (using strongswan mainly). My question is where do I need to
> > > put OpenBSD certs under /etc/iked?
> > >
> > > I have installed myhost.crt in /etc/iked/pubkeys/fqdn/myhost.crt and
> > > myhost.key in /etc/iked/private/myhost.key, but running "iked -dvv"
> > > returns me the following error:
> >
> > The CA cert needs to go in /etc/iked/ca, do you have that?
> >
>
> Yes, it is there:
>
> -rw-r--r--  1 root  wheel  1326 Jun 24 10:12 /etc/iked/ca/ca.crt
>

But when I start iked using "-dvv" and the client tries to connect, I see the following error:

sa_stateflags: 0x0024 -> 0x0024 certreq,sa (required 0x )
config_free_proposals: free 0x177c81779900
config_free_proposals: free 0x177c81773080
config_free_proposals: free 0x177c81773400
config_free_proposals: free 0x177c81773580
ca_getreq: found CA /C=ES/ST=Barcelona/
ca_getreq: no valid local certificate found
ca_setauth: auth length 256
ikev2_getimsgdata: imsg 20 rspi 0xf4b5f385469a92a5 ispi 0xd7906e9f68bda52b initiator 0 sa valid type 0 data length 0
ikev2_dispatch_cert: cert type NONE length 0, ignored
ikev2_getimsgdata: imsg 25 rspi 0xf4b5f385469a92a5 ispi 0xd7906e9f68bda52b initiator 0 sa valid type 1 data length 256
ikev2_dispatch_cert: AUTH type 1 len 256
sa_stateflags: 0x0024 -> 0x002c certreq,auth,sa (required 0x )

But the CA cert is loaded:

ikev2 "ipseccli" passive esp inet from 0.0.0.0/0 to 0.0.0.0/0 local 0.0.0.0/0 peer 0.0.0.0/0 ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 lifetime 10800 bytes 536870912 signature
/etc/iked.conf: loaded 2 configuration rules
ca_privkey_serialize: type RSA_KEY length 1191
ca_pubkey_serialize: type RSA_KEY length 270
config_new_user: inserting new user testusr
ca_privkey_to_method: type RSA_KEY method RSA_SIG
config_getpolicy: received policy
ca_getkey: received private key type RSA_KEY length 1191
config_getpfkey: received pfkey fd 3
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 6
config_getsocket: received socket fd 7
config_getmobike: mobike
ca_getkey: received public key type RSA_KEY length 270
ca_dispatch_parent: config reset
ca_reload: loaded ca file ca.crt
ca_reload: /C=ES/ST=Barcelona/
ca_reload: loaded 1 ca certificate
ca_reload: local cert type X509_CERT
config_getocsp: ocsp_url none
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20

But I am thinking that maybe some problems exist:

- First, I am using strongswan for Android as a client, do I need to use some specific crypto algorithms on the iked side?
- Second, maybe it is the best option to use EAP user auth instead of certificates?
- I am using ECDSA certs, any problem with that?

Thanks

--
Greetings,
C. L. Martinez
Re: Where to put certificates for IKEDv2?
On Sun, Jun 24, 2018 at 08:43:32AM +, Stuart Henderson wrote:
> On 2018-06-23, C. L. Martinez wrote:
> > Hi all,
> >
> > I am using Easy-RSA to manage my home's CA (using elliptic curve
> > certificates). I have created a certificate for my OpenBSD gw for IKEv2
> > connections (using strongswan mainly). My question is where do I need to
> > put OpenBSD certs under /etc/iked?
> >
> > I have installed myhost.crt in /etc/iked/pubkeys/fqdn/myhost.crt and
> > myhost.key in /etc/iked/private/myhost.key, but running "iked -dvv" returns
> > me the following error:
>
> The CA cert needs to go in /etc/iked/ca, do you have that?
>

Yes, it is there:

-rw-r--r--  1 root  wheel  1326 Jun 24 10:12 /etc/iked/ca/ca.crt

--
Greetings,
C. L. Martinez
Where to put certificates for IKEDv2?
Hi all,

I am using Easy-RSA to manage my home's CA (using elliptic curve certificates). I have created a certificate for my OpenBSD gw for IKEv2 connections (using strongswan mainly). My question is where do I need to put OpenBSD certs under /etc/iked?

I have installed myhost.crt in /etc/iked/pubkeys/fqdn/myhost.crt and myhost.key in /etc/iked/private/myhost.key, but running "iked -dvv" returns me the following error:

ikev2_msg_auth: initiator auth data length 960
ikev2_msg_authverify: method SIG keylen 962 type X509_CERT
_dsa_verify_init: signature scheme 4 selected
ikev2_msg_authverify: authentication successful
sa_state: AUTH_REQUEST -> AUTH_SUCCESS
sa_stateflags: 0x0024 -> 0x0034 certreq,authvalid,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
ikev2_sa_negotiate: score 0
ikev2_sa_negotiate: score 10
ikev2_sa_negotiate: score 0
ikev2_sa_negotiate: score 4
sa_stateflags: 0x0034 -> 0x0034 certreq,authvalid,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
sa_stateok: VALID flags 0x0030, require 0x003b cert,certvalid,auth,authvalid,sa
sa_state: cannot switch: AUTH_SUCCESS -> VALID
config_free_proposals: free 0xb9bb7e8a80
config_free_proposals: free 0xb9bb7e8700
config_free_proposals: free 0xb965e22400
config_free_proposals: free 0xba238e1e80
ca_getreq: found CA /C=ES/ST=Barcelona..
ca_getreq: no valid local certificate found
ca_setauth: auth length 256
ca_validate_pubkey: unsupported public key type ASN1_DN
ca_validate_cert: /C=ES/... ok

Do I need to install user certificates also in the OpenBSD gw?

Thanks

--
Greetings,
C. L. Martinez
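Both posts in this thread turn on the same question: does iked find a local certificate that belongs to the private key it loaded and chains to the CA under /etc/iked/ca (the later reply's debug output shows "ca_getreq: no valid local certificate found" right after iked reports the key type it serialized). The script below is an added example, not code from the thread or from OpenBSD. It shells out to openssl(1), assumed to be in PATH, and assumes the layout documented in iked(8): CA certificates in /etc/iked/ca/, the local and peer certificates in /etc/iked/certs/, and the local private key at /etc/iked/private/local.key (the pubkeys/ tree holds raw public keys for peers that authenticate with public keys, not X.509 certificates). The self-test builds a throwaway EC PKI in a temporary directory so it runs offline; the CA name, host name and file names in it are constructed.

```python
"""Consistency checks for the certificate material iked(8) loads.

Added example; it is not code from the original posts or from OpenBSD.
Assumes openssl(1) in PATH and the iked(8) layout: ca/, certs/, private/local.key.
"""
import os
import shutil
import subprocess
import tempfile

OPENSSL = shutil.which("openssl")


def _openssl(*args):
    """Run one openssl(1) subcommand; return (returncode, stdout)."""
    proc = subprocess.run([OPENSSL, *args], capture_output=True, text=True)
    return proc.returncode, proc.stdout


def chain_ok(cert, ca_bundle):
    """True when `cert` chains to a CA certificate in `ca_bundle` (openssl verify)."""
    rc, out = _openssl("verify", "-CAfile", ca_bundle, cert)
    return rc == 0 and out.strip().endswith(": OK")


def key_matches_cert(cert, key):
    """True when the certificate's SubjectPublicKeyInfo equals the one derived
    from the private key.  Works for EC and RSA keys alike."""
    rc1, from_cert = _openssl("x509", "-in", cert, "-noout", "-pubkey")
    rc2, from_key = _openssl("pkey", "-in", key, "-pubout")
    return rc1 == 0 and rc2 == 0 and from_cert.strip() == from_key.strip()


def cert_subject(cert):
    rc, out = _openssl("x509", "-in", cert, "-noout", "-subject")
    return out.strip() if rc == 0 else None


def check_local_cert(cert, key, ca_bundle):
    """The three checks a 'no valid local certificate found' hunt starts with."""
    return {"subject": cert_subject(cert),
            "chain_ok": chain_ok(cert, ca_bundle),
            "key_matches": key_matches_cert(cert, key)}


def check_iked_dir(root="/etc/iked"):
    """On a live system: every certificate under <root>/certs, checked against
    the CAs under <root>/ca and the key <root>/private/local.key."""
    key = os.path.join(root, "private", "local.key")
    ca_dir, certs_dir = os.path.join(root, "ca"), os.path.join(root, "certs")
    with tempfile.NamedTemporaryFile("w", suffix=".pem", delete=False) as bundle:
        for name in sorted(os.listdir(ca_dir)):          # concatenate all CA files
            with open(os.path.join(ca_dir, name)) as f:
                bundle.write(f.read())
    try:
        return {name: check_local_cert(os.path.join(certs_dir, name), key, bundle.name)
                for name in sorted(os.listdir(certs_dir))}
    finally:
        os.unlink(bundle.name)


# Minimal req(1) config (constructed) so the throwaway CA gets CA:TRUE
# regardless of what the system openssl.cnf says.
_REQ_CONF = """[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
"""


def make_test_pki(workdir, cn="myhost.example.org"):
    """Constructed test data: an EC CA, a host key plus CA-signed certificate,
    and a second key that belongs to no certificate."""
    p = {n: os.path.join(workdir, n) for n in
         ("ca.key", "ca.crt", "host.key", "host.csr", "host.crt", "other.key", "req.cnf")}
    with open(p["req.cnf"], "w") as f:
        f.write(_REQ_CONF)
    steps = [
        ("ecparam", "-name", "prime256v1", "-genkey", "-noout", "-out", p["ca.key"]),
        ("req", "-x509", "-new", "-config", p["req.cnf"], "-key", p["ca.key"],
         "-subj", "/CN=Example Home CA", "-days", "2", "-out", p["ca.crt"]),
        ("ecparam", "-name", "prime256v1", "-genkey", "-noout", "-out", p["host.key"]),
        ("req", "-new", "-config", p["req.cnf"], "-key", p["host.key"],
         "-subj", "/CN=" + cn, "-out", p["host.csr"]),
        ("x509", "-req", "-in", p["host.csr"], "-CA", p["ca.crt"], "-CAkey", p["ca.key"],
         "-CAcreateserial", "-days", "2", "-out", p["host.crt"]),
        ("ecparam", "-name", "prime256v1", "-genkey", "-noout", "-out", p["other.key"]),
    ]
    for step in steps:
        rc, _ = _openssl(*step)
        if rc != 0:
            raise RuntimeError("openssl %s failed" % step[0])
    return p


def selftest():
    """Build the throwaway PKI and run the checks; None when openssl is absent."""
    if OPENSSL is None:
        return None
    with tempfile.TemporaryDirectory() as d:
        p = make_test_pki(d)
        return {"good": check_local_cert(p["host.crt"], p["host.key"], p["ca.crt"]),
                "wrong_key": check_local_cert(p["host.crt"], p["other.key"], p["ca.crt"])}


if __name__ == "__main__":
    print(selftest())
```

On a gateway, `check_iked_dir()` gives one line per certificate; a `key_matches` of False for the certificate whose subject is the local ID, or a `chain_ok` of False, is the first thing to fix before reading further into the sa_stateflags output.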
Re: Errors with Php and curl under OpenBSD 6.3
Works!! ... Many thanks Manolis.

On Tue, Apr 24, 2018 at 9:10 AM, Manolis Tzanidakis <mtzanida...@gmail.com> wrote:
> Oops, forgot a sub-directory. Try this, instead:
>
> # mkdir -p /var/www/etc/ssl; cp /etc/ssl/cert.pem /var/www/etc/ssl
>
> On Tue (24/04/18), Manolis Tzanidakis wrote:
> > Hello,
> > try copying cert.pem to the www chroot:
> >
> > # mkdir -p /var/www/etc; cp /etc/ssl/cert.pem /var/www/etc/ssl
> >
> > and restart php-fpm.
> >
> > On Tue (24/04/18), C. L. Martinez wrote:
> > > Hi all,
> > >
> > > Since this morning my OpenBSD 6.3 host (with tt-rss installed) returns
> > > the following error when I try to add some feeds:
> > >
> > > Couldn't download the specified URL: ; 77 error setting certificate verify
> > > locations: CAfile: /etc/ssl/cert.pem CApath: none
> > >
> > > It seems some type of problem with curl ... Am I right? I found some
> > > solutions but all of them involve making use of an insecure connection
> > > with curl.
> > >
> > > Any idea?
> > >
> > > Thanks.
> >
Errors with Php and curl under OpenBSD 6.3
Hi all,

Since this morning my OpenBSD 6.3 host (with tt-rss installed) returns the following error when I try to add some feeds:

Couldn't download the specified URL: ; 77 error setting certificate verify locations: CAfile: /etc/ssl/cert.pem CApath: none

It seems some type of problem with curl ... Am I right? I found some solutions but all of them involve making use of an insecure connection with curl.

Any idea?

Thanks.
Re: OpenBSD blocks IPsec traffic
Thanks Marko, but I have found the problem. These rules are under anchor sub-group rules ... Moving these rules to the top after "block log all", all is working ... Maybe it is a bug with anchor rules?

On Wed, Apr 18, 2018 at 3:16 PM, Marko Cupać <marko.cu...@mimar.rs> wrote:
> On Wed, 18 Apr 2018 15:01:24 +0200
> "C. L. Martinez" <carlopm...@gmail.com> wrote:
>
> > Hi all,
> >
> > I am trying to configure an ipsec tunnel (host-to-host) between two
> > hosts that go through an openbsd firewall. Tunnel is established, but
> > when I try to, for example, connect via ssh from one host to the
> > other, pf blocks traffic:
> >
> > Apr 18 12:53:00.286351 rule 24/(match) [uid 0, pid 19127] block out on
> > vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 1 len 100 (DF)
> > [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
> > Apr 18 12:53:02.292330 rule 24/(match) [uid 0, pid 19127] block out on
> > vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 2 len 100 (DF)
> > [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
> > Apr 18 12:53:06.300396 rule 24/(match) [uid 0, pid 19127] block out on
> > vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 3 len 100 (DF)
> > [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
> > Apr 18 12:53:14.324382 rule 24/(match) [uid 0, pid 19127] block out on
> > vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 4 len 100 (DF)
> > [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
> > Apr 18 12:53:30.356437 rule 24/(match) [uid 0, pid 19127] block out on
> > vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 5 len 100 (DF)
> > [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
> >
> > To do some tests, I have configured the following rules:
> >
> > pass in inet from 172.22.55.2 to 172.22.59.6 flags S/SA keep state
> > (if-bound)
> > pass in inet from 172.22.59.6 to 172.22.55.2 flags S/SA keep state
> > (if-bound)
> >
> > Any idea?
>
> Hard to say without complete ruleset, but from what I see here, your
> rule 24 blocks outbound esp from 172.22.59.6 to 172.22.55.2 on vio0,
> while no other rule after that (or one before that with 'quick'
> keyword) permits it.
>
> Check exact line with pfctl -vvsr. Add either default 'pass out'
> somewhere below (I prefer it at the end of my ruleset, as I have so far
> never blocked out stuff I already passed in), or pass out exact traffic
> you need, eg:
>
> pass out on vio0 proto esp from 172.22.59.6 to 172.22.55.2
>
> Hope this helps,
>
> --
> Before enlightenment - chop wood, draw water.
> After enlightenment - chop wood, draw water.
>
> Marko Cupać
> https://www.mimar.rs/
>
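Marko's reasoning, that the last matching rule wins unless an earlier matching rule carries 'quick', is the whole of pf's decision for the ESP packets in the log. The model below is an added example, not code from the thread or from OpenBSD: a deliberately small reimplementation of that evaluation order as pf.conf(5) describes it, replayed against one of the logged packets and the two posted test rules sitting under a 'block log all'. State tracking, 'flags' and anchors are not modelled (so it shows why a lone 'block out' wins, not the anchor placement the original poster found), and the rule indices here are not the numbers pfctl -vvsr prints.

```python
"""Replay of a pflog line against a modelled pf ruleset (added example; not
OpenBSD code).  Last matching rule wins, 'quick' stops at the first match,
and a packet no rule matches passes, as in pf.conf(5)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\(match\) .*?(?P<action>block|pass) (?P<dir>in|out) on "
    r"(?P<iface>\w+): (?P<proto>\w+) (?P<src>[\d.]+) > (?P<dst>[\d.]+)")


@dataclass
class Packet:
    direction: str   # "in" or "out"
    iface: str
    proto: str       # "esp", "tcp", ...
    src: str
    dst: str


def parse_pflog(line):
    """Extract (rule number, logged action, packet) from one tcpdump-on-pflog line."""
    m = PFLOG_RE.search(line)
    if m is None:
        raise ValueError("not a pflog match line: %r" % line)
    return int(m["rule"]), m["action"], Packet(m["dir"], m["iface"], m["proto"], m["src"], m["dst"])


def _in(addr, spec):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


@dataclass
class Rule:
    action: str                        # "block" or "pass"
    direction: Optional[str] = None    # None matches both directions
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: str = "any"
    dst: str = "any"
    quick: bool = False

    def matches(self, p):
        return (self.direction in (None, p.direction) and self.iface in (None, p.iface)
                and self.proto in (None, p.proto) and _in(p.src, self.src) and _in(p.dst, self.dst))


def evaluate(rules, packet):
    """Return (action, index of the deciding rule); index None means no rule matched."""
    decision = ("pass", None)          # pf's default when nothing matches
    for i, rule in enumerate(rules):
        if rule.matches(packet):
            decision = (rule.action, i)
            if rule.quick:             # 'quick' ends evaluation at this match
                break
    return decision


# Transcribed from the thread: one logged packet and the two test rules, placed
# under a 'block log all' (the complete ruleset was not posted).
SAMPLE_LOG = ("Apr 18 12:53:00.286351 rule 24/(match) [uid 0, pid 19127] block out on "
              "vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 1 len 100 (DF)")
RULESET = [
    Rule("block"),                                               # block log all
    Rule("pass", "in", src="172.22.55.2", dst="172.22.59.6"),   # pass in inet from ... to ...
    Rule("pass", "in", src="172.22.59.6", dst="172.22.55.2"),
]
# Marko's suggested fix: an explicit 'pass out' for the ESP traffic, after the block.
PASS_OUT_ESP = Rule("pass", "out", iface="vio0", proto="esp", src="172.22.59.6", dst="172.22.55.2")


def diagnose(log_line, rules):
    """Replay the logged packet against a ruleset and report which rule decides."""
    _, logged_action, pkt = parse_pflog(log_line)
    action, idx = evaluate(rules, pkt)
    return {"logged": logged_action, "modelled": action, "deciding_rule": idx}


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, RULESET))                    # blocked by rule 0
    print(diagnose(SAMPLE_LOG, RULESET + [PASS_OUT_ESP]))   # passed by rule 3
```

Feeding the real `pfctl -vvsr` output into a model like this is a cheap way to check that a 'pass out' for an IPsec path is really the last match on the interface the packet leaves from.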
OpenBSD blocks IPsec traffic
Hi all,

I am trying to configure an ipsec tunnel (host-to-host) between two hosts that go through an openbsd firewall. Tunnel is established, but when I try to, for example, connect via ssh from one host to the other, pf blocks traffic:

Apr 18 12:53:00.286351 rule 24/(match) [uid 0, pid 19127] block out on vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 1 len 100 (DF) [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
Apr 18 12:53:02.292330 rule 24/(match) [uid 0, pid 19127] block out on vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 2 len 100 (DF) [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
Apr 18 12:53:06.300396 rule 24/(match) [uid 0, pid 19127] block out on vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 3 len 100 (DF) [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
Apr 18 12:53:14.324382 rule 24/(match) [uid 0, pid 19127] block out on vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 4 len 100 (DF) [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
Apr 18 12:53:30.356437 rule 24/(match) [uid 0, pid 19127] block out on vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 5 len 100 (DF) [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)

To do some tests, I have configured the following rules:

pass in inet from 172.22.55.2 to 172.22.59.6 flags S/SA keep state (if-bound)
pass in inet from 172.22.59.6 to 172.22.55.2 flags S/SA keep state (if-bound)

Any idea?
Migrating nginx config to OpenBSD's httpd
Hi all,

I am trying to migrate an nginx configuration to OpenBSD's httpd. All is working ok, except for some reverse proxy config that I use with nginx, like for example:

server {
    listen 80;
    server_name internal.w01.domain.org;

    location / {
        proxy_pass http://192.168.30.4;
    }
}

I don't see what the option to use with httpd.conf is, or is it the best option to use relayd.conf for this type of config?

Thanks.
Re: Testing IKEv2 with Android devices
On Wed, Nov 29, 2017 at 9:33 AM, Stuart Henderson <s...@spacehopper.org> wrote:
> On 2017-11-26, C. L. Martinez <carlopm...@gmail.com> wrote:
>>
>> Ok, it seems the problem is that iked(8) does not know how to perform
>> Diffie-Hellman group negotiation:
>>
>> https://marc.info/?l=openbsd-tech=151136800328145=2
>>
>> Am I correct? What is the current status for Tim's fix?
>
> patrick@ has been following this rabbit hole, try his latest diff.
>

Thanks Stuart. Are you referring to this one: https://marc.info/?l=openbsd-tech=151187345915827=2?
Re: Testing IKEv2 with Android devices
On Sun, Nov 26, 2017 at 09:02:46PM +0100, C. L. Martinez wrote:
> Hi all,
>
> I am testing IKEv2 for Android roadwarriors clients ... I have done a very
> basic config:
>
> ikev2 "roadwarriors" passive esp \
>         from 0.0.0.0/0 to 172.22.55.0/27 \
>         peer any \
>         config name-server 172.22.55.1 \
>         psk "stargazer"
>
> Launching "iked -dvv" returns me:
>
> ikev2_recv: IKE_SA_INIT request from initiator 172.17.35.20:500 to
> 172.17.35.9:500 policy 'roadwarriors' id 0, 652 bytes
> ikev2_recv: ispi 0xe525d6e2b940fdb1 rspi 0x
> ikev2_policy2id: srcid FQDN/lowlands.lab.uxdom.org length 26
> ikev2_pld_parse: header ispi 0xe525d6e2b940fdb1 rspi 0x
> nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length
> 652 response 0
> ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 244
> ikev2_pld_sa: more than one proposal specified
> ikev2_pld_sa: more 2 reserved 0 length 136 proposal #1 protoid IKE spisize 0
> xforms 15 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_512_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_384_192
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_512
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1536
> ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
> ikev2_pld_ke: dh group reserved 0
> ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
> ikev2_nat_detection: peer source 0xe525d6e2b940fdb1 0x
> 172.17.35.20:500
> ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT, enabling UDP
> encapsulation
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
> ikev2_nat_detection: peer destination 0xe525d6e2b940fdb1 0x
> 172.17.35.9:500
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 16
> ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
> ikev2_pld_notify: signature hash SHA1 (1)
> ikev2_pld_notify: signature hash SHA2_256 (2)
> ikev2_pld_notify: signature hash SHA2_384 (3)
> ikev2_pld_notify: signature hash SHA2_512 (4)
> ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 8
> ikev2_pld_notify: protoid NONE spisize 0 type REDIRECT_SUPPORTED
> sa_state: INIT -> SA_INIT
> ikev2_sa_negotiate: score 4
> sa_stateok: SA_INIT flags 0x, require 0x
> sa_stateflags: 0x -> 0x0020 sa (required 0x )
> ikev2_sa_keys: SKEYSEED with 32 bytes
> ikev2_sa_keys: S with 80 bytes
> ikev2_prfplus: T1 with 32 bytes
> ikev2_prfplus: T2 with 32 bytes
> ikev2_prfplus: T3 with 32 bytes
> ikev2_prfplus: T4 with 32 bytes
> ikev2_prfplus: T5 with 32 bytes
> ikev2_prfplus: T6 with 32 bytes
> ikev2_prfplus: T7 with 32 bytes
> ikev2_prfplus: Tn with 224 bytes
> ikev2_sa_keys: SK_d with 32 bytes
> ikev2_sa_keys: SK_ai with 32 bytes
> ikev2_sa_keys: SK_ar with 32 bytes
> ikev2_sa_keys: SK_ei with 32 bytes
> ikev2_sa_keys: SK_er with 32 bytes
> ikev2_sa_keys: SK_pi with 32 bytes
> ikev2_sa_keys: SK_pr with 32 bytes
> ikev2_add_proposals: length 44
> ikev2_next_payload: length 48 nextpayload KE
> ikev2_next_payload: length 264 nextpayload NONCE
> ikev2_next_payload: length 36 nextpayload NOTIFY
> ikev2_nat_detection: local source 0xe525d6e2b940fdb1 0xc417a42f151005cb
> 172.17.35.9:500
> ikev2_next_payload: length 28 nextpayload NOTIFY
> ikev2_nat_detection: local destination 0xe525d6e2b940fdb1 0xc417a42f151005cb
> 172.17.35.20:500
> ikev2_ne
Testing IKEv2 with Android devices
3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00 length 28
ikev2_pld_notify: protoid NONE sp ]isize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_pld_payloads: payload CERTREQ nextpayload NOTIFY critical 0x00 length 5
ikev2_pld_certreq: type RSA_KEY length 0
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
ikev2_msg_send: IKE_SA_INIT response from 172.17.35.9:500 to 172.17.35.20:500 msgid 0, 451 bytes
config_free_proposals: free 0x1ccfc4952580

According to this:

sa_state: INIT -> SA_INIT
ikev2_sa_negotiate: score 4
sa_stateok: SA_INIT flags 0x, require 0x
sa_stateflags: 0x -> 0x0020 sa (required 0x )

phase-1 is established, correct? But I am not sure, because the last message is:

ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
ikev2_msg_send: IKE_SA_INIT response from 172.17.35.9:500 to 172.17.35.20:500 msgid 0, 451 bytes
config_free_proposals: free 0x1ccfc4952580

The Android device is a Samsung Galaxy Edge S7 (Android 7.0) and OpenBSD is 6.2 with all patches ... What am I doing wrong?

Thanks.

--
Greetings,
C. L. Martinez
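The thread's conclusion (a later reply points at iked(8) not performing Diffie-Hellman group negotiation) can be read directly off the ikev2_pld_* lines: the Android initiator's SA payload lists several DH transforms, one of which iked prints without a name, and its KE payload is in a group iked also prints without a name, while iked's own response carries a KE in MODP_2048. RFC 7296 section 2.7 has the responder answer such a mismatch with INVALID_KE_PAYLOAD naming the group it selected, after which the initiator retries. The parser below is an added example, not code from the thread or from OpenBSD: it reads the debug lines as they appear above and reports what the exchange needed. The sample lines are transcribed from this thread (a subset of the request quoted in the reply, and of the response in the original post; the response's truncated first line is left out, so its transforms file under proposal 0). RESPONDER_DH is taken from the default group list iked printed in the policy dump of the IKEv2 certificate thread on this page, spelled the way ikev2_pld_xform prints group names.

```python
"""Read iked -dvv IKE_SA_INIT output: proposed DH groups, the KE payload's
group, and whether the responder's policy covers it (added example; not
OpenBSD code)."""
import re

SA_RE = re.compile(r"ikev2_pld_sa: .*proposal #(\d+) protoid (\w+)")
XFORM_RE = re.compile(r"ikev2_pld_xform: more \d+ reserved \d+ length \d+ type (\w+) id\s*(\S*)")
ATTR_RE = re.compile(r"ikev2_pld_attr: attribute type KEY_LENGTH length (\d+)")
KE_RE = re.compile(r"ikev2_pld_ke: dh group\s*(.*?)\s*reserved \d+")
MSG_RE = re.compile(r"ikev2_(recv|msg_send): IKE_SA_INIT (request|response)")


def parse_sa_init(text):
    """Collect {proposal#: {"protoid": ..., "ENCR": [...], "DH": [...], ...}},
    ENCR key lengths, the KE group (None when iked printed no name) and
    whether the capture is a request or a response."""
    proposals, ke_group, kind, current, last = {}, None, None, None, None
    for line in text.splitlines():
        line = line.strip()
        if (m := MSG_RE.search(line)):
            kind = m.group(2)
        elif (m := SA_RE.search(line)):
            current = proposals.setdefault(int(m.group(1)), {"protoid": m.group(2)})
        elif (m := XFORM_RE.search(line)):
            if current is None:   # header missing (truncated capture): file under proposal 0
                current = proposals.setdefault(0, {"protoid": "unknown"})
            last = {"id": m.group(2) or None, "keylen": None}
            current.setdefault(m.group(1), []).append(last)
        elif (m := ATTR_RE.search(line)) and last is not None:
            last["keylen"] = int(m.group(1))   # KEY_LENGTH belongs to the preceding ENCR
        elif (m := KE_RE.search(line)):
            ke_group = m.group(1) or None
    return {"kind": kind, "proposals": proposals, "ke_group": ke_group}


def dh_groups(parsed):
    """DH transform ids across all proposals, in the order they were offered."""
    return [x["id"] for n in sorted(parsed["proposals"])
            for x in parsed["proposals"][n].get("DH", [])]


def assess_ke(initiator, responder_groups):
    """What RFC 7296 sec. 2.7 requires of the responder for this request: pick
    the first acceptable group in its own preference order; if the KE payload
    is not in that group, reply INVALID_KE_PAYLOAD naming it."""
    proposed = dh_groups(initiator)
    chosen = next((g for g in responder_groups if g in proposed), None)
    ke = initiator["ke_group"]
    return {"ke_group": ke,
            "overlap": [g for g in proposed if g in responder_groups],
            "chosen": chosen,
            "ke_acceptable": chosen is not None and ke == chosen,
            "needs_invalid_ke": chosen is not None and ke != chosen,
            "no_proposal_chosen": chosen is None,
            "unnamed_groups": proposed.count(None)}


# Transcribed from the thread (subset of the quoted request; DH ids as printed).
INITIATOR_LOG = """\
ikev2_recv: IKE_SA_INIT request from initiator 172.17.35.20:500 to 172.17.35.9:500 policy 'roadwarriors' id 0, 652 bytes
ikev2_pld_sa: more 2 reserved 0 length 136 proposal #1 protoid IKE spisize 0 xforms 15 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_256
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1536
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group reserved 0
"""
# Transcribed from the original post (iked's own response, first line cut off in the post).
RESPONDER_LOG = """\
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_msg_send: IKE_SA_INIT response from 172.17.35.9:500 to 172.17.35.20:500 msgid 0, 451 bytes
"""
# Group list iked printed for a policy without an explicit 'group' (from the cert thread's policy dump).
RESPONDER_DH = ["MODP_2048", "MODP_1536", "MODP_1024"]

if __name__ == "__main__":
    print(assess_ke(parse_sa_init(INITIATOR_LOG), RESPONDER_DH))
    print(assess_ke(parse_sa_init(RESPONDER_LOG), RESPONDER_DH))
```

For the Android request the result is an overlap of MODP_2048 and MODP_1536, a KE payload in a group iked printed no name for, and needs_invalid_ke set; for iked's own response the KE group equals the chosen group. A unnamed_groups count above zero is also a reminder to check whether the iked build knows the client's preferred curve at all.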
Re: Problems configuring ifstated with dhcp interfaces /etc/ifstated.conf:4: macro '2' not defined (SOLVED)
On Fri, Nov 10, 2017 at 07:28:19PM +, C. L. Martinez wrote:
> Hi all,
>
> I need to configure ifstated for two public interfaces and one of them is a
> dhcp interface. To accomplish this I have configured the following macro in
> ifstated.conf's file:
>
> wired_gate_test = '( "ping -q -c1 -w1 -I `awk '/fixed-address/ { print $2 }'
> /var/db/dhclient.leases.em1 | sed -e 's/;//'` `awk '/routers/ { print $3 }'
> /var/db/dhclient.leases.em1 | sed -e 's/;//'` > /dev/null" every 30 )'
>
> But it returns the following error:
>
> wired_linkup = "em1.link.up"
> wireless_linkup = "em2.link.up"
> /etc/ifstated.conf:4: syntax error
> /etc/ifstated.conf:4: macro '2' not defined
> /etc/ifstated.conf:34: macro 'wired_gate_test' not defined
> /etc/ifstated.conf:34: syntax error
> ifstated: invalid start state wired
>
> From the command line, the ping command works ... What am I doing wrong?
>
> Thanks.
>

Oops .. I have found the problem ... I need to escape awk like awk \'/fixed...

Sorry for the noise ...

--
Greetings,
C. L. Martinez
Problems configuring ifstated with dhcp interfaces /etc/ifstated.conf:4: macro '2' not defined
Hi all,

I need to configure ifstated for two public interfaces and one of them is a dhcp interface. To accomplish this I have configured the following macro in ifstated.conf's file:

wired_gate_test = '( "ping -q -c1 -w1 -I `awk '/fixed-address/ { print $2 }' /var/db/dhclient.leases.em1 | sed -e 's/;//'` `awk '/routers/ { print $3 }' /var/db/dhclient.leases.em1 | sed -e 's/;//'` > /dev/null" every 30 )'

But it returns the following error:

wired_linkup = "em1.link.up"
wireless_linkup = "em2.link.up"
/etc/ifstated.conf:4: syntax error
/etc/ifstated.conf:4: macro '2' not defined
/etc/ifstated.conf:34: macro 'wired_gate_test' not defined
/etc/ifstated.conf:34: syntax error
ifstated: invalid start state wired

From the command line, the ping command works ... What am I doing wrong?

Thanks.

--
Greetings,
C. L. Martinez
Re: Debugging a php's script startup
On Wed, Nov 08, 2017 at 08:43:55PM +0100, Martijn van Duren wrote:
> Hello C.,
>
> Can you start up the daemon process from the CLI (without the rc
> script)? If not and it still has the same error message as below (which
> I reckon it will) you might want to change your mysqli.default_socket =
> in your /etc/php-7.0.ini.
> Do note however that this will also affect php-fpm and mod_php which run
> chrooted by default (hence the weird path), so if you need those installs
> unaffected try to create a custom ini-file and specify it with -c as a
> php-argument.
>
> Also note that php is not designed to write daemons in and should only
> be done if there are no other options. The rc-script won't restart your
> daemon automatically if it crashes.
>
> Hope this helps.
>
> martijn@
>
>

Wow!! ... Many many thanks Martijn. I have added the "-c" switch to daemon_args and created another .ini file for this "daemon", and it works. Here it is:

#!/bin/sh -x
#
daemon="/usr/local/bin/php-7.0"
daemon_flags="-c /etc/tt-rss/php-7.0.ini /var/www/htdocs/rss/update_daemon2.php --log /tmp/update_rss.log"
daemon_user="www"

. /etc/rc.d/rc.subr

pexp="${daemon}${daemon_flags:+ ${daemon_flags}}"
rc_bg=YES
rc_reload=NO

rc_post() {
	rm -f /var/www/htdocs/rss/lock/update_daemon.lock
}

rc_cmd $1

Inside the .ini I have configured the mysqli.default_socket option:

mysqli.default_socket = /var/www/var/run/mysql/mysql.sock

--
Greetings,
C. L. Martinez
Debugging a php's script startup
Hi all,

I am trying to setup a startup file for TT-Rss (installed under an OpenBSD 6.2 host, fully patched). This is the script:

#!/bin/sh -x
#
daemon="/usr/local/bin/php-7.0"
daemon_flags="/var/www/htdocs/rss/update_daemon2.php --log /tmp/update_rss.log"
daemon_user="www"

. /etc/rc.d/rc.subr

pexp="${MODPHP_BIN} ${daemon}${daemon_flags:+ ${daemon_flags}}"
rc_bg=YES
rc_reload=NO

rc_post() {
	rm -f /var/www/htdocs/rss/lock/update_daemon.lock
}

rc_cmd $1

And when I try to start it, this is the output:

root@rssweb:/etc/rc.d# ./tt_rss start
+ daemon=/usr/local/bin/php-7.0
+ daemon_flags=/var/www/htdocs/rss/update_daemon2.php --log /tmp/update_rss.log
+ daemon_user=www
+ . /etc/rc.d/rc.subr
+ _rc_actions=start stop restart reload check
+ readonly _rc_actions
+ [ -n ]
+ basename ./tt_rss
+ _name=tt_rss
+ _rc_check_name tt_rss
+ [ -n /usr/local/bin/php-7.0 ]
+ unset _RC_DEBUG _RC_FORCE
+ getopts df c
+ shift 0
+ _RC_RUNDIR=/var/run/rc.d
+ _RC_RUNFILE=/var/run/rc.d/tt_rss
+ _rc_do _rc_parse_conf
+ eval _rcflags=${tt_rss_flags}
+ _rcflags=
+ eval _rcrtable=${tt_rss_rtable}
+ _rcrtable=
+ eval _rcuser=${tt_rss_user}
+ _rcuser=
+ eval _rctimeout=${tt_rss_timeout}
+ _rctimeout=
+ getcap -f /etc/login.conf tt_rss
+ > /dev/null
+ 2>&1
+ daemon_class=daemon
+ [ -z ]
+ daemon_rtable=0
+ [ -z www ]
+ [ -z ]
+ daemon_timeout=30
+ [ -n -o start != start ]
+ [ -n ]
+ [ -n ]
+ [ -n ]
+ [ -n ]
+ [ -n ]
+ readonly daemon_class
+ unset _rcflags _rcrtable _rcuser _rctimeout
+ pexp=/usr/local/bin/php-7.0 /var/www/htdocs/rss/update_daemon2.php --log /tmp/update_rss.log
+ rcexec=su -l -c daemon -s /bin/sh www -c
+ [ 0 -eq 0 ]
+ pexp= /usr/local/bin/php-7.0 /var/www/htdocs/rss/update_daemon2.php --log /tmp/update_rss.log
+ rc_bg=YES
+ rc_reload=NO
+ rc_cmd start
tt_rss(failed)

pexp's option seems good ... I think the problem is with the 'www' user and with this command: "su -l -c daemon -s /bin/sh www -c".

Launching it from the console returns an error:

root@rssweb:/etc/rc.d# su -l -c daemon -s /bin/sh www -c '/usr/local/bin/php-7.0 /var/www/htdocs/rss/update_daemon2.php --log /tmp/update_rss.log'
PHP Warning:  mysqli_connect(): (HY000/2002): Can't connect to local MySQL server through socket '/var/run/mysql/mysql.sock' (2 "No such file or directory") in /var/www/htdocs/rss/classes/db/mysqli.php on line 8
Unable to connect to database (as rss to localhost, database dbrss): Can't connect to local MySQL server through socket '/var/run/mysql/mysql.sock'

mysql's socket is created under www's chroot like the pkg-readme says:

srwxrwxrwx  1 _mysql  _mysql  0 Nov  8 17:45 /var/www/var/run/mysql/mysql.sock

If I am not wrong, then, how can I configure this startup script?

Thanks

--
Greetings,
C. L. Martinez
About WPA2 compromised protocol
Hi all,

Regarding the WPA2 alert published today: https://www.krackattacks.com/, if I use an IPSec tunnel with shared-key or certificate, or an OpenVPN connection, to authenticate and protect clients and hostAP comms, is this vulnerability mitigated?

Thanks.
Re: sysmerge is not needed when updating to 6.2?
On Thu, Oct 12, 2017 at 11:45:24AM +0200, Theo Buehler wrote:
> > But I have only one question: Is sysmerge no longer needed for the
> > updating process like in previous releases?
>
> Since 6.0 the installer installs an rc.sysmerge that runs 'sysmerge -b'
> on first boot of the updated system.
>

Perfect. Many thanks.

--
Greetings,
C. L. Martinez
sysmerge is not needed when updating to 6.2?
Hi all,

Today I have updated two OpenBSD 6.1 hosts to 6.2 after reading the FAQ and all works really well. Congratulations to all OpenBSD's developers for their hard work.

But I have only one question: Is sysmerge no longer needed for the updating process like in previous releases?

Many thanks.

--
Greetings,
C. L. Martinez
Running OpenBSD 6.1 under vmware fusion
Hi all,

I have installed OpenBSD 6.1 under Vmware Fusion on a MacBook Pro 2017. All is running ok, except when I start the graphical environment (i3).

a) Resolution: I have configured the /etc/xorg.conf file several times trying to catch a good resolution (2560x1600), but Xorg goes to 1280x768 every time.

b) Mouse speed is really slow slow slow ... How can I increase mouse speed?

Mouse conf to increase speed (but it doesn't work):

Section "InputClass"
    Identifier "My Mouse"
    MatchIsPointer "yes"
    Option "AccelerationNumerator" "2"
    Option "AccelerationDenominator" "1"
    Option "AccelerationThreshold" "4"
EndSection

Display conf:

Section "Monitor"
    Identifier "default monitor"
    DisplaySize 311 170
EndSection

Section "Device"
    Identifier "default device"
    Driver "vmware"
EndSection

Section "Screen"
    Identifier "default screen"
    Device "default device"
    Monitor "default monitor"
EndSection

I have attached Xorg.log. Any help please?

Thanks

--
Greetings,
C. L. Martinez

[ 4640.706] (--) checkDevMem: using aperture driver /dev/xf86
[ 4640.888] (--) Using wscons driver on /dev/ttyC2
[ 4640.891]
X.Org X Server 1.18.4
Release Date: 2016-07-19
[ 4640.892] X Protocol Version 11, Revision 0
[ 4640.892] Build Operating System: OpenBSD 6.1 amd64
[ 4640.892] Current Operating System: OpenBSD stirling.lab.uxdom.org 6.1 GENERIC#23 amd64
[ 4640.892] Build Date: 01 April 2017  02:00:27PM
[ 4640.892]
[ 4640.892] Current version of pixman: 0.34.0
[ 4640.892] 	Before reporting problems, check http://wiki.x.org
	to make sure that you have the latest version.
[ 4640.892] Markers: (--) probed, (**) from config file, (==) default setting,
	(++) from command line, (!!) notice, (II) informational,
	(WW) warning, (EE) error, (NI) not implemented, (??) unknown.
[ 4640.892] (==) Log file: "/var/log/Xorg.0.log", Time: Sat Sep  9 10:06:36 2017
[ 4640.892] (==) Using config file: "/etc/xorg.conf"
[ 4640.892] (==) Using config directory: "/etc/X11/xorg.conf.d"
[ 4640.892] (==) Using system config directory "/usr/X11R6/share/X11/xorg.conf.d"
[ 4640.892] (==) No Layout section.  Using the first Screen section.
[ 4640.892] (**) |-->Screen "default screen" (0)
[ 4640.892] (**) |   |-->Monitor "default monitor"
[ 4640.892] (**) |   |-->Device "default device"
[ 4640.892] (**) |   |-->GPUDevice "default device"
[ 4640.892] (==) Disabling SIGIO handlers for input devices
[ 4640.892] (==) Automatically adding devices
[ 4640.892] (==) Automatically enabling devices
[ 4640.892] (==) Not automatically adding GPU devices
[ 4640.892] (==) Max clients allowed: 256, resource mask: 0x1f
[ 4640.892] (==) FontPath set to:
	/usr/X11R6/lib/X11/fonts/misc/,
	/usr/X11R6/lib/X11/fonts/TTF/,
	/usr/X11R6/lib/X11/fonts/OTF/,
	/usr/X11R6/lib/X11/fonts/Type1/,
	/usr/X11R6/lib/X11/fonts/100dpi/,
	/usr/X11R6/lib/X11/fonts/75dpi/
[ 4640.892] (==) ModulePath set to "/usr/X11R6/lib/modules"
[ 4640.892] (II) The server relies on wscons to provide the list of
	input devices.
	If no devices become available, reconfigure wscons or disable AutoAddDevices.
[ 4640.892] (II) Loader magic: 0xd7e0a733020
[ 4640.892] (II) Module ABI versions:
[ 4640.892] 	X.Org ANSI C Emulation: 0.4
[ 4640.892] 	X.Org Video Driver: 20.0
[ 4640.892] 	X.Org XInput driver : 22.1
[ 4640.892] 	X.Org Server Extension : 9.0
[ 4640.893] (--) PCI:*(0:0:15:0) 15ad:0405:15ad:0405 rev 0, Mem @ 0xe800/134217728, 0xfe00/8388608, I/O @ 0x1070/16
[ 4640.893] (II) LoadModule: "glx"
[ 4640.893] (II) Loading /usr/X11R6/lib/modules/extensions/libglx.so
[ 4640.894] (II) Module glx: vendor="X.Org Foundation"
[ 4640.894] 	compiled for 1.18.4, module version = 1.0.0
[ 4640.894] 	ABI class: X.Org Server Extension, version 9.0
[ 4640.894] (==) AIGLX enabled
[ 4640.894] (II) LoadModule: "vmware"
[ 4640.895] (II) Loading /usr/X11R6/lib/modules/drivers/vmware_drv.so
[ 4640.895] (II) Module vmware: vendor="X.Org Foundation"
[ 4640.895] 	compiled for 1.18.4, module version = 13.1.0
[ 4640.895] 	Module class: X.Org Video Driver
[ 4640.895] 	ABI class: X.Org Video Driver, version 20.0
[ 4640.895] (II) vmware: driver for VMware SVGA: vmware0405, vmware0710
[ 4640.895] (II) vmware(0): Driver was compiled without KMS- and 3D support.
[ 4640.895] (WW) vmware(0): Disabling 3D support.
[ 4640.895] (WW) vmware(0): Disabling Render Acceleration.
[ 4640.895] (WW) vmware(0): Disabling RandR12+ support.
[ 46
Re: Problem with key bindings with mutt under OpenBSD 6.1
On Sat, Sep 02, 2017 at 02:48:12PM +0200, Anton Lindqvist wrote:
> On Sat, Sep 02, 2017 at 11:01:14AM +0000, C. L. Martinez wrote:
> > Hi all,
> >
> > I have used mutt over several months under FreeBSD and RHEL/CentOS. I have
> > migrated my desktop to OpenBSD 6.1 and I have a problem with mutt's package
> > installed from official OpenBSD's repos (neomutt-20170306-gpgme-sasl).
> >
> > In my mutt's config file I have defined the following key bindings:
> >
> > #
> > # Key bindings
> > #
> > bind index \CP sidebar-prev
> > bind index \CN sidebar-next
> > bind index \CO sidebar-open
> >
> > The problem is with "\CO". It doesn't work under OpenBSD but it works without
> > problems under FreeBSD 11 or RHEL7/CentOS7. If I change "\CO" to "\CA" or
> > "\CI" or "\CH", for example, it works without problems ... Is "\CO" defined
> > by default under OpenBSD? How can I revert this behavior?
>
> $ stty discard undef; mutt
>

Perfect!! .. It is working.. Many thanks Anton.

--
Greetings,
C. L. Martinez
Problem with key bindings with mutt under OpenBSD 6.1
Hi all,

I have used mutt over several months under FreeBSD and RHEL/CentOS. I have migrated my desktop to OpenBSD 6.1 and I have a problem with mutt's package installed from official OpenBSD's repos (neomutt-20170306-gpgme-sasl).

In my mutt's config file I have defined the following key bindings:

#
# Key bindings
#
bind index \CP sidebar-prev
bind index \CN sidebar-next
bind index \CO sidebar-open

The problem is with "\CO". It doesn't work under OpenBSD but it works without problems under FreeBSD 11 or RHEL7/CentOS7. If I change "\CO" to "\CA" or "\CI" or "\CH", for example, it works without problems ... Is "\CO" defined by default under OpenBSD? How can I revert this behavior?

Thanks.

--
Greetings,
C. L. Martinez
Re: After applying patches, kernel version is slower?
On Thu, May 04, 2017 at 07:49:04AM +, Stuart Henderson wrote:
> On 2017-05-04, C. L. Martinez <carlopm...@gmail.com> wrote:
> > Hi all,
> >
> > I have applied the recent patches for OpenBSD 6.1 in two hosts and I see a
> > strange behavior. In a non-patched OpenBSD 6.1 host, uname -a returns:
> >
> > OpenBSD tnobsd02.mydom.org 6.1 GENERIC#19 amd64
> >
> > .. and in an OpenBSD 6.1 host with patches applied:
> >
> > OpenBSD extobsd01.mydom.org 6.1 GENERIC#4 amd64
> >
> > Any idea why??
> >
>
> They're built on a different machine. (The number after GENERIC# shows
> how many builds were done in that directory since it was cleaned.)
>
> Check the date in "sysctl kern.version".
>

Ahh ... Ok, many thanks for the info Stuart.

--
Greetings,
C. L. Martinez
After applying patches, kernel version is slower?
Hi all,

I have applied the recent patches for OpenBSD 6.1 in two hosts and I see a strange behavior. In a non-patched OpenBSD 6.1 host, uname -a returns:

OpenBSD tnobsd02.mydom.org 6.1 GENERIC#19 amd64

.. and in an OpenBSD 6.1 host with patches applied:

OpenBSD extobsd01.mydom.org 6.1 GENERIC#4 amd64

Any idea why??

--
Greetings,
C. L. Martinez
Sysctl options to install IDS software
Hi all,

In the following days, I want to replace some Linux systems that act as IDS/IPS nodes with OpenBSD 6.1 (congratulations to all OpenBSD's team. IMO, the best OpenBSD that I have used). These OpenBSD nodes will be installed with Suricata, Bro and Snort components.

In the Linux and FreeBSD world, when you try to monitor 1GB/10GB networks (which is my case), some kernel variables need to be tweaked. For example, for Linux systems some options are:

net.core.rmem_max
net.core.wmem_max
net.core.rmem_default
net.core.wmem_default
net.core.optmem_max
net.ipv4.tcp_rmem
net.ipv4.tcp_wmem
net.ipv4.udp_mem

In OpenBSD's old days, you could tweak some options like send and receive network buffers, etc. But in most recent OpenBSD releases, most of these options are not available; from what I understand, some sort of "tuning" is already done by default in the GENERIC kernel. But I see some kernel options that could need to be modified to use IDS/IPS software. Some of them:

kern.somaxconn
net.inet.udp.recvspace
net.inet.udp.sendspace
net.bpf.maxbufsize (I am not sure about this option)

On the other side, I don't want to break anything in this first stage :) ... I prefer to do some type of control first and apply these changes afterwards.

Any recommendation?

Many thanks.

--
Greetings,
C. L. Martinez
Re: What does it mean this error when I try install a package?
On Mon, Apr 17, 2017 at 01:39:22PM +0200, Christoph R. Murauer wrote:
> > Hi all,
> >
> > After installing an OpenBSD 6.1, I am trying to install some packages,
> > for example python-2.7. When I launch the following command:
> >
> > pkg_add -v python-2.7
> >
> > ... returns the following errors:
> >
> > http://ftp.openbsd.org/pub/OpenBSD/6.1/packages/amd64/: Read short
> > file.
> > http://ftp.openbsd.org/pub/OpenBSD/6.1/packages/amd64/python-2.7.tgz:
> > ftp: Error retrieving file: 404 Not Found
> > signify: gzheader truncated
> > Can't find python-2.7
> > Extracted 11548847 from 11550420
> >
> > What do these errors mean?? My PKG_PATH variable is
> > "PKG_PATH=http://ftp.openbsd.org/pub/OpenBSD/6.1/packages/amd64;
>
> It means, that the package you try to install does not exist. Run
>
> pkg_info -Q python
>
> See FAQ https://www.openbsd.org/faq/faq15.html#PkgFind
>
> you see something like (in my case it is already installed)
>
> ...
> python-2.7.13p0 (installed)
> ...
>
> You can also check the list of packages at
> http://ftp.openbsd.org/pub/OpenBSD/6.1/packages/amd64/index.txt
>
> So, try
>
> pkg_add -v python-2.7.13p0
>
> or, check the -z switch of pkg_add (man pkg_add)
>
> pkg_add -v -z python-2.7.13
>

Yep, understood. Many thanks.

--
Greetings,
C. L. Martinez
What does it mean this error when I try install a package?
Hi all,

After installing an OpenBSD 6.1, I am trying to install some packages, for example python-2.7. When I launch the following command:

pkg_add -v python-2.7

... returns the following errors:

http://ftp.openbsd.org/pub/OpenBSD/6.1/packages/amd64/: Read short file.
http://ftp.openbsd.org/pub/OpenBSD/6.1/packages/amd64/python-2.7.tgz: ftp: Error retrieving file: 404 Not Found
signify: gzheader truncated
Can't find python-2.7
Extracted 11548847 from 11550420

What do these errors mean?? My PKG_PATH variable is "PKG_PATH=http://ftp.openbsd.org/pub/OpenBSD/6.1/packages/amd64;

--
Greetings,
C. L. Martinez
Re: New features in VMM for OpenBSD 6.1?
On Mon, Mar 06, 2017 at 10:55:23AM -0800, Mike Larkin wrote:
> On Mon, Mar 06, 2017 at 06:22:07PM +0100, Juan Francisco Cantero Hurtado wrote:
> > On Mon, Mar 06, 2017 at 10:40:52AM +, C. L. Martinez wrote:
> > > Hi all,
> > >
> > > Where can I see what new features will be released in VMM for OpenBSD
> > > 6.1? For example, could it be possible to run linux or freebsd guests
> > > apart from openbsd guests?
> >
> > No, vmm will only support OpenBSD in the next release.
> > https://www.openbsd.org/61.html will include a list of new features and
> > fixes.
> >
> > --
> > Juan Francisco Cantero Hurtado http://juanfra.info
> >
>
> As Juan states, I'm sure someone will go back through the cvs logs and update
> that page with what new changes/features went in. Probably the biggest change
> will be adding SVM support, if I can manage to get the last +/- 900 lines of
> local changes in, and add interrupt windowing support.
>
> -ml

Thanks for the info.

--
Greetings,
C. L. Martinez
New features in VMM for OpenBSD 6.1?
Hi all,

Where can I see what new features will be released in VMM for OpenBSD 6.1? For example, could it be possible to run linux or freebsd guests apart from openbsd guests?

Many thanks.

--
Greetings,
C. L. Martinez
Re: How easy is to do a MITM/spoof/etc. a public IP address?
On Thu, Jan 26, 2017 at 10:51:14AM +, Stuart Henderson wrote:
> On 2017-01-25, C. L. Martinez <carlopm...@gmail.com> wrote:
> > On Wed, Jan 25, 2017 at 02:07:55PM +, Stuart Henderson wrote:
> >> On 2017-01-25, C. L. Martinez <carlopm...@gmail.com> wrote:
> >> > Hi all,
> >> >
> >> > I have received a (maybe) "stupid" request from one of our customers.
> >> > We have a pair of public OpenBSD firewalls (CARPed) that our development
> >> > team use to access several customers via VPN IPsec tunnels. But this
> >> > morning we have received a request from one of these customers to access
> >> > our development servers using only one acl to permit their public IP
> >> > address (without using VPN IPsec, or VPN SSL tunnels).
> >> >
> >> > And my (OT) question: how easy is it to do a MITM attack (DNS spoofing
> >> > for example, or another type of attack that permits faking the source
> >> > public ip address) in this scenario?
> >>
> >> For an attacker with no access to endpoints or network in between:
> >>
> >> - For many protocols including UDP, it is absolutely trivial to send
> >> traffic from a fake source address.
> >
> > But, only SYN can be sent, right?? The attacker's source ip address will not
> > receive ACK, etc. Is it correct? If it is, he/she/they can only do a DoS
> > attack, they can't steal information, right?
> >
> >> - With TCP it depends on various things but sometimes you can predict
> >> enough of the IP stack behaviour to spoof blindly and send data.
> >> reassemble tcp + random-id can help.
>
> They won't get any responses, but if an attacker can predict some of
> what's in the packets (port numbers, sequence numbers etc), they can
> send a bunch of packets that *might* match. If they get lucky and hit
> on a correct one, they can handshake and transmit, obviously not
> receive data directly on that connection, but sending might be enough
> to do damage.
>
> >> If an attacker can MITM (either by getting $client to send to their
> >> machine instead of yours directly, they can obviously log or modify
> >> packets before forwarding on to the real server. It depends what
> >> you're running over it as to whether this is a problem.
> >>
> >
> > Uhmmm ... but in this case, I don't see how an attacker can fake the original
> > public source ip address ... Any theoretical example?
>
> If they have access to a machine that the packets pass through, or a
> machine that they can be made to pass through (e.g. by DNS manipulation,
> or if they're on an unprotected layer-2 network with a real router ARP
> attacks etc might work) they can just inspect/modify the packets as
> they're passing.
>
> Even if it's just a router that doesn't let them do much with the
> packets directly, they might still be able to forward them over a GRE
> tunnel or similar to a machine where they can do this.
>
> There are enough ISPs and colos around that don't do BCP38 (i.e. don't
> check source addresses) that there won't be too much difficulty
> re-forwarding packets with the original sender IP address.
>
> > Many thanks Stuart for your help.
>
> tl;dr: if VPN isn't suitable, make sure comms are protected by some
> other method that includes at least strong authentication and protects
> messages against being modified - e.g. modern SSH, TLS or equivalent -
> and be careful with certificates (test to make sure that you'll notice
> an unexpected change).
>

Many thanks for your explained answer Stuart. Fantastic.

Only one more question. Since this access only requires the http service, will it be sufficient if I try to convince them to use https instead? And in the case that we could use https, would a MITM attack be minimized?

--
Greetings,
C. L. Martinez
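Stuart's point about blind TCP spoofing ("if an attacker can predict ... sequence numbers ... they can handshake and transmit") is easiest to see in a model. The following Python simulation is an added example for this thread, not code from the discussion or from OpenBSD: a toy server that hands out initial sequence numbers (ISNs) either the historical way (a global counter bumped by a constant per connection) or as 32 unpredictable bits, and an attacker who samples the ISN from its own address, then sends a SYN with the trusted client's address forged as source and has to guess the ISN that went to the real client instead. The addresses are RFC 5737 documentation addresses; the constant 64000 and the seeds are assumptions of the model.

```python
"""Blind TCP spoofing against predictable versus random initial sequence
numbers. Added example for this thread, not OpenBSD code; the ISN
generators are simplified stand-ins for the two designs."""
import random

MASK32 = 0xFFFFFFFF


class TcpServerModel:
    """Server side of the three-way handshake, reduced to what a blind
    spoofer must beat: the ISN the server puts in its SYN/ACK."""

    def __init__(self, isn_mode: str, seed: int = 7):
        if isn_mode not in ("predictable", "random"):
            raise ValueError("isn_mode must be 'predictable' or 'random'")
        self.isn_mode = isn_mode
        self.rng = random.Random(seed)
        self.counter = self.rng.getrandbits(32)
        self.half_open = {}   # (src, sport) -> ISN sent in our SYN/ACK
        self.accepted = []    # (src, sport, payload) of completed handshakes

    def next_isn(self) -> int:
        if self.isn_mode == "predictable":
            # Historical scheme: one sample from the attacker's own
            # address reveals what the next connection will be given.
            self.counter = (self.counter + 64000) & MASK32
            return self.counter
        return self.rng.getrandbits(32)   # modern stacks: unpredictable

    def syn(self, src: str, sport: int) -> int:
        """Receive a SYN; return the ISN carried in the SYN/ACK. The
        SYN/ACK is routed to src, so a forged src never sees this value."""
        isn = self.next_isn()
        self.half_open[(src, sport)] = isn
        return isn

    def ack(self, src: str, sport: int, ack_num: int, payload: bytes) -> bool:
        """Third handshake packet carrying data; accepted only when the
        ACK number equals the ISN we sent plus one."""
        isn = self.half_open.get((src, sport))
        if isn is None or ack_num != (isn + 1) & MASK32:
            return False
        self.accepted.append((src, sport, payload))
        return True


def blind_spoof(server: TcpServerModel, attacker_ip: str, victim_ip: str,
                max_guesses: int):
    """Sample the ISN twice from the attacker's real address, extrapolate,
    then open a connection with victim_ip forged as source and guess the
    ISN that was sent to the victim. Returns the number of guesses used
    on success, None on failure. Not modelled: the real victim answering
    the unexpected SYN/ACK with a RST, which the attacker must also
    suppress or outrun."""
    first = server.syn(attacker_ip, 40000)
    second = server.syn(attacker_ip, 40001)
    step = (second - first) & MASK32
    server.syn(victim_ip, 50000)          # forged source; reply is lost to us
    guesser = random.Random(1)
    for n in range(1, max_guesses + 1):
        if n == 1:
            guess = (second + step) & MASK32   # linear extrapolation
        else:
            guess = guesser.getrandbits(32)    # nothing better to go on
        if server.ack(victim_ip, 50000, (guess + 1) & MASK32, b"forged data"):
            return n
    return None


if __name__ == "__main__":
    for mode in ("predictable", "random"):
        used = blind_spoof(TcpServerModel(mode), "203.0.113.9", "198.51.100.7", 1000)
        print(mode, "ISN:", f"succeeded after {used} guess(es)" if used else "failed")
```

With the counter-based ISN the forged handshake completes on the first guess and the server records data "from" the trusted address it never talked to; with a random ISN the attacker is reduced to a 1-in-2^32 lottery per packet, which is what makes an address-based ACL survive a blind spoofer at all. This is only the blind case: it does nothing against the on-path attacker Stuart describes next, who sees the SYN/ACK. On the firewall side, pf's `modulate state` rewrites sequence numbers for hosts with weak ISN generators, and the `random-id` option Stuart mentions does the equivalent for the IPv4 identification field.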
Re: How easy is to do a MITM/spoof/etc. a public IP address?
On Wed, Jan 25, 2017 at 08:20:32PM +0100, Daniel Gillen wrote:
> On 25.01.2017 15:42, C. L. Martinez wrote:
> > On Wed, Jan 25, 2017 at 02:07:55PM +, Stuart Henderson wrote:
> >> On 2017-01-25, C. L. Martinez <carlopm...@gmail.com> wrote:
> >>> Hi all,
> >>>
> >>> I have received a (maybe) "stupid" request from one of our customers.
> >>> We have a pair of public OpenBSD firewalls (CARPed) that our development
> >>> team use to access several customers via VPN IPsec tunnels. But this
> >>> morning we have received a request from one of these customers to access
> >>> our development servers using only one acl to permit their public IP
> >>> address (without using VPN IPsec, or VPN SSL tunnels).
> >>>
> >>> And my (OT) question: how easy is it to do a MITM attack (DNS spoofing
> >>> for example, or another type of attack that permits faking the source
> >>> public ip address) in this scenario?
> >>
> >> For an attacker with no access to endpoints or network in between:
> >>
> >> - For many protocols including UDP, it is absolutely trivial to send
> >> traffic from a fake source address.
> >
> > But, only SYN can be sent, right?? The attacker's source ip address will not
> > receive ACK, etc. Is it correct? If it is, he/she/they can only do a DoS
> > attack, they can't steal information, right?
> >
>
> UDP and many other protocols are connectionless, so there is no such
> thing as SYN/ACK. You basically just send your data package and hope it
> somehow gets to its destination.
>
> https://en.wikipedia.org/wiki/User_Datagram_Protocol

Yep, sorry. My mistake. I am referring to TCP connections ...

>
> >>
> >> - With TCP it depends on various things but sometimes you can predict
> >> enough of the IP stack behaviour to spoof blindly and send data.
> >> reassemble tcp + random-id can help.
> >>
> >> If an attacker can MITM (either by getting $client to send to their
> >> machine instead of yours directly, they can obviously log or modify
> >> packets before forwarding on to the real server. It depends what
> >> you're running over it as to whether this is a problem.
> >>
> >
> > Uhmmm ... but in this case, I don't see how an attacker can fake the original
> > public source ip address ... Any theoretical example?
> >
> > Many thanks Stuart for your help.
> >
> >
>
> In an MITM scenario, the sent data packets actually flow _through_ the
> MITM's machine before they are forwarded to your machine. No need to
> fake the original source address, as it won't be changed. Think of the
> MITM's machine as a simple router interconnecting your and the $client's
> WAN.
>
> https://en.wikipedia.org/wiki/Man-in-the-middle_attack

Thanks. I see the concept when you are in a LAN. But with a WAN, I can't see how you can accomplish this. For example: the public source ip address is 1.1.1.1, the destination public ip address is 2.2.2.2 and the attacker's public ip address is 3.3.3.3. To establish communications between these three elements, there are several routers between them to route packets. What I don't see is how, when the attacker sends packets to 2.2.2.2 using the source public ip address 1.1.1.1, the routers between all elements return these packets to the attacker (which has the 3.3.3.3 ip address).

Sorry for my "basic" knowledge in these fields :)

--
Greetings,
C. L. Martinez
Re: How easy is to do a MITM/spoof/etc. a public IP address?
On Wed, Jan 25, 2017 at 02:07:55PM +, Stuart Henderson wrote:
> On 2017-01-25, C. L. Martinez <carlopm...@gmail.com> wrote:
> > Hi all,
> >
> > I have received a (maybe) "stupid" request from one of our customers.
> > We have a pair of public OpenBSD firewalls (CARPed) that our development
> > team use to access several customers via VPN IPsec tunnels. But this
> > morning we have received a request from one of these customers to access
> > our development servers using only one acl to permit their public IP
> > address (without using VPN IPsec, or VPN SSL tunnels).
> >
> > And my (OT) question: how easy is it to do a MITM attack (DNS spoofing
> > for example, or another type of attack that permits faking the source
> > public ip address) in this scenario?
>
> For an attacker with no access to endpoints or network in between:
>
> - For many protocols including UDP, it is absolutely trivial to send
> traffic from a fake source address.

But, only SYN can be sent, right?? The attacker's source ip address will not receive ACK, etc. Is it correct? If it is, he/she/they can only do a DoS attack, they can't steal information, right?

>
> - With TCP it depends on various things but sometimes you can predict
> enough of the IP stack behaviour to spoof blindly and send data.
> reassemble tcp + random-id can help.
>
> If an attacker can MITM (either by getting $client to send to their
> machine instead of yours directly, they can obviously log or modify
> packets before forwarding on to the real server. It depends what
> you're running over it as to whether this is a problem.
>

Uhmmm ... but in this case, I don't see how an attacker can fake the original public source ip address ... Any theoretical example?

Many thanks Stuart for your help.

--
Greetings,
C. L. Martinez
How easy is to do a MITM/spoof/etc. a public IP address?
Hi all,

I have received a (maybe) "stupid" request from one of our customers. We have a pair of public OpenBSD firewalls (CARPed) that our development team use to access several customers via VPN IPsec tunnels. But this morning we have received a request from one of these customers to access our development servers using only one acl to permit their public IP address (without using VPN IPsec, or VPN SSL tunnels).

And my (OT) question: how easy is it to do a MITM attack (DNS spoofing for example, or another type of attack that permits faking the source public ip address) in this scenario?

Many thanks.

--
Greetings,
C. L. Martinez
Re: PCI Express wireless adapter supported under OpenBSD
On Wed 30.Nov'16 at 11:44:13 +0100, Stefan Sperling wrote:
> On Wed, Nov 30, 2016 at 10:12:32AM +0000, C. L. Martinez wrote:
> > I have discovered that the Asus AC88 AC3100 uses the BCM4366 chip, but if I am not
> > wrong this chip is not supported under OpenBSD, is it right?
>
> Indeed, BCM4366 won't work.
>
> There are many Atheros AR9280 devices on sites such as ebay.
> And some vendors like pcengines still sell cards with this chip.
> You could also search for other chip names listed in the athn(4) man page.

Ok, I have found a good candidate: TP-LINK TL-WDN4800. According to TP-Link's webpage it uses an Atheros AR9380 chip. But, in the athn(4) OpenBSD man page, this chip doesn't appear for OpenBSD 6.0 ... but it appears in OpenBSD's 4.9 changelog: https://www.openbsd.org/plus49.html. Then, is it supported or not?

Thanks.

--
Greetings,
C. L. Martinez
Re: PCI Express wireless adapter supported under OpenBSD
On Wed 30.Nov'16 at 10:26:32 +0100, Peter N. M. Hansteen wrote:
> On Wed, Nov 30, 2016 at 08:09:24AM +0000, C. L. Martinez wrote:
> > I would like to install OpenBSD on a HP Microserver Gen8 to act as a
> > firewall and hostap. I am searching what components I need and I have a
> > doubt about what wireless interface I need to buy to use it as a hostap
> > under OpenBSD.
>
> The Microserver Gen8s are really nice machines for the application you
> describe, once you set the disk controller to something sensible (as
> previously reported).
>
> When it comes to your primary question I don't have a good answer, but in
> case those boards are not supported it's worth keeping in mind one other
> option: get the highest quality access point or 'wireless router' you can
> afford, configure it as access point only (no dhcp or routing, leave that to
> the OpenBSD tools)
>

I agree. The Microserver Gen8 is a fantastic box to deploy this type of scenario. My idea is to buy an SSD drive, configure this hard disk as RAID0 in the B120i and fire up OpenBSD .. I prefer to avoid buying an access point. I can wait for better support and data rates from the OpenBSD side in future releases ...

--
Greetings,
C. L. Martinez
Re: PCI Express wireless adapter supported under OpenBSD
On Wed 30.Nov'16 at 10:04:25 +0100, Stefan Sperling wrote:
> On Wed, Nov 30, 2016 at 08:09:24AM +0000, C. L. Martinez wrote:
> > Hi all,
> >
> > I would like to install OpenBSD on a HP Microserver Gen8 to act as a
> > firewall and hostap. I am searching what components I need and I have a
> > doubt about what wireless interface I need to buy to use it as a hostap
> > under OpenBSD.
> >
> > I have found only these:
> >
> > - Asus PCE-AC88 Wireless 5GHz PCI-E AC3100
> > - Asus PCE-AC68 PCI-E WiFi Dual-Band AC1900
> >
> > Searching in ASUS's web, I didn't find any info about what chip these
> > adapters use. Are they supported under OpenBSD? Do you recommend any other
> > wireless adapter (PCI-e)?? Throughput needs to be 300 Mbps, at least.
> >
> > Thanks.
>
> I'm afraid you won't get 300 Mbps from any wifi device on OpenBSD.
> Our 802.11n support is still in very early stages.
>
> The best access point OpenBSD can offer uses obsolete AR9280 Atheros
> hardware with 802.11a data rates (theoretical maximum 54Mbit/s).
> 802.11n is not yet supported by any driver which has hostap support.
>
> For your kinds of requirements, the best solution is an external
> access point connected to your OpenBSD box with gigabit ethernet.

Many thanks Stefan and Ze for your answers. But thinking about it, maybe it is a good idea to limit throughput to 150Mbps or less at this first stage. I can wait until OpenBSD supports more data rates.

I have discovered that the Asus AC88 AC3100 uses the BCM4366 chip, but if I am not wrong this chip is not supported under OpenBSD, is it right?

Thanks.
PCI Express wireless adapter supported under OpenBSD
Hi all,

I would like to install OpenBSD on a HP Microserver Gen8 to act as a firewall and hostap. I am searching what components I need and I have a doubt about what wireless interface I need to buy to use it as a hostap under OpenBSD.

I have found only these:

- Asus PCE-AC88 Wireless 5GHz PCI-E AC3100
- Asus PCE-AC68 PCI-E WiFi Dual-Band AC1900

Searching in ASUS's web, I didn't find any info about what chip these adapters use. Are they supported under OpenBSD? Do you recommend any other wireless adapter (PCI-e)?? Throughput needs to be 300 Mbps, at least.

Thanks.

--
Greetings,
C. L. Martinez
Re: httpd: old behavior returns: Couldn't resolve host (SOLVED)
On Mon 5.Sep'16 at 16:15:12 +, C. L. Martinez wrote:
> Hi all,
>
> I have upgraded my TT-RSS server based on OpenBSD 5.9 to OpenBSD 6.0. All
> goes perfect, except when I try to add news feeds. As I reported in
> the past: http://marc.info/?l=openbsd-misc=146739024615025=2, tt-rss
> returns "Couldn't resolve host" every time that I try to add a new feed. As
> Stuart pointed out to me in the past, I have copied /etc/hosts and /etc/resolv.conf
> to the /var/www/etc chroot, but in OpenBSD 6.0 it doesn't work.
>
> Is it a bug or do I need to configure any option inside httpd.conf??
>
> Thanks.
>
> --
> Greetings,
> C. L. Martinez

Ok, problem solved. php-fpm needs to be restarted. Sorry for the noise.

--
Greetings,
C. L. Martinez
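The two halves of the fix above (copy the resolver files into the chroot, then restart php-fpm so its resolver re-reads them) are easy to script. As an added example for this thread, not OpenBSD or TT-RSS code, the Python below copies `resolv.conf` and `hosts` from a source `etc` into `<chroot>/etc` as plain root-controlled files, checks that the chroot now names a nameserver, and in `demo()` exercises the whole thing against constructed temporary directories rather than the real `/etc` and `/var/www`. The directory layout, the sample nameserver address (RFC 5737 range) and the `.tmp` rename step are assumptions of the example.

```python
"""Copy the resolver files a chrooted httpd/php-fpm needs into the chroot
while keeping the copies under root's control. Added example for this
thread, not OpenBSD code. Source and chroot directories are parameters;
demo() runs on constructed temporary directories."""
import os
import shutil
import stat
import tempfile

RESOLVER_FILES = ("resolv.conf", "hosts")


def sync_resolver_files(src_etc: str, chroot: str) -> list:
    """Copy each resolver file from src_etc into <chroot>/etc as a 0644
    regular file, written under a temporary name and renamed into place
    so a reader never sees a half-written file. A symlink already sitting
    at the destination is treated as tampering with a directory that
    should be root-owned and aborts the sync. Returns the paths written.
    The chrooted process reads these files when its resolver initialises,
    so php-fpm has to be restarted afterwards."""
    dest_etc = os.path.join(chroot, "etc")
    os.makedirs(dest_etc, mode=0o755, exist_ok=True)
    written = []
    for name in RESOLVER_FILES:
        src = os.path.join(src_etc, name)
        if not os.path.isfile(src):
            continue                       # e.g. no hosts file at all
        dst = os.path.join(dest_etc, name)
        if os.path.islink(dst):
            raise RuntimeError(f"refusing to replace symlink {dst}")
        tmp = dst + ".tmp"
        shutil.copyfile(src, tmp)          # content only, not ownership
        os.chmod(tmp, 0o644)               # world-readable, owner-writable
        os.replace(tmp, dst)
        written.append(dst)
    return written


def chroot_can_resolve(chroot: str) -> bool:
    """True when <chroot>/etc/resolv.conf exists and lists at least one
    nameserver, the usual thing missing behind 'Couldn't resolve host'."""
    path = os.path.join(chroot, "etc", "resolv.conf")
    if not os.path.isfile(path):
        return False
    with open(path) as fh:
        return any(line.split()[:1] == ["nameserver"] for line in fh)


def demo() -> dict:
    """Run the sync on constructed temporary directories (sample
    resolv.conf and hosts content made up here) and report the checks a
    caller would make afterwards."""
    base = tempfile.mkdtemp(prefix="chroot-demo-")
    try:
        src_etc = os.path.join(base, "src_etc")
        chroot = os.path.join(base, "var_www")
        os.makedirs(src_etc)
        with open(os.path.join(src_etc, "resolv.conf"), "w") as fh:
            fh.write("nameserver 192.0.2.53\n")
        with open(os.path.join(src_etc, "hosts"), "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        before = chroot_can_resolve(chroot)
        written = sync_resolver_files(src_etc, chroot)
        mode = stat.S_IMODE(
            os.stat(os.path.join(chroot, "etc", "resolv.conf")).st_mode)
        return {"before": before, "after": chroot_can_resolve(chroot),
                "written": len(written), "mode": mode}
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print(demo())
```

On a real host this would be run as root with `sync_resolver_files("/etc", "/var/www")` followed by `rcctl restart php56_fpm` (or whichever php-fpm rc script the installed version provides); the copies stay root-owned, which matters because anything writable by the www user inside the chroot is something a compromised PHP process could edit.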
httpd: old behavior returns: Couldn't resolve host
Hi all,

I have upgraded my TT-RSS server based on OpenBSD 5.9 to OpenBSD 6.0. All goes perfect, except when I try to add news feeds. As I reported in the past: http://marc.info/?l=openbsd-misc=146739024615025=2, tt-rss returns "Couldn't resolve host" every time that I try to add a new feed. As Stuart pointed out to me in the past, I have copied /etc/hosts and /etc/resolv.conf to the /var/www/etc chroot, but in OpenBSD 6.0 it doesn't work.

Is it a bug or do I need to configure any option inside httpd.conf??

Thanks.

--
Greetings,
C. L. Martinez
Recommendation about an Alfa usb wireless adapter to use it as HostAP
Hi all,

I would like to install OpenBSD as a hostap for my home. I have done the same in the past, running OpenBSD as a kvm guest on my laptop, and all works really well. I am thinking of using an Alfa (http://www.alfa.com.tw) usb wireless adapter. There is not much information on Alfa's web about which of them can run as a HostAP. Any recommendation? Maybe the AWUS036ACH supports this functionality, but I am not sure ...

Thanks.

--
Greetings,
C. L. Martinez
Re: Encrypting carp traffic with ipsec
On Thu 4.Aug'16 at 12:30:56 +, C. L. Martinez wrote:
> On Tue 2.Aug'16 at 7:54:08 +0000, C. L. Martinez wrote:
> > On Mon 1.Aug'16 at 7:54:57 +0000, C. L. Martinez wrote:
> > > On Fri 29.Jul'16 at 10:55:01 +0300, Kapetanakis Giannis wrote:
> > > > On 28/07/16 22:47, C. L. Martinez wrote:
> > > > > Hi all,
> > > > >
> > > > > I will try to encrypt all carp traffic between two OpenBSD 5.9 fws
> > > > > (fully patched). According to ifconfig(8) man page:
> > > > >
> > > > > carppeer peer_address
> > > > > Send the carp advertisements to a specified point-to-point peer or
> > > > > multicast group instead of sending the messages to the default carp
> > > > > multicast group. The peer_address is the IP address of the other host
> > > > > taking part in the carp cluster. With this option, carp(4) traffic can
> > > > > be protected using ipsec(4) and it may be desired in networks that do
> > > > > not allow or have problems with IPv4 multicast traffic.
> > > > >
> > > > > And the last sentence describes the type of problem that I want to
> > > > > avoid: "carp(4) traffic can be protected using ipsec(4) and it may be
> > > > > desired in networks that do not allow or have problems with IPv4
> > > > > multicast traffic".
> > > > >
> > > > > But I don't see how to implement this feature. If I am not wrong, I
> > > > > need to configure ipsec in transport mode. But how to encrypt carp
> > > > > protocol only and keep all other services and protocols out of ipsec
> > > > > tunnels??
> > > > >
> > > > > Any tip or sample??
> > > > >
> > > >
> > > > check proto (from protocol) in ipsec.conf(5)
> > > >
> > > > G
> > > >
> > >
> > > Ok, after doing several tests these days, I have configured ipsec.conf
> > > instead of iked.conf. But carp interfaces remain in MASTER mode in both
> > > firewalls:
> > >
> > > FwA:
> > >
> > > carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> > >         lladdr 01:00:5e:00:01:01
> > >         priority: 15
> > >         carp: carpdev vio0 advbase 1 balancing ip carppeer 172.22.55.13
> > >                 state MASTER vhid 1 advskew 100
> > >                 state MASTER vhid 2 advskew 0
> > >         groups: carp
> > >         status: master
> > >         inet 172.22.55.14 netmask 0x19f0 broadcast 172.22.247.15
> > > carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> > >         lladdr 01:00:5e:00:01:03
> > >         priority: 15
> > >         carp: carpdev vio1 advbase 1 balancing ip carppeer 172.30.77.3
> > >                 state MASTER vhid 3 advskew 100
> > >                 state MASTER vhid 4 advskew 0
> > >         groups: carp
> > >         status: master
> > >         inet 172.30.77.1 netmask 0xfff8 broadcast 172.30.77.7
> > >
> > > FwB:
> > >
> > > carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> > >         lladdr 01:00:5e:00:01:01
> > >         priority: 15
> > >         carp: carpdev vio0 advbase 1 balancing ip carppeer 172.22.55.12
> > >                 state MASTER vhid 1 advskew 0
> > >                 state MASTER vhid 2 advskew 100
> > >         groups: carp
> > >         status: master
> > >         inet 172.22.55.14 netmask 0x19f0 broadcast 172.22.247.15
> > > carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> > >         lladdr 01:00:5e:00:01:03
> > >         priority: 15
> > >         carp: carpdev vio1 advbase 1 balancing ip carppeer 172.30.77.2
> > >                 state MASTER vhid 3 advskew 0
> > >                 state MASTER vhid 4 advskew 100
> > >         groups: carp
> > >         status: master
> > >         inet 172.30.77.1 netmask 0xfff8 broadcast 172.30.77.7
> > >
> > > IPsec flows are established in both firewalls:
> > >
> > > FwA:
> > >
> > > FLOWS:
> > > flow esp in proto carp from 172.22.57.3 to 172.22.57.2 peer 172.22.57.3 srcid 172.22.57.2/32 dstid 172.22.57.3/32 typ
Re: Encrypting carp traffic with ipsec
On Tue 2.Aug'16 at 7:54:08 +, C. L. Martinez wrote:
> On Mon 1.Aug'16 at 7:54:57 +0000, C. L. Martinez wrote:
> > On Fri 29.Jul'16 at 10:55:01 +0300, Kapetanakis Giannis wrote:
> > > On 28/07/16 22:47, C. L. Martinez wrote:
> > > > Hi all,
> > > >
> > > > I will try to encrypt all carp traffic between two OpenBSD 5.9 fws
> > > > (fully patched). According to ifconfig(8) man page:
> > > >
> > > > carppeer peer_address
> > > > Send the carp advertisements to a specified point-to-point peer or
> > > > multicast group instead of sending the messages to the default carp
> > > > multicast group. The peer_address is the IP address of the other host
> > > > taking part in the carp cluster. With this option, carp(4) traffic can
> > > > be protected using ipsec(4) and it may be desired in networks that do
> > > > not allow or have problems with IPv4 multicast traffic.
> > > >
> > > > And the last sentence describes the type of problem that I want to
> > > > avoid: "carp(4) traffic can be protected using ipsec(4) and it may be
> > > > desired in networks that do not allow or have problems with IPv4
> > > > multicast traffic".
> > > >
> > > > But I don't see how to implement this feature. If I am not wrong, I
> > > > need to configure ipsec in transport mode. But how to encrypt carp
> > > > protocol only and keep all other services and protocols out of ipsec
> > > > tunnels??
> > > >
> > > > Any tip or sample??
> > > >
> > >
> > > check proto (from protocol) in ipsec.conf(5)
> > >
> > > G
> > >
> >
> > Ok, after doing several tests these days, I have configured ipsec.conf
> > instead of iked.conf. But carp interfaces remain in MASTER mode in both
> > firewalls:
> >
> > FwA:
> >
> > carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> >         lladdr 01:00:5e:00:01:01
> >         priority: 15
> >         carp: carpdev vio0 advbase 1 balancing ip carppeer 172.22.55.13
> >                 state MASTER vhid 1 advskew 100
> >                 state MASTER vhid 2 advskew 0
> >         groups: carp
> >         status: master
> >         inet 172.22.55.14 netmask 0x19f0 broadcast 172.22.247.15
> > carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> >         lladdr 01:00:5e:00:01:03
> >         priority: 15
> >         carp: carpdev vio1 advbase 1 balancing ip carppeer 172.30.77.3
> >                 state MASTER vhid 3 advskew 100
> >                 state MASTER vhid 4 advskew 0
> >         groups: carp
> >         status: master
> >         inet 172.30.77.1 netmask 0xfff8 broadcast 172.30.77.7
> >
> > FwB:
> >
> > carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> >         lladdr 01:00:5e:00:01:01
> >         priority: 15
> >         carp: carpdev vio0 advbase 1 balancing ip carppeer 172.22.55.12
> >                 state MASTER vhid 1 advskew 0
> >                 state MASTER vhid 2 advskew 100
> >         groups: carp
> >         status: master
> >         inet 172.22.55.14 netmask 0x19f0 broadcast 172.22.247.15
> > carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> >         lladdr 01:00:5e:00:01:03
> >         priority: 15
> >         carp: carpdev vio1 advbase 1 balancing ip carppeer 172.30.77.2
> >                 state MASTER vhid 3 advskew 0
> >                 state MASTER vhid 4 advskew 100
> >         groups: carp
> >         status: master
> >         inet 172.30.77.1 netmask 0xfff8 broadcast 172.30.77.7
> >
> > IPsec flows are established in both firewalls:
> >
> > FwA:
> >
> > FLOWS:
> > flow esp in proto carp from 172.22.57.3 to 172.22.57.2 peer 172.22.57.3 srcid 172.22.57.2/32 dstid 172.22.57.3/32 type use
> > flow esp out proto carp from 172.22.57.2 to 172.22.57.3 peer 172.22.57.3 srcid 172.22.57.2/32 dstid 172.22.57.3/32 type require
> > flow esp in proto carp from 172.22.58.3 to 172.22.58.2 peer 172.22.58.3 srcid 172.22.58.2/32 dstid 172.22.58.3/32 type use
> > flow esp out proto carp from 172.22.58.2 to 172.22.58.3 peer 172.22.58.3 srcid 172.22.58.2/32 dstid 172.22.58.3/32 type require
> > flow esp in proto carp from 172.22.55.13 to 172.22.55.12 pee
Re: Encrypting carp traffic with ipsec
On Mon 1.Aug'16 at 7:54:57 +, C. L. Martinez wrote:
> On Fri 29.Jul'16 at 10:55:01 +0300, Kapetanakis Giannis wrote:
> > On 28/07/16 22:47, C. L. Martinez wrote:
> > > Hi all,
> > >
> > > I will try to encrypt all carp traffic between two OpenBSD 5.9 fws
> > > (fully patched). According to ifconfig(8) man page:
> > >
> > > carppeer peer_address
> > > Send the carp advertisements to a specified point-to-point peer or
> > > multicast group instead of sending the messages to the default carp
> > > multicast group. The peer_address is the IP address of the other host
> > > taking part in the carp cluster. With this option, carp(4) traffic can
> > > be protected using ipsec(4) and it may be desired in networks that do
> > > not allow or have problems with IPv4 multicast traffic.
> > >
> > > And the last sentence describes the type of problem that I want to
> > > avoid: "carp(4) traffic can be protected using ipsec(4) and it may be
> > > desired in networks that do not allow or have problems with IPv4
> > > multicast traffic".
> > >
> > > But I don't see how to implement this feature. If I am not wrong, I
> > > need to configure ipsec in transport mode. But how to encrypt carp
> > > protocol only and keep all other services and protocols out of ipsec
> > > tunnels??
> > >
> > > Any tip or sample??
> > >
> >
> > check proto (from protocol) in ipsec.conf(5)
> >
> > G
> >
>
> Ok, after doing several tests these days, I have configured ipsec.conf
> instead of iked.conf. But carp interfaces remain in MASTER mode in both
> firewalls:
>
> FwA:
>
> carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 01:00:5e:00:01:01
>         priority: 15
>         carp: carpdev vio0 advbase 1 balancing ip carppeer 172.22.55.13
>                 state MASTER vhid 1 advskew 100
>                 state MASTER vhid 2 advskew 0
>         groups: carp
>         status: master
>         inet 172.22.55.14 netmask 0x19f0 broadcast 172.22.247.15
> carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 01:00:5e:00:01:03
>         priority: 15
>         carp: carpdev vio1 advbase 1 balancing ip carppeer 172.30.77.3
>                 state MASTER vhid 3 advskew 100
>                 state MASTER vhid 4 advskew 0
>         groups: carp
>         status: master
>         inet 172.30.77.1 netmask 0xfff8 broadcast 172.30.77.7
>
> FwB:
>
> carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 01:00:5e:00:01:01
>         priority: 15
>         carp: carpdev vio0 advbase 1 balancing ip carppeer 172.22.55.12
>                 state MASTER vhid 1 advskew 0
>                 state MASTER vhid 2 advskew 100
>         groups: carp
>         status: master
>         inet 172.22.55.14 netmask 0x19f0 broadcast 172.22.247.15
> carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 01:00:5e:00:01:03
>         priority: 15
>         carp: carpdev vio1 advbase 1 balancing ip carppeer 172.30.77.2
>                 state MASTER vhid 3 advskew 0
>                 state MASTER vhid 4 advskew 100
>         groups: carp
>         status: master
>         inet 172.30.77.1 netmask 0xfff8 broadcast 172.30.77.7
>
> IPsec flows are established in both firewalls:
>
> FwA:
>
> FLOWS:
> flow esp in proto carp from 172.22.57.3 to 172.22.57.2 peer 172.22.57.3 srcid 172.22.57.2/32 dstid 172.22.57.3/32 type use
> flow esp out proto carp from 172.22.57.2 to 172.22.57.3 peer 172.22.57.3 srcid 172.22.57.2/32 dstid 172.22.57.3/32 type require
> flow esp in proto carp from 172.22.58.3 to 172.22.58.2 peer 172.22.58.3 srcid 172.22.58.2/32 dstid 172.22.58.3/32 type use
> flow esp out proto carp from 172.22.58.2 to 172.22.58.3 peer 172.22.58.3 srcid 172.22.58.2/32 dstid 172.22.58.3/32 type require
> flow esp in proto carp from 172.22.55.13 to 172.22.55.12 peer 172.22.55.13 srcid 172.22.55.12/32 dstid 172.22.55.13/32 type use
> flow esp out proto carp from 172.22.55.12 to 172.22.55.13 peer 172.22.55.13 srcid 172.22.55.12/32 dstid 172.22.55.13/32 type require
> flow esp in proto carp from 172.30.77.3 to 172.30.77.2 peer 172.30.77.3 srcid 172.30.77.2/32 dstid 172.30.77.3/32 type use
> flow esp out proto carp from 172.30.77.2 to 172.30.77.3 peer 172.30.77.3 srcid 172.30.77.2/32 dstid 172.30.77.3/32 type require
> flow esp in proto carp from 172.22.54.3 to 172.22.54.2 pee
Re: Encrypting carp traffic with ipsec
On Fri 29.Jul'16 at 10:55:01 +0300, Kapetanakis Giannis wrote:
> On 28/07/16 22:47, C. L. Martinez wrote:
> > Hi all,
> >
> > I will try to encrypt all carp traffic between two OpenBSD 5.9 fws
> > (fully patched). According to ifconfig(8) man page:
> >
> > carppeer peer_address
> >     Send the carp advertisements to a specified point-to-point peer or
> >     multicast group instead of sending the messages to the default carp
> >     multicast group. The peer_address is the IP address of the other host
> >     taking part in the carp cluster. With this option, carp(4) traffic can
> >     be protected using ipsec(4) and it may be desired in networks that do
> >     not allow or have problems with IPv4 multicast traffic.
> >
> > And the last sentence describes the type of problem that I want to
> > avoid: "carp(4) traffic can be protected using ipsec(4) and it may be
> > desired in networks that do not allow or have problems with IPv4
> > multicast traffic".
> >
> > But I don't see how to implement this feature. If I am not wrong, I
> > need to configure ipsec in transport mode. But how to encrypt carp
> > protocol only and keep all others services and protocols out of ipsec
> > tunnels??
> >
> > Any tip or sample??
>
> check proto (from protocol) in ipsec.conf(5)
>
> G

Ok, after doing several tests these days, I have configured ipsec.conf instead of iked.conf. But carp interfaces remain in MASTER mode in both firewalls:

FwA:

carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 01:00:5e:00:01:01
        priority: 15
        carp: carpdev vio0 advbase 1 balancing ip carppeer 172.22.55.13
                state MASTER vhid 1 advskew 100
                state MASTER vhid 2 advskew 0
        groups: carp
        status: master
        inet 172.22.55.14 netmask 0x19f0 broadcast 172.22.247.15
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 01:00:5e:00:01:03
        priority: 15
        carp: carpdev vio1 advbase 1 balancing ip carppeer 172.30.77.3
                state MASTER vhid 3 advskew 100
                state MASTER vhid 4 advskew 0
        groups: carp
        status: master
        inet 172.30.77.1 netmask 0xfff8 broadcast 172.30.77.7

FwB:

carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 01:00:5e:00:01:01
        priority: 15
        carp: carpdev vio0 advbase 1 balancing ip carppeer 172.22.55.12
                state MASTER vhid 1 advskew 0
                state MASTER vhid 2 advskew 100
        groups: carp
        status: master
        inet 172.22.55.14 netmask 0x19f0 broadcast 172.22.247.15
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 01:00:5e:00:01:03
        priority: 15
        carp: carpdev vio1 advbase 1 balancing ip carppeer 172.30.77.2
                state MASTER vhid 3 advskew 0
                state MASTER vhid 4 advskew 100
        groups: carp
        status: master
        inet 172.30.77.1 netmask 0xfff8 broadcast 172.30.77.7

IPsec flows are established in both firewalls:

FwA:

FLOWS:
flow esp in proto carp from 172.22.57.3 to 172.22.57.2 peer 172.22.57.3 srcid 172.22.57.2/32 dstid 172.22.57.3/32 type use
flow esp out proto carp from 172.22.57.2 to 172.22.57.3 peer 172.22.57.3 srcid 172.22.57.2/32 dstid 172.22.57.3/32 type require
flow esp in proto carp from 172.22.58.3 to 172.22.58.2 peer 172.22.58.3 srcid 172.22.58.2/32 dstid 172.22.58.3/32 type use
flow esp out proto carp from 172.22.58.2 to 172.22.58.3 peer 172.22.58.3 srcid 172.22.58.2/32 dstid 172.22.58.3/32 type require
flow esp in proto carp from 172.22.55.13 to 172.22.55.12 peer 172.22.55.13 srcid 172.22.55.12/32 dstid 172.22.55.13/32 type use
flow esp out proto carp from 172.22.55.12 to 172.22.55.13 peer 172.22.55.13 srcid 172.22.55.12/32 dstid 172.22.55.13/32 type require
flow esp in proto carp from 172.30.77.3 to 172.30.77.2 peer 172.30.77.3 srcid 172.30.77.2/32 dstid 172.30.77.3/32 type use
flow esp out proto carp from 172.30.77.2 to 172.30.77.3 peer 172.30.77.3 srcid 172.30.77.2/32 dstid 172.30.77.3/32 type require
flow esp in proto carp from 172.22.54.3 to 172.22.54.2 peer 172.22.54.3 srcid 172.22.54.2/32 dstid 172.22.54.3/32 type use
flow esp out proto carp from 172.22.54.2 to 172.22.54.3 peer 172.22.54.3 srcid 172.22.54.2/32 dstid 172.22.54.3/32 type require
flow esp in proto carp from 172.22.56.3 to 172.22.56.2 peer 172.22.56.3 srcid 172.22.56.2/32 dstid 172.22.56.3/32 type use
flow esp out proto carp from 172.22.56.2 to 172.22.56.3 peer 172.22.56.3 srcid 172.22.56.2/32 dstid 172.22.56.3/32 type require

SAD:
esp transport from 172.22.54.3 to 172.22.54.2 spi 0x1ee8aacd auth hmac-sha2-256 enc aes
esp transport from 172.22.55.13 to 172.22.55.12 sp
Re: Encrypting carp traffic with ipsec
On Fri 29.Jul'16 at 10:55:01 +0300, Kapetanakis Giannis wrote:
> On 28/07/16 22:47, C. L. Martinez wrote:
> > Hi all,
> >
> > I will try to encrypt all carp traffic between two OpenBSD 5.9 fws
> > (fully patched). According to ifconfig(8) man page:
> >
> > carppeer peer_address
> >     Send the carp advertisements to a specified point-to-point peer or
> >     multicast group instead of sending the messages to the default carp
> >     multicast group. The peer_address is the IP address of the other host
> >     taking part in the carp cluster. With this option, carp(4) traffic can
> >     be protected using ipsec(4) and it may be desired in networks that do
> >     not allow or have problems with IPv4 multicast traffic.
> >
> > And the last sentence describes the type of problem that I want to
> > avoid: "carp(4) traffic can be protected using ipsec(4) and it may be
> > desired in networks that do not allow or have problems with IPv4
> > multicast traffic".
> >
> > But I don't see how to implement this feature. If I am not wrong, I
> > need to configure ipsec in transport mode. But how to encrypt carp
> > protocol only and keep all others services and protocols out of ipsec
> > tunnels??
> >
> > Any tip or sample??
>
> check proto (from protocol) in ipsec.conf(5)
>
> G

Thanks Giannis. I have configured iked.conf in both firewalls.

FirewallA:

ikev2 esp proto carp from 172.22.55.12 to 172.22.55.13 psk "74ed973deb695a3a5056e2e6ba3fdcb3" tap enc0

FirewallB:

ikev2 esp proto carp from 172.22.55.13 to 172.22.55.12 psk "74ed973deb695a3a5056e2e6ba3fdcb3" tap enc0

Starting iked from shell, all tunnels are established. But when I add iked_flags= to rc.conf.local and reboot both firewalls, startup process stops in iked process and never finishes. I need to do a hard reset ...

Any idea why??
Encrypting carp traffic with ipsec
Hi all,

I will try to encrypt all carp traffic between two OpenBSD 5.9 fws (fully patched). According to ifconfig(8) man page:

carppeer peer_address
    Send the carp advertisements to a specified point-to-point peer or
    multicast group instead of sending the messages to the default carp
    multicast group. The peer_address is the IP address of the other host
    taking part in the carp cluster. With this option, carp(4) traffic can
    be protected using ipsec(4) and it may be desired in networks that do
    not allow or have problems with IPv4 multicast traffic.

And the last sentence describes the type of problem that I want to avoid: "carp(4) traffic can be protected using ipsec(4) and it may be desired in networks that do not allow or have problems with IPv4 multicast traffic".

But I don't see how to implement this feature. If I am not wrong, I need to configure ipsec in transport mode. But how to encrypt carp protocol only and keep all others services and protocols out of ipsec tunnels??

Any tip or sample??
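The reply in this thread points at the `proto` keyword of ipsec.conf(5): a rule restricted to `proto carp` puts only the CARP advertisements (IP protocol 112) into ESP and leaves every other protocol between the two firewalls in the clear. The script below is an added example, not code from the thread or from OpenBSD; it emits one transport-mode `ike` rule per carppeer link from a list of "addrA addrB" pairs, and the `A`/`B` argument selects which firewall the output is for, so the two configurations are exact mirrors of each other (the later messages show six such links, which is where hand-written mirrors go wrong). The pre-shared key is supplied by the caller; the addresses in `sample_pairs` are constructed to resemble the ones in the thread.

```sh
#!/bin/sh
# Added example (not from the thread): generate ipsec.conf(5) "ike" rules
# that protect only CARP advertisements with ESP in transport mode.
# Input on stdin: one "addrA addrB" pair per line, the carpdev addresses
# of firewall A and firewall B on each link.  Blank lines and lines
# starting with '#' are ignored.

# carp_ike_rules A|B PSK < pairs   -> ipsec.conf lines on stdout
carp_ike_rules() {
    side=$1
    psk=$2
    while read -r a b; do
        case "$a" in ''|'#'*) continue ;; esac
        # Mirror the rule for the side we are generating for.
        if [ "$side" = A ]; then src=$a dst=$b; else src=$b dst=$a; fi
        # "proto carp" is the whole point: everything that is not IP
        # protocol 112 between these hosts stays outside IPsec.
        printf 'ike esp transport proto carp from %s to %s peer %s psk "%s"\n' \
            "$src" "$dst" "$dst" "$psk"
    done
}

# Constructed sample input: two links (vio0 and vio1 carpdev addresses).
sample_pairs() {
    printf '%s\n' '172.22.55.12 172.22.55.13' '172.30.77.2 172.30.77.3'
}

# Usage on firewall A (PSK_PLACEHOLDER is a placeholder, not a real key):
#   sample_pairs | carp_ike_rules A PSK_PLACEHOLDER > /etc/ipsec.conf
# and on firewall B with "B".  Parse-check before loading:
#   ipsecctl -n -f /etc/ipsec.conf
```

After loading, `ipsecctl -sa` should list one flow pair per link with `proto carp` and nothing else; a flow without the `proto carp` qualifier means the rule was widened and ordinary traffic between the firewalls would now also be required to use the SA. Keep `/etc/ipsec.conf` mode 0600, since the PSK is stored in it in clear text.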
Using "> /tmp/debug.log 2>&" in a startup script
Hi all,

I need to debug a daemon when it is called from init process. To accomplish this, I need to add "> /tmp/debug.log 2>&1" to daemon_flags (or to another option), but it doesn't work. I have tried the following combinations:

a/ daemon_flags="--first-option --second-option > /tmp/debug.log 2>&1" and using the following rc_start options:

${rcexec} "${daemon} ${daemon_flags} ${_bg}"

(rc_bg=YES in the startup script).

b/ daemon_flags="--first-option --second-option", adding another section with more_flags="> /tmp/debug.log 2>&1" and using the following rc_start options:

${rcexec} "${daemon} ${daemon_flags} ${more_flags} ${_bg}"

(rc_bg=YES in the startup script).

c/ And the last try is to use rc_start options:

${rcexec} "${daemon} ${daemon_flags}" > /tmp/debug.log 2>&1 &

None of these solutions works. What am I doing wrong?

Thanks.

--
Greetings,
C. L. Martinez
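The three attempts above differ in where the shell sees the redirection, and that is the whole story. rc.subr(8)'s default `rc_start` is `${rcexec} "${daemon} ${daemon_flags} ${_bg}"`, and `rcexec` is an `su -s /bin/sh ... -c` prefix, so the single quoted string is parsed by a shell and a `>` inside it is a redirection there; the same variable expanded on an ordinary command line is only word-split, and `>` becomes an argument the daemon receives. The script below is an added example, not the thread's code and not rc.subr: `rcexec` is a stand-in function for that variable, `echo` stands in for the daemon so its argv is visible, and `pexp_for` reproduces rc.subr's default `pexp` (daemon plus flags) to show the second thing worth checking, namely that `rc_check` matches the running process against that pattern with `pgrep -xf`, and a pattern containing `> /tmp/debug.log` never matches a real process.

```sh
#!/bin/sh
# Added example (not from the thread, not rc.subr): what the shell does with
# a redirection that arrives inside a variable.

rcexec() { sh -c "$1"; }        # stand-in for rc.subr's su -s /bin/sh -c

daemon=echo                     # fake daemon: prints whatever argv it gets
daemon_flags="--first-option --second-option"
log=${TMPDIR:-/tmp}/debug.$$.log

# Case a/ from the question: the redirection travels inside the one
# command string that rcexec hands to a shell, so it is parsed there.
start_via_string() {
    flags="$daemon_flags > $log 2>&1"
    rcexec "$daemon $flags"
    cat "$log"                  # the daemon's output landed in the file
}

# Same flags expanded on the command line itself: no shell re-parses the
# expansion, so '>' and '2>&1' reach the daemon as plain arguments.
start_via_argv() {
    flags="$daemon_flags > $log 2>&1"
    $daemon $flags
}

# rc.subr's default pexp is "${daemon}${daemon_flags:+ ${daemon_flags}}";
# rc_check feeds it to pgrep -xf, so anything in daemon_flags that is not
# really part of the daemon's argv (such as a redirection) makes the check
# fail even though the daemon is running.  Override pexp in that case.
pexp_for() {
    d=$1
    shift
    f=$*
    printf '%s%s\n' "$d" "${f:+ $f}"
}
```

Run `start_via_string` and the log file holds `--first-option --second-option`; run `start_via_argv` and the fake daemon prints the redirection words as part of its arguments. For a real rc.d script the safer pattern is to keep `daemon_flags` clean, put the redirection in an overridden `rc_start` string, and leave `pexp` matching the daemon's actual argv.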
Re: Core dumps with sphinx package
On Fri 8.Jul'16 at 12:40:57 +0200, Adam Wolk wrote:
> On Fri, Jul 08, 2016 at 09:16:15AM +0000, C. L. Martinez wrote:
> > Hi all,
> >
> > Once a day, searchd daemon (installed from OpenBSD's packages repository)
> > generates a core dump. How can I report this problem? To openbsd-ports
> > mailing list??
> >
> > Thanks.
> >
> > --
> > Greetings,
> > C. L. Martinez
> >
>
> First of all obtain a backtrace from your core dump. You can do this with gdb by
> passing in the program binary and the core dump as arguments:
> $ gdb prog prog.core
>
> use the 'bt' command to obtain a backtrace when it's done loading.
>
> You might need to rebuild the package with debug symbols in order to obtain a
> useful trace.
>
> Gather as much info as you can:
> - check dmesg for errors
> - did it work before? when did it start to segfault?
> - anything in the logs?
> - what OpenBSD version are you running? (-current?)
>
> Take a look at the backtrace and the info you obtained. Check the upstream
> source code, maybe you can fix the error yourself now? If not. Take the
> information you gathered and post to ports@ CC'ing the port maintainer. You
> should also report the problem upstream to package developers if the problem is
> not OpenBSD specific (and it's frequently worth reporting even if it is
> specific).
>
> Regards,
> Adam
>

Many thanks Adam ... I will try to do all the steps and report to ports@ afterwards.

--
Greetings,
C. L. Martinez
Core dumps with sphinx package
Hi all,

Once a day, searchd daemon (installed from OpenBSD's packages repository) generates a core dump. How can I report this problem? To openbsd-ports mailing list??

Thanks.

--
Greetings,
C. L. Martinez
Strange behavior with php config
Hi all,

I am using php-5.6 with NGinx web server in an OpenBSD 5.9 host. I have configured error_log option to log specific php errors in a separate log file: "error_log = /tmp/php_errors.log". Nginx is running in chroot (as it does by default) under /var/www. I hoped that the errors were fed into the above file inside of /var/www chroot, and it does. But it does also under system's /tmp directory. In summary, I have two php_errors.log files where I can see all duplicated errors ... Why?? How can I fix it?

Thanks.

--
Greetings,
C. L. Martinez
Re: Installing NextCloud under OpenBSD 5.9
On Sat 2.Jul'16 at 22:37:49 +0200, Adam Wolk wrote:
> On Sat, 2 Jul 2016 19:26:57 +0000
> "C. L. Martinez" <carlopm...@gmail.com> wrote:
>
> > Hi all,
> >
> > I am trying to install NextCloud under an OpenBSD 5.9 host using
> > OpenBSD's httpd. But I am not sure that Nextcloud can work with
> > OpenBSD's httpd.
> >
> > First of all, rewrite rules like these:
> >
> > RewriteEngine on
> > RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
> > RewriteRule ^\.well-known/host-meta /public.php?service=host-meta [QSA,L]
> > RewriteRule ^\.well-known/host-meta\.json /public.php?service=host-meta-json [QSA,L]
> > RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
> > RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
> > RewriteRule ^remote/(.*) remote.php [QSA,L]
> > RewriteRule ^(build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
> > RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/.*
> > RewriteRule ^(\.|autotest|occ|issue|indie|db_|console).* - [R=404,L]
> >
> > Can be backported to OpenBSD's httpd? I am thinking to install
> > apache on the same host, configure NextCloud on it, and redirect
> > requests from OpenBSD's httpd to apache (listening on localhost only).
> >
> > What do you think?
> >
> > Thanks.
> >
> > --
> > Greetings,
> > C. L. Martinez
> >
>
> https://github.com/reyk/httpd/wiki/Running-ownCloud-with-httpd-on-OpenBSD
>
> Owncloud works with httpd. Nextcloud should also work.
>

Thanks Adam. I will read carefully and I will try to configure using this guide:

http://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/www/owncloud/pkg/README?rev=1.44=text/x-cvsweb-markup

Many thanks to all.

--
Greetings,
C. L. Martinez
Installing NextCloud under OpenBSD 5.9
Hi all,

I am trying to install NextCloud under an OpenBSD 5.9 host using OpenBSD's httpd. But I am not sure that Nextcloud can work with OpenBSD's httpd.

First of all, rewrite rules like these:

RewriteEngine on
RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteRule ^\.well-known/host-meta /public.php?service=host-meta [QSA,L]
RewriteRule ^\.well-known/host-meta\.json /public.php?service=host-meta-json [QSA,L]
RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
RewriteRule ^remote/(.*) remote.php [QSA,L]
RewriteRule ^(build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/.*
RewriteRule ^(\.|autotest|occ|issue|indie|db_|console).* - [R=404,L]

Can be backported to OpenBSD's httpd? I am thinking to install apache on the same host, configure NextCloud on it, and redirect requests from OpenBSD's httpd to apache (listening on localhost only).

What do you think?

Thanks.

--
Greetings,
C. L. Martinez
Re: I am not sure if it is a problem with OpenBSD's httpd
On Fri 1.Jul'16 at 16:21:27 +0000, Stuart Henderson wrote:
> On 2016-07-01, C. L. Martinez <carlopm...@gmail.com> wrote:
> > Recently, I have installed an OpenBSD virtual machine in my laptop with
> > TT-RSS, and all works perfectly. Until I try to subscribe to a new feed.
> > Every time, tt-rss returns the error "6 Couldn't resolve host". It is
> > strange, because all other feeds migrated from other linux host, works ok.
>
> It might be this, which used to be in faq 10 but was removed a while ago:
>
> << Name Resolution: httpd(8) inside the chroot(2) will NOT be able to
> use the system /etc/hosts or /etc/resolv.conf. Therefore, if you have
> applications which require name resolution, you will need to populate
> /var/www/etc/hosts and/or /var/www/etc/resolv.conf in the chroot(2)
> environment. Note that some applications expect the resolution of
> "localhost" to work. >>
>

It was!! .. Perfect, now it works. Many thanks Stuart

--
Greetings,
C. L. Martinez
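The fix quoted above is a two-file copy, but it is easy to do half of it and then be puzzled again after the next resolv.conf change. The function below is an added example, not code from the thread or from the OpenBSD FAQ: it copies `resolv.conf` and `hosts` into the chroot's `etc`, makes the copies read-only (httpd only needs to read them), and refuses to report success when the copied `hosts` has no `localhost` entry, which is the case the quoted FAQ text singles out. The source directory is a parameter (defaulting to `/etc`) so the function can be exercised on a scratch tree; `/var/www` is the chroot mentioned in the thread.

```sh
#!/bin/sh
# Added example (not from the thread): give a chroot(2)'d httpd its own
# copy of the host's resolver files, since nothing under /var/www can see
# the real /etc/hosts or /etc/resolv.conf.
#
# chroot_resolver_sync CHROOT_DIR [SOURCE_ETC]
#   returns 0 on success, 1 on a missing source file or copy error,
#   2 when the copied hosts file has no "localhost" entry.
chroot_resolver_sync() {
    chroot_dir=$1
    src=${2:-/etc}
    mkdir -p "$chroot_dir/etc" || return 1
    for f in resolv.conf hosts; do
        if [ ! -f "$src/$f" ]; then
            echo "chroot_resolver_sync: missing $src/$f" >&2
            return 1
        fi
        # cp -f replaces a read-only copy left by a previous run.
        cp -f "$src/$f" "$chroot_dir/etc/$f" || return 1
        chmod 0444 "$chroot_dir/etc/$f"
    done
    # Some applications expect "localhost" to resolve inside the chroot;
    # a hosts file without it would be silently half-working.
    if ! grep -q '[[:space:]]localhost' "$chroot_dir/etc/hosts"; then
        echo "chroot_resolver_sync: no localhost entry in $chroot_dir/etc/hosts" >&2
        return 2
    fi
    return 0
}

# Usage on the web server (as root):
#   chroot_resolver_sync /var/www
```

Re-run the function whenever the host's resolver configuration changes; the copies are static and do not follow the real files. Keeping the copied files read-only also means a compromised www process cannot quietly redirect the chroot's name resolution by editing them.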
I am not sure if it is a problem with OpenBSD's httpd
Hi all,

Recently, I have installed an OpenBSD virtual machine in my laptop with TT-RSS, and all works perfectly. Until I try to subscribe to a new feed. Every time, tt-rss returns the error "6 Couldn't resolve host". It is strange, because all other feeds migrated from other linux host, works ok.

For example, if I try to subscribe to http://googleprojectzero.blogspot.com/feeds/posts/default feed, error is returned. But when I try to resolve DNS googleprojectzero.blogspot.com name in the shell, works ok:

Last login: Fri Jul 1 07:06:54 2016 from 172.22.55.1
OpenBSD 5.9 (GENERIC) #4: Thu May 19 08:23:10 CEST 2016

Welcome to OpenBSD: The proactively secure Unix-like operating system.

Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code.  With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.

root@edinburgh:~# nslookup googleprojectzero.blogspot.com
Server:         172.22.55.1
Address:        172.22.55.1#53

Non-authoritative answer:
googleprojectzero.blogspot.com  canonical name = blogspot.l.googleusercontent.com.
Name:   blogspot.l.googleusercontent.com
Address: 216.58.208.225

Having arrived at this point, could it be a problem with OpenBSD's httpd daemon that runs in chroot??

Thanks.

--
Greetings,
C. L. Martinez
Re: Clean OpenBSD's httpd logs
On Fri 1.Jul'16 at 7:39:13 +0000, Stuart Henderson wrote:
> On 2016-06-30, C. L. Martinez <carlopm...@gmail.com> wrote:
> > Hi all,
> >
> > Sorry if this question sounds stupid, but how can I avoid this type of
> > entry in OpenBSD's httpd access.log:
> >
> > 172.22.55.1:44710 -> 172.22.55.10, /favicon.ico (404 Not Found), [/]
> > [/favicon.ico]
>
> Untested, but in theory: set a location that matches the favicon.ico file and
> disable logging (e.g. "no log") in that location block.
>

Perfect!!! .. Works like a charm. Many thanks Stuart.

--
Greetings,
C. L. Martinez
Re: Clean OpenBSD's httpd logs
On Thu 30.Jun'16 at 15:21:05 +0200, Thuban wrote:
> * C. L. Martinez <carlopm...@gmail.com> le [30-06-2016 12:50:36 +0000]:
> > Hi all,
> >
> > Sorry if this question sounds stupid, but how can I avoid this type of
> > entry in OpenBSD's httpd access.log:
> >
> > 172.22.55.1:44710 -> 172.22.55.10, /favicon.ico (404 Not Found), [/]
> > [/favicon.ico]
> >
>
> Hi,
> in httpd.conf :
>
> server "yourdomain.com" {
>     ...
>     no log
> }
>
> You might want to keep access log. Separate errors in another file :
>
> server "yourdomain.com" {
>     ...
>     log access "yourdomain.access.log"
>     log error "yourdomain.errors.log"
> }
>
> see man httpd.conf for more :)
>
> --
> /Thuban/
>

Thanks Thuban, but I want to log all requests to this web server :)

--
Greetings,
C. L. Martinez
Clean OpenBSD's httpd logs
Hi all,

Sorry if this question sounds stupid, but how can I avoid this type of entry in OpenBSD's httpd access.log:

172.22.55.1:44710 -> 172.22.55.10, /favicon.ico (404 Not Found), [/] [/favicon.ico]

??

Thanks.

--
Greetings,
C. L. Martinez
Re: OT: Tools to manage PKI under OpenBSD
On Fri 24.Jun'16 at 18:59:09 -0400, Predrag Punosevac wrote:
> > On Fri 24.Jun'16 at 12:46:48 +0000, Dahlberg, David wrote:
> > > On Friday, 24.06.2016, 11:45 +0000, C. L. Martinez wrote:
> > >
> > > > I would like to deploy/setup a PKI under OpenBSD for my home lab.
> > > > Searching about this topic, I think the best option is to use
> > > > customized openssl/libressl scripts, but it could be very hard to keep
> > > > for certificate requests, revocations, etc.
> > > >
> > > > Any suggestion about what can be better option?
> > >
> > > Have a look at security/xca, else define "better option".
> > >
> > > Cheers
> >
> > For "better option", I am speaking about what could be the best tool or
> > procedure to manage a PKI under OpenBSD.
>
> easy-rsa
>
> You just chose to ignore the answer.
>
> Predrag
>

Where am I saying that I'm ignoring the answer? Please, before saying some things, wait.

--
Greetings,
C. L. Martinez
Re: OT: Tools to manage PKI under OpenBSD
On Sat 25.Jun'16 at 13:56:38 +0000, Stuart Henderson wrote:
> On 2016-06-24, C. L. Martinez <carlopm...@gmail.com> wrote:
> > On Fri 24.Jun'16 at 12:46:48 +0000, Dahlberg, David wrote:
> >> On Friday, 24.06.2016, 11:45 +0000, C. L. Martinez wrote:
> >>
> >> > I would like to deploy/setup a PKI under OpenBSD for my home lab.
> >> > Searching about this topic, I think the best option is to use
> >> > customized openssl/libressl scripts, but it could be very hard to keep
> >> > for certificate requests, revocations, etc.
> >> >
> >> > Any suggestion about what can be better option?
> >>
> >> Have a look at security/xca, else define "better option".
> >>
> >> Cheers
> >
> > For "better option", I am speaking about what could be the best tool or
> > procedure to manage a PKI under OpenBSD.
>
> It really depends on what your reasons are for doing this.
>
> If you're trying to learn about the nitty gritty of generating certs,
> CRLs, revocations, etc, then using the command line tools directly
> aren't a bad idea.
>
> If you're trying to script things but at a higher level than the
> libressl/openssl command line tool, you might want to look at something
> like https://github.com/cloudflare/cfssl.
>
> If you're just trying to manually generate certs for lab machines
> and are happier with something visual xca is pretty good.
>
> Or you can look at the tools which are really made for simplifying vpn
> setup like "ikectl ca" (though the way it's designed, it really only
> makes sense if you generate the private key on a central machine, which
> is a bit non-standard though makes life easier in some cases). Or yes,
> as was already pointed out easy-rsa (though personally I find that more
> complex than easy).
>
> If you're more interested in getting certs than investigating how to
> run pki, something like letsencrypt might work for you.
>

Many thanks Stuart. I have configured a PKI using openssl tools, and it is working ok ... Now, I would like to install an OCSP instance to check when a certificate is revoked ... But I have some doubts:

- When a certificate is revoked, can the .csr and .crt files (the request and the cert signed by the CA) be removed without problems?
- I am trying to set up a startup script for OCSP using openssl; can this be accomplished in OpenBSD's way?

Thanks.

--
Greetings,
C. L. Martinez
Re: OT: Tools to manage PKI under OpenBSD
On Fri 24.Jun'16 at 12:46:48 +0000, Dahlberg, David wrote:
> On Friday, 24.06.2016, 11:45 +0000, C. L. Martinez wrote:
>
> > I would like to deploy/setup a PKI under OpenBSD for my home lab.
> > Searching about this topic, I think the best option is to use
> > customized openssl/libressl scripts, but it could be very hard to keep
> > for certificate requests, revocations, etc.
> >
> > Any suggestion about what can be better option?
>
> Have a look at security/xca, else define "better option".
>
> Cheers

For "better option", I am speaking about what could be the best tool or procedure to manage a PKI under OpenBSD.

--
Greetings,
C. L. Martinez
OT: Tools to manage PKI under OpenBSD
Hi all,

I would like to deploy/setup a PKI under OpenBSD for my home lab. Searching about this topic, I think the best option is to use customized openssl/libressl scripts, but it could be very hard to keep for certificate requests, revocations, etc.

Any suggestion about what can be better option?

Thanks

--
Greetings,
C. L. Martinez
Error loading pf rules: Device busy
Hi all,

I have a strange problem. Every time that I try to reload my pf rules I see the following error message:

pfctl: DIOCADDRULE: Device busy.

I am using OpenBSD 5.8 amd64 fully patched.

Any idea??
Remove "flags S/SA keep state" for tcp packets
Hi all,

I am trying to remove "flags S/SA keep state" for tcp packets inside pf.conf and use "keep state" only, as it can do with udp and icmp.

According to pf.conf man page, this is possible inserting "no state" in tcp rule, but I can't use keep state.

Is it possible to remove "flags S/SA keep state" and use only "keep state" for tcp packets?

Thanks.

P.S.: I am using OpenBSD 5.8
Re: Remove "flags S/SA keep state" for tcp packets
On Tue, Dec 15, 2015 at 9:49 AM, Peter N. M. Hansteen <pe...@bsdly.net> wrote:
> On Tue, Dec 15, 2015 at 09:24:03AM +0000, C. L. Martinez wrote:
>>
>> I am trying to remove "flags S/SA keep state" for tcp packets inside
>> pf.conf and use "keep state" only, as it can do with udp and icmp.
>
> Why? What is it you're trying to achieve?
>
> You can override the default flags by specifying a different set or even
> 'flags any' but the question remains, why?
>
> --

Thanks Peter. Sorry for the delayed response. I am trying to use divert-packet option inside pf rules to use Suricata/Snort as an IPS. At this moment, I can drop comms when an alert is triggered for udp and icmp packets, but it doesn't work when it is a tcp packet. I was thinking about if "using keep state for udp/icmp rules works, why not for tcp?" But maybe I am totally wrong ...
Re: Remove "flags S/SA keep state" for tcp packets
On Tue, Dec 15, 2015 at 9:56 AM, David Dahlberg <david.dahlb...@fkie.fraunhofer.de> wrote:
> On Tuesday, 15.12.2015, 09:24 +0000, C. L. Martinez wrote:
>> I am trying to remove "flags S/SA keep state" for tcp packets inside
>> pf.conf and use "keep state" only, as it can do with udp and icmp.
>>
>> According to pf.conf man page, this is possible inserting "no state"
>> in tcp rule, but I can't use keep state.
>
> "keep state" is addressed in pf.conf(5) (e.g. "Stateful Tracking
> Options"), but it is not mentioned as often as it is the default.
>
> IOW: If you have not changed the default options, you may simply
> remove "flags S/SA keep state" string without changing much (except
> that it might now also match UDP/ICMP).
>

Thanks David. I have not changed any default options but I can't see how I can remove these flags ... I have tried with "flags any keep state" without result. If I use "no state", packets are rejected ...
Re: Captive portal with OpenBSD as a hostap
On Mon, Oct 5, 2015 at 1:26 PM, laudarch wrote:
> I made a custom implementation and a diff to authpf, will share that
> later just in case anyone wants it.
>
> I hope this helps you, it's pretty simple
> http://bastienceriani.fr/?p=70
>

Thanks laudarch ... Very close to what I am searching... I will try your config.
Re: OT: Exists some problem with dnscrypt-proxy package?
On Mon, Sep 21, 2015 at 1:28 AM, frederick w. soucy wrote:
> On 2015.09.20, C.L. Martinez wrote:
>> Hi all,
>>
>> I have installed an openbsd 5.7 VM today to do some tests with pf rules.
>> One of the components to I need to enable in this gateway is
>> unbound+dnscrypt-proxy.
>>
>> I have configured forwarding in unbound.conf:
>>
>> forward-zone:
>>     name: "."
>>     forward-addr: 127.0.0.1@4553
>>
>> And I have started dnscrypt-proxy with the following arguments:
>>
>> -d --user=_dnscrypt-proxy -a 127.0.0.1:4553 -R dnscrypt.eu-nl -p
>> /var/run/dnscrypt-proxy.pid
>>
>> Output:
>>
>> 32032 ??  Is      0:00.00 /usr/sbin/ftp-proxy -m 25
>> 32411 ??  Is      0:00.00 /usr/local/sbin/dnscrypt-proxy -d --user=_dnscrypt-proxy -a 127.0.0.1:4553 -R dnscrypt.eu-nl -p /var/run/dnscrypt-proxy.pid
>>  5667 ??  I       0:00.03 /usr/local/sbin/dnscrypt-proxy -d --user=_dnscrypt-proxy -a 127.0.0.1:4553 -R dnscrypt.eu-nl -p /var/run/dnscrypt-proxy.pid
>>  1256 ??  Is      0:00.00 /usr/sbin/cron
>> 17818 ??  Ss      0:00.12 sshd: root@ttyp0 (sshd)
>>   527 ??  Is      0:00.05 unbound -c /var/unbound/etc/unbound.conf
>> 30164 p0  Ss      0:00.02 -ksh (ksh)
>>  7382 p0  R+      0:00.00 ps -xa
>> 16881 C0  Is+     0:00.00 /usr/libexec/getty std.9600 ttyC0
>>  3047 C1  Is+     0:00.00 /usr/libexec/getty std.9600 ttyC1
>>
>> And it doesn't work. But if I change unbound's forward section to:
>>
>> forward-zone:
>>     name: "."
>>     #forward-addr: 127.0.0.1@4553
>>     forward-addr: 8.8.8.8
>>
>> Works ok. Removing all forward section, unbound works ok also. Then, I am
>> doing something wrong but I don't know which.
>>
>> Any idea??
>>
>> Thanks.
>
> i was having problems with dnscrypt.eu-nl today, could ping its ip but
> not get any dns resolution so i just switched to dnscrypt.eu-dk and
> everything is working again ymmv

Ok, it seems there is some problem with servers. This morning, dnscrypt.eu-dk works, but not dnscrypt.eu-nl. Uhmm ... I will try to update dnscrypt-resolvers.csv file to test more servers ...

Many thanks to all for your help.
Question about divert-to and divert-reply with pf.conf
Hi all,

I have installed a proxy server in a DMZ and I need to redirect all http traffic from my internal lan to this proxy server in my openbsd firewall. Reading pf.conf manual and squid wiki, I see that this can be accomplished using divert-to and divert-reply in pf.conf. Configuration is like this??

pass in quick on inet proto tcp from 192.0.2.0/24 to port www divert-to 172.16.1.1 port 8080
pass out quick inet from 192.0.2.0/24 divert-reply

Thanks.
Re: Unable to install openbsd 5.6 in a HP Proliant ML115 G5
On Tue, Jan 6, 2015 at 3:07 AM, Steve Shockley <steve.shock...@shockley.net> wrote:
> On 1/5/2015 7:52 PM, Stuart Henderson wrote:
> > Some things to try: (Change only 1 thing at a time, and remember what you changed.)
>
> Also check the baseboard/system firmware; I didn't see anything specifically related in the release notes but HP occasionally makes undocumented fixes.

Sorry for this late response. It seems there is some type of problem with the nvidia controller device. Server was returned to our dealer to repair. When it is returned to us, I will try to install OpenBSD ... Many thanks for your help.
Unable to install openbsd 5.6 in a HP Proliant ML115 G5
Hi all,

I am trying to install OpenBSD 5.6 in a HP ProLiant ML115 G5, but install process doesn't start ... Stops in USB detection steps. There is no error in console. This server uses Nvidia MCP55 controller device for SATA and USB devices ... Maybe is this the problem?? In OpenBSD's manual pages, I see that it is supported for ethernet:

http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-5.6/man4/nfe.4?query=nvidiaapropos=1manpath=OpenBSD-5.6

Any idea??
Re: Unable to install openbsd 5.6 in a HP Proliant ML115 G5
On Mon, Jan 5, 2015 at 1:11 PM, Jiri B <ji...@devio.us> wrote:
> On Mon, Jan 05, 2015 at 12:49:34PM +0000, C. L. Martinez wrote:
> > Hi all,
> >
> > I am trying to install OpenBSD 5.6 in a HP ProLiant ML115 G5, but install
> > process doesn't start ... Stops in USB detection steps. There is no error in
> > console. This server uses Nvidia MCP55 controller device for SATA and USB
> > devices ... Maybe is this the problem?? In OpenBSD's manual pages, I see
> > that it is supported for ethernet:
> >
> > http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-5.6/man4/nfe.4?query=nvidiaapropos=1manpath=OpenBSD-5.6
> >
> > Any idea??
>
> It seems it has serial port, capture as much of dmesg as you can and attach
> to mail. Devs usually get angry because of missing dmesg...
>
> j.

Sorry, but I haven't got a serial cable. Would a photo of the screen help?
Re: About special configs to do in OpenBSD for KVM environments
On Fri, Dec 19, 2014 at 7:51 AM, Peter Hessler <phess...@theapt.org> wrote:
> On 2014 Dec 19 (Fri) at 07:35:28 +0000 (+0000), C. L. Martinez wrote:
> :b) OpenBSD/amd64: set up vio flags to 0x02
>
> The man page for vio(4) says:
>
>     Setting the bit 0x2 in the flags disables the RingEventIndex feature.
>     This can be tried as a workaround for possible bugs in host
>     implementations of vio at the cost of slightly reduced performance.
>
> What bugs in the host implementation, which versions are affected, how
> bad is the performance hit, and should this be the default?

Yep, sorry Peter, you are right: OpenBSD 5.6 release. And, when some weeks ago I have tried to copy several files (4 GiB) using virtio for nics and disks, I've got the same problem like Michael describes here:

http://blather.michaelwlucas.com/archives/2083
Re: About special configs to do in OpenBSD for KVM environments
On Fri, Dec 19, 2014 at 8:04 AM, Peter Hessler <phess...@theapt.org> wrote:
> On 2014 Dec 19 (Fri) at 08:01:00 +0000 (+0000), C. L. Martinez wrote:
> :On Fri, Dec 19, 2014 at 7:51 AM, Peter Hessler <phess...@theapt.org> wrote:
> : On 2014 Dec 19 (Fri) at 07:35:28 +0000 (+0000), C. L. Martinez wrote:
> : :b) OpenBSD/amd64: set up vio flags to 0x02
> :
> : The man page for vio(4) says:
> :
> :     Setting the bit 0x2 in the flags disables the RingEventIndex feature.
> :     This can be tried as a workaround for possible bugs in host
> :     implementations of vio at the cost of slightly reduced performance.
> :
> : What bugs in the host implementation, which versions are affected, how
> : bad is the performance hit, and should this be the default?
> :
> :
> :Yep, sorry Peter, you are right: OpenBSD 5.6 release.
> :
>
> I more mean: which versions on the host will trigger this behaviour.

KVM hosts?? CentOS 6.5 and CentOS 6.6, both x86_64. And OpenBSD 5.6/amd64
About special configs to do in OpenBSD for KVM environments
Hi all,

Please, first of all, I don't want to start a flame or quite similar. I only want to know what problems I can encounter when I need to install OpenBSD in kvm environments (mostly CentOS 6.x servers). Yes, I know, OpenBSD is not supported to run in virtualization environments, but many of us only have access to that kind of environments for testing (new pf rules, updates, etc). We can't use physical server and although I am not a big fan of this type of technology, it is here to stay.

My questions are KVM specific. As far as I know:

a) OpenBSD/i386: turn APIC off and set up vio flags to 0x02
b) OpenBSD/amd64: set up vio flags to 0x02

Anything else??
Re: Securing communications with OpenBSD
On Thu, Oct 9, 2014 at 7:21 AM, Duncan Patton a Campbell campb...@neotext.ca wrote:
> On Tue, 7 Oct 2014 07:08:54 + C. L. Martinez carlopm...@gmail.com wrote:
>> On Mon, Oct 6, 2014 at 11:52 PM, Duncan Patton a Campbell campb...@neotext.ca wrote:
>>> The most basic consideration in computer security has nothing to do with technology and computers. Do the people you need to keep out of the know need to know enough to come and break legs? If so, don't bother encrypting. They may not just break legs.
>>>
>>> Dhu
>>>
>>> On Mon, 06 Oct 2014 13:48:33 -0600 chester.t.fi...@hushmail.com wrote:
>>>> Very true, filling your subterranean data server with angry hornets certainly seems like a good idea but it's really not, most AC maintenance contractors will charge you extra (usually per sting!).
>>>>
>>>> Chester T. Field
>>>>
>>>> And remember when I left all the meat out because I saw Mr. David Lynch “I’m on TV” do it, and he got on TV from doin’ it, and I did it and didn’t get on TV from doin’ it? - Gandhi
>>>>
>>>> On 10/6/2014 at 1:37 PM, Matti Karnaattu mkarnaa...@gmail.com wrote:
>>>>> > Yes, my goal is to secure the infrastructure as much as possible.
>>>>>
>>>>> I don't know the details but it sounds overly complex. And complexity may cause other issues, without any benefit for security. Example: you don't have to encrypt your whole hard disk if the hard disk is located in a guarded bunker. But if you do that, it will increase security in theory but may cause a service outage if you always have to type your crypt password locally when the machine crashes. I would put this effort to ease maintainability, ease monitoring, use stateful firewall, deploy honeypot etc. and avoid complexity.
>>
>> Thanks guys for your answers. I know it: our IT sec. dept. adds complexity to our infrastructure, but they are determined to do so. Searching via google I found this: http://www.safenet-inc.com/data-encryption/ HSM: hardware security modules ...
>>
>> But there is another problem. If I would like to use some SSL/TLS or IPsec based solution, how can I authenticate these servers between them without compromising host security?? Any ideas??
>
> Is man 8 iked what you are looking for?
>
> Dhu

Uhmm ... I don't understand your question Duncan... Using IPsec is a possibility.
Re: Securing communications with OpenBSD
On Mon, Oct 6, 2014 at 11:52 PM, Duncan Patton a Campbell campb...@neotext.ca wrote:
> The most basic consideration in computer security has nothing to do with technology and computers. Do the people you need to keep out of the know need to know enough to come and break legs? If so, don't bother encrypting. They may not just break legs.
>
> Dhu
>
> On Mon, 06 Oct 2014 13:48:33 -0600 chester.t.fi...@hushmail.com wrote:
>> Very true, filling your subterranean data server with angry hornets certainly seems like a good idea but it's really not, most AC maintenance contractors will charge you extra (usually per sting!).
>>
>> Chester T. Field
>>
>> And remember when I left all the meat out because I saw Mr. David Lynch “I’m on TV” do it, and he got on TV from doin’ it, and I did it and didn’t get on TV from doin’ it? - Gandhi
>>
>> On 10/6/2014 at 1:37 PM, Matti Karnaattu mkarnaa...@gmail.com wrote:
>>> > Yes, my goal is to secure the infrastructure as much as possible.
>>>
>>> I don't know the details but it sounds overly complex. And complexity may cause other issues, without any benefit for security. Example: you don't have to encrypt your whole hard disk if the hard disk is located in a guarded bunker. But if you do that, it will increase security in theory but may cause a service outage if you always have to type your crypt password locally when the machine crashes. I would put this effort to ease maintainability, ease monitoring, use stateful firewall, deploy honeypot etc. and avoid complexity.

Thanks guys for your answers. I know it: our IT sec. dept. adds complexity to our infrastructure, but they are determined to do so. Searching via google I found this: http://www.safenet-inc.com/data-encryption/ HSM: hardware security modules ...

But there is another problem. If I would like to use some SSL/TLS or IPsec based solution, how can I authenticate these servers between them without compromising host security?? Any ideas??
Securing communications with OpenBSD
Hi all,

I appeal to you to see if you can give me some advice. I need to secure communications between my front-end and back-end servers. First, my infrastructure:

Internet --- Public OpenBSD Carp'ed fws --- FreeBSD front-end web servers (https) --- Internal OpenBSD Carp'ed fws --- CentOS back-end servers (http, tomcat and Oracle DB 11g).

Between these back-end and front-end servers, the packet average is 1000 pkt/sec. And as you can imagine, traffic between these back-end and front-end servers goes in the clear. I'm planning to deploy OpenBSD based servers between these back/front end servers using these technologies, both or only one:

a) Establishing SSL tunnels.
b) Establishing IPSec tunnels host to host.

I could establish tunnels using these servers directly, but I prefer to avoid the processing and/or performance impact that would occur. And another thing: I need to secure comms between backend servers also. Oracle DB hosts are installed on different hosts than the tomcat application servers, for example.

Is my approach correct? Any other better solution? Is this approach stupid? Thanks.

P.S.: I can use cryptographic cards, if I need them.
Re: Securing communications with OpenBSD
On Mon, Oct 6, 2014 at 2:27 PM, Alan McKay alan.mc...@gmail.com wrote:
> On Mon, Oct 6, 2014 at 2:00 AM, C. L. Martinez carlopm...@gmail.com wrote:
>> Is my approach correct? Any other better solution? Is this approach stupid?
>
> You did not really state what your goal was. Or what the problem is. Securing communications between front and back end via SSH/SSL is not a goal or problem. It is a solution to a problem.
>
> To me it seems a bit strange that you'd want to do this if they are all in the same rack, for example, connected to switches that you control.
>
> Is the goal just to make your infrastructure as secure as possible?

Thanks Alan for your answer. Yes, my goal is to secure the infrastructure as much as possible. Our IT Security Dept. has made a request in that direction.
Re: Does this usb wireless adapter work?
On Fri, Jan 31, 2014 at 6:06 PM, Alexander Pakhomov ker0...@yandex.ru wrote:
> No, it doesn't. It crashes the kernel once a day and deadly hangs till reboot every 30 min. I've sent a bug report, but nobody cares. I use RTL8192CU. It crashes the kernel once a month.

Sorry for this late response ... Oops ... then, what usb wireless adapter can I use for an OpenBSD hostap?? It seems that Alfa Networks adapters are not a good option ...
Does this usb wireless adapter work?
Hi all,

I have installed an OpenBSD 5.4 amd64 host to act as a wifi AP (I know it, it is not a good option to use a usb adapter for this, but it is my only option). I would like to use this usb wireless adapter: AWUS036NHA (http://www.alfa.com.tw/products_show.php?pc=34ps=20) but searching openbsd's man pages I didn't find any info about it. As you can see, this usb adapter uses an Atheros AR9271 chip ... Does it work under OpenBSD?? And can I use it as a hostap under openbsd?? Thanks.
Re: Does this usb wireless adapter work?
On Fri, Jan 31, 2014 at 2:56 PM, Kirill Bychkov ki...@linklevel.net wrote:
> On Fri, January 31, 2014 17:50, C. L. Martinez wrote:
>> Hi all,
>>
>> I have installed an OpenBSD 5.4 amd64 host to act as a wifi AP (I know it, it is not a good option to use a usb adapter for this, but it is my only option). I would like to use this usb wireless adapter: AWUS036NHA (http://www.alfa.com.tw/products_show.php?pc=34ps=20) but searching openbsd's man pages I didn't find any info about it. As you can see, this usb adapter uses an Atheros AR9271 chip ... Does it work under OpenBSD?? And can I use it as a hostap under openbsd?? Thanks.
>
> Hi. This one should be supported by the athn driver. From man athn:
>
> The following table summarizes the supported chips and their capabilities.
>
> Chipset   Spectrum   TxR:S   Bus
> [snip]
> AR9271    2GHz       1x1:1   USB 2.0
> [snip]

oops .. that's my fault ... Many thanks Kirill ...
Re: Does this usb wireless adapter work?
On Fri, Jan 31, 2014 at 3:26 PM, Josh Grosse j...@jggimi.homeip.net wrote:
> On 2014-01-31 08:50, C. L. Martinez wrote:
>> As you can see, this usb adapter uses an Atheros AR9271 chip ... Does it work under OpenBSD?? And can I use it as a hostap under openbsd??
>
> I'm replying off list because I don't know the status of a bug reported with a USB attached AR9271 with OpenBSD 5.3-release at the end of May: http://marc.info/?l=openbsd-bugsm=137001370631666w=2
>
> There may have been a fix, or this bug may not apply to the specific implementation of your chosen USB device. You might contact the original poster before making your acquisition.

Uhmm ... Thanks Josh for the info (I will try to contact him). Then, any recommendation about some usb wifi adapter that works as a hostap under openbsd without problems??
OT: Recommended wireless usb adapter as a hostap
Hi all,

I would like to use my openbsd fw box to provide wifi access for friends, family, etc. when they come to my home. Due to hardware restrictions, I can only add a wireless usb adapter to use as a hostap, and yes, I know that is not the best option, but ... Any recommendations about some usb wifi adapter that works well as a hostap under OpenBSD 5.4 and up?? Thanks.
ipsec or iked to deploy under openbsd carp fws
Hi all,

I need to deploy IPSec tunnels (lan-to-lan and roadwarrior clients like linux and windows) under two openbsd carp firewalls. Searching in google and reading some docs, I have several doubts about which one to choose. If I am not wrong, iked doesn't support sasyncd, is that correct?? Which option is best to deploy in these firewalls: ipsec (ipsec.conf and isakmpd) or iked? Thanks.
Re: ipsec or iked to deploy under openbsd carp fws
On Mon, Dec 2, 2013 at 8:13 AM, C. L. Martinez carlopm...@gmail.com wrote:
> Hi all,
>
> I need to deploy IPSec tunnels (lan-to-lan and roadwarrior clients like linux and windows) under two openbsd carp firewalls. Searching in google and reading some docs, I have several doubts about which one to choose. If I am not wrong, iked doesn't support sasyncd, is that correct?? Which option is best to deploy in these firewalls: ipsec (ipsec.conf and isakmpd) or iked? Thanks.

Sorry, I am using openbsd 5.4 in these fws.
pfsync0 doesn't start
Hi all,

I am doing some tests with two openBSD 5.4 hosts configuring carp features. All is ok, except for the pfsync0 interface: it doesn't start up at system boot or when both are rebooted. I need to start it manually every time.

cat /etc/hostname.pfsync0
up syncdev em3

Is this configuration wrong?? Any idea why?? Thanks.
Re: pfsync0 doesn't start
On Wed, Nov 27, 2013 at 3:25 PM, andy a...@brandwatch.com wrote:
> On Wed, 27 Nov 2013 15:08:33 +, C. L. Martinez carlopm...@gmail.com wrote:
>> Hi all,
>>
>> I am doing some tests with two openBSD 5.4 hosts configuring carp features. All is ok, except for the pfsync0 interface: it doesn't start up at system boot or when both are rebooted. I need to start it manually every time.
>>
>> cat /etc/hostname.pfsync0
>> up syncdev em3
>
> Do you also have;
>
> cat /etc/hostname.em3
> inet 192.168.0.252 255.255.255.0 up

Yes, interface em3 is up ..
Re: pfsync0 doesn't start
On Wed, Nov 27, 2013 at 4:12 PM, andy a...@brandwatch.com wrote:
> On Wed, 27 Nov 2013 15:31:49 +, C. L. Martinez carlopm...@gmail.com wrote:
>> On Wed, Nov 27, 2013 at 3:25 PM, andy a...@brandwatch.com wrote:
>>> On Wed, 27 Nov 2013 15:08:33 +, C. L. Martinez carlopm...@gmail.com wrote:
>>>> Hi all,
>>>>
>>>> I am doing some tests with two openBSD 5.4 hosts configuring carp features. All is ok, except for the pfsync0 interface: it doesn't start up at system boot or when both are rebooted. I need to start it manually every time.
>>>>
>>>> cat /etc/hostname.pfsync0
>>>> up syncdev em3
>>>
>>> Do you also have;
>>>
>>> cat /etc/hostname.em3
>>> inet 192.168.0.252 255.255.255.0 up
>>
>> Yes, interface em3 is up ..
>
> If you have an 'up' in your /etc/hostname.em3 file, and your pfsync0 looks right, have you tried running /etc/netstart to correct the permissions on your files. Other than that I don't know.. I've not heard of pfsync not starting at all before. It always starts without issue for us (albeit slowly).
>
> I have known it to take over 60 seconds after rebooting a box for pfsync to go up properly and for the carp demotion counters to come all the way down. I figured that was just due to various pfsync timers and the time taken to get the boxes in sync.

Thanks Andy. I have found the problem. I am doing these tests without PF enabled. After enabling PF, the pfsync0 interface is up and all works ok.
Similar tool to poudriere for OpenBSD
Hi all,

Is there some tool in OpenBSD similar to poudriere for FreeBSD? This tool builds massive numbers of packages for FreeBSD hosts and for different versions and releases (current, stable, release).

https://wiki.freebsd.org/PkgPrimer
https://fossil.etoilebsd.net/poudriere/doc/trunk/doc/index.wiki

Thanks.
Re: Similar tool to poudriere for OpenBSD
On Mon, Nov 11, 2013 at 4:29 PM, Vigdis vigdis+o...@chown.me wrote:
> On Mon, 11 Nov 2013 15:37:17 +, C. L. Martinez carlopm...@gmail.com wrote:
>> Hi all,
>>
>> Is there some tool in OpenBSD similar to poudriere for FreeBSD? This tool builds massive numbers of packages for FreeBSD hosts and for different versions and releases (current, stable, release).
>>
>> https://wiki.freebsd.org/PkgPrimer
>> https://fossil.etoilebsd.net/poudriere/doc/trunk/doc/index.wiki
>>
>> Thanks.
>
> http://openbsd.org/faq/faq15.html#dpb

Yep, pretty pretty close ... But if I understand correctly, if I would like to build ports for i386 and amd64 archs I need to use two hosts: one to build i386 ports and another to build amd64 ports, correct??
Re: Similar tool to poudriere for OpenBSD
On Tue, Nov 12, 2013 at 12:04 AM, Theo de Raadt dera...@cvs.openbsd.org wrote:
> Note that these are all *deliberate design choices* in OpenBSD and its ports tree, not a limitation of the tool. It follows the 'eat our own dogfood' principle. We only have so many machines and developers around to eat our own dogfood, so we don't do cross compilations. That would require more machines, or more people watching more machines, or looked at from the other side, it would mean less watching of the specific cases that matter the most (ie. native). Those all come from lack of manpower with respect to expected quality of the results.
>
> Right. We run on many architectures, because it helps improve the quality. Running via cross compilers? That does not improve the quality of the resulting native output in any way. It might improve the quality of the cross compilation environment, or the compiler itself, but that is not where our core responsibilities lie. And anyways, it is rather apparent that those who have that as a core responsibility also have far fewer cross-targets in mind than might be useful (ie. walk off their map, and you'll step in mud).

Perfect. Many thanks to all.
Re: Management of pf.conf
On Thu, Jul 11, 2013 at 8:51 PM, Patrick Lamaiziere patf...@davenulle.org wrote:
> On Thu, 11 Jul 2013 13:18:13 +0200 (CEST), Jummo jum...@yahoo.de wrote:
>> This works quite well for me and my firewalls with one exception, my big fat central router/firewall. This firewall has around 2000 lines of pf.conf, is attached to 12 VLAN interfaces and gets slowly unmanageable with this concept.
>>
>> How do you manage such big firewalls? Do you split the pf.conf into logical parts? Do you use a base structure for every pf.conf? Do you use a tool for automatic creation of pf.conf? How do you test your old rules after you changed something?
>
> We have a large set of rules at work on several routers/firewalls and we use a tool 'list firewall (lsfw)' to help manage the rule set. The goal is to display the rules applied between a source address and a destination, on several pieces of equipment doing routing and firewalling. See: https://groupes.renater.fr/wiki/jtacl/index
>
> It has some other features, ip cross references for example, which is cool to know where an address is used directly or indirectly (in table/group), or to extract the addresses from the configurations and to automate tests on them. That works fine at work (PF + cisco + checkpoint), but there are some limitations (see the doc...)
>
> My next step is a tool to manage security policies. I mean if someone asks to open a port, we should be able to track this policy (who, why, which rules are used) and to check it. This is work in (slow) progress. If someone already has such a tool please let me know :)
>
> If you want more details ask me, this is a bit off topic here.
>
> Regards.

A really, really interesting topic. I have the same problem with my CARP firewalls (20 in total), but I think the best option is the one Andy suggests: fast, reliable and secure (if you know what you are doing) ... Andy, do you use the firewall module that comes with puppet to accomplish this task??
Re: Management of pf.conf
On Fri, Jul 12, 2013 at 11:12 AM, Andy a...@brandwatch.com wrote:
> Hi,
>
> No we don't use the puppet firewall module as it doesn't support PF properly.
>
> We don't use any 'software' to manage PF rules, but we do still have rule sets with thousands of lines. I have never found any PF configuration software that comes anywhere near what can be done with a carefully designed and hand written PF file structure, using Vim (with a modified bashrc and filetypes), reading the Book of PF and following the OpenBSD change logs to keep up with new features/changes and knowing the PF flow diagram by heart (http://notamentaldowu.files.wordpress.com/2009/08/flow.png?w=700). There just simply isn't a magic bullet if you want to achieve the full power of PF..
>
> There are many great pieces of PF software out there which are good for people who are learning, but none which can ever fully support the extremely wide features and packet mangling capabilities of PF (which is continually growing and changing), or can correctly parse all of our rules. Things especially get more complicated for parsing when you have multiple 'related' rules attached to different physical interfaces, but where all are needed to pass and queue a desired flow.
>
> I believe that a well structured PF file which is built up using several includes etc with a strong consistent structure is the best way to have access to all the latest features and functions whilst maintaining visibility and ease of management.
>
> To make PF super friendly in Vim, set-up your PF syntax highlighting;
>
> /root/.vimrc;
> so /root/.vim/filetypes.vim
> set guifont=9x15bold
> set ruler
> syntax on
> set tabstop=4
> set shiftwidth=4
> filetype on
>
> /root/.vim/filetypes.vim;
> augroup filetype
> au!
> au BufRead,BufNewFile *.c set filetype=c
> au BufRead,BufNewFile pf.* set filetype=pf
> au BufRead,BufNewFile pf.conf set filetype=pf
> au BufRead,BufNewFile pf.conf.* set filetype=pf
> au BufRead,BufNewFile snort.conf set filetype=hog
> au BufRead,BufNewFile snort.conf.* set filetype=hog
> augroup END
>
> Not wanting to waffle as this is already long, but seeing as people seem interested (tell me to shut up if I am just generating noise ;) we structure our PF's roughly as follows;
>
> Global common;
>
> 'pf.conf.internalnetworks' - Defines common macro names for all of the different subnets we have globally; E.g. int_net_hbase=10.0.50.0/24, int_net_solr=10.0.51.0/24, int_net_stage=10.0.52.0/24 .
> 'pf.conf.hosts' - This is a dynamic file. We have a script on each firewall which connects to the 'local' LDAP server, downloads every host macro for that zone and prints the int_ip_cn name=IP macros into pf.conf.hosts
> 'pf.conf.publicips' - defines common macro names for all of our public IP addresses to the roles they provide access to (multiple roles means multiple macros with the same IP etc)
> 'pf.conf.tables' - defines common tables like blacklist_hosts, snort2pf, ossec_fwtable, trusted_networks etc
> 'pf.conf.options' - defines all our non-default firewall options including 'states', 'table-entries' and all of our 'Stateful Tracking Option' macros
> 'pf.conf.portgroups' - defines common service groups. E.g. 'office_mail_protos=smtp, 465, submission, imaps, pop3s', 'office_chat_tcpports=5190, 5222, 5223, 5269, 5349' etc
>
> Per environment common (DC, Office etc);
>
> 'pf.conf.queues.office' - defines all our HFSC queues (NB; the bandwidth values are $variables which are defined in the site specific includes allowing for a generic queue structure for all offices).
> 'pf.conf.queues.livedc' - defines all our HFSC queues (NB; the bandwidth values are $variables which are defined in the site specific includes allowing for a generic queue structure for all offices).
> 'pf.conf.rules.common.office' - The common office rules
> 'pf.conf.rules.common.dc' - The common DC rules
> 'pf.conf.scrub' - antispoof, urpf-failed, non_routable drops, packet scrubbing and tagging etc
>
> Site Specific;
>
> 'pf.conf.interfaces.berlin' - Defines common macro names mapping to all the physical interface names; E.g. if_ext=em0, if_lan=em1, if_dmz=em2 .
> 'pf.conf.interfaces.newyork' - Defines common macro names mapping to all the physical interface names; E.g. if_ext=em0, if_lan=em1, if_dmz=em2 .
> 'pf.conf.rules.berlin' - rdr-to, binat-to, nat-to, block, pass etc.. These bespoke per site rule files are now small and easy to manage :)
> 'pf.conf.rules.newyork' - rdr-to, binat-to, nat-to, block, pass etc..
> . etc
>
> Puppet then pushes out the appropriate files to the appropriate firewalls using simple manifests.
>
> Hope this makes sense.. By grouping and standardising common things, the final site specific rules become very small and easy to read, and making wider global/environment changes is a one file change :)
>
> NB; When writing filter rules try to continue to be consistent and maintain structure remembering the 'PF skip steps' (PF optimises rule inspection by grouping rules (skip steps)
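As an added example (not Andy's code or anything posted in the thread): a small POSIX sh lint for a pf.conf assembled from include files, walking them in the order the master file lists them and reporting every $macro that is used before an earlier include has defined it. pfctl -nf catches the same slip on the firewall; this check needs no pf, so it can run where the files are built before puppet pushes them. The demo tree it constructs includes the site rules ahead of the site interfaces file; resolving relative include paths against the including file's directory is this script's own assumption.

```shell
#!/bin/sh
# Added example, not from the thread: lint a pf.conf split into includes.
# A $macro must be defined by an include that pf reads *before* the one
# that uses it. Assumption: relative include paths are taken relative to
# the including file's directory.

DEFINED=""      # macro names seen so far, space separated
PROBLEMS=0      # number of use-before-definition findings

macro_defined() {
	case " $DEFINED " in
		*" $1 "*) return 0 ;;
		*) return 1 ;;
	esac
}

# pf_lint_file FILE: walk FILE line by line, in order, recursing into includes.
pf_lint_file() {
	if [ ! -r "$1" ]; then
		printf '%s: cannot read include\n' "$1"
		PROBLEMS=$((PROBLEMS + 1))
		return
	fi
	while IFS= read -r _line || [ -n "$_line" ]; do
		_line=${_line%%#*}                  # strip comments (good enough for a lint)
		case $_line in
		include*)                           # include "file": lint it now, in place
			_inc=$(printf '%s\n' "$_line" | sed 's/^include[[:space:]]*"\([^"]*\)".*/\1/')
			case $_inc in
				/*) ;;
				*) _inc=$(dirname "$1")/$_inc ;;
			esac
			pf_lint_file "$_inc"
			continue
			;;
		esac
		# every $name on the line is a use; complain if nothing defined it yet
		for _m in $(printf '%s\n' "$_line" | grep -Eo '[$][A-Za-z_][A-Za-z0-9_]*' || true); do
			_m=${_m#?}
			macro_defined "$_m" || {
				printf '%s: $%s used before definition\n' "$1" "$_m"
				PROBLEMS=$((PROBLEMS + 1))
			}
		done
		# "name = value" defines a macro for everything that follows
		_def=$(printf '%s\n' "$_line" | sed -n 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)[[:space:]]*=.*/\1/p')
		if [ -n "$_def" ]; then
			DEFINED="$DEFINED $_def"
		fi
	done < "$1"
}

# pf_lint MASTER: lint a whole ruleset; prints findings, returns 1 if any.
pf_lint() {
	DEFINED=""
	PROBLEMS=0
	pf_lint_file "$1"
	[ "$PROBLEMS" -eq 0 ]
}

# make_demo_tree DIR: a small constructed ruleset (demo data only) with the
# classic slip: the site rules are included before the site interfaces.
make_demo_tree() {
	mkdir -p "$1"
	cat > "$1/pf.conf.internalnetworks" <<'EOF'
# common macro names for the internal subnets
int_net_hbase = "10.0.50.0/24"
int_net_solr = "10.0.51.0/24"
EOF
	cat > "$1/pf.conf.interfaces.berlin" <<'EOF'
if_ext = "em0"
if_lan = "em1"
EOF
	cat > "$1/pf.conf.rules.berlin" <<'EOF'
block in log on $if_ext
pass in on $if_lan from { $int_net_hbase $int_net_solr } to any
EOF
	cat > "$1/pf.conf" <<'EOF'
include "pf.conf.internalnetworks"
include "pf.conf.rules.berlin"
include "pf.conf.interfaces.berlin"
EOF
}

# Demo when run directly: two findings, both in pf.conf.rules.berlin.
DEMO=$(mktemp -d)
make_demo_tree "$DEMO"
pf_lint "$DEMO/pf.conf" || printf '%d problem(s) found in %s\n' "$PROBLEMS" "$DEMO/pf.conf"
rm -rf "$DEMO"
```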
Is openbsd.org down??
Hi all,

Trying to access: gateway timeout ...
Re: OT: OpenVAS under OpenBSD 5.3
On Fri, Jun 7, 2013 at 8:24 PM, Nigel Taylor njtay...@asterisk.demon.co.uk wrote:
> On 06/07/13 13:52, C. L. Martinez wrote:
>> Hi all,
>>
>> Has somebody tried it under OpenBSD? I need to deploy a new VA server to substitute my previous CentOS/Nessus server. What version is more stable under OpenBSD: 5 or 6?? Any tips?? Thanks.
>
> It's not the latest version. I haven't updated it for some time.
>
> openvas-gsd-1.2.2.tgz
> openvas-libraries-5.0.4.tgz
> openvas-manager-3.0.4.tgz
> openvas-gsa-3.0.3.tgz
> openvas-scanner-3.3.1.tgz
> openvas-administrator-1.2.1.tgz
> openvas-cli-1.1.5.tgz
>
> The ports can be found here https://github.com/jasperla/openbsd-wip/tree/master/security/openvas
>
> You also need this port https://github.com/jasperla/openbsd-wip/tree/master/www/libmicrohttpd

Many thanks Nigel ... I will look at it .. have you tried to compile version 6?? Can I expect some problem??
OT: OpenVAS under OpenBSD 5.3
Hi all,

Has somebody tried it under OpenBSD? I need to deploy a new VA server to substitute my previous CentOS/Nessus server. What version is more stable under OpenBSD: 5 or 6?? Any tips?? Thanks.
OT: Running Snort IDS under OpenBSD 5.3
Hi all,

I am trying to run snort IDS (release 2.9.4.6) with only so_rules under an OpenBSD 5.3 amd64 host, but the numbers are disappointing. The host is an Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, with 8 GiB RAM and four e1000 interfaces. Some numbers:

top:

load averages: 0.69, 0.65, 0.53
31 processes: 30 idle, 1 on processor
CPU0 states: 2.8% user, 0.0% nice, 0.4% system, 20.4% interrupt, 76.4% idle
CPU1 states: 2.2% user, 0.0% nice, 0.8% system, 0.0% interrupt, 97.0% idle
CPU2 states: 3.0% user, 0.0% nice, 3.4% system, 0.0% interrupt, 93.6% idle
CPU3 states: 6.0% user, 0.0% nice, 5.0% system, 0.0% interrupt, 89.0% idle
Memory: Real: 587M/2947M act/tot Free: 5012M Cache: 2213M Swap: 0K/6142M

PID USERNAME PRI NICE SIZE RES STATE WAIT TIME CPU COMMAND
14655 root 40 393M 183M sleep/1 bpf 8:44 14.26% snort
25669 root 40 1132K 1740K sleep/2 bpf 0:06 3.52% daemonlogger

systat ifstat (the snort process is listening on em3):

3 users Load 0.89 0.71 0.56 Fri May 31 06:23:13 2013
IFACE STATE DESC IPKTS IBYTES IERRS OPKTS OBYTES OERRS COLLS
em0 up 2 13200 261 00
em1 up 0 12600 131 00
em2 up 10348 3425952000 00
em3 up 10346 3425044000 00

systat mbufs:

IFACE LIVELOCKS SIZE ALIVE LWM HWM CWM
System 0 256 185 56 2k 171 435
lo0
em0 2k 6 4 256 6
em1 2k 6 4 256 4
em2 2k 66 4 256 66
em3 2k 65 4 256 65

Stats with ALL so_rules disabled (5 min, more or less):

Rule application order: activation-dynamic-pass-drop-sdrop-reject-alert-log
Verifying Preprocessor Configurations!
ICMP tracking disabled, no ICMP sessions allocated
IP tracking disabled, no IP sessions allocated
0 out of 1024 flowbits in use.
Packet Performance Monitor Config:
  ticks per usec : 2417 ticks
  max packet time : 1 usecs
  packet action : fastpath-expensive-packets
  packet logging : log
  debug-pkts : disabled
Rule Performance Monitor Config:
  ticks per usec : 2417 ticks
  max rule time : 4096 usecs
  rule action : suspend-expensive-rules
  rule threshold : 5
  suspend timeout : 10 secs
  rule logging : log pcap
DAQ configured to passive.
Acquiring network traffic from em4.
Reload thread starting...
Reload thread started, thread 0xc100dbb8f00 (18056)
Decoding Ethernet

--== Initialization Complete ==--

,,_ -* Snort! *- o )~ Version 2.9.4.6 GRE (Build 73)
By Martin Roesch The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.3.0
Using PCRE version: 8.31 2012-07-06
Using ZLIB version: 1.2.3

Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.17 Build 18
Rules Object: web-misc Version 1.0 Build 1
Rules Object: web-iis Version 1.0 Build 1
Rules Object: web-client Version 1.0 Build 1
Rules Object: web-activex Version 1.0 Build 1
Rules Object: specific-threats Version 1.0 Build 1
Rules Object: snmp Version 1.0 Build 1
Rules Object: smtp Version 1.0 Build 1
Rules Object: p2p Version 1.0 Build 1
Rules Object: nntp Version 1.0 Build 1
Rules Object: netbios Version 1.0 Build 1
Rules Object: multimedia Version 1.0 Build 1
Rules Object: misc Version 1.0 Build 1
Rules Object: imap Version 1.0 Build 1
Rules Object: icmp Version 1.0 Build 1
Rules Object: exploit Version 1.0 Build 1
Rules Object: dos Version 1.0 Build 1
Rules Object: chat Version 1.0 Build 1
Rules Object: bad-traffic Version 1.0 Build 1
Preprocessor Object: SF_DNP3 Version 1.1 Build 1
Preprocessor Object: SF_MODBUS Version 1.1 Build 1
Preprocessor Object: SF_GTP Version 1.1 Build 1
Preprocessor Object: SF_REPUTATION Version 1.1 Build 1
Preprocessor Object: SF_SIP Version 1.1 Build 1
Preprocessor Object: SF_SDF Version 1.1 Build 1
Preprocessor Object: SF_DCERPC2 Version 1.0 Build 3
Preprocessor Object: SF_SSLPP Version 1.1 Build 4
Preprocessor Object: SF_DNS Version 1.1 Build 4
Preprocessor Object: SF_SSH Version 1.1 Build 3
Preprocessor Object: SF_SMTP Version 1.1 Build 9
Re: OT: Running Snort IDS under OpenBSD 5.3
On Fri, May 31, 2013 at 10:08 AM, Rodolfo Gouveia rgouv...@cosmico.net wrote:
> On 05/31/2013 08:02 AM, C. L. Martinez wrote:
>> Could it be better to use the binary packaged version released by OpenBSD (http://ftp.openbsd.org/pub/OpenBSD/5.3/packages/amd64/snort-2.9.4.0.tgz)??
>
> Any reason why you didn't start with the packaged version? And did you tune snort.conf to your setup?
>
> cheers,
> --rodolfo

There are some important bugs resolved by the 2.9.4.6 and 2.9.4.5 releases:

2013-04-18 Steven Sturges sstur...@sourcefire.com
Snort 2.9.4.6
* src/build.h: updating build number to 73
* doc/README.counts, doc/snort_manual.pdf, doc/snort_manual.tex, src/decode.c, src/parser.c, src/snort.h: Added config tunnel_verdicts and tunnel bypass for whitelist and blacklist verdicts for 6in4 or 4in6 encapsulated traffic.
* src/preprocessors/spp_frag3.c: Don't update IP options length and count in frag3 after allocating option buffer when receiving duplicate 0 offset fragments with IP options.

2013-03-20 Steven Sturges sstur...@sourcefire.com
Snort 2.9.4.5
* src/build.h: updating build number to 71
* src/preprocessors/Stream5/snort_stream5_tcp.c: prevent pruning when dup'ing a seglist node to avoid broken flushed packets
* src/detection-plugins/detection_options.c: recursively search patterns within the HTTP uri buffers until the buffer ends.
* src/preprocessors/HttpInspect/: client/hi_client.c, client/hi_client_norm.c, include/hi_client.h: Remove proxy information from the normalized URI buffer. Thanks to L0rd Ch0de1m0rt for reporting the issue.
* src/: control/sfcontrol.c, preprocessors/Stream5/snort_stream5_tcp.c: fix logging of unified2 packet data when alerting on a packet containing multiple HTTP PDUs

And yes, I need to tune snort.conf to correctly monitor my network ...
Re: Problem with a startup script
On Tue, May 21, 2013 at 6:27 PM, russell russ...@dotplan.dyndns.org wrote:
>> Because pexp uses pkill to do its work and pkill matches on command name only (like ps -c).
>
> sorry for the noise I just revisited this and I am wrong. the pkill bits in rc.subr are using pkill -f and that does match against the full arg list. as said before make a better pexp and it should work.

But .. I have tried to insert these options in this rc.d script:

rc_read_runfile=NO
rc_reload=NO
rc_usercheck=NO
rc_check=NO

and I have added an rc_stop option to send a kill command to the process ... but nothing works ... Any other idea??
Re: OT: trying to install vortex-ids in OpenBSD 5.3
On Tue, May 21, 2013 at 10:38 PM, Stuart Henderson s...@spacehopper.org wrote:
> On 2013-05-21, C. L. Martinez carlopm...@gmail.com wrote:
>> Hi all,
>>
>> I am trying to compile vortex-ids (http://sourceforge.net/projects/vortex-ids/?source=directory) under OpenBSD 5.3, but this error is returned:
>>
>> vortex.c: In function 'errors_thread':
>> vortex.c:686: error: '__NR_gettid' undeclared (first use in this function)
>> vortex.c:686: error: (Each undeclared identifier is reported only once
>> vortex.c:686: error: for each function it appears in.)
>> vortex.c:693: error: 'cpu_set_t' undeclared (first use in this function)
>> vortex.c:693: error: expected ';' before 'csmask'
>> vortex.c:694: error: 'csmask' undeclared (first use in this function)
>> vortex.c: In function 'stats_thread':
>> vortex.c:768: error: '__NR_gettid' undeclared (first use in this function)
>> vortex.c:776: error: 'cpu_set_t' undeclared (first use in this function)
>> vortex.c:776: error: expected ';' before 'csmask'
>> vortex.c:777: error: 'csmask' undeclared (first use in this function)
>> vortex.c: In function 'conn_writer':
>> vortex.c:950: error: '__NR_gettid' undeclared (first use in this function)
>> vortex.c:958: error: 'cpu_set_t' undeclared (first use in this function)
>> vortex.c:958: error: expected ';' before 'csmask'
>> vortex.c:959: error: 'csmask' undeclared (first use in this function)
>> vortex.c: In function 'main':
>> vortex.c:1917: error: '__NR_gettid' undeclared (first use in this function)
>> vortex.c:1925: error: 'cpu_set_t' undeclared (first use in this function)
>> vortex.c:1925: error: expected ';' before 'csmask'
>> vortex.c:1926: error: 'csmask' undeclared (first use in this function)
>>
>> I have installed the libnet-1.1.2.1p0, glib2-2.34.3 and libnids-1.24 packages. Compile options are:
>>
>> gcc -I/usr/local/include -I/data/soft/libpcap/include -L/usr/local/lib -L/data/soft/libpcap/lib -O3 vortex.c -o vortex -lnids -lnet -lgthread-2.0 -lpcap
>>
>> I have tried with this modified version also: https://github.com/ckane/vortex-dev ... but without luck. Any idea??
>
> This is trying to use non-portable Linux code (from the errors it looks like it may be for processor affinity). The modified version you mention has some #if defined(__FreeBSD__) hacks, you may get it to compile if you change those lines to #if defined(__FreeBSD__) || defined(__OpenBSD__).

Uhmm I have tried, but same errors:

root@plzfnsm01:/tmp/1/vortex-dev-master# gcc -c vortex.c -I/usr/local/include -I/data/soft/libpcap/include
vortex.c:44:24: error: sys/cpuset.h: No such file or directory
vortex.c:45: error: expected '=', ',', ';', 'asm' or '__attribute__' before 'cpu_set_t'
vortex.c:47:1: warning: SIZE_MAX redefined
In file included from /usr/include/sys/limits.h:34, from /usr/include/sys/param.h:92, from vortex.c:43:
/usr/include/machine/limits.h:41:1: warning: this is the location of the previous definition
vortex.c: In function 'errors_thread':
vortex.c:676: error: 'cpu_set_t' undeclared (first use in this function)
vortex.c:676: error: (Each undeclared identifier is reported only once
vortex.c:676: error: for each function it appears in.)
vortex.c:676: error: expected ';' before 'csmask'
vortex.c:677: error: 'csmask' undeclared (first use in this function)
vortex.c: In function 'stats_thread':
vortex.c:756: error: 'cpu_set_t' undeclared (first use in this function)
vortex.c:756: error: expected ';' before 'csmask'
vortex.c:757: error: 'csmask' undeclared (first use in this function)
vortex.c: In function 'conn_writer':
vortex.c:936: error: 'cpu_set_t' undeclared (first use in this function)
vortex.c:936: error: expected ';' before 'csmask'
vortex.c:937: error: 'csmask' undeclared (first use in this function)
vortex.c: In function 'main':
vortex.c:1870: error: 'cpu_set_t' undeclared (first use in this function)
vortex.c:1870: error: expected ';' before 'csmask'
vortex.c:1871: error: 'csmask' undeclared (first use in this function)

cpuset.h and cpu_set_t don't exist in OpenBSD, right??
Problem with a startup script
Hi all,

I have a problem with some tcl rc.d startup scripts. Start and status work ok, but stop and restart don't. Script:

#!/bin/sh -x
#
# $OpenBSD: suricata_proxyin_agent,v 1.0

daemon=/usr/local/bin/suricata_proxyin_agent.tcl
daemon_flags="-c /data/config/etc/sguil/suricata_proxyin_agent.conf -D"

. /etc/rc.d/rc.subr

pexp="/usr/local/bin/tclsh8.5 $daemon"

rc_cmd $1

I have tried several variants, like inserting a specific rc_stop option or changing pexp to "/usr/local/bin/tclsh8.5 $daemon $daemon_args", without luck.

Debugging the script, it acts like the other system startup scripts:

.
+ echo NO
+ : NO
+ [ XNO = XYES ]
+ echo NO
+ : NO
+ domainname
+ [ X != X -a -d /var/yp/binding ]
+ echo NO
+ : NO
+ : NO
+ [ -n /usr/local/bin/suricata_proxyin_agent.tcl ]
+ unset _RC_DEBUG _RC_FORCE
+ getopts df c
+ shift 0
+ basename ./suricata_proxyin_agent
+ _name=suricata_proxyin_agent
+ _RC_RUNDIR=/var/run/rc.d
+ _RC_RUNFILE=/var/run/rc.d/suricata_proxyin_agent
+ eval _rcflags=${suricata_proxyin_agent_flags}
+ _rcflags=
+ eval _rcuser=${suricata_proxyin_agent_user}
+ _rcuser=
+ getcap -f /etc/login.conf suricata_proxyin_agent
+ /dev/null
+ 21
+ [ -z ]
+ daemon_class=daemon
+ [ -z ]
+ daemon_user=root
+ [ -n ]
+ [ -n ]
+ [ -n ]
+ printf %s -c /data/config/etc/sguil/suricata_proxyin_agent.conf -D
+ daemon_flags= -c /data/config/etc/sguil/suricata_proxyin_agent.conf -D
+ daemon_flags=-c /data/config/etc/sguil/suricata_proxyin_agent.conf -D
+ readonly daemon_class
+ unset _rcflags _rcuser
+ pexp=/usr/local/bin/suricata_proxyin_agent.tcl -c /data/config/etc/sguil/suricata_proxyin_agent.conf -D
+ rcexec=su -l -c daemon -s /bin/sh root -c
+ pexp=/usr/local/bin/tclsh8.5 /usr/local/bin/suricata_proxyin_agent.tcl
+ rc_cmd stop

root@nsm10:/usr/local/etc/rc.d# ps xa | grep suricata_proxyin_agent.tcl | grep -v grep
17486 p2-  I       0:00.29 /usr/local/bin/tclsh8.5 /usr/local/bin/suricata_proxyin_agent.tcl -c /data/config/etc/sguil/suricata_proxyin_agent.conf -D

Any idea why the process is not stopped??
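The trace above shows why stop finds nothing: rc.subr's rc_check and rc_stop locate the daemon with pgrep -xf / pkill -xf "${pexp}", where -f matches against the full command line and -x demands an exact match, so pexp has to cover argv exactly as ps(1) prints it. rc.subr's own default pexp (visible in the trace as "/usr/local/bin/suricata_proxyin_agent.tcl -c ... -D") appends daemon_flags; the script then overrides it with a pexp that drops the flags, while the running process still carries them. The following is an added example written for this page, not code from the post or from OpenBSD's rc.subr: it emulates the pgrep -xf match with grep -xE over a constructed ps listing, so it runs without the daemon, and contrasts the posted pexp with a corrected one. The helper names (rc_check_sim, check_posted, check_fixed) are this example's own.

```shell
#!/bin/sh
# Added example, not from the post or from OpenBSD's rc.subr.  rc_check and
# rc_stop use `pgrep -xf "${pexp}"` / `pkill -xf "${pexp}"`: -f matches the
# whole command line and -x requires an exact match, so pexp must cover argv
# exactly as ps(1) prints it, flags included.  The match is emulated here
# with grep -xE over a constructed ps listing.

daemon=/usr/local/bin/suricata_proxyin_agent.tcl
daemon_flags="-c /data/config/etc/sguil/suricata_proxyin_agent.conf -D"

# Constructed stand-in for `ps -axo command` on the affected host.
PS_CMDLINES='/usr/local/bin/tclsh8.5 /usr/local/bin/suricata_proxyin_agent.tcl -c /data/config/etc/sguil/suricata_proxyin_agent.conf -D
/bin/sh /usr/local/etc/rc.d/suricata_proxyin_agent stop'

# rc_check_sim PEXP: emulate `pgrep -q -xf PEXP`; returns 0 if some whole
# command line matches the extended regex PEXP exactly, 1 otherwise.
rc_check_sim() {
    printf '%s\n' "$PS_CMDLINES" | grep -qxE -- "$1"
}

# pexp as posted: interpreter plus script, no flags.  The live process has
# "-c ... -D" appended, so the exact match fails and stop/restart find nothing.
pexp_posted="/usr/local/bin/tclsh8.5 ${daemon}"

# Corrected pexp: append daemon_flags, mirroring rc.subr's own default of
# "${daemon} ${daemon_flags}" that the trace shows before the override.
pexp_fixed="/usr/local/bin/tclsh8.5 ${daemon} ${daemon_flags}"

check_posted() { rc_check_sim "$pexp_posted"; }
check_fixed()  { rc_check_sim "$pexp_fixed"; }

if check_posted; then echo "posted pexp: process found"
else echo "posted pexp: no match, so rc_stop has nothing to pkill"; fi
if check_fixed; then echo "fixed pexp: process found"
else echo "fixed pexp: no match"; fi
```

In the real script the one-line fix is pexp="/usr/local/bin/tclsh8.5 ${daemon} ${daemon_flags}" (daemon_flags, not the undefined daemon_args tried in the post); after that, status, stop and restart all resolve the same process that ps shows.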
