Re: Problem configuring multiple wireguard tunnels

2022-02-16 Thread Carlos Lopez
> On 15 Feb 2022, at 13:58, Stuart Henderson wrote: > > On 2022-02-15, Carlos Lopez wrote: >> But regarding the question to use different keys for every wg client? > > You have two options: > > 1. use the same 'server' key for all connections: use one wg inter

Re: Problem configuring multiple wireguard tunnels

2022-02-15 Thread Carlos Lopez
> On 15 Feb 2022, at 10:16, Łukasz Moskała wrote: > > > > On 15 February 2022 10:13:57 CET, Carlos Lopez wrote: >> Hi all, >> >> I am trying to configure multiple Wireguard road-warrior configs using this >> simple config i

Problem configuring multiple wireguard tunnels

2022-02-15 Thread Carlos Lopez
Hi all, I am trying to configure multiple Wireguard road-warrior configs using this simple config in /etc/hostname.wg0 wgkey Ls1Os9/oE0kU5jJdFp1dLpzJhtL8WIzzJ/G+7bzSEZk= wgport 8443 wgpeer 2XLLj0O6jdtx+BNCt90m2pEyJS/M2kh6WaskFTz+n1A= vgaip 10.55.55.2/32 vgaip 10.55.55.3/32 inet 10.55.55.1/28

Re: Problem with some pf table defined outside of an anchor

2022-01-13 Thread Carlos Lopez
nd then fall back to >> the table defined in the main ruleset, if there is one. This is >> similar to C rules for variable scope. It is possible to create >> distinct tables with the same name in the global ruleset and in an >> anchor, but this is often bad design and a warning will be issued i

Problem with some pf table defined outside of an anchor

2022-01-12 Thread Carlos Lopez
Hi all, I have a strange issue when I use a pf table inside an anchor. Error returned is: pfctl: warning: table already defined in anchor "pub-network/_2" Table is defined in global pf.conf file. In pf.conf I have defined some anchors by interface, like this: # Group of rules for public

Re: Error trying to compile Suricata 6.0.1 under OpenBSD 6.8 (SOLVED)

2021-01-27 Thread Carlos Lopez
Hi all, I have exported "CC=/usr/bin/clang" in the shell and now Suricata compiles ok. Many thanks to all for your help. On 27/1/21, 14:45, "owner-m...@openbsd.org on behalf of Carlos Lopez" wrote: HI Stuart, Many thanks for your help. I have tried to compile

Re: Error trying to compile Suricata 6.0.1 under OpenBSD 6.8

2021-01-27 Thread Carlos Lopez
HI Stuart, Many thanks for your help. I have tried to compile using "--with-clang=/usr/bin/clang" flag but same error appears... On 27/1/21, 13:49, "owner-m...@openbsd.org on behalf of Stuart Henderson" wrote: On 2021-01-27, Carlos Lopez wrote: > Hi all,

Re: Error trying to compile Suricata 6.0.1 under OpenBSD 6.8

2021-01-27 Thread Carlos Lopez
> On 27. Jan 2021, at 13:31, Carlos Lopez wrote: > > Hi all, > > I am trying to compile suricata 6.0.1 with some custom options and the following error is returned: > > hecking for strlcat... yes > checking for special C compi

Error trying to compile Suricata 6.0.1 under OpenBSD 6.8

2021-01-27 Thread Carlos Lopez
Hi all, I am trying to compile suricata 6.0.1 with some custom options and the following error is returned: hecking for strlcat... yes checking for special C compiler options needed for large files... no checking for _FILE_OFFSET_BITS value needed for large files... no checking host os...

Re: CARP load balancing problems under KVM

2021-01-14 Thread Carlos Lopez
On 12/01/2021 18:58, Carlos Lopez wrote: > Thanks Gianni, but about what interface ? KVM bridges? In theory, MAC spoofing is avoided using this option: > > bridge.ageing-time: 300 > > On 12/1/21, 17:47, "owner-m...@openbsd.org on

Re: CARP load balancing problems under KVM

2021-01-12 Thread Carlos Lopez
r disabled on that interface. G On 12/01/2021 15:30, Carlos Lopez wrote: > Hi David and misc@, > > Sorry to disturb with this. I have realized several tests this morning with two OpenBSD 6.8 carp'ed firewalls (fully patched) as kvm guests and result is the same:

Re: CARP load balancing problems under KVM

2021-01-12 Thread Carlos Lopez
6.7 (pf rules and carp config), works like a charm. Arrived at this point I am confused. Any idea? Do you use some specific config for the kvm bridges? Maybe it is a problem with multicast? Many thanks for your help in advance. On 11/1/21, 17:01, "owner-b...@openbsd.org on behalf of Carlos Lop

Connecting to a Fortinet VPN SSL gateway with OpenBSD 6.8 as a client

2020-12-21 Thread Carlos Lopez
Hi all, Does anyone know of a valid option to connect an OpenBSD host as a roadwarrior to a Fortinet SSL-VPN gateway? Using VPN-SSL ... Regards, C. L. Martinez

Re: CARP load balancing problems under KVM

2020-10-21 Thread Carlos Lopez
Ok, done. I have already sent the bug report. On 21/10/2020, 11:11, "Uwe Werler" wrote: On 21 Oct 07:12, Carlos Lopez wrote: > Hi all, > > Before upgrading from OpenBSD 6.7 to OpenBSD 6.8, my pair of firewalls were using carp in IP balance mode without problems

CARP load balancing problems under KVM

2020-10-21 Thread Carlos Lopez
Hi all, Before upgrading from OpenBSD 6.7 to OpenBSD 6.8, my pair of firewalls were using carp in IP balance mode without problems for several months. These firewalls are installed in a RHEL 8.2 (fully patched) KVM host. After upgrading to OpenBSD 6.8, carp ip balance mode doesn't work. I have

Re: Managing PF logs

2020-08-07 Thread Carlos Lopez
-- Regards, Pierre BARDOU -Original message- From: owner-m...@openbsd.org On behalf of Peter N. M. Hansteen Sent: Friday 7 August 2020 13:10 To: misc@openbsd.org Subject: Re: Managing PF logs On Fri, Aug 07, 2020 at 10:29:32AM +, Carlos Lopez

Managing PF logs

2020-08-07 Thread Carlos Lopez
Hi all, I am thinking about what could be the best option to inject PF logs into Elasticsearch (or any similar platform). If I am not wrong, some years ago there was an option using a shell wrapper to store all pf logs in ASCII format and redirect all of them to a central syslog server (published

Re: Message WARNING: CHECK AND RESET THE DATE! in kvm guests

2020-06-02 Thread Carlos Lopez
pool.ntp.org 1 10 2 3005s 3154s 1.199ms19.994ms 0.321ms On 25/05/2020, 10:20, "Otto Moerbeek" wrote: On Mon, May 25, 2020 at 07:53:47AM +0000, Carlos Lopez wrote: > Hi all, > > After upgrading four kvm guests to OpenBSD 6.7, I see the follo

Message WARNING: CHECK AND RESET THE DATE! in kvm guests

2020-05-25 Thread Carlos Lopez
Hi all, After upgrading four kvm guests to OpenBSD 6.7, I see the following messages when these guests start: WARNING: clock gained 2 days WARNING: CHECK AND RESET THE DATE! All four guests are fully patched. Dmesg output: OpenBSD 6.7 (GENERIC) #1: Sat May 16 16:07:20 MDT 2020

Strange numbers for pfsync

2020-05-22 Thread Carlos Lopez
Hi all, After upgrading my two OpenBSD carp'ed fws to 6.7, I am seeing a lot of "failed state lookup/inserts" statistics. On firewall A: pfsync: 5487 packets received (IPv4) 0 packets received (IPv6) 0 packets discarded for bad interface 0

Re: OPenBSD 6.7 as a Q35 KVM guest (SOLVED)

2020-05-20 Thread Carlos Lopez
Hi all another time, Problem is solved ... I had made a mistake: I had disabled the nic offloading options for this guest. By enabling them again, everything works. Many thanks. On 20/05/2020, 09:34, "Carlos Lopez" wrote: Hi all, I just set up an OpenBSD 6.7

OPenBSD 6.7 as a Q35 KVM guest

2020-05-20 Thread Carlos Lopez
Hi all, I just set up an OpenBSD 6.7 kvm guest on an RHEL8.2 server and selected q35 instead of pc as a machine type. Everything seems to be working fine, except for the network interfaces (virtio interfaces). They don't work. On the other hand, if I modify q35 by pc, everything works

Re: What is the difference between these anchor rules

2020-03-16 Thread Carlos Lopez
Thanks Edgar … Nop, it is not a typo -- Regards, C. L. Martinez From: "ed...@pettijohn-web.com" Date: Monday, 16 March 2020 at 17:16 To: Carlos Lopez Cc: "misc@openbsd.org" Subject: Re: What is the difference between these anchor rules On Mar 16, 2020 11:07 AM, Carl

What is the difference between these anchor rules

2020-03-16 Thread Carlos Lopez
Hi all, I am trying to accomplish several different tests using anchor rules under an OpenBSD 6.6 host. But I am seeing a strange behavior depending on how I configure them. For example: This rule works: anchor inet from $laptop_admin label "Allow access from $srcaddr via SSH" { anchor

Re: Lot of errors as a "bad ip cksum" using Tor

2020-03-16 Thread Carlos Lopez
Thanks Stuart. This is a KVM virtual machine with all offload settings disabled for the guest ... I will try to enable them and see how it goes ... -- Regards, C. L. Martinez On 15/03/2020, 17:41, "owner-m...@openbsd.org on behalf of Stuart Henderson" wrote: On 2020-03-15, Ca

Re: Lot of errors as a "bad ip cksum" using Tor

2020-03-15 Thread Carlos Lopez
Sorry, my mistake. I have only one match rule configured as: match in all scrub (no-df max-mss 1440 random-id) -- Regards, C. L. Martinez On 15/03/2020, 13:33, "Carlos Lopez" wrote: Good morning, I've been seeing a lot of "bad ip cksum" error messages

Lot of errors as a "bad ip cksum" using Tor

2020-03-15 Thread Carlos Lopez
Good morning, I've been seeing a lot of "bad ip cksum" error messages in my OpenBSD Tor gateway, like these: Mar 15 12:27:03.113986 rule 2._5.1/(match) [uid 0, pid 71416] pass in on vio0: [orig src 172.22.55.4:49964, dst 172.217.19.142:443] 172.22.55.4.49964 > 127.0.0.1.9040: SWE

Re: Compiling Zeek 3.0.2 returns an error at final stage (partially solved)

2020-03-08 Thread Carlos Lopez
, one host can connect to the other (ping, ssh and so on). Maybe it is a bug with Zeek ... -- Regards, C. L. Martinez On 08/03/2020, 10:42, "owner-m...@openbsd.org on behalf of Carlos Lopez" wrote: Hi Monah, Yes, zeekctl deploy works without problem. If I launch severa

Re: Compiling Zeek 3.0.2 returns an error at final stage

2020-03-08 Thread Carlos Lopez
at 00:25 To: Carlos Lopez Cc: "misc@openbsd.org" Subject: Re: Compiling Zeek 3.0.2 returns an error at final stage From the server if you curl a website, in zeek log current folder do you see a http.log file, and after changing the interface did you zeekctl deploy. Thanks Monah

Re: Compiling Zeek 3.0.2 returns an error at final stage

2020-03-07 Thread Carlos Lopez
Thanks Monah … But this is not the problem … interface configuration is correct … -- Regards, C. L. Martinez From: Monah Baki Date: Saturday, 7 March 2020 at 23:30 To: Carlos Lopez Cc: "misc@openbsd.org" Subject: Re: Compiling Zeek 3.0.2 returns an error at final stage Hi Carl

Re: Compiling Zeek 3.0.2 returns an error at final stage

2020-03-07 Thread Carlos Lopez
ner-m...@openbsd.org on behalf of Stuart Henderson" wrote: On 2020-03-07, Carlos Lopez wrote: > Hi all, > > I am trying to install Zeek 3.0.2 under OpenBSD 6.6 amd64 fully patched but compilation returns me the following error: > > [ 97%] Building C objec

Compiling Zeek 3.0.2 returns an error at final stage

2020-03-07 Thread Carlos Lopez
Hi all, I am trying to install Zeek 3.0.2 under OpenBSD 6.6 amd64 fully patched but compilation returns me the following error: [ 97%] Building C object src/CMakeFiles/zeek.dir/nb_dns.c.o [ 97%] Linking CXX executable zeek ld: error: unable to find library -llibbinpac.so.VERSION c++: error:

Re: Errors when I try to configure multiple DNS search suffixes in dhcpd.conf

2019-09-24 Thread Carlos Lopez
On 24/09/2019 12:26, Erling Westenvik wrote: > On Tue, Sep 24, 2019 at 08:11:00AM +0000, Carlos Lopez wrote: >> When I try to configure multiple search DNS suffixes in dhcpd.conf, I >> am receiving the following error: >> >> /etc/dhcpd.conf line 21: &

Re: Errors when I try to configure multiple DNS search suffixes in dhcpd.conf

2019-09-24 Thread Carlos Lopez
Regards, C. L. Martinez On 24/09/2019 10:22, Rudolf Leitgeb wrote: > Could this be a case of missing semicolon at the end ? > Thanks Rudolf, but not ... My complete config is: subnet 172.22.55.0 netmask 255.255.255.224 { option routers 172.22.55.30; range 172.22.55.17

Errors when I try to configure multiple DNS search suffixes in dhcpd.conf

2019-09-24 Thread Carlos Lopez
Hi all, When I try to configure multiple search DNS suffixes in dhcpd.conf, I am receiving the following error: /etc/dhcpd.conf line 21: option domain-search "custom.domain.org" ^ fatal in dhcpd: Configuration file errors encountered According to man page: option

Re: route-to rule problem after upgrading to 6.5

2019-05-19 Thread Carlos Lopez
On 19/05/2019 14:16, Ville Valkonen wrote: > On Sun, 19 May 2019 at 12.14, Carlos Lopez wrote: > > Hi all, > > Yesterday, I have upgraded my home OpenBSD's fws from 6.4 to 6.5. > All > seems to work ok except with

route-to rule problem after upgrading to 6.5

2019-05-19 Thread Carlos Lopez
Hi all, Yesterday, I have upgraded my home OpenBSD's fws from 6.4 to 6.5. All seems to work ok except with route-to rules. The following rules have been working smoothly in previous versions: pass in quick inet proto tcp from to port = 80 flags S/SA keep state (if-bound) label "Force

Re: Warning applying latest syspatch

2018-11-02 Thread Carlos Lopez
On 02/11/2018 18:18, Theo de Raadt wrote: > Carlos Lopez wrote: > >> Applying syspatch today, returns me the following warning: >> >> root@obsd-fw-per01:~# syspatch >> ln: /usr/X11R6/bin/X: No such file or directory >> >> I guess it's an expec

Warning applying latest syspatch

2018-11-02 Thread Carlos Lopez
Hi all, Applying syspatch today, returns me the following warning: root@obsd-fw-per01:~# syspatch ln: /usr/X11R6/bin/X: No such file or directory I guess it's an expected error since I don't have X11 installed. Correct? -- Regards, C.L. Martinez

Re: OT: Firmware encryption hacked?

2018-09-17 Thread Carlos Lopez
Many thanks to all for your explanations, as always. Regards, C. L. Martinez From: owner-m...@openbsd.org on behalf of Kevin Chadwick Sent: 13 September 2018 17:39 To: misc@openbsd.org Subject: Re: OT: Firmware encryption hacked? On Thu, 13 Sep 2018

OT: Firmware encryption hacked?

2018-09-13 Thread Carlos Lopez
Uhmm … Reality? https://techcrunch.com/2018/09/12/security-flaw-in-nearly-all-modern-pcs-and-macs-leaks-encrypted-data/?guccounter=1 Can we consider it a risk to encrypt at OS level also?