Re: Security via the NSA?

2009-11-21 Thread Felipe Alfaro Solana
On Sat, Nov 21, 2009 at 8:29 PM, Doug Milam doug_mi...@yahoo.com wrote:

 Will OpenBSD be the next to be 'helped'?

 http://www.npr.org/blogs/thetwo-way/2009/11/nsa_microsoft_windows_7.html

 NSA also helped Linux with SElinux. As long as OpenBSD remains open source,
I don't see the problem.



Re: Security via the NSA?

2009-11-21 Thread Felipe Alfaro Solana
On Sat, Nov 21, 2009 at 11:32 PM, AG computing.acco...@googlemail.com wrote:

 Felipe Alfaro Solana wrote:
  On Sat, Nov 21, 2009 at 8:29 PM, Doug Milam doug_mi...@yahoo.com
 wrote:
 
 
  Will OpenBSD be the next to be 'helped'?
 
 
 http://www.npr.org/blogs/thetwo-way/2009/11/nsa_microsoft_windows_7.html
 
  NSA also helped Linux with SElinux. As long as OpenBSD remains open
 source,
 
  I don't see the problem.
 
 
 

 Depends on whether one trusts the NSA or not.

 This is about trusting OpenBSD and its developers (which I personally do),
not the NSA. OpenBSD developers do code reviews and audits of all code that
is to be committed (except perhaps the ports tree), so what's the problem
here? Again, I don't see the problem.



Re: Why I Love Open Source - NSA helped with Windows 7 development

2009-11-20 Thread Felipe Alfaro Solana
On Fri, Nov 20, 2009 at 9:19 AM, patrick keshishian pkesh...@gmail.com wrote:

 On Thu, Nov 19, 2009 at 11:40 PM, Felipe Alfaro Solana
 felipe.alf...@gmail.com wrote:
  On Fri, Nov 20, 2009 at 12:43 AM, Obiozor Okeke obiozorok...@yahoo.com
 wrote:
 
  From Network World:
 
  NSA helped with Windows 7 development
  Privacy expert voices 'backdoor' concerns, security researchers dismiss
  idea
  By Gregg Keizer , Computerworld , 11/18/2009
 
 
  Why would NSA need backdoors when they have a front-door via DHS,
 national
  security and things like that?

 Same reason there exist unconstitutional congressional acts/bills that
 allow for secret torture prisons, detention of persons without due
 process, complete bypassing of fourth and sixth amendments, voiding of
 the Posse Comitatus Act, etc. etc. ... naive voters like you are the
 reason we are in this shithole right now.


I'm neither a US citizen nor a greencard holder, so I'm not a voter in the
US (still can be naive, and naiver voter in another country, though).



Re: Hardware versus Software RAID

2009-11-20 Thread Felipe Alfaro Solana
On Sat, Nov 21, 2009 at 12:06 AM, Mauro Rezzonico l...@ch23.org wrote:

 Darrin Chandler wrote:

 If you're doing RAID for redundancy/safety then there are some things to
 consider:


 No. I am considering Raid, RAID1, in this case, mainly for *UPTIME*...

  * with RAID, you should still do backups


 I do my backups very well, thanks...

 Point here is that I am not considering raid as an alternative to backup,
 but as a way to keep the system up...

 Please correct me if I am wrong, but when your drive fails you have *TWO*
 problems:

 1) you have to restore from your (well kept, well done, well designed and
 well verified) backups (a big *IF*, if I can say);

 2) the system is down until you restore everything;

 So, either you have the luxury (or the need) of a hot spare machine...
 Or a raid solution can /help/ you recover more quickly... or not?

 Please note that although raid and/or backups and how they are configured
 in respect to each other and how they are deployed is a *very* fascinating
 topic (and I am *very* interested in hearing everybody's ideas, opinions,
 experiences on this) actually this is an off topic debate... Because my
 original question was indeed very narrow: Hardware or Software?


Software. If you go hardware you will get married to your hardware's vendor,
which is typically costly and requires you to have +X spares for the
controller. Software is hardware independent (you only depend on the OS).
With hardware RAID you depend on the hardware (to run the RAID) and the OS
(to use the filesystem or volumes on top of the RAID).


 I think we all got sucked into a very
 serious/complex/fascinating/interesting/whatever issue, that of how to make
 your system more reliable, in these difficult days of complex network
 architectures...

 But this is just a can of worms... I wouldn't dare to mail such a
 question to the list...
 You see:
- what if you have raid level whatever everywhere?
- what if you can implement hot spare machines?
- what if your valuable data is mainly into a RDMS?
- what if your disks are cheap and your cpus are expensive?
- what if your disks are expensive and your cpus are cheap?
- what if you are using VMs?
- what if you just use ZFS everywhere (sorry I couldn't resist)?
- what if you are on the cloud (sorry I couldn't resist)?

 I appreciate your post, don't get me wrong, the problem of making a network
 infrastructure rock solid and totally reliable is probably the secret dream
 of every respectable net administrator...
 But I think we must chop the problem in swallow-able pieces...

 --
 Mauro Rezzonico ma...@ch23.org, Como, Italia
 Maybe this world is another planet's hell - H.Huxley




-- 
http://www.felipe-alfaro.org/blog/disclaimer/



Re: Why I Love Open Source - NSA helped with Windows 7 development

2009-11-19 Thread Felipe Alfaro Solana
On Fri, Nov 20, 2009 at 12:43 AM, Obiozor Okeke obiozorok...@yahoo.com wrote:

 From Network World:

 NSA helped with Windows 7 development
 Privacy expert voices 'backdoor' concerns, security researchers dismiss
 idea
 By Gregg Keizer , Computerworld , 11/18/2009


Why would NSA need backdoors when they have a front-door via DHS, national
security and things like that?


 This story appeared on Network World at
 http://www.networkworld.com/news/2009/111809-nsa-helped-with-windows-7.html


 http://www.stumbleupon.com/s/#1uLpIW/www.networkworld.com/news/2009/111809-nsa-helped-with-windows-7.html?source=NWWNLE_nlt_daily_am_2009-11-19/




-- 
http://www.felipe-alfaro.org/blog/disclaimer/



Re: How to PF

2009-11-15 Thread Felipe Alfaro Solana
On Mon, Nov 16, 2009 at 12:50 AM, phil philippe.aub...@gmail.com wrote:

 Hi All

 I know that is a stupid question but where can I find a doc about pf and
 4.6 ?


http://www.openbsd.org/faq/pf/index.html ?

(I got that just by Googling)



Re: multiple videocards... for console text

2009-05-22 Thread Felipe Alfaro Solana
On Fri, May 22, 2009 at 6:37 AM, Joel Wiramu Pauling
aener...@aenertia.net wrote:

 Just use USB to RS323 convert cables and have as many heads as you like off
 of dumb terminals. Or old laptops.


RS323? Is that a new standard? Or do you mean RS232? :)



Re: route add -interface

2009-05-17 Thread Felipe Alfaro Solana
On Sun, May 17, 2009 at 9:57 AM, Claudio Jeker cje...@diehard.n-r-g.com wrote:

 On Sun, May 17, 2009 at 01:13:29AM +0200, Felipe Alfaro Solana wrote:
  Hi misc,
  route add allows one to specify a directly-connected route reachable over
 an
  interface, using the -interface switch. However, I can't seem to figure
 out
  if it's possible to specify just the interface name to the -interface
  switch. According to the manual page, only an IP address is allowed:
 
  
   If the destination is directly reachable via an interface requiring
 no
   intermediary system to act as a gateway, the -interface modifier
 should
   be specified; the gateway given is the address of this host on the
  common
   network, indicating the interface to be used for transmission.
  
 
  The thing is the interface I want to use with the -interface switch does
 not
  have a static IP address. I could script something to get the current IP
  address of that interface but looks hacky to me. Is it possible to do
  something like?
 
  # route add -net 128.0.0.0/16 -interface vr2
 
  instead in OpenBSD? I'm a little bit confused since adding the route
 while
  using the IP address yields the following entry in the routing table:
 
  128.0/16   link#3   UCS   0   0   -   8   vr2
 
  So, why is exactly that -interface wants an IP address but does not like
  interface names?
 

 ifconfig vr2 alias 128.0.0.1/16

 This will ensure that everything is correctly set up.
 Doing it with route will most probably cause issues because it will not
 setup everything correctly. You need an IP on that interface in that
 network or it will not work.


Thanks for your reply, Claudio.

Initially, I tried setting up the alias directly in the vr2 interface.
However, I had problems because vr2 is an Internet-facing interface
that uses DHCP. I
used to use a custom dhclient.conf configuration file as described in [1]
but, for some reason, when the lease is renewed, I start to suffer
packet loss. A tcpdump capture shows that some TCP connections are
being sourced with the IP
alias address and not the public IP address. That's why I tried using a
loopback interface.

This was my custom dhclient.conf:

interface vr2 {
supersede domain-name my.domain;
supersede domain-name-servers 1.2.3.4;
}

alias {
interface vr2;
fixed-address 128.0.0.1;
option subnet-mask 255.255.0.0;
}

First time I invoke dhclient, everything seems to work fine:

# dhclient vr2

DHCPREQUEST on vr2 to 255.255.255.255 port 67
DHCPACK from 10.177.128.1
bound to A.B.C.D -- renewal in 2590 seconds.
# ifconfig vr2
vr2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:0d:b9:18:9b:fa
priority: 0
groups: egress
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet6 fe80::20d:b9ff:fe18:9bfa%vr2 prefixlen 64 scopeid 0x3
inet A.B.C.D netmask 0xfe00 broadcast 255.255.255.255
inet 128.0.0.1 netmask 0x broadcast 128.0.255.255

However, if I call dhclient one more time, the martian IP address seems to
become the primary IP address and the public IP address the alias:

# dhclient vr2
DHCPREQUEST on vr2 to 255.255.255.255 port 67
DHCPACK from 10.177.128.1
bound to A.B.C.D -- renewal in 2579 seconds.
# ifconfig vr2
vr2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:0d:b9:18:9b:fa
priority: 0
groups: egress
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet6 fe80::20d:b9ff:fe18:9bfa%vr2 prefixlen 64 scopeid 0x3
inet 128.0.0.1 netmask 0x broadcast 128.0.255.255
inet A.B.C.D netmask 0xfe00 broadcast 255.255.255.255

Even more funny, if I want to entirely remove the martian IP address I need
to remove it twice:

# ifconfig vr2
vr2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:0d:b9:18:9b:fa
priority: 0
groups: egress
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet6 fe80::20d:b9ff:fe18:9bfa%vr2 prefixlen 64 scopeid 0x3
inet 128.0.0.1 netmask 0x broadcast 128.0.255.255
inet A.B.C.D netmask 0xfe00 broadcast 255.255.255.255
# ifconfig vr2 delete 128.0.0.1
# ifconfig vr2
vr2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:0d:b9:18:9b:fa
priority: 0
groups: egress
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet6 fe80::20d:b9ff:fe18:9bfa%vr2 prefixlen 64 scopeid 0x3
inet A.B.C.D netmask 0xfe00 broadcast 255.255.255.255
inet 128.0.0.1 netmask 0x broadcast 128.0.255.255
# ifconfig vr2 delete 128.0.0.1
# ifconfig vr2
vr2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:0d:b9:18:9b:fa
priority: 0
groups: egress
media: Ethernet

Re: route add -interface

2009-05-17 Thread Felipe Alfaro Solana
On Sun, May 17, 2009 at 11:39 AM, Felipe Alfaro Solana 
felipe.alf...@gmail.com wrote:

 On Sun, May 17, 2009 at 9:57 AM, Claudio Jeker 
 cje...@diehard.n-r-g.com wrote:

 On Sun, May 17, 2009 at 01:13:29AM +0200, Felipe Alfaro Solana wrote:
  Hi misc,
  route add allows one to specify a directly-connected route reachable
 over an
  interface, using the -interface switch. However, I can't seem to figure
 out
  if it's possible to specify just the interface name to the -interface
  switch. According to the manual page, only an IP address is allowed:
 
  
   If the destination is directly reachable via an interface requiring
 no
   intermediary system to act as a gateway, the -interface modifier
 should
   be specified; the gateway given is the address of this host on the
  common
   network, indicating the interface to be used for transmission.
  
 
  The thing is the interface I want to use with the -interface switch does
 not
  have a static IP address. I could script something to get the current IP
  address of that interface but looks hacky to me. Is it possible to do
  something like?
 
  # route add -net 128.0.0.0/16 -interface vr2
 
  instead in OpenBSD? I'm a little bit confused since adding the route
 while
  using the IP address yields the following entry in the routing table:
 
  128.0/16   link#3   UCS   0   0   -   8   vr2
 
  So, why is exactly that -interface wants an IP address but does not like
  interface names?
 

 ifconfig vr2 alias 128.0.0.1/16

 This will ensure that everything is correctly set up.
 Doing it with route will most probably cause issues because it will not
 setup everything correctly. You need an IP on that interface in that
 network or it will not work.


 Thanks for your reply, Claudio.

 Initially, I tried setting up the alias directly in the vr2 interface. 
 However, I had problems because vr2 is an Internet-facing interface that uses 
 DHCP. I
 used to use a custom dhclient.conf configuration file as described in [1]
 but, for some reason, when the lease is renewed, I start to suffer packet 
 loss. A tcpdump capture shows that some TCP connections are being sourced 
 with the IP
 alias address and not the public IP address. That's why I tried using a
 loopback interface.


The problem with incorrectly-sourced IP datagrams seems to be NAT:

nat on vr2 inet from 172.16.0.1/24 to any -> (vr2) round-robin

This rule is created as:

nat on $ext_if from $int_if:network to any -> ($ext_if)

I understand the problem is the (vr2) round-robin. I have no idea, however,
how to prevent PF from using the two IP addresses (the public IP and the IP
alias). Any ideas how to force NAT to only use 1 IP address (the public IP
address)?



 This was my custom dhclient.conf:

 interface vr2 {
 supersede domain-name my.domain;
 supersede domain-name-servers 1.2.3.4;
 }

 alias {
 interface vr2;
 fixed-address 128.0.0.1;
 option subnet-mask 255.255.0.0;
 }

 First time I invoke dhclient, everything seems to work fine:

 # dhclient vr2

 DHCPREQUEST on vr2 to 255.255.255.255 port 67
 DHCPACK from 10.177.128.1
 bound to A.B.C.D -- renewal in 2590 seconds.
 # ifconfig vr2
 vr2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 lladdr 00:0d:b9:18:9b:fa
 priority: 0
 groups: egress
 media: Ethernet autoselect (100baseTX full-duplex)
 status: active
 inet6 fe80::20d:b9ff:fe18:9bfa%vr2 prefixlen 64 scopeid 0x3
 inet A.B.C.D netmask 0xfe00 broadcast 255.255.255.255
 inet 128.0.0.1 netmask 0x broadcast 128.0.255.255

 However, if I call dhclient one more time, the martian IP address seems to
 become the primary IP address and the public IP address the alias:

 # dhclient vr2
 DHCPREQUEST on vr2 to 255.255.255.255 port 67
 DHCPACK from 10.177.128.1
 bound to A.B.C.D -- renewal in 2579 seconds.
 # ifconfig vr2
 vr2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 lladdr 00:0d:b9:18:9b:fa
 priority: 0
 groups: egress
 media: Ethernet autoselect (100baseTX full-duplex)
 status: active
 inet6 fe80::20d:b9ff:fe18:9bfa%vr2 prefixlen 64 scopeid 0x3
 inet 128.0.0.1 netmask 0x broadcast 128.0.255.255
 inet A.B.C.D netmask 0xfe00 broadcast 255.255.255.255

 Even more funny, if I want to entirely remove the martian IP address I need
 to remove it twice:

 # ifconfig vr2
 vr2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 lladdr 00:0d:b9:18:9b:fa
 priority: 0
 groups: egress
 media: Ethernet autoselect (100baseTX full-duplex)
 status: active
 inet6 fe80::20d:b9ff:fe18:9bfa%vr2 prefixlen 64 scopeid 0x3
 inet 128.0.0.1 netmask 0x broadcast 128.0.255.255
 inet A.B.C.D netmask 0xfe00 broadcast 255.255.255.255
 # ifconfig vr2 delete 128.0.0.1
 # ifconfig vr2
 vr2: flags=8843UP

Re: route add -interface

2009-05-17 Thread Felipe Alfaro Solana
On Sun, May 17, 2009 at 3:38 PM, Stuart Henderson s...@spacehopper.org wrote:

 On 2009-05-17, Felipe Alfaro Solana felipe.alf...@gmail.com wrote:
 
  The problem with incorrectly-sourced IP datagrams seems to be NAT:
 
   nat on vr2 inet from 172.16.0.1/24 to any -> (vr2) round-robin
 
  This rule is created as:
 
   nat on $ext_if from $int_if:network to any -> ($ext_if)
 
  I understand the problem is the (vr2) round-robin. I have no idea,
 however,
  how to prevent PF from using the two IP addresses (the public IP and the
 IP
  alias). Any ideas how to force NAT to only use 1 IP address (the public
 IP
  address)?

 (vr2:0)

 Yes and no. The problem seems to be in dhclient-script. Somehow, it has a
funky behavior that leads to what I described above: the IP alias becomes
the primary address and the public IP address becomes a secondary address.
If I hack dhclient-script to always keep the IP alias a secondary address
then using (vr2:0) works.

-- 
http://www.felipe-alfaro.org/blog/disclaimer/
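An added check for the condition described in this message and in the NAT round-robin discussion above (example shell script written for this page, not code from the thread or from OpenBSD): since `(vr2:0)` in a pf rule and the "primary" address both refer to the first IPv4 address that ifconfig lists, the script parses `ifconfig` output and flags the case where the alias has moved to the front after a renewal. The two listings are constructed from the thread's output, with 203.0.113.7 standing in for the public address A.B.C.D; the function names `primary_inet`, `all_inet`, `alias_is_primary` and `check_interface` are chosen here.

```shell
#!/bin/sh
# Added example (not from the thread): detect whether an interface's first
# IPv4 address is the expected primary, or whether the DHCP alias has been
# shuffled into the primary slot after a lease renewal.

# Constructed sample: healthy state, public address listed first.
# 203.0.113.7 stands in for A.B.C.D; 128.0.0.1/16 is the alias from the
# dhclient.conf quoted in this thread.
GOOD='vr2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	lladdr 00:0d:b9:18:9b:fa
	groups: egress
	inet6 fe80::20d:b9ff:fe18:9bfa%vr2 prefixlen 64 scopeid 0x3
	inet 203.0.113.7 netmask 0xfffffe00 broadcast 255.255.255.255
	inet 128.0.0.1 netmask 0xffff0000 broadcast 128.0.255.255'

# Constructed sample: after a renewal the alias is listed first.
SHUFFLED='vr2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	lladdr 00:0d:b9:18:9b:fa
	groups: egress
	inet6 fe80::20d:b9ff:fe18:9bfa%vr2 prefixlen 64 scopeid 0x3
	inet 128.0.0.1 netmask 0xffff0000 broadcast 128.0.255.255
	inet 203.0.113.7 netmask 0xfffffe00 broadcast 255.255.255.255'

# Print the first "inet" (IPv4) address in ifconfig output. This is the
# address that (ifname:0) in a pf rule resolves to.
primary_inet() {
	printf '%s\n' "$1" | awk '$1 == "inet" { print $2; exit }'
}

# Print every IPv4 address on one line, in the order ifconfig lists them.
all_inet() {
	printf '%s\n' "$1" | awk '$1 == "inet" { a = a (a ? " " : "") $2 } END { print a }'
}

# Succeed (exit 0) when the first IPv4 address is the alias, i.e. the
# broken state. $1 = ifconfig output, $2 = alias address.
alias_is_primary() {
	[ "$(primary_inet "$1")" = "$2" ]
}

# One-line report suitable for a cron job or a monitoring check.
# Returns 1 on the broken state so a caller can act on it.
check_interface() {
	output=$1; alias=$2
	if alias_is_primary "$output" "$alias"; then
		echo "WARNING: alias $alias is primary; addresses: $(all_inet "$output")"
		return 1
	fi
	echo "OK: primary is $(primary_inet "$output")"
	return 0
}

# Run against the constructed samples; on a live host use:
#   check_interface "$(ifconfig vr2)" 128.0.0.1
check_interface "$GOOD" 128.0.0.1
check_interface "$SHUFFLED" 128.0.0.1 || true
```

Because the check looks only at listing order, it reports exactly the state in which a `(vr2:0)` NAT rule would translate to the alias address; running it from cron shortly after each lease renewal gives an early warning before the packet loss described above is noticed.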



Re: route add -interface

2009-05-17 Thread Felipe Alfaro Solana
On Sun, May 17, 2009 at 3:52 PM, Claudio Jeker cje...@diehard.n-r-g.com wrote:

 On Sun, May 17, 2009 at 01:38:07PM +, Stuart Henderson wrote:
  On 2009-05-17, Felipe Alfaro Solana felipe.alf...@gmail.com wrote:
  
   The problem with incorrectly-sourced IP datagrams seems to be NAT:
  
    nat on vr2 inet from 172.16.0.1/24 to any -> (vr2) round-robin
  
   This rule is created as:
  
    nat on $ext_if from $int_if:network to any -> ($ext_if)
  
   I understand the problem is the (vr2) round-robin. I have no idea,
 however,
   how to prevent PF from using the two IP addresses (the public IP and
 the IP
   alias). Any ideas how to force NAT to only use 1 IP address (the public
 IP
   address)?
 
  (vr2:0)
 

 May not work correctly when an address is reassigned because of the way
 how ifconfig vr0 delete works. It can happen that after a lease refresh
 the two networks are shuffled and so (vr2:0) may get the wrong address.


I think I found the root cause and fixed it:

--- /etc/dhclient-scriptSun May 17 13:30:02 2009
+++ /sbin/dhclient-script   Sat Feb 28 22:33:05 2009
@@ -182,6 +182,8 @@
delete_old_address
delete_old_routes
fi
+   # XXX Why add alias we just deleted above?
+   add_new_alias
if [ -f /etc/resolv.conf.save ]; then
cat /etc/resolv.conf.save  /etc/resolv.conf
fi
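Review bot: the diff direction is reversed, so the `+` lines read as additions when they are the lines being removed: `--- /etc/dhclient-script` carries the newer timestamp (Sun May 17) and `+++ /sbin/dhclient-script` the stock one (Sat Feb 28), meaning `# XXX Why add alias we just deleted above?` and `add_new_alias` are what the stock script contains and what the edited copy drops; regenerate it as `diff -u /sbin/dhclient-script /etc/dhclient-script` so the change shows as `-` lines. On the logic, the visible branch runs `delete_old_address` and `delete_old_routes` and then `add_new_alias`, so at that point the alias is the only address being put back on the interface, which is consistent with the alias landing in the primary slot as described earlier in this thread; dropping the call fixes the ordering here, but it is worth confirming that the code path which configures the new lease address also re-adds the alias, otherwise the alias is missing between expiry and the next bound lease. Also note that `cat /etc/resolv.conf.save  /etc/resolv.conf` is missing its `>` redirect as pasted; if that is only stripped in transit it is harmless, but if the file really reads that way the saved resolv.conf is printed to stdout instead of restored.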

this seems to avoid the problem where the addresses get shuffled and the
alias becomes the primary but, honestly, I'm not entirely sure why.

-- 
http://www.felipe-alfaro.org/blog/disclaimer/



Re: route add -interface

2009-05-17 Thread Felipe Alfaro Solana
On Sun, May 17, 2009 at 4:13 PM, Claudio Jeker cje...@diehard.n-r-g.com wrote:

 On Sun, May 17, 2009 at 11:39:43AM +0200, Felipe Alfaro Solana wrote:
  On Sun, May 17, 2009 at 9:57 AM, Claudio Jeker cje...@diehard.n-r-g.com
 wrote:
 
   On Sun, May 17, 2009 at 01:13:29AM +0200, Felipe Alfaro Solana wrote:
Hi misc,
route add allows one to specify a directly-connected route reachable
 over
   an
interface, using the -interface switch. However, I can't seem to
 figure
   out
if it's possible to specify just the interface name to the -interface
switch. According to the manual page, only an IP address is allowed:
   

 If the destination is directly reachable via an interface
 requiring
   no
 intermediary system to act as a gateway, the -interface modifier
   should
 be specified; the gateway given is the address of this host on
 the
common
 network, indicating the interface to be used for transmission.

   
The thing is the interface I want to use with the -interface switch
 does
   not
have a static IP address. I could script something to get the current
 IP
address of that interface but looks hacky to me. Is it possible to do
something like?
   
# route add -net 128.0.0.0/16 -interface vr2
   
instead in OpenBSD? I'm a little bit confused since adding the route
   while
using the IP address yields the following entry in the routing table:
   
    128.0/16   link#3   UCS   0   0   -   8   vr2
   
So, why is exactly that -interface wants an IP address but does not
 like
interface names?
   
  
   ifconfig vr2 alias 128.0.0.1/16
  
   This will ensure that everything is correctly set up.
   Doing it with route will most probably cause issues because it will not
   setup everything correctly. You need an IP on that interface in that
   network or it will not work.
 
 
  Thanks for your reply, Claudio.
 
  Initially, I tried setting up the alias directly in the vr2 interface.
  However, I had problems because vr2 is an Internet-facing interface
  that uses DHCP. I
  used to use a custom dhclient.conf configuration file as described in [1]
  but, for some reason, when the lease is renewed, I start to suffer
  packet loss. A tcpdump capture shows that some TCP connections are
  being sourced with the IP
  alias address and not the public IP address. That's why I tried using a
  loopback interface.
 
  This was my custom dhclient.conf:
 
  interface vr2 {
  supersede domain-name my.domain;
  supersede domain-name-servers 1.2.3.4;
  }
 
  alias {
  interface vr2;
  fixed-address 128.0.0.1;
  option subnet-mask 255.255.0.0;
  }
 
  First time I invoke dhclient, everything seems to work fine:
 
  # dhclient vr2
 
  DHCPREQUEST on vr2 to 255.255.255.255 port 67
  DHCPACK from 10.177.128.1
  bound to A.B.C.D -- renewal in 2590 seconds.
  # ifconfig vr2
  vr2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
  lladdr 00:0d:b9:18:9b:fa
  priority: 0
  groups: egress
  media: Ethernet autoselect (100baseTX full-duplex)
  status: active
  inet6 fe80::20d:b9ff:fe18:9bfa%vr2 prefixlen 64 scopeid 0x3
  inet A.B.C.D netmask 0xfe00 broadcast 255.255.255.255
  inet 128.0.0.1 netmask 0x broadcast 128.0.255.255
 
  However, if I call dhclient one more time, the martian IP address seems
 to
  become the primary IP address and the public IP address the alias:
 
  # dhclient vr2
  DHCPREQUEST on vr2 to 255.255.255.255 port 67
  DHCPACK from 10.177.128.1
  bound to A.B.C.D -- renewal in 2579 seconds.
  # ifconfig vr2
  vr2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
  lladdr 00:0d:b9:18:9b:fa
  priority: 0
  groups: egress
  media: Ethernet autoselect (100baseTX full-duplex)
  status: active
  inet6 fe80::20d:b9ff:fe18:9bfa%vr2 prefixlen 64 scopeid 0x3
  inet 128.0.0.1 netmask 0x broadcast 128.0.255.255
  inet A.B.C.D netmask 0xfe00 broadcast 255.255.255.255
 
  Even more funny, if I want to entirely remove the martian IP address I
 need
  to remove it twice:
 
  # ifconfig vr2
  vr2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
  lladdr 00:0d:b9:18:9b:fa
  priority: 0
  groups: egress
  media: Ethernet autoselect (100baseTX full-duplex)
  status: active
  inet6 fe80::20d:b9ff:fe18:9bfa%vr2 prefixlen 64 scopeid 0x3
  inet 128.0.0.1 netmask 0x broadcast 128.0.255.255
  inet A.B.C.D netmask 0xfe00 broadcast 255.255.255.255
  # ifconfig vr2 delete 128.0.0.1
  # ifconfig vr2
  vr2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
  lladdr 00:0d:b9:18:9b:fa
  priority: 0
  groups: egress
  media: Ethernet autoselect (100baseTX full-duplex)
  status: active

route add -interface

2009-05-16 Thread Felipe Alfaro Solana
Hi misc,
route add allows one to specify a directly-connected route reachable over an
interface, using the -interface switch. However, I can't seem to figure out
if it's possible to specify just the interface name to the -interface
switch. According to the manual page, only an IP address is allowed:


 If the destination is directly reachable via an interface requiring no
 intermediary system to act as a gateway, the -interface modifier should
 be specified; the gateway given is the address of this host on the
common
 network, indicating the interface to be used for transmission.


The thing is the interface I want to use with the -interface switch does not
have a static IP address. I could script something to get the current IP
address of that interface but looks hacky to me. Is it possible to do
something like?

# route add -net 128.0.0.0/16 -interface vr2

instead in OpenBSD? I'm a little bit confused since adding the route while
using the IP address yields the following entry in the routing table:

128.0/16   link#3   UCS   0   0   -   8   vr2

So, why is exactly that -interface wants an IP address but does not like
interface names?

Thanks in advance.

-- 
http://www.felipe-alfaro.org/blog/disclaimer/



Re: sendmail vs. other MTAs

2009-05-12 Thread Felipe Alfaro Solana
On Tue, May 12, 2009 at 7:26 PM, bofh goodb...@gmail.com wrote:
 On Tue, May 12, 2009 at 5:35 AM, Henning Brauer lists-open...@bsws.de
wrote:
 * Dan d...@ourbrains.org [2009-05-11 22:24]:
 Henning Brauer(lists-open...@bsws.de)@2009.05.11 19:45:57 +0200:
  but there is some rumor in usr.sbin/smtpd/ ...

 This new smtpd better be at least as good as qmail, otherwise - what's
 the point?

 is anyone really thinking it won't be?

 Oh boy, this is so rocking my world!  I can't wait for it!  I went
 from sendmail to vmail/postfix, but they were all still too big and
 complicated for what I really want, just simple mail delivery for my
 home box.  This is starting to sound so good!  Of course, you guys
 will design it well and make it work for big places, but, damnit,
 openbsd appears to be the only folks who care about usability
 (ipf/ipfilter, I'm looking at you).

I'm also looking for a very simple MTA that I can use at home and have
it configured to relay e-mail without having to write 75 directives in
3 configuration files (and then use m4 or generate the hash-map files,
then reload and cross my fingers).

And if people think usr.sbin/smtpd is not what they are expecting,
they can always use any other MTA. Diversity is good.



Re: sendmail vs. other MTAs

2009-05-12 Thread Felipe Alfaro Solana
On Tue, May 12, 2009 at 8:07 PM, L. V. Lammert l...@omnitec.net wrote:
 On Tue, 12 May 2009, Felipe Alfaro Solana wrote:

 On Tue, May 12, 2009 at 7:26 PM, bofh goodb...@gmail.com wrote:
 I'm also looking for a very simple MTA that I can use at home and have
 it configured to relay e-mail without having to write 75 directives in
 3 configuration files (and then use m4 or generate the hash-map files,
 then reload and cross my fingers).

 If you want simple, install Webmin. Runs fine with sendmail, default
 install!

I'm not that crazy to combine something that remembers passwords in
clear text with an MTA that has a horrible security track record.



Re: sendmail vs. other MTAs

2009-05-12 Thread Felipe Alfaro Solana
On Tue, May 12, 2009 at 9:31 PM, L. V. Lammert l...@omnitec.net wrote:
 At 09:16 PM 5/12/2009 +0200, Felipe Alfaro Solana wrote:

  If you want simple, install Webmin. Runs fine with sendmail, default
  install!

 I'm not that crazy to combine something that remembers passwords in
 clear text with an MTA that has a horrible security track record.

 If this is clear text, I want to know where you got your glasses:

         admin:XXl2dzFGzv.Yk:0

 Also, if sendmail has such a horrible track record, why is it the default
 MTA on this system? We handle 40K+ emails daily on a single box with no
 problems at all.

http://en.securitylab.ru/nvd/378946.php



Re: sendmail vs. other MTAs

2009-05-11 Thread Felipe Alfaro Solana
On Mon, May 11, 2009 at 7:45 PM, Henning Brauer lists-open...@bsws.de wrote:
 * Felipe Alfaro Solana felipe.alf...@gmail.com [2009-05-10 13:58]:
 Hi misc,

 May I ask what's the reason behind having sendmail be the default MTA
 in OpenBSD? Why not switching to something that is easier to configure
 like Postfix or EXIM?

 exim is a piece of shit using the wrong design that sendmail abandoned
 long ago. And wasn't it GPL or some other unfree license anyway?
 postfix is not free.
 but there is some rumor in usr.sbin/smtpd/ ...

I'm really looking forward for this smtpd thing :)



sendmail vs. other MTAs

2009-05-10 Thread Felipe Alfaro Solana
Hi misc,

May I ask what's the reason behind having sendmail be the default MTA
in OpenBSD? Why not switching to something that is easier to configure
like Postfix or EXIM?

-- 
http://www.felipe-alfaro.org/blog/disclaimer/



Re: sendmail vs. other MTAs

2009-05-10 Thread Felipe Alfaro Solana
On Sun, May 10, 2009 at 2:02 PM, Jasper Valentijn
jasper.valent...@gmail.com wrote:
 2009/5/10 Felipe Alfaro Solana felipe.alf...@gmail.com:
 Hi misc,

 May I ask what's the reason behind having sendmail be the default MTA
 in OpenBSD? Why not switching to something that is easier to configure
 like Postfix or EXIM?


 http://openbsd.com/faq/faq1.html#HowAbout

:)

Why isn't Postfix included?
The license is not free, and thus can not be considered.

And anyways, I found that switching from sendmail to postfix is
extremely easy in OpenBSD.

Thanks!



Re: No OS safe??

2009-05-08 Thread Felipe Alfaro Solana
On Fri, May 8, 2009 at 12:34 PM, Chris Harries ch...@sharescope.co.uk wrote:
 This is more of a grammar/wording question, but it does go on to the
 security of OS's in general.



 Was having a read of this;

 http://www.cbc.ca/technology/story/2009/04/15/ibotnet-trojan.html



 And the last comment made me think about OpenBSD. The article closes by
 saying this shows that no OS in inherently safe but they are comparing Mac
 and Windows. Could the same also be said about OpenBSD. This here problem of
 downloading a dodgy copy of Photoshop which opens you up for a BotNet is
 something that can effect all OS's.but is that completely true? Can the same
 thing happen to an OpenBSD machine and is there no way around this?

Oh my God! Not again a thread about absolute and inherent security!

 An OS is ultimately about the user as well, My XP machine is fine, but my
 friends are all ridden to shit, not so much these days with new'er Windows,
 but few years ago everyone's PC was a nightmare, so you take the risk
 downloading a file from BitTorrent of course, but is there measures to
 prevent this happening in the first place, is OpenBSD as open to this as
 Mac/Windows or is it inherently more secure (of course I know it is but im
 aiming that question more specifically at this kind of scenario)

We could debate why OpenBSD is inherently more secure than Windows (in
fact we could debate why almost any operating system is inherently
more secure than Windows). The point here is OpenBSD is inherently
more secure because of the development process, because it's
completely open source software, because there are great developers
that understand problems and know how to solve them and code it
properly, because there is a big community behind, etc, etc.

In one sentence: please, use whatever you think it suits you. There
are things you can't easily do in OpenBSD, like running Quake, so use
the best tool at your disposal. For me, Linux and OpenBSD are the best
tools at my disposal.



Re: No OS safe??

2009-05-08 Thread Felipe Alfaro Solana
On Fri, May 8, 2009 at 2:48 PM, Ian Turner iturner.c...@gtalumni.org wrote:
 On Fri, May 8, 2009 at 8:17 AM, Felipe Alfaro Solana
 felipe.alf...@gmail.com wrote:
 We could debate why OpenBSD is inherently more secure than Windows (in
 fact we could debate why almost any operating system is inherently
 more secure than Windows). The point here is OpenBSD is inherently
 more secure because of the development process, because it's
 completely open source software, because there are great developers
 that understand problems and know how to solve them and code it
 properly, because there is a big community behind, etc, etc.

 The key point of what you said, which I think is important to note, is
 that OpenBSD is more secure.  It's easy to prove, and correct to
 say, that OpenBSD is more secure than other operating systems.  It's
 much harder to prove that OpenBSD is secure.  But, that's also up for
 debate depending on if you interpret secure to be synonymous with
 secure enough or with completely secure.

Also, if you throw the end-user into the equation, the definition of
what completely secure is becomes meaningless: as long as a user is
logged into the system, even if the software is perfectly secure the
system is very likely to not be completely secure. Nothing will
prevent your end-user from downloading some stupid binary and running
it locally, compromising the end-user's data or the system's
integrity.



dhclient and dynamic IP address

2009-05-07 Thread Felipe Alfaro Solana
Hi misc,

I've been reading dhclient(8) but still it is not clear to me if
dhclient(8) is supposed to stay in the background to automatically
renew leases. In the manual page it says:

 -d   Forces dhclient to always run as a foreground process.  By de-
  fault, dhclient runs in the foreground until it has configured
  the interface, and then will revert to running in the back-
  ground.

So apparently dhclient(8) should be kept in the background waiting for
leases to be renewed. However, if I run ps ax I can't see anything
that looks like dhclient(8) is running in the background at all. How
is this supposed to work for DHCP leases for cable/residential users
that are not guaranteed to always keep the same IP?

Thanks in advance.

-- 
http://www.felipe-alfaro.org/blog/disclaimer/



Re: dhclient and dynamic IP address

2009-05-07 Thread Felipe Alfaro Solana
On Thu, May 7, 2009 at 10:09 AM, Owain Ainsworth zer...@googlemail.com
wrote:
 On Thu, May 07, 2009 at 09:57:57AM +0200, Felipe Alfaro Solana wrote:
 Hi misc,

 I've been reading dhclient(8) but still it is not clear to me if
 dhclient(8) is supposed to stay in the background to automatically
 renew leases. In the manual page it says:

      -d      Forces dhclient to always run as a foreground process.  By de-
              fault, dhclient runs in the foreground until it has configured
              the interface, and then will revert to running in the back-
              ground.

 So apparently dhclient(8) should be kept in the background waiting for
 leases to be renewed. However, if I run ps ax I can't see anything
 that looks like dhclient(8) is running in the background at all. How
 is this supposed to work for DHCP leases for cable/residential users
 that are not guaranteed to always keep the same IP?

 Thanks in advance.

 o...@stephanie/pj:~$ pgrep -lf dhclient
 30516 dhclient: iwn0
 12511 dhclient: iwn0 [priv]
 13402 dhclient: em0
 27486 dhclient: em0 [priv]

I already said before that dhclient is _not_ running at all:

$ pgrep -lf dhclient
$

Any more ideas?



Re: dhclient and dynamic IP address

2009-05-07 Thread Felipe Alfaro Solana
On Thu, May 7, 2009 at 10:20 AM, Vadim Zhukov persg...@gmail.com wrote:
 On Thursday 07 May 2009 11:57:57 Felipe Alfaro Solana wrote:
 Hi misc,

 I've been reading dhclient(8) but still it is not clear to me if
 dhclient(8) is supposed to stay in the background to automatically
 renew leases. In the manual page it says:

      -d      Forces dhclient to always run as a foreground process.
      By de- fault, dhclient runs in the foreground until it has configured
      the interface, and then will revert to running in the back- ground.

 So apparently dhclient(8) should be kept in the background waiting for
 leases to be renewed. However, if I run ps ax I can't see anything
 that looks like dhclient(8) is running in the background at all. How
 is this supposed to work for DHCP leases for cable/residential users
 that are not guaranteed to always keep the same IP?

 Thanks in advance.

 Check your /var/log/daemon for messages from dhclient. If the interface is
 disabled on dhclient start and dhclient can't enable it, then it'll keep
 its hands off.

There's nothing in the logs. I've found out what the problem is. My
/etc/hostname.vr2 looked like this:

# cat /etc/hostname.vr2
dhcp
inet 10.255.255.1 255.255.255.0 NONE alias
up

/etc/netstart gets confused about the dhcp and static definitions.



Re: dhclient and dynamic IP address

2009-05-07 Thread Felipe Alfaro Solana
On Fri, May 8, 2009 at 12:00 AM, Felipe Alfaro Solana
felipe.alf...@gmail.com wrote:
 On Thu, May 7, 2009 at 10:20 AM, Vadim Zhukov persg...@gmail.com wrote:
 On Thursday 07 May 2009 11:57:57 Felipe Alfaro Solana wrote:
 Hi misc,

 I've been reading dhclient(8) but still it is not clear to me if
 dhclient(8) is supposed to stay in the background to automatically
 renew leases. In the manual page it says:

      -d      Forces dhclient to always run as a foreground
 process.
      By de- fault, dhclient runs in the foreground until it has configured
      the interface, and then will revert to running in the back- ground.

 So apparently dhclient(8) should be kept in the background waiting for
 leases to be renewed. However, if I run ps ax I can't see anything
 that looks like dhclient(8) is running in the background at all. How
 is this supposed to work for DHCP leases for cable/residential users
 that are not guaranteed to always keep the same IP?

 Thanks in advance.

 Check your /var/log/daemon for messages from dhclient. If the interface is
 disabled on dhclient start and dhclient can't enable it, then it'll keep
 its hands off.

 There's nothing in the logs. I've found out what the problem is. My
 /etc/hostname.vr2 looked like this:

 # cat /etc/hostname.vr2
 dhcp
 inet 10.255.255.1 255.255.255.0 NONE alias
 up

 /etc/netstart gets confused about the dhcp and static definitions.


Just in case anyone is curious about how I solved the problem:

# cat /etc/dhclient.conf
interface vr2 {
supersede domain-name example.com;
supersede domain-name-servers 1.2.3.4;
}

alias {
interface vr2;
fixed-address 4.5.6.7;
option subnet-mask 255.255.255.0;
}
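A small lint that catches the hostname.if(5) mistake from this thread (a "dhcp" line and a static "inet ... alias" line in the same file) before /etc/netstart gets confused by it. This is an added example, not code from the thread or from OpenBSD; the temporary file names and addresses it uses are constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the thread: flag hostname.if files that mix a
# "dhcp" line with static "inet ..." lines, the combination that confused
# /etc/netstart above. Addresses and file names here are constructed.

# check_hostname_if FILE
# Prints one of: mixed, dhcp, static, empty.
# Returns 1 for "mixed" (dhcp plus static inet lines), 0 otherwise.
check_hostname_if() {
    _file=$1
    _dhcp=0
    _static=0
    set -f   # no globbing while we split lines into words
    while IFS= read -r _line || [ -n "$_line" ]; do
        _line=${_line%%#*}          # drop trailing comments
        set -- $_line               # split the line on whitespace
        [ $# -eq 0 ] && continue    # blank or comment-only line
        case $1 in
            dhcp)  _dhcp=1 ;;       # "dhcp" or the older "dhcp NONE NONE NONE"
            inet)  _static=1 ;;     # "inet ADDR MASK BCAST [alias]"
            *)     ;;               # up/down/!cmd and other ifconfig words
        esac
    done < "$_file"
    set +f
    if [ "$_dhcp" -eq 1 ] && [ "$_static" -eq 1 ]; then
        echo mixed
        return 1
    elif [ "$_dhcp" -eq 1 ]; then
        echo dhcp
    elif [ "$_static" -eq 1 ]; then
        echo static
    else
        echo empty
    fi
    return 0
}

# Demo on a constructed copy of the hostname.vr2 from the thread.
_demo=$(mktemp -d)
printf 'dhcp\ninet 10.255.255.1 255.255.255.0 NONE alias\nup\n' > "$_demo/hostname.vr2"
if ! check_hostname_if "$_demo/hostname.vr2" > /dev/null; then
    echo "hostname.vr2: dhcp and static inet lines mixed; move the alias to dhclient.conf"
fi
rm -rf "$_demo"
```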



Re: Spanish BSD Group

2009-04-30 Thread Felipe Alfaro Solana
On Wed, Apr 29, 2009 at 9:44 AM, Daniel Gracia Garallar
danie...@electronicagracia.com wrote:
 Nice!

 I must confess I have a strong bias towards the English language when talking
 about programming, but as a Spanish OpenBSD user I'll try to support the
 group as far as possible.

 Good luck on the voyage! ;)

Perhaps it is a good time to start using Spanish when talking about
programming-related topics. After all, Spanish is a very rich language
and there is no need to use anglicisms (unless strictly necessary).



Re: Transparent firewall (bridge) with DMZ + LAN

2009-04-28 Thread Felipe Alfaro Solana
On Tue, Apr 28, 2009 at 8:35 AM, Claudio Jeker cje...@diehard.n-r-g.com wrote:

 Did you ever check the security record of snort? It is at least as bad as
 wireshark's but it is sitting in the middle of your network passing
 packets. I couldn't sleep with such a system in my core.
 It is also a lot easier to bypass unnoticed a bridging FW/IDS than a box
 that does actual routing.

I checked and it doesn't look that bad:

http://secunia.com/advisories/product/16919/?task=statistics
http://secunia.com/advisories/product/13116/?task=statistics

In CERT, it looks like there were 4 vulnerabilities in 2008, 4 in 2007
and currently 2 in 2009 (one of them is related to libpng which Snort
doesn't link to by default in Linux and other one is not specific to
Snort).

But I agree that using snort_inline is probably questionable, given
how complex it is and its security record. I also agree that, for
passive systems, using a tap is safer and better.

 Go ahead, use it and get burned, I think you need pain to realize that it is
 bad.

Isn't this how humans learn? By making mistakes and learning from them? :)



Re: Transparent firewall (bridge) with DMZ + LAN

2009-04-27 Thread Felipe Alfaro Solana
On Mon, Apr 27, 2009 at 5:10 AM, Daniel Ouellet dan...@presscom.net wrote:

 patrick keshishian wrote:

 On Sun, Apr 26, 2009 at 4:10 PM, bofh goodb...@gmail.com wrote:

 It's called going off on a related tangent - whenever I hear people
 talking about using something because someone has published a paper
 and here's all these smart people using it (transparent bridging, etc,
 or in my case natting externally accessible/routable hosts), it pisses
 me off.

 People use it because they have a need to do something. When you're
 told there's a better way to do things, pay attention, instead of
 telling the experts here (and I'm talking about the openbsd developers
 in this thread - not me, I'm in management now, no brain cells left)
 they're wrong because you have all these great URLs - if you want to
 listen to those people, then you should be using the OS they use too.


 so you prefer to take someone's word blindly without any backing
 evidence or facts, so long as you believe they are a credible source?


 Well, let's say that if they spent years developing the system, including PF
 and the capability of bridging, and the same people tell me that it's bad to
 do so, well, HELL yes I would listen to them. They are better minds than me
 and they have the code to back it up as well as their saying too.

 So, to that answer yes. They are a credible source, they design it for
 crying wolf.

  Maybe management is a good place for you, but I'd hate to be a
 shareholder in a company people like you may have any sort of
 influential role in steering its goals and/or direction.


 Not relevant at all. But even if that was, contrary to the majority of
 managers that only listen to marketing vaporware, or as opposed to digging it up
 themselves, it may be very good to listen to the source of reason,
 not to say the origin of the product, as opposed to marketing people,
 then yes. I would. Most managers wouldn't even understand it anyway and there
 are exceptions, but by all means not the norm, so your analogy is pointless
 and off topic.

  Perhaps as one of the older generation, I should preach a
 little sermon to you, but I do not propose to do so. I shall,
 instead, give you a word of advice about how to behave
 toward your elders. When an old and distinguished person
 speaks to you, listen to him carefully and with respect -- but
 do not believe him. Never put your trust in anything but your
 own intellect. Your elder, no matter whether he has gray hair
 or lost his hair, no matter whether he is a Nobel Laureate,
 may be wrong... So you must always be skeptical -- always
 think for yourself.


 I am so glad for you that you were born with the knowledge you need already
 and do not need to listen to anyone that might speak from years of
 experience. I envy you, really I do! I can't claim that gift from birth
 itself.

 Some might become senile at old age, yes, by the simple fact of getting
 older. Still the natural path of life as we know it. May you be blessed as to
 never suffer that sad outcome.

 But, many are still very sound and a few of them, as opposed to the young
 padawan with the hope to maybe become a Jedi one day, don't need to prove
 anything to anyone anymore, and actually provide valuable information from
 experience without asking anything in return and without alternate
 motivations other than helping whoever is willing to listen. Many are not
 withholding knowledge in the hopes of getting ahead and screwing you over in
 the process to get an edge over you. Yes, it's rare, but there are still many
 people like that. I guess it comes with self confidence and actual real
 knowledge. I actually welcome their input. But do as you wish, no one is
 stopping you really. (;

 As for why not to do a bridge setup. Maybe something as simple as one
 example that comes to mind. Your bridge needs to work in promiscuous mode
 and will see, receive and process all kinds of crap that it wouldn't need to
 do otherwise.


For a two-interface router/firewall, most of the traffic that reaches it
will probably have to traverse it anyways, so I don't see how a
two-interface bridge or a two-interface router will have different
workloads.

But, fortunately, someone on this thread pointed out good technical
arguments on why bridging in OpenBSD is perhaps not a good idea. But, to me,
it doesn't mean that bridging firewalls are a bad idea in other platforms.



 More resources will be used on the bridge that could be better used
 elsewhere. Should I also add that a misconfiguration of a bridge can stay
 undetected for years, as opposed to a misconfiguration of a decent firewall
 not in bridge mode, which would become more obvious sooner in most cases anyway.
 Call that security by default setup if you like. (;

 Don't forget that the simple action of putting a box in bridge mode has the
 effect of passing all traffic across it. You may think your bridge is working
 as the traffic is passing, but in reality, maybe someone affected it
 

Re: Transparent firewall (bridge) with DMZ + LAN

2009-04-27 Thread Felipe Alfaro Solana
On Mon, Apr 27, 2009 at 1:00 PM, Henning Brauer lists-open...@bsws.dewrote:

 * Felipe Alfaro Solana felipe.alf...@gmail.com [2009-04-27 11:56]:
  For a two-interface router/firewall, most of the traffic that reaches it
  will probably have to traverse it anyways, so I don't see how a
  two-interface bridge or a two-interface router will have different
  workloads.

 it has been pointed out, but if you don't read it the first time there
 is no point in repeating...


I saw some pretty good arguments from Daniel, but no data backing them up. I
will need to search a bit around to understand why a two-interface bridging
firewall will see more interrupts and data traffic than a two-interface
routing firewall.

 But, fortunately, someone on this thread pointed out good technical
  arguments on why bridging in OpenBSD is perhaps not a good idea.

 .

  But, to me,
  it doesn't mean that bridging firewalls are a bad idea in other
 platforms.

 That is because, to you, networking and operating system internals are
 apparently black magic. It is not an OpenBSD problem.


Again, not a single or valid technical argument on why a bridging firewall
is a bad idea. Just a moot and offensive response, and a very
strong assessment from someone that doesn't know me at all. It's also very
sad to see so many impolite answers in this list. Perhaps saying "are
apparently black magic" would be more appropriate.

--
 Henning Brauer, h...@bsws.de, henn...@openbsd.org
 BS Web Services, http://bsws.de
 Full-Service ISP - Secure Hosting, Mail and DNS Services
 Dedicated Servers, Rootservers, Application Hosting - Hamburg  Amsterdam







Re: Transparent firewall (bridge) with DMZ + LAN

2009-04-27 Thread Felipe Alfaro Solana
On Mon, Apr 27, 2009 at 2:52 PM, Marcello Cruz marcello.c...@globo.comwrote:

 Hey guys,

 There are some articles that may bring some light to the discussion:
 * http://en.wikipedia.org/wiki/Network_bridge (best bet)
 * http://en.wikipedia.org/wiki/Bridging_(networking)
 * http://en.wikipedia.org/wiki/Transparent_bridge
 *
 http://www.cisco.com/en/US/docs/internetworking/technology/handbook/Bridging-Basics.html


I was talking about something like:

http://www.snort.org/docs/snort_manual/node16.html
http://snort-inline.sourceforge.net/
http://en.hakin9.org/attachments/hakin9_6-2006_str22-33_snort_EN.pdf

and not a pure bridge, as described in the links you sent.


 Best,
 Marcello


Re: Transparent firewall (bridge) with DMZ + LAN

2009-04-27 Thread Felipe Alfaro Solana
On Mon, Apr 27, 2009 at 8:11 PM, Ted Unangst ted.unan...@gmail.com wrote:

 On Mon, Apr 27, 2009 at 10:25 AM, Felipe Alfaro Solana
 felipe.alf...@gmail.com wrote:
  Again, not a single or valid technical argument on why a bridging
 firewall
  is a bad idea. Just a moot and offensive response, and a very
  strong assessment from someone that doesn't know me at all. It's also
 very
  sad to see so many impolite answers in this list. Perhaps saying "are
  apparently black magic" would be more appropriate.

 http://marc.info/?l=openbsd-miscm=124082008204226w=2

 You can either read the code or listen to somebody who has.  I don't
 know you either, but I know Henning and I know the bridge code, and
 the short version is he's right.


And again, I think you mean that running a bridge under OpenBSD is perhaps
not the fastest or brightest solution. And I trust you. But again, I have
yet to hear a single technical argument on why running, for example, Snort
inline on other platforms is a bad idea and makes one stupid.




Re: Transparent firewall (bridge) with DMZ + LAN

2009-04-27 Thread Felipe Alfaro Solana
On Tue, Apr 28, 2009 at 1:16 AM, Robert rob...@openbsd.pap.st wrote:

 On Mon, 27 Apr 2009 23:20:07 +0200
 Felipe Alfaro Solana felipe.alf...@gmail.com wrote:

  And again, I think you mean that running a bridge under OpenBSD is
  perhaps not the fastest or brightest solution. And I trust you. But
  again, I have yet to hear a single technical argument on why running,
  for example, Snort inline on other platforms is a bad idea and makes
  one stupid.

 (Looks like we aren't out of trollfood, yet. ;)


Are you calling me a troll? :)


 You want an example why it is bad to put sensors inline?
 One word: Downtime.


The same holds true for a firewall. If you have a firewall between your DMZ
and your internal network and it goes down, unless you are using a HA
solution (like one using CARP), then you are screwed anyways.


 If your bridge breaks the network, you can be happy if the insurance
 covers it the first time it happens.
 Contracts and lawyers will get involved and that isn't fun.
 And even if you don't end up having to pay anything, the hair and years
 of life expectancy lost isn't worth it.

 Why risk it, when a tap is so much better?


A tap is not a firewall. You can't use the tap to filter traffic you don't
want.



 (Exeptions proof the rule of sumthin :)

 - Robert







Re: Transparent firewall (bridge) with DMZ + LAN

2009-04-27 Thread Felipe Alfaro Solana
On Tue, Apr 28, 2009 at 1:29 AM, Fred Crowson
fred.crow...@googlemail.comwrote:

 On 4/27/09, Felipe Alfaro Solana felipe.alf...@gmail.com wrote:
  On Mon, Apr 27, 2009 at 8:11 PM, Ted Unangst ted.unan...@gmail.com
 wrote:
 
  On Mon, Apr 27, 2009 at 10:25 AM, Felipe Alfaro Solana
  felipe.alf...@gmail.com wrote:
   Again, not a single or valid technical argument on why a bridging
  firewall
   is a bad idea. Just a moot and offensive response, and a very
   strong assessment from someone that doesn't know me at all. It's also
  very
   sad to see so many impolite answers in this list. Perhaps saying "are
   apparently black magic" would be more appropriate.
 
  http://marc.info/?l=openbsd-miscm=124082008204226w=2
 
  You can either read the code or listen to somebody who has.  I don't
  know you either, but I know Henning and I know the bridge code, and
  the short version is he's right.
 
 
  And again, I think you mean that running a bridge under OpenBSD is
 perhaps
  not the fastest or brightest solution. And I trust you. But again, I have
  yet to hear a single technical argument on why running, for example,
 Snort
  inline on other platforms is a bad idea and makes one stupid.

 You are free to read:

 http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/if_bridge.c


Is it something in the "on other platforms" sentence that you don't
understand? The link you provide is for OpenBSD code. And it's now clear to
me that bridging in OpenBSD consumes a lot of resources and developers
dislike it. So I don't get your point.






Re: Transparent firewall (bridge) with DMZ + LAN

2009-04-26 Thread Felipe Alfaro Solana
On Sat, Apr 25, 2009 at 3:57 PM, Henning Brauer lists-open...@bsws.dewrote:

 * openbsder openbs...@gmail.com [2009-04-24 12:19]:
  Recently, it has been suggested that a transparent firewall
 implementation
  is ideal where possible. But as far as I understand, transparency is only
  available when the firewall acts as a bridge between TWO networks. How
 would
  I keep my DMZ and LAN both while using a bridging firewall. Is it even
  possible?

 yes. lots of idiots do it.


Really? What's wrong with transparent bridging? What's wrong with a
transparent, in-line IDS? What's wrong with a software tap? All of these
technologies use some sort of transparent bridging and are not being used
exclusively by idiots, but also smart people [1] [2]

[1]
http://eatingsecurity.blogspot.com/2007/09/transparent-bridging-mmap-pcap-and.html
[2] http://www.shiftedbit.net/IDS.txt
[3] http://www.securityfocus.com/infocus/1737

bridging is stupid. don't. there are cases where you can't avoid it,
 but deliberately? about as clever as knowingly drinking methanol.


Bridging, in the ample sense, is not stupid. Your switch is doing that.
Bridging, in the sense of firewalls, is also not stupid. There are reasons
why you want to use a transparent bridging-mode firewall.










Re: Transparent firewall (bridge) with DMZ + LAN

2009-04-26 Thread Felipe Alfaro Solana
On Sun, Apr 26, 2009 at 9:21 PM, bofh goodb...@gmail.com wrote:

 Anyone who puts in an inline IDS is a damned idiot.  D stands for
 detection, so you should always use a tap or something else.  Only IPS
 should be inline.


You should provide arguments, not empty words. At least, if you are calling
people idiot.


 You obviously do not know what you're talking about.  Things like NAT
 have their uses too, but people who design networks including DMZs and
 networks that require external routing but put them behind NATs
 deserve everything they get.


I don't know what DMZ and NAT have to do with what we're discussing here.
Instead of calling people idiots you could provide a valid reasoning
supported by arguments.











Re: Transparent firewall (bridge) with DMZ + LAN

2009-04-26 Thread Felipe Alfaro Solana
On Mon, Apr 27, 2009 at 1:10 AM, bofh goodb...@gmail.com wrote:

 It's called going off on a related tangent - whenever I hear people
 talking about using something because someone has published a paper
 and here's all these smart people using it (transparent bridging, etc,
 or in my case natting externally accessible/routable hosts), it pisses
 me off.

 People use it because they have a need to do something.  When you're
 told there's a better way to do things, pay attention, instead of
 telling the experts here (and I'm talking about the openbsd developers
 in this thread - not me, I'm in management now, no brain cells left)
 they're wrong because you have all these great URLs - if you want to
 listen to those people, then you should be using the OS they use too.


Still no arguments on why idiots use transparent firewalls. Good to know.


 On 4/26/09, Felipe Alfaro Solana felipe.alf...@gmail.com wrote:
  On Sun, Apr 26, 2009 at 9:21 PM, bofh goodb...@gmail.com wrote:
 
  Anyone who puts in an inline IDS is a damned idiot.  D stands for
  detection, so you should always use a tap or something else.  Only IPS
  should be inline.
 
 
  You should provide arguments, not empty words. At least, if you are
 calling
  people idiot.
 
 
  You obviously do not know what you're talking about.  Things like NAT
  have their uses to, but people who design networks including DMZs and
  networks that require external routing but put them behind NATs
  deserve everything they get.
 
 
  I don't know what DMZ and NAT has to do with what we're discussing here.
  Instead of calling people idiots you could provide a valid reasoning
  supported by arguments.
 
 
 
 
  On 4/26/09, Felipe Alfaro Solana felipe.alf...@gmail.com wrote:
   On Sat, Apr 25, 2009 at 3:57 PM, Henning Brauer
   lists-open...@bsws.dewrote:
  
   * openbsder openbs...@gmail.com [2009-04-24 12:19]:
Recently, it has been suggested that a transparent firewall
   implementation
is ideal where possible. But as far as I understand, transparency
 is
only
available when the firewall acts as a bridge between TWO networks.
How
   would
I keep my DMZ and LAN both while using a bridging firewall. Is it
even
possible?
  
   yes. lots of idiots do it.
  
  
   Really? What's wrong with transparent bridging? What's wrong with a
   transparent, in-line IDS? What's wrong with a software tap? All of
   these
   technologies use some sort of transparent bridging and are not being
   used
   exclusively by idiots, but also smart people [1] [2]
  
   [1]
  
 
 http://eatingsecurity.blogspot.com/2007/09/transparent-bridging-mmap-pcap-and.html
   [2] http://www.shiftedbit.net/IDS.txt
   [3] http://www.securityfocus.com/infocus/1737
  
   bridging is stupid. don't. there are cases where you can't avoid it,
   but deliberately? about as clever as knowingly drinking methanol.
  
  
   Bridging, in the ample sense, is not stupid. Your switch is doing
 that.
   Bridging, in the sense of firewalls, is also not stupid. There are
  reasons
   why you want to use a transparent bridging-mode firewall.
  
  
  
   --
   Henning Brauer, h...@bsws.de, henn...@openbsd.org
   BS Web Services, http://bsws.de
   Full-Service ISP - Secure Hosting, Mail and DNS Services
   Dedicated Servers, Rootservers, Application Hosting - Hamburg 
  Amsterdam
  
  
  
  
   --
   http://www.felipe-alfaro.org/blog/disclaimer/
  
  
 
  --
  Sent from my mobile device
 
  http://www.glumbert.com/media/shift
  http://www.youtube.com/watch?v=tGvHNNOLnCk
  This officer's men seem to follow him merely out of idle curiosity.
  -- Sandhurst officer cadet evaluation.
  Securing an environment of Windows platforms from abuse - external or
  internal - is akin to trying to install sprinklers in a fireworks
  factory where smoking on the job is permitted.  -- Gene Spafford
  learn french:
  http://www.youtube.com/watch?v=j1G-3laJJP0&feature=related
 
 
 
 
  --
  http://www.felipe-alfaro.org/blog/disclaimer/
 





-- 
http://www.felipe-alfaro.org/blog/disclaimer/



Re: Transparent firewall (bridge) with DMZ + LAN

2009-04-24 Thread Felipe Alfaro Solana
On Fri, Apr 24, 2009 at 12:12 PM, openbsder openbs...@gmail.com wrote:

 I am currently interested in setting up a three-legged network topology,
 using OBSD+PF as the firewall appliance. Originally, I was going to simply
 have the firewall equipped with three network cards: one for DMZ, one for
 LAN, the other for EXT/WAN/Internet (whatever you call this). The idea was
 for a switch to be used on both DMZ and LAN, providing NAT on both
 segments.
 Pretty straight forward.

 Recently, it has been suggested that a transparent firewall implementation
 is ideal where possible. But as far as I understand, transparency is only
 available when the firewall acts as a bridge between TWO networks. How
 would
 I keep my DMZ and LAN both while using a bridging firewall. Is it even
 possible?


What do you mean? Whether OpenBSD supports bridging? Whether PF supports
L2-based filtering? Whether you can have two interfaces in a bridge and
have, at the same time, L2-based filtering and L3-based filtering?

By L2-based filtering I mean having the firewall inspect frames/packets from
interfaces that are bridged together that do not have an IP address
configured (i.e. L2-switching).

-- 
http://www.felipe-alfaro.org/blog/disclaimer/



Re: Where is Secure by default ?

2009-03-09 Thread Felipe Alfaro Solana
On Mon, Mar 9, 2009 at 3:36 PM, irix i...@ukr.net wrote:

 Hello Misc,

  On www.openbsd.org it says "Only two remote holes in the default
  install, in more than 10 years!"; this is not true. I use OpenBSD
  as a customer, not as an administrator. And my OpenBSD was attacked
  by a simple MiTM attack on the ARP protocol. How then can we talk about
  "security by default"?
  For example, FreeBSD solved this very simply, with this patch:
  http://freecap.ru/if_ether.c.patch
  When this is introduced in OpenBSD, can you then say with confidence
  that the system really is "Secure by default"?


ARP is insecure by default. If you care, move to IPv6 and use IPSec/SeND.



Re: arp MiTM

2009-03-09 Thread Felipe Alfaro Solana
On Mon, Mar 9, 2009 at 1:11 PM, irix i...@ukr.net wrote:

 Hello Misc,

  How can one protect a server from such attacks without the use of
  static arp entries?
  For freebsd 5.0 a patch was written, arp_antidote (
  http://freecap.ru/if_ether.c.patch);
  could somebody port it to openbsd?
 
  Also, in freebsd it is possible to set a flag, staticarp, through
  ifconfig on the interface: "If the Address Resolution Protocol is
  enabled, the host will only reply to requests for its addresses, and
  will never send any requests."
  Could you add this flag to openbsd?


ARP is insecure, no matter how many patches you apply or how many hacks you
try. If you want something more secure, use 802.1X, use security on the
switch, use IPv6+IPSec/SeND, etc.
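Since ARP itself cannot be made trustworthy, the usual host-side complement to the switch-level controls named in this reply (and in the "Where is Secure by default?" reply above) is to detect a change rather than try to prevent it: the arpwatch approach, which remembers which MAC address answered for each IP and reports when that answer changes. The following is an added example and is not code from any post in this thread. It is a POSIX sh/awk function that reads ARP reply lines in the form printed by "tcpdump -n -e arp" and prints one line per IP whose MAC flips; the interface name em0, the addresses and the sample lines are constructed for the demonstration. Note what it does not do: it only sees frames on the segment the monitoring host is attached to, and it reports after the first poisoned reply has already been accepted by every other host on that segment, so 802.1X, switch-side ARP inspection or SeND remain the preventive controls.

```sh
#!/bin/sh
# Added example: arpwatch-style detection of IP -> MAC changes from
# ARP replies. Reads lines as produced by
#   tcpdump -l -n -e -i em0 arp
# on stdin and prints one line per change:
#   <timestamp> <ip> <old mac> -> <new mac>
# Only the "arp reply <ip> is-at <mac>" tokens are used, so the exact
# link-layer prefix tcpdump prints in front of them does not matter.
detect_arp_flips() {
    awk '
        {
            for (i = 2; i < NF; i++) {
                if ($i == "is-at") {
                    ip = $(i - 1); mac = $(i + 1)
                    sub(/,$/, "", mac)          # tolerate a trailing comma
                    if ((ip in seen) && seen[ip] != mac)
                        printf "%s %s %s -> %s\n", $1, ip, seen[ip], mac
                    seen[ip] = mac
                }
            }
        }'
}

# Constructed sample (not a real capture): the gateway 192.168.1.1 is
# legitimately at 00:0d:b9:11:22:33; the third frame claims it is at a
# different MAC, which is what an ARP MITM looks like on the wire. The
# fourth frame repeats the poisoned answer and must not be reported again.
sample_arp_log() {
    cat <<'EOF'
12:00:01.000000 00:0d:b9:11:22:33 00:1b:21:aa:bb:cc 0806 60: arp reply 192.168.1.1 is-at 00:0d:b9:11:22:33
12:00:02.000000 00:1b:21:aa:bb:cc 00:0d:b9:11:22:33 0806 60: arp reply 192.168.1.20 is-at 00:1b:21:aa:bb:cc
12:00:03.000000 00:16:3e:de:ad:00 00:1b:21:aa:bb:cc 0806 60: arp reply 192.168.1.1 is-at 00:16:3e:de:ad:00
12:00:04.000000 00:16:3e:de:ad:00 00:1b:21:aa:bb:cc 0806 60: arp reply 192.168.1.1 is-at 00:16:3e:de:ad:00
EOF
}

# Live use on an OpenBSD host (not run here):
#   tcpdump -l -n -e -i em0 arp | detect_arp_flips
# Demonstration on the constructed sample:
if [ "${1-}" = "demo" ]; then
    sample_arp_log | detect_arp_flips
fi
```

Running the script with the argument "demo" prints a single line for 12:00:03.000000, the moment 192.168.1.1 moved from 00:0d:b9:11:22:33 to 00:16:3e:de:ad:00; a real deployment would feed that line to syslog or mail rather than stdout, and would seed the table from a known-good "arp -an" so that the very first poisoned reply is caught too.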



Re: NFS or SAMBA ?

2009-03-09 Thread Felipe Alfaro Solana
On Mon, Mar 9, 2009 at 4:56 PM, Henning Brauer lists-open...@bsws.de wrote:

 * Guillermo Bernaldo de Quiros Maraver debug...@gmail.com [2009-02-13
 21:06]:
  if you have a shared network between WINDOWS and OpenBSD i recommend
  Samba if not, NFS 
 
  NFS = Insecure 
  SAMBA = Have a problems, but, it's more secure.

 that is the most ridiculous bullshit I have ever read here in some time.


Why exactly do you think that is bullshit?



Re: System security question

2009-02-28 Thread Felipe Alfaro Solana
On Thu, Feb 26, 2009 at 11:13 PM, Ingo Schwarze schwa...@usta.de wrote:

 Hi Jean-Francois,

 Jean-Francois wrote on Wed, Feb 25, 2009 at 10:08:22PM +0100:

  I actually built the following system :
  - OpenBSD running on a standard AMD platform
  - This box is actually used as firewall
  - This box is also used as webserver
  - This box is finally used as local shared drives via NFS file
but only open to subnetwork through PF

 It's hard to tell what this is supposed to say, but in case you intend
 to use the same physical machine as a firewall, as a public webserver
 and as a private NFS server, that's almost certainly a very bad idea
 and not at all secure.

 Never put your private NFS server on the same host as either your
 firewall or your webserver.  Never.  If you don't own and can't
 afford enough hardware to physically separate the NFS server
 from the firewall and the webserver, do not use NFS at all.
 If your network is so small that you consider putting everything
 on one single server, just use some old 200MHz i386 for the firewall
 and some old 500MHz i386 for the NFS server.  People will almost
 certainly give you such hardware for free, at least in Europe.
 That's probably sufficient, and lets you use your shiny new amd64
 box as the webserver.


Just to clarify, NFSv4 does not necessarily transmit data in clear text.
NFSv4 allows one to use encryption and/or data authentication. NFSv3 and
older versions do not use encryption at all, but you can use IPSec to
protect it at the network layer.

 NFS is not designed with security in mind.  It transmits data
 unencrypted.  It has no real authentication and no real access
 control.  It is designed for strictly private networks with
 no external access that no potential attackers have access to.

 If you can afford it, also separate the webserver from the
 firewall.  Webservers tend to run lots of crappy software,
 and thus, they tend to get hacked.  Well, perhaps that's
 somewhat mitigated by running the webserver chrooted, but
 anyway, it is clearly better to make the firewall a three-leg
 router and physically separate the network segment containing the
 webserver (DMZ) and the internal NFS server (private intranet).

  Assuming that subnetwork computers might be hacked or infected by
  any threat

 You mean, attackers might gain access to either the hardware of
 your internal network, or any of the computers in your internal
 network might get hacked from the Internet?

 If i understood that correctly, you cannot use NFS at all,
 not even on a dedicated server inside your intranet, physically
 well separated from the firewall.  There is basically no way to
 secure it.

  Assuming that there is no mistake in PF rules
  Assuming that there is nothing of a third party installed
  on the box (basically it's only a tuned system)
  - Would you please confirm that hacking is almost impossible ?

 If i understood your setup and threat scenario correctly --
 computers inside your internal network might be compromised,
 and you want to run an NFS server inside your internal network --
 then no, that's not secure.  Spying out the private data on the
 NFS server is trivial and does not even need script kiddie skills.
 All the attacker needs to do is:  Use an IP number having access
 to the NFS server, locally create an account with the UID he is
 interested in, mount the NFS volume(s) and read the data.
 No hacking is required.  This is completely insecure.

  - Would you confirm any personnal datas hosted on server are safe
  as long as the (subnet is not compromised by false manipulation
  of course)

 I don't know what you mean by subnet is not compromised, but
 it doesn't matter.  If subnetwork computers might be hacked,
 then the data is not at all secure.

 No idea why so many other posters said there's no problem...  :-(

 Yours
   Ingo




-- 
http://www.felipe-alfaro.org/blog/disclaimer/



Re: System security question

2009-02-28 Thread Felipe Alfaro Solana
On Sat, Feb 28, 2009 at 1:51 PM, Ingo Schwarze schwa...@usta.de wrote:

 Hi Felipe,

 Felipe Alfaro Solana wrote on Sat, Feb 28, 2009 at 10:53:50AM +0100:
  On Thu, Feb 26, 2009 at 11:13 PM, Ingo Schwarze schwa...@usta.de
 wrote:
  Jean-Francois wrote on Wed, Feb 25, 2009 at 10:08:22PM +0100:

  I actually built the following system :
  - OpenBSD running on a standard AMD platform
  - This box is actually used as firewall
  - This box is also used as webserver
  - This box is finally used as local shared drives via NFS file
but only open to subnetwork through PF

  NFS is not designed with security in mind.  It transmits data
  unencrypted.  It has no real authentication and no real access
  control.  It is designed for strictly private networks with
  no external access that no potential attackers have access to.

  Just to clarify,

 On an OpenBSD list, i am talking about NFS on OpenBSD (-current
 and -stable), and that's NFSv3.  ;-)
 Of course, you are right that i could have mentioned that.

  NFSv4 does not necessarily transmit data in clear text.
  NFSv4 allows one to use encryption and/or data authentication.

 That doesn't help the original poster because NFSv4 is not
 available on OpenBSD.  See

  http://marc.info/?l=openbsd-misc&m=123469849717017
  Peter Hessler wrote on Feb 15, 2009:
  openbsd uses nfsv3 over ipv4.
   nfsv4 is still being worked on, but is not ready.


Well, if NFSv4 is not an option for OpenBSD, then it's clear that NFS on
OpenBSD is a very poor choice due to lack of proper authentication and
encryption :)


  NFSv3 and older versions do not use encryption at all,
  but you can use IPSec to protect it at the network layer.

 I do not know enough about IPSec to judge whether and under which
 conditions it's viable, effective and efficient to secure NFS usage
 in an internal network that attackers have access to by using IPSec
 between the NFS server and each NFS client.  Maybe this could be
 an option.


Of course if the attacker can gain remote access to the machine, IPSec is
not very useful since the attacker can probably retrieve the encryption keys
from the kernel :)

IPSec is only useful to prevent attacks (replay, sniff, etc.) from the
network.
Thanks for pointing this out.

 But even if that's sound, which i neither claim nor deny, it's still
 a bad idea to run purely internal services on a firewall, no matter
 whether they use encryption or not.


And I totally agree with you. Mixing firewall services with services like
Web or file/print services is a recipe for disaster.
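The two points made across this exchange, that NFSv3 can be wrapped in IPsec at the network layer (Felipe's earlier reply) but that this only authenticates hosts and is useless once a client holding a key is compromised (the caveat above), are easier to weigh with a concrete ruleset in front of you. The following is an added example, not configuration from any post in this thread. It writes, for one server/client pair, the ipsec.conf(5) rules for ESP in transport mode and a pf.conf(5) fragment for the NFS server that refuses everything on the physical interface except IKE and ESP and admits NFS only on enc0, the interface on which OpenBSD presents decapsulated IPsec traffic for filtering. The addresses 10.0.0.1 (server) and 10.0.0.2 (client), the interface em0 and the pre-shared keys are assumptions; the function takes a target directory so the output can be inspected without touching /etc.

```sh
#!/bin/sh
# Added example: NFSv3 between one server and one client over IPsec
# (ESP, transport mode), with pf restricting nfsd to enc0.
#
# What this buys you: sniffing and tampering on the wire are stopped,
# and a host without a key cannot reach portmap, mountd or nfsd at all.
# What it does not buy you: user-level access control. A compromised
# client that holds its key can still present any UID it likes, which
# is Ingo's point about NFS in the messages above.
write_nfs_ipsec_config() {
    dir=${1:-/etc}

    # Server side. One rule per client, each with its own PSK, so that
    # a compromised client cannot impersonate another one.
    cat > "$dir/ipsec.conf" <<'EOF'
# ipsec.conf on the NFS server: answer IKE from the client (isakmpd(8))
ike passive esp transport from 10.0.0.1 to 10.0.0.2 psk "replace-with-per-client-secret"
EOF

    # Client side, mirrored.
    cat > "$dir/ipsec.conf.client" <<'EOF'
# ipsec.conf on the NFS client: initiate IKE to the server
ike active esp transport from 10.0.0.2 to 10.0.0.1 psk "replace-with-per-client-secret"
EOF

    # pf fragment for the NFS server; include it in pf.conf and add
    # the other services the box must offer (ssh, ...) to the pass list.
    cat > "$dir/pf.conf.nfs" <<'EOF'
ext_if = "em0"
nfs_server = "10.0.0.1"
nfs_client = "10.0.0.2"

# Everything on the physical interface is refused except IKE and ESP:
# plaintext NFS, portmap and mountd traffic never reaches the daemons.
block in on $ext_if all
pass in on $ext_if proto udp from $nfs_client to $nfs_server port 500
pass in on $ext_if proto esp from $nfs_client to $nfs_server

# After decapsulation the inner packets appear on enc0; admit them
# there, from the client whose key was verified.
pass in on enc0 proto { tcp udp } from $nfs_client to $nfs_server
EOF
}

# Checks on the live server (not executed here):
#   ipsecctl -n -f /etc/ipsec.conf      # syntax check
#   ipsecctl -s all                     # flows and SAs once the client connects
#   pfctl -n -f /etc/pf.conf            # ruleset syntax check
#   showmount -e 10.0.0.1               # from a host without a key: must fail

case "${1-}" in
apply) write_nfs_ipsec_config /etc ;;
esac
```

Exports and the UID mapping in exports(5) still apply on top of this; the ruleset only guarantees that the host presenting a UID is one that completed IKE with a key you issued.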



Re: System security question

2009-02-28 Thread Felipe Alfaro Solana
On Sat, Feb 28, 2009 at 6:40 PM, Jean-Francois jfsimon1...@gmail.com wrote:

 Hi,
 And I totally agree with you, Mixing firewall services with services
 like Web or file/print services is a recipe for disaster.

 True since hacking the web server is entering the firewall itself.
 But the web server, httpd, is chrooted ... so why would there be a
 problem here ?


There are ways to evade chroots, although I'm not sure how feasible they are
for OpenBSD.


--
http://www.felipe-alfaro.org/blog/disclaimer/



Re: System security question

2009-02-25 Thread Felipe Alfaro Solana
On Wed, Feb 25, 2009 at 10:08 PM, Jean-Francois jfsimon1...@gmail.com wrote:

 Hi All,

 I actually built the following system :

 - OpenBSD running on a standard AMD platform
 - This box is actually used as firewall
 - This box is also used as webserver
 - This box is finally used as local shared drives via NFS file but only
 open to subnetwork through PF

 Assuming that subnetwork computers might be hacked or infected by any
 threat
 Assuming that there is no mistake in PF rules
 Assuming that there is nothing of a third party installed on the box
 (basically it's only a tuned system)

 - Would you please confirm that hacking is almost impossible ?


We would never do that. It'd be stupid to think that hacking this machine is
almost impossible. There exists no unhackable or unbreakable software, not
even OpenBSD.


 - Would you confirm any personnal datas hosted on server are safe as
 long as the (subnet is not compromised by false manipulation of course)


Never, because you are running a Web server on the machine, and possibly an
SSH server and lots of code that might contain security holes.




 Thanks for care,
 JF



-- 
http://www.felipe-alfaro.org/blog/disclaimer/



Re: CARP under heavy load

2009-01-06 Thread Felipe Alfaro Solana
On Tue, Jan 6, 2009 at 3:51 PM, ropers rop...@gmail.com wrote:

  * ropers rop...@gmail.com [2008-12-12 15:01]:
 
  Maybe --possibly-- my own understanding is sorely lacking. Let me try
  to explain. The following requires a non-proportional font:
 

 (...)

  OTOH, if you have a dedicated link, maybe your setup looks like this?
 
   external network
  ||
  OpenBSD#0OpenBSD#1
  ||
   internal network
 
  I was under the impression that it should be possible to exchange CARP
  advertisements via the dedicated link (), though I have to
  admit that I haven't actually built such a network yet -- I'm planning
  to do that shortly. Maybe others can weigh in?

 2008/12/23 Henning Brauer lists-open...@bsws.de:
  that would defeat carp's purpose. if, in your scenario above,
  OpenBSD#0 loses link to the external network, wouldn't you want
  OpenBSD#1 to become master?

 Thanks for that. But I have a follow-up: To fully work, the OpenBSD
 hosts in the above scenario need working external and internal
 interfaces. So if CARP talked over the external network, that would
 just test the external interfaces. OTOH, if CARP talked over the
 internal network, that would just test the internal interfaces. Is
 there a way for a CARPed host to detect if either its external or
 internal links go down?

 Please forgive the sort of stupid question, but I'm curious.


I don't think you need that.

When deploying multiple CARP interfaces, you can enable CARP preempt. When
CARP preempt is enabled (via sysctl), if one CARP interface goes into backup
mode, all other CARP interfaces will also failover to backup.

So, if you have carp0 (internal network) and carp1 (external network) and
carp0 fails over because e.g. the network link goes down or the cable gets
unplugged, carp1 will also fail over.

-- 
http://www.felipe-alfaro.org/blog/disclaimer/
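The group failover described above is the net.inet.carp.preempt sysctl: with it enabled, a carp interface whose carpdev loses link demotes every carp interface on that host, so the pair never ends up with carp0 MASTER on one firewall and carp1 MASTER on the other. A minimal two-legged setup that relies on it is shown below as an added example; it is not configuration from any post in this thread. The interface names em0 (external) and em1 (internal), the addresses, vhids and passphrases are assumptions, and the function takes a target directory so the files can be inspected without writing to /etc.

```sh
#!/bin/sh
# Added example: two-interface CARP firewall with group failover.
# Writes the hostname.if(5) files, the sysctl.conf(5) setting and the
# pf.conf(5) rule the explanation above relies on. Run the file with
# the argument "apply" to write to /etc; otherwise call the function
# with a scratch directory.
write_carp_config() {
    dir=${1:-/etc}

    # advskew 0 on the intended master and e.g. 100 on the backup; both
    # firewalls must use the same vhid and pass for each carp interface.
    cat > "$dir/hostname.carp0" <<'EOF'
inet 203.0.113.1 255.255.255.0 203.0.113.255 vhid 1 carpdev em0 pass ext-secret advskew 0
EOF
    cat > "$dir/hostname.carp1" <<'EOF'
inet 192.168.1.1 255.255.255.0 192.168.1.255 vhid 2 carpdev em1 pass int-secret advskew 0
EOF

    # Group failover: if any carpdev on this host loses link, all carp
    # interfaces on this host become BACKUP (and the peer takes both).
    grep -q '^net.inet.carp.preempt=1' "$dir/sysctl.conf" 2>/dev/null ||
        echo 'net.inet.carp.preempt=1' >> "$dir/sysctl.conf"

    # CARP advertisements are IP protocol 112 and must not be filtered
    # by pf on either physical interface, or the peers will both go
    # MASTER.
    grep -q 'proto carp' "$dir/pf.conf" 2>/dev/null ||
        echo 'pass on { em0 em1 } proto carp' >> "$dir/pf.conf"
}

# Checks on the live system (not executed here):
#   sysctl net.inet.carp.preempt   # expect 1
#   ifconfig carp0; ifconfig carp1 # both MASTER on one host, both BACKUP on the peer
#   ifconfig -g carp               # "carp demote count 0" when healthy
# Then unplug em0 on the master: carp0 and carp1 should both flip to
# BACKUP there and to MASTER on the peer, with no split between them.

case "${1-}" in
apply) write_carp_config /etc ;;
esac
```

The pass rule is deliberately on the physical interfaces and not on carp0/carp1: advertisements travel over the carpdev, which is also why, as noted elsewhere in this thread, they cannot be moved onto a dedicated pfsync cable without losing the link-failure detection that is the whole point.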



Re: AH+ESP and IPv6

2009-01-02 Thread Felipe Alfaro Solana
On Tue, Dec 30, 2008 at 9:29 PM, fortunato.montre...@earthlink.net wrote:

 I'm trying to use both AH and ESP to setup IPsec using Transport mode
 between two IPv6 OpenBSD 4.4 hosts.

 So far it worked for AH Transport mode or ESP Transport mode but I don't
 quite know how to do both AH and ESP. Any ideas?

 Here's a snippet from /etc/ipsec.conf :

  ike esp transport from 2001::10 to 2001::5 psk secret

 Then I tried the following (and vice versa, AH in place of ESP).

  ike esp transport from 2001::10 to 2001::5 psk secret
  flow ah from 2001::10 to 2001::5

 I'm not sure either.

Since you can apply ESP then AH, or apply AH and then ESP (depending on
what's more important for you, the digital signature or the encryption) it's
not obvious to me how to do it.

-- 
http://www.felipe-alfaro.org/blog/disclaimer/



Re: AH+ESP and IPv6

2009-01-02 Thread Felipe Alfaro Solana
On Fri, Jan 2, 2009 at 7:52 PM, Todd T. Fries t...@fries.net wrote:

 The other answer is, ESP provides AH, therefore AH is deprecated.


What do you mean? That OpenBSD's implementation of ESP automatically uses AH
too? (payload inside AH inside ESP?) Because ESP only provides
authentication for the payload, not for the IP header. That's why AH
is useful.

 Unless you really really want to play with AH to verify it works and such
 (which the below suggests it does not) ...
 --
 Todd Fries .. t...@fries.net

  _
 | \  1.636.410.0632 (voice)
 | Free Daemon Consulting, LLC \  1.405.227.9094 (voice)
 | http://FreeDaemonConsulting.com \  1.866.792.3418 (FAX)
 | ..in support of free software solutions.  \  250797 (FWD)
 | \
  \\

  37E7 D3EB 74D0 8D66 A68D  B866 0326 204E 3F42 004A
http://todd.fries.net/pgp.txt





-- 
http://www.felipe-alfaro.org/blog/disclaimer/



Re: AH+ESP and IPv6

2009-01-02 Thread Felipe Alfaro Solana
On Fri, Jan 2, 2009 at 8:36 PM, t...@fries.net wrote:

 If ESP does not decrypt, the payload is invalid. Adding AH adds no further
 functionality other than to thwart any attempts at NAT.


AH is not meant to thwart any attempts at NAT. For that, you have IPSec over
UDP. AH prevents any tampering with the IP header, which can be very useful.






-- 
http://www.felipe-alfaro.org/blog/disclaimer/



Re: Running another OS under OpenBSD

2008-12-25 Thread Felipe Alfaro Solana
On Wed, Dec 24, 2008 at 11:13 AM, Henning Brauer lists-open...@bsws.de wrote:

 * Felipe Alfaro Solana felipe.alf...@gmail.com [2008-12-24 06:17]:
   easy - OpenBSD. Linux doesn't have propolice, randomized malloc/mmap,
   randomized library addresses etc yadda yadda yadda.
  RedHat has been shipping a version of glibc that does randomized library
  addresses for, at least, a year.

 wow. one thing out of dozens we do. sure a killer argument.


Who said this is a killer argument? I was just pointing out that nearly any
mainstream OS currently has randomized library address space.


 --
 Henning Brauer, h...@bsws.de, henn...@openbsd.org
 BS Web Services, http://bsws.de
 Full-Service ISP - Secure Hosting, Mail and DNS Services
 Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam




-- 
http://www.felipe-alfaro.org/blog/disclaimer/



Re: Running another OS under OpenBSD

2008-12-25 Thread Felipe Alfaro Solana
On Thu, Dec 25, 2008 at 10:50 PM, Marco Peereboom sl...@peereboom.us wrote:

  RedHat has been shipping a version of glibc that does randomized library
  addresses for, at least, a year. Libraries have to be compiled with
 -fPIC,
  however, but that's the case for most. Not sure about other distros.

 Right, now tell me again about strl*


What's so special about strl*? Anyone can implement it in glibc. But
applications must be changed anyway to use it.

-- 
http://www.felipe-alfaro.org/blog/disclaimer/



Re: Running another OS under OpenBSD

2008-12-23 Thread Felipe Alfaro Solana
On Tue, Dec 23, 2008 at 12:34 PM, Henning Brauer lists-open...@bsws.de wrote:

 * Douglas A. Tutty dtu...@vianet.ca [2008-12-23 05:45]:
  On Tue, Dec 23, 2008 at 02:41:08AM +0100, Henning Brauer wrote:
   * Jussi Peltola pe...@pelzi.net [2008-12-11 20:52]:
On Thu, Dec 11, 2008 at 10:30:50AM -0800, Jeff_1981 wrote:
 
That said, OpenBSD base services are extremely secure, compared to
 the
competition, when properly configured and patched. Note that no
 security
audits are done to software in the ports tree; you're on your own
 with
3rd party software.
  
   many things from ports are patched or otherwise modified for security
   reasons, and many things are deliberately NOT in ports due to security
   considerations. nonetheless there is truth in your above statement;
   averaged things from ports are not on the same level as openbsd.
 
  Has anybody done any comparisons to see how things from ports
  (especially commone things like firefox) compare to the competition's
  packages (rpms, debs, whatever)?  I know that the ports don't get
  audited like base, but then I don't think anyone else's does either.
 
  In other words, if you need a box with multiple third-party apps, (lets
  say that none of them are server apps), (eg, firefox, a window manager or
  DTE, mutt, LaTex, gv, a pdf reader), which box would be more secure
  (with the same admin): OpenBSD with ports or a Linux (e.g. Debian)?

 easy - OpenBSD. Linux doesn't have propolice, randomized malloc/mmap,
 randomized library addresses etc yadda yadda yadda.


RedHat has been shipping a version of glibc that does randomized library
addresses for, at least, a year. Libraries have to be compiled with -fPIC,
however, but that's the case for most. Not sure about other distros.


 crappy applications are still crappy applications on OpenBSD, but
 worse on pretty much any other OS.

 --
 Henning Brauer, h...@bsws.de, henn...@openbsd.org
 BS Web Services, http://bsws.de
 Full-Service ISP - Secure Hosting, Mail and DNS Services
 Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam




-- 
http://www.felipe-alfaro.org/blog/disclaimer/



Re: CARP under heavy load

2008-12-16 Thread Felipe Alfaro Solana
On Mon, Dec 15, 2008 at 9:14 AM, Jussi Peltola pe...@pelzi.net wrote:

 On Mon, Dec 15, 2008 at 03:43:43AM +0100, Felipe Alfaro Solana wrote:
  If the two machines that are part of the same CARP group are connected to
  the same switch, and you are experiencing packet loss, then something
 really
  bad is going on. How many ports does your switch have? Perhaps the total
  aggregated switching capacity of the switch is not enough in your
  deployment.

 Who says the switch is losing the packets, if your router is overloaded
 it's forwarding at 100% speed and you have no room for CARP
 announcements. One solution would be to increase the time between
 advertisements and hope for the best.


What does "overloaded" mean? Is it CPU overload? NIC overload? If it's the
CPU, it might be possible that CARP packets get lost, but who cares? If
the router's CPU is at 100% you have a problem and need to scale up. If
the NIC is overloaded, it means you have too much non-TCP traffic and are
not using Ethernet flow control. Perhaps using Ethernet flow control might
help.

 IME forwarded packets seem to somehow have a higher priority than
 self-originated traffic in most OS's; don't know why this is, just a gut
 feeling. Probably related to interrupts taking away CPU time from other
 things; if the machine is so loaded the physical console is slow as
 molasses, I doubt that CARP can work very well either.

 --
 Jussi Peltola




-- 
http://www.felipe-alfaro.org/blog/disclaimer/



Re: CARP under heavy load

2008-12-14 Thread Felipe Alfaro Solana
On Sat, Dec 13, 2008 at 6:56 AM, Stephan A. Rickauer 
stephan.ricka...@ini.phys.ethz.ch wrote:

 On Fri, 2008-12-12 at 17:32 +0100, Felipe Alfaro Solana wrote:

 
  What's the point on using CARP to send advertisements over a dedicated
  link? The dedicated link is typically a cross-over cable (i.e. used
  for pfsync) and hence, in case of a switch port failure (or cable
  failure), CARP won't be able to see this.

 That's true, of course. Then I don't see a chance to make CARP behave
 under heavy load, cause it can always be misinterpreted as a link
 failure by CARP. I'll try prioritizing carp ads with altq and see how
 that goes.


If the two machines that are part of the same CARP group are connected to
the same switch, and you are experiencing packet loss, then something really
bad is going on. How many ports does your switch have? Perhaps the total
aggregated switching capacity of the switch is not enough in your
deployment.

-- 
http://www.felipe-alfaro.org/blog/disclaimer/



Re: CARP under heavy load

2008-12-12 Thread Felipe Alfaro Solana
On Fri, Dec 12, 2008 at 3:12 PM, Stephan A. Rickauer 
stephan.ricka...@ini.phys.ethz.ch wrote:

 On Fri, 2008-12-12 at 14:57 +0100, ropers wrote:
  Maybe --possibly-- my own understanding is sorely lacking. Let me try
  to explain. The following requires a non-proportional font:
 
  Is this what your CARP setup looks like?
 
   external network
  ||
  OpenBSD#0OpenBSD#1
  ||
   internal network
 
  If so, are the CARP advertisements being sent via the external or
  internal network?

 Your diagram would use two CARP interfaces, not just one. One for the
 external and one for the internal network. Thus, you'd have carp0
 (external) and carp1 (internal), both would exchange ads via multicast
 by default over their underlying physical interfaces.

 Yes, this is our setup ;) - at least the relevant part of it.

  I was under the impression that it should be possible to exchange CARP
  advertisements via the dedicated link (), though I have to
  admit that I haven't actually built such a network yet -- I'm planning
  to do that shortly. Maybe others can weigh in?

 One can use 'carppeer' to not send multicast but unicast. However, I was
 under the impression one still needs to do peering on the same link as
 the carp interfaces sit.

 Can one use the same 'carppeer ded.ica.ted.ip' statement for all carp
 interfaces altogether (and the other dedicated peer IP on the other)?


What's the point on using CARP to send advertisements over a dedicated link?
The dedicated link is typically a cross-over cable (i.e. used for pfsync)
and hence, in case of a switch port failure (or cable failure), CARP won't
be able to see this.



Re: Running another OS under OpenBSD

2008-12-11 Thread Felipe Alfaro Solana
On Thu, Dec 11, 2008 at 7:30 PM, Jeff_1981 jfsimon1...@gmail.com wrote:

 Dear All,

 Please can you indicate me how to run Windows or Linux under OpenBSD ?
 Under Linux for example there is possibility to virtualize another OS.
 If the other OS is hacked from the web does it compromizes the security of
 OpenBSD ?


Does QEMU work under OpenBSD? But even if it does, it's probably too slow to
use it in production. Also, it might contain bugs and crash, decrease the
security of the host or guest, etc. If I were you and decided on using
virtualization, I'd go with a proven, mature solution. I don't think QEMU is
that mature or that it got enough exposure.


 Another question is if I run a server under OpenBSD is this impossible to
 hack it from the web ?


Nothing is impossible (or impossible is nothing). Even operating systems
certified as EAL4+ have been hacked, and some of them have horrible security
track records, despite being certified. No software is bug-free, so forget about
the concept of unbreakable or unhackable. It does not exist at all.


 The standard install of OpenBSD has no security holes anymore if I
 understand correctly; does this mean no one can hack it from the web? What about an
 OpenBSD on which we have activated one or more services, like a mail server /
 web server and file sharing within the network (if used as a NAS / server, for
 example)?


Being hackable from the Web is just too vague. Your system might have SSH
enabled and a poor password for a particular user, such that a hacker can
log in and, from there, launch a local attack against the system (a local
exploit instead of a remote exploit, like crashing the box), launch a DoS
attack, etc.

As usual, the security of the system depends on the weakest link in the chain.
That's typically the user, or a poor password, or an unpatched system, or a
misconfigured system, or an unqualified administrator, or ... :)

 Thanks a lot for your help.

 Regards,
 JF
 --
 View this message in context:
 http://www.nabble.com/Running-another-OS-under-OpenBSD-tp20961548p20961548.html
 Sent from the openbsd user - misc mailing list archive at Nabble.com.




-- 
http://www.felipe-alfaro.org/blog/disclaimer/



Re: The New Secure Operating System

2008-12-09 Thread Felipe Alfaro Solana
On Tue, Dec 9, 2008 at 4:14 PM, Sunnz [EMAIL PROTECTED] wrote:

 The secure operating system standard will never be the same now that a
 National Security Agency-certified OS has gone commercial, but few
 mainstream enterprises today need an airtight OS tuned to run on
 fighter jets. And many organizations aren't properly securing their
 existing commercial OSes, anyway, security experts say.


 http://www.darkreading.com/security/management/showArticle.jhtml?articleID=212201490


This article sounds like pure and cheap marketing to me. EAL certification
has never meant anything to me, except that the vendor went through a
certification process. Does EAL certification have to be renewed every year?
Windows has been certified EAL4+ and it has never been (and probably never will
be) secure. RHEL is also EAL4+ and it has also had security problems.

Commercial operating systems, as long as their source code is closed to the
professionals who would study it, will never be secure. This new operating system
is a commercial one and the vendor's Web page doesn't look very open
source friendly.



CARP with a single public IP address

2008-12-05 Thread Felipe Alfaro Solana
Hi misc,

I've been thinking about this for a while but can't seem to figure out
a proper solution.  Perhaps you have seen a scenario like this before
and have ideas on how to tackle it.

I have two OpenBSD 4.4 boxes configured in active/backup CARP,
connected to an ADSL router. I want to reconfigure the ADSL router and
turn it into a bridge. This way, my public IP address will move from
the ADSL router into the CARP interface and will be shared by both
OpenBSD machines. The ADSL router has a built-in hub into which both
OpenBSD machines are plugged.

While the machine whose CARP interface is ACTIVE won't have
problems sending and processing traffic, the OpenBSD machine whose
CARP interface is in BACKUP will. The machine whose CARP interface is
in BACKUP will be able to send traffic to the Internet from its public
IP address, but will not be able to process any response, for example
when contacting an NTP server: the UDP response from the NTP server will
arrive at both OpenBSD machines (since both are sharing the public IP
address), but the machine whose CARP interface is BACKUP will likely
ignore the NTP response. For TCP it is very similar.

I have no idea how to deploy a scenario like this, while allowing the
machine whose CARP interface is in BACKUP to access the Internet. A
workaround is having the machine whose CARP interface is in BACKUP
have a default route installed pointing to the machine whose CARP
interface is ACTIVE. The problem is the setup is more complex and
requires a way of dynamically adjusting the default route. A possible
solution is using ifstated(8). Is it possible to use OSPF instead?

Thanks in advance!

-- 
http://www.felipe-alfaro.org/blog/disclaimer/



Re: CARP with a single public IP address

2008-12-05 Thread Felipe Alfaro Solana
On Fri, Dec 5, 2008 at 12:11 PM, Paul de Weerd [EMAIL PROTECTED] wrote:

 Hey Felipe,

 On Fri, Dec 05, 2008 at 11:51:05AM +0100, Felipe Alfaro Solana wrote:
 | Hi misc,
 |
 | I've been thinking about this for a while but can't seem to figure out
 | a proper solution.  Perhaps you have seen a scenario like this before
 | and have ideas on how to tackle it.
 |
 | I have two OpenBSD 4.4 boxes configured in active/backup CARP,
 | connected to an ADSL router. I want to reconfigure the ADSL router and
 | turn it into a bridge. This way, my public IP address will move from
 | the ADSL router into the CARP interface and will be shared by both
 | OpenBSD machines. The ADSL router has a built-in hub into which both
 | OpenBSD machines are plugged.

 Some years ago, I did exactly this. Configured an ADSL modem for
 rfc1483 mode (which my ISP supported) and had two machines behind it
 for routing (NATting) my local network out.

 | While the machine whose CARP interface is ACTIVE won't have
 | problems sending and processing traffic, the OpenBSD machine whose
 | CARP interface is in BACKUP will. The machine whose CARP interface is
 | in BACKUP will be able to send traffic to the Internet from its public
 | IP address, but will not be able to process any response, for example
 | when contacting an NTP server: the UDP response from the NTP server will
 | arrive at both OpenBSD machines (since both are sharing the public IP
 | address), but the machine whose CARP interface is BACKUP will likely
 | ignore the NTP response. For TCP it is very similar.

 I did this before we had openntpd and didn't run that other ntpd on
 my machines. Internet access was only available when the machine was
 CARP master. I think there are two solutions here, both of which have
 issues. First solution (only solves the ntp issue): configure your
 CARP'ed routers to use an ntpd on your local network (which gets its
 time via the same set of CARP'ed routers). The other option is to get
 more public IPs from your ISP. This makes your routers accessible
 from the internet.


These are very interesting ideas. I'm now thinking of running two openntpd
daemons, one on each machine. openntpd can be configured to use an NTP server
from the Internet and the other OpenBSD peer. The active CARP node can
reach both NTP servers. The backup CARP node can only reach its peer and
still keep the time up to date.


 Downsides are that the first solution requires an extra machine and
 the second solution is probably difficult with most ISPs.


My ISP won't give me any more IP addresses, unfortunately. It's Telefonica,
and I was one of the very first lucky customers to get a public, fixed IP
address in 1999. Nowadays, they don't hand out public IP addresses anymore
and I can consider myself lucky that mine hasn't been withdrawn.

 | I have no idea how to deploy a scenario like this, while allowing the
 | machine whose CARP interface is in BACKUP to access the Internet. A
 | workaround is having the machine whose CARP interface is in BACKUP
 | have a default route installed pointing to the machine whose CARP
 | interface is ACTIVE. The problem is the setup is more complex and
 | requires a way of dynamically adjusting the default route. A possible
 | solution is using ifstated(8). Is it possible to use OSPF instead?

 I don't really like that solution. My suggestion would be to try and
 minimize the amount of traffic the machines need to send to the
 internet (preferably to 0). Maybe use IPv6 (if your ISP does native
 v6 on the link) when you can't work around this.


No native IPv6 either. Same problem as with IPv4. In Spain, IPv6 is just
SciFi, unless you use a tunnel broker like SixXS. And since this requires
IPv4, I have a deadlock :(

Thanks for your suggestions, Paul!

Cheers ;)

 Paul 'WEiRD' de Weerd

 --
 [++-]+++.+++[---].+++[+
 +++-].++[-]+.--.[-]
 http://www.weirdnet.nl/




-- 
http://www.felipe-alfaro.org/blog/disclaimer/



Re: OpenBSD and XenSource

2008-12-03 Thread Felipe Alfaro Solana
On Wed, Dec 3, 2008 at 4:45 AM, Dongsheng Song [EMAIL PROTECTED] wrote:
 Yes, I am running OpenBSD amd64 in a Debian 5.0 (lenny) KVM box for the OpenBSD
 Translation Status[1], for at least one month now, and it's fine!

For me, OpenBSD 4.4 on KVM/HVM in 32-bit mode is painful: I keep
getting a watchdog message from the OpenBSD kernel related to the NIC
that causes any ongoing TCP transfer to halt for a few seconds.

Have you seen this?


 [1] http://repo.e2echina.com/status/

 ---
 Dongsheng Song

 2008/12/3 Vinicius Vianna [EMAIL PROTECTED]:
 tico escreveu:

 Stephan A. Rickauer wrote:

 Those of you interested in running OpenBSD as a Xen guest in
 XenEnterprise might want to use this opportunity to raise their voice:

 http://forums.citrix.com/thread.jspa?threadID=151525


 Stephan, thanks for the notice -- I just posted my $0.02 on that board as
 well. If you manage to make any progress in your efforts (or any one else's)
 to run OpenBSD under Xen with any amount of usefulness, I'd be interested to
 hear about it. Feel free to contact me off-list.

 Cheers!
 -Tico

 Don't know if it fits your project, but have you tried KVM? I read that at least
 Ubuntu is moving to it because of some issues with licenses and code with Xen;
 I don't know in depth what they were.
 I have some OpenBSDs installed in KVM with no issues, using the e1000
 emulated NIC (em0 in OpenBSD) for some network test setups.

 HTH,
 DS





-- 
http://www.felipe-alfaro.org/blog/disclaimer/



OpenBSD 4.4 panics when using AICCU

2008-11-13 Thread Felipe Alfaro Solana
Hi misc,

Are any of you using AICCU on OpenBSD 4.4 patched to 005? Have you
experienced panics? Since I upgraded to OpenBSD 4.4, whenever I take
AICCU down, then up, after a while the system panics. I can reproduce
this reliably, although the timing is not always the same: sometimes
the system panics in a few seconds, sometimes it takes longer.

Have you experienced this?

Thanks in advance.

PS: I have crash dumps for each panic.

-- 
http://www.felipe-alfaro.org/blog/disclaimer/



Re: OpenBSD 4.4 panics when using AICCU

2008-11-13 Thread Felipe Alfaro Solana
On Fri, Nov 14, 2008 at 12:00 AM, Felipe Alfaro Solana
[EMAIL PROTECTED] wrote:
 Hi misc,

 Are any of you using AICCU on OpenBSD 4.4 patched to 005? Have you
 experienced panics? Since I upgraded to OpenBSD 4.4, whenever I take
 AICCU down, then up, after a while the system panics. I can reproduce
 this reliably, although the timing is not always the same: sometimes
 the system panics in a few seconds, sometimes it takes longer.

 Have you experienced this?

I've been trying to chase down what is causing the panic. Apparently,
it's related to IPSec/IPv6: when I reboot the system with no
IPSec/IPv6 tunnels enabled (no sasync, no isakmpd) the system doesn't
panic when I take aiccu down and then up.

The system panics here:

uvm_fault(0xd623f758, 0x0, 0, 1) -> e
kernel: page fault trap, code=0
Stopped at  in6_selecthlim+0x29:movzbl  0x1c(%eax),%eax


 Thanks in advance.

 PS: I have crash dumps for each panic.

 --
 http://www.felipe-alfaro.org/blog/disclaimer/




-- 
http://www.felipe-alfaro.org/blog/disclaimer/



Re: OpenBSD 4.4 panics when using AICCU

2008-11-13 Thread Felipe Alfaro Solana
On Fri, Nov 14, 2008 at 12:58 AM, Felipe Alfaro Solana
[EMAIL PROTECTED] wrote:
 On Fri, Nov 14, 2008 at 12:00 AM, Felipe Alfaro Solana
 [EMAIL PROTECTED] wrote:
 Hi misc,

 Are any of you using AICCU on OpenBSD 4.4 patched to 005? Have you
 experienced panics? Since I upgraded to OpenBSD 4.4, whenever I take
 AICCU down, then up, after a while the system panics. I can reproduce
 this reliably, although the timing is not always the same: sometimes
 the system panics in a few seconds, sometimes it takes longer.

 Have you experienced this?

 I've been trying to chase down what is causing the panic. Apparently,
 it's related to IPSec/IPv6: when I reboot the system with no
 IPSec/IPv6 tunnels enabled (no sasync, no isakmpd) the system doesn't
 panic when I take aiccu down and then up.

 The system panics here:

 uvm_fault(0xd623f758, 0x0, 0, 1) -> e
 kernel: page fault trap, code=0
 Stopped at  in6_selecthlim+0x29:movzbl  0x1c(%eax),%eax

It looks to me like the IPSec/IPv6 code is holding a reference to an
in6pcb structure (that represents or is associated with the aiccu tun0
interface) that gets destroyed when I take aiccu down. When I start
aiccu again, in6_selecthlim ends up being called with an old
reference to the tun0 interface that does not exist anymore (it was freed)
and that causes the trap.


 Thanks in advance.

 PS: I have crash dumps for each panic.

 --
 http://www.felipe-alfaro.org/blog/disclaimer/




 --
 http://www.felipe-alfaro.org/blog/disclaimer/




-- 
http://www.felipe-alfaro.org/blog/disclaimer/



Re: OpenBSD 4.4 panics when using AICCU

2008-11-13 Thread Felipe Alfaro Solana
On Fri, Nov 14, 2008 at 12:58 AM, Felipe Alfaro Solana
[EMAIL PROTECTED] wrote:
 On Fri, Nov 14, 2008 at 12:00 AM, Felipe Alfaro Solana
 [EMAIL PROTECTED] wrote:
 Hi misc,

 Are any of you using AICCU on OpenBSD 4.4 patched to 005? Have you
 experienced panics? Since I upgraded to OpenBSD 4.4, whenever I take
 AICCU down, then up, after a while the system panics. I can reproduce
 this reliably, although the timing is not always the same: sometimes
 the system panics in a few seconds, sometimes it takes longer.

 Have you experienced this?

 I've been trying to chase down what is causing the panic. Apparently,
 it's related to IPSec/IPv6: when I reboot the system with no
 IPSec/IPv6 tunnels enabled (no sasync, no isakmpd) the system doesn't
 panic when I take aiccu down and then up.

 The system panics here:

 uvm_fault(0xd623f758, 0x0, 0, 1) -> e
 kernel: page fault trap, code=0
 Stopped at  in6_selecthlim+0x29:movzbl  0x1c(%eax),%eax

Another datapoint:

When bringing aiccu down, the kernel logs the following message:

in6_purgeaddr: failed to remove a route to the p2p destination:
2001::::2 on tun0, errno=3.

This looks very suspicious to me, and wrong, by the way, since the tun0
interface is using 2001::::2 as the local IPv6 address, while
2001::::1 is the remote end point. Hence, there is no route in
the routing table that is bound to tun0 and has 2001::::2 as
the destination (there is one, but it is bound to lo0). It leads me to
think that some data structures are not properly freed/reference-counted,
which eventually leads to the panic.

Any ideas?



 Thanks in advance.

 PS: I have crash dumps for each panic.

 --
 http://www.felipe-alfaro.org/blog/disclaimer/




 --
 http://www.felipe-alfaro.org/blog/disclaimer/




-- 
http://www.felipe-alfaro.org/blog/disclaimer/



quagga ospf6d crashes on interface change

2008-11-11 Thread Felipe Alfaro Solana
Hi misc,

Do you have experience running quagga's ospf6d on OpenBSD? I've been
using it for a while in combination with AICCU (an AYIYA tunnel to tunnel
IPv6 over IPv4 using a tun0 interface) but ospf6d crashes whenever the
tun0 tunnel interface goes up and down. Have you seen this before?

Thanks.

-- 
http://www.felipe-alfaro.org/blog/disclaimer/



Re: Can't SSH into CARP'd system from the outside

2008-11-11 Thread Felipe Alfaro Solana
On Wed, Nov 12, 2008 at 12:53 AM, Vivek Ayer [EMAIL PROTECTED] wrote:
 Here's my current configuration for my entire network. Two routers
 working as one using IP balancing and two web servers on the inside
 working as one using IP balancing. I'm still having issues
 reaching the web servers from the outside. I just feel like it's
 gotten too complicated CARPing the systems. The server could be
 reached from the outside previously when I only had one router and
 server. The router uses carpnodes 1, 2, 3 and 4 while the web server
 uses 5 and 6, if that makes any difference at all.

Can you reach the system at the non-CARP address? It seems to me that
what might be happening is that you are sending SSH traffic to the
CARP interface but since you are NAT-ting, the reply packets have the
source address of the Ethernet interface (ext_if) and not the CARP
interface. This will confuse your SSH client.


 Here's my router pf.conf:
 #   $OpenBSD: pf.conf,v 1.35 2008/02/29 17:04:55 reyk Exp $
 #
 # See pf.conf(5) and /usr/share/pf for syntax and examples.
 # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
 # in /etc/sysctl.conf if packets are to be forwarded between interfaces.

 # macros
 ext_if = re0 # External Interface (169.229.158.0/24)
 int_if = xl0 # Internal Interface (192.168.1.0/24)
 localnet = $int_if:network
 webserver = 192.168.1.50 # Redundant Sun Servers
 nameserver = 192.168.1.101 # Dell L400 Celeron
 webports = { http , https }
 domainport = { domain }
 tcp_services = { ssh }
 icmp_types = echoreq
 carpdevs = { carp0 , carp1 }
 syncdev = { re1 }
 ssh_allowed = 192.168.1.100
 carp_mcast = 224.0.0.18

 # extra tweaks
 set skip on lo
 set block-policy return
 set loginterface $ext_if
 scrub in all

 # nat/rdr
 nat on $ext_if from $localnet to any -> ($ext_if)
 nat on $int_if proto tcp from $localnet to $webserver port $webports -> $int_if
 no nat on $int_if proto tcp from $int_if to $localnet
 rdr on $ext_if proto tcp from any to any port $webports -> $webserver
 rdr on $int_if proto tcp from $localnet to $ext_if port $webports -> $webserver
 rdr on $ext_if proto tcp from any to any port $domainport -> $nameserver
 rdr on $int_if proto tcp from $localnet to $ext_if port $domainport -> $nameserver
 rdr on $ext_if proto udp from any to any port $domainport -> $nameserver
 rdr on $int_if proto udp from $localnet to $ext_if port $domainport -> $nameserver

 # pass rules
 # block in # Default Deny
 pass out keep state
 pass in inet proto icmp all icmp-type $icmp_types keep state # Let Ping In
 pass in quick on $int_if
 pass in on $ext_if inet proto tcp from any to ($ext_if) \
   port $tcp_services flags S/SA keep state # Allow SSH Access from Outside
 pass in on $ext_if inet proto tcp from any to $webserver port $webports \
   flags S/SA synproxy state
 pass in on $ext_if inet proto udp from any to $nameserver port $domainport
 pass in on $ext_if inet proto tcp from any to $nameserver port $domainport \
   flags S/SA synproxy state

 # CARP/pfsync pass rules
 pass on $carpdevs proto carp keep state
 pass quick on $ext_if proto carp \
   from $ext_if:network to $carp_mcast keep state
 pass on $syncdev proto pfsync
 pass in on $carpdevs inet proto tcp from any to ($ext_if) \
   port $tcp_services flags S/SA keep state # Allow SSH Access from Outside
 pass in on $carpdevs inet proto tcp from any to $webserver port $webports \
   flags S/SA synproxy state
 pass in on $carpdevs inet proto udp from any to $nameserver port $domainport
 pass in on $carpdevs inet proto tcp from any to $nameserver port $domainport \
   flags S/SA synproxy state

 pass in on $int_if from $ssh_allowed to self keep state (no-sync)
 antispoof quick for { lo $int_if }


 And here'e my web server pf.conf:

 #   $OpenBSD: pf.conf,v 1.35 2008/02/29 17:04:55 reyk Exp $
 #
 # See pf.conf(5) and /usr/share/pf for syntax and examples.
 # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
 # in /etc/sysctl.conf if packets are to be forwarded between interfaces.

 # macros
 ext_if=gem0 # External Interface (192.168.1.0/24)
 tcp_services = { ssh, www, https }
 udp_services = { 123 }
 icmp_types = echoreq
 carpdev = { carp0 }
 syncdev = { re0 }
 carp_mcast = 224.0.0.18

 # extra tweaks
 set skip on lo
 set skip on gem0
 set block-policy return
 set loginterface $ext_if
 scrub in all

 # pass rules
 # block in
 # pass out proto tcp to any port $tcp_services
 # pass proto udp to any port $udp_services
 # pass in inet proto icmp all icmp-type $icmp_types keep state

 # CARP/pfsync pass rules
 pass on $carpdev proto carp keep state
 pass quick on $ext_if proto carp \
   from $ext_if:network to $carp_mcast keep state
 pass on $syncdev proto pfsync

 antispoof quick for { lo }

 Help appreciated!
 Vivek

 On Mon, Oct 20, 2008 at 1:51 PM, Stuart Henderson [EMAIL PROTECTED] wrote:
 On 2008/10/20 14:19, Vivek Ayer wrote:
 I'll give that a shot. But in the meanwhile, it appears ntpd doesn't
 

Re: quagga-0.99.11

2008-11-10 Thread Felipe Alfaro Solana
On Mon, Nov 10, 2008 at 11:09 AM, Gregory Edigarov
[EMAIL PROTECTED] wrote:
 Felipe Alfaro Solana wrote:

 Are there any plans on bumping net/quagga to 0.99.11? I tried to
 compile it myself, from the vanilla sources while applying the
 following two patches:


 Are you sure you still want to run that piece of shit (quagga)?
 There is a much, much better realization of routing protocols readily available
 to you in the base system.

Well, you can quagga what you want but the base system does not (yet)
have support for OSPFv3 (IPv6). What do you propose? :)

-- 
http://www.felipe-alfaro.org/blog/disclaimer/



Re: quagga-0.99.11

2008-11-10 Thread Felipe Alfaro Solana
On Mon, Nov 10, 2008 at 1:21 PM, Stuart Henderson [EMAIL PROTECTED] wrote:
 ** Please honour reply-to: ports@ **

 On 2008-11-10, Gregory Edigarov [EMAIL PROTECTED] wrote:
 Felipe Alfaro Solana wrote:
 Are there any plans on bumping net/quagga to 0.99.11? I tried to
 compile it myself, from the vanilla sources while applying the
 following two patches:

 Are you sure you still want to run that piece of shit (quagga)?
 There is a much, much better realization of routing protocols readily
 available to you in the base system.


 quagga does some things you can't do with base OS, and it's
 useful to have a second implementation in ports to test against.

 the quagga we have now definitely needs an update, a lot changed
 since 0.99.6.

 felipe, please send *dmesg output* (why do we have to ask for
 this every time!) and details of your config and what you're
 running. ifconfig -A might help too. which daemon is it that
 has the fault? check the logs (use verbose logging), do you
 get any log output before it dies first?

BTW, if anybody is interested, I have a patch to bring quagga up to
0.99.11. Not very well tested so far (only lightly).

-- 
http://www.felipe-alfaro.org/blog/disclaimer/



Re: quagga-0.99.11

2008-11-10 Thread Felipe Alfaro Solana
On Mon, Nov 10, 2008 at 1:21 PM, Stuart Henderson [EMAIL PROTECTED] wrote:
 ** Please honour reply-to: ports@ **

 On 2008-11-10, Gregory Edigarov [EMAIL PROTECTED] wrote:
 Felipe Alfaro Solana wrote:
 Are there any plans on bumping net/quagga to 0.99.11? I tried to
 compile it myself, from the vanilla sources while applying the
 following two patches:

 Are you sure you still want to run that piece of shit (quagga)?
 There is a much, much better realization of routing protocols readily
 available to you in the base system.


 quagga does some things you can't do with base OS, and it's
 useful to have a second implementation in ports to test against.

 the quagga we have now definitely needs an update, a lot changed
 since 0.99.6.

 felipe, please send *dmesg output* (why do we have to ask for
 this every time!) and details of your config and what you're
 running. ifconfig -A might help too. which daemon is it that
 has the fault? check the logs (use verbose logging), do you
 get any log output before it dies first?

I fixed it already. I had the two listed patches, but for some reason
the ports package failed to get rebuilt, so I was installing 0.99.11
without the two patches.

-- 
http://www.felipe-alfaro.org/blog/disclaimer/



Re: quagga-0.99.11

2008-11-10 Thread Felipe Alfaro Solana
On Mon, Nov 10, 2008 at 2:30 PM, Stuart Henderson [EMAIL PROTECTED] wrote:
 On 2008/11/10 14:13, Felipe Alfaro Solana wrote:
 I fixed it already. I had the two listed patches, but for some reason
 the ports package failed to get rebuilt, so I was installing 0.99.11
 without the two patches.

 ah, ok - thanks..

 here is a diff to update the port, but it doesn't fix FLAVOR=snmp
 (which is currently broken).

Can you resend as an attachment? I think there are some tabs in the
patch that are expanded into blanks. Hence, if I try to apply this
patch it fails. For example, it fails for Makefile.

Thanks!


 Index: Makefile
 ===
 RCS file: /cvs/ports/net/quagga/Makefile,v
 retrieving revision 1.11
 diff -u -p -r1.11 Makefile
 --- Makefile23 May 2008 12:55:58 -  1.11
 +++ Makefile10 Nov 2008 13:29:10 -
 @@ -2,8 +2,7 @@

  COMMENT=   multi-threaded routing daemon

 -DISTNAME=  quagga-0.99.9
 -PKGNAME=   ${DISTNAME}p0
 +DISTNAME=  quagga-0.99.11
  SHARED_LIBS=ospf   0.0 \
 zebra  0.0
  CATEGORIES=net
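Review bot: SHARED_LIBS for ospf and zebra stay at 0.0 while DISTNAME jumps from quagga-0.99.9 to quagga-0.99.11; if the exported symbols of libospf or libzebra changed between those two releases, the minor (or major) library version needs a bump, so that should be checked before this is committed. Dropping `-PKGNAME=   ${DISTNAME}p0` is correct here, since the version bump resets the package revision.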
 Index: distinfo
 ===
 RCS file: /cvs/ports/net/quagga/distinfo,v
 retrieving revision 1.5
 diff -u -p -r1.5 distinfo
 --- distinfo12 Sep 2007 20:31:17 -  1.5
 +++ distinfo10 Nov 2008 13:29:10 -
 @@ -1,5 +1,5 @@
 -MD5 (quagga-0.99.9.tar.gz) = Tb2vkb9mCYA4Gdl9X8zEyQ==
 -RMD160 (quagga-0.99.9.tar.gz) = x61o0Mco0TwZF+xyeqET4+xgco8=
 -SHA1 (quagga-0.99.9.tar.gz) = uyj/3lhaPHV9iD/XXcwdXzoa/nA=
 -SHA256 (quagga-0.99.9.tar.gz) = kqv0TFI5yKGHYs8nyv0DtG1YHxgLxBFwYxS4uNHpTbA=
 -SIZE (quagga-0.99.9.tar.gz) = 2341067
 +MD5 (quagga-0.99.11.tar.gz) = kD5Ax0RzCtTWK+6HLuuBOw==
 +RMD160 (quagga-0.99.11.tar.gz) = ZUEHN4lVwkxQcwxMnnVEoWO8M7g=
 +SHA1 (quagga-0.99.11.tar.gz) = ZUKqtrVYy4isCAbM4Qszvg8Ayic=
 +SHA256 (quagga-0.99.11.tar.gz) = qDo1fW3iPXBiNgypMTcdLWXA4aK6EcV8ejXG42tHpkY=
 +SIZE (quagga-0.99.11.tar.gz) = 2192249
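Review bot: all five checksum lines and SIZE are replaced at once and nothing in the diff shows where the new values come from; confirm they were generated by `make makesum` on a tarball fetched from the port's MASTER_SITES, and compared against the checksum upstream publishes where one exists, rather than computed from a local copy, since a distinfo that matches a tampered archive would make the port accept it silently.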
 Index: patches/patch-bgpd_bgp_snmp_c
 ===
 RCS file: patches/patch-bgpd_bgp_snmp_c
 diff -N patches/patch-bgpd_bgp_snmp_c
 --- patches/patch-bgpd_bgp_snmp_c   12 Sep 2007 20:31:18 -  1.3
 +++ /dev/null   1 Jan 1970 00:00:00 -
 @@ -1,17 +0,0 @@
 -$OpenBSD: patch-bgpd_bgp_snmp_c,v 1.3 2007/09/12 20:31:18 rui Exp $
  bgpd/bgp_snmp.c.orig   Fri May  4 19:50:58 2007
 -+++ bgpd/bgp_snmp.cTue Sep 11 16:52:20 2007
 -@@ -21,12 +21,8 @@ Software Foundation, Inc., 59 Temple Place - Suite 330
 - #include zebra.h
 -
 - #ifdef HAVE_SNMP
 --#ifdef HAVE_NETSNMP
 - #include net-snmp/net-snmp-config.h
 --#endif
 --#include asn1.h
 --#include snmp.h
 --#include snmp_impl.h
 -+#include net-snmp/net-snmp-includes.h
 -
 - #include if.h
 - #include log.h
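Review bot: removing patches/patch-bgpd_bgp_snmp_c drops the only change that replaced the old `asn1.h`, `snmp.h` and `snmp_impl.h` includes with `net-snmp/net-snmp-includes.h`, and the message above already says FLAVOR=snmp is currently broken; unless upstream bgpd/bgp_snmp.c in 0.99.11 now includes net-snmp-includes.h itself, this patch should be regenerated against the new source instead of deleted, or the snmp flavor should be marked broken in the Makefile until it is fixed.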
 Index: patches/patch-configure
 ===
 RCS file: /cvs/ports/net/quagga/patches/patch-configure,v
 retrieving revision 1.4
 diff -u -p -r1.4 patch-configure
 --- patches/patch-configure 12 Sep 2007 20:31:18 -  1.4
 +++ patches/patch-configure 10 Nov 2008 13:29:10 -
 @@ -1,7 +1,7 @@
  $OpenBSD: patch-configure,v 1.4 2007/09/12 20:31:18 rui Exp $
  configure.orig Fri Sep  7 17:54:55 2007
 -+++ configure  Tue Sep 11 16:52:20 2007
 -@@ -21131,6 +21131,15 @@ cat confdefs.h conftest.$ac_ext
 +--- configure.orig Thu Oct  2 09:31:36 2008
  configure  Mon Nov 10 09:14:15 2008
 +@@ -21359,6 +21359,15 @@ cat confdefs.h conftest.$ac_ext
  cat conftest.$ac_ext _ACEOF
  /* end confdefs.h.  */
  $ac_includes_default
 @@ -17,7 +17,7 @@ $OpenBSD: patch-configure,v 1.4 2007/09/
  #include $ac_header
  _ACEOF
  rm -f conftest.$ac_objext
 -@@ -24842,6 +24851,18 @@ cat confdefs.h conftest.$ac_ext
 +@@ -25070,6 +25079,18 @@ cat confdefs.h conftest.$ac_ext
  cat conftest.$ac_ext _ACEOF
  /* end confdefs.h.  */
  $ac_includes_default
 @@ -36,7 +36,7 @@ $OpenBSD: patch-configure,v 1.4 2007/09/
  #include $ac_header
  _ACEOF
  rm -f conftest.$ac_objext
 -@@ -35776,10 +35797,3 @@ log file mask   : ${enable_logfile_mask}
 +@@ -37195,10 +37216,3 @@ log file mask   : ${enable_logfile_mask}

  The above user and group must have read/write access to the state file
  directory and to the config files in the config file directory.
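Review bot: this hunk changes only the `@@` offsets and the .orig/target timestamps of patch-configure, which suggests it was edited by hand; port patches should be regenerated with `make update-patches` against the extracted 0.99.11 source so the context lines are confirmed to still match, otherwise patch(1) may apply the hunks with fuzz or at the wrong place.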
 Index: patches/patch-doc_Makefile_in
 ===
 RCS file: /cvs/ports/net/quagga/patches/patch-doc_Makefile_in,v
 retrieving revision 1.3
 diff -u -p -r1.3 patch-doc_Makefile_in
 --- patches/patch-doc_Makefile_in   12 Sep 2007 20:31:18 -  1.3
 +++ patches/patch-doc_Makefile_in   10 Nov 2008 13:29:10 -
 @@ -1,6 +1,6 @@
  $OpenBSD: patch-doc_Makefile_in,v 1.3 2007/09/12 20:31:18 rui Exp $
  doc/Makefile.in.orig   Tue Sep 11 16:59:47 2007
 -+++ doc/Makefile.inTue Sep 11 17:02:43 2007
 +--- doc

quagga-0.99.11

2008-11-09 Thread Felipe Alfaro Solana
Hi misc,

Are there any plans on bumping net/quagga to 0.99.11? I tried to
compile it myself, from the vanilla sources while applying the
following two patches:

patch-configure
patch-zebra_kernel_socket_c

But the resulting zebra daemon always fails with an Abort trap
message. I've seen people reporting this for quagga-0.99.9 and they
claimed that the patch-zebra_kernel_socket_c patch fixes the problem
but apparently it does not work for quagga-0.99.11. Any ideas?

Thanks in advance.

-- 
http://www.felipe-alfaro.org/blog/disclaimer/



Re: 4-port firewall device

2008-11-07 Thread Felipe Alfaro Solana
On Fri, Nov 7, 2008 at 10:22 PM, marrandy [EMAIL PROTECTED] wrote:
 Hello.

 Been a bit out of IT the last year or so.

 My last firewall projects used LE-564 embedded.

 http://www.commell.com.tw/product/sbc/le-564.htm

 What are people using now ?

I'm using PC Engines GmbH PC ALIX boxes running, of course, OpenBSD
4.4. They use AMD Geode processors, with 256MB of RAM, 3 Ethernet
NICs, 1 Wireless NIC, 2 USB ports and 4GB of CF storage. Pretty neat
boxes, very small and extremely silent (no moving parts).


 Regards...Martin





-- 
http://www.felipe-alfaro.org/blog/disclaimer/



Re: VPN Ipsec

2008-11-06 Thread Felipe Alfaro Solana
On Thu, Nov 6, 2008 at 9:39 AM, Louis Opter [EMAIL PROTECTED] wrote:
 Hello,

 I am trying to set up an IPsec VPN between two networks. But I can't
 figure out why it doesn't work.

 I get some errors like these (here on the malenfant gate, see the network map
 below):
  Plcy 30 keynote_cert_obtain: failed to open
 /etc/isakmpd/keynote//192.168.1.159/credentials
  Default rsa_sig_decode_hash: no public key found
  Default dropped message from $dugny_addr port 4500 due to notification
 type INVALID_ID_INFORMATION

These messages typically mean that the identifiers used by the peers
do not match. Try adding srcid foo and dstid bar on your ike esp
tunnel lines:

- on nemoto :
st_cyr_net=192.168.2.0/24
dugny_net=192.168.3.0/24
st_cyr_addr=xx.xx.xx.xx
ike esp tunnel from $dugny_net to $st_cyr_net peer $st_cyr_addr srcid
nemoto dstid malenfant

- on malenfant :
st_cyr_net=192.168.2.0/24
dugny_net=192.168.3.0/24
dugny_addr=yy.yy.yy.yy
ike esp tunnel from $st_cyr_net to $dugny_net peer $dugny_addr srcid
malenfant dstid nemoto

Also, if your machine is multi-homed, you will probably want to
specify local to remove any ambiguity with respect to the source IP
address that will be used in the outer (encapsulating) IP datagram.

 I don't understand why I have messages about keynote, because isakmpd is
 launched with the -K flag (and why 192.168.1.159 instead of
 $dugny_addr ?).

 And, I don't understand why it doesn't find the public key. I have
 correctly copied for each gate /etc/isakmpd/local.pub to the other gate
 at /etc/isakmpd/pubkeys/ipv4/gate_ip


 Here is my network map :

   { st_cyr_net : 192.168.2.0/24 }
|
   xl1 : 192.168.2.1
   [gate malenfant] Openbsd 4.4-current (as of 10/18) on the
 livebox's DMZ
   xl0 : 192.168.1.183
|
   192.168.1.1
   [adsl router/modem livebox]
   $st_cyr_addr


 @@@
   @@@ Internet
 @@@


   $dugny_addr
   [adsl router/modem livebox]
   192.168.1.1
|
   xl0 : 192.168.1.159
 [gate nemoto] Openbsd 4.4-release on the livebox's DMZ
   xl1 : 192.168.3.1
|
   { dugny_net : 192.168.3.0/24 }

 By DMZ I mean that all TCP and UDP ports are redirected to the gate.

 I don't see why the liveboxes could be the problem; they redirect all the
 traffic. How can NAT on the liveboxes cause trouble?

 Is it because the two gates run different versions of OpenBSD?
 I don't think so; however, malenfant will be upgraded to 4.4-release
 tomorrow evening.

 My ipsec.confs :
  - on nemoto :
  st_cyr_net=192.168.2.0/24
  dugny_net=192.168.3.0/24
  st_cyr_addr=xx.xx.xx.xx
  ike esp tunnel from $dugny_net to $st_cyr_net peer $st_cyr_addr
  - on malenfant :
  st_cyr_net=192.168.2.0/24
  dugny_net=192.168.3.0/24
  dugny_addr=yy.yy.yy.yy
  ike esp tunnel from $st_cyr_net to $dugny_net peer $dugny_addr

 pf is correctly (I hope) configured on both gates with (here is a
 snippet from malenfant's pf.conf) :
  set skip on { lo enc0 }
  block in
  pass out
  pass in on $ext_if proto { tcp udp } \
  from $dugny_addr to ($ext_if) port ipsec-nat-t
  pass in on $ext_if proto udp to ($ext_if) port isakmp

 My two enc0 interfaces are up.

 If you find my mistake(s), have ideas, or need more information please
 tell me. Full configuration files and isakmpd log are available at :
 http://www.kalessin.fr/stuff/openbsd_ipsec.tar.gz

 Best Regards, Louis Opter.





-- 
http://www.felipe-alfaro.org/blog/disclaimer/
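An added consistency check for the srcid/dstid advice above (example code written for this archive, not part of the thread or of OpenBSD): it parses two ipsec.conf fragments modelled on nemoto and malenfant, expands the macros, pairs each ike rule with its mirror on the peer, and reports when the identities do not cross-match or are missing (a typo such as the original `dsitd` counts as missing). The public addresses are placeholders.

```python
import re

# Constructed ipsec.conf fragments modelled on the two gateways in the thread;
# the public addresses xx.xx.xx.xx / yy.yy.yy.yy are replaced by documentation
# placeholders and the srcid/dstid values are the ones suggested above.
NEMOTO_CONF = """\
st_cyr_net=192.168.2.0/24
dugny_net=192.168.3.0/24
st_cyr_addr=203.0.113.10
ike esp tunnel from $dugny_net to $st_cyr_net peer $st_cyr_addr srcid nemoto dstid malenfant
"""
MALENFANT_CONF = """\
st_cyr_net=192.168.2.0/24
dugny_net=192.168.3.0/24
dugny_addr=198.51.100.20
ike esp tunnel from $st_cyr_net to $dugny_net peer $dugny_addr srcid malenfant dstid nemoto
"""

# Only the subset of the ike rule grammar used in the thread is recognised.
IKE_RE = re.compile(r"^ike\s+esp\s+tunnel\s+from\s+(\S+)\s+to\s+(\S+)\s+peer\s+(\S+)(?:\s+srcid\s+(\S+))?(?:\s+dstid\s+(\S+))?")

def parse_ipsec_conf(text):
    """Expand $macro definitions and return the parsed ike rules as dicts."""
    macros, rules = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^(\w+)=(\S+)$", line)
        if m:  # macro definition such as dugny_net=192.168.3.0/24
            macros[m.group(1)] = m.group(2)
            continue
        line = re.sub(r"\$(\w+)", lambda mm: macros[mm.group(1)], line)
        m = IKE_RE.match(line)
        if m:
            src, dst, peer, srcid, dstid = m.groups()
            rules.append(dict(src=src, dst=dst, peer=peer, srcid=srcid, dstid=dstid))
    return rules

def check_pair(local, remote):
    """List the ways the two gateways' ike rules disagree on identities."""
    problems = []
    for a in local:
        # the peer's mirror rule is the one with the two networks swapped
        b = next((r for r in remote if r["src"] == a["dst"] and r["dst"] == a["src"]), None)
        if b is None:
            problems.append(f"no mirror rule on peer for {a['src']} -> {a['dst']}")
        elif not (a["srcid"] and a["dstid"] and b["srcid"] and b["dstid"]):
            problems.append("srcid/dstid missing on one side (a typo such as 'dsitd' counts)")
        elif a["srcid"] != b["dstid"] or a["dstid"] != b["srcid"]:
            problems.append(f"id mismatch: {a['srcid']}/{a['dstid']} vs {b['srcid']}/{b['dstid']}")
    return problems
```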



Source address algorithm

2008-11-04 Thread Felipe Alfaro Solana
Hi misc,

How does the OpenBSD source address selection algorithm work? Is
there a way to override the source address? I have two interfaces on
my box: tun0 and vr0. tun0 uses A::2/64 as its IPv6 address. vr0 uses
B::2/48 as its IPv6 address. The default route ::/0 is on the tun0
interface. Hence, when sending IPv6 packets, the source address is the
one from tun0 (A::2/64). Is there a way to override the source address
for _all_ traffic (i.e. not having to bind services to a specific IP)
to be B::2/48 instead?

Thanks!




fatal in rtadvd: getpwnam

2008-11-02 Thread Felipe Alfaro Solana
Hi there,

After upgrading to OpenBSD 4.4, rtadvd now fails to come up:

# rtadvd -d -s carp0
RA timer on carp0 is set to 16:0
fatal in rtadvd: getpwnam

# cat /etc/rtadvd.conf
carp0:\
   :addr=2001:::::prefixlen#64:nolladdr:

Any ideas?
Thanks!




Re: OpenBSD 4.4 released, Nov 1. Enjoy!

2008-11-01 Thread Felipe Alfaro Solana
On Sat, Nov 1, 2008 at 11:31 AM, Lars Noodén [EMAIL PROTECTED] wrote:
 A very heartfelt thank you, to you and the rest of the developers.
 Congratulations, again.

Yes! I love OpenBSD and I'm sure OpenBSD 4.4 will be an awesome release.



Interactions between PF and enc0

2008-10-31 Thread Felipe Alfaro Solana
Hi misc,

I'm experiencing interaction problems between PF and the enc0
interface. I've been reading several OpenBSD manual pages about how
IPSec traffic filtering is supposed to work, but so far I'm unable to
get IPSec filtering working for me.

I have created an IPSec/IPv6-based VPN between two sites, one in
Madrid and another in Zürich. Each side of the tunnel connects to the
IPv6 internet using AICCU via a SixXS POP. This means that each VPN
end-point has a tun0 interface where all IPv6 traffic is received and
sent (I'm using dynamic AYIYA tunnels). The funny thing is that the
enc0 interface on both end points sees the IPv6 traffic before and
after IPSec encryption and encapsulation but PF seems to disagree and
any filtering done on enc0 is completely ignored.

To test my assumption, I created this very simple PF configuration
file, with just two rules:

pass in on enc0 no state
pass out on enc0 no state

The first thing I did not understand is that I have to use two
different rules for in/out. Otherwise, pftop will display I in the
direction column for this state, which leads me to think PF is only
allowing inbound traffic. But I might be wrong.

Next, from the C host, I run:

# ping6 -c1 D::1

in order to send some traffic across the VPN. At the same time, I run
tcpdump on enc0 and this what I see:

# tcpdump -n -i enc0 -s 1800 -v
14:15:19.769555 (authentic,confidential): SPI 0x27151066: A::2 > B::2:
C::1 > D::1: icmp6: echo request (len 16, hlim 63) (len 56, hlim 64)
# Tunneled ICMPv6 Echo request from C::1 to D::1 (from A::2 to B::2).

14:15:19.769682 (authentic,confidential): SPI 0xef18f14a: esp A::2 >
B::2 spi 0x27151066 seq 30 len 100 (len 100, hlim 64)
# ESP-encapsulated ICMPv6 Echo Request from C::1 to D::1.

14:15:19.913539 (authentic,confidential): SPI 0xcefeac0c:
truncated-ip6 - 48 bytes missing!esp B::2 > A::2 spi 0xF2FC992F seq 30
len 148 (len 148, hlim 63)
# ESP-encapsulated ICMPv6 Echo Reply from D::1 to C::1.

14:15:19.913620 (authentic,confidential): SPI 0xf2fc992f:
truncated-ip6 - 92 bytes missing!B::2 > A: D::1 > C::1: icmp6: echo
reply (len 16, hlim 63) (len 148, hlim 63)
# Tunneled ICMPv6 Echo Reply from D::1 to C::1 (from B::2 to A::2).

The second thing that strikes me is the XX bytes missing that
tcpdump is reporting. Is this normal? Take into account that the
snaplen that I used when running tcpdump is larger than the MTU of
enc0. Everything else looks fine to me.

The third thing that confuses me completely is that pftop does not
display any hits on both PF rules. So does pfctl:

# pfctl -s rules -v
pass in on enc0 all no state
 [ Evaluations: 141   Packets: 0 Bytes: 0   States: 0 ]
 [ Inserted: uid 0 pid 26751 ]
pass out on enc0 all no state
 [ Evaluations: 0 Packets: 0 Bytes: 0   States: 0 ]
 [ Inserted: uid 0 pid 26751 ]

Do you have any idea what's going on?
Thanks in advance.




OSPF6?

2008-10-30 Thread Felipe Alfaro Solana
Hi misc,

Does OpenBSD's default ospfd daemon support IPv6? I'm confused as the
manual page implies that only IPv4 is supported, but /etc/passwd has a
user named ospf6d. Is the manual page incorrect? Is Zebra/Quagga
the only option?

Thanks!




Re: new home box for secure data storage

2008-10-30 Thread Felipe Alfaro Solana
On Wed, Oct 29, 2008 at 9:14 PM, Douglas A. Tutty [EMAIL PROTECTED] wrote:
 I'll be setting up a new box for the house and I want to use OpenBSD for
 it, both for its security and since it will be an older box it will run
 better than with Debian.

 Roles:

 main firewall for dialup internet access.
 fetchmail and sendmail to ISP smarthost
 other simple stuff (have another box for insecure stuff like watching
 videos, surfing the net with javascript and flash).


 We've moved and now our main security threat is physical security.  We
 don't want the data on the computer (i.e. in the /home directories) to
 be readable if someone steals the box.

 I'm thinking I could go two routes:

 1.  encrypt all of /home with an encrypted virtualfs file.  However,
 then the data is unencrypted whenever the box is powered on.

Is your data that important? :)

 2.  I wonder if there's a way to have per-user home directory
 encryption so that the user's directory is accessed/unencrypted/mounted
 (whatever the semantics) on login and recrypted/unmounted on logout.

 Have swap and /tmp encrypted too.  Also, perhaps per-user $TMP
 directories if go with plan 2, above.

 I think I want root to be able to mount/access the directories so that
 the data can be included in a backup set (which is then piped through
 openssl for encryption) on a file-by-file basis rather than just backing
 up a filesystem image and risking the whole thing if that image becomes
 corrupted.

 Ideas?  What do others do to secure /home?  I read on undeadly an idea
 of putting the /home filesystem on a removable drive and putting it into
 a safe but then you have to have the safe mounted securely.

 Doug.








Re: Modern operating systems are flawed by design, including OpenBSD.

2008-10-24 Thread Felipe Alfaro Solana
On Fri, Oct 24, 2008 at 3:32 AM, Brian [EMAIL PROTECTED] wrote:
 --- On Thu, 10/23/08, mak maxie [EMAIL PROTECTED] wrote:

 From: mak maxie [EMAIL PROTECTED]
 Subject: Modern operating systems are flawed by design, including OpenBSD.
 To: misc@openbsd.org
 Date: Thursday, October 23, 2008, 3:54 AM
 http://www.computerworld.com.au/index.php?id=264209080rid=-219

 Microsoft Windows is the only operating system that supports
 signed binaries.

 This is the same dude that still hasn't provided good answers to djbdns as to 
 what supposedly was found wrong with their dns program.

Signed binaries mean nothing. They only provide meaningful ways to
assert the source of the code but not its intentions. As long as the
intentions are not enforceable and authenticated, signed binaries are
worthless.

 Here's the related thread:

 http://marc.info/?t=1219834r=1w=2








Re: load balanced carp and local routes

2008-10-23 Thread Felipe Alfaro Solana
On Thu, Oct 23, 2008 at 6:24 AM,  [EMAIL PROTECTED] wrote:
 Greetings list.

 I have a set of four load-balanced carp servers. Here are their
 hostname.carp files:

 box1: inet 10.104.72.0 255.255.224.0 NONE carpdev em0 balancing ip-stealth
 carpnodes 1:0,2:100,3:100,4:100

 box2: inet 10.104.72.0 255.255.224.0 NONE carpdev em0 balancing ip-stealth
 carpnodes 1:100,2:0,3:100,4:100

 box3: inet 10.104.72.0 255.255.224.0 NONE carpdev em0 balancing ip-stealth
 carpnodes 1:100,2:100,3:0,4:100

 box4: inet 10.104.72.0 255.255.224.0 NONE carpdev em0 balancing ip-stealth
 carpnodes 1:100,2:100,3:100,4:0

 We notice that the first box (or whichever box holds vhid 1, advskew 0)
 has the following route:
 10.104.72.0   10.104.72.0   UH 04  - carp0

 Thus when box1 pings the carp IP, it responds to itself and none of the
 other carp hosts see the traffic.

Not sure about this. I would agree with what you say if, instead of
carp0, you had lo0 in the entry. Having carp0 means the packet will
be sent to the CARP interface for processing and hence over the
network to the multicast MAC address of the CARP interface, where all
nodes in the group will see it.


 This behavior is expected, and useful to us.

 The other three boxes however do not have this route, possessing instead
 a route for the carp IP that points to em0:
 10.104.72.0 00:00:5e:00:01:01  UHLc127000  -   em0

 When one of the other three boxes attempts to ping the carp IP all four
 boxes see the traffic and none of them responds.

 This behaviour is neither expected, nor useful to us.

 So my question is, what is carp thinking in this configuration? Am I
 wrong to expect that all four load balanced carp hosts should contain a
 local route to the carpdev for a shared carp IP? Why would
 vhid1,advskew0 be different than the other three?

I don't think CARP works the way you expect.

For each incoming packet, and when using IP balancing, all nodes in
the CARP group have to see the traffic (this is achieved by using a
multicast MAC address). Even if it's one of the nodes pinging the CARP
IP, this process will still apply (loopback processing should not be
done). The nodes will apply a hash function, modulo 4, to the (source
IP, destination IP) of the packet received on the CARP interface, and
the one that sees the result match its vhid will process the packet.
Only one node will have the result of the previous function match its
vhid when it's master.


 Thanks in advance.

 --dave josephsen






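A constructed model of the IP-balancing behaviour described in the reply above (example code written for this archive, not code from the thread or from OpenBSD): it parses the four carpnodes lines quoted in the post, derives each vhid's master from the advskew values, and maps a flow to the single node that answers it. The flow hash is a stand-in, not the kernel's own CARP hash.

```python
import hashlib
import ipaddress

# carpnodes strings from the four hostname.carp files quoted in the thread
CARPNODES = {
    "box1": "1:0,2:100,3:100,4:100",
    "box2": "1:100,2:0,3:100,4:100",
    "box3": "1:100,2:100,3:0,4:100",
    "box4": "1:100,2:100,3:100,4:0",
}

def parse_carpnodes(spec):
    """'1:0,2:100' -> {1: 0, 2: 100}, i.e. vhid -> advskew."""
    return {int(v): int(s) for v, s in (e.split(":") for e in spec.split(","))}

def masters(nodes):
    """vhid -> node holding the lowest advskew for it (the vhid's master)."""
    tables = {name: parse_carpnodes(spec) for name, spec in nodes.items()}
    vhids = sorted({v for t in tables.values() for v in t})
    # a vhid a node does not advertise counts as advskew 255; ties fall to the lowest name
    return {v: min(tables, key=lambda n: (tables[n].get(v, 255), n)) for v in vhids}

def flow_index(src, dst, count):
    """Stand-in hash of (source IP, destination IP) modulo the vhid count.
    Constructed for this model; not the kernel's own CARP hash."""
    key = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % count

def responder(nodes, src, dst):
    """Which node answers a packet sent to the balanced CARP address.
    Every node sees the frame (multicast MAC); only the master of the vhid
    selected by the hash processes it, even when src is one of the nodes."""
    m = masters(nodes)
    vhids = sorted(m)
    return m[vhids[flow_index(src, dst, len(vhids))]]

def distribution(nodes, flows):
    """Count how many of the given (src, dst) flows land on each node."""
    counts = {name: 0 for name in nodes}
    for src, dst in flows:
        counts[responder(nodes, src, dst)] += 1
    return counts
```

Dropping box1 from the node set shows the failover side of the same election: vhid 1 passes to the remaining node with the lowest advskew.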



Multiple default gateways with different metrics?

2008-10-22 Thread Felipe Alfaro Solana
Hi openbsd-misc,

Is there a way to have two entries in the routing table for the
default gateway, one with a low metric (typically 0) and another one
with a higher metric? Usually, the route with the lowest metric should
be used unless marked invalid or removed.

I'm currently using AICCU in an active/active firewall environment.
AICCU sets up a default route for the IPv6 internet. If AICCU goes
down the entry is removed so a manual route has to be injected in the
routing table pointing to the other firewall in the HA group (AICCU
can only run in one of the firewalls due to limitations). It would be
nice to have a second default route with a higher metric so that
if AICCU goes down and removes its default route, the other default
route (the one with a higher metric) is left in the routing table and
used from there on. Then, the IPv6 internet can be reached over this
higher-metric router. When AICCU is started again, a new entry will be
injected by AICCU using a very low metric, and the route with the high
metric won't be used anymore.

Is there a way to achieve this other than using ifstated or shell
scripts? OSPF won't do the job as it doesn't support IPv6.

Thanks for your time.

