carp backup and disconnecting ssh session
Hi,

I have a carp master and backup on a pair of one-armed Raspberry Pi 4B devices (router1 and router2) and when I ssh to the backup using the carp IP as my gateway, it repeatedly throws me out after a few seconds with the message:

My laptop's network config:
---
IP: 192.168.4.109
Subnet mask: 255.255.255.0
Gateway: 192.168.4.1

Both RPI4s are connected to switchports with packets tagged for VLANs 2,3,4,6 and the network devices don't have IP configuration - everything is configured on VLAN interfaces with the single parent interface bse0.

CARP failover actually works as expected, but as mentioned I am unable to maintain an ssh session with the backup "router2" while using the carp IPs as my network gateway.

Network switch is a Zyxel GS1200-8 with firmware V2.00(ABME.0)C0. Loop prevention is enabled and I have also tested with it disabled to no avail.

What happens:
---
$ ssh 10.0.1.101
Last login: Sun May 23 17:44:21 2021 from 10.0.1.100

OpenBSD 6.9 (GENERIC.MP) #1134: Sun Apr 18 01:53:35 MDT 2021

router2#
router2# client_loop: send disconnect: Broken pipe

Router 1 network config:
---
router1# cat hostname.bse0
up
router1# cat hostname.vlan2
172.16.1.6/24 172.16.1.255
parent bse0 vnetid 2
group PFSYNC
description "private segment with router2"
router1# cat hostname.vlan3
10.0.1.100/24 10.0.1.255
parent bse0 vnetid 3
group INTERNAL
description "router1 internal interface"
router1# cat hostname.vlan4
192.168.1.252/24 192.168.1.255
parent bse0 vnetid 4
group OLDSHIT
description "unmigrated shit"
router1# cat hostname.vlan6
192.168.4.2/24 192.168.4.255
parent bse0 vnetid 6
group TCWIFI
description "Time-Capsule Wifi"
router1# cat hostname.carp4
192.168.1.1/24
carpdev vlan4 pass fukdissh1t vhid 41 advskew 1
description "TC-WIFI gateway"
router1# cat hostname.carp6
192.168.4.1/24
carpdev vlan6 pass fukdissh1t vhid 61 advskew 1
description "TC-WIFI gateway"

Router2 network config:
---
router2# cat hostname.bse0
up
router2# cat hostname.vlan2
172.16.1.7/24 172.16.1.255
parent bse0 vnetid 2
group PFSYNC
description "private segment with router1"
router2# cat hostname.vlan3
10.0.1.101/24 10.0.1.255
parent bse0 vnetid 3
group INTERNAL
description "router2 internal interface"
router2# cat hostname.vlan4
192.168.1.253/24 192.168.1.255
parent bse0 vnetid 4
group OLDSHIT
description "unmigrated shit"
router2# cat hostname.vlan6
192.168.4.3/24 192.168.4.255
parent bse0 vnetid 6
group TCWIFI
description "Time-Capsule Wifi"
router2# cat hostname.carp4
192.168.1.1/24
carpdev vlan4 pass fukdissh1t vhid 41 advskew 128
description "TC-WIFI gateway"
router2# cat hostname.carp6
192.168.4.1/24
carpdev vlan6 pass fukdissh1t vhid 61 advskew 128
description "TC-WIFI gateway"

Any tips much appreciated.

-mike
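As an added example (not code from the post, and not OpenBSD's own netstart(8) logic), the Python script below reads the hostname.if(5) files of a CARP pair like the one above and reports the mismatches that most often break a master/backup pair: a carp interface whose carpdev has no hostname file, a vhid reused on one host, an address, vhid, password, carpdev or VLAN tag that differs between the two hosts, and an advskew that does not distinguish master from backup. The minimal line parser and the SAMPLE data are assumptions of this example; the sample mirrors the layout posted above with the password replaced, and the checks say nothing about the pf or routing state that would explain the dropped session.

```python
"""Consistency checks for a CARP master/backup pair described by OpenBSD
hostname.if(5) files. Added example: the parser is a minimal reader for
the layout shown in the post, not OpenBSD's own netstart(8) parser."""
import re
import shlex

# Keywords that take exactly one value in the files shown in the post.
KEYED = {"carpdev", "pass", "vhid", "advskew", "parent", "vnetid",
         "group", "description"}
ADDR_RE = re.compile(r"^\d+\.\d+\.\d+\.\d+(/\d+)?$")

# Constructed sample mirroring the posted layout (password replaced).
SAMPLE = {
    "router1": {
        "vlan4": "192.168.1.252/24 192.168.1.255\nparent bse0 vnetid 4\ngroup OLDSHIT\n",
        "vlan6": "192.168.4.2/24 192.168.4.255\nparent bse0 vnetid 6\ngroup TCWIFI\n",
        "carp4": '192.168.1.1/24\ncarpdev vlan4 pass example vhid 41 advskew 1\ndescription "TC-WIFI gateway"\n',
        "carp6": '192.168.4.1/24\ncarpdev vlan6 pass example vhid 61 advskew 1\ndescription "TC-WIFI gateway"\n',
    },
    "router2": {
        "vlan4": "192.168.1.253/24 192.168.1.255\nparent bse0 vnetid 4\ngroup OLDSHIT\n",
        "vlan6": "192.168.4.3/24 192.168.4.255\nparent bse0 vnetid 6\ngroup TCWIFI\n",
        "carp4": '192.168.1.1/24\ncarpdev vlan4 pass example vhid 41 advskew 128\ndescription "TC-WIFI gateway"\n',
        "carp6": '192.168.4.1/24\ncarpdev vlan6 pass example vhid 61 advskew 128\ndescription "TC-WIFI gateway"\n',
    },
}


def parse_hostname_if(text):
    """Flatten one hostname.if file into {keyword: value}. The first
    dotted-quad token (optionally /prefix) is stored as 'addr'; the
    broadcast address that follows it on the same line is ignored."""
    cfg = {}
    for line in text.splitlines():
        toks = shlex.split(line, comments=True)   # handles quoted descriptions
        i = 0
        while i < len(toks):
            tok = toks[i]
            if tok in KEYED and i + 1 < len(toks):
                cfg[tok] = toks[i + 1]
                i += 2
                continue
            if "addr" not in cfg and ADDR_RE.match(tok):
                cfg["addr"] = tok
            i += 1
    return cfg


def check_carp_pair(hosts):
    """hosts: {hostname: {ifname: file_text}}. Returns (findings, masters):
    human-readable problems, and per carp interface the host with the
    lowest advskew (the intended master)."""
    parsed = {h: {ifn: parse_hostname_if(t) for ifn, t in files.items()}
              for h, files in hosts.items()}
    findings, carp_ifs = [], set()

    # Per-host checks: required fields, carpdev present, vhid unique.
    for host, ifs in parsed.items():
        seen_vhid = {}
        for ifn, cfg in ifs.items():
            if not ifn.startswith("carp"):
                continue
            carp_ifs.add(ifn)
            for key in ("addr", "carpdev", "vhid", "advskew", "pass"):
                if key not in cfg:
                    findings.append(f"{host}/{ifn}: missing {key}")
            dev = cfg.get("carpdev")
            if dev and dev not in ifs:
                findings.append(f"{host}/{ifn}: carpdev {dev} has no hostname.{dev}")
            vhid = cfg.get("vhid")
            if vhid in seen_vhid:
                findings.append(f"{host}: vhid {vhid} used by {seen_vhid[vhid]} and {ifn}")
            seen_vhid[vhid] = ifn

    # Cross-host checks: both hosts must agree on everything but advskew.
    masters = {}
    for ifn in sorted(carp_ifs):
        cfgs = {h: parsed[h].get(ifn) for h in parsed}
        missing = [h for h, c in cfgs.items() if c is None]
        if missing:
            findings.append(f"{ifn}: not configured on {', '.join(missing)}")
            continue
        for key in ("addr", "vhid", "carpdev", "pass"):
            vals = {h: c.get(key) for h, c in cfgs.items()}
            if len(set(vals.values())) != 1:
                shown = "" if key == "pass" else f" ({vals})"  # never echo the password
                findings.append(f"{ifn}: {key} differs between hosts{shown}")
        vnetids = {h: parsed[h].get(c.get("carpdev"), {}).get("vnetid")
                   for h, c in cfgs.items()}
        if len(set(vnetids.values())) != 1:
            findings.append(f"{ifn}: carpdev vnetid differs between hosts ({vnetids})")
        skews = {h: int(c.get("advskew", 0)) for h, c in cfgs.items()}
        if len(set(skews.values())) != len(skews):
            findings.append(f"{ifn}: advskew equal on both hosts, intended master is ambiguous ({skews})")
        masters[ifn] = min(skews, key=skews.get)
    return findings, masters


if __name__ == "__main__":
    problems, owners = check_carp_pair(SAMPLE)
    for line in problems or ["no findings"]:
        print(line)
    print("intended masters:", owners)
```

Run it against the files as they are deployed (one dict entry per `cat hostname.*` output) and an empty findings list means the two hosts at least agree on what they are failing over; anything else is worth fixing before looking further at the switch.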
Re: Request for Funding our Electricity
On 18 Jan 2014, at 04.33, Theo de Raadt dera...@cvs.openbsd.org wrote:

Why is there this effort to convince us to do less?

I do not propagate such a train of thought; I only said that if you want corporate funding then be prepared to detail your costs and justify each and every one of them as well as satisfying said corporation’s business interest. Not trying to be condescending here at all, but that’s just Logic 101.

The sad and really embarrassing fact is that I am not in a position to make any sort of donation at this moment, but I promise you that I will do it just as soon as I can. And I hope it’s the thought that counts more than the amount. I appreciate your work, a lot - I really do.

-mike
Re: NIST-free crypto, autociphering, and libsodium (NaCl)
On 18 Jan 2014, at 01.13, Christopher Ahrens n...@leviacomm.net wrote:

In reality, I don't give a shit about any else who doesn't pay me, make my life easier or make my life more enjoyable.

It's a rare moment when I feel the need to publicly bitch-slap someone, but you triggered it. That statement alone, and it's simply impossible to take it out of context, is the height of selfishness and it disqualifies you from the benefit of the doubt. It's at the minimum sociopathy, and at the maximum pure narcissism. Neither one of them is socially acceptable and since we are participating in a society here then you, sir, are out of line. I have my feelings and opinions, boy do I have them, but I don't go around devaluing others just because they don't serve my interests. You, don't do it either - stop it. We are all human beings and we all have feelings. Corporations are greedy, we people don't have to be.

-mike
Re: NIST-free crypto, autociphering, and libsodium (NaCl)
On 17 Jan 2014, at 06.05, Philip Guenther guent...@gmail.com wrote:

Ah, so if NIST looked at work done by someone completely unrelated to NIST and said looks good, we'll standardize exactly what you did, you think that it's now contaminated by NISTs talking about it? For example, AES, which was designed by europeans and standardized after a massively public competitive process that even the losing competitors think was legit with no funny games, should be excluded by your clarified criteria. That sounds like you're interested in a political statement and not a security goal.

Hi Phil,

Thanks for your response. I am, indeed, more interested in a security goal than a political goal, though political goals are not foreign to my train of thought.

My feeling is thus: NIST is strongly advocating the cryptographic primitives that NSA finds feasible to circumvent. This is the thing that is disturbing me. The fact is that none of us, unless you are working for NSA crypto team, know what their capabilities are. But we do know that they are spending a shitload of money and working night and day to establish a functional quantum computer which would render all of our current state of the art crypto invalid. That is their goal number 1.

I don’t trust NIST at all, and I also don’t trust ICANN. Here is a list of people I trust when it comes to running their code, in order of importance:

RMS
DJB (and his proteges by proxy)
Theo | Henning

Now, if DJB has been recruited then I will forever hang my head in shame. I don’t trust Eric Allman, and I don’t entirely trust Kirk McKusick though I would like to.

-mike
Re: OPENBSD FUNDING SOLUTION -- COME AND PARTICIPATE
On 18 Jan 2014, at 22.25, Chris Cappuccio ch...@nmedia.net wrote:

Mike, maybe you can stop your rambling, and just do the same. Because otherwise, I don't understand why you feel justified to be on this mailing list. You were henning's roommate, so that means that you know all about OpenBSD, programming, computers, business, Logic 101, and how Theo is not a businessman? And you have the real solution, right? You can tell everyone how to make it work?

I wasn’t Henning’s roommate, “live” with a long vowel means simply that I know him face to face for several days straight, sorry for the ambiguity of our English language - you can blame our mother.

Life is full of unpredictable twists and turns. I’ve had more than my share of them as of late. But you are probably right - if I’d spend more time trying to get a business off the ground and less time, for example, on this mailing list (which is, coincidentally, a very small portion of my time), then I might be in a position to actually make enough money that I could donate something deemed significant. Of course, the same applies to you.

—Mike
Re: Request for Funding our Electricity
On 18 Jan 2014, at 20.15, Jan Stary h...@stare.cz wrote:

On Jan 18 16:29:46, m...@sci.fi wrote:

On 18 Jan 2014, at 04.33, Theo de Raadt dera...@cvs.openbsd.org wrote:

And I hope it’s the thought that counts more than the amount.

LOL, yes, especially when it comes to bills being paid.

You, too, sir, can also take an overdose of fugoff. 1 > 0, no matter how you look at it. I will do what I can. And do not private message me again without including the rest of the addresses included in the original context. Or are you simply seeking supply?

-mike
Re: Request for Funding our Electricity
On 19 Jan 2014, at 01.36, Jan Stary h...@stare.cz wrote:

So, the 1 is the thought, and the 0 is the amount? Sorry, but your comments were so ridiculous I couldn't help it. Saying it's the thought that counts to people who have repeated explicitly they need MONEY.

There you go again with your simple inability to understand what Reply All means.

I will do what I can. And do not private message me again without including the rest of the addresses included in the original context. Or are you simply seeking supply?

? A supply of what?

No comment.

Mike
Re: OpenBSD funding status
On 18 Jan 2014, at 20.01, Desktop User OpenBSD openbsd.desktop.u...@gmail.com wrote:

Hello, I would love to subscribe to the monthly donation on: http://openbsdfoundation.org/donations.html but I need to ask, say a few things before:

1) The https://openbsdfoundation.org/donations.html is redirecting to http://www.obtuse.com/ why? HTTPS should work properly or it shouldn't be there.

Word.

2) What is the status of the funding? The CAD$(?) 20,000?

Word again. Open with the code doesn’t mean black box with the money.

3) Are there any subscriptions too or there are only one-time donations? I would do a subscription if it were possible, but the amount has to be entirely of my own choosing.

Paypal certainly does offer recurring payments, so there is no reason not to offer them to people willing to support the project.

4) Could Theo or anyone from the OpenBSD team contact any vendors, or has the project any bigger subscription donator already?

Again, and I really need to highlight this: when the project comes to the position that it is asking for money or die, then the project is also in a requirement to provide financial transparency. If money is the question, then a mailing list isn’t the answer - this is 2014 and most of the world couldn’t give a flying shit about email anymore (and if I can additionally stick in a side comment regarding antiquity, then give up the FTP already - it’s a dinosaur, it’s unnecessarily complex, and it serves no specific purpose when HTTP is available.)

5) If something would happen to Theo (which __I don't want or wish__), who would be the project leader? Son or daughter? Or any lead developers? Are there any plans for this? In the book: Absolute OpenBSD (2nd) which came out at April of 2013 says only one sentence about this: “Theo takes whatever actions necessary to keep the OpenBSD Project running smoothly. If something should ever happen to Theo, the project does have plans for replacing him.” Maybe Michael knows something that we don’t as the result of an evening full of beers together with the core team.

According to Wikipedia, Theo is only a year and a half younger than me, so he’s still got at least 30 years in front of him barring accidental death or an incurable tumor. Corporate attitude likes to propagate the attitude that none of us are indispensable, but the fact is that unless you are a java coder and by default travelling down the Ho Chi Minh trail then you are also indispensable. Friends don’t let friends code Java. Period.

6) off: If OpenSSH is deployed widely in the world, wouldn't it be nice to put the donation URL in it? (man page or after install)

That’s great if what you are after is peanuts from people like me. People with serious money waiting for a purpose don’t read man pages, with the possible exception of Mark Shuttleworth, and he shouldn’t need to be prodded to throw some money in this direction - but again, I simply can not overemphasise the importance of my response to point 4 above. Isn’t Mark running a Canadian company? Even if the OS he’s promoting is directly competing, he is standing on the shoulders of at least one giant - Theo.

-mike
Re: NIST-free crypto, autociphering, and libsodium (NaCl)
On 17 Jan 2014, at 17.30, Christian Weisgerber na...@mips.inka.de wrote:

As guenther@ has pointed out, refusing all crypto covered by that definition is silly. But even if you limit yourself to the specification part, you should be very disappointed about the newly added Curve25519 key exchange and Ed25519 signing in OpenSSH, because as implemented both rely on SHA-2 cryptographic hashes, which were not only specified by NIST, but in fact designed by the NSA. Of course mainstream cryptographers don't think that SHA-2 is insecure, much less backdoored, but that again raises the question: What do you mean by that NIST crypto you want to avoid?

-- Christian naddy Weisgerber na...@mips.inka.de

Hi,

Consider for a moment the difference between objective thinking and objective feeling, then you might consider my point of view. You are right, mere involvement has not tainted reality. But it has left me suspicious, and that’s something that needs to be satisfied. It’s a fuzzy logic, and it wasn’t enough to get me past the doorman in the Umverschämft.

-mike
NIST-free crypto, autociphering, and libsodium (NaCl)
Hello,

I would like to inquire as to which OpenBSD RELEASE will offer the possibility to avoid NIST crypto for everything in Base (isakmpd, openssh, openssl, https, nginx being the key items in mind)? BTW, looks like things are heading in the right direction (http://www.slideshare.net/yandex/rubsd2013-mikeben)

As it stands, there is currently cipher-suite negotiation / configuration coded into every single crypto-enabled tool / daemon and it's a bit of a mess and a headache to manage it all. Would it be good to start to think about having a single, system-wide cipher-suite negotiation configuration and socket? interface and removing all this mess from things like isakmpd, openssh, openssl, httpd, nginx, etc?

For example, one could specify a preferred ordered list of cipher suites and ones that aren't listed would be completely avoided at the system level. This could, for example, eliminate static algorithm configuration in ipsec.conf and instead start negotiation traveling down the ordered list until either success or end of list. This method would provide an abstract interface to avoid future version downgrade attacks, i.e. no need to update anything other than the configuration file. And, of course, the autocipher engine would be powered by libsodium (NaCl).

Thoughts, comments, insults, etc, are all welcome! The quantum computer is coming soon to a theatre near you.

-mike
Re: NIST-free crypto, autociphering, and libsodium (NaCl)
On 16 Jan 2014, at 18.23, Chris Cappuccio ch...@nmedia.net wrote:

For instance, you may have noticed that OpenSSH is moving towards an openssl-free mode by importing NaCl components directly? One problem with abandoning OpenSSL is that you lose SSL, TLS, (oh, and everything has to be rewritten to use NaCl, and is now incompatible with everything else.) So what you see with OpenSSH is the first attempt at doing this, and it will only be compatible with other people also using new OpenSSH. The issue is compatibility.

Thanks Chris for your response and yes, you make a good point regarding compatibility. I am by far a crypto expert, but these issues have been anyway on my mind as of late. So bear with me, but would it be possible to switch /dev/crypto to be an interface to an autocipher engine where both OpenSSL and NaCl ciphers could be supported via e.g. /etc/autocipher.conf and then change all crypto-enabled apps to use /dev/crypto and only /dev/crypto as the interface? This approach could highly simplify the crypto operations in all of the associated daemons/tools included in Base, as well as Ports could slowly be converted to use the same interface. This is precisely the approach that is being taken in Ethos operating system which is being designed from the ground up to withstand cryptographic attack.

Given the current status quo (widespread compromise of our computing base by 3 letter agencies), this starts to sound a bit less paranoid of an approach. Or have I got something wrong? Again, I am open to any sort of response.

-mike
Re: NIST-free crypto, autociphering, and libsodium (NaCl)
On 16 Jan 2014, at 18.23, Chris Cappuccio ch...@nmedia.net wrote:

For instance, you may have noticed that OpenSSH is moving towards an openssl-free mode by importing NaCl components directly? One problem with abandoning OpenSSL is that you lose SSL, TLS, (oh, and everything has to be rewritten to use NaCl, and is now incompatible with everything else.) So what you see with OpenSSH is the first attempt at doing this, and it will only be compatible with other people also using new OpenSSH. The issue is compatibility.

I’m sorry for the typo: s/I am by far a crypto expert/I am far from being a crypto expert/

Thanks.

-mike
Re: Request for Funding our Electricity
On 16 Jan 2014, at 19.45, Jack Woehr jwo...@softwoehr.com wrote: I think Theo has answered this previously. His point was that he doesn't want to spend his time year after year running campaigns. Being neither a politician nor a diplomat nor a grantmaster, he wants a sustainable model. There’s a person who writes excellent documentation for OpenBSD, isn’t he an English language professor? Excellent documentation is one of the key features of OpenBSD, hands down, i.e. he is an extremely valuable project member even if he doesn’t commit executable code to version control. With this in mind, wouldn’t there be room in core for a person dedicated to fund-raising, i.e. a person with a strong vote? I really do want to see OpenBSD survive, but expenses are a reality as we now see. Being the project leader means also addressing the issue of funding in a feasible manner, even if addressing simply means delegation to a person who has both the competence as well as motivation to perform such a role. Fact is, if I were capable of funding the electricity bill then I would do it in a heartbeat, but it would definitely require transparency as has been stated earlier in this conversation. Wikipedia runs these sort of fundraisers every year and they do it in a very obtrusive way, but they haven’t yet run out of money. Time to face reality. -mike
Re: NIST-free crypto, autociphering, and libsodium (NaCl)
On 16 Jan 2014, at 19.17, Chris Cappuccio ch...@nmedia.net wrote:

OpenBSD has already begun incorporating NaCl by bypassing OpenSSL entirely.

Good news - perhaps my philosophy is “why lay a lot of small bricks here and there when you can lay a cornerstone and be done with it?”. But perhaps I am not taking all things into consideration.

I can't speak for the architectural issues but I can't imagine that I or you are the only people imagining better cipher suites in the base system.

You are certainly right - that would be just naive. The OpenBSD approach to things is generally to make the interfaces as simple as possible, drop-dead simple. This eliminates configuration mistakes. Take OpenNTPD for example - it’s simply beautiful what has been done with the configuration interface.

A systemwide autocipher engine device could easily be incorporated directly into PF, no? block all cipher hmac-sha1 (for example).

-mike
Re: NIST-free crypto, autociphering, and libsodium (NaCl)
On 16 Jan 2014, at 20.24, Chris Cappuccio ch...@nmedia.net wrote: Block traffic with specific ciphers from traversing the network? That's sci.fi You’re right again - this stuff is futuristic but could potentially be accomplished via inspection of unencrypted packet headers, etc (i.e. via packet-pattern/flow analysis). However, it could likely be accomplished for things that access the machine itself. We are getting into the realm of wirespeed DPI now. If we won’t be doing it, somebody else will. What are our efforts worth if the crypto exists in silos and is vulnerable to side channel attacks? Is it really worth delegating these sorts of things to ports?
Re: NIST-free crypto, autociphering, and libsodium (NaCl)
On 16 Jan 2014, at 20.49, Nicolai nicolai-om...@chocolatine.org wrote:

Things are moving in the right direction! The last six months have seen MAJOR improvements in crypto. If you want to be a part of it, pick up DNSCrypt or DNSCurve. Get a recent Chromium and play with QUIC. Read about MinimaLT. Strong, fast encryption is coming. And I think OpenBSD 5.5 will be light years ahead when it's released in May.

DNSCurve, I was already trying to compile it yesterday. Wonderful:

# ./configure.nacl

Took a long, long time to complete and didn't produce any output at all.

# ./configure.curvedns
Finished configuring CurveDNS, ready for compiling.
Chosen/picked ABI: x86
Chosen/picked compiler: gcc
Chosen/picked compiler options: -m32 -O3 -fomit-frame-pointer -funroll-loops
We are now ready to compile, run 'make' to do so.

# make
gcc -m32 -O3 -fomit-frame-pointer -funroll-loops -Wall -fno-strict-aliasing -O3 -Inacl/build/include/x86 -c curvedns-keygen.c
In file included from misc.h:49,
                 from curvedns-keygen.c:46:
ip.h:54:31: error: ev.h: No such file or directory
In file included from misc.h:49,
                 from curvedns-keygen.c:46:
ip.h:78: error: expected '=', ',', ';', 'asm' or '__attribute__' before 'global_ip_internal_timeout'
ip.h:79: error: expected '=', ',', ';', 'asm' or '__attribute__' before 'global_ip_tcp_external_timeout'
*** Error code 1

Stop in /usr/local/src/curvedns-0.87 (line 79 of Makefile).

Seems that it can't even find headers in /usr/local/include, which is where the OpenBSD package for libev installs the header, so I had to add that:

# vim Makefile
# If you have libev at a non-standard place, specify that here:
EV=/usr/local
EVCFLAGS=-I$(EV)/include
EVLDFLAGS=-L$(EV)/lib

And then we get a bit further:

# make
gcc -m32 -O3 -fomit-frame-pointer -funroll-loops -Wall -fno-strict-aliasing -O3 -Inacl/build/include/x86 -I/usr/local/include -c curvedns-keygen.c
gcc -m32 -O3 -fomit-frame-pointer -funroll-loops -Wall -fno-strict-aliasing -O3 -Inacl/build/include/x86 -I/usr/local/include -c debug.c
gcc -m32 -O3 -fomit-frame-pointer -funroll-loops -Wall -fno-strict-aliasing -O3 -Inacl/build/include/x86 -I/usr/local/include -c ip.c
gcc -m32 -O3 -fomit-frame-pointer -funroll-loops -Wall -fno-strict-aliasing -O3 -Inacl/build/include/x86 -I/usr/local/include -c misc.c
misc.c: In function 'misc_base32_decode':
misc.c:291: error: 'EPROTO' undeclared (first use in this function)
misc.c:291: error: (Each undeclared identifier is reported only once
misc.c:291: error: for each function it appears in.)
*** Error code 1

Stop in /usr/local/src/curvedns-0.87 (line 76 of Makefile).

What's this EPROTO and do I really need to care?

I commented it out in misc.c, dnscurve.c and dns.c:

PROTO:
	//errno = EPROTO;
	return 0;
}

And then:

# make
gcc -m32 -O3 -fomit-frame-pointer -funroll-loops -Wall -fno-strict-aliasing -O3 -Inacl/build/include/x86 -I/usr/local/include -c dns.c
gcc -m32 -O3 -fomit-frame-pointer -funroll-loops -Wall -fno-strict-aliasing -O3 -Inacl/build/include/x86 -I/usr/local/include -c curvedns.c
In file included from curvedns.c:37:
/usr/include/sys/socket.h:162: error: expected specifier-qualifier-list before 'u_int8_t'
/usr/include/sys/socket.h:180: error: expected specifier-qualifier-list before 'u_int8_t'
/usr/include/sys/socket.h:378: error: expected specifier-qualifier-list before 'socklen_t'
/usr/include/sys/socket.h:405: error: expected specifier-qualifier-list before 'socklen_t'
In file included from curvedns.c:37:
/usr/include/sys/socket.h:462: error: expected declaration specifiers or '...' before 'socklen_t'
/usr/include/sys/socket.h:463: error: expected declaration specifiers or '...' before 'socklen_t'
/usr/include/sys/socket.h:464: error: expected declaration specifiers or '...' before 'socklen_t'
/usr/include/sys/socket.h:465: error: expected declaration specifiers or '...' before 'uid_t'
/usr/include/sys/socket.h:465: error: expected declaration specifiers or '...' before 'gid_t'
/usr/include/sys/socket.h:466: error: expected declaration specifiers or '...' before 'socklen_t'
/usr/include/sys/socket.h:467: error: expected declaration specifiers or '...' before 'socklen_t'
/usr/include/sys/socket.h:468: error: expected declaration specifiers or '...' before 'socklen_t'
/usr/include/sys/socket.h:470: error: expected '=', ',', ';', 'asm' or '__attribute__' before 'recv'
/usr/include/sys/socket.h:471: error: expected '=', ',', ';', 'asm' or '__attribute__' before 'recvfrom'
/usr/include/sys/socket.h:472: error: expected '=', ',', ';', 'asm' or '__attribute__' before 'recvmsg'
/usr/include/sys/socket.h:473: error: expected '=', ',', ';', 'asm' or '__attribute__' before 'send'
/usr/include/sys/socket.h:474: error: expected '=', ',', ';', 'asm' or '__attribute__' before 'sendto'
/usr/include/sys/socket.h:476: error: expected '=', ',', ';', 'asm' or '__attribute__' before 'sendmsg'
/usr/include/sys/socket.h:477: error:
Re: NIST-free crypto, autociphering, and libsodium (NaCl)
On 16 Jan 2014, at 23.55, Chris Cappuccio ch...@nmedia.net wrote: All until we learn from the newest Snowden slide that Dan Bernstein is actually on the NSA payroll :) All your DJBs belong to us!
Re: NIST-free crypto, autociphering, and libsodium (NaCl)
On 17 Jan 2014, at 00.54, Christian Weisgerber na...@mips.inka.de wrote:

MJ m...@sci.fi wrote:

I would like to inquire as to which OpenBSD RELEASE will offer the possibility to avoid NIST crypto for everything in Base (isakmpd, openssh, openssl, https, nginx being the key items in mind)?

What is NIST crypto?

Are you serious or just being facetious? I basically used it as an umbrella term to include all of the crypto in which the US government has had their hand involved in its specification, implementation, approval, standardisation, etc and so forth.

http://csrc.nist.gov/groups/ST/toolkit/index.html
Re: Request for Funding our Electricity
On 15 Jan 2014, at 16.35, Gilles LAMIRAL gilles.lami...@laposte.net wrote:

Dear Theo, Don't we do enough? You already do too much.

I have long held the opinion that Theo is probably the best coder on this planet. That’s not any sort of ass-kissing, either, it’s my objective, unbiased opinion. And I know Henning personally, as in “live and worked together with him” - one hell of an expert.

However, the dilemma that the project has found itself in now very clearly demonstrates that Theo is not a businessman and that there isn’t any other businessman at the helm, either. Imagining that people will suddenly start to pay for something that they have constantly been getting for free is absurd - their belief is that somebody else will surely step up first or somebody will fork in the name of fame. No business on this planet is going to allocate budget to paying OpenBSD’s electricity bills, let alone anything else, without 1) a detailed itemisation of the electrical bills, 2) a detailed justification of said line items, and 3) a satisfaction of their own business interest. It’s just not sexy for a philanthropist to support a relatively unheard of operating system when cancer is still left uncured.

It’s not good to be removing coders from their tasks; the project needs a businessman or two. One who will handle the corporate feature requests and charge dearly for them. Things like routing technology and high-speed packet forwarding - things that can replace the exorbitant costs of maintaining cisco routers. This is the key. With the FBSD 10GB wire speed packet forwarding incorporated, OpenBSD would be ready to challenge Cisco in a very serious way. Completely free as always, but with paid support for those edge cases that make life what it is.

Thanks Theo, Henning, and all of the rest of you.

-mike
Re: Security
On 11 Jan 2014, at 13.36, Craig R. Skinner skin...@britvault.co.uk wrote:

Hosts in hinet have been relentlessly attacking my mail web servers for over 8 years. I feed them rubbish to play with,

A good technique is to run a geospatially-enabled DNS server that maps AS numbers to locations and then simply serve different results to different locations. AS number to geospatial mapping isn’t perfect, but it’s good enough. For example, when hosts in hinet location query your MX record, you could serve them the answer of 127.0.0.1 ;-) Spammers will love you!

-mike
Re: NPPPD and IPSec
This works with Windows 8, OSX, Android and iOS:

ike passive esp transport \
        proto udp from $public_ip to any port 1701 \
        main auth hmac-sha1 enc aes group modp1024 \
        quick auth hmac-sha1 enc aes \
        psk $psk

On 03 Dec 2013, at 00:28, Frans Haarman franshaar...@gmail.com wrote:

I have used this with windows 7 and osx:

ike passive esp transport \
        proto udp from $public_ip to any port 1701 \
        main auth hmac-sha1 enc 3des group modp1024 \
        quick auth hmac-sha1 enc aes \
        psk

2013/12/2 Or Elimelech o...@xwise.com

Hi,

I'm having trouble configuring Windows clients with l2tp over ipsec. This config works great on OSX/iOS/Android/Linux. I do not know which type of auth/enc/group I should use for Windows clients. I currently use OpenBSD 5.4 with the following:

ike passive esp transport \
        proto udp from 1.2.3.4 to any port 1701 \
        main auth hmac-sha1 enc aes group modp1024 \
        quick auth hmac-sha1 enc aes group modp1024 \
        psk secret

Thank you so much and keep up the good work. I love the OpenBSD project.
Re: wanna be sys admin question
On 07 Nov 2013, at 06:09, Predrag Punosevac punoseva...@gmail.com wrote:

I am soliciting opinions and some guidance on few very general sys admin questions.

1. What do people in general use to parse large amount of log files received in the form of e-mails? security/logsurfer and similar. I have seen some in the ports tree.

Perl. You won’t be much of a sysadmin if you don’t take the time to master perl.

3. Are there any advantages of graphics/dia over general-purpose vector graphics programs like graphics/inkscape for drawing network topology.

Sure, dia has things like network shapes and connection points already included.
Re: strange error on openbsd
Why reinvent the wheel?

[root@black ~]# getent passwd 1
daemon:*:1:1:The devil himself:/root:/sbin/nologin
[root@black ~]#

-mike

On May 7, 2013, at 4:06 AM, Friedrich Locke friedrich.lo...@gmail.com wrote:

Dear list members,

I am in need to write a simple program to return the passwd entry for a given uid number. Here you have it:

#include <sys/types.h>
#include <errno.h>
#include <pwd.h>
#include <stdio.h>

int
main(int argc, char **argv)
{
	struct passwd *p;
	int e;

	/* Save errno, clear it, and look up uid 0. */
	e = errno, errno = 0;
	p = getpwuid(0);

	/*
	 * Note: errno is only meaningful when getpwuid() returned NULL;
	 * a successful lookup may leave errno set by something it tried
	 * along the way.
	 */
	if (errno) {
		fprintf(stdout, "errno is: %u\n", errno);
		return 127;
	}
	errno = e;

	/* No entry for the uid: p is NULL, do not dereference it. */
	if (p == NULL) {
		fprintf(stdout, "no passwd entry\n");
		return 1;
	}
	fprintf(stdout, "%s\n", p->pw_name);
	return 0;
}

When I execute it I get this on an OpenBSD:

sioux@lion$ ./pw
errno is: 13
sioux@lion$

Any idea why the OpenBSD implementation of getpwuid returns an error?

Thanks in advance.
ospfd OOM crash
Hi, On two occasions (had to test it to see if it was repeatable), ospfd has crashed on my 5.2 release i386 machine while I was running a ruby script that consumed too much memory (which also crashed). No other daemons on the machine crashed except ospfd. Needless to say, my network also went down… I am not sure how the OpenBSD OOM killer works, but IMO important daemons such as ospfd should be exempted. Thanks.
Re: ospfd OOM crash
On Mar 21, 2013, at 10:46 PM, Ted Unangst t...@tedunangst.com wrote: There is no OOM killer. Your bug report also lacks crucial details like what it means to crash. Do you mean it logged a message like fatal: out of memory? That's not a crash, that's a message informing you about an error condition. You fix it by adding more memory. Crashed as in disappeared from the process table without a trace in the logs. It's under supervision now.
Re: strange bash (prompt) problem
On Mar 19, 2013, at 11:17 PM, jca+o...@wxcvbn.org (Jérémie Courrèges-Anglas) wrote:
> MJ m...@netauth.com writes:
>> Hi,
>>
>> Sometimes, maybe once every 100 commands or so, I get the following type of error:
>>
>> [root@black socklog]# dmesg | less
>> -bash: $'\302\240less': command not found
>
> Here you have a UTF-8 non-breaking space character.
>
>> It is not reproducible, at least I don't know how to reproduce it. Hitting up arrow will reproduce it, but typing the command again will make it go away. It seems to only happen when piping output through something. Any ideas how to fix this?
>
> Don't type on both your AltGr and your Space key when you don't intend to.

Interesting, so that's the cause of it? On my MacBook, I type space and then AltGr 7 to get a pipe character. I have had this MacBook for 3 years, and I didn't just start typing or using OpenBSD yesterday… I do type extremely fast, but this never happens to me for example on my FreeBSD server or the MacBook itself. The OpenBSD machine is a very old i386 Epia that is pretty heavily loaded with a lot of processes. Could it be that my typing input sometimes comes faster than it can process it (bytes getting crossed on the wire)?

>> [root@black ~]# cat .bash_profile
>> alias ll='ls -al'
>> PAGER=less
>> PATH=/usr/local/bin:/usr/local/sbin:$PATH
>> PS1="[\u@\h \W]#"
>> LANG=en_US.UTF-8
>> PKG_PATH=http://ftp.funet.fi/pub/mirrors/ftp.openbsd.org/pub/OpenBSD/5.2/packages/i386
>> export PAGER PATH PKG_PATH PS1 LANG
>>
>> Thanks.
>
> --
> Jérémie Courrèges-Anglas
> GPG Key fingerprint: 61DB D9A0 00A4 67CF 2A90 8961 6191 8FBF 06A1 1494
strange bash (prompt) problem
Hi,

Sometimes, maybe once every 100 commands or so, I get the following type of error:

[root@black socklog]# dmesg | less
-bash: $'\302\240less': command not found

It is not reproducible, at least I don't know how to reproduce it. Hitting up arrow will reproduce it, but typing the command again will make it go away. It seems to only happen when piping output through something. Any ideas how to fix this?

[root@black ~]# cat .bash_profile
alias ll='ls -al'
PAGER=less
PATH=/usr/local/bin:/usr/local/sbin:$PATH
PS1="[\u@\h \W]#"
LANG=en_US.UTF-8
PKG_PATH=http://ftp.funet.fi/pub/mirrors/ftp.openbsd.org/pub/OpenBSD/5.2/packages/i386
export PAGER PATH PKG_PATH PS1 LANG

Thanks.
Re: EIGRP implementation?
IGRP is a 28 year old routing protocol from the stone ages, no wonder it was retired. EIGRP is a bit more modern ;-)

Cisco won't be discontinuing EIGRP anytime soon; it's the preferred routing protocol for building DMVPNs and Cisco DMVPN is a very widely used technology. Cisco definitely pushes EIGRP for building DMVPNs as it works better than anything currently available.

The best way for OpenBSD to take hold in this area would be to implement NHRP (RFC 2332) and allow users to build DMVPNs using nhrpd and bgpd. BGP is not quite as good as EIGRP for DMVPNs, but it's a lot more scalable than OSPF.

On Feb 21, 2013, at 4:28 PM, Daniel Ouellet dan...@presscom.net wrote:
> Interesting. Cisco discontinued IGRP starting with IOS 12.2(13)T and 12.2(R1s4)S. And many years ago it was recommended to me by the Cisco SmartNet people to switch from EIGRP to maybe ISIS or OSPF back then, as it was possible that Cisco would discontinue EIGRP as well. Maybe they are desperate to lose control over EIGRP now and various router protocols, seeing that lots more competition is coming to them now. (:
>
> I guess after you know OSPF, and in some cases if you want to use ISIS, I see no reason to have EIGRP anyway. I don't think Cisco is pushing their own EIGRP, and not that I miss it anyway, but maybe ISIS would be nicer than EIGRP inside an OpenBSD router, even if I do not miss it. The only advantage is that ISIS is much simpler to use and learn than properly done OSPF for a smaller and simpler network that OpenBSD may fit better with. Some not too familiar IT guys may prefer ISIS to OSPF, but really I see no need for EIGRP.
>
> Anyway, just my $0.02 worth for what it is.
>
> Daniel
>
> On 2/20/13 7:24 PM, Stuart Henderson wrote:
>> On 2013-02-20, Claudio Jeker cje...@diehard.n-r-g.com wrote:
>>> On Wed, Feb 20, 2013 at 03:35:59PM +0300, Aaron Glenn wrote:
>>>> I'm wondering if anyone is thinking/contemplating/attempting implementing the newly released EIGRP draft from Cisco. No, I don't have patches to contribute...this is just a simple "anyone else thinking about this?" message. Feel free to contact me privately if this is too noisy a message (hah...misc...noisy...heaven forbid). Interesting commentary at packetpushers if you missed it.. http://packetpushers.net/why-is-cisco-bothering-with-open-eigrp/
>>>
>>> Last time I looked EIGRP was a Cisco proprietary protocol from the times when RIP was modern. I see no need to support it, I would first consider ISIS and adding stuff to ospfd / ospf6d.
>>
>> +1
Re: Millions of files in /var/www inode / out of space issue.
Which app are you running that is generating millions of tiny files in a single directory?

Regardless, in this case OpenBSD is not the right tool for the job. You need either FreeBSD or a Solaris variant to handle this problem because you need ZFS.

What limits does ZFS have?
---
The limitations of ZFS are designed to be so large that they will never be encountered in any practical operation. ZFS can store 16 Exabytes in each storage pool, file system, file, or file attribute. ZFS can store billions of names: files or directories in a directory, file systems in a file system, or snapshots of a file system. ZFS can store trillions of items: files in a file system, file systems, volumes, or snapshots in a pool.

I'm not sure why ZFS hasn't yet been ported to OpenBSD, but if it were then that would pretty much eliminate the need for my one and only FreeBSD box ;-)

On Feb 19, 2013, at 2:35 AM, Keith ke...@scott-land.net wrote:
> Q. How do I make the default web folder /var/www/ capable of holding millions of files (say 50GB worth of small 2kb-12kb files) so that I won't get inode issues?
>
> The problem is that my server has the default disk layout, as I didn't expect to have millions of files (I thought they would be stored in the DB). When I started the app it generated all the files and I got out of space warnings. I tried moving the folder containing the files and making a symlink back, but that didn't work because nginx is in a chroot.
>
> The two options I think I have are:
>
> 1. Reinstall the OS and make a dedicated /var/www partition, but how I increase the inode limit I have no idea.
>
> 2. Make a new partition, format it, copy the files from the original partition and swap them around and restart nginx. (Do I run newfs with some option to make more inodes?)
>
> Thanks
> Keith.
Re: Pf with multi gateways
Best solution is ECMP combined with ifstated: you get double bandwidth until one link goes down, in which case it is automatically removed from the routing table until it comes up again. This is a pretty common setup in e.g. Top of Rack (ToR) switching setups.

I just wrote a blog post mentioning this a few days ago, didn't go into technical configurations yet but when I do the next post I will be sure to mention ifstated.

http://terminalprompt.com/2013/02/12/openbsd-a-real-powerhouse/

On Feb 13, 2013, at 6:09 PM, Janne Johansson icepic...@gmail.com wrote:
> You can have ifstated test gw reachability, I think relayd has similar functionality to manage routes, one could somewhat easily script "if gwA up send packets via ifA, if gwB up ..." mpath would be yet one option.
>
> 2013/2/13 What you get is Not what you see wygin...@gmail.com:
>> Hi
>>
>> I have a pf box with 4 links (a multihomed box) and some services like dns, dhcp on it. I have set /etc/mygate to one of the gateways. Sometimes the line drops and when it drops, obviously some services like dns stop. But the other lines are up then. What is the proper way of handling mygate? Do you suggest mpath?
>
> --
> May the most significant bit of your life be positive.
OSPFD on a VLAN Trunk Interface
192.168.1.0/24       10.1.0.1         Type 1 ext  Network  110  03:28:33

Above: next-hop for 10.1.8.0/22 should be 10.1.8.1 (vlan3 interface on box2), and so forth.

-mj