Re: What determines source IP of traffic from OpenBSD box ?

2021-02-28 Thread Rachel Roch
28 Feb 2021, 11:28 by s...@spacehopper.org: > On 2021/02/28 11:46, Rachel Roch wrote: > >> Thank you all for the suggestions, I am currently testing a few of them. >> >> In case it makes any difference, the underlying problem I have is I have two >> firewalls

Re: What determines source IP of traffic from OpenBSD box ?

2021-02-28 Thread Rachel Roch
2021, 15:34 by s...@spacehopper.org: > On 2021-02-26, Daniel Jakots wrote: > >> On Fri, 26 Feb 2021 11:53:40 +0100 (CET), Rachel Roch >> > > wrote: > >>> Let's say I'm running "pkg_add -u" on an OpenBSD-based router with >>> mul

What determines source IP of traffic from OpenBSD box ?

2021-02-26 Thread Rachel Roch
Hi Let's say I'm running "pkg_add -u" on an OpenBSD-based router with multiple interfaces. What determines the source IP ? Building on that, there is no "source interface" flag for pkg_add like there is for ping and certain others.  Is there a way for me to configure a default interface for

Re: man netstart(8) OpenBSD-6.8

2020-11-03 Thread Rachel Roch
> an updated diff for this just got committed. > jmc > Thank you all.  For myself and on behalf of future devoted man page readers, very much appreciated that such a key man page has been brought up to date. rr

Re: man netstart(8) OpenBSD-6.8

2020-10-26 Thread Rachel Roch
ne look forward to you adding your entry into the netstart man page > for community review. > > Sent with ProtonMail Secure Email. > > ‐‐‐ Original Message ‐‐‐ > On Sunday, 25 October 2020 09:42, Rachel Roch wrote: > >> 25 Oct 2020, 01:25 by dera...@openbsd

Re: man netstart(8) OpenBSD-6.8

2020-10-25 Thread Rachel Roch
25 Oct 2020, 01:25 by dera...@openbsd.org: > Rachel Roch wrote: > >> Is it just me or is the man entry for netstart(8) missing a reference to >> wg(4) ? >> > > ... and 300 other network interfaces. > > In other words, no, it should not be there. > OK

man netstart(8) OpenBSD-6.8

2020-10-24 Thread Rachel Roch
Hi Is it just me or is the man entry for netstart(8) missing a reference to wg(4) ? Rachel

Re: South American mirrors?

2020-10-19 Thread Rachel Roch
One of the CDNs would seem the obvious answer to your problem. Or have you already tried them ? Addresses are : Fastly (CDN) https://cdn.openbsd.org/pub/OpenBSD/ Cloudflare (CDN) https://cloudflare.cdn.openbsd.org/pub/OpenBSD/ Verizon Digital Media Services (CDN)

rad(8) and carp - anything I ought to know ?

2020-01-17 Thread Rachel Roch
Hi, I'm sure many here have been down this road before me.  So to save me many hours of tears and frustration, I have a simple question. Say I was hoping to use rad(8) in conjunction with carp, any tales from the battlefield (a.k.a. config tips, things to be aware of etc.). Thanks ! Rachel

Re: sysupgrade to 6.6 failed at comp66.tgz

2019-11-23 Thread Rachel Roch
> This topic has been beat to death. deraadt@ and others have made it clear that > if you do not install all the sets, you are running an unsupported > configuration. It has been stated that if people keep bitching, they're just > going to merge the release sets into one set. > > I like the

Re: sysupgrade to 6.6 failed at comp66.tgz

2019-11-23 Thread Rachel Roch
>> - maybe sysupgrade needs to be patched to avoid this issue? >> > > Probably not. sysupgrade has assumptions baked in to it which have > evidently been rendered invalid either by another tool or by the > person using them. That tool is where the patch most likely ought > to be directed. > >

bgpd not exporting default route

2019-11-23 Thread Rachel Roch
Hi, I'm probably being completely dumb here, but I'm adding an additional perimeter router to my network which is running OpenBSD 6.6. My current perimeter is a 6.4 instance (soon to be upgraded !) which talks BGP to internal firewalls. The config below works perfectly on 6.4, but on 6.6, the

Re: Sonos and OpenBSD PF - anyone on-list with experience ?

2019-11-23 Thread Rachel Roch
Thanks all for your ideas.  I'll spend a little time on it over the next few days and see how far I can get. 22 Nov 2019, 16:34 by s...@spacehopper.org: > On 2019-11-22, Peter N. M. Hansteen wrote: > >> On Fri, Nov 22, 2019 at 12:56:51PM +0100, Rachel Roch wrote: >>

Re: Sonos and OpenBSD PF - anyone on-list with experience ?

2019-11-22 Thread Rachel Roch
round the > uPNP requirement ? > > > > > > > > On Fri, 22 Nov 2019 at 11:26, Rachel Roch wrote: > >> >> Hi, >> >> Refuse to use Sonos myself, but am helping (or trying to) out a friend who >> has a Sonos try to get things working with OpenBSD PF. >

Sonos and OpenBSD PF - anyone on-list with experience ?

2019-11-22 Thread Rachel Roch
Hi, Refuse to use Sonos myself, but am helping (or trying to) out a friend who has a Sonos try to get things working with OpenBSD PF. I've simplified their PF rules to a simple swiss cheese (i.e. stateful NAT'd allow any out to any). Everything else they care to run on their network is

ifstated.conf advice needed

2019-11-15 Thread Rachel Roch
Hi, I'm looking for a bit of help on how to write a sensible and safe (i.e. avoid race conditions) ifstated.conf. I have a scenario where I have a LACP trunk and on top of the trunk, I have four carp interfaces. So: trunk1 => carp0–3 Now, obviously I know I can monitor up/down on trunk1. But

Re: pfsync on VLAN - supported ?

2019-11-14 Thread Rachel Roch
14 Nov 2019, 11:21 by liste...@wernig.net: > On 14.11.2019 11:30, Rachel Roch wrote: > >>>> Does this mean Bad Things (TM) will happen if I try to use a dedicated >>>> vlan interface for pfsync ? >>>> > I have had pfsync running happily over

Re: pfsync on VLAN - supported ?

2019-11-14 Thread Rachel Roch
13 Nov 2019, 20:21 by ch...@nmedia.net: > Rachel Roch [rr...@tutanota.de] wrote: > >> Hi, >> >> Both the man page and FAQ (https://www.openbsd.org/faq/pf/carp.html) >> talk about "physical interface"

pfsync on VLAN - supported ?

2019-11-13 Thread Rachel Roch
Hi, Both the man page and FAQ (https://www.openbsd.org/faq/pf/carp.html) talk about "physical interface" in relation to the syncdev parameter. Does this mean Bad Things (TM) will happen if I try to use a dedicated vlan interface for pfsync ? Thanks

bgpctl sho ri nei terse output vs man page discrepancy

2019-09-22 Thread Rachel Roch
Hi, Hopefully I'm not missing something silly here but I've read the paragraph in the man page and it only lists 15 variables: "The printed numbers are the sent and received open, sent and received notifications, sent and received updates, sent and received keepalives, and sent and received

Re: Prometheus node_exporter on OpenBSD - anyone managed ?

2019-09-20 Thread Rachel Roch
Sep 20, 2019, 15:57 by k...@plek.org: >> On Sep 20, 2019, at 01:38, Rachel Roch >> >> Regarding the other gmake suggestion, that possibility occurred to me after >> sending yesterday's email, but I guess I would have to edit various source >> files to make sure

Re: Prometheus node_exporter on OpenBSD - anyone managed ?

2019-09-20 Thread Rachel Roch
the build with 'gmake'. >> >> >> If you don't already have gmake installed: >> >> >> # pkg_add gmake >> > > Or just do `pkg_add node_exporter`. While prometheus does not provide > a pre-compiled binary OpenBSD does. > >> On Thu, Se

Prometheus node_exporter on OpenBSD - anyone managed ?

2019-09-19 Thread Rachel Roch
Hi, The official Prometheus github repo (https://github.com/prometheus/node_exporter) appears to suggest in multiple places that node_exporter is capable of working on OpenBSD. But although they provide pre-compiled binaries for multiple platforms

Re: NSD & Unbound refusing to bind to IPv6 when anycast flag set ?

2019-05-16 Thread Rachel Roch
> RFC3513 says this: > > o An anycast address must not be used as the source address of > an IPv6 packet. > > o An anycast address must not be assigned to an IPv6 host, that > is, it may be assigned to an IPv6 router only. > > And to help ensure this, the kernel denies binding to an address

NSD & Unbound refusing to bind to IPv6 when anycast flag set ?

2019-05-11 Thread Rachel Roch
I'm still learning IPv6 intricacies, so forgive me if this is a silly question. When I have interfaces set in the standard manner, e.g.: inet6 2001:DB8:beef::1 128 up NSD and Unbound will bind to that address without problem. However if I add the anycast flag: inet6 2001:DB8:beef::1 128

PKCS11 on OpenBSD 6.5 ?

2019-05-11 Thread Rachel Roch
Hi, To save me hours of Googling followed by hours of console bashing I thought perhaps someone here who's "been there, done that, got the T-shirt" can point me in the right direction. So far I've got: • A USB HSM • OpenSC installed (from package) and working (i.e. no problems using

nat-to random : A couple of questions

2019-04-28 Thread Rachel Roch
Hi, I've read the delightful manual but it's a little terse in this area, so I hope some knowledgeable soul can enlighten me: 1) Looking at tcpdumps, I've noticed (on 6.5 have no prior experience with nat-to random to compare against) that 'random' seems to operate more like 'round-robin'

Re: Code of Conduct location

2019-04-28 Thread Rachel Roch
Apr 28, 2019, 9:16 AM by cho...@jtan.com : > Strahil Nikolov writes: > >> Hello All, >> >> can someone point me to the link of the OpenBSD code of Conduct ? >> > > I believe OpenBSD's code of conduct can be summed up as "if you are the > type of person who needs a code of

Re: Down on em fibre doesn't kill Layer 1 ?

2019-04-19 Thread Rachel Roch
Apr 18, 2019, 10:41 AM by s...@spacehopper.org: > On 2019-04-16, Rachel Roch <rr...@tutanota.de> wrote: > >> Hi, >> >> Is it expected behaviour that ifconfig emX down on a fibre interface doesn't >> kill the l

Down on em fibre doesn't kill Layer 1 ?

2019-04-16 Thread Rachel Roch
Hi, Is it expected behaviour that ifconfig emX down on a fibre interface doesn't kill the laser on a GBIC ? Rachel

Re: Viewing SFP diagnostic data in OpenBSD ?

2019-04-12 Thread Rachel Roch
Apr 8, 2019, 5:25 AM by da...@gwynne.id.au: > > >> On 6 Apr 2019, at 01:54, Rachel Roch <rr...@tutanota.de> wrote: >> >> >> >> >> Apr 2, 2019, 11:19 PM by >> da...@gwynne.id.au

Re: bgpd between two 6.4 boxes. IPv6 flapping, IPv4 rock solid

2019-04-02 Thread Rachel Roch
Mar 30, 2019, 11:10 AM by s...@spacehopper.org: > On 2019-03-29, Rachel Roch <rr...@tutanota.de> wrote: > >> Hi, >> >> Has anyone encountered this before ? >> >> Neighbor    AS    Msg

Viewing SFP diagnostic data in OpenBSD ?

2019-04-02 Thread Rachel Roch
Hi, Hopefully I'm just searching the man pages wrong but I can't seem to find any hints as to how I can view SFP diagnostics in OpenBSD (i.e. light power etc.) Perhaps someone could kindly point me in the right direction ? Rachel

Re: bgpd between two 6.4 boxes. IPv6 flapping, IPv4 rock solid

2019-03-29 Thread Rachel Roch
29 Mar 2019, 18:57 by rr...@tutanota.de: > Hi, > > Has anyone encountered this before ? > > Neighbor    AS    MsgRcvd    MsgSent  OutQ Up/Down  State/PrfRcvd > EXT-V6-R2   65515 50 40 0 00:02:55 Active > EXT-V4-R2   65515 38 37 0

bgpd between two 6.4 boxes. IPv6 flapping, IPv4 rock solid

2019-03-29 Thread Rachel Roch
Hi, Has anyone encountered this before ? Neighbor    AS    MsgRcvd    MsgSent  OutQ Up/Down  State/PrfRcvd EXT-V6-R2   65515 50 40 0 00:02:55 Active EXT-V4-R2   65515 38 37 0 00:27:42  1 After approx just over 2 minutes, the V6

Re: How to overrule bioctl "chunk already in use"

2019-03-29 Thread Rachel Roch
29 Mar 2019, 02:42 by n...@holland-consulting.net: > On 3/28/19 10:29 AM, Rachel Roch wrote: > >> Hi, >> >> I've been following the instructions here >> https://www.openbsd.org/faq/faq14.html >>

How to overrule bioctl "chunk already in use"

2019-03-28 Thread Rachel Roch
Hi, I've been following the instructions here https://www.openbsd.org/faq/faq14.html to set up softraid. Unfortunately I somehow messed up the original attempt through my own stupidity. So I've been trying to go through the steps again.  However nothing

Re: Current thinking on OpenBSD "router" "firewall" role separation ?

2019-03-03 Thread Rachel Roch
Mar 3, 2019, 11:34 AM by s...@spacehopper.org: > On 2019-03-02, Rachel Roch <rr...@tutanota.de> wrote: > >> Hi, >> >> I would be interested to find out the community's view on whether separating >> "route

Current thinking on OpenBSD "router" "firewall" role separation ?

2019-03-02 Thread Rachel Roch
Hi, I would be interested to find out the community's view on whether separating "router" and "firewall" roles is still a good thing or whether developments in recent iterations of OpenBSD would permit aggregation whilst maintaining integrity and security ? If you forgive my attempt at ASCII

Any experiences with recent single-socket Dell machines (i.e. R230/R330/R340)

2019-02-02 Thread Rachel Roch
Hi, Subject line says it all really, I'm looking to hear of people's experiences with recent models of Dell single-socket machines (i.e. R230/R330/R340 - especially the newest R340, obviously!). I'm looking for a decent machine with enterprisey features (i.e. hotswap PSU + drives,

Experiences with single mode fibre on OpenBSD ?

2019-01-02 Thread Rachel Roch
Hi, I see the man pages mention the odd SM fibre NIC, which is a good start. However I could do with some real-world feedback from people in terms of the SM NICs they're using and any other experiences with SM on OpenBSD. Thanks ! Rachel

Re: TLS suddenly not working over IKED site-to-site

2018-12-03 Thread Rachel Roch
> Rachel, > > As a first step, try using s_client to connect to a TLS service and see what > comes back: > > $ openssl s_client -connect : -showcerts > > There are more possible options on s_client to debug more deeply but this is > a good start. > > > --Paul > In answer to the above.

Re: TLS suddenly not working over IKED site-to-site

2018-12-03 Thread Rachel Roch
> > Hello, > This appears to be the same thing I have been having issues with and > mentioned in a post to misc last week ("Untable ssl connections over ikev2 > VPN") - (yes, typo intact - it should be "unstable"). > > I have tried adding a "max-mss 1300" directive into pf.conf (i.e.: "match

TLS suddenly not working over IKED site-to-site

2018-12-03 Thread Rachel Roch
I hope someone here can shed light on an infuriating problem I’ve spent a week trying to resolve without luck. The problem concerns an IKED site-to-site VPN on OpenBSD 6.3 (both endpoints fully syspatched). The VPN worked absolutely perfectly until it suddenly started behaving strangely.