Flag to move isakmpd default keys dir?

2011-06-04 Thread Paul Suh
Folks, I've been working with the flashrd system for booting from compact flash media, and ran across a case where I'd like to make some changes to isakmpd, but before I do so I'm not sure that it's a good idea. The location for certificates, CA's, private keys, etc. is hard-coded in

Re: Flag to move isakmpd default keys dir?

2011-06-05 Thread Paul Suh
Stuart, I tried using a symlink, but isakmpd didn't seem to like it. --Paul On Jun 5, 2011, at 7:00 AM, Stuart Henderson wrote: Can't you just use symlinks? On 2011-06-05, Paul Suh pl...@goodeast.com wrote: Folks, I've been working with the flashrd system for booting from compact flash

Re: Flag to move isakmpd default keys dir?

2011-06-14 Thread Paul Suh
On Jun 5, 2011, at 2:42 PM, Stuart Henderson wrote: On 2011/06/05 13:09, Paul Suh wrote: Stuart, I tried using a symlink, but isakmpd didn't seem to like it. For the file or the whole directory? It seems to work with /etc/isakmpd - /somewhere/else. Stuart, Sorry about the delay but my

Re: Flag to move isakmpd default keys dir?

2011-06-14 Thread Paul Suh
On Jun 7, 2011, at 11:29 AM, Rodolfo Gouveia wrote: On 06/05/2011 02:37 AM, Paul Suh wrote: Folks, I've been working with the flashrd system for booting from compact flash media, and ran across a case where I'd like to make some changes to isakmpd, but before I do so I'm not sure that it's

Re: Hardware recommendation?

2011-06-20 Thread Paul Suh
Nick, I'm getting about 40 Mbit/sec throughput with a Soekris Net4801, so the 5501 or 2d13 are both more than enough box for basic filtering. A lot depends on how much content filtering you want to do. Some simple QoS and squid rules won't place any serious load on it, but if you want to use

Re: website down from here

2011-06-20 Thread Paul Suh
On Jun 21, 2011, at 12:37 AM, Samuel Baldwin wrote: 2011/6/21 patric conant mirage.comput...@gmail.com: $ ping www.openbsd.org PING www.openbsd.org (142.244.12.42): 56 data bytes --- www.openbsd.org ping statistics --- 7 packets transmitted, 0 packets received, 100.0% packet loss also

Can one interface have an IP address and bridge as well?

2011-06-21 Thread Paul Suh
Folks, Is this possible and/or a good idea? I have a router with three interfaces: sis0: external interface, IPv4 address 1.2.3.4/24 sis1: internal interface, IPv4 address 192.168.1.1/24 sis2: DMZ interface, IPv4 address 192.168.2.1/24 NAT rules pass all traffic from the internal and DMZ zones

Re: Can one interface have an IP address and bridge as well?

2011-06-22 Thread Paul Suh
on? It might be possible to do bridging and nat on the same interface (possibly using bridge rules and PF tags) but at best you're setting yourself up for a complicated and fragile ruleset. On 2011-06-22, Shane Lazarus shane.laza...@pobox.com wrote: Heya On Wed, Jun 22, 2011 at 12:13 PM, Paul

Re: Is your switch a single point of failure?

2011-07-06 Thread Paul Suh
Sam, On Jul 6, 2011, at 3:31 AM, Sam Vaughan wrote: I should be able to avoid the need for a switch on the upstream side by getting the ISP to provide me with two links from the rack router, one for each firewall board. These links would be CARP'd to share one external static IP. I'd be

Re: Anyone know of an smtp-proxy (or other mechanism) for routing mail to different IMAP servers depending recipient address?

2011-07-07 Thread Paul Suh
Paul Suh http://www.ps-enable.com/ paul@ps-enable.com (240) 672-4212

Re: How does OpenBSD compare to Ubuntu Server?

2011-07-09 Thread Paul Suh
On Jul 9, 2011, at 11:34 AM, Nico Kadel-Garcia wrote: On Thu, Jul 7, 2011 at 1:45 PM, Alexander Schrijver alexander.schrij...@gmail.com wrote: For starters, there is 100% consensus among developers that we'll never use newfangled overengineered stuff like System V init. You mean Upstart!

Re: isakmpd and INVALID_COOKIE

2011-07-09 Thread Paul Suh
Hmm.. sounds like this might be a candidate for -STABLE? --Paul On Jul 8, 2011, at 10:09 AM, Stuart Henderson wrote: On 2011-07-08, Tony Sarendal t...@polarcap.org wrote: If you're running isakmpd from 4.8 or 4.9 with IKE you want to pull up src/sbin/isakmpd/dh.c to r1.14 otherwise you

Re: apache ssl behind nat problems

2011-07-11 Thread Paul Suh
On Jul 11, 2011, at 5:57 PM, Jacob L. Leifman wrote: Environment: - OpenBSD 4.9, stock (base) apache with self-signed certificate - behind a SOHO NAT router (with relevant in-bound redirects) Problem: non-local SSL connections never complete the handshake (verified while monitoring the

Re: How does OpenBSD compare to Ubuntu Server?

2011-07-12 Thread Paul Suh
brraaiiinsss. B-) On Jul 12, 2011, at 7:25 PM, Zeb Packard wrote: I think it worked. Sent from my iclone. On Tue, Jul 12, 2011 at 4:23 PM, Marco Peereboom sl...@peereboom.us wrote: shoot it again son. On Tue, Jul 12, 2011 at 03:59:31PM -0700, Zeb Packard wrote: Help, i shot it

Re: apache ssl behind nat problems

2011-07-12 Thread Paul Suh
On Jul 12, 2011, at 9:35 PM, Jacob L. Leifman wrote: FWIW, I'm guessing that the problem is at the router. The packet trace is showing a TCP SYN coming from the client, followed correctly by a SYN-ACK going back from the server. The client should send an ACK packet back, but instead it waits

Re: ISAKMPD

2011-07-14 Thread Paul Suh
Folks, Hmm -- it's not showing on the 4.9 or 4.8 Errata pages: http://www.openbsd.org/errata49.html http://www.openbsd.org/errata48.html If it's easy to pull the diff it shouldn't be hard to post it, and it would be a nice thing to do for folks who have scripts that notify them on changes of the

Re: Bug Tracking system does not work

2011-07-19 Thread Paul Suh
On Jul 18, 2011, at 6:24 PM, Ted Unangst wrote: On Mon, Jul 18, 2011, Sergey Bronnikov wrote: may be proper link is http://www.openbsd.org/query-pr.html The bug tracker is down and will stay that way for some time. Ted, Is there something that we can do to help? --Paul On 17:28

Re: Jail-System for OpenBSD

2011-07-21 Thread Paul Suh
Folks, I would add that sysjail (not the FreeBSD implementation but the implementation http://sysjail.bsd.lv/ based on systrace(4)) has known holes that make it unsuitable as a security tool; please don't use it. I had the privilege of speaking with Robert Watson directly at a conference a few

Quad-Gigabit 1U mini-itx board recommendations?

2011-08-29 Thread Paul Suh
Folks, I'm looking for a mini-ITX motherboard with at least 4 x Gig-E ports. I would like to fit two of them into a 1U, dual mini-ITX case to have a CARP/SASYNC pair with connections to external, internal, and DMZ zones. http://www.casetronic.com/product_d.php?id=16 Using Google I've

Re: Quad-Gigabit 1U mini-itx board recommendations?

2011-08-31 Thread Paul Suh
On Aug 30, 2011, at 3:08 AM, Henrique António Evaristo wrote: Humm, nice ... I was interested in knowing the power consumption of that setup. Do you have any possibility to provide that? Thanks. Best regards, Henrique Henrique, I will be in a position to post on power consumption of my

Re: Quad-Gigabit 1U mini-itx board recommendations?

2011-08-31 Thread Paul Suh
On Aug 30, 2011, at 3:18 AM, Paul de Weerd wrote: Are you putting two boards in one case for redundancy / high availability ? So that, when one fails the other can ... be taken down too to fix the first one ? Paul, As far as I can tell, the two sides are fully independent of each other. As

Re: Quad-Gigabit 1U mini-itx board recommendations?

2011-08-31 Thread Paul Suh
On Aug 30, 2011, at 2:03 AM, Johan Linner wrote: We're running OpenBSD 4.9 on: http://www.mini-itx.com/store/?c=47#jnc92-330 with Jetway 3x Gigabit LAN Motherboard Modules: http://www.mini-itx.com/store/?c=34#modules Works great. Johan, Thanks for the info! --Paul

Re: Quad-Gigabit 1U mini-itx board recommendations?

2011-08-31 Thread Paul Suh
On Aug 30, 2011, at 9:47 AM, Stuart Henderson wrote: On 2011-08-29, Paul Suh pl...@goodeast.com wrote: I'm looking for a mini-ITX motherboard with at least 4 x Gig-E ports. I would like to fit two of them into a 1U, dual mini-ITX case to have a CARP/SASYNC pair with connections to external

Re: Quad-Gigabit 1U mini-itx board recommendations?

2011-08-31 Thread Paul Suh
On Aug 30, 2011, at 2:34 AM, Martin Schröder wrote: 2011/8/30 Paul Suh pl...@goodeast.com: I'm looking for a mini-ITX motherboard with at least 4 x Gig-E ports. I would Not a board, but full computers: http://www.lannerinc.com/Embedded_Computing/All-Purpose_Box_Computers/LEC-212 6 http

ipsec packets don't show up at destination enc0 interface

2011-02-02 Thread Paul Suh
Folks, I'm running 4.8-stable on one end and 4.5-stable at the other of a site-to-site IPSec VPN tunnel. (I'm trying to make sure that things are working before upgrading the 4.5-stable end.) The tunnel is configured using ipsec.conf and ipsecctl, and the relevant portions of the configs are:

Re: ipsec packets don't show up at destination enc0 interface

2011-02-02 Thread Paul Suh
That seems to have fixed it, thanks! --Paul On Feb 2, 2011, at 5:12 AM, Otto Moerbeek wrote: On Wed, Feb 02, 2011 at 03:05:49AM -0500, Paul Suh wrote: Folks, I'm running 4.8-stable on one end and 4.5-stable at the other of a site-to-site IPSec VPN tunnel. (I'm trying to make sure

Asymmetric load balancing?

2011-04-09 Thread Paul Suh
the FIOS link, then send any overflow to the ADSL line, or (B) set the pf load balancing so that it favors the FIOS link over the ADSL link by a 10:3 ratio. Is there a pf config that does this, or do I need to get hacking? --Paul Paul Suh http://www.ps

Re: Update OpenBSD Remotely

2015-05-17 Thread Paul Suh
On May 17, 2015, at 10:08 AM, Peter Leber leberpe...@web.de wrote: I want to build a test system based on OpenBSD 5.7 which updates in an automated fashion. The goal is to have a remotely located machine which runs OpenBSD 5.7 and is constantly updated. While restarting the machine remotely

Re: Creating and protecting flash installed OpenBSD image

2015-04-04 Thread Paul Suh
On Apr 3, 2015, at 5:30 AM, Denis Lapshin den...@mindall.org wrote: Interesting does anybody have experience of creating flash memory image with OpenBSD system running. I see this like extracting all of soldered FLASH memory contents in to RAM and running from where. Flash memory image

Re: random.seed question

2015-11-26 Thread Paul Suh
> On Thu, Nov 26, 2015 at 01:30:51PM +0100, Marko Cupać wrote: > > | The reason why I am asking is the fact that I am preparing pcengines > | apu box which needs to be read-only because of reduced sdcard wear but > | also because it is going to be placed in remote environment with > | frequent

Re: Long life on SSD in a firewall environment

2016-06-19 Thread Paul Suh
> On Jun 19, 2016, at 5:56 AM, Sjöholm Per-Olov wrote: > > Hi > > Does anyone know if there exist any list of recommendations about how to make > an SSD disk to live as long as possible when using it for firewall purpose on > OpenBSD? It seems that OpenBSD lack some features

Re: 5.8 IKEv2 with OSX 10.11.3

2016-01-31 Thread Paul Suh
DY - First things first. Can you please post a printout of the certificate in text and PEM format? Clearly the OS X machine doesn't like the subjectAltName, but there may be other issues as well. --Paul > On Jan 31, 2016, at 1:16 AM, Dot Yet wrote: > > Forgot to mention

Re: Syntax error in pf rules

2016-03-31 Thread Paul Suh
> On Mar 30, 2016, at 10:58 PM, Adam Smith wrote: > > Are you the owner of misc@openbsd.org? > >> --- dera...@cvs.openbsd.org wrote: >> >> From: Theo de Raadt >> To: ken...@dcemail.com >> >>> I know. Do you have proof that I hadn't put in my

Re: your mail

2016-05-17 Thread Paul Suh
Bah, humbug! TECO Rulez! > On May 17, 2016, at 5:47 AM, Roderick wrote: > > On Mon, 16 May 2016, 1 9 wrote: > >> What editor? vim or emacs? what is the reason?

I am thankful for OpenBSD quality docs

2016-05-17 Thread Paul Suh
Folks, I've been playing over at Alpine Linux, to get support for a WiFi card that is not supported under OpenBSD. Their installation instructions and general documentation are horribly confused and outdated. Makes me long for our goodness here. --Paul

Re: I am thankful for OpenBSD quality docs

2016-05-17 Thread Paul Suh
> On May 17, 2016, at 11:17 AM, Donald Allen wrote: > > My point is that good documentation is not > easy to do, something I think many of us tend to forget. It's also > less fun than writing code. Things like K that explain their subject > so concisely and yet completely

Support for Realtek wifi card?

2016-05-08 Thread Paul Suh
Folks, Can someone give me a read on support for Realtek WiFi cards -- specifically the support for the 8723BE? I'm thinking it's along the lines of "ba-ha-ha-ha-ha you're joking right?". It's not critical for me -- I got the little box because it has 4 GigE ports and an Atom D525, the WiFi would

Re: Looking for a way to deal with unwanted HTTP requests using mod_perl

2016-09-29 Thread Paul Suh
On Sep 28, 2016, at 10:04 PM, Chris Bennett wrote: > > I don't think bruteforce will be helpful in my case. I do occasionally > get bruteforce attacks, but not very often. > What I usually get are identical attacks of a certain set of variations > of URLs from

Re: OpenBSD 6.0 bsd.rd doesn't boot on soekris net4801 [solved, but ...]

2016-10-02 Thread Paul Suh
> On Oct 2, 2016, at 3:06 PM, Peer Janssen wrote: > > Now I reinstalled on another CF-Disk (4GB Transcend) with another method > (miniboot.fs), this went through and first-rebooted just fine. > > But now halting the machine produces a panic: Peer, I suspect that part of the problem

Re: Hardware recommendations for compact 1U firewall

2017-01-09 Thread Paul Suh
> On Dec 16, 2016, at 8:32 PM, Predrag Punosevac wrote: > > This is my favorite Ebay seller and they have lots of nice network > equipment for home, small, and large business. > > http://stores.ebay.com/MITXPC/ +1 for MITXPC. I've purchased several systems from them over

Re: OT: Recommendations for a CMS?

2017-05-12 Thread Paul Suh
> On May 12, 2017, at 11:34 AM, Michael Hekeler <mich...@hekeler.com> wrote: > > Am Wed, 10 May 2017 15:58:18 -0400 > schrieb Paul Suh <pl...@goodeast.com>: > >> (...) >>> https://redaxo.org >> >> I guess it's ok, but the site is ent

Re: OT: Recommendations for a CMS?

2017-05-10 Thread Paul Suh
Thanks to everyone for suggestions and ideas. My comments on some of the suggestions, in more or less chronological order: > I would recommend something like Magento Magento is total overkill -- this is not an e-commerce site and the additional exposed attack surface is horrendous. >

DNS hijacking (was Re: Is this an intrusion?)

2017-06-17 Thread Paul Suh
On Jun 16, 2017, at 9:32 PM, Joe Holden wrote: > > It is done by the VM dns servers, if you visit a domain that doesn't > exist you should be directed to the advanced search page, there *should* > be a link to disable it there, but if not login to your account and >

Re: IPsec and certificates

2017-05-07 Thread Paul Suh
> On May 7, 2017, at 2:10 PM, Steve Shockley > wrote: > > I'm trying to get IPsec set up in transport mode using isakmpd, between > OpenBSD 6.0, Windows 2008R2+, and i5/OS 7.1. I've already gotten everything > working using PSK, but I'd like to use certificates.

OT: Recommendations for a CMS?

2017-05-07 Thread Paul Suh
Folks, Completely off topic, but I'd value input from this community in particular. I need to recommend a (replacement) CMS for the public-facing web site for my day job. My wants: 1) NOT Wordpress -- I don't need the security headaches. 2) Allows updates by users who don't know HTML and for

IPSec Flow and SA to unexpected subnet

2017-11-26 Thread Paul Suh
Folks, I set up a router using 6.2-stable, and created IKEv1 tunnels using isakmpd, something I've done many times before. The other end is a Sonicwall NSA 4500, which I've used as an endpoint before as well. My ipsec.conf file is: > ike active esp \ > from 192.168.144.0/24 \ >

Pass through a single external IP address and NAT others

2018-10-24 Thread Paul Suh
Folks, I'm about to make a change in my external networking setup. I have 5 public IPs from Verizon FIOS and all 5 are coming into an OpenBSD 6.3 (shortly to be 6.4) box using pf and NAT. I would like to have four of the IPs continue to come into the OpenBSD box but pass through the fifth IP

Re: TLS suddenly not working over IKED site-to-site

2018-12-03 Thread Paul Suh
> On Dec 3, 2018, at 12:18 PM, Rachel Roch wrote: > > I hope someone here can shed light on an infuriating problem I’ve spent a > week trying to resolve without luck. > > The problem concerns an IKED site-to-site VPN on OpenBSD 6.3 (both endpoints > fully syspatched). > > The VPN worked

Mac laptop to iked errors

2018-12-06 Thread Paul Suh
Folks, Fiddling with a basic iked configuration: ikev2 roadwarrior \ from any to 172.31.0.0/20 \ local 172.31.15.102 peer any \ config address 172.31.0.224/28 \ config protected-subnet 172.31.0.0/20 \ tag "IKED" I created a ca and certs using ikectl using hostnames. When

Re: Cheaper alternatives for APC UPS

2018-12-28 Thread Paul Suh
On Dec 23, 2018, at 7:13 AM, Stuart Henderson wrote: > > I have had APCs that required a crowbar to remove the batteries before ;) > Whatever brand, it's probably a good idea to schedule a battery inspection > from time to time. I would second this and go further. I spent four years working in

Re: Are there open source firewall distributions which are built on top of OpenBSD?

2019-03-13 Thread Paul Suh
> On Mar 13, 2019, at 6:05 AM, Stuart Henderson wrote: > > On 2019-03-13, Mehma Sarja wrote: >> My current setup is basic firewall with DHCP, NAT and routing. But there is >> power in the simplicity. When something goes wrong -and it has happened >> twice due to power failures, there is so

Linux equivalent of ifstated?

2019-04-18 Thread Paul Suh
Folks, Sorry to pollute with non-OpenBSD but it's sorta related. I need to work on a Linux system and I need the functionality of ifstated(8), in particular with respect to arbitrary tests as well as interface state. The ifupdown scripts are not sufficient. Can anyone tell me the

Re: serial console images for installing on vmd based guests

2019-03-13 Thread Paul Suh
> On Mar 13, 2019, at 6:30 PM, Chris Cappuccio wrote: > > I think I'm just too stupid to use Linux. I know grub-based boot loaders give > you that option, but then I went to try Alpine Linux, and from what I'm > finding, I have to setup a config file put it back into the ISO. Chris, I've