Re: Replace PF rule + inetd Proxy with 2 PF rules

2020-02-14 Thread Nick Gustas
On 2/14/2020 6:30 AM, Fabio Martins wrote: Hi Nick, Thanks. I applied both rules below, unfortunately I am still only hitting rule number #1 (rdr-to). nat-to is never reached (added "log" on each to test). I tried inverting the order, too, but no luck. #1 match in on $ext_if proto tcp from

Re: Full disk encryption including /boot, excluding bootloader?

2020-02-14 Thread Frank Beuth
On Thu, Feb 13, 2020 at 01:31:43PM +0100, no@s...@mgedv.net wrote: depends what you want to achieve, but my recommendation is booting from USB and mount encrypted root from the HDD. you can safely remove the usb key after root mount and all your configs/etc files are used from the encrypted

Re: Replace PF rule + inetd Proxy with 2 PF rules

2020-02-14 Thread Fabio Almeida
Hi Fabio (xará), Apparently I achieved this with these rules: -- pass out log on hvn0 inet proto tcp from any port 1024:65535 to 8.8.8.8 port = flags S/SA label "TESTE LISTA" pass in on hvn0 inet proto tcp from any port 1024:65535 to 10.101.0.17 port = 25 flags S/SA label "TESTE LISTA" tag

experience setting up a low memory machine

2020-02-14 Thread rgc
misc@ sharing a recent experience with OpenBSD 6.6 and old, low spec, low memory devices. remember the Toshiba Libretto? back in 2000, OpenBSD got some CPU time on one of mine. sadly that Libretto is now dead, and with the current state of affairs, it won't be able to run OpenBSD. last weekend i

strongSwan cannot install IPsec policies on OpenBSD

2020-02-14 Thread Peter Müller
Hello openbsd-misc, during some flaws in OpenIKED, I am forced to use strongSwan as an IPsec client on an OpenBSD 6.6 machine. While establishing an IKE_SA works fine, installing policies for CHILD_SA fails (as expected): > unable to install IPsec policies (SPD) in kernel > failed to establish

Re: Replace PF rule + inetd Proxy with 2 PF rules

2020-02-14 Thread Fabio Martins
I am trying now only with the redirect to www.openbsd.org, if it works, I am sure it can be adapted to my case. Unfortunately still no success. # pf.conf: ext_if="xnf0" match in log on $ext_if proto tcp from any to ($ext_if) port 8099 tag RDR \ rdr-to 129.128.5.194 port 80 match out log on

Re: strongSwan cannot install IPsec policies on OpenBSD

2020-02-14 Thread Stuart Henderson
On 2020-02-14, Peter Müller wrote: > Hello openbsd-misc, > > during some flaws in OpenIKED, I am forced to use strongSwan as an IPsec > client on an > OpenBSD 6.6 machine. While establishing an IKE_SA works fine, installing > policies for CHILD_SA > fails (as expected): > >> unable to install

Re: Replace PF rule + inetd Proxy with 2 PF rules

2020-02-14 Thread Nick Gustas
On 2/14/2020 11:21 AM, Fabio Martins wrote: I am trying now only with the redirect to www.openbsd.org, if it works, I am sure it can be adapted to my case. Unfortunately still no success. # pf.conf: ext_if="xnf0" match in log on $ext_if proto tcp from any to ($ext_if) port 8099 tag RDR \

Re: experience setting up a low memory machine

2020-02-14 Thread Noth
I wouldn't call 64Mb "small" for memory, it's tiny. Even 20 years ago 64 wasn't really enough. The introduction of kernel relinking on boot has been noted since 6.5 (or was it 6.4?) to make tiny memory systems obsolete. They simply can't cope. Theo has noted he has other projects in the

Re: Replace PF rule + inetd Proxy with 2 PF rules

2020-02-14 Thread Fabio Martins
Hi Nick, Thanks. I applied both rules below, unfortunately I am still only hitting rule number #1 (rdr-to). nat-to is never reached (added "log" on each to test). I tried inverting the order, too, but no luck. #1 match in on $ext_if proto tcp from to ($ext_if) port 25 \ rdr-to 200.200.200.200

Re: Full disk encryption including /boot, excluding bootloader?

2020-02-14 Thread Sebastian Benoit
no@s...@mgedv.net(nos...@mgedv.net) on 2020.02.13 13:31:43 +0100: > > > On Linux you can do the following: > > > { [1MB unencrypted GRUB bootloader partition] [Rest of hard drive > entirely encrypted] } > ... which i would consider to be as insecure, as unencrypted root at all. ... which totally