Re: [PF] bug in port range.

2012-01-04 Thread Henning Brauer
* Patrick Lamaiziere patf...@davenulle.org [2012-01-03 19:00]:
> Well because for me 80:82 is (80, 81, 82) and 82:80 the same
> items and so the same range.

but it is NOT the same. I'd claim your expectation is strange ;)

> So what is the meaning for PF of the range 82:80? If this is
> nonsense, an error from pfctl would be cool.

it isn't nonsense, it just can't match. that is not an error, strictly
speaking.

it comes down to basic unix philosophy. the system doesn't assume it
is more clever than its operator. it does exactly what you tell it to
do, no more, no less.

> > port 82  80 defines a range that can't match, and it doesn't. as in,
> > all is good. when you mean 80  82 you ought to write 80  82 and
> > not 82  80.
>
> Sure, but when using service names it's easy to make a mistake. In fact
> I've found this strange behavior while translating a Cisco ACL:
>
> permit tcp any any range ftp ftp-data
>
> Translated to port ftp:ftp-data, which if I understand well does not
> mean anything for PF.

right. pilot error.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
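The inverted-range pitfall from the exchange above, as an added example rather than code from the thread: a small pf.conf lint that resolves service names (through the local services database, with a constructed fallback table) and flags `port low:high` specs whose low end exceeds the high end, such as ftp:ftp-data resolving to 21:20. The sample rules and the `lint_rules` helper are assumptions of mine; pf's `port { ... }` list syntax is not parsed.

```python
"""Lint pf port specs for ranges that can never match (added example)."""
import re
import socket

# Constructed fallback for hosts without a usable /etc/services.
_FALLBACK = {"ftp-data": 20, "ftp": 21, "ssh": 22, "http": 80, "https": 443}

# Matches "port 80", "port 80:82" or "port ftp:ftp-data"; pf's
# "port { ... }" list syntax is deliberately not handled here.
_PORT_RE = re.compile(r"\bport\s+([\w-]+(?::[\w-]+)?)")


def resolve_port(token, proto="tcp"):
    """Turn a numeric port or a service name into a port number."""
    if token.isdigit():
        return int(token)
    try:
        return socket.getservbyname(token, proto)
    except OSError:  # no services database on this host
        return _FALLBACK[token]


def check_range(spec, proto="tcp"):
    """Return (low, high, can_match) for a 'low:high' or single-port spec.

    pf reads low:high as the inclusive range low..high, so 82:80 is legal
    syntax that matches nothing; ftp:ftp-data resolves to 21:20 and is the
    same silent mistake made through service names.
    """
    parts = spec.split(":")
    if len(parts) == 1:
        port = resolve_port(parts[0], proto)
        return (port, port, True)
    if len(parts) != 2:
        raise ValueError("bad port spec: %s" % spec)
    low, high = (resolve_port(p, proto) for p in parts)
    return (low, high, low <= high)


def lint_rules(rules, proto="tcp"):
    """Return (rule, spec, low, high) for every port range that cannot match."""
    findings = []
    for rule in rules:
        for spec in _PORT_RE.findall(rule):
            low, high, ok = check_range(spec, proto)
            if not ok:
                findings.append((rule, spec, low, high))
    return findings


if __name__ == "__main__":
    # Constructed rules: the second one is the Cisco "range ftp ftp-data"
    # translation from the thread.
    sample = [
        "pass in proto tcp from any to any port 80:82",
        "pass in proto tcp from any to any port ftp:ftp-data",
    ]
    for rule, spec, low, high in lint_rules(sample):
        print("never matches: port %s resolves to %d:%d in: %s"
              % (spec, low, high, rule))
```

A range that never matches is a silent failure: a `block` written that way blocks nothing and a `pass` admits nothing, so running such a check before `pfctl -f` is cheap insurance.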



Re: PF Snort tutorial

2012-01-04 Thread Wesley M.
Hi,

Perhaps, this can be helpful ;-)
http://www.procyonlabs.com/guides/openbsd/snort/

Cheers,

Wesley MOUEDINE ASSABY
http://mouedine.net/ruleset50.aspx

On Tue, 3 Jan 2012 17:56:13 -0500, Bentley, Dain dbent...@nas.edu
wrote:
> ugh...that's what I thought.
> I'm reading through some OSSEC docs right now and it seems pretty
> promising.
> Having trouble finding anything about having it read from pflog.
>
> From: Andres Genovez [andresgeno...@gmail.com]
> Sent: Tuesday, January 03, 2012 3:04 PM
> To: Bentley, Dain
> Cc: misc@openbsd.org
> Subject: Re: PF Snort tutorial
>
> 2012/1/3 Bentley, Dain dbent...@nas.edu
> I've been looking around for a good tutorial on implementing snort with
> PF and everything I see is old, does anyone know of or have implemented a
> solution using an IDS/IPS with PF on the same box?  If possible I'd like
> snort or some other IDS inspect packets and have pf drop them based on
> the fact they match certain signatures.  Thanks in advance.
>
>
> Implementing that is really a Pain in the hell out..I did it on a 4.9,
> I need to do it from sources, there is no complete tutorial, it works on
> 4.9, not implemented with PF though...
>
> Greetings...
>
>
>
> --
> Sincerely
>
> Andres Genovez Tobar / Tecnico
> Elastix ECE - Linux & LPI-1 - Novell CLA - Apple ACMT
> http://www.puntonet.ec



Re: PF Snort tutorial

2012-01-04 Thread Wesley M.
Also, an idea, add scanlogd package, and do a small script to add ip in
log to your pf table ;-)

Cheers,

Wesley MOUEDINE ASSABY
http://mouedine.net/ruleset50.aspx


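Wesley's scanlogd idea above, worked through as an added example that is not code from the thread: parse scanlogd's syslog lines (the line shape and the sample lines are constructed assumptions; compare with your own /var/log/messages), skip an allow-list of addresses that must never be banned, and build the `pfctl -t <table> -T add` invocation that feeds the remaining sources into a pf table.

```python
"""Turn scanlogd syslog lines into a pf table update (added example)."""
import ipaddress
import re

# ASSUMED line shape: "<date> <host> scanlogd: <src> to <dst> ports ...";
# some builds prefix the source with "From ", hence the optional group.
# Check this against your own syslog output before relying on it.
_SCAN_RE = re.compile(
    r"scanlogd: (?:From )?(\d{1,3}(?:\.\d{1,3}){3}) to (\d{1,3}(?:\.\d{1,3}){3}) ports"
)

# Addresses that must never land in the block table, e.g. your own
# management network (constructed value).
ALLOW = [ipaddress.ip_network("192.0.2.0/24")]


def scanners_from_log(lines, allow=ALLOW):
    """Return the sorted, unique scan sources that are not allow-listed."""
    found = set()
    for line in lines:
        match = _SCAN_RE.search(line)
        if not match:
            continue
        try:
            src = ipaddress.ip_address(match.group(1))
        except ValueError:  # malformed address such as 999.1.1.1
            continue
        if any(src in net for net in allow):
            continue
        found.add(src)
    return sorted(found)


def pfctl_add_command(table, addrs):
    """argv that adds addrs to the pf table; None when there is nothing to add."""
    if not addrs:
        return None
    return ["pfctl", "-t", table, "-T", "add"] + [str(a) for a in addrs]


# Constructed sample log lines for an offline run.
SAMPLE_LOG = [
    "Jan  4 10:01:02 gw scanlogd: 198.51.100.7 to 203.0.113.5 ports 21, 22, "
    "23, 25, 80, 110, 143, ..., f?pauxy, TOS 00, TTL 54 @10:01:02",
    "Jan  4 10:01:09 gw sshd[1234]: Accepted publickey for admin from 192.0.2.10",
    "Jan  4 10:03:44 gw scanlogd: 192.0.2.10 to 203.0.113.5 ports 80, 443, "
    "8080, ..., TOS 00, TTL 64 @10:03:44",
    "Jan  4 10:05:00 gw scanlogd: 198.51.100.7 to 203.0.113.5 ports 993, 995, "
    "..., TOS 00, TTL 54 @10:05:00",
]

if __name__ == "__main__":
    cmd = pfctl_add_command("scanners", scanners_from_log(SAMPLE_LOG))
    print(cmd)  # as root on the firewall: subprocess.run(cmd, check=True)
```

The table has to be declared in pf.conf (`table <scanners> persist`) and referenced by a rule such as `block in quick from <scanners>`, and an allow-list is what keeps a spoofed or mistaken detection from locking you out of your own box.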



ISAKMPD question: ID-type ASN1_...?

2012-01-04 Thread Toni Mueller
Hi,

I've run into an interoperability problem with an Astaro, which does not
like our certificate. The certificate basically looks like

...
  Subject: C=DE, L=..., CN=IP-number
...
  Subject Alternative Name: IPv4 Address: IP-number
...


Now the Astaro is said to require an ID type of ASN1-DN, when used in
conjunction with X.509 certificates, but it also appears that OpenBSD
can't send that to the remote side. Or am I wrong?

TIA!


Kind regards,
--Toni++



Re: ISAKMPD question: ID-type ASN1_...?

2012-01-04 Thread Ingo Schwarze
Hi Toni,

Toni Mueller wrote on Wed, Jan 04, 2012 at 06:09:55PM +0100:

> I've run into an interoperability problem with an Astaro, which does
> not like our certificate. The certificate basically looks like
>
> ...
>   Subject: C=DE, L=..., CN=IP-number
> ...
>   Subject Alternative Name: IPv4 Address: IP-number
> ...
>
> Now the Astaro is said to require an ID type of ASN1-DN,
> when used in conjunction with X.509 certificates,

A colleague of mine working on the IPsec subsystem of the ASG
says that the ASG can be configured to accept an ID-type
of IP-number, if I understand correctly what he says.

So maybe, the problem might not be on the OpenBSD side, but the ASG
might be misconfigured.  In case you do not manage to solve this
yourself, consider calling Astaro support or check out the
Astaro User Bulletin Board (astaro.org, a public support forum).

Yours,
  Ingo

-- 
ingo.schwa...@sophos.com | Software Engineer, Network Security
Astaro GmbH & Co. KG - a Sophos company | 76227 Karlsruhe, Germany
www.astaro.com | www.sophos.com




ro / and /etc on mfs - clarification

2012-01-04 Thread Jiri B
Hello,

I was reading a couple of howtos (yeah!) about a read-only / with
/etc as mfs.

I suppose these howtos overlook the problem of the unavailability of some
important files.

I suppose boot and init need some files in /etc before running
/etc/rc, like ttys and master.passwd etc... If you mount /etc
as mfs over the old /etc used by init, I think you can see the following:

* you cannot modify files hidden under the mounted-over /etc

...and...

* init in single user would ask you for a different root password
  than the one used in the normal state

I apologize if anybody would complain that this is not a supported
solution but anyway, what is your workaround and what do you
think about the solution below?

jirib

files before init:
==
/etc/boot.conf

files needed by init:
=
/etc/rc
/etc/ttys
/etc/passwd
/etc/master.passwd
/etc/ptmp # ignore!
/etc/pwd.db
/etc/spwd.db
/etc/login.conf

files used by /etc/rc before `mount'

/etc/defaultdomain # ignored by me
/etc/rc.conf # this could be theoretically skipped
 # if moved later in /etc/rc
/etc/raid$dev.conf # ignored by me
/etc/fstab

scenario:
=

* mkdir /proto_etc
* cp -Rp /etc/* /proto_etc
* mkdir /pre_etc
* cd /pre_etc
* # hard links keep the original inodes reachable once the mfs covers /etc
  for i in boot.conf rc ttys passwd master.passwd pwd.db spwd.db login.conf \
      fstab rc.conf ; do
    ln /etc/$i $i
  done
* mount_mfs -s 20M -P /proto_etc swap /etc
* rsync -vhaz --delete \
  --exclude boot.conf \
  --exclude rc \
  --exclude ttys \
  --exclude passwd \
  --exclude master.passwd \
  --exclude pwd.db \
  --exclude spwd.db \
  --exclude login.conf \
  --exclude fstab \
  --exclude rc.conf /etc/ /proto_etc/
* cd /etc
* # write the mfs copies back to the hidden originals through the hard links
  for i in boot.conf rc ttys passwd master.passwd pwd.db spwd.db login.conf \
      fstab rc.conf ; do
    cat /etc/$i > /pre_etc/$i
  done





Re: Install without the DNS domain name from DHCP

2012-01-04 Thread bofh
There are other free ones, but dyndns have been severely abused by all
the cheap router manufacturers.  Someone needs to pay the electric
bill.  And I believe the sysadmins like to eat every now and then.

If you don't want to pay for it, then it is a want, not a need.


--
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
This officer's men seem to follow him merely out of idle curiosity.
-- Sandhurst officer cadet evaluation.
Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks
factory where smoking on the job is permitted.  -- Gene Spafford
learn french:  http://www.youtube.com/watch?v=30v_g83VHK4



Re: PF Snort tutorial

2012-01-04 Thread Peter N. M. Hansteen
Wesley M. open...@e-solutions.re writes:

> Perhaps, this can be helpful ;-)
> http://www.procyonlabs.com/guides/openbsd/snort/

It's possible it's quite valid for the Snort parts, but unfortunately
this HOWTO shows several of the features typical of docs maintained by
people who are not, in fact, terribly familiar with OpenBSD:

first off, consider the statement

   One thing a lot of people overlook is patching their OpenBSD
system(s). This is because it is a major pain in the ass. 

Show of hands, how many people here agree with that statement?

Next, the only part of the system he considers important enough to patch
is the kernel.  (OpenBSD has patches for all parts of the base system,
the only patch so far for 4.9 is for bind, not the kernel).

He then moves on to rebuild all packages locally from the ports tree,
but there are no indications that he builds special flavors that are not
already available as downloadable packages.

And finally, he then proceeds to download -- to /usr/src of all places
-- the source archives for Snort and supporting software (which may or
may not be due to some appropriate reason such as the packages (aka
ports) lagging behind upstream), builds and installs them.

All this while working as root (not a sudo in sight, but this may be one
of my grumpier nights). 

If you find this is a useful document, it would be a very smart move to
prod its author to check that the information is still up to date and to
make any changes that are necessary for OpenBSD 5.0. It's only been two
months, but even busy and forgetful people who take an active interest
*should* be able to find the time for keeping their stuff up to date.

As others have said here earlier, any document that claims to be about
OpenBSD and does not live somewhere on http://www.openbsd.org/ should
be treated with caution; one of the things to look out for is some basic
familiarity with OpenBSD, such as the (possibly minor) points I pointed
out earlier.

Cheers,
Peter

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: ro / and /etc on mfs - clarification

2012-01-04 Thread Stuart Henderson
On 2012-01-04, Jiri B ji...@devio.us wrote:
> Hello,
>
> I was reading a couple of howtos (yeah!) about a read-only / with
> /etc as mfs.
>
> I suppose these howtos overlook the problem of the unavailability of some
> important files.
>
> I suppose boot and init need some files in /etc before running
> /etc/rc, like ttys and master.passwd etc... If you mount /etc
> as mfs over the old /etc used by init, I think you can see the following:
>
> * you cannot modify files hidden under the mounted-over /etc
>
> ...and...
>
> * init in single user would ask you for a different root password
>   than the one used in the normal state
>
> I apologize if anybody would complain that this is not a supported
> solution but anyway, what is your workaround and what do you
> think about the solution below?

What's the advantage in having /etc on mfs? Why not just remount /
readonly after booting and mount it read/write when you need to make
changes? If you're looking at something more than this then take
a look at how flashboot does things but I'd only consider that in
special cases..



Re: ro / and /etc on mfs - clarification

2012-01-04 Thread Jiri B
On Thu, Jan 05, 2012 at 01:12:43AM +, Stuart Henderson wrote:
> What's the advantage in having /etc on mfs? Why not just remount /
> readonly after booting and mount it read/write when you need to make
> changes? If you're looking at something more than this then take
> a look at how flashboot does things but I'd only consider that in
> special cases..

As I'm not building a super-small embedded appliance, flashboot is
not optimal.

I wanted to separate services from (not so important) data, thus I
installed OpenBSD on a little usb stick and dedicated a normal disk
to my own data (mp3, source repo, etc...). If the disk went
down, no problem, dns/ssh/pf etc would still work OK. (I'm ignoring
here the discussion of whether the problem is more the disk or the power
supply.)

So why /etc on mfs? Maybe I'm thinking that always remounting / rw
because of a little change to a config file would be too much work when
computers could do that for us invisibly in the background :) (If it
wouldn't crash before sync, of course.)

jirib


