Re: cheapest firewall?
On 2014-02-02, Adam Thompson wrote:
> On 14-02-01 02:37 PM, Adam wrote:
>> Any suggestions for the cheapest possible firewall (that is new
>> hardware not re-purposing some old stuff)? All I need is 2 ethernet
>> interfaces and for it to run openbsd.
>>
>
> Possibly a refurbished PC with an add-in NIC. Locally, I keep seeing
> IBM Pentium4D-class desktops being sold for well under $200, and it's
> usually possible to pick up a single-port PCI NIC for $20. (Less if you
> buy up someone's stock of 100Mbit NICs in bulk.)
> Not sure if that qualifies as "new", precisely, but you will get a
> warranty of some sort.
>

Power consumption is pretty bad with P4, and I don't see how it can possibly
be classed as "new hardware". Of course the original question didn't mention
anything about bandwidth/PPS estimates or whether it needs encryption, which
would be useful in suggesting something.
Re: mail(1) encrypt daily(8) output
On 02/04/14 00:27, Simon Drewitz wrote:
> Hi misc@,
>
> I have set up mail(1) so that it forwards mails such as the output of
> /etc/daily to my mail account and now I want to encrypt these mails
> using my public gpg-key. The best solution I have come up with is
> changing these two lines at the end of /etc/daily:
>
> - } 2>&1 | mail -s "`hostname` daily output" root
> + } 2>&1 | gpg2 --encrypt -r --armor | mail -s "`hostname` daily output" root
>
> ...
>
> - [ -s $MAINOUT ] && mail -s "`hostname` daily insecurity output" root < $MAINOUT
> + [ -s $MAINOUT ] && gpg2 --encrypt -r --armor < $MAINOUT | mail -s "`hostname` daily insecurity output" root
>
> While it perfectly does what I want, I consider it bad habit to change
> /etc/daily itself and would like to know if there is any preferred
> solution to this issue?

I don't know about preferred, but I believe adding this to daily.local would
also solve your issue (and leave other mail to root untouched):

mail() {
	gpg2 --encrypt -r --armor | /usr/bin/mail "$@"
}

/Alexander

> Thanks in advance
> Simon
Re: mail(1) encrypt daily(8) output
On 02/04/14 00:27, Simon Drewitz wrote:
> Hi misc@,
>
> I have set up mail(1) so that it forwards mails such as the output of
> /etc/daily to my mail account and now I want to encrypt these mails
> using my public gpg-key. The best solution I have come up with is
> changing these two lines at the end of /etc/daily:
>
> - } 2>&1 | mail -s "`hostname` daily output" root
> + } 2>&1 | gpg2 --encrypt -r --armor | mail -s "`hostname` daily output" root
>
> ...
>
> - [ -s $MAINOUT ] && mail -s "`hostname` daily insecurity output" root < $MAINOUT
> + [ -s $MAINOUT ] && gpg2 --encrypt -r --armor < $MAINOUT | mail -s "`hostname` daily insecurity output" root
>
> While it perfectly does what I want, I consider it bad habit to change
> /etc/daily itself and would like to know if there is any preferred
> solution to this issue?

add it to ~root/.forward file?

> Thanks in advance
> Simon
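The ~root/.forward route suggested above, worked through as an added example (not code from the thread or from OpenBSD): a filter the MTA runs for each message delivered to root, which re-sends it to a remote mailbox with the body encrypted and, if gpg2 fails, sends a notice rather than the plaintext. The install path, the key id and the destination address are placeholders, and it assumes the MTA allows a pipe in ~root/.forward (restricted shells such as sendmail's smrsh limit which programs may be run).

```shell
#!/bin/sh
# Added example, not from the thread: a filter for the ~root/.forward route.
# Every message delivered to root is re-sent to a remote mailbox with its body
# encrypted to a public key, so the daily(8) report never leaves the host in
# plaintext and /etc/daily stays untouched.
# Assumptions (all placeholders): installed as /usr/local/libexec/gpgforward,
# the MTA honours the ~root/.forward line "|/usr/local/libexec/gpgforward",
# and RECIPIENT names a public key already present in root's keyring.

RECIPIENT="${RECIPIENT:-admin@example.org}"   # key id to encrypt to (placeholder)
DEST="${DEST:-admin@example.org}"             # remote mailbox (placeholder)
SENDMAIL="${SENDMAIL:-/usr/sbin/sendmail}"
GPG="${GPG:-gpg2}"

# Encrypt stdin to RECIPIENT, ASCII-armored, on stdout. --batch stops gpg
# from trying to prompt under the MTA; on failure stdout stays empty and the
# non-zero status lets the caller send a notice instead of the plaintext.
encrypt_stream() {
    "$GPG" --batch --no-tty --encrypt --armor --recipient "$RECIPIENT" 2>/dev/null
}

# Copy only the headers worth preserving from the original (stdin up to the
# first blank line), so the remote mailbox still shows the daily subject.
keep_headers() {
    while IFS= read -r line; do
        [ -z "$line" ] && break
        case "$line" in
            [Ss]ubject:*|[Dd]ate:*|[Ff]rom:*) printf '%s\n' "$line" ;;
        esac
    done
}

# Skip the header block; print the body that follows the first blank line.
body_only() {
    while IFS= read -r line; do
        [ -z "$line" ] && break
    done
    cat
}

# Read one message from stdin, write the re-addressed, encrypted one to stdout.
rewrite_message() {
    msg=$(cat)
    printf '%s\n' "$msg" | keep_headers
    printf 'To: %s\n\n' "$DEST"
    if ! printf '%s\n' "$msg" | body_only | encrypt_stream; then
        # Never fall back to the cleartext body; say why it is missing instead.
        printf 'encryption to %s failed; report body withheld\n' "$RECIPIENT"
    fi
}

# Entry point when the MTA invokes the script through .forward. -oi keeps a
# lone "." line inside the armored ciphertext from ending the message early.
forward_main() {
    rewrite_message | "$SENDMAIL" -oi "$DEST"
}

case "$0" in
    */gpgforward) forward_main ;;   # only run for real under the installed name
esac
```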
mail(1) encrypt daily(8) output
Hi misc@,

I have set up mail(1) so that it forwards mails such as the output of
/etc/daily to my mail account and now I want to encrypt these mails
using my public gpg-key. The best solution I have come up with is
changing these two lines at the end of /etc/daily:

- } 2>&1 | mail -s "`hostname` daily output" root
+ } 2>&1 | gpg2 --encrypt -r --armor | mail -s "`hostname` daily output" root

...

- [ -s $MAINOUT ] && mail -s "`hostname` daily insecurity output" root < $MAINOUT
+ [ -s $MAINOUT ] && gpg2 --encrypt -r --armor < $MAINOUT | mail -s "`hostname` daily insecurity output" root

While it perfectly does what I want, I consider it bad habit to change
/etc/daily itself and would like to know if there is any preferred
solution to this issue?

Thanks in advance
Simon
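Review bot: in both `+` lines `-r` is immediately followed by `--armor`, so as quoted no recipient key id is passed to gpg2; whatever key is meant, the invocation also needs `--batch` (with that key present and trusted in root's keyring) to run unattended from cron(8), or gpg2 may try to prompt and fail. Note also that the pipeline's exit status is mail's, so if gpg2 fails root just receives an empty "daily output" message and the report is silently dropped; failing closed like this is the right direction, but gpg2's status is worth checking so the failure gets noticed.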
Re: The "unknown" in i386-unknown-openbsd5.4
On Mon, Feb 3, 2014 at 6:20 PM, Andy wrote:
> We've all 'written' things that get misinterpreted.. context is often lost
> in written language ;)
>

Which is a good reminder to think before you press send on that email.

--
chs
Re: They are watching you
On 03-02-2014 18:06, patrick keshishian wrote:
> On 2/3/14, Giancarlo Razzolini wrote:
>> On 02-02-2014 20:04, Jason Barbier wrote:
>>> On 02/02/14 11:45, Chris Cappuccio wrote:
>>>> Christian Weisgerber [na...@mips.inka.de] wrote:
>>>>> http://www.cbc.ca/news/politics/csec-used-airport-wi-fi-to-track-canadian-travellers-edward-snowden-documents-1.2517881
>>>>>
>>>>> If you didn't know already, this is your cue to look up ifconfig(8)'s
>>>>> "lladdr random".
>>>>>
>>>> And when you visit the US, Canada, or a number of other countries, the
>>>> NSA keeps a record of every control and text message sent or received by
>>>> your cellular phone. You know, things like your location and who you are
>>>> calling. They aren't quite watching you, it's more like, they're sleeping
>>>> with you :)
>>> Think it would be inappropriate to ask them for dinner since they are
>>> so far up my business?
>>>
>> The truth is that any nerd with decent hardware can do what was done
>> in this specific case. Tracking people with wifi? It can be done with a
>> laptop. It would be nice to have an agent to take me out for dinner. But
>> I believe that we would run out of topics to talk about very quickly,
>> since they already know so much about me.
>
> why? you could have them show you how they did this using
> just a laptop: accessing wifi hotspots starting from the
> airport, to hotels, restaurants and cafe's across town
> cataloging and cross-referencing all the data.. err...meta-data.
> all allegedly without help from or knowledge of the
> hotspot operator. could make a nifty youtube DIY vid.

Put your card in monitor mode. Then capture management frames. And then
you'll know how they did it. Of course they have many more funds than any
individual and can affect many more people than only one nerd with a laptop.
But how they did it is easy to understand. Even without help from the
operators. They would only need help, if any, if the wifi network they wanted
to track you into was closed. And even so, with the proper hardware, hacking
into wpa-psk is feasible. Also even with encryption, you are open to side
channel attacks, and they'll always know how many bytes you sent and received,
as long as they do not lose any frame.

The bottom line is: Don't want to be tracked? Go live in the woods with no
gadgets, nor internet, nor anything else. Also do not forget to wear
camouflage.

Cheers,

--
Giancarlo Razzolini
GPG: 4096R/77B981BC
Re: They are watching you
On 2/3/14, Giancarlo Razzolini wrote:
> On 02-02-2014 20:04, Jason Barbier wrote:
>> On 02/02/14 11:45, Chris Cappuccio wrote:
>>> Christian Weisgerber [na...@mips.inka.de] wrote:
>>>> http://www.cbc.ca/news/politics/csec-used-airport-wi-fi-to-track-canadian-travellers-edward-snowden-documents-1.2517881
>>>>
>>>> If you didn't know already, this is your cue to look up ifconfig(8)'s
>>>> "lladdr random".
>>>>
>>> And when you visit the US, Canada, or a number of other countries, the
>>> NSA keeps a record of every control and text message sent or received by
>>> your cellular phone. You know, things like your location and who you are
>>> calling. They aren't quite watching you, it's more like, they're sleeping
>>> with you :)
>> Think it would be inappropriate to ask them for dinner since they are
>> so far up my business?
>>
> The truth is that any nerd with decent hardware can do what was done
> in this specific case. Tracking people with wifi? It can be done with a
> laptop. It would be nice to have an agent to take me out for dinner. But
> I believe that we would run out of topics to talk about very quickly,
> since they already know so much about me.

why? you could have them show you how they did this using
just a laptop: accessing wifi hotspots starting from the
airport, to hotels, restaurants and cafe's across town
cataloging and cross-referencing all the data.. err...meta-data.
all allegedly without help from or knowledge of the
hotspot operator. could make a nifty youtube DIY vid.
Re: dhclient
On 03-02-2014 14:54, Kenneth Westerback wrote:
> Reactivating the dhclient-script is not going to happen.
>
> I am interested in what you would see syntax in dhclient.conf looking like.
>
> Would multi-path routing modifications to all routes be needed? How should
> this be combined with supersede/default/append commands for the relevant
> options? Would it apply to all members of each option, or route by
> route?
>
> If all else fails you can always use the ISC dhclient from ports to
> gain access to a dhclient-script again.
>
> Ken
>
> On 31 January 2014 02:04, Holger Glaess wrote:
>> On 30.01.2014 13:10, Giancarlo Razzolini wrote:
>>
>>> On 29-01-2014 18:13, Holger Glaess wrote:
>>>> hi
>>>>
>>>> I try to set up a multipath configuration with 2 line providers:
>>>>
>>>> 1 cable with dhcp(client)
>>>> 1 with pppoe
>>>>
>>>> just dynamic ips.
>>>>
>>>> The pppoe config creates the new default route with -mpath fine,
>>>> but dhclient doesn't.
>>>>
>>>> [snip pppoe config]
>>>>
>>>> inet 0.0.0.0 255.255.255.255 NONE \
>>>> 	pppoedev msk0 authproto pap \
>>>> 	authname 'bla@blub' authkey 'blub' up
>>>> dest 0.0.0.1
>>>> !/sbin/route add -mpath default -ifp pppoe0 0.0.0.1
>>>>
>>>> [/snip pppoe config]
>>>>
>>>> After a couple of days I found that dhclient does not use the
>>>> dhclient-script anymore since 5.3.
>>>>
>>>> So how can I set up the -mpath option in the dhclient config?
>>>>
>>>> Or is it possible to add some lines to dhclient so that it checks the
>>>> sysctl and, if net.inet.ip.multipath=1, adds the default route with
>>>> (for) multipathing.
>>>>
>>>> holger
>>>>
>>> Check if your dhcp server always gives you the same router ip address.
>>> If so, you can tweak with your dhclient.conf to reject and not ask for
>>> routers, and then set it up manually as you do in your hostname.pppoe0.
>>> And you can always run a script that is run after the dhcp negotiation,
>>> looks for the gateway related entry, deletes it and then re-adds it with
>>> the mpath modifier. There are a lot of options in this regard.
>>>
>>> Cheers,
>>>
>> hi
>>
>> Sure, I can write a wrap-around solution for this, but this is not the
>> "dynamic" way like pppoe or dhcp to get and set ips.
>>
>> I'm not a C programmer, but I think it is not much work to add a solution
>> in dhclient, or as an option to reactivate the dhclient-script part.
>>
>> holger

Yep, it would be very messy to add the multipath option to the dhclient
configuration. But I believe that before dhclient gets changed, the whole
multipath thing needs some love. I'm using it for some years now, but there
were lots of issues the documentation would not cover. I want to take some
time soon to address them. It is a great feature that is not widely used yet.

Cheers,

--
Giancarlo Razzolini
GPG: 4096R/77B981BC
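Giancarlo's wrap-around suggestion quoted above, as an added example (not code from the thread or from OpenBSD): a script run after dhclient has installed its default route, which reads the gateway and interface back from route(8), deletes that route and re-adds it with -mpath, and leaves the table alone when no default can be parsed or it is already multipath. Assumptions: `route -n get default` output shaped like the constructed sample in the block, an MPATH entry in its flags line for multipath routes, net.inet.ip.multipath=1, and a trigger (cron, ifstated, by hand) chosen by the operator; ROUTE is an override hook used for testing.

```shell
#!/bin/sh
# Added example, not from the thread: Giancarlo's "wrap around" approach as a
# script to run after dhclient has installed its default route (from cron,
# ifstated or by hand; dhclient itself has had no script hook since 5.3).
# It reads the gateway and interface of the current default route back from
# route(8), deletes that route and re-adds it with -mpath so it can coexist
# with the pppoe0 default from hostname.pppoe0. Assumes net.inet.ip.multipath=1
# and that `route -n get` lists an MPATH flag for multipath routes.
# ROUTE is a hook so the logic can be exercised without a live routing table.

ROUTE="${ROUTE:-/sbin/route}"

# Constructed sample of `route -n get default` output, for illustration.
SAMPLE_ROUTE_GET='   route to: default
destination: default
       mask: default
    gateway: 192.0.2.1
  interface: em0
      flags: <UP,GATEWAY,DONE,STATIC>'

# Pull "gateway" and "interface" out of route-get output read from stdin.
# Prints "<gateway> <interface>", or nothing (status 1) if either is missing.
parse_route_get() {
    gw='' ifp=''
    while IFS= read -r line; do
        case "$line" in
            *gateway:*)   set -- ${line#*gateway:};   gw=$1 ;;
            *interface:*) set -- ${line#*interface:}; ifp=$1 ;;
        esac
    done
    [ -n "$gw" ] && [ -n "$ifp" ] && printf '%s %s\n' "$gw" "$ifp"
}

# Replace the plain default route with a multipath one. Leaves the table
# alone (status 1) when no default route can be parsed, so a dhclient hiccup
# never deletes the only way out, and does nothing if it is already MPATH.
mpath_default() {
    info=$("$ROUTE" -n get default 2>/dev/null) || return 1
    case "$info" in *MPATH*) return 0 ;; esac
    set -- $(printf '%s\n' "$info" | parse_route_get)
    [ $# -eq 2 ] || return 1
    gw=$1 ifp=$2
    # Naming the gateway keeps the pppoe0 default (0.0.0.1) untouched.
    "$ROUTE" -n delete default "$gw" &&
        "$ROUTE" -n add -mpath default -ifp "$ifp" "$gw"
}
```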
Re: They are watching you
On 02-02-2014 20:04, Jason Barbier wrote:
> On 02/02/14 11:45, Chris Cappuccio wrote:
>> Christian Weisgerber [na...@mips.inka.de] wrote:
>>> http://www.cbc.ca/news/politics/csec-used-airport-wi-fi-to-track-canadian-travellers-edward-snowden-documents-1.2517881
>>>
>>>
>>> If you didn't know already, this is your cue to look up ifconfig(8)'s
>>> "lladdr random".
>>>
>> And when you visit the US, Canada, or a number of other countries, the
>> NSA keeps a record of every control and text message sent or received by
>> your cellular phone. You know, things like your location and who you are
>> calling. They aren't quite watching you, it's more like, they're sleeping
>> with you :)
> Think it would be inappropriate to ask them for dinner since they are
> so far up my business?
>

The truth is that any nerd with decent hardware can do what was done in this
specific case. Tracking people with wifi? It can be done with a laptop. It
would be nice to have an agent to take me out for dinner. But I believe that
we would run out of topics to talk about very quickly, since they already know
so much about me.

Cheers,

--
Giancarlo Razzolini
GPG: 4096R/77B981BC
Re: The "unknown" in i386-unknown-openbsd5.4
We've all 'written' things that get misinterpreted.. context is often lost in
written language ;)

On Mon 03 Feb 2014 17:05:25 GMT, Adam Jensen wrote:
> On Mon, 03 Feb 2014 16:57:28 + Andy wrote:
>> Please realise who you are talking to and learn to treat this community
>> with respect whether they're a first time user, or a lead dev..
>
> Despite the contextual irony, that seems like a good point. Thanks!
Re: The "unknown" in i386-unknown-openbsd5.4
On Mon, 03 Feb 2014 16:57:28 + Andy wrote:
> Please realise who you are talking to and learn to treat this
> community with respect whether they're a first time user, or a
> lead dev..
>

Despite the contextual irony, that seems like a good point. Thanks!
Re: The "unknown" in i386-unknown-openbsd5.4
Claudio is one of the main developers and contributors to OpenBSD and does
what he does for free for fun like all the devs, so we can go to work and get
paid..

Please realise who you are talking to and learn to treat this community with
respect whether they're a first time user, or a lead dev..

He was just trying to end a moot point.

On Mon 03 Feb 2014 16:34:36 GMT, Claudio Jeker wrote:
> On Mon, Feb 03, 2014 at 11:18:30AM -0500, Adam Jensen wrote:
>> On Mon, 03 Feb 2014 05:15:39 -0500
>> Brad Smith wrote:
>>
>>> Enough is enough. Just drop it. Of course people are
>>> going to start making fun of this non issue.
>>>
>>
>> How bizarre. I'm sorry the discussion has offended you but I
>> don't think your commands have any authority. If it's a delicate
>> topic, perhaps you could ignore the thread?
>>
>
> Great, you tell a developer with almost 10'000 OpenBSD commits to have
> no authority. Fuck off.
Re: dhclient
Reactivating the dhclient-script is not going to happen.

I am interested in what you would see syntax in dhclient.conf looking like.

Would multi-path routing modifications to all routes be needed? How should this
be combined with supersede/default/append commands for the relevant options?
Would it apply to all members of each option, or route by route?

If all else fails you can always use the ISC dhclient from ports to gain
access to a dhclient-script again.

Ken

On 31 January 2014 02:04, Holger Glaess wrote:
> On 30.01.2014 13:10, Giancarlo Razzolini wrote:
>
>> On 29-01-2014 18:13, Holger Glaess wrote:
>>>
>>> hi
>>>
>>> I try to set up a multipath configuration with 2 line providers:
>>>
>>> 1 cable with dhcp(client)
>>> 1 with pppoe
>>>
>>> just dynamic ips.
>>>
>>> The pppoe config creates the new default route with -mpath fine,
>>> but dhclient doesn't.
>>>
>>> [snip pppoe config]
>>>
>>> inet 0.0.0.0 255.255.255.255 NONE \
>>> 	pppoedev msk0 authproto pap \
>>> 	authname 'bla@blub' authkey 'blub' up
>>> dest 0.0.0.1
>>> !/sbin/route add -mpath default -ifp pppoe0 0.0.0.1
>>>
>>> [/snip pppoe config]
>>>
>>>
>>> After a couple of days I found that dhclient does not use the
>>> dhclient-script anymore since 5.3.
>>>
>>>
>>> So how can I set up the -mpath option in the dhclient config?
>>>
>>>
>>> Or is it possible to add some lines to dhclient so that it checks the
>>> sysctl and, if net.inet.ip.multipath=1, adds the default route with
>>> (for) multipathing.
>>>
>>>
>>> holger
>>>
>> Check if your dhcp server always gives you the same router ip address.
>> If so, you can tweak with your dhclient.conf to reject and not ask for
>> routers, and then set it up manually as you do in your hostname.pppoe0.
>> And you can always run a script that is run after the dhcp negotiation,
>> looks for the gateway related entry, deletes it and then re-adds it with
>> the mpath modifier. There are a lot of options in this regard.
>>
>> Cheers,
>>
> hi
>
> Sure, I can write a wrap-around solution for this, but this is not the
> "dynamic" way like pppoe or dhcp to get and set ips.
>
> I'm not a C programmer, but I think it is not much work to add a solution
> in dhclient, or as an option to reactivate the dhclient-script part.
>
>
> holger
Re: Does this usb wireless adapter works?
On 02-02-2014 18:57, Alexander Pakhomov wrote:
> I'm glad it works for you. Just a warning that buying it
> could be a bad idea.
> I tried to use it as a client too.
>
> 01.02.2014, 19:35, "Dan Daley" :
>> I had this USB wireless NIC laying around (it's old). So far it seems to be
>> working fine for me. But, I am just using it as a wireless client and not
>> as an AP or anything.
>>
>> http://www.newegg.com/Product/Product.aspx?Item=N82E16833164015
>>
>> On Feb 1, 2014, at 5:40 AM, C. L. Martinez wrote:
>>
>>> On Fri, Jan 31, 2014 at 6:06 PM, Alexander Pakhomov
>>> wrote:
>>>> No, it doesn't. It crashes the kernel once a day and hangs dead till
>>>> reboot every 30 min. I've sent a bug report, but nobody cares.
>>>> I use RTL8192CU. It crashes the kernel once a month.
>>> Sorry for this late response ... Oops ... then, what usb wireless
>>> adapter can I use for an OpenBSD hostap?? It seems that Alfa Networks
>>> adapters are not a good option ...

Alfa cards are great for doing pen tests and general wireless hacking. I have
one that can go up to 2W of tx power. That plus a directional antenna is
great. But I wouldn't rely on them as an ap. They sometimes hang up all of a
sudden. You have to physically remove and attach them again for them to
work. I do not know of any card that has a decent tx power and works great
with openbsd for being an ap. If you guys know one, name it.

Cheers,

--
Giancarlo Razzolini
GPG: 4096R/77B981BC
Re: cheapest firewall?
On 02-02-2014 14:27, Adam Thompson wrote:
> On 14-02-01 02:37 PM, Adam wrote:
>> Any suggestions for the cheapest possible firewall (that is new
>> hardware not re-purposing some old stuff)? All I need is 2 ethernet
>> interfaces and for it to run openbsd.
>>
>
> Possibly a refurbished PC with an add-in NIC. Locally, I keep seeing
> IBM Pentium4D-class desktops being sold for well under $200, and it's
> usually possible to pick up a single-port PCI NIC for $20. (Less if
> you buy up someone's stock of 100Mbit NICs in bulk.)
> Not sure if that qualifies as "new", precisely, but you will get a
> warranty of some sort.
>

I built a lot of these refurbished firewalls. I also had relative success
using some thin clients and inexpensive NICs. But I advise that you build
these firewalls in pairs and always use carp, because this hardware will fail
more often than you might think. Always keep spare hardware.

Cheers,

--
Giancarlo Razzolini
GPG: 4096R/77B981BC
Re: The "unknown" in i386-unknown-openbsd5.4
On Mon, Feb 03, 2014 at 11:18:30AM -0500, Adam Jensen wrote:
> On Mon, 03 Feb 2014 05:15:39 -0500
> Brad Smith wrote:
>
> > Enough is enough. Just drop it. Of course people are
> > going to start making fun of this non issue.
> >
>
> How bizarre. I'm sorry the discussion has offended you but I
> don't think your commands have any authority. If it's a delicate
> topic, perhaps you could ignore the thread?
>

Great, you tell a developer with almost 10'000 OpenBSD commits to have no
authority. Fuck off.

--
:wq Claudio
Re: The "unknown" in i386-unknown-openbsd5.4
On Mon, 03 Feb 2014 05:15:39 -0500
Brad Smith wrote:

> Enough is enough. Just drop it. Of course people are
> going to start making fun of this non issue.
>

How bizarre. I'm sorry the discussion has offended you but I don't think your
commands have any authority. If it's a delicate topic, perhaps you could
ignore the thread?
Re: pkg_add error, Dependencies.pm:387
On Mon, Feb 03, 2014 at 10:53:30AM +0100, LEVAI Daniel wrote:
> Hi!
>
> Updated to Feb. 2 snapshots, and every time I run pkg_add, I get this:
>
> Can't use an undefined value as a HASH reference at
> /usr/libdata/perl5/OpenBSD/Dependencies.pm line 387.
>
> Maybe this is the culprit:
> CVSROOT:	/cvs
> Module name:	src
> Changes by:	es...@cvs.openbsd.org	2014/02/01 04:37:58
>
> Modified files:
> 	usr.sbin/pkg_add/OpenBSD: Dependencies.pm
>
> Log message:
> let solve_depends work as soon as we have update_info
>
>
> Reverting Dependencies.pm to 1.151 fixes it for me.

Actually, it's more complicated than that. This commit makes things more
brittle, and the few next commits fix the issues exposed by it.
Re: The "unknown" in i386-unknown-openbsd5.4
On 02/02/14 1:50 PM, Adam Jensen wrote:
> On Sun, 2 Feb 2014 18:18:06 + (UTC) na...@mips.inka.de (Christian Weisgerber) wrote:
>> Miod Vallat wrote:
>>> i386-donatetoopenbsdfoundationtoday-openbsd5.4?
>> or i386-bikeshed-openbsd.
>> What is the string equivalent of goatse or tubgirl?
>
> Maybe something simple that distinguishes compilers:
>
> i386-gcc-openbsd5.4
> i386-clang-openbsd5.4
>
> Or something more elaborate that signifies the origin:
>
> Locally compiled:
> i386-srcbld-openbsd5.4
> i386-portbld-openbsd5.4
>
> Upstream binary releases:
> i386-dist-openbsd5.4
> i386-package-openbsd5.4

Enough is enough. Just drop it. Of course people are going to start making fun
of this non issue.
pkg_add error, Dependencies.pm:387
Hi!

Updated to Feb. 2 snapshots, and every time I run pkg_add, I get this:

Can't use an undefined value as a HASH reference at /usr/libdata/perl5/OpenBSD/Dependencies.pm line 387.

Maybe this is the culprit:

CVSROOT:	/cvs
Module name:	src
Changes by:	es...@cvs.openbsd.org	2014/02/01 04:37:58

Modified files:
	usr.sbin/pkg_add/OpenBSD: Dependencies.pm

Log message:
let solve_depends work as soon as we have update_info

Reverting Dependencies.pm to 1.151 fixes it for me.

Daniel

--
LÉVAI Dániel
PGP key ID = 0x83B63A8F
Key fingerprint = DBEC C66B A47A DFA2 792D 650C C69B BE4C 83B6 3A8F
carp and rtadvd
Hi,

I'm running carp with rtadvd on 5.4, and see some strange behavior regarding
NDP during failover.

I run rtadvd with no configuration file and it runs on the carp interface
(carp is using carpdev, so no address on the physical interface) on both carp
nodes. When rtadvd starts on the MASTER, it sends a router advertisement to
the network from the link-local address of the carp interface
(fe80::200:5eff:fe00:101), and the clients set a default route to this
address. So when the clients send a neighbor sol for fe80::200:5eff:fe00:101,
the carp MASTER responds with a neighbor adv with tgt lladdr
00:00:5e:00:01:01, and the client populates the NDP table accordingly.

But when the current carp BACKUP becomes MASTER (using carpdemote), the new
MASTER immediately sends out two neighbor advertisements (one for the
link-local address and one for the global address) with tgt lladdr as the
physical lladdr of the carpdev interface on the new MASTER. This causes the
clients to remove their default route to fe80::200:5eff:fe00:101 and all
clients are left without a default route until rtadvd on the new MASTER sends
out a new router advertisement. In this case, the clients are both OpenBSD and
Windows.

So with net.inet6.icmp6.nd6_debug=1 on the OpenBSD clients, I see this in the
log when neighbor advertisements are sent from the new carp MASTER:

ndp info overwritten for fe80:0002::0200:5eff:fe00:0101 by on em1

I am able to work around this behavior by restarting rtadvd with ifstated
during the transition to MASTER so that router advertisements are sent when
rtadvd starts. However, this takes some time.

So is it possible to not send out neighbor adv with the physical lladdr when
transitioning to MASTER?

Thanks.

--
Ole Myhre