Re: Securing communications with OpenBSD

2014-10-09 Thread Duncan Patton a Campbell
On Tue, 7 Oct 2014 07:08:54 +
"C. L. Martinez"  wrote:

> On Mon, Oct 6, 2014 at 11:52 PM, Duncan Patton a Campbell
>  wrote:
> > The most basic consideration in computer security has nothing to
> > do with technology and computers.  Do the people you need to keep
> > out of the know need to know enough to come and break legs?
> >
> > If so, don't bother encrypting.  They may not just break legs.
> >
> > Dhu
> >
> > On Mon, 06 Oct 2014 13:48:33 -0600
> > chester.t.fi...@hushmail.com wrote:
> >
> >> Very true, filling your subterranean data server with angry hornets
> >> certainly seems like a good idea but it's really not, most AC
> >> maintenance contractors will charge you extra (usually per sting!).
> >>
> >> Chester T. Field
> >>
> >> And remember when I left all the meat out because I saw Mr. David Lynch 
> >> “I’m on TV” do it,
> >> and he got on TV from doin’ it, and I did it and didn’t get on TV from 
> >> doin’ it?  - Gandhi
> >>
> >> On 10/6/2014 at 1:37 PM, "Matti Karnaattu"  wrote:
> >> >
> >> >>Yes, my goal is to secure the
> >> >>infrastructure as much as possible.
> >> >
> >> >I don't know details but it sounds overly complex. And complexity
> >> >may cause other issues, without any benefit for security.
> >> >
> >> >Example, you don't have to encrypt your whole hard disk if the hard
> >> >disk is located in guarded bunker. But if you do that, it will
> >> >increase
> >> >security in theory but that may cause service outtage if you have
> >> >to
> >> >always locally type your crypt password if machine crashes.
> >> >
> >> >I would put this effort to ease maintainability, ease monitoring,
> >> >use stateful firewall, deploy honeypot etc. and avoid complexity.
> >>
> 
> Thanks guys for your answers. I know it: our it sec. dept. adds a
> complexity to our infrastructure, but they are determined to do so.
> 
> Searching via google I found this:
> 
> http://www.safenet-inc.com/data-encryption/
> 
> HSM: hardware security modules ... But exists another problem. If I
> would like to use some SSL/TLS or IPSec based solution, how can I
> authenticate these servers between them without compromise host
> security??
> 
> Any ideas??
> 
> 

Is "man 8 iked" what you are looking for?

Dhu

-- 
Ne obliviscaris, vix ea nostra voco.



Re: Securing communications with OpenBSD

2014-10-09 Thread C. L. Martinez
On Thu, Oct 9, 2014 at 7:21 AM, Duncan Patton a Campbell
 wrote:
> On Tue, 7 Oct 2014 07:08:54 +
> "C. L. Martinez"  wrote:
>
>> On Mon, Oct 6, 2014 at 11:52 PM, Duncan Patton a Campbell
>>  wrote:
>> > The most basic consideration in computer security has nothing to
>> > do with technology and computers.  Do the people you need to keep
>> > out of the know need to know enough to come and break legs?
>> >
>> > If so, don't bother encrypting.  They may not just break legs.
>> >
>> > Dhu
>> >
>> > On Mon, 06 Oct 2014 13:48:33 -0600
>> > chester.t.fi...@hushmail.com wrote:
>> >
>> >> Very true, filling your subterranean data server with angry hornets
>> >> certainly seems like a good idea but it's really not, most AC
>> >> maintenance contractors will charge you extra (usually per sting!).
>> >>
>> >> Chester T. Field
>> >>
>> >> And remember when I left all the meat out because I saw Mr. David Lynch 
>> >> “I’m on TV” do it,
>> >> and he got on TV from doin’ it, and I did it and didn’t get on TV from 
>> >> doin’ it?  - Gandhi
>> >>
>> >> On 10/6/2014 at 1:37 PM, "Matti Karnaattu"  wrote:
>> >> >
>> >> >>Yes, my goal is to secure the
>> >> >>infrastructure as much as possible.
>> >> >
>> >> >I don't know details but it sounds overly complex. And complexity
>> >> >may cause other issues, without any benefit for security.
>> >> >
>> >> >Example, you don't have to encrypt your whole hard disk if the hard
>> >> >disk is located in guarded bunker. But if you do that, it will
>> >> >increase
>> >> >security in theory but that may cause service outtage if you have
>> >> >to
>> >> >always locally type your crypt password if machine crashes.
>> >> >
>> >> >I would put this effort to ease maintainability, ease monitoring,
>> >> >use stateful firewall, deploy honeypot etc. and avoid complexity.
>> >>
>>
>> Thanks guys for your answers. I know it: our it sec. dept. adds a
>> complexity to our infrastructure, but they are determined to do so.
>>
>> Searching via google I found this:
>>
>> http://www.safenet-inc.com/data-encryption/
>>
>> HSM: hardware security modules ... But exists another problem. If I
>> would like to use some SSL/TLS or IPSec based solution, how can I
>> authenticate these servers between them without compromise host
>> security??
>>
>> Any ideas??
>>
>>
>
> Is "man 8 iked" what you are looking for?
>
> Dhu

Uhmm... I don't understand your question Duncan... To use IPsec is a
possibility.



Re: smtpd smarthost ISP config

2014-10-09 Thread admin
On 08/10/14 04:05 PM, admin wrote:
> Hello
> 
> Current Sep 25 i386:
> 
> I want to use shawmail.vc.shawcable.net as smarthost, and i tried
> smtp:// tls+auth:// and the others with failing results. What could be
> wrong? Thanks.
> --
> 
> # $OpenBSD: smtpd.conf,v 1.7 2014/03/12 18:21:34 tedu Exp $
> 
> # This is the smtpd server system-wide configuration file.
> # See smtpd.conf(5) for more information.
> 
> # To accept external mail, replace with: listen on all
> #
> #listen on lo0
> #listen on rl0
> listen on all
> 
> table aliases db:/etc/mail/aliases.db
> 
> # Uncomment the following to accept external mail for domain "example.org"
> #
> accept from any for domain "example.ca" alias <aliases> deliver to mbox
> accept for local alias <aliases> deliver to mbox
> accept from local for any relay via smtp://shawmail.vc.shawcable.net
> 

OK, it is working now!

I did 2 things:

1. rebooted the system
2. cleaned the queue.
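The thread never shows what a working authenticated smarthost relay looks like, so here is an added smtpd.conf fragment for that case. It is the editor's, not the poster's file or OpenBSD's default, and follows the smtpd.conf(5) syntax of the 5.5/5.6 era. The smarthost name is the one from the post; the `secrets` table, the `shaw` label and the credential line are assumptions.

```conf
# /etc/mail/smtpd.conf (added example, not the poster's file)
# Listen on loopback only: this box submits mail, it does not accept it from
# the network, so nobody else can push mail through the ISP account below.
listen on lo0

table aliases db:/etc/mail/aliases.db
# Smarthost credentials.  The source file /etc/mail/secrets holds one line
# per label, "label user:password", for instance (constructed):
#     shaw isp-account:s3cret
# Build the db with "makemap /etc/mail/secrets", then keep both files away
# from other users:
#     chown root:_smtpd /etc/mail/secrets /etc/mail/secrets.db
#     chmod 640         /etc/mail/secrets /etc/mail/secrets.db
table secrets db:/etc/mail/secrets.db

accept for local alias <aliases> deliver to mbox
# Everything non-local from this host goes to the ISP over STARTTLS with SMTP
# AUTH; "shaw" selects the credential line in <secrets>.  Append ":587" to the
# host name if the ISP only accepts the submission port (assumption).
accept from local for any relay via tls+auth://shaw@shawmail.vc.shawcable.net auth <secrets>
```

`smtpd -n` checks that the file parses, and `smtpctl show queue` lists the envelopes still waiting, which is what the poster had to clean out once the configuration was right.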



Re: combination of ssh port fowarding and pf redirection

2014-10-09 Thread Giancarlo Razzolini
On 08-10-2014 18:25, stan wrote:
> Anyone have any sugestions as to how to make this work?
Did you try the suggestion I gave you off list, of making two ssh
connections? Also, could you provide more details of your setup? Both
your e-mails trying to explain it were confusing. I think I understood
what you want, but I'm not sure.

Cheers




Route-to dynamic next hop

2014-10-09 Thread Justin Mayes
I have 2 internet connections. One of them is static IP, one is dynamic. I
want to use both of them on my gateway. From the man pages and other docs I
see the use of route-to in the pf.conf including the 'next-hop' that it
requires. This is easy enough. Problem is that the next hop is hard coded IP
in all examples. I need that next hop to get updated when my one WAN DHCP link
is updated. I know about if:peer, if:broadcast, if:network etc. but there is no
if:gateway. Seems like you could have used dhclient-script to adjust pf config
when ip changed but dhclient-script has been removed.  It also seems like
relayd has become the best option to accomplish this uplink load balancing. I
just wanted to check with you all to make sure I'm not missing something basic
with the load balanced uplink scenario in OpenBSD. As always, comments and
suggestions are much appreciated.

J



Re: Route-to with a dynamic 'next hop'

2014-10-09 Thread Giancarlo Razzolini
On 09-10-2014 02:58, Justin Mayes wrote:
> Ok I got it working. Here is what I did
>
> Enabled multipath routing (sysctl)
> Added the relayd anchor to pf.conf
> Created a relayd.conf with this in it
>
> gw1="fxp0"
> gw2="fxp1"
>
> table  { $gw1 ip ttl 1, $gw2 ip ttl 1 }
> router "uplinks" {
>   route 0.0.0.0/0
>   forward to  check icmp
> }
> Started relayd
> Reloaded pf.conf
>
> I then could see with 'relayctl show summary' my two gateways and their 'up'
status as well as the default route to each with 'route show'. When I
'ifconfig down' one interface, 'relayctl show summary' showed it as down and
then default route to it was removed automatically. Awesomeness.
>
>
> -Original Message-
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of
Justin Mayes
> Sent: Wednesday, October 8, 2014 10:56 PM
> To: misc@openbsd.org
> Subject: Re: Route-to with a dynamic 'next hop'
>
> I just watched Reyk's youtube. I'm going with relayd. I can see the
'routers' section in the man page for relayd to do what I want.
>
> http://www.youtube.com/watch?v=JtMxGslqGbM
>
>
> -Original Message-
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of
Justin Mayes
> Sent: Wednesday, October 8, 2014 10:04 PM
> To: misc@openbsd.org
> Subject: Route-to with a dynamic 'next hop'
>
> Greetings all -
>
> I have 2 internet connections. One of them is static IP, one is dynamic. I
want to use both of them on my gateway. From the man pages and other docs I
see the use of route-to in the pf.conf including the 'next-hop' that it
requires. This is easy enough. Problem is that the next hop is hard coded IP
in all examples. I need that next hop to get updated when my one WAN DHCP link
is updated. I know about if:peer, if:broadcast, if:network ect but there is no
if:gateway. Seems like you could have used dhclient-script to adjust pf config
when ip changed but dhclient-script has been removed.  I also read that relayd
has become the best option to accomplish this uplink load balancing in current
versions of OpenBSD. I wanted to check with you all to make sure I'm not
missing something basic with the load balanced uplink scenario in OpenBSD. As
always, comments and suggestions are much appreciated.
>
> J
>
There is no need to use relayd. Plain pf rules would do the trick, even
on your dynamic interface. The relayd conf you made will only detect
failure at the LAN network level. It will not detect internet failure.
For that you would need to add other checks through icmp to ping
external ip addresses. Or a check script. There is also the option of
using ifstated. As for the rules part, you could use route-to directly
to the interface.

Cheers




Re: Route-to with a dynamic 'next hop'

2014-10-09 Thread Justin Mayes
I did notice the problem with only detecting a LAN failure and was looking at a 
better monitor.  If I just used plain PF rules what would I use for the 
next-hop parameter to the route-to command? This IP is dynamic.


-Original Message-
From: Giancarlo Razzolini [mailto:grazzol...@gmail.com] 
Sent: Thursday, October 9, 2014 7:26 AM
To: Justin Mayes; misc@openbsd.org
Subject: Re: Route-to with a dynamic 'next hop'

On 09-10-2014 02:58, Justin Mayes wrote:
> Ok I got it working. Here is what I did
>
> Enabled multipath routing (sysctl)
> Added the relayd anchor to pf.conf
> Created a relayd.conf with this in it
>
> gw1="fxp0"
> gw2="fxp1"
>
> table  { $gw1 ip ttl 1, $gw2 ip ttl 1 }
> router "uplinks" {
>   route 0.0.0.0/0
>   forward to  check icmp
> }
> Started relayd
> Reloaded pf.conf
>
> I then could see with 'relayctl show summary' my two gateways and their 'up' 
> status as well as the default route to each with 'route show'. When I 
> 'ifconfig down' one interface, 'relayctl show summary' showed it as down and 
> then default route to it was removed automatically. Awesomeness.
>
>
> -Original Message-
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of 
> Justin Mayes
> Sent: Wednesday, October 8, 2014 10:56 PM
> To: misc@openbsd.org
> Subject: Re: Route-to with a dynamic 'next hop'
>
> I just watched Reyk's youtube. I'm going with relayd. I can see the 'routers' 
> section in the man page for relayd to do what I want.
>
> http://www.youtube.com/watch?v=JtMxGslqGbM
>
>
> -Original Message-
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of 
> Justin Mayes
> Sent: Wednesday, October 8, 2014 10:04 PM
> To: misc@openbsd.org
> Subject: Route-to with a dynamic 'next hop'
>
> Greetings all -
>
> I have 2 internet connections. One of them is static IP, one is dynamic. I 
> want to use both of them on my gateway. From the man pages and other docs I 
> see the use of route-to in the pf.conf including the 'next-hop' that it 
> requires. This is easy enough. Problem is that the next hop is hard coded IP 
> in all examples. I need that next hop to get updated when my one WAN DHCP 
> link is updated. I know about if:peer, if:broadcast, if:network ect but there 
> is no if:gateway. Seems like you could have used dhclient-script to adjust pf 
> config when ip changed but dhclient-script has been removed.  I also read 
> that relayd has become the best option to accomplish this uplink load 
> balancing in current versions of OpenBSD. I wanted to check with you all to 
> make sure I'm not missing something basic with the load balanced uplink 
> scenario in OpenBSD. As always, comments and suggestions are much appreciated.
>
> J
>
There is no need to use relayd. Plain pf rules would do the trick, even 
on you dynamic interface. The relayd conf you made will only detect 
failure at the LAN network level. It will not detect internet failure. 
For that you would need to add another checks through icmp to ping 
external ip addresses. Or a check script. There is also the option of 
using ifstated. As, for the rules part you could use the route-to direct 
to the interface.

Cheers



Re: Route-to with a dynamic 'next hop'

2014-10-09 Thread Giancarlo Razzolini
On 09-10-2014 10:16, Justin Mayes wrote:
> I did notice the problem with only detecting a LAN failure and was looking
at a better monitor.  If I just used plain PF rules what would I use for the
next-hop parameter to the route-to command? This IP is dynamic.
>
There is no next-hop. Just make your rule point to the interface:
route-to (if). You can also make it route-to if. In either case, you'd
be better off using ifstated/relayd with anchors to dynamically change
your rules in case of link failures. Also, if possible, use snmp to
query your modems/routers to determine the internet link availability.

Cheers




Connection drop (i.e. IRC) caused by pf/pfsync/carp/...?

2014-10-09 Thread Nicolas Christener
Hello

We have a somewhat curious issue and have run out of ideas ;)

We do not have a trigger to reproduce the issue, but we for example see
some IRC disconnects from users behind our firewall.

What we have:
- two HP Proliant DL360 G5 with Broadcom BCM5708 NICs, 2GB RAM,
  Intel Xeon E5335@2.0GHz
- OpenBSD 5.5
- trunk between the two NICs
- 13 VLAN interfaces with carp failover
- one VLAN for pfsync
- ospfd and ospf6d
- approx. 200Mbit/s of traffic
- the initial pfsync takes quite long (~1h)

The setup looks like this (not sure if relevant):
- both servers have a failover trunk with two interfaces
- all traffic including pfsync is sent over this trunk
- the problem also occurs, if we disable one box

What happens/what we tried:
The main issue is that we occasionally see broken SSH connections and
quite a lot of broken IRC connections during the day. It looks a bit
like the problem happens more in the evening - however we do not see a
correlation with the amount of traffic or number of connections.
As a first reaction we updated to the latest stable OpenBSD release
which didn't solve the issue. Afterwards we replaced the onboard
Broadcom NIC with a PCIe Intel 82576 (em driver) card, however this card
seems to cause some new issues - i.e. we see quite some input (rx)
errors using "netstat -i". Because we don't see such errors using the
Broadcom NICs we decided to not investigate this issue any further and
switch back to the Broadcom setup.
Besides those steps we also disabled one of the boxes by stopping ospf
and removing the carp interfaces - however, the disconnects didn't go
away. 
Furthermore we also checked if any state-tables are overflowing and we
didn't find any suspicious kernel messages either.

We have quite a similar setup which doesn't show those issues - however
we don't have the same amount of traffic over those systems.

I uploaded some information about the system to this place:
* sysctl -a http://dpaste.com/08VBA93
* pfctl (w/o rules and states) http://dpaste.com/2BBJG5P
Feel free to ask for more if needed.

Long story short; do you have any hints or ideas where we could look
next? Did you ever see such a problem in another setup? At least to me,
it looks like long-running sessions (like IRC) are somehow affected -
does this ring some bells?

I appreciate any hints and hope that I didn't miss any important
information - otherwise feel free to bug me.

Thanks in advance and have a nice day!

Kind regards,
Nicolas



Re: Connection drop (i.e. IRC) caused by pf/pfsync/carp/...?

2014-10-09 Thread Paul S.
I can confirm that we've seen this with any long running TCP connections 
in environments where pf was literally only sampling packets for pflow 
(not even actually firewalling.)


Removing pf from the equation fixed the problem right up.

5.5 current was what I was running at the time.

On 10/9/2014 午後 10:52, Nicolas Christener wrote:





Re: Route-to with a dynamic 'next hop'

2014-10-09 Thread Justin Mayes
My understanding of route-to is that if the destination is not on same network 
as the 'route-to' interface, you need the second 'next hop' parameter. All 
examples I was seeing show pf.conf this way. Is that not right? I will test 
with just the interface name.



-Original Message-
From: Giancarlo Razzolini [mailto:grazzol...@gmail.com] 
Sent: Thursday, October 9, 2014 8:52 AM
To: Justin Mayes; misc@openbsd.org
Subject: Re: Route-to with a dynamic 'next hop'

On 09-10-2014 10:16, Justin Mayes wrote:
> I did notice the problem with only detecting a LAN failure and was looking at 
> a better monitor.  If I just used plain PF rules what would I use for the 
> next-hop parameter to the route-to command? This IP is dynamic.
>
There is no next-hop. Just make your rule point to the interface. 
route-to (if). You can also make it route-to if. In either cases, you'd 
be better off using ifstated/relayd with anchors to dynamicaly change 
your rules, in case of link failures. Also, if possible, use snmp to 
query your modems/routers to determine the internet link availability.

Cheers



Re: Route-to with a dynamic 'next hop'

2014-10-09 Thread Justin Mayes
In Reyk's presentation he talks about this 
(http://www.youtube.com/watch?v=JtMxGslqGbM) @ 19:30 and describes the 'link 
balancer' functionality of relayd intended to do exactly what I want. It 
appears to work as described. In the presentation Reyk says relayd will check 
for upstream router availability but the conf example just pings the interface 
it appears. Sorry for all the babble but I am away from the location where I 
have 2 internet connections so I cannot test this stuff right now as I normally 
would.


-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of 
Justin Mayes
Sent: Thursday, October 9, 2014 9:05 AM
To: grazzol...@gmail.com; misc@openbsd.org
Subject: Re: Route-to with a dynamic 'next hop'

My understanding of route-to is that if the destination is not on same network 
as the 'route-to' interface, you need the second 'next hop' parameter. All 
examples I was seeing show pf.conf this way. Is that not right? I will test 
with just the interface name.



-Original Message-
From: Giancarlo Razzolini [mailto:grazzol...@gmail.com]
Sent: Thursday, October 9, 2014 8:52 AM
To: Justin Mayes; misc@openbsd.org
Subject: Re: Route-to with a dynamic 'next hop'

On 09-10-2014 10:16, Justin Mayes wrote:
> I did notice the problem with only detecting a LAN failure and was looking at 
> a better monitor.  If I just used plain PF rules what would I use for the 
> next-hop parameter to the route-to command? This IP is dynamic.
>
There is no next-hop. Just make your rule point to the interface. 
route-to (if). You can also make it route-to if. In either cases, you'd be 
better off using ifstated/relayd with anchors to dynamicaly change your rules, 
in case of link failures. Also, if possible, use snmp to query your 
modems/routers to determine the internet link availability.

Cheers



Re: Securing communications with OpenBSD

2014-10-09 Thread Duncan Patton a Campbell
On Thu, 9 Oct 2014 08:15:22 +
"C. L. Martinez"  wrote:

> On Thu, Oct 9, 2014 at 7:21 AM, Duncan Patton a Campbell
>  wrote:
> > On Tue, 7 Oct 2014 07:08:54 +
> > "C. L. Martinez"  wrote:
> >
> >> On Mon, Oct 6, 2014 at 11:52 PM, Duncan Patton a Campbell
> >>  wrote:
> >> > The most basic consideration in computer security has nothing to
> >> > do with technology and computers.  Do the people you need to keep
> >> > out of the know need to know enough to come and break legs?
> >> >
> >> > If so, don't bother encrypting.  They may not just break legs.
> >> >
> >> > Dhu
> >> >
> >> > On Mon, 06 Oct 2014 13:48:33 -0600
> >> > chester.t.fi...@hushmail.com wrote:
> >> >
> >> >> Very true, filling your subterranean data server with angry hornets
> >> >> certainly seems like a good idea but it's really not, most AC
> >> >> maintenance contractors will charge you extra (usually per sting!).
> >> >>
> >> >> Chester T. Field
> >> >>
> >> >> And remember when I left all the meat out because I saw Mr. David Lynch 
> >> >> “I’m on TV” do it,
> >> >> and he got on TV from doin’ it, and I did it and didn’t get on TV from 
> >> >> doin’ it?  - Gandhi
> >> >>
> >> >> On 10/6/2014 at 1:37 PM, "Matti Karnaattu"  wrote:
> >> >> >
> >> >> >>Yes, my goal is to secure the
> >> >> >>infrastructure as much as possible.
> >> >> >
> >> >> >I don't know details but it sounds overly complex. And complexity
> >> >> >may cause other issues, without any benefit for security.
> >> >> >
> >> >> >Example, you don't have to encrypt your whole hard disk if the hard
> >> >> >disk is located in guarded bunker. But if you do that, it will
> >> >> >increase
> >> >> >security in theory but that may cause service outtage if you have
> >> >> >to
> >> >> >always locally type your crypt password if machine crashes.
> >> >> >
> >> >> >I would put this effort to ease maintainability, ease monitoring,
> >> >> >use stateful firewall, deploy honeypot etc. and avoid complexity.
> >> >>
> >>
> >> Thanks guys for your answers. I know it: our it sec. dept. adds a
> >> complexity to our infrastructure, but they are determined to do so.
> >>
> >> Searching via google I found this:
> >>
> >> http://www.safenet-inc.com/data-encryption/
> >>
> >> HSM: hardware security modules ... But exists another problem. If I
> >> would like to use some SSL/TLS or IPSec based solution, how can I
> >> authenticate these servers between them without compromise host
> >> security??
> >>
> >> Any ideas??
> >>
> >>
> >
> > Is "man 8 iked" what you are looking for?
> >
> > Dhu
> 
> Uhmm . .. I don't understand your question Duncan... To use IPsec is a
> possibility.
> 
> 
Possibly 'cause I don't understand yours.  You want to authenticate servers
"without compromise host security" which to me implies the use of something 
like iked, the Internet Key Exchange (IKEv2) daemon,

"which performs mutual authentication and which establishes and maintains 
IPsec flows and security associations (SAs) between the two peers."

You don't need iked to run something like ipsec.  You can exchange the keys 
some different way like, say, multiple redundant one time pads and couriers 
(for the truly 'noidal).

Dhu


-- 
Ne obliviscaris, vix ea nostra voco.
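To make the answer in this thread concrete: the question was how two servers authenticate each other for IPsec without a shared secret living on the hosts, and iked's default, signature-based authentication is exactly that. Below is an added iked.conf example written by the editor; it is not Duncan's, not the original poster's and not taken from OpenBSD's sample files. The addresses, networks and host names are constructed placeholders; the key file locations are the ones documented in iked(8).

```conf
# /etc/iked.conf on server A (added example; addresses and host names are
# constructed placeholders, not values from the thread)
#
# Authentication is by RSA signature, iked's default when no "psk" is given.
# Each host's private key stays in /etc/iked/private/local.key and is never
# copied anywhere; only /etc/iked/local.pub travels.  B's public key is
# installed on A, by hand over an already trusted channel, as
#     /etc/iked/pubkeys/fqdn/server-b.example.com
# and A's public key on B as /etc/iked/pubkeys/fqdn/server-a.example.com.
# The file name must equal the peer's ID (the dstid below), which is how
# iked finds the key to verify the peer's IKE_AUTH signature.

ikev2 "to-server-b" active esp \
	from 10.0.1.0/24 to 10.0.2.0/24 \
	local 192.0.2.1 peer 192.0.2.2 \
	ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group modp2048 \
	childsa enc aes-256 auth hmac-sha2-256 \
	srcid server-a.example.com dstid server-b.example.com

# /etc/iked.conf on server B is the mirror image; "passive" is enough
# because A initiates:
#
# ikev2 "from-server-a" passive esp \
# 	from 10.0.2.0/24 to 10.0.1.0/24 \
# 	local 192.0.2.2 peer 192.0.2.1 \
# 	ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group modp2048 \
# 	childsa enc aes-256 auth hmac-sha2-256 \
# 	srcid server-b.example.com dstid server-a.example.com
```

`iked -n` parses the file without starting anything, and `ipsecctl -s all` afterwards lists the flows and SAs that came up. The one step that decides whether the peers are really who they claim is the out-of-band copy of the public keys: compare them on both sides before installing them, because after that iked trusts whatever sits under `pubkeys/`.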



Re: Route-to with a dynamic 'next hop'

2014-10-09 Thread Giancarlo Razzolini
On 09-10-2014 11:23, Justin Mayes wrote:
> In Reyk's presentation he talks about this
(http://www.youtube.com/watch?v=JtMxGslqGbM) @ 19:30 and describes the 'link
balancer' functionality of relayd intended to do exactly what I want. It
appears to work as described. In the presentation Reyk says relayd will check
for upstream router availability but the conf example just pings the interface
it appears. Sorry for all the babble but I am away from the location where I
have 2 internet connections so I cannot test this stuff right now as I
normally would.
Link balancer doesn't mean link failover. Also, with multipath you
already have your links balanced, provided they have the same route
priority. You can extend the relayd functionality through the use of
scripts and achieve link failover. But, in this case, I believe that a
state machine, such as ifstated, is better suited for the job. Also, it
has network interface failure detection for free, without the need for
icmp checks. Take a look at it and see if it helps in your case. I've been
using it for years to balance/failover multiple links (not just two) with
no issue. Of course it will have to interact with your pf rules, mostly
through the use of anchors.

Cheers

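The ifstated-plus-anchors arrangement recommended in this thread, with reachability checks that go past the gateways rather than the LAN-only ping from the relayd config, as an added example written by the editor (not Giancarlo's, Justin's or OpenBSD's configuration). Assumptions: em0 is the LAN, fxp0 the static uplink with next hop 192.0.2.1, fxp1 the DHCP uplink, 198.51.100.1 and 203.0.113.1 are hosts beyond each uplink used as probe targets (all constructed placeholders), the current DHCP router can be read from /var/db/dhclient.leases.fxp1, and ifstated hands its `run` strings to sh(1) unchanged. One caveat the thread leaves implicit: route-to with only an interface is enough on a point-to-point link (pppoe, tun), but on an Ethernet uplink the packet still needs a next-hop address to be resolved, so this example feeds the DHCP router into the anchor as a pfctl macro instead of leaving it out.

```conf
# ---- /etc/pf.conf, relevant part ----
lan  = "em0"
wan1 = "fxp0"      # static address, next hop 192.0.2.1 (placeholder)
wan2 = "fxp1"      # address and next hop assigned by DHCP

match out on $wan1 inet nat-to ($wan1)
match out on $wan2 inet nat-to ($wan2)
# the uplink steering rules live in an anchor that ifstated swaps at runtime
anchor "uplinks"

# ---- /etc/pf.uplinks.both  (loaded into the anchor; $gw2 comes from pfctl -D) ----
# each probe is pinned to its own uplink, so a reply proves that path end to end
pass out quick inet proto icmp to 198.51.100.1 route-to (fxp0 192.0.2.1)
pass out quick inet proto icmp to 203.0.113.1 route-to (fxp1 $gw2)
# LAN traffic leaves alternately over both uplinks
pass in quick on em0 inet from em0:network to ! em0:network \
	route-to { (fxp0 192.0.2.1), (fxp1 $gw2) } round-robin

# ---- /etc/pf.uplinks.wan1  (pf.uplinks.wan2 is the same with the last rule on fxp1) ----
pass out quick inet proto icmp to 198.51.100.1 route-to (fxp0 192.0.2.1)
pass out quick inet proto icmp to 203.0.113.1 route-to (fxp1 $gw2)
pass in quick on em0 inet from em0:network to ! em0:network route-to (fxp0 192.0.2.1)

# ---- /etc/ifstated.conf ----
init-state both

wan1_link = "fxp0.link.up"
wan2_link = "fxp1.link.up"
wan1_ping = '( "ping -q -c 1 -w 2 198.51.100.1 > /dev/null" every 10 )'
wan2_ping = '( "ping -q -c 1 -w 2 203.0.113.1 > /dev/null" every 10 )'

# Every anchor load re-reads the DHCP uplink's current router from its lease
# file (the last "option routers" line wins) and hands it to pfctl as $gw2.
# If the lease file has no router, pfctl rejects the file and the previous
# anchor contents stay in place instead of steering traffic at a bogus hop.
state both {
	init {
		run "pfctl -a uplinks -D gw2=$(awk '/option routers/ { gw = substr($3, 1, length($3) - 1) } END { print gw }' /var/db/dhclient.leases.fxp1) -f /etc/pf.uplinks.both"
	}
	if ! $wan1_link || ! $wan1_ping
		set-state wan2only
	if ! $wan2_link || ! $wan2_ping
		set-state wan1only
}

state wan1only {
	init {
		run "pfctl -a uplinks -D gw2=$(awk '/option routers/ { gw = substr($3, 1, length($3) - 1) } END { print gw }' /var/db/dhclient.leases.fxp1) -f /etc/pf.uplinks.wan1"
	}
	if $wan2_link && $wan2_ping
		set-state both
}

state wan2only {
	init {
		run "pfctl -a uplinks -D gw2=$(awk '/option routers/ { gw = substr($3, 1, length($3) - 1) } END { print gw }' /var/db/dhclient.leases.fxp1) -f /etc/pf.uplinks.wan2"
	}
	if $wan1_link && $wan1_ping
		set-state both
}
```

The probe rules are kept in every anchor file on purpose: with multipath routing the kernel would otherwise send both pings out of whichever default it picks, and a dead uplink could look alive because its probe went out the other one. `pfctl -a uplinks -sr` shows which set of rules is currently loaded, which is the first thing to check when traffic does not move the way the state machine says it should.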



Re: Firewall: Where is the bottleneck?

2014-10-09 Thread Andy

Hi,

Just so I understand what you have done, PRIQ is not the same as queuing.

You can set a simple prio on a rule like;
pass proto tcp from $left to $right set prio (1,4)

But this doesn't manage the situations where you have lots of different 
types/profiles of traffic on your network.
For example you might have some big file transfers going on which can be 
delayed and can have a high latency but high throughput, alongside your 
control/real-time protocols which need low latency etc.
Generally in this situation just using prio won't always be enough and 
your file transfers will still swamp your Interactive SSH or VNC 
connections etc..


So we do something like this;

altq on $if_trunk1 bandwidth 4294Mb hfsc queue { _wan }
oldqueue _wan on $if_trunk1 bandwidth 4290Mb priority 15 hfsc(linkshare 4290Mb, upperlimit 4290Mb) { _wan_rt, _wan_int, _wan_pri, _wan_vpn, _wan_web, _wan_dflt, _wan_bulk }
oldqueue _wan_rt on $if_trunk1 bandwidth 20% priority 7 qlimit 50 hfsc(realtime(20%, 5000, 10%), linkshare 20%)
oldqueue _wan_int on $if_trunk1 bandwidth 10% priority 5 qlimit 100 hfsc(realtime 5%, linkshare 10%)
oldqueue _wan_pri on $if_trunk1 bandwidth 10% priority 4 qlimit 100 hfsc(realtime(15%, 2000, 5%), linkshare 10%)
oldqueue _wan_vpn on $if_trunk1 bandwidth 30% priority 3 qlimit 300 hfsc(realtime(15%, 2000, 5%), linkshare 30%)
oldqueue _wan_web on $if_trunk1 bandwidth 10% priority 2 qlimit 300 hfsc(realtime(10%, 3000, 5%), linkshare 10%)
oldqueue _wan_dflt on $if_trunk1 bandwidth 15% priority 1 qlimit 100 hfsc(realtime(10%, 5000, 5%), linkshare 15%, ecn, default)
oldqueue _wan_bulk on $if_trunk1 bandwidth 5% priority 0 qlimit 100 hfsc(linkshare 5%, upperlimit 30%, ecn, red)


altq on $if_trunk2 bandwidth 4294Mb hfsc queue { _wan }
oldqueue _wan on $if_trunk2 bandwidth 4290Mb priority 15 hfsc(linkshare 4290Mb, upperlimit 4290Mb) { _wan_rt, _wan_int, _wan_pri, _wan_vpn, _wan_web, _wan_dflt, _wan_bulk }
oldqueue _wan_rt on $if_trunk2 bandwidth 20% priority 7 qlimit 50 hfsc(realtime(20%, 5000, 10%), linkshare 20%)
oldqueue _wan_int on $if_trunk2 bandwidth 10% priority 5 qlimit 100 hfsc(realtime 5%, linkshare 10%)
oldqueue _wan_pri on $if_trunk2 bandwidth 10% priority 4 qlimit 100 hfsc(realtime(15%, 2000, 5%), linkshare 10%)
oldqueue _wan_vpn on $if_trunk2 bandwidth 30% priority 3 qlimit 300 hfsc(realtime(15%, 2000, 5%), linkshare 30%)
oldqueue _wan_web on $if_trunk2 bandwidth 10% priority 2 qlimit 300 hfsc(realtime(10%, 3000, 5%), linkshare 10%)
oldqueue _wan_dflt on $if_trunk2 bandwidth 15% priority 1 qlimit 100 hfsc(realtime(10%, 5000, 5%), linkshare 15%, ecn, default)
oldqueue _wan_bulk on $if_trunk2 bandwidth 5% priority 0 qlimit 100 hfsc(linkshare 5%, upperlimit 30%, ecn, red)


pass quick proto { tcp, udp } from { (vlan1:network) } to { (vlan234:network) } port { 4569, 5060, 1:2 } queue _wan_rt set prio 7
pass quick proto { tcp, udp } from { (vlan1:network) } to { (vlan234:network) } port { 53, 123, 5900 } queue _wan_pri set prio 4
pass quick proto { tcp } from { (vlan1:network) } to { (vlan234:network) } port { 80, 443 } queue (_wan_web,_wan_pri) set prio (2,4)
pass quick proto { tcp } from { (vlan1:network) } to { (vlan234:network) } port { ssh } queue (_wan_bulk,_wan_int) set prio (0,5)

.
. All the other rules needing higher priority than the rest
.
pass quick proto { tcp, udp, icmp } from { (vlan1:network) } to { (vlan234:network) } queue (_wan_bulk,_wan_pri) set prio (0,4)



NB; This is the old syntax for queues and I strongly recommend reading 
the 3rd edition of "The book of PF" (A must read for *anyone* new or old 
to OpenBSD and PF) :) and using the new syntax


The rule I use is that whenever one queue starts to get used too much 
and there is more than one type of traffic in a queue (here in this 
example I have DNS, NTP and VNC in the same queue) and if they start to 
affect each other, it's time to split the traffic out into further 
separate queues. So here you would split VNC into its own queue to stop 
VNC swamping the DNS queries :)


The priority in these queues is not the same as PRIO. These "priority" 
values don't have much impact *apparently* compared to the queues 
themselves (I just understand these to be CPU or bucket scheduling or 
something), but I've never understood how true that is, so I just set 
them to be the same number as the desired relative PRIO as that seems 
sensible.



Last but NOT least; the PRIO value gets copied into the VLAN's CoS 
header! :) So if you use VLANs like we do here on our trunks, the 
different packets will end up as frames with the prio copied in meaning 
your switches can then also maintain the layer 3 QoS in the layer 2 
CoS... Amazing stuff :)



Good luck

Andrew Lemin

*** looking forward to 64bit queues! :) ***



On 08/10/14 20:49, jum...@yahoo.de wrote:

Hi Andy,

This morning I have ad

Re: Connection drop (i.e. IRC) caused by pf/pfsync/carp/...?

2014-10-09 Thread Andy
I have seen this when the allowed number of states is too low and PF 
clears the idle states too early..

See http://www.openbsd.org/faq/pf/options.html;
set optimization/option/

Good luck, Andy.


On 09/10/14 14:58, Paul S. wrote:
> I can confirm that we've seen this with any long running TCP 
> connections in environments where pf was literally only sampling 
> packets for pflow (not even actually firewalling.)
>
> Removing pf from the equation fixed the problem right up.
>
> 5.5 current was what I was running at the time.
>
> On 10/9/2014 午後 10:52, Nicolas Christener wrote:
>> Hello
>>
>> We have a somewhat curious issue and have run out of ideas ;)
>>
>> We do not have a trigger to reproduce the issue, but we for example see
>> some IRC disconnects from users behind our firewall.
>>
>> What we have:
>> - two HP Proliant DL360 G5 with Broadcom BCM5708 NICs, 2GB RAM,
>>Intel Xeon E5335@2.0GHz
>> - OpenBSD 5.5
>> - trunk between the two NICs
>> - 13 VLANs interfaces with carp failover
>> - one VLAN for pfsync
>> - ospfd and ospf6d
>> - approx. 200Mbit/s of traffic
>> - the initial pfsync takes quite long (~1h)
>>
>> The setup looks like this (not sure if relevant):
>> - both servers have a failover trunk with two interfaces
>> - all traffic including pfsync is sent over this trunk
>> - the problem also occurs, if we disable one box
>>
>> What happens/what we tried:
>> The main issue is, that we occasionally see broken SSH connections and
>> quite a lot of broken IRC connections during the day. It looks a bit
>> like the problem happens more in the evening - however we do not see a
>> correlation with the amount of traffic or number of connections.
>> As a first reaction we updated to the latest stable OpenBSD release
>> which didn't solve the issue. Afterwards we replaced the onboard
>> Broadcom NIC with a PCIe Intel 82576 (em driver) card, however this card
>> seems to cause some new issues - i.e. we see quite some input (rx)
>> errors using "netstat -i". Because we don't see such errors using the
>> Broadcom NICs we decided to not investigate this issue any further and
>> switch back to the Broadcom setup.
>> Besides those steps we also disabled one of the boxes by stopping ospf
>> and removing the carp interfaces - however, the disconnects didn't go
>> away.
>> Furthermore we also checked if any state-tables are overflowing and we
>> didn't find any suspicious kernel messages either.
>>
>> We have quite a similar setup which doesn't show those issues - however
>> we don't have the same amount of traffic over those systems.
>>
>> I uploaded some information about the system to this place:
>> * sysctl -a http://dpaste.com/08VBA93
>> * pfctl (w/o rules and states) http://dpaste.com/2BBJG5P
>> Feel free to ask for more if needed.
>>
>> Long story short; do you have any hints or ideas where we could look
>> next? Did you ever see such a problem in another setup? At least to me,
>> it looks like long-during sessions (like IRC) are somehow affected -
>> does this ring some bells?
>>
>> I appreciate any hints and hope that I didn't miss any important
>> information - otherwise feel free to bug me.
>>
>> Thanks in advance and have a nice day!
>>
>> Kind regards,
>> Nicolas



Changing root password from stdin value

2014-10-09 Thread Nux!
Hello,

I'm trying to get some scripts working which would take a password from stdin 
and set it for root.
In Linux "passwd --stdin" is used, in FreeBSD "pw mod user root -h 0". How 
would I do this in OpenBSD?

Thanks,
Lucian

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro



Re: Changing root password from stdin value

2014-10-09 Thread Sébastien Marie
On Thu, Oct 09, 2014 at 06:22:05PM +0100, Nux! wrote:
> Hello,
> 
> I'm trying to get some scripts working which would take a password from stdin 
> and set it for root.
> In Linux "passwd --stdin" is used, in FreeBSD "pw mod user root -h 0". How 
> would I do this in OpenBSD?
> 
> Thanks,
> Lucian
> 

Hi,

You could use encrypt(1) + usermod(1).

encrypt will encrypt passwords from the command line or standard input.
usermod will accept an already-encrypted password.

-- 
Sébastien Marie



Re: Changing root password from stdin value

2014-10-09 Thread Nux!
Thanks, that worked great!

Lucian

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

- Original Message -
> From: "Sébastien Marie" 
> To: "Nux!" 
> Cc: misc@openbsd.org
> Sent: Thursday, 9 October, 2014 18:48:54
> Subject: Re: Changing root password from stdin value

> On Thu, Oct 09, 2014 at 06:22:05PM +0100, Nux! wrote:
>> Hello,
>> 
>> I'm trying to get some scripts working which would take a password from stdin
>> and set it for root.
>> In Linux "passwd --stdin" is used, in FreeBSD "pw mod user root -h 0". How 
>> would
>> I do this in OpenBSD?
>> 
>> Thanks,
>> Lucian
>> 
> 
> Hi,
> 
> You could use encrypt(1) + usermod(1).
> 
> encrypt will encrypt passwords from the command line or standard input.
> usermod will accept an already-encrypted password.
> 
> --
> Sébastien Marie



openbsd "sysprep"?

2014-10-09 Thread Nux!
Hi,

I'm trying to build a Cloudstack OpenBSD template and I need to do a bit of 
cleaning up on it before I let people use it.
Besides changing the password, wiping the shell history, ssh keys, random seed 
and /var/log stuff, what else should I be doing to trigger a more "unique" 
installation?

Lucian

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro



Re: Question re dhclient.conf

2014-10-09 Thread Duncan Patton a Campbell
On Mon, 29 Sep 2014 10:24:44 -0400
Jiri B  wrote:

> On Mon, Sep 29, 2014 at 08:03:14AM -0600, Duncan Patton a Campbell wrote:
> > My purpose here is to allow dynamic dns updates 
> > via nsupdate from dhcp clients where addresses 
> > are subject to change.  I have a solution that
> > will remain stable so long as the !command 
> > hook in hostname.if remains stable.  This is
> > not as good as the dhclient.conf script interface
> > as it can't exclude calls that don't change 
> > the interface, but hey... 
> > 
> > # more /etc/hostname.nfe0
> > dhcp
> > !/usr/local/sbin/dydns.sh $if
> 
> This is executed only during boot or explicitly
> via netstart. So you believe your IP won't be changed
> by DHCP.
> 
> j.
> 

For the use that I wanted it is sufficient: code to park on a 
remote box that may be connected (manually) for occasional 
maintenance.  If it's reasonable from other perspectives I
think it would be good to reinclude the external command 
option in dhclient.conf.  Otherwise monitoring the dhcp lease
with the -L flag I had not thought of but does provide the 
necessary trigger to update dns.

Thanks,

Dhu

-- 
Ne obliviscaris, vix ea nostra voco.



Re: Changing root password from stdin value

2014-10-09 Thread Nick Holland

On 10/09/14 13:21, Nux! wrote:

Hello,

I'm trying to get some scripts working which would take a password
from stdin and set it for root. In Linux "passwd --stdin" is used, in
FreeBSD "pw mod user root -h 0". How would I do this in OpenBSD?

Thanks, Lucian



in addition to the already provided tip... consider this:

Disable root password logins completely.  Change the (encrypted) 
password to something nonsense or one or 13 "*"s, and use either sudo or 
SSH keys to get root access.  This has the added advantages of no one 
having "extra" access by having root pw, no need to share/distribute 
root pw, etc.  And unlike a number of other Unixes, this works very nicely.


Nick.
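A small POSIX sh helper that puts Sébastien's encrypt(1) + usermod tip and Nick's lock-the-root-password advice into one script. This is an added example, not code from the thread; it assumes OpenBSD's encrypt(1) with -b and usermod(8) with -p, and the hash-format check, the lock helper and the master.passwd audit function (password_field_is_locked) are my own additions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes OpenBSD encrypt(1) -b and
# usermod(8) -p; the checks below are my own additions.

# True if $1 looks like a bcrypt hash as printed by "encrypt -b":
# "$2b$" + two-digit cost + "$" + 53 chars = 60 chars in total.
is_bcrypt_hash() {
    case "$1" in
        '$2b$'[0-9][0-9]'$'*) [ "${#1}" -eq 60 ] ;;
        *) return 1 ;;
    esac
}

# Read one line of plaintext from stdin, hash it with encrypt(1) and hand
# only the hash to usermod. The plaintext never appears on a command line,
# so it is not visible in ps(1) output or in shell history.
set_root_password_from_stdin() {
    hash=$(head -n 1 | encrypt -b 10) || return 1
    # If encrypt printed nothing, "usermod -p '' root" would leave root
    # with an empty password field, i.e. passwordless login. Refuse.
    is_bcrypt_hash "$hash" || {
        echo "refusing to apply a malformed hash" >&2
        return 1
    }
    usermod -p "$hash" root
}

# Nick's alternative: an unmatchable hash so no password logs in as root;
# root access then goes through sudo or SSH keys only.
lock_root_password() {
    usermod -p '*************' root
}

# Audit helper: given one master.passwd line, succeed only if the password
# field is locked (starts with "*") rather than empty or a real hash.
password_field_is_locked() {
    field=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$field" in
        '*'*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Usage (as root):
#   printf '%s\n' "$newpw" | sh -c '. ./rootpw.sh; set_root_password_from_stdin'
```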



Which is the better way to use softraid?

2014-10-09 Thread tmw

Hello

It seems I will be moving on up, and replacing an old P4 (that I  
pulled out of the trash and have been using with openbsd as a mail  
server and such) with a much newer/fancier computer.


I was reading about softraid, and saw the suggestions about using  
softraid and altroot.  I understand that raid is not a panacea; but, I  
am planning on taking advantage of it.


So, when I look at the FAQ, it says (in crude summary):  use fdisk to  
make openbsd partitions; then, use disklabel and make partitions for  
softraid; then use bioctl to assemble then softraid; then use  
disklabel to create partition/s in the created softraid volume.


Seems easy enough.

Now, if there are going to be multiple partitions for the install  
(e.g. /home, /var, etc.), my question is, which is better:


A:  Is it better to make "larger" initial partitions for raid  
assembly, and then use disklabel to create multiple partitions within  
that one softraid volume (i.e.:  one big softraid volume sd0, broken  
up into sd0a, sd0b, sd0c...)?


B:  Is it better to make several smaller install partitions, and then  
assemble multiple softraid volumes, and then use disklabel to place  
only one (or two?) system partitions in each softraid volume (i.e.:  
multiple softraids like sd0, sd1, sd2..., each with only one partition  
like sd0a, sd1a, sd2a...)?


C:  Or, does it not matter?

My limited (ok, non-existent) knowledge and/or understanding of disk  
I/O makes it impossible for me to begin to even guess what may be best.


Thanks
Ted



rrdtool troubles after 5.4->5.5 upgrade

2014-10-09 Thread Steven Surdock
As required for the upgrade I exported all my rrd's and they appear correct, 
but when I performed a 'restore' on the upgraded 5.5 system the dates appeared 
to become advanced by 136 years.

These are for Cacti and interestingly, cacti shows graphs for the old data, but 
not for data collected after the upgrade.  The rrd's are being updated, but 
with a recent date.


--5.4 EXPORTED RRD-
[rrdtool XML dump: element tags lost in extraction; only the numeric values survived]

--5.5 RESTORED then EXPORTED RRD-
[rrdtool XML dump: element tags lost in extraction; only the numeric values survived]


-Steve S.



Re: Which is the better way to use softraid?

2014-10-09 Thread Nick Holland

On 10/09/14 14:24, t...@wynnychenko.com wrote:
...

Now, if there are going to be multiple partitions for the install (e.g.
/home, /var, etc.), my question is, which is better:

A:  Is it better to make "larger" initial partitions for raid assembly,
and then use disklabel to create multiple partitions within that one
softraid volume (i.e.:  one big softraid volume sd0, broken up into
sd0a, sd0b, sd0c...)?


YES


B:  Is it better to make several smaller install partitions, and then
assemble multiple softraid volumes, and then use disklabel to place only
one (or two?) system partitions in each softraid volume (i.e.: multiple
softraids like sd0, sd1, sd2..., each with only one partition like sd0a,
sd1a, sd2a...)?


NO! NO! NO! (generally :)


C:  Or, does it not matter?

My limited (ok, non-existent) knowledge and/or understanding of disk I/O
makes it impossible for me to begin to even guess what may be best.


it matters. :)

The point of RAID isn't just to build the array, but to maintain it, 
including replacing failed elements.


So, you replace a failed disk and restart the mirroring process.  If you 
have one softraid volume, you just start it and let it go.  If you have 
multiple softraid volumes, you will have to rebuild each.  So, you have 
to either do them sequentially or at the same time.  Sequentially 
requires watching for one remirror to finish before starting the next, 
so you have to be hovering over the server.  So why not just start them 
all at the same time?  If on different physical disks, sure, go for it. 
 But on one disk?  you will end up with some horrific thrashing of the 
heads as it mirrors a block here and another block over there.  Your 
rebuild time may be 20x to 100x as slow as doing one volume at a time, 
your disks will make unpleasant noises, and you may just break your 
remaining disk before the rebuild is complete.  Remirroring a 2T disk 
may take more than a day...so twenty times as long is bad, one hundred 
times as long is a complete disaster.  Should you need to be FSCK'ing a 
disk while a rebuild is happening (you want to avoid this, really) 
things can get really really slow.


Nick.



Re: Changing root password from stdin value

2014-10-09 Thread Артур Истомин
On Thu, Oct 09, 2014 at 02:23:54PM -0400, Nick Holland wrote:
> On 10/09/14 13:21, Nux! wrote:
> >Hello,
> >
> >I'm trying to get some scripts working which would take a password
> >from stdin and set it for root. In Linux "passwd --stdin" is used, in
> >FreeBSD "pw mod user root -h 0". How would I do this in OpenBSD?
> >
> >Thanks, Lucian
> >
> 
> in addition to the already provided tip... consider this:
> 
> Disable root password logins completely.  Change the (encrypted) password to
> something nonsense or one or 13 "*"s, and use either sudo or SSH keys to get
> root access.  This has the added advantages of no one having "extra" access
> by having root pw, no need to share/distribute root pw, etc.  And unlike a
> number of other Unixes, this works very nicely.

Ubuntu-style? :)