Re: Removal of old libraries
Jan Stary wrote on 11/14/16 03:00:
> On Nov 14 00:14:19, pa...@ecentryx.com wrote:
>> But the very next step in the upgrade blows away the system by overwriting it anyway. Right?
>> What could happen? What if following the normal procedure of untarring the OS sets on top of the existing system fails midway? Then you have an inconsistent system too.
>
> Yes, you have an inconsistent system, as opposed to nothing.

This sounds like someone who is not confident in their backup/restore procedure, if one even exists. I think you need to worry more about that than me saving a few megabytes with my upgrade process. Like I mentioned a couple times in the thread, I have "level 0" dumps; that's consistency. I would not classify that as "nothing." There is a reason why restore(8) and ftp(1) are included on bsd.rd.

This behavior of mine may stem from my days as a hard-real-time embedded systems engineer where we had to get rid of every single byte that did not matter. I used to count the assembly instructions and add up all the clock cycles for each hardware interrupt routine to make sure we would never stall/slow the system. I just like minimal I guess.

> Say I compile a C program on your system, which gets linked to /usr/lib/libc.so.84.2. After an upgrade, my program no longer works.

Bad, bad admin! Oh yeah, and before you know it your crufty libc.so.84.2 is 2 years old and full of security vulnerabilities. Thank god your users can still use it and you don't have to bother them with a recompile. I thought the philosophy of the project is to move forward for the sake of proactive security and correctness, not to rely on buggy legacy code because it's convenient and lazy.
Re: Mount HDD USB on 6.0 Stable: Fail
On 11/14/16 13:03, Alexey Vatchenko wrote:
> Unfortunately, from time to time FUSE hangs my system. So I have to
> use -F to disable FUSE.

$ /usr/local/libexec/hotplug-diskmount cleanup 3AS
$ /usr/local/libexec/hotplug-diskmount attach -u $USER -m 0700 -F 3AS
$ mount
/dev/sd0a on / type ffs (local, wxallowed, softdep)
/dev/sd0l on /home type ffs (local, nodev, nosuid, wxallowed, softdep)
/dev/sd0d on /tmp type ffs (local, nodev, nosuid, softdep)
/dev/sd0f on /usr type ffs (local, nodev, wxallowed, softdep)
/dev/sd0g on /usr/X11R6 type ffs (local, nodev, softdep)
/dev/sd0h on /usr/local type ffs (local, nodev, wxallowed, softdep)
/dev/sd0k on /usr/obj type ffs (local, nodev, nosuid, wxallowed, softdep)
/dev/sd0i on /usr/ports type ffs (local, nodev, nosuid, wxallowed, softdep)
/dev/sd0j on /usr/src type ffs (local, nodev, nosuid, softdep)
/dev/sd0e on /var type ffs (local, nodev, nosuid, softdep)

Here, the disk is not displayed!?

$ ls -la /vol/
total 16
drwxr-xr-x   4 root  wheel  512 Nov 15 08:07 .
drwxr-xr-x  14 root  wheel  512 Nov  6 18:19 ..
drwx------   2 root  wheel  512 Nov 15 08:07 .db
drwx------   2 zou   wheel  512 Nov 15 08:07 3AS
$ ls -la /vol/3AS/
total 8
drwx------   2 zou   wheel  512 Nov 15 08:07 .
drwxr-xr-x   4 root  wheel  512 Nov 15 08:07 ..

Nothing ?!

--
~ " Fully Basic System Distinguish Life! "
~ " Libre as a BSD "
+=<<< Stephane HUC as PengouinPdt or CIOTBSD
b...@stephane-huc.net
Re: Mount HDD USB on 6.0 Stable: Fail
Ok, last night I formatted my HDD again under Windows 7, in NTFS (normal mode). This took more than 3 hours. After that I connected it to my laptop under OBSD. It's the same result.

$ disklabel sd1
# /dev/rsd1c:
type: SCSI
disk: SCSI disk
label: 3AS
duid:
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 255
sectors/cylinder: 16065
cylinders: 38913
total sectors: 625142448
boundstart: 0
boundend: 625142448
drivedata: 0

16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  c:        625142448                0  unused
  i:        625139712             2048   MSDOS

Always, fstype appears as MSDOS!

On 11/13/16 21:57, David Coppa wrote:
> On Sun, 13 Nov 2016, Stephane HUC "CIOTBSD" wrote:
>
>> $ disklabel sd1
>> # /dev/rsd1c:
>> type: SCSI
>> disk: SCSI disk
>> label: 3AS
>> duid:
>> flags:
>> bytes/sector: 512
>> sectors/track: 63
>> tracks/cylinder: 255
>> sectors/cylinder: 16065
>> cylinders: 38913
>> total sectors: 625142448
>> boundstart: 0
>> boundend: 625142448
>> drivedata: 0
>>
>> 16 partitions:
>> #                size           offset  fstype [fsize bsize   cpg]
>>   c:        625142448                0  unused
>>   i:        625139712             2048   MSDOS
>                                            ^^^
>
> Now that I've read your mail carefully...
>
> Why is your disk of type "MSDOS"?
>
> It should be "NTFS".
>
> Here's the output of disklabel for a ntfs formatted pendrive I have
> here:
>
> ---8<---
>
> # /dev/rsd2c:
> type: SCSI
> disk: SCSI disk
> label: TS4GJFV30
> duid:
> flags:
> bytes/sector: 512
> sectors/track: 63
> tracks/cylinder: 255
> sectors/cylinder: 16065
> cylinders: 498
> total sectors: 8011774
> boundstart: 0
> boundend: 8011774
> drivedata: 0
>
> 16 partitions:
> #                size           offset  fstype [fsize bsize   cpg]
>   c:          8011774                0  unused
>   i:          8009726             2048    NTFS
>
> ---8<---
>
> Ciao!
> David

--
~ " Fully Basic System Distinguish Life! "
~ " Libre as a BSD "
+=<<< Stephane HUC as PengouinPdt or CIOTBSD
b...@stephane-huc.net
Re: Why on earth would online voting be insecure?
So yes, back to my original point. A civics blockchain, one that does not rely on the integrity of (or rather is resilient to) the system it runs on, or the security of the transmission media, as a platform for use in civics needs to exist first. Block-chains are relatively new and we are still discovering properties and flaws in them, but I think if you view them as a data-structure and as being useful for certain things, they potentially mitigate a lot of traditional security concerns. But we are a long way away from having them adopted as an everyday tool.

I've been on the NZ government panel on on-line voting, and submitted a submission to the Canada electoral commission whilst living here. Unfortunately people view on-line voting and make the false comparison to banks: the "Well if some SSL secured website cluster, backed by some $sql database, in some $secure data centre is good enough for banks ..." fallacy, all the time. The problem is a bank is a centralised system; they have legal responsibilities and make calculated risk assessments and have insurance coverage. You have a one to one relationship with them and have choice (arguably) over choosing them or not. The trust relationship is between you and your bank, that's it. The bank is responsible for liability to third parties, not you.

Civics engagement by necessity needs to be verifiable, independent and distributed, not reliant on central systems where you trust some entity to negotiate on your behalf. It is a lot more nuanced than it appears at first glance. Would I design a voting station to run on OpenBSD ... sure ... but I would also design it to work on Linux, Windows or an abacus.

The paper comparison is a good one: block-chains provide a ledger verifiable by hand (yes with some hard math, but doable) but unlike paper can't be lost, or tampered with (the court is still out on exactly the best ways to implement this ...) and don't care how much they get graffiti'd on during passing around.
You can also check your vote went to where you wanted it to go. Talking about traditional databases and application system designs is simply the wrong mindset.

On 15 November 2016 at 00:03, gwes wrote:
> On 11/14/2016 22:19, Alan Corey wrote:
>
>> OK, it's relevant to OpenBSD because I wouldn't consider anything else
>> safe enough to run on the servers. Not that I'm in a position to do
>> any of it. The servers could even be run from custom official live
>> CDs so they were harder to tamper with, with maybe a RAM drive for
>> speed.
>>
>> There seems to be a conflict between having anonymous votes and having
>> something similar to paper ballots that can be recounted. So let
>> authentication, identification, etc. be handled by one machine and
>> stored in one database then the transaction is handed over to another
>> machine which stores the votes. That could be something simple like a
>> tab-delimited file which could be counted by hand, one line per voter.
>> The file could be only writeable by the owner. The same person can't
>> vote twice because the first machine wouldn't allow them in a second
>> time.
>>
> How do you know if the voter is under duress or being watched?
>
> Paper can last two thousand years. It's pretty easy to make
> paper that can't be duplicated in any useful quantity.
> Functionally indelible ink, too.
>
> Using machines to assist voting is a good thing.
> Physical objects are much more convincing and easier to secure.
>
> Oh yes -- the magic ghost Intel has put in every processor
> for years. With a secret key -- security by obscurity.
> Disk drives can be secretly reprogrammed. Network interfaces
> have microcode, too. The memory system is also vulnerable
> to secret tampering. All of these are back doors which are
> or could be in place.
>
> Securing the system is far harder than securing a program
> or group of programs.
>
> Geoff Steckel
Re: Why on earth would online voting be insecure?
On 11/14/2016 22:19, Alan Corey wrote:
> OK, it's relevant to OpenBSD because I wouldn't consider anything else
> safe enough to run on the servers. Not that I'm in a position to do
> any of it. The servers could even be run from custom official live
> CDs so they were harder to tamper with, with maybe a RAM drive for
> speed.
>
> There seems to be a conflict between having anonymous votes and having
> something similar to paper ballots that can be recounted. So let
> authentication, identification, etc. be handled by one machine and
> stored in one database then the transaction is handed over to another
> machine which stores the votes. That could be something simple like a
> tab-delimited file which could be counted by hand, one line per voter.
> The file could be only writeable by the owner. The same person can't
> vote twice because the first machine wouldn't allow them in a second
> time.

How do you know if the voter is under duress or being watched?

Paper can last two thousand years. It's pretty easy to make paper that can't be duplicated in any useful quantity. Functionally indelible ink, too.

Using machines to assist voting is a good thing. Physical objects are much more convincing and easier to secure.

Oh yes -- the magic ghost Intel has put in every processor for years. With a secret key -- security by obscurity. Disk drives can be secretly reprogrammed. Network interfaces have microcode, too. The memory system is also vulnerable to secret tampering. All of these are back doors which are or could be in place.

Securing the system is far harder than securing a program or group of programs.

Geoff Steckel
Re: Why on earth would online voting be insecure?
OK, it's relevant to OpenBSD because I wouldn't consider anything else safe enough to run on the servers. Not that I'm in a position to do any of it. The servers could even be run from custom official live CDs so they were harder to tamper with, with maybe a RAM drive for speed.

There seems to be a conflict between having anonymous votes and having something similar to paper ballots that can be recounted. So let authentication, identification, etc. be handled by one machine and stored in one database, then the transaction is handed over to another machine which stores the votes. That could be something simple like a tab-delimited file which could be counted by hand, one line per voter. The file could be only writeable by the owner. The same person can't vote twice because the first machine wouldn't allow them in a second time.

I'm assuming there's physical security over the server room; if that was compromised all bets are off. When I last voted I verbally identified myself to one person who handed me my ballot, which I checked off in pencil, then identified myself to another worker who cranked my ballot into a simple counting machine about 40 years old. Yes, if one person got access to the files in seclusion they could alter something assuming they were root; that would have to be as impossible as erasing the pencil marks on the ballots and changing them. I assume there are always multiple scrupulous workers present.

It doesn't have to be an SSN, a driver's license number would work as well. Some long number known mostly only to the voter and to the government which doesn't arrive by the same mailing as the key the town sends. Somewhat analogous to a public key, with the private key being the number the town mails each voter for each election.
Laziness isn't the only reason to do this. I would hope to expand it to maybe a weekly vote on things that are put to the House and Senate so there's direct input from voters instead of only electing people who do their voting. There probably wouldn't be a lot of interest, but being able to provide feedback to elected representatives could be useful; conversely there would be statistics on what percentage of the time they voted as the public wanted.

Instead of voting with a web browser, there might be some security to be gained by using a dedicated client. Or voting from something like an Android phone (I have no experience with iOS). Android security seems almost excessive. Incorporating the phone numbers on each end could be useful although not to be trusted as identification by itself. An app could connect to a phone number and load a ballot, fill it out offline, then dial another number to submit it in milliseconds which lessens the load on the server. For that matter you could produce live CDs to be booted and used only for voting, any operating system you want.

I think bouncing ideas off a community of knowledgeable computer hobbyists and professionals is a useful thing to do. I became an OpenBSD user about 2001 because I inherited a Linux box at my job that had been root kitted and I needed something more secure; it's still my first choice. I later firewalled the entire office through another OpenBSD box, it worked very well. So yes, security in academia where student records were concerned, we had thousands of transcripts.

--
Credit is the root of all evil. - AB1JX
Re: Why on earth would online voting be insecure?
On Mon, Nov 14, 2016 at 2:52 PM, Alan Corey wrote:
> This sounds like heel-dragging to me, or they're trying to do it under
> Windows or something:
> https://www.washingtonpost.com/news/post-nation/wp/2016/05/17/more-than-30-states-offer-online-voting-but-experts-warn-it-isnt-secure/
>
> It seems simple to me, you use firewalls and only make the results

https://twitter.com/mattblaze/status/788800648942944258
Re: Why on earth would online voting be insecure?
You need a civic blockchain or some-such that guarantees data integrity and agnosticism of the platform that anyone can verify. The interface into / mechanics once you have a blockchain which you can issue tokens from is the simple bit. Not sure this is relevant for this list tho.

-Joel

On 14 November 2016 at 17:52, Alan Corey wrote:
> This sounds like heel-dragging to me, or they're trying to do it under
> Windows or something:
> https://www.washingtonpost.com/news/post-nation/wp/2016/05/17/more-than-30-states-offer-online-voting-but-experts-warn-it-isnt-secure/
>
> It seems simple to me, you use firewalls and only make the results
> writeable by the process that should be writing to it, probably
> nothing needs to have read access in the short term. As far as
> security after the election, mount the servers in a Brinks truck or
> something, it just sounds like a ludicrous excuse.
>
> Something like: for each election the town government mails you a
> random number that's your key to vote that election. You go to a
> website and put in your town, name, SSN, and the key. If somebody
> steals the mail they won't have your SSN. If Russian hackers or
> whoever tries to impersonate you online they won't have the key. It's
> bringing those 2 pieces of information plus your name and town
> together that makes it secure. Just guessing. Did I overlook anything?
>
> --
> Credit is the root of all evil. - AB1JX
Re: Why on earth would online voting be insecure?
[Off-topic; sorry. It's important to remind people of this issue, but I won't follow up any further.]

This sort of security, no matter how well done, doesn't address one of the very important but often forgotten features of voting in person at a polling place: it makes it very difficult to buy or extort votes, since there's no way to reliably confirm how someone actually voted. With online (or by mail, etc) voting there's nothing to prevent someone from watching while a vote is cast.

Dave

On Mon, 14 Nov 2016, Alan Corey wrote:
> This sounds like heel-dragging to me, or they're trying to do it under
> Windows or something:
> https://www.washingtonpost.com/news/post-nation/wp/2016/05/17/more-than-30-states-offer-online-voting-but-experts-warn-it-isnt-secure/
>
> It seems simple to me, you use firewalls and only make the results
> writeable by the process that should be writing to it, probably
> nothing needs to have read access in the short term. As far as
> security after the election, mount the servers in a Brinks truck or
> something, it just sounds like a ludicrous excuse.
>
> Something like: for each election the town government mails you a
> random number that's your key to vote that election. You go to a
> website and put in your town, name, SSN, and the key. If somebody
> steals the mail they won't have your SSN. If Russian hackers or
> whoever tries to impersonate you online they won't have the key. It's
> bringing those 2 pieces of information plus your name and town
> together that makes it secure. Just guessing. Did I overlook anything?

--
Dave Anderson
Re: OSPFD over IPSEC
On 14 November 2016 22:50, "Remi Locherer" wrote:
> On Mon, Nov 14, 2016 at 04:50:21PM +, Comète wrote:
>> On 14 November 2016 14:50, "Remi Locherer" wrote:
>>> On 2016-11-14 12:48, Comète wrote:
>>>> Hi,
>>>> I'm trying to run OSPFD over IPSEC with OpenBSD 6.0 stable, so I first
>>>> start looking at http://undeadly.org/cgi?action=article&sid=20131105075303
>>>> Now that etherip has its own interface in 6.0, I tried to replace gif with
>>>> etherip like this:
>>>
>>> [...]
>>>
>>> Can you show pf.conf? Are there any blocks if you check on pflog0 with tcpdump?
>>>
>>> But why do you want to have Ethernet frames tunneled? If you use gif interfaces
>>> and make ospfd being active on it you save a few bits. That way you can make
>>> the MTU bigger. https://cway.cisco.com/tools/ipsec-overhead-calc can give you
>>> an idea how big your MTU can be (needs an account but is free).
>>>
>>> Be careful when configuring gif interfaces. ospfd only recognizes that it is a
>>> point-to-point interface when you configure the netmask as 255.255.255.255.
>>
>> I finally got it working. I forgot the 'link2' option in /etc/hostname.bridge0:
>>
>> -=>> cat /etc/hostname.bridge0
>> add etherip0
>> add vether0
>> up link2
>>
>> but it wasn't enough...
>> I had to set 'net.inet.etherip.allow=1' in sysctl.conf despite what is said in the 'etherip' man page:
>>
>> "The sysctl(3) variable net.inet.etherip.allow must be set to 1, unless ipsec(4) is being used to protect the traffic."
>>
>> This is what I don't understand, is there any particular case in this configuration or maybe something changed in 6.0 ?
>> thanks
>
> I can not tell you what is wrong with your configuration. I'm not using
> etherip. But why do you think you need to tunnel Ethernet? You don't need it
> for ospf. With gif interfaces you're doing ip-over-ip and don't need
> bridge and vether. Then just add the gif interface to ospfd.conf.

Ok, good to know, I will test this too.

In fact, I will need etherip for some sites where I use VLANs. But for others, IP over IP will be ok. So thank you for the advice.

If someone knows why, with etherip over IPSEC, I had to set 'net.inet.etherip.allow=1' in sysctl.conf? The question is still open...

Thanks
Why on earth would online voting be insecure?
This sounds like heel-dragging to me, or they're trying to do it under Windows or something:
https://www.washingtonpost.com/news/post-nation/wp/2016/05/17/more-than-30-states-offer-online-voting-but-experts-warn-it-isnt-secure/

It seems simple to me, you use firewalls and only make the results writeable by the process that should be writing to it, probably nothing needs to have read access in the short term. As far as security after the election, mount the servers in a Brinks truck or something, it just sounds like a ludicrous excuse.

Something like: for each election the town government mails you a random number that's your key to vote that election. You go to a website and put in your town, name, SSN, and the key. If somebody steals the mail they won't have your SSN. If Russian hackers or whoever tries to impersonate you online they won't have the key. It's bringing those 2 pieces of information plus your name and town together that makes it secure. Just guessing. Did I overlook anything?

--
Credit is the root of all evil. - AB1JX
Re: OSPFD over IPSEC
On Mon, Nov 14, 2016 at 04:50:21PM +, Comète wrote:
> On 14 November 2016 14:50, "Remi Locherer" wrote:
>> On 2016-11-14 12:48, Comète wrote:
>>> Hi,
>>> I'm trying to run OSPFD over IPSEC with OpenBSD 6.0 stable, so I first
>>> start looking at http://undeadly.org/cgi?action=article&sid=20131105075303
>>> Now that etherip has its own interface in 6.0, I tried to replace gif with
>>> etherip like this:
>>
>> [...]
>>
>> Can you show pf.conf? Are there any blocks if you check on pflog0 with tcpdump?
>>
>> But why do you want to have Ethernet frames tunneled? If you use gif interfaces
>> and make ospfd being active on it you save a few bits. That way you can make
>> the MTU bigger. https://cway.cisco.com/tools/ipsec-overhead-calc can give you
>> an idea how big your MTU can be (needs an account but is free).
>>
>> Be careful when configuring gif interfaces. ospfd only recognizes that it is a
>> point-to-point interface when you configure the netmask as 255.255.255.255.
>
> I finally got it working. I forgot the 'link2' option in /etc/hostname.bridge0:
>
> -=>> cat /etc/hostname.bridge0
> add etherip0
> add vether0
> up link2
>
> but it wasn't enough...
> I had to set 'net.inet.etherip.allow=1' in sysctl.conf despite what is said in the 'etherip' man page:
>
> "The sysctl(3) variable net.inet.etherip.allow must be set to 1, unless ipsec(4) is being used to protect the traffic."
>
> This is what I don't understand, is there any particular case in this configuration or maybe something changed in 6.0 ?
> thanks

I can not tell you what is wrong with your configuration. I'm not using etherip. But why do you think you need to tunnel Ethernet? You don't need it for ospf. With gif interfaces you're doing ip-over-ip and don't need bridge and vether. Then just add the gif interface to ospfd.conf.
Re: OSPFD over IPSEC
On 14 November 2016 14:50, "Remi Locherer" wrote:
> On 2016-11-14 12:48, Comète wrote:
>
>> Hi,
>> I'm trying to run OSPFD over IPSEC with OpenBSD 6.0 stable, so I first
>> start looking at http://undeadly.org/cgi?action=article&sid=20131105075303
>> Now that etherip has its own interface in 6.0, I tried to replace gif with
>> etherip like this:
>>
>> On one host:
>>
>> -=>> cat /etc/hostname.bridge0
>> add etherip0
>> add vether0
>> up
>> -=>> cat /etc/hostname.vether0
>> inet 10.60.10.2 255.255.255.0 NONE up
>> -=>> cat /etc/hostname.etherip0
>> tunnel 1.2.3.4 4.3.2.1
>> up
>> -=>> doas cat /etc/ipsec.conf
>> ike active esp proto etherip from 1.2.3.4 to 4.3.2.1 psk "mypassword"
>> -=>> doas ipsecctl -sa
>> FLOWS:
>> flow esp in proto etherip from 4.3.2.1 to 1.2.3.4 peer 4.3.2.1 srcid 1.2.3.4/32 dstid 4.3.2.1/32 type use
>> flow esp out proto etherip from 1.2.3.4 to 4.3.2.1 peer 4.3.2.1 srcid 1.2.3.4/32 dstid 4.3.2.1/32 type require
>> SAD:
>> esp tunnel from 4.3.2.1 to 1.2.3.4 spi 0x3d8e9212 auth hmac-sha2-256 enc aes
>> esp tunnel from 1.2.3.4 to 4.3.2.1 spi 0x900fc2c5 auth hmac-sha2-256 enc aes
>>
>> On the other host:
>> --
>> -=>> cat /etc/hostname.bridge0
>> add etherip0
>> add vether0
>> up
>> -=>> cat /etc/hostname.vether0
>> inet 10.60.10.1 255.255.255.0 NONE up
>> -=>> cat /etc/hostname.etherip0
>> tunnel 4.3.2.1 1.2.3.4 up
>> -=>> doas cat /etc/ipsec.conf
>> ike passive esp proto etherip from 4.3.2.1 to 1.2.3.4 psk "mypassword"
>> -=>> doas ipsecctl -sa
>> FLOWS:
>> flow esp in proto etherip from 1.2.3.4 to 4.3.2.1 peer 1.2.3.4 srcid 4.3.2.1/32 dstid 1.2.3.4/32 type use
>> flow esp out proto etherip from 4.3.2.1 to 1.2.3.4 peer 1.2.3.4 srcid 4.3.2.1/32 dstid 1.2.3.4/32 type require
>> SAD:
>> esp tunnel from 4.3.2.1 to 1.2.3.4 spi 0x3d8e9212 auth hmac-sha2-256 enc aes
>> esp tunnel from 1.2.3.4 to 4.3.2.1 spi 0x900fc2c5 auth hmac-sha2-256 enc aes
>>
>> I forgot to mention that I didn't set net.inet.etherip.allow=1 and left it set to 0, as said in the "etherip"
>> man page, because I use IPSEC.
>> As you can see the ipsec VPN is well established, but my problem is that I can't ping 10.60.10.1 from 10.60.10.2
>> and 10.60.10.2 from 10.60.10.1.
>> On each vether interface, tcpdump -nettti shows me that nothing is going out of them.
>> Any idea ?
>
> Can you show pf.conf? Are there any blocks if you check on pflog0 with tcpdump?
>
> But why do you want to have Ethernet frames tunneled? If you use gif interfaces
> and make ospfd being active on it you save a few bits. That way you can make
> the MTU bigger. https://cway.cisco.com/tools/ipsec-overhead-calc can give you
> an idea how big your MTU can be (needs an account but is free).
>
> Be careful when configuring gif interfaces. ospfd only recognizes that it is a
> point-to-point interface when you configure the netmask as 255.255.255.255.

I finally got it working. I forgot the 'link2' option in /etc/hostname.bridge0:

-=>> cat /etc/hostname.bridge0
add etherip0
add vether0
up link2

but it wasn't enough...

I had to set 'net.inet.etherip.allow=1' in sysctl.conf despite what is said in the 'etherip' man page:

"The sysctl(3) variable net.inet.etherip.allow must be set to 1, unless ipsec(4) is being used to protect the traffic."

This is what I don't understand, is there any particular case in this configuration or maybe something changed in 6.0 ?

thanks
Re: OSPFD over IPSEC
On 14 November 2016 14:50, "Remi Locherer" wrote:
> On 2016-11-14 12:48, Comète wrote:
>
>> Hi,
>> I'm trying to run OSPFD over IPSEC with OpenBSD 6.0 stable, so I first
>> start looking at http://undeadly.org/cgi?action=article&sid=20131105075303
>> Now that etherip has its own interface in 6.0, I tried to replace gif with
>> etherip like this:
>>
>> On one host:
>>
>> -=>> cat /etc/hostname.bridge0
>> add etherip0
>> add vether0
>> up
>> -=>> cat /etc/hostname.vether0
>> inet 10.60.10.2 255.255.255.0 NONE up
>> -=>> cat /etc/hostname.etherip0
>> tunnel 1.2.3.4 4.3.2.1
>> up
>> -=>> doas cat /etc/ipsec.conf
>> ike active esp proto etherip from 1.2.3.4 to 4.3.2.1 psk "mypassword"
>> -=>> doas ipsecctl -sa
>> FLOWS:
>> flow esp in proto etherip from 4.3.2.1 to 1.2.3.4 peer 4.3.2.1 srcid 1.2.3.4/32 dstid 4.3.2.1/32 type use
>> flow esp out proto etherip from 1.2.3.4 to 4.3.2.1 peer 4.3.2.1 srcid 1.2.3.4/32 dstid 4.3.2.1/32 type require
>> SAD:
>> esp tunnel from 4.3.2.1 to 1.2.3.4 spi 0x3d8e9212 auth hmac-sha2-256 enc aes
>> esp tunnel from 1.2.3.4 to 4.3.2.1 spi 0x900fc2c5 auth hmac-sha2-256 enc aes
>>
>> On the other host:
>> --
>> -=>> cat /etc/hostname.bridge0
>> add etherip0
>> add vether0
>> up
>> -=>> cat /etc/hostname.vether0
>> inet 10.60.10.1 255.255.255.0 NONE up
>> -=>> cat /etc/hostname.etherip0
>> tunnel 4.3.2.1 1.2.3.4 up
>> -=>> doas cat /etc/ipsec.conf
>> ike passive esp proto etherip from 4.3.2.1 to 1.2.3.4 psk "mypassword"
>> -=>> doas ipsecctl -sa
>> FLOWS:
>> flow esp in proto etherip from 1.2.3.4 to 4.3.2.1 peer 1.2.3.4 srcid 4.3.2.1/32 dstid 1.2.3.4/32 type use
>> flow esp out proto etherip from 4.3.2.1 to 1.2.3.4 peer 1.2.3.4 srcid 4.3.2.1/32 dstid 1.2.3.4/32 type require
>> SAD:
>> esp tunnel from 4.3.2.1 to 1.2.3.4 spi 0x3d8e9212 auth hmac-sha2-256 enc aes
>> esp tunnel from 1.2.3.4 to 4.3.2.1 spi 0x900fc2c5 auth hmac-sha2-256 enc aes
>>
>> I forgot to mention that I didn't set net.inet.etherip.allow=1 and left it set to 0, as said in the "etherip"
>> man page, because I use IPSEC.
>> As you can see the ipsec VPN is well established, but my problem is that I can't ping 10.60.10.1 from 10.60.10.2
>> and 10.60.10.2 from 10.60.10.1.
>> On each vether interface, tcpdump -nettti shows me that nothing is going out of them.
>> Any idea ?
>
> Can you show pf.conf? Are there any blocks if you check on pflog0 with tcpdump?

pf is disabled on both ends

> But why do you want to have Ethernet frames tunneled? If you use gif interfaces
> and make ospfd being active on it you save a few bits. That way you can make
> the MTU bigger. https://cway.cisco.com/tools/ipsec-overhead-calc can give you
> an idea how big your MTU can be (needs an account but is free).

I simply thought that the etherip interface was the new way to go. Anyway, I just tried the exact same config as explained here: http://undeadly.org/cgi?action=article&sid=20131105075303 with gif interfaces instead of etherip and the problem is the same, I can't ping the vether interface on the other host...

thanks for your help
Re: OSPFD over IPSEC
On 2016-11-14 12:48, Comète wrote:
> Hi,
> I'm trying to run OSPFD over IPSEC with OpenBSD 6.0 stable, so I first
> start looking at http://undeadly.org/cgi?action=article&sid=20131105075303
> Now that etherip has its own interface in 6.0, I tried to replace gif with
> etherip like this:
>
> On one host:
>
> -=>> cat /etc/hostname.bridge0
> add etherip0
> add vether0
> up
> -=>> cat /etc/hostname.vether0
> inet 10.60.10.2 255.255.255.0 NONE up
> -=>> cat /etc/hostname.etherip0
> tunnel 1.2.3.4 4.3.2.1
> up
> -=>> doas cat /etc/ipsec.conf
> ike active esp proto etherip from 1.2.3.4 to 4.3.2.1 psk "mypassword"
> -=>> doas ipsecctl -sa
> FLOWS:
> flow esp in proto etherip from 4.3.2.1 to 1.2.3.4 peer 4.3.2.1 srcid 1.2.3.4/32 dstid 4.3.2.1/32 type use
> flow esp out proto etherip from 1.2.3.4 to 4.3.2.1 peer 4.3.2.1 srcid 1.2.3.4/32 dstid 4.3.2.1/32 type require
> SAD:
> esp tunnel from 4.3.2.1 to 1.2.3.4 spi 0x3d8e9212 auth hmac-sha2-256 enc aes
> esp tunnel from 1.2.3.4 to 4.3.2.1 spi 0x900fc2c5 auth hmac-sha2-256 enc aes
>
> On the other host:
> --
> -=>> cat /etc/hostname.bridge0
> add etherip0
> add vether0
> up
> -=>> cat /etc/hostname.vether0
> inet 10.60.10.1 255.255.255.0 NONE up
> -=>> cat /etc/hostname.etherip0
> tunnel 4.3.2.1 1.2.3.4 up
> -=>> doas cat /etc/ipsec.conf
> ike passive esp proto etherip from 4.3.2.1 to 1.2.3.4 psk "mypassword"
> -=>> doas ipsecctl -sa
> FLOWS:
> flow esp in proto etherip from 1.2.3.4 to 4.3.2.1 peer 1.2.3.4 srcid 4.3.2.1/32 dstid 1.2.3.4/32 type use
> flow esp out proto etherip from 4.3.2.1 to 1.2.3.4 peer 1.2.3.4 srcid 4.3.2.1/32 dstid 1.2.3.4/32 type require
> SAD:
> esp tunnel from 4.3.2.1 to 1.2.3.4 spi 0x3d8e9212 auth hmac-sha2-256 enc aes
> esp tunnel from 1.2.3.4 to 4.3.2.1 spi 0x900fc2c5 auth hmac-sha2-256 enc aes
>
> I forgot to mention that I didn't set net.inet.etherip.allow=1 and left it set to 0, as said in the "etherip"
> man page, because I use IPSEC.
> As you can see the ipsec VPN is well established, but my problem is that I can't ping 10.60.10.1 from 10.60.10.2
> and 10.60.10.2 from 10.60.10.1.
> On each vether interface, tcpdump -nettti shows me that nothing is going out of them.
> Any idea ?

Can you show pf.conf? Are there any blocks if you check on pflog0 with tcpdump?

But why do you want to have Ethernet frames tunneled? If you use gif interfaces and make ospfd being active on it you save a few bits. That way you can make the MTU bigger. https://cway.cisco.com/tools/ipsec-overhead-calc/ can give you an idea how big your MTU can be (needs an account but is free).

Be careful when configuring gif interfaces. ospfd only recognizes that it is a point-to-point interface when you configure the netmask as 255.255.255.255.
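As an added illustration of the gif alternative Remi describes (example configuration written for this page, not taken from the thread or from any OpenBSD documentation): the same two hosts, 1.2.3.4 and 4.3.2.1, carry an IP-over-IP gif tunnel inside ESP, use a /32 netmask so ospfd treats gif0 as point-to-point, and list the interface in ospfd.conf, with no bridge, vether or etherip sysctl involved. The tunnel addresses 10.60.10.2 / 10.60.10.1 and the pre-shared key reuse the thread's values; that `ipencap` is the /etc/protocols name for IP-in-IP (protocol 4) and that the third field of an `inet` line in hostname.if(5) is the peer address on a point-to-point interface are my assumptions, to be checked against the man pages before use.

```conf
# Added example, not from the thread: OSPF over an IPsec-protected gif tunnel.
# Public peers 1.2.3.4 / 4.3.2.1, tunnel addresses 10.60.10.2 / 10.60.10.1.

### Host A (public address 1.2.3.4) ###

# /etc/hostname.gif0
# IP-over-IP tunnel. The 255.255.255.255 netmask is what makes ospfd treat
# gif0 as a point-to-point link; the last field is the peer's tunnel address
# (assumption: hostname.if(5) "inet addr netmask dest" form for p2p links).
tunnel 1.2.3.4 4.3.2.1
inet 10.60.10.2 255.255.255.255 10.60.10.1
up

# /etc/ipsec.conf
# Protect only the IP-in-IP packets exchanged by the two peers.
# Assumption: "ipencap" is protocol 4 in /etc/protocols (grep ipencap /etc/protocols).
ike active esp proto ipencap from 1.2.3.4 to 4.3.2.1 psk "mypassword"

# /etc/ospfd.conf
# Just the gif interface, as Remi suggests; no bridge, vether or etherip.
router-id 10.60.10.2
area 0.0.0.0 {
	interface gif0
}

# /etc/sysctl.conf
# A router must forward; no net.inet.etherip.allow needed here.
net.inet.ip.forwarding=1

# /etc/rc.conf.local
ospfd_flags=""

### Host B (public address 4.3.2.1) ###

# /etc/hostname.gif0
tunnel 4.3.2.1 1.2.3.4
inet 10.60.10.1 255.255.255.255 10.60.10.2
up

# /etc/ipsec.conf
# Passive side: waits for host A to initiate IKE.
ike passive esp proto ipencap from 4.3.2.1 to 1.2.3.4 psk "mypassword"

# /etc/ospfd.conf
router-id 10.60.10.1
area 0.0.0.0 {
	interface gif0
}

# /etc/sysctl.conf
net.inet.ip.forwarding=1

# /etc/rc.conf.local
ospfd_flags=""
```

Once both sides are up, `ipsecctl -sa` should show one in and one out flow for proto ipencap plus both SAs (as in the thread's etherip output), and `ospfctl show neighbor` should list the peer's router-id in state FULL.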
Re: Running OpenSMTPD at home behind a cloud proxy
Why not use opensmtpd on the VPS to relay your mail? A rule like "accept for domain example.com relay via secure://you.dynamic.dns" should do what you want if I read the man correctly.

2016-11-13 23:25 GMT+01:00 Jiri B :
> On Sun, Nov 13, 2016 at 10:51:22PM +0100, Joris Vanhecke wrote:
>> Hey all,
>>
>> I'd like to pull my emails out of the cloud and run them on a local
>> server (pcengines APU2 looks good).
>> My ISP blocks tcp ports below 1024 and sending email from a residential
>> (dynamic) IP might mark my email as spam.
>>
>> Right now I'm thinking of renting a cheap VPS and using it as a proxy
>> for my home server which would use a dynamic DNS.
>> I don't really want a copy of the email on the VPS so I was planning to
>> use relayd or socat to route incoming traffic to my local OpenSMTPD
>> server.
>>
>> But I don't really see a way to proxy outgoing connections from smtpd...
>>
>> Any ideas?
>
> What about having paused remote delivery on the cloud proxy (and delivering
> on request initiated from the home server) and paused remote delivery on the home
> mail server as well, and unpausing the queue when you do tcp port forwarding
> to the cloud host as well.
>
> Or just run a VPN between the cloud host and the home host. If either of them isn't
> available your mail will stay in the queue.
>
> j.
>

--
Cordialement,
Coues Ludovic
+336 148 743 42
Re: Mount HDD USB on 6.0 Stable: Fail
Unfortunately, from time to time FUSE hangs my system. So I have to use -F to disable FUSE.
OSPFD over IPSEC
Hi,

I'm trying to run OSPFD over IPSEC with OpenBSD 6.0 stable, so I first started looking at
http://undeadly.org/cgi?action=article&sid=20131105075303

Now that etherip has its own interface in 6.0, I tried to replace gif with etherip like this:

On one host:

-=>> cat /etc/hostname.bridge0
add etherip0
add vether0
up

-=>> cat /etc/hostname.vether0
inet 10.60.10.2 255.255.255.0 NONE
up

-=>> cat /etc/hostname.etherip0
tunnel 1.2.3.4 4.3.2.1
up

-=>> doas cat /etc/ipsec.conf
ike active esp proto etherip from 1.2.3.4 to 4.3.2.1 psk "mypassword"

-=>> doas ipsecctl -sa
FLOWS:
flow esp in proto etherip from 4.3.2.1 to 1.2.3.4 peer 4.3.2.1 srcid 1.2.3.4/32 dstid 4.3.2.1/32 type use
flow esp out proto etherip from 1.2.3.4 to 4.3.2.1 peer 4.3.2.1 srcid 1.2.3.4/32 dstid 4.3.2.1/32 type require

SAD:
esp tunnel from 4.3.2.1 to 1.2.3.4 spi 0x3d8e9212 auth hmac-sha2-256 enc aes
esp tunnel from 1.2.3.4 to 4.3.2.1 spi 0x900fc2c5 auth hmac-sha2-256 enc aes

On the other host:
--

-=>> cat /etc/hostname.bridge0
add etherip0
add vether0
up

-=>> cat /etc/hostname.vether0
inet 10.60.10.1 255.255.255.0 NONE
up

-=>> cat /etc/hostname.etherip0
tunnel 4.3.2.1 1.2.3.4
up

-=>> doas cat /etc/ipsec.conf
ike passive esp proto etherip from 4.3.2.1 to 1.2.3.4 psk "mypassword"

-=>> doas ipsecctl -sa
FLOWS:
flow esp in proto etherip from 1.2.3.4 to 4.3.2.1 peer 1.2.3.4 srcid 4.3.2.1/32 dstid 1.2.3.4/32 type use
flow esp out proto etherip from 4.3.2.1 to 1.2.3.4 peer 1.2.3.4 srcid 4.3.2.1/32 dstid 1.2.3.4/32 type require

SAD:
esp tunnel from 4.3.2.1 to 1.2.3.4 spi 0x3d8e9212 auth hmac-sha2-256 enc aes
esp tunnel from 1.2.3.4 to 4.3.2.1 spi 0x900fc2c5 auth hmac-sha2-256 enc aes

I forgot to mention that I didn't set net.inet.etherip.allow=1 and left it set to 0, as said in the "etherip" man page, because I use IPSEC.

As you can see the ipsec VPN is well established, but my problem is that I can't ping 10.60.10.1 from 10.60.10.2 and 10.60.10.2 from 10.60.10.1.
On each vether interface, tcpdump -nettti shows me that nothing is going out of them.

Any idea?

Thanks,
Morgan
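A small consistency check for the etherip-over-IPsec layout shown in this thread (both the quoted post and the reply above), written here as an added example rather than anything from the posters: it parses the "tunnel SRC DST" line of hostname.etherip0, the "proto etherip from SRC to DST" rule of ipsec.conf and the bridge member list, and flags a tunnel whose endpoints disagree with its flow or a peer whose tunnel is not the mirror image. The sample files are constructed from the thread's placeholder addresses; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for the etherip +
# bridge + ipsec.conf layout. All input is passed as text, so the
# checks run offline on copies of the files.

# Prints "SRC DST" from the "tunnel SRC DST" line of hostname.etherip0.
tunnel_ends() {
    printf '%s\n' "$1" | awk '$1 == "tunnel" { print $2, $3; exit }'
}

# Prints "SRC DST" from the "proto etherip" rule of ipsec.conf.
flow_ends() {
    printf '%s\n' "$1" | awk '/proto etherip/ {
        for (i = 1; i <= NF; i++) {
            if ($i == "from") f = $(i + 1)
            if ($i == "to")   t = $(i + 1)
        }
        print f, t; exit }'
}

# 0 if the etherip tunnel and the ipsec flow name the same endpoints.
check_tunnel_matches_flow() {
    set -- $(tunnel_ends "$1") $(flow_ends "$2")
    [ $# -eq 4 ] || { echo "missing tunnel line or etherip flow"; return 1; }
    [ "$1" = "$3" ] && [ "$2" = "$4" ] && return 0
    echo "tunnel $1->$2 does not match ipsec flow $3->$4"; return 1
}

# 0 if hostname.bridge0 adds both etherip0 and vether0 to the bridge.
check_bridge_members() {
    printf '%s\n' "$1" | grep -q '^add etherip0$' &&
    printf '%s\n' "$1" | grep -q '^add vether0$'
}

# 0 if peer B's tunnel is the mirror image of peer A's (src/dst swapped).
check_peers_mirror() {
    set -- $(tunnel_ends "$1") $(tunnel_ends "$2")
    [ $# -eq 4 ] && [ "$1" = "$4" ] && [ "$2" = "$3" ]
}

# Constructed sample files using the thread's placeholder addresses.
A_ETHERIP='tunnel 1.2.3.4 4.3.2.1
up'
A_IPSEC='ike active esp proto etherip from 1.2.3.4 to 4.3.2.1 psk "mypassword"'
B_ETHERIP='tunnel 4.3.2.1 1.2.3.4
up'
BRIDGE='add etherip0
add vether0
up'
```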
Re: Removal of old libraries
On Nov 14 00:14:19, pa...@ecentryx.com wrote:
> But the very next step in the upgrade blows away the system by overwriting
> it anyway. Right?
>
> What could happen? What if following the normal procedure of untaring the OS
> sets on top of the existing system fails midway? Then you have an
> inconsistent system too.

Yes, you have an inconsistent system, as opposed to nothing.

> This behavior of mine may stem from my days as a hard-real-time embedded
> systems engineer where we had to get rid of every single byte that did not
> matter. I used to count the assembly instructions and add up all the clock
> cycles for each hardware interrupt routine to make sure we would never
> stall/slow the system. I just like minimal I guess.

Say I compile a C program on your system, which gets linked to /usr/lib/libc.so.84.2. After an upgrade, my program no longer works. Bad, bad admin!