Re: Ways to get PostgreSQL working with base httpd?

2018-09-08 Thread Timo Myyrä
Chris Bennett  writes:

> I know that PostgreSQL can be accessed via a socket or through
> 127.0.0.1.
> It's crucial since I've set it up for quite a lot of functionality on
> some of my websites.
>
> What are good and secure ways to accomplish this?
> And why is one or the other better?
> I learned all kinds of stuff about the operator group in an
> unrelated thread, which has changed me to not give that out to any users
> at all.
>
> I just couldn't google or DuckDuckGo anything at all about this.
> Plus I would also like to know a little bit more than just cut and paste
> if anyone has time to offer that up.
>
> OT?
> I am assuming that for perl, since I wanted a full and clean startup.pl
> for mod_perl, I already know what modules I need to add from studying
> each module back a while ago.
>
> Thanks,
> Chris Bennett

I read your mail and I still don't know what you are trying to accomplish.
Could you give more specific questions so they are easier to answer?

Timo



Re: Duplicate IP Address -> Spoof/Verizon???

2018-09-08 Thread Jay Hart
> On Sat, 8 Sep 2018 at 18:06, Jay Hart wrote:
>>
>> > On Sat, 8 Sep 2018 at 13:40, Jay Hart wrote:
>> >> -ifconfig -A from the router--
>> >> re1: flags=8843 mtu 1500
>> >> lladdr 00:22:4d:d1:48:d5
>> >> inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.255
>> >
>> >
>> > Some CPEs have 192.168.1.1 hardcoded as management ip address, even
>> > though they are currently used as modem/bridges. Renumber your
>> > internal subnet to some other private address space and see if the
>> > logs go away.
>> >
>
>> I don't get why I would set up a second IP on re0, explain your thought 
>> process here...
>
> This is to confirm or deny that the modem do have 192.168.1.1 as
> management address. That could be an explanation for the duplicate ip
> address message you're seeing.
>
> You could just temporarily delete 192.168.1.1 from re1 to perform the
> test, and only if it's successful (ie 192.168.1.1 on re0 answers to
> pings) modify the IP configuration of re1 and renumber your lan.
>
> This is one of the reasons why I tend to avoid using 192.168.0.0/24
> and 192.168.1.0/24 as home lan addressing ranges.
>
>

Moved everything over to a 10.a.b.x subnet. It's all tested and working. Now I
can get back to seeing about that duplicate IP address BS, but I suspect that
particular issue solved itself.





Re: Running your own mail server

2018-09-08 Thread Torsten
I definitely agree on qmail.
It was a learning curve for me in the late 90's to get it going on Redhat,
after that Mandrake and Slackware, finally settling down on FreeBSD and
OpenBSD.

Sadly, there are some concerns about the aging code, with various patches
available to compensate, but I have not found a viable replacement ever since
getting fond of qmail's/tcpserver's flexibility with patches, and the pain of
adapting to new encoders and SSL/TLS versions.

Be aware, qmail is not an off-the-shelf usable software, but once you get into
it you may never leave.
I did not and do not intend to until it can't be maintained.
 
--

if you demand for performance, FreeBSD + Qmail-ldap is THE way to go.

my 1 cent.

On Sat, Sep 8, 2018 at 12:26 PM Ken M  wrote:

> Just curious how many of you use openbsd to run your own personal 
> email server?
> Do you find it a hassle to manage in any way?
>
> I know openbsd is perfectly fine for a mail server, don't get me wrong 
> the question is more about is it worth it to do yourself. Specifically 
> I will probably be doing it through a guest on vultr.
>
> Back story my family all has email addresses through the domain I have.
> Which
> basically will forward to a gmail account. The kids accounts don't 
> really forward anywhere, they are place holders I guess. But they are 
> getting old enough to use their own accounts for things and not just 
> through the school which sets them up with google accounts to use through 
> their chromebook.
>
> So my wife really doesn't like the idea of setting them loose on their 
> own email accounts, and I don't necessarily disagree with her, but I 
> disagree on the way to do it. In a gmail point of view all I can think 
> of is shared passwords for the kids. I don't like that because 
> first of all they could change it, second of all monitoring their 
> email means literally reading their email.
>
> My wife and I have different views on privacy as well.
>
> I was thinking I could run my own email server to give them accounts 
> there, and at the same time instead of reading their email be able to 
> more specifically block certain senders, but also to scan the email 
> for troubling words. In my mind that is things like suicide, kill, 
> etc.
>
> So I guess the end question, is for protecting the email of minors is 
> running my own email server, when I have never done it before on any 
> OS, worth it over some other solution. And yes I am very open to other 
> suggestions for a solution, even if it is something I have to pay for, 
> to avoid sharing passwords or grotesque privacy infringement of 
> literally reading all their emails.
>
> Welcome to differences of opinion as well.  Thank you.
>
> Ken
>
>



Re: Running your own mail server

2018-09-08 Thread Ken M
On Sat, Sep 08, 2018 at 09:22:01PM -0300, Friedrich Locke wrote:
> if you demand for performance, FreeBSD + Qmail-ldap is THE way to go.
> 
> my 1 cent.
> 
Performance is a priority, but not my first priority. In fact I think that is
why I have started becoming a convert to openbsd.

Although I do like freebsd for servers as well and linux and what not. Just
lately I have started trying to see if I can OpenBSD all the things I need.

Ken



Re: Vultr hosting of OpenBSD

2018-09-08 Thread Ken M
On Sat, Sep 08, 2018 at 08:36:01PM +0100, Chris Narkiewicz wrote:
> On 08/09/2018 19:55, Ken M wrote:
> What kind of issues? I'm curious. Can you pls provide a reference?
> 

Without digging them up, I did a quick google on openbsd issues vultr. It pulled
up some things I saw before with 6.2 and timing, as well as issues with the base
image, and other ones talking about a setting in KVM that was causing issues on
certain servers.

I can link them if you wish. I wanted to ask here because they seemed out of
date, and when it comes to openbsd I have to filter what a google search pulls
as I find so much misinformation about openbsd out there. Some of it more for
being out of date, some of it just plain anti without knowing, some just
misinformation.

So in short I figured asking here would be more current and accurate. This is a
case where I consider the absence of such information a result. Although I think
I might consider openbsd amsterdam that was mentioned. My only hesitation is
whether vmm/vmd is considered mature enough for a production hosting solution.

Ken



Re: Running your own mail server

2018-09-08 Thread Friedrich Locke
if you demand for performance, FreeBSD + Qmail-ldap is THE way to go.

my 1 cent.

On Sat, Sep 8, 2018 at 12:26 PM Ken M  wrote:

> Just curious how many of you use openbsd to run your own personal email
> server?
> Do you find it a hassle to manage in any way?
>
> I know openbsd is perfectly fine for a mail server, don't get me wrong the
> question is more about is it worth it to do yourself. Specifically I will
> probably be doing it through a guest on vultr.
>
> Back story my family all has email addresses through the domain I have.
> Which
> basically will forward to a gmail account. The kids accounts don't really
> forward anywhere, they are place holders I guess. But they are getting old
> enough to use their own accounts for things and not just through the school
> which sets them up with google accounts to use through their chromebook.
>
> So my wife really doesn't like the idea of setting them loose on their own
> email
> accounts, and I don't necessarily disagree with her, but I disagree on the
> way
> to do it. In a gmail point of view all I can think of is shared passwords
> for the kids. I don't like that because first of all they could change it,
> second of all monitoring their email means literally reading their email.
>
> My wife and I have different views on privacy as well.
>
> I was thinking I could run my own email server to give them accounts
> there, and
> at the same time instead of reading their email be able to more
> specifically
> block certain senders, but also to scan the email for troubling words. In
> my
> mind that is things like suicide, kill, etc.
>
> So I guess the end question, is for protecting the email of minors is
> running my
> own email server, when I have never done it before on any OS, worth it
> over some
> other solution. And yes I am very open to other suggestions for a
> solution, even
> if it is something I have to pay for, to avoid sharing passwords or
> grotesque
> privacy infringement of literally reading all their emails.
>
> Welcome to differences of opinion as well.  Thank you.
>
> Ken
>
>


Re: Vultr hosting of OpenBSD

2018-09-08 Thread edgar


On Sep 8, 2018 4:35 PM, flipchan  wrote:
>
> U have to tell em to open port 25
>
> On September 8, 2018 6:55:16 PM UTC, Ken M  wrote:
> >This is related to my mail server thread, but in googling about openbsd
> >on vultr
> >I have seen some comments here and there about issues with the default
> >image on
> >vultr and to use a custom image or iso instead of what they have. Some
> >of these
> >seem dated and related to older versions of openbsd. My questions are:
> >
> >1. Is it still current information that it would be better to use my
> >own
> >image/install/iso for openbsd on Vultr?
> >
> >2. Is vultr a good place to host an openbsd box? If not, interested in
> >hearing
> >alternatives.
> >
> >Also a side note question, is it possible to use VMD/VMM in an openbsd
> >guest on
> >vultr. I was thinking probably not. I just ask as sometimes I
> >appreciate using
> >docker to test things, yeah I know. But the point is my dev workflow on
> >my
> >openbsd current laptop involves sometimes using alpine linux on vmm and
> >using
> >docker on that to spin up different things I want to check out.
> >
> >Ken
>
> -- 
> Take Care Sincerely flipchan layerprox dev

I wasn't aware that they had openbsd images to choose from. I know from 
experience that their freebsd image was hosed. Something to do with the swap 
size as I recall. I would suggest just installing it yourself so you set up the 
partitions and whatnot how you want it, such as a small /home and a larger 
/var since it's a server.

Edgar



Re: Running your own mail server

2018-09-08 Thread flipchan
opensmtpd is great! Aliases and a lot more goodness

On September 8, 2018 3:23:35 PM UTC, Ken M  wrote:
>Just curious how many of you use openbsd to run your own personal email
>server?
>Do you find it a hassle to manage in any way?
>
>I know openbsd is perfectly fine for a mail server, don't get me wrong
>the
>question is more about is it worth it to do yourself. Specifically I
>will
>probably be doing it through a guest on vultr.
>
>Back story my family all has email addresses through the domain I have.
>Which
>basically will forward to a gmail account. The kids accounts don't
>really
>forward anywhere, they are place holders I guess. But they are getting
>old
>enough to use their own accounts for things and not just through the
>school
>which sets them up with google accounts to use through their
>chromebook.
>
>So my wife really doesn't like the idea of setting them loose on their
>own email
>accounts, and I don't necessarily disagree with her, but I disagree on
>the way
>to do it. In a gmail point of view all I can think of is shared
>passwords for
>the kids. I don't like that because first of all they could change
>it,
>second of all monitoring their email means literally reading their
>email.
>
>My wife and I have different views on privacy as well.
>
>I was thinking I could run my own email server to give them accounts
>there, and
>at the same time instead of reading their email be able to more
>specifically
>block certain senders, but also to scan the email for troubling words.
>In my
>mind that is things like suicide, kill, etc.
>
>So I guess the end question, is for protecting the email of minors is
>running my
>own email server, when I have never done it before on any OS, worth it
>over some
>other solution. And yes I am very open to other suggestions for a
>solution, even
>if it is something I have to pay for, to avoid sharing passwords or
>grotesque
>privacy infringement of literally reading all their emails.
>
>Welcome to differences of opinion as well.  Thank you.
>
>Ken

-- 
Take Care Sincerely flipchan layerprox dev


Re: Vultr hosting of OpenBSD

2018-09-08 Thread flipchan
U have to tell em to open port 25

On September 8, 2018 6:55:16 PM UTC, Ken M  wrote:
>This is related to my mail server thread, but in googling about openbsd
>on vultr
>I have seen some comments here and there about issues with the default
>image on
>vultr and to use a custom image or iso instead of what they have. Some
>of these
>seem dated and related to older versions of openbsd. My questions are:
>
>1. Is it still current information that it would be better to use my
>own
>image/install/iso for openbsd on Vultr?
>
>2. Is vultr a good place to host an openbsd box? If not, interested in
>hearing
>alternatives.
>
>Also a side note question, is it possible to use VMD/VMM in an openbsd
>guest on
>vultr. I was thinking probably not. I just ask as sometimes I
>appreciate using
>docker to test things, yeah I know. But the point is my dev workflow on
>my
>openbsd current laptop involves sometimes using alpine linux on vmm and
>using
>docker on that to spin up different things I want to check out.
>
>Ken

-- 
Take Care Sincerely flipchan layerprox dev


Re: Duplicate IP Address -> Spoof/Verizon???

2018-09-08 Thread Pierre Emeriaud
On Sat, 8 Sep 2018 at 18:06, Jay Hart wrote:
>
> > On Sat, 8 Sep 2018 at 13:40, Jay Hart wrote:
> >> -ifconfig -A from the router--
> >> re1: flags=8843 mtu 1500
> >> lladdr 00:22:4d:d1:48:d5
> >> inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.255
> >
> >
> > Some CPEs have 192.168.1.1 hardcoded as management ip address, even
> > though they are currently used as modem/bridges. Renumber your
> > internal subnet to some other private address space and see if the
> > logs go away.
> >

> I don't get why I would set up a second IP on re0, explain your thought 
> process here...

This is to confirm or deny that the modem do have 192.168.1.1 as
management address. That could be an explanation for the duplicate ip
address message you're seeing.

You could just temporarily delete 192.168.1.1 from re1 to perform the
test, and only if it's successful (ie 192.168.1.1 on re0 answers to
pings) modify the IP configuration of re1 and renumber your lan.

This is one of the reasons why I tend to avoid using 192.168.0.0/24
and 192.168.1.0/24 as home lan addressing ranges.
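Before renumbering, it helps to know which station is actually claiming the address, and whether that MAC is one of the router's own. The following is an added example for this thread, not code from any poster: it parses the kernel's "duplicate IP address ... sent from ethernet address ..." lines out of /var/log/messages and groups them by claimant. The log message format is assumed from OpenBSD's ARP code, the sample lines are constructed, and the MAC 00:aa:bb:cc:dd:ee is made up; 00:22:4d:d1:48:d5 is the re1 address shown in the quoted ifconfig output.

```python
"""
Classify kernel "duplicate IP address" log lines by the MAC that sent them.

Added example for the misc@ thread; not code from any poster. It assumes
OpenBSD's ARP log message format,
    duplicate IP address <ip> sent from ethernet address <mac>
as it lands in /var/log/messages. SAMPLE_LOG is constructed; the MAC
00:aa:bb:cc:dd:ee is made up.
"""
import re
import sys
from collections import Counter

# Assumed message format (OpenBSD in_arpinput); the syslog prefix is ignored.
DUP_RE = re.compile(
    r"duplicate IP address (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"sent from ethernet address (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)

# Constructed sample: two hits from one foreign MAC, one unrelated line, and
# one hit carrying the router's own re1 address (00:22:4d:d1:48:d5).
SAMPLE_LOG = """\
Sep  8 13:40:01 gw /bsd: duplicate IP address 192.168.1.1 sent from ethernet address 00:aa:bb:cc:dd:ee
Sep  8 13:41:01 gw sshd[1234]: Accepted publickey for jay from 192.168.1.20 port 50000 ssh2
Sep  8 13:42:01 gw /bsd: duplicate IP address 192.168.1.1 sent from ethernet address 00:AA:BB:CC:DD:EE
Sep  8 13:43:01 gw /bsd: duplicate IP address 192.168.1.1 sent from ethernet address 00:22:4d:d1:48:d5
"""


def parse_duplicate_ip_events(lines):
    """Return (ip, mac) for every matching line, with the MAC lower-cased."""
    events = []
    for line in lines:
        m = DUP_RE.search(line)
        if m:
            events.append((m.group("ip"), m.group("mac").lower()))
    return events


def classify(events, own_macs):
    """
    Group events by (ip, mac) and label each claimant:
      own-interface  - the MAC belongs to one of this router's NICs, i.e. the
                       router hears its own ARP (bridge loop, mirrored port)
      foreign-device - another station answers for the address; a CPE with a
                       hard-coded management IP looks exactly like this, and
                       so does a deliberate spoof, which the log alone cannot
                       tell apart
    Returns a list of dicts, most frequent claimant first.
    """
    own = {m.lower() for m in own_macs}
    rows = []
    for (ip, mac), n in Counter(events).most_common():
        rows.append({
            "ip": ip,
            "mac": mac,
            "count": n,
            "kind": "own-interface" if mac in own else "foreign-device",
        })
    return rows


def main(argv):
    # Usage: python3 dupip.py [/var/log/messages] [own-mac ...]
    path = argv[1] if len(argv) > 1 else None
    own_macs = argv[2:] or ["00:22:4d:d1:48:d5"]
    if path:
        with open(path, encoding="utf-8", errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    for row in classify(parse_duplicate_ip_events(lines), own_macs):
        print("{ip} claimed by {mac} x{count}: {kind}".format(**row))


if __name__ == "__main__":
    main(sys.argv)
```

A single foreign MAC claiming the address at a steady interval is what a modem with a hard-coded management address looks like; the ping test described above (move the router off 192.168.1.1, put a temporary alias on re0, see whether 192.168.1.1 still answers) is what actually confirms it. If the claimant is one of your own MACs, look for a bridge or cabling loop before suspecting anyone upstream.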



Re: Running your own mail server

2018-09-08 Thread ceidem
I run an email server for myself on OpenBSD running on Vultr.  OpenBSD, 
OpenSMTPD, dovecot and Roundcube all run fine on a $5 per month server.

If you want a pre-packaged mail server to avoid any hassle, check out iRedMail.

On September 8, 2018 10:23:35 AM CDT, Ken M  wrote:
>Just curious how many of you use openbsd to run your own personal email
>server?
>Do you find it a hassle to manage in any way?
>
>I know openbsd is perfectly fine for a mail server, don't get me wrong
>the
>question is more about is it worth it to do yourself. Specifically I
>will
>probably be doing it through a guest on vultr.
>
>Back story my family all has email addresses through the domain I have.
>Which
>basically will forward to a gmail account. The kids accounts don't
>really
>forward anywhere, they are place holders I guess. But they are getting
>old
>enough to use their own accounts for things and not just through the
>school
>which sets them up with google accounts to use through their
>chromebook.
>
>So my wife really doesn't like the idea of setting them loose on their
>own email
>accounts, and I don't necessarily disagree with her, but I disagree on
>the way
>to do it. In a gmail point of view all I can think of is shared
>passwords for
>the kids. I don't like that because first of all they could change
>it,
>second of all monitoring their email means literally reading their
>email.
>
>My wife and I have different views on privacy as well.
>
>I was thinking I could run my own email server to give them accounts
>there, and
>at the same time instead of reading their email be able to more
>specifically
>block certain senders, but also to scan the email for troubling words.
>In my
>mind that is things like suicide, kill, etc.
>
>So I guess the end question, is for protecting the email of minors is
>running my
>own email server, when I have never done it before on any OS, worth it
>over some
>other solution. And yes I am very open to other suggestions for a
>solution, even
>if it is something I have to pay for, to avoid sharing passwords or
>grotesque
>privacy infringement of literally reading all their emails.
>
>Welcome to differences of opinion as well.  Thank you.
>
>Ken

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
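The "block certain senders" and "scan for troubling words" idea in the quoted question can be done without anyone reading the mailbox: reject listed senders outright, and for everything else raise an alert that carries only the sender, the subject and the matched words. The following is an added example, not code from any poster or from OpenSMTPD/Dovecot; the blocked addresses, the sample messages and the function names are constructed, and wiring the script into the mail server as a delivery step is not shown.

```python
"""
Delivery-time policy for a family mail server: reject listed senders and
flag messages whose text contains watch-listed words, without storing or
displaying the body.

Added example for the quoted question; not code from any poster. The sample
messages, the blocked addresses/domains and the function names are
constructed. Hooking this into OpenSMTPD or Dovecot is not shown.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

BLOCKED_SENDERS = {"spammer@example.net"}   # assumed blocklist entries
BLOCKED_DOMAINS = {"badsite.example"}
WATCH_WORDS = ("suicide", "kill")           # the words named in the question

# Whole-word, case-insensitive match, so "kill" does not fire on "skill".
WATCH_RE = re.compile(
    r"\b(" + "|".join(map(re.escape, WATCH_WORDS)) + r")\b", re.IGNORECASE
)


def sender_address(msg):
    """Return the bare, lower-cased address from the From: header."""
    return parseaddr(str(msg.get("From", "")))[1].lower()


def sender_is_blocked(msg):
    addr = sender_address(msg)
    return addr in BLOCKED_SENDERS or addr.rpartition("@")[2] in BLOCKED_DOMAINS


def text_bodies(msg):
    """Yield decoded text/plain bodies, skipping attachments and HTML parts."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.is_attachment():
            yield part.get_content()


def scan_message(raw):
    """
    Decide what to do with one raw RFC 5322 message (bytes).
    Returns {"action": "reject", ...} for blocked senders; otherwise
    {"action": "deliver"} plus, when a watch word matched, an "alert" dict
    carrying only the sender, the subject and the matched words.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    if sender_is_blocked(msg):
        return {"action": "reject", "reason": "blocked sender " + sender_address(msg)}
    hits = set()
    for body in text_bodies(msg):
        hits.update(w.lower() for w in WATCH_RE.findall(body))
    result = {"action": "deliver"}
    if hits:
        result["alert"] = {
            "from": sender_address(msg),
            "subject": str(msg.get("Subject", "")),
            "words": sorted(hits),
        }
    return result


# Constructed sample messages.
SAMPLE_FLAGGED = b"""\
From: "A Friend" <friend@example.org>
To: kid@example.com
Subject: after school
Content-Type: text/plain; charset=utf-8

Want to play that game where we kill zombies after school? My skill is bad.
"""

SAMPLE_BLOCKED = b"""\
From: spammer@example.net
To: kid@example.com
Subject: hi

nothing to see
"""

if __name__ == "__main__":
    for raw in (SAMPLE_FLAGGED, SAMPLE_BLOCKED):
        print(scan_message(raw))
```

Two caveats a practitioner would want: a bare word list fires on innocent use ("kill zombies", "kill time"), so the alert should be a prompt for a conversation, not evidence; and HTML-only mail has no text/plain part, so this version scans nothing for it, which is a deliberate choice here rather than an oversight.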


Re: Duplicate IP Address -> Spoof/Verizon???

2018-09-08 Thread Sebastian Benoit
Jay Hart(jh...@kevla.org) on 2018.09.08 12:06:03 -0400:
> > On Sat, 8 Sep 2018 at 13:40, Jay Hart wrote:
> >> -ifconfig -A from the router--
> >> re1: flags=8843 mtu 1500
> >> lladdr 00:22:4d:d1:48:d5
> >> inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.255
> >
> >
> > Some CPEs have 192.168.1.1 hardcoded as management ip address, even
> > though they are currently used as modem/bridges. Renumber your
> > internal subnet to some other private address space and see if the
> > logs go away.
> >
> > One way to verify this theory is to configure another ip in that
> > subnet on re0, renumber re1 to 192.168.2.0/24 for example, and try
> > pinging 192.168.1.1.
> >
> >
> If I shifted to the 10.10.10.x network, would I set all my machines to use 
> /24 subnet?

Yes. Classful routing was deprecated in 1993.



Re: Vultr hosting of OpenBSD

2018-09-08 Thread Chris Bennett
On Sat, Sep 08, 2018 at 06:55:16PM +, Ken M wrote:
> 2. Is vultr a good place to host an openbsd box? If not, interested in hearing
> alternatives.
> 

I have been using baremetal servers. They are cheap (please don't go too
cheap!)

You do need to make sure that they will allow you to use a KVM and that
it's not one of the old kind that required Java.
You shouldn't let them install, since you will need to be able to do
this regularly, plus you need access to the BIOS to turn off
hyper-threading.

Right now I'm using one with an Intel and I'm not happy about that, so
I'm going to look elsewhere next month.

Also, make sure that they don't have blacklisted IPs. Otherwise your
time and money are wasted.

But I like having exclusive control of my server, short of them
physically accessing it during maintenance, which leaves me just needing
to keep good backups elsewhere.

If you do this, make sure everything works under OpenBSD first.

But this isn't the way a lot of people want to do things, so go with
whatever you're comfortable with.
You might want to try a couple of different ways for one or two months.
Not that much money and keep what you like best of the bunch.

:-}

Chris Bennett




Re: Vultr hosting of OpenBSD

2018-09-08 Thread Chris Narkiewicz

On 08/09/2018 19:55, Ken M wrote:
I have seen some comments here and there about issues with the default image 


What kind of issues? I'm curious. Can you pls provide a reference?



Re: Vultr hosting of OpenBSD

2018-09-08 Thread Pedro Tender
I have an instance on ramnode. No problems since 6.0

On Sat, 8 Sep 2018 at 20:18, Tony Boston  wrote:

> On 08.09.18 02:55, Ken M wrote:
> > This is related to my mail server thread, but in googling about openbsd
> on vultr
> > I have seen some comments here and there about issues with the default
> image on
> > vultr and to use a custom image or iso instead of what they have. Some
> of these
> > seem dated and related to older versions of openbsd. My questions are:
> >
> > 1. Is it still current information that it would be better to use my own
> > image/install/iso for openbsd on Vultr?
> >
> > 2. Is vultr a good place to host an openbsd box? If not, interested in
> hearing
> > alternatives.
> >
> > Also a side note question, is it possible to use VMD/VMM in an openbsd
> guest on
> > vultr. I was thinking probably not. I just ask as sometimes I
> appreciate using
> > docker to test things, yeah I know. But the point is my dev workflow on
> my
> > openbsd current laptop involves sometimes using alpine linux on vmm and
> using
> > docker on that to spin up different things I want to check out.
> >
> > Ken
> >
>
> I am running a few instances at vultr - no problems at all with the
> images they have.
>
> --
> Tony
>
> GPG-FP: 913BBD25 8DA503C7 BAE0C0B6 8995E906 4FBAD580
> Threema: DN8PJX4Z
>
>


Re: Vultr hosting of OpenBSD

2018-09-08 Thread Tom Smyth
+1. Misha, the guy running openbsd.amsterdam, is sound out.

On 8 September 2018 at 20:04, Tracey Emery  wrote:
>
>
> I'm very happy with https://openbsd.amsterdam/.
>
> Plus, they donate back.
>
> Tracey
>
>> On Sep 8, 2018 at 12:55, wrote:
>>
>> This is related to my mail server thread, but in googling about openbsd on
>> vultr I have seen some comments here and there about issues with the default
>> image on vultr and to use a custom image or iso instead of what they have.
>> Some of these seem dated and related to older versions of openbsd. My
>> questions are: 1. Is it still current information that it would be better to
>> use my own image/install/iso for openbsd on Vultr? 2. Is vultr a good place
>> to host an openbsd box? If not, interested in hearing alternatives. Also a
>> side note question, is it possible to use VMD/VMM in an openbsd guest on
>> vultr. I was thinking probably not. I just ask as sometimes I appreciate
>> using docker to test things, yeah I know. But the point is my dev workflow
>> on my openbsd current laptop involves sometimes using alpine linux on vmm and
>> using docker on that to spin up different things I want to check out. Ken
>



-- 
Kindest regards,
Tom Smyth

Mobile: +353 87 6193172
The information contained in this E-mail is intended only for the
confidential use of the named recipient. If the reader of this message
is not the intended recipient or the person responsible for
delivering it to the recipient, you are hereby notified that you have
received this communication in error and that any review,
dissemination or copying of this communication is strictly prohibited.
If you have received this in error, please notify the sender
immediately by telephone at the number above and erase the message
You are requested to carry out your own virus check before
opening any attachment.



Re: Vultr hosting of OpenBSD

2018-09-08 Thread Tracey Emery
 
 
I'm very happy with https://openbsd.amsterdam/.

Plus, they donate back.

Tracey

> On Sep 8, 2018 at 12:55, wrote:
>
> This is related to my mail server thread, but in googling about openbsd on
> vultr I have seen some comments here and there about issues with the default
> image on vultr and to use a custom image or iso instead of what they have.
> Some of these seem dated and related to older versions of openbsd. My
> questions are: 1. Is it still current information that it would be better to
> use my own image/install/iso for openbsd on Vultr? 2. Is vultr a good place
> to host an openbsd box? If not, interested in hearing alternatives. Also a
> side note question, is it possible to use VMD/VMM in an openbsd guest on
> vultr. I was thinking probably not. I just ask as sometimes I appreciate
> using docker to test things, yeah I know. But the point is my dev workflow on
> my openbsd current laptop involves sometimes using alpine linux on vmm and
> using docker on that to spin up different things I want to check out. Ken
 


Re: Vultr hosting of OpenBSD

2018-09-08 Thread Tony Boston
On 08.09.18 02:55, Ken M wrote:
> This is related to my mail server thread, but in googling about openbsd on 
> vultr
> I have seen some comments here and there about issues with the default image 
> on
> vultr and to use a custom image or iso instead of what they have. Some of 
> these
> seem dated and related to older versions of openbsd. My questions are:
> 
> 1. Is it still current information that it would be better to use my own
> image/install/iso for openbsd on Vultr?
> 
> 2. Is vultr a good place to host an openbsd box? If not, interested in hearing
> alternatives.
> 
> Also a side note question, is it possible to use VMD/VMM in an openbsd guest 
> on
> vultr. I was thinking probably not. I just ask as sometimes I appreciate 
> using
> docker to test things, yeah I know. But the point is my dev workflow on my
> openbsd current laptop involves sometimes using alpine linux on vmm and using
> docker on that to spin up different things I want to check out.
> 
> Ken
> 

I am running a few instances at vultr - no problems at all with the
images they have.

-- 
Tony

GPG-FP: 913BBD25 8DA503C7 BAE0C0B6 8995E906 4FBAD580
Threema: DN8PJX4Z



Vultr hosting of OpenBSD

2018-09-08 Thread Ken M
This is related to my mail server thread, but in googling about openbsd on vultr
I have seen some comments here and there about issues with the default image on
vultr and to use a custom image or iso instead of what they have. Some of these
seem dated and related to older versions of openbsd. My questions are:

1. Is it still current information that it would be better to use my own
image/install/iso for openbsd on Vultr?

2. Is vultr a good place to host an openbsd box? If not, interested in hearing
alternatives.

Also a side note question, is it possible to use VMD/VMM in an openbsd guest on
vultr. I was thinking probably not. I just ask as sometimes I appreciate using
docker to test things, yeah I know. But the point is my dev workflow on my
openbsd current laptop involves sometimes using alpine linux on vmm and using
docker on that to spin up different things I want to check out.

Ken



Re: Running your own mail server

2018-09-08 Thread Ken M
On Sat, Sep 08, 2018 at 05:54:18PM +0200, Peter N. M. Hansteen wrote:
> On 09/08/18 17:23, Ken M wrote:
> 
> If you've never run a mail server before but are familiar with OpenBSD,
> please do go the OpenBSD route.
> 
> Setting up and running a mail service involves learning a few skills. If
> you already manage DNS for your domain(s) I suppose you have a head start.
> 
> Anything that comes as part of OpenBSD or packaged for OpenBSD will come
> with sensible defaults. Please do yourself and the rest of the world a
> favor and read up properly on the effects of anything you do change. A
> lot of stuff that appears on the face of it to be trivial actually isn't.
> 
> I've written quite a few pieces on mail and related topics on the blog
> (the first URL in the signature) and of course The Book of PF touches on
> the issue as well, at least the spamd(8) parts. I suppose the "Effective
> Spam and Malware Countermeasures"
> (https://bsdly.blogspot.com/2014/02/effective-spam-and-malware.html)
> piece is a goodish place to start.
> 
> For anyone setting up a mail server these days there are worse things to
> do than read Aaron Poffenberger's SMTPd mail server tutorial slides and
> some related materials
> (https://www.bsdcan.org/2016/schedule/events/691.en.html and links therein).
> 
> - Peter
> 
> -- 
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
> 
I have never run a mail server before so I know I have a learning curve to work
on, which I was not trying to solve in this email, just to feel out where
similar people have their mindset on this. I do have more experience
administering linux than openbsd but I am slowly working on changing that as I
really appreciate the way openbsd is engineered at all levels.

I am familiar with your blogs so I will read up and when I get to the point of
specific questions I will bring them up here.

Ken



Re: Running your own mail server

2018-09-08 Thread Ken M
On Sat, Sep 08, 2018 at 10:55:40AM -0700, jungle Boogie wrote:
> Ken,
> 
> Just curious, are you using pf to filter out the bad websites for you kids?
> I find that to be more challenging for our older daughter to not stumble
> into the bad stuff and not the wholesome sites like openbsd.org, which
> happens to be her homepage. ;)
> 
> Best,
> J. B.

So when computer usage for them first became something to talk about here they
had only Kindles that only connect to our wifi. Kindles are pretty good out of
the box for parental controls. For the main workstation in the house (usually
linux) that they can access I used DansGuardian.

Over time, they got older and so many more devices are in play, from android
phones to chromebooks. Our home uses opendns, set at the router. Granted, easy
enough to bypass, but my kids aren't there yet. On the android side we have
verizon so we use the verizon family settings.

I don't consider any of this ideal but it is the best I got so far without
having to spend all my time administrating things on the home network. I opt for
a mixture of what I got and keeping the kids believing that my computer skills
are such that I can see what they do no matter what. Which is mostly true but I
don't practice that. Also if asked to unlock their devices for us to see
something they know they are to do it without question or delay or they lose
said device.

The difficult part of all this, and why I asked this here: my wife and I have
different philosophies on such things. Example: she would put the kids in a damn
plastic bubble, meanwhile I am the type that believes that our job is not to
protect them from everything but to teach them to protect themselves and make
good decisions as we won't always be there. My wife is on the religious right
side of the room politics-wise and I am more of the libertarian.

Sorry to digress but I asked these things here as I figure others here have
similar mindset on security vs censorship vs privacy. I don't view them as
mutually exclusive but there are ways that I try to avoid that strengthen one by
compromising the other. As my kids enter their teenage years I know they will
find a way to subvert such controls and the more I try to stop them from doing
so the harder it will get when they do and the more likely they are to not trust
us to bring us a problem they have. In short I am more worried about my kids
feeling they have to hide everything that they don't bring something important
to us to talk about, than I am about them sneaking something by me. 

Ken



Re: Running your own mail server

2018-09-08 Thread jungle Boogie
On Sat, Sep 8, 2018, 11:32 AM Peter N. M. Hansteen  wrote:

> On 09/08/18 19:55, jungle Boogie wrote:
> > Just a general question about openbsd...
> >
> > I understand smtpd is in base for sending mail. Then we also have spam.
> > Both very neat and useful!
> >
> > Is there a particular reason there is not a mail receiving agent in base?
>
> You're joking, right?
>
> man smtpd and references therein. There are also pointers in this thread
> to running a full featured mail server on OpenBSD with smtpd from base.
>

Ah, thanks for setting me straight.


Re: Running your own mail server

2018-09-08 Thread Zbyszek Żółkiewski


> Message from Ken M on 08.09.2018 at 17:23:
> 
> Just curious how many of you use openbsd to run your own personal email server?

another here - running my own server for a long time (OpenBSD). If you choose
dovecot you can nicely encrypt the backend mail store:

https://blog.onefellow.com/post/167267172603/server-side-email-encryption-with-dovecot

and keep private key safe:

https://blog.onefellow.com/post/173796677183/how-to-obfuscate-dovecot-encryption-key

good luck!

_
Zbyszek Żółkiewski



Re: Running your own mail server

2018-09-08 Thread Peter N. M. Hansteen
On 09/08/18 19:55, jungle Boogie wrote:
> Just a general question about openbsd...
> 
> I understand smtpd is in base for sending mail. Then we also have spam.
> Both very neat and useful!
> 
> Is there a particular reason there is not a mail receiving agent in base?

You're joking, right?

man smtpd and references therein. There are also pointers in this thread
to running a full featured mail server on OpenBSD with smtpd from base.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Running your own mail server

2018-09-08 Thread jungle Boogie
Hi all,

Just a general question about openbsd...

I understand smtpd is in base for sending mail. Then we also have spam.
Both very neat and useful!

Is there a particular reason there is not a mail receiving agent in base?
Are the existing ones sufficient for the devs, and there isn't enough desire to
write one?

Ken,

Just curious, are you using pf to filter out the bad websites for your kids?
I find it more challenging for our older daughter to not stumble into the bad
stuff, as opposed to the wholesome sites like openbsd.org, which happens to be
her homepage. ;)

Best,
J. B.


network problem with latest snapshots

2018-09-08 Thread Thanos Tsouanas
Hello,

So, my box was working fine from a relatively recent snapshot (first
days of Aug).  Then I upgraded to a snapshot of Sep 5th, and I can no
longer connect to my local network:
dhclient responds with "got link" but ends with "no lease", and bge0
has no IP assigned to it.
Even if I assign inet IP, netmask, and gateway manually, there is no
connectivity.
I cannot ping my gateway (or anything else, for that matter).
On the other hand, booting with the miniroot63.fs and exiting to
shell, indeed everything works fine.
I tried the miniroot64.fs's of 5/sep and the most recent one of 7/sep,
and both behave the same way.  I believe this is a card-specific
problem because the same snapshots work fine on a different machine on
the same network (my laptop for example).

The interface is a bge, and I do get some error messages from the kernel:

APE event 0x... send timed out

But I've always had those error messages with this particular ethernet
card and never experienced any problems, and when I boot on the
miniroot63.fs, the same messages appear, but the interface is still
working fine.

Any help on how to debug this / or how to provide more useful
information, would be appreciated!

Cheers

-- 
Thanos Tsouanas
http://www.tsouanas.org/



Ways to get PostgreSQL working with base httpd?

2018-09-08 Thread Chris Bennett
I know that PostgreSQL can be accessed via a socket or through
127.0.0.1.
It's crucial since I've set it up for quite a lot of functionality on
some of my websites.

What are good and secure ways to accomplish this?
And why is one or the other better?
I learned all kinds of stuff about the operator group in an
unrelated thread, which has changed me to not give that out to any users
at all.

I just couldn't google or DuckDuckGo anything at all about this.
Plus I would also like to know a little bit more than just cut and paste
if anyone has time to offer that up.

OT?
I am assuming that for perl, since I wanted a full and clean startup.pl
for mod_perl, I already know what modules I need to add from studying
each module back a while ago.

Thanks,
Chris Bennett




Re: Running your own mail server

2018-09-08 Thread Kaya Saman



On 9/8/18 6:01 PM, Chris Bennett wrote:

[snip]

IMHO, I would skip using partially insecure OS's like Linux. These are
your kids!



Of course security at the OS level is important, but a lot of work must also be
done in the infrastructure area for security... running a good IDS for example:
OpenBSD with Snort totally rocks in this area, going through a web proxy... again
OpenBSD with Squid and Clamd.



Additionally perhaps a VPN to whatever mail solution the OP chooses if 
'in house' like OpenVPN running on an OBSD gateway for example then lock 
down the mail system to just have port 25 open inbound in PF maybe even 
with queueing enabled.



Encryption of the storage medium can also be suggested so wherever the 
maildir store is located the FS becomes encrypted as added layer of 
security.



There's a lot one can do even just by sticking to a few OpenBSD based boxes, but
it really is a matter of locking things down as opposed to doing something
silly; even OpenBSD will become insecure if port 22 (ssh) is opened up with the
root account available and a password something easily guessed like 'root' or
'admin'.



It's not really a short topic that has one specific answer, but I will state
that OpenBSD for router/gateways and servers is an excellent solution as,
unlike other OS's, it is not resource intensive and is overall pretty secure
right out of the box.



--K




Re: Running your own mail server

2018-09-08 Thread Paco Esteban
On Sat, 08 Sep 2018, Ken M wrote:

> Just curious how many of you use openbsd to run your own personal email server?
> Do you find it a hassle to manage in any way?

I've managed my personal domain on and off over the years (not at the
moment, but that will change again later this year). I've used Debian,
FreeBSD and OpenBSD. By far the easiest setup is OpenBSD in my opinion.

OpenSMTPd + spamd, and add spamassassin and dovecot to the mix, and you have a
pretty good solution. Using sieve with dovecot you can even filter email before
it gets delivered to mailboxes if you need to.

That said, the biggest challenge when self hosting email is not the OS or the
programs you use, but the fact of spam. Keeping spam away is not difficult but
requires some work (take a look at P. Hansteen's blog. He does an amazing job
explaining this sort of thing).

Another challenge is to be sure your mx hosts are "reputable", meaning they
don't end up on any blacklist out there (a lot of admins use them on their
smtps ... which I think is madness ... but anyway). This can be because the ip
you get assigned on your vm was reused by a spammer, or a million other
reasons. Getting your emails delivered can be a problem sometimes.

And maybe another problem you may encounter is reliability. You should have at
least 2 mx hosts. That involves a bit of work (on OpenBSD, keep spamd in sync
between hosts and other stuff ...). Basically, be sure you can rely on your
setup: if somebody sends you an email, you'll get it.

I hope it helps.

-- 
Paco Esteban.
GnuPG key: https://onna.be/44CA735E.asc



Re: Running your own mail server

2018-09-08 Thread Chris Bennett
I have to absolutely agree that OpenBSD using OpenSMTPD is "the right
solution" for this problem.
It's secure and after a little bit of learning, not hard to use.

Spamd is pretty effective for most spam. Not perfect, but what is nowadays?
You can monitor both sent and received emails.

The delivery part raises the exact same questions for whatever you use,
but dovecot is excellent and can work with whatever email programs
you/they want to use on what devices.

As far as privacy, others can give you help with that and scanning
incoming and outgoing emails.
Personally, I would send a copy to another user and scan without
actually reading them yourself unless a "red light" shows up. 
That can be accomplished pretty easily and I did that myself when I had
a set of mailing list emails processed before a script posted them to a
forum board of received emails.

i.e. in from user joe, forwarded to joe2, and then the scanning is done.

IMHO, I would skip using partially insecure OS's like Linux. These are
your kids!

Chris Bennett




Re: 6.3 router crash

2018-09-08 Thread edgar


On Sep 8, 2018 11:27 AM, Jay Hart  wrote:
>
> Hello,
>
> My new router crashed this morning.  About 4-5 days ago I ran 'syspatch' and
> think that 14, 15, and 16 patches were installed. At the conclusion of the
> install, the kernel "relinked". No issues reported.  I did not reboot the box.
>
> Today, while trying to combat that duplicate IP address issue, I rebooted the
> box. Upon startup it dropped into the debugger. Did another reboot just to see
> if that was a one-off, but it dropped into the debugger again.
>
> Standard 6.3 release machine. Not following current or snapshots...
>
> I've attached a pic below of the screen.  It's all I've got right now.  I have
> to disable inteldrm to get the box to boot [normally]. I have an old thread
> about that.
>
> www.kevla.org/6.3crash.jpg
>
> Any suggestions or processes to try? I've never been in this boat, no idea 
> what to do...
>
> Thanks,
>
> Jay
>

Maybe you can boot single user and try syspatch -R.

boot> boot -s

# syspatch -R
# reboot

If that fixes it you could then possibly apply one patch at a time via source 
until you find what hosed it and report that to tech@.



Re: Running your own mail server

2018-09-08 Thread lists
Sat, 8 Sep 2018 16:39:52 +0100 Kaya Saman 
> I agree here!
> [snip]
> That way you have a fully managed mail system right out of the box with

Hi misc,

Fully managed and VPS are incompatible.  Also incompatible are: remote
infrastructure and turnkey solutions without complete control of bits.

They are remote flawed products and services with some tweaks & knobs.

This thread seems like a poor imitation of virtual server comparisons.
I see no mention of OpenBSD and the software related to OpenBSD here..

I'd be really interested to read "running OpenBSD as our mail server".

Kind regards,
Anton Lazarov



6.3 router crash

2018-09-08 Thread Jay Hart
Hello,

My new router crashed this morning.  About 4-5 days ago I ran 'syspatch' and
think that 14, 15, and 16 patches were installed. At the conclusion of the
install, the kernel "relinked". No issues reported.  I did not reboot the box.

Today, while trying to combat that duplicate IP address issue, I rebooted the
box. Upon startup it dropped into the debugger. Did another reboot just to see
if that was a one-off, but it dropped into the debugger again.

Standard 6.3 release machine. Not following current or snapshots...

I've attached a pic below of the screen.  It's all I've got right now.  I have
to disable inteldrm to get the box to boot [normally]. I have an old thread
about that.

www.kevla.org/6.3crash.jpg

Any suggestions or processes to try? I've never been in this boat, no idea what
to do...

Thanks,

Jay



Re: Duplicate IP Address -> Spoof/Verizon???

2018-09-08 Thread Jay Hart
> Le sam. 8 sept. 2018 à 13:40, Jay Hart  a écrit :
>> -ifconfig -A from the router--
>> re1: flags=8843 mtu 1500
>> lladdr 00:22:4d:d1:48:d5
>> inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.255
>
>
> Some CPEs have 192.168.1.1 hardcoded as management ip address, even
> though they are currently used as modem/bridges. Renumber your
> internal subnet to some other private address space and see if the
> logs go away.
>
> One way to verify this theory is to configure another ip in that
> subnet on re0, renumber re1 to 192.168.2.0/24 for example, and try
> pinging 192.168.1.1.
>
>
If I shifted to the 10.10.10.x network, would I set all my machines to use a /24
subnet?

IOW, hostname.re1 would be
inet 10.10.10.x 255.255.255.0 NONE

I don't get why I would set up a second IP on re0, explain your thought process
here...

I called Verizon and they stated that the ONT's MAC is not the MAC causing
problems, and actually told me it must be coming from my house.  I found my
wife's PC had lost its network connection; I have to use TL-PA4010 power
adapters to get the last 10 feet of connections. I'm wondering if this was
causing the issue.  None of the MAC addresses for these devices are
20:c0:47:... though.  I think this was just nit noise...

Jay



Re: Running your own mail server

2018-09-08 Thread Peter N. M. Hansteen
On 09/08/18 17:23, Ken M wrote:
> Just curious how many of you use openbsd to run your own personal email server?

I've been running my personal domains on OpenBSD for a number of years.
So have, I suspect, a largish subset of the readership here, but I have no
idea how many will actually come forward and say so in public.

> Do you find it a hassle to manage in any way?

If anything I find running everything on OpenBSD makes for less hassle
than most other options, because the system is so consistently sane.
That said, I've had other systems in the mix for various reasons at
various times for places I've worked, but I go for all-OpenBSD setups
whenever feasible.

> So I guess the end question, is for protecting the email of minors is running
> my own email server, when I have never done it before on any OS, worth it over
> some other solution. And yes I am very open to other suggestions for a
> solution, even if it is something I have to pay for, to avoid sharing
> passwords or grotesque privacy infringement of literally reading all their
> emails.

If you've never run a mail server before but are familiar with OpenBSD,
please do go the OpenBSD route.

Setting up and running a mail service involves learning a few skills. If
you already manage DNS for your domain(s) I suppose you have a head start.

Anything that comes as part of OpenBSD or packaged for OpenBSD will come
with sensible defaults. Please do yourself and the rest of the world a
favor and read up properly on the effects of anything you do change. A
lot of stuff that appears on the face of it to be trivial actually isn't.

I've written quite a few pieces on mail and related topics on the blog
(the first URL in the signature) and of course The Book of PF touches on
the issue as well, at least the spamd(8) parts. I suppose the "Effective
Spam and Malware Countermeasures"
(https://bsdly.blogspot.com/2014/02/effective-spam-and-malware.html)
piece is a goodish place to start.

For anyone setting up a mail server these days there are worse things to
do than read Aaron Poffenberger's SMTPd mail server tutorial slides and
some related materials
(https://www.bsdcan.org/2016/schedule/events/691.en.html and links therein).

- Peter

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Running your own mail server

2018-09-08 Thread Jay Hart
> On Sat, Sep 08, 2018 at 11:32:00AM -0400, Jay Hart wrote:
>> Ken,
>>
>> I've run my own email server for 15 years now I think. I stick with Linux
>> for email server, OpenBSD for routing/firewall. I personally find this is
>> the best of both worlds...
>>
>> Just my 35 cents...
>>
>> Jay
>>
>
> Dare I ask, is there a specific technical reason for using Linux as your email
> server. I ask as I already run a Debian web server on Digital Ocean.
>
> Ken
>
>

Main "technical reason" would be not all my eggs in one basket (ie box).



Re: Running your own mail server

2018-09-08 Thread Kaya Saman

I agree here!


Basically you would need a few components:


MTA / MDA / MUA


https://en.wikipedia.org/wiki/Message_transfer_agent


One way to do it would be something like: Postfix / Courier IMAP / Then 
bolt something like SquirrelMail on top for web UI client



There are many ways to achieve the same goal, as in you don't have to use
Postfix; you could go for Sendmail or any other.



However for you it might be a better option to go with Linux as @Jay 
suggested and then whack something like Scalix or Zimbra on top..



http://www.scalix.com/en/


https://www.zimbra.com/


That way you have a fully managed mail system right out of the box with 
granular control of what users can and can't do.



Regards,


Kaya


On 9/8/18 4:32 PM, Jay Hart wrote:

Ken,

I've run my own email server for 15 years now I think. I stick with Linux for
email server, OpenBSD for routing/firewall. I personally find this is the best
of both worlds...

Just my 35 cents...

Jay


Just curious how many of you use openbsd to run your own personal email server?
Do you find it a hassle to manage in any way?

I know openbsd is perfectly fine for a mail server, don't get me wrong the
question is more about is it worth it to do yourself. Specifically I will
probably be doing it through a guest on vultr.

Back story my family all has email addresses through the domain I have. Which
basically will forward to a gmail account. The kids accounts don't really
forward anywhere, they are place holders I guess. But they are getting old
enough to use their own accounts for things and not just through the school
which sets them up with google accounts to use through their chromebook.

So my wife really doesn't like the idea of setting them loose on their own email
accounts, and I don't necessarily disagree with her, but I disagree on the way
to do it. In a gmail point of view all I can think of is shared passwords
for the kids. I don't like that because first of all they could change it,
second of all monitoring their email means literally reading their email.

My wife and I have different views on privacy as well.

I was thinking I could run my own email server to give them accounts there, and
at the same time instead of reading their email be able to more specifically
block certain senders, but also to scan the email for troubling words. In my
mind that is things like suicide, kill, etc.

So I guess the end question, is for protecting the email of minors is running my
own email server, when I have never done it before on any OS, worth it over some
other solution. And yes I am very open to other suggestions for a solution, even
if it is something I have to pay for, to avoid sharing passwords or grotesque
privacy infringement of literally reading all their emails.

Welcome to differences of opinion as well.  Thank you.

Ken








Re: Running your own mail server

2018-09-08 Thread Ken M
On Sat, Sep 08, 2018 at 11:32:00AM -0400, Jay Hart wrote:
> Ken,
> 
> I've run my own email server for 15 years now I think. I stick with Linux for
> email server, OpenBSD for routing/firewall. I personally find this is the best
> of both worlds...
> 
> Just my 35 cents...
> 
> Jay
> 

Dare I ask, is there a specific technical reason for using Linux as your email
server. I ask as I already run a Debian web server on Digital Ocean.

Ken



Re: Running your own mail server

2018-09-08 Thread Jay Hart
Ken,

I've run my own email server for 15 years now I think. I stick with Linux for
email server, OpenBSD for routing/firewall. I personally find this is the best
of both worlds...

Just my 35 cents...

Jay

> Just curious how many of you use openbsd to run your own personal email server?
> Do you find it a hassle to manage in any way?
>
> I know openbsd is perfectly fine for a mail server, don't get me wrong the
> question is more about is it worth it to do yourself. Specifically I will
> probably be doing it through a guest on vultr.
>
> Back story my family all has email addresses through the domain I have. Which
> basically will forward to a gmail account. The kids accounts don't really
> forward anywhere, they are place holders I guess. But they are getting old
> enough to use their own accounts for things and not just through the school
> which sets them up with google accounts to use through their chromebook.
>
> So my wife really doesn't like the idea of setting them loose on their own
> email accounts, and I don't necessarily disagree with her, but I disagree on
> the way to do it. In a gmail point of view all I can think of is shared
> passwords for the kids. I don't like that because first of all they could
> change it, second of all monitoring their email means literally reading their
> email.
>
> My wife and I have different views on privacy as well.
>
> I was thinking I could run my own email server to give them accounts there,
> and at the same time instead of reading their email be able to more
> specifically block certain senders, but also to scan the email for troubling
> words. In my mind that is things like suicide, kill, etc.
>
> So I guess the end question, is for protecting the email of minors is running
> my own email server, when I have never done it before on any OS, worth it over
> some other solution. And yes I am very open to other suggestions for a
> solution, even if it is something I have to pay for, to avoid sharing
> passwords or grotesque privacy infringement of literally reading all their
> emails.
>
> Welcome to differences of opinion as well.  Thank you.
>
> Ken
>
>




Running your own mail server

2018-09-08 Thread Ken M
Just curious how many of you use openbsd to run your own personal email server?
Do you find it a hassle to manage in any way?

I know openbsd is perfectly fine for a mail server, don't get me wrong the
question is more about is it worth it to do yourself. Specifically I will
probably be doing it through a guest on vultr.

Back story my family all has email addresses through the domain I have. Which
basically will forward to a gmail account. The kids accounts don't really
forward anywhere, they are place holders I guess. But they are getting old
enough to use their own accounts for things and not just through the school
which sets them up with google accounts to use through their chromebook.

So my wife really doesn't like the idea of setting them loose on their own email
accounts, and I don't necessarily disagree with her, but I disagree on the way
to do it. In a gmail point of view all I can think of is shared passwords
for the kids. I don't like that because first of all they could change it,
second of all monitoring their email means literally reading their email.

My wife and I have different views on privacy as well.

I was thinking I could run my own email server to give them accounts there, and
at the same time instead of reading their email be able to more specifically
block certain senders, but also to scan the email for troubling words. In my
mind that is things like suicide, kill, etc.

So I guess the end question, is for protecting the email of minors is running my
own email server, when I have never done it before on any OS, worth it over some
other solution. And yes I am very open to other suggestions for a solution, even
if it is something I have to pay for, to avoid sharing passwords or grotesque
privacy infringement of literally reading all their emails.

Welcome to differences of opinion as well.  Thank you.

Ken



Re: Duplicate IP Address -> Spoof/Verizon???

2018-09-08 Thread Pierre Emeriaud
Le sam. 8 sept. 2018 à 13:40, Jay Hart  a écrit :
> -ifconfig -A from the router--
> re1: flags=8843 mtu 1500
> lladdr 00:22:4d:d1:48:d5
> inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.255


Some CPEs have 192.168.1.1 hardcoded as management ip address, even
though they are currently used as modem/bridges. Renumber your
internal subnet to some other private address space and see if the
logs go away.

One way to verify this theory is to configure another ip in that
subnet on re0, renumber re1 to 192.168.2.0/24 for example, and try
pinging 192.168.1.1.



Re: detaching xnf(4) not recognized

2018-09-08 Thread Mike Belopuhov


Sebastian Reitenbach writes:

> Hi,
>
> I'm toying with OpenBSD 6.3 image on AWS, trying to add/remove Elastic
> Network Interfaces (ENI).
> OpenBSD 6.3 (GENERIC.MP) #107: Sat Mar 24 14:21:59 MDT 2018
> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
>
> So when I attach an ENI to a running instance, then the system recognizes it:
> xnf1 at xen0 backend 0 channel 7: address 02:2f:d6:3e:88:50
>
> and I can use the interface, i.e. dhcp just works.
>
> When I later detach the ENI, there is nothing in dmesg that it recognized it,
> no detach line, or the like.
> However, even with the detached interface, I get ifconfig output:
> xnf1: flags=8843 mtu 1500
> lladdr 02:2f:d6:3e:88:50
> index 5 priority 0 llprio 3
> media: Ethernet manual
> status: active
> inet 10.2.2.105 netmask 0xff00 broadcast 10.2.2.255
>
> For the OS, the Interface is still available and active, but i.e. dhclient
> obviously doesn't get a lease.
>
> Later on, when I reattach the ENI to the instance, similarly to the detach,
> no new line in dmesg, but I can use the Interface again. It's as if it hasn't
> been away at all.
>
> Is this all intended, just wondering if I miss something?
>
> cheers,
> Sebastian

AWS XenStore events are a bit finicky.  Do you see anything in your
dmesg?

Please try this patch below and let us know what you see.

diff --git sys/dev/pv/xen.c sys/dev/pv/xen.c
index a2a63537378..4b7f0325911 100644
--- sys/dev/pv/xen.c
+++ sys/dev/pv/xen.c
@@ -1467,10 +1467,12 @@ xen_hotplug(void *arg)
 
memset(, 0, sizeof(xst));
xst.xst_id = 0;
xst.xst_cookie = sc->sc_xs;
 
+   printf("Xen hotplug event for %s\n", xdl->dl_node);
+
snprintf(path, sizeof(path), "device/%s", xdl->dl_node);
if ((error = xs_cmd(, XS_LIST, path, , _cnt)) != 0)
return;
 
seen = malloc(iov_cnt, M_TEMP, M_ZERO | M_WAITOK);
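Review bot: The printf() added at the top of xen_hotplug() logs unconditionally, so every XenStore hotplug event, including the reattach case the report describes, goes to the console; that is what a diagnostic patch wants, but it should go back to the DPRINTF() style the surrounding code already uses before this is committed. Separately, the context lines as they appear in this archive have lost their `&` tokens (`memset(, 0, sizeof(xst))`, `xs_cmd(, XS_LIST, path, , _cnt)`), so the patch has to be taken from the original mail rather than applied from this page.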
@@ -1484,11 +1486,11 @@ xen_hotplug(void *arg)
keep++;
break;
}
}
if (!keep) {
-   DPRINTF("%s: removing \"%s/%s\"\n", sc->sc_dev.dv_xname,
+   printf("%s: removing \"%s/%s\"\n", sc->sc_dev.dv_xname,
xdl->dl_node, xdv->dv_unit);
LIST_REMOVE(xdv, dv_entry);
config_detach(xdv->dv_dev, 0);
free(xdv, M_DEVBUF, sizeof(struct xen_device));
}
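Review bot: Promoting the "removing" message from DPRINTF to printf is the right way to learn whether the detach path is reached at all, but the context of this hunk shows a pre-existing problem worth fixing while the path is being instrumented: `config_detach(xdv->dv_dev, 0)` is called without DETACH_FORCE and its return value is discarded, yet the entry has already been taken off the list by `LIST_REMOVE(xdv, dv_entry)` and is freed right after. If the detach fails, the device stays attached but the hotplug code no longer tracks it. Check the return value (and log it with the same printf) or only LIST_REMOVE and free after a successful detach.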
diff --git sys/dev/pv/xenstore.c sys/dev/pv/xenstore.c
index eb77d384b26..412aecc9e2a 100644
--- sys/dev/pv/xenstore.c
+++ sys/dev/pv/xenstore.c
@@ -699,10 +699,12 @@ xs_event(struct xs_softc *xs, struct xs_msg *xsm)
printf("%s: event on \"%s\" without token\n",
xs->xs_sc->sc_dev.dv_xname, xsm->xsm_data);
return (-1);
}
 
+   printf("XenStore event for \"%s\"\n", token);
+
mtx_enter(>xs_watchlck);
TAILQ_FOREACH(xsw, >xs_watches, xsw_entry) {
if (strcmp(xsw->xsw_token, token))
continue;
mtx_leave(>xs_watchlck);
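Review bot: This printf fires before the watch lookup, so it also logs events whose token matches no registered watch, which is exactly what is needed to tell a missing XenStore event from a missing watch in the ENI case; like the two printfs in xen.c it should become DPRINTF() before commit, and note that this hunk's context lines have the same lost `&` tokens (`mtx_enter(>xs_watchlck)`, `TAILQ_FOREACH(xsw, >xs_watches, ...)`) as the xen.c hunks, so apply from the original mail.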



Re: Duplicate IP Address -> Spoof/Verizon???

2018-09-08 Thread Jay Hart


> On 2018-09-07, Jay Hart  wrote:
>> I'm now running my new router. Internal network is 192.168 based. I have two
>> interfaces on my router, one external, one internal.  Motherboard is a MITAC
>> PDP11BICC using Realtek NICs. I'm seeing a lot of messages in the log file
>> regarding duplicate IP Addresses, specifically I'm seeing:
>> /bsd: duplicate IP address 192.168.1.1 sent from ethernet 20:c0:47:dc:27:dd
>> This translates to a Verizon MAC. My FIOS ONT is definitely Verizon.  What I
>> am struggling with is what exactly is causing this message, and how to
>> stop/resolve it. When I run 'Arp -a' either internally from another box, or
>> on the router itself, I'm not seeing this MAC.
>> Hoping the list can provide some additional troubleshooting ideas.  Can this
>> be some sort of spoof attempt???
>> Thanks,
>> Jay
> Run "tcpdump -ne -i $interface ether host 20:c0:47:dc:27:dd" on the internal
> and external interfaces, you should at least see which interface this is
> being sent on, and might get some other clues as to what it is.
> If you have a managed switch, you may be able to see which port it's coming
> from. "ifconfig -A" from your router would give us a clearer picture of the
> configuration.

I have five items below...

#1:
For the first time I managed to capture this MAC address, I got it from an
internal machine. From the captured behavior it seems that my gateway is getting
cycled back and forth between two NICs. The commands were issued like two
minutes apart...

[xx]$ arp -a
_gateway (192.168.1.1) at 20:c0:47:dc:27:dd [ether] on enp2s0
? (192.168.1.41) at 00:30:18:a5:a1:bd [ether] on enp2s0
? (192.168.1.29) at 00:80:77:e6:70:8e [ether] on enp2s0
[xx]$ arp -a
_gateway (192.168.1.1) at 00:22:4d:d1:48:d5 [ether] on enp2s0
? (192.168.1.41) at 00:30:18:a5:a1:bd [ether] on enp2s0
? (192.168.1.29) at 00:80:77:e6:70:8e [ether] on enp2s0
[xx]$ arp -a
_gateway (192.168.1.1) at 20:c0:47:dc:27:dd [ether] on enp2s0
? (192.168.1.41) at 00:30:18:a5:a1:bd [ether] on enp2s0
? (192.168.1.29) at 00:80:77:e6:70:8e [ether] on enp2s0

enp2s0 is the only interface on this machine and its gateway is 192.168.1.1,
connected through a switch.  The "correct" MAC for 192.168.1.1 (internal NIC on
the router) SHOULD be 00:22:4d:d1:48:d5

#2:
-ifconfig -A from the router--
lo0: flags=8049 mtu 32768
index 4 priority 0 llprio 3
groups: lo
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
inet 127.0.0.1 netmask 0xff00
re0: flags=8843 mtu 1476
lladdr 00:22:4d:d1:48:d4
index 1 priority 0 llprio 3
groups: egress
media: Ethernet autoselect (1000baseT full-duplex)
status: active
inet 71.163.34.30 netmask 0xff00 broadcast 71.163.34.255
re1: flags=8843 mtu 1500
lladdr 00:22:4d:d1:48:d5
index 2 priority 0 llprio 3
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.255
enc0: flags=0<>
index 3 priority 0 llprio 3
groups: enc
status: active
pflog0: flags=141 mtu 33136
index 5 priority 0 llprio 3
groups: pflog

#3:
I'm attaching my pf.conf file. Maybe I messed something up, or you guys spot an 
issue.  I'm also
having issues with FTP-proxy, but that issue is for another thread.

[xx]$ more pf.conf
#   $OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

int_if = "re1"
ext_if = "re0"
www_ad =  "192.168.1.41"
proxy = "127.0.0.1"
icmp_types = "{ echoreq, unreach }"
table  {127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8}

set block-policy drop
set loginterface egress
set skip on lo0

#Protection
antispoof quick for { lo $int_if }
block in quick on egress from  to any
block return out quick on egress from any to 

#filter rules and anchor for ftp-proxy
anchor "ftp-proxy/*"

#rule needed to redirect ftp connection for ftp-proxy
pass log in quick proto tcp to port ftp rdr-to $proxy port 8021

#match rules
match out on egress inet from !(egress) to any nat-to (egress:0)

block in log
pass out quick

#next rule passes http-https traffic to the web/email server
pass in on egress inet proto tcp from any to (egress) port {80 443} rdr-to $www_ad synproxy state

#traceroute rule (for IPv4)
pass out on egress inet proto udp to port 33433 >< 33626 keep state

#next rule redirects smtp traffic to the email server
pass in on egress inet proto tcp from any to (egress) port 25 rdr-to $www_ad

#pass in certain types of ICMP traffic
pass in inet proto icmp all icmp-type $icmp_types

#pass traffic on internal network
pass in on $int_if

# By default, do not permit remote connections to X11
#block return in on ! lo0 proto tcp to port 6000:6010
---end pf.conf-

#4:
tcpdump: I saw two packets from the re1 (internal INT) interface running the
command you suggested above.  How can I capture that to a file
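The arp(8) snapshots and the kernel's "duplicate IP address" messages in the post above can be checked mechanically rather than by eye. The following sh/awk script is an added example, not something from the thread or from OpenBSD: it parses `arp -a` output in the Linux format shown in #1 and syslog lines in the format of the quoted /bsd message, and reports every IP that is answered by more than one MAC; all sample lines below are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): automate the two checks Jay did by hand,
# spotting an IP that flips between MACs in `arp -a` and tallying the kernel's
# "duplicate IP address" messages per offending MAC.
# Assumed input formats: arp -a lines as printed by the Linux host in the post
# ("_gateway (IP) at MAC [ether] on IF") and /var/log/messages lines containing
# "/bsd: duplicate IP address IP sent from ethernet MAC".

# Constructed sample: two `arp -a` snapshots from an internal host, concatenated.
ARP_SAMPLE='_gateway (192.168.1.1) at 20:c0:47:dc:27:dd [ether] on enp2s0
? (192.168.1.41) at 00:30:18:a5:a1:bd [ether] on enp2s0
_gateway (192.168.1.1) at 00:22:4d:d1:48:d5 [ether] on enp2s0
? (192.168.1.41) at 00:30:18:a5:a1:bd [ether] on enp2s0'

# Constructed sample: what the router's /var/log/messages might hold.
LOG_SAMPLE='Sep  8 10:01:02 router /bsd: duplicate IP address 192.168.1.1 sent from ethernet 20:c0:47:dc:27:dd
Sep  8 10:03:15 router /bsd: duplicate IP address 192.168.1.1 sent from ethernet 20:c0:47:dc:27:dd
Sep  8 10:05:40 router /bsd: duplicate IP address 192.168.1.1 sent from ethernet 00:11:22:33:44:55'

# arp_conflicts: read `arp -a` output on stdin; print "IP MAC1,MAC2,..." for
# every IP that was seen with more than one distinct MAC (MACs in first-seen order).
arp_conflicts() {
    awk '
    /\) at / {
        ip = $2; gsub(/[()]/, "", ip)
        mac = tolower($4)
        if (!((ip, mac) in seen)) {
            seen[ip, mac] = 1
            n[ip]++
            macs[ip] = (n[ip] == 1) ? mac : macs[ip] "," mac
        }
    }
    END { for (ip in n) if (n[ip] > 1) print ip, macs[ip] }' | sort
}

# rogue_macs IP EXPECTED_MAC: read `arp -a` output on stdin; print each MAC other
# than the expected one that answered for IP (each MAC once, case-insensitive).
rogue_macs() {
    awk -v ip="$1" -v ok="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /\) at / {
        cur = $2; gsub(/[()]/, "", cur)
        mac = tolower($4)
        if (cur == ip && mac != ok && !(mac in seen)) { seen[mac] = 1; print mac }
    }'
}

# dup_ip_report: read syslog lines on stdin; print "IP MAC COUNT" for every
# (IP, offending MAC) pair found in "duplicate IP address" kernel messages.
dup_ip_report() {
    awk '
    /duplicate IP address .* sent from ethernet/ {
        for (i = 1; i <= NF; i++) {
            if ($i == "address")  ip  = $(i + 1)
            if ($i == "ethernet") mac = tolower($(i + 1))
        }
        count[ip " " mac]++
    }
    END { for (k in count) print k, count[k] }' | sort
}

# Run on the constructed samples. On a real network feed it `arp -a` from an
# internal host and `grep "duplicate IP address" /var/log/messages` from the router.
echo "== IPs answered by more than one MAC =="
printf '%s\n' "$ARP_SAMPLE" | arp_conflicts
echo "== MACs other than the router's re1 NIC claiming the gateway IP =="
printf '%s\n' "$ARP_SAMPLE" | rogue_macs 192.168.1.1 00:22:4d:d1:48:d5
echo "== duplicate IP messages per offending MAC =="
printf '%s\n' "$LOG_SAMPLE" | dup_ip_report
```

A MAC that shows up in the rogue list and in the report but in no `ifconfig -A` on any of your own boxes is the one to trace with the tcpdump command suggested earlier in the thread.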

iked[12345]: pfkey_reply: no reply from PF_KEY (-current)

2018-09-08 Thread Mark Patruck
Hi,

is anyone else seeing the following message with -current?
(I've updated my 25-day-old -current yesterday)

iked[12345]: pfkey_reply: no reply from PF_KEY

Also, "ipsecctl -m" looks pretty empty now:


sadb_get: satype esp vers 2 len 10 seq 2898 pid 12345
sa: spi 0xbe0128cf auth none enc none
state mature replay 64 flags 0<>
address_src: 1.2.3.4
address_dst: 5.6.7.8
sadb_get: satype esp vers 2 len 10 seq 2899 pid 12345
sa: spi 0x24649f1c auth none enc none
state mature replay 64 flags 0<>
address_src: 5.6.7.8
address_dst: 1.2.3.4


Thanks,

-Mark

-- 
Mark Patruck ( mark at wrapped.cx )
GPG key 0xF2865E51 / 187F F6D3 EE04 1DCE 1C74  F644 0D3C F66F F286 5E51

http://www.wrapped.cx



Re: Duplicate IP Address -> Spoof/Verizon???

2018-09-08 Thread Stuart Henderson
On 2018-09-07, Jay Hart  wrote:
> I'm now running my new router. Internal network is 192.168 based. I have two
> interfaces on my router, one external, one internal.  Motherboard is a MITAC
> PDP11BICC using Realtek NICs.
>
> I'm seeing a lot of messages in the log file regarding duplicate IP
> Addresses, specifically I'm seeing:
>
> /bsd: duplicate IP address 192.168.1.1 sent from ethernet 20:c0:47:dc:27:dd
>
> This translates to a Verizon MAC. My FIOS ONT is definitely Verizon.  What I'm
> struggling with is what exactly is causing this message, and how to
> stop/resolve it.
>
> When I run 'arp -a' either internally from another box, or on the router
> itself, I'm not seeing this MAC.
>
> Hoping the list can provide some additional troubleshooting ideas.  Can this
> be some sort of spoof attempt???
>
> Thanks,
>
> Jay
>
>

Run "tcpdump -ne -i $interface ether host 20:c0:47:dc:27:dd" on the internal and
external interfaces, you should at least see which interface this is being sent
on, and might get some other clues as to what it is.

If you have a managed switch, you may be able to see which port it's coming 
from.

"ifconfig -A" from your router would give us a clearer picture of the
configuration.
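As an added example, not part of the thread and not code from either poster: a small sh script that summarises "duplicate IP address" kernel log lines (sample lines below are constructed, modelled on the one Jay quoted), builds the per-interface tcpdump command Stuart suggests with tcpdump's standard `-w` option so the frames land in a file that can later be read back with `-r`, and checks whether a MAC is present in captured `arp -an` output. The interface names re0/re1 and hostname "gw" are assumptions.

```shell
#!/bin/sh
# Added example: triage "duplicate IP address" reports from the OpenBSD kernel.

# Constructed sample of /var/log/messages lines (hostname and timestamps made up).
SAMPLE_LOG='Sep  7 10:01:12 gw /bsd: duplicate IP address 192.168.1.1 sent from ethernet 20:c0:47:dc:27:dd
Sep  7 10:01:45 gw /bsd: duplicate IP address 192.168.1.1 sent from ethernet 20:c0:47:dc:27:dd
Sep  7 10:02:03 gw /bsd: arp info overwritten for 192.168.1.50 by 00:11:22:33:44:55
Sep  7 10:03:30 gw /bsd: duplicate IP address 192.168.1.1 sent from ethernet 20:c0:47:dc:27:dd
Sep  7 10:04:00 gw /bsd: duplicate IP address 192.168.1.7 sent from ethernet 00:11:22:33:44:55'

# Read syslog lines on stdin; print "<count> <ip> <mac>" per distinct
# (ip, mac) pair found in duplicate IP address messages, most frequent first.
summarize_dup_ip() {
    awk '/duplicate IP address/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "address")  ip  = $(i + 1)
                if ($i == "ethernet") mac = $(i + 1)
            }
            seen[ip " " mac]++
        }
        END { for (k in seen) print seen[k], k }' | sort -rn
}

# Emit one tcpdump command per interface for the given MAC. -ne keeps the
# link-level header and skips name resolution (as in Stuart's command);
# -w writes raw frames to a pcap file for later inspection with tcpdump -r.
tcpdump_cmds() {
    mac=$1; shift
    for ifc in "$@"; do
        printf 'tcpdump -ne -i %s -w dup-%s-%s.pcap ether host %s\n' \
            "$ifc" "$ifc" "$(echo "$mac" | tr -d ':')" "$mac"
    done
}

# Given "arp -an" output on stdin, say whether the MAC has an ARP entry.
# The kernel message carries the sender address from the ARP packet itself,
# so "absent" here is expected and does not contradict the log.
mac_in_arp() {
    grep -qi -- "$1" && echo present || echo absent
}

# Walk the summary and print the capture commands for each reported MAC.
report() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_dup_ip | while read -r n ip mac; do
        printf '%s reports of %s claimed by %s; capture with:\n' "$n" "$ip" "$mac"
        tcpdump_cmds "$mac" re0 re1
    done
}

report
```

On a live router, replace the sample with `summarize_dup_ip < /var/log/messages` and pipe `arp -an` into `mac_in_arp`; the generated tcpdump commands need root and a real interface name.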



Re: Resize keydisk (softraid) partition...

2018-09-08 Thread Zbyszek Żółkiewski


> Message written by Thomas Bohl on 08.09.2018 at 03:41:
> 
> Like the FAQ says, make a backup of the key with
> # dd bs=8192 skip=1 if=/dev/rsd1a of=backup-keydisk.img
> 
> Verify that backup-keydisk.img starts with the string "marcCRAM".
> 
> Reformat sd1 or whatever to your likings (with size 960 for example).
> Restore the key with
> # dd bs=8192 seek=1 if=backup-keydisk.img of=/dev/rsd1a

thanks for the tips, I will test that and let you know
_
Zbyszek Żółkiewski



Re: Resize keydisk (softraid) partition...

2018-09-08 Thread Marcus MERIGHI
program...@netzbasis.de (Benjamin Baier), 2018.09.08 (Sat) 00:08 (CEST):
> On Fri, 7 Sep 2018 21:00:58 +0200
> Zbyszek Żółkiewski  wrote:
> 
> > 
> > > Message written by Marcus MERIGHI on 07.09.2018 at 18:09:
> > > 
> > > $ dd bs=8192 skip=1 if=/dev/rsd99z of=backup-keydisk.img
> > > $ dd bs=8192 seek=1 if=backup-keydisk.img of=/dev/rsd99z
> > 
> > thanks for answers but that will make dump of whole 14GB - I would
> > like to shrink it to reasonable size…

I never realized that since my keydisks were always set up a la FAQ!

> Well, from reading the code a little seems the keydisk metadata is at
> offset
> SR_META_OFFSET = 8192 bytes and is SR_META_SIZE (64) * DEV_BSIZE (512
> bytes) = 32768 bytes long.
> 
> Time ran out so do what you will with it. This is untested and always
> keep a good backup.

Thanks for reading the code! This would do, then:

$ dd bs=8192 skip=1 count=4 if=/dev/rsd99z of=backup-keydisk.img
                    ^^^^^^^
though I am going to test this:

$ dd bs=8192 skip=1 count=5 if=/dev/rsd99z of=backup-keydisk.img
                    ^^^^^^^

Thanks, Marcus
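As an added example that is not part of the thread: the backup/restore dance from Thomas Bohl's quoted instructions, sized with the constants Benjamin quoted (SR_META_OFFSET = 8192 bytes, SR_META_SIZE 64 * DEV_BSIZE 512 = 32768 bytes), which is where Marcus's count=4 comes from. To make it runnable without a real keydisk it works on a constructed image file with a placeholder marker "FAKEMETA" at the metadata offset; that marker, the file names and the 16-block size are assumptions, not softraid's real magic or layout.

```shell
#!/bin/sh
# Added example: size and exercise the keydisk metadata backup with dd.

BS=8192                      # block size used throughout the thread
SR_META_OFFSET=8192          # metadata starts one BS block in (skip=1 / seek=1)
SR_META_BYTES=$((64 * 512))  # SR_META_SIZE * DEV_BSIZE = 32768

# Number of BS-sized blocks needed to cover the metadata region (4 here).
meta_blocks() {
    echo $(( (SR_META_BYTES + BS - 1) / BS ))
}

# Byte size of a file, whitespace stripped so BSD and GNU wc compare alike.
file_size() {
    wc -c < "$1" | tr -d ' '
}

# Back up the metadata region: skip the first block, copy just enough blocks.
backup_keydisk() {
    dev=$1; img=$2
    dd bs=$BS skip=1 count="$(meta_blocks)" if="$dev" of="$img" 2>/dev/null
}

# Restore it one block into the target. conv=notrunc is essential when the
# target is a regular file (dd would otherwise truncate it at open); on a raw
# device it is harmless.
restore_keydisk() {
    img=$1; dev=$2
    dd bs=$BS seek=1 conv=notrunc if="$img" of="$dev" 2>/dev/null
}

# First 8 bytes of a file: on a real backup this is where the softraid magic
# Thomas mentions would sit; here it holds the constructed marker.
header8() {
    dd bs=8 count=1 if="$1" 2>/dev/null
}

# First 8 bytes at the metadata offset of a (fake) keydisk.
meta_header() {
    dd bs=$BS skip=1 count=1 if="$1" 2>/dev/null | dd bs=8 count=1 2>/dev/null
}

# Constructed stand-in for a keydisk: zero-filled, with the placeholder
# marker "FAKEMETA" (an assumption, not the real magic) at SR_META_OFFSET.
make_sample_keydisk() {
    dev=$1; blocks=${2:-16}
    dd if=/dev/zero bs=$BS count="$blocks" of="$dev" 2>/dev/null
    printf 'FAKEMETA' | dd bs=1 seek=$SR_META_OFFSET conv=notrunc of="$dev" 2>/dev/null
}

# Round trip: back up from one sample disk, restore into a fresh blank one,
# and return the marker read back from the restored metadata offset.
roundtrip() {
    tmp=$(mktemp -d) || return 1
    make_sample_keydisk "$tmp/src"
    backup_keydisk "$tmp/src" "$tmp/backup-keydisk.img"
    dd if=/dev/zero bs=$BS count=16 of="$tmp/dst" 2>/dev/null
    restore_keydisk "$tmp/backup-keydisk.img" "$tmp/dst"
    meta_header "$tmp/dst"
    rm -rf "$tmp"
}

echo "metadata region covers $(meta_blocks) blocks of $BS bytes"
echo "marker after round trip: $(roundtrip)"
```

With a real device in place of the sample file, `backup_keydisk /dev/rsd99z backup-keydisk.img` produces the 32768-byte image Marcus describes; count=5 as he plans to test simply carries one extra block of slack.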