ipsec, add another ciphers and authentication types

2019-02-05 Thread stanislav . yarakaev
Hi! Who added his/external authentication types and encryption
algorithm to IPSec in OpenBSD? Have you seen examples or articles on this
topic? Whether there is a?


Re: Wireguard Pre and Post Routing for OpenBSD

2019-02-05 Thread Peter N. M. Hansteen
On Tue, Feb 05, 2019 at 08:20:20AM +0100, Claudio Jeker wrote:
> Not really knowing iptables I would think you want something like:
> 
> pass in on wg0
> pass out on eth0 received-on wg0 nat-to (eth0)
> 
> Guess wg0 would be more like tun0 and eth0 could be egress so
> 
> pass in on tun0
> pass out on egress received-on tun0 nat-to (egress)

I was going to write much what Claudio said here but also (after looking 
it up in  the iptables man page on a nearby system) it looks like your 
application needs to insert and delete rules in a running rule set, 
so you might consider inserting somewhere in the basic setup for your 
application that you set up an anchor in the system's pf.conf where 
it can do just that.

- Peter

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
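To make the anchor approach concrete: the following is an added example, not code from Peter, Claudio or the original poster. It puts Claudio's two rules into a named anchor so the application can load and flush them at runtime while the main rule set in /etc/pf.conf stays untouched. The anchor name "wireguard", the tunnel interface tun0 and the use of the egress group are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread): manage a pf anchor from an application
# so it can insert and delete its own rules without reloading /etc/pf.conf.
# Assumed names: anchor "wireguard", tunnel interface tun0, uplink in "egress".

ANCHOR="wireguard"

# The one static line that belongs in /etc/pf.conf and is loaded at boot.
# Everything inside the anchor is owned by the application.
pfconf_anchor_line() {
    printf 'anchor "%s"\n' "$ANCHOR"
}

# Rules the application loads into the anchor when the tunnel comes up.
# $1 = tunnel interface (default tun0). These are Claudio's two rules:
# allow traffic in on the tunnel, NAT it on the way out of the uplink.
wg_anchor_rules() {
    tun="${1:-tun0}"
    printf 'pass in on %s\n' "$tun"
    printf 'pass out on egress received-on %s nat-to (egress)\n' "$tun"
}

# Load the rules into the anchor only; the main rule set is not touched.
wg_anchor_load() {
    wg_anchor_rules "$1" | pfctl -a "$ANCHOR" -f -
}

# Flush the anchor's rules when the tunnel goes down; the main rule set stays.
wg_anchor_flush() {
    pfctl -a "$ANCHOR" -F rules
}

# Show what is currently loaded in the anchor (handy when debugging).
wg_anchor_show() {
    pfctl -a "$ANCHOR" -s rules
}

# Minimal command-line front end: "up [ifname]", "down", "show";
# with no argument, just print the rules that would be loaded.
case "${1:-}" in
    up)   wg_anchor_load "$2" ;;
    down) wg_anchor_flush ;;
    show) wg_anchor_show ;;
    *)    wg_anchor_rules "${2:-tun0}" ;;
esac
```

The application never rewrites pf.conf: it only ever talks to its own anchor with `pfctl -a wireguard`, which is what keeps a bug in the application from clobbering the rest of the firewall policy. Running `pfctl -a wireguard -s rules` after "up" is the quickest way to confirm the rules landed where expected.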



Re: Wireguard Pre and Post Routing for OpenBSD

2019-02-05 Thread Peter N. M. Hansteen
On Tue, Feb 05, 2019 at 07:40:30AM +, Tom Smyth wrote:
 
> From looking at your config it looks like when the wireguard interface
> comes up
> You want to allow forward traffic
> And you want masquerade traffic leaving on eth0
> 
> 1) You don't really need to add and remove those rules as the wireguard
> tunnel comes up, I'd suggest just adding firewall rules statically

I'm sort of clueless about the application, but I agree that it may not
be worth the bother to insert and remove rules dynamically in most cases.
If you really need to do that dance, ftp-proxy (shudder) is a prime example
of one that does.

> 5) to learn more about pf config check out Peter Hansteen's pf tutorial and
> his book of pf  and  man pf.conf for more details

Thanks for the recommendations :) 

Direct links at the end

All the best,
Peter

PS: -

> > in the OpenBSD pf dialect?

I was going to ignore that but really: OpenBSD is the upstream for everyone
else for PF and lots of other stuff (see eg[1]), so if there are such things
as "dialect"s in play, they come from somewhere else.

[1] https://home.nuug.no/~peter/openbsd_and_you (My "OpenBSD and you"
propaganda-ish presentation)

[2] https://home.nuug.no/~peter/pftutorial/ (The most recent version of the PF
tutorial, slides refresh after each new session)

[3] https://nostarch.com/pf3 (The Book of PF, 3rd ed by yours truly)

[4] https://man.openbsd.org/pf.conf (The pf.conf(5) man page)

[5] https://man.openbsd.org/ftp-proxy (the ftp-proxy(8) man page, if you really
need to)

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: amd64 cc error unknown argument '-msave-args'

2019-02-05 Thread John Rigg
On Tue, Feb 05, 2019 at 07:23:59AM +0200, Jyri Hovila [Turvamies.fi] wrote:
> I must ask though: is it really so difficult to at least
> try and help people out, instead of lashing them?

As the OP I found the replies to my post helpful. I made
a mistake (missed out the release tag on the cvs command
when trying to update to -stable) and the replies immediately
alerted me to the problem.

> Then again: using RELEASE is a huge pain from the
> perspective of a server administrator with many [often
> virtual] hosts to maintain. The pain is so big that it
> actually drove me away from using OpenBSD for almost a
> decade.

Syspatch and the existence of third-party packagers like
m:tier have made it much less painful. Meanwhile, other
OS's, eg. Systemd/Linux, have become much more painful
(I say this after 20 years of Linux use).

John



Re: Introducing pf-badhost and unbound-adblock

2019-02-05 Thread Ales Tepina
On Mon, Aug 06, 2018 at 04:52:04PM -0700, Jordan Geoghegan wrote:
> 
> On 08/06/18 10:24, Scott Bonds wrote:
> > On 08/05, Jordan Geoghegan wrote:
> > > Hi everyone,
> > > 
> > > I thought I would share a couple scripts I wrote to block ads and
> > > bad hosts. I have found them to increase web-browsing speed and
> > > reduce battery consumption, especially on mobile devices. They also
> > > help reduce pop ups and fake sites, especially on mobile/in apps.
> > > 
> > > I have also found pf-badhost to reduce noise in my httpd/ssh auth
> > > logs. I used to get over 10,000 ssh attempts per day on my router,
> > > now I usually get less than 100 a day. Another added benefit of
> > > pf-badhost is that it blocks Shodan scans, which may appeal to some.
> > > 
> > > I shared a similar script on misc@ earlier this year and received
> > > positive feedback, so I thought I would clean up the scripts and
> > > write a how-to guide.
> > > 
> > > Enjoy!
> > > 
> > > https:/www.geoghegan.ca
> > > 
> > > https://www.geoghegan.ca/pfbadhost.html
> > > 
> > > https://www.geoghegan.ca/unbound-adblock.html
> > > 
> > 
> > Very nice, thank you for sharing and for the nicely written guides.
> Thanks Scott!
>  I plan to update pf-badhost to also support geoblocking by country / region
> in the near future. Stay tuned.
> 
> Cheers,
> 
> Jordan
> 

Jordan, hi!

Any news/progress on the geoblocking by country part? Looking forward to it.

Regards, Ales



Re: is pfsync losing data on reboot?

2019-02-05 Thread Harald Dunkel

Hi folks,

On 2/1/19 1:00 PM, Sebastian Benoit wrote:
> Janne Johansson(icepic...@gmail.com) on 2019.02.01 12:49:53 +0100:
> > Yes, it will get a full dump since it has zero pre-existing knowledge of
> > the current situation regarding states.
> > 
> > I think carp will delay itself until the sync is done, so it will not try
> > to take over even if it has lower advskew than the other, until the sync is
> > complete.
> 
> depending on the setting of sysctl net.inet.carp.log,
> carp(4) will log what it (and pfsync) does.



I highly appreciate your response.

Regards
Harri



Re: Introducing pf-badhost and unbound-adblock

2019-02-05 Thread Johan

On 2019-02-05 14:03, Ales Tepina wrote:
> On Mon, Aug 06, 2018 at 04:52:04PM -0700, Jordan Geoghegan wrote:
> > 
> > On 08/06/18 10:24, Scott Bonds wrote:
> > > On 08/05, Jordan Geoghegan wrote:
> > > > Hi everyone,
> > > >
> > > > I thought I would share a couple scripts I wrote to block ads and
> > > > bad hosts. I have found them to increase web-browsing speed and
> > > > reduce battery consumption, especially on mobile devices. They also
> > > > help reduce pop ups and fake sites, especially on mobile/in apps.
> > > >
> > > > I have also found pf-badhost to reduce noise in my httpd/ssh auth
> > > > logs. I used to get over 10,000 ssh attempts per day on my router,
> > > > now I usually get less than 100 a day. Another added benefit of
> > > > pf-badhost is that it blocks Shodan scans, which may appeal to some.
> > > >
> > > > I shared a similar script on misc@ earlier this year and received
> > > > positive feedback, so I thought I would clean up the scripts and
> > > > write a how-to guide.
> > > >
> > > > Enjoy!
> > > >
> > > > https:/www.geoghegan.ca
> > > >
> > > > https://www.geoghegan.ca/pfbadhost.html
> > > >
> > > > https://www.geoghegan.ca/unbound-adblock.html
> > > >
> > >
> > > Very nice, thank you for sharing and for the nicely written guides.
> > Thanks Scott!
> > I plan to update pf-badhost to also support geoblocking by country / region
> > in the near future. Stay tuned.
> > 
> > Cheers,
> > 
> > Jordan
> 
> Jordan, hi!
> 
> Any news/progress on the geoblocking by country part? Looking forward to it.
> 
> Regards, Ales


Hi
I wrote a shell script that uses source addresses from ipdeny.com:

https://github.com/elasmo/misc-scripts/blob/master/geoipblock.sh

Regards
Johan



Re: amd64 cc error unknown argument '-msave-args'

2019-02-05 Thread Theo de Raadt
Jyri Hovila [Turvamies.fi]  wrote:

> > And since you are doing this with -current *ALL OVER THE PLACE*
> > there are instructions that if you have trouble you should upgrade
> > to a snapshot.
> 
> Theo, with all due respect, there are many situations where upgrading to a 
> snapshot really isn't an option.

Jyri,

That is incorrect.  The use of -current is "developer participation".
Snapshots are part of the developer "conversation".  They are built to
ensure we aren't making mistakes, and to help get over the hump when we
introduce incompatibilities which prevent build-over.  Many of the people
using them are testers helping ensure our FUTURE CODE DROP TO USERS --
which we release -- are in good shape.

RELEASES are used by "users".

SNAPSHOTS are used by developers, or people helping the development process.

These usage patterns are DISTINCT.

Everything you are saying is your DESIRE TO IMPOSE A DIFFERENT PROCESS
upon the developers, which is about 100 people already doing a hard
task, unlike you -- who are here carrying only "an opinion".

> > Those instructions to exist the noise on the list every time we
> > make a change and people don't notice or understand it and suddenly
> > they are in over their heads
> 
> Again with all due respect, should all users of OpenBSD constantly
> watch the development in order to be able to use it?
> 
> Yes, I know: the CURRENT is not for production use, etc. etc. etc.

So you know the difference, but you wish to preach to us that we should
completely change our development process.

You really should just shut up.

> Then again: using RELEASE is a huge pain from the perspective of a
> server administrator with many [often virtual] hosts to maintain. The
> pain is so big that it actually drove me away from using OpenBSD for
> almost a decade.

Yes, life is hard.  Grow up or run something else.

> > *even our own developers* have to do that, from time to time
> 
> I'd say issues like this are the ones that prevent OpenBSD from being
> embraced by many otherwise potential users.

You are allowed to have incorrect opinions which don't matter to us,
but preaching to us is quite impolite.




Re: amd64 cc error unknown argument '-msave-args'

2019-02-05 Thread Theo de Raadt
Anthony J. Bentley  wrote:

> Once again, the alternative is simple and well
> documented: build -stable from -stable, build -current from snaps.

Well said.




dell universal d6000 dock

2019-02-05 Thread myml...@gmx.com

Hi,

I am running current from Jan 21st on a dell latitude 7490 (dmesg below) 
and was hoping to get a usb-c dock connected so that I could use 2 
display ports, the hdmi, eth and extra usb ports in one easy to 
disconnect usb-c connection.


The hdmi seems to work ok but I get the following errors in 
/var/log/messages when I plug/unplug a display port.


Feb  5 16:48:56 curry /bsd: uhub1 at uhub0 port 1 configuration 1 
interface 0 "GenesysLogic USB2.1 Hub" rev 2.10/88.16 addr 5
Feb  5 16:48:56 curry apmd: battery status: high. external power status: 
connected. estimated battery life 95%
Feb  5 16:48:57 curry /bsd: uhub2 at uhub1 port 2 configuration 1 
interface 0 "GenesysLogic USB2.1 Hub" rev 2.10/88.17 addr 6
Feb  5 16:48:58 curry /bsd: uhub3 at uhub1 port 3 configuration 1 
interface 0 "Genesys Logic USB2.0 Hub" rev 2.00/88.32 addr 7
Feb  5 16:48:59 curry /bsd: uhidev2 at uhub3 port 1 configuration 1 
interface 0 "Bizlink D6000 Controller" rev 2.00/0.18 addr 8

Feb  5 16:48:59 curry /bsd: uhidev2: iclass 3/0, 1 report id
Feb  5 16:48:59 curry /bsd: uhid4 at uhidev2 reportid 1: input=0, 
output=0, feature=1
Feb  5 16:48:59 curry /bsd: uhub4 at uhub0 port 13 configuration 1 
interface 0 "GenesysLogic USB3.1 Hub" rev 3.10/88.16 addr 9
Feb  5 16:49:00 curry /bsd: uaudio0 at uhub4 port 1 configuration 1 
interface 2 "DisplayLink Dell Universal Dock D6000" rev 3.10/31.27 addr 10
Feb  5 16:49:00 curry /bsd: uaudio0: audio descriptors make no sense, 
error=4
Feb  5 16:49:00 curry /bsd: ugen1 at uhub4 port 1 configuration 1 
"DisplayLink Dell Universal Dock D6000" rev 3.10/31.27 addr 10
Feb  5 16:49:01 curry /bsd: uhub5 at uhub4 port 2 configuration 1 
interface 0 "GenesysLogic USB3.1 Hub" rev 3.10/88.17 addr 11

Feb  5 16:49:01 curry /bsd: uhub2 detached
Feb  5 16:49:01 curry /bsd: uhid4 detached
Feb  5 16:49:01 curry /bsd: uhidev2 detached
Feb  5 16:49:01 curry /bsd: uhub3 detached
Feb  5 16:49:01 curry /bsd: uhub1 detached
Feb  5 16:49:02 curry /bsd: uhub1 at uhub0 port 1 configuration 1 
interface 0 "GenesysLogic USB2.1 Hub" rev 2.10/88.16 addr 5
Feb  5 16:49:03 curry /bsd: uhub2 at uhub1 port 2 configuration 1 
interface 0 "GenesysLogic USB2.1 Hub" rev 2.10/88.17 addr 6
Feb  5 16:49:04 curry /bsd: uhub3 at uhub1 port 3 configuration 1 
interface 0 "Genesys Logic USB2.0 Hub" rev 2.00/88.32 addr 7
Feb  5 16:49:05 curry /bsd: uhidev2 at uhub3 port 1 configuration 1 
interface 0 "Bizlink D6000 Controller" rev 2.00/0.18 addr 8

Feb  5 16:49:05 curry /bsd: uhidev2: iclass 3/0, 1 report id
Feb  5 16:49:05 curry /bsd: uhid4 at uhidev2 reportid 1: input=0, 
output=0, feature=1
Feb  5 16:49:53 curry /bsd: umass0 at uhub5 port 2 configuration 1 
interface 0 "SanDisk Ultra" rev 3.00/1.00 addr 12

Feb  5 16:49:53 curry /bsd: umass0: using SCSI over Bulk-Only
Feb  5 16:49:53 curry /bsd: scsibus4 at umass0: 2 targets, initiator 0
Feb  5 16:49:53 curry /bsd: sd2 at scsibus4 targ 1 lun 0: <SanDisk, Ultra, 1.00> SCSI4 0/direct removable serial.07815581200212119554

Feb  5 16:49:53 curry /bsd: sd2: 29328MB, 512 bytes/sector, 60063744 sectors
Feb  5 16:51:59 curry /bsd: error: [drm:pid69604:intel_dp_aux_wait_done] 
*ERROR* dp aux hw did not signal timeout (has irq: 1)!
Feb  5 16:54:57 curry /bsd: error: 
[drm:pid69604:intel_pipe_update_start] *ERROR* Potential atomic update 
failure on pipe B
Feb  5 16:55:56 curry /bsd: WARNING !wm_changed failed at 
/usr/src/sys/dev/pci/drm/i915/intel_pm.c:3609

Feb  5 16:56:39 curry /bsd: uhub2 detached
Feb  5 16:56:39 curry /bsd: uhid4 detached
Feb  5 16:56:39 curry /bsd: uhidev2 detached
Feb  5 16:56:39 curry /bsd: uhub3 detached
Feb  5 16:56:39 curry /bsd: uhub1 detached
Feb  5 16:56:39 curry /bsd: uaudio0 detached
Feb  5 16:56:39 curry /bsd: ugen1 detached
Feb  5 16:56:39 curry /bsd: sd2 detached
Feb  5 16:56:39 curry /bsd: scsibus4 detached
Feb  5 16:56:39 curry /bsd: umass0 detached
Feb  5 16:56:39 curry /bsd: uhub5 detached
Feb  5 16:56:39 curry /bsd: uhub4 detached
Feb  5 16:56:40 curry apmd: battery status: high. external power status: 
not connected. estimated battery life 95%
Feb  5 17:06:45 curry /bsd: error: 
[drm:pid69604:intel_pipe_update_start] *ERROR* Potential atomic update 
failure on pipe A


Any thoughts?

I have to return the dock in a couple of days but if there is any 
procedures or output that someone would like to see in the meantime, let 
me know.


Thanks,

Thomas


OpenBSD 6.4-current (GENERIC.MP) #625: Mon Jan 21 22:20:46 MST 2019
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 17037066240 (16247MB)
avail mem = 16511123456 (15746MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 3.1 @ 0xe (109 entries)
bios0: vendor Dell Inc. version "1.7.2" date 11/26/2018
bios0: Dell Inc. Latitude 7490
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP APIC FPDT FIDT MCFG HPET SSDT SSDT HPET SSDT 
UEFI SSDT LPIT SSDT SSDT SSDT SSDT DBGP DBG2 SSDT SSDT MSDM SLIC NHLT 
TPM2 

Re: I am sorry

2019-02-05 Thread Артур Истомин
On Mon, Feb 04, 2019 at 05:44:57PM +0200, Leonid Bobrov wrote:
> Hi, dear OpenBSD community.
> 
> Please forgive me for drama I made earlier at mailing list and
> IRC channel. I am not a troll, I promise, I want to contribute to
> OpenBSD in any way I can, please give me a chance.
> 
> All this time I had a depression and recently I've visited a doctor
> and now I am taking tranquilizer and antidepressant pills and feel
> myself much better, tomorrow I am going to visit a doctor once more.

Fuck them all! All what you need: one night, one litre of vodka and one your
best friend. And cozy small room of course.

As an alternative you can probably take LSD. But I didn't try it personally.

> 
> I am sorry for all offending words I told you, I am sorry for yelling
> at you, I admit I was wrong. I was very desperate and anxious.
>