Re: Unwind in rdomain1 returning NXDOMAIN for local queries
On 2022-03-25, Francisco Gaitan wrote:
> On Fri, Mar 25, 2022 at 07:56:16AM -0400, Josh Grosse wrote:
>> On Fri, Mar 25, 2022 at 11:41:08AM +0100, Francisco Gaitan wrote:
>> > I have setup a WireGuard VPN so I run two instances of unwind, one for
>> > rdomain 0 (unwind) and another for rdomain 1 (unwind1) this way:
>> > lrwxr-xr-x  1 root  wheel  16 Mar 23 13:44 unwind1 -> /etc/rc.d/unwind
>> >
>> > $ cat /etc/rc.conf.local
>> > unwind1_flags=-vvv -f /etc/unwind1.conf
>> > unwind1_rtable=1
>>
>> Here is where we differ. Both of my unwind(8) instances use the same
>> configuration file, but they use different sockets:
>>
>> unwind1_flags=-s /dev/unwind1.sock
>> unwind1_rtable=1
>> unwind_flags=
>>
>
> Thank you. I updated my /etc/rc.conf.local (and rebooted):
>
> unwind1_flags=-s /var/run/unwind1.sock -f /etc/unwind1.conf
> unwind1_rtable=1
> unwind_flags=
>
> But it still fails:
>
> iron$ route -T1 exec dig +short @127.0.0.1 iron.home.arpa
> 192.168.10.10
> iron$ route -T1 exec dig +short @127.0.0.1 iron.home.arpa
>
> After rcctl restart unwind1:
>
> iron$ route -T1 exec dig +short @127.0.0.1 iron.home.arpa
> 192.168.10.10

But now you have a working control socket for both, so you can provide
"unwindctl status" and "unwindctl -s /var/run/unwind1.sock status", and
show the configuration files, which would give a better idea of what might
be wrong.

(I found unwind more trouble than it's worth with rdomains though, I killed
resolvd and hardcoded a public resolver in resolv.conf instead..)

--
Please keep replies on the mailing list.
Tunnel traffic does not match SA on initial connection to remote httpd
The setup is two gateways with IPsec channels set up in tunnel mode to bridge
networks 10.255.255.0/24 and 10.254.255.0/24. Traffic from server-east:enc0
does not match an SA in place when trying to connect to httpd on server-west.

Setup in ASCII art:

  em0:203.0.113.50 -~-~- ipsec tunnel -~-~-~- vio0:100.64.1.92
  | SERVER-WEST |                             | SERVER-EAST |
  enc0:10.255.255.1/24                        enc0:10.254.255.1/24

When traffic sources from 10.254.255.1 to server-west's httpd, the initial
SYN goes out 100.64.1.92 and does not match the ipsec SA in place:

flow esp out from 10.254.255.0/24 to 10.255.255.0/24 peer 203.0.113.50 srcid FQDN/server-east.example.com dstid FQDN/server-west.example.com type require

However, return traffic on server-west matches an SA already in place and is
sent back over the tunnel to server-east. Here is a pcap from server-west
showing the initial connection; the second packet is the response from
server-west to server-east over the tunnel, etc.

11:15:07.595477 100.64.1.92.53545 > 203.0.113.50.80: SWE 466527235:466527235(0) win 16384 (DF)
11:15:07.641673 203.0.113.50 > 100.64.1.92: esp spi 0x5787a1ca seq 1 len 80 (DF)
11:15:07.641901 100.64.1.92 > 203.0.113.50: esp spi 0x9a987eb3 seq 1 len 76
11:15:11.959583 100.64.1.92.63317 > 203.0.113.50.80: SWE 321626718:321626718(0) win 16384 (DF)
11:15:12.005730 203.0.113.50 > 100.64.1.92: esp spi 0x5787a1ca seq 2 len 80 (DF)

The SA being matched on server-west is:

esp tunnel from 203.0.113.50 to 100.64.1.92 spi 0x5787a1ca enc aes-256-gcm

Is something missing in my configs or does anything look obviously broken?
Many thanks in advance for any help.

PF RULES
===

# server-west pf
match in all scrub (no-df random-id max-mss 1440)
match out on em0 inet from 10.255.255.0/24 to any nat-to (em0) round-robin
block drop in log on ! em0 inet from 203.0.113.48/30 to any
block drop log all
pass out proto tcp all modulate state
pass out proto udp from any to any port = 500
pass out proto udp from any to any port = 4500
pass out proto esp all
pass out proto ah all
pass out all modulate state
block drop in log from urpf-failed to any label "uRPF"
block drop in log from no-route to any
pass in proto udp from any to 203.0.113.50 port = 500 keep state
pass in proto udp from any to 203.0.113.50 port = 4500 keep state
pass in proto esp from any to 203.0.113.50
pass in proto ah from any to 203.0.113.50
pass in inet proto tcp from any to 203.0.113.50 port = 80 flags S/SA synproxy state (source-track rule, max-src-conn 256, max-src-conn-rate 40/2, overload flush, src.track 2)
pass in inet proto tcp from 100.64.1.92 to 203.0.113.50 port = 5201 flags S/SA

# server-east pf
match in all scrub (no-df random-id max-mss 1440)
match out on vio0 inet from 10.254.255.0/24 to any nat-to (vio0) round-robin
block drop in log on ! vio0 inet from 100.64.0.0/23 to any
block drop log all
pass out proto tcp all modulate state
pass out proto udp from any to any port = 500
pass out proto udp from any to any port = 4500
pass out proto esp all
pass out proto ah all
pass out all modulate state
block drop in log from urpf-failed to any label "uRPF"
block drop in log from no-route to any
pass in inet proto udp from any to 100.64.1.92 port = 500 keep state
pass in inet proto udp from any to 100.64.1.92 port = 4500 keep state
pass in inet proto esp from any to 100.64.1.92
pass in inet proto ah from any to 100.64.1.92
pass on enc0 all flags S/SA modulate state (if-bound) tagged VPN.SERVER-WEST
pass on enc0 all flags S/SA modulate state (if-bound)
pass in inet proto tcp from any to 100.64.1.92 port = 80 flags S/SA synproxy state (source-track rule, max-src-conn 256, max-src-conn-rate 40/2, overload flush, src.track 2)
pass in inet proto tcp from 203.0.113.50 to 100.64.1.92 port = 5201 flags S/SA

IPSEC FLOWS
===

# server-west flows
FLOWS:
flow esp in from 10.254.255.0/24 to 10.255.255.0/24 peer 100.64.1.92 srcid FQDN/server-west.example.com dstid FQDN/server-east.example.com type require
flow esp in from 100.64.1.92 to 203.0.113.50 peer 100.64.1.92 srcid FQDN/server-west.example.com dstid FQDN/server-east.example.com type require
flow esp out from 10.255.255.0/24 to 10.254.255.0/24 peer 100.64.1.92 srcid FQDN/server-west.example.com dstid FQDN/server-east.example.com type require
flow esp out from 203.0.113.50 to 100.64.1.92 peer 100.64.1.92 srcid FQDN/server-west.example.com dstid FQDN/server-east.example.com type require

SAD:
esp tunnel from 203.0.113.50 to 100.64.1.92 spi 0x5787a1ca enc aes-256-gcm
esp tunnel from 100.64.1.92 to 203.0.113.50 spi 0x9a987eb3 enc aes-256-gcm

# server-east flows
FLOWS:
flow esp in from 10.255.255.0/24 to 10.254.255.0/24 peer 203.0.113.50 srcid FQDN/server-east.example.com dstid FQDN/server-west.example.com type require
flow esp in from 203.0.113.50 to 100.64.1.92 peer 203.0.113.50 srcid FQDN/server-east.example.com dstid FQDN/server-west.example.com type require
flow esp out from 10.254.255.0/24
Re: Question how to delete somewhat encrypted partisions / softraid?
On 3/25/22 5:28 AM, soko.tica wrote:
> Hello list,
...
> But I have failed to proceed before the installation with
>
> # cd /dev && sh MAKEDEV sd1
> # dd if=/dev/zero of=/dev/rsd1c bs=1m count=1
>
> So I ended up with unbootable install.

I don't think that is cause and effect.

If you want to start over from scratch (which I agree with others, this would
be a good starting point), I'd just suggest zeroing the first 1MB of the
physical disk. That will clear all OpenBSD structures from the physical disk,
the softraid encrypted disk, and any (important) evidence there was a softraid
disk there.

I always recommend clearing the start of the physical disk whenever dealing
with RAID because... well, deleting the fdisk and disklabel tables looks good,
but there's often a lot of "structure" left on the disk which can sometimes be
confusing to the user (or the OS!) when things suddenly pop back from the
seeming dead.

So ... dd /dev/zero over the first 1MB of sd0, start over and see what you get.

But I think your real problem is the installation didn't go right for unknown
reasons. You MAY want to start with a simple install, make sure your machine
handles OpenBSD well without the encrypted disk, before jumping into the full
disk encryption (OpenBSD installs are so fast and relatively painless, no
reason to fret about getting everything "just so" on the first install!).

Nick.
Re: Desktops and laptops status of firewall and FDE
On 2022-03-25, Mikolaj Kucharski wrote:
> On Thu, Mar 24, 2022 at 09:56:24AM +, Mikolaj Kucharski wrote:
>> Hi,
>>
>> Do you guys have an approach, a software to periodically monitor status of
>> endpoint machines, laptops, desktops where the requirement is to have
>> full disk encryption and firewall enabled, and appropriately configured?
>>
>> Machines would be OpenBSD and Linux. I guess MacOS too, but that is less
>> relevant I think.
>>
>
> I think I have a more specific question. How would you codify the answer that
> a directory, for example "/", is on a softraid crypto device?

bioctl $(df -h / | awk '/^\/dev/ { print substr($1, 6, length($1)-6) }')
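As an added example (not from the thread), the one-liner above turned into a small sh(1) check that can run from cron and give a yes/no answer; the df/bioctl sample output is constructed, and the --live mode assumes an OpenBSD host with bioctl(8) available.

```shell
#!/bin/sh
# Added example, not code from the thread: answers "is this mount point on a
# softraid CRYPTO volume?" by parsing df(1) and bioctl(8) output, using the
# same substr() trick as the one-liner above to get sd1 out of /dev/sd1a.
# The DF_SAMPLE / BIOCTL_SAMPLE outputs are constructed for illustration.

# Device (e.g. "sd1") holding mount point $2, taken from df output in $1.
device_of() {
    printf '%s\n' "$1" | awk -v mp="$2" \
        '$1 ~ /^\/dev\// && $NF == mp { print substr($1, 6, length($1) - 6) }'
}

# Exit 0 if bioctl output in $1 lists device $2 as a softraid CRYPTO volume.
# bioctl prints: "softraid0 <vol> Online <size> <dev> CRYPTO" for such volumes.
is_crypto_volume() {
    printf '%s\n' "$1" | awk -v dev="$2" \
        '$1 == "softraid0" && $5 == dev && $6 == "CRYPTO" { found = 1 }
         END { exit !found }'
}

# $1: df output, $2: bioctl output, $3: mount point.
# Prints "<dev> crypto" (exit 0), "<dev> plain" (exit 1) or "unknown" (exit 2).
fde_status() {
    dev=$(device_of "$1" "$3")
    if [ -z "$dev" ]; then
        echo unknown
        return 2
    fi
    if is_crypto_volume "$2" "$dev"; then
        echo "$dev crypto"
        return 0
    fi
    echo "$dev plain"
    return 1
}

# Constructed sample: / on sd1a, and bioctl reports sd1 as a CRYPTO volume.
DF_SAMPLE='Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/sd1a      1.9G    1.1G    0.7G    61%    /
/dev/sd1d      3.9G    0.2G    3.5G     5%    /usr'
BIOCTL_SAMPLE='Volume      Status               Size Device
softraid0 0 Online      499999997952 sd1     CRYPTO
          0 Online      499999997952 0:0.0   noencl <HGST HTS725050A7>'

# Live mode (assumed OpenBSD host): ./fde-check.sh --live /
if [ "${1:-}" = "--live" ] && command -v bioctl >/dev/null 2>&1; then
    mp=${2:-/}
    dev=$(device_of "$(df -h "$mp")" "$mp")
    fde_status "$(df -h "$mp")" "$(bioctl "$dev" 2>/dev/null)" "$mp"
else
    fde_status "$DF_SAMPLE" "$BIOCTL_SAMPLE" /
fi
```

The exit status is what a monitoring agent would collect: 0 for encrypted, 1 for a plain disk, 2 when the mount point could not be resolved.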
Re: Desktops and laptops status of firewall and FDE
On Thu, Mar 24, 2022 at 09:56:24AM +, Mikolaj Kucharski wrote:
> Hi,
>
> Do you guys have an approach, a software to periodically monitor status of
> endpoint machines, laptops, desktops where the requirement is to have
> full disk encryption and firewall enabled, and appropriately configured?
>
> Machines would be OpenBSD and Linux. I guess MacOS too, but that is less
> relevant I think.
>

I think I have a more specific question. How would you codify the answer that
a directory, for example "/", is on a softraid crypto device?

--
Regards,
Mikolaj
Re: Unwind in rdomain1 returning NXDOMAIN for local queries
On Fri, Mar 25, 2022 at 11:41:08AM +0100, Francisco Gaitan wrote:
> I have setup a WireGuard VPN so I run two instances of unwind, one for
> rdomain 0 (unwind) and another for rdomain 1 (unwind1) this way:
> lrwxr-xr-x  1 root  wheel  16 Mar 23 13:44 unwind1 -> /etc/rc.d/unwind
>
> $ cat /etc/rc.conf.local
> unwind1_flags=-vvv -f /etc/unwind1.conf
> unwind1_rtable=1

Here is where we differ. Both of my unwind(8) instances use the same
configuration file, but they use different sockets:

unwind1_flags=-s /dev/unwind1.sock
unwind1_rtable=1
unwind_flags=

>
> After some time and without any output to /var/log/daemon, unwind1 just
> stops replying to queries for the local network until I restart, then it
> works again during some time.
>
> This happens since days ago where I did this setup.
>
> $ cat /etc/resolv.conf
> nameserver 127.0.0.1 # resolvd: unwind
> search home.arpa
> lookup file bind
>
> $ cat /etc/unwind1.conf
> forwarder 192.168.10.1
>
> $ route -T 1 exec dig @127.0.0.1 iron.home.arpa
>
> ; <<>> dig 9.10.8-P1 <<>> @127.0.0.1 iron.home.arpa
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 31081
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;iron.home.arpa.			IN	A
>
> ;; AUTHORITY SECTION:
> home.arpa.		3600	IN	SOA	localhost. nobody.invalid. 1 3600 1200 604800 10800
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Fri Mar 25 11:25:43 CET 2022
> ;; MSG SIZE  rcvd: 91
>
> $ route -T 1 exec dig @127.0.0.1 +short iron.home.arpa
> $ route -T 1 exec dig @192.168.10.1 +short iron.home.arpa
> 192.168.10.10
> $ route -T 1 exec dig +short example.com
> 93.184.216.34
>
> $ doas rcctl restart unwind1
> unwind1(ok)
> unwind1(ok)
>
> $ route -T 1 exec dig @127.0.0.1 +short iron.home.arpa
> 192.168.10.10
> $ route -T 1 exec dig @192.168.10.1 +short iron.home.arpa
> 192.168.10.10
>
> $ ifconfig lo1
> lo1: flags=8049 rdomain 1 mtu 32768
>         description: rdomain 1 loopback address
>         index 5 priority 0 llprio 3
>         groups: lo
>         inet6 ::1 prefixlen 128
>         inet6 fe80::1%lo1 prefixlen 64 scopeid 0x5
>         inet 127.0.0.1 netmask 0xff00
>
> $ route -T 1 exec netstat -lnf inet
> Active Internet connections (only servers)
> Proto   Recv-Q Send-Q  Local Address          Foreign Address        TCP-State
> tcp          0      0  127.0.0.1.53           *.*                    LISTEN
> Active Internet connections (only servers)
> Proto   Recv-Q Send-Q  Local Address          Foreign Address
> udp          0      0  192.168.10.10.68       *.*
> udp          0      0  127.0.0.1.53           *.*
> udp          0      0  *.17233                *.*
>
> OpenBSD 7.1-beta (GENERIC.MP) #439: Thu Mar 24 20:01:15 MDT 2022
>     dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> real mem = 17087004672 (16295MB)
> avail mem = 16551866368 (15785MB)
> random: good seed from bootblocks
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xe838b (83 entries)
> bios0: vendor Hewlett-Packard version "K51 v01.87" date 06/10/2019
> bios0: Hewlett-Packard HP Z220 CMT Workstation
> acpi0 at bios0: ACPI 5.0
> acpi0: sleep states S0 S3 S4 S5
> acpi0: tables DSDT FACP APIC FPDT MCFG HPET SSDT SSDT SLIC SSDT SSDT TCPA ASF!
> acpi0: wakeup devices PS2K(S3) PS2M(S3) USB1(S3) USB2(S3) USB3(S3) USB4(S3)
> USB5(S3) USB6(S3) USB7(S3) HUB_(S4) RP01(S4) PXSX(S4) RP05(S4) PXSX(S4)
> RP07(S4) PXSX(S4) [...]
> acpitimer0 at acpi0: 3579545 Hz, 24 bits
> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: Intel(R) Xeon(R) CPU E3-1245 V2 @ 3.40GHz, 3392.75 MHz, 06-3a-09
> cpu0:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
> cpu0: 256KB 64b/line 8-way L2 cache
> cpu0: smt 0, core 0, package 0
> mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
> cpu0: apic clock running at 99MHz
> cpu0: mwait min=64, max=64, C-substates=0.2.1.1, IBE
> cpu1 at mainbus0: apid 2 (application processor)
> cpu1: Intel(R) Xeon(R) CPU E3-1245 V2 @ 3.40GHz, 3392.31 MHz, 06-3a-09
> cpu1:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
> cpu1: 256KB 64b/line 8-way
Re: Question how to delete somewhat encrypted partisions / softraid?
On Fri, Mar 25, 2022 at 10:28:55AM +0100, soko.tica wrote:
> Hello list,
>
> I have tried to encrypt disk before the installation of OpenBSD 7.0
> according to the instructions here
> https://www.openbsd.org/faq/faq14.html#softraid and managed to mess it.

First of all, if this is a fresh install onto an otherwise clean disk, I see
no reason not to restart everything from scratch.

>
> I have performed
>
> # cd /dev && sh MAKEDEV sd0
> # fdisk -iy -g -b 960 sd0
> # disklabel -E sd0
> Label editor (enter '?' for help at any prompt)
> sd0> a a
> offset: [64]
> size: [39825135] *
> FS type: [4.2BSD] RAID
> sd0*> w
> sd0> q
> No label changes.
> # bioctl -c C -l sd0a softraid0
>
> But I have failed to proceed before the installation with
>
> # cd /dev && sh MAKEDEV sd1
> # dd if=/dev/zero of=/dev/rsd1c bs=1m count=1
>
> So I ended up with unbootable install.

There is some missing information here. How did the installation proceed?
Did it go all the way to the end? Did the installer create a disklabel? And
if so, on which disk?

If you boot the RAMDISK, exit to a shell, build the crypto volume (bioctl),
create the dev node (MAKEDEV sd1) and check its disklabel (disklabel sd1),
does it show anything? If there are partitions on the sd1 disklabel, can
they be mounted and do they have anything in them?

Again, if the disk was empty to begin with (and the information below seems
to indicate so), there is nothing that needs to be salvaged, just restart
the whole process.

> The disk is shown
>
> # disklabel sd0
> # /dev/rsd0c:
> type: SCSI
> disk: SCSI disk
> label: HGST HTS725050A7
> duid: f62d9ae29f67d326
> flags:
> bytes/sector: 512
> sectors/track: 63
> tracks/cylinder: 255
> sectors/cylinder: 16065
> cylinders: 60801
> total sectors: 976773168
> boundstart: 1024
> boundend: 976773135
> drivedata: 0
>
> 16 partitions:
> #                size           offset  fstype [fsize bsize   cpg]
>   a:        976772111             1024    RAID
>   c:        976773168                0  unused
>   i:              960               64   MSDOS
>
> # fdisk sd0
> Disk: sd0       Usable LBA: 34 to 976773134 [976773168 Sectors]
>    #: type                                 [       start:         size ]
> ------------------------------------------------------------------------
>    0: EFI Sys                              [          64:          960 ]
>    1: OpenBSD                              [        1024:    976772111 ]
>
>
> Is it safe to delete all somewhat encrypted partitions by
> # fdisk -iy sd0
> ?
>
> Should I perhaps first delete somewhat encrypted partitions by
>
> # disklabel -E sd0
>
> d a
> d i
>
> ?
>
> Thank you in advance for your answers.

--
Question how to delete somewhat encrypted partisions / softraid?
Hello list,

I have tried to encrypt disk before the installation of OpenBSD 7.0
according to the instructions here
https://www.openbsd.org/faq/faq14.html#softraid and managed to mess it.

I have performed

# cd /dev && sh MAKEDEV sd0
# fdisk -iy -g -b 960 sd0
# disklabel -E sd0
Label editor (enter '?' for help at any prompt)
sd0> a a
offset: [64]
size: [39825135] *
FS type: [4.2BSD] RAID
sd0*> w
sd0> q
No label changes.
# bioctl -c C -l sd0a softraid0

But I have failed to proceed before the installation with

# cd /dev && sh MAKEDEV sd1
# dd if=/dev/zero of=/dev/rsd1c bs=1m count=1

So I ended up with unbootable install.

The disk is shown

# disklabel sd0
# /dev/rsd0c:
type: SCSI
disk: SCSI disk
label: HGST HTS725050A7
duid: f62d9ae29f67d326
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 255
sectors/cylinder: 16065
cylinders: 60801
total sectors: 976773168
boundstart: 1024
boundend: 976773135
drivedata: 0

16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  a:        976772111             1024    RAID
  c:        976773168                0  unused
  i:              960               64   MSDOS

# fdisk sd0
Disk: sd0       Usable LBA: 34 to 976773134 [976773168 Sectors]
   #: type                                 [       start:         size ]
------------------------------------------------------------------------
   0: EFI Sys                              [          64:          960 ]
   1: OpenBSD                              [        1024:    976772111 ]

Is it safe to delete all somewhat encrypted partitions by
# fdisk -iy sd0
?

Should I perhaps first delete somewhat encrypted partitions by

# disklabel -E sd0

d a
d i

?

Thank you in advance for your answers.
Re: Cross-build ARM64 on AMD64. Any starting pointers?
On Fri, 25 Mar 2022 at 09:23, Slava Voronzoff wrote:
> Hello, I want to build ARM64 on my OpenBSD/amd64 machine. Any suggestions
> on where to start with? I spent some time in qemu-aarch64, but while it is
> working it is obviously pretty slow.

http://www.openbsd.org/faq/faq5.html
search for "cross"

--
May the most significant bit of your life be positive.
Cross-build ARM64 on AMD64. Any starting pointers?
Hello, I want to build ARM64 on my OpenBSD/amd64 machine. Any suggestions
on where to start with? I spent some time in qemu-aarch64, but while it is
working it is obviously pretty slow.