Re: Renew/extend CA created with ikectl

2018-12-12 Thread Kim Zeitler

Hello Stuart

thanks for the reply, already suspected something along those lines.

On 12/10/18 7:14 PM, Stuart Henderson wrote:


It's a bit awkward but can be done, you'll find some information at
https://serverfault.com/questions/306345/certification-authority-root-certificate-expiry-and-renewal

You'll need to get the new CA cert installed on clients anyway though
(and I don't suppose the client certs have much longer validity either?)
so doing the above might not save you much trouble ..


In the end I followed doing something along these lines.
As we have quite some clients in the field it was easier to get them to 
add the new CA.



I didn't find anything in the man pages nor on the mailing list. Having
had a look at ikeca.c gave me some idea of how the file is created.

Also is there a way of having the ca cert valid for more than 365 days?


Not without patching the command-line in ikectl code, or generating
the cert manually. It's not ideal..
I would be willing to patch ikectl to contain a ca renew, but would like 
some 'guidance' concerning sane defaults for this.




I'd probably recommend using something else to manage your internal
CA (or just avoiding X509 if you don't actually need it...).
Any suggestions? We used some other CA management SW over the years but 
enjoyed the clean and simple approach that ikectl gave us so far.

Cheers Kim
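The CA in this thread expired before anyone noticed, and ikectl(8) only issues 365-day CA certificates, so the check worth automating is an expiry warning. The script below is an added example for this page, not code from the thread or from ikectl. It assumes openssl(1) is installed and that the CA and client certificates live under a directory such as /etc/ssl (a placeholder path to adjust); it only reads the files and never modifies them.

```sh
#!/bin/sh
# Added example: warn before X.509 certificates (for instance an
# ikectl-created CA under /etc/ssl) expire. Assumes openssl(1) is
# available; directory paths are placeholders.

# cert_expires_within FILE SECONDS
# Returns 0 (true) if the certificate in FILE is already expired or will
# expire within SECONDS, 1 otherwise. 'openssl x509 -checkend' exits 0
# while the certificate stays valid for the whole window, so invert it.
cert_expires_within() {
    if openssl x509 -noout -checkend "$2" -in "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# cert_enddate FILE: print the notAfter date as openssl reports it.
cert_enddate() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# check_cert_dir DIR DAYS
# Scans DIR for *.crt and *.pem files, prints one WARNING line per
# certificate that expires within DAYS days and returns the number of
# such certificates, so a cron job can alert on a non-zero exit status.
check_cert_dir() {
    dir=$1
    window=$(( $2 * 86400 ))
    count=0
    for f in "$dir"/*.crt "$dir"/*.pem; do
        [ -f "$f" ] || continue
        # skip files that are not certificates (private keys, CRLs, ...)
        openssl x509 -noout -in "$f" >/dev/null 2>&1 || continue
        if cert_expires_within "$f" "$window"; then
            printf 'WARNING: %s expires %s\n' "$f" "$(cert_enddate "$f")"
            count=$(( count + 1 ))
        fi
    done
    return "$count"
}

# Typical cron usage (placeholder path), warning 30 days ahead:
#   check_cert_dir /etc/ssl 30 || logger -t certcheck "certificates expiring"
```

Running the check with a window longer than the 365 days ikectl hands out is pointless, since every certificate would match; a 30 to 60 day window gives enough time to roll a new CA out to clients in the field, which the thread notes is the slow part.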



Renew/extend CA created with ikectl

2018-12-07 Thread Kim Zeitler

Hello,

before I start getting creative with openssl(1) on my ikectl(8) created ca.

Yesterday my ca certificate expired and I need to renew it (without 
losing all the client certificates)


Is there a recommended way of renewing the ca.crt created using ikectl 
ca create?
I didn't find anything in the man pages nor on the mailing list. Having 
had a look at ikeca.c gave me some idea of how the file is created.


Also is there a way of having the ca cert valid for more than 365 days?

Cheers,
Kim




smime.p7s
Description: S/MIME Cryptographic Signature


Re: ikev2 and road warriors setup

2018-11-05 Thread Kim Zeitler

Good morning Radek,

I have a suspicion ...


For (1), (2) and (3) VPN is working just fine with Win7_warrior and 
puffy_warrior if they are connecting from A.B.C.0/23 (it does not matter if 
warrior has public IP or it is behind NAT). The rest of the world fails to 
connect the VPN_server.

My question was concerning the VPN_server, is the server NATed?
How is A.B.C.0/23 connected to the 'rest' of the world? Router/Firewall ...

Cheers,
Kim






Re: ikev2 and road warriors setup

2018-11-05 Thread Kim Zeitler

Hello Radek,


On 11/2/18 10:16 PM, Radek wrote:

Thank you for your response,

Following your suggestion I removed IP from enc0 and changed iked.conf as below:

$ cat /etc/iked.conf
dns1 = "8.8.8.8"
dns2 = "8.8.4.4"
ikev2 "roadWarrior" ipcomp esp \
  from 0.0.0.0/0 to 0.0.0.0/0 \
  local A.B.C.77 peer any \
  srcid "/C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=A.B.C.77/emailAddress=t...@123.com" \
  config address 10.0.1.0/24 \
  config netmask 255.255.255.0 \
  config name-server $dns1 \
  config name-server $dns2 \
  config access-server A.B.C.77 \
  config protected-subnet 0.0.0.0/0 \
  tag "$id"

It did not solve my problem. Clients from !A.B.C.0/23 still get 809 Error.
I know this set-up to be working, as it is currently running here in 
production.





I also tried another scenario: puffy_server <-> puffy_warrior
The same. My warrior also can not connect if it is !A.B.C.0/23 and it VPN works 
fine for clients from A.B.C.0/23.
Both machines are 6.3/i386.

Your set-up is still a bit 'unclear'. I would rather say you have a 
firewall/routing problem than an IPSec problem. Error 809 means no data 
received.


Could you post your pf.conf?
How do you connect to networks !A.B.C.0/23
Is your IPSec connection NATed?

Cheers
Kim





Re: syntax error and doas.conf

2018-10-31 Thread Kim Zeitler

On 10/31/18 10:42 AM, Markus Rosjat wrote:
...

doas vi /etc/doas.conf

# Edit in vi
:w
:! doas -C %



You don't even have to leave your editor





Re: ikev2 and road warriors setup

2018-10-31 Thread Kim Zeitler

On 10/28/18 3:04 PM, Radek wrote:

Hello,
I really need your help.
I am still trying to configure Ikev2 VPN Gateway (A.B.C.77/23) for road 
warriors clients (Windows).
The problem is that it works ONLY if clients are in the same subnet as VPN 
Gateway (A.B.C.0/23).
Clients from out of the gateway's subnet (!A.B.C.0/23) can not establish the 
connection (809 Error). It does not matter if they are behind NAT or not, tried 
different ISP - the same.

Current tested client is Win7 (1.2.3.119). It works from A.B.C.0/23

I do not know what I am doing wrong.
Can anyone please help me with solving this problem?
Thank you.

This is a fresh 6.3/i386 install:



# cat /etc/hostname.enc0
inet 10.0.1.1 255.255.255.0 10.0.1.255
up

You don't need an IP on enc0



# cat /etc/iked.conf
ikev2 "test" passive esp \
from 0.0.0.0/0 to 0.0.0.0/0 \
local A.B.C.77 peer any \
srcid A.B.C.77 \
config address 10.0.1.0/24 \
config name-server 8.8.8.8 \
tag "IKED"


Try something like this, it works for both Win7 and Win10:

/etc/iked.conf
-
ikev2 "roadWarrior" ipcomp esp \
from 0.0.0.0/0 to 0.0.0.0/0 \
peer any \
srcid  $srcid \
config address 10.0.1.0/24 \
config netmask 255.255.255.0 \
config name-server $dns1 \
config name-server $dns2 \
config access-server A.B.C.77 \
config protected-subnet 0.0.0.0/0 \
tag "$id"

'access-server' tells Windows what gateway to use for 'protected-subnet' 
(see iked.conf(5)).




Re: Intel i350 Offloading not working

2018-07-18 Thread Kim Zeitler

On 07/18/18 11:37, Adonis Peralta wrote:

Will definitely do that, but still looking for any explanation from devs :).


https://marc.info/?l=openbsd-tech=135203532704213=2

Seems there have been some errors with offloading and I350 in the past

Cheers
Kim





OpenIKED match on user/cert instead of gateway

2018-06-28 Thread Kim Zeitler

hello misc,

I got the requirement for a more exotic setup in which some road 
warriors are required to be in a different network segment.


From strongSWAN I know it is possible to match connections based on 
userid/cert.

iked.conf(5) only gives examples for different gateways.

To cut a long story short - is it possible to do this in openiked or do 
I need to setup a separate instance?


Cheers,
Kim





Re: iked: how to request a virtual IP when running as a road warrior

2018-01-31 Thread Kim Zeitler

Hello

On 01/30/18 22:00, Peter Müller wrote:

Hello *,

I am trying to set up an IPsec connection between OpenBSD 6.2
and an IPFire firewall, while the OpenBSD is a road warrior.
There, I use "iked", while the firewall is running "strongswan".

After struggling with some cryptography issues (curve25519 and
brainpool512 did not work, neither did aes-gcm), the IKE
connection is now established, but the firewall requires a
request for a virtual IP:

[log snippet from "iked" @ OpenBSD:]
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY critical 0x00 length 12
ikev2_pld_notify: protoid NONE spisize 0 type AUTH_LIFETIME
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NONE critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type FAILED_CP_REQUIRED

[log snippet from "strongswan" @ IPFire:]
21:45:26 charon:  07[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH N(AUTH_LFT) N(FAIL_CP_REQ) ]
21:45:26 charon:  07[IKE] failed to establish CHILD_SA, keeping IKE_SA
21:45:26 charon:  07[IKE] configuration payload negotiation failed, no CHILD_SA built
21:45:26 charon:  07[IKE] expected a virtual IP request, sending FAILED_CP_REQUIRED

Until now, I tried inserting the following directives to my
/etc/iked.conf - without luck, they didn't seem to change anything:

(1) config address 10.XXX.XXX.XXX

(2) config address 10.XXX.XXX.XXX/24

(3) config address 10.XXX.XXX.XXX\
 config address 10.XXX.XXX.XXX/24

How do I configure "iked" to request a virtual IP?

Any help is highly appreciated, since I am flying blind here.

Thanks and best regards,
Peter Müller



Last time I looked, OpenIKED was not yet able to request a config 
payload, only reply to one. Looking at the source code of iked confirms 
this.


/src/sbin/iked/ikev2.c

ssize_t
ikev2_add_cp(struct iked *env, struct iked_sa *sa, struct ibuf *buf)
{
...
switch (sa->sa_cp) {
case IKEV2_CP_REQUEST:
cp->cp_type = IKEV2_CP_REPLY;
break;
case IKEV2_CP_REPLY:
case IKEV2_CP_SET:
case IKEV2_CP_ACK:
/* Not yet supported */ <===!!!
return (-1);
}
...

Cheers Kim





Re: iked + gif + ospfd - use null-route to stop default route being used in case of no vpn

2017-11-08 Thread Kim Zeitler

On 11/08/17 08:37, Claudio Jeker wrote:

On Tue, Nov 07, 2017 at 04:13:51PM +0100, Jeremie Courreges-Anglas wrote:

On Tue, Nov 07 2017, Kim Zeitler <kim.zeit...@konzept-is.de> wrote:

On 11/07/17 15:31, Jeremie Courreges-Anglas wrote:

On Tue, Nov 07 2017, Stuart Henderson <s...@spacehopper.org> wrote:




I have a question concerning routes and ospf.
We are using iked(8) with a gif(4) interface and ospfd(8) to set up
routing.

If the ipsec tunnel is down, no ospf route is set and the default route
used.

Is it sensible and possible to add a null-route from the vpn-gateway to
the remote-networks so a 'Network not reachable' is sent immediately?


Sensible - yes.

Possible - not sure but I think you would probably need to monitor the ipsec
status and add the route and/or gif interface only once the SA is up.


I may be missing something, but maybe just add a -reject route with
a low -priority for each of your ospf routes?  When an ospf route
disappears the -reject one would be preferred.

(And if all your "vpn" routes are in a common prefix, you can just use
a single -reject route for that prefix and let more-specifics win.)


something like this was actually my plan. just wasn't so sure if one
actually does it like this or if there are other ways of doing it.

so basically a
route add -inet 172.16/12 -reject -priority 33
would suffice (33 as the ospf routes have a prio of 32)


Yes, but I think that what Stuart points out is that your gif tunnel
might be used even if ipsec isn't protecting it...



I use pf(4) to make sure that gif is not leaking outside of the enc
interface (more or less):
block out proto { ipencap ipv6 }
pass on enc0 keep state (if-bound)

Using if-bound is needed else the enc0 state would float to the egress
interface.



I want to thank all for their time and answers.

not sure how I will implement this yet, but Stuart's and Claudio's 
clearly made me think a bit further.


Cheers,
Kim





Re: iked + gif + ospfd - use null-route to stop default route being used in case of no vpn

2017-11-07 Thread Kim Zeitler

On 11/07/17 16:13, Jeremie Courreges-Anglas wrote:

On Tue, Nov 07 2017, Kim Zeitler <kim.zeit...@konzept-is.de> wrote:

On 11/07/17 15:31, Jeremie Courreges-Anglas wrote:

On Tue, Nov 07 2017, Stuart Henderson <s...@spacehopper.org> wrote:




I have a question concerning routes and ospf.
We are using iked(8) with a gif(4) interface and ospfd(8) to set up
routing.

If the ipsec tunnel is down, no ospf route is set and the default route
used.

Is it sensible and possible to add a null-route from the vpn-gateway to
the remote-networks so a 'Network not reachable' is sent immediately?


Sensible - yes.

Possible - not sure but I think you would probably need to monitor the ipsec
status and add the route and/or gif interface only once the SA is up.


I may be missing something, but maybe just add a -reject route with
a low -priority for each of your ospf routes?  When an ospf route
disappears the -reject one would be preferred.

(And if all your "vpn" routes are in a common prefix, you can just use
a single -reject route for that prefix and let more-specifics win.)


something like this was actually my plan. just wasn't so sure if one
actually does it like this or if there are other ways of doing it.

so basically a
route add -inet 172.16/12 -reject -priority 33
would suffice (33 as the ospf routes have a prio of 32)


Yes, but I think that what Stuart points out is that your gif tunnel
might be used even if ipsec isn't protecting it...


OK, maybe I am missing something now.

I got two networks 192.168.1/24 and 192.168.2/24, each with a VPN GW 
192.168.X.254 and a default GW at 192.168.X.1.
Between the VPN GWs I have a gif tunnel using 192.168.X.254 -> <IP otherside>, inside tunnel 10.23.23.1->10.23.23.2.


My iked is configured to use:

ikev2 "charlie" passive ipcomp esp \
proto encap \
from $OWN_IP to $CHARLIE \
peer $CHARLIE \
srcid $GW dstid $CHARLIE

To add the routing over this we use ospfd. As soon as the sa is loaded 
ospf discovers its neighbour and loads the route via the gif interface. 
Without the sa no traffic is passed.


@Stuart you say, I should only establish the gif "link" after I have an SA?

My question was, when the ospfd has a problem or the connection between 
both end-points can't be established (like now, due to roadworks and 
some cable) can I add a -reject route with low prio to use instead of 
the default route on my VPN GW?
Currently my VPN GW gets the traffic, has no route due to no ospf and 
sends it to the default gw, which returns it to the vpn gw and so forth. 
I would like it to reply with 'Network unreachable' instead immediately. 
As far as I see my idea is similar to what Jeremie wrote.


Cheers
Kim





Re: iked + gif + ospfd - use null-route to stop default route being used in case of no vpn

2017-11-07 Thread Kim Zeitler

On 11/07/17 15:31, Jeremie Courreges-Anglas wrote:

On Tue, Nov 07 2017, Stuart Henderson  wrote:




I have a question concerning routes and ospf.
We are using iked(8) with a gif(4) interface and ospfd(8) to set up
routing.

If the ipsec tunnel is down, no ospf route is set and the default route
used.

Is it sensible and possible to add a null-route from the vpn-gateway to
the remote-networks so a 'Network not reachable' is sent immediately?


Sensible - yes.

Possible - not sure but I think you would probably need to monitor the ipsec
status and add the route and/or gif interface only once the SA is up.


I may be missing something, but maybe just add a -reject route with
a low -priority for each of your ospf routes?  When an ospf route
disappears the -reject one would be preferred.

(And if all your "vpn" routes are in a common prefix, you can just use
a single -reject route for that prefix and let more-specifics win.)

something like this was actually my plan. just wasn't so sure if one 
actually does it like this or if there are other ways of doing it.


so basically a
route add -inet 172.16/12 -reject -priority 33
would suffice (33 as the ospf routes have a prio of 32)





iked + gif + ospfd - use null-route to stop default route being used in case of no vpn

2017-11-07 Thread Kim Zeitler

Hello

I have a question concerning routes and ospf.
We are using iked(8) with a gif(4) interface and ospfd(8) to set up 
routing.


If the ipsec tunnel is down, no ospf route is set and the default route 
used.


Is it sensible and possible to add a null-route from the vpn-gateway to 
the remote-networks so a 'Network not reachable' is sent immediately?


Cheers Kim





Re: bgp-spamd question

2017-05-08 Thread Kim Zeitler

On 05/08/17 15:12, Markus Rosjat wrote:



Am 08.05.2017 um 15:02 schrieb Kim Zeitler:



Did you allow BGP on your firewall?



I was not aware there need to be special rules for bgp

I meant your outer-bound firewall, that you pass towards the internet.

Depending on your network setup you need to allow outbound traffic on a 
specific port and take care of nat.







Re: bgp-spamd question

2017-05-08 Thread Kim Zeitler

On 05/08/17 14:42, Markus Rosjat wrote:



Am 08.05.2017 um 14:37 schrieb Kim Zeitler:

Could you check

bgpctl s

are there any messages received?

You can also check
bgpctl s neigh | grep state

This should give you at least 2 connections claiming to be established



regards


Cheers
Kim



I checked and I have both neighbors in my list

$ doas bgpctl s
Neighbor                   AS    MsgRcvd    MsgSent  OutQ Up/Down  State/PrfRcvd
217.31.80.170           65066          0          0     0 Never    Active
64.142.121.62           65066          0          0     0 Never    Active

They appear as soon as you have configured them, but as you can see, 
neither MsgRcvd nor MsgSent show anything


# bgpctl s
Neighbor                   AS    MsgRcvd    MsgSent  OutQ Up/Down  State/PrfRcvd
2a00:15a8:0:100:0:d9    65066          0          0     0 Never    Active
217.31.80.170           65066        271        134     0 01:05:59 15975
64.142.121.62           65066        253        134     0 01:05:59 15975

If you look at
# bgpctl show neigh | grep -C2 state
BGP neighbor is 2a00:15a8:0:100:0:d91f:50aa:1, remote AS 65066, Multihop 
(64)

  BGP version 4, remote router-id 0.0.0.0
  BGP state = Active
  Last read Never, holdtime 240s, keepalive interval 80s

--
BGP neighbor is 217.31.80.170, remote AS 65066, Multihop (64)
  BGP version 4, remote router-id 217.31.80.170
  BGP state = Established, up for 01:07:27
  Last read 00:00:11, holdtime 90s, keepalive interval 30s
  Neighbor capabilities:
--
BGP neighbor is 64.142.121.62, remote AS 65066, Multihop (64)
  BGP version 4, remote router-id 64.142.121.62
  BGP state = Established, up for 01:07:27
  Last read 00:00:10, holdtime 90s, keepalive interval 30s
  Neighbor capabilities:

you can see that our IPv6 connection is only active and waiting, while 
the IPv4 connections clearly show that they are established.


You can also see it in the summary, as the v6 only says Active while the 
v4s tell you for how long.


Did you allow BGP on your firewall?


still no success with

$ doas bgpctl show rib community 65066:42
flags: * = Valid, > = Selected, I = via IBGP, A = Announced, S = Stale
origin: i = IGP, e = EGP, ? = Incomplete

flags destination  gateway  lpref   med aspath origin


$ doas bgpctl show rib community 65066:666
flags: * = Valid, > = Selected, I = via IBGP, A = Announced, S = Stale
origin: i = IGP, e = EGP, ? = Incomplete

flags destination  gateway  lpref   med aspath origin



Cheers,
Kim





Re: bgp-spamd question

2017-05-08 Thread Kim Zeitler

On 05/08/17 14:13, Markus Rosjat wrote:



Am 08.05.2017 um 13:58 schrieb Kim Zeitler:

On 05/08/17 09:59, Markus Rosjat wrote:

match from group "spam-bgp" community $spamASN:666 set pftable
"bgp_spamd"

Try to remove this line from your /etc/bgpd.conf, it is not in the
example on http://bgp-spamd.net

Checked it against my working setup and it is missing there too.


Well this doesn't solve the problem still. Even if I remove the line, 
which should simply update a pf table. I don't get any result on the cmd 
with a bgpctl command.


maybe it's related to my test environment I'll try it on a machine that 
has direct access to the net and see if there is a change.

Could you check

bgpctl s

are there any messages received?

You can also check
bgpctl s neigh | grep state

This should give you at least 2 connections claiming to be established



regards


Cheers
Kim





Re: bgp-spamd question

2017-05-08 Thread Kim Zeitler

On 05/08/17 09:59, Markus Rosjat wrote:

match from group "spam-bgp" community $spamASN:666 set pftable "bgp_spamd"
Try to remove this line from your /etc/bgpd.conf, it is not in the 
example on http://bgp-spamd.net


Checked it against my working setup and it is missing there too.
--
Kim Zeitler
Bachelor of Science (Hons)

Konzept Informationssysteme GmbH
Am Weiher 13 • 88709 Meersburg

Fon: +49 7532 4466-240
Fax: +49 7532 4466-66
kim.zeit...@konzept-is.de
www.konzept-is.de

Amtsgericht Freiburg 581491 • Geschäftsführer: Dr. Peer Griebel,
Frank Häßler, Dr. Christophe Schoenenberger





Re: bgp-spamd question

2017-05-08 Thread Kim Zeitler

On 05/08/17 12:26, Markus Rosjat wrote:



Hi,

I have something like

bgp-spamd:\
 :black:\
 :msg="Your address %A has sent mail to a spamtrap\n\
  within the last 24 hours":\
 :method=file:\
 :file=/var/mail/spamd.black:

in /etc/mail/spamd.conf

and a cron job /bin/sh /etc/mail/bgp-spamd.black.sh which has

#!/bin/sh
AS=65066

bgpctl show rib community ${AS}:666 |
sed -e '1,4d' -e 's/\/.*$//' -e 's/[ \*\>]*//' >
/var/mail/spamd.black

/usr/libexec/spamd-setup

# EOF

Just double checked and can see it is being updated.

$ ls -l /var/mail/spamd.black
-rw-r--r--  1 root  wheel  233006 May  8 05:20 /var/mail/spamd.black

Hope this helps,

Vijay



I don't want to copy the results in a list for now I simply want to get 
any results at all :)

so as long as

bgpctl show rib community 65066:666

doesn't give any results I won't see any IP's in a spamlist file at all

regards



Hello Markus,
just on a hunch, did you remove the deny blocks that are listed in 
/etc/examples/bgpd.conf?


Cheers
Kim
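The cron job quoted above writes whatever `bgpctl show rib community` prints straight into /var/mail/spamd.black. When the sessions are down (Markus's case, where only the two legend lines and the column header come back) the blacklist is therefore silently replaced with an empty file, and spamd stops greylisting the feed's addresses. The script below is an added example written for this page, not Vijay's script and not anything from bgp-spamd.net: it applies the same sed filtering as the quoted job, also drops duplicate prefixes learned from both neighbours, refuses to overwrite the previous list when the feed returns nothing, and writes the new list atomically. The AS number 65066 and the community tags come from the thread; the sample RIB lines, addresses and file paths are constructed.

```sh
#!/bin/sh
# Added example (not the thread's script): build a spamd blacklist from
# 'bgpctl show rib community AS:666' output without clobbering the old
# list when the BGP feed is down. All sample input below is constructed.

# rib_to_prefixes: read bgpctl 'show rib' output on stdin and print one
# address per line. Same filtering as the quoted cron job: drop the two
# legend lines, the blank line and the column header (lines 1-4), cut the
# prefix length and everything after it, strip the flag column ("*>").
# Added on top of the original: drop blank lines and duplicates.
rib_to_prefixes() {
    sed -e '1,4d' -e 's/\/.*$//' -e 's/^[ *>]*//' | grep -v '^$' | sort -u
}

# update_blacklist RIB_FILE OUT_FILE
# Writes the address list to OUT_FILE through a temporary file. Returns
#   0 - new list written
#   2 - the RIB output held no routes; OUT_FILE is left untouched
update_blacklist() {
    rib=$1 out=$2
    tmpfile="$out.tmp.$$"
    rib_to_prefixes < "$rib" > "$tmpfile"
    if [ ! -s "$tmpfile" ]; then
        rm -f "$tmpfile"
        return 2
    fi
    mv "$tmpfile" "$out"
    return 0
}

# count_blacklist RIB_FILE: number of distinct addresses the feed carries.
count_blacklist() {
    n=$(rib_to_prefixes < "$1" | wc -l)
    echo $((n))
}

# Constructed sample: what a populated RIB looks like, one prefix seen
# from both neighbours of the thread.
sample_rib() {
    cat <<'EOF'
flags: * = Valid, > = Selected, I = via IBGP, A = Announced, S = Stale
origin: i = IGP, e = EGP, ? = Incomplete

flags destination          gateway          lpref   med aspath origin
*>    192.0.2.10/32        217.31.80.170      100     0 65066 i
*>    198.51.100.77/32     217.31.80.170      100     0 65066 i
*     198.51.100.77/32     64.142.121.62      100     0 65066 i
EOF
}

# Constructed sample: the header-only output Markus saw while both
# sessions were still in state Active.
empty_rib() {
    cat <<'EOF'
flags: * = Valid, > = Selected, I = via IBGP, A = Announced, S = Stale
origin: i = IGP, e = EGP, ? = Incomplete

flags destination  gateway  lpref   med aspath origin
EOF
}

# Typical cron usage (placeholder paths):
#   bgpctl show rib community 65066:666 > /tmp/rib.$$ &&
#   update_blacklist /tmp/rib.$$ /var/mail/spamd.black && /usr/libexec/spamd-setup
```

Keeping the old list on an empty feed is a deliberate trade-off: a stale blacklist for the duration of a BGP outage is less harmful than an empty one, and the exit status 2 gives cron something to mail about so the outage does not go unnoticed.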





Re: Migrate Mailserver from sendmail/Curier/LDAP to OpenSMTP/Dovecot/LDAP

2017-01-27 Thread Kim Zeitler
Hi Markus

On 01/27/17 09:44, Markus Rosjat wrote:
> Hi there,
>
> so my question is what is the best strategy to migrate an existing LDAP
> directory from a system that has sendmail and courier running to a
> system with openSMTP and Dovecot.
>
Couple of years ago we changed from Courier to Dovecot and in short we
wouldn't go back.

As setup we hold all our users in LDAP except for system users (_*,
root, ...) and have a dedicated server for mail running postfix as MTA
and dovecot.

We started from Postfix+Courier with the LDAP users as system users. The
users could log into their accounts via ssh and do what ever they
wanted. This configuration caused some problems with performance and
also caused some permission problems as the dovecot process had to run
as the user.

Now Dovecot has direct access to the LDAP using the users as virtual
users, all maildirs belong to the dovecot user _vmail. Postfix
distinguishes between local users and ldap users, local users are
directly delivered via local delivery, ldap users relayed to dovecot's
lmtp server.


>  - is it possible to migrate old maildirs to use with dovecot
It is possible, Maildir can be used directly, mbox transferred.
There also exists a courier-dovecot-migrate script that rewrites
Courier's index et al. for dovecot.
(https://wiki2.dovecot.org/Migration/Courier)

You might want to move Courier's flat maildir format to a file system format.
>
> I don't want to set up just one virtual user to handle dovecot delivery
> since I already have the LDAP users. I tested to set permissions on
> directories and files for a LDAP user that has no systemaccount
> counterpart and it seems to work but it doesn't feel right to do so in a
> production environment :)
See my comment further up about using a _vmail user.


Cheers
Kim




Re: Allow FTP through Openbsd firewall

2016-10-28 Thread Kim Zeitler

Hello

On 10/28/16 08:55, Mik J wrote:

Hello,

I have FTP clients behind my Openbsd firewall and they want to access ftp sites 
on the internet

I have read numerous documentations but haven't found the answer yet.

* I start the ftp-proxy like this
/usr/sbin/ftp-proxy -D7 -v

* I have rules in my pf.conf
anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp from $lan to any port 21 divert-to 127.0.0.1 port 8021
pass out quick on $ext_if inet proto tcp from $ext_add to any port 21

I filter both interfaces lan and wan on my firewall

I'm able to connect to a ftp server from inside the lan but when I do the 
command ls it fails
Of course, this is normal because there is no rule that allow the ftp data 
(passive) to go out and the packets are dropped when they try to go out of the 
firewall's external interface.
Oct 28 08:21:00.471990 rule 0/(match) block out on vmx0: 37.187.79.88.56327 > x.x.x.x.39046: S 1161913180:1161913180(0) win 16384

This is not entirely correct: ftp-proxy(8) creates dynamic rules and 
loads them at the anchor point, allowing the traffic from your client to 
the server.


As an example
On a client:

$ ftp ftp://ftp.hostserver.de
...
ftp> ls
150 Opening ASCII mode data connection for '/bin/ls'.
total 225608
-rw-r--r--   1 root    wheel   104857600 Sep 16  2013 100M.dat
-rw-r--r--   1 root    wheel    10485760 Sep 16  2013 10M.dat
drwxr-xr-x  82 mirror  mirror       2048 Oct 28 01:29 archive
lrwxr-xr-x   1 root    wheel          10 Apr 16  2014 debian -> pub/debian
dr-x--x--x   2 root    wheel         512 Apr 15  2014 etc
drwxr-xr-x  10 root    wheel         512 Jul 26 10:20 internal
drwxr-xr-x   8 mirror  wheel         512 Oct 28 09:05 pub
drwxr-xr-x   2 1000    wheel         512 Mar 28  2016 special
226 Transfer complete.
ftp> cd pub
250 CWD command successful.
ftp>

On the firewall 'systat rules' shows these two anchor rules added by 
ftp-proxy(8)


#systat rules
...
 0 /ftp-proxy/27562.62  Pass In  Qtcp   K   8 14771 1 inet from 192.168.3.5/32 to 217.31.80.35/32 port = 52891
 1 /ftp-proxy/27562.62  Pass Out Qtcp   K   8 14771 1 inet from 192.168.3.5/32 to 217.31.80.35/32 port = 65081






* My question
The ftp data channel connects to an unknown server and an unknown port. I don't 
want to open a large range of ports on my external firewall's interface.
How can I only allow a specific set of outgoing port when the connection is 
initiated by the ftp-proxy only ?



I am not sure I understand your question correctly, but you do not 
actually open a large port range.
- Your client tries to connect to the external server and your firewall 
rule "pass quick ... to any port ftp divert-to ..." hands it over to the 
ftp-proxy(8)
- ftp-proxy(8) opens the connection for the client and adds 2 firewall 
rules at the anchor "ftp-proxy" in your ruleset. (See ftp-proxy(8) for 
the rules that are added)


So only ftp-proxy(8) opens a connection and only to the port negotiated 
with the ftp server.




ipsec+tunnel vs. 'pure' ipsec

2016-07-28 Thread Kim Zeitler

Hello

having run a 'pure' ipsec tunnel for some years now I was wondering if 
there are more advantages in using a tunnel like gre(4), gif(4) or 
etherip(4) over ipsec except being able to set the mtu or pass Layer2 
traffic?


Thanks for your answer

Kim



Re: problem with carp on 5.9, MAC address of carp interface?

2016-04-25 Thread Kim Zeitler

Hello Martin

before I go further - I just ran a ping test with the tcpdump as you 
requested and it did work. The only thing that was changed was an 
upgrade from GENERIC.MP#1983 -> GENERIC.MP#1997.


On 04/25/16 11:56, Martin Pieuchot wrote:



He is running a carp interface on top of a vlan interface. In this scenario
the carp interface can not be pinged but the vlan interfaces can.


Do you mean the CARP node does not answer to ping with a destination
address on the carp(4) interfaces?  Is it for MASTER, BACKUP or both?


em2 (no ip) ---> vlan100 (192.168.150.200) ---> carp2 (192.168.150.1)
 \
  --> vlan101 (192.168.151.200) ---> carp3 (192.168.151.1)

This is my setup
if I ping either address assigned to carp2 or carp3 from a host on the
network I do not get an answer, pinging the vlan address answers.


When doing so, please use "# tcpdump -nvei carp2 icmp" to see if the
echo request/reply reach/leave the interface.





One node is clearly in MASTER, the other in BACKUP, demote works.


The routing table corresponds to which node?  MASTER or BACKUP?  There's
something really weird in it, the RTF_CLONING routes are done.

The table was from the MASTER.

What do you mean exactly by 'the RTF_CLONING routes are done.'? I read 
route(4) and if I understand it correctly a wildcard route such as 
default is marked with it and new routes are created as soon as they 
are used and marked as RTF_CLONED.


Could you include your whole routing table?  Do you have an entry for
the machine initiating the ping?


The host also has two further carp interfaces sitting directly on a physical
interface which work as expected.


Then why exclude this information from the table?


Here is the entire routing table (be warned it is 'long')
# route -n show -inet
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            192.168.3.1        UGS        0   171986     -     8 em1
224/4              127.0.0.1          URS        1    49977 32768     8 lo0
10.0.0/24          10.0.0.2           UC         1        0     -     4 em3
10.0.0.1           90:e2:ba:c3:df:7f  UHLc       0    97189     -     4 em3
10.0.0.2           90:e2:ba:c3:df:7b  UHLl       0    85607     -     1 em3
10.0.0.255         10.0.0.2           UHb        0        0     -     1 em3
127/8              127.0.0.1          UGRS       0        3 32768     8 lo0
127.0.0.1          127.0.0.1          UHl        1        1 32768     1 lo0
172.16/16          172.16.0.198       UC        89   295390     -     4 em0
172.16/16          172.16.0.200       CP         0        0     -     4 carp0
172.16/16          172.16.0.197       CP         0        0     -     4 carp0
172.16.0.1         52:54:00:a9:8e:ab  UHLc       0   143368     -     4 em0
172.16.0.5         8a:2f:e3:6e:00:64  UHLc       0   141541     -     4 em0
172.16.0.6         00:0c:29:71:10:bd  UHLc       0   238784     -     4 em0
172.16.0.8         52:54:00:9f:d4:df  UHLc       0   151386     -     4 em0

...
172.16.0.196       fe:b6:96:ee:53:5a  UHLc       0   125966     -     4 em0
172.16.0.197       00:00:5e:00:01:c8  UHLl       0     5417     -     1 carp0
172.16.0.198       90:e2:ba:c3:df:78  UHLl       0     8220     -     1 em0
172.16.0.199       90:e2:ba:c3:df:7c  UHLc       0     4705     -     4 em0
172.16.0.200       00:00:5e:00:01:c8  UHLl       0    12612     -     1 carp0
172.16.0.202       52:54:00:c8:0f:d2  UHLc       0       27     -     4 em0
172.16.254.99      78:48:59:d6:77:1c  UHLc       0   289643     -     4 em0
172.16.255.255     172.16.0.198       UHb        0        0     -     1 em0
172.16.255.255     172.16.0.200       HPb        0        0     -     1 carp0
172.16.255.255     172.16.0.197       HPb        0        0     -     1 carp0
172.17/16          192.168.3.11       UGS        0   820865     -     8 em1
172.18/16          192.168.3.11       UGS        0      555     -     8 em1
172.19/16          192.168.3.11       UGS        0   150326     -     8 em1
172.20/16          192.168.3.11       UGS        0    61888     -     8 em1
172.30.0/24        192.168.3.11       UGS        0        0     -     8 em1
172.31/16          192.168.3.10       UGS        0        0     -     8 em1
192.168.2/24       192.168.2.229      UC         2      506     -     4 em1
192.168.2/24       192.168.2.3        C          0        0     -     4 carp1
192.168.2.1        c0:25:06:2a:eb:38  UHLc       0      759     -     4 em1
192.168.2.3        00:00:5e:00:01:03  UHLl       0       63     -     1 carp1
192.168.2.4        46:52:22:77:e6:54  UHLc       0  1080487     -     4 em1
192.168.2.229      90:e2:ba:c3:df:79  UHLl       0        9     -     1 em1
192.168.2.255      192.168.2.229      UHb        0        0     -     1 em1
192.168.2.255      192.168.2.3        Hb         0        0     -     1 carp1
192.168.3/24       192.168.3.229      UC        10     2736     -

Re: problem with carp on 5.9, MAC address of carp interface?

2016-04-25 Thread Kim Zeitler

Hello Martin


On 04/25/16 11:12, Martin Pieuchot wrote:

On 25/04/16(Mon) 10:47, Kim Zeitler wrote:



He is running a carp interface on top of a vlan interface. In this scenario
the carp interface can not be pinged but the vlan interfaces can.


Do you mean the CARP node does not answer to ping with a destination
address on the carp(4) interfaces?  Is it for MASTER, BACKUP or both?


em2 (no ip) ---> vlan100 (192.168.150.200) ---> carp2 (192.168.150.1)
\
 --> vlan101 (192.168.151.200) ---> carp3 (192.168.151.1)

This is my setup
if I ping either address assigned to carp2 or carp3 from a host on the 
network I do not get an answer, pinging the vlan address answers.


One node is clearly in MASTER, the other in BACKUP, demote works.

The host also has two further carp interfaces sitting directly on a 
physical interface which work as expected.



I described a similar issue here
https://www.mail-archive.com/misc@openbsd.org/msg146230.html  but sadly had
no replies yet


What does your routing table look like?


# route -n show
...
192.168.150/24     192.168.150.202    CP         0        2     -     4 vlan100
192.168.150/24     192.168.150.1      CP         0        0     -     4 carp2
192.168.150.1      00:00:5e:00:01:c9  UHLl       0        0     -     1 carp2
192.168.150.202    90:e2:ba:c3:df:7a  UHLl       0        0     -     1 vlan100
192.168.150.255    192.168.150.202    HPb        0        0     -     1 vlan100
192.168.150.255    192.168.150.1      HPb        0        0     -     1 carp2
192.168.151/24     192.168.151.202    CP         0        2     -     4 vlan101
192.168.151/24     192.168.151.1      CP         0        0     -     4 carp3
192.168.151.1      00:00:5e:00:01:ca  UHLl       0        0     -     1 carp3
192.168.151.202    90:e2:ba:c3:df:7a  UHLl       0        0     -     1 vlan101
192.168.151.255    192.168.151.202    HPb        0        0     -     1 vlan101
192.168.151.255    192.168.151.1      HPb        0        0     -     1 carp3





Currently I am upgrading my cluster to the latest snapshot to see if there
is any change.


There won't be any change.



If it helps, here are the hostname.if configs for vlan100 and carp2

# cat /etc/hostname.em2
up

# cat /etc/hostname.vlan100
inet 192.168.150.200 255.255.255.0 192.168.150.255 vlan 100 vlandev em2

# cat /etc/hostname.carp2
inet 192.168.150.1 255.255.255.0 192.168.150.255 vhid 201 carpdev vlan100 pass 1234 group wlan


Cheers
Kim



Re: problem with carp on 5.9, MAC address of carp interface?

2016-04-25 Thread Kim Zeitler

Hello Martin, hello Sebastian

On 04/25/16 10:15, Martin Pieuchot wrote:

On 25/04/16(Mon) 09:48, Sebastian Reitenbach wrote:

I'm trying to upgrade a HA carped firewall cluster to 5.9 but run into
issues.


Which issues?  After reading your whole email I still don't understand
your problem(s).  What does not work?
He is running a carp interface on top of a vlan interface. In this 
scenario the carp interface can not be pinged but the vlan interfaces can.


I described a similar issue here 
https://www.mail-archive.com/misc@openbsd.org/msg146230.html  but sadly 
had no replies yet


Currently I am upgrading my cluster to the latest snapshot to see if 
there is any change.



Cheers Kim



Carp interface sitting on vlan can not be pinged

2016-04-15 Thread Kim Zeitler

Hello

maybe a stupid question, but is it possible to run a carp(4) interface 
on vlan(4) interfaces?


In the following setup we have the problem that both boxes can be pinged 
on their address associated with their respective vlan(4) interface, but 
not on the carp(4) interface IP. Both boxes are recent installs and are 
running -current


em2 (no ip) ---> vlan100 (192.168.150.200) ---> carp2 (192.168.150.1)
\
 --> vlan101 (192.168.151.200) ---> carp3 (192.168.151.1)

The corresponding node uses .202 instead of .200 for the vlan(4) 
interfaces, respectively.


== The configuration ==

# uname -a
OpenBSD router12 5.9 GENERIC.MP#1983 amd64

# cat /etc/hostname.em2
up

# cat /etc/hostname.vlan100
inet 192.168.150.200 255.255.255.0 192.168.150.255 vlan 100 vlandev em2

# cat /etc/hostname.carp2
inet 192.168.150.1 255.255.255.0 192.168.150.255 vhid 201 carpdev vlan100 pass 1234 group wlan


# cat /etc/pf.conf
...
pass quick on {em2,vlan100,vlan101} proto carp
...
pass inet proto icmp icmp-type $icmp_types
pass vlan100:network
...

# netstat -rn
...
192.168.150/24     192.168.150.200    UCP        0     4401     -     4 vlan100
192.168.150/24     192.168.150.1      CP         0        0     -     4 carp2
192.168.150.1      00:00:5e:00:01:c9  UHLl       0     9981     -     1 carp2
192.168.150.200    90:e2:ba:c1:11:11  UHLl       0       30     -     1 vlan100
192.168.150.255    192.168.150.200    UHPb       0       80     -     1 vlan100
192.168.150.255    192.168.150.1      HPb        0        0     -     1 carp2
192.168.151/24     192.168.151.200    UCP        1     3040     -     4 vlan101
192.168.151/24     192.168.151.1      CP         0        0     -     4 carp3
192.168.151.1      00:00:5e:00:01:ca  UHLl       0      182     -     1 carp3
192.168.151.200    90:e2:ba:c1:11:11  UHLl       0       36     -     1 vlan101
192.168.151.255    192.168.151.200    UHPb       0        0     -     1 vlan101
192.168.151.255    192.168.151.1      HPb        0        0     -     1 carp3



Cheers
Kim
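The thread's subject asks about the MAC address of a carp interface. In the routing table above the carp2 and carp3 link-layer entries carry 00:00:5e:00:01:c9 and 00:00:5e:00:01:ca, which is the CARP virtual MAC 00:00:5e:00:01:<vhid> (0xc9 = 201, matching the vhid in hostname.carp2). The following is an added example, not code from the thread or from OpenBSD: it parses `netstat -rn` rows and checks each carp interface's link-layer MAC against the vhid it is supposed to run. The sample rows are copied from the post; the vhid 202 for carp3 is an assumption, since only carp2's config is shown.

```python
"""Check the carp(4) link-layer entries in OpenBSD `netstat -rn` output against
the CARP virtual MAC 00:00:5e:00:01:<vhid>.  Added example, not code from the
thread.  Sample rows are taken from the post; vhid 202 for carp3 is assumed."""
import re

CARP_OUI = "00:00:5e:00:01"  # IANA VRRP/CARP prefix; the last octet is the vhid
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Constructed from the routing-table excerpt in the post (only the rows needed here).
NETSTAT_SAMPLE = """\
192.168.150/24     192.168.150.200    UCP        0     4401     -     4 vlan100
192.168.150/24     192.168.150.1      CP         0        0     -     4 carp2
192.168.150.1      00:00:5e:00:01:c9  UHLl       0     9981     -     1 carp2
192.168.150.200    90:e2:ba:c1:11:11  UHLl       0       30     -     1 vlan100
192.168.151.1      00:00:5e:00:01:ca  UHLl       0      182     -     1 carp3
192.168.151.200    90:e2:ba:c1:11:11  UHLl       0       36     -     1 vlan101
"""


def parse_routes(text):
    """Parse `netstat -rn` rows: Destination Gateway Flags Refs Use Mtu Prio Iface."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or not f[3].isdigit():
            continue  # header, '...' or a truncated row
        rows.append({"dest": f[0], "gateway": f[1], "flags": f[2], "refs": int(f[3]),
                     "use": int(f[4]), "mtu": f[5], "prio": int(f[6]), "iface": f[7]})
    return rows


def expected_carp_mac(vhid):
    """CARP advertises 00:00:5e:00:01:<vhid>; vhid is 1..255."""
    if not 1 <= vhid <= 255:
        raise ValueError("vhid out of range")
    return f"{CARP_OUI}:{vhid:02x}"


def vhid_from_mac(mac):
    """Inverse of expected_carp_mac; None if the MAC is not a CARP virtual MAC."""
    mac = mac.lower()
    if not MAC_RE.match(mac) or not mac.startswith(CARP_OUI + ":"):
        return None
    return int(mac.rsplit(":", 1)[1], 16)


def check_carp_macs(rows, vhids):
    """For every link-layer ('L' flag) route on a carp interface return
    {iface: (mac, vhid_seen, ok)}; ok compares against vhids[iface] and is
    None when no expected vhid is known for that interface."""
    result = {}
    for r in rows:
        if not r["iface"].startswith("carp") or "L" not in r["flags"]:
            continue
        mac = r["gateway"].lower()
        if not MAC_RE.match(mac):
            continue
        expected = vhids.get(r["iface"])
        ok = None if expected is None else (mac == expected_carp_mac(expected))
        result[r["iface"]] = (mac, vhid_from_mac(mac), ok)
    return result


if __name__ == "__main__":
    rows = parse_routes(NETSTAT_SAMPLE)
    for iface, (mac, seen, ok) in check_carp_macs(rows, {"carp2": 201, "carp3": 202}).items():
        verdict = "OK" if ok else ("MISMATCH" if ok is False else "no expected vhid")
        print(f"{iface}: {mac} (vhid {seen}) {verdict}")
```

A mismatch here would mean the interface is not announcing the vhid its configuration says; a match, as in this thread, tells you the MAC side is fine and the problem lies elsewhere (filtering, the vlan/carp layering, or ARP on the segment).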



Re: Squid slow in connecting to SSL

2016-02-01 Thread Kim Zeitler
Sorry for the long wait, but I had a free weekend and none of the site 
techs got back to me until later today.


On 01/29/16 22:03, Stuart Henderson wrote:

If you have contact with any of the site admins see if they are
running on linux with tcp_tw_recycle=1, I think there is a strong
possibility that they are, and if so then they should fix their
configuration.

I wrote to our contact there and am trying to get the information if
they are using this setting.

I managed to get the information from their server and sadly

net.ipv4.tcp_tw_recycle = 0




Typical Linux behaviour (at least the version I tried) is to use a single
counter for all TCP sessions from the host so it would be more likely to
use 1,2,3 - 7,8,9 - 49,50,51 - 67,68,69.

This isn't required by TCP though - that only needs timestamps *within a
session* i.e src+dest host-port quad - to be increasing. Multiple sessions
are treated separately and can be in any order wrt each other. If I understand
correctly tw_recycle reduces it to just src+dest *host*.

If you have two hosts with the simple behaviour (single counter) going
through a NAT, it doesn't usually touch timestamps so they will be
out of order - maybe 49,50,51 - 67,68,69 - 1,2,3 - 7,8,9. This is
OK as far as TCP goes but breaks with tw_recycle. But in the NAT case
it's usually only noticed if two people from behind the same NAT visit
the site within the TIME_WAIT timeout window.

For a proxy, there is a cutoff. There are two TCP sessions end-to-end,
the packet data are copied across but not headers. The headers are subject
to the proxy's OS's behaviour.

Now... OpenBSD randomizes these per session. A random offset is applied
and stored as part of the TCP state. This is good because it's extra
entropy to help protect against blind spoofing, and avoids leaking
information about the host's uptime. So simplified example you could
have 4 consecutive sessions using 1,2,3 - 49,50,51 - 67,68,69 - 7,8,9 --
and that's ok. In spec for TCP, suggested by the newer RFC, and as you
can see above, it's totally normal for a natted connection to act like
this. It's just that Linux's tw_recycle misfeature gets confused.

If you run the proxy on an OS which doesn't offset timestamps like this
(note that OpenBSD has done this for many years), you won't trigger it,
but run it on OpenBSD and it's easy. You'll also be able to trigger it
by connecting from a single machine with a simple timestamp but running
the connection through a PF nat with the "modulate timestamps" option.

It can be worked around your side. But if you do that the server admins
will likely never fix things (and maybe blame it on OpenBSD) so I'm
reluctant to mention it on list - and that workaround will throttle tcp
for all connections to/from the server, limiting you to about 5Mb max
for transatlantic connections.



Thank you Stuart again for this great explanation of this behaviour.
Sadly as noted above the server doesn't have this option set.

I am currently at a loss and would gladly provide more information.

Cheers
Kim
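Stuart's explanation above (and Kim's later question of why a NATed or proxied connection from another OS does not trip the same check) can be made concrete with a small model. The following is an added example, not code from the thread, from OpenBSD or from Linux: a toy server that behaves like tcp_tw_recycle (one remembered timestamp per peer IP, a lower timestamp on a new SYN within the TIME_WAIT window is dropped) is replayed against three clients using the timestamp sequences from Stuart's text. The keyed-hash offset function follows the RFC 7323 sec. 5.4 description; HMAC-SHA512 is our choice for the illustration, not a statement about OpenBSD's exact function, and all addresses, timestamps and the 60 s window are constructed values.

```python
"""Toy model of Linux's tcp_tw_recycle (a per-peer-IP PAWS check, removed in
Linux 4.12) versus clients whose TCP timestamps come from a single host-wide
counter or from a per-connection random offset.  Added example, not code from
the thread, OpenBSD or Linux; timestamps and wall-clock seconds are constructed."""
import hashlib
import hmac

PAWS_WINDOW = 60  # seconds the recycling server remembers a peer's last timestamp


def timestamp_offset(secret, src, sport, dst, dport):
    """Per-connection timestamp offset in the spirit of RFC 7323 sec. 5.4 /
    RFC 6528: a keyed hash of the 4-tuple truncated to 32 bits.  HMAC-SHA512
    is an assumption made for this illustration only."""
    msg = f"{src}:{sport}>{dst}:{dport}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha512).digest()[:4], "big")


class RecyclingServer:
    """Server with tcp_tw_recycle=1: remembers the last timestamp seen from each
    peer *IP* and drops a new SYN carrying a lower timestamp while that memory is
    younger than PAWS_WINDOW.  The port pair is ignored, which is exactly what
    breaks NATed clients and clients with per-connection offsets."""

    def __init__(self):
        self._last = {}  # peer ip -> (timestamp, wall clock when recorded)

    def accept_syn(self, peer_ip, ts, now):
        prev = self._last.get(peer_ip)
        if prev is not None and now - prev[1] < PAWS_WINDOW and ts < prev[0]:
            return False  # treated as an old duplicate: silently dropped, client retries
        return True

    def close(self, peer_ip, last_ts, now):
        """Connection ends and enters TIME_WAIT: record the peer's last timestamp."""
        prev = self._last.get(peer_ip)
        if prev is None or last_ts > prev[0] or now - prev[1] >= PAWS_WINDOW:
            self._last[peer_ip] = (last_ts, now)


def replay(sessions):
    """sessions: [(wall_time, peer_ip, [timestamps sent in order])].
    Returns one bool per session: True if its SYN was accepted."""
    server = RecyclingServer()
    accepted = []
    for now, ip, stamps in sessions:
        ok = server.accept_syn(ip, stamps[0], now)
        accepted.append(ok)
        if ok:
            server.close(ip, stamps[-1], now + 1)
    return accepted


# Scenario 1: one client with a single host-wide counter (typical Linux/Debian proxy).
SINGLE_COUNTER = [(0, "198.51.100.7", [1, 2, 3]), (2, "198.51.100.7", [7, 8, 9]),
                  (4, "198.51.100.7", [49, 50, 51]), (6, "198.51.100.7", [67, 68, 69])]
# Scenario 2: one client with a random per-connection offset (OpenBSD behaviour).
RANDOM_OFFSET = [(0, "198.51.100.7", [1, 2, 3]), (2, "198.51.100.7", [49, 50, 51]),
                 (4, "198.51.100.7", [67, 68, 69]), (6, "198.51.100.7", [7, 8, 9])]
# Scenario 3: two single-counter clients behind one NAT address, interleaved.
BEHIND_NAT = [(0, "203.0.113.9", [49, 50, 51]), (2, "203.0.113.9", [67, 68, 69]),
              (4, "203.0.113.9", [1, 2, 3]), (6, "203.0.113.9", [7, 8, 9])]

if __name__ == "__main__":
    for name, sessions in (("single counter", SINGLE_COUNTER),
                           ("random offset", RANDOM_OFFSET), ("behind NAT", BEHIND_NAT)):
        print(f"{name:15s} accepted={replay(sessions)}")
```

Scenario 1 is why a Debian squid in front of the same site shows no problem: its timestamps only ever go up from the server's point of view. Scenarios 2 and 3 lose the connections whose timestamps happen to fall below the last one remembered for that IP, which is the intermittent 503 pattern seen in the squid logs. The fix belongs on the server side (turning off tw_recycle), not on the client.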



Re: Squid slow in connecting to SSL

2016-01-29 Thread Kim Zeitler

On 01/28/16 23:04, Stuart Henderson wrote:

On 2016-01-28, Kim Zeitler <kim.zeit...@konzept-is.de> wrote:

currently I am trying to solve the phenomenon that certain SSL sites are slow
when accessed via squid on OpenBSD. Mostly ownCloud in my case as well
as several web shops. The login screen alone takes minutes to load.


I'm not seeing that here (squid 3.5.13 and squidclamav from packages
on recent -current, in front of a handful of Windows boxes and 30-odd
OpenBSD/GNOME/Chromium/LibreOffice workstations).
Running a similar sized setup here with ~60 clients (Win/Linux/OpenBSD); 
normal operation is fine, with some complaints about it being slightly slow, 
but...


Need more information. If it's consistent for certain sites, which
sites? Have you looked in logs etc?


I gladly provide any information you need.

It was reported to me that several webshops seem to have this problem
and one of our clients' owncloud sites (I'll send you the link off-list)

I have access to the logs and they show a mixture of 200 and 503

# /var/squid/logs/access.log
...
1454058493.156     67 172.16.10.42 TCP_TUNNEL/200 2748 CONNECT owncloud.some.domain:443 - HIER_DIRECT/ -

...
1454058498.761  18089 172.16.10.42 TCP_TUNNEL/200 20017 CONNECT owncloud.some.domain:443 - HIER_DIRECT/ -
1454058498.830     65 172.16.10.42 TCP_TUNNEL/200 2917 CONNECT owncloud.some.domain:443 - HIER_DIRECT/ -
1454058498.899     67 172.16.10.42 TCP_TUNNEL/200 4307 CONNECT owncloud.some.domain:443 - HIER_DIRECT/ -
1454058499.091   6055 172.16.10.42 TCP_TUNNEL/200 866 CONNECT owncloud.some.domain:443 - HIER_DIRECT/ -
1454058499.268   6110 172.16.10.42 TCP_TUNNEL/200 33106 CONNECT owncloud.some.domain:443 - HIER_DIRECT/ -
1454058540.011  59136 172.16.10.42 TAG_NONE/503 0 CONNECT owncloud.some.domain:443 - HIER_NONE/- -
1454058541.017  59623 172.16.10.42 TAG_NONE/503 0 CONNECT owncloud.some.domain:443 - HIER_NONE/- -
1454058547.097  59817 172.16.10.42 TAG_NONE/503 0 CONNECT owncloud.some.domain:443 - HIER_NONE/- -
1454058558.228  59326 172.16.10.42 TAG_NONE/503 0 CONNECT owncloud.some.domain:443 - HIER_NONE/- -
1454058559.036  59766 172.16.10.42 TAG_NONE/503 0 CONNECT owncloud.some.domain:443 - HIER_NONE/- -
1454058559.036  59943 172.16.10.42 TAG_NONE/503 0 CONNECT owncloud.some.domain:443 - HIER_NONE/- -
1454058559.087  18066 172.16.10.42 TCP_TUNNEL/200 6251 CONNECT owncloud.some.domain:443 - HIER_DIRECT/ -
1454058559.116     74 172.16.10.42 TCP_TUNNEL/200 1096 CONNECT owncloud.some.domain:443 - HIER_DIRECT/ -
1454058559.121     78 172.16.10.42 TCP_TUNNEL/200 4679 CONNECT owncloud.some.domain:443 - HIER_DIRECT/ -
1454058559.174     77 172.16.10.42 TCP_TUNNEL/200 7765 CONNECT owncloud.some.domain:443 - HIER_DIRECT/ -
1454058564.304   6071 172.16.10.42 TCP_TUNNEL/200 15279 CONNECT owncloud.some.domain:443 - HIER_DIRECT/ -
1454058600.688  60672 172.16.10.42 TAG_NONE/503 0 CONNECT owncloud.some.domain:443 - HIER_NONE/- -
1454058607.767  60665 172.16.10.42 TAG_NONE/503 0 CONNECT owncloud.some.domain:443 - HIER_NONE/- -
1454058607.838     67 172.16.10.42 TCP_TUNNEL/200 2395 CONNECT owncloud.some.domain:443 - HIER_DIRECT/ -
1454058607.842     72 172.16.10.42 TCP_TUNNEL/200 3877 CONNECT owncloud.some.domain:443 - HIER_DIRECT/ -
1454058607.989    172 172.16.10.42 TCP_TUNNEL/200 21988 CONNECT owncloud.some.domain:443 - HIER_DIRECT/ -
1454058613.832   6061 172.16.10.42 TCP_TUNNEL/200 1197 CONNECT owncloud.some.domain:443 - HIER_DIRECT/ -
1454058613.870   6063 172.16.10.42 TCP_TUNNEL/200 7086 CONNECT owncloud.some.domain:443 - HIER_DIRECT/ -
1454058625.902  18089 172.16.10.42 TCP_TUNNEL/200 21260 CONNECT owncloud.some.domain:443 - HIER_DIRECT/ -



The current configuration is squid-ldap(3.5.13) from packages on
-current running on a KVM host as VM (4 cores, 2GB RAM, virtio HDD and NIC)


That seems a bit low RAM for Squid, but I doubt that's the problem
for TLS sites which will just be CONNECT tunnels unless you've made
a lot more config changes than you mentioned.

I doubled the RAM on the machine, but no difference. As a test whether the 
virtualization is to blame we set up a similar machine on HW, basically a 
virgin -current with only squid installed from packages without touching 
the config in any way, and had the same effect.


As an idea I added a local unbound to the test proxy and had squid run
its DNS through that, but to no avail.
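The access.log excerpt above shows two distinct populations: CONNECTs that complete in well under a second, CONNECTs that complete only after a stall of several seconds, and TAG_NONE/503 entries that all take roughly 60 seconds, which is a connect timeout rather than a refusal. The following is an added example, not code from the thread or from squid, that summarises native-format access.log CONNECT entries per destination and flags hosts where a large share of attempts time out. The sample lines are constructed from the excerpt above; the upstream address after HIER_DIRECT/ is a placeholder (203.0.113.10), and the timing thresholds are assumptions.

```python
"""Summarise squid native-format access.log CONNECT entries per destination
and flag hosts whose failures look like connect timeouts.  Added example, not
code from the thread or from squid; sample lines are constructed from the post
and the HIER_DIRECT/203.0.113.10 upstream address is a placeholder."""
from collections import Counter, defaultdict

SAMPLE_LOG = """\
1454058493.156     67 172.16.10.42 TCP_TUNNEL/200 2748 CONNECT owncloud.some.domain:443 - HIER_DIRECT/203.0.113.10 -
1454058498.761  18089 172.16.10.42 TCP_TUNNEL/200 20017 CONNECT owncloud.some.domain:443 - HIER_DIRECT/203.0.113.10 -
1454058498.830     65 172.16.10.42 TCP_TUNNEL/200 2917 CONNECT owncloud.some.domain:443 - HIER_DIRECT/203.0.113.10 -
1454058499.091   6055 172.16.10.42 TCP_TUNNEL/200 866 CONNECT owncloud.some.domain:443 - HIER_DIRECT/203.0.113.10 -
1454058540.011  59136 172.16.10.42 TAG_NONE/503 0 CONNECT owncloud.some.domain:443 - HIER_NONE/- -
1454058541.017  59623 172.16.10.42 TAG_NONE/503 0 CONNECT owncloud.some.domain:443 - HIER_NONE/- -
1454058547.097  59817 172.16.10.42 TAG_NONE/503 0 CONNECT owncloud.some.domain:443 - HIER_NONE/- -
1454058564.304   6071 172.16.10.42 TCP_TUNNEL/200 15279 CONNECT owncloud.some.domain:443 - HIER_DIRECT/203.0.113.10 -
1454058600.688  60672 172.16.10.42 TAG_NONE/503 0 CONNECT owncloud.some.domain:443 - HIER_NONE/- -
1454058607.989    172 172.16.10.42 TCP_TUNNEL/200 21988 CONNECT owncloud.some.domain:443 - HIER_DIRECT/203.0.113.10 -
"""


def parse_line(line):
    """Native squid format: time elapsed client code/status bytes method URL
    rfc931 hierarchy/peer type.  Returns None for lines that do not fit."""
    f = line.split()
    if len(f) < 10 or "/" not in f[3]:
        return None
    code, status = f[3].split("/", 1)
    return {"ts": float(f[0]), "elapsed_ms": int(f[1]), "client": f[2],
            "code": code, "status": int(status), "bytes": int(f[4]),
            "method": f[5], "url": f[6], "hier": f[8]}


def timing_class(elapsed_ms, stall_ms=1000, timeout_ms=30000):
    """Bucket a CONNECT by how long squid spent on it (thresholds are assumptions)."""
    if elapsed_ms < stall_ms:
        return "fast"
    if elapsed_ms < timeout_ms:
        return "delayed"   # completed, but only after a multi-second stall
    return "timeout"       # as long as a connect timeout: the upstream never answered


def summarise(text):
    """Per destination host:port, count status codes and timing classes."""
    per_host = defaultdict(lambda: {"status": Counter(), "timing": Counter()})
    for line in text.splitlines():
        e = parse_line(line)
        if e is None or e["method"] != "CONNECT":
            continue
        per_host[e["url"]]["status"][e["status"]] += 1
        per_host[e["url"]]["timing"][timing_class(e["elapsed_ms"])] += 1
    return dict(per_host)


def suspicious_hosts(summary, min_total=5, max_timeout_ratio=0.2):
    """Hosts with enough samples where more than max_timeout_ratio of the
    CONNECTs timed out.  A healthy site should sit near zero here."""
    flagged = []
    for host, s in summary.items():
        total = sum(s["status"].values())
        if total >= min_total and s["timing"]["timeout"] / total > max_timeout_ratio:
            flagged.append(host)
    return sorted(flagged)


if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG)
    for host, s in summary.items():
        print(host, dict(s["status"]), dict(s["timing"]))
    print("suspicious:", suspicious_hosts(summary))
```

Run against a real access.log the same way (`summarise(open(path).read())`); a single destination with a high timeout ratio while everything else is fast points at that site or the path to it, not at the proxy as a whole, which is the distinction that matters before changing anything on the squid box.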



Re: Squid slow in connecting to SSL

2016-01-29 Thread Kim Zeitler

On 01/29/16 15:00, Stuart Henderson wrote:



$ curl https://owncloud.XX/apps/files_pdfviewer/js/previewplugin.js
curl: (7) Failed to connect to owncloud.XX port 443: Operation timed out


I have access to the logs and they show a mixture of 200 and 503


...and that pretty much matches the pattern I've seen connecting by
hand, so it's no big surprise that there are problems with the proxy
too.
Glad that you could reproduce the problem, I was starting to doubt my 
own abilities with a 'simple' proxy.





If you have contact with any of the site admins see if they are
running on linux with tcp_tw_recycle=1, I think there is a strong
possibility that they are, and if so then they should fix their
configuration.
I wrote to our contact there and am trying to get the information if 
they are using this setting.


They're likely to be breaking connections for NATted clients
too (and this is only going to get worse as more ISPs start
using CG-NAT for IPv4). The links in the above post have
detailed explanations.

OpenBSD uses this method which is described in RFC7323 sec 5.4
(OpenBSD's implementation predates this RFC by some years).

o  A random offset may be added to the timestamp clock on a per-
   connection basis.  See [RFC6528], Section 3, on randomizing the
   initial sequence number (ISN).  The same function with a different
   secret key can be used to generate the per-connection timestamp
   offset.

There was a recent-ish change to the method used to generate the
offsets (MD5 to SHA512), I wondered if that had changed anything
so I've just checked from a 5.6 box, it does exactly the same -
if I make repeated connections to the owncloud box, some of them
fail.

Currently I am not fully able to get my mind round the details in the 
post, but if I read it correctly the machine running with tw_recycle has 
problems associating connections correctly together because of similar 
host,port pairs but different timestamps. Shouldn't this cause problems 
with all proxied or NATed connections? I am simply asking as I somehow 
can't fit it in that openbsd+squid shows this particular behaviour yet 
{freebsd,debian}+squid does not.


Thanks Stuart so far for what you have found and the patience to explain 
it to me.


Cheers
Kim



Squid slow in connecting to SSL

2016-01-28 Thread Kim Zeitler

Hello all

currently I am trying to solve the phenomenon that certain SSL sites are slow 
when accessed via squid on OpenBSD. Mostly ownCloud in my case as well 
as several web shops. The login screen alone takes minutes to load.


I tested this also with squid running on a debian vm showing no problems 
at all.


The current configuration is squid-ldap(3.5.13) from packages on 
-current running on a KVM host as VM (4 cores, 2GB RAM, virtio HDD and NIC)


My squid.cfg is basically the default except for setting $localnet a bit 
stricter.


Any help is much appreciated

Cheers Kim



Re: Advices for a new laptop

2015-10-29 Thread Kim Zeitler

What about the B50-80 (80LT003C): i3, Intel HD 4400, wifi B/G/N/AC,
Gigabit Ethernet, 2x USB3.

Got some for testing here (meant to run Windows actually) and had
some minor issues with them and sadly not enough time to look
fully into it. But first impressions weren't that 'impressive'.


My x220 is outstanding. The only device that isn't supported is the
fingerprint reader.  Also the mSATA slot is great for a second SSD. I
dual boot OpenBSD and Arch (for when I need a Virtual Machine) and
just use the F12 key at boot to select the drive I boot off of. Really
simplifies the set up. Also you can put 16gb of ram in this model
(even with an i5 processor) even though the specs say max of 8gb.
Can only second this, running on an older x220 with an i7 on a fully 
encrypted mSATA SSD. Still faster than my coworkers' newer kits.
The only thing I had to replace was one battery. Otherwise fine even after 
several years of service.


Money on an x220 is well spent. Also they feel more solid than the B50s.

Need to try extending my RAM to 16GB - thanks for the hint Bryan.

Cheers,
Kim



Re: pledge(2) problems on 18/x/ octeon snapshot

2015-10-21 Thread Kim Zeitler

Might be a stupid question, but I haven't found an answer to it yet
- how does one update to a new snapshot/kernel on an octeon system?


boot bsd.rd and select upgrade in the installer. (i hope.)


I'm afraid this is not as simple as this, yet. You will also need to
copy your kernel to the fat16 partition created during the install,
since this is the only filesystem #$%^@# u-boot can read.


Wouldn't this be a sensible addition to the INSTALL.octeon readme?

Something along the lines of:

--- INSTALL.octeon.new  Wed Oct 21 09:29:17 2015
+++ INSTALL.octeon  Wed Oct 21 09:34:50 2015
@@ -816,7 +816,8 @@
 helper script, since all components of your system may not function
 correctly until your files in `/etc' are updated.

-
+Note: Due to the limitations of U-Boot scripts/bootloader you need to
+copy your new bsd and bsd.rd to the MSDOS partition.

 Getting source code for your OpenBSD System:
 
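Review bot: "the MSDOS partition" in the added note is not identified; the hunk should say which partition is meant (the FAT partition the installer creates for U-Boot, and where it is mounted or how to mount it) and state explicitly that both `bsd` and `bsd.rd` are loaded from there, so that `/bsd` on the ffs root is never the kernel that boots, which is the point Jonathan makes in the thread above.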



Re: pledge(2) problems on 18/x/ octeon snapshot

2015-10-20 Thread Kim Zeitler

Hello

On 10/19/15 19:58, Sebastien Marie wrote:


RELEASE 5.8 returns ENOSYS ("Function not implemented") on tame(2) call
(which is the old name for pledge, so with the same syscall number).

I pulled the kernel down from the same URL path as the tgz I used.
Before reinstalling the system I noticed the kernel login string having 
an older date than the snapshot.



I would be great if you can grab the kernel version echoed at boot time.
You could use `boot -c' in the boot loader, in order to enter in config
mode, and have the time to read the OpenBSD version.

Sadly the EdgeRouterLite has no 'real bootloader' but uses U-Boot. Which I 
guess is part of the problem.


My steps were as follows:

mv bsd obsd
mv /tmp/bsd /bsd
mv /tmp/bsd.rd /bsd.rd
reboot

Can it be that U-boot does not cleanly reload the new kernel on reboot?


Cheers,
Kim



Re: pledge(2) problems on 18/x/ octeon snapshot

2015-10-20 Thread Kim Zeitler

Sorry for the last empty answer - you shouldn't try to multi-task


boot bsd.rd and select upgrade in the installer. (i hope.)


Thanks for the answer Ted, I will try it with the next snapshot and
will give feedback

Cheers
Kim



Re: pledge(2) problems on 18/x/ octeon snapshot

2015-10-20 Thread Kim Zeitler

On 10/20/15 15:30, Ted Unangst wrote:

Kim Zeitler wrote:

Hello Sebastien, hello Jonathan

@Sebastien thank you for your valuable hints and advice, I did learn
quite a bit from it. The machine has been reinstalled to the latest
snapshot, as it is needed.

On 10/20/15 12:30, Jonathan Gray wrote:

There is no OpenBSD bootloader for armv7 or octeon, in part because
u-boot by default provides no interface for enumerating disks, reading blocks
or putc/getc equivalents unlike firmware shipped with almost every
other system.

As a result the kernel has to live on filesystems u-boot understands,
fat32 or ext2 not ffs.  So /bsd will not be the kernel that is loaded.

Might be a stupid question, but I haven't found an answer to it yet
- how does one update to a new snapshot/kernel on an octeon system?


boot bsd.rd and select upgrade in the installer. (i hope.)



--
Kim Zeitler
Bachelor of Science (Hons)

Konzept Informationssysteme GmbH
Am Weiher 13 • 88709 Meersburg

Fon: +49 7532 4466-240
Fax: +49 7532 4466-66
kim.zeit...@konzept-is.de
www.konzept-is.de

Amtsgericht Freiburg 581491 • Geschäftsführer: Heinz Grötzinger,
Dr. Udo Konzack, Hans-Peter Zimmermann



Re: pledge(2) problems on 18/x/ octeon snapshot

2015-10-20 Thread Kim Zeitler

Hello Sebastien, hello Jonathan

@Sebastien thank you for your valuable hints and advice, I did learn 
quite a bit from it. The machine has been reinstalled to the latest

snapshot, as it is needed.

On 10/20/15 12:30, Jonathan Gray wrote:

There is no OpenBSD bootloader for armv7 or octeon, in part because
u-boot by default provides no interface for enumerating disks, reading blocks
or putc/getc equivalents unlike firmware shipped with almost every
other system.

As a result the kernel has to live on filesystems u-boot understands,
fat32 or ext2 not ffs.  So /bsd will not be the kernel that is loaded.

Might be a stupid question, but I haven't found an answer to it yet
- how does one update to a new snapshot/kernel on an octeon system?



kernel arguments like -c to get into ukc can be set via
setenv bootargs
though it seems the octeon code may not use that while armv7 does.

This was the part I was missing, ta.

Cheers,
Kim



OpenIKED - send traffic selectors in own child sa

2015-10-19 Thread Kim Zeitler

Hello

Running -current I have currently got a minor issue with iked.

Trying to connect a security gateway running OpenIKED to a Fortinet 
IPSEC fw. The connection is set up and seems to work (mostly) but the following 
behaviour is a bit of an issue.


IKED sends one CHILD_SA request containing all Traffic Selectors. This 
is RFC 5996 conformant. Sadly some of the proprietary VPN boxes have a 
*suboptimal* implementation and want *one* CHILD_SA per traffic selector.


Reading ikevd/ikev2.c I found comments about iked not being able to 
initiate multiple concurrent CREATE_CHILD_SA exchanges.


Coming round to my question - is it somehow possible to configure iked 
in such a way, that it sends one CHILD_SA per Traffic Selector or do I 
read the code correctly and it is simply NOT possible?


Cheers

Kim



pledge(2) problems on 18/x/ octeon snapshot

2015-10-19 Thread Kim Zeitler

I just tried updating an EdgeRouterLite to the latest octeon snapshot
after replacing the kernel and unpacking base58.tgz.
Literally all commands lead to

: pledge: Function not implemented


I would offer a ktrace/kdump but sadly my kdump also returns with said 
error.


Cheers,
Kim



Re: cu with XMODEM won't transfer file

2015-10-06 Thread Kim Zeitler

Hello


On 10/05/15 19:59, Nicholas Marriott wrote:

On Mon, Oct 05, 2015 at 10:07:21AM -0700, Philip Guenther wrote:

On Mon, Oct 5, 2015 at 6:54 AM, Kim Zeitler <kim.zeit...@konzept-is.de> wrote:

I am trying to transfer a new firmware to a switch using cu(1) with XMODEM
using a USB-to-RS232 adapter and running on -current.

Connection works fine, but the XMODEM transfer results in 'Resource temporarily
unavailable'

$cu -d -l /dev/ttyU0
...
~X
Local file? /tmp/fw.swi
cu: /tmp/fw.swi: Resource temporarily unavailable


The -d option makes cu open the tty with O_NONBLOCK so that it won't
block for carrier; perhaps it should be clearing the flag afterwards?
Hmm, no, it uses libevent, so maybe it should be *always* turning it
on xmodem_{read,write}() updated to use libevent too, or xmodem_send()
updated to explicitly mark it blocking during the transfer.


How about this?

(Not tested as I don't have any serial cables around at the moment :-/)





I have just tested it and can confirm it works great.

Many thanks to you for finding this and providing a patch so quickly.

Cheers Kim




Index: command.c
===
RCS file: /cvs/src/usr.bin/cu/command.c,v
retrieving revision 1.14
diff -u -p -r1.14 command.c
--- command.c   5 Oct 2015 17:53:56 -   1.14
+++ command.c   5 Oct 2015 17:56:14 -
@@ -51,6 +51,7 @@ pipe_command(void)
return;

restore_termios();
+   set_blocking(line_fd, 1);

switch (pid = fork()) {
case -1:
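Review bot: the new `set_blocking(line_fd, 1)` after `restore_termios()` has its counterpart only after the `switch`; the body of `case -1:` lies outside this hunk, so if that branch returns or calls `cu_err` without reaching the restore, line_fd is left in blocking mode while the libevent bufferevent on it is still registered. Worth confirming that branch falls through to the restore, or moving the call to after the fork has succeeded.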
@@ -81,6 +82,7 @@ pipe_command(void)
break;
}

+   set_blocking(line_fd, 0);
set_termios();
  }

@@ -102,6 +104,7 @@ connect_command(void)
return;

restore_termios();
+   set_blocking(line_fd, 1);

switch (pid = fork()) {
case -1:
@@ -129,6 +132,7 @@ connect_command(void)
break;
}

+   set_blocking(line_fd, 0);
set_termios();
  }

Index: cu.c
===
RCS file: /cvs/src/usr.bin/cu/cu.c,v
retrieving revision 1.22
diff -u -p -r1.22 cu.c
--- cu.c18 May 2015 09:35:05 -  1.22
+++ cu.c5 Oct 2015 17:56:14 -
@@ -186,6 +186,7 @@ main(int argc, char **argv)
NULL);
bufferevent_enable(output_ev, EV_WRITE);

+   set_blocking(line_fd, 0);
line_ev = bufferevent_new(line_fd, line_read, NULL, line_error,
NULL);
bufferevent_enable(line_ev, EV_READ|EV_WRITE);
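Review bot: a one-line comment above the new `set_blocking(line_fd, 0);` would record that non-blocking mode is now set unconditionally for the bufferevent rather than only as a side effect of `-d`, which is what the pipe/connect and xmodem changes rely on; without it the call reads as redundant next to `bufferevent_new`.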
@@ -209,6 +210,21 @@ signal_event(int fd, short events, void
  }

  void
+set_blocking(int fd, int state)
+{
+   int mode;
+
+   if ((mode = fcntl(fd, F_GETFL)) == -1)
+   cu_err(1, "fcntl");
+   if (!state)
+   mode |= O_NONBLOCK;
+   else
+   mode &= ~O_NONBLOCK;
+   if (fcntl(fd, F_SETFL, mode) == -1)
+   cu_err(1, "fcntl");
+}
+
+void
  set_termios(void)
  {
struct termios tio;
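Review bot: the `state` parameter reads inverted at a glance (`1` means blocking, and `O_NONBLOCK` is OR-ed in when `!state`); naming it `blocking` and adding a short comment would make the call sites `set_blocking(line_fd, 1)` self-explanatory. Reading the flags with `F_GETFL` before `F_SETFL`, as done here, is correct since `F_SETFL` replaces the whole status-flag set.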
@@ -342,7 +358,7 @@ try_remote(const char *host, const char

if (entry != NULL && cgetset(entry) != 0)
cu_errx(1, "cgetset failed");
-   error = cgetent(, (char**)paths, (char*)host);
+   error = cgetent(, (char **)paths, (char *)host);
if (error < 0) {
switch (error) {
case -1:
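Review bot: the `(char**)` to `(char **)` change in `try_remote()` is whitespace only and unrelated to the blocking fix; leaving it out of this diff (or committing it separately) keeps the functional change minimal and easier to review or revert.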
Index: cu.h
===
RCS file: /cvs/src/usr.bin/cu/cu.h,v
retrieving revision 1.6
diff -u -p -r1.6 cu.h
--- cu.h10 Jul 2012 12:47:23 -  1.6
+++ cu.h5 Oct 2015 17:56:14 -
@@ -27,6 +27,7 @@ extern FILE   *record_file;
  extern struct termios  saved_tio;
  extern int line_fd;
  extern struct bufferevent *line_ev;
+voidset_blocking(int, int);
  intset_line(int);
  void   set_termios(void);
  void   restore_termios(void);
Index: xmodem.c
===
RCS file: /cvs/src/usr.bin/cu/xmodem.c,v
retrieving revision 1.7
diff -u -p -r1.7 xmodem.c
--- xmodem.c21 Sep 2014 05:29:47 -  1.7
+++ xmodem.c5 Oct 2015 17:56:14 -
@@ -137,8 +137,9 @@ xmodem_send(const char *file)
if (tcsetattr(STDIN_FILENO, TCSAFLUSH, ) != 0)
cu_err(1, "tcsetattr");
}
-
+   set_blocking(line_fd, 1);
tcflush(line_fd, TCIFLUSH);
+
if (xmodem_read() != 0)
goto fail;
if (c == XMODEM_C)
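Review bot: once `set_blocking(line_fd, 1)` is in effect, every read inside `xmodem_read()` blocks, so protection against a remote that stops responding now rests entirely on whatever timeout `xmodem_read()` implements (not visible here); please confirm it still has one (an alarm, or select/poll with a timeout), since a blocking read without a timeout would hang cu if the switch aborts mid-transfer. The blank line moved from before `set_blocking` to after `tcflush` is cosmetic.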
@@ -214,6 +215,7 @@ fail:
cu_warn("%s", file);

  out:
+   set_blocking(line_fd, 0);
set_termios();

sigaction(SIGINT, , NULL);




cu with XMODEM won't transfer file

2015-10-05 Thread Kim Zeitler

Hello,

I am trying to transfer a new firmware to a switch using cu(1) with 
XMODEM using a USB-to-RS232 adapter and running on -current.


Connection works fine, but the XMODEM transfer results in 'Resource 
temporarily unavailable'


$cu -d -l /dev/ttyU0
...
~X
Local file? /tmp/fw.swi
cu: /tmp/fw.swi: Resource temporarily unavailable
...

I tried this with different files and also with non-existent files, 
which correctly result in a file not found.



$ ls -la /tmp/fw.swi
-rw-r--r--  1 zeitler  wheel  6903134 Oct  5 15:29 /tmp/fw.swi

$ ls -la /dev/ttyU0
crw-rw-rw-  1 uucp  dialer   66,   0 Oct  5 15:48 /dev/ttyU0


Any help how to debug this further is much appreciated.

Cheers Kim



--
Kim Zeitler



IKEd, rising SAD count and DPD

2015-09-30 Thread Kim Zeitler

Hello
I have iked running connecting to a Fortigate FW.

Running 'ipsecctl -s a' gives me the correct flows, but a rising number 
of SADs. The tunnel has been up 5 days and I got 212 SADs installed.


Do I need to set up some kind of dpd to have the old SADs pulled down, 
or is my error that ikelifetime and lifetime are not in seconds?



#cat /etc/iked.conf
...
ikev2 "h" active esp \
from $k_dev to $h_server \
from $k_server to $h_dev \
peer $h_gw \
ikesa auth hmac-sha2-256 \
enc aes-256 \
group modp1536 \
childsa auth hmac-sha2-256 \
enc aes-256 \
group modp1536 \
srcid '80.80.80.80' \
ikelifetime 28800 \
lifetime 14400 \
psk 'Some nice long hash'
...

Cheers,
Kim



pfkey_sa_last_used: message: No such process

2015-09-21 Thread Kim Zeitler

Hi

I'm currently trying to set up an OpenIKED GW running 5.7-stable with a 
proprietary fw/VPN hosted at one of our clients.


Seemingly it worked so far: ipsecctl shows flows and SADs. I was able to 
ping a machine on the 'other side' but this stopped without apparent reason.


Diving deeper into the logs and running iked in foreground gave me two 
messages

'pfkey_sa_last_used: message: No such process'
 and
'ikev2_init_ike_sa: "h" is already active'

I would greatly appreciate any help with this one.

# ipsecctl -s all
FLOWS:
flow esp in from 192.168.80.120 to 172.16.10.0/24 peer 217.6.6.6 srcid 
IPV4/80.1.1.1 dstid IPV4/217.6.6.6 type use
flow esp out from 172.16.10.0/24 to 192.168.80.120 peer 217.6.6.6 srcid 
IPV4/80.1.1.1 dstid IPV4/217.6.6.6 type require
flow esp in from 192.168.106.0/24 to 192.168.3.30 peer 217.6.6.6 srcid 
IPV4/80.1.1.1 dstid IPV4/217.6.6.6 type use
flow esp out from 192.168.3.30 to 192.168.106.0/24 peer 217.6.6.6 srcid 
IPV4/80.1.1.1 dstid IPV4/217.6.6.6 type require

flow esp out from ::/0 to ::/0 type deny

SAD:
esp tunnel from 192.168.32.2 to 217.6.6.6 spi 0x2360324c auth 
hmac-sha2-256 enc aes-256
esp tunnel from 217.6.6.6 to 192.168.32.2 spi 0xa6537a08 auth 
hmac-sha2-256 enc aes-256



#iked -dvv
...
ikev2_sa_tag:  (0)
ikev2_childsa_negotiate: proposal 2
ikev2_childsa_negotiate: key material length 128
ikev2_prfplus: T1 with 16 bytes
ikev2_prfplus: T2 with 16 bytes
ikev2_prfplus: T3 with 16 bytes
ikev2_prfplus: T4 with 16 bytes
ikev2_prfplus: T5 with 16 bytes
ikev2_prfplus: T6 with 16 bytes
ikev2_prfplus: T7 with 16 bytes
ikev2_prfplus: T8 with 16 bytes
ikev2_prfplus: Tn with 128 bytes
pfkey_sa_add: add spi 0x2360324c
pfkey_sa: udpencap port 4500
ikev2_childsa_enable: loaded CHILD SA spi 0x2360324c
pfkey_sa_add: update spi 0xa6537a08
pfkey_sa: udpencap port 4500
ikev2_childsa_enable: loaded CHILD SA spi 0xa6537a08
ikev2_childsa_enable: loaded flow 0x151839b73800
ikev2_childsa_enable: loaded flow 0x15180aa49400
ikev2_childsa_enable: loaded flow 0x151839b73c00
ikev2_childsa_enable: loaded flow 0x151839b73000
sa_state: VALID -> ESTABLISHED from 217.6.6.6:4500 to 192.168.32.2:4500 
policy 'h'

config_free_proposals: free 0x15180bc69880
ikev2_recv: INFORMATIONAL request from responder 217.6.6.6:4500 to 
192.168.32.2:4500 policy 'h' id 0, 80 bytes

ikev2_recv: ispi 0xd6e43c6448fe0750 rspi 0x7f77a74b12244234
ikev2_init_recv: unknown SA
ikev2_init_ike_sa: "h" is already active
-- last line repeated several times --
...


/var/log/daemon
...
Sep 21 11:38:46 h iked[8231]: pfkey_sa_last_used: message: No such process
Sep 21 11:39:46 h last message repeated 2 times
...

#cat /etc/iked.conf
...
ikev2 "h" active esp \
from $k_dev to $h_server \
from $postgres_server to $h_dev \
peer $h_gw \
ikesa auth hmac-sha2-256 \
enc aes-256 \
group modp1536 \
childsa auth hmac-sha2-256 \
enc aes-256 \
group modp1536 \
srcid '80.154.4.243' \
ikelifetime 28800 \
lifetime 28800 \
psk ""

#cat /etc/pf.conf
...
block return# block stateless traffic

pass proto udp to port $ipsec_types

pass in on $ext_if proto esp from $h_gw
pass out on $ext_if proto esp to $h_gw

pass in on $ipsec_if proto ipencap from $h_gw keep state (if-bound)
pass out on $ipsec_if proto ipencap to $h_gw keep state (if-bound)

pass proto tcp from $k_dev to $h_server port $test_ports
pass proto tcp from $h_server port $test_ports to $k_dev
pass proto tcp from $h_dev to $h_postgres port postgresql
pass proto tcp from $h_postgres port postgresql to $h_dev
pass proto tcp from $k to (self) port ssh
pass proto tcp from 192.168.32.1 to (self) port ssh

pass inet proto icmp icmp-type $icmp_types
...

--
Cheers
Kim



Re: Ubiquiti EdgeRouter Lite

2015-08-18 Thread Kim Zeitler

Here are my notes, which are basic, but should be enough to get you through if
you're familiar with openbsd.
http://www.tedunangst.com/flak/post/OpenBSD-on-ERL


Hi Ted,

I just worked through the /pub/OpenBSD/snapshots/octeon/INSTALL.octeon 
write up and also read through your notes.


Had problems getting the boot loader to work with either bootcmd. It 
booted but ignored my rootdev option. I finally managed to get it 
booting by using

'fatload usb 0 $loadaddr bsd; bootoctlinux $loadaddr rootdev=/dev/sd0'

Any ideas on this?

Furthermore your notes said it to be a bit weak as an ipsec gw; I 
actually was trying to use it as a small VPN box with ipsec with 
10M-50M throughput, can it handle this?


Cheers
Kim



Re: how to add squid access log in /etc/newsyslog.conf

2015-07-14 Thread Kim Zeitler

Hello,

On 07/13/15 22:29, Stuart Henderson wrote:

On 2015-07-13, Indunil Jayasooriya induni...@gmail.com wrote:

I deleted 30 from that line. Now it looks like this.

/var/squid/logs/access.log  _squid:_squid   640 14  * @T00Z   /var/squid/logs/squid.pid

Now it seems to work





But now it sends the default signal which is HUP. In Squid, this drains
existing connections and reloads the configuration, blocking new connections
while that occurs. You probably want USR1.


This is correct, Squid wants a SIGUSR1 as this triggers the
rotate (like calling squid -k rotate).

You need to configure

logfile_rotate 0

in the squid.conf. This tells squid to rotate the files but keep itself.

Your newsyslog.conf file should look like this:

/var/squid/logs/cache.log _squid:_squid 640  2 250 @T00   ZB /var/run/squid.pid SIGUSR1


Compared to only using 'squid -k rotate' as Craig suggested, this will 
also compress the rotated log files.


Cheers
Kim
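
As an added example (not part of this thread, and not squid's or newsyslog's own code): a small sh/awk lint over a newsyslog.conf that catches the two mistakes discussed above, an entry that names a pid file but no signal (newsyslog(8) then sends the default SIGHUP, which makes squid reload rather than just reopen its logs) and a squid entry whose signal is not SIGUSR1. The field layout it assumes is the OpenBSD one (logfile, optional owner:group, mode, count, size, when, flags, optional pidfile, optional signal); the sample config in the demo function is constructed, based on the lines posted in the thread.

```sh
#!/bin/sh
# Added example, not from the thread: lint newsyslog.conf entries that signal a
# daemon after rotation. Assumed field layout (OpenBSD newsyslog.conf):
#   logfile [owner:group] mode count size when flags [pidfile [signal]]
# Reports one line per problem:
#   - a pidfile without a signal: newsyslog(8) falls back to SIGHUP, which makes
#     squid reload its configuration instead of just reopening its logs
#   - a squid pidfile with any signal other than SIGUSR1 (= squid -k rotate)
newsyslog_lint() {
    awk '
        /^[[:space:]]*(#|$)/ { next }          # skip comments and blank lines
        {
            n = NF; sig = ""; pid = ""
            # optional trailing fields, read right to left: signal, then pidfile
            if ($n ~ /^(SIG[A-Z0-9]+|[0-9]+)$/) { sig = $n; n-- }
            if (n > 1 && $n ~ /^\//)          { pid = $n }
            if (pid == "") next               # nothing gets signalled, fine
            if (sig == "")
                print $1 ": pidfile " pid " but no signal, newsyslog will send SIGHUP"
            else if (pid ~ /squid/ && sig != "SIGUSR1")
                print $1 ": squid would get " sig ", it wants SIGUSR1"
        }' "$1"
}

# Constructed sample: the first entry is based on the original line from the
# question, the second is the corrected one, the third an ordinary entry
# without a pidfile (must not be reported).
newsyslog_lint_demo() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
# logfile                  owner:group   mode count size when flags pidfile signal
/var/squid/logs/access.log _squid:_squid 640  14    *    @T00 Z     /var/squid/logs/squid.pid
/var/squid/logs/cache.log  _squid:_squid 640  2     250  @T00 ZB    /var/run/squid.pid SIGUSR1
/var/log/maillog                         640  7     *    24   Z
EOF
    newsyslog_lint "$tmp"
    rm -f "$tmp"
}
```

Run it as `newsyslog_lint /etc/newsyslog.conf`; only the first sample entry is reported. The check reads the optional fields from the right because owner:group is itself optional, so counting from the left would mis-align the columns.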



Re: Not able to pass BIOS drive check with OpenBSD drive attached

2014-08-01 Thread Kim Zeitler
Hello Adrian,

On 31.07.2014 18:59, Adrian Jervolino wrote:
 
 My questions to you are: Has anybody run into similar issues and was
 able to resolve them? Do you think this is an OpenBSD related issue and
 actually solvable (in a reasonable amount of time)?
 
 Swapping the motherboard is currently no option, so I'm thankful for
 every hint.

We ran into this issue twice so far, once beginning of the year with a
couple of Gigabyte boards and some weeks ago with a couple of Intel 4th
Generation NUCs.

The NUCs were simple to solve as Intel has provided a BIOS Patch.

With the Gigabytes, after one week we had analyzed it so far that simply
attaching a HDD used under OpenBSD (not only a system disk that was
installed upon) would trigger this problem.
Rewriting the partition table with fdisk on another machine let the
'faulty' boards access their bios again and see the disks.

Our suspicion at the time was the block size used by the OpenBSD system
(512 vs 4k)

We also disable UEFI boot in the bios.

Cheers,
Kim



Re: carp setup firewall

2014-07-25 Thread Kim Zeitler
Hello Waldemar,

On 24.07.2014 17:44, Waldemar Brodkorb wrote:
 Hi Peter,
 Peter Hessler wrote,
 
 if the addresses on the carp interface are out of sync, then the hashes
 won't match, and the firewalls *WILL* conflict with each other.

 I recommend one IP per carp interface.  Far nicer in case you screw that
 bit up, and much easier to balance IPs to one system or the other.
 
 Thanks for the hints. The previous firewall is managed via
 fwbuilder, which does manage all the ip aliases for the wan
 interface for us. It seems fwbuilder has some support for carp,
 but I am not sure it will work with ip aliases.
 
 Thanks so far
 Waldemar
 

we have a similar setup here, with only a /29 range of external addresses.
Until now, we have had no problems so far running this using only one
external carp IF (using a private IP) and adding all external addresses
as aliases. But we do not use bi-nat for our DMZ Servers.

As for fwbuilder, we did use it for some years with iptables, but during
our switch to OpenBSD found writing pf.conf by hand gave a cleaner and
faster fw.
The file is under version control and distributed and enabled by Puppet
on both our FW-CARP nodes.

Cheers,
Kim



libiconv-1.14p1 - library c not found, bad major

2014-07-22 Thread Kim Zeitler
Hello,
yesterday I had to do a clean reinstall of a machine (RELEASE) and on
installing additional packages I ran into a libc error bad major with
libiconv.

# uname -a
OpenBSD gaia 5.5 GENERIC.MP#126 amd64

# export PKG_PATH=http://openbsd.cs.fau.de/pub/OpenBSD/5.5/packages/amd64/
# pkg_add -iv libiconv
Update candidates: quirks-1.113 -> quirks-1.113 (ok)
Can't install libiconv-1.14p1 because of libraries
|library c.73.1 not found
| /usr/lib/libc.so.75.0 (system): bad major


Cheers,

-- 
Kim Zeitler



Re: libiconv-1.14p1 - library c not found, bad major

2014-07-22 Thread Kim Zeitler
On 22.07.2014 17:55, Philip Guenther wrote:

 OpenBSD gaia 5.5 GENERIC.MP#126 amd64

 
 That's not the 5.5 release.  The 5.5 release GENERIC.MP for amd64 had a
 banner of:
 OpenBSD 5.5 (GENERIC.MP) #315: Wed Mar  5 09:37:46 MST 2014
 
 so the build number is clearly off.
 
 
 You have libc.so.75.0?  That was only present for about a month starting in
 mid May.  You've installed a snapshot of -current that's something between
 a month and 3 months old and *not* the 5.5 release.  You'll have a hard
 time finding packages that match that, so you should reinstall with the
 correct release files.

Thanks Philip for your fast reply,
that explains a lot - a colleague of mine gave me the install disk, claiming
it to be the 5.5-Release.
*sigh* - if you want something done right ...

again many thanks.

Kim



Re: Only two holes in a heck of a long time, but why?

2014-04-04 Thread Kim Zeitler
 All in all the default install is pretty useless in itself and I am going
 to quote Absolute OpenBSD by Michael Lucas:
 
   «You've installed OpenBSD and rebooted into a bare-bones system. Of
 course, a minimal Unix-like system is actually pretty boring. While it
 makes a powerful foundation, it doesn't actually do much of anything.»

I may be a bit pedantic here but considering Michael's quote, he said
*boring* not *useless*. This is also reflected in his second sentence
... making a *powerful* foundation ...

Having a small pool of OpenBSD machines running for web, email, CARPed
firewalls and networking applications, I usually only install one ports
package - puppet to have it fit into our configuration management



Re: power failure resistance

2014-02-20 Thread Kim Zeitler
Another possibility which we use here is mounting / ro
and hold any other partition in rw as mfs filesystems (namely /tmp,
/home, /var/log and /var/db). Syslog goes to a central server.

These systems are managed via puppetd, and the client remounts / rw,
runs, and remounts back to ro.

On 19.02.2014 12:38, Marko Cupać wrote:
 Hi,
 
 I need to deploy a number of openbsd firewalls based on alix2d13
 hardware. The goal is to separate industrial network from LAN, in order
 to protect unpatched systems on industrial network from potential
 malware on LAN, while providing some level of access (mostly
 low-traffic VNC from LAN to industrial and sql in the opposite
 direction).
 
 The problem is that we have very unstable power grid, resulting in
 unclean shutdowns of devices. I cannot UPS them all.
 
 How can I configure firewalls so they are resistant to those power
 failures (ie do not need fsck)? How should I partition? Which partitions
 should be mounted read-only? Which should be mounted as memory disks? Which
 size should I allocate for memory disks (RAM is a constraint here as I
 have only 256MB)? Any other advice?
 
 Thank you in advance,
 

-- 
Kim Zeitler
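
The remount-run-remount cycle Kim describes, written out as an added sh example (not from the thread, and not the Puppet hook used there). It assumes / is mounted read-only and the writable paths are mfs entries in fstab, as in the constructed fstab fragment in the comments (the device name, mount options and mfs sizes are assumptions). The one failure mode worth handling is `mount -u -o ro /` refusing with "Device busy" while some process still has a file open for writing, which would leave the box read-write until the next run, so the read-only remount is retried.

```sh
#!/bin/sh
# Added example. Constructed /etc/fstab fragment for the layout described above
# (root read-only, volatile data on mfs; device and sizes are assumptions):
#   /dev/wd0a   /         ffs  ro,noatime                     1 1
#   swap        /tmp      mfs  rw,nodev,nosuid,-s=32m         0 0
#   swap        /var/log  mfs  rw,nodev,nosuid,noexec,-s=32m  0 0
#   swap        /var/db   mfs  rw,nodev,nosuid,-s=16m         0 0
#   swap        /home     mfs  rw,nodev,nosuid,-s=16m         0 0
# Everything on mfs is gone after a power cut, so anything under /var/db that
# has to survive must be re-created by the configuration-management run.

ROOTFS=${ROOTFS:-/}

# remount_ro FS [TRIES]: "mount -u -o ro" fails with "Device busy" while a
# process still holds a file open for writing; sync and retry before giving up.
remount_ro() {
    fs=$1; tries=${2:-5}
    while [ "$tries" -gt 0 ]; do
        sync
        mount -u -o ro "$fs" && return 0
        tries=$((tries - 1))
        sleep 1
    done
    return 1
}

# run_rw CMD [ARGS...]: remount / read-write, run CMD, then always go back to
# read-only, even when CMD fails. Returns CMD's exit status; a failed read-only
# remount turns a successful run into a failure, because staying rw is the
# condition this whole setup exists to avoid.
run_rw() {
    mount -u -o rw "$ROOTFS" || return 1
    "$@" && rc=0 || rc=$?
    if ! remount_ro "$ROOTFS" && [ "$rc" -eq 0 ]; then rc=1; fi
    return $rc
}

# Typical use (flags depend on the puppet version, assumed here):
#   run_rw puppet agent --onetime
```

A cron job or the Puppet wrapper calls `run_rw` with the real command; nothing else on the box should ever remount / read-write, so a read-write root outside that window is itself a signal worth alerting on.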



Joining the state of two carp interfaces

2014-02-20 Thread Kim Zeitler
Hello,

I have recently stumbled over a problem with a CARP router setup.
The routers have 2 carped interfaces, one for network A and B respectively.
We had the scenario that Router1 was Master for A and Backup for B,
Router2 Backup A and Master B. A manual demote managed to get one router
to be Master on A and B.
Is there a possibility to join the CARP state of 2 interfaces, i.e. both
Master or both Backup, no mix?

Thanks in advance

Kim Zeitler
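
As an added check (not part of this thread): a sh/awk function that reads ifconfig(8) output and reports whether every carp interface on the host is in the same state, i.e. it detects the split Kim describes (Master on one interface, Backup on the other) so it can be alerted on or used as a health check. The `ifconfig carp` output below is constructed to mimic Router1 in the scenario; the interface names, vhids and addresses are assumptions.

```sh
#!/bin/sh
# Added example: detect a split CARP state (some interfaces MASTER, others
# BACKUP) from `ifconfig carp` output. On OpenBSD each carp interface prints
# a line like:
#   carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
# Usage: ifconfig carp | carp_states              -> "carp0 MASTER" per interface
#        ifconfig carp | carp_split && echo split  -> exit 0 only when mixed

# Print "<interface> <STATE>" for every carp interface in the input.
carp_states() {
    awk '
        /^[a-z]+[0-9]+:/ { ifc = $1; sub(/:$/, "", ifc) }   # interface header line
        /^[[:space:]]+carp: / { print ifc, $2 }              # state is the 2nd field
    '
}

# Exit 0 (true) when the interfaces are not all in the same state.
carp_split() {
    carp_states | awk '
        { if (!($2 in seen)) { seen[$2] = 1; states++ } }
        END { exit ((states > 1) ? 0 : 1) }
    '
}

# Constructed sample output, Router1 as Kim described it: Master for network A
# (carp0), Backup for network B (carp1). Addresses are documentation ranges.
CARP_SAMPLE='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
        groups: carp
        status: master
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:02
        carp: BACKUP carpdev em1 vhid 2 advbase 1 advskew 100
        groups: carp
        status: backup
        inet 198.51.100.1 netmask 0xffffff00 broadcast 198.51.100.255'

# Runs the check over the constructed sample; true, because it is split.
carp_split_demo() {
    printf '%s\n' "$CARP_SAMPLE" | carp_split
}
```

The mechanism that avoids the split in the first place, rather than just detecting it, is group failover: with `sysctl net.inet.carp.preempt=1` OpenBSD demotes all carp interfaces on a host together when one of them (or its carpdev) fails, so both networks move to the same router. That is from carp(4), not from this thread, and it requires that both routers have the same interfaces in the carp group.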