Re: Renew/extend CA created with ikectl
Hello Stuart,

thanks for the reply, already suspected something along those lines.

On 12/10/18 7:14 PM, Stuart Henderson wrote:
> It's a bit awkward but can be done, you'll find some information at
> https://serverfault.com/questions/306345/certification-authority-root-certificate-expiry-and-renewal
>
> You'll need to get the new CA cert installed on clients anyway though
> (and I don't suppose the client certs have much longer validity either?)
> so doing the above might not save you much trouble ..

In the end I followed doing something along these lines. As we have quite some clients in the field it was easier to get them to add the new CA.

>> I didn't find anything in the man pages nor on the mailing list.
>> Having had a look at ikeca.c gave me some idea of how the file is created.
>>
>> Also is there a way of having the ca cert valid for more than 365 days?
>
> Not without patching the command-line in ikectl code, or generating the
> cert manually.

It's not ideal.. I would be willing to patch ikectl to contain a ca renew, but would like some 'guidance' concerning sane defaults for this.

> I'd probably recommend using something else to manage your internal CA
> (or just avoiding X509 if you don't actually need it...).

Any suggestions? We used some other CA management SW over the years but enjoyed the clean and simple approach that ikectl gave us so far.

Cheers
Kim
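An added example (not from the thread and not ikectl's own code) of the renewal approach the reply describes: re-sign the CA certificate from its existing private key, then confirm that a client certificate issued under the old CA cert still verifies against the renewed one. The script drives openssl(1) through subprocess; every file name, subject and validity period in it is constructed for the demonstration and ikectl's own directory layout is not reproduced.

```python
"""Added example (not from the thread, not ikectl's own code): renew a CA
certificate from its existing private key with openssl(1), then confirm
that a client certificate signed under the old CA cert still verifies
against the renewed one.  All file names, subjects and validity periods
below are constructed for the demonstration."""
import os
import subprocess
import tempfile


def openssl(*args):
    """Run one openssl(1) subcommand; a non-zero exit raises CalledProcessError."""
    subprocess.run(["openssl", *args], check=True,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def make_ca_and_client(work, ca_days):
    """Create a CA key + self-signed CA cert and one client cert signed by it.
    Plain openssl calls stand in for what ikectl(8) did originally."""
    ca_key = os.path.join(work, "ca.key")
    ca_crt = os.path.join(work, "ca.crt")
    openssl("genrsa", "-out", ca_key, "2048")
    openssl("req", "-x509", "-new", "-key", ca_key, "-days", str(ca_days),
            "-subj", "/CN=demo-ca", "-out", ca_crt)

    client_key = os.path.join(work, "client.key")
    client_csr = os.path.join(work, "client.csr")
    client_crt = os.path.join(work, "client.crt")
    openssl("genrsa", "-out", client_key, "2048")
    openssl("req", "-new", "-key", client_key, "-subj", "/CN=client1",
            "-out", client_csr)
    openssl("x509", "-req", "-in", client_csr, "-CA", ca_crt, "-CAkey", ca_key,
            "-CAcreateserial", "-days", "365", "-out", client_crt)
    return ca_crt, client_crt


def renew_ca(work, days):
    """Re-issue the CA certificate: same private key, same subject, new validity.
    Issuer name and signing key are unchanged, so existing client certs keep
    chaining to it; only the CA cert itself has to be redistributed."""
    ca_key = os.path.join(work, "ca.key")
    renewed = os.path.join(work, "ca-renewed.crt")
    openssl("req", "-x509", "-new", "-key", ca_key, "-days", str(days),
            "-subj", "/CN=demo-ca", "-out", renewed)
    return renewed


def valid_for(cert, seconds):
    """True if `cert` will NOT expire within the next `seconds` (openssl -checkend)."""
    r = subprocess.run(["openssl", "x509", "-in", cert, "-noout",
                        "-checkend", str(seconds)],
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return r.returncode == 0


def verifies(client_cert, ca_cert):
    """True if client_cert chains to ca_cert (openssl verify)."""
    r = subprocess.run(["openssl", "verify", "-CAfile", ca_cert, client_cert],
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return r.returncode == 0


def demo():
    """Old CA valid for 1 day, renewed CA valid for 10 years; returns the checks."""
    work = tempfile.mkdtemp()
    old_ca, client = make_ca_and_client(work, ca_days=1)
    new_ca = renew_ca(work, days=3650)
    return {
        "old_ca_good_for_a_week": valid_for(old_ca, 7 * 86400),
        "new_ca_good_for_a_week": valid_for(new_ca, 7 * 86400),
        "client_verifies_old": verifies(client, old_ca),
        "client_verifies_new": verifies(client, new_ca),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the last check is the one the thread turns on: because the renewed CA cert carries the same subject and the same key, the clients' certificates keep validating and only the CA cert needs to reach the clients.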
Renew/extend CA created with ikectl
Hello,

before I start getting creative with openssl(1) on my ikectl(8) created ca.

Yesterday my ca certificate expired and I need to renew it (without losing all the client certificates).
Is there a recommended way of renewing the ca.crt created using ikectl ca create?

I didn't find anything in the man pages nor on the mailing list. Having had a look at ikeca.c gave me some idea of how the file is created.

Also is there a way of having the ca cert valid for more than 365 days?

Cheers,
Kim
Re: ikev2 and road warriors setup
Good morning Radek,

I have a suspicion ...

> For (1), (2) and (3) VPN is working just fine with Win7_warrior and
> puffy_warrior if they are connecting from A.B.C.0/23 (it does not matter
> if warrior has public IP or it is behind NAT). The rest of the world
> fails to connect the VPN_server.

My question was concerning the VPN_server, is the server NATed?
How is A.B.C.0/23 connected to the 'rest' of the world? Router/Firewall ...

Cheers,
Kim
Re: ikev2 and road warriors setup
Hello Radek,

On 11/2/18 10:16 PM, Radek wrote:
> Thank you for your response,
> Following your suggestion I removed IP from enc0 and changed iked.conf as below:
>
> $ cat /etc/iked.conf
> dns1 = "8.8.8.8"
> dns2 = "8.8.4.4"
>
> ikev2 "roadWarrior" ipcomp esp \
>         from 0.0.0.0/0 to 0.0.0.0/0 \
>         local A.B.C.77 peer any \
>         srcid "/C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=A.B.C.77/emailAddress=t...@123.com" \
>         config address 10.0.1.0/24 \
>         config netmask 255.255.255.0 \
>         config name-server $dns1 \
>         config name-server $dns2 \
>         config access-server A.B.C.77 \
>         config protected-subnet 0.0.0.0/0 \
>         tag "$id"
>
> It did not solve my problem. Clients from !A.B.C.0/23 still get 809 Error.

I know this set-up to be working, as it is currently running here in production.

> I also tried another scenario:
> puffy_server <-> puffy_warrior
> The same. My warrior also can not connect if it is !A.B.C.0/23 and it VPN
> works fine for clients from A.B.C.0/23.
> Both machines are 6.3/i386.

Your set-up is still a bit 'unclear', I would rather say you have a firewall/routing problem than an IPSec problem.
Error 809 means no data received.

Could you post your pf.conf?
How do you connect to networks !A.B.C.0/23?
Is your IPSec connection NATed?

Cheers
Kim
Re: syntax error and doas.conf
On 10/31/18 10:42 AM, Markus Rosjat wrote:
> ...

doas vi /etc/doas.conf
# Edit in vi
:w
:! doas -C %

You don't even have to leave your editor
Re: ikev2 and road warriors setup
On 10/28/18 3:04 PM, Radek wrote:
> Hello,
> I really need your help.
> I am still trying to configure Ikev2 VPN Gateway (A.B.C.77/23) for road
> warriors clients (Windows). The problem is that it works ONLY if clients
> are in the same subnet as VPN Gateway (A.B.C.0/23). Clients from out of
> the gateway's subnet (!A.B.C.0/23) can not establish the connection (809
> Error). It does not matter if they are behind NAT or not, tried different
> ISP - the same. Current tested client is Win7 (1.2.3.119). It works from
> A.B.C.0/23
> I do not know what I am doing wrong. Can anyone please help me with
> solving this problem? Thank you.
>
> This is a fresh 6.3/i386 install:
>
> # cat /etc/hostname.enc0
> inet 10.0.1.1 255.255.255.0 10.0.1.255 up

You don't need an IP on enc0

> # cat /etc/iked.conf
> ikev2 "test" passive esp \
>         from 0.0.0.0/0 to 0.0.0.0/0 \
>         local A.B.C.77 peer any \
>         srcid A.B.C.77 \
>         config address 10.0.1.0/24 \
>         config name-server 8.8.8.8 \
>         tag "IKED"

Try something like this, it works for both Win7 and Win10:

/etc/iked.conf -

ikev2 "roadWarrior" ipcomp esp \
        from 0.0.0.0/0 to 0.0.0.0/0 \
        peer any \
        srcid $srcid \
        config address 10.0.1.0/24 \
        config netmask 255.255.255.0 \
        config name-server $dns1 \
        config name-server $dns2 \
        config access-server A.B.C.77 \
        config protected-subnet 0.0.0.0/0 \
        tag "$id"

'access-server' tells Windows what gateway to use for 'protected-subnet' (see iked.conf(5)).
Re: Intel i350 Offloading not working
On 07/18/18 11:37, Adonis Peralta wrote:
> Will definitely do that, but still looking for any explanation from devs :).

https://marc.info/?l=openbsd-tech=135203532704213=2

Seems there have been some errors with offloading and I350 in the past

Cheers
Kim
OpenIKED match on user/cert instead of gateway
hello misc,

I got the requirement for a more exotic setup in which some road warriors are required to be in a different network segment.
From strongSWAN I know it is possible to match connections based on userid/cert.
iked.conf(5) only gives examples for different gateways.

To cut a long story short - is it possible to do this in openiked or do I need to setup a separate instance?

Cheers,
Kim
Re: iked: how to request a virtual IP when running as a road warrior
Hello

On 01/30/18 22:00, Peter Müller wrote:
> Hello *,
>
> I am trying to set up an IPsec connection between OpenBSD 6.2 and an
> IPFire firewall, while the OpenBSD is a road warrior. There, I use
> "iked", while the firewall is running "strongswan".
>
> After struggling with some cryptography issues (curve25519 and
> brainpool512 did not work, neither did aes-gcm), the IKE connection is
> now established, but the firewall requires a request for a virtual IP:
>
> [log snippet from "iked" @ OpenBSD:]
> ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY critical 0x00 length 12
> ikev2_pld_notify: protoid NONE spisize 0 type AUTH_LIFETIME
> ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NONE critical 0x00 length 8
> ikev2_pld_notify: protoid NONE spisize 0 type FAILED_CP_REQUIRED
>
> [log snippet from "strongswan" @ IPFire:]
> 21:45:26 charon: 07[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH N(AUTH_LFT) N(FAIL_CP_REQ) ]
> 21:45:26 charon: 07[IKE] failed to establish CHILD_SA, keeping IKE_SA
> 21:45:26 charon: 07[IKE] configuration payload negotiation failed, no CHILD_SA built
> 21:45:26 charon: 07[IKE] expected a virtual IP request, sending FAILED_CP_REQUIRED
>
> Until now, I tried inserting the following directives to my
> /etc/iked.conf - without luck, they didn't seem to change anything:
>
> (1) config address 10.XXX.XXX.XXX
> (2) config address 10.XXX.XXX.XXX/24
> (3) config address 10.XXX.XXX.XXX\
>     config address 10.XXX.XXX.XXX/24
>
> How do I configure "iked" to request a virtual IP?
>
> Any help is highly appreciated, since I am flying blind here.
>
> Thanks and best regards,
> Peter Müller

Last time I looked, OpenIKED was not yet able to request a config payload, only reply to one.
Looking at the source code of iked confirms this.

/src/sbin/iked/ikev2.c

ssize_t
ikev2_add_cp(struct iked *env, struct iked_sa *sa, struct ibuf *buf)
{
        ...
        switch (sa->sa_cp) {
        case IKEV2_CP_REQUEST:
                cp->cp_type = IKEV2_CP_REPLY;
                break;
        case IKEV2_CP_REPLY:
        case IKEV2_CP_SET:
        case IKEV2_CP_ACK:
                /* Not yet supported */          <===!!!
                return (-1);
        }
        ...

Cheers
Kim
Re: iked + gif + ospfd - use null-route to stop default route being used in case of no vpn
On 11/08/17 08:37, Claudio Jeker wrote:
> On Tue, Nov 07, 2017 at 04:13:51PM +0100, Jeremie Courreges-Anglas wrote:
>> On Tue, Nov 07 2017, Kim Zeitler <kim.zeit...@konzept-is.de> wrote:
>>> On 11/07/17 15:31, Jeremie Courreges-Anglas wrote:
>>>> On Tue, Nov 07 2017, Stuart Henderson <s...@spacehopper.org> wrote:
>>>>>> I have a question concerning routes and ospf.
>>>>>> We are using iked(8) with a gif(4) interface and ospfd(8) to set up
>>>>>> routing. If the ipsec tunnel is down, no ospf route is set and the
>>>>>> default route used.
>>>>>> Is it sensible and possible to add a null-route from the vpn-gateway
>>>>>> to the remote-networks so a 'Network not reachable' is sent
>>>>>> immediately?
>>>>>
>>>>> Sensible - yes. Possible - not sure but I think you would probably
>>>>> need to monitor the ipsec status and add the route and/or gif
>>>>> interface only once the SA is up.
>>>>
>>>> I may be missing something, but maybe just add a -reject route with a
>>>> low -priority for each of your ospf routes?  When an ospf route
>>>> disappears the -reject one would be preferred.  (And if all your "vpn"
>>>> routes are in a common prefix, you can just use a single -reject route
>>>> for that prefix and let more-specifics win.)
>>>
>>> something like this was actually my plan. just wasn't so sure if one
>>> actually does it like this or if there are other ways of doing it.
>>> so basically a
>>>
>>> route add -inet 172.16/12 -reject -priority 33
>>>
>>> would suffice (33 as the ospf routes have a prio of 32)
>>
>> Yes, but I think that what Stuart points out is that your gif tunnel
>> might be used even if ipsec isn't protecting it...
>
> I use pf(4) to make sure that gif is not leaking outside of the enc
> interface (more or less):
>
> block out proto { ipencap ipv6 }
> pass on enc0 keep state (if-bound)
>
> Using if-bound is needed else the enc0 state would float to the egress
> interface.

I want to thank all for their time and answers.
not sure how I will implement this yet, but Stuart's and Claudio's clearly made me think a bit further.

Cheers,
Kim
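An added example (not from the thread, not OpenBSD code) modelling the lookup order the -reject suggestion relies on: the kernel picks the longest matching prefix first and, among routes with the same prefix, the lowest priority value. It shows the three situations discussed in the thread: OSPF route present, OSPF route withdrawn with the reject aggregate in place, and no reject route at all. Prefixes, gateways and the table itself are constructed; the priorities 32 (ospfd) and 8 (static default) are the ones the thread assumes.

```python
"""Added example (not from the thread): a model of how the low-priority
-reject route proposed in the thread behaves in OpenBSD's route lookup.
Longest matching prefix wins; among routes with the same prefix the
lowest priority value wins.  Prefixes, gateways and the table are
constructed; 32 for ospfd(8) and 8 for the static default are the
priorities the thread relies on."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str      # e.g. "172.16.0.0/12" (route(8) itself accepts 172.16/12)
    gateway: str
    priority: int
    reject: bool = False

    @property
    def network(self):
        return ipaddress.ip_network(self.prefix)


# Constructed table for the VPN gateway.
DEFAULT = Route("0.0.0.0/0", "192.168.1.1", 8)                  # static default route
REJECT = Route("172.16.0.0/12", "127.0.0.1", 33, reject=True)   # route add -inet 172.16/12 -reject -priority 33
OSPF_REMOTE = Route("172.20.0.0/16", "10.23.23.2", 32)          # learned over the gif tunnel while the SA is up


def lookup(table, dst):
    """Longest-prefix match, then lowest priority value; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r.network]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.network.prefixlen, r.priority))


def forward(table, dst):
    """What the gateway does with a packet to dst: forward via a gateway, or
    answer 'unreachable' (a -reject route makes the kernel return ICMP
    unreachable instead of forwarding)."""
    r = lookup(table, dst)
    if r is None or r.reject:
        return "unreachable"
    return f"via {r.gateway}"


if __name__ == "__main__":
    # VPN up: the OSPF route is more specific than the reject aggregate and wins.
    print(forward([DEFAULT, REJECT, OSPF_REMOTE], "172.20.5.9"))   # via 10.23.23.2
    # VPN down: OSPF route withdrawn, the reject aggregate beats the default.
    print(forward([DEFAULT, REJECT], "172.20.5.9"))                # unreachable
    # Without the reject route the packet goes to the default gateway (the loop from the thread).
    print(forward([DEFAULT], "172.20.5.9"))                        # via 192.168.1.1
```

The same model also covers Jeremie's per-route variant: an OSPF route for exactly 172.16.0.0/12 at priority 32 would beat the reject route for the same prefix, and the reject route takes over the moment it disappears.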
Re: iked + gif + ospfd - use null-route to stop default route being used in case of no vpn
On 11/07/17 16:13, Jeremie Courreges-Anglas wrote:
> On Tue, Nov 07 2017, Kim Zeitler <kim.zeit...@konzept-is.de> wrote:
>> On 11/07/17 15:31, Jeremie Courreges-Anglas wrote:
>>> On Tue, Nov 07 2017, Stuart Henderson <s...@spacehopper.org> wrote:
>>>>> I have a question concerning routes and ospf.
>>>>> We are using iked(8) with a gif(4) interface and ospfd(8) to set up
>>>>> routing. If the ipsec tunnel is down, no ospf route is set and the
>>>>> default route used.
>>>>> Is it sensible and possible to add a null-route from the vpn-gateway
>>>>> to the remote-networks so a 'Network not reachable' is sent
>>>>> immediately?
>>>>
>>>> Sensible - yes. Possible - not sure but I think you would probably
>>>> need to monitor the ipsec status and add the route and/or gif
>>>> interface only once the SA is up.
>>>
>>> I may be missing something, but maybe just add a -reject route with a
>>> low -priority for each of your ospf routes?  When an ospf route
>>> disappears the -reject one would be preferred.  (And if all your "vpn"
>>> routes are in a common prefix, you can just use a single -reject route
>>> for that prefix and let more-specifics win.)
>>
>> something like this was actually my plan. just wasn't so sure if one
>> actually does it like this or if there are other ways of doing it.
>> so basically a
>>
>> route add -inet 172.16/12 -reject -priority 33
>>
>> would suffice (33 as the ospf routes have a prio of 32)
>
> Yes, but I think that what Stuart points out is that your gif tunnel
> might be used even if ipsec isn't protecting it...

OK, maybe I am missing something now.

I got two networks 192.168.1/24 and 192.168.2/24, each with a VPN GW 192.168.X.254 and a default GW at 192.168.X.1.
Between the VPN GWs I have a gif tunnel using 192.168.X.254 -> <IP otherside>, inside tunnel 10.23.23.1->10.23.23.2.

My iked is configured to use:

ikev2 "charlie" passive ipcomp esp \
        proto encap \
        from $OWN_IP to $CHARLIE \
        peer $CHARLIE \
        srcid $GW dstid $CHARLIE

To add the routing over this we use ospfd.
As soon as the sa is loaded ospf discovers its neighbour and loads the route via the gif interface. Without the sa no traffic is passed.

@Stuart you say, I should only establish the gif "link" after I have an SA?

My question was, when the ospfd has a problem or the connection between both end-points can't be established (like now, due to roadworks and some cable) can I add a -reject route with low prio to use instead of the default route on my VPN GW?

Currently my VPN GW gets the traffic, has no route due to no ospf and sends it to the default gw, which returns it to the vpn gw and so forth. I would like it to reply with 'Network unreachable' instead immediately.

As far as I see my idea is similar to what Jeremie wrote.

Cheers
Kim
Re: iked + gif + ospfd - use null-route to stop default route being used in case of no vpn
On 11/07/17 15:31, Jeremie Courreges-Anglas wrote:
> On Tue, Nov 07 2017, Stuart Henderson wrote:
>>> I have a question concerning routes and ospf.
>>> We are using iked(8) with a gif(4) interface and ospfd(8) to set up
>>> routing. If the ipsec tunnel is down, no ospf route is set and the
>>> default route used.
>>> Is it sensible and possible to add a null-route from the vpn-gateway
>>> to the remote-networks so a 'Network not reachable' is sent
>>> immediately?
>>
>> Sensible - yes. Possible - not sure but I think you would probably
>> need to monitor the ipsec status and add the route and/or gif
>> interface only once the SA is up.
>
> I may be missing something, but maybe just add a -reject route with a
> low -priority for each of your ospf routes?  When an ospf route
> disappears the -reject one would be preferred.  (And if all your "vpn"
> routes are in a common prefix, you can just use a single -reject route
> for that prefix and let more-specifics win.)

something like this was actually my plan. just wasn't so sure if one actually does it like this or if there are other ways of doing it.
so basically a

route add -inet 172.16/12 -reject -priority 33

would suffice (33 as the ospf routes have a prio of 32)
iked + gif + ospfd - use null-route to stop default route being used in case of no vpn
Hello

I have a question concerning routes and ospf.
We are using iked(8) with a gif(4) interface and ospfd(8) to set up routing. If the ipsec tunnel is down, no ospf route is set and the default route used.
Is it sensible and possible to add a null-route from the vpn-gateway to the remote-networks so a 'Network not reachable' is sent immediately?

Cheers
Kim
Re: bgp-spamd question
On 05/08/17 15:12, Markus Rosjat wrote:
> On 08.05.2017 15:02, Kim Zeitler wrote:
>> Did you allow BGP on your firewall?
>
> I was not aware there need to be special rules for bgp

I meant your outer-bound firewall, that you pass towards the internet. Depending on your network setup you need to allow outbound traffic on a specific port and take care of nat.
Re: bgp-spamd question
On 05/08/17 14:42, Markus Rosjat wrote:
> On 08.05.2017 14:37, Kim Zeitler wrote:
>> Could you check
>>
>> bgpctl s
>>
>> are there any messages received?
>> You can also check
>>
>> bgpctl s neigh | grep state
>>
>> This should give you at least 2 connections claiming to be established
>>
>> regards
>>
>> Cheers
>> Kim
>
> I checked and I have both neighbors in my list
>
> $ doas bgpctl s
> Neighbor         AS    MsgRcvd MsgSent  OutQ Up/Down  State/PrfRcvd
> 217.31.80.170    65066       0       0     0 Never    Active
> 64.142.121.62    65066       0       0     0 Never    Active

They appear as soon as you have configured them, but as you can see, neither MsgRcvd nor MsgSent show anything

# bgpctl s
Neighbor                AS    MsgRcvd MsgSent  OutQ Up/Down  State/PrfRcvd
2a00:15a8:0:100:0:d9 65066          0       0     0 Never    Active
217.31.80.170        65066        271     134     0 01:05:59 15975
64.142.121.62        65066        253     134     0 01:05:59 15975

If you look at

# bgpctl show neigh | grep -C2 state
BGP neighbor is 2a00:15a8:0:100:0:d91f:50aa:1, remote AS 65066, Multihop (64)
  BGP version 4, remote router-id 0.0.0.0
  BGP state = Active
  Last read Never, holdtime 240s, keepalive interval 80s
--
BGP neighbor is 217.31.80.170, remote AS 65066, Multihop (64)
  BGP version 4, remote router-id 217.31.80.170
  BGP state = Established, up for 01:07:27
  Last read 00:00:11, holdtime 90s, keepalive interval 30s
  Neighbor capabilities:
--
BGP neighbor is 64.142.121.62, remote AS 65066, Multihop (64)
  BGP version 4, remote router-id 64.142.121.62
  BGP state = Established, up for 01:07:27
  Last read 00:00:10, holdtime 90s, keepalive interval 30s
  Neighbor capabilities:

you can see that our IPv6 connection is only active and waiting, while the IPv4 connections clearly show that they are established.
You can also see it in the summary, as the v6 only says Active while the v4s tell you for how long.

Did you allow BGP on your firewall?

> still no success with
>
> $ doas bgpctl show rib community 65066:42
> flags: * = Valid, > = Selected, I = via IBGP, A = Announced, S = Stale
> origin: i = IGP, e = EGP, ? = Incomplete
>
> flags destination          gateway          lpref   med aspath origin
>
> $ doas bgpctl show rib community 65066:666
> flags: * = Valid, > = Selected, I = via IBGP, A = Announced, S = Stale
> origin: i = IGP, e = EGP, ? = Incomplete
>
> flags destination          gateway          lpref   med aspath origin

Cheers,
Kim
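An added example (not from the thread, not part of OpenBGPD) of the check the reply walks through by eye: parse `bgpctl show neighbor` output and list every peer whose state is not Established, which is what you want a monitoring job to alert on before you go looking for empty rib results. The sample output below is constructed to match the shape of the output quoted in the thread, including the IPv6 peer stuck in Active.

```python
"""Added example (not from the thread, not OpenBGPD code): parse
`bgpctl show neighbor` output and report peers that are not Established.
SAMPLE is constructed to look like the output quoted in the thread."""
import re

SAMPLE = """\
BGP neighbor is 2a00:15a8:0:100:0:d91f:50aa:1, remote AS 65066, Multihop (64)
  BGP version 4, remote router-id 0.0.0.0
  BGP state = Active
  Last read Never, holdtime 240s, keepalive interval 80s

BGP neighbor is 217.31.80.170, remote AS 65066, Multihop (64)
  BGP version 4, remote router-id 217.31.80.170
  BGP state = Established, up for 01:07:27
  Last read 00:00:11, holdtime 90s, keepalive interval 30s
  Neighbor capabilities:

BGP neighbor is 64.142.121.62, remote AS 65066, Multihop (64)
  BGP version 4, remote router-id 64.142.121.62
  BGP state = Established, up for 01:07:27
  Last read 00:00:10, holdtime 90s, keepalive interval 30s
  Neighbor capabilities:
"""

# "BGP neighbor is <addr>, remote AS <n>" opens each peer's block.
NEIGH_RE = re.compile(r"^BGP neighbor is (\S+), remote AS (\d+)")
# "BGP state = <State>[, up for <h:m:s>]" sits inside the block.
STATE_RE = re.compile(r"^\s*BGP state = (\w+)(?:, up for (\S+))?")


def parse_neighbors(text):
    """Return {neighbor address: {"as": int, "state": str, "uptime": str or None}}."""
    peers, current = {}, None
    for line in text.splitlines():
        m = NEIGH_RE.match(line)
        if m:
            current = m.group(1)
            peers[current] = {"as": int(m.group(2)), "state": "unknown", "uptime": None}
            continue
        m = STATE_RE.match(line)
        if m and current is not None:
            peers[current]["state"] = m.group(1)
            peers[current]["uptime"] = m.group(2)
    return peers


def not_established(text):
    """Sorted list of peers whose session is not up; empty means all good."""
    return sorted(addr for addr, info in parse_neighbors(text).items()
                  if info["state"] != "Established")


if __name__ == "__main__":
    for addr, info in parse_neighbors(SAMPLE).items():
        print(f"{addr:32} AS{info['as']} {info['state']} {info['uptime'] or ''}")
    print("down:", not_established(SAMPLE))
```

In the thread Markus' summary showed both IPv4 peers in Active with zero messages in either direction; run over that output this check would flag both, pointing at the firewall question the reply ends with rather than at bgpd's configuration.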
Re: bgp-spamd question
On 05/08/17 14:13, Markus Rosjat wrote:
> On 08.05.2017 13:58, Kim Zeitler wrote:
>> On 05/08/17 09:59, Markus Rosjat wrote:
>>> match from group "spam-bgp" community $spamASN:666 set pftable "bgp_spamd"
>>
>> Try to remove this line from your /etc/bgpd.conf, it is not in the
>> example on http://bgp-spamd.net
>> Checked it against my working setup and it is missing there too.
>
> Well this doesn't solve the problem still. Even if I remove the line,
> which should simply update a pf table. I don't get any result on the cmd
> with a bgpctl command.
> maybe it's related to my test environment I'll try it on a machine that
> has direct access to the net and see if there is a change.

Could you check

bgpctl s

are there any messages received?
You can also check

bgpctl s neigh | grep state

This should give you at least 2 connections claiming to be established

regards

Cheers
Kim
Re: bgp-spamd question
On 05/08/17 09:59, Markus Rosjat wrote:
> match from group "spam-bgp" community $spamASN:666 set pftable "bgp_spamd"

Try to remove this line from your /etc/bgpd.conf, it is not in the example on http://bgp-spamd.net
Checked it against my working setup and it is missing there too.

--
Kim Zeitler
Bachelor of Science (Hons)

Konzept Informationssysteme GmbH
Am Weiher 13 • 88709 Meersburg
Fon: +49 7532 4466-240
Fax: +49 7532 4466-66
kim.zeit...@konzept-is.de
www.konzept-is.de

Amtsgericht Freiburg 581491 • Managing directors: Dr. Peer Griebel, Frank Häßler, Dr. Christophe Schoenenberger
Re: bgp-spamd question
On 05/08/17 12:26, Markus Rosjat wrote:
>> Hi,
>>
>> I have something like
>>
>> bgp-spamd:\
>>         :black:\
>>         :msg="Your address %A has sent mail to a spamtrap\n\
>>         within the last 24 hours":\
>>         :method=file:\
>>         :file=/var/mail/spamd.black:
>>
>> in /etc/mail/spamd.conf and a cron job
>>
>> /bin/sh /etc/mail/bgp-spamd.black.sh
>>
>> which has
>>
>> #!/bin/sh
>> AS=65066
>> bgpctl show rib community ${AS}:666 | sed -e '1,4d' -e 's/\/.*$//' -e 's/[ \*\>]*//' > /var/mail/spamd.black
>> /usr/libexec/spamd-setup
>> # EOF
>>
>> Just double checked and can see it is being updated.
>>
>> $ ls -l /var/mail/spamd.black
>> -rw-r--r--  1 root  wheel  233006 May  8 05:20 /var/mail/spamd.black
>>
>> Hope this helps,
>> Vijay
>
> I don't want to copy the results in a list for now I simply want to get
> any results at all :) so as long as
>
> bgpctl show rib community 65066:666
>
> doesn't give any results I won't see any IP's in a spamlist file at all
>
> regards

Hello Markus,

just on a hunch, did you remove the deny blocks that are listed in /etc/examples/bgpd.conf?

Cheers
Kim
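An added example (not from the thread; a re-implementation of Vijay's sed pipeline, not his script) that turns `bgpctl show rib community` output into the address list spamd's blacklist file expects: drop the header lines, strip the flag characters and the prefix length, keep one entry per address. It goes slightly beyond the sed version by deduplicating addresses that appear once per path and by returning an empty list cleanly for the empty output Markus was seeing. Both samples are constructed to match the column layout quoted in the thread.

```python
"""Added example (not from the thread): extract blacklist addresses from
`bgpctl show rib community <AS>:666` output, the job the sed pipeline in
Vijay's cron script does.  Samples are constructed to match the column
layout quoted in the thread."""
import re

# Constructed: two prefixes, one of them learned from both peers.
RIB_WITH_ROUTES = """\
flags: * = Valid, > = Selected, I = via IBGP, A = Announced, S = Stale
origin: i = IGP, e = EGP, ? = Incomplete

flags destination          gateway          lpref   med aspath origin
*>    192.0.2.10/32        217.31.80.170      100     0 65066 i
*     192.0.2.10/32        64.142.121.62      100     0 65066 i
*>    198.51.100.77/32     217.31.80.170      100     0 65066 i
"""

# Constructed: the empty result the thread is about (headers only).
RIB_EMPTY = """\
flags: * = Valid, > = Selected, I = via IBGP, A = Announced, S = Stale
origin: i = IGP, e = EGP, ? = Incomplete

flags destination          gateway          lpref   med aspath origin
"""

# A route line: optional flag characters/spaces, then an IPv4 prefix.
# Header lines start with letters, so they never match.
ROW_RE = re.compile(r"^[\s*>IAS]*(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,2})\s")


def blacklist_from_rib(text):
    """Addresses from the rib output, in first-seen order, without duplicates.
    Mirrors `sed -e '1,4d' -e 's/\\/.*$//' -e 's/[ \\*\\>]*//'` but keys on
    the line format instead of a fixed header line count."""
    seen, out = set(), []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        addr = m.group(1)
        if addr not in seen:
            seen.add(addr)
            out.append(addr)
    return out


def spamd_black_file(text):
    """Contents for /var/mail/spamd.black: one address per line, trailing newline,
    empty string when the rib holds nothing (spamd-setup then loads an empty list)."""
    addrs = blacklist_from_rib(text)
    return "".join(a + "\n" for a in addrs)


if __name__ == "__main__":
    print(spamd_black_file(RIB_WITH_ROUTES), end="")
    print("empty rib ->", repr(spamd_black_file(RIB_EMPTY)))
```

Keying on the line format rather than deleting a fixed number of header lines (the `1,4d` in the sed version) keeps the list correct if bgpctl ever changes the header, and the empty-output case makes the symptom from the thread explicit: no rib entries, no blacklist, whatever spamd.conf says.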
Re: Migrate Mailserver from sendmail/Curier/LDAP to OpenSMTP/Dovecot/LDAP
Hi Markus

On 01/27/17 09:44, Markus Rosjat wrote:
> Hi there,
>
> so my question is what is the best strategy to migrate an existing LDAP
> directory from a system that has sendmail and courier running to a
> system with openSMTP and Dovecot.
>

Couple of years ago we changed from Courier to Dovecot and in short we wouldn't go back.

As setup we hold all our users in LDAP except for system users (_*, root, ...) and have a dedicated server for mail running postfix as MTA and dovecot.

We started from Postfix+Courier with the LDAP users as system users. The users could log into their accounts via ssh and do what ever they wanted. This configuration caused some problems with performance and also caused some permission problems as the dovecot process had to run as the user.

Now Dovecot has direct access to the LDAP using the users as virtual users, all maildirs belong to the dovecot user _vmail. Postfix distinguishes between local users and ldap users, local users are directly delivered via local delivery, ldap users relayed to dovecot's lmtp server.

> - is it possible to migrate old maildirs to use with dovecot

It is possible, Maildir can be used directly, mbox transferred. There also exists a courier-dovecot-migrate script that rewrites courier's index et al. for dovecot. (https://wiki2.dovecot.org/Migration/Courier)
You might want to move courier's flat maildir format to a file system format

>
> I dont want to set up just one virtual user to handle dovecot delivery
> since I already have the LDAP users. I tested to set permissions on
> directories and files for a LDAP user that has no systemaccount
> counterpart and it seems to work but it doesn't feel right to do so in a
> production environment :)

See my comment further up to using an _vmail user

Cheers
Kim
Re: Allow FTP through Openbsd firewall
Hello

On 10/28/16 08:55, Mik J wrote:
> Hello,
>
> I have FTP clients behind my Openbsd firewall and they want to access
> ftp sites on the internet
> I have read numerous documentations but haven't found the answer yet.
>
> * I start the ftp-proxy like this
> /usr/sbin/ftp-proxy -D7 -v
>
> * I have rules in my pf.conf
> anchor "ftp-proxy/*"
> pass in quick on $int_if inet proto tcp from $lan to any port 21 divert-to 127.0.0.1 port 8021
> pass out quick on $ext_if inet proto tcp from $ext_add to any port 21
>
> I filter both interfaces lan and wan on my firewall
>
> I'm able to connect to a ftp server from inside the lan but when I do
> the command ls it fails
> Of course, this is normal because there is no rule that allow the ftp
> data (passive) to go out and the packets are dropped when they try to go
> out of the firewall's external interface.
> Oct 28 08:21:00.471990 rule 0/(match) block out on vmx0: 37.187.79.88.56327 > x.x.x.x.39046: S 1161913180:1161913180(0) win 16384

This is not entirely correct
ftp-proxy(8) creates dynamic rules and loads them at the anchor point allowing the traffic from your client to the server.

As an example

On a client:

$ ftp ftp://ftp.hostserver.de
...
ftp> ls
150 Opening ASCII mode data connection for '/bin/ls'.
total 225608
-rw-r--r--   1 root    wheel   104857600 Sep 16  2013 100M.dat
-rw-r--r--   1 root    wheel    10485760 Sep 16  2013 10M.dat
drwxr-xr-x  82 mirror  mirror       2048 Oct 28 01:29 archive
lrwxr-xr-x   1 root    wheel          10 Apr 16  2014 debian -> pub/debian
dr-x--x--x   2 root    wheel         512 Apr 15  2014 etc
drwxr-xr-x  10 root    wheel         512 Jul 26 10:20 internal
drwxr-xr-x   8 mirror  wheel         512 Oct 28 09:05 pub
drwxr-xr-x   2 1000    wheel         512 Mar 28  2016 special
226 Transfer complete.
ftp> cd pub
250 CWD command successful.
ftp>

On the firewall 'systat rules' shows these two anchor rules added by ftp-proxy(8)

# systat rules
...
  0 /ftp-proxy/27562.62 Pass In  Q tcp K  8 14771 1 inet from 192.168.3.5/32 to 217.31.80.35/32 port = 52891
  1 /ftp-proxy/27562.62 Pass Out Q tcp K  8 14771 1 inet from 192.168.3.5/32 to 217.31.80.35/32 port = 65081

> * My question
> The ftp data channel connects to an unknown server and an unknown port.
> I don't want to open a large range of ports on my external firewall's
> interface.
> How can I only allow a specific set of outgoing port when the connection
> is initiated by the ftp-proxy only ?

I am not sure I understand your question correctly, but you do not actually open a large port range.

- Your client tries to connect to the external server and your firewall rule "pass quick ... to any port ftp divert-to ..." hands it over to the ftp-proxy(8)
- ftp-proxy(8) opens the connection for the client and adds 2 firewall rules at the anchor "ftp-proxy" in your ruleset. (See ftp-proxy(8) for the rules that are added)

So only ftp-proxy(8) opens a connection and only to the port negotiated with the ftp server.
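An added example (not from the thread, not ftp-proxy(8)'s own code) of the mechanism the reply describes: the proxy reads the server's PASV reply on the control channel, learns the one data port the server chose, and loads a pass-in/pass-out pair for exactly that client, server and port into its anchor. The sample reply and addresses are constructed; the two sanity checks in the parser (advertised host must be the control-channel peer, no reserved ports) are this example's own, the thread does not say which checks ftp-proxy applies.

```python
"""Added example (not from the thread, not ftp-proxy(8) code): parse an FTP
PASV reply and derive the per-connection anchor rules a proxy installs.
Sample reply and addresses are constructed; the sanity checks are this
example's own."""
import re

# RFC 959 passive reply: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(
    r"^227 .*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply, server_ip):
    """Return (host, port) from a PASV reply.

    Raises ValueError when the reply is malformed, when the advertised host
    is not the server the control channel is connected to, or when the port
    is in the reserved range (constructed checks for this example)."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a 227 PASV reply")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range")
    host = f"{h1}.{h2}.{h3}.{h4}"
    port = p1 * 256 + p2
    if host != server_ip:
        raise ValueError(f"PASV host {host} is not the control-channel peer {server_ip}")
    if port < 1024:
        raise ValueError(f"refusing reserved data port {port}")
    return host, port


def pasv_is_acceptable(reply, server_ip):
    """True if parse_pasv() would accept the reply, False otherwise."""
    try:
        parse_pasv(reply, server_ip)
        return True
    except ValueError:
        return False


def anchor_rules(client_ip, server_ip, data_port):
    """The rule pair loaded into the anchor for one passive data connection,
    rendered like the systat(1) lines quoted in the thread: one 'Pass In' for
    the LAN side and one 'Pass Out' for the external side, both limited to
    this client, this server and this single port."""
    base = f"inet proto tcp from {client_ip}/32 to {server_ip}/32 port = {data_port}"
    return [f"Pass In  {base}", f"Pass Out {base}"]


def rules_for_reply(reply, client_ip, server_ip):
    """From a captured PASV reply to the anchor rules for its data channel."""
    host, port = parse_pasv(reply, server_ip)
    return anchor_rules(client_ip, host, port)


if __name__ == "__main__":
    # Constructed: server 217.31.80.35 picks port 206*256+155 = 52891 for the data channel.
    sample = "227 Entering Passive Mode (217,31,80,35,206,155)"
    for rule in rules_for_reply(sample, "192.168.3.5", "217.31.80.35"):
        print(rule)
```

The rules are the answer to Mik's port-range worry: nothing is opened until a server names a port on an authenticated control channel, and then only that client/server/port triple passes, which is what the two `/ftp-proxy/...` lines in systat show.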
ipsec+tunnel vs. 'pure' ipsec
Hello

having run a 'pure' ipsec tunnel for some years now I was wondering if there are more advantages in using a tunnel like gre(4), gif(4) or etherip(4) over ipsec except being able to set the mtu or pass Layer2 traffic?

Thanks for your answer
Kim
Re: problem with carp on 5.9, MAC address of carp interface?
Hello Martin

before I go further - I just run a ping test with the tcpdump as you requested and it did work. The only thing that was changed was an upgrade from GENERIC.MP#1983 -> GENERIC.MP#1997.

On 04/25/16 11:56, Martin Pieuchot wrote:
>> He is running a carp interface on top of a vlan interface. In this
>> scenario the carp interface can not be pinged but the vlan interfaces can.
>
> Do you mean the CARP node does not answer to ping with a destination
> address on the carp(4) interfaces?  Is it for MASTER, BACKUP or both?
>
>> em2 (no ip) ---> vlan100 (192.168.150.200) ---> carp2 (192.168.150.1)
>>              \ --> vlan101 (192.168.151.200) ---> carp3 (192.168.151.1)
>>
>> This is my setup if I ping either address assigned to carp2 or carp3
>> from a host on the network I do not get an answer, pinging the vlan
>> address answers.
>
> When doing so, please use "# tcpdump -nvei carp2 icmp" to see if the
> echo request/reply reach/leave the interface.
>
>> One node is clearly in MASTER, the other in BACKUP, demote works.
>
> The routing table correspond to which node?  MASTER or BACKUP?  There's
> something really weird in it, the RTF_CLONING routes are done.

The table was from the MASTER.
What do you mean exactly by 'the RTF_CLONING routes are done.'? I read route(4) and if I understand it correctly a wildcard route such as defaults is marked with it and new routes are created as soon as they are used and marked as RTF_CLONED.

> Could you include your whole routing table?  Do you have an entry for
> the machine initiating the ping?
>
>> The host also has two further carp interfaces sitting directly on a
>> physical interface which work as expected.
>
> Then why excluding this information from the table?

Here is the entire routing table (be warned it is 'long')

# route -n show -inet
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            192.168.3.1        UGS        0   171986     -     8 em1
224/4              127.0.0.1          URS        1    49977 32768     8 lo0
10.0.0/24          10.0.0.2           UC         1        0     -     4 em3
10.0.0.1           90:e2:ba:c3:df:7f  UHLc       0    97189     -     4 em3
10.0.0.2           90:e2:ba:c3:df:7b  UHLl       0    85607     -     1 em3
10.0.0.255         10.0.0.2           UHb        0        0     -     1 em3
127/8              127.0.0.1          UGRS       0        3 32768     8 lo0
127.0.0.1          127.0.0.1          UHl        1        1 32768     1 lo0
172.16/16          172.16.0.198       UC        89   295390     -     4 em0
172.16/16          172.16.0.200       CP         0        0     -     4 carp0
172.16/16          172.16.0.197       CP         0        0     -     4 carp0
172.16.0.1         52:54:00:a9:8e:ab  UHLc       0   143368     -     4 em0
172.16.0.5         8a:2f:e3:6e:00:64  UHLc       0   141541     -     4 em0
172.16.0.6         00:0c:29:71:10:bd  UHLc       0   238784     -     4 em0
172.16.0.8         52:54:00:9f:d4:df  UHLc       0   151386     -     4 em0
...
172.16.0.196       fe:b6:96:ee:53:5a  UHLc       0   125966     -     4 em0
172.16.0.197       00:00:5e:00:01:c8  UHLl       0     5417     -     1 carp0
172.16.0.198       90:e2:ba:c3:df:78  UHLl       0     8220     -     1 em0
172.16.0.199       90:e2:ba:c3:df:7c  UHLc       0     4705     -     4 em0
172.16.0.200       00:00:5e:00:01:c8  UHLl       0    12612     -     1 carp0
172.16.0.202       52:54:00:c8:0f:d2  UHLc       0       27     -     4 em0
172.16.254.99      78:48:59:d6:77:1c  UHLc       0   289643     -     4 em0
172.16.255.255     172.16.0.198       UHb        0        0     -     1 em0
172.16.255.255     172.16.0.200       HPb        0        0     -     1 carp0
172.16.255.255     172.16.0.197       HPb        0        0     -     1 carp0
172.17/16          192.168.3.11       UGS        0   820865     -     8 em1
172.18/16          192.168.3.11       UGS        0      555     -     8 em1
172.19/16          192.168.3.11       UGS        0   150326     -     8 em1
172.20/16          192.168.3.11       UGS        0    61888     -     8 em1
172.30.0/24        192.168.3.11       UGS        0        0     -     8 em1
172.31/16          192.168.3.10       UGS        0        0     -     8 em1
192.168.2/24       192.168.2.229      UC         2      506     -     4 em1
192.168.2/24       192.168.2.3        C          0        0     -     4 carp1
192.168.2.1        c0:25:06:2a:eb:38  UHLc       0      759     -     4 em1
192.168.2.3        00:00:5e:00:01:03  UHLl       0       63     -     1 carp1
192.168.2.4        46:52:22:77:e6:54  UHLc       0  1080487     -     4 em1
192.168.2.229      90:e2:ba:c3:df:79  UHLl       0        9     -     1 em1
192.168.2.255      192.168.2.229      UHb        0        0     -     1 em1
192.168.2.255      192.168.2.3        Hb         0        0     -     1 carp1
192.168.3/24       192.168.3.229      UC        10     2736     -
Re: problem with carp on 5.9, MAC address of carp interface?
Hello Martin

On 04/25/16 11:12, Martin Pieuchot wrote:
> On 25/04/16(Mon) 10:47, Kim Zeitler wrote:
>> He is running a carp interface on top of a vlan interface. In this
>> scenario the carp interface can not be pinged but the vlan interfaces can.
>
> Do you mean the CARP node does not answer to ping with a destination
> address on the carp(4) interfaces?  Is it for MASTER, BACKUP or both?

em2 (no ip) ---> vlan100 (192.168.150.200) ---> carp2 (192.168.150.1)
             \ --> vlan101 (192.168.151.200) ---> carp3 (192.168.151.1)

This is my setup if I ping either address assigned to carp2 or carp3 from a host on the network I do not get an answer, pinging the vlan address answers.

One node is clearly in MASTER, the other in BACKUP, demote works.

The host also has two further carp interfaces sitting directly on a physical interface which work as expected.

>> I described a similar issue here
>> https://www.mail-archive.com/misc@openbsd.org/msg146230.html
>> but sadly had no replies yet
>
> How do your routing table looks like?

# route -n show
...
192.168.150/24     192.168.150.202    CP         0        2     -     4 vlan100
192.168.150/24     192.168.150.1      CP         0        0     -     4 carp2
192.168.150.1      00:00:5e:00:01:c9  UHLl       0        0     -     1 carp2
192.168.150.202    90:e2:ba:c3:df:7a  UHLl       0        0     -     1 vlan100
192.168.150.255    192.168.150.202    HPb        0        0     -     1 vlan100
192.168.150.255    192.168.150.1      HPb        0        0     -     1 carp2
192.168.151/24     192.168.151.202    CP         0        2     -     4 vlan101
192.168.151/24     192.168.151.1      CP         0        0     -     4 carp3
192.168.151.1      00:00:5e:00:01:ca  UHLl       0        0     -     1 carp3
192.168.151.202    90:e2:ba:c3:df:7a  UHLl       0        0     -     1 vlan101
192.168.151.255    192.168.151.202    HPb        0        0     -     1 vlan101
192.168.151.255    192.168.151.1      HPb        0        0     -     1 carp3

>> Currently I am upgrading my cluster to the latest snapshot to see if
>> there is any change.
>
> There won't be no change.

If it helps, here are the hostname.if configs for vlan100 and carp2

# cat /etc/hostname.em2
up

# cat /etc/hostname.vlan100
inet 192.168.150.200 255.255.255.0 192.168.150.255 vlan 100 vlandev em2

# cat /etc/hostname.carp2
inet 192.168.150.1 255.255.255.0 192.168.150.255 vhid 201 carpdev vlan100 pass 1234 group wlan

Cheers
Kim
Re: problem with carp on 5.9, MAC address of carp interface?
Hello Martin, hello Sebastian

On 04/25/16 10:15, Martin Pieuchot wrote:
> On 25/04/16(Mon) 09:48, Sebastian Reitenbach wrote:
>> I'm trying to upgrade a HA carped firewall cluster to 5.9 but run into
>> issues.
>
> Which issues?  After reading your whole email I still don't understand
> your problem(s).  What does not work?

He is running a carp interface on top of a vlan interface. In this scenario the carp interface can not be pinged but the vlan interfaces can.

I described a similar issue here https://www.mail-archive.com/misc@openbsd.org/msg146230.html but sadly had no replies yet

Currently I am upgrading my cluster to the latest snapshot to see if there is any change.

Cheers
Kim
Carp interface sitting on vlan can not be pinged
Hello

Maybe a stupid question, but is it possible to run a carp(4) interface on vlan(4) interfaces?

In the following setup we have the problem that both boxes can be pinged on their address associated with their respective vlan(4) interface, but not on the carp(4) interface IP. Both boxes are recent installs and are running -current.

em2 (no ip) ---> vlan100 (192.168.150.200) ---> carp2 (192.168.150.1)
             \
              --> vlan101 (192.168.151.200) ---> carp3 (192.168.151.1)

respectively the corresponding node using .202 instead of .200 for the vlan(4) interfaces

== The configuration ==

# uname -a
OpenBSD router12 5.9 GENERIC.MP#1983 amd64

# cat /etc/hostname.em2
up
# cat /etc/hostname.vlan100
inet 192.168.150.200 255.255.255.0 192.168.150.255 vlan 100 vlandev em2
# cat /etc/hostname.carp2
inet 192.168.150.1 255.255.255.0 192.168.150.255 vhid 201 carpdev vlan100 pass 1234 group wlan

# cat /etc/pf.conf
...
pass quick on {em2,vlan100,vlan101} proto carp
...
pass inet proto icmp icmp-type $icmp_types
pass vlan100:network
...

# netstat -rn
...
192.168.150/24     192.168.150.200    UCP    0   4401  -  4 vlan100
192.168.150/24     192.168.150.1      CP     0      0  -  4 carp2
192.168.150.1      00:00:5e:00:01:c9  UHLl   0   9981  -  1 carp2
192.168.150.200    90:e2:ba:c1:11:11  UHLl   0     30  -  1 vlan100
192.168.150.255    192.168.150.200    UHPb   0     80  -  1 vlan100
192.168.150.255    192.168.150.1      HPb    0      0  -  1 carp2
192.168.151/24     192.168.151.200    UCP    1   3040  -  4 vlan101
192.168.151/24     192.168.151.1      CP     0      0  -  4 carp3
192.168.151.1      00:00:5e:00:01:ca  UHLl   0    182  -  1 carp3
192.168.151.200    90:e2:ba:c1:11:11  UHLl   0     36  -  1 vlan101
192.168.151.255    192.168.151.200    UHPb   0      0  -  1 vlan101
192.168.151.255    192.168.151.1      HPb    0      0  -  1 carp3

Cheers
Kim
Re: Squid slow in connecting to SSL
Sorry for the long wait, but I had a free weekend and none of the site techs got back to me until later today.

On 01/29/16 22:03, Stuart Henderson wrote:
>>> If you have contact with any of the site admins see if they are running
>>> on linux with tcp_tw_recycle=1, I think there is a strong possibility
>>> that they are, and if so then they should fix their configuration.
>>
>> I wrote to our contact there and am trying to get the information if
>> they are using this setting.

I managed to get the information from their server and sadly

net.ipv4.tcp_tw_recycle = 0

> Typical Linux behaviour (at least the version I tried) is to use a single
> counter for all TCP sessions from the host so it would be more likely to
> use 1,2,3 - 7,8,9 - 49,50,51 - 67,68,69.
>
> This isn't required by TCP though - that only needs timestamps *within a
> session* i.e. src+dest host-port quad - to be increasing. Multiple
> sessions are treated separately and can be in any order wrt each other.
> If I understand correctly tw_recycle reduces it to just src+dest *host*.
>
> If you have two hosts with the simple behaviour (single counter) going
> through a NAT, it doesn't usually touch timestamps so they will be out
> of order - maybe 49,50,51 - 67,68,69 - 1,2,3 - 7,8,9. This is OK as far
> as TCP goes but breaks with tw_recycle. But in the NAT case it's usually
> only noticed if two people from behind the same NAT visit the site
> within the TIME_WAIT timeout window.
>
> For a proxy, there is a cutoff. There are two TCP sessions end-to-end,
> the packet data are copied across but not headers. The headers are
> subject to the proxy's OS's behaviour.
>
> Now... OpenBSD randomizes these per session. A random offset is applied
> and stored as part of the TCP state. This is good because it's extra
> entropy to help protect against blind spoofing, and avoids leaking
> information about the host's uptime. So simplified example you could
> have 4 consecutive sessions using 1,2,3 - 49,50,51 - 67,68,69 - 7,8,9
> -- and that's ok.
>
> In spec for TCP, suggested by the newer RFC, and as you can see above,
> it's totally normal for a NATted connection to act like this. It's just
> that Linux's tw_recycle misfeature gets confused.
>
> If you run the proxy on an OS which doesn't offset timestamps like this
> (note that OpenBSD has done this for many years), you won't trigger it,
> but run it on OpenBSD and it's easy. You'll also be able to trigger it
> by connecting from a single machine with a simple timestamp but running
> the connection through a PF nat with the "modulate timestamps" option.
>
> It can be worked around on your side. But if you do that the server
> admins will likely never fix things (and maybe blame it on OpenBSD) so
> I'm reluctant to mention it on list - and that workaround will throttle
> tcp for all connections to/from the server, limiting you to about 5Mb
> max for transatlantic connections.

Thank you Stuart again for this great explanation of this behaviour. Sadly, as noted above, the server doesn't have this option set. I am currently at a loss and will gladly provide more information.

Cheers
Kim
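Stuart's explanation above can be checked with a small model. The following Python is an added example written for this archive page, not code from the thread, from OpenBSD or from Linux: it models a receiver that remembers the last TCP timestamp seen per source address and drops a SYN carrying an older one (the tcp_tw_recycle heuristic), beside a receiver that keeps that memory per connection (what RFC 7323 PAWS actually requires), and feeds both the toy timestamp sequences from the quoted text. The class and function names, the documentation source address 203.0.113.5, the port numbers and the 60 s window are my assumptions.

```python
"""Model of the TCP timestamp check that tcp_tw_recycle applied per source
address, beside the per-connection check PAWS really needs.

Added example for this page; not code from the thread, OpenBSD or Linux.
Names, the source address 203.0.113.5 and the 60 s window are assumptions.
"""
from collections import namedtuple

# One SYN: who sent it, from which port, with which TSval, and when it arrived.
Syn = namedtuple("Syn", "src_ip src_port tsval arrival_ms")

TIME_WAIT_MS = 60_000        # assumed TIME_WAIT length on the receiver
TS_MASK = 0xFFFFFFFF         # TCP timestamps are 32-bit modular values


def ts_before(a, b):
    """True if 32-bit timestamp a is older than b (RFC 7323 modular compare)."""
    return ((a - b) & TS_MASK) > 0x7FFFFFFF


class Receiver:
    """SYN admission with a remembered timestamp per key.

    key_fn decides what the memory is keyed on:
      per_connection -> (src_ip, src_port): what PAWS needs, one session at a time
      per_host       -> src_ip: the tcp_tw_recycle heuristic, all sessions of a host
    A SYN whose TSval is older than the remembered one, inside the window, is
    treated as a stale segment and dropped; nothing is sent back.
    """

    def __init__(self, key_fn, window_ms=TIME_WAIT_MS):
        self.key_fn = key_fn
        self.window_ms = window_ms
        self.last = {}           # key -> (tsval, arrival_ms) of the last admitted SYN

    def admit(self, syn):
        key = self.key_fn(syn)
        prev = self.last.get(key)
        if (prev is not None
                and syn.arrival_ms - prev[1] < self.window_ms
                and ts_before(syn.tsval, prev[0])):
            return False
        self.last[key] = (syn.tsval, syn.arrival_ms)
        return True


def per_host(syn):
    return syn.src_ip


def per_connection(syn):
    return (syn.src_ip, syn.src_port)


def make_syns(src_ip, first_tsvals, first_port=40000, gap_ms=1000):
    """One SYN per session, each from a fresh source port, one second apart.
    Only the first TSval of a session matters for admission, so that is all we model."""
    return [Syn(src_ip, first_port + i, ts, i * gap_ms)
            for i, ts in enumerate(first_tsvals)]


def dropped(key_fn, first_tsvals, src_ip="203.0.113.5"):
    """Run the sessions through a fresh receiver; return the TSvals that were dropped."""
    rx = Receiver(key_fn)
    return [s.tsval for s in make_syns(src_ip, first_tsvals) if not rx.admit(s)]


# Session-start timestamps, reusing the toy numbers from the quoted mail (constructed).
SINGLE_COUNTER = [1, 7, 49, 67]   # one host, one monotonic clock (typical Linux sender)
RANDOM_OFFSET = [1, 49, 67, 7]    # one host, random per-connection offset (OpenBSD sender)
NAT_MERGED = [49, 67, 1, 7]       # two single-counter hosts sharing one NAT address


if __name__ == "__main__":
    for label, seq in (("single counter", SINGLE_COUNTER),
                       ("random offset", RANDOM_OFFSET),
                       ("two hosts behind NAT", NAT_MERGED)):
        print(f"{label:22s} per-host drops {dropped(per_host, seq)}, "
              f"per-connection drops {dropped(per_connection, seq)}")
```

Running it shows the single-counter sender losing nothing at either receiver, while the per-host receiver drops the fourth session of the random-offset sender and both sessions of the second host behind the NAT; the per-connection receiver drops none of them, which is the point Stuart makes: the ordering across sessions is irrelevant to TCP and only the recycle heuristic cares.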
Re: Squid slow in connecting to SSL
On 01/28/16 23:04, Stuart Henderson wrote:
> On 2016-01-28, Kim Zeitler <kim.zeit...@konzept-is.de> wrote:
>> currently I try to solve the phenomenon, that certain SSL sites are slow
>> when accessed via squid on OpenBSD. Mostly ownCloud in my case as well
>> as several web shops. The login screen alone taking minutes to load.
>
> I'm not seeing that here (squid 3.5.13 and squidclamav from packages on
> recent -current, in front of a handful of Windows boxes and 30-odd
> OpenBSD/GNOME/Chromium/LibreOffice workstations).

Running a similar sized setup here with ~60 clients (Win/Linux/OpenBSD) and normal operation is fine, some complaints about it being slightly slow but...

> Need more information. If it's consistent for certain sites, which
> sites? Have you looked in logs etc?

I gladly provide any information you need. It was reported to me that several webshops seem to have this problem and one of our clients' ownCloud sites (I'll send you the link off-list). I have access to the logs and they show a mixture of 200 and 503

# /var/squid/logs/access.log
...
1454058493.156     67 172.16.10.42 TCP_TUNNEL/200 2748 CONNECT owncloud.some.domain:443 - HIER_DIRECT/ -
1454058498.761  18089 172.16.10.42 TCP_TUNNEL/200 20017 CONNECT owncloud.some.domain:443 - HIER_DIRECT/ -
1454058498.830     65 172.16.10.42 TCP_TUNNEL/200 2917 CONNECT owncloud.some.domain:443 - HIER_DIRECT/ -
1454058498.899     67 172.16.10.42 TCP_TUNNEL/200 4307 CONNECT owncloud.some.domain:443 - HIER_DIRECT/ -
1454058499.091   6055 172.16.10.42 TCP_TUNNEL/200 866 CONNECT owncloud.some.domain:443 - HIER_DIRECT/ -
1454058499.268   6110 172.16.10.42 TCP_TUNNEL/200 33106 CONNECT owncloud.some.domain:443 - HIER_DIRECT/ -
1454058540.011  59136 172.16.10.42 TAG_NONE/503 0 CONNECT owncloud.some.domain:443 - HIER_NONE/- -
1454058541.017  59623 172.16.10.42 TAG_NONE/503 0 CONNECT owncloud.some.domain:443 - HIER_NONE/- -
1454058547.097  59817 172.16.10.42 TAG_NONE/503 0 CONNECT owncloud.some.domain:443 - HIER_NONE/- -
1454058558.228  59326 172.16.10.42 TAG_NONE/503 0 CONNECT owncloud.some.domain:443 - HIER_NONE/- -
1454058559.036  59766 172.16.10.42 TAG_NONE/503 0 CONNECT owncloud.some.domain:443 - HIER_NONE/- -
1454058559.036  59943 172.16.10.42 TAG_NONE/503 0 CONNECT owncloud.some.domain:443 - HIER_NONE/- -
1454058559.087  18066 172.16.10.42 TCP_TUNNEL/200 6251 CONNECT owncloud.some.domain:443 - HIER_DIRECT/ -
1454058559.116     74 172.16.10.42 TCP_TUNNEL/200 1096 CONNECT owncloud.some.domain:443 - HIER_DIRECT/ -
1454058559.121     78 172.16.10.42 TCP_TUNNEL/200 4679 CONNECT owncloud.some.domain:443 - HIER_DIRECT/ -
1454058559.174     77 172.16.10.42 TCP_TUNNEL/200 7765 CONNECT owncloud.some.domain:443 - HIER_DIRECT/ -
1454058564.304   6071 172.16.10.42 TCP_TUNNEL/200 15279 CONNECT owncloud.some.domain:443 - HIER_DIRECT/ -
1454058600.688  60672 172.16.10.42 TAG_NONE/503 0 CONNECT owncloud.some.domain:443 - HIER_NONE/- -
1454058607.767  60665 172.16.10.42 TAG_NONE/503 0 CONNECT owncloud.some.domain:443 - HIER_NONE/- -
1454058607.838     67 172.16.10.42 TCP_TUNNEL/200 2395 CONNECT owncloud.some.domain:443 - HIER_DIRECT/ -
1454058607.842     72 172.16.10.42 TCP_TUNNEL/200 3877 CONNECT owncloud.some.domain:443 - HIER_DIRECT/ -
1454058607.989    172 172.16.10.42 TCP_TUNNEL/200 21988 CONNECT owncloud.some.domain:443 - HIER_DIRECT/ -
1454058613.832   6061 172.16.10.42 TCP_TUNNEL/200 1197 CONNECT owncloud.some.domain:443 - HIER_DIRECT/ -
1454058613.870   6063 172.16.10.42 TCP_TUNNEL/200 7086 CONNECT owncloud.some.domain:443 - HIER_DIRECT/ -
1454058625.902  18089 172.16.10.42 TCP_TUNNEL/200 21260 CONNECT owncloud.some.domain:443 - HIER_DIRECT/ -

>> The current configuration is squid-ldap(3.5.13) from packages on
>> -current running on a KVM host as VM (4 cores, 2GB RAM, virtio HDD
>> and NIC)
>
> That seems a bit low RAM for Squid, but I doubt that's the problem for
> TLS sites which will just be CONNECT tunnels unless you've made a lot
> more config changes than you mentioned.

I doubled the RAM on the machine, but no difference. As a test whether the virtualization is to blame we set up a similar machine on HW, basically virgin -current with only squid installed from packages without touching the config in any way, and had the same effect. As an idea I added a local unbound to the test proxy and had squid run its DNS through that, but to no avail.
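The mixture of TCP_TUNNEL/200 and TAG_NONE/503 lines above is easier to read once grouped per destination. The following Python is an added example for this page, not code from the thread or from the Squid project: it parses Squid's native access.log format (as shown above), counts successful versus failed CONNECT tunnels per destination and reports the median elapsed time of each group, so a site whose failures all take about a minute (a connect timeout) stands out. The sample log lines are constructed to match the pattern above, and the function names and the thresholds in suspicious() are my choices.

```python
"""Group Squid native access.log entries per CONNECT destination.

Added example for this page; not code from the thread or from Squid.
The sample lines below are constructed to match the thread's log format; the
function names and thresholds are assumptions.
"""
import re
import statistics
from collections import defaultdict

# Squid's native log format, one entry per line:
#   time.ms elapsed_ms client result/status bytes method url ident hier/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S*)\s+(?P<type>\S+)$"
)


def parse_line(line):
    """Return a dict for one log entry, or None for a line that is not one."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    for key in ("elapsed", "status", "bytes"):
        rec[key] = int(rec[key])
    return rec


def summarise(lines, method="CONNECT"):
    """Per destination: how many tunnels succeeded or failed, and the median
    elapsed time (ms) of each group.  Non-matching lines and other methods are skipped."""
    per_dest = defaultdict(lambda: {"ok": [], "fail": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != method:
            continue
        bucket = "ok" if 200 <= rec["status"] < 400 else "fail"
        per_dest[rec["url"]][bucket].append(rec["elapsed"])
    report = {}
    for dest, groups in per_dest.items():
        ok, fail = groups["ok"], groups["fail"]
        report[dest] = {
            "total": len(ok) + len(fail),
            "failures": len(fail),
            "failure_ratio": len(fail) / (len(ok) + len(fail)),
            "ok_median_ms": statistics.median(ok) if ok else None,
            "fail_median_ms": statistics.median(fail) if fail else None,
        }
    return report


def suspicious(report, min_ratio=0.2, timeout_ms=55_000):
    """Destinations whose CONNECTs fail often and whose failures take about
    as long as a connect timeout: the pattern of a peer that silently drops SYNs."""
    return sorted(dest for dest, r in report.items()
                  if r["failure_ratio"] >= min_ratio
                  and r["fail_median_ms"] is not None
                  and r["fail_median_ms"] >= timeout_ms)


# Constructed sample in the same shape as the thread's access.log excerpt.
SAMPLE_LOG = """\
1454058493.156     67 172.16.10.42 TCP_TUNNEL/200 2748 CONNECT owncloud.some.domain:443 - HIER_DIRECT/ -
1454058498.761  18089 172.16.10.42 TCP_TUNNEL/200 20017 CONNECT owncloud.some.domain:443 - HIER_DIRECT/ -
1454058540.011  59136 172.16.10.42 TAG_NONE/503 0 CONNECT owncloud.some.domain:443 - HIER_NONE/- -
1454058541.017  59623 172.16.10.42 TAG_NONE/503 0 CONNECT owncloud.some.domain:443 - HIER_NONE/- -
1454058559.116     74 172.16.10.42 TCP_TUNNEL/200 1096 CONNECT owncloud.some.domain:443 - HIER_DIRECT/ -
1454058600.000    120 172.16.10.42 TCP_TUNNEL/200 5120 CONNECT shop.example:443 - HIER_DIRECT/ -
1454058601.000     88 172.16.10.42 TCP_MISS/200 4096 GET http://shop.example/ - HIER_DIRECT/ text/html
"""

if __name__ == "__main__":
    rep = summarise(SAMPLE_LOG.splitlines())
    for dest, r in rep.items():
        print(dest, r)
    print("suspicious:", suspicious(rep))
```

Pointed at a real /var/squid/logs/access.log (open the file and pass its lines to summarise()), the interesting signal is not the failure count alone but the failures' elapsed time clustering near a round timeout, which separates a peer that drops connection attempts from one that is merely slow or overloaded.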
Re: Squid slow in connecting to SSL
On 01/29/16 15:00, Stuart Henderson wrote:
> $ curl https://owncloud.XX/apps/files_pdfviewer/js/previewplugin.js
> curl: (7) Failed to connect to owncloud.XX port 443: Operation timed out
>
>> I have access to the logs and they show a mixture of 200 and 503
>
> ...and that pretty much matches the pattern I've seen connecting by
> hand, so it's no big surprise that there are problems with the proxy too.

Glad that you could reproduce the problem, I was starting to doubt my own abilities with a 'simple' proxy.

> If you have contact with any of the site admins see if they are running
> on linux with tcp_tw_recycle=1, I think there is a strong possibility
> that they are, and if so then they should fix their configuration.

I wrote to our contact there and am trying to get the information if they are using this setting.

> They're likely to be breaking connections for NATted clients too (and
> this is only going to get worse as more ISPs start using CG-NAT for
> IPv4). The links in the above post have detailed explanations.
>
> OpenBSD uses this method which is described in RFC7323 sec 5.4
> (OpenBSD's implementation predates this RFC by some years).
>
>    o  A random offset may be added to the timestamp clock on a per-
>       connection basis.  See [RFC6528], Section 3, on randomizing the
>       initial sequence number (ISN).  The same function with a
>       different secret key can be used to generate the per-connection
>       timestamp offset.
>
> There was a recent-ish change to the method used to generate the
> offsets (MD5 to SHA512), I wondered if that had changed anything so
> I've just checked from a 5.6 box, it does exactly the same - if I make
> repeated connections to the owncloud box, some of them fail.

Currently I am not fully able to get my mind round the details in the post, but if I read it correctly the machine running with tw_recycle has problems associating connections correctly together because of similar host,port pairs but different timestamps. Shouldn't this cause problems with all proxied or NATed connections? Am simply asking as I somehow can't fit it in that openbsd+squid shows this particular behaviour yet {freebsd,debian}+squid does not.

Thanks Stuart so far for what you have found and the patience to explain it to me.

Cheers
Kim
Squid slow in connecting to SSL
Hello all,

currently I am trying to solve the phenomenon that certain SSL sites are slow when accessed via squid on OpenBSD. Mostly ownCloud in my case as well as several web shops. The login screen alone takes minutes to load. I tested this also with squid running on a debian vm, showing no problems at all.

The current configuration is squid-ldap(3.5.13) from packages on -current running on a KVM host as VM (4 cores, 2GB RAM, virtio HDD and NIC). My squid.cfg is basically the default except for setting $localnet a bit stricter.

Any help is much appreciated

Cheers
Kim
Re: Advices for a new laptop
> What about the B50-80 (80LT003C): i3, Intel HD 4400, wifi B/G/N/AC,
> Gigabit Ethernet, 2x USB3.

Got some for testing here (meant to run Windows actually) and had some minor issues with them and sadly not enough time to look fully into it. But first impressions weren't that 'impressive'.

> My x220 is outstanding. The only device that isn't supported is the
> fingerprint reader. Also the mSATA slot is great for a second SSD. I
> dual boot OpenBSD and Arch (for when I need a Virtual Machine) and just
> use the F12 key at boot to select the drive I boot off of. Really
> simplifies the set up. Also you can put 16gb of ram in this model (even
> with an i5 processor) even though the specs say max of 8gb.

Can only second this, running on an older x220 with an i7 on a fully encrypted mSATA SSD. Still faster than my coworkers' newer kits. Only thing I had to replace was one battery. Otherwise fine even after several years of service. Money on an x220 is well spent. Also they feel more solid than the B50s.

Need to try extending my RAM to 16GB - thanks for the hint Bryan.

Cheers,
Kim
Re: pledge(2) problems on 18/x/ octeon snapshot
>>> Might be a stupid question, but I haven't found an answer to it yet -
>>> how does one update to a new snapshot/kernel on an octeon system?
>>
>> boot bsd.rd and select upgrade in the installer. (i hope.)
>
> I'm afraid this is not as simple as this, yet. You will also need to
> copy your kernel to the fat16 partition created during the install,
> since this is the only filesystem #$%^@# u-boot can read.

Wouldn't this be a sensible addition to the INSTALL.octeon readme? Something along the lines of:

--- INSTALL.octeon.new Wed Oct 21 09:29:17 2015
+++ INSTALL.octeon Wed Oct 21 09:34:50 2015
@@ -816,7 +816,8 @@
 helper script, since all components of your system may not function
 correctly until your files in `/etc' are updated.
-
+Note: Due to the limitations of U-Boot scripts/bootloader you need to
+copy your new bsd and bsd.rd to the MSDOS partition.
 
 Getting source code for your OpenBSD System:
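Review bot: the added note in the `@@ -816,7 +816,8 @@` hunk says "Due to the limitations of U-Boot scripts/bootloader" without naming the limitation the thread identified, and it does not tell the reader how to recognise or mount "the MSDOS partition"; suggest wording along the lines of "U-Boot can only load the kernel from the MSDOS (FAT) partition created by the installer, so after upgrading copy the new bsd and bsd.rd there" and a pointer to the part of this document that describes that partition. The hunk also replaces the blank line (`-`) with the note text, which glues it to the preceding paragraph; keep a blank line before the note and before "Getting source code".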
Re: pledge(2) problems on 18/x/ octeon snapshot
Hello

On 10/19/15 19:58, Sebastien Marie wrote:
> RELEASE 5.8 returns ENOSYS ("Function not implemented") on tame(2) call
> (which is the old name for pledge, so with the same syscall number).

I pulled the kernel down from the same URL path as the tgz I used. Before reinstalling the system I noticed the kernel login string having an older date than the snapshot.

> It would be great if you can grab the kernel version echoed at boot
> time. You could use `boot -c' in the boot loader, in order to enter
> config mode, and have the time to read the OpenBSD version.

Sadly EdgeRouterLite have no 'real bootloader' but use U-Boot. Which I guess is part of the problem.

My steps were as follows:

mv bsd obsd
mv /tmp/bsd /bsd
mv /tmp/bsd.rd /bsd.rd
reboot

Can it be that U-Boot does not cleanly reload the new kernel on reboot?

Cheers,
Kim
Re: pledge(2) problems on 18/x/ octeon snapshot
Sorry for the last empty answer - you shouldn't try to multi-task

> boot bsd.rd and select upgrade in the installer. (i hope.)

Thanks for the answer Ted, I will try it with the next snapshot and will give feedback

Cheers
Kim
Re: pledge(2) problems on 18/x/ octeon snapshot
On 10/20/15 15:30, Ted Unangst wrote:
> Kim Zeitler wrote:
>> Hello Sebastien, hello Jonathan
>>
>> @Sebastien thank you for your valuable hints and advice, I did learn
>> quite a bit from it. The machine has been reinstalled to the latest
>> snapshot, as it is needed.
>>
>> On 10/20/15 12:30, Jonathan Gray wrote:
>>> There is no OpenBSD bootloader for armv7 or octeon, in part because
>>> u-boot by default provides no interface for enumerating disks,
>>> reading blocks or putc/getc equivalents unlike firmware shipped with
>>> almost every other system. As a result the kernel has to live on
>>> filesystems u-boot understands, fat32 or ext2 not ffs. So /bsd will
>>> not be the kernel that is loaded.
>>
>> Might be a stupid question, but I haven't found an answer to it yet -
>> how does one update to a new snapshot/kernel on an octeon system?
>
> boot bsd.rd and select upgrade in the installer. (i hope.)

-- 
Kim Zeitler
Bachelor of Science (Hons)

Konzept Informationssysteme GmbH
Am Weiher 13 • 88709 Meersburg
Fon: +49 7532 4466-240
Fax: +49 7532 4466-66
kim.zeit...@konzept-is.de
www.konzept-is.de
Amtsgericht Freiburg 581491 • Geschäftsführer: Heinz Grötzinger, Dr. Udo Konzack, Hans-Peter Zimmermann
Re: pledge(2) problems on 18/x/ octeon snapshot
Hello Sebastien, hello Jonathan

@Sebastien thank you for your valuable hints and advice, I did learn quite a bit from it. The machine has been reinstalled to the latest snapshot, as it is needed.

On 10/20/15 12:30, Jonathan Gray wrote:
> There is no OpenBSD bootloader for armv7 or octeon, in part because
> u-boot by default provides no interface for enumerating disks, reading
> blocks or putc/getc equivalents unlike firmware shipped with almost
> every other system. As a result the kernel has to live on filesystems
> u-boot understands, fat32 or ext2 not ffs. So /bsd will not be the
> kernel that is loaded.

Might be a stupid question, but I haven't found an answer to it yet - how does one update to a new snapshot/kernel on an octeon system?

> kernel arguments like -c to get into ukc can be set via setenv bootargs
> though it seems the octeon code may not use that while armv7 does.

This was the part I was missing, ta.

Cheers,
Kim
OpenIKED - send traffic selectors in own child sa
Hello

Running -current I have currently got a minor issue with iked. Trying to connect a security gateway running OpenIKED to a Fortinet IPSEC fw. The connection is set up and seems to work (mostly) but the following behaviour is a bit of an issue.

IKED sends one CHILD_SA request containing all Traffic Selectors. This conforms to RFC 5996. Sadly some of the proprietary VPN boxes have a *suboptimal* implementation and want *one* CHILD_SA per traffic selector. Reading ikevd/ikev2.c I found comments about iked not being able to initiate multiple concurrent CREATE_CHILD_SA exchanges.

Coming round to my question - is it somehow possible to configure iked in such a way that it sends one CHILD_SA per Traffic Selector, or do I read the code correctly and it is simply NOT possible?

Cheers
Kim
pledge(2) problems on 18/x/ octeon snapshot
I just tried updating an EdgeRouterLite to the latest octeon snapshot after replacing the kernel and unpacking base58.tgz

Literally all commands lead to:

pledge: Function not implemented

I would offer a ktrace/kdump but sadly my kdump also returns with said error.

Cheers,
Kim
Re: cu with XMODEM won't transfer file
Hello

On 10/05/15 19:59, Nicholas Marriott wrote:
> On Mon, Oct 05, 2015 at 10:07:21AM -0700, Philip Guenther wrote:
>> On Mon, Oct 5, 2015 at 6:54 AM, Kim Zeitler <kim.zeit...@konzept-is.de> wrote:
>>> I am trying to transfer a new firmware to a switch using cu(1) with
>>> XMODEM using a USB-to-RS232 adapter and running on -current.
>>> Connection works fine, but for the XMODEM resulting in 'Resource
>>> temporarily unavailable'
>>>
>>> $cu -d -l /dev/ttyU0
>>> ...
>>> ~X
>>> Local file? /tmp/fw.swi
>>> cu: /tmp/fw.swi: Resource temporarily unavailable
>>
>> The -d option makes cu open the tty with O_NONBLOCK so that it won't
>> block for carrier; perhaps it should be clearing the flag afterwards?
>
> Hmm, no, it uses libevent, so maybe it should be *always* turning it
> on; xmodem_{read,write}() updated to use libevent too, or xmodem_send()
> updated to explicitly mark it blocking during the transfer.
>
> How about this? (Not tested as I don't have any serial cables around at
> the moment :-/)

I have just tested it and can confirm it works great. Many thanks to you for finding this and providing a patch so quickly.

Cheers
Kim

Index: command.c
===
RCS file: /cvs/src/usr.bin/cu/command.c,v
retrieving revision 1.14
diff -u -p -r1.14 command.c
--- command.c 5 Oct 2015 17:53:56 - 1.14
+++ command.c 5 Oct 2015 17:56:14 -
@@ -51,6 +51,7 @@ pipe_command(void)
 return;
 restore_termios();
+ set_blocking(line_fd, 1);
 switch (pid = fork()) {
 case -1:
@@ -81,6 +82,7 @@ pipe_command(void)
 break;
 }
+ set_blocking(line_fd, 0);
 set_termios();
 }
@@ -102,6 +104,7 @@ connect_command(void)
 return;
 restore_termios();
+ set_blocking(line_fd, 1);
 switch (pid = fork()) {
 case -1:
@@ -129,6 +132,7 @@ connect_command(void)
 break;
 }
+ set_blocking(line_fd, 0);
 set_termios();
 }
Index: cu.c
===
RCS file: /cvs/src/usr.bin/cu/cu.c,v
retrieving revision 1.22
diff -u -p -r1.22 cu.c
--- cu.c18 May 2015 09:35:05 - 1.22
+++ cu.c5 Oct 2015 17:56:14 -
@@ -186,6 +186,7 @@ main(int argc, char **argv)
 NULL);
 bufferevent_enable(output_ev, EV_WRITE);
+ set_blocking(line_fd, 0);
 line_ev = bufferevent_new(line_fd, line_read, NULL, line_error,
 NULL);
 bufferevent_enable(line_ev, EV_READ|EV_WRITE);
@@ -209,6 +210,21 @@ signal_event(int fd, short events, void
 }
 void
+set_blocking(int fd, int state)
+{
+ int mode;
+
+ if ((mode = fcntl(fd, F_GETFL)) == -1)
+ cu_err(1, "fcntl");
+ if (!state)
+ mode |= O_NONBLOCK;
+ else
+ mode &= ~O_NONBLOCK;
+ if (fcntl(fd, F_SETFL, mode) == -1)
+ cu_err(1, "fcntl");
+}
+
+void
 set_termios(void)
 {
 struct termios tio;
@@ -342,7 +358,7 @@ try_remote(const char *host, const char
 if (entry != NULL && cgetset(entry) != 0)
 cu_errx(1, "cgetset failed");
- error = cgetent(, (char**)paths, (char*)host);
+ error = cgetent(, (char **)paths, (char *)host);
 if (error < 0) {
 switch (error) {
 case -1:
Index: cu.h
===
RCS file: /cvs/src/usr.bin/cu/cu.h,v
retrieving revision 1.6
diff -u -p -r1.6 cu.h
--- cu.h10 Jul 2012 12:47:23 - 1.6
+++ cu.h5 Oct 2015 17:56:14 -
@@ -27,6 +27,7 @@ extern FILE *record_file;
 extern struct termios saved_tio;
 extern int line_fd;
 extern struct bufferevent *line_ev;
+voidset_blocking(int, int);
 intset_line(int);
 void set_termios(void);
 void restore_termios(void);
Index: xmodem.c
===
RCS file: /cvs/src/usr.bin/cu/xmodem.c,v
retrieving revision 1.7
diff -u -p -r1.7 xmodem.c
--- xmodem.c21 Sep 2014 05:29:47 - 1.7
+++ xmodem.c5 Oct 2015 17:56:14 -
@@ -137,8 +137,9 @@ xmodem_send(const char *file)
 if (tcsetattr(STDIN_FILENO, TCSAFLUSH, ) != 0)
 cu_err(1, "tcsetattr");
 }
-
+ set_blocking(line_fd, 1);
 tcflush(line_fd, TCIFLUSH);
+
 if (xmodem_read() != 0)
 goto fail;
 if (c == XMODEM_C)
@@ -214,6 +215,7 @@ fail:
 cu_warn("%s", file);
 out:
+ set_blocking(line_fd, 0);
 set_termios();
 sigaction(SIGINT, , NULL);
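Review bot: in the `pipe_command` and `connect_command` hunks of command.c the `set_blocking(line_fd, 1)` / `set_blocking(line_fd, 0)` pair brackets a `fork()`; because `O_NONBLOCK` is a file status flag on the open file description rather than on the descriptor, the child inherits blocking mode (which is what the external program needs) and the parent's `set_blocking(line_fd, 0)` after the `switch` flips both back. That is correct but non-obvious, so a one-line comment at the first call saying the line is deliberately left blocking while the child runs would help; the hunks as shown also do not make visible whether the `case -1:` error path still reaches the restoring call, which is worth checking.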
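Review bot: the `try_remote` hunk in cu.c (`- error = cgetent(, (char**)paths, (char*)host);` / `+ error = cgetent(, (char **)paths, (char *)host);`) is a cast-spacing cleanup unrelated to the O_NONBLOCK fix; committing it separately keeps the functional change reviewable on its own.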
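Review bot: in the `xmodem_send` hunk of xmodem.c the line is switched to blocking with `set_blocking(line_fd, 1)` before `tcflush()` and only switched back at `out:`, so every error path in between must reach `out:` (the visible `goto fail` does, since `fail:` falls through to `out:`); any early `return` would leave cu's libevent loop running on a blocking descriptor after a failed transfer. The hunk also just moves a blank line (`-` before `set_blocking`, `+` after `tcflush`); dropping that whitespace churn keeps the diff minimal.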
cu with XMODEM won't transfer file
Hello,

I am trying to transfer a new firmware to a switch using cu(1) with XMODEM using a USB-to-RS232 adapter and running on -current. Connection works fine, but for the XMODEM resulting in 'Resource temporarily unavailable'

$cu -d -l /dev/ttyU0
...
~X
Local file? /tmp/fw.swi
cu: /tmp/fw.swi: Resource temporarily unavailable
...

I tried this with different files and also with non-existing files, resulting correctly in a file not found.

$ ls -la /tmp/fw.swi
-rw-r--r--  1 zeitler  wheel  6903134 Oct  5 15:29 /tmp/fw.swi
$ ls -la /dev/ttyU0
crw-rw-rw-  1 uucp  dialer   66,   0 Oct  5 15:48 /dev/ttyU0

Any help on how to debug this further is much appreciated.

Cheers
Kim
-- 
Kim Zeitler
IKEd, rising SAD count and DPD
Hello

I have iked running connecting to a Fortigate FW. Running 'ipsecctl -s a' gives me the correct flows, but a rising number of SADs. The tunnel has been up 5 days and I got 212 SADs installed. Do I need to set up some kind of dpd to have the old SADs pulled down, or is my error that ikelifetime and lifetime are not in seconds?

# cat /etc/iked.conf
...
ikev2 "h" active esp \
    from $k_dev to $h_server \
    from $k_server to $h_dev \
    peer $h_gw \
    ikesa auth hmac-sha2-256 \
    enc aes-256 \
    group modp1536 \
    childsa auth hmac-sha2-256 \
    enc aes-256 \
    group modp1536 \
    srcid '80.80.80.80' \
    ikelifetime 28800 \
    lifetime 14400 \
    psk 'Some nice long hash'
...

Cheers,
Kim
pfkey_sa_last_used: message: No such process
Hi

I'm currently trying to set up an OpenIKED GW running 5.7-stable with a proprietary fw/VPN hosted at one of our clients. Seemingly it worked so far: ipsecctl shows flows and SADs. I was able to ping a machine on the 'other side' but this stopped without apparent reason. Diving deeper into the logs and running iked in the foreground gave me two messages, 'pfkey_sa_last_used: message: No such process' and 'ikev2_init_ike_sa: "h" is already active'. I would greatly appreciate any help with this one.

# ipsecctl -s all
FLOWS:
flow esp in from 192.168.80.120 to 172.16.10.0/24 peer 217.6.6.6 srcid IPV4/80.1.1.1 dstid IPV4/217.6.6.6 type use
flow esp out from 172.16.10.0/24 to 192.168.80.120 peer 217.6.6.6 srcid IPV4/80.1.1.1 dstid IPV4/217.6.6.6 type require
flow esp in from 192.168.106.0/24 to 192.168.3.30 peer 217.6.6.6 srcid IPV4/80.1.1.1 dstid IPV4/217.6.6.6 type use
flow esp out from 192.168.3.30 to 192.168.106.0/24 peer 217.6.6.6 srcid IPV4/80.1.1.1 dstid IPV4/217.6.6.6 type require
flow esp out from ::/0 to ::/0 type deny

SAD:
esp tunnel from 192.168.32.2 to 217.6.6.6 spi 0x2360324c auth hmac-sha2-256 enc aes-256
esp tunnel from 217.6.6.6 to 192.168.32.2 spi 0xa6537a08 auth hmac-sha2-256 enc aes-256

# iked -dvv
...
ikev2_sa_tag: (0)
ikev2_childsa_negotiate: proposal 2
ikev2_childsa_negotiate: key material length 128
ikev2_prfplus: T1 with 16 bytes
ikev2_prfplus: T2 with 16 bytes
ikev2_prfplus: T3 with 16 bytes
ikev2_prfplus: T4 with 16 bytes
ikev2_prfplus: T5 with 16 bytes
ikev2_prfplus: T6 with 16 bytes
ikev2_prfplus: T7 with 16 bytes
ikev2_prfplus: T8 with 16 bytes
ikev2_prfplus: Tn with 128 bytes
pfkey_sa_add: add spi 0x2360324c
pfkey_sa: udpencap port 4500
ikev2_childsa_enable: loaded CHILD SA spi 0x2360324c
pfkey_sa_add: update spi 0xa6537a08
pfkey_sa: udpencap port 4500
ikev2_childsa_enable: loaded CHILD SA spi 0xa6537a08
ikev2_childsa_enable: loaded flow 0x151839b73800
ikev2_childsa_enable: loaded flow 0x15180aa49400
ikev2_childsa_enable: loaded flow 0x151839b73c00
ikev2_childsa_enable: loaded flow 0x151839b73000
sa_state: VALID -> ESTABLISHED from 217.6.6.6:4500 to 192.168.32.2:4500 policy 'h'
config_free_proposals: free 0x15180bc69880
ikev2_recv: INFORMATIONAL request from responder 217.6.6.6:4500 to 192.168.32.2:4500 policy 'h' id 0, 80 bytes
ikev2_recv: ispi 0xd6e43c6448fe0750 rspi 0x7f77a74b12244234
ikev2_init_recv: unknown SA
ikev2_init_ike_sa: "h" is already active
-- last line repeated several times --
...

/var/log/daemon
...
Sep 21 11:38:46 h iked[8231]: pfkey_sa_last_used: message: No such process
Sep 21 11:39:46 h last message repeated 2 times
...

# cat /etc/iked.conf
...
ikev2 "h" active esp \
    from $k_dev to $h_server \
    from $postgres_server to $h_dev \
    peer $h_gw \
    ikesa auth hmac-sha2-256 \
    enc aes-256 \
    group modp1536 \
    childsa auth hmac-sha2-256 \
    enc aes-256 \
    group modp1536 \
    srcid '80.154.4.243' \
    ikelifetime 28800 \
    lifetime 28800 \
    psk ""

# cat /etc/pf.conf
...
block return    # block stateless traffic
pass proto udp to port $ipsec_types
pass in on $ext_if proto esp from $h_gw
pass out on $ext_if proto esp to $h_gw
pass in on $ipsec_if proto ipencap from $h_gw keep state (if-bound)
pass out on $ipsec_if proto ipencap to $h_gw keep state (if-bound)
pass proto tcp from $k_dev to $h_server port $test_ports
pass proto tcp from $h_server port $test_ports to $k_dev
pass proto tcp from $h_dev to $h_postgres port postgresql
pass proto tcp from $h_postgres port postgresql to $h_dev
pass proto tcp from $k to (self) port ssh
pass proto tcp from 192.168.32.1 to (self) port ssh
pass inet proto icmp icmp-type $icmp_types
...

-- 
Cheers
Kim
Re: Ubiquiti EdgeRouter Lite
> Here are my notes, which are basic, but should be enough to get you
> through if you're familiar with openbsd.
> http://www.tedunangst.com/flak/post/OpenBSD-on-ERL

Hi Ted,

I just worked through the /pub/OpenBSD/snapshots/octeon/INSTALL.octeon write-up and also read through your notes. Had problems getting the boot loader to work with either bootcmd. It booted but ignored my rootdev option. I finally managed to get it booting using

'fatload usb 0 $loadaddr bsd; bootoctlinux $loadaddr rootdev=/dev/sd0'

Any ideas on this?

Furthermore your notes said it to be a bit weak as an ipsec gw; I actually was trying to use it as a small VPN box with ipsec with 10M-50M throughput, can it handle this?

Cheers
Kim
Re: how to add squid access log in /etc/newsyslog.conf
Hello,

On 07/13/15 22:29, Stuart Henderson wrote:
> On 2015-07-13, Indunil Jayasooriya induni...@gmail.com wrote:
>> I deleted 30 from that line. Now it looks like this.
>>
>> /var/squid/logs/access.log _squid:_squid 640 14 * @T00Z /var/squid/logs/squid.pid
>>
>> Now it seems to work
>
> But now it sends the default signal which is HUP. In Squid, this drains
> existing connections and reloads the configuration, blocking new
> connections while that occurs. You probably want USR1.

This is correct, Squid wants a SIGUSR1 as this triggers the rotate (like calling squid -k rotate). You need to configure logfile_rotate 0 in the squid.conf. This tells squid to rotate the files but keep itself.

Your newsyslog.conf file should look like this

/var/squid/logs/cache.log _squid:_squid 640 2 250 @T00 ZB /var/run/squid.pid SIGUSR1

Compared to only using 'squid -k rotate' as Craig suggested, this will also compress the rotated log files.

Cheers
Kim
Re: Not able to pass BIOS drive check with OpenBSD drive attached
Hello Adrian,

On 31.07.2014 18:59, Adrian Jervolino wrote:
> My questions to you are:
> Has anybody run into similar issues and was able to resolve them?
> Do you think this is an OpenBSD related issue and actually solvable (in
> a reasonable amount of time)?
> Swapping the motherboard is currently no option, so I'm thankful for
> every hint.

We ran into this issue twice so far, once at the beginning of the year with a couple of Gigabyte boards and some weeks ago with a couple of Intel 4th Generation NUCs. The NUCs were simple to solve as Intel has provided a BIOS patch. With the Gigabytes, after one week we had analyzed it so far that simply attaching a HDD used under OpenBSD (not only a system disk that was installed upon) would trigger this problem. Rewriting the partition table with fdisk on another machine let the 'faulty' boards access their BIOS again and see the disks. Our suspicion at the time was the block size used by the OpenBSD system (512 vs 4k). We also disable UEFI boot in the BIOS.

Cheers,
Kim
Re: carp setup firewall
Hello Waldemar,

On 24.07.2014 17:44, Waldemar Brodkorb wrote:
> Hi Peter,
>
> Peter Hessler wrote,
>> if the addresses on the carp interface are out of sync, then the
>> hashes won't mash, and the firewalls *WILL* conflict with each other.
>>
>> I recommend one IP per carp interface. Far nicer in case you screw
>> that bit up, and much easier to balance IPs to one system or the other.
>
> Thanks for the hints. The previous firewall is managed via fwbuilder,
> which does manage all the ip aliases for the wan interface for us. It
> seems fwbuilder has some support for carp, but I am not sure it will
> work with ip aliases.

Thanks so far Waldemar, we have a similar setup here, with only a /29 range of external addresses. Until now we have had no problems running this using only one external carp IF (using a private IP) and adding all external addresses as aliases. But we do not use bi-nat for our DMZ servers.

As for fwbuilder, we did use it for some years with iptables, but during our switch to OpenBSD found writing pf.conf by hand gave a cleaner and faster fw. The file is under version control and distributed and enabled by Puppet on both our FW-CARP nodes.

Cheers,
Kim
libiconv-1.14p1 - library c not found, bad major
Hello,

yesterday I had to do a clean reinstall of a machine (RELEASE) and on installing additional packages I ran into a libc error "bad major" with libiconv.

# uname -a
OpenBSD gaia 5.5 GENERIC.MP#126 amd64
# export PKG_PATH=http://openbsd.cs.fau.de/pub/OpenBSD/5.5/packages/amd64/
# pkg_add -iv libiconv
Update candidates: quirks-1.113 - quirks-1.113 (ok)
Can't install libiconv-1.14p1 because of libraries
|library c.73.1 not found
| /usr/lib/libc.so.75.0 (system): bad major

Cheers,
-- 
Kim Zeitler
Re: libiconv-1.14p1 - library c not found, bad major
On 22.07.2014 17:55, Philip Guenther wrote:
>> OpenBSD gaia 5.5 GENERIC.MP#126 amd64
>
> That's not the 5.5 release. The 5.5 release GENERIC.MP for amd64 had a
> banner of:
>
> OpenBSD 5.5 (GENERIC.MP) #315: Wed Mar 5 09:37:46 MST 2014
>
> so the build number is clearly off. You have libc.so.75.0? That was only
> present for about a month starting in mid May. You've installed a
> snapshot of -current that's something between a month and 3 months old
> and *not* the 5.5 release. You'll have a hard time finding packages that
> match that, so you should reinstall with the correct release files.

Thanks Philip for your fast reply, that explains a lot - a colleague of mine gave me the install disk, claiming it to be the 5.5-Release.

*sigh* - if you want something done right ...

again many thanks.
Kim
Re: Only two holes in a heck of a long time, but why?
All in all the default install is pretty useless in itself and I am going to quote Absolute OpenBSD by Michael Lucas: «You've installed OpenBSD and rebooted into a bare-bones system. Of course, a minimal Unix-like system is actually pretty boring. While it makes a powerful foundation, it doesn't actually do much of anything.»

I may be a bit pedantic here, but considering Michael's quote, he said *boring*, not *useless*. This is also reflected in his second sentence ... making a *powerful* foundation ...

Having a small pool of OpenBSD machines running for web, email, CARPed firewalls and networking applications, I usually only install one ports package - puppet, to have it fit into our configuration management
Re: power failure resistance
Another possibility, which we use here, is mounting / ro and holding any other partition that needs rw as mfs filesystems (namely /tmp, /home, /var/log and /var/db). Syslog goes to a central server. These systems are managed via puppetd, and the client remounts / rw, runs, and remounts back to ro.

On 19.02.2014 12:38, Marko Cupać wrote:

Hi,

I need to deploy a number of openbsd firewalls based on alix2d13 hardware. The goal is to separate the industrial network from the LAN, in order to protect unpatched systems on the industrial network from potential malware on the LAN, while providing some level of access (mostly low-traffic VNC from LAN to industrial and sql in the opposite direction).

The problem is that we have a very unstable power grid, resulting in unclean shutdowns of devices. I cannot UPS them all. How can I configure the firewalls so they are resistant to those power failures (i.e. do not need fsck)? How should I partition? Which partitions should be mounted read-only? Which should be mounted as memory disks? Which size should I allocate for memory disks (RAM is a constraint here as I have only 256Mb)? Any other advice?

Thank you in advance,

--
Kim Zeitler
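A concrete layout for the read-only root with mfs scratch partitions that the reply above describes, as an added example that is not part of the thread: a constructed /etc/fstab fragment, a helper that sums the mfs sizes so they can be checked against the box's RAM, and the remount-rw/run/remount-ro wrapper the reply attributes to the puppet client. The DUID, the mfs sizes, the 128 MB headroom and the function names are assumptions; the wrapper needs root and is defined but not run.

```shell
#!/bin/sh
# Added example (not from the thread): read-only root plus mfs for the
# volatile directories, with a RAM-budget check for the mfs sizes.

# Constructed /etc/fstab fragment. "swap ... mfs" creates a memory
# filesystem at boot; "-s" sets its size. DUID and sizes are placeholders.
RO_FSTAB='PLACEHOLDER-DUID.a / ffs ro 1 1
swap /tmp mfs rw,nodev,nosuid,-s=32m 0 0
swap /home mfs rw,nodev,nosuid,-s=16m 0 0
swap /var/log mfs rw,nodev,nosuid,-s=32m 0 0
swap /var/db mfs rw,nodev,nosuid,-s=16m 0 0'

# Print the sum (in MB) of the -s=NNm sizes of every mfs line in the
# fstab text passed as $1. Non-mfs lines are ignored.
mfs_total_mb() {
    printf '%s\n' "$1" | awk '
        $3 == "mfs" {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (opts[i] ~ /^-s=[0-9]+m$/) {
                    sub(/^-s=/, "", opts[i]); sub(/m$/, "", opts[i])
                    total += opts[i]
                }
        }
        END { print total + 0 }'
}

# Succeed when the mfs total of fstab text $1 leaves at least $3 MB of
# the $2 MB of RAM free for the kernel, pf state table and daemons.
mfs_fits() {
    total=$(mfs_total_mb "$1")
    [ $((total + $3)) -le "$2" ]
}

# Run a command with / temporarily writable, then put it back read-only,
# the way the reply describes the puppet client doing it. Needs root;
# defined here for illustration, not invoked.
with_rw_root() {
    mount -uw / || return 1
    "$@"
    rc=$?
    mount -ur /
    return $rc
}

mfs_total_mb "$RO_FSTAB"   # 96
if mfs_fits "$RO_FSTAB" 256 128; then
    echo "mfs layout fits a 256 MB box with 128 MB headroom"
fi
```

The budget check is the part worth keeping around: on a 256 MB alix board every megabyte given to mfs is taken from the pf state table and the daemons, so size /var/log and /tmp deliberately and ship logs to the central syslog host rather than growing the memory disks.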
Joining the state of two carp interfaces
Hello,

I have recently stumbled over a problem with a CARP router setup. The routers have 2 carped interfaces, one for network A and B respectively. We had the scenario that Router1 was Master for A and Backup for B, Router2 Backup for A and Master for B. A manual demote managed to get one router to be Master on A and B.

Is there a possibility to join the CARP state of 2 interfaces, i.e. both Master or both Backup, no mix?

Thanks in advance
Kim Zeitler
