Re: Ping blocked by firewall

2024-04-09 Thread list
Still don't know what's happening because we don't know what those line errors
mean.

When you changed the macros to tables, did you also update the rules to
match?

On April 9, 2024 9:32:06 AM UTC, Karel Lucas  wrote:
>I moved the lines with the martians between the 'block log all' line and the 
>ping lines. Furthermore, I changed the macro 'martians' to a table: table 
> persist file "etc/martians".
>
>Messages during booting:
>/etc/pf.conf:29: syntax error
>/etc/pf.conf:29: macro 'martians' not defined
>/etc/pf.conf:30: macro 'martians' not defined
>/etc/pf.conf:38: syntax error
>/etc/pf.conf:39: syntax error
>/etc/pf.conf:46: syntax error
>
>On 09-04-2024 at 11:13 Otto Moerbeek wrote:
>> On Tue, Apr 09, 2024 at 10:52:45AM +0200, Karel Lucas wrote:
>> 
>>> I defined the table as stated in your book (3rd edition, page 42). However,
>>> that gives an error message. In the lines with that table: macro 'martians'
>>> not defined. Moreover, I now also have a Syntax error in lines 38, 39 and
>>> 46, causing the pf lines not to be loaded.
>> How about showing what you did, showing the actual error messages so
>> people here can actually help you? Just saying "it does not work" does
>> not get you anywhere.
>> 
>>  -Otto
>>> On 09-04-2024 at 08:53 Peter N. M. Hansteen wrote:
>>>> On Tue, Apr 09, 2024 at 08:39:08AM +0200, Karel Lucas wrote:
>>>>> Hi all,
>>>>> 
>>>>> For the first time I tested my new firewall with ping, and it is blocked. I
>>>>> don't know what the reason is, you can find the information below. I have a
>>>>> network with only regular clients, so no servers. I'm still using OpenBSD
>>>>> V7.4, and will upgrade once the firewall is up and running so I can test the
>>>>> upgrade process.
>>>> Upgrading to 7.5 will not affect this particular problem I think.
>>>> 
>>>> Still low on caffeine I spot two likely factors - your $localnet range overlaps
>>>> with one of the ranges in $martians (which I anyway would recommend converting
>>>> into a table), and your block referencing $martians comes after the pass rules
>>>> that would have let icmp through. With no previous matching quick, last match
>>>> applies.
>>>> 
>>>> - Peter
>>>> 
>
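
As an added illustration of Peter's point (not code from the thread, and a model rather than pf itself): a small Python evaluator that applies pf's ordering rule, last matching rule wins unless a match carries quick, first to a ruleset laid out the way Karel describes and then to one where the martians block is moved up, made quick and scoped to the external interface. The LAN prefix, the table contents, the interface names em0/em1 and the addresses are constructed assumptions.

```python
"""Model of pf rule evaluation (added example, not pf code): rules are
walked in order and the LAST matching rule decides, unless a matching
rule carries 'quick', which ends evaluation on the spot.  Addresses,
interface names and rulesets below are constructed assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network

def nets(*cidrs: str) -> List[Net]:
    return [ipaddress.ip_network(c) for c in cidrs]

# Assumption: the LAN lives inside 192.168.0.0/16, which the martians
# table also lists.  That is the overlap Peter points at.
LOCALNET = nets("192.168.1.0/24")
MARTIANS = nets("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
                "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
                "224.0.0.0/4")

@dataclass
class Packet:
    iface: str       # interface the packet crosses ("em0" external, "em1" LAN)
    direction: str   # "in" or "out" relative to that interface
    proto: str       # "icmp", "tcp", ...
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address

@dataclass
class Rule:
    action: str                       # "pass" or "block"
    quick: bool = False
    iface: Optional[str] = None       # None = any interface
    direction: Optional[str] = None   # None = both directions
    proto: Optional[str] = None       # None = any protocol
    src: Optional[List[Net]] = None   # None = any source
    dst: Optional[List[Net]] = None   # None = any destination

    def matches(self, p: Packet) -> bool:
        return ((self.iface is None or self.iface == p.iface)
                and (self.direction is None or self.direction == p.direction)
                and (self.proto is None or self.proto == p.proto)
                and (self.src is None or any(p.src in n for n in self.src))
                and (self.dst is None or any(p.dst in n for n in self.dst)))

def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, Optional[int]]:
    """Return (verdict, index of the deciding rule); no match at all = pass."""
    verdict, winner = "pass", None
    for i, rule in enumerate(rules):
        if rule.matches(p):
            verdict, winner = rule.action, i
            if rule.quick:      # quick: stop here, later rules cannot override
                break
    return verdict, winner

# Ruleset 1, laid out as the thread describes: block-all, the ping rules,
# then the martians block at the very end without 'quick'.
BROKEN = [
    Rule("block"),
    Rule("pass", proto="icmp", src=LOCALNET),
    Rule("pass", proto="icmp", dst=LOCALNET),
    Rule("block", src=MARTIANS),
    Rule("block", dst=MARTIANS),
]

# Ruleset 2: martians blocked 'quick', scoped to the external interface and
# a direction, and placed before the pass rules.  LAN addresses never
# legitimately arrive on em0 as a source, so the overlap stops mattering.
FIXED = [
    Rule("block"),
    Rule("block", quick=True, iface="em0", direction="in", src=MARTIANS),
    Rule("block", quick=True, iface="em0", direction="out", dst=MARTIANS),
    Rule("pass", proto="icmp", src=LOCALNET),
    Rule("pass", proto="icmp", dst=LOCALNET),
]

def ping_out() -> Packet:
    """Constructed: echo request from a LAN host leaving through em0."""
    return Packet("em0", "out", "icmp", ipaddress.ip_address("192.168.1.10"),
                  ipaddress.ip_address("203.0.113.1"))

def spoofed_in() -> Packet:
    """Constructed: packet with an RFC 1918 source arriving on em0."""
    return Packet("em0", "in", "icmp", ipaddress.ip_address("10.1.2.3"),
                  ipaddress.ip_address("192.168.1.10"))

if __name__ == "__main__":
    for name, ruleset in (("broken", BROKEN), ("fixed", FIXED)):
        for pkt in (ping_out(), spoofed_in()):
            verdict, idx = evaluate(ruleset, pkt)
            print(f"{name}: {pkt.src} -> {pkt.dst} {pkt.direction} on "
                  f"{pkt.iface}: {verdict} (rule {idx})")
```

With the first ruleset the LAN's own ping is blocked by the trailing martians rule (rule 3), exactly the "last match applies" effect; with the second it passes, while a spoofed RFC 1918 source on em0 is stopped by the quick rule before any pass rule can override it. Note also that once martians is a table, pf.conf rules refer to it as <martians>, since $martians is macro syntax.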


Re: relayd fallback when using tag/tagged

2024-02-12 Thread list
Hi

On February 13, 2024 12:20:26 AM UTC, Joel Carnat  wrote:
>Hello,
>
>I'm trying to configure relayd(8) to use tags, to allow legit host names only 
>and modify HTTP headers, and fallback. But I can't get it working properly.
>
>Using such a configuration:
>#-8<---
>table   { 192.0.2.4 }
>table  { 192.0.2.7}
>http protocol www {
>  block
>  match request header "Host" value "www.example" tag "example"
>  pass request tagged "example" forward to 
Try:
match request header "Host" value "www.example" tag example
pass forward to  tagged example
>}
>relay www {
>  listen on 192.0.2.30 port 80
>  protocol www
>  forward to   port 80 check http "/" code 200
>  forward to  port 80
>}
>#-8<---
>forwards all tagged HTTP traffic to the primary server. But if it is turned 
>off, relayd(8) only replies with error rather than sending the traffic to the 
>fallback server.
>
What errors are you having?
>Removing tags and using a simple "pass" directive in protocol (as described in 
>the man page) does work as expected regarding the fallback server.
>
>Is there a way to use both tags and fallback with relayd(8) to mimic Apache's 
>Failover[1] configuration with "ProxyPass" and "BalancerMember (...) 
>status=+H" ?
>
>Thank you,
>Joel C.
>
>[1] https://httpd.apache.org/docs/trunk/howto/reverse_proxy.html#failover
>
https://man.openbsd.org/relayd.conf.5#tag



httpd(8) and PHP - more details in error log

2021-10-05 Thread openbsd . list
Hi,

I use PHP on OpenBSD's httpd for my private web page. In the default
configuration it's hard to debug a PHP error, because I don't see a time
or the specific request on which the error occurred.

Is there a configuration for PHP or HTTPD to print more details in the
error log?

Thanks in advance!



Re: trying to add auth to specific location in httpd.conf

2021-06-03 Thread fm+obsd+misc+list
My bad.

Just plain authenticate with "/path/to/the/htpasswd/file" above the fastcgi 
line did the trick.

Regards, 

Fabio



trying to add auth to specific location in httpd.conf

2021-06-02 Thread fm+obsd+misc+list


Hi misc, 

Am trying to add HTTP Basic auth to a specific location in httpd.conf (a1).
Is it possible?

The other locations I want to maintain unprotected.



usually can be done to the entire site with:

authenticate "HTTP Basic" with "/htdocs/dev/.htpasswd"


but for specific files, dunno how

httpd.conf:

location "/API/v1/a1" {
  fastcgi socket "/run/php-fpm.sock"
}

location "/API/v1/a2" {
  fastcgi socket "/run/php-fpm.sock"
}

location "/API/v1/a3" {
  fastcgi socket "/run/php-fpm.sock"
}

Regards, 

Fabio



PF is ignored by IPsec Tunnel (iked)

2020-01-22 Thread List
Hello *,
when running an IPsec tunnel in exactly the same setup as described
here:

https://www.openbsd.org/faq/faq17.html#clientikev2

on the roadwarrior my pf rules are completely ignored. Doesn't matter if
I try to nat the outgoing traffic on enc0 or to block it entirely.
PF is completely omitted. I remember that this hasn't always been that
way.

Is this due to my incompetence or does the FAQ require an update?

g Stephan



Restart single iked connections

2020-01-18 Thread List
Hi *,

I am in a situation where I've got hosts that handle IPsec connections
with multiple endpoints.

So I've wondered if it was possible to restart single connections
without rebuilding the rest of the connections.
For example machine A has a tunnel to machine B and machine C.
The tunnel to C is up and running as intended but the tunnel to B is
broken (icmp echos don't return, for example). How do I rebuild the tunnel to
B without restarting iked for all connections and interrupting my tunnel to
C?

Thank you for your time.

g Stephan



Iked dead-peer-detection and DynDNS

2020-01-08 Thread List
Hi, 
I am using iked to tunnel to my home router from an OpenBSD machine.
Everything works fine that far. Problems occur when my router reboots at
night and gets a new IP assigned. (DSL)
After receiving the new IP the tunnel is not rebuilt, because the active
part doesn't recognize that the IP has changed.
How do you guys handle that? Is there a builtin mechanism?
I've got the impression that once iked starts up it reads the hostname of the
destination server (FQDN && DynDNS) and saves that permanently and doesn't
recheck until it is manually killed and restarted.

And the second part of the problem: is there a way to do
dead-peer-detection as part of iked's builtin mechanism?

How do you guys handle all of that?

Enlighten me!


I'd greatly appreciate any help !

Best regards, 
Stephan



Iked site-to-site source ip is wrong

2020-01-06 Thread List
Hi *, 
I have the following setup: 

A: 

ikev2 '2router' active esp \
from A.A.A.A/32 to C.C.C.C/32 port 9001 \
local A.A.A.A peer 188.194.145.145 \
srcid a.home.arpa dstid b.home.arpa \
rsa \
config address 10.0.5.100

B: 

ikev2 '2router' passive esp \
from A.A.A.A/32 to C.C.C.C/32 \
peer A.A.A.A local 188.194.145.145 \
srcid b.home.arpa dstid a.home.arpa \
rsa \
config address 10.0.5.1 \
config protected-subnet C.C.C.C/32


A's pf.conf: 

match out on enc0 all nat-to 10.0.5.100


Whatever I do the packets that reach B have source address of A's public
interface and are not routed but dropped. The above config is just the
last variation. What am I doing wrong? 

I'd appreciate your help so much. 

Thanks a lot.

Best regards, 
Stephan



Hardware for Access Point on OpenBSD

2020-01-01 Thread List
Hi *, 
I am currently building a home router based upon OpenBSD.
I therefore need some kind of WiFi hardware. This piece of hardware
needs to be connected over USB.
Do you have any suggestions or recommendations? As far as I can see
it's pretty hard to find an antenna which is connected via USB and runs
on a supported chipset. It is easy to get your hands on a
Realtek-chipset driven device. But urtw(4) doesn't support Host AP
mode. The only ones that do are: athn(4), ral(4), ath(4).
Finding those is hard.

Maybe you guys know things I couldn't find ? 

g, 
Stephan



iked as roadwarrior and strongswan server

2019-11-24 Thread List
Hi *, 

is there someone here who has got a setup running strongswan as server
and OpenBSD's iked as client? In a site-to-site situation?

Thanks a lot in advance.

g Stephan



Re: rspamd stop rc script doesn't work in OpenBSD 6.6

2019-10-29 Thread List
On Sun, 27 Oct 2019 21:29:41 -0700
Jordan Geoghegan  wrote:

> On 2019-10-27 17:29, Chris Narkiewicz wrote:
> > Rspamd stop rc script doesn't work in OpenBSD 6.6.
> >
> > 1. Fresh OpenBSD 6.6 installation
> > 2. pkg_add rspamd
> > 3. rcctl start rspamd
> >
> > Works.
> >
> > 4. rcctl stop rspamd times out
> >
> > Looking at rspamd logs, it looks like it does not work
> > well with SIGTERM. It waits for workers.
> >
> > Currently I work around it by adding custom rc_stop():
> >
> > rc_stop() {
> >     pkill -KILL -T "${daemon_rtable}" -xf "${pexp}"
> >     pkill -KILL -u _rspamd
> > }
> >
> >
> > Anybody can confirm if this is a problem?
> >  
> 
> Yes, can confirm. I think I read something the other day mentioning 
> sthen@ possibly having a diff floating around to fix the issue. 
> Hopefully the fix will be backported to -stable.
> 

Hi, 
I am myself running an MX that uses rspamd + postfix.
I did have the same issue. Especially when running rspamd and adding
redis to the setup.
I think what causes the problem is rspamd which uses JITs. These JITs
break W^X. If you enable rspamd etc. on boot (rcctl enable ...) and
reboot, everything works fine. At least for me it did.
Don't hesitate asking.

Kind regards, 
Stephan



Kernel Debugging

2019-10-29 Thread List
Hi, 
I was wondering how you guys debug your kernel? 
Are you doing some vmd(8) voodoo ?

Recompiling every time you think you've found the error gets quite
exhausting over time. 

g,
Stephan



Re: Encrypting my keydisk

2019-10-24 Thread List
So answering your forwarded Mail Thread.

What's the reason ?

Because your disk encryption stands and falls with the complexity of your
passphrase. And if you were able to use a keydisk to encrypt your
hard drive it would be WAY harder to bruteforce your keydisk rather than
your passphrase.

This advantage is kind of "compromised" by the fact that the keydisk
could be easily stolen or copied.

-> keydisk encryption to mitigate that. 

Overcomplicated? Not so much.

I'm at it so far implementing the diff. I'll see how that goes.


On 2019-10-24 03:31, Aaron Mason wrote:
> On Thu, Oct 24, 2019 at 10:44 AM List  wrote:
>> One would obviously NOT store the key on harddisk. That wouldn't make
>> any sense and is not necessary.
>>
>> This could be similarly achieved as the normal FDE with passphrase. But
>> instead of the actual harddisk as target, the target of the "yet to
>> implement" encryption of the keydisk would be the key on the keydisk
>> itself.
>>
> So how would the system access the key if it's encrypted?
>
>> g
>>
>> On 2019-10-22 23:40, Aaron Mason wrote:
>>> On Wed, Oct 23, 2019 at 5:11 AM List  wrote:
>>>> I'm sorry I might have not been so clear about it. I meant a way to
>>>> encrypt the actual keydisk with a passphrase.
>>>>
>>>> On 2019-10-18 13:34, Jan Stary wrote:
>>>>>>> On Wednesday, October 16, 2019 11:06 PM, List  
>>>>>>> wrote:
>>>>>>>> I was wondering if there is a reason for the lack of keydisk 
>>>>>>>> encryption.
>>>>> $ man bioctl
>>>>> # bioctl -h -v -c C ...
>>>>>
>>> To what end?  At some point you're going to have to store the
>>> passphrase somewhere it can be easily read, and all you've really
>>> achieved is a way to, at best, slow down a potential attacker.
>>>
>





Re: Encrypting my keydisk

2019-10-23 Thread List
One would obviously NOT store the key on harddisk. That wouldn't make
any sense and is not necessary.

This could be similarly achieved as the normal FDE with passphrase. But
instead of the actual harddisk as target, the target of the "yet to
implement" encryption of the keydisk would be the key on the keydisk
itself.

g

On 2019-10-22 23:40, Aaron Mason wrote:
> On Wed, Oct 23, 2019 at 5:11 AM List  wrote:
>> I'm sorry I might have not been so clear about it. I meant a way to
>> encrypt the actual keydisk with a passphrase.
>>
>> On 2019-10-18 13:34, Jan Stary wrote:
>>>>> On Wednesday, October 16, 2019 11:06 PM, List  
>>>>> wrote:
>>>>>> I was wondering if there is a reason for the lack of keydisk encryption.
>>> $ man bioctl
>>> # bioctl -h -v -c C ...
>>>
> To what end?  At some point you're going to have to store the
> passphrase somewhere it can be easily read, and all you've really
> achieved is a way to, at best, slow down a potential attacker.
>





Re: Encrypting my keydisk

2019-10-22 Thread List
I'm sorry I might have not been so clear about it. I meant a way to
encrypt the actual keydisk with a passphrase.

On 2019-10-18 13:34, Jan Stary wrote:
>>> On Wednesday, October 16, 2019 11:06 PM, List  wrote:
>>>> I was wondering if there is a reason for the lack of keydisk encryption.
> $ man bioctl
> # bioctl -h -v -c C ...
>



Companies using openbsd

2019-10-20 Thread List
Hi,

are there companies known to you who use openbsd for their products ?

For building let's say their own OS based upon OpenBSD ?

Thanks for your time.

Regards,

Stephan



Re: Encrypting my keydisk

2019-10-17 Thread List
Hi,

I've found the diff / suggestion you're talking about. But it seems to
be rather hacky. For what reason I guess it never made it into the tree.

I'll ask tech@ what they'd think about a patch.


g,
Stephan

 On 2019-10-17 11:02, flauenroth wrote:
> There was an effort, if memory serves but never got committed afaik. Not sure 
> what happened and why but you should be able to dig the mailing list 
> conversation up and from there compile the uncommitted patch for your needs. 
> At least that would be my approach, except it's now part of OpenBSD. 
>
>
> Have a nice day,
>
> Fabian 
>
>
>
> ___
> Always exit with 42 to return the answer.
>
> ‐‐‐ Original Message ‐‐‐
> On Wednesday, October 16, 2019 11:06 PM, List  wrote:
>
>> Hi,
>>
>> I was wondering if there is a reason for the lack of keydisk encryption.
>>
>> And if there is a reason what that would be. Or maybe I'm just missing
>> something and there is a way to achieve this.
>>
>> Please correct me. Thanks for your time.
>>
>> g Stephan





Encrypting my keydisk

2019-10-16 Thread List
Hi,

I was wondering if there is a reason for the lack of keydisk encryption.

And if there is a reason what that would be. Or maybe I'm just missing
something and there is a way to achieve this.

Please correct me. Thanks for your time.


g Stephan




Re: IPv6 problems

2019-08-24 Thread list
Hi,

when doing slaacctl send solicitation vio0, tcpdump says:

mx-00# tcpdump -ni vio0 icmp6
tcpdump: listening on vio0, link-type EN10MB
16:06:54.725229 fe80::2de:361a:24aa:d7a6 > ff02::2: icmp6: router solicitation
16:06:55.803125 fe80::22d8:b00:86fa:424c > ff02::1:ff96:189a: icmp6: neighbor sol: who has 2a03:4000:21:18a:84e:27ff:fe96:189a [class 0xc0]
16:06:55.807067 fe80::b438:86ff:fe34:b14d > ff02::1:ff00:0: icmp6: neighbor sol: who has ::
16:06:57.152589 fe80::22d8:b00:86ee:ff4 > ff02::1:ff96:189a: icmp6: neighbor sol: who has 2a03:4000:21:18a:84e:27ff:fe96:189a [class 0xc0]
16:06:58.815291 fe80::22d8:b00:86fa:424c > ff02::1:ff00:0: icmp6: neighbor sol: who has 2a03:4000:21:6db:: [class 0xc0]
16:06:59.815941 fe80::22d8:b00:86fa:424c > ff02::1:ff00:0: icmp6: neighbor sol: who has 2a03:4000:21:6db:: [class 0xc0]
16:07:00.822213 fe80::22d8:b00:86fa:424c > ff02::1:ff00:0: icmp6: neighbor sol: who has 2a03:4000:21:6db:: [class 0xc0]
16:07:00.823550 fe80::7452:47ff:fe16:9b9 > ff02::1:ff00:0: icmp6: neighbor sol: who has ::
16:07:00.825485 fe80::22d8:b00:86fa:424c > ff02::1:ff96:189a: icmp6: neighbor sol: who has 2a03:4000:21:18a:84e:27ff:fe96:189a [class 0xc0]
16:07:02.150665 fe80::22d8:b00:86ee:ff4 > ff02::1:ff96:189a: icmp6: neighbor sol: who has 2a03:4000:21:18a:84e:27ff:fe96:189a [class 0xc0]
^C 2558 packets received by filter


Any clearance?


Regards,

Stephan

On 8/23/19 1:13 PM, Bastien Durel wrote:
> On Thursday 22 August 2019 at 20:11 +0200, list wrote:
>> Hi,
>>
>> I might be missing something right here
>>
>> I have the output of "route show" attached, because I cannot paste it
>> in
>> here in a formatted form.
>>
>>
>> This is super annoying.
>>
>> Just wanna get the damn thing running.
>>
> ff02::2 is a multicast address, it's not intended to be used as a route
> gateway.
> It's only a way to discover routers.
>
> for example:
>
> fremen# ping6  ff02::2%em1
> PING ff02::2%em1 (ff02::2%em1): 56 data bytes
> 64 bytes from fe80::6366:1356:e19:f361%em1: icmp_seq=0 hlim=64 time=0.114 ms
> 64 bytes from fe80::225:22ff:fe1e:bb7%em1: icmp_seq=0 hlim=64 time=0.320 ms 
> (DUP!)
> 64 bytes from fe80::6366:1356:e19:f361%em1: icmp_seq=1 hlim=64 time=0.082 ms
> 64 bytes from fe80::225:22ff:fe1e:bb7%em1: icmp_seq=1 hlim=64 time=0.293 ms 
> (DUP!)
>
> Here fe80::6366:1356:e19:f361 is the LL address of em1, so
> fe80::225:22ff:fe1e:bb7%em1 is the router on the other side of link.
>



Re: IPv6 problems

2019-08-24 Thread list
Hello,

@Fernando Gont:

I have tried that as well. No difference.


@ Bastien Durel

When pinging ff02::2%vio0 I don't receive any replies.

The tcpdump for those requests is the following:

# tcpdump -ni vio0 icmp6  
tcpdump: listening on vio0, link-type EN10MB
15:47:40.580787 fe80::22d8:b00:86fa:424c > ff02::1:ff00:0: icmp6: neighbor sol: who has 2a03:4000:21:6db:: [class 0xc0]
15:47:40.583638 fe80::22d8:b00:86fa:424c > ff02::1:ff96:189a: icmp6: neighbor sol: who has 2a03:4000:21:18a:84e:27ff:fe96:189a [class 0xc0]
15:47:41.725300 fe80::22d8:b00:86ee:ff4 > ff02::1:ff96:189a: icmp6: neighbor sol: who has 2a03:4000:21:18a:84e:27ff:fe96:189a [class 0xc0]
15:47:43.844162 fe80::2de:361a:24aa:d7a6 > ff02::2: icmp6: echo request
15:47:44.845036 fe80::2de:361a:24aa:d7a6 > ff02::2: icmp6: echo request
15:47:45.581326 fe80::22d8:b00:86fa:424c > ff02::1:ff96:189a: icmp6: neighbor sol: who has 2a03:4000:21:18a:84e:27ff:fe96:189a [class 0xc0]
15:47:45.834984 fe80::2de:361a:24aa:d7a6 > ff02::2: icmp6: echo request
15:47:46.729443 fe80::22d8:b00:86ee:ff4 > ff02::1:ff96:189a: icmp6: neighbor sol: who has 2a03:4000:21:18a:84e:27ff:fe96:189a [class 0xc0]
15:47:46.835383 fe80::2de:361a:24aa:d7a6 > ff02::2: icmp6: echo request
15:47:47.580262 fe80::22d8:b00:86fa:424c > ff02::1:ff00:3: icmp6: neighbor sol: who has 2a03:4000:21:6ef::3 [class 0xc0]
15:47:47.835361 fe80::2de:361a:24aa:d7a6 > ff02::2: icmp6: echo request
15:47:48.581182 fe80::22d8:b00:86fa:424c > ff02::1:ff00:3: icmp6: neighbor sol: who has 2a03:4000:21:6ef::3 [class 0xc0]
15:47:48.581516 fe80::8d4:7cff:fe04:a773 > ff02::1:ff00:0: icmp6: neighbor sol: who has ::
15:47:48.582270 fe80::845e:61ff:fe17:997d > ff02::1:ff00:0: icmp6: neighbor sol: who has ::
15:47:48.584608 fe80::3800:edff:fe06:769c > ff02::1:ff00:0: icmp6: neighbor sol: who has ::
15:47:48.590014 fe80::b438:86ff:fe34:b14d > ff02::1:ff00:0: icmp6: neighbor sol: who has ::
15:47:48.835487 fe80::2de:361a:24aa:d7a6 > ff02::2: icmp6: echo request
15:47:49.580501 fe80::22d8:b00:86fa:424c > ff02::1:ff00:3: icmp6: neighbor sol: who has 2a03:4000:21:6ef::3 [class 0xc0]
15:47:49.835293 fe80::2de:361a:24aa:d7a6 > ff02::2: icmp6: echo request
15:47:50.589407 fe80::22d8:b00:86fa:424c > ff02::1:ff96:189a: icmp6: neighbor sol: who has 2a03:4000:21:18a:84e:27ff:fe96:189a [class 0xc0]
15:47:51.725823 fe80::22d8:b00:86ee:ff4 > ff02::1:ff96:189a: icmp6: neighbor sol: who has 2a03:4000:21:18a:84e:27ff:fe96:189a [class 0xc0]

fe80::2de:361a:24aa:d7a6 --> address of my interface.

Regards, 
Stephan.

On 8/23/19 1:13 PM, Bastien Durel wrote:
> On Thursday 22 August 2019 at 20:11 +0200, list wrote:
>> Hi,
>>
>> I might be missing something right here
>>
>> I have the output of "route show" attached, because I cannot paste it
>> in
>> here in a formatted form.
>>
>>
>> This is super annoying.
>>
>> Just wanna get the damn thing running.
>>
> ff02::2 is a multicast address, it's not intended to be used as a route
> gateway.
> It's only a way to discover routers.
>
> for example:
>
> fremen# ping6  ff02::2%em1
> PING ff02::2%em1 (ff02::2%em1): 56 data bytes
> 64 bytes from fe80::6366:1356:e19:f361%em1: icmp_seq=0 hlim=64 time=0.114 ms
> 64 bytes from fe80::225:22ff:fe1e:bb7%em1: icmp_seq=0 hlim=64 time=0.320 ms 
> (DUP!)
> 64 bytes from fe80::6366:1356:e19:f361%em1: icmp_seq=1 hlim=64 time=0.082 ms
> 64 bytes from fe80::225:22ff:fe1e:bb7%em1: icmp_seq=1 hlim=64 time=0.293 ms 
> (DUP!)
>
> Here fe80::6366:1356:e19:f361 is the LL address of em1, so
> fe80::225:22ff:fe1e:bb7%em1 is the router on the other side of link.
>
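
As an added example (not code from the thread): a Python triage of captures like the two posted in this thread, tallying the ICMPv6 message kinds and flagging what both captures show, namely a router solicitation with no advertisement in return, all-routers pings to ff02::2 that nobody answers, and neighbor solicitations that all target addresses outside the poster's own /64. The link-local address and the 2a03:4000:21:65f::/64 prefix are taken from the thread; the "healthy" capture is constructed, modelled on the lines geoff said to expect.

```python
"""Triage of a 'tcpdump -ni vio0 icmp6' capture (added example, not code
from the thread): tally the ICMPv6 message kinds, check whether our router
solicitations and all-routers pings were answered, and whether any
neighbor solicitation on the link targets our own prefix."""
import ipaddress
import re
from collections import Counter
from typing import Dict, List

# One tcpdump line; the trailing "[class 0x..]" traffic-class note is optional.
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+) > (?P<dst>\S+): icmp6: "
    r"(?P<msg>.*?)(?: \[class 0x[0-9a-f]+\])?$")
TARGET = re.compile(r"who has (\S+)")
KINDS = (("router advertisement", "RA"), ("router solicitation", "RS"),
         ("neighbor sol", "NS"), ("neighbor adv", "NA"),
         ("echo request", "ECHOREQ"), ("echo reply", "ECHOREP"))

def classify(msg: str) -> str:
    for prefix, kind in KINDS:
        if msg.startswith(prefix):
            return kind
    return "OTHER"

def parse(capture: str) -> List[Dict[str, str]]:
    pkts = []
    for raw in capture.splitlines():
        m = LINE.match(raw.strip())
        if m:   # "tcpdump: listening on ..." and friends are skipped
            pkts.append({"src": m["src"], "dst": m["dst"],
                         "kind": classify(m["msg"]), "msg": m["msg"]})
    return pkts

def triage(pkts: List[Dict[str, str]], my_ll: str, my_prefix: str) -> dict:
    """my_ll: our link-local address; my_prefix: the /64 we were assigned."""
    prefix = ipaddress.ip_network(my_prefix)
    counts = Counter(p["kind"] for p in pkts)
    findings = []
    sent_rs = any(p["kind"] == "RS" and p["src"] == my_ll for p in pkts)
    if sent_rs and not counts["RA"]:
        findings.append("router solicitation sent, no router advertisement seen")
    pinged = any(p["kind"] == "ECHOREQ" and p["src"] == my_ll
                 and p["dst"] == "ff02::2" for p in pkts)
    replied = any(p["kind"] == "ECHOREP" and p["dst"] == my_ll for p in pkts)
    if pinged and not replied:
        findings.append("echo requests to ff02::2 (all routers) never answered")
    ns_in_prefix = 0
    for p in pkts:
        if p["kind"] == "NS" and p["src"] != my_ll:
            t = TARGET.search(p["msg"])
            if t and ipaddress.ip_address(t.group(1)) in prefix:
                ns_in_prefix += 1
    if counts["NS"] and not ns_in_prefix:
        findings.append("neighbor solicitations seen, none for our prefix "
                        "(other tenants' traffic on a shared segment)")
    others = sorted({p["src"] for p in pkts
                     if p["src"] != my_ll and p["src"].startswith("fe80:")})
    return {"counts": counts, "findings": findings,
            "other_link_local": others, "ns_in_prefix": ns_in_prefix}

# Values from the thread: Stephan's link-local address and assigned /64.
MY_LL = "fe80::2de:361a:24aa:d7a6"
MY_PREFIX = "2a03:4000:21:65f::/64"

# Lines picked from the two captures posted in the thread.
STUCK = """\
tcpdump: listening on vio0, link-type EN10MB
16:06:54.725229 fe80::2de:361a:24aa:d7a6 > ff02::2: icmp6: router solicitation
15:47:40.580787 fe80::22d8:b00:86fa:424c > ff02::1:ff00:0: icmp6: neighbor sol: who has 2a03:4000:21:6db:: [class 0xc0]
15:47:41.725300 fe80::22d8:b00:86ee:ff4 > ff02::1:ff96:189a: icmp6: neighbor sol: who has 2a03:4000:21:18a:84e:27ff:fe96:189a [class 0xc0]
15:47:43.844162 fe80::2de:361a:24aa:d7a6 > ff02::2: icmp6: echo request
15:47:44.845036 fe80::2de:361a:24aa:d7a6 > ff02::2: icmp6: echo request
15:47:48.581516 fe80::8d4:7cff:fe04:a773 > ff02::1:ff00:0: icmp6: neighbor sol: who has ::
"""

# Constructed healthy capture, modelled on the lines geoff says to expect:
# a router advertises itself, answers the all-routers ping, and resolves
# an address inside our prefix.
HEALTHY = """\
13:17:46.508540 fe80::669e:f3ff:feec:fc7f > ff02::1: icmp6: router advertisement [class 0xe0]
13:17:47.100000 fe80::2de:361a:24aa:d7a6 > ff02::2: icmp6: echo request
13:17:47.100300 fe80::669e:f3ff:feec:fc7f > fe80::2de:361a:24aa:d7a6: icmp6: echo reply
13:17:50.000000 fe80::669e:f3ff:feec:fc7f > ff02::1:ff00:10: icmp6: neighbor sol: who has 2a03:4000:21:65f::10 [class 0xe0]
"""

if __name__ == "__main__":
    for name, cap in (("stuck", STUCK), ("healthy", HEALTHY)):
        r = triage(parse(cap), MY_LL, MY_PREFIX)
        print(name, dict(r["counts"]), r["findings"], r["other_link_local"])
```

On the thread's capture all three findings fire and the only other link-local talkers are the three neighbours soliciting addresses in other /64s; on the constructed capture none fire, which is the picture to expect once a router actually answers on the link.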



Re: IPv6 problems

2019-08-22 Thread list
Hi,

I might be missing something right here

I have the output of "route show" attached, because I cannot paste it in
here in a formatted form.


This is super annoying.

Just wanna get the damn thing running.


Regards,

Stephan

On 8/19/19 10:33 AM, Bastien Durel wrote:
> On Sunday 18 August 2019 at 11:50 +0200, list wrote:
>> When I take a closer look and run tcpdump while pinging I see the
>> following output: 
>> (With route to fe80::1%vio added and the normal hostname.vio0)
>>
>> 11:40:36.446539 fe80:: > ff02::1:ff00:1: icmp6: neighbor sol:
>> who has fe80::1
>>
>> This line is being repeated over and over again. I left out all the
>> other traffic that is not related to my /64. 
>>
>> Hm... 
>> Any ideas ? 
>>
>> I've got a feeling that somethings wrong with that fe80::1
>> address... 
> Hello,
>
> A router may be configured to use fe80::1 LL address, but it may not
> too. It's not a standard AFAIK. I never encountered one myself.
> If no one responds to your neighbor sol packet, it's probably because
> no router uses this address.
>
> To discover routers in an unknown network, I use "ping6 ff02::2%vio0",
> as ff02::2 is a standard multicast address for "ip6-allrouters" (as
> ff02::1 is for all nodes)
>
Internet6:
DestinationGatewayFlags   Refs  Use   Mtu  Prio Iface
defaultff02::2%vio0   UGS01 - 8 vio0 
::/96  localhost  UGRS   00 32768 8 lo0  
localhost  localhost  UHhl  1334104 32768 1 lo0  
:::0.0.0.0/96  localhost  UGRS   00 32768 8 lo0  
2002::/24  localhost  UGRS   00 32768 8 lo0  
2002:7f00::/24 localhost  UGRS   00 32768 8 lo0  
2002:e000::/20 localhost  UGRS   00 32768 8 lo0  
2002:ff00::/24 localhost  UGRS   00 32768 8 lo0  
2a03:4000:21:65f::UCn00 - 4 vio0 
   UHLl   00 - 1 vio0 
fe80::/10  localhost  UGRS   01 32768 8 lo0  
fec0::/10  localhost  UGRS   00 32768 8 lo0  
fe80::%vio0/64 fe80::2de:361a:24a UCn1   38 - 4 vio0 
fe80::1%vio0   00:00:5e:00:02:02  UHLc   0  366 - 3 vio0 
fe80::2de:361a:24a d6:2a:39:5a:c3:6b  UHLl   00 - 1 vio0 
fe80::1%lo0fe80::1%lo0UHl00 32768 1 lo0  
ff01::/16  localhost  UGRS   01 32768 8 lo0  
ff01::%vio0/32 fe80::2de:361a:24a Um 01 - 4 vio0 
ff01::%lo0/32  fe80::1%lo0Um 01 32768 4 lo0  
ff02::/16  localhost  UGRS   01 32768 8 lo0  
ff02::%vio0/32 fe80::2de:361a:24a Umh15 - 4 vio0 
ff02::%lo0/32  fe80::1%lo0Um 01 32768 4 lo0 


Re: IPv6 problems

2019-08-18 Thread list
Hi,

so I removed everything from /etc/mygate and rebooted the machine.

I still cannot ping anybody.

The output of slaacctl show interface vio0 is the following:

# slaacctl show interface vio0

slaacctl: connect: /dev/slaacd.sock: Connection refused

This is not how it is supposed to be I guess.

My provider doesn't have any BSD related examples.


Thanks for your time freda bundchen!


Regards,

Stephan

On 8/18/19 3:10 PM, freda_bundc...@nym.hush.com wrote:
>> From:   list 
>> my /etc/hostname looks exactly like you proposed:
>> inet6 autoconf autoconfprivacy soii 
>> inet6 
>> when i enter the default IPv6 gateway manually. I can ping stuff 
>> but don't get a reply.  When I don't: "No route to host"
>> (With route to fe80::1%vio added and the normal hostname.vio0)
> I would suggest not specifying any routes or link-local addresses, and
> instead in /etc/hostname.vio0 make sure the IPv6 address in 
> is the public IPv6 address given by your provider (I know there's a
> /64, but I'm just going by the example of my own provider.)
>
> Then make sure /etc/mygate doesn't have any IPv6 addresses. Then
> perhaps reboot everything to make sure you've cleared out references
> to fe80::1, if /bin/sh /etc/netstart doesn't get everything working.
>
> My provider's configuration examples said to use -autoconfprivacy and
> -soii so you might try that also. But mine works with autoconfprivacy
> and soii.
>
> What is the output of slaacctl show interface vio0?
>
>



Re: IPv6 problems

2019-08-18 Thread list
Hi,

my /etc/hostname looks exactly like you proposed:

inet6 autoconf autoconfprivacy soii 
inet6 

When I enter the default IPv6 gateway manually, I can ping stuff but don't get
a reply.
When I don't: "No route to host"

PF is not the problem. Same results when loading pf rules that look like this:
"pass log all"

The ISO was uploaded by me.

There is one thing that has me wondering.

When looking at the output of tcpdump.
In your example you told me that the host on the right side of a neighbor sol
is always the router/gateway..
But when I look at the output of that I see two different addresses that are NOT
fe80::1.

These IPs both follow this schema "fe80:something".

When I take a closer look and run tcpdump while pinging I see the following
output:
(With route to fe80::1%vio added and the normal hostname.vio0)

11:40:36.446539 fe80:: > ff02::1:ff00:1: icmp6: neighbor sol: who has fe80::1

This line is being repeated over and over again. I left out all the other
traffic that is not related to my /64.

Hm...
Any ideas?

I've got a feeling that something's wrong with that fe80::1 address...

Stephan 

On 8/18/19 1:33 AM, freda_bundc...@nym.hush.com wrote:
>> From:   list  
>> I've restarted my VM over the official 
>> Webinterface but still...
>> When trying to ping the gateway on fe80::1 I don't get any icmp
>> echoreplies.
>> What is the behavior of pf when disabled ? Is there some kind of
>> default blocking rule that is still active ?
> Have you tried /etc/hostname.vio0 with 
> inet6 autoconf autoconfprivacy soii 
> inet6 
>
> instead of specifying a LL route?
>
> Just in case, you could try /etc/pf.conf with only 
>
> pass log all
>
> instead of disabling pf.
>
> Is the installation of OpenBSD provided by your VPS, or do they let
> you use a custom ISO? Maybe a trial installation using a different
> VPS but a similar configuration would indicate it's a problem with
> the VPS.
>
>



Re: IPv6 problems

2019-08-17 Thread list
Hi,

I did specify it correctly now and the entry in my routing table is made.

However that doesn't change my situation. I've restarted my VM over the
official Webinterface but still...

When trying to ping the gateway on fe80::1 I don't get any icmp
echoreplies.

When asking the provider I am given a link to the wiki and that this
isn't their responsibility.

What is the behavior of pf when disabled ? Is there some kind of default
blocking rule that is still active ?

I have no idea what to do.


With kind regards,

Stephan

On 8/15/19 7:03 PM, Denis Fondras wrote:
> On Thu, Aug 15, 2019 at 06:50:09PM +0200, list wrote:
>> Hi,
>>
>> EDIT:
>>
>> I have taken a look at the website of my hosting provider.
>>
>> My IPv6 gateway would be fe80::1.
>>
>> When trying to add the route manually i get "network unreachable".
>>
> Did you specify the output interface ? With LL addresses, you need to specify 
> it.
>
> route add -inet6 default fe80::1%vio0
>
>



Re: IPv6 problems

2019-08-15 Thread list
Hi,

EDIT:

I have taken a look at the website of my hosting provider.

My IPv6 gateway would be fe80::1.

When trying to add the route manually I get "network unreachable".

Which leaves me puzzled.

Stephan

On 8/14/19 11:08 PM, gwes wrote:
> On 8/14/19 4:45 PM, freda_bundc...@nym.hush.com wrote:
>> Hi, I just thought since the interface was vio that you're running in
>> a virtual
>> environment. Providers like Vultr say "Important Note: If you add an
>> IPv6
>> subnet to an existing machine, you must restart the server via the Vultr
>> control panel before IPv6 will work. Restarting via SSH or similar is
>> not
>> sufficient. IPv6 would not work at all until the server has been
>> restarted."
>>
> If the provider says anything like this and the VM hasn't been hard reset
> via the VM host all bets are off
>
>



Re: IPv6 problems

2019-08-15 Thread list
Hey,

thanks for the answers,

so ..

I firstly got rid of the alias and the manual routes.

1.) "Can you ping your own IPv6 address ?"

Yes I can. Works as expected.

2.) "tcpdump -ni vio0 -s 1500 icmp6"

results in a lot of "neighbor sol".

3.) "Who are you trying to ping?"

I have a /64 for myself so I tried to ping google.com for example.

4.) "You must see them for your gateway"

This I do not. When trying to ping google I see the echo requests for
the IPv6 of google but not for my gateway. I haven't configured a
gateway for IPv6 at all. That could be the problem? Do I have to do that?

5.) "ndp -a"

I am missing the entry for my gateway completely.

6.) "netstat -s"

Looks fine. No zeros.

So I guess it has to do with my gateway that I haven't configured
anywhere to act as one.

When trying to add the gateway (which I learnt from looking at the
tcpdump output) manually I get "network is unreachable".

Hmm...

Can you pull anything from that?


Regards,

Stephan

On 8/14/19 11:05 PM, gwes wrote:
>
>
> On 8/14/19 2:36 PM, list wrote:
>> My hostname.vio0 now looks like this:
>>
>>      inet6 alias /64
>>      !route add -inet6 default fe80::2de:361a:24aa:d7a6%vio
>> When doing a "ifconfig vio0" I get:
>>
>>  vio0: flags=8843 mtu 1500
>>
>> [...]
>>  inet6 fe80::2de:361a:24aa:d7a6%vio0 prefixlen 64 scopeid 0x1
>>  inet6  prefixlen 64
> Take the "alias" out of your inet6 line in your hostname.vio0
>
> Since your interface is vio0 I am assuming you are running a
> guest VM on a server. I am also assuming that ip4 traffic is passing.
>
> Your VM server should be sending you Route Advertisement messages.
> You shouldn't have to set any route yourself. Doing so will confuse
> things mightily.
>
> Can you ping your own ipv6 address? If not something is really strange.
>
> If you say
> # tcpdump -ni -s 1500 icmp6
>
> You should eventually see (lines wrapped)
>
> 13:17:46.508540 fe80::669e:f3ff:feec:fc7f > ff02::1:
>   icmp6: router advertisement [class 0xe0]
> Along with
>
> 13:17:19.309191 your_gateway_ip6 > 2xxx0::1:
>   icmp6: neighbor sol: who has 2xxx0::1
> 13:17:19.311828 2xxx0::1 > 2xxx0::2:
>       icmp6: neighbor adv: tgt is 2xxx0::1 [class 0xe0]
>
>  It may take up to 20 minutes to see these messages.
>
> If you never see any route advertisements your server isn't configured
> to give you inet6 service.
>
> Who are you trying to ping? Someone on your /64 or someone outside?
> You must see neighbor solicitation msgs if you try to ping someone
> on your /64. You must see them for your gateway if you try to ping
> someone outside. Keep the tcpdump running and do the pings from
> another virtual terminal.
>
> If you say
> # ndp -a
>
> You should see
>
> Neighbor Linklayer Address   Netif
> Expire    S Flags
> your_gateway             64:9e:f3:ec:fc:7f    vio0
> 4s    D R
> your_hostname    52:54:00:27:22:43    vio0
> permanent R l
> fe80::669e:f3ff:feec:fc7f%vio0   64:9e:f3:ec:fc:7f    vio0
> 23h58m18s S R
> fe80::bd8b:afb3:be72:bd06%vio0   52:54:00:27:22:43    vio0
> permanent R l
>
> If you say
> # netstat -s
> Among a ***lot*** of other statistics you should see something like
> ip6:
>     1312572 total packets received <<<
>     907754 packets for this host <<<
>     1107139 packets sent from this host <<<
> .
> icmp6:
>     640 calls to icmp6_error
>     Output packet histogram:
>     unreach: 640
>     echo reply: 1328
>     multicast listener report: 6
>     neighbor solicitation: 137965
>     neighbor advertisement: 137761
> 
>     Input packet histogram:
>     echo: 1328
>     router advertisement: 56998 <<<<
>     neighbor solicitation: 137770 <<<<
>     neighbor advertisement: 137956 <<<<
>
> .
>
> The netstat -s output should show nonzero in the marked lines.
>
> If you CAN ping hosts on your /64 and you CAN'T ping anyone else,
> and if you CAN ping your gateway, then as a last resort set your default
> ipv6 route via that host.
>
> If things still don't work, excerpts of netstat -s
> and the output from ndp -an and tcpdump -ni icmp6 should be informative.
>
> geoff steckel
>
>
>
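
As an added example (not code from the thread, and not Geoff's own tooling), here is a small sh/awk script that checks the counters the checklist above marks with "<<<" against a saved "netstat -s" excerpt. It keeps the icmp6 Input histogram apart from the Output one, since both list neighbor solicitation and neighbor advertisement and only the Input side shows that the router and neighbours actually answered. The two excerpts below are constructed, with invented values.

```sh
#!/bin/sh
# Added example: check the "<<<" counters from the checklist in a saved
# "netstat -s" excerpt. Not code from the thread; the samples are constructed.

# check_inet6_stats: reads netstat -s output on stdin and prints one line
# per checked counter: "<name> <value> ok", "<name> 0 ZERO" or
# "<name> - MISSING". Exit status 1 if any counter is zero or absent.
check_inet6_stats() {
    awk '
        # Protocol headers start in column 0: "ip6:", "icmp6:", "tcp:" ...
        /^[a-z0-9]+:$/ { proto = substr($1, 1, length($1) - 1); hist = ""; next }
        # Inside icmp6 the same type names appear twice; remember which
        # histogram we are in so Output counts are not mistaken for Input.
        /Output packet histogram:/ { hist = "out"; next }
        /Input packet histogram:/  { hist = "in";  next }
        proto == "ip6" && /total packets received/      { v["ip6_received"] = $1 }
        proto == "ip6" && /packets for this host/       { v["ip6_for_host"] = $1 }
        proto == "ip6" && /packets sent from this host/ { v["ip6_sent"] = $1 }
        proto == "icmp6" && hist == "in" && /router advertisement:/   { v["ra_in"] = $NF }
        proto == "icmp6" && hist == "in" && /neighbor solicitation:/  { v["ns_in"] = $NF }
        proto == "icmp6" && hist == "in" && /neighbor advertisement:/ { v["na_in"] = $NF }
        END {
            n = split("ip6_received ip6_for_host ip6_sent ra_in ns_in na_in", want, " ")
            rc = 0
            for (i = 1; i <= n; i++) {
                k = want[i]
                if (!(k in v))          { print k, "-", "MISSING"; rc = 1 }
                else if (v[k] + 0 == 0) { print k, v[k], "ZERO";   rc = 1 }
                else                      print k, v[k], "ok"
            }
            exit rc
        }
    '
}

# Constructed excerpt of a host whose provider does send RAs (values invented).
SAMPLE_OK='ip6:
        1312 total packets received
        907 packets for this host
        1107 packets sent from this host
icmp6:
        Output packet histogram:
                neighbor solicitation: 138
                neighbor advertisement: 137
        Input packet histogram:
                echo: 13
                router advertisement: 57
                neighbor solicitation: 139
                neighbor advertisement: 136'

# Constructed excerpt for the "never see any route advertisements" case:
# RAs zero, our solicitations go out, but no neighbor advertisement comes in.
SAMPLE_NO_RA='ip6:
        412 total packets received
        388 packets for this host
        530 packets sent from this host
icmp6:
        Output packet histogram:
                neighbor solicitation: 77
        Input packet histogram:
                router advertisement: 0
                neighbor solicitation: 12'

# Demonstration: run both excerpts through the check.
printf '%s\n' "$SAMPLE_OK" | check_inet6_stats && echo "healthy excerpt: ok"
printf '%s\n' "$SAMPLE_NO_RA" | check_inet6_stats || echo "no-RA excerpt: inet6 service is not being provided"
```

On a live box the same function can be fed directly with `netstat -s | check_inet6_stats`.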



Re: IPv6 problems

2019-08-14 Thread list
Hi,

What do you mean by "a hard restart"?

There is nothing else I can do apart from restarting my OpenBSD box...

I think I am misunderstanding you right there.


Stephan

On 8/14/19 9:17 PM, freda_bundc...@nym.hush.com wrote:
> Hi, since your interface is vio0 your virtual service provider might
> require a hard restart of your server -- separate from rebooting 
> from your installed OpenBSD.
>
> I know you disabled pf, but once it's working, I think the rules
> you need to add would be something like:
>
> # ip6
> #   man icmp6 has the types and descriptions used below
> pass log on $ext_if inet6 proto icmp6 \
> to any icmp6-type \
> {133 134 135 136 137} modulate state
> # rfc 4890 section 4.3
> pass log inet6 proto icmp6 icmp6-type {unreach toobig} modulate state
> pass log inet6 proto icmp6 icmp6-type timex code 0 modulate state
> pass log inet6 proto icmp6 icmp6-type paramprob code 1 modulate state
> pass log inet6 proto icmp6 icmp6-type paramprob code 2 modulate state
> pass log inet6 proto icmp6 icmp6-type echoreq modulate state
>
> For the hostname.vio0 file, all I have is
> inet6 autoconf autoconfprivacy soii
> inet6 alias 
>
> You may also want to look at the Book of PF third edition which
> mentions other relevant RFCs.
>
>
>



Re: IPv6 problems

2019-08-14 Thread list
Hello,

Thanks a lot for your suggestions! I really appreciate it.

Unluckily that didn't work out.

My hostname.vio0 now looks like this:

        inet6 alias /64

        !route add -inet6 default fe80::2de:361a:24aa:d7a6%vio0

So with this gateway added I now don't get the "no route to host" when
trying to ping someone else on their IPv6. But I am not getting any
replies.

I somehow don't get any replies. Even with pf turned off. (pfctl -d)

I still cannot ping the issued server. Getting "no route to host" when
trying to ping it.

Which seems logical when I just added a route. Shouldn't change anything
when trying to ping from the outside.

Do you have any further ideas?

When doing a "ifconfig vio0" I get:

    vio0: flags=8843 mtu 1500
    lladdr 
    index 1 priority 0 llprio 3
    groups: egress
    media: Ethernet autoselect
    status: active
    inet  netmask 0xfc00 broadcast 
    inet6 fe80::2de:361a:24aa:d7a6%vio0 prefixlen 64 scopeid 0x1
    inet6  prefixlen 64

... Hmmm it feels like I am forgetting something.


I'd appreciate any suggestions!


Kind regards,


Stephan

On 8/13/19 10:21 PM, Jordan Geoghegan wrote:
>
> On 8/13/19 10:11 AM, Thomas Bohl wrote:
>> Hello,
>>
>>> My hostname.vio0 looks like this:
>>>
>>>
>>> dhcp
>>>
>>> inet6 alias >> provider> 64
>>>
>>
>> You most likely need to add a route. Add something like this to your
>> hostname file:
>> !route add -inet6 default fe80::1%vio0
>>
>>
>> Just in case you have the same problem. For whatever reason, after a
>> reboot, I have to do this in order to get IPv6 traffic flowing:
>> ping6 -c 10 fe80::1%vio0
>>
> or just add your gateway to your /etc/mygate file.
>
>
>



IPv6 problems

2019-08-13 Thread list
Hi,

I have been trying to set up IPv6 on my OpenBSD machine.

It is running on stable branch. 

The interface I am trying to configure IPv6 on is "vio".

My hostname.vio0 looks like this:


dhcp

inet6 alias  64


But I just can't get it to work. It is not reachable at all. I may not
be reached and I can't reach anybody else via IPv6.


I'd appreciate any help.


Thank you for your time.


With kind regards,

Stephan



Re: my experience with openbsdstore.com

2015-04-13 Thread IMAP List Administration
On 04/12/2015 08:12 PM, Jason Adams wrote:
 On 04/11/2015 06:01 AM, IMAP List Administration wrote:
 The trouble began immediately. I chose electronic wire transfer as the 
 payment
 method, 
 It's not 1929 any more. I'm utterly surprised the store still offers wire 
 transfer.

 In my day job, we refuse wire transfers.  We would rather lose a customer 
 than deal
 with it unless the invoice is several thousand dollars.  It's too much work 
 (on both ends)
 and one never gets the invoice amount, as the banks charge fees on both ends.
As other people have pointed out, wire transfer (EWT) is the norm in Europe. It
is effortless, automated by most, and it replaced using cheques 25 or so years
ago. There is either zero added fee or the fee is trivial -- this is required by
EU law.

So bragging that your company refuses EWT can be compared to bragging that your
company refuses to use online electronic methods to transfer files such as
FTP/etc, and only accepts files that are provided on floppy disks.

Your perception is highly subjective and in fact badly distorted because you
think that because your country/system has botched the implementation of EWT
that all countries/systems must also have botched it.  Wrong.

 What should have been an automated order now requires human intervention on
 both ends, plus any transcription error along the way sends your money to 
 no-man's land.
botched implementation of your system. Not in EU.

 Even the store's handling of PayPal is obsolete, requiring two steps, and 
 manual matching
 of orders to payments.
nothing to do with EWT, but not surprising.


 There are a dozen other payment methods that could be used on the store, but 
 it seems
 hopelessly stuck in 1996.

based on assumption that own system is best.

How could anything be simpler than having A instruct A's bank to move funds to
B's bank account?



my experience with openbsdstore.com

2015-04-11 Thread IMAP List Administration
Hello,

the following describes my experience ordering CDs from the openbsdstore.com.

As openbsdstore.com is apparently the only source for OpenBSD CDs these days, I
ordered two sets of v5.6 a while ago (December 2014).

The order

The trouble began immediately. I chose electronic wire transfer as the payment
method, but even though I had supplied my VAT-ID and indicated that I wished to
avoid paying VAT, the total included VAT and there was no way to remove it.

I figured it was simpler to order and ask to have the VAT transferred back. I
ordered, and sent a corresponding request.

The Ticketing System

The store opened a ticket on my behalf (at least there *is* a ticketing system),
and I began to receive emails from the ticketing system. They mostly look like 
this:

 /Person's name/ just logged a message to a ticket in which you participate.

 [content of message]

 
 /You're getting this email because you are a collaborator on ticket #229757
 https://support.openbsdstore.com/view.php?auth=c1x2qaqaabxamaaa4o7EuU%2BmlBQAJA%3D%3D.
 To participate, simply reply to this email or click here
 https://support.openbsdstore.com/view.php?auth=c1x2qaqaabxamaaa4o7EuU%2BmlBQAJA%3D%3D
 for a complete archive of the ticket thread./

I cannot, however, participate by clicking on the link. The link is only for
internal use.  So the system can't differentiate between support staff and
customers.


Bank Details

I am requested to provide bank details. Fair enough. I provide my IBAN (int'l
bank account number) and BIC/SWIFT (unique bank ID) details. These two items are
sufficient to transfer money *anywhere* within the EU (In fact, the IBAN alone
is sufficient, as it contains the bank code). This is made possible by SEPA.
From wikipedia:
 The *Single Euro Payments Area* (*SEPA*) is a payment-integration initiative
 of the European Union http://en.wikipedia.org/wiki/European_Union for
 simplification of bank transfers denominated in euro
 http://en.wikipedia.org/wiki/Euro. As of February 2014, SEPA consists of the
 28 EU member states, the 4 members of the EFTA
 http://en.wikipedia.org/wiki/European_Free_Trade_Association (Iceland,
 Liechtenstein, Norway and Switzerland), Monaco and San Marino
 http://en.wikipedia.org/wiki/San_Marino

IBAN/BIC Not Enough

The response is:
 I'm very sorry but our bank require your bank's address...
That the bank demands my bank's address is pure rubbish.


Transfer Costs More Than Refund

The next missive from openbsdstore.com was:
 Hopefully you should have received the €15 sent by post - unfortunately we 
 had
 to send it in this way, as our bank wanted to charge us €20 to send it to 
 you
 electronically!
This can't be happening. And in fact an envelope containing a 10 and a 5 euro
note arrived somewhat later.

Maybe OpenBSD should look for a European partner that can tell its bank what to
do, instead of the other way round?

Rob Urban



any interest in old compaq/HP SCSI/FC disks?

2013-10-10 Thread IMAP List Administration
Hello Misc & Tech,

please forgive my cross-posting -- I wanted to be sure to reach people who might
be interested.

Some people I know are preparing to move out of an old machine-room, and will
dispose of some old hard disks soon.

The collection varies:
Sizes: 4.3, 9.1, 18, 36 (and maybe 72) GB
Interface: mostly LVD (maybe some HVD), a few copper FC
Connectors: mostly SCA-2, some 68-pin high-density connectors.

If it's important, I can probably get the exact model numbers of the disks.

The drives are located in Munich, Germany.

replies to: ur...@tru64.org

cheers,

Rob Urban



syslog-ng fails to start on v5.3

2013-06-09 Thread IMAP List Administration
Hello,

I recently installed 5.3 on my mail/imap/http server.  As I've used syslog-ng
for years, as part of the customization process I edit /etc/rc and change
syslog to syslog_ng.  There has been a problem in the past with syslog-ng
not finding libraries in /usr/local/lib because at the point in rc where syslog
is started ldconfig has not yet run.

In 5.2 (and possibly in previous versions) this was solved by setting up the
rc_pre hook to run /sbin/ldconfig -m /usr/local/lib.  This worked on 5.2.
This seems to be the official solution, as the syslog_ng start script now
contains the rc_pre hook.

On 5.3 this fails, because /var/run/ld.so.hints does not exist, and ldconfig
-m path cannot merge anything into it.

I realize that I will be cursed and derided for editing /etc/rc, and one
solution would be to simply turn off syslog by adding syslogd_flags=NO to
rc.conf.local, and adding syslog_ng to rc.conf.local's pkg_scripts list.

This solution does not appeal to me because there is a fair chunk of code in
/etc/rc between the start of syslog and where the pkg_scripts are run, for which
no messages will be logged. I do not like the idea of losing log messages,
particularly those generated when services start.

My current solution is to call syslog-ng prefixed by
LD_LIBRARY_PATH=/usr/local/lib.

I am happy with this, but someone might fancy getting the official solution to
work again.

cheers,

Rob Urban



Re: How to configure pppoe client on OpenBSD?

2013-01-13 Thread list
My apologies to all; I didn't mean to be trolling or rude back to those 
helpful on the list.


I just felt off-putting comments like 
let-me-find-that-man-page-for-you are not the right way to treat those 
who support your projects.


A response back like "check the man pages, check the FAQs, look on 
daemon forums, or google that" is fine.


I know it's daunting to get redundant questions all the time and have 
new people who don't know where to look.


To me it's just sad to see new people treated like crud; how can you 
get new supporters, porters and volunteers if new people aren't welcome? 
Even the uneducated sloppy ones can spend a few bucks on CDs and T's.


Anyway ... sorry to all I offended.



On 2013-01-13 18:43, Theo de Raadt wrote:

 On Sun, Jan 13, 2013, at 02:26 PM, Jay Jennings wrote:
 Rudeness is why people find openbsd hard for newbies; and potentially new
 funders of the projects and buyers of cds and merchandise.


Jay is the rude person here.

Someone helps him, and he insults them.

The world would be better off without characters like Jay.




responding to buttonpress ACPI event sent by KVM/Qemu (same behavior in v5.2)

2012-11-24 Thread IMAP List Administration
Hello,

some of you may remember a posting of mine here from March, 2012, in which I
mentioned that the ACPI buttonpress event is not being correctly transmitted
from a debian 6 host to an OpenBSD v5.1 guest.

In the meantime I've installed an OBSD v5.2 system which exhibits exactly the
same behavior -- the guest hangs (freezes) instantly and totally.

I've seen similar posts in the past which yielded replies mostly to the effect
of OpenBSD's implementation is clean, Linux must be the bad guy.

I'm not interested in assigning blame, or seeing it assigned. I'd simply like to
see the problem solved, somehow.

Would a developer be willing to have a look, if I set up a v5.2 sandbox on the
debian host?

cheers,

Robert Urban

--- original message ---

Hello,

I'm trying to get a v5.0 system newly installed in a VM running on Debian v6
amd64 (squeeze) to respond properly when I execute virsh shutdown GUEST, which
apparently sends an ACPI power-button-press event to the guest.  I have acpi
configured for the guest.

Currently, when I run the command, the guest hangs totally.  All interactive
sessions, including console are frozen, and the guest stops answering pings.

It's not clear from the acpi(4) manpage what mechanism is/should be invoked for
this event, and what can be, or must be, configured for it to work.

thanks,

Robert Urban



sparc Ultra 10 workstation available for donation in Munich

2012-10-25 Thread IMAP List Administration
Hello Folks,

I'm about to chuck out an old SparcStation, but I wanted to ask here first in
case someone could put it to use.

Details:
512MB Memory
20GB disk
UltraSPARC IIi 333MHz
CDROM (IDE, I guess)
Floppy Drive
Keyboard and Mouse are part of the package.

If interested, please send me a mail at urban [at] spielwiese [dot] de.

cheers,

Robert Urban



Re: how to generate kernel message for testing

2012-09-11 Thread IMAP List Administration
On 09/03/2012 03:08 AM, Ted Unangst wrote:
 On Mon, Sep 03, 2012 at 02:44, IMAP List Administration wrote:

 I haven't seen anything in /var/log/kern since it's been running (days).

 Is there some way to generate a test kernel message ala logger(1)?  If
 not, how
 about a harmless way to get the kernel to report an error?
 plug something into a usb port.

good idea. Only problem is, OpenBSD is running in a VM.

Is there another way?



how to generate kernel message for testing

2012-09-02 Thread IMAP List Administration
Hello,

I've replaced syslogd with syslog-ng.  I have the following config for kernel
messages:

 source kernel {
 file("/dev/klog" program_override("kernel: "));
 };

 destination kern { file("/var/log/kern"); };

 log { source(kernel); destination(kern); };

Perhaps someone can comment on the validity of this config?

I haven't seen anything in /var/log/kern since it's been running (days).

Is there some way to generate a test kernel message ala logger(1)?  If not, how
about a harmless way to get the kernel to report an error?

thanks,

Rob



responding to buttonpress ACPI event sent by KVM/Qemu

2012-03-21 Thread IMAP List Administration
Hello,

I'm trying to get a v5.0 system newly installed in a VM running on Debian v6
amd64 (squeeze) to respond properly when I execute virsh shutdown GUEST, which
apparently sends an ACPI power-button-press event to the guest.  I have acpi
configured for the guest.

Currently, when I run the command, the guest hangs totally.  All interactive
sessions, including console are frozen, and the guest stops answering pings.

It's not clear from the acpi(4) manpage what mechanism is/should be invoked for
this event, and what can be, or must be, configured for it to work.

thanks,

Robert Urban



Detect APC UPS is on battery

2011-10-17 Thread mailing list
Hello Everyone,

I have a machine running OBSD 4.4 which has an APC Back-UPS ES 550.

Is there any way to have OpenBSD detect when power is coming from battery?
(I plan on having the system send me an SMS if so.)

I found the following: http://www.apcupsd.com/
My understanding is you need a USB connection to the UPS. (The one I have has no
USB.)

Anyone know of a package using detection over voltage changes (or
something)?

Thanks

-- 
Ben Adams
http://www.SpryMed.com/



Installer Source

2011-02-10 Thread mailing list
Can someone direct me to a copy of the OpenBSD installer source code?
Thanks



Discover the Key to THE CLOUD - Register now for Brocade's Conference in Dubai

2010-11-10 Thread GCC/UAE List
BROCADE CONFERENCE 2010 Dubai - 29th & 30th November Grosvenor House Hotel

DISCOVER THE KEY TO THE CLOUD
& FUTURE NETWORK TECHNOLOGIES

Without the right infrastructure you can forget being able to leverage
the benefits of the cloud and a virtual data center.  At the Brocade
Conference in Dubai - 29th & 30th November, Brocade and its ecosystem of
partners will show how to optimize your existing network infrastructure
in order to deploy a high performance, scalable network that will enable
you to offer a true virtual environment and begin the journey to the
cloud. The Brocade Conference is designed to keep you one step ahead.

Discover leading insights and market trends, learn about Brocade One's
unifying network architecture, get free networking certifications and
learn how new IP, Fibre Channel and FCoE/DCB technologies give you the
power to transform your business.

With independent guest speakers, industry analysts and technical breakout
sessions, it's the IT infrastructure event you can't afford to miss.

Register Today! It's Free!

WWW.BROCADE-EVENTS.COM/BC2010

BROCADE CONFERENCE 2010
FRANKFURT | PARIS | DUBAI | LONDON

REGISTER

BROCADE

Reasons to attend:

Meet the Brocade Executive team
Network with our key innovation Partners
Gain innovative insight
Understand emerging trends
Exchange ideas
Hear from independent industry experts
Attend our Education in a Nutshell sessions to gain certification

Brocade Communications Systems, Inc. 130 Holger Way, San Jose, California
95134

© 2010 Brocade Communications Systems, Inc. All Rights Reserved. Brocade
and the B-wing symbol are registered trademarks of Brocade Communications Systems,
Inc. All other brands, products, or service names mentioned are or may be
trademarks or service marks of their respective owners.

To unsubscribe from: GCC/UAE List, just follow this link:

http://www.itpmailer.com/cgi-bin/mojo/mojo.cgi?f=ul=gcc_liste=m...@openbsd.orgp=4839

Click this link, or copy and paste the address into your browser.



encryption

2009-08-26 Thread My List Mail
Been waiting for a while to see some current encryption added to
openbsd. Surprised it has not been already, and frankly find it weak
that the 'worlds most secure OS' does not have current encryption. Why
is this?

I use vnconfig for encryption, which uses Blowfish. Blowfish is old,
early 1990's. 64-bit block size. I realize there is no known
cryptanalysis of it out in the public domain. But I would feel safer
using AES (Rijndael), Serpent, or Twofish. Something with a 128-bit
block size (and 256-bit key). Something that is recommended and in use
as a current standard. Even Bruce Schneier, blowfish's creator has
recommended that a stronger cipher be used.

At this point, though, I'm amazed it's still being used. If people
ask, I recommend Twofish instead.
from
http://www.computerworld.com.au/article/46254/bruce_almighty_schneier_preaches_security_linux_faithful?pp=1fp=4194304fpid=1
on page 3 of article

He also recently blogged about some attacks on AES, although none are
effective against all 14 rounds

What cipher is used to protect confidential information on the SECRET
and TOP SECRET levels? It's not blowfish, it's AES-256.

I love OpenBSD, been using it since 3.3. Bought my 3.6 CD set and a
few t-shirts to support the project (Was surprised to read recently
that t-shirts do not directly support the project. Something else that
needs to be fixed. I know I'll buy more t-shirts, but CD sets are
doubtful) Tried to donate some old mac ppc hardware to support the
project, but never got a response from developers. I want to continue
using it and supporting it. But the operating system that is so
focused on security needs some cipher updates. Options for people to
choose from, not just old blowfish.

I am writing this because I am torn. On one end, the OS I love, am
familiar with, and includes so many great security features, by
default. On the other end, is this concern about encryption and
openbsd's lack of it. I am considering using any linux flavor, because
they all support AES(Rijndael) as well as the most popular
finalists for AES, like Serpent and Twofish. I want to use OpenBSD,
but need to use the AES cipher. I do not feel safe with just blowfish.
Blowfish just does not 'cut it'.

Please update the OS to include these new encryption standards.

If someone can explain why openbsd still only uses blowfish, after all
this time, that would be helpful too. If this is the case, it is time
for me to look for a secure operating system. Something with ciphers
that are current, relevant, and still recommended for use.

J-BSD



Re: I can't mount HDDs

2009-04-07 Thread Mark - obsd list

Jose P.G wrote:

I swear that I am not a troll. I don't understand anything, LOL, why do I have to
be a troll? My questions are REAL, I haven't read the FAQ carefully, I only
seek help (faster, I think).

REALLY, I don't understand, when I was learning about Linux Debian I was
asking the same questions (though Linux is easier for beginners), why is this
mailing list different? I repeat, I don't understand why I have to be a
troll.

Thank you.
  


Jose, without trying to be too rude, if this is the mindset you're 
bringing to the table, you're in way over your head and should probably 
stick to learning Debian further (based on the questions you're asking 
here, you very definitely have _not_ learned Debian/linux yet).


Regards,
Mark



Re: I can't connect to Internet

2009-04-06 Thread Mark - obsd list

Jose P.G wrote:

Ok, Internet is working. But I have the same problem. The strange thing is that I
can connect to the ftps when I am installing openbsd4.4, but not when I am
doing this. pkg_path is correct so I suppose that I am making an error
writing, though all I do is export pkg_path=
ftp://ftp.openbsd.org/ub/openbsd/4.4/packages/i386/; and pkg_add gnome2.

What could be doing this? Thank you very much.

  
I sure hope this is just a troll. He has written OpenBSD in just about 
every way that won't work and is ignoring everyone telling him 
repeatedly that he has to capitalize BSD.




Re: new home box for secure data storage

2008-10-30 Thread eric-list-openbsd-misc
On Thu, 2008-10-30 at 10:45:20 -0400, Douglas A. Tutty proclaimed...

 Yes.

Then keep it off a computer. Otherwise look for solutions that have already
been presented...because they work.

- Eric



Re: Sun M-class hardware denial of service

2008-09-10 Thread list-obsd-misc
My understanding of this issue is that it is only likely to be caused by an 
exploited domain, or running OpenBSD. Both should be a rare event (OpenBSD 
isn't really production-ready on this hardware). It's acceptable in the 
majority of cases to just let the domain be unused.

It's a bug, it's irritating, it should be fixed, but it's not a huge problem.



Re: Packet Filter: how to keep device names on hardware failure?

2008-08-22 Thread list-obsd-misc
 Question: How can I make sure that em2 doesn't become em0
 if my dual-port NIC dies? This would be fatal for my firewall
 setup. At least the antispoof rules _must_ be bound to the
 network devices.

Yep, this is an ugly problem.

You could have a shellscript at boot scan ifconfig output and associate NICs 
with their MAC addresses, adding appropriate macros to pf.conf.
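
The boot-time script suggested above, as an added example (not code from the thread, and not anyone's production script): it reads "ifconfig -a" output, maps the MAC address of each card to the pf macro that names its role, and refuses to emit macros at all when a listed MAC has gone missing, so the antispoof rules never get bound to whichever surviving card the kernel renumbered to em0. The role-map format, the MACs and the ifconfig excerpts are constructed for this example.

```sh
#!/bin/sh
# Added example (not from the thread): derive the pf.conf interface macros
# from the MAC addresses in "ifconfig -a" output, so antispoof and other
# per-interface rules follow the physical NIC rather than the em0/em1/em2
# numbering the kernel hands out after a card dies. The role-map format
# and the sample ifconfig output are constructed for this example.

# pf_macros_from_mac IFCONFIG_FILE ROLEMAP_FILE
#   ROLEMAP_FILE lines: "<macro> <lladdr>", e.g. "ext_if 00:1b:21:aa:bb:01".
#   Prints one 'macro = "ifN"' line per role, in role-map order.
#   Returns 1 if a listed MAC is not present on any interface, so that a
#   dead NIC makes the generated pf.conf fail to load instead of letting
#   the rules silently bind to whichever device is now em0.
pf_macros_from_mac() {
    awk '
        # First file (the role map): remember each MAC and its macro, in order.
        FILENAME == ARGV[1] {
            if (NF >= 2) { n++; order[n] = tolower($2); role[tolower($2)] = $1 }
            next
        }
        # Second file (ifconfig output): header lines look like "em0: flags=...";
        # the lladdr line that follows belongs to that interface.
        /^[a-z]+[0-9]+: / { iface = substr($1, 1, length($1) - 1); next }
        $1 == "lladdr"    { by_mac[tolower($2)] = iface }
        END {
            rc = 0
            for (i = 1; i <= n; i++) {
                m = order[i]
                if (m in by_mac) {
                    printf "%s = \"%s\"\n", role[m], by_mac[m]
                } else {
                    printf "error: no interface has lladdr %s (needed for %s)\n", m, role[m] > "/dev/stderr"
                    rc = 1
                }
            }
            exit rc
        }
    ' "$2" "$1"
}

# generate_macros ROLEMAP_TEXT IFCONFIG_TEXT: write both texts to temporary
# files, run pf_macros_from_mac on them and return its exit status.
generate_macros() {
    map=$(mktemp) || return 2
    cfg=$(mktemp) || { rm -f "$map"; return 2; }
    printf '%s\n' "$1" > "$map"
    printf '%s\n' "$2" > "$cfg"
    pf_macros_from_mac "$cfg" "$map" && rc=0 || rc=$?
    rm -f "$map" "$cfg"
    return $rc
}

# Which physical card plays which role (constructed MACs).
ROLE_MAP='ext_if 00:1b:21:aa:bb:01
int_if 00:1b:21:aa:bb:02
dmz_if 00:1b:21:aa:bb:03'

# Constructed "ifconfig -a" excerpt: dual-port card (em0, em1) plus em2.
IFCONFIG_ALL_PRESENT='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1b:21:aa:bb:01
        index 1 priority 0 llprio 3
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1b:21:aa:bb:02
        index 2 priority 0 llprio 3
em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1b:21:aa:bb:03
        index 3 priority 0 llprio 3
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
        index 4 priority 0 llprio 3'

# The same box after the dual-port card died: the old em2 is now em0.
IFCONFIG_DUAL_PORT_DEAD='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1b:21:aa:bb:03
        index 1 priority 0 llprio 3
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
        index 2 priority 0 llprio 3'

# Demonstration: the first run yields macros to include in pf.conf, the
# second refuses because the ext_if and int_if cards no longer exist.
generate_macros "$ROLE_MAP" "$IFCONFIG_ALL_PRESENT"
generate_macros "$ROLE_MAP" "$IFCONFIG_DUAL_PORT_DEAD" || echo "refusing to generate pf.conf macros (exit $?)"
```

At boot the generated lines can be written to a file that pf.conf pulls in with an include, and a non-zero exit from the script should keep pf from loading rather than loading them against the wrong card.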



Re: Hardware recommendation for firewalls (more than 4 NICs)

2008-08-08 Thread list-obsd-misc
On Fri, Aug 08, 2008 at 06:54:05PM -0500, patric conant wrote:
 You strongly overestimate the value of your comments (3 cents), it seems
 like there are many places more appropriate than this one for you to suggest
 middle-of-the-road hardware running a proprietary OS that has among the
 worst security records in the industry.

Oh, god, Cisco vs anyone else, especially free solutions seems to degenerate 
into things like this.

IOS and IOS XR actually have quite a good security history - other Cisco 
software, no.

If you doubt me, actually look at the security record - oh, and be careful not 
to just compare OpenBSD's only 2 remote holes in the default install vs IOS - 
many (most) of the IOS vulnerabilities are for things that haven't been enabled 
by default on recent IOS images.

The general purpose computer parts of Cisco routers are 
middle-of-the-road hardware in speed; much (slow) embedded hardware is far 
more reliable than the 'PC' equivalent. 

Server hardware (you shouldn't run anything important on a PC -- use proper 
server hardware) + Linux/Solaris/NetBSD/FreeBSD/OpenBSD works well as a router 
and firewall. IOS on a Cisco router does as well. The *nix solution works well 
and is cheap, but in my experience it's still slightly less stable than the 
Cisco equivalent. More importantly in many ways, Cisco hardware is usually 
marginally more reliable (both are reliable) than server hardware. 

IOS, while a complete PITA, is easier to configure than plain *nix OSes for 
networking stuff - one does not have sprawling config files, and making a 
config change updates running-config, making it easy to save your changes; ip 
address 192.0.2.0 255.255.255.255;do wr m is much easier than ifconfig fxp0 
192.0.2.0/24;vi /etc/hostname.fxp0;edit. It's also much less error prone, 
which is important.

With things like Quagga/Zebra this advantage is eliminated, but both of those 
have problems far more frequently than IOS.

IOS is a lot easier to upgrade than any *nix - just copy the image,
reload. Downtime is short, though many of their routers boot slow. This
*could* be changed (I'm thinking something along the lines of Solaris
LU - but easier), but as of yet has not been.

But, it's *much* cheaper, and PF is vastly better than IOS's firewall.

Software routers struggle at high PPS; Cisco makes some nice hardware that can 
handle that. As does Juniper, and a few others.



Re: Hardware recommendation for firewalls (more than 4 NICs)

2008-08-08 Thread list-obsd-misc
 So you expect additional reliability from stacking ebayed cisco equipment
 with OpenBSD bridges behind them, as the original poster mentioned, and cost
 effectiveness by buying used cisco equipment and paying for relicensing so
 that you can get updates, compared to setting up OpenBSD boxes as routers, I
 am not following the logic, and still think the original post was
 ridiculous. I understand the logic behind the no moving parts embedded
 solution ideas, but am I the only person who has seen embedded equipment
 fail 2-4x more often than the Proliants behind them? I just don't think that
 embedded=reliable is a cut and dry equation.

Provided the Cisco boxes will failover to different bridges, I think that it 
would increase reliability. There are also many occasions where it is 
impractical to have an OpenBSD box terminate a link - T3, OC-12, etc. 

I explicitly mentioned that OpenBSD is much cheaper. One might get higher cost 
effectiveness in a few occasions (such as where the networking guys are 
clueless about OpenBSD).

Of course embedded != reliable, but there are many embedded systems available 
that provide much higher reliability than standard x86 systems.

Most Cisco routers I've seen do have moving parts - big fans.

You're probably not the only person to see such failure rates, but I expect 
new, well cared for Cisco routers have higher hardware reliability than new, 
well cared for Proliants. Other embedded equipment is very variable.

What embedded equipment were you talking about? 

The original post was ridiculous, but that doesn't make your reply accurate.



Re: Any offshore OpenBSD hosting?

2008-06-18 Thread list-obsd-misc
 But if ISPs must have a blackbox on their interfaces (hello FBI), then you can't
 trust your local hosting company even if they are very friendly ;-)

Cisco prefers a blueish-black color. Juniper boxes tend to be white and blue.

In most Western countries there are many ISPs; if many of them were forced to 
have, in secret, black boxes on their networks, it would soon be public that 
that is occurring.

Providers are, in many cases, being forced to allow, unmonitored, snooping by 
their governments - read up on CALEA. Hardware based routing platforms will be 
able to handle only a very small amount of traffic, the CPUs that are used in 
them tend to be very slow and even the fastest CPUs can route only a tiny 
amount of the traffic modern hardware-based routers can.

So, if the government wants to monitor YOU specifically, or occasionally 
monitor everyone, they might be able to do it via CALEA.

If I wished to monitor a large amount of people's traffic (not all - that's not 
technically feasible), I would try and use passive taps with the cooperation of 
major transit providers. If I was on a smaller budget, then I would just do 
that with some major telcos.  The NSA appears to have decided to use a hybrid 
approach. If I had very large amounts of money that I am willing to spend 
(well, government has lots of money, and it's not theirs, so why would they 
mind spending it?) I would do the same with cable providers (not the coax kind).

I would definitely try and avoid small ISPs and IXPs - high maintenance, high 
whining and very difficult to perform surveillance using them clandestinely. 
Laying a submarine cable is far more expensive than starting an ISP or IXP.

So, basically, you are being paranoid about the wrong things. 



Re: ssh-keygen not reading stdin as expected

2008-06-15 Thread list-obsd-misc
 Option -f filename, Filename of the key file, seems to be the right
 option and '-' is the usual way of indicating stdin.

So? Just use /dev/stdin.



OpenBGPD IPv6 problems

2008-05-09 Thread list-obsd-misc
I'm running OpenBSD 4.2 on SPARC64. I have managed to get a simple BGP setup 
working on IPv4, however the IPv6 version of the same setup fails. A BGP 
session is established in both cases and peer B claims to be announcing what it 
should be announcing, yet in the IPv6 version peer A does not add it to its RIB.

Host A:
AS: 64512
Loopback: 192.168.0.1 2001:db8::1
To B: 192.168.1.1/24 2001:db8:1::1/64
Host B:
AS: 64513
Loopback: 192.168.0.2 2001:db8::2
To A: 192.168.1.2/24 2001:db8:1::2/64
To miscellaneous subnet: 192.168.2.1/24 2001:db8:2::1/64

Host A:

lo0:
inet6 ::1 prefixlen 128
inet6 2001:db8::1 prefixlen 128
inet 127.0.0.1 netmask 0xff00
inet 192.168.0.1 netmask 0x

gem1:
inet6 2001:db8:1::1 prefixlen 64
inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.255

bgp.conf.v4:
AS 64512
router-id 192.168.0.1

neighbor 192.168.1.2 {
remote-as 64513
announce all
}

allow from any

bgp.conf.v6:
AS 64512
router-id 192.168.0.1

neighbor 2001:db8:1::2 {
remote-as 64513
announce all
}

allow from any

bgpctl sh (v4):
Neighbor AS   MsgRcvdMsgSentOutQ  Up/Down  State/PrfRcvd
192.168.1.2 64513  3  3 0 00:00:13  2

bgpctl sh (v6):
Neighbor AS   MsgRcvdMsgSentOutQ  Up/Down  State/PrfRcvd
2001:db8:1::2   64513  3  4 0 00:00:31  0

bgpctl sh rib:
*192.168.0.2/32  192.168.1.2100 0 64513 i
*192.168.2.0/24  192.168.1.2100 0 64513 i

bgpctl sh rib inet6:
flags: * = Valid, > = Selected, I = via IBGP, A = Announced
origin: i = IGP, e = EGP, ? = Incomplete

flags destination gateway  lpref   med aspath origin

Host B:

lo0:

inet 127.0.0.1 netmask 0xff00
inet6 ::1 prefixlen 128
inet 192.168.0.2 netmask 0x
inet6 2001:db8::2 prefixlen 128

gem0:
inet 192.168.2.1 netmask 0xff00 broadcast 192.168.2.255
inet6 2001:db8:2::1 prefixlen 64

gem1:
inet 192.168.1.2 netmask 0xff00 broadcast 192.168.1.255
inet6 2001:db8:1::2 prefixlen 64

bgpd.conf.v4:
AS 64513
router-id 192.168.0.2

network 192.168.0.2/32
network 192.168.2.0/24

neighbor 192.168.1.1 {
remote-as 64512
announce all
}

allow from any

bgpd.conf.v6:
AS 64513
router-id 192.168.0.2

network 2001:db8::2/128
network 2001:db8:2::/64

neighbor 2001:db8:1::1 {
remote-as 64512
announce all
}

allow from any

bgpctl sh (v4)
Neighbor AS   MsgRcvdMsgSentOutQ  Up/Down  State/PrfRcvd
192.168.1.1 64512  2  4 0 00:00:11  0

bgpctl sh (v6)
Neighbor AS   MsgRcvdMsgSentOutQ  Up/Down  State/PrfRcvd
2001:db8:1::1   64512  2  2 0 00:00:06  0

bgpctl sh rib
AI*  192.168.0.2/32  0.0.0.0100 0 i
AI*  192.168.2.0/24  0.0.0.0100 0 i

bgpctl sh rib inet6
AI*  2001:db8::2/128 :: 100 0 i
AI*  2001:db8:2::/64 :: 100 0 i
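The summary output above is what separates the two cases: both sessions are Established, but the IPv6 one has delivered zero prefixes to host A while its IPv4 twin carries two. As an added example (not code from the thread), this Python parses that `bgpctl show` summary layout and reports Established-but-empty sessions separately from sessions that never came up; the column spacing and the extra "Active" neighbor are constructed assumptions, not taken from the thread.

```python
# Constructed sample in the bgpctl(8) "show" summary layout, using the values from
# the thread above plus one assumed neighbor that never came up.
SUMMARY_V6 = """\
Neighbor                 AS    MsgRcvd    MsgSent  OutQ Up/Down  State/PrfRcvd
2001:db8:1::2         64513          3          4     0 00:00:31      0
2001:db8:9::9         65000          0          0     0 Never    Active
"""
SUMMARY_V4 = """\
Neighbor                 AS    MsgRcvd    MsgSent  OutQ Up/Down  State/PrfRcvd
192.168.1.2           64513          3          3     0 00:00:13      2
"""


def parse_summary(text):
    """Split bgpctl summary rows into dicts.

    The last column is an integer prefix count while the session is Established
    and a state name (Idle, Active, Connect, ...) otherwise. Assumes neighbors
    are shown as addresses or single-word descriptions (seven whitespace fields)."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 7 or fields[0] == "Neighbor":
            continue  # header line or something that is not a neighbor row
        neighbor, asn, rcvd, sent, outq, updown, last = fields
        established = last.isdigit()
        rows.append({
            "neighbor": neighbor,
            "as": int(asn),
            "msg_rcvd": int(rcvd),
            "msg_sent": int(sent),
            "outq": int(outq),
            "up_down": updown,
            "state": "Established" if established else last,
            "prefixes": int(last) if established else None,
        })
    return rows


def silent_sessions(rows):
    """Neighbors that are Established yet have delivered zero prefixes: the symptom
    host A shows on its IPv6 session in the thread."""
    return [r["neighbor"] for r in rows
            if r["state"] == "Established" and r["prefixes"] == 0]


def down_sessions(rows):
    """Neighbors that are not Established at all, a different failure than an empty RIB."""
    return [r["neighbor"] for r in rows if r["state"] != "Established"]


if __name__ == "__main__":
    for label, text in (("inet", SUMMARY_V4), ("inet6", SUMMARY_V6)):
        rows = parse_summary(text)
        print(label, "silent:", silent_sessions(rows), "down:", down_sessions(rows))
```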



Blackhole / reject routes

2008-02-24 Thread list-obsd-misc
Currently I'm blackholing and rejecting some traffic with route add 
-reject/-blackhole address 127.0.0.1; this works fine, but bounces all the 
rejected/blackholed traffic to the loopback interface. 

This behaviour is... annoying, and possibly inefficient. I'm probably searching 
for a null/blackhole/fake address/interface. I tried creating an unconfigured 
pseudo-device, slapping an IP address on it and routing it to there; it 
blackholes traffic effectively, but also blackholes traffic if you have a 
reject. 

What is a better way to reject/blackhole traffic in OpenBSD?



Re: brute force voip QoS

2008-01-30 Thread list-obsd-misc
> My bandwidth is very very limited. Not more than 140 Kbps on both
> sides at any time. I use G729 as a codec in order to reduce
> consumption. Use the pf.conf below, when VoIP is the only traffic,
> the quality of the calls is excellent with no voice cutting at all.
> Now if I start a download I immediately see the quality degrade.
>
> That is why I thought of using some radical policy.

That's strange; it may be your connection struggles at much lower bandwidths 
than nominal - for instance, perhaps it suffers high packet loss at 80% 
utilization; TCP could recover, but VoIP might be affected.

Doing what you want should be quite simple, though. There are many ways I can 
think of detecting VoIP traffic if your ruleset manages to - have pf log 
(all) on a pflog interface dedicated to it, look at queue traffic - and many 
ways of blocking everything other than that. I can't think of an elegant way of 
doing what you want, though!



Re: low-MHz server

2008-01-30 Thread list-obsd-misc
You said you live rurally - in that case, perhaps you should build/buy a small 
quality (read as: won't get wet) shed, have your systems there and run some 
outdoor-rated CAT5e from it to your house. That should allow you to use KVM 
extenders, serial, etc. Remember the inverse-square law for RF. RF usually is 
attenuated greatly by opaque things, though just plants etc. will also 
attenuate. If you can place it behind a hill that would be good. 

Also, apply for the JREF Million Dollar Challenge. If you succeed, you should 
have a lot more options on reducing RF.



Re: brute force voip QoS

2008-01-30 Thread list-obsd-misc
To: Stuart Henderson [EMAIL PROTECTED]
Subject: Re: brute force voip QoS

>> pass out queue (std_out,lowdelay)
>
> here, you place ACKs from downloads at a higher priority than
> your voip calls. this is unlikely to be what you want with priq
> over a 140Kb/s link..

According to pf.conf, that also prioritizes packets with ToS set to lowdelay; 
looking at what ToS the packets have would be a good idea.
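The reply above points out that `pass out queue (std_out,lowdelay)` hands empty download ACKs, and any packet whose ToS byte has the lowdelay bit set, to the higher-priority queue. As an added example (not code from either message), the Python below applies that two-queue rule to constructed packets from the setup described in the thread: EF-marked G.729/RTP (ToS 0xb8) does carry the lowdelay bit and gets priority, but CS5-marked or unmarked voice does not and competes with download data while the download's bare ACKs jump ahead of it. The addresses, ports and packet contents are the example's own assumptions.

```python
import socket
import struct

# Bits in the IPv4 ToS byte. pf.conf's "queue (a, b)" form assigns packets with the
# lowdelay bit set, and TCP ACKs carrying no payload, to the second queue b.
IPTOS_LOWDELAY = 0x10
TCP_FLAG_ACK = 0x10
PROTO_TCP, PROTO_UDP = 6, 17
IP_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options


def build_ipv4(tos, proto, payload, src="192.0.2.10", dst="198.51.100.20"):
    """Constructed test datagram: 20-byte IPv4 header, checksum left at zero."""
    hdr = struct.pack(IP_FMT, 0x45, tos, 20 + len(payload), 0, 0x4000, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_tcp(flags, payload=b"", sport=49152, dport=80):
    """Constructed 20-byte TCP header (data offset 5) followed by payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0) + payload


def build_rtp_udp(payload, sport=16384, dport=16384):
    """Constructed UDP datagram carrying a 12-byte RTP header (PT 18 = G.729) and audio."""
    rtp = struct.pack("!BBHII", 0x80, 18, 1, 160, 0x1234)
    data = rtp + payload
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def pf_second_queue(pkt):
    """Apply pf's two-queue assignment rule to one raw IPv4 packet.

    Returns (True, reason) if the packet would land in the second (priority) queue,
    (False, reason) if it stays in the first queue with the bulk traffic."""
    ver_ihl, tos, total_len, _id, _frag, _ttl, proto, _csum, _src, _dst = \
        struct.unpack(IP_FMT, pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    dscp = tos >> 2
    if tos & IPTOS_LOWDELAY:
        return True, f"ToS 0x{tos:02x} (DSCP {dscp}) has the lowdelay bit set"
    if proto == PROTO_TCP:
        tcp = pkt[ihl:ihl + 20]
        data_off = (tcp[12] >> 4) * 4
        if tcp[13] & TCP_FLAG_ACK and total_len - ihl - data_off == 0:
            return True, "TCP ACK with no payload"
    return False, f"ToS 0x{tos:02x} (DSCP {dscp}): first queue, shared with bulk data"


def classify_samples():
    """Constructed traffic mix for the 140 Kbps link: G.729 voice plus a download."""
    g729_frame = b"\x00" * 20   # 20 ms of G.729 audio
    samples = {
        "voice, EF-marked (0xb8)":  build_ipv4(0xB8, PROTO_UDP, build_rtp_udp(g729_frame)),
        "voice, CS5-marked (0xa0)": build_ipv4(0xA0, PROTO_UDP, build_rtp_udp(g729_frame)),
        "voice, unmarked (0x00)":   build_ipv4(0x00, PROTO_UDP, build_rtp_udp(g729_frame)),
        "download, bare ACK":       build_ipv4(0x00, PROTO_TCP, build_tcp(TCP_FLAG_ACK)),
        "download, data segment":   build_ipv4(0x00, PROTO_TCP,
                                               build_tcp(TCP_FLAG_ACK, b"\x00" * 1400)),
    }
    return {name: pf_second_queue(pkt)[0] for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, prio in classify_samples().items():
        print(f"{name:28s} -> {'second (priority) queue' if prio else 'first queue'}")
```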



Re: Please explain this disk (?) error

2008-01-11 Thread eric-list-openbsd-misc
On Fri, 2008-01-11 at 16:05:49 +0100, jere proclaimed...

> I suddenly got this error (while surfing the web in default Gnome 
> session) on OpenBSD 4.2 release (patched up to patch_004, including it).
>
> Is it a disk error or something else ? Please help.
>

This is just a soft disk error; you may have problems with your hard disk in
the future, but if you're only seeing a small number, I wouldn't worry
much yet.

Dobar dan!

- Eric



Message (Your message dated Tue, 16 Oct 2007 18:53:46...)

2007-10-16 Thread L-Soft list server at The CA-IDMS Database Applications User Association (1.8e)
Your message dated Tue, 16 Oct 2007 18:53:46 -0400 with subject Hello has
been submitted to the moderator of the IDMS-L list: Daniel Hall
[EMAIL PROTECTED].



Sukkot Special at Tushiyah

2006-08-26 Thread list
Shalom Friends of Tushiyah Press,

Sukkot is just around the corner now, and there are many good things developing 
at Tushiyah Press.  We've had a number of requests over the past couple years 
to offer 'sales' and specials, and we've never done so, always shying away from 
the 'commercialism' side of what we do.  We see books as a ministry, not a 
business.  However, this year, there is such a strong demand in advance of 
Sukkot, that we've decided to part from the usual.

For the next three weeks (to assure delivery prior to Sukkot), all orders for 
cases of 5 or more books (per title) will have the shipping cost refunded to 
the buyer.  This is now an opportunity to stock up on the Ruach Qadim series or 
Reuniting The Covenant, and pay no shipping cost on case orders!  Ordering is 
at www.tushiyah.org.

Sukkot is supposed to be a time of study and learning together.  Everyone knows 
that the 15th and 22nd days of the 7th month are special annual Moedim, but did 
you ever consider the days in-between?  These are special Moedim as well!  They 
are not Sabbaths, but they are still a part of the Chag (feast).  In ancient 
times, and again in times to come, all Yisrael was/will assemble in 
Yerushalaim, and if one is assembling away from home, one is certainly not 
working, nu?  Now you don't think our ancestors sat around in the Sukkah all 
day and played Yahtzee?  They discussed, studied, midrashed, and debated the 
things of YHWH.

This is the model we at Tushiyah want to promote for Sukkot - study and open 
discussion.

The response to Andrew Roth's latest addition in the Ruach Qadim series (Path 
To Life), has been wonderful.  It has been a long awaited addition to his first 
book - Aramaic Origins - and has been blessing everyone reading it with fresh 
Aramaic insights into the New Testament writings.

Reuniting The Covenant by Rav. David Pollina is a wealth of information and 
resources for many weeks of Sukkah study.  If you want to start discussions and 
put traditional thinking to the test of Scripture, there is no book better to 
start that off.

And now, within a couple weeks, we are extremely excited to be publishing his 
latest book - Moedai Tishmoru, Discovering The Sabbath - which is in the final 
editing process right now.  This new book is a stunning scholarly work on the 
much discussed and little understood issue of Saturday vs. a lunar anchored 
Sabbath day.  Our hope is to have this shipping before Sukkot as well.  More in 
a couple weeks...

Finally, coming this fall, Rabbi David Ben Carmel has something cooking - 
literally - a Messianic cookbook of Flax recipes designed for witnessing!  
Also, later in the fall, Rav. David Pollina's book Seed of Abraham, another 
witnessing-focussed tool.

Well, the time is growing shorter, and information resources are getting more 
important as it does.  Stock up for Sukkot with free shipping on case orders 
from Tushiyah Press... www.tushiyah.org

Spread the word.  Forward this e-mail to all your friends, and lists - 
encourage them to get involved in Sukkot study days.  Todah Rabbah (thanks a 
lot).

Shalom w'Baraka (peace and bless you),

- The Tushiyah Team


- - - - - - - - - - - - - - -
This mailing was sent to opt-in subscribers to the Tushiyah Thoughts mailing 
list.  To reach us personally, don't reply to this server, but e-mail [EMAIL 
PROTECTED]  If you wish to subscribe, send a blank e-mail from the account you 
wish to subscribe to [EMAIL PROTECTED]  If you are on the list in error, we 
apologise and will promptly remove you.  Send a blank e-mail from the account 
to be removed to [EMAIL PROTECTED]  This e-letter is published by Tushiyah 
Press, Box 10, Mosta, Malta, European Union www.tushiyah.org.  We value your 
privacy, only send one or two messages a month maximum to our friends, and 
never let anyone else use our mailing list.  Thanks.
-- The message was sent by Mass e-Mailer ---Download 
from http://www.mass-emailer.com



Ruach Qadim - Path To Life Released!

2006-06-25 Thread list
Shalom Friends of Tushiyah Press.  The much anticipated release of Ruach Qadim 
- The Path To Life by Andrew Gabriel Roth is happening this week!  Pre-orders 
for the book are available on www.tushiyah.org and should be shipping out by 
the end of this week.  More info will follow on the book, and details are 
available on the website.

-  Blessings.

As always, if you are on this opt-in list by mistake, just e-mail us to remove 
your address.  Thanks
-- The message was sent by Mass e-Mailer ---Download 
from http://www.mass-emailer.com



Re: isakmpd, preventing subnet clashing using NAT

2005-12-04 Thread OpenBSD-List

hey markus,
thanks for your reply.
no traffic on enc0 without the nat statement. i too suspect that it's 
not nat which is giving me headaches. our_fw and ASP_peer auth using a 
pre-shared key, if that's what you were asking. the tunnel gets 
established without any glitches. at least isakmpd in debug mode shows 
nothing unusual and our ASP confirmed that the tunnel is set up correctly 
(no ipsecctl available since it's a 3.7 box).
no matter where exactly i do the nat (be it on enc0 or our internal IF) 
there's no traffic on enc0. as soon as i set up additional flows with 
ipsecadm, packets vanish after entering the internal IF. i'm suspecting 
that something with the flows is wrong. without them, our_fw is trying 
to route the packets out of the external IF (no antispoof rules at the 
moment).
using google turned up a few guys who were suggesting success on a 
similar setup, doing nat on enc0 (i.e. 
http://archives.neohapsis.com/archives/openbsd/2004-05/0924.html).


greets
-WJ


Markus Wernig wrote:
>> nat on enc0 inet from 192.168.A.A/24 to B.B.B.B/8 -> 172.C.C.C
>
> Hi Realname not known
>
> What do you see if you don't use the nat statement? Do packets from
> 192.168 get sent to B.B over enc0? If not you still have some other
> problem. How do you and ASP_peer authenticate? Check first if your
> tunnels get established (ipsecctl -s all after the ping).
>
> I'm no pf expert but from my understanding of flows I'd try to nat on
> the incoming interface before encryption and routing take place.
> I think that if you nat on enc0 you will be changing the packet's
> payload and break the hash. (Not sure about that one - is there a
> description of the packet flow through a pf/ipsec gateway anywhere?)
>
> krgds /markus





isakmpd, preventing subnet clashing using NAT

2005-12-03 Thread OpenBSD-List

hello people,
i'm trying to set up a vpn between us and our ASP. they've assigned us 
their own private rfc1918 addresses, from which they want us to 
connect. basically our topology looks like depicted below:


our_internal -- our_fw -- internet -- ASP_peer -- ASP_internal

our_internal is 192.168.A.A/24
our_fw with 82.x.x.x on its external IF, running openbsd 3.7 release
the ASP_peer with 193.x.x.x on its external IF (some cisco vpn 
concentrator - which i've no access to)

ASP_internal is B.B.B.B/8
they want us to connect from 172.C.C.C/30

the tunnel between our_fw and ASP_peer is established and confirmed by 
our ASP. since our_fw would only route packets from 172.C.C.C/30 to 
B.B.B.B/8 i did set up additional flows using ipsecadm:


ipsecadm flow -addr B.B.B.B/8 192.168.A.A/24 -dst ASP_peer -proto esp 
-in -use
ipsecadm flow -addr 192.168.A.A/24 B.B.B.B/8 -dst ASP_peer -proto esp 
-out -require



the flows are shown correctly when doing netstat -rf encap.

B/8           0 172.C.C.C/30   0 0 193.x.x.x/50/use/in
B/8           0 192.168.A/24   0 0 193.x.x.x/50/use/in
172.C.C.C/30  0 B/8            0 0 193.x.x.x/50/require/out
192.168.A/24  0 B/8            0 0 193.x.x.x/50/require/out



in pf.conf i've a line saying:

nat on enc0 inet from 192.168.A.A/24 to B.B.B.B/8 -> 172.C.C.C

ping from our_internal to a machine in ASP_internal and listening with 
tcpdump -ni $int_if shows icmp echo request coming in on the internal 
IF. listening on enc0 shows nothing but silence. tcpdump -ni $ext_if 
esp shows silence too. listening on pflog0 shows packets entering our_fw 
on the internal IF. it looks like the packets simply disappear after 
entering our_fw.

at the moment our_fw does pass everything and keeps state.

also, occasionally i'm getting these from isakmpd:

transport_send_messages: giving up on message 0x3c069500, exchange 
Peer-ASP_fw

transport_send_messages: either this message did not reach the other peer
transport_send_messages: or the responsemessage did not reach us back
(tell me news...)

i know doing nat on enc0 and generally screwing up VPNs with NAT doesn't 
seem to be a very good idea, but it looks like i haven't got other 
options at the moment. please let me know if any additional infos are 
needed.


any help/hints/suggestions would be greatly appreciated.



Returned mail: Data format error

2005-11-01 Thread redhat-list
ALERT!

This e-mail, in its original form, contained one or more attached files that 
were infected with a virus, worm, or other type of security threat. This e-mail 
was sent from a Road Runner IP address. As part of our continuing initiative to 
stop the spread of malicious viruses, Road Runner scans all outbound e-mail 
attachments. If a virus, worm, or other security threat is found, Road Runner 
cleans or deletes the infected attachments as necessary, but continues to send 
the original message content to the recipient. Further information on this 
initiative can be found at http://help.rr.com/faqs/e_mgsp.html.
Please be advised that Road Runner does not contact the original sender of the 
e-mail as part of the scanning process. Road Runner recommends that if the 
sender is known to you, you contact them directly and advise them of their 
issue. If you do not know the sender, we advise you to forward this message in 
its entirety (including full headers) to the Road Runner Abuse Department, at 
[EMAIL PROTECTED]

Dear user of openbsd.org,

We have found that your e-mail account was used to send a huge amount of 
unsolicited commercial email messages during this week.
Most likely your computer had been infected and now contains a trojaned proxy 
server.

We recommend that you follow our instruction in order to keep your computer 
safe.

Have a nice day,
openbsd.org user support team.
file attachment: file.zip



This e-mail in its original form contained one or more attached files that were 
infected with the [EMAIL PROTECTED] virus or worm. They have been removed.

For more information on Road Runner's virus filtering initiative, visit our 
Help & Member Services pages at http://help.rr.com, or the virus filtering 
information page directly at http://help.rr.com/faqs/e_mgsp.html. 




[notify] Change of List-Membership details

2005-10-13 Thread Webmaster-list
  This message is to inform you of a change of your details on our
newsletter database

  You are currently member of the following newsletters:

No Lists



  The information on our system for you is as follows:

Email : misc@openbsd.org
Send HTML email : Yes


  If this is not correct, please update your information at the following
location:

http://www.aheadsup.com/lists/?p=preferences&uid=9a383d20ed4f30df80bba687fe0f2676

  Thank you



Welcome to our Newsletter

2005-10-12 Thread Webmaster-list
  Welcome to our Newsletter

  Please keep this email for later reference.

  Your email address has been added to the following newsletter(s):

 * None of them

  To update your details and preferences please go to
http://www.aheadsup.com/lists/?p=preferences&uid=9a383d20ed4f30df80bba687fe0f2676.
  If you do not want to receive any more messages, please go to
http://www.aheadsup.com/lists/?p=unsubscribe&uid=9a383d20ed4f30df80bba687fe0f2676.

  Thank you



Re: document

2005-09-13 Thread L-Soft list server at LISTSERV.NTBUGTRAQ.COM (1.8e)
> Please read the document.
Unknown command - PLEASE. Try HELP.

Summary of resource utilization
-------------------------------
 CPU time:        0.000 sec              Device I/O:        4
 Overhead CPU:    0.000 sec              Paging I/O:        0
 CPU model:       1133MHz Pentium III 512k (1280M)
 Job origin:      misc@OPENBSD.ORG



Message (Your message dated Tue, 30 Aug 2005 12:24:28...)

2005-08-30 Thread L-Soft list server at CINECA - Inter University Computing Centre (1.8d)
Your message dated Tue, 30 Aug 2005 12:24:28 -0500 with subject Returned
mail: Data format error has been submitted to the moderator of the HPC-NEWS
list: [EMAIL PROTECTED]



Request for confirmation

2005-08-26 Thread Webmaster-list
  Almost welcome to our newsletter(s) ...

  Someone, hopefully you, has subscribed your email address to the
following newsletters:

  * group-9-26Aug


  If this is correct, please click the following link to confirm your
subscription.
  Without this confirmation, you will not receive any newsletters.

http://www.aheadsup.com/lists/?p=confirm&uid=9a383d20ed4f30df80bba687fe0f2676

  If this is not correct, you do not need to do anything, simply delete
this message.

  Thank you



Welcome to our Newsletter

2005-08-26 Thread Webmaster-list
  Welcome to our Newsletter

  Please keep this email for later reference.

  Your email address has been added to the following newsletter(s):

 * None of them

  To update your details and preferences please go to
http://www.aheadsup.com/lists/?p=preferences&uid=9a383d20ed4f30df80bba687fe0f2676.
  If you do not want to receive any more messages, please go to
http://www.aheadsup.com/lists/?p=unsubscribe&uid=9a383d20ed4f30df80bba687fe0f2676.

  Thank you