[Off Topic] metawire.org

2005-05-16 Thread Paolo Supino
Hi
  Does anyone know what happened to metawire.org?

TIA
Paolo


ste(4) driver

2005-11-17 Thread Paolo Supino

Hi
A couple of months ago brad sent me a patch for the ste(4) driver. I 
downloaded a snapshot that had the patch already in it. Unfortunately 
the driver still caused problems: it didn't crash the kernel, but it 
failed to initialize ports 2-4 :-( I tried to contact brad a few 
times, but he didn't reply to any of the emails. Do any of the developers 
on the mailing list know what the status of the ste(4) driver is and 
whether someone can debug and help make the card work?




TIA
Paolo



Mikrotik's routerboard 44

2006-07-05 Thread Paolo Supino

Hi

 I'm in the process of building a firewall (obviously it will run 
OpenBSD) and I need to put in a quad NIC card. There's an Intel quad card 
that I had success with in the past, but it is expensive as hell. I found 
a company called Mikrotik that makes a quad NIC card and I'm looking for 
success/failure stories of running it in an OpenBSD box ...




one letter

2006-07-06 Thread Paolo Supino

Hi

After reading the replies to my routerboard 44 question I reached the 
conclusion that I have no choice but to buy the Intel quad NIC (my boss 
will hate me ;-)). I've started collecting quotes this morning, but I 
was only able to get quotes for the PWLA8494GT card and not for the 
PWLA8494MT card.
I guess that the GT card is just a newer version of the MT card (reading 
the product brief it seems as much). So just to make sure: will the GT 
card work just as well as the MT cards in OpenBSD?





TIA
Paolo



sendmail SMTP auth

2007-08-09 Thread Paolo Supino

Hi

 I want to add SMTP auth to sendmail. Will it be easier for me to try
and add the support to the source shipped by OpenBSD or to the source
that I will download from sendmail.org?
 Other suggestions on setting up a mail server with SMTP auth are
welcome.







TIA
Paolo



openbsd instead of cisco vpn client

2007-08-27 Thread Paolo Supino

Hi

 I came across the following situation: there's a network where several
employees have access to a client of theirs using Cisco VPN clients.
To centralize and ease administration I want to put in place an OpenBSD
box that will create a single VPN.
The client is so bureaucratic that by the time their paperwork for
setting up a site-to-site VPN is done, the need for this VPN will be gone.
So is it possible to mimic a Cisco VPN client connection with OpenBSD
IPSEC?





TIA
Paolo



trying to compile frickin pptp proxy

2007-08-28 Thread Paolo Supino

Hi

 I'm trying to compile frickin pptp proxy on an OpenBSD 4.1 system.
The compilation fails with the following errors:
g++ -Wall -g -O2 -I/home/paolo/src/frickin/include 
-L/home/paolo/src/frickin/lib -o frickin2 main.o logger.o 
configuration.o session.o listener.o entity.o server.o client.o call.o 
rfc2637.o grehandler.o exception.o nat.o util.o -pthread -lconfig++

g++: main.o: No such file or directory
g++: logger.o: No such file or directory
g++: configuration.o: No such file or directory
g++: session.o: No such file or directory
g++: listener.o: No such file or directory
g++: entity.o: No such file or directory
g++: server.o: No such file or directory
g++: client.o: No such file or directory
g++: call.o: No such file or directory
g++: rfc2637.o: No such file or directory
g++: grehandler.o: No such file or directory
g++: exception.o: No such file or directory
g++: nat.o: No such file or directory
g++: util.o: No such file or directory
*** Error code 1

Stop in /home/paolo/src/frickin/src (line 12 of Makefile.OpenBSD).
*** Error code 1

Stop in /home/paolo/src/frickin (line 5 of Makefile).

I don't know why, but the objects never get created in the src directory.
Does anyone know how to solve it?




TIA
Paolo



Re: trying to compile frickin pptp proxy

2007-08-28 Thread Paolo Supino

Hi Lars

 I know about the limitations and their implications, but unfortunately
I don't control the other peer and have to live with what I'm given.




TIA
Paolo

Lars Noodin wrote:


Paolo Supino wrote:
 


I'm trying to compile frickin pptp proxy on an OpenBSD 4.1 system.
   



You may want to reconsider the experiment with PPTP.  It's very
difficult to deal with and there appear to be serious problems with the
protocol itself, even in later versions:
http://www.schneier.com/pptp-faq.html

IPsec and SSL are your two serious options:
http://www.vpnc.org/vpn-standards.html

-Lars




Re: trying to compile frickin pptp proxy

2007-08-28 Thread Paolo Supino

Hi
 Thank you!!!
 I had the feeling that the problem is in the Makefile.OpenBSD, but
didn't know how to fix it. Doing what you suggested below solved the
problem and I'm now able to build frickin proxy.

Now I have to make it work ...



TIA
Paolo


Marmotic Marvel wrote:


On Tue, 28 Aug 2007, Marmotic Marvel wrote:

 


The compilation fails with the following errors:
g++ -Wall -g -O2 -I/home/paolo/src/frickin/include
-L/home/paolo/src/frickin/lib -o frickin2 main.o logger.o configuration.o
session.o listener.o entity.o server.o client.o call.o rfc2637.o grehandler.o
exception.o nat.o util.o -pthread -lconfig++
g++: main.o: No such file or directory
g++: logger.o: No such file or directory
g++: configuration.o: No such file or directory
g++: session.o: No such file or directory
g++: listener.o: No such file or directory
g++: entity.o: No such file or directory
g++: server.o: No such file or directory
g++: client.o: No such file or directory
g++: call.o: No such file or directory
g++: rfc2637.o: No such file or directory
g++: grehandler.o: No such file or directory
g++: exception.o: No such file or directory
g++: nat.o: No such file or directory
g++: util.o: No such file or directory
*** Error code 1

Stop in /home/paolo/src/frickin/src (line 12 of Makefile.OpenBSD).
*** Error code 1

Stop in /home/paolo/src/frickin (line 5 of Makefile).

I don't know why, but the objects never get created in the src directory.
Does anyone know how to solve it?
 



I've since downloaded the tar file.  I duplicate your error.
It is not a make/gmake problem.


I would suggest you complain to the program's developers.  The
Makefiles may be broken.  They are not written to use /usr/share/mk/bsd*

I think the makefiles need a rule to make .o from .cpp.  The
src/Makefile.OpenBSD looks "funny" to me.  It needs rules after
the lines like 


main.o: main.cpp listener.hpp session.hpp grehandler.hpp exception.hpp logger.hpp
	$(CXX) -o $@ -c $(CXXFLAGS) main.cpp

I believe this will help, you need similar lines all through the makefile.

Dave




Re: openbsd instead of cisco vpn client

2007-08-28 Thread Paolo Supino

Hi Samuel

 Great, thank you for the information. I will take a look at it and
try it :-)




TIA
Paolo





Samuel Moqux wrote:


2007/8/27, Paolo Supino <[EMAIL PROTECTED]>:
 


Hi

 I came across the following situation: there's a network where several
employees have access to a client of theirs using Cisco VPN clients.
To centralize and ease administration I want to put in place an OpenBSD
box that will create a single VPN.
The client is so bureaucratic that by the time their paperwork for
setting up a site-to-site VPN is done, the need for this VPN will be gone.
So is it possible to mimic a Cisco VPN client connection with OpenBSD
IPSEC?

   



You can't with the base install since it doesn't support xauth (it's in
isakmpd's todo I think), but vpnc works well enough for my needs,
which look similar to yours. I need to reset the connection nightly
because of unreliable IKE rekeying, but, other than that, it's stable.

http://www.unix-ag.uni-kl.de/~massar/vpnc/

Best regards,
Samuel




routing question

2007-09-03 Thread Paolo Supino

Hi

 I have a firewall that also acts as a VPN peer for 2 VPNs. One of
the VPNs is IPSEC that connects between the main office and a branch
office. The second VPN is OpenVPN that connects Windows-based road
warriors to the branch office. I want to enable employees that connect
to the branch's OpenVPN to reach the main office servers (and filter
traffic to). Both VPNs are working so the appropriate routing entries
exist in the firewall's routing table. Even if I disable all the
firewall rules and just let everything pass through the firewall the
OpenVPN clients still cannot reach the main office servers. What am
I missing?





TIA
Paolo



Re: routing question

2007-09-03 Thread Paolo Supino

Hi David

 It's true that all IP addresses are in the 10.x.x.x private address
space that isn't supposed to be routed on the Internet, but in all the
connections over the Internet the only visible addresses are the
public ones (otherwise the VPNs wouldn't be working): main and branch
office public IP addresses and whatever the road warriors receive when
connecting their laptops, either at home or at a client's site.
The branch's firewall NATs the branch office 10.x.x.x address space
on its external interface, but I don't see how that would cause routing
problems between the 2 VPNs.






TIA
Paolo





David Newman wrote:



On 9/3/07 2:15 PM, Paolo Supino wrote:
 


Hi

I have a firewall that also acts as a VPN peer for 2 VPNs. One of
the VPNs is IPSEC that connects between the main office and a branch
office. The second VPN is OpenVPN that connects windows based road
warriors to the branch office. I want to enable employees that connect
to the branch's OpenVPN to reach the main office servers (and filter
traffic to). Both VPNs are working so the appropriate routing entries
exist in the  firewall's routing table. Even if I disable all the
firewall rules and just let everything pass through the firewall the
OpenVPN clients still cannot reach the main office servers. What am
I missing?
   



One possible issue is that the default config for OpenVPN uses
"unroutable" addresses out of RFC 1918 space. I believe the default
config file uses 172.16.111.0/29 or something like that.

Routers should never forward packets to RFC 1918 addresses across the
public Internet; it's a best practice to filter them. Remote OpenVPN
traffic looks like it comes from 172.16.111.something, and the main
office router will quite properly drop traffic destined there.

You're either going to need to NAT your VPN traffic or (far better, if
you can) get enough public IPv4 or IPv6 addresses not to mess with NAT.

dn




Re: routing question

2007-09-03 Thread Paolo Supino

Hi David

 I do push the route to the OpenVPN clients and I do have the route
back on the servers in the main office. To be sure I ran a sniffer on
a server in the main office to see if any traffic reaches the server
from the VPN client and the sniffer showed nothing reached the server.
It's not a firewalling issue in either the main or branch offices as
the same type of traffic (ping in this case) worked fine from a desktop
in the branch office.



TIA
Paolo


David Newman wrote:



On 9/3/07 3:28 PM, Paolo Supino wrote:
 


Hi David

It's true that all IP addresses are in the 10.x.x.x private address
space that isn't supposed to be routed on the Internet, but in all the
connections over the Internet the only visible addresses are the
public ones (otherwise the VPNs wouldn't be working): Main and branch
office public IP addresses and what ever the road warriors receive when
connecting their laptops, either at home or at a client's site.
The branch's firewall NATs the branch office 10.x.x.x address space
on its external interface, but I don't see how that would cause routing
problems between the 2 VPNs.
   



Per Stuart's suggestion, check your VPN clients' routing tables with
"netstat -f inet -nr | more" and determine whether they have a path to
your main office. Same thing for servers at the main office trying to
reach the VPN clients.

traceroute might be helpful (or might not; lots of places filter ICMP).

dn




Re: routing question

2007-09-03 Thread Paolo Supino

Hi RW

 Except for the branch VPN to the main office subnet (line# 3) I have
the other IPSEC rules: peer to peer, 2 subnets to 1 subnet (and vice
versa on the main office VPN peer). Why do I need to set up a tunnel
between the branch firewall and the main office subnet?




TIA
Paolo


RW wrote:


On Mon, 03 Sep 2007 17:15:02 -0400, Paolo Supino wrote:

 


Hi

I have a firewall that also acts as a VPN peer for 2 VPNs. One of
the VPNs is IPSEC that connects between the main office and a branch
office. The second VPN is OpenVPN that connects windows based road
warriors to the branch office. I want to enable employees that connect
to the branch's OpenVPN to reach the main office servers (and filter
traffic to). Both VPNs are working so the appropriate routing entries
exist in the  firewall's routing table. Even if I disable all the
firewall rules and just let everything pass through the firewall the
OpenVPN clients still cannot reach the main office servers. What am
I missing?
   



I'll bet you don't have some flows set up in ipsec.conf to handle it.
Here is a simple ipsec.conf from one end of an ipsec tunnel where
OpenVPN clients also log in:
ike esp from 10.10.8.0/24 to 172.22.3.0/24 peer 250.101.222.1
ike esp from 172.22.2.0/24 to 172.22.3.0/24 peer 250.101.222.1
ike esp from 195.228.107.202 to 172.22.3.0/24 peer 250.101.222.1
ike esp from 195.228.107.202 to 250.101.222.1

The first line adds the OpenVPN network to the mix.

Needless to say the other end of the tunnel has an ipsec.conf that
makes sure that traffic can return.

Fictional addresses used to protect the innocent...

Does that help?
Please reply to the list. I am subscribed and don't need a cc, thanks.

Rod/

From the land "down under": Australia.

Do we look  from up over?




Re: routing question (solved)

2007-09-03 Thread Paolo Supino

Hi RW

 I found the problem :-) My OpenVPN setup is OK. My ipsecctl.conf
was almost perfect: I set up the flow from my OpenBSD box (the branch
office) to be passive ... duh!!! ;-) Now that it has been converted
to dynamic the tunnel gets set up if the OpenVPN client initiates
traffic :-)



TIA
Paolo




RW wrote:


On Mon, 03 Sep 2007 20:26:14 -0400, Paolo Supino wrote:

 


Hi RW

Except for the branch VPN to the main office subnet (line# 3) I have
the other IPSEC rules: peer to peer, 2 subnets to 1 subnet (and vice
versa on the main office VPN peer). Why do I need to set up a tunnel
between the branch firewall and the main office subnet?




TIA
Paolo


RW wrote:

   


On Mon, 03 Sep 2007 17:15:02 -0400, Paolo Supino wrote:



 


Hi

I have a firewall that also acts as a VPN peer for 2 VPNs. One of
the VPNs is IPSEC that connects between the main office and a branch
office. The second VPN is OpenVPN that connects windows based road
warriors to the branch office. I want to enable employees that connect
to the branch's OpenVPN to reach the main office servers (and filter
traffic to). Both VPNs are working so the appropriate routing entries
exist in the  firewall's routing table. Even if I disable all the
firewall rules and just let everything pass through the firewall the
OpenVPN clients still cannot reach the main office servers. What am
I missing?
  

   


I'll bet you don't have some flows set up in ipsec.conf to handle it.
Here is a simple ipsec.conf from one end of an ipsec tunnel where
OpenVPN clients also log in:
ike esp from 10.10.8.0/24 to 172.22.3.0/24 peer 250.101.222.1
ike esp from 172.22.2.0/24 to 172.22.3.0/24 peer 250.101.222.1
ike esp from 195.228.107.202 to 172.22.3.0/24 peer 250.101.222.1
ike esp from 195.228.107.202 to 250.101.222.1

The first line adds the OpenVPN network to the mix.

Needless to say the other end of the tunnel has an ipsec.conf that
makes sure that traffic can return.

Fictional addresses used to protect the innocent...

Does that help?
Please reply to the list. I am subscribed and don't need a cc, thanks.

Rod/
 



I don't know your setup because you didn't explain it fully but what I
showed you works for my client.

Let's make a symbolic ipsec.conf out of what I have shown you:
ike esp from $OpenVPNlan to $HOlan peer $HOfirewall
ike esp from $Branchlan to $HOlan peer $HOfirewall
ike esp from $BranchFW to $HOlan peer $HOfirewall
ike esp from $BranchFW to $HOfirewall
You cannot use macros like that but perhaps it makes it clearer.

In our case we have servers on both office LANs and the roadies using
OpenVPN need to be able to get to both.

You will have to trim and tweak your rules to suit your own variation
but think about this.

Regular route table entries have no influence on what happens with
IPsec and do not need to.
IPsec configuration sets up flows and then the packets "know" how to
get to their target.
If they don't have a flow path, they won't "know" how and will be
routed out to the cloud via the default gateway and then get lost.

Rod/

Hint. Read this:
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?


Rod/

From the land "down under": Australia.

Do we look  from up over?
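
The flow set-up Rod describes and the passive-to-dynamic fix from the reply above, written out as an added ipsec.conf example for the branch-office firewall (not any poster's own configuration). It assumes the OpenVPN client subnet is 172.16.111.0/24, the branch LAN is 10.2.0.0/24, the head-office LAN is 10.1.0.0/24, and the two firewalls sit on the RFC 5737 documentation addresses 198.51.100.1 (branch) and 192.0.2.1 (head office); all of these are constructed.

```conf
# /etc/ipsec.conf on the branch-office firewall (constructed example).
# All flows use "dynamic" mode: this end initiates IKE as soon as traffic
# matching a flow appears, so a road warrior on the OpenVPN subnet can
# bring the tunnel up by itself. A "passive" flow here would only ever
# answer a negotiation started by the head office, which is exactly the
# failure described in the thread.

# OpenVPN clients (branch side) -> head-office LAN
ike dynamic esp from 172.16.111.0/24 to 10.1.0.0/24 peer 192.0.2.1

# branch LAN -> head-office LAN
ike dynamic esp from 10.2.0.0/24 to 10.1.0.0/24 peer 192.0.2.1

# branch firewall itself -> head-office LAN
ike dynamic esp from 198.51.100.1 to 10.1.0.0/24 peer 192.0.2.1

# firewall to firewall (peer defaults to the destination when omitted)
ike dynamic esp from 198.51.100.1 to 192.0.2.1
```

Load it with `ipsecctl -f /etc/ipsec.conf` and confirm the 172.16.111.0/24 flow is listed by `ipsecctl -s flow`; the head-office end needs the mirror-image flows (with 10.1.0.0/24 as the source and 198.51.100.1 as the peer), otherwise replies to the OpenVPN clients leave the head office via its default route and are lost, as Rod's last paragraph explains.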




using spamd to block outbound spam

2007-04-12 Thread Paolo Supino

Hi

  I have the following problem: I host a group of Windows servers that 
run a webapp using IIS6 ASP technology. The webapp was written and is 
maintained by a small private company that develops custom webapps for 
companies. One of the services the webapp does is send out emails 
(nothing amazing until now). The problem is that the webapp isn't 
written securely. The developers keep saying the webapp is secure and 
isn't the problem. Bringing someone from the outside to prove them wrong 
has failed thus far. Showing logs and showing network access also proved 
futile. The webapp is (ab)used by spammers to relay spam emails, which 
caused the webapp's IP address to be added to various spam blacklists 
:-( I'm sure the ASP is the problem because only HTTP and HTTPS are 
accessible on these servers. The website itself is hidden behind a 
firewall and the SMTP port isn't reachable. I'm in the process of replacing 
the current firewall (Mikrotik's RouterOS, a Linux based OS) with 
OpenBSD and I thought of using spamd to block outgoing spam emails. I've 
started reading about spamd and usage scenarios, but thus far only found 
spamd being used on incoming emails. Did anyone use spamd to block 
outgoing spam emails? Is what I want to do possible (in combination with PF)?

Other solutions will also be appreciated obviously based on OpenBSD :-)





TIA
Paolo



Re: using spamd to block outbound spam

2007-04-13 Thread Paolo Supino

Hi Bob

  The webapp does talk to a real mail server: on localhost (IIS6 SMTP 
service). When a spammer abuses the webapp the email is actually sent 
via the local mail server and not directly from the webapp to all the 
mail servers on the Internet. Rate limiting isn't an option because 
emails must be out the door within a very short time frame from the 
moment a set of events is triggered in the webapp.
  Right now the only way I can think of is to limit the SMTP service to 
connect only to authorized remote SMTP servers that I will manage 
manually (I'm in the process of checking how often I would have to 
change the list to see if it's feasible). You wrote that I can do it 
with spamd, how?
Another option I thought of is setting up a sendmail relay on another 
computer and let that sendmail only relay specific emails according to a 
set of criteria (that fit only valid emails).







TIA
Paolo


Bob Beck wrote:


* Paolo Supino <[EMAIL PROTECTED]> [2007-04-12 22:12]:


Hi

 I have the following problem: I host a group of Windows servers that 
run a webapp using IIS6 ASP technology. The webapp was written and is 
maintained by a small private company that develops custom webapps for 
companies. One of the services the webapp does is send out emails 
(nothing amazing until now). The problem is that the webapp isn't 
written securely. The developers keep saying the webapp is secure and 
isn't the problem. Bringing someone from the outside to prove them wrong 
has failed thus far. Showing logs and showing network access also proved 
futile. The webapp is (ab)used by spammers to relay spam emails, which 
caused the webapp's IP address to be added to various spam blacklists 
:-( I'm sure the ASP is the problem because only HTTP and HTTPS are 
accessible on these servers. The website itself is hidden behind a 
firewall and the SMTP port isn't reachable. I'm in the process of replacing 
the current firewall (Mikrotik's RouterOS, a Linux based OS) with 
OpenBSD and I thought of using spamd to block outgoing spam emails. I've 
started reading about spamd and usage scenarios, but thus far only found 
spamd being used on incoming emails. Did anyone use spamd to block 
outgoing spam emails? Is what I want to do possible (in combination with PF)?

Other solutions will also be appreciated obviously based on OpenBSD :-)




While you can use spamd to do this, you do not need to.

What you want to do is make the webapp unattractive to spammers.

Ideally, the webapp should talk to a real mail server to
forward its outgoing smtp messages, and you can limit messages sent
on the mta right there. Failing that, if it sends crap directly
out via port 25, simply make it where it can't send out to port 25
very quickly using max-src-conn-rate at an appropriate rate.

But the ideal solution is really to ensure the webapp
does all its smtp from a specific mail server, which is configured
appropriately for rate limiting, and ensuring an appropriate
source address with no relaying, and then you simply do not allow
the web app machine to make port 25 connections to elsewhere.


-Bob




Re: using spamd to block outbound spam

2007-04-14 Thread Paolo Supino

Hi Kyle

1. Fixing the code is impossible :-( I already tried it, the developers 
keep saying that their code is sound and safe. I've shown logs and 
statistics to the bosses of the company that owns the webapp, but the 
only response I got was: "fix it" (they aren't making the connection 
between the webapp and the spam emails). The only thing I can do to 
prove my point is exploit the webapp in front of them, but I don't know 
how to do that.


2. I currently don't have any suitable SMTP server that I can do 2 and 
see 1 above about changing the code.


3. Once the OpenBSD firewall will be in place I'll probably go with 
setting up rate limiting via sendmail, though I'd rather not run any 
servers on the firewall.









TIA
Paolo







Kyle George wrote:


On Fri, 13 Apr 2007, Paolo Supino wrote:

 The webapp does talk to a real mail server: on localhost (IIS6 SMTP 
service). When a spammer abuses the webapp the email is actually sent 
via the local mail server and not directly from the webapp to all the 
mail servers on the Internet. Rate limiting isn't an option because 
emails must be out the door within a very short time frame from the 
moment a set of events is triggered in the webapp.



You could:

1) Make them fix the code

2) Uninstall the IIS SMTP service and make them change the code to send 
through a trusted host that can rate limit, filter, etc.


3) http://support.microsoft.com/kb/308161, see "smart host"

(2) and (3) would let you configure an MTA to filter this mess.  The 
best option is for them to fix their code AND use (2) or (3).  It makes 
sense to have untrusted applications send through the network's MTA(s) 
and to put the machine behind pf blocking outgoing port 25.  You don't 
want to get blacklisted.  Also, code that's letting this happen likely 
has many other problems.  I'd isolate it.




Re: using spamd to block outbound spam

2007-04-14 Thread Paolo Supino

Hi Joachim

  I know that right now I'm mostly going at it in the wrong way but I 
have to fix it quickly and without changing the infrastructure. I'm not 
a Windows or layer 7 person but rather a layer 1 to layer 4 person by 
background, so I'm trying to find a solution in those layers. I work in 
an environment where I'm told: fix it without spending money ...
  The webapp development was outsourced, thus the developers aren't 
local. Blunt objects aren't an option :-(
  The legitimate email structure (subject and content) is pretty 
limited and steady. Will sendmail + procmail to filter emails be a 
solution?

  I will try to implement rate limiting.





TIA
Paolo




Joachim Schipper wrote:


On Fri, Apr 13, 2007 at 10:17:51PM -0400, Paolo Supino wrote:


Hi Bob

 The webapp does talk to a real mail server: on localhost (IIS6 SMTP 
service). When a spammer abuses the webapp the email is actually sent 
via the local mail server and not directly from the webapp to all the 
mail servers on the Internet. Rate limiting isn't an option because 
emails must be out the door within a very short time frame from the 
moment a set of events is triggered in the webapp.
 Right now the only way I can think of is to limit the SMTP service to 
connect only to authorized remote SMTP servers that I will manage 
manually (I'm in the process of checking how often I would have to 
change the list to see if it's feasible). You wrote that I can do it 
with spamd, how?
Another option I thought of is setting up a sendmail relay on another 
computer and let that sendmail only relay specific emails according to a 
set of criteria (that fit only valid emails).



You are going about this all wrong. First step is finding a suitable
blunt instrument and getting the developers to fix it. The second step
is configuring rate limiting, along the lines of '1000 mails/hour';
this will allow a large batch of e-mail to get through immediately, but
stop spammers. What you're planning now is both less effective and way
more work.

Joachim




Re: using spamd to block outbound spam

2007-04-14 Thread Paolo Supino

Hi Henning

  From the technical aspect, I agree with you. But non-technical people 
don't see (or understand) that :-( I wish I had time to sit down and 
find out how to exploit the webapp. I tried to bring in a company to do 
penetration testing, but I was refused the budget for it.
  I can't fix the problem completely, but I can put measures in place 
that will reduce the problem to an acceptable level.









TIA
Paolo


Henning Brauer wrote:


* Paolo Supino <[EMAIL PROTECTED]> [2007-04-14 16:43]:

1. Fixing the code is impossible :-( I already tried it, the developers 
keep saying that their code is sound and safe. I've shown logs and 
statistics to the bosses of the company that owns the webapp, but the 
only response I got was: "fix it" (they aren't making the connection 
between the webapp and the spam emails). The only thing I can do to 
prove my point is exploit the webapp in front of them, but I don't know 
how to do that.



then you should obviously find out how to do the latter.

you cannot fix this problem without fixing the buggy application.




Re: using spamd to block outbound spam

2007-04-14 Thread Paolo Supino

Hi Henning

  I appreciate your straight and forward replies :-) but the world 
isn't black and white and sometimes you have to create workarounds to 
overcome other people's crap (well most of the time). Unfortunately 
cutting the cable isn't an acceptable solution (I'll get fired and 
someone else will come and reconnect it). The IP range 0.0.0.0/0 to 
255.255.255.255/32 should cover it ;-)






TIA
Paolo







Henning Brauer wrote:


* Paolo Supino <[EMAIL PROTECTED]> [2007-04-14 17:53]:

 From the technical aspect, I agree with you. But non-technical people 
don't see (or understand) that :-( I wish I had time to sit down and 
find out how to exploit the webapp. I tried to bring in a company to do 
penetration testing, but I was refused the budget for it.
 I can't fix the problem completely, but I can put measures in place 
that will reduce the problem to an acceptable level.



yeah, cut the cable.

otherwise at least tell us the IP address (range) so we can all 
blacklist it.


really, there is no solution (or even half reasonable band-aid) that is 
not "fix the application"




Re: using spamd to block outbound spam

2007-04-14 Thread Paolo Supino

Hi Vijay


  In one of my replies I did write that I was checking what it means to 
manage a white list (I didn't use the term white list though) to block 
outgoing spam but since the new firewall isn't in place yet (and it will 
be a couple of weeks before I can install it) I thought of doing it in 
the IIS6 SMTP service (this isn't the place to discuss IIS6 SMTP 
configurations).







TIA
Paolo


Vijay Sankar wrote:


On Saturday 14 April 2007 10:06, Paolo Supino wrote:


Hi Joachim

  I know that right now I'm mostly going at it in the wrong way but
I have to fix it quickly and without changing the infrastructure. I'm
not a windows or layer 7 person but rather a layer 1 to layer 4 in my
background, so I'm trying to find a solution in those layers. I work
in an environment where I'm told: Fix it without spending money ...
The webapp development was outsourced thus the developers aren't
local. Blunt objects aren't an option :-(
  The legitimate email structure (subject and content) is pretty
limited and steady. Will sendmail + procmail to filter emails be a
solutions?
  I will try to implement rate limiting.



Just a thought -- is it practical for you to have a white list? For 
example, I am wondering whether you could have a white-list table in pf 
and configure your OpenBSD firewall to allow email to go only to 
addresses in that white list from your app server. That may be easier 
and more elegant to do with OpenBSD than limiting the smtp service to 
connect to authorized remote servers using TCP/IP settings on Windows.








TIA
Paolo

Joachim Schipper wrote:


On Fri, Apr 13, 2007 at 10:17:51PM -0400, Paolo Supino wrote:


Hi Bob

The webapp does talk to a real mail server: on localhost (IIS6
SMTP service). When a spammer abuses the webapp the email is
actually sent via the local mail server and not directly from the
webapp to all the mail servers on the Internet. Rate limiting
isn't an option because emails must be out the door within a very
short time frame from the moment a set of events is triggered in
the webapp.
Right now the only way I can think of is to limit the SMTP service
to connect only to authorized remote SMTP servers that I will
manage manually (I'm in the process of checking how often I would
have to change the list to see if it's feasible). You wrote that I
can do it with spamd, how?
Another option I thought of is setting up a sendmail relay on
another computer and let that sendmail only relay specific emails
according to a set of criteria (that fit only valid emails).


You are going about this all wrong. First step is finding a
suitable blunt instrument and getting the developers to fix it. The
second step is configuring rate limiting, along the lines of '1000
mails/hour'; this will allow a large batch of e-mail to get through
immediately, but stop spammers. What you're planning now is both
less effective and way more work.

Joachim




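
An added pf.conf fragment (not any poster's configuration) that combines the three suggestions made in this thread: Kyle's "put the machine behind pf blocking outgoing port 25", Bob's max-src-conn-rate, and Vijay's pf table of whitelisted destination mail servers. The interface name, the web server address (RFC 5737 documentation space) and the whitelist file path are assumptions.

```conf
# Constructed example for the OpenBSD firewall in front of the IIS web server.
ext_if = "em0"            # assumed external interface
webapp = "192.0.2.10"     # assumed address of the web server (documentation range)

# Mail servers the webapp is allowed to deliver to, one address or network
# per line in /etc/smtp_ok (assumed path). "persist" keeps the table even
# when the file is empty, so it can be edited at run time with
#   pfctl -t smtp_ok -T add <address>   /   pfctl -t smtp_ok -T delete <address>
table <smtp_ok> persist file "/etc/smtp_ok"

# pf is last-match: the block below is the default for every outbound SMTP
# connection from the web server, and "log" writes each refused relay
# attempt to pflog0 so the spam runs become visible in tcpdump/pflog.
block out log on $ext_if proto tcp from $webapp to any port smtp

# The later pass rule wins only for whitelisted destinations, and caps
# new connections at 30 per 60 seconds; above that pf stops creating
# states for new SMTP sessions until the window moves on.
pass out on $ext_if proto tcp from $webapp to <smtp_ok> port smtp \
    keep state (max-src-conn-rate 30/60)
```

The 30/60 figure is a placeholder: size it to the largest legitimate batch the webapp sends in one burst, since without an overload table the only effect of exceeding it is that new connections are refused for the rest of the window.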


couple of questions

2007-05-06 Thread Paolo Supino

Hi

  I have a couple of questions:
1. I'm in the process of setting up an OpenBSD firewall for a building's 
network. One of the NICs on the firewall will be a wifi PCI card. I need 
to buy the card for it and I want to buy a card from a company that 
helped OpenBSD. Which wifi (PCI) vendor gave the best support for 
developing drivers for OpenBSD?
2. I have another project where I'm expanding a network to an adjacent 
building and I can't run cables between the buildings, so I will be 
setting up a wifi connection between the 2 buildings. I intend to use 
OpenBSD on both ends of the wifi link. The network in the new building 
will only have 3 computers and has to be on the same Ethernet segment as 
the original network. Is it possible to tunnel Ethernet frames over an 
IPSEC tunnel in OpenBSD?




TIA
Paolo



Re: couple of questions

2007-05-06 Thread Paolo Supino

Hi Maxime

  I know that OpenBSD supports IPSEC very well (have been using it for 
several years), but that wasn't the question: Is it possible to __tunnel 
Ethernet__ over IPSEC in OpenBSD?





TIA
Paolo


Maxime DERCHE wrote:


Hello.

The answer to your first question is the Ralink chipsets family (see,
for example, the recent thread initiated by Vincent GROSS on this list).
For the second question the answer is yes. There is a very good support
of IPSEC in OpenBSD :p.


Regards,
Maxime DERCHE



Paolo Supino wrote:


Hi

 I have a couple of questions:
1. I'm in the process of setting up an OpenBSD firewall for a building's
network. One of the NICs on the firewall will be a wifi PCI card. I
need to buy the card for it and I want to buy a card from a company
that helped OpenBSD. Which wifi (PCI) vendor gave the best support for
developing drivers for OpenBSD?
2. I have another project where I'm expanding a network to an adjacent
building and I can't run cables between the buildings so I will be
setting up a wifi connection between the 2 buildings. I intend to use
OpenBSD on both ends of the wifi link. The network in the new building
will only have 3 computers and has to be on the same Ethernet segment
as the original network. Is it possible to tunnel Ethernet frames over
an IPSEC tunnel in OpenBSD?



TIA
Paolo




Re: couple of questions

2007-05-06 Thread Paolo Supino

Hi Stuart

  Great, thanx :-) Read the manual page and it's exactly what I was 
looking for.





TIA
Paolo


Stuart Henderson wrote:


On 2007/05/06 15:41, Paolo Supino wrote:


Is it possible to __tunnel Ethernet__ over IPSEC in OpenBSD?



Yes, see gif(4)




Re: couple of questions

2007-05-06 Thread Paolo Supino

Hi Renaud

  I read your post about gif and bridging. Did you try your setup with 
prior releases (4.0, 3.9 and below)? I will try it nonetheless with 4.1 
and hopefully I will do something slightly different to make it work.
  I know openvpn does the work. I use OpenVPN (in routing mode) as the 
VPN solution for windows based clients on the existing network firewall 
(which will be one of the sides in the wifi link). If all my attempts 
with gif and IPSEC fail I will run a second instance of OpenVPN (in bridge 
mode).





TIA
Paolo




Renaud Allard wrote:


Stuart Henderson wrote:


On 2007/05/06 15:41, Paolo Supino wrote:


Is it possible to __tunnel Ethernet__ over IPSEC in OpenBSD?


Yes, see gif(4)





As I posted before, bridge over gif doesn't seem to work with 4.1 :(. At
least all my attempts to do such a configuration failed.
But, using openvpn in bridge mode :( works.




order

2007-05-08 Thread Paolo Supino

Hi

  Does anyone know how I can contact Austin@ except emails? My CDs and 
book have yet to arrive (preordered on the day orders were opened) and 
I'm not getting any feedback/reaction via email :-(








TIA
Paolo



Dell 2950

2006-11-07 Thread Paolo Supino

Hi

 Is anyone running OpenBSD on the new Dell PowerEdge 2950 servers? What 
is the level of support for the integrated hardware?









--
TIA
Paolo Supino
IT Manager
Integrated Document Solutions
Cell: (786) 282-1480
Tel: (954) 484-0969
Fax: (954) 484-8491
http://www.idssite.com



snortsam compilation problem

2006-11-16 Thread Paolo Supino

Hi

 I'm trying to compile snortsam (2.50 and 2.52) on OpenBSD 4.0 and I 
get the following compilation problems:

gcc -O2 -DOpenBSD  -DBSD -c ssp_pf.c

ssp_pf.c: In function `PFBlock':
ssp_pf.c:705: error: storage size of `t_rule' isn't known
ssp_pf.c:794: error: invalid application of `sizeof' to an incomplete type
*** Error code 1

  Can anyone help me solve this compilation problem?



TIA
Paolo



CPU selection

2006-11-02 Thread Paolo Supino

Hi

 I'm in the process of configuring a Dell PowerEdge 860 as a firewall and 
I'm debating what kind of CPU to get for the firewall for an office of 
about 50 people, 20MB metro ethernet, and 15 lightly used Internet 
servers: FTP, web, DNS, email, NTP, etc ... In addition to being a 
firewall the computer will also act as a NIDS and IPSEC peer (something 
like 10 concurrent tunnels). The options I have for the CPU are:

1. Intel Celeron 336 at 2.8Ghz/256K cache, 533Mhz FSB.
2. Dual Core Intel Pentium D 915 at 2.8Ghz/2x2MB cache, 800Mhz FSB.
3. Dual Core Xeon 3050, 2.13Ghz, 2MB cache, 1066Mhz FSB.
4. Dual Core Xeon 3060, 2.40Ghz, 4MB cache, 1066Mhz FSB.
5. Dual Core Xeon 3070, 2.66Ghz, 4MB cache, 1066Mhz FSB.

 I have to be very price conscious, so will the celeron CPU hold the load 
or should I take one of the Xeon CPUs for the load?





TIA
Paolo



Re: CPU selection

2006-11-02 Thread Paolo Supino

Hi K Kadow

  The NIDS would be snort.


TIA
Paolo



K Kadow wrote:


On 11/2/06, Paolo Supino <[EMAIL PROTECTED]> wrote:


  I'm in the process of configuring a Dell PowerEdge 860 as a firewall and
I'm debating what kind of CPU to get for the firewall for an office of
about 50 people, 20MB metro ethernet, and 15 lightly used Internet
servers: FTP, web, DNS, email, NTP, etc ... In addition to being a
firewall the computer will also act as a NIDS and IPSEC peer (something
like 10 concurrent tunnels).



So the only processes running on-box would be pf, IPSEC, and NIDS?
What sort of NIDS?

The Celeron @2.8Ghz should be sufficient, I do not recall if the PE860
with Celeron can be upgraded to Xeon later.

Kevin




Re: CPU selection

2006-11-02 Thread Paolo Supino

Hi Alexander

  I completely agree with you and in the long run it will happen, but 
getting a second machine is beyond my budget for the next couple of months.





TIA
Paolo





Alexander Lind wrote:


I don't think the celeron CPU will have any problems coping with that.

Consider getting two of the machines and CARPing them, for redundancy
and load balancing (not that you will likely really need that).
Also consider putting some extra cash down on a hw raid controller, and
2 scsi disks for each machine, and run raid 1 on them, for even more
failover safety.

Alec

Paolo Supino wrote:
 


Hi

I'm in the process of configuring a Dell PowerEdge 860 as a firewall
and I'm debating what kind of CPU to get for the firewall for an office
of about 50 people, 20MB metro ethernet, and 15 lightly used Internet
servers: FTP, web, DNS, email, NTP, etc ... In addition to being a
firewall the computer will also act as a NIDS and IPSEC peer
(something like 10 concurrent tunnels). The options I have for the CPU
are:
1. Intel Celeron 336 at 2.8Ghz/256K cache, 533Mhz FSB.
2. Dual Core Intel Pentium D 915 at 2.8Ghz/2x2MB cache, 800Mhz FSB.
3. Dual Core Xeon 3050, 2.13Ghz, 2MB cache, 1066Mhz FSB.
4. Dual Core Xeon 3060, 2.40Ghz, 4MB cache, 1066Mhz FSB.
5. Dual Core Xeon 3070, 2.66Ghz, 4MB cache, 1066Mhz FSB.

I have to be very price conscious, so will the celeron CPU hold the
load or should I take one of the Xeon CPUs for the load?




TIA
Paolo




OpenBSD, Samba and active directory

2006-01-30 Thread Paolo Supino

Hi

  I'm trying to compile Samba 3.0.21a on OpenBSD 3.8 with active 
directory enabled and when I run the configure script it fails to find 
libkrb5. Has anyone recently tried to compile Samba with Active 
Directory support enabled?





TIA
Paolo



Re: OpenBSD, Samba and active directory

2006-01-30 Thread Paolo Supino

Hi Thomas

OpenBSD's kerberos5 is heimdal as seen from the `klist --version` output:
klist (heimdal-0.6.3/OpenBSD)
Copyright 1999-2004 Kungliga Tekniska Högskolan
Send bug-reports to [EMAIL PROTECTED]
There is a 2-year-old post on usenet describing the same problem, but 
there they talk about OpenBSD 3.5 and an older version of Samba so I don't 
know how relevant it is (hence the email).




Paolo


Thomas Börnert wrote:


not on openbsd, but i think you need heimdal and not the krb5

Thomas

On Mon, 2006-01-30 at 14:16 -0500, Paolo Supino wrote:
 


Hi

  I'm trying to compile Samba 3.0.21a on OpenBSD 3.8 with active 
directory enabled and when I run the configure script it fails to find 
libkrb5. Has anyone recently tried to compile Samba with Active 
Directory support enabled?





TIA
Paolo




writing to /var/log/ftpd

2006-02-06 Thread Paolo Supino

Hi

 Is it possible to have normal people's ftp file transfers logged to 
/var/log/ftpd?




TIA
Paolo



Re: writing to /var/log/ftpd

2006-02-06 Thread Paolo Supino

Hi Joel

There is a special case where anonymous ftp transfers are written to 
/var/log/ftpd (when using the double 'l' switch). When writing to 
/var/log/ftpd it uses a different file format than the one used when 
writing to /var/log/xferlog. I'm interested in the information and not 
the name of the file.




TIA
Paolo


Joel Dinel wrote:


On 02/06/06 at 11:03, Paolo Supino wrote:
 


Hi

Is it possible to have normal people's ftp file transfers logged to 
/var/log/ftpd?
   



syslog.conf states that ftp stuff is logged to /var/log/xferlog. Just
change that to /var/log/ftpd, -HUP inetd (or your ftpd), and don't
forget to add /var/log/ftpd to /etc/newsyslog.conf (you can just change
the existing 'xferlog' line in newsyslog.conf to read 'ftpd' instead).




OpenBGP on firewall

2006-02-16 Thread Paolo Supino

Hi

 I started working for a company whose production site is running 2 
PIX firewalls with no VRRP (to save cost on licensing, duh). I offered 
and they approved to replace them with 2 OpenBSD and CARP. In front of 
the FW there is a Cisco 7200 router doing BGP. I offered to remove the 
router and use OpenBGP on the OpenBSD firewalls instead, thus achieving 
failover on BGP too. But I don't know whether this is a good idea or 
should I add 2 more OpenBSD systems specifically for BGP?



TIA
Paolo

PS - The FWs will be single CPU Dell PowerEdge 1850 systems with 
(probably) 1GB RAM.




Re: OpenBGP on firewall

2006-02-17 Thread Paolo Supino

Hi Henning

 Thanx for the reply :-)
How do I make sure that the master is the one that advertises the routes 
to avoid asymmetric traffic and packet loss?
Since these FW systems will also act as IPSEC peers (2 permanent and 
a couple of concurrent road warriors), what would you estimate to be 
good enough hardware that will keep the load (ball park numbers will do 
;-))?







TIA
Paolo



Henning Brauer wrote:


* Paolo Supino <[EMAIL PROTECTED]> [2006-02-16 19:54]:
 

I started working for a company whose production site is running 2 
PIX firewalls with no VRRP (to save cost on licensing, duh). I offered 
and they approved to replace them with 2 OpenBSD and CARP. In front of 
the FW there is a Cisco 7200 router doing BGP. I offered to remove the 
router and use OpenBGP on the OpenBSD firewalls instead, thus achieving 
failover on BGP too. But I don't know whether this is a good idea or 
should I add 2 more OpenBSD systems specifically for BGP?
   



in principle, using bgpd on the same machines is fine. you should take 
care that the carp master also is the one that announces the best route 
to you so that you don't get too asymmetric traffic flows. otherwise 
you'll see performance issues and some packet loss, likely.
with separate machines for bgpd and stateless filtering that is not an 
issue at all.
I always wanted to add something so that you can make a prepend-self 1 
depending on carp state... maybe i should revive that idea




OpenBSD <-> Cisco IPSEC

2006-03-10 Thread Paolo Supino

Hi

 I need to set up an IPSEC VPN between 2 locations. 1 location runs 
Cisco gear (out of my control) and the other runs OpenBSD (my decision). 
I've never set up a VPN between Cisco and OpenBSD before (I did between 
Cisco to Cisco and OpenBSD to OpenBSD) and I was wondering if there are 
any pitfalls or incompatibilities between Cisco and OpenBSD 
implementations of IPSEC that will cause problems?





TIA
Paolo



Re: OpenBSD <-> Cisco IPSEC

2006-03-10 Thread Paolo Supino

Hi Diana

  I did a different search in google and received a lot of irrelevant 
hits :-( I looked up the mailing list archives but didn't find anything 
concrete on the subject. I agree that more information is needed but I 
kept it to the 2nd round of the emails on this subject because 1: I 
didn't have it at the time. 2: I didn't know exactly what kind of 
information others would be interested in (and overloading emails with 
numbers makes others less likely to respond to the email).
Now to the subject at hand: The OpenBSD side is simple: OpenBSD 
3.8-stable (and 3.9 when it comes out). Since I didn't have time to 
develop a policy I'm following the other location's policy. The Cisco 
they have is a 3745 concentrator. The encryption algorithm is 3DES. Hash 
algorithm is SHA1. DH group 2 (for phase 1) and phase 2 is esp-3des 
esp-sha-hmac.





TIA
Paolo






Diana Eichert wrote:


On Fri, 10 Mar 2006, Paolo Supino wrote:

 


Hi

 I need to set up an IPSEC VPN between 2 locations. 1 location runs
Cisco gear (out of my control) and the other runs OpenBSD (my decision).
I've never set up a VPN between Cisco and OpenBSD before (I did between
Cisco to Cisco and OpenBSD to OpenBSD) and I was wondering if there are
any pitfalls or incompatibilities between Cisco and OpenBSD
implementations of IPSEC that will cause problems?


TIA
Paolo
   



Ehlo

More info is required.  Cisco is a company that grows via acquisition,
therefore they have several different VPN solutions.  Also, I did a quick
search on Google for "Cisco and OpenBSD ipsec" and there are over 95k
English hits.  The very first response is "OpenBSD IPSEC with cisco -
HOWTO".

diana




Re: OpenBSD <-> Cisco IPSEC

2006-03-10 Thread Paolo Supino

Hi Matthew

 Thanx for a great reply (even though I didn't supply information). 
Here is some more information:
The OpenBSD side is simple: OpenBSD 3.8-stable (and 3.9 when it comes 
out). Since I didn't have time to develop a policy I'm following the 
other location's policy. The Cisco they have is a 3745 concentrator. The 
encryption algorithm is 3DES. Hash algorithm is SHA1. DH group 2 (for 
phase 1) and phase 2 is esp-3des esp-sha-hmac.




TIA
Paolo


Matthew Closson wrote:


On Fri, 10 Mar 2006, Paolo Supino wrote:


Hi

I need to set up an IPSEC VPN between 2 locations. 1 location runs 
Cisco gear (out of my control) and the other runs OpenBSD (my 
decision). I've never set up a VPN between Cisco and OpenBSD before (I 
did between Cisco to Cisco and OpenBSD to OpenBSD) and I was 
wondering if there are any pitfalls or incompatibilities between 
Cisco and OpenBSD implementations of IPSEC that will cause problems?


TIA
Paolo



Paolo,

As others have said we need more details.  I have set up isakmpd and 
IPSEC in tunnel mode with Cisco PIXs, as well as Cisco 3000 series 
VPN concentrators (which is really from Altiga Networks).  Getting the 
tunnel established between these devices is never a problem, 
especially if you define out every section in isakmpd.conf and only 
offer a single encryption/hash algorithm in your proposals.  The 
biggest problem I have had is rekeying.  I have had a lot of issues 
with tunnels getting out of sync, where my side keeps using XXX 
SA/SPI, while the other side moves on to another one or the reverse of 
that.


Cisco devices I have seen default their lifetimes to 86400 seconds 
for IKE and 28800 seconds for IPSEC.  This is of course different from 
isakmpd so you will want to keep that in mind.


I would highly recommend you read all the info listed here.

https://www.icsalabs.com/icsa/main.php?pid=fggfgd

iCSA does interoperability testing between various IPSEC 
implementations and they cover several Cisco products.  As well as in 
their paper:


"IPSEC VPN Advanced Troubleshooting" - they state that an excellent 
tools for debugging interoperability problems in the field is 
OpenBSD's isakmpd.


A lot of information on the specific cisco device you want to talk to 
may be available at http://www.cisco.com/univercd


I am also curious as to the successes and failures other people have 
had with cisco devices and rekeying, especially cisco 3005, cisco 3030 
concentrators.


-Matt-




dual booting on iBook

2007-12-03 Thread Paolo Supino

Hi

 I have a Macintosh iBook G4 and I was wondering whether it's possible 
to dual boot it (like in the i386 world)?





TIA
Paolo



OpenBSD as L2TP client

2010-04-25 Thread Paolo Supino
Hi

  A client asked me to set up a low cost router to connect to the Internet.
His current Internet connection requires his router to connect to the ISP
using the L2TP protocol. I've looked through the archives and ports tree for a
similar posting, but found none...
Is anyone using OpenBSD as an L2TP client to connect to the Internet (or
knows a solution)?



--
TIA
Paolo



PF logging into a file

2010-01-24 Thread Paolo Supino

Hi

  I've often used the command "tcpdump -n -e -ttt -i pflog0" to view the PF 
log in real time.
  I've decided to try and use it in order to log PF in real time 
through syslog. The solution described in the PF FAQ to log to syslog 
works in time intervals, which doesn't meet my needs in my current setup.
I tried piping the output of "tcpdump -n -e -ttt -i pflog0" through 
logger(1), and sending it to syslog(8) using the complete command: "tcpdump 
-n -e -ttt -i pflog0 | logger -t PF -p local7.notice". I set up 
syslog.conf: "local7.* /var/log/firewall.log", but the file 
"/var/log/firewall.log" remains empty. Trying the command: "tcpdump -n 
-e -ttt -i pflog0 | logger -t PF -f /var/log/firewall.log" also leaves 
the file empty. As a last resort I tried: "tcpdump -n -e -ttt -i 
pflog0 >& /var/log/firewall.log", but that also didn't work and left 
the file /var/log/firewall.log empty. Running tcpdump with "-l" 
(output buffering) solves the clear text redirection into a file, but 
doesn't work with logger(1) (it simply ends the process silently after 
1 second or so).
  Does anyone have a suggestion how to fix this so I can have real time 
PF logging sent to syslog?


Please try and help me solve the problem and don't try to convince me to 
drop either the real time logging and/or the use of syslog (I can't).



--
TIA
Paolo



Re: PF logging into a file

2010-01-24 Thread Paolo Supino

Hi Vadim

  A small detail I forgot to mention: I need the log to be in text 
(readable) format. pflogd writes pcap format files, which isn't suitable 
for me ...




--
TIA
Paolo





On 1/24/10 2:17 PM, Vadim Agarkov wrote:

24.01.2010 13:36, Paolo Supino wrote:

Hi

I've often used the command "tcpdump -n -e -ttt -i pflog0" to view the PF
log in real time.
I've decided to try and use it in order to log PF in real time through
syslog. The solution described in the PF FAQ to log to syslog works in
time intervals, which doesn't meet my needs in my current setup.
I tried piping the output of "tcpdump -n -e -ttt -i pflog0" through
logger(1), and sending it to syslog(8) using the complete command:
"tcpdump -n -e -ttt -i pflog0 | logger -t PF -p local7.notice". I
set up syslog.conf: "local7.* /var/log/firewall.log", but the file
"/var/log/firewall.log" remains empty. Trying the command: "tcpdump -n
-e -ttt -i pflog0 | logger -t PF -f /var/log/firewall.log" also leaves
the file empty. As a last resort I tried: "tcpdump -n -e -ttt -i
pflog0 >& /var/log/firewall.log", but that also didn't work and left
the file /var/log/firewall.log empty. Running tcpdump with "-l"
(output buffering) solves the clear text redirection into a file, but
doesn't work with logger(1) (it simply ends the process silently after
1 second or so).
Does anyone have a suggestion how to fix this so I can have real time
PF logging sent to syslog?

Please try and help me solve the problem and don't try to convince me
to drop either the real time logging and/or the use of syslog (I can't).


--
TIA
Paolo



hi Paolo!

try

pflogd_flags="-d 5"

in /etc/rc.conf.local


according to pflogd(8) man page,

pflogd closes and then re-opens the log file when it receives SIGHUP,
permitting newsyslog(8) to rotate logfiles automatically. SIGALRM causes
pflogd to flush the current logfile buffers to the disk, thus making the
most recent logs available. The buffers are also flushed every delay
seconds.
.
-d delay
Time in seconds to delay between automatic flushes of the file.
This may be specified with a value between 5 and 3600 seconds.
If not specified, the default is 60 seconds.

not real time, but might be helpful somehow ?

--
thanks,
VA




Re: PF logging into a file [solved]

2010-01-24 Thread Paolo Supino

Hi

  A different search on Google indicated that "The book of PF" has a 
section about logging to syslog ... And there it had the complete 
command line for logging in real time with tcpdump to syslog :-)
The complete command (and found to be working):  tcpdump -lnettti pflog0 
| logger -t pf -p [facility.level].
  This makes me wonder: is there a difference in the command line 
switches given to tcpdump (I tried using -l, but it didn't work in my 
attempts)?




--
TIA
Paolo



On 1/24/10 2:17 PM, Vadim Agarkov wrote:

24.01.2010 13:36, Paolo Supino wrote:

Hi

I've often used the command "tcpdump -n -e -ttt -i pflog0" to view the PF
log in real time.
I've decided to try and use it in order to log PF in real time through
syslog. The solution described in the PF FAQ to log to syslog works in
time intervals, which doesn't meet my needs in my current setup.
I tried piping the output of "tcpdump -n -e -ttt -i pflog0" through
logger(1), and sending it to syslog(8) using the complete command:
"tcpdump -n -e -ttt -i pflog0 | logger -t PF -p local7.notice". I
set up syslog.conf: "local7.* /var/log/firewall.log", but the file
"/var/log/firewall.log" remains empty. Trying the command: "tcpdump -n
-e -ttt -i pflog0 | logger -t PF -f /var/log/firewall.log" also leaves
the file empty. As a last resort I tried: "tcpdump -n -e -ttt -i
pflog0 >& /var/log/firewall.log", but that also didn't work and left
the file /var/log/firewall.log empty. Running tcpdump with "-l"
(output buffering) solves the clear text redirection into a file, but
doesn't work with logger(1) (it simply ends the process silently after
1 second or so).
Does anyone have a suggestion how to fix this so I can have real time
PF logging sent to syslog?

Please try and help me solve the problem and don't try to convince me
to drop either the real time logging and/or the use of syslog (I can't).


--
TIA
Paolo



hi Paolo!

try

pflogd_flags="-d 5"

in /etc/rc.conf.local


according to pflogd(8) man page,

pflogd closes and then re-opens the log file when it receives SIGHUP,
permitting newsyslog(8) to rotate logfiles automatically. SIGALRM causes
pflogd to flush the current logfile buffers to the disk, thus making the
most recent logs available. The buffers are also flushed every delay
seconds.
.
-d delay
Time in seconds to delay between automatic flushes of the file.
This may be specified with a value between 5 and 3600 seconds.
If not specified, the default is 60 seconds.

not real time, but might be helpful somehow ?

--
thanks,
VA
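
Once the tcpdump | logger pipeline from the [solved] post above lands PF log lines in a plain-text syslog file, they still have to be parsed before they are useful for detection or review. The following parser is an added example and not code from this thread or from OpenBSD; its sample lines are constructed in the format of the "def/(ip-option)" line quoted further down this page, and the hostname "fw", the logger tag "pf" and all addresses are invented.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample syslog input. The first line copies the format of the
# "def/(ip-option)" line quoted on this page; the others are made-up lines in
# the same "tcpdump -lnettti pflog0 | logger -t pf" style, plus one non-PF
# line the parser must skip. Host "fw", tag "pf" and all addresses are invented.
SAMPLE_LOG = """\
Jan 31 08:14:34 fw pf: Jan 31 15:17:40.495167 rule def/(ip-option) pass in on em3: 172.16.1.59 > 224.0.0.22: igmp-2 [v2] (DF) [tos 0xc0] [ttl 1]
Jan 31 08:14:35 fw pf: Jan 31 15:17:41.001234 rule 3/(match) block in on em0: 203.0.113.7.40211 > 192.0.2.10.22: S 1234:1234(0) win 65535
Jan 31 08:14:35 fw pf: Jan 31 15:17:41.002000 rule 3/(match) block in on em0: 203.0.113.7.40212 > 192.0.2.10.23: S 1235:1235(0) win 65535
Jan 31 08:14:36 fw pf: Jan 31 15:17:42.100000 rule 7/(match) pass out on em0: 192.0.2.10.51515 > 198.51.100.53.53: udp 41
Jan 31 08:14:36 fw pf: Jan 31 15:17:42.200000 rule 3/(match) block in on em0: 203.0.113.9 > 192.0.2.10: icmp: echo request
Jan 31 08:14:37 fw sshd[123]: Accepted publickey for admin from 192.0.2.5
"""

# syslog prefix, then the pflog timestamp, "rule N/(reason) action dir on if:"
# and the "src > dst: detail" part that tcpdump -n -e prints for pflog0.
PFLOG_RE = re.compile(
    r"^(?P<syslog_ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[^:\[ ]+)(?:\[\d+\])?: "
    r"(?P<pf_ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+) "
    r"rule (?P<rule>[^/ ]+)/\((?P<reason>[^)]+)\) "
    r"(?P<action>\S+) (?P<direction>in|out) on (?P<ifname>[^: ]+): "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<detail>.*)$"
)


@dataclass(frozen=True)
class PfLogEntry:
    syslog_ts: str
    host: str
    pf_ts: str
    rule: str            # rule number, or "def" for PF's default rule
    reason: str          # "match", "ip-option", ...
    action: str          # "pass" or "block"
    direction: str       # "in" or "out"
    ifname: str
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]
    proto: str
    detail: str          # whatever tcpdump printed after the addresses


def split_endpoint(addr: str) -> tuple[str, Optional[int]]:
    """tcpdump -n appends '.port' to TCP/UDP endpoints; ICMP/IGMP have none."""
    ip, dot, port = addr.rpartition(".")
    if dot and port.isdigit() and (":" in ip or ip.count(".") == 3):
        return ip, int(port)
    return addr, None


def guess_proto(detail: str, has_ports: bool) -> str:
    """tcpdump names udp/icmp/igmp explicitly but prints TCP as bare flags."""
    first = detail.split(" ", 1)[0].rstrip(":").lower()
    for name in ("udp", "icmp", "igmp", "esp"):
        if first.startswith(name):
            return name
    return "tcp" if has_ports else first


def parse_line(line: str) -> Optional[PfLogEntry]:
    """Return a PfLogEntry for a PF line, or None for anything else."""
    m = PFLOG_RE.match(line)
    if m is None:
        return None
    src_ip, src_port = split_endpoint(m["src"])
    dst_ip, dst_port = split_endpoint(m["dst"])
    return PfLogEntry(
        syslog_ts=m["syslog_ts"], host=m["host"], pf_ts=m["pf_ts"],
        rule=m["rule"], reason=m["reason"], action=m["action"],
        direction=m["direction"], ifname=m["ifname"],
        src_ip=src_ip, src_port=src_port, dst_ip=dst_ip, dst_port=dst_port,
        proto=guess_proto(m["detail"], src_port is not None),
        detail=m["detail"],
    )


def parse_log(text: str) -> list[PfLogEntry]:
    """Parse a whole syslog file, silently skipping lines that are not PF."""
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def blocked_sources(entries: list[PfLogEntry]) -> Counter:
    """Inbound blocks per source IP: the first thing to review on a new firewall."""
    return Counter(e.src_ip for e in entries
                   if e.action == "block" and e.direction == "in")


def unusual_reasons(entries: list[PfLogEntry]) -> list[PfLogEntry]:
    """Entries whose reason is not the ordinary 'match', such as the
    def/(ip-option) line on this page. This selects them; it does not explain them."""
    return [e for e in entries if e.reason != "match"]


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for e in parsed:
        print(f"{e.pf_ts} {e.action:5} {e.direction:3} {e.ifname:4} {e.proto:4} "
              f"{e.src_ip}:{e.src_port} -> {e.dst_ip}:{e.dst_port} "
              f"rule={e.rule} reason={e.reason}")
    print("inbound blocks by source:", dict(blocked_sources(parsed)))
```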




ports install problem

2010-02-06 Thread Paolo Supino

Hi

  I'm trying to install php5-core from /usr/ports/www/php5/core ... 
When I run `make install` I get the following output:

# cd ports/www/php5/core/
# make install
===>  Checking files for php5-core-5.2.10
>> Fetch http://us2.php.net/distributions/php-5.2.10.tar.gz
php-5.2.10.tar.gz 100% 
|*| 
11165 KB08:05

>> Fetch http://blade2k.humppa.hu/suhosin-0.9.27.tgz
ftp: Error retrieving file: 404 Not Found
>> Fetch http://download.suhosin.org/suhosin-0.9.27.tgz
suhosin-0.9.27.tgz 100% 
|| 
  113 KB00:02
>> Fetch 
http://blade2k.humppa.hu/suhosin-patch-5.2.10-0.9.7-openbsd.patch.gz
suhosin-patch-5.2.10-0... 100% 
|*| 
23026   00:00

>> (SHA256) php-5.2.10.tar.gz: OK
>> (SHA256) suhosin-0.9.27.tgz: OK
>> (SHA256) suhosin-patch-5.2.10-0.9.7-openbsd.patch.gz: OK
===>  php5-core-5.2.10 depends on: gettext->=0.17 - found
===>  php5-core-5.2.10 depends on: metaauto-* - found
===>  php5-core-5.2.10 depends on: autoconf-2.13 - found
===>  php5-core-5.2.10 depends on: libxml-* - not found
===>  Verifying install for libxml-* in textproc/libxml
===>  Checking files for libxml2-2.6.32
>> Fetch ftp://xmlsoft.org/libxml/libxml2-2.6.32.tar.gz
Failed to open file.
>> Fetch 
ftp://ftp.no.gnome.org/pub/GNOME/sources/libxml2/2.6/libxml2-2.6.32.tar.gz

No such file or directory
>> Fetch 
ftp://ftp.dit.upm.es/linux/gnome/sources/libxml2/2.6/libxml2-2.6.32.tar.gz

Failed to open file.
>> Fetch 
http://ftp.acc.umu.se/pub/GNOME/sources/libxml2/2.6/libxml2-2.6.32.tar.gz

ftp: Error retrieving file: 404 Not Found
>> Fetch 
ftp://ftp.belnet.be/mirror/ftp.gnome.org/sources/libxml2/2.6/libxml2-2.6.32.tar.gz

libxml2-2.6.32.tar.gz: No such file or directory
>> Fetch 
ftp://ftp.unina.it/pub/linux/GNOME/sources/libxml2/2.6/libxml2-2.6.32.tar.gz

No such directory.
>> Fetch 
ftp://ftp.cse.buffalo.edu/pub/Gnome/sources/libxml2/2.6/libxml2-2.6.32.tar.gz

libxml2-2.6.32.tar.gz: No such file or directory.
>> Fetch 
ftp://ftp.no.gnome.org/pub/GNOME/sources/libxml2/2.6/libxml2-2.6.32.tar.gz

No such file or directory
>> Fetch 
http://fr2.rpmfind.net/linux/gnome.org/sources/libxml2/2.6/libxml2-2.6.32.tar.gz

ftp: Error retrieving file: 404 Not Found
>> Fetch 
http://planetmirror.com/pub/gnome/sources/libxml2/2.6/libxml2-2.6.32.tar.gz

>> Size does not match for /usr/ports/distfiles/libxml2-2.6.32.tar.gz
>> Fetch 
http://mirror.aarnet.edu.au/pub/GNOME/sources/libxml2/2.6/libxml2-2.6.32.tar.gz

ftp: Error retrieving file: 404 Not Found
>> Fetch 
ftp://ftp.nara.wide.ad.jp/pub/X11/GNOME/sources/libxml2/2.6/libxml2-2.6.32.tar.gz

Failed to open file.
>> Fetch 
ftp://ftp.gnome.org/pub/GNOME/sources/libxml2/2.6/libxml2-2.6.32.tar.gz

Failed to open file.
>> Fetch ftp://ftp.openbsd.org/pub/OpenBSD/distfiles//libxml2-2.6.32.tar.gz
libxml2-2.6.32.tar.gz 100% 
|*| 
 4611 KB02:56

>> (SHA256) libxml2-2.6.32.tar.gz: OK
===>  libxml-2.6.32p2 depends on: python->=2.5,<2.6 - not found
===>  Verifying install for python->=2.5,<2.6 in lang/python/2.5
===>  python-2.5.4p1 uses X11, but /usr/X11R6 not found.
===> Returning to build of libxml-2.6.32p2
===>  libxml-2.6.32p2 depends on: python->=2.5,<2.6 - not found
===>  Verifying install for python->=2.5,<2.6 in lang/python/2.5
===>  python-2.5.4p1 uses X11, but /usr/X11R6 not found.
===> Returning to build of libxml-2.6.32p2
Dependency check failed
*** Error code 1

Stop in /usr/ports/textproc/libxml (line 1621 of 
/usr/ports/infrastructure/mk/bsd.port.mk).

*** Error code 1

Stop in /usr/ports/textproc/libxml (line 2018 of 
/usr/ports/infrastructure/mk/bsd.port.mk).

*** Error code 1

Stop in /usr/ports/textproc/libxml (line 1444 of 
/usr/ports/infrastructure/mk/bsd.port.mk).

*** Error code 1

Stop in /usr/ports/textproc/libxml (line 1984 of 
/usr/ports/infrastructure/mk/bsd.port.mk).

*** Error code 1

Stop in /usr/ports/textproc/libxml (line 1474 of 
/usr/ports/infrastructure/mk/bsd.port.mk).

*** Error code 1

Stop in /usr/ports/www/php5/core (line 1621 of 
/usr/ports/infrastructure/mk/bsd.port.mk).

*** Error code 1

Stop in /usr/ports/www/php5/core (line 2018 of 
/usr/ports/infrastructure/mk/bsd.port.mk).

*** Error code 1

Stop in /usr/ports/www/php5/core (line 1444 of 
/usr/ports/infrastructure/mk/bsd.port.mk).

*** Error code 1

Stop in /usr/ports/www/php5/core (line 1984 of 
/usr/ports/infrastructure/mk/bsd.port.mk).

*** Error code 1

Stop in /usr/ports/www/php5/core (line 1474 of 
/usr/ports/infrastructure/mk/bsd.port.mk).

#


  Why does PHP5 need Python, and why does Python need X11? What am I 
doing wrong?




--
TIA
Paolo



Re: ports install problem

2010-02-07 Thread Paolo Supino
Hi Dorian

  I did as you wrote below, but ...

$ sudo -i
Password:
# cd /usr/ports/lang/python/2.5/
# export FLAVOR=no_x11
# make install
Fatal: no flavors for this port. (in lang/python/2.5)
*** Error code 1

Stop.
#

:-(


--
TIA
Paolo



On Sat, Feb 6, 2010 at 9:39 PM, Dorian Büttner wrote:

> Paolo Supino schrieb:
>
>  Hi
>>
>>  I'm trying to install php5-core from /usr/ports/www/php5/core ... When I
>> run `make install` I get the following output:
>> # cd ports/www/php5/core/
>> # make install
>> ===>  Checking files for php5-core-5.2.10
>> >> Fetch http://us2.php.net/distributions/php-5.2.10.tar.gz
>> php-5.2.10.tar.gz 100%
>>
|
*|
>> 11165 KB08:05
>> >> Fetch http://blade2k.humppa.hu/suhosin-0.9.27.tgz
>> ftp: Error retrieving file: 404 Not Found
>> >> Fetch http://download.suhosin.org/suhosin-0.9.27.tgz
>> suhosin-0.9.27.tgz 100%
>>
|
|
>>  113 KB00:02
>> >> Fetch
>> http://blade2k.humppa.hu/suhosin-patch-5.2.10-0.9.7-openbsd.patch.gz
>> suhosin-patch-5.2.10-0... 100%
>>
|*|
>> 23026   00:00
>> >> (SHA256) php-5.2.10.tar.gz: OK
>> >> (SHA256) suhosin-0.9.27.tgz: OK
>> >> (SHA256) suhosin-patch-5.2.10-0.9.7-openbsd.patch.gz: OK
>> ===>  php5-core-5.2.10 depends on: gettext->=0.17 - found
>> ===>  php5-core-5.2.10 depends on: metaauto-* - found
>> ===>  php5-core-5.2.10 depends on: autoconf-2.13 - found
>> ===>  php5-core-5.2.10 depends on: libxml-* - not found
>> ===>  Verifying install for libxml-* in textproc/libxml
>> ===>  Checking files for libxml2-2.6.32
>> >> Fetch ftp://xmlsoft.org/libxml/libxml2-2.6.32.tar.gz
>> Failed to open file.
>> >> Fetch
>> ftp://ftp.no.gnome.org/pub/GNOME/sources/libxml2/2.6/libxml2-2.6.32.tar.gz
>> No such file or directory
>> >> Fetch
>> ftp://ftp.dit.upm.es/linux/gnome/sources/libxml2/2.6/libxml2-2.6.32.tar.gz
>> Failed to open file.
>> >> Fetch
>> http://ftp.acc.umu.se/pub/GNOME/sources/libxml2/2.6/libxml2-2.6.32.tar.gz
>> ftp: Error retrieving file: 404 Not Found
>> >> Fetch
>>
ftp://ftp.belnet.be/mirror/ftp.gnome.org/sources/libxml2/2.6/libxml2-2.6.32.t
ar.gz
>> libxml2-2.6.32.tar.gz: No such file or directory
>> >> Fetch
>>
ftp://ftp.unina.it/pub/linux/GNOME/sources/libxml2/2.6/libxml2-2.6.32.tar.gz
>> No such directory.
>> >> Fetch
>>
ftp://ftp.cse.buffalo.edu/pub/Gnome/sources/libxml2/2.6/libxml2-2.6.32.tar.gz
>> libxml2-2.6.32.tar.gz: No such file or directory.
>> >> Fetch
>> ftp://ftp.no.gnome.org/pub/GNOME/sources/libxml2/2.6/libxml2-2.6.32.tar.gz
>> No such file or directory
>> >> Fetch
>>
http://fr2.rpmfind.net/linux/gnome.org/sources/libxml2/2.6/libxml2-2.6.32.tar
.gz
>> ftp: Error retrieving file: 404 Not Found
>> >> Fetch
>>
http://planetmirror.com/pub/gnome/sources/libxml2/2.6/libxml2-2.6.32.tar.gz
>> >> Size does not match for /usr/ports/distfiles/libxml2-2.6.32.tar.gz
>> >> Fetch
>>
http://mirror.aarnet.edu.au/pub/GNOME/sources/libxml2/2.6/libxml2-2.6.32.tar.
gz
>> ftp: Error retrieving file: 404 Not Found
>> >> Fetch
>>
ftp://ftp.nara.wide.ad.jp/pub/X11/GNOME/sources/libxml2/2.6/libxml2-2.6.32.ta
r.gz
>> Failed to open file.
>> >> Fetch
>> ftp://ftp.gnome.org/pub/GNOME/sources/libxml2/2.6/libxml2-2.6.32.tar.gz
>> Failed to open file.
>> >> Fetch
>> ftp://ftp.openbsd.org/pub/OpenBSD/distfiles//libxml2-2.6.32.tar.gz
>> libxml2-2.6.32.tar.gz 100%
>>
|
*|
>>  4611 KB02:56
>> >> (SHA256) libxml2-2.6.32.tar.gz: OK
>> ===>  libxml-2.6.32p2 depends on: python->=2.5,<2.6 - not found
>> ===>  Verifying install for python->=2.5,<2.6 in lang/python/2.5
>> ===>  python-2.5.4p1 uses X11, but /usr/X11R6 not found.
>> ===> Returning to build of libxml-2.6.32p2
>> ===>  libxml-2.6.32p2 depends on: python->=2.5,<2.6 - not found
>> ===>  Verifying install for python->=2.5,<2.6 in lang/python/2.5
>> ===>  python-2.5.4p1 uses X11, but /usr/X11R6 not found.
>> ===> Returning to build of libxml-2.6.32p2
>> Dependency check failed
>> *** Error code 1
>>
>> Stop in /usr/ports/textproc/libxml (line 1621 of
>> /usr

snort on openbsd with PF

2010-02-08 Thread Paolo Supino

Hi

  When snort runs on the external interface of an OpenBSD firewall, which 
scenario will be the one happening:
1. Snort captures all incoming traffic before it reaches PF (there's 
also NAT on the external interface).
2. Snort captures and analyzes only traffic that the firewall lets 
through on the interface.











--
TIA
Paolo



Re: snort on openbsd with PF

2010-02-08 Thread Paolo Supino

Hi

  I apologize for not first RTFMing before asking. Section 4.4 of the 
Snort FAQ clearly states that scenario 1 is the one that will be ...



--
TIA
Paolo


On 2/8/10 3:18 PM, Paolo Supino wrote:

Hi

When snort runs on the external interface of an OpenBSD firewall, which
scenario will be the one happening:
1. Snort captures all incoming traffic before it reaches PF (there's
also NAT on the external interface).
2. Snort captures and analyzes only traffic that the firewall lets
through on the interface.










--
TIA
Paolo




def/(ip-option)

2010-02-09 Thread Paolo Supino

Hi

  I've setup a new firewall and I'm getting the following line in PF's 
log ...


Jan 31 08:14:34 X OPF: Jan 31 15:17:40.495167 rule def/(ip-option) 
pass in on em3: 172.16.1.59 > 224.0.0.22: igmp-2 [v2] (DF) [tos 0xc0] 
[ttl 1]


What does def/(ip-option) mean and why does it get passed? I don't have 
any rules passing multicast traffic and in sysctl(8) multicast 
forwarding is disabled:

# sysctl -a | grep forw
net.inet.ip.forwarding=1
net.inet.ip.mforwarding=0
net.inet6.ip6.forwarding=0
net.inet6.ip6.mforwarding=0
#



--
TIA
Paolo