Secure storage of config files (was Re: Bootable installation partition on a hard drive?)

2020-09-07 Thread Paul Suh
On Sep 7, 2020, at 5:48 AM, Stuart Henderson  wrote:
> 
> My suggestions would be to keep the config files in a management system
> of some sort. Whether that's a full-blown config management system like
> ansible/salt, one of the simpler tools like rset, judo, rdist, or even
> just committing config files directly to a version control repository,

Folks, 

Do people have opinions on the best way to securely store sensitive config 
files in a management system or repo? For instance, the various private keys 
that live in the various nooks and crannies of /etc. 

And if they’re stored in encrypted form, what’s the best way to have them 
decrypted for zero-touch or minimal-touch config restores? 


—Paul



smime.p7s
Description: S/MIME cryptographic signature


Re: Select ssh key from ssh-agent?

2020-05-23 Thread Paul Suh


> On May 22, 2020, at 11:45 AM, Stuart Henderson  wrote:
> 
> Ahh I just realised that you might be wanting to use agent-forwarded
> keys to connect to bitbucket. What I described should work if you have
> local keys on the server where you run the git commands but it's not
> using them because it's using a key from the agent that you don't
> want it to use - but if you're trying to use one of several agent
> keys then I'm not sure if it will be possible.

Also, I noticed something which I think is working as intended, but seems odd. 
When I ssh to the intermediate server, I can do an ssh-add on there to load up 
a key that is only on the intermediate server. That key then is held in the 
ssh-agent on my workstation. 

After I disconnect from the intermediate server, the ssh-agent on my 
workstation retains the key and can use it for authentication to other hosts. I 
get why this happens, but it seems a little paradoxical. There also doesn’t 
seem to be a way to delete the key from the ssh-agent on the workstation after 
I disconnect (other than using ssh-add -D to blow away all of the keys.) 


—Paul





Re: Select ssh key from ssh-agent?

2020-05-23 Thread Paul Suh
On May 22, 2020, at 10:08 PM, David A. Pocock  wrote:
> 
> Consider:
> 
> workstation$ eval $(ssh-agent)
> workstation$ ssh-add ~/.ssh/my_primary_key
> workstation$ ssh-add ~/.ssh/my_secondary_key
> workstation$ ssh-add -l
>    hash /home/user/.ssh/my_primary_key
>    hash /home/user/.ssh/my_secondary_key
> 
> workstation$ ssh -A intermediaryhost
> 
> intermediaryhost$ ssh-add -l
>    hash /home/user/.ssh/my_primary_key
>    hash /home/user/.ssh/my_secondary_key

David, 

It doesn’t seem to work. When I do a ssh-add -l I get file paths only for rsa 
keys, not ecdsa keys. I’m running OpenSSH 8.1 (OpenBSD 6.6 - yes I need to run 
sysupgrade), 8.1p1 (macOS 10.15.4), and 8.2p1 (Ubuntu server 20.04 LTS). 

In any case I tried specifying the original key file paths to ssh on my 
intermediate server 

> ssh -v -i /Users/myusername/.ssh/id_ecdsa g...@bitbucket.org


but got the warning: 

> Warning: Identity file /Users/myusername/.ssh/id_ecdsa not accessible: No 
> such file or directory.

According to the debug trace, the authentication then went through using a 
different key from my ssh-agent’s store. 


—Paul






Re: Select ssh key from ssh-agent?

2020-05-22 Thread Paul Suh


> On May 22, 2020, at 3:35 AM, Stuart Henderson  wrote:
> 
> On 2020-05-21, Paul Suh  wrote:
>> However, if you are loading multiple keys into ssh-agent and forwarding keys 
>> to other hosts, there doesn’t seem to be a way to select which key will be 
>> presented to the destination by the ssh client.
> 
> See IdentitiesOnly.
> 
>> The particular case I’m working with is using git with bitbucket.org, where 
>> user accounts are identified by the key. I have two accounts that have two 
>> different keys, and when I’m logged into another server via ssh I can only 
>> access one BitBucket account since that’s the one whose keys ssh-agent 
>> presents first. 
> 
> You may find it useful to set Host blocks in .ssh/config with
> IdentityFile, e.g. (untested but I think it's right):
> 
> IdentitiesOnly yes
> 
> Host bitbucket-foo
>  User git
>  HostName bitbucket.org
>  IdentityFile ~/.ssh/bb-foo.ed25519 
>  ControlMaster auto
>  ControlPersist 30
>  ControlPath /tmp/ssh.bitbucket-foo
> 
> Host bitbucket-bar
>  User git
>  HostName bitbucket.org
>  IdentityFile ~/.ssh/bb-bar.ed25519 
>  ControlMaster auto
>  ControlPersist 30
>  ControlPath /tmp/ssh.bitbucket-bar

Stuart, 

Thanks for your kind assistance. Do these go into the .ssh/config file on my 
local host (where I’m physically typing), on the server that I’m connected to, 
or both? I haven’t used the ControlMaster option before. 


—Paul
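The selection problem discussed in this thread can be solved on the intermediate host with public key files alone. The script below is an added example, not code from the thread or from OpenSSH: it assumes OpenSSH 8.x on both ends, and the key names bb-foo / bb-bar, the Host aliases and the resolver-free helper names are hypothetical. The mechanism it relies on is documented OpenSSH behaviour: IdentityFile may name a public key file, ssh uses that public key to pick the matching identity from the (forwarded) agent, and IdentitiesOnly stops ssh from offering every other agent key first. This is also why `-i /Users/myusername/.ssh/id_ecdsa` failed on the intermediate server: the path exists only on the workstation. Copy just the `.pub` files over and the private keys never leave the workstation.

```shell
#!/bin/sh
# Added example (not from the thread): choose one of several agent-forwarded keys on the
# intermediate host. Assumes OpenSSH 8.x; bb-foo / bb-bar and the Host aliases are
# hypothetical names.
#
# IdentityFile pointing at a *public* key + IdentitiesOnly makes ssh offer only the agent
# identity matching that public key. Only the .pub files need to exist on this host.

# Print a ~/.ssh/config fragment with one alias per Bitbucket account.
# SSH_DIR may be overridden (used by the test); it defaults to ~/.ssh.
bitbucket_ssh_config() {
    ssh_dir="${SSH_DIR:-$HOME/.ssh}"
    cat <<EOF
Host bitbucket-foo
    User git
    HostName bitbucket.org
    IdentitiesOnly yes
    IdentityFile $ssh_dir/bb-foo.pub

Host bitbucket-bar
    User git
    HostName bitbucket.org
    IdentitiesOnly yes
    IdentityFile $ssh_dir/bb-bar.pub
EOF
}

# Compare the key material (type and base64 blob, ignoring the comment) in public key
# file $1 against the lines of an "ssh-add -L" style listing stored in file $2.
# Returns 0 when that key is present in the listing.
pubkey_in_listing() {
    wanted=$(awk 'NR == 1 {print $1 " " $2}' "$1")
    awk '{print $1 " " $2}' "$2" | grep -qxF -- "$wanted"
}

# Ask the agent behind $SSH_AUTH_SOCK whether it holds the key in public key file $1.
# Use it before a git operation to fail fast instead of letting ssh fall through to
# whatever key the agent happens to offer first.
agent_has_key() {
    listing=$(mktemp) || return 2
    ssh-add -L > "$listing" 2>/dev/null
    if pubkey_in_listing "$1" "$listing"; then rc=0; else rc=1; fi
    rm -f "$listing"
    return "$rc"
}

# Usage on the intermediate host, after "ssh -A intermediate" from the workstation:
#   bitbucket_ssh_config >> ~/.ssh/config
#   agent_has_key ~/.ssh/bb-foo.pub && git clone bitbucket-foo:team/repo.git
#   ssh -v bitbucket-foo 2>&1 | grep 'Offering public key'   # only bb-foo is offered
```

The config goes on the host where the git command runs (the intermediate server); the workstation only needs the agent running and `-A`. Two caveats: forwarding the agent lets root on the intermediate host use every loaded key while you are connected, so keep the agent's key set small; and if a key was loaded into the forwarded agent from the intermediate host, `ssh-add -d /path/to/key.pub` removes just that identity (the public key file is enough), so blowing away everything with `ssh-add -D` is not necessary.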






Select ssh key from ssh-agent?

2020-05-21 Thread Paul Suh
Folks, 

I’m not sure this is the right place to ask, but I hope someone can point me in 
the right direction. 

When using ssh with keys that are in files on the local host, you can specify 
which key is used for the connection by using the -i option and giving the path 
to the key file. 

However, if you are loading multiple keys into ssh-agent and forwarding keys to 
other hosts, there doesn’t seem to be a way to select which key will be 
presented to the destination by the ssh client. The -i option does not find the 
original key file of course (since it’s on another machine) and there doesn’t 
seem to be an option to tell ssh-agent which key to present. 

The particular case I’m working with is using git with bitbucket.org, where 
user accounts are identified by the key. I have two accounts that have two 
different keys, and when I’m logged into another server via ssh I can only 
access one BitBucket account since that’s the one whose keys ssh-agent presents 
first. 

I can think of a couple of workarounds, but I also wanted to see if I’m missing 
something. 


—Paul





Re: Automated OS builds?

2020-01-05 Thread Paul Suh
On Jan 5, 2020, at 12:43 PM, Morten Gade Liebach  wrote:
> 
> Read release(8), then write a script runs through the described process.

I can do that, and will if I have to, but if someone has already done it or has 
a base to start from that would be better. (I’ve been building OpenBSD releases 
that way since 3.2? 3.3? Something like that.) 


—Paul



Automated OS builds?

2020-01-05 Thread Paul Suh
Folks,

My DuckDuckGo-fu seems to be weak right now. 

Is there a set of automated scripts somewhere that: 

1) Checks anoncvs*.*.openbsd.org:/cvs for updates to the patch branch source 
tree
2) Checks them out
3) Builds them
4) Builds a release

Then notifies me when this has happened? 

I’m looking to follow the patch branch but since I’m using flashrd I can’t use 
syspatch on my production systems. (Yes I know I’m not asking for help with 
flashrd, but with an automated build system for the base system.) 

I can hack something like this together but I’m kinda surprised that I can’t 
find something that someone else has already done. Or maybe I’m just bad with 
search engines. 


—Paul



Re: 6.5 PowerPC Packages

2019-05-09 Thread Paul Suh
On May 9, 2019, at 11:41 AM, danieljb...@icloud.com wrote:
> 
> On Thu, May 09, 2019 at 08:55:40AM -0600, Theo de Raadt wrote:
>> The real reason is because we're low on current for the flux capacitor,
>> after shifting time for the early 6.5 release.  Not all the machines
>> were able to fit into back seat of the Delorian.
>> 
> 
> Come on Theo, everybody knows that you can't run a flux capacitor
> without 1.21 gigawatts. Great Scott
> 

Not a problem. We can get a Mr. Fusion from Amazon to power the flux capacitor: 

https://www.amazon.com/Back-Future-Mr-Fusion-Replica/dp/B00NPADMRK

I'm off to setup a GoFundMe page for contributions towards one for the OpenBSD 
project. ;-D


--Paul



Linux equivalent of ifstated?

2019-04-18 Thread Paul Suh
Folks, 

Sorry to pollute with non-OpenBSD but it's sorta related. I need to work 
on a Linux system and I need the functionality of ifstated(8), in particular 
with respect to arbitrary tests as well as interface state. The ifupdown 
scripts are not sufficient. Can anyone tell me the equivalent in Linux-land? My 
Google-fu seems to be weak. 

Thanks! 


--Paul





Re: serial console images for installing on vmd based guests

2019-03-13 Thread Paul Suh
> On Mar 13, 2019, at 6:30 PM, Chris Cappuccio  wrote:
> 
> I think I'm just too stupid to use Linux. I know grub-based boot loaders give
> you that option, but then I went to try Alpine Linux, and from what I'm 
> finding, I have to setup a config file put it back into the ISO. 

Chris, 

I've been fooling with Alpine Linux a lot in the past few years. It's gotten a 
lot of love recently since it's heavily used in the Docker community. 

IMHO it's as close as you can get to something OpenBSD-ish within the Linux 
space. I definitely appreciate the leanness and built-in ability to run from 
RAM à la flashrd and resflash. However, compared to other Linux distros it's 
kinda "special" and has more than a few quirks. 


--Paul





Re: Are there open source firewall distributions which are built on top of OpenBSD?

2019-03-13 Thread Paul Suh


> On Mar 13, 2019, at 6:05 AM, Stuart Henderson  wrote:
> 
> On 2019-03-13, Mehma Sarja  wrote:
>> My current setup is basic firewall with DHCP, NAT and routing. But there is
>> power in the simplicity. When something goes wrong -and it has happened
>> twice due to power failures, there is so much less to deal with to bring
>> the box back up.
> 
> A standard OpenBSD installation is somewhat susceptible to power failures
> though. Especially fail/back/fail again during the startup procedure while
> it's relinking libraries in random order. Not saying it can't be used but
> some thought is needed if you know that it's *likely* to be powered off
> without shutdown, or if the power is flaky.

If you want to run a system that is resistant to damage from power faults, take 
a look at Resflash. 

 https://stable.rcesoftware.com/resflash/

It's more tolerant of power faults since the running system has all of its 
actual disks in read-only mode and anything writable is done to mfs-based 
mounts, including /usr/lib and /usr/libexec during the re-linking process. It 
also has a very nice upgrade and rollback process, useful if you're maintaining 
remote routers/firewalls. 

Don't ask for support on this list since it's not base OpenBSD, but the author 
is pretty good about helping people out. 


--Paul





Re: Cheaper alternatives for APC UPS

2018-12-28 Thread Paul Suh
On Dec 23, 2018, at 7:13 AM, Stuart Henderson  wrote:
> 
> I have had APCs that required a crowbar to remove the batteries before ;)
> Whatever brand, it's probably a good idea to schedule a battery inspection
> from time to time.

I would second this and go further. I spent four years working in the Bahamas 
where the power reliability is awful, to be charitable. Power cuts averaged 
about two per month. Some of it just the usual problems of living in an area 
with a small grid and lots of lightning storms, some of it due to poor 
maintenance at the electric company. 

The batteries in a UPS are generally rated for 3-5 years, so: 

1) Plan and budget for replacing them in 3 years, including proper recycling. 

2) Put a label on the UPS with the date on which the battery was last replaced, 
and also when it was last inspected. This will save you a lot of grief. 


--Paul





Mac laptop to iked errors

2018-12-06 Thread Paul Suh
Folks,

Fiddling with a basic iked configuration: 

ikev2 roadwarrior \
from any to 172.31.0.0/20 \
local 172.31.15.102 peer any \
config address 172.31.0.224/28 \
config protected-subnet 172.31.0.0/20 \
tag "IKED"

I created a ca and certs using ikectl using hostnames. 

When I try to connect from my Mac laptop, I get the following errors (running 
iked with -d -vvv flags): 

> ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 
> length 8
> ikev2_pld_ts: count 1 length 0
> ikev2_pld_ts: malformed payload: too short for ts (4 < 8)
> ikev2_msg_send: IKE_AUTH response from 172.31.15.102:4500 to 
> 108.31.7.69:39749 msgid 1, 1456 bytes, NAT-T
> pfkey_sa_add: update spi 0x8b007e45
> pfkey_sa: udpencap port 39749
> ikev2_childsa_enable: loaded CHILD SA spi 0x8b007e45
> pfkey_sa_add: add spi 0x0758c03b
> pfkey_sa: udpencap port 39749
> ikev2_childsa_enable: loaded CHILD SA spi 0x0758c03b
> pfkey_flow: unsupported address family 0
> ikev2_childsa_enable: failed to load flow
> ikev2_dispatch_cert: failed to send ike auth

What am I doing wrong? 


--Paul





Re: TLS suddenly not working over IKED site-to-site

2018-12-03 Thread Paul Suh


> On Dec 3, 2018, at 12:18 PM, Rachel Roch  wrote:
> 
> I hope someone here can shed light on an infuriating problem I’ve spent a 
> week trying to resolve without luck.
> 
> The problem concerns an IKED site-to-site VPN on OpenBSD 6.3 (both endpoints 
> fully syspatched).
> 
> The VPN worked absolutely perfectly until it suddenly started behaving 
> strangely.  Seriously, I’m talking about “pass any traffic you can think of”, 
> then I go on holiday for a week (nobody else has physical or remote access to 
> the machines, and I did not connect on holiday), then this behaviour starts.
> 
> Basically the behaviour I am seeing is that anything that uses TLS is no 
> longer able to connect (or at least gets no further than trying to do a TLS 
> handshake, e.g. Firefox hangs showing "performing TLS handshake..." at the 
> bottom of the screen), so that means:
> 
> - HTTPS websites
> - VoIP
> - IMAP over TLS
> - RDP over TLS
> 
> Are all broken on the VPN, but all TLS-based services continue to work 
> perfectly off-site (or when the site-to-site VPN is bypassed with a 
> third-party VPN).  This impacts multiple servers and multiple clients, so its 
> not just one server or one desktop PC, its anything that tries to talk TLS 
> over that VPN !
> 
> 
> However:
> - Ping (including large packet size, e.g. “-s 1600”)
> - SSH
> - DNS
> - Anything else you care to name that doesn’t use TLS
> 
> All continue to work perfectly over the VPN.
> 
> My PF rules (which cannot possibly be the problem, because they have not 
> changed a single bit between “working” and “not working”) don’t even 
> differentiate between traffic types, so it can’t be some sudden PF oddity :
> 
> pass in on enc from  to  keep state (if-bound) 
> $midPriority
> pass out on enc from  to  keep state (if-bound) 
> $midPriority
> 
> Similarly, my IKED config is also completely unchanged between "working" and 
> "not working", and ipsecctl -sa continues to show everything correctly 
> established
> 
> ikev2 "to remote" active esp from $a_net to $b_net\
> local $local_ext peer $remote_ext \
> ikesa auth hmac-sha2-512 enc aes-256 prf hmac-sha2-512 group 
> curve25519 \
> childsa enc chacha20-poly1305 group curve25519 \
> srcid $local_ext dstid $remote_ext \
> ikelifetime 4h lifetime 3h bytes 512M \
> ecdsa384
> 
> 
> This whole thing is just driving me crazy !
> 

Rachel, 

As a first step, try using s_client to connect to a TLS service and see what 
comes back: 

$ openssl s_client -connect host:port -showcerts

There are more possible options on s_client to debug more deeply but this is a 
good start. 


--Paul






Pass through a single external IP address and NAT others

2018-10-24 Thread Paul Suh
Folks,

I'm about to make a change in my external networking setup. I have 5 public IPs 
from Verizon FIOS and all 5 are coming into an OpenBSD 6.3 (shortly to be 6.4) 
box using pf and NAT. I would like to have four of the IPs continue to come 
into the OpenBSD box but pass through the fifth IP to another device without 
NAT. What would be the best way to do this? I have an extra physical ethernet 
port on my OpenBSD box so it's no problem to hook up an additional cable 
between the two. 

Really horrible diagram here: 

https://drive.google.com/file/d/1vD7lLAXPfhmHtU8b60KGeHiAgb3k1Pa2/view?usp=sharing

Would I need to bridge em0 and em2? Or is there a better way to think about how 
to approach the problem? 


--Paul





IPSec Flow and SA to unexpected subnet

2017-11-26 Thread Paul Suh
Folks, 

I set up a router using 6.2-stable, and created IKEv1 tunnels using isakmpd, 
something I've done many times before. The other end is a Sonicwall NSA 4500, 
which I've used as an endpoint before as well. My ipsec.conf file is: 

> ike active esp \
> from 192.168.144.0/24 \
> to {   10.101.0.0/16, \
> 10.102.0.0/16, \
> 10.103.0.0/16, \
> 10.104.0.0/16, \
> 172.27.199.0/24 } \
> peer [Sonicwall IP] \
> main \
> auth hmac-sha1 \
> enc aes-128 \
> group modp2048 \
> lifetime 28800 \
> quick \
> auth hmac-sha1 \
> enc aes-128 \
> group modp2048 \
> lifetime 28800 \
> psk [PSK redacted]

However, the output of ipsecctl -s flow is: 

> # ipsecctl -s flow
>
> FLOWS:
> flow esp in from 10.104.0.16 to 192.168.144.0/24 peer 65.75.99.66 srcid 
> 24.51.107.65/32 dstid 65.75.99.66/32 type use
> flow esp out from 192.168.144.0/24 to 10.104.0.16 peer 65.75.99.66 srcid 
> 24.51.107.65/32 dstid 65.75.99.66/32 type require
> flow esp in from 10.103.0.16 to 192.168.144.0/24 peer 65.75.99.66 srcid 
> 24.51.107.65/32 dstid 65.75.99.66/32 type use
> flow esp out from 192.168.144.0/24 to 10.103.0.16 peer 65.75.99.66 srcid 
> 24.51.107.65/32 dstid 65.75.99.66/32 type require
> flow esp in from 10.102.0.16 to 192.168.144.0/24 peer 65.75.99.66 srcid 
> 24.51.107.65/32 dstid 65.75.99.66/32 type use
> flow esp out from 192.168.144.0/24 to 10.102.0.16 peer 65.75.99.66 srcid 
> 24.51.107.65/32 dstid 65.75.99.66/32 type require
> flow esp in from 10.104.0.0/16 to 192.168.144.0/24 peer 65.75.99.66 srcid 
> 24.51.107.65/32 dstid 65.75.99.66/32 type use
> flow esp out from 192.168.144.0/24 to 10.104.0.0/16 peer 65.75.99.66 srcid 
> 24.51.107.65/32 dstid 65.75.99.66/32 type require
> flow esp in from 10.103.0.0/16 to 192.168.144.0/24 peer 65.75.99.66 srcid 
> 24.51.107.65/32 dstid 65.75.99.66/32 type use
> flow esp out from 192.168.144.0/24 to 10.103.0.0/16 peer 65.75.99.66 srcid 
> 24.51.107.65/32 dstid 65.75.99.66/32 type require
> flow esp in from 10.102.0.0/16 to 192.168.144.0/24 peer 65.75.99.66 srcid 
> 24.51.107.65/32 dstid 65.75.99.66/32 type use
> flow esp out from 192.168.144.0/24 to 10.102.0.0/16 peer 65.75.99.66 srcid 
> 24.51.107.65/32 dstid 65.75.99.66/32 type require
> * flow esp in from 172.16.0.0/16 to 192.168.144.0/24 peer 65.75.99.66 
> srcid 24.51.107.65/32 dstid 65.75.99.66/32 type use
> * flow esp out from 192.168.144.0/24 to 172.16.0.0/16 peer 65.75.99.66 
> srcid 24.51.107.65/32 dstid 65.75.99.66/32 type require
> flow esp in from 172.27.199.0/24 to 192.168.144.0/24 peer 65.75.99.66 srcid 
> 24.51.107.65/32 dstid 65.75.99.66/32 type use
> flow esp out from 192.168.144.0/24 to 172.27.199.0/24 peer 65.75.99.66 srcid 
> 24.51.107.65/32 dstid 65.75.99.66/32 type require
> flow esp in from 10.101.0.0/16 to 192.168.144.0/24 peer 65.75.99.66 srcid 
> 24.51.107.65/32 dstid 65.75.99.66/32 type use
> flow esp out from 192.168.144.0/24 to 10.101.0.0/16 peer 65.75.99.66 srcid 
> 24.51.107.65/32 dstid 65.75.99.66/32 type require

Note the two starred flows that are not listed in my ipsec.conf configuration. 
The 172.16.0.0/16 subnet does exist on the Sonicwall end, and I'm pretty sure 
that the Sonicwall is requesting that a flow be set up for that subnet. 
However, I would think that my OpenBSD router would not create that flow since 
it's not in my ipsec.conf. 

Any ideas why it's being created anyway? I won't be in a position to see if the 
flow is really live until tomorrow morning. 


--Paul





DNS hijacking (was Re: Is this an intrusion?)

2017-06-17 Thread Paul Suh
On Jun 16, 2017, at 9:32 PM, Joe Holden  wrote:
> 
> It is done by the VM dns servers, if you visit a domain that doesn't
> exist you should be directed to the advanced search page, there *should*
> be a link to disable it there, but if not login to your account and
> disable it, can't remember what it is called...
> 
> Hosts file won't solve the problem really since anything else will also
> get the same result

Folks, 

My understanding of the way that this is done is by returning a CNAME when the 
ISP's recursive DNS server would otherwise return an NXDOMAIN result, 
followed by an HTTP 302 when the browser attempts to reach the host via the 
bogus CNAME. 

My question is would running my own internal recursive DNS resolver be 
sufficient to stop this from happening? (I run my own DNS server anyway, but 
I'm curious to see whether it would be sufficient to bypass the search page 
redirection stupidity.) 

Thanks for any insights. 


--Paul
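The hijacking mechanism described above (a positive answer where NXDOMAIN belongs) is easy to test for, and the same probe answers the question of whether a resolver you run yourself behaves differently. The script below is an added example, not code from the thread: it assumes dig(1) is installed (bind-tools or dnsutils), and the resolver addresses and probe zone in the usage comments are hypothetical. It classifies a saved dig output, which is what the test feeds it with constructed samples, and wraps that in a live probe that asks a resolver for a random, unregistered label under a real zone. No honest resolver can hold a positive answer for such a label, so a CNAME or A record in the answer is the redirect.

```shell
#!/bin/sh
# Added example (not from the thread): detect NXDOMAIN hijacking by a recursive resolver.
# Assumes dig(1) is available; resolver addresses and the probe zone are hypothetical.

# Classify a saved dig(1) output (file $1). Prints one of:
#   clean     - rcode NXDOMAIN, the resolver behaves
#   hijacked  - rcode NOERROR with a CNAME or A record in the answer section
#   nodata    - rcode NOERROR with an empty answer (NODATA; odd for a random label)
#   unknown   - anything else (SERVFAIL, timeout, no header line found)
classify_probe() {
    status=$(sed -n 's/.*status: \([A-Z]*\),.*/\1/p' "$1" | head -n 1)
    case "$status" in
        NXDOMAIN) echo clean ;;
        NOERROR)
            # Walk only the ANSWER SECTION; dig prints "name ttl IN TYPE rdata",
            # so the record type is field 4.
            if awk '/^;; ANSWER SECTION:/ {in_ans=1; next}
                    /^;;/ {in_ans=0}
                    in_ans && $4 ~ /^(CNAME|A)$/ {found=1}
                    END {exit found ? 0 : 1}' "$1"; then
                echo hijacked
            else
                echo nodata
            fi ;;
        *) echo unknown ;;
    esac
}

# 12 hex characters from the kernel RNG; nobody registers these under a real zone.
random_label() {
    od -An -N6 -tx1 /dev/urandom | tr -d ' \n'
}

# Send one probe to resolver $1 for a random label under zone $2 and classify it.
# +tries=1 and +time=3 keep a dead resolver from hanging the check.
probe_resolver() {
    out=$(mktemp) || return 2
    dig @"$1" +tries=1 +time=3 "$(random_label).$2" A > "$out" 2>&1
    classify_probe "$out"
    rm -f "$out"
}

# Usage, comparing the ISP's resolver with a recursive resolver you run yourself:
#   probe_resolver 203.0.113.53 example.com   # ISP resolver: "hijacked" if it redirects
#   probe_resolver 127.0.0.1 example.com      # own unbound/nsd setup: expect "clean"
```

Running your own recursive resolver does sidestep this particular trick, because the forged CNAME is injected by the ISP's resolver, not by the authoritative servers; the probe against 127.0.0.1 is the check that your resolver really recurses on its own and is not just forwarding to the ISP.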





Re: OT: Recommendations for a CMS?

2017-05-12 Thread Paul Suh

> On May 12, 2017, at 11:34 AM, Michael Hekeler  wrote:
> 
> On Wed, 10 May 2017 15:58:18 -0400, Paul Suh wrote:
> 
>> (...)
>>> https://redaxo.org
>> 
>> I guess it's ok, but the site is entirely in German, und mein Deutsch
>> ist nicht gut. My staff's German is non-existent. 
> 
> Oops - I didn't realise that :-/
> hehe - You are right...
> 
> A short time ago they updated their website and maybe they forgot or
> didn't have time yet to make a language switch.
> But the software is in English -> https://github.com/redaxo/redaxo
> ...and it runs fine with httpd in base

The GitHub pages are also all in German, along with the majority of the commit 
messages and at least some of the comments in the code. All of the 
documentation is in German as well. It may run OK in English, but it's not a 
good choice for someone whose German is as poor as mine. 

I18n is a lot harder than many people realize. At one place where I worked, UI 
freeze was very early in each release cycle due to the requirement to get 
everything translated. It led to some suboptimal releases since we couldn't 
change UI when we discovered a problem late in the process. 


--Paul





Re: OT: Recommendations for a CMS?

2017-05-10 Thread Paul Suh
Thanks to everyone for suggestions and ideas. 

My comments on some of the suggestions, in more or less chronological order: 

> I would recommend something like Magento

Magento is total overkill -- this is not an e-commerce site and the additional 
exposed attack surface is horrendous. 

> https://www.locomotivecms.com/

Worth looking into, at first glance. Thanks! 

> https://redaxo.org

I guess it's ok, but the site is entirely in German, und mein Deutsch ist nicht 
gut. My staff's German is non-existent. 

About Drupal: 

> every major version of drupal is a pain. They generally don't have any
> kind of same migration plan from version to version.  Especially the user
> interface, which changed a lot, so you're often better off reimporting
> your data and starting the menu design from scratch

This is a serious negative for me. Also that it's PHP-based -- I know PHP has 
gotten better, but there's been just too many potential problems in PHP for me 
to really feel good about it. 

> So, the suggestion is.. to just start setting up an OpenBSD web stack.
> You are going to make good progress, just better compared to other OS.

Actually, I can spin up OpenBSD pretty easily for myself, either in VirtualBox 
or vmm, but the point is to make it sustainable by my staff, who just don't 
have the technical skills to sysadmin OpenBSD or another unix variant, for that 
matter. The choice of a CMS is almost orthogonal to the choice of the 
underlying OS, since they're all pretty much built on common web programming 
languages (PHP, Python, Ruby, etc.) and databases (MySQL/MariaDB, Postgresql), 
all of which run on a variety of server OS platforms. 

> erpnext.com is the most featurefull free erp I have found, including cms.
> may take a little work to port to OpenBSD and unfortunately uses nodejs

Ugh, again complete overkill. This is using a tactical nuke to kill an ant. I'm 
not looking for a full ERP solution, really! And I'm not thrilled with anything 
based on node.js. Node.js has a really strange dependency system and any 
language that allows the JSF*ck mess is not something that I would trust in 
terms of security. 

Thanks again to everyone who chimed in. 


--Paul





Re: IPsec and certificates

2017-05-07 Thread Paul Suh

> On May 7, 2017, at 2:10 PM, Steve Shockley wrote:
> 
> I'm trying to get IPsec set up in transport mode using isakmpd, between 
> OpenBSD 6.0, Windows 2008R2+, and i5/OS 7.1.  I've already gotten everything 
> working using PSK, but I'd like to use certificates.
> 
> I've created a certificate from our CA for each machine.  I've put the CA 
> root chain in /etc/isakmpd/ca, the local machine's private key in 
> private/local.key, the local machine's cert in certs/[ip addr].crt, and the 
> remote machine's cert in certs/[ip addr].crt.  The certificates have a 
> subject of CN=hostname.domain.com, and a SAN with DNS=hostname.domain.com, 
> DNS=[ip addr], IP=[ip addr].
> 
> I'm thinking that I'm just putting the certs in the wrong place.  I've run 
> isakmpd with -D A=99, which is confusing because it appears to still be 
> looking in /etc/isakmpd/keynote despite using -K.
> 
> Has anyone else used isakmpd with certificates signed by a non-dedicated CA, 
> or see anything I'm likely doing wrong here?  Thanks.
> 


> Current uncommented lines in ipsec.conf:
> ike esp transport from a.b.c.d to d.b.c.a \
>main  auth hmac-sha1  enc 3des  group modp1024 \
>quick auth hmac-sha1  enc 3des  group none
> 
> ike esp transport from d.b.c.a to a.b.c.d \
>main  auth hmac-sha1  enc 3des  group modp1024 \
>quick auth hmac-sha1  enc 3des  group none


Steve, 

Have you tried using the DNS names in your ipsec.conf, and in the filenames in 
the /etc/isakmpd/certs directory? Generally, certificates are applied against 
the DNS name for servers, rather than the IP address. Maybe a bug in isakmpd or 
one of the other hosts that doesn't handle IP addresses in the SAN field 
correctly since it's such a rare usage? 


--Paul






OT: Recommendations for a CMS?

2017-05-07 Thread Paul Suh
Folks,

Completely off topic, but I'd value input from this community in particular. I 
need to recommend a (replacement) CMS for the public-facing web site for my day 
job. My wants: 

1) NOT Wordpress -- I don't need the security headaches. 
2) Allows updates by users who don't know HTML and for whom Markdown is a 
stretch. (Marketing people.)
3) Has commercial support and hosting available -- if it was just me I could 
run almost anything on my own. For my day job, however, I need to make sure 
that the rest of the IT department can still handle things if I get hit by a 
bus. 
4) Minimal customization -- certainly no custom code or scripting. Again, if it 
was just me..., but it needs to be maintainable down the road. 

The site needs very little in the way of server-side processing; in 
fact, a CMS is borderline overkill. A good templating system would almost do 
the trick. A really good templating system that can automatically post selected 
news item links to Twitter, Instagram, Facebook, etc. would be great. The only 
problem is that the marketing types can't be trusted even with Markdown. :-P

The site needs to be really flashy and eye-catching for marketing purposes, so 
whatever solution needs to support (or at least not get in the way of) the 
latest & greatest HTML5/CSS/JS. (I know that the crowd here is generally going 
to pooh-pooh that, but it's actually appropriate for selling to the target 
audience. I'm mostly the same way, and have to check my first instincts when 
dealing with this site.) 

I've used Plone in the past, but support seems a little thin these days and 
it's pretty heavyweight for this project. 

I saw the thread about "Creating a blog..." a year ago, but time has passed and 
his use case is significantly different from mine. 

I'm looking for actual, recent experience with a CMS, not "I know a guy who 
used to run..." kinds of things. 

Suggestions? 


--Paul 



Re: Hardware recommendations for compact 1U firewall

2017-01-09 Thread Paul Suh
> On Dec 16, 2016, at 8:32 PM, Predrag Punosevac wrote:
>
> This is my favorite Ebay seller and they have lots of nice network
> equipment for home, small, and large business.
>
> http://stores.ebay.com/MITXPC/

+1 for MITXPC. I've purchased several systems from them over the years and
they've always been responsive and helpful.


--Paul

[demime 1.01d removed an attachment of type application/pkcs7-signature which 
had a name of smime.p7s]



Re: OpenBSD 6.0 bsd.rd doesn't boot on soekris net4801 [solved, but ...]

2016-10-02 Thread Paul Suh
> On Oct 2, 2016, at 3:06 PM, Peer Janssen  wrote:
>
> Now I reinstalled on another CF-Disk (4GB Transcend) with another method
> (miniboot.fs), this went through and first-rebooted just fine.
>
> But now halting the machine produces a panic:

Peer,

I suspect that part of the problem with your 4801 is just old age. I'm phasing
out the four units that I own, since they're all becoming unreliable with
inexplicable and unrepeatable crashes, freezes, and panics. Some of the
problem can be traced to bad power supplies, but overall a big part is just
plain old age. Any 4801 must be at least ten to twelve years old (date of
manufacture, not date of sale). I think by now enough of the capacitors have
gone bad or are on the way to going bad that they're dying. :-(

Also, for my use they don't have enough CPU power to run IPSec tunnels at full
WAN speed so I need new hardware anyway.

Hope this helps.


--Paul




Re: Looking for a way to deal with unwanted HTTP requests using mod_perl

2016-09-29 Thread Paul Suh
On Sep 28, 2016, at 10:04 PM, Chris Bennett wrote:
>
> I don't think bruteforce will be helpful in my case. I do occasionally
> get bruteforce attacks, but not very often.
> What I usually get are identical attacks of a certain set of variations
> of URLs from one IP address. A little later the same thing from another
> IP, then another, etc.
>
> One of the reasons I am thinking of a mod_perl solution is that mod_perl
> can step in very early in the Apache process. All kinds of things can be
> done long before normal access is available to other processes.
> But I have no experience using any of these parts of mod_perl. I have
> only used later functions in the cycle.

Just as a random thought, have you considered reverse proxying through
something like squid? This would allow you to catch bad requests long before
any kind of processing happens in httpd. I think squid even has direct pf
integration if you want to go that route.


--Paul




Re: Long life on SSD in a firewall environment

2016-06-19 Thread Paul Suh
> On Jun 19, 2016, at 5:56 AM, Sjöholm Per-Olov  wrote:
>
> Hi
>
> Does anyone know if there exists any list of recommendations about how to
> make an SSD disk live as long as possible when using it for firewall purposes
> on OpenBSD? It seems that OpenBSD lacks some features related to SSDs like
> TRIM. SSDs are getting more popular, but I cannot find much info in the
> OpenBSD FAQ or on misc. Also, it is not that easy to get a good understanding
> of how long an average good SSD will really live with average disk writes
> from the specs. And there are more than one way to give specs about this,
> where DWPD is one and MTBF is another.
>
> Therefore I at least want to do the easy steps to make it long lived...
>
> Softdep is probably a good thing. What else? And I think of rewriting the
> logging handling with dates in /var/log to avoid a move of all logs every
> day. Or is that a waste of time? Any special handling/settings for swap and
> /tmp?

Sjöholm,

Take a look at:

https://github.com/yellowman/flashrd
https://github.com/markhellewell/resflash

Hope this helps.


--Paul




Re: I am thankful for OpenBSD quality docs

2016-05-17 Thread Paul Suh
> On May 17, 2016, at 11:17 AM, Donald Allen  wrote:
>
> My point is that good documentation is not
> easy to do, something I think many of us tend to forget. It's also
> less fun than writing code. Things like K&R that explain their subject
> so concisely and yet completely take tremendous skill. I myself am in
> the process of writing a document for a suite of personal financial
> management tools that I will release on github and I said to my wife
> the other day that writing the documentation is more difficult than
> writing the software.

Don,

I would agree with you 100%. I find that for my own software, the release
engineering (including writing and editing docs, taking screenshots, making
sure that the installer works correctly, making sure that the uninstaller
works correctly, testing on multiple systems with multiple configurations,
etc.) takes as much or more time than just writing the software. *Keeping* any
docs up to date (including screenshots and videos) is also a lot of work that
has to be factored in to update releases.


--Paul




I am thankful for OpenBSD quality docs

2016-05-17 Thread Paul Suh
Folks,

I've been playing over at Alpine Linux, to get support for a WiFi card that is
not supported under OpenBSD. Their installation instructions and general
documentation are horribly confused and outdated. Makes me long for our
goodness here.


--Paul




Re: your mail

2016-05-17 Thread Paul Suh
Bah, humbug! TECO Rulez! 


> On May 17, 2016, at 5:47 AM, Roderick  wrote:
> 
> On Mon, 16 May 2016, 1 9 wrote:
> 
>> What editor? vim or emacs? what is the reason?




Support for Realtek wifi card?

2016-05-08 Thread Paul Suh
Folks,

Can someone give me a read on support for Realtek WiFi cards -- specifically
the support for the 8723BE? I'm thinking it's along the lines of
"ba-ha-ha-ha-ha you're joking right?". It's not critical for me -- I got the
little box because it has 4 GigE ports and an Atom D525, the WiFi would just be
a bonus.

I know it's not in the known working hardware list in the FAQ or man pages.

There is a somewhat old message indicating that there isn't a maintainer for
Realtek WiFi cards on FreeBSD:




...which would indicate to me that it's not a priority in the general BSD
community. However, the message is four years old.

There seems to be active Linux driver here:



At first glance it looks like it needs a firmware blob.

Inquiring minds want to know...


--Paul




Re: Syntax error in pf rules

2016-03-31 Thread Paul Suh
> On Mar 30, 2016, at 10:58 PM, Adam Smith  wrote:
> 
> Are you the owner of misc@openbsd.org?
> 
>> --- dera...@cvs.openbsd.org wrote:
>> 
>> From: Theo de Raadt 
>> To: ken...@dcemail.com
>> 
>>> I know. Do you have proof that I hadn't put in my minimum effort
>>> before jumping to conclusions?

This guy has clearly just provided proof! :-D 

Now where did I put that spray can of troll repellent? 


--Paul




Re: 5.8 IKEv2 with OSX 10.11.3

2016-01-31 Thread Paul Suh
DY -

First things first. Can you please post a printout of the certificate in text
and PEM format? Clearly the OS X machine doesn't like the subjectAltName, but
there may be other issues as well.


--Paul



> On Jan 31, 2016, at 1:16 AM, Dot Yet  wrote:
>
> Forgot to mention that I know the problem is here:
>
> ca_x509_subjectaltname: FQDN/server.obsd57.com
> ca_x509_subjectaltname_cmp: FQDN/server.obsd57.com mismatched
> ca_validate_cert: /C=CA/ST=Ontario/L=Toronto/O=stark/OU=ITOPS/CN=client-number-1/emailAddress=ad...@obsd57.com invalid subjectAltName extension
>
> Just don't know how to fix this.
>
> Thanks,
> dot.yet
>
> On Sun, Jan 31, 2016 at 1:12 AM Dot Yet  wrote:
>
>> Hello,
>>
>> I am trying to setup IKEv2 roadwarrior based VPN. I've the client
>> functional in Windows 7 using the native client. I am trying to get the
>> same functional on OSX, but facing problems.
>>
>> The authentication is being done using certificates. I used ikectl to
>> generate, CA, server's certificate as well as a client certificate. Used
>> the ikectl export option to generate the zip file containing ca and client
>> p12 files.
>>
>> I am using Apple Configurator 2, from the appstore to create the profile
>> file. The profile contains the two certificates as well as the ikev2
>> configuration. Starting the VPN client, I see the following in the server
>> side logs:
>>
>> OSX 10.11.3 Unsuccessful Connection Log entry:
>> sa_stateok: VALID flags 0x18, require 0x1f cert,certvalid,auth,authvalid,sa
>> sa_state: cannot switch: AUTH_SUCCESS -> VALID
>> config_free_proposals: free 0x71d6d207180
>> ca_setauth: auth length 256
>> ca_x509_subjectaltname: FQDN/server.obsd57.com
>> ca_x509_subjectaltname_cmp: FQDN/server.obsd57.com mismatched
>> ca_validate_cert: /C=CA/ST=Ontario/L=Toronto/O=stark/OU=ITOPS/CN=client-number-1/emailAddress=ad...@obsd57.com invalid subjectAltName extension
>> ikev2_getimsgdata: imsg 23 rspi 0xf9048b97fef10e03 ispi 0xa01ca6865f9c0754
>> initiator 0 sa valid type 1 data length 256
>> ikev2_dispatch_cert: AUTH type 1 len 256
>> sa_stateflags: 0x18 -> 0x1c auth,authvalid,sa (required 0x1f
>> cert,certvalid,auth,authvalid,sa)
>> sa_stateok: VALID flags 0x1c, require 0x1f cert,certvalid,auth,authvalid,sa
>> sa_state: cannot switch: AUTH_SUCCESS -> VALID
>> ikev2_dispatch_cert: peer certificate is invalid
>> sa_stateok: VALID flags 0x1c, require 0x1f cert,certvalid,auth,authvalid,sa
>> sa_state: cannot switch: AUTH_SUCCESS -> VALID
>>
>>
>> Compared to a successful connection in Windows 7:
>>
>> Windows Successful Connection Log entry:
>> sa_stateok: VALID flags 0x18, require 0x1f cert,certvalid,auth,authvalid,sa
>> sa_state: cannot switch: AUTH_SUCCESS -> VALID
>> config_free_proposals: free 0x71d9dda6e00
>> ca_getreq: found CA /C=CA/ST=Ontario/L=Toronto/O=stark/OU=ITOPS/CN=obsd57/emailAddress=ad...@obsd57.com
>> ca_x509_subjectaltname: FQDN/server.obsd57.com
>> ca_getreq: found local certificate /C=CA/ST=Ontario/L=Toronto/O=stark/OU=ITOPS/CN=server.obsd57.com/emailAddress=ad...@obsd57.com
>> ca_setauth: auth length 256
>> ca_validate_cert: /C=CA/ST=Ontario/L=Toronto/O=stark/OU=ITOPS/CN=client-number-1/emailAddress=ad...@obsd57.com ok
>> ikev2_getimsgdata: imsg 18 rspi 0xd4cd1307801a4461 ispi 0x0e3d4164b4884c93
>> initiator 0 sa valid type 4 data length 1011
>> ikev2_dispatch_cert: cert type X509_CERT length 1011, ok
>> sa_stateflags: 0x18 -> 0x19 cert,authvalid,sa (required 0x1f
>> cert,certvalid,auth,authvalid,sa)
>> sa_stateok: VALID flags 0x19, require 0x1f cert,certvalid,auth,authvalid,sa
>> sa_state: cannot switch: AUTH_SUCCESS -> VALID
>>
>> Inside /etc/ssl/x509v3.cnf file, my CERTFQDN has the value
>> server.obsd57.com
>>
>> In Apple Configurator profile, I've the following:
>>
>> Remote Identifier: server.obsd57.com
>> Local Identifier: client-number-1
>>
>> I've tried populating the following fields, but neither of them helps:
>> Server Certificate Issuer Common Name: obsd57 (Thats the CN for my CA)
>> Server Certificate Common Name: server.obsd57.com (Thats the CN for my
>> server certificate)
>>
>> Not sure where to go from here. Can you help point me to the right
>> direction on what maybe wrong here?
>>
>> Thanks,
>> dot.yet




Re: random.seed question

2015-11-26 Thread Paul Suh
> On Thu, Nov 26, 2015 at 01:30:51PM +0100, Marko Cupać wrote:
>
> | The reason why I am asking is the fact that I am preparing pcengines
> | apu box which needs to be read-only because of reduced sdcard wear but
> | also because it is going to be placed in remote environment with
> | frequent power outages (daily manual fscks expected if / is rw).
> |
> | I am achieving this by putting ro record in fstab for (the only) /
> | partition and moving /dev, /var and /tmp to mfs and tmpfs mounts.
> |
> | I am concerned about shutdown message about inability to dd random.seed
> | because of read-only file system. What would be the implications of not
> | writing it on shutdown?

Marko,

Rather than rolling your own (unless you are masochistic or have a serious
hacking itch), it might be easier to use one of the existing flash read-only
projects:

http://nmedia.net/flashrd
https://github.com/bconway/resflash

Just a couple of suggestions.


--Paul




Re: Update OpenBSD Remotely

2015-05-17 Thread Paul Suh
On May 17, 2015, at 10:08 AM, Peter Leber  wrote:
>
> I want to build a test system based on OpenBSD 5.7 which updates
> in an automated fashion.
> The goal is to have a remotely located machine which runs OpenBSD 5.7
> and is constantly updated. While restarting the machine remotely via SSH
> is perfectly fine to me, I do not want to access the machine locally in
> order to interrupt the automatic reboot in order to trigger the manual
> upgrading process. I'm fine with following -stable and -current alike.



Peter,

Have you looked into flashrd?

http://nmedia.net/flashrd
https://github.com/yellowman/flashrd/

See the section in the FAQ on how to upgrade a running system:

http://www.nmedia.net/flashrd/flashrd-faq.html

It’s a matter of copying over three files and re-booting. I’ve done remote
upgrades many times, but have not scripted the process.

Hope this helps.


—Paul




Re: Creating and protecting flash installed OpenBSD image

2015-04-04 Thread Paul Suh
> On Apr 3, 2015, at 5:30 AM, Denis Lapshin  wrote:
>
> Interesting does anybody have experience of creating flash memory image with OpenBSD system running.
> I see this like extracting all of soldered FLASH memory contents in to RAM and running from where.
>
> Flash memory image protection from reading and modifying is interesting aspect also.
>
> Please suggest.
>
> Denis
>

Denis,

Have you looked into flashrd? I’ve been using it for several years now, and
it’s been very useful in maintaining routers.

http://www.nmedia.net/flashrd/


—Paul




Re: Quad-Gigabit 1U mini-itx board recommendations?

2011-08-31 Thread Paul Suh
On Aug 30, 2011, at 2:34 AM, Martin Schröder wrote:

> 2011/8/30 Paul Suh :
>> I'm looking for a mini-ITX motherboard with at least 4 x Gig-E ports. I would
>
> Not a board, but full computers:
>
> http://www.lannerinc.com/Embedded_Computing/All-Purpose_Box_Computers/LEC-2126
>
> http://www.lannerinc.com/Embedded_Computing/All-Purpose_Box_Computers/LEC-2026
>
> http://www.lannerinc.com/x86_Network_Appliances/x86_Desktop_Appliances/FW-7530
>
> http://www.lannerinc.com/x86_Network_Appliances/x86_Desktop_Appliances/FW-7535

Martin,

These look very interesting, but I haven't been able to locate where to buy
any of them on a small scale. Do you know of a good distributor for them?


--Paul




Re: Quad-Gigabit 1U mini-itx board recommendations?

2011-08-31 Thread Paul Suh
On Aug 30, 2011, at 9:47 AM, Stuart Henderson wrote:

> On 2011-08-29, Paul Suh  wrote:
>> I'm looking for a mini-ITX motherboard with at least 4 x Gig-E ports. I would
>> like to fit two of them into a 1U, dual mini-ITX case to have a CARP/SASYNC
>> pair with connections to external, internal, and DMZ zones.
>>
>> <http://www.casetronic.com/product_d.php?id=16>
>
> I strongly recommend against that type of chassis for two redundant firewalls,
> I think it's better to use two short depth boxes back-to-back (with ports on
> the front, like supermicro 503L-200), or some type of chassis where you can at
> least swap the PSUs without taking both machines down.
>
> If the hardware requirements were lower something like the Yawarra cases for
> PCEngines alix boards aren't bad (two in a single 1U case, but they can be
> removed independently) but that's not going to be good for 4x1Gb.

Stuart,

Thanks, I know that two short cases back-to-back would be better (in fact I
have a very nice single short depth case in there right now), but other
equipment on the other side makes that setup infeasible. Space is kinda tight
and I don't want to have to start paying for a whole other rack. Because it's
a data center with multiple machines behind the routers I really want
something that can support ~500 Gbps so that we can use the full speed that we
are paying for.


--Paul




Re: Quad-Gigabit 1U mini-itx board recommendations?

2011-08-31 Thread Paul Suh
On Aug 30, 2011, at 2:03 AM, Johan Linner wrote:

> We're running OpenBSD 4.9 on:
> http://www.mini-itx.com/store/?c=47#jnc92-330
> 
> with Jetway 3x Gigabit LAN Motherboard Modules:
> http://www.mini-itx.com/store/?c=34#modules
> 
> Works great.

Johan,

Thanks for the info! 


--Paul




Re: Quad-Gigabit 1U mini-itx board recommendations?

2011-08-31 Thread Paul Suh
On Aug 30, 2011, at 3:18 AM, Paul de Weerd wrote:

> Are you putting two boards in one case for redundancy / high
> availability ?  So that, when one fails the other can ... be taken
> down too to fix the first one ?

Paul,

As far as I can tell, the two sides are fully independent of each other. As
long as the cabling is long enough to slide out the case, each side can be
worked on without affecting the other.


--Paul




Re: Quad-Gigabit 1U mini-itx board recommendations?

2011-08-31 Thread Paul Suh
On Aug 30, 2011, at 3:08 AM, Henrique António Evaristo wrote:

> Humm, nice ... I was interested in knowing the power consumption of that setup.
> Do you have any possibility to provide that ?
> Thanks.
>
> Best regards,
> Henrique

Henrique,

I will be in a position to post on power consumption of my current setup in a
couple of weeks, when we transition to a new power distribution unit.



This is booted from CF with an additional two Gig-E ports from a SuperMicro
PCIe card. I would expect power consumption to be similar for each side.


--Paul




Quad-Gigabit 1U mini-itx board recommendations?

2011-08-29 Thread Paul Suh
Folks,

I'm looking for a mini-ITX motherboard with at least 4 x Gig-E ports. I would
like to fit two of them into a 1U, dual mini-ITX case to have a CARP/SASYNC
pair with connections to external, internal, and DMZ zones.



Using Google I've found a board by Jetway (JNC74-2007) that has a Gig-E port,
and can support an add-on board with three more Gig-E ports. Has anyone tried
this motherboard with OpenBSD, or can recommend a similar motherboard?



Thanks in advance.


--Paul




Re: Jail-System for OpenBSD

2011-07-21 Thread Paul Suh
Folks,

I would add that sysjail (not the FreeBSD implementation but the
implementation  based on systrace(4)) has known holes
that make it unsuitable as a security tool; please don't use it. I had the
privilege of speaking with Robert Watson directly at a conference a few years
ago, and he explained to me exactly how systrace is vulnerable to practical
attacks based on race conditions. His paper on this is at:




--Paul


On Jul 21, 2011, at 9:05 AM, Kristaps Dzonsons wrote:

>> I think the question is not new but I only found an old talk for version
>> 3.x, so I want to ask again:
>>
>> Is there anything comparable to FreeBSD jails (now)?
>>
>> I found sysjail but I am not sure, if it is working under 4.9 (maybe I
>> will try it in the next few days):
>> http://richizo.wordpress.com/2008/12/31/jailing-openbsd-in-5-steps/
>
> I haven't touched sysjail since 4.3 and nobody's sent patches to update it
> since then (though some hot air's been blown around).  The linked tutorial is
> also wrong: it just copies around some ifdefs instead of actually making sure
> nothing's changed between versions.  Bad.  Please contact me off-list if
> you're SERIOUS about maintaining sysjail between versions (no patches = don't
> bother).  Of course, this won't change that sysjail is breakable (and, note
> significantly, NOT part of OpenBSD proper).
>
> Kristaps.




Re: Bug Tracking system does not work

2011-07-19 Thread Paul Suh
On Jul 18, 2011, at 6:24 PM, Ted Unangst wrote:

> On Mon, Jul 18, 2011, Sergey Bronnikov wrote:
>> may be proper link is http://www.openbsd.org/query-pr.html
> 
> The bug tracker is down and will still that way for some time.

Ted,

Is there something that we can do to help? 


--Paul



> 
>> 
>> On 17:28 Mon 18 Jul , ciscoad...@mail.ru wrote:
>>> Hello.
>>> 
>>> Today I tried to search in the Bug Tracking system
>>> but got:
>>> 
>>> Not Found
>>> The requested URL /cgi-bin/query-pr-wrapper was not found on this server.
>>> 
>>> Apache/1.3.29 Server at cvs.openbsd.org Port 80




Re: ISAKMPD

2011-07-14 Thread Paul Suh
Folks,

Hmm -- it's not showing on the 4.9 or 4.8 Errata pages:

http://www.openbsd.org/errata49.html
http://www.openbsd.org/errata48.html

If it's easy to pull the diff it shouldn't be hard to post it, and it would be
a nice thing to do for folks who have scripts that notify them on changes of the
errata pages.


--Paul



On Jul 14, 2011, at 10:45 AM, Otto Moerbeek wrote:

> On Thu, Jul 14, 2011 at 10:36:54AM -0400, Wade, Daniel wrote:
>
>> It's tagged for 4.9-STABLE
>>
>> http://www.openbsd.org/cgi-bin/cvsweb/src/sbin/isakmpd/dh.c
>
> And I just comitted a corresponding diff into 4.8 stable.
>
> Dunno if this warrants a patch. It's easy to pull the diff from cvs.
>
>   -Otto
>
>>
>>
>>
>> -Original Message-
>> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of
>> Steve
>> Sent: Thursday, July 14, 2011 9:41 AM
>> To: misc@openbsd.org
>> Subject: ISAKMPD
>>
>> Hi all,
>>
>> Sorry this has been asked before but I can find no answer.
>>
>> Is there going to be an official patch for ISAKMPD for 4.8 4.9.
>>
>> I did see something in the bug tracking a while back but I now get the
>> following error when I try to access it.
>>
>> Not FoundThe requested URL /cgi-bin/query-pr-wrapper was not found on this
>> server.
>> Apache/1.3.29 Server at cvs.openbsd.org Port 80
>>
>> With thanks




Re: apache ssl behind nat problems

2011-07-12 Thread Paul Suh
On Jul 12, 2011, at 9:35 PM, Jacob L. Leifman wrote:

>> FWIW, I'm guessing that the problem is at the router. The packet trace is
>> showing a TCP SYN coming from the client, followed correctly by a SYN-ACK
>> going back from the server. The client should send an ACK packet back, but
>> instead it waits several seconds (i.e., timeout) then sends another TCP SYN,
>> which would be what happens when the client does not receive the SYN-ACK from
>> the server. Can you get a packet trace from the outside interface of the
>> router?
>
> I believe you are right; or at the very least it is some kind of weird
> interaction with the router. Unfortunately, this is a consumer DSL
> device with no packet capture/trace capability.

Jacob,

Just to confirm this, can you get a packet trace from the client showing
whether it's receiving the SYN-ACK, and/or if it's sending an ACK back?

Also, check to see if the router is expecting to be managed from the outside
via https on port 443, so that it is listening on port 443 from the outside
but the redirect rule on port 443 is then causing all kinds of weirdness
inside the router.


--Paul




Re: How does OpenBSD compare to Ubuntu Server?

2011-07-12 Thread Paul Suh
brraaiiinsss. B-)


On Jul 12, 2011, at 7:25 PM, Zeb Packard wrote:

> I think it worked.
>
> Sent from my iclone.
>
>> On Tue, Jul 12, 2011 at 4:23 PM, Marco Peereboom wrote:
>> shoot it again son.
>>
>> On Tue, Jul 12, 2011 at 03:59:31PM -0700, Zeb Packard wrote:
>>> Help, i shot it three times and I'm on my fourth monitor, 3 bullets
>>> left. What next?
>>>
>>> On Tue, Jul 12, 2011 at 2:21 PM, Eric Furman wrote:
>>>> Please don't. This whole thread has gotten really stupid.
>>>> Unless you have something funny to add, let's kill it now.
>>>>
>>>> On Tue, 12 Jul 2011 14:11 -0700, "Mehma Sarja" wrote:
>>>>> On 7/11/11 10:48 PM, Andres Perera wrote:
>>>>>> On Mon, Jul 11, 2011 at 11:43 PM, patrick keshishian wrote:
>>>>>>> you failed at making any point.
>>>>>> i'll rebrand it into convenient twitter format:
>>>>>>
>>>>>> debian splits packages to the point where a single service is a
>>>>>> associated to a single top level package, meaning that there's never a
>>>>>> reason for unused installed services
>>>>>>
>>>>>> openbsd limitations do not apply 1:1 to other systems unless they
>>>>>> happen to be openbsd. in the previous sentence, "openbsd" can be
>>>>>> replaced by any word
>>>>>>
>>>>> OK, I got the first paragraph but not the second. Could you please
>>>>> "rebrand" it so people like me can unnerstand? I just got off the boat.
>>>>> To be clear, which is my thing today, here is how I read the "openbsd
>>>>> limitations..." sentence: OpenBSD limitations apply only to OpenBSD. As
>>>>> my 4-year old would say, "Hello..." Your last sentence is equally
>>>>> baffling. I understand you may be mad at some responders, but the lack
>>>>> of clarity makes us haze over your argument and take the topic off on a
>>>>> tangent that you do not like. And that makes you mad, it is a Type A
>>>>> thing - we understand.
>>>>>
>>>>> Simple, clear sentences sting the most.
>>>>>
>>>>> Mehma




Re: apache ssl behind nat problems

2011-07-11 Thread Paul Suh
On Jul 11, 2011, at 5:57 PM, Jacob L. Leifman wrote:

> Environment:
> - OpenBSD 4.9, stock (base) apache with self-signed certificate
> - behind a SOHO NAT router (with relevant in-bound redirects)
>
> Problem: non-local SSL connections never complete the handshake
> (verified while monitoring the interface with tcpdump, see below)
>
> During troubleshooting I was able to eliminate a few suspects:
> - Regular un-encrypted HTTP (port 80) works every time;
> - https:// from the same LAN (i.e. no NAT) always works;
> - SSH always works (whether local or remote);
> - PF seems to have no bearing -- no difference in behavior whether
> enabled, enabled with "pass in quick" for the remote test host, or even
> altogether disabled.
>
> Unfortunately, I cannot eliminate the NAT device and need to find a way
> to work with it.

*snip*

Jacob,

A few things to try:

1) Try a non-OpenBSD server on the inside, just to see if the problem is
specific to OpenBSD or occurs with other server types.

2) Try using

openssl s_client -connect hostname:443

from the outside and see what kind of error message you get back.

3) Try connecting from the outside using wget or curl and see what kind of
error message you get back.

FWIW, I'm guessing that the problem is at the router. The packet trace is
showing a TCP SYN coming from the client, followed correctly by a SYN-ACK
going back from the server. The client should send an ACK packet back, but
instead it waits several seconds (i.e., timeout) then sends another TCP SYN,
which would be what happens when the client does not receive the SYN-ACK from
the server. Can you get a packet trace from the outside interface of the
router?

Hope this helps.


--Paul

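The handshake reasoning in the reply above (SYN seen, SYN-ACK sent, then a SYN retransmit instead of the client's ACK) can be checked mechanically over a tcpdump capture taken on the server. The script below is an added example and is not from the thread; the tcpdump-style lines, addresses and ports are constructed for illustration.

```python
import re
from collections import OrderedDict

# Shape of a tcpdump(8) TCP line: "HH:MM:SS.usec IP src.port > dst.port: Flags [..], ..."
LINE_RE = re.compile(
    r'^(?P<ts>\d+:\d+:\d+\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]'
)

# Constructed sample capture, as if taken on the server's interface (192.0.2.5).
# Flow A reproduces the symptom from the thread: SYN, SYN-ACK, silence, then the
# client retransmits its SYN three seconds later. Flow B is a healthy handshake.
# Flow C never gets a SYN-ACK at all (the server side is not answering).
SAMPLE_TRACE = """\
12:00:00.000100 IP 203.0.113.10.51234 > 192.0.2.5.443: Flags [S], seq 1000, win 65535, length 0
12:00:00.000300 IP 192.0.2.5.443 > 203.0.113.10.51234: Flags [S.], seq 5000, ack 1001, win 16384, length 0
12:00:01.000100 IP 192.168.1.20.40000 > 192.0.2.5.443: Flags [S], seq 2000, win 65535, length 0
12:00:01.000200 IP 192.0.2.5.443 > 192.168.1.20.40000: Flags [S.], seq 6000, ack 2001, win 16384, length 0
12:00:01.000300 IP 192.168.1.20.40000 > 192.0.2.5.443: Flags [.], ack 6001, win 65535, length 0
12:00:02.000100 IP 198.51.100.7.33000 > 192.0.2.5.8443: Flags [S], seq 3000, win 65535, length 0
12:00:03.000200 IP 203.0.113.10.51234 > 192.0.2.5.443: Flags [S], seq 1000, win 65535, length 0
12:00:03.000400 IP 192.0.2.5.443 > 203.0.113.10.51234: Flags [S.], seq 5000, ack 1001, win 16384, length 0
"""


def parse_line(line):
    """Return (seconds_since_midnight, src, dst, flags) for a tcpdump TCP line, else None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    hh, mm, ss = m.group('ts').split(':')
    seconds = int(hh) * 3600 + int(mm) * 60 + float(ss)
    return seconds, m.group('src'), m.group('dst'), m.group('flags')


def analyze_handshakes(trace_text):
    """Classify every client->server flow in a capture by how far its handshake got.

    Returns an ordered dict keyed by (client, server) whose values are one of:
      'completed'                  the client's bare ACK was seen
      'synack-not-reaching-client' SYN-ACK went out, client retransmitted SYN instead of ACKing
      'no-synack-from-server'      only SYNs were seen
      'pending'                    SYN-ACK went out, nothing further captured yet
    """
    flows = OrderedDict()

    def flow(key):
        return flows.setdefault(key, {'syn': [], 'synack': None, 'ack': None})

    for line in trace_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dst, flags = parsed
        if flags == 'S':            # bare SYN: the initiator is src
            flow((src, dst))['syn'].append(ts)
        elif flags == 'S.':         # SYN-ACK comes from the server, so reverse the tuple
            f = flow((dst, src))
            if f['synack'] is None:
                f['synack'] = ts
        elif flags == '.':          # first bare ACK from the initiator completes the handshake
            key = (src, dst)
            if key in flows and flows[key]['ack'] is None:
                flows[key]['ack'] = ts

    verdicts = OrderedDict()
    for key, f in flows.items():
        if f['ack'] is not None:
            verdicts[key] = 'completed'
        elif f['synack'] is None:
            verdicts[key] = 'no-synack-from-server'
        elif any(t > f['synack'] for t in f['syn']):
            # A SYN retransmitted *after* the SYN-ACK left the server means the
            # client never saw the SYN-ACK: the loss is on the return path, which
            # in the thread points at the NAT router rather than at httpd.
            verdicts[key] = 'synack-not-reaching-client'
        else:
            verdicts[key] = 'pending'
    return verdicts


if __name__ == '__main__':
    for (client, server), verdict in analyze_handshakes(SAMPLE_TRACE).items():
        print(f'{client} -> {server}: {verdict}')
```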



Re: isakmpd and INVALID_COOKIE

2011-07-09 Thread Paul Suh
Hmm.. sounds like this might be a candidate for -STABLE?


--Paul


On Jul 8, 2011, at 10:09 AM, Stuart Henderson wrote:

> On 2011-07-08, Tony Sarendal  wrote:
>>>> If you're running isakmpd from 4.8 or 4.9 with IKE you want to pull
>>>> up src/sbin/isakmpd/dh.c to r1.14 otherwise you will certainly
>>>> see problems from time to time.
>>> 
>> 
>> Is this a cosmetic thing or does it affect connectivity ?
> 
> dh.c r1.14 affects stability. Between 4.7 and 4.8 isakmpd switched
> from internal to openssl DH; an openssl function wasn't padding with
> leading 0's where it was expected that they would, so there was junk
> at the end of the key, causing key mismatches.




Re: How does OpenBSD compare to Ubuntu Server?

2011-07-09 Thread Paul Suh
On Jul 9, 2011, at 11:34 AM, Nico Kadel-Garcia wrote:

> On Thu, Jul 7, 2011 at 1:45 PM, Alexander Schrijver
>  wrote:
>>> For starters, there is 100% consensus among developers that we'll never
>>> use newfangled overengineered stuff like System V init.
>>> 
>> 
>> You mean Upstart!
>> 
>> or wait
>> 
>> You mean systemd!
> 
> Or the oddness that is daemontools!!
> 

Hey, wait for me -- launchd from the Mac! :-)




Re: Anyone know of an smtp-proxy (or other mechanism) for routing mail to different IMAP servers depending recipient address?

2011-07-07 Thread Paul Suh
On Jul 7, 2011, at 1:42 PM, IT Guy wrote:

> Hi all,
>
> I'm in the process of migrating our company from a certain proprietary mail system to a new OpenBSD mailserver (IMAP + Postfix).
>
> I'd like to be able to migrate our users one at a time rather than do the whole company in one fell swoop.
>
> Does anyone know of a good/easy way to conditionally route incoming mail based on the envelope recipient address?
> (Basically I want migrated users to start getting their mail from the new box, while the other users continue to connect to the old server)


Dre,

One way to do this would be to use the Postfix re-write rules to divert
certain addresses to the full hostname. All mail needs to go to the new mail
server first, then be relayed on to the old server using the relay_domains
parameter. Make sure that this relay works and that the new server is not
accepting mail for the @example.com domain first.

Then, put something like this in /etc/postfix/aliases for each user that you
want to have moved over to the new server:

john@example.com:   john@newmailserver.example.com

This should transparently get Postfix to deliver the mail locally. As you
migrate people, add their addresses to the aliases file.

The Postfix docs might help.

<http://www.postfix.org/aliases.5.html>
<http://www.postfix.org/ADDRESS_REWRITING_README.html#aliases>
<http://www.postfix.org/postconf.5.html#relay_domains>

You might also want to try asking on a Postfix-oriented mailing list.

Hope this helps.


--Paul



Paul Suh http://www.ps-enable.com/
paul@ps-enable.com   (240) 672-4212




Re: Is your switch a single point of failure?

2011-07-06 Thread Paul Suh
Sam,

On Jul 6, 2011, at 3:31 AM, Sam Vaughan wrote:

> I should be able to avoid the need for a switch on the upstream side by
> getting the ISP to provide me with two links from the rack router, one for
> each firewall board.  These links would be CARP'd to share one external static
> IP.

I'd be really careful about this. The rack router may not expect to see the
same IP address move between ports, and act funny if it does. Most CARP/pfsync
setups put a switch in between the upstream router and the two boxes for this
reason. Check with your service provider -- they may just be giving you two
drops to a switch, in which case you have other single points of failure in
your system already.

> My question relates to the third port on each board, making up the CARP'd
> internal interface on the DMZ side.  How can I avoid plugging these two ports
> straight into the same switch, thereby adding a really obvious single point of
> failure to the entire setup?

While you can use a pair of switches to do switch-level failover, it gets
*expensive*. Nortel has the SMLT, DSMLT, and RSMLT protocols. Cisco has
something sort of similar with their Virtual Switching System technology.



Given the relatively high reliability of switches as well as the costs
involved, most people don't bother.

Of course, if you have the kind of budget that will support things like
this... :-)

Hope this helps.


--Paul




Re: Can one interface have an IP address and bridge as well?

2011-06-22 Thread Paul Suh
Folks,

I could add another physical interface for the internal end of the bridge, but
not for the external end. Would this work?


--Paul


On Jun 22, 2011, at 6:56 AM, Stuart Henderson wrote:

> Seconded, or alternatively can you add another interface (physical
> or vlan) to place the server on?
>
> It might be possible to do bridging and nat on the same interface
> (possibly using bridge rules and PF tags) but at best you're setting
> yourself up for a complicated and fragile ruleset.
>
> On 2011-06-22, Shane Lazarus  wrote:
>> Heya
>>
>> On Wed, Jun 22, 2011 at 12:13 PM, Paul Suh  wrote:
>>
>>> Folks,
>>>
>>> Is this possible and/or a good idea? I have a router with three interfaces:
>>>
>>> sis0: external interface, IPv4 address 1.2.3.4/24
>>> sis1: internal interface, IPv4 address 192.168.1.1/24
>>> sis2: DMZ interface, IPv4 address 192.168.2.1/24
>>>
>>> NAT rules pass all traffic from the internal and DMZ zones through the
>>> external IP address. I have a couple of servers with IPv4 addresses
>>> 192.168.2.2 and 192.168.2.3 in the DMZ, with rdr-to rules that send traffic in
>>> to them from 1.2.3.4.
>>>
>>> I need to place a server at 1.2.3.5, and the software I have to run needs the
>>> server itself to have the IPv4 address 1.2.3.5 -- I can't NAT it and give the
>>> server the address 192.168.2.4 in the DMZ. (Don't ask. *shudder*) Can I set up
>>> a bridge between sis0 and sis2 so that traffic for 1.2.3.5 gets passed through
>>> to the server via sis2 as well as having the IPv4 address 1.2.3.4 on sis0? Or
>>> is there a better way to do this?
>>>
>>>
>>> --Paul
>>>
>>>
>>>
>> I personally would check to see if you could get a /30 routed to 1.2.3.4.
>> 5.6.7.8 - 5.6.7.11
>>
>> Append one of the /30 to the sis2 interface, and the other to your new
>> server.
>>
>> If 1.2.3.4 & 1.2.3.5 are part of a bigger block that you own, see if you
>> can't allocate a /30 from that larger pool.
>> ( 1.2.3.8 - 1.2.3.11 ?? )
>>
>>
>> Shane




Can one interface have an IP address and bridge as well?

2011-06-21 Thread Paul Suh
Folks,

Is this possible and/or a good idea? I have a router with three interfaces:

sis0: external interface, IPv4 address 1.2.3.4/24
sis1: internal interface, IPv4 address 192.168.1.1/24
sis2: DMZ interface, IPv4 address 192.168.2.1/24

NAT rules pass all traffic from the internal and DMZ zones through the
external IP address. I have a couple of servers with IPv4 addresses
192.168.2.2 and 192.168.2.3 in the DMZ, with rdr-to rules that send traffic in
to them from 1.2.3.4.

I need to place a server at 1.2.3.5, and the software I have to run needs the
server itself to have the IPv4 address 1.2.3.5 -- I can't NAT it and give the
server the address 192.168.2.4 in the DMZ. (Don't ask. *shudder*) Can I set up
a bridge between sis0 and sis2 so that traffic for 1.2.3.5 gets passed through
to the server via sis2 as well as having the IPv4 address 1.2.3.4 on sis0? Or
is there a better way to do this?


--Paul




Re: website down from here

2011-06-20 Thread Paul Suh
On Jun 21, 2011, at 12:37 AM, Samuel Baldwin wrote:

> 2011/6/21 patric conant :
>> $ ping www.openbsd.org
>> PING www.openbsd.org (142.244.12.42): 56 data bytes
>> --- www.openbsd.org ping statistics ---
>> 7 packets transmitted, 0 packets received, 100.0% packet loss
>> also cannot connect via browser.
> 
> http://www.downforeveryoneorjustme.com/www.openbsd.org
> 
> Simply "openbsd.org" works, however.

Man pages via CGI are down -- they have to go to www.openbsd.org. 


--Paul




Re: Hardware recommendation?

2011-06-20 Thread Paul Suh
Nick,

I'm getting about 40 Mbit/sec throughput with a Soekris Net4801, so the 5501
or 2d13 are both more than enough box for basic filtering. A lot depends on
how much content filtering you want to do. Some simple QoS and squid rules
won't place any serious load on it, but if you want to use something like
DansGuardian or SpamAssassin that dives deeper into the content you may want to
step up to the mini-ITX. (Note that spamd is much lighter on resources than
either of these.) It also depends on what kinds of traffic you get from your
home network -- if all 10 nodes tend to stream or torrent tons of stuff,
stepping up the hardware isn't a bad idea. Also, separating the filtering
hardware from the routing hardware isn't a bad idea either.

May I also point you to the flashrd system for these kinds of installations?
It makes in-place upgrades a lot easier.

http://www.nmedia.net/flashrd/

Hope this helps.


--Paul


On Jun 20, 2011, at 3:08 AM, Nick Hasser wrote:

> I want to replace my current firewall (Compaq DL360) with something smaller,
> quieter (preferably fanless), and less power-hungry. It is currently only
> NAT'ing my home network, which is about 10 clients. I have a 15Mbps/1Mbps
> cable internet connection, with D-Link Gigabit switches on the internal
> network. I want to add QoS and Squid with ad and content filtering to the
> replacement. I may want to add a dedicated network for wireless clients in the
> future.
>
> I'm looking at Soekris net5501, Alix2d13, or a mini-itx atom board. I'm sure
> the Atom would have enough CPU, but I don't know how much overkill it would
> be. Will the Soekris or Alix be enough CPU to add QoS and squid with ad and
> content filtering to a basic NAT box?
>
> I'm familiar with PXE installations, so no worries there for installing on
> either the Soekris or Alix boards.
>
> Have a great day!
> Nick




Re: Flag to move isakmpd default keys dir?

2011-06-14 Thread Paul Suh
On Jun 7, 2011, at 11:29 AM, Rodolfo Gouveia wrote:

> On 06/05/2011 02:37 AM, Paul Suh wrote:
>> Folks,
>>
>> I've been working with the flashrd system for booting from compact flash
>> media, and ran across a case where I'd like to make some changes to isakmpd,
>> but before I do so I'm not sure that it's a good idea.
>>
>> The location for certificates, CA's, private keys, etc. is hard-coded in
>> /usr/src/sbin/isakmpd/conf.h and conf.c to be /etc/isakmpd/. I'd like to be
>
> I thought you could change those in isakmpd.conf:
> # Certificates stored in PEM format
> [X509-certificates]
> CA-directory=   /etc/isakmpd/ca/
> Cert-directory= /etc/isakmpd/certs/
> CRL-directory=  /etc/isakmpd/crls/
> Private-key=/etc/isakmpd/private/local.key
> I took the above from the isakmpd.conf(5).

Rodolfo,

Thanks for the input, but the lockout to /etc/isakmpd actually happens in the
code -- see my reply to Stuart Henderson's post. Changing the values in
isakmpd.conf won't do anything.

Also, I'm not using isakmpd.conf -- I'm using ipsec.conf and running "isakmpd
-K" so that I can use ipsecctl. This is a lot simpler than isakmpd.conf and is
(I believe) the preferred way to do IPSec these days.


--Paul




Re: Flag to move isakmpd default keys dir?

2011-06-14 Thread Paul Suh
On Jun 5, 2011, at 2:42 PM, Stuart Henderson wrote:

> On 2011/06/05 13:09, Paul Suh wrote:
>> Stuart,
>>
>> I tried using a symlink, but isakmpd didn't seem to like it.
>
> For the file or the whole directory?
> It seems to work with /etc/isakmpd -> /somewhere/else.

Stuart,

Sorry about the delay but my day job has been busy. When I try to move the
isakmpd directory and make it a symlink, I get a series of errors that look
like:

> Jun 14 16:27:25 redoubt isakmpd[24833]: exchange_run: doi->initiator (0x88ecda80) failed
> Jun 14 16:29:34 redoubt isakmpd[19190]: m_priv_getfd: illegal path "/etc/isakmpd/private//71.163.154.173"
> Jun 14 16:29:34 redoubt isakmpd[24833]: ike_auth_get_key: failed opening "/etc/isakmpd/private//71.163.154.173"
> Jun 14 16:29:34 redoubt isakmpd[19190]: m_priv_getfd: illegal path "/etc/isakmpd/private/local.key"
> Jun 14 16:29:34 redoubt isakmpd[24833]: ike_auth_get_key: failed opening "/etc/isakmpd/private/local.key"
> Jun 14 16:29:34 redoubt isakmpd[24833]: rsa_sig_encode_hash: could not get private key
> Jun 14 16:29:34 redoubt isakmpd[24833]: exchange_run: doi->initiator (0x88ecd580) failed

It looks to me like the check happens in monitor.c, in m_priv_getfd(), which
calls m_priv_local_sanitize_path():

> /* Check that path/mode is permitted.  */
> static int
> m_priv_local_sanitize_path(char *path, size_t pmax, int flags)
> {
>         char new_path[PATH_MAX], var_run[PATH_MAX];
>
>         /*
>          * We only permit paths starting with
>          *  /etc/isakmpd/   (read only)
>          *  /var/run/       (rw)
>          */

...

>         if (strncmp(ISAKMPD_ROOT, new_path, strlen(ISAKMPD_ROOT)) == 0 &&
>             (flags & O_ACCMODE) == O_RDONLY)
>                 return 0;
>
> bad_path:
>         return 1;
> }
>

So it's going to take a patch to the code. That said, to go back to my
original question, can anyone tell me why this would be implemented in such a
fashion that forces isakmpd to have its true directory in /etc/isakmpd? I can
understand why there would be a runtime check against ISAKMPD_ROOT, but what
if I want to move ISAKMPD_ROOT to somewhere else specified by a runtime flag
(but still fixed in place)? Does that have any negative security implications?

Thanks in advance to anyone who has any insights.


--Paul

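As an added example from the editor, not code from OpenBSD's monitor.c: the C below models the allow-list the quoted m_priv_local_sanitize_path() enforces when the privileged monitor opens a file on behalf of the unprivileged isakmpd process, and shows why a symlinked /etc/isakmpd produces the "illegal path" errors above. It assumes the elided middle of the excerpt canonicalizes the path with realpath(3) before the prefix compare (which the new_path buffer suggests), so the resolver is pluggable and the symlink is simulated with a constructed resolver rather than a real one; sanitize_path() runs the same check against the live filesystem with realpath itself.

```c
/* Added example, not OpenBSD's monitor.c: models the allow-list the quoted
 * m_priv_local_sanitize_path() enforces for the privileged monitor. Assumes the
 * excerpt's elided middle canonicalizes with realpath(3) before the compare. */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ISAKMPD_ROOT "/etc/isakmpd/"
#define VAR_RUN      "/var/run/"

/* Same contract as realpath(3): canonical path into out[PATH_MAX], returns
 * out on success or NULL on failure. realpath itself satisfies this type. */
typedef char *(*resolver_fn)(const char *path, char *out);

/* Constructed resolver for a host with no symlink in play: the path is its own
 * canonical form. Demo only; realpath() would also reject a missing file. */
static char *resolve_plain(const char *path, char *out)
{
	if (strlen(path) >= PATH_MAX)
		return NULL;
	strcpy(out, path);
	return out;
}

/* Constructed resolver simulating "/etc/isakmpd -> /flash/isakmpd": this is
 * what realpath() returns once the directory is moved and symlinked back. */
static char *resolve_symlinked_root(const char *path, char *out)
{
	if (strncmp(path, ISAKMPD_ROOT, strlen(ISAKMPD_ROOT)) != 0)
		return resolve_plain(path, out);
	if (snprintf(out, PATH_MAX, "/flash/isakmpd/%s",
	    path + strlen(ISAKMPD_ROOT)) >= PATH_MAX)
		return NULL;
	return out;
}

/* 0 if the monitor may open `path` with `flags`, 1 otherwise. The compare runs
 * on the resolved path, so the allow-list names real directories and the
 * unprivileged half cannot steer the monitor elsewhere through a symlink. */
int sanitize_path_with(const char *path, int flags, resolver_fn resolve)
{
	char new_path[PATH_MAX];
	if (resolve(path, new_path) == NULL)
		return 1;
	if (strncmp(VAR_RUN, new_path, strlen(VAR_RUN)) == 0)
		return 0;		/* /var/run/: read-write permitted */
	if (strncmp(ISAKMPD_ROOT, new_path, strlen(ISAKMPD_ROOT)) == 0 &&
	    (flags & O_ACCMODE) == O_RDONLY)
		return 0;		/* /etc/isakmpd/: read-only permitted */
	return 1;
}

int sanitize_path(const char *path, int flags)
{
	return sanitize_path_with(path, flags, realpath);
}
```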



Re: Flag to move isakmpd default keys dir?

2011-06-05 Thread Paul Suh
Stuart,

I tried using a symlink, but isakmpd didn't seem to like it.


--Paul


On Jun 5, 2011, at 7:00 AM, Stuart Henderson wrote:

> Can't you just use symlinks?
>
> On 2011-06-05, Paul Suh  wrote:
>> Folks,
>>
>> I've been working with the flashrd system for booting from compact flash
>> media, and ran across a case where I'd like to make some changes to isakmpd,
>> but before I do so I'm not sure that it's a good idea.
>>
>> The location for certificates, CA's, private keys, etc. is hard-coded in
>> /usr/src/sbin/isakmpd/conf.h and conf.c to be /etc/isakmpd/. I'd like to be
>> able to set a flag on isakmpd at launch time that it should read the
>> information from a different path, such as /flash/isakmpd, so that such
>> system-specific information can be more easily preserved across upgrades of
>> the base system. However, since this is getting into crypto and security
>> territory, I'm not sure that it's a good idea to allow this path to be
>> changed.
>>
>> I'm fairly certain that this is innocuous, but opinions, anyone, before I
>> start hacking?




Flag to move isakmpd default keys dir?

2011-06-04 Thread Paul Suh
Folks,

I've been working with the flashrd system for booting from compact flash
media, and ran across a case where I'd like to make some changes to isakmpd,
but before I do so I'm not sure that it's a good idea.

The location for certificates, CA's, private keys, etc. is hard-coded in
/usr/src/sbin/isakmpd/conf.h and conf.c to be /etc/isakmpd/. I'd like to be
able to set a flag on isakmpd at launch time that it should read the
information from a different path, such as /flash/isakmpd, so that such
system-specific information can be more easily preserved across upgrades of
the base system. However, since this is getting into crypto and security
territory, I'm not sure that it's a good idea to allow this path to be
changed.

I'm fairly certain that this is innocuous, but opinions, anyone, before I
start hacking?


--Paul




Asymmetric load balancing?

2011-04-09 Thread Paul Suh
Folks,

I've been looking at the pf FAQ and there are instructions for symmetric load
balancing for outgoing traffic. Is there a way to do *asymmetric* load
balancing? E.g., I have a 20 Mbps FIOS line and a 6 Mbps ADSL line. I'd like
to either (A) send all outgoing traffic up to 20 Mbps through the FIOS link,
then send any overflow to the ADSL line, or (B) set the pf load balancing so
that it favors the FIOS link over the ADSL link by a 10:3 ratio.

Is there a pf config that does this, or do I need to get hacking?


--Paul


Paul Suh http://www.ps-enable.com/
paul@ps-enable.com   (240) 672-4212




Re: ipsec packets don't show up at destination enc0 interface

2011-02-02 Thread Paul Suh
That seems to have fixed it, thanks!


--Paul


On Feb 2, 2011, at 5:12 AM, Otto Moerbeek wrote:

> On Wed, Feb 02, 2011 at 03:05:49AM -0500, Paul Suh wrote:
>
>> Folks,
>>
>> I'm running 4.8-stable on one end and 4.5-stable at the other of a
>> site-to-site IPSec VPN tunnel. (I'm trying to make sure that things are
>> working before upgrading the 4.5-stable end.) The tunnel is configured using
>> ipsec.conf and ipsecctl, and the relevant portions of the configs are:
>
> http://www.openbsd.org/faq/upgrade47.html#hmac-sha2
>
>   -Otto
>
>>
>> 4.8 side
>> --
>> ike esp from $internal_subnet \
>>to $outpost_subnet \
>>local $fios_tunnel_host \
>>peer $outpost_tunnel_host
>>
>> 4.5 side
>> --
>> ike passive esp from $local_network to $remote_network peer
>> $remote_gateway_ip
>>
>> The flows and SAs that come up are:
>>
>> 4.8 side
>> --
>> FLOWS:
>> flow esp in from 192.168.140.0/24 to 192.168.137.0/24 peer 64.237.99.79 srcid
>> 71.163.154.173/32 dstid 64.237.99.79/32 type use
>> flow esp out from 192.168.137.0/24 to 192.168.140.0/24 peer 64.237.99.79 srcid
>> 71.163.154.173/32 dstid 64.237.99.79/32 type require
>>
>> SAD:
>> esp tunnel from 71.163.154.173 to 64.237.99.79 spi 0x0b2168ad auth
>> hmac-sha2-256 enc aes
>> esp tunnel from 64.237.99.79 to 71.163.154.173 spi 0x2d0b auth
>> hmac-sha2-256 enc aes
>>
>> 4.5 side
>> --
>> FLOWS:
>> flow esp in from 192.168.137.0/24 to 192.168.140.0/24 peer 71.163.154.173
>> srcid 64.237.99.79/32 dstid 71.163.154.173/32 type use
>> flow esp out from 192.168.140.0/24 to 192.168.137.0/24 peer 71.163.154.173
>> srcid 64.237.99.79/32 dstid 71.163.154.173/32 type require
>>
>> SAD:
>> esp tunnel from 71.163.154.173 to 64.237.99.79 spi 0x0b2168ad auth
>> hmac-sha2-256 enc aes
>> esp tunnel from 64.237.99.79 to 71.163.154.173 spi 0x2d0b auth
>> hmac-sha2-256 enc aes
>>
>> Relevant pf rules are:
>>
>> 4.8 side
>> --
>> pass in quick on sis1 inet proto udp from 64.237.99.79 to 71.163.154.173 port
>> = isakmp keep state
>> pass in quick on sis1 inet proto esp from 64.237.99.79 to 71.163.154.173 keep
>> state
>> pass out quick on sis1 inet proto udp from 71.163.154.173 to 64.237.99.79 port
>> = isakmp keep state
>> pass out quick on sis1 inet proto esp from 71.163.154.173 to 64.237.99.79 keep
>> state
>>
>> 4.5 side
>> --
>> pass log quick on enc0
>> pass in quick on $ext_if proto udp from 71.163.154.173 to 64.237.99.79 port
>> 500
>> pass out quick on $ext_if proto udp from 64.237.99.79 to 71.163.154.173 port
>> 500
>> pass in quick on $ext_if proto udp from 71.163.154.173 to 64.237.99.79 port
>> 4500
>> pass out quick on $ext_if proto udp from 64.237.99.79 to 71.163.154.173 port
>> 4500
>> pass in quick on $ext_if proto esp from 71.163.154.173 to 64.237.99.79
>> pass out quick on $ext_if proto esp from 64.237.99.79 to 71.163.154.173
>>
>>
>> The security associations come up just fine, and I can see packets going into
>> the tunnel at the 4.8 end on enc0, and I can see the packets going out over
>> ESP to the destination, but they never show up on enc0 at the 4.5 end. What's
>> really frustrating is that
>>
>>  a) other tunnels to Sonicwall devices work just fine from the 4.8 side
>>
>>  b) I am upgrading the device that is now 4.8 from a 4.5 installation, and the
>> tunnel worked just fine before.
>>
>> Any ideas on what might be happening or how to further troubleshoot this?
>>
>>
>>
>> --Paul
>>




ipsec packets don't show up at destination enc0 interface

2011-02-02 Thread Paul Suh
Folks,

I'm running 4.8-stable on one end and 4.5-stable at the other of a
site-to-site IPSec VPN tunnel. (I'm trying to make sure that things are
working before upgrading the 4.5-stable end.) The tunnel is configured using
ipsec.conf and ipsecctl, and the relevant portions of the configs are:

4.8 side
--
ike esp from $internal_subnet \
to $outpost_subnet \
local $fios_tunnel_host \
peer $outpost_tunnel_host

4.5 side
--
ike passive esp from $local_network to $remote_network peer
$remote_gateway_ip

The flows and SAs that come up are:

4.8 side
--
FLOWS:
flow esp in from 192.168.140.0/24 to 192.168.137.0/24 peer 64.237.99.79 srcid
71.163.154.173/32 dstid 64.237.99.79/32 type use
flow esp out from 192.168.137.0/24 to 192.168.140.0/24 peer 64.237.99.79 srcid
71.163.154.173/32 dstid 64.237.99.79/32 type require

SAD:
esp tunnel from 71.163.154.173 to 64.237.99.79 spi 0x0b2168ad auth
hmac-sha2-256 enc aes
esp tunnel from 64.237.99.79 to 71.163.154.173 spi 0x2d0b auth
hmac-sha2-256 enc aes

4.5 side
--
FLOWS:
flow esp in from 192.168.137.0/24 to 192.168.140.0/24 peer 71.163.154.173
srcid 64.237.99.79/32 dstid 71.163.154.173/32 type use
flow esp out from 192.168.140.0/24 to 192.168.137.0/24 peer 71.163.154.173
srcid 64.237.99.79/32 dstid 71.163.154.173/32 type require

SAD:
esp tunnel from 71.163.154.173 to 64.237.99.79 spi 0x0b2168ad auth
hmac-sha2-256 enc aes
esp tunnel from 64.237.99.79 to 71.163.154.173 spi 0x2d0b auth
hmac-sha2-256 enc aes

Relevant pf rules are:

4.8 side
--
pass in quick on sis1 inet proto udp from 64.237.99.79 to 71.163.154.173 port
= isakmp keep state
pass in quick on sis1 inet proto esp from 64.237.99.79 to 71.163.154.173 keep
state
pass out quick on sis1 inet proto udp from 71.163.154.173 to 64.237.99.79 port
= isakmp keep state
pass out quick on sis1 inet proto esp from 71.163.154.173 to 64.237.99.79 keep
state

4.5 side
--
pass log quick on enc0
pass in quick on $ext_if proto udp from 71.163.154.173 to 64.237.99.79 port
500
pass out quick on $ext_if proto udp from 64.237.99.79 to 71.163.154.173 port
500
pass in quick on $ext_if proto udp from 71.163.154.173 to 64.237.99.79 port
4500
pass out quick on $ext_if proto udp from 64.237.99.79 to 71.163.154.173 port
4500
pass in quick on $ext_if proto esp from 71.163.154.173 to 64.237.99.79
pass out quick on $ext_if proto esp from 64.237.99.79 to 71.163.154.173


The security associations come up just fine, and I can see packets going into
the tunnel at the 4.8 end on enc0, and I can see the packets going out over
ESP to the destination, but they never show up on enc0 at the 4.5 end. What's
really frustrating is that

a) other tunnels to Sonicwall devices work just fine from the 4.8 side

b) I am upgrading the device that is now 4.8 from a 4.5 installation, and the
tunnel worked just fine before.

Any ideas on what might be happening or how to further troubleshoot this?



--Paul
