Re: SSH "Honey Keys" Security
Don't. Generally, these things should be used to alert if an internal service has been compromised (akin to using Canary Tokens), and the key copied. It is, at best, a way to hear someone knocking.

On Wed, May 8, 2019 at 15:59 Stefan R. Filipek wrote:
> There's a blog post going around that has an interesting use of SSH authorized_keys restrict + command: https://kulinacs.com/ssh-honey-keys/
>
> If you don't want to follow the link, it basically uses the well-documented authorized_keys feature to restrict a login for an ssh key to invoking a single binary which logs the access attempt:
>
>     restrict,command="/usr/local/bin/honeypot_logger" ssh-rsa 1C8...32Tv== honeypot_...@example.com
>
> Without devolving into an argument about the efficacy of honey keys or honey pots in general, I'm wondering if this is truly safe from a security perspective to run on a regular server (not a dedicated honey pot). Is there anything that an attacker can control that 'restrict' does not cover, assuming the targeted command is a shell script? Perhaps with a malicious SSH client as well? By the man page, 'restrict' turns on all restrictions available to the authorized_keys configuration, but it's not clear if that is really sufficient for this attack scenario.
>
> Apologies if you feel this is off-topic for the mailing list, but there's no general OpenSSH discussion list anymore listed on the openssh site.
>
> -Stefan
>
> --
> Semt form my Apqle iPhnoe 4s and gMal Mobble.
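As an added example (not code from the thread or from the linked blog post), here is a forced-command logger of the kind the quoted authorized_keys line invokes, written for the "hear someone knocking" use: it records which key was used, where from and what was asked for, refuses the session, and treats the attacker-influenced SSH_ORIGINAL_COMMAND and SSH_CONNECTION strictly as data. The install path /usr/local/bin/honeypot_logger is the one in the post; the key-label argument and the use of logger(1) are assumptions.

```shell
#!/bin/sh
# Added example; not the thread's or the blog post's code. Assumed install
# path: /usr/local/bin/honeypot_logger (from the post). Assumed tools:
# logger(1), tr(1), cut(1), all in the base system on OpenBSD and Linux.
#
# Even with restrict,command="..." OpenSSH hands the client's requested
# command to the forced command in SSH_ORIGINAL_COMMAND and the peer
# address in SSH_CONNECTION. Both are attacker-influenced, so nothing from
# them is ever evaluated; they are sanitized and then written to syslog.

# Label for the key that fired; pass it as the single argument in the
# authorized_keys line, e.g. command="/usr/local/bin/honeypot_logger backup-key".
KEY_LABEL=${1:-unlabelled}

# Replace every non-printable byte (newline, tab, ESC, ...) with '?' and cap
# the length, so a hostile "command" cannot inject fake log records or
# terminal escapes into whatever reads the log later.
sanitize() {
    printf '%s' "$1" | LC_ALL=C tr -c '[:print:]' '?' | cut -c1-512
}

# Build the single log record from the environment. Split out as a function
# so it can be exercised without an SSH session.
honey_log_line() {
    conn=$(sanitize "${SSH_CONNECTION:-unknown}")
    cmd=$(sanitize "${SSH_ORIGINAL_COMMAND:-<none>}")
    printf 'honeykey: key=%s conn="%s" cmd="%s"' "$1" "$conn" "$cmd"
}

main() {
    # auth.warning is a reasonable facility/priority for "a key that must
    # never be used was used"; route it to an alerting pipeline from there.
    logger -p auth.warning -t honeykey -- "$(honey_log_line "$KEY_LABEL")"
    # Never succeed: the client gets no shell and no output, just exit 1.
    exit 1
}

# Only act when invoked under the installed name, so the functions above can
# be sourced or tested without firing a log entry.
case "$0" in
    */honeypot_logger|honeypot_logger) main ;;
esac
```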
Re: SSH extremely quickly dropped from T-Mobile phone hotspot
You can also just set client keepalives. Set TCPKeepAlive in ~/.ssh/config. This has solved a bunch of random timeout problems due to carrier NAT or similar.

On Sat, Sep 15, 2018 at 15:36 Constantine A. Murenin wrote:
> On 15 September 2018 at 09:50, Chris Bennett <cpb_m...@bennettconstruction.us> wrote:
>
> > I am using my phone's hotspot, which may or may not be secure, but is not censoring my choice of sites to visit. Public WiFi in the USA does so all over the place. Worse, when I lived in Washington State, I was next to a Naval Air Station, which certainly eavesdrops, not OK, but this is the land of the free? Now I am living in the Capital of Texas, Austin which also leaves public WiFi under the same problems (legislature meets here).
> >
> > I cannot maintain an SSH connection unattended long enough to go to the bathroom and get a cup of coffee without the connection being dropped halfway through reading my email.
> >
> > Is autossh the right choice or is there a better way? The flow of data seems to be the problem. A static page disconnects.
> >
> > Thanks,
> > Chris Bennett
>
> I also have T-Mobile US, and I cannot reproduce your problem.
>
> In fact, because my laptop gets a public IPv6 address from T-Mobile US — a standard feature in Android 7.1.1, where you get at least a whole /64 from the carrier — I can put it to sleep, disable AndroidAP, go get coffee, lunch, dinner, or attend a meetup, or all of the above, come back home, turn AndroidAP back on, turn my laptop on, and my vanilla ssh connection will come back to life after a single keystroke (provided the phone was never turned off and didn't itself lose network connectivity, e.g., still has the same /64 assigned to itself).
>
> I did have to configure my laptop to `sysctl -w net.inet6.ip6.prefer_tempaddr=0`, and also make sure I'm not running something that'd be constantly refreshing the screen of the terminal I'm accessing through ssh, e.g., you definitely do have to disconnect tmux with the timestamp before you attempt this, and doing socks proxying would obviously interfere with it as well if any connections remain open when you attempt to turn things off like that, and — voilà, problem solved.
>
> So, my suggestion — move to IPv6 for the killer features, and stop worrying about the disconnects.
>
> But if you don't have a public IP address on your laptop and do get your internet through NAT/CGNAT and/or a stateful firewall, then you might have to play with `-oServerAliveInterval=480` or some such, as per http://mdoc.su/o/ssh_config.5, but, otherwise, this option is actually not only unnecessary, but is, in fact, harmful, as it may "detect" brief periods of connectivity loss that you don't necessarily care about.
>
> P.S. Another option, if you don't necessarily care about scrolling, and/or already use tmux within your ssh, is to use http://ports.su/net/mosh. Personally, I prefer straight ssh through IPv6 to mosh, although sometimes it does cause me to use my AndroidAP even in venues where the public internet is available.
>
> Cheers,
> Constantine.SU.
Re: is what this guy is saying even anywhere close to reasonable, about ssh everywhere?
no.

Sent form my iFoe.

> On Jan 4, 2015, at 05:34, bofh wrote:
>
> https://medium.com/@shazow/ssh-how-does-it-even-9e43586e4ffc
>
> --
> http://www.glumbert.com/media/shift
> http://www.youtube.com/watch?v=tGvHNNOLnCk
> "This officer's men seem to follow him merely out of idle curiosity." -- Sandhurst officer cadet evaluation.
> "Securing an environment of Windows platforms from abuse - external or internal - is akin to trying to install sprinklers in a fireworks factory where smoking on the job is permitted." -- Gene Spafford
> learn french: http://www.youtube.com/watch?v=30v_g83VHK4
Re: maybe OT 10 year anniversary of Chuck Yerkes death
Man. Thanks for the reminder. +1

Sent form my iFoe.

> On Aug 27, 2014, at 16:21, Diana Eichert wrote:
>
> I don't think it's off topic but others might. I'm writing this post to remember Chuck Yerkes, a long time contributor to the misc@openbsd list. While riding his motorcycle 10 years ago Chuck was involved in an accident and passed away as a result of his injuries.
>
> http://web.archive.org/web/20041012235249/http://www.contracostatimes.com/mld/cctimes/news/9511974.htm
> http://marc.info/?l=openbsd-misc&m=109385676632581&w=2
> http://web.archive.org/web/20040901013204/http://www.adownie.net:/vqwiki/jsp/Wiki?ChuckStories
>
> Just wanted to remember you Chuck, take it easy wherever you are.
>
> diana
Re: new OpenSSL flaws
On Thu, Jun 5, 2014 at 5:09 PM, Giancarlo Razzolini wrote:
> On 05-06-2014 20:45, Eric Furman wrote:
>> I predict that within a year OpenSSL will go the way of IPF.
>> For much the same reason...
>>
> IPF? Care to elaborate?

Well, in 2001 there was this drama around Darren Reed's IPF, that caused it to be removed from OpenBSD's source code. This removal and license problem led directly to the development of OpenBSD's pf firewall by Daniel Hartmeier. And the rest, as they say, is history.
Re: Strange route entry from China
On Wed, May 14, 2014 at 12:40 AM, Kevin Lyda wrote:
>
> On 14 May 2014 08:20, "Johan Beisser" wrote:
>>
>> On Tue, May 13, 2014 at 11:57 PM, Otto Moerbeek wrote:
>> >
>> > On 14 May 2014 at 07:48, Johan Beisser wrote the following:
>> >
>> > There are more reasons dynamic route entries are created. For example to record results of mtu path discovery.
>>
>> That implies a successful TCP connection to the router itself, doesn't it?
>>
>
> Sure. But connecting to port 22 in order to fail to auth is a successful TCP connection.

Yes. Path MTU implies the connection is held open for larger packets than just during the handshake and SSH negotiation. Or am I misunderstanding when MTU is negotiated?
Re: Strange route entry from China
On Tue, May 13, 2014 at 11:57 PM, Otto Moerbeek wrote:
>
> On 14 May 2014 at 07:48, Johan Beisser wrote the following:
>
> There are more reasons dynamic route entries are created. For example to record results of mtu path discovery.

That implies a successful TCP connection to the router itself, doesn't it?
Re: Strange route entry from China
On Tue, May 13, 2014 at 10:31 PM, Johan Ryberg wrote:
> Yes, it's related to a SSH brute force attack.
>
> I have just never seen the "client" IP in the routing table before. My IP does not exist in the routing table when I SSH to the host.

The IP shouldn't be there, at all. But, according to the route flags ('D' in this case), it's in there due to a redirect.

> I have a hard time to understand the mechanism that added the IP to the table.
>
> Is this something that can be explained?

My assumption is there was an ICMP redirect that added the IP to your table. Check to see if you're accepting redirects. By default, OpenBSD has them as off.
Re: Strange route entry from China
> On May 13, 2014, at 18:47, Stuart McMurray wrote:
>
> And, 163data.com.cn is a large source of shady activity.

I blocked the bulk of China and Asia outright at the router. Quick solution, if not clean.
Re: Multihoming with carp possible? and ipsec failover?
On Tue, May 13, 2014 at 4:58 AM, Magnus wrote:
> Hello Misc-Users,
>
> I'm looking in to the possibility to do multihoming (more than one isp) on a Carp setup. To do live failover if one isp goes down, the other takes over. Just as carp does if one of the routers goes down.

You can do this with OpenBGPd, but CARP can only fail out between two routers sharing the same IP (at its most basic setup, more complicated setups are possible, obviously). If both ISPs are routing to the same netblock, then you can fail in the way you want. Otherwise, take a look at ifstated(8), and modify your routing tables or do dynamic routing.

> I'm thinking that in combination with ifstated it might be possible, but have yet to find someone that has actually done it so far.

A solution I've used in the past is a controlled endpoint that represents the exit for the network. The ISPs acted as pure transit for the external network, the VPN carried to a common end point(s).

> Next issue if the first one is possible.
>
> The proposed router in question is a IPSEC gateway, with several nodes connected to it. Fail over here with just the carp and one isp is no issue. But if the remote node has only one isp, and it has no carp or such, it's just a plain obsd box running a site-to-site tunnel, routing everything (0.0.0.0/0) over the tunnel. How would one manage to do a failover to the second isp of the above box, without loss of the tunnel during fail over.

Take a look at sasyncd(8).
Re: where are translated web-pages?
On Thu, Apr 17, 2014 at 3:18 PM, Alex Naumov wrote:
> Thank you for link, but... why? I mean, we are not going to continue work on translation anymore? Reason?

Read this thread on the topic from earlier this month.

http://marc.info/?t=13965139876&r=1&w=2
Re: where are translated web-pages?
http://marc.info/?l=openbsd-cvs&m=139637003025491&w=2

You did.

On Thu, Apr 17, 2014 at 3:08 PM, Alex Naumov wrote:
> Hello,
>
> I just want to ask about "not English" (translated) pages. I can't find these. Also translation.html and steelix are not available. Did I miss something?
>
> Thank you,
> Alex
Re: Where can I find a list of error codes in smtpd?
I feel like a bit of a jackass for the response.

Check smtpd/smtp_session.c

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/smtpd/smtp_session.c?rev=1.192

On Thu, Jan 30, 2014 at 7:41 AM, Johan Beisser wrote:
> http://www.faqs.org/rfcs/rfc821.html (1982)
>
> Section 4.2.1.
>
> https://www.ietf.org/rfc/rfc2821.txt (2001)
>
> Section 4.2.1 defines the groups, and 4.2.2.x defines specific codes.
>
> https://www.rfc-editor.org/rfc/rfc2487.txt (1999)
>
> Secure SMTP over TLS.
>
>
> On Thu, Jan 30, 2014 at 3:19 AM, STeve Andre' wrote:
>> So far, I'm not finding them. I'm interested in learning more about "150 IO error" and "442 i/o error 5", but a general list of them would be good. I know I'm missing something...
>>
>> Thanks, STeve Andre'
Re: Where can I find a list of error codes in smtpd?
http://www.faqs.org/rfcs/rfc821.html (1982)

Section 4.2.1.

https://www.ietf.org/rfc/rfc2821.txt (2001)

Section 4.2.1 defines the groups, and 4.2.2.x defines specific codes.

https://www.rfc-editor.org/rfc/rfc2487.txt (1999)

Secure SMTP over TLS.

On Thu, Jan 30, 2014 at 3:19 AM, STeve Andre' wrote:
> So far, I'm not finding them. I'm interested in learning more about "150 IO error" and "442 i/o error 5", but a general list of them would be good. I know I'm missing something...
>
> Thanks, STeve Andre'
Re: Is Soekris OpenBSD friendly?
On Fri, Nov 15, 2013 at 9:00 PM, jordon wrote:
> A few years back I put m0n0wall (FreeBSD-based) on it, hooked it up to 2 machines (1 WAN, 1 LAN) and pushed a file through it. Its max bandwidth was well under my Internet connection speed.
>
> It was replaced with a net5501.

It's not below mine. I can saturate it, but my inbound is still well below what the hardware can handle. I'll upgrade eventually.
Re: Is Soekris OpenBSD friendly?
I'm not sure what you mean by "too slow to route." I've a net4501 with 64MB of RAM that's handling all of my IP traffic at home. Biggest problem is swapping taking out available interrupts. Modern networks are actually just too fast for the hardware these days. It works fine for home stuff.

On Fri, Nov 15, 2013 at 5:39 PM, jordon wrote:
> I have an old net4511 running 5.4. It's too old/slow to route but it's too fun to not have running because how many other OSes can run on a 486 100MHz with 32MB RAM?
>
> On Nov 15, 2013, at 6:03 PM, SmithS wrote:
>
>> Greetings misc@. After coming across a link[1] to make an OpenBSD router using a "Soekris" device, I think I will make one. Does anyone else have this hardware and can verify all the components work? I think Intel NICs are good, but everything else? I have never heard of this brand before so I want to be safe before buying. The model number[2] is "6501-30"
>>
>> [1] http://www.bsdnow.tv/tutorials/openbsd-router
>> [2] https://soekris.com/products/net6501/net6501-30-board-case.html
>>
>> greetz,
>> SmithS
Re: why icmp timestamping is enabled by default ?
> On Oct 21, 2013, at 2:57, Henning Brauer wrote:
>
> * Илья Шипицин [2013-10-11 04:52]:
>> I was just curious why that timestamping is enabled by default.
>
> 'cause there is no reason to disable it.
>
> why is tcp enabled by default?

Everyone knows that TCP, like IP, and the Internet is just a passing fad.
Re: new queueing subsystem
On Wed, Oct 16, 2013 at 11:04 AM, Norman Golisz wrote:
> On Wed Oct 16 2013 08:54, Johan Beisser wrote:
>> Or can I still just do very basic priority queueing in 5.5?
>
> See pf.conf(5), 'set prio'. This doesn't even require you to define queues, etc.

Right. I guess if I want to define multiple queues for matching traffic, I need to either redo the filter rules to use tagging*, or simply do it per outbound bit of traffic. The change is a pretty powerful one.

*
    match on FOO inet proto tcp from BAR to BAZ port {X,Y} tag PRIO_Z
    [...]
    pass out on egress tagged PRIO_X set prio 4
    pass out on egress tagged PRIO_Z set prio (3, 7)
Re: new queueing subsystem
> On Oct 16, 2013, at 8:05, Otto Moerbeek wrote:
> This will not be in 5.4, it will be in 5.5. If you see shortcomings in the docs explain in more detail.

I just read the QUEUEING section in the man page. Seems fairly clear to me, and in some ways more clear. One thing I'd like to see is a suggestion for how to figure out your actual bandwidth, to better define the queues.

For example, I've got a 10Mbit outbound link, and three priority queues. The only reason I define a total bandwidth is that "altq" requires it, so I've set it at 9.5Mbit. With the move to HFSC, do I have to break down major queues, and the children? Or can I still just do very basic priority queueing in 5.5?
Re: DNS Proxy
Use the -D option in ssh(1) and the SOCKS proxy will do lookups through the tunnel. Make sure you use version 5 (OpenSSH supports 4 and 5).

On Sun, Sep 15, 2013 at 12:42 PM, Joel Wirāmu Pauling wrote:
> Also given dns is a user of UDP by default you need to use some other tunnel mechanism other than ssh.
>
> -Joel
>
>
> Johan Beisser wrote:
>>
>> DNS proxy uses less bandwidth on your end.
>>
>> There are a dozen DNS proxy services out there for media, they all work on the same basic principle.
>>
>> On Sun, Sep 15, 2013 at 4:55 AM, Monah Baki wrote:
>>>
>>> Hi all,
>>>
>>> I'm running OpenBSD 5.2 with squid for a friend who owns an ISP outside the U.S and uses my OpenBSD squid proxy to access netflix. I've been told this can be also accomplished via DNS Proxy. Is it true?
>>>
>>> If yes which one do you recommend?
>>>
>>> Thanks
>
> --
> Sent from my Android phone with K-9 Mail. Please excuse my brevity.
Re: DNS Proxy
DNS proxy uses less bandwidth on your end.

There are a dozen DNS proxy services out there for media, they all work on the same basic principle.

On Sun, Sep 15, 2013 at 4:55 AM, Monah Baki wrote:
> Hi all,
>
> I'm running OpenBSD 5.2 with squid for a friend who owns an ISP outside the U.S and uses my OpenBSD squid proxy to access netflix. I've been told this can be also accomplished via DNS Proxy. Is it true?
>
> If yes which one do you recommend?
>
> Thanks
Re: OpenBSD pxe automated install
On Tue, Aug 13, 2013 at 9:48 AM, Marian Hettwer wrote:
> Hi Loic,
>
> On 13.08.13 15:43, Loïc Blot wrote:
>
>> Hello Marian,
>> i think you are right, because bsd.rd is required for last chance to repair system, among others.
>
> right. And I'd like to leave it untouched. This hopefully also increases the possibility that whatever we come up with might get added upstream... ;)

There's nothing preventing you from building your own installer within the RAMDISK kernel. I've done it in the past to handle some personalized extensions.

> I agree that the most pressing point is automatic network configuration in order to be able to download additional configs, like disk config, package config, ...

It's doable within the base tools, if you assemble things correctly. No reason to not have this stuff off of NFS or TFTP to pull in the config.

> PS.: personal opinion: I like FAI (www.fai.org) much more than debian's preseed.cfg... check it out ;)

http://fai-project.org/ is the correct URL. I've had some interesting problems with FAI in the past. Once it's working, it's quite wonderful.
Re: OpenBSD pxe automated install
Please read the FAQ entry I sent you, pay close attention to install.site and upgrade.site. Both of those are scripts that are executed by the installer. Fully automatic installs have been done, usually by modifying the installer script or root's .profile.

Basically: automatic, unattended installation of openbsd is possible, but you have to build the glue for it.

Sent form my iFoe.

On Aug 12, 2013, at 12:52, Loïc BLOT wrote:
> Hello,
> thanks for your reply Johan, but this is not what I want. site.tgz contains a set of preconfigured files to deploy with other sets to deploy similar machines.
>
> My need is to install a clean OpenBSD with an automated means: the server boots in PXE and installs OpenBSD, configures network, hostname, disk, installs sets by network and reboots without any human intervention. After, the server can use siteXX.tgz, yes, but this is not the main problem here
>
> --
> Best regards,
> Loïc BLOT,
> UNIX systems, security and network expert
> http://www.unix-experience.fr
>
>
> On Monday, 12 August 2013 at 12:09 -0700, Johan Beisser wrote:
>> read the FAQ, Loic.
>>
>> http://openbsd.org/faq/faq4.html#site
>>
>> Site*.tgz, install.site and upgrade.site are a good starting point.
>>
>> On Mon, Aug 12, 2013 at 11:59 AM, Loïc BLOT wrote:
>>> Hello @misc.
>>>
>>> Today I'm working on automated deploy with PXE. I have successfully found and made automated PXE install on Debian with pxelinux.
>>>
>>> I know OpenBSD has a pxe boot image to netinstall the system http://www.cyberciti.biz/faq/openbsd-boot-install-using-pxe-preboot-execution-environment/
>>>
>>> Is there any option to automate the installation? I want a machine to boot on bsd.rd, read a configuration file (url passed by etc/boot.conf, for example) and install with the read parameters. Is there any issue to do this or do I do it myself?
>>>
>>> Thanks in advance
>>> --
>>> Best regards,
>>> Loïc BLOT,
>>> UNIX systems, security and network expert
>>> http://www.unix-experience.fr
Re: OpenBSD pxe automated install
read the FAQ, Loic.

http://openbsd.org/faq/faq4.html#site

Site*.tgz, install.site and upgrade.site are a good starting point.

On Mon, Aug 12, 2013 at 11:59 AM, Loïc BLOT wrote:
> Hello @misc.
>
> Today I'm working on automated deploy with PXE. I have successfully found and made automated PXE install on Debian with pxelinux.
>
> I know OpenBSD has a pxe boot image to netinstall the system http://www.cyberciti.biz/faq/openbsd-boot-install-using-pxe-preboot-execution-environment/
>
> Is there any option to automate the installation? I want a machine to boot on bsd.rd, read a configuration file (url passed by etc/boot.conf, for example) and install with the read parameters. Is there any issue to do this or do I do it myself?
>
> Thanks in advance
> --
> Best regards,
> Loïc BLOT,
> UNIX systems, security and network expert
> http://www.unix-experience.fr
Re: new topic: blind support for OpenBSD.
On Jul 6, 2013, at 21:53, Nick Holland wrote:
>
> Feel free to take this off list with me if you prefer.
>

I kind of hope you keep this on list, actually. While I'm not affected by the problem, I'm interested in the problem and solutions.
Re: Fuse on OpenBSD
On Jul 3, 2013, at 20:23, Brad Smith wrote:
> On 03/07/13 11:07 PM, openda...@hushmail.com wrote:
>> Why do we need FUSE anyway?
>
> To be able to utilize FUSE based filesystems.
>

Fuse is a terrible hack. But, a useful one that solves all kinds of problems.

Sent form my iFoe.
Re: rtsol with IPv6 forwarding turned on
On Tue, May 14, 2013 at 3:13 PM, Stuart Henderson wrote:
> On 2013-05-14, Mattias Lindgren wrote:
>> Hello,
>>
>> I'm using a OpenBSD 5.3 (release) machine as my router connecting to Comcast. Comcast provides native IPv6 access, however it does so a little bit differently than what is probably best practice. I use wide-dhcpv6-20080615p2 from ports to get an address on my outside interface, as well as a prefix which gets assigned to my inside interface. However, the default route is announced via Route Advertisements.
>
> That is pretty common practice for ISPs doing IPv6 (see RFC 6204), but OpenBSD doesn't support it at present.

I tried to use the DHCPv6 client but found it didn't quite work right (no assigned IP to the interface). Rtsold gets the prefix and gateway just fine, but Comcast assigns a /64 prefix to my firewall. But, the DHCPv6 server won't actually issue me a V6 IP (as of yet..)

I've assigned an arbitrary IPv6 address to my firewall, and it can reach out over Comcast's network with no problem. I started to look at setting up an internal local network before getting distracted by paying work.

>> However since I would also like for my router to forward IPv6 packets, I'm not sure of how to make it work. Rtsol states that net.inet6.ip6.forwarding=0. I've tried running rtsol with forwarding set to 1, but it complains and does not grab a default route. The other option would be to manually set the v6 default route, but I'd prefer to not have to do that. Does anyone know of a workaround for this issue?
>
> Manually setting the route is the only current workaround afaik.

I might give that a shot. The RA (at least the one near me) gives a link local advert (fe80::) with a /64 prefix.

> FreeBSD turned accept_rtadv into a per-interface flag which can be set (only) on the "upstream" interface so you can continue to send adv's on the "downstream" interfaces.

That seems to be a good solution, but not necessarily the "right" one.
Re: NFS cluestick needed
Back in the day I'd abuse lndir(1) to link to the nfs mounted source directory.

http://www.openbsd.org/cgi-bin/man.cgi?query=lndir&sektion=1

Sent form my iFoe.

On Mar 31, 2013, at 7:48, David Higgs wrote:
> In trying to avoid multiple copies of OpenBSD source on my VMs, I am trying to use NFS; however, permissions don't seem to be working right. I would very much appreciate help in figuring out what I'm doing wrong, and am also interested in tips on how to compile from read-only source trees.
>
> Thanks in advance,
>
> --david
>
> SERVER VM
>
> [vm@vm ~]$ dmesg | head
> OpenBSD 5.2 (GENERIC) #2: Mon Nov 5 10:42:07 EST 2012
>     root@vm.localdomain:/usr/src/sys/arch/i386/compile/GENERIC
> cpu0: Intel(R) Core(TM)2 Duo CPU T7700 @ 2.40GHz ("GenuineIntel" 686-class) 2.45 GHz
> cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,NXE,LONG,SSE3,SSSE3,CX16,LAHF
> real mem = 267907072 (255MB)
> avail mem = 252665856 (240MB)
> mainbus0 at root
> bios0 at mainbus0: AT/286+ BIOS, date 09/20/12, BIOS32 rev. 0 @ 0xfd780, SMBIOS rev. 2.4 @ 0xe0010 (364 entries)
> bios0: vendor Phoenix Technologies LTD version "6.00" date 09/20/2012
> bios0: VMware, Inc. VMware Virtual Platform
>
> [vm@vm ~]$ cat /etc/exports
> # $OpenBSD: exports,v 1.2 2002/05/31 08:15:44 pjanzen Exp $
> #
> # NFS exports Database
> # See exports(5) for more information. Be very careful: misconfiguration
> # of this file can result in your filesystems being readable by the world.
> /usr/src /usr/ports /usr/xenocara -maproot=root:wheel -network=172.16.223.0 -mask=255.255.255.0
>
> [vm@vm ~]$ showmount -a
> All mount points on localhost:
> 172.16.223.129:/usr/ports
> 172.16.223.129:/usr/src
> 172.16.223.129:/usr/xenocara
>
> CLIENT VM
>
> # dmesg | head
> OpenBSD 5.2-stable (GENERIC) #2: Wed Dec 26 12:19:49 EST 2012
>     root@vm.localdomain:/usr/src/sys/arch/amd64/compile/GENERIC
> real mem = 267321344 (254MB)
> avail mem = 237985792 (226MB)
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xe0010 (364 entries)
> bios0: vendor Phoenix Technologies LTD version "6.00" date 09/20/2012
> bios0: VMware, Inc. VMware Virtual Platform
> acpi0 at bios0: rev 2
> acpi0: sleep states S0 S1 S4 S5
>
> # mount
> /dev/wd0a on / type ffs (local, softdep)
> /dev/wd0f on /home type ffs (local, noatime, nodev, nosuid, softdep)
> /dev/wd0d on /tmp type ffs (local, nodev, nosuid, softdep)
> /dev/wd0g on /usr type ffs (local, noatime, nodev, softdep)
> /dev/wd0e on /var type ffs (local, nodev, nosuid, softdep)
> 172.16.223.128:/usr/src on /usr/src type nfs (noatime, nodev, noexec, nosuid, v3, udp, timeo=100, retrans=101)
> 172.16.223.128:/usr/ports on /usr/ports type nfs (noatime, nodev, noexec, nosuid, v3, udp, timeo=100, retrans=101)
> 172.16.223.128:/usr/xenocara on /usr/xenocara type nfs (noatime, nodev, noexec, nosuid, v3, udp, timeo=100, retrans=101)
>
> # id
> uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
>
> # ls -la /usr/src/sys/arch/amd64/compile/
> total 16
> drwxr-xr-x 3 root wheel 512 Feb 27 2009 .
> drwxr-xr-x 10 root wheel 512 Nov 29 2010 ..
> -rw-r--r-- 1 root wheel 38 Jun 25 2004 .cvsignore
> drwxr-xr-x 2 root wheel 512 Mar 30 16:37 CVS
>
> # mkdir /usr/src/sys/arch/amd64/compile/GENERIC
> mkdir: /usr/src/sys/arch/amd64/compile/GENERIC: Permission denied
Re: npppd not communicating in 5.2
I had a problem with tun interfaces and npppd. Try the pppx interface instead.

Sent form my iFoe.

On Mar 5, 2013, at 13:35, Jason Markowitz wrote:
> Hello,
>
> I'm receiving the following errors when attempting to establish a vpn session via l2tp, the ipsec side works fine and phase 1 authenticates perfectly, I don't see pf blocking anything in pf log (egress wide open, inbound is set to block in log all, with holes opened for the appropriate ports for vpn and ssh)
>
> 2013-03-05 16:26:10:NOTICE: Starting npppd pid=5729 version=5.0.0
> 2013-03-05 16:26:10:NOTICE: Load configuration from='/etc/npppd/npppd.conf' successfully.
> 2013-03-05 16:26:10:WARNING: write() failed in in_route0 on RTM_ADD : File exists
> 2013-03-05 16:26:10:INFO: tun0 Started ip4addr=10.101.0.1
> 2013-03-05 16:26:10:INFO: Listening /var/run/npppd_ctl (npppd_ctl)
> 2013-03-05 16:26:10:INFO: Added 2 routes for new pool addresses
> 2013-03-05 16:26:10:INFO: Loading pool config successfully.
> 2013-03-05 16:26:10:INFO: realm name=local(local) Loaded users from='/etc/npppd/npppd-users.csv' successfully. 1 users
> 2013-03-05 16:26:10:INFO: l2tpd Listening 0.0.0.0:1701/udp (L2TP LNS) [L2TP]
> 2013-03-05 16:26:10:INFO: l2tpd Listening [::]:1701/udp (L2TP LNS) [L2TP]
> 2013-03-05 16:26:10:INFO: tun0 is using ipcp=default(1 pools).
> 2013-03-05 16:26:19:NOTICE: l2tpd ctrl=1 logtype=Started RecvSCCRQ from=x.x.x.247:65028/udp tunnel_id=1/15 protocol=1.0 winsize=4 hostname=Jasons-MacBook-Air.local vendor=(no vendorname) firm=
> 2013-03-05 16:26:19:INFO: l2tpd ctrl=1 SendSCCRP
> 2013-03-05 16:26:21:NOTICE: l2tpd ctrl=2 logtype=Started RecvSCCRQ from=x.x.x.252.247:65028/udp tunnel_id=2/15 protocol=1.0 winsize=4 hostname=Jasons-MacBook-Air.local vendor=(no vendorname) firm=
> 2013-03-05 16:26:21:INFO: l2tpd ctrl=2 SendSCCRP
> 2013-03-05 16:26:25:NOTICE: l2tpd ctrl=3 logtype=Started RecvSCCRQ from=x.x.x..247:65028/udp tunnel_id=3/15 protocol=1.0 winsize=4 hostname=Jasons-MacBook-Air.local vendor=(no vendorname) firm=
> 2013-03-05 16:26:25:INFO: l2tpd ctrl=3 SendSCCRP
> 2013-03-05 16:26:29:NOTICE: l2tpd ctrl=4 logtype=Started RecvSCCRQ from=x.x.x.247:65028/udp tunnel_id=4/15 protocol=1.0 winsize=4 hostname=Jasons-MacBook-Air.local vendor=(no vendorname) firm=
> 2013-03-05 16:26:29:INFO: l2tpd ctrl=4 SendSCCRP
> 2013-03-05 16:26:31:NOTICE: l2tpd ctrl=1 timeout waiting ack for ctrl packets.
> 2013-03-05 16:26:31:NOTICE: l2tpd ctrl=1 logtype=Finished
> 2013-03-05 16:26:33:NOTICE: l2tpd ctrl=5 logtype=Started RecvSCCRQ from=xx.x.x.247:65028/udp tunnel_id=5/15 protocol=1.0 winsize=4 hostname=Jasons-MacBook-Air.local vendor=(no vendorname) firm=
> 2013-03-05 16:26:33:INFO: l2tpd ctrl=5 SendSCCRP
> 2013-03-05 16:26:33:NOTICE: l2tpd ctrl=2 timeout waiting ack for ctrl packets.
> 2013-03-05 16:26:33:NOTICE: l2tpd ctrl=2 logtype=Finished
> 2013-03-05 16:26:37:NOTICE: l2tpd ctrl=6 logtype=Started RecvSCCRQ from=xxx.x.x.247:65028/udp tunnel_id=6/15 protocol=1.0 winsize=4 hostname=Jasons-MacBook-Air.local vendor=(no vendorname) firm=
> 2013-03-05 16:26:37:INFO: l2tpd ctrl=6 SendSCCRP
> 2013-03-05 16:26:37:NOTICE: l2tpd ctrl=3 timeout waiting ack for ctrl packets.
> 2013-03-05 16:26:37:NOTICE: l2tpd ctrl=3 logtype=Finished
> 2013-03-05 16:26:41:NOTICE: l2tpd ctrl=4 timeout waiting ack for ctrl packets.
> 2013-03-05 16:26:41:NOTICE: l2tpd ctrl=4 logtype=Finished
>
> npppd.conf:
>
> interface_list: tun0
> interface.tun0.ip4addr: 10.101.0.1
>
> # IP Address Pool
> pool.dyna_pool: 10.101.0.0/25
> pool.pool: 10.101.0.128/25
>
> # local file auth
> auth.local.realm_list: local
> auth.local.realm.acctlist: /etc/npppd/npppd-users.csv
> realm.local.concentrate: tun0
>
> lcp.mru:1400
> lcp.timeout:18
> auth.method:mschapv2
> # auth.method: mschapv2 chap pap
> ipcp.assign_fixed: true
> ipcp.assign_userselect:true
>
> pptpd.enabled: false
> pptpd.ip4_allow:0.0.0.0/0
> #pptpd.listener_in: PPTP 192.168.0.1
>
> # L2TP daemon
> l2tpd.enabled: true
> l2tpd.ip4_allow:0.0.0.0/0
> #l2tpd.listener_in: L2TP 10.101.0.1
> l2tpd.purge_ipsec_sa: false
> l2tpd.require_ipsec:true
> l2tpd.accept_dialin:true
>
> pipex.enabled: true
>
> Any Thoughts? System is amd64 running 5.2
Re: Microsoft VPN PPTP
On Thu, Jan 31, 2013 at 4:06 PM, Aaron Mason wrote:
> If you can, change to a different type of VPN. Not because of the storm, but because PPTP has been broken security-wise. Good results have been achieved with OpenVPN.

I'm having remarkable success with npppd(8) and L2TP. I'm using it with MacOS and iOS clients, no problems. I'll be testing with Linux ones later this week (including Android, etc). Outside of the tun(4) bug that bit me, it's been rock solid.
Re: CARP best practices
On Wed, Jan 30, 2013 at 2:03 PM, Jiri B wrote: > On Wed, Jan 30, 2013 at 09:29:42AM -0800, Johan Beisser wrote: >> Don't monitor SSH on the CARP address. > > Doesn't it depend on the purpose of this SSH service? > If it is to manage individual boxes, then sshd should not listen > on CARP ip address. Maybe. Or, perhaps you have a pool of servers that are essentially identical, and the failover service runs over SSH. In that case, having identical host keys would clear up that specific error. But, if a host fails out of the pool, you may not know right away. > If it is authentication for external users like authpf, > file uploads, I would create another sshd instance which would > flow between boxes sharing same key, still keeping individual > sshd for each box. We were doing this for a file upload cluster, > though that was not OpenBSD but the issue about the key and "virtual" > ip is the same. Yes. I covered that in a later email. But, that's defined by the function you're trying to use. The original complaint was "I'm sshing in to the CARP address, and the host keys keep changing making SSH throw an error." Like any doctor who gets a complaint of "it hurts when I do this!", the first answer is "well, don't do that." Until you get more information, and can actually help the person out.
Re: CARP best practices
On Wed, Jan 30, 2013 at 9:44 AM, System Administrator wrote: > On 30 Jan 2013 at 9:29, Johan Beisser wrote: > >> > While testing the failover and trying to ssh to a carp address I got >> > hit with the server key mismatch; hence this email. What is considered >> > best practice wrt ssh keys in a carp cluster -- install the same keys >> > on all member nodes to avoid the alerts or just live with the >> > occasional mismatch? >> >> Don't monitor SSH on the CARP address. > > Sorry, I'm not following you Do you need to be able to ssh in to the firewall(s) via the CARP addresses? If the answer is yes, share the host keys between them. Or set up a redirect for the CARP addresses that goes to an alternate sshd port from port 22. Which uses the same host keys between the systems.
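The second option in that reply, a separate sshd for the CARP address presenting one shared host key behind a port redirect, written out as an added configuration example (mine, not from the thread). The file names, port 2222, the account name, the interface name and the RFC 5737 address 192.0.2.1 are assumptions; the per-host sshd on port 22 keeps its own unique keys.

```conf
# /etc/ssh/sshd_config.carp  (identical on every node; assumed file name)
# Second sshd, reachable only through the pf redirect below, presenting a
# host key that is the same on all nodes so a failover never changes it.
Port 2222
ListenAddress 127.0.0.1
HostKey /etc/ssh/ssh_host_carp_rsa_key
PidFile /var/run/sshd.carp.pid
PermitRootLogin no
PasswordAuthentication no
AllowUsers failover

# Generate the shared key once, on one node only:
#   ssh-keygen -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_carp_rsa_key
# and push it with rdist, which the original poster already uses (Distfile):
#   HOSTS = ( fw2 )
#   FILES = ( /etc/ssh/ssh_host_carp_rsa_key /etc/ssh/ssh_host_carp_rsa_key.pub )
#   ${FILES} -> ${HOSTS}
#           install ;

# /etc/pf.conf excerpt: SSH to the CARP address lands on the shared-key
# instance; SSH to a node's own address still reaches its per-host sshd.
int_if  = "em1"
carp_ip = "192.0.2.1"
pass in on $int_if proto tcp to $carp_ip port 22 rdr-to 127.0.0.1 port 2222
pass in on $int_if proto tcp to ($int_if) port 22

# /etc/rc.local: start the second instance next to the normal one
/usr/sbin/sshd -f /etc/ssh/sshd_config.carp
```

Check it by connecting to 192.0.2.1 before and after forcing a failover: the fingerprint your client records for the CARP address must not change, while fw1 and fw2 keep their own. The shared key is a shared secret, so a compromise of either node lets an attacker impersonate the cluster's SSH endpoint; that is why this instance is locked to one account and keys only, and why the per-host keys are not the ones being copied around.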
Re: CARP best practices
On Wed, Jan 30, 2013 at 8:56 AM, System Administrator wrote: > I finally got to deploy a CARP firewall cluster (HA failover for now). > Using only the official OpenBSD.org documentation, everything went very > smoothly even though the setup is not quite trivial (14 carp addresses > on 6 active interfaces). I even got system replication going using > rdist(1). > > While testing the failover and trying to ssh to a carp address I got > hit with the server key mismatch; hence this email. What is considered > best practice wrt ssh keys in a carp cluster -- install the same keys > on all member nodes to avoid the alerts or just live with the > occasional mismatch? Don't monitor SSH on the CARP address.
Re: Android mobile - OpenBSD IPSEC
Are you using just ipsec, or L2TP? On Wed, Jan 23, 2013 at 11:48 PM, Jan Lambertz wrote: > Hi, > > Running OpenBSD 5.2 AMD64 release as homeserver. > Got Android 2.3 Samsung Mobile. > Want to connect via vpn IPSEC. > Config: > ike passive esp tunnel from any to any \ > main auth hmac-sha1 enc des \ > quick auth hmac-sha1 enc des \ > srcid dstid (tested different things here without effect) \ > psk "test123" > > > Also changed any to any to more concise settings, without effect. > local ip and peer any didn't help, too. > > > Jan 24 08:41:37 puffy isakmpd[10830]: attribute_unacceptable: > ENCRYPTION_ALGORITHM: got 3DES_CBC, expected DES_CBC > Jan 24 08:41:37 puffy isakmpd[10830]: attribute_unacceptable: > ENCRYPTION_ALGORITHM: got 3DES_CBC, expected DES_CBC > Jan 24 08:41:38 puffy isakmpd[10830]: responder_recv_HASH_SA_NONCE: peer > proposed invalid phase 2 IDs: initiator id 10.166.112.90, responder id > 178.26.160.62 > Jan 24 08:41:38 puffy isakmpd[10830]: dropped message from 89.204.138.90 > port 51210 due to notification type INVALID_ID_INFORMATION > Jan 24 08:41:50 puffy isakmpd[10830]: responder_recv_HASH_SA_NONCE: peer > proposed invalid phase 2 IDs: initiator id 10.166.112.90, responder id > 178.26.160.62 > Jan 24 08:41:50 puffy isakmpd[10830]: dropped message from 89.204.138.90 > port 51210 due to notification type INVALID_ID_INFORMATION > Jan 24 08:41:58 puffy isakmpd[10830]: responder_recv_HASH_SA_NONCE: peer > proposed invalid phase 2 IDs: initiator id 10.166.112.90, responder id > 178.26.160.62 > Jan 24 08:41:58 puffy isakmpd[10830]: dropped message from 89.204.138.90 > port 51210 due to notification type INVALID_ID_INFORMATION > > > 89.204.138.90 seems to be the mobile > 10.166.112.90 ?? what's this ? > > btw. I'm using the standard vpn client built in android. before I can > connect I have to enter a username / pw (not psk). is ipsec about username > / pw stuff ? could find it anywhere in the manuals. > > > thanks
Re: Still possible to get OpenBSD onto Soekris net5501 via qemu install to flashcard?.
I just upgrade in place via bsd.rd on my net4501. Guess I could do the other methods as well. Sent form my iFoe. On Jan 14, 2013, at 10:59, Nick Holland wrote: > On 01/14/2013 10:15 AM, Sarah Caswell wrote: >> Hi all, >> >> I'm having a frustrating problem getting OpenBSD-current (or >> snapshot) to run on my Soekris net5501. >> >> With previous versions of OBSD I was able to use qemu to install to a >> compact flashcard directly, by connecting the flashcard to my laptop >> and then starting qemu like so: >> >> sudo qemu -hda /dev/sd0i -cdrom install52.iso -boot d (and many >> variations of this command mostly pertaining to the /dev/sd0 >> section) > > funny definition of "directly". > ... >> P.S.: I know there are other ways to get OpenBSD running on a >> Soekris but I've always liked the utter simplicity of the qemu-based >> install. > > using an emulator = simple? > If you don't understand the tools well enough to troubleshoot the problem, I > really don't believe your assessment there. I don't know much about qemu, but > I see a problem in the command line. > > This is what *I* call simple: > Take your USB flash card reader to a free machine with a USB port. Put an > OpenBSD CD in it. Boot off CD. Install to CF device. Use DUIDs. Create a > /etc/hostname.vr0 (or whatever your soekris uses for its primary NIC), and do > other network configuration as needed. Put flash device in Soekris. Done. > "direct", "simple", bare minimum of extra tools. Machine doesn't even have > to be able to boot from the USB port, though you can't test it before > installing on soekris if it isn't. > > (variation: install bare minimum system on flash drive, move to Soekris, at > the boot> prompt, tell it bsd.rd and re-install exactly as you wish. If *I* > were doing that, I could do it from an installed OpenBSD machine of the same > platform without taking down the machine or booting from a CD. 
I'd call that > simple, but I understand some basic tools that we try to keep normal people > from having to use. The info for figuring out how to do that is all in the > OpenBSD FAQ, though not in recipe form.) > > Nick.
Re: PF filtering on MAC address
On Thu, Jan 10, 2013 at 6:54 PM, Erling Westenvik wrote: > Is it possible to have PF filter on MAC address on a machine with only > one physical nic? I'm aware that MAC filtering can only be done on a > machine configured as a bridge, but how to configure such a bridge? Add the single interface to the bridge. Tag the packets from a specific MAC. Filter the tag. > ---8<--- > # /etc/hostname.bridge0 > add bge0 > add > rule pass in on bge0 src f8:db:7f:4d:bb:10 tag WWW > rule pass in on bge0 src 00:08:02:85:6c:90 tag SSH > rule pass in on bge0 src 00:16:ea:b3:65:d0 tag SSH > --->8--- > > Regards, > > Erling
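The three steps in that reply as one complete configuration, added here and not taken from the thread. The interface, the MAC addresses and the tag names are the ones in Erling's hostname.bridge0; which ports each tag may reach is an assumption.

```conf
# /etc/hostname.bridge0: put the lone NIC in a bridge so bridge(4) rules see
# its frames, then tag by source MAC (Erling's addresses and tag names).
add bge0
rule pass in on bge0 src f8:db:7f:4d:bb:10 tag WWW
rule pass in on bge0 src 00:08:02:85:6c:90 tag SSH
rule pass in on bge0 src 00:16:ea:b3:65:d0 tag SSH
up

# /etc/pf.conf excerpt: the tag travels with the packet into pf, so filter
# on it. Frames from any other source MAC carry no tag and hit the block.
block in on bge0
pass in on bge0 proto tcp to port 22 tagged SSH
pass in on bge0 proto tcp to port { 80 443 } tagged WWW
pass out on bge0
```

Verify with `ifconfig bridge0 rules bge0` and `pfctl -vsr`, and log the block rule while testing so an untagged client shows up in pflog0. A source MAC is whatever the sender puts in the frame, so this keeps out the accidental and the lazy, not someone who has sniffed one allowed address: treat it as an allowlist in front of the real authentication, not as a replacement for it.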
Re: Running OpenBSD on Raspberry Pi
On Fri, Jan 4, 2013 at 4:41 PM, Aaron Mason wrote: > On Sat, Jan 5, 2013 at 7:58 AM, Dan Shechter wrote: >> You have all failed to mention that the ALIX devices come with Swiss >> chocolates in the package! >> > > I've ordered direct from PCEngines before and never got that. Perhaps you should ask more pleasantly.
Re: Running OpenBSD on Raspberry Pi
On Dec 30, 2012, at 8:31, pe...@bsdly.net (Peter N. M. Hansteen) wrote: > A case in point: one of the firewalls I maintain for old friends is a > Pentium III box with a whopping 512 MB of RAM, 8GB hard drive, you get > the idea. As in, seriously, you'll get better hardware for free or the > price of a bus ticket. 486DX2, 64mb of ram, 1gb of disk. It's my firewall at home. Has been reliably pushing packets since 2000.
Re: openbsd clusters
On Sat, Dec 22, 2012 at 7:43 PM, Nick Holland wrote: > On 12/22/12 07:54, Friedrich Locke wrote: > ... >> But for other services I don't have now what I could use. An example: I need >> a file system that must expand by adding more machines in the network in a >> simple way. > > in plain English: "I'm not thinking out the design carefully, so I'm > going to rely on fancy shit to haul my ass out of the fire when the > predictable (and not so predictable) happens. Yes and no. Yes, the design is important. No, I actually do have a need for linear storage that can be easily expanded upon. I could use a NetApp or similar setup, but then I can't throw more CPU at the other side of the problem: using the stored data. So the bigger problem isn't storage space (disk is cheap, after all), rather than being able to slice and dice the data that's stored on the system. Processing huge files is much easier when you have a dozen nodes to do it on. I fully agree that being able to later extract and migrate away from any storage solution is important. Along with that comes migration paths to new hardware, software, and simple failure recovery (bad disks, broken node, etc). Big data takes quite a bit of planning, but it's gotten much easier. Good thing I don't need to do this quickly...
Re: Unified BSD?
On Tue, Nov 13, 2012 at 2:45 AM, Ignatios Souvatzis wrote: > At least a sixth, IIRC. You left out MirBSD from your distribution list. > Also, you could argue that Minix, with its NetBSD compatibility, > is a seventh and MacOS-X, with its partially (Free-/Net-)BSD compatible > userland, an eighth. OS X has benefitted greatly from FreeBSD, with Apple hiring former FreeBSD core team members. And indirectly from OpenBSD as well, since modern versions of OS X, 10.7+, have pf. Cross pollination is a huge benefit to the BSD community.
Re: Unified BSD?
On Mon, Nov 12, 2012 at 5:14 PM, Greg 'groggy' Lehey wrote: > - Then DragonflyBSD split from FreeBSD. Mainly personality driven > AFAICT. Again, this doesn't imply any criticism of the founder of > the new project. There were some very valid technical reasons at the time as well, IMHO.
Re: Low latency High Frequency Trading
On Thu, Nov 8, 2012 at 9:58 AM, Ariel Burbaickij wrote: > If money is not a problem -- go buy high-trading on the chip solutions and > have sub-microsecond resolution. > > http://lmgtfy.com/?q=high+frequency+trading+FPGA I'd love to see PF offloading on to something like that. Not that I can justify the expense for my work, but it'd be useful.
Re: Low latency High Frequency Trading
On Thu, Nov 8, 2012 at 4:12 AM, Dan Shechter wrote: > Hi All, > > > A windows 2008 server is receiving TCP traffic from a stock exchange > and sends it, almost as is, using UDP multicast to automated high > frequancy traders. > > StockExchange --TCP---> windows2008 ---MCAST-UDP> > > On average, the time it take to do the TCP to UDP translation, using > winsock, is 240 micro seconds. It can even be as high as 60,000 micro > seconds. > > > > 1. Use port mirroring to get the TCP data sent to a dedicated OpenBSD > box with two NICs. One for the TCP, the other for the multicast UDP. You'll incur an extra penalty offloading to the kernel. Winsock is already doing that, though. > 2. Put the TCP port in a promiscuous mode. Why? You can just set up the right bits to listen to on the network, and pull raw frames to be processed. Or, just let the network stack behave as it should. > 3. Write my TCP->UDP logic directly into ether_input.c Any reason to not use pf for this translation? > > > Now for the questions: > 1. Am I on the right track? or in other words how crazy is my idea? Pretty crazy. You may want to see if there's hardware accelerated or on NIC TCP off-load options instead. > 2. What would be the latency? Can I achieve 50 microseconds between > getting the interrupt and until sending the new packet through the > NIC? See above. You'll end up having to do some tuning. > 3. Which NIC/CPU/Memory should I use? Money is not a problem. Custom order a few NICs, hire a developer to write a driver to offload TCP/UDP on the NIC, and enable as little kernel interference as possible. Money's not a problem, right?
Re: The little ssh that (sometimes) couldn't
On Oct 28, 2012, at 8:02, pe...@bsdly.net (Peter N. M. Hansteen) wrote: > I stumbled across this little gem of a blog post, I think this deserves > a wider audience, via my twitter feed: > http://mina.naguib.ca/blog/2012/10/22/the-little-ssh-that-sometimes-couldnt.html > > To be filed under "tcpdump is your friend" and I must say I admire their > perseverance in finding the root cause of the problem. Wow. That's a bit past perseverance and in to being obsessive. Fascinating read. Thank you. > "Remember to set the evil bit on all malicious network traffic" > delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds. Imagine if this had flipped the evil bit! How would we know if the packet was evil or not? Ugly.
Re: pfsense and or OpenBSD Home router.
On Tue, Sep 11, 2012 at 9:06 PM, Sean Kamath wrote: > I ended up buying direct from PC Engines for my alix 2d13's. Even though I'm > in the US, it was cheaper than netgate (where I bought a bunch of the exact > same thing for work). I ended up getting the red metal cases because they > were cheaper and in stock. ;-) > > And as far as I'm concerned, these little alix boards rock. Just to throw fuel on the fire, I've got a 10+ year old Soekris net4501 that still works as a home router. The onboard battery died, and the clock loses ticks quickly enough that I'm using rdate in cron to correct it. Outside of that, I found that npppd, when running l2tp for the system, can cause the kernel to hang so thoroughly only a power off can fix it. I'm still diagnosing it, but I'm assuming it's a problem with the CPU being overwhelmed with decrypting/encrypting traffic. Eventually, I'll catch the crash and get a backtrace on console (I've reenabled snapshot debugging and DDB to get this) for the devs. But, 10 years old and still running full network loads at home. I can't complain about the hardware. OpenBSD 5.2-current (GENERIC) #8: Tue Sep 4 02:16:50 MDT 2012 dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC cpu0: AMD Am486DX4 W/B or Am5x86 W/B 150 ("AuthenticAMD" 486-class) cpu0: FPU real mem = 66646016 (63MB) avail mem = 54689792 (52MB) mainbus0 at root bios0 at mainbus0: AT/286+ BIOS, date 20/50/27, BIOS32 rev. 0 @ 0xf7840 pcibios0 at bios0: rev 2.0 @ 0xf/0x1 [...] wdc0 at isa0 port 0x1f0/8 irq 14 wd0 at wdc0 channel 0 drive 0: wd0: 1-sector PIO, LBA48, 3815MB, 7813120 sectors wd0(wdc0:0:0): using BIOS timings
Re: vpn access for Macos, windows clients
On Aug 30, 2012, at 22:28, "Simon ALFRED" wrote: > > Thank you for this first reply. > So, the only way is to use OpenBSD-current with npppd, and there's no other way to do it ? I can't say there's no other way to do it. PPTP is an option, via PoPToP. I just found that npppd worked better for me, and that it was much improved by the snapshot.
Re: vpn access for Macos, windows clients
On Thu, Aug 30, 2012 at 12:05 PM, Simon ALFRED wrote: > Hi everyone, > > I have a firewall at work running OpenBSD 5.1-RELEASE > I need to make a vpn access for outside clients, they use MacOs 10.6 and > Windows XP/7. > I can't add third software on these clients. So I need a VPN Server on the > OpenBSD Gateway that can work natively with MacOS and Windows clients. I've had very good success with npppd's L2TP VPN on OpenBSD snapshots. Due to it not being linked, it's not built by default. With OpenBSD 5.1, I found an odd keepalive failure that prevented my tunnel from staying active for more than 10 minutes. I do have odd issues with my old-as-dirt soekris crashing, but I blame memory exhaustion more than running beta versions of OpenBSD. A couple other oddities you'll encounter deal with routing (if you don't want to route *all* traffic to the VPN), and the lack of any real documentation outside of the code itself, and no alternative ways to authenticate other than RADIUS and a flat file. Do a quick search of the archives for NPPPD and check out a brief article on undeadly giving some overview. Then read the code: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/npppd/ > I know TheGreenBow works great with isakmpd, but here we can't add software > on clients. > > Is it possible to make a pptp server ? npppd does support PPTP as well. I'd suggest using L2TP instead, though. > Any idea ?
Re: npppd and iOS 5.1.1 on OpenBSD 5.1
Yep, that was exactly it. Thank you, again. On Aug 15, 2012, at 16:01, YASUOKA Masahiko wrote: > Hi, > >> real.local.concentrate: tun0 > > this should be > > realm.local.concentrate: tun0 > > I hope this will help you. > > --yasuoka > > On Wed, 15 Aug 2012 09:11:06 -0700 > Johan Beisser wrote: >> I've hit a bit of a wall digging around getting L2TP working with OpenBSD 5.1. >> >> I've enabled pipex in kernel: >> # sysctl -a | grep -E '(pipex|gre)' >> net.inet.gre.allow=0 >> net.inet.gre.wccp=0 >> net.pipex.enable=1 >> >> Before anyone asks, yes, I had GRE enabled as well. But, I'm not >> looking to run PPTP via npppd, only L2TP. I've tested with it >> activated, and the config with pptpd.enabled: false >> >> I've configured a very basic npppd.conf, per the instructions in >> http://www.undeadly.org/cgi?action=article&sid=20120427125048 and >> http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/npppd/HOWTO_PIPEX_NPPPD.txt?rev=1.8 >> >> Everything connects, it appears to authenticate fine, but after that >> iOS attempts to negotiate ppp. 
I'm assuming this is the relevant part >> of the npppd debugging output (for my own privacy, I've replaced >> non-RFC addresses with A.B.C.D for the client and E.F.G.H for the >> server, respectively): >> >> 2012-08-15 08:37:03:NOTICE: l2tpd ctrl=2 logtype=Started RecvSCCRQ >> from=A.B.C.D:50002/udp tunnel_id=2/21 protocol=1.0 winsize=4 >> hostname=users-thing vendor=(no vendorname) firm= >> 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 SendSCCRP >> 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 RecvSCCN >> 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 SendZLB >> 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 call=9490 RecvICRQ session_id=948 >> 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 call=9490 SendICRP session_id=9490 >> 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 call=9490 RecvICCN >> session_id=948 calling_number= tx_conn_speed=100 framing=async >> 2012-08-15 08:37:03:NOTICE: l2tpd ctrl=2 call=9490 logtype=PPPBind ppp=1 >> 2012-08-15 08:37:03:INFO: ppp id=1 layer=base logtype=Started >> tunnel=L2TP(A.B.C.D:50002) >> 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 call=9490 SendZLB >> 2012-08-15 08:37:22:INFO: ppp id=1 layer=lcp logtype=Opened >> mru=1400/1400 auth=MS-CHAP-V2 magic=3adadd39/37d59f4b >> 2012-08-15 08:37:22:INFO: ppp id=1 layer=chap proto=mschap_v2 >> logtype=Success username="user" realm=local >> 2012-08-15 08:37:22:WARNING: ppp id=1 layer=base No interface binding. 
>> 2012-08-15 08:37:22:INFO: ppp id=1 layer=base unhandled protocol >> ip6cp, 32855(8057) >> 2012-08-15 08:37:22:INFO: l2tpd ctrl=2 call=9490 SendCDN >> result=ERROR_CODE/2 error=GENERIC_ERROR/6 messsage=Disconnected by >> local PPP >> 2012-08-15 08:37:22:NOTICE: l2tpd ctrl=2 call=9490 logtype=PPPUnbind >> 2012-08-15 08:37:22:NOTICE: ppp id=1 layer=base logtype=TUNNELUSAGE >> user="user" duration=19sec layer2=L2TP layer2from=A.B.C.D:50002 >> auth=MS-CHAP-V2 data_in=271bytes,12packets data_out=333bytes,15packets >> error_in=1 error_out=0 mppe=no iface=(not binding) >> 2012-08-15 08:37:22:INFO: l2tpd ctrl=2 call=9490 Received CDN in >> unexpected state=cleanup-wait >> 2012-08-15 08:37:22:INFO: l2tpd ctrl=2 RecvStopCCN result=UNKNOWN/256 >> error=UNKNOWN/28261 tunnel_id=21 message="cted" >> 2012-08-15 08:37:22:DEBUG: l2tpd ctrl=2 SendZLB >> 2012-08-15 08:37:22:NOTICE: l2tpd ctrl=2 logtype=Finished >> 2012-08-15 08:37:23:INFO: l2tpd Received from=A.B.C.D:42138: bad >> control message: tunnelId=2 is not found. mestype=CDN >> >> >> Isakmpd does throw some errors, but they don't seem to be related to >> anything except protocol negotiation. >> >> Aug 15 08:37:00 soekris isakmpd[1079]: attribute_unacceptable: >> ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC >> Aug 15 08:37:02 soekris isakmpd[1079]: isakmpd: phase 1 done (as >> responder): initiator id 10.70.108.213, responder id E.F.G.H, src: >> A.B.C.D dst: A.B.C.D >> Aug 15 08:37:02 soekris isakmpd[1079]: isakmpd: quick mode done (as >> responder): src: E.F.G.H dst: A.B.C.D >> >> >> It acts the same if pf is enabled or disabled. I'm debating if I >> should update to a snapshot or not, at this point. Due to the hardware >> being weak, and kind of old, I'd rather not have the debugging flags, >> etc, running a snapshot would entail. >> >> Any pointers on where to look would be appreciated. >> >> -jb >> >> >> npppd.conf:
Re: npppd and iOS 5.1.1 on OpenBSD 5.1
Thank you for the catch, I was pretty damn tired when I wrote that. On Aug 15, 2012, at 16:01, YASUOKA Masahiko wrote: > Hi, > >> real.local.concentrate: tun0 > > this should be > > realm.local.concentrate: tun0 > > I hope this will help you. > > --yasuoka > > On Wed, 15 Aug 2012 09:11:06 -0700 > Johan Beisser wrote: >> I've hit a bit of a wall digging around getting L2TP working with OpenBSD 5.1. >> >> I've enabled pipex in kernel: >> # sysctl -a | grep -E '(pipex|gre)' >> net.inet.gre.allow=0 >> net.inet.gre.wccp=0 >> net.pipex.enable=1 >> >> Before anyone asks, yes, I had GRE enabled as well. But, I'm not >> looking to run PPTP via npppd, only L2TP. I've tested with it >> activated, and the config with pptpd.enabled: false >> >> I've configured a very basic npppd.conf, per the instructions in >> http://www.undeadly.org/cgi?action=article&sid=20120427125048 and >> http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/npppd/HOWTO_PIPEX_NPPPD.txt?rev=1.8 >> >> Everything connects, it appears to authenticate fine, but after that >> iOS attempts to negotiate ppp. 
I'm assuming this is the relevant part >> of the npppd debugging output (for my own privacy, I've replaced >> non-RFC addresses with A.B.C.D for the client and E.F.G.H for the >> server, respectively): >> >> 2012-08-15 08:37:03:NOTICE: l2tpd ctrl=2 logtype=Started RecvSCCRQ >> from=A.B.C.D:50002/udp tunnel_id=2/21 protocol=1.0 winsize=4 >> hostname=users-thing vendor=(no vendorname) firm= >> 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 SendSCCRP >> 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 RecvSCCN >> 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 SendZLB >> 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 call=9490 RecvICRQ session_id=948 >> 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 call=9490 SendICRP session_id=9490 >> 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 call=9490 RecvICCN >> session_id=948 calling_number= tx_conn_speed=100 framing=async >> 2012-08-15 08:37:03:NOTICE: l2tpd ctrl=2 call=9490 logtype=PPPBind ppp=1 >> 2012-08-15 08:37:03:INFO: ppp id=1 layer=base logtype=Started >> tunnel=L2TP(A.B.C.D:50002) >> 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 call=9490 SendZLB >> 2012-08-15 08:37:22:INFO: ppp id=1 layer=lcp logtype=Opened >> mru=1400/1400 auth=MS-CHAP-V2 magic=3adadd39/37d59f4b >> 2012-08-15 08:37:22:INFO: ppp id=1 layer=chap proto=mschap_v2 >> logtype=Success username="user" realm=local >> 2012-08-15 08:37:22:WARNING: ppp id=1 layer=base No interface binding. 
>> 2012-08-15 08:37:22:INFO: ppp id=1 layer=base unhandled protocol >> ip6cp, 32855(8057) >> 2012-08-15 08:37:22:INFO: l2tpd ctrl=2 call=9490 SendCDN >> result=ERROR_CODE/2 error=GENERIC_ERROR/6 messsage=Disconnected by >> local PPP >> 2012-08-15 08:37:22:NOTICE: l2tpd ctrl=2 call=9490 logtype=PPPUnbind >> 2012-08-15 08:37:22:NOTICE: ppp id=1 layer=base logtype=TUNNELUSAGE >> user="user" duration=19sec layer2=L2TP layer2from=A.B.C.D:50002 >> auth=MS-CHAP-V2 data_in=271bytes,12packets data_out=333bytes,15packets >> error_in=1 error_out=0 mppe=no iface=(not binding) >> 2012-08-15 08:37:22:INFO: l2tpd ctrl=2 call=9490 Received CDN in >> unexpected state=cleanup-wait >> 2012-08-15 08:37:22:INFO: l2tpd ctrl=2 RecvStopCCN result=UNKNOWN/256 >> error=UNKNOWN/28261 tunnel_id=21 message="cted" >> 2012-08-15 08:37:22:DEBUG: l2tpd ctrl=2 SendZLB >> 2012-08-15 08:37:22:NOTICE: l2tpd ctrl=2 logtype=Finished >> 2012-08-15 08:37:23:INFO: l2tpd Received from=A.B.C.D:42138: bad >> control message: tunnelId=2 is not found. mestype=CDN >> >> >> Isakmpd does throw some errors, but they don't seem to be related to >> anything except protocol negotiation. >> >> Aug 15 08:37:00 soekris isakmpd[1079]: attribute_unacceptable: >> ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC >> Aug 15 08:37:02 soekris isakmpd[1079]: isakmpd: phase 1 done (as >> responder): initiator id 10.70.108.213, responder id E.F.G.H, src: >> A.B.C.D dst: A.B.C.D >> Aug 15 08:37:02 soekris isakmpd[1079]: isakmpd: quick mode done (as >> responder): src: E.F.G.H dst: A.B.C.D >> >> >> It acts the same if pf is enabled or disabled. I'm debating if I >> should update to a snapshot or not, at this point. Due to the hardware >> being weak, and kind of old, I'd rather not have the debugging flags, >> etc, running a snapshot would entail. >> >> Any pointers on where to look would be appreciated. >> >> -jb >> >> >> npppd.conf:
npppd and iOS 5.1.1 on OpenBSD 5.1
I've hit a bit of a wall digging around getting L2TP working with OpenBSD 5.1. I've enabled pipex in kernel: # sysctl -a | grep -E '(pipex|gre)' net.inet.gre.allow=0 net.inet.gre.wccp=0 net.pipex.enable=1 Before anyone asks, yes, I had GRE enabled as well. But, I'm not looking to run PPTP via npppd, only L2TP. I've tested with it activated, and the config with pptpd.enabled: false I've configured a very basic npppd.conf, per the instructions in http://www.undeadly.org/cgi?action=article&sid=20120427125048 and http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/npppd/HOWTO_PIPEX_NPPPD.txt?rev=1.8 Everything connects, it appears to authenticate fine, but after that iOS attempts to negotiate ppp. I'm assuming this is the relevant part of the npppd debugging output (for my own privacy, I've replaced non-RFC addresses with A.B.C.D for the client and E.F.G.H for the server, respectively): 2012-08-15 08:37:03:NOTICE: l2tpd ctrl=2 logtype=Started RecvSCCRQ from=A.B.C.D:50002/udp tunnel_id=2/21 protocol=1.0 winsize=4 hostname=users-thing vendor=(no vendorname) firm= 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 SendSCCRP 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 RecvSCCN 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 SendZLB 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 call=9490 RecvICRQ session_id=948 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 call=9490 SendICRP session_id=9490 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 call=9490 RecvICCN session_id=948 calling_number= tx_conn_speed=100 framing=async 2012-08-15 08:37:03:NOTICE: l2tpd ctrl=2 call=9490 logtype=PPPBind ppp=1 2012-08-15 08:37:03:INFO: ppp id=1 layer=base logtype=Started tunnel=L2TP(A.B.C.D:50002) 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 call=9490 SendZLB 2012-08-15 08:37:22:INFO: ppp id=1 layer=lcp logtype=Opened mru=1400/1400 auth=MS-CHAP-V2 magic=3adadd39/37d59f4b 2012-08-15 08:37:22:INFO: ppp id=1 layer=chap proto=mschap_v2 logtype=Success username="user" realm=local 2012-08-15 08:37:22:WARNING: ppp id=1 layer=base No interface binding. 
2012-08-15 08:37:22:INFO: ppp id=1 layer=base unhandled protocol ip6cp, 32855(8057) 2012-08-15 08:37:22:INFO: l2tpd ctrl=2 call=9490 SendCDN result=ERROR_CODE/2 error=GENERIC_ERROR/6 messsage=Disconnected by local PPP 2012-08-15 08:37:22:NOTICE: l2tpd ctrl=2 call=9490 logtype=PPPUnbind 2012-08-15 08:37:22:NOTICE: ppp id=1 layer=base logtype=TUNNELUSAGE user="user" duration=19sec layer2=L2TP layer2from=A.B.C.D:50002 auth=MS-CHAP-V2 data_in=271bytes,12packets data_out=333bytes,15packets error_in=1 error_out=0 mppe=no iface=(not binding) 2012-08-15 08:37:22:INFO: l2tpd ctrl=2 call=9490 Received CDN in unexpected state=cleanup-wait 2012-08-15 08:37:22:INFO: l2tpd ctrl=2 RecvStopCCN result=UNKNOWN/256 error=UNKNOWN/28261 tunnel_id=21 message="cted" 2012-08-15 08:37:22:DEBUG: l2tpd ctrl=2 SendZLB 2012-08-15 08:37:22:NOTICE: l2tpd ctrl=2 logtype=Finished 2012-08-15 08:37:23:INFO: l2tpd Received from=A.B.C.D:42138: bad control message: tunnelId=2 is not found. mestype=CDN Isakmpd does throw some errors, but they don't seem to be related to anything except protocol negotiation. Aug 15 08:37:00 soekris isakmpd[1079]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC Aug 15 08:37:02 soekris isakmpd[1079]: isakmpd: phase 1 done (as responder): initiator id 10.70.108.213, responder id E.F.G.H, src: A.B.C.D dst: A.B.C.D Aug 15 08:37:02 soekris isakmpd[1079]: isakmpd: quick mode done (as responder): src: E.F.G.H dst: A.B.C.D It acts the same if pf is enabled or disabled. I'm debating if I should update to a snapshot or not, at this point. Due to the hardware being weak, and kind of old, I'd rather not have the debugging flags, etc, running a snapshot would entail. Any pointers on where to look would be appreciated. 
-jb npppd.conf: interface_list: tun0 interface.tun0.ip4addr: 172.23.0.1 # IP Address Pool pool.dyna_pool: 172.23.0.0/25 pool.pool: 172.23.0.128/25 # local file auth auth.local.realm_list: local auth.local.realm.acctlist: /etc/npppd/npppd-users.csv real.local.concentrate: tun0 lcp.mru:1400 lcp.timeout:18 auth.method:mschapv2 # auth.method: mschapv2 chap pap ipcp.assign_fixed: true ipcp.assign_userselect:true pptpd.enabled: false pptpd.ip4_allow:0.0.0.0/0 #pptpd.listener_in: PPTP 192.168.0.1 # L2TP daemon l2tpd.enabled: true l2tpd.ip4_allow:0.0.0.0/0 #l2tpd.listener_in: L2TP 192.168.0.1 l2tpd.purge_ipsec_sa: false l2tpd.require_ipsec:true l2tpd.accept_dialin:true pipex.enabled: true ipsec.conf: ike passive esp transport \ proto udp from A.B.C.D to any port 1701 \ main auth "hmac-sha1" enc "3des" group modp1024 \ quick auth "hmac-sha1" enc "aes" \ psk "PASSWORD"
Re: is it legal?
On Mon, Jul 23, 2012 at 9:01 AM, Wojciech Puchar wrote: > http://www.gwebtools.com/ns-spy/ > > Anyone know from what data does it get such an info? By scanning every > possible registered domain ? Legal? I don't know. Ask a lawyer who specializes in these things. They exist. My assumption is "yes." > I do not want other to get list of what domains my DNS server serve. You're making the data available to be queried. If you don't want it served, set up split views NS and ACLs. Or, keep the DNS unpublished and internal. > And this works - never gives complete list but always a good part.
Re: ssh tunneling with -D option
You're confusing a SOCKS proxy with an HTTP proxy. They are not the same thing. Sent form my iFoe. On Jul 18, 2012, at 16:07, Paolo Aglialoro wrote: > @Abel > > I've had a look at dsocks page, the "instructions" are kinda cryptic but > just did something this way: > > # ssh -D 1080 user@sshdhost > # dsocks.sh lynx google.com > > it looks like working (yeaah!!! great piece of advice, mate!!!) but > also produces lotsa garbage on the screen bottom like: > > "lynx: (dsocks4) error reading reply: Connection refused" > (even if, eventually, I get connection and the desired page) > > Issuing the following: > # dsocks.sh lynx google.com 2>&1 /dev/null > > does not get rid of those messages. Maybe something wrong with v4/v5??? > > > @Alex > > So it looks I've been misled by the many people on internet who claim they > can use firefox establishing a ssh -D connection before. Actually I tried > to configure both firefox and netsurf but just had no results. > > So, can I use ssh to proxy my http without dsocks or not? > > > > > On Thu, Jul 19, 2012 at 12:47 AM, wrote: > >> Hi Paolo, >> >>> http_proxy="http://127.0.0.1:12345/"; lynx google.com >> AFAIK, you should test SOCKS proxy, not HTTP. >> >> Regards, >> Alex
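To make that distinction concrete, here is an added example (mine, not Paolo's, Alex's or dsocks' code) of what a client has to say to the port that `ssh -D 1080` opens before any HTTP can go through it. The message layouts follow RFC 1928 (SOCKS5); 127.0.0.1:1080 matches the ssh command above and google.com is the host Paolo was fetching. Everything except the final fetch runs offline.

```python
"""What the port opened by `ssh -D 1080` actually speaks: SOCKS5, not HTTP.

An HTTP-proxy client opens the TCP connection and immediately sends
"GET http://google.com/ HTTP/1.1", which a SOCKS server cannot parse (the
first byte is not a version number). A SOCKS client must first agree on an
auth method, then ask the proxy to CONNECT to host:port, and only after a
success reply send ordinary HTTP to the origin server through the tunnel.

Added example, not from the thread; framing per RFC 1928.
"""
import socket
import struct

SOCKS_VER = 5
CMD_CONNECT = 1
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4
REPLY_TEXT = {0: "succeeded", 1: "general SOCKS server failure",
              2: "connection not allowed by ruleset", 3: "network unreachable",
              4: "host unreachable", 5: "connection refused", 6: "TTL expired",
              7: "command not supported", 8: "address type not supported"}


def build_greeting():
    """VER=5, NMETHODS=1, METHODS=[0x00 no authentication]; ssh -D offers nothing else."""
    return bytes([SOCKS_VER, 1, 0])


def build_connect(host, port):
    """CONNECT request carrying the hostname (ATYP 3) so the name is resolved by
    the SSH server, not by the local resolver the tunnel was meant to bypass."""
    name = host.encode("idna")
    if not 0 < len(name) < 256:
        raise ValueError("hostname length must fit in one byte")
    if not 0 <= port <= 65535:
        raise ValueError("bad port")
    return bytes([SOCKS_VER, CMD_CONNECT, 0, ATYP_DOMAIN, len(name)]) + name + struct.pack("!H", port)


def parse_connect_reply(data):
    """Return (reply_code, bound_addr, bound_port, bytes_consumed) from the
    server's reply. Malformed or truncated input raises ValueError rather than
    being mistaken for success."""
    if len(data) < 4 or data[0] != SOCKS_VER or data[2] != 0:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        alen = 4
    elif atyp == ATYP_IPV6:
        alen = 16
    elif atyp == ATYP_DOMAIN:
        if len(data) < 5:
            raise ValueError("truncated reply")
        alen = 1 + data[4]
    else:
        raise ValueError("unknown address type %d" % atyp)
    end = 4 + alen
    if len(data) < end + 2:
        raise ValueError("truncated reply")
    raw = data[4:end]
    if atyp == ATYP_IPV4:
        addr = socket.inet_ntoa(raw)
    elif atyp == ATYP_IPV6:
        addr = socket.inet_ntop(socket.AF_INET6, raw)
    else:
        addr = raw[1:].decode("ascii")
    (port,) = struct.unpack("!H", data[end:end + 2])
    return rep, addr, port, end + 2


def http_get_via_socks(host, path="/", port=80, proxy=("127.0.0.1", 1080)):
    """GET http://host/path through the SOCKS5 proxy; returns the raw response bytes."""
    with socket.create_connection(proxy, timeout=15) as s:
        s.sendall(build_greeting())
        hello = s.recv(2)
        if hello != bytes([SOCKS_VER, 0]):
            raise OSError("proxy rejected the no-auth method: %r" % hello)
        s.sendall(build_connect(host, port))
        rep, _, _, _ = parse_connect_reply(s.recv(262))   # 262 = largest possible reply
        if rep != 0:
            raise OSError("SOCKS CONNECT failed: " + REPLY_TEXT.get(rep, str(rep)))
        # Tunnel is up. Note the origin-form request line: the proxy is now
        # transparent, so this is exactly what we would send to the host directly.
        s.sendall(("GET %s HTTP/1.0\r\nHost: %s\r\n\r\n" % (path, host)).encode())
        chunks = []
        while True:
            buf = s.recv(4096)
            if not buf:
                break
            chunks.append(buf)
    return b"".join(chunks)


if __name__ == "__main__":
    # Needs a live `ssh -D 1080 user@sshdhost` in another terminal.
    print(http_get_via_socks("google.com").split(b"\r\n", 1)[0].decode())
```

So the answer to "can I use ssh to proxy my http without dsocks" is yes, provided the client speaks SOCKS itself: `curl --socks5-hostname 127.0.0.1:1080 http://google.com/`, or Firefox with a SOCKS v5 proxy (not an HTTP proxy) pointed at 127.0.0.1:1080. Prefer the hostname-carrying variants, as in build_connect above, so DNS lookups happen at the SSH server end instead of leaking from the local resolver.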
Re: OpenBSD forked
On Fri, Jun 22, 2012 at 5:57 AM, Eric Furman wrote: > So what is wrong with perl?? > It is nearly a standard in the UNIX Admin world. It's a terrible language, and you should feel terrible for using it.
Re: VPN on OpenBSD: OpenSSH or OpenVPN?
On Tue, Apr 24, 2012 at 6:07 AM, Otto Bretz wrote: > On Tue, Apr 17, 2012 at 21:20, mxb wrote: >> I rolled out L2TP/IPSec (npppd) on OpenBSD-current with RADIUS-auth. >> Used mostly by OSX and Win7. Stable and works without any additional >> third-party software. > > If you could write an article for undeadly (or only some short notes) > on how you did this, it would be much appreciated. I'm sure there are > lots of people besides me that are interested in this topic. Count me in for those notes. I haven't had time to properly set up a VPN service for myself, and want something compatible with everything I deploy and use.
Re: DynDNS client
On Mon, Apr 16, 2012 at 9:43 AM, Ingo Schwarze wrote: > Hi, > > Johan Beisser wrote on Mon, Apr 16, 2012 at 09:18:22AM -0700: >> On Mon, Apr 16, 2012 at 9:00 AM, Laurence Rochfort >> wrote: > >>> Is there a DynDNS client for OpenBSD? > >> Rolled my own in Python a while back. There are a few that're utter >> overkill for "simple updater." > > If IP changes are rare for you and you just want to update your IP manually > now and then, using the web interface most providers offer is probably > sufficient, and you don't even need your own script. Mine are rare, but referencing the developer site ( http://dyn.com/support/developers/api/ ) does give you enough information to avoid having your client blocked, and how to make it comply with their TOS. > If you want to run the client as a daemon, I'd advise against > rolling your own. Most providers block accounts that update too > frequently, and getting the logic right to prevent excessive > updates is tricky. Not really. It's dead simple: check against a state file that has the last known IP, compare to the interface or a web site that returns the external IP address, and update if that changes. If there's a change, update dyn.com, update your state file, and exit. I run mine every 5 minutes or so from cron. If nothing else, it's a good scripting exercise and a very basic one as well. Dyn.com offers up testing DNS entries for developers to test their code against. > My experience is mostly with ddclient; I have contributed a few > patches that were accepted upstream. The maintainer is a nice > guy, not very actively supporting ddclient, but not letting it > rot completely either. For home use, it is clearly good enough. > For enterprise use, it is usable (if you are willing to help > and fix the occasional bug), but certainly not great. > > However, the code quality is positively revolting. I have rarely > seen Perl code looking that ugly. Still, as it is a small code base, > you can find your way around it. > But hacking into it is not fun, > and if you value reliability a lot, you should probably look into > other options, too, and compare. All the more reason to write your own updater. You get to know what features you really need, vs the ugly crap that people include in their scripts.
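The state-file loop described in the reply above (compare the current external address to the last one pushed, update only on change, exit), as an added example in Python that is not the poster's own script. The provider call and the external-IP lookup are injected functions so the logic runs offline; the provider return codes named in the comments are assumptions about the dyn.com API of the time, and the addresses in the test are constructed.

```python
"""Dynamic DNS updater: the state-file logic from the list reply.

Added example, not the poster's script. It keeps the last address it pushed
in a small JSON state file and only calls the provider when the external
address actually changed, so a cron run every few minutes never hammers the
provider (which is what gets accounts blocked). `current_external_ip` and
`push_update` are injected so this runs offline. The return codes "good",
"nochg", "badauth", "abuse", "nohost" are assumed from the dyn.com API of the
time; check the provider's current developer documentation.
"""
import ipaddress
import json
import time
from pathlib import Path

MIN_INTERVAL = 300                 # constructed: at most one push per 5 minutes
FATAL_CODES = {"badauth", "abuse", "nohost"}   # provider says stop; needs a human
# Explicit RFC 1918 ranges rather than ipaddress.is_private, which also
# flags the documentation ranges (192.0.2/24, 203.0.113/24) used in tests.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def load_state(path: Path) -> dict:
    """Return the saved state, or an empty state on first run / corrupt file."""
    try:
        return json.loads(path.read_text())
    except (FileNotFoundError, ValueError):
        return {}


def save_state(path: Path, state: dict) -> None:
    """Write the state atomically so a killed run never leaves a half file."""
    tmp = path.with_suffix(".tmp")
    tmp.write_text(json.dumps(state))
    tmp.replace(path)


def decide(state: dict, current_ip: str, now: float):
    """Decide whether to push an update. Returns (push?, reason)."""
    try:
        addr = ipaddress.ip_address(current_ip)
    except ValueError:
        return False, "invalid address"        # garbage from the IP lookup
    if addr.is_loopback or addr.is_link_local or any(addr in n for n in RFC1918):
        return False, "not a public address"   # wrong interface, or behind NAT
    if state.get("halted"):
        return False, "halted after " + state["halted"]
    if state.get("ip") == current_ip:
        return False, "nochange"
    if now - state.get("updated", 0) < MIN_INTERVAL:
        return False, "rate-limited"           # changed again too soon; wait
    return True, "changed"


def run_once(state_path: Path, current_external_ip, push_update, now=None) -> str:
    """One cron invocation. Returns what happened, suitable for logging."""
    now = time.time() if now is None else now
    state = load_state(state_path)
    ip = current_external_ip()
    push, reason = decide(state, ip, now)
    if not push:
        return reason
    code = push_update(ip)
    if code in ("good", "nochg"):
        save_state(state_path, {"ip": ip, "updated": now})
    elif code in FATAL_CODES:
        state["halted"] = code                 # do not retry automatically
        save_state(state_path, state)
    return code
```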
Re: DynDNS client
On Mon, Apr 16, 2012 at 9:00 AM, Laurence Rochfort wrote: > Hello, > > Is there a DynDNS client for OpenBSD? Rolled my own in Python a while back. There are a few that're utter overkill for "simple updater." You could do it in shell with tools in base with a little bit of scripting effort. http://dyn.com/support/developers/api/
Re: Mosh? seems dangerous!
On Wed, Apr 11, 2012 at 11:02 AM, Christian Weisgerber wrote: > Gilles Chehade wrote: > This must be satire. Right? > I mean, "local-echo mode"? What is this? 1975? In lossy or high latency environments I find a local echo to be really useful. To the point I occasionally dump stdout through my ssh tunnel locally instead of trying to run an interactive shell.
Re: Recent DELL hardware support
Dell has an ugly habit of changing components even within the same model year of hardware. You can't predict how well supported something is based on "PowerEdge R410" until you have your specific one in front of you. On Wed, Apr 4, 2012 at 1:14 PM, Kostas Zorbadelos wrote: > Hello all, > > we are about to engage in a procurement procedure for servers. There is a > high probability to purchase DELL hardware. I want OpenBSD to be > supported on the hardware. I have 2 broad options > > - Go with PowerEdge R410 > - Go with PowerEdge R620 (latest generation of servers) > > The first option has only a single PCIe slot so I cannot have hot > swappable disks AND Intel Ethernet interfaces (preferred over Broadcom, > but unfortunately Broadcom is on-board and I cannot get rid of them). > > The second option has the disadvantages of recent hardware (= can be > unsupported). My main concerns are the PERC controller, where I saw that > PERC 310 is supported in mfi(4), and the Intel NICs (these servers come > with Intel Ethernet I350, still unsupported from what I saw, they are on > the hardware wanted list). > > The machines will be bought and put to use in at least 6 months from > now, one or two OpenBSD releases will have been made. What do you think? > Will the hardware be supported by then? > > As you can tell I do not control the procurement procedure, but I can > ask for specific DELL hardware. > > Regards, > > Kostas > > -- > Kostas Zorbadelos > twitter:@kzorbadelos http://gr.linkedin.com/in/kzorba > > () www.asciiribbon.org - against HTML e-mail & proprietary attachments > /\
Re: My OpenBSD 5.0 installation experience (long rant)
On Sat, Mar 10, 2012 at 9:15 AM, Nico Kadel-Garcia wrote: > With multiple drives, especially for bulky softraid setups, it might get > overwhelming pretty fast. > > The idea is interesting, and especially helpful if the machine was > previously built and the drives ordered differently in a different OS or > BIOS configuration, changes in hardware RAID or drive controller > manipulation in the BIOS, or the drives were installed in a different > machine. I don't see why it's hard to shell out.

!
# dmesg | grep [hs]d[0-9]
# exit
Re: Snappy Answers to Stupid Questions - WTF?
Sent form my iFoe. On Mar 9, 2012, at 10:19, Nick Holland wrote: > > > Hey, if having an OS which takes the quality of its product -- and not much else! -- seriously is important to you, this would be a good time to make a donation to the project. Make Theo smile! > Theo never smiles. Not once.
Re: smartphones and managing openbsd servers
On Feb 20, 2012, at 8:49, Jan Stary wrote: > On Feb 20 10:19:48, Daniel mora wrote: >> I've worked with several different OS and phone brands (Nokia/Symbian, >> iPhone, HTC/Android). >> The one I feel most comfortable with is the Nokia N900; it runs Maemo 5, >> a Debian-like Linux, you can use it as a normal Linux machine. Maybe >> other phones running Maemo could bring a similar experience. >> >> The cons... >> I really don't know if Nokia is going to continue supporting Maemo. > > Correction: > >I really don't know if Nokia is going to continue Nokia already said they'd kill Maemo and Symbian. I've heard the n900 has some stability issues. Any truth to this?
Re: smartphones and managing openbsd servers
On Sat, Feb 18, 2012 at 3:06 PM, Marcos Ariel Laufer wrote: > What newer smartphones do you recommend for using also as a tool for > managing OpenBSD servers (maybe windogs too)? What experiences have you had > with smartphones and OpenBSD managing? Your experience really depends on a few things: the phone network's bandwidth, CPU speed, and the ability to read the returned output without strain. Everything else is just extras and features. Bandwidth and lag can make your session unusable. Almost all modern smartphones have WiFi capability built in, which helps reduce your data rate during the SSH session, and decreases lag. That throughput will also make a big difference in receiving data from the server. In my experience, if there's any amount of retransmission happening due to packet loss, the clients hang up abruptly. So, ideally, the client will emulate a modern terminal well enough to use tmux or screen really well. Most modern phones have more than enough CPU power to handle SSH. The problem is that few have the ability to offload the crypto from the CPU, and so SSH chews up already precious battery time. To help offset typing lag some clients permit you to queue a longer string to send to the session. The advantage of this is that fewer packets are sent, and the block of data can be sent out as (hopefully) a single chunk. I believe some Android Market clients support this feature, and I know at least one SSH client on BlackBerry has it, and at least two of the clients on iOS (iPhone/iPad) have the ability to assign shortcuts. Phone form-factor is a major issue you should consider. I know a few people who regularly use their phones for SSH, and are unwilling to give up a physical keyboard. Slider and flip configurations permit you to use most of the screen real estate for your session, but the overall market is moving toward the touchscreen candybar configuration. Because of this, the SSH client has to be able to either 'shadow' the keyboard, allowing you to look through it, or permit you to hide the keyboard and read scrollback easily. As far as what's superior? None of them are really any better than the others. What works for you will matter more. Most modern smartphones are roughly the same, just with a different level of hype or features people want.* - jb * although, I'll be damned if I could find a GSM/LTE, CDMA and wifi capable Android phone with a physical keyboard that didn't utterly suck. I settled on an iPhone 4s, with a decent SSH client.
Re: smartphones and managing openbsd servers
On Sun, Feb 19, 2012 at 9:14 AM, Anonymous wrote: > BlackBerry has built in VPN and you can also buy a few different SSH and > SFTP apps. If you're cheap, there's also BBSSH. While it's not perfect, it is under active -if slow- development. As of November 2011, the developer claims there's an scp client coming as well. When I still had a Blackberry, I pretty actively used the app for emergency work. My only real complaint was the small type. http://bbssh.org/
Re: smartphones and managing openbsd servers
On Sun, Feb 19, 2012 at 7:14 AM, Luke Tymowski wrote: > I use iSSH on an iPhone. But only in an emergency when I don't have > anything else. I wouldn't make regular use of it. (ie, twice in the > last year) I've grown to like Panic's Prompt, and found it does really well with tmux, etc as well. On the iPad, it's almost a pleasure to use. It works really well off of the iPhone as well. http://itunes.apple.com/us/app/prompt/id421507115?mt=8
Re: Longsoon/Godson MIPS boxes, where to buy?
On Mon, Jan 2, 2012 at 10:59 AM, ropers wrote: > On 2 January 2012 18:10, Nomen Nescio wrote: >> I don't rely on anyone's work. > > Ladies and gentlemen: The great American delusion. Randian delusion. It's not purely American, and never has been.
Where do I buy Lemote Loongson/Godson MIPS hardware? (was Re: Longsoon/Godson MIPS boxes, where to buy?)
On Tue, Dec 27, 2011 at 10:09 AM, Dave U. Random wrote: > Are the Longson/Godson MIPS boxes available over the counter yet? If so > where is the best place to order one? Thanks.

A brief search of the archives gives a few resources. Spelling the architecture right helps, but searching for "lemote" does wonders.

Start reading here:
http://openbsd.org/loongson.html

Relevant threads on misc@:
http://marc.info/?l=openbsd-misc&w=2&r=1&s=lemote&q=b
http://marc.info/?l=openbsd-misc&w=2&r=1&s=loongson&q=b

Acquiring hardware:

International:
http://www.aliexpress.com/wholesale?SearchText=loongson&catId=0
http://www.aliexpress.com/wholesale?SearchText=lemote&catId=0

In China (drop shipment to a forwarder may be necessary):
http://loogson.taobao.com/

In Europe:
http://www.tekmote.nl

In the US, Amazon has direct sales from Freedom Included. Prime eligible.
http://www.amazon.com/s?ie=UTF8&search-alias=computers&field-manufacturer=Lemote
http://freedomincluded.com/

Compiled for the archives, YMMV. Special thanks to Miod, Diana and others for their postings.
Re: CF Card setup
On Tue, Dec 20, 2011 at 2:41 PM, Jannik Pruitt wrote: > Hi everyone. > I am brand new; I purchased my OpenBSD 5.0 on 11 Nov 2011. > > I booted the CD on another computer and installed everything on a 32GB CF card. > Placed it in my old thin client and it booted. > > But the network card does not work. > It did work on the other computer after the install. > > Is there a way to make the setup come up again? You really didn't provide enough information for anyone to help you. Let's start with what's missing.

- dmesg
- what hardware you're running
- did you check your hostname.if in /etc matches the interface?
- have you read the FAQ? (http://www.openbsd.org/faq)
- did you check man pages?
Re: OpenVPN issues on 5.0
On Wed, Dec 14, 2011 at 5:54 PM, Erling Westenvik wrote: > After upgrading (re-installing from scratch) my firewall from 4.6 (or > 4.7) to 5.0, I have not been able to get OpenVPN working again. Please > forgive me for asking here at misc but I have spent two days Googling, > reading tons of HOWTOs and trying out different solutions, but without > being able to solve the issue. What are your current pf.conf rules? Did you check that the syntax is right? Have you checked it for errors? Have you looked at the output of pflog? What's your current routing table? Does that look correct?
Re: Narcicism?
On Thu, Dec 1, 2011 at 8:02 AM, Rares Aioanei wrote: > As a citizen of an English-speaking country AND a guru, John, you should > at least know how to spell. David's right, you know. You don't need to know how to spell. People have spell checkers these days.
Re: dhclient, resolv.conf
On Thu, Oct 20, 2011 at 11:11 AM, wrote: > Johan Beisser wrote: > >> Check dhclient.conf(5) and read about the supersede statement. > > Thank you very much for your kind answer. Of course I read not > only dhclient.conf(5), but also a lot of man pages, a lot of > postings on the internet. I think you misunderstood my question. No, I really didn't. You don't want dhclient(8) to touch resolv.conf. I'm simply suggesting you set up dhclient.conf(5) to use supersede to set some things statically. Specifically, set domain-name-servers and domain-name there, and when dhclient(8) fires off, it'll use your settings in resolv.conf. > Again: I don't want dhclient to touch my resolv.conf. > > This means that I am also unhappy even if dhclient creates a > resolv.conf containing exactly what I wanted it to contain, > I am also unhappy if dhclient fakes the file metadata, the dates, > in order that it appears as if the file were untouched. You're screwed. You may want to check chmod(1) instead. Set resolv.conf(5) to be read only. I don't know if that'll prevent dhclient(8) from overwriting the file. I doubt it. > If that were the goal, I have another question: I want no > search statement in resolv.conf; the nearest to that I get > is a line containing "search ." in resolv.conf with a line > containing > > supersede domain-name "."; > > in dhclient.conf. Do you know how to get dhclient to do without it? I'm not sure what you mean. What may get you what you want (search domains) is in resolv.conf(5): On a machine whose network connection does not change frequently (such as a desktop machine on a local-area network), the resolv.conf.tail file should not be necessary. However the resolv.conf.tail file may be useful on notebooks, to search multiple domains, to refer to hard-coded information in local files, or otherwise override the defaults. > But again, I insist on my first question: how do I get > dhclient to respect my resolv.conf and not touch it? You read man pages.
Re: dhclient, resolv.conf
Check dhclient.conf(5) and read about the supersede statement. jb Semt frim my ipHnoe. On Oct 20, 2011, at 8:35, sophia.ort...@googlemail.com wrote: > Dear Sirs! > > I really do not want dhclient to touch resolv.conf. > > The recommendation in > > http://www.openbsd.org/faq/faq6.html#DHCPclient > > namely, uncommenting "request", erasing "domain-name" and > "domain-name-servers", does not work. The only idea I have is > to change "/sbin/dhclient-script", but I think that is a delicate > thing. Does someone know a better solution? > > I am sure I am not the only one with this problem, but I did not > find a solution with google. > > Best regards, > SO.
Re: Dennis Ritchie
I pointed out that Dennis Ritchie did something we all should admire: Got to watch what he created blossom, and change the world. Remarkably, for the better. We should all be so lucky.

On Thu, Oct 13, 2011 at 10:38 AM, Stefan Midjich wrote:
> So many lives touched, so many that don't even know about it. That saddens me the most, that so many are using products of his achievements daily to make their lives comfortable and only a small minority know what it took to get here.
>
> 2011/10/13 Marc Smith :
>>> #include <stdio.h>
>>>
>>> int main()
>>> {
>>>     printf("goodbye, dad\n");
>>>     return 0;
>>> }
>>
>> That was really touching.
>>
>> Rest in peace, Dennis Ritchie.
>
> --
> Med vänliga hälsningar / With kind regards
>
> Stefan Midjich
Re: Blocking Trojans with PF
"block all" Permit inbound port 80, but do not permit new outbound connections. Consider each interface a separate firewall, with separate flows entirely, then use policy enforcement (see tagging: http://cvs.openbsd.org/faq/pf/tagging.html) to ensure only properly tagged packets are passed out from the firewall. Nice thing about pf: stateful tracking of connections. It makes tracking sessions, blocking unwanted traffic, and tagging systems much easier. http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html On Sun, Sep 25, 2011 at 11:18 PM, Hassan Monfared wrote: > Hi, > Any idea for denying connection initiation to the outside from any web server > protected by PF? (wanna block Trojans and reverse connections while > incoming http traffic is allowed). > > Regards, > Hassan H. Monfared
Re: Why aren't you running -current?
On Wed, Sep 7, 2011 at 5:24 PM, roberth wrote: > don't be sorry, just tell me why, I am just curious.

- Following -stable with security patches matches my existing in-house corporate policy for Linux.
- It reduces variations between configurations of a given machine function (simple transfer of /etc to the new install, and go).
- I know what I'm getting with each install, even if I don't get the latest PF feature.
- I get 1 year of support from the community before I have to migrate to a new -stable.
- The systems are stable, known good, and work very very well.
- The drivers are debugged, the man pages complete.

I could go on. But, why?
Re: all libc of my openbsd/i386
find / -type f -perm -0111 -exec ldd {} 2>/dev/null \; -print | awk '/libc.so/ {print $7}' | sort | uniq On Fri, Jul 29, 2011 at 8:50 AM, johnw wrote: > (23:24:04) john@pdc:[~]$ du -sh /usr/lib/libc.so.* > 704K /usr/lib/libc.so.34.2 > 704K /usr/lib/libc.so.35.0 [snip] > 2.4M /usr/lib/libc.so.57.0 > 2.4M /usr/lib/libc.so.58.0 > 2.4M /usr/lib/libc.so.58.1 > 2.5M /usr/lib/libc.so.58.2 > 2.5M /usr/lib/libc.so.58.3 > 2.5M /usr/lib/libc.so.60.0
Re: Transparent smtp/pop3 proxy
On Thu, Jul 28, 2011 at 2:00 PM, R0me0 *** wrote: > Hello misc. > > I would like to know if it is possible to do the following: > > clients--OpenBSD_FWExternal_mail_server > > when clients send or receive an email, OpenBSD catches this mail and sends a > copy of it to another email account; it must be transparent to the user. Yes it's possible. And trivial. > Please, anybody, can you indicate the correct way to do this? No.
Re: Bug Tracking system does not work
On Tue, Jul 19, 2011 at 1:20 PM, Nico Kadel-Garcia wrote: > On Tue, Jul 19, 2011 at 12:59 PM, Johan Beisser wrote: > It takes significant, thoughtful re-organization and a saner workflow. Yes. It's non-trivial to make that happen as a default. > What would be considered to "not suck"? Stability? Security? > Flexibility? Reliable database on the back end? Ease of email > submissions for newbs? RT's stability is fine. It's a webapp with a database back end, and the database is occasionally less than happy. Not a huge problem, since I can just bounce the DB if need be (it's MySQL; many problems are fixed fairly quickly that way, I've learned). For what it is, it works decently. It's flexible enough to work for use in tracking trouble tickets, but it's been painful enough to upgrade that I hesitate to run a newer version. Even if that newer version might fix some of my UI issues. To make it not suck:

- easy to extend, modify, or add in plugins for new features (no patching, please)
- simple database schema, no dumping required to upgrade
- functional search
- merging of tickets
- automatically scheduled repeating tickets (heh)
- ability to make API calls to the ticket software (I sometimes want to open/list/etc tickets remotely, without using the web interface directly)

You get the idea.
Re: Bug Tracking system does not work
On Tue, Jul 19, 2011 at 11:38 AM, Amit Kulkarni wrote: > Can you elaborate? Where do they suck? RT: written in perl, painful to upgrade (painful enough that we've not touched ours in over a year). Ugly interface, but that's the least of its problems. Without a good way to manage users, access, or set up quickly through the UI, it's easier to try to manipulate the DB tables. Perhaps I'm just doing it wrong(tm). So far I've not had enough time to really track upgrades easily or quickly, and haven't had time to fix all the infrastructure that it sits on (MySQL, perl versions, libs, etc) to ensure an upgrade goes cleanly. The biggest advantage RT provides is easy creation of new tickets through email, but it still takes a human on the other end to actually classify what that ticket is. It's bad enough that at my work, we have a general Operations email, and we then handle tickets in the ops group. It wastes time, but it's easier than dealing with engineering misfiring a ticket. Then there's creating sub-users of a larger account... TRAC: nice integration with SVN, but still limited by a complex ACL system and the fact SVN doesn't provide a good user management system in itself, preferring system users (or PAM auth, LDAP, etc). Trouble is that it's not a good general ticket tracking system, and breaks just often enough to be annoying to admin. Given what I have to deal with at work, I don't have time to babysit TRAC's stupidity more often than I care for. TRAC also suffers from trying to please a bunch of different people with different needs at once. Is it floorwax or a dessert topping? Wait, no, it's BOTH! Bugzilla: Perl. OpenSource UI, backend of pain (MySQL, PostgreSQL, or SQLite3!). I've not used it (administered) in a few years, but my experience with it has never been close to what one would call "positive." Painful, breaks in weird ways, and sometimes just had errors. Haven't used Jira yet. So, I have no opinion.
I don't think bug tracking needs to be difficult, ugly, or annoying to navigate. The problem is that every bug tracking utility is built to solve problems for a large set of implementors. Not, say, solve one specific need really well. Many violate the prime directive of dealing with software and users: KISS.
Re: Bug Tracking system does not work
2011/7/19 Mikael Västerdahl : > Terrible? In what way? I use it in my work and I think it works great. > > What ticket software do you think is better? I don't have one. I think they all suck equally.
Re: Bug Tracking system does not work
On Tue, Jul 19, 2011 at 9:57 AM, Amit Kulkarni wrote: > > http://openports.se/www/rt > ? > written in perl. As someone who uses this for ticket tracking, let me be the first to say it's terrible.
Re: Mac Mini Server
On Wed, Jul 13, 2011 at 1:01 PM, Paolo Aglialoro wrote: > Watch out for using apple desktop boxes as servers: apple has always put > "style" in front of reliability and, especially for such "big" boxes when > run 24/7, airflow and heat can become serious issues when you least expect > it. Not exactly what I'd call a workhorse... The MacMini Server is specifically designed to work in low airflow environments. I've had mine sitting in my entertainment center for over a year (it's working as my media center), with no issues due to heat at all. I've had more problems from the couple of drive enclosures than the hardware they put in there. There is a company that's been using the Mini for co-located servers for the last few years. My understanding is that the hardware failure rate is extremely low, even compared to what you should expect for commodity hardware.
Re: Internet bonding
On Jul 4, 2011, at 12:26, Wesley MOUEDINE ASSABY wrote: > Hi, > > I have a question: > Is it possible with OpenBSD to bond 2 adsl connections (download=8Mb/s ; > upload=1Mb/s) with different ISPs? No. Unless you have your own IP space, and both ISPs are willing to advertise those for you. > And so have a virtual ADSL connection with a speed of 16Mb/s and an upload > of 2Mb/s? > I have already read the man pages of trunk, lap seems to me good, but I think > it works at level 2 (OSI) ... > Any idea? Look at load balancing the traffic over both links.
Re: Unix source code (was Re: Can command-line options be specified in any place?)
On Thu, Jun 23, 2011 at 11:57 AM, Brett wrote: >> Sure. Not to mention it came with source code, which you only got from >> AT&T if you had a source license, and those were *expensive*. I was >> fortunate enough to work for a company that had exactly that source >> license during the 1980s, and I learned a *lot* just by reading the >> code. Wish I still had a copy of it today, for nostalgia. :-) > > Copies can be found free on the net, and in book form: > > http://www.softpanorama.org/Bookshelf/Classic/lions_book.shtml Let me add to that. OCR'd text of first edition UNIX, from June of 1972. http://code.google.com/p/unix-jun72/
Re: Can command-line options be specified in any place?
On Jun 21, 2011, at 20:20, vadi...@gmail.com wrote: > Sorry I really did not want to start any flame. I just thought that > getting answer from the mailing list would be faster than spending my > time studying source code of the new system. > >> What you should do is relearn the proper way. :-) > > Ok, let me turn my question the other way around. Suppose I typed > > ls -l /some/very/long/path/to/file > > and the file is too big so I want to use -h option. I use a text > terminal so I can not use mouse to position cursor. How people usually > handle this on *BSD systems? I use Bash and OpenBSD's ksh. In both CTRL-a gets me back to the beginning of the line. A short google search turns up these two handy references for Bash, the favored son of shells on Linux. Vi mode: http://www.catonmat.net/blog/bash-vi-editing-mode-cheat-sheet Alternatively, emacs mode: http://www.catonmat.net/blog/bash-emacs-editing-mode-cheat-sheet/
Re: Can command-line options be specified in any place?
On Jun 21, 2011, at 18:48, Benny Lofgren wrote: > On 2011-06-22 03.03, vadi...@gmail.com wrote: >>> Please continue to use Linux. >>> That's ugly, useless and dangerous. >> >> Oops, looks like that was a "holy war" type of question. Sorry I did >> not want to start that. It's not. > Linus didn't do his homework properly. That, combined with the fact that > Linux became such a huge success is both a blessing and a curse to us > in the unix community; on the one hand Linux provides us with plenty of > young blood in a new generation of hackers... while on the other hand > they can't speak properly! Laying the blame on Linus isn't really correct. The environment of the Linux toolchain is from GNU. Blame starts and ends there.
Re: License
On Wed, Jun 1, 2011 at 6:02 PM, Simranjit Gill wrote: > Hello, > > > > I want to use the IPv6 source code in one of the products manufactured by my > company and need to know if there are any restrictions or limitations > regarding the use of source code in commercial products. Please let me know > if this is not right place to enquire regarding the license. Thank you. Check the FAQ and check the source. http://openbsd.org/faq/faq1.html#ReallyFree http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet6/in6.h?rev=1.53
Re: Loggin dmesge
On May 28, 2011, at 5:36, Jean-François SIMON wrote: > All > > Thanks for your answers, I've set up my question not accurately enough. I > would like to have a file logging the activity of dmesg after boot as well. > I'm not sure it is the right way to set it up. > > Here's my problem, I've seen on the screen in console tty0 the blue lines of > kernel messages which were related to hard drive hardware failures being > caught and automatically repaired in the way the hard disks are able to > manage them. > > That information was, as I said, coming from the kernel and therefore I would > like to log it and have a review after a while, e.g. if the machine is > rebooted meanwhile it is not lost. > > So I assumed they were shown through dmesg, but I'm not sure about this. > Maybe you could help me a bit. > Take a look for the strings you're looking for in /var/log/messages. I bet they're there.
Re: pfctl: DIOCADDRULE: Operation not supported by device
On Sun, May 8, 2011 at 3:25 PM, roberth wrote: > Uhum. Sure that's a way to approach this. > That's the supported way. With that amount of "support" required. > Fine with that. I usually build the new kernel, major utilities that require the new kernel as per http://openbsd.org/faq/current.html and http://openbsd.org/upgrade*.html. Then reboot to the new kernel, and build userland. I assume the machine is out of production until it's done. > On the other hand, I have been running -current for years and never have > had any problem with building source with the previous kernel (without > reboot) that I can remember. The occasional problem exists. Mostly due to a kernel call after a library is installed before the userland is upgraded. > Concerning remote-updates, "from source" will run into more problems > than "from a known good set of tarballs". That's simple statistics, > because of how many binaries are involved. > (remote console access helps, but still might mess up your sla.) I always build release from an already upgraded master build server, so there are no potentially off binaries being distributed. jb
Re: nat static-port option
On Feb 3, 2011, at 5:17, Martin Schröder wrote: > 2011/2/3 Bret Lambert : >> Counting my toaster? > > Your toaster has an IP? > Yours doesn't?
Re: Writing to remote tape
I prefer to tar(1)...

On 1/7/11, Jeff Ross wrote:
> Hi,
>
> I have 2 servers that get backed up to tape. I was scping the daily dump files to the server with the tape attached but now I no longer have hard disk room to do that.
>
> So I read the man page for rdump/dump and that led me to rmt but I have been unable to make this work. It fails with a connection refused error, and I could not glean from the rmt manpage why.
>
> jr...@dukkha:/home/jross $ sudo sh -x /etc/scripts/tape_backup.sh
> Password:
> + dump -0a -f nirvana.internal:/dev/nrst0 /dev/sd0a
> nirvana.internal: Connection refused
> + exit
>
> nirvana does have pf enabled, but it uses a pass all ruleset.
>
> So I next wrote a quick shell script that pushes the dump data across the lan with ssh and uses dd to write it to the tape drive.
>
> #!/bin/sh
> #section 1 --/
> dump -0a -f - /dev/sd0a | ssh nirvana "dd of=/dev/nrst0 bs=1024"
> #section 2 --/cvs
> dump -0a -f - /dev/sd1g | ssh nirvana "dd of=/dev/nrst0 bs=1024"
> #section 3 --/home
> dump -0a -f - /dev/sd0k | ssh nirvana "dd of=/dev/nrst0 bs=1024"
> #section 4 --/profiles
> dump -0a -f - /dev/sd1b | ssh nirvana "dd of=/dev/nrst0 bs=1024"
> #section 5 --/shared
> dump -0a -f - /dev/sd1d | ssh nirvana "dd of=/dev/nrst0 bs=1024"
> #section 6 --/stars
> dump -0a -f - /dev/sd1e | ssh nirvana "dd of=/dev/nrst0 bs=1024"
> #section 7 --/bookkeeping
> dump -0a -f - /dev/sd0n | ssh nirvana "dd of=/dev/nrst0 bs=1024"
> #done
> ssh nirvana mt rewoffl
>
> After a little trial and error this works, with one caveat--when a tape fills up the section it is working on aborts rather than calling for the second tape as a local dump-to-tape would.
>
> I can manually split this into two sections but that won't scale.
>
> Thanks in advance for any cluesticks or hints!
>
> Jeff Ross
>
> -- Sent from my mobile device
Re: pfsync nic problem.
On Thu, Dec 23, 2010 at 9:19 AM, Alessandro Baggi wrote: > > Hi list, I've tried to use the groups field for pfsync. I've changed in my > pf rules, the wan interface ext="xl0" with ext="egress", then when I try to > get a fault with firewall 1, firewall 2 become master, but all connections > die. In state tables of firewall 2 there are "syncronized" states for xl0, > but the "wan" interface is rl2. It's normal that all connections die, there > are not valid states for rl2. Then at this point the problem persist. > There is something that I've missed with ifconfig groups field? This is my > misconfiguration or "the use of groups field" is not a valid issue for this > problem? Please post your pf.conf, ifconfig output and dmesg. There may be another issue not addressed.
Re: [Was: OT - gmail alternatives] PGP web mail anyone?
On Tue, Dec 14, 2010 at 2:06 PM, Tomas Vavrys wrote: > Is there a light at the end of the tunnel somewhere to make email > secure even for amateurs who don't know how to use PGP? I'm very > curious about the future of email, especially now. I would like to > hear opinions of OpenBSD wizards. The thing is that it is very hard to > persuade someone to use PGP all the time. PGP has gotten easier with various front ends. Take a look at GPG Made Easy for an example of simplifying the library calls for application access to PGP encryption. jb
Re: suggestion for a new/additional OpenBSD release media option
On Sun, Oct 31, 2010 at 3:39 PM, Jamie Paul Griffin wrote: >> Everytime one of you write to Theo directly, >> I feel like I'm watching gay porn. > > would someone please block this prick. it was funny to start with but now > it's intensely annoying. You could just toss his email in to your killfile.
Re: Most barebones pf.conf
"pass all" On Wed, Aug 4, 2010 at 3:32 PM, Peter Merritt wrote: > What would be the most barebones pf.conf for a OpenBSD 4.7 nat firewall > with 2 nics, that passes everything. > > Peter
Re: It is 2010. Still no >3GB support by default?
On Mon, Jun 7, 2010 at 4:35 PM, Jacob L. Leifman wrote: > (yes, I am aware that there are > specialized applications that do require the use of a monster-sized > dump truck with an engine to match, but in reality how many places have > a genuine need of a database that even with fully optimized design > requires that much physical RAM?) I can name a couple right off the top of my head.
pfsync: bulk update failed
I have a pair of freshly installed OpenBSD 4.7/amd64-RELEASE systems. They're running redundant failover pairs with fw1 being the master. It seems I've got a problem getting pfsync to properly pass a full bulk update over, so longer term sessions time out when the MASTER takes over for the BACKUP system. In both failover cases (MASTER fails or BACKUP fails) the pf state rules seem to miss transferring over the full ruleset to the recently brought up system. Usually, if both have been up for 30 minutes and older rules have timed out, there's no issue. It's just during the recovery of the "failed" firewall where problems seem to occur. Both systems are identical in hardware, installed OS, and (mostly) configuration (hostname.if differences do exist). Any tips on where to start looking would be appreciated. em0: external interface - fw0: 192.168.10.217; fw1: 192.168.10.218 em1: internal interface - fw0: 10.254.0.2; fw1: 10.254.0.3 em2: pfsync interface - fw0: 172.253.0.1; fw1: 172.253.02 carp0: external CARP - 192.168.10.216 carp1: internal CARP - 10.254.0.1 pfsync0: syncdev em2 maxupd: 128 defer: off (cat hostname.pfsync0: up syncdev em2) fw0 hostname.carp0: inet 192.168.10.216 255.255.255.0 192.168.10.255 vhid 1 carpdev em0 pass pass0 advbase 1 advskew 0 fw1 hostname.carp0: inet 192.168.10.216 255.255.255.0 192.168.10.255 vhid 1 carpdev em0 pass pass0 advbase 1 advskew 100 fw0 hostname.carp1: inet 10.254.0.1 255.255.255.0 10.254.0.255 vhid 2 pass pass1 carpdev em1 advbase 1 advskew 0 fw1 hostname.carp1: inet 10.254.0.1 255.255.255.0 10.254.0.255 vhid 2 pass pass1 carpdev em1 advbase 1 advskew 100 Some pfsync messages: fw0: messages.0.gz:May 21 19:56:43 fw0 /bsd: pfsync: received bulk update request messages.0.gz:May 21 19:59:13 fw0 /bsd: pfsync: received bulk update request messages.1.gz:May 21 17:35:10 fw0 /bsd: pfsync: failed to receive bulk update messages.1.gz:May 21 18:25:59 fw0 /bsd: pfsync: failed to receive bulk update fw1: messages.0.gz:May 21 18:41:38 fw1 
/bsd: pfsync: failed to receive bulk update messages.0.gz:May 21 19:17:12 fw1 /bsd: pfsync: failed to receive bulk update messages.0.gz:May 21 19:56:43 fw1 /bsd: pfsync: requesting bulk update messages.0.gz:May 21 19:56:43 fw1 /bsd: pfsync: received bulk update start messages.0.gz:May 21 19:56:43 fw1 /bsd: pfsync: received valid bulk update end pf.conf (identical on both systems): #;77$Id$# # See pf.conf(5) for syntax and examples. # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1 # in /etc/sysctl.conf if packets are to be forwarded between interfaces. # firewall settings set block-policy return set skip on lo set skip on carp set skip on em2 # internal sync interface between the firewalls altq on em0 priq bandwidth 1.9Mb queue {std, ssh_im, dns, tcp_ack} queue std priq(default) queue ssh_im priority 4 priq(red) queue dns priority 5 queue tcp_ack priority 6 ## tables and macros # firewall self identification table const {self} # trusted IPstable const { 192.168.10.216, 192.168.10.217, 192.168.10.218,\ 192.168.10.219, 192.168.10.220, 192.168.10.221, 192.168.10.222, 192.168.10.223 , \ 10.122.19.56/29 } table const { 192.168.24.109, 192.168.36.168/29 } table const { 10.124.148.0/24, 172.123.152.0/21 } table const { 172.253.0.0/29 } ext_if="em0" ext_vip="192.168.10.216" int_if="em1" int_net="10.254.0.0/24" int_vip="10.254.0.1" im_port = "{ 706 1863 5190 5222 6667 6668 }" ## base filter rules # block everything by default block in log all block in log quick from urpf-failed pass out quick from to any pass quick on em2 proto pfsync keep state (no-sync) pass quick on egress proto carp keep state (no-sync) pass quick on ingress proto carp keep state (no-sync) ## NAT match out on egress from (self) to any tag NAT nat-to (egress) match out on egress from $int_net to !$int_net received-on ingress \ tagged OUT \ tag NAT \ nat-to $ext_vip static-port ## external interface pass in on egress inet proto icmp from any to (egress) pass in on egress inet 
proto tcp from { , } to (egress) port 22 pass out on egress inet proto tcp from any to any \ tagged NAT \ queue (std, tcp_ack) pass out quick on egress inet proto { udp, tcp } from any to any \ port 53 \ tagged NAT \ queue dns7 pass out quick on egress inet proto tcp from any to any \ port 22 \ tagged NAT \ queue (std, ssh_im) pass out quick on egress inet proto {udp, tcp} from any to any \ port $im_port \ tagged NAT \ queue (ssh_im, tcp_ack) pass out quick on egress inet proto icmp from any to any \ tagged NAT \ queue std ## internal interface pass in on ingress inet proto tcp from $int_if:network to self port 22 pass in on ingress inet from $int_if:network to any tag OUT dmesg: OpenBSD 4.7 (GENERIC.MP) #130: Wed Mar 17 20:48:50 MDT 2010 dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP real mem = 1013747712 (966MB) avail mem = 975212544 (930MB) mainbus0 at root bios0 at mainbus0: SMBIOS re
Re: time based rules on pf
Build an anchor, have a ruleset loaded to it by cron, and removed at the specified time later. On Mon, May 17, 2010 at 7:03 AM, Leonardo Carneiro - Veltrac wrote: > There is a way to do time-based rules on pf? Something like "this packet > will /pass/ from 10h to 13h" or "this packet will /pass/ until 22h, 13 > june". I mean, there is a built-in mechanic to do this in pf or i'll > need to write a script in cron to add and remove rules? > > Tks in advance > --
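The cron-driven anchor approach from the reply above, worked through as an added example that is not part of the original thread. It assumes `/etc/pf.conf` declares an anchor named `timed` where the time-limited rules should take effect; the anchor name, the script path `/usr/local/sbin/pf-timed.sh` in the crontab lines and the sample rule are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example: time-based pf rules by loading a ruleset into an anchor
# from cron and flushing it again later. Assumes /etc/pf.conf contains
#     anchor "timed"
# at the point where the timed rules should take effect. The anchor name,
# the script path used in the crontab lines and the sample rule are
# assumptions, not values from the original thread.

ANCHOR="timed"
PFCTL="${PFCTL:-pfctl}"   # overridable so the logic can be exercised without pf

# timed_rules: print the ruleset that should only be active inside the window.
timed_rules() {
    cat <<'EOF'
# active only between the cron-driven load and flush
pass in quick on egress inet proto tcp from any to (egress) port 8080
EOF
}

# load_window: replace the anchor's rules with timed_rules (window start).
# pfctl reads the ruleset from stdin when given "-f -".
load_window() {
    timed_rules | "$PFCTL" -a "$ANCHOR" -f -
}

# clear_window: flush only this anchor's rules (window end); the main
# ruleset and every other anchor are left untouched.
clear_window() {
    "$PFCTL" -a "$ANCHOR" -F rules
}

# crontab_lines: crontab(5) entries for a daily 10:00-13:00 window.
crontab_lines() {
    printf '%s\n' \
        '0 10 * * * /usr/local/sbin/pf-timed.sh load' \
        '0 13 * * * /usr/local/sbin/pf-timed.sh clear'
}

# Dispatch only when called with an argument, so the functions above can
# also be sourced from another script.
if [ $# -gt 0 ]; then
    case "$1" in
        load)  load_window ;;
        clear) clear_window ;;
        cron)  crontab_lines ;;
        *)     echo "usage: $0 load|clear|cron" >&2; exit 2 ;;
    esac
fi
```

For a one-shot window ("pass until 22h, 13 June") the `clear` step can be scheduled with at(1) instead of a recurring crontab entry. Note that flushing the anchor's rules does not remove states created while the window was open; existing connections keep running until they time out unless they are killed explicitly with `pfctl -k`.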
Re: licensing
On Thu, Apr 15, 2010 at 10:34 AM, Thomas Pfaff wrote: > There's non-free software in the ports tree. Good thing it's in ports, then. Keeps that shady license where we can see it, and choose to suffer with it or not.
Re: is skype using encryption?
On Sat, Apr 10, 2010 at 7:55 AM, Jozsi Vadkan wrote: > Can someone [same subnet, e.g.: with a hub, not switch..] sniff my skype > password when i'm using Skype? Is it encrypted? Why are you asking a Skype support question on an OpenBSD mailing list? The best way to know is to dump the data yourself via BPF or PCAP. Then analyze the traffic packet by packet. jb
Re: selling bsd in cd for profit??
On Fri, Feb 26, 2010 at 4:44 PM, Citra Cool wrote: > Can I selling openBSD in CD for profit?? The OpenBSD project has a hard enough time making money on the CDs they're selling to fund the project. But, give this a read anyway. http://openbsd.org/policy.html