pf documentation

2022-04-07 Thread Steve Litt
Hi all,

I need some easy beginner's pf documentation as well as some
intermediate pf documentation. I plan to make an OpenBSD/pf firewall. I
haven't done this in ten years, and imagine pf and the process of
turning OpenBSD into a firewall have changed in that time.

Thanks,

SteveT

Steve Litt 
March 2022 featured book: Making Mental Models: Advanced Edition
http://www.troubleshooters.com/mmm



Re: pf documentation

2022-04-07 Thread Janne Johansson
On Thu 7 Apr 2022 at 11:12, Steve Litt wrote:
>
> Hi all,
>
> I need some easy beginner's pf documentation as well as some
> intermediate pf documentation. I plan to make an OpenBSD/pf firewall. I
> haven't done this in ten years, and imagine pf and the process of
> turning OpenBSD into a firewall have changed in that time.

Might be worth looking around the OpenBSD webpage, perhaps it has a
section with Frequently Asked Questions that contain PF information
one might learn from?


-- 
May the most significant bit of your life be positive.



Re: pf documentation

2022-04-07 Thread Brodey Dover
To be honest, I just used the handbook/FAQ. 

https://www.openbsd.org/faq/pf/example1.html

Note that some grammar and syntax from Google search results will not work in 
newer versions of pf.

Sent from my iPhone

> On Apr 7, 2022, at 05:13, Steve Litt  wrote:
> 
> Hi all,
> 
> I need some easy beginner's pf documentation as well as some
> intermediate pf documentation. I plan to make an OpenBSD/pf firewall. I
> haven't done this in ten years, and imagine pf and the process of
> turning OpenBSD into a firewall have changed in that time.
> 
> Thanks,
> 
> SteveT
> 
> Steve Litt 
> March 2022 featured book: Making Mental Models: Advanced Edition
> http://www.troubleshooters.com/mmm
> 


Re: TLS library problme: tlsv1 alert protocol

2022-04-07 Thread Stuart Henderson
On 2022-04-06, Tom Smyth  wrote:
> Hi Stephan,
> at a guess I would say that there is no overlap between supported TLS
> protocol versions and ciphers
> available on the client vs the server.

This message explicitly suggests protocol version rather than cipher.

> if your system is using a recent version of an Os and you are trying
> to relay to an older legacy system,
> ideally ask the older system to upgrade / enable higher ciphers
> or you can be more permissive on your tls configuration...
> I hope this is helpful

It's Postfix which is by default fairly lenient for standard SMTP
connections from other MXes (it requires something more modern for
authenticated users but there's not much point for standard SMTP as
most people will be accepting plaintext anyway). In terms of
protocol it's >=TLSv1.0

So unless Stephan's config is using stronger TLS settings than the
defaults it's more likely to be either very old software on the client
(which seems unlikely for web.de) or some incompatibility.

> On Wed, 6 Apr 2022 at 23:32, Stephan Mending  wrote:
>>
>> Hi *,
>> I've noticed on my mail relays that the TLS handshake with one certain email
>> relay keeps failing. I was wondering what the
>> reason for that may be.
>>
>> Following error from postfix:
>>
>> connect from mout.web.de[ IP ]:44003
>> SSL_accept error from mout.web.de[ IP ]:44003: -1
>> warning: TLS library problem: error:1404A42E:SSL 
>> routines:ST_ACCEPT:tlsv1 alert protocol 
>> version:/usr/src/lib/libssl/tls13_lib.c:150:
>> lost connection after STARTTLS from mout.web.de
>>
>> Can anybody with more knowledge of libressl and its error messages tell by
>> this error what is wrong?

I would bump up Postfix log settings and see if it gives more clues:

smtpd_tls_loglevel = 2

If this was mail you were sending *out* and had TLS problems with a specific
destination, you could use smtp_tls_policy_maps to disable it individually.
I don't think there's a similar method built-in to Postfix for controlling
whether to advertise STARTTLS to a particular client, but if you need to
receive the mail and want a way to do that, you can have Postfix listen
on another port for SMTP without advertising STARTTLS:

127.0.0.1:10025  inet  n   -   y   -   -   smtpd
 -o syslog_name=postfix/smtpd/tlsdisabled
 -o smtpd_tls_security_level=none

and use PF rdr-to to direct connections from the relevant IP to it.

(Also you don't say what version of things you're running, but make sure
they're up to date?)

-- 
Please keep replies on the mailing list.
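The pf side of Stuart's suggestion, as an added pf.conf sketch that is not part of the original message: only the listed peer is redirected to the TLS-disabled smtpd from master.cf, everyone else still lands on port 25 with STARTTLS advertised. The peer address 192.0.2.10 is a placeholder and em0 is an assumed external interface.

```pf
# Added example, not from the thread. 192.0.2.10 stands in for the remote
# MX whose STARTTLS keeps failing; em0 is the assumed external interface.
ext_if = "em0"
table <notls_peers> { 192.0.2.10 }

# Send only the listed peers to the second smtpd instance defined in
# master.cf (127.0.0.1:10025, smtpd_tls_security_level=none). "quick"
# stops evaluation so the general port-25 rule below does not also apply.
pass in quick on $ext_if inet proto tcp from <notls_peers> to ($ext_if) port 25 \
    rdr-to 127.0.0.1 port 10025

# Everyone else reaches the normal listener, which still offers STARTTLS.
pass in on $ext_if inet proto tcp to ($ext_if) port 25

# Check syntax before loading, then confirm the redirect state appears:
#   pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf
#   pfctl -ss | grep 10025
```

The syslog_name set on the second instance keeps its connections distinguishable in maillog, so you can see which peers are actually hitting the no-TLS path.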



Re: pf documentation

2022-04-07 Thread Tom Smyth
Hi Steve,
I'm going to give my usual answer here.


Peter Hansteen and Max Stucchi have an amazing tutorial on PF
https://home.nuug.no/~peter/pftutorial/#1

but they explain the concepts really well;
I recommend the class that they do in person.

For the latest features of PF in the version of OpenBSD you are running,

man pfctl or man pf.conf will help you.

If you need an intro to the intro,
https://openbsdjumpstart.org by Wesley is pretty cool and gets you
started on OpenBSD and PF



Hope this helps,

Tom Smyth

On Thu, 7 Apr 2022 at 10:28, Brodey Dover  wrote:
>
> To be honest, I just used the handbook/FAQ.
>
> https://www.openbsd.org/faq/pf/example1.html
>
> Note that some grammar and syntax from Google search results will not work in 
> newer versions of pf.
>
> Sent from my iPhone
>
> > On Apr 7, 2022, at 05:13, Steve Litt  wrote:
> >
> > Hi all,
> >
> > I need some easy beginner's pf documentation as well as some
> > intermediate pf documentation. I plan to make an OpenBSD/pf firewall. I
> > haven't done this in ten years, and imagine pf and the process of
> > turning OpenBSD into a firewall have changed in that time.
> >
> > Thanks,
> >
> > SteveT
> >
> > Steve Litt
> > March 2022 featured book: Making Mental Models: Advanced Edition
> > http://www.troubleshooters.com/mmm
> >



-- 
Kindest regards,
Tom Smyth.



Re: pf documentation

2022-04-07 Thread Tom Smyth
Steve,

if you like books ...
Peter Hansteen has written a book the book of pf
which I have read and would recommend

https://nostarch.com/pf3

and if you are interested in firewalls in general and comparing features



On Thu, 7 Apr 2022 at 10:40, Tom Smyth  wrote:
>
> Hi Steve,
> I'm going to give my usual answer here.
>
>
> Peter Hansteen and Max Stucchi have an amazing tutorial on PF
> https://home.nuug.no/~peter/pftutorial/#1
>
> but they explain the concepts really well
> recommend the class that they do in person ..
>
> for the latest features about PF in the version of Openbsd you are running ...
>
> man pfctl or man pf.conf will help you ...
>
> If you need an intro to the intro,
> https://openbsdjumpstart.org by Wesley is pretty cool and gets you
> started on OpenBSD and PF
>
>
>
> Hope this helps,
>
> Tom Smyth
>
> On Thu, 7 Apr 2022 at 10:28, Brodey Dover  wrote:
> >
> > To be honest, I just used the handbook/FAQ.
> >
> > https://www.openbsd.org/faq/pf/example1.html
> >
> > Note that some grammar and syntax from Google search results will not work 
> > in newer versions of pf.
> >
> > Sent from my iPhone
> >
> > > On Apr 7, 2022, at 05:13, Steve Litt  wrote:
> > >
> > > Hi all,
> > >
> > > I need some easy beginner's pf documentation as well as some
> > > intermediate pf documentation. I plan to make an OpenBSD/pf firewall. I
> > > haven't done this in ten years, and imagine pf and the process of
> > > turning OpenBSD into a firewall have changed in that time.
> > >
> > > Thanks,
> > >
> > > SteveT
> > >
> > > Steve Litt
> > > March 2022 featured book: Making Mental Models: Advanced Edition
> > > http://www.troubleshooters.com/mmm
> > >
>
>
>
> --
> Kindest regards,
> Tom Smyth.



--
Kindest regards,
Tom Smyth.



[www] ports: delete note about $OpenBSD$

2022-04-07 Thread Mikhail
This advice is no longer needed.

diff --git a/faq/ports/guide.html b/faq/ports/guide.html
index 9cfe0db80..ae3d1d79c 100644
--- a/faq/ports/guide.html
+++ b/faq/ports/guide.html
@@ -1303,12 +1303,6 @@ OpenBSD is strongly security-oriented.
 You should read and understand this page's
 security section.
 
-
-Be sure to add the $OpenBSD$ CVS tag to the Makefile.
-The account name, version number, etc., will be filled in automatically
-by CVS during commit, you do not need to add those or touch those lines
-in an update.
-
 
 The goal is to get all ported applications to support OpenBSD.
 To achieve this goal, feed patches to support running on OpenBSD back to
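Review bot: the commit message says the advice is obsolete but not why; a short reason in the message (what replaced the $OpenBSD$ CVS tag, or that it is no longer expanded) would let readers of the history judge the change without digging. Two smaller points on the hunk itself: removing the paragraph together with its separator lines leaves two adjacent empty context lines around the deleted block, so the rendered page may end up with a stray empty paragraph; and it is worth grepping the rest of guide.html for other mentions of the tag or of CVS filling in account name and version, so the page does not keep referring to a step this hunk deletes.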



Re: pf documentation

2022-04-07 Thread Stuart Henderson
On 2022-04-07, Steve Litt  wrote:
> I need some easy beginner's pf documentation as well as some
> intermediate pf documentation. I plan to make an OpenBSD/pf firewall. I
> haven't done this in ten years, and imagine pf and the process of
> turning OpenBSD into a firewall have changed in that time.

The pf.conf(5) manual is the primary reference, if you prefer to have a
nicely formatted printable version you can get one with

$ man -T pdf pf.conf > pf.conf.pdf

There are many many online guides about configuring PF; some are
helpful, many less so. If you do use these, cross-referring to
pf.conf(5) is a good idea.

IMHO the "building a router" example on the FAQ complicates things a
bit too much (it is actually "how to set up dhcp, wifi hostap [which few
people actually use and doesn't work on many adapters], and a DNS
resolver", and uses some PF features which I think it's really better
if you understand what they do before using them).

My main tips would be:

- start the ruleset with a "block" or "block log" rule so that no
packets match the implicit default "rule 0", which is effectively
"pass all no state". This avoids one of the main hard-to-diagnose
cases where some packets are accepted without creating firewall state.

- tags and received-on can be pretty helpful and most guides don't
use them.

- if you can't figure out which rules are matching a packet, put
a "match log(matches)" rule at the top of the ruleset (maybe
with a from/to or port restriction if it's on a busy machine),
and watch "tcpdump -nevvipflog0" - when a packet traverses the
PF ruleset, you'll get some output for every rule matching that
packet, with a final line showing the overall pass/drop outcome.
The rule numbers shown can be looked up with "pfctl -sr -R XX -v".
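The three tips above put together in one small pf.conf, as an added example that is not from Stuart's message: an explicit default block at the top, tags with received-on for the forwarded LAN traffic, and a commented-out match log(matches) line to uncomment while diagnosing. Interface names em0/em1 and the LAN prefix 192.0.2.0/24 are assumptions.

```pf
# Added example ruleset; interface names and the LAN prefix are assumptions.
ext_if  = "em0"
lan_if  = "em1"
lan_net = "192.0.2.0/24"

set skip on lo

# Tip 1: explicit default deny, so nothing falls through to the implicit
# stateless "rule 0". "log" makes the drops visible on pflog0.
block log all

# Tip 3 (debugging only): log every rule a packet matches, then watch
# "tcpdump -nevvi pflog0" and look rules up with "pfctl -sr -R XX -v".
# Narrow it on a busy box, e.g. "from 192.0.2.5" instead of "all".
# match log(matches) all

# Tip 2: tag traffic by where it entered and filter on the tag later.
# received-on checks the original ingress interface of a forwarded packet,
# so spoofed LAN addresses arriving on the external side never match.
match in on $lan_if inet from $lan_net tag LAN
pass in on $lan_if tagged LAN
match out on $ext_if inet tagged LAN nat-to ($ext_if)
pass out on $ext_if tagged LAN received-on $lan_if

# The firewall's own outbound traffic.
pass out on $ext_if inet from ($ext_if)

# Inbound to the firewall itself: only ssh from the outside, anything from LAN.
pass in on $ext_if inet proto tcp to ($ext_if) port 22
pass in on $lan_if inet from $lan_net to ($lan_if)
```

With "block log all" first, "tcpdump -nevvi pflog0" shows every packet that was dropped by default, which is the quickest way to spot the state-creation problems the first tip warns about.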




Re: [www] ports: delete note about $OpenBSD$

2022-04-07 Thread Marc Espie
On Thu, Apr 07, 2022 at 02:33:36PM +0300, Mikhail wrote:
> This advice is no longer needed.
> 
> diff --git a/faq/ports/guide.html b/faq/ports/guide.html
> index 9cfe0db80..ae3d1d79c 100644
> --- a/faq/ports/guide.html
> +++ b/faq/ports/guide.html
> @@ -1303,12 +1303,6 @@ OpenBSD is strongly security-oriented.
>  You should read and understand this page's
>  security section.
>  
> -
> -Be sure to add the $OpenBSD$ CVS tag to the Makefile.
> -The account name, version number, etc., will be filled in automatically
> -by CVS during commit, you do not need to add those or touch those lines
> -in an update.
> -
>  
>  The goal is to get all ported applications to support OpenBSD.
>  To achieve this goal, feed patches to support running on OpenBSD back to
> 
> 
Committed thx



Re: sysupgrade fails due to "CHECK AND RESET DATE" ?

2022-04-07 Thread Jan Stary
> It seems that problem is not having any display device during sysupgrade
> process.

I don't think sysupgrade has any requirements regarding a display device:
headless machines get sysupgraded regularly



Re: sysupgrade fails due to "CHECK AND RESET DATE" ?

2022-04-07 Thread Kasak



> On 7 Apr 2022, at 17:13, Jan Stary wrote:
> 
> 
>> 
>> It seems that problem is not having any display device during sysupgrade
>> process.
> 
> I don't think sysupgrade has any requirements regarding a display device:
> headless machines get sysupgraded regularly
Yes. I have some other headless machines, but this PC does not update without
a display.
And some guys on reddit also had this issue.



map/mount a directory/partition into memory

2022-04-07 Thread Mihai Popescu
Hello,

Since my computer is struggling with chromium and I suspect it's the
disk access being too slow, I want to map the directory accessed by
chromium (I think it is ~/.cache) into memory.

Looking in the man pages, I spotted rd, but I think I need to set this up in
the kernel.
The next choice is tmpfs.
The next one is mfs.

I have no experience with this stuff, so is it worth taking this approach?
If so, what is the recommended fs, please?
Is it possible to map/mount a directory from a partition only, or is
only the entire partition accepted as a mount argument?

Thank you.



OpenSMTPD + Dovecot + Dkimsign configuration?

2022-04-07 Thread latincom
Hello

I have had 1 personal server for years with httpd and OpenSMTPD mail
server working correctly; thanks OpenBSD Team.

But now I have another server for 500 colleagues with OSMTPD + Dovecot +
Dkimsign working well; but I ask, is it possible to use only OSMTPD
with virtual users + Dkimsign?

Please tell me what I might read.

Thanks .



Re: OpenSMTPD + Dovecot + Dkimsign configuration?

2022-04-07 Thread Martijn van Duren
On Thu, 2022-04-07 at 21:04 -0700, latin...@vcn.bc.ca wrote:
> Hello
> 
> i have had 1 Personal server for years with httpd and OpenSMTPD  mail
> server working correctly; thanks OpenBSD Team.
> 
> But now i have another server for 500 Colleagues with OSMTPD + Dovecot +
> Dkimsign working well; but i ask, if it were possible to use only OSMTPD
> with virtual users + Dkimsign?
> 
> Please tell me what i might read.
> 
> Thanks .
> 
I'm not 100% sure what your question is, but filter-dkimsign doesn't
care about users, virtual or otherwise.

filter-dkimsign uses the domain part of the first mailbox from the
From field if it matches any of the domains specified by '-d'. This
should be conformant to RFC 7489 (DMARC). If none of the '-d'-specified
domains match, it defaults back to the first '-d' domain.

Hope this answers your question.

martijn@