Re: How do you do "family remote support"?
On Thu, Jul 13, 2017 at 09:45:55AM +0100, Etienne wrote:
> On 13/07/17 09:36, Philippe wrote:
> > The best option to me was a reverse SSH. A script connects them
> > automatically to my server @home, opening a specific port so I can
> > connect to their computers.
> >
> > It works, it's simple, they don't have to do anything, they even can go
> > anywhere I'll still be able to help them. You don't have to worry about
> > NAT and dynamic IP addresses anymore. :-)
>
> +1. And the script they run to start a reverse SSH session can also create a
> tunnel for VNC, and start x11vnc.

Many ways to do this:

1) I use iStat menus on the MacOS. The network icon can be configured to
tell you what IP addresses your Mac is on. The disadvantages are that
iStat menus isn't free and I'll have to tell my family how to get their
IP address, which is simpler with iStat but not drop dead simple.
Alternatives to this approach would be iTerm configured to launch an
appropriate ssh session to my house by default.

2) When I did a lot of "family-support" with my father-in-law, I ran an
OpenBSD box as his firewall/edge router. I had an IPSec VPN up between
our houses all the time. The router used bootp via MAC address rather
than dhcp for family Macs where I had to do support, so I always knew
where to VNC to. This was pretty simple for me because I use OpenBSD as
my edge router and an OpenBSD <--> OpenBSD IPSec tunnel is pretty simple
to set up. The disadvantages here are that at this point you really own
this network, and if your family calls their ISP for support they will
probably screw things up pretty badly. But I found OpenBSD on Soekris to
be stable enough that this wasn't really a problem.

If forced into a situation where I had to do support without an IPSec
VPN via the NATed and LAN IPs, I'd probably spend an afternoon writing a
python-tkinter program to display that information. Something really
simple like:

    Your Lan IP is: x.x.x.x / Your outside IP is: y.y.y.y

and then an exit button. Then I would enable VNC.

-- 
Chris

      __o          "All I was trying to do was get home from work."
    _`\<,_           -Rosa Parks
___(*)/_(*).___o..___..o...ooO..._
Christopher Sean Hilton[chris/at/vindaloo/dot/com]
Re: FreeBSD daemon(8)-like command for OpenBSD
On Wed, Jan 29, 2020 at 09:46:10AM +, Kevin Chadwick wrote:
> On 2020-01-27 19:13, Patrick Kristiansen wrote:
> > Is there something like the FreeBSD daemon(8) command for OpenBSD, which
> > can run a process in the background and restart it if it crashes?
>
> Of course init does this for getty but as others have pointed out, restarting
> daemons listening to the network during unexpected occurrences, like the
> kernel killing it during exploitation, is a terrible default. I hear it in
> GoLang all the time and it irks me. I am against panic handling in Go
> generally but perhaps there will be some occasion where it may be of some use
> for semi-unexpected issues (perhaps hw redundancy, though generally that is
> better handled by having redundant complete systems).
>
> You can always use monit from pkg/ports for anything you have decided is an
> exception but it is good that OpenBSD makes people stop and think and maybe
> fix first.

I understand the security issues involved and I *completely* agree with
all who posted on them above. Having said that, I'll add that the
complete source code for the FreeBSD daemon(8) program is on any FreeBSD
system that has the source code package installed, at:

    your-freebsd-system.your-domain.your-tld:/usr/src/usr.sbin/daemon

free for you to grab. It should therefore be trivial to get FreeBSD's
daemon(8) onto your OpenBSD box by grabbing the source from a FreeBSD box
and building it on your OpenBSD system.

I would emphasize that this is only the best option if you're most
comfortable with daemon(8) as opposed to something from OpenBSD's
pkg/ports tree, and you can build it from source. Otherwise you'd be
better off installing one of the many ports/packages designed to manage
and restart daemons mentioned above.

-- 
Chris
OpenSMTPD/mail stuck in queue with incorrect relay
Hi all,

I'm replacing a security appliance that was on OpenBSD 5.5 with the new
hotness on OpenBSD 5.8. Everything is going smoothly except email. The
box is connected to a private network; it has no route to the internet.
I'd like it to listen on localhost only and relay all mail to a host
running smtp on the private network. I can see from the logs that
opensmtpd has used DNS to find the MX record for my domain
smtp.example.com and it's trying to contact that host directly. That's
due to a mistake in my previous mail configuration. /etc/mail/smtpd.conf
now reads:

    ##
    # $OpenBSD: smtpd.conf,v 1.7 2014/03/12 18:21:34 tedu Exp $

    listen on lo0

    table aliases db:/etc/mail/aliases.db

    accept for local alias <aliases> deliver to mbox
    accept from local for any \
        relay via smtp://smtp.pvt.example.com as @example.com
    ##

New mail to ch...@example.com works fine. How do I tell smtpd to
re-route messages currently in the queue to the smarthost at
smtp.pvt.example.com?

-- 
Chris
Re: OpenSMTPD/mail stuck in queue with incorrect relay
On Sat, Nov 21, 2015 at 07:06:51PM +0100, Denis Fondras wrote:
> > How do I tell smtpd to re-route messages currently in the queue to the
> > smarthost at smtp.pvt.example.com?
> >
>
> I haven't checked lately but it was not possible last time I asked.

Sucks to be me. At least I've got the routing problem fixed and I have
confirmation that mail is going to the right smarthost now. I'll
temporarily hook this into the front side network and attempt delivery
to clear the queue.

Thank you for the quick reply!

-- 
Chris
Re: NSD/Unbound clarifications
On Mon, Nov 23, 2015 at 12:24:53PM +0100, Alessandro Baggi wrote:
> Hi list,
> I've switched from Obsd 5.3 from Pfsense to try it. Now I want come back to
> Obsd. I prefer it.

Great choice.

[snip]

> Now today I've nsd and unbound that I can use on my firewall.
> I don't need authoritative server, and I should use unbound.
> nsd and unbound have similar syntax and I reading from web I can resolve dns
> with each of them.
>
> Now I'm confused...which to use? Correct me if I'm wrong:
>
> 1) I must use only nsd for authoritative server (internet exposed) for my
> hypothetical zone (I can use it in my lan for dns resolver?).
>
> 2) I can use only unbound for lan dns resolving/caching/validating with
> zones if not needed an authoritative domain.
>
> 3) I can use nsd for authoritative server (internet exposed) and for lan use
> unbound as recursive/cache dns with the authoritative server.
>
> 4) I can use unbound as authoritative server and for recursing and other.
>
> 5) NSD is the best for authoritative and unbound for other things.

As others have said: unbound is a recursive resolver that can forward dns
queries upstream. It can perform in a limited role as an authoritative
server using local-zone but the configuration there is cumbersome if you
have more than a handful of hosts.

nsd is an authoritative server that's flexible enough to easily replace
bind as your authoritative server if that's what you need.

You can combine the forwarding capabilities of unbound with the
authoritative capabilities of nsd to do everything that bind did. I'm
assuming the advantage of this setup is that the combination of unbound
and nsd has a smaller footprint or is more secure or more than likely
not both.

The configuration isn't that difficult but there are some gotchas. In my
example I needed to be authoritative for a domain so I configured nsd to
serve the domain. The man pages for nsd explained this well and it's
quite simple. The trick is to have nsd serve the domain on localhost only
and not on port 53. Then I configured unbound to be a recursive resolver
that forwarded requests for "example.com" to the local nsd. Here's the
configuration snippet. In my example the network is running at
192.168.10.0 so I forwarded two zones:

    ##
    server:
        ...
        ## This setting is critical. Without it unbound won't forward
        ## requests to nsd running on localhost.
        do-not-query-localhost: no
        ...

    forward-zone:
        name: "example.com."
        forward-addr: 127.0.0.1@5300

    forward-zone:
        name: "168.192.in-addr.arpa."
        forward-addr: 127.0.0.1@5300

    ## forward-zone:
    ##     name: "."                  # use for ALL queries
    ##     forward-addr: 8.8.8.8
    ##     forward-addr: 8.8.4.4
    ##

If you can set up bind then you shouldn't have problems setting up and
testing nsd to serve forward and reverse for a domain. Configuring nsd
on an alternate port is pretty simple. The config snippet above
redirects unbound to the local nsd.

That probably answers more than you wanted. But I could see this
combination of nsd and unbound being popular among people looking for a
lighter weight alternative to bind.

-- 
Chris
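An added check for the do-not-query-localhost gotcha described above (example code written for this edit, not the poster's configuration or any unbound tooling; the sample configs are constructed from the snippet). It parses the server: and forward-zone: sections of an unbound-style file and flags any zone forwarded to a loopback address while the server section still has the default do-not-query-localhost.

```python
"""
Lint an unbound.conf for the localhost-forwarding gotcha.

Parses the server: and forward-zone: sections of an unbound-style config
(comments stripped, indentation ignored) and reports every forward-zone whose
forward-addr targets a loopback address while server: lacks
"do-not-query-localhost: no".  With unbound's default ("yes") such a zone is
silently never forwarded, which is the failure the post warns about.
"""
import ipaddress
import re

# unbound writes forward-addr as an IP optionally followed by @port
_ADDR_RE = re.compile(r"^(?P<ip>[^@\s]+)(?:@(?P<port>\d+))?$")


def parse_unbound_conf(text):
    """Return (server_options, forward_zones).

    server_options: dict option -> last value seen under server:
    forward_zones:  list of {"name": str, "forward_addr": [str, ...]}
    Only the keys the check needs are interpreted; other server: keys are
    kept verbatim.  "..." lines (elision in the post) are skipped.
    """
    server, zones, section = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments, whitespace
        if not line or line == "...":
            continue
        if line.endswith(":") and " " not in line:   # e.g. "server:"
            section = line[:-1]
            if section == "forward-zone":
                zones.append({"name": None, "forward_addr": []})
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if section == "server":
            server[key] = value
        elif section == "forward-zone" and zones:
            if key == "name":
                zones[-1]["name"] = value
            elif key == "forward-addr":
                zones[-1]["forward_addr"].append(value)
    return server, zones


def is_loopback_forward(addr):
    """True if a forward-addr value (ip or ip@port) targets a loopback address."""
    m = _ADDR_RE.match(addr)
    if not m:
        return False
    try:
        return ipaddress.ip_address(m.group("ip")).is_loopback
    except ValueError:
        return False


def check_localhost_forwarding(text):
    """Return a list of problem strings; an empty list means the config is fine."""
    server, zones = parse_unbound_conf(text)
    # unbound's default for do-not-query-localhost is "yes"
    allowed = server.get("do-not-query-localhost", "yes").lower() == "no"
    problems = []
    for zone in zones:
        local = [a for a in zone["forward_addr"] if is_loopback_forward(a)]
        if local and not allowed:
            problems.append(
                "forward-zone %s forwards to loopback %s but server: lacks "
                "'do-not-query-localhost: no'; unbound will not query it"
                % (zone["name"], ", ".join(local)))
    return problems


# Constructed sample: the post's snippet, with and without the critical line.
GOOD_CONF = """
server:
    do-not-query-localhost: no

forward-zone:
    name: "example.com."
    forward-addr: 127.0.0.1@5300

forward-zone:
    name: "168.192.in-addr.arpa."
    forward-addr: 127.0.0.1@5300
"""

BAD_CONF = GOOD_CONF.replace("    do-not-query-localhost: no\n", "")

if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(label, check_localhost_forwarding(conf) or "ok")
```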
python uwsgi port/package
Hi,

I'm looking for a uwsgi port for use with nginx and django. Searching
the ports collection I don't find anything. I'd like to know if that's
not done because no one has needed it yet or because of some security
implication that I don't know about.

I'd prefer a port since I don't want to use two packaging systems, pkg
and pip. If I build a port I'd also eventually add an rc-script since
under the uwsgi model of the web the backend web process gets started
separately. I can take an existing python port and create something
which I would gladly share with the project. But if uwsgi is excluded
because of security issues then building a port would be silly.

Thanks for any information,

-- 
Chris
Re: pf, anchors, and macros
On Wed, Dec 02, 2015 at 01:37:52PM -0200, Giancarlo Razzolini wrote:
> Macros need to be present in each anchor file. Tables don't need to. I
> have a little script that copies all my macros after I edit /etc/pf.conf
> to the anchors. I use commented marks on /etc/pf.conf to know where to
> begin copying and where to end. But you get the point.

I think it's always been this way. This may have changed but if you
specify filter conditions in your anchor definition, the screening you
get is a combination of the screen on the anchor from the base pf.conf
file and the filters specified in the anchor file itself. I use anchors
on FreeBSD which is using an older version of pf but I got around the
issue this way:

    --- /etc/pf.conf ---
    ...
    anchor imapd in on $ext_if from any to ($ext_if)
    load anchor imapd from "/etc/pf-anchor-home/imapd.conf"
    ...

    --- /etc/pf-anchor-home/imapd.conf ---
    imapd_ports="{ 143, 993 }"

    pass in proto tcp to any port $imapd_ports keep state

That's a simple example. It would honestly be better without the anchor
since using the anchor divides the rule up into two places. I do it that
way because I can easily split firewalling up across two puppet rules.
As Giancarlo wrote, the anchor can use your tables. He didn't mention
that the anchor can define its own macros. The net result of this is:

    pass in on $ext_if \
        from any \
        to ($ext_if) port { 143, 993 } \
        keep state

-- 
Chris
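The macro scoping this thread is about, as an added example (not Giancarlo's copy script or the poster's puppet setup): a small checker that collects the macros an anchor file defines, reports any $macro a rule references that the file never defines (pf.conf's macros are invisible inside an anchor), and expands the macros so the rule reads the way pf will evaluate it. The anchor files below are constructed from the post; only quoted macro values and backslash continuations are parsed, not pf's rule grammar.

```python
"""
Macro lint and expansion for pf anchor files.

An anchor file loaded with "load anchor ... from" cannot see the macros
defined in /etc/pf.conf, so every $name it uses must be defined in the
anchor file itself.  This module finds the ones that are not, and expands
the ones that are.
"""
import re

# name="value"   (pf macro definition; only quoted values are handled here)
_DEF_RE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"([^"]*)"\s*$')
# $name          (macro reference inside a rule)
_REF_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def parse_pf_file(text):
    """Return (macros, rules): macro name -> value, and the non-macro lines.

    Backslash-continued lines are joined as pfctl does; comments and blank
    lines are dropped; runs of whitespace in rules are collapsed.
    """
    macros, rules, pending = {}, [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line = (pending + line).strip()
        pending = ""
        m = _DEF_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
        else:
            rules.append(" ".join(line.split()))
    return macros, rules


def undefined_macros(text):
    """Names referenced as $name in this file's rules but never defined in it."""
    macros, rules = parse_pf_file(text)
    referenced = set()
    for rule in rules:
        referenced.update(_REF_RE.findall(rule))
    return sorted(referenced - set(macros))


def expand_rule(rule, macros, max_rounds=10):
    """Substitute $name with its value; values may reference other macros.

    Unknown names are left as-is so the caller can still see them.  Raises
    ValueError if expansion never settles (a cyclic definition).
    """
    for _ in range(max_rounds):
        new = _REF_RE.sub(lambda m: macros.get(m.group(1), m.group(0)), rule)
        if new == rule:
            return rule
        rule = new
    raise ValueError("macro expansion did not converge: %r" % rule)


# Constructed inputs: the anchor file from the post, and a broken variant
# that relies on a macro defined only in /etc/pf.conf.
IMAPD_ANCHOR = '''
imapd_ports="{ 143, 993 }"

pass in proto tcp to any port $imapd_ports keep state
'''

BROKEN_ANCHOR = '''
# imapd_ports and ext_if live in /etc/pf.conf, so they are not visible here
pass in on $ext_if proto tcp to any port $imapd_ports keep state
'''

if __name__ == "__main__":
    macros, rules = parse_pf_file(IMAPD_ANCHOR)
    for rule in rules:
        print(expand_rule(rule, macros))
    print("undefined in broken anchor:", undefined_macros(BROKEN_ANCHOR))
```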
Re: python uwsgi port/package
On Wed, Dec 02, 2015 at 07:19:25PM +, Pedro Tender wrote:
> Node.js modules have been removed also in favor of npm.
> I highly recommend virtualenv and pip to keep your system cleaner if not
> every other reason (package versions, incompatibilities, etc).
> Keep Python packages away from your system and into their own environment.

While I love pip and virtualenv in development, I don't understand the
advantage they offer over the system package manager on a production
machine. In addition, I feel that a reasonable uwsgi package would
include an rc-script to start your app automatically at system boot
time. [1] Combine all of this with puppet, git and some git-hook magic
for your custom bits and you end up with an easily managed system.
There's no doubt that all of this could be hand hacked but the way I see
it the less hand hacking on production machines, the better. It might
just be my style, but I feel that the less work I have to do on a
production system from the command line, the more reliable that system
will be.

[1] As an aside, my efforts might be better spent adding an rc script to
the current gunicorn package. But, if I'm correct uwsgi is written in C
so I expect it to be a little more performant. My project is going to
run on a Soekris Net5501 at the end of the day and the whole reason I'm
going here is because apache/mod_wsgi has horrible first time startup
costs serving django applications and tuning it is a bear.

-- 
Chris
Re: python uwsgi port/package
On Wed, Dec 02, 2015 at 07:54:48PM +, Pedro Tender wrote:
> If you have multiple apps in production with different versions of packages
> that break compatibility then you'll be in a world of pain.

I do see that advantage.

> You also have supervisor to make it rc-able.

Does pip/virtualenv include a supervisor, or do I have to write a script
that sets up virtualenv for startup and launches the app?

-- 
Chris
Re: python uwsgi port/package
On Wed, Dec 02, 2015 at 09:16:05PM +0100, Kamil Cholewiński wrote:
> Everything boils down to whether you'd like to run more than one app on
> your box.
>
> > While I love pip and virtualenv in development, I don't understand the
> > advantage they offer over the system package manager on a production
> > machine.
>
> Easy: whenever you can't be bothered with proper containers. App X
> requires package foo version 1.2, app Y requires foo version 1.4.
>
> Docker solves this universally. You can also achieve a similar effect by
> building a chroot. virtualenv's advantage is it doesn't require root,
> and is (subjectively) easier to use.

I agree with this completely but I tend to be in the one VM per app
category which puts me solidly in the "one app per box" square. I like
what I've heard about Docker because it commercializes and commoditizes
the one app per box management philosophy.

[... snip ...]

> > In addition, I feel that a reasonable uwsgi package would include an
> > rc-script to start your app automatically at system boot time.
>
> I prefer to run my application servers with runit. Traditional RC
> scripts usually assume one package = one application instance. Usually
> that's a sane assumption (what would be your reason for running two
> instances of Apache?) but again, if you can't be bothered with
> containers, virtualenv+runit make it easy to just put app X in /home/x,
> app Y in /home/y, then run two uwsgi's.

I looked at runit but the documentation bills it as a replacement for
init which I find to be very heavyweight. Am I missing something about
runit, like a way to use it to manage a set of processes under init?

> You've mentioned Puppet. Also check out Ansible.

I would have said that I'm with Winston Churchill [1] on puppet but I
have to say that I'm not. Right now, puppet's what I know. I'm aware of
chef and I have seen Ansible in the space. If Ansible is the one that's
written in python I think I want to look at that one next.

Thank you very much,

-- 
Chris

[1] "Indeed it has been said that democracy is the worst form of
Government except for all those other forms that have been tried from
time to time." -- Winston Churchill to the House of Commons - 11-Nov, 1947
Re: python uwsgi port/package
On Wed, Dec 02, 2015 at 09:19:25PM +, Pedro Tender wrote:
> You have a port http://ports.su/sysutils/supervisor

Thanks for the tip, that's exactly what I'm looking for!!

I also wanted to say thanks for the input. I understand what you are
saying and when I run into version incompatibility issues I usually run
to: create a user that does this app, create an environment for the app
to run in. It's just not where I'd like to be by default.

Thanks again for the tips!

-- 
Chris
Re: a little help with ipsec
On Wed, Dec 02, 2015 at 03:53:46PM +0100, Marko Cupać wrote:
> On Tue, 1 Dec 2015 23:49:37 + (UTC)
> Stuart Henderson wrote:
>
> > Neither isakmpd nor iked tracks DNS changes.
>
> This is good to know, thank you for the information.
>
> > On the central side use "passive" not "dynamic". Remove the "peer
> > $gw_branche" to set this for the 'default peer' (i.e. to avoid
> > matching on IP address).
>
> [ ...snip ]
>
> > It might be easier to get the basic setup working with psk first, but
> > when you have that up and running, see the PUBLIC KEY AUTHENTICATION
> > section in isakmpd(8) and get that setup, it is pretty simple to use
> > and much safer than psk.
>
> That was the idea from the beginning, didn't want to complicate further
> before having basic setup working.

You have things working as well as they can if you have a dynamic IP
address for one endpoint. It's really too bad that ipsec is such a black
box in this area. You really have to deconstruct IPSec to understand the
mechanisms that it uses to identify a peer and choose a configuration.

When your ipsec.conf file specifies multiple stanzas corresponding to
different tunnels, isakmpd or iked has to figure out which peer it's
talking to. Let's call this peer endpoint identification. It has to do
this so it can apply the correct stanza to the connecting peer. It can
identify a peer via IP address, FQDN from DNS, or via a key or
certificate. Alternatively your static side configuration can specify a
default and if the dynamic side only needs to present the correct key,
the static side can establish the tunnel.

As someone mentioned above, both isakmpd and iked do a DNS lookup at
program startup and then never consult DNS again. The implication of
"once at startup DNS" is that using FQDN via DNS with a dynamic IP is
always going to be problematic. You know that the tunnel parameters you
have are set up correctly on both sides because the tunnel works
initially. If your dynamic side is truly dynamic what's happening is
this: the dynamic side tries to renegotiate because its IP address
changed; the static side rejects the negotiation because it hasn't
updated its config to match the new state in DNS.

Moving to public keys will fix the renegotiation problem by using an
identification token that's independent of DNS.

-- 
Chris
dpb build box performance suggestions.
I'm trying to use dpb to maintain a small set of packages for a handful
of OpenBSD boxes that I run. These boxes will all be single purpose
servers of some type or another. Many of them will run with limited disk
space and memory on Soekris hardware. What resources do I want on my
dpb/build box to make it fast?

My dpb/build box is a VMWare virtual machine on a host with SSD storage.
Tweaking the number of available CPUs, the memory, or the type of
storage is relatively simple. Further, I can split the task and have a
fast build VM and an install virtual machine which shares httpd
available storage via NFS.

Thanks in advance for any help/advice.
Re: dpb build box performance suggestions.
On Wed, Dec 16, 2015 at 11:15:29PM +, Tati Chevron wrote:
> >Or both. Drop VMWare on the floor NOW, if you need virtualisation use
> >generic QEMU/KVM in any recent Linux distribution of your choice and
> >plan to wipe it clean after you're done fiddling with it. Yes, really
> >seriously remove the virtualisation for a build machine, go bare metal.
> >Try without hyperthreading for a comparison. Before you notice and get
> >to complain you need VM for something just use the native OpenBSD
> >hypervisor.
>
> Our build machines both run on bare metal. To be honest, once you've
> pulled the entire set of source distfiles for one release, you don't even
> need much in the way of connectivity to stay up to date.

Virtual is the only option but I'm not trying to mirror the entire ports
collection. I'm trying to run a puppet/package server for a tiny fleet
of soekris boxen.

> From the way the OP described the setup, it does look like he intends to
> run the build machine remotely, as a VPS. I wouldn't recommend using a
> VPS as a build machine, as you need CPU and RAM with little connectivity,
> which is the opposite of what most VPS providers will offer. Our build
> machines are on-site, and we just send the resulting binary packages
> wherever they need to go.

It's not remote. It runs as one virtual server of two on a 2010 MacPro.
My host is modest. It's a 2.8GHz Xeon with 24Gb of RAM and 0.5Tb of SSD.
My ports list is equally modest. I generally run OpenBSD in a server
role. If I were to build an OpenBSD desktop, I would rely on the
project's mirrors. There's a good argument to be made that me using dpb
is a fool's errand but I like to rely on myself. My ports list is
equally modest at 24 ports right now. I expect it to grow but not by
much.

> >>Also, be aware that some ports have a mass of unnecessary dependencies,
> >>and that tweaking this can reduce the build time substantially, especially
> >>if you are building the same packages repeatedly for some reason.
> >
> >Use a "virtual" axe ;-) virtually "axing" around.
>
> Really, have a look at the dependencies for ImageMagick, and ask yourself
> who really uses djvu, for example. Removing it and ghostscript reduces
> the dependencies from:
>
> 5.8-release:
>
> # make print-build-depends
[ massive dependency list snipped... ]

Thank you!!! This hits the nail on the head. One of the twenty four
things I currently want is editors/emacs,gtk2. That wants ImageMagick...
I stopped the dpb build this morning at I=417 ports. As far as I'm
concerned that's off the chain. I'm trying to decide between figuring
out who the big players are in my dependency chain or just going with
editors/emacs,no_x11 and using tramp and or git when I want bells and
whistles emacs.

-- 
Chris
Re: python uwsgi port/package
On Wed, Dec 02, 2015 at 07:22:27PM +, Stuart Henderson wrote:
> On 2015-12-02, Christopher Sean Hilton wrote:
> >
> > Thanks for any information,
>
> I made a start at a port, I was going to use it for something but it
> didn't happen in the end so I left it in openbsd-wip in case anyone
> wants to pick it up. The basics are there (though may need updating)
> and IIRC it did work, it'll want a bit of polish though - rc script,
> probably its own uid/gid, maybe a readme etc.

Stuart,

Thank you very much for your port of uwsgi. I got it going on my test
instance without much trouble a couple of weeks ago and I'm putting it
into production. If you are interested, I read the docs on the rc.d
system and came up with this:

    #!/bin/sh
    #

    daemon="/usr/local/sbin/uwsgi"

    . /etc/rc.d/rc.subr

    pexp="${daemon} .*--master"
    rc_reload=NO

    rc_cmd $1
    ## -

I kept with the emperor/vassals theme and created a directory
/etc/uwsgi/vassals for configs and ran in master/emperor mode. To run
the script you'll want:

    uwsgi_flags="--daemonize --master --emperor /etc/uwsgi/vassals"

in your /etc/rc.conf.local.

You'll also probably want to add a user or a few, perhaps one per uwsgi
service instance, and create an ini file for each like this:

    [uwsgi]
    plugins = python
    socket = 127.0.0.1:8001
    uid = service_user
    gid = service_user
    chdir = /var/www/htdocs/my_django_site/code
    module = my_django_service.wsgi:application

Thanks again for your help. Without it things would have been much more
difficult.

-- 
Chris
IPsec config with dynamic IP.
I have an IPSec VPN endpoint running on OpenBSD on a cable modem.
Technically it has a dynamic IP but in practice the IP only changes
about once every 3 ~ 5 years. I run ddclient on the OpenBSD box to
maintain the dns name of the box so I can find it and that's working
well. My ipsec configuration is based on certificates. Thus, my single
point of failure is DNS resolution. And my failure modality is that
things won't configure if DNS is unavailable. Specifically, my problem
is with startup of the ipsec infrastructure. I get this error at
startup:

    starting early daemons: syslogd pflogd ntpd isakmpd.
    no IP address found for ike-v1.example.com
    /etc/ipsec.conf: 15: could not parse host specification
    no IP address found for ike-v1.example.com
    /etc/ipsec.conf: 26: could not parse host specification
    no IP address found for ike-v1.example.com
    /etc/ipsec.conf: 35: could not parse host specification
    ipsecctl: Syntax error in config file: ipsec rules not loaded
    starting RPC daemons:.
    savecore: no core dump
    checking quotas: done.
    clearing /tmp
    kern.securelevel: 0 -> 1
    creating runtime link editor directory cache.
    preserving editor files.
    starting network daemons: sshd snmpd rtadvd smtpd.
    starting package daemons: squid isc_named netsnmpd.
    starting local daemons: cron.

Logging into the box and doing:

    # rcctl restart isakmpd
    ...
    # ipsecctl -F -f /etc/ipsec.conf
    ...

makes everything good again. This leads to a few questions:

My box cannot resolve the name "ike-v1.example.com" until after
isc_named is started which happens way late in the bootup process. I've
noticed that the rcctl manpage mentions changing the startup order.

* Can I affect this change at all since isakmpd is a base system service
  and isc_named is in pkg_scripts?

Just restarting isakmpd doesn't load /etc/ipsec.conf. Without a
configuration, I'm not sure how useful isakmpd is.

* Would it be wise to just add a cron job that fires at reboot and uses
  rcctl to reload isakmpd and then reloads the ipsec configuration?

As always, it's possible that I'm completely missing something here. I'm
always interested in better solutions.

Thank you very much,

-- 
Chris
Re: IPsec config with dynamic IP.
On Fri, Feb 19, 2016 at 11:36:04AM +, Stuart Henderson wrote:
> On 2016-02-18, Christopher Sean Hilton wrote:
> > My box cannot resolve the name "ike-v1.example.com" until
> > after isc_named is started which happens way late in the bootup
>
> That seems like a misconfiguration - apart from this issue, what if BIND
> crashes or you need to update it? can't you list another nameserver
> in resolv.conf?

I've always run servers that have bind with resolv.conf as:

    search example.com
    nameserver 127.0.0.1

so, as a dynamically configured ip on a cable modem, this server has:

    supersede domain-name-servers 127.0.0.1;

in /etc/dhclient.conf. But I've recently found that changing that from
supersede to prepend can be useful in other situations. I can do that
here also.

> You could run isakmpd/ipsecctl from rc.local which always runs after
> the main startup scripts. Otherwise you're into modifying /etc/rc.

That's a good tip. There are pieces of it that I like better than my
solution of an @reboot cron job.

Thanks!

-- 
Chris
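One way to act on Stuart's rc.local suggestion without racing the nameserver, as an added example (not from the thread or from OpenBSD's rc scripts): the script polls the resolver for the peer names the rules depend on and only then runs the same rcctl/ipsecctl pair the poster used by hand. The resolver, the command runner and the sleep are injectable so the waiting logic can be exercised offline; the peer name list, paths and timings are assumptions drawn from the error output above.

```python
"""
Gate loading of /etc/ipsec.conf on DNS being able to resolve the peers.

Intended to be called from rc.local, which runs after the package daemons
(here, the local BIND) have started.  Until every configured peer name
resolves, ipsecctl would fail with "no IP address found for ..." and leave
the box without its rules, so we wait, with a bounded retry budget.
"""
import socket
import subprocess
import sys
import time

IPSEC_CONF = "/etc/ipsec.conf"                 # assumed path, as in the post
PEER_NAMES = ["ike-v1.example.com"]            # name from the post's error output


def system_resolver(name):
    """Resolve with the libc resolver; return a list of addresses, empty on failure."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def wait_for_names(names, resolver=system_resolver, attempts=30, delay=2.0,
                   sleep=time.sleep):
    """Poll until every name resolves or the attempt budget is spent.

    Returns (ok, unresolved, rounds): ok is True when all names resolved;
    unresolved lists the names still failing; rounds is how many polls ran.
    A name that resolved once is not re-queried in later rounds.
    """
    pending = list(names)
    for rounds in range(1, attempts + 1):
        pending = [n for n in pending if not resolver(n)]
        if not pending:
            return True, [], rounds
        if rounds < attempts:
            sleep(delay)
    return False, pending, attempts


def load_ipsec(conf=IPSEC_CONF, run=subprocess.run):
    """Restart isakmpd, then flush and load the rules; return ipsecctl's exit status."""
    run(["rcctl", "restart", "isakmpd"], check=False)
    return run(["ipsecctl", "-F", "-f", conf], check=False).returncode


def main():
    ok, unresolved, rounds = wait_for_names(PEER_NAMES)
    if not ok:
        print("DNS still cannot resolve %s after %d tries; ipsec rules not loaded"
              % (", ".join(unresolved), rounds), file=sys.stderr)
        return 1
    return load_ipsec()


if __name__ == "__main__":
    sys.exit(main())
```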
How does isakmpd determine which config stanza to use?
I have an ipsec setup using certificate/ca based authentication. The
config looks like this:

    # $OpenBSD: ipsec.conf,v 1.5 2006/09/14 15:10:43 hshoexer Exp $
    #
    my_fqdn="dynamic-0.example.com"
    my_v4_ip="192.168.1.1"
    my_v4_net="10.0.0.0/23"

    remote_fqdn="dynamic-1.example.com"
    remote_v4_net="10.0.2.0/24"

    ## -- Remote router
    ike passive esp from { $my_v4_ip, $my_v4_net } to { $remote_fqdn, $remote_v4_net } \
        local $my_v4_ip peer $remote_fqdn \
        main auth hmac-sha256 enc aes-128 group modp1024 lifetime 1800 \
        quick auth hmac-sha256 enc aes-128 group none \
        srcid $my_fqdn dstid $remote_fqdn

    ## -- Laptop(s)
    ike passive esp from { $my_v4_ip, $my_v4_net } to any \
        local $my_v4_ip peer any \
        main auth hmac-sha256 enc aes-128 group modp1024 lifetime 1800 \
        quick auth hmac-sha256 enc aes-128 group none \
        srcid $my_fqdn

I'm trying to configure for two kinds of tunnels. One to a small soekris
box that provides its own network, and one for laptop(s) that connect
ad-hoc from coffee shops or clients' work sites. The soekris box has a
fqdn certificate. The laptops have user-fqdn certs. My question is:

* Am I right to assume that when connecting to isakmpd the soekris box
  will match to the "Remote router" stanza because it's trying to build
  a tunnel from "srcid <-> dstid", or is isakmpd using the "local <->
  peer" to choose the stanza?

I ask the question to get a better understanding of how isakmpd chooses
the configuration stanza in case I have to expand on this config. Also,
I find this a little tricky because both sides of the tunnel are on
dynamic IPs although one side changes very very rarely.

Another question I have is:

* Would it be worth my while to move this config out of isakmpd/ikev1
  into ike/ikev2? With the soekris, I'm tunnelling IPv6 traffic over a
  gif v4/v6 tunnel. While this works, it's a tremendous kludge. And my
  ipv6 mtu ends up being something like 1320 bytes after all the
  overhead from UDP NAT-T and ESP overhead. I'd heard that ikev2 lowers
  the overhead but if it's just in the negotiation exchange it may not
  be worth the work.

Thanks

-- 
Chris
Dhcpleased feature request.
So, today I was attempting to replace dhcpleased with /sbin/dhclient and
long story short, I discovered that /sbin/dhclient has been nerfed to
just execl /sbin/dhcpleased. As documented, the reason is you want to
smoke out whatever features people need from a dhcp client that
dhcpleased doesn't support.

I'm writing to say that I'd be fine with dhcpleased if I can set an
option to ask the dhcp server for a specific lease time. I know that the
server need not honor my request but the dhcp server that I'm using will
honor a reasonable duration, say a fraction of a day. The default lease
length is 30 minutes.

I'm reading through the dhclient code now to see how it implements the
lease time option. If I'm capable, I'll send in a patch.

I want to say thank you for all the improvements in OpenBSD over the
years. I just upgraded my firewall from OpenBSD 7.0 to 7.3 and the
improvements are awesome.

Thanks again!

-- 
Chris
Both serial and pc consoles on Super Micro A1SRi-2758F machine
I run my firewall on a SuperMicro A1SRi-2758F. On this hardware, I've noticed that I seem to have the choice of either a PC console or a serial console. If I ask for a serial console *on this hardware* I get a console on uart:com0 and it works great but I don't have any PC/VGA consoles. On the other hand, if I configure for a PC console, hoping to just enable the serial port in /etc/ttys, I have a getty running against the UART hardware but it can't use it as a console. Hitting return in a cu window from my oob server doesn't get any output.

I can solve my problems in one of two ways. If I can boot with serial consoles by setting them up in /etc/boot.conf and also have terminals on the pc consoles, I'd be happy. I'd also be happy if I could figure out how to configure the BIOS to enable the serial port as just a plain serial port. Super Micro seems to have other ideas and I understand that this is *my* problem.

I'll take any suggestions here.

-- Chris
Re: Both serial and pc consoles on Super Micro A1SRi-2758F machine
On Mon, Aug 28, 2023 at 07:41:19AM +0200, Otto Moerbeek wrote:
> On Sun, Aug 27, 2023 at 08:40:44PM -0400, Christopher Sean Hilton wrote:
>
> [ ...snip... ]
>
> > I can solve my problems in one of two ways. If I can boot with serial
> > consoles by setting them up in /etc/boot.conf and also have terminals
> > on the pc consoles, I'd be happy. I'd also be happy if I could figure
> > out how to configure the BIOS to enable the serial port as just
> > a plain serial port. Super Micro seems to have other ideas and I
> > understand that this is *my* problem.
> >
> > I'll take any suggestions here.
>
> What did you put into /etc/ttys when using a VGA console?
>
> -Otto
>

I've moved it to the serial console config. Admitting in advance that I could be mistaken, I've posted the relevant files below. I annotated the dmesg output with marks to show where the serial port is detected and that the wsdisplay *does not attach* to the detected vga1 device. I think that if I could make the wsdisplay device attach then my problem would be solved.
Thanks again

-- Chris

Attached output follows:

== /etc/boot.conf ==

stty com0 115200
set tty com0

== /etc/ttys ==

#
# $OpenBSD: ttys,v 1.2 2008/01/09 17:39:42 miod Exp $
#
# name    getty                           type    status  comments
#
console "/usr/libexec/getty std.9600"    vt220   off secure
ttyC0   "/usr/libexec/getty std.9600"    vt220   on  secure
ttyC1   "/usr/libexec/getty std.9600"    vt220   on  secure
ttyC2   "/usr/libexec/getty std.9600"    vt220   on  secure
ttyC3   "/usr/libexec/getty std.9600"    vt220   on  secure
ttyC4   "/usr/libexec/getty std.9600"    vt220   off secure
ttyC5   "/usr/libexec/getty std.9600"    vt220   on  secure
ttyC6   "/usr/libexec/getty std.9600"    vt220   off secure
ttyC7   "/usr/libexec/getty std.9600"    vt220   off secure
ttyC8   "/usr/libexec/getty std.9600"    vt220   off secure
ttyC9   "/usr/libexec/getty std.9600"    vt220   off secure
ttyCa   "/usr/libexec/getty std.9600"    vt220   off secure
ttyCb   "/usr/libexec/getty std.9600"    vt220   off secure
tty00   "/usr/libexec/getty std.115200"  unknown on  secure
tty01   "/usr/libexec/getty std.115200"  unknown on  secure
tty02   "/usr/libexec/getty std.9600"    unknown off
tty03   "/usr/libexec/getty std.9600"    unknown off
tty04   "/usr/libexec/getty std.9600"    unknown off
tty05   "/usr/libexec/getty std.9600"    unknown off
tty06   "/usr/libexec/getty std.9600"    unknown off
tty07   "/usr/libexec/getty std.9600"    unknown off
...

== dmesg.boot ==

OpenBSD 7.3 (GENERIC.MP) #3: Tue Jul 25 08:20:26 MDT 2023
    r...@syspatch-73-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 8541495296 (8145MB)
avail mem = 8263225344 (7880MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0x7f4d8000 (50 entries)
bios0: vendor American Megatrends Inc. version "2.1" date 01/18/2018
bios0: Supermicro A1SRi-2758F
acpi0 at bios0: ACPI 5.0
acpi0: sleep states S0 S5
acpi0: tables DSDT FACP FPDT FIDT SPMI MCFG WDAT UEFI APIC BDAT HPET SSDT SPCR HEST BERT ERST EINJ
acpi0: wakeup devices PEX1(S0) PEX2(S0) PEX3(S0) PEX4(S0) EHC1(S0)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimcfg0 at acpi0
acpimcfg0: addr 0xe000, bus 0-255
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Atom(TM) CPU C2758 @ 2.40GHz, 2400.37 MHz, 06-4d-08
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,
cpu0: 24KB 64b/line 6-way D-cache, 32KB 64b/line 8-way I-cache, 1MB 64b/line 16-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 100MHz
cpu0: mwait min=64, max=64, C-substates=0.2.0.0.0.0.3, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Atom(TM) CPU C2758 @ 2.40GHz, 2400.66 MHz, 06-4d-08
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,
cpu1: 24KB 64b/line 6-way D-cache, 32KB 64b/line 8-way I-cache, 1MB 64b/line 16-way L2 cache
cpu1: smt 0, core 1, package 0
...
cpu7 at mainbus0: apid 14 (application processor)
cpu7: Intel(R) Atom(TM) CPU C2758 @ 2.40GHz, 2402.94 MHz, 06-4d-08
cpu7: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS
Re: Both serial and pc consoles on Super Micro A1SRi-2758F machine
On Mon, Aug 28, 2023 at 04:50:37PM +0200, Otto Moerbeek wrote:
> On Mon, Aug 28, 2023 at 10:33:23AM -0400, Christopher Sean Hilton wrote:
>
> > On Mon, Aug 28, 2023 at 07:41:19AM +0200, Otto Moerbeek wrote:
> > > On Sun, Aug 27, 2023 at 08:40:44PM -0400, Christopher Sean Hilton wrote:
> > >
> > > [ ...snip... ]
> > >
> > > > I can solve my problems in one of two ways. If I can boot with serial
> > > > consoles by setting them up in /etc/boot.conf and also have terminals
> > > > on the pc consoles, I'd be happy. I'd also be happy if I could figure
> > > > out how to configure the BIOS to enable the serial port as just
> > > > a plain serial port. Super Micro seems to have other ideas and I
> > > > understand that this is *my* problem.
> > > >
> > > > I'll take any suggestions here.
> > >
> > > What did you put into /etc/ttys when using a VGA console?
> > >
> > > -Otto
> > >
> >
> > I've moved it to the serial console config. Admitting in advance that
> > I could be mistaken, I've posted the relevant files below. I annotated
> > the dmesg output with marks to show where the serial port is detected
> > and that the wsdisplay *does not attach* to the detected vga1
> > device. I think that if I could make the wsdisplay device attach then
> > my problem would be solved.
>
> Having wsdisplay(4) without the underlying device being marked
> as console is atypical. Don't know if it is possible at all.
>

Here's part of a dmesg for a different OpenBSD machine that I run, also as a packet filter. It has slightly different hardware but in this case, wsdisplay attaches and I get 5 pc terminals as well as a serial console.

=== dmesg output ===

acpiprt6 at acpi0: bus 2 (P0P8)
acpiprt7 at acpi0: bus 3 (P0P9)
acpipci0 at acpi0 PCI0: 0x0010 0x0011 0x
acpicmos0 at acpi0
*> com0 at acpi0 UAR1 addr 0x3f8/0x8 irq 4: ns16550a, 16 byte fifo
*> com0: console
acpibtn0 at acpi0: PWRB
acpicpu0 at acpi0: C1(@1 halt!)
acpicpu1 at acpi0: C1(@1 halt!)
acpicpu2 at acpi0: C1(@1 halt!)
acpicpu3 at acpi0: C1(@1 halt!)
ipmi at mainbus0 not configured
pci0 at mainbus0 bus 0
*> pchb0 at pci0 dev 0 function 0 "Intel Pineview DMI" rev 0x02
*> inteldrm0 at pci0 dev 2 function 0 "Intel Pineview Video" rev 0x02
*> drm0 at inteldrm0
*> intagp0 at inteldrm0
*> agp0 at intagp0: aperture at 0xd000, size 0x1000
*> inteldrm0: apic 4 int 16, PINEVIEW, gen 3
*> "Intel Pineview Video" rev 0x02 at pci0 dev 2 function 1 not configured
uhci0 at pci0 dev 26 function 0 "Intel 82801I USB" rev 0x02: apic 4 int 16
uhci1 at pci0 dev 26 function 1 "Intel 82801I USB" rev 0x02: apic 4 int 21
...
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0 mux 1
*> vga0 at isa0 port 0x3b0/48 iomem 0xa/131072
*> wsdisplay at vga0 not configured
pcppi0 at isa0 port 0x61
...
*> inteldrm0: 1024x768, 32bpp
*> wsdisplay0 at inteldrm0 mux 1
pckbd_enable: command error
*> wsdisplay0: screen 0-5 added (std, vt100 emulation)

In this case wsdisplay is attaching to the intel graphics card built into the chipset. The motherboard here is a much older, much lower performance Intel Atom D525. On the target hardware, when /etc/boot.conf is missing or empty, wsdisplay0 attaches to vga[01].

As I said in my original post, SuperMicro is doing something *fancy* with the serial port on this motherboard to *enhance* the usefulness of the remote sessions on the serial hardware. Whatever trick they are pulling is not working correctly. I've scoured the BIOS to find a configuration that makes com1: 0x3f8/irq 4 just be a serial UART. I can't find it.
I was hoping that either there's a way to configure the kernel to attach vga1 to wsdisplay through `boot -c` or that someone has experience with the BIOS on these machines and has convinced the motherboard to remove the *fancy sauce* attached to the serial ports.

Thank you again for your help Otto,

-- Chris
Re: Dhcpleased feature request.
On Tue, Aug 29, 2023 at 08:53:14AM -, Stuart Henderson wrote:
> On 2023-08-28, Christopher Sean Hilton wrote:
> > I'd be fine with
> > dhcpleased if I can set an option to ask the dhcp server for a
> > specific lease time. I know that the server need not honor my request
> > but the dhcp server that I'm using will honor a reasonable duration,
> > say a fraction of a day. The default lease length is 30 minutes.
>
> I do think this is a useful thing to be able to add to the request and
> probably is something that dhcpleased should have.
>
> > I'm reading through the dhclient code now to see how it implements the
> > lease time option. If I'm capable, I'll send in a patch.
>
> You probably won't find dhclient code to be particularly helpful in
> implementing this. In dhclient the set of all requested options is built up in
> one place, then written to the packet separately, and it's all done in
> one process so it's just stored in memory. In dhcpleased the values
> for a fixed set of config options are passed through a message-passing
> framework between several processes and the request packet is built,
> using the options values if they were set but otherwise ignoring them.
>
> It's easiest to first hardcode the actual requested lease time and get
> the packet sending to work (a few lines of code in one function) before
> looking at making it configurable (not difficult, but requires changes
> in various pieces of code in different files).
>
> You would need to add to the request in dhcpleased/frontend.c's
> build_packet() function. See how the various options are appended to the
> buffer dhcp_packet by incrementing the pointer p and writing/copying to
> it. See how existing config options like hostname and client id are
> added (first byte is the option number using the relevant DHO_DHCP_xxx
> #define, followed by the number of bytes used to encode that option
> value, followed by the value).
>
> In this case it's DHO_DHCP_LEASE_TIME (numerically that's 51), and it's
> always 4 bytes and written as an unsigned integer (number of seconds).
> (https://datatracker.ietf.org/doc/html/rfc2132#section-9.2)
>
> Note the value must be in network byte order; htonl will be needed to
> convert from host byte order.
>
> To make it configurable in dhcpleased a bunch of 'plumbing' is needed,
> follow how an existing option like hostname is passed through from the
> config parser to the engine to where the request packets are actually
> built via messages sent through the imsg api. Nothing really tricky
> but it's a bit of a pipeline of different pieces that need connecting
> and it's probably more encouraging to see your efforts show up in the
> transmitted packet before starting on that.
>
> You might find the graphical wireshark utility to be helpful in the
> initial stage of changing build_packet() as you can click on the decoded
> DHCP options in the request and see how they translate to bytes in the
> packet. Or tcpdump, but the concise output format used by the dhcp
> decoder isn't very obvious at first.
>

Stuart,

Thanks for the tips. That will save me a bucket of time. I have a couple of hours on the train this afternoon. I'll look into things then.

Thanks again

-- Chris
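Stuart's description above (one byte of option code, one byte of length, then the 4-byte lease time written with htonl) worked through as an added stand-alone example; this is not dhcpleased's build_packet() code, and the function names, the DHO_* values (taken from RFC 2132) and the constructed option bytes are my own assumptions. The reader half also checks that a declared option length does not run past the buffer, which is the check a packet parser on either end needs before trusting the length byte.

```c
#include <arpa/inet.h>		/* htonl, ntohl */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Option codes per RFC 2132; dhcpleased's own DHO_* names are assumed to
 * carry the same numeric values. */
#define DHO_PAD			0
#define DHO_DHCP_LEASE_TIME	51
#define DHO_END			255

/*
 * Append option 51 (IP Address Lease Time) at offset off in buf: code,
 * length (always 4), then the seconds in network byte order.  Returns
 * the new write offset, or 0 if the 6 bytes would not fit.
 */
size_t
append_lease_time_option(uint8_t *buf, size_t buflen, size_t off,
    uint32_t seconds)
{
	uint32_t be;

	if (off > buflen || buflen - off < 2 + sizeof(be))
		return 0;
	buf[off++] = DHO_DHCP_LEASE_TIME;
	buf[off++] = sizeof(be);
	be = htonl(seconds);
	memcpy(buf + off, &be, sizeof(be));
	return off + sizeof(be);
}

/*
 * Walk an options area (the bytes after the magic cookie) looking for
 * option 51.  Returns 1 and sets *seconds if found, 0 if absent, -1 if
 * an option's declared length runs past the buffer (malformed input that
 * should be dropped rather than read beyond its end).
 */
int
find_lease_time(const uint8_t *opts, size_t len, uint32_t *seconds)
{
	size_t i = 0;

	while (i < len) {
		uint8_t code = opts[i++];
		uint8_t olen;
		uint32_t be;

		if (code == DHO_PAD)
			continue;
		if (code == DHO_END)
			break;
		if (i >= len)
			return -1;	/* code byte with no length byte */
		olen = opts[i++];
		if (olen > len - i)
			return -1;	/* declared length exceeds the data */
		if (code == DHO_DHCP_LEASE_TIME) {
			if (olen != sizeof(be))
				return -1;
			memcpy(&be, opts + i, sizeof(be));
			*seconds = ntohl(be);
			return 1;
		}
		i += olen;
	}
	return 0;
}

/*
 * Round trip on a constructed options area (not a real capture): a
 * message type option, a request for a 6 hour lease, then END.  Returns
 * the lease time read back, or 0 if any step fails.
 */
uint32_t
demo_roundtrip(void)
{
	/* 21600 s = 0x00005460, so the option must be: 51 4 00 00 54 60 */
	static const uint8_t want[] = { 51, 4, 0x00, 0x00, 0x54, 0x60 };
	uint8_t opts[32];
	size_t off = 0;
	uint32_t seconds = 0;

	opts[off++] = 53;	/* DHCP Message Type, length 1 */
	opts[off++] = 1;
	opts[off++] = 3;	/* DHCPREQUEST */
	off = append_lease_time_option(opts, sizeof(opts), off, 21600);
	if (off == 0)
		return 0;
	opts[off++] = DHO_END;
	if (memcmp(opts + 3, want, sizeof(want)) != 0)
		return 0;
	if (find_lease_time(opts, off, &seconds) != 1)
		return 0;
	return seconds;
}

/* Constructed malformed option: the length byte says 4, only 2 follow. */
int
demo_truncated(void)
{
	static const uint8_t bad[] = { 51, 4, 0x00, 0x00 };
	uint32_t seconds;

	return find_lease_time(bad, sizeof(bad), &seconds);
}
```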
Soekris equivalent
Is anyone aware of an equivalent for the Soekris Net 5501-70? I'm looking to prototype an OpenBSD border gateway that offers web proxy capabilities through squid cache but squid is a bit of a memory hog and I'd like to have something with a Gig of RAM. Power footprint is a consideration which is why the Soekris is at the top of the list.

-- Chris

Chris Hilton                        tildeChris -- http://myblog.vindaloo.com
                                    email -- chris/at/vindaloo/ dot/com
.~ ~ .--.~ ~.--.~~.--.~~.--.~~.--.~~.--.~~.--.~~.--.~~.--.~~.--.~~.--.~~.--.~~.
"I'm on the outside looking inside, What do I see?
 Much confusion, disillution, all around me."
                                    -- Ian McDonald / Peter Sinfield
Split Horizon DNS issues....
I'm trying to track down a split horizon DNS issue. On initial startup everything works great. Internal hosts can resolve names against my complete zone and can resolve names for other internal hosts just fine. External hosts get the abbreviated views that I've setup. But after a period of time named stops responding to external hosts. Requests to it just time out.

I'm running stock named on OpenBSD 4.3. I've attached my named.conf file to this message. Sorry about the Mime attachment.

-- Chris

Chris Hilton                        e: chris|at|vindaloo| dot|com
"The pattern juggler lifts his hand; The orchestra begin.
 As slowly turns the grinding wheel in the court of the crimson king."
                                    -- Ian McDonald / Peter Sinfield

[demime 1.01d removed an attachment of type application/octet-stream which had a name of named.conf-split-obsd]
Re: Split Horizon DNS issues w/named.conf
Repost with conf file included:

I'm trying to track down a split horizon DNS issue. On initial startup everything works great. Internal hosts can resolve names against my complete zone and can resolve names for other internal hosts just fine. External hosts get the abbreviated views that I've setup. But after a period of time named stops responding to external hosts. Requests to it just time out.

I'm running stock named on OpenBSD 4.3. I've attached my named.conf file to this message:

// $OpenBSD: named-dual.conf,v 1.6 2004/08/16 15:48:28 jakob Exp $
//

acl clients {
        127.0.0.0/8;
        192.168.0.0/23;
        ::1;
};

options {
        version "";     // remove this to allow version queries

        listen-on    { any; };
        listen-on-v6 { any; };
};

logging {
        category lame-servers { null; };
};

view "internal" {
        match-clients { clients; };
        match-recursive-only yes;

        // -
        // Standard zones
        //
        zone "." {
                type hint;
                file "standard/root.hint";
        };

        zone "localhost" {
                type master;
                file "standard/localhost";
                allow-transfer { localhost; };
        };

        zone "127.in-addr.arpa" {
                type master;
                file "standard/loopback";
                allow-transfer { localhost; };
        };

        zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
                type master;
                file "standard/loopback6.arpa";
                allow-transfer { localhost; };
        };

        // -
        // Slave zones
        //
        zone "example.com" IN {
                type slave;
                file "slave/db.example.com";
                check-names ignore;
                masters { 192.168.1.34; };
                allow-transfer { localhost; 192.168.1.34; 192.168.0.34; };
        };

        zone "0.168.192.in-addr.arpa" IN {
                type slave;
                file "slave/db.192.168.0";
                masters { 192.168.1.34; };
                allow-transfer { localhost; 192.168.1.34; 192.168.0.34; };
        };

        zone "1.168.192.in-addr.arpa" IN {
                type slave;
                file "slave/db.192.168.1";
                masters { 192.168.1.34; };
                allow-transfer { localhost; 192.168.1.34; 192.168.0.34; };
        };
};

view "external" {
        match-clients { "any"; };
        recursion no;
        additional-from-auth no;
        additional-from-cache no;

        // -
        // Master zones
        zone "example.com" {
                type master;
                file "master/db.example.com";
        };
};

// Local variables:
// mode: fundamental
// mode: font-lock
// tab-width: 4
// End:

-- Chris

--
Chris Hilton                        chris-at-vindaloo-dot-com
"All I was doing was trying to get home from work!" -- Rosa Parks
Isakmpd Cert question.
I'm using isakmpd to manage an ipsec VPN between OpenBSD 5.8 <-> OpenBSD 6.0. This also manages a VPN between Mac OS X/ IPsecuritas and OpenBSD 6.0.

The example describes a situation where you have one self signed root certificate located in /etc/isakmpd/ca/root.crt and otherside::client.crt from the other side which should be signed by root.crt. My situation is slightly different. I have:

    otherside::client.crt
        (signed by) /etc/isakmpd/ca/intermediate.crt
        (signed by) /etc/isakmpd/ca/root.crt

But I'm having trouble getting this going. As I read the source code in x509.c I can see that isakmpd is at least reading and hashing all the certs in /etc/isakmpd/ca. Is there something special that I have to do to have it chain intermediate.crt -> root.crt so it can use client.crt without having to put client.crt into /etc/isakmpd/certs?

Thanks for all your help!

-- Chris
Isakmpd vs iked
How hard is it to transition from an isakmpd managed IPsec VPN to iked management? I have a certificate based isakmpd solution that works. Is it mainly just a matter of rsyncing the directories and using a little editor magic on the ipsec.conf file to create iked.conf?

Thanks in advance,

-- Chris
Re: Isakmpd Cert question.
On Tue, Feb 07, 2017 at 11:23:29AM -0500, Christopher Sean Hilton wrote:
> I'm using isakmpd to manage an ipsec VPN between OpenBSD 5.8 <-> OpenBSD
> 6.0. This also manages a VPN between Mac OS X/ IPsecuritas and OpenBSD 6.0.
>

Some more information on this and possibly a real question:

Here's the logs from the OpenBSD 5.8 machine:

130142.003702 Cryp 40 x509_read_from_dir: reading certs from /etc/isakmpd/ca/
130142.004443 Cryp 60 x509_read_from_dir: reading certificate /etc/isakmpd/ca/Readme.md
130142.004825 Default x509_read_from_dir: PEM_read_X509 failed for /etc/isakmpd/ca/Readme.md
130142.004921 Cryp 60 x509_read_from_dir: reading certificate /etc/isakmpd/ca/ca.crt
130142.006237 Cryp 60 x509_read_from_dir: reading certificate /etc/isakmpd/ca/root.crt
130142.007072 Cryp 60 x509_read_from_dir: reading certificate /etc/isakmpd/ca/sign.crt
130142.008005 Cryp 50 x509_read_from_dir: X509_STORE_add_cert failed for /etc/isakmpd/ca/sign.crt
130142.008133 Cryp 40 x509_read_from_dir: reading certs from /etc/isakmpd/certs/

The intermediate cert: .../ca/sign.crt is an x509 CA cert which is signed by .../ca/root.crt yet X509_STORE_add_cert fails to add it to the chain. I'm expecting sign.crt to be accepted because it's issued by root.crt.

Q: Is X509_STORE_add_cert trying to build a chain or is it expecting a list of self-signed root certificates?

-- Chris
Solved -- Was: Isakmpd Cert question.
On Tue, Feb 07, 2017 at 01:30:13PM -0500, Christopher Sean Hilton wrote:
> On Tue, Feb 07, 2017 at 11:23:29AM -0500, Christopher Sean Hilton wrote:
> > I'm using isakmpd to manage an ipsec VPN between OpenBSD 5.8 <-> OpenBSD
> > 6.0. This also manages a VPN between Mac OS X/ IPsecuritas and OpenBSD 6.0.
> >
>
> Some more information on this and possibly a real question:
>
> Here's the logs from the OpenBSD 5.8 machine:
>
> 130142.003702 Cryp 40 x509_read_from_dir: reading certs from /etc/isakmpd/ca/
> 130142.004443 Cryp 60 x509_read_from_dir: reading certificate
> /etc/isakmpd/ca/Readme.md
> 130142.004825 Default x509_read_from_dir: PEM_read_X509 failed for
> /etc/isakmpd/ca/Readme.md
> 130142.004921 Cryp 60 x509_read_from_dir: reading certificate
> /etc/isakmpd/ca/ca.crt
> 130142.006237 Cryp 60 x509_read_from_dir: reading certificate
> /etc/isakmpd/ca/root.crt
> 130142.007072 Cryp 60 x509_read_from_dir: reading certificate
> /etc/isakmpd/ca/sign.crt
> 130142.008005 Cryp 50 x509_read_from_dir: X509_STORE_add_cert failed for
> /etc/isakmpd/ca/sign.crt
> 130142.008133 Cryp 40 x509_read_from_dir: reading certs from
> /etc/isakmpd/certs/
>

Looks like the ../ca/ca.crt and ../ca/sign.crt had the same cert. isakmpd was rejecting both from its internal CA as a duplicate so there was no issuer for my peer certs. Removing the duplicate solved the problem.

Thanks if you looked or even if you didn't

-- Chris
Policy question regarding OpenBSD -STABLE and ports.
I'm trying to use dpb to build a collection of ports that I use in my shop. I took the following steps:

  Primed /usr/ports from .../OpenBSD/6.0/.../ports.tar.gz
  Used CVS to update ports from an anoncvs report to -rOPENBSD_6_0
  Ran dpb to build my short list of ports.

The issue that I have is that devel/leatherman is not compiling because of a conflict with net/curl. A little digging around in CVSWeb reveals that net/curl was updated in -rOPENBSD_6_0 and that devel/leatherman received a patch to work against net/curl. But that patch was backed out when devel/leatherman updated from version 0.7.4 to version 0.8.1. It looks like devel/leatherman depends on net/curl; net/curl was updated in both -STABLE and -CURRENT; devel/leatherman was only updated in -CURRENT.

I'm assuming that my mistake was that I didn't run dpb to build ports against the primed tree where I guess devel/leatherman would build against the older net/curl. Is this correct?

Thanks in advance,

Chris

-- Chris
Gif tunnel / pf / queueing
I would like to apply queueing to packets traversing a gif tunnel. I'd like to know what works better: tagging outbound packets on the gif interface and applying them to queues by tag when they leave on the external interface? Or assigning packets to the queues directly when they are on the gif interface?

If I understand things correctly queues work on interfaces. That leads me to think that tagging for later queueing is the better approach.

-- Chris
Re: Gif tunnel / pf / queueing
On Wed, Mar 02, 2016 at 10:46:08PM +1000, David Gwynne wrote:
> > On 2 Mar 2016, at 1:51 AM, Christopher Sean Hilton
> > wrote:
> >
> > I would like to apply queueing to packets traversing a gif tunnel. I'd
> > like to know what works better, Tagging outbound packets on the gif
> > interface and applying them to queues by tag when they leave on the
> > external interface? Or assigning packets to the queues directly when
> > they are on the gif interface?
> >
> > If I understand things correctly queues work on interfaces. That leads
> > me to think that tagging for later queueing is the better approach.
>
> in this instance it shouldn't matter. however, if you have multiple
> outgoing interfaces the gif traffic can leave on, it's better to
> apply the policy on the gif interface.

I think I can re-phrase the question in a better way:

I'm using gif0 to tunnel IPv6 over IPv4 from my local network via Hurricane Electric to the internet. Since gif0 is a tunnelling interface all my outbound traffic will ultimately traverse my external interface, ext_if, which has a set of queues. I want my IPv6 traffic to be subject to queues on ext_if. My understanding is that queues are interface specific so I suspect that doing this:

queue ob_root on $ext_if bandwidth 1000M qlimit 304
    queue ob_ext parent ob_root bandwidth 40M qlimit 48
        queue ob_ext_priority parent ob_ext ...
        queue ob_ext_ssh parent ob_ext ...
        queue ob_ext_default parent ob_ext ... default
        queue ob_ext_low parent ob_ext ...
    queue ob_local parent ob_root bandwidth 960M qlimit 256
...

## Example (1): Will this work?
pass out on gif0 proto tcp to any port 22 \
        flags S/SA keep state \
        queue (ob_ext_ssh, ob_ext_priority) prio (4, 5)

## Example (2): I expect this to work because tags are designed to be sticky
match out on gif0 proto { udp, tcp } to any port 53 \
        flags S/SA keep state \
        tag OB_EXT_PRIORITY
...
match out on $ext_if tagged OB_EXT_PRIORITY \
        queue ob_ext_priority prio 5

I don't know what will happen with example (1). But I expect that example (2) will work because tags are designed to be sticky.

This thread implies that at one time queues were not sticky:

http://misc.openbsd.narkive.com/BXucT1to/pf-queue-filter-directive-sticky

The pf man page and later threads imply that queues have become sticky but the man page only refers to the match keyword. Is it the match keyword that makes queues sticky or did the change in pf way back when, change them from non-sticky to sticky?

-- Chris
Debugging queues on pf
I'm seeing something very strange when I try to debug queues on pf. I'm simply trying to view queue activity on the net using either:

# pfctl -vvsq

or

# systat queue

I'm trying to assign all udp traffic from my iPad to a priority queue with a ruleset in pf like this:

...
match out on $ext_if inet proto { udp, icmp } \
        set queue ob_default set prio 3
match out on $ext_if inet proto tcp \
        set queue (ob_default, ob_priority) set prio (3, 4)
match out on $ext_if inet proto { tcp, udp } to any port 53 \
        set queue ob_priority set prio 5
match out on $ext_if inet proto udp from \
        set queue ob_priority set prio 5

When I start a video chat on the iPad to a friend I'm expecting the packet and byte counts in the ob_priority queue shown with

# systat queue

to increase. But I didn't initially see that. When I first looked, the packets in the default queue were increasing and that queue showed a little less than 2Mbit/s of traffic. I found that consistent with my video chat being carried on the ob_default queue. No amount of playing with queueing in my ruleset seemed to fix that, including setting the default queue to ob_priority and deleting any assignments to the ob_default queue.

In a fit of pique, I rebooted the box against the "everything goes in the priority queue" config. After that I noticed that now everything went into the priority queue. And nothing would change that. I put the box back to the configuration that I thought would work with both priority and default queues and it appears to work now.

My question is: Is there some way besides rebooting the machine to get pf to recognize a change in the queuing and queueing assignment setup in /etc/pf.conf without rebooting the box? I've tried:

# pfctl -Frules -f/etc/pf.conf
# pfctl -Fstate
# pfctl -Fall -f /etc/pf.conf
# shutdown -r now

and the only thing that updated the queueing was the reboot.

Thanks for any help

-- Chris
Re: Debugging queues on pf
On Thu, Mar 03, 2016 at 08:00:11PM -0600, Lists wrote:
> pfctl -vvf /etc/pf.conf will reload the rules.
>
> Match rule with nat for the ext_if may not match because your
> internal ips are not seen on the ext_if.
>
> systat q to check usage. Every pfctl -f /etc/pf.conf clears the
> queue counters.
>
> I would match in on int_if from to any. This way the nat
> translation will assign the queue rule.
>

Thanks for your reply. Without putting words in your mouth: Queues are now sticky (they weren't in the past); I'll try:

match in on $int_if \
        set queue default set prio 3
match in on $int_if proto tcp \
        set queue (default, priority) set prio (3, 4)
match in on $int_if proto udp from \
        set queue (priority) set prio 4
...
match out on $ext_if from $int_if:network \
        nat-to ($ext_if)

That won't be perfect because I do static-port nat for some things but I think I can arrange it.

Thanks again!

-- Chris
Re: how to submit bug report regarding pf queueing?
On Wed, Mar 09, 2016 at 03:38:30PM +0100, Marko Cupać wrote:
> Hi,
>
> [ ...snip... ]
>
> So, what exactly do I need to do to submit bug report? Any outputs of
> any commands? Logs? I understand developers won't take my word for it,
> but I simply don't know how to prove it, except watching output of
> systat queues and monitoring queue bandwidth in real time.
>

You can use the sendbug(1) utility to report bugs to the project. As far as bugs in queuing go, I think that it's going to be a hard report to write well.

-- Chris
Re: how to submit bug report regarding pf queueing?
On Wed, Mar 09, 2016 at 03:38:30PM +0100, Marko Cupać wrote:
> Hi,
>
> [... snip ...]

I've also been trying to get help with queuing. Perhaps we can help each other out.

I'm using queuing to alleviate bufferbloat and make my son's gaming performance better. I'm on an asymmetric cablemodem connection here in the U.S. My download is 100M and my upload is 40M. I use a queue definition similar to this:

queue ext_iface on $ext_if bandwidth 1000M max 1000M qlimit 512
    queue download parent ext_iface bandwidth 120M max 120M qlimit 128 default
    queue ext_extra parent ext_iface bandwidth 880M max 880M qlimit 384

queue int_iface on $int_if bandwidth 1000M max 1000M qlimit 512
    queue upload parent int_iface bandwidth 40M max 40M qlimit 48
    queue int_internal parent int_iface bandwidth 960M max 960M qlimit 464

I found several things. Firstly, I found that all queues seem to have an implied parent queue that is based on their interface with a bandwidth of their interface speed. Thus:

queue download on $ext_if bandwidth 120M default

really meant:

queue download on $ext_if bandwidth 120M max 1000M default

hence my specification of the interface queue.

I'm trying to limit the bufferbloat so the depth of the queue is very important. I chose values for qlimit that keep the amount of time that a packet would traverse a queue down at the 0.015ms range:

    40Mbit/s / ( 8 bit/byte * 1500 byte/packet) * 0.015s = 50 packets

I used 48 because I'm keen on multiples of 16.

Have you tried anything like this?

-- Chris
Re: unbound eats up buffer space
On Wed, Mar 09, 2016 at 02:04:10PM +0100, Marko Cupać wrote:
> On Tue, 8 Mar 2016 12:24:59 +0100
> Otto Moerbeek wrote:
>
> > Give unbound more file descriptors; put in login.conf:
>
> It's already there, by default on 5.8.
>
> > And do not forget to set the class of the user _unbound to unbound:
>
> It's already set by default on 5.8.
>
> On Tue, 8 Mar 2016 07:36:06 -0600
> Brian Conway wrote:
>
> > Are you using pf queues? I most frequently see that happen when
> > there's no space left in a queue. `pfctl -v -s queue`
>
> That's probably it. I am going to try to create separate queue for dns
> traffic originating from the firewall.

I saw this on one of my machines. Correctly or incorrectly, I deduced that it was caused by unbound losing the ability to send a packet on its interface after a dhclient controlled interface state transition. These transitions happened at dhcp lease renew time.

I run isc_bind behind a cablemodem and had the same issue there. Isc_bind listens at each interface individually:

$ netstat -an | grep "\.53 "
tcp          0      0  169.254.0.1.53         *.*                    LISTEN
tcp          0      0  127.0.0.1.53           *.*                    LISTEN
udp          0      0  169.254.0.1.53         *.*
udp          0      0  127.0.0.1.53           *.*

Rather than:

$ netstat -an | grep "\.53 "
tcp          0      0  *.53                   *.*                    LISTEN
udp          0      0  *.53                   *.*

For isc_bind at least, when dhclient renewed the ip address, the listening socket at 169.254.0.1:53 became invalid and the query socket at 169.254.0.1:53 couldn't send packets.

YMMV

-- Chris
Re: how to submit bug report regarding pf queueing?
On Wed, Mar 09, 2016 at 02:45:36PM -0700, Daniel Melameth wrote:
> On Wed, Mar 9, 2016 at 10:58 AM, Christopher Sean Hilton
> wrote:
> > I'm using queuing to alleviate bufferbloat and make my son's gaming
> > performance better. I'm on an asymmetric cablemodem connection here in
> > the U.S. My download is 100M and my upload is 40M. I use a queue
> > definition similar to this:
> >
> > queue ext_iface on $ext_if bandwidth 1000M max 1000M qlimit 512
>
> This will mostly be a no op. Your max MUST be at or below your real
> bandwidth (not interface bandwidth) and your child queues will need to
> reflect this accordingly.

For me that no-op line is a reminder of what you are working with. It's also a reflection of a weird situation that I once tested with.

> > I'm trying to limit the bufferbloat so the depth of the queue is very
> > important. I chose values for qlimit that keep the amount of time that
> > a packet would traverse a queue down at the 0.015ms range:
> >
> > 40Mbit/s / ( 8 bit/byte * 1500 byte/packet) * 0.015s = 50 packets
> >
> > I used 48 because I'm keen on multiples of 16.
>
> This will be difficult to get right with pf. Does the game always use
> 1500 byte packets? Ultimately you'll want a small queue limit (expect
> to see more dropped packets).

That's just an example. In my case I derived the actual packet size and queue depth by running "systat queue".

Thanks for the advice

-- Chris
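The qlimit arithmetic from the queueing post and the point raised in this reply (a root queue's max must not exceed the real link speed, and children must fit under their parent) as a small checker. This is an added example, not code from the thread; the queue definitions and link speeds it checks are constructed, and the pf default qlimit of 50 is taken from pf.conf(5).

```python
"""Derive pf qlimit values from a queueing-delay budget and sanity-check a
queue hierarchy the way the thread above does (added example, not the
thread's code).
"""
import re

MTU_BYTES = 1500  # worst-case packet size assumed by the thread's formula


def qlimit_for(bandwidth_bps, delay_s, mtu=MTU_BYTES, multiple=1):
    """Packets a queue may hold before a full-size packet waits delay_s.

    bandwidth / (8 bit/byte * mtu byte/packet) * delay_s, nearest whole
    packet, then rounded down to a multiple of `multiple` (the thread
    likes multiples of 16).
    """
    packets = int(round(bandwidth_bps * delay_s / (8 * mtu)))
    if multiple > 1:
        packets -= packets % multiple
    return max(packets, 1)


def queue_delay(qlimit, bandwidth_bps, mtu=MTU_BYTES):
    """Worst-case seconds a packet waits in a full queue of qlimit packets."""
    return qlimit * 8 * mtu / bandwidth_bps


_UNITS = {"K": 1e3, "M": 1e6, "G": 1e9, "": 1}
_QUEUE_RE = re.compile(
    r"queue\s+(?P<name>\S+)\s+(?:on\s+(?P<iface>\S+)|parent\s+(?P<parent>\S+))"
    r"\s+bandwidth\s+(?P<bw>\d+)(?P<bwu>[KMG]?)"
    r"(?:\s+max\s+(?P<max>\d+)(?P<maxu>[KMG]?))?"
    r"(?:\s+qlimit\s+(?P<qlimit>\d+))?"
)


def parse_queues(text):
    """Parse the `queue ...` subset of pf.conf syntax used in the thread."""
    queues = {}
    for line in text.splitlines():
        m = _QUEUE_RE.search(line)
        if not m:
            continue
        queues[m["name"]] = {
            "iface": m["iface"],
            "parent": m["parent"],
            "bandwidth": int(m["bw"]) * _UNITS[m["bwu"]],
            "max": int(m["max"]) * _UNITS[m["maxu"]] if m["max"] else None,
            "qlimit": int(m["qlimit"]) if m["qlimit"] else 50,  # pf default
        }
    return queues


def check_queues(queues, link_speeds):
    """Return a list of problems: a root queue whose max exceeds the real
    link speed (the 'no-op' point in the reply), or children whose
    bandwidth sums exceed their parent's max."""
    problems = []
    for name, q in queues.items():
        if q["iface"] is None:
            continue  # child queues are checked through their parent
        cap = q["max"] or q["bandwidth"]
        real = link_speeds.get(q["iface"])
        if real is not None and cap > real:
            problems.append(f"{name}: max {cap:.0f} exceeds real link {real:.0f}")
        kids = [c for c in queues.values() if c["parent"] == name]
        total = sum(c["bandwidth"] for c in kids)
        if total > cap:
            problems.append(f"{name}: children need {total:.0f} > max {cap:.0f}")
    return problems


# Constructed sample modelled on the thread's upload side; a 40M real link.
SAMPLE_PF_CONF = """\
queue ext_iface on $ext_if bandwidth 1000M max 1000M qlimit 512
queue upload parent ext_iface bandwidth 40M max 40M qlimit 48
queue ext_extra parent ext_iface bandwidth 960M max 960M qlimit 464
"""

# Same link with the root capped at the real speed, as the reply advises.
FIXED_PF_CONF = """\
queue ext_iface on $ext_if bandwidth 40M max 40M qlimit 48
queue upload parent ext_iface bandwidth 30M max 40M qlimit 48 default
queue bulk parent ext_iface bandwidth 10M max 40M qlimit 48
"""

if __name__ == "__main__":
    print("qlimit for 40M at 15 ms:", qlimit_for(40e6, 0.015, multiple=16))
    for label, conf in (("sample", SAMPLE_PF_CONF), ("fixed", FIXED_PF_CONF)):
        for p in check_queues(parse_queues(conf), {"$ext_if": 40e6}) or ["ok"]:
            print(f"{label}: {p}")
```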
Performance tuning PF.
I have a packet filtering bridge running on PF and OpenBSD 6.8. My hardware is a SuperMicro Atom D525 server with dual Intel Gigabit NICs. I've added a second dual Intel card in a PCIe slot. When I run iPerf across this bridge, I max out at about 550Mbit/s. I'm running systat on the bridge. At peak load, I'm seeing 1500 ~ 1700 interrupts per second for each interface in the bridge via systat.

I'm noticing similar limitations from another OpenBSD 6.8 firewall that I run. This is an Atom C2758 machine. And in this case, I'm getting about 650 ~ 700 Mbit/s from the slightly faster hardware.

My questions are:

* Where should I be looking for the bottleneck on this problem?
* Is it possible with tuning to forward packets over this hardware at full gigabit speeds, ~950 Mbit/s?

Thanks for any help you can give,

-- Chris
Re: Performance tuning PF.
On Fri, Jul 23, 2021 at 10:04:25AM -, Stuart Henderson wrote:
> On 2021-07-22, Sebastian Benoit wrote:
[ ...snip ]
> >
> > The IO paths of those Atoms are slow. Disk IO is also lacking.
>
> The D525, yes.
>
> The C2758 should cope with much more than 650-700Mb/s though maybe
> not with OpenBSD as-is, they're not as good as the Xeon D (especially
> single-threaded performance) but they are still pretty capable.
>
> If I was running into a performance wall with C2758 I'd add a NIC with
> a driver that already supports multiple queues (ix is probably most
> common, em doesn't have this yet) and see how things go with the
> "forwarding in parallel" diffs over on tech@.

I'll upgrade the NIC in the C2758 and retest. Thank you very much for your help.

-- Chris
Re: Performance tuning PF.
On Thu, Jul 22, 2021 at 08:24:25PM +0200, Sebastian Benoit wrote:
[ ...snip]
>
> If you can get the later generation Xeon-D machines with similar form
> factor. Much better hardware.

So, I'm running the Atom machines because of power concerns. I'm not familiar with the Xeon-D line of processors. Is there any nod to power consumption in their design? I'm familiar with LGA1150 Xeons. I use these to run ESXi. I find that they offer a good balance of power consumption against performance.

Again, thanks for any help you can provide,

-- Chris
Re: Performance tuning PF.
On Fri, Jul 23, 2021 at 11:19:35AM -0400, Chris Hilton wrote:
> On Thu, Jul 22, 2021 at 08:24:25PM +0200, Sebastian Benoit wrote:
> [ ...snip]
> >
> > If you can get the later generation Xeon-D machines with similar form
> > factor. Much better hardware.
>
> So, I'm running the Atom machines because of power concerns. I'm not
> familiar with the Xeon-D line of processors. Is there any nod to power
> consumption in their design? I'm familiar with LGA1150 Xeons. I use
> these to run ESXi. I find that they offer a good balance of power
> consumption against performance.
>
> Again, thanks for any help you can provide,

Answering my own question, it looks like the Xeon D is Intel's newest low power stuff. I'll look there.

-- Chris
Resolved - Was: Performance tuning PF.
On Sat, Jul 24, 2021 at 10:24:28AM -, Stuart Henderson wrote:
> On 2021-07-23, Christopher Sean Hilton wrote:
> > On Fri, Jul 23, 2021 at 11:19:35AM -0400, Chris Hilton wrote:
[ ...snip... ]
> >
> > Answering my own question, it looks like the Xeon D is Intel's newest
> > low power stuff. I'll look there.
>
> Not particularly new, Xeon D 1500 series are from 2016 or so and still
> seem to be the range to go for if you care about good power use. Look
> at supermicro X10SDV (Xeon D 1500 series) or M11SDV (AMD EPYC). Sadly
> the M11SDV only has copper nics, X10SDV have decent ix(4) SFP+ plus
> some copper. (X10 is an older supermicro range, I'm not sure what the
> availability is like).
>
> supermicro, if you're reading, an EPYC board with a couple of SFP28
> onboard would be nice...
>
> Sample dmesg from one of the X10SDV models - em and ix are onboard,
> ixl is a card:
>
> OpenBSD 6.8-current (GENERIC.MP) #220: Thu Dec 10 20:03:29 MST 2020
> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
[ ...snip ]

Thanks to everyone for the answers that they provided. Just a late followup here.

I thought through my testing rig and realized that it was slightly flawed. I was originally using one of the Atoms as an iperf endpoint. That obviously messed up the tests. I retested using a pair of machines which I know can saturate a 1Gb/s connection. My new test rig is a pair of MacBook Pros with Thunderbolt Ethernet adapters:

* With just a GigE switch connecting the test machines, I measured a transfer rate of 942 Mb/s. The test program was iperf3.

* With OpenBSD 6.8 running a bridged configuration on an Intel Atom D525 with internal and external "em" nics, and filtering using pf, I measured a rate of 775 ~ 850 Mb/s. Again, the test program was iperf3.

Testing the routed configuration on my Atom C2758 is a little more difficult. I'll set that up next week. I expect that the transfer rate through that combination will be a little lower since routing is more difficult than bridging.

I am currently shopping Intel Xeon-D hardware. I plan to eventually replace the D525 bridge with the C2758 running in a bridged configuration and use new Xeon-D hardware for the router.

-- Chris
A pair of pf questions...
Hi,

My goal is to use OpenBSD to filter packets between my wireless segment and my DMZ. I've protected my wireless with WEP but in the long haul I'd like to be able to remove any authentication, WEP or WPA, from the wireless segment.

My first question is this: This strategy seemed to make sense a couple of years ago. Is there a better way to go now?

If this is a reasonable way to go I have a question about how to filter packets with pf in a bridged environment. I'd like to use a bridge because it means the least amount of work for me with regard to providing services to the wireless network (dhcp etc). In my implementation I'm filtering at the interfaces. My machine has a quad tulip card:

- de0 connects to the internet
- de1 connects to and has an ip address for my DMZ
- de2 connects to my wireless access point and has no ip
- bridge0 consists of interfaces de1 and de2

In my configuration I seem to be leaking packets from the bridge into the kernel where they hit a keep state rule that allows their passage. e.g. my simplified ruleset reads:

    block in all
    block out all

    pass out on de0 from $my_network to any port 5222 flags S/SA keep state

    pass in on de1
    pass out on de1

    pass in on de2 proto tcp \
        from $wireless_network \
        to any port 993 flags S/SA keep state

When I test this I find that a client on the wireless network can go to Google Talk (tcp port 5222) and the rule that allowed passage is:

    pass in on de1

I'm obviously confused about the way packets pass through the bridge. Any help would be appreciated. Please cc my address. I am subscribed to the list and I do read it but it's slightly easier. I will post my results to list for future Google searchers.

Thanks

-- Chris

-- 
Chris Hilton                                chris-at-vindaloo-dot-com
"All I was doing was trying to get home from work!" -- Rosa Parks
Re: A pair of pf questions...
On Mar 31, 2008, at 4:58 PM, Christopher Sean Hilton wrote:

> Hi,

Just a followup. I figured that I might have better luck with this configuration.

    de0 - External interface to Internet
    de1 - Internal interface to DMZ
    de2 - No IP interface to DMZ
    de3 - No IP interface to wireless

    bridge0 (de3 <-> de2)

It works a little better. I'm able to screen packets going to my own network. But packets that come in on the wifi interface that are destined for the internet are getting natted before they go out onto the DMZ via de2. This causes them to be rejected when they again appear on de1 for having an invalid source address.

I'm really not understanding how packets pass through the filter. I would expect that packets wouldn't be natted until they appeared as an outbound packet on de0.

Any help...

Thanks again

-- Chris
Re: A pair of pf questions...
On Mar 31, 2008, at 8:53 PM, Jon Radel wrote:

> Christopher Sean Hilton wrote:
> > On Mar 31, 2008, at 4:58 PM, Christopher Sean Hilton wrote:
> >
> > > Hi,
> >
> > Just a followup. I figured that I might have better luck with this
> > configuration.
> >
> >     de0 - External interface to Internet
> >     de1 - Internal interface to DMZ
> >     de2 - No IP interface to DMZ
> >     de3 - No IP interface to wireless
> >
> >     bridge0 (de3 <-> de2)
> >
> > It works a little better. I'm able to screen packets going to my own
> > network. But packets that come in on the wifi interface that are
> > destined for the internet are getting natted before they go out onto
> > the DMZ via de2. This causes them to be rejected when they again
> > appear on de1 for having an invalid source address.
> >
> > I'm really not understanding how packets pass through the filter. I
> > would expect that packets wouldn't be natted until they appeared as
> > an outbound packet on de0.
> >
> > Any help...
> >
> > Thanks again
> >
> > -- Chris
>
> You haven't shared any NAT statements from your config; rather hard to
> guess what you might, or might not, be doing.

There's only the one:

    nat on $ext_if from $internal_net to any -> ($ext_if)

-- Chris
OpenBSD 4.2 ipsecctl isakmpd netgear FVS114
Hi,

I'm trying to connect a Netgear FVS114 to my OpenBSD 4.2 machine. I seem to be stuck getting the following three error lines when I use isakmpd -K -d

    205022.882116 Default attribute_unacceptable: AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
    205022.882456 Default message_negotiate_sa: no compatible proposal found
    205022.882710 Default dropped message from 76.252.200.204 port 500 due to notification type NO_PROPOSAL_CHOSEN

I'm assuming that the problem is that OpenBSD is insisting on using RSA_SIG for authentication and my Netgear box wants to use PRE_SHARED keys. While I want to have RSA authentication in the long run it's quite a lot of steps and I'd like to have an intermediate configuration with pre shared keys. How do I configure that in isakmpd?

-- Chris
E450 stuff
Hi,

I inherited an E450 from my old job. It booted Solaris just fine but I was never able to get any of (Free|Net|Open)BSD to install on it. I feel that this is probably more due to me than anything else. As time has passed it's become pretty obvious, between the problems with the install and the cost for power to run, my chances of running this machine in my environment are NULL. I'd like to make just one more attempt at getting the machine running. But ultimately I will have it carted away.

This is what I have:

Sun E450
    4 x 400 MHz UltraSparc II processors (Sun P/N 501-5446)
    4 x DC power regulator boards (Sun P/N 300-1322)
    4GB of RAM (16 x Sun P/N 501-4743)

Spare E450 Mainboard
    2 x 300 MHz UltraSparc II processors (Sun P/N 501-4849)
    2 x DC power regulator boards (Sun P/N 300-1322)
    4GB of RAM (16 x Sun P/N 501-4743)

I'm going to spend an hour today working on this to see if I can get a working install but even if I do the whole thing's going to have to go away. If anyone is interested in any of this equipment please feel free to email or xmpp me ([EMAIL PROTECTED])

Thanks

-- Chris Hilton
Re: E450 stuff
On May 23, 2008, at 11:06 AM, Christopher Sean Hilton wrote:

> Hi,
>
> I inherited an E450 from my old job. It booted Solaris just fine but I
> was never able to get any of (Free|Net|Open)BSD to install on it. I
> feel that this is probably more due to me than anything else. As time
> has passed it's become pretty obvious, between the problems with the
> install and the cost for power to run, my chances of running this
> machine in my environment are NULL. I'd like to make just one more
> attempt at getting the machine running. But ultimately I will have it
> carted away.
>
> This is what I have:
>
> Sun E450
>     4 x 400 MHz UltraSparc II processors (Sun P/N 501-5446)
>     4 x DC power regulator boards (Sun P/N 300-1322)
>     4GB of RAM (16 x Sun P/N 501-4743)
>
> Spare E450 Mainboard
>     2 x 300 MHz UltraSparc II processors (Sun P/N 501-4849)
>     2 x DC power regulator boards (Sun P/N 300-1322)
>     4GB of RAM (16 x Sun P/N 501-4743)
>
> I'm going to spend an hour today working on this to see if I can get a
> working install but even if I do the whole thing's going to have to go
> away. If anyone is interested in any of this equipment please feel free
> to email or xmpp me ([EMAIL PROTECTED])

I forgot to mention that I'm located in Southern CT, USA (roughly 80 miles north of NYC on I-95)

-- Chris
Re: E450 stuff
On Sat, May 24, 2008 at 08:03:53AM -0400, Nick Holland wrote:
> Johan SANCHEZ wrote:
> > On Fri, 23 May 2008 11:08:32 -0400
> > Christopher Sean Hilton <[EMAIL PROTECTED]> wrote:
> > [ snip ]
> >
> > Can i ask what is the problem you are experiencing with this ?
> > what version of OBP are you using and what OBSD version did you
> > try ?
> >
> > Johan
> >
>
> I do believe you will find OpenBSD will Just Work, and bsd.mp
> should spin up all four processors.
> I seem to recall there was some work done relatively recently on
> the sensors on an E450, and one usually has to be fully functional
> on a system before you worry much about the sensors. :)
>
> HOWEVER... IF you have only worked with PCs, Sun systems are
> different. Also, the average E450 has sucked a lot of dust through
> its CDROM drive, and functional SCSI CDROM drives are relatively
> rare in most people's spare parts pile. Fortunately, Suns offer a
> lot of other options for bootstrapping the system, but none of the
> rest are something the average PC user has ever done before.
>
> But man, E450s are big. But I'm sure you have noticed that. :)
>
> Nick.

Thanks,

My first crack at this box was probably 2 years ago, perhaps more. I do know that the sparc64 MP code was reasonably new in NetBSD at the time. I didn't really try too hard but OpenBSD (unknown version) wouldn't boot and NetBSD (2.0, 2.1, 3.0) would all stall at various places in the boot process. Since I couldn't get Stop-A to bring the machine back to the OpenBoot prompt reliably I figured that it was a bad mainboard. I requested another and received one with 2 300MHz UltraSparc II processors. That's where I went wrong. I installed one of the 400MHz processors onto the "new" mainboard and attempted to boot and got nowhere.

I don't claim to be very versed in Sun hardware. If I can make it boot off of the CD-ROM then I can generally make it work. I can netboot Intel Machines with PXE ok. I hate floppy drives...

On the advice of a friend who knows Sun Hardware much better than I, I put the 2 300MHz CPUs back on the second mainboard and the machine is happily installing NetBSD 4.0 right now. It's still not recognizing all the disk drives that I have in it but at least it installs now. Once I can get it to install I'm happy because I don't like giving away junk. Residential electricity in New England is currently $0.16 / kWh which means that this machine would probably cost more than $30.00 / month to run 24/7. It will never be a main line production machine for me but after successfully installing NetBSD and OpenBSD on it I can report that it works...

-- Chris

-- 
Chris Hilton                                chilton-at-vindaloo-dot-com
"All I was doing was trying to get home from work!" -- Rosa Parks
dhcrelay question
I'm running OpenBSD as an IP less bridge between a DMZ and a protected internet. The protection comes from using a set of pf rules on the exterior interface of the bridge. My pf rules block all traffic on UDP/67 and UDP/68 from traversing the bridge so I currently run two DHCP servers, one in the DMZ and one on the protected network.

I'd like to run dhcrelay on the bridge and add some sort of token to dhcp requests coming from the DMZ (from new and test servers) so I can differentiate them from dhcp requests on the protected network. Basically I'd like to hand out addresses from one IP range on the DMZ and from another IP range on the protected network. I'd imagine that to start I'd want to configure dhcrelay to startup similar to:

    # dhcrelay -i ${dmz_if} ${prot_dhcp_server}

but how do I set this up to differentiate the requests from one another. Has anyone done this before?

-- Chris

Chris Hilton                       tildeChris -- http://myblog.vindaloo.com
                                   email -- chris/at/vindaloo/dot/com
.~ ~ .--.~ ~.--.~~.--.~~.--.~~.--.~~.--.~~.--.~~.--.~~.--.~~.--.~~.--.~~.--.~~.
"I'm on the outside looking inside, What do I see?
 Much confusion, disillution, all around me." -- Ian McDonald / Peter Sinfield
IPSec head check question.
I have isakmpd running quite well with certificates. I'm now trying to do something that may or may not be simple. I wish to establish two tunnels between my ipsec central server on a static IP and two dynamic points on the internet. The first case is an openbsd box which wants to connect a remote lan. The second case is an openbsd laptop which just needs remote access for itself. I've done this in my ipsec.conf:

    ## ---
    my_fqdn="ipsec-hub.example.com"
    my_network="10.0.0.0/24"

    ## Allow the remote box access
    remote_fqdn="myremote.dyndns.org"
    remote_network="10.0.1.0/24"

    ike passive esp \
        from { $my_fqdn $my_network } \
        to { $remote_fqdn $remote_network } \
        local $my_fqdn peer any \
        srcid $my_fqdn dstid $remote_fqdn

    ## Allow the laptop access
    laptop_fqdn="mylaptop.dyndns.org"

    ike passive esp \
        from { $my_fqdn $my_network } \
        to any \
        local $my_fqdn peer any \
        srcid $my_fqdn dstid $laptop_fqdn
    ## ---

I think that I've over-specified things because either configuration works if they are alone in the file but putting them both together results in an error?

There's more. If you choose to call me an idiot over this please do so in private :-)... This file works:

    my_fqdn="ipsec-hub.example.com"
    my_network="10.0.0.1/24"

    ike passive esp from { $my_fqdn $my_network } to any \
        local $my_fqdn peer any \
        srcid $my_fqdn

I would like to believe that the reason it works is because my peers both have signed certificates which verify as okay using the ca.crt that I've configured in "/etc/isakmpd/ca". However if I'm wrong then I've just opened up my LAN to attack from the entire internet. Which -D options do I need to set in isakmpd, e.g.

    # isakmpd -Kd -D 3=10 -D 8=10

to see the identity of the peers and get confirmation that the reason that negotiation was successful is because A the peer provided a certificate and B the certificate verified with my CA?

-- Chris

"There will be an answer, Let it be."
ch...@vindaloo.com
ipsec.conf ipsecctl isakmpd
I have a couple of questions regarding setting up ipsec. I've read the "4 minutes" page and modified the older setup to work with 2 OpenBSD 4.5 boxes. That's enough to get me going with an IPsec tunnel by IP addresses but one side of my connection is a consumer grade DSL line which wants to have its address changed every 5 minutes (sigh). I obviously need to setup ipsec with FQDN. I initially tried to do this with certificates but I couldn't get things to work so I've rolled back to using public keys and everything appears to be okay.

My question is this: When you use certificates does isakmpd still use /etc/isakmpd/private/local.key as the private key for the crypto negotiation or can that be changed.

-- Chris
Re: ipsec.conf ipsecctl isakmpd
On Aug 10, 2009, at 6:37 PM, Christopher Sean Hilton wrote:

> I have a couple of questions regarding setting up ipsec. I've read the
> "4 minutes" page and modified the older setup to work with 2 OpenBSD 4.5
> boxes. That's enough to get me going with an IPsec tunnel by IP
> addresses but one side of my connection is a consumer grade DSL line
> which wants to have its address changed every 5 minutes (sigh). I
> obviously need to setup ipsec with FQDN. I initially tried to do this
> with certificates but I couldn't get things to work so I've rolled back
> to using public keys and everything appears to be okay.
>
> My question is this: When you use certificates does isakmpd still use
> /etc/isakmpd/private/local.key as the private key for the crypto
> negotiation or can that be changed.

Thanks for the followups. It looks like local.key is the key if you don't use the local tag in your configuration as in:

    ike passive esp from hisname.hisnet.histld to myname.mynet.mytld \
        local my_identifier

Thanks again.

-- Chris
Thanks again!
I wanted to say thanks to the OpenBSD team. I use OpenBSD and pf to filter and route traffic. I recently updated my home router from OpenBSD 7.3 to OpenBSD 7.5 and the process couldn't have been easier thanks to `syspatch` and `sysupgrade`.

I noticed a post earlier about hardware to filter and route at speeds greater than 100Mb/s. I've been able to do this on OpenBSD for a while. I'm writing this not only because my upgrade went well but also because I have the same question as the previous poster. I run OpenBSD 7.5 on relatively low CPU power Intel hardware for routers. I favor Intel 1Gb/s NICs managed by the `em` driver but in the market those are being replaced by other 2.5Gb/s NICs. I recently tried out a box from Qotom with Intel I226V NICs managed by the `igc` driver. My initial experience was not good but once I figured out that the issue was between the NIC and my switch, things got much better.

Thank you again

-- Chris
Re: OpenBSD IKEv2 VPN -- default split tunnel / some hosts full tunnel
On Sat, Dec 14, 2024 at 02:07:13PM +1000, David Gwynne wrote:
> On Thu, Dec 12, 2024 at 06:01:37PM -0400, Christopher Sean Hilton wrote:
> > Hi,
> >
> > I'm trying to setup a pair of OpenBSD machines to handle their respective
> > home networks and create an IKEv2 VPN tunnel between them. If I call one
> > side _home_ and one side _remote_ I think that defines things. The main
> > function of the tunnel is to allow stuff on the _remote_ network to access
> > services in the _home_ network. As a second function, I want a handful of
> > hosts in the _remote_ network to consume the internet via the _home_
> > network's ISP. My `iked.conf` files look like this:
> >
> > [...snip...]
>
> the thing i think you're missing is that enc0 is not a real interface.
> it largely exists so you can see what the ipsec stack is doing with
> things like tcpdump via bpf. however, assigning an IP to it and
> expecting to be able to route over it is not supported, even if some of
> that appears to work.
>
> > [...snip...]
>
> ok. ive written this up before, so i'll paste it and tweak it here:
>
> For a packet going through an OpenBSD router, these are the main
> steps:
>
> 1. Packet is received by the incoming network interface
> 2. Packet is shown to BPF
> 3. PF processing for incoming packets
> 4. IP routing/stack processing
> 5. PF processing for outgoing packets
> 6. Packet is shown to BPF on outgoing interface
> 7. Transmission on the outgoing interface
>
> There are a couple of interesting things to note here.
>
> PF is run twice for packets going through a router/firewall. Once when
> the packet is received by a network interface and before the IP stack,
> and again when the packet leaves the IP stack and goes out to a network
> interface.

Thanks for this! It will help me to debug and fix the problem. If I have to, I'm assuming that I can do something like this

```
## Remote iked.conf
...
from $full-vpn-subnet to any \
...
```

And this?

```
## Home side pf.conf
...
match in on enc0 from to ! nat to ($ext_if)
...
```

If that doesn't work, I've read the man page for the sec interface and that may help me out with the problem that I have.

Before I set this up I had figured out how to do a split-tunnel VPN between OpenBSD and a MacOS client. I experimented and figured out how to change that into a full-tunnel VPN. That solves my problem in a different way but this is still interesting to me. I'd love to have a VPN setup remotely and to determine where packets "leave my infrastructure" based on the address they get from the DHCP server.

> [...snip...]
>
> Just to be clear, the source IP or the network interface a packet was
> received on does not affect the route lookup performed by the IP stack,
> it is only the destination IP address that is used. Also, packets in
> each direction of a connection are routed independently, meaning replies
> need to be routed correctly too.
>
> Generally, by the time pf gets to see a packet going out an interface,
> it is too late to affect where it's going because that decision has
> already been made by the route lookup in the IP stack.
>
> [...snip...]
>
> these steps ignore ipsec processing though. the ipsec policy database
> (SPD) is consulted between steps 4 and 5 above. if a packet matches the
> SPD, it's taken away from the stack processing, encrypted (and shown to
> bpf on enc0) and then injected back into the stack at step 4 so it can
> figure out where the encrypted packet is supposed to be routed to.
>
> the stuff above also ignores what pf can do to a packet. if pf rewrites
> or reroutes a packet in step 5, the packet is basically taken back
> to step 4 for a new route lookup, and then skips step 5 again.
>
> so what does this mean for what you're trying to achieve?
>
> firstly, if you want to send packets from hosts in the table
> over the vpn, you need to do more than just change the source ip. as
> described above, the routing table sends packets somewhere based
> entirely on the destination address, which nat-to doesn't affect at all.
>
> it is possible that you could write ipsec config that will generate SPD
> entries that will take these packets and move them over the ipsec link.
> that config might look like this:
>
> home_network="192.168.1.0/24"
> remote_network="192.168.2.0/24"
>
> ikev2 passive esp \
> from any to dynamic \
>
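A small model of the forwarding path David lays out in this reply (pf in, route lookup by destination only, SPD check, pf out, with a rewritten packet sent back for a fresh route lookup), run over the remote-side setup from the original question. It shows why a `nat-to` on enc0 never fires and why only an SPD flow covering the host moves its traffic into the tunnel. This is an added example, not OpenBSD's code or anything from the thread; the peer and gateway addresses, interface names and flows are constructed.

```python
"""Model of the OpenBSD forwarding path described in the reply above.
Added example, not OpenBSD or the thread's code; all addresses,
interfaces and SPD flows are constructed to mirror the thread's remote side.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    esp: bool = False                 # True once the SPD has wrapped it
    inner_src: Optional[str] = None   # original source after encapsulation
    trace: list = field(default_factory=list)


class Router:
    def __init__(self, routes, spd, pf_out, local_ext_ip):
        # routes: (prefix, iface); longest prefix wins, like the kernel
        self.routes = sorted(
            ((ipaddress.ip_network(p), i) for p, i in routes),
            key=lambda r: r[0].prefixlen, reverse=True)
        # spd: (from_prefix, to_prefix, peer) flows, as iked would install
        self.spd = [(ipaddress.ip_network(f), ipaddress.ip_network(t), peer)
                    for f, t, peer in spd]
        # pf_out: {iface: nat_src} for `match out on <iface> nat-to <addr>`
        self.pf_out = pf_out
        self.local_ext_ip = local_ext_ip

    def route_lookup(self, pkt):
        """Step 4: the destination address is the only input."""
        dst = ipaddress.ip_address(pkt.dst)
        for net, iface in self.routes:
            if dst in net:
                return iface
        raise LookupError(f"no route to {pkt.dst}")

    def spd_lookup(self, pkt):
        """Between steps 4 and 5: match the (src, dst) pair against flows."""
        if pkt.esp:
            return None
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        for f, t, peer in self.spd:
            if src in f and dst in t:
                return peer
        return None

    def forward(self, pkt):
        """Return the egress interface; pkt.trace records each step."""
        pkt.trace.append("3: pf in")
        while True:
            iface = self.route_lookup(pkt)
            pkt.trace.append(f"4: route {pkt.dst} -> {iface}")
            peer = self.spd_lookup(pkt)
            if peer is not None:
                # Encapsulate, then inject back at step 4 for a new lookup.
                pkt.inner_src, pkt.esp = pkt.src, True
                pkt.src, pkt.dst = self.local_ext_ip, peer
                pkt.trace.append(f"SPD: esp to {peer}, back to step 4")
                continue
            nat_src = self.pf_out.get(iface)
            if nat_src and not pkt.esp and pkt.src != nat_src:
                pkt.src = nat_src
                pkt.trace.append(f"5: pf out on {iface} nat-to {nat_src}")
                # Rewritten: new route lookup, but pf out is not run again.
                iface = self.route_lookup(pkt)
            pkt.trace.append(f"7: tx on {iface}")
            return iface


# Constructed remote-side picture, using documentation address ranges.
PEER = "198.51.100.1"       # home gateway's public address (constructed)
EXT_IP = "203.0.113.10"     # remote gateway's public address (constructed)
ROUTES = [("0.0.0.0/0", "em0"), ("192.168.2.0/24", "em1")]
SPLIT_SPD = [("192.168.2.0/24", "192.168.1.0/24", PEER)]
# The thread's pf.conf idea: nat-to on em0 and on enc0.
PF_OUT = {"em0": EXT_IP, "enc0": "192.168.128.16"}


def send(spd, src, dst):
    """Forward one packet from the remote LAN; returns (iface, packet)."""
    pkt = Packet(src, dst)
    return Router(ROUTES, spd, PF_OUT, EXT_IP).forward(pkt), pkt


def full_tunnel_spd(host):
    """SPD with an extra flow that takes `host` -> anywhere over the VPN."""
    return SPLIT_SPD + [(f"{host}/32", "0.0.0.0/0", PEER)]


if __name__ == "__main__":
    cases = (("split", SPLIT_SPD), ("full", full_tunnel_spd("192.168.2.50")))
    for label, spd in cases:
        for dst in ("192.168.1.20", "8.8.8.8"):
            iface, pkt = send(spd, "192.168.2.50", dst)
            how = "esp" if pkt.esp else f"plain src={pkt.src}"
            print(f"{label}: to {dst} -> {iface} {how}; " + " | ".join(pkt.trace))
```

In the "split" run the host's packet to 8.8.8.8 is routed to em0 and natted there, which is exactly the "natted and emitted out of my $ext_if" behaviour from the question; the enc0 rule never sees it.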
OpenBSD IKEv2 VPN -- default split tunnel / some hosts full tunnel
Hi,

I'm trying to setup a pair of OpenBSD machines to handle their respective home networks and create an IKEv2 VPN tunnel between them. If I call one side _home_ and one side _remote_ I think that defines things. The main function of the tunnel is to allow stuff on the _remote_ network to access services in the _home_ network. As a second function, I want a handful of hosts in the _remote_ network to consume the internet via the _home_ network's ISP. My `iked.conf` files look like this:

```
## Home: (responder)
home_network="192.168.1.0/24"
remote_network="192.168.2.0/24"

ikev2 passive esp \
    from any to dynamic \
    from $home_network to $remote_network \
    ...
    config address 192.168.128.16/32 \
    config access-server 192.168.128.1

## ## Remote: (Initiator)
## ikev2 passive esp \
##     from dynamic to any\
##     from $remote_network to $home_network \
##     ...
##     request address any \
##     iface enc0
```

I've shown both configs here. The _remote_ config is commented out. The other side's `iked.conf` is vice-versa. This gets the tunnel up and running. All works as I expect it to and when I do this:

```
# traceroute -s 192.168.128.16 8.8.8.8
...
```

The traceroute goes over the VPN tunnel first as I expect it to. I figured, **incorrectly**, that at this point it would be just a matter of some _pf_ magic to get a host on the remote side NATted to the tunnel address such that its packets would traverse the tunnel and then shuffle off to their designed destination. I've tried this:

```
## pf.conf
ext_if=em0
vpn_if=enc0

match out on $ext_if from !($ext_if) to any tag "USE-PLAIN-NAT"
match out on $vpn_if from to any tag "USE-FULL-VPN"

match out on $ext_if tagged "USE-PLAIN-NAT" nat-to ($ext_if)
...
match out on $vpn_if tagged "USE-FULL-VPN" nat-to ($vpn_if)
```

But I get no joy. At best, the packets which should be tagged "USE-FULL-VPN" get natted and emitted out of my "$ext_if". I'm clearly missing something.

I'm referencing these links on the web:

* https://www.openbsd.org/faq/faq17.html
* https://man.openbsd.org/iked.conf

As my gotos but I'm clearly missing something which may be really obvious.

As an aside, in a VPN situation like this, how does the kernel make decisions about where the packets pass through?

Thanks!

-- Chris