CARP with a single public IP address
Hi misc,

I've been thinking about this for a while but can't seem to figure out a proper solution. Perhaps you have seen a scenario like this before and have ideas on how to tackle it.

I have two OpenBSD 4.4 boxes configured in active/backup CARP, connected to an ADSL router. I want to reconfigure the ADSL router and turn it into a bridge. This way, my public IP address will move from the ADSL router to the CARP interface and will be shared by both OpenBSD machines. The ADSL router has a built-in hub that both OpenBSD machines are plugged into.

While the machine whose CARP interface is ACTIVE won't have problems sending and processing traffic, the OpenBSD machine whose CARP interface is in BACKUP will. The machine whose CARP interface is in BACKUP will be able to send traffic to the Internet from its public IP address, but will not be able to process any response, for example when contacting an NTP server: the UDP response from the NTP server will arrive at both OpenBSD machines (since both are sharing the public IP address), but the machine whose CARP interface is in BACKUP will likely ignore the NTP response. For TCP it is also very similar.

I have no idea how to deploy a scenario like this while allowing the machine whose CARP interface is in BACKUP to access the Internet. A workaround is having the machine whose CARP interface is in BACKUP have a default route installed pointing to the machine whose CARP interface is ACTIVE. The problem is that the setup is more complex and requires a way of dynamically adjusting the default route. A possible solution is using ifstated(8). Is it possible to use OSPF instead?

Thanks in advance!

-- 
http://www.felipe-alfaro.org/blog/disclaimer/
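One way to build the ifstated(8) workaround described above, written here as an added example and not taken from the original post: an /etc/ifstated.conf that watches the state of carp0 and repoints the default route. The ISP gateway (203.0.113.1), the other box's address on the internal LAN (10.0.0.2) and the assumption that the master NATs traffic from the internal LAN are placeholders and assumptions; each box gets its own copy with the peer address swapped.

```conf
# /etc/ifstated.conf (added example; addresses are placeholders)
#
# carp0 carries the single public IP. Its link state reads "up" only
# while this box is CARP master, so it doubles as the master/backup test.
carp_master = "carp0.link.up"

# Start in "auto" so the correct state is chosen when the daemon starts.
init-state auto

state auto {
	if $carp_master
		set-state master
	if ! $carp_master
		set-state backup
}

# Master: our own traffic leaves through the bridged ADSL link, so the
# default route points at the ISP gateway (assumed to be 203.0.113.1).
state master {
	init {
		run "route -qn delete default; route -qn add default 203.0.113.1"
	}
	if ! $carp_master
		set-state backup
}

# Backup: replies addressed to the shared public IP are consumed by the
# master, so send our own traffic over the internal LAN to the master's
# internal address (assumed 10.0.0.2; use 10.0.0.1 in the other box's
# copy) and let the master NAT it like any other internal host.
state backup {
	init {
		run "route -qn delete default; route -qn add default 10.0.0.2"
	}
	if $carp_master
		set-state master
}
```

`ifstated -n -f /etc/ifstated.conf` checks the file for syntax errors before the daemon is enabled.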
Re: CARP with a single public IP address
On Fri, Dec 5, 2008 at 12:11 PM, Paul de Weerd <[EMAIL PROTECTED]> wrote:
> Hey Felipe,
>
> On Fri, Dec 05, 2008 at 11:51:05AM +0100, Felipe Alfaro Solana wrote:
> | Hi misc,
> |
> | I've been thinking about this for a while but can't seem to figure out a proper solution.
> | Perhaps you have seen a scenario like this before and have ideas on how to tackle it.
> |
> | I have two OpenBSD 4.4 boxes configured in active/backup CARP, connected to an ADSL router.
> | I want to reconfigure the ADSL router and turn it into a bridge. This way, my public IP
> | address will move from the ADSL router into the CARP interface and will be shared by both
> | OpenBSD machines. The ADSL router has a built-in hub where both OpenBSD machines are plugged into.
>
> Some years ago, I did exactly this. Configured an ADSL modem for rfc1483 mode (which my ISP
> supported) and had two machines behind it for routing (NATting) my local network out.
>
> | While the machine whose CARP interface is in ACTIVE won't have problems sending and
> | processing traffic, the OpenBSD machine whose CARP interface is in BACKUP will. The machine
> | whose CARP interface is in BACKUP will be able to send traffic to the Internet from its
> | public IP address, but will not be able to process any response, for example to contact an
> | NTP server: the UDP response from the NTP server will arrive at both OpenBSD machines (since
> | both are sharing the public IP address), but the machine whose CARP interface is BACKUP will
> | likely ignore the NTP response. For TCP it is also very similar.
>
> I did this before we had openntpd and didn't run "that other" ntpd on my machines. Internet
> access was only available when the machine was CARP master. I think there's two solutions
> here, both of which have issues. First solution (only solves the ntp issue), configure your
> CARP'ed routers to use an ntpd on your local network (which gets its time via the same set of
> CARP'ed routers). The other option is to get more public IP's from your ISP. This makes your
> routers accessible from the internet.

These are very interesting ideas. I'm now thinking of running two openntpd daemons, one on each machine. openntpd can be configured to use an NTP server from the internet and the other OpenBSD peer. For the active CARP, it can reach both NTP servers. For the backup CARP, it can only reach its peer and still keep the time up to date.

> Downsides are that the first solution requires an extra machine and the second solution is
> probably difficult with most ISPs.

My ISP won't give me any more IP addresses, unfortunately. It's Telefonica, and I was one of the very first lucky customers to get a public, fixed IP address in 1999. Nowadays, they don't hand out public IP addresses anymore and I can consider myself lucky for not getting mine withdrawn.

> | I have no idea how to deploy a scenario like this, while allowing the machine whose CARP
> | interface is in BACKUP to access the Internet. A workaround is having the machine whose
> | CARP interface is in BACKUP have a default route installed pointing to the machine whose
> | CARP interface is ACTIVE. The problem is the setup is more complex and requires a way of
> | dynamically adjusting the default route. A possible solution is using ifstated(8). Is it
> | possible to use OSPF instead?
>
> I don't really like that solution. My suggestion would be to try and minimize the amount of
> traffic the machines need to send to the internet (preferably to 0). Maybe use IPv6 (if your
> ISP does native v6 on the link) when you can't work around this.

No native IPv6 either. Same problem as with IPv4. In Spain, IPv6 is just SciFi, unless you use a tunnel broker like SixXS. And since this requires IPv4, I have a deadlock :(

Thanks for your suggestions, Paul! Cheers ;)

> Paul 'WEiRD' de Weerd
> http://www.weirdnet.nl/
Re: The New Secure Operating System
On Tue, Dec 9, 2008 at 4:14 PM, Sunnz <[EMAIL PROTECTED]> wrote:
> The secure operating system standard will never be the same now that a National Security
> Agency-certified OS has gone commercial, but few mainstream enterprises today need an airtight
> OS tuned to run on fighter jets. And many organizations aren't properly securing their existing
> commercial OSes, anyway, security experts say.
>
> http://www.darkreading.com/security/management/showArticle.jhtml?articleID=212201490

This article sounds like pure and cheap marketing to me. EAL certification has never meant anything to me, except that the vendor went through a certification process. Does EAL certification have to be renewed every year? Windows has been certified EAL4+ and it has never been (and probably never will be) secure. RHEL is also EAL4+ and it also had security problems. Commercial operating systems, as long as their source code is closed for professionals to study, will never be secure. This new operating system is a commercial one and the vendor's Web page doesn't look very open source friendly.
Re: The New Secure Operating System
On Wed, Dec 10, 2008 at 4:06 AM, Sunnz <[EMAIL PROTECTED]> wrote:
> 2008/12/10 Adriaan <[EMAIL PROTECTED]>:
> >> Oh my god. Let me migrate everything to this new secure OS immediately!
> >
> > Yea, you should run this new secure OS under Xen or Vmware for even more security ;)
> >
> > =Adriaan=
>
> Hmm I don't know... they claim that Linux, Windows and VMware aren't secure, they haven't
> mentioned Xen though I would think it would be in the same boat as VMware.

Xen uses parts of Linux, so it will suffer some of the Linux problems. VMware ESX also uses some parts of Linux, so the same thing applies.
Re: Running another OS under OpenBSD
On Thu, Dec 11, 2008 at 7:30 PM, Jeff_1981 wrote:
> Dear All,
>
> Please can you indicate to me how to run Windows or Linux under OpenBSD? Under Linux for
> example there is the possibility to virtualize another OS. If the other OS is hacked from the
> web does it compromise the security of OpenBSD?

Does QEMU work under OpenBSD? But even if it does, it's probably too slow to use in production. Also, it might contain bugs and crash, decrease the security of the host or guest, etc. If I were you and decided on using virtualization, I'd go with a proven, mature solution. I don't think QEMU is that mature or that it has had enough exposure.

> Another question is if I run a server under OpenBSD is it impossible to hack it from the web?

Nothing is impossible (or impossible is nothing). Even operating systems certified as EAL4+ have been hacked, and some of them have horrible security track records, despite being certified. No software is bug-free, so forget about the concept of "unbreakable" or "unhackable". It does not exist at all.

> The standard install of OpenBSD has no security holes anymore if I understand, does this mean
> no one can hack it from the web? What about an OpenBSD on which we have activated one or more
> services, like mail server / web server and file sharing for within the network (if used as
> NAS / server as example)?

Being hackable from the Web is just too vague. Your system might have SSH enabled and a poor password for a particular user, such that a hacker can log in and, from there, launch a local attack against the system (local exploit instead of a remote exploit, like crashing the box), launch a DoS attack, etc. As usual, the security of the system depends on the weakest link in the chain. That's typically the user, or a poor password, or an unpatched system, or a misconfigured system, or an unqualified administrator, or ... :)

> Thanks a lot for your help.
>
> Regards,
> JF
Re: CARP under heavy load
On Fri, Dec 12, 2008 at 3:12 PM, Stephan A. Rickauer < stephan.ricka...@ini.phys.ethz.ch> wrote:
> On Fri, 2008-12-12 at 14:57 +0100, ropers wrote:
> > Maybe --possibly-- my own understanding is sorely lacking. Let me try to explain. The
> > following requires a non-proportional font:
> >
> > Is this what your CARP setup looks like?
> >
> >     external network
> >           ||
> >     OpenBSD#0    OpenBSD#1
> >           ||
> >     internal network
> >
> > If so, are the CARP advertisements being sent via the external or internal network?
>
> Your diagram would use two CARP interfaces, not just one. One for the external and one for
> the internal network. Thus, you'd have carp0 (external) and carp1 (internal), both would
> exchange ads via multicast by default over their underlying physical interfaces.
>
> Yes, this is our setup ;) - at least the relevant part of it.
>
> > I was under the impression that it should be possible to exchange CARP advertisements via
> > the dedicated link (), though I have to admit that I haven't actually built such a network
> > yet -- I'm planning to do that shortly. Maybe others can weigh in?
>
> One can use 'carppeer' to not send multicast but unicast. However, I was under the impression
> one still needs to do peering on the same link as the carp interfaces sit.
>
> Can one use the same 'carppeer ded.ica.ted.ip' statement for all carp interfaces altogether
> (and the other dedicated peer IP on the other)?

What's the point of using CARP to send advertisements over a dedicated link? The dedicated link is typically a cross-over cable (i.e. used for pfsync) and hence, in case of a switch port failure (or cable failure), CARP won't be able to see this.
Re: CARP under heavy load
On Sat, Dec 13, 2008 at 6:56 AM, Stephan A. Rickauer < stephan.ricka...@ini.phys.ethz.ch> wrote:
> On Fri, 2008-12-12 at 17:32 +0100, Felipe Alfaro Solana wrote:
> > What's the point of using CARP to send advertisements over a dedicated link? The dedicated
> > link is typically a cross-over cable (i.e. used for pfsync) and hence, in case of a switch
> > port failure (or cable failure), CARP won't be able to see this.
>
> That's true, of course. Then I don't see a chance to make CARP behave under heavy load, cause
> it can always be misinterpreted as a link failure by CARP. I'll try prioritizing carp ads with
> altq and see how that goes.

If the two machines that are part of the same CARP group are connected to the same switch, and you are experiencing packet loss, then something really bad is going on. How many ports does your switch have? Perhaps the total aggregated switching capacity of the switch is not enough in your deployment.
Re: CARP under heavy load
On Mon, Dec 15, 2008 at 9:14 AM, Jussi Peltola wrote:
> On Mon, Dec 15, 2008 at 03:43:43AM +0100, Felipe Alfaro Solana wrote:
> > If the two machines that are part of the same CARP group are connected to the same switch,
> > and you are experiencing packet loss, then something really bad is going on. How many ports
> > does your switch have? Perhaps the total aggregated switching capacity of the switch is not
> > enough in your deployment.
>
> Who says the switch is losing the packets, if your router is overloaded it's forwarding at
> 100% speed and you have no room for CARP announcements. One solution would be to increase the
> time between advertisements and hope for the best.

What does "overloaded" mean? Is it CPU overload? NIC overload? If it's CPU, it might be possible that CARP packets will get lost, but who cares? Because if the router's CPU is at 100% you have a problem and need to scale up. If the NIC is overloaded, it means you have too much non-TCP traffic and are not using Ethernet flow control. Perhaps using Ethernet flow control might help.

> IME forwarded packets seem to somehow have a higher priority than self-originated traffic in
> most OS's; don't know why this is, just a gut feeling. Probably related to interrupts taking
> away CPU time from other things; if the machine is so loaded the physical console is slow as
> molasses, I doubt that CARP can work very well either.
>
> --
> Jussi Peltola
Re: Running another OS under OpenBSD
On Tue, Dec 23, 2008 at 12:34 PM, Henning Brauer wrote:
> * Douglas A. Tutty [2008-12-23 05:45]:
> > On Tue, Dec 23, 2008 at 02:41:08AM +0100, Henning Brauer wrote:
> > > * Jussi Peltola [2008-12-11 20:52]:
> > > > On Thu, Dec 11, 2008 at 10:30:50AM -0800, Jeff_1981 wrote:
> > > >
> > > > That said, OpenBSD base services are extremely secure, compared to the competition,
> > > > when properly configured and patched. Note that no security audits are done to
> > > > software in the ports tree; you're on your own with 3rd party software.
> > >
> > > many things from ports are patched or otherwise modified for security reasons, and many
> > > things are deliberately NOT in ports due to security considerations. nonetheless there
> > > is truth in your above statement; averaged things from ports are not on the same level
> > > as openbsd.
> >
> > Has anybody done any comparisons to see how things from ports (especially common things
> > like firefox) compare to the competition's packages (rpms, debs, whatever)? I know that
> > the ports don't get audited like base, but then I don't think anyone else's does either.
> >
> > In other words, if you need a box with multiple third-party apps, (let's say that none of
> > them are server apps), (eg, firefox, a window manager or DTE, mutt, LaTeX, gv, a pdf
> > reader), which box would be more secure (with the same admin): OpenBSD with ports or a
> > Linux (e.g. Debian)?
>
> easy - OpenBSD. Linux doesn't have propolice, randomized malloc/mmap, randomized library
> addresses etc yadda yadda yadda.

RedHat has been shipping a version of glibc that does randomized library addresses for, at least, a year. Libraries have to be compiled with -fPIC, however, but that's the case for most. Not sure about other distros.

> crappy applications are still crappy applications on OpenBSD, but worse on pretty much any
> other OS.
>
> --
> Henning Brauer, BS Web Services, http://bsws.de
Re: Running another OS under OpenBSD
On Wed, Dec 24, 2008 at 11:13 AM, Henning Brauer wrote:
> * Felipe Alfaro Solana [2008-12-24 06:17]:
> > > easy - OpenBSD. Linux doesn't have propolice, randomized malloc/mmap, randomized
> > > library addresses etc yadda yadda yadda.
> > RedHat has been shipping a version of glibc that does randomized library addresses for,
> > at least, a year.
>
> wow. one thing out of dozens we do. sure a killer argument.

Who said this is a killer argument? I was just pointing out that nearly any mainstream OS currently has randomized library address space.

> --
> Henning Brauer, BS Web Services, http://bsws.de
Re: Running another OS under OpenBSD
On Thu, Dec 25, 2008 at 10:50 PM, Marco Peereboom wrote:
> > RedHat has been shipping a version of glibc that does randomized library addresses for,
> > at least, a year. Libraries have to be compiled with -fPIC, however, but that's the case
> > for most. Not sure about other distros.
>
> Right, now tell me again about strl*

What's so special about strl*? Anyone can implement it in glibc. But applications must be changed anyway to use it.
Re: AH+ESP and IPv6
On Tue, Dec 30, 2008 at 9:29 PM, wrote:
> I'm trying to use both AH and ESP to setup IPsec using Transport mode between two IPv6
> OpenBSD 4.4 hosts.
>
> So far it worked for AH Transport mode or ESP Transport mode but I don't quite know how to do
> both AH and ESP. Any ideas?
>
> Here's a snippet from /etc/ipsec.conf :
>
> ike esp transport from 2001::10 to 2001::5 psk "secret"
>
> I tried the following (and vice versa - ah vice esp).
>
> ike esp transport from 2001::10 to 2001::5 psk "secret"
> flow ah from 2001::10 to 2001::5

I'm not sure either. Since you can apply ESP then AH, or apply AH and then ESP (depending on what's more important for you, the digital signature or the encryption), it's not obvious to me how to do it.
Re: AH+ESP and IPv6
On Fri, Jan 2, 2009 at 7:52 PM, Todd T. Fries wrote:
> The other answer is, ESP provides AH, therefore AH is deprecated.

What do you mean? That OpenBSD's implementation of ESP automatically uses AH too? (payload inside AH inside ESP?) Because ESP only provides authentication for the payload but not for the IP header. That's why AH is useful.

> Unless you really really want to play with AH to verify it works and such (which the below
> suggests it does not) ...
> --
> Todd Fries .. t...@fries.net
> http://todd.fries.net/pgp.txt
Re: AH+ESP and IPv6
On Fri, Jan 2, 2009 at 8:36 PM, wrote:
> If ESP does not decrypt, the payload is invalid. Adding AH adds no further functionality
> other than to thwart any attempts at NAT.

AH is not meant to thwart any attempts at NAT. For that, you have IPSec over UDP. AH prevents any tampering with the IP header, which can be very useful.

> --
> Todd Fries .. t...@fries.net
> http://todd.fries.net/pgp.txt
Re: CARP under heavy load
On Tue, Jan 6, 2009 at 3:51 PM, ropers wrote:
> > * ropers [2008-12-12 15:01]:
> >>
> >> Maybe --possibly-- my own understanding is sorely lacking. Let me try to explain. The
> >> following requires a non-proportional font:
> >>
> > (...)
>
> >> OTOH, if you have a dedicated link, maybe your setup looks like this?
> >>
> >>     external network
> >>           ||
> >>     OpenBSD#0    OpenBSD#1
> >>           ||
> >>     internal network
> >>
> >> I was under the impression that it should be possible to exchange CARP advertisements
> >> via the dedicated link (), though I have to admit that I haven't actually built such a
> >> network yet -- I'm planning to do that shortly. Maybe others can weigh in?
>
> 2008/12/23 Henning Brauer :
> > that would defeat carp's purpose. if, in your scenario above, OpenBSD#0 loses link to
> > the external network, wouldn't you want OpenBSD#1 to become master?
>
> Thanks for that. But I have a follow-up: To fully work, the OpenBSD hosts in the above
> scenario need working external and internal interfaces. So if CARP talked over the external
> network, that would just test the external interfaces. OTOH, if CARP talked over the internal
> network, that would just test the internal interfaces. Is there a way for a CARPed host to
> detect if either its external or internal links go down?
>
> Please forgive the sort of stupid question, but I'm curious.

I don't think you need that. When deploying multiple CARP interfaces, you can enable CARP preempt. When CARP preempt is enabled (via sysctl), if one CARP interface goes into backup mode, all other CARP interfaces will also failover to backup. So, if you have carp0 (internal network) and carp1 (external network) and carp0 fails over because e.g. the network link goes down or the cable gets unplugged, carp1 will also fail over.
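The preempt setup described above as a concrete configuration for the two-interface diagram in this thread, added here as an example and not part of the original message; interface names, addresses, vhid values and passwords are placeholders, and the advskew split is an assumption about which box should normally be master.

```conf
# /etc/sysctl.conf, on BOTH hosts (added example; values are placeholders).
# Without this, a link failure on one carp interface leaves the other one
# master, which is the split-role situation the question is worried about.
net.inet.carp.preempt=1

# /etc/hostname.carp0 on host A: internal network, rides on em0
inet 10.0.0.100 255.255.255.0 10.0.0.255 vhid 1 carpdev em0 pass INTSECRET advskew 0

# /etc/hostname.carp1 on host A: external network, rides on em1
inet 198.51.100.10 255.255.255.0 198.51.100.255 vhid 2 carpdev em1 pass EXTSECRET advskew 0

# Host B uses the same two files with "advskew 100" on both interfaces, so
# host A is preferred as master for both as long as both of its links are up;
# when either of A's links fails, preempt lets B take over both vhids at once.
```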
Re: System security question
On Wed, Feb 25, 2009 at 10:08 PM, Jean-Francois wrote:
> Hi All,
>
> I actually built the following system :
>
> - OpenBSD running on a standard AMD platform
> - This box is actually used as firewall
> - This box is also used as webserver
> - This box is finally used as local shared drives via NFS file but only open to subnetwork
>   through PF
>
> Assuming that subnetwork computers might be hacked or infected by any threat
> Assuming that there is no mistake in PF rules
> Assuming that there is nothing of a third party installed on the box (basically it's only a
> tuned system)
>
> -> Would you please confirm that hacking is almost impossible ?

We would never do that. It'd be stupid to think that hacking this machine is almost impossible. There exists no unhackable or unbreakable software, not even OpenBSD.

> -> Would you confirm any personal data hosted on the server is safe as long as the (subnet
> is not compromised by false manipulation of course)

Never, because you are running a Web server on the machine, and possibly an SSH server and lots of code that might contain security holes.

> Thanks for care,
> JF
Re: System security question
On Thu, Feb 26, 2009 at 11:13 PM, Ingo Schwarze wrote:
> Hi Jean-Francois,
>
> Jean-Francois wrote on Wed, Feb 25, 2009 at 10:08:22PM +0100:
>
> > I actually built the following system :
> > - OpenBSD running on a standard AMD platform
> > - This box is actually used as firewall
> > - This box is also used as webserver
> > - This box is finally used as local shared drives via NFS file
> >   but only open to subnetwork through PF
>
> It's hard to tell what this is supposed to say, but in case you intend to use the same
> physical machine as a firewall, as a public webserver and as a private NFS server, that's
> almost certainly a very bad idea and not at all secure.
>
> Never put your private NFS server on the same host as either your firewall or your webserver.
> Never. If you don't own and can't afford enough hardware to physically separate the NFS server
> from the firewall and the webserver, do not use NFS at all. If your network is so small that
> you consider putting everything on one single server, just use some old 200MHz i386 for the
> firewall and some old 500MHz i386 for the NFS server. People will almost certainly give you
> such hardware for free, at least in Europe. That's probably sufficient, and lets you use your
> shiny new amd64 box as the webserver.
>
> NFS is not designed with security in mind. It transmits data unencrypted. It has no real
> authentication and no real access control. It is designed for strictly private networks with
> no external access that no potential attackers have access to.

Just to clarify, NFSv4 does not necessarily transmit data in clear text. NFSv4 allows one to use encryption and/or data authentication. NFSv3 and older versions do not use encryption at all, but you can use IPSec to protect it at the network layer.

> If you can afford it, also separate the webserver from the firewall. Webservers tend to run
> lots of crappy software, and thus, they tend to get hacked. Well, perhaps that's somewhat
> mitigated by running the webserver chrooted, but anyway, it is clearly better to make the
> firewall a three-leg router and physically separate the network segment containing the
> webserver (DMZ) and the internal NFS server (private intranet).
>
> > Assuming that subnetwork computers might be hacked or infected by any threat
>
> You mean, attackers might gain access to either the hardware of your internal network, or
> any of the computers in your internal network might get hacked from the Internet?
>
> If i understood that correctly, you cannot use NFS at all, not even on a dedicated server
> inside your intranet, physically well separated from the firewall. There is basically no way
> to secure it.
>
> > Assuming that there is no mistake in PF rules
> > Assuming that there is nothing of a third party installed on the box (basically it's only
> > a tuned system)
> > -> Would you please confirm that hacking is almost impossible ?
>
> If i understood your setup and threat scenario correctly -- computers inside your internal
> network might be compromised, and you want to run an NFS server inside your internal network
> -- then no, that's not secure. Spying out the private data on the NFS server is trivial and
> does not even need script kiddie skills. All the attacker needs to do is: Use an IP number
> having access to the NFS server, locally create an account with the UID he is interested in,
> mount the NFS volume(s) and read the data. No hacking is required. This is completely
> insecure.
>
> > -> Would you confirm any personal data hosted on the server is safe as long as the
> > (subnet is not compromised by false manipulation of course)
>
> I don't know what you mean by "subnet is not compromised", but it doesn't matter. If
> "subnetwork computers might be hacked", then the data is not at all secure.
>
> No idea why so many other posters said there's no problem... :-(
>
> Yours
> Ingo
Re: System security question
On Sat, Feb 28, 2009 at 1:51 PM, Ingo Schwarze wrote:
> Hi Felipe,
>
> Felipe Alfaro Solana wrote on Sat, Feb 28, 2009 at 10:53:50AM +0100:
> > On Thu, Feb 26, 2009 at 11:13 PM, Ingo Schwarze wrote:
> >> Jean-Francois wrote on Wed, Feb 25, 2009 at 10:08:22PM +0100:
>
> >>> I actually built the following system :
> >>> - OpenBSD running on a standard AMD platform
> >>> - This box is actually used as firewall
> >>> - This box is also used as webserver
> >>> - This box is finally used as local shared drives via NFS file
> >>>   but only open to subnetwork through PF
>
> >> NFS is not designed with security in mind. It transmits data unencrypted. It has no real
> >> authentication and no real access control. It is designed for strictly private networks
> >> with no external access that no potential attackers have access to.
>
> > Just to clarify,
>
> On an OpenBSD list, i am talking about NFS on OpenBSD (-current and -stable), and that's
> NFSv3. ;-) Of course, you are right that i could have mentioned that.
>
> > NFSv4 does not necessarily transmit data in clear text.
> > NFSv4 allows one to use encryption and/or data authentication.
>
> That doesn't help the original poster because NFSv4 is not available on OpenBSD. See
>
> http://marc.info/?l=openbsd-misc&m=123469849717017
> Peter Hessler wrote on Feb 15, 2009:
> "openbsd uses nfsv3 over ipv4.
> nfsv4 is still being worked on, but is not ready."

Well, if NFSv4 is not an option for OpenBSD, then it's clear that NFS on OpenBSD is a very poor choice due to lack of proper authentication and encryption :)

> > NFSv3 and older versions do not use encryption at all,
> > but you can use IPSec to protect it at the network layer.
>
> I do not know enough about IPSec to judge whether and under which conditions it's viable,
> effective and efficient to secure NFS usage in an internal network that attackers have access
> to by using IPSec between the NFS server and each NFS client. Maybe this could be an option.

Of course, if the attacker can gain remote access to the machine, IPSec is not very useful since the attacker can probably retrieve the encryption keys from the kernel :) IPSec is only useful to prevent attacks (replay, sniff, etc.) from the network. Thanks for pointing this out.

> But even if that's sound, which i neither claim nor deny, it's still a bad idea to run purely
> internal services on a firewall, no matter whether they use encryption or not.

And I totally agree with you. Mixing firewall services with services like Web or file/print services is a recipe for disaster.
Re: System security question
On Sat, Feb 28, 2009 at 6:40 PM, Jean-Francois wrote:
> Hi,
> "And I totally agree with you, Mixing firewall services with services
> like Web or file/print services is a recipe for disaster."
>
> True since hacking the web server is entering the firewall itself.
> But the web server, httpd, is chrooted ... so why would there be a
> problem here ?

There are ways to evade chroots, although I'm not sure how feasible they
are for OpenBSD.

> On Saturday 28 February 2009 at 17:49 +0100, Felipe Alfaro Solana wrote:
> > On Sat, Feb 28, 2009 at 1:51 PM, Ingo Schwarze wrote:
> > Hi Felipe,
> >
> > Felipe Alfaro Solana wrote on Sat, Feb 28, 2009 at 10:53:50AM +0100:
> > > On Thu, Feb 26, 2009 at 11:13 PM, Ingo Schwarze wrote:
> > >> Jean-Francois wrote on Wed, Feb 25, 2009 at 10:08:22PM +0100:
> >
> > >>> I actually built the following system :
> > >>> - OpenBSD running on a standard AMD platform
> > >>> - This box is actually used as firewall
> > >>> - This box is also used as webserver
> > >>> - This box is finally used as local shared drives via NFS file
> > >>> but only open to subnetwork through PF
> >
> > >> NFS is not designed with security in mind. It transmits data
> > >> unencrypted. It has no real authentication and no real access
> > >> control. It is designed for strictly private networks with
> > >> no external access that no potential attackers have access to.
> >
> > > Just to clarify,
> >
> > On an OpenBSD list, i am talking about NFS on OpenBSD (-current
> > and -stable), and that's NFSv3. ;-)
> > Of course, you are right that i could have mentioned that.
> >
> > > NFSv4 does not necessarily transmit data in clear text.
> > > NFSv4 allows one to use encryption and/or data authentication.
> >
> > That doesn't help the original poster because NFSv4 is not
> > available on OpenBSD. See
> >
> > http://marc.info/?l=openbsd-misc&m=123469849717017
> > Peter Hessler wrote on Feb 15, 2009:
> > "openbsd uses nfsv3 over ipv4.
> > nfsv4 is still being worked on, but is not ready."
> >
> > Well, if NFSv4 is not an option for OpenBSD, then it's clear that NFS
> > on OpenBSD is a very poor choice due to lack of proper authentication
> > and encryption :)
> >
> > > NFSv3 and older versions do not use encryption at all,
> > > but you can use IPSec to protect it at the network layer.
> >
> > I do not know enough about IPSec to judge whether and under which
> > conditions it's viable, effective and efficient to secure NFS usage
> > in an internal network that attackers have access to by using IPSec
> > between the NFS server and each NFS client. Maybe this could be
> > an option.
> >
> > Of course if the attacker can gain remote access to the machine, IPSec
> > is not very useful since the attacker can probably retrieve the
> > encryption keys from the kernel :)
> >
> > IPSec is only useful to prevent attacks (replay, sniff, etc.) from the
> > network. Thanks for pointing this out.
> >
> > But even if that's sound, which i neither claim nor deny, it's still
> > a bad idea to run purely internal services on a firewall, no matter
> > whether they use encryption or not.
> >
> > And I totally agree with you, Mixing firewall services with services
> > like Web or file/print services is a recipe for disaster.

--
http://www.felipe-alfaro.org/blog/disclaimer/
Re: Where is "Secure by default" ?
On Mon, Mar 9, 2009 at 3:36 PM, irix wrote:
> Hello Misc,
>
> www.openbsd.org says "Only two remote holes in the default
> install, in more than 10 years!", but this is not true. I use OpenBSD
> as a customer, not as an administrator. And my OpenBSD was attacked
> by a simple MiTM attack on the ARP protocol. How then can we talk about
> "security by default"?
> For example, FreeBSD solved this very simply, with this patch
> http://freecap.ru/if_ether.c.patch
> When this is introduced in OpenBSD, can you then say with confidence
> that the system is really "Secure by default"?

ARP is insecure by default. If you care, move to IPv6 and use IPSec/SeND.
Re: arp MiTM
On Mon, Mar 9, 2009 at 1:11 PM, irix wrote:
> Hello Misc,
>
> How to protect your server from such attacks without the use of static arp
> entries?
> For FreeBSD 5.0 a patch, arp_antidote, was written
> (http://freecap.ru/if_ether.c.patch);
> could somebody port it to OpenBSD?
>
> Also, in FreeBSD it is possible to specify a flag through ifconfig
> on the interface, "staticarp", whereby "If the Address Resolution Protocol is
> enabled, the host will only reply to requests for its addresses, and will
> never send any requests."
> Could you add this flag to OpenBSD?

ARP is insecure, no matter how many patches you apply or how many hacks you
try. If you want something more secure, use 802.1X, use security on the
switch, use IPv6+IPSec/SeND, etc.
Re: NFS or SAMBA ?
On Mon, Mar 9, 2009 at 4:56 PM, Henning Brauer wrote:
> * Guillermo Bernaldo de Quiros Maraver [2009-02-13 21:06]:
> > if you have a shared network between WINDOWS and OpenBSD i recommend
> > Samba if not, NFS
> >
> > NFS => Insecure
> > SAMBA => Has problems, but it's more secure.
>
> that is the most ridiculous bullshit I have ever read here in some time.

Why exactly do you think that is bullshit?
Re: question about net.inet.carp.preempt
On Thu, Apr 23, 2009 at 12:05 PM, Imre Oolberg wrote:
> Hallo!
>
> I would like to confirm my understanding of how carp works and if the
> following holds generally true.
>
> After having on all participating nodes set to
>
> # sysctl -w net.inet.carp.preempt=0

AFAIK CARP preempt has meaning only in the context of the machine to which
it applies. When CARP preempt is enabled, in a machine with multiple CARP
interfaces, whenever one CARP interface fails over, all other CARP
interfaces in the machine fail over too.

I'm using this on my 2-firewall configuration (active-passive) where each
machine has two CARP interfaces: an internal interface and an
Internet-facing interface. Whenever one of the interfaces fails over, the
other does too. This way, both interfaces are either master or backup at
the same time. This avoids the case where the internal interface is master
and the Internet-facing interface is backup (or the opposite).

> one could change advskew value and actually no carp takeover takes place
> automatically until issuing on the becoming master node
>
> # ifconfig carp-interface-name state master
>
> or on becoming backup node
>
> # ifconfig carp-interface-name state backup
>
> After that the carp master and backup change roles.
>
> On the other hand, if all participating nodes are set to
>
> # sysctl -w net.inet.carp.preempt=1
>
> then under similar changes in advskew carp takeover happens automatically,
> i.e. master and backup change roles and 'state master' or 'state backup'
> needn't be issued manually. (As merriam-webster says in one case for
> preemptive being 'marked by the seizing of the initiative; initiated by
> oneself')
>
>
> Imre
>
> PS The scope of this experiment is takeover within a particular carp group
> (practically between two physical interfaces) and not for all carp groups
> as in the case of a firewall with several physical interfaces.

--
http://www.felipe-alfaro.org/blog/disclaimer/
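The failure mode the reply above describes (internal carp interface MASTER while the Internet-facing one is BACKUP) is easy to check for from a cron job. The script below is an added example, not from the thread or from OpenBSD; the function names are mine, and it assumes the `carp: STATE carpdev ...` line format that OpenBSD 4.x `ifconfig carp` prints, fed in on stdin.

```shell
#!/bin/sh
# Added example (not from the thread): detect split CARP state on one box,
# i.e. one carp interface MASTER while another is BACKUP. This is the case
# net.inet.carp.preempt=1 is meant to avoid; to make that persistent, add
#   net.inet.carp.preempt=1
# to /etc/sysctl.conf. The parser assumes OpenBSD 4.x `ifconfig carp` output.

# carp_states: read `ifconfig carp` output on stdin and print
# "<ifname> <STATE>" (e.g. "carp0 MASTER") for every carp interface found.
carp_states() {
    awk '
        /^[a-z]+[0-9]+:/ { ifn = $1; sub(":", "", ifn) }   # interface header line
        $1 == "carp:"    { print ifn, $2 }                 # "carp: MASTER carpdev ..."
    '
}

# carp_verdict: read `ifconfig carp` output on stdin and print one word:
#   ok     every carp interface reports the same state (all MASTER or all BACKUP)
#   split  the interfaces disagree, which is the condition discussed above
#   none   no carp interface was found in the input
carp_verdict() {
    carp_states | awk '
        { seen[$2] = 1 }
        END {
            c = 0
            for (k in seen) c++
            if (c == 0) print "none"; else if (c == 1) print "ok"; else print "split"
        }
    '
}

# Constructed sample (OpenBSD 4.x ifconfig format), not captured from a real
# host: internal carp0 is MASTER while the Internet-facing carp1 is BACKUP.
SAMPLE_SPLIT='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:02
        carp: BACKUP carpdev em1 vhid 2 advbase 1 advskew 100
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255'

# Constructed sample where both interfaces failed over together (all BACKUP),
# which is what preempt=1 produces when one carpdev loses link.
SAMPLE_OK='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev em0 vhid 1 advbase 1 advskew 100
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev em1 vhid 2 advbase 1 advskew 100'

# carp_report: print a human-readable verdict for an ifconfig dump given as $1.
carp_report() {
    case "$(printf '%s\n' "$1" | carp_verdict)" in
        ok)    echo "OK: all carp interfaces in the same state" ;;
        none)  echo "no carp interfaces found" ;;
        split) echo "SPLIT STATE: carp interfaces disagree"
               printf '%s\n' "$1" | carp_states | sed 's/^/  /' ;;
    esac
}

# Demo on the constructed samples; on a live firewall use:
#   ifconfig carp | carp_verdict
if [ "${CARP_DEMO:-}" = 1 ]; then
    carp_report "$SAMPLE_SPLIT"
    carp_report "$SAMPLE_OK"
fi
```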
Re: Transparent firewall (bridge) with DMZ + LAN
On Fri, Apr 24, 2009 at 12:12 PM, openbsder wrote:
> I am currently interested in setting up a three-legged network topology,
> using OBSD+PF as the firewall appliance. Originally, I was going to simply
> have the firewall equipped with three network cards: one for DMZ, one for
> LAN, the other for EXT/WAN/Internet (whatever you call this). The idea was
> for a switch to be used on both DMZ and LAN, providing NAT on both
> segments. Pretty straight forward.
>
> Recently, it has been suggested that a transparent firewall implementation
> is ideal where possible. But as far as I understand, transparency is only
> available when the firewall acts as a bridge between TWO networks. How
> would I keep my DMZ and LAN both while using a bridging firewall. Is it
> even possible?

What do you mean? Whether OpenBSD supports bridging? Whether PF supports
L2-based filtering? Whether you can have two interfaces in a bridge and
have, at the same time, L2-based filtering and L3-based filtering? By
L2-based filtering I mean having the firewall inspect frames/packets from
interfaces that are bridged together that do not have an IP address
configured (i.e. L2-switching).

--
http://www.felipe-alfaro.org/blog/disclaimer/
Re: Transparent firewall (bridge) with DMZ + LAN
On Sat, Apr 25, 2009 at 3:57 PM, Henning Brauer wrote:
> * openbsder [2009-04-24 12:19]:
> > Recently, it has been suggested that a transparent firewall
> > implementation is ideal where possible. But as far as I understand,
> > transparency is only available when the firewall acts as a bridge
> > between TWO networks. How would I keep my DMZ and LAN both while using
> > a bridging firewall. Is it even possible?
>
> yes. lots of idiots do it.

Really? What's wrong with transparent bridging? What's wrong with a
transparent, in-line IDS? What's wrong with a software tap? All of these
technologies use some sort of transparent bridging and are not being used
exclusively by idiots, but also by smart people [1] [2]

[1] http://eatingsecurity.blogspot.com/2007/09/transparent-bridging-mmap-pcap-and.html
[2] http://www.shiftedbit.net/IDS.txt
[3] http://www.securityfocus.com/infocus/1737

> bridging is stupid. don't. there are cases where you can't avoid it,
> but deliberately? about as clever as knowingly drinking methanol.

Bridging, in the ample sense, is not stupid. Your switch is doing that.
Bridging, in the sense of firewalls, is also not stupid. There are reasons
why you want to use a transparent bridging-mode firewall.

> --
> Henning Brauer, h...@bsws.de, henn...@openbsd.org
> BS Web Services, http://bsws.de
> Full-Service ISP - Secure Hosting, Mail and DNS Services
> Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam

--
http://www.felipe-alfaro.org/blog/disclaimer/
Re: Transparent firewall (bridge) with DMZ + LAN
On Sun, Apr 26, 2009 at 9:21 PM, bofh wrote:
> Anyone who puts in an inline IDS is a damned idiot. D stands for
> detection, so you should always use a tap or something else. Only IPS
> should be inline.

You should provide arguments, not empty words. At least, if you are calling
people idiots.

> You obviously do not know what you're talking about. Things like NAT
> have their uses too, but people who design networks including DMZs and
> networks that require external routing but put them behind NATs
> deserve everything they get.

I don't know what DMZ and NAT have to do with what we're discussing here.
Instead of calling people idiots you could provide valid reasoning
supported by arguments.

> On 4/26/09, Felipe Alfaro Solana wrote:
> > On Sat, Apr 25, 2009 at 3:57 PM, Henning Brauer wrote:
> >
> >> * openbsder [2009-04-24 12:19]:
> >> > Recently, it has been suggested that a transparent firewall
> >> > implementation is ideal where possible. But as far as I understand,
> >> > transparency is only available when the firewall acts as a bridge
> >> > between TWO networks. How would I keep my DMZ and LAN both while
> >> > using a bridging firewall. Is it even possible?
> >>
> >> yes. lots of idiots do it.
> >
> > Really? What's wrong with transparent bridging? What's wrong with a
> > transparent, in-line IDS? What's wrong with a software tap? All of these
> > technologies use some sort of transparent bridging and are not being used
> > exclusively by idiots, but also smart people [1] [2]
> >
> > [1] http://eatingsecurity.blogspot.com/2007/09/transparent-bridging-mmap-pcap-and.html
> > [2] http://www.shiftedbit.net/IDS.txt
> > [3] http://www.securityfocus.com/infocus/1737
> >
> >> bridging is stupid. don't. there are cases where you can't avoid it,
> >> but deliberately? about as clever as knowingly drinking methanol.
> >
> > Bridging, in the ample sense, is not stupid. Your switch is doing that.
> > Bridging, in the sense of firewalls, is also not stupid. There are reasons
> > why you want to use a transparent bridging-mode firewall.
> >
> >> --
> >> Henning Brauer, h...@bsws.de, henn...@openbsd.org
> >> BS Web Services, http://bsws.de
> >> Full-Service ISP - Secure Hosting, Mail and DNS Services
> >> Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
> >
> > --
> > http://www.felipe-alfaro.org/blog/disclaimer/
>
> --
> Sent from my mobile device
>
> http://www.glumbert.com/media/shift
> http://www.youtube.com/watch?v=tGvHNNOLnCk
> "This officer's men seem to follow him merely out of idle curiosity."
> -- Sandhurst officer cadet evaluation.
> "Securing an environment of Windows platforms from abuse - external or
> internal - is akin to trying to install sprinklers in a fireworks
> factory where smoking on the job is permitted." -- Gene Spafford
> learn french: http://www.youtube.com/watch?v=j1G-3laJJP0&feature=related

--
http://www.felipe-alfaro.org/blog/disclaimer/
Re: Transparent firewall (bridge) with DMZ + LAN
On Mon, Apr 27, 2009 at 1:10 AM, bofh wrote:
> It's called going off on a related tangent - whenever I hear people
> talking about using something because someone has published a paper
> and here's all these smart people using it (transparent bridging, etc,
> or in my case natting externally accessible/routable hosts), it pisses
> me off.
>
> People use it because they have a need to do something. When you're
> told there's a better way to do things, pay attention, instead of
> telling the experts here (and I'm talking about the openbsd developers
> in this thread - not me, I'm in management now, no brain cells left)
> they're wrong because you have all these great URLs - if you want to
> listen to those people, then you should be using the OS they use too.

Still no arguments on why idiots use transparent firewalls. Good to know.

> On 4/26/09, Felipe Alfaro Solana wrote:
> > On Sun, Apr 26, 2009 at 9:21 PM, bofh wrote:
> >
> >> Anyone who puts in an inline IDS is a damned idiot. D stands for
> >> detection, so you should always use a tap or something else. Only IPS
> >> should be inline.
> >
> > You should provide arguments, not empty words. At least, if you are
> > calling people idiots.
> >
> >> You obviously do not know what you're talking about. Things like NAT
> >> have their uses too, but people who design networks including DMZs and
> >> networks that require external routing but put them behind NATs
> >> deserve everything they get.
> >
> > I don't know what DMZ and NAT have to do with what we're discussing here.
> > Instead of calling people idiots you could provide valid reasoning
> > supported by arguments.
> >
> >> On 4/26/09, Felipe Alfaro Solana wrote:
> >> > On Sat, Apr 25, 2009 at 3:57 PM, Henning Brauer wrote:
> >> >
> >> >> * openbsder [2009-04-24 12:19]:
> >> >> > Recently, it has been suggested that a transparent firewall
> >> >> > implementation is ideal where possible. But as far as I understand,
> >> >> > transparency is only available when the firewall acts as a bridge
> >> >> > between TWO networks. How would I keep my DMZ and LAN both while
> >> >> > using a bridging firewall. Is it even possible?
> >> >>
> >> >> yes. lots of idiots do it.
> >> >
> >> > Really? What's wrong with transparent bridging? What's wrong with a
> >> > transparent, in-line IDS? What's wrong with a software tap? All of
> >> > these technologies use some sort of transparent bridging and are not
> >> > being used exclusively by idiots, but also smart people [1] [2]
> >> >
> >> > [1] http://eatingsecurity.blogspot.com/2007/09/transparent-bridging-mmap-pcap-and.html
> >> > [2] http://www.shiftedbit.net/IDS.txt
> >> > [3] http://www.securityfocus.com/infocus/1737
> >> >
> >> >> bridging is stupid. don't. there are cases where you can't avoid it,
> >> >> but deliberately? about as clever as knowingly drinking methanol.
> >> >
> >> > Bridging, in the ample sense, is not stupid. Your switch is doing that.
> >> > Bridging, in the sense of firewalls, is also not stupid. There are
> >> > reasons why you want to use a transparent bridging-mode firewall.
> >> >
> >> >> --
> >> >> Henning Brauer, h...@bsws.de, henn...@openbsd.org
> >> >> BS Web Services, http://bsws.de
> >> >> Full-Service ISP - Secure Hosting, Mail and DNS Services
> >> >> Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
> >> >
> >> > --
> >> > http://www.felipe-alfaro.org/blog/disclaimer/
> >>
> >> --
> >> Sent from my mobile device
> >>
> >> http://www.glumbert.com/media/shift
> >> http://www.youtube.com/watch?v=tGvHNNOLnCk
> >> "This officer's men seem to follow him merely out of idle curiosity."
> >> -- Sandhurst officer cadet evaluation.
> >> "Securing an environment of Windows platforms from abuse - external or
> >> internal - is akin to trying to install sprinklers in a fireworks
> >> factory where smoking on the job is permitted." -- Gene Spafford
> >> learn french: http://www.youtube.com/watch?v=j1G-3laJJP0&feature=related
> >
> > --
> > http://www.felipe-alfaro.org/blog/disclaimer/
>
> --
> Sent from my mobile device
>
> http://www.glumbert.com/media/shift
> http://www.youtube.com/watch?v=tGvHNNOLnCk
> "This officer's men seem to follow him merely out of idle curiosity."
> -- Sandhurst officer cadet evaluation.
> "Securing an environment of Windows platforms from abuse - external or
> internal - is akin to trying to install sprinklers in a fireworks
> factory where smoking on the job is permitted." -- Gene Spafford
> learn french: http://www.youtube.com/watch?v=j1G-3laJJP0&feature=related

--
http://www.felipe-alfaro.org/blog/disclaimer/
Re: Transparent firewall (bridge) with DMZ + LAN
On Mon, Apr 27, 2009 at 5:10 AM, Daniel Ouellet wrote:
> patrick keshishian wrote:
>
>> On Sun, Apr 26, 2009 at 4:10 PM, bofh wrote:
>>
>>> It's called going off on a related tangent - whenever I hear people
>>> talking about using something because someone has published a paper
>>> and here's all these smart people using it (transparent bridging, etc,
>>> or in my case natting externally accessible/routable hosts), it pisses
>>> me off.
>>>
>>> People use it because they have a need to do something. When you're
>>> told there's a better way to do things, pay attention, instead of
>>> telling the experts here (and I'm talking about the openbsd developers
>>> in this thread - not me, I'm in management now, no brain cells left)
>>> they're wrong because you have all these great URLs - if you want to
>>> listen to those people, then you should be using the OS they use too.
>>
>> so you prefer to take someone's word blindly without any backing
>> evidence or facts, so long as you believe they are a credible source?
>
> Well, let's say that if they spend years developing the system, including PF
> and the capability of bridge and the same people tell me that it's bad to
> do so. Well, HELL yes I would listen to them. They are better minds than me
> and they have the code to back it up as well as their saying too.
>
> So, to that answer yes. They are a credible source, they design it for
> crying wolf.
>
>> Maybe management is a good place for you, but I'd hate to be a
>> shareholder in a company people like you may have any sort of
>> influential role in steering its goals and/or direction.
>
> Not relevant at all. But even if that was, contrary to the majority of
> managers that only listen to marketing vapor ware, or oppose to dig up
> themselves, this might, may be very good to listen to the source of reason,
> and not to say as well the origin of the product oppose to marketing people,
> then yes. I would. Most managers wouldn't even understand it anyway and there
> are exceptions, but by all means not the norm, so your analogy is pointless
> and off topic.
>
>> "Perhaps as one of the older generation, I should preach a
>> little sermon to you, but I do not propose to do so. I shall,
>> instead, give you a word of advice about how to behave
>> toward your elders. When an old and distinguished person
>> speaks to you, listen to him carefully and with respect -- but
>> do not believe him. Never put your trust in anything but your
>> own intellect. Your elder, no matter whether he has gray hair
>> or lost his hair, no matter whether he is a Nobel Laureate,
>> may be wrong... So you must always be skeptical -- always
>> think for yourself."
>
> I am so glad for you that you were born with the knowledge you need already
> and do not need to listen to anyone that might speak from years of
> experience. I envy you really I do! I can't claim that gift from birth
> itself.
>
> Some might become senile at old age, yes, by the simple fact of getting
> older. Still the natural path of life as we know it. May you be blessed as to
> never suffer that sad outcome.
>
> But, many are still very sound and a few of them opposed to the "young
> padawan" with the hope to maybe become Jedi one day, don't need to prove
> anything to anyone anymore, and actually provide valuable information from
> experience without asking anything in return and without alternate
> motivations other than helping whoever is willing to listen. Many are not
> withholding knowledge in the hopes of getting ahead and screwing you over in
> the process to get an edge over you. Yes, it's rare, but there are still many
> people like that. I guess it comes with self confidence and actual real
> knowledge. I actually welcome their input. But do as you wish, no one is
> stopping you really. (;>
>
> As for why not to do a bridge setup. Maybe something as simple as one
> example that comes to mind. Your bridge needs to work in promiscuous mode
> and will see, receive and process all kind of crap that it wouldn't need to
> do otherwise.

For a two-interface router/firewall, most of the traffic that reaches it
will probably have to traverse it anyway, so I don't see how a
two-interface bridge or a two-interface router will have different
workloads.

But, fortunately, someone on this thread pointed out good technical
arguments on why bridging in OpenBSD is perhaps not a good idea. But, to
me, it doesn't mean that bridging firewalls are a bad idea on other
platforms.

> More resources will be used on the bridge that could be better used
> elsewhere. Should I also add that a misconfiguration of a bridge can stay
> undetected for years, opposed to a misconfiguration of a decent firewall
> not in bridge mode which would become more obvious sooner in most cases
> anyway. Call that security by default setup if you like. (;>
>
> Don't forget that the simple action of putting a box in bridge mode has the
> effect of passing all traffic across it. You may think
Re: Transparent firewall (bridge) with DMZ + LAN
On Mon, Apr 27, 2009 at 1:00 PM, Henning Brauer wrote:
> * Felipe Alfaro Solana [2009-04-27 11:56]:
> > For a two-interface router/firewall, most of the traffic that reaches it
> > will probably have to traverse it anyway, so I don't see how a
> > two-interface bridge or a two-interface router will have different
> > workloads.
>
> it has been pointed out, but if you don't read it the first time there
> is no point in repeating...

I saw some pretty good arguments from Daniel, but no data backing them up.
I will need to search a bit around to understand why a two-interface
bridging firewall will see more interrupts and data traffic than a
two-interface routing firewall.

> > But, fortunately, someone on this thread pointed out good technical
> > arguments on why bridging in OpenBSD is perhaps not a good idea.
>
> .
>
> > But, to me, it doesn't mean that bridging firewalls are a bad idea on
> > other platforms.
>
> That is because, to you, networking and operating system internals are
> apparently black magic. It is not an OpenBSD problem.

Again, not a single or valid technical argument on why a bridging firewall
is a bad idea. Just a moot and offensive response, and a very strong
assessment from someone that doesn't know me at all. It's also very sad to
see so many impolite answers in this list. Perhaps saying "are apparently
black magic" would be more appropriate.

> --
> Henning Brauer, h...@bsws.de, henn...@openbsd.org
> BS Web Services, http://bsws.de
> Full-Service ISP - Secure Hosting, Mail and DNS Services
> Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam

--
http://www.felipe-alfaro.org/blog/disclaimer/
Re: Transparent firewall (bridge) with DMZ + LAN
On Mon, Apr 27, 2009 at 2:52 PM, Marcello Cruz wrote:
> Hey guys,
>
> There are some articles that may bring some light to the discussion:
> * http://en.wikipedia.org/wiki/Network_bridge (best bet)
> * http://en.wikipedia.org/wiki/Bridging_(networking)
> * http://en.wikipedia.org/wiki/Transparent_bridge
> * http://www.cisco.com/en/US/docs/internetworking/technology/handbook/Bridging-Basics.html

I was talking about something like:

http://www.snort.org/docs/snort_manual/node16.html
http://snort-inline.sourceforge.net/
http://en.hakin9.org/attachments/hakin9_6-2006_str22-33_snort_EN.pdf

and not a pure bridge, as described in the links you sent.

> Best,
> Marcello
>
> ----- Original Message -----
> From: "Daniel Ouellet"
> To: "Openbsd-Misc"
> Sent: Monday, April 27, 2009 12:10 AM
> Subject: Re: Transparent firewall (bridge) with DMZ + LAN
>
>> patrick keshishian wrote:
>>
>>> On Sun, Apr 26, 2009 at 4:10 PM, bofh wrote:
>>>> It's called going off on a related tangent - whenever I hear people
>>>> talking about using something because someone has published a paper
>>>> and here's all these smart people using it (transparent bridging, etc,
>>>> or in my case natting externally accessible/routable hosts), it pisses
>>>> me off.
>>>>
>>>> People use it because they have a need to do something. When you're
>>>> told there's a better way to do things, pay attention, instead of
>>>> telling the experts here (and I'm talking about the openbsd developers
>>>> in this thread - not me, I'm in management now, no brain cells left)
>>>> they're wrong because you have all these great URLs - if you want to
>>>> listen to those people, then you should be using the OS they use too.
>>>
>>> so you prefer to take someone's word blindly without any backing
>>> evidence or facts, so long as you believe they are a credible source?
>>
>> Well, let's say that if they spend years developing the system, including PF
>> and the capability of bridge and the same people tell me that it's bad to
>> do so. Well, HELL yes I would listen to them. They are better minds than me
>> and they have the code to back it up as well as their saying too.
>>
>> So, to that answer yes. They are a credible source, they design it for
>> crying wolf.
>>
>>> Maybe management is a good place for you, but I'd hate to be a
>>> shareholder in a company people like you may have any sort of
>>> influential role in steering its goals and/or direction.
>>
>> Not relevant at all. But even if that was, contrary to the majority of
>> managers that only listen to marketing vapor ware, or oppose to dig up
>> themselves, this might, may be very good to listen to the source of reason,
>> and not to say as well the origin of the product oppose to marketing people,
>> then yes. I would. Most managers wouldn't even understand it anyway and there
>> are exceptions, but by all means not the norm, so your analogy is pointless
>> and off topic.
>>
>>> "Perhaps as one of the older generation, I should preach a
>>> little sermon to you, but I do not propose to do so. I shall,
>>> instead, give you a word of advice about how to behave
>>> toward your elders. When an old and distinguished person
>>> speaks to you, listen to him carefully and with respect -- but
>>> do not believe him. Never put your trust in anything but your
>>> own intellect. Your elder, no matter whether he has gray hair
>>> or lost his hair, no matter whether he is a Nobel Laureate,
>>> may be wrong... So you must always be skeptical -- always
>>> think for yourself."
>>
>> I am so glad for you that you were born with the knowledge you need already
>> and do not need to listen to anyone that might speak from years of
>> experience. I envy you really I do! I can't claim that gift from birth
>> itself.
>>
>> Some might become senile at old age, yes, by the simple fact of getting
>> older. Still the natural path of life as we know it. May you be blessed as to
>> never suffer that sad outcome.
>>
>> But, many are still very sound and a few of them opposed to the "young
>> padawan" with the hope to maybe become Jedi one day, don't need to prove
>> anything to anyone anymore, and actually provide valuable information from
>> experience without asking anything in return and without alternate
>> motivations other than helping whoever is willing to listen. Many are not
>> withholding knowledge in the hopes of getting ahead and screwing you over in
>> the process to get an edge over you. Yes, it's rare, but there are still many
>> people like that. I guess it comes with self confidence and actual real
>> knowledge. I actually welcome their input. But do as you wish, no one is
>> stopping you really. (;>
>>
>> As for why not to do a bridge setup. Maybe something as simple as one
>> example that comes to mind. Your bridge needs to work in promiscuous mode
>> and will see, receive and process all kind of crap that it wouldn't need to
>> do otherwise.
>>
>> More resources will be used on the
Re: Transparent firewall (bridge) with DMZ + LAN
On Mon, Apr 27, 2009 at 8:11 PM, Ted Unangst wrote:
> On Mon, Apr 27, 2009 at 10:25 AM, Felipe Alfaro Solana wrote:
> > Again, not a single or valid technical argument on why a bridging
> > firewall is a bad idea. Just a moot and offensive response, and a very
> > strong assessment from someone that doesn't know me at all. It's also
> > very sad to see so many impolite answers in this list. Perhaps saying
> > "are apparently black magic" would be more appropriate.
>
> http://marc.info/?l=openbsd-misc&m=124082008204226&w=2
>
> You can either read the code or listen to somebody who has. I don't
> know you either, but I know Henning and I know the bridge code, and
> the short version is he's right.

And again, I think you mean that running a bridge under OpenBSD is perhaps
not the fastest or brightest solution. And I trust you. But again, I have
yet to hear a single technical argument on why running, for example, Snort
inline on other platforms is a bad idea and makes one stupid.

--
http://www.felipe-alfaro.org/blog/disclaimer/
Re: Transparent firewall (bridge) with DMZ + LAN
On Tue, Apr 28, 2009 at 1:16 AM, Robert wrote:
> On Mon, 27 Apr 2009 23:20:07 +0200
> Felipe Alfaro Solana wrote:
>
> > And again, I think you mean that running a bridge under OpenBSD is
> > perhaps not the fastest or brightest solution. And I trust you, But
> > again, I have yet to hear a single technical argument on why running,
> > for example, Snort inline on other platforms is a bad idea and makes
> > one stupid.
>
> (Looks like we aren't out of trollfood, yet. ;)

Are you calling me a troll? :)

> You want an example why it is bad to put sensors inline?
> One word: Downtime.

The same holds true for a firewall. If you have a firewall between your DMZ
and your internal network and it goes down, unless you are using a HA
solution (like one using CARP), then you are screwed anyway.

> If your bridge breaks the network, you can be happy if the insurance
> covers it the first time it happens.
> Contracts and lawyers will get involved and that isn't fun.
> And even if you don't end up having to pay anything, the hair and years
> of life expectancy lost isn't worth it.
>
> Why risk it, when a tap is so much better?

A tap is not a firewall. You can't use the tap to filter traffic you don't
want.

> (Exceptions prove the rule of sumthin :)
>
> - Robert

--
http://www.felipe-alfaro.org/blog/disclaimer/
Re: Transparent firewall (bridge) with DMZ + LAN
On Tue, Apr 28, 2009 at 1:29 AM, Fred Crowson wrote:
> On 4/27/09, Felipe Alfaro Solana wrote:
> > On Mon, Apr 27, 2009 at 8:11 PM, Ted Unangst wrote:
> >
> >> On Mon, Apr 27, 2009 at 10:25 AM, Felipe Alfaro Solana wrote:
> >> > Again, not a single or valid technical argument on why a bridging firewall
> >> > is a bad idea. Just a moot and offensive response, and a very
> >> > strong assessment from someone that doesn't know me at all. It's also very
> >> > sad to see so many impolite answers in this list. Perhaps saying "are
> >> > apparently black magic" would be more appropriate.
> >>
> >> http://marc.info/?l=openbsd-misc&m=124082008204226&w=2
> >>
> >> You can either read the code or listen to somebody who has. I don't
> >> know you either, but I know Henning and I know the bridge code, and
> >> the short version is he's right.
> >>
> >
> > And again, I think you mean that running a bridge under OpenBSD is perhaps
> > not the fastest or brightest solution. And I trust you, But again, I have
> > yet to hear a single technical argument on why running, for example, Snort
> > inline on other platforms is a bad idea and makes one stupid.
>
> You are free to read:
>
> http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/if_bridge.c

Is it something in the "on other platforms" sentence that you don't
understand? The link you provide is for OpenBSD code. And it's now clear
to me that bridging in OpenBSD consumes a lot of resources and developers
dislike it. So I don't get your point.

--
http://www.felipe-alfaro.org/blog/disclaimer/
Re: Transparent firewall (bridge) with DMZ + LAN
On Tue, Apr 28, 2009 at 8:35 AM, Claudio Jeker wrote:
> Did you ever check the security record of snort? It is at least as bad as
> wireshark's but it is sitting in the middle of your network passing
> packets. I couldn't sleep with such a system in my core.
> It is also a lot easier to bypass unnoticed a bridging FW/IDS than a box
> that does actual routing.

I checked and it doesn't look that bad:

http://secunia.com/advisories/product/16919/?task=statistics
http://secunia.com/advisories/product/13116/?task=statistics

In CERT, it looks like there were 4 vulnerabilities in 2008, 4 in 2007 and
currently 2 in 2009 (one of them is related to libpng, which Snort doesn't
link to by default in Linux, and the other one is not specific to Snort).

But I agree that using snort_inline is probably questionable, given how
complex it is and its security record. I also agree that, for passive
systems, using a tap is safer and better.

> Go ahead, use it and get burned, I think you need pain to realize that it is
> bad.

Isn't this how humans learn? By making mistakes and learning from them? :)
Re: Spanish BSD Group
On Wed, Apr 29, 2009 at 9:44 AM, Daniel Gracia Garallar wrote:
> Nice!
>
> I must confess I have a strong bias towards the English language when talking
> about programming, but as a Spanish OpenBSD user I'll try to support the
> group as far as possible.
>
> Good luck on the voyage! ;)

Perhaps it is a good time to start using Spanish when talking about
programming-related topics. After all, Spanish is a very rich language and
there is no need to use anglicisms (unless it is strictly necessary).
dhclient and dynamic IP address
Hi misc,

I've been reading dhclient(8) but still it is not clear to me if
dhclient(8) is supposed to stay in the background to automatically
renew leases. In the manual page it says:

     -d      Forces dhclient to always run as a foreground process. By
             default, dhclient runs in the foreground until it has configured
             the interface, and then will revert to running in the
             background.

So apparently dhclient(8) should be kept in the background waiting for
leases to be renewed. However, if I run "ps ax" I can't see anything
that looks like dhclient(8) is running in the background at all. How
is this supposed to work for DHCP leases for cable/residential users
that are not guaranteed to always keep the same IP?

Thanks in advance.

--
http://www.felipe-alfaro.org/blog/disclaimer/
Re: dhclient and dynamic IP address
On Thu, May 7, 2009 at 10:09 AM, Owain Ainsworth wrote:
> On Thu, May 07, 2009 at 09:57:57AM +0200, Felipe Alfaro Solana wrote:
>> Hi misc,
>>
>> I've been reading dhclient(8) but still it is not clear to me if
>> dhclient(8) is supposed to stay in the background to automatically
>> renew leases. In the manual page it says:
>>
>>      -d      Forces dhclient to always run as a foreground process. By
>>              default, dhclient runs in the foreground until it has configured
>>              the interface, and then will revert to running in the
>>              background.
>>
>> So apparently dhclient(8) should be kept in the background waiting for
>> leases to be renewed. However, if I run "ps ax" I can't see anything
>> that looks like dhclient(8) is running in the background at all. How
>> is this supposed to work for DHCP leases for cable/residential users
>> that are not guaranteed to always keep the same IP?
>>
>> Thanks in advance.
>
> o...@stephanie/pj:~$ pgrep -lf dhclient
> 30516 dhclient: iwn0
> 12511 dhclient: iwn0 [priv]
> 13402 dhclient: em0
> 27486 dhclient: em0 [priv]

I already said before that dhclient is _not_ running at all:

$ pgrep -lf dhclient
$

Any more ideas?
Re: dhclient and dynamic IP address
On Thu, May 7, 2009 at 10:20 AM, Vadim Zhukov wrote:
> On Thursday 07 May 2009 11:57:57 Felipe Alfaro Solana wrote:
>> Hi misc,
>>
>> I've been reading dhclient(8) but still it is not clear to me if
>> dhclient(8) is supposed to stay in the background to automatically
>> renew leases. In the manual page it says:
>>
>>      -d      Forces dhclient to always run as a foreground process.
>> By default, dhclient runs in the foreground until it has configured
>> the interface, and then will revert to running in the background.
>>
>> So apparently dhclient(8) should be kept in the background waiting for
>> leases to be renewed. However, if I run "ps ax" I can't see anything
>> that looks like dhclient(8) is running in the background at all. How
>> is this supposed to work for DHCP leases for cable/residential users
>> that are not guaranteed to always keep the same IP?
>>
>> Thanks in advance.
>
> Check your /var/log/daemon for messages from dhclient. If interface is
> disabled on dhclient start and dhclient can't enable it, then it'll put
> its hands off.

There's nothing in the logs. I've found out what the problem is. My
/etc/hostname.vr2 looked like this:

# cat /etc/hostname.vr2
dhcp
inet 10.255.255.1 255.255.255.0 NONE alias
up

/etc/netstart gets confused about the dhcp and static definitions.
Re: dhclient and dynamic IP address
On Fri, May 8, 2009 at 12:00 AM, Felipe Alfaro Solana wrote:
> On Thu, May 7, 2009 at 10:20 AM, Vadim Zhukov wrote:
>> On Thursday 07 May 2009 11:57:57 Felipe Alfaro Solana wrote:
>>> Hi misc,
>>>
>>> I've been reading dhclient(8) but still it is not clear to me if
>>> dhclient(8) is supposed to stay in the background to automatically
>>> renew leases. In the manual page it says:
>>>
>>>      -d      Forces dhclient to always run as a foreground process.
>>> By default, dhclient runs in the foreground until it has configured
>>> the interface, and then will revert to running in the background.
>>>
>>> So apparently dhclient(8) should be kept in the background waiting for
>>> leases to be renewed. However, if I run "ps ax" I can't see anything
>>> that looks like dhclient(8) is running in the background at all. How
>>> is this supposed to work for DHCP leases for cable/residential users
>>> that are not guaranteed to always keep the same IP?
>>>
>>> Thanks in advance.
>>
>> Check your /var/log/daemon for messages from dhclient. If interface is
>> disabled on dhclient start and dhclient can't enable it, then it'll put
>> its hands off.
>
> There's nothing in the logs. I've found out what the problem is. My
> /etc/hostname.vr2 looked like this:
>
> # cat /etc/hostname.vr2
> dhcp
> inet 10.255.255.1 255.255.255.0 NONE alias
> up
>
> /etc/netstart gets confused about the dhcp and static definitions.
>

Just in case anyone is curious about how I solved the problem:

# cat /etc/dhclient.conf
interface "vr2" {
  supersede domain-name "example.com";
  supersede domain-name-servers 1.2.3.4;
}

alias {
  interface "vr2";
  fixed-address 4.5.6.7;
  option subnet-mask 255.255.255.0;
}

--
http://www.felipe-alfaro.org/blog/disclaimer/
Re: No OS safe??
On Fri, May 8, 2009 at 12:34 PM, Chris Harries wrote:
> This is more of a grammar/wording question, but it does go on to the
> security of OS's in general.
>
> Was having a read of this;
>
> http://www.cbc.ca/technology/story/2009/04/15/ibotnet-trojan.html
>
> And the last comment made me think about OpenBSD. The article closes by
> saying "this shows that no OS is inherently safe" but they are comparing Mac
> and Windows. Could the same also be said about OpenBSD? This here problem of
> downloading a dodgy copy of Photoshop which opens you up for a BotNet is
> something that can affect all OS's. But is that completely true? Can the same
> thing happen to an OpenBSD machine and is there no way around this?

Oh my God! Not again a thread about absolute and inherent security!

> An OS is ultimately about the user as well. My XP machine is fine, but my
> friends' are all ridden to shit, not so much these days with newer Windows,
> but a few years ago everyone's PC was a nightmare, so you take the risk
> downloading a file from BitTorrent of course, but are there measures to
> prevent this happening in the first place? Is OpenBSD as open to this as
> Mac/Windows or is it inherently more secure (of course I know it is but I'm
> aiming that question more specifically at this kind of scenario)

We could debate why OpenBSD is inherently more secure than Windows (in
fact we could debate why almost any operating system is inherently more
secure than Windows). The point here is OpenBSD is inherently more secure
because of the development process, because it's completely open source
software, because there are great developers that understand problems and
know how to solve them and code it properly, because there is a big
community behind it, etc, etc.

In one sentence: please, use whatever you think suits you. There are
things you can't easily do in OpenBSD, like running Quake, so use the best
tool at your disposal. For me, Linux and OpenBSD are the best tools at my
disposal.
Re: No OS safe??
On Fri, May 8, 2009 at 2:48 PM, Ian Turner wrote:
> On Fri, May 8, 2009 at 8:17 AM, Felipe Alfaro Solana wrote:
>> We could debate why OpenBSD is inherently more secure than Windows (in
>> fact we could debate why almost any operating system is inherently
>> more secure than Windows). The point here is OpenBSD is inherently
>> more secure because of the development process, because it's
>> completely open source software, because there are great developers
>> that understand problems and know how to solve them and code it
>> properly, because there is a big community behind, etc, etc.
>
> The key point of what you said, which I think is important to note, is
> that OpenBSD is "more secure." It's easy to prove, and correct to
> say, that OpenBSD is more secure than other operating systems. It's
> much harder to prove that OpenBSD is secure. But, that's also up for
> debate depending on if you interpret "secure" to be synonymous with
> "secure enough" or with "completely secure."

Also, if you throw the end-user into the equation, the definition of what
"completely secure" is becomes meaningless: as long as a user is logged
into the system, even if the software is perfectly secure the system is
very likely to not be completely secure. Nothing will prevent your
end-user from downloading some stupid binary and running it locally,
compromising the end-user's data or the system's integrity.
sendmail vs. other MTAs
Hi misc,

May I ask what's the reason behind having sendmail be the default MTA
in OpenBSD? Why not switch to something that is easier to configure,
like Postfix or EXIM?

--
http://www.felipe-alfaro.org/blog/disclaimer/
Re: sendmail vs. other MTAs
On Sun, May 10, 2009 at 2:02 PM, Jasper Valentijn wrote:
> 2009/5/10 Felipe Alfaro Solana :
>> Hi misc,
>>
>> May I ask what's the reason behind having sendmail be the default MTA
>> in OpenBSD? Why not switching to something that is easier to configure
>> like Postfix or EXIM?
>>
>
> <http://openbsd.com/faq/faq1.html#HowAbout> :)

Why isn't Postfix included?
The license is not free, and thus can not be considered.

And anyways, I found that switching from sendmail to postfix is extremely
easy in OpenBSD.

Thanks!
Re: sendmail vs. other MTAs
On Mon, May 11, 2009 at 7:45 PM, Henning Brauer wrote:
> * Felipe Alfaro Solana [2009-05-10 13:58]:
>> Hi misc,
>>
>> May I ask what's the reason behind having sendmail be the default MTA
>> in OpenBSD? Why not switching to something that is easier to configure
>> like Postfix or EXIM?
>
> exim is a piece of shit using the wrong design that sendmail abandoned
> long ago. and wasn't it GPL or some other unfree license anyway?
> postfix is not free.
> but there is some rumor in usr.sbin/smtpd/ ...

I'm really looking forward to this smtpd thing :)
Re: sendmail vs. other MTAs
On Tue, May 12, 2009 at 7:26 PM, bofh wrote:
> On Tue, May 12, 2009 at 5:35 AM, Henning Brauer wrote:
>> * Dan [2009-05-11 22:24]:
>>> Henning Brauer(lists-open...@bsws.de)@2009.05.11 19:45:57 +0200:
>>> > but there is some rumor in usr.sbin/smtpd/ ...
>>>
>>> This new smtpd better be at least as good as qmail, otherwise - what's
>>> the point?
>>
>> is anyone really thinking it won't be?
>
> Oh boy, this is so rocking my world! I can't wait for it! I went
> from sendmail to vmail/postfix, but they were all still too big and
> complicated for what I really want, just simple mail delivery for my
> home box. This is starting to sound so good! Of course, you guys
> will design it well and make it work for big places, but, damnit,
> openbsd appears to be the only folks who care about usability
> (ipf/ipfilter, I'm looking at you).

I'm also looking for a very simple MTA that I can use at home and have it
configured to relay e-mail without having to write 75 directives in 3
configuration files (and then use m4 or generate the hash-map files, then
reload and cross my fingers).

And if people think usr.sbin/smtpd is not what they are expecting, they
can always use any other MTA. Diversity is good.
Re: sendmail vs. other MTAs
On Tue, May 12, 2009 at 8:07 PM, L. V. Lammert wrote:
> On Tue, 12 May 2009, Felipe Alfaro Solana wrote:
>
>> On Tue, May 12, 2009 at 7:26 PM, bofh wrote:
>> I'm also looking for a very simple MTA that I can use at home and have
>> it configured to relay e-mail without having to write 75 directives in
>> 3 configuration files (and then use m4 or generate the hash-map files,
>> then reload and cross my fingers).
>>
> If you want simple, install Webmin. Runs fine with sendmail, default
> install!

I'm not that crazy to combine something that remembers passwords in
clear text with an MTA that has a horrible security track record.
Re: sendmail vs. other MTAs
On Tue, May 12, 2009 at 9:31 PM, L. V. Lammert wrote:
> At 09:16 PM 5/12/2009 +0200, Felipe Alfaro Solana wrote:
>>
>> > If you want simple, install Webmin. Runs fine with sendmail, default
>> > install!
>>
>> I'm not that crazy to combine something that remembers passwords in
>> clear text with an MTA that has a horrible security track record.
>
> If this is clear text, I want to know where you got your glasses:
>
>         admin:XXl2dzFGzv.Yk:0
>
> Also, if sendmail has such a horrible track record, why is it the default
> MTA on this system? We handle 40K+ emails daily on a single box with no
> problems at all.

http://en.securitylab.ru/nvd/378946.php
route add -interface
Hi misc,

route add allows one to specify a directly-connected route reachable over
an interface, using the -interface switch. However, I can't seem to figure
out if it's possible to specify just the interface name to the -interface
switch. According to the manual page, only an IP address is allowed:

"""
If the destination is directly reachable via an interface requiring no
intermediary system to act as a gateway, the -interface modifier should
be specified; the gateway given is the address of this host on the common
network, indicating the interface to be used for transmission.
"""

The thing is the interface I want to use with the -interface switch does
not have a static IP address. I could script something to get the current
IP address of that interface but it looks hacky to me. Is it possible to do
something like

# route add -net 128.0.0.0/16 -interface vr2

instead in OpenBSD? I'm a little bit confused since adding the route while
using the IP address yields the following entry in the routing table:

128.0/16           link#3             UCS        0        0     -     8 vr2

So, why is it exactly that -interface wants an IP address but does not like
interface names?

Thanks in advance.

--
http://www.felipe-alfaro.org/blog/disclaimer/
Re: route add -interface
On Sun, May 17, 2009 at 9:57 AM, Claudio Jeker wrote:
> On Sun, May 17, 2009 at 01:13:29AM +0200, Felipe Alfaro Solana wrote:
> > Hi misc,
> > route add allows one to specify a directly-connected route reachable over an
> > interface, using the -interface switch. However, I can't seem to figure out
> > if it's possible to specify just the interface name to the -interface
> > switch. According to the manual page, only an IP address is allowed:
> >
> > """
> > If the destination is directly reachable via an interface requiring no
> > intermediary system to act as a gateway, the -interface modifier should
> > be specified; the gateway given is the address of this host on the common
> > network, indicating the interface to be used for transmission.
> > """
> >
> > The thing is the interface I want to use with the -interface switch does not
> > have a static IP address. I could script something to get the current IP
> > address of that interface but looks hacky to me. Is it possible to do
> > something like?
> >
> > # route add -net 128.0.0.0/16 -interface vr2
> >
> > instead in OpenBSD? I'm a little bit confused since adding the route while
> > using the IP address yields the following entry in the routing table:
> >
> > 128.0/16 link#3 UCS 0 0 - 8 vr2
> >
> > So, why is exactly that -interface wants an IP address but does not like
> > interface names?
> >
>
> ifconfig vr2 alias 128.0.0.1/16
>
> This will ensure that everything is correctly set up.
> Doing it with route will most probably cause issues because it will not
> setup everything correctly. You need an IP on that interface in that
> network or it will not work.

Thanks for your reply, Claudio.

Initially, I tried setting up the alias directly in the vr2 interface.
However, I had problems because vr2 is an Internet-facing interface that
uses DHCP. I used to use a custom dhclient.conf configuration file as
described in [1] but, for some reason, when the lease is renewed, I start
to suffer packet loss. A tcpdump capture shows that some TCP connections
are being sourced with the IP alias address and not the public IP address.
That's why I tried using a loopback interface.

This was my custom dhclient.conf:

interface "vr2" {
  supersede domain-name "my.domain";
  supersede domain-name-servers 1.2.3.4;
}

alias {
  interface "vr2";
  fixed-address 128.0.0.1;
  option subnet-mask 255.255.0.0;
}

The first time I invoke dhclient, everything seems to work fine:

# dhclient vr2
DHCPREQUEST on vr2 to 255.255.255.255 port 67
DHCPACK from 10.177.128.1
bound to A.B.C.D -- renewal in 2590 seconds.
# ifconfig vr2
vr2: flags=8843 mtu 1500
        lladdr 00:0d:b9:18:9b:fa
        priority: 0
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::20d:b9ff:fe18:9bfa%vr2 prefixlen 64 scopeid 0x3
        inet A.B.C.D netmask 0xfe00 broadcast 255.255.255.255
        inet 128.0.0.1 netmask 0x broadcast 128.0.255.255

However, if I call dhclient one more time, the martian IP address seems to
become the primary IP address and the public IP address the alias:

# dhclient vr2
DHCPREQUEST on vr2 to 255.255.255.255 port 67
DHCPACK from 10.177.128.1
bound to A.B.C.D -- renewal in 2579 seconds.
# ifconfig vr2
vr2: flags=8843 mtu 1500
        lladdr 00:0d:b9:18:9b:fa
        priority: 0
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::20d:b9ff:fe18:9bfa%vr2 prefixlen 64 scopeid 0x3
        inet 128.0.0.1 netmask 0x broadcast 128.0.255.255
        inet A.B.C.D netmask 0xfe00 broadcast 255.255.255.255

Even more funny, if I want to entirely remove the martian IP address I need
to remove it twice:

# ifconfig vr2
vr2: flags=8843 mtu 1500
        lladdr 00:0d:b9:18:9b:fa
        priority: 0
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::20d:b9ff:fe18:9bfa%vr2 prefixlen 64 scopeid 0x3
        inet 128.0.0.1 netmask 0x broadcast 128.0.255.255
        inet A.B.C.D netmask 0xfe00 broadcast 255.255.255.255
# ifconfig vr2 delete 128.0.0.1
# ifconfig vr2
vr2: flags=8843 mtu 1500
        lladdr 00:0d:b9:18:9b:fa
        priority: 0
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::20d:b9ff:fe18:9bfa%vr2 prefixlen 64 scopeid 0x3
        inet A.B.C.D netmask 0xfe00 broadcast 255.255.255.255
        inet 128.0.0.1 netmask 0x broadcast 128.0.255.25
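A quick check for the address shuffle shown in the ifconfig output above, as an added example that is not part of the thread: the functions below read ifconfig(8) output and report which IPv4 address the interface lists first, which is the one PF's `(if:0)` and plain `(if)` expansions treat as primary. The two captures are constructed from the output quoted in this mail (A.B.C.D stands in for the public lease address, and the 0xffff0000 netmask for the /16 alias is assumed, since the original output lost it), so the script runs offline; on a live box you would pipe the real `ifconfig vr2` into it after each lease renewal.

```shell
#!/bin/sh
# Added example, not from the thread: detect when a DHCP renewal has left the
# static alias listed as the interface's primary (first) IPv4 address.

# Constructed capture: the healthy order, lease address first.
GOOD_CAPTURE='vr2: flags=8843 mtu 1500
        lladdr 00:0d:b9:18:9b:fa
        groups: egress
        inet6 fe80::20d:b9ff:fe18:9bfa%vr2 prefixlen 64 scopeid 0x3
        inet A.B.C.D netmask 0xfe00 broadcast 255.255.255.255
        inet 128.0.0.1 netmask 0xffff0000 broadcast 128.0.255.255'

# Constructed capture: the failure mode from the thread, alias listed first.
BAD_CAPTURE='vr2: flags=8843 mtu 1500
        lladdr 00:0d:b9:18:9b:fa
        groups: egress
        inet6 fe80::20d:b9ff:fe18:9bfa%vr2 prefixlen 64 scopeid 0x3
        inet 128.0.0.1 netmask 0xffff0000 broadcast 128.0.255.255
        inet A.B.C.D netmask 0xfe00 broadcast 255.255.255.255'

# primary_inet: print the first IPv4 address in the ifconfig output read on
# stdin. Only lines whose first field is exactly "inet" count, so inet6 and
# the flags/lladdr lines are skipped.
primary_inet() {
    awk '$1 == "inet" { print $2; exit }'
}

# alias_is_primary ALIAS: succeed (exit 0) when ALIAS is the first IPv4
# address on the interface, i.e. the shuffled state; fail otherwise.
alias_is_primary() {
    [ "$(primary_inet)" = "$1" ]
}

# Live usage (assumption: run on an OpenBSD box where vr2 is the DHCP
# interface and 128.0.0.1 the alias):
#   ifconfig vr2 | alias_is_primary 128.0.0.1 && logger -t lease-check \
#       "vr2: alias 128.0.0.1 has become the primary address"
```

Wiring the live usage line into a cron job, or into the hook that runs after a lease is bound, gives an early warning that outbound NAT is about to start sourcing flows from the alias.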
Re: route add -interface
On Sun, May 17, 2009 at 11:39 AM, Felipe Alfaro Solana <felipe.alf...@gmail.com> wrote:
> On Sun, May 17, 2009 at 9:57 AM, Claudio Jeker wrote:
>
>> On Sun, May 17, 2009 at 01:13:29AM +0200, Felipe Alfaro Solana wrote:
>> > Hi misc,
>> > route add allows one to specify a directly-connected route reachable over an
>> > interface, using the -interface switch. However, I can't seem to figure out
>> > if it's possible to specify just the interface name to the -interface
>> > switch. According to the manual page, only an IP address is allowed:
>> >
>> > """
>> > If the destination is directly reachable via an interface requiring no
>> > intermediary system to act as a gateway, the -interface modifier should
>> > be specified; the gateway given is the address of this host on the common
>> > network, indicating the interface to be used for transmission.
>> > """
>> >
>> > The thing is the interface I want to use with the -interface switch does not
>> > have a static IP address. I could script something to get the current IP
>> > address of that interface but looks hacky to me. Is it possible to do
>> > something like?
>> >
>> > # route add -net 128.0.0.0/16 -interface vr2
>> >
>> > instead in OpenBSD? I'm a little bit confused since adding the route while
>> > using the IP address yields the following entry in the routing table:
>> >
>> > 128.0/16 link#3 UCS 0 0 - 8 vr2
>> >
>> > So, why is exactly that -interface wants an IP address but does not like
>> > interface names?
>> >
>>
>> ifconfig vr2 alias 128.0.0.1/16
>>
>> This will ensure that everything is correctly set up.
>> Doing it with route will most probably cause issues because it will not
>> setup everything correctly. You need an IP on that interface in that
>> network or it will not work.
>
>
> Thanks for your reply, Claudio.
>
> Initially, I tried setting up the alias directly in the vr2 interface.
> However, I had problems because vr2 is an Internet-facing interface that uses
> DHCP. I used to use a custom dhclient.conf configuration file as described in [1]
> but, for some reason, when the lease is renewed, I start to suffer packet
> loss. A tcpdump capture shows that some TCP connections are being sourced
> with the IP alias address and not the public IP address. That's why I tried
> using a loopback interface.
>

The problem with incorrectly-sourced IP datagrams seems to be NAT:

nat on vr2 inet from 172.16.0.1/24 to any -> (vr2) round-robin

This rule is created as:

nat on $ext_if from $int_if:network to any -> ($ext_if)

I understand the problem is the (vr2) round-robin. I have no idea, however,
how to prevent PF from using the two IP addresses (the public IP and the IP
alias). Any ideas how to force NAT to only use 1 IP address (the public IP
address)?

>
> This was my custom dhclient.conf:
>
> interface "vr2" {
>   supersede domain-name "my.domain";
>   supersede domain-name-servers 1.2.3.4;
> }
>
> alias {
>   interface "vr2";
>   fixed-address 128.0.0.1;
>   option subnet-mask 255.255.0.0;
> }
>
> First time I invoke dhclient, everything seems to work fine:
>
> # dhclient vr2
>
> DHCPREQUEST on vr2 to 255.255.255.255 port 67
> DHCPACK from 10.177.128.1
> bound to A.B.C.D -- renewal in 2590 seconds.
> # ifconfig vr2
> vr2: flags=8843 mtu 1500
>         lladdr 00:0d:b9:18:9b:fa
>         priority: 0
>         groups: egress
>         media: Ethernet autoselect (100baseTX full-duplex)
>         status: active
>         inet6 fe80::20d:b9ff:fe18:9bfa%vr2 prefixlen 64 scopeid 0x3
>         inet A.B.C.D netmask 0xfe00 broadcast 255.255.255.255
>         inet 128.0.0.1 netmask 0x broadcast 128.0.255.255
>
> However, if I call dhclient one more time, the martian IP address seems to
> become the primary IP address and the public IP address the alias:
>
> # dhclient vr2
> DHCPREQUEST on vr2 to 255.255.255.255 port 67
> DHCPACK from 10.177.128.1
> bound to A.B.C.D -- renewal in 2579 seconds.
> # ifconfig vr2
> vr2: flags=8843 mtu 1500
>         lladdr 00:0d:b9:18:9b:fa
>         priority: 0
>         groups: egress
>         media: Ethernet autoselect (100baseTX full-duplex)
>         status: active
>         inet6 fe80::20d:b9ff:fe18:9bfa%vr2 prefixlen 64 scopeid 0x3
>
Re: route add -interface
On Sun, May 17, 2009 at 3:38 PM, Stuart Henderson wrote:
> On 2009-05-17, Felipe Alfaro Solana wrote:
> >
> > The problem with incorrectly-sourced IP datagrams seems to be NAT:
> >
> > nat on vr2 inet from 172.16.0.1/24 to any -> (vr2) round-robin
> >
> > This rule is created as:
> >
> > nat on $ext_if from $int_if:network to any -> ($ext_if)
> >
> > I understand the problem is the (vr2) round-robin. I have no idea, however,
> > how to prevent PF from using the two IP addresses (the public IP and the IP
> > alias). Any ideas how to force NAT to only use 1 IP address (the public IP
> > address)?
>
> (vr2:0)
>

Yes and no. The problem seems to be in dhclient-script. Somehow, it has a
funky behavior that leads to what I described above: the IP alias becomes
the primary address and the public IP address becomes a secondary address.
If I "hack" dhclient-script to always keep the IP alias a secondary address
then using (vr2:0) works.

--
http://www.felipe-alfaro.org/blog/disclaimer/
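The two NAT rules this exchange contrasts, side by side as an added pf.conf fragment that is not from the thread: the `$ext_if` macro and the rule follow the poster's own configuration, while the `$int_if` interface name and the comments are assumptions.

```pf
# pf.conf fragment (added example, not the poster's file). Macro names follow
# the rule quoted in the thread; the internal interface name is an assumption.
ext_if = "vr2"    # DHCP-facing interface carrying both the lease address and the alias
int_if = "vr1"    # assumption: LAN interface

# As posted. ($ext_if) expands at run time to every address on vr2, which
# pfctl -s nat shows as "-> (vr2) round-robin": outbound flows alternate
# between the public lease address and the 128.0.0.1 alias, and replies to
# the alias-sourced ones never come back.
# nat on $ext_if from $int_if:network to any -> ($ext_if)

# With the :0 modifier interface aliases are left out, so only the primary
# address of vr2 is used as the translation address.
nat on $ext_if from $int_if:network to any -> ($ext_if:0)
```

After loading the rule set, `pfctl -s nat` shows the expanded form and should no longer carry the `round-robin` keyword. The caveat raised later in the thread still applies: `:0` means "whatever address is currently primary", so if a lease renewal shuffles the alias into the primary slot, PF will faithfully translate to the alias; the fix on the dhclient-script side is what keeps `(vr2:0)` pointing at the lease address.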
Re: route add -interface
On Sun, May 17, 2009 at 3:52 PM, Claudio Jeker wrote: > On Sun, May 17, 2009 at 01:38:07PM +, Stuart Henderson wrote: > > On 2009-05-17, Felipe Alfaro Solana wrote: > > > > > > The problem with incorrectly-sourced IP datagrams seems to be NAT: > > > > > > nat on vr2 inet from 172.16.0.1/24 to any -> (vr2) round-robin > > > > > > This rule is created as: > > > > > > nat on $ext_if from $int_if:network to any -> ($ext_if) > > > > > > I understand the problem is the (vr2) round-robin. I have no idea, > however, > > > how to prevent PF from using the two IP addresses (the public IP and > the IP > > > alias). Any ideas how to force NAT to only use 1 IP address (the public > IP > > > address)? > > > > (vr2:0) > > > > May not work correctly when an address is reassigned because of the way > how ifconfig vr0 delete works. It can happen that after a lease refresh > the two networks are shuffled and so (vr2:0) may get the wrong address. I think I found the root cause and fixed it: --- /etc/dhclient-scriptSun May 17 13:30:02 2009 +++ /sbin/dhclient-script Sat Feb 28 22:33:05 2009 @@ -182,6 +182,8 @@ delete_old_address delete_old_routes fi + # XXX Why add alias we just deleted above? + add_new_alias if [ -f /etc/resolv.conf.save ]; then cat /etc/resolv.conf.save > /etc/resolv.conf fi this seems to avoid the problem where the addresses get shuffled and the alias becomes the primary but, honestly, I'm not entirely sure why. -- http://www.felipe-alfaro.org/blog/disclaimer/
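Review bot: the hunk is the wrong way round for the fix it describes. The `---` side is the edited copy (/etc/dhclient-script, dated May 17) and the `+++` side is the stock /sbin/dhclient-script (Feb 28), so the two `+` lines, `# XXX Why add alias we just deleted above?` and `add_new_alias`, are what the stock script contains and what the edited copy removes; feeding this hunk to patch(1) against the stock script would be flagged as a reversed or already-applied patch. Regenerate it with the stock file as the old side (`diff -u /sbin/dhclient-script /etc/dhclient-script`) and state explicitly that the change is the removal of the `add_new_alias` call. On the logic, the hunk shows `add_new_alias` being called immediately after `delete_old_address` and `delete_old_routes`, before any line in this hunk configures the newly bound lease address, which fits the symptom shown earlier in the thread of the alias being listed as the primary address after a renewal. Removing the call avoids that ordering, but whether the alias is still added elsewhere on the bound path is not visible here, so an `ifconfig vr2` after the next renewal should confirm that both addresses are present and in the expected order.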
Re: route add -interface
On Sun, May 17, 2009 at 4:13 PM, Claudio Jeker wrote:
> On Sun, May 17, 2009 at 11:39:43AM +0200, Felipe Alfaro Solana wrote:
> > On Sun, May 17, 2009 at 9:57 AM, Claudio Jeker wrote:
> >
> > > On Sun, May 17, 2009 at 01:13:29AM +0200, Felipe Alfaro Solana wrote:
> > > > Hi misc,
> > > > route add allows one to specify a directly-connected route reachable over an
> > > > interface, using the -interface switch. However, I can't seem to figure out
> > > > if it's possible to specify just the interface name to the -interface
> > > > switch. According to the manual page, only an IP address is allowed:
> > > >
> > > > """
> > > > If the destination is directly reachable via an interface requiring no
> > > > intermediary system to act as a gateway, the -interface modifier should
> > > > be specified; the gateway given is the address of this host on the common
> > > > network, indicating the interface to be used for transmission.
> > > > """
> > > >
> > > > The thing is the interface I want to use with the -interface switch does not
> > > > have a static IP address. I could script something to get the current IP
> > > > address of that interface but looks hacky to me. Is it possible to do
> > > > something like?
> > > >
> > > > # route add -net 128.0.0.0/16 -interface vr2
> > > >
> > > > instead in OpenBSD? I'm a little bit confused since adding the route while
> > > > using the IP address yields the following entry in the routing table:
> > > >
> > > > 128.0/16 link#3 UCS 0 0 - 8 vr2
> > > >
> > > > So, why is exactly that -interface wants an IP address but does not like
> > > > interface names?
> > > >
> > >
> > > ifconfig vr2 alias 128.0.0.1/16
> > >
> > > This will ensure that everything is correctly set up.
> > > Doing it with route will most probably cause issues because it will not
> > > setup everything correctly. You need an IP on that interface in that
> > > network or it will not work.
> >
> >
> > Thanks for your reply, Claudio.
> >
> > Initially, I tried setting up the alias directly in the vr2 interface.
> > However, I had problems because vr2 is an Internet-facing interface
> > that uses DHCP. I used to use a custom dhclient.conf configuration file
> > as described in [1] but, for some reason, when the lease is renewed, I
> > start to suffer packet loss. A tcpdump capture shows that some TCP
> > connections are being sourced with the IP alias address and not the
> > public IP address. That's why I tried using a loopback interface.
> >
> > This was my custom dhclient.conf:
> >
> > interface "vr2" {
> >   supersede domain-name "my.domain";
> >   supersede domain-name-servers 1.2.3.4;
> > }
> >
> > alias {
> >   interface "vr2";
> >   fixed-address 128.0.0.1;
> >   option subnet-mask 255.255.0.0;
> > }
> >
> > First time I invoke dhclient, everything seems to work fine:
> >
> > # dhclient vr2
> >
> > DHCPREQUEST on vr2 to 255.255.255.255 port 67
> > DHCPACK from 10.177.128.1
> > bound to A.B.C.D -- renewal in 2590 seconds.
> > # ifconfig vr2
> > vr2: flags=8843 mtu 1500
> >         lladdr 00:0d:b9:18:9b:fa
> >         priority: 0
> >         groups: egress
> >         media: Ethernet autoselect (100baseTX full-duplex)
> >         status: active
> >         inet6 fe80::20d:b9ff:fe18:9bfa%vr2 prefixlen 64 scopeid 0x3
> >         inet A.B.C.D netmask 0xfe00 broadcast 255.255.255.255
> >         inet 128.0.0.1 netmask 0x broadcast 128.0.255.255
> >
> > However, if I call dhclient one more time, the martian IP address seems to
> > become the primary IP address and the public IP address the alias:
> >
> > # dhclient vr2
> > DHCPREQUEST on vr2 to 255.255.255.255 port 67
> > DHCPACK from 10.177.128.1
> > bound to A.B.C.D -- renewal in 2579 seconds.
> > # ifconfig vr2
> > vr2: flags=8843 mtu 1500
> >         lladdr 00:0d:b9:18:9b:fa
> >         priority: 0
> >         groups: egress
> >
Re: Kylin
On Mon, May 18, 2009 at 9:31 AM, ropers wrote:
> 2009/5/18 (private) HKS :
> >
> > intellectual property
>
> Hello oxymoron.

Another one: military intelligence :)

--
http://www.felipe-alfaro.org/blog/disclaimer/
Re: multiple videocards... for console text
On Fri, May 22, 2009 at 6:37 AM, Joel Wiramu Pauling wrote: > Just use USB to RS323 convert cables and have as many heads as you like off > of dumb terminals. Or old laptops. RS323? Is that a new "standard"? Or do you mean RS232? :)
Multiple default gateways with different metrics?
Hi openbsd-misc, Is there a way to have two entries in the routing table for the default gateway, one with a low metric (typically 0) and another one with a higher metric? Usually, the route with the lowest metric should be used unless marked invalid or removed. I'm currently using AICCU in an active/active firewall environment. AICCU sets up a default route for the IPv6 internet. If AICCU goes down the entry is removed so a manual route has to be injected in the routing table pointing to the other firewall in the HA group (AICCU can only run in one of the firewalls due to limitations). It would be nice to have a second default route with a higher metric such that if AICCU goes down and removes its default route, the other default route (the one with a higher metric) is left in the routing table and used from there on. Then, the IPv6 internet can be reached over this higher metric router. When AICCU is started again, a new entry will be injected by AICCU using a very low metric, and the route with the high metric won't be used anymore. Is there a way to achieve this other than using ifstated or shell scripts? OSPF won't do the job as it doesn't support IPv6. Thanks for your time. -- http://www.felipe-alfaro.org/blog/disclaimer/
Re: load balanced carp and local routes
On Thu, Oct 23, 2008 at 6:24 AM, <[EMAIL PROTECTED]> wrote: > Greetings list. > > I have a set of four load-balanced carp servers. Here are there > hostname.carp files: > > box1: inet 10.104.72.0 255.255.224.0 NONE carpdev em0 balancing ip-stealth > carpnodes 1:0,2:100,3:100,4:100 > > box2: inet 10.104.72.0 255.255.224.0 NONE carpdev em0 balancing ip-stealth > carpnodes 1:100,2:0,3:100,4:100 > > box3: inet 10.104.72.0 255.255.224.0 NONE carpdev em0 balancing ip-stealth > carpnodes 1:100,2:100,3:0,4:100 > > box4: inet 10.104.72.0 255.255.224.0 NONE carpdev em0 balancing ip-stealth > carpnodes 1:100,2:100,3:100,4:0 > > We notice that the first box (or whichever box holds vhid 1, advskew 0) > has the following route: > 10.104.72.010.104.72.0UH 04 - carp0 > > Thus when box1 pings the carp IP, it responds to itself and none of the > other carp hosts sees the traffic. Not sure about this. I would agree with what you say if instead of carp0 you'd have lo0 in the entry. Having carp0 means the packet will be sent to the CARP interface for processing and hence over the network to the multicast MAC address of the CARP interface, where all nodes in the group will see it. > > This behavior is expected, and useful to us. > > The other three boxes however do not have this route, possessing instead > a route for the carp IP that points to em0: > 10.104.72.0 00:00:5e:00:01:01 UHLc127000 - em0 > > When one of the other three boxes attempts to ping the carp IP all four > boxes sees the traffic and none of them responds. > > This behaviour is neither expected, nor useful to us. > > So my question is, what is carp thinking in this configuration? Am I > wrong to expect that all four load balanced carp hosts should contain a > local route to the carpdev for a shared carp IP? Why would > vhid1,advskew0 be different than the other three? I don't think CARP works the way you expect. 
For each incoming packet, and when using IP balancing, all nodes in the CARP group have to see the traffic (this is achieved by using a multicast MAC address). Even if it's one of the nodes pinging the CARP IP, this process will still apply (loopback processing should not be done). The nodes will apply a hash function to (source IP, destination IP) modulo 4 of the packet received on the CARP interface and the one that sees the result match its vhid will process the packet. Only one node will have the result of the previous function match its vhid when it's master. > > Thanks in advance. > > --dave josephsen > > [demime 1.01d removed an attachment of type application/pgp-signature] > > -- http://www.felipe-alfaro.org/blog/disclaimer/
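A simplified model of the IP-balancing dispatch described above, written as an added example for this thread and not taken from OpenBSD's carp(4) source: every node sees every frame, hashes (source IP, destination IP) modulo the number of vhids, and only the node that is master for the matching vhid accepts the packet. The carpnodes values are the ones quoted from the four hostname.carp files; the hash itself (a truncated SHA-256) and the name-based tie-break on failover are stand-in assumptions, not the kernel's keyed hash.

```python
import hashlib
import ipaddress

# Constructed from the carpnodes lines quoted in the post:
# vhid -> advskew for each box (advskew 0 means master for that vhid).
CARPNODES = {
    "box1": {1: 0, 2: 100, 3: 100, 4: 100},
    "box2": {1: 100, 2: 0, 3: 100, 4: 100},
    "box3": {1: 100, 2: 100, 3: 0, 4: 100},
    "box4": {1: 100, 2: 100, 3: 100, 4: 0},
}
CARP_IP = "10.104.72.0"
NUM_VHIDS = 4


def master_of(vhid, alive=None):
    """Master for a vhid among the alive nodes: lowest advskew wins.
    Ties are broken by node name here, which is an assumption of this
    model only (real CARP resolves ties differently)."""
    alive = CARPNODES if alive is None else {n: CARPNODES[n] for n in alive}
    return min(alive, key=lambda n: (alive[n][vhid], n))


def flow_hash(src, dst):
    """Assumed stand-in for the kernel's hash over (src, dst), reduced
    modulo the number of vhids so that it selects one 1-based vhid."""
    data = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest[:4], "big") % NUM_VHIDS + 1


def who_processes(src, dst, alive=None):
    """Every node receives the frame via the multicast MAC; each compares
    the hash result with the vhids it is master for, and exactly one of
    them (the master for that vhid) processes the packet."""
    vhid = flow_hash(src, dst)
    accepting = [n for n in (alive or CARPNODES) if master_of(vhid, alive) == n]
    assert len(accepting) == 1, "exactly one node must accept a given flow"
    return accepting[0]


def self_ping_responder(box_name, box_ip, alive=None):
    """A node pinging the CARP IP from its own em0 address is dispatched
    like any other flow: the responder is the master for the hashed vhid,
    which may or may not be the pinging box itself (no loopback shortcut)."""
    responder = who_processes(box_ip, CARP_IP, alive)
    return responder, responder == box_name


def dispatch_table(sources, alive=None):
    """Map each constructed source address to the node that handles it."""
    return {src: who_processes(src, CARP_IP, alive) for src in sources}


if __name__ == "__main__":
    clients = [f"192.0.2.{i}" for i in range(1, 21)]  # constructed sample clients
    for src, node in dispatch_table(clients).items():
        print(f"{src:>12} -> {node}")
    print("box1 self-ping answered by:", self_ping_responder("box1", "10.104.72.11"))
    # Failover: with box1 gone, vhid 1 flows still land on exactly one node.
    print(dispatch_table(clients, alive=["box2", "box3", "box4"]))
```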
Re: Modern operating systems are flawed by design, including OpenBSD.
On Fri, Oct 24, 2008 at 3:32 AM, Brian <[EMAIL PROTECTED]> wrote: > --- On Thu, 10/23/08, mak maxie <[EMAIL PROTECTED]> wrote: > >> From: mak maxie <[EMAIL PROTECTED]> >> Subject: Modern operating systems are flawed by design, including OpenBSD. >> To: misc@openbsd.org >> Date: Thursday, October 23, 2008, 3:54 AM >> http://www.computerworld.com.au/index.php?id=264209080&rid=-219 >> >> Microsoft Windows is the only operating system that supports >> signed binaries. > > This is the same dude that still hasn't provided good answers to djbdns as to > what supposedly was found wrong with their dns program. Signed binaries mean nothing. They only provide meaningful ways to assert the source of the code but not its intentions. As long as the intentions are not enforceable and authenticated, signed binaries are worthless. > Here's the related thread: > > http://marc.info/?t=1219834&r=1&w=2 > > -- http://www.felipe-alfaro.org/blog/disclaimer/
OSPF6?
Hi misc, Does OpenBSD's default ospfd daemon support IPv6? I'm confused as the manual page implies that only IPv4 is supported, but /etc/passwd has a user named ospf6d. Is the manual page incorrect? Is Zebra/Quagga the only option? Thanks! -- http://www.felipe-alfaro.org/blog/disclaimer/
Re: new home box for secure data storage
On Wed, Oct 29, 2008 at 9:14 PM, Douglas A. Tutty <[EMAIL PROTECTED]> wrote: > I'll be setting up a new box for the house and I want to use OpenBSD for > it, both for its security and since it will be an older box it will run > better than with Debian. > > Roles: > > main firewall for dialup internet access. > fetchmail and sendmail to ISP smarthost > other simple stuff (have another box for insecure stuff like watching >videos, surfing the net with javascript and flash). > > > We've moved and now our main security threat is physical security. We > don't want the data on the computer (i.e. in the /home directories) to > be readable if someone steals the box. > > I'm thinking I could go two routes: > > 1. encrypt all of /home with an encrypted virtualfs file. However, > then the data is unencrypted whenever the box is powered on. Is your data that important? :) > 2. I wonder if there's a way to have per-user home directory > encryption so that the user's directory is accessed/unencrypted/mounted > (whatever the semantics) on login and recrypted/unmounted on logout. > > Have swap and /tmp encrypted too. Also, perhaps per-user $TMP > directories if go with plan 2, above. > > I think I want root to be able to mount/access the directories so that > the data can be included in a backup set (which is then piped through > openssl for encryption) on a file-by-file basis rather than just backing > up a filesystem image and risking the whole thing if that image becomes > corrupted. > > Ideas? What do others do to secure /home? I read on undeadly an idea > of putting the /home filesystem on a removable drive and putting it into > a safe but then you have to have the safe mounted securely. > > Doug. > > -- http://www.felipe-alfaro.org/blog/disclaimer/
Interactions between PF and enc0
Hi misc, I'm experiencing interaction problems between PF and the enc0 interface. I've been reading several OpenBSD manual pages about how IPSec traffic filtering is supposed to work, but so far I'm unable to get IPSec filtering working for me. I have created an IPSec/IPv6-based VPN between two sites, one in Madrid and another in ZC B::2: C::1 > D::1: icmp6: echo request (len 16, hlim 63) (len 56, hlim 64) # Tunneled ICMPv6 Echo request from C::1 to D::1 (from A::2 to B::2). 14:15:19.769682 (authentic,confidential): SPI 0xef18f14a: esp A::2 > B::2 spi 0x27151066 seq 30 len 100 (len 100, hlim 64) # ESP - encapsulated ICMPv6 Echo Request from C::1 to D::1. 14:15:19.913539 (authentic,confidential): SPI 0xcefeac0c: truncated-ip6 - 48 bytes missing!esp B::2 > A::2 spi 0xF2FC992F seq 30 len 148 (len 148, hlim 63) # ESP - encapsulated ICMPv6 Echo Reply from D::1 to C::1. 14:15:19.913620 (authentic,confidential): SPI 0xf2fc992f: truncated-ip6 - 92 bytes missing!B::2 > A: D::1 > C::1: icmp6: echo reply (len 16, hlim 63) (len 148, hlim 63) # Tunneled ICMPv6 Echo Reply from D::1 to C::1 (from B::2 to A::2). The second thing that strikes me is the "XX bytes missing" that tcpdump is reporting. Is this normal? Take into account that the snaplen that I used when running tcpdump is larger than the MTU of enc0. Everything else looks fine to me. The third thing that confuses me completely is that pftop does not display any hits on both PF rules. So does pfctl: # pfctl -s rules -v pass in on enc0 all no state [ Evaluations: 141 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 26751 ] pass out on enc0 all no state [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 26751 ] Do you have any idea what's going on? Thanks in advance. -- http://www.felipe-alfaro.org/blog/disclaimer/
Re: OpenBSD 4.4 released, Nov 1. Enjoy!
On Sat, Nov 1, 2008 at 11:31 AM, Lars Noodén <[EMAIL PROTECTED]> wrote: > A very heartfelt thank you, to you and the rest of the developers. > Congratulations, again. Yes! I love OpenBSD and I'm sure OpenBSD 4.4 will be an awesome release.
fatal in rtadvd: getpwnam
Hi there, After upgrading to OpenBSD 4.4, rtadvd now fails to come up: # rtadvd -d -s carp0 RA timer on carp0 is set to 16:0 fatal in rtadvd: getpwnam # cat /etc/rtadvd.conf carp0:\ :addr="2001::::":prefixlen#64:nolladdr: Any ideas? Thanks! -- http://www.felipe-alfaro.org/blog/disclaimer/
Source address algorithm
Hi misc, How does the OpenBSD source address selection algorithm work? Is there a way to override the source address? I have two interfaces on my box: tun0 and vr0. tun0 uses A::2/64 as its IPv6 address. vr0 uses B::2/48 as its IPv6 address. The default route ::/0 is on the tun0 interface. Hence, when sending IPv6 packets, the source address is the one from tun0 (A::2/64). Is there a way to override the source address for _all_ traffic (i.e. not having to bind services to a specific IP) to be B::2/48 instead? Thanks! -- http://www.felipe-alfaro.org/blog/disclaimer/
Re: VPN Ipsec
On Thu, Nov 6, 2008 at 9:39 AM, Louis Opter <[EMAIL PROTECTED]> wrote: > Hello, > > I am trying to set up an ipsec vpn between two networks. But, I can't > figure out why it doesn't work. > > I get some errors like (here on the "malenfant gate", see network map > below) : > Plcy 30 keynote_cert_obtain: failed to open > "/etc/isakmpd/keynote//192.168.1.159/credentials" > Default rsa_sig_decode_hash: no public key found > Default dropped message from $dugny_addr port 4500 due to notification > type INVALID_ID_INFORMATION These messages typically mean that the identifiers used by the peers do not match. Try adding "srcid foo" and "dstid bar" on your ike esp tunnel lines: - on nemoto : st_cyr_net="192.168.2.0/24" dugny_net="192.168.3.0/24" st_cyr_addr="xx.xx.xx.xx" ike esp tunnel from $dugny_net to $st_cyr_net peer $st_cyr_addr srcid nemoto dstid malenfant - on malenfant : st_cyr_net="192.168.2.0/24" dugny_net="192.168.3.0/24" dugny_addr="yy.yy.yy.yy" ike esp tunnel from $st_cyr_net to $dugny_net peer $dugny_addr srcid malenfant dstid nemoto Also, if your machine is multi-homed, you will probably want to specify "local" to remove any ambiguity with respect to the source IP address that will be used in the outer (encapsulating) IP datagram. > I don't understand why I have messages about keynote, because isakmpd is > launched with the -K flag (and why 192.168.1.159 instead of > $dugny_addr ?). > > And, I don't understand why it doesn't find the public key. 
I have > correctly copied for each gate /etc/isakmpd/local.pub to the other gate > at /etc/isakmpd/pubkeys/ipv4/gate_ip > > > Here is my network map : > > { st_cyr_net : 192.168.2.0/24 } >| > xl1 : 192.168.2.1 > [gate "malenfant"] Openbsd 4.4-current (as of 10/18) on the > "livebox"'s DMZ > xl0 : 192.168.1.183 >| > 192.168.1.1 > [adsl router/modem "livebox"] > $st_cyr_addr >" >" > @@@ > @@@ Internet > @@@ >" >" > $dugny_addr > [adsl router/modem "livebox"] > 192.168.1.1 >| > xl0 : 192.168.1.159 > [gate "nemoto"] Openbsd 4.4-release on the "livebox"'s DMZ > xl1 : 192.168.3.1 >| > { dugny_net : 192.168.3.0/24 } > > By DMZ I mean that all ports for tcp and udp are redirected to the gate. > > I don't see why the liveboxes can be the problem, they redirect all the > traffic. How can NAT on the liveboxes cause trouble? > > Because the two gates run a different version of OpenBSD ? > I don't think so, however malenfant will be upgraded to 4.4-release > tomorrow evening. > > My ipsec.confs : > - on nemoto : > st_cyr_net="192.168.2.0/24" > dugny_net="192.168.3.0/24" > st_cyr_addr="xx.xx.xx.xx" > ike esp tunnel from $dugny_net to $st_cyr_net peer $st_cyr_addr > - on malenfant : > st_cyr_net="192.168.2.0/24" > dugny_net="192.168.3.0/24" > dugny_addr="yy.yy.yy.yy" > ike esp tunnel from $st_cyr_net to $dugny_net peer $dugny_addr > > pf is correctly (I hope) configured on both gates with (here is a > snippet from malenfant's pf.conf) : > set skip on { lo enc0 } > block in > pass out > pass in on $ext_if proto { tcp udp } \ > from $dugny_addr to ($ext_if) port ipsec-nat-t > pass in on $ext_if proto udp to ($ext_if) port isakmp > > My two enc0 interfaces are up. > > If you find my mistake(s), have ideas, or need more information please > tell me. Full configuration files and isakmpd log are available at : > http://www.kalessin.fr/stuff/openbsd_ipsec.tar.gz > > Best Regards, Louis Opter. > > -- http://www.felipe-alfaro.org/blog/disclaimer/
Re: 4-port firewall device
On Fri, Nov 7, 2008 at 10:22 PM, marrandy <[EMAIL PROTECTED]> wrote: > Hello. > > Been a bit out IT the last year or so. > > My last firewall projects used LE-564 embedded. > > http://www.commell.com.tw/product/sbc/le-564.htm > > What are people using now ? I'm using PC Engines GmbH PC ALIX boxes running, of course, OpenBSD 4.4. They use AMD Geode processors, with 256MB of RAM, 3 Ethernet NICs, 1 Wireless NIC, 2 USB ports and 4GB of CF storage. Pretty neat boxes, very small and extremely silent (no moving parts). > > Regards...Martin > > -- http://www.felipe-alfaro.org/blog/disclaimer/
quagga-0.99.11
Hi misc, Are there any plans on bumping net/quagga to 0.99.11? I tried to compile it myself, from the vanilla sources while applying the following two patches: patch-configure patch-zebra_kernel_socket_c But the resulting zebra daemon always fails with an "Abort trap" message. I've seen people reporting this for quagga-0.99.9 and they claimed that the patch-zebra_kernel_socket_c patch fixes the problem but apparently it does not work for quagga-0.99.11. Any ideas? Thanks in advance. -- http://www.felipe-alfaro.org/blog/disclaimer/
Re: quagga-0.99.11
On Mon, Nov 10, 2008 at 11:09 AM, Gregory Edigarov <[EMAIL PROTECTED]> wrote: > Felipe Alfaro Solana wrote: >> >> Are there any plans on bumping net/quagga to 0.99.11? I tried to >> compile it myself, from the vanilla sources while applying the >> following two patches: >> > > Are you sure you still want to run that piece of shit(quagga)? > There is much much better realization of routing protocols readily available > to you in the base system. Well, you can quagga what you want but the base system does not (yet) have support for OSPFv3 (IPv6). What do you propose? :) -- http://www.felipe-alfaro.org/blog/disclaimer/
Re: quagga-0.99.11
On Mon, Nov 10, 2008 at 1:21 PM, Stuart Henderson <[EMAIL PROTECTED]> wrote: > ** Please honour reply-to: ports@ ** > > On 2008-11-10, Gregory Edigarov <[EMAIL PROTECTED]> wrote: >> Felipe Alfaro Solana wrote: >>> Are there any plans on bumping net/quagga to 0.99.11? I tried to >>> compile it myself, from the vanilla sources while applying the >>> following two patches: >>> >> Are you sure you still want to run that piece of shit(quagga)? >> There is much much better realization of routing protocols readily >> available to you in the base system. >> > > quagga does some things you can't do with base OS, and it's > useful to have a second implementation in ports to test against. > > the quagga we have now definitely needs an update, a lot changed > since 0.99.6. > > felipe, please send *dmesg output* (why do we have to ask for > this every time!) and details of your config and what you're > running. ifconfig -A might help too. which daemon is it that > has the fault? check the logs (use verbose logging), do you > get any log output before it dies first? BTW, if anybody is interested, I have a patch to bring quagga up to 0.99.11. Not very well tested so far (only lightly). -- http://www.felipe-alfaro.org/blog/disclaimer/
Re: quagga-0.99.11
On Mon, Nov 10, 2008 at 1:21 PM, Stuart Henderson <[EMAIL PROTECTED]> wrote: > ** Please honour reply-to: ports@ ** > > On 2008-11-10, Gregory Edigarov <[EMAIL PROTECTED]> wrote: >> Felipe Alfaro Solana wrote: >>> Are there any plans on bumping net/quagga to 0.99.11? I tried to >>> compile it myself, from the vanilla sources while applying the >>> following two patches: >>> >> Are you sure you still want to run that piece of shit(quagga)? >> There is much much better realization of routing protocols readily >> available to you in the base system. >> > > quagga does some things you can't do with base OS, and it's > useful to have a second implementation in ports to test against. > > the quagga we have now definitely needs an update, a lot changed > since 0.99.6. > > felipe, please send *dmesg output* (why do we have to ask for > this every time!) and details of your config and what you're > running. ifconfig -A might help too. which daemon is it that > has the fault? check the logs (use verbose logging), do you > get any log output before it dies first? I fixed it already. I had the two listed patches but, for some reason, the ports package failed to get rebuilt so I was installing 0.99.11 without the two patches. -- http://www.felipe-alfaro.org/blog/disclaimer/
Re: quagga-0.99.11
On Mon, Nov 10, 2008 at 2:30 PM, Stuart Henderson <[EMAIL PROTECTED]> wrote: > On 2008/11/10 14:13, Felipe Alfaro Solana wrote: >> I fixed it already. I had the two listed patches for, but some reason, >> the ports package failed to get rebuilt so I was installing 0.99.11 >> without the two patches. > > ah, ok - thanks.. > > here is a diff to update the port, but it doesn't fix FLAVOR=snmp > (which is currently broken). Can you resend as an attachment? I think there are some tabs in the patch that are expanded into blanks. Hence, if I try to apply this patch it fails. For example, it fails for Makefile. Thanks! > > Index: Makefile > === > RCS file: /cvs/ports/net/quagga/Makefile,v > retrieving revision 1.11 > diff -u -p -r1.11 Makefile > --- Makefile23 May 2008 12:55:58 - 1.11 > +++ Makefile10 Nov 2008 13:29:10 - > @@ -2,8 +2,7 @@ > > COMMENT= multi-threaded routing daemon > > -DISTNAME= quagga-0.99.9 > -PKGNAME= ${DISTNAME}p0 > +DISTNAME= quagga-0.99.11 > SHARED_LIBS=ospf 0.0 \ > zebra 0.0 > CATEGORIES=net > Index: distinfo > === > RCS file: /cvs/ports/net/quagga/distinfo,v > retrieving revision 1.5 > diff -u -p -r1.5 distinfo > --- distinfo12 Sep 2007 20:31:17 - 1.5 > +++ distinfo10 Nov 2008 13:29:10 - 
> @@ -1,5 +1,5 @@ > -MD5 (quagga-0.99.9.tar.gz) = Tb2vkb9mCYA4Gdl9X8zEyQ== > -RMD160 (quagga-0.99.9.tar.gz) = x61o0Mco0TwZF+xyeqET4+xgco8= > -SHA1 (quagga-0.99.9.tar.gz) = uyj/3lhaPHV9iD/XXcwdXzoa/nA= > -SHA256 (quagga-0.99.9.tar.gz) = kqv0TFI5yKGHYs8nyv0DtG1YHxgLxBFwYxS4uNHpTbA= > -SIZE (quagga-0.99.9.tar.gz) = 2341067 > +MD5 (quagga-0.99.11.tar.gz) = kD5Ax0RzCtTWK+6HLuuBOw== > +RMD160 (quagga-0.99.11.tar.gz) = ZUEHN4lVwkxQcwxMnnVEoWO8M7g= > +SHA1 (quagga-0.99.11.tar.gz) = ZUKqtrVYy4isCAbM4Qszvg8Ayic= > +SHA256 (quagga-0.99.11.tar.gz) = qDo1fW3iPXBiNgypMTcdLWXA4aK6EcV8ejXG42tHpkY= > +SIZE (quagga-0.99.11.tar.gz) = 2192249 > Index: patches/patch-bgpd_bgp_snmp_c > === > RCS file: patches/patch-bgpd_bgp_snmp_c > diff -N patches/patch-bgpd_bgp_snmp_c > --- patches/patch-bgpd_bgp_snmp_c 12 Sep 2007 20:31:18 - 1.3 > +++ /dev/null 1 Jan 1970 00:00:00 - > @@ -1,17 +0,0 @@ > -$OpenBSD: patch-bgpd_bgp_snmp_c,v 1.3 2007/09/12 20:31:18 rui Exp $ > bgpd/bgp_snmp.c.orig Fri May 4 19:50:58 2007 > -+++ bgpd/bgp_snmp.cTue Sep 11 16:52:20 2007 > -@@ -21,12 +21,8 @@ Software Foundation, Inc., 59 Temple Place - Suite 330 > - #include > - > - #ifdef HAVE_SNMP > --#ifdef HAVE_NETSNMP > - #include > --#endif > --#include > --#include > --#include > -+#include > - > - #include "if.h" > - #include "log.h" > Index: patches/patch-configure > === > RCS file: /cvs/ports/net/quagga/patches/patch-configure,v > retrieving revision 1.4 > diff -u -p -r1.4 patch-configure > --- patches/patch-configure 12 Sep 2007 20:31:18 - 1.4 > +++ patches/patch-configure 10 Nov 2008 13:29:10 - 
> @@ -1,7 +1,7 @@ > $OpenBSD: patch-configure,v 1.4 2007/09/12 20:31:18 rui Exp $ > configure.orig Fri Sep 7 17:54:55 2007 > -+++ configure Tue Sep 11 16:52:20 2007 > -@@ -21131,6 +21131,15 @@ cat confdefs.h >>conftest.$ac_ext > +--- configure.orig Thu Oct 2 09:31:36 2008 > configure Mon Nov 10 09:14:15 2008 > +@@ -21359,6 +21359,15 @@ cat confdefs.h >>conftest.$ac_ext > cat >>conftest.$ac_ext <<_ACEOF > /* end confdefs.h. */ > $ac_includes_default > @@ -17,7 +17,7 @@ $OpenBSD: patch-configure,v 1.4 2007/09/ > #include <$ac_header> > _ACEOF > rm -f conftest.$ac_objext > -@@ -24842,6 +24851,18 @@ cat confdefs.h >>conftest.$ac_ext > +@@ -25070,6 +25079,18 @@ cat confdefs.h >>conftest.$ac_ext > cat >>conftest.$ac_ext <<_ACEOF > /* end confdefs.h. */ > $ac_includes_default > @@ -36,7 +36,7 @@ $OpenBSD: patch-configure,v 1.4 2007/09/ > #include <$ac_header> > _ACEOF > rm -f conftest.$ac_objext > -@@ -35776,10 +35797,3 @@ log file mask : ${enable_logfile_mask} > +@@ -37195,10 +37216,3 @@ log file mask : ${enable_logfile_mask} > > The above user and group must have read/write access to the state file > directory and to the config files in the config file directory." > Index: patches/patch-doc_Makefile_in > === &
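Review bot: in the Makefile hunk, dropping `PKGNAME= ${DISTNAME}p0` together with the DISTNAME bump to quagga-0.99.11 is the right call, since the pN package revision starts over on a new upstream version; the SHARED_LIBS lines are untouched, so please confirm in the commit message that the ospf and zebra library ABIs did not change between 0.99.9 and 0.99.11, otherwise those minor numbers need a bump as well.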
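Review bot: the patches/patch-bgpd_bgp_snmp_c hunk deletes the only patch that touched the `#ifdef HAVE_NETSNMP` include block in bgpd/bgp_snmp.c, while the covering message says FLAVOR=snmp is still broken; either note in the commit message why 0.99.11 no longer needs that include fix, or keep the patch (re-rolled) until the snmp flavor builds again, so the removal is not mistaken for the cause of the breakage.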
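Review bot: the patches/patch-configure hunk only rebases the three hunk headers (21131 to 21359, 24842 to 25070, 35776 to 37195) and the `.orig` timestamps, with the inserted lines themselves unchanged, so it is fine as-is; but as the previous reply notes, tabs in the Makefile hunk were expanded to blanks in transit and the diff does not apply, so resend the whole diff as an attachment rather than inline.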
quagga ospf6d crashes on interface change
Hi misc, Do you have experience running quagga's ospf6d in OpenBSD? I've been using it for a while in combination with AICCU (AYIYA tunnel to tunnel IPv6 over IPv4 using a tun0 tunnel) but ospf6d crashes whenever the tun0 tunnel interface goes up and down. Have you seen this before? Thanks. -- http://www.felipe-alfaro.org/blog/disclaimer/
Re: Can't SSH into CARP'd system from the outside
On Wed, Nov 12, 2008 at 12:53 AM, Vivek Ayer <[EMAIL PROTECTED]> wrote: > Here's my current configuration for my entire network. Two routers > working as one using IP balancing and two web servers on the inside > working as one using IP balancing. I'm still getting issues as to > reaching the web servers from the outside. I just feel like it's > gotten too complicated CARPing the systems. The server could be > reached from the outside previously when I only had one router and > server. The router uses carpnodes 1,2,3 and 4 while the web server > used 5 and 6 if that makes any difference at all. Can you reach the system at the non-CARP address? It seems to me that what might be happening is that you are sending SSH traffic to the CARP interface but since you are NAT-ting, the reply packets have the source address of the Ethernet interface (ext_if) and not the CARP interface. This will confuse your SSH client. > > Here's my router pf.conf: > # $OpenBSD: pf.conf,v 1.35 2008/02/29 17:04:55 reyk Exp $ > # > # See pf.conf(5) and /usr/share/pf for syntax and examples. > # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1 > # in /etc/sysctl.conf if packets are to be forwarded between interfaces. 
> > # macros > ext_if = "re0" # External Interface (169.229.158.0/24) > int_if = "xl0" # Internal Interface (192.168.1.0/24) > localnet = $int_if:network > webserver = "192.168.1.50" # Redundant Sun Servers > nameserver = "192.168.1.101" # Dell L400 Celeron > webports = "{ http , https }" > domainport = "{ domain }" > tcp_services = "{ ssh }" > icmp_types = "echoreq" > carpdevs = "{ carp0 , carp1 }" > syncdev = "{ re1 }" > ssh_allowed = "192.168.1.100" > carp_mcast = "224.0.0.18" > > # extra tweaks > set skip on lo > set block-policy return > set loginterface $ext_if > scrub in all > > # nat/rdr > nat on $ext_if from $localnet to any -> ($ext_if) > nat on $int_if proto tcp from $localnet to $webserver port $webports -> > $int_if > no nat on $int_if proto tcp from $int_if to $localnet > rdr on $ext_if proto tcp from any to any port $webports -> $webserver > rdr on $int_if proto tcp from $localnet to $ext_if port $webports -> > $webserver > rdr on $ext_if proto tcp from any to any port $domainport -> $nameserver > rdr on $int_if proto tcp from $localnet to $ext_if port $domainport -> > $nameserver > rdr on $ext_if proto udp from any to any port $domainport -> $nameserver > rdr on $int_if proto udp from $localnet to $ext_if port $domainport -> > $nameserver > > # pass rules > # block in # Default Deny > pass out keep state > pass in inet proto icmp all icmp-type $icmp_types keep state # Let Ping In > pass in quick on $int_if > pass in on $ext_if inet proto tcp from any to ($ext_if) \ > port $tcp_services flags S/SA keep state # Allow SSH Access from Outside > pass in on $ext_if inet proto tcp from any to $webserver port $webports \ > flags S/SA synproxy state > pass in on $ext_if inet proto udp from any to $nameserver port $domainport > pass in on $ext_if inet proto tcp from any to $nameserver port $domainport \ > flags S/SA synproxy state > > # CARP/pfsync pass rules > pass on $carpdevs proto carp keep state > pass quick on $ext_if proto carp \ > from $ext_if:network 
to $carp_mcast keep state > pass on $syncdev proto pfsync > pass in on $carpdevs inet proto tcp from any to ($ext_if) \ > port $tcp_services flags S/SA keep state # Allow SSH Access from Outside > pass in on $carpdevs inet proto tcp from any to $webserver port $webports \ > flags S/SA synproxy state > pass in on $carpdevs inet proto udp from any to $nameserver port $domainport > pass in on $carpdevs inet proto tcp from any to $nameserver port $domainport \ > flags S/SA synproxy state > > pass in on $int_if from $ssh_allowed to self keep state (no-sync) > antispoof quick for { lo $int_if } > > > And here'e my web server pf.conf: > > # $OpenBSD: pf.conf,v 1.35 2008/02/29 17:04:55 reyk Exp $ > # > # See pf.conf(5) and /usr/share/pf for syntax and examples. > # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1 > # in /etc/sysctl.conf if packets are to be forwarded between interfaces. > > # macros > ext_if="gem0" # External Interface (192.168.1.0/24) > tcp_services = "{ ssh, www, https }" > udp_services = "{ 123 }" > icmp_types = "echoreq" > carpdev = "{ carp0 }" > syncdev = "{ re0 }" > carp_mcast = "224.0.0.18" > > # extra tweaks > set skip on lo > set skip on gem0 > set block-policy return > set loginterface $ext_if > scrub in all > > # pass rules > # block in > # pass out proto tcp to any port $tcp_services > # pass proto udp to any port $udp_services > # pass in inet proto icmp all icmp-type $icmp_types keep state > > # CARP/pfsync pass rules > pass on $carpdev proto carp keep state > pass quick on $ext_if proto carp \ > from $ext_if:network to $carp_mcast keep state > pass on $syncdev proto pfsync > > antispoof quick for { lo } > > Help appreciated! > Vivek > > On Mon, Oct 20, 2008
OpenBSD 4.4 panics when using AICCU
Hi misc, Are any of you using AICCU on OpenBSD 4.4 patched to 005? Have you experienced panics? Since I upgraded to OpenBSD 4.4, whenever I take AICCU down, then up, after a while the system panics. I can reproduce this reliably, although the timing is not always the same: sometimes the system panics in a few seconds, sometimes it takes longer. Have you experienced this? Thanks in advance. PS: I have crash dumps for each panic. -- http://www.felipe-alfaro.org/blog/disclaimer/
Re: OpenBSD 4.4 panics when using AICCU
On Fri, Nov 14, 2008 at 12:00 AM, Felipe Alfaro Solana <[EMAIL PROTECTED]> wrote: > Hi misc, > > Are any of you using AICCU on OpenBSD 4.4 patched to 005? Have you > experienced panics? Since I upgraded to OpenBSD 4.4, whenever I take > AICCU down, then up, after a while the system panics. I can reproduce > this reliably, although the timing is not always the same: sometimes > the system panics in a few seconds, sometimes it takes longer. > > Have you experienced this? I've been trying to chase down what is causing the panic. Apparently, it's related to IPSec/IPv6: when I reboot the system with no IPSec/IPv6 tunnels enabled (no sasync, no isakmpd) the system doesn't panic when I take aiccu down and then up. The system panics here: uvm_fault(0xd623f758, 0x0, 0, 1) -> e kernel: page fault trap, code=0 Stopped at in6_selecthlim+0x29:movzbl 0x1c(%eax),%eax > > Thanks in advance. > > PS: I have crash dumps for each panic. > > -- > http://www.felipe-alfaro.org/blog/disclaimer/ > -- http://www.felipe-alfaro.org/blog/disclaimer/
Re: OpenBSD 4.4 panics when using AICCU
On Fri, Nov 14, 2008 at 12:58 AM, Felipe Alfaro Solana <[EMAIL PROTECTED]> wrote: > On Fri, Nov 14, 2008 at 12:00 AM, Felipe Alfaro Solana > <[EMAIL PROTECTED]> wrote: >> Hi misc, >> >> Are any of you using AICCU on OpenBSD 4.4 patched to 005? Have you >> experienced panics? Since I upgraded to OpenBSD 4.4, whenever I take >> AICCU down, then up, after a while the system panics. I can reproduce >> this reliably, although the timing is not always the same: sometimes >> the system panics in a few seconds, sometimes it takes longer. >> >> Have you experienced this? > > I've been trying to chase down what is causing the panic. Apparently, > it's related to IPSec/IPv6: when I reboot the system with no > IPSec/IPv6 tunnels enabled (no sasync, no isakmpd) the system doesn't > panic when I take aiccu down and then up. > > The system panics here: > > uvm_fault(0xd623f758, 0x0, 0, 1) -> e > kernel: page fault trap, code=0 > Stopped at in6_selecthlim+0x29:movzbl 0x1c(%eax),%eax Looks to me like the IPSec/IPv6 code is holding a reference to an in6pcb structure (that represents or is associated with the aiccu tun0 interface) that gets destroyed when I take aiccu down. When I start aiccu again, in6_selecthlim ends up being called with an old reference to the tun0 interface that does not exist anymore (was freed) and that causes the trap. >> >> Thanks in advance. >> >> PS: I have crash dumps for each panic. >> >> -- >> http://www.felipe-alfaro.org/blog/disclaimer/ >> > > > > -- > http://www.felipe-alfaro.org/blog/disclaimer/ > -- http://www.felipe-alfaro.org/blog/disclaimer/
Re: OpenBSD 4.4 panics when using AICCU
On Fri, Nov 14, 2008 at 12:58 AM, Felipe Alfaro Solana <[EMAIL PROTECTED]> wrote: > On Fri, Nov 14, 2008 at 12:00 AM, Felipe Alfaro Solana > <[EMAIL PROTECTED]> wrote: >> Hi misc, >> >> Are any of you using AICCU on OpenBSD 4.4 patched to 005? Have you >> experienced panics? Since I upgraded to OpenBSD 4.4, whenever I take >> AICCU down, then up, after a while the system panics. I can reproduce >> this reliably, although the timing is not always the same: sometimes >> the system panics in a few seconds, sometimes it takes longer. >> >> Have you experienced this? > > I've been trying to chase down what is causing the panic. Apparently, > it's related to IPSec/IPv6: when I reboot the system with no > IPSec/IPv6 tunnels enabled (no sasync, no isakmpd) the system doesn't > panic when I take aiccu down and then up. > > The system panics here: > > uvm_fault(0xd623f758, 0x0, 0, 1) -> e > kernel: page fault trap, code=0 > Stopped at in6_selecthlim+0x29:movzbl 0x1c(%eax),%eax Another datapoint: When bringing aiccu down, the kernel logs the following message: in6_purgeaddr: failed to remove a route to the p2p destination: 2001::::2 on tun0, errno=3. This looks very suspicious to me, and wrong, by the way, since the tun0 interface is using 2001::::2 as the local IPv6 address, while 2001::::1 is the remote end point. Hence, there is no route in the routing table that is bound to tun0 and has 2001::::2 as the destination (there is one but it is bound to lo0). It leads me to think that some data structures are not properly freed/reference counted, which eventually leads to the panic. Any ideas? > >> >> Thanks in advance. >> >> PS: I have crash dumps for each panic. >> >> -- >> http://www.felipe-alfaro.org/blog/disclaimer/ >> > > > > -- > http://www.felipe-alfaro.org/blog/disclaimer/ > -- http://www.felipe-alfaro.org/blog/disclaimer/
Re: OpenBSD and XenSource
On Wed, Dec 3, 2008 at 4:45 AM, Dongsheng Song <[EMAIL PROTECTED]> wrote:
> Yes, I'm running OpenBSD amd64 in a Debian 5.0 (lenny) kvm box for OpenBSD Translation Status[1] for at least one month, it's fine!

For me, OpenBSD 4.4 on KVM/HVM in 32-bit mode is painful: I keep getting a watchdog message from the OpenBSD kernel related to the NIC that causes any ongoing TCP transfer to halt for a few seconds. Have you seen this?

> [1] http://repo.e2echina.com/status/
>
> ---
> Dongsheng Song
>
> 2008/12/3 Vinicius Vianna <[EMAIL PROTECTED]>:
>> tico wrote:
>>> Stephan A. Rickauer wrote:
>>>> Those of you interested in running OpenBSD as a Xen guest in XenEnterprise might want to use this opportunity to raise their voice: http://forums.citrix.com/thread.jspa?threadID=151525
>>>
>>> Stephan, thanks for the notice -- I just posted my $0.02 on that board as well. If you manage to make any progress in your efforts (or anyone else's) to run OpenBSD under Xen with any amount of usefulness, I'd be interested to hear about it. Feel free to contact me off-list.
>>>
>>> Cheers!
>>> -Tico
>>
>> Don't know if it fits your project, but have you tried KVM? I read at least that Ubuntu is moving to it since some issues with licenses and code with Xen, don't know in depth what it was.
>> I have some OpenBSDs installed in KVM with no issues using the e1000 emulated nic (em0 in OpenBSD) for some network test setups.
>>
>> HTH,
>> DS

--
http://www.felipe-alfaro.org/blog/disclaimer/
Re: Why I Love Open Source - NSA helped with Windows 7 development
On Fri, Nov 20, 2009 at 12:43 AM, Obiozor Okeke wrote:
> From Network World:
>
> NSA helped with Windows 7 development
> Privacy expert voices 'backdoor' concerns, security researchers dismiss idea
> By Gregg Keizer, Computerworld, 11/18/2009

Why would NSA need backdoors when they have a front-door via DHS, national security and things like that?

> This story appeared on Network World at
> http://www.networkworld.com/news/2009/111809-nsa-helped-with-windows-7.html
>
> http://www.stumbleupon.com/s/#1uLpIW/www.networkworld.com/news/2009/111809-nsa-helped-with-windows-7.html?source=NWWNLE_nlt_daily_am_2009-11-19/

--
http://www.felipe-alfaro.org/blog/disclaimer/
Re: Why I Love Open Source - NSA helped with Windows 7 development
On Fri, Nov 20, 2009 at 9:19 AM, patrick keshishian wrote:
> On Thu, Nov 19, 2009 at 11:40 PM, Felipe Alfaro Solana wrote:
>> On Fri, Nov 20, 2009 at 12:43 AM, Obiozor Okeke wrote:
>>> From Network World:
>>>
>>> NSA helped with Windows 7 development
>>> Privacy expert voices 'backdoor' concerns, security researchers dismiss idea
>>> By Gregg Keizer, Computerworld, 11/18/2009
>>
>> Why would NSA need backdoors when they have a front-door via DHS, national security and things like that?
>
> Same reason there exist unconstitutional congressional acts/bills that allow for secret torture prisons, detention of persons without due process, complete bypassing of fourth and sixth amendments, voiding of the Posse Comitatus Act, etc. etc. ... naive voters like you are the reason we are in this shithole right now.

I'm neither a US citizen nor a greencard holder, so I'm not a voter in the US (I can still be naive, and a naive voter in another country, though).
Re: Hardware versus Software RAID
On Sat, Nov 21, 2009 at 12:06 AM, Mauro Rezzonico wrote:
> Darrin Chandler wrote:
>> If you're doing RAID for redundancy/safety then there are some things to consider:
>
> No. I am considering RAID, RAID1 in this case, mainly for *UPTIME*...
>
>> * with RAID, you should still do backups
>
> I do my backups very well, thanks...
>
> Point here is that I am not considering raid as an alternative to backup, but as a way to keep the system up...
>
> Please correct me if I am wrong, but when your drive fails you have *TWO* problems:
>
> 1) you have to restore from your (well kept, well done, well designed and well verified) backups (a big *IF*, if I can say);
>
> 2) the system is down until you restore everything;
>
> So, either you have the luxury (or the need) of a hot spare machine... Or a raid solution can /help/ you recover more quickly... or not?
>
> Please note that although raid and/or backups and how they are configured in respect to each other and how they are deployed is a *very* fascinating topic (and I am *very* interested in hearing everybody's ideas, opinions, experiences on this), actually this is an off topic debate... Because my original question was indeed very narrow: "Hardware or Software?"

Software. If you go hardware you will get married to your hardware vendor, which is typically costly and requires you to have +X spares for the controller. Software is hardware independent (you only depend on the OS). With hardware RAID you depend on the hardware (to run the RAID) and the OS (to use the filesystem or volumes on top of the RAID).

> I think we all got sucked into a very serious/complex/fascinating/interesting/whatever issue, that of how to make your system more reliable, in these difficult days of complex network architectures...
>
> But this is just a "can of worms"... I wouldn't dare to mail such a question to the list...
> You see:
> - what if you have raid level whatever everywhere?
> - what if you can implement hot spare machines?
> - what if your valuable data is mainly in an RDBMS?
> - what if your disks are cheap and your cpus are expensive?
> - what if your disks are expensive and your cpus are cheap?
> - what if you are using VMs?
> - what if you just use ZFS everywhere (sorry I couldn't resist)?
> - what if you are on the "cloud" (sorry I couldn't resist)?
>
> I appreciate your post, don't get me wrong, the problem of making a network infrastructure rock solid and totally reliable is probably the secret dream of every respectable net administrator...
> But I think we must chop the problem in swallow-able pieces...
>
> --
> Mauro Rezzonico, Como, Italia
> "Maybe this world is another planet's hell" - H.Huxley

--
http://www.felipe-alfaro.org/blog/disclaimer/
Re: Security via the NSA?
On Sat, Nov 21, 2009 at 8:29 PM, Doug Milam wrote:
> Will OpenBSD be the next to be 'helped'?
>
> http://www.npr.org/blogs/thetwo-way/2009/11/nsa_microsoft_windows_7.html
>
> NSA also helped Linux with SElinux.

As long as OpenBSD remains open source, I don't see the problem.
Re: Security via the NSA?
On Sat, Nov 21, 2009 at 11:32 PM, AG wrote:
> Felipe Alfaro Solana wrote:
>> On Sat, Nov 21, 2009 at 8:29 PM, Doug Milam wrote:
>>> Will OpenBSD be the next to be 'helped'?
>>>
>>> http://www.npr.org/blogs/thetwo-way/2009/11/nsa_microsoft_windows_7.html
>>>
>>> NSA also helped Linux with SElinux.
>>
>> As long as OpenBSD remains open source, I don't see the problem.
>
> Depends on whether one trusts the NSA or not.

This is about trusting OpenBSD and its developers (which I personally do), not the NSA. OpenBSD developers do code reviews and audits of all code that is to be committed (except perhaps the ports tree), so what's the problem here? Again, I don't see the problem.
Re: How to PF
On Mon, Nov 16, 2009 at 12:50 AM, phil wrote:
> Hi All
>
> I know that it is a stupid question, but where can I find a doc about pf and 4.6?

http://www.openbsd.org/faq/pf/index.html ? (I got that just by Googling)