Re: FreeBSD daemon(8)-like command for OpenBSD
Irresponsible people like myself have been known to put cron jobs in place to look for, and if necessary restart, crashy daemons. This could be referred to as a kludge, though many would argue that is too mild an aspersion to cast upon it.

PID=`pgrep gloob`
if [ -z "$PID" ]
then
    /usr/local/bin/gloob -f poor_security_a_bad_idea_to_run.conf
fi

Dag H. Richards - Distinguished Dunning-Kruger Fellow 2020
as seen on unixadminsgonewild.com

On Mon, 27 Jan 2020 22:41:00 +0100, Ingo Schwarze wrote:

Hi Patrick,

Patrick Kristiansen wrote on Mon, Jan 27, 2020 at 08:13:28PM +0100:

> Is there something like the FreeBSD daemon(8) command for OpenBSD,
> which can run a process in the background and restart it if it
> crashes?

Absolutely not, we are strongly convinced this is an utterly stupid idea and a serious security risk.

If a daemon crashes, it has a bug. Many bugs that cause crashes are also exploitable. So if a daemon crashes, you first have to understand why it crashed, fix or at least mitigate the bug, and can only restart it afterwards. Restarting it automatically is an irresponsible thing to do.

If a daemon keeps crashing so frequently that you can only run it in production with automatic restarts, then running it at all is irresponsible in the first place.

Yours,
  Ingo
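An added example, not from any of the posters above: the same cron-driven check, but with a crash budget, so a daemon that keeps dying is left down (core file untouched) for someone to look at instead of being restarted indefinitely. The daemon name gloob, the state-file path and the window/limit values are placeholders.

```shell
#!/bin/sh
# Crash budget for a cron-driven restart check (added example, not from the
# thread). One crash gets a restart; repeated crashes inside the window leave
# the daemon down so the cause gets investigated rather than papered over.
# "gloob", the state file path and the window/limit values are placeholders.

# decide_restart STATEFILE NOW WINDOW MAX
#   Append crash time NOW (epoch seconds) to STATEFILE, drop entries older
#   than WINDOW seconds, print "restart" while at most MAX crashes are in
#   the window and "hold" once the budget is exceeded.
decide_restart() {
    state=$1 now=$2 window=$3 max=$4
    cutoff=$((now - window))
    tmp="$state.tmp"
    : > "$tmp"
    if [ -f "$state" ]; then
        while read -r ts; do
            [ "$ts" -gt "$cutoff" ] && printf '%s\n' "$ts" >> "$tmp"
        done < "$state"
    fi
    printf '%s\n' "$now" >> "$tmp"
    mv "$tmp" "$state"
    count=$(($(wc -l < "$state")))   # arithmetic strips wc's padding
    if [ "$count" -le "$max" ]; then echo restart; else echo hold; fi
}

# watch_daemon NAME STATEFILE: body of the cron job. Allows at most two
# restarts per hour; beyond that it only logs and returns non-zero.
watch_daemon() {
    name=$1 state=$2
    pgrep -x "$name" > /dev/null && return 0    # still running, nothing to do
    case $(decide_restart "$state" "$(date +%s)" 3600 2) in
    restart)
        logger -t crashwatch "$name not running; restarting"
        "/usr/local/bin/$name" -f "/etc/$name.conf"
        ;;
    hold)
        logger -t crashwatch "$name keeps crashing; NOT restarting, inspect core and logs"
        return 1
        ;;
    esac
}

# cron entry (every minute):  * * * * * /usr/local/sbin/crashwatch.sh gloob /var/run/crashwatch.gloob
[ $# -eq 2 ] && watch_daemon "$1" "$2"
```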
Is there channel bonding for network cards
Does OpenBSD support trunking, as Sun calls it, or Etherchannel, as Cisco calls it? Or aggregating separate Ethernet cards to increase bandwidth and provide redundancy, as I call it? I have seen the question asked on the list but never answered.
IPsec VPN tunnel x509 phase 2 does not start.
Having trouble bringing up a tunnel. I have followed these instructions, http://mirror.huxley.org.ar/ipsec/isakmpd.htm, and used the included script to gen my certs. This seems to complete phase 1 (see snip 1) though it never seems to move on to phase 2 (see snip 2). The licensees line gives me some pause as that is not the common name of the cert, though that is what prints in the debug. The name in the subject field on the cert is loanerxppc2.xxx.gov. Configs are included after the snips. Client is an XP box running ipsec.exe from e.bootis behind a NAT on an OpenBSD fw. This works with preshared keys through the fw.

isakmpd -dDA=50

--snip 1--
173611.209764 Exch 40 exchange_run: exchange 0x893c00 finished step 5, advancing...
173611.210067 Mesg 10 virtual_send_message: enabling NAT-T encapsulation for this exchange
173611.210410 Exch 10 exchange_finalize: 0x893c00 xpws Default-main-mode policy responder phase 1 doi 1 exchange 2 step 6
173611.210685 Exch 10 exchange_finalize: icookie 90d893da9f1f4816 rcookie 83c51437d4efd48e
173611.210921 Exch 10 exchange_finalize: msgid
173611.212348 Exch 10 exchange_finalize: phase 1 done: initiator id /C=US/ST=California/L=Martinez/O=ccchsd/OU=IS/CN=loanerxppc2..gov, responder id [EMAIL PROTECTED], src: 172.16.5.241 dst: 172.16.4.230

--snip 2--
ghri_fw:root:/etc/isakmpd #isakmpd -dD9=99
173331.863667 Default log_debug_cmd: log level changed from 0 to 99 for class 9 [priv]
173332.317663 Plcy 30 policy_init: initializing
173332.321123 Default x509_read_from_dir: PEM_read_X509 failed for ca.srl
173338.331292 Plcy 90 x509_generate_kn: generating KeyNote policy for certificate 0x88da00
173338.332119 Plcy 60 x509_generate_kn: added credential
173338.332481 Plcy 80 x509_generate_kn: added credential: Authorizer: "DN:/C=US/ST=California/L=Martinez/O=ccchsd/OU=IS/CN=555ghrifw..gov" Licensees: "DN:/C=US/ST=California/L=Martinez/O=ccchsd/OU=IS/CN=loanerxppc2.
173338.335104 Plcy 30 keynote_cert_obtain: failed to open "/etc/isakmpd/keynote//[EMAIL PROTECTED]/credentials"

ghri_fw:root:/etc/isakmpd #cat isakmpd.conf
[General]
Retransmits=5
Exchange-max-time= 120
Listen-on= 172.16.5.241

# X.509 certificate locations
[X509-certificates]
Accept-self-signed= 1
CA-directory= /etc/isakmpd/ca/
Cert-directory= /etc/isakmpd/certs/
Private-key=/etc/isakmpd/private/[EMAIL PROTECTED]

[Phase 1]
172.16.4.230= xpws

[xpws]
Phase= 1
Transport= udp
Local-address= 172.16.5.241
Address= 0.0.0.0
Configuration= Default-main-mode
ID= My-ID

[My-ID]
ID-type=USER_FQDN
# this is the certificate for this gateway
Name= [EMAIL PROTECTED]

[Phase 2]
Connections=winxp

[winxp]
Phase= 2
ISAKMP-peer=xpws
Configuration= Default-quick-mode
Local-ID= dmz
Remote-ID= Unknown-address

[loanerxp]
ID-type=IPV4_ADDR
Address=192.168.10.15

[dmz]
ID-type=IPV4_ADDR_SUBNET
Network=192.168.12.0
Netmask=255.255.255.0

[Unknown-address]
ID-Type=IPV4_ADDR
Address=0.0.0.0

[Default-quick-mode]
DOI=IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE

[Default-main-mode]
DOI=IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA-RSA_SIG

# Encryption/Authentication suite definitions
[3DES-SHA-RSA_SIG]
ENCRYPTION_ALGORITHM= 3DES_CBC
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= RSA_SIG
ENCAPSULATION_MODE= TUNNEL
AUTHENTICATION_ALGORITHM= HMAC_SHA

ghri_fw:root:/etc/isakmpd #cat isakmpd.policy
KeyNote-Version: 2
Comment: This policy accepts ESP SAs from a remote that uses the right password
         $OpenBSD: policy,v 1.6 2001/06/20 16:36:19 angelos Exp $
         $EOM: policy,v 1.6 2000/10/09 22:08:30 angelos Exp $
Authorizer: "POLICY"
Licensees: "DN:/C=US/ST=California/L=Martinez/O=ccchsd/OU=IS/CN=555ghrifw.ccchsd.gov" || "passphrase:1234" || "passphrase:0291ff014dccdd03874d9e8e4cdf3e6"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" -> "true";

# --- [EMAIL PROTECTED] ---
authorizer: "[EMAIL PROTECTED]"
licensees:"DN:"
conditions: remote_id_type =="ASN1 DN" &&
            remote_id =="" -> "true";

# --- [EMAIL PROTECTED] ---
authorizer: "[EMAIL PROTECTED]"
licensees:"DN:"
conditions: remote_id_type =="ASN1 DN" &&
            remote_id =="" -> "true";
Stateful VPN failover, a fork from "Re: iptables vs pf"
I have been moving a single Linux FW to a pair of OBSD machines, lured by carp and pfsync. This has been working well in my test environment. This also led me to VPNs running with ISAKMPD, replacing a Freeswan box, and forestalling purchasing proprietary products for site to site partner VPNs.

THE POINT: Where will I find docs that explain how this is done: "Oh, and when your 3.8 VPNs failover statefully, too. :)" ?

> -----Original Message-----
> From: Jason Dixon [mailto:[EMAIL PROTECTED]
> Sent: Thursday, October 20, 2005 02:07 AM
> To: 'Edy Purnomo'
> Cc: misc@openbsd.org
> Subject: Re: iptables vs pf
>
> On Oct 19, 2005, at 6:21 PM, Edy Purnomo wrote:
>
> > i suggested to my friend to replace his linux box to openbsd.
> > he uses mainly for internet gateway : pf + squid proxy
> > after 2 weeks later he switched it back to linux and said : linux much
> > faster to respond the http requests (he had a same configuration on
> > openbsd, pf + squid proxy).
> >
> > is there any program that can prove what he says ?
> > thanks.
>
> Three points:
>
> 1) No way in hell is iptables faster than PF.
>
> 2) His box _may_ pass traffic faster, but this is almost certainly
> due to the support level of the hardware. Without real information,
> it's hard to qualify this.
>
> 3) Who cares? Why are you worried about what your friend uses? If
> it works for him, so be it. Rather than trying to bring him over
> "cuz PF is l33t", just make sure you mention how cool it is when your
> stateful firewalls run 24x7. Oh, and when your 3.8 VPNs failover
> statefully, too. :)
>
> http://www.openbsd.org/goals.html
>
>
> --
> Jason Dixon
> DixonGroup Consulting
> http://www.dixongroup.net
Re: Stateful VPN failover, a fork from
I'll see if I can cobble some docs together or at least submit an example sasyncd.conf file. I pre-ordered 3.8, and am _now_ eagerly looking forward to bringing this up. I was not asking the list for a howto; I really had not even heard about this feature. The man page seems pretty straightforward; in fact OBSD's man pages are in general very usable, making howtos in general unnecessary.

Theo pointed out that sasyncd will not yet fail back after a dead peer has been brought back online. This could be a minor problem, i.e. only bring failed units back online after hours. So I guess we would use ifstated to sysctl net.inet.carp.allow=0 and keep the new master pegged until we can actually restart isakmpd. Does that make sense? If the SADB is being propagated around, shouldn't we be able to run a tunnel from anyone who has a valid copy of the DB? I guess I have some poking to do, and interesting entries for November's TPS reports.

> -----Original Message-----
> From: Brian A. Seklecki [mailto:[EMAIL PROTECTED]
> Sent: Friday, October 21, 2005 06:22 PM
> To: [EMAIL PROTECTED]
> Cc: misc@openbsd.org, 'Jason Dixon'
> Subject: Re: Stateful VPN failover a fork from "Re: iptables vs pf"
>
> More to the point, "how to find this info".
>
> 1: Go to http://www.openbsd.org/cgi-bin/man.cgi
> 2: click "apropos"
> 3: make sure "current" is selected
> 4: query "sync"
> 5: click on "sasyncd(8)" and "sasyncd.conf(5)"
>
> http://www.openbsd.org/cgi-bin/man.cgi?query=sasyncd&sektion=8&apropos=0&manpath=OpenBSD+Current&arch=i386
> http://www.openbsd.org/cgi-bin/man.cgi?query=sasyncd&sektion=8&apropos=0&manpath=OpenBSD+Current&arch=i386
>
> 6: Once intimately familiar with the process, write some Docs and submit
> them for translation.
>
> Also, someone at NYC BSDcon 05 gave a presentation and had slides. Try to
> find those too.
>
> Best of luck.
>
> ~BAS
>
> On Thu, 20 Oct 2005, [EMAIL PROTECTED] wrote:
>
> l8*
> -lava
>
> x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8