On May 10, 2016 9:07 Kamil Cholewiński wrote:
On Tue, 10 May 2016, Giancarlo Razzolini wrote:
This is of limited usefulness.
All you need to do (as a mitm) is to block the connection on port 443,
client will now automagically fall back to using 80 and plain text...
It's even easier
every UA is changed
to first try TLS and *only then* fall back to clear text http, this kind of
measure has its uses.
Cheers,
Giancarlo Razzolini
On May 9, 2016 18:39 Theo de Raadt wrote:
Giancarlo Razzolini wrote:
> It is really nice to finally see TLS on openbsd.org. How about
redirecting
> http to https?
I dislike the idea.
Let me be more clear, both of you.
Those decisions will be made by the people (Bob et al.) who ma
o, it seems STS isn't being used. I don't know if this is a
testing phase, but it would be nice to have those nevertheless.
Cheers,
Giancarlo Razzolini
happens because kombu is using an
internal python function that got removed from 2.7.9 to 2.7.10, if I recall it
correctly. I had this same issue recently.
Cheers,
Giancarlo Razzolini
On 19-02-2016 12:42, Jorge Luis wrote:
> "What is LibertyBSD?
> OpenBSD is universally known as an operating system designed with security
> in mind, proudly being able to say that it has had "Only two remote holes in
> the default install, in a heck of a long time!"
Will you please, please, go
completely? At least if you trust your first access to the site. But I
think this thread followed its course, let's move on.
Cheers,
Giancarlo Razzolini
's and
tor, etc.
The TLS could be implemented in a non-mandatory way, you don't need to
redirect HTTP connections to HTTPS ones. But it would be nice to have
the option, at least.
Cheers,
Giancarlo Razzolini
the client shouldn't connect to it,
because it already has the fingerprint pinned. It is the same rationale
as ssh host keys, trust on first use.
But, by the way this thread evolved, we're beating a dead horse here now.
Cheers,
Giancarlo Razzolini
servers. Having them in clear text as
they are today isn't very secure.
Also, now that we have two free TLS cert providers, one can use HPKP
and completely disregard the CAs, which is a security benefit.
Cheers,
Giancarlo Razzolini
?
Macros need to be present in each anchor file. Tables don't need to. I
have a little script that copies all my macros after I edit /etc/pf.conf
to the anchors. I use commented marks in /etc/pf.conf to know where to
begin copying and where to end. But you get the point.
Cheers,
Giancarlo Razzolini
fact that the num
lock switch was on (or off). At first I thought it wasn't tmux related.
But now it seems otherwise.
Cheers,
Giancarlo Razzolini
). My question is malformed, sorry.
Take a look at bro. It's on ports.
Cheers,
Giancarlo Razzolini
on. Now
you made it even more clear how things operate.
Cheers,
Giancarlo Razzolini
D's but
do not get them delivered. That way Theo saves the shipping, and you
contribute directly to him. Which isn't different from contributing to
OpenBSD.
Cheers,
Giancarlo Razzolini
mall bursary as well from some people who
> understand the importance, otherwise I'd be looking for a cashier job.
I really don't want to see this happen, but I'd imagine you wouldn't
stress yourself as much.
Keep the good work,
Giancarlo Razzolini
e delivery. You can download the iso from the internet, safely
verify them and write your own USB stick with it. And Theo gets paid for
the wonderful job he (and others of course) do with OpenBSD.
Cheers,
Giancarlo Razzolini
On 27-11-2015 18:35, bofh wrote:
> Why do you continue by asking about blobs in FreeBSD?
Troll Detected. Troll Fed. End of Thread.
using the self
keyword. You can also have success using the user directive.
Cheers,
Giancarlo Razzolini
elevant for the OpenBSD installation.
Everything is signed using signify. The transfer medium can be (and is)
unencrypted. Of course this pretty much means anyone listening knows
you're downloading/installing OpenBSD. If your concern is this, then
you'll need to figure out for yourself how to hide the fact that you're
installing OpenBSD.
Cheers,
Giancarlo Razzolini
th this is using a proxy. Relayd can work quite well
for simple cases.
Cheers,
Giancarlo Razzolini
e unbound with local-zones or an unbound + nsd combo, if you
also need authoritative. I think you'll need to hack your /etc/rc file
to load them before your pf.conf is loaded.
Cheers,
Giancarlo Razzolini
ace with the inet6
-autoconf option, so you'll get only the link-local address. When you
run dhcpcd it will configure only a private address on the interface
thus solving your issue. You don't need to make pf prefer the privacy
address, because there will only be one address on the interface.
Cheers,
Giancarlo Razzolini
necessary. In
my case I need to monitor changes so I can update DNS records, I was
just extending that so the OP could do another thing (restart rtadvd). I
don't know anything that could be done in my case, since my ISP and CPE
will change the prefix anytime the CPE restarts or the CPE connection to
the ISP is lost.
Cheers,
Giancarlo Razzolini
5.8 that
might help you, if you're willing to run -current. These days I prefer
using ULA and making nat, so I can assure my internal address space will
never change.
Cheers,
Giancarlo Razzolini
han that. Webmin
is a very intrusive piece of software. Unless you understand everything
it is doing in the background, you'll always face problems for which
you won't know the answer, at least, not easily.
Cheers,
Giancarlo Razzolini
open f: No such file or directory
> Nov 6 08:25:46 janus dhcpd[24427]: exiting.
It seems you have two instances of dhcpd running. It might explain your
problem.
Cheers,
Giancarlo Razzolini
the trick
for me.
Cheers,
Giancarlo Razzolini
an ip address on the bridge, only on the internal LAN interface.
Cheers,
Giancarlo Razzolini
e a look into that. If your CPE doesn't have the
internal lan prefix, you can't expect it to work.
Cheers,
Giancarlo Razzolini
know) ipv6 packets to my external lan address. I will try to
port some of the ndp proxy solutions available to OpenBSD. Every one I
found is Linux-centric. OpenBSD ndp(8) has proxy functionality. I
couldn't make it work, and you also need to add entries host by host to it.
Cheers,
Giancarlo Razzolini
advance), Marcus
Don't try to implement the same thing ftp does on top of other
protocols. That being said, using OpenSSH you can have everything ftp
has even better. You can even chroot every user to his/her home. With
the benefit of, you know, talking ssh protocol, instead of ftp.
Cheers,
Giancarlo Razzolini
can
make it easier to visualize where your packets are going.
Cheers,
Giancarlo Razzolini
ng triggered. Also, you can (should) always use tags. Not
only do they make your ruleset "debuggable", but any stray packet should hit
a block rule (possibly logging it). I suspect your first three rules
aren't matching because you're using the external interface. Try using
the internal on them.
Cheers,
Giancarlo Razzolini
ce name with () won't work with IPv6,
and the rules don't get reloaded when the addresses change.
I will (unfortunately) still use IPv4 based internal LANs, as long as
these IPv6 woes don't get sorted out. I think things will get much
worse, before they get better.
Cheers,
Giancarlo Razzolini
v.
I don't understand it either. From my point of view, the OpenVPN project
has slowed down a lot in the past few years. Coincidentally, its
commercial solution didn't.
> so did Tamas, it's in ports.
Good to know. I don't think my code still compiles against newer OpenVPN
versions.
Cheers,
Giancarlo Razzolini
I beg you. Every time an
admin starts an ftp server, a puppy dies. Consider using SSH. Or, if you
must, DAV.
Cheers,
Giancarlo Razzolini
it up if you want, but I don't even know if it
compiles with recent OpenVPN code.
Cheers,
Giancarlo Razzolini
as text here. Without it, it's
difficult to help you.
Cheers,
Giancarlo Razzolini
ecially if you do not change it after a key
replacement.
Cheers,
Giancarlo Razzolini
. You can also do
this the other way around: make the route-to rules for your customers
and let your OpenBSD use whatever default gateway you want. If your
networks are static, you can hard code them in your pf rules.
Cheers,
Giancarlo Razzolini
t
> want using that queue and add a match rule to pf.conf to push it into my
> bulk queue.
>
> But I am wondering if there is a way to log what traffic is using a
> queue or which packets are being dropped.
>
> Thanks,
> jh
>
match log
man pflow(4)
pkg_add nfsen
Happy!
Cheers,
Giancarlo Razzolini
different
gateways. If they have the same routing priority, OpenBSD would
round-robin between them. This is where ifstated can be used, to detect
failures and add/remove the routes as needed.
Cheers,
Giancarlo Razzolini
ing, or your OpenBSD firewall is also running a proxy or dns server.
In this case I find that using mpath alongside ifstated is
easier than using rdomain. Especially if your network layout is simple.
Cheers,
Giancarlo Razzolini
set the priority passing two of them, so packets with lowdelay TOS and
empty acks can go to a higher priority, hence improving your interactive
browsing and your downloads.
Cheers,
Giancarlo Razzolini
onnected through
the internet, making all of them pass through the subnet 2, will slow
things down.
Cheers,
Giancarlo Razzolini
f custom
CAs, and firefox has an option also. But that is not true for every
browser (or lib that some app might be using). To complicate things
further, there is HPKP. You can also use pflow(4) with nfsen for
detecting odd behaviour in your network, and try to catch anything that
might have passed.
Cheers,
Giancarlo Razzolini
; immediately use https for your domain without going through the redirect.
The redirect is still necessary, given the fact that STS headers have an
expiration time. So, configure and forget the redirect and always
maintain your TLS setup working, and you should be fine.
Cheers,
Giancarlo Razzolini
ces in the IPv6 world, the so called internet of
things, nat will have a performance hit on that, so it will eventually
fade away, hopefully.
Cheers,
Giancarlo Razzolini
box, then no. My CPE is only routed, unfortunately. But this discussion
gave me the idea of making a bridge for my dmz and using ULA with nat on
my internal networks, that don't need much external connectivity. This
also solves my problem of having only one /64 prefix.
Cheers,
Giancarlo Razzolini
ding dhcpv6 servers, rtadvd, and anchors, etc.
>
> Also it's good for winding up IPv6 purists :-)
Wound up me. :-)
Cheers,
Giancarlo Razzolini
see only the OpenBSD router's address so it should work.
I ended up setting up a bridge for that. It's harder to filter on them
though. I plan to port some NDP proxy to OpenBSD, but all of the
candidates looked very cumbersome to my taste. I'll have eventually to
do it, unless someone else beats me to it.
Cheers,
Giancarlo Razzolini
it thinks the prefix
is reachable using NDP. Hence the need for a proxy, which OpenBSD
currently doesn't have.
Cheers,
Giancarlo Razzolini
r to
DHCPv6 requests. If so, and if it follows RFC 7084, you could ask for an
IA_NA from it, and you'd get an address which is not the privacy
address, but also is not based on your MAC address.
Cheers,
Giancarlo Razzolini
7084 compliant. Luckily enough, many CPEs respond to this address as
your default route (fe80::1). If it didn't, you would have a lot of
problems.
Cheers,
Giancarlo Razzolini
net connectivity
going to the right interfaces.
Cheers,
Giancarlo Razzolini
n I switched sides. As I said, you should try and see. But, in
general, you will benefit from mp. Yes, I'm being vague, as you were.
P.s.: Don't use anything you read on calomel.org. Want to learn pf, read
the manual or buy the book of pf.
Cheers,
Giancarlo Razzolini
mmended here on this
list is soekris. But there are other options too.
P.s.: Talking about this kind of embedded system, you'll most likely end
up with a single core one. Pay attention to the RAM speed and bus speed too.
Cheers,
Giancarlo Razzolini
is so fast, that the bottleneck almost never
is it. If you ever reach a point where pf is giving you trouble, then
I'm guessing you're a backbone with tons of GB/s of traffic. And even
then it can be adjusted to not give you trouble. Clearer now?
Cheers,
Giancarlo Razzolini
, then it will consume more RAM and CPU than pf. Having
more of both in this case is better. Again, each case is different and
you should really try and see. Also, all of this might become somewhat
irrelevant when (if) the mp pf patch enters base.
Cheers,
Giancarlo Razzolini
easure it, and only then decide. pflow(4) and nfsen come to mind. symon
is another good candidate. With that, you can deploy only the amount of
hardware needed.
Cheers,
Giancarlo Razzolini
h mp,
you're seeking validation to go through with a single core. If you're
only using pf, dhcpd and dns server, it will work. But don't expect it
to scale too well if your small office becomes a medium sized office.
Cheers,
Giancarlo Razzolini
enefits (yet) from MP,
it doesn't mean these other programs won't. That being said, you'll
probably be ok with a single core. But, if your machine has no problems
with it, using MP won't hurt, and will definitely improve your performance.
Cheers,
Giancarlo Razzolini
,
and I had to hard reset it. These events had nothing to do with the
OpenBSD machine per se. Since the OpenBSD machine is using the virtio
ballooned memory, I guess it might have something to do with it, but I fail to
see exactly what. Anyone got any clues?
Cheers,
Giancarlo Razzolini
> I don't want to use any routing protocol for this, but just simple
> firewall rules to allow or deny the traffic.
You won't need to. The pf man pages are great, and they provide lots of
examples. Also, if you take some time to learn BNF, it will surely help you.
Cheers,
Giancarlo Razzolini
uming the OpenBSD machine can communicate with every
network and every machine on it, you have plenty of options.
Cheers,
Giancarlo Razzolini
options. If you don't care
about UDP, you can use http://www.openbsd.org/faq/pf/rdr.html#tcpproxy.
You can have a L2 VPN to your OpenBSD machine, so that you would
effectively be "inside" the same network the machine is. Your problem
isn't unsolvable.
Cheers,
Giancarlo Razzolini
anging
them. And ask your provider to enable the other ports if it doesn't.
Cheers,
Giancarlo Razzolini
router should stop
advertising when it doesn't have global IPv6 connectivity. But, not
every manufacturer is fond of RFCs.
Cheers,
Giancarlo Razzolini
[0] https://tools.ietf.org/html/rfc7084
tion, none.
I don't think IPv6 is the problem though. Remember, SLAAC is ICMPv6 only
and DHCPv6 is UDP based, just as DHCPv4 is. So your ruleset must
accommodate for that.
Cheers,
Giancarlo Razzolini
nd packages. There have
been some IPv6 changes between 5.6 and 5.7 and even more with -current.
So, it might be worth it.
Cheers,
Giancarlo Razzolini
ess told
otherwise, your OpenBSD firewall will happily route any incoming packets
directly to their intended destination. Keep that in mind when writing
your ruleset.
Cheers,
Giancarlo Razzolini
[0] https://tools.ietf.org/html/rfc4861
So the impact should be minimal, if you do so
only on LAN interfaces.
Cheers,
Giancarlo Razzolini
your
friend here. That way you can be sure you have network level
communication with them. You can also try to disable PF and turn on ndp
debugging, net.inet6.icmp6.nd6_debug.
Cheers,
Giancarlo Razzolini
On 04-08-2015 18:28, openda...@hushmail.com wrote:
> a) Discourse is not a conventional Rails app. It has been abstracted to the
> point of insanity and will require you to make a ton of modifications and
> disable a ton of stuff if you decide to go that route,
Kind figured. To me, any syste
ins
or sysadmins (if you can call them that) being lazy. I bet that a lot of
the good old fashioned admins got replaced by a new "devop" who can
deploy everything really fast cutting every corner possible. And people
still want it to be ported to OpenBSD.
Cheers,
Giancarlo Razzolini
take a image and
install something, that can, with some work and thinking, be installed
on the metal. This is wrong. And is also part of the security problem.
Cheers,
Giancarlo Razzolini
lling it
outside a docker. Unless their software is stupid and tries to verify if
you're inside a docker and refuses to run if not.
Cheers,
Giancarlo Razzolini
or pass rules, not block ones.
Cheers,
Giancarlo Razzolini
domains.
Cheers,
Giancarlo Razzolini
On 31-07-2015 03:07, Peter Hessler wrote:
> this is a real problem for real people.
Which was pretty much solved with PKP [0]. As I mentioned, custom CAs
have their uses, but in the end, they are just one more thing waiting to
bite you in the ass. You can pretend to have a decent OPSEC for a wh
Since most people don't even care about tls
warnings, they got their uses. But, as it is becoming clearer and
clearer to the OP, you need to maintain it yourself, and not screw up.
Cheers,
Giancarlo Razzolini
s? Given
the plethora of options for getting free (valid) certificates.
Cheers,
Giancarlo Razzolini
ghbor solicitation messages, and won't route the packets.
Unless I use NDP proxying, I can't do normal routing. As I stated, I did
a bridge. When I have some free time I'll visit the NDP proxy again.
Perhaps I'll be able to port some of the existing solutions to OpenBSD.
Cheers,
Giancarlo Razzolini
nce to support your claim, as you can't even manage to
provide enough information for some good soul on this list to help you.
Come back when you sorted this out.
Cheers,
Giancarlo Razzolini
as static PD). Others are doing it
because of plain and simple lack of knowledge.
Cheers,
Giancarlo Razzolini
On 27-07-2015 09:13, Kimmo Paasiala wrote:
> It's next to impossible identify the make and
> model of the NIC that holds an IP address
With IPv6 and poor configuration, a remote attacker already has that
information. MAC addresses reveal a lot of information about a NIC.
Cheers
On 24-07-2015 14:27, Kevin Chadwick wrote:
> The guidance is to use pubkey or long passwords in which case you
> should either have no problem or notice the cpu cycles if your an admin
> worth any salt.
There are tons of info regarding OpenSSH best practices. The link below
[1] is one of them.
this off list. I already sorted things out with
the OP. But, truth is, that this bug is being sold by others, including
news sites, as "The BUG". It's hard to stay over the fence when things
like this happen. Perhaps I need to drink less coffee and see what that
thing called medi
enough to secure it. The patch wasn't provided because
of a bug in OpenSSH code, it was provided because people are lazy, and
wouldn't fix their own PAM configuration.
Cheers,
Giancarlo Razzolini
ot;yes" default. If there are any forms of PAM authentication
delays, they still apply. But that could perhaps be overcome with some
kind of distributed attack, with many connections opened.
Cheers,
Giancarlo Razzolini
015/q3/156
It seems to affect only FreeBSD. But it's bad, and affects a lot of
versions, dating back to 2007. And also, as I guessed, interaction with
PAM is the culprit.
Cheers,
Giancarlo Razzolini
any
FreeBSD machine available to test it. But it seems to be the only OS
affected. I'm betting that they have some bad interaction between the
openssh configuration and their PAM configuration.
Cheers,
Giancarlo Razzolini
t ideal, but it worked. My ISP
had a broken configuration where more than one concentrator would reply.
They eventually fixed it, but I had to debug a lot to get to this.
Perhaps you're seeing something similar. But without more information
it's difficult to know.
Cheers,
Giancarlo Razzolini
ilovers, lots of anchors.
This was almost 10 years ago. Things have changed. But some didn't.
Cheers,
Giancarlo Razzolini
ue and solved it using (egress). Since your
interfaces will have default routes, they will be all part of the egress
group. You can exploit that. Use tags and tcpdump to debug your rules, I
believe you can find a solution.
Cheers,
Giancarlo Razzolini
there will be a lot of people that will be caught off guard,
especially because almost every OS (except OpenBSD) will automatically
configure IPv6 if present.
Cheers,
Giancarlo Razzolini
ubset of ICMPv6 messages need to be
allowed both on the router and clients.
Cheers,
Giancarlo Razzolini
y for a site to site VPN, I'll stay with it
for a while. But my ISP is implementing native IPv6 and sooner or later
I'll have to deal with this. So will you.
Cheers,
Giancarlo Razzolini
ecall if the openbsd base dhclient has it, but you could
possibly use one that is in ports and make it not add the default
routes. And, you could make it call a script that creates them. They
need to be created with the -mpath modifier anyway.
Cheers,
Giancarlo Razzolini