On 28.10.2024 05:35 void wrote:
HostKeyAlgorithms +ssh-rsa,+ssh-dss
That's not how the config parser works - I think.
Anyway, I was juggling this for a while to access HP
switches from the same era (hp2940s) and the minimum
settings to make that work are only this:
PubkeyAcceptedKeyTypes +
On 28.10.2024 04:36 void wrote:
# old-ilo
Host [redacted_ip]
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
MACs hmac-md5,hmac-sha1,umac...@openssh.com
HostKeyAlgorithms ssh-rsa,ssh-dss
KexAlgorithms diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
VerifyHostKeyDNS n
On 13.02.2024 19:07 Samuel Jayden wrote:
Also I've another question:
Is it feasible to achieve CARP and VRRP interoperability through a
user-space application?
One step back.. you're looking for using one Cisco router and one
OpenBSD box as a redundant pair? I've no idea and in over 20y I did
On 20.11.2023 14:15 Nowarez Market wrote:
Preface, I have some simple expectations: be able to do
something like artifact configuration and deployment from my local
settings (OpenBSD) to the cloud (Linux, testing or production
whatever).
Do you have any suggestion about a good (non commerci
On 24.10.2023 03:08 Andy Lemin wrote:
So I have to run
'route -T0 exec syspatch', for example.
But 0 is the "default"!?
How do I set/override the default rdomain for system level CLI
commands?
route -T9 exec /bin/ksh
Everything in that shell will be in rdomain 9.
HTH,
PS: or tmux ..
--
On 12.08.2023 03:13 Chris Bennett wrote:
I can't figure out how to match the outgoing mails to the correct IP/mx
they are coming from. Just one server, different A records for the mx
versus domain name.
Difficult to understand what you're trying there...
I kinda understand that you have multi
On 29.07.2023 21:29 Chris Bennett wrote:
The other IPs are randomly missing or give this:
link#2 UHLc 0 450 - 3 em1
Each route flush;sh -x /etc/netstart or a reboot changes the result.
Oh, you need an alias for each IP that should be bound on em1
so, like:
#
On 29.07.2023 20:04 Chris Bennett wrote:
inet 103.103.103.168/29
That's wrong, you put the "first" IP-address you want to
use/have on em1. So that would be 170/29
(168 is this network's BSD-broadcast or "net address")
/etc/mygate is
103.103.103.169
Cannot foresee what your ISP provides.
Hi Chris,
On 29.07.2023 04:17 Chris Bennett wrote:
The network is 108.181.26.176/28.
Right now, the first IP is 108.181.26.178 and the last regular address
is 108.181.26.190, which might be wrong. I'm too tired to read any more
man pages or web pages. I needed more than 2hrs of sleep.
I'm
On 18.07.2023 19:26 Ibsen S Ripsbusker wrote:
Dear colleagues,
About 20 years ago I read in some OpenBSD documentation, likely the
installation instructions, that we want people to copy our OpenBSD even
if to use it even in proprietary products, because the alternative is
that incompetent peop
On 18.06.2023 20:35 Stephan Neuhaus wrote:
Here you can see that the "from" part is what the
above description calls the src_addr, not the
ext_addr, as it claims. This makes much more sense and
is consistent with all the other documentation that
I've seen.
The "match" is rewriting to ext_add
On 06.05.2023 02:03 Nino Sidoti wrote:
Hello,
I am trying to work out how to change the “From address” for when the
daily output reports are run. I want to use a real email address
rather than the default of Charlie Root “root@hostname”.
It takes the name from /etc/passwd. See vipw(8) for cha
On 04.05.2023 09:31 Luca Di Gregorio wrote:
To be honest, I don't know if the modification of GRUB in Debian is
needed.
Or, installing with Whole disk MBR (w) is enough.
But it works, OpenBSD is automatically started at reboot.
The modification in grub configuration would make it possible t
On 16.02.2023 08:27 Daniele B. wrote:
3) Can you advise about hosting providers in terms of managed VPS with
OpenBSD, in North America and Europe?
For some years now with https://transip.eu - spotless IPv6 and OpenBSD
included. The web/vnc console just works, too.
I think I had only one (may
On 29.12.2022 15:40 Jurjen Oskam wrote:
From the host dmesg I noticed the following line:
It has been this way since day-1 of -B -- unclear if you want to call
it expected, feature or bug :-)
Noticed this early on the vagrant+packer works.. -B is adhoc and
thus vmd is not aware of it after t
On 22.12.2022 21:37 J Doe wrote:
set skip on lo0
. . .
antispoof quick for $ext_if
This one will be faster (a tad) if you do not plan for more
detailed filtering (and who does so on lo0 besides the
esoteric ones).
ciao
--
pb
On 13.12.2022 22:11 J Doe wrote:
set skip on !$ext_if
... with the idea that this skips all interfaces (virtual or
otherwise) _EXCEPT_ em0, which is the real Ethernet NIC that I want to
perform filtering on ?
Yes, but likely to need a space between ! and $.
ciao
--
pb
On 13.12.2022 06:02 J Doe wrote:
set skip on { lo0, vif* }
in pf.conf(5) the GRAMMAR shows:
ifspec = ( [ "!" ] ( interface-name | interface-group ) ) |
"{" interface-list "}"
So you could do "set skip on { lo0 vif0 vif1 }" for explicit, or you
use inter
On 10.09.2022 21:29 Stuart Henderson wrote:
With the web as it is, I can't see a text-mode browser as being
comfortable for day-to-day desktop usage. In addition, some of the gui
browsers have some degree of process separation and jailing, and active
enough development there's a better chance t
On 08.07.2022 15:49 Dave Voutila wrote:
$ openssl s_client -showcerts -servername mail.thinkerwim.org -connect
mail.thinkerwim.org:587
`-starttls smtp` helps a lot. The cert is there (also on :25 ftm) and
signed by LE.
The rub is that the mutt client machine does not know that issuer,
See
On 16.05.2022 10:20 Elias Carter wrote:
One possible advantage of randomizing source ports is that it helps
prevent fingerprinting of the devices behind the NAT? Are there any
other reasons?
Back in the days outgoing (tcp) connections had predictable port numbers,
sequence numbers, time ba
On 16.04.2022 01:31 open...@maniaphobic.org wrote:
the representative told me, "OpenBSD has very
special configurations that are required on our end to work properly
with our virtualization software". It lowers my confidence in Vultr as
a reliable OpenBSD host.
Crucial question (likely on beh
On 21.03.2022 19:04 rea...@catastrophe.net wrote:
The flows look correct in the SA table on server-west and traffic
leaves on enc0, hits vio0 on server-east as ESP traffic, but then is
dropped. Again, only when I also start a ping on server-east
(10.254.255.1) to server-west (10.255.255.1) d
On 13.07.2020 07:08 Gabri Tofano wrote:
"Redirections cannot reflect packets back through the interface they
arrive on, they can only be redirected to hosts connected to different
interfaces or to the firewall itself."
- Keep my current configuration with HAproxy
- Add another network inter
On 13.06.2020 09:29 jungle boogie wrote:
Hi,
Here's an old news clip about OpenBSD many folks haven't seen or have
forgotten about. I don't know what year it's from or the hackathon
that was taking place. Maybe someone can fill us in on the details?
I can see a pf2k4 Tshirt as "newest".. mig
On 08.06.2020 00:29 Paul B. Henson wrote:
However, for only two firewalls, when you're using the syncpeer
directive for the pfsync interface, it seems it would be better not to
default to belonging to the carp group? With only two firewalls, if
one of them has broken synchronization, so does th
On 06.05.2020 15:54 Ingo Schwarze wrote:
Your misunderstanding is that file names consist of characters.
They do not. They consist of bytes, and to match two bytes,
you need two question marks.
One can hold for the OP; the ksh(1) manpage talks about
"characters" in 'File name patterns' thro
Hey Paul,
On 25.01.2020 11:43 Paul de Weerd wrote:
block in on $IntIF inet proto { tcp, udp } from $IntIF:network to ! $IntIF:0 port domain
block in on $IntIF inet6 proto { tcp, udp } from $IntIF:network to ! $IntIF:0 port domain
I just tested this with "IntIF=vio0" and works on 6.6-stable
On 15.01.2020 18:50 Dante F. B. Colò wrote:
Hello everyone
I maintain some ipsec gateways using isakmpd on OpenBSD, no problem at
all, but I need to set up a new one, now with NAT on phase 2. Is
this possible with iked or isakmpd?
outgoing NAT is like this:
http://man.openbsd.org/ipsec.con
On 09.01.2020 16:10 Ingo Schwarze wrote:
https://www.youtube.com/watch?v=HTD9Gow1wTU
And Bob gave a talk about VFS hacking at the very same
event. Might be an eye-opener for those "proposing to help".
https://www.youtube.com/watch?v=rVb8jdlP4gE
(somehow the slides didn't make it to /papers/?)
On 10.12.2019 17:07 Evan Silberman wrote:
Is there a way to placate security(8) that I'm just not seeing? Or is
my goal fundamentally misguided for some reason I'm not seeing? The
user in this case is semi-trusted (e.g. yes, we'll let you login using
an unprivileged account to run bgpctl in
Hi,
Just a heads-up / for the archives. Do more important things first :)
While testing my packer-vmm port "across the board", I just noticed that
bsd.rd older than 5.7 will just hang in 'vmctl start -c' for.. forever?
Dec 9 12:24:12 ssfnhv011 vmd[48696]: myvm: started vm 1 successfully, tty /d
On 02.01.2019 21:35 Klemens Nanni wrote:
Anchor 11 is the twelfth rule in your main ruleset (the anchor rule),
in which the first rule established this state.
Ouch, overlooked this one. Thanks..
Provide your ruleset so we can look at actual rules without guessing in
case your problem persis
Hello,
in the midst of debugging ruleset/migrations, I came across this output
in 'pfctl -vvss':
all tcp 10.45.30.7:993 (public-nat:993) <- remote-ip:4690
ESTABLISHED:ESTABLISHED
[1683650613 + 66296] wscale 7 [3702552199 + 16768] wscale 2
age 04:32:22, expires in 00:09:25, 745:737
On 20.12.2018 19:24 cho...@jtan.com wrote:
I'm not sure what you mean by that. The script I posted the other day
is part of a (working, tested) process to create an openbsd image
within openbsd and then upload it to aws as an iam. I based it on, I
think, an earlier version of the instructions l
On 20.12.2018 18:13 David Diggles wrote:
However it's possible to build for AWS.
https://github.com/ajacoutot/aws-openbsd
and there's more stuff "in the pipe", since the above
needs a Linux or OSX environment
Next year ;) it'll be possible to do this on OpenBSD
(vmm/packer/vagrant).
ciao
Hi,
On 30.08.2018 10:27 Sebastian Reitenbach wrote:
Hi,
I'm wondering if it would be possible to add iked to my box already
running isakmpd.
I found this quite old thread:
http://openbsd-archive.7691.n7.nabble.com/iked-isakmpd-on-the-same-machine-td246610.html
Why is it "always" my old thre
On 15.06.2018 10:27 Holger Glaess wrote:
I see the forwarded bootrequest from dhcrelay but it is not possible,
for me, to shift this request to another rdom.
just lift the outgoing (directed) request from dhcrelay with pf?
--
pb
Hello Andre,
On 14.05.2018 13:38 Andre Ruppert wrote:
I got the tips from this 2013 undeadly.org article:
Managing Individual IPsec Tunnels On A Multi-Tunnel Gateway
https://undeadly.org/cgi?action=article&sid=20131125041429
Apparently I wrote that article, and I feel your pain :-)
2.) les
On 25.03.2018 08:49 Z Ero wrote:
Is 6.3 release almost here? Is that why? If you are using your
computer for production and are not actively developing / debugging
OpenBSD why would you run a current snapshot rather than the stable
release? Just curious.
Because with a "myriad" of snapshot te
On 26.02.2018 02:33 Constantine A. Murenin wrote:
I recently got 10k on StackOverflow, which is the minimum reputation
required to see not just any deleted stuff, but even your own deleted
questions and answers; and the sheer volume of my own questions and
answers that got deleted (some of whic
On 09.02.2018 10:27 Consus wrote:
Is it possible to list all block devices (with type and size) with one
command? You know, like lsblk(8) in Linux.
You're implying..
# lsblk
bash: lsblk: command not found
And just that is already a reason, I do not like "Linux" very much.
--
pb
Hello,
On 01.09.2017 00:33 Maxim Bourmistrov wrote:
0/232/64 mbuf 2048 byte clusters in use (current/peak/max)
423/2865/120 mbuf 2112 byte clusters in use (current/peak/max)
0/160/64 mbuf 4096 byte clusters in use (current/peak/max)
0/200/64 mbuf 8192 byte clusters in use (current/peak/max)
On 29.06.2017 12:32 Luescher Claude wrote:
Why are you using ipsec in the 21st century:
https://serverfault.com/questions/202917/openvpn-vs-ipsec-pros-and-cons-what-to-use
just a week after four CVEs (incl RCE) in openvpn? Great.
--
pb
On 28.06.2017 11:18 Liviu Daia wrote:
set skip on { lo, enc }
pass in quick on egress inet proto udp to any port { isakmp, ipsec-nat-t }
needs (on both) a 'pass quick inet proto esp', too
--
pb
On 23.06.2017 07:19 Indunil Jayasooriya wrote:
I am running darkstat as well. It also does NOT give it either. I think
This pf box has been rebooted after removing that PC.
See darkstat documentation, you can save/reload statistics across
restarts/reboots.
For the next time..
--
pb
On 20.06.2017 11:13 claudiu vasadi wrote:
Now some questions:
1) On fw2, I omit the ipsecctl command and start only isakmpd and
sasyncd.
If I check the SAs and flows, they will be synced from fw1, but is this
how it should be or do I need to have ipsec.conf on fw2 as well and issue
the "ipse
On 19.06.2017 18:51 Harald Dunkel wrote:
some reliable response time
I've to decide between popcorn and other stuff with flames.
--
pb
On 30.04.2017 00:07 Mihai Popescu wrote:
Do you know a method like this to disable the kernel panic screen, too?
Also something for hiding the dmesg scroll on boot would be nice.
Maybe something to show a nice picture with a text like "sit back and
relax while your OS is loading ..." - the last t
On 07.04.2017 18:38 Peter N. M. Hansteen wrote:
On 04/07/17 18:00, I love OpenBSD wrote:
I second to more IPv6 related information.
I am curious about blocking port scanning in IPv6 Web. Does pf let me
put a CIDR into the named table based on offending IPv6 address and
64-bit mask? I mean so
On 19.03.2017 15:36 Jurjen Oskam wrote:
So, to validate that I'm indeed hitting this bug (and also as a
workaround) I tried to set up the OpenBSD side to not use SHA2. I haven't
been able to get this running yet: isakmpd always seems to offer
HMAC_SHA2_256.
It's not offering that - but acc
On 14.03.2017 01:46 Mik J wrote:
Hello Sebastien, I'm not sure there's something special to force nat-t,
it's automatic. The natted side has to initiate the flow to the non-natted
side. If the two sides are natted then there should be a port forward to
one of them. There should be a nat keepalive
On 17.12.2016 02:32 Predrag Punosevac wrote:
SYS-5018A-FTN4 are really nice boxes. This one has 16GB of RAM and was
btw.. just got SYS-1028R-WMRT and the dual I350 isn't "supported", likely
because of the weird PPB/riser.
--
pb
On 24.11.2016 22:58 Damian McGuckin wrote:
Can you mix the use of 'isakmpd.conf' and 'ipsec.conf'?
You can.. ipsecctl just translates ipsec.conf syntax into isakmpd.conf
style and injects that (or removes with -d) into the running isakmpd.
Just take a config-dump after loading with ipsecct
On 30.10.2016 18:28 Jeff Ross wrote:
It seems like I should be able to use pf to redirect all inbound
traffic except ssh to the new server. I tried redirecting web traffic
as a test with the following rule in pf.conf:
#pass all non-ssl web traffic to luna
pass in quick proto tcp to port www r
On 14.08.2016 07:06 niya levi wrote:
If yes, can someone show me an example of how the route-to rule would be
written;
if no, what would be the best way to go about this?
Easier is to put an ip-address on the parent (carpdev) that can be
reached from the ntp, mailserver, .. preferably w/o ro
On 27.05.2016 06:27 Chris Bennett wrote:
This question has probably been asked before, but a lot has changed
since then.
I want to buy a new one, sent to the USA. Looked at Amazon briefly. Not
sure if there may be a better place to order from.
http://www.pckeyboard.com/page/product/KBDCFG
o
On 24.05.2016 10:53 Bruno Flueckiger wrote:
As a result of my tests I've created the diff below for ipsec.conf(5).
Is this ok or did I miss something?
You missed the 'set skip on enc0' a bit up.
--
pb
Just realized I didn't reply to the list so someone could pick up the
diff for commit consideration.
Original message
Subject: Re: hostname.carp - CARP Bootup Woes Correct layout / format
for >=5.9 - man page for hostname.carp
Date: 20.05.2016 17:30
From: Philipp Buehler
On 12.05.2016 11:52 Gabriele Tozzi wrote:
I did not know about the "new" parentheses feature.
It was brand-new with the 3.2 release :-)
--
pb
On 19.02.2016 15:31 Christopher Sean Hilton wrote:
* Am I right to assume that when connecting to isakmpd the soekris
box will match to the "Remote router" stanza because it's trying
to build a tunnel from "srcid <-> dstid" or is isakmpd using the
"local <-> peer" to choose th
On 01.02.2016 23:52 Stuart Henderson wrote:
i.e. it's just missing support for a quirky chip that needs the OS
to do some weird setup.
Or just use only that first SATA (and PATA) port?
e.g., Gabriele, if there's only one disk in there, try to recable it to
the other SATA slot.
--
pb
On 31.12.2015 06:56 Julian Hsiao wrote:
How do I configure isakmpd such that phase 2 parameters must also
match on both ends in order to establish security associations?
Just a guess, but do:
echo r > /var/run/isakmpd.fifo
and look into the /var/run/isakmpd.report
My bet is, that you had a hm