On Tue, 24 Oct 2023 at 03:24, Andy Lemin wrote:
> How do I set/override the default rdomain for system level CLI commands?
>
You can do that at ssh level. From sshd_config(5):
RDomain
Specifies an explicit routing domain that is applied after
authentication has
On Thu, 25 Mar 2021 at 19:45, Kapetanakis Giannis wrote:
>
> How about a distributed setup?
>
> Has anyone thought of a way getting IPs from various servers (say linux
> & fail2ban) to the central OpenBSD (pf) firewall?
I send all my logs to a centralised syslog which runs fail2ban, and
instea
On Tue, 8 Dec 2020 at 19:46, Salvatore Cuzzilla wrote:
>
> do you know if it's possible to see some statistics about the
> committers? like for example number of commits per committer.
There's at least http://www.oxide.org/cvs/index.html
On Thu, 29 Oct 2020 at 21:17, Theo de Raadt wrote:
>
> Or, don't try to overlay stuff onto a single port. Look, we can tell
> what is going on here, you want to tunnel over the least-filtered port
> on the internet, but if you do that trying to use that port for another
> thing is quite a prob
On Thu, 29 Oct 2020 at 21:03, Stuart Henderson wrote:
>
> Which DNS server do you have bound on 53?
unwind
> > Is there a reason why wg needs such a large bind?
>
> Unless/until it gets an option to bind to a specific IP that's all it
> can sanely do. It would definitely be useful IMO.
This
On Thu, 29 Oct 2020 at 18:00, Brian Brombacher wrote:
>
>
> Then there’s a misconfiguration, wg driver bug, or the driver documentation
> is wrong in ifconfig about wgrtable.
>
> Routing domains are where you can specify multiple conflicting port binds and
> be fine, INADDR_ANY included.
On
On Thu, 29 Oct 2020 at 16:40, Theo de Raadt wrote:
>
> > Is there a reason why wg needs such a large bind?
>
> I don't know why wg does that, because I haven't looked at the code.
> Your configuration is definitely pushing the limits.
All right many thanks Theo. Maybe Jason can chime in on this
On Thu, 29 Oct 2020 at 01:20, Theo de Raadt wrote:
>
> I believe you are running into the restriction that we don't allow an
> INADDR_ANY:port binding to be done after a ipaddr:port binding has been
> done. It must be done beforehand.
Sorry Theo, maybe things got lost in translation, but if
On Thu, 29 Oct 2020 at 00:09, Brian Brombacher wrote:
>
> Scratch that, use the ifconfig wgrtable option to specify separate routing
> domains for the port 53. This lets you initiate many. You still need to
> deal with getting the IP pointing at the right routing domain now.
I'm already us
On Tue, 27 Oct 2020 at 23:46, j...@snoopy.net.nz wrote:
>
>
>
> Hi Pierre,
>
> The error may indicate that port 53 on 127.0.0.1 is already used by another
> service. This appears to be confirmed by your netstat example. This is
> probably a dns service.
Thanks Joe. This is indeed a dns daemo
Hi Brian
On Tue, 27 Oct 2020 at 23:07, Brian Brombacher wrote:
>
> I wonder if multiple ports, 5053, 5153 (and so on) redirected using pf rdr-to
> rules may work? That way you can setup rules like first IP + port 53
> redirect to 5053, second IP + 53 redirect to 5153?
>
> May be worth a sho
Howdy misc@,
I have a fairly complicated setup with lots of interfaces, a couple of
rdomains etc.
I'd like wireguard to listen only on an IP address, not all. But if my
understanding of ifconfig(8) is correct, this doesn't seem possible
currently:
wgport port
Set the UDP port that t
On Wed, 24 Jun 2020 at 13:01, Stuart Henderson wrote:
>
> On 2020-06-23, Daniel Ouellet wrote:
> > OpenBSD does run on some old Cisco routers, it's been done before. Sure
> > it's not officially supported nor does it support all the various
> > interfaces but it's known to work on some.
Not a
Try this:
$ cat /etc/hostname.vio0
inet 158.69.128.109 255.255.255.255
!route add 198.27.74.254 -link -iface vio0
The "gateway" to 198.27.74.254 should show as its mac address.
On Thu, 28 May 2020 at 17:19, Denis Fondras wrote:
>
> I have a pf.conf with :
> pass out on $if_ix from $ip_ix to !$subnet_ix nat-to $ip_router
>
> Not a definitive solution but does the work on a low-traffic bgp router :/
Thanks Denis, this is what I'm currently doing, but this is more a
kludg
On Thu, 28 May 2020 at 16:09, Theo de Raadt wrote:
>
> A few tools have options like -s, but it is a problem.
>
> I'm also frustrated by this solution, and working on a better method.
thanks for acknowledging this issue Theo.
Just wanted to check if I hadn't missed anything obvious.
Hello
Hi misc@
What is the current canonical way to tweak source address selection?
I have a bgp multi-homed router, and while answers do use the correct
source address, host-generated traffic uses the outgoing interface IP
address:
$ route -n get 194.2.0.20
route to: 194.2.0.20
destination:
On Tue, 10 Dec 2019 at 16:52, Adam Thompson wrote:
>
> Is there a way to placate security(8) that I'm just not seeing? Or is
> my goal fundamentally misguided for some reason I'm not seeing? The
> user in this case is semi-trusted (e.g. yes, we'll let you login using
> an unprivileged account
On Wed, 28 Aug 2019 at 16:38, Mohamed salah wrote:
>
> I wanna put something in discussion, what's your motivational to use
> OPENBSD what not other bsd's what not gnu/Linux, if something doesn't work
> fine on openbsd and you love this os so much what will do?
Almost everything I need is in b
x
On Fri, 16 Aug 2019 at 12:34, Tor Houghton wrote:
>
> Is there a way to get this information without using 'strings' and 'grep'?
$ doas what /bsd
/bsd
OpenBSD 6.5-current (GENERIC.MP) #158: Tue Jul 30 15:25:51 MDT 2019
$ what /home/_sysupgrade/bsd*
/home/_sysupgrade/bsd
OpenBSD 6.6
Works ootb:
- touchpad, trackpoint
- sound
- video
- suspend
- hibernate
- webcam ("5986:2113 Acer, Inc" / SunplusIT Inc Integrated Camera)
- wireless after running fw_update
- vga out via usb-c dongles
- 03f0:274a Hewlett-Packard "HP USB-C to VGA Adapter"
- 2109:0100 VIA Technologies Inc "
On Tue, 2 Apr 2019 at 23:00, Henry Bonath wrote:
>
> Hello,
> Does anyone have any suggestions as to how to add the current rtable to the
> $PS1 prompt?
>
> I tend to flip back and forth between routing domains and tend to lose track
> of which rdomain I am currently using.
>
> I've been attemp
On Mon, 29 Oct 2018 at 22:44, Claudio Jeker wrote:
>
> This is a problem of the parser. Use "42" with the quotes to make the
> number a string. Or use a non-digit label (as you figured out already).
Thanks Claudio, this is a handy workaround.
On Mon, 29 Oct 2018 at 22:26, Pierre Emeriaud wrote:
>
> On Mon, 29 Oct 2018 at 22:04, Claudio Jeker wrote:
> >
> > Another option is to set the rtlabel on the interface and then use network
> > rtlabel to redistribute it.
>
> I tried that, but it
On Mon, 29 Oct 2018 at 22:04, Claudio Jeker wrote:
>
> Another option is to set the rtlabel on the interface and then use network
> rtlabel to redistribute it.
I tried that, but it's refused by bgpd parser:
$ doas bgpd -n
/etc/bgpd.conf:39: syntax error
$ doas nl -ba -nln /etc/bgpd.conf | gre
On Mon, 29 Oct 2018 at 14:43, Pierre Emeriaud wrote:
>
> Is there a good way to redistribute those local prefixes? like what
> "network local" would do.
denis@ informed me about the recently introduced "network inet6
priority 1", I guess that could fit with some appropriate filtering.
Thanks!
Hello misc,
I'm currently advertising my prefix with "network $mynet", so as
redistributing connected networks with "network (inet6) connected".
However, loopback prefixes are not announced.
They are seen as local instead of connected:
$ route -n get 2001:db8:3cc:10:1000::1/128
route to: 2001
On Wed, 12 Sep 2018 at 19:09, Tim Jones wrote:
>
> 2/ The BGP sessions come up
>
> 3/ "bgpctl sho ri" shows all routes. But none of them have any flags, not
> even the *=valid flag.
>
> 4/ Setting "nexthop qualify via default" gets the valid & select flags, but
> doing a traceroute sees the
On Sat, 8 Sep 2018 at 18:06, Jay Hart wrote:
>
> > On Sat, 8 Sep 2018 at 13:40, Jay Hart wrote:
> >> -ifconfig -A from the router--
> >> re1: flags=8843 mtu 1500
> >> lladdr 00:22:4d:d1:48:d5
> >> inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.
On Sat, 8 Sep 2018 at 13:40, Jay Hart wrote:
> -ifconfig -A from the router--
> re1: flags=8843 mtu 1500
> lladdr 00:22:4d:d1:48:d5
> inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.255
Some CPEs have 192.168.1.1 hardcoded as management ip address,
2018-03-24 23:22 GMT+01:00 Lyndon Nerenberg :
> By far the easiest way to do this is to connect a switch to the door that
> opens/closes as the door opens/closes. This assumes that when you say "the
> door moves" you really meant "is opened or closed".
>
> Whether the switch is normally open or
2017-11-08 17:01 GMT+01:00 Mark Carroll :
> I am looking to expand my spamd.conf's blacklisting and I now see that
> some providers prefer one to rsync their blacklist rather than simply
> fetching it and more others make their lists queryable by DNS only.
> Is there a "good" OpenBSD way to do it
2017-07-06 15:07 GMT+02:00 Dimitris Papastamos :
>
> I think one of the NICs is shared and when OpenBSD boots up and
> enumerates them, it also resets the NIC which upsets idrac. You
> can probably figure out which NIC is shared and hack the kernel
> to skip enumerating it.
>
> Someone had the sam
2017-07-06 0:06 GMT+02:00 Mihai Popescu :
> http://marc.info/?t=14986422261&r=1&w=2
Thanks Mihai, I've read that thread already. I don't care about ipmi
readings from the OS. I just want my server to boot correctly. The
thing that rings a bell however is the "hardware ipmi watchdog", which
cou
Hello misc@,
I'm trying to use a Dell R210 II server, remotely hosted at online.net
(LT 1701.3 model). Installation was done from a qemu on a live
"rescue" linux with both 6.1 and current as of 20170705.
When it boots, it crashes at some point, and when it does the idrac
(on a port shared with e
> Are there security concerns against running tinc on an OpenBSD
> gateway as an alternative to IPsec and openvpn in a +50 road
> warriors setup? What is your impression of this tool in daily
> usage? Which VPN solution would you prefer?
I'm using tinc 1.1pre14 (not the port) with hostname.if in t
2017-04-09 16:33 GMT+02:00 Edgar Pettijohn :
> On 04/09/17 04:45, Florian Ermisch wrote:
>>
>> Hi Edgar,
>>
>> check the MTU on your tunnel device.
>> You can give it a try with
>>doas ifconfig gif0 MTU 1400
> Unfortunately that didn't do it. I think I'll just wait until my ISP offers
> it.
Index: radiusd.conf.5
===
RCS file: /cvs/src/usr.sbin/radiusd/radiusd.conf.5,v
retrieving revision 1.7
diff -u -p -r1.7 radiusd.conf.5
--- radiusd.conf.5 26 Oct 2015 06:44:40 - 1.7
+++ radiusd.conf.5 13 Mar 2017 20:5
2016-12-17 4:59 GMT+01:00 Nick Holland :
>
> heh. Little secret: if you look in many data centers, you will find
> lots of 1U boxes with various titles -- security appliances, load
> balancing devices, etc. A lot of them, under the covers, are just PCs.
> And a lot of data centers have 'em rottin
2016-07-13 1:37 GMT+02:00 Difan Zhao :
> Thank you Chris! I come from the Cisco world with a little Linux experience
> but It does make sense to me. It looks like I could run two DHCP processes
> this way.
>
> However the problem is that I still can't set the rtable.. Also tried the
> "rdomain"
2016-07-12 7:41 GMT+02:00 Difan Zhao :
>
> So I have been playing with rdomain and I am able to get dhcp and openvpn
> working but with some hacking. I am seeking a proper way to do this.
rcctl(8) is the way to go:
# rcctl set dhcpd rtable 200
# rcctl get dhcpd
dhcpd_class=daemon
dhcpd_flags=
d
Hi George,
> pppoe0: flags=8855 mtu 1492
> priority: 0
> dev: em0 state: session
> sid: 0x1d1e PADI retries: 0 PADR retries: 0 time: 00:13:01
> sppp: phase network authproto pap authname "user"
> groups: pppoe egress
> status: active
> inet 1
Hi Pierre,
> I tried to do a similar setup. I tried different configuration without
> success.
Yup, I saw your post on misc@ a few days ago when I was looking for
some pointers.
> Then I found this in the manpage : "Currently the routing table must belong
> to the default routing domain and ne
Hello misc@,
I'd like to set up bgpd with multiple routing tables, a la vrf-lite
(ie without mpls and mp-bgp).
What works:
- peering within a rtable/rdomain
- receiving the routes
What doesn't work:
- nexthop is never "validated"
-> routes are never installed in fib
Configuration is pretty s
44 matches