Re: iked rsa pki configuration

2015-08-19 Thread Reyk Floeter
On Wed, Aug 19, 2015 at 02:04:47PM +1000, Jonathan Gray wrote: > On Tue, Aug 18, 2015 at 09:22:14PM +0200, Reyk Floeter wrote: > > On Tue, Aug 18, 2015 at 02:26:29PM +, Jona Joachim wrote: > > > Hi, > > > I'm currently trying to setup a road warrior IKEv2 IPSEC tunnel between > > > two OpenBSD

SuperMicro thin mini itx?

2015-08-19 Thread Quartz
We need to build some OpenBSD-based network devices that we'd strongly prefer to be based on SuperMicro hardware. Does anyone know offhand if they offer any products that conform to the Thin-Mini-ITX standard? Their website is unhelpful and so far their marketing email hasn't responded to inqui

Re: iked rsa pki configuration

2015-08-19 Thread Sebastien Marie
On Wed, Aug 19, 2015 at 10:33:54AM +0200, Reyk Floeter wrote: > > I attached a diff that generates new .cnf files by expanding the > variables in the source .cnf files and generating target .cnf files. > It works with both, ikeca.cnf and x508v3.cnf (ignore the warnings), > but you/we should instal

Re: iked rsa pki configuration

2015-08-19 Thread Jona Joachim
On 2015-08-19, Reyk Floeter wrote: > On Wed, Aug 19, 2015 at 02:04:47PM +1000, Jonathan Gray wrote: >> On Tue, Aug 18, 2015 at 09:22:14PM +0200, Reyk Floeter wrote: >> > On Tue, Aug 18, 2015 at 02:26:29PM +, Jona Joachim wrote: >> > > Hi, >> > > I'm currently trying to setup a road warrior IKE

Re: iked rsa pki configuration

2015-08-19 Thread Jona Joachim
On 2015-08-19, Sebastien Marie wrote: > On Wed, Aug 19, 2015 at 10:33:54AM +0200, Reyk Floeter wrote: >> >> I attached a diff that generates new .cnf files by expanding the >> variables in the source .cnf files and generating target .cnf files. >> It works with both, ikeca.cnf and x508v3.cnf (ign

problems compiling latest 5.7 patches

2015-08-19 Thread luke350
I'm not an expert but am trying to follow the instructions to rebuild my 5.7 stable system with the latest patches, using the commands below. I'm pretty sure this same script has worked for me in the past. It fails at the last line with exit code 1. I've duplicated the problem more than once,

Re: redirect nor vpn (as I know it) solves this problem

2015-08-19 Thread Sonic
On Fri, Aug 14, 2015 at 3:20 AM, Stuart Henderson wrote: > Config for this would be fairly similar to this example: > http://www.openbsd.org/faq/pf/rdr.html#rdrnat I'm guessing you mean this example (?). == With an additional NAT rule on the internal interf

Re: USB mouse spontaneously detaching

2015-08-19 Thread harold felton
howdee, im monitoring this thread cautiously since i dont know what im doing sometimes... i noticed similar behaviour with my mouse - but had attributed the messages to the fact that i use a manual kvm-switch... so whenever i "switched" i was certain it had triggered... i will enclose my dmesg a

Re: USB mouse spontaneously detaching

2015-08-19 Thread harold felton
"i dont know what im doing" - mistake... i sent an abbreviated dmesg, sorry... h. :) On Wed, Aug 19, 2015 at 6:36 AM, harold felton wrote: > howdee, > > im monitoring this thread cautiously since i dont know what im doing > sometimes... > > i noticed similar behaviour with my mouse - but had

Re: iked rsa pki configuration

2015-08-19 Thread Sebastien Marie
On Wed, Aug 19, 2015 at 10:33:54AM +0200, Reyk Floeter wrote: > > In this case, "LibreSSL" was Theo who unintentionally broke ikectl. > > I attached a diff that generates new .cnf files by expanding the > variables in the source .cnf files and generating target .cnf files. > It works with both, i

Re: Openbsd 5.7: IPv6 autoconf not working

2015-08-19 Thread Giancarlo Razzolini
On 18-08-2015 23:34, Alexandre Westfahl wrote: > 6c00 0020 3aff fe80 > > 0001 ff02 > > 0001 8600 fa6d 40c0 0708 > > 0101 fc48 efc3 41fe

Re: iked rsa pki configuration

2015-08-19 Thread Reyk Floeter
On Wed, Aug 19, 2015 at 03:50:47PM +0200, Sebastien Marie wrote: > On Wed, Aug 19, 2015 at 10:33:54AM +0200, Reyk Floeter wrote: > > > > In this case, "LibreSSL" was Theo who unintentionally broke ikectl. > > > > I attached a diff that generates new .cnf files by expanding the > > variables in th

openbsd 5.8 pre-orders

2015-08-19 Thread Theo de Raadt
We have just activated pre-orders for openbsd 5.8. The release date is oct 18, which seems a long time from now. This is being stretched out to ensure the CD2 production problems happen again. Oct 18, 2015 is the 20th anniversary of the creation of the CVS tree that we develop all our software i

Re: openbsd 5.8 pre-orders

2015-08-19 Thread Theo de Raadt
> This is being stretched out to ensure the CD2 production > problems happen again. ARGh, to ensure they DON'T happen again.

Re: openbsd 5.8 pre-orders

2015-08-19 Thread Dave Wilson
On 19 August 2015 at 16:29, Theo de Raadt wrote: >> This is being stretched out to ensure the CD2 production >> problems happen again. > > ARGh, to ensure they DON'T happen again. I just assumed you were being sarcastic ;-)

Re: redirect nor vpn (as I know it) solves this problem

2015-08-19 Thread Giancarlo Razzolini
On 19-08-2015 09:27, Sonic wrote: > I'm guessing you mean this example (?). > == > With an additional NAT rule on the internal interface, the lacking > source address translation described above can be achieved. > > pass in on $int_if proto tcp from $int_n

Pre-orders for 5.8

2015-08-19 Thread Joerg Jung
To celebrate the upcoming 20 years anniversary release of OpenBSD, four (instead of the usual one) songs are contributed and will be included in the release. The song I contributed is being released today: http://www.openbsd.org/lyrics.html#58c By the way, pre-orders for 5.8 CDs and posters w

Re: openbsd 5.8 pre-orders

2015-08-19 Thread Erling Westenvik
On Wed, Aug 19, 2015 at 09:29:45AM -0600, Theo de Raadt wrote: > > This is being stretched out to ensure the CD2 production > > problems happen again. > > ARGh, to ensure they DON'T happen again. Parity error.

Re: lxde

2015-08-19 Thread luke350
For what it's worth: xfce might work for you. At least, I used to use lxde on debian as my desktop and loved it, but on OpenBSD I tried xfce (which *is* found in ports) and for my purposes it works very similarly and well. On 08/14/15 10:03, Joseph Oficre wrote: Hello, friends. Can someone t

Re: securing web browser

2015-08-19 Thread luke350
On 08/14/15 12:08, dan mclaughlin wrote: On Fri, 14 Aug 2015 16:45:52 + Frank White wrote: Hi, anyone has some advices to make more secure a browser like firefox ? chroot + systrace ? Thank you. apparently it's been done. David Coppa reported that he succeeded chrooting firefox here:

weird carp failover behavior

2015-08-19 Thread Devin Reade
I'm trying to understand an odd behavior during carp failover where one uplink goes numb until the demarc equipment is power cycled. Consider the following: ISP1-demarc ISP2-demarc | | SW1 (Net1) SW2 (Net2) - C |\ /| | X | |/ \| FW-A - FW-B

IPv6 source address selection

2015-08-19 Thread Denis Fondras
Hi, I have an OpenBSD5.7 router with IPv6 enabled. I have multiple IPv6 addresses : - em0 : 2a00:6060::1/64 - em1 : 2001:7f8:81::6:983:1/64 - gif0 : 2001:470:11:c8::2/128 IPv6 access is provided by HurricaneElectric tunnel with BGP. When I try to reach 2001:7a8:b5ad::1, 2001:7f8:81::6:983:1 is s

Multiple VLANs & PF rules

2015-08-19 Thread Dot Yet
Hello, I am replacing a Cisco ASA at my home with an openbsd server. I've pf with nat and some basic rules in place. my internal machines are able to reach out to the internet with no problems. I've a separate lab network of servers which are segregated into multiple VLANs. I've been able to creat

per-vlan traffic control

2015-08-19 Thread Paulo Coimbra
hi, This is my first mail to the list. Is it possible to limit traffic by Vlan with openbsd? For example I would like to limit 50mb for Vlan 100. Br, Paulo Coimbra -- br, Paulo Coimbra

Re: SuperMicro thin mini itx?

2015-08-19 Thread Chris Cappuccio
Try the X10SBA Quartz [qua...@sneakertech.com] wrote: > We need to build some OpenBSD-based network devices that we'd strongly > prefer to be based on SuperMicro hardware. Does anyone know offhand if they > offer any products that conform to the Thin-Mini-ITX standard? Their website > is unhelpful

Re: Multiple VLANs & PF rules

2015-08-19 Thread Giancarlo Razzolini
On 19-08-2015 16:50, Dot Yet wrote: > So, can one of you help me understand how I can write the pf rules to allow > communication between em1 and vlan 12/15 or communication between vlan 12 > and vlan 15 etc. If all machines have OpenBSD as their gateway, simple pass rules should do. No need fo

Re: Multiple VLANs & PF rules

2015-08-19 Thread Dot Yet
OK, great, that's helpful. The machines are all pointing to the openbsd server as their default gateway. the nat is only being used to get out to the internet (em0). internal subnets do not use nat to communicate. I don't want to use any routing protocol for this, but just simple firewall rules to

Re: Multiple VLANs & PF rules

2015-08-19 Thread Giancarlo Razzolini
On 19-08-2015 18:25, Dot Yet wrote: > The machines are all pointing to the openbsd server as their default > gateway. Nice. > the nat is only being used to get out to the internet (em0). internal > subnets do not use nat to communicate. So you have the setup I outlined. > I don't want to use

Re: redirect nor vpn (as I know it) solves this problem

2015-08-19 Thread Sonic
On Wed, Aug 19, 2015 at 12:53 PM, Giancarlo Razzolini wrote: > Just to be clear, your setup is something like this?: > > |GW | <- machine -> |OpenBSD| - > Internet > > So, when you connect using OpenBSD as the router, the packets get to the > machine, but since the machine doesn't have a direct r

Re: redirect nor vpn (as I know it) solves this problem

2015-08-19 Thread Stuart Henderson
On 2015-08-19, Sonic wrote: > On Fri, Aug 14, 2015 at 3:20 AM, Stuart Henderson > wrote: >> Config for this would be fairly similar to this example: >> http://www.openbsd.org/faq/pf/rdr.html#rdrnat > > I'm guessing you mean this example (?). >== > With an

Re: Multiple VLANs & PF rules

2015-08-19 Thread Dain Bentley
I have multiple vlans and a trunk port. I have hostname.vlan100 hostname.200 in /etc. then my pf.conf file uses packet tagging to separate the vlan traffic. On Wednesday, August 19, 2015, Dot Yet wrote: > Hello, > > I am replacing a Cisco ASA at my home with an openbsd server. I've pf with > na

Re: SuperMicro thin mini itx?

2015-08-19 Thread Quartz
Try the X10SBA Doesn't appear to fit the bill, unfortunately. That hdmi+displayport stack is too high, and while it has onboard DC12V it's missing the standardized plug on the back. Given that no one else has responded, I'm assuming that SuperMicro just doesn't make boards in this form fact

Re: per-vlan traffic control

2015-08-19 Thread James Shupe
On 8/19/2015 3:39 PM, Paulo Coimbra wrote: > hi, > This is my first mail to the list. Is it possible to limit traffic by Vlan with > openbsd? For example I would like to limit 50mb for Vlan 100. > > Br, > > Paulo Coimbra > > http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/pf.conf.5?que

Re: Openbsd 5.7: IPv6 autoconf not working

2015-08-19 Thread Alexandre Westfahl
On Wed, Aug 19, 2015 at 10:54 PM, Giancarlo Razzolini wrote: > On 18-08-2015 23:34, Alexandre Westfahl wrote: > > 6c00 0020 3aff fe80 > > > > 0001 ff02 > > > > 0001 8600 fa6d 40c0

dmesg: OneRNG hardware RNG plugged into Soekris 5501

2015-08-19 Thread Devin Reade
I've got one of the early units from , intended for providing input data to /dev/random. They currently have support for Linux via a simple command set to the device. (See the shell scripts in the tarball listed at .) I figured I'd plug this into