On 05/08/17 12:26, Markus Rosjat wrote:
Hi,
I have something like
bgp-spamd:\
:black:\
:msg="Your address %A has sent mail to a spamtrap\n\
within the last 24 hours":\
:method=file:\
:file=/var/mail/spamd.black:
in /etc/mail/spamd.conf
and a cro
On 05/08/17 09:59, Markus Rosjat wrote:
match from group "spam-bgp" community $spamASN:666 set pftable "bgp_spamd"
Try to remove this line from your /etc/bgpd.conf, it is not in the
example on http://bgp-spamd.net
Checked it against my working setup and it is missing there
On 05/08/17 14:13, Markus Rosjat wrote:
Am 08.05.2017 um 13:58 schrieb Kim Zeitler:
On 05/08/17 09:59, Markus Rosjat wrote:
match from group "spam-bgp" community $spamASN:666 set pftable
"bgp_spamd"
Try to remove this line from your /etc/bgpd.conf, it is not in the
e
On 05/08/17 14:42, Markus Rosjat wrote:
Am 08.05.2017 um 14:37 schrieb Kim Zeitler:
Could you check
bgpctl s
are there any messages received?
You can also check
bgpctl s neigh | grep state
This should give you at least 2 connections claiming to be established
regards
Cheers
Kim
I
On 05/08/17 15:12, Markus Rosjat wrote:
Am 08.05.2017 um 15:02 schrieb Kim Zeitler:
Did you allow BGP on your firewall?
I was not aware there need to be special rules for bgp
I meant your outer-bound firewall, that you pass towards the internet.
Depending on your network setup you need
hello misc,
I got the requirement for a more exotic setup in which some road
warriors are required to be in a different network segment.
From strongSWAN I know it is possible to match connections based on
userid/cert.
iked.conf(5) only gives examples for different gateways.
To cut a long st
On 07/18/18 11:37, Adonis Peralta wrote:
Will definitely do that, but still looking for any explanation from devs :).
https://marc.info/?l=openbsd-tech&m=135203532704213&w=2
Seems there have been some errors with offloading and I350 in the past
Cheers
Kim
On 10/28/18 3:04 PM, Radek wrote:
Hello,
I really need your help.
I am still trying to configure Ikev2 VPN Gateway (A.B.C.77/23) for road
warriors clients (Windows).
The problem is that it works ONLY if clients are in the same subnet as VPN
Gateway (A.B.C.0/23).
Clients from out of the gateway'
On 10/31/18 10:42 AM, Markus Rosjat wrote:
...
doas vi /etc/doas.conf
# Edit in vi
:w
:! doas -C %
You don't even have to leave your editor
Hello Radek,
On 11/2/18 10:16 PM, Radek wrote:
Thank you for your response,
Following your suggestion I removed IP from enc0 and changed iked.conf as below:
$ cat /etc/iked.conf
dns1 = "8.8.8.8"
dns2 = "8.8.4.4"
ikev2 "roadWarrior" ipcomp esp \
from 0.0.0.0/0 to 0.0.0.0/0 \
Good morning Radek,
I have a suspicion ...
For (1), (2) and (3) VPN is working just fine with Win7_warrior and
puffy_warrior if they are connecting from A.B.C.0/23 (it does not matter if
warrior has public IP or it is behind NAT). The rest of the world fails to
connect the VPN_server.
My qu
Hello
I have iked running connecting to a Fortigate FW.
Running 'ipsecctl -s a' gives me the correct flows, but a rising number
of SADs. The tunnel has been up 5 days and I got 212 SADs installed.
Do I need to set up some kind of dpd to have the old SADs pulled down,
or is my error, that ikel
66, 0 Oct 5 15:48 /dev/ttyU0
Any help how to debug this further is much appreciated.
Cheers Kim
--
Kim Zeitler
Hello
On 10/05/15 19:59, Nicholas Marriott wrote:
On Mon, Oct 05, 2015 at 10:07:21AM -0700, Philip Guenther wrote:
On Mon, Oct 5, 2015 at 6:54 AM, Kim Zeitler wrote:
I am trying to transfer a new firmware to a switch using cu(1) with XMODEM
using a USB-to-RS232 adapter and running on
Hello
Running -current I have currently got a minor issue with iked.
Trying to connect a security gateway running OpenIKED to a Fortinet
IPSEC fw. Connection is set up and seems to work (mostly) but following
behaviour is a bit of an issue.
IKED sends one CHILD_SA request containing all Traf
I just tried updating an EdgeRouterLite to the latest octeon snapshot
after replacing the kernel and unpacking base58.tgz
Literally all commands lead to
: pledge: Function not implemented
I would offer a ktrace/kdump but sadly my kdump also returns with said
error.
Cheers,
Kim
Hello
On 10/19/15 19:58, Sebastien Marie wrote:
RELEASE 5.8 returns ENOSYS ("Function not implemented") on tame(2) call
(which is the old name for pledge, so with the same syscall number).
I pulled the kernel down from the same URL path as the tgz I used.
Before reinstalling the system I notic
Hello Sebastien, hello Jonathan
@Sebastien thank you for your valuable hints and advice, I did learn
quite a bit from it. The machine has been reinstalled to the latest
snapshot, as it is needed.
On 10/20/15 12:30, Jonathan Gray wrote:
There is no OpenBSD bootloader for armv7 or octeon, in pa
Sorry for the last empty answer - you shouldn't try to multi-task
boot bsd.rd and select upgrade in the installer. (i hope.)
Thanks for the answer Ted, I will try it with the next snapshot and
will give feedback
Cheers
Kim
On 10/20/15 15:30, Ted Unangst wrote:
Kim Zeitler wrote:
Hello Sebastien, hello Jonathan
@Sebastien thank you for your valuable hints and advice, I did learn
quite a bit from it. The machine has been reinstalled to the latest
snapshot, as it is needed.
On 10/20/15 12:30, Jonathan Gray wrote
Might be a stupid question, but I haven't found an answer to it yet
- how does one update to a new snapshot/kernel on an octeon system?
boot bsd.rd and select upgrade in the installer. (i hope.)
I'm afraid this is not as simple as this, yet. You will also need to
copy your kernel to the fat16
What about the B50-80 (80LT003C): i3, Intel HD 4400, wifi B/G/N/AC,
Gigabit Ethernet, 2x USB3.
Got some for testing here (meant to run Windows actually) and had
some minor issues with them and sadly not enough time to look
fully into it. But first impressions weren't that 'impressive'
My x220
Hello all
currently I try to solve the phenomenon, that certain SSL sites are slow
when accessed via squid on OpenBSD. Mostly ownCloud in my case as well
as several web shops. The login screen alone taking minutes to load.
I tested this also with squid running on a debian vm showing no proble
On 01/28/16 23:04, Stuart Henderson wrote:
On 2016-01-28, Kim Zeitler wrote:
currently I try to solve the phenomenon, that certain SSL sites are slow
when accessed via squid on OpenBSD. Mostly ownCloud in my case as well
as several web shops. The login screen alone taking minutes to load
On 01/29/16 15:00, Stuart Henderson wrote:
$ curl https://owncloud.XX/apps/files_pdfviewer/js/previewplugin.js
curl: (7) Failed to connect to owncloud.XX port 443: Operation timed out
I have access to the logs and they show a mixture of 200 and 503
...and that pretty much ma
Sorry for the long wait, but had a free weekend and none of the site
techs got back to me until later today.
On 01/29/16 22:03, Stuart Henderson wrote:
If you have contact with any of the site admins see if they are
running on linux with tcp_tw_recycle=1, I think there is a strong
possibility t
Hello
I have a question concerning routes and ospf.
We are using iked(8) with a gif(4) interface and ospfd(8) to set up
routing.
If the ipsec tunnel is down, no ospf route is set and the default route
used.
Is it sensible and possible to add a null-route from the vpn-gateway to
the remote-
On 11/07/17 15:31, Jeremie Courreges-Anglas wrote:
On Tue, Nov 07 2017, Stuart Henderson wrote:
I have a question concerning routes and ospf.
We are using iked(8) with a gif(4) interface and ospfd(8) to set up
routing.
If the ipsec tunnel is down, no ospf route is set and the default rou
On 11/07/17 16:13, Jeremie Courreges-Anglas wrote:
On Tue, Nov 07 2017, Kim Zeitler wrote:
On 11/07/17 15:31, Jeremie Courreges-Anglas wrote:
On Tue, Nov 07 2017, Stuart Henderson wrote:
I have a question concerning routes and ospf.
We are using iked(8) with a gif(4) interface and ospfd
On 11/08/17 08:37, Claudio Jeker wrote:
On Tue, Nov 07, 2017 at 04:13:51PM +0100, Jeremie Courreges-Anglas wrote:
On Tue, Nov 07 2017, Kim Zeitler wrote:
On 11/07/17 15:31, Jeremie Courreges-Anglas wrote:
On Tue, Nov 07 2017, Stuart Henderson wrote:
I have a question concerning routes
Hello
On 01/30/18 22:00, Peter Müller wrote:
Hello *,
I am trying to set up an IPsec connection between OpenBSD 6.2
and an IPFire firewall, while the OpenBSD is a road warrior.
There, I use "iked", while the firewall is running "strongswan".
After struggling with some cryptography issues (curv
Hello,
before I start getting creative with openssl(1) on my ikectl(8) created ca.
Yesterday my ca certificate expired and I need to renew it (without
losing all the client certificates)
Is there a recommended way of renewing the ca.crt created using ikectl
ca create?
I didn't find anything
Hello Stuart
thanks for the reply, already suspected something along those lines.
On 12/10/18 7:14 PM, Stuart Henderson wrote:
It's a bit awkward but can be done, you'll find some information at
https://serverfault.com/questions/306345/certification-authority-root-certificate-expiry-and-renewa
Hello
On 10/28/16 08:55, Mik J wrote:
Hello,
I have FTP clients behind my Openbsd firewall and they want to access ftp sites
on the internet
I have read numerous documentations but haven't found the answer yet.
* I start the ftp-proxy like this
/usr/sbin/ftp-proxy -D7 -v
* I have rules in m
Hi Markus
On 01/27/17 09:44, Markus Rosjat wrote:
> Hi there,
>
> so my question is what is the best strategy to migrate an existing LDAP
> directory from a system that has sendmail and courier running to a
> system with openSMTP and Dovecot.
>
Couple of years ago we changed from Courier to Doveco
Hello,
On 07/13/15 22:29, Stuart Henderson wrote:
On 2015-07-13, Indunil Jayasooriya wrote:
I deleted 30 from that line. Now it looks like this.
/var/squid/logs/access.log _squid:_squid 640 14 *
@T00Z /var/squid/logs/squid.pid
Now it seems to work
But now it sen
Here are my notes, which are basic, but should be enough to get you through if
you're familiar with openbsd.
http://www.tedunangst.com/flak/post/OpenBSD-on-ERL
Hi Ted,
I just worked through the /pub/OpenBSD/snapshots/octeon/INSTALL.octeon
write up and also read through your notes.
Had proble
Hi
I'm currently trying to set up an OpenIKED GW running 5.7-stable with a
proprietary fw/VPN hosted at one of our clients.
Seemingly worked so far ipsecctl shows flows and SADs. I was able to
ping a machine on the 'other-side' but this stopped without apparent reason.
Diving deeper into the
Hello
maybe a stupid question, but is it possible to run a carp(4) interface
on vlan(4) interfaces?
In the following setup we have the problem that both boxes can be pinged
on their address associated with their respective vlan(4) interface, but
not on the carp(4) interface IP. Both boxes ar
Hello Martin, hello Sebastian
On 04/25/16 10:15, Martin Pieuchot wrote:
On 25/04/16(Mon) 09:48, Sebastian Reitenbach wrote:
I'm trying to upgrade a HA carped firewall cluster to 5.9 but run into
issues.
Which issues? After reading your whole email I still don't understand
your problem(s). W
Hello Martin
On 04/25/16 11:12, Martin Pieuchot wrote:
On 25/04/16(Mon) 10:47, Kim Zeitler wrote:
He is running a carp interface on top of a vlan interface. In this scenario
the carp interface can not be pinged but the vlan interfaces can.
Do you mean the CARP node does not answer to ping
Hello Martin
before I go further - I just run a ping test with the tcpdump as you
requested and it did work. The only thing that was changed was an
upgrade from GENERIC.MP#1983 -> GENERIC.MP#1997.
On 04/25/16 11:56, Martin Pieuchot wrote:
He is running a carp interface on top of a vlan int
Hello
having run a 'pure' ipsec tunnel for some years now I was wondering if
there are more advantages in using a tunnel like gre(4),gif(4) or
etherip(4) over ipsec except being able to set the mtu or pass Layer2
traffic?
Thanks for your answer
Kim
libiconv
Update candidates: quirks-1.113 -> quirks-1.113 (ok)
Can't install libiconv-1.14p1 because of libraries
|library c.73.1 not found
| /usr/lib/libc.so.75.0 (system): bad major
Cheers,
--
Kim Zeitler
On 22.07.2014 17:55, Philip Guenther wrote:
>> OpenBSD gaia 5.5 GENERIC.MP#126 amd64
>>
>
> That's not the 5.5 release. The 5.5 release GENERIC.MP for amd64 had a
> banner of:
> OpenBSD 5.5 (GENERIC.MP) #315: Wed Mar 5 09:37:46 MST 2014
>
> so the build number is clearly off.
>
>
> You h
Hello Waldemar,
On 24.07.2014 17:44, Waldemar Brodkorb wrote:
> Hi Peter,
> Peter Hessler wrote,
>
>> if the addresses on the carp interface are out of sync, then the hashes
>> won't match, and the firewalls *WILL* conflict with each other.
>>
>> I recommend one IP per carp interface. Far nicer i
Hello Adrian,
On 31.07.2014 18:59, Adrian Jervolino wrote:
>
> My questions to you are: Has anybody run into similar issues and was
> able to resolve them? Do you think this is an OpenBSD related issue and
> actually solvable (in a reasonable amount of time)?
>
> Swapping the motherboard is curre
> How can I configure firewalls so they are resistant to those power
> failures (ie do not need fsck)? How should I partition? Which partitions
> should be mounted read-only? Which should be mounted as memory disks? Which
> size should I allocate for memory disks (RAM is a constraint here as I
> have only 256Mb)? Any other advice?
>
> Thank you in advance,
>
--
Kim Zeitler
Master on A and B.
Is there a possibility to join the CARP state of 2 interfaces i.e. both
Master or both Backup, no mix.
Thanks in advance
Kim Zeitler
> All in all the default install is pretty useless in itself and I am going
> to quote "Absolute OpenBSD" by Michael Lucas:
>
> «You're installed OpenBSD and rebooted into a bare-bones system. Of
> course, a minimal Unix-like system is actually pretty boring. While it
> makes a powerful foundat