SolarScale Blog

Wildcarddnsd with authpf

Yesterday, I downloaded and installed OpenBSD 4.5. Today while I was configuring it I noticed the login group "authpf" and this got me started on making wildcarddnsd complete. I created a new subnet with vmware workstation and placed two of my virtual hosts inside it (Solaris and Windows XP). The new OpenBSD vmware guest acts as a firewall for both but locks them down if they haven't got their IP in the table "authpf_users". Here is what I did to my firewall rules:

table <authpf_users> persist
rdr pass on $int_if proto udp from !<authpf_users> to any port 53 \
        -> 127.0.0.1 port 8053

pass in on $int_if proto tcp from <authpf_users> to any keep state
pass out on $ext_if proto tcp from <authpf_users> to any keep state
pass in on $int_if proto udp from <authpf_users> to any keep state
pass out on $ext_if proto udp from <authpf_users> to any keep state
pass in on $int_if proto icmp from <authpf_users> to any keep state
pass out on $ext_if proto icmp from <authpf_users> to any keep state

So anyone whose IP isn't in the table authpf_users will get denied and also a custom non-recursing/non-tunneling wildcarddnsd will deliver them DNS errors. The wildcarddnsd is set up this way in /etc/rc.local:

# Add your local startup actions here.

/usr/local/sbin/wildcarddnsd -f /etc/wildcarddns.conf-1 -l -b2001:a60:f074::2
/usr/local/sbin/wildcarddnsd -f /etc/wildcarddns.conf-2 -l -b 127.0.0.1 -p 8053

echo '.'

There is really two of them but we'll not worry about the IPv6 one that one answers for ipv6.solarscale.de. You see that the second one is bound to localhost port 8053. It's configuration looks like this:

*,soa,1,neptune.ATLAS.,pbug.neptune.ATLAS,1,1,1800,7200,3600

Then I added users and in the adduser command you can specify whether I would like authpf and I did. Then I had to create two files in /etc/authpf/ called authpf.conf and authpf.rules which are blank (touch does this). And I was ready for testing it out.

This is how it looks like:

[root@uranus network-scripts]# ssh -p 1022 desdemona@192.168.0.31
The authenticity of host '192.168.0.31 (192.168.0.31)' can't be established.
RSA key fingerprint is b8:2d:37:4a:a3:35:36:56:e6:15:af:fb:44:93:7d:e8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.31' (RSA) to the list of known hosts.
desdemona@192.168.0.31's password: 
Last login: Sat May  2 14:58:43 2009 from 172.16.0.13
/usr/X11R6/bin/xauth:  creating new authority file /usr/home/desdemona/.Xauthority

Hello desdemona. You are authenticated from host "192.168.0.1"
^CRead from remote host 192.168.0.31: Connection reset by peer
Connection to 192.168.0.31 closed.

Why do I do this? Because I don't want people tunneling out via DNS, that's what wildcarddnsd was written for. I have no users but this is a sandbox for the program that I write.

PS: The wildcarddnsd dishing out non-resolvable addresses gives almost the same error message as the "unable to connect" firefox message when there is no wildcarddnsd. Unfortunately originally I wanted wildcarddnsd to answer with a wildcard IP but after testing this on solaris I noticed this breaks OS's like solaris that do caching of dns names. Also if you set the TTL low as in 1, eventually the real zone's ttl will surpass this but may not go lower again when the TTL is 1 again after unauthenticating as I suspect it is the case with mac os x. So in total my efforts for the last 3 years in developing wildcarddnsd were wasted and I busted my theory that this was possible, it may work on non-dns-caching OS's but not on ones that cache. I still use wildcarddnsd on the Internet for which I may still do development for it, but it's not the same intent as before.

Random Hackepedia

Often when downloading a file from the Internet, you will see either KB or Kb, however they are not the same thing:

Read more about Bytes at Hackepedia.

Solaris 10, configuring IPv6

This is just a reminder for myself on how I configured IPv6 on solaris because the box is needed for IPv4 only.

In /etc/hostname6.pcn0 should be: addif 2001:a60:f074::2/48 up
This is the same as is stated in the ifconfig manpage
In a script in /etc/rc2.d is a file called S69inet6 which has the contents:
#!/bin/sh
echo routing default ipv6
route add -inet6 default 2001:a60:f074::1
#

OpenBSD donation

I donated 15 euros to Theo De Raadt via bank transfer to his Munich bank account. In the exchange this is 24 dollars (CA) and is half of what I'd pay for an OpenBSD CD (in canada). I'm not buying 4.5 which is due tomorrow on the FTP servers and I'll just ftp it instead. For anyone wanting to donate some money to de Raadt should go here.

Random Hackepedia

When a system call fails inside a process, the system sets a variable called errno in the process with a certain integer. Usually a subsequent error message will contain the human readable string associated with the errno. Ie. if you do:

Read more about errno from Hackepedia.

Postfix Message Limit

I recently ran into a problem where someone wanted to send me a file larger than 10 MB. The limit in postfix is 10 MB exactly I think so here is the main.cf variables to set:

mailbox_size_limit = 0
message_size_limit = 102400000

This should increase the mail acceptable to 100 MB.

Random Hackepedia

A file descriptor is a handle in a program that allows data to be read and written. It is assigned a number starting at 0 and going to the file descriptor limit. A descriptor of -1 indicates an error. File descriptors are limited to files in filesystems but there is other sorts of descriptors (like sockets) that behave similarly so we bunch them together here.

Read more about File Descriptors from Hackepedia.

Mail with spam protection

I've installed postfix on my DSL link. It's protected from spammers by OpenBSD's spamd. Spamd rocks. Also I was sorta stuck getting the TLS to work with postfix, but I finally have this sorted out now I think. Here is a script that I made to create the certificates in $HOME/ssl, those get copied then (with tar) to /etc/postfix and the config for smtpd tls looks like this:

smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = no
smtpd_client_new_tls_session_rate_limit = 0
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_starttls_timeout = 300s
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_CApath = 
smtpd_tls_always_issue_session_ids = yes
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = no
smtpd_tls_ccert_verifydepth = 9
smtpd_tls_cert_file = /etc/postfix/ssl/certs/postfixcert.pem
smtpd_tls_key_file = /etc/postfix/ssl/certs/postfixkey.pem
smtpd_tls_dcert_file = 
smtpd_tls_dh1024_param_file = 
smtpd_tls_dh512_param_file = 
smtpd_tls_dkey_file = $smtpd_tls_dcert_file
smtpd_tls_exclude_ciphers = 
smtpd_tls_fingerprint_digest = md5
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_exclude_ciphers = 
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_received_header = yes
smtpd_tls_req_ccert = no
smtpd_tls_security_level = 
smtpd_tls_session_cache_database = 
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_wrappermode = no
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, permit_tls_clientcerts

It works now and I'm glad it's over. I'm bleeding now after having gone through books and google trying to get this right. I'm glad to be sharing it with you.

RFC 2460 Reading change

I've found and taken out 2 comments out of the audio RFC 2460 (IPv6) in the RFC audio section of this website. They were just screwing around and didn't really help with the professionalism of the reading.

Happy Equinox!

Tomorrow is vernal equinox. Happy equinox!