OpenBSD Bridge

Bridge Interfaces on APU

Let’s assume you have an APU2/3/4 and you wanna Bridge some of it’s Interfaces, em0/em1/em2

Create Bridge, add Interfaces

cat << 'EOF' > /etc/hostname.bridge0
add vether0
add em0
add em1
add em2
up
EOF

Create Interfaces

echo "up" >> /etc/hostname.em0
echo "up" >> /etc/hostname.em1
echo "up" >> /etc/hostname.em2

Create L3 Interface

cat << 'EOF' > /etc/hostname.vether0
inet  autoconf
inet6 autoconf -temporary -soii
up
EOF

Bring Up all together

sh /etc/netstart

or do a simpy reload

OpenBSD 7.5

OpenBSD 7.5 finally released

The 56th Release of OpenBSD was announced. My Upgrade Script is available here.

Highlights

  • added support for various new hardware, numerous performance improvements and of course security enhancements.
  • IPv6 support in ppp(4)

see the Post on Undeadly for more Details, or the OpenBSD Page

Script

doas su -
cd /root
ftp https://blog.stoege.net/scripts/{.helpers,upgrade_to_75.sh}
chmod u+x upgrade_to_75.sh

Execute

do the Upgrade

./upgrade_to_75.sh

after the reboot

Upgrade Packages

just run the Script again

FreeSwitch

Basic Commands

Logging

set Level 1..7

fsctl loglevel 7

Any Comments ?

sha256: c8bd29c15fa6239c45d9f1c161bf625e6ced9ae690a971b4ead212769dfba55f

PF Basics

Basic Ruleset

  • Full Connectifity v4/v6
  • allow SSH in from RFC1918
  • allow all outgoing
# Backup
cp /etc/pf.conf /etc/pf.conf.bak-$(date "+%s")

# Paste new Ruleset
cat << 'EOF' > /etc/pf.conf

#######################################################################################################################
#
# OpenBSD PF Template
#
#######################################################################################################################

########################
### DEFAULT SETTINGS ###
########################

set block-policy drop
set limit states 100000
set limit table-entries 1000000
set optimization normal
set ruleset-optimization none
set skip on { lo0 enc0  }
set syncookies adaptive (start 25%, end 12%)


########################
### MACROS           ###
########################

# log block
lb  = "log"

# log pass
lp  = "log"


########################
### NORMALIZATION    ###
########################

match inet  scrub (no-df max-mss 1380)
match inet6 scrub (max-mss 1360)


########################
### Block all / uRPF ###
########################

block     log
block in  log quick from urpf-failed label uRPF


############################
### DHCP & IPv6 Stuff    ###
############################

# Allow DHCP
pass      $lp quick inet  proto udp       from  any     port 68   to 255.255.255.255  port 67
pass      $lp quick inet  proto udp       from  any     port 68   to (self)           port 67
pass      $lp quick inet  proto udp       from  (self)  port 67   to any              port 68

# In
pass in   $lp quick inet6 proto ipv6-icmp all                           icmp6-type { unreach toobig neighbrsol neighbradv } keep state

# Out
pass out  $lp quick inet6 proto ipv6-icmp from (self)     to fe80::/10  icmp6-type { echoreq echorep neighbradv neighbrsol routeradv routersol } keep state
pass out  $lp quick inet6 proto ipv6-icmp from (self)     to ff02::/16  icmp6-type { echoreq echorep neighbradv neighbrsol routeradv routersol } keep state

# In
pass in   $lp quick inet6 proto ipv6-icmp from fe80::/10  to fe80::/10  icmp6-type { echoreq neighbradv neighbrsol routeradv routersol } keep state
pass in   $lp quick inet6 proto ipv6-icmp from fe80::/10  to ff02::/16  icmp6-type { echoreq neighbradv neighbrsol routeradv routersol } keep state
pass in   $lp quick inet6 proto ipv6-icmp from ff02::/16  to fe80::/10  icmp6-type { echoreq neighbradv neighbrsol routeradv routersol } keep state
pass in   $lp quick inet6 proto ipv6-icmp from ::         to ff02::/16  icmp6-type { echoreq neighbradv neighbrsol routeradv routersol } keep state


############################
### MyTrust for Hosts    ###
############################

# Allow RFC1918
pass in   $lp quick inet  proto tcp   from { 10/8 172.16/12 192.168/16 }             to (self) port 22

# Allow all Out
pass out  $lp quick


#######################################################################################################################
# End
#######################################################################################################################
EOF

# check & reload
pfctl -nf /etc/pf.confad && pfctl -f /etc/pf.conf

Any Comments ?

sha256: e41b3f0d6bbb5edf23921f2f8bdc7fc83b9ed8676d7e3e62b746af25aae2f30c

OpenBSD RDomains

Intro

Let’s assume you have a Mikrotik Router which got a Mgmt Interface with IP: ‘192.168.88.1/24’ and DHCP Server enabled. You wann Access the Router via HTTP/HTTPS while offering Internet Services for the Mikrotik Router. You have an APU and OpenBSD running. What do you do ?

Setup

  • 2 NIC’s
  • em0: dhcp client, default route, rdomain 0
  • em3: dhcp client, rdomain 3

Interfaces

Interface em0

cat << 'EOF' > /etc/hostname.em0
# Public Internet
inet 	autoconf
inet6	autoconf
EOF

Interface em3

Mikrotik

Some Commands for Mikrotik NewBees

Quick Guide - CCR2004-1G-12S+2XS

CCR2004-1G-12S+2XS - User Manual

MikroTik wired interface compatibility

Copper SFP (not able todo Auto Negotiation)

/interface/ethernet/set sfp-sfpplus1 auto-negotiation=no

Update Packages

/system package update check-for-updates
/system package update install
reboot

Upgrade Firmware

/system routerboard print
/system routerboard upgrade
/system reboot; 

Reset Config

/system/reset-configuration
  MMM      MMM       KKK                          TTTTTTTTTTT      KKK
  MMMM    MMMM       KKK                          TTTTTTTTTTT      KKK
  MMM MMMM MMM  III  KKK  KKK  RRRRRR     OOOOOO      TTT     III  KKK  KKK
  MMM  MM  MMM  III  KKKKK     RRR  RRR  OOO  OOO     TTT     III  KKKKK
  MMM      MMM  III  KKK KKK   RRRRRR    OOO  OOO     TTT     III  KKK KKK
  MMM      MMM  III  KKK  KKK  RRR  RRR   OOOOOO      TTT     III  KKK  KKK

  MikroTik RouterOS 7.10.1 (c) 1999-2023       https://www.mikrotik.com/

Press F1 for help

-------------------------------------------------------------------------------
The following default configuration has been installed on your router:

Welcome to RouterOS!
   1) Set a strong router password in the System > Users menu
   2) Upgrade the software in the System > Packages menu
   3) Enable firewall on untrusted networks
-----------------------------------------------------------------------------
LAN:
    IP on ether1:    192.168.88.1/24;

-------------------------------------------------------------------------------
You can type "v" to see the exact commands that are used to add and remove
this default configuration, or you can view them later with
'/system default-configuration print' command.
To remove this default configuration type "r" or hit any other key to continue.
If you are connected using the above IP and you remove it, you will be disconnected.

Initial Config

/interface bridge add name=local
/interface bridge port add interface=ether2 bridge=local
/ip address add address=192.168.88.1/24 interface=local

Backup Config

# show full Config
export

# show non defaults
export compact

# show non defaults, hide sensitive stuff
export compact hide-sensitive

# write config to myconfig
export compact hide-sensitive file=myconfig

Any Comments ?

sha256: 4cffb5ddbd4d0059c71e311bc75a67839be888f15291cec9ac6d0c24478fffdd

.vimrc

use vim ? i’m happy with the following settings …

.vimrc

cat << 'EOF' > ~/.vimrc
" Use 2 spaces for tabs
set shiftwidth=2
set tabstop=2
set expandtab
set softtabstop=0
set ruler
set mouse=r

" Disable backup and swap files because they cause more problems than they solve
set nobackup
set noswapfile

" Color
syntax on
" colorscheme delek

" Display line numbers
"set number
EOF

Any Comments ?

sha256: 809ddad49fd2f2b3cae0a89099e148c4c8ed6ae56940ac04e1b0f1fe32afc0a1

Cisco - SSH Key Auth

Intro

do you wanna login into your cisco switches with ssh & public key. you can build your config easily and copy/paste it to your switch(es).

Set & Check Variables

  • pubkey: read from ~/.ssh/id_rsa.pub
  • username: root
  • password: will be generated. or set it by hand
# get & convert public key
pubkey=$(cat ~/.ssh/id_rsa.pub |cut -d' ' -f 2 |fold -b -w 72)

# Username Switch
username=root

# Password for User
password=$(openssl rand -hex 12)

# Full Line
echo "username $username privilege 15 password $password"

SSH Pubkey Auth Config Snippet

# Build Config
cat  << EOF


############################################
# Copy/Paste to your Cisco Devices - START #
############################################

conf t

# Set Version
ip ssh version 2
no aaa new-model

# Set User
username $username privilege 15 password $password

# Set Key
ip ssh pubkey-chain 
username $username 
key-string
$pubkey
exit
exit
exit

# vty Stuff
line vty 0 15
 login local
 transport input ssh

end
write
exit

############################################
# Copy/Paste to your Cisco Devices - END   #
############################################


EOF

you should test it in a lab environment before running on productiv switches ;)

RSA - Weak Keys

Intro

Did you ever try to generate a small RSA Key ? Today, you should go with 3072 oder 4096 Bits, or use ECC.

With current Versions of OpenSSL, you can’t generate Key Smaller than 512 Bit.

128 Bit Key

import rsa

pubkey,privkey = rsa.newkeys(128)
print(pubkey.save_pkcs1('PEM').decode('UTF-8'))
print(privkey.save_pkcs1('PEM').decode('UTF-8'))

32 Bit Key

import rsa

pubkey,privkey = rsa.newkeys(32)
print(pubkey.save_pkcs1('PEM').decode('UTF-8'))
print(privkey.save_pkcs1('PEM').decode('UTF-8'))

16 Bit Key

import rsa

pubkey,privkey = rsa.newkeys(16)
print(pubkey.save_pkcs1('PEM').decode('UTF-8'))
print(privkey.save_pkcs1('PEM').decode('UTF-8'))

sample with 16Bit RSA Key

Git - Mass Updater

Intro

Let’s assume you have a bunch of GIT Repos in a Folder like this:

/project1/
    /repo1/
    /repo2/
    /repoN/

and you would like to update all of them ? here a little helper.

  • Loop over all Folders
  • check if ‘.git’ exists
  • if so, do a git pull –all

Script

Copy/Paste it to your Terminal and you get a executable Script called ‘git_update_all.sh’.

cat << 'EOF' > git_update_all.sh
#!/usr/bin/env bash

# Get the current script directory
script_dir=$(dirname "$(readlink -f "$0")")

# Change into each directory in the script folder
for dir in "$script_dir"/*; do

    if [ -d "$dir" ]; then

        cd "$dir" || exit 1

        if [ -d ".git" ]; then

            echo "Updating Git repository in $dir"
            git pull --all

        else

            echo "Skipping $dir - not a Git repository"

        fi

        cd "$script_dir" || exit 1

    fi

done

echo "Git update for all repositories completed."
EOF

# make it executable
chmod u+x git_update_all.sh

Usage

and then run it, like it, use it :)