cynicalsecurity is a user on


@aag @benno sync’d over pfsync as you cannot pfsync over four firewalls two of which are on a different provider. What I thought would happen is that OSPF would carp demote, the gateway IP would flip to the primary of the backup pair and internal connections would continue working simply because this is just a routing glitch. The fact that they die seems to imply that some rewriting is taking place.

@benno @aag Oh, sorry, I wasn’t asking for remote debugging, I was thinking out loud as I thought about the issue.

I’m pretty sure that PF states cannot possibly transfer for connections to externally routable IPs: that is totally obvious. I am now wondering if there’s a mistake in the PF configuration which is somehow adding states for connections across the internal OSPF-routed network which shouldn’t be there and therefore dying when transferred to the backup firewall pair which cannot be…

@aag well, the question here is how to “move” internal connections from primary to secondary link. Clearly those to the public IPs will fail (different external IPs) but I would have liked the re-routing to work well via OSPF but it doesn’t. For some reason all the internal connections die instead of re-routing when the gateway changes from the now-dead primary firewall couple to the secondary couple. The routes re-converge rapidly but obviously something else is amiss.

An update to my iOS Gopher client is now out.

The main changes:

- fix crashes when searching for non-ASCII characters.
- fix display of directories with servers that do not send the proper line endings
- fix settings display on iPad
- recognizes errors (type 3)

Work on the next update will commence next week. (I'm hoping to improve the history handling, make improvements to the settings screen, and finish support for the 'w' type from @kensanata)

For those who were interested in my IKEv2 issue on the situation is currently as follows:

• the fibre the two firewalls are connected to suffers from micro-outages of 30-50 seconds,
• the symptom is that the SAs eventually disappear from ipsecctl -s all
• the solution is, currently, to route traffic via the backup firewalls with another provider with 1/2 the bandwidth… thank goodness for carp demote and OSPF integration :)

#OpenSSH just gained its first post-quantum signature algorithm, the eXtended Merkle Signature Scheme (XMSS):

@spacerog I tried to open a new one, “Cabal”, but failed to attract anything better than sporadic (but “heavy”) discussion.

At the moment my best recommendation is to have a huge OPML file which collects over 300 RSS feeds and use r2e to have them emailed to you daily. So far it has worked pretty well!

I have rarely been caught by surprise on the bird site except for “drama”.

Where is SeaBIOS built for /etc/firmware/vmm-bios? Where can I find out more about SGABIOS for SeaBIOS? I want to try my hand at building my own SeaBIOS images for vmm(4). All I've found are release note bullet points, and undeadly articles linking to mailing list archives.


@cynicalsecurity KubeADM doesn't like swap partitions. Now, nowhere (except the depths of GitHub Issues, perhaps) does it say why. Only that it does not. So I go to disable swap partitions on Ubuntu.

sudo swapoff -a
edit /etc/fstab

but no! a challenger appears -- systemd automounts a swap partition if it detects one!!!

so much frustration...
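The swap clean-up described in the post above, as an added example (not @aag's own commands and not part of kubeadm): it comments out swap entries in an fstab file, derives the systemd .swap unit name for the device, and masks that unit so systemd cannot bring the partition back. The fstab contents and the device path /dev/sda2 are constructed for the demonstration; the assumption is that masking the generated .swap unit is what prevents systemd from reactivating a detected swap partition after the fstab entry is gone.

```shell
#!/bin/sh
# Added example: take a swap partition out of service so kubeadm's preflight
# passes and systemd does not bring it back on reboot. Every step that would
# change the system goes through run(), which only echoes when DRY_RUN=1.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Print the device field of every active (uncommented) swap entry in an fstab file.
list_fstab_swap() {
    awk '!/^[[:space:]]*#/ && NF >= 3 && $3 == "swap" { print $1 }' "$1"
}

# Comment out swap entries, leaving every other line untouched. Writes through
# a temp file so a failure half-way never leaves a truncated fstab behind.
disable_fstab_swap() {
    fstab="$1"
    tmp="$(mktemp "${fstab}.XXXXXX")"
    awk '!/^[[:space:]]*#/ && NF >= 3 && $3 == "swap" { print "#" $0; next } { print }' \
        "$fstab" > "$tmp" && mv "$tmp" "$fstab"
}

# systemd unit name for a swap device, e.g. /dev/sda2 -> dev-sda2.swap.
# Uses systemd-escape when present; the fallback only handles device paths
# whose components contain no characters that need escaping ('-' or '.').
swap_unit_name() {
    if command -v systemd-escape >/dev/null 2>&1; then
        systemd-escape --path --suffix=swap "$1"
    else
        printf '%s.swap\n' "$(printf '%s' "$1" | sed 's|^/||; s|/|-|g')"
    fi
}

# Mask the .swap unit for each device so systemd's generators cannot activate
# it again, then turn swap off now and reload units.
mask_swap_units() {
    for dev in "$@"; do
        unit="$(swap_unit_name "$dev")"
        run systemctl mask "$unit"
    done
    run swapoff -a
    run systemctl daemon-reload
}

# Demonstration on a constructed fstab (not the real /etc/fstab).
# On a real host, as root: devs=$(list_fstab_swap /etc/fstab);
#   disable_fstab_swap /etc/fstab; mask_swap_units $devs
demo_fstab="$(mktemp)"
cat > "$demo_fstab" <<'EOF'
# /etc/fstab: constructed sample
UUID=1111-2222  /      ext4  errors=remount-ro 0 1
/dev/sda2       none   swap  sw                0 0
EOF
swap_devs="$(list_fstab_swap "$demo_fstab")"
echo "swap entries found: $swap_devs"
disable_fstab_swap "$demo_fstab"
DRY_RUN=1 mask_swap_units $swap_devs
rm -f "$demo_fstab"
```

After the real run, `systemctl list-units --type swap --all` should show the unit as masked and `swapon --show` should print nothing; if a partition still appears, its unit name differs from the fstab-derived one and must be masked by the name systemd reports.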

@aag I feel for you: been handed a CentOS VM to “maintain”. Nothing makes sense, can’t even figure out where stuff is configured.

Today, I'd like to thank @phessler for creating and maintaining the instance.

I am rapidly losing hope of finding a suitable replacement for my hosted x86 boxen at home using ARM :( This saddens me infinitely.

I had promised an update about my PINE64-LTS project (

* discovered the hard way that you cannot boot from eMMC,
* discovered the hard way that no image boots on the PINE64-LTS,
* about to try one of their horrible Linsux images.

For reference: the PINE64-LTS “looks like” a SOPINE, *NOT* a PINE64 (which is currently available only in 512M/1G variants and does not support eMMC which I wanted).

I would also recommend waiting for the PINE64H...

the link where this is occurring and the other links is that this one is somewhat less reliable (routing flaps, etc.) but, as one side is passive and the other active, I am assuming that even if the link is interrupted during rekeying it should “insist” and eventually rekey.

I cannot find any other logical explanation as everything else is setup identically (iked.conf & ipsec.conf are auto-generated, etc.).

Anyone with ideas? I have already increased logging and am waiting for the SAs to drop.
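For the "SAs disappear from ipsecctl -s all" symptom described here and in the IKEv2 update above, an added example of a small monitor (not from the original posts): it counts the SAs in the SAD section of `ipsecctl -s all` output, lists their endpoints and SPIs so a before/after comparison shows which peer lost its SAs, and warns when the count drops below the expected number. The ipsecctl output and the 192.0.2.x addresses are constructed samples; the expected count of two SAs per transport (one per direction) is an assumption.

```shell
#!/bin/sh
# Added example: watch the number of IPsec SAs reported by ipsecctl(8) and
# warn as soon as it drops below what the configuration should produce.
# Runs offline against constructed output; on a firewall, feed it the real
# thing, e.g. from cron every minute:
#   check_sas "$EXPECTED" "$(ipsecctl -s all)" || logger -p daemon.warning "IPsec SA count low"

# Count SAs in the SAD section of the `ipsecctl -s all` output passed as $1.
# Each SA is one line starting with its protocol (esp or ah); the FLOWS
# section above it is skipped. grep -c prints 0 on no match, hence || true.
count_sas() {
    printf '%s\n' "$1" | sed -n '/^SAD:/,$p' | grep -cE '^(esp|ah) ' || true
}

# Print "<proto> <mode> <src> <dst> <spi>" for every SA, for diffing runs.
list_sas() {
    printf '%s\n' "$1" | sed -n '/^SAD:/,$p' \
        | awk '$1 == "esp" || $1 == "ah" { print $1, $2, $4, $6, $8 }'
}

# Return 0 when at least $1 SAs are present in output $2, else print a
# timestamped warning (so it lines up with iked's log) and return 1.
check_sas() {
    expected="$1"
    n="$(count_sas "$2")"
    if [ "$n" -lt "$expected" ]; then
        printf '%s WARNING: %s of %s expected SAs present\n' \
            "$(date '+%Y-%m-%dT%H:%M:%S')" "$n" "$expected" >&2
        return 1
    fi
    return 0
}

# Constructed sample: two transport-mode SAs (one per direction) covering a
# gif(4) tunnel between two static endpoints, shaped like ipsecctl -s all.
SAMPLE_OK='FLOWS:
flow esp in proto ipencap from 192.0.2.2 to 192.0.2.1 peer 192.0.2.2 type require
flow esp out proto ipencap from 192.0.2.1 to 192.0.2.2 peer 192.0.2.2 type require

SAD:
esp transport from 192.0.2.1 to 192.0.2.2 spi 0x1a2b3c4d auth hmac-sha2-256 enc aes-256
esp transport from 192.0.2.2 to 192.0.2.1 spi 0x5e6f7a8b auth hmac-sha2-256 enc aes-256
'

# Constructed sample of the failure: flows still installed, SAD empty.
SAMPLE_DROPPED='FLOWS:
flow esp in proto ipencap from 192.0.2.2 to 192.0.2.1 peer 192.0.2.2 type require
flow esp out proto ipencap from 192.0.2.1 to 192.0.2.2 peer 192.0.2.2 type require

SAD:
'

echo "SAs present: $(count_sas "$SAMPLE_OK")"
list_sas "$SAMPLE_OK"
check_sas 2 "$SAMPLE_OK" && echo "healthy"
check_sas 2 "$SAMPLE_DROPPED" || echo "SAs dropped: time to read the iked log"
```

Saving `list_sas` output on each run and diffing it against the previous one narrows the problem to the peer whose SAs vanished, which is more useful than the bare count when only a few of many transports are affected.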

Am having an interesting problem with 6.1 iked:

I have 80 IPsec transports set up to “cover” GIF tunnels between static IP endpoints, all OpenBSD 6.1. They were recently migrated from an ISAKMPd setup to IKEv2 using iked and they work splendidly except four of them.

For some bizarre reason two firewalls eventually “drop” off and the only symptom is that the SAs disappear as if the rekeying by iked fails and yet there is nothing obvious in the logs.

The only difference between...

ice cold take

About 1/3 of people with depression have high levels of inflammation markers in their blood. An explanation of the correlation is that inflammation appears to reduce signaling between brain regions associated with the ability to experience pleasure: motivation and reward.

So, not a surprise that there is a strong dietary quality correlation: processed food eaters (controlling for an array of other factors) were 58% more likely to suffer depression.

@dildog welcome to a quieter, more civilised social network where we have, so far, had extremely interesting and civilised conversations on, for example, CPU design & faults :)

I am looking for tests of an #OpenBSD #wifi diff that affects several drivers: iwn(4), iwm(4), athn(4), wpi(4)

This is in response to (⚠️ potential confusion alert: That post contains top-posting!)