Re: sshd brute force attempts?

2006-09-20 Thread Matthew Seaman
Peter N. M. Hansteen wrote:
 Dan Mahoney, System Admin [EMAIL PROTECTED] writes:
 
 I've found a few things based on openBSD's pf, but that doesn't seem to be 
 the default in BSD either.
 
 Recent BSDs (all of them, FreeBSD 5.n/6.n included) have PF in the base 
 system.
 'overload' rules are fairly easy to set up, eg 
 
 table <bruteforce> persist
 
 # Then somewhere fairly early in your rule set you set up to block from the
 # bruteforcers
 
 block quick from <bruteforce>
 
 # And finally, your pass rule.
 
 pass inet proto tcp from any to $localnet port $tcp_services \
     flags S/SA keep state \
     (max-src-conn 100, max-src-conn-rate 15/5, \
      overload <bruteforce> flush global)
 
 for more detailed discussion see eg 
 http://www.bgnett.no/~peter/pf/en/bruteforce.html

The really nice thing about this pf based technique is that it does not
need to scan log files (like most of the other brute force blockers). So
you can use it on a gateway firewall to protect a whole network of
machines behind it.

Although in that case having a whitelist of IPs that are always allowed
to connect would be sensible.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
  Kent, CT11 9PW
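
The whitelist suggested above, combined with the quoted overload rule. This is an added example, not part of either poster's message: the `<ssh_whitelist>` table, the `pf_ssh_rules` helper and the addresses passed to it are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the thread). Prints a pf.conf fragment in which
# whitelisted sources are passed before the <bruteforce> block rule, so they
# are never rate limited and can never be locked out by the overload rule.
# usage: pf_ssh_rules <protected-net> <whitelisted-source>...
pf_ssh_rules() {
    [ $# -ge 2 ] || { echo "usage: pf_ssh_rules net addr..." >&2; return 1; }
    localnet=$1; shift
    printf 'localnet = "%s"\n' "$localnet"
    printf 'tcp_services = "{ ssh }"\n'
    # Remaining arguments become the members of the constant whitelist table.
    printf 'table <ssh_whitelist> const { %s }\n' "$(echo "$*" | sed 's/ /, /g')"
    cat <<'EOF'
table <bruteforce> persist

# 1. Always-allowed sources: 'quick' stops evaluation here, so these hosts
#    never reach the block rule or the rate-limited pass rule below.
pass quick inet proto tcp from <ssh_whitelist> to $localnet port $tcp_services \
    flags S/SA keep state

# 2. Sources that already tripped the overload rule.
block quick from <bruteforce>

# 3. Everyone else: allowed, but moved into <bruteforce> when a limit is hit.
pass inet proto tcp from any to $localnet port $tcp_services \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, \
     overload <bruteforce> flush global)
EOF
}

# Demo with constructed values (documentation address ranges).
pf_ssh_rules 10.0.0.0/24 192.0.2.10 198.51.100.0/28
```

Write the output to a file and check it with `pfctl -nf` on that file before loading it; `pfctl -t bruteforce -T show` lists the addresses currently blocked.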





___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Virus/Disallowed Object Notification[StampID=722228b4eafa60238e7005c22d66ff11]

2006-09-20 Thread support
Date: Wed Sep 20 10:25:57 2006

 NOTIFICATION start 

This email was scanned for viruses by ServGate EdgeForce security gateway.

[Original Message Header]
From: [EMAIL PROTECTED]
Subject: rmkjnw

[Detail]
The following action has been applied to the below attachments:
Attachment Name: attachment.scr, Virus Found: W32/[EMAIL PROTECTED], Status: 
Deleted

 NOTIFICATION end 



pf.os matching 6.1-RELEASE

2006-09-20 Thread Gouverneur, Thomas

Hi,

While making my pf.conf, I wanted to match all my FreeBSD boxes in one rule
and subnet independent.

I've done this by using pf's OS fingerprinting and it worked well since 6.X
releases...

The problem is that pf.os doesn't include sets of fingerprints for the latest
FreeBSD releases, and then all my rules get screwed with the latest updates. :-/

Does someone already have the new fingerprint for FreeBSD boxes?

Regards,

--
Thomas Gouverneur
Junior UNIX Administrator
TI Automotive



The information contained in this transmission may contain privileged and 
confidential information.  It is intended only for the use of the person(s) 
named above. If you are not the intended recipient, you are hereby notified 
that any review, dissemination, distribution or duplication of this 
communication is strictly prohibited. If you are not the intended recipient, 
please contact the sender by reply email and destroy all copies of the original 
message.


Thin Clients

2006-09-20 Thread Davison, Robert
I've been looking at the Sun Ray terminals and like the idea of using thin 
clients to connect to the main server to run apps. Are there any programs in 
the ports which allow a similar set-up using FreeBSD? I know you can do this 
with X but would need a tutorial to help me through it.

Anyone had a go at connecting a Sun Ray to FreeBSD, or are the protocols totally 
different?

Robert Davison
Senior Project Manager

DAVIS LANGDON LLP
Everest House
Rockingham Drive
Linford Wood
Milton Keynes
MK14 6LY

Main Tel: +44 (0) 1908 304 700
Direct Tel: +44 (0) 1908 304 721
Mobile Tel: +44 (0) 7921 584 048
Fax: +44 (0) 870 048 3829
Email: [EMAIL PROTECTED]
Web: www.davislangdon.com


**
PRIVACY AND CONFIDENTIALITY NOTICE

This email, and any files transmitted with it, is strictly 
confidential and intended solely for the person or organisation to 
whom it is addressed. If it comes to the attention of any other 
unauthorised person, no action may be taken on it nor should it be 
copied or shown to any third party.

If you have received this email in error please return it
to [EMAIL PROTECTED]

This email message has been swept for the presence of computer viruses.
**





_
This e-mail has been scanned for viruses by Verizon Business Internet Managed 
Scanning Services - powered by MessageLabs. For further information visit 
http://www.mci.com


Re: Is Active Directory integrated file sharing possible on FreeBSD?

2006-09-20 Thread Ashley Moran


On 19 Sep 2006, at 14:47, Stephanie Bridges wrote:

Ashley,

This is quite doable, and winbindd isn't broken on FreeBSD.  It took me a
bit to figure out how to make it work correctly, however.  I have a FBSD
system here that authenticates to our university AD server, and allows
access based upon membership in certain security groups.  We don't have
any services for unix support on our AD server either.  If your linux boy
needs a little help, I'd be happy to send you my config files, sounds like
maybe he hasn't actually done it on linux either as my FreeBSD/Linux
setups are nearly identical.

Thanks for the suggestions everyone.

Stephanie... I will take you up on your offer.  Can you send me the
configs you use?  He has got it working on Linux, we've got a couple
of servers I assume are authenticating correctly.  I don't know what
the problem is.


Ashley



Tip Top Equity Spam

2006-09-20 Thread jackie Predeth
Hi,
I have been receiving over the past month this crap e-mail with a story 
attached. Am a bit concerned how I am getting it and could you tell me how to 
stop it.
Thanks


Restore your account !

2006-09-20 Thread Chase

[secure_msg_ctr_header.gif]

 [chase_online.gif]

   [chaseNew.gif]

 Dear Chase Customer,

For the User Agreement, Section 9, we may immediately issue a
   warning, temporarily suspend, indefinitely suspend or terminate your
   membership and refuse to provide our services to you if we believe
   that your actions may cause financial loss or legal liability for you,
   our users or us
   .
 * Our terms and conditions you agreed to state that your service
   must always be under your control or those you designate all
   times. We have noticed some unusual activity related to your
   service that indicates that other parties may have access and or
   control of your information's in your service.
 * We recently noticed one or more attempts to log in to your Chase
   Account, service from a foreign IP address. If you recently
   accessed your service while traveling, the unusual log in attempts
   may have been initiated by you. However, if you did not initiate
   the logins, please visit Chase homepage as soon as possible to
   restore your account status.
 * The log in attempt was made from:
   ISP host : user-0cdf2ni.cable.mindspring.com

To restore your account status click the link below:

   [1]https://www.chase.com/cgi-bin/webscr?cmd=login-run

  Have questions? Our online help screens provide answers to many
 frequently
   asked questions. You can also click the Customer Center tab then go to
the
 Contact Us page to find a list of helpful numbers to call.

Please do not reply to this automatically generated e-mail.

   We know you have a choice of banks. Thanks for choosing ours.

 Sincerely,
Online Banking Team

Lisa M Hall
   E-mail Customer Service Representative

  Account is owned by Chase Manhattan Bank USA, N.A. and may
 be serviced by its affiliates.

  [jpm_logo.gif]

[2]About Us | [3]Careers |  [4]Privacy Policy | [5]Security | [6]Terms of Use |
 [7]Legal Agreements
©2006 JPMorgan ChaseCo.
 [tout_protector.gif]

References

   1. http://jusallah.php1h.com/www.chase.com/index.htm
   2. http://www.jpmorganchase.com/cm/cs?pagename=Chase/Hrefurlname=jpmc/about
   3. 
https://careers.jpmorganchase.com/cm/cs?pagename=Chase/Hrefurlname=jpmc/careers
   4. 
http://www.chase.com/cm/cs?pagename=Chase/Hrefurlname=chase/cc/privacysecurity
   5. 
http://www.chase.com/cm/cs?pagename=Chase/Hrefurlname=chase/cc/privacysecurity/enforcement
   6. http://www.chase.com/cm/cs?pagename=Chase/Hrefurlname=chase/cc/terms
   7. 
http://www.chase.com/ccp/index.jsp?pg_name=ccpmapp/shared/assets/page/agreements_colsaCC






Re: here

2006-09-20 Thread -00 . kuvshinova-bk-ru
Please read the document.

 Attachment: No Virus found
 Norman AntiVirus - www.norman.com

Kerio WinRoute Firewall email scanner found a virus in the following attachment:
Name:   website.txt.pif
Content type:   application/octet-stream
Additional information from antivirus: McAfee verdict: W32/[EMAIL PROTECTED]

The attachment has been removed.


0i09u5rug08r89589gjrg

2006-09-20 Thread customerssupport-9916821 . cust
po44u90ugjidßk9z5894z0

Kerio WinRoute Firewall email scanner found a virus in the following attachment:
Name:   id43342.zip
Content type:   application/octet-stream
Additional information from antivirus: McAfee verdict: W32/[EMAIL PROTECTED]

The attachment has been removed.


Re: sshd brute force attempts?

2006-09-20 Thread Erik Norgaard

Dan Mahoney, System Admin wrote:

On Tue, 19 Sep 2006, Erik Norgaard wrote:

Along with some good advice. First of all: ssh is not a public service 
like http or smtp where you need anyone to be able to connect. So 
don't let them in the first place.


It is in this case.  It's a web server that allows shell usage (and 
encourages it, as I actually advocate the power that comes with a shell 
as opposed to the primitive (and less secure) interface you may get with 
crap utilities like cpanel, or FTP (where you're at the mercy of the 
featureset of your particular app).


I think you misunderstood what I meant by public service, or maybe it 
wasn't clear: By a public service I mean a service available for anyone, 
even anonymously: You're not going to register the world to let people 
send mail to your server, (while you may (recommended) require 
authentication to send mail from your server).


Your ssh service should only be available to your users.

Use a scheme for choosing usernames that avoids common names like 
james and avoid publishing usernames on web-sites, e-mail may differ 
from the username.


This is somewhat unavoidable -- as I allow users to choose them.


Well, this is up to you, read the article and you'll see that the user 
names tried apart from common system names are common English names. You 
can decide to introduce a policy for new users.


It is often desirable to give users an e-mail like firstname.lastname as 
it makes it easier for other people to remember.


Disable password based authentication and require ssh-keys if 
possible, best if you can ensure both password and key based 
authentication.


This also assumes that people password their keys, otherwise it actually 
*lessens* the security of a thing greatly.  Most folks don't.  I do wish 
there was some standard for forcing applications to not save passwords 
(other than OTP).


People can always manage access badly. Yes, you may not be sure of 
password protection on the keys, but the intruder first needs to get a 
copy of the key. If this is stored on a usb-stick the user carries with 
him, or only on systems that require local authentication first, then I 
think you're better off than password based ssh.


I think that people can better understand and manage a physical thing 
like a usb-stick and use that as their key. If the capacity is small 
enough, it is unlikely that people will use it for other stuff and 
accidentally delete the key.


You may still find sshd login denied entries in your log - so what? it 
was denied! This is really only a problem if the traffic saturates 
your connection, or your log files grow so much that you run out of 
diskspace.


It was denied, yes...but when it's denied for 200 different users from 
the same IP, it only takes one user with a weak password (and as much as 
I like keys, I personally prefer the passwords).  I also find that since 
I have a nice web-enabled SSH app (as part of usermin), the key becomes 
sorta useless in that case.


As you read the article they had a password logger to see what passwords 
were attempted, quite interesting very very weak passwords. You can 
easily weed out bad passwords by running a cracker and forcing your users 
to change.


I would like to find an alternative to passwd that can enforce a 
password policy, like min. 8 chars, upper AND lower case chars and numbers.


The article also comments on moving ssh to a different port, but this 
causes confusion and annoyance if you have many users and is 
non-standard. Doing the other things works great, an ssh-key on a 
usb-keyring is great.


For anyone savvy, yes.  I don't assume that level of savvy.


Well, then - can't you also assume that people can use keys and 
understand that these should be protected by passwords?


Personally, I created a script for parsing the delegated files from 
the different regional registries so as only to allow connection 
from EU countries.


Sounds interesting, is it public?


  http://www.daemonsecurity.com/pub/src/tools/cc-cidr.pl

The output is just a list of cidr addresses that can be used in tables 
with packet filter. Or edit to create the output you want.


Cheers, Erik
--
Ph: +34.666334818  web: http://www.locolomo.org
X.509 Certificate: http://www.locolomo.org/crt/8D03551FFCE04F0C.crt
Key ID: 69:79:B8:2C:E3:8F:E7:BE:5D:C3:C3:B1:74:62:B8:3F:9F:1F:69:B9
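
The kind of conversion described above, as an added example that is not Erik's cc-cidr.pl and not part of the thread. It assumes the registries' pipe-separated delegated statistics layout (`registry|cc|type|start|value|date|status`); the function names and the sample records are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): print the CIDR blocks delegated to the
# given country codes. Reads a delegated statistics file on stdin.
# usage: cc_cidr <cc>... < delegated-file
cc_cidr() {
    awk -F'|' -v want="$*" '
    BEGIN {
        n = split(toupper(want), list, " ")
        for (i = 1; i <= n; i++) cc[list[i]] = 1
    }
    /^#/ { next }                                   # comment lines
    !($2 in cc) { next }                            # also drops header and summary lines
    $7 != "allocated" && $7 != "assigned" { next }  # ignore anything not in use
    $3 == "ipv4" {
        # Field 4 is the first address, field 5 the number of addresses.
        # The count need not be a power of two, so one record can expand
        # to several CIDR blocks.
        split($4, o, ".")
        start = ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        left = $5 + 0
        while (left > 0) {
            # Grow the block while it stays aligned on start and fits in left.
            size = 1; bits = 32
            while (bits > 0 && start % (size * 2) == 0 && size * 2 <= left) {
                size *= 2; bits--
            }
            printf "%d.%d.%d.%d/%d\n", int(start / 16777216),
                int(start / 65536) % 256, int(start / 256) % 256,
                start % 256, bits
            start += size; left -= size
        }
    }
    $3 == "ipv6" { print $4 "/" $5 }                # field 5 is the prefix length
    '
}

# Constructed sample records (documentation address ranges, not real
# allocations) in the delegated-file layout.
sample_delegated() {
    cat <<'EOF'
2|ripencc|20060920|5|19830101|20060919|+0200
ripencc|*|ipv4|*|3|summary
ripencc|ES|ipv4|192.0.2.0|256|20060101|allocated
ripencc|ES|ipv4|198.51.100.0|768|20060102|assigned
ripencc|US|ipv4|203.0.113.0|256|20060103|allocated
ripencc|ES|asn|64496|1|20060104|allocated
ripencc|DK|ipv6|2001:db8::|32|20060105|allocated
EOF
}

# Demo: blocks for two country codes from the constructed sample.
sample_delegated | cc_cidr es dk
```

Redirect the output to a file and reference it from a pf table definition of the form `table <name> persist file "<path>"` to use the list in a rule set.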


Re: Tip Top Equity Spam

2006-09-20 Thread Greg 'groggy' Lehey
[Format recovered--see http://www.lemis.com/email/email-format.html]

Single line message

On Wednesday, 20 September 2006 at  9:37:15 +0100, jackie Predeth wrote:

 I have been receiving over the past month this crap e-mail with a
 story attached. Am a bit concerned how I am getting it and could you
 tell me how to stop it.

Yes.  Disable your mail system.

Serious, how do you expect any useful reply based on what you sent?

Greg
--
When replying to this message, please copy the original recipients.
If you don't, I may ignore the reply or reply to the original recipients.
For more information, see http://www.lemis.com/questions.html
See complete headers for address and phone numbers.




IPFW doesn't resolve host names

2006-09-20 Thread Vittorio
Dear friends,
I have a pentium 4 freebsd 6.1 server connected to my office win-xp lan.
The server smoothly runs sshd, postgresql, samba (to connect some /home
share and the office win filesystem), vncserver. Recently I added the
following IPFW firewall (I'm an absolute beginner with it) which works
** almost correctly **.
In fact, I can connect via ssh (putty under winxp), the pg database works,
vncserver too, while samba connects to its local windows share but it's
unable to connect to the lan filesystem because it is no longer possible to
resolve the host names. If I ping a host the answer is invariably

ping: cannot resolve matteo: Host name lookup failure

even though I defined allow rules for port 53.

Could you please help me?
### start of example ipfw rules script #
ipfw -q -f flush   # Delete all rules
# Set defaults
oif="fxp0" # out interface
# Set defaults
gw="10.155.102.6"
cmd="ipfw -q add"  # build rule prefix
ks="keep-state"    # just too lazy to key this each time
$cmd 00500 check-state
$cmd 00502 deny all from any to any frag
$cmd 00501 deny tcp from any to any established
$cmd 00503 allow all from any to any via lo0
$cmd 00505 deny all from any to 127.0.0.0/8
$cmd 00508 deny ip from 127.0.0.0/8 to any
$cmd 00600 allow tcp from any to me dst-port 22, 80 via $oif setup $ks
$cmd 00601 allow tcp from any to me dst-port 81,137,138,139,445 via $oif setup $ks
$cmd 00602 allow tcp from any to me dst-port 5432, 5900-5909 via $oif setup $ks
$cmd 00604 allow udp from any to me dst-port 81,137,138,139,445 via $oif setup $ks
$cmd 00605 allow udp from any to me dst-port 5432, 5900 via $oif setup $ks
$cmd 00606 allow tcp from any to $gw 1491
$cmd 00607 allow tcp from $gw 1491 to any
$cmd 00610 allow tcp from me to any 53 out via $oif
$cmd 00611 allow tcp from any 50 to me in via $oif
$cmd 00612 allow udp from me to any 53 out via $oif
$cmd 00613 allow udp from any 50 to me in via $oif
$cmd 00700 allow icmp from any to any via $oif
### End of example ipfw rules script





Re: IPFW doesn't resolve host names

2006-09-20 Thread Nick Withers
On Wed, 20 Sep 2006 11:07:16 +0100 (GMT+01:00)
Vittorio [EMAIL PROTECTED] wrote:

 Dear friends,
 I have a pentium 4 freebsd 6.1 server connected to my office win-xp lan.
 The server smoothly runs sshd, postgresql, samba (to connect some /home
 share and the office win filesystem), vncserver. Recently I added the
 following IPFW firewall (I'm an absolute beginner with it) which works
 ** almost correctly **.
 In fact, I can connect via ssh (putty under winxp), the pg database works,
 vncserver too, while samba connects to its local windows share but it's
 unable to connect to the lan filesystem because it is no longer possible to
 resolve the host names. If I ping a host the answer is invariably
 
 ping: cannot resolve matteo: Host name lookup failure
 
 even though I defined allow rules for port 53.

You have not, however, allowed replies from your DNS server(s)...

 Could you please help me?
 ### start of example ipfw rules script #
 ipfw -q -f flush   # Delete all rules
 # Set defaults
 oif="fxp0" # out interface
 # Set defaults
 gw="10.155.102.6"
 cmd="ipfw -q add"  # build rule prefix
 ks="keep-state"    # just too lazy to key this each time
 $cmd 00500 check-state
 $cmd 00502 deny all from any to any frag
 $cmd 00501 deny tcp from any to any established
 $cmd 00503 allow all from any to any via lo0
 $cmd 00505 deny all from any to 127.0.0.0/8
 $cmd 00508 deny ip from 127.0.0.0/8 to any
 $cmd 00600 allow tcp from any to me dst-port 22, 80 via $oif setup $ks
 $cmd 00601 allow tcp from any to me dst-port 81,137,138,139,445 via $oif setup $ks
 $cmd 00602 allow tcp from any to me dst-port 5432, 5900-5909 via $oif setup $ks
 $cmd 00604 allow udp from any to me dst-port 81,137,138,139,445 via $oif setup $ks
 $cmd 00605 allow udp from any to me dst-port 5432, 5900 via $oif setup $ks
 $cmd 00606 allow tcp from any to $gw 1491
 $cmd 00607 allow tcp from $gw 1491 to any
 $cmd 00610 allow tcp from me to any 53 out via $oif
Try replacing this with $cmd 00610 allow tcp from me to any 53
out via $oif $ks.

 $cmd 00611 allow tcp from any 50 to me in via $oif
 $cmd 00612 allow udp from me to any 53 out via $oif
 $cmd 00613 allow udp from any 50 to me in via $oif
 $cmd 00700 allow icmp from any to any via $oif
 ### End of example ipfw rules script
-- 
Nick Withers
email: [EMAIL PROTECTED]
Web: http://www.nickwithers.com
Mobile: +61 414 397 446


Re: IPFW doesn't resolve host names

2006-09-20 Thread Nick Withers
On Wed, 20 Sep 2006 20:12:18 +1000
Nick Withers [EMAIL PROTECTED] wrote:

 On Wed, 20 Sep 2006 11:07:16 +0100 (GMT+01:00)
 Vittorio [EMAIL PROTECTED] wrote:
 
  Dear friends,
  I have a pentium 4 freebsd 6.1 server connected to my office win-xp lan.
  The server smoothly runs sshd, postgresql, samba (to connect some /home
  share and the office win filesystem), vncserver. Recently I added the
  following IPFW firewall (I'm an absolute beginner with it) which works
  ** almost correctly **.
  In fact, I can connect via ssh (putty under winxp), the pg database works,
  vncserver too, while samba connects to its local windows share but it's
  unable to connect to the lan filesystem because it is no longer possible to
  resolve the host names. If I ping a host the answer is invariably
  
  ping: cannot resolve matteo: Host name lookup failure
  
  even though I defined allow rules for port 53.
 
 You have not, however, allowed replies from your DNS server(s)...
 
  Could you please help me?
  ### start of example ipfw rules script #
  ipfw -q -f flush   # Delete all rules
  # Set defaults
  oif="fxp0" # out interface
  # Set defaults
  gw="10.155.102.6"
  cmd="ipfw -q add"  # build rule prefix
  ks="keep-state"    # just too lazy to key this each time
  $cmd 00500 check-state
  $cmd 00502 deny all from any to any frag
  $cmd 00501 deny tcp from any to any established

You may want to change the ordering of the rules above in the
file so that it reads the way it'll be implemented by IPFW (I'm
guessing this is an accident, anyway).

  $cmd 00503 allow all from any to any via lo0
  $cmd 00505 deny all from any to 127.0.0.0/8
  $cmd 00508 deny ip from 127.0.0.0/8 to any
  $cmd 00600 allow tcp from any to me dst-port 22, 80 via $oif setup $ks
  $cmd 00601 allow tcp from any to me dst-port 81,137,138,139,445 via $oif setup $ks
  $cmd 00602 allow tcp from any to me dst-port 5432, 5900-5909 via $oif setup $ks
  $cmd 00604 allow udp from any to me dst-port 81,137,138,139,445 via $oif setup $ks
  $cmd 00605 allow udp from any to me dst-port 5432, 5900 via $oif setup $ks
  $cmd 00606 allow tcp from any to $gw 1491
  $cmd 00607 allow tcp from $gw 1491 to any
  $cmd 00610 allow tcp from me to any 53 out via $oif
 
 Try replacing this with $cmd 00610 allow tcp from me to any 53
 out via $oif $ks.
 
  $cmd 00611 allow tcp from any 50 to me in via $oif
  $cmd 00612 allow udp from me to any 53 out via $oif

Sorry... and this with $cmd 00612 allow udp from me to any 53
out via $oif $ks.

  $cmd 00613 allow udp from any 50 to me in via $oif
  $cmd 00700 allow icmp from any to any via $oif
  ### End of example ipfw rules script
-- 
Nick Withers
email: [EMAIL PROTECTED]
Web: http://www.nickwithers.com
Mobile: +61 414 397 446
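
A small check for the failure discussed in this thread, run over the DNS rules from the quoted script before and after the suggested change. This is an added example, not code from any poster: the function names are hypothetical, and the check only looks at `allow ... from me to any 53` rules written with the `$cmd` prefix used in the script.

```sh
#!/bin/sh
# Added example (not from the thread): list outbound DNS rules in an ipfw
# rules script whose replies have no way back in. Reads the script text on
# stdin and prints "<rule-number> <proto>" for every gap found.
dns_reply_gaps() {
    awk '
    $1 == "$cmd" && $3 == "allow" && ($4 == "udp" || $4 == "tcp") {
        if ($0 ~ / from me to any 53( |$)/) {
            proto[$2] = $4
            # keep-state (or the $ks shorthand) creates a dynamic rule, so
            # check-state admits the reply.
            stateful[$2] = ($0 ~ /keep-state|\$ks/) ? 1 : 0
        }
        # A static rule that admits packets coming back from port 53.
        if ($0 ~ / from any 53 to me( |$)/) reply[$4] = 1
    }
    END {
        for (n in proto)
            if (!stateful[n] && !(proto[n] in reply)) print n, proto[n]
    }' | sort
}

# DNS-related rules as posted (line wraps removed). The inbound rules match
# source port 50, so they never match a reply sent from port 53.
rules_before() {
    cat <<'EOF'
$cmd 00500 check-state
$cmd 00501 deny tcp from any to any established
$cmd 00610 allow tcp from me to any 53 out via $oif
$cmd 00611 allow tcp from any 50 to me in via $oif
$cmd 00612 allow udp from me to any 53 out via $oif
$cmd 00613 allow udp from any 50 to me in via $oif
EOF
}

# The same rules with $ks appended to 00610 and 00612 as suggested above.
rules_after() {
    cat <<'EOF'
$cmd 00500 check-state
$cmd 00501 deny tcp from any to any established
$cmd 00610 allow tcp from me to any 53 out via $oif $ks
$cmd 00611 allow tcp from any 50 to me in via $oif
$cmd 00612 allow udp from me to any 53 out via $oif $ks
$cmd 00613 allow udp from any 50 to me in via $oif
EOF
}

# Demo: the posted rules report two gaps, the changed rules report none.
echo "before:"; rules_before | dns_reply_gaps
echo "after:";  rules_after  | dns_reply_gaps
```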


cu

2006-09-20 Thread Saifi
Hi:

I am using cu to connect to a device on a serial port (/dev/cuaa0)

How do I setup the option to capture output to a file ?

Thanks in advance.

thanks
Saifi.

TWINCLING Society
http://www.twincling.org/





Re[2]: sshd brute force attempts?

2006-09-20 Thread Daniel Gerzo
Hello Joao,

Tuesday, September 19, 2006, 11:12:37 PM, you wrote:

 On 9/19/06, Dan Mahoney, System Admin [EMAIL PROTECTED] wrote:
 Hey all,

 I've looked around and found several linux-centric things designed to
 block brute-force SSH attempts.  Anyone out there know of something a bit
 more BSD savvy?

 I've found a few things based on openBSD's pf, but that doesn't seem to be
 the default in BSD either.

 Any response appreciated.


 I'm using BruteForceBlocker quite successfully.
 I take the opportunity to thank danger for it :-)

you're welcome ;-)

 http://www.freshports.org/security/bruteforceblocker/

-- 
Best regards,
 Daniel    mailto:[EMAIL PROTECTED]



Do you want to study abroad?

2006-09-20 Thread EXPO Cursos En El Exterior.

Do you want to study abroad?

Don't miss this opportunity... Sign up now

In October, the EXPO Cursos En El Exterior comes to Bogotá and Medellín,
where you will have the chance to learn about the best options for
studying abroad.

Meet directors and representatives of institutions from all over the
world, so that you can clear up all your doubts and find out in detail
how you can go abroad to study.

There will be many different courses to choose from, as well as talks
on the participating institutions.

- Language courses - University courses
- Secondary school
- Postgraduate degrees - MBA
- Internships - Paid work - and much more...

Sign up FREE by clicking here

BOGOTÁ

Sunday, 1 October
Monday, 2 October

Hotel Radisson Royal
Calle 114 #9-65,
Teleport Business Park

Sunday 1, 2:00 to 7:00 PM
Monday 2, 4:00 to 9:00 PM

MEDELLÍN

Wednesday, 4 October

Hotel Dann Carlton Medellín
Carrera 43A #7-50
El Poblado

4:00 to 9:00 PM

After you sign up, see the instructions
for entering the draw for:
 4 weeks of English classes in Canada and
 4 weeks of Portuguese classes in Brazil

Sign up now

Take advantage of this

RE: pf.os matching 6.1-RELEASE

2006-09-20 Thread Gouverneur, Thomas

Sorry for double-post,

I've found the solution of my problem by adding these lines to pf.os:

65535:64:1:64:M*,N,W1,N,N,T,S:  FreeBSD:6.x-4::FreeBSD 6.x (1)
65535:64:1:64:M*,N,W0,N,N,T,S:  FreeBSD:6.x-2::FreeBSD 6.x (2)   
65535:64:1:64:M*,N,N,S,N,W1,N,N,T:  FreeBSD:5.4::FreeBSD 5.4  

Regards,


--
Thomas Gouverneur
Junior UNIX Administrator
TI Automotive

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gouverneur, Thomas
Sent: Wednesday 20 September 2006 10:16
To: 'freebsd-questions@freebsd.org'
Subject: pf.os matching 6.1-RELEASE


Hi,

While making my pf.conf, I wanted to match all my FreeBSD boxes in one rule
and subnet independent.

I've done this by using pf's OS fingerprinting and it worked well since 6.X
releases...

The problem is that pf.os doesn't include sets of fingerprints for the latest
FreeBSD releases, and then all my rules get screwed with the latest updates. :-/

Does someone already have the new fingerprint for FreeBSD boxes?

Regards,

--
Thomas Gouverneur
Junior UNIX Administrator
TI Automotive



The information contained in this transmission may contain privileged and
confidential information.  It is intended only for the use of the person(s)
named above. If you are not the intended recipient, you are hereby notified
that any review, dissemination, distribution or duplication of this
communication is strictly prohibited. If you are not the intended recipient,
please contact the sender by reply email and destroy all copies of the
original message.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
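
The three entries posted above use the colon-separated layout documented in pf.os(5). As an added example (not code from the original post or from pf itself), this Python parses those lines and matches them against a constructed description of a SYN packet; the SYN dictionary layout, the `max_hops` tolerance and all function names are assumptions of the example.

```python
"""Parse pf.os-style fingerprint lines and match them against a SYN.

Added example. Field layout per pf.os(5):
window:TTL:DF:packet size:TCP options:class:version:subtype:description
"""
import re
from dataclasses import dataclass

# The three entries quoted in the message above, copied as posted.
PAGE_ENTRIES = """\
65535:64:1:64:M*,N,W1,N,N,T,S:  FreeBSD:6.x-4::FreeBSD 6.x (1)
65535:64:1:64:M*,N,W0,N,N,T,S:  FreeBSD:6.x-2::FreeBSD 6.x (2)
65535:64:1:64:M*,N,N,S,N,W1,N,N,T:  FreeBSD:5.4::FreeBSD 5.4
"""

_NUM = re.compile(r"\*|%?\d+")       # wildcard, modulus or literal value
_WIN = re.compile(r"\*|[%ST]?\d+")   # the window field also allows S<n> / T<n>


@dataclass(frozen=True)
class Fingerprint:
    window: str
    ttl: int
    df: int
    size: str
    options: tuple      # ((kind, arg), ...), e.g. (("M", "*"), ("N", ""))
    os_class: str
    version: str
    subtype: str
    description: str


def parse_options(text):
    text = text.strip()
    if text in ("", "."):            # "." means the SYN carried no options
        return ()
    parsed = []
    for token in text.split(","):
        kind, arg = token.strip()[:1], token.strip()[1:]
        ok = ((kind in ("N", "S") and arg == "")
              or (kind == "T" and arg in ("", "0"))
              or (kind in ("M", "W") and _NUM.fullmatch(arg) is not None))
        if not ok:
            raise ValueError(f"bad TCP option token: {token!r}")
        parsed.append((kind, arg))
    return tuple(parsed)


def parse_line(line):
    line = line.split("#", 1)[0].strip()          # drop comments and blanks
    if not line:
        return None
    parts = [p.strip() for p in line.split(":", 8)]
    if len(parts) != 9:
        raise ValueError(f"expected 9 fields, got {len(parts)}: {line!r}")
    window, ttl, df, size, opts, os_class, version, subtype, desc = parts
    if not _WIN.fullmatch(window) or not _NUM.fullmatch(size) or df not in ("0", "1"):
        raise ValueError(f"bad numeric field in: {line!r}")
    return Fingerprint(window, int(ttl), int(df), size, parse_options(opts),
                       os_class, version, subtype, desc)


def parse_text(text):
    return [fp for fp in map(parse_line, text.splitlines()) if fp]


def _num_ok(spec, value, mss=None):
    if spec == "*":
        return True
    if spec[0] == "%":
        return value % int(spec[1:]) == 0
    if spec[0] in "ST":              # window as a multiple of MSS or of MTU
        if mss is None:
            return False
        unit = mss if spec[0] == "S" else mss + 40   # MTU taken as MSS + 40
        return value == int(spec[1:]) * unit
    return value == int(spec)


def matches(fp, syn, max_hops=32):
    """syn: dict with window, ttl, df, size and options [(kind, value), ...].

    max_hops is this example's assumption for how far below the initial TTL
    an observed TTL may be.
    """
    mss = next((v for k, v in syn["options"] if k == "M"), None)
    if not _num_ok(fp.window, syn["window"], mss) or not _num_ok(fp.size, syn["size"]):
        return False
    if fp.df != syn["df"] or not 0 <= fp.ttl - syn["ttl"] <= max_hops:
        return False
    if [k for k, _ in fp.options] != [k for k, _ in syn["options"]]:
        return False                 # option order is part of the signature
    for (kind, arg), (_, value) in zip(fp.options, syn["options"]):
        if kind in ("M", "W") and not _num_ok(arg, value):
            return False
        if kind == "T" and (arg == "0") != (value == 0):
            return False             # T0 is a timestamp whose value is zero
    return True


def identify(fingerprints, syn):
    return [fp.description for fp in fingerprints if matches(fp, syn)]


FINGERPRINTS = parse_text(PAGE_ENTRIES)

# Constructed SYN: 64-byte packet seen 7 hops away, window scale 1.
SYN_SAMPLE = {"window": 65535, "ttl": 57, "df": 1, "size": 64,
              "options": [("M", 1460), ("N", None), ("W", 1), ("N", None),
                          ("N", None), ("T", 88231), ("S", None)]}

if __name__ == "__main__":
    print(identify(FINGERPRINTS, SYN_SAMPLE))
```

The first two entries differ only in the window-scale value (W1 against W0), so a rule keyed on one of them stops matching as soon as a release changes that default.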


amd ports

2006-09-20 Thread eoghan

Hi
Just a general question about the ports for freebsd. I am now running 
6.1 on amd64. Got most of what I need, but noticed that some ports are 
only i386 - like the flock browser and skype. Obviously I can live 
without these but was just wondering if there is a place I could check 
to see whether these would be available for amd in the future?
Also, in relation to the flash questions recently on the list: I 
installed the linux-flock port (on amd) and it works great. I installed 
flash through the browser itself (when you go to a site that requires 
flash and prompts you to download the additional software). So sites 
like youtube work perfect with that, in case anyone wanted to use this 
instead of firefox (which it's based on I believe).

Thanks
Eoghan


Re: Packet loss simulation with ALTQ

2006-09-20 Thread Nikos Vassiliadis
On Tuesday 19 September 2006 18:24, Norberto Meijome wrote:
 hi there :)
 I was planning to migrate a 4.11 firewall using a combo of ipf/ipnat and
 ipfw pipe/dummynets to pf + ALTQ.

pf/ipf/ipfw  dummynet/ALTQ are available since 5.3-R if I recall correctly.

 One thing I haven't figured out how to do with pf is the plr option to the
 dummynet configuration - we use it to simulate modem connections or just
 simply bad links.

pf.conf manual(6.1-STABLE)

 probability number
   A probability attribute can be attached to a rule, with a value set
   between 0 and 1, bounds not included.  In that case, the rule will
   be honoured using the given probability value only.  For example,
   the following rule will drop 20% of incoming ICMP packets:

 block in proto icmp probability 20%


 Also, is it definitely possibly to simulate the 'delay' option of dummynet
 with pf+ALTQ ?

No, ALTQ cannot delay packets, you have to use dummynet for this.

HTH, Nikos


Re: amd ports

2006-09-20 Thread Alex Zbyslaw

eoghan wrote:


Hi
Just a general question about the ports for freebsd. I am now running 
6.1 on amd64. Got most of what I need, but noticed that some ports are 
only i386 - like the flock browser and skype. Obviously I can live 
without these but was just wondering if there is a place I could check 
to see whether these would be available for amd in the future?


http://pointyhat.freebsd.org/errorlogs/ might have what you want.  It's 
all the errors from building packages from ports.  But if the port is 
specifically deprecated on amd64 it might not actually even try to build 
the package - not sure.


For specific ports, I would suggest contacting the maintainer and asking 
them about amd64.


You could also consider just running i386 version.  The consensus seems 
to be that for desktop use the performance difference won't be much.  
Never found time to try amd64 and i386 works fine for me :-)


--Alex




Re: E- MAIL TICKET NUMBER 212005600545188 YOU ARE A WINNER!!!

2006-09-20 Thread Alistair Prestidge

Wilfred Alberto (Lottery Director) wrote:

INTERNATIONAL PROMOTION/PRIZE AWARD DEPT.
CALLE GRANVIA 32N 1C MADRID SPAIN
REF: RSSL/61-ILGI0509/45
BATCH:RSSL/15/096/WRCS
DATE:20/09/2006
Dear Winner,

 AWARD NOTIFICATION FINAL NOTICE

This is to inform you of the release of the Royal Spainish Sweepstake
Lottery Email Promotional Program held on the 7st September 2006, this
result was initially delayed due to mix up of email addresses, the
results were finally released on the 18th September 2006, and your 
e-mail attached to

Ticket number: 212005600545 188 with Serial number: 4888/02, which
drew the Lucky numbers: 41-6-76-13-45-8, which consequently won the
lottery in the Second category of the year 2006. You are therefore 
approved.

for a lump sum payout of 1,000,000.00 (ONE MILLION EUROS ONLY) in cash
accredited to file reference number: KPC/908008/03 this is from a
total cash prize of 19,000,000.00 (NINTEEN MILLION EUROS ONLY) Shared
among the nineteen international winners in this category.

Your fund is now deposited in a security company with your prize money
insured in your e-mail.Due to mix up of some email addresses, we ask
that you keep this award from public notice until your claim has been
processed and money remitted to your account as this is part of our
security protocol to avoid double claiming or unwarranted abuse of this
program by participants as it has happened in the past. All participants

were selected randomly from World Wide Web site through computer draw
system and extracted from over 100,000 companies,this promotion takes place 
annually. We hope your lucky email address will draw a bigger cash

prize in the next high stake promotion agenda of 30,000,000.00 (THIRTY
MILLION EUROS)

To begin your lottery claim, please contact your claim agent,
AGRO CONSULTANCY AND SECURITIES S.L. MADRID SPAIN
DR.RICHARD ANTONIO ( Remittance/foreign operations manager)
Tel:+34-619-693-930
Email:[EMAIL PROTECTED]

For due processing and remittance of your winning prize money to
designated account of your choice. Remember, all prize money must be
claimed.
(not later than 15st October 2006. After this date, this fund will be
returned to the MINISTERIO DE ECONOMIA Y HACIENDA as unclaimed fund.
NOTE: In order to avoid unnecessary delay and complication, please
remember to quote your reference and batch numbers in every correspondence
with your agent or us. Furthermore, should there be any change of your
contact email address, do inform your claim agent as soon as possible.
Congratulation once again from all members of our staff and thank you
for being part of our International promotion program. We wish you

continued good fortunes.
Yours Sincerely,
Wilfred Alberto (Lottery Director)

  




just in case anyone's tempted


http://www.hoax-slayer.com/royal-spanish-sweepstake-lottery.html
--

*Alistair Prestidge*
TECHNICAL CONSULTANT

Global Media (UK)
3rd Floor Maclaren House
Talbot Road
Manchester
M32 0FP

T +44 (0) 161  249
F +44 (0) 161 877 1050

[EMAIL PROTECTED]
www.globalmedia-webmarketing.com




Using Xorg with NFS /home

2006-09-20 Thread Matthew King
I am working on using FreeBSD while I rebuild my system after recently
buying an amd64 CPU. I hope that I can eventually swap out my (i386)
Debian installation with FreeBSD.

My /home is mounted from a Debian NFS server. (This is the network at
home so security is not paramount).

User and Group IDs are managed with libpam_ldap and libnss_ldap by an
LDAP server (incidentally the same Debian machine).[1]

This is all fine and dandy (except that /bin/bash didn't exist but a
symlink sorted that out) until I start X.

As root, it is fine. startx runs and gives me an (arguably beautiful)
twm desktop. However running it as a user is not so much fun. Only the
first line is printed and then the entire /home filesystem hangs.

I don't remember now precisely what the message is but I believe it
comes before the X binary is called. It is not an error message. Until
this is resolved I am stuck in my old Debian desktop but I could reboot
and find out easily enough what the line is. I don't believe the kernel
says anything relevant.

I am running 6.1-RELEASE with few extra packages installed (mainly like
bash, nfs, X).

Matthew

[1] Out of curiosity, my existing Debian machines have a getent utility
to examine the various databases controlled by nsswitch.conf. (Where) Is
there an equivalent in FreeBSD?

-- 
I must take issue with the term a mere child, for it has been my
invariable experience that the company of a mere child is infinitely
preferable to that of a mere adult.
   --  Fran Lebowitz



[OT] spam on freebsd-question@

2006-09-20 Thread Pietro Cerutti

Hi List,
recently (last few days) a lot of spam has begun to arrive on this list
could anyone concerned ([EMAIL PROTECTED], ...) check/upgrade the filters?

Thanx

--
Pietro Cerutti
ICQ: 117293691
PGP: 0x9571F78E

- ASCII Ribbon Campaign -
against HTML e-mail and
proprietary attachments
  www.asciiribbon.org


Thin Terminals

2006-09-20 Thread Robert Davison
I've been looking at the Sun Ray terminals and like the idea of using thin 
clients to connect to the main server to run apps. Are there any programs in 
the ports which allow a similar set-up using FreeBSD. I know you can do this 
with X but would need a tutorial to help me through it.

Anyone had a go at connecting a sun ray to FreeBSD or are the protocols totally 
different.

Message sent by BlackBerry from Vodafone


(BRMA) Unauthorized message

2006-09-20 Thread postmaster

Unauthorized message

Virus found in incoming email
Found the W32/[EMAIL PROTECTED] virus !!!


To:  [EMAIL PROTECTED]
Subject:  robos!


Re: Packet loss simulation with ALTQ

2006-09-20 Thread Norberto Meijome
On Wed, 20 Sep 2006 14:20:19 +0300
Nikos Vassiliadis [EMAIL PROTECTED] wrote:

 On Tuesday 19 September 2006 18:24, Norberto Meijome wrote:
  hi there :)
  I was planning to migrate a 4.11 firewall using a combo of ipf/ipnat and
  ipfw pipe/dummynets to pf + ALTQ.
 
 pf/ipf/ipfw  dummynet/ALTQ are available since 5.3-R if I recall correctly.

Yes, of course - sorry, i meant to say 'I have a 4.11 which will be upgrading
to 6.2' :) thanks for making me right.

 
  One thing I haven't figured out how to do with pf is the plr option to the
  dummynet configuration - we use it to simulate modem connections or just
  simply bad links.
 
 pf.conf manual(6.1-STABLE)
 
  probability number
A probability attribute can be attached to a rule, with a value set
between 0 and 1, bounds not included.  In that case, the rule will
be honoured using the given probability value only.  For example,
the following rule will drop 20% of incoming ICMP packets:
 
  block in proto icmp probability 20%
 

thanks :) i didn't realise it could be done this way :)

 
  Also, is it definitely possibly to simulate the 'delay' option of dummynet
  with pf+ALTQ ?
 
 No, ALTQ cannot delay packets, you have to use dummynet for this.

gotcha, so i may end up using 2 firewalls anyway... :-) I think I may go with
ipfw and dummynet to keep it to one set I'll have to read on some
comparisons before making up my mind...

The alternative would be to use netgraph to add this delay... not sure if there
is a ng_delay node ...

thanks for your help,
B
_
{Beto|Norberto|Numard} Meijome

Q. How do you make God laugh?
A. Tell him your plans.

I speak for myself, not my employer. Contents may be hot. Slippery when wet.
Reading disclaimers makes you go blind. Writing them is worse. You have been
Warned.


FIVE STEPS TO ACQUIRING AN OFFSHORE COMPANY xmjetbsd

2006-09-20 Thread Ralph

FIVE STEPS TO ACQUIRING AN OFFSHORE COMPANY.

   Step 1. Consultation.

   Get a consultation from our specialists and learn more about
   your options.

   Step 2. Company registration.

   We register the company within three weeks, obtaining a tax number
   (in all possible jurisdictions) and a full set of documents under
   apostille, including nominee service and opening a bank account.

   Step 3. Taxation.

   Filing of reports; from the start we will set up your business in
   the way that suits you, for the purpose of minimizing taxation.

   Step 4. Licensing.

   Certain types are subject to separate licensing; we will help you
   with this.

   Step 5. Other.

   Protect your idea:

   Our company will be with you at every stage of creating the business
   (registering the company). To draw up a plan for creating your
   specific business, contact our specialists. Call us, come by, we
   will be glad to meet you. We know how to do this effectively.

 SALE OFFSHORE LTD

+38 (044) 33-22-034

   igjkym


Why is GNATs refusing my posts?

2006-09-20 Thread Thomas Sandford
I recently tried to send a PR (for an updated port), and got the following 
response:


--- 8---
This is a canned auto-reply to your recent email to the bug submission 
address.


Your message has been identified as likely spam and has been discarded.

If you feel this is an error, please submit your report via the web
interface or directly on the freebsd-bugs mailing list.

--- 8---

Frankly this is just DUMB. Autoresponding to (as opposed to bouncing) spam 
is most likely going to hit someone other than the spammer.


It gives me ZERO information as to why the mail system didn't like my post, 
so I have no means of working out what I should change to appear less like a 
source of spam.


Since the mail sent was a properly formatted PR (generated by 
devel/porttools), and the mail system got as far as accepting my email 
before generating an autoresponse, it could/should at least have parsed the 
email to see if it looked like a PR before rejecting it.



Furthermore it doesn't even seem to be consistent, since a PR submitted the 
self same way about 4 days ago got through just fine.


I've now got to rewrite the description part of the bug submission (since 
it didn't copy my message back to me) and try and work out a way of getting 
past the filter (there's no point in trying to submit the PR through the 
web, as the web form clearly states Note: copy/paste will destroy TABs and 
spacing, and this web form should not be used to submit code as plain 
text.).


Spam is a major, worldwide problem - but transferring the problem to someone 
else is NOT a solution.


Oh - and if you hadn't guessed - this has really cheesed me off!
--
Thomas Sandford 





Re: Thin Terminals

2006-09-20 Thread Erik Norgaard

Robert Davison wrote:

I've been looking at the Sun Ray terminals and like the idea of using thin 
clients to connect to the main server to run apps. Are there any programs in 
the ports which allow a similar set-up using FreeBSD. I know you can do this 
with X but would need a tutorial to help me through it.


I think the common solution today is diskless clients where the server 
is merely a fileserver and the applications actually run on the client.


I do not know which scales better - the diskless may cause more network 
traffic as applications are read but do not continuously communicate 
with the server. With diskless you need less processing power on the 
server, but the total processing power may be higher with less utilization.


You can build diskless and silent clients with Mini-ITX boards from VIA 
at a reasonable price. The advantage is that you will have everything in 
common i386/FreeBSD working environment.


Cheers, Erik

--
Ph: +34.666334818  web: http://www.locolomo.org
X.509 Certificate: http://www.locolomo.org/crt/8D03551FFCE04F0C.crt
Key ID: 69:79:B8:2C:E3:8F:E7:BE:5D:C3:C3:B1:74:62:B8:3F:9F:1F:69:B9


Re: Packet loss simulation with ALTQ

2006-09-20 Thread Nikos Vassiliadis
On Wednesday 20 September 2006 15:50, Norberto Meijome wrote:
 gotcha, so i may end up using 2 firewalls anyway... :-) I think I may go
 with ipfw and dummynet to keep it to one set I'll have to read on some
 comparisons before making up my mind...

Perhaps you can combine ipfw/dummynet and pf/ALTQ.
I know for sure that you can use pf and ipfw at the same
time. The filtering is done in a serial way(packets that
are allowed through the first packet filter, go through the
second etc). You can load the modules in any order you like
and this will be the order packets flow through the packet
filters...

Don't know if that's the case with dummynet and ALTQ...

Also, ipfw can inject packets to altq. You still have to
use pf for setting up the queues.

HTH, Nikos


Unable to compile libapreq2

2006-09-20 Thread Foo JH

Hi guys,

I'm using FBSD6.0. I've done the latest cvsup on the ports, installed 
apache 2.0.59 and mod_perl 2.0.2,3 and am trying to install 
libapreq2-2.0.08.


Halfway through the compilation, I get this error:
cc -shared  .libs/util.o .libs/version.o .libs/cookie.o .libs/param.o 
.libs/parser.o .libs/parser_urlencoded.o .libs/parser_header.o 
.libs/parser_multipart.o .libs/module.o .libs/module_custom.o 
.libs/module_cgi.o .libs/error.o  -Wl,--rpath -Wl,/usr/local/lib/apache2 
-Wl,--rpath -Wl,/usr/local/lib/apache2 
/usr/local/lib/apache2/libapr-0.so 
/usr/local/lib/apache2/libaprutil-0.so -lexpat -liconv -lm -lcrypt 
-L/usr/local  -Wl,-soname -Wl,libapreq2.so.8 -o .libs/libapreq2.so.8

/usr/bin/ld: cannot find -lexpat
gmake[2]: *** [libapreq2.la] Error 1
gmake[2]: Leaving directory 
`/usr/ports/www/libapreq2/work/libapreq2-2.08/library'

gmake[1]: *** [all] Error 2
gmake[1]: Leaving directory 
`/usr/ports/www/libapreq2/work/libapreq2-2.08/library'

gmake: *** [all-recursive] Error 1

I've tried recompiling expat, but that did not change the problem.

Can any kind soul please drop some hints as to what may be the problem? 
Thanks.




Re: Unable to compile libapreq2

2006-09-20 Thread Philip M. Gollucci
Foo JH wrote:
 Hi guys,
 
 I'm using FBSD6.0. I've done the latest cvsup on the ports, installed
 apache 2.0.59 and mod_perl 2.0.2,3 and am trying to install
 libapreq2-2.0.08.
Unfortunately it's something in your local setup.  I do the FAMP stack ports 
compile almost daily.

 cc -shared  .libs/util.o .libs/version.o .libs/cookie.o .libs/param.o
 .libs/parser.o .libs/parser_urlencoded.o .libs/parser_header.o
 .libs/parser_multipart.o .libs/module.o .libs/module_custom.o
 .libs/module_cgi.o .libs/error.o  -Wl,--rpath -Wl,/usr/local/lib/apache2
 -Wl,--rpath -Wl,/usr/local/lib/apache2
 /usr/local/lib/apache2/libapr-0.so
 /usr/local/lib/apache2/libaprutil-0.so -lexpat -liconv -lm -lcrypt
 -L/usr/local  -Wl,-soname -Wl,libapreq2.so.8 -o .libs/libapreq2.so.8
 /usr/bin/ld: cannot find -lexpat
First of all, in FBSD libexpat is in /usr/local which is not in the default 
search path
hence:
--with-expat=/usr/local should be in your configure line.

FreeBSD ports should do this for you.

I know this version works I'm currently using it.
expat-2.0.0_1(/usr/ports/textproc/expat2)
/usr/local/include/expat.h
/usr/local/include/expat_external.h
/usr/local/lib/libexpat.a
/usr/local/lib/libexpat.la
/usr/local/lib/libexpat.so
/usr/local/lib/libexpat.so.6

I tend to compile like such:

cd /usr/ports/www/p5-libapreq2

sudo make APACHE_PORT=www/apache20 WITH_PERL=yes \
    WITH_MODPERL2=yes WITH_APACHE2_APR=yes \
    WITH_AUTH_CATEGORY=yes \
    WITH_AUTHN_CATEGORY=yes \
    WITH_AUTHZ_CATEGORY=yes \
    WITH_CACHE_CATEGORY=yes \
    WITH_DAV_CATEGORY=yes \
    WITH_LDAP_CATEGORY=yes \
    WITH_MISC_CATEGORY=yes \
    WITH_PROXY_CATEGORY=yes \
    WITH_SSL_CATEGORY=yes \
    WITH_SUEXEC_CATEGORY=yes

which should build:
perl, httpd 2.0.x and its bundled apr/apr-util, mod_perl 2, mod_apreq2

AND all available mod_* that come bundled with httpd.

+ and dependencies.

-- 

Philip M. Gollucci ([EMAIL PROTECTED]) 323.219.4708
Consultant / http://p6m7g8.net/Resume/resume.shtml
Senior Software Engineer - TicketMaster - http://ticketmaster.com
1024D/A79997FA F357 0FDD 2301 6296 690F  6A47 D55A 7172 A799 97F

In all that I've done wrong I know I must have done something right to
deserve a hug every morning and butterfly kisses at night.
   __  ___ ___   __
  /  |/  /_ __/ __/ __ \/ /
 / /|_/ / // /\ \/ /_/ / /__
/_/  /_/\_, /___/\___\_\___/
   ___/


Re: sshd brute force attempts?

2006-09-20 Thread Elijah Savage

Joao Barros wrote:

On 9/19/06, Dan Mahoney, System Admin [EMAIL PROTECTED] wrote:

Hey all,

I've looked around and found several linux-centric things designed to
block brute-force SSH attempts.  Anyone out there know of something a 
bit

more BSD savvy?

My best attempt will be to get this:

http://www.csc.liv.ac.uk/~greg/sshdfilter/index_15.html

running and adapt it.

I've found a few things based on openBSD's pf, but that doesn't seem 
to be

the default in BSD either.

Any response appreciated.



I'm using BruteForceBlocker quite successfully.
I take the opportunity to thank danger for it :-)

http://www.freshports.org/security/bruteforceblocker/


I use /usr/ports/security/denyhost

It was very easy to install and set up; the config file is commented so 
well and has so many different parameters. I get reports like this 
anytime my thresholds are crossed.


Added the following hosts to /etc/hosts.deniedssh:

124.107.6.37 (124.107.6.37.pldt.net)





Re: Crash; shutdown

2006-09-20 Thread Derek Ragona
I have one system that also has an Nvidia video, after I update ports will 
crash if I don't rebuild the nvidia driver and X screensaver.  The 
screensaver makes it crash otherwise.


-Derek


At 06:33 PM 9/19/2006, Laurence Sanford wrote:
So I got up and walked away from my computer this afternoon, and came back 
to find it in the middle of shutting down. No good reason, no crash dump 
(yes, they're configured) no nothing, just this:


Sep 19 18:14:53 colossus syslogd: exiting on signal 15

At this point, everything sync'd up and the system shut down, completely, 
and powered off.


I've had it suggested that this could be a power supply going south. Any 
other ideas?







uname:
[EMAIL PROTECTED](/var/log)# uname -a
FreeBSD colossus.cotharyus.net 6.1-STABLE FreeBSD 6.1-STABLE #6: Sat 
Sep  2 04:56:20 CDT 2006 
[EMAIL PROTECTED]:/usr/obj/usr/src/sys/Colossus  i386



dmesg:
[EMAIL PROTECTED](/var/log)# dmesg

Re: sshd brute force attempts?

2006-09-20 Thread Eric
Elijah Savage wrote:
 Joao Barros wrote:
 On 9/19/06, Dan Mahoney, System Admin [EMAIL PROTECTED] wrote:
 Hey all,

 I've looked around and found several linux-centric things designed to
 block brute-force SSH attempts.  Anyone out there know of something a
 bit
 more BSD savvy?

 I use /usr/ports/security/denyhost
 
 It was very easy to install and setup the config file is commented so
 well and has so many different parameters. I get reports like this
 anytime my thresholds are crossed.
 
 Added the following hosts to /etc/hosts.deniedssh:
 
 124.107.6.37 (124.107.6.37.pldt.net)

another vote for denyhost. it works well and stops the attacks. Even tho
i use keys and not passwords, i still use it.


FreeBSD 5.4 no inodes left

2006-09-20 Thread Philip Radford
Hi All,

I am running FreeBSD 5.4 and have recently received the following message on 
our box for the /var partition.
No inodes left.

I have checked the statistics and there was an apache httpd log which was 
maxing out the usable space. I have since removed this file and the available 
space has dropped to over 50%. However I still get the 'no inodes left' message 
even though I have freed the space.

Does anyone know how I can get the inodes to be freed up on the /var partition.

Thanks in advance.

Regards
Phil.



Re: csh as default root Shell

2006-09-20 Thread Jerry McAllister
On Tue, Sep 19, 2006 at 05:59:03PM -0700, jekillen wrote:

 
 On Sep 18, 2006, at 7:43 PM, Jerry McAllister wrote:
 
 On Mon, Sep 18, 2006 at 07:34:09PM -0700, jekillen wrote:
 
 Hello;
 Since I have been advised by way of correspondence with  UUASC (Unix
 Users of Association of Southern California)
 that changing the root shell in FreeBSD is not advised and I have two
 machines up and running and a third on the
 way, I have purchased a text from (I don't know if it is appropriate
 for this list to mention the publisher by name but
 it is closely connected to the publisher of Absolute BSD).
 Has anyone any comments regarding this text based on familiarity 
 (Using
 Csh and Tcsh). I noticed the publication
 date is 1995. It's a manual of sorts, I'll read it before stumbling
 around on lists for answers to awk ward questions.
 
 You can mention any text you want.  Do we ban books in this country?
 well, it was the publisher that seemed, for some unspecified reason to
 cause a sort of silence in responses. It is O'Reilly and I also didn't 
 want
 to come across as promoting it because this is a noncommercial list.

Don't worry.   You can mention your sources and even favorites here
as long as you are not blatantly advertising.   

 I am learning as I go and do try using man pages as I go along but find
 them hard to digest. There's nothing wrong with the man pages, it is my
 lack of knowledge that I run up against when reading them. I have bought
 a ton of tech books from many different sources to get a reasonable
 perspective on important subjects. Take c programming, for instance; no
 one book can cover every aspect of c programming, and what is covered
 might not trip my light switches, whereas another author on the same
 aspect of the same subject might explain some thing in a way I can more
 easily understand.

The two FreeBSD books I think most people find most useful besides
the official FreeBSD Handbook are The Complete FreeBSD by Greg Leahy
and FreeBSD Unleashed by Michael Urban and Brian Tiemann.   The others
are pretty good, but those have kept up to date the best with new
editions.   Greg Leahy has said he will not make another new edition
and has made his entire text available free over the net, but I hope
he will finally get his arm twisted to make one that accommodates
FreeBSD 6.xxx and 7.xxx which have some significant changes in file
systems and kernel structure done for multi-threading.

 But, 1995 is kind of old as things go.  The book may have more recent
 editions.   Another source is the FreeBSD Handbook that is 
 available
 free online at the FreeBSD website and also in printed versions some
 places.
 I believe it is the same one I got when I purchased the install cd and 
 tools set; User's guide and Administrator's guide, or am I mistaken? 

It probably follows it closely, but I don't think it is quite the
same document.   If you go to the FreeBSD web site and click on the
FreeBSD Handbook link, you will find it all there.   It is pretty good.

   I don't know that
 there is enough of a difference between 5x and 6x to warrant a new 
 edition,
 but it covers 5x and not 6x which I have (6.0). Notable difference is 
 switch to
 xorg from xFree86. But the display configuration was good at detecting 
 my display and graphics card for me on the one machine I have Xwindows 
 installed on. 

There are some big changes inside, but not ones you would probably
notice as a basic user.   If you start doing some programming, you
will run in to them.

I do prefer tcsh to the other shells.
But, everyone seems to have their own preference.
But, leave the main root shell as /bin/sh just because it is
those times when things are down and you need it most that it
will come and bite you.

jerry

 jerry
 
 Thanks for the response, I have big gaps in my knowledge and have gotten
 by with very specific problems and solutions. I am trying to bulk out 
 my understanding.
 I'll spend more time with the stuff I have to hand.
 Jeff K
 
 
 Thanks in advance.
 Jeff K.
 
 


Re: FreeBSD 5.4 no inodes left

2006-09-20 Thread albi
On Wed, 20 Sep 2006 15:54:39 +0100
Philip Radford [EMAIL PROTECTED] wrote:

 I am running FreeBSD 5.4 and have recently received the following
 message on our box for the /var partition. No inodes left.
 
 I have checked the statistics and there was an apache httpd log which
 was maxing out the usable space. I have since removed this file and
 the available space has dropped to over 50%. However I still get the
 'no inodes left' message even though I have freed the space.
 
 Does anyone know how I can get the inodes to be freed up on the /var
 partition.

if possible i would do the following, take down the machine, make
a backup of /var, wipe out the data on /var, reformat, restore backup

-- 
grtjs,
albi


Dummynet in an IPFilter setup

2006-09-20 Thread Odhiambo Washington
Hiya,

Since freebsd-ipfw is dead and mostly for spammers, let me try my luck 
here once more ;)

I am trying to prove a point to a customer - that he can save the cost
of expensive routing hardware by just having a FreeBSD box on their LAN.
Unfortunately, this also means that I need to spend days reading about
IPFW, which, sincerely, is not one of those firewall implementations 
that is easy for me. I therefore need help to prove a point and keep
a customer..

The scenario:

I am running a FreeBSD 5.x box with IPFilter/IPNAT. The box has two 
interfaces at the moment, external interface connected to the hostile
Internet and internal interface connected to a switch for the LAN.

The ISP gives 256Kbit/s on the external interface. Out of this, I
need to dedicate/guarantee 128Kbit/s to just one machine.

A streaming server has been introduced on the LAN, and it is considered
a VIP host as far as bandwidth allocation is concerned.
The problem is that p2p is also officially allowed on the LAN. I hate
it but it is allowed. Period. No argument about it.

I need to guarantee 128Kbit/s of the available bandwidth to the 
streaming host (server, if you can call it).


My thinking/plan:

1. Add one more NIC to the FreeBSD box (it's also the router, 
  firewall, _everything_ server) and put this on a separate IP block.
  To this NIC I will connect the VIP host, which needs the guaranteed
  bandwidth. I will therefore NAT traffic to/from it.

2. Restrict the current LAN hosts to 128Kbit/s via ipfw pipe. To me, 
   this means that:
   (a) They cannot go beyond 128Kbit/s
   (b) The VIP box will go above 128K/bit's in case the throttled
   LAN is not using all of the 128Kbit/s

I need to control bandwidth on the external interface only, not on the
LAN (internal interfaces).

Is this rightful thinking or sheer imagination which is not practical?


My problem:


Most important is being dumb when it comes to IPFW and hence the pipes
and all that pertains to it.

Here is my ipfw configuration, in black and white (firewall_type=OPEN)


# Outside interface network and netmask and ip
oif=bfe0
iif=xl0
onet=62.8.68.0
omask=255.255.255.252
oip=62.8.68.22

# Inside interface network and netmask and ip
iif=xl0
inet=10.0.0.0
imask=255.255.255.0
iip=10.0.0.2

ipfw pipe 1 config bw 128Kbit/s

# Allow any traffic to or from my own net.
${fwcmd} add pass all from ${iip} to ${inet}:${imask}
${fwcmd} add pass all from ${inet}:${imask} to ${iip}

# Throttle now
ipfw add pipe 1 tcp from $${inet}:${imask} to any out via ${oif} state
${fwcmd} add 65000 pass all from any to any


With this configuration, it seems like even LAN-LAN communication is 
being restricted to 128Kbit/s. I am not sure why, as simple as it looks!
Can someone tell me why that is happening?

Now, supposing the 3rd NIC was on 10.0.1.0/24 network, and there is no
bandwidth limitation configuration, is it not true that I will have 
achieved my goal?

I'll simply give the FreeBSD box 10.0.1.1 and the VIP box 10.0.1.2 and
have a static route for the VIP box, with NAT for any connections 
to/from it.


I'll really appreciate any help/advise towards a perfect configuration
for the firewall, and how I can get this to work.

Thanks in advance.



-Wash

http://www.netmeister.org/news/learn2quote.html

DISCLAIMER: See http://www.wananchi.com/bms/terms.php

--
+==+
|\  _,,,---,,_ | Odhiambo Washington[EMAIL PROTECTED]
Zzz /,`.-'`'-.  ;-;;,_ | Wananchi Online Ltd.   www.wananchi.com
   |,4-  ) )-,_. ,\ (  `'-'| Tel: +254 20 313985-9  +254 20 313922
  '---''(_/--'  `-'\_) | GSM: +254 722 743223   +254 733 744121
+==+

Minnie Mouse is a slow maze learner.


Re: FreeBSD 5.4 no inodes left

2006-09-20 Thread Bill Moran
In response to Philip Radford [EMAIL PROTECTED]:

 Hi All,
 
 I am running FreeBSD 5.4 and have recently received the following message on 
 our box for the /var partition.
 No inodes left.
 
 I have checked the statistics and there was an apache httpd log which was 
 maxing out the usable space. I have since removed this file and the available 
 space has dropped to over 50%. However I still get the 'no inodes left' 
 message even though I have freed the space.
 
 Does anyone know how I can get the inodes to be freed up on the /var 
 partition.

inodes are used for file entries.  Each file/directory uses an inode.
When you run out of inodes, you can't create any more files, no matter
how much space you have left.

df -i will show inode usage.

The only way to free up inodes is to delete some files/directories.
You must have a lot of files or directories somewhere to be using up
all your inodes when you have 50% of the disk left.  Once you find
out where all the files are, you can delete some, or possibly tar
them up so they only take up a single inode.

-- 
Bill Moran
Collaborative Fusion Inc.


Re: FreeBSD 5.4 no inodes left

2006-09-20 Thread Bill Moran
In response to albi [EMAIL PROTECTED]:

 On Wed, 20 Sep 2006 15:54:39 +0100
 Philip Radford [EMAIL PROTECTED] wrote:
 
  I am running FreeBSD 5.4 and have recently received the following
  message on our box for the /var partition. No inodes left.
  
  I have checked the statistics and there was an apache httpd log which
  was maxing out the usable space. I have since removed this file and
  the available space has dropped to over 50%. However I still get the
  'no inodes left' message even though I have freed the space.
  
  Does anyone know how I can get the inodes to be freed up on the /var
  partition.
 
 if possible i would do the following, take down the machine, make
 a backup of /var, wipe out the data on /var, reformat, restore backup

What would be your rationale for such an approach?

Sounds like reinstalling Windows to get rid of 1 virus.

-- 
Bill Moran
Collaborative Fusion Inc.


Re: dial in modem

2006-09-20 Thread Derek Ragona
It may be the modem needs to be reset as someone else called into it.  I 
always save any modem settings to nvram on the modem so if it is reset the 
settings are correct.


-Derek

At 08:45 PM 9/19/2006, Geeta Nagpal wrote:

Dear Problem Solver,

  Greetings from Singapore :-)

  I have had a strange problem with my dial up modem.  It is connected to 
a unix server, and I was able to dial in and connect to the server for 2 
days.  Now suddenly, when I dial in, I get some junk characters , instead 
of a login prompt!!! I read on the net that this happens when the modem 
speed is different from the getty speed.. but the strange part is that I 
have been using the same settings for 2 days, when suddenly today morning 
I started seeing the junk chars !!


  Any suggestions? :-)

  Kind regards,
Geeta


Luck is Opportunity meeting Preparedness...



Re: Dummynet in an IPFilter setup

2006-09-20 Thread Bill Moran
In response to Odhiambo Washington [EMAIL PROTECTED]:

[snip]

 The scenario:
 
 I am running a FreeBSD 5.x box with IPFilter/IPNAT. The box has two 
 interfaces at the moment, external interface connected to the hostile
 Internet and internal interface connected to a switch for the LAN.
 
 The ISP gives 256Kbit/s on the external interface. Out of this, I
 need to dedicate/guarantee 128Kbit/s to just one machine.
 
 A streaming server has been introduced on the LAN, and it is considered
 a VIP host as far as bandwidth allocation is concerned.
 The problem is that p2p is also officially allowed on the LAN. I hate
 it but it is allowed. Period. No argument about it.
 
 I need to guarantee 128Kbit/s of the available bandwidth to the 
 streaming host (server, if you can call it).
 
 
 My thinking/plan:
 
 1. Add one more NIC to the FreeBSD box (it's also the router, 
   firewall, _everything_ server) and put this on a separate IP block.
   To this NIC I will connect the VIP host, which needs the guaranteed
   bandwidth. I will therefore NAT traffic to/from it.
 
 2. Restrict the current LAN hosts to 128Kbit/s via ipfw pipe. To me, 
this means that:
(a) They cannot go beyond 128Kbit/s
(b) The VIP box will go above 128K/bit's in case the throttled
LAN is not using all of the 128Kbit/s
 
 I need to control bandwidth on the external interface only, not on the
 LAN (internal interfaces).
 
 Is this rightful thinking or sheer imagination which is not practical?

Seems reasonable.  See below ...

 My problem:
 
 
 Most important is being dumb when it comes to IPFW and hence the pipes
 and all that pertains to it.
 
 Here is my ipfw configuration, in black and white (firewall_type=OPEN)
 
 
 # Outside interface network and netmask and ip
 oif=bfe0
 iif=xl0
 onet=62.8.68.0
 omask=255.255.255.252
 oip=62.8.68.22
 
 # Inside interface network and netmask and ip
 iif=xl0
 inet=10.0.0.0
 imask=255.255.255.0
 iip=10.0.0.2
 
 ipfw pipe 1 config bw 128Kbit/s
 
 # Allow any traffic to or from my own net.
 ${fwcmd} add pass all from ${iip} to ${inet}:${imask}
 ${fwcmd} add pass all from ${inet}:${imask} to ${iip}
 
 # Throttle now
 ipfw add pipe 1 tcp from $${inet}:${imask} to any out via ${oif} state
   ^^

Is this direct cut/paste?  If so, you've got a sticky $ key.

 ${fwcmd} add 65000 pass all from any to any
 
 
 With this configuration, it seems like even LAN-LAN communication is 
 being restricted to 128Kbit/s. I am not sure why, as simple as it looks!
 Can someone tell me why that is happening?
 
 Now, supposing the 3rd NIC was on 10.0.1.0/24 network, and there is no
 bandwidth limitation configuration, is it not true that I will have 
 achieved my goal?
 
 I'll simply give the FreeBSD box 10.0.1.1 and the VIP box 10.0.1.2 and
 have a static route for the VIP box, with NAT for any connections 
 to/from it.
 
 
 I'll really appreciate any help/advise towards a perfect configuration
 for the firewall, and how I can get this to work.
 
 Thanks in advance.


-- 
Bill Moran
Collaborative Fusion Inc.


Re: Dummynet in an IPFilter setup

2006-09-20 Thread Erik Norgaard

Odhiambo Washington wrote:

> I need to control bandwidth on the external interface only, not on the
> LAN (internal interfaces).
>
> Is this rightful thinking or sheer imagination which is not practical?


If you're happy with IPFilter and need to ensure minimum bandwidth for 
some network segment, take a look at packet filter, you can take much of 
your knowledge with you and then set up queues that will ensure the 
minimum bandwidth. And you don't need extra interfaces.


Cheers, Erik

--
Ph: +34.666334818  web: http://www.locolomo.org
X.509 Certificate: http://www.locolomo.org/crt/8D03551FFCE04F0C.crt
Key ID: 69:79:B8:2C:E3:8F:E7:BE:5D:C3:C3:B1:74:62:B8:3F:9F:1F:69:B9


Re: FreeBSD 5.4 no inodes left

2006-09-20 Thread Alex Zbyslaw

Philip Radford wrote:

> Hi All,
>
> I am running FreeBSD 5.4 and have recently received the following message on 
> our box for the /var partition.
> No inodes left.
>
> I have checked the statistics and there was an apache httpd log which was 
> maxing out the usable space. I have since removed this file and the available 
> space has dropped to over 50%. However I still get the 'no inodes left' message 
> even though I have freed the space.
>
> Does anyone know how I can get the inodes to be freed up on the /var partition.
 


You have *not* run out of space.

A single inode corresponds to a single file or directory, so deleting 
one large file frees precisely one inode which isn't going to last 
long.  (And if the file you deleted was still held open, you won't even 
have freed that inode).


Do a df -i /var to see how many inodes are left.  Something has 
created a large *number* of files on /var - they might be 0 bytes each 
and it wouldn't matter.


Try man inode for more information.

--Alex
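
Finding where the inodes went, as both replies above suggest, comes down to counting directory entries rather than bytes. The script below is an added example, not code from the thread; the function names inode_dirs and inode_rollup are hypothetical, and it assumes a find(1) that supports -xdev and -mindepth (FreeBSD and GNU find both do).

```shell
#!/bin/sh
# Added example: locate what is consuming inodes on one filesystem.
# Every file, directory, symlink, socket etc. costs one inode, so the
# counts below are entry counts, not sizes.
# Caveats: names containing newlines are miscounted, and a file with
# several hard links is counted once per name although it uses one inode.

# inode_dirs DIR [N]
# Print the N directories under DIR that directly hold the most entries.
# This finds the single spool or session directory with a runaway
# number of small files.
inode_dirs() {
    ( cd "$1" 2>/dev/null || exit 1
      # -xdev keeps find on the filesystem DIR lives on, so a check of
      # /var does not wander into other mounts.
      find . -xdev -mindepth 1 2>/dev/null |
      awk '{ p = $0; sub("/[^/]*$", "", p); n[p]++ }   # p = parent dir
           END { for (d in n) printf "%d\t%s\n", n[d], d }' |
      sort -k1,1nr -k2 | head -n "${2:-10}" )
}

# inode_rollup DIR [N]
# Print, for each immediate child of DIR, the number of entries in its
# whole subtree (the child itself included), largest first.
inode_rollup() {
    ( cd "$1" 2>/dev/null || exit 1
      find . -xdev -mindepth 1 2>/dev/null |
      awk -F/ '{ n[$2]++ }                  # $2 = first path component
               END { for (d in n) printf "%d\t%s\n", n[d], d }' |
      sort -k1,1nr -k2 | head -n "${2:-10}" )
}

# Typical use on the affected machine, after "df -i /var" has confirmed
# that the inode table is the exhausted resource:
#   inode_rollup /var 5
#   inode_dirs   /var 5
```

Paths in the output are relative to the directory given as the first argument.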




Re: Dummynet in an IPFilter setup

2006-09-20 Thread Odhiambo Washington
* On 20/09/06 11:16 -0400, Bill Moran wrote:
| In response to Odhiambo Washington [EMAIL PROTECTED]:
| 
| [snip]
| 
|  The scenario:
|  
|  I am running a FreeBSD 5.x box with IPFilter/IPNAT. The box has two 
|  interfaces at the moment, external interface connected to the hostile
|  Internet and internal interface connected to a switch for the LAN.
|  
|  The ISP gives 256Kbit/s on the external interface. Out of this, I
|  need to dedicate/guarantee 128Kbit/s to just one machine.
|  
|  A streaming server has been introduced on the LAN, and it is considered
|  a VIP host as far as bandwidth allocation is concerned.
|  The problem is that p2p is also officially allowed on the LAN. I hate
|  it but it is allowed. Period. No argument about it.
|  
|  I need to guarantee 128Kbit/s of the available bandwidth to the 
|  streaming host (server, if you can call it).
|  
|  
|  My thinking/plan:
|  
|  1. Add one more NIC to the FreeBSD box (it's also the router, 
|firewall, _everything_ server) and put this on a separate IP block.
|To this NIC I will connect the VIP host, which needs the guaranteed
|bandwidth. I will therefore NAT traffic to/from it.
|  
|  2. Restrict the current LAN hosts to 128Kbit/s via ipfw pipe. To me, 
| this means that:
| (a) They cannot go beyond 128Kbit/s
| (b) The VIP box will go above 128K/bit's in case the throttled
| LAN is not using all of the 128Kbit/s
|  
|  I need to control bandwidth on the external interface only, not on the
|  LAN (internal interfaces).
|  
|  Is this rightful thinking or sheer imagination which is not practical?
| 
| Seems reasonable.  See below ...

Thanks, Bill for that verification.


|  My problem:
|  
|  
|  Most important is being dumb when it comes to IPFW and hence the pipes
|  and all that pertains to it.
|  
|  Here is my ipfw configuration, in black and white (firewall_type=OPEN)
|  
|  
|  # Outside interface network and netmask and ip
|  oif=bfe0
|  iif=xl0
|  onet=62.8.68.0
|  omask=255.255.255.252
|  oip=62.8.68.22
|  
|  # Inside interface network and netmask and ip
|  iif=xl0
|  inet=10.0.0.0
|  imask=255.255.255.0
|  iip=10.0.0.2
|  
|  ipfw pipe 1 config bw 128Kbit/s
|  
|  # Allow any traffic to or from my own net.
|  ${fwcmd} add pass all from ${iip} to ${inet}:${imask}
|  ${fwcmd} add pass all from ${inet}:${imask} to ${iip}
|  
|  # Throttle now
|  ipfw add pipe 1 tcp from $${inet}:${imask} to any out via ${oif} 
state
|^^
| 
| Is this direct cut/paste? If so, you've got a sticky $ key.

Yes, it was a paste in the process of modifying ;)
Noted with thanks.

| 
|  ${fwcmd} add 65000 pass all from any to any
|  
|  
|  With this configuration, it seems like even LAN-LAN communication is 
|  being restricted to 128Kbit/s. I am not sure why, as simple as it looks!
|  Can someone tell me why that is happening?
|  
|  Now, supposing the 3rd NIC was on 10.0.1.0/24 network, and there is no
|  bandwidth limitation configuration, is it not true that I will have 
|  achieved my goal?
|  
|  I'll simply give the FreeBSD box 10.0.1.1 and the VIP box 10.0.1.2 and
|  have a static route for the VIP box, with NAT for any connections 
|  to/from it.
|  
|  
|  I'll really appreciate any help/advise towards a perfect configuration
|  for the firewall, and how I can get this to work.
|  
|  Thanks in advance.


Bill, you did not say anything on my problem with intra-LAN traffic. 
Does that mean this configuration is okay, and should not at all affect 
traffic within the LAN?


 

Best regards,
Odhiambo Washington
Systems Admin,
Wananchi Online Ltd.

Are you hosting your domain name with the leaders??: 
See http://webhosting.info/webhosts/tophosts/Country/KE


DISCLAIMER: See http://www.wananchi.com/bms/terms.php
--+-
 Odhiambo WASHINGTON. WANANCHI ONLINE LTD (Nairobi, KE)
 http://www.wananchi.com/email/ . 1ere Etage, Laptrust Plaza, Loita St.,
 Mobile: (+254) 722 743 223 . # 10286, 00100 NAIROBI
--+-
Many are the plans in a man's heart,
but it is the Lord's purpose that prevails.
Proverbs 19:21
 



Re: sshd brute force attempts?

2006-09-20 Thread Pietro Cerutti

Elijah Savage wrote:
> another vote for denyhost. it works well and stops the attacks. Even tho
> i use keys and not passwords, i still use it.


just a DITTO great piece of soft!

--
Pietro Cerutti
ICQ: 117293691
PGP: 0x9571F78E

- ASCII Ribbon Campaign -
against HTML e-mail and
proprietary attachments
  www.asciiribbon.org


Re: sshd brute force attempts?

2006-09-20 Thread Erik Norgaard

Elijah Savage wrote:
> Joao Barros wrote:
>> I'm using BruteForceBlocker quite successfully.
>> I take the opportunity to thank danger for it :-)
>>
>> http://www.freshports.org/security/bruteforceblocker/
>
> I use /usr/ports/security/denyhost
>
> It was very easy to install and setup the config file is commented so 
> well and has so many different parameters. I get reports like this 
> anytime my thresholds are crossed.


Both seem to do the same thing, react to failed attempts by maintaining 
statistics of offending hosts. But this is a losing game, it assumes a 
default permit policy - you might wish to read Ranum's The Six Dumbest 
Ideas in Computer Security:


  http://www.ranum.com/security/computer_security/index.html

So, great you block an ip from some offending host - after it stopped. 
And if the same host comes back then it will likely have a different ip. 
Nothing gained.


Taking the consequences, employ a default deny policy. Then allow what 
you can trust.


1) As I wrote elsewhere, almost everyone can block out the large part of 
the Internet. Allow only the countries that you know your users are 
likely to visit, a filter is here


  http://www.daemonsecurity.com/pub/src/tools/cc-cidr.pl

Of course, this won't be perfect, there are also compromised machines in 
good countries. When you see the remaining attacks, don't just block the 
ip but the whole network as registered with whois. whois.cyberabuse.org 
produces output that can easily be scripted.


You can be more restrictive and enforce stronger authentication, and it 
is very simple to implement:


2) Do you trust any system? Packet filter includes passive OS 
fingerprinting that allows you to block untrusted systems. Why allow 
your users to login from depreciated Windows 95/98/ME hosts?


3) Disable shell access, or at least ssh access, for common system users.

4) Enforce strong passwords or switch to ssh-keys.

Finally: Relax!

Yes, there are some entries in your log, but evidently no one got in, so 
why care? There are tons of cracking attempts in your apache log files, 
there are tons of relaying attempts in your maillog.


All these attempts consume bandwidth and diskspace as the connection is 
attempted and logged. But if this does not interrupt your service there 
is really no need to worry about it.


Blocking failed login attempts does not make your system safer - the 
attempt failed! The log will just be in your firewall log.


In the vast majority of cases, these are scripted attacks and are 
defeated by simple means such as those described above.


You will be wasting your time trying to block individual hosts as events 
occur. Meanwhile other problems do not get your attention, spam is much 
more difficult to handle and a much greater problem than failed ssh 
attempts.


Cheers, Erik

--
Ph: +34.666334818  web: http://www.locolomo.org
X.509 Certificate: http://www.locolomo.org/crt/8D03551FFCE04F0C.crt
Key ID: 69:79:B8:2C:E3:8F:E7:BE:5D:C3:C3:B1:74:62:B8:3F:9F:1F:69:B9
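
Before enforcing the default-deny policy described above, a proposed allowlist can be replayed against existing sshd logs to see what it would have dropped and whom it would have locked out. This is an added example, not from the post: replay_allowlist and demo are hypothetical names, the log lines and networks are constructed (RFC 5737 documentation ranges), and the OpenSSH syslog line format is assumed.

```shell
#!/bin/sh
# Added example: dry-run a default-deny SSH allowlist against an auth log.

# replay_allowlist LOGFILE ALLOWFILE
# ALLOWFILE holds one IPv4 address or CIDR per line, "#" starts a comment.
# Prints four tab-separated counters:
#   failed_dropped        failed logins the firewall would never let in
#   failed_reaching_sshd  failed logins from allowed networks
#   accepted_ok           successful logins from allowed networks
#   accepted_locked_out   successful logins the policy would block, with IPs
replay_allowlist() {
    awk -v allow="$2" '
    function ip2n(s,   o) {
        if (split(s, o, ".") != 4) return -1
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    function allowed(ip,   n, i, size) {
        n = ip2n(ip)
        if (n < 0) return 0            # not dotted-quad IPv4: treat as denied
        for (i = 1; i <= nets; i++) {
            size = 2 ^ (32 - bits[i])  # addresses covered by this prefix
            if (int(n / size) == int(base[i] / size)) return 1
        }
        return 0
    }
    BEGIN {
        while ((getline line < allow) > 0) {
            sub(/#.*/, "", line); gsub(/[ \t]/, "", line)
            if (line == "") continue
            split(line, c, "/")
            if (ip2n(c[1]) < 0) continue
            nets++
            base[nets] = ip2n(c[1])
            bits[nets] = (c[2] == "" ? 32 : c[2] + 0)
        }
    }
    # The user name in these lines is supplied by the client, so the source
    # address is taken from the fixed tail "from IP port N ssh2" rather than
    # from the first "from" in the line.
    /sshd/ && NF >= 5 && $(NF-4) == "from" && $(NF-2) == "port" {
        ip = $(NF-3); ok = allowed(ip)
        if ($0 ~ /Failed password/) {
            if (ok) reach++; else drop++
        } else if ($0 ~ /Accepted /) {
            if (ok) good++
            else {
                locked++
                if (!(ip in seen)) { seen[ip] = 1; who = who (who == "" ? "" : " ") ip }
            }
        }
    }
    END {
        printf "failed_dropped\t%d\n", drop
        printf "failed_reaching_sshd\t%d\n", reach
        printf "accepted_ok\t%d\n", good
        printf "accepted_locked_out\t%d\t%s\n", locked, who
    }' "$1"
}

# demo: run the replay over constructed sample data.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/allow" <<'EOF'
# constructed allowlist
198.51.100.0/24   # office
192.0.2.64/26     # VPN pool
EOF
    cat > "$tmp/auth.log" <<'EOF'
Sep 20 10:01:02 gw sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2
Sep 20 10:01:04 gw sshd[1203]: Failed password for root from 203.0.113.5 port 4243 ssh2
Sep 20 10:05:11 gw sshd[1240]: Failed password for invalid user test from 198.51.100.77 port 5151 ssh2
Sep 20 10:07:30 gw sshd[1251]: Accepted publickey for alice from 198.51.100.7 port 50022 ssh2
Sep 20 10:09:45 gw sshd[1260]: Accepted publickey for bob from 192.0.2.130 port 50023 ssh2
EOF
    replay_allowlist "$tmp/auth.log" "$tmp/allow"
    rm -rf "$tmp"
}
```

A non-zero accepted_locked_out count means the allowlist needs widening before the block rule goes live; failed_reaching_sshd is the residue that strong passwords or keys still have to absorb.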


Re: Dummynet in an IPFilter setup

2006-09-20 Thread Odhiambo Washington
* On 20/09/06 17:16 +0200, Erik Norgaard wrote:
| Odhiambo Washington wrote:
| 
| I need to control bandwidth on the external interface only, not on the
| LAN (internal interfaces).
| 
| Is this rightful thinking or sheer imagination which is not practical?
| 
| If you're happy with IPFilter and need to ensure minimum bandwidth for 
| some network segment, take a look at packet filter, you can take much of 
| your knowledge with you and then set up queues that will ensure the 
| minimum bandwidth. And you don't need extra interfaces.

That is the way to go ultimately, but I am still a newbie with PF.
I would not want to transfer my newbie-ness into a customer's network ;)
I am happy with IPFilter, yes, but I am gradually shifting to PF, but
I have to graduate before I can put that out there.
At the moment, I just want to solve an immediate problem which has
presented itself.


-Wash

http://www.netmeister.org/news/learn2quote.html

DISCLAIMER: See http://www.wananchi.com/bms/terms.php

--
+==+
|\  _,,,---,,_ | Odhiambo Washington[EMAIL PROTECTED]
Zzz /,`.-'`'-.  ;-;;,_ | Wananchi Online Ltd.   www.wananchi.com
   |,4-  ) )-,_. ,\ (  `'-'| Tel: +254 20 313985-9  +254 20 313922
  '---''(_/--'  `-'\_) | GSM: +254 722 743223   +254 733 744121
+==+

A university is what a college becomes when the faculty loses interest
in students.
-- John Ciardi


Re: Dummynet in an IPFilter setup

2006-09-20 Thread Bill Moran
In response to Odhiambo Washington [EMAIL PROTECTED]:

 * On 20/09/06 11:16 -0400, Bill Moran wrote:
 | In response to Odhiambo Washington [EMAIL PROTECTED]:
 | 
 | [snip]
 | 
 |  The scenario:
 |  
 |  I am running a FreeBSD 5.x box with IPFilter/IPNAT. The box has two 
 |  interfaces at the moment, external interface connected to the hostile
 |  Internet and internal interface connected to a switch for the LAN.
 |  
 |  The ISP gives 256Kbit/s on the external interface. Out of this, I
 |  need to dedicate/guarantee 128Kbit/s to just one machine.
 |  
 |  A streaming server has been introduced on the LAN, and it is considered
 |  a VIP host as far as bandwidth allocation is concerned.
 |  The problem is that p2p is also officially allowed on the LAN. I hate
 |  it but it is allowed. Period. No argument about it.
 |  
 |  I need to guarantee 128Kbit/s of the available bandwidth to the 
 |  streaming host (server, if you can call it).
 |  
 |  
 |  My thinking/plan:
 |  
 |  1. Add one more NIC to the FreeBSD box (it's also the router, 
 |firewall, _everything_ server) and put this on a separate IP block.
 |To this NIC I will connect the VIP host, which needs the guaranteed
 |bandwidth. I will therefore NAT traffic to/from it.
 |  
 |  2. Restrict the current LAN hosts to 128Kbit/s via ipfw pipe. To me, 
 | this means that:
 | (a) They cannot go beyond 128Kbit/s
 | (b) The VIP box will go above 128K/bit's in case the throttled
 | LAN is not using all of the 128Kbit/s
 |  
 |  I need to control bandwidth on the external interface only, not on the
 |  LAN (internal interfaces).
 |  
 |  Is this rightful thinking or sheer imagination which is not practical?
 | 
 | Seems reasonable.  See below ...
 
 Thanks, Bill for that verification.
 
 
 |  My problem:
 |  
 |  
 |  Most important is being dumb when it comes to IPFW and hence the pipes
 |  and all that pertains to it.
 |  
 |  Here is my ipfw configuration, in black and white (firewall_type=OPEN)
 |  
 |  
 |  # Outside interface network and netmask and ip
 |  oif=bfe0
 |  iif=xl0
 |  onet=62.8.68.0
 |  omask=255.255.255.252
 |  oip=62.8.68.22
 |  
 |  # Inside interface network and netmask and ip
 |  iif=xl0
 |  inet=10.0.0.0
 |  imask=255.255.255.0
 |  iip=10.0.0.2
 |  
 |  ipfw pipe 1 config bw 128Kbit/s
 |  
 |  # Allow any traffic to or from my own net.
 |  ${fwcmd} add pass all from ${iip} to ${inet}:${imask}
 |  ${fwcmd} add pass all from ${inet}:${imask} to ${iip}
 |  
 |  # Throttle now
 |  ipfw add pipe 1 tcp from $${inet}:${imask} to any out via ${oif} 
 state
 |^^
 | 
 | Is this direct cut/paste? If so, you've got a sticky $ key.
 
 Yes, it was a paste in the process of modifying ;)
 Noted with thanks.
 
 | 
 |  ${fwcmd} add 65000 pass all from any to any
 |  
 |  
 |  With this configuration, it seems like even LAN-LAN communication is 
 |  being restricted to 128Kbit/s. I am not sure why, as simple as it looks!
 |  Can someone tell me why that is happening?
 |  
 |  Now, supposing the 3rd NIC was on 10.0.1.0/24 network, and there is no
 |  bandwidth limitation configuration, is it not true that I will have 
 |  achieved my goal?
 |  
 |  I'll simply give the FreeBSD box 10.0.1.1 and the VIP box 10.0.1.2 and
 |  have a static route for the VIP box, with NAT for any connections 
 |  to/from it.
 |  
 |  
 |  I'll really appreciate any help/advice towards a perfect configuration
 |  for the firewall, and how I can get this to work.
 |  
 |  Thanks in advance.
 
 
 Bill, you did not say anything on my problem with intra-LAN traffic. 
 Does that mean this configuration is okay, and should not at all affect 
 traffic within the LAN?

I assumed that any problems you were seeing were a result of the typo.

Seems to me that the config you propose will do what you want, but I
haven't spent a lot of time thinking about it.

Besides, these kinds of configs rarely work perfectly on the first try,
it usually takes a bit of tweaking after you implement them, as a result
of unforeseen consequences.  I think you've got a good starting point
and you should just monitor the set up for a while after implementation.

-- 
Bill Moran
Collaborative Fusion Inc.



Re: Why is GNATs refusing my posts?

2006-09-20 Thread [LoN]Kamikaze

Thomas Sandford wrote:
 I recently tried to send a PR (for an updated port), and got the
 following response:
 
 --- 8---
 This is a canned auto-reply to your recent email to the bug submission
 address.
 
 Your message has been identified as likely spam and has been discarded.
 
 If you feel this is an error, please submit your report via the web
 interface or directly on the freebsd-bugs mailing list.
 
 --- 8---
 
 Frankly this is just DUMB. Autoresponding to (as opposed to bouncing)
 spam is most likely going to hit someone other than the spammer.
 
 It gives me ZERO information as to why the mail system didn't like my
 post, so I have no means of working out what I should change to appear
 less like a source of spam.
 
 Since the mail sent was a properly formatted PR (generated by
 devel/porttools), and the mail system got as far as accepting my email
 before generating an autoresponse, it could/should at least have parsed
 the email to see if it looked like a PR before rejecting it.
 
 
 Furthermore it doesn't even seem to be consistent, since a PR submitted
 the self same way about 4 days ago got through just fine.
 
 I've now got to rewrite the description part of the bug submission
 (since it didn't copy my message back to me) and try and work out a way
 of getting past the filter (there's no point in trying to submit the PR
 through the web, as the web form clearly states Note: copy/paste will
 destroy TABs and spacing, and this web form should not be used to submit
 code as plain text.).
 
 Spam is a major, worldwide problem - but transferring the problem to
 someone else is NOT a solution.
 
 Oh - and if you hadn't guessed - this has really cheesed me off!

The same thing happened to me today. I just sent the mail again,
with one line changed and it got through.


Using FreeBSD as a router

2006-09-20 Thread Robert Fitzpatrick
It's time to upgrade my old Cisco 10Mbps router and I am seriously 
considering using FreeBSD. I have found some solutions and wonder what 
one would recommend here on the list...


Solution 1: http://tomclegg.net/256-router
Solution 2: http://m0n0.ch/wall/index.php

I want to duplicate my Cisco setup. It has 4 Ethernet ports with the WAN 
subnet assigned to the WAN port and 3 different subnets assigned to each 
of the remaining 3 ports leading to their VLANs on the switch. Looking 
for advice from those who have used the above solutions and their 
experiences.


Thanks in advance!

--
Robert


Re: Using FreeBSD as a router

2006-09-20 Thread Henrik Lidström

Robert Fitzpatrick wrote:
It's time to upgrade my old Cisco 10Mbps router and I am seriously 
considering using FreeBSD. I have found some solutions and wonder what 
one would recommend here on the list...


Solution 1: http://tomclegg.net/256-router
Solution 2: http://m0n0.ch/wall/index.php 

pfSense is also very nice!

http://www.pfsense.com/

/Henrik


Re: sshd brute force attempts?

2006-09-20 Thread Dan Mahoney, System Admin

On Wed, 20 Sep 2006, Erik Norgaard wrote:


Dan Mahoney, System Admin wrote:

On Tue, 19 Sep 2006, Erik Norgaard wrote:

Along with some good advice. First of all: ssh is not a public service 
like http or smtp where you need anyone to be able to connect. So don't 
let them in the first place.


It is in this case.  It's a web server that allows shell usage (and 
encourages it, as I actually advocate the power that comes with a shell as 
opposed to the primitive (and less secure) interface you may get with crap 
utilities like cpanel, or FTP (where you're at the mercy of the featureset 
of your particular app).


I think you misunderstood what I meant by public service, or maybe it wasn't 
clear: By a public service I mean a service available for anyone, even 
anonymously: You're not going to register the world to let people send mail 
to your server, (while you may (recommended) require authentication to send 
mail from your server).


Your ssh service should only be available to your users.


True enough, but so is/should pop3, and we're not having this problem 
there.  Nor is there even an option for publickey auth (even though it 
uses PAM).


People can always manage access badly. Yes, you may not be sure of password 
protection on the keys, but the intruder first needs to get a copy of the 
key. If this is stored on a usb-stick the user carries with him, or only on 
systems that require local authentication first, then I think you're better 
off than password based ssh.


I think that people can better understand and manage a physical thing like a 
usb-stick and use that as their key. If the capacity is small enough, it is 
unlikely that people will use it for other stuff and accidentally delete the 
key.


Yes, and then if/WHEN they do lose it, it's all the much MORE trouble to 
regenerate it and walk them through the motions of re-uploading it.


You may still find sshd login denied entries in your log - so what? it was 
denied! This is really only a problem if the traffic saturates your 
connection, or your log files grow so much that you run out of diskspace.


It was denied, yes...but when it's denied for 200 different users from the 
same IP, it only takes one user with a weak password (and as much as I like 
keys, I personally prefer the passwords).  I also find that since I have a 
nice web-enabled SSH app (as part of usermin), the key becomes sorta 
useless in that case.


As you read the article they had a password logger to see what passwords were 
attempted, quite interesting very very weak passwords. You can easily weed 
out bad password by running a cracker and forcing your users to change.


This is definitely in the plan -- password crackers eat CPU like 
nobody's business so it would have to run off site but I've done this 
before with crack.  I may try John this time.


I would like to find an alternative to passwd that can enforce a password 
policy, like min. 8 chars, upper AND lower case chars and numbers.


I've managed to very easily compile passwd against cracklib.  Cracklib is 
in ports and easy to build -- FreeBSD could use (but I haven't filed the 
requests) a) an option in make.conf to prevent passwd from getting built 
on a buildworld and b) the patched passwd/yppasswd tree in ports.  If you 
want a few easy ports to maintain, these could be it :)




The article also comments on moving ssh to a different port, but this 
causes confusion and annoyance if you have many users and is non-standard. 
Doing the other things works great, an ssh-key on a usb-keyring is great.


For anyone savvy, yes.  I don't assume that level of savvy.


Well, then - can't you also assume that people can use keys and understand 
that these should be protected by passwords?


No, my assumption for the sake of simplicity has been to tell people use 
this hostname for everything, and this ONE method of logging in should 
work for everything.


Yes, some of my more savvy users CAN set up keys.  But for someone who 
wants the quick method to fix a few broken files, bad permissions, etc, 
it's far easier to tell them get putty, log in..., and then cd to your 
homedir and type


I've been through this dance.  Get putty.  Get puttygen.  Now make a 
keyfile with options you really don't understand.  Now find 
a way that, in the spirit of SSH you can upload that keyfile without using 
your password since I was told to disallow it...now password protect your 
key with something LONG and COMPLICATED when you can't even remember a 
password that you were emailed, and trusted your FTP app to 
remember...okay, now have that key with you everywhere you go (and you 
can't cheat and upload it to someplace like your xdrive.com or other 
service, you have to carry physical media.  You understand all that? 
Okay, now cd to your homedir and type...


Personally, I created a script for parsing the delegated files from the 
different regional registries such as only to allow connection from EU 
countries.
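
A sketch of the kind of script described in the paragraph above, added here as an example; it is not Erik Norgaard's script and not part of the thread. It reads records in the regional registries' `registry|cc|type|start|value|date|status` delegated-file layout and builds a CIDR allowlist for a chosen set of country codes; the function names, the country list and the sample records are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample in the RIR "delegated" statistics layout:
#   registry|cc|type|start|value|date|status
# Country codes are paired with documentation ranges purely for illustration.
SAMPLE = """\
# constructed sample, not real registry data
2|ripencc|20060920|5|19830101|20060919|+0100
ripencc|*|ipv4|*|3|summary
ripencc|DK|ipv4|192.0.2.0|256|20010101|allocated
ripencc|DE|ipv4|198.51.100.0|192|20020202|assigned
ripencc|US|ipv4|203.0.113.0|256|20030303|allocated
ripencc|DK|ipv6|2001:db8::|32|20040404|allocated
ripencc|DE|asn|64496|1|20050505|allocated
"""


def parse_record(line):
    """Return (country_code, [networks]) for an address record, else None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split("|")
    if len(fields) < 7:                      # summary lines have 6 fields
        return None
    cc, rtype, start, value, status = (
        fields[1].upper(), fields[2], fields[3], fields[4], fields[6])
    # The version header, ASN records and unallocated space are skipped here.
    if rtype not in ("ipv4", "ipv6") or status not in ("allocated", "assigned"):
        return None
    try:
        if rtype == "ipv4":
            # For ipv4 the value is an address COUNT, not a prefix length,
            # and it need not be a power of two: one record can expand to
            # several CIDR blocks.
            count = int(value)
            if count < 1:
                return None
            first = ipaddress.IPv4Address(start)
            last = first + (count - 1)
            nets = list(ipaddress.summarize_address_range(first, last))
        else:
            # For ipv6 the value is the prefix length.
            nets = [ipaddress.IPv6Network(f"{start}/{int(value)}")]
    except ValueError:                       # malformed address or number
        return None
    return cc, nets


def build_allowlist(lines, countries):
    """Collect and merge the networks delegated to the given country codes."""
    wanted = {c.upper() for c in countries}
    v4, v6 = [], []
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec[0] not in wanted:
            continue
        for net in rec[1]:
            (v4 if net.version == 4 else v6).append(net)
    # collapse_addresses merges adjacent/overlapping blocks and sorts them;
    # it cannot mix address families, hence the two lists.
    return (list(ipaddress.collapse_addresses(v4))
            + list(ipaddress.collapse_addresses(v6)))


def is_allowed(addr, allowlist):
    """True if addr falls inside any network on the allowlist."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in allowlist)


if __name__ == "__main__":
    # Hypothetical country selection; one CIDR per line, ready to load
    # into whatever firewall table or hosts.allow mechanism is in use.
    for net in build_allowlist(SAMPLE.splitlines(), ["DK", "DE"]):
        print(net)
```
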



gmirror HD failure detection

2006-09-20 Thread Robin Becker
After using Dru Lavigne's excellent article http://tinyurl.com/da66a about 
Raid-1 I have a full Raid-1 mirror on a new rack server. I'm wondering if anyone 
can tell me how best to monitor the hardware status to detect imminent failure 
of one of the disks? Do I use something like smartctl in a cron or what?

--
Robin Becker


Re: amd ports

2006-09-20 Thread Chuck Swiger

On Sep 20, 2006, at 4:19 AM, eoghan wrote:
Just a general question about the ports for freebsd. I am now  
running 6.1 on amd64. Got most of what I need, but noticed that  
some ports are only i386 - like the flock browser and skype.  
Obviously I can live without these but was just wondering if there  
is a place I could check to see whether these would be available  
for amd in the future?


Certainly.  The best place would be with the port maintainer, if any  
is listed, and with the project-specific mailing list, webforum,  
original developer(s), or whatever.  The latter may be more helpful,  
as not all port maintainers may have access to AMD64/EM64T hardware.


--
-Chuck



Re: gmirror HD failure detection

2006-09-20 Thread Bob Johnson

On 9/20/06, Robin Becker [EMAIL PROTECTED] wrote:

After using Dru Lavigne's excellent article http://tinyurl.com/da66a about
Raid-1 I have a full Raid-1 mirror on a new rack server. I'm wondering if
anyone
can tell me how best to monitor the hardware status to detect imminent
failure
of one of the disks? Do I use something like smartctl in a cron or what?


When you installed smartmontools to get smartctl, it should have also
installed smartd. It will run in the background and notify you of
significant changes. man smartd for details.

- Bob


Re: sshd brute force attempts?

2006-09-20 Thread backyard


--- Dan Mahoney, System Admin [EMAIL PROTECTED]
wrote:

 On Tue, 19 Sep 2006, backyard wrote:
 
  In reality using passwords with SSH kinda defeats
 the
  purpose of SSH.
 
 Keeping passwords from being sent across the network
 as cleartext?
 
 -Dan

ssh will encrypt them of course but...
the nosey snoop watching over your shoulder can see
the keys you type, or the tricky guy that has
installed a STDIN monitor hack, or enabling debugging
of the console by mistake and having it appear in the
syslogs. Using keys means you never have to use a
password, other than locking the key. The key should
always have a different password from the login. Using
keys is the point of SSH so you can eliminate
passworded logins making sure no one sees them at all.

-brian


 
 --
 
 Of course she's gonna be upset!  You're dealing
 with a woman here Dan,
 what the hell's wrong with you?
 
 -S. Kennedy, 11/11/01
 



portmanager ftp question.

2006-09-20 Thread Greg Groth
Here's the situation, I have 3 BSD servers sitting behind a pfsense 
firewall.  When I run portmanager on any of the 3 servers, inevitably it 
runs into a distfile that can't be downloaded from an FTP site. 
Although I haven't checked the log files on the firewall, I'm fairly 
positive this is an active / passive issue.  My workaround right now is 
to download the required distfile to a machine on the LAN (sitting 
behind the pfsense firewall), and SCP it to the server, and restart 
portmanager.  I've played around with the FTP helper settings on 
pfsense, to no avail.  Is there a way to globally set active or passive 
FTP connections on the servers so portmanager will work correctly?  I'll 
occasionally run into the same issue when building a new port as well. 
I'm not sure what app the machine is using to download the distfiles, 
wget?  If this is the case, my question would be is there a way to set a 
configuration for wget to use either active or passive ftp connections 
all the time, no matter which process is calling it?


Best regards,
Greg Groth


Re: gmirror HD failure detection

2006-09-20 Thread Dave

Hi,
   I've got smartd going on a gmirror system, however when smartd starts up 
it says it can't find the various drives. I've tried both the autodetection 
line as well as specifying the individual drives. If this does work I'd like 
to know about it as I believe I might have one failing drive, but am not 
sure which one.

Thanks.
Dave.

- Original Message - 
From: Bob Johnson [EMAIL PROTECTED]

To: Robin Becker [EMAIL PROTECTED]
Cc: freebsd-questions@freebsd.org
Sent: Wednesday, September 20, 2006 1:02 PM
Subject: Re: gmirror HD failure detection



On 9/20/06, Robin Becker [EMAIL PROTECTED] wrote:
After using Dru Lavigne's excellent article http://tinyurl.com/da66a 
about

Raid-1 I have a full Raid-1 mirror on a new rack server. I'm wondering if
anyone
can tell me how best to monitor the hardware status to detect imminent
failure
of one of the disks? Do I use something like smartctl in a cron or what?


When you installed smartmontools to get smartctl, it should have also
installed smartd. It will run in the background and notify you of
significant changes. man smartd for details.

- Bob




Re: gmirror HD failure detection

2006-09-20 Thread Alex Zbyslaw

Robin Becker wrote:

After using Dru Lavigne's excellent article http://tinyurl.com/da66a 
about Raid-1 I have a full Raid-1 mirror on a new rack server. I'm 
wondering if anyone can tell me how best to monitor the hardware 
status to detect imminent failure of one of the disks? Do I use 
something like smartctl in a cron or what?


Assuming that the disks support SMART then just read the man page for 
smartd.  No need for cron.  You can also schedule short and long 
tests to run in off hours.  smartmontools is easy to uninstall if it 
doesn't work for you. 

However, this will tell you that a disk is failing (or failed) which is 
not quite the same as array status.  An array (theoretically)  might be 
sub-optimal for non-SMART reasons.  Someone familiar with gmirror will 
have to answer that bit... but gmirror status -s looks from the man page 
like it might be interesting and *that* could be run from cron and 
parsed to weed out status OK results.


--Alex




Re: gmirror HD failure detection

2006-09-20 Thread Robin Becker

Dave wrote:

Hi,
   I've got smartd going on a gmirror system, however when smartd starts 
up it says it can't find the various drives. I've tried both the 
autodetection line as well as specifying the individual drives. If this 
does work I'd like to know about it as I believe I might have one 
failing drive, but am not sure which one.

Thanks.
Dave.




well as root I can certainly run smartctl -a /dev/ad4 (or /dev/ad6) so I assume 
smartd could.


I like the idea of using gmirror status -s , but I don't know what the results 
would be if one of the disks were going bad. Would it change from COMPLETE to 
DEGRADED suddenly?

--
Robin Becker


Re: ipfw and temporary port access

2006-09-20 Thread Noah

Peter N. M. Hansteen wrote:

Noah [EMAIL PROTECTED] writes:

  

Any clues if a system like this is a already coded and out there somewhere?



Apart from the ipfw requirement, you have just described authpf, see eg 
http://www.freebsd.org/cgi/man.cgi?query=authpf&apropos=0&sektion=0&manpath=FreeBSD+6.1-RELEASE&format=html


  

Hi there,

authpf needs ssh access which is not something we have universally open 
- is there a way to integrate authpf without  granting ssh access?


Cheers,

Noah



Re: portmanager ftp question.

2006-09-20 Thread RW
On Wednesday 20 September 2006 18:13, Greg Groth wrote:
 Here's the situation, I have 3 BSD servers sitting behind a pfsense
 firewall.  When I run portmanager on any of the 3 servers, inevitably it
 runs into a distfile that can't be downloaded from an FTP site.
 Although I haven't checked the log files on the firewall, I'm fairly
 positive this is an active / passive issue.  My workaround right now is
 to download the required distfile to a machine on the LAN (sitting
 behind the pfsense firewall), and SCP it to the server, and restart
 portmanager.  I've played around with the FTP helper settings on
 pfsense, to no avail.  Is there a way to globally set active or passive
 FTP connections on the servers so portmanager will work correctly?  I'll
 occasionally run into the same issue when building a new port as well.
 I'm not sure what app the machine is using to download the distfiles,
 wget?  If this is the case, my question would be is there a way to set a
 configuration for wget to use either active or passive ftp connections
 all the time, no matter which process is calling it?

What does make -V FETCH_CMD say? The default is fetch -ApRr where -p means 
passive.


Re: portmanager ftp question.

2006-09-20 Thread Greg Groth
What does make -V FETCH_CMD say? The default is fetch -ApRr where -p means 
passive.


/usr/bin/fetch -ARr

Best regards,
Greg Groth


RE: FreeBSD 5.4 no inodes left

2006-09-20 Thread Alex Franks


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Philip Radford
Sent: Wednesday, September 20, 2006 7:55 AM
To: freebsd-questions@freebsd.org
Subject: FreeBSD 5.4 no inodes left

Hi All,

I am running FreeBSD 5.4 and have recently received the following
message on our box for the /var partiton.
No inodes left.

I have checked the statistics and there was an apache httpd log which
was maxing out the usable space. I have since removed this file and the
available space has dropped to over 50%. However I still get the 'no
inodes left' message even though I have freed the space.

Does anyone know how I can get the inodes to be freed up on the /var
partition.

Thanks in advance.

Regards
Phil.


Hey all,

I recently had the *exact* same problem on a 4.11-STABLE box. Plenty of
disc space on /var but out of inodes. Also, the system was incredibly
sluggish despite showing loads of 0.00 across the board in uptime and
top.

This problem coincided with a LOT of sleeping and zombie processes. I
had a cron job running every 5 minutes and couldn't even edit the
crontab because of the lack of inodes. I ended up just wiping out all
the directories under /var/db/pkg (since these can easily be downloaded
again) and shut off the cron jobs that were spawning new procs.

Turns out (part of?) the problem was qmail had a very large amount of
messages in its queue. Once I flushed qmail's queue and the messages
were sent out, the system returned to normal.

Hope this helps you or someone else.


extracting base names from package listing

2006-09-20 Thread Andrew Gould
pkg_info provides a nice listing of package names that
include version numbers.  I'd like to have a list of
the names without the version numbers so that I can
write a script to install the newer versions after a
clean installation.

Looking at the package names, I'm having a hard time
coming up with an algorithm for separating the package
names from the version numbers.  Many package names
have dashes (postgresql-server), and some have letters
in the version numbers (libid3tag-0.15.1b).

Does anyone have a good way of separating the package
names from the version numbers?

Is there a better way of identifying and installing a
set of packages after a clean installation?

Any help would be appreciated.

Thanks,

Andrew L. Gould


FreeNX and NX tutorials?

2006-09-20 Thread Andrew Gould
Does anyone know of any tutorials for running FreeNX
and NX on FreeBSD?

Thanks,

Andrew L. Gould


Re: extracting base names from package listing

2006-09-20 Thread RW
On Wednesday 20 September 2006 19:45, Andrew Gould wrote:
 pkg_info provides a nice listing of package names that
 include version numbers.  I'd like to have a list of
 the names without the version numbers so that I can
 write a script to install the newer versions after a
 clean installation.

 Looking at the package names, I'm having a hard time
 coming up with an algorithm for separating the package
 names from the version numbers.  Many package names
 have dashes (postgresql-server), and some have letters
 in the version numbers (libid3tag-0.15.1b).

 Does anyone have a good way of separating the package
 names from the version numbers?

 Is there a better way of identifying and installing a
 set of packages after a clean installation?

What you actually want is the origins, pkg_info -oq * will give you that.

What I think is a better idea is to get a list of the leaf origins, and let 
the ports system sort out the rest itself - you may end up with a cleaner set 
of dependencies. See the thread Moving to new PC above for a way to get 
these from portmanager.


Re: imap-uw question

2006-09-20 Thread doug

On Mon, 18 Sep 2006, [EMAIL PROTECTED] wrote:


On Tue, 19 Sep 2006, Jonathan Chen wrote:


On Mon, Sep 18, 2006 at 03:16:26PM -0400, [EMAIL PROTECTED] wrote:

Has anyone configure imap-uw to accept plaintext passwords? The options listed
in the documentation do not work. I have tried various combinations of
PASSWDTYPE, SSLTYPE, and WITH_SSL_AND_PLAINTEXT with no success.

Or is there a better imap/pop daemon to use? Thanks for any help.


You have to make sure that BOTH mail/imap-uw and mail/cclient have
been compiled with -DWITH_SSL_AND_PLAINTEXT.

Cheers.
--
Jonathan Chen [EMAIL PROTECTED]
--
 Power corrupts, Absolute Power is pretty neat


That (eventually) did it - thanks. From reading the UW docs, I had tried:

  make WITH_SSL_AND_PLAINTEXT=yes

which, from reading the make file, looked like it would do the right thing. What's the
difference or where can I read about it? My other confusion came from having to
restart inetd. I would have thought that was not necessary.

The answer at least for imap-uw is do not pay too much attention to the make 
files and docs in the source, rather use /usr/ports/mail/imap-uw/Makefile.






Re: portmanager ftp question.

2006-09-20 Thread RW
On Wednesday 20 September 2006 19:07, Greg Groth wrote:
  What does make -V FETCH_CMD say? The default is fetch -ApRr where -p
  means passive.

 /usr/bin/fetch -ARr

Check that you don't have this defined in the environment, or make.conf. 
Updating your ports tree should bring in the new default, or you can simply 
define it in make.conf


Re: extracting base names from package listing

2006-09-20 Thread Andrew Gould
Thanks.

--- RW [EMAIL PROTECTED] wrote:

 On Wednesday 20 September 2006 19:45, Andrew Gould
 wrote:
  pkg_info provides a nice listing of package names
 that
  include version numbers.  I'd like to have a list
 of
  the names without the version numbers so that I
 can
  write a script to install the newer versions after
 a
  clean installation.
 
  Looking at the package names, I'm having a hard
 time
  coming up with an algorithm for separating the
 package
  names from the version numbers.  Many package
 names
  have dashes (postgresql-server), and some have
 letters
  in the version numbers (libid3tag-0.15.1b).
 
  Does anyone have a good way of separating the
 package
  names from the version numbers?
 
  Is there a better way of identifying and
 installing a
  set of packages after a clean installation?
 
 What you actually want is the origins, pkg_info -oq
 * will give you that.
 
 What I think is a better idea is to get a list of
 the leaf origins, and let 
 the ports system sort out the rest itself - you may
 end up with a cleaner set 
 of dependencies. See the thread Moving to new PC
 above for a way to get 
 these from portmanager.
 



Re: Dell PE850 and FreeBSD 6.1-RELEASE - Boot Issues

2006-09-20 Thread Adam Martin


On 2006 Sep 19 , at 10:38, Jeff Cross wrote:


Adam Martin wrote:


On 2006 Sep 18 , at 17:39, Jeff Cross wrote:


Adam Martin wrote:


On 2006 Sep 18 , at 16:25, Jeff Cross wrote:


I am trying to run FreeBSD 6.1-RELEASE on a Dell PowerEdge 850 with
some
booting issues.  I have searched the archives and found someone
having a
problem with the machine booting too fast but my problem is a 
little
different.  My machine hangs up after the following line is 
displayed

during boot:

acd0: CDROM TEAC CD-ROM CD-224E-N/3.AB at ata0-master UDMA33


[ Trimmed for brevity ]

Thanks for the reply, Adam.  I actually tried the 
verbose_logging=YES
in my /boot/loader.conf file prior to posting but it still hangs 
after

the CD-ROM line for some reason.


Hey, no problem, Jeff.  To be frank, I just signed up for 
Questions,

after Google Summer of Code, and yours is the first one I've answered.
Glad to see that I've started on the right foot though.

It appears the only way the machine will boot up properly is if I 
hit 5

on the boot menu.  This obviously doesn't make remote reboots very
admin friendly!


I know that I setup something like this once, because I needed it 
to

always drop to command line.  I can help you emulate what's in menu
option 5, in a loader.4th script.  But you'll have to drop the pretty
menu, and logo...  If you're willing let me know.



Thanks again for your reply!


Like I said, no problem.  Thanks for your enthusiastic support.

Regards,

--
ADAM David Alan Martin

P.S.: It's still me, the same Adam.  Just figured I should use my
FreeBSD From: address instead of fsl.




Hey, Adam.  I unplugged the CD-ROM from the mainboard and the first time
it came back up it booted up fine.  However, I immediately rebooted and
it hung on the Timecounters tick every 1.000 msec.  So, since this is
the line that displays before the acd0: CDROM TEAC CD-ROM
CD-224E-N/3.AB at ata0-master UDMA33 line, I wonder if it is hanging on
whatever is *after* these in the boot process.

ata2-slave: pio=PIO3 wdma=UNSUPPORTED udma=UNSUPPORTED cable=40 wire
ata2-master: pio=PIO3 wdma=UNSUPPORTED udma=UNSUPPORTED cable=40 wire
afd0: setting PIO3 on SiI 0680 chip
device_attach: afd0 attach returned 6
acd1: setting PIO3 on SiI 0680 chip
acd1: VIRTUALCDROM DRIVE/ CDROM drive at ata2 as slave
acd1:  PIO3
acd1: Reads:
acd1: Writes:
acd1: Mechanism: caddy
acd1: Medium: CD-ROM unknown
ata4-master: pio=PIO4 wdma=WDMA2 udma=UDMA133 cable=40 wire


	Hm... afd0... just noticed this...  I have never used ATA floppy 
drives.  Doesn't mean they're bad, but I wonder what would happen if 
you disabled this device too?




Maybe the virtual devices is hosing it up.  I know there is a virtual
floppy drive in here somewhere too...  I can see it in the BIOS but I
can't figure out how to disable it.


	Is your CPU hyperthreaded?  You might want to go in the BIOS and try 
turning that off too...  (Hyperthreading on FreeBSD doesn't give you 
that much extra in performance...  And exposes a few potential hardware 
issues.)


	At this point, I'm kinda poking around in the dark as to what device 
could be causing it.  In these situations, I start with the 
bare-minimum to boot it up, and keep adding devices until it fails... 
then remove everything, and try adding the failing device first.  (This 
means physically removing cables and such.  This screens for 
interactions between devices, and devices that may fail.)



Jeff Cross
http://www.averageadmins.com/


	How long is it sitting and hanging?  How long have you left it?  I 
have one machine that needs about 3 or 5 minutes after the copyright 
line, to boot the kernel.  Of course you may have stumbled upon a 
timing bug too.  If that's the case, we should try to find as much 
information as possible, and pass this one up to the people who can 
track it down.  I can help you force the machine to boot as you 
wanted... but there may be other issues.  Hopefully someone can help 
you more than just forcing it to boot in option 5 all the time.



--
Adam David Alan Martin



Re: extracting base names from package listing

2006-09-20 Thread Kris Kennaway
On Wed, Sep 20, 2006 at 08:12:22PM +0100, RW wrote:
 On Wednesday 20 September 2006 19:45, Andrew Gould wrote:
  pkg_info provides a nice listing of package names that
  include version numbers.  I'd like to have a list of
  the names without the version numbers so that I can
  write a script to install the newer versions after a
  clean installation.
 
  Looking at the package names, I'm having a hard time
  coming up with an algorithm for separating the package
  names from the version numbers.  Many package names
  have dashes (postgresql-server), and some have letters
  in the version numbers (libid3tag-0.15.1b).
 
  Does anyone have a good way of separating the package
  names from the version numbers?
 
  Is there a better way of identifying and installing a
  set of packages after a clean installation?
 
 What you actually want is the origins, pkg_info -oq * will give you that.

Or look up the package name in the INDEX file.

Kris




Re: [OT] spam on freebsd-question@

2006-09-20 Thread Adam Martin


On 2006 Sep 20 , at 08:28, Pietro Cerutti wrote:


Hi List,
recently (last few days) a lot of spam has begun to arrive on this list
could anyone concerned ([EMAIL PROTECTED], ...) check/upgrade the filters?


	Incidentally I'm subscribed to about a dozen other FreeBSD mailing 
lists.  It's probably not the right place to report this, but these 
past few days a lot of spam has hit the other lists too.  So, I'll tack 
on a request for them to check the filters on the other lists too.




--
Adam David Alan Martin



Re: amd ports

2006-09-20 Thread eoghan

On 20 Sep 2006, at 17:51, Chuck Swiger wrote:


On Sep 20, 2006, at 4:19 AM, eoghan wrote:
Just a general question about the ports for freebsd. I am now  
running 6.1 on amd64. Got most of what I need, but noticed that  
some ports are only i386 - like the flock browser and skype.  
Obviously I can live without these but was just wondering if there  
is a place I could check to see whether these would be available  
for amd in the future?


Certainly.  The best place would be with the port maintainer, if  
any is listed, and with the project-specific mailing list,  
webforum, original developer(s), or whatever.  The latter may be  
more helpful, as not all port maintainers may have access to AMD64/ 
EM64T hardware.


Ok thanks for the info everyone.
Eoghan



Re: ipfw and temporary port access

2006-09-20 Thread Peter N. M. Hansteen
Noah [EMAIL PROTECTED] writes:

 authpf needs ssh access which is not something we have universally
 open - is there a way to integrate authpf without  granting ssh
 access?

Out of the box, no.  Then again, you only need ssh in to the
authenticating gateway.  It's up to you to decide which OpenSSH
supported authentication methods you require before loading the rules
which actually let traffic through.

Cheers,
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
First, we kill all the spammers The Usenet Bard, Twice-forwarded tales
20:11:56 delilah spamd[26905]: 146.151.48.74: disconnected after 36099 seconds



Re: [OT] spam on freebsd-question@

2006-09-20 Thread Kris Kennaway
On Wed, Sep 20, 2006 at 03:52:41PM -0400, Adam Martin wrote:
 
 On 2006 Sep 20 , at 08:28, Pietro Cerutti wrote:
 
 Hi List,
 recently (last few days) a lot of spam has begun to arrive on this list
 could anyone concerned ([EMAIL PROTECTED], ...) check/upgrade the filters?
 
   Incidentally I'm subscribed to about a dozen other FreeBSD mailing 
 lists.  It's probably not the right place to report this, but these 
 past few days a lot of spam has hit the other lists too.  So, I'll tack 
 on a request for them to check the filters on the other lists too.

See freebsd-chat@

Kris


Re: [OT] spam on freebsd-question@

2006-09-20 Thread Bill Campbell
On Wed, Sep 20, 2006, Adam Martin wrote:

On 2006 Sep 20 , at 08:28, Pietro Cerutti wrote:

Hi List,
recently (last few days) a lot of spam has begun to arrive on this list
could anyone concerned ([EMAIL PROTECTED], ...) check/upgrade the filters?

   Incidentally I'm subscribed to about a dozen other FreeBSD mailing 
lists.  It's probably not the right place to report this, but these 
past few days a lot of spam has hit the other lists too.  So, I'll tack 
on a request for them to check the filters on the other lists too.

FWIW, the spam that has hit the lists has also failed to trigger
my somewhat draconian spamassassin checks as well.

One of the most effective things I've found on the Mailman
mailing lists I maintain and host is to restrict postings to list
members only.  While this does generate some moderation requests
when list members post from addresses other than their subscribed
address, it also catches many spam/phishing messages that don't
cause the spamassassin score to exceed our cutoff score.

Bill
--
INTERNET:   [EMAIL PROTECTED]  Bill Campbell; Celestial Systems, Inc.
UUCP:   camco!bill  PO Box 820; 6641 E. Mercer Way
FAX:(206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676
URL: http://www.celestial.com/

``Guns are no more responsible for killing people than the spoon is
responsible for making Rosie O'Donnell fat.''


Re: Using FreeBSD as a router

2006-09-20 Thread Brent

You can easily do the FreeBSD firewall just by following the FBSD handbook
or go to http://mostgraveconcern.com/freebsd/

and look at the article on Setting up a network gateway


--
Brent Bailey CCNA
Bmyster LLC
Computer Networking and Webhosting
Network  Systems Engineer, President
[EMAIL PROTECTED]


--RIP Brother Dime--

-- Original Message ---
From: Robert Fitzpatrick [EMAIL PROTECTED]
To: FreeBSD freebsd-questions@freebsd.org
Sent: Wed, 20 Sep 2006 12:11:32 -0400
Subject: Using FreeBSD as a router

 It's time to upgrade my old Cisco 10Mbps router and I am seriously 
 considering using FreeBSD. I have found some solutions and wonder 
 what one would recommend here on the list...
 
 Solution 1: http://tomclegg.net/256-router
 Solution 2: http://m0n0.ch/wall/index.php
 
 I want to duplicate my Cisco setup. It has 4 Ethernet ports with the 
 WAN subnet assigned to the WAN port and 3 different subnets assigned 
 to each of the remaining 3 ports leading to their VLANs on the 
 switch. Looking for advice from those who have used the above 
 solutions and their experiences.
 
 Thanks in advance!
 
 --
 Robert
--- End of Original Message ---



Re: sshd brute force attempts?

2006-09-20 Thread Adam Martin


On 2006 Sep 19 , at 17:25, Nicolas Blais wrote:


On Tuesday 19 September 2006 17:12, Joao Barros wrote:

On 9/19/06, Dan Mahoney, System Admin [EMAIL PROTECTED] wrote:

Hey all,

I've looked around and found several linux-centric things designed to
block brute-force SSH attempts.  Anyone out there know of something a bit
more BSD savvy?

My best attempt will be to get this:

http://www.csc.liv.ac.uk/~greg/sshdfilter/index_15.html

running and adapt it.

I've found a few things based on openBSD's pf, but that doesn't seem to
be the default in BSD either.

Any response appreciated.


I'm using BruteForceBlocker quite successfully.
I take the opportunity to thank danger for it :-)

http://www.freshports.org/security/bruteforceblocker/



	This has been a recent annoyance for me too, so I did a bit of 
research.  At my site I run a number of Solaris, FreeBSD, NetBSD, and 
OpenBSD based machines (very few Linux machines.)  So I googled for a 
very BSD specific solution to the problem.  The issue of actual 
cracking doesn't concern me.  (All user passwords are strong, and users 
have strong limitations.)  What bothers me is that there's several 
hundred kilobytes worth of invalid user entries in my 
/var/log/auth.log.  It's been rotated about 30 times these past 2 
weeks.  I preserve ALL logs (/etc/newsyslog.conf has 500 count for each 
log.)  There is also the DoS potential that worries me.


	The solutions I read were for OpenBSD pf (which is my router) but 
could be used on FreeBSD pf, too.  It seems that most of these 
bruteforce ssh attempts come from compromised Linux boxes.  As a simple 
solution, one could add a pf rule which just drops linux hosts on port 
22.  As a stopgap measure for valid users, who login from linux boxes, 
I leave open port , and inform these users to use that port.


	In addition to all of this, I also run bruteforceblocker, and maintain 
my own list of denied hosts.  (Any host with more than 5 entries for 
all different invalid users is permanently banned.)


I like to protect myself by hiding what I have, which will reduce the amount
of direct or random attacks by a lot, then deal with attacks using tools
(like bruteforceblocker).


	Hiding your services is always a good idea.  But it also potentially 
invites portscans, or other evils.


This is especially useful when attackers are using ip-range tools to scan
common ports for their associated service.


	Eventually when we all do that, the attackers will just develop (or in 
most cases, one will, and the others will borrow) new tools to harass 
us more.



Why keep sshd on port 22?


	Why not keep it there?  Why should we all resort to migrating our 
standard services to non-standard ports, simply because a few 
[expletives deleted] script kiddies can't keep their packets to 
themselves?  It's also advocating security by obscurity, to hide sshd 
on another port.  Eventually the bad guys will just test every port, 
and we'll have more unnecessary traffic to the box.


	I don't know about you, but I'm not going to let a few immature 
teenagers who've hijacked a network of Linux boxes, setup by a 
know-it-all Linux newbie for his folks, bully me out of doing things 
the right way, or hiding outside of standardized channels.  Certainly 
never invite trouble...  But running from it doesn't make you much 
safer.  (Maybe it's time somebody whipped up a rule for pf, that would 
direct garbage replies in response to packets we want to deny, instead 
of just dropping them?  Actually, it probably won't do much to the 
attackers, besides confuse them.)




Nicolas


--
Adam David Alan Martin

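The ban rule Adam Martin describes in the message above (a host with more than 5 invalid-user entries, all for different user names), sketched as an added example that is not code from the thread or from bruteforceblocker. The log lines are constructed, the whitelist follows Matthew Seaman's suggestion earlier in this thread, and the function name, parameters and addresses are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# sshd logs "Invalid user NAME from ADDR" for a nonexistent account (older
# releases wrote "Illegal user", newer ones append " port N").  NAME is
# attacker-controlled text and may itself contain " from 192.0.2.77", so the
# greedy (.*) plus the end-of-line anchor take the address from the END of
# the line, never from inside the user name.
INVALID_USER = re.compile(
    r"sshd\[\d+\]: (?:Invalid|Illegal) user (?P<user>.*) "
    r"from (?P<addr>\S+)(?: port \d+)?\s*$"
)


def ban_candidates(log_lines, threshold=5, whitelist=()):
    """Return addresses that tried more than `threshold` DISTINCT invalid users.

    `whitelist` is an iterable of networks (e.g. "192.0.2.0/24") that must
    never be banned.  Names and defaults here are assumptions for the example.
    """
    allowed = [ipaddress.ip_network(net) for net in whitelist]
    users_by_addr = defaultdict(set)
    for line in log_lines:
        match = INVALID_USER.search(line.rstrip("\n"))
        if not match:
            continue
        try:
            addr = ipaddress.ip_address(match.group("addr"))
        except ValueError:
            continue  # a hostname or garbage: nothing safe to ban
        if any(addr in net for net in allowed):
            continue
        # A set counts each user name once, so one mistyped name repeated
        # many times does not reach the threshold.
        users_by_addr[addr].add(match.group("user"))
    return sorted(
        str(addr) for addr, users in users_by_addr.items() if len(users) > threshold
    )


def _line(user, addr, port=None):
    """Build one constructed auth.log line (sample data, not a real log)."""
    tail = f" port {port}" if port else ""
    return f"Sep 19 17:12:01 gw sshd[4021]: Invalid user {user} from {addr}{tail}"


# Constructed sample input, using documentation address ranges only.
SAMPLE_LOG = (
    # six different names from one host: over the limit
    [_line(u, "203.0.113.9") for u in ("admin", "test", "guest", "oracle", "ftp", "www")]
    # exactly five different names, one of them repeated: not over the limit
    + [_line(u, "198.51.100.7", 40022) for u in ("a", "b", "c", "d", "e")]
    + [_line("a", "198.51.100.7", 40022)] * 3
    # six different names from a network the admin may want to whitelist
    + [_line(u, "192.0.2.10") for u in ("u1", "u2", "u3", "u4", "u5", "u6")]
    # user name that embeds another address; only the trailing one counts
    + [_line("x from 192.0.2.77", "203.0.113.9")]
    # not an invalid-user entry, ignored
    + ["Sep 19 17:12:09 gw sshd[4021]: Failed password for root "
       "from 198.51.100.7 port 40022 ssh2"]
)

if __name__ == "__main__":
    for address in ban_candidates(SAMPLE_LOG, whitelist=["192.0.2.0/24"]):
        print(address)
```

Each returned address can then be put in a pf table such as the `bruteforce` table from earlier in this thread with `pfctl -t bruteforce -T add <address>`.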


FastTrak100 RAID-Controller

2006-09-20 Thread Martin Werner
Hi,

are there any issues known with the FastTrak100 RAID-Controller? I'd like to
run it in HW RAID-1 and setup FreeBSD 6.1 onto that RAID-Volume.

Thx in advance, cheers
  -Martin-



FW: postfix + maildrop and virtual mailboxes

2006-09-20 Thread Martin Werner
Hi,

I'm trying to set up maildrop to act as virtual transport for my hosted
domains to configure maildrop to deliver spam-mail into the users INBOX.spam
IMAP folder.

In main.cf I set virtual_transport=maildrop and of course
virtual_mailbox_maps (works with the default postfix mda).

Trying this with maildrop will not work (see excerpt from maillog):

--- snip --
Sep 20 22:01:51 web01 postfix/pipe[67339]: 627BF5C9F: to=[EMAIL PROTECTED],
orig_to=[EMAIL PROTECTED], relay=maildrop, delay=0.04,
delays=0.01/0.01/0/0.03, dsn=5.1.1, status=bounced (user unknown. Command
output: Invalid user specified. )
--- snip --

Although [EMAIL PROTECTED] is of course defined in the virtual mailbox map!
The postfix MAILDROP_README didn't really help.

Any ideas? Thx in advance, cheers,
  -Martin-



Re: FreeBSD 5.4 no inodes left

2006-09-20 Thread Jerry McAllister
On Wed, Sep 20, 2006 at 11:14:38AM -0700, Alex Franks wrote:

 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Philip Radford
 Sent: Wednesday, September 20, 2006 7:55 AM
 To: freebsd-questions@freebsd.org
 Subject: FreeBSD 5.4 no inodes left
 
 Hi All,
 
 I am running FreeBSD 5.4 and have recently received the following
 message on our box for the /var partition.
 No inodes left.
 
 I have checked the statistics and there was an apache httpd log which
 was maxing out the usable space. I have since removed this file and the
 available space has dropped to over 50%. However I still get the 'no
 inodes left' message even though I have freed the space.
 
 Does anyone know how I can get the inodes to be freed up on the /var
 partition.

Yes.  Delete some files.

Then, when you have it cleared up temporarily (deleting files is
only a brief temporary fix), back the file system up somewhere and
remake it.   In the newfs command, use bytes, block-size and frag-size
arguments to force it to create more inodes in the filesystem and
then restore the backup.   Possibly just setting bytes=2 will be
enough to cover it, but you may also need to set block-size=8192
and frag-size=1024 (which is kind of small).

If you run out of inodes, it tends to mean you are creating a lot
of small files.  This can happen with some utilities that create
a new file for each piece of data.  But, the default values for
bytes, block-size and frag-size usually provide plenty of inodes
for most things.   So, maybe some job you are running is overdoing
creating small files for some reason or you have a database designed
less efficiently or something.

By using a smaller block and fragment size, you get more inodes, but
you make reading and writing large files less efficient.  Of course,
if you have a hoard of small files, that isn't important.   In fact,
if the file system is full of small files, then it is less efficient
to have large block and fragment sizes.

jerry

 
 Thanks in advance.
 
 Regards
 Phil.
 


postfix + maildrop and virtual mailboxes

2006-09-20 Thread Martin Werner
Hi,

I'm trying to set up maildrop to act as virtual transport for my hosted
domains to configure maildrop to deliver spam-mail into the users INBOX.spam
IMAP folder.

In main.cf I set virtual_transport=maildrop and of course
virtual_mailbox_maps (works with the default postfix mda).

Trying this with maildrop will not work (see excerpt from maillog):

--- snip --
Sep 20 22:01:51 web01 postfix/pipe[67339]: 627BF5C9F: to=[EMAIL PROTECTED],
orig_to=[EMAIL PROTECTED], relay=maildrop, delay=0.04,
delays=0.01/0.01/0/0.03, dsn=5.1.1, status=bounced (user unknown. Command
output: Invalid user specified. )
--- snip --

Although [EMAIL PROTECTED] is of course defined in the virtual mailbox map!
The postfix MAILDROP_README didn't really help.

Any ideas? Thx in advance, cheers,
  -Martin-



can't find my hard drive

2006-09-20 Thread Brett McLain
Hi, I've got a Windows XP Pro computer with two drives.  One's a 80gb
western digital raptor, and the other is a 7200.10 seagate 320gb drive.
The 320 gb drive has two partitions...one that's 29.5 gb and is in
fat32 mode (I'm hoping to use it for freebsd) and then the rest is for
my media.  My boot and copy of xp are on the raptor.  I'm trying to
install freebsd 6.1 release but it's not seeing my other drive (I don't
think?) all I can see at the install screen is my raptor drive.  I even
tried unplugging my main raptor drive and installing to the seagate,
but it says no drives found.  It discovers it in the registry and
stuff...anyone have some ideas?

-Brett McLain


Re: postfix + maildrop and virtual mailboxes

2006-09-20 Thread albi
On Wed, 20 Sep 2006 22:07:36 +0200
Martin Werner [EMAIL PROTECTED] wrote:

 I'm trying to set up maildrop to act as virtual transport for my
 hosted domains to configure maildrop to deliver spam-mail into the
 users INBOX.spam IMAP folder.
 
 In main.cf I set virtual_transport=maildrop and of course
 virtual_mailbox_maps (works with the default postfix mda).
 
 Trying this with maildrop will not work (see excerpt from maillog):
 
 --- snip --
 Sep 20 22:01:51 web01 postfix/pipe[67339]: 627BF5C9F:
 to=[EMAIL PROTECTED], orig_to=[EMAIL PROTECTED], relay=maildrop,
 delay=0.04, delays=0.01/0.01/0/0.03, dsn=5.1.1, status=bounced (user
 unknown. Command output: Invalid user specified. )
 --- snip --
 
 Although [EMAIL PROTECTED] is of course defined in the virtual mailbox
 map! The postfix MAILDROP_README didn't really help.

are you using mysql or postgresql or not ? if so, you need another
config-file

-- 
grtjs,
albi


RE: FastTrak100 RAID-Controller

2006-09-20 Thread Tamouh H.
 
 Hi,
 
 are there any issues known with the FastTrak100 
 RAID-Controller? I'd like to run it in HW RAID-1 and setup 
 FreeBSD 6.1 onto that RAID-Volume.
 
 Thx in advance, cheers
   -Martin-
 

Have a server running it for couple of months so far with no issues (knock on the wood)

Tamouh



help please

2006-09-20 Thread Hèrvé Simplice van der Eijk

Hi everybody,

I recently installed freebsd 5.4, bind9, isc-dhcp-server, openldap on my
machine.
DNS server is working OK, but since I'm running ipfw firewall on the
machine, my windows client (Internet Explorer) can reach my FreeBSD
webserver.
Can anyone tell me which protocol and port I have to open up on my ipfw
firewall so that windows client can reach my webserver



Re: postfix + maildrop and virtual mailboxes

2006-09-20 Thread bsdml
On Wed, September 20, 2006 10:43 pm, albi wrote:
 On Wed, 20 Sep 2006 22:07:36 +0200
 Martin Werner [EMAIL PROTECTED] wrote:

 I'm trying to set up maildrop to act as virtual transport for my
 hosted domains to configure maildrop to deliver spam-mail into the
 users INBOX.spam IMAP folder.

 In main.cf I set virtual_transport=maildrop and of course
 virtual_mailbox_maps (works with the default postfix mda).

 Trying this with maildrop will not work (see excerpt from maillog):

 --- snip --
 Sep 20 22:01:51 web01 postfix/pipe[67339]: 627BF5C9F:
 to=[EMAIL PROTECTED], orig_to=[EMAIL PROTECTED], relay=maildrop,
 delay=0.04, delays=0.01/0.01/0/0.03, dsn=5.1.1, status=bounced (user
 unknown. Command output: Invalid user specified. )
 --- snip --

 Although [EMAIL PROTECTED] is of course defined in the virtual mailbox
 map! The postfix MAILDROP_README didn't really help.

 are you using mysql or postgresql or not ? if so, you need another
 config-file

Hi, for postfix I'm using the regular flat files for mapping, for dovecot
I'm using a mysql-Database for my user-Information (Password, uid,
Home-Directory).

Any chance of using that one then?


 --
 grtjs,
 albi


Re: can't find my hard drive

2006-09-20 Thread Derek Ragona
Does the second drive show up correctly in your BIOS?  Or are you using a 
device driver to use the drive with windows?


-Derek


At 03:42 PM 9/20/2006, Brett McLain wrote:

Hi, i've got a Windows XP pro computer with two drives.  Ones a 80gb
western digital raptor, and the other is a 7200.10 seagate 320gb drive.
 The 320 gb drive has two partitionsone thats 29.5 gb and is in
fat32 mode (i'm hoping to use it for freebsd) and then the rest is for
my media.  My boot and copy of xp are on the raptor.  I'm trying to
install freebsd 6.1 release but its not seeing my other drive (i don't
think?) all I can see at the install screen is my raptor drive.  I even
tried unplugging my main raptor drive and installing to the seagate,
but it says no drives found.  It discovers it in the registry and
stuffanyone have some ideas?

-Brett McLain

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
MailScanner thanks transtec Computers for their support.




Re: can't find my hard drive

2006-09-20 Thread Brett J McLain
Er yeah sorry, I mean BIOS not registry haha.  It shows up fine...when I 
tried unplugging my main 80gb drive, I tried booting twice to the other 
drive and it would just sit there after attempting to detect DMI 
settings or some such other thing.  I found it odd because I expected an 
Operating System Not Found error.


-Brett


Derek Ragona wrote:
Does the second drive show up correctly in your BIOS?  Or are you 
using a device driver to use the drive with windows?


-Derek


At 03:42 PM 9/20/2006, Brett McLain wrote:

Hi, i've got a Windows XP pro computer with two drives.  Ones a 80gb
western digital raptor, and the other is a 7200.10 seagate 320gb drive.
 The 320 gb drive has two partitionsone thats 29.5 gb and is in
fat32 mode (i'm hoping to use it for freebsd) and then the rest is for
my media.  My boot and copy of xp are on the raptor.  I'm trying to
install freebsd 6.1 release but its not seeing my other drive (i don't
think?) all I can see at the install screen is my raptor drive.  I even
tried unplugging my main raptor drive and installing to the seagate,
but it says no drives found.  It discovers it in the registry and
stuffanyone have some ideas?

-Brett McLain


Re: can't find my hard drive

2006-09-20 Thread Derek Ragona
To use the second drive you will probably need to also change a switch or 
jumper on the drive changing it from a slave drive to a master.  At that 
point the BIOS should show it correctly as a master drive.  In most BIOS 
these days there is a setting for boot device order, you may need to check 
that the second drive is in that list.


-Derek




At 04:49 PM 9/20/2006, Brett J McLain wrote:
Er yeah sorry, I mean BIOS not registry haha.  It shows up fine...when I 
tried unplugging my main 80gb drive, I tried booting twice to the other 
drive and it would just sit there after attempting to detect DMI settings 
or some such other thing.  I found it odd because I expected an Operating 
System Not Found error.


-Brett


Derek Ragona wrote:
Does the second drive show up correctly in your BIOS?  Or are you using a 
device driver to use the drive with windows?


-Derek


At 03:42 PM 9/20/2006, Brett McLain wrote:

Hi, i've got a Windows XP pro computer with two drives.  Ones a 80gb
western digital raptor, and the other is a 7200.10 seagate 320gb drive.
 The 320 gb drive has two partitionsone thats 29.5 gb and is in
fat32 mode (i'm hoping to use it for freebsd) and then the rest is for
my media.  My boot and copy of xp are on the raptor.  I'm trying to
install freebsd 6.1 release but its not seeing my other drive (i don't
think?) all I can see at the install screen is my raptor drive.  I even
tried unplugging my main raptor drive and installing to the seagate,
but it says no drives found.  It discovers it in the registry and
stuffanyone have some ideas?

-Brett McLain