RTL8111C driver for FBSD7
Hey, hey... I made a boo boo and ordered a unit with this nic onboard (truthfully, I never thought I'd have any trouble since I had done this before). Loaded 7 and couldn't find the nic. A little investigation found that the nic was the above, and a little further found that there was no support for it in the hcl's. Now I do find it hard to believe there is no way around this- I found a driver for FBSD4.5-6, is there one for 6.2 or higher? Or will this one work? Anyone know how to install it? The driver is only a c and a h file- Makefile is an empty file, and the readme tells me to rebuild the kernel after removing rl and re in the conf. Then I build the driver, and kldload it. Any idea why I'd have to rebuild the kernel?

Cheers guys

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
FreeBSD 7.0 Install Problem [acd0: FAILURE READ_BIG MEDIUM ERROR asc=0x11 ascq=0x05]
Hi Friends,

Am installing FreeBSD 7.0 on an AMD Athlon XP 2000 | 256MB RAM | 80GB HDD

Am not able to enter Install mode using FreeBSD 7.0 Disk1-i368

The Error message is :

acd0: FAILURE READ_BIG MEDIUM ERROR asc=0x11 ascq=0x05
...
...
Manual root filesystem specification
..

Am sure that the CDROM and CDRW Drive Works 100% Perfect; because it works fine in other machines !!!

I gave a try by disabling DMA in BIOS
also attempted to set hw.ata.atapi_dma=0 (by escaping to loader prompt; googled and found this; I don't know what it is)

No away !!

if any one have a solution; please help; or help me how to search in this mailing list for any such previous post

Thanks in Advance ;)

--
// Susanth K //
---[ Knowledge is the only treasure that increase on sharing ]---
Re: RTL8111C driver for FBSD7
Da Rock wrote:
> Hey, hey... I made a boo boo and ordered a unit with this nic onboard (truthfully, I never thought I'd have any trouble since I had done this before). Loaded 7 and couldn't find the nic. A little investigation found that the nic was the above, and a little further found that there was no support for it in the hcl's. Now I do find it hard to believe there is no way around this- I found a driver for FBSD4.5-6, is there one for 6.2 or higher? Or will this one work? Anyone know how to install it? The driver is only a c and a h file- Makefile is an empty file, and the readme tells me to rebuild the kernel after removing rl and re in the conf. Then I build the driver, and kldload it. Any idea why I'd have to rebuild the kernel?
>
> Cheers guys

I've seen this driver too (I've investigated for a friend who bought a similar motherboard that otherwise works with 7). The readme describes two methods of installation but the first one simply does not apply (there is no modules directory in the download). I have not tried the second method (looks reasonable though). Removing the rl and re from the kernel will remove the built-in support (it could conflict with the new driver) and create a module for the new driver. Note that you are also asked to replace the files in the FreeBSD src directories. In fact it is better to build as a module - building it into the kernel may well leave you with an unbootable kernel if it is not compatible. As I said, I have not done this (my friend will be running Linux on this box) but as more and more recent mobos seem to use this NIC - and I may be buying one- if you are willing to give it a try, I will be interested in the results.
Re: RTL8111C driver for FBSD7
On Fri, 2008-04-18 at 10:11 +0300, Manolis Kiagias wrote:
> Da Rock wrote:
> > Hey, hey... I made a boo boo and ordered a unit with this nic onboard (truthfully, I never thought I'd have any trouble since I had done this before). Loaded 7 and couldn't find the nic. A little investigation found that the nic was the above, and a little further found that there was no support for it in the hcl's. Now I do find it hard to believe there is no way around this- I found a driver for FBSD4.5-6, is there one for 6.2 or higher? Or will this one work? Anyone know how to install it? The driver is only a c and a h file- Makefile is an empty file, and the readme tells me to rebuild the kernel after removing rl and re in the conf. Then I build the driver, and kldload it. Any idea why I'd have to rebuild the kernel?
> >
> > Cheers guys
>
> I've seen this driver too (I've investigated for a friend who bought a similar motherboard that otherwise works with 7). The readme describes two methods of installation but the first one simply does not apply (there is no modules directory in the download). I have not tried the second method (looks reasonable though). Removing the rl and re from the kernel will remove the built-in support (it could conflict with the new driver) and create a module for the new driver. Note that you are also asked to replace the files in the FreeBSD src directories. In fact it is better to build as a module - building it into the kernel may well leave you with an unbootable kernel if it is not compatible. As I said, I have not done this (my friend will be running Linux on this box) but as more and more recent mobos seem to use this NIC - and I may be buying one- if you are willing to give it a try, I will be interested in the results.

Well I just tried it- I put this out there for some feedback mainly- the kernel rebuild is to remove the old rl and re drivers completely, and the build for the driver is for a module. Unfortunately the result is a failure: compatibility issues of some sort (argument warnings, not enough args, invalid variables and functions). My question is will I find something to work for 7? If not, will it work on 6.2 or 6.3 (it only says 6 in the readme's)?
Re: RTL8111C driver for FBSD7
Da Rock wrote:
> On Fri, 2008-04-18 at 10:11 +0300, Manolis Kiagias wrote:
> > Da Rock wrote:
> > > Hey, hey... I made a boo boo and ordered a unit with this nic onboard (truthfully, I never thought I'd have any trouble since I had done this before). Loaded 7 and couldn't find the nic. A little investigation found that the nic was the above, and a little further found that there was no support for it in the hcl's. Now I do find it hard to believe there is no way around this- I found a driver for FBSD4.5-6, is there one for 6.2 or higher? Or will this one work? Anyone know how to install it? The driver is only a c and a h file- Makefile is an empty file, and the readme tells me to rebuild the kernel after removing rl and re in the conf. Then I build the driver, and kldload it. Any idea why I'd have to rebuild the kernel?
> > >
> > > Cheers guys
> >
> > I've seen this driver too (I've investigated for a friend who bought a similar motherboard that otherwise works with 7). The readme describes two methods of installation but the first one simply does not apply (there is no modules directory in the download). I have not tried the second method (looks reasonable though). Removing the rl and re from the kernel will remove the built-in support (it could conflict with the new driver) and create a module for the new driver. Note that you are also asked to replace the files in the FreeBSD src directories. In fact it is better to build as a module - building it into the kernel may well leave you with an unbootable kernel if it is not compatible. As I said, I have not done this (my friend will be running Linux on this box) but as more and more recent mobos seem to use this NIC - and I may be buying one- if you are willing to give it a try, I will be interested in the results.
>
> Well I just tried it- I put this out there for some feedback mainly- the kernel rebuild is to remove the old rl and re drivers completely, and the build for the driver is for a module. Unfortunately the result is a failure: compatibility issues of some sort (argument warnings, not enough args, invalid variables and functions). My question is will I find something to work for 7? If not, will it work on 6.2 or 6.3 (it only says 6 in the readme's)?

I hope realtek releases a driver for 7. I would not want to go back to 6.X for this. I have a 6.3 server, and can give it a try - as far as compiling the module, not actually using it, I don't have the NIC. I will post the results later today.
Re: FTP server behind firewall?
On Thu, 17 Apr 2008 07:59:20 +0300, Manolis Kiagias [EMAIL PROTECTED] wrote:
> Running an FTP behind a home DSL router is perfectly possible. You will just have to open a range of ports on the router itself eg 25000-25050 and forward them to your ftp server internal IP address. Then set the FTP server to only use these ports for passive transfers.

Thanks guys, I think I'll try this, as it's the easiest to allow VB clients to upload files.
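The passive-port arrangement from the quoted advice, as an added example that is not part of the thread. It assumes vsftpd as the FTP server (the thread does not name one), its config path, a constructed public address 203.0.113.5 on the router, and em0 as the server's LAN interface; the router itself must forward TCP 21 and 25000-25050 to the server's internal address.

```conf
# --- /usr/local/etc/vsftpd.conf (assumed server and path) ---
# Confine passive-mode data connections to the range that the
# router forwards, so no other high ports need to be opened.
pasv_enable=YES
pasv_min_port=25000
pasv_max_port=25050
# Address placed in PASV replies. Behind NAT this has to be the
# router's public address (constructed value), otherwise clients
# are told to connect to the unroutable internal address.
pasv_address=203.0.113.5

# --- /etc/pf.conf on the FTP server (fragment, pf(4)) ---
# Assumed LAN-facing interface name.
int_if = "em0"
# Control channel plus exactly the forwarded passive range.
pass in on $int_if proto tcp from any to ($int_if) port 21 keep state
pass in on $int_if proto tcp from any to ($int_if) port 25000:25050 keep state
```

The range bounds how many simultaneous passive data connections can exist, so 51 ports is enough for a handful of clients while keeping the exposed surface small.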
Re: [SSHd] Limiting access from authorized IP's
Gilles wrote:
> Hello
>
> I have a couple of questions about running SSHd:
>
> 1. I'd like to limit connections from the Net only from specific IP's. It seems like there are several ways to do it (/etc/hosts.allow, AllowHosts/AllowUsers, TCP-wrapper, port-knocking, etc.). Which would you recommend?

I tend to use a firewall anyway so that's what works best for me, on machine that I don't firewall, /etc/hosts.allow (which is TCP-wrappers) is a good quick and easy solution. It's very much a whatever works best for you type question.

> 2. Although it's up and running, I can't find SSHd in the list of installed apps:
>
> $ which sshd
> /usr/sbin/sshd
> $ pkg_info | grep -i ssh
> = Nada.
>
> How come?

ssh is part of the base system. It's also in ports so you can have a more recent version if you like or so you have things like the ssh hpn patches (http://www.psc.edu/networking/projects/hpn-ssh/) etc etc.

Vince

> Thank you.
Re: [SSHd] Limiting access from authorized IP's
Hi Gilles,

ssh is part of the base system, not an installed port (by default anyway) so you won't see it with pkg_info which will only list installed packages. The config file is /etc/ssh/sshd_config.

To limit connections, you should be using the firewall. I do use hosts.allow too, but the firewall is your primary defence.

hth,
Gary

On Fri, 18 Apr 2008 10:51:45 +0200 Gilles [EMAIL PROTECTED] wrote:
> Hello
>
> I have a couple of questions about running SSHd:
>
> 1. I'd like to limit connections from the Net only from specific IP's. It seems like there are several ways to do it (/etc/hosts.allow, AllowHosts/AllowUsers, TCP-wrapper, port-knocking, etc.). Which would you recommend?
>
> 2. Although it's up and running, I can't find SSHd in the list of installed apps:
>
> $ which sshd
> /usr/sbin/sshd
> $ pkg_info | grep -i ssh
> = Nada.
>
> How come?
>
> Thank you.
Re: [SSHd] Limiting access from authorized IP's
On Friday 18 April 2008 10:51:45 Gilles wrote:
> 1. I'd like to limit connections from the Net only from specific IP's. It seems like there are several ways to do it (/etc/hosts.allow, AllowHosts/AllowUsers, TCP-wrapper, port-knocking, etc.). Which would you recommend?

hosts.allow == TCP wrapper. I recommend firewall, with hosts.allow backup. In the event the firewall gets disabled, hosts.allow takes over. Note though, that with setups like this, you will have to call someone to add your IP to the lists, when your IP changes or you're on a location you didn't think you'd need access from. I personally prefer sshd to be world accessible and block scans, since I consider being locked out of the machines a security risk as well...

> 2. Although it's up and running, I can't find SSHd in the list of installed apps:
>
> $ which sshd
> /usr/sbin/sshd

It's not a port, comes with the base system.

--
Mel

Problem with today's modular software: they start with the modules and never get to the software part.
[SSHd] Limiting access from authorized IP's
Hello

I have a couple of questions about running SSHd:

1. I'd like to limit connections from the Net only from specific IP's. It seems like there are several ways to do it (/etc/hosts.allow, AllowHosts/AllowUsers, TCP-wrapper, port-knocking, etc.). Which would you recommend?

2. Although it's up and running, I can't find SSHd in the list of installed apps:

$ which sshd
/usr/sbin/sshd
$ pkg_info | grep -i ssh
= Nada.

How come?

Thank you.
Re: [SSHd] Limiting access from authorized IP's
Hi,

Gilles wrote:
> Hello
>
> I have a couple of questions about running SSHd:
>
> 1. I'd like to limit connections from the Net only from specific IP's. It seems like there are several ways to do it (/etc/hosts.allow, AllowHosts/AllowUsers, TCP-wrapper, port-knocking, etc.). Which would you recommend?

You can limit the access using one of the packet filters available, ipfw(8), ipf(8) or pf(4).

> 2. Although it's up and running, I can't find SSHd in the list of installed apps:

sshd(8) is part of the base system, which is a FreeBSD patched version of OpenSSH. Although, you can find some ports of bulk OpenSSH in /usr/ports/security.

Pedro
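The layered setup recommended in the replies above (packet filter as the primary control, /etc/hosts.allow as the backup, AllowUsers as a per-account restriction), as an added example that is not part of the original thread. The interface name em0, the table name ssh_ok, the account name gilles and all addresses (documentation ranges) are assumptions standing in for real values.

```conf
# --- /etc/pf.conf (fragment, pf(4)) ---
# Assumed Internet-facing interface.
ext_if = "em0"
# Trusted SSH sources (constructed addresses). "persist" keeps the
# table even when empty, so it can be edited at runtime, e.g.
#   pfctl -t ssh_ok -T add 203.0.113.7
# which is the fix for the "my IP changed" lock-out case.
table <ssh_ok> persist { 192.0.2.10, 198.51.100.0/24 }

# pf evaluates rules last-match-wins: block everything to port 22,
# then let the allowlisted sources back in. "log" sends blocked
# attempts to pflog0 for later review.
block in log on $ext_if proto tcp from any to ($ext_if) port 22
pass  in     on $ext_if proto tcp from <ssh_ok> to ($ext_if) port 22 keep state

# --- /etc/hosts.allow (TCP wrappers, hosts_options(5) syntax) ---
# Backup layer if the packet filter is disabled. Two conditions:
#  1. sshd must be linked against libwrap, which can be checked with
#       ldd /usr/sbin/sshd | grep libwrap
#  2. The stock FreeBSD file starts with "ALL : ALL : allow" and the
#     first matching line wins, so that line has to be removed or
#     commented out before the entries below have any effect.
sshd : 192.0.2.10 : allow
sshd : 198.51.100.0/255.255.255.0 : allow
sshd : ALL : deny

# --- /etc/ssh/sshd_config ---
# OpenSSH has no AllowHosts keyword; the per-host form is AllowUsers
# with user@host patterns. Once AllowUsers is set, every account not
# listed is refused. "gilles" is a hypothetical account name.
AllowUsers gilles@192.0.2.10 gilles@198.51.100.*
```

Reload each layer separately (pfctl -f /etc/pf.conf for pf, a restart of sshd for sshd_config; hosts.allow is read per connection) and test from an allowed address in a second session before closing the first one.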
usb serial line speed limits
I'm trying to get better speed from ubsa(4) to use a 3G modem at full speed. Editing ubsa.c up to 921600 is fine but if I go to 1228800 compile fails:

cc -O2 -fno-strict-aliasing -pipe -D_KERNEL -DKLD_MODULE -std=c99 -nostdinc -DHAVE_KERNEL_OPTION_HEADERS -include /usr/obj/usr/src/sys/HUNTER/opt_global.h -I. -I@ -I@/contrib/altq -finline-limit=8000 --param inline-unit-growth=100 --param large-function-growth=1000 -fno-common -g -I/usr/obj/usr/src/sys/HUNTER -mno-align-long-strings -mpreferred-stack-boundary=2 -mno-mmx -mno-3dnow -mno-sse -mno-sse2 -mno-sse3 -ffreestanding -Wall -Wredundant-decls -Wnested-externs -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Winline -Wcast-qual -Wundef -Wno-pointer-sign -fformat-extensions -c /usr/src/sys/modules/ubsa/../../dev/usb/ubsa.c
/usr/src/sys/modules/ubsa/../../dev/usb/ubsa.c: In function 'ubsa_baudrate':
/usr/src/sys/modules/ubsa/../../dev/usb/ubsa.c:534: error: 'B1228800' undeclared (first use in this function)
/usr/src/sys/modules/ubsa/../../dev/usb/ubsa.c:534: error: (Each undeclared identifier is reported only once
/usr/src/sys/modules/ubsa/../../dev/usb/ubsa.c:534: error: for each function it appears in.)
*** Error code 1

Where can I dig out more info on how to proceed? Unfortunately my understanding of C and the rest is rather limited...

Thanks!
PowerD Processor Not Recognised!!
Hi

Just installed FreeBSD 7 and get the following error. It doesn't make any difference, but can someone add this CPU to the list of recognized CPU's? Would be nice if powerd could use the adaptive mode correctly.

Hardware info from dsmsg.today

ACPI APIC Table: HP ML110 G4
FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
 cpu0 (BSP): APIC ID: 0
 cpu1 (AP): APIC ID: 1
ioapic0 Version 2.0 irqs 0-23 on motherboard
kbd1 at kbdmux0
acpi0: HP on motherboard
acpi0: [ITHREAD]
acpi0: Power Button (fixed)
acpi0: reservation of fed13000, 1000 (3) failed
Timecounter ACPI-fast frequency 3579545 Hz quality 1000
acpi_timer0: 24-bit timer at 3.579545MHz port 0x1008-0x100b on acpi0
cpu0: ACPI CPU on acpi0
est0: Enhanced SpeedStep Frequency Control on cpu0
est: CPU supports Enhanced Speedstep, but is not recognized.
est: cpu_vendor GenuineIntel, msr 728072806000728
device_attach: est0 attach returned 6
p4tcc0: CPU Frequency Thermal Control on cpu0
cpu1: ACPI CPU on acpi0
est1: Enhanced SpeedStep Frequency Control on cpu1
est: CPU supports Enhanced Speedstep, but is not recognized.
est: cpu_vendor GenuineIntel, msr 728072806000728
device_attach: est1 attach returned 6

Kind regards
Gordon
Re: usb serial line speed limits
On Friday 18 April 2008 11:50:46 Per olof Ljungmark wrote:
> 'B1228800' undeclared (first use in this function)
> /usr/src/sys/modules/ubsa/../../dev/usb/ubsa.c:534: error: (Each undeclared identifier is reported only once
> /usr/src/sys/modules/ubsa/../../dev/usb/ubsa.c:534: error: for each function it appears in.)
> *** Error code 1
>
> Where can I dig out more info on how to proceed? Unfortunately my understanding of C and the rest is rather limited...

/usr/src/sys/sys/termios.h defines the baud rates. Next one up from 115200 is B230400. Max is B921600.

--
Mel

Problem with today's modular software: they start with the modules and never get to the software part.
Re: Pkg_info corrupt for some packages
On Mon, Apr 14, 2008 at 10:47:01PM +0200, Aijaz Baig wrote:
> Hello,
>
> I tried running the script suggested by mel and after that I was able to see that some of those packages got registered as installed. However some of the packages were not being found and as an example I saw the following:
>
> Restoring doodle-0.6.6_1 Failed: cannot find doodle-0.6.6_1 in /usr/ports/INDEX-7*
>
> *Then as suggested by andrew I tried to see just how many packages have been messed and to my shock the figure for the first command was 336 and for the second command was 326. Well...how do I 'extract the port origins' from pkgdb.db? I am sorry if I sound naive but I'm a bit new to freebsd.

Ten lost ports is easy enough to do by hand - look what packages miss their contents and find them in the ports tree. Then just cd to each /usr/ports/whatever/whenever and run

    make install -DFORCE_PKG_REGISTER

That should do it.
Re: RTL8111C driver for FBSD7
On Fri, 2008-04-18 at 11:08 +0300, Manolis Kiagias wrote:
> Da Rock wrote:
> > On Fri, 2008-04-18 at 10:11 +0300, Manolis Kiagias wrote:
> > > Da Rock wrote:
> > > > Hey, hey... I made a boo boo and ordered a unit with this nic onboard (truthfully, I never thought I'd have any trouble since I had done this before). Loaded 7 and couldn't find the nic. A little investigation found that the nic was the above, and a little further found that there was no support for it in the hcl's. Now I do find it hard to believe there is no way around this- I found a driver for FBSD4.5-6, is there one for 6.2 or higher? Or will this one work? Anyone know how to install it? The driver is only a c and a h file- Makefile is an empty file, and the readme tells me to rebuild the kernel after removing rl and re in the conf. Then I build the driver, and kldload it. Any idea why I'd have to rebuild the kernel?
> > > >
> > > > Cheers guys
> > >
> > > I've seen this driver too (I've investigated for a friend who bought a similar motherboard that otherwise works with 7). The readme describes two methods of installation but the first one simply does not apply (there is no modules directory in the download). I have not tried the second method (looks reasonable though). Removing the rl and re from the kernel will remove the built-in support (it could conflict with the new driver) and create a module for the new driver. Note that you are also asked to replace the files in the FreeBSD src directories. In fact it is better to build as a module - building it into the kernel may well leave you with an unbootable kernel if it is not compatible. As I said, I have not done this (my friend will be running Linux on this box) but as more and more recent mobos seem to use this NIC - and I may be buying one- if you are willing to give it a try, I will be interested in the results.
> >
> > Well I just tried it- I put this out there for some feedback mainly- the kernel rebuild is to remove the old rl and re drivers completely, and the build for the driver is for a module. Unfortunately the result is a failure: compatibility issues of some sort (argument warnings, not enough args, invalid variables and functions). My question is will I find something to work for 7? If not, will it work on 6.2 or 6.3 (it only says 6 in the readme's)?
>
> I hope realtek releases a driver for 7. I would not want to go back to 6.X for this. I have a 6.3 server, and can give it a try - as far as compiling the module, not actually using it, I don't have the NIC. I will post the results later today.

Ok, I have good news and bad news. Good news: the driver compiles under 6.2. Bad news: it doesn't work. I tried a new cable, dhcp, manual config- could not get it to communicate. First sign was that it couldn't get an ip from dhcp. Then I tried pinging dns name, then local address- NG. When I tried the cable the NIC led didn't come back on, and the indication leds on the switch were slowly blinking. Something is seriously wrong... Any ideas about this guys?
Re: RTL8111C driver for FBSD7
Da Rock wrote:
> On Fri, 2008-04-18 at 11:08 +0300, Manolis Kiagias wrote:
> > Da Rock wrote:
> > > On Fri, 2008-04-18 at 10:11 +0300, Manolis Kiagias wrote:
> > > > Da Rock wrote:
> > > > > Hey, hey... I made a boo boo and ordered a unit with this nic onboard (truthfully, I never thought I'd have any trouble since I had done this before). Loaded 7 and couldn't find the nic. A little investigation found that the nic was the above, and a little further found that there was no support for it in the hcl's. Now I do find it hard to believe there is no way around this- I found a driver for FBSD4.5-6, is there one for 6.2 or higher? Or will this one work? Anyone know how to install it? The driver is only a c and a h file- Makefile is an empty file, and the readme tells me to rebuild the kernel after removing rl and re in the conf. Then I build the driver, and kldload it. Any idea why I'd have to rebuild the kernel?
> > > > >
> > > > > Cheers guys
> > > >
> > > > I've seen this driver too (I've investigated for a friend who bought a similar motherboard that otherwise works with 7). The readme describes two methods of installation but the first one simply does not apply (there is no modules directory in the download). I have not tried the second method (looks reasonable though). Removing the rl and re from the kernel will remove the built-in support (it could conflict with the new driver) and create a module for the new driver. Note that you are also asked to replace the files in the FreeBSD src directories. In fact it is better to build as a module - building it into the kernel may well leave you with an unbootable kernel if it is not compatible. As I said, I have not done this (my friend will be running Linux on this box) but as more and more recent mobos seem to use this NIC - and I may be buying one- if you are willing to give it a try, I will be interested in the results.
> > >
> > > Well I just tried it- I put this out there for some feedback mainly- the kernel rebuild is to remove the old rl and re drivers completely, and the build for the driver is for a module. Unfortunately the result is a failure: compatibility issues of some sort (argument warnings, not enough args, invalid variables and functions). My question is will I find something to work for 7? If not, will it work on 6.2 or 6.3 (it only says 6 in the readme's)?
> >
> > I hope realtek releases a driver for 7. I would not want to go back to 6.X for this. I have a 6.3 server, and can give it a try - as far as compiling the module, not actually using it, I don't have the NIC. I will post the results later today.
>
> Ok, I have good news and bad news. Good news: the driver compiles under 6.2. Bad news: it doesn't work. I tried a new cable, dhcp, manual config- could not get it to communicate. First sign was that it couldn't get an ip from dhcp. Then I tried pinging dns name, then local address- NG. When I tried the cable the NIC led didn't come back on, and the indication leds on the switch were slowly blinking. Something is seriously wrong... Any ideas about this guys?

Maybe it gets stuck in the auto-negotiation phase, trying to determine link speed? Give it a bit of manual help, something like:

    ifconfig rl0 inet 192.168.0.25 netmask 255.255.255.0 media 100baseTX
Re: UFS2 Journaling implementation detail
--- Ivan Voras [EMAIL PROTECTED] wrote:
> Unga wrote:
> > Hi all
> >
> > I'm looking for papers or documentation covering details of the UFS2 Journaling implementation of the FreeBSD. Please give me links to them if you guys know any.
> >
> > Many thanks in advance.
>
> There's no such thing as UFS2 Journalling in FreeBSD (yet). There's gjournal which is journaling on the data layer (below the file system, and only with very limited integration with the file system). This implementation is not documented (except for usage here: http://www.freebsd.org/cgi/man.cgi?query=gjournalmanpath=FreeBSD+7.0-RELEASE), but there's a small (and very old) high-level overview in my proposal on which the current gjournal is based, here: http://wiki.freebsd.org/gjournal_proposal . Ignore the bits about delay-commit.
>
> See also here: http://docs.freebsd.org/cgi/getmsg.cgi?fetch=3624+0+/usr/local/www/db/text/2006/freebsd-geom/20060625.freebsd-geom

Ivan, thanks for the links.

What I mean is configure journaling via gjournal(8) for the UFS file system.

I lost some files, specially Firefox's book marks, history, etc. after a power failure on FreeBSD 7.0. What else lost is not known yet. I'm looking for a file system protection mechanism.

I understand there are two mechanism in FreeBSD: Soft Update and gjournal. I have following questions in this regard:

1. "Pawel (pjd) has reimplemented gjournal with hooks in the file system code so it can properly do file system journaling." - http://wiki.freebsd.org/gjournal)
   So, the gjournal is a Journaled File System which can be used against file system corruptions in the event of power failure or system crash?

2. "Unfortunately, gjournal cannot replace a journaling filesystem. At least, a fsck is still needed on the journaled device/filesystem after a crash." -(http://wiki.freebsd.org/gjournal)
   Is it now confirmed that gjournal does not require fsck after a power failure or system crash?

3. "To ensure that data is stored on the data provider, the gjournal sync command should be used after calling sync(2)." - gjournal(8)
   Who should issue this command? user manually?

4. "Size should be chosen based on provider's load, and not on its size. It is not recommended to use gjournal for small file systems" - gjournal(8)
   So how do I know what should be the size of the journal before it is created? Does it log anywhere if the journal size is too small for the system load?

5. "Some UFS implementations avoid journaling and instead implement soft updates: they order their writes in such a way that the on-disk file system is never inconsistent, or that the only inconsistency that can be created in the event of a crash is a storage leak. To recover from these leaks, the free space map is reconciled against a full walk of the file system at next mount." - (http://en.wikipedia.org/wiki/Journaling_file_system)
   So the disadvantage of Soft Update is it is necessary to run fsck after reboot in event of a crash or power failure?

6. On the same hard disk for various BSD partitions, is it possible to use both Soft Update and gjournal, Eg. Soft Update for / , gjournal for /usr?

7. In, gjournal label [-fhv] [-s jsize] dataprov [jprov]
   What is the unit of the size?

Kind regards
Unga
Re: freebsd-update for patches, make world for upgrades?
Andreas Pettersson [EMAIL PROTECTED] writes:
> Does freebsd-update take care of all things mergemaster does? Or can I use freebsd-update to apply security patches and still use csup, make world and mergemaster to upgrade to a new release?

You certainly *can* use both.
Re: UFS2 Journaling implementation detail
Unga wrote: --- Ivan Voras [EMAIL PROTECTED] wrote: Unga wrote: Hi all I'm looking for papers or documentation covering details of the UFS2 Journaling implementation of the FreeBSD. Please give me links to them if you guys know any. Many thanks in advance. There's no such thing as UFS2 Journalling in FreeBSD (yet). There's gjournal which is journaling on the data layer (below the file system, and only with very limited integration with the file system). This implementation is not documented (except for usage here: http://www.freebsd.org/cgi/man.cgi?query=gjournalmanpath=FreeBSD+7.0-RELEASE), but there's a small (and very old) high-level overview in my proposal on which the current gjournal is based, here: http://wiki.freebsd.org/gjournal_proposal . Ignore the bits about delay-commit. See also here: http://docs.freebsd.org/cgi/getmsg.cgi?fetch=3624+0+/usr/local/www/db/text/2006/freebsd-geom/20060625.freebsd-geom Ivan, thanks for the links. What I mean is configure journaling via gjournal(8) for the UFS file system. I lost some files, specially Firefox's book marks, history, etc. after a power failure on FreeBSD 7.0. What else lost is not known yet. I'm looking for a file system protection mechanism. I understand there are two mechanism in FreeBSD: Soft Update and gjournal. I have following questions in this regard: 1. Pawel (pjd) has reimplemented gjournal with hooks in the file system code so it can properly do file system journaling. - http://wiki.freebsd.org/gjournal) So, the gjournal is a Journaled File System which can be used against file system corruptions in the event of power failure or system crash? 2. Unfortunately, gjournal cannot replace a journaling filesystem. At least, a fsck is still needed on the journaled device/filesystem after a crash. -(http://wiki.freebsd.org/gjournal) Is it now confirmed that gjournal does not require fsck after a power failure or system crash? 3. 
To ensure that data is stored on the data provider, the gjournal sync command should be used after calling sync(2). - gjournal(8) Who should issue this command? user manually? 4. Size should be chosen based on provider's load, and not on its size. It is not recommended to use gjournal for small file systems - gjournal(8) So how do I know what should be the size of the journal before it is created? Does it log anywhere if the journal size is too small for the system load? 5. Some UFS implementations avoid journaling and instead implement soft updates: they order their writes in such a way that the on-disk file system is never inconsistent, or that the only inconsistency that can be created in the event of a crash is a storage leak. To recover from these leaks, the free space map is reconciled against a full walk of the file system at next mount. - (http://en.wikipedia.org/wiki/Journaling_file_system) So the disadvantage of Soft Update is it is necessary to run fsck after reboot in event of a crash or power failure? 6. On the same hard disk for various BSD partitions, is it possible to use both Soft Update and gjournal, Eg. Soft Update for / , gjournal for /usr? 7. In, gjournal label [-fhv] [-s jsize] dataprov [jprov] What is the unit of the size? Kind regards Unga Funny thing, I am currently writing a tutorial / article on how to implement gjournal on a desktop PC and I expect to finish the first version by Monday / Tuesday. It goes step by step explaining how to implement journaling on /usr (and possibly /var) when installing FreeBSD 7. I've kept the steps as simple as possible, so anyone with a basic understanding of FreeBSD and sysinstall should be able to implement it. Needless to say I am using journaling on all my 7.0 systems now. I will be posting a link here and in -doc so that people have a chance to review it. 
I hope I can count on your reviews too ;)
Re: RTL8111C driver for FBSD7
On Fri, 2008-04-18 at 14:38 +0300, Manolis Kiagias wrote: Da Rock wrote: On Fri, 2008-04-18 at 11:08 +0300, Manolis Kiagias wrote: Da Rock wrote: On Fri, 2008-04-18 at 10:11 +0300, Manolis Kiagias wrote: Da Rock wrote: Hey, hey... I made a boo boo and ordered a unit with this nic onboard (truthfully, I never thought I'd have any trouble since I had done this before). Loaded 7 and couldn't find the nic. A little investigation found that the nic was the above, and a little further found that there was no support for it in the hcl's. Now I do find it hard to believe there is no way around this- I found a driver for FBSD4.5-6, is there one for 6.2 or higher? Or will this one work? Anyone know how to install it? The driver is only a c and a h file- Makefile is an empty file, and the readme tells me to rebuild the kernel after removing rl and re in the conf. Then I build the driver, and kldload it. Any idea why I'd have to rebuild the kernel? Cheers guys I've seen this driver too (I've investigated for a friend who bought a similar motherboard that otherwise works with 7). The readme describes two methods of installation but the first one simply does not apply (there is no modules directory in the download). I have not tried the second method (looks reasonable though). Removing the rl and re from the kernel will remove the built-in support (it could conflict with the new driver) and create a module for the new driver. Note that you are also asked to replace the files in the FreeBSD src directories. In fact it is better to build as a module - building it into the kernel may well leave you with an unbootable kernel if it is not compatible. As I said, I have not done this (my friend will be running Linux on this box) but as more and more recent mobos seem to use this NIC - and I may be buying one- if you are willing to give it a try, I will be interested in the results. 
Well I just tried it- I put this out there for some feedback mainly- the kernel rebuild is to remove the old rl and re drivers completely, and the build for the driver is for a module. Unfortunately the result is a failure: compatibility issues or some sort (argument warnings, not enough args, invalid variables and functions). My question is will I find something to work for 7? If not, will it work on 6.2 or 6.3 (it only says 6 in the readme's)? I hope realtek releases a driver for 7. I would not want to go back to 6.X for this. I have a 6.3 server, and can give it a try - as far as compiling the module, not actually using it, I don't have the NIC. I will post the results later today. Ok, I have good news and bad news. Good news: the driver compiles under 6.2. Bad news: it doesn't work. I tried a new cable, dhcp, manual config- could not get it to communicate. First sign was that it couldn't get an ip from dhcp. Then I tried pinging dns name, then local address- NG. When I tried the cable the NIC led didn't come back on, and the indication leds on the switch were slowly blinking. Something is seriously wrong... Any ideas about this guys? Maybe it gets stuck in the auto-negotiation phase, trying to determine link speed? Give it a bit of manual help, something like: ifconfig rl0 inet 192.168.0.25 netmask 255.255.255.0 media 100baseTX I have to admit I hadn't thought of that, and I did just check it now, but thats not the case here. The NIC led is not on at all, only the switch led is blinking slowly. No, I believe this could be one for the experts- any out there? ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: [SSHd] Limiting access from authorized IP's
Mel wrote:

> On Friday 18 April 2008 10:51:45 Gilles wrote:
>
>> 1. I'd like to limit connections from the Net only from specific IP's. It seems like there are several ways to do it (/etc/hosts.allow, AllowHosts/AllowUsers, TCP-wrapper, port-knocking, etc.). Which would you recommend?
>
> hosts.allow == TCP wrapper. I recommend firewall, with hosts.allow backup. In the event the firewall gets disabled, hosts.allow takes over. Note though, that with setups like this, you will have to call someone to add your IP to the lists, when your IP changes or you're on a location you didn't think you'd need access from. I personally prefer sshd to be world accessible and block scans, since I consider being locked out of the machines a security risk as well...

Some additional thoughts: If you want to control which users can connect from which IP addresses, use the AllowUsers, etc. statements in sshd_config. That's the big advantage of doing it at that level. If you're not going to get that granular, I'd stick with the advice others have already given.

Also, some of us are convinced that we further reduce our risk from scanning by turning off password access and forcing the use of keys.

--Jon Radel
Re: RTL8111C driver for FBSD7
Hello...

I had another NIC from marvell (I did not remember if it was a nve or nfe) that refuses to work until I put the word UP in the ifconfig command in /etc/rc.conf.

ifconfig_xx0=up DHCP == may be is it not the case

what the command ifconfig shows???
does the kernel detect the NIC???

Hope it can help
Re: [SSHd] Limiting access from authorized IP's
--On Friday, April 18, 2008 19:14:49 +1000 Gary Newcombe [EMAIL PROTECTED] wrote:

> ssh is part of the base system, not an installed port (by default anyway) so you won't see it with pkg_info which will only list installed packages. The config file is /etc/ssh/sshd_config.
>
> To limit connections, you should be using the firewall. I do use hosts.allow too, but the firewall is your primary defence.

I see this statement all the time, and I wonder why. What does a firewall on an individual host accomplish?

I have maintained publicly available servers for a small hobby domain for almost ten years now. Initially, I bought in to this logic and ran a firewall. (At that time we only had one server.) What it cost me was CPU and memory. What it gained me was nothing. I turned it off. I have never run a firewall on a publicly available host since.

Firewalls are for preventing access to running services. By definition, if you are running a service, you want it to be accessed. So firewalls are self-defeating or completely useless at the host level **unless** you don't know what you're doing. For an enterprise they make a great deal of sense. No matter what a user inside your network might do, you can prevent access by simply not allowing traffic on that port.

For an individual host it makes a great deal more sense to only run those services you intend to use ***and keep them up to date and properly configured***. If you're running syslogd on 514/tcp (because it installs that way by default) and you're not running a syslogd server, then that is an error on your part [1]. If you're running cupsd listening on 631/tcp, but you're not running a print server, then that's an error [2].

Secondly, for those services that you *must* have publicly available, research what protections are available (e.g. mod_security for apache, hosts.allow for other services.) Read the man pages. Learn to lock down your box properly. Then, spend your time and attention on the services that *are* exposed (because they have to be) and make sure you have those fully patched and properly configured.

Never, ever, ever, run a service that you do not intend to use and have it listening on a port! Those are the doors hackers use to get in.

Firewalls are too often crutches for people that don't want to learn how to properly maintain a host. If *everyone* knew how to properly configure and maintain a host, even enterprise firewalls would be completely unnecessary.

To the OP, you *must* run sshd to remotely access your box. There are several things you can (and should) do.

1) Don't allow root logins (that is now the default configuration)
2) Only allow protocol 2 (now also the default)
3) Consider not allowing any logins and requiring cert exchange instead [3]
4) Consider using ChallengeResponseAuthentication (see [3])
5) Consider running sshd on a different port [4]
6) Consider using /etc/hosts.allow to restrict access

[1]
# grep syslogd /etc/rc.conf
syslogd_flags=-b 127.0.0.1
# sockstat | grep syslogd
root syslogd 850 4 dgram /var/run/log
root syslogd 850 5 dgram /var/run/logpriv
root syslogd 850 6 udp4 127.0.0.1:514 *:*

[2]
# grep -i LISTEN /usr/local/etc/cups/cupsd.conf
# Only listen for connections from the local machine. Use unix sockets and disable ip completely when possible.
#Listen localhost:631
Listen /var/run/cups.sock
# sockstat | grep cupsd
root cupsd 6208 3 stream /var/run/cups.sock
root cupsd 6208 4 udp4 *:631 *:*

(If anyone knows how to disable the udp port as well, let me know.)

[3] man (5) sshd_config - see AuthorizedKeysFile, ChallengeResponseAuthentication

[4]
# grep sshd /etc/defaults/rc.conf
sshd_enable=NO # Enable sshd
sshd_program=/usr/sbin/sshd # path to sshd, if you want a different one.
sshd_flags= # Additional flags for sshd.

man (8) sshd -p port flag

--
Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
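Added example, not part of the post above and not FreeBSD project code: the `sockstat | grep` check from footnotes [1] and [2], generalized into a shell function that lists every TCP/UDP listener not bound to loopback and then drops the services you intend to expose. The sample sockstat text is constructed (modelled on the lines in the post; the sshd, named and sendmail rows and all addresses are invented), and the function names are this example's own.

```shell
#!/bin/sh
# Added example: find listeners that are reachable from off-host.
# Reads sockstat(1)-style text on stdin. Assumed FreeBSD column layout:
# USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS

# Print "scope command proto local-address" for each TCP/UDP socket that is
# waiting for traffic on something other than a loopback address.
exposed_listeners() {
    awk '
    $5 !~ /^(tcp|udp)/ { next }     # header line and unix-domain sockets
    $7 != "*:*"        { next }     # connected socket, not a listener
    {
        host = $6
        sub(/:[^:]*$/, "", host)    # strip ":port", keeps IPv6 hosts intact
        if (host ~ /^127\./ || host == "::1") next
        scope = (host == "*") ? "all-interfaces" : "single-address"
        printf "%s %s %s %s\n", scope, $2, $5, $6
    }'
}

# Same list, minus the commands named as arguments (the services you
# actually mean to offer). Whatever is left is a candidate to shut off
# or rebind to loopback or a unix socket.
unintended_listeners() {
    exposed_listeners | awk -v allow="$*" '
    BEGIN { n = split(allow, name, " "); for (i = 1; i <= n; i++) ok[name[i]] = 1 }
    !($2 in ok)'
}

# Constructed sample input (not captured from a real host).
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     syslogd    850   4  dgram  /var/run/log
root     syslogd    850   6  udp4   127.0.0.1:514         *:*
root     cupsd      6208  3  stream /var/run/cups.sock
root     cupsd      6208  4  udp4   *:631                 *:*
root     sshd       712   3  tcp4   *:22                  *:*
root     sshd       900   3  tcp4   192.0.2.10:22         198.51.100.7:51514
bind     named      640   20 udp4   192.0.2.10:53         *:*
root     sendmail   701   4  tcp6   ::1:25                *:*'

# sshd is the only service this sample host is meant to expose.
printf '%s\n' "$SAMPLE_SOCKSTAT" | unintended_listeners sshd
```

On a FreeBSD host the same function can be fed live data with `sockstat -l | unintended_listeners sshd`.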
Re: RTL8111C driver for FBSD7
--On Friday, April 18, 2008 22:30:41 +1000 Da Rock [EMAIL PROTECTED] wrote:

>> Give it a bit of manual help, something like:
>>
>> ifconfig rl0 inet 192.168.0.25 netmask 255.255.255.0 media 100baseTX
>
> I have to admit I hadn't thought of that, and I did just check it now, but that's not the case here. The NIC led is not on at all, only the switch led is blinking slowly.
>
> No, I believe this could be one for the experts- any out there?

No expert here, but grep the .h file for that driver and see if it even supports your card. If the model number isn't there, you're probably out of luck unless you can find a programmer to add the necessary pieces.

--
Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
Re: RTL8111C driver for FBSD7
--On Friday, April 18, 2008 10:06:42 -0300 sergio lenzi [EMAIL PROTECTED] wrote:

> Hello...
>
> I had another NIC from marvell (I did not remember if it was a nve or nfe) that refuses to work until I put the word UP in the ifconfig command in /etc/rc.conf.
>
> ifconfig_xx0=up DHCP == may be is it not the case

If you want your NIC to come up on boot, you need to tell the OS that.

# grep ifconfig /etc/rc.conf
ifconfig_em0=DHCP

For yours: ifconfig_xx0=DHCP should work fine.

--
Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
Re: usb serial line speed limits
Mel wrote: On Friday 18 April 2008 11:50:46 Per olof Ljungmark wrote: 'B1228800' undeclared (first use in this function) /usr/src/sys/modules/ubsa/../../dev/usb/ubsa.c:534: error: (Each undeclared identifier is reported only once /usr/src/sys/modules/ubsa/../../dev/usb/ubsa.c:534: error: for each function it appears in.) *** Error code 1 Where can I dig out more info on how to proceed? Unfortunately my understanding of C and the rest is rather limited... /usr/src/sys/sys/termios.h defines the baud rates. Next one up from 115200 is B230400. Max is B921600. Well, I recompiled with B1228800 defined in termios.h but when i start ppp i get a complaint that the speed does not exist so it seems to be more complicated than that. Furthermore, testing ftp with XP I get about 2mbit/second downstream, same ftp server with FreeBSD it's about 240kbit/s with serial speed 921600. Anyone on the list who managed to crank the speed up? Hardware is ThinkPad T42 with a Huawei E220 modem and 7-STABLE. --per ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: [SSHd] Limiting access from authorized IP's
Paul Schmehl wrote:

> I have maintained publicly available servers for a small hobby domain for almost ten years now. Initially, I bought in to this logic and ran a firewall. (At that time we only had one server.) What it cost me was CPU and memory. What it gained me was nothing. I turned it off. I have never run a firewall on a publicly available host since.
>
> Firewalls are for preventing access to running services. By definition, if you are running a service, you want it to be accessed. So firewalls are self-defeating or completely useless at the host level **unless** you don't know what you're doing. For an enterprise they make a great deal of sense. No matter what a user inside your network might do, you can prevent access by simply not allowing traffic on that port.

On the whole I agree with you -- you should be able to view a firewall as a luxury rather than a necessity on a well configured server.

However there is one rather nasty loophole that you can block with a firewall which otherwise is pretty impossible to deal with, at least on FreeBSD machines. It's all to do with the weak routing model -- that is, a network packet to an IP on one of a host's interfaces will be accepted on *any* interface on that host[*]. So even though you protect services that are not meant to be for public consumption by binding them to the loopback address, some one can still send you a spoofed packet to 127.0.0.1 that arrives on your external network i/f /and it will let you connect to the service bound to the loopback/

The attacker has to have access to the same layer 2 network as your host, but sending the spoofed packet is as simple as tweaking the routing table. See eg: http://seclists.org/bugtraq/2001/Mar/0042.html

Blocking this sort of attack against the loopback address can be done with the following 3 line PF firewall config. Extending this to back-end networks etc. is left as an exercise for the student:

scrub in all
pass all
antispoof log quick for lo0

Cheers,

Matthew

[*] Which is not without its legitimate uses, as anyone who has ever configured a load balancer using DSR mode will attest.

--
Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW
Re: [SSHd] Limiting access from authorized IP's
On Fri, Apr 18, 2008 at 8:59 AM, Matthew Seaman [EMAIL PROTECTED] wrote:

> Paul Schmehl wrote:
>
>> I have maintained publicly available servers for a small hobby domain for almost ten years now. Initially, I bought in to this logic and ran a firewall. (At that time we only had one server.) What it cost me was CPU and memory. What it gained me was nothing. I turned it off. I have never run a firewall on a publicly available host since.
>>
>> Firewalls are for preventing access to running services. By definition, if you are running a service, you want it to be accessed. So firewalls are self-defeating or completely useless at the host level **unless** you don't know what you're doing. For an enterprise they make a great deal of sense. No matter what a user inside your network might do, you can prevent access by simply not allowing traffic on that port.
>
> On the whole I agree with you -- you should be able to view a firewall as a luxury rather than a necessity on a well configured server.
>
> However there is one rather nasty loophole that you can block with a firewall which otherwise is pretty impossible to deal with, at least on FreeBSD machines. It's all to do with the weak routing model -- that is, a network packet to an IP on one of a host's interfaces will be accepted on *any* interface on that host[*]. So even though you protect services that are not meant to be for public consumption by binding them to the loopback address, some one can still send you a spoofed packet to 127.0.0.1 that arrives on your external network i/f /and it will let you connect to the service bound to the loopback/
>
> The attacker has to have access to the same layer 2 network as your host, but sending the spoofed packet is as simple as tweaking the routing table. See eg: http://seclists.org/bugtraq/2001/Mar/0042.html
>
> Blocking this sort of attack against the loopback address can be done with the following 3 line PF firewall config. Extending this to back-end networks etc. is left as an exercise for the student:
>
> scrub in all
> pass all
> antispoof log quick for lo0
>
> Cheers,
>
> Matthew
>
> [*] Which is not without its legitimate uses, as anyone who has ever configured a load balancer using DSR mode will attest.
>
> --
> Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW

Not to detour this conversation too much, I hope, but I'm in a different situation, and this is going to be an issue for me.

I'm putting together a box that's going to be a router for our company, using BGP to give access to our T1 and frac DS3. That's all it should be doing, it will have no other services. It'll be in our server room, though, so I won't have to get at it from anywhere, except perhaps home, and even that could be avoided by simply traveling the 10 miles to work.

So, I'm wondering how to lock it down - I'm even contemplating eliminating any MTA and sshd, and just running the routing daemon, but sshd is just so useful that it's hard to do without, and eliminating the MTA denies me the goodness of the periodic reports. 'Casting syslog to my internal syslog host is also problematic, but possible, I suppose.

Then there's the problem of managing and monitoring the thing once it's installed. Being able to use mrtg/cacti/something to query SNMP would be extraordinarily useful, as we will be paying extra for bandwidth above our fractional rate on the DS3, and also to monitor the health of the box.

I haven't found any good guides for this, but I do have Security Power Tools, Mastering FreeBSD and OpenBSD Security, and a couple of other books, including one on OpenBSD and PF, but haven't teased out all that I need from them regarding doing this in a sane/secure manner.

At any rate, locking down ssh access is one of my concerns, for sure, so this discussion is helpful.

Kurt
Re: [SSHd] Limiting access from authorized IP's
Kurt Buff wrote:

> On Fri, Apr 18, 2008 at 8:59 AM, Matthew Seaman [EMAIL PROTECTED] wrote:
>
> At any rate, locking down ssh access is one of my concerns, for sure, so this discussion is helpful.

Wouldn't turning off password based logins and using public and private keys (with a strong password) for ssh logins do the trick? If you limit yourself based on IP addresses, it's inevitable that you will need access from an IP NOT on your exemption list at some time (like when you are on vacation, at relatives, etc).

Using keys to authenticate ssh sessions has worked very well for me. If you are concerned about the brute force attempts (which can't work without the private key which you put a strong password on), you can use something like denyhosts to block those hosts from even connecting.

hth

Eric
Is Marvell 88E1116 network adapter supported in 7.0?
I'm planning on building a new PC to run Rev.7. The motherboard I have in mind is a Foxconn 6150M2MA-KRS2H http://preview.tinyurl.com/5k47tv with a GeForce 6150 + nForce 430 chipset, the network adapter is described as Marvell 88E1116. I gather, from some discussion in this list last January concerning Rev 6, that it uses the nve driver but I'm a little uncertain since the Rev.7 hardware compatibility list doesn't mention the 88E1116.

--
Mike Clarke
Re: UFS2 Journaling implementation detail
Ivan, thanks for the links. What I mean is configure journaling via gjournal(8) for the UFS file system. Just follow the example in gjournal(8) :) I have following questions in this regard: 1. Pawel (pjd) has reimplemented gjournal with hooks in the file system code so it can properly do file system journaling. - http://wiki.freebsd.org/gjournal) So, the gjournal is a Journaled File System which can be used against file system corruptions in the event of power failure or system crash? No, gjournal is a layer below the file system (think of it as a virtual disk drive) that does journalling. You need to create a file system on top of gjournal. Pawel added some necessary integration for UFS. 2. Unfortunately, gjournal cannot replace a journaling filesystem. At least, a fsck is still needed on the journaled device/filesystem after a crash. -(http://wiki.freebsd.org/gjournal) Is it now confirmed that gjournal does not require fsck after a power failure or system crash? Yes, this is old information. The current gjournal implementation works without fsck. 3. To ensure that data is stored on the data provider, the gjournal sync command should be used after calling sync(2). - gjournal(8) Who should issue this command? user manually? I don't think so. I think this is also old information. There are some hard drives and controller that don't support BIO_FLUSH (which could theoretically need the above commands) but you are notified about these drives on boot. 4. Size should be chosen based on provider's load, and not on its size. It is not recommended to use gjournal for small file systems - gjournal(8) So how do I know what should be the size of the journal before it is created? Theoretically, there's a fairly complex calculation based on your disk drive capacity and journal delay time, but unless you are using fast server-class drive, 1 GB should be enough for the journal. Does it log anywhere if the journal size is too small for the system load? 
Yes, you'll get a system panic in this case. Yes, it's a bad solution, complain to Pawel :) 5. Some UFS implementations avoid journaling and instead implement soft updates: they order their writes in such a way that the on-disk file system is never inconsistent, or that the only inconsistency that can be created in the event of a crash is a storage leak. To recover from these leaks, the free space map is reconciled against a full walk of the file system at next mount. - (http://en.wikipedia.org/wiki/Journaling_file_system) So the disadvantage of Soft Update is it is necessary to run fsck after reboot in event of a crash or power failure? Yes. The advantage is that practically, the data is as safe as with journalling. 6. On the same hard disk for various BSD partitions, is it possible to use both Soft Update and gjournal, Eg. Soft Update for / , gjournal for /usr? Yes, but it doesn't make much sense to do it this way. It won't crash but there are no benefits to it. Note also that you can't add a gjournal-supported journal on existing file systems without using external journals. In other words: if you already created all your file systems and don't have any free space on the drive to create additional partitions, you can't use gjournal. 7. In, gjournal label [-fhv] [-s jsize] dataprov [jprov] What is the unit of the size? Whatever you want it to be, for example 1M means megabyte. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: [SSHd] Limiting access from authorized IP's
On Fri, 18 Apr 2008 10:04:37 +0100, FreeBSD - Wire Consulting [EMAIL PROTECTED] wrote:

> sshd(8) is part of the base system, which is a FreeBSD patched version of OpenSSH. Although, you can find some ports of bulk OpenSSH in /usr/ports/security.

I don't have a firewall on that host because there's already a NAT router connecting the LAN to the Net. I'll just add the following to /etc/ssh/sshd_config, and restart the service:

AllowHosts 192.168.0 82.x.x.x

BTW, is the SSHd that comes with the system good enough, or should I upgrade to what's in /usr/ports/security/ssh2?

Thanks
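Added example, not part of any post in this thread and not OpenSSH or FreeBSD project code: a shell function that reads an sshd_config and reports where it departs from the key-only, no-root-login, protocol-2 setup suggested in the replies above. Both sample configs and the pass/fail policy are constructed; unset keywords are reported because defaults differ between OpenSSH builds, and `AllowHosts` is flagged because OpenSSH's sshd_config restricts by address through `AllowUsers` user@host patterns and has no keyword of that name.

```shell
#!/bin/sh
# Added example: audit an sshd_config read from stdin. The policy below is
# this example's assumption of "key-only": with PAM, keyboard-interactive
# (ChallengeResponseAuthentication) can still prompt for a password, so it
# is required to be off together with PasswordAuthentication.

audit_sshd_config() {
    awk '
    function must_be(key, good,    v) {     # finding when unset or different
        v = (key in val) ? val[key] : "(unset)"
        if (v != good) printf "FAIL %s=%s want=%s\n", key, v, good
    }
    function if_set(key, good) {            # finding only when set and different
        if ((key in val) && val[key] != good)
            printf "FAIL %s=%s want=%s\n", key, val[key], good
    }
    BEGIN {
        # Keywords that must not be loosened inside a conditional Match block.
        strict["passwordauthentication"] = "no"
        strict["permitrootlogin"] = "no"
    }
    /^[ \t]*#/ { next }                     # comment
    /^[ \t]*$/ { next }                     # blank line
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        if (!match(line, /^[A-Za-z0-9]+/)) next
        key = tolower(substr(line, 1, RLENGTH))   # keywords are case-insensitive
        rest = substr(line, RLENGTH + 1)
        sub(/^[ \t]*=?[ \t]*/, "", rest)    # "Keyword value" or "Keyword=value"
        split(rest, word, /[ \t]+/)
        value = tolower(word[1])
        # Newer OpenSSH releases spell this keyword KbdInteractiveAuthentication.
        if (key == "kbdinteractiveauthentication")
            key = "challengeresponseauthentication"

        if (key == "match") { in_match = 1; next }
        if (in_match) {                     # conditional, not the global value
            if ((key in strict) && value != strict[key])
                printf "WARN match-block %s=%s\n", key, value
            next
        }
        if (key == "allowhosts") {
            print "FAIL allowhosts: not an OpenSSH sshd_config keyword, see AllowUsers"
            next
        }
        if (!(key in val)) val[key] = value # sshd uses the first value it reads
    }
    END {
        must_be("passwordauthentication", "no")
        must_be("challengeresponseauthentication", "no")
        must_be("permitrootlogin", "no")
        if_set("protocol", "2")
        if_set("pubkeyauthentication", "yes")
    }'
}

# Constructed weak config: note the duplicate PasswordAuthentication line
# (the first one wins) and the Match block that re-enables passwords.
WEAK_CONFIG='# constructed sample, not from the thread
Port 22
Protocol 2,1
PermitRootLogin=yes
PasswordAuthentication no
PasswordAuthentication yes
AllowHosts 192.0.2
Match Address 192.0.2.0/24
    PasswordAuthentication yes'

# Constructed corrected config: produces no findings.
HARDENED_CONFIG='Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers admin@192.0.2.*'

printf '%s\n' "$WEAK_CONFIG" | audit_sshd_config
```

On a live host, `sshd -t` checks the file for syntax errors before a restart, and `audit_sshd_config < /etc/ssh/sshd_config` applies this policy to it.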
Re: New to FreeBSD issues with multicast DNS.
Joe Dunn writes: Joe Hi All, Joe I'm new to FreeBSD, but I am running into an issue I can't seem to solve Joe after a few days. Joe I have a FreeBSD 7.0 amd64 set up. I installed mt-daapd/avahi from ports. Joe For some reason, I can see the share on the fileserver but not on the Joe network. Its like everything just stops when it get to the em0 (interface Joe plugged into the switch). Joe I can browse multicast dns locally as seen below Joe [EMAIL PROTECTED] /usr/ports]# avahi-browse _daap._tcp Joe + em0 IPv4 freebsd _daap._tcp local I didn't use Mac. I've a FreeBSD 7.0-RELEASE (amd64) + Ubuntu Linux 8.04 (development/amd64) network at my place. How about doing host name resolution over mDNS using avahi-resolve-host-name or similar utility in your Mac ? Also, start a tcpdump on em0 at FreeBSD end, to see if it receives any mDNS request ? It also works, when any Windows box running Bonjour service, joins the network. [snip] Joe mbp:~ jdunn$ mDNS -B _daap._tcp Joe Browsing for _daap._tcp Joe Talking to DNS SD Daemon at Mach port 4099 Joe If i have itunes running on either of my macs it shows up during this Joe request. Does you iTunes also show up on FreeBSD end, hmm..? HTH -- Ashish Shukla आशीष शुक्ल http://wahjava.wordpress.com/ ·-- ·- ·--- ·- ···- ·- ·--·-· --· -- ·- ·· ·-·· ·-·-·- -·-· --- -- pgpwG1QEhgrC8.pgp Description: PGP signature
How to get best results from FreeBSD-questions
How to get the best results from FreeBSD questions.
===================================================

Last update $Date: 2005/08/10 02:21:44 $

This is a regular posting to the FreeBSD questions mailing list. If you got it in answer to a message you sent, it means that the sender thinks that at least one of the following things was wrong with your message:

- You left out a subject line, or the subject line was not appropriate.
- You formatted it in such a way that it was difficult to read.
- You asked more than one unrelated question in one message.
- You sent out a message with an incorrect date, time or time zone.
- You sent out the same message more than once.
- You sent an 'unsubscribe' message to FreeBSD-questions.

If you have done any of these things, there is a good chance that you will get more than one copy of this message from different people. Read on, and your next message will be more successful.

This document is also available on the web at http://www.lemis.com/questions.html.

Contents:

I:   Introduction
II:  How to unsubscribe from FreeBSD-questions
III: Should I ask -questions or -hackers?
IV:  How to submit a question to FreeBSD-questions
V:   How to answer a question to FreeBSD-questions

I: Introduction
===============

This is a regular posting aimed to help both those seeking advice from FreeBSD-questions (the newcomers), and also those who answer the questions (the hackers).

Note that the term hacker has nothing to do with breaking into other people's computers. The correct term for the latter activity is cracker, but the popular press hasn't found out yet. The FreeBSD hackers disapprove strongly of cracking security, and have nothing to do with it.

In the past, there has been some friction which stems from the different viewpoints of the two groups. The newcomers accused the hackers of being arrogant, stuck-up, and unhelpful, while the hackers accused the newcomers of being stupid, unable to read plain English, and expecting everything to be handed to them on a silver platter. Of course, there's an element of truth in both these claims, but for the most part these viewpoints come from a sense of frustration.

In this document, I'd like to do something to relieve this frustration and help everybody get better results from FreeBSD-questions. In the following section, I recommend how to submit a question; after that, we'll look at how to answer one.

II: How to unsubscribe from FreeBSD-questions
=============================================

When you subscribed to FreeBSD-questions, you got a welcome message from [EMAIL PROTECTED]. In this message, amongst other things, it told you how to unsubscribe. Here's a typical message:

    Welcome to the freebsd-questions@freebsd.org mailing list!

    If you ever want to unsubscribe or change your options (eg, switch to or from digest mode, change your password, etc.), visit your subscription page at:

    http://lists.freebsd.org/mailman/options/freebsd-questions/[EMAIL PROTECTED]

    (obviously, substitute your mail address for [EMAIL PROTECTED]).

    You can also make such adjustments via email by sending a message to:

    [EMAIL PROTECTED]

    with the word 'help' in the subject or body (don't include the quotes), and you will get back a message with instructions.

    You must know your password to change your options (including changing the password, itself) or to unsubscribe. Normally, Mailman will remind you of your freebsd.org mailing list passwords once every month, although you can disable this if you prefer. This reminder will also include instructions on how to unsubscribe or change your account options. There is also a button on your options page that will email your current password to you.

    Here's the general information for the list you've subscribed to, in case you don't already have it:

    FREEBSD-QUESTIONS User questions

    This is the mailing list for questions about FreeBSD. You should not send how to questions to the technical lists unless you consider the question to be pretty technical.

Normally, unsubscribing is even simpler than the message suggests: you don't need to specify your mail ID unless it is different from the one which you specified when you subscribed.

If Majordomo replies and tells you (incorrectly) that you're not on the list, this may mean one of two things:

1. You have changed your mail ID since you subscribed. That's where keeping the original message from majordomo comes in handy. For example, the sample message above shows my mail ID as [EMAIL PROTECTED]. Since then, I have changed it to [EMAIL PROTECTED]. If I were to try to remove [EMAIL PROTECTED] from the list, it would fail: I would have to specify the name with which I joined.

2. You're subscribed to a mailing list which is subscribed to
The Complete FreeBSD: errata and addenda
The trouble with books is that you can't update them the way you can a web page or any other online documentation. The result is that most leading edge computer books are out of date almost before they are printed. Unfortunately, The Complete FreeBSD, published by O'Reilly, is no exception. Inevitably, a number of bugs and changes have surfaced.

The Complete FreeBSD has been through a total of five editions, including its predecessor Installing and Running FreeBSD. Two of these have been reprinted with corrections. I maintain a series of errata pages. Start at http://www.lemis.com/errata-4.html to find out how to get the errata information.

Note also that the book has now been released for free download in PDF form. Instead of downloading the changed pages, you may prefer to download the entire book. See http://www.lemis.com/grog/Documentation/CFBSD/ for more information.

Have you found a problem with the book, or maybe something confusing? Please let me know: I'm no longer constantly updating it, but I may be able to help

Greg
Re: [SSHd] Limiting access from authorized IP's
On Fri, Apr 18, 2008 at 04:59:07PM +0100, Matthew Seaman wrote:
> Paul Schmehl wrote:
>
> > I have maintained publicly available servers for a small hobby domain for almost ten years now. Initially, I bought in to this logic and ran a firewall. (At that time we only had one server.) What it cost me was CPU and memory. What it gained me was nothing. I turned it off. I have never run a firewall on a publicly available host since.
> >
> > Firewalls are for preventing access to running services. By definition, if you are running a service, you want it to be accessed. So firewalls are self-defeating or completely useless at the host level **unless** you don't know what you're doing.
> >
> > For an enterprise they make a great deal of sense. No matter what a user inside your network might do, you can prevent access by simply not allowing traffic on that port.
>
> On the whole I agree with you -- you should be able to view a firewall as a luxury rather than a necessity on a well configured server. However there is one rather nasty loophole that you can block with a firewall which otherwise is pretty impossible to deal with, at least on FreeBSD machines.
>
> It's all to do with the weak routing model -- that is, a network packet to an IP on one of a host's interfaces will be accepted on *any* interface on that host[*]. So even though you protect services that are not meant to be for public consumption by binding them to the loopback address, some one can still send you a spoofed packet to 127.0.0.1 that arrives on your external network i/f /and it will let you connect to the service bound to the loopback/
>
> The attacker has to have access to the same layer 2 network as your host, but sending the spoofed packet is as simple as tweaking the routing table. See eg:
>
> http://seclists.org/bugtraq/2001/Mar/0042.html
>
> Blocking this sort of attack against the loopback address can be done with the following 3 line PF firewall config. Extending this to back-end networks etc. is left as an exercise for the student:
>
>     scrub in all
>     pass all
>     antispoof log quick for lo0
>
> Cheers,
>
> Matthew
>
> [*] Which is not without its legitimate uses, as anyone who has ever configured a load balancer using DSR mode will attest.

I don't think that it's enough to say that this is the only case where a firewall is useful. Modern firewalls can do simple DOS protection, and on a multi-user system, they can prevent services from being started by your users. Egress firewalls on servers can stop unprivileged user compromises from wreaking havoc on external hosts. I'm sure there are other circumstances where a firewall is useful.

Now I believe that there are other ways to address the above requirements, but they may require tradeoffs. mac_portacl allows restricting binding of ports (though I've never actually heard of anyone using it--this alone may be a reason to go with a more tried-and-true solution.) This, however, requires compiling a custom kernel, which may be undesirable for other reasons.

Erik
Re: [SSHd] Limiting access from authorized IP's
Hi,

Gilles wrote:
> I don't have a firewall on that host because there's already a NAT router connecting the LAN to the Net.

I don't know your setup, but I'm pretty sure you can run the packet filter on your host anyway. You don't need to configure NAT to run your host firewall.

> I'll just add the following to /etc/ssh/sshd_config, and restart the service:
>
>     AllowHosts 192.168.0 82.x.x.x

OK!

> BTW, is the SSHd that comes with the system good enough, or should I upgrade to what's in /usr/ports/security/ssh2?

For me base system ssh works like a charm. IMO, you only want to upgrade if you need a specific feature that is not available on system SSH.

Pedro
Re: [SSHd] Limiting access from authorized IP's
Paul Schmehl wrote:

> I see this statement all the time, and I wonder why. What does a firewall on an individual host accomplish?
>
> I have maintained publicly available servers for a small hobby domain for almost ten years now. Initially, I bought in to this logic and ran a firewall. (At that time we only had one server.) What it cost me was CPU and memory. What it gained me was nothing. I turned it off. I have never run a firewall on a publicly available host since.
>
> Firewalls are for preventing access to running services. By definition, if you are running a service, you want it to be accessed. So firewalls are self-defeating or completely useless at the host level **unless** you don't know what you're doing.
>
> For an enterprise they make a great deal of sense. No matter what a user inside your network might do, you can prevent access by simply not allowing traffic on that port.

Yes, in a world where nothing ever breaks, all system administrators never make dumb mistakes, and no one ever breaks into your box to install services that you certainly wouldn't approve of, the defense-in-depth techniques being discussed here are pretty much a waste of time. Alas, alack, my machines prove every couple of years that they don't live in such a world. Must be me. ;-)

> If *everyone* knew how to properly configure and maintain a host, even enterprise firewalls would be completely unnecessary.

And if you've got users on your network Oh, my, users do the darnedest things. As one little example: My firewall blocks outbound traffic to port 25 from all those pesky workstations to anywhere other than the local SMTP servers. Why? Makes me worry just a bit less about some Windows box pumping spam out to the world due to an unfortunate choice made by a user. I doubt there's an enterprise in the world where every user both knows enough about host security *and* is disciplined enough to apply that knowledge every minute of every day.

But then, I'm the guy who takes the time to put on his seatbelt each and every time he starts the car, despite never, not once, having to actually use it in 3 decades of driving.

> Firewalls are too often crutches for people that don't want to learn how to properly maintain a host.

Now that, on the other hand, I can completely agree with.

--Jon Radel
Re: gmirror disk fail questions...
Gary Newcombe wrote:
[...]
> # gmirror status
>
> [mesh:/var/log]# gmirror status
>       Name    Status  Components
> mirror/gm0  DEGRADED  ad4
>
> looking in /dev/ however, we have
>
> crw-r-----  1 root  operator    0,  83 17 Apr 13:58 ad4
> crw-r-----  1 root  operator    0,  91 17 Apr 13:58 ad4s1
> crw-r-----  1 root  operator    0,  84 17 Apr 13:58 ad6
> crw-r-----  1 root  operator    0,  92 17 Apr 13:58 ad6a
> crw-r-----  1 root  operator    0,  99 17 Apr 13:58 ad6as1
> crw-r-----  1 root  operator    0,  93 17 Apr 13:58 ad6b
> crw-r-----  1 root  operator    0,  94 17 Apr 13:58 ad6c
> crw-r-----  1 root  operator    0, 100 17 Apr 13:58 ad6cs1
> crw-r-----  1 root  operator    0,  95 17 Apr 13:58 ad6d
> crw-r-----  1 root  operator    0,  96 17 Apr 13:58 ad6e
> crw-r-----  1 root  operator    0,  97 17 Apr 13:58 ad6f
> crw-r-----  1 root  operator    0,  98 17 Apr 13:58 ad6s1
> crw-r-----  1 root  operator    0, 101 17 Apr 13:58 ad6s1a
> crw-r-----  1 root  operator    0, 102 17 Apr 13:58 ad6s1b
> crw-r-----  1 root  operator    0, 103 17 Apr 13:58 ad6s1c
> crw-r-----  1 root  operator    0, 104 17 Apr 13:58 ad6s1d
> crw-r-----  1 root  operator    0, 105 17 Apr 13:58 ad6s1e
> crw-r-----  1 root  operator    0, 106 17 Apr 13:58 ad6s1f
>
> I am guessing that a failing disk is responsible for the data corruption, but I have no errors in /var/log/messages or console.log. On every boot, the mirror is marked clean and there's no warnings about a disk failing anywhere? Where should I be looking for or what should I be doing to get any warnings?
>
> Also, how-come if ad4 is the working disk, ad4's slices seem to be labelled as ad6. What's going on here? To me, ad6 appears to have correct labelling for the mirror from ad6s1a-f

I believe the kernel hides individual labels for a gmirror volume. The labels on ad4 should be visible in /dev/mirror/. Because gmirror really just mirrors the data block by block (with a little bit of meta data at the very end of the drive), once the drive is no longer a member of an array, the kernel treats it as an individual drive and allows visibility of all the labels.

> How can I test for sure whether the disk is damaged or dying, or whether this is just a temporary glitch in the mirror? This is the first time I've had a gmirror raid give me problems.

The first time a drive gets kicked out, I typically try to re-insert it. We have monitoring, so we receive notifications if it fails again. After that, I get the vendor to replace it.

> Assuming ad6 has been deactivated/disconnected, I was thinking of trying:
>
> gmirror activate gm0 ad6
> gmirror rebuild gm0 ad6
>
> Is this safe?

You have to kick ad6 out and re-insert it:

    # gmirror forget gm0
    # gmirror insert gm0 /dev/ad6

After doing that, I would watch closely for a while in case your drive is actually failing. I've written a small nagios check for gmirror; let me know if you'd like me to send it (it could easily be adapted to a cron job). You can also get `gmirror status' output in your dailies by adding daily_status_gmirror_enable=YES to /etc/periodic.conf.

But, given it's timing out on boot, I would personally bag the drive and replace it. You'll still need to run the same 2 commands above.

-- 
Chris Cowart
Network Technical Lead
Network Infrastructure Services, RSSP-IT
UC Berkeley
Trouble Upgrading gvfs
System: 6.3-STABLE as of 1300 UTC today.

I've been having trouble with the gvfs port. First it started with libcdio:

    test -z /usr/local/libdata/pkgconfig || /usr/ports/sysutils/libcdio/work/libcdio-0.78.2/install-sh -d /usr/local/libdata/pkgconfig
    install -o root -g wheel -m 444 'libcdio.pc' '/usr/local/libdata/pkgconfig/libcdio.pc'
    install -o root -g wheel -m 444 'libiso9660.pc' '/usr/local/libdata/pkgconfig/libiso9660.pc'
    gmake[2]: Leaving directory `/usr/ports/sysutils/libcdio/work/libcdio-0.78.2'
    gmake[1]: Leaving directory `/usr/ports/sysutils/libcdio/work/libcdio-0.78.2'
    install-info --quiet /usr/local/info/libcdio.info /usr/local/info/dir
    ===> Running ldconfig
    /sbin/ldconfig -m /usr/local/lib
    ===> Registering installation for libcdio-0.78.2_1

This was failing, claiming that libcdio was already installed. I 'fixed' this by setting FORCE_PACKAGE_REGISTER. However, when it then goes on to do the gvfs upgrade, I get an installation of what appears to still be a broken port:

    ===> Returning to build of gvfs-0.2.3_3
    Error: shared library cdio_paranoia.0 does not exist
    *** Error code 1

    Stop in /usr/ports/devel/gvfs.
    *** Error code 1

The installation is forced at this point, but I suspect the port is broken.

Ideas?

-- 
Tim Daneliuk [EMAIL PROTECTED]
PGP Key: http://www.tundraware.com/PGP/
Re: overnight upgrade interrupted by questions
On Tue, 15 Apr 2008 20:02:19 +0200 Mel [EMAIL PROTECTED] wrote:

> If you wanted to script the first case, you'd do the following in every origin that needs updating:

I have a similar script, that works globally, recursing down from each out-of-date port through any missing origins. If you call it with -a it runs over all installed ports - useful if you want to clear everything and start again.

# cat /root/bin/portsconf
#!/bin/sh

# split command output on newlines only
IFS="
"
: ${PORTSDIR:=/usr/ports}

if [ "${1}x" = "-ax" ] ; then
    pvflags='-oq'
else
    # -l '<' limits the list to out-of-date ports (limit character
    # assumed; it is missing from this copy of the script)
    pvflags='-oql<'
fi

visited_origins=""

recurse_origins(){
    cd "${PORTSDIR}/${1}"
    # need to configure before recursing in case dependencies change
    make config-conditional
    for d in `make build-depends-list run-depends-list | grep -Eo '[^/]+/[^/]+$'` ;do
        installed=`pkg_info -qO ${d}`
        if [ -z "$installed" ] ;then
            # only descend into origins not seen before
            if ! echo "$visited_origins" | grep "$d" >/dev/null ; then
                visited_origins="$visited_origins $d"
                recurse_origins $d
            fi
        fi
    done
}

for orig in `pkg_version ${pvflags} ` ; do
    recurse_origins $orig
done
Re: Trouble Upgrading gvfs
On Fri, Apr 18, 2008 at 1:58 PM, Tim Daneliuk [EMAIL PROTECTED] wrote:

> System: 6.3-STABLE as of 1300 UTC today.
>
> I've been having trouble with the gvfs port. First it started with libcdio:

run 'make config' in libcdio and select PARANOIA then reinstall libcdio

> test -z /usr/local/libdata/pkgconfig || /usr/ports/sysutils/libcdio/work/libcdio-0.78.2/install-sh -d /usr/local/libdata/pkgconfig
> install -o root -g wheel -m 444 'libcdio.pc' '/usr/local/libdata/pkgconfig/libcdio.pc'
> install -o root -g wheel -m 444 'libiso9660.pc' '/usr/local/libdata/pkgconfig/libiso9660.pc'
> gmake[2]: Leaving directory `/usr/ports/sysutils/libcdio/work/libcdio-0.78.2'
> gmake[1]: Leaving directory `/usr/ports/sysutils/libcdio/work/libcdio-0.78.2'
> install-info --quiet /usr/local/info/libcdio.info /usr/local/info/dir
> ===> Running ldconfig
> /sbin/ldconfig -m /usr/local/lib
> ===> Registering installation for libcdio-0.78.2_1
>
> This was failing, claiming that libcdio was already installed. I 'fixed' this by setting FORCE_PACKAGE_REGISTER. However, when it then goes on to do the gvfs upgrade, I get an installation of what appears to still be a broken port:
>
> ===> Returning to build of gvfs-0.2.3_3
> Error: shared library cdio_paranoia.0 does not exist
> *** Error code 1
>
> Stop in /usr/ports/devel/gvfs.
> *** Error code 1
>
> The installation is forced at this point, but I suspect the port is broken.
>
> Ideas?
>
> --
> Tim Daneliuk [EMAIL PROTECTED]
> PGP Key: http://www.tundraware.com/PGP/
Re: Trouble Upgrading gvfs
Michael Johnson wrote:
> On Fri, Apr 18, 2008 at 1:58 PM, Tim Daneliuk [EMAIL PROTECTED] wrote:
>
> > System: 6.3-STABLE as of 1300 UTC today.
> >
> > I've been having trouble with the gvfs port. First it started with libcdio:
>
> run 'make config' in libcdio and select PARANOIA then reinstall libcdio

Yup that did it ... many thanks.

-- 
Tim Daneliuk [EMAIL PROTECTED]
PGP Key: http://www.tundraware.com/PGP/
Re: [SSHd] Limiting access from authorized IP's
On Friday 18 April 2008 16:53:49 Paul Schmehl wrote:

> I see this statement all the time, and I wonder why. What does a firewall on an individual host accomplish?
> ...
> Firewalls are for preventing access to running services. By definition, if you are running a service, you want it to be accessed.

That's your assumption. First of all, firewalls are for preventing unwanted connections, this is not necessarily the same as access to running services. Prime examples: cable modem and windows hosts broadcast spam on an ISP's network, ping floods. User scans [1], vulnerability scans, open relay scanners, spammers fall into running services category.

> So firewalls are self-defeating or completely useless at the host level **unless** you don't know what you're doing.

Or, when you do know what you're doing and don't see the firewall as a single entity but as a node in the security tree, where tools like grok come in as well.

> For an individual host it makes a great deal more sense to only run those services you intend to use ***and keep them up to date and properly configured***.

It is an illusion to think that the patch always comes before the exposure. Secondly, pending the amount of services you offer, this can be a full task and especially for the hobby category, it is more time-efficient to shut off any unauthorized traffic to begin with. Say, some webapp allows uploading a file and executing it. It is then quite easy to add a daemon to your server, that you have not configured. With a firewall in default block mode, this daemon does not receive connections. Even when the patch is released before exposure, you could be, say sleeping and it can be too late. For some this is paranoia, for others common sense.

> Firewalls are too often crutches for people that don't want to learn how to properly maintain a host.

Or save time, till it can be properly done. You're also assuming that you have full control over installed software. The hobby case you mention or a hosting environment this isn't always reality.

    # sockstat | grep cupsd
    root     cupsd      6208  3  stream /var/run/cups.sock
    root     cupsd      6208  4  udp4   *:631                 *:*

Sure,

    block in proto udp from any to any port 631

Works for nfs and rpc as well :)

[4]
    # grep sshd /etc/defaults/rc.conf
    sshd_enable="NO"		# Enable sshd

No? Surely you're not using inetd? sshd has tcp wrapper support built in, so you can set everything from /etc/ssh/sshd_config, including the port and using tcp wrappers. So in the event, inetd is vulnerable, sshd won't be.

[1]
    # cat /etc/pf/grok-ssh.conf
    file /var/log/auth.log {
        type ssh-illegal-user {
            match = Invalid user %USERNAME% from %IP%;
            threshold = 5;   # 5 hits ...
            key = %IP%;      # from a single ip ...
            interval = 60;   # in 1 minutes
            reaction = /sbin/pfctl -t scans -Tadd %IP%;
        };
        type ssh-scan-possible {
            match = Did not receive identification string from %IP%;
            threshold = 3;
            interval = 60;
            reaction = /sbin/pfctl -t scans -Tadd %IP%;
        };
    };

-- 
Mel

Problem with today's modular software: they start with the modules and never get to the software part.
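The threshold logic of the two rules in the grok-ssh.conf quoted in the message above, run over sample auth.log lines. This is an added example, not part of Mel's post and not grok's own code; the log lines, the host name `gw`, the function names, and the firing rule (a rule fires once the hit count for one address inside the interval reaches the threshold) are assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# The two "type" blocks of the quoted grok-ssh.conf as
# (name, message pattern, threshold, interval in seconds).
# Patterns are anchored at the end of the message and ".*" is greedy, so the
# address captured is the final token sshd wrote, not text inside a user name.
RULES = [
    ("ssh-illegal-user",
     re.compile(r"Invalid user .* from (?P<ip>\S+)(?: port \d+)?$"), 5, 60),
    ("ssh-scan-possible",
     re.compile(r"Did not receive identification string from (?P<ip>\S+)"
                r"(?: port \d+)?$"), 3, 60),
]

# Classic syslog prefix: "Apr 18 20:30:01 host sshd[pid]: message"
LINE = re.compile(
    r"^(?P<stamp>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")

# Constructed sample input (documentation address ranges, made-up host "gw").
SAMPLE_LOG = """\
Apr 18 20:30:01 gw sshd[4101]: Invalid user admin from 203.0.113.7
Apr 18 20:30:09 gw sshd[4102]: Invalid user test from 203.0.113.7
Apr 18 20:30:15 gw sshd[4103]: Invalid user oracle from 203.0.113.7
Apr 18 20:30:20 gw sshd[4104]: Did not receive identification string from 192.0.2.44
Apr 18 20:30:22 gw sshd[4105]: Invalid user x from 198.51.100.9 from 203.0.113.7
Apr 18 20:30:30 gw sshd[4106]: Did not receive identification string from 192.0.2.44
Apr 18 20:30:31 gw sshd[4107]: Invalid user guest from 203.0.113.7
Apr 18 20:30:38 gw sshd[4108]: Did not receive identification string from 192.0.2.44
Apr 18 20:31:00 gw sshd[4109]: Invalid user bob from 198.51.100.9
Apr 18 20:33:00 gw sshd[4110]: Invalid user bob from 198.51.100.9
Apr 18 20:35:00 gw sshd[4111]: Invalid user bob from 198.51.100.9
Apr 18 20:37:00 gw sshd[4112]: Invalid user bob from 198.51.100.9
Apr 18 20:39:00 gw sshd[4113]: Invalid user bob from 198.51.100.9
Apr 18 20:39:30 gw sshd[4114]: Accepted publickey for mel from 192.168.0.5 port 50022 ssh2
"""


def detect(lines, year=2008):
    """Return [(rule_name, ip)] in firing order; each pair fires once."""
    hits = defaultdict(deque)   # (rule, ip) -> timestamps still in the window
    fired, out = set(), []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        # syslog stamps carry no year, so one is supplied by the caller
        ts = datetime.strptime(f"{year} {m['stamp']}", "%Y %b %d %H:%M:%S")
        for name, pattern, threshold, interval in RULES:
            hit = pattern.match(m["msg"])
            if not hit:
                continue
            try:
                # only a well-formed address may reach the firewall command
                ip = str(ipaddress.ip_address(hit["ip"]))
            except ValueError:
                continue
            key = (name, ip)
            window = hits[key]
            window.append(ts)
            # drop hits that fell out of the sliding interval
            while (ts - window[0]).total_seconds() > interval:
                window.popleft()
            if len(window) >= threshold and key not in fired:
                fired.add(key)
                out.append(key)
    return out


def reaction_argv(ip):
    """The config's reaction as an argument vector (built here, not executed)."""
    return ["/sbin/pfctl", "-t", "scans", "-Tadd", ip]


if __name__ == "__main__":
    for rule, ip in detect(SAMPLE_LOG.splitlines()):
        print(rule, " ".join(reaction_argv(ip)))
```

The slow source (one attempt every two minutes) never reaches the threshold, which is the trade-off of a 60-second interval. The reaction only fills the `scans` table; a pf.conf rule that blocks traffic from that table, not shown in the post, is what actually drops the packets.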
Updating - Free 7
Hi,

After finishing the updating process, the HD (sata) has changed from ad5 to ad8 driver. So, during the boot process, I've received the message:

    Trying to mount root from ufs:/dev/ad5s2a
    Manual root filesystem specification:
    . .. ...
    . .. ...
    mountroot ?

How can I fix it using a secure way ?

Aguiar
Re: New to FreeBSD issues with multicast DNS.
> Joe Dunn writes:
>
> Joe> Hi All,
> Joe> I'm new to FreeBSD, but I am running into an issue I can't seem to solve after a few days.
> Joe> I have a FreeBSD 7.0 amd64 set up. I installed mt-daapd/avahi from ports.
> Joe> For some reason, I can see the share on the fileserver but not on the network. It's like everything just stops when it gets to the em0 (interface plugged into the switch).
> Joe> I can browse multicast dns locally as seen below
> Joe> [EMAIL PROTECTED] /usr/ports]# avahi-browse _daap._tcp
> Joe> + em0 IPv4 freebsd _daap._tcp local
>
> I didn't use Mac. I've a FreeBSD 7.0-RELEASE (amd64) + Ubuntu Linux 8.04 (development/amd64) network at my place. How about doing host name resolution over mDNS using avahi-resolve-host-name or similar utility in your Mac ? Also, start a tcpdump on em0 at FreeBSD end, to see if it receives any mDNS request ?

    [EMAIL PROTECTED] /home/jdunn]# less daap_dump.txt |grep mdns
    14:21:29.796764 IP freebsd.mdns > 224.0.0.251.mdns: 0 [2a] PTR (QM)? _daap._tcp.local. (96)
    14:21:30.798656 IP freebsd.mdns > 224.0.0.251.mdns: 0 [2a] PTR (QM)? _daap._tcp.local. (96)
    14:21:32.800467 IP freebsdt.mdns > 224.0.0.251.mdns: 0 [2a] PTR (QM)? _daap._tcp.local. (96)

From my mac the only multicast traffic my mac sees is from my airport extreme with a USB harddrive attached

    14:41:47.728675 IP 192.168.1.1.afpovertcp > 192.168.1.194.51494: F 123:123(0) ack 123 win 34816 <nop,nop,timestamp 9 402020814>

> It also works, when any Windows box running Bonjour service, joins the network.
>
> [snip]
>
> Joe> mbp:~ jdunn$ mDNS -B _daap._tcp
> Joe> Browsing for _daap._tcp
> Joe> Talking to DNS SD Daemon at Mach port 4099
> Joe> If i have itunes running on either of my macs it shows up during this request.
>
> Does your iTunes also show up on FreeBSD end, hmm..?

Sure does, see below

    [EMAIL PROTECTED] /home/jdunn]# avahi-browse _daap._tcp
    + em0 IPv4 Macbookpro's Music_PW _daap._tcp local
    + em0 IPv4 freebsd _daap._tcp local

> HTH
> --
> Ashish Shukla आशीष शुक्ल http://wahjava.wordpress.com/
> ·-- ·- ·--- ·- ···- ·- ·--·-· --· -- ·- ·· ·-·· ·-·-·- -·-· --- --
Re: [SSHd] Limiting access from authorized IP's
--On Friday, April 18, 2008 13:18:44 -0400 Jon Radel [EMAIL PROTECTED] wrote:

> Paul Schmehl wrote:
>
> > I see this statement all the time, and I wonder why. What does a firewall on an individual host accomplish?
> >
> > I have maintained publicly available servers for a small hobby domain for almost ten years now. Initially, I bought in to this logic and ran a firewall. (At that time we only had one server.) What it cost me was CPU and memory. What it gained me was nothing. I turned it off. I have never run a firewall on a publicly available host since.
> >
> > Firewalls are for preventing access to running services. By definition, if you are running a service, you want it to be accessed. So firewalls are self-defeating or completely useless at the host level **unless** you don't know what you're doing.
> >
> > For an enterprise they make a great deal of sense. No matter what a user inside your network might do, you can prevent access by simply not allowing traffic on that port.
>
> Yes, in a world where nothing ever breaks, all system administrators never make dumb mistakes, and no one ever breaks into your box to install services that you certainly wouldn't approve of, the defense-in-depth techniques being discussed here are pretty much a waste of time. Alas, alack, my machines prove every couple of years that they don't live in such a world. Must be me. ;-)
>
> > If *everyone* knew how to properly configure and maintain a host, even enterprise firewalls would be completely unnecessary.
>
> And if you've got users on your network Oh, my, users do the darnedest things. As one little example: My firewall blocks outbound traffic to port 25 from all those pesky workstations to anywhere other than the local SMTP servers. Why? Makes me worry just a bit less about some Windows box pumping spam out to the world due to an unfortunate choice made by a user. I doubt there's an enterprise in the world where every user both knows enough about host security *and* is disciplined enough to apply that knowledge every minute of every day.

Let me clarify. When I use the term host, I'm referring to what many would call a personal workstation or personal computer. If you have more than one person who has shell access to a computer, then you no longer have a host. You have a server. Sure, you may not think of it that way, but that's what it is.

Servers are a completely different ballgame, and the decisions you make regarding protecting them have everything to do with who has access to what. The servers that I referenced in my post have one person with root access - me - and one user - the owners. No one else has access. So, it's a great deal easier for me to lock down the boxes than it is, for example, here at work, where *many* people have shell access and more than one have root access through sudo or even su.

> But then, I'm the guy who takes the time to put on his seatbelt each and every time he starts the car, despite never, not once, having to actually use it in 3 decades of driving.

Well, that was the point I was trying to make. A firewall might be analogous to a big rubber bumper that surrounds your car. *If* you get it, it provides some protection, but you *still* have to be able to use the doors, open the hood and the trunk, carry passengers, etc. So, why do you wear your seatbelt? Because it provides protection *even when* the bumpers fail.

We think about security from the outside in when we should be thinking about security from the inside out. The firewall should be the *last* thing you think about *after* you've already taken all the precautions you can to make the firewall completely unnecessary.

In today's world, all too often, people think they can not patch, not run antivirus, not do this, not do that, and everything will be fine because the firewall is protecting them. It's foolish and a false sense of security. What we *should* be doing is making sure the door locks function correctly (going back to the car analogy), the seats are properly anchored, the engine is properly maintained, the hood is properly closed, etc., etc. and *then* check to see if the bumper is in place.

-- 
Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
Re: [SSHd] Limiting access from authorized IP's
--On Friday, April 18, 2008 20:30:53 +0200 Mel [EMAIL PROTECTED] wrote:

> On Friday 18 April 2008 16:53:49 Paul Schmehl wrote:
>
> > Firewalls are for preventing access to running services. By definition, if you are running a service, you want it to be accessed.
>
> That's your assumption. First of all, firewalls are for preventing unwanted connections, this is not necessarily the same as access to running services. Prime examples: cable modem and windows hosts broadcast spam on an ISP's network, ping floods. User scans [1], vulnerability scans, open relay scanners, spammers fall into running services category.

They don't fall into the category of services that you authorized or approved of. Keep in mind, we're talking about *hosts*, individual workstations if you will, not enterprises.

> > For an individual host it makes a great deal more sense to only run those services you intend to use ***and keep them up to date and properly configured***.
>
> It is an illusion to think that the patch always comes before the exposure.

It's a worse illusion to believe the firewall is going to help. If the service is exposed and compromised, the firewall wouldn't be blocking it anyway. Furthermore, if the host is compromised, the firewall is one of the first things that will be disabled.

> Secondly, pending the amount of services you offer, this can be a full task and especially for the hobby category, it is more time-efficient to shut off any unauthorized traffic to begin with. Say, some webapp allows uploading a file and executing it. It is then quite easy to add a daemon to your server, that you have not configured. With a firewall in default block mode, this daemon does not receive connections. Even when the patch is released before exposure, you could be, say sleeping and it can be too late. For some this is paranoia, for others common sense.

Again, the firewall is providing a false sense of security in exactly the scenario you propose. Where do you think hacker's daemons are running these days? **On the ports that you can't close on the firewall**.

> [4]
> # grep sshd /etc/defaults/rc.conf
> sshd_enable="NO"		# Enable sshd
>
> No? Surely you're not using inetd?

I haven't used inetd in years. I'm not sure why you think I would be.

-- 
Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
Re: [SSHd] Limiting access from authorized IP's
--On Friday, April 18, 2008 09:15:41 -0700 Kurt Buff [EMAIL PROTECTED] wrote:

> Not to detour this conversation too much, I hope, but I'm in a different situation, and this is going to be an issue for me.
>
> I'm putting together a box that's going to be a router for our company, using BGP to give access to our T1 and frac DS3. That's all it should be doing, it will have no other services. It'll be in our server room, though, so I won't have to get at it from anywhere, except perhaps home, and even that could be avoided by simply traveling the 10 miles to work.
>
> So, I'm wondering how to lock it down - I'm even contemplating eliminating any MTA and sshd, and just running the routing daemon, but sshd is just so useful that it's hard to do without, and eliminating the MTA denies me the goodness of the periodic reports.

Just have the MTA listen on localhost or on a unix socket. It can still send the reports that way but can't be attacked from outside (excepting the limited case that Matthew referred to.)

> 'Casting syslog to my internal syslog host is also problematic, but possible, I suppose.

Well, you *should* be remote syslogging any critical machines like that, but that doesn't mean the host itself has to listen for incoming syslog messages.

WRT SSH, if it's a real concern, only allow access from your internal network. Then use a publicly accessible machine to tunnel through to it. (But lock it down as well. Attackers can come from the inside of your network just as easily as they can from outside.)

> Then there's the problem of managing and monitoring the thing once it's installed. Being able to use mrtg/cacti/something to query SNMP would be extraordinarily useful, as we will be paying extra for bandwidth above our fractional rate on the DS3, and also to monitor the health of the box.

If you're wanting to do this from foreign networks (not your own), then set up ssl and logins (.htaccess or httpd.conf, local or ldap, pam, whatever you have available) for the web interface.

-- 
Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
Re: Updating - Free 7
> After finish the updating process, the HD (sata) has changed of ad5 to ad8 driver. So, during the boot process, I've received the message:
>
> Trying to mount root from ufs:/dev/ad5s2a
> Manual root filesystem specification: . .. ... . .. ...
> mountroot ?
>
> How can I fix it using a secure way ?

Change options ATA_STATIC_ID in your kernel conf (/sys/i386/conf/XX) and rebuild a new kernel.

    cd /usr/src
    make kernel

--
Dhénin Jean-Jacques
48, rue de la Justice 78300 Poissy
[EMAIL PROTECTED]
Re: RTL8111C driver for FBSD7
Manolis Kiagias wrote:
> Da Rock wrote:
>> On Fri, 2008-04-18 at 10:11 +0300, Manolis Kiagias wrote:
>>> Da Rock wrote:
>>>> Hey, hey... I made a boo boo and ordered a unit with this nic onboard (truthfully, I never thought I'd have any trouble since I had done this before). Loaded 7 and couldn't find the nic. A little investigation found that the nic was the above, and a little further found that there was no support for it in the hcl's. Now I do find it hard to believe there is no way around this- I found a driver for FBSD4.5-6, is there one for 6.2 or higher? Or will this one work? Anyone know how to install it? The driver is only a c and a h file- Makefile is an empty file, and the readme tells me to rebuild the kernel after removing rl and re in the conf. Then I build the driver, and kldload it. Any idea why I'd have to rebuild the kernel? Cheers guys
>>>
>>> I've seen this driver too (I've investigated for a friend who bought a similar motherboard that otherwise works with 7). The readme describes two methods of installation but the first one simply does not apply (there is no modules directory in the download). I have not tried the second method (looks reasonable though). Removing the rl and re from the kernel will remove the built-in support (it could conflict with the new driver) and create a module for the new driver. Note that you are also asked to replace the files in the FreeBSD src directories. In fact it is better to build as a module - building it into the kernel may well leave you with an unbootable kernel if it is not compatible. As I said, I have not done this (my friend will be running Linux on this box) but as more and more recent mobos seem to use this NIC - and I may be buying one- if you are willing to give it a try, I will be interested in the results.
>>
>> Well I just tried it- I put this out there for some feedback mainly- the kernel rebuild is to remove the old rl and re drivers completely, and the build for the driver is for a module. Unfortunately the result is a failure: compatibility issues of some sort (argument warnings, not enough args, invalid variables and functions). My question is will I find something to work for 7? If not, will it work on 6.2 or 6.3 (it only says 6 in the readme's)?
>
> I hope realtek releases a driver for 7. I would not want to go back to 6.X for this. I have a 6.3 server, and can give it a try - as far as compiling the module, not actually using it, I don't have the NIC. I will post the results later today.

I have replaced 8111c. Use Realtek 8169 1000.pci cards on FreeBSD 7/8. I saw reports on this list about 8111c being a bad nic. So I changed and the 8169 is really great.

--
~Al Plant - Honolulu, Hawaii - Phone: 808-284-2740
+ http://hawaiidakine.com + http://freebsdinfo.org + http://aloha50.net
- Supporting - FreeBSD 6.* - 7.* - 8.*
email: [EMAIL PROTECTED]
All that's really worth doing is what we do for others. - Lewis Carrol
Re: [SSHd] Limiting access from authorized IP's
On Friday 18 April 2008 20:53:37 Paul Schmehl wrote:
> --On Friday, April 18, 2008 20:30:53 +0200 Mel [EMAIL PROTECTED] wrote:
>> On Friday 18 April 2008 16:53:49 Paul Schmehl wrote:
>>> Firewalls are for preventing access to running services. By definition, if you are running a service, you want it to be accessed.
>>
>> That's your assumption. First of all, firewalls are for preventing unwanted connections, this is not necessarily the same as access to running services. Prime examples: cable modem and windows hosts broadcast spam on an ISP's network, ping floods. User scans [1], vulnerability scans, open relay scanners, spammers fall into running services category.
>
> They don't fall into the category of services that you authorized or approved of. Keep in mind, we're talking about *hosts*, individual workstations if you will, not enterprises.

Well, I don't particularly like someone using my bandwidth to find out if I changed my mailserver config to such that I would now be an open relay, every 10-20 minutes for weeks on end, so I want it to be over with at the TCP level, not at the daemon level. Individual hosts are exactly the target for these scans. Same with the webserver, there are a great number of requests that separate a scan from a legitimate user.

>>> For an individual host it makes a great deal more sense to only run those services you intend to use ***and keep them up to date and properly configured***.
>>
>> It is an illusion to think that the patch always comes before the exposure.
>
> It's a worse illusion to believe the firewall is going to help. If the service is exposed and compromised, the firewall wouldn't be blocking it anyway.

In a targeted scenario, this is correct. However, scans precede the attack and one example I gave with grok, you can limit the chances that the attacker gets the information he needs to exploit the bug he's looking for.

> Furthermore, if the host is compromised, the firewall is one of the first things that will be disabled.

That would require root. So there's something else wrong in the chain, or it is one of those unfortunate services that run as root.

>> Secondly, pending the amount of services you offer, this can be a full task and especially for the hobby category, it is more time-efficient to shut off any unauthorized traffic to begin with. Say, some webapp allows uploading a file and executing it. It is then quite easy to add a daemon to your server, that you have not configured. With a firewall in default block mode, this daemon does not receive connections. Even when the patch is released before exposure, you could be, say sleeping and it can be too late. For some this is paranoia, for others common sense.
>
> Again, the firewall is providing a false sense of security in exactly the scenario you propose. Where do you think hacker's daemons are running these days? **On the ports that you can't close on the firewall**.

I'm curious which those are.

>>> [4] # grep sshd /etc/defaults/rc.conf
>>> sshd_enable=NO # Enable sshd
>>
>> No? Surely you're not using inetd?
>
> I haven't used inetd in years. I'm not sure why you think I would be.

Well, since sshd_enable is set to no, I assumed inetd would be where you've started it.

--
Mel

Problem with today's modular software: they start with the modules and never get to the software part.
Re: Support for Stallion Serial Controllers in FreeBSD 7
> From some reading I have been doing including here: http://www.freebsd.org/doc/en_US.ISO8859-1/articles/console-server/setting-up-server.html ...I have been given to understand that FreeBSD supports Stallion multiport serial cards, provided that I enable it in the kernel. However, the link in the document above to stl comes up with nothing, I can find no other references doing a site search and doing: grep -r -i stallion *

We still have an old FreeBSD 4.11-RELEASE-p26 machine lying around only because it's using those Stallion multiport serial cards. It's working, but it's quite annoying to keep such an old FreeBSD version online. We had to isolate this machine into its own network DMZ since version 4.11 isn't covered by the FreeBSD Security team.

To get around this problem, we recently built another console server with a Digi Digiboard PCI PC/Xem card on FreeBSD 6.2-RELEASE-p12. It's working great, so we're going to ditch the old Stallion cards. Unless of course someone ports the stl(4) driver to FreeBSD 7.x

If you'd like to read the documentation on how I've setup the console server with both the Digi board and the Stallion cards, check http://wiki.zerocatastrophe.com/wiki/UNIX/FreeBSD/ConsoleServer

HTH,
David

--
David Robillard
UNIX systems administrator
Oracle DBA
CISSP, RHCE
Sun Certified Security Administrator
Montreal: +1 514 966 0122
Re: [SSHd] Limiting access from authorized IP's
--On Friday, April 18, 2008 21:37:45 +0200 Mel [EMAIL PROTECTED] wrote:

>>>> [4] # grep sshd /etc/defaults/rc.conf
>>>> sshd_enable=NO # Enable sshd
>>>
>>> No? Surely you're not using inetd?
>>
>> I haven't used inetd in years. I'm not sure why you think I would be.
>
> Well, since sshd_enable is set to no, I assumed inetd would be where you've started it.

Aw, I got it. You apparently didn't notice that I grepped /etc/*defaults*/rc.conf. (I don't set any flags for sshd, so I wouldn't have anything except enable in /etc/rc.conf.)

--
Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
Re: overnight upgrade interrupted by questions
Mel wrote:
> On Tuesday 15 April 2008 22:10:41 Chris Whitehouse wrote:
>> Do something like [sorry not exact syntax as I don't have access to a freebsd machine]:
>>
>> foreach i (`cat portlist`)
>> foreach? cd /usr/ports/$i
>> make config
>
> You should 'make config-conditional' to save yourself some work. make config always shows you the dialogue, while config-conditional checks to see if the variablenames have changed and if not, just moves on using what you already have in /var/db/ports.

That's very useful thank you

Chris

> These are the ports that will bite you:
>
> # find /usr/ports -name 'configure' -path '*/scripts/*' \
>     -exec grep -l '/usr/bin/dialog' {} +
> /usr/ports/emulators/vmware3/scripts/configure
> /usr/ports/japanese/typist/scripts/configure
> /usr/ports/misc/sonytv/scripts/configure
> /usr/ports/print/apsfilter/scripts/configure
> /usr/ports/print/ghostscript-gnu/scripts/configure
> /usr/ports/print/ghostscript-gpl/scripts/configure
Re: RTL8111C driver for FBSD7
On Fri, 2008-04-18 at 09:18 -1000, Al Plant wrote:
> Manolis Kiagias wrote:
>> Da Rock wrote:
>>> On Fri, 2008-04-18 at 10:11 +0300, Manolis Kiagias wrote:
>>>> Da Rock wrote:
>>>>> Hey, hey... I made a boo boo and ordered a unit with this nic onboard (truthfully, I never thought I'd have any trouble since I had done this before). Loaded 7 and couldn't find the nic. A little investigation found that the nic was the above, and a little further found that there was no support for it in the hcl's. Now I do find it hard to believe there is no way around this- I found a driver for FBSD4.5-6, is there one for 6.2 or higher? Or will this one work? Anyone know how to install it? The driver is only a c and a h file- Makefile is an empty file, and the readme tells me to rebuild the kernel after removing rl and re in the conf. Then I build the driver, and kldload it. Any idea why I'd have to rebuild the kernel? Cheers guys
>>>>
>>>> I've seen this driver too (I've investigated for a friend who bought a similar motherboard that otherwise works with 7). The readme describes two methods of installation but the first one simply does not apply (there is no modules directory in the download). I have not tried the second method (looks reasonable though). Removing the rl and re from the kernel will remove the built-in support (it could conflict with the new driver) and create a module for the new driver. Note that you are also asked to replace the files in the FreeBSD src directories. In fact it is better to build as a module - building it into the kernel may well leave you with an unbootable kernel if it is not compatible. As I said, I have not done this (my friend will be running Linux on this box) but as more and more recent mobos seem to use this NIC - and I may be buying one- if you are willing to give it a try, I will be interested in the results.
>>>
>>> Well I just tried it- I put this out there for some feedback mainly- the kernel rebuild is to remove the old rl and re drivers completely, and the build for the driver is for a module. Unfortunately the result is a failure: compatibility issues of some sort (argument warnings, not enough args, invalid variables and functions). My question is will I find something to work for 7? If not, will it work on 6.2 or 6.3 (it only says 6 in the readme's)?
>>
>> I hope realtek releases a driver for 7. I would not want to go back to 6.X for this. I have a 6.3 server, and can give it a try - as far as compiling the module, not actually using it, I don't have the NIC. I will post the results later today.
>
> I have replaced 8111c. Use Realtek 8169 1000.pci cards on FreeBSD 7/8. I saw reports on this list about 8111c being a bad nic. So I changed and the 8169 is really great.

Yeah, me too now. I tried building the ndis driver, the driver for the realtek 8111c- all NG. I think someone is going to have to build this properly at some stage. Apparently the driver is only supposed to work in 6 but I couldn't get it to work. As for the ifconfig up settings, I was using sysinstall...
Re: [SSHd] Limiting access from authorized IP's
On Fri, 18 Apr 2008 10:04:37 +0100, FreeBSD - Wire Consulting [EMAIL PROTECTED] wrote:
(snip)

Seems like I didn't do it right:

/etc/ssh/sshd_config:
[...]
AllowHosts 192.168.0 82.227.x.x

# /etc/rc.d/sshd restart
Stopping sshd.
Starting sshd.
/etc/ssh/sshd_config: line 119: Bad configuration option: AllowHosts
/etc/ssh/sshd_config: terminating, 1 bad configuration options

Thanks.
Re: [SSHd] Limiting access from authorized IP's
--On Saturday, April 19, 2008 00:12:41 +0200 Gilles [EMAIL PROTECTED] wrote:

> On Fri, 18 Apr 2008 10:04:37 +0100, FreeBSD - Wire Consulting [EMAIL PROTECTED] wrote:
> (snip)
>
> Seems like I didn't do it right:
>
> /etc/ssh/sshd_config:
> [...]
> AllowHosts 192.168.0 82.227.x.x
>
> # /etc/rc.d/sshd restart
> Stopping sshd.
> Starting sshd.
> /etc/ssh/sshd_config: line 119: Bad configuration option: AllowHosts
> /etc/ssh/sshd_config: terminating, 1 bad configuration options

I don't see an AllowHosts option in man (5) sshd_config. There's AllowGroups, AllowTcpForwarding, AllowUsers, but no AllowHosts.

If you want to restrict sshd logins by host, you can use AllowUsers like this:

AllowUsers [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] etc., etc.

The list is space-separated on a single line.

--
Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
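A lint for the two problems in this exchange, as an added example that is not part of the original messages: it flags the `AllowHosts` keyword that sshd rejected above, and any `AllowUsers` pattern without an `@host` part (or with a bare `*` host), since such an account is not limited to an address. The account names and the 203.0.113.7 address in the sample are constructed; 192.168.0 and 82.227.x.x come from the thread.

```shell
#!/bin/sh
# Added example: lint an sshd_config (read from stdin) for the keyword
# sshd rejected in this thread and for AllowUsers patterns that do not
# pin the account to a host.
lint_allowusers() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # comments, blank lines
        { kw = tolower($1) }                    # keywords ignore case
        kw == "allowhosts" {
            printf "%d: %s is not an sshd_config keyword\n", NR, $1
            next
        }
        kw == "allowusers" {
            for (i = 2; i <= NF; i++) {
                at = index($i, "@")
                host = (at > 0) ? substr($i, at + 1) : ""
                if (host == "" || host == "*")
                    printf "%d: %s is not restricted to a host\n", NR, $i
            }
        }
    '
}

# Constructed sample configuration (user names are hypothetical).
sample_sshd_config() {
    cat <<'EOF'
# constructed sample
Port 22
AllowHosts 192.168.0 82.227.x.x
AllowUsers admin@192.168.0.* backup
allowusers ops@* deploy@203.0.113.7
EOF
}

sample_sshd_config | lint_allowusers
```

The authoritative syntax check is still `sshd -t`, which parses the real configuration file and reports bad options without restarting the daemon.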
Re: [SSHd] Limiting access from authorized IP's
On Fri, 18 Apr 2008 13:46:48 -0500 Paul Schmehl [EMAIL PROTECTED] wrote:

> Let me clarify. When I use the term host, I'm referring to what many would call a personal workstation or personal computer. If you have more than one person who has shell access to a computer, then you no longer have a host. You have a server. Sure, you may not think of it that way, but that's what it is. Servers are a completely different ballgame, and the decisions you make regarding protecting them have everything to do with who has access to what.
>
> The servers that I referenced in my post have one person with root access - me - and one user - the owners. No one else has access. So, it's a great deal easier for me to lock down the boxes than it is, for example, here at work, where *many* people have shell access and more than one have root access through sudo or even su.

Sorry for bikeshedding here, since it's just a matter of terminology, but...

Hosts used to be multi-user machines for a long time, and actually still are. Most RFCs, including newer ones, refer to hosts and mean nodes on the net. They don't care whether the hosts are workstations used by a single or few user(s), or big multi-user machines with hundreds of shell accounts.

Server is merely the role a program assumes when it waits passively for requests from clients. Servers run on hosts, regardless of the number of users on those hosts (ranging from 0 to very high).

Obviously, the security implications vary considerably if you have to host many user accounts, esp. on hosts used by mission critical server programs. ;)

And of course, the bikeshed has to be painted... red! :)

Regards,
-cpghost.

--
Cordula's Web. http://www.cordula.ws/
is this hardware supported?
Hi!

I would like to buy the following motherboard but I couldn't find its chipsets in the 6.3 supported HW list. So, I thought to ask the list for comments.

http://www.gigabyte.de/Products/Motherboard/Products_Spec.aspx?ClassValue=MotherboardProductID=2613ProductName=GA-73PVM-S2H

It's a GigaByte GA-73PVM-S2H

What I'm worrying about is especially the sata disk controller: GeForce 7100/nForce 630i chipset, and the network interface: RTL 8211B chip

With that HW I would like to build a small FreeBSD 6.3 server with
- 1 cpu Intel CORE2DUO E4600
- 2 GB DDR2-RAM Patriot DDR2 2GB Kit, PC6400
- 2 sata drives (HW RAID 1)

Any comment/hint welcome. Thank you.

Best regards.
--
Robi
FreeBSD 7.0 not reading rc.conf at startup
Hi,

Since I upgraded to 7.0, it seems that my /etc/rc.conf isn't read anymore at startup. At least partly. Things that do not start anymore are:
- oss
- dbus
- hald
- avahi

They are all gnome related. I have in my rc.conf: oss_enable=YES, hald_enable=YES, avahi_daemon_enable=YES and dbus_enable=YES. The gnome FAQ mentions to put gnome_enable=YES in the rc.conf but that doesn't work at all.

Does anyone know how to make FreeBSD start these things automatically?

Thanks in advance.

Marco
--
Error in operator: add beer
Where to have my .so files install?
Hi all.

I'm writing a program which uses .so files as plugins. Now I need to decide where on the filesystem to install the plugins. I don't want to clutter the system locations like /lib and /usr/lib. Can anyone suggest a decent install location? Google doesn't help much with this.

TiA,
Adam J Richardson
Re: Where to have my .so files install?
Adam J Richardson wrote:
> Hi all.
>
> I'm writing a program which uses .so files as plugins. Now I need to decide where on the filesystem to install the plugins. I don't want to clutter the system locations like /lib and /usr/lib. Can anyone suggest a decent install location? Google doesn't help much with this.
>
> TiA,
> Adam J Richardson

/usr/local/lib
Re: Where to have my .so files install?
On Fri, 18 Apr 2008 20:24:09 -0400 Aryeh M. Friedman [EMAIL PROTECTED] wrote:

> Adam J Richardson wrote:
>> Hi all.
>>
>> I'm writing a program which uses .so files as plugins. Now I need to decide where on the filesystem to install the plugins. I don't want to clutter the system locations like /lib and /usr/lib. Can anyone suggest a decent install location? Google doesn't help much with this.
>>
>> TiA,
>> Adam J Richardson
>
> /usr/local/lib

To expand a bit: don't put your own stuff in /lib or /usr/lib, since this is used by FreeBSD's userland itself. On FreeBSD, third party stuff goes into /usr/local/{lib,bin,etc,...}. See hier(7).

As to plugins: if you've got many of them, it's better to group them in a subdirectory of /usr/local/lib:

/usr/local/lib/${YOUR_PROGNAME}/*.so

and dlopen(3) them using this path.

-cpghost

--
Cordula's Web. http://www.cordula.ws/
Re: gmirror disk fail questions...
On Fri, 18 Apr 2008 10:40:04 -0700, Christopher Cowart [EMAIL PROTECTED] wrote:

> Gary Newcombe wrote:
> [...]
>> # gmirror status
>> [mesh:/var/log]# gmirror status
>> Name        Status    Components
>> mirror/gm0  DEGRADED  ad4
>>
>> looking in /dev/ however, we have
>>
>> crw-r- 1 root operator 0, 83 17 Apr 13:58 ad4
>> crw-r- 1 root operator 0, 91 17 Apr 13:58 ad4s1
>> crw-r- 1 root operator 0, 84 17 Apr 13:58 ad6
>> crw-r- 1 root operator 0, 92 17 Apr 13:58 ad6a
>> crw-r- 1 root operator 0, 99 17 Apr 13:58 ad6as1
>> crw-r- 1 root operator 0, 93 17 Apr 13:58 ad6b
>> crw-r- 1 root operator 0, 94 17 Apr 13:58 ad6c
>> crw-r- 1 root operator 0, 100 17 Apr 13:58 ad6cs1
>> crw-r- 1 root operator 0, 95 17 Apr 13:58 ad6d
>> crw-r- 1 root operator 0, 96 17 Apr 13:58 ad6e
>> crw-r- 1 root operator 0, 97 17 Apr 13:58 ad6f
>> crw-r- 1 root operator 0, 98 17 Apr 13:58 ad6s1
>> crw-r- 1 root operator 0, 101 17 Apr 13:58 ad6s1a
>> crw-r- 1 root operator 0, 102 17 Apr 13:58 ad6s1b
>> crw-r- 1 root operator 0, 103 17 Apr 13:58 ad6s1c
>> crw-r- 1 root operator 0, 104 17 Apr 13:58 ad6s1d
>> crw-r- 1 root operator 0, 105 17 Apr 13:58 ad6s1e
>> crw-r- 1 root operator 0, 106 17 Apr 13:58 ad6s1f
>>
>> I am guessing that a failing disk is responsible for the data corruption, but I have no errors in /var/log/messages or console.log. On every boot, the mirror is marked clean and there's no warnings about a disk failing anywhere? Where should I be looking for or what should I be doing to get any warnings?
>>
>> Also, how-come if ad4 is the working disk, ad4's slices seem to be labelled as ad6. What's going on here? To me, ad6 appears to have correct labelling for the mirror from ad6s1a-f
>
> I believe the kernel hides individual labels for a gmirror volume. The labels on ad4 should be visible in /dev/mirror/. Because gmirror really just mirrors the data block by block (with a little bit of meta data at the very end of the drive), once the drive is no longer a member of an array, the kernel treats it as an individual drive and allows visibility of all the labels.

OK, so not to worry about the slices.

>> How can I test for sure whether the disk is damaged or dying, or whether this is just a temporary glitch in the mirror? This is the first time I've had a gmirror raid give me problems.
>
> The first time a drive gets kicked out, I typically try to re-insert it. We have monitoring, so we receive notifications if it fails again. After that, I get the vendor to replace it.
>
>> Assuming ad6 has been deactivated/disconnected, I was thinking of trying:
>>
>> gmirror activate gm0 ad6
>> gmirror rebuild gm0 ad6
>>
>> Is this safe?
>
> You have to kick ad6 out and re-insert it:
>
> # gmirror forget
> # gmirror insert gm0 /dev/ad6
>
> After doing that, I would watch closely for a while in case your drive is actually failing. I've written a small nagios check for gmirror; let me know if you'd like me to send it (it could easily be adapted to a cron job). You can also get `gmirror status' output in your dailies by adding daily_status_gmirror_enable=YES to /etc/periodic.conf.

I've since added the gmirror entry to periodic.conf, but your script sounds ideal. I would like that, thanks. I would much rather get some warning about this happening as it does appear to have caused some data corruption.

> But, given it's timing out on boot, I would personally bag the drive and replace it. You'll still need to run the same 2 commands above.

[mesh:/dev/mirror]# gmirror forget
Missing device(s).
[mesh:/dev/mirror]# gmirror status
Name        Status    Components
mirror/gm0  DEGRADED  ad4
[mesh:/dev/mirror]# gmirror insert gm0 /dev/ad6
Not all disks connected.

Looks like it is new disk time then after all. Thanks for your advice.

Gary

> --
> Chris Cowart
> Network Technical Lead
> Network Infrastructure Services, RSSP-IT
> UC Berkeley
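The kind of monitoring mentioned in this exchange, as an added example (it is not Chris's script, which does not appear on this page): a Nagios-style check that parses `gmirror status` output and exits non-zero when any mirror is not COMPLETE. The degraded sample repeats the status lines quoted above; the healthy sample is constructed.

```shell
#!/bin/sh
# Added example: Nagios-style check over `gmirror status` output (stdin).
# Exit codes follow the plugin convention: 0 OK, 2 CRITICAL, 3 UNKNOWN.
check_gmirror() {
    awk '
        $1 == "Name" { next }                     # header line
        $1 ~ /^mirror\// {                        # one line per mirror
            total++
            if ($2 != "COMPLETE") bad = bad " " $1 "=" $2
        }
        END {
            if (total == 0) { print "UNKNOWN: no mirrors found"; exit 3 }
            if (bad != "")  { print "CRITICAL:" bad; exit 2 }
            print "OK: " total " mirror(s) complete"
        }
    '
}

# Status lines as quoted in the thread.
sample_degraded() {
    cat <<'EOF'
      Name    Status  Components
mirror/gm0  DEGRADED  ad4
EOF
}

# Constructed healthy output: further components follow on their own lines.
sample_complete() {
    cat <<'EOF'
      Name    Status  Components
mirror/gm0  COMPLETE  ad4
                      ad6
EOF
}

sample_degraded | check_gmirror || echo "exit status $?"
sample_complete | check_gmirror
```

For use from cron instead of Nagios, pipe the real `gmirror status` into the function and mail the output whenever the exit status is not 0.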
Re: [SSHd] Limiting access from authorized IP's
At 18:17 18/04/2008 -0500, Paul Schmehl wrote:

> If you want to restrict sshd logins by host, you can use AllowUsers like this:
>
> AllowUsers [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]

It looks like AllowHosts is not available with the version of SSH that comes with FreeBSD. This works:

AllowUsers [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]

Thanks.
Re: UFS2 Journaling implementation detail
--- Ivan Voras [EMAIL PROTECTED] wrote:

>> Does it log anywhere if the journal size is too small for the system load?
>
> Yes, you'll get a system panic in this case. Yes, it's a bad solution, complain to Pawel :)

So the gjournal can corrupt the file system as well as can fix it :)

I think this is a serious concern for desktop users rather than servers. Those who do multi-channel audio encoding, HD/35mm-full-frame video encoding, batch conversion of photos, etc. may hit the default 1GB journal size and end up in system panic.

I think because of this gjournal implementation issue, gjournal requires a huge journal.

Just for a thought, in my opinion, gjournal should not use the entire journal for logging. Maybe split it in two. I.e., from size S given, use two journals. When one journal is full, point the new changes to go to the second journal, and flush the first journal and so on. If the gjournal has to flush too often, then log it in the system log that journal is too small.

Ivan, thanks again for detail.

Kind regards
Unga
Upgrade 5.4 to 7 ????
Hi List,

Is it possible to upgrade to a stable v7 from 5.4 ?? If so how would i go about it ???

Any help or advise is appreciated.

Kind Regards
Dave C
Re: Upgrade 5.4 to 7 ????
On Sat, 19 Apr 2008 06:13:26 +0100, Dave Carrera [EMAIL PROTECTED] wrote:

> Hi List,
>
> Is it possible to upgrade to a stable v7 from 5.4 ?? If so how would i go about it ???

Yes, it's possible. You can go the build everything from source way, or you can backup, install 7.X then restore.

Before you pick an upgrade method, you should at least consider the following:

* _Why_ do you want to upgrade from an older release like 5.4?
* How many systems are you going to upgrade?
* You should probably take a full backup of 5.4 anyway (in case upgrading takes a couple of attempts with either method)
* How experienced are you with upgrading from the source?