Re: Best practices for securing SSH server
On Mon, 06/22/09 [21:16:35], Daniel Underwood wrote:

> On a BSD box at work (at an extremely fast connection and static IP), I run an SSH server. I am the only person who uses the server, but I use it from some locations that are behind a dynamic IP (so I can't set pf rules to filter by IP). I will always, however, use the same laptop to connect to the server.
>
> Due to the speed and location of the connection, it's a relatively high-risk target. What are some good practices for securing this SSH server? Is using a stored key safer than a password in this instance? I have no experience with port-knocking, but I'd appreciate some tips or suggested beginning references... I welcome any and all advice.
>
> Note: I do require X11 forwarding (not sure whether that's relevant information)
>
> TIA,
> Daniel

To block bruteforce probes on ssh I use pf with its great function 'max-src-conn-rate'. man pf.conf provides some useful hints.

-- 
Best regards,
Jeff

| Nobody wants to say how this works. |
| Maybe nobody knows ...              |
| Xorg.conf(5)                        |

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
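The pf rule Jeff is describing, as an added example written for this digest rather than copied from his message or from the pf manual. The interface name, the table name and the two thresholds are my assumptions; the keywords themselves are documented in pf.conf(5):

```pf
# Added example: an /etc/pf.conf excerpt that rate-limits new SSH connections
# per source address.  Interface name, table name and thresholds are assumptions.
ext_if = "em0"

# Sources that trip the limit are collected here.  'persist' keeps the table
# alive even while no rule references it.
table <bruteforce> persist

# Reject overloaded sources before any other rule is consulted.
block in quick on $ext_if from <bruteforce> to any

# Admit SSH, but track connections per source:
#   max-src-conn 10        -> at most 10 simultaneous connections from one address
#   max-src-conn-rate 5/30 -> at most 5 new connections per 30 seconds from one address
#   overload <bruteforce>  -> an address exceeding either limit is added to the table
#   flush global           -> and every state it already holds is torn down
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/30, overload <bruteforce> flush global)
```

Table entries never age out on their own: `pfctl -t bruteforce -T show` lists them, and a daily cron job running `pfctl -t bruteforce -T expire 86400` removes entries older than a day, so a legitimate user who fumbled a few logins is not locked out indefinitely. Because the limits count connections rather than failed logins, a well-behaved client that opens many sessions in a short burst (several scp transfers in a loop, say) can trip the rate limit too, so tune the numbers to your own usage.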
Re: Disk Quota Full Error
> OFL amd64 - -(kar...@spark.ofloo.net)-(22:06:40) -(~)- mkdir vor2
> mkdir: vor2: Disc quota exceeded
>
> Any help appreciated. Is this a problem on my end, or server side?

you've got the exact message. why don't you read them?
Re: Best practices for securing SSH server
> connection, it's a relatively high-risk target. What are some good practices for securing this SSH server. Is using a stored key safer than a password in this instance? I have no

If your password is not trivial, then it is secure. Using RSA/DSA keys is as good, if you are sure nobody will get it from your laptop. I use keyfiles on every place I have to use ssh regularly.
Re: Best practices for securing SSH server
> If for some reason you would prefer to use password authentication, I would recommend that you look into automatic brute force detection. There are a number of utilities in ports available for this purpose, including security/sshguard and security/denyhosts.

good, but not really important with a properly chosen password. You can't do more than maybe 10 attempts/second this way, while cracking a 10 character password consisting of just small letters and digits needs 36^10=3656158440062976 possible passwords, and over 11 million years to check all possibilities, so say 10 years if someone is really lucky and will get it after checking 1% of possible passwords.

Of course - you must not look at logs in 10 years and not see these 10 attempts per second.

I give this example against the common paranoia that exists on that group - a mix of real security paranoid persons and pseudo-experts that like to repeat intelligent phrases to show off.

Actually - there is no need for extra protection for ssh, but for humans. 99% of crack attempts are done by kevin mitnick methods, not password cracking.
The worldwide search for CircusPrincess 2009 is on!
The worldwide search for CircusPrincess 2009 is on!

The CircusPrincess, a fairytale come true, is no ordinary circus. It's the ultimate celebration of female grace, beauty and talent. And now, for the first time in history, we're inviting the global Internet audience to join us in the nomination, voting and selection process.

We're searching for the most entertaining, completely original female circus act or performance. You can perform by yourself or with a group, on land or in the air - whether you're an acrobat, comedian, dancer, singer or an entirely new type of performer. Apply now on our website for the chance to be one of 14 finalists. The winner will receive a prize, the title of CircusPrincess 2009, a three-month contract with Circus Scott, a distinctive, irreplaceable Kosta Boda trophy and the prestige of being recognized as the best female circus performer in the world.

Buy your tickets today to reserve your seats for one of five amazing evenings! To browse through the history of past performances, view the contributions or book tickets, simply visit cirkusprinsessan2009.se

Welcome to the greatest show on earth!

/ Robert Bronet
Re: you're not going to believe this.
> you guys aren't going to believe what i just found on the web for the ASUS Eee-901 [or is it the 900]. it was for the 9- and 10-inch screens. i was using konq which just segv'd so i am taking a break and thought i'd share this. last night, i could barely believe the ten-inch with a 40GB SSD. these mini-notebooks take two memory chips. they just plug in. i was googling around and found they have 32's and even 128's. so you can get 64 or up to 256Gigs of solid state disk ... not in a year or two (or five or six), but now.

today we have huge flash disks for really cheap, but still don't have a native flash filesystem in any OS, be it FreeBSD or windoze or mac os x or whatever. These flash chips have to emulate a hard drive, which slows them down manyfold.
Re: Best practices for securing SSH server
Wojciech Puchar wrote:
>> If for some reason you would prefer to use password authentication, I would recommend that you look into automatic brute force detection. There are a number of utilities in ports available for this purpose, including security/sshguard and security/denyhosts.
>
> good, but not really important with properly chosen password. You can't do more than maybe 10 attempts/second this way, while cracking 10 character password consisting of just small letters and digits needs

10 characters is a longer than usual password. Most people have been conditioned into using a 7 or 8 character password, which is at least a 1000 times easier to crack using your measure. (Still a pretty big possible space though).

> 36^10=3656158440062976 possible passwords, and over 11 million years to check all possibilities, so say 10 years if someone is really lucky and will get it after checking 1% of possible passwords.

There is a very big flaw in your analysis here. You're assuming that the passwords people might use are randomly and evenly distributed over the whole possible password space. That is simply untrue. A lot of people -- perhaps the majority -- will use a password consisting of an English word, possibly with StUdLy CaPs or 3lite SP3LL1NG and with some random extra characters!*99 tacked on[*]. That's a whole lot smaller search space -- and it must be possible to brute-force passwords or it wouldn't be worthwhile for the brute-force attackers to keep trying.

Agreed however that if people can be educated to use good passwords then a brute force attack like this really is unfeasible. I like apg(1) for generating passwords where there is no alternative to using strong crypto.

> Of course - you must not look at logs in 10 years and not see this 10 attempts per second.

Sure. My experience is that any machine on the internet with a port 22 listener will attract about 2 to 5 brute force attackers a day -- that is, a sequence of brute force attempts originating from 2 -- 5 independent IPs per day. In fact, given that you have taken reasonable measures like using ssh keys exclusively or enforcing strong passwords then the biggest problems caused by these sorts of attacks are the drain on system resources and the excess verbiage in log files. Getting rid of that is why I like to implement connection-rate based SSH blocking via pf(4) -- not because it gives any extra security.

> I give this example against common paranoia that exist on that group - mix of real security paranoid persons and pseudo-experts that like to repeat intelligent phrases to show up themselves.
>
> Actually - there is no need for extra protection for ssh, but for humans. 99% of crack attempts are done by kevin mitnick methods, not password cracking.

Absolutely true. Mitnick was an early exponent of Social Engineering attacks, which are still the easiest and most effective methods for breaking computer security. Now, if we could just get rid of all the users, our lives as Sys Admins would be a whole lot easier...

Cheers,

Matthew

[*] It's amazing how many people, when you tell them to use a mix of upper and lower case letters, just capitalize the *first* letter of their password.

-- 
Dr Matthew J Seaman MA, D.Phil.
Flat 3, 7 Priory Courtyard, Ramsgate, Kent, CT11 9PW, UK
PGP: http://www.infracaninophile.co.uk/pgpkey
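To make the arithmetic in this exchange reproducible, here is a small added example (written for this digest, not code from Wojciech, Matthew or any FreeBSD port). It takes Wojciech's 36^10 space at 10 guesses per second, adds Matthew's 8-character case and his word-plus-decoration case, and reports the years needed to exhaust each space. The 100,000-word list, the 50 variants per word and the guess rate are constructed assumptions, not figures from the thread.

```python
"""Added example: how long an online guessing attack takes against the password
spaces discussed in the thread.  Word-list size, variants per word and the
guess rate are constructed assumptions."""

SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Wall-clock years to try every candidate at a fixed online guess rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def years_to_expected_hit(space: int, guesses_per_second: float) -> float:
    """Expected time to the hit: on average half the space is searched first."""
    return years_to_exhaust(space, guesses_per_second) / 2


def dictionary_space(words: int, mutations_per_word: int) -> int:
    """Matthew's point: a dictionary word plus a handful of predictable decorations
    (StUdLy CaPs, 3lite spelling, a suffix) is a far smaller space than 36^10."""
    return words * mutations_per_word


def compare(guesses_per_second: float = 10.0) -> dict:
    """Keyspace and years-to-exhaust for each case raised in the thread."""
    random10 = keyspace(36, 10)          # Wojciech: 10 random lowercase letters/digits
    random8 = keyspace(36, 8)            # Matthew: the more usual 7-8 character habit
    # Constructed assumption: a 100k-word list with 50 decorated variants per word.
    decorated_word = dictionary_space(100_000, 50)
    return {
        "random_10_lowercase_digits": (random10, years_to_exhaust(random10, guesses_per_second)),
        "random_8_lowercase_digits": (random8, years_to_exhaust(random8, guesses_per_second)),
        "ratio_10_vs_8": random10 // random8,
        "word_plus_decorations": (decorated_word, years_to_exhaust(decorated_word, guesses_per_second)),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

At 10 guesses per second the random 10-character space takes about 11.6 million years to exhaust, the 8-character space under 10,000 years (1,296 times less), and the decorated-word space under a week; the last figure is why the brute-forcers in Matthew's logs keep trying.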
Re: Best practices for securing SSH server
>> You can't do more than maybe 10 attempts/second this way, while cracking 10 character password consisting of just small letters and digits needs
>
> 10 characters is a longer than usual password. Most people have been conditioned into using a 7 or 8 character password, which is at least a

so that's the answer to how to secure an SSH server. use 10 letter random passwords.

>> 36^10=3656158440062976 possible passwords, and over 11 million years to check all possibilities, so say 10 years if someone is really lucky and will get it after checking 1% of possible passwords.
>
> There is a very big flaw in your analysis here. You're assuming that the passwords people might use are randomly and evenly distributed over

So you already confirmed what I say. It's a human problem - for example not using random passwords. Talking about security within that context is a joke.
Re: Best practices for securing SSH server
2009/6/23 Wojciech Puchar woj...@wojtek.tensor.gdynia.pl:
>> If for some reason you would prefer to use password authentication, I would recommend that you look into automatic brute force detection. There are a number of utilities in ports available for this purpose, including security/sshguard and security/denyhosts.
>
> good, but not really important with properly chosen password. You can't do more than maybe 10 attempts/second this way, while cracking 10 character password consisting of just small letters and digits needs 36^10=3656158440062976 possible passwords, and over 11 million years to check all possibilities, so say 10 years if someone is really lucky and will get it after checking 1% of possible passwords.
>
> Of course - you must not look at logs in 10 years and not see this 10 attempts per second.
>
> I give this example against common paranoia that exist on that group - mix of real security paranoid persons and pseudo-experts that like to repeat intelligent phrases to show up themselves.
>
> Actually - there is no need for extra protection for ssh, but for humans. 99% of crack attempts are done by kevin mitnick methods, not password cracking.

You're right about the probability of password breaking, but personally I installed denyhosts just because I got sick of this:

Aug 22 00:46:21 amnesiac sshd[63107]: error: PAM: authentication error for illegal user adrian from adsl-76-193-128-193.dsl.scrm01.sbcglobal.net
Aug 22 00:46:21 amnesiac sshd[63107]: Failed keyboard-interactive/pam for invalid user adrian from 76.193.128.193 port 2901 ssh2
Aug 22 00:46:23 amnesiac sshd[63110]: error: PAM: authentication error for illegal user agfa from adsl-76-193-128-193.dsl.scrm01.sbcglobal.net
Aug 22 00:46:23 amnesiac sshd[63110]: Failed keyboard-interactive/pam for invalid user agfa from 76.193.128.193 port 3165 ssh2
Aug 22 00:46:26 amnesiac sshd[63113]: error: PAM: authentication error for illegal user agneta from adsl-76-193-128-193.dsl.scrm01.sbcglobal.net
Aug 22 00:46:26 amnesiac sshd[63113]: Failed keyboard-interactive/pam for invalid user agneta from 76.193.128.193 port 3338 ssh2
Aug 22 00:46:29 amnesiac sshd[63116]: error: PAM: authentication error for illegal user ahren from adsl-76-193-128-193.dsl.scrm01.sbcglobal.net
Aug 22 00:46:29 amnesiac sshd[63116]: Failed keyboard-interactive/pam for invalid user ahren from 76.193.128.193 port 3499 ssh2

10,000 lines of this in _every_ security digest I get off my server. No I haven't changed any IP addresses, either.

Now I get:

Added the following hosts to /etc/hosts.evil:
  89.232.63.160
  87.117.236.15

Much easier to read...

Chris

-- 
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in a mailing list?
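What denyhosts and sshguard do with those lines, reduced to its core, as an added example (my code, not Chris's and not from either port): tally sshd's "Failed ... from IP" lines per source address and report the addresses that cross a threshold inside a time window. The sample log reuses the lines quoted above plus one constructed line from a documentation-range address; the threshold and window values are assumptions, and the year is a placeholder because syslog lines carry none.

```python
"""Added example: count failed sshd logins per source address from syslog-style
lines and flag sources that exceed a threshold within a sliding window."""

import re
from collections import defaultdict
from datetime import datetime

# Matches sshd's "Failed <method> for [invalid user] <user> from <ip> port <n>" lines.
# The "error: PAM: ..." lines that precede them in the thread do not match.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample: the lines from the thread plus one from 192.0.2.10 (a
# documentation address, not a real observation).
SAMPLE_LOG = """\
Aug 22 00:46:21 amnesiac sshd[63107]: error: PAM: authentication error for illegal user adrian from adsl-76-193-128-193.dsl.scrm01.sbcglobal.net
Aug 22 00:46:21 amnesiac sshd[63107]: Failed keyboard-interactive/pam for invalid user adrian from 76.193.128.193 port 2901 ssh2
Aug 22 00:46:23 amnesiac sshd[63110]: error: PAM: authentication error for illegal user agfa from adsl-76-193-128-193.dsl.scrm01.sbcglobal.net
Aug 22 00:46:23 amnesiac sshd[63110]: Failed keyboard-interactive/pam for invalid user agfa from 76.193.128.193 port 3165 ssh2
Aug 22 00:46:26 amnesiac sshd[63113]: error: PAM: authentication error for illegal user agneta from adsl-76-193-128-193.dsl.scrm01.sbcglobal.net
Aug 22 00:46:26 amnesiac sshd[63113]: Failed keyboard-interactive/pam for invalid user agneta from 76.193.128.193 port 3338 ssh2
Aug 22 00:46:29 amnesiac sshd[63116]: error: PAM: authentication error for illegal user ahren from adsl-76-193-128-193.dsl.scrm01.sbcglobal.net
Aug 22 00:46:29 amnesiac sshd[63116]: Failed keyboard-interactive/pam for invalid user ahren from 76.193.128.193 port 3499 ssh2
Aug 22 00:47:02 amnesiac sshd[63120]: Failed keyboard-interactive/pam for invalid user root from 192.0.2.10 port 4011 ssh2
"""


def parse_failures(log_text: str, year: int = 2009):
    """Yield (timestamp, user, ip) for every failed-authentication line.
    `year` is a placeholder: syslog timestamps carry no year."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]


def offenders(log_text: str, threshold: int = 3, window_seconds: int = 60) -> dict:
    """Return {ip: total_failures} for sources with at least `threshold`
    failures inside any `window_seconds` span.  Defaults are assumptions."""
    by_ip = defaultdict(list)
    for ts, _user, ip in parse_failures(log_text):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        # Sliding window: from each failure, count the failures that follow
        # within window_seconds; one window over the threshold is enough.
        for i, start in enumerate(stamps):
            j = i
            while j < len(stamps) and (stamps[j] - start).total_seconds() <= window_seconds:
                j += 1
            if j - i >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged


if __name__ == "__main__":
    for ip, count in offenders(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed logins, block candidate")
```

On the sample the four failures from 76.193.128.193 fall within eight seconds and are flagged, while the single attempt from the constructed address is not; feeding real /var/log/auth.log output through `offenders()` is the same operation denyhosts performs before it writes to /etc/hosts.evil.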
Re: freebsd-questions Digest, Vol 264, Issue 3
DA Forsyth wrote:
> On 22 Jun 2009, freebsd-questions-requ...@freebsd.org entreated about freebsd-questions Digest, Vol 264, Issue 3:
>> I am trying to find out the temperature of my CPU. After a whole night from dusk till dawn of searching the Web like a furious spider, I got the following results: it can be done via either ISA or SMB, with one of the ports: lmmon, healthd, consolehm or mbmon, and there are also a few modules that are required in the kernel: smb, smbus, intpm, ichsmb
>
> I used a TUSL2 board for a while for one of my servers and mbmon worked fine with it. I did have to compile mbmon without SMB support though (just look inside the Makefile for the right thing to define to prevent smb support). Then when you do a 'mbmon -d' it will tell you what it finds. I never even tried adding smb support to the kernel until after I upgraded both the motherboard and BSD to 7.1 and was curious to see what it might give me.
>
> cya
> --
> DA Forsyth, Network Supervisor
> Principal Technical Officer -- Institute for Water Research
> http://www.ru.ac.za/institutes/iwr/

Holy cahones de la... *skipping few languages* ...rear of Vyagrimukha and Leviathan!! I'm so happy, de merde!..

So, like... When installing mbmon, it gives you an option to disable SMB support; I never even thought about disabling it because where would it take the data from?!.. I do not have ISA or I2C, so SMB seemed like the only way. But, with this support, it's completely impossible to read the temperatures (and -d says that, like, ICH found but there is hardware monitor on it...), and when you disable this support - it reads everything properly!!

Thank you very much, my new old CPU will now rest happily knowing that I always watch carefully after its temperature...
Re: slowloris, accf_http and POST requests
On Mon, Jun 22, 2009 at 05:35:56PM -0500, Dan Nelson typed:
> In the last episode (Jun 22), Ruben de Groot said:
>> My main concern here is if applying the trivial patch I posted would break anything in the http protocol layer. And if not, why isn't the POST method included in the http accept filter in the first place?
>
> The filter wasn't designed to be an anti-DOS tool; it was an optimization to save some context switches at the beginning of every request. POSTs are

I know this. But in this particular case, it *works* as an anti-DOS tool. And a pretty good one too.

> infrequent, always include extra trailing data after the headers, and end up doing more processing at the server end than plain GET or HEADs, so buffering the first line of the request doesn't really help much.

Well, it helps against this slowloris script. And I don't see it costing much.

> You're better off adding a request-max-time limit to your webserver, or doing random-drops of existing connections if you get close to your fd or thread limit.

I'm exploring these options as well, but they have their own drawbacks. Anyway, since it doesn't look like I'm breaking anything by buffering the POST headers, I'm gonna maintain this as a local patch until something better comes along.

Thanks for your input,
Ruben
Re: Best practices for securing SSH server
>> 99% of crack attempts are done by kevin mitnick methods, not password cracking.
>
> You're right about the probability of password breaking, but personally I installed denyhosts just because I got sick of this:

indeed, it's very useful but it's not a requirement at all to be secure :)

The only requirements for security are:

1) use proper passwords, or keyfiles but with keyfiles stored on a properly protected machine (geli, proper password for geli too)

2) it's not really wrong to use the same (but well done - random) passwords in many places YOU administer, but never use the same password on any foreign places.

3) Store that password ONLY in brain.

As herds of morons don't really understand what passwords are for, all points are usually not respected, point 3 being the most common :)

You want to crack into a company server - just look at monitors and notes glued to it. If you can't - ask a charwoman working there ;)
Re: Best practices for securing SSH server
>> 99% of crack attempts are done by kevin mitnick methods, not password cracking.
>
> Absolutely true. Mitnick was an early exponent of Social Engineering attacks, which are still the easiest and most effective methods for

Mitnick just chose the best possible friend - human stupidity. It never fails.

> breaking computer security. Now, if we could just get rid of all the users, our lives as Sys Admins would be a whole lot easier...

Just make sure that one user can't make a mess for others, and log every login. Then it's no more your problem, as users can only hurt themselves. Don't care about their security if they don't care by themselves.

> Cheers,
>
> Matthew
>
> [*] It's amazing how many people, when you tell them to use a mix of upper and lower case letters, just capitalize the *first* letter of their password.

because most people don't understand what passwords are for. They just treat them as a part of required ceremony.
Re: cannot find -lltdl
2009/6/23 kalin m ka...@el.net:
> hi all..
>
> this is a bit awkward
>
> i'm building php 5.2.10 from source on freebsd 7.0. using:
>
> ./configure --with-layout=GNU --with-config-file-scan-dir=/usr/local/etc/php --disable-all --enable-libxml --with-libxml-dir=/usr/local --enable-reflection --program-prefix= --disable-cgi --with-apxs2=/etc/httpd/bin/apxs --with-regex=php --with-zend-vm=CALL --prefix=/usr/local --mandir=/usr/local/man --infodir=/usr/local/info/ --with-pcre-regex --with-mysql=/usr/local/mysql --with-curl --enable-ctype --enable-dom --enable-exif --enable-filter --with-gd --with-openssl --enable-json --with-iconv --with-mhash --with-mcrypt
>
> the configuration runs fine but the build breaks:
>
> ..
> main/internal_functions.lo -lcrypt -lcrypt -lmysqlclient -lmhash -lmcrypt -lltdl -liconv -lpng -lz -lcurl -lssl -lcrypto -lm -lxml2 -lz -liconv -lm -lcurl -lssl -lcrypto -lz -lxml2 -lz -liconv -lm -lcrypt -lcrypt -o libphp5.la
> /usr/bin/ld: cannot find -lltdl
> *** Error code 1
>
> Stop in /usr/local/src/php-5.2.10.
>
> # locate ltdl
> /usr/local/share/aclocal/ltdl.m4
> /usr/local/share/libtool/libltdl
> ...
>
> the thing is it already built once with the same configuration options. an hour ago. and it is working. but i need to add more stuff to this. if i take off --with-mcrypt it builds fine. i have mcrypt already and i need it. and don't want to reinstall without it
>
> any help?
>
> thanks...

Why aren't you using ports?

Chris

-- 
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in a mailing list?
Re: Checksum mismatches when csup-ing.
On 23 jun 2009, at 05:55, Frank Shute wrote:
> On Mon, Jun 22, 2009 at 07:17:40PM +0200, Paul van der Zwan wrote:
>> The last few days I see dozens of Checksum mismatches when csup-ing src-all from cvsup.freebsd.org. No errors appear on ports-all. Is there a problem with the cvs repository?
>
> Most people will use a local mirror as listed in the handbook: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cvsup.html Check and see if you have the same problem with one of the mirror sites.

I have tried both cvsup.freebsd.org and cvsup.nl.freebsd.org with both csup and cvsup and I get checksum mismatches on all attempts.

> If you've got the same problem, then your cvsup config file for src could be up the creek.

I have deleted /usr/sup/src-all/* but that did not fix the checksum errors, just gave me a lot of SetAttr messages the first run. If you mean my c{v}sup config file, that hasn't been changed in years and how would an error in that file cause errors on src-all but none on ports-all?

> If the problem disappears, then the server is up the creek.

I am stumped, as far as I can tell it's no local config problem, but what's causing it? I have no idea.. Am I the only one seeing these errors?

>> Paul

The fact that all errors are on src-all and none on ports-all makes me suspect it is not a local problem on my system as both end up on the same filesystem here.

Paul

PS I am not on this list so please reply directly as well

> Regards,
> --
> Frank
> Contact info: http://www.shute.org.uk/misc/contact.html
The Gimp
Due to some meteorological disasters I've had to replace my 6.1 FreeBSD system and I've installed 7.2 on the refurbished i386 computer:

freebsd [22:03] ~uname -a
FreeBSD freebsd.connect-a.com.au 7.2-RELEASE FreeBSD 7.2-RELEASE #0: Fri May 1 08:49:13 UTC 2009

My desktop is KDE Version 4.2.2 (not yet sure that this is an improvement over the previous version). I'm starting to re-install software using portupgrade (portinstall). I've a few problems with that, but I'll leave that to another post.

The immediate problem is that I've used portinstall to install gimp (picture processing software) which I was happily using on the previous version. It installs OK (after a fearful amount of time) but when I start it, I get a segmentation fault:

freebsd [22:07] ~gimp
[1] 3696
freebsd [22:09] ~
[1]  Segmentation fault  gimp
freebsd [22:09] ~

If I run as root, there is no problem:

freebsd [22:09] ~sudo gimp
[1] 3700
freebsd [22:10] ~
[1] + Suspended (tty output)  sudo gimp
freebsd [22:10] ~fg sudo gimp
Password:
freebsd [22:11] ~

It starts OK and I can use it fine. The config file .gimp-2.6 is saved in root's home directory. I've tried RTFM, but there is no information on this problem. Maybe it's due to some library having the wrong permissions and I should search the system for files with 544 permissions or something.

Does anyone have a clue as to what's going on, or should I report a bug?

Thanks heaps.

Rob Hurle

-- 
Rob Hurle
Research School of Pacific and Asian Studies, ANU
e-mail: rob1...@gmail.com
Telephone (ANU): +61 2 6125 3169
Mobile (in VN): +84 948 243 538 (Currently in Australia)
Mobile (in OZ): +61 417 293 603 (Currently in Australia)
Re: Best practices for securing SSH server
> why does the speed of a connection make it a higher risk?

Super-fast connections are ideal targets for people to install private fileservers (among other things).
Re: No sound, no mouse and now X applications won't start
> Message: 11
> Date: Sat, 20 Jun 2009 16:34:00 -0400
> From: Jerry ges...@yahoo.com
> Subject: Re: No sound, no mouse and now X applications won't start
> To: freebsd-questions@freebsd.org
> Message-ID: 20090620163400.62143...@scorpio.seibercom.net
> Content-Type: text/plain; charset=US-ASCII
>
> On Sun, 21 Jun 2009 01:31:45 +0530 Manish Jain invalid.poin...@gmail.com wrote:
>> Looks like nobody at freebsd-questions has any answers for me. Maybe 7.2-x86 doesn't like newish amd hardware.
>
> post the output of:
>
> pciconf -lv
>
> as well as dmesg. Also your rc.conf and PolicyKit.conf files might be useful.
>
> --
> Jerry
> ges...@yahoo.com

Hi,

I have solved most of the problems listed in my previous message with help from Roland Smith. The fact still remains that FreeBSD-7.2 has some definite problems on AMD hardware:

1) On multi-core systems, the cores don't get initialized properly and you get messages like:

AP #1 (PHY# 1) failed !

followed by panic. The solution is to reboot, maybe as many as 6-7 times.

2) The uhub/ums module fails to load and /dev/ums0 consequently won't get created. The workaround is to unplug your USB mouse just before the boot process begins, and plug it back in once you get the console.

I have googled for the above 2 problems and there seem to be many folks suffering from the ills, with no solution except the ones I have listed above. And these problems almost always occur on AMD multi-core systems. I hope the next release will address these problems, as well as a pretty reasonable request from me much earlier to move vi from /usr/bin to /bin. Even in single-user mode, you almost always need an editor.

-- 
Regards
Manish Jain
invalid.poin...@gmail.com
+91-96500-10329

Laast year I kudn't spell Software Engineer. Now I are won.
Re: Checksum mismatches when csup-ing.
On Tue, Jun 23, 2009 at 02:43:36PM +0200, Paul van der Zwan wrote:
> On 23 jun 2009, at 05:55, Frank Shute wrote:
>> On Mon, Jun 22, 2009 at 07:17:40PM +0200, Paul van der Zwan wrote:
>>> The last few days I see dozens of Checksum mismatches when csup-ing src-all from cvsup.freebsd.org. No errors appear on ports-all. Is there a problem with the cvs repository?
>>
>> Most people will use a local mirror as listed in the handbook: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cvsup.html Check and see if you have the same problem with one of the mirror sites.
>
> I have tried both cvsup.freebsd.org and cvsup.nl.freebsd.org with both csup and cvsup and I get checksum mismatches on all attempts.

Haven't tried those 2 but I'm OK on cvsup3.uk.freebsd.org so I suspect the problem is with your end.

>> If you've got the same problem, then your cvsup config file for src could be up the creek.
>
> I have deleted /usr/sup/src-all/* but that did not fix the checksum errors, just gave me a lot of SetAttr messages the first run.

I wonder if it is some sort of permission problem. Runlevel OK? You might want to check if somebody has done something funny with extended attributes (setextattr(8) etc.).

> If you mean my c{v}sup config file, that hasn't been changed in years and how would an error in that file cause errors on src-all but none on ports-all?

I didn't know you had ports and src in the same config. I keep mine separately. Where do you put your ports btw? Under /usr/sup/ or /usr/ports/ ?

>> If the problem disappears, then the server is up the creek.
>
> I am stumped, as far as I can tell it's no local config problem, but what's causing it? I have no idea.. Am I the only one seeing these errors?

Maybe you could cut & paste the output from a run and post it. (Or the bits that look relevant). Use script(1) to capture the output.

>>> Paul
>
> The fact that all errors are on src-all and none on ports-all makes me suspect it is not a local problem on my system as both end up on the same filesystem here.
>
> Paul
>
> PS I am not on this list so please reply directly as well
>
>> Regards,
>> --
>> Frank

Regards,
-- 
Frank
Contact info: http://www.shute.org.uk/misc/contact.html
Multi-homed FreeBSD
Hi,

we have a FreeBSD machine currently using PPPoE with NAT. As we already have the cable connection which is about the same speed, I was just wondering about doing some load balancing for the outside connection. I have no experience with that and will be really glad if someone could point out some things, where to look and what to read. Also your configurations and experiences regarding this are very welcome.

Thanks,
Matej
Re: Best practices for securing SSH server
> I do not believe that tricks like running ssh on a non standard port or using port-knocking provide much extra security.

I can understand that varying the port is not a very strong defensive measure, but I don't understand your point about port-knocking. If you configure a complex and seemingly random sequence of knocks before allowing an IP access to your ssh port, have you not significantly strengthened your ssh server?
Re: Checksum mismatches when csup-ing.
On Tue, Jun 23, 2009 at 02:43:36PM +0200, Paul van der Zwan wrote:
> On 23 jun 2009, at 05:55, Frank Shute wrote:
>> On Mon, Jun 22, 2009 at 07:17:40PM +0200, Paul van der Zwan wrote:
>>> The last few days I see dozens of Checksum mismatches when csup-ing src-all from cvsup.freebsd.org. No errors appear on ports-all. Is there a problem with the cvs repository?
>>
>> Most people will use a local mirror as listed in the handbook: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cvsup.html Check and see if you have the same problem with one of the mirror sites.
>
> I have tried both cvsup.freebsd.org and cvsup.nl.freebsd.org with both csup and cvsup and I get checksum mismatches on all attempts.
>
>> If you've got the same problem, then your cvsup config file for src could be up the creek.
>
> I have deleted /usr/sup/src-all/* but that did not fix the checksum errors, just gave me a lot of SetAttr messages the first run. If you mean my c{v}sup config file, that hasn't been changed in years and how would an error in that file cause errors on src-all but none on ports-all?
>
>> If the problem disappears, then the server is up the creek.
>
> I am stumped, as far as I can tell it's no local config problem, but what's causing it? I have no idea.. Am I the only one seeing these errors?

Nope, I am seeing exactly the same thing. (And I am using different mirrors than you are.)

Since I too am only seeing this for src-all and not ports-all I suspect it may be a problem with the svn-cvs export. (src-all is nowadays maintained in a subversion repository and the changes automatically exported to the cvs repository, while ports-all is still maintained directly in the cvs repository.)

Note: I use cvsup to maintain a local copy of the cvs repository. It is not clear if you too are doing that, or if you use cvsup to check out just the latest version.

>>> Paul
>
> The fact that all errors are on src-all and none on ports-all makes me suspect it is not a local problem on my system as both end up on the same filesystem here.
>
> Paul
>
> PS I am not on this list so please reply directly as well

-- 
Insert your favourite quote here.
Erik Trulsson
ertr1...@student.uu.se
links for hal and hplip
For those of you, like myself, struggling with hal and printing (separate issues), check out the links below. You will note that the freebsd gnome page is at freebsd.org, but the freebsd kde page is at freebsd.kde.org. The hplip information at the kde site is not specific to kde. The hal faq at the gnome page has some information that is not specific to gnome.

gnome: http://www.freebsd.org/gnome
hal:   http://www.freebsd.org/gnome/docs/halfaq.html
kde:   http://freebsd.kde.org
hplip: http://freebsd.kde.org/howtos/hplip.php

Best of luck,
Andrew
~/.ssh directory permissions
Looking at my ~/.ssh directory, I see the following permissions:

-rw-r--r--

Which I understand to be equivalent to 644. I read here http://sial.org/howto/openssh/publickey-auth/ that ~/.ssh ought to have permissions 700. Which is preferable, and why?
Thanks [upgrading installed ports: time to do it ?]
Hello !

Thanks all of you for taking time to answer my mail. I really appreciate it.

I have (well... the system has) successfully done the upgrade. I used both pkg_updating and portupdate-scan to scan UPDATING [pkg_updating did not show an entry suggesting to update python to version 2.6 (which Portupdate-scan did)]. As UPDATING suggests, I made the switch from python 2.5 to python 2.6 (using portupgrade). Then I did a mass upgrade...

portupgrade -ab --batch ...

It took 6h30 upgrading 40 ports (not many ports because I installed this system only few months ago). [Now I should find where the backup packages have been sent]

Thanks again and see you here !

d

p.s. Robert I meant to say if you prefer to upgrade just a selection of the ports or all of the ports together ;-)

On Tuesday 23 June 2009 00:34:59 Charlie Kester wrote:
> On Mon 22 Jun 2009 at 13:48:02 PDT RW wrote:
>> On Mon, 22 Jun 2009 20:58:41 +0100 Chris Whitehouse cwhi...@onetel.com wrote:
>>> I'll probably get flamed for this but since I've been using ports-mgmt/portmanager I've almost forgotten about /usr/ports/UPDATING and all that pkgdb -Fu stuff or whatever it was. I've upgraded ports just by doing 'portmanager -u' over one or two quite major changes and not had any problems that haven't been down to an individual ports.
>>
>> You still need to read UPDATING, portmanager handles some of the issues automatically, but not all.
>
> that durned human element again!
>
> would be nice if a port upgrade tool did that for you, displayed any entries related to ports that need updating, and gave you a chance to postpone the update until you've taken whatever actions UPDATING suggests
>
> would require UPDATING to be written in a consistent, machine-readable format
Re: ~/.ssh directory permissions
On Tue, Jun 23, 2009 at 10:06:03AM -0400, Daniel Underwood wrote:
> Looking at my ~/.ssh directory, I see the following permissions:
>
> -rw-r--r--
>
> Which I understand to be equivalent to 644. I read here http://sial.org/howto/openssh/publickey-auth/ that ~/.ssh ought to have permissions 700. Which is preferable, and why?

Well, generically, 700 allows you to do anything you want with the file as owner, but no other id (except root) can touch it in any way - not even look at it. I don't really know if it would hurt to allow others to read it or not, but in the philosophy of if access is not needed, then don't provide it, I would make it limited to 700. I just looked at mine and it is set to 700.

jerry
Re: ~/.ssh directory permissions
Thanks. Might as well set to 700 then.
Re: Checksum mismatches when csup-ing.
Paul van der Zwan wrote:
> On 23 jun 2009, at 05:55, Frank Shute wrote:
>> On Mon, Jun 22, 2009 at 07:17:40PM +0200, Paul van der Zwan wrote:
>>> The last few days I see dozens of Checksum mismatches when csup-ing src-all from cvsup.freebsd.org. No errors appear on ports-all. Is there a problem with the cvs repository ?
>>
>> Most people will use a local mirror as listed in the handbook: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cvsup.html
>>
>> Check and see if you have the same problem with one of the mirror sites.
>
> I have tried both cvsup.freebsd.org and cvsup.nl.freebsd.org with both csup and cvsup and I get checksum mismatches on all attempts.

[snip]

About a week ago I csup'ed src-all from cvsup.nl.freebsd.org and rebuilt my systems. I just did it again to test, although since it was up to date nothing new was changed/downloaded. No checksum errors at all with either event.

-Mike
Re: cannot find -lltdl
Chris Rees wrote:
> 2009/6/23 kalin m ka...@el.net:
>> hi all..
>>
>> this is a bit awkward
>>
>> i'm building php 5.2.10 from source on freebsd 7.0. using:
>>
>> ./configure --with-layout=GNU --with-config-file-scan-dir=/usr/local/etc/php --disable-all --enable-libxml --with-libxml-dir=/usr/local --enable-reflection --program-prefix= --disable-cgi --with-apxs2=/etc/httpd/bin/apxs --with-regex=php --with-zend-vm=CALL --prefix=/usr/local --mandir=/usr/local/man --infodir=/usr/local/info/ --with-pcre-regex --with-mysql=/usr/local/mysql --with-curl --enable-ctype --enable-dom --enable-exif --enable-filter --with-gd --with-openssl --enable-json --with-iconv --with-mhash --with-mcrypt
>>
>> the configuration runs fine but the build breaks:
>>
>> .. main/internal_functions.lo -lcrypt -lcrypt -lmysqlclient -lmhash -lmcrypt -lltdl -liconv -lpng -lz -lcurl -lssl -lcrypto -lm -lxml2 -lz -liconv -lm -lcurl -lssl -lcrypto -lz -lxml2 -lz -liconv -lm -lcrypt -lcrypt -o libphp5.la
>> /usr/bin/ld: cannot find -lltdl
>> *** Error code 1
>>
>> Stop in /usr/local/src/php-5.2.10.
>>
>> # locate ltdl
>> /usr/local/share/aclocal/ltdl.m4
>> /usr/local/share/libtool/libltdl
>> ...
>>
>> the thing is it already built once with the same configuration options. an hour ago. and it is working. but i need to add more stuff to this. if i take off --with-mcrypt it builds fine. i have mcrypt already and i need it. and don't want to reinstall without it
>>
>> any help?
>>
>> thanks...
>
> Why aren't you using ports?

there isn't ports for all that i need compiling with 5.2.10.

> Chris
Re: slowloris, accf_http and POST requests
Ruben de Groot wrote:
> On Mon, Jun 22, 2009 at 05:35:56PM -0500, Dan Nelson typed:
>> In the last episode (Jun 22), Ruben de Groot said:
>>> My main concern here is if applying the trivial patch I posted would break anything in the http protocol layer. And if not, why isn't the POST method included in the http accept filter in the first place?
>>
>> The filter wasn't designed to be an anti-DOS tool; it was an optimization to save some context switches at the beginning of every request. POSTs are
>
> I know this. But in this particular case, it *works* as an anti-DOS tool. And a pretty good one too.
>
>> infrequent, always include extra trailing data after the headers, and end up doing more processing at the server end than plain GET or HEADs, so buffering the first line of the request doesn't really help much.
>
> Well, it helps against this slowloris script. And I don't see it costing much.
>
>> You're better off adding a request-max-time limit to your webserver, or doing random-drops of existing connections if you get close to your fd or thread limit.
>
> I'm exploring these options as well, but they have their own drawbacks. Anyway, since it doesn't look like I'm breaking anything by buffering the POST headers, I'm gonna maintain this as a local patch until something better comes along.

I was interested to follow this, as I was under the impression http accept filter was more for performance rather than security. Since I use it anyway I was happy to learn of these facts.

Although not directly related, per se, you may also be interested in: http://www.modsecurity.org/projects/modsecurity/apache/index.html

It can be useful in narrowing the scope of allowable POST content to mitigate SQL injection techniques. The default pattern is overly broad but if you are only intent on tightening up one web app on one server it is possible to tune it to be more specific. Not a magic bullet, but every layer in the onion helps.

-Mike
Problem starting slapd
FreeBSD-7.2
openldap-server-2.4.16_1

I just installed this port. For some reason it will not start correctly. I have all of the information entered in the /etc/rc.conf file and the slapd.conf and ldap.conf files are configured correctly. There is no 'PID' file created. Below is what I receive when I attempt to start or stop the program.

/usr/local/etc/rc.d # ./slapd start
Starting slapd.
/usr/local/etc/rc.d # ./slapd stop
slapd not running? (check /var/run/openldap/slapd.pid).
/usr/local/etc/rc.d # ls /var/run/openldap
ldapi=
/usr/local/etc/rc.d #

There is a 'socket' created, but that is it. I am pulling my hair out, what is left of it, trying to figure out what the problem is. Any suggestions?

Thanks!

-- 
Carmel
car...@hotmail.com

I would have made a good pope.
Richard Nixon
Re: Multi-homed FreeBSD
On 6/23/09, Matej Šerc matej.s...@gmail.com wrote:
> Hi,
>
> we have a FreeBSD machine currently using PPPoE with NAT. As we already have the cable connection which is about the same speed, I was just wondering of doing some load balancing for the outside connection. I have no experiences with that and will be really glad if someone could point some things, where to look and what to read. Also your configurations and experiences regarding this fact are very welcome.
>
> Thanks,
> Matej

This question has been asked very frequently on this list, starting with my thread about multiple gateways on may 31st. Best option is by using firewall routing options, since bsd itself cannot add more than one gateway (which I think is the TCP/IP standard, being only one gateway) please google and read, and if you have further questions, follow up and ask questions.
Re: Problem starting slapd
On 6/23/09, Carmel NY carmel...@hotmail.com wrote:
> FreeBSD-7.2
> openldap-server-2.4.16_1
>
> I just installed this port. For some reason it will not start correctly. I have all of the information entered in the /etc/rc.conf file and the slapd.conf and ldap.conf files are configured correctly. There is no 'PID' file created. Below is what I receive when I attempt to start or stop the program.
>
> /usr/local/etc/rc.d # ./slapd start
> Starting slapd.
> /usr/local/etc/rc.d # ./slapd stop
> slapd not running? (check /var/run/openldap/slapd.pid).
> /usr/local/etc/rc.d # ls /var/run/openldap
> ldapi=
> /usr/local/etc/rc.d #
>
> There is a 'socket' created, but that is it. I am pulling my hair out, what is left of it, trying to figure out what the problem is. Any suggestions?
>
> Thanks!

is there a /usr/local/etc/openldap/slapd.conf? does it pass muster, config check 'n all? did you enable logging? would you pastebin your slapd.conf - masking out any passwords or sensitive information? I've run slapd plenty times, I bet it's something with your config file. Posting your /usr/ports/net/openldap24-server make showconfig would be appreciative too.

--TJ
Re: Problem starting slapd
On 23 jun 2009, at 16:39, Carmel NY carmel...@hotmail.com wrote:
> FreeBSD-7.2
> openldap-server-2.4.16_1
>
> I just installed this port. For some reason it will not start correctly. I have all of the information entered in the /etc/rc.conf file and the slapd.conf and ldap.conf files are configured correctly. There is no 'PID' file created. Below is what I receive when I attempt to start or stop the program.
>
> /usr/local/etc/rc.d # ./slapd start
> Starting slapd.
> /usr/local/etc/rc.d # ./slapd stop
> slapd not running? (check /var/run/openldap/slapd.pid).
> /usr/local/etc/rc.d # ls /var/run/openldap
> ldapi=
> /usr/local/etc/rc.d #
>
> There is a 'socket' created, but that is it. I am pulling my hair out, what is left of it, trying to figure out what the problem is. Any suggestions?
>
> Thanks!

Check permissions on /var/run/openldap

Peter
Re: Checksum mismatches when csup-ing.
On 23 jun 2009, at 15:53, Erik Trulsson wrote:
> On Tue, Jun 23, 2009 at 02:43:36PM +0200, Paul van der Zwan wrote:
>> On 23 jun 2009, at 05:55, Frank Shute wrote:
>>> On Mon, Jun 22, 2009 at 07:17:40PM +0200, Paul van der Zwan wrote:
>>>> The last few days I see dozens of Checksum mismatches when csup-ing src-all from cvsup.freebsd.org. No errors appear on ports-all. Is there a problem with the cvs repository ?
>>>
>>> Most people will use a local mirror as listed in the handbook: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cvsup.html
>>>
>>> Check and see if you have the same problem with one of the mirror sites.
>>
>> I have tried both cvsup.freebsd.org and cvsup.nl.freebsd.org with both csup and cvsup and I get checksum mismatches on all attempts.
>>
>>> If you've got the same problem, then your cvsup config file for src could be up the creek.
>>
>> I have deleted /usr/sup/src-all/* but that did not fix the checksum errors, just gave me a lot of SetAttr messages the first run. If you mean my c{v}sup config file, that hasn't been changed in years and how would an error in that file cause errors on src-all but none on ports-all ?
>>
>>> If the problem disappears, then the server is up the creek.
>>
>> I am stumped, as far as I can tell it's no local config problem, but what's causing it? I have no idea.. Am I the only one seeing these errors ?
>
> Nope, I am seeing exactly the same thing. (And I am using different mirrors than you are.) Since I too am only seeing this for src-all and not ports-all I suspect it may be a problem with the svn-cvs export. (src-all is nowadays maintained in a subversion repository and the changes automatically exported to the cvs repository, while ports-all is still maintained directly in the cvs repository.)

Well at least I am not the only one seeing these errors. I think we can rule out a local problem and will have to wait for someone to fix this.

> Note: I use cvsup to maintain a local copy of the cvs repository. It is not clear if you too are doing that, or if you use cvsup to check out just the latest version.

I use cvsup/csup to mirror the cvs repo and I do a local cvs checkout. But until these errors are fixed I will not be doing any checkouts and build for src. I don't think I can trust the repository...

Paul

>> Paul
>>
>> The fact that all errors are on src-all and none on ports-all make me suspect it is not a local problem on my system as both end up on the same filesystem here.
>>
>> Paul
>>
>> PS I am not on this list so please reply directly as well
>
> -- 
> Insert your favourite quote here.
> Erik Trulsson
> ertr1...@student.uu.se
Re: ~/.ssh directory permissions
On 23 jun 2009, at 16:06, Daniel Underwood djuatde...@gmail.com wrote:
> Looking at my ~/.ssh directory, I see the following permissions:
>
> -rw-r--r--
>
> Which I understand to be equivalent to 644. I read here http://sial.org/howto/openssh/publickey-auth/ that ~/.ssh ought to have permissions 700. Which is preferable, and why?

700, your private key(s) go in there.

Peter
Re: you're not going to believe this.
On Tue, Jun 23, 2009 at 09:31:06AM +0200, Wojciech Puchar wrote:
>> you guys aren't going to believe what i just found on the web for the ASUS Eee-901 [or is it the 900]. it was for the 9- and 10-inch screens. i was using konq which just segv'd so i am taking a break and thought i'd share this. last night, i could barely believe the ten-inch with a 40GB SSD. these mini-notebooks take two memory chips. they just plug in. i was googling around and found they have 32's and even 128's. so you can get 64 or up to 256Gigs of solid state disk ... not in a year or two (or five or six), but now.
>
> today we have huge flash disks for really cheap, but still don't have native flash filesystem in any OS, be it FreeBSD or windoze or mac os x or whatever. These flash chips have to emulate hard drive, which slows them down manyfold

so is there any best guess regarding what timeframe a filesystem for freebsd might exist? on the you-tube demo they were using [i think] XP. i'll see if i can find the site.

gary

-- 
Gary Kline  kl...@thought.org  http://www.thought.org  Public Service Unix
http://jottings.thought.org
http://transfinite.thought.org
For FBSD list: http://transfinite.thought.org/slicejourney.php
The 4.98a release of Jottings: http://jottings.thought.org/index.php
Re: Problem starting slapd
On Tue, 23 Jun 2009 16:46:42 +0200
Peter Boosten pe...@boosten.org wrote:

> Check permissions on /var/run/openldap

drwxr-xr-x  2 ldap  ldap   512B Jun 23 10:57 openldap/

They appear to be correct. I might add, that I did a complete deinstall of the port, removed the /usr/local/etc/openldap directory and the start up script and then reinstalled the port. The only thing I have not done is remove DB46 and reinstall that. I really don't think that would affect anything anyway.

-- 
Carmel
car...@hotmail.com

Do not do unto others as you would they should do unto you. Their tastes may not be the same.
George Bernard Shaw
Re: cannot find -lltdl
kalin m wrote:
> Chris Rees wrote:
>> 2009/6/23 kalin m ka...@el.net:
>
> [snip]
>
>> Why aren't you using ports?
>
> there isn't ports for all that i need compiling with 5.2.10.

Yes there is. You install the main PHP5 port first, then follow up by installing the php5-extensions port. When you either do it the first time, or subsequently do make config you will be presented with a menu listing all the php extension options. This is where you build the individual module(s) which you require. For example, the most common is probably MySQL support. You would tick the box next to the mysql module in the menu. Even if you chose to build all of them you can deactivate any you don't need after the fact in /usr/local/etc/php/extensions.ini file.

Strongly recommended for you to use the ports system. You will find your system much more easily maintainable for the future.

-Mike
Re: No sound, no mouse and now X applications won't start
On Tuesday 23 June 2009 15:41:48 Manish Jain wrote:
> I hope the next release will address these problems, as well as a pretty reasonable request from me much earlier to move vi from /usr/bin to /bin. Even in single-user mode, you almost always need an editor.

Which is why you have ed(1) - both in /bin and in /rescue - and /rescue/vi (although that needs a bit of tweaking due to the /etc/termcap problem). Bear in mind that /usr/bin/vi is over 300K, compared to the whole of /bin which is ~950K (if you avoid double-counting entries like /bin/csh and /bin/tcsh which are hardlinks to the same file), so you need to convince people who think /bin should stay small to let it grow by a third to save people learning ed(1).

Jonathan
Re: Checksum mismatches when csup-ing.
Paul van der Zwan wrote:
> [snip]
>
> Well at least I am not the only one seeing these errors. I think we can rule out a local problem and will have to wait for someone to fix this.
>
>> Note: I use cvsup to maintain a local copy of the cvs repository. It is not clear if you too are doing that, or if you use cvsup to check out just the latest version.
>
> I use cvsup/csup to mirror the cvs repo and I do a local cvs checkout. But until these errors are fixed I will not be doing any checkouts and build for src. I don't think I can trust the repository...
>
> [snip]

Ah - OK. Got it now. Maintaining your own local repository, e.g. not just a simple src upgrade/download such as I do here for basic updating.

I recently saw something about this, IIRC on the -Current, or possibly -Stable list explaining this. It had something to do with the export from SVN back to CVS. I believe the developers are aware of this. Search the archive for their comments.

-Mike
Re: slowloris, accf_http and POST requests
Ruben de Groot mai...@bzerk.org wrote:
> On Mon, Jun 22, 2009 at 05:35:56PM -0500, Dan Nelson typed:
>> In the last episode (Jun 22), Ruben de Groot said:
>>> My main concern here is if applying the trivial patch I posted would break anything in the http protocol layer. And if not, why isn't the POST method included in the http accept filter in the first place?
>>
>> The filter wasn't designed to be an anti-DOS tool; it was an optimization to save some context switches at the beginning of every request. POSTs are
>
> I know this. But in this particular case, it *works* as an anti-DOS tool. And a pretty good one too.

How did you verify this? accf_http doesn't require a complete request but will also pass the connection to the userland if its buffer is full. If you continue to send headers that will happen eventually and if you're impatient, you simply have to send a bit more headers at the beginning to reach the application faster.

Fabian
What's happening
Can anyone explain this:

Jun 23 17:09:09 zeus kernel: fxp0: link state changed to DOWN
Jun 23 17:22:25 zeus kernel: fxp0: link state changed to UP

What's causing this???

Thanks for your time
Jack Raats
Re: self-serving redeux/revisited, and more questions?
On Mon, 22 Jun 2009 08:14:47 -0700, Gary Kline kl...@thought.org wrote:
> ok, sorry. Brain fault: Core dump :-)

Core fault: brain dump. :-)

-- 
Polytropon
From Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
Re: you're not going to believe this.
On Tue, Jun 23, 2009 at 07:52:27AM -0700, Gary Kline wrote:
> On Tue, Jun 23, 2009 at 09:31:06AM +0200, Wojciech Puchar wrote:
>> today we have huge flash disks for really cheap, but still don't have native flash filesystem in any OS, be it FreeBSD or windoze or mac os x or whatever. These flash chips have to emulate hard drive, which slows them down manyfold
>
> so is there any best guess regarding what timeframe a filesystem for freebsd might exist? on the you-tube demo they were using [i think] XP.

Don't worry about it. Buy your SSD (Solid state Storage Device) and mount with the noatime option. Don't let someone scare you away from the 99.8% solution waiting for the 99.9% solution.

As for emulating a hard drive, it's only slow relative to potential FLASH speeds. It's fast relative to hard drive speeds. Writing may not be as fast as a real HD, YMMV.

-- 
David Kelly N4HHE, dke...@hiwaay.net
Whom computers would destroy, they must first drive mad.
Re: What's happening
On Tue, Jun 23, 2009 at 05:28:51PM +0200, Jack Raats wrote:
> Can anyone explain this:
>
> Jun 23 17:09:09 zeus kernel: fxp0: link state changed to DOWN
> Jun 23 17:22:25 zeus kernel: fxp0: link state changed to UP
>
> What's causing this???

The wire was disconnected during that time. Possibly the hub/switch lost power, or the modem was down.

-- 
David Kelly N4HHE, dke...@hiwaay.net
Whom computers would destroy, they must first drive mad.
Re: you're not going to believe this.
On Tue, 23 Jun 2009 09:31:06 +0200 (CEST), Wojciech Puchar woj...@wojtek.tensor.gdynia.pl wrote:
> today we have huge flash disks for really cheap, but still don't have native flash filesystem in any OS, be it FreeBSD or windoze or mac os x or whatever. These flash chips have to emulate hard drive, which slows them down manyfold

Article: NILFS: A File System to Make SSDs Scream
http://www.linux-mag.com/cache/7345/1.html

-- 
Polytropon
From Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
Re: ~/.ssh directory permissions
2009/6/23 Peter Boosten pe...@boosten.org:
> On 23 jun 2009, at 16:06, Daniel Underwood djuatde...@gmail.com wrote:
>> Looking at my ~/.ssh directory, I see the following permissions:
>>
>> -rw-r--r--
>>
>> Which I understand to be equivalent to 644. I read here http://sial.org/howto/openssh/publickey-auth/ that ~/.ssh ought to have permissions 700. Which is preferable, and why?
>
> 700, your private key(s) go in there.

Interesting, I never noticed the 700 permissions on .ssh...

[ch...@amnesiac]~% ls -ld .ssh
drwx------  2 chris  chris   512 Nov 22  2008 .ssh/
[ch...@amnesiac]~% ls -l .ssh
total 18
-rw-r--r--  1 chris  chris  3281 Jan  8 21:21 authorized_keys
-rw-------  1 chris  chris  1675 Oct  1  2008 id_rsa
-rw-r--r--  1 chris  chris   409 Oct  1  2008 id_rsa.pub
-rw-r--r--  1 chris  chris  8379 Jun 11 22:01 known_hosts
[ch...@amnesiac]~%

Although I think it's not a big deal, as long as your id_?sa has permissions 600 like mine, or even 400.

Chris

-- 
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in a mailing list?
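The thread settles on 700 for ~/.ssh and 600 (or 400) for the private key, which is also the class of problem sshd's StrictModes check refuses. The script below is an added example, not code from any of the posters: a POSIX sh function that reads the mode bits from ls -ld and reports any group/other access on the directory and on private keys, and any group/other write access on files such as authorized_keys or known_hosts. Two assumptions of this script: a file with a matching .pub next to it is treated as a private key, and ls -ld is used instead of stat(1) because stat's format flags differ between GNU and BSD. The demo at the end builds a throwaway directory with mktemp, so it runs offline and touches no real keys.

```shell
#!/bin/sh
# Added example (not from the thread): audit a ~/.ssh directory for the
# permission problems discussed above.

# Print the six group/other permission characters of PATH, e.g. "------"
# for mode 700/600 or "r-xr-x" for 755.  Columns 5-10 of ls -ld output are
# the group and other triplets on both GNU and BSD ls.
group_other_bits() {
    ls -ld "$1" | cut -c5-10
}

# Report PATH if any group/other bit is set.  Returns 1 on a finding.
must_be_owner_only() {
    bits=$(group_other_bits "$1")
    if [ "$bits" != "------" ]; then
        echo "BAD  $1: group/other bits '$bits' set (want owner-only)"
        return 1
    fi
    echo "OK   $1"
}

# Report PATH if group (2nd char) or other (5th char) may write it.
must_not_be_shared_writable() {
    bits=$(group_other_bits "$1")
    case "$bits" in
        ?w????|????w?)
            echo "BAD  $1: writable by group/other ('$bits')"
            return 1 ;;
    esac
    echo "OK   $1"
}

# check_ssh_dir DIR: returns 0 when DIR and its contents pass, 1 otherwise.
check_ssh_dir() {
    dir=$1
    rc=0
    [ -d "$dir" ] || { echo "BAD  $dir: not a directory"; return 1; }
    must_be_owner_only "$dir" || rc=1
    for f in "$dir"/*; do
        [ -e "$f" ] || continue          # empty directory: glob did not expand
        case "$f" in
            *.pub) continue ;;           # public halves may be world-readable
        esac
        if [ -e "$f.pub" ]; then
            # Assumption of this script: a file with a matching .pub is a
            # private key and must be 600 or tighter.
            must_be_owner_only "$f" || rc=1
        else
            # authorized_keys, known_hosts, config: readable is fine, but
            # shared-writable would let another local user add a key.
            must_not_be_shared_writable "$f" || rc=1
        fi
    done
    return $rc
}

# Demo on a constructed directory (no real keys are touched).
demo_check_ssh_dir() {
    tmp=$(mktemp -d) || return 1
    d="$tmp/.ssh"
    mkdir "$d"
    : > "$d/id_rsa"; : > "$d/id_rsa.pub"; : > "$d/authorized_keys"
    chmod 600 "$d/id_rsa"; chmod 644 "$d/id_rsa.pub" "$d/authorized_keys"
    chmod 755 "$d"                       # group/other-readable, as in the question
    echo "--- directory 755:"; check_ssh_dir "$d" || true
    chmod 700 "$d"
    echo "--- directory 700:"; check_ssh_dir "$d" || true
    rm -rf "$tmp"
    return 0
}

demo_check_ssh_dir
```

Running it prints a BAD line for the 755 directory and OK lines once it is 700; point check_ssh_dir at a real ~/.ssh to get the same report for your own account.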
Re: Best practices for securing SSH server
Daniel Underwood wrote:
>> I do not believe that tricks like running ssh on a non standard port or using port-knocking provide much extra security.
>
> I can understand that varying the port is not a very strong defensive measure, but I don't understand your point about port-knocking. If you configure a complex and seemingly random sequence of knocks before allowing an IP access to your ssh port, have you not significantly strengthened your ssh server?

A port-knocking sequence is really nothing different than a shared password. Since there is no user dialog, the sequence has to be known by all users accessing the system. Basically you ask your users to authenticate twice - don't you think you could get the same security with a standard deployment insisting on good passwords or better yet, using keys?

You add an extra layer of inconvenience and complexity, more things that can fail and possibly result in an insecure server:

- dynamically updating firewall rules on the interface facing the Internet is not on my list of good practices. loading or flushing rules continuously is the recipe for service interruption or exposing your server to the net.

- nor is having a sniffer daemon putting the network interface in promiscuous mode, a daemon that listens on lots of ports! that really sounds attractive. (yup: that's the latest version on portknocking.org).

And it can result in people being unable to access if the knocks are filtered at the source.

BR, Erik

-- 
Erik Nørgaard
Ph: +34.666334818/+34.915211157
http://www.locolomo.org
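The advice in this thread and in the earlier replies comes down to "use keys, keep good passwords, and do not bolt on extra mechanisms". Below is an added example, written for this page and not taken from any poster, that checks an sshd_config for the settings that advice implies: password logins off once keys work, challenge-response off as well (with PAM it can still prompt for a password), public-key auth on, and no explicit PermitRootLogin yes. It reads the file the way sshd resolves directives: comments and blank lines are skipped, keywords are case-insensitive, the first occurrence of a keyword wins, and everything from the first Match line onward is conditional and so is left out of the global picture. Only an explicit PermitRootLogin yes is flagged, because that keyword's default has changed between OpenSSH releases. The two configs in the demo are constructed samples written to a temporary directory, and 192.0.2.0/24 is a documentation address range, not a real network.

```shell
#!/bin/sh
# Added example (not from the thread): report weak authentication settings
# in an sshd_config, resolving directives the way sshd does.

# sshd_effective FILE KEYWORD: print the effective global value of KEYWORD
# (lower-cased), or nothing if it is not set and the compiled-in default
# applies.  First occurrence wins; Match blocks are conditional and ignored.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/        { next }   # comment line
        NF == 0                 { next }   # blank line
        tolower($1) == "match"  { exit }   # conditional section starts here
        tolower($1) == key      { print tolower($2); exit }
    ' "$1"
}

# audit_sshd_config FILE: print one FINDING line per weak setting, plus an
# INFO line for X11Forwarding (the original poster needs it enabled).
audit_sshd_config() {
    cfg=$1
    # Fallbacks are OpenSSH's documented defaults for these keywords.
    pa=$(sshd_effective "$cfg" PasswordAuthentication);           pa=${pa:-yes}
    cra=$(sshd_effective "$cfg" ChallengeResponseAuthentication); cra=${cra:-yes}
    pk=$(sshd_effective "$cfg" PubkeyAuthentication);             pk=${pk:-yes}
    prl=$(sshd_effective "$cfg" PermitRootLogin)
    x11=$(sshd_effective "$cfg" X11Forwarding)

    [ "$pa" = "no" ] ||
        echo "FINDING: PasswordAuthentication is '$pa' (effective); set it to no once key login works"
    # keyboard-interactive can still prompt for a password through PAM
    [ "$cra" = "no" ] ||
        echo "FINDING: ChallengeResponseAuthentication is '$cra'; password prompts remain possible"
    [ "$pk" = "yes" ] ||
        echo "FINDING: PubkeyAuthentication is '$pk'; key login would be refused"
    [ "$prl" = "yes" ] &&
        echo "FINDING: PermitRootLogin yes; log in as a user and su/sudo instead"
    echo "INFO: X11Forwarding is '${x11:-unset}'"
}

# count_sshd_findings FILE: number of FINDING lines, printed to stdout.
count_sshd_findings() {
    audit_sshd_config "$1" | awk '/^FINDING/ { n++ } END { print n + 0 }'
}

# Demo on two constructed configs (not any real host's sshd_config).
demo_audit_sshd_config() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/weak" <<'EOF'
# constructed sample: stock-looking config with password logins left on
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
EOF
    cat > "$tmp/hardened" <<'EOF'
# constructed sample: key-only logins; the duplicate PasswordAuthentication
# line and the Match block do not change the global values
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
X11Forwarding yes
PasswordAuthentication yes
Match Address 192.0.2.0/24
    PasswordAuthentication yes
EOF
    for c in weak hardened; do
        echo "--- $c: $(count_sshd_findings "$tmp/$c") finding(s)"
        audit_sshd_config "$tmp/$c"
    done
    rm -rf "$tmp"
    return 0
}

demo_audit_sshd_config
```

The weak sample yields three findings (password auth, challenge-response left at its default, root login) and the hardened one none; run audit_sshd_config against /etc/ssh/sshd_config to get the same report for a live host, and remember that sshd -t is still the authoritative syntax check.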
Re: Thanks [upgrading installed ports: time to do it ?]
On Tue 23 Jun 2009 at 07:09:28 PDT dan wrote:
> I used both pkg_updating and portupdate-scan to scan UPDATING [pkg_updating did not show an entry suggesting to update python to version 2.6 (which Portupdate-scan did)].

Well, I just learned something from this thread. I didn't know about these tools. Thanks for mentioning them!

I usually use portupgrade, in a rather simple-minded way. Now you've inspired me to spend some time reading the manpages, to see how I can improve my routine.
Re: you're not going to believe this.
On Tue, Jun 23, 2009 at 09:31:06AM +0200, Wojciech Puchar wrote:
>> you guys aren't going to believe what i just found on the web for the ASUS Eee-901 [or is it the 900]. it was for the 9- and 10-inch screens. i was using konq which just segv'd so i am taking a break and thought i'd share this. last night, i could barely believe the ten-inch with a 40GB SSD. these mini-notebooks take two memory chips. they just plug in. i was googling around and found they have 32's and even 128's. so you can get 64 or up to 256Gigs of solid state disk ... not in a year or two (or five or six), but now.
>
> today we have huge flash disks for really cheap, but still don't have native flash filesystem in any OS, be it FreeBSD or windoze or mac os x or whatever.

Not so. See http://en.wikipedia.org/wiki/Flash_file_system

Most flash devices sold as harddisks have hardware that emulates a traditional harddisk, representing it as a (P/S)ATA block device. Unless you can bypass this, there is no need for a special filesystem. The only downside is that one has no idea how good or bad this interface hardware is.

The abovementioned Wikipedia article provides insight into the unique issues surrounding flash-based filesystems.

Roland

-- 
R.F.Smith  http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
Re: Problem starting slapd (FIXED)
On Tue, 23 Jun 2009 11:03:16 -0400 Carmel NY carmel...@hotmail.com wrote:

> On Tue, 23 Jun 2009 16:46:42 +0200 Peter Boosten pe...@boosten.org wrote:
>
>> Check permissions on /var/run/openldap
>
> drwxr-xr-x 2 ldap ldap 512B Jun 23 10:57 openldap/
>
> They appear to be correct. I might add that I did a complete deinstall of the port, removed the /usr/local/etc/openldap directory and the start up script and then reinstalled the port. The only thing I have not done is remove DB46 and reinstall that. I really don't think that would affect anything anyway.

FIXED!

Apparently, I had a corrupted schema file. Replaced it and now all is well.

-- 
Carmel car...@hotmail.com
Don't eat yellow snow.
Re: Best practices for securing SSH server
In response to Erik Norgaard norga...@locolomo.org:

> Daniel Underwood wrote:
>
>>> I do not believe that tricks like running ssh on a non standard port or using port-knocking provide much extra security.
>>
>> I can understand that varying the port is not a very strong defensive measure, but I don't understand your point about port-knocking. If you configure a complex and seemingly random sequence of knocks before allowing an IP access to your ssh port, have you not significantly strengthened your ssh server?
>
> A port-knocking sequence is really nothing different than a shared password. Since there is no user dialog, the sequence has to be known by all users accessing the system. Basically you ask your users to authenticate twice - don't you think you could get the same security with a standard deployment insisting on good passwords or better yet, using keys?
>
> You add an extra layer of inconvenience and complexity, more things that can fail and possibly result in an insecure server:

I would agree with you, except ...

> - dynamically updating firewall rules on the interface facing the Internet is not on my list of good practices. loading or flushing rules continuously is the recipe for service interruption or exposing your server to the net.

What crappy firewall are you using that needs flushed or reloaded to update rules? Has your packet filtering software been updated since the 80s?

> - nor is having a sniffer daemon putting the network interface in promiscuous mode, a daemon that listen on lots of ports! that really sounds attractive. (yup: that's the latest version on portknocking.org).

Listening on multiple ports is not synonymous with promiscuous interfaces. You should take some time to understand the difference between those two techniques.

> And it can result in people being unable to access if the knocks are filtered at the source.

Which can happen anyway if you have an ISP who filters out ssh traffic (which isn't unheard of).

What _is_ accomplished by both using a nonstandard port and using knock techniques, is that you don't have the annoyance of all those botnets filling up your logs with attempts to log in as root (if you don't monitor your access logs daily, then I don't want to hear any argument about this). With a knock solution, or running on a nonstandard port, then you know that any login attempts are serious attack attempts, and not just some random, mindless bots.

If you're doing proper security monitoring, then reducing that log load is worthwhile.

-- 
Bill Moran
http://www.potentialtech.com
http://people.collaborativefusion.com/~wmoran/
Re: you're not going to believe this.
>> whatever.
>
> Not so. See http://en.wikipedia.org/wiki/Flash_file_system
>
> Most flash devices sold as harddisks have hardware that emulates a traditional harddisk, representing it as a (P/S)ATA block device. Unless you can bypass this, there is no need for a special filesystem.

Yes, this is exactly the problem. It emulates a hard disk, which lowers performance a lot. For example, wear leveling and the emulation of small blocks require moving data around within the flash, and this lowers both performance and lifetime.
Re: you're not going to believe this.
> 99.8% solution waiting for the 99.9% solution.
>
> As for emulating a hard drive, its only slow relative to potential

it's a nonsense to pay for emulation layer that slows down real devices. And random filesystem writes could be much faster on flash than on disk - if properly designed
RE: you're not going to believe this.
If it's fast enough to allow one to work unimpeded, has acceptable lifetime/reliability, and uses less power/generates less heat than traditional platter HD - I'd say it's a good solution. It's not a one size fits all world.

-Original Message-
From: owner-freebsd-questi...@freebsd.org [mailto:owner-freebsd-questi...@freebsd.org] On Behalf Of Wojciech Puchar
Sent: Tuesday, June 23, 2009 12:25 PM
To: FreeBSD Mailing List
Cc: Gary Kline
Subject: Re: you're not going to believe this.

>> 99.8% solution waiting for the 99.9% solution.
>>
>> As for emulating a hard drive, its only slow relative to potential
>
> it's a nonsense to pay for emulation layer that slows down real devices. And random filesystem writes could be much faster on flash than on disk - if properly designed
Re: Can't boot 7.2-RELEASE i386 or AMD64 on an Abit KV8 Pro motherboard with Sempron 3100+ CPU
On Sat, Jun 20, 2009 at 3:10 PM, Kent Stewart kstew...@owt.com wrote:

> On Saturday 20 June 2009 11:00:45 am ericr wrote:
>
>> Hi,
>>
>> As the subject says, I can't get the 7.2-RELEASE i386 CD to boot on a system that has:
>>
>> Abit KV8 Pro (K8T800P-8237-6A7L1A1BC-26) motherboard with the most recent BIOS - BIOS release 26 4/20/2007 (http://www.abit.com.tw/page/en/motherboard/motherboard_detail.php?pMODEL_NAME=KV8+Pro&fMTYPE=Socket+754)
>> An AMD Sempron 3100+ 1.8Ghz CPU
>> 1 Gb RAM
>> An ATI 1050 256mb AGP video card
>>
>> I think I have turned off everything ACPI related in the BIOS setup. When I boot the i386 ISO, the kernel boots to the point of probing the PCI bus and then hangs completely, even the keyboard is locked up. I've unplugged all the disks, so the only things in the system are the CD drive, the floppy drive, and the video card. I have turned off acpi at boot time, and when I boot the i386 ISO verbosely, the last few lines the kernel spews are:
>>
>> pci_open(1): mode 1 addr port (0x0cf8) is 0x8000c060
>> pci_open(1a): mode1res=0x8000 (0x8000)
>> pci_cfgcheck: device 0 [class=06] [hdr=80] is there (id=02821106)
>> pcibios: BIOS version 2.10
>> pcib0: <MPTable Host-PCI bridge> pcibus 0 on motherboard
>> pci0: <PCI Bus> on pcib0
>> pci0: domain=0, physical bus=0
>>
>> There's no PCI cards plugged in, just the AGP video card.
>>
>> When I try booting the AMD64 ISO, the boot loader runs, I get the boot menu, and regardless of what boot options I give the kernel, I get the message "CPU doesn't support long mode" and then I get the OK prompt.
>>
>> I'm pretty sure it doesn't have a h/w problem, it'll boot and install Fedora 11, Win2K, WinXP, and runs every DOS based diagnostic app I can find with no problems.
>>
>> Anyone have any suggestions, or should I file a PR?
>
> Did you follow the suggestion on the release announcement of using the other CDs and switching before you start the install.

Yes. None of the FreeBSD kernels will boot on this system.

Doesn't matter if I use the livefs disk, or the install disk, it only gets as far as described above, then hangs.

- ericr
Re: No sound, no mouse and now X applications won't start
On Tue, Jun 23, 2009 at 07:11:48PM +0530, Manish Jain wrote:

> Hi,
>
> I have solved most of the problems listed in my previous message with help from Roland Smith. The fact still remains that FreeBSD-7.2 has some definite problems on AMD hardware :
>
> 1) On multi-core systems, the cores don't get initialized properly and you get messages like : AP #1 (PHY# 1) failed ! followed by panic. The solution is to reboot, maybe as many as 6-7 times.

Can you run the mptable command as root and post the output?

> 2) The uhub/ums module fails to load and /dev/ums0 consequently won't get created. The workaround is to unplug your USB mouse just before the boot process begins, and plug it back in once you get the console.

Since the USB stack has been replaced in 8-CURRENT, I'm not sure if many developers will want to spend time on this...

> I have googled for the above 2 problems and there seem to many folks suffering from the ills, with no solution except the ones I have listed above. And these problems almost always occur on AMD multi-core systems.

Most posts about the "AP #1 (PHY# 1) failed !" message that I found are several years old.

> I hope the next release will address these problems, as well as a pretty reasonable request from me much earlier to move vi from /usr/bin to /bin. Even in single-user mode, you almost always need an editor.

There is always /rescue/vi. And in single-user mode, you can always mount /usr if it is on a separate partition.

Roland
Re: What's happening
David Kelly writes:

> Can anyone explain this:
>
> Jun 23 17:09:09 zeus kernel: fxp0: link state changed to DOWN
> Jun 23 17:22:25 zeus kernel: fxp0: link state changed to UP
>
> What's causing this???

The wire was disconnected during that time. Possibly the hub/switch lost power, or the modem was down.

It also happens to some cards during boot-up. I have an Intel Pro/1000, connected to a live switch; during boot I get an UP-DOWN-UP transition. As far as I can tell, it's harmless.

To the OP: does this transition affect traffic?

Robert Huff
Re: Best practices for securing SSH server
Bill Moran wrote:

> In response to Erik Norgaard norga...@locolomo.org:
>
>> You add an extra layer of inconvenience and complexity, more things that can fail and possibly result in an insecure server:
>
> I would agree with you, except ...
>
>> - dynamically updating firewall rules on the interface facing the Internet is not on my list of good practices. loading or flushing rules continuously is the recipe for service interruption or exposing your server to the net.
>
> What crappy firewall are you using that needs flushed or reloaded to update rules? Has your packet filtering software been updated since the 80s?

Whether you flush or add rules to ipf or update tables in pf etc. you are modifying your firewall live.

>> - nor is having a sniffer daemon putting the network interface in promiscuous mode, a daemon that listen on lots of ports! that really sounds attractive. (yup: that's the latest version on portknocking.org).
>
> Listening on multiple ports is not synonymous with promiscuous interfaces. You should take some time to understand the difference between those two techniques.

I do, you can put your interface in promiscuous mode and let the daemon grab packets before they are filtered by the firewall, or open in your firewall for a range of port your knock deamon will listen to. In either case you add an extra daemon, an extra point of failure, an extra piece of code that can undermine your security.

>> And it can result in people being unable to access if the knocks are filtered at the source.
>
> Which can happen anyway if you have an ISP who filters out ssh traffic (which isn't unheard of).

There's no point in adding this argument, in that case you have no connection with or without port knocking. Sticking to standard protocols on standard ports is the best way to ensure your ISP doesn't get in your way.

> What _is_ accomplished by both using a nonstandard port and using knock techniques, is that you don't have the annoyance of all those botnets filling up your logs with attempts to log in as root (if you don't monitor your access logs daily, then I don't want to hear any argument about this). With a knock solution, or running on a nonstandard port, then you know that any login attempts are serious attack attempts, and not just some random, mindless bots.

I must be in the safe end of the internet, I don't get that much logs. So your argument about port knocking boils down to getting rid of some log entries, while annoying your users?

Now, how about your logs of failed port knocking attempts? Because, you log that, right? If your idea gains traction, then attackers will start knocking ports randomly ... you'll just have those logs filling up instead.

> If you're doing proper security monitoring, then reducing that log load is worthwhile.

if this is your main concern, why don't you just filter out the failed attempts? after all they failed. If you do proper security monitoring, your tools can be tuned to look at the interesting part of the logs.

There are other tricks that work well too, take a look at

LoginGraceTime
MaxAuthTries
MaxSessions
MaxStartups

Also, very effective, identify address ranges where your users will never connect from and black list them in the first place. It's fairly easy to get rid of a huge chunk of these logs - and getting your system safer - by simply restricting access to address ranges where your users are likely to connect from. Let them know that if they go to some weird place, not on the official white list then a temporary exception can be made for the period of their travel.

BR, Erik
-- 
Erik Nørgaard
Ph: +34.666334818/+34.915211157
http://www.locolomo.org
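The sshd_config knobs Erik lists above (LoginGraceTime, MaxAuthTries, MaxSessions, MaxStartups), plus PermitRootLogin since the thread is about bots trying root, checked by a small audit script. This is an added example, not code from the thread or from any of its posters; the threshold values, the two sample config files and the function names are this example's own assumptions. It reproduces sshd's parsing rules that matter for an audit: comment lines are ignored and the first occurrence of a keyword wins.

```shell
#!/bin/sh
# Added example (not from the list thread): audit an sshd_config for the
# brute-force related limits discussed above. Thresholds are assumptions
# chosen as a conservative baseline, not values from the posts.

GRACE_MAX=60      # seconds an unauthenticated connection may linger
AUTHTRIES_MAX=3   # password/key attempts per connection
SESSIONS_MAX=4    # multiplexed sessions per connection (X11 needs a few)
STARTUPS_MAX=5    # concurrent unauthenticated connections before sshd drops some

# Effective value of a keyword: sshd ignores comments and uses the first match.
sshd_value() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && tolower($1) == key { print $2; exit }
    ' "$1"
}

# Convert a time value in the forms sshd accepts (120, 30s, 2m, 1h) to seconds.
to_seconds() {
    n=${1%[smhSMH]}
    case "$1" in
        *[mM]) echo $((n * 60)) ;;
        *[hH]) echo $((n * 3600)) ;;
        *)     echo "$n" ;;
    esac
}

# Print one "WEAK ..." line per setting looser than the baseline; returns 0 always.
audit_sshd_config() {
    cfg="$1"

    v=$(sshd_value "$cfg" PermitRootLogin)
    [ "$v" = "no" ] || echo "WEAK PermitRootLogin=${v:-unset} (want no)"

    v=$(sshd_value "$cfg" LoginGraceTime)
    [ -n "$v" ] && [ "$(to_seconds "$v")" -le "$GRACE_MAX" ] \
        || echo "WEAK LoginGraceTime=${v:-unset} (want <= ${GRACE_MAX}s)"

    v=$(sshd_value "$cfg" MaxAuthTries)
    [ -n "$v" ] && [ "$v" -le "$AUTHTRIES_MAX" ] \
        || echo "WEAK MaxAuthTries=${v:-unset} (want <= $AUTHTRIES_MAX)"

    v=$(sshd_value "$cfg" MaxSessions)
    [ -n "$v" ] && [ "$v" -le "$SESSIONS_MAX" ] \
        || echo "WEAK MaxSessions=${v:-unset} (want <= $SESSIONS_MAX)"

    # MaxStartups is start:rate:full; only the first field is the hard floor.
    v=$(sshd_value "$cfg" MaxStartups)
    [ -n "$v" ] && [ "${v%%:*}" -le "$STARTUPS_MAX" ] \
        || echo "WEAK MaxStartups=${v:-unset} (want start <= $STARTUPS_MAX)"
    return 0
}

# Constructed sample configs (assumed, not from any real host). The weak one
# also shows a commented-out and a duplicated keyword, which sshd ignores.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/weak" <<'EOF'
# constructed weak sample
Port 22
PermitRootLogin yes
#MaxAuthTries 2
LoginGraceTime 2m
MaxAuthTries 6
MaxSessions 10
MaxSessions 2
MaxStartups 10:30:100
EOF
    cat > "$dir/hardened" <<'EOF'
# constructed hardened sample
Port 22
PermitRootLogin no
LoginGraceTime 30
MaxAuthTries 3
MaxSessions 4
MaxStartups 3:50:10
EOF
    echo "$dir"
}

dir=$(make_samples)
echo "== weak sample =="; audit_sshd_config "$dir/weak"
echo "== hardened sample =="; audit_sshd_config "$dir/hardened"
rm -r "$dir"
```

Run it against a live host with `audit_sshd_config /etc/ssh/sshd_config`; it reads the file only, so it is safe to run as an unprivileged user that can read the config. The address-range restriction Erik mentions in the same post is not covered here, since that lives in the packet filter rather than in sshd_config.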
Re: What's happening
Robert Huff wrote:

> David Kelly writes:
>
>> Can anyone explain this:
>>
>> Jun 23 17:09:09 zeus kernel: fxp0: link state changed to DOWN
>> Jun 23 17:22:25 zeus kernel: fxp0: link state changed to UP
>>
>> What's causing this???
>
> The wire was disconnected during that time. Possibly the hub/switch lost power, or the modem was down.
>
> It also happens to some cards during boot-up. I have an Intel Pro/1000, connected to a live switch; during boot I get an UP-DOWN-UP transition. As far as I can tell, it's harmless.
>
> To the OP: does this transition affect traffic?
>
> Robert Huff

Depending on the switch, it could be negotiating speed/duplex. Some, if configured to auto switch, will do it continuously.
Re: you're not going to believe this.
On Tue, Jun 23, 2009 at 07:23:22PM +0200, Wojciech Puchar wrote:

>>> whatever.
>>
>> Not so. See http://en.wikipedia.org/wiki/Flash_file_system
>>
>> Most flash devices sold as harddisks have hardware that emulates a traditional harddisk, representing it as a (P/S)ATA block device. Unless you can bypass this, there is no need for a special filesystem.
>
> yes this is exactly a problem. it emulates hard disk, which lowers performance much. for example wear leveling and emulation small blocks requires moving of data within flash, this lowers both performance and lifetime.

Even a flash filesystem will have to do wear levelling. And you'll have to gather writes to minimize the (slow) wiping of eraseblocks. In other words, you'll be doing more or less the same that current hardware does. But then in software, which is generally slower than dedicated hardware.

The big difference is that it is much easier to tweak and change algorithms when doing it in software.

Roland
Re: Best practices for securing SSH server
On Mon, Jun 22, 2009 at 22:50, pradp...@towardsfreedom.com wrote:

> On Mon, 22 Jun 2009 21:16:35 -0400 Daniel Underwood djuatde...@gmail.com wrote:
>
>> Due to the speed and location of the connection, it's a relatively high-risk target.
>
> why does the speed of a connection make it a higher risk? is it because bruteforce techniques can capitalize on the speed?

I'd suspect it's a higher risk because the target is higher value. A high speed connection means more ability to do, well, whatever.

Just a guess on my part, though.

Kurt
Re: Can't boot 7.2-RELEASE i386 or AMD64 on an Abit KV8 Pro motherboard with Sempron 3100+ CPU
--- On Tue, 6/23/09, ericr erobi...@gmail.com wrote:

> From: ericr erobi...@gmail.com
> Subject: Re: Can't boot 7.2-RELEASE i386 or AMD64 on an Abit KV8 Pro motherboard with Sempron 3100+ CPU
> To: Kent Stewart kstew...@owt.com, freebsd-questions@freebsd.org
> Date: Tuesday, June 23, 2009, 12:44 PM
>
> On Sat, Jun 20, 2009 at 3:10 PM, Kent Stewart kstew...@owt.com wrote:
>
>> On Saturday 20 June 2009 11:00:45 am ericr wrote:
>>
>>> Hi,
>>>
>>> As the subject says, I can't get the 7.2-RELEASE i386 CD to boot on a system that has:
>>>
>>> Abit KV8 Pro (K8T800P-8237-6A7L1A1BC-26) motherboard with the most recent BIOS - BIOS release 26 4/20/2007 (http://www.abit.com.tw/page/en/motherboard/motherboard_detail.php?pMODEL_NAME=KV8+Pro&fMTYPE=Socket+754)
>>> An AMD Sempron 3100+ 1.8Ghz CPU
>>> 1 Gb RAM
>>> An ATI 1050 256mb AGP video card
>>>
>>> I think I have turned off everything ACPI related in the BIOS setup. When I boot the i386 ISO, the kernel boots to the point of probing the PCI bus and then hangs completely, even the keyboard is locked up. I've unplugged all the disks, so the only things in the system are the CD drive, the floppy drive, and the video card. I have turned off acpi at boot time, and when I boot the i386 ISO verbosely, the last few lines the kernel spews are:
>>>
>>> pci_open(1): mode 1 addr port (0x0cf8) is 0x8000c060
>>> pci_open(1a): mode1res=0x8000 (0x8000)
>>> pci_cfgcheck: device 0 [class=06] [hdr=80] is there (id=02821106)
>>> pcibios: BIOS version 2.10
>>> pcib0: <MPTable Host-PCI bridge> pcibus 0 on motherboard
>>> pci0: <PCI Bus> on pcib0
>>> pci0: domain=0, physical bus=0
>>>
>>> There's no PCI cards plugged in, just the AGP video card.
>>>
>>> When I try booting the AMD64 ISO, the boot loader runs, I get the boot menu, and regardless of what boot options I give the kernel, I get the message "CPU doesn't support long mode" and then I get the OK prompt.
>>>
>>> I'm pretty sure it doesn't have a h/w problem, it'll boot and install Fedora 11, Win2K, WinXP, and runs every DOS based diagnostic app I can find with no problems.
>>>
>>> Anyone have any suggestions, or should I file a PR?
>>
>> Did you follow the suggestion on the release announcement of using the other CDs and switching before you start the install.
>
> Yes. None of the FreeBSD kernels will boot on this system.
>
> Doesn't matter if I use the livefs disk, or the install disk, it only gets as far as described above, then hangs.
>
> - ericr

I'll risk the flames, and say go back to basics. Make sure of the drive cabling and jumpers. I was reloading a home-grown nas the other day and the cable and jumpers gave me a bugger of a time. 7.2 would start to boot and then just hang. I unplugged everything except the harddrive on the primary and the optical drive on the secondary. After the OS was loaded, I was able move everything where I wanted.
Re: Can't boot 7.2-RELEASE i386 or AMD64 on an Abit KV8 Pro motherboard with Sempron 3100+ CPU
ericr wrote:

> On Sat, Jun 20, 2009 at 3:10 PM, Kent Stewart kstew...@owt.com wrote:
>
>> On Saturday 20 June 2009 11:00:45 am ericr wrote:
>>
>>> Hi,
>>>
>>> As the subject says, I can't get the 7.2-RELEASE i386 CD to boot on a system that has:
>>>
>>> Abit KV8 Pro (K8T800P-8237-6A7L1A1BC-26) motherboard with the most recent BIOS - BIOS release 26 4/20/2007 (
>>> <snip>
>>> Anyone have any suggestions, or should I file a PR?
>>
>> Did you follow the suggestion on the release announcement of using the other CDs and switching before you start the install.
>
> Yes. None of the FreeBSD kernels will boot on this system.
>
> Doesn't matter if I use the livefs disk, or the install disk, it only gets as far as described above, then hangs.
>
> - ericr

Can try leaving it for a few minutes at the hang:

http://www.freebsd.org/cgi/getmsg.cgi?fetch=1705690+0+/usr/local/www/db/text/2009/freebsd-questions/20090517.freebsd-questions

I got mine going by putting the hard disk in another machine, installing fbsd on that and building a kernel with most stuff taken out, after which I could boot my motherboard with that hard disk. Once it was booting I kept putting drivers back into the kernel until I found what was stopping it (device sbp in my case). You can use an external usb caddy and another machine with capability to boot from usb to do the same thing. You might have to modify /etc/fstab.

Chris
Re: you're not going to believe this.
On Mon, Jun 22, 2009 at 16:07, Gary Kline kl...@thought.org wrote:

> you guys aren't going to believe what i just found on the web for the ASUS Eee-901 [or is it the 900]. it was for the 9- and 10-inch screens. i was using konq which just segv'd so i am taking a break and thought i'd share this. last night, i could barely believe the ten-inch with a 40GB SSD. these mini-notebooks take two memory chips. they just plug in. i was googling around and found they have 32's and even 128's. so you can get 64 or up to 256Gigs of solid state disk ... not in a year or two (or five or six), but now.
>
> i'll double and triple check to make sure this isn't a sham, but they had a thing on you-tube...
>
> Oh, and next time i see the speech therapist, i'll lug my hugmongous thinkpad and demo what i've done with my scripts and flite 8 kilobux for a Doze speech dev my butt. with berkeley unix and open source tools, you can have it for a few hundred bux.
>
> gary

For a small unit like this, SSD is really nice.

But, for my workstations/servers, I'm wondering if a pure battery-backed RAM disk, in RAID1 with a regular hard drive, might be the real screamer.

Kurt
Re: you're not going to believe this.
>> and lifetime.
>
> Even a flash filesystem will have to do wear levelling.

Yes, but it doesn't have to copy blocks that are free. With disk emulation it doesn't know anything about the filesystem and doesn't know which blocks are free.
Re: What's happening
> Jun 23 17:09:09 zeus kernel: fxp0: link state changed to DOWN
> Jun 23 17:22:25 zeus kernel: fxp0: link state changed to UP

Look at the time. It's 13 minutes down.
Re: slowloris, accf_http and POST requests
On Tue, Jun 23, 2009 at 05:23:19PM +0200, Fabian Keil typed:

> Ruben de Groot mai...@bzerk.org wrote:
>
>> On Mon, Jun 22, 2009 at 05:35:56PM -0500, Dan Nelson typed:
>>
>>> In the last episode (Jun 22), Ruben de Groot said:
>>>
>>>> My main concern here is if applying the trivial patch I posted would break anything in the http protocol layer. And if not, why isn't the POST method included in the http accept filter in the first place?
>>>
>>> The filter wasn't designed to be an anti-DOS tool; it was an optimization to save some context switches at the beginning of every request. POSTs are
>>
>> I know this. But in this particular case, it *works* as an anti-DOS tool. And a pretty good one too.
>
> How did you verify this?

By using the slowloris script against my own servers. Running the script from a single client pc:

./slowloris.pl -dns myserver.domain.tld -port 80 -timeout 2000 -num 500 -tcpto 5 -httpready

brings apache to its knees. No more connections are accepted as there are already MaxClients processes running (150) and they're all just sitting there waiting.

With accf_http just slightly adjusted as posted, nothing happens at all. Apache just doesn't see the connections, even with multiple clients running the DOS. (Of course, there'll be memory buffers in the kernel filling, but from that I haven't seen any negative side effects yet)

> accf_http doesn't require a complete request but will also pass the connection to the userland if its buffer is full.

Haven't seen that, but it sounds sane.

> If you continue to send headers that will happen eventually and if you're impatient, you simply have to send a bit more headers at the beginning to reach the application faster.

Yes. A real and prolonged DDOS is hard to counter. And the accept filter was not designed for that. It was just an observation about this particular script.

cheers,
Ruben
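The symptom Ruben describes, one client holding MaxClients worth of half-finished connections open, shows up in the connection table long before it shows up in the Apache error log. Below is an added example, not code from the thread or from any of its posters, that counts ESTABLISHED connections to local port 80 per remote address in netstat -an style output and reports sources above a per-source threshold. The threshold, the function names and the sample netstat lines (built from documentation address ranges) are this example's own assumptions; the parser expects FreeBSD's IPv4 "address.port" column format and does not handle the IPv6 lines.

```shell
#!/bin/sh
# Added example (not from the list thread): find remote addresses holding an
# unusual number of simultaneous TCP connections to local port 80, which is
# the footprint of the slow-header connection hogging discussed above.

THRESHOLD=${THRESHOLD:-50}   # assumed per-source limit; tune it below MaxClients

# Read netstat -an lines on stdin; print "<remote-ip> <count>" for every
# source with at least $1 ESTABLISHED connections to local port 80,
# highest count first. Non-TCP lines, LISTEN sockets and other local
# ports are ignored.
http_conn_hogs() {
    limit="$1"
    awk -v limit="$limit" '
        $1 ~ /^tcp/ && $NF == "ESTABLISHED" && $4 ~ /\.80$/ {
            # FreeBSD netstat prints addr.port; drop the trailing port field
            ip = $5
            sub(/\.[0-9]+$/, "", ip)
            n[ip]++
        }
        END {
            for (ip in n)
                if (n[ip] >= limit)
                    printf "%s %d\n", ip, n[ip]
        }
    ' | sort -k2,2nr
}

# Constructed sample (assumed, not a real capture): 203.0.113.7 is parked on
# 150 connections, 198.51.100.2 has an ordinary browsing session plus ssh.
sample_netstat() {
    i=0
    while [ "$i" -lt 150 ]; do
        echo "tcp4       0      0 192.0.2.10.80          203.0.113.7.$((40000 + i))    ESTABLISHED"
        i=$((i + 1))
    done
    for p in 51000 51001 51002; do
        echo "tcp4       0      0 192.0.2.10.80          198.51.100.2.$p       ESTABLISHED"
    done
    echo "tcp4       0      0 192.0.2.10.22          198.51.100.2.51003    ESTABLISHED"
    echo "tcp4       0      0 *.80                   *.*                    LISTEN"
}

sample_netstat | http_conn_hogs "$THRESHOLD"
```

On a live host the same function is fed with `netstat -an | http_conn_hogs 50`. With accf_http holding the connections in the kernel, as in Ruben's setup, this is also the only place they are visible at all, because Apache never receives them; a source that trips the threshold is a candidate for a pf rate-limit or block rule rather than for Apache-side tuning.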
Certified Hardware
Hi,

Is it possible for you to provide us with an updated hardware certified vendor list for FreeBSD. We would like to know if FreeBSD is supported on HP Blades and which models, network cards, HBA cards for connecting to SAN's. Any help will be greatly appreciated. We need this information as soon as possible. The current supported hardware vendor list on the web site does not appear to be current and does not include many other vendors.

Looking forward to hearing from you.

Kind Regards,
Rhett Thompson
Re: Certified Hardware
On Tue, Jun 23, 2009 at 3:18 PM, Thompson, Rhett rhett.thomp...@soroc.com wrote:

> Hi,
>
> Is it possible for you to provide us with an updated hardware certified vendor list for FreeBsd. We would like to know if FreeBSD is supported on HP Blades and which models, network cards, HBA cards for connecting to SAN's. Any help will be greatly appreciated. We need this information as soon as possible. The current supported hardware vendor list on the web site does not appear to be current and does not include many other vendors.
>
> Looking forward to hearing from you.

http://www.freebsd.org/doc/en_US.ISO8859-1/books/faq/hardware.html

-- 
Glen Barber
Re: you're not going to believe this.
On Tue, Jun 23, 2009 at 12:22:19PM -0700, Kurt Buff wrote:

> On Mon, Jun 22, 2009 at 16:07, Gary Kline kl...@thought.org wrote:
>
> For a small unit like this, SSD is really nice.
>
> But, for my workstations/servers, I'm wondering if a pure battery-backed RAM disk, in RAID1 with a regular hard drive, might be the real screamer.

battery-backed ram sound great for the time being! if not now [this minute], then relatively soon, i'm guessing within a few years somebody will have a solid-state device that emulates the current mechanical technology. it will wind up being considerably faster than the current drives and suck Much less juice.

oh yeah, and in a few years *every* computer will have a battery back up --not just our laptops. after some N minutes everything will be saved. much less lost data due to sudden power outtages.

gary

> Kurt

-- 
Gary Kline kl...@thought.org http://www.thought.org Public Service Unix
http://jottings.thought.org
http://transfinite.thought.org
For FBSD list: http://transfinite.thought.org/slicejourney.php
The 4.98a release of Jottings: http://jottings.thought.org/index.php
Re: Best practices for securing SSH server
> A port-knocking sequence is really nothing different than a shared password.

Technically and conceptually, that's true. But practically, I'm not sure you're right. If in addition to attempting to enumerate the space of possible passwords, an attacker also enumerates the space of possible port-knocking sequences, then, yes, you're right. But I am willing to bet that the vast majority of attackers DO NOT attempt this. For this reason, I think well-designed port-knocking DOES add significant strength to the server.

If I'm misunderstanding port-knocking, please jump in and correct me...
Re: you're not going to believe this.
On Tue, Jun 23, 2009 at 09:46:01PM +0200, Wojciech Puchar wrote:

>>> and lifetime.
>>
>> Even a flash filesystem will have to do wear levelling.
>
> yes - but it don't have to copy blocks that are free. with disk emulation - it doesn't know anything about filesystem and don't know what blocks are free.

If it is swapping from heavily used blocks to lightly used blocks then so what if there is an unnecessary read/write? Perhaps it's harder to determine if unused than to simply move the data. I seem to recall something like this in comments in the FreeBSD virtual memory manager in 6.0-RELEASE.

Don't want to leave the old data laying around for security reasons so even if the blocks are unused the formerly heavily used blocks need to be scrubbed.

As I originally said to Gary Kline, Don't let someone scare you away from the 99.8% solution waiting on the 99.9% solution.

-- 
David Kelly N4HHE, dke...@hiwaay.net
Whom computers would destroy, they must first drive mad.
Re: Best practices for securing SSH server
Daniel Underwood wrote:
> > A port-knocking sequence is really nothing different than a shared password.
> Technically and conceptually, that's true. But practically, I'm not sure you're right. If in addition to attempting to enumerate the space of possible passwords, an attacker also enumerates the space of possible port-knocking sequences, then, yes, you're right. But I am willing to bet that the vast majority of attackers DO NOT attempt this. For this reason, I think well-designed port-knocking DOES add significant strength to the server.

You're right, as long as port-knocking as a first pass authentication scheme is not in widespread use, then any attackers will not waste time port-knocking. If ever port-knocking becomes common, attackers will adapt and start knocking. Or: if you want to keep port-knocking useful then don't recommend it to anyone!

I think it is a bad idea, a wrong route to go. I think that there are so many other options for improving security that are well tested, much easier to deploy, cause less user annoyance etc etc.

Since, as said, the knocking sequence is a shared secret, the more users you have the more likely it will be disclosed, and the more difficult it is to distribute new knocking sequences as more users are affected. More complexity, more possible failures and errors means more resources spent on user support, and more resources spent on configuring the new toy. Resources that could be well spent on improving actual security and monitoring actual threats.

You may deploy port-knocking at home for your own curiosity, but it has no value on your curriculum.

BR, Erik

--
Erik Nørgaard Ph: +34.666334818/+34.915211157 http://www.locolomo.org
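As an added illustration of the point Daniel and Erik are arguing about above (a knock sequence is a shared secret, and what an attacker has to do is governed by how that secret is checked), here is a minimal knock verifier in Python. It is not code from the thread or from portknocking.org; the sequence, the time window, the event format and the sample addresses are all assumptions made for the example. It also shows two things worth checking before relying on such a scheme: how failed knocks would be counted and logged, and that a static sequence observed once can be replayed from any other address.

```python
"""Minimal port-knock verifier: a shared secret checked by a per-source state machine.

Added example; the sequence, window and traffic below are assumptions, not data from the thread.
"""
from collections import defaultdict
from math import log2

KNOCK_SEQUENCE = (7000, 8000, 9000)   # assumed shared secret
KNOCK_WINDOW = 10.0                   # seconds allowed between first and last knock (assumed)


class KnockVerifier:
    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW):
        self.sequence = tuple(sequence)
        self.window = window
        self.progress = {}              # src -> (knocks matched so far, time of first knock)
        self.failed = defaultdict(int)  # src -> wrong or expired knocks (what you would log)
        self.opened = []                # (timestamp, src) pairs that completed the sequence

    def knock(self, ts, src, port):
        """Feed one SYN to a filtered port. Returns True when src completes the sequence."""
        matched, started = self.progress.get(src, (0, None))
        if matched and ts - started > self.window:
            # Too slow: the partial sequence expires and counts as a failure.
            self.failed[src] += 1
            matched, started = 0, None
        if port != self.sequence[matched]:
            # Wrong port (or a plain port scan): this source starts over.
            self.failed[src] += 1
            self.progress.pop(src, None)
            return False
        if matched == 0:
            started = ts
        matched += 1
        if matched == len(self.sequence):
            self.opened.append((ts, src))
            self.progress.pop(src, None)
            return True
        self.progress[src] = (matched, started)
        return False

    def run(self, events):
        """events: iterable of (ts, src, dst_port). Returns the set of sources that got in."""
        return {src for ts, src, port in events if self.knock(ts, src, port)}


def knock_search_space(length, ports=65535):
    """Size of the secret space for a length-n knock, and the same figure in bits."""
    size = ports ** length
    return size, log2(size)


# Constructed sample traffic (not a real capture): a legitimate client, a sequential port
# scanner, an out-of-order guess, a client that is too slow, and an observer who replays
# the exact sequence it sniffed from the legitimate client.
SAMPLE_EVENTS = [
    (0.0, "203.0.113.5", 7000), (0.5, "203.0.113.5", 8000), (1.0, "203.0.113.5", 9000),
    (2.0, "198.51.100.9", 7000), (2.1, "198.51.100.9", 7001), (2.2, "198.51.100.9", 7002),
    (3.0, "198.51.100.10", 8000), (3.1, "198.51.100.10", 7000), (3.2, "198.51.100.10", 9000),
    (4.0, "198.51.100.11", 7000), (20.0, "198.51.100.11", 8000), (20.5, "198.51.100.11", 9000),
    (30.0, "198.51.100.77", 7000), (30.1, "198.51.100.77", 8000), (30.2, "198.51.100.77", 9000),
]


def demo(events=SAMPLE_EVENTS):
    """Run the sample traffic; returns (sources admitted, failed-knock counts per source)."""
    verifier = KnockVerifier()
    admitted = verifier.run(events)
    return admitted, dict(verifier.failed)


if __name__ == "__main__":
    admitted, failed = demo()
    print("admitted:", sorted(admitted))
    print("failed knocks:", failed)
    print("search space for 3 knocks: %d (%.1f bits)" % knock_search_space(3))
```

The search-space figure is an upper bound on guessing cost only: the sequence travels in clear text in the TCP SYNs, so anyone on the path gets it for free, which is why the replayed knock from 198.51.100.77 in the sample opens the door exactly as the legitimate one does. The failure counter is the log Bill asks about further down the thread; a scanner walking ports in order never completes the sequence but does show up there.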
Re: you're not going to believe this.
On Tue, Jun 23, 2009 at 01:10:41PM -0700, Gary Kline wrote:
> battery-backed ram sound great for the time being! if not now [this minute], then relatively soon, i'm guessing within a few years somebody will have a solid-state device that emulates the current mechanical technology. it will wind up being considerably faster than the current drives and suck Much less juice.

We are already there. SSDs are not slower than mechanical disk drives, they are faster. The only detriments are 1) cost, 2) limited write life.

--
David Kelly N4HHE, dke...@hiwaay.net
Whom computers would destroy, they must first drive mad.
RE: What's happening
There's not NEARLY enough info in OP to answer this - I can't believe anyone is even trying. It could be many dozen different things.

-Original Message-
From: owner-freebsd-questi...@freebsd.org [mailto:owner-freebsd-questi...@freebsd.org] On Behalf Of Wojciech Puchar
Sent: Tuesday, June 23, 2009 2:47 PM
To: Robert Huff
Cc: FreeBSD-Questions@freebsd.org
Subject: Re: What's happening

> > Jun 23 17:09:09 zeus kernel: fxp0: link state changed to DOWN
> > Jun 23 17:22:25 zeus kernel: fxp0: link state changed to UP
> look at time. it's 13 minutes down

This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system.
Re: you're not going to believe this.
On Tue, Jun 23, 2009 at 13:59, David Kelly dke...@hiwaay.net wrote:
> On Tue, Jun 23, 2009 at 01:10:41PM -0700, Gary Kline wrote:
> > battery-backed ram sound great for the time being! if not now [this minute], then relatively soon, i'm guessing within a few years somebody will have a solid-state device that emulates the current mechanical technology. it will wind up being considerably faster than the current drives and suck Much less juice.
> We are already there. SSDs are not slower than mechanical disk drives, they are faster. The only detriments are 1) cost, 2) limited write life.

Not completely there, AFAIK - FlashRAM write speeds are still significantly slower than standard RAM. Of course, standard RAM is significantly more expensive than FlashRAM, especially with the battery backup, but it doesn't have the limited write life.

Kurt
Re: you're not going to believe this.
On Tue, 23 Jun 2009 15:59:44 -0500, David Kelly dke...@hiwaay.net wrote:
> We are already there. SSDs are not slower than mechanical disk drives, they are faster. The only detriments are 1) cost, 2) limited write life.

What about power consumption? Because they seem to be primarily intended for portable devices, it should be better than traditional hard disks, but as I read, it's worse (less efficient, because higher current drain).

--
Polytropon
From Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
Re: upgrading installed ports: time to do it ?
RW wrote:
> On Mon, 22 Jun 2009 20:58:41 +0100 Chris Whitehouse cwhi...@onetel.com wrote:
> > I'll probably get flamed for this but since I've been using ports-mgmt/portmanager I've almost forgotten about /usr/ports/UPDATING and all that pkgdb -Fu stuff or whatever it was. I've upgraded ports just by doing 'portmanager -u' over one or two quite major changes and not had any problems that haven't been down to individual ports.
> You still need to read UPDATING, portmanager handles some of the issues automatically, but not all.

Not trolling but can you give me some examples?

Chris
Re: Best practices for securing SSH server
In response to Erik Norgaard norga...@locolomo.org:
> Bill Moran wrote:
> > In response to Erik Norgaard norga...@locolomo.org:
> > > - dynamically updating firewall rules on the interface facing the Internet is not on my list of good practices. loading or flushing rules continuously is the recipe for service interruption or exposing your server to the net.
> > What crappy firewall are you using that needs flushed or reloaded to update rules? Has your packet filtering software been updated since the 80s?
> Whether you flush or add rules to ipf or update tables in pf etc. you are modifying your firewall live.

There's a _HUGE_ difference between reloading the entire ruleset and updating a table. Don't trivialize that difference.

> > > - nor is having a sniffer daemon putting the network interface in promiscuous mode, a daemon that listens on lots of ports! that really sounds attractive. (yup: that's the latest version on portknocking.org).
> > Listening on multiple ports is not synonymous with promiscuous interfaces. You should take some time to understand the difference between those two techniques.
> I do, you can put your interface in promiscuous mode and let the daemon grab packets before they are filtered by the firewall, or open in your firewall for a range of ports your knock daemon will listen to. In either case you add an extra daemon, an extra point of failure, an extra piece of code that can undermine your security.

In your earlier message you argued that promiscuous mode is a bad idea, and when I show that it's not the case, you magically change your argument to be about extra processes running. Please keep your argument consistent.

> > > And it can result in people being unable to access if the knocks are filtered at the source.
> > Which can happen anyway if you have an ISP who filters out ssh traffic (which isn't unheard of).
> There's no point in adding this argument, in that case you have no connection with or without port knocking. Sticking to standard protocols on standard ports is the best way to ensure your ISP doesn't get in your way.

Both false. Quite frequently I've moved services to a nonstandard port because it was the _only_ way to get a service. ... and the _best_ way to ensure your ISP doesn't pull that kind of crap on you is to use an ISP that won't do that. Not everyone has that option, though.

> > What _is_ accomplished by both using a nonstandard port and using knock techniques, is that you don't have the annoyance of all those botnets filling up your logs with attempts to log in as root (if you don't monitor your access logs daily, then I don't want to hear any argument about this). With a knock solution, or running on a nonstandard port, then you know that any login attempts are serious attack attempts, and not just some random, mindless bots.
> I must be in the safe end of the internet, I don't get that many logs.

Must be. I get multiple attacks per day.

> So your argument about port knocking boils down to getting rid of some log entries, while annoying your users?

Nay. It boils down to making log entries _useful_. And if your users are annoyed, you're not doing your job. Something like PuTTY (for example) allows you to set up a profile. Just set the port in the profile and the user never need remember it again. And if catering to users who don't know how to switch ports is more important than making your logs useful, then do that instead. I'm not arguing that it's the correct solution for everyone, I'm simply arguing that it's not totally useless, which seems to be your point.

> Now, how about your logs of failed port knocking attempts? Because, you log that, right? If your idea gains traction, then attackers will start knocking ports randomly ... you'll just have those logs filling up instead.

Once attackers start trying random keys instead of passwords, will you abandon PKI as well? Security has been, and always will be, keeping one step ahead of your attackers. Take the opinion that you can't stay ahead of them, and you've already lost the war.

> > If you're doing proper security monitoring, then reducing that log load is worthwhile.
> if this is your main concern, why don't you just filter out the failed attempts? after all they failed. If you do proper security monitoring, your tools can be tuned to look at the interesting part of the logs.

Because a successful attack is already too late. I want to know who is _attempting_ to break in and prevent them from having additional time to keep trying.

> There are other tricks that work well too, take a look at LoginGraceTime MaxAuthTries MaxSessions MaxStartups

All of these are valid _parts_ of a comprehensive security approach to SSH. Any one of them alone is not very strong, but combine them with a strong password policy and other tools, and you'll have a site that's very secure.

Also, very effective, identify address ranges
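The four sshd_config keywords Erik lists above, together with the root-login bots Bill mentions and the password-versus-key question from the start of the thread, can be checked mechanically. As an added example (not code from the thread or from OpenSSH), here is a Python audit of the global section of an sshd_config against those settings, run over a constructed weak and a constructed hardened configuration. The defaults and the thresholds are assumptions chosen for this example; sshd_config(5) for your release is authoritative, and `sshd -t -f FILE` validates syntax that this parser does not.

```python
"""Audit the global section of an sshd_config for the knobs discussed in the thread.

Added example, not from the thread. DEFAULTS are OpenSSH's documented defaults as assumed
here; check sshd_config(5) for the version you actually run.
"""

DEFAULTS = {
    "logingracetime": "120",
    "maxauthtries": "6",
    "maxsessions": "10",
    "maxstartups": "10:30:100",
    "passwordauthentication": "yes",
    "permitrootlogin": "yes",   # releases of that era; newer ones default to prohibit-password
}


def parse_sshd_config(text):
    """Return {keyword: value} for the global section of an sshd_config.

    Keywords are case-insensitive, '#' starts a comment, 'Keyword value' and
    'Keyword=value' are both accepted, the FIRST value seen wins, and everything from
    the first Match block onward is skipped (conditional overrides are out of scope).
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 1 and "=" in parts[0]:      # "Keyword=value" form
            parts = parts[0].split("=", 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].lstrip("= ").strip()
        if key == "match":
            break
        effective.setdefault(key, value)             # first value wins
    return effective


def seconds(value):
    """LoginGraceTime accepts sshd_config time formats such as 30, 30s, 2m, 1h."""
    units = {"s": 1, "m": 60, "h": 3600}
    value = value.strip().lower()
    if value[-1] in units:
        return int(value[:-1]) * units[value[-1]]
    return int(value)


def audit_sshd_config(text):
    """Return {Keyword: finding} for settings that give a brute-forcer more room than needed."""
    cfg = parse_sshd_config(text)

    def get(key):
        return cfg.get(key, DEFAULTS[key])

    findings = {}
    grace = seconds(get("logingracetime"))
    if grace > 30:
        findings["LoginGraceTime"] = ("%ds: an unauthenticated connection may hold a slot this "
                                      "long; 30s or less is plenty for a key login" % grace)
    tries = int(get("maxauthtries"))
    if tries > 3:
        findings["MaxAuthTries"] = "%d guesses per connection; 3 covers a key plus a typo" % tries
    start, _, rate_full = get("maxstartups").partition(":")
    if not rate_full:
        findings["MaxStartups"] = ("%s alone only refuses connections once that many are pending; "
                                   "start:rate:full adds random early drop" % start)
    sessions = int(get("maxsessions"))
    if sessions > 10:
        findings["MaxSessions"] = "%d multiplexed sessions per connection exceeds the default" % sessions
    if get("permitrootlogin").lower() == "yes":
        findings["PermitRootLogin"] = "yes: every bot tries root first; log in as a user and su"
    if get("passwordauthentication").lower() == "yes":
        findings["PasswordAuthentication"] = "yes: passwords can be guessed online; use keys, set no"
    return findings


# Constructed sample configurations (not taken from any real host).
WEAK_CONFIG = """
# mostly stock settings plus the lines people add to 'make it work'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
LoginGraceTime 2m
X11Forwarding yes
"""

HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
LoginGraceTime 30
MaxAuthTries 3
MaxSessions 2
MaxStartups 3:50:10
AllowUsers laptop    # placeholder user name for the example
X11Forwarding yes
MaxAuthTries 10      # later duplicate: ignored, the first value wins
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or "no findings")
```

Two details of the parser are the ones that bite in practice: the first value of a keyword wins, so a hardening line appended at the bottom of a stock file changes nothing if the keyword already appears above it, and a `Match` block can re-enable something (here password logins for one user) that the global section turned off, which is why the audit stops there rather than pretending to evaluate it.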
Re: What's happening
Well, sorta true. We know that he lost connectivity for 13 minutes. As you said, there are many reasons why this might be so, and several were suggested. The two most likely are:

1) power loss to the switch
2) somebody disconnected the cable, then replaced it

Clearly, however, it isn't port negotiation - not over 13 minutes.

Unfortunately, he probably doesn't have a central syslog server that collects data from hosts and other equipment, because that's the only way to tell for sure. Things like UPS power loss/fluctuation notifications, switch bootup notifications, etc., in the syslog would provide the necessary data.

Kurt

On Tue, Jun 23, 2009 at 14:00, Gary Gatten ggat...@waddell.com wrote:
> There's not NEARLY enough info in OP to answer this - I can't believe anyone is even trying. It could be many dozen different things.
>
> -Original Message-
> From: owner-freebsd-questi...@freebsd.org [mailto:owner-freebsd-questi...@freebsd.org] On Behalf Of Wojciech Puchar
> Sent: Tuesday, June 23, 2009 2:47 PM
> To: Robert Huff
> Cc: FreeBSD-Questions@freebsd.org
> Subject: Re: What's happening
>
> > > Jun 23 17:09:09 zeus kernel: fxp0: link state changed to DOWN
> > > Jun 23 17:22:25 zeus kernel: fxp0: link state changed to UP
> > look at time. it's 13 minutes down
Re: upgrading installed ports: time to do it ?
Jerry wrote:
> On Mon, 22 Jun 2009 20:58:41 +0100 Chris Whitehouse cwhi...@onetel.com wrote:
> > I'll probably get flamed for this but since I've been using ports-mgmt/portmanager I've almost forgotten about /usr/ports/UPDATING and all that pkgdb -Fu stuff or whatever it was. I've upgraded ports just by doing 'portmanager -u' over one or two quite major changes and not had any problems that haven't been down to individual ports.
> >
> > I've never seen any reasons given for not using portmanager, just it seems to be getting quietly deprecated, which is a shame because it works supremely well. Having said that why not check out http://freebsd-custom.wikidot.com/, the new binary ports upgrade system and save yourself a bunch of compile time.
> >
> > Chris
> I use it myself, It just works. I would also add -p -l to the command line. that way you have a log created if something does go wrong. It will also fix up any outdated dependencies.

I do use logging. In fact I do 'portmanager -s somefile', extract a list of ports to be upgraded and run the list through a loop which does 'make config' for each port, _then_ run 'portmanager -l -u' so it runs completely unattended. It does indeed just work, which is down to the way it works out to do leaf ports first and work backwards. portmaster looks like it has some nice features, including doing all the configs first, but I don't know if it does as good a job as portmanager in deciding what order to do things.

Chris
Re: you're not going to believe this.
On Tue, Jun 23, 2009 at 01:10:41PM -0700, Gary Kline wrote:
> On Tue, Jun 23, 2009 at 12:22:19PM -0700, Kurt Buff wrote:
> > On Mon, Jun 22, 2009 at 16:07, Gary Kline kl...@thought.org wrote:
> > > For a small unit like this, SSD is really nice. But, for my workstations/servers, I'm wondering if a pure battery-backed RAM disk, in RAID1 with a regular hard drive, might be the real screamer.
> battery-backed ram sound great for the time being!

The downside is low capacity: 4-8 RAM modules, limiting these devices to 64GiB. And they consume more power than HDDs when idle! [http://techreport.com/articles.x/16255/11]

> if not now [this minute], then relatively soon, i'm guessing within a few years somebody will have a solid-state device that emulates the current mechanical technology. it will wind up being considerably faster than the current drives and suck Much less juice.

Intel's X25 is already faster [http://www.intel.com/design/flash/nand/extreme/index.htm] and consumes less electricity than a HDD [http://techreport.com/articles.x/16255/11]. Of course RAM-based disks kick ass when writing files. [http://techreport.com/articles.x/16255/6]

> oh yeah, and in a few years *every* computer will have a battery back up --not just our laptops. after some N minutes everything will be saved. much less lost data due to sudden power outages.

I don't think so. Not every part of the world suffers from regular power outages. And efficient batteries require rare raw materials like lithium, with demand far outstripping winnable reserves.

Roland

--
R.F.Smith http://www.xs4all.nl/~rsmith/ [plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
Re: upgrading installed ports: time to do it ?
On Tuesday 23 June 2009 23:21:21 Chris Whitehouse wrote:
> RW wrote:
> > On Mon, 22 Jun 2009 20:58:41 +0100 Chris Whitehouse cwhi...@onetel.com wrote:
> > > I'll probably get flamed for this but since I've been using ports-mgmt/portmanager I've almost forgotten about /usr/ports/UPDATING and all that pkgdb -Fu stuff or whatever it was. I've upgraded ports just by doing 'portmanager -u' over one or two quite major changes and not had any problems that haven't been down to individual ports.
> > You still need to read UPDATING, portmanager handles some of the issues automatically, but not all.
> Not trolling but can you give me some examples?
>
> Chris

Yes. I think there is at least one. Please, consider to correct me if I am wrong. Yesterday, reading the contents of /usr/src/UPDATING in the source tree (using portupdate-scan) I found:

[...]
20090608:
  AFFECTS: users of lang/python* and py-*
  AUTHOR: m...@freebsd.org

  The default version of Python has been changed from 2.5.x to 2.6.x. If you have 2.5.x installed, perform an upgrade of lang/python25 to lang/python26 with the following command:
[...]

Can portmanager know that the default version of a port has been changed and then you need to do the upgrade to the newer major version? And if it can know that... can also portmanager know that

[...]
  Once the installed Python has been updated to 2.6, by using the method above, it is required to run the upgrade-site-packages target in lang/python to assure that site-packages are made available to the new Python version.
[...]

? If, otherwise, using portmanager you end up with a newer version of python 2.5 (for example)... are you sure that every upgrade in the future will work flawlessly? After reading the UPDATING file a guy will

[...]
  set the PYTHON_DEFAULT_VERSION variable to 'python2.5' without quotes in make.conf, then go to lang/python and perform the following command:
[...]

will portmanager do the same?

d
RE: What's happening
Since we're speculating, could be the switch disabled the port due to a security event of some sort (flapping, bpdu guard/filter, etc.) and it's configured to auto-enable after n minutes. It's all speculation without more info. If this is the only info available, it's nearly worthless.

-Original Message-
From: owner-freebsd-questi...@freebsd.org [mailto:owner-freebsd-questi...@freebsd.org] On Behalf Of Kurt Buff
Sent: Tuesday, June 23, 2009 4:24 PM
To: freebsd-questions@freebsd.org
Subject: Re: What's happening

> Well, sorta true. We know that he lost connectivity for 13 minutes. As you said, there are many reasons why this might be so, and several were suggested. The two most likely are:
>
> 1) power loss to the switch
> 2) somebody disconnected the cable, then replaced it
>
> Clearly, however, it isn't port negotiation - not over 13 minutes.
>
> Unfortunately, he probably doesn't have a central syslog server that collects data from hosts and other equipment, because that's the only way to tell for sure. Things like UPS power loss/fluctuation notifications, switch bootup notifications, etc., in the syslog would provide the necessary data.
>
> Kurt
>
> On Tue, Jun 23, 2009 at 14:00, Gary Gatten ggat...@waddell.com wrote:
> > There's not NEARLY enough info in OP to answer this - I can't believe anyone is even trying. It could be many dozen different things.
> >
> > -Original Message-
> > From: owner-freebsd-questi...@freebsd.org [mailto:owner-freebsd-questi...@freebsd.org] On Behalf Of Wojciech Puchar
> > Sent: Tuesday, June 23, 2009 2:47 PM
> > To: Robert Huff
> > Cc: FreeBSD-Questions@freebsd.org
> > Subject: Re: What's happening
> >
> > > > Jun 23 17:09:09 zeus kernel: fxp0: link state changed to DOWN
> > > > Jun 23 17:22:25 zeus kernel: fxp0: link state changed to UP
> > > look at time. it's 13 minutes down
Re: you're not going to believe this.
On Tue, Jun 23, 2009 at 11:12:05PM +0200, Polytropon wrote:
> On Tue, 23 Jun 2009 15:59:44 -0500, David Kelly dke...@hiwaay.net wrote:
> > We are already there. SSDs are not slower than mechanical disk drives, they are faster. The only detriments are 1) cost, 2) limited write life.
> What about power consumption? Because they seem to be primarily intended for portable devices, it should be better than traditional hard disks, but as I read, it's worse (less efficient, because higher current drain).

Don't think generic generalizations can be made this early in the life of the technology. Shop for SSDs while looking at the properties that interest you.

In general, reading is much faster than for mechanical HD. Also seek time is nil. And read power consumption is low. A serious contender for use in servers where lots of unchanging data is needed quickly. Probably not as good of an idea for use in a mail server, but ideal for a web server.

--
David Kelly N4HHE, dke...@hiwaay.net
Whom computers would destroy, they must first drive mad.
Re: Best practices for securing SSH server
Bill Moran wrote:
> In response to Erik Norgaard norga...@locolomo.org:
> > Bill Moran wrote:
> > > In response to Erik Norgaard norga...@locolomo.org:
> > I do, you can put your interface in promiscuous mode and let the daemon grab packets before they are filtered by the firewall, or open in your firewall for a range of ports your knock daemon will listen to. In either case you add an extra daemon, an extra point of failure, an extra piece of code that can undermine your security.
> In your earlier message you argued that promiscuous mode is a bad idea, and when I show that it's not the case, you magically change your argument to be about extra processes running. Please keep your argument consistent.

My argument is consistent: I still think promiscuous mode is a bad idea as it allows to circumvent the firewall. I then argue that the alternative is also a bad idea since, while you may have got rid of the promiscuous mode problem which in itself is a bad idea, you still introduce a service that will need to listen on a number of ports. The alternative is to have a daemon parsing firewall log files, this is the old solution which has been abandoned if you check portknocking.org

> > > > And it can result in people being unable to access if the knocks are filtered at the source.
> > > Which can happen anyway if you have an ISP who filters out ssh traffic (which isn't unheard of).
> > There's no point in adding this argument, in that case you have no connection with or without port knocking. Sticking to standard protocols on standard ports is the best way to ensure your ISP doesn't get in your way.
> Both false. Quite frequently I've moved services to a nonstandard port because it was the _only_ way to get a service.

Please read again. I here argue against port knocking not against running on a non-standard port. If you have a problem running your ssh on some port - standard or not - then you will likely also have trouble getting port-knocking working. If you don't have a problem running your ssh on the standard port, then you may still find problems deploying port-knocking. Your argument is logically inconsistent.

> ... and the _best_ way to ensure your ISP doesn't pull that kind of crap on you is to use an ISP that won't do that. Not everyone has that option, though.

The best way to get your ISP to allow connections is to use standard well documented protocols on standard ports as it is fairly easy to convince them that this is a standard service and should be enabled. And it's not only ISPs, it's also the other sites your users visit, businesses that may employ their policies. The more you divert from standards the more likely you are to have your connection blocked by a policy somewhere, and the more difficulty you'll have convincing that a change should be made.

> > So your argument about port knocking boils down to getting rid of some log entries, while annoying your users?
> Nay. It boils down to making log entries _useful_. And if your users are annoyed, you're not doing your job. Something like PuTTY (for example) allows you to set up a profile. Just set the port in the profile and the user never need remember it again.

Yes, changing to a non-standard port is not excessively annoying and I agree that this measure cannot compromise the security. But I think port-knocking is annoying, it may cause security problems and it does not add any real security.

> And if catering to users who don't know how to switch ports is more important than making your logs useful, then do that instead. I'm not arguing that it's the correct solution for everyone, I'm simply arguing that it's not totally useless, which seems to be your point.

It is security by obscurity not adding any real security but potentially worsening it or causing denial of service - not in the sense of DOS attacks but in the sense that it doesn't allow ordinary users to login and get stuff done.

> > Now, how about your logs of failed port knocking attempts? Because, you log that, right? If your idea gains traction, then attackers will start knocking ports randomly ... you'll just have those logs filling up instead.
> Once attackers start trying random keys instead of passwords, will you abandon PKI as well?

Bad example. The only valid point you have demonstrated thus far is that you get fewer log entries. I am not convinced that this compensates for the problems you face deploying it. And, then also I argue that your only valid point only remains valid as long as I am correct in my analysis

> Security has been, and always will be, keeping one step ahead of your attackers. Take the opinion that you can't stay ahead of them, and you've already lost the war.

Best way to stay ahead is to deploy solutions that add real security and not solutions that add complexity and obscurity.

> > if this is your main concern, why don't you just filter out the failed attempts? after all they failed. If you do proper security
Re: 3d video driver for x1950 / Dawn of war via wine
On Tue, Jun 23, 2009 at 09:54:02PM +, Brad Davison wrote:
> I have a 7.2-RELEASE system for audio processing (Ardour, JACK, etc.) running on a dual Xeon 2.8, 2gb ram drm0: ATI Radeon X1950 on vgapci0 with xorg7.4_2 xorg-server-1.16.1,1 xfce-4.6.1 I was wondering if I was using the right driver for video. I have run glxgears, and I get 3d, I can play 'tuxracer' which is a 3d game, when I do a glxinfo, I get direct rendering: Yes (full glxinfo and xvinfo attached). I am just running the 'radeon' driver.

Both the xf86-video-ati and xf86-video-radeonhd from ports should work with this release and hardware. I'm using radeonhd on an X1650. Works fine.

> I had read a really old thread in the FreeBSD wiki saying that the x1950 should be using the radeondrm driver. (which I do not have, I tried changing that in my xorg.conf and it told me that the module does not exist.

This is referring to the radeon/drm kernel modules. Since you get direct rendering, I'm assuming you already have those modules loaded or built into the kernel. I have the following modules loaded:

slackbox:~ kldstat
Id Refs Address Size Name
18 0x8010 681588 kernel
22 0x80782000 ee78 agp.ko
32 0x80791000 220f8 drm.ko
41 0x807b4000 71110 radeon.ko

(This won't show drivers built into the kernel)

> I have wine-1.1.24,1, and in the downtimes, I'd really love to be able to play Dawn of War, which has Platinum rating in wine, but I get an error that my video driver is not supported as well as:
> fixme:win:EnumDisplayDevicesW ((null),0,0xb2ec58,0x), stub!
> fixme:gl_compat:add_gl_compat_wrappers GL implementation supports GL_ARB_fragment_program but not GL_EXT_fog_coord
> fixme:gl_compat:add_gl_compat_wrappers The fog coord emulation will most likely fail

This is probably a bug in wine: http://archives.free.net.ph/message/20080418.104819.53073efd.en.html

Roland

--
R.F.Smith http://www.xs4all.nl/~rsmith/ [plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
The worldwide search for CircusPrincess 2009 is on!
The worldwide search for CircusPrincess 2009 is on! The CircusPrincess, a fairytale come true, is no ordinary circus. It's the ultimate celebration of female grace, beauty and talent. And now, for the first time in history, we're inviting the global Internet audience to join us in the nomination, voting and selection process.

We're searching for the most entertaining, completely original female circus act or performance. You can perform by yourself or with a group, on land or in the air - whether you're an acrobat, comedian, dancer, singer or an entirely new type of performer. Apply now on our website for the chance to be one of 14 finalists. The winner will receive a prize, the title of CircusPrincess 2009, a three-month contract with Circus Scott, a distinctive, irreplaceable Kosta Boda trophy and the prestige of being recognized as the best female circus performer in the world.

Buy your tickets today to reserve your seats for one of five amazing evenings! To browse through the history of past performances, view the contributions or book tickets, simply visit cirkusprinsessan2009.se

Welcome to the greatest show on earth!

/ Robert Bronet
Re: Certified Hardware
On Tue, Jun 23, 2009 at 03:18:33PM -0400, Thompson, Rhett wrote:
> Is it possible for you to provide us with an updated hardware certified vendor list for FreeBsd.

There is no such thing, AFAIK. The volunteers who form the FreeBSD project spend their time improving FreeBSD, not doing formal certification tests. That should be the job of the vendor. The hardware vendors list that you can find on the site [http://www.freebsd.org/commercial/hardware.html] is driven by submissions from the vendors.

> We would like to know if FreeBSD is supported on HP Blades and which models, network cards, HBA cards for connecting to SAN's.

First, ask the vendors of the hardware in question. If they are unwilling or unable to give an answer, would you want to buy their stuff?

If you want information on particular models of hardware, search through the archives of the freebsd-questions list. If problems exist with particular models, that is where it will probably turn up first. If you have specific questions, you can ask on the list. Or use zgrep to search the manual pages in the drivers category (/usr/share/man/man4).

If you want a particular piece of hardware supported, you could hire a developer to do that for you. Maybe ask on the hackers@ list.

Roland

--
R.F.Smith http://www.xs4all.nl/~rsmith/ [plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
upgrading openoffice.org with portmaster
When I start upgrading openoffice.org, it switches from my localized language build to the standard en_US one. Anyone have an idea how to force the upgrade to stick with my Norwegian build with portmaster?

Platform: FreeBSD 7.2-STABLE (x86)

Blessed be
Untrusted X11 forwarding setup failed
Whenever I run

$ ssh -X u...@server

from my FreeBSD machine, I get the following message (and am successfully logged in):

Warning: untrusted X11 forwarding setup failed: xauth key data not generated
Warning: No xauth data; using fake authentication data for X11 forwarding.

When I log in to the same servers from my Ubuntu machines, I do NOT get that message. What's wrong here?
Re: you're not going to believe this.
On Tue, Jun 23, 2009 at 12:30:25PM -0500, Gary Gatten wrote:

> If it's fast enough to allow one to work unimpeded, has acceptable lifetime/reliability, and uses less power/generates less heat than traditional platter HD - I'd say it's a good solution. It's not a one size fits all world.

hm. but then, the rhetorical question might be: Does any one thing fit everyone?

seriously, i did check the specs sheet for this flavor of SSD. the most noteworthy thing was the statement that this device lasts ten years before it fails to hold state. the youtube video demo'd the narrator using windoze XP and editing a video, then task-switching and browsing the net. it showed some girl talking; her voice was audible. i'll post the site if i ever find it, but i gather it was from dec, '08.

gary

-- 
Gary Kline kl...@thought.org http://www.thought.org Public Service Unix
http://jottings.thought.org http://transfinite.thought.org
For FBSD list: http://transfinite.thought.org/slicejourney.php
The 4.98a release of Jottings: http://jottings.thought.org/index.php
Re: upgrading installed ports: time to do it ?
On Tue, 23 Jun 2009 22:21:21 +0100 Chris Whitehouse cwhi...@onetel.com wrote:

> RW wrote:
>> On Mon, 22 Jun 2009 20:58:41 +0100 Chris Whitehouse cwhi...@onetel.com wrote:
>>> I'll probably get flamed for this, but since I've been using ports-mgmt/portmanager I've almost forgotten about /usr/ports/UPDATING and all that pkgdb -Fu stuff or whatever it was. I've upgraded ports just by doing 'portmanager -u' over one or two quite major changes and not had any problems that haven't been down to individual ports.
>> You still need to read UPDATING; portmanager handles some of the issues automatically, but not all.
> Not trolling, but can you give me some examples?

Many of the entries aren't solely to do with guiding portmaster/portupgrade through the upgrade; they may also involve migrating configuration or user data, or performing other administrative tasks.

Portmanager does cope with most of the portupgrade -o and portupgrade -r entries, although sometimes it will need to be run (or rerun) in pristine-mode. However, it doesn't always work correctly when software has been repackaged, because this can create temporary unrecorded conflicts which are difficult for any tool to deal with. If you see any instructions to remove packages before upgrading, it's prudent to follow them.
Re: you're not going to believe this.
On Tue, Jun 23, 2009 at 03:59:44PM -0500, David Kelly wrote:

> On Tue, Jun 23, 2009 at 01:10:41PM -0700, Gary Kline wrote:
>> battery-backed ram sounds great for the time being! if not now [this minute], then relatively soon, i'm guessing within a few years somebody will have a solid-state device that emulates the current mechanical technology. it will wind up being considerably faster than the current drives and suck Much less juice.
> We are already there. SSDs are not slower than mechanical disk drives, they are faster. The only detriments are 1) cost, 2) limited write life.

FOUND IT: URL IS: Http://www.mydigitaldiscount.com/SPD/runcore-64gb-pata-mini-pci-e-pcie-ssd-for-asus-eee-pc-901-and-1000---backorder-runcore-64gb-pata-mini-pci-e-pcie-ssd-for-asus-eee-pc-901-and-1000--88DB-1224129741.jsp

YOU were right about the cost. i thought it was half the $220. the 10k r/w cycle isn't that bad.

> -- 
> David Kelly N4HHE, dke...@hiwaay.net
> Whom computers would destroy, they must first drive mad.

-- 
Gary Kline kl...@thought.org http://www.thought.org Public Service Unix
http://jottings.thought.org http://transfinite.thought.org
For FBSD list: http://transfinite.thought.org/slicejourney.php
The 4.98a release of Jottings: http://jottings.thought.org/index.php
cupssamba jailed
Attempting to set up cups and samba in a jail. How do you mount/add the device node /dev/ulpt0 within a jail? Essentially I would like to know how to add device nodes within the jail's /dev for specifically the devices I want. I have read man pages and tutorials on setting up jails, but none show examples of actually putting specific device nodes within the jail's /dev.

It would also be nice to know how to build a minimal install into a jail. What I have read so far from searching does not show this either. Reading mostly states to refer to man pages, and the man pages state to see other man pages. I'm missing the tie together.

Derek
PCI-X SATA card for FreeBSD
--- Start of forwarded message ---

Hi,

I am not sure if any card of the type exists, but I am looking for a PCI-X card with external SATA connectors (1 or 2) that supports port multipliers. The idea is to attach a bank of disks to use as backup media.

TIA,
Olivier
security/pgp on amd64
--- Start of forwarded message ---

Hi,

Is the port security/pgp working on amd64 systems? I copied my public and private keyrings from an i386 to an amd64 system and I cannot decipher any file; it keeps on complaining that the pass phrase is bad. I already tried to export the key on the i386 and import it on the amd64, but it did not change a thing.

TIA,
Olivier