jail and uname

2010-07-03 Thread Aiza
From the console of a jail I issue uname -r and get 8.0-RELEASE-p3,
which is the release level of the host. I know the jail is running a
pristine minimum install of 8.0-RELEASE.


I would think issuing uname from within a jail environment should 
respond with the info of the jail environment. Is this not a security 
violation?

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: jail and uname

2010-07-03 Thread Matthew Seaman
On 03/07/2010 07:13:13, Aiza wrote:
 From the console of a jail I issue uname -r and get 8.0-RELEASE-p3,
 which is the release level of the host. I know the jail is running a
 pristine minimum install of 8.0-RELEASE.

The uname information is compiled into the kernel -- so all jails will
show the information relevant to the host system.  The problem arises
when a security patch applies to userland, and not the kernel, as
updating the host system does not necessarily mean the update has been
applied to the jails.

 I would think issuing uname from within a jail environment should
 respond with the info of the jail environment. Is this not a security
 violation?

It can result in security problems, yes.  The real problem there is an
incorrect approach to applying security updates to jailed systems. Even
so, not having a reliable means of telling per-jail that patches have or
have not been applied is a flaw.

Whether you can do this within the POSIX specification for uname without
adversely affecting backwards compatibility is a good question
(http://www.opengroup.org/onlinepubs/009695399/utilities/uname.html).
Perhaps a simple solution would be to compile a constant string value
showing system version and patch level into libc.so and have a small
utility to print that data out.  Since this is independent of the
kernel, it should fulfill the requirements, but it does mean that
*every* system update requires a new libc.so and hence a restart of all
running processes to apply fully.

While I'm here -- why doesn't FreeBSD use a simple version number like
7.3.4 rather than saying 7.3-RELEASE-p4?  I realize that historically
there have been point releases like 5.2.1-RELEASE but the whole
Security/Errata branch concept was developed partly in response to such
things, and the whole release engineering process is done differently now.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
JID: matt...@infracaninophile.co.uk   Kent, CT11 9PW


Re: jail and uname

2010-07-03 Thread Patrick Lamaiziere
On Sat, 03 Jul 2010 14:13:13 +0800,
Aiza aiz...@comclark.com wrote:

 From the console of a jail I issue uname -r and get 8.0-RELEASE-p3,
 which is the release level of the host. I know the jail is running a
 pristine minimum install of 8.0-RELEASE.
 
 I would think issuing uname from within a jail environment should 
 respond with the info of the jail environment. 

Uname uses some sysctl to retrieve OS information, so they are stored
in the kernel.

For example :
kern.ostype: FreeBSD
kern.osrelease: 8.1-PRERELEASE

 Is this not a security violation?

No, I don't think so.


Re: jail and uname

2010-07-03 Thread George Davidovich
On Sat, Jul 03, 2010 at 02:13:13PM +0800, Aiza wrote:
 From the console of a jail I issue uname -r and get 8.0-RELEASE-p3,
 which is the release level of the host. I know the jail is running a
 pristine minimum install of 8.0-RELEASE.
 
 I would think issuing uname from within a jail environment should 
 respond with the info of the jail environment. Is this not a security 
 violation?

I'm guessing your understanding of jails is a bit off.  A FreeBSD jail
isn't a fully virtualised system.  As implemented, jails share the
host system's kernel.  The Handbook makes clear that a jail is
essentially defined by a directory subtree, a hostname, an IP address,
and a command.  Well, that, and things like user accounts.

So when you run uname, what's reported is kernel information as stored
in various sysctl(8) MIBs (kern.ostype, kern.osrelease, kern.osrevision,
kern.version, etc.).  And because there's only one kernel, you'll get
the same output from running uname on the host as you would get from
running it inside a jail.

-- 
George
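An added check for the gap Matthew describes above (this is example code, not something posted in the thread). On FreeBSD 10.0 and later, freebsd-version(1) prints the installed userland version with -u; that value is a constant baked into the utility rather than a kernel sysctl, which is essentially the libc-constant idea proposed above. The script compares the host kernel's uname -r against each jail's freebsd-version -u and flags jails whose userland is behind. The version-parsing functions run on any POSIX sh; check_jails must run as root on the FreeBSD host, assumes every jail ships /bin/freebsd-version, and the version strings in the comments are constructed.

```shell
#!/bin/sh
# Added example: flag jails whose userland patch level is behind the host
# kernel.  uname -r inside a jail reports kern.osrelease of the shared
# kernel, so this compares each jail's freebsd-version -u (a constant baked
# into the userland, FreeBSD 10.0+) against the host's uname -r instead.
# Assumes: run as root on the host; every jail has /bin/freebsd-version.

# patch_level "8.0-RELEASE-p3" -> 3 ; "8.0-RELEASE" -> 0
patch_level() {
    case "$1" in
        *-p[0-9]*) printf '%s\n' "${1##*-p}" ;;
        *)         printf '0\n' ;;
    esac
}

# base_release "8.0-RELEASE-p3" -> 8.0-RELEASE
base_release() {
    printf '%s\n' "${1%-p[0-9]*}"
}

# compare_versions HOST_KERNEL JAIL_USERLAND prints one word:
#   ok        same release, jail patch level >= host
#   behind    same release, jail userland is missing patches the host has
#   mismatch  different base release; patch levels are not comparable
compare_versions() {
    if [ "$(base_release "$1")" != "$(base_release "$2")" ]; then
        echo mismatch
    elif [ "$(patch_level "$2")" -lt "$(patch_level "$1")" ]; then
        echo behind
    else
        echo ok
    fi
}

# check_jails: FreeBSD host only.  Prints one line per running jail.
check_jails() {
    host_kernel="$(uname -r)"
    for j in $(jls name); do
        jail_userland="$(jexec "$j" freebsd-version -u)"
        printf '%-24s kernel=%s userland=%s %s\n' "$j" "$host_kernel" \
            "$jail_userland" "$(compare_versions "$host_kernel" "$jail_userland")"
    done
}

case "${1:-}" in
    --check) check_jails ;;
esac
```

Run it as `sh jailcheck.sh --check` on the host. A "mismatch" line (for example a 7.x userland under an 8.x kernel) is worth as much attention as "behind": the jail's patch level simply cannot be read off the kernel string at all.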


Re: i386 wine on amd64 - DRI a lost cause?

2010-07-03 Thread Jonathan Chen
On Fri, Jul 02, 2010 at 09:04:43AM +0200, David Naylor wrote:
 On Friday 02 July 2010 01:35:05 xorquew...@googlemail.com wrote:
  On 2010-07-01 22:16:26, David Naylor wrote:
   Have you tried the packages from http://people.freebsd.org/~ivoras/wine/
   
   They worked for me with nvidia and intel.
  
  Thanks, but as I mentioned in the hackers@ thread (and possibly this one),
  it's actually DRI that's the problem. I can't even run 32-bit glxinfo
  reliably in the chroot. libGL often receives EFAULT when doing various
  ioctls on /dev/dri/card0 and sometimes crashes outright.
 
 That is interesting as I am able to play Warcraft 3 on an intel laptop.  I 
 don't think it is using software rendering.  Wine runs without crashing and 
 does require libGL to launch the game.
 
 I have also played Command and Conquer 3 on nvidia (but the proprietary nvidia 
 driver does not use dri).  

I've got (unjailed) wine/i386 on amd64, and it plays DirectX 9 games
with no problems; eg EVE-Online. I'm using the nvidia-drivers, which
have to be installed on the 32-bit base, as well as the 64-bit driver
on the /usr/local
-- 
Jonathan Chen  |  To do is to be  -- Nietzsche
j...@chen.org.nz |  To be is to do  -- Sartre 
   |  Scooby do be do -- Scooby


text to html

2010-07-03 Thread Jozsi Avadkan
input:
http://pastebin.com/raw.php?i=MqPXZwc3

output:
http://pastebin.com/raw.php?i=8QCkp4yv

it will be a long day.. :D

could someone please help with it?

i have to make a one liner that gets the input, and gives the
mentioned output.



Re: text to html

2010-07-03 Thread Erik Gustafson
On Sat, Jul 3, 2010 at 11:07 AM, Jozsi Avadkan jozsi.avad...@gmail.com wrote:
 input:
 http://pastebin.com/raw.php?i=MqPXZwc3

 output:
 http://pastebin.com/raw.php?i=8QCkp4yv

 it will be a long day.. :D

 could someone please help with it?

 i have to make a one liner that gets the input, and gives the
 mentioned output.


Sed version:
# cat raw_input | sed 's#\(.*\)/\(.*\)#<br><font size=4>\1</font><br> \
<a href="\2"></a>#'

 /Erik


Re: i386 wine on amd64 - DRI a lost cause?

2010-07-03 Thread xorquewasp
On 2010-07-03 19:30:36, Jonathan Chen wrote:
 I'm got (unjailed) wine/i386 on amd64, and it plays DirectX 9 games
 with no problems; eg EVE-Online. I'm using the nvidia-drivers, which
 have to be installed on the 32-bit base, as well as the 64-bit driver
 on the /usr/local

Have noticed that everybody that has said it works is using the nvidia
drivers (whilst I'm using the open ATI drivers)...



Re: text to html

2010-07-03 Thread George Davidovich
On Sat, Jul 03, 2010 at 11:07:29AM +0200, Jozsi Avadkan wrote:
 input:
 http://pastebin.com/raw.php?i=MqPXZwc3
 
 output:
 http://pastebin.com/raw.php?i=8QCkp4yv
 
 it will be a long day.. :D
 
 could someone please help with it?
 
 i have to make a one liner that gets the input, and gives the
 mentioned output.

A one-liner, huh?  LOL.  Add semi-colons?

The following should accomplish what you want.

#!/bin/sh

sample_data="\
debian/hosts/hosts.html
debian/use-other-users-when-using-wine-eg-dude.html
debian/java-chromium-etc.html
dns/dns-server-szakszon-mihaly-hungarian.html
netbsd/sshd.html
netbsd/installing-removing-programs.html
netbsd/install-from-pendrive/install-from-pendrive.html
openwrt/wrt160nl/wrt160nl-flash.html
routeros/home-soho-router.html
routeros/turn-off-watchdog.html"

seen='nothing_to_see_yet_move_along'

echo "$sample_data" | while read target; do

    topic=${target%%/*}     # debian/hosts/hosts.html -> debian
    filename=${target##*/}  # debian/hosts/hosts.html -> hosts.html
    title=${filename%.*}    # hosts.html -> hosts

    if [ "$topic" = "$seen" ]; then
        echo "| <a href=\"${target}\">${title}</a>"
    else
        echo "<br> <br> <font size=4>${topic}</font> <br>"
        echo "<a href=\"${target}\">${title}</a>"
    fi

    seen=$topic

done

-- 
George


Re: 'file' Command Giving False Positives

2010-07-03 Thread Andy Balholm
One thing I noticed about the file command's output might be useful:

For the file in question, it says "MS-DOS executable (built-in)".

For real Windows programs, it gives more information. One that I tried said 
"PE32 executable for MS Windows (GUI) Intel 80386 32-bit". I remember that some 
others have said COFF instead of PE32. So maybe you could just assume that 
unless the file command is able to figure out what _kind_ of executable the 
file is, it's a false positive. It depends how likely you are to run into a 
really ancient DOS program (which would probably just get the generic 
description).
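The heuristic Andy describes, written out as an added example (this is not code from the thread or from file(1) itself): file's generic "MS-DOS executable" match fires on nothing more than "MZ" at offset 0, so any data file that happens to start with those two bytes is reported as an executable. The classifier below follows the DOS header's e_lfanew pointer and only calls something a Windows program when a real PE signature, COFF header and optional header are present, the same chain of checks behind file's more specific "PE32 executable for MS Windows" output. The build_* helpers and every byte they produce are constructed test fixtures, not real binaries; the caveat from the post still holds, since a genuine 16-bit DOS program also lacks a PE header and is reported as MS-DOS here.

```python
"""Added example (not from the thread): decide whether an MZ file is a real
Windows PE, a 16-bit NE/LE/LX executable, or just something that starts
with "MZ", which is all file(1)'s generic "MS-DOS executable" match needs.
Sample inputs below are constructed, not real binaries."""
import struct

PE_SIGNATURE = b"PE\0\0"
OPTIONAL_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}
MACHINES = {0x14C: "Intel 80386", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}
SUBSYSTEMS = {1: "native", 2: "GUI", 3: "console"}


def classify(data: bytes) -> str:
    """Return a file(1)-style description derived from the headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not an MZ executable"
    # e_lfanew: offset of the PE (or NE/LE) header, stored at 0x3C in the DOS stub
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return "MS-DOS executable"
    tag = data[e_lfanew:e_lfanew + 2]
    if tag in (b"NE", b"LE", b"LX"):
        return "16-bit " + tag.decode() + " executable"
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        return "MS-DOS executable"
    # COFF header follows the signature: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = e_lfanew + 4
    if coff + 20 > len(data):
        return "PE executable (truncated COFF header)"
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    # Subsystem sits at offset 68 of the optional header in both PE32 and PE32+
    if opt_size < 70 or opt + 70 > len(data):
        return "PE executable (truncated optional header)"
    magic = struct.unpack_from("<H", data, opt)[0]
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    return "%s executable for MS Windows (%s) %s" % (
        OPTIONAL_MAGIC.get(magic, "PE?"),
        SUBSYSTEMS.get(subsystem, "subsystem %d" % subsystem),
        MACHINES.get(machine, "machine 0x%x" % machine),
    )


def is_windows_pe(data: bytes) -> bool:
    """The rule from the post: count it only when the kind of executable is known."""
    return classify(data).startswith("PE32")


def build_pe32(machine: int = 0x14C, subsystem: int = 2) -> bytes:
    """Construct a minimal (not runnable) PE32 header for testing."""
    stub = bytearray(0x40)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)          # PE header right after the stub
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 224, 0x102)
    optional = bytearray(224)
    struct.pack_into("<H", optional, 0, 0x10B)        # PE32 magic
    struct.pack_into("<H", optional, 68, subsystem)
    return bytes(stub) + PE_SIGNATURE + coff + bytes(optional)


def build_dos_only() -> bytes:
    """An MZ header whose e_lfanew points at nothing: what an old DOS .EXE
    (or a false positive on a data file starting with "MZ") looks like."""
    stub = bytearray(0x80)
    stub[:2] = b"MZ"
    return bytes(stub)
```

Running classify over a directory of suspects and keeping only the is_windows_pe hits reproduces the "assume it's a false positive unless file can say what kind of executable it is" rule; the truncated-header results are the ones to look at by hand, since a file that carries a PE signature but not a complete header is either damaged or deliberately malformed.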


Re: Just want to ask

2010-07-03 Thread Chris Rees
On 29 June 2010 19:18, Roger B.A. Klorese rog...@queernet.org wrote:
 On Jun 29, 2010, at 11:13 AM, Matthew Seaman 
 m.sea...@infracaninophile.co.uk wrote:

 Whether or not he agrees with them is a matter of philosophical interest
 only, so long as he keeps to the terms.

 Agree TO them, not agree WITH them. 

As I remember, agree _to_ is valid only when followed by a verb
infinitive (which is indeed where the `to' comes from);

I agree to abide by these terms.

-- and --

I agree with these terms.

Chris


Re: Just want to ask

2010-07-03 Thread Robert Bonomi
 From utis...@gmail.com  Sat Jul  3 09:36:02 2010
 From: Chris Rees utis...@gmail.com
 Date: Sat, 3 Jul 2010 15:36:00 +0100
 Subject: Re: Just want to ask
 To: Roger B.A. Klorese rog...@queernet.org
 Cc: Matthew Seaman m.sea...@infracaninophile.co.uk,
 questi...@freebsd.org questi...@freebsd.org,
 esra_peranginan...@yahoo.com esra_peranginan...@yahoo.com,
 Robert Bonomi bon...@mail.r-bonomi.com

 On 29 June 2010 19:18, Roger B.A. Klorese rog...@queernet.org wrote:
  On Jun 29, 2010, at 11:13 AM, Matthew Seaman 
  m.sea...@infracaninophile.co.uk wrote:
 
  Whether or not he agrees with them is a matter of philosophical interest
  only, so long as he keeps to the terms.
 
  Agree TO them, not agree WITH them. 

 As I remember, agree _to_ is valid only when followed by a verb
 infinitive (which is indeed where the `to' comes from);

False to fact.

To 'agree to' a _thing_, means you will comply with the permissions, terms,
limitations, restrictions, etc. that that 'thing' specifies -- e.g., I agree
to the terms of your offer.

Note, the 'to' above, is a preposition, _not_ part of an infinitive verb. :)

To 'agree with' something is merely a statement of 'emotional viewpoint', and
is not binding in any way. To 'agree to' something is a binding (to whatever
degree) commitment to comply with the constraints that that 'something' lays
out.


 I agree to abide by these terms.

 -- and --

 I agree with these terms.

 Chris




Re: text to html

2010-07-03 Thread Jozsi Avadkan
my own solution: http://pastebin.com/raw.php?i=kqQXCpD5

 input:
 http://pastebin.com/raw.php?i=MqPXZwc3
 
 output:
 http://pastebin.com/raw.php?i=8QCkp4yv
 
 it will be a long day.. :D
 
 could someone please help with it?
 
 i have to make a one liner that gets the input, and gives the
 mentioned output.
 



pxe LiveCD setup

2010-07-03 Thread Warren Block
Is there a quick way to set up a PXE boot menu for booting into a number 
of ISO images?  There's net/pxe, but it looks like only part of the 
solution.


Ideally, there'd just be a minimal setup with a directory of ISO files 
and a built-in loader that lets the user choose which ISO to boot.



Re: pxe LiveCD setup

2010-07-03 Thread Sam Fourman Jr.
On Sat, Jul 3, 2010 at 2:07 PM, Warren Block wbl...@wonkity.com wrote:
 Is there a quick way to set up a PXE boot menu for booting into a number of
 ISO images?  There's net/pxe, but it looks like only part of the solution.

 Ideally, there'd just be a minimal setup with a directory of ISO files and a
 built-in loader that lets the user choose which ISO to boot.

I have been looking for this solution as well
I want to boot install ISO's

I wonder if we could pxe boot grub2?

Sam Fourman Jr.
Fourman Networks
http://www.fourmannetworks.com


Re: BIND Refusing to Resolve for External Hosts

2010-07-03 Thread Chris Maness
On Thu, Jul 1, 2010 at 7:33 AM, Matthew Seaman
m.sea...@infracaninophile.co.uk wrote:
 On 01/07/2010 15:05:37, Chris Maness wrote:
 Can a sub block of IP address space be used, and if so, what is the
 wild card?

 Yes.  You can use lists of IPs or address-and-mask in BIND ACLs.  See:

 http://www.isc.org/files/arm96.html#address_match_lists

 and

 http://www.isc.org/files/arm96.html#id2553419

 So, for example, I use this in my own BIND configuration:

 acl public-nets {
    127.0.0.1;
    ::1;
    81.187.76.160/29;
    81.187.220.164;
    2001:8b0:151:1::/64;
 };

        Cheers,

        Matthew



Including the line:

acl public-nets { 127.0.0.1; ::1; }

for testing resulted in a failure to launch with the following error code:

/etc/namedb/named.conf:23: unknown option 'acl'
/etc/rc.d/named: ERROR: named-checkconf for $named_conf failed

It seems as though BIND did not recognize this option.  Is there
something that I need to enable in order to use this option?

Thanks,
Chris Maness


Re: BIND Refusing to Resolve for External Hosts

2010-07-03 Thread Matthew Seaman
On 03/07/2010 20:28:27, Chris Maness wrote:
 Including the line:
 
 acl public-nets { 127.0.0.1; ::1; }
 ^
You need a semi-colon here __|

 for testing resulted in a failure to launch with the following error code:
 
 /etc/namedb/named.conf:23: unknown option 'acl'
 /etc/rc.d/named: ERROR: named-checkconf for $named_conf failed

Just defining the acl won't do a great deal on its own -- you need to
add it to an allow-recursion {}; or similar block.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
JID: matt...@infracaninophile.co.uk   Kent, CT11 9PW


Trying to Install VirtualboxOSE

2010-07-03 Thread Chris Maness
Trying to install virtual box.  It looks like one of the dependencies
failed to build.  Any suggestions?

In file included from socket/qabstractsocket.cpp:2793:
.moc/release-shared/moc_qabstractsocket.cpp:14:2: error: #error This
file was generated using the moc from 4.5.3. It
.moc/release-shared/moc_qabstractsocket.cpp:15:2: error: #error
cannot be used with the include files from this version of Qt.
.moc/release-shared/moc_qabstractsocket.cpp:16:2: error: #error (The
moc has changed too much.)
c++ -c -O2 -pipe -DNO_IDEA -fno-strict-aliasing -O2
-fvisibility=hidden -fvisibility-inlines-hidden -Wall -W -fPIC
-DQT_SHARED -DQT_BUILD_NETWORK_LIB -DQT_NO_USING_NAMESPACE
-DQT_NO_CAST_TO_ASCII -DQT_ASCII_CAST_WARNINGS -DQT3_SUPPORT
-DQT_MOC_COMPAT -DQT_NO_DEBUG -DQT_CORE_LIB -D_LARGEFILE64_SOURCE
-D_LARGEFILE_SOURCE -I/usr/local/share/qt4/mkspecs/freebsd-g++ -I.
-I../../include/QtCore -I../../include -I../../include/QtNetwork
-I.rcc/release-shared -Ikernel -I.moc/release-shared
-I/usr/local/include -o .obj/release-shared/qtcpserver.o
socket/qtcpserver.cpp
In file included from socket/qtcpserver.cpp:666:
.moc/release-shared/moc_qtcpserver.cpp:14:2: error: #error This file
was generated using the moc from 4.5.3. It
.moc/release-shared/moc_qtcpserver.cpp:15:2: error: #error cannot be
used with the include files from this version of Qt.
.moc/release-shared/moc_qtcpserver.cpp:16:2: error: #error (The moc
has changed too much.)
*** Error code 1
*** Error code 1
2 errors
*** Error code 1

Stop in /usr/ports/net/qt4-network.
*** Error code 1

Stop in /usr/ports/devel/qt4-designer.
*** Error code 1

Stop in /usr/ports/devel/qt4-linguist.
*** Error code 1

Stop in /usr/ports/emulators/virtualbox-ose.
*** Error code 1

Stop in /usr/ports/emulators/virtualbox-ose.


##

Thanks,
Chris Maness


Re: pxe LiveCD setup

2010-07-03 Thread Carl Chave
On Sat, Jul 3, 2010 at 3:07 PM, Warren Block wbl...@wonkity.com wrote:
 Is there a quick way to set up a PXE boot menu for booting into a number of
 ISO images?  There's net/pxe, but it looks like only part of the solution.

 Ideally, there'd just be a minimal setup with a directory of ISO files and a
 built-in loader that lets the user choose which ISO to boot.

I've had a lot of luck with grub4dos.  At work I use it to present a
menu to the PXE client.  I've had most success booting .iso files by
having grub4dos memory map them, so having a fair amount of ram is
helpful.  I've used it to boot damn small linux, puppy linux, Dell
diagnostic cd .iso, dban iso, spinrite .iso etc.

See the grub4dos section of this forum for good info:

http://www.boot-land.net/forums/index.php?showforum=66


Re: BIND Refusing to Resolve for External Hosts

2010-07-03 Thread Chris Maness
On Sat, Jul 3, 2010 at 12:52 PM, Matthew Seaman
m.sea...@infracaninophile.co.uk wrote:
 On 03/07/2010 20:28:27, Chris Maness wrote:
 Including the line:

 acl public-nets { 127.0.0.1; ::1; }
                                     ^
 You need a semi-colon here __|

I am on gmail with variable width font.  I am not sure exactly where I
need the semi colon.


 Just defining the acl won't do a great deal on its own -- you need to
 add it to an allow-recursion {}; or similar block.


Sorry, Matt.  I haven't had to mess with the configuration file in 10
years.  Everything just worked until recently (probably the upgrade).
I am running a small Web/DNS/Mail server in my house.  I like using a
local recursive server as it has been faster than the alternatives in
the past.  Currently, my local net is using the DSL router as its
upstream DNS.  So without rambling too much.  I am a bit simple at
this stuff, and a little confused.  I could switch to another DNS
server, but for academic purposes, I want to learn this stuff.  I am
looking at some example files from the ISC link you sent me:

http://www.isc.org/files/arm96.html#sample_configuration

I was thinking of just rebuilding the file from scratch as my current
file is greek to me.  However, the examples posted are for recursive
only and authoritative only.  Since my server is a hybrid, I am
wondering which directives might interfere with the other.

Moreover I had a look at the security section from that link:

http://www.isc.org/files/arm96.html#Bv9ARM.ch07

Here is what I added to my named.conf.  I guess over time they have
increased the default security of BIND so that old files don't allow
recursion from outside hosts by default.

// Set up an ACL called our-nets. Replace this with the real IP numbers.

acl our-nets { 192.168.1.0/24; };

options {
    // Relative to the chroot directory, if any
    directory       "/etc/namedb";
    pid-file        "/var/run/named/pid";
    dump-file       "/var/dump/named_dump.db";
    statistics-file "/var/stats/named.stats";
    allow-transfer {
    76.238.148.146;
    allow-query { our-nets; };
    allow-recursion { our-nets; };
};


Thanks,
Chris Maness


Re: BIND Refusing to Resolve for External Hosts

2010-07-03 Thread Chris Maness
Ok, it is working for the local net now, but it is no longer working
as an authoritative server for my zones.

Here is the current config:

// $FreeBSD: src/etc/namedb/named.conf,v 1.26.2.2.2.1 2008/11/25
02:59:29 kensmith Exp $
//
// Refer to the named.conf(5) and named(8) man pages, and the documentation
// in /usr/share/doc/bind9 for more details.
//
// If you are going to set up an authoritative server, make sure you
// understand the hairy details of how DNS works.  Even with
// simple mistakes, you can break connectivity for affected parties,
// or cause huge amounts of useless Internet traffic.

// Set up an ACL called our-nets. Replace this with the real IP numbers.

acl our-nets { 192.168.1.0/24; 76.238.148.145/24; 127.0.0.1; };

options {
    // Relative to the chroot directory, if any
    directory       "/etc/namedb";
    pid-file        "/var/run/named/pid";
    dump-file       "/var/dump/named_dump.db";
    statistics-file "/var/stats/named.stats";
    allow-transfer {
    76.238.148.146; };
    allow-query { our-nets; };
    allow-recursion { our-nets; };
};

// If named is being used only as a local resolver, this is a safe default.
// For named to be accessible to the network, comment this option, specify
// the proper IP address, or delete this option.
//  listen-on   { 127.0.0.1; };

// If you have IPv6 enabled on this system, uncomment this option for
// use as a local resolver.  To give access to the network, specify
// an IPv6 address, or the keyword any.
//  listen-on-v6{ ::1; };

// These zones are already covered by the empty zones listed below.
// If you remove the related empty zones below, comment these lines out.
/*
disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
disable-empty-zone
"0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
disable-empty-zone
"1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";

*/

// In addition to the forwarders clause, you can force your name
// server to never initiate queries of its own, but always ask its
// forwarders only, by enabling the following line:
//
//  forward only;

// If you've got a DNS server around at your upstream provider, enter
// its IP address here, and enable the line below.  This will make you
// benefit from its cache, thus reduce overall DNS traffic in the Internet.
/*
forwarders {
127.0.0.1;
};
*/
/*
   Modern versions of BIND use a random UDP port for each outgoing
   query by default in order to dramatically reduce the possibility
   of cache poisoning.  All users are strongly encouraged to utilize
   this feature, and to configure their firewalls to accommodate it.

   AS A LAST RESORT in order to get around a restrictive firewall
   policy you can try enabling the option below.  Use of this option
   will significantly reduce your ability to withstand cache poisoning
   attacks, and should be avoided if at all possible.

   Replace N in the example with a number between 49160 and 65530.
*/
// query-source address * port N;

// If you enable a local name server, don't forget to enter 127.0.0.1
// first in your /etc/resolv.conf so this server will be queried.
// Also, make sure to enable it in /etc/rc.conf.

// The traditional root hints mechanism. Use this, OR the slave zones below.
zone "." { type hint; file "named.root"; };

/*  Slaving the following zones from the root name servers has some
significant advantages:
1. Faster local resolution for your users
2. No spurious traffic will be sent from your network to the roots
3. Greater resilience to any potential root server failure/DDoS

On the other hand, this method requires more monitoring than the
hints file to be sure that an unexpected failure mode has not
incapacitated your server.  Name servers that are serving a lot
of clients will benefit more from this approach than individual
hosts.  Use with caution.

To use this mechanism, uncomment the entries below, and comment
the hint zone above.
*/
/*
zone "." {
    type slave;
    file "slave/root.slave";
    masters {
        192.5.5.241;    // F.ROOT-SERVERS.NET.
    };
    notify no;
};

zone "0.0.127.IN-ADDR.ARPA" {
    type master;
    file "master/localhost.rev";
};
zone "in-addr.arpa" {
    type slave;
    file "slave/in-addr.arpa.slave";
    masters {
        192.5.5.241;    // F.ROOT-SERVERS.NET.
    };
    notify no;
};
*/

/*  Serving the following zones locally will prevent any queries
for these zones leaving your network and going to the root
name servers.  This has two significant advantages:
1. Faster local resolution for your users
2. No spurious traffic will be 

Re: BIND Refusing to Resolve for External Hosts

2010-07-03 Thread Chris Maness
Ahhh, I see I need to add:

allow-query { any; };

to my authoritative zones.

Thanks it all works now.

Chris Maness


p.s.  So was this a change in the default behavior of BIND over the
years?  Because I don't think my named.conf has been changed, and this
used to work for any hosts.
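A minimal named.conf for the hybrid case worked out in this thread, added here as an example and not Chris's own file: recursion only for the local networks, authority for everyone. The addresses, the zone name example.org, the secondary at 192.0.2.53 and the file names are placeholders. The first block is the shape that broke authoritative service (a global allow-query restricted to our-nets applies to every zone, including the ones the rest of the Internet is supposed to ask about); the second is the corrected layout, with the per-zone allow-query { any; } that fixed it plus the cache and transfer restrictions a public server should carry. The two blocks are alternatives for one file, not meant to be concatenated. As to the question of changed defaults: BIND 9.4 changed the defaults for allow-recursion and allow-query-cache from any to localnets; localhost, so an older named.conf that never set them stops recursing for outside hosts after an upgrade.

```conf
// ---- Layout 1 (as posted first): too tight ---------------------------
// allow-query is global, so external resolvers get REFUSED even for the
// zones this server is authoritative for.
acl our-nets { 192.168.1.0/24; 127.0.0.1; ::1; };

options {
    directory "/etc/namedb";
    allow-query     { our-nets; };   // also blocks authoritative answers
    allow-recursion { our-nets; };
};

zone "example.org" { type master; file "master/example.org"; };

// ---- Layout 2: corrected -----------------------------------------------
// Authoritative answers for anyone; recursion and cached data only for
// our-nets; zone transfers only to the named secondary.
acl our-nets    { 192.168.1.0/24; 127.0.0.1; ::1; };
acl secondaries { 192.0.2.53; };       // placeholder secondary address

options {
    directory "/etc/namedb";
    recursion yes;
    allow-recursion   { our-nets; };
    allow-query-cache { our-nets; };   // no cached answers for outsiders
    allow-query       { any; };        // per-zone allow-query still applies
    allow-transfer    { none; };       // nothing leaves unless a zone says so
};

zone "example.org" {
    type master;
    file "master/example.org";
    allow-query    { any; };
    allow-transfer { secondaries; };
};
```

Check it with named-checkconf before reloading. From a host outside our-nets, `dig @server example.org SOA` should answer with the aa flag set, while `dig @server www.example.com` (a name the server is not authoritative for) should come back REFUSED; if the second query succeeds, the server is an open resolver.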


fetchmail certificate verification messages

2010-07-03 Thread Marco Beishuizen

Hi,

I'm seeing in my logfiles a lot of messages like these from fetchmail:

Jul  3 22:02:54 yokozuna fetchmail[1437]: Server certificate verification 
error: self signed certificate in certificate chain
Jul  3 22:02:54 yokozuna fetchmail[1437]: This means that the root signing 
certificate (issued for /C=SE/O=AddTrust AB/OU=AddTrust External TTP 
Network/CN=AddTrust External CA Root) is not in the trusted CA certificate 
locations, or that c_rehash needs to be run on the certificate directory. 
For details, please see the documentation of sslcertpath and 
sslcertfile in the manual page.


Does anyone know what these messages mean and if they are harmless or not?

Thanks in advance
Regards,
Marco
--
Writing is easy; all you do is sit staring at the blank sheet of
paper until drops of blood form on your forehead.
-- Gene Fowler


Re: Just want to ask

2010-07-03 Thread RW
On Sat, 3 Jul 2010 15:36:00 +0100
Chris Rees utis...@gmail.com wrote:

 On 29 June 2010 19:18, Roger B.A. Klorese rog...@queernet.org wrote:
  On Jun 29, 2010, at 11:13 AM, Matthew Seaman
  m.sea...@infracaninophile.co.uk wrote:
 
  Whether or not he agrees with them is a matter of philosophical
  interest only, so long as he keeps to the terms.
 
  Agree TO them, not agree WITH them.
 
 As I remember, agree _to_ is valid only when followed by a verb
 infinitive (which is indeed where the `to' comes from);


To can be part of an infinitive, but in this case it's a preposition.
"Agree to them" and "agree with them" have different meanings: roughly
comply and concur.

I presume he was trying to precis the answer, rather than correct the
grammar.


Samba gives invalid PT_PHDR after upgrading from 7.2-RELEASE to 7.3-RELEASE

2010-07-03 Thread David Brodbeck
I apologize if this has been asked before; I tried searching the list,  
but the search engine on lists.freebsd.org keeps giving me an error  
message.


Today I upgraded my system from FreeBSD 7.2-RELEASE to FreeBSD 7.3- 
RELEASE using freebsd-update. Samba no longer runs.  I get the  
following error messages:


Starting nmbd.
/libexec/ld-elf.so.1: /usr/local/sbin/nmbd: invalid PT_PHDR
Starting smbd.
/libexec/ld-elf.so.1: /usr/local/sbin/smbd: invalid PT_PHDR

My upgrade sequence was to run 'freebsd-update upgrade -r 7.3-RELEASE'  
and 'freebsd-update install', followed by a reboot, then 'freebsd- 
update install' again, followed by a second reboot.


I tried rebuilding the Samba port, thinking maybe it was an ABI  
change, but it still doesn't work.  Can someone point me in the right  
direction?




Re: pxe LiveCD setup

2010-07-03 Thread Warren Block

On Sat, 3 Jul 2010, Carl Chave wrote:


On Sat, Jul 3, 2010 at 3:07 PM, Warren Block wbl...@wonkity.com wrote:

Is there a quick way to set up a PXE boot menu for booting into a number of
ISO images?  There's net/pxe, but it looks like only part of the solution.

Ideally, there'd just be a minimal setup with a directory of ISO files and a
built-in loader that lets the user choose which ISO to boot.


I've had a lot of luck with grub4dos.  At work I use it to present a
menu to the PXE client.  I've had most success booting .iso files by
having grub4dos memory map them, so having a fair amount of ram is
helpful.  I've used it to boot damn small linux, puppy linux, Dell
diagnostic cd .iso, dban iso, spinrite .iso etc.


After a very cursory setup, it works!  I took notes and will write it up 
in a bit.


The only complaint I have so far is the speed of download via tftp.  A 
236M ISO took two minutes to load, or about 2M per second.  A full CD 
takes a long, long time.  Is that typical, or maybe just the poor 
Ethernet on this Aspire One D250?

Re: pxe LiveCD setup

2010-07-03 Thread Carl Chave
 After a very cursory setup, it works!  I took notes and will write it up in
 a bit.

 The only complaint I have so far is the speed of download via tftp.  A 236M
 ISO took two minutes to load, or about 2M per second.  A full CD takes a
 long, long time.  Is that typical, or maybe just the poor Ethernet on this
 Aspire One D250?

I haven't timed them so I can't say for sure.  The biggest file I
currently use is a windows PE .iso and it does take a bit to transfer.
I'll break out the stopwatch next week and see.  My DHCP/tftp server
is a Sunfire V240 with Solaris 10.  I was having a horrible time with
the default tftp server and switched to tftpd-hpa which helped a lot,
especially with being able to remap \ to /.

Floppy images work well also. I've got a Freedos boot disk floppy
image with 3com's universal PXE ethernet driver for dumping and
restoring ghost images.  Works out of the box with every PXE client
I've tried, no need to have custom boot disks with different nic
drivers.

One of the tweaks I did with the grldr file was to hex edit a section
so it goes straight to the menu instead of cycling through the mac
address variations.  Then I added the company logo to the background
of the menu... and ... nobody sees it but me!
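The throughput question in the two posts above comes down to the protocol: TFTP (RFC 1350) sends one DATA block and waits for its ACK before sending the next, so a transfer costs one network round trip per block, and the RFC 2348 blksize option is the way to cut that count. The following is an added example, not code from either post or from any tftp server: an in-memory model of the client/server exchange (hypothetical server class, constructed file contents) that counts how many packets the client must send for a given file size and block size, including the 16-bit block-number wrap that large ISOs hit.

```python
"""In-memory model of a TFTP read: RFC 1350 lock-step DATA/ACK plus the RFC 2348 blksize option."""
import struct

RRQ, DATA, ACK, OACK = 1, 3, 4, 6
DEFAULT_BLKSIZE = 512


def rrq_packet(filename, blksize=None):
    """Build a read request; an option is appended as name\\0value\\0 (RFC 2348)."""
    pkt = struct.pack("!H", RRQ) + filename.encode() + b"\0octet\0"
    if blksize is not None:
        pkt += b"blksize\0%d\0" % blksize
    return pkt


class TftpServer:
    """Hypothetical server: serves a dict of files, one DATA per ACK, block numbers mod 65536."""

    def __init__(self, files):
        self.files = files
        self.data = b""
        self.blksize = DEFAULT_BLKSIZE
        self.sent = 0          # DATA blocks handed out so far (unwrapped count)
        self.done = False

    def handle(self, pkt):
        op, = struct.unpack("!H", pkt[:2])
        if op == RRQ:
            fields = pkt[2:].split(b"\0")            # filename, mode, then option/value pairs
            self.data = self.files[fields[0].decode()]
            self.blksize, self.sent, self.done = DEFAULT_BLKSIZE, 0, False
            opts = fields[2:]
            if b"blksize" in opts:
                self.blksize = int(opts[opts.index(b"blksize") + 1])
                return struct.pack("!H", OACK) + b"blksize\0%d\0" % self.blksize
            return self._next_data()
        if op == ACK:
            if self.done:
                return None                          # ACK of the short block: transfer complete
            acked, = struct.unpack("!H", pkt[2:4])
            if acked != self.sent & 0xFFFF:
                raise ValueError("ACK %d does not match block %d" % (acked, self.sent & 0xFFFF))
            return self._next_data()
        raise ValueError("unexpected opcode %d" % op)

    def _next_data(self):
        start = self.sent * self.blksize
        chunk = self.data[start:start + self.blksize]
        self.sent += 1
        self.done = len(chunk) < self.blksize        # a short (possibly empty) block ends the transfer
        return struct.pack("!HH", DATA, self.sent & 0xFFFF) + chunk


def tftp_get(server, filename, blksize=None):
    """Fetch a file lock-step; returns (bytes, packets_sent_by_client).

    Every client packet (RRQ, option ACK, each DATA ACK) waits on a reply, so the
    count is the number of network round trips the transfer costs.
    """
    reply = server.handle(rrq_packet(filename, blksize))
    sent = 1
    size = DEFAULT_BLKSIZE
    op, = struct.unpack("!H", reply[:2])
    if op == OACK:
        fields = reply[2:].split(b"\0")
        if b"blksize" in fields:
            size = int(fields[fields.index(b"blksize") + 1])
        reply = server.handle(struct.pack("!HH", ACK, 0))   # ACK of block 0 accepts the options
        sent += 1
    got = bytearray()
    while True:
        op, block = struct.unpack("!HH", reply[:4])
        if op != DATA:
            raise ValueError("unexpected opcode %d" % op)
        chunk = reply[4:]
        got += chunk
        reply = server.handle(struct.pack("!HH", ACK, block))
        sent += 1
        if len(chunk) < size:
            return bytes(got), sent


def expected_client_packets(size, blksize=None):
    """RRQ + (option ACK if negotiated) + one ACK per DATA block, the last block being short."""
    bs = blksize or DEFAULT_BLKSIZE
    return 1 + (1 if blksize is not None else 0) + size // bs + 1


if __name__ == "__main__":
    iso_size = 236 * 1024 * 1024                    # the 236M ISO from the post, by arithmetic only
    for bs in (None, 1428, 8192):
        print("blksize %5d: %d client packets" % (bs or DEFAULT_BLKSIZE,
                                                   expected_client_packets(iso_size, bs)))
```

Dividing the observed two minutes by the packet count for blksize 512 gives the per-block round trip the client and server are actually achieving; if that number is much larger than the LAN's ping time, the bottleneck is the TFTP implementation rather than the wire, which matches the improvement Carl saw from changing servers.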


Re: BIND Refusing to Resolve for External Hosts

2010-07-03 Thread Matthew Seaman

On 03/07/2010 22:29:46, Chris Maness wrote:
 Ahhh, I see I need to add:
 
 allow-query { any; };
 
 to my authoritative zones.
 
 Thanks it all works now.

Great.

 p.s.  So was this a change in the default behavior of BIND over the
 years?  Because I don't think my named.conf has been changed, and this
 used to work for any hosts.

The built-in access control rules have evolved over time, certainly.
However, this hasn't changed since BIND 9.6 was released, and possibly
longer than that.  RELENG_8 and above have contained BIND 9.6.x from the
point where the branch was created, but RELENG_7 contains BIND 9.4.x --
so if you've done an upgrade from 7.x to 8.x recently it might explain
your experiences.

The pre-canned configuration that comes with FreeBSD is suitable for use
as a localhost-only recursive resolver: if you want to serve a whole
network of machines or add authoritative data then you will need to
modify it or craft your own named.conf, an important part of which is
setting up ACLs to control what you will serve to whom.  This is a very
useful reference:

  http://www.cymru.com/Documents/secure-bind-template.html

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matt...@infracaninophile.co.uk
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
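Matthew's reply above leaves the reader to craft the ACLs. As an added example (not part of the original message and not taken from the Cymru template), here is a Python checker that parses the statement/brace subset of named.conf and flags the two mistakes this thread touches: recursion open to any client (an open resolver) and an authoritative zone whose effective allow-query hides it from outside hosts (Chris's symptom). The weak and hardened configurations are constructed; the checker judges only explicit allow-recursion / allow-query statements, does not model BIND's built-in defaults beyond recursion being on, and handles only the syntax used here.

```python
"""Audit a named.conf for open recursion and for authoritative zones hidden by allow-query."""
import re

_TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')


class Stmt:
    """One statement: its words and, if it had a { } body, the nested statements."""

    def __init__(self, words, block=None):
        self.words = words
        self.block = block


def _strip_comments(text):
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", " ", text)


def parse_named_conf(text):
    """Parse the statement / { block } / ; subset of named.conf syntax into Stmt trees."""
    toks = _TOKEN.findall(_strip_comments(text))
    pos = 0

    def block():
        nonlocal pos
        stmts = []
        while pos < len(toks) and toks[pos] != "}":
            words, body = [], None
            while pos < len(toks) and toks[pos] not in (";", "}"):
                if toks[pos] == "{":
                    pos += 1
                    body = block()
                    if pos >= len(toks) or toks[pos] != "}":
                        raise ValueError("unbalanced braces")
                else:
                    words.append(toks[pos].strip('"'))
                pos += 1
            if pos < len(toks) and toks[pos] == ";":
                pos += 1
            stmts.append(Stmt(words, body))
        return stmts

    stmts = block()
    if pos != len(toks):
        raise ValueError("unexpected '}'")
    return stmts


def _first(stmts, name):
    return next((s for s in stmts if s.words and s.words[0] == name), None)


def _members(stmt):
    """Address-match-list members of a statement such as allow-query { a; b; };"""
    return [" ".join(s.words) for s in stmt.block] if stmt and stmt.block else []


def _arg(stmts, name, default):
    s = _first(stmts, name)
    return s.words[1] if s and len(s.words) > 1 else default


def audit_named_conf(text):
    """Return (severity, message) findings; only explicit ACL statements are judged."""
    top = parse_named_conf(text)
    findings = []
    opts = _first(top, "options")
    o = opts.block if opts and opts.block else []
    recursion = _arg(o, "recursion", "yes")          # BIND's default is recursion yes
    if recursion == "yes" and "any" in _members(_first(o, "allow-recursion")):
        findings.append(("HIGH", "recursion enabled and allow-recursion contains 'any': open resolver"))
    global_aq = _first(o, "allow-query")
    for z in (s for s in top if s.words and s.words[0] == "zone"):
        name = z.words[1] if len(z.words) > 1 else "?"
        zs = z.block or []
        if _arg(zs, "type", None) not in ("master", "slave"):
            continue                                  # hint/forward/stub zones hold no authoritative data
        aq = _first(zs, "allow-query") or global_aq   # zone-level allow-query overrides the global one
        if aq is not None and "any" not in _members(aq):
            findings.append(("WARN", "zone %s: allow-query is %s, other hosts will be refused"
                             % (name, _members(aq))))
    return findings


# Constructed configurations, not taken from any real host.
WEAK_CONF = """
// Recursion is open to the world and the global allow-query hides the zone.
options {
    directory "/etc/namedb";
    listen-on { any; };
    recursion yes;
    allow-recursion { any; };
    allow-query { localhost; localnets; };
};
zone "example.org" { type master; file "master/example.org"; };
"""

HARDENED_CONF = """
acl "trusted" { 127.0.0.1; 192.168.1.0/24; };
options {
    directory "/etc/namedb";
    listen-on { any; };
    recursion yes;
    allow-recursion { trusted; };
    allow-query { trusted; };
};
zone "example.org" {
    type master;
    file "master/example.org";
    allow-query { any; };        /* authoritative data is public; recursion stays local */
};
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_named_conf(conf) or "no findings")
```

The hardened form is the shape Matthew describes: a named ACL for the local network, recursion and cache access limited to it, and allow-query { any; } only on the zones the server is authoritative for.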


Re: fetchmail certificate verification messages

2010-07-03 Thread Dan Nelson
In the last episode (Jul 03), Marco Beishuizen said:
 I'm seeing in my logfiles a lot of messages like these from fetchmail:
 
 Jul  3 22:02:54 yokozuna fetchmail[1437]: Server certificate verification 
 error: self signed certificate in certificate chain
 Jul  3 22:02:54 yokozuna fetchmail[1437]: This means that the root signing 
 certificate (issued for /C=SE/O=AddTrust AB/OU=AddTrust External TTP 
 Network/CN=AddTrust External CA Root) is not in the trusted CA certificate 
 locations, or that c_rehash needs to be run on the certificate directory. 
 For details, please see the documentation of sslcertpath and 
 sslcertfile in the manual page.
 
 Does anyone know what these messages mean and if they are harmless or not?

Probably harmless, unless someone has forged a certificate chain using a
fake AddTrust External CA Root cert at the top.  Installing the
security/ca_root_nss port (make sure you enable the ETCSYMLINK option) will
probably silence it.

-- 
Dan Nelson
dnel...@allantgroup.com