Re: Upgrading libxul, dependency on Firefox 3

2011-10-22 Thread Eduardo Morras

At 02:54 22/10/2011, Joe Altman wrote:

Greetings...

I was running portupgrade on libxul and noticed it depends on Firefox
3.x. I cancelled the upgrade, because I thought FF3.x was insecure and
therefore deprecated while FF7 was recommended and secure.

My questions:

1) is the dependency libxul has for FF3 a security problem?

2) is the dependency on FF3 a bug in libxul? If it is a bug, who
   should receive a report: gecko@ or the Mozilla project?

FYI: I'm pretty sure it was portsclean -D (and not me) that deleted
FF3...yet libxul tried to pull it in during the portupgrade.


As far as I know, the libxul port is inside ff3. Installing libxul 
doesn't install ff3, only libxul. Perhaps it's an old libxul and the 
newer one is inside ff7, so libxul port should point there, don't know that.



Best regards,

Joe
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org





Re: csup: How do I know I have correct version?

2011-10-22 Thread Thomas Mueller
From: Damien Fleuriot m...@my.gd:

  Maybe also I should put this releng9-supfile in a safer place where
  it won't be deleted by the next installation/upgrade?

 
 Indeed you should.
 
 
 From my /etc/make.conf:
 SUP_UPDATE= yes
 SUP=/usr/bin/csup
 SUPFLAGS=   -zgL 2
 SUPHOST=cvsup1.fr.freebsd.org
 SUPFILE=/etc/cvsup/stable-supfile
 PORTSSUPFILE=   /etc/cvsup/ports-supfile
 DOCSUPFILE= /etc/cvsup/doc-supfile



 Then, you just have to copy the sample supfiles to /etc/cvsup/

Then how do you update the system source, ports tree or doc?
Something with 'make'?  'make update' ?

For ports, I run
portsnap fetch update

For system source, I run 
csup /usr/share/examples/releng9-supfile

though I subsequently moved the releng9-supfile to /myconfig .


from Matthew Seaman m.sea...@infracaninophile.co.uk:

 The file you want is /usr/src/sys/conf/newvers.sh.  This is a script that
 edits version information into various source code files.  The bit you
 need is near the top of the file -- just following line 33:
 
 33  TYPE="FreeBSD"
 34  REVISION="9.0"
 35  BRANCH="RC1"
 36  if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 37      BRANCH=${BRANCH_OVERRIDE}
 38  fi
 39  RELEASE="${REVISION}-${BRANCH}"
 40  VERSION="${TYPE} ${RELEASE}"
 41  SYSDIR=$(dirname $0)/..
 
 Unfortunately the value you want is RELEASE, which is assembled from parts,
 so not trivially grep'able.  But you can easily see the REVISION is set
 to 9.0 and BRANCH is RC1 so the whole thing comes to 9.0-RC1.  Simple.

That's the file I was looking for, I was not familiar with that particular file 
name.

It's easy to find a needle in the haystack when somebody points it out to me!  
My thanks!

  Maybe also I should put this releng9-supfile in a safer place where
  it won't be deleted by the next installation/upgrade?
  
 No -- you shouldn't need to worry about that.  The name
 'releng9-supfile' you chose doesn't match anything produced by the
 system, so it won't be overwritten.  (Not that you shouldn't keep a
 backup somewhere -- that's only sensible.)
 
 Hmmm actually you have highlighted a small omission in the
 procedures for branching RELENG_9 and RELENG_9_0 -- the cvsup example
 supfiles  /usr/src/share/examples/{stable,standard}-supfile should be
 updated to match the branch they are installed from.  In your case both
 of those files should use the RELENG_9 tag, but that hasn't been
 committed yet.
  
 Cheers
 
 Matthew

Good point.  I had to make the little modification in the stable-supfile to 
accommodate RELENG_9 .

Since my current efforts are directed toward a working FreeBSD 9.0 system, I am 
not currently doing anything with 10-current.

Tom



Re: Upgrading libxul, dependency on Firefox 3

2011-10-22 Thread Polytropon
On Sat, 22 Oct 2011 09:32:47 +0200, Eduardo Morras wrote:
 As far as I know, the libxul port is inside ff3. Installing libxul 
 doesn't install ff3, only libxul. Perhaps it's an old libxul and the 
 newer one is inside ff7, so libxul port should point there, don't know that.

I'm not sure if it still applies, but in earlier Firefox
version transitions (and the consideration of dependencies)
some programs depending on libxul would install an outdated
Firefox version. The solution has been WITH_GECKO=libxul in
/etc/make.conf so only the current version of this library
would have been installed in the end.


-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...


Re: csup: How do I know I have correct version?

2011-10-22 Thread Matthew Seaman
On 22/10/2011 10:22, Thomas Mueller wrote:
 From: Damien Fleuriot m...@my.gd:

  From my /etc/make.conf:
  SUP_UPDATE= yes
  SUP=/usr/bin/csup
  SUPFLAGS=   -zgL 2
  SUPHOST=cvsup1.fr.freebsd.org
  SUPFILE=/etc/cvsup/stable-supfile
  PORTSSUPFILE=   /etc/cvsup/ports-supfile
  DOCSUPFILE= /etc/cvsup/doc-supfile
 
 
  Then, you just have to copy the sample supfiles to /etc/cvsup/
 Then how do you update the system source, ports tree or doc?
 Something with 'make'?  'make update' ?

make update is the correct command.

 For ports, I run
 portsnap fetch update
 
 For system source, I run 
 csup /usr/share/examples/releng9-supfile
 
 though I subsequently moved the releng9-supfile to /myconfig .

Don't define PORTSSUPFILE in /etc/make.conf if you're using portsnap(1).
 Apart from anything else, typing 'make update' in /usr/src will attempt
to cvsup not just the system sources but as well any of PORTS, DOC where
you've defined a ...SUPFILE.

In fact, without PORTSSUPFILE defined in /etc/make.conf typing 'make
update' in /usr/ports will invoke portsnap for you, so long as you
obtained the ports tree by 'portsnap fetch extract' originally.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
JID: matt...@infracaninophile.co.uk   Kent, CT11 9PW





Re: Help needed: sound/audio only semi-working

2011-10-22 Thread Polytropon
On Fri, 21 Oct 2011 18:29:25 -0700, Ronald F. Guilmette wrote:
 The really strange thing is that after I followed all the directions here:
 
http://www.freebsd.org/doc/en/books/handbook/sound-setup.html
 
 This command:
 
 cat /dev/random > /dev/dsp
 
 *does* produce quite a bit of white noise sound.  However when I perform
 the other officially recommended basic audio functionality test:
 
 cdcontrol -f /dev/acd0 play 1
 
 with one of my favorite old audio CDs in the drive (AND with that special
 little wire running from the back of the drive to my motherboard) all that
 happens is that the CD/DVD drive apparently _does_ start to read some stuff...
 as evidenced by the blinking access light in the front of the drive... but I
 still get no sound out, and YouTube videos still aren't giving me any audio
 even though the video seems to be playing perfectly.

Does the Handbook mention to check your mixer settings?
Make sure to try that. Use any simple-enough media
player to play some MP3, OGG or WAV file (e. g. per xmms
or whatever comes with your preferred desktop environment).
Make sure you have vol and pcm up.

% mixer
Mixer vol      is currently set to 100:100  <--- This.
Mixer pcm      is currently set to  84:84   <--- And this.
Mixer line     is currently set to  75:75
Mixer mic      is currently set to   0:0
Mixer cd       is currently set to  75:75   <--- This too.
Mixer rec      is currently set to  75:75
Mixer igain    is currently set to   0:0
Mixer monitor  is currently set to  75:75
Recording source: mic

The problem regarding audio CDs seems to be quite modern.
I also cannot play them anymore (but I don't have that
special wire installed at the moment). Audio is VIA HDA.



 So, um, I am grasping for ideas here on how I can debug this problem further.

Check mixer and play simple stuff. :-)



 So how can it be that this works just fine:
 
 cat /dev/random > /dev/dsp
 
 even while this:
 
   cdcontrol -f /dev/acd0 play 1
 
 causes the disk to spin up and read, but otherwise produces utter silence?

CD audio subsystem has been modernized. :-)



 P.S.  My motherboard (w/ onboard audio) is a Gigabyte GA-M55Plus-S3G.  Here
 is what I get when I cat /dev/sndstat:
 
 FreeBSD Audio Driver (newpcm: 64bit 2009061500/amd64)
 Installed devices:
 pcm0: HDA Realtek ALC883 PCM #0 Analog (play/rec) default
 pcm1: HDA Realtek ALC883 PCM #1 Analog (play/rec)
 pcm2: HDA Realtek ALC883 PCM #2 Digital (play/rec)


-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...


Re: Upgrading libxul, dependency on Firefox 3

2011-10-22 Thread Jerry
On Sat, 22 Oct 2011 12:45:11 +0200
Polytropon articulated:

 I'm not sure if it still applies, but in earlier Firefox
 version transitions (and the consideration of dependencies)
 some programs depending on libxul would install an outdated
 Firefox version. The solution has been WITH_GECKO=libxul in
 /etc/make.conf so only the current version of this library
 would have been installed in the end.

I haven't had that notation in my /etc/make.conf file in ages and I
am not experiencing the problems that the OP is reporting. Perhaps if
the OP gave a fuller description of his system, and perhaps a perusal
of his /etc/make.conf file a solution could be more readily deduced.

-- 
Jerry ✌
jerry+f...@seibercom.net

Disclaimer: off-list followups get on-list replies or ignored.
Do not CC this poster. Please do not ignore the Reply-To header.

http://www.catb.org/~esr/faqs/smart-questions.html


Breakin attempt

2011-10-22 Thread Admin ValhallaProjectet
Hello all

 

FreeBSD odin.thorshammare.org 8.2-STABLE FreeBSD 8.2-STABLE #0: Sat Oct 22
10:14:48 CEST 2011 ha...@odin.thorshammare.org:/usr/obj/usr/src/sys/ODIN
i386

Firewall PF. 

Blocking China and some other related countries in that region. 
Disabled ssh root logins

 

Apparently, I'm under some kind of attack,  for the last 3 days.

Lots of attempts to ssh in as root from many different IP addresses.

No bruteforce attempts.

This just puzzles me. Using all these resources ? To achieve what ?

Below is a one hour snip from my auth.log

Nothing unusual in pflog

Appreciate all ideas of how to proceed with this matter.

 

Best regards Hasse

 

Oct 22 12:00:19 odin sshd[14359]: error: PAM: authentication error for root
from server.fabian.cz

Oct 22 12:01:08 odin sshd[14365]: Address 87.105.187.194 maps to
client-arsmedica-2.wroclaw.dialog.net.pl, but this does not map back to the
address - POSSIBLE BREAK-IN ATTEMPT!

Oct 22 12:01:09 odin sshd[14365]: error: PAM: authentication error for root
from 87.105.187.194

Oct 22 12:02:59 odin sshd[14422]: error: PAM: authentication error for root
from 87.229.7.163

Oct 22 12:03:36 odin sshd[14865]: error: PAM: authentication error for root
from 201.25.53.34

Oct 22 12:03:53 odin sshd[15571]: error: PAM: authentication error for root
from 109.237.210.147

Oct 22 12:05:18 odin sshd[18357]: error: PAM: authentication error for root
from 12.222.202.34

Oct 22 12:05:36 odin sshd[18375]: error: PAM: authentication error for root
from mx.aysor.am

Oct 22 12:05:53 odin sshd[18537]: error: PAM: authentication error for root
from 190.129.11.76

Oct 22 12:07:06 odin sshd[19429]: Address 80.188.13.214 maps to
www.profitaxi.cz, but this does not map back to the address - POSSIBLE
BREAK-IN ATTEMPT!

Oct 22 12:07:06 odin sshd[19429]: error: PAM: authentication error for root
from 80.188.13.214

Oct 22 12:07:27 odin sshd[19542]: error: PAM: authentication error for root
from 85.185.180.48

Oct 22 12:08:05 odin sshd[19591]: error: PAM: authentication error for root
from 208.125.137.121

Oct 22 12:09:45 odin sshd[19629]: error: PAM: authentication error for root
from 83.14.240.10

Oct 22 12:10:53 odin sshd[19699]: error: PAM: authentication error for root
from 200.160.121.246

Oct 22 12:10:59 odin sshd[19702]: error: PAM: authentication error for root
from 151.1.183.216

Oct 22 12:11:38 odin sshd[19787]: error: PAM: authentication error for root
from crm.nepinc.com

Oct 22 12:12:16 odin sshd[19830]: error: PAM: authentication error for root
from 189.16.12.146

Oct 22 12:12:45 odin sshd[19843]: error: PAM: authentication error for root
from narro.uaaan.mx

Oct 22 12:14:14 odin sshd[19913]: error: PAM: authentication error for root
from 217.128.151.181

Oct 22 12:14:56 odin sshd[19925]: reverse mapping checking getaddrinfo for
panda.zsuvoz.cz [195.178.81.116] failed - POSSIBLE BREAK-IN ATTEMPT!

Oct 22 12:14:56 odin sshd[19925]: error: PAM: authentication error for root
from 195.178.81.116

Oct 22 12:16:14 odin sshd[19995]: error: PAM: authentication error for root
from 87.193.246.26

Oct 22 12:16:23 odin sshd[20008]: error: PAM: authentication error for root
from 219.94.144.230

Oct 22 12:16:39 odin sshd[20026]: error: PAM: authentication error for root
from 82.130.143.216

Oct 22 12:17:41 odin sshd[20073]: error: PAM: authentication error for root
from 87.193.246.26

Oct 22 12:17:52 odin sshd[20102]: error: PAM: authentication error for root
from 82.130.143.216

Oct 22 12:21:16 odin sshd[20268]: error: PAM: authentication error for root
from 203.141.158.120

Oct 22 12:21:34 odin sshd[20286]: error: PAM: authentication error for root
from 208.125.137.121

Oct 22 12:22:05 odin sshd[20326]: reverse mapping checking getaddrinfo for
86-100-134-185-ip.balticum.lt [86.100.134.185] failed - POSSIBLE BREAK-IN
ATTEMPT!

Oct 22 12:22:05 odin sshd[20326]: error: PAM: authentication error for root
from 86.100.134.185

Oct 22 12:22:22 odin sshd[20339]: error: PAM: authentication error for root
from 201.232.69.113

Oct 22 12:23:35 odin sshd[20428]: error: PAM: authentication error for root
from 87.229.7.163

Oct 22 12:23:58 odin sshd[20486]: error: PAM: authentication error for root
from 65.161.248.26

Oct 22 12:24:39 odin sshd[20605]: error: PAM: authentication error for root
from 210.238.91.147

Oct 22 12:25:08 odin sshd[21400]: error: PAM: authentication error for root
from 12.222.202.34

Oct 22 12:26:08 odin sshd[23744]: error: PAM: authentication error for root
from zodiaq3d.info

Oct 22 12:26:56 odin sshd[23747]: error: PAM: authentication error for root
from mx.cbc-group.kz

Oct 22 12:30:26 odin sshd[23752]: error: PAM: authentication error for root
from 190.152.145.53

Oct 22 12:30:54 odin sshd[23757]: error: PAM: authentication error for root
from 80.24.95.85

Oct 22 12:30:59 odin sshd[23759]: error: PAM: authentication error for root
from 200.183.172.2

Oct 22 12:31:13 odin sshd[23755]: error: PAM: authentication error for root
from starless.com.pl

Oct 22 12:31:38 odin 
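
The log above shows many sources, each trying root only once or twice, which is the shape a per-address failure threshold never trips on. As an added example (not part of the original post), this C program tallies the `PAM: authentication error for root` lines by source and flags that shape; the sample lines are constructed with documentation addresses, and the function names and thresholds are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SOURCES 64
#define SRC_LEN     64

/* Per-source tally of failed root logins. */
struct tally {
    char src[MAX_SOURCES][SRC_LEN];
    int  hits[MAX_SOURCES];
    int  nsrc;      /* distinct sources seen */
    int  total;     /* failed root logins counted */
    int  max_hits;  /* most failures from any one source */
};

static const char MARK[] = "error: PAM: authentication error for root from ";

/* Count one auth.log line; returns 1 if it was a failed root login via sshd. */
int tally_line(struct tally *t, const char *line)
{
    const char *p;
    char src[SRC_LEN];
    size_t n;
    int i;

    if (strstr(line, " sshd[") == NULL || (p = strstr(line, MARK)) == NULL)
        return 0;
    p += sizeof(MARK) - 1;
    n = strcspn(p, " \t\r\n");          /* source is the last token */
    if (n == 0 || n >= SRC_LEN)
        return 0;
    memcpy(src, p, n);
    src[n] = '\0';

    /* sshd logs a hostname or an address, so one host may appear twice;
     * nsrc is therefore an upper bound on distinct hosts. */
    for (i = 0; i < t->nsrc; i++)
        if (strcmp(t->src[i], src) == 0)
            break;
    if (i == t->nsrc) {
        if (t->nsrc == MAX_SOURCES)
            return 0;                   /* table full: line is not counted */
        strcpy(t->src[i], src);
        t->hits[i] = 0;
        t->nsrc++;
    }
    t->hits[i]++;
    t->total++;
    if (t->hits[i] > t->max_hits)
        t->max_hits = t->hits[i];
    return 1;
}

struct tally scan_lines(const char *const *lines, size_t n)
{
    struct tally t;
    size_t i;

    memset(&t, 0, sizeof t);
    for (i = 0; i < n; i++)
        tally_line(&t, lines[i]);
    return t;
}

/* Distributed guessing: many sources, none of them noisy on its own. */
int looks_distributed(const struct tally *t, int min_sources, int per_src_limit)
{
    return t->nsrc >= min_sources && t->max_hits <= per_src_limit;
}

/* Constructed sample in the format of the log above (not real hosts). */
static const char *const SAMPLE[] = {
    "Oct 22 12:00:19 host sshd[14359]: error: PAM: authentication error for root from gw.example.net",
    "Oct 22 12:01:08 host sshd[14365]: Address 192.0.2.10 maps to a.example.org, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!",
    "Oct 22 12:01:09 host sshd[14365]: error: PAM: authentication error for root from 192.0.2.10",
    "Oct 22 12:02:59 host sshd[14422]: error: PAM: authentication error for root from 198.51.100.7",
    "Oct 22 12:03:36 host sshd[14865]: error: PAM: authentication error for root from 203.0.113.44",
    "Oct 22 12:05:18 host sshd[18357]: error: PAM: authentication error for root from 192.0.2.10",
    "Oct 22 12:05:36 host sshd[18375]: error: PAM: authentication error for root from 198.51.100.99",
    "Oct 22 12:07:27 host sshd[19542]: error: PAM: authentication error for root from 203.0.113.5",
    "Oct 22 12:09:00 host sshd[19600]: Accepted publickey for admin from 192.0.2.200 port 50000 ssh2",
};

struct tally scan_sample(void)
{
    return scan_lines(SAMPLE, sizeof SAMPLE / sizeof SAMPLE[0]);
}

int main(void)
{
    struct tally t = scan_sample();

    printf("%d failed root logins from %d sources, at most %d per source\n",
           t.total, t.nsrc, t.max_hits);
    printf("distributed pattern: %s\n",
           looks_distributed(&t, 5, 3) ? "yes" : "no");
    return 0;
}
```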

Configuring IPFW

2011-10-22 Thread Carmel
I am attempting to set up a firewall using IPFW with a stateful
behavior.

While I have investigated how to set up these rules, I have run into
conflicting opinions as to whether to allow or deny established
behavior.

EXAMPLE: (preceded by a checkstate rule)

allow tcp from any to any established


Some documentation states that it should be denied and others say it
should be allowed. Neither has given me a convincing reason to follow
either scenario or any real documentation either for that fact.

If possible, could someone with some real firewall knowledge and
familiarity with IPFW please give me some advice.

Thanks!

-- 
Carmel ✌
carmel...@hotmail.com



Re: Breakin attempt

2011-10-22 Thread Matthias Apitz
On Saturday, October 22, 2011 at 03:43:44PM +0200, Admin 
ValhallaProjectet wrote:

 Hello all
 
  
 
 FreeBSD odin.thorshammare.org 8.2-STABLE FreeBSD 8.2-STABLE #0: Sat Oct 22
 10:14:48 CEST 2011 ha...@odin.thorshammare.org:/usr/obj/usr/src/sys/ODIN
 i386
 
 Firewall PF. 
 
 Blocking China and some other related countries in that region. 

This 'rule' is interesting. What are 'other related countries in that
region' exactly or as regular expression? United States? :-)

 Disabled ssh root logins

Disable PAM, i.e. set ChallengeResponseAuthentication to 'no'.

HIH

matthias
-- 
Matthias Apitz
t +49-89-61308 351 - f +49-89-61308 399 - m +49-170-4527211
e g...@unixarea.de - w http://www.unixarea.de/


Re: trying to learn systems programming, fear I have not understood and thus messed up

2011-10-22 Thread Christopher J. Ruwe
On Fri, 21 Oct 2011 18:53:33 +0200
Christopher J. Ruwe c...@cruwe.de wrote:

 [...]
 
 I have tried to follow the suggestion from the comment by modifying
 the else-statement thus:
 
 } else {
   struct passwd *trgpwd;
   if (!(trgpwd = GETPWNAM(arg->val)))
      errx(EX_DATAERR, "User %s does not exist", arg->val);
 
   if (strcmp(a_name->val, "root") == 0)
      errx(EX_DATAERR, "can't change uid of `root' account");
   if (strcmp(trgpwd->pw_name, "root") == 0)
      warnx("WARNING: account `%s' will have a uid of 0 (superuser access!)", pwd->pw_name);
 
   pwd->pw_uid = (uid_t) (trgpwd->pw_uid);
   edited = 1;
 }
 
 What happens is not what I intended. I invoke as sudo ./pw usermod
 testuser1 -u testuser2. I can get testuser2's pwd-entry by GETPWNAM
 all right, but when I assign the pw_uid, so as to make testuser2's uid
 the same as testuser1's and imagining to retain all other values, ./pw
 reports pw: user 'testuser2' disappeared during update and the
 testuser2's /etc/passwd entry is replaced by testuser1's.
 
 I fear I have not understood GETPWNAM correctly, as it seems to
 replace the struct pwd as some sort of side effect. I could manually
 set all pwd-members to the correct ones (those of testuser2), but I
 fear that I have messed something up beforehand.
 
 I am grateful for any suggestions and/or correction. 

It seems I have indeed not understood GETPWNAM correctly. I have worked
out a method which works by calling GETPWNAM twice:

  else {
    /*
     * operation as follows:
     * a_name->val is passed as usermod uname
     * arg->val is passed as -u uname
     *
     * first check if we do something stupid, i.e., want
     * to set root uid to some other users uid or
     * to set some user account's uid to root uid.
     * then get pwd to that of uname passed as -u uname.
     * store uid from that pwdent.
     * get pwd to that of uname passed as usermod uname
     * change uid of that latter uid to the one stored
     */

    if(strcmp(a_name->val, "root") == 0)
      errx(EX_DATAERR, "can't change uid of `root' account");

    if(strcmp(arg->val, "root") == 0)
      warnx("WARNING: account `%s' will have a uid of 0 (superuser access!)", pwd->pw_name);

    if(!(pwd = GETPWNAM(arg->val))) /* -u uname */
      errx(EX_DATAERR, "User %s does not exist", arg->val);
    int alias_uid = pwd->pw_uid;

    if(!(pwd = GETPWNAM(a_name->val))) /* usermod uname */
      errx(EX_DATAERR, "User %s does not exist", a_name->val);

    pwd->pw_uid = (uid_t) alias_uid;
    warnx("User %s's uid changed to %d", pwd->pw_name, pwd->pw_uid);
    edited = 1;
  }

As I still do not know why the latter variant of my code worked and the
former does not, I would still appreciate any comment or explanation which 
would help me understand GETPWNAM and getpwnam.

Thanks and cheers,
-- 
Christopher J. Ruwe
TZ GMT + 2





Re: Breakin attempt

2011-10-22 Thread Bruce Cran

On 22/10/2011 14:43, Admin ValhallaProjectet wrote:

Apparently, I'm under some kind of attack,  for the last 3 days.

Lots of attempts to ssh in as root from many different IP addresses.

No bruteforce attempts.



Appreciate all ideas of how to proceed with this matter.



Keep calm and carry on?
I suspect that these sorts of attacks are fairly normal if you're 
running ssh on the standard port. I used to have lots of 'break-in 
attempts' before I moved the ssh server to a different port.


--
Bruce Cran


Re: Breakin attempt

2011-10-22 Thread Polytropon
On Sat, 22 Oct 2011 15:08:50 +0100, Bruce Cran wrote:
 I suspect that these sorts of attacks are fairly normal if you're 
 running ssh on the standard port. I used to have lots of 'break-in 
 attempts' before I moved the ssh server to a different port.

Is there _any_ reason why moving from port 22 to something
different is _not_ a solution?

Reason why I'm asking: Moving SSH away from its default port
seems to be a relatively good solution as break-in attempts
concentrate on default ports. So in case a sysadmin decides
to move SSH to a hidden location, what could be an argument
against this decision?




-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...


Re: Breakin attempt

2011-10-22 Thread Bruce Cran

On 22 Oct 2011, at 15:12, Polytropon wrote:

 On Sat, 22 Oct 2011 15:08:50 +0100, Bruce Cran wrote:
 I suspect that these sorts of attacks are fairly normal if you're 
 running ssh on the standard port. I used to have lots of 'break-in 
 attempts' before I moved the ssh server to a different port.
 
 Is there _any_ reason why moving from port 22 to something
 different is _not_ a solution?

If you run some sort of shell server, or where many people need to login using 
ssh, you'll have a bit of a support problem telling people to select the 
non-default port. Also, some might consider it security through obscurity, 
which is often said to be a bad thing.

-- 
Bruce Cran



SV: Breakin attempt

2011-10-22 Thread Hasse Hansson


-Original message-
From: owner-freebsd-questi...@freebsd.org
[mailto:owner-freebsd-questi...@freebsd.org] On behalf of Matthias Apitz
Sent: 22 October 2011 15:59
To: Admin ValhallaProjectet
Cc: freebsd-questions@freebsd.org
Subject: Re: Breakin attempt

On Saturday, October 22, 2011 at 03:43:44PM +0200, Admin
ValhallaProjectet wrote:

 Hello all
 
  
 
 FreeBSD odin.thorshammare.org 8.2-STABLE FreeBSD 8.2-STABLE #0: Sat Oct 22
 10:14:48 CEST 2011
ha...@odin.thorshammare.org:/usr/obj/usr/src/sys/ODIN
 i386
 
 Firewall PF. 
 
 Blocking China and some other related countries in that region. 

This 'rule' is interesting. What are 'other related countries in that
region' exactly or as regular expression? United States? :-)

 Disabled ssh root logins

Disable PAM, i.e. set ChallengeResponseAuthentication to 'no'.

HIH

matthias
-- 
Matthias Apitz
t +49-89-61308 351 - f +49-89-61308 399 - m +49-170-4527211
e g...@unixarea.de - w http://www.unixarea.de/

Thank you for your answer.
Well, I meant The Far East region. Without going into details, that's where
I've received most of my spam and hack attacks from thus far.
Will start with changing port and see how far that will take me.

Best regards
Hasse. 


Re: Breakin attempt

2011-10-22 Thread Michael Powell
Polytropon wrote:

 On Sat, 22 Oct 2011 15:08:50 +0100, Bruce Cran wrote:
 I suspect that these sorts of attacks are fairly normal if you're
 running ssh on the standard port. I used to have lots of 'break-in
 attempts' before I moved the ssh server to a different port.
 
 Is there _any_ reason why moving from port 22 to something
 different is _not_ a solution?
 
 Reason why I'm asking: Moving SSH away from its default port
 seems to be a relatively good solution as break-in attempts
 concentrate on default ports. So in case a sysadmin decides
 to move SSH to a hidden location, what could be an argument
 against this decision?
 

One such relatively minor argument might be the use by external entities for 
the ability to connect in a standardized way. Such a client may need to 
connect but has no way of knowing in advance what port to use. The only 
readily available means for them to locate you might be DNS, with them only 
knowing you by hostname. 

I tend to discount this as they would still need some form of auth, whether 
a user account/password combination or a certificate. In either case, this 
needs to be configured in advance - so there's no reason a port number 
couldn't be included when communicating how to login to the third party.

There is also some remote possibility that the third party has some internal 
(albeit brain-dead) policy of mandating the use of some software that cannot 
be configured to use a port other than 22. I would consider such a software 
to be inherently 'broken by design', and not a good enough reason for me to 
'break' my system just to make them happy. After all, aren't they the ones 
who want to connect to me and shouldn't the responsibility be on them to do 
it in accordance with what I have configured?

I restrict any SSH access to my systems to certificate only, with password 
turned off. Only a trusted few will have these certificates, and these people 
will know what port to use because I told them. Just changing the port to 
some high number non well-known will not entirely stop a port scan if said 
scan is walking up every single port one after another. But simply changing 
it to something like 42347 works wonders for knocking down about 90% of 
script-kiddies.

I just don't see SSH as the best tool for giving anonymous remote-access to 
the general public of the IntarWebZ in general. If access is not anonymous 
there must be some admin config done previous to the access. Providing 
anonymous access via SSH sort of defeats the purpose for using SSH in the 
first place.   :-)

Just my $.02 - Mike




Re: trying to learn systems programming, fear I have not understood and thus messed up

2011-10-22 Thread Fabian Keil
Christopher J. Ruwe c...@cruwe.de wrote:

 On Fri, 21 Oct 2011 18:53:33 +0200
 Christopher J. Ruwe c...@cruwe.de wrote:
 
  [...]
  
  I have tried to follow the suggestion from the comment by modifying
  the else-statement thus:
  
  } else {
    struct passwd *trgpwd;
    if (!(trgpwd = GETPWNAM(arg->val)))
       errx(EX_DATAERR, "User %s does not exist", arg->val);
  
    if (strcmp(a_name->val, "root") == 0)
       errx(EX_DATAERR, "can't change uid of `root' account");
    if (strcmp(trgpwd->pw_name, "root") == 0)
       warnx("WARNING: account `%s' will have a uid of 0 (superuser access!)", pwd->pw_name);
  
    pwd->pw_uid = (uid_t) (trgpwd->pw_uid);
    edited = 1;
  }
  
  What happens is not what I intended. I invoke as sudo ./pw usermod
  testuser1 -u testuser2. I can get testuser2's pwd-entry by GETPWNAM
  all right, but when I assign the pw_uid, so as to make testuser2's uid
  the same as testuser1's and imagining to retain all other values, ./pw
  reports pw: user 'testuser2' disappeared during update and the
  testuser2's /etc/passwd entry is replaced by testuser1's.
  
  I fear I have not understood GETPWNAM correctly, as it seems to
  replace the struct pwd as some sort of side effect. I could manually
  set all pwd-members to the correct ones (those of testuser2), but I
  fear that I have messed something up beforehand.
  
  I am grateful for any suggestions and/or correction. 
 
 It seems I have indeed not understood GETPWNAM correctly. I have worked
 out a method which works by calling GETPWNAM twice:
 
   else {
     /*
      * operation as follows:
      * a_name->val is passed as usermod uname
      * arg->val is passed as -u uname
      *
      * first check if we do something stupid, i.e., want
      * to set root uid to some other users uid or
      * to set some user account's uid to root uid.
      * then get pwd to that of uname passed as -u uname.
      * store uid from that pwdent.
      * get pwd to that of uname passed as usermod uname
      * change uid of that latter uid to the one stored
      */
 
     if(strcmp(a_name->val, "root") == 0)
       errx(EX_DATAERR, "can't change uid of `root' account");
 
     if(strcmp(arg->val, "root") == 0)
       warnx("WARNING: account `%s' will have a uid of 0 (superuser access!)", pwd->pw_name);
 
     if(!(pwd = GETPWNAM(arg->val))) /* -u uname */
       errx(EX_DATAERR, "User %s does not exist", arg->val);
     int alias_uid = pwd->pw_uid;
 
     if(!(pwd = GETPWNAM(a_name->val))) /* usermod uname */
       errx(EX_DATAERR, "User %s does not exist", a_name->val);
 
     pwd->pw_uid = (uid_t) alias_uid;
     warnx("User %s's uid changed to %d", pwd->pw_name, pwd->pw_uid);
     edited = 1;
   }
 
 As I still do not know why the latter variant of my code worked and the
 former does not, I would still appreciate any comment or explanation
 which would help me understand GETPWNAM and getpwnam.

I'm not familiar with the code you're working with,
but according to the man page getpwnam() isn't thread
safe so you probably shouldn't mess with the returned
pointer in the first place and only treat the one
returned by the last call as valid.

Did you try using getpwnam_r() instead?

Fabian
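
The behaviour this reply points at, as an added example (not code from the thread or from pw(8)): getpwnam(3) may hand back the same static storage on every call, so a pointer kept from an earlier lookup silently changes user, while getpwnam_r(3) fills caller-owned storage. It calls the libc functions directly and assumes the GETPWNAM wrapper in the pw source returns the same kind of reused storage; the function names and the default user "daemon" are hypothetical, and nothing is written back to the password database.

```c
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define PWBUF 4096  /* scratch space for one entry's strings */

/*
 * Returns 1 if the entry fetched for `first` no longer names `first` after a
 * second getpwnam() call (libc reused its static storage), 0 if it still
 * does, -1 if either user does not exist.
 */
int static_entry_clobbered(const char *first, const char *second)
{
    struct passwd *a = getpwnam(first);

    if (a == NULL)
        return -1;
    if (getpwnam(second) == NULL)
        return -1;
    /* `a` was not touched by this code, yet it may now describe `second`. */
    return strcmp(a->pw_name, first) != 0;
}

/* Look `name` up into caller-owned storage: 0 found, 1 no such user, -1 error. */
int lookup_user(const char *name, struct passwd *out, char *buf, size_t buflen)
{
    struct passwd *res = NULL;
    int rc = getpwnam_r(name, out, buf, buflen, &res);

    if (rc != 0) {          /* e.g. ERANGE when buf is too small */
        errno = rc;
        return -1;
    }
    return res == NULL ? 1 : 0;
}

/*
 * Build in `out` the entry of `target` with its uid replaced by the uid of
 * `donor` (the `pw usermod target -u donor` case from the thread).  Each
 * lookup has its own buffer, so neither result can overwrite the other.
 * Returns 0 on success, 1 if a user is missing, -1 on lookup error,
 * -2 if asked to change root's uid.
 */
int entry_with_uid_of(const char *target, const char *donor,
                      struct passwd *out, char *buf, size_t buflen)
{
    struct passwd dpw;
    char dbuf[PWBUF];
    int rc;

    if (strcmp(target, "root") == 0)
        return -2;
    if ((rc = lookup_user(donor, &dpw, dbuf, sizeof dbuf)) != 0)
        return rc;
    if ((rc = lookup_user(target, out, buf, buflen)) != 0)
        return rc;
    out->pw_uid = dpw.pw_uid;   /* every other field still belongs to target */
    return 0;
}

int main(int argc, char **argv)
{
    /* "daemon" is only an assumed default; pass two user names to override. */
    const char *target = argc > 2 ? argv[1] : "daemon";
    const char *donor  = argc > 2 ? argv[2] : "root";
    struct passwd pw;
    char buf[PWBUF];
    int rc;

    printf("static storage reused by second getpwnam(): %d\n",
           static_entry_clobbered(target, donor));

    rc = entry_with_uid_of(target, donor, &pw, buf, sizeof buf);
    if (rc != 0) {
        fprintf(stderr, "lookup failed (%d)\n", rc);
        return 1;
    }
    if (pw.pw_uid == 0)
        fprintf(stderr, "warning: %s would have uid 0 (superuser access)\n",
                pw.pw_name);
    printf("%s would get uid %lu, home stays %s\n",
           pw.pw_name, (unsigned long)pw.pw_uid, pw.pw_dir);
    return 0;
}
```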




Groupware like OX for FreeBSD?

2011-10-22 Thread Hartmann, O.
I'd like to know whether the power to serve OS FreeBSD is also capable
of hosting a groupware like OX. I want to build a groupware server and
found OX really nice. Our lab's administration is using OX.
I can't find equivalent software for FreeBSD, but I may lack in the
right termini and so I do not find something suitable in the ports.

Does anyone have suggestions?

Regards,
Oliver

P.S. I doubt that OX is ever working for FreeBSD as a native application?


Re: Breakin attempt

2011-10-22 Thread Polytropon
Thanks for your statement.

On Sat, 22 Oct 2011 10:54:49 -0400, Michael Powell wrote:
 One such relatively minor argument might be the use by external entities for 
 the ability to connect in a standardized way. Such a client may need to 
 connect but has no way of knowing in advance what port to use. The only 
 readily available means for them to locate you might be DNS, with them only 
 knowing you by hostname. 

This might be debatable in case of public services, but
is not a problem in a somewhat contract-driven service
where terms of use exist, as well as instructions on how
to use the service. That's why I said this argument would
go to the pragmatic (or organisatoric) section, not to the
technical one. :-)



 I tend to discount this as they would still need some form of auth, whether 
 a user account/password combination or a certificate. In either case, this 
 needs to be configured in advance - so there's no reason a port number 
 couldn't be included when communicating how to login to the third party.

Fully agree.



 There is also some remote possibility that the third party has some internal 
 (albeit brain-dead) policy of mandating the use of some software that cannot 
 be configured to use a port other than 22. I would consider such a software 
 to be inherently 'broken by design', and not a good enough reason for me to 
 'break' my system just to make them happy. After all, aren't they the ones 
 who want to connect to me and shouldn't the responsibility be on them to do 
 it in accordance with what I have configured?

That would have been my next idea: The problem that
suddenly appears when someone tries to connect to the
system with a program _not_ supplied with the contract,
trying :22 and complaining it no workin! -- that's not
a problem at all: You are not supposed to use that program
or try to login that way. Please refer to the documentation
on how to properly do it. It's comparable to someone trying
to connect to a web server with a MUA. :-)



 I restrict any SSH access to my systems to certificate only, with password 
 turned off. Only a trusted few will have these certificates, and these people 
 will know what port to use because I told them.

Usable approach, although I try to educate about strong (!)
passwords and strong password rules. I see certificates as
the next stage of security _added_ to username/password.



 Just changing the port to 
 some high number non well-known will not entirely stop a port scan if said 
 scan is walking up every single port one after another.

Yes, I didn't assume the approach would _not_ show up in a
portscan. :-)

Still a portscan is the minority in wide-area attacks.



 But simply changing 
 it to something like 42347 works wonders for knocking down about 90% of 
 script-kiddies.

I thought so. The main attacks address the _default_ port,
and those are mostly static, i. e. they don't try other
ports or search for them.



 I just don't see SSH as the best tool for giving anonymous remote-access to 
 the general public of the IntarWebZ in general.

Oh, I was _not_ asking about anonymous access, that's what
the WebTuberZ'n'Stuff'Load is for. :-)



 If access is not anonymous 
 there must be some admin config done previous to the access.

The only valid choice here.



 Providing 
 anonymous access via SSH sort of defeats the purpose for using SSH in the 
 first place.   :-)

The words anonymous access and secure shell do contradict.
My EUR 0.02. :-)



-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...


SV: Breakin attempt

2011-10-22 Thread Hasse Hansson


-Original message-
From: owner-freebsd-questi...@freebsd.org
[mailto:owner-freebsd-questi...@freebsd.org] On behalf of Polytropon
Sent: 22 October 2011 16:13
To: Bruce Cran
Cc: freebsd-questions@freebsd.org
Subject: Re: Breakin attempt

On Sat, 22 Oct 2011 15:08:50 +0100, Bruce Cran wrote:
 I suspect that these sorts of attacks are fairly normal if you're 
 running ssh on the standard port. I used to have lots of 'break-in 
 attempts' before I moved the ssh server to a different port.

Is there _any_ reason why moving from port 22 to something
different is _not_ a solution?

Reason why I'm asking: Moving SSH away from its default port
seems to be a relatively good solution as break-in attempts
concentrate on default ports. So in case a sysadmin decides
to move SSH to a hidden location, what could be an argument
against this decision?




-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...

Thank you all, Polytropon, Matthias, Bruce and Michael, for your answers.
No, no reason at all to not change from port 22, and I will follow that
advice.
And my plan is to move away from password based ssh logins in the future.
I've been running this server for educational purposes for several years,
but this is the first time I've had a break-in attempt going on for this
long a time.

It doesn't bother me more than cluttering up my logfiles, but I got curious
if this attempt was originating from one person.

All the Best to you all
Hasse




Re: SV: Breakin attempt

2011-10-22 Thread Polytropon
On Sat, 22 Oct 2011 17:10:44 +0200, Hasse Hansson wrote:
 It doesn't bother me more than cluttering up my logfiles, but I got curious
 if this attempt was originating from one person.

That's problematic... in many cases, attackers do hijack
home PCs or corporate networks to do their dirty work
without the actual users noticing. In such a case, you
could conclude that the attack has been originated by
one person, but carried out by several ones (or, to be
precise, by their PCs). Attackers explore networks and
turn them into tools they use themselves, or they sell
them to others who then use them (e. g. for further
exploration, SSH attacks, spamming, illegal data storage
and so on).



-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
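
An added example, not part of any message in this thread: one way to check a log for the pattern described above (many machines, each trying only a few times) is to count failed logins per source. It is written in C and runs over constructed lines in the sshd format quoted in the thread; the function names, the addresses and the choice of 3 failures per 60 seconds (the figure used in a PF rule elsewhere in this thread) are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SRC   64
#define MAX_TIMES 32

struct source {
    char host[64];
    int n;              /* failures seen from this source */
    int t[MAX_TIMES];   /* failure times, seconds since midnight */
    int over_rate;      /* more than `limit` failures within `window` */
};

struct summary {
    int failures, sources;  /* matching lines, distinct source hosts */
    int max_per_source;     /* busiest single source */
    int over_rate;          /* sources a per-source rate limit would flag */
};

/* Pull time of day and source host out of one "authentication error" line. */
static int parse_line(const char *line, int *secs, char *host)
{
    int h, m, s;
    const char *p = strstr(line, "authentication error for ");

    if (p == NULL || sscanf(line, "%*s %*d %d:%d:%d", &h, &m, &s) != 3)
        return -1;
    if (sscanf(p, "authentication error for %*s from %63s", host) != 1)
        return -1;
    *secs = h * 3600 + m * 60 + s;
    return 0;
}

/* Assumption: lines are in time order and all from the same day. */
struct summary analyse(const char *const *lines, int nlines, int limit, int window)
{
    struct source src[MAX_SRC];
    struct summary sum = {0, 0, 0, 0};
    int nsrc = 0;

    memset(src, 0, sizeof src);
    for (int i = 0; i < nlines; i++) {
        char host[64];
        int secs, k;

        if (parse_line(lines[i], &secs, host) != 0)
            continue;                       /* not a failed-login line */
        sum.failures++;
        for (k = 0; k < nsrc && strcmp(src[k].host, host) != 0; k++)
            ;
        if (k == nsrc) {
            if (nsrc == MAX_SRC)
                continue;                   /* table full: count the failure only */
            strcpy(src[nsrc++].host, host);
        }
        if (src[k].n < MAX_TIMES) {
            src[k].t[src[k].n] = secs;
            /* is this failure number limit+1 inside one window? */
            if (src[k].n >= limit && secs - src[k].t[src[k].n - limit] < window)
                src[k].over_rate = 1;
            src[k].n++;
        }
    }
    for (int k = 0; k < nsrc; k++) {
        if (src[k].n > sum.max_per_source)
            sum.max_per_source = src[k].n;
        sum.over_rate += src[k].over_rate;
    }
    sum.sources = nsrc;
    return sum;
}

/* Constructed sample: several sources, each trying root once or twice. */
const char *const distributed[] = {
    "Oct 22 12:00:19 examplehost sshd[101]: error: PAM: authentication error for root from 192.0.2.10",
    "Oct 22 12:01:08 examplehost sshd[102]: Address 198.51.100.7 maps to host.example.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!",
    "Oct 22 12:01:09 examplehost sshd[102]: error: PAM: authentication error for root from 198.51.100.7",
    "Oct 22 12:02:59 examplehost sshd[103]: error: PAM: authentication error for root from 203.0.113.20",
    "Oct 22 12:05:36 examplehost sshd[104]: error: PAM: authentication error for root from bot.example.net",
    "Oct 22 12:07:27 examplehost sshd[105]: error: PAM: authentication error for root from 192.0.2.44",
    "Oct 22 12:16:14 examplehost sshd[106]: error: PAM: authentication error for root from 203.0.113.20",
    "Oct 22 12:17:41 examplehost sshd[107]: error: PAM: authentication error for root from 192.0.2.10",
};

/* Constructed sample: one source retrying quickly. */
const char *const burst[] = {
    "Oct 22 12:00:01 examplehost sshd[201]: error: PAM: authentication error for root from 203.0.113.99",
    "Oct 22 12:00:05 examplehost sshd[202]: error: PAM: authentication error for root from 203.0.113.99",
    "Oct 22 12:00:09 examplehost sshd[203]: error: PAM: authentication error for root from 203.0.113.99",
    "Oct 22 12:00:14 examplehost sshd[204]: error: PAM: authentication error for root from 203.0.113.99",
};

int main(void)
{
    struct summary d = analyse(distributed, 8, 3, 60);
    struct summary b = analyse(burst, 4, 3, 60);

    printf("distributed: %d failures, %d sources, %d over rate\n", d.failures, d.sources, d.over_rate);
    printf("burst:       %d failures, %d sources, %d over rate\n", b.failures, b.sources, b.over_rate);
    return 0;
}
```

In the distributed sample no single source exceeds the per-source threshold, so only the spread across sources shows that the attempts belong together.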


Re: Breakin attempt

2011-10-22 Thread Robert Bonomi

 Date: Sat, 22 Oct 2011 16:12:42 +0200
 From: Polytropon free...@edvax.de
 Subject: Re: Breakin attempt

 On Sat, 22 Oct 2011 15:08:50 +0100, Bruce Cran wrote:
  I suspect that these sorts of attacks are fairly normal if you're 
  running ssh on the standard port. I used to have lots of 'break-in 
  attempts' before I moved the ssh server to a different port.

 Is there _any_ reason why moving from port 22 to something
 different is _not_ a solution?

 Reason why I'm asking: Moving SSH away from its default port
 seems to be a relatively good solution as break-in attempts
 concentrate on default ports. So in case a sysadmin decides
 to move SSH to a hidden location, what could be an argument
 against this decision?

Arguments against doing so are generally based on the 'security by
obscurity' is not security concept.

That argument _is_ 'technically accurate'. grin

Moving sshd to a non-standard port does _not_ do anything to make the 
system any more secure.

Of course, as long as one understands that that _is_ the case, and
is doing it for 'some other' defensible reason -- such as to eliminate
logfile 'noise' from script-kiddie 'doorknob rattlers' -- doing so
*is* perfectly reasonable.

*I* do it on _my_ machines, expressly for the reason stated in the prior
paragraph.



Re: [freebsd-questions] Breakin attempt

2011-10-22 Thread Howard Jones
On 22/10/2011 15:37, Bruce Cran wrote:
 If you run some sort of shell server, or where many people need to
 login using ssh, you'll have a bit of a support problem telling people
 to select the non-default port. Also, some might consider it security
 through obscurity, which is often said to be a bad thing. 
Security through obscurity is only really a bad thing if it's your ONLY
security. It doesn't hurt to make things harder for someone in addition
to your other measures (strong passwords, large keys, limited network
ranges etc)

Howie


Re: [freebsd-questions] Breakin attempt

2011-10-22 Thread Chad Perrin
On Sat, Oct 22, 2011 at 03:58:20PM +0100, Howard Jones wrote:
 On 22/10/2011 15:37, Bruce Cran wrote:
  If you run some sort of shell server, or where many people need to
  login using ssh, you'll have a bit of a support problem telling people
  to select the non-default port. Also, some might consider it security
  through obscurity, which is often said to be a bad thing. 
 Security through obscurity is only really a bad thing if it's your ONLY
 security. It doesn't hurt to make things harder for someone in addition
 to your other measures (strong passwords, large keys, limited network
 ranges etc)

Actually, security through obscurity is always bad.  The fact, however,
is that something that could be used for security through obscurity is
not automatically always a security through obscurity measure.  Are you
using a nonstandard port assignment for security, or just to make your
logs cleaner?  If you realize that moving SSH to a nonstandard port will
not in any way protect you from a targeted attack, and only do so to
clean up logs and reduce local SSH daemon activity from pointless
low-hanging fruit attacks, while using other (better) techniques to
actually properly secure the box, you aren't employing a security
through obscurity plan at all.

Security through obscurity isn't the technique; it's the purpose to
which a technique is directed.  If what you're doing isn't intended as a
security measure, it's something other than security through obscurity,
and you shouldn't beat yourself up over it.

If you have no specific need to keep SSH on 22, definitely move a
public-facing SSH server to a nonstandard port, for reasons unrelated to
actual intrusion security.

-- 
Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ]




Re: Breakin attempt

2011-10-22 Thread Chad Perrin
On Sat, Oct 22, 2011 at 10:23:23AM -0500, Robert Bonomi wrote:
 
 Arguments against doing so are generally based on the 'security by
 obscurity' is not security concept.
 
 That argument _is_ 'technically accurate'. grin
 
 Moving sshd to a non-standard port does _not_ do anything to make the 
 system any more secure.
 
 Of course, as long as one understands that that _is_ the case, and
 is doing it for 'some other' defensible reason -- such as to eliminate
 logfile 'noise' from script-kiddie 'doorknob rattlers' -- doing so
 *is* perfectly reasonable.
 
 *I* do it on _my_ machines, expressly for the reason stated in the prior
 paragraph.

I should have finished reading the thread before sending my own reply on
a different branch of the discussion.  This is (stated differently)
pretty much exactly the message I meant to convey.

-- 
Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ]




Fwd: re: thefish-0.6.6_5 is marked as broken: does not build [FreeBSD9.0]

2011-10-22 Thread Alexander Kapshuk

howdy,

when attempting to build x11/gnome2-power-tools from ports on my 
FreeBSD9.0 desktop, the package failed to build spitting out the error 
message below: gnome2-power-tools-2.32.1_2 depends on executable:


thefish - not found === Verifying install for thefish in 
/usr/ports/sysutils/thefish === thefish-0.6.6_5 is marked as broken: 
does not build. *** Error code 1 Stop in /usr/ports/sysutils/thefish. 
*** Error code 1 Stop in /usr/ports/x11/gnome2-power-tools


:; uname -a FreeBSD localhost 9.0-BETA3 FreeBSD 9.0-BETA3 #0: Sat Sep 24 
20:46:57 UTC 2011 
r...@obrian.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386


is there a fix for this?

thanks.

Alexander Kapshuk


Updating emacs fails

2011-10-22 Thread John Levine
For at least several weeks, attempts to rebuild emacs from ports fails
with an odd linker error saying it can't find symbols in the termcap
library.  I poked around a little, the makefile does include the
appropriate library and adding it again at the end of the line in
the makefile didn't help.

This is on 8.2, building it with no nonstandard options I'm aware of.

Regards,
John Levine, jo...@iecc.com, Primary Perpetrator of The Internet for Dummies,
Please consider the environment before reading this e-mail. http://jl.ly



Re: trying to learn systems programming, fear I have not understood and thus messed up

2011-10-22 Thread Christopher J. Ruwe
On Sat, 22 Oct 2011 16:45:08 +0200
Fabian Keil freebsd-lis...@fabiankeil.de wrote:

 Christopher J. Ruwe c...@cruwe.de wrote:
 
  On Fri, 21 Oct 2011 18:53:33 +0200
  Christopher J. Ruwe c...@cruwe.de wrote:
  
   [...]
   
   I have tried to follow the suggestion from the comment by
   modifying the else-statement thus:
   
   } else {
       struct passwd *trgpwd;
       if (!(trgpwd = GETPWNAM(arg->val)))
           errx(EX_DATAERR, "User %s does not exist", arg->val);

       if (strcmp(a_name->val, "root") == 0)
           errx(EX_DATAERR, "can't change uid of `root' account");
       if (strcmp(trgpwd->pw_name, "root") == 0)
           warnx("WARNING: account `%s' will have a uid of 0 "
                 "(superuser access!)", pwd->pw_name);

       pwd->pw_uid = (uid_t) (trgpwd->pw_uid);
       edited = 1;
   }
   
   What happens is not what I intended. I invoke as sudo ./pw
   usermod testuser1 -u testuser2. I can get testuser2's pwd-entry
   by GETPWNAM all right, but when I assign the pw_uid, so as to make
   testuser2's uid the same as testuser1's and imagining to retain
   all other values, ./pw reports pw: user 'testuser2' disappeared
   during update and the testuser2's /etc/passwd entry is replaced
   by testuser1's.
   
   I fear I have not understood GETPWNAM correctly, as it seems to
   replace the struct pwd as some sort of side effect. I could
   manually set all pwd-members to the correct ones (those of
   testuser2), but I fear that I have messed something up beforehand.
   
   I am grateful for any suggestions and/or correction. 
  
  It seems I have indeed not understood GETPWNAM correctly. I have
  worked out a method which works by calling GETPWNAM twice:
  
  else {
      /*
       * operation as follows:
       * a_name->val is passed as usermod uname
       * arg->val is passed as -u uname
       *
       * first check if we do something stupid, i.e., want
       * to set root uid to some other users uid or
       * to set some user account's uid to root uid.
       * then get pwd to that of uname passed as -u uname.
       * store uid from that pwdent.
       * get pwd to that of uname passed as usermod uname
       * change uid of that latter uid to the one stored
       */

      if (strcmp(a_name->val, "root") == 0)
          errx(EX_DATAERR, "can't change uid of `root' account");

      if (strcmp(arg->val, "root") == 0)
          warnx("WARNING: account `%s' will have a uid of 0 "
                "(superuser access!)", pwd->pw_name);

      if (!(pwd = GETPWNAM(arg->val))) /* -u uname */
          errx(EX_DATAERR, "User %s does not exist", arg->val);
      int alias_uid = pwd->pw_uid;

      if (!(pwd = GETPWNAM(a_name->val))) /* usermod uname */
          errx(EX_DATAERR, "User %s does not exist", a_name->val);

      pwd->pw_uid = (uid_t) alias_uid;
      warnx("User %s's uid changed to %d", pwd->pw_name,
            pwd->pw_uid);
      edited = 1;
  }
  
  As I still do not know why the latter variant of my code worked and
  the former does not, I would still appreciate any comment or
  explanation which would help me understand GETPWNAM and getpwnam.
 
 I'm not familiar with the code you're working with,
 but according to the man page getpwnam() isn't thread
 safe so you probably shouldn't mess with the returned
 pointer in the first place and only treat the one
 returned by the last call as valid.
 
 Did you try using getpwnam_r() instead?
 
 Fabian

You are quite right, GETPWNAM() is a macro to getpwnam(), which is not
thread safe. GETPWNAM() is called throughout the code of pw and pw
itself is not threaded, so it should not matter whether the functions
called are thread-safe or not. I am not completely sure on my last
statement though. Do you have other experience regarding this topic?

Anyways, thanks and cheers,
-- 
Christopher J. Ruwe
TZ GMT + 2





RE: Groupware like OX for FreeBSD?

2011-10-22 Thread Dale Scott
 I'd like to know whether the power to serve OS FreeBSD is also capable of
 hosting a groupware like OX. I want to build a groupware server and found OX
 really nice. Our lab's administration is using OX.

Googling open-xchange freebsd turns up a few circa-2005 tutorials and
quite a bit of discussion. 

Dale

---
Transparency with Trust
http://www.dalescott.net





Re: Configuring IPFW

2011-10-22 Thread RW
On Sat, 22 Oct 2011 09:56:12 -0400
Carmel wrote:

 I am attempting to set up a firewall using IPFW with a stateful
 behavior.
 
 While I have investigated how to set up these rules, I have run into
 conflicting opinions as to whether to allow or deny established
 behavior.
 
 EXAMPLE: (preceded by a checkstate rule)
 
 allow tcp from any to any established
 
 
 Some documentation states that it should be denied and others say it
 should be allowed. Neither has given me a convincing reason to follow
 either scenario or any real documentation either for that fact.


Normally if the rules are stateless you would allow established tcp
packets, but would deny them with stateful rules. In the latter case,
established traffic would be passed by the check-state


Re: Breakin attempt

2011-10-22 Thread Michael Sierchio
On Sat, Oct 22, 2011 at 7:12 AM, Polytropon free...@edvax.de wrote:

 Is there _any_ reason why moving from port 22 to something
 different is _not_ a solution?

 Reason why I'm asking: Moving SSH away from its default port
 seems to be a relatively good solution as break-in attempts
 concentrate on default ports. So in case a sysadmin decides
 to move SSH to a hidden location, what could be an argument
 against this decision?

Moving SSH to another port doesn't add appreciably to security, but it
reduces the noise in the logs. ;-)


Re: Configuring IPFW

2011-10-22 Thread Conrad J. Sabatier
On Sat, 22 Oct 2011 09:56:12 -0400
Carmel carmel...@hotmail.com wrote:

 I am attempting to set up a firewall using IPFW with a stateful
 behavior.
 
 While I have investigated how to set up these rules, I have run into
 conflicting opinions as to whether to allow or deny established
 behavior.
 
 EXAMPLE: (preceded by a checkstate rule)
 
 allow tcp from any to any established
 
 
 Some documentation states that it should be denied and others say it
 should be allowed. Neither has given me a convincing reason to follow
 either scenario or any real documentation either for that fact.
 
 If possible, could someone with some real firewall knowledge and
 familiarity with IPFW please give me some advice.
 
 Thanks!
 

Well, assuming that you're only allowing the connections you actually
want to be established to be setup in the first place, then the
logical thing is to then allow any already established connections.

All of your tcp allow rules should include the setup keyword, as well
as keep-state.  This way, only connections that are doing a first-time
setup will be allowed, and their state will be remembered, for later
checking using the check-state keyword.

In other words, create setup/keep-state rules for all tcp connections
you want to allow, and deny the rest.  Just be sure the check-state and
established rules precede the deny rules.

Similarly, for udp rules, be sure to include the keep-state (but not
setup) keyword.

Hope this makes sense.  :-)

-- 
Conrad J. Sabatier
conr...@cox.net


Re: Configuring IPFW

2011-10-22 Thread Michael Sierchio
On Sat, Oct 22, 2011 at 9:54 AM, RW rwmailli...@googlemail.com wrote:

 Normally if the rules are stateless you would allow established tcp
 packets, but would deny them with stateful rules. In the latter case,
 established traffic would be passed by the check-state

You need to pay attention to direction as well.  Suppose you wanted to
permit outbound TCP connections using stateful rules.  If em0 is the
outside interface of your firewall and you're using stateful rules,
you would do something like this:


ipfw add 1000 check-state
ipfw add 2500 allow tcp from any to any out xmit em0 setup keep-state
ipfw add 2550 deny tcp from any to any

The check-state rule checks for established dynamic flows, 2500
permits outbound TCP with SYN,!ACK (the first part of the 3-way
handshake), and 2550 denies all TCP traffic that is not permitted.


Re: Breakin attempt

2011-10-22 Thread Lowell Gilbert
Polytropon free...@edvax.de writes:

 On Sat, 22 Oct 2011 15:08:50 +0100, Bruce Cran wrote:
 I suspect that these sorts of attacks are fairly normal if you're 
 running ssh on the standard port. I used to have lots of 'break-in 
 attempts' before I moved the ssh server to a different port.

 Is there _any_ reason why moving from port 22 to something
 different is _not_ a solution?

 Reason why I'm asking: Moving SSH away from its default port
 seems to be a relatively good solution as break-in attempts
 concentrate on default ports. So in case a sysadmin decides
 to move SSH to a hidden location, what could be an argument
 against this decision?

Connecting from behind other people's paranoid firewalls gets difficult
on other ports.  


Re: Updating emacs fails

2011-10-22 Thread Matthew Seaman
On 22/10/2011 17:24, John Levine wrote:
 For at least several weeks, attempts to rebuild emacs from ports fails
 with an odd linker error saying it can't find symbols in the termcap
 library.  I poked around a little, the makefile does include the
 appropriate library and adding it again at the end of the line in
 the makefile didn't help.
 
 This is on 8.2, building it with no nonstandard options I'm aware of.

No errors are on record for building editors/emacs according to
pointyhat/portsmon:

http://portsmon.freebsd.org/portoverview.py?category=editors&portname=emacs&wildcard=

Therefore I diagnose something specific to your system is broken.
Unfortunately your report is too lacking in detail to be able to say
anything useful that might help you to fix the problem.  We'd need to see

   * Your choice of options for the port (ie. 'make showconfig' output)

   * A complete build log showing the problem occurring. (ie  'make
 clean build' output)

   * The config.log from $WRKSRC showing what autoconf did.

That should give a fighting chance of being able to work out what's wrong.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
JID: matt...@infracaninophile.co.uk   Kent, CT11 9PW





Re: Breakin attempt

2011-10-22 Thread Lowell Gilbert
Lowell Gilbert freebsd-questions-lo...@be-well.ilk.org writes:

 Polytropon free...@edvax.de writes:

 On Sat, 22 Oct 2011 15:08:50 +0100, Bruce Cran wrote:
 I suspect that these sorts of attacks are fairly normal if you're 
 running ssh on the standard port. I used to have lots of 'break-in 
 attempts' before I moved the ssh server to a different port.

 Is there _any_ reason why moving from port 22 to something
 different is _not_ a solution?

 Reason why I'm asking: Moving SSH away from its default port
 seems to be a relatively good solution as break-in attempts
 concentrate on default ports. So in case a sysadmin decides
 to move SSH to a hidden location, what could be an argument
 against this decision?

 Connecting from behind other people's paranoid firewalls gets difficult
 on other ports.  

And, yes, I realize this isn't a problem for most people, but I'm pretty
sure I'm not the only one who runs into it, either.


Re: Configuring IPFW

2011-10-22 Thread Michael Sierchio
On Sat, Oct 22, 2011 at 10:08 AM, Conrad J. Sabatier conr...@cox.net wrote:


 Similarly, for udp rules, be sure to include the keep-state (but not
 setup) keyword.


Right - if you're just protecting a single host, for example, your
ruleset might be something like

ipfw add 1000 allow ip from any to any via lo0
ipfw add 1100 check-state
ipfw add 1200 allow tcp from me to any setup keep-state
ipfw add 1300 allow udp from me to any keep-state
# stateful rules for ICMP sometimes work, and sometimes don't - traceroute for example
ipfw add 1400 allow icmp from me to any
ipfw add 1500 allow icmp from any to me icmptypes 0,3,8,11
# if you don't want to permit inbound echo requests, then use the next one instead
# ipfw add 1500 allow icmp from any to me icmptypes 0,3,11

ipfw add 1600 deny ip from any to any


There are sysctl variables you may want to look at: sysctl net.inet.ip.fw

These are described in the man page, and some of these affect the
behavior of dynamic rule sets.  You generally don't need to worry
about them for outbound connections, but they are critical for inbound
connections - it's trivial to DOS a firewall with dynamic rules.

Regards,

M


Re: Breakin attempt

2011-10-22 Thread Eric S Pulley
Actually this looks like fairly normal white noise you can expect on a 
public facing ssh server. There are a lot of bots out there, looking for 
another box to own. If you're running PF put in something like the 
following.


block in quick log from <BADGUYS>
.
.
.
pass in log on $ext_if proto tcp to ($ext_if)  port { ssh } \
   flags S/SA modulate state \
   (max-src-conn-rate 3/60, overload <BADGUYS> flush global)

And remember that you need to wait a minute if you (for some reason) 
make more than x (3 in this case) connections from the same source in a 
minute's time.  Tune as needed.


Then disable root logins and only use keys if you can, strong PWs if you 
can't and you should be good.



--On Saturday, October 22, 2011 03:43:44 PM +0200 Admin ValhallaProjectet 
ad...@thorshammare.org wrote:



Hello all



FreeBSD odin.thorshammare.org 8.2-STABLE FreeBSD 8.2-STABLE #0: Sat Oct 22
10:14:48 CEST 2011
ha...@odin.thorshammare.org:/usr/obj/usr/src/sys/ODIN i386

Firewall PF.

Blocking China and some other related countries in that region.
Disabled ssh root logins



Apparently, I'm under some kind of attack,  for the last 3 days.

Lots of attempts to ssh in as root from many different IP addresses.

No bruteforce attempts.

This just puzzles me. Using all these resources ? To achieve what ?

Below is a one hour snip from my auth.log

Nothing unusual in pflog

Appreciate all ideas of how to proceed with this matter.



Best regards Hasse




Re: Configuring IPFW

2011-10-22 Thread Robert Bonomi

 Date: Sat, 22 Oct 2011 12:08:56 -0500
 To: FreeBSD freebsd-questions@freebsd.org
 Subject: Re: Configuring IPFW

 On Sat, 22 Oct 2011 09:56:12 -0400
 Carmel carmel...@hotmail.com wrote:

  I am attempting to set up a firewall using IPFW with a stateful
  behavior.
  
  While I have investigated how to set up these rules, I have run into
  conflicting opinions as to whether to allow or deny established
  behavior.
  
  EXAMPLE: (preceded by a checkstate rule)
  
  allow tcp from any to any established
  
  
  Some documentation states that it should be denied and others say it
  should be allowed. Neither has given me a convincing reason to follow
  either scenario or any real documentation either for that fact.
  
  If possible, could someone with some real firewall knowledge and
  familiarity with IPFW please give me some advice.
  
  Thanks!
  

 Well, assuming that you're only allowing the connections you actually
 want to be established to be setup in the first place, then the
 logical thing is to then allow any already established connections.

This, of course, ignores the possibility that a 'bad guy' might send
an initial packet _without_ the 'SYN' flag set.  <grin>

 All of your tcp allow rules should include the setup keyword, as well
 as keep-state.  This way, only connections that are doing a first-time
 setup will be allowed, and their state will be remembered, for later
 checking using the check-state keyword.

Now *THAT*, done _properly_, closes the aforementioned hole. :)
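
The point made in this exchange, as an added example that is not part of the original messages: a small C check that flags tcp allow rules which use `established` or lack `setup` / `keep-state`. Both rulesets are constructed, the function and constant names are hypothetical, and only the `allow` spelling of the action is checked.

```c
#include <stdio.h>
#include <string.h>

enum { USES_ESTABLISHED = 1, NO_SETUP = 2, NO_KEEP_STATE = 4 };

/* 1 if `word` appears in `rule` as a whole space-delimited token. */
int has_word(const char *rule, const char *word)
{
    size_t n = strlen(word);
    for (const char *p = rule; (p = strstr(p, word)) != NULL; p += n)
        if ((p == rule || p[-1] == ' ') && (p[n] == '\0' || p[n] == ' '))
            return 1;
    return 0;
}

/* Findings for one ipfw rule body; 0 means nothing to report. */
int lint_rule(const char *rule)
{
    if (!has_word(rule, "allow") || !has_word(rule, "tcp"))
        return 0;                    /* only "allow tcp" rules are in scope */
    if (has_word(rule, "established"))
        return USES_ESTABLISHED;     /* matches any segment with ACK or RST set */
    return (has_word(rule, "setup") ? 0 : NO_SETUP) |
           (has_word(rule, "keep-state") ? 0 : NO_KEEP_STATE);
}

int count_flagged(const char *const rules[], size_t n)
{
    int flagged = 0;
    for (size_t i = 0; i < n; i++)
        flagged += lint_rule(rules[i]) != 0;
    return flagged;
}

/* Constructed rulesets: rule bodies as they would follow "ipfw add NNN". */
const char *const loose_rules[] = {
    "check-state",
    "allow tcp from any to any established",   /* no SYN ever required */
    "allow tcp from any to me 22 in",          /* passes every segment, no state */
    "deny ip from any to any",
};
const char *const strict_rules[] = {
    "check-state",                             /* packets of tracked connections */
    "deny tcp from any to any established",    /* stray ACK/RST with no state */
    "allow tcp from any to me 22 in setup keep-state",
    "allow tcp from me to any out setup keep-state",
    "deny ip from any to any",
};

int main(void)
{
    printf("%d %d\n", count_flagged(loose_rules, 4), count_flagged(strict_rules, 5));
    return 0;
}
```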





Re: Breakin attempt

2011-10-22 Thread Randal L. Schwartz
>>>>> "Lowell" == Lowell Gilbert freebsd-questions-lo...@be-well.ilk.org writes:

Lowell> Connecting from behind other people's paranoid firewalls gets difficult
Lowell> on other ports.

That's why mine's on 443.  Doubly useful when I want to connect to it
from behind an outbound web proxy. :)

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
mer...@stonehenge.com URL:http://www.stonehenge.com/merlyn/
Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc.
See http://methodsandmessages.posterous.com/ for Smalltalk discussion


Re: trying to learn systems programming, fear I have not understood and thus messed up

2011-10-22 Thread Fabian Keil
Christopher J. Ruwe c...@cruwe.de wrote:

 On Sat, 22 Oct 2011 16:45:08 +0200
 Fabian Keil freebsd-lis...@fabiankeil.de wrote:
 
  Christopher J. Ruwe c...@cruwe.de wrote:
  
   On Fri, 21 Oct 2011 18:53:33 +0200
   Christopher J. Ruwe c...@cruwe.de wrote:

   As I still do not know why the latter variant of my code worked and
   the former does not, I would still appreciate any comment or
   explanation which would help me understand GETPWNAM and getpwnam.
  
  I'm not familiar with the code you're working with,
  but according to the man page getpwnam() isn't thread
  safe so you probably shouldn't mess with the returned
  pointer in the first place and only treat the one
  returned by the last call as valid.
  
  Did you try using getpwnam_r() instead?

 You are quite right, GETPWNAM() is a macro to getpwnam(), which is not
 thread safe. GETPWNAM() is called throughout the code of pw and pw
 itself is not threaded, so it should not matter whether the functions
 called are thread-safe or not. I am not completely sure on my last
 statement though. Do you have other experience regarding this topic?

My point is that if getpwnam() isn't thread safe because
separate calls are using the same static buffer to return
their result (which I didn't verify), and you do something
like:

pwd = GETPWNAM(...)
[...]
trgpwd = GETPWNAM(...)
pwd->pw_uid = (uid_t) (trgpwd->pw_uid);

the second getpwnam() call is going to reuse the memory
pointed to by pwd. While I assume your intention was to
only change pwd->pw_uid, the second getpwnam() call already
had the side effect of overwriting all the other members as
well.

This would happen in a single-threaded application as well.

Fabian
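
The buffer reuse described in this reply, as an added example that is not part of the original message or of pw's source: one function holds a getpwnam() pointer across a second call and reports whether the first result changed, and another does the uid copy with getpwnam_r() into caller-owned buffers. POSIX permits getpwnam() to overwrite its result on each call, so the first function's answer depends on the C library; the account names `root` and `daemon` and all function names are assumptions.

```c
#define _XOPEN_SOURCE 700
#include <pwd.h>
#include <stdio.h>
#include <string.h>

/* Caller-owned passwd entry: the struct plus the storage its strings use. */
struct pw_copy {
    struct passwd pw;
    char buf[4096];
};

/* Reentrant lookup into caller storage; 0 on success, -1 if not found. */
int lookup_copy(const char *name, struct pw_copy *out)
{
    struct passwd *res = NULL;
    int rc = getpwnam_r(name, &out->pw, out->buf, sizeof out->buf, &res);
    return (rc == 0 && res != NULL) ? 0 : -1;
}

/* The hazard: hold the pointer from one getpwnam() call across a second.
 * Returns 1 if the first result changed, 0 if not, -1 on unknown name. */
int first_result_clobbered(const char *a, const char *b)
{
    char saved[256];
    struct passwd *pa = getpwnam(a);
    if (pa == NULL)
        return -1;
    snprintf(saved, sizeof saved, "%s", pa->pw_name);
    if (getpwnam(b) == NULL)
        return -1;
    return strcmp(pa->pw_name, saved) != 0;
}

/* Safe "give dst the uid of src": each entry has its own buffer, so only
 * pw_uid of the dst copy changes. */
int copy_uid(const char *dst, const char *src, struct pw_copy *out)
{
    struct pw_copy s;
    if (lookup_copy(dst, out) != 0 || lookup_copy(src, &s) != 0)
        return -1;
    out->pw.pw_uid = s.pw.pw_uid;
    return 0;
}

int main(void)
{
    struct pw_copy out;   /* "root" and "daemon" are assumed account names */
    printf("clobbered: %d\n", first_result_clobbered("daemon", "root"));
    if (copy_uid("daemon", "root", &out) == 0)
        printf("%s now has uid %lu\n", out.pw.pw_name, (unsigned long)out.pw.pw_uid);
    return 0;
}
```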




Re: Breakin attempt

2011-10-22 Thread Erik Nørgaard

On 22/10/2011 16:12, Polytropon wrote:

> Is there _any_ reason why moving from port 22 to something
> different is _not_ a solution?

Yes

> Reason why I'm asking: Moving SSH away from its default port
> seems to be a relatively good solution as break-in attempts
> concentrate on default ports. So in case a sysadmin decides
> to move SSH to a hidden location, what could be an argument
> against this decision?

Moving to a non-standard port does not provide you any additional real 
security. The random scannings and occasional attacks will disappear 
from your logs but these are not interesting, they fail because you 
already hardened your server. Those who are determined to break into 
your server will also find your ssh running on a non-standard port.


On the other hand, those legitimate users who rely on ssh to connect 
remotely to their account may not be able to because the firewall on the 
network only allows access to standard ports for whatever reason, and 
running ssh on port, say, 24 is a non-standard port. It is actually 
common to block access to most ports and allow access only through a 
proxy, and then open for those particular services that will not run 
through a proxy. Hence, if you want to be sure to be able to connect 
remotely, your best bet is to run your services on standard ports.


In summary, nothing is won moving ssh to a nonstandard port except for 
potential problems.


BR, Erik




Re: Upgrading libxul, dependency on Firefox 3

2011-10-22 Thread Beat Gätzi
On Oct 22, 2011, at 2:54 AM, Joe Altman wrote:
 Greetings...
 
 I was running portupgrade on libxul and noticed it depends on Firefox
 3.x. I cancelled the upgrade, because I thought FF3.x was insecure and
 therefore deprecated while FF7 was recommended and secure.
 
 My questions:
 
 1) is the dependency libxul has for FF3 a security problem?

libxul doesn't depend on FF3. We just use the FF3.6 source tarball
to build xulrunner (libxul) as upstream no longer provides tarballs
for the latest xulrunner 1.9.2.x releases. Nevertheless FF3.6 is still
supported upstream and security problems get fixed regularly during
the normal Mozilla release cycle.

 2) is the dependency on FF3 a bug in libxul? If it is a bug, who
   should receive a report: gecko@ or the Mozilla project?

There is no FF3 dependency in libxul.

HTH,
Beat

 FYI: I'm pretty sure it was portsclean -D (and not me) that deleted
 FF3...yet libxul tried to pull it in during the portupgrade.
 
 Best regards,
 
 Joe


Re: Upgrading libxul, dependency on Firefox 3

2011-10-22 Thread Joe Altman
On Sat, Oct 22, 2011 at 09:28:40PM +0200, Beat Gätzi wrote:
 On Oct 22, 2011, at 2:54 AM, Joe Altman wrote:
  Greetings...
  
  I was running portupgrade on libxul and noticed it depends on Firefox
  3.x. I cancelled the upgrade, because I thought FF3.x was insecure and
  therefore deprecated while FF7 was recommended and secure.
  
  My questions:
  
  1) is the dependency libxul has for FF3 a security problem?
 
 libxul doesn't depend on FF3. 

Got it. Thanks, and best regards,

Joe


Re: trying to learn systems programming, fear I have not understood and thus messed up

2011-10-22 Thread Frank Shute
On Fri, Oct 21, 2011 at 06:53:33PM +0200, Christopher J. Ruwe wrote:

 To improve on my C and to learn something about systems programming, I
 have begun to pick out bite-size bits from the bin-PRs. Currently, I
 am despairing about bin/149972, which is about 1) adding error handling
 to pw being invoked pw -u username and 2) trying to get a uid from
 the (incorrectly) passed username. Currently, I cannot accomplish what
 I wanted to do, so I turn here for hints or help.
 

[snip]

Christopher, you're probably best off posting to hackers@ for
programming problems pertaining to FreeBSD.


Regards,

-- 

 Frank

 Contact info: http://www.shute.org.uk/misc/contact.html






Re: Help needed: sound/audio only semi-working

2011-10-22 Thread Ronald F. Guilmette

In message 20111022125209.9ba97a1f.free...@edvax.de, 
Polytropon free...@edvax.de wrote:

On Fri, 21 Oct 2011 18:29:25 -0700, Ronald F. Guilmette wrote:
 The really strange thing is that after I followed all the directions here:
 
http://www.freebsd.org/doc/en/books/handbook/sound-setup.html
 
 This command:
 
 cat /dev/random > /dev/dsp
 
 *does* produce quite a bit of white noise sound.  However when I perform
 the other officially recommended basic audio functionality test:
 
 cdcontrol -f /dev/acd0 play 1
 
 with one of my favorite old audio CDs in the drive (AND with that special
 little wire running from the back of the drive to my motherboard) all that
 happens is that the CD/DVD drive apparently _does_ start to read some stuff...
 as evidenced by the blinking access light in the front of the drive... but I
 still get no sound out, and YouTube videos still aren't giving me any audio
 even though the video seems to be playing perfectly.

Does the Handbook mention to check your mixer settings?

No, but I _did_ look at that anyway, because something I read while researching
this problem indicated that I should.  And those (mixer) settings are all OK.

Anyway... NEVERMIND!  I fiddled a few things some more last night... nothing
that really should have made any difference at all... and I re-booted and
today, now, the sound _is_ playing when I watch YouTube videos in Firefox.
I really don't understand why because I really didn't change anything.  I did
install mplayer and cdparanoia, and then I used the latter to suck some .wav
files off of one of my old CDs and then used mplayer to play them (which
worked OK) but I don't see how any of that should have had any effect on
the audio coming out of the flash plugin for Firefox.  Oh well!  It works
now, and mplayer can play .wav and .mp3 files too.  So mostly everything is
working now, and I am happy.

But playing a CD using cdcontrol still is not working.  That's OK.  I can
easily live without that.  I was only using it for testing purposes anyway.
Still, it is a shame it doesn't just work.

The problem regarding audio CDs seems to be quite "modern".

I assume by that you mean quite recent. Yes?

I also cannot play them anymore (but I don't have that
special wire installed at the moment). Audio is VIA HDA.

I do believe that the little wire is mandatory.  So that explains why it
doesn't work for you.  But I have the little grey wire installed, so I don't
know why it doesn't work for me.

 So how can it be that this works just fine:
 
cat /dev/random > /dev/dsp
 
 even while this:
 
   cdcontrol -f /dev/acd0 play 1
 
 causes the disk to spin up and read, but otherwise produces utter silence?

CD audio subsystem has been modernized. :-)

I wouldn't know about that.



Re: Help needed: sound/audio only semi-working

2011-10-22 Thread Polytropon
On Sat, 22 Oct 2011 16:03:27 -0700, Ronald F. Guilmette wrote:
 I did
 install mplayer and cdparanoia, and then I used the latter to suck some .wav
 files off of one of my old CDs and then used mplayer to play them (which
 worked OK) but I don't see how any of that should have had any effect on
 the audio coming out of the flash plugin for Firefox.  Oh well!  It works
 now, and mplayer can play .wav and .mp3 files too.  So mostly everything is
 working now, and I am happy.

Both the Flash plugin and mplayer use the mixer's pcm
channel for output (unlike CD audio). Maybe you'll find
that mplayer is able to play *.mp3, but isn't the optimal
program to do so - in this case have a look at xmms which
can play both *.mp3 and *.ogg (a popular format when you
want to make your CDs' content available on your system).
And xmms also is able to play CD audio.



 But playing a CD using cdcontrol still is not working.  That's OK.  I can
 easily live without that.  I was only using it for testing purposes anyway.
 Still, it is a shame it doesn't just work.

Doesn't work _anymore_. :-)



 The problem regarding audio CDs seems to be quite "modern".
 
 I assume by that you mean quite recent. Yes?

No, "modern" (note the quotes) indicates disimprovement,
reduction and removal of functionality that has been
taken as granted for many years. :-)



 I also cannot play them anymore (but I don't have that
 special wire installed at the moment). Audio is VIA HDA.
 
 I do believe that the little wire is mandatory. 

In this specific case, it is. In my old PC, I had one to
connect the ATAPI drive to the sound card (a CMI based
PCI card, no onboard stuff). This _did_ work perfectly
using cdcontrol play track and the mixer's CD channel.



 So that explains why it
 doesn't work for you.  But I have the little grey wire installed, so I don't
 know why it doesn't work for me.

I'll install that wire tomorrow, just to check - I just
hope my cheap (and nearly crappy) mainboard does have
support for it. I can't use external wiring (to the
sound card's line-in connector) as the drive doesn't
have a front connector anymore. See "modern". :-)

OS is 8.2-STABLE/x86 of late August.



  So how can it be that this works just fine:
  
 cat /dev/random > /dev/dsp
  
  even while this:
  
cdcontrol -f /dev/acd0 play 1
  
  causes the disk to spin up and read, but otherwise produces utter silence?
 
 CD audio subsystem has been modernized. :-)
 
 I wouldn't know about that.

As far as I could understand, the track files /dev/acdXtYY
will be gone in the upcoming 9.0, as well as the acd device
files in favour of cd (the optional, but very nice ATAPICAM
interface used by recording programs). Basically, I do
appreciate merging acd and cd (so one device file per
device becomes true), but if the price is that CD audio
doesn't work anymore... we'll see.





-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...


Re: pkg_version: corrupted record (pkgdep line without argument), ignoring

2011-10-22 Thread b. f.
On 10/22/11, b. f. bf1...@googlemail.com wrote:
 Jerry wrote:
 After attempting unsuccessfully to update KDE4 via portmaster, I
 found a number of errors printed out when using pkg_version -vIL=.

 I eventually used portmanager to update the KDE4 port successfully;
 however, I am still receiving the following error messages.

 These ports need updating:
 pkg_version: corrupted record (pkgdep line without argument), ignoring
 pkg_version: corrupted record (pkgdep line without argument), ignoring
 pkg_version: corrupted record (pkgdep line without argument), ignoring
 koffice-kde4-2.3.3_3   needs updating (index has
 2.3.3_5)
 postgresql-client-8.2.21   needs updating (index has
 8.2.22_1)

 I have not found a way to ascertain which ports contain the corrupted
 records. Originally, there were over a dozen of them but portmanager
 fixed most of them for me. How can I determine what ports are still
 damaged so that I might correct them.

 As the others have written, you could use sed, grep, or visual
 inspection to examine the pkgdb.  Alternatively, you could try testing
 one port at a time, to see what ports pkg_version chokes on, by using
 something like:

  pkg_info -aE | xargs -tI @ pkg_version -vIL= -s @


Bah, sent this to freebsd-ports by mistake.  Sorry.

b.