Re: FreeBSD 6 Apache Port
On 11/30/05, Grant Peel [EMAIL PROTECTED] wrote:

> And, the php (cli version) went fine, but it did come up with a few gui questions, but none about --with-gd --enable-mysql etc etc. How do I deal with that? I was thinking, after make, do I go to the work directory and add them to the configure line? then make again, and install again? OR can you add them directly to the make line?

These are both available as php4 modules and plug into php just like apache modules do:

databases/php4-mysql
graphics/php4-gd

A nice way to get these is to just run a 'make install' on lang/php4-extensions which will give you a menu to select which extensions you would like installed in one shot, with common defaults already selected.

Aaron
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
RELENG_5_3 to RELENG_5 make installworld fails
Hello World,

Just got 5.3-RELEASE installed yesterday on this system and was cvsup'ing to 5-STABLE today. Used the following process, based on /usr/src/UPDATING (as well as the countless times I've done this before), and got the error below during 'installworld'. I did this same update (from 5.3-RELEASE to 5.4-PRERELEASE) a week ago and it worked fine, however I also noticed that mergemaster -p wanted a few user accounts setup prior to installworld, related to pf/pfauth - that no longer seems to be a requirement so I'm concerned I missed a step or made some other bonehead move that I'm not aware of.

cvsup'ed w/ the following basic values in supfile (no, this is not the entirety of the file)

*default host=cvsup17.FreeBSD.org
*default base=/var/db
*default prefix=/usr
*default release=cvs tag=RELENG_5
*default delete use-rel-suffix

# cd /usr/src
# make buildworld
# make buildkernel KERNCONF=GENERIC
# mergemaster -p
# make installkernel KERNCONF=GENERIC
# make installworld

At this point - it gets started and then dies here:

snip
--------------------------------------------------------------
>>> Installing everything
--------------------------------------------------------------
cd /usr/src; make -f Makefile.inc1 install
===> share/info
===> include
creating osreldate.h from newvers.sh
touch: not found
*** Error code 127

Stop in /usr/src/include.
*** Error code 1

Stop in /usr/src.
*** Error code 1

Stop in /usr/src.
*** Error code 1

Stop in /usr/src.
*** Error code 1

Stop in /usr/src.
/snip

I've checked through the archives - not exhaustively - and found a few references to the touch: not found error - but nothing which led me toward getting this fixed. Ideas? Perhaps a better place to ask?

At this point - I've got the kernel installed and can't get world installed - I could cvsup back to -RELEASE and get back to a safe state, but I'd rather get this little wrinkle worked out.

Thanks,
Aaron
Re: RELENG_5_3 to RELENG_5 make installworld fails
On Thu, 3 Mar 2005 14:39:16 -0800, Kent Stewart [EMAIL PROTECTED] wrote:

> You missed a step. Your system clock is off and that makes the installworld try to use touch. Set your system clock and you may have to remake your world but it should install.
>
> Kent

In fact it was off - can you give me some detail as to why that matters? Not that I doubt that having my system clock set to a date 8 months prior to the date of files in cvs might cause a problem - but I'm curious about the details. If you can even point me at a URL I'll read for myself - I'm just curious.

If that was the problem (buildworld happening as I type) then thank you and my apologies for the oversight. New system, didn't bother to make sure the BIOS date was right and ntp wasn't yet setup.

Thanks,
Aaron
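The clock check Kent is pointing at, as an added example that is not part of the thread: a small POSIX sh function that compares the system time against the newest file in a source tree. A clock set earlier than the files just fetched by cvsup is exactly the condition described above, and the check refuses to proceed in that case. The tree path and the temporary reference file are this example's own assumptions, not anything the FreeBSD build itself does.

```sh
#!/bin/sh
# Added example, not from the thread: refuse to start a build when the system
# clock is earlier than the files in the source tree, the situation behind the
# "touch: not found" failure above. A freshly cvsup'ed /usr/src carries mtimes
# from the repository; if "now" is eight months before them, every such file
# is "newer than now".

# check_clock_vs_tree TREE -> 0 if no file is newer than the current time,
#                             1 if some are (clock is behind), 2 on error
check_clock_vs_tree() {
    tree=$1
    [ -d "$tree" ] || { echo "no such directory: $tree" >&2; return 2; }
    # A scratch file whose mtime is "now" according to the system clock.
    # This reference file is the example's own device, not part of the build.
    ref="${TMPDIR:-/tmp}/clockchk.$$"
    : > "$ref" || return 2
    # POSIX find(1): list files whose mtime is later than the reference file.
    future=$(find "$tree" -type f -newer "$ref" 2>/dev/null | head -n 20)
    rm -f "$ref"
    if [ -n "$future" ]; then
        echo "clock is behind the source tree; files dated in the future:" >&2
        echo "$future" >&2
        return 1
    fi
    return 0
}

# Typical use before buildworld (assumes /usr/src is the tree just fetched):
#   check_clock_vs_tree /usr/src || { echo "set the clock first (date(1) or ntpdate)"; exit 1; }
```

Run it after cvsup and before make buildworld; a non-zero exit means fix the clock (and, as Kent says, expect to rebuild world) rather than continue.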
Re: Re[2]: combining 2 ADSL Lines
On Sat, 18 Dec 2004 03:40:56 +0100, Hexren [EMAIL PROTECTED] wrote:

> Could this not be circumvented by using a server in the Internet as second Gateway. If I route all traffic (both lines) from my LAN Gateway through a VPN to a second Gateway NAT it there and only then go to the Internet. The Net should just see the second Gateways IP. Or am I talking crap ? *a bit confused here*
>
> Hexren

I try not to use absolutes - and I think this idea is probably the most likely way to do what you want. However, there are a number of things that make me question whether this will work as you think it should.

Depending on the type of VPN you use, you are going to be dependent upon the routing method used by the VPN to balance the traffic. In the case of IPSec - I'm not sure that having two SA's with the same remote network will be balanced. I suspect one or the other SA will be used but perhaps that's not true. To get an increase in aggregate bandwidth (not just the ability to use both lines) you need to have per-packet load balancing across both VPN's. I have no idea if the underlying code supports this type of load-balancing over multiple VPN's.

Assuming this works brings me to the 2nd problem. Since the link from this public gateway to each DSL line is via a number of other devices, most likely, you won't have the traditional ability to monitor the queue for each link to determine which path a packet takes. Normally the less congested link would be used when the other path becomes busy, keeping the two connections relatively balanced and providing you with higher aggregate bandwidth. How do you determine which path is congested if you are 3 hops away via a VPN? You can assume that it's safe to simply send every other packet over each link, but then what if one link starts to experience packet loss or slows down? Then you will probably severely impact your overall bandwidth since there is no way for this upstream gateway to choose to send more traffic over the working path.

An extreme example of a problematic scenario from above (albeit highly unlikely) is a mix of large packets and small packets. You could have a majority of large packets sent over one link and small packets over the other - leaving one link relatively underutilized while the other becomes saturated. The gateway has no way to know that one line is underutilized and thus should send more data over that line to provide more bandwidth.

Also, if one link goes down, how quickly will this upstream gateway know that the VPN is not available? Again, depending on the type of VPN, this can take from a few seconds if a keepalive is used, to a few minutes or many minutes if not. In the case of IPSec on FreeBSD, which I don't think implements Dead Peer Detection, it's likely to take quite a while for the gateway to realize that a particular link is no longer available. During this time traffic will still be sent over both links resulting in consistent 50% packet loss.

Again, this is all theoretical - I've never done it. Some or all of this may be able to be worked around with other tools. I'd be very interested in whether you are able to get this working - I don't have the facilities to try it out. This would be much easier if the two DSL links could cooperate so that you would at least resolve the issues above.

If you want to just use per-session load balancing (each connection goes via one or the other DSL line and sticks with that one) there are a number of options which will certainly work. Those options have been suggested by others on the list and there are many threads regarding doing this. This doesn't buy you higher aggregate throughput as far as I know.

Aaron
Re: combining 2 ADSL Lines
On Fri, 17 Dec 2004 15:32:50 +0100, Hexren [EMAIL PROTECTED] wrote:

> I have the following problem, I have 2 ADSL Lines and would like to combine those 2 into 1 big. I have full control of both the gateway from my LAN and another Server in the internet which I could use as a second gateway. What I am thinking of is something like virtualizing so that in the end I have VirtualInterface1 which is DSL1 and DSL2.

Assuming these are just normal DSL lines with no special options which would allow them to be combined, your options are limited I think. This message assumes these are your typical Residential/business type DSL lines which provide a few IP's to the end Customer.

In general, when using two different connections (DSL, T1 or otherwise) between two different providers you have to pick one connection or the other to send traffic over when communicating with a given host on the Internet. There are many ways to share the two connections in an automated way, so that some traffic goes over one connection and some traffic goes over the other, but this doesn't allow you to bond the two connections. Bonding being defined as the ability to combine the bandwidth of both connections to provide higher peak transfer rates.

The basic problem is that each ISP is only going to route traffic to the IP address they provide you. Since it's highly unlikely that both providers are providing the same IP you have to use NAT. When you send traffic out of your network, it has to originate from one or the other IP address and response traffic is only going to come back to that IP address, thus only using that DSL line. You can certainly send the next connection out the other DSL line, but again, it will only use that one DSL line.

There have been threads in the past discussing the use of policy routing to send traffic from different parts of your network over different connections - thus sharing the overall load between the two connections. This gives you some additional capacity, but does not provide the higher throughput that a bonded connection would provide. Setting up each connection individually on the FreeBSD gateway and then investigating the use of pf or ipfw to provide policy routing is probably the closest you are going to get to using both connections at the same time.

Perhaps someone else has some suggestions for options I'm not aware of.

Aaron
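The pf policy-routing setup Aaron points to, as an added example that is not part of the thread: a POSIX sh script that writes a pf ruleset spreading a LAN's connections over two DSL links per session (route-to with round-robin, plus sticky-address so a given LAN host keeps using one link), NATing each link to its own address because, as the message explains, each ISP only routes its own address back. The interface names (xl0, xl1, vr0), gateway addresses, LAN range and output path are placeholders chosen for this example; the syntax is that of the pf shipped with FreeBSD 5.3 and pfctl -nf only parses the file, it does not load it. Whether sticky-address is accepted depends on the pf version in use; drop the keyword if pfctl rejects it. This shares the two lines, it does not bond them: a single transfer still tops out at one line's rate.

```sh
#!/bin/sh
# Added example, not from the thread: generate a pf.conf that shares a LAN's
# outbound connections across two DSL links per session. Placeholders only;
# substitute your own interfaces, gateways and LAN range.

# pf_multilink_conf EXT1 GW1 EXT2 GW2 INT LAN  -> prints the ruleset on stdout
pf_multilink_conf() {
    [ $# -eq 6 ] || { echo "usage: pf_multilink_conf ext1 gw1 ext2 gw2 int lan" >&2; return 2; }
    ext1=$1 gw1=$2 ext2=$3 gw2=$4 int=$5 lan=$6
    cat <<EOF
ext_if1 = "$ext1"
ext_if2 = "$ext2"
int_if  = "$int"
gw1     = "$gw1"
gw2     = "$gw2"
lan_net = "$lan"

# NAT each link to its own address: an ISP only routes its own address back,
# so replies must return on the link the connection left by.
nat on \$ext_if1 from \$lan_net to any -> (\$ext_if1)
nat on \$ext_if2 from \$lan_net to any -> (\$ext_if2)

# The gateway itself may leave by either link.
pass out on \$ext_if1 from (\$ext_if1) to any keep state
pass out on \$ext_if2 from (\$ext_if2) to any keep state

# New LAN connections alternate between the links; each LAN host sticks to
# the link it was first given. Per session, not per packet: no bonding.
pass in on \$int_if route-to { (\$ext_if1 \$gw1), (\$ext_if2 \$gw2) } round-robin sticky-address from \$lan_net to any keep state

# Packets that the routing table sent to the wrong link are pushed back out
# the link whose address they carry.
pass out on \$ext_if1 route-to (\$ext_if2 \$gw2) from (\$ext_if2) to any
pass out on \$ext_if2 route-to (\$ext_if1 \$gw1) from (\$ext_if1) to any
EOF
}

# pf_multilink_install EXT1 GW1 EXT2 GW2 INT LAN [FILE]
# Writes the ruleset to FILE (default /tmp/pf-multilink.conf, an assumed
# path) and syntax-checks it with pfctl(8) when pfctl is present.
pf_multilink_install() {
    out=${7:-/tmp/pf-multilink.conf}
    pf_multilink_conf "$1" "$2" "$3" "$4" "$5" "$6" > "$out" || return $?
    if command -v pfctl >/dev/null 2>&1; then
        # -n parses only; load for real with 'pfctl -f FILE' after review
        pfctl -nf "$out" || return $?
    fi
    echo "$out"
}

# Example invocation (all values are placeholders):
#   pf_multilink_install xl0 203.0.113.1 xl1 198.51.100.1 vr0 192.168.1.0/24
```

Each DSL interface must be configured on the gateway first, with its own default gateway known, before this ruleset is loaded; the route-to rules then decide per connection which link it leaves by.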
Re: Multiple Mail Servers
On Fri, 17 Dec 2004 11:52:12 -0800, Sean Murphy [EMAIL PROTECTED] wrote:

> We have more than one mail server. I would like to have all emails be able to be sent to @calarts.edu and go to the correct server with that email account on it. The current set up is @calarts.edu goes to our main mail server but if you have an account on a separate mail server you must mail it to @servername.calarts.edu
>
> All servers are running FreeBSD 4.10 and sendmail. Is there a way for sendmail to be smart and redirect the email messages from the main server to the other servers?

Isn't this what the aliases file is for? If mail is being delivered locally and you put in an alias entry like:

username: [EMAIL PROTECTED]

It should be directed to the appropriate location.

Aaron
Re: FFS vs. UFS vs. UFS2
First hit on google: http://sixshooter.v6.thrupoint.net/jeroen/faq.html

On Mon, 15 Nov 2004 03:08:59 -0800, Loren M. Lang [EMAIL PROTECTED] wrote:

> FreeBSD's main file system is currently UFS2, but I've also heard reference to UFS and the Berkeley Fast File System (FFS). Looking through the kernel source I've found directories for both ufs and ffs, but not ufs2 (/sys/ufs/{ufs|ffs}/). Also, it seems like Solaris and/or other commercial unices also used ufs, is this the same ufs used in BSD and how does this relate to ffs and ufs2?
Re: ipf firewall questions
On Mon, 15 Nov 2004 15:21:47 -0500, Andrew Smith [EMAIL PROTECTED] wrote:

> I'm using ipf as my firewall, and I can't figure out why OWA is being blocked going to 172.20.0.11. Below is the current config file which works. But if I removed the fourth line, my users can't access OWA externally. I would have thought the lines:
>
> pass out quick from 172.20.0.0/24 to any keep state
> and
> pass in quick from any to 172.20.0.0/24
>
> would have superceded the line
>
> block out log proto tcp from any to any port = 80.
>
> Any suggestions would be helpful.
>
> Andrew
>
> #
> # Permit Outlook Web Access
> #
> pass in quick proto tcp from any to 172.20.0.11 port = 80 keep state
> #
> # Allow All College Traffic
> #
> pass in quick from 10.0.0.0/8 to any
> pass out quick from any to 10.0.0.0/8
> #
> # Permit all Network Critical Machines Access
> #
> pass out quick from 172.20.0.0/24 to any keep state
> pass in quick from any to 172.20.0.0/24
> #
> # Permit all Network Teacher/Staff Computers Access
> #
> pass out quick from 172.20.1.0/24 to any keep state
> pass in quick from any to 172.20.1.0/24

If you remove rule #4 - then there's nothing to allow response traffic that I can see (unless I'm missing something). I'd guess that if you remove #4 and add 'keep state' to #5 it'll work.

Aaron
Re: ipf firewall questions
On Mon, 15 Nov 2004 15:21:47 -0500, Andrew Smith [EMAIL PROTECTED] wrote:

> I'm using ipf as my firewall, and I can't figure out why OWA is being blocked going to 172.20.0.11. Below is the current config file which works. But if I removed the fourth line, my users can't access OWA externally. I would have thought the lines:
>
> pass out quick from 172.20.0.0/24 to any keep state
> and
> pass in quick from any to 172.20.0.0/24
>
> would have superceded the line
>
> block out log proto tcp from any to any port = 80.
>
> Any suggestions would be helpful.
>
> Andrew
>
> #
> # Permit Outlook Web Access
> #
> pass in quick proto tcp from any to 172.20.0.11 port = 80 keep state

Sorry - I missed the very first rule - how thorough of me. Given that - and my lack of familiarity with ipf vs. ipfw or pf - I'd say the problem may be the lack of any check state type rule which applies to the response traffic. I haven't exhaustively looked at the man page on ipf to verify this, but reviewing what rules will cause ipf to check for any existing states may help. If they are hitting that rule and nothing below is catching response traffic based on existing states then I'm guessing that is what's needed.

Sorry for the confusion on the last post and my apologies if this one causes any more.

Aaron
Re: Postfix does not log
On Fri, 12 Nov 2004 15:00:35 +0200, Ksenia Marasanova [EMAIL PROTECTED] wrote:

> Hi all,
>
> I need some help with Postfix, but I am asking it here, because I am not sure what causes the problem - Postfix or syslog.

Have you tried defining the following (yes, they are the defaults I know) in your main.cf?

syslog_facility = mail
syslog_name = postfix

Also - you could try adding a line to your syslog.conf that looks something like (correct me if I'm wrong on this folks - I've never tried this):

!postfix
*.*    /var/log/postfix.log

(don't copy paste this btw - it'll break syslog)

While it's not the right way to log mail events - it would catch messages if they are being sent to the wrong facility, etc.

If you shutdown postfix and fire up sendmail (if possible) do you get anything in maillog? This may help indicate if the problem is syslog or postfix.

Aaron
Re: Simple Network Traffic script
On Fri, 12 Nov 2004 12:56:57 -0800, Tim Traver [EMAIL PROTECTED] wrote:

> Hi all,
>
> ok, this may be a dumb question, but does anyone know where I can find a simple script that shows the network traffic to and from your local box ?
>
> snip
>
> there must be a simpler way...

If you are running 5.3-RELEASE there is systat

# systat -ifstat

systat exists in 4.x releases but I don't believe it has the -ifstat option. It's only realtime - if you want long-term logging I would suggest either mrtg or better, cacti + rrdtool which is much easier (IMO) to setup (www.raxnet.net) and gives you the flexibility to monitor just about anything.

Aaron
Re: ipfw configuration to intercept SMTP traffic
I believe you'll have one additional problem to resolve. Even if you successfully modify the destination IP address and get it pointed to the upstream server, the source IP will be unmodified and will still be the originator. Since the source IP is unmodified - the upstream mail server will send an ACK back to the originator's IP (not yours) which will most likely get discarded and the connection will fail. Most sane TCP/IP stacks will reject an ACK from an IP address to which it did not send a request. Since the ACK is not going to run back through your host (thus allowing natd another go at reversing the translation) this likely won't work.

Sorry all - I had missed the post regarding use of the -proxy_rule option, which may address this issue. Didn't mean to further confuse the issue.

Aaron
Re: VPN questions
On Wed, 27 Oct 2004 11:47:43 -0500, Michael Clark [EMAIL PROTECTED] wrote:

> > Any suggestions for something compatible with Cisco's 3080 VPN product? Something that will work from behind my home NAT box, ideally?
>
> There is nothing that I know of, I have a 3000 at work and wanted to do the same thing. There is a cli client for the 3000 in ports that I did manage to get working at one time, its not site to site though.

The Cisco 3000 is a difficult beast in this case. I have a site to site VPN between the Cisco and an OpenBSD host which works fine, I assume it would also work for FreeBSD. The challenge however, is that for site to site (known as Lan to Lan in the Cisco) a static IP must be used, this mode does not support a dynamic client that I know of.

You can connect a dynamic client to the Cisco using the Base Group, but their PSK structure for dynamic clients basically requires that you use the same PSK for all clients, not exactly ideal. I believe you can use certificates to get around this, but I've not tried. The Cisco client itself uses XAUTH to allow user/pass type authentication and can then be pointed to a backend authentication service (RADIUS, AD, etc) - if there is some software for FreeBSD that can do XAUTH you would be much closer to getting this to work - I don't think such a thing exists however.

If you have a static IP from your ISP and want to use Lan to Lan, I'm pretty sure that would work (though I'm currently battling this specific scenario on the FreeBSD side trying to get NAT working on the VPN itself to masquerade the LAN behind the VPN). As a Hint, you'll want to use aggressive mode and some identifier for the client other than the IP (I use an email address).

I've resigned to having a few different VPN concentrators for clients to connect to as each seems to have its own specific strengths and weaknesses and our company has a wide variety of clients connecting.

Aaron
Problems with NAT on gif interface for VPN (long post)
All,

I'm having a problem getting nat to work on a gif interface. My goal here is to have a FreeBSD host (which is the gateway for a home network) connect to a VPN using a client vpn setup and masquerade (nat) the network behind the FreeBSD host using a single IP provided by the corporate VPN server.

At this point I have racoon/ipfw/natd working to the point that I can pass traffic over the VPN from the FreeBSD host itself just fine. However, if I send traffic from a client on the LAN, it goes all the way across the VPN, I see the destination host send a response and I see the incoming ESP packet on the FreeBSD host's wan interface, but I never see the packet sent out the LAN and I'm having trouble tracking where it is being dropped. If I perform a packet capture on gif0, I see neither the outgoing or incoming traffic, which seems incorrect to me since I do know the traffic is going out and is coming back when I initiate it from the FreeBSD host itself.

I have started two natd processes bound to two different ports for divert use on each interface, they are shown below.

Anyways, here are the details:

Host A (FreeBSD)
LAN: 192.168.1.1/24
WAN: a.b.c.d (dynamic IP from cable provider)

Host B (VPN server)
LAN: 10.1.8.12/24 (larger /8 behind this)
WAN: w.x.y.z

VPN client IP is 10.1.13.100

--- setkey -DP:

w.x.y.z[any] a.b.c.d[any] ip4
	in ipsec
	esp/tunnel/w.x.y.z-a.b.c.d/require
	spid=67 seq=3 pid=94282
	refcnt=1
10.0.0.0/8[any] 10.1.13.100[any] any
	in ipsec
	esp/tunnel/w.x.y.z-a.b.c.d/require
	spid=69 seq=2 pid=94282
	refcnt=1
a.b.c.d[any] w.x.y.z[any] ip4
	out ipsec
	esp/tunnel/a.b.c.d-w.x.y.z/require
	spid=66 seq=1 pid=94282
	refcnt=1
10.1.13.100[any] 10.0.0.0/8[any] any
	out ipsec
	esp/tunnel/a.b.c.d-w.x.y.z/require
	spid=68 seq=0 pid=94282
	refcnt=1

--- Relevant routing entries

Destination        Gateway            Flags    Refs      Use  Netif Expire
10                 10.1.8.12          UGSc        1     9098   gif0
10.1.8.12          10.1.13.100        UH         10             gif0

--- ifconfig:

xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet6 fe80::260:8ff:fea5:d095%xl0 prefixlen 64 scopeid 0x1
	inet a.b.c.d netmask 0xfe00 broadcast 255.255.255.255
	ether 00:60:08:a5:d0:95
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
vr0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
	inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.255
	inet6 fe80::250:8dff:fe5d:c6d%vr0 prefixlen 64 scopeid 0x2
	inet 192.168.1.2 netmask 0x broadcast 192.168.1.2
	ether 00:50:8d:5d:0c:6d
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
gif0: flags=28151<UP,POINTOPOINT,RUNNING,PROMISC,MULTICAST> mtu 1280
	tunnel inet a.b.c.d --> w.x.y.z
	inet6 fe80::260:8ff:fea5:d095%gif0 prefixlen 64 scopeid 0x8
	inet 10.1.13.100 --> 10.1.8.12 netmask 0x

--- natd processes (latter is setup for debugging):

/sbin/natd -dynamic -use_sockets -unregistered_only -n xl0
/sbin/natd -v -l -n gif0 -log_denied -p 8669

--- ipfw show (Yes, this set isn't that clean - it's been hacked up while trying to figure out this issue - please forgive any redundancies or inefficiencies you see unless they may impact this problem)

00100 1458262 852524563 divert 8668 ip from any to any via xl0
00200 3436370488 divert 8669 ip from any to any via gif0
00300 0 0 check-state
00400 890895 403006370 allow ip from any to any keep-state out xmit xl0
00500 0 0 allow ip from any to any keep-state via gif0
00600 4 432 allow esp from any to any
00700 0 0 allow udp from any to me 500 in
00800 2770 5371008 allow ip from any to any via lo0
00900 1364895 918328465 allow ip from any to any keep-state via vr0
01000 6699 1015786 allow tcp from any to any 22 keep-state in
01100 44273 13145900 allow tcp from any to any 25 keep-state in
01200 3361 1924613 allow tcp from any to any 80 keep-state in
01300 392 26364 allow icmp from any to any
01400 55996 18161747 deny log ip from any to any
65535 104 11992 deny ip from any to any

--

So, at this point when I send traffic from a machine on the LAN, I can confirm the following:

NAT seems to work based on the debug output of natd:

Out [ICMP] [ICMP] 192.168.1.101 -> 10.1.2.115 8(0) aliased to [ICMP] 10.1.13.100 -> 10.1.2.115 8(0)

I see the icmp packet reach the other side of the VPN via tcpdump, and I see an icmp echo response sent back.

If I sniff my xl0 interface while doing this I see the following:

11:03:34.093263 a.b.c.d > w.x.y.z: ESP(spi=0xa9c55011,seq=0x5)
11:03:34.128605 w.x.y.z > a.b.c.d.167: ESP(spi=0x0dcf2aab,seq=0x5)

These packets correspond w/ the ICMP request/response I see on the other side of the
Re: 2 Network Cards 2 IP's?
On Tue, 26 Oct 2004 11:00:45 -0600, Adam Seniuk [EMAIL PROTECTED] wrote:

> xl0
> arp: 192.168.1.100 is on fxp0 but got reply from 00:02:b3:9f:74:89 on xl0
> arp: 192.168.1.1 is on fxp0 but got reply from 00:07:e9:10:43:78 on
>
> I get these messages in my logs (quite a few) So I am not sure what is wrong. I noticed in another thread that freebsd does not allow ips from the same netmask so how does the blundering windows do it?

Those messages are probably technically correct. Since both NIC's are on the same wire, they are both going to see the same ARP request/responses. I assume this error is just indicating that there is already an ARP entry for 192.168.1.100 which indicates that it can be found via fxp0 and it just saw an ARP response indicating that it is also available via xl0 - so which should it use? It's a bit confusing to a machine which has to select the correct NIC to send traffic out.

What is the goal of all this? Typically for multiple IP's on the same subnet you would just use an alias - I assume that's not suitable in this case but am not sure why.

Aaron
Re: 2 Network Cards 2 IP's?
On Tue, 26 Oct 2004 11:14:21 -0600, Adam Seniuk [EMAIL PROTECTED] wrote:

> This is more for redundancy, I have 2 on board nic's so if I can use both of them to do basic dns round robin load balancing and manual failover its more useful than one network card doing nothing :D

There is a sysctl variable which can be set to zero and would stop the log events I think

net.link.ether.inet.log_arp_wrong_iface: 1

Hopefully that helps.

Aaron