Dialog on some ports looks odd

2012-12-13 Thread Dan Mahoney, System Admin

Hey there,

Can people confirm some brokenness to me?

When I'm on a system over SSH, I find that doing the following:

cd /usr/ports/mail/alpine; make config

looks fine, but

cd /usr/ports/mail/opendkim; make config

seems to corrupt the headings and not display correctly, the OK/Cancel 
buttons get mangled (it may or may not work on the system console).


Could I get some confirmation before I do a send-pr?

--

I can feel it, comin' back again...Like a rolling thunder chasin' the
wind...

-Dan Mahoney, JS, JB  SL, May 10th, 1997, Approx 1AM

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


portupgrade -- is there a way to only build and update ports that actually NEED it?

2012-06-25 Thread Dan Mahoney, System Admin

Hey there,

I'm presently in the process of trying to do a portupgrade from rt-3.8.8 
to 3.8.13.  By all estimations, this is a minor bump.


Already, I've encountered several annoyances due to ABI changes, such as 
the libtool2.4 fun.  With normal portupgrade, this forces you to go fix 
the dependent port.


Finally, I just applied -r, which should update all dependent packages, 
but it seems to upgrade them unconditionally.


Ergo, I've since built a new version of perl, a new version of python, 
rebuilt every perl module on the system, am presently rebuilding apache22, 
and I'm sure the system will turn around and require me to rebuild 
postgres real soon.


You would think there's an option to portupgrade that says don't upgrade 
every single package I've got, but if somewhere in the dependency chain I 
need a newer version of a thing, then do it.


Am I just missing it in the manpages, or does such a thing really not 
exist?


-Dan

--

You recreate the stars in the sky with cows?

-Furrball, March 7 2005, on Katamari Damacy

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



possibility of a port for older versions of libintl?

2012-06-11 Thread Dan Mahoney, System Admin

Hey there,

I recently discovered that the vmware-tools package is compiled against 
libintl.so.8 -- yes, this is probably something that should be fixed at 
the vmware level, but VMware's love for FreeBSD isn't there.


As a workaround, it might be useful to have a port which compiles an older 
version of libintl (potential security issues notwithstanding, since it's 
assumed it will only be used by this one tool).


This seems to me to be somewhat *less* destabilizing than the 
commonly-suggested (and perhaps, oft-used) suggestion of symlinking 
/usr/lib/libintl.so.8 -- libintl.so.9


Thoughts?

--

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



Re: Don't know how to make /usr/ports/dns/bind96/work/.build....

2009-07-29 Thread Dan Mahoney, System Admin

On Wed, 29 Jul 2009, Doug Barton wrote:


Mel Flynn wrote:

On Tuesday 28 July 2009 20:24:27 Dan Mahoney, System Admin wrote:


make: don't know how to make
/usr/ports/dns/bind96/work/.build_done.bind96._usr_local. Stop
*** Error code 2



Someone else had the same problem, and they also chose overwrite-base:

http://unix.derkeiler.com/Mailing-Lists/FreeBSD/questions/2007-08/msg00035.html

But it was dismissed because he was using sudo, however the real reason
is because this problem goes away a second time.


Most likely because that option changes PREFIX, so the BUILD_COOKIE changed,
but the target was already in make's list of targets to make. After options
are stored in /var/db/ports, BUILD_COOKIE will end in ._usr.


I believe Mel is right here. 'make clean ; make config ; make' worked
for me.


As does a second make after getting this error, but it's nonintuitive, and 
probably a ports bug.


-Dan

--

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



Re: Don't know how to make /usr/ports/dns/bind96/work/.build....

2009-07-29 Thread Dan Mahoney, System Admin

On Wed, 29 Jul 2009, Doug Barton wrote:


Dan Mahoney, System Admin wrote:


I believe Mel is right here. 'make clean ; make config ; make' worked
for me.


As does a second make after getting this error, but it's nonintuitive,
and probably a ports bug.


I'm not sure why 'make clean' is nonintuitive in the context of
changing OPTIONS. What is your expectation of how it should work?


The fact that the error occurs AT ALL is the bug and what is 
counterintuitive, and many people would not think to try typing make 
again, and instead would just assume the thing's broken.


(See previously referenced email)

Make clean isn't solving the problem, but I can see how you're getting 
that thought.  The problem only occurs on a virgin, untouched, 
un-configged port.


The solution to the problem in this case is to just re-run make.  There's 
nothing to CLEAN, since you haven't made yet.


The reason it seems like make clean fixes it may also be because make clean 
does not do a make rmconfig: when I do an rmconfig I can successfully 
duplicate this problem, however:


Running make config then make: fine
Running just make, with no config: this error.

Thoughts?

--

If you aren't going to try something, then we might as well just be
friends.

We can't have that now, can we?

-SK  Dan Mahoney,  December 9, 1998

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



Re: Don't know how to make /usr/ports/dns/bind96/work/.build....

2009-07-29 Thread Dan Mahoney, System Admin

On Wed, 29 Jul 2009, Doug Barton wrote:


Mel Flynn wrote:

On Wednesday 29 July 2009 10:57:05 Doug Barton wrote:

Dan Mahoney, System Admin wrote:

I believe Mel is right here. 'make clean ; make config ; make' worked
for me.

As does a second make after getting this error, but it's nonintuitive,
and probably a ports bug.

I'm not sure why 'make clean' is nonintuitive in the context of
changing OPTIONS. What is your expectation of how it should work?


What he means is that make without arguments or make install as per handbook,
will build the build target which will invoke the config target if OPTIONS
changed or no options file is found.


In the original post the build was already done, but it had been done
with a different set of OPTIONS choices. My question is, why is
running 'make clean' in the scenario of:
1. build
2. change options
[make clean should happen here]
3. install

not intuitive?


Because in my case, the thing was already clean beforehand?  Two 
systems, one 6.4-PRERELEASE (6.4 release, really, it missed the release 
date by hours), the other 6.4-STABLE.  Both exhibit this with a ports tree 
cvsupped hours before this report.


make clean (or even make distclean), make rmconfig, then make still gives 
me this issue.


run clean after changing options is intuitive and is common sense, yes.

run clean after running config and before building code that you haven't 
built before does not make sense.


On a virgin port, you are thrown into the options screen by default unless 
you have BATCH set.  That's the counterintuitive part.


-Dan

--

Happy, Sad, Happy, Sad, Happy, Sad, Happy, Intrigued!  I've never been so
in touch with my emotions!

-AndrAIa as Hexadecimal, Reboot Episode 3.2.3

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



Re: Don't know how to make /usr/ports/dns/bind96/work/.build....

2009-07-29 Thread Dan Mahoney, System Admin

On Wed, 29 Jul 2009, Doug Barton wrote:


Dan Mahoney, System Admin wrote:

The fact that the error occurs AT ALL is the bug and what is
counterintuitive, and many people would not think to try typing make
again, and instead would just assume the thing's broken.


Ok, I actually misunderstood the problem that you were reporting. I
thought that the reference to .build_done.bind96._usr_local indicated
that the port had already been built once, but that is not the case.
To reproduce the bug, you need to do the following:

1. Make sure there is nothing in /var/db/ports/bind96
2. cd /usr/ports/dns/bind96
3. make
4. Enable the replace base option
5. Save the config

You will then see the following error:

make: don't know how to make
/usr/local/tmp/usr/local/ports/dns/bind96/work/.build_done.bind96._usr_local.
Stop
*** Error code 2

I think Mel is right that the problem is changing PREFIX, but that's
the whole purpose of the option.

Could you please open a PR about this with a subject something to the
effect of OPTIONS that change PREFIX cause an error after 'make
config' and describe how to reproduce this?


Done, just got the mail from gnats: 137250.

-Dan

--

Pika Pika Pika!

-Pikachu, of Pokemon fame.

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



Don't know how to make /usr/ports/dns/bind96/work/.build....

2009-07-28 Thread Dan Mahoney, System Admin

Hey all,

I'm having a problem on multiple systems:

With a clean port, in dns/bind96:

I get the options screen, I select only overwrite base in addition to 
the defaults:, and after, I get this:


make: don't know how to make 
/usr/ports/dns/bind96/work/.build_done.bind96._usr_local. Stop

*** Error code 2

Stop in /usr/ports/dns/bind96.
s1#

Additional builds go fine.

Someone else had the same problem, and they also chose overwrite-base:

http://unix.derkeiler.com/Mailing-Lists/FreeBSD/questions/2007-08/msg00035.html

But it was dismissed because he was using sudo, however the real reason 
is because this problem goes away a second time.


-Dan

--

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



Re: Health Monitoring on Dell 600SC

2009-03-08 Thread Dan Mahoney, System Admin

On Sun, 8 Mar 2009, Polytropon wrote:


On Sat, 7 Mar 2009 23:04:45 -0500 (EST), Dan Mahoney, System Admin 
d...@prime.gushi.org wrote:

Hey all,

I've got a dell 600SC in a remote location, and it's started freezing up
(I'm thinking I've got a dying fan).


I'm not familiar with this special Dell system, but maybe the
tools mbmon and healthd (from ports) can help you to monitor
at least fan speeds and temperatures (as well as voltages).
They're using the kernel's SMB facility.


pciconf -l -v doesn't show an smbus on this system, even with the kernel 
options compiled in.


healthd, I've tried, and it talks to some chips directly, but it hasn't 
been updated in forever.


bsdhwmon looks like it did two releases and went unsupported, reports this 
board as unsupported.


It would appear that older linux kernels find the hardware as follows on 
this link http://hausheer.osola.com/docs/8 (I realize BSD and linux are 
different, but perhaps the output there could help someone to know if 
something there is supported).


Sadly, porting lm_sensors to BSD is hard because of all the kernel 
dependencies and abstraction.  But something more universal under BSD as 
opposed to several years-outdated ports would be REALLY COOL.


-Dan

--

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



Re: Health Monitoring on Dell 600SC

2009-03-08 Thread Dan Mahoney, System Admin

On Sun, 8 Mar 2009, Tim Judd wrote:




On Sun, Mar 8, 2009 at 2:02 AM, Dan Mahoney, System Admin 
d...@prime.gushi.org wrote:
  On Sun, 8 Mar 2009, Polytropon wrote:

On Sat, 7 Mar 2009 23:04:45 -0500 (EST), Dan Mahoney, System Admin 
d...@prime.gushi.org wrote:
  Hey all,

  I've got a dell 600SC in a remote location, and it's started 
freezing up
  (I'm thinking I've got a dying fan).


I'm not familiar with this special Dell system, but maybe the
tools mbmon and healthd (from ports) can help you to monitor
at least fan speeds and temperatures (as well as voltages).
They're using the kernel's SMB facility.


pciconf -l -v doesn't show an smbus on this system, even with the kernel 
options compiled in.

healthd, I've tried, and it talks to some chips directly, but it hasn't been 
updated in forever.

bsdhwmon looks like it did two releases and went unsupported, reports this 
board as unsupported.

It would appear that older linux kernels find the hardware as follows on this 
link http://hausheer.osola.com/docs/8 (I
realize BSD and linux are different, but perhaps the output there could help 
someone to know if something there is
supported).

Sadly, porting lm_sensors to BSD is hard because of all the kernel dependencies 
and abstraction.  But something more
universal under BSD as opposed to several years-outdated ports would be 
REALLY COOL.


Dan,

I'm curious...  and only curious.  Have you discovered if the OpenManage suite works with any drivers on the Linux system? 
Because if OpenManage is a userland utility only, running OpenManage with linux compatibility should work, right?


It would appear that the openmanage stuff requires kernel modules to be 
loaded.  As the way the linuxemu under BSD works, it basically includes a 
whole linux-kernel into the BSD kernel, I doubt any of those modules would 
load.


This is a shame, we've gotten to the point where we can drop in windows 
drivers for things like modems and network cards (which I can easily slap 
a compatible one into my system and ignore the noncompatible one).


But I can't exactly toss another hw monitoring chip in.  :(


My understanding of Linux compat is the ability to run userland apps (not 
drivers) under BSD.  The closed minded attitude of
Dell that will support X but not Y is offensive to me and that is what 
makes me steer clear of the Dell branded stuff.


The systems came to me free, other than this dying fan thing, they've 
proven ROCK solid (and I have a bank of spare systems).



I hope this might have sparked an interest - but I can't help with the Linux 
compat at all.  I run BSD because it's not Linux.


As do I.  But linux excels in this area.  lm_sensors is better than 
anything available under BSD.  Given the drastic age of the ports I 
mentioned above, what ARE people using to gauge their systems?  Or do 
people just not care about this stuff?


-Dan

--

You recreate the stars in the sky with cows?

-Furrball, March 7 2005, on Katamari Damacy

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---

Health Monitoring on Dell 600SC

2009-03-07 Thread Dan Mahoney, System Admin

Hey all,

I've got a dell 600SC in a remote location, and it's started freezing up 
(I'm thinking I've got a dying fan).


I've seen a thread from this user: 
http://lists.freebsd.org/pipermail/freebsd-hardware/2004-September/001883.html


But seem to recall that none of this worked for me either.

Since there's been no good port of the dell openmanage stuff to BSD (as 
far as I'm aware), anyone have any ideas how I can poll it?


-Dan Mahoney

--


Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



(no subject)

2008-12-11 Thread Dan Mahoney, System Admin

Okay, new problem with regard to netgroups, NIS, and Pam:

Given the following situation:

* I want to be able to have su work normally in the event of an NIS 
disconnect, since I will likely need to su to fix said disconnect.


* The wheel group needs to stay local

* I want su to still use group ownership as a check

I recently could not get an admin account (defined in NIS) to su to root. 
Even though groups username showed he was in wheel (and the wheel group 
has been propagated into NIS), pam_group and pw groupshow show him as 
not.  This is probably because the local wheel group overrode the NIS 
wheel group.  (I'm not that thrilled by having the wheel group in NIS 
anyway).


Since pam_group is requisite, there's no easy way to call it multiple 
times, and no easy pam syntax to say one of these two must pass. 
Required won't help. Otherwise I'd simply define an extra group, call it 
NISwheel or something, and configure access accordingly.


What I instead would propose is for pam_group to take an optional argument 
list instead of a single group (or possibly, multiple group= 
requirements).


Doing something with pam_exec is an option here as well, but I feel this 
functionality should be fairly elementary to add, moving forward.


-Dan

--

You're a daddy.  I'm a mommy.  She's our baby.  Deal with it.

-Cali, 11/7/02, about 1:35 AM

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



How to block NIS logins via ssh?

2008-12-10 Thread Dan Mahoney, System Admin

Hello all,

I'm noticing that when following the directions given here:

http://www.freebsd.org/doc/en/books/handbook/network-nis.html

For how to disable logins, the recommended action is to set the shell to 
/sbin/nologin.


However, this is sloppy as it allows the user to log in, get the motd, do 
everything short of getting a shell.


I've tried starring out the password in the +: entry, (and putting 
in a bad password, like x), and those don't seem to work.  I am still 
able to connect via sshd and prove that the account works.


What's happening here?

-Dan

--

Wrin quick, somebody tell me the moon phase please?
Dan_Wood Wrin: Plummeting.

-Undernet #reboot, 9/11/01 (day of the WTC bombing)

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



Re: How to block NIS logins via ssh?

2008-12-10 Thread Dan Mahoney, System Admin

On Wed, 10 Dec 2008, Dan Nelson wrote:


In the last episode (Dec 10), Dan Mahoney, System Admin said:

I'm noticing that when following the directions given here:

http://www.freebsd.org/doc/en/books/handbook/network-nis.html

For how to disable logins, the recommended action is to set the shell to
/sbin/nologin.

However, this is sloppy as it allows the user to log in, get the
motd, do everything short of getting a shell.

I've tried starring out the password in the +: entry, (and
putting in a bad password, like x), and those don't seem to work.
I am still able to connect via sshd and prove that the account works.


By default, the passwd field is ignored in an NIS + or - line. It looks
like if you rebuild libc with PW_OVERRIDE_PASSWD=1,  you will get the
behaviour you're looking for (see the compat_set_template function in
src/lib/libc/gen/getpwent.c).


Okay, let's look at it from an alternate tack then -- what else renders an 
account invalid?


Is there a pam knob to check /etc/shells?  Or an sshd option?

I found these:

http://osdir.com/ml/linux.admin.managers/2003-08/msg00016.html

for a user who had a similar problem, but freebsd doesn't appear to have 
the requisite module.  This could also be implemented as an option to 
pam_unix (which could check either /etc/shells or the NIS equivalent, 
since it already has the NIS hooks.)


I'll make a separate post to -hackers requesting this.

it's probably pretty trivial to port, but I'm leery to do so not-being a 
c-coder.


-Dan

--

Of course she's gonna be upset!  You're dealing with a woman here Dan,
what the hell's wrong with you?

-S. Kennedy, 11/11/01

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



Re: How to block NIS logins via ssh?

2008-12-10 Thread Dan Mahoney, System Admin

On Wed, 10 Dec 2008, Dan Nelson wrote:


In the last episode (Dec 10), Dan Mahoney, System Admin said:

On Wed, 10 Dec 2008, Dan Nelson wrote:

In the last episode (Dec 10), Dan Mahoney, System Admin said:

I'm noticing that when following the directions given here:

http://www.freebsd.org/doc/en/books/handbook/network-nis.html

For how to disable logins, the recommended action is to set the shell to
/sbin/nologin.

However, this is sloppy as it allows the user to log in, get the
motd, do everything short of getting a shell.

I've tried starring out the password in the +: entry, (and
putting in a bad password, like x), and those don't seem to
work. I am still able to connect via sshd and prove that the
account works.


By default, the passwd field is ignored in an NIS + or - line. It
looks like if you rebuild libc with PW_OVERRIDE_PASSWD=1, you will
get the behaviour you're looking for (see the compat_set_template
function in src/lib/libc/gen/getpwent.c).


Okay, let's look at it from an alternate tack then -- what else renders an
account invalid?

Is there a pam knob to check /etc/shells?  Or an sshd option?


There's a pam_exec module which launches a program of your choice.  You
could look up the user's shell from there using whatever script you're
comfortable with.  Or, if all your NIS users are members of a certain
group, you could use the pam_group module to deny them.


I found these:

http://osdir.com/ml/linux.admin.managers/2003-08/msg00016.html

for a user who had a similar problem, but freebsd doesn't appear to have
the requisite module.  This could also be implemented as an option to
pam_unix (which could check either /etc/shells or the NIS equivalent,
since it already has the NIS hooks.)


It looks like our pam_unix module has a local_pass option, which
claims to disallow NIS logins.  Have you tried that?


No, I'm using netgroups -- i.e. allow one user (or, rather, allow the 
@STAFF group, import the whole map, disallow the rest from logging in.)


Actually, I just found the answer to this...instead of putting nologin 
in, put in something bogus (I'm using /nonexistent)...and the password 
will just loop.


This is something sshd does internally.

Given, there's several solutions to this:

1) The Kluge as above.

2) A pam module to check /etc/group (this is standard login behavior, and 
historically supported, and available on other platforms, adding a module, 
even to ports, is trivial).


3) A patch to openssh to do /etc/shells checking (I'll note that openSSH 
has the UseLogin option, which may also do this).


4) An option to pam_unix to check this.  Differs from #2 in that it's a 
change to an existing module instead of one in ports.


-Dan

--

The first annual 5th of July party...have you been invited?
It's a Jack Party.
Okay, so Long Island's been invited.

--Cali and Gushi, 6/23/02


Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---
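
One way to do the pam_exec lookup suggested in the reply quoted above, as an added example that is not part of the original thread: an sh helper that rejects the account unless its shell (local or NIS) is listed in /etc/shells. It assumes pam_exec exports the login name as PAM_USER and that getent(1) is available; the install path and PAM line in the comments are hypothetical.

```sh
#!/bin/sh
# Added example: account check meant to be run from pam_exec(8).
# Hypothetical PAM line (path is an assumption, not from the thread):
#   account  requisite  pam_exec.so  /usr/local/libexec/check_shell.sh
# Exit status 0 lets the PAM stack continue; anything else fails the module.

SHELLS_FILE="${SHELLS_FILE:-/etc/shells}"

# shell_is_listed SHELL [FILE]
# Return 0 only if SHELL is an entry in FILE. Comments, blank lines,
# surrounding whitespace and a missing final newline are tolerated.
shell_is_listed() {
    _shell="$1"
    _file="${2:-$SHELLS_FILE}"
    [ -n "$_shell" ] || return 1
    [ -r "$_file" ] || return 1
    while read -r _ent _rest || [ -n "$_ent" ]; do
        _ent="${_ent%%#*}"              # drop a comment glued to the entry
        [ -n "$_ent" ] || continue
        [ "$_ent" = "$_shell" ] && return 0
    done < "$_file"
    return 1
}

# user_shell USER
# Print the login shell of USER as the name service switch resolves it
# (so NIS/compat entries are included). Fails if the user is unknown.
user_shell() {
    _pw=$(getent passwd "$1") || return 1
    [ -n "$_pw" ] || return 1
    _sh="${_pw##*:}"                    # last passwd field is the shell
    printf '%s\n' "${_sh:-/bin/sh}"     # an empty field means /bin/sh
}

# account_allowed USER
# Unknown users and shells missing from SHELLS_FILE are both denied.
account_allowed() {
    _user_sh=$(user_shell "$1") || return 1
    shell_is_listed "$_user_sh"
}

# Only act as a PAM helper when pam_exec has supplied a user name.
if [ -n "${PAM_USER:-}" ]; then
    if account_allowed "$PAM_USER"; then
        exit 0
    fi
    logger -p auth.notice -t check_shell \
        "denied $PAM_USER: shell not listed in $SHELLS_FILE"
    exit 1
fi
```

With this in the account chain, an account whose shell is /sbin/nologin or /nonexistent is rejected as long as that path is not listed in /etc/shells.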



/var/yp/securenets and ipv6?

2008-12-09 Thread Dan Mahoney, System Admin

Hello all...

I searched for this everywhere and I guess it's a question that's never 
been asked.


What's the syntax under FreeBSD for ipv6 addresses in securenets?

Please reply off-list.

-Dan Mahoney

--


Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



IPFW uid logging...

2008-09-08 Thread Dan Mahoney, System Admin

Hey all,

I have the following rule set up in ipfw to limit the exposure of bad php 
scripts and trojans that try to send mail directly.


allow tcp from any to any dst-port 25 uid root
deny log tcp from any to any dst-port 25 out

However, the log messages I get look like this:

Sep  8 13:21:11 security.info prime kernel: ipfw: 610 Deny TCP 72.9.101.130:58117 209.85.133.114:25 out via em0
Sep  8 13:21:16 security.info prime kernel: ipfw: 610 Deny TCP 72.9.101.130:56672 202.12.31.144:25 out via em0
Sep  8 13:21:16 security.info prime kernel: ipfw: 610 Deny TCP 72.9.101.130:58131 209.85.133.27:25 out via em0
Sep  8 13:21:28 security.info prime kernel: ipfw: 610 Deny TCP 72.9.101.130:58117 209.85.133.114:25 out via em0
Sep  8 13:21:32 security.info prime kernel: ipfw: 610 Deny TCP 72.9.101.130:58131 209.85.133.27:25 out via em0
Sep  8 13:22:45 security.info prime kernel: ipfw: 610 Deny TCP 72.9.101.130:65313 64.202.166.12:25 out via em0
Sep  8 13:22:45 security.info prime kernel: ipfw: 610 Deny TCP 72.9.101.130:65313 64.202.166.12:25 out via em0
Sep  8 13:22:46 security.info prime kernel: ipfw: 610 Deny TCP 72.9.101.130:65313 64.202.166.12:25 out via em0
Sep  8 13:22:49 security.info prime kernel: ipfw: 610 Deny TCP 72.9.101.130:65313 64.202.166.12:25 out via em0


Which is to say, they don't include the UID -- and I have several hundred 
sites, each with its own UID.


Yes, I could go ahead and set up a thousand deny rules, one for each UID 
-- but being able to log this info (since it IS being checked) would be 
great.


Thoughts?

-Dan Mahoney

--

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



Re: IPFW uid logging...

2008-09-08 Thread Dan Mahoney, System Admin

On Mon, 8 Sep 2008, Dan Nelson wrote:


In the last episode (Sep 08), Dan Mahoney, System Admin said:

I have the following rule set up in ipfw to limit the exposure of bad
php scripts and trojans that try to send mail directly.

allow tcp from any to any dst-port 25 uid root
deny log tcp from any to any dst-port 25 out

However, the log messages I get look like this:

Sep  8 13:21:11 security.info prime kernel: ipfw: 610 Deny TCP 72.9.101.130:58117 209.85.133.114:25 out via em0
Sep  8 13:21:16 security.info prime kernel: ipfw: 610 Deny TCP 72.9.101.130:56672 202.12.31.144:25 out via em0

Which is to say, they don't include the UID -- and I have several hundred
sites, each with its own UID.

Yes, I could go ahead and set up a thousand deny rules, one for
each UID -- but being able to log this info (since it IS being
checked) would be great.


It should be possible to add a couple more arguments to ipfw_log() so
that ipfw_chk() can pass it the ugid_lookup flag and a pointer to the
fw_ugid_cache struct.  Then you can edit ipfw_log to print the contents
of that struct if ugid_lookup==1.  That would result in the logging of
uid for any failed packet that had to go through a uid check on the way
to the deny rule.


Okay, so if it's fairly easy to do, the question would be since I don't 
feel right hacking in this change myself -- how could I propose this as a 
feature?  It's not a BUG per-se, but I think it could be useful to others 
as well.


-Dan

--

Pika Pika Pika!

-Pikachu, of Pokemon fame.

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---
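
The per-UID deny rules mentioned in this thread, as an added example that is not part of the original messages: a script that generates one numbered rule per account, so the rule number ipfw already logs identifies the sender, and then maps log lines back to accounts. The base rule number, account names and file handling are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): one numbered deny rule per account.
# Assumptions: BASE_RULE is constructed; the generated rules must sort after
# the "allow ... uid root" rule and before the catch-all deny (rule 610 in
# the logs above), so renumber to fit the local ruleset.

BASE_RULE="${BASE_RULE:-1000}"
MAX_RULE=65534                # 65535 is ipfw's built-in default rule

# emit_rules [FIRST_RULE] < accounts
# Read one account name per line and print one ipfw command per account.
# Blank lines and comments are ignored; names with unexpected characters
# are skipped so nothing unvetted ends up in a root-run command line.
emit_rules() {
    _n="${1:-$BASE_RULE}"
    while IFS= read -r _user || [ -n "$_user" ]; do
        case "$_user" in
            ''|\#*) continue ;;
            *[!A-Za-z0-9._-]*)
                echo "emit_rules: skipping invalid name" >&2
                continue ;;
        esac
        if [ "$_n" -gt "$MAX_RULE" ]; then
            echo "emit_rules: out of rule numbers" >&2
            return 1
        fi
        printf 'ipfw add %d deny log tcp from any to any dst-port 25 out uid %s\n' \
            "$_n" "$_user"
        _n=$((_n + 1))
    done
    return 0
}

# rule_owner RULE_NUMBER RULES_FILE
# Print the account a generated rule belongs to; fail if it is not ours.
rule_owner() {
    awk -v n="$1" '
        $1 == "ipfw" && $2 == "add" && $3 == n { print $NF; found = 1; exit }
        END { exit !found }' "$2"
}

# annotate_log RULES_FILE < security log
# Prefix each log line with the owning account and a tab ("-" if the rule
# number after "ipfw:" is not one of the generated rules).
annotate_log() {
    awk -v rules="$1" '
        BEGIN {
            while ((getline line < rules) > 0) {
                n = split(line, f, " ")
                if (f[1] == "ipfw" && f[2] == "add") owner[f[3]] = f[n]
            }
            close(rules)
        }
        {
            who = "-"
            for (i = 1; i < NF; i++)
                if ($i == "ipfw:" && ($(i + 1) in owner)) who = owner[$(i + 1)]
            print who "\t" $0
        }'
}

# Demo on constructed input: sh smtp_uid_rules.sh demo
if [ "${1:-}" = "demo" ]; then
    rules=$(mktemp)
    printf 'site1\nsite2\n' | emit_rules > "$rules"   # constructed names
    cat "$rules"
    # Constructed log line in the format shown in the thread.
    echo 'Sep  8 13:21:11 security.info prime kernel: ipfw: 1001 Deny TCP 192.0.2.10:58117 198.51.100.25:25 out via em0' |
        annotate_log "$rules"
    rm -f "$rules"
fi
```

The generated file doubles as the rule-to-account map, so keep the copy that was actually loaded alongside the logs.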



Re: Circumstance leading up to removal of perl from base?

2008-06-21 Thread Dan Mahoney, System Admin

On Sat, 21 Jun 2008, Kris Kennaway wrote:


Dan Mahoney, System Admin wrote:

Hello all,

I know it was a long time ago, but I was talking with a co-worker about why 
perl was removed from the base in v5 -- I seem to recall a discussion on 
some mailing list about either the number of arguments or the format of the 
arguments and/or output of a base perl function having changed between 
5.005 and 5.6.1.


Thing is, that's a very vague thing to try to google for, and I can't seem 
to find it.  Are there any old-timers who remember the system call in 
question?


I don't think it was that.  AFAICR the issue was mostly that it was a *lot* of 
work to mangle the perl build into bmake format so it would build with make 
world, and it was also difficult to avoid conflicts with other versions of 
perl that needed to be installed for port builds.  It was just too difficult 
to maintain in the base system, especially when nothing used it.


Yeah, most of my recent re-reading is showing that...but there's something 
so distinct in my mind that I'm recalling, some function that changed its 
meaning, return values, and/or number of arguments around that time.  I 
realize that may not be the ONLY reason, and I'm seeing a lot of the 
predominant others... still, this is going to bug me, now.


I could of course just be insane.

Personally, I miss the adduser written in perl -- there's a feature that 
was in that version that's not in the current (integration with /var/yp 
and the ability to automagically run make in that dir).


-Dan

--

When I'm lost, and confused, and trying to make a U-turn, nothing annoys
me more than someone telling me to watch out for the tombstone!

How often does that happen, Fab?

-David Feld  Tom Fabry, sometime in High School.

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



Re: Circumstance leading up to removal of perl from base?

2008-06-21 Thread Dan Mahoney, System Admin

On Sat, 21 Jun 2008, Wojciech Puchar wrote:

Yes I know how to use the OS, I'm more asking for historical trivia reasons.

-Dan



I know it was a long time ago, but I was talking with a co-worker about why 
perl was removed from the base in v5 -- I seem to recall a discussion on 
some mailing list about either the number of arguments or the format of the 
arguments and/or output of a base perl function having changed between 
5.005 and 5.6.1.


because it's not needed for programs in base system, but you have ports and 
always can install it.


the rule is keep base system simple and small. it's BSD anyway :)



--

One...plus two...plus one...plus one.

-Tim Curry, Clue



Circumstance leading up to removal of perl from base?

2008-06-20 Thread Dan Mahoney, System Admin

Hello all,

I know it was a long time ago, but I was talking with a co-worker about 
why perl was removed from the base in v5 -- I seem to recall a discussion 
on some mailing list about either the number of arguments or the format of 
the arguments and/or output of a base perl function having changed between 
5.005 and 5.6.1.


Thing is, that's a very vague thing to try to google for, and I can't seem 
to find it.  Are there any old-timers who remember the system call in 
question?


Please let me know,

-Dan Mahoney



mailcap documentation?

2008-05-01 Thread Dan Mahoney, System Admin

Hello all,

There's apparently an RFC-standard file called /etc/mailcap (as well as 
.mailcap), but I can't find any docs on this file.


Would it be worthwhile to rework the RFC into a manpage (I am willing to 
do it), or should I bother the providers of ports that use it (such as, 
say, alpine (and possibly others)?  The problem is, they likely don't 
bundle it because other OSes have it already.


It's a fairly standard file, but FreeBSD doesn't ship with an MUA that 
uses it (I *think*).  I know mail(1) does not.


-Dan



Manpage for rpc.ypupdated?

2008-04-26 Thread Dan Mahoney, System Admin

With all the recent changeover in namespace for rpc/yp stuff, there's been 
a lot moved around, but in all my searches, the rpc.ypupdated daemon is 
completely undocumented (even a grep through the rest of the man 
directories provides no mention).


Near as I can tell, it allows nis clients to make updates to the NIS maps 
(which is a dangerous functionality)...shouldn't there be SOME docs for 
this?


If this should be opened as a bug, let me know.

-Dan Mahoney

--

She's NOT my girlfriend!

-Dan Mahoney, Quite a bit recently.



Shell Menu that populates from /var/db/pkg

2008-01-10 Thread Dan Mahoney, System Admin

Hello all,

I'd like to have a shell menu on my system that gives them available 
programs they can learn, but that also learns from ports/packages which 
options are available.  (I.e. it won't list every branch port, but will 
list things from, say, editors, games, and possibly only certain things 
from graphics (for example I'd like to list imagemagick's commands and/or 
man page), but not gd (since gd is useless from a shell context).


Has anyone written something like this?  Or even close to?

-Dan Mahoney

--

It's like GTA, except you pay for it, and you're allowed to use the car.

-Josh, on Zipcar on-demand car-rental, 3/20/05



DigiBoard Classic

2008-01-01 Thread Dan Mahoney, System Admin

Hello All,

I have a digiboard classic PCI, and I am trying to build a system to 
monitor many serial systems (UPSes) using FreeBSD.


I cannot find any documentation referring to this driver -- it seems that 
everything digi related in the BSD tree refers to the intelligent 
cards, whereas the ClassicBoard is not intelligent, but does manage to do 
interrupt sharing.


(It's also frequently available on ebay, which makes it an ideal candidate 
for experimentation).


Linux drivers are here:

http://www.digi.com/support/productdetl.jsp?pid=1694osvid=102tp=1

I'm going to try basing some tests on COM_MULTIPORT and on best-guesses 
for configs, however I'd really love to hear from anyone who knows for 
sure if this board will work or not.


If someone can read C and feels like having a quick LOOK at the driver (or 
at my test system), I could try to compensate you for some time.


-Dan Mahoney

--

Tonite on reboot!  People misspelling as many words with sexual
connotations as possible...

-Keyo-Chan, February 10th 1999, Undernet #reboot



Portsnap -- update claims up to date but it's not.

2007-12-25 Thread Dan Mahoney, System Admin

Maybe I'm just doing this completely wrong:

prime# portsnap update
Ports tree is already up to date.
prime# portsnap fetch
Looking up portsnap.FreeBSD.org mirrors... 4 mirrors found.
Fetching snapshot tag from portsnap3.FreeBSD.org... done.
Fetching snapshot metadata... done.
Updating from Mon Nov 12 18:16:16 EST 2007 to Tue Dec 25 21:36:54 EST 2007.

Fetching 4 metadata patches... done.
Applying metadata patches... done.
Fetching 4 metadata files...
[and so on]

Am I using this thing wrong?

-Dan

--

I can feel it, comin' back again...Like a rolling thunder chasin' the
wind...

-Dan Mahoney, JS, JB  SL, May 10th, 1997, Approx 1AM



Re: Portsnap -- update claims up to date but it's not.

2007-12-25 Thread Dan Mahoney, System Admin

On Tue, 25 Dec 2007, Jay Chandler wrote:


Dan Mahoney, System Admin wrote:

Maybe I'm just doing this completely wrong:

prime# portsnap update
Ports tree is already up to date.
prime# portsnap fetch
Looking up portsnap.FreeBSD.org mirrors... 4 mirrors found.
Fetching snapshot tag from portsnap3.FreeBSD.org... done.
Fetching snapshot metadata... done.
Updating from Mon Nov 12 18:16:16 EST 2007 to Tue Dec 25 21:36:54 EST 2007.
Fetching 4 metadata patches... done.
Applying metadata patches... done.
Fetching 4 metadata files...
[and so on]

Am I using this thing wrong?

-Dan


Yup.  'portsnap fetch update' is the command I use-- the reverse order that 
you're using 'em in.


Shouldn't I just need one of the two?

-Dan

--

You can't call yourself a dork if you don't use UNIX!

-Dan Mahoney, May 1997



Notes for a first-time porter

2007-12-19 Thread Dan Mahoney, System Admin

All,

I am thinking of doing a quick port of the zsu zone file serial number 
bumper for FreeBSD.


However, I have a couple of questions regarding ports that aren't clear to 
me, nor do they seem to be in the porter's handbook.


1) What provision is made for when a port's distsite is simply CPAN? 
Does the ports tree have any kinds of smarts regarding CPAN mirrors, 
locality, etc?


2) Is FreeBSD's bastardization of CPAN files into packages (i.e. the 
BSDPAN) stuff documented anywhere?


3) Unrelated to my port but I'll ask anyway:  I'm vaguely aware that 
SourceForge has had a command-line fetching utility for a while (you could 
only use it if you were a supporter tho).  I'm not sure if this is still 
the case.  At any rate, is there any special provision for local 
sourceforge mirrors, as above?


-Dan Mahoney



Passwd and pam?

2007-12-14 Thread Dan Mahoney, System Admin

Hello all,

In looking through some pam stuff I find that there's a pam_passwdqc 
module to do password quality control.


However, in reading the passwd man page, NO mention is made of either pam, 
or /etc/pam.d/passwd


Is passwd a legacy tool which doesn't support this pam feature?

-Dan

--

Man, this is such a trip

-Dan Mahoney, October 25, 1997



FreeBSD mail forwarder and SPF

2007-12-10 Thread Dan Mahoney, System Admin

Hello all,

I secure my outbound e-mail with SPF.  One of the ports maintainers 
([EMAIL PROTECTED]) also secures his INBOUND e-mail with SPF.


I tried to e-mail garga about a minor doc-bug, and got a bounce, since his 
mailserver didn't recognize mx2.freebsd.org as a valid MX for 
[EMAIL PROTECTED]


http://www.openspf.org/Why?id=danm%40prime.gushi.orgip=69.147.83.53receiver=parati.mdbrasil.com.br

My solution to the problem was a workaround (screw being nice, open a 
send-pr).  However, the fact that this person is protecting his inbox in 
the same way as I am presents a problem: he's listed as a contact for 
these ports, and isn't reachable via it (but ironically WOULD be if I had 
no spf record).


In the mean, I recognize that FreeBSD is a volunteer organization, but can 
there be some kind of either:


a) policy requirement that people configure allow rules for the FreeBSD 
mx?


or

b) modification to the forwarder so it re-sends instead of forwarding? 
I'd offer to help but my postfix foo isn't what it needs to be.

As technical types, coders, porters, etc, I feel we're beyond the level of 
end user for whom this would be too complicated.


-Dan Mahoney

--

Check it out, it's just like Christmas.  Except it sucks.

-Jason Seguerra, 3/2/05

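The bounce described in this post, and what option (b) would change, as an added example (not code from the post or from the FreeBSD mail setup). The SPF records are constructed, 192.0.2.10 stands in for the sender's own server, only the `ip4` and `all` mechanisms are evaluated, and the envelope rewrite is a simplified SRS-style scheme rather than a full SRS implementation.

```python
import hashlib
import hmac
import ipaddress

# Constructed SPF TXT records for illustration; NOT the records these domains publish.
# 192.0.2.10 is a documentation-range placeholder for the sender's own mail server.
SPF_RECORDS = {
    "prime.gushi.org": "v=spf1 ip4:192.0.2.10 -all",
    "freebsd.org": "v=spf1 ip4:69.147.83.0/24 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
FORWARDER_IP = "69.147.83.53"  # connecting IP shown in the bounce URL in the post


def check_spf(client_ip, mail_from, records=SPF_RECORDS):
    """Evaluate the SPF record of the MAIL FROM domain against the connecting IP.

    Only ip4 and all are handled; other mechanisms are skipped.
    """
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # no policy published: nothing for the receiver to reject on
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"


def _tag(secret, ts, domain, local):
    """Short keyed hash so that only the forwarder can mint valid return paths."""
    msg = f"{ts}{domain}{local}".lower().encode()
    return hmac.new(secret, msg, hashlib.sha1).hexdigest()[:8]


def srs_rewrite(mail_from, forwarder_domain, secret, day):
    """Re-send under the forwarder's own domain, keeping the original sender encoded."""
    local, domain = mail_from.rsplit("@", 1)
    ts = format(day % 1024, "03x")  # coarse timestamp so old return paths can expire
    return f"SRS0={_tag(secret, ts, domain, local)}={ts}={domain}={local}@{forwarder_domain}"


def srs_reverse(rcpt, secret):
    """Map a bounce sent to the rewritten address back to the original sender."""
    local = rcpt.rsplit("@", 1)[0]
    if not local.startswith("SRS0="):
        return None
    try:
        tag, ts, domain, user = local[5:].split("=", 3)
    except ValueError:
        return None
    expected = _tag(secret, ts, domain, user)
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None  # forged or altered return path
    return f"{user}@{domain}"


def demo(secret=b"constructed-secret", day=13857):
    sender = "danm@prime.gushi.org"
    rewritten = srs_rewrite(sender, "freebsd.org", secret, day)
    return {
        "direct": check_spf("192.0.2.10", sender),
        "forwarded_as_is": check_spf(FORWARDER_IP, sender),
        "forwarded_rewritten": check_spf(FORWARDER_IP, rewritten),
        "sender_without_spf": check_spf(FORWARDER_IP, sender, records={}),
        "bounce_goes_to": srs_reverse(rewritten, secret),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The `sender_without_spf` case is the irony noted in the post: with no record published, the receiving check has nothing to fail on.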


Maybe this is a bug, should I report it?

2007-12-04 Thread Dan Mahoney, System Admin

But why is it that portupgrade feels the need to upgrade gpg to gpg2, when 
gpg is still in the tree?


I'm running a portupgrade -rf gettext, and didn't previously have gpg2 
installed.


-Dan

--

this is too stupid even for irc

-mtreal, EFnet #macintosh, 09/15/2K, 12:33 AM



viability of QUOTA support as a KLD?

2007-12-03 Thread Dan Mahoney, System Admin

Hey all,

It seems most of the things I want to do under FreeBSD have been turned 
into nice KLD modules.  However, I'm still forced to do a kernel recompile 
for QUOTA support.


Is there some major reason it cannot be made into a KLD as well?

-Dan Mahoney

--

It would be bad.

-Egon Spengler, Ghostbusters



What's unknown about i386-unknown?

2007-11-20 Thread Dan Mahoney, System Admin

Hey all.

I see i386-unknown as a build target all the time.

So my (possibly silly) question is: what's the unknown variable here?  And 
why isn't it?


-Dan



Re: Build Frustrations

2007-11-20 Thread Dan Mahoney, System Admin

On Tue, 20 Nov 2007, Jerry McAllister wrote:


Apache2 is a complete piece of crap.  Portable Runtime my ass.  Was
there something so wrong with APACI?  Apache1.3 built out of the box on
every system in the world.

Using ports is no better.  And again, I'll take anything anyone can offer
to explain half this behavior:



I am using Apache 2.xx with no problem on several machines.
I installed it from ports with no problem.
Since you are determined to proceed against recommendations it
is hard to help you.  I wouldn't be surprised if you do not
get many responses.


You know, there was a time when the handbook and man security actually 
recommended NOT using the port and building from scratch -- and if you 
want the finest-grained control over what you're building this is still 
the case, especially when some features haven't made it into ports yet.


(Like, oh...when the whole of the ports tree goes into a freeze for a 
release that's upcoming but doesn't have a todo list, a schedule, or 
anything else on the FBSD site).


Actually, someone (two different someones) managed to answer both issues.

The ports issue was caused by stale cruft in /var/db/pkg and the fix was 
to remove basically all the automake/autotools/autoconf packages and start 
over.  I also said screw it and nuked the apr-db42 port (for reasons 
mentioned earlier).


Apache from ports then built fine (which meant I had an option to fall 
back on, if need be).


Someone on the APR-devel list pointed out that I can do a setenv to define 
CFLAGS and LDFLAGS to include /usr/local/lib to fix build issues.


This allowed apache2-non-ports to compile.  However the question in my 
mind that still bears answering is: why apr would FIND such a library as 
installed (i.e. not fail at configure-time) but then fail to compile. 
I.e. why does the APR not set CFLAGS and LDFLAGS correctly.


This is not a question for -questions, but I'm stating it here in case 
anyone has similar issues.


-Dan

--

Is Gushi a person or an entity?
Yes

-Bad Karma, August 25th 2001, Ezzi Computers, Quoting himself earlier, referring 
to Gushi



Re: Build Frustrations

2007-11-20 Thread Dan Mahoney, System Admin

On Tue, 20 Nov 2007, Philip M. Gollucci wrote:


This allowed apache2-non-ports to compile.  However the question in my
mind that still bears answering is: why apr would FIND such a library as
installed (i.e. not fail at configure-time) but then fail to compile.
I.e. why does the APR not set CFLAGS and LDFLAGS correctly.



This you should post to [EMAIL PROTECTED], I might even answer it
there, but the answer lies in the configure script logic which was
chosen very carefully.


I have done so.  Also, I think I can confirm that if I unsetenv those two 
variables my build will again fail -- if you have additional commands 
you'd like me to run, for diagnostic or testing purposes -- or hell, if 
you want a shell, please just let me know.


-Dan Mahoney

--

You're a nomad billygoat!

-Juston, July 18th, 2002



Build Frustrations

2007-11-19 Thread Dan Mahoney, System Admin

All,

I'm of the realization that FreeBSD is a volunteer project, but there's a 
recent issue I've hit, and I've contacted nearly EVERYONE I can think of 
about it to try and fix, and the response I've gotten has been a deafening 
silence.


I'm having trouble building apache2.2.6, it relates I feel to an 
inconsistent libexpat library under FreeBSD, COMBINED with a badly made and 
inconsistent apr port, and some libiconv incompatibilities.  I've emailed 
ports maintainers, APR developers, the general apache mailing list, and 
gotten nothing.


I'm posting this to the straight-off questions list because I feel my 
other attempts have failed.  Can someone sanity check me?  I'm well 
aware of how to ask intelligent questions, to document what I have and 
have not done, of explaining WHY I have or have not done those things.


I'm going to send it here, in the hopes maybe someone else has encountered 
this or might spot something I'm missing.  If ANYONE can shed some light 
here, I'd appreciate it and am willing to compensate in some small way, if 
I can.


Here's what I sent to the maintainers of the above two ports:

Subject: apr versus apr-db42, as well as some other issues:

Hello,

First and foremost: I assume you're both reasonably busy professionals. 
That said, I believe there's either a bug in the core operating system 
here, or a bug in the way some of the critical ports are built, and I 
cannot figure it out alone.  It is enough of a problem that it has 
confused at least one apache committer.  That said, if you'd like to be 
compensated in some small way for your time, please point me to your 
amazon wishlists, paypal accounts, et cetera, and I'll try to do the 
right thing.


I am mailing you because you are the maintainers of the apache-2.2.6 and 
apr ports.  If there are other people I should be mailing, please let me 
know.


This is a post about building apache2.2 from scratch, not from ports -- 
however it raises several issues with port-installed tools that lead me to 
believe they may still be at fault.  I apologize in advance for the length 
of this post, but having all the data is sometimes important.  I believe 
it's reproducible but I don't have the spare machines to try on.


First, the basics:

1) Is it possible to get some documentation in either the short or long 
description as to what the difference between apr and apr-db42 is?


2) Also, is it at all possible to get some kind of documentation for the 
apr-svn port (if it still exists).


3) My big problem:

(I'm going to post everything from here down to the apache-users mailing 
list, as well).


I just tried to build apache 2.2.6 from scratch.

I, for various reasons of wanting to keep apache separate from other 
things, for example, to virtualize my apache users, prefer everything in a 
single dir -- so the ports route isn't for me.


Because apr-db42 had been installed as part of a subversion requirement 
(not sure why), it caused my apache build to look in nonexistent places 
for libraries.


%apr-1-config --apr-libtool
/usr/local/build-1/libtool

(the above path doesn't even exist)

To fix this (and not break the svn port), I resorted to using 
--with-included-apr.  The build THEN failed, claiming it could not find 
the installed expat libraries, in an error exactly like what this 
gentleman had:


http://www.zulustips.com/2007/10/06/problems-compiling-apache-226-on-freebsd-62.html#more-54

And in fact, this apache developer had the same issue:

http://www.mail-archive.com/[EMAIL PROTECTED]/msg18793.html

(search the page for wtf)

Like them, I had an installed expat, and had it listed in ldconfig -r (I 
also note there's a libexpat in /usr/src but don't know what it's there 
for).


(I did not copy my errors because I thought I had found a solution, but 
it's the same error, I assure you).


After that,

I tried resorting to building apache with --with-expat=builtin

I then got THIS error:

/home/danm/httpd-2.2.6/srclib/apr/libtool --silent --mode=link gcc -g -O2 
-o htpasswd  htpasswd.lo   -lm 
/home/danm/httpd-2.2.6/srclib/pcre/libpcre.la 
/home/danm/httpd-2.2.6/srclib/apr-util/libaprutil-1.la 
/home/danm/httpd-2.2.6/srclib/apr-util/xml/expat/lib/libexpat.la 
/home/danm/httpd-2.2.6/srclib/apr/libapr-1.la -lcrypt -lpthread
/home/danm/httpd-2.2.6/srclib/apr-util/.libs/libaprutil-1.so: undefined 
reference to `libiconv_open'
/home/danm/httpd-2.2.6/srclib/apr-util/.libs/libaprutil-1.so: undefined 
reference to `libiconv_close'
/home/danm/httpd-2.2.6/srclib/apr-util/.libs/libaprutil-1.so: undefined 
reference to `libiconv'

*** Error code 1

Stop in /home5/danm/httpd-2.2.6/support.
*** Error code 1

Stop in /home5/danm/httpd-2.2.6/support.
*** Error code 1

Stop in /home5/danm/httpd-2.2.6.
prime#

So that's it.  I don't know how to fix this one -- and if it's upgrading 
my libiconv will fix it (but will require me to upgrade every program -- 
both binary and port) that depends on it, I'm willing, but pkg_info -f -g 

Re: Build Frustrations

2007-11-19 Thread Dan Mahoney, System Admin

On Mon, 19 Nov 2007, Jerry McAllister wrote:


On Mon, Nov 19, 2007 at 07:19:34PM -0500, Dan Mahoney, System Admin wrote:


All,

I'm of the realization that FreeBSD is a volunteer project, but there's a
recent issue I've hit, and I've contacted nearly EVERYONE I can think of
about it to try and fix, and the response I've gotten has been a deafening
silence.

I'm having trouble building apache2.2.6, it relates I feel to an
inconsistent libexpat library under FreeBSD, COMBINED with a badly made and
inconsistent apr port, and some libiconv incompatibilities.  I've emailed
ports maintainers, APR developers, the general apache mailing list, and
gotten nothing.

...

This is a post about building apache2.2 from scratch, not from ports --
however it raises several issues with port-installed tools that lead me to
believe they may still be at fault.  I apologize in advance for the length
of this post, but having all the data is sometimes important.  I believe
it's reproducible but I don't have the spare machines to try on.

...

3) My big problem:


I just tried to build apache 2.2.6 from scratch.

I, for various reasons of wanting to keep apache separate from other
things, for example, to virtualize my apache users, prefer everything in a
single dir -- so the ports route isn't for me.



You can tell ports where to install something.  We used to install
all of Apache in its own directory to make it easy to manipulate
in a system we were installing in a lot of places.   Check the ports
doc and such.


*headdesk, repeatedly*

Apache2 is a complete piece of crap.  Portable Runtime my ass.  Was 
there something so wrong with APACI?  Apache1.3 built out of the box on 
every system in the world.


Using ports is no better.  And again, I'll take anything anyone can offer 
to explain half this behavior:


prime# make PREFIX=/usr/local/apache2-fa WITH_MPM=worker
===   apache-worker-2.2.6_2 depends on file: /usr/local/bin/perl5.8.8 - 
found
===   apache-worker-2.2.6_2 depends on file: /usr/local/bin/autoconf-2.61 
- not found
===Verifying install for /usr/local/bin/autoconf-2.61 in 
/usr/ports/devel/autoconf261

===   Returning to build of apache-worker-2.2.6_2
===   apache-worker-2.2.6_2 depends on file: /usr/local/bin/libtool - 
found

===   apache-worker-2.2.6_2 depends on shared library: expat.6 - found
===   apache-worker-2.2.6_2 depends on shared library: iconv.3 - found
===  Configuring for apache-worker-2.2.6_2
found apr source: srclib/apr
found apr-util source: srclib/apr-util
rebuilding srclib/apr/configure
buildconf: checking installation...
buildconf: autoconf not found.
   You need autoconf version 2.50 or newer installed
   to build APR from SVN.
./buildconf failed for apr
*** Error code 1

Stop in /usr/ports/www/apache22.
*** Error code 1

Stop in /usr/ports/www/apache22.
prime#

ls /var/db/pkg | grep auto
autoconf-2.13.000227_5
autoconf-2.59_2
autoconf-2.61
autoconf-2.61_2
autoconf-wrapper-20071109
automake-1.10
automake-1.4.6_2
automake-1.9.6

--

If you need web space, give him a hard drive.  If you need to do something really 
heavy, build him a computer.

-Ilzarion, late friday night



Re: Build Frustrations

2007-11-19 Thread Dan Mahoney, System Admin

On Mon, 19 Nov 2007, Jerry McAllister wrote:


You can tell ports where to install something.  We used to install
all of Apache in its own directory to make it easy to manipulate
in a system we were installing in a lot of places.   Check the ports
doc and such.


Actually, I just tried this.  This is not what I want.  If I go to cd 
/usr/ports/www/apache22, and do a make PREFIX=/some/other/directory, I do 
NOT get the same thing I'd get building apache from source.  I get ALL the 
apache prerequisites installed under /some/other/dir, as opposed to the 
apache standards places (for example config files which would normally be 
in /usr/local/apache/conf now get installed in /some/other/directory/etc 
(the port installs them in /usr/local/etc).  As a bonus, dependent 
packages get added to my package database under the same prefix, which 
shouldn't happen.  (i.e. I want ONLY the apache2.2 stuff in a 
self-contained directory).


And the apache layout is hard coded (the only configure argument to be 
so):


CONFIGURE_ARGS= --prefix=${PREFIX_RELDEST} \
--enable-layout=FreeBSD \
--with-perl=${PERL5} \
--with-port=${WITH_HTTP_PORT} \
--with-expat=${LOCALBASE} \
--with-iconv=${LOCALBASE} \
--enable-http

In short, not at all the same.  Plus, doesn't solve the issue.  I have all 
the necessary binaries I need to build apache, it simply outright refuses 
to build (and also, the APR version in ports is badly broken, nearly a 
year old, and the APR maintainer can't even commit changes without making 
a PR).


Also, this may seem silly as heck, but it should definitely be POSSIBLE to 
build apache outside of the port (so, again, I feel use the port is not 
the right answer...there's a deeper problem here).


I mean, obviously if they've got a standard layout defined in the apache 
tree, the apache people expect the code to build on this OS (otherwise if 
the ports-patches are so necessary, we would just define the layout there 
too)


-Dan

--

This Is Not Goodbye!

-DM, August 11th 2001, 10 PMish Chicago Time



6.3-PRERELEASE

2007-11-12 Thread Dan Mahoney, System Admin

Hey All,

I recently CVSUPPED to what I thought would be 6.2-STABLE but instead got 
6.3-PRERELEASE.


However, I look at www.freebsd.org/releng and I see no reference to the 
release cycle of 6.3.


Was this a mistake of some sort?

-Dan

--

Man, this is such a trip

-Dan Mahoney, October 25, 1997



Re: 6.3-PRERELEASE

2007-11-12 Thread Dan Mahoney, System Admin

On Tue, 13 Nov 2007, Tino Engel wrote:

No, I wanted to track the 6-release chain, but was just a little 
surprised...I thought this kind of CVS naming scheme didn't take place 
till much later in the release engineering process.


-Dan


Dan Mahoney, System Admin wrote:

Hey All,

I recently CVSUPPED to what I thought would be 6.2-STABLE but instead got 
6.3-PRERELEASE.


However, I look at www.freebsd.org/releng and I see no reference to the 
release cycle of 6.3.


Was this a mistake of some sort?

-Dan

--

Man, this is such a trip

-Dan Mahoney, October 25, 1997




The tag you want is RELENG_6_2



--

There is no right and wrong, there is only fun and boring.

-Fisher Stevens, Hackers



Two questions about UNIX(r) certification.

2007-10-18 Thread Dan Mahoney, System Admin

I recently noticed that Apple's new OS, Leopard, is Unix certified.

I'd imagine that the big reason that FreeBSD hasn't done this yet is: It 
costs a lot of money.


That said, if in theory one were to try to get the operating system 
certified (say, to increase awareness and market share versus the 
penguinistas)...


a) approximately how much money is a lot?

and

b) How far short, technically, does FreeBSD fall from the standard (we'll 
ignore operational semantics for the time being)


-Dan

--

It's like GTA, except you pay for it, and you're allowed to use the car.

-Josh, on Zipcar on-demand car-rental, 3/20/05



Re: Two questions about UNIX(r) certification.

2007-10-18 Thread Dan Mahoney, System Admin

On Thu, 18 Oct 2007, Aryeh M. Friedman wrote:


Dan Mahoney, System Admin wrote:

I recently noticed that Apple's new OS, Leopard, is Unix certified.


UNIX Certified what the [EMAIL PROTECTED]@ does that mean as far as I know no one is
in a position to make such a statement except maybe the current owner of
the Unix trademark (sco if I am not mistaken)



From here:


http://www.apple.com/macosx/features/300.html#unix

Mac OS X is now a fully certified UNIX operating system, conforming to 
both the Single UNIX Specification (SUSv3) and POSIX 1003.1. Deploy 
Leopard in environments that demand full UNIX conformance and enjoy 
expanded support for open standards popular in the UNIX community such as 
the OASIS Open Document Format (ODF) or ECMAs Office XML.



I'd imagine that the big reason that FreeBSD hasn't done this yet is:
It costs a lot of money.


And give SCO a reason to actually consolidate its illegitimate claim to
be the steward of Unix when there is no such thing beyond the holder of
the trademark.



That said, if in theory one were to try to get the operating system
certified (say, to increase awareness and market share versus the
penguinistas)...

a) approximately how much money is a lot?

and

b) How far short, technically, does FreeBSD fall from the standard
(we'll ignore operational semantics for the time being)


MacOS-X is FreeBSD at its core thus we are ready now (actually all
that is required is POSIX compliance)


Well, apple has also made changes to the OS in some ways, which was why I 
was asking.


--

Don't think of it as beer, think of it as a flavored motor oil.

-Jeremiah Kristal, on Guinness
3/29/05, 9:52 AM

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



IPFW with DNSBL

2007-09-25 Thread Dan Mahoney, System Admin

Hey all,

Has anyone found a way to have ipfw work with a DNS blocklist?

I realize the core functionality is not in IPFW, but I am thinking 
somehow, of having a table dynamically maintained by some kind of divert 
daemon?


Couple this with some kind of a connection delay (perhaps also in the 
divert pipe), and this could be potentially useful.


Also, could someone please commit a table-save-state startup/shutdown 
script for ipfw as exists in pf?


Thanks,

Dan Mahoney

--

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



Re: Sysinstall: No Floppy Devices Found

2007-09-03 Thread Dan Mahoney, System Admin

On Tue, 16 Jan 2007, Kevin Kobb wrote:

I have found that when I do an install with an install.cfg file on a floppy, 
I must insert the floppy right after the system begins to boot from CD. If I 
don't when I tell sysinstall to read the floppy I get an error.


As a work around, if I go into the options and select rescan for hardware 
devices (not sure if that is the exact wording) after inserting the floppy 
disk, it will work OK as well. Might be worth a try.


No luck.  I've rescanned time after time, and get nothing.  No floppy 
devices show up in dmesg, cannot use mount_msdosfs to access the floppy, 
etc.


This is truly, truly frustrating, as I am trying to follow THESE 
instructions:


http://3ware.com/KB/article.aspx?id=14850

I've even tried installing to an external (non-raid) drive in an attempt 
to use that drive as a really big floppy.  The boot loader doesn't know 
how to see the BSD partition on it, and apparently can only see raw bios 
drives.


Another possible approach was to try and boot from the single drive and 
then use sysinstall to install onto the RAID array, but I've had issues 
with that before.


As an aside, the module HAS to be loaded before the boot process, so I 
can't use kldload to load the module from a fixit floppy or something like 
that.


My workaround at the moment is that I am downloading a snapshot ISO of 
-STABLE


It might be nice if the loading modules from floppy procedure (while 
rarely required) was better documented.


-Dan

--

It's three o'clock in the morning.  It's too late for 'oops'.  After
Locate Updates, don't even go there.

-Paul Baecker
 January 3, 2k
 Indeed, sometime after 3AM

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



Floppy IO Errors

2007-08-30 Thread Dan Mahoney, System Admin

All,

I am trying to load a kernel module from a floppy disk (ms dos formatted).

Is there anything special I have to do to format these disks, or make 
them readable?  I can boot from an MS DOS startup disk (as generated by 
XP) but BSD returns an IO error when trying to read any floppy.  I've 
tried multiple drives, cables, and disks.


It's on a tyan dual opteron system.

Help much appreciated -- next plan is to create a scratch SATA volume to 
play host to the raid card, but I would like to fix this somehow.


-Dan

--

I love you forever eternally.

-Connaian Expression

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



Building UNSTRIPPED binaries in ports?

2007-08-21 Thread Dan Mahoney, System Admin

Hello,

I am encountering a bug with named-9.4.1-P1 that I am attempting to work 
with ISC on, that I have built from ports (dns/bind94).  However, I need a 
non-stripped version of the binary to get a backtrace.  I can't roll my 
own binary because it may be related to some way that the port is built 
so I need to maintain a similar build environment.


Is there some make.conf or compile time flag that I can set that would 
prevent the stripping from happening?


Or would I just have to manually edit the makefile someplace -- and if so, 
can anyone give a pointer as to where?  Setting the strip command to 
/bin/true or something, perhaps -- but I can't be sure if the 
strip_command is being used.


I've found references in the porter's handbook that state all binaries 
should be stripped, but I think in cases like this it would be useful to 
give the user a universal option to not do so.


-Dan

--

Man, this is such a trip

-Dan Mahoney, October 25, 1997

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



Re: number of processes reported by top versus ps

2007-02-15 Thread Dan Mahoney, System Admin

On Thu, 15 Feb 2007, Christian Walther wrote:

Aah, that's right, threads.  Forgot about those.

-Dan


On 15/02/07, Dan Mahoney, System Admin [EMAIL PROTECTED] wrote:

Hey all,

I'm getting about a hundred more processes reported by ps aux|wc -l versus
the total number of processes in top.  Is this a normal thing?  My
system's been under some heavy load in the past couple days, but it's all
presumably stable now.


ps -aux and top hide different processes by default. Use top -S to
show all system processes, too. This is the same as doing a ps -auxH

Read the manpages of both commands for more information of what all
these options do.



-Dan



HTH
Christian



--

It doesn't matter where I live, because I live in dataspace.  That's my
hometown.

-Steve Roberts, Builder of BEHEMOTH

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



number of processes reported by top versus ps

2007-02-14 Thread Dan Mahoney, System Admin

Hey all,

I'm getting about a hundred more processes reported by ps aux|wc -l versus 
the total number of processes in top.  Is this a normal thing?  My 
system's been under some heavy load in the past couple days, but it's all 
presumably stable now.


-Dan

--

Man, this is such a trip

-Dan Mahoney, October 25, 1997

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



commented LINT?

2007-01-27 Thread Dan Mahoney, System Admin

Hey all,

Back in 4.x, LINT was a fully-commented entity.  Now it appears to be 
built-on-the-fly, which is great for being sure every option is in, in a 
programmatic manner, but bad as far as being able to look at LINT for 
syntax or notes as to which options need to be added together (or are 
mutually exclusive).


Is there any way to get the restored version?

-Dan

--

I hate Windows

-Tigerwolf, Anthrocon 2004

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



Re: Problem with ipfw flush

2007-01-25 Thread Dan Mahoney, System Admin

On Fri, 26 Jan 2007, Ian Smith wrote:

Excellent.  I'll read up on this for a bit.

I suppose my biggest confusion was as to why I could do:

kldload ipfw && ipfw add 65000 allow ip from any to any

but not

ipfw flush && ipfw add 65000 allow ip from any to any

Clearly, the devil is in the output being sent.

Also, the manpage had -q and -f as mutually exclusive, and I missed the 
part about -q implying -f.


There IS one other issue that I encountered.  I have tables and pipes in 
play, and I believe a regular ipfw flush doesn't clear them.  Is there a 
universal reset EVERYTHING command?


-Dan




Re: freebsd-questions Digest, Vol 162, Issue 11
 Message: 31

On Wed, 24 Jan 2007 19:20:47 -0500 (EST), Dan Mahoney wrote:

 On Wed, 24 Jan 2007, Kevin Kinsey wrote:

  Dan Mahoney, System Admin wrote:
  Hey all.
 
  In trying to tweak my firewall setup I'm using a file called
  /etc/ipfw.rules
 
  However, it seems even though I copy my rules perfectly to that file, the
  system freezes up and locks me out when I do:
 
  /usr/share/examples/ipfw/change_rules.sh?

 That is a very cool script, however, it appears as though it calls
 firewall_script on line 131 with sh, not with ipfw.

 nohup sh ${firewall_script} ${firewall_type}.new

 Whereas, etc/rc.firewall calls ipfw on line 299 via the ipfw command:

 ${fwcmd} ${firewall_flags} ${firewall_type}

 The difference is that the resulting rules file would not be parseable by
 sh since the lines in the file would not contain the ipfw command but
 only the arguments.  As one's in examples and the other's in a live
 startup script, I'd assume the latter to be the correct method.

Either.  Check /etc/defaults/rc.conf and you'll notice that the default
for firewall_script=/etc/rc.firewall so 'sh ${firewall_script}' runs
'sh /etc/rc.firewall' which runs ipfw -f flush, denying all connections,
then later, in your case with a given filename, ipfw $flags $pathname

Do you have firewall_quiet=YES ?  This will help a lot, otherwise ipfw
writes to the terminal, which after the flush, it can't.  From ipfw(8):

o   If you are logged in over a network, loading the kld(4) version of
ipfw is probably not as straightforward as you would think.  I
recommend the following command line:

  kldload ipfw && \
  ipfw add 32000 allow ip from any to any

Along the same lines, doing an

  ipfw flush

in similar surroundings is also a bad idea.

 That said, this still does not tell me why a subsequent flush-and-rerun
 isn't working via ssh.  It works totally fine via the command line, but
 over ssh it gives:

 Jan 24 19:10:55 ads-bsh-fwa4 sshd[845]: fatal: Write failed: Permission
 denied on the console (but by that point my connection's already dropped).

Exactly.

 However, this shouldn't actually stop an already-typed command, should it?

Yes, if it's trying to write to the terminal.  The bottom line is that
if you want to run it from a command line over ssh, the command must say
nothing to the terminal until finished.  Even then, if your ssh session
was being permitted by a keep-state rule you'll still lose your session,
but as someone else (sorry) mentioned, you can log straight back in.

 Additionally, it doesn't appear that /etc/rc.firewall has the smarts to do

I think you mean /etc/rc.d/ipfw here?

 this, as the stop command it lists only disables the kernel firewall
 structure via sysctl, but does NOT flush the rules, pipes, counts, or the
 like, so it's not a true restart.  (the idea being that otherwise, every
 rule will be added twice -- the flush is a necessary step there).

It is necessary, and it's done on (re)start.  If you're using
rc.firewall, as it seems you are, then in /etc/rc.d/ipfw:

 ipfw_start()
 {
   # set the firewall rules script if none was specified
   [ -z ${firewall_script} ] && firewall_script=/etc/rc.firewall

Right?  Then:

   if [ -r ${firewall_script} ]; then
 # .. nat stuff ..

   . ${firewall_script}

which runs /etc/rc.firewall (in the current shell), starting with a)
setting firewall_type - in your case, to your rules file, b) setting
fwcmd='ipfw -q' if firewall_quiet=yes (you do want this!) and then does
the '${fwcmd} -f flush' then (if not wedged) your rules.

 Even if I add the flush command directly to /etc/ipfw.rules, and run
 ipfw -f /etc/ipfw.rules right from the command line, my connection gets
 dropped and the rest of the commands do not run.

Try with -q instead (this also implies -f)  RTFM on -q, until grokked.

 In experimenting a bit more, I've found that I can do:

 nohup ipfw -f /etc/ipfw.rules

 This allows the rest of the ipfw command to run, but the HUP-on-disconnect
 still doesn't explain why the command doesn't even finish running.

I think it will IFF you use ipfw_quiet=yes - and perhaps add a static
allow rule for your ssh access, before using any stateful rules, as any
existing dynamic connections will get clobbered
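
The advice that closes this message (load the file quietly, and put a static allow rule for ssh ahead of any stateful rule) can be checked before a remote reload. The sketch below is an added example, not part of the thread or of FreeBSD: `check_ipfw_rules` and `write_samples` are hypothetical names, the sample rules are constructed, and the check is deliberately narrow (it only recognises an explicit tcp rule that names the port).

```shell
#!/bin/sh
# Added example (not from the thread): lint a rules file that will be loaded
# as `ipfw -q FILE`, i.e. one whose lines hold ipfw arguments only.
# check_ipfw_rules and write_samples are hypothetical helper names.

check_ipfw_rules() {    # $1 = rules file, $2 = ssh port (default 22)
    awk -v port="${2:-22}" '
    function fail(msg) { printf "%s:%d: %s\n", FILENAME, NR, msg; bad = 1 }
    BEGIN { portre = "(^|[ \t,])" port "([ \t,]|$)" }
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines
    {
        line = $0
        sub(/[ \t]*#.*$/, "", line)              # drop a trailing comment
        sub(/^[ \t]+/, "", line)
    }
    # A line that names the command is sh-script style; ipfw cannot parse it.
    line ~ /^(\/sbin\/)?ipfw[ \t]/ || line ~ /^[$][{]?(ipfw|fwcmd)[}]?[ \t]/ {
        fail("names the ipfw command; this file must hold arguments only")
        next
    }
    # A flush after an add wipes the rules loaded so far.
    line ~ /^(-[a-zA-Z]+[ \t]+)*flush$/ {
        if (adds) fail("flush after add discards the rules above it")
        next
    }
    line ~ /^add[ \t]/ {
        adds++
        body = line
        sub(/^add[ \t]+([0-9]+[ \t]+)?/, "", body)   # drop "add" and rule number
        stateful = (body ~ /(keep-state|check-state)/)
        if (!stateful && body ~ /^(allow|accept|pass|permit)[ \t]/ &&
            body ~ /[ \t]tcp[ \t]/ && body ~ portre)
            ssh_ok = 1                           # static rule keeps the session
        else if (stateful && !ssh_ok && !warned) {
            fail("stateful rule before any static allow for tcp port " port)
            warned = 1
        }
    }
    END {
        if (!ssh_ok && !warned) {
            printf "%s: no static allow rule for tcp port %s\n", FILENAME, port
            bad = 1
        }
        exit bad
    }' "$1"
}

write_samples() {       # $1 = directory; both files are constructed samples
    cat > "$1/good.rules" <<'EOF'
-f flush
add 100 allow tcp from any to me 22      # static: survives the reload
add 200 check-state
add 300 allow tcp from me to any setup keep-state
add 65000 deny ip from any to any
EOF
    cat > "$1/bad.rules" <<'EOF'
ipfw -f flush
add 200 check-state
add 300 allow tcp from any to me 22 setup keep-state
EOF
}

# Demo run over the constructed samples.
tmp=$(mktemp -d) && write_samples "$tmp"
for f in good bad; do
    if check_ipfw_rules "$tmp/$f.rules"; then echo "$f.rules: ok"; fi
done
rm -rf "$tmp"
```

Once the file passes, it can be loaded from the ssh session with `ipfw -q /etc/ipfw.rules`, the quiet form recommended in the reply above.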

Problem with ipfw flush

2007-01-24 Thread Dan Mahoney, System Admin

Hey all.

In trying to tweak my firewall setup I'm using a file called 
/etc/ipfw.rules


However, it seems even though I copy my rules perfectly to that file, the 
system freezes up and locks me out when I do:


ipfw -f flush; ipfw /etc/ipfw.rules

I've also tried doing it as

ipfw -f flush && ipfw /etc/ipfw.rules

But to no avail.

if it matters, ipfw is loaded as a kernel module, not compiled in.

-Dan

--

[23:49:00] LarpGM: Did my little TP comment scare you off?
[23:49:22] ilzarion: no, the shrieking retarded child eating people did

-Feb 06, 2001, times apparent.


Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



Re: Problem with ipfw flush

2007-01-24 Thread Dan Mahoney, System Admin

On Thu, 25 Jan 2007, [EMAIL PROTECTED] wrote:

In trying to tweak my firewall setup I'm using a file called 
/etc/ipfw.rules


However, it seems even though I copy my rules perfectly to that file, the 
system freezes up and locks me out when I do:


ipfw -f flush; ipfw /etc/ipfw.rules

I've also tried doing it as

ipfw -f flush && ipfw /etc/ipfw.rules

But to no avail.


Firewall script is a common shell script. You don't need to run 'ipfw 
script'.

Flushing the rules is usually done by script itself.
For example:
#!/bin/sh
ipfw=/sbin/ipfw
${ipfw} -f flush
${ipfw} rule
${ipfw} rule
${ipfw} rule
...
This file should be executable (chmod +x). You can also put any non-ipfw 
additional commands in this file if you want.

Try to make such script, execute it and write again about the results.


Well, I'm trying to be compliant with /etc/rc.firewall's expectations for 
a rules file, which IS called with ipfw rules.file


-Dan

--

Gushi And hello kitty does not have a mouth.
bizzy . o O ( oh yes she does )

EfNet #macintosh, 2/21/01, some ridiculous hour of the morning

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



Re: Problem with ipfw flush

2007-01-24 Thread Dan Mahoney, System Admin

On Wed, 24 Jan 2007, Kevin Kinsey wrote:


Dan Mahoney, System Admin wrote:

Hey all.

In trying to tweak my firewall setup I'm using a file called 
/etc/ipfw.rules


However, it seems even though I copy my rules perfectly to that file, the 
system freezes up and locks me out when I do:


/usr/share/examples/ipfw/change_rules.sh?


That is a very cool script, however, it appears as though it calls 
firewall_script on line 131 with sh, not with ipfw.


nohup sh ${firewall_script} ${firewall_type}.new

Whereas, etc/rc.firewall calls ipfw on line 299 via the ipfw command:

${fwcmd} ${firewall_flags} ${firewall_type}

The difference is that the resulting rules file would not be parseable by 
sh since the lines in the file would not contain the ipfw command but 
only the arguments.  As one's in examples and the other's in a live 
startup script, I'd assume the latter to be the correct method.


That said, this still does not tell me why a subsequent flush-and-rerun 
isn't working via ssh.  It works totally fine via the command line, but 
over ssh it gives:


Jan 24 19:10:55 ads-bsh-fwa4 sshd[845]: fatal: Write failed: Permission 
denied on the console (but by that point my connection's already dropped).


However, this shouldn't actually stop an already-typed command, should it?

Additionally, it doesn't appear that /etc/rc.firewall has the smarts to do 
this, as the stop command it lists only disables the kernel firewall 
structure via sysctl, but does NOT flush the rules, pipes, counts, or the 
like, so it's not a true restart.  (the idea being that otherwise, every 
rule will be added twice -- the flush is a necessary step there).


Even if I add the flush command directly to /etc/ipfw.rules, and run 
ipfw -f /etc/ipfw.rules right from the command line, my connection gets 
dropped and the rest of the commands do not run.


In experimenting a bit more, I've found that I can do:

nohup ipfw -f /etc/ipfw.rules

This allows the rest of the ipfw command to run, but the HUP-on-disconnect 
still doesn't explain why the command doesn't even finish running.


-Dan

--

What's with the server farm down in the basement?

-Spider, Three Skulls Commons at Selden House, 4/15/00

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



Re: Broadcom Nics in Tyan Transport GT24 (B3992)

2007-01-18 Thread Dan Mahoney, System Admin

On Wed, 17 Jan 2007, Ted Mittelstaedt wrote:


yes, but guess what - FBSD 6.2 is now released, so just install that and
the updated driver is already in the kernel


You were just waiting to say that weren't you :)

-Dan



Ted

- Original Message - 
From: Dan Mahoney, System Admin [EMAIL PROTECTED]

To: Ted Mittelstaedt [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Monday, January 15, 2007 7:27 AM
Subject: Re: Broadcom Nics in Tyan Transport GT24 (B3992)


 On Mon, 15 Jan 2007, Ted Mittelstaedt wrote:

 Is the bge driver enabled by default?

 -Dan

  I don't know what broadcom chip your MB has but the majority of those
  cards are supported here:
 
  http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/dev/bge/
 
  You should be able to just copy over the 2 files to your
  src/sys/dev/bge/ directory and
  recompile your 6.1-release kernel with no problems.  I did.
 
  Look carefully at the chip on your MB and post the BCM model number on
  it if this doesn't work.
 
  Ted
 
  - Original Message -
  From: Dan Mahoney, System Admin [EMAIL PROTECTED]
  To: Ted Mittelstaedt [EMAIL PROTECTED]
  Cc: [EMAIL PROTECTED]
  Sent: Saturday, January 13, 2007 5:34 AM
  Subject: Re: Broadcom Nics in Tyan Transport GT24 (B3992)
 
 
  On Fri, 12 Jan 2007, Ted Mittelstaedt wrote:
 
  Use the latest Broadcom driver from FreeBSD CVS.  The one included in
  6.1 release is buggy.
 
  Which driver is that?  My 6.1 install won't see them at all:
 
  pci4: PCI bus on pcib4
  pci4: network, ethernet at device 4.0 (no driver attached)
  pci4: network, ethernet at device 4.1 (no driver attached)
 
  Also, I'm running 6.1-RELEASE, will the cvs drivers from CURRENT work?
 
  -Dan
 
 
  Ted
 
  - Original Message -
  From: Dan Mahoney, System Admin [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  Sent: Friday, January 12, 2007 5:02 PM
  Subject: Broadcom Nics in Tyan Transport GT24 (B3992)
 
 
  Hey all, I have a Transport GT24 (B3992 Motherboard), and while it
  has one intel nic which works well, I'd like to be able to use the
  onboard broadcom network cards.  Is there a known way of making them
  work?  I seem to recall some dealy where you could use a windows driver?
 
  -Dan
 
  --
 
  I love you forever eternally.
 
  -Connaian Expression
 
  Dan Mahoney
  Techie,  Sysadmin,  WebGeek
  Gushi on efnet/undernet IRC
  ICQ: 13735144   AIM: LarpGM
  Site:  http://www.gushi.org
  ---
 
 
 
 
  --
 
  You're not normal!
 
  -Michael G. Kessler, referring to my modem online time.
 
 
  Dan Mahoney
  Techie,  Sysadmin,  WebGeek
  Gushi on efnet/undernet IRC
  ICQ: 13735144   AIM: LarpGM
  Site:  http://www.gushi.org
  ---
 
 
 

 --

 [23:49:00] LarpGM: Did my little TP comment scare you off?
 [23:49:22] ilzarion: no, the shrieking retarded child eating people did

 -Feb 06, 2001, times apparent.


 Dan Mahoney
 Techie,  Sysadmin,  WebGeek
 Gushi on efnet/undernet IRC
 ICQ: 13735144   AIM: LarpGM
 Site:  http://www.gushi.org
 ---





--

When I'm lost, and confused, and trying to make a U-turn, nothing annoys
me more than someone telling me to watch out for the tombstone!

How often does that happen, Fab?

-David Feld  Tom Fabry, sometime in High School.

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



Re: Transport Mode IPSEC

2007-01-18 Thread Dan Mahoney, System Admin

On Wed, 17 Jan 2007, Ted Mittelstaedt wrote:


Dan,

  You do realize, don't you, that since both of these hosts are on a switch,
and are using unicast traffic to communicate with each other, that they
cannot be sniffed, don't you?


That implies trust of the switch, trust against arp-cache poisoning, and 
the like.  The idea of ipsec is not trusting the wire.


With NIS/NFS known for being this inherently secure, would it get me a 
better answer if I said with only a single router between them?


-Dan


--


Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



Re: Transport Mode IPSEC

2007-01-18 Thread Dan Mahoney, System Admin

On Thu, 18 Jan 2007, Andrew Pantyukhin wrote:


On 1/18/07, Dan Mahoney, System Admin [EMAIL PROTECTED] wrote:

It's not that simple. The difficulty is in key exchange,
and it stays. I can show you how to implement it with
static keys:


As I read through the article 
(http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html)...I 
get the distinct impression the howto 
actually is somewhat adaptable -- one just needs to ignore everything it 
says about tunnels, and the GIF device.


I'd still install racoon, still do everything like that -- the change 
comes in the lines in /etc/ipsec.conf


spdadd W.X.Y.Z/32 A.B.C.D/32 ipencap -P out ipsec esp/tunnel/W.X.Y.Z-A.B.C.D/require;
spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P in ipsec esp/tunnel/A.B.C.D-W.X.Y.Z/require;


which would be I think modified to your lines below.  I'm not sure if you 
still need the additional policy definition (between the slashes). 
Perhaps you can clarify for me?


I'm liking doing things with racoon only because it allows you to use 
those nice non-static keys.


-Dan



= 192.168.17.1:/etc/ipsec.conf

flush ;
spdflush ;

add 192.168.17.69 192.168.17.1 ah 4567
  -A hmac-sha2-512
Y38mKV6jWhmouiumhyiPXIbG6p8aSTBQ2peMedMwmh1tasd5yM9mjH8aVSsnWrLy ;
add 192.168.17.1 192.168.17.69 ah 4567
  -A hmac-sha2-512
Y38mKV6jWhmouiumhyiPXIbG6p8aSTBQ2peMedMwmh1tasd5yM9mjH8aVSsnWrLy ;
spdadd 192.168.17.69 192.168.17.1 any -P in  ipsec ah/transport//require ;
spdadd 192.168.17.1 192.168.17.69 any -P out ipsec ah/transport//require ;

= 192.168.17.69:/etc/ipsec.conf

flush ;
spdflush ;

add 192.168.17.69 192.168.17.1 ah 4567
  -A hmac-sha2-512
Y38mKV6jWhmouiumhyiPXIbG6p8aSTBQ2peMedMwmh1tasd5yM9mjH8aVSsnWrLy ;
add 192.168.17.1 192.168.17.69 ah 4567
  -A hmac-sha2-512
Y38mKV6jWhmouiumhyiPXIbG6p8aSTBQ2peMedMwmh1tasd5yM9mjH8aVSsnWrLy ;
spdadd 192.168.17.69 192.168.17.1 any -P out ipsec ah/transport//require ;
spdadd 192.168.17.1 192.168.17.69 any -P in  ipsec ah/transport//require ;


Then add ipsec_enable=YES to rc.conf(5) on both hosts
and run /etc/rc.d/ipsec start. That should set up
authenticated relationship between the two hosts.

See setkey(8) for encryption and other options.



--

Don't try to out-wierd me.  I get stranger things than you free with my
breakfast cereal.

-Button seen at I-CON XVII (and subsequently purchased)

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



Dummynet howto?

2007-01-18 Thread Dan Mahoney, System Admin

Hey all,

In dummynet, what's an appropriate queue size for a 50 Megabit pipe?

And is there a general rule-of-thumb or calculation I should be doing 
(i.e. limitation size times some number or something?)


-Dan

--

Hitler, Satan, those Hanson kids, anything.  Just not the curious
anteater.

-Peter Scolari, as Wayne Szalinki in Honey, I Shrunk The Kids--The
Series


Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



Transport Mode IPSEC

2007-01-17 Thread Dan Mahoney, System Admin

Hey all,

I see the handbook has a nice howto on tunnel mode ipsec.  I just want to 
protect my NFS/NIS traffic between two hosts on a switch (neither NAT'd) 
-- is there a reference as to transport-mode ipsec anywhere, or has anyone 
done it that can outline it?  I would imagine it would be drastically 
simpler than tunnel mode, but I'm not sure where it would break off.


-Dan

--

A mother can be an inspiration to her little son, change his thoughts,
his mind, his life, just with her gentle hum.

-No Doubt, Different People, from Tragic Kingdom


Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



Re: Sysinstall: No Floppy Devices Found

2007-01-16 Thread Dan Mahoney, System Admin

On Tue, 16 Jan 2007, Kevin Kobb wrote:

I have found that when I do an install with an install.cfg file on a floppy, 
I must insert the floppy right after the system begins to boot from CD. If I 
don't when I tell sysinstall to read the floppy I get an error.


I've found the floppy works okay when I escape to the bootloader, so I can 
load my KLD at that time.


As a work around, if I go into the options and select rescan for hardware 
devices (not sure if that is the exact wording) after inserting the floppy 
disk, it will work OK as well. Might be worth a try.


I'll be sure to try that, thanks.  Any idea why it's not found initially, 
tho?  I mean, the CONTROLLER is found, so...


Is this the type of thing I should send-pr over?

-Dan

--

Be happy.  Try not to hurt each other.  Hope you fall in love.

--Mallory, Family Ties Finale (on the meaning of life)

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



Dummynet with vlans

2007-01-16 Thread Dan Mahoney, System Admin

Hey all,

Note: I'm cc'ing Luigi Rizzo because, well, he's authoritative.   This is 
NOT the same issue I asked about a couple years ago (which related to 
vlans, and bridging -- there is no bridge in play here).


Anyway...

We have a machine playing vlan aggregator.  Gigabit nics (intels).

em0 is the uplink to the core router.  Straight gigabit link over copper 
to a 6500-series cisco switch (speaks OSPF using quagga). em1 is the 
downlink (over fiber) to the switch, and has no interface on it, but it IS 
a parent interface to 48 vlan entries, numbered vlan101 through vlan148 
(where each is relative to a switch port).  This setup works fine.


Each vlan entry has its own /29 IP address.

That said, what is the proper syntax for adding dummynet rules to this? 
For example, to constrain one of those ports to (say) 50 megabits.


I'm using

pipe 440 config bw 50mbit/s
pipe 441 config bw 50mbit/s
add 44000 pipe 440 ip from any to any recv vlan144 in
add 44001 pipe 441 ip from any to any xmit vlan144 out

But this seems not to work.

Do I need to define queues as well?  The manpage cites examples similar to 
this, but I can't find any definitive reference.


Should I just not use the vlan interfaces, and instead go by IP on the 
outside interface?


-Dan

--

It's buttery kettle ASS corn!

-Dan Mahoney, Ezzi Computers,
10/22/03, 2AM

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



Origin of LINT?

2007-01-16 Thread Dan Mahoney, System Admin

I know it's probably off-topic, but I've searched google for a bit with no 
results, and because I'm curious:


Does anyone (maybe one of the old guard) know the origin of the term 
lint for the all-inclusive feature set?  I know SpamAssassin uses it as 
well (it's the command line argument to just regression-test everything).


Merely curious,

Dan Mahoney

--

You recreate the stars in the sky with cows?

-Furrball, March 7 2005, on Katamari Damacy

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



Re: Broadcom Nics in Tyan Transport GT24 (B3992)

2007-01-15 Thread Dan Mahoney, System Admin

On Mon, 15 Jan 2007, Ted Mittelstaedt wrote:

Is the bge driver enabled by default?

-Dan


I don't know what broadcom chip your MB has but the majority of those cards
are supported here:

http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/dev/bge/

You should be able to just copy over the 2 files to your src/sys/dev/bge/
directory and recompile your 6.1-release kernel with no problems.  I did.

Look carefully at the chip on your MB and post the BCM model number on it
if this doesn't work.

Ted

- Original Message -
From: Dan Mahoney, System Admin [EMAIL PROTECTED]
To: Ted Mittelstaedt [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Saturday, January 13, 2007 5:34 AM
Subject: Re: Broadcom Nics in Tyan Transport GT24 (B3992)



On Fri, 12 Jan 2007, Ted Mittelstaedt wrote:


Use the latest Broadcom driver from FreeBSD CVS.  The one included in 6.1
release is buggy.


Which driver is that?  My 6.1 install won't see them at all:

pci4: PCI bus on pcib4
pci4: network, ethernet at device 4.0 (no driver attached)
pci4: network, ethernet at device 4.1 (no driver attached)

Also, I'm running 6.1-RELEASE, will the cvs drivers from CURRENT work?

-Dan



Ted

- Original Message -
From: Dan Mahoney, System Admin [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, January 12, 2007 5:02 PM
Subject: Broadcom Nics in Tyan Transport GT24 (B3992)



Hey all, I have a Transport GT24 (B3992 Motherboard), and while it has one
intel nic which works well, I'd like to be able to use the onboard
broadcom network cards.  Is there a known way of making them work?  I seem
to recall some dealy where you could use a windows driver?

-Dan

--

I love you forever eternally.

-Connaian Expression

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---







--

You're not normal!

-Michael G. Kessler, referring to my modem online time.


Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---






--

[23:49:00] LarpGM: Did my little TP comment scare you off?
[23:49:22] ilzarion: no, the shrieking retarded child eating people did

-Feb 06, 2001, times apparent.


Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



Re: Broadcom Nics in Tyan Transport GT24 (B3992)

2007-01-13 Thread Dan Mahoney, System Admin

On Fri, 12 Jan 2007, Ted Mittelstaedt wrote:


Use the latest Broadcom driver from FreeBSD CVS.  The one included in 6.1
release is buggy.


Which driver is that?  My 6.1 install won't see them at all:

pci4: PCI bus on pcib4
pci4: network, ethernet at device 4.0 (no driver attached)
pci4: network, ethernet at device 4.1 (no driver attached)

Also, I'm running 6.1-RELEASE, will the cvs drivers from CURRENT work?

-Dan



Ted

- Original Message -
From: Dan Mahoney, System Admin [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, January 12, 2007 5:02 PM
Subject: Broadcom Nics in Tyan Transport GT24 (B3992)



Hey all, I have a Transport GT24 (B3992 Motherboard), and while it has one
intel nic which works well, I'd like to be able to use the onboard
broadcom network cards.  Is there a known way of making them work?  I seem
to recall some dealy where you could use a windows driver?

-Dan

--

I love you forever eternally.

-Connaian Expression

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---







--

You're not normal!

-Michael G. Kessler, referring to my modem online time.


Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



Re: Easier way to install on 3ware 9550 card?

2007-01-13 Thread Dan Mahoney, System Admin

On Sat, 13 Jan 2007, Erik Trulsson wrote:


On Thu, Jan 11, 2007 at 12:01:48PM -0500, Dan Mahoney, System Admin wrote:

On Wed, 10 Jan 2007, Erik Trulsson wrote:


On Wed, Jan 10, 2007 at 05:24:26AM -0500, Dan Mahoney, System Admin wrote:

On Wed, 3 Jan 2007, John Nielsen wrote:

Apologies for top-posting.

I've made some progress with this, but as I suspected, I'm screwed on
namespace collision.  I.e. I am unable to load a version of twa.ko that
supports my 3ware card because a previous version of twa.ko that does not
support it is already in the generic kernel.  Changing the name of the
loadable doesn't help, either.

It looks like I might have to make my own release, and my own ISO, using
the driver source from the 3ware site.

Does anyone have an easier way of doing this?


Might some of the following information from 3ware be of help?

http://www.3ware.com/KB/article.aspx?id=15003


This details exactly what I need to do.  However, the drivers that SHOULD
be attached to the article are NOT.


No, they were not. The people at 3ware seem to have noticed that mistake
however and now the attachments seem to actually be attached to that
article.


Yes,

I also need to state for the record that their support people are 
incredibly knowledgeable and responsive.


I'm up and running now (thought I wasn't for a bit because the card takes 
a few MINUTES to probe during boot).


What is the likelihood (read that as: who would I have to ask) of getting 
the driver source added to 6.2-R, or to CURRENT?  While this has been an 
overall good experience for me, it would be decidedly nice if I could have 
just booted from the CD and run with it.


-Dan

--

No mowore webooting!!!

-Paul, 10-16-99, 10 PM

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



Sysinstall: No Floppy Devices Found

2007-01-12 Thread Dan Mahoney, System Admin

Hey all,

I'm getting the message when I try to load a KLD in Sysinstall, even 
though I KNOW my floppy drive works.  In fact, I can load the KLD from the 
loader prompt just fine.


Is there a difference/advantage to one way of doing this over the other?

-Dan Mahoney

--

Hitler, Satan, those Hanson kids, anything.  Just not the curious
anteater.

-Peter Scolari, as Wayne Szalinki in Honey, I Shrunk The Kids--The
Series


Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



Broadcom Nics in Tyan Transport GT24 (B3992)

2007-01-12 Thread Dan Mahoney, System Admin
Hey all, I have a Transport GT24 (B3992 Motherboard), and while it has one 
intel nic which works well, I'd like to be able to use the onboard 
broadcom network cards.  Is there a known way of making them work?  I seem 
to recall some dealy where you could use a windows driver?


-Dan

--

I love you forever eternally.

-Connaian Expression

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



Re: Easier way to install on 3ware 9550 card?

2007-01-11 Thread Dan Mahoney, System Admin

On Wed, 10 Jan 2007, Erik Trulsson wrote:


On Wed, Jan 10, 2007 at 05:24:26AM -0500, Dan Mahoney, System Admin wrote:

On Wed, 3 Jan 2007, John Nielsen wrote:

Apologies for top-posting.

I've made some progress with this, but as I suspected, I'm screwed on
namespace collision.  I.e. I am unable to load a version of twa.ko that
supports my 3ware card because a previous version of twa.ko that does not
support it is already in the generic kernel.  Changing the name of the
loadable doesn't help, either.

It looks like I might have to make my own release, and my own ISO, using
the driver source from the 3ware site.

Does anyone have an easier way of doing this?


Might some of the following information from 3ware be of help?

http://www.3ware.com/KB/article.aspx?id=15003


This details exactly what I need to do.  However, the drivers that SHOULD 
be attached to the article are NOT.


-Dan Mahoney

--

GO HOME AND COOK!!!

Donielle Cocossa, Taco Bell, 2:30 AM

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



Re: Easier way to install on 3ware 9550 card?

2007-01-11 Thread Dan Mahoney, System Admin

On Wed, 10 Jan 2007, Peter Giessel wrote:



On Wednesday, January 10, 2007, at 01:22AM, Dan Mahoney, System Admin [EMAIL PROTECTED] wrote:

I am unable to load a version of twa.ko that
supports my 3ware card because a previous version of twa.ko that does not
support it is already in the generic kernel.  Changing the name of the
loadable doesn't help, either.


P.S. 6.1 on AMD64 and i386 supports the 9550:
http://www.freebsd.org/releases/6.1R/relnotes-amd64.html
http://www.freebsd.org/releases/6.1R/relnotes-i386.html
http://www.freebsd.org/cgi/man.cgi?query=twa&sektion=4&manpath=FreeBSD+6.1-RELEASE


Yeah, this is the 9650SE.  I've emailed Scott Long to ask about its 
inclusion.  No reply thus far.


-Dan

--

One...plus two...plus one...plus one.

-Tim Curry, Clue

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



Re: Easier way to install on 3ware 9550 card?

2007-01-10 Thread Dan Mahoney, System Admin

On Wed, 3 Jan 2007, John Nielsen wrote:

Apologies for top-posting.

I've made some progress with this, but as I suspected, I'm screwed on 
namespace collision.  I.e. I am unable to load a version of twa.ko that 
supports my 3ware card because a previous version of twa.ko that does not 
support it is already in the generic kernel.  Changing the name of the 
loadable doesn't help, either.


It looks like I might have to make my own release, and my own ISO, using 
the driver source from the 3ware site.


Does anyone have an easier way of doing this?

I've already emailed Scott Long asking about the possibility of the 
inclusion of the new twa driver in the next FreeBSD, but I fear we're too 
far down the release process, so it could be a YEAR before there's a 
RELEASE that supports it.


-Dan


You were on the right track with the emergency shell, but the Fixit mode
(now included on disk 1 for your convenience) gives you a lot more
flexibility (inclusion of ls is just the start!). Have you tried
something like this?

1) Boot to complete install CD
2) Go into Fixit mode (not just the emergency shell)
3) # sysctl kern.module_path=/dist/boot/kernel
4) # kldload twa
5) # exit
6) proceed with installation

This shouldn't be necessary though, since twa is included in GENERIC for
both FreeBSD 6.1 and 6.2 (did you say what version you were trying to
install?).

Now, if your controller is too new to be included in the shipping version
of twa then that's another matter. If you have a binary kernel module that
uses a different driver name from the vendor you could use the same general
approach, but you'd want to configure your network interface and set up
your NFS mount prior to step 3, and include the appropriate NFS path in the
sysctl command in step 3.


Forgot to mention you'd also need to manually copy the vendor driver and
modify /boot/loader.conf on the newly installed system so it could actually
boot.. you could easily take care of that from the fixit mode shell after the
installation, though.



--

And, a special guest, from the future, miss Ria Pischell.  Miss Pischell,
as you all know, is the inventor of the Statiophonic Oxygenetic
Amplifiagraphaphonadelaverberator, and it's pretty hard to imagine life
without one of those.

-Rufus, Bill & Ted's Bogus Journey


Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



Re: Easier way to install on 3ware 9550 card?

2007-01-10 Thread Dan Mahoney, System Admin

On Wed, 10 Jan 2007, Erik Trulsson wrote:


On Wed, Jan 10, 2007 at 05:24:26AM -0500, Dan Mahoney, System Admin wrote:

On Wed, 3 Jan 2007, John Nielsen wrote:

Apologies for top-posting.

I've made some progress with this, but as I suspected, I'm screwed on
namespace collision.  I.e. I am unable to load a version of twa.ko that
supports my 3ware card because a previous version of twa.ko that does not
support it is already in the generic kernel.  Changing the name of the
loadable doesn't help, either.

It looks like I might have to make my own release, and my own ISO, using
the driver source from the 3ware site.

Does anyone have an easier way of doing this?


Might some of the following information from 3ware be of help?

http://www.3ware.com/KB/article.aspx?id=15003
http://www.3ware.com/KB/article.aspx?id=14850


I saw (and tried) an earlier version of these instructions, basically the 
issue was that I couldn't LOAD a module because said module was already 
in the kernel.  In this case I don't think such a module is so it might 
work better, not 100 percent sure.


Well, I'll have to modify them somewhat -- no floppy support here (lame, I 
know), but perhaps it'll work, I'll give it a try tomorrow.


Thanks for the tip.

-Dan






I've already emailed Scott Long asking about the possibility of the
inclusion of the new twa driver in the next FreeBSD, but I fear we're too
far down the release process, so it could be a YEAR before there's a
RELEASE that supports it.

-Dan


You were on the right track with the emergency shell, but the Fixit mode
(now included on disk 1 for your convenience) gives you a lot more
flexibility (inclusion of ls is just the start!). Have you tried
something like this?

1) Boot to complete install CD
2) Go into Fixit mode (not just the emergency shell)
3) # sysctl kern.module_path=/dist/boot/kernel
4) # kldload twa
5) # exit
6) proceed with installation

This shouldn't be necessary though, since twa is included in GENERIC for
both FreeBSD 6.1 and 6.2 (did you say what version you were trying to
install?).

Now, if your controller is too new to be included in the shipping version
of twa then that's another matter. If you have a binary kernel module that
uses a different driver name from the vendor you could use the same general
approach, but you'd want to configure your network interface and set up
your NFS mount prior to step 3, and include the appropriate NFS path in the
sysctl command in step 3.


Forgot to mention you'd also need to manually copy the vendor driver and
modify /boot/loader.conf on the newly installed system so it could actually
boot.. you could easily take care of that from the fixit mode shell after the
installation, though.










--

I'll commit ritual suicide before I whore myself out to Disney.

--Emi Bryant
  April 26, 2004
  On the animation industry

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



Re: Easier way to install on 3ware 9550 card?

2007-01-10 Thread Dan Mahoney, System Admin

On Wed, 10 Jan 2007, Dimitar Vasilev wrote:


Dan,
comment out the twa lines in the kernel.
Rebuild it and include the new modules.
should be easy.


The module in the kernel it's conflicting with is on an INSTALL CD.

But I don't think I'll have the namespace conflicts with the NEW module.

-Dan

--

It's like GTA, except you pay for it, and you're allowed to use the car.

-Josh, on Zipcar on-demand car-rental, 3/20/05

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



Re: Easier way to install on 3ware 9550 card?

2007-01-10 Thread Dan Mahoney, System Admin

On Wed, 10 Jan 2007, Peter Giessel wrote:



On Wednesday, January 10, 2007, at 01:22AM, Dan Mahoney, System Admin [EMAIL PROTECTED] wrote:

I am unable to load a version of twa.ko that
supports my 3ware card because a previous version of twa.ko that does not
support it is already in the generic kernel.  Changing the name of the
loadable doesn't help, either.


P.S. 6.1 on AMD64 and i386 supports the 9550:
http://www.freebsd.org/releases/6.1R/relnotes-amd64.html
http://www.freebsd.org/releases/6.1R/relnotes-i386.html
http://www.freebsd.org/cgi/man.cgi?query=twa&sektion=4&manpath=FreeBSD+6.1-RELEASE


It's the 9650SE I'm having trouble with, as I realized.

-Dan

--

I can feel it, comin' back again...Like a rolling thunder chasin' the
wind...

-Dan Mahoney, JS, JB  SL, May 10th, 1997, Approx 1AM

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



Easier way to install on 3ware 9550 card?

2007-01-03 Thread Dan Mahoney, System Admin

Hey all,

I have a new system with NO FLOPPY CONTROLLER and a 3ware 9550 card.  It's 
a 1u system -- sticking extra things into PCI slots as a workaround is 
likely to be impossible.


I found this document on how to get it installed, in theory:

http://www.3ware.com/kb/article.aspx?id=14850

But with no floppy, this is probably going to involve either transplanting 
the card (and drive array) to another machine JUST to do the install 
(translated: a serious pain in the ass).


If someone could explain why any of the following aren't possible, I'd 
love to know:


1) Making this driver part of the boot-time probe.  I can understand not 
including every SOUND CARD and MULTI-PORT SERIAL CARD in the generic 
kernel, but could we at least include the rest of the STORAGE modules?


2) Giving the ability to load a kernel module from somewhere else (an 
http/ftp url, maybe?)


3) Adding the kldload command to the emergency holographic shell (I was 
able to do an NFS mount from within it, but had no way to load the 
driver).


4) Allowing non-standard modules to reside on the CD, instead of loading 
from floppy (i.e. I see there's a twa module in the base system, why 
aren't the .ko's sitting around easily-accessible for sysinstall?)


If I'm missing some really obvious way of doing this, please let me know.

Thanks,

Dan Mahoney

--

Long live little fat girls!

-Recent Taco Bell Ad Slogan, Literally Translated.  (Viva Gorditas)

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



Re: Easier way to install on 3ware 9550 card?

2007-01-03 Thread Dan Mahoney, System Admin

On Wed, 3 Jan 2007, [EMAIL PROTECTED] wrote:


I have a new system with NO FLOPPY CONTROLLER and a 3ware 9550
card.  It's a 1u system -- sticking extra things into PCI slots
as a workaround is likely to be impossible.


Any possibility of using a USB floppy drive?


Will the BSD installer recognize a USB floppy drive?


3) Adding the kldload command to the emergency holographic shell
(I was able to do an NFS mount from within it, but had no way to
load the driver).


Maybe put kldload on that NFS mount along with the module to be
loaded, and run it from there?


I had considered that, but feared hitting version issues.  Obviously 
sysinstall needs both mount and kldload functionality -- why aren't 
they in the emergency shell (For that matter, why isn't ls?)


If this many years later we're still emulating floppies, there's a 
problem, folks.


-Dan


--

A mother can be an inspiration to her little son, change his thoughts,
his mind, his life, just with her gentle hum.

-No Doubt, Different People, from Tragic Kingdom


Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



Re: Easier way to install on 3ware 9550 card?

2007-01-03 Thread Dan Mahoney, System Admin

On Wed, 3 Jan 2007, Per olof Ljungmark wrote:


Dan Mahoney, System Admin wrote:

Hey all,

I have a new system with NO FLOPPY CONTROLLER and a 3ware 9550 card.  It's 
a 1u system -- sticking extra things into PCI slots as a workaround is 
likely to be impossible.


I don't think you need a driver - it's already there.
apropos 3ware
twa(4)- 3ware 9000/9500/9550 series SATA RAID controllers driver
twe(4)- 3ware 5000/6000/7000/8000 series PATA/SATA RAID adapter driver


Oh I'm sorry, then why didn't I just install the OS?  Because it said no 
drives found!


The card doesn't probe at boot, and there's an elaborate howto on 3ware's 
site that describes HOW to get it to probe at boot.


While I myself stated that the driver DOES appear to be in the base, for 
whatever reason the kernel on the install CD doesn't include it, nor the 
ability to kldload a module from anyplace easy.


-Dan


--

SOY BOMB!

-The Chest of the nameless streaker of the 1998 Grammy Awards' Bob Dylan
Performance.

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



Re: Easier way to install on 3ware 9550 card?

2007-01-03 Thread Dan Mahoney, System Admin

On Wed, 3 Jan 2007, Tom Judge wrote:


Dan Mahoney, System Admin wrote:



Hi Dan,

I have installed FreeBSD on several systems with 9550 controllers.  The 
driver is available in sysinstall from 6.1 Release. (I installed from a 6.1 
Release CD)


This was the 9650, actually.

-Dan

--

It would be bad.

-Egon Spengler, Ghostbusters

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



3ware 9650 Support

2007-01-03 Thread Dan Mahoney, System Admin
According to the 3ware site this card is supported as of FreeBSD 6.1.  I 
previously posted with it as the 9550, but the end result is I hadn't 
slept enough, it's the 9650SE-4LPML.


I checked the CVS sources for the twa driver, they haven't been touched in 
many months so I don't feel it's likely support has been added within 
there.  Anyone have any idea how to make this card work?


-Dan Mahoney

--

I am a professional drinker, and I know that that was NOT Jose Cuervo!

Well, what was it then?

I think it was some mixture of Rubbing Alcohol, and Desenex(TM) Foot
Powder, because my feet feel okay, and my back doesn't hurt, but my
stomach is killing me!

-Dan Mahoney, Costa Rica, August 12th, 1994

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



Re: Easier way to install on 3ware 9550 card?

2007-01-03 Thread Dan Mahoney, System Admin

On Wed, 3 Jan 2007, John Nielsen wrote:


1) Boot to complete install CD
2) Go into Fixit mode (not just the emergency shell)
3) # sysctl kern.module_path=/dist/boot/kernel
4) # kldload twa
5) # exit
6) proceed with installation

This shouldn't be necessary though, since twa is included in GENERIC for
both FreeBSD 6.1 and 6.2 (did you say what version you were trying to
install?).

Now, if your controller is too new to be included in the shipping version
of twa then that's another matter. If you have a binary kernel module that
uses a different driver name from the vendor you could use the same general
approach, but you'd want to configure your network interface and set up
your NFS mount prior to step 3, and include the appropriate NFS path in the
sysctl command in step 3.


This is the case.  I've emailed the folks in charge so that the new 
version of the 3ware drivers can be included in newer versions of FreeBSD.



Forgot to mention you'd also need to manually copy the vendor driver and
modify /boot/loader.conf on the newly installed system so it could actually
boot.. you could easily take care of that from the fixit mode shell after the
installation, though.


Yup.  In the case of a module name collision, is it safe to rename my 
module so that subsequent system builds won't overwrite it (i.e. rename it 
from twa.ko to twa2.ko) or will that break something?


-Dan

--

Station!

-Bill & Ted's Bogus Journey

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



Re: Easier way to install on 3ware 9550 card?

2007-01-03 Thread Dan Mahoney, System Admin

On Wed, 3 Jan 2007, Mike Tancsa wrote:


On Wed, 3 Jan 2007 02:56:40 -0500 (EST), in
sentex.lists.freebsd.questions you wrote:


4) Allowing non-standard modules to reside on the CD, instead of loading
from floppy (i.e. I see there's a twa module in the base system, why
aren't the .ko's sitting around easily-accessible for sysinstall?)

If I'm missing some really obvious way of doing this, please let me know.



What version of FreeBSD are you trying to install ?  I thought 6.2RC2
would work with this controller


That's the typo.  It's the 9650SE.

-Dan




HARDWARE
The twa driver supports the following SATA RAID controllers:

o   AMCC's 3ware 9500S-4LP
o   AMCC's 3ware 9500S-8
o   AMCC's 3ware 9500S-8MI
o   AMCC's 3ware 9500S-12
o   AMCC's 3ware 9500S-12MI
o   AMCC's 3ware 9500SX-4LP
o   AMCC's 3ware 9500SX-8LP
o   AMCC's 3ware 9500SX-12
o   AMCC's 3ware 9500SX-12MI
o   AMCC's 3ware 9500SX-16ML
o   AMCC's 3ware 9550SX-4LP
o   AMCC's 3ware 9550SX-8LP
o   AMCC's 3ware 9550SX-12
o   AMCC's 3ware 9550SX-12MI
o   AMCC's 3ware 9550SX-16ML

I am running with

da0 at twa0 bus 0 target 0 lun 0
da0: AMCC 9550SX-4LP DISK 3.01 Fixed Direct Access SCSI-3 device
da0: 100.000MB/s transfers
da0: 152566MB (312455168 512 byte sectors: 255H 63S/T 19449C)



---Mike

Mike Tancsa, Sentex communications http://www.sentex.net
Providing Internet Access since 1994
[EMAIL PROTECTED], (http://www.tancsa.com)



--

You're a thucking reyer!

-Richard Bozzello, who believed tongue piercing was painless.

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



Command to dump firewall rules to be persistent across reboots.

2006-11-29 Thread Dan Mahoney, System Admin
Hey all, I'm experimenting with ipfw as means of controlling some 
interesting anomalies like with portsentry or some ssh anti-brute-force 
scripts (i.e. adding bad hosts to tables, adding deny rules 
for certain hosts, etc), and I was wondering if there was (either in the 
form of a script, or a builtin command I can't find) some way to just 
dump all the ipfw data (pipes, queues, tables, etc) to a single file to 
be re-read on boot?


I'd be willing to try and write something like this if it doesn't already 
exist, but I'm rather surprised it doesn't.


-Dan Mahoney

--

A single death is a tragedy.  A million deaths is a statistic.

-Josef Stalin, As quoted on the cover to Savatage's Dead Winter Dead

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---
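
A sketch of the dump-and-reload script asked about above, added here as an example and not part of the original post: ipfw can read a file whose lines are its own arguments, so the script rewrites `ipfw list` and `ipfw table N list` output into such lines. The function names, the sample listings and the assumed table output format (one `address value` pair per line) are constructed for illustration; pipes and queues are not covered.

```shell
#!/bin/sh
# Added example: turn ipfw listings into lines that `ipfw /absolute/path/file`
# can replay against an empty ruleset, as at boot. Static rules and lookup
# tables only. Nothing here talks to the firewall; the listings are passed in.

# Constructed sample of `ipfw list` output (documentation address ranges).
SAMPLE_RULES='00100 allow ip from any to any via lo0
00400 deny ip from table(1) to any
00560 allow tcp from any to me dst-port 22 setup
65535 deny ip from any to any'

# Constructed sample of `ipfw table 1 list` output (assumed format).
SAMPLE_TABLE1='192.0.2.10/32 0
198.51.100.0/24 0'

# rules_to_commands: `ipfw list` on stdin -> one "add NNNNN ..." line per rule.
# Rule 65535 is the built-in default rule and is never re-added.
rules_to_commands() {
    awk '$1 ~ /^[0-9]+$/ && $1 + 0 != 65535 { print "add " $0 }'
}

# table_to_commands N: `ipfw table N list` on stdin -> "table N add ADDR VALUE".
# Returns 2 when N is not a plain number.
table_to_commands() {
    case "$1" in
        ''|*[!0-9]*) return 2 ;;
    esac
    awk -v t="$1" '
        # Skip blank lines and separator lines that start with a dash.
        /^-/ || NF == 0 { next }
        { printf "table %s add %s%s\n", t, $1, (NF > 1 ? " " $2 : "") }'
}

# build_snapshot RULES_TEXT TABLE_NUMBER TABLE_TEXT: print the replay file,
# table entries first so they exist before the rules that look them up.
build_snapshot() {
    printf '%s\n' "$3" | table_to_commands "$2" || return 2
    printf '%s\n' "$1" | rules_to_commands
}

# Demo on the constructed listings. On a live host the two texts would come
# from "$(ipfw list)" and "$(ipfw table 1 list)".
build_snapshot "$SAMPLE_RULES" 1 "$SAMPLE_TABLE1"
```

Dynamic rules and counters are deliberately left out, so entries added by a brute-force blocker survive a reboot only if they live in a table or a static rule.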



IPFW: delete range of rules?

2006-11-29 Thread Dan Mahoney, System Admin
Hey all, the ipfw man page says rules can be deleted individually or in 
groups, but I don't see (other than the sets) an easy way to craft 
deletion of rules in a range (for example, 500-550).


As the system I'm using crafts client rules by client numbers, this is a 
kinda useful feature, is it available somewhere?


-Dan

--

There is no right and wrong, there is only fun and boring.

-Fisher Stevens, Hackers

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---
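
One way to get the range deletion asked about above, as an added example that is not part of the original post: `ipfw delete` accepts several rule numbers in one call, so the script filters `ipfw list` output down to the numbers that exist in the range and builds a single delete command. The function names and the sample listing are constructed for illustration, and the command is only printed, not run.

```shell
#!/bin/sh
# Added example: build one "ipfw delete" call for every rule number that
# actually exists in a numeric range. Nothing here touches the firewall;
# the command comes back as text so it can be reviewed first.

# Constructed sample of `ipfw list` output (documentation address ranges).
SAMPLE_LIST='00100 allow ip from any to any via lo0
00500 deny ip from 192.0.2.10 to any
00500 deny ip from 192.0.2.11 to any
00510 deny tcp from 198.51.100.7 to any dst-port 22
00550 deny ip from 203.0.113.0/24 to any
00560 allow tcp from any to me dst-port 22
65535 deny ip from any to any'

# is_rule_number N: true when N is a decimal number in 1..65534.
# 65535 is the default rule, which cannot be deleted.
is_rule_number() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65534 ]
}

# rules_in_range FIRST LAST: read `ipfw list` output on stdin and print each
# distinct rule number inside FIRST..LAST, one per line. Several rules can
# share a number and one delete removes them all, so numbers are de-duplicated.
# Returns 2 on a malformed or reversed range.
rules_in_range() {
    is_rule_number "$1" && is_rule_number "$2" && [ "$1" -le "$2" ] || return 2
    awk -v lo="$1" -v hi="$2" '
        $1 ~ /^[0-9]+$/ {
            n = $1 + 0
            if (n >= lo + 0 && n <= hi + 0 && !seen[n]++) print n
        }'
}

# delete_range_cmd FIRST LAST: print the single ipfw command that deletes the
# range. Returns 1 (and prints nothing) when no rule falls inside it.
delete_range_cmd() {
    nums=$(rules_in_range "$1" "$2") || return 2
    [ -n "$nums" ] || return 1
    # Word splitting on $nums is intended: it turns the lines into arguments.
    set -- $nums
    echo "ipfw -q delete $*"
}

# Demo on the constructed listing; on a live host pipe `ipfw list` in instead.
printf '%s\n' "$SAMPLE_LIST" | delete_range_cmd 500 550
```

Rule 560, just outside the client's range, is untouched, which is the property that matters when each client owns a block of numbers.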



MultiPath routing support

2006-10-23 Thread Dan Mahoney, System Admin

Hey all,

Are there any supported methods for enabling multipath routing under 
FreeBSD?  I currently have a couple BSD boxes which potentially have two 
default gateways to our two core routers, and I'd like to be able to 
load-balance.  Doing it in IPFW or DUMMYNET would seem to break OSPF 
recovery of a bad link.


-Dan

--

[23:49:00] LarpGM: Did my little TP comment scare you off?
[23:49:22] ilzarion: no, the shrieking retarded child eating people did

-Feb 06, 2001, times apparent.


Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



Re: sshd brute force attempts?

2006-09-20 Thread Dan Mahoney, System Admin

On Wed, 20 Sep 2006, Erik Norgaard wrote:


Dan Mahoney, System Admin wrote:

On Tue, 19 Sep 2006, Erik Norgaard wrote:

Along with some good advice. First of all: ssh is not a public service 
like http or smtp where you need anyone to be able to connect. So don't 
let them in the first place.


It is in this case.  It's a web server that allows shell usage (and 
encourages it, as I actually advocate the power that comes with a shell as 
opposed to the primitive (and less secure) interface you may get with crap 
utilities like cpanel, or FTP (where you're at the mercy of the featureset 
of your particular app).


I think you misunderstood what I meant by public service, or maybe it wasn't 
clear: By a public service I mean a service available for anyone, even 
anonymously: You're not going to register the world to let people send mail 
to your server, (while you may (recommended) require authentication to send 
mail from your server).


Your ssh service should only be available to your users.


True enough, but so is/should pop3, and we're not having this problem 
there.  Nor is there even an option for publickey auth (even though it 
uses PAM).


People can always manage access badly. Yes, you may not be sure of password 
protection on the keys, but the intruder first needs to get a copy of the 
key. If this is stored on a usb-stick the user carries with him, or only on 
systems that require local authentication first, then I think you're better 
off than password based ssh.


I think that people can better understand and manage a physical thing like a 
usb-stick and use that as their key. If the capacity is small enough, it is 
unlikely that people will use it for other stuff and accidentally delete the 
key.


Yes, and then if/WHEN they do lose it, it's all the much MORE trouble to 
regenerate it and walk them through the motions of re-uploading it.


You may still find sshd login denied entries in your log - so what? it was 
denied! This is really only a problem if the traffic saturates your 
connection, or your log files grow so much that you run out of diskspace.


It was denied, yes...but when it's denied for 200 different users from the 
same IP, it only takes one user with a weak password (and as much as I like 
keys, I personally prefer the passwords).  I also find that since I have a 
nice web-enabled SSH app (as part of usermin), the key becomes sorta 
useless in that case.


As you read the article they had a password logger to see what passwords were 
attempted, quite interesting very very weak passwords. You can easily weed 
out bad password by running a cracker and forcing your users to change.


This is definitely in the plan -- password crackers eat CPU like 
nobody's business so it would have to run off site but I've done this 
before with crack.  I may try John this time.


I would like to find an alternative to passwd that can enforce a password 
policy, like min. 8 chars, upper AND lower case chars and numbers.


I've managed to very easily compile passwd against cracklib.  Cracklib is 
in ports and easy to build -- FreeBSD could use (but I haven't filed the 
requests) a) an option in make.conf to prevent passwd from getting built 
on a buildworld and b) the patched passwd/yppasswd tree in ports.  If you 
want a few easy ports to maintain, these could be it :)




The article also comments on moving ssh to a different port, but this 
causes confusion and annoyance if you have many users and is non-standard. 
Doing the other things works great, an ssh-key on a usb-keyring is great.


For anyone savvy, yes.  I don't assume that level of savvy.


Well, then - can't you also assume that people can use keys and understand 
that these should be protected by passwords?


No, my assumption for the sake of simplicity has been to tell people use 
this hostname for everything, and this ONE method of logging in should 
work for everything.


Yes, some of my more savvy users CAN set up keys.  But for someone who 
wants the quick method to fix a few broken files, bad permissions, etc, 
it's far easier to tell them get putty, log in..., and then cd to your 
homedir and type


I've been through this dance.  Get putty.  Get puttygen.  Now make a 
keyfile with options you really don't understand.  Now find 
a way that, in the spirit of SSH you can upload that keyfile without using 
your password since I was told to disallow it...now password protect your 
key with something LONG and COMPLICATED when you can't even remember a 
password that you were emailed, and trusted your FTP app to 
remember...okay, now have that key with you everywhere you go (and you 
can't cheat and upload it to someplace like your xdrive.com or other 
service, you have to carry physical media.  You understand all that? 
Okay, now cd to your homedir and type...


Personally, I created a script for parsing the delegated files from the 
different regional registries such as only to allow connection from EU 
countries

sshd brute force attempts?

2006-09-19 Thread Dan Mahoney, System Admin

Hey all,

I've looked around and found several linux-centric things designed to 
block brute-force SSH attempts.  Anyone out there know of something a bit 
more BSD savvy?


My best attempt will be to get this:

http://www.csc.liv.ac.uk/~greg/sshdfilter/index_15.html

running and adapt it.

I've found a few things based on openBSD's pf, but that doesn't seem to be 
the default in BSD either.


Any response appreciated.

-Dan

--

Is Gushi a person or an entity?
Yes

-Bad Karma, August 25th 2001, Ezzi Computers, Quoting himself earlier, referring 
to Gushi

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---
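
The kind of log-based detection asked about above, as an added example that is not part of the original post and not taken from sshdfilter: it reads sshd failure lines, groups them by source address, and flags any address that tried many different usernames. The log lines are constructed, and the function names and thresholds are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed auth.log lines (documentation addresses, made-up PIDs and ports).
SAMPLE_LOG = """\
Sep 19 03:12:01 prime sshd[4101]: Failed password for invalid user admin from 192.0.2.10 port 40112 ssh2
Sep 19 03:12:03 prime sshd[4103]: Failed password for invalid user test from 192.0.2.10 port 40120 ssh2
Sep 19 03:12:05 prime sshd[4105]: Failed password for root from 192.0.2.10 port 40131 ssh2
Sep 19 03:12:07 prime sshd[4107]: Failed password for illegal user guest from 192.0.2.10 port 40140 ssh2
Sep 19 08:30:11 prime sshd[5200]: Failed password for danm from 198.51.100.7 port 51022 ssh2
Sep 19 08:30:19 prime sshd[5200]: Accepted password for danm from 198.51.100.7 port 51022 ssh2
Sep 19 09:01:44 prime sshd[5311]: Failed password for invalid user x from 203.0.113.9 from 192.0.2.10 port 40200 ssh2
"""

# Anchored at the end of the line: the address is the last "from <ip> port <n>"
# that sshd itself wrote, so "from 203.0.113.9" text sitting inside a username
# (last sample line) cannot steer a block at an unrelated address.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed \S+ for (?:(?:invalid|illegal) user )?"
    r"(?P<user>.*) from (?P<ip>\S+) port \d+(?: ssh\d)?\s*$"
)


def failed_logins(lines):
    """Yield (source_ip, username) for every failed sshd authentication."""
    for line in lines:
        m = FAILED_RE.search(line)
        if not m:
            continue
        try:
            ip = str(ipaddress.ip_address(m.group("ip")))
        except ValueError:
            continue  # not an address literal; never hand it to a firewall
        yield ip, m.group("user")


def suspicious_sources(lines, min_users=3, min_failures=10):
    """Return {ip: stats} for sources over either threshold.

    min_users catches one address walking a username list; min_failures
    catches repeated guessing against a single account.
    """
    users = defaultdict(set)
    failures = defaultdict(int)
    for ip, user in failed_logins(lines):
        users[ip].add(user)
        failures[ip] += 1
    return {
        ip: {"users": len(users[ip]), "failures": count}
        for ip, count in failures.items()
        if len(users[ip]) >= min_users or count >= min_failures
    }


if __name__ == "__main__":
    flagged = suspicious_sources(SAMPLE_LOG.splitlines())
    for ip, stats in sorted(flagged.items()):
        print(ip, stats)
```

A single mistyped password from a real user (198.51.100.7 in the sample) stays under both thresholds and is not flagged.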



Re: sshd brute force attempts?

2006-09-19 Thread Dan Mahoney, System Admin

On Tue, 19 Sep 2006, Erik Norgaard wrote:

Along with some good advice. First of all: ssh is not a public service like 
http or smtp where you need anyone to be able to connect. So don't let them 
in the first place.


It is in this case.  It's a web server that allows shell usage (and 
encourages it, as I actually advocate the power that comes with a shell as 
opposed to the primitive (and less secure) interface you may get with crap 
utilities like cpanel, or FTP (where you're at the mercy of the featureset 
of your particular app).


Disable direct root login, in the article more than a third attempted to 
login as root. Disable shell access for service accounts such as mysql, www 
or ldap.


Already being done.  At this point I should mention that root has a login 
option whereby it can be done ONLY with publickey auth.


Use a scheme for choosing usernames that avoids common names like james and 
avoid publishing usernames on web-sites, e-mail may differ from the username.


This is somewhat unavoidable -- as I allow users to choose them.

Disable password based authentication and require ssh-keys if possible, best 
if you can ensure both password and key based authentication.


This also assumes that people password their keys, otherwise it actually 
*lessens* the security of a thing greatly.  Most folks don't.  I do wish 
there was some standard for forcing applications to not save passwords 
(other than OTP).


You may still find sshd login denied entries in your log - so what? it was 
denied! This is really only a problem if the traffic saturates your 
connection, or your log files grow so much that you run out of diskspace.


It was denied, yes...but when it's denied for 200 different users from the 
same IP, it only takes one user with a weak password (and as much as I 
like keys, I personally prefer the passwords).  I also find that since I 
have a nice web-enabled SSH app (as part of usermin), the key becomes 
sorta useless in that case.


The article also comments on moving ssh to a different port, but this causes 
confusion and annoyance if you have many users and is non-standard. Doing the 
other things works great, an ssh-key on a usb-keyring is great.


For anyone savvy, yes.  I don't assume that level of savvy.

Personally, I created a script for parsing the delegated files from the 
different regional registries such as only to allow connection from EU 
countries.


Sounds interesting, is it public?

Since then, I get at most one attempt a week, few enough to manually look up 
the ip with whois and decide if the host or network should be blocked.


Cheers, Erik



--

Wrin quick, somebody tell me the moon phase please?
Dan_Wood Wrin: Plummeting.

-Undernet #reboot, 9/11/01 (day of the WTC bombing)

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---
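
Erik's script is not shown in the thread. The following is an added example, not his code, of the approach he describes: parse the regional registries' "delegated" statistics files (pipe-separated registry|cc|type|start|value|date|status records) and build an allow-list of networks for chosen country codes. It goes slightly beyond the message by handling IPv6 records and IPv4 blocks whose address count is not a power of two. The sample records, the country set and the function names are constructed for illustration.

```python
import ipaddress

# Constructed records in the delegated-file layout; the addresses are
# documentation and private ranges, not real allocations.
SAMPLE_DELEGATED = """\
2|ripencc|20060919|5|19830705|20060918|+0200
ripencc|*|ipv4|*|5|summary
# comment lines start with a hash
ripencc|NL|ipv4|192.0.2.0|256|20010101|allocated
ripencc|DE|ipv4|198.51.100.0|128|20020202|assigned
ripencc|DE|ipv4|198.51.100.128|128|20020203|assigned
ripencc|FR|ipv4|10.0.0.0|768|20030303|allocated
arin|US|ipv4|10.1.0.0|256|20040404|allocated
ripencc|NL|ipv6|2001:db8::|32|20050505|allocated
"""


def parse_delegated(text):
    """Yield (country, network) for each allocated or assigned record."""
    for line in text.splitlines():
        fields = line.strip().split("|")
        if line.startswith("#") or len(fields) < 7:
            continue  # comments, blank lines and 6-field summary lines
        _registry, cc, rtype, start, value, _date, status = fields[:7]
        if rtype not in ("ipv4", "ipv6") or status not in ("allocated", "assigned"):
            continue  # also drops the version header and asn records
        try:
            if rtype == "ipv4":
                # For ipv4 the value is a count of addresses, which need not
                # be a power of two, so one record can expand to several CIDRs.
                first = ipaddress.IPv4Address(start)
                last = first + (int(value) - 1)
                nets = ipaddress.summarize_address_range(first, last)
            else:
                # For ipv6 the value is the prefix length.
                nets = [ipaddress.IPv6Network(f"{start}/{value}")]
            for net in nets:
                yield cc.upper(), net
        except ValueError:
            continue  # malformed record: skipping it only shrinks the allow-list


def allowed_networks(text, countries):
    """Return merged networks delegated to any of the given country codes."""
    wanted = {c.upper() for c in countries}
    v4, v6 = [], []
    for cc, net in parse_delegated(text):
        if cc in wanted:
            (v4 if net.version == 4 else v6).append(net)
    # collapse_addresses merges adjacent blocks and needs one address family
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def is_allowed(address, networks):
    """True if the address falls inside any allow-listed network."""
    ip = ipaddress.ip_address(address)
    return any(ip.version == net.version and ip in net for net in networks)


if __name__ == "__main__":
    for net in allowed_networks(SAMPLE_DELEGATED, {"NL", "DE", "FR"}):
        print(net)
```

Registry country codes record where a block was delegated, not where a connecting host sits, so a list built this way reduces exposure rather than authenticating anyone.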



Re: sshd brute force attempts?

2006-09-19 Thread Dan Mahoney, System Admin

On Tue, 19 Sep 2006, backyard wrote:


In reality using passwords with SSH kinda defeats the
purpose of SSH.


Keeping passwords from being sent across the network as cleartext?

-Dan

--

Of course she's gonna be upset!  You're dealing with a woman here Dan,
what the hell's wrong with you?

-S. Kennedy, 11/11/01

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



include format for /etc/rc.conf

2006-08-30 Thread Dan Mahoney, System Admin

Hey all,

Are there any supported formats for INCLUDES in /etc/rc.conf such that I 
can drop default configs into /etc/rc.conf and then have files in a 
certain directory (ala includerc) override them?  Basically, I'd like to 
do mass-updates of several dozen machines' configs normally found in 
/etc/rc.conf, but then have per-machine configs (like hostnames) 
elsewhere.


-Dan Mahoney

--

Don't be so depressed dear.

I have no endorphins, what am I supposed to do?

-DM and SK, February 10th, 1999

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



Deny large number of IPs via ipfw

2006-06-11 Thread Dan Mahoney, System Admin

Hey all,

I've got a file that I just synced from a major RBL, and I'd like to just 
use it to globally deny access to my system.  Is there an easy way to do 
this within ipfw -- the file is about 3 *million* lines, and is from 
cbl.abuseat.org.


-Dan

--

SOY BOMB!

-The Chest of the nameless streaker of the 1998 Grammy Awards' Bob Dylan
Performance.

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



RE: Deny large number of IPs via ipfw

2006-06-11 Thread Dan Mahoney, System Admin

On Sun, 11 Jun 2006, fbsd wrote:


Using such a list of IP addresses from a major rbl is flawed at the
core of the idea.
Over 85% of those 3 million IP addresses are spoofed in the first
place.
Most are what would be called false positives.

Reread the info at the source cbl.abuseat.org it says the data is
not intended to be used the way you are trying to use it.


All it says is: We're getting a lot of reports of spurious blocking 
caused by sites using the CBL to block authenticated access to smarthosts 
/ outgoing mail servers. THE CBL is only designed to be used on INCOMING 
mail, i.e. on the hosts that your MX records point to.


Which I take to mean, yeah, if you're using it on sendmail, you allow SMTP 
AUTH to override blacklists (this is the case by default.)


Whereas my intention would be to use it to block ports such as 80 and 22. 
Every system I've found trying to brute-force SSH on my box has already 
been in this database, and by using mod_access_rbl for apache I was able 
to catch and block a dozen or so attempts to post spammish content to 
guestbooks and the like (but I'd like to do this without the overhead of 
apache DNS lookups).


Thanks for your input, though.

-Dan



You really need to rethink what you are doing.




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Dan
Mahoney,
System Admin
Sent: Sunday, June 11, 2006 8:36 AM
To: [EMAIL PROTECTED]
Subject: Deny large number of IPs via ipfw


Hey all,

I've got a file that I just synced from a major RBL, and I'd like to
just
use it to globally deny access to my system.  Is there an easy way
to do
this within ipfw -- the file is about 3 *million* lines, and is from
cbl.abuseat.org.

-Dan

--

SOY BOMB!

-The Chest of the nameless streaker of the 1998 Grammy Awards' Bob
Dylan
Performance.

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to
[EMAIL PROTECTED]



--

I am a professional drinker, and I know that that was NOT Jose Cuervo!

Well, what was it then?

I think it was some mixture of Rubbing Alcohol, and Desenex(TM) Foot
Powder, because my feet feel okay, and my back doesn't hurt, but my
stomach is killing me!

-Dan Mahoney, Costa Rica, August 12th, 1994

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



named/bind hangup

2006-05-11 Thread Dan Mahoney, System Admin

Hey all,

I have caching DNS servers running on two BSD 5.4 machines, and what 
happens on both of them is that the processes will just lock up, and while 
they may still answer some queries, they don't refresh or update, or 
respond to proper signals.


For example:

s2# sh /etc/rc.d/named stop
Stopping named.
Waiting for PIDS: 278, 278, 278, 278, 278, 278, 278, 278, 278, 278^C
s2# kill -9 278
s2# sh /etc/rc.d/named start
Starting named.

They're running bind 9.3.1 -- I'm in the process of bumping one of my 
boxes up to FBSD 6.1 to run the latest and greatest named to see if this 
resolves things, but is this otherwise a known issue?  The servers are 
authoritative for about 75 domains each, and only do recursive lookups for 
our network.


Any ideas?  If this was just on a single machine I'd scratch my head a bit 
less here.


Please reply to me personally, I'm not on [EMAIL PROTECTED]

-Dan

--

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



PAM and OPIE and su

2005-12-16 Thread Dan Mahoney, System Admin

Hey all,

this is sort of a weird question, but bear with me.  I notice that 
pam_securetty has a function that allows people to have to be secure 
before it will let them do something (for example, use login as root).


I've recently enabled telnetd on my system because of people trapped 
behind library terminals at school, or behind retarded proxies on computer 
labs where ssh apps are not installed.


The issue, of course, is that there's still technically the possibility of 
someone using su(1) as a wheel user, over a session which is now insecure.


What I'd like to be able to do is be able to know which sessions are 
ssh'd, and which sessions are telnet'd, and either require OTP for the 
ones which HAVE been used for telnet -- or allow normal passwords for the 
SSHable ones.


This would probably require modifications to either telnetd or sshd, as 
most of the playing I've done with PS to make a proof-of-concept shows 
both daemons as listing their terminals as ??, as opposed to showing the 
terminalid's being used.


If nothing else, a PAM module that can tell what method a user is in via 
would be useful.


Any ideas?

-Dan

--

She's NOT my girlfriend!

-Dan Mahoney, Quite a bit recently.

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



build ports without X -- make.conf

2005-11-07 Thread Dan Mahoney, System Admin

Hey all,

In BSD 4.x, there was a section in the make.conf manpage that said you 
could define WITHOUT_X11 and ports would build without it (for things like 
ghostscript, cvsup, etc, which have distinctly different ports)


For some reason this is gone in 5.x -- what's the appropriate way to do 
this now (since WITHOUT_X11 still worked on a couple ports I've tried.)


If this is still the valid way, shouldn't it be documented as such?

-Dan

--

A mother can be an inspiration to her little son, change his thoughts,
his mind, his life, just with her gentle hum.

-No Doubt, Different People, from Tragic Kingdom


Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



Re: build ports without X -- make.conf

2005-11-07 Thread Dan Mahoney, System Admin

On Mon, 7 Nov 2005, Paul Waring wrote:


On Mon, Nov 07, 2005 at 01:16:27PM -0500, Dan Mahoney, System Admin wrote:

In BSD 4.x, there was a section in the make.conf manpage that said you
could define WITHOUT_X11 and ports would build without it (for things like
ghostscript, cvsup, etc, which have distinctly different ports)

For some reason this is gone in 5.x -- what's the appropriate way to do
this now (since WITHOUT_X11 still worked on a couple ports I've tried.)


Who told you it had gone? I've been using WITHOUT_X11=yes ever since I
started using FreeBSD as a server operating system, and it's always had
the intended result, even up until now as I'm ready to go from 5.4-6.0.


man make.conf has lost the entry for the option.  I have to imagine it was 
removed for a reason.


-Dan

--

SOY BOMB!

-The Chest of the nameless streaker of the 1998 Grammy Awards' Bob Dylan
Performance.

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



building parallel builds of mysql40 and mysql41

2005-09-12 Thread Dan Mahoney, System Admin

Hey all,

I'm presently running mysql40-server from ports.  I'd like to jump up to 
mysql41-server.  However, I've tried to build the port for the new one 
before the old one is deinstalled (just so the dbs don't have to be down 
during a long build) and the ports tree doesn't seem to like this.


Is there a way to override this?

-Dan

--

You can't call yourself a dork if you don't use UNIX!

-Dan Mahoney, May 1997

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



ssh behavior changes after upgrade to 4.1-portable

2005-08-30 Thread Dan Mahoney, System Admin

Hey all, I just upgraded to the latest 4.1-portable openssh, and now
when trying to log into my system I get the following:


[EMAIL PROTECTED]:/etc/ssh$ ssh [EMAIL PROTECTED]
WARNING: DSA key found for host prime.gushi.org
in /home/danm/.ssh/known_hosts:1
DSA key fingerprint d9:07:d0:eb:89:3d:04:73:33:e8:05:1c:6d:06:af:6b.
The authenticity of host 'prime.gushi.org (65.125.228.130)' can't be
established
but keys of different type are already known for this host.
RSA key fingerprint is ed:53:bd:52:65:9d:9d:9f:e8:bf:71:2a:82:03:1b:38.
Are you sure you want to continue connecting (yes/no)?

I have *always* had DSA *and* RSA keys available.  Does the upgrade
cause the server to offer the keys in a different order of some sort?

According to a post on googlegroups (search for ssh patchset), this is 
because the SSH built into the OS prefers DSA to RSA, but openSSH prefers 
RSA to DSA


Why neither the builtin nor openssh-portable has this as a config file 
variable is beyond me -- nor why the security/openssh-portable doesn't 
make the same patch.


Is there any way I can force the thing to go back to its old behavior?

-Dan Mahoney

--

You're a nomad billygoat!

-Juston, July 18th, 2002

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



preexec function in tcsh

2005-08-25 Thread Dan Mahoney, System Admin

Hey all,

I'm reading here that a certain version of tcsh (starting with 6.09) has 
support for a preexec function.  I'm not seeing this in the source or 
manpage.  Is there any way to upgrade the tcsh version in FreeBSD?


-Dan

--

Station!

-Bill & Ted's Bogus Journey

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



5.4 -- bridging, ipfw, dot1q

2005-08-11 Thread Dan Mahoney, System Admin

Okay, here's the situation.  PLEASE let me know if there's a better place 
to ask.  (isp@, kernel@, something)


I'm setting up a bridging firewall where the packets are passing through 
on dot1q trunks.


The bridge works.  Packet counts work (so I assume the bridge at least 
sees the packets).


Problem is, any reasonable rules (such as those which actually say to 
block traffic by ip or port or anything) aren't working at all.  Not even 
logging counts.


Setting the bridged flag doesn't seem to help.

My only guess is that ipfw doesn't have the brains to look beyond the VLAN 
tags.  Is this the case?  Is this supported under 4.x, or is there any way 
AT ALL that I can get this to work?


As a note, snort and trafshow and everything else work fine analyzing the 
bridge traffic, it seems only the kernel has an issue.


--

Of course she's gonna be upset!  You're dealing with a woman here Dan, 
what the hell's wrong with you?


-S. Kennedy, 11/11/01

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



Re: 5.4 -- bridging, ipfw, dot1q

2005-08-11 Thread Dan Mahoney, System Admin

On Thu, 11 Aug 2005, Glenn Dawson wrote:


At 09:08 PM 8/11/2005, Dan Mahoney, System Admin wrote:
Okay, here's the situation.  PLEASE let me know if there's a better place 
to ask.  (isp@, kernel@, something)


I'm setting up a bridging firewall where the packets are passing through on 
dot1q trunks.


The bridge works.  Packet counts work (so I assume the bridge at least sees 
the packets).


Problem is, any reasonable rules (such as those which actually say to 
block traffic by ip or port or anything) aren't working at all.  Not even 
logging counts.


Setting the bridged flag doesn't seem to help.


Which bridged flag would that be?


In the ipfw rule in question (which the ipfw command turns into layer2)

i.e.

fw# ipfw add 310 count ip from any to 56.199.242.178 bridged
00310 count ip from any to 56.199.242.178 layer2

fw# ipfw show
00200  00 deny udp from any to any dst-port 1433
0030097147200 deny tcp from any to any dst-port 1433
00310  00 count ip from any to 56.199.242.178 layer2
00330  144629234  70747652177 count ip from any to any layer2
00340  00 count ip from any to 56.199.242.82 layer2
003501146497505249814 count ip from any to 55.125.224.0/19 via em1
00360  154009046  73153382415 allow log logamount 100 ip from any to any
65535 1078777549 484619628567 allow ip from any to any

(such a rule would report zero traffic, even when trafshow, snort, tcpdump 
all show there's a ton).


My only guess is that ipfw doesn't have the brains to look beyond the VLAN 
tags.  Is this the case?  Is this supported under 4.x, or is there any way 
AT ALL that I can get this to work?


What version are you using?  You mention 4.x here, but your subject line 
suggests 5.4.


Yes, I'm running 5.4, but asking if it may have been supported earlier on 
in the OS (with ipfw1 -- since I know it lacks the ability to even really 
do many mac-like things).


As a note, snort and trafshow and everything else work fine analyzing the 
bridge traffic, it seems only the kernel has an issue.


Do you have the net.link.ether.bridge_ipfw sysctl set to 1?


fw# sysctl -a|grep net|grep ipfw
net.link.ether.bridge.ipfw: 1
net.link.ether.bridge.ipfw_drop: 0
net.link.ether.bridge.ipfw_collisions: 1021
net.link.ether.bridge_ipfw: 1
net.link.ether.ipfw: 0

Need anything else?

-Dan

--

The first annual 5th of July party...have you been invited?
It's a Jack Party.
Okay, so Long Island's been invited.

--Cali and Gushi, 6/23/02


Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



BSDPAN versus CPAN

2005-08-03 Thread Dan Mahoney, System Admin

Hey all,

I'm under the understanding that it's somehow preferable to install perl 
modules via the ports system, rather than the straight off perl -MCPAN -e 
shell system I normally use.  Apparently the only advantage is this avoids 
the no origin recorded errors (although portupgrade can't handle BSDPAN 
modules).


On that note, is there any sort of CPAN equivalent that will, upon trying 
to build a module will try the ports tree first, and failing that, will 
function as a wraparound to the CPAN module?


--

A single death is a tragedy.  A million deaths is a statistic.

-Josef Stalin, As quoted on the cover to Savatage's Dead Winter Dead

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



Custom Sendmail through /etc/make.conf

2005-08-01 Thread Dan Mahoney, System Admin

Hey all...

I'm building a new box and thinking I'd like to stick with the base 
sendmail instead of building my own as I've traditionally been doing.


Here is my devtools/Site/site.config.m4 file
APPENDDEF(`confENVDEF', `-DSASL -DNETINET6')
APPENDDEF(`confLIBDIRS', `-L/usr/local/lib')
APPENDDEF(`confINCDIRS', `-I/usr/local/include')
APPENDDEF(`conf_sendmail_ENVDEF', `-DMILTER -DSTARTTLS')
APPENDDEF(`conf_libmilter_ENVDEF', `-D_FFR_MILTER_ROOT_UNSAFE ')
APPENDDEF(`conf_sendmail_LIBS', `-lssl -lcrypto -lsasl')

Fairly simple, turns on SASL, SSL, Milters, and inet6

What would I put in the /etc/make.conf, which expects things like:

#SENDMAIL_CFLAGS=
#SENDMAIL_LDFLAGS=
#SENDMAIL_LDADD=
#SENDMAIL_DPADD=

to accomplish this?


--

Ca. Tas. Tro. Phy.

-John Smedley, March 28th 1998, 3AM

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---


