Re: named: invalid rndc key

2006-06-27 Thread Dennis Olvany

Kyrre Nygard wrote:

$ rndc reload
rndc: connection to remote host closed
This may indicate that the remote server is using an older version of
the command protocol, this host is not authorized to connect,
or the key is invalid.


su?
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: MySQL RC script failing

2006-06-23 Thread Dennis Olvany
060622 23:54:39 [ERROR] Can't find messagefile '/usr/local/share/mysql/english/errmsg.sys'


http://bugs.mysql.com/bug.php?id=1455

This is typical for mixing files from different MySQL releases.
Your errmsg.sys is most probably an installed file from an older release.


Re: MySQL RC script failing

2006-06-22 Thread Dennis Olvany
I recall having to tinker with the rc script. Let's have a look at the 
script and also the log residing in the db root, probably /var/db/mysql.



Re: Any generic (non-wm-specific) audio players?

2006-06-21 Thread Dennis Olvany

vlc


Re: Fwd: Fwd: Serious breach of copyright -- First post

2006-06-18 Thread Dennis Olvany

...facts are not eligible for copyright.



I'm afraid you're incorrect.  The work in question is indeed copyrightable
under the Berne Convention, which many countries have ratified, including
the United States, where the content is hosted.  The United States, as well
as many other countries, also have national laws which allow this work to be
copyrighted.


At best, the article may be considered a derivative work of the 
described software/hardware and therefore the intellectual property of 
the respective manufacturers.



Re: FreeBSD firewall, nat, kernel

2006-06-13 Thread Dennis Olvany
From a fresh install, a working nat should only require a few commands. 
Kernel compilation is not necessary.


kldload ipfw
kldload ipdivert
sysctl net.inet.ip.forwarding=1
dhclient xl0
natd -dynamic -n xl0
ipfw add divert natd ip from any to any via xl0
ipfw add allow ip from any to any
ifconfig rl0 192.168.100.253/24

To make the config permanent, you just need to use the rc equivalents of 
those commands.


/etc/rc.conf

firewall_enable=yes
firewall_type=/etc/ipfw.rules
gateway_enable=yes
ifconfig_xl0=dhcp
ifconfig_rl0=192.168.100.253/24
natd_enable=yes
natd_interface=xl0

/etc/ipfw.rules

add divert natd ip from any to any via xl0
add allow ip from any to any


[HOWTO] IPFW: Vector-Based Modularity

2006-06-03 Thread Dennis Olvany

IPFW: Vector-Based Modularity
by Dennis Olvany


I. Vectors
II. Modules
III. Examples
a. Simple Firewall
b. Complex Firewall
IV. NAT
V. Tips
a. Storing Rules
b. Ruleset
VI. Resources


A strategy for easy administration, greater efficiency and heightened 
security.



I. Vectors

A vector consists of a physical or virtual interface and a direction, 
ingress or egress. For this purpose the local host should be considered 
an interface of its own in the form of the IPFW alias, me. For example, 
consider a machine with the following interfaces. These two interfaces 
plus the local host would constitute a total of six vectors. The 
loopback interface should be considered part of me.


fxp0-in
fxp0-out

ste0-in
ste0-out

me-in
me-out


II. Modules

Each vector may be associated with a rule module or may be allowed to 
match the default rule. The IPFW ruleset begins with a series of skipto 
rules directing matching traffic to a rule module. The default rule is 
then placed before the rule modules, greatly reducing the iterations 
required to reach it. IPFW sets offer a method for working with groups 
of rules and make modules easier to discern.



III. Examples

a. Simple Firewall

The default rule, 400, may be reached in as little as four iterations. 
This ruleset may be easily altered to offer services. Use dynamic rules 
only where absolutely needed. Also, the use of setup should be avoided: 
if the dynamic rule created by a setup/keep-state rule times out, the 
packets of the still-open connection are not SYNs, so they no longer 
match and the connection breaks. Setup may thus serve to block perfectly 
legitimate ingress and egress traffic.


00100 set 0 check-state
00200 set 1 skipto 10000 ip from me to any out
00300 set 2 skipto 15000 ip from any to me in
00400 set 0 deny ip from any to any
10000 set 1 count ip from any to any
10100 set 1 allow ip from any to any keep-state
15000 set 2 count ip from any to any
15100 set 2 deny ip from me to any
15200 set 2 allow icmp from any to any
15300 set 2 deny ip from any to any
65535 set 31 deny ip from any to any

b. Complex Firewall

This router has a total of 18 vectors, of which eight are restricted. 
The remaining ten match the default rule, 1000. This firewall contains 
49 rules, but the default rule may be reached in as little as ten 
iterations. The longest possible iteration through this ruleset is a 
mere 18 rules.


Tuning this firewall is quite simple. Rules 200-300 and 400-900 may be 
shuffled so the most-matched rules come first. Be mindful that the me 
vectors must always come first. Groups of allow rules within the modules 
may also be shuffled for increased performance.


00100 set 0 check-state
00200 set 2 skipto 15000 ip from any to me in
00300 set 1 skipto 10000 ip from me to any out
00400 set 8 skipto 45000 ip from any to any out via vlan5
00500 set 4 skipto 25000 ip from any to any in via vlan2
00600 set 6 skipto 35000 ip from any to any in via fxp0
00700 set 3 skipto 20000 ip from any to any in via vlan3
00800 set 7 skipto 40000 ip from any to any out via vlan3
00900 set 5 skipto 30000 ip from any to any out via fxp0
01000 set 0 allow ip from any to any
10000 set 1 count ip from any to any
10100 set 1 allow ip from any to any keep-state
15000 set 2 count ip from any to any
15100 set 2 deny ip from me to any
15200 set 2 allow udp from 195.16.84.250 to any frag
15300 set 2 allow tcp from any to any dst-port 22 via fxp0
15400 set 2 allow udp from any to any dst-port 123
15500 set 2 allow udp from any to any dst-port 514
15600 set 2 allow icmp from any to any
15700 set 2 deny ip from any to any
20000 set 3 count ip from any to any
20100 set 3 allow tcp from not 192.168.101.2 to any dst-port 80,443
20200 set 3 allow not icmp from any to { 192.168.102.2 or dst-ip 192.168.102.7 } dst-port 53
20300 set 3 allow udp from any to any dst-port 123
20400 set 3 allow icmp from any to any
20500 set 3 deny ip from any to any
25000 set 4 count ip from any to any
25100 set 4 deny tcp from any to not 192.168.102.2 dst-port 25
25200 set 4 allow ip from any to any
30000 set 5 count ip from any to any
30100 set 5 allow tcp from any to 192.168.102.2 dst-port 25,53,80,110,443,587
30200 set 5 allow udp from any to 192.168.102.2 dst-port 53
30300 set 5 allow tcp from any to 192.168.102.7 dst-port 25,53
30400 set 5 allow udp from any to 192.168.102.7 dst-port 53,123
30500 set 5 allow udp from any to 192.168.102.4 dst-port 123
30600 set 5 allow udp from any to 192.168.102.10 dst-port 1194
30700 set 5 allow icmp from any to any
30800 set 5 deny ip from any to any
35000 set 6 count ip from any to any
35100 set 6 deny tcp from not 192.168.102.7 to any dst-port 25
35200 set 6 allow ip from any to any keep-state
40000 set 7 count ip from any to any
40100 set 7 allow udp from any 123 to 192.168.101.2
40200 set 7 deny not icmp from any to 192.168.101.0/24
40300 set 7 allow ip from any to any
45000 set 8 count ip from any to any
45100 set 8 deny not icmp from any to 192.168.103.0/24
45200 set 8 allow ip from any to any
65535 set 31 deny ip from any to any
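An added example (my code, not part of the HOWTO) that checks the figures the HOWTO quotes for any ruleset written in this style, not only the two shown here: it parses the "NNNNN set S action ..." lines, verifies that every skipto jumps forward to a rule that exists, counts the fewest rules a packet is evaluated against before the default rule is reached, computes the longest possible walk, and lists any module whose last rule can fall through into the module after it. Evaluation is modelled as the HOWTO describes it (fall through, skipto may jump, an allow or deny on "ip from any to any" always matches and ends the walk); dynamic-rule hits at check-state are ignored, which is an assumption stated in the code. The sample input is the simple firewall above.

```python
"""Path analysis for an ipfw ruleset in the HOWTO's vector/module style (added example).
Evaluation is modelled as a DAG: every rule falls through to the next one, a skipto rule
may also jump to its target, and an allow/deny on 'ip from any to any' always matches and
ends the walk. Dynamic-rule hits at check-state are ignored (static worst case)."""
import re

RULE_RE = re.compile(r"^(\d+)\s+set\s+(\d+)\s+(\S+)\s*(.*)$")
TERMINATING = {"allow", "accept", "pass", "permit", "deny", "drop", "reject", "unreach", "reset"}
UNCONDITIONAL = re.compile(r"^(?:ip|all)\s+from\s+any\s+to\s+any(?:\s+keep-state)?$")

# The HOWTO's simple firewall, used as sample input.
SIMPLE = """\
00100 set 0 check-state
00200 set 1 skipto 10000 ip from me to any out
00300 set 2 skipto 15000 ip from any to me in
00400 set 0 deny ip from any to any
10000 set 1 count ip from any to any
10100 set 1 allow ip from any to any keep-state
15000 set 2 count ip from any to any
15100 set 2 deny ip from me to any
15200 set 2 allow icmp from any to any
15300 set 2 deny ip from any to any
65535 set 31 deny ip from any to any
"""

def parse_ruleset(text):
    """Turn 'NNNNN set S action body' lines into dicts, in file order."""
    rules = []
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable rule: {line!r}")
        action, body, target = m.group(3), m.group(4).strip(), None
        if action == "skipto":                 # first body token is the jump target
            target_str, _, body = body.partition(" ")
            target = int(target_str)
        rules.append({"num": int(m.group(1)), "set": int(m.group(2)),
                      "action": action, "body": body.strip(), "target": target})
    return rules

def check_ruleset(rules, index):
    """Problems that would break the forward-only evaluation model."""
    problems = []
    for i, r in enumerate(rules):
        if i and r["num"] <= rules[i - 1]["num"]:
            problems.append(f"rule {r['num']} does not follow {rules[i - 1]['num']}")
        if r["action"] == "skipto" and not index.get(r["target"], 0) > i:
            problems.append(f"rule {r['num']} must skip forward to an existing rule")
    return problems

def successors(rules, index, i):
    """Indexes of the rules that may be evaluated right after rules[i]."""
    r = rules[i]
    fall_through = [i + 1] if i + 1 < len(rules) else []
    if r["action"] == "skipto":
        return fall_through + [index[r["target"]]]
    if r["action"] in TERMINATING and UNCONDITIONAL.match(r["body"]):
        return []                              # always matches: the walk ends here
    return fall_through                        # count, check-state, conditional allow/deny

def rules_to_reach(rules, index, target):
    """Fewest rules a packet is checked against, inclusive, before `target` is reached."""
    best = {0: 1}
    for i in range(len(rules)):                # file order is a topological order
        if i not in best:
            continue
        for s in successors(rules, index, i):
            best[s] = min(best.get(s, len(rules) + 1), best[i] + 1)
    return best.get(index[target])

def longest_walk(rules, index):
    """Most rules any single packet can be checked against before a final verdict."""
    longest = [1] * len(rules)
    for i in range(len(rules) - 1, -1, -1):
        succ = successors(rules, index, i)
        if succ:
            longest[i] = 1 + max(longest[s] for s in succ)
    return longest[0]

def leaky_modules(rules, index):
    """skipto targets whose module's last rule can fall through into the next module."""
    targets = sorted({r["target"] for r in rules if r["action"] == "skipto"})
    ends = [index[t] for t in targets[1:]] + [len(rules)]
    return [t for t, end in zip(targets, ends) if successors(rules, index, end - 1)]

def analyze(text, default_rule):
    """Summary figures for one ruleset; raises ValueError on a malformed one."""
    rules = parse_ruleset(text)
    index = {r["num"]: i for i, r in enumerate(rules)}
    problems = check_ruleset(rules, index)
    if problems:
        raise ValueError("; ".join(problems))
    return {"rules": len(rules),
            "to_default": rules_to_reach(rules, index, default_rule),
            "longest": longest_walk(rules, index),
            "leaky_modules": leaky_modules(rules, index)}

if __name__ == "__main__":
    print(analyze(SIMPLE, 400))   # {'rules': 11, 'to_default': 4, 'longest': 7, 'leaky_modules': []}
```

On the simple firewall this reports four rules to the default, matching the text, and a longest walk of seven (100, 200, 300, then the whole 15000 module). Feeding it the complex firewall with default rule 1000 reproduces the ten-and-eighteen figures the HOWTO gives. The leaky-module check is the one a reviewer wants after shuffling rules for performance: a module that does not end in an unconditional allow or deny silently hands its traffic to whatever module happens to follow it.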

Re: Firewall with 3 NIC (1 wireless) problem

2006-05-26 Thread Dennis Olvany

Mark Moellering wrote:
I am attempting to add wireless capabilities to an existing network / 
firewall structure.  I added a wireless NIC card to the firewall (Netgear 
WPN311) and followed the wireless instructions.  I also added a similar card 
to an existing computer (Netgear WG311T).
The firewall's internal wired network is on 192.168.1.1 and the wireless card 
is set to 192.168.2.1.
The client computer can find the wireless network and I can ping the wireless 
card (192.168.2.1).  However, I can get nowhere else.  I cannot get to the 
wired subnet nor get outside access to the internet.  I tried adding a bridge 
from the wired to the wireless network interfaces but that did nothing.  I 
tried putting the wireless NIC on 192.168.1.249 but that made things worse.  
Any help would be greatly appreciated.
Both client and firewall are running FreeBSD 6.1.  Relevant (that I can think 
of) files from the firewall are included...


The bridge is not necessary. If you're trying to make all the traffic 
traverse the wireless network, you'll have to change the default gateway 
on the client. Otherwise the traffic will traverse bge0 as indicated in 
the client routing table. Otherwise, I would examine the firewall. 
Change it to allow all traffic and see if that makes a difference. 
Verify that your nat configuration is correct.



Re: Firewall with 3 NIC (1 wireless) problem

2006-05-24 Thread Dennis Olvany

net.link.ether.bridge.enable=1
net.link.ether.bridge.config=bge0, ath0


Let's have a look at ifconfig and netstat -r. What's with this bridge? 
Think you'd be better off without it.



Re: IPFW - Two External Interfaces

2006-05-17 Thread Dennis Olvany

                ISP 1
           [192.168.2.254]
                 |
                 |
           [bge1:192.168.2.1]
  FIREWALL [bge0:10.0.0.1]---[10.0.0.2] internal_system
           [em0:192.168.1.1]
                 |
                 |
           [192.168.1.254]
                ISP 2


Actually, if you bridge the NICs, you may be able to get something going 
as referenced at the link.


http://www.mail-archive.com/freebsd-ipfw@freebsd.org/msg00539.html


Re: IPFW - Two External Interfaces

2006-05-16 Thread Dennis Olvany

PFS IT wrote:

I am complicating the use of IPFW...



Here is a pretty ascii picture. I drawed it meself.



                ISP 1
           [192.168.2.254]
                 |
                 |
           [bge1:192.168.2.1]
  FIREWALL [bge0:10.0.0.1]---[10.0.0.2] internal_system
           [em0:192.168.1.1]
                 |
                 |
           [192.168.1.254]
                ISP 2





#Send traffic to natd
divert 8869 ip from any to any via bge1
divert 8868 ip from any to any via em0



#Send special traffic out via em0
fwd $isp2_gw ip from $internal_system to $remote_system 80



$internal_system# hping -STp 80 $remote_system

Should result in a trace across em0 to google



ipfw: denied frags

2006-05-04 Thread Dennis Olvany
I've traced a problem to IPFW dropping frags, but have no idea what to 
make of the log or how to go about fixing the issue. Please advise.



Possibly, someone could decode this: (frag 13695:[EMAIL PROTECTED]).

10600 is a default deny and a dynamic rule exists to allow this traffic. 
The only problematic traffic is traffic that is near-MTU. Smaller PDUs 
have no problem.




May  4 19:05:36 b1 kernel: ipfw: 10600 Deny UDP 195.16.84.250 192.168.102.10 in via ste0 (frag 13695:[EMAIL PROTECTED])
May  4 19:05:47 b1 kernel: ipfw: 10600 Deny UDP 195.16.84.250 192.168.102.10 in via ste0 (frag 20569:[EMAIL PROTECTED])
May  4 19:05:47 b1 kernel: ipfw: 10600 Deny UDP 195.16.84.250 192.168.102.10 in via ste0 (frag 20569:[EMAIL PROTECTED])
May  4 19:05:47 b1 kernel: ipfw: 10600 Deny UDP 195.16.84.250 192.168.102.10 in via ste0 (frag 20570:[EMAIL PROTECTED])
May  4 19:05:47 b1 kernel: ipfw: 10600 Deny UDP 195.16.84.250 192.168.102.10 in via ste0 (frag 20570:[EMAIL PROTECTED])
May  4 19:05:47 b1 kernel: ipfw: 10600 Deny UDP 195.16.84.250 192.168.102.10 in via ste0 (frag 20571:[EMAIL PROTECTED])
May  4 19:05:47 b1 kernel: ipfw: 10600 Deny UDP 195.16.84.250 192.168.102.10 in via ste0 (frag 20571:[EMAIL PROTECTED])
May  4 19:05:48 b1 kernel: ipfw: 10600 Deny UDP 195.16.84.250 192.168.102.10 in via ste0 (frag 21244:[EMAIL PROTECTED])
May  4 19:05:48 b1 kernel: ipfw: 10600 Deny UDP 195.16.84.250 192.168.102.10 in via ste0 (frag 21244:[EMAIL PROTECTED])
May  4 19:05:50 b1 kernel: ipfw: 10600 Deny UDP 195.16.84.250 192.168.102.10 in via ste0 (frag 23141:[EMAIL PROTECTED])
May  4 19:05:50 b1 kernel: ipfw: 10600 Deny UDP 195.16.84.250 192.168.102.10 in via ste0 (frag 23141:[EMAIL PROTECTED])
May  4 19:05:54 b1 kernel: ipfw: 10600 Deny UDP 195.16.84.250 192.168.102.10 in via ste0 (frag 26828:[EMAIL PROTECTED])
May  4 19:05:54 b1 kernel: ipfw: 10600 Deny UDP 195.16.84.250 192.168.102.10 in via ste0 (frag 26828:[EMAIL PROTECTED])
May  4 19:06:02 b1 kernel: ipfw: 10600 Deny UDP 195.16.84.250 192.168.102.10 in via ste0 (frag 33624:[EMAIL PROTECTED])
May  4 19:06:02 b1 kernel: ipfw: 10600 Deny UDP 195.16.84.250 192.168.102.10 in via ste0 (frag 33624:[EMAIL PROTECTED])



Re: ipfw: denied frags

2006-05-04 Thread Dennis Olvany

Dennis Olvany wrote:
May  4 19:06:02 b1 kernel: ipfw: 10600 Deny UDP 195.16.84.250 192.168.102.10 in via ste0 (frag 33624:[EMAIL PROTECTED])


I see. The frags don't contain ports and therefore do not match the 
dynamic rule. A static rule took care of it.

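An added example (my code, not from the thread) that turns the diagnosis above into a log check: it parses ipfw syslog lines and groups the denied fragments that carry no transport ports, which is exactly the traffic a port-based dynamic rule cannot match. The archive mangled the fragment field in the lines above, so the layout id:length@offset with a trailing + for more-fragments is assumed here from ipfw's log format. The sample log is constructed: the fragment ids, rule 10600, addresses and interface are taken from the log above, while the lengths, offsets, rule 10500 and the last two lines are made up for contrast.

```python
"""Flag ipfw log entries for denied IP fragments that carry no transport ports
(added example, not from the thread). A non-first fragment has no UDP/TCP header,
so it cannot match a port-based dynamic rule and falls to the module's deny."""
import re
from collections import defaultdict

# ipfw syslog line; the fragment field is assumed to be id:length@offset with a
# trailing '+' when more fragments follow (the archive mangled it in the thread).
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<verdict>\w+) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? (?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
    r"(?: \(frag (?P<id>\d+):(?P<len>\d+)@(?P<off>\d+)(?P<more>\+?)\))?"
)

# Constructed sample: the first three mirror the thread's lines (fragment ids are the
# thread's, lengths and offsets are made up); the last two are invented for contrast.
SAMPLE_LOG = """\
May  4 19:05:36 b1 kernel: ipfw: 10600 Deny UDP 195.16.84.250 192.168.102.10 in via ste0 (frag 13695:1480@1480+)
May  4 19:05:47 b1 kernel: ipfw: 10600 Deny UDP 195.16.84.250 192.168.102.10 in via ste0 (frag 20569:1480@1480+)
May  4 19:05:47 b1 kernel: ipfw: 10600 Deny UDP 195.16.84.250 192.168.102.10 in via ste0 (frag 20569:20@2960)
May  4 19:05:47 b1 kernel: ipfw: 10500 Accept UDP 195.16.84.250:1194 192.168.102.10:1194 in via ste0 (frag 20570:1480@0+)
May  4 19:05:50 b1 kernel: ipfw: 10600 Deny TCP 192.0.2.9:40123 192.168.102.10:22 in via ste0
"""

def parse_line(line):
    """Parse one ipfw log line into a dict, or return None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    entry = {k: d[k] for k in ("verdict", "proto", "src", "dst", "dir", "iface")}
    entry["rule"] = int(d["rule"])
    entry["sport"] = int(d["sport"]) if d["sport"] else None
    entry["dport"] = int(d["dport"]) if d["dport"] else None
    entry["frag"] = None
    if d["id"] is not None:
        entry["frag"] = {"id": int(d["id"]), "len": int(d["len"]),
                         "offset": int(d["off"]), "more": d["more"] == "+"}
    return entry

def is_portless_fragment(entry):
    """True for a non-first fragment: offset > 0 means no L4 header, hence no ports."""
    return entry["frag"] is not None and entry["frag"]["offset"] > 0

def fragment_denials(lines):
    """Group denied port-less fragments by (rule, proto, src, dst, iface)."""
    groups = defaultdict(lambda: {"packets": 0, "datagrams": set()})
    for line in lines:
        e = parse_line(line)
        if e is None or e["verdict"] != "Deny" or not is_portless_fragment(e):
            continue
        g = groups[(e["rule"], e["proto"].lower(), e["src"], e["dst"], e["iface"])]
        g["packets"] += 1
        g["datagrams"].add(e["frag"]["id"])
    return {k: {"packets": v["packets"], "datagrams": len(v["datagrams"])}
            for k, v in groups.items()}

def static_frag_rule(proto, src):
    """The static-rule form the thread settled on (compare rule 15200 of the HOWTO's
    complex firewall on this page): match fragments by protocol and source, not by port."""
    return f"allow {proto} from {src} to any frag"

if __name__ == "__main__":
    for (rule, proto, src, dst, iface), st in fragment_denials(SAMPLE_LOG.splitlines()).items():
        print(f"rule {rule} dropped {st['packets']} fragment(s) of {st['datagrams']} {proto} "
              f"datagram(s) {src} -> {dst} via {iface}; static fix: {static_frag_rule(proto, src)}")
```

The first fragment of a datagram (offset 0) still carries the UDP header, so it matches the dynamic rule and is not reported; only the trailing fragments, which the HOWTO's near-MTU symptom produces, reach the deny. Grouping by datagram id shows how many transfers were actually broken rather than how many packets were logged.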


Re: Newbie help!

2006-04-09 Thread Dennis Olvany

infernus - Bluelight wrote:

How do I enter some kind of interface, or desktop, like on the
screenshots? Is there a web-site or enything with tutorials
explaining how to do all this..


1) Install xorg. If you chose an x installation, such as x-user, then
you can skip this step. To see what's already installed, use pkg_info.
The command to install xorg is probably pkg_add -r xorg.

2) Configure xorg. Command is Xorg -configure (note the capital X, very
important). You'll then have to copy the configuration to the correct
location, /etc/X11/xorg.conf. Details in the handbook.

3) Install a window manager. Here's the command to install xfce4:
pkg_add -r xfce4.

4) Start the window manager. In the case of xfce4, the command is
startxfce4.

5) Install a web browser and such.


Re: ipfw and ssh

2006-04-05 Thread Dennis Olvany

# Allow person SSH access
mip=xxx.xxx.xxx.xxx
${fwcmd} allow tcp from any to any 22 out setup keep-state


I see two reasons that egress sshd traffic will not match the above 
rule. The destination port is incorrect and a syn/ack will not match.



${fwcmd} add pass tcp from ${mip} to me 22 setup limit src-addr 2



Re: Advanced IPFW2 Forward rule problem / bug / misunderstanding

2006-01-10 Thread Dennis Olvany
This should get you most of the way there or at least give you a good
idea of what's required.


 options IPFIREWALL_FORWARD_EXTENDED

I'm pretty sure this will be required.


 defaultrouter=24.85.92.1
 ifconfig_rl0=192.168.1.1
 ifconfig_vr0=142.179.109.xxx netmask 255.255.248.0
 ifconfig_vr1=216.232.85.xxx netmask 255.255.254.0
 ifconfig_rue0=24.85.9x.xxx netmask 255.255.252.0
 ifconfig_rue0_alias0=24.85.9x.xxx netmask 255.255.255.255


 Telus
 ext1_ip=142.179.109.xxx  # IP Address
 ext1_gw=142.179.104.254  # IP Gateway
 ext2_ip=216.232.85.xxx  # IP Address
 ext2_gw=216.232.84.254  # IP Gateway

 Shaw Cable
 shaw_ip=24.85.93.xxx  # IP Address
 shaw_gw=24.85.92.1  # IP Gateway
 srv2_ext=24.85.93.xxx  # External IP of server

 INTERNAL
 int_ip=192.168.1.1  # IP Address


 # And run our new NATd
 /sbin/natd -log_ipfw_denied -i ${nat_in} -o ${nat_out} -s -m -u -n
 ${shaw} -punch_fw 36000:100 -redirect_port tcp ${ext1_srv}:22
 ${ext1_ip}: -redirect_port tcp ${ext1_srv}:53 ${ext1_ip}:53
 -redirect_port tcp ${ext1_srv}:80 ${ext1_ip}:80 -redirect_port tcp
 ${ext1_srv}:443 ${ext1_ip}:443 -redirect_port udp ${ext1_srv}:53
 ${ext1_ip}:53 -redirect_port tcp ${ext2_srv}:80 ${ext2_ip}:80
 -redirect_port tcp ${ext2_srv}:443 ${ext2_ip}:443 -redirect_port tcp
 ${srv1_int}:22 ${shaw_ip}: -redirect_port tcp ${srv1_int}:53
 ${shaw_ip}:53 -redirect_port udp ${srv1_int}:53 ${shaw_ip}:53
 -redirect_port tcp ${srv1_int}:80 ${shaw_ip}:80 -redirect_port tcp
 ${srv1_int}:443 ${shaw_ip}:443 -redirect_port tcp ${srv2_int}:80
 ${srv2_ext}:80 -redirect_port tcp ${srv2_int}:443 ${srv2_ext}:443

That's a hefty nat command. Let's simplify by putting it in a file. I
leave the port forwarding to you.

/etc/rc.conf

natd_enable=yes
natd_flags=-f /etc/natd.conf

/etc/natd.conf

instance default
interface vr0
port 8668

instance telus2
interface vr1
port 8669

instance shaw1
alias_address 24.85.93.xxx
port 8670

instance shaw2
alias_address 24.85.93.xxx
port 8671

globalport 8672


I see that your firewall is based on rc.firewall. Forget rc.firewall, it
is junk. Base your firewall on this structure.

1. Public Interface NAT Diversion

2. check-state

3. Public Interface Leak Prevention
3.1 deny egress from internal hosts
3.2 deny ingress to internal hosts

4. Antispoof
4.1 allow via loopback interface
4.2 deny ingress from router
4.3 deny ingress from internal hosts via public interface

5. Router
5.1 allow egress
5.2 deny egress
5.3 allow ingress
5.4 deny ingress

6. Internal Hosts
6.1 allow egress
6.2 deny egress
6.3 allow ingress
6.4 deny ingress

7. Default Deny


/etc/rc.conf

firewall_enable=yes
firewall_type=/etc/ipfw.rules

/etc/ipfw.rules

-f flush

add divert 8668 ip from any to any in via vr0
add divert 8669 ip from any to any in via vr1
add divert 8670 ip from any to 24.85.93.xxx in via rue0
add divert 8671 ip from any to 24.85.93.xxx in via rue0
#have never known the globalport to work on inbound
add divert 8672 ip from any to any out via { vr0 or vr1 or rue0 }
#not sure if that 'or' will work... may need to split it up

check-state

add deny ip from 192.168.1.1/24 to any via { vr0 or vr1 or rue0 }

add allow ip from me to me via lo0 keep-state
add deny ip from me to any in

add allow ip from me to { me or 192.168.1.1/24 or 142.179.109.xxx/21 or
216.232.85.xxx/23 or 24.85.9x.xxx/22 } keep-state
add forward 142.179.104.254 ip from 142.179.109.xxx to any keep-state
add forward 216.232.84.254 ip from 216.232.85.xxx to any keep-state
add forward 24.85.92.1 ip from 24.85.9x.xxx to any keep-state
add forward 24.85.92.1 ip from 24.85.9x.xxx to any keep-state
add allow ip from me to any keep-state
add deny ip from me to any
add allow icmp from any to me icmptypes 3,4,8,11 keep-state
add deny ip from any to me

add allow ip from 192.168.1.1/24 to any keep-state
add deny ip from 192.168.1.1/24 to any
add allow icmp from any to 192.168.1.1/24 icmptypes 3,4,11 keep-state
add deny ip from any to 192.168.1.1/24


Re: Advanced IPFW2 Forward rule problem / bug / misunderstanding

2006-01-10 Thread Dennis Olvany
Andrew Fremantle wrote:
 Thanks for the quick reply.
 
 I just want to clarify a few things here. Given that I only want 
 outbound NAT on one interface, is it really necessary to run four 
 instances of NATd? Can't one instance handle outbound NAT + inbound 
 sessions on all interfaces, as I have it set up?

I'm sure you'll need one instance for each public IP from which you wish
to originate traffic.

 Also, you're using a whole bunch of options and features here that
 are not documented on the natd man page. I found a writeup by the
 author of these features, but I'm not certain if that's in the
 -STABLE branch or not. (IE, will these options work with a
 6.0-RELEASE natd?)

Yes. I use these features with 6.0-release.

 Also, I'm not certain how your forward rules would work when mine do 
 not, as you're doing the same thing I did - NAT Translation

beta 6 usb keyboard issues

2005-07-26 Thread Dennis Olvany
I attempted to install 6 beta without success. As with earlier versions, the 
default installer does not recognize a usb keyboard. Earlier versions had the 
simple menu, Push 7 for usb keyboard. I don't want to know how to accomplish 
this in freebsd 6, I want it to be intuitive! Why not make it ultra-intuitive 
and support usb keyboards by default? This really needs to be ironed out by 
release time. There has got to be a better way. (Hint: The old way was better.) 
Any replies need to be directly addressed, I do not monitor the list.


x11 help

2005-04-07 Thread Dennis Olvany
I'm attempting to run the Doom 3 Linux binary on FreeBSD 5.3. I really have no 
idea how to get x11/Doom 3 started. I've tested my x11 configuration with [Xorg 
-config xorg.conf.new] and it seems to work well. I'm sure Doom 3 expects x11 
to already be running in the form of KDE or Gnome, but I would like to run Doom 
3 directly from the command line. I have no idea how to get x11 started and 
then launch Doom 3.


mysql upload_max_filesize

2005-03-31 Thread Dennis Olvany
Everything I've seen says to put the upload_max_filesize into php.ini, but I 
searched my drive and I don't have a php.ini. Anyone know the deal?

FreeBSD 5.3
PHP 4.3.10


mysql troubles

2005-03-14 Thread Dennis Olvany
just installed it and having trouble getting it going
fresh mysql4.1 install on fbsd5.3


bsd# mysqladmin flush-privileges
mysqladmin: connect to server at 'localhost' failed
error: 'Can't connect to local MySQL server through socket '/tmp/mysql.sock' (2)'
Check that mysqld is running and that the socket: '/tmp/mysql.sock' exists!
bsd# mysql_install_db --user=mysql
Installing all prepared tables
Fill help tables
050314  7:15:34 [ERROR] /usr/local/libexec/mysqld: Can't find file: './mysql/help_topic.frm' (errno: 13)
ERROR: 1017  Can't find file: './mysql/help_topic.frm' (errno: 13)
050314  7:15:34 [ERROR] /usr/local/libexec/mysqld: Can't find file: './mysql/help_category.frm' (errno: 13)
ERROR: 1017  Can't find file: './mysql/help_category.frm' (errno: 13)
050314  7:15:34 [ERROR] /usr/local/libexec/mysqld: Can't find file: './mysql/help_keyword.frm' (errno: 13)
ERROR: 1017  Can't find file: './mysql/help_keyword.frm' (errno: 13)
050314  7:15:34 [ERROR] /usr/local/libexec/mysqld: Can't find file: './mysql/help_relation.frm' (errno: 13)
ERROR: 1017  Can't find file: './mysql/help_relation.frm' (errno: 13)
050314  7:15:34 [ERROR] /usr/local/libexec/mysqld: Can't find file: './mysql/help_category.frm' (errno: 13)
ERROR: 1017  Can't find file: './mysql/help_category.frm' (errno: 13)
050314  7:15:34 [ERROR] /usr/local/libexec/mysqld: Can't find file: './mysql/help_category.frm' (errno: 13)
ERROR: 1017  Can't find file: './mysql/help_category.frm' (errno: 13)
050314  7:15:34 [ERROR] /usr/local/libexec/mysqld: Can't find file: './mysql/help_topic.frm' (errno: 13)
ERROR: 1017  Can't find file: './mysql/help_topic.frm' (errno: 13)
050314  7:15:34 [ERROR] /usr/local/libexec/mysqld: Can't find file: './mysql/help_topic.frm' (errno: 13)
ERROR: 1017  Can't find file: './mysql/help_topic.frm' (errno: 13)
050314  7:15:34 [ERROR] /usr/local/libexec/mysqld: Can't find file: './mysql/help_topic.frm' (errno: 13)
ERROR: 1017  Can't find file: './mysql/help_topic.frm' (errno: 13)
050314  7:15:34 [ERROR] /usr/local/libexec/mysqld: Can't find file: './mysql/help_topic.frm' (errno: 13)
ERROR: 1017  Can't find file: './mysql/help_topic.frm' (errno: 13)
050314  7:15:34 [ERROR] /usr/local/libexec/mysqld: Can't find file: './mysql/help_topic.frm' (errno: 13)
ERROR: 1017  Can't find file: './mysql/help_topic.frm' (errno: 13)
050314  7:15:34 [ERROR] /usr/local/libexec/mysqld: Can't find file: './mysql/help_topic.frm' (errno: 13)
ERROR: 1017  Can't find file: './mysql/help_topic.frm' (errno: 13)
050314  7:15:34 [ERROR] /usr/local/libexec/mysqld: Can't find file: './mysql/help_topic.frm' (errno: 13)
ERROR: 1017  Can't find file: './mysql/help_topic.frm' (errno: 13)
050314  7:15:34 [ERROR] /usr/local/libexec/mysqld: Can't find file: './mysql/help_topic.frm' (errno: 13)
ERROR: 1017  Can't find file: './mysql/help_topic.frm' (errno: 13)
050314  7:15:34 [ERROR] /usr/local/libexec/mysqld: Can't find file: './mysql/help_topic.frm' (errno: 13)
ERROR: 1017  Can't find file: './mysql/help_topic.frm' (errno: 13)
050314  7:15:34 [ERROR] /usr/local/libexec/mysqld: Can't find file: './mysql/help_topic.frm' (errno: 13)
ERROR: 1017  Can't find file: './mysql/help_topic.frm' (errno: 13)
050314  7:15:34 [ERROR] /usr/local/libexec/mysqld: Can't find file: './mysql/help_topic.frm' (errno: 13)
ERROR: 1017  Can't find file: './mysql/help_topic.frm' (errno: 13)
050314  7:15:34 [ERROR] /usr/local/libexec/mysqld: Can't find file: './mysql/help_topic.frm' (errno: 13)
ERROR: 1017  Can't find file: './mysql/help_topic.frm' (errno: 13)
050314  7:15:34 [ERROR] /usr/local/libexec/mysqld: Can't find file: './mysql/help_topic.frm' (errno: 13)
ERROR: 1017  Can't find file: './mysql/help_topic.frm' (errno: 13)
050314  7:15:34 [ERROR] /usr/local/libexec/mysqld: Can't find file: './mysql/help_topic.frm' (errno: 13)
ERROR: 1017  Can't find file: './mysql/help_topic.frm' (errno: 13)
050314  7:15:34 [ERROR] /usr/local/libexec/mysqld: Can't find file: './mysql/help_topic.frm' (errno: 13)
ERROR: 1017  Can't find file: './mysql/help_topic.frm' (errno: 13)
050314  7:15:34 [ERROR] /usr/local/libexec/mysqld: Can't find file: './mysql/help_topic.frm' (errno: 13)
ERROR: 1017  Can't find file: './mysql/help_topic.frm' (errno: 13)
050314  7:15:34 [ERROR] /usr/local/libexec/mysqld: Can't find file: './mysql/help_topic.frm' (errno: 13)
ERROR: 1017  Can't find file: './mysql/help_topic.frm' (errno: 13)
050314  7:15:35 [ERROR] /usr/local/libexec/mysqld: Can't find file: './mysql/help_topic.frm' (errno: 13)
ERROR: 1017  Can't find file: './mysql/help_topic.frm' (errno: 13)
050314  7:15:35 [ERROR] /usr/local/libexec/mysqld: Can't find file: './mysql/help_topic.frm' (errno: 13)
ERROR: 1017  Can't find file: './mysql/help_topic.frm' (errno: 13)
050314  7:15:35 [ERROR] /usr/local/libexec/mysqld: Can't find file: './mysql/help_topic.frm' (errno: 13)
ERROR: 1017  Can't find file: './mysql/help_topic.frm' (errno: 13)
050314  7:15:35 [ERROR] /usr/local/libexec/mysqld: 

cron mail

2005-03-13 Thread Dennis Olvany
How do I change the e-mail address and SMTP server cron uses to e-mail the 
daily root report?


smbd bind problem

2005-03-09 Thread Dennis Olvany
Alright, looked at the log file. Seems the bind to *:139 is failing. Nmbd is
already bound to 139, so what's the solution? Which one is supposed to be
bound to 139? Someone please advise.
It seems that smbd will not run. It will not run from inetd.conf. It will
not run from the command line. Which is to say, it won't remain running,
even with the -D switch.
Nmbd runs fine from both. The server appears in the windows network browser
and is pingable by netbios name.
If I try to access the machine I get the following error.
The account is not authorized to log in from this station. 
