Buildworld on flaky hardware

2011-03-12 Thread Erik Norgaard

Hi:

I previously wrote about buildworld failure, it turns out to be flaky 
hardware. Since then I have tried to reboot on every failure and start 
building again. It compiles fine for 3-5 hours, then fails at 
different places.


It seems that a new make buildworld does not pickup from where it 
failed, but deletes files at the beginning or something.


Is there a way to split the buildworld target into sub targets so as 
not to restart every time?


I know there is the -DNO_CLEAN option, but I'd prefer to build 
successfully each subtarget rather than resume upon failure.


Thanks, Erik

--
Erik Nørgaard
Ph: +34.666334818    http://www.locolomo.org
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Buildworld fail

2011-03-08 Thread Erik Norgaard

Hi:

I'm trying to upgrade to 8.2, just updated source, cleaned up any 
leftovers from previous build, but make buildworld fails. I have,


alpha# uname -a
FreeBSD alpha 8.1-STABLE FreeBSD 8.1-STABLE #0: Sat Oct  2 20:34:13 CEST 
2010 root@alpha:/usr/local/obj/usr/local/src/sys/GENERIC  i386

alpha# echo $MAKEOBJDIRPREFIX
/usr/local/obj
alpha# make buildworld
--------------------------------------------------------------
>>> World build started on Tue Mar  8 11:30:53 CET 2011
--------------------------------------------------------------

--------------------------------------------------------------
>>> Rebuilding the temporary build tree
--------------------------------------------------------------
rm -rf /usr/local/obj/usr/local/src/tmp
mkdir -p /usr/local/obj/usr/local/src/tmp/lib
mkdir -p /usr/local/obj/usr/local/src/tmp/usr
mkdir -p /usr/local/obj/usr/local/src/tmp/legacy/usr
mtree -deU -f /usr/local/src/etc/mtree/BSD.usr.dist  -p 
/usr/local/obj/usr/local/src/tmp/legacy/usr >/dev/null
mtree -deU -f /usr/local/src/etc/mtree/BSD.usr.dist  -p 
/usr/local/obj/usr/local/src/tmp/usr >/dev/null
mtree -deU -f /usr/local/src/etc/mtree/BSD.include.dist  -p 
/usr/local/obj/usr/local/src/tmp/usr/include >/dev/null

ln -sf /usr/local/src/sys /usr/local/obj/usr/local/src/tmp

--------------------------------------------------------------
>>> stage 1.1: legacy release compatibility shims
--------------------------------------------------------------
cd /usr/local/src; MAKEOBJDIRPREFIX=/usr/local/obj/usr/local/src/tmp 
INSTALL=sh /usr/local/src/tools/install.sh 
PATH=/usr/local/obj/usr/local/src/tmp/legacy/usr/sbin:/usr/local/obj/usr/local/src/tmp/legacy/usr/bin:/usr/local/obj/usr/local/src/tmp/legacy/usr/games:/sbin:/bin:/usr/sbin:/usr/bin 
 WORLDTMP=/usr/local/obj/usr/local/src/tmp  VERSION=FreeBSD 8.1-STABLE 
i386 801500  MAKEFLAGS=-m /usr/local/src/tools/build/mk  -m 
/usr/local/src/share/mk make -f Makefile.inc1  DESTDIR= 
BOOTSTRAPPING=801500  SSP_CFLAGS=  -DWITHOUT_HTML -DWITHOUT_INFO 
-DNO_LINT -DWITHOUT_MAN  -DNO_PIC -DWITHOUT_PROFILE -DNO_SHARED 
-DNO_CPU_CFLAGS -DNO_WARNS -DNO_CTF legacy

>>> tools/build (obj,includes,depend,all,install)
/usr/local/obj/usr/local/src/tmp/usr/local/src/tools/build created for 
/usr/local/src/tools/build

cd /usr/local/src/tools/build; make buildincludes; make installincludes
rm -f .depend
mkdep -f .depend -a 
-I/usr/local/obj/usr/local/src/tmp/legacy/usr/include 
/usr/local/src/tools/build/dummy.c

<built-in>:0: internal compiler error: Segmentation fault: 11
Please submit a full bug report,
with preprocessed source if appropriate.
See <URL:http://gcc.gnu.org/bugs.html> for instructions.
mkdep: compile failed
*** Error code 1

Stop in /usr/local/src/tools/build.
*** Error code 1

Stop in /usr/local/src.
*** Error code 1

Stop in /usr/local/src.
*** Error code 1

Stop in /usr/local/src.

OK, so it quite clearly states: submit a bug report, but...

Any clue?

Thanks, Erik
--
Erik Nørgaard
Ph: +34.666334818    http://www.locolomo.org


Re: Buildworld fail

2011-03-08 Thread Erik Norgaard

On 08/03/2011 12:21, Damien Fleuriot wrote:

Contents of your make.conf ?
You never know...


LOADER_TFTP_SUPPORT= YES
#SUP_UPDATE=
#SUP=/usr/bin/csup
#SUPFLAGS=   -g -L 2
SUPHOST=cvsup.uk.FreeBSD.org
SUPFILE=/usr/local/src/standard-supfile
PORTSSUPFILE=   /usr/local/ports/ports-supfile
PORTSDIR=   /usr/local/ports
WITHOUT_X11=YES
WITH_BDB_VER=46
WITH_MODPERL2=YES
PYTHON_VERSION=python2.6
PERL_VERSION=5.12.2

Nothing dramatic there... and in the csup file:

*default host=cvsup.uk.FreeBSD.org
*default base=/var/db
*default prefix=/usr/local
*default release=cvs tag=RELENG_8
*default delete use-rel-suffix
*default compress
src-all

csup'ed the source right before build.

Thanks, Erik


Re: Buildworld fail

2011-03-08 Thread Erik Norgaard

On 08/03/2011 12:22, Robert Bonomi wrote:

Something -- just what is unknown --  triggered an *INTERNAL*COMPILER*ERROR*
doing a 'makedep'.

Dig through the mailing-list archives for the last week or two.  There was
another report of the compiler choking.  As I recall, there was a follow-
up to -that- report that found an 'oops' in a header file, and a simple fix.


I just checked the archives; indeed there was a thread, but the failure 
was at a later point, stage 1.2, and the fix was to remove some CFLAGS 
options which I don't have. I didn't find other threads.


BR, Erik


Re: Buildworld fail

2011-03-08 Thread Erik Norgaard

On 08/03/2011 12:49, Damien Fleuriot wrote:


Can you try with the release tag RELENG_8_2 ?


I just nuked src and obj and did a fresh checkout of RELENG_8_2, but the 
problem persists :(


--------------------------------------------------------------
>>> stage 1.1: legacy release compatibility shims
--------------------------------------------------------------
cd /usr/local/src; MAKEOBJDIRPREFIX=/usr/local/obj/usr/local/src/tmp 
INSTALL=sh /usr/local/src/tools/install.sh 
PATH=/usr/local/obj/usr/local/src/tmp/legacy/usr/sbin:/usr/local/obj/usr/local/src/tmp/legacy/usr/bin:/usr/local/obj/usr/local/src/tmp/legacy/usr/games:/sbin:/bin:/usr/sbin:/usr/bin 
 WORLDTMP=/usr/local/obj/usr/local/src/tmp  VERSION=FreeBSD 8.1-STABLE 
i386 801500  MAKEFLAGS=-m /usr/local/src/tools/build/mk  -m 
/usr/local/src/share/mk make -f Makefile.inc1  DESTDIR= 
BOOTSTRAPPING=801500  SSP_CFLAGS=  -DWITHOUT_HTML -DWITHOUT_INFO 
-DNO_LINT -DWITHOUT_MAN  -DNO_PIC -DWITHOUT_PROFILE -DNO_SHARED 
-DNO_CPU_CFLAGS -DNO_WARNS -DNO_CTF legacy

>>> tools/build (obj,includes,depend,all,install)
/usr/local/obj/usr/local/src/tmp/usr/local/src/tools/build created for 
/usr/local/src/tools/build

cd /usr/local/src/tools/build; make buildincludes; make installincludes
rm -f .depend
mkdep -f .depend -a 
-I/usr/local/obj/usr/local/src/tmp/legacy/usr/include 
/usr/local/src/tools/build/dummy.c

<built-in>:0: internal compiler error: Segmentation fault: 11
Please submit a full bug report,
with preprocessed source if appropriate.
See <URL:http://gcc.gnu.org/bugs.html> for instructions.
mkdep: compile failed
*** Error code 1

Stop in /usr/local/src/tools/build.
*** Error code 1

Stop in /usr/local/src.
*** Error code 1

Stop in /usr/local/src.
*** Error code 1

Stop in /usr/local/src.


Re: Buildworld fail

2011-03-08 Thread Erik Norgaard

On 08/03/2011 15:52, Greg Larkin wrote:


A segfault might be indicative of hardware problems, you may want to
check your ram chips ?


Reference: http://www.bitwizard.nl/sig11/


Hi, thanks. Did a clean up again, reboot, fsck, reboot again and now 
it's building.


Probably time for an upgrade; it's a three year old VIA itx system with 
an even older RAM module.


BR, Erik


Re: Buildworld fail

2011-03-08 Thread Erik Norgaard

On 08/03/2011 21:16, Michael J. Kearney wrote:


Would anyone agree that it is possible the hardware console... logging in from 
a remote terminal has corrected my own segfaults on substandard hardware...


Depends on the hardware I guess. I am building everything remotely. I do 
know however that these VIA EPIA boards are known for a flaky disk 
controller, and the RAM I have installed is slower than recommended, 
so it's not really ideal for reliable operation.


BR, Erik


Re: can't use godaddy SSL cert

2010-11-28 Thread Erik Norgaard

On 28/11/10 18.51, bluethundr wrote:


Yes the hostname is in the CN of the cert file. So I agree that -h is
not the issue. :)
[r...@vircent03:~]#ldapsearch -h ldap -b dc=summitnjhome,dc=com -Z
-D cn=Manager,dc=summitnjhome,dc=com (objectclass=sudoRole) -W


Maybe I didn't make myself clear: the host name you use to connect to 
(-h), in your command line example above, ldap, must be the same as the 
CN of the server certificate. It is irrelevant whether the server's 
hostname is the same as the CN.


That might be why you get

 ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL
 routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Try

 -h LBSD2.summitnjhome.com

BR, Erik

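The point made in the reply above is that the client compares the name it was told to connect to (the -h value) against the names in the server certificate, and nothing else. The following is an added example, not code from the thread, that reimplements that comparison over the dict shape Python's ssl.SSLSocket.getpeercert() returns. The certificate dicts are constructed to mirror the subject printed in the ldapsearch trace earlier in the thread; the SAN certificate and all host names are hypothetical.

```python
"""Hostname matching as a TLS client performs it, over a getpeercert() dict.
Added example; not code from the mailing-list thread."""


def _cert_names(cert):
    """Return the DNS names a certificate is valid for.

    Following RFC 6125: if subjectAltName carries any dNSName entries only
    those count; the subject CN is a fallback for certificates without one
    (the GoDaddy certificate in the thread has no SAN, so the CN applies)."""
    dns_names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns_names:
        return dns_names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def _label_match(pattern, hostname):
    """Match one certificate name against a hostname; a single wildcard is
    allowed only as the whole left-most label (*.example.com)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """True if the name used to connect is covered by the certificate."""
    return any(_label_match(name, hostname) for name in _cert_names(cert))


# Constructed: the subject from the thread's `ldapsearch -d -1` trace, in
# getpeercert() layout (tuple of RDNs, each a tuple of (type, value) pairs).
LDAP_SERVER_CERT = {
    "subject": (
        (("organizationName", "LBSD2.summitnjhome.com"),),
        (("organizationalUnitName", "Domain Control Validated"),),
        (("commonName", "LBSD2.summitnjhome.com"),),
    ),
    "issuer": (
        (("countryName", "US"),),
        (("commonName", "Go Daddy Secure Certification Authority"),),
    ),
}

# Constructed: a certificate with a SAN list, showing that the CN is ignored
# once dNSName entries are present.
SAN_CERT = {
    "subject": ((("commonName", "ignored.example"),),),
    "subjectAltName": (("DNS", "ldap.example.com"), ("DNS", "*.example.com")),
}


def check_connect_names(cert, candidates):
    """Evaluate each -h value a client might use; returns {name: bool}."""
    return {name: hostname_matches(cert, name) for name in candidates}


if __name__ == "__main__":
    results = check_connect_names(LDAP_SERVER_CERT,
                                  ["ldap", "LBSD2.summitnjhome.com"])
    for name, ok in results.items():
        verdict = "ok" if ok else "certificate verify failed"
        print(f"-h {name:<24} -> {verdict}")
```

Running it shows why `-h ldap` fails and `-h LBSD2.summitnjhome.com` succeeds against the same certificate: the short name the resolver happens to accept is never consulted by the TLS layer, only the literal string the client was given.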


Re: can't use godaddy SSL cert

2010-11-25 Thread Erik Norgaard

On 25/11/10 17.26, bluethundr wrote:


I have setup the certificate chain in my slapd.conf like so:

[r...@lbsd2:/usr/home/bluethundr]#grep -i tls
/usr/local/etc/openldap/slapd.conf## TLS options for slapd
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile  /usr/local/etc/openldap/cacerts/LBSD2.summitnjhome.com.crt
TLSCertificateKeyFile /usr/local/etc/openldap/cacerts/slapd.pem
TLSCACertificateFile  /usr/local/etc/openldap/cacerts/sf_issuing.crt

I have tried each of the following certs with no luck in getting my
cert to talk to it's CA:

-rw-r--r--  1 root  bluethundr  2604 Nov 25 11:37 ca_bundle.crt
-r--r-  1 root  ldap4604 Nov 24 18:57 gd_bundle.crt
-r--r-  1 root  ldap1537 Nov 25 02:00 sf_issuing.crt


As mentioned in my previous mail, there is no need to specify 
TLSCACertificateFile in slapd.conf unless your server will request a 
client certificate for authentication. Nor is there any point in trying 
multiple files; you can concatenate the CA certificates into a single file.


Since these are certificates you can leave global read access.


and I get the same result for each when I attempt to connect to SSL on
the LDAP server:

[r...@lcent01:/tmp/Foswiki-1.1.2]#openssl s_client -connect
ldap.example.com:389 -showcerts -CAfile sf_issuing.crt
13730:error:02001002:system library:fopen:No such file or
directory:bss_file.c:122:fopen('sf_issuing.crt','r')
13730:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125:
13730:error:0B084002:x509 certificate
routines:X509_load_cert_crl_file:system lib:by_file.c:279:
CONNECTED(0003)
13730:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:188:


Can't find sf_issuing.crt, well, from your CWD it appears that the 
certificate is not found in that path.



ldapsearch -h ldap.example.com -d -1 -ZZ dc=example,dc=com

TLS certificate verification: depth: 0, err: 20, subject:
/O=LBSD2.summitnjhome.com/OU=Domain Control
Validated/CN=LBSD2.summitnjhome.com, issuer:
/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com,
Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure
Certification Authority/serialNumber=07969287
TLS certificate verification: Error, unable to get local issuer certificate
tls_write: want=7, written=7
   :  15 03 01 00 02 02 30   ..0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

It seems to indicate that it can't talk to its CA...

does anyone have any suggestions on how to make this work?


No. I assume that your hostname is the CN indicated above, so your -h is 
not the issue. When you do -ZZ then ldapsearch will fail if it cannot 
validate the certificate. You can try with a single -Z to see if it works.


You have not included your ldap.conf above; ldapsearch reads 
ldap.conf, including where to find any CA certificates. Either you have 
not installed the GoDaddy CA certificate or you have not updated your 
ldap.conf accordingly.


BR, Erik


Re: TLS enabled LDAP, clients fail to connect

2010-11-22 Thread Erik Norgaard

On 21/11/10 23.20, bluethundr wrote:

I am attempting to setup SSL/TLS support on my openLDAP 2.4 server on FreeBSD.

...

[r...@virtcent08:/etc/openldap/cacerts]#openssl s_client -connect
ldap.summitnjhome.com:389 -showcerts -CAfile gd_bundle.crt
CONNECTED(0003)
3156:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:188:


From the man page, s_client(1):

If the handshake fails then there are several possible causes, if it is 
nothing obvious like no client certificate then the -bugs, -ssl2, -ssl3, 
-tls1, -no_ssl2, -no_ssl3, -no_tls1 options can be tried in case it is a 
buggy server.


But rather than using s_client, you may try using ldapsearch(1)

I use openldap-sasl-server-2.4.23, in slapd.conf:

TLSCipherSuite  HIGH
TLSCertificateFile  /path/to/server/certs/MyServerCert.cer
TLSCertificateKeyFile   /path/to/server/certs/MyServerKey.key

The server need only be configured with the TLSCACertificateFile option if 
you use TLS for client authentication. Multiple certificates can be 
stored in this file by concatenating the certificate files.


in ldap.conf:

TLS_CACERT  /path/to/certs/MyCARoot.cer

The MyCARoot.cer must be the CA root certificate used to issue the 
server certificate. You may add more certificates by concatenation.


Other TLS options may be configured to enable TLS client authentication.

Then with the command:

ldapsearch -Z -h ldap.example.com -x -D "cn=My Name, ou=Some Org, 
dc=example, dc=com" -w UpsThisIsVerySecret -b "dc=example, dc=com" 
"(telephoneNumber=*555*)" cn sn telephoneNumber


I connect, in parallel using snort -vCd port 389, I see this:

11/22-13:31:15.332512 172.16.1.127:52454 - 172.16.0.1:389
TCP TTL:64 TOS:0x0 ID:18677 IpLen:20 DgmLen:83 DF
***AP*** Seq: 0x1B6C4BE1  Ack: 0xB1212BEB  Win: 0x8218  TcpLen: 32
TCP Options (3) = NOP NOP TS: 1062950892 2880608010
0w...1.3.6.1.4.1.1466.20037

That 1.3.6.1.4.1.1466.20037 is the OID for StartTLS. The rest is 
gibberish, but it works.


BR, Erik
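Both LDAP replies above say the same thing about CA certificates: the file named by TLS_CACERT (client) or TLSCACertificateFile (server) may hold several certificates, produced simply by concatenating the PEM files. The following added example, not code from the thread or from OpenLDAP, shows what that concatenation relies on and how to check the result before pointing ldap.conf at it. The certificate bodies are constructed placeholders (minimal DER SEQUENCEs, not real certificates) so that it runs offline; the file contents and names are hypothetical.

```python
"""Build one CA bundle from several PEM files and sanity-check its contents.
Added example; not code from the thread.  Certificate bodies are constructed."""

import ssl

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def split_pem_bundle(text):
    """Return the DER bytes of every CERTIFICATE block in a PEM file.

    Anything outside BEGIN/END markers (OpenSSL's text dumps, comments) is
    ignored by PEM readers, which is why plain `cat a.crt b.crt` is enough."""
    certs = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        if lines[i].strip() == BEGIN:
            j = i + 1
            while j < len(lines) and lines[j].strip() != END:
                j += 1
            if j == len(lines):
                raise ValueError("unterminated certificate block")
            pem = "\n".join(lines[i:j + 1]) + "\n"
            certs.append(ssl.PEM_cert_to_DER_cert(pem))   # strips armor, base64-decodes
            i = j + 1
        else:
            i += 1
    return certs


def der_is_sequence(der):
    """Cheap structural check: an X.509 certificate is a DER SEQUENCE whose
    declared length matches the data.  Catches a truncated copy or a block
    that was pasted with lines missing."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return hdr + length == len(der)


def concatenate_bundle(files):
    """Join several PEM file contents into one bundle and return
    (bundle_text, number_of_certificates); refuses malformed blocks."""
    bundle = "".join(f if f.endswith("\n") else f + "\n" for f in files)
    certs = split_pem_bundle(bundle)
    bad = [k for k, der in enumerate(certs) if not der_is_sequence(der)]
    if bad:
        raise ValueError(f"certificate block(s) {bad} are not well-formed DER")
    return bundle, len(certs)


def _fake_pem(payload):
    """Constructed placeholder: a DER SEQUENCE wrapping one INTEGER, PEM-armored.
    Real files would come from the CA (gd_bundle.crt and the like)."""
    der = (b"\x30" + bytes([len(payload) + 2])
           + b"\x02" + bytes([len(payload)]) + payload)
    return ssl.DER_cert_to_PEM_cert(der)


# Two constructed "files": an issuing CA (with a comment line, as CAs often
# ship them) and the root it chains to.
SF_ISSUING = "# intermediate CA\n" + _fake_pem(b"\x01")
GD_ROOT = _fake_pem(b"\x02")

if __name__ == "__main__":
    bundle, count = concatenate_bundle([SF_ISSUING, GD_ROOT])
    print(f"bundle holds {count} certificate(s); point TLS_CACERT at it")
```

The order of certificates in the bundle does not matter to OpenSSL; what matters is that every issuer up to a trusted root is present, which is why trying sf_issuing.crt and gd_bundle.crt one at a time, as in the thread, fails where the concatenation works.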


OT: Racoon error reference

2010-10-22 Thread Erik Norgaard

Hi:

I am trying to set up racoon, but have a number of error messages for 
which I have no reference to their meaning or solution, like


ERROR: Cannot record event: event queue overflow
ERROR: no policy found
ERROR: failed to get proposal from responder
ERROR: unknown Informational exchange received

Anyone have a reference to common racoon errors, their meaning and 
possible solution?


Thanks, Erik

--
Erik Nørgaard
Ph: +34.666334818    http://www.locolomo.org


Re: OT: Racoon error reference

2010-10-22 Thread Erik Norgaard

On 22/10/10 12.32, Erik Norgaard wrote:


ERROR: Cannot record event: event queue overflow
ERROR: no policy found
ERROR: failed to get proposal from responder
ERROR: unknown Informational exchange received


and:

ERROR: policy found, but no IPsec requried

Erik


Re: WiFi HotSpot

2010-10-18 Thread Erik Norgaard

On 18/10/10 21.53, Maile Halatuituia wrote:

Anybody  have a hint how to implement software as an internet hotspot.
OpenBSD based.


This is usually a question of:

- providing an interface that is reasonably user-friendly for users to 
authenticate against, some sort of web interface, apache and friends.

- some authentication system, I don't know if Radius or homebrew
- some management software to create temporary tokens or whatever
- a firewall solution with a script to easily update as access is granted 
and revoked and redirect unauthenticated users to the login page


I don't know of any out of the box solution, on the other hand, you 
should be able to easily brew your own.


BR, Erik


IPSec/racoon key time to live

2010-10-14 Thread Erik Norgaard

Hi:

I'm up against configuring a number of different systems with host-host 
IPSec AH-only. The systems use different versions of racoon.


Questions:

- Must the key lifetime be the same in both ends?
- Can key lifetime be configured per host-host connection?

Thanks, Erik


--
Erik Nørgaard
Ph: +34.666334818    http://www.locolomo.org


Re: Open Mail Relay

2010-08-15 Thread Erik Norgaard

On 15/08/10 13.57, pe...@vfemail.net wrote:


Assume, as Mr. Bonomi suggests, that some bad guy has installed some type of 
additional mailer on the machine or another machine that's allowed to relay 
mail.  How would I go about locating that other mailer?


If the messages are indeed relayed through your server then you can see 
it in the logs and in the Received header field which host is sending 
the mail to your server.


If somebody forges mail to appear to come from your domain, but not 
relayed through your server there is really not much you can do. Only 
the recipient server can reject the mails.


Some servers support SPF, and you can help other servers know that mail 
from your domain must originate from your server by adding a TXT record 
in your DNS.


BR, Erik


Re: fetchmail ssl certificate verification problem in FreeBSD 8.1

2010-08-15 Thread Erik Norgaard

On 15/08/10 21.38, Dan Strick wrote:


I can get rid of the message by removing the ssl option from the user
line but then fetchmail would not even try to use ssl.  Why would the
old fetchmail be better able to verify the server's ssl certificate?
Has openssl changed?  Where is the openssl certificate directory and why
should the information needed to verify the server's certificate be
found on my machine?  Doesn't the openssl library contain something
like a hardwired list of well known certificate authority systems?


A little bit of searching around I found this (I don't know since when):

# less /usr/src/crypto/openssl/certs/README.RootCerts
The OpenSSL project does not (any longer) include root CA certificates.

Please check out the FAQ:
  * How can I set up a bundle of commercial root CA certificates?

The FAQ is here:

/usr/src/crypto/openssl/FAQ

Also, you might find this interesting:

http://fetchmail.berlios.de/fetchmail-man.html#19

Check your fetchmail settings for sslcertck, maybe it's a compile time 
option to enable this by default.


Fetchmail depends on ca_root_nss, check that one too.

BR, Erik


Re: Open Mail Relay

2010-08-14 Thread Erik Norgaard

On 14/08/10 15.29, pe...@vfemail.net wrote:


I have a machine running FreeBSD, sendmail and majordomo.  I have someone who 
is on one of those majordomo lists complaining that they are receiving spam 
from me.  The complainer says I have an open mail relay that I need to fix.


When somebody complains that they receive spam via your relay they must at 
the very least forward one of the offending mails to you so you can 
study the header. If they deleted the message, simply instruct them that the 
next spam mail is to be forwarded to you.


In the header you can check the Received headers to see if it actually 
passed through your server: first check IP and hostname, then see if the 
message id appears in your logs. It is far too easy to forge a mail that 
appears to come from your server or domain.


If so, the received fields will also show where the offending mail was 
sent from so you can act on it.


If he's a subscriber to a list, could it be that somebody sent spam 
through the list?



I went to http://www.abuse.net/relay.html to 
test the machine using its IP address.  Abuse.net gives a clean bill of health, 
saying relaying was denied in 17 separate tests.

I've reviewed my mail logs for the past couple of days and I can't find any 
entries for any mail addressed to the complainer's domain name except mail that 
should have been sent.

Is Abuse.net's test adequate to rule out an open mail relay problem?


I don't know about this site, but it should be easy to check your logs 
for their connections and see what action is taken.


BR, Erik
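The two Open Mail Relay replies above describe one procedure: read the Received chain of the complained-about message, find the hop your own server stamped (if none, the mail was forged and never touched you), note which host handed it in, and look the queue id up in your mail log. The following added example, not code from the thread, does exactly that over a constructed complaint and constructed sendmail log lines; the hostname mail.example.org, the addresses and the queue id are all hypothetical.

```python
"""Did this spam really pass through our relay?  Received-chain and log
correlation.  Added example; message and log lines are constructed."""

import email
import re
from email.policy import default

OUR_HOSTNAME = "mail.example.org"   # hypothetical relay being accused

# Constructed complaint.  Each hop prepends its own Received header, so the
# first one is the final recipient's MX and the last one is the oldest hop.
COMPLAINT = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby mx.complainer.example (Postfix) with ESMTP id 5F3A1
\tfor <victim@complainer.example>; Sat, 14 Aug 2010 10:02:11 +0000
Received: from dsl-pool-77.example.net (dsl-pool-77.example.net [198.51.100.77])
\tby mail.example.org (8.14.4/8.14.4) with ESMTP id o7EA1xYZ012345
\tfor <victim@complainer.example>; Sat, 14 Aug 2010 10:01:59 +0000
Message-Id: <20100814100159.spam@dsl-pool-77.example.net>
From: someone@example.org
To: victim@complainer.example
Subject: buy now

body
"""

# Constructed /var/log/maillog lines from mail.example.org (sendmail format).
MAILLOG = """\
Aug 14 10:01:59 mail sm-mta[12345]: o7EA1xYZ012345: from=<someone@example.org>, size=512, relay=dsl-pool-77.example.net [198.51.100.77]
Aug 14 10:02:00 mail sm-mta[12346]: o7EA1xYZ012345: to=<victim@complainer.example>, relay=mx.complainer.example. [203.0.113.5], stat=Sent
""".splitlines()

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]+)?\s*\[(?P<ip>[^\]]+)\]\)"
    r"\s+by\s+(?P<by>\S+).*?\bid\s+(?P<id>\S+)", re.S)


def parse_received(msg):
    """Yield a dict per Received header, newest hop first."""
    for raw in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(str(raw).split()))
        if m:
            yield m.groupdict()


def hop_added_by_us(msg, our_host=OUR_HOSTNAME):
    """Return the hop our own server stamped, or None when the message
    never passed through us (the 'by' field is the part a forger cannot
    make our server write)."""
    for hop in parse_received(msg):
        if hop["by"].lower() == our_host.lower():
            return hop
    return None


def find_in_log(queue_id, log_lines):
    """Every log line belonging to the sendmail queue id from our hop."""
    return [line for line in log_lines if f" {queue_id}: " in line]


def analyse(raw_message, log_lines, our_host=OUR_HOSTNAME):
    msg = email.message_from_string(raw_message, policy=default)
    hop = hop_added_by_us(msg, our_host)
    if hop is None:
        return {"relayed_by_us": False, "origin": None, "log": []}
    return {
        "relayed_by_us": True,
        "origin": hop["ip"],          # the host that handed the mail to us
        "origin_host": hop["helo"],
        "log": find_in_log(hop["id"], log_lines),
    }


if __name__ == "__main__":
    report = analyse(COMPLAINT, MAILLOG)
    print("relayed by us:", report["relayed_by_us"], "from", report["origin"])
    for line in report["log"]:
        print("  ", line)
```

When the hop is found, the log lines confirm the queue id and show where the message came in from; that is the evidence to act on. When it is not found, the complainer's evidence shows only that the From address carries your domain, which anyone can write.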


Re: ssh under attack - sessions in accepted state hogging CPU

2010-08-10 Thread Erik Norgaard

On 10/08/10 05.13, Matt Emmerton wrote:


I'm in the middle of dealing with a SSH brute force attack that is
relentless.  I'm working on getting sshguard+ipfw in place to deal with it,
but in the meantime, my box is getting pegged because sshd is accepting some
connections which are getting stuck in [accepted] state and eating CPU.

I know there's not much I can do about the brute force attacks, but will
upgrading openssh avoid these stuck connections?


If the attack you're experiencing is trying to exhaust system resources 
by opening a large number of connections, then you may want to toggle 
these options in sshd_config:


ClientAliveInterval
LoginGraceTime
MaxAuthTries
MaxSessions
MaxStartups

Check the man page. Secondly, check your logs to see if this attack is from a 
limited range of IPs; if so, you might want to try to block those ranges.


If your users will only connect from your country, then blocking other 
countries in your firewall is very effective.


BR, Erik
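The reply above suggests checking the logs to see whether the attack comes from a limited range of addresses before deciding what to block. As an added example (not code from the thread, and not sshguard's implementation) the following counts failed sshd logins per source over constructed auth.log lines in OpenSSH's format, aggregates them per /24 so a scanning range stands out, and lists the sources that reach a threshold; the addresses and threshold are hypothetical.

```python
"""Count sshd authentication failures per source and per network.
Added example with constructed log lines; not the thread's own code."""

import ipaddress
import re
from collections import Counter

# Constructed /var/log/auth.log excerpt.
AUTH_LOG = """\
Aug 10 04:58:01 box sshd[4021]: Invalid user admin from 198.51.100.7
Aug 10 04:58:01 box sshd[4021]: Failed password for invalid user admin from 198.51.100.7 port 51212 ssh2
Aug 10 04:58:03 box sshd[4023]: Failed password for invalid user oracle from 198.51.100.7 port 51220 ssh2
Aug 10 04:58:04 box sshd[4025]: Failed password for root from 198.51.100.7 port 51231 ssh2
Aug 10 04:58:05 box sshd[4027]: Failed password for root from 198.51.100.9 port 40021 ssh2
Aug 10 04:58:06 box sshd[4029]: Failed password for root from 198.51.100.9 port 40022 ssh2
Aug 10 04:59:10 box sshd[4031]: Failed password for matt from 203.0.113.44 port 60011 ssh2
Aug 10 04:59:15 box sshd[4031]: Accepted publickey for matt from 203.0.113.44 port 60011 ssh2
Aug 10 05:00:00 box sshd[4033]: Did not receive identification string from 198.51.100.12
""".splitlines()

# The three message shapes sshd logs for failed or abandoned attempts.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for (?:invalid user )?\S+"
    r"|Invalid user \S+"
    r"|Did not receive identification string) from (?P<ip>\d+\.\d+\.\d+\.\d+)")


def failed_logins(lines):
    """Count failure events per source IP."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def by_prefix(counts, prefixlen=24):
    """Aggregate per-IP counts into networks of the given prefix length."""
    nets = Counter()
    for ip, n in counts.items():
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        nets[str(net)] += n
    return nets


def offenders(lines, threshold=3, prefixlen=24):
    """Return (ips, networks) whose failure count reached the threshold;
    these are the candidates for a firewall table."""
    counts = failed_logins(lines)
    ips = sorted(ip for ip, n in counts.items() if n >= threshold)
    nets = sorted(net for net, n in by_prefix(counts, prefixlen).items()
                  if n >= threshold)
    return ips, nets


if __name__ == "__main__":
    ips, nets = offenders(AUTH_LOG)
    print("hosts over threshold:   ", ips)
    print("networks over threshold:", nets)
```

A single legitimate typo (the one failure from 203.0.113.44, followed by a successful key login) stays below the threshold, while the /24 view shows that three separate hosts in 198.51.100.0/24 are involved even though only one of them trips the per-host limit.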


Re: Wifi AP behind FreeBSD

2010-07-28 Thread Erik Norgaard

On 28/07/10 19.48, DadAN wrote:


I wanna just ask if I really need to set up nat? Because I think that it
will be enough with nat by the wifi router (dlink) connected to the second
nic?
And set up routing between the nics?


In that setup, what you're looking for is bridging, take a look here:

http://www.freebsd.org/doc/en/books/handbook/network-bridging.html

I don't know if you then need to enable routing in the kernel as I 
mentioned, as these are different things. I haven't tried bridging.


BR, Erik


Re: Wifi AP behind FreeBSD

2010-07-28 Thread Erik Norgaard

On 28/07/10 22.43, Maile Halatuituia wrote:

If you will have a BSD Box you do not need to have that Dlink Router.
Co's DHCP, Router can handle by the FreeBSD in addition to Hotspot
Login.

Lots and lots of manual for that on the Google.


As I understand OP, the DLink is required for the DSL connection and 
provides Ethernet to the FBSD box, which then has a second interface 
connecting to the AP. I have a similar setup.


You cannot take the DSL router out of that setup, but it should be 
possible with some routers to have that be the bridge (pppoe I think). 
In that setup the FBSD must do the nat.


BR, Erik


Re: Wifi AP behind FreeBSD

2010-07-28 Thread Erik Norgaard

On 28/07/10 19.48, DadAN wrote:


Hello,
I wanna just ask if I really need to set up nat? Because I think that it
will be enough with nat by the wifi router (dlink) connected to the second
nic? And set up routing between the nics?


Sorry, I think I misread or misunderstood your question in my previous 
reply.


In the typical configuration of a home AP that is /not/ also a router for 
internet access, the AP will be working as a simple bridge. I've 
understood you've got:


  wifi AP --- FBSD  Router --- Internet

and the router does nat, in which case you need not do it on the FBSD 
box. If this is not your setup, please explain.


BR, Erik


Re: ipnat.conf - map and rdr won't work!

2010-07-23 Thread Erik Norgaard

On 23/07/10 18.58, alexus wrote:


i just did jail on public ip where i dont need to use ipnat, so
obviously that works fine no problem
not really what i wanted though but as a temporary fix its fine...


With all respect, I think you should start liking this solution, because 
for all I understand, this is the right solution.


If external access to the jail was otherwise through rdr, there is 
really no benefit at all, securitywise or otherwise. But by allowing the 
jail to bind directly to the IP that external clients connect to, you get 
simplicity and ease of configuration.


BR, Erik


Re: Help with setting up a mail server

2010-07-20 Thread Erik Norgaard

On 20/07/10 15.26, Aryeh M. Friedman wrote:


I am a consultant and was retained by my client to setup qmail or exim
on a VPS running 8.0-STABLE (i386). After setting up the DNS (A record
and MX record) we have been unable to send or receive mail. The client
has/had a working script for installing qmail on 7.1-STABLE but it
seems to not work on 8.0-STABLE. They are using the same VPS provider
who this 7.1-STABLE install script worked under. I have tried
everything I can think of to make it work including asking obvious
questions on -questi...@.


First, as everybody else: If you are not satisfied with the default 
sendmail the most popular alternative seems to be postfix, it will 
probably be much easier for you to get help with postfix should the 
problem turn out to be the mail configuration.


When you modify your DNS it may take a while before the changes 
propagate, depending on the TTL setting in your zone configuration.


You can check if the mail server is running and can deliver mail locally 
by, on the mail server, do


  $ telnet localhost 25

You can then type in manually the smtp commands, see rfc 2821. If you 
can, then it may be a dns problem.


Next, can you send out? You may well be able to send out while you can't 
receive mail from external servers for local delivery. If this is the 
case, either your DNS is wrong or the changes have not yet propagated.


If you can't, check the error messages, if there is some dns related 
error look in /etc/resolv.conf to see if you use the right dns server, 
do some dns queries to check that it works. If you use your own dns 
server, check the named.conf and verify any forwarders entries.


If you can't receive mail from external servers for local delivery, but 
local delivery works - locally. Try from a different host to telnet to 
your mail server using the ip address,


  $ telnet mail-server-ip 25

If this works, maybe your DNS changes have not yet propagated.

If more time than the TTL has passed and your dns does not resolve 
correctly, check that you updated the serial number in the zone file, it 
must be incremented every time you make a modification or the changes 
won't propagate to dns slaves.


If you can't connect, maybe you have a firewall issue.

This I think should get you started trouble shooting.


I informed the client that the task is likely beyond my capabilities
but I would help recruit someone who would be able to do it at a
reasonable fee paid to them


If you found my advice useful, please donate a reasonable fee to the 
FreeBSD project; I am still indebted for the great effort of all the 
people involved in the project.


BR, Erik


Re: ipnat.conf - map and rdr won't work!

2010-07-20 Thread Erik Norgaard

On 20/07/10 18.02, alexus wrote:

On Mon, Jul 19, 2010 at 12:38 PM, Erik Norgaard norga...@locolomo.org wrote:

On 19/07/10 16.46, alexus wrote:
Can't help you more, really; you need to investigate where packets are
dropped. tcpdump is a great tool and the man page is excellent, can't explain
it better; if you don't like tcpdump then use any other packet sniffing tool
at hand, snort for example.


ipmon:

20/07/2010 10:22:00.123106 @2 NAT:RDR 172.16.172.16,22 <- ->
64.52.58.58,22 [69.10.67.106,6346 PR tcp]
20/07/2010 10:26:00.340436 @2 NAT:EXPIRE 172.16.172.16,22 <- ->
64.52.58.58,22 [69.10.67.106,6346 PR tcp] Pkts 11/0 Bytes 640/0

tcpdump:

tcpdump: listening on fxp0, link-type EN10MB (Ethernet), capture size 96 bytes
11:40:07.366519 IP (tos 0x0, ttl 49, id 48580, offset 0, flags [DF],
proto TCP (6), length 64) 69.10.67.106.9408 > 64.52.58.58.22: S, cksum
0xc05d (correct), 208454974:208454974(0) win 65535 <mss
1380,nop,wscale 3,nop,nop,timestamp 91387932 0,sackOK,eol>
0 packets dropped by kernel


What tcpdump options did you use, on what interface? where did you run 
it? on the hosting system or within the jail?



Can packets get dropped because of your firewall default policy? For
stealth it may be set to simply drop packets, which results in a connection
time-out rather than sending a TCP-RST.



i disabled ipfw, and i dont have any rules inside of ipfilter


You do have the default rule. IIRC this is set when you compile 
ipfilter, it can be set to either block or pass.


If you don't remember what it was, then you can override it by 
configuring two rules:


pass in quick all
pass out quick all


Do you have any logs in the jail that indicate that the first packet is
actually received? Does your firewall log connections? If not, see how you can
enable logs on all rules to get more information.


nothing gets to jail there for no logs inside of jail


Ok, but you should be able to configure log on your firewall/nat rules. 
IIRC ipfilter does not permit a log statement on nat rules; you can switch 
to packet filter, which has almost the same syntax and permits log.



Can you connect out from the jail, to external servers? only to the jail
hosting server? Did the jail's ssh log tell anything?


no i can not connect out from jail, as map doesn't work either
nothing gets to


Nor to the hosting system?


You wrote you can connect with ssh from the hosting server to the jail, but
it took a long time, did you investigate this? Is there some DNS issue that
times out and causes the connection to fail?


what about that long time I recall you mentioned?


Can you ping your jail? Can you ping out? Default route is configured?


i can ping my jail within host environment
once again nothing within jail works as map (nat) isn't working


Are you sure you're actually ping'ing the jail? IIRC from your previous 
mail you have configured the jail IP both on the host environment and in 
the jail.


So I suppose that from your host environment you can ssh into the jail? 
Did ssh start up, netstat -l? From the jail, can you ping the host 
environment?



default router isn't configured in rc.conf (inside of jail) as per
jail's man page it's not needed
it was working fine before without it


There are tons of tests you can do to figure out what's failing.


Do you have additional external ip addresses available?

Last time I played around with jail, I had this:

ifconfig_vr1="inet 172.16.0.1/23"         # Hosting system
ifconfig_vr1_alias0="inet 172.16.0.2/32"  # Jail

jail_test_ip="172.16.0.2"


So that would create an alias for the jail and bypass the need for rdr.

BR, Erik
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: ipnat.conf - map and rdr won't work!

2010-07-20 Thread Erik Norgaard

On 20/07/10 18.37, alexus wrote:


You are running 2 different firewalls at the same time.
comment out
firewall_enable="YES"
firewall_type="open"

and reboot your system.

do you know that for a fact or you just guessing??

because first of all it worked before just fine with 2 firewalls
second i disabled firewall, so firewall is no longer an issue
third i have another system just like that that runs 2 firewall and
everything working just fine!

if you don't know the answer there is no need to throw just any answer
as it's pretty clear that this isn't the right answer


Regardless of your previous experience, it is a bad idea to have two 
different firewalls configured and enabled at the same time. It provides 
no additional security and makes debugging a mess.


Have you considered the possibility of both ipfw and ipfilter doing both 
filtering and nat?


Another thing, I think I've mentioned before, you may have to reload 
firewall/nat rules after the jail starts.


BR, Erik




Re: ipnat.conf - map and rdr won't work!

2010-07-20 Thread Erik Norgaard

On 20/07/10 20.07, alexus wrote:

On Tue, Jul 20, 2010 at 12:57 PM, Erik Norgaard norga...@locolomo.org wrote:
plan b is to run natd, but i'd rather run ipnat especially that ipnat
used to work before no problem!


Maybe move away from what used to work and towards what is working :) 
Whichever you prefer, just stick to one solution only.



su-3.2# ping -c1 lama
PING lama (172.16.172.16): 56 data bytes
64 bytes from 172.16.172.16: icmp_seq=0 ttl=64 time=0.075 ms

--- lama ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.075/0.075/0.075/0.000 ms
su-3.2#

ip address tells me that this is in fact jail's IP


Yes and no, if you shut down your jail you should still be able to ping 
that ip as I read your snippet from your rc.conf.



So I suppose that from your host environment you can ssh into the jail? Did
ssh start up, netstat -l? From the jail, can you ping the host environment?


su-3.2# jls
JID  IP Address  Hostname  Path
  1  172.16.172.16   lama  /usr/jail/lama
su-3.2# jexec 1 /etc/rc.d/sshd status
sshd is running as pid 1085.
su-3.2# ps -p 1085
  PID  TT  STAT     TIME COMMAND
 1085  ??  IsJ   0:00.00 /usr/sbin/sshd
su-3.2#



OK, but you didn't check where your ssh binds.


i know, i can run it that IP address as an alias on public interface,
but we on purpose added another NIC to be private NIC.


Well, read the man jail(8):

ip4.addr
  A comma-separated list of IPv4 addresses assigned to the prison.
  If this is set, the jail is restricted to using only these
  addresses.  Any attempts to use other addresses fail, and attempts
  to use wildcard addresses silently use the jailed address
  instead. ...

If I understand this correctly, remove the line

  jail_lama_ip="172.16.172.16"

from your rc.conf and your jail can then bind to port 22 on the external 
interface thus bypassing the need for nat. This is ok, since all you did 
was redirecting traffic. And the map rule shouldn't be necessary either, 
nor should the fxp interface.


BR, Erik


Re: ipnat.conf - map and rdr won't work!

2010-07-20 Thread Erik Norgaard

On 20/07/10 20.43, alexus wrote:

On Tue, Jul 20, 2010 at 2:16 PM, Aiza aiz...@comclark.com wrote:



Just because 2 firewalls at same time didn't blow up in your face before,
sure don't mean they are working correctly. That's one bad assumption to base
debugging on.


i never had any problem doing so, not that i'm saying it's a smart thing to do
i'm well aware of that, and as i mentioned before both firewalls serve
different purposes
it's not like i'm filtering packets with both firewalls at the same time.


You've never had a problem? Or maybe you didn't know:

Picture this: You've got two competing firewall solutions loaded at the
same time. How do you know which one handles what? In fact, all
firewalls come with a default policy which is in effect if no rules are
loaded.


First, they are not consulted in parallel, just how would that work?
Maybe some sort of load balancing?


So, maybe both are consulted, but does that mean that if solution A is
consulted first, then solution B only sees what is passed by A? Or maybe
it sees both what is passed and blocked with the power to change that?
What about stateful filtering, if solution A creates a state and B doesn't?


Maybe only one of the solutions is actually consulted and the other one 
just hangs around without any effect?


Then how would you know which one is A and which one is B? If both are
consulted you need to make sure their rulesets are equivalent, or who
knows what else might happen? And if only one, which one?


OK, so you say you use ipnat for redirect and map and ipfw for packet
filtering. Even if we assume that ipfilter's packet filtering capabilities
do not alter anything, then the next question would be: does ipfw
filtering take place before or after ipnat? Because you have to write
your ruleset taking this into account.


Iirc, ipfilter wraps around the kernel and takes over all packet
handling. That means that any other firewall solution you have
configured that is more tightly integrated with the kernel just hangs
around doing nothing. All that traffic shaping you've done has no
effect at all.


So, you said, but it worked.. or did it? Well, packets may get passed, 
some may get blocked, that's easy to check, but does it mean that 
everything works according to your design? You mentioned traffic 
shaping. Have you actually tested and shown that this takes place and 
works as expected?


Mixing multiple different firewall solutions is a recipe for disaster.

As for choice of firewall, choose one, whichever, but just one. It's five
years since I switched from ipfilter to packet filter. I don't know if
ipfilter is still actively developed; last time, last year, I tried to
find the source code for Solaris and only found dead ends. I recommend
packet filter, it should have the traffic shaping capabilities you
mentioned.


BR, Erik


Re: ipnat.conf - map and rdr won't work!

2010-07-19 Thread Erik Norgaard

On 19/07/10 16.46, alexus wrote:

Use tcpdump, you should see if your rdr/map rules work as expected. Also,
pfctl -ss and similar.

i don't know how to use tcpdump, can you provide exact syntax so i can run
it?


The man-page is excellent.


tried that, unfortunately not really sure what am i doing.. still


Can't help you more, really, you need to investigate where packets are
dropped, tcpdump is a great tool and the man-page is excellent, can't
explain it better, if you don't like tcpdump then use any other packet
sniffing tool at hand, snort for example.


Can packets get dropped because of your firewall default policy? For
stealth it may be set to simply drop packets, which results in a
connection time-out rather than a TCP-RST being sent.


Do packets get dropped because of nat on the way in? or on the way out?

What if you just disable ipnat? What if you flush the firewall rules? 
(disconnect from the Internet first)


Do you have any logs in the jail that indicate that the first packet is
actually received? Does your firewall log connections? If not, see how you
can enable logs on all rules to get more information.


Can you connect out from the jail, to external servers? only to the jail 
hosting server? Did the jail's ssh log tell anything?


You wrote you can connect with ssh from the hosting server to the jail, 
but it took a long time, did you investigate this? Is there some DNS 
issue that times out and causes the connection to fail?


Can you ping your jail? Can you ping out? Default route is configured?

There are tons of tests you can do to figure out what's failing.

BR, Erik


Re: ipnat.conf - map and rdr won't work!

2010-07-17 Thread Erik Norgaard

On 16/07/10 02.56, alexus wrote:


su-3.2# cat /etc/ipnat.rules
map fxp0 lama -> 0/32
rdr fxp0 64.52.58.58 port ssh -> lama port ssh tcp


What's that first rule supposed to do?


provides a NAT within jail


Just guessing, try to put the rdr rule first. Another thing, the 
firewall/nat may be loaded before starting the jail and thus unaware of 
interfaces etc assigned to the jail.



su-3.2# ifconfig
vr0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 172.16.172.16 netmask 0x broadcast 172.16.172.16
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 64.52.58.58 netmask 0xffe0 broadcast 64.52.58.63


Where is this? This su-3.2 is a bit confusing, it would be useful to set your
hostname to jail within the jail...


su-3.2 is a host environment where jail is hosted


And from within the jail, what do you see? From what I understand 
172.16.172.16 is the jail IP?



I think it is typical for jails to clone the loopback interface for this
setup.


not sure what you mean by this...
if you're referring to this statement as if you thought this is the jail itself
then
this is not the jail, this is the host environment (where the jail is hosted)



Use tcpdump, you should see if your rdr/map rules work as expected. Also,
pfctl -ss and similar.


su-3.2# pfctl -ss
pfctl: /dev/pf: No such file or directory
su-3.2#


Ah, you use ipfilter?


i don't know how to use tcpdump, can you provide exact syntax so i can run it?


The man-page is excellent.


anyone?

If nobody replies, maybe try to rephrase your question, investigate further
and provide additional information rather than just repost.


i was under the impression that i pretty much covered all bases, or at
least i thought so ... apparently not...


Honestly, I don't have a clear picture of what works and what doesn't or 
where. You haven't posted your jail config from rc.conf and you could 
help by making it clear when running any command that this is in the 
jail, jail# this is on the hosting system hostname# and this is the 
client client# etc...


BR, Erik




Re: ipnat.conf - map and rdr won't work!

2010-07-15 Thread Erik Norgaard

On 15/07/10 21.17, alexus wrote:

On Wed, Jul 14, 2010 at 10:32 PM, alexus ale...@gmail.com wrote:

I can't put my mind around it, before reboot I was able to ssh in from
outside to my jail and right now I can't!


What did you change?


su-3.2# cat /etc/ipnat.rules
map fxp0 lama -> 0/32
rdr fxp0 64.52.58.58 port ssh -> lama port ssh tcp


What's that first rule supposed to do?


su-3.2# grep lama /etc/hosts
172.16.172.16   lama



su-3.2# ifconfig
vr0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=2808<VLAN_MTU,WOL_UCAST,WOL_MAGIC>
        ether 00:19:5b:68:9b:01
        inet 172.16.172.16 netmask 0x broadcast 172.16.172.16
        media: Ethernet autoselect (none)
        status: no carrier
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=2009<RXCSUM,VLAN_MTU,WOL_MAGIC>
        ether 00:0f:fe:aa:f4:61
        inet 64.52.58.58 netmask 0xffe0 broadcast 64.52.58.63
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active


Where is this? This su-3.2 is a bit confusing, it would be useful to set
your hostname to jail within the jail...


I think it is typical for jails to clone the loopback interface for this 
setup.



su-3.2# jls
   JID  IP Address      Hostname                      Path
     1  172.16.172.16   lama                          /usr/jail/lama

and this is me from outside trying to ssh to my box and getting time out...

mp:~ alexus$ ssh -v jothost.com
OpenSSH_5.2p1, OpenSSL 0.9.8l 5 Nov 2009
debug1: Reading configuration data /etc/ssh_config
debug1: Connecting to jothost.com [64.52.58.58] port 22.
debug1: connect to address 64.52.58.58 port 22: Operation timed out
ssh: connect to host jothost.com port 22: Operation timed out


Use tcpdump, you should see if your rdr/map rules work as expected. 
Also, pfctl -ss and similar.


Can you ssh from the host system to the jail?


anyone?


If nobody replies, maybe try to rephrase your question, investigate 
further and provide additional information rather than just repost.


BR, Erik


Re: iptables equivalent

2010-06-22 Thread Erik Norgaard

On 21/06/10 20.06, pete wright wrote:

On Jun 21, 2010, at 10:28 AM, Jean-Paul Natola wrote:

I'm particularly trying to implement some type of rate control as we are
getting hammered by spam.


I'd humbly suggest pf + spamd if you are concerned specifically about
stopping spam, both are supported by freebsd and i have had great
success using these tools to combat spam.


spamd does not stop spam. It is intended to increase the cost of sending
spam at little cost to your server by keeping the spammer busy trying.


If you're concerned with blocking spam from a limited set of known 
sources, then you can create block lists in your firewall. If you know 
that you will not receive legitimate mails from certain countries, you 
can block their assigned IP ranges.


If you're trying to block a large number of unknown sources, then I
suggest subscribing to spamhaus' lists and configuring your server to
adhere strictly to the protocols.


You may wish to subscribe to lists of dynamic ip-ranges. These are often
considered spam sources hosting a large number of bot-nets. However, you
may also block mail from legitimate servers run by people who like to
run their own home server - such as FreeBSD users.


There is only limited benefit of some kind of rate control and I believe
that such controls must be implemented in your mail server. Implementing
rate control may also delay legitimate mail, and depending on how you
do it, spammers may even cause a DOS against your server.


Anyway, to avoid spammers eating up server resources, check your server 
config:


1. ensure that the spam decision is reached as fast as possible
2. consider early whitelisting of the most common legitimate mail sources
3. DNS block lists should be last as they add additional delay, possibly 
you can configure a local dns cache to shorten delay


BR, Erik
--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org


Re: LDAP and LDAPS on the same server ?

2010-05-06 Thread Erik Norgaard

On 06/05/10 14.15, Frank Bonnet wrote:


It runs nicely but I want to add LDAPS service on the SAME server.
Is it possible ?


Yes, in fact with OpenLDAP you can have ldap, ldaps and ldap TLS with
STARTTLS; the latter runs on the standard ldap port.



I have generated

cert.crt
cert.csr
cert.key

as instructed in the FreeBSD howto but when I add the following
lines in slapd.conf file it fails to restart

TLSCACertificateFile  /usr/local/etc/openldap/ssl/cert.crt


You do not need to specify TLSCACertificateFile unless you plan to 
require connecting clients to use a certificate.



TLSCertificateFile/usr/local/etc/openldap/ssl/cert.crt
TLSCertificateKeyFile /usr/local/etc/openldap/ssl/cert.key


You only need to edit your rc.conf adding

slapd_flags='-h ldap:/// ldaps:///'

if you want to have old style ldaps (ldap with ssl) on port 636. Without
any options OpenLDAP supports TLS on port 389. Unfortunately, common
programs such as thunderbird do not support TLS for ldap (although it
/is/ supported for smtp?!)



in ldap.conf file I have the following

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=esiee,dc=fr
URI     ldap://ldap.esiee.fr ldaps://ldap.esiee.fr


You do not need to edit ldap.conf for the server to start up correctly, 
this is for the client. In order to use ldapmodify (and family) with TLS 
you need to add


TLS_CACERT /path/to/your/CA/certificate.cer

Then you can do

$ ldapmodify -ZZ ...

to connect with TLS.

BR, Erik



Re: dhcpd doesn't send route information

2010-04-24 Thread Erik Norgaard

On 23/04/10 15:14, Onur Aslan wrote:


Do you have any idea?


Still haven't solved the problem?

I just looked over your dhclient.conf:

#prepend domain-name-servers 127.0.0.1;
prepend domain-name-servers 8.8.8.8, 8.8.8.4;
#request subnet-mask, broadcast-address, time-offset, routers,
#   domain-name, domain-name-servers, domain-search, host-name,
#   netbios-name-servers, netbios-scope, interface-mtu,
#   rfc3442-classless-static-routes, ntp-servers;
request subnet-mask, broadcast-address;

Seems like you don't request router information.

As for dhcpd.conf, I don't know if you have a real need to keep static 
addresses, if you do use fixed-address then your dhcpd.conf can only be 
good for that subnet.


I have:

subnet 192.168.0.0 netmask 255.255.254.0 { # Server subnet
default-lease-time 3600;
max-lease-time 86400;

option routers 192.168.0.1;
option domain-name-servers ns1.example.com;
option domain-name example.com;

pool {
range 192.168.1.1 192.168.1.127;
deny unknown-clients;
}
pool {
range 192.168.1.128 192.168.1.254;
allow unknown-clients;
}
}

group {
use-host-decl-names on;

host myhost {
hardware ethernet 00:ab:cd:de:f0:12;
}
}

With this my host declarations are good for any subnet I may define, and 
I can set special options for known clients as needed - say I only want 
to send router information to known clients, unknown clients will only 
have access to the local network. Of course, this kind of security is 
easy to circumvent. But I do use it to avoid non-diskless clients 
suddenly booting off the network.


BR, Erik



ping: sendto: No buffer space available

2010-04-24 Thread Erik Norgaard

Hi!

I'm running FreeBSD 8.0. Sometimes my network just goes down without
leaving any errors behind; this morning it went down but didn't cut
my ssh connection to the box and I got this error:


ping: sendto: No buffer space available

From what I have found this relates to protocols like udp and icmp, I 
assume this can occur with p2p but also vpn protocols like l2tp.


Is there some way that I can set limits on these protocols such that 
they will not use up all available buffer space? Or some way to increase 
buffer?


Or is the problem something completely different? I've got two vr 
interfaces on a VIA Nehemiah ITX.


Thanks, Erik


Re: dhcpd doesn't send route information

2010-04-24 Thread Erik Norgaard

On 24/04/10 17:41, Peter Boosten wrote:




option domain-name-servers ns1.example.com;
option domain-name example.com;



A fqdn for a name server? That'll give you a chicken and egg problem,
don't you think?


No, the dhcpd server resolves the address and sends the ip to the clients.

BR, Erik



multishell user profile

2010-04-21 Thread Erik Norgaard

Hi:

I need to create a user profile that works in different shells,
particularly bash, csh and ksh. It seems that these do not read the
same files and/or in the same order. So, how do I configure the shell
profiles without configuring each shell separately?


Also, I can't find information on whether they use the same syntax, or what
syntax they share so I can stick to that. Does POSIX specify any of this?


Thanks, Erik


Re: PXE + sysinstall(8) install.cfg: DHCP Attribute to map install config/policy to system MAC?

2010-04-21 Thread Erik Norgaard

On 21/04/10 21:59, Brian A. Seklecki (CFI NOC) wrote:

All:

The install.cfg mechanism is pretty wicked.

Unfortunately, there doesn't seem to be a really efficient way
to provide new clients (or class of clients) an install.cfg
without rebuilding an MFSROOT image.
Possibly a TFTP or NFS URL passed from the DHCP server
-> boot loader -> kernel sysctl -> sysinstall(8).

Thoughts or other ideas?


You can configure sysinstall in your install.cfg to execute shell 
commands, including any fetch-like command. Some scripting should be 
possible to do what you require. I wrote about it here:


http://www.locolomo.org/howto/pxeboot/automatic-installation.html

However, I never really went on and tested this, let me know if this works.

BR, Erik


Re: hacked?

2010-04-14 Thread Erik Norgaard

On 15/04/10 00:56, Steve Franks wrote:

I don't have bsdstats or similar that I'm aware of installed, so this
smells bad:

Firewall is showing repeated attempts from your FreeBSD machine to
connect to port 25 (standard SMTP mail port) on a server in Belgium. This
implies something on your system is trying to send mail out.


Whose firewall? Is this above snip from some notice you have received
from a third party claiming you are attempting to connect to their server?


Who's the one notifying you? The owner of the server or network 
receiving these connections? Or your LAN Lord?



[14/Apr/2010 15:11:09] DROP SMTP Deny packet from Local Area
Connection - LAN, proto:TCP, len:48, ip/port:192.168.1.38:17343 ->
81.247.120.78:25, flags: SYN , seq:43473770 ack:0, win:65535, tcplen:0


192.168.1.38 - is that you? always?


Where would I start sniffing around as far as what got put on my box?


How about

ps ax
sockstat -4

Erik
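The firewall line quoted in this thread is the kind of evidence a defender should aggregate rather than read one entry at a time. The Python below is an added example (not from the thread or from any FreeBSD tool): it parses that firewall's `ip/port:A -> B` line format and flags LAN hosts that open SMTP connections to several distinct outside servers within a short window, which is how a spam-sending host behaves and a client pointed at its own relay does not. The internal network 192.168.1.0/24, the thresholds and every log line except the first are assumptions constructed for the example.

```python
"""Spot LAN hosts fanning out SMTP connections, from firewall log lines.

A host sending spam opens many outbound TCP/25 sessions to many distinct
mail servers in a short time; a client that only talks to its own relay
does not.  This parses the firewall's "ip/port:A -> B" format, keeps
outbound SYNs to port 25 per internal source and flags sources that reach
several destinations quickly.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<action>\S+)\s+(?P<rule>.*?)\s+packet from\s+"
    r"(?P<iface>.*?),\s+proto:(?P<proto>\w+),\s+len:\d+,\s+"
    r"ip/port:(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+),"
    r"\s+flags:\s*(?P<flags>[A-Z ]*?)\s*,"
)

# First entry is the line quoted in the thread; the others are constructed in
# the same format, using documentation address ranges for the outside hosts.
_TAIL = "flags: SYN , seq:43473770 ack:0, win:65535, tcplen:0"
_IF = "Local Area Connection - LAN"
SAMPLE_LOG = [
    f"[14/Apr/2010 15:11:09] DROP SMTP Deny packet from {_IF}, proto:TCP, len:48, ip/port:192.168.1.38:17343 -> 81.247.120.78:25, {_TAIL}",
    f"[14/Apr/2010 15:11:11] DROP SMTP Deny packet from {_IF}, proto:TCP, len:48, ip/port:192.168.1.38:17344 -> 198.51.100.7:25, {_TAIL}",
    f"[14/Apr/2010 15:11:14] PERMIT Outbound packet from {_IF}, proto:TCP, len:48, ip/port:192.168.1.38:17345 -> 203.0.113.9:25, {_TAIL}",
    f"[14/Apr/2010 15:11:20] DROP SMTP Deny packet from {_IF}, proto:TCP, len:48, ip/port:192.168.1.38:17346 -> 198.51.100.40:25, {_TAIL}",
    f"[14/Apr/2010 15:11:23] DROP SMTP Deny packet from {_IF}, proto:TCP, len:48, ip/port:192.168.1.38:17346 -> 198.51.100.40:25, {_TAIL}",  # SYN retransmit
    f"[14/Apr/2010 15:11:25] PERMIT Outbound packet from {_IF}, proto:TCP, len:40, ip/port:192.168.1.38:17345 -> 203.0.113.9:25, flags: ACK , seq:43473771 ack:1, win:65535, tcplen:0",
    f"[14/Apr/2010 15:40:02] PERMIT Outbound packet from {_IF}, proto:TCP, len:48, ip/port:192.168.1.10:50122 -> 198.51.100.25:25, {_TAIL}",
    f"[14/Apr/2010 15:40:03] PERMIT Outbound packet from {_IF}, proto:TCP, len:48, ip/port:192.168.1.10:50123 -> 198.51.100.25:443, {_TAIL}",
    "Apr 14 15:40:04 gateway kernel: unrelated line that does not parse",
]


def parse_line(line):
    """Parse one firewall log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {"time": datetime.strptime(d["ts"], "%d/%b/%Y %H:%M:%S"),
            "action": d["action"], "proto": d["proto"].upper(),
            "src": ipaddress.ip_address(d["src"]), "sport": int(d["sport"]),
            "dst": ipaddress.ip_address(d["dst"]), "dport": int(d["dport"]),
            "flags": set(d["flags"].split())}


def outbound_smtp_syns(lines, internal=ipaddress.ip_network("192.168.1.0/24")):
    """Keep new-connection attempts (SYN without ACK) to TCP/25 leaving the
    internal network.  Both DROP and PERMIT entries count: the firewall's
    verdict says nothing about whether the source host is compromised."""
    events = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["proto"] != "TCP" or ev["dport"] != 25:
            continue
        if "SYN" not in ev["flags"] or "ACK" in ev["flags"]:
            continue
        if ev["src"] in internal and ev["dst"] not in internal:
            events.append(ev)
    return events


def fan_out_by_source(events, window=timedelta(minutes=10)):
    """Per internal source: total attempts, distinct destinations overall, and
    the largest number of distinct destinations hit within any `window`."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_src[ev["src"]].append(ev)
    report = {}
    for src, evs in by_src.items():
        peak, start = 0, 0
        for end in range(len(evs)):          # sliding window over sorted events
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            peak = max(peak, len({e["dst"] for e in evs[start:end + 1]}))
        report[str(src)] = {"attempts": len(evs),
                            "distinct_destinations": len({e["dst"] for e in evs}),
                            "peak_destinations_in_window": peak,
                            "first": evs[0]["time"], "last": evs[-1]["time"]}
    return report


def spambot_candidates(report, min_destinations=3):
    """Sources that reached at least `min_destinations` distinct outside mail
    servers within one window; a single relay never looks like this."""
    return sorted(src for src, r in report.items()
                  if r["peak_destinations_in_window"] >= min_destinations)


if __name__ == "__main__":
    summary = fan_out_by_source(outbound_smtp_syns(SAMPLE_LOG))
    for src, stats in summary.items():
        print(src, stats)
    print("spam-bot candidates:", spambot_candidates(summary))
```

Once a source is flagged, the `ps ax` / `sockstat -4` suggestion above is the natural next step on that host.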


Syslog to log remote nodes

2010-04-10 Thread Erik Norgaard

Hi:

I want my syslog to log remote nodes, in particular my access point and
router, which authenticate users against my freeradius server.


In /etc/rc.conf I've got:
syslogd_flags="-C -a 192.168.0.0/23 -a 172.16.0.0/23 -vv"

In /etc/syslog.conf I've got first the entries for the system, no 
networked clients specified,


...
local0.*                                        /var/log/radius.log
...
# Remote systems
+172.16.0.0/23
*.info  /var/log/wlan.log
+192.168.0.254
*.info  /var/log/router.log

Surprise, I've got my access point logs in the radius log file, not in 
the wlan.log,


snip radius.log:

Apr 10 17:54:15 local0.notice ap airport 80211: Rotated TKIP group key.
Apr 10 18:02:19 local0.notice ap airport ntp: Clock synchronized to 
network time server ntp.locolomo.org (adjusted -1 seconds).
Apr 10 18:43:11 local0.info alpha radiusd[79800]: Loaded virtual 
server inner-tunnel
Apr 10 18:43:11 local0.info alpha radiusd[79800]: Loaded virtual 
server default


The ap is the access point.

I haven't got anything in router.log and can't really figure where it 
has ended up.


What's wrong with my syslog.conf?

Thanks, Erik




Re: Outdoor wireless - has anyone used Ubiquiti power stations?

2010-04-07 Thread Erik Norgaard

On 07/04/10 22:02, Modulok wrote:

List,

This might be a little off topic, but it still involves FreeBSD. I
figured this list has many a smart folk, so I'd ask here.

If I buy two of these Ubiquiti power station 2's, I can set them up to
provide a long distance ethernet link to my BSD box right? Has anyone
used these?

Basically, I have an remote office with a FreeBSD box acting as a
router, but no Internet connection. At the other side of the valley
(15 miles) I have a DSL based Internet connection, but no office. In
theory, I should be able to link them via a wireless bridge, right?
That way I'd have local connection at the office on one interface, and
a long distance link which hooks up to an ISP through their DSL router
on the other. If I treat the link between the office and the DSL
router as if it were the public Internet, I shouldn't need any
encryption between me and it, right? Does this all sound like a
reasonable approach?


In theory it would work, but reality may be something completely
different. I recall there have been a lot of community initiatives back
when geeks were more abundant than broadband.


However, 15 miles sounds like stretching it. IIRC people were able to 
get around 1-5 miles on standard gear with a home made antenna and a 
clear line of sight.


Even if you get connection over 15 miles, you might lose it on rainy or
cloudy days. Wifi signals are easily absorbed by water and anything that
contains water - that means leaves and other vegetation.


I must add that I don't know the hardware you're looking at and I never
experimented myself.


BR, Erik


Re: SSH root login with keys only

2010-04-05 Thread Erik Norgaard

On 05/04/10 01:35, Marcin Wisnicki wrote:


PasswordAuthentication is already disabled (by default).
I need to disable ChallengeResponseAuthentication however:

  /etc/ssh/sshd_config line 131: Directive 'ChallengeResponseAuthentication'
is not allowed within a Match block

Same thing for UsePAM no (though I would like to keep pam for accounting
and session management)


You can configure two daemons one with root access allowed and the other 
without. Let the one with root access allowed run on a non-standard port.


BR, Erik



Re: SSH root login with keys only

2010-04-04 Thread Erik Norgaard

On 04/04/10 23:04, Marcin Wisnicki wrote:

Is it possible to configure sshd such that both conditions are met:

1. Root will be able to login only by using keys
2. Normal users will still be able to use pam/keyboard-interactive


Yes, you can create a Match block with the criteria User, something like 
this I guess will work (haven't tested):


PermitRootLogin yes
Match User root
    PasswordAuthentication no

check the man page. You might also want to restrict from where root can 
login with another match block.


I assume that you have decided root login is acceptable with the 
increased security of key authentication. Just beware that the key must 
be password protected.


BR, Erik
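The Match-block approach from both sshd posts above (the suggestion to put `PasswordAuthentication no` under `Match User root`, and the follow-up error that `ChallengeResponseAuthentication` and `UsePAM` are not allowed inside a Match block) can be checked before restarting the daemon. The Python below is an added example, not OpenSSH code: it parses an sshd_config, reports Match-block keywords sshd will reject, and resolves the settings a given user actually ends up with. The allow list is a partial one assumed from sshd_config(5) of that era, and the sample config and user names are constructed.

```python
"""Check the root-keys-only sshd_config pattern discussed in the thread.

sshd applies Match blocks after the global section; the first satisfied block
that sets a keyword overrides the global value.  Only some keywords may appear
inside Match, and the thread shows sshd refusing ChallengeResponseAuthentication
and UsePAM there.  Keywords are normalised to lower case throughout.
"""
import fnmatch

# Keywords accepted inside Match.  Assumption: a partial list from sshd_config(5)
# of the OpenSSH 5.x era; keywords in neither set are reported as "unverified".
MATCH_ALLOWED = {k.lower() for k in (
    "AllowGroups", "AllowTcpForwarding", "AllowUsers", "Banner", "ChrootDirectory",
    "DenyGroups", "DenyUsers", "ForceCommand", "GatewayPorts",
    "GSSAPIAuthentication", "HostbasedAuthentication",
    "KbdInteractiveAuthentication", "KerberosAuthentication", "MaxAuthTries",
    "MaxSessions", "PasswordAuthentication", "PermitEmptyPasswords", "PermitOpen",
    "PermitRootLogin", "X11DisplayOffset", "X11Forwarding", "X11UseLocalhost")}
# Keywords the thread shows sshd rejecting inside a Match block.
MATCH_FORBIDDEN = {"challengeresponseauthentication", "usepam"}


def parse_sshd_config(text):
    """Return (global_opts, blocks): global_opts keeps the first value seen per
    keyword, as sshd does; blocks lists (criteria, opts, lineno) in file order,
    criteria mapping a Match criterion ("user", "group", ...) to its patterns."""
    global_opts, blocks, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split(None, 1)   # drop comments, split keyword
        if not parts:
            continue
        keyword, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if keyword == "match":
            tokens, criteria = value.split(), {}
            if tokens != ["all"]:                      # "Match all" has no criteria
                if len(tokens) % 2:
                    raise ValueError(f"line {lineno}: Match needs criterion/pattern pairs")
                for crit, pat in zip(tokens[::2], tokens[1::2]):
                    criteria[crit.lower()] = pat.split(",")
            current = (criteria, {}, lineno)
            blocks.append(current)
        else:
            target = global_opts if current is None else current[1]
            target.setdefault(keyword, value)          # first occurrence wins
    return global_opts, blocks


def check_match_blocks(blocks):
    """List (lineno, keyword, verdict) for Match-block keywords that are not
    known to be allowed; verdict is "forbidden" or "unverified"."""
    findings = []
    for _, opts, lineno in blocks:
        for keyword in opts:
            if keyword in MATCH_FORBIDDEN:
                findings.append((lineno, keyword, "forbidden"))
            elif keyword not in MATCH_ALLOWED:
                findings.append((lineno, keyword, "unverified"))
    return findings


def _block_matches(criteria, conn):
    # Glob patterns only; negated patterns and CIDR address ranges are not handled.
    return all(conn.get(crit) is not None and
               any(fnmatch.fnmatchcase(conn[crit], p) for p in pats)
               for crit, pats in criteria.items())


def effective_settings(global_opts, blocks, **conn):
    """Options sshd would apply to a connection described by keyword arguments
    such as user="root": global values, overridden by the first satisfied
    Match block that sets each keyword."""
    effective, overridden = dict(global_opts), set()
    for criteria, opts, _ in blocks:
        if _block_matches(criteria, conn):
            for keyword, value in opts.items():
                if keyword not in overridden:
                    effective[keyword] = value
                    overridden.add(keyword)
    return effective


# Constructed sample modelled on the thread: root must use keys only, other
# users keep PAM keyboard-interactive; the last two Match lines are rejected.
SAMPLE_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes

Match User root
    PasswordAuthentication no
    ChallengeResponseAuthentication no
    UsePAM no
"""

if __name__ == "__main__":
    glob_opts, match_blocks = parse_sshd_config(SAMPLE_CONFIG)
    for lineno, keyword, verdict in check_match_blocks(match_blocks):
        print(f"Match block at line {lineno}: {keyword} is {verdict} inside Match")
    for user in ("root", "alice"):
        print(user, effective_settings(glob_opts, match_blocks, user=user))
```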


OT: Programming perl, BerkeleyDB/MLDBM

2010-03-27 Thread Erik Norgaard

Hi:

I have been searching for the appropriate perl mailing list, but no 
avail. I'm trying to build a database with Berkeley DB and MLDBM for a 
multi dimensional hash structure,


my $hdbm = tie %host, 'MLDBM', -Filename => "$dbdir/host.db",
                               -Flags    => DB_CREATE|O_RDWR
    or die "Cannot open database '$dbdir/host.db': $!\n";

but I have some problems:

I can read entries and create new ones, but I can't update existing 
entries.


And I have a problem untieing cleanly:

untie attempted while 1 inner references still exist at 
bin/smtp_reject.pl line 175.
untie attempted while 1 inner references still exist at 
bin/smtp_reject.pl line 176.


Any hints? or which mailing list should I post to?

Thanks, Erik


Re: The download file is corrupt

2010-03-25 Thread Erik Norgaard

On 25/03/10 07:57, trevor who wrote:


Hi guys,
I downloaded the DVD version freeBSD version 8 and went to unpack it
and got these messages from winrar.
!   D:\FreeBSD\8.0-RELEASE-i386-dvd1.iso.gz: Unexpected end of archive
!   D:\FreeBSD\8.0-RELEASE-i386-dvd1.iso.gz: CRC failed in
8.0-RELEASE-i386-dvd1.iso. The file is corrupt
Can you let me know when it will be fine to download.
Regards,
Trevor


There could have been a problem during download, try again. This is a 
lot of data, maybe just download the bootonly iso and install using ftp.


BR, Erik

--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org


Re: diskless dhclient

2010-03-22 Thread Erik Norgaard

On 22/03/10 21:35, Mats Lindberg wrote:


I've tried to get my freebsd diskless system to get hold of some of the
dhcp-options.
E.g. my dhcp-server will always be the nfs-server as well. So I was hoping
to create the /etc/fstab with the the dhcpd's ip as the nfs server.
Thus not needing to have the hard coded nfsroot:/conf/'ip-address'/etc.
Instead i'm looking for having almost all necessary files in the
nfsroot:/conf/base/etc directory.


You only need /conf/'ip-address' if you need different configurations 
for different clients. The ip-address is that of the diskless client, 
not the server.



I've tried to set ifconfig_ETHDEV=DHCP in /etc/rc.conf and creating a
bourne shell script /etc/dhclient_enter_hooks, but as far as I can detect
the script is never run.

I guess since the kernel already got the ip-address during pxeboot it does
not care about renewing the ip-address, or??


No, when the client detects it is a diskless client, 
/etc/rc.initdiskless is executed. See documentation in that file. 
Anyway, iirc you can find the dhcp options with kenv(1).


BR, Erik

--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org


Re: securing sshd

2010-03-21 Thread Erik Norgaard

On 21/03/10 02:27, Peter wrote:


On the same line, portknocking with pf:


Port knocking sucks:

If you have to knock a single time on the secret port you might just 
have no added security at all, could be that the port scanner first 
knocked on the secret port then on the ssh port.


If you have to knock multiple times on the secret port, same thing, 
usually when you scan for open ports, multiple packets are sent in case 
of packet loss. You can't use timing between packets because this may 
change on the path. Yet you do need to implement timeouts to avoid a 
halfway knocked sequence.


If you have to knock various ports, you can't rely on packets arriving 
in a particular sequence. And even if you did, the port scanner might 
just get that order right. If your secret is to knock port 1234 and then 
port 2345 nmap might do just that when scanning ports 0-1. And if 
the secret is the reverse order, again, nmap might just do that because 
multiple packets are sent to each port.


If you require more than a single knock you have to monitor also for 
wrong knocks or a simple nmap scan may be just sufficient to expose your 
server as in the example above.


A port knock or port knock sequence is a shared password that cannot be 
encrypted. Since there is no previous user identification the knocking 
is the same for all users. It's not encrypted because the secret is in 
the port number you knock. This is possibly the worst kind of secret you 
can manage.


If you find yourself thinking you need port knocking, then your 
passwords are not strong enough. It is far better to use longer and more 
complex passwords: They are individual for each user and encrypted.


Then you have the problem of monitoring established connections to flush 
the tables once a session is terminated.


Port knocking adds complexity to your server, meaning more things can go 
wrong, and adding yet another attack vector for the intruder. Having a 
script to automatically update a live rule set is a recipe for disaster.


It's as user-unfriendly and impractical as it gets:

The more ports you have to knock the higher the probability that some 
packets will be filtered when you're behind somebody else's firewall. 
You can be most certain that you can't convince the admin of some 
corporate network to open up for your port knocking.


Because of the built-in stealth you have no way of knowing if packets 
are dropped or filtered. And the user will have to accept a delay for 
your port knocking script to update the rules.


You add complexity for the user, now they have your special port 
knocking client, know the secret, on top of carrying around their 
private ssh keys etc.


Port knocking sucks at security: It does not solve a single existing 
problem but introduces a host of other problems. Use it at home for 
playing around and learning about protocols and stuff, but please don't 
give people the illusion that their security problems will be solved 
with port knocking.


BR, Erik

--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org
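The scan-versus-knock argument above, as an added example that is not from the original post: a toy knock daemon in Python fed a constructed stream of SYN events (seconds, source, destination port, roughly what a pflog line carries). The sequence 1234 then 2345 is the post's own example; the timeout, the addresses and the scan itself are assumptions.

```python
"""A knock daemon against a plain sequential port scan and against replay.

Added example, not from the original post. KNOCK is the post's example
sequence; WINDOW, the addresses and the packet streams are constructed.
"""
KNOCK = (1234, 2345)   # assumed secret sequence, as in the post
WINDOW = 10.0          # assumed: seconds allowed to complete the sequence
SCANNER = "198.51.100.7"


class KnockDaemon:
    """Per-source progress through the sequence; `strict` resets on any port
    that is neither the expected knock nor a retransmit of the last one."""

    def __init__(self, strict):
        self.strict = strict
        self.state = {}      # src -> (index of next expected knock, time of last accepted)
        self.opened = set()  # sources for which the firewall would be opened

    def packet(self, t, src, dport):
        idx, last = self.state.get(src, (0, t))
        if t - last > WINDOW:            # half-finished sequence timed out
            idx = 0
        if dport == KNOCK[idx]:
            idx, last = idx + 1, t
        elif idx and dport == KNOCK[idx - 1]:
            pass                          # retransmit of the knock already taken
        elif self.strict:
            idx = 0                       # wrong port: start over
        if idx == len(KNOCK):
            self.opened.add(src)
            idx = 0
        self.state[src] = (idx, last)
        return src in self.opened


def sequential_scan(src, first, last, retries=2, gap=0.001):
    """Constructed log of a scanner sweeping ports in order, each probed
    `retries` times because a stealthed host answers nothing."""
    t = 0.0
    for port in range(first, last + 1):
        for _ in range(retries):
            t += gap
            yield (t, src, port)


def run(daemon, events):
    for t, src, dport in events:
        daemon.packet(t, src, dport)
    return daemon.opened


def scan_opens(strict):
    """Does an ordinary ascending scan of ports 1000-3000 satisfy the sequence?"""
    return SCANNER in run(KnockDaemon(strict), sequential_scan(SCANNER, 1000, 3000))


def replay_opens(strict):
    """The knock is a cleartext shared secret: whoever saw the legitimate
    user's two SYNs (constructed below) replays them from anywhere."""
    sniffed = [(100.0, "203.0.113.5", 1234), (100.4, "203.0.113.5", 2345)]
    replay = [(t + 3600, SCANNER, port) for t, _, port in sniffed]
    return SCANNER in run(KnockDaemon(strict), replay)


if __name__ == "__main__":
    print("naive daemon, sequential scan :", scan_opens(strict=False))
    print("strict daemon, sequential scan:", scan_opens(strict=True))
    print("strict daemon, replayed knock :", replay_opens(strict=True))
```

The naive daemon, which ignores packets to other ports, is opened by a plain ascending sweep. The strict daemon, which resets on any other port, is not, but it also fails the legitimate user on any path that reorders or drops a packet, and both daemons open for anyone who replays two sniffed SYNs, because the secret is the port numbers themselves.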


Re: securing sshd

2010-03-20 Thread Erik Norgaard

On 20/03/10 14:18, Jamie Griffin wrote:


I've been reading up on securing sshd after being bombarded with attempted 
logins.


Hi!

First step to ssh security is: Don't panic! Take your time to read the 
logs and understand what's going on. So, you've got bombarded with login 
attempts, but they failed. Just because there is some log entry doesn't 
mean you have to act on it.


I recall reading an analysis of this kind of brute force attack on 
securityfocus.com. These brute force attacks are pretty harmless if 
you've got basic security in place.


This was also discussed on the list two weeks ago, check the archives.


* Disabled root login by ssh in /etc/ssh/sshd_config


Good, if you read the logs you will see that about 50% of the attempts 
are against the root account.



* Set myself as the only user able to login by ssh


Good, if you read the logs you will see that about 40% of the attempts 
are against standard unix accounts, and guest. The remaining are against 
randomly generated user names usually based on common names (john, 
smith, etc) you can get this statistic from your logs.



* Disabled password logins completely, and to only allow public key 
authentication


This seems good for security, but not always practical. Now you have to 
walk around with a USB or have keys on your laptop and if you lose the 
USB or the laptop gets stolen you can't get access. Worse, you can't 
revoke the keys till you get back home.



* Changed the default ssh port from 22 to something much higher


Number is irrelevant and I discourage this. If you ever find yourself 
behind somebody else's firewall, if access is enabled it is enabled for 
the default port.



I'm the only user that will ever need to log into the machine. I wondered, does 
this setup seem ok and are there any other methods used by anyone on list that 
might help me to secure remote logins even further?


Since you're the only one on that system, you know where you're going to 
connect from, at least roughly. Why allow connections from anywhere?


Restrict the client access to certain ranges of IPs. The different 
registries publish ip ranges assigned per country and you can create a 
list blocking countries you are certain not to visit, you can use my script:


http://www.locolomo.org/pub/src/toolbox/inet.pl

The last things I can think of is not to have your user name as in your 
mail address, not have mail password as your unix account password and 
remember to password protect your ssh keys. Run other services such as 
mail, http, dns etc. in jails - if possible separate jails. All this all 
depends on your paranoia.


BR, Erik
--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org
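The percentages quoted above come from reading the logs; as an added example, not from the original thread, here is a Python tabulation over constructed FreeBSD auth.log lines (not from any real host). The set of standard accounts is the stock FreeBSD /etc/passwd plus a few generic names scanners try; treat that list as an assumption.

```python
"""Tabulate failed ssh logins from auth.log by target account and source.

Added example, not from the original thread. The log lines are constructed
in sshd's syslog format; SYSTEM_ACCOUNTS/GENERIC_NAMES are assumptions.
"""
import re
from collections import Counter

# Constructed sample of /var/log/auth.log after one night.
AUTH_LOG = """\
Mar 20 03:14:07 alpha sshd[4012]: Failed password for root from 198.51.100.23 port 51202 ssh2
Mar 20 03:14:09 alpha sshd[4012]: Failed password for root from 198.51.100.23 port 51202 ssh2
Mar 20 03:14:12 alpha sshd[4015]: Invalid user admin from 198.51.100.23
Mar 20 03:14:12 alpha sshd[4015]: Failed password for invalid user admin from 198.51.100.23 port 51210 ssh2
Mar 20 03:15:01 alpha sshd[4020]: Failed password for invalid user guest from 203.0.113.77 port 40011 ssh2
Mar 20 03:15:03 alpha sshd[4021]: Failed password for invalid user john from 203.0.113.77 port 40015 ssh2
Mar 20 03:15:05 alpha sshd[4022]: Failed password for invalid user smith from 203.0.113.77 port 40019 ssh2
Mar 20 03:15:09 alpha sshd[4023]: Failed password for invalid user games from 203.0.113.77 port 40023 ssh2
Mar 20 03:16:40 alpha sshd[4030]: Failed password for root from 203.0.113.77 port 40100 ssh2
Mar 20 08:02:11 alpha sshd[4101]: Accepted publickey for erik from 192.0.2.10 port 52211 ssh2
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
                    r"from (?P<src>\S+) port \d+")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+)")

SYSTEM_ACCOUNTS = {"root", "toor", "daemon", "operator", "bin", "tty", "kmem", "games",
                   "news", "man", "sshd", "smmsp", "mailnull", "bind", "proxy", "uucp",
                   "pop", "www", "nobody"}
GENERIC_NAMES = {"admin", "guest", "test", "user"}   # assumed: common scanner guesses


def category(user):
    if user == "root":
        return "root"
    if user in SYSTEM_ACCOUNTS:
        return "system"
    if user in GENERIC_NAMES:
        return "generic"
    return "other"


def summarize(log_text):
    """Counts of failed attempts by category and source, the attempts aimed at
    accounts that really exist here (no 'invalid user' marker), and the
    sources of successful logins, which is where an address whitelist starts."""
    by_category, by_source, existing = Counter(), Counter(), Counter()
    accepted = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            by_category[category(m["user"])] += 1
            by_source[m["src"]] += 1
            if not m["invalid"]:
                existing[m["user"]] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            accepted.append((m["user"], m["src"], m["method"]))
    total = sum(by_category.values())
    share = {c: round(100 * n / total) for c, n in by_category.items()} if total else {}
    return {"by_category": by_category, "share_pct": share, "by_source": by_source,
            "existing_accounts": existing, "accepted": accepted}


if __name__ == "__main__":
    s = summarize(AUTH_LOG)
    for cat, pct in sorted(s["share_pct"].items(), key=lambda kv: -kv[1]):
        print(f"{cat:8s} {pct:3d}%")
    print("attempts against real accounts:", dict(s["existing_accounts"]))
    print("successful logins came from:", sorted({src for _, src, _ in s["accepted"]}))
```

The `existing_accounts` counter is the one to read first: sshd logs `invalid user` for names that do not exist locally, so what remains are the attempts against accounts that could actually be brute-forced. The `accepted` list gives the source addresses an allow-list would be built from.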


Re: securing sshd

2010-03-20 Thread Erik Norgaard

On 20/03/10 17:14, Jerry wrote:


Seriously, disabling password log-ins and using key authentication is
extremely secure. Do make sure that you password protect your keys
however. In any event, if you laptop or whatever is stolen, you have
more than just one problem to contend with anyway.


I don't doubt that it is much harder to brute force a key than a 
password. I simply say that it is not always practical. Anyone stealing 
or finding your usb or laptop will likely not be too interested in your 
data.


But, now you have to carry the key and protect it. If you travel a lot, 
and travel light, you bring just a usb stick which is easily lost, and 
being without access for months is not fun.


BR, Erik
--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org


Re: securing sshd

2010-03-20 Thread Erik Norgaard

On 20/03/10 18:23, Jamie Griffin wrote:


The reason I went with that decision is because I only expect to be
logging in to the server from two locations:  at home or from a
computer at my university


In that case, the best thing you can do is figure out the IP ranges of 
either location.


Check your log for your own successful logins to find the source IP, 
then look up the range with whois. You can be pretty sure that wherever 
you are on campus, the assigned IP will be in that range.


Then just allow access from those ranges and block everything else in 
your firewall. Whitelists are far easier to manage than black lists. 
Having some daemon running to monitor illicit attempts to login and 
block the source is futile. You can be almost certain that you won't see 
that IP in your logs again, partly because these attempts may come from 
botnets, partly because the source may be assigned IP dynamically.


Btw. I found two articles on securityfocus.com, the first is an analysis 
using a honeypot, as you see these attacks are pretty lame:


http://www.symantec.com/connect/articles/analyzing-malicious-ssh-login-attempts

Then somebody having to respond, because security was pretty lame:

http://www.symantec.com/connect/articles/responding-brute-force-ssh-attack?ref=rss

BR, Erik
--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org


Re: bruteforce protection howto

2010-03-20 Thread Erik Norgaard

On 20/03/10 23:17, Vadkan Jozsef wrote:


What's the best method to ban that ip [what is bruteforcig a server]
what was logged on the logger?
I need to ban the ip on the router pc.


Take your time to think about if this is indeed the right solution.

1st: You need to decide which is the right policy to deploy. Basically 
you can opt for a default deny or a default allow. With default deny you 
create white lists for the exceptions that should be allowed. With 
default allow you create black lists. Default deny and default allow 
roughly correspond to the policies of OpenBSD vs. Microsoft Windows.


So, when is white listing an option? When you have a limited set of 
exceptions, for example your local users that need ssh access. If this 
set is limited consider deploying default deny. On the other hand, this 
is not an option for your web service that you wish to provide for 
anyone anywhere.


Blacklisting is futile (think, did anti-virus solve the virus problem?). 
Intruders may attempt to connect from anywhere, blocking a single IP 
won't solve your problem, most likely the next attempt will not come 
from that IP. This is because these attacks may be launched from a 
number of compromised PCs and because the attacking PC may have a 
dynamically assigned address. So you need to block entire ranges, but 
which?


I recently analysed my maillog to see where attempted spammers connected 
from. I found some 3500 hosts in 1600 ranges (using whois lookup). These 
ranges being typically /16. I haven't tried with ssh but I doubt it 
would be much different.


If on top of this you make some auto-respond system, you expose yourself 
to a denial of service attack, blindly blocking anything that creates a 
log entry.


Whether you use white or black listing this is effective only if you can 
make informed decisions. If you don't do business with say China and you 
know that 25% of all spam originates from China, it is only rational to 
block access from China.


But, whenever possible, use white listing.

BR, Erik

--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org


FreeBSD and vmware

2010-03-17 Thread Erik Norgaard

Hi:

I have a dual boot Windows/FreeBSD which I use for work, I just tried 
today to create a virtual machine with vmware on windows to start up the 
installed FreeBSD.


This works except for three problems:

- The disk device is renamed, I suppose I can just duplicate the entries 
in the fstab, the devices not found won't be mounted, I'll get an error 
but problem solved?


- I can't see the network devices from vmware

- I can't start xwindows, no monitor is found

Any clues?

Thanks, Erik


--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org


Re: FreeBSD and vmware

2010-03-17 Thread Erik Norgaard

On 17/03/10 21:40, Steve Polyack wrote:

On 03/17/10 16:34, Erik Norgaard wrote:



- I can't see the network devices from vmware

Do you mean you can't see a NIC from within FreeBSD on top of VMware?
You will have to choose Other (64-bit) for the OS type and/or choose
the e1000/Intel1000 device within VMware for the virtual network card.
FreeBSD has great support for this card, virtual attempt physical.


I created Other/FreeBSD 64bit OS type. When setting vmware up without 
NAT I can configure the em0 interface and get direct access, but with 
NAT I can't see the virtual interfaces vmware create.


Thanks for your advice.
BR, Erik

--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org


Re: Generating a random hostname

2010-03-17 Thread Erik Norgaard

On 17/03/10 23:06, Peter Steele wrote:

Is there any facility in FreeBSD for generating a random hostname? We have a 
template with a fixed hostname that has to be changed after the template is 
closed. It would be useful to have a hostname generated randomly.


uuidgen?

this command may be used by /

--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org


Re: Generating a random hostname

2010-03-17 Thread Erik Norgaard

On 17/03/10 23:06, Peter Steele wrote:

Is there any facility in FreeBSD for generating a random hostname? We have a 
template with a fixed hostname that has to be changed after the template is 
closed. It would be useful to have a hostname generated randomly.


uuidgen may do the job for you,

BR, Erik

--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org


Berkeley DB upgrade

2010-03-13 Thread Erik Norgaard

Hi:

I want to upgrade my BerkeleyDB, I have some 500MB in BDB 43.

- What is the latest stable version?
- Is there any way of determining if datafiles are compatible
  across versions?
- Is there any tool for migrating between versions?

Thanks, Erik

--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org


Re: [OT] ssh security

2010-03-09 Thread Erik Norgaard

On 10/03/10 07:16, per...@pluto.rain.com wrote:


but logic tends to tell me that if I have no prior knowledge about
the person I am about to talk to, anybody (MIM) could pretend to
be that person.


True. Cryptography by itself does not solve the identity problem.


The pre-shared information need not to be secret ... but there is
need for pre-shared trusted information.


Er, if the pre-shared information is not secret, how can I be sure
that the person presenting it is in fact my intended correspondent
and not a MIM?  My impression is that Diffie-Hellman (somehow) solves
this sort of problem.


The preshared information, in this case the key fingerprint, is a 
fingerprint of the public key, without this, you cannot produce the 
fingerprint.


Yes, the fingerprint is calculated from the public key, which is .. er 
.. public, but that's not a problem since anything encrypted with the 
public key can only be decrypted by the owner of the private key.


In the session setup public keys are exchanged, on the basis of this key 
you calculate the fingerprint and compare with the one you have stored. 
If they do not match, connection is closed.


So, the MIM attack must be launched the very first time a user connects. 
This is where the user trusts the identity of the owner of the private 
key. The known_hosts file is only kept so you don't have to verify and 
trust the key every time.


If you worry about that kind of attack, then you should provide a method 
for verifying the fingerprint through a different channel, say users 
call support and have them read out the fingerprint, publish it on some 
separate server, or pre-install it on their computer when the account is 
created.


Diffie-Hellman does not solve this problem. DH is a protocol for 
agreeing on a shared secret in public, but it does not solve the 
identity problem.


BR, Erik
--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org
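The first-connection argument above, as an added example that is not from the original thread: Python code that builds an OpenSSH public-key blob, computes the two fingerprint forms ssh-keygen -l prints, and performs the known_hosts comparison the client makes on every later connection. The "server" key is 32 fixed bytes and the impostor's key another 32, constructed for illustration only; hashed (`|1|...`) known_hosts entries are not handled.

```python
"""Host-key fingerprints and the check ssh makes against known_hosts.

Added example, not from the original thread. Both keys are constructed
(an ed25519 public key is exactly 32 bytes, so any 32 bytes show the wire
format); fingerprint formats follow ssh-keygen -l: MD5 as colon-separated
hex, SHA256 as unpadded base64.
"""
import base64
import hashlib
import hmac
import struct

SERVER_RAW = bytes(range(32))        # constructed, not a real host key
MITM_RAW = bytes(range(32, 64))      # constructed, the impostor's key


def ssh_string(b):
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def read_string(buf, offset=0):
    n = struct.unpack(">I", buf[offset:offset + 4])[0]
    return buf[offset + 4:offset + 4 + n], offset + 4 + n


def ed25519_blob(raw32):
    """The public-key blob the server sends during key exchange and that
    known_hosts stores base64-encoded: string "ssh-ed25519", string key."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw32)


def fingerprint_md5(blob):
    return "MD5:" + ":".join(f"{c:02x}" for c in hashlib.md5(blob).digest())


def fingerprint_sha256(blob):
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def known_hosts_line(host, blob):
    return f"{host} {read_string(blob)[0].decode()} {base64.b64encode(blob).decode()}"


def parse_known_hosts_line(line):
    """Plain (unhashed) entry: host, key type, base64 blob. The type declared
    on the line must match the one embedded in the blob."""
    host, keytype, b64 = line.split()[:3]
    blob = base64.b64decode(b64)
    if read_string(blob)[0] != keytype.encode():
        raise ValueError("declared key type does not match the key blob")
    return host, keytype, blob


def verify_host_key(stored_line, presented_blob):
    """What the client does once an entry exists: compare the key the peer
    offers with the stored one, byte for byte. The fingerprint is for humans
    on the first connection; after that no human is in the loop."""
    _, _, stored = parse_known_hosts_line(stored_line)
    return hmac.compare_digest(stored, presented_blob)


if __name__ == "__main__":
    genuine = ed25519_blob(SERVER_RAW)
    line = known_hosts_line("alpha.example.org", genuine)
    print("verify out of band:", fingerprint_sha256(genuine), fingerprint_md5(genuine))
    print("genuine key accepted:", verify_host_key(line, genuine))
    print("impostor key accepted:", verify_host_key(line, ed25519_blob(MITM_RAW)))
    print("impostor shows as:", fingerprint_sha256(ed25519_blob(MITM_RAW)))
```

The fingerprint has to be checked once, on the first connection, over a channel the attacker does not control; from then on the client compares the stored blob against the one the peer offers, and an impostor's key fails regardless of how it was generated. Nothing about Diffie-Hellman enters into this step, which is the point made above.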


Re: Thousands of ssh probes

2010-03-08 Thread Erik Norgaard

On 08/03/10 18:56, Jason Garrett wrote:


Much better, restrict the client access to certain ranges of IPs. The
different registries publish ip ranges assigned per country and you can
create a list blocking countries you are certain not to visit, you can use
my script:

   http://www.locolomo.org/pub/src/toolbox/inet.pl


Great script! Just one question. Where do you put the list of denied ip
ranges?


The output is written to be used with packet filter, if you use some 
other firewall you may need to edit the script. If you use packet filter, 
then you can dump the list into a file and create tables like this:


  table <blacklist> persist file "/etc/blacklist"
  block in quick from <blacklist>

I use blacklisting for mail while I use whitelisting for ssh.

You should know the limits of the script, the problem is that some 
ranges have been assigned directly by IANA, particularly for US. These 
are not included. The list is limited as these are all /8 chunks, you 
can find it here:


http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml

These ranges are managed by private organisations and assigned as they 
see fit.


There is another thing I'd like to filter by: I'd like to eliminate 
dynamic ranges, particularly for mail. It's been recommended that 
reverse lookup resolves to something like dyn.example.com or 
dynamic.example.com, but there is no registry where you can simply look 
it up.


BR, Erik
--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org


Re: Thousands of ssh probes

2010-03-07 Thread Erik Norgaard

On 07/03/10 21:41, dacoder wrote:


has anybody suggested having sshd listen on a high port?


Any number will do, think about it:

a. The attacker doesn't really care which host is compromised, any will 
do, and better yet someones home box as it is more difficult to trace 
him. In that case he will scan large ip-ranges for hosts listening on 
port 22.


b. The attacker wants to gain control of a particular server. In that 
case he will scan all ports to see what services are running and 
determine which services are running on each port. In that case running 
ssh on a non-standard port is futile.


However, I'm not really a fan of using non-standard ports for ssh, I 
don't believe it's the right solution to the problem: You have ssh 
access to the outside because people travel and need remote access. In 
that case they might find themselves under other security policies which 
block access to services deemed unnecessary. Running ssh on a 
non-standard port is likely to be blocked on the client network - unless 
you run on, say, port 80.


The more uses you have, the more problems you will have running ssh on a 
non-standard port, the time you save checking your logs may easily be 
spent on end user support.


OP referred to significant impact on bandwidth which I find difficult to 
believe. In case connections come from a single ip at a time then you 
should tweak LoginGraceTime, MaxAuthTries, MaxSessions to reduce the 
number of concurrent unauthenticated connections and slow down brute 
force attacks.


Much better, restrict the client access to certain ranges of IPs. The 
different registries publish ip ranges assigned per country and you can 
create a list blocking countries you are certain not to visit, you can 
use my script:


   http://www.locolomo.org/pub/src/toolbox/inet.pl

BR, Erik

--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org


Re: Thousands of ssh probes

2010-03-05 Thread Erik Norgaard

On 05/03/10 13:54, John wrote:

My nightly security logs have thousands upon thousands of ssh probes
in them.  One day, over 6500.  This is enough that I can actually
feel it in my network performance.  Other than changing ssh to
a non-standard port - is there a way to deal with these?  Every
day, they originate from several different IP addresses, so I can't
just put in a static firewall rule.  Is there a way to get ssh
to quit responding to a port or a way to generate a dynamic pf
rule in cases like this?


This is a frequent question on the list, search the archives. Basically 
there are few things that you can do:


1. limit the access to a range of IPs, for example, even if you travel a 
lot you go to a limited number of countries, why permit access from 
other continents?


2. limit access to certain users, there is no need to allow games or 
root user to authenticate via ssh. Use AllowUsers or AllowGroups to 
restrict access to real users.


3. limit the amount of concurrent non-authenticated connections, number 
of failed attempts and similar.


4. prohibit password authentication.

If the problem is that these attacks consume significant bandwidth then 
moving your service to a different port may be a good solution, but if 
your concern is security, then the above is more effective.


BR, Erik

--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org


static build of usr.bin/host fails to link

2010-02-24 Thread Erik Norgaard

Hi:

I am trying to build a custom crunch file for pxeboot/jumpstart. I have 
taken the make files from rescue as a template adding the extras I need.


But I have problem linking usr.bin/host in the crunch file, I can't 
figure out what libraries to link with and include with CRUNCH_LIBS+=


on the system dynamically linked binary I tried,

ldd /usr/bin/host
/usr/bin/host:
        libcrypto.so.6 => /lib/libcrypto.so.6 (0x281f4000)
        libthr.so.3 => /lib/libthr.so.3 (0x2835)
        libc.so.7 => /lib/libc.so.7 (0x28365000)

and looking in the source files doesn't help much either, I can't figure 
out how to specify libraries in contrib/bind9.


The make files I use are here:

  http://www.locolomo.org/pub/src/jumpstart.tgz

How do I build host statically?

Thanks, Erik
--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org


Re: Sysinstall Post-install System Management

2010-02-19 Thread Erik Norgaard

On 19/02/10 20:42, Programmer In Training wrote:


Any clues or alternate ways of getting this done?


IIRC you first need to load the linux and linprocfs kernel modules and 
mount linproc.


BR, Erik

--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org


Re: Cleaning up after attack?

2010-02-15 Thread Erik Norgaard

On 15/02/10 11:13, Dr. Jennifer Nussbaum wrote:

Hi. I have an up-to-date FreeBSD 7.2 box that has been compromised. Someone 
aparently got in to an account with certain admin priveleges and has been
sending spam.

I disabled the account, shut off my MTA and used pf to block all traffic to 
port 25 out for good measure.

How do i analyse what might have happened and what has been installed?

Andis there anything to do other than rebuild the entire system to ensure that 
its clean?


If the attacker had privileged access then he may have got a copy of 
master.passwd, you should assume all accounts compromised, if user 
data are shared with other servers, then all should be considered 
compromised.


Blocking certain access say port 25 is insufficient. You should get it 
off the net until you are sure the system is clean as the attacker may 
have installed some daemon that communicates on a non-standard port.


If you had things like tripwire installed you could get an idea of files 
modified. Otherwise you can use find to create a list of files modified 
since the attack, but this is only useful insofar as the attacker did 
not bother to reset access or modification times.


It may be faster to rebuild everything rather than trying to figure out 
what may have been modified, if your main concern is to get the system 
back up rather than investigate the incident.


BR, Erik
--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org
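The `find` caveat above, as an added example that is not from the original thread: a Python walk that flags files on ctime as well as mtime. An intruder can reset mtime with touch -r or utimes(2), but the kernel updates ctime on that same call and offers no interface to set it back. FreeBSD's find(1) has -newerct/-newermt primaries for the same comparison; the tree below is constructed in a temporary directory just for the demonstration.

```python
"""Files changed since the break-in, checked on ctime as well as mtime.

Added example, not from the original thread. The directory tree is built
in a temp dir; 'honest' is modified, 'backdated' is modified and then
timestomped with os.utime, 'untouched' is left alone.
"""
import os
import tempfile
import time


def changed_since(root, since):
    """Return {relative path: subset of {'mtime', 'ctime'}} for every file
    whose timestamps postdate `since` (seconds since the epoch)."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)           # lstat: do not follow planted symlinks
            reasons = set()
            if st.st_mtime > since:
                reasons.add("mtime")
            if st.st_ctime > since:
                reasons.add("ctime")
            if reasons:
                hits[os.path.relpath(path, root)] = reasons
    return hits


def demo_tree():
    """Constructed tree, returns (root, suspected time of the break-in)."""
    root = tempfile.mkdtemp()
    old = time.time() - 3600
    for name in ("honest", "backdated", "untouched"):
        path = os.path.join(root, name)
        with open(path, "w") as f:
            f.write("original\n")
        os.utime(path, (old, old))        # all three look an hour old
    since = time.time()                   # the suspected time of the break-in
    time.sleep(1.1)                       # get past 1-second timestamp granularity
    with open(os.path.join(root, "honest"), "a") as f:
        f.write("intruder was here\n")
    backdated = os.path.join(root, "backdated")
    with open(backdated, "a") as f:
        f.write("intruder was here\n")
    os.utime(backdated, (old, old))       # timestomp: mtime is old again, ctime is not
    return root, since


if __name__ == "__main__":
    root, since = demo_tree()
    for path, reasons in sorted(changed_since(root, since).items()):
        print(f"{path:10s} flagged by {', '.join(sorted(reasons))}")
```

Run this from a clean environment or against a mounted copy of the disk: on a rooted box the kernel itself may be lying about timestamps, which is the other reason the rebuild advice stands.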


Re: custom kernel

2010-02-14 Thread Erik Norgaard

On 14/02/10 02:16, Derek Funk wrote:


My kernel is basiclly is the generic kernel just with some added options
and removed devices i don't have. I have built and installed many times
after installation. I play around with this machine a lot and just want
to be able to have my kernel installed at installation.


It's beyond me why you reinstall so often even if only playing around. 
The only need AFAIK is if you need to repartition. In fact, reinstalling 
without repartitioning and formatting your drives may create a mess as 
leftovers from the previous install may not be properly deleted.


Anyway, if the problem is that sysinstall overwrites your previously 
installed custom kernel in /boot/kernel, there's the option of 
installing your kernel in say /boot/mykernel and then in loader.conf set 
kernel=mykernel.


BR, Erik
--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org


Re: custom kernel

2010-02-13 Thread Erik Norgaard

On 13/02/10 04:08, Derek Funk wrote:

I am trying to find how to install a custom kernel at installation. I
have found an option in sysinstall to select a kernel. How do I add my
own to the options so I can select it?


I think the standard procedure is to install the generic kernel at 
installation then install your custom kernel afterwards. You should 
always keep the generic kernel to fall back on in case of any problems.


BR, Erik

--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org


How to run cron scripts (310.locate) in chrooted env.

2010-02-09 Thread Erik Norgaard

Hi:

I have a setup with diskless clients mounting /var/diskless/FreeBSD 
read-only as root file system.


How do I configure cron/locate.rc to run on the server such that the 
locate database is relative to the root for the diskless systems?


I could do a chroot and run it within this environment, at least it 
would work manually.


Thanks, Erik
--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org


How to set loader password

2010-02-06 Thread Erik Norgaard

Hi:

I was looking in /boot/loader.rc and found these lines:

\ Tests for password -- executes autoboot first if a password was defined
check-password

OK, great, so: How do I set this password? What does it protect? Didn't 
find documentation in loader(8) and no man-page for loader.rc.


Thanks, Erik
--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org


Howto run privileged commands on login/logout

2010-02-06 Thread Erik Norgaard

Hi:

I'm playing around with diskless operation. I'd like to be able to run 
privileged commands when a user logs in or logs out:


- on login, nfs mount the user's home directory (ok, not critical, I can 
mount /home)
- on logout a system reboot to clean up any temporary files left from 
the session.


Is this possible, without messing around with sudo or adding users to 
wheel or operator groups?


Thanks, Erik

--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org


specifying nfs root in loader.conf with vfs.root.mountfrom

2010-02-05 Thread Erik Norgaard

Hi:

OK, I know I'm not doing this the easy way, don't try to convince me 
about other ways :)


I'm doing PXE boot diskless, fetching the GENERIC kernel with TFTP.

Problem is that since the kernel is fetched with tftp, there is no nfs 
root file system mounted when the kernel finishes loading.


There are, as I see it, two solutions to this: Compile the kernel with BOOTP 
and BOOTP_COMPAT options to allow the kernel to request the root-path 
option set with dhcp.


Or, configure the root path in loader.conf: (from defaults/loader.conf)

#vfs.root.mountfrom=""  # Specify root partition in a way the
                        # kernel understands

So, I set in my diskless loader.conf:

vfs.root.mountfrom="nfs:192.168.0.1:/var/diskless/FreeBSD"

Booting up I get:

nfs_diskless: no NFS handle
Trying to mount root from nfs:192.168.0.1:/var/diskless/FreeBSD
nfs_diskless: no NFS handle
ROOT MOUNT ERROR:
If you have invalid mount options, reboot, and first try to the 
following from the loader prompt:


 set vfs.root.mountfrom.options=rw

and then remove invalid options from /etc/fstab
...

Question: How do I specify an nfs share as root path with 
vfs.root.mountfrom?


Thanks, Erik
--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org


Re: adduser and single-user groups

2010-01-27 Thread Erik Norgaard

On 27/01/10 19.05, John wrote:

Could someone point me in the direction of enlightenment with regard
to the value add of the group per user approach that adduser
uses?  Is that a FreeBSD thing, or a *BSD thing, or a unix-like-universe
thing, or what?


Many systems do this AFAIK.

IIRC, the point is that you can set umask to 007 or 002 and your home 
directory with owner you, and group you will remain private or at least 
only writable by you.


The umasks 007 or 002 are useful if you have some shared folder where 
you have multiple users with write access, say:


drwxrwxr-x root:users /home/share

With umask 002, when files are created in this directory by another user 
in the users group, all users in this group can edit that file, no need 
to modify permissions.


BR, Erik

--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org


Re: pf rules

2010-01-24 Thread Erik Norgaard

Doug Hardie wrote:


1. pf allows short cuts, but these also make it more difficult to debug. I'd 
separate NAT from filtering,


Ok.  I guess you want some white space between them?  Here it is with the white 
space and comments:

ext_if=dc0
table <blackhole> persist file /etc/blackhole

table <spamd> persist
table <spamd-white> persist
table <spamd-white-local> persist file /etc/mail/whitelist
MAILHOSTS = {zool.lafn.org}

# NAT/RDR Rules
no rdr on { lo0, lo1 } from any to any
no rdr inet proto tcp from <spamd-white-local> to any port smtp
no rdr inet proto tcp from <spamd-white> to any port smtp
rdr pass log inet proto tcp from any to any port smtp -> 127.0.0.1 port spamd

# Filter Rules
pass in log inet proto tcp to $MAILHOSTS port smtp keep state
pass in log on sis0 reply-to (sis0 192.168.25.1) proto tcp from any to any port 75 keep state
block in quick log on $ext_if from <blackhole> to any

Other than the comments I don't see the difference.


you didn't separate nat from filtering, and you didn't add interfaces on 
your rdr rules. When you make these shortcuts, maybe your ruleset 
becomes more compact, maybe it works, but it becomes more difficult to 
debug.



that is never use rdr pass even though pf allows it. You also need to 
understand when rdr takes place to write your filtering rules.


That would be really helpful if that information were available somewhere it could be found.  I have not been able to find that anywhere.  


Basically, for rdr, the address translation takes place before the 
packet is parsed by the filter rules. For nat, it takes place after the 
filtering. For binat, you can think of it as nat in one direction rdr in 
the other.


This is for the first packet, keep state and you don't have to worry 
about the rest.


see also,

http://www.openbsd.org/faq/pf/rdr.html
http://www.openbsd.org/faq/pf/nat.html


2. you can deploy one of two policies: Default block with a whitelist or 
default pass with a black list. Mixing these is a bad idea.


This is one thing you should see to clarify in your ruleset above. When 
you have both whitelist and blacklist, what happens to those that are in 
neither? What happens to those that are in both?


Which default policy makes sense depends on the service. You may want to 
use black lists for smtp but whitelist for ssh for example.



anyway, to interpret the output of pflog, you need the output from pfctl -sr 
and pfctl -sn rather than your config file.


zool# pfctl -sr
No ALTQ support in kernel
ALTQ related functions disabled
pass in log inet proto tcp from any to 206.117.18.7 port = smtp flags S/SA keep state
pass in log on sis0 reply-to (sis0 192.168.25.1) inet proto tcp from any to any port = 75 flags S/SA keep state
block drop in log quick on dc0 from <blackhole> to any


so your filter rules are numbered 0, 1, 2


zool# pfctl -sn
No ALTQ support in kernel
ALTQ related functions disabled
no rdr on lo0 all
no rdr on lo1 all
no rdr inet proto tcp from <spamd-white-local> to any port = smtp
no rdr inet proto tcp from <spamd-white> to any port = smtp
rdr pass log inet proto tcp from any to any port = smtp -> 127.0.0.1 port 8025


your rdr rules are numbered 0, .. 4, but you only have log in rule 4.

So, when you see matches in your pflog, rule 0 .. 2 are filter rules and 
rule 4 is rdr rule, which you can also see from the action logged, pass, 
block or rdr. That seems to explain why you have no matches for rule 3.



So, to solve your problem, separate first NAT and filtering. Things become so 
much clearer.


Repeated: Get rid of that rdr pass; make an rdr rule and a pass rule. 
Yes, it's the rule recommended by the spamd man page, but if you want to 
see and understand what's going on, that kind of rules can really make 
things obscure.


BR, Erik

--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org


Re: automating network configuration

2010-01-24 Thread Erik Norgaard

Romain Garbage wrote:

Hello,

I am looking for a way to automate the configuration of my network
depending on its topology (don't know if it's the good word) : I
would like to check the wired interface to see if a cable is plugged
in (by looking at carrier status), if so, bring up the wired
interface, if no bring up the wireless interface.
Is there a way to do this?

I was wondering if it is possible to do so by scripting rc.conf?


Normally you really don't have to think, just enable both, assuming you 
use dhcp. Wired configuration with dhcp will fail if there is no cable, 
wireless will fail if there is no signal. You usually won't experience 
problems even if both are configured.


BR, Erik

--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org


Re: pf rules

2010-01-23 Thread Erik Norgaard

Doug Hardie wrote:

This is quite interesting.  I can't figure out the rules on my system. 


Maybe try to simplify, clean up and structure your rules :)


Here is the pf.conf file with all comments removed:

table <blackhole> persist file /etc/blackhole
table <spamd> persist
table <spamd-white> persist
table <spamd-white-local> persist file /etc/mail/whitelist
MAILHOSTS = {zool.lafn.org}

no rdr on { lo0, lo1 } from any to any
no rdr inet proto tcp from <spamd-white-local> to any port smtp
no rdr inet proto tcp from <spamd-white> to any port smtp
rdr pass log inet proto tcp from any to any port smtp -> 127.0.0.1 port spamd
pass in log inet proto tcp to $MAILHOSTS port smtp keep state
pass in log on sis0 reply-to (sis0 192.168.25.1) proto tcp from any to any port 75 keep state
block in quick log on $ext_if from <blackhole> to any


1. pf allows short cuts, but these also make it more difficult to 
debug. I'd separate NAT from filtering, that is never use rdr pass 
even though pf allows it. You also need to understand when rdr takes 
place to write your filtering rules.


2. you can deploy one of two policies: Default block with a whitelist or 
default pass with a black list. Mixing these is a bad idea.


3. $ext_if = dc0?

4. rdr needs an interface, I'm surprised that pf will parse the above, 
and have no idea what it does with it. pfctl -sn should show you the nat 
rules.


5. Organize your rules as sketched in last mail, grouping rules for each 
interface, it really helps locating where things go wrong.


I have log statements and catch all rules to ensure that if these are 
triggered there is something in my ruleset I haven't taken into account. 
I avoid using any except in default rules.



Note:  the blackhole file is empty as is the whitelist file.  There is an entry 
for 216.54.240.150 in spamd database.  This is a test system.

Here is the output of tcpdump where I have only taken one entry for each rule.  
I have listed the rule number at the front of each line:

Rule 0:  14:01:27.133320 rule 0/0(match): pass in on dc0: 216.54.240.150.55782 > 206.117.18.7.25: S 2501333595:2501333595(0) win 65535 <mss 1460,nop,nop,sackOK>
Rule 1:  02:26:44.755650 rule 1/0(match): pass in on sis0: 71.109.144.133.40864 > 192.168.25.7.75: S 3941268770:3941268770(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,timestamp[|tcp]>
Rule 2:  10:44:45.037918 rule 2/0(match): block in on dc0: 71.109.162.173.39529 > 206.117.18.7.75: . ack 145 win 65535 <nop,nop,timestamp 705571170 1951648775>
Rule 4:  13:51:16.022700 rule 4/0(match): rdr in on dc0: 216.54.240.150.49821 > 127.0.0.1.8025: S 2371633783:2371633783(0) win 65535 <mss 1460,nop,nop,sackOK>

I found no entries for rule 3.  There is virtually no traffic on this system 
other than from me.

As I look at pf.conf and tie the rules to the entries I get (rule number at 
beginning of line):

no rdr on { lo0, lo1 } from any to any
no rdr inet proto tcp from <spamd-white-local> to any port smtp
0 - no rdr inet proto tcp from <spamd-white> to any port smtp
4 - rdr pass log inet proto tcp from any to any port smtp -> 127.0.0.1 port spamd
pass in log inet proto tcp to $MAILHOSTS port smtp keep state
1 - pass in log on sis0 reply-to (sis0 192.168.25.1) proto tcp from any to any port 75 keep state
block in quick log on $ext_if from <blackhole> to any

I have no clue which one is rule 2.  The only block is the last entry but that 
should never be used because the blackhole file is empty.  pfctl shows the 
table is empty also.

The ordering seems to make no sense either.  I also note that the man page for 
pf.conf indicates in the BNF grammar for pf.conf that log is a valid entry for 
no rdr.  However, that always generates a syntax error.  Apparently there is no 
way to log the use of no rdr rules.


See, things seem to have been swapped around somehow: that rule 4 rdr 
is really rule 0 again, only now it matches for the rdr action; in rule 0 it 
matches the pass action. Or so it appears.


anyway, to interpret the output of pflog, you need the output from pfctl 
-sr and pfctl -sn rather than your config file.


So, to solve your problem, separate first NAT and filtering. Things 
become so much clearer.


Regards, Erik

--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org


Re: pf rules

2010-01-22 Thread Erik Norgaard

kalin m wrote:

tcp_in = { www, https }
ftp_in = { ftp }
udp = { domain, ntp }
ping = echoreq

set skip on lo
scrub in

antispoof for eth0 inet

block in all
pass out all keep state
pass proto udp to any port $udp
pass inet proto icmp all icmp-type $ping keep state
pass in inet proto tcp to any port $tcp_in flags S/SAF synproxy state
pass proto tcp to any port ssh


To debug pf rules:

- always add direction to the rule, pass or block, add interface to all
  rules except default policy, keep state on all pass rules
- group your rules per direction, then per interface
- add log to all rules and watch pflog to see which rule blocks or
  passes traffic.
- use keyword quick for any decisive rule
- check the parsing of your ruleset, pfctl -sr

then come back and ask for help.

BR, Erik


--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org


Re: pf rules

2010-01-22 Thread Erik Norgaard

Doug Hardie wrote:

On 22 January 2010, at 01:45, Erik Norgaard wrote:


To debug pf rules:

- always add direction to the rule, pass or block, add interface to all
 rules except default policy, keep state on all pass rules
- group your rules per direction, then per interface
- add log to all rules and watch pflog to see which rule blocks or
 passes traffic.
- use keyword quick for any decisive rule
- check the parsing of your ruleset, pfctl -sr

then come back and ask for help.


Where do you find the rule information in the pflog output from tcpdump?  


a snip:

alpha# tcpdump -n -e -i pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 
96 bytes
11:55:20.910140 rule 81/0(match): block in on vr1: 172.16.1.127.52444 > 172.16.0.1.23:  tcp 44 [bad hdr length 0 - too short, < 20]


rule 81 blocks. Now, problem is that your rules may be more compact, 
you'll find the rule with pfctl -sr. Now admittedly, I got:


pass in quick on vr1 inet proto udp from 172.16.0.0/23 to local_ip 
port = secret_service keep state


of course, that rule didn't block. But two lines down I found:

block return in log quick on vr1 inet from 172.16.0.0/23 to local_ip

This makes sense, so why the offset 2? The first line of the output from 
pfctl -sr is


scrub all fragment reassemble

that shouldn't count as a rule. And then, if pflog starts counting with 
0 while vi counts from 1 that explains it.


Yet another reason to check the rules as parsed using pfctl -sr.

Anyway, not trying to cut corners is the first step, then add log so you 
can see what's going on, use quick to avoid some packets falling through and 
being matched by a different rule than intended, and organize your rules so 
you can easily separate things out.


My rules are grouped together like this:

# default policy
block all

block in log general condition
pass  in quick some packets keep state
block in log quick general condition

block out log general condition
pass  out quick some packets keep state
block out log quick general condition

# Default policy catch all should never apply
block log all

the conditions for the pass rules should match those of the first block 
and then be more specific, say, only apply to one port. Doing so, the pf 
rule parser will optimize the ruleset.


Even if I know that a given rule can only match packets on the vr0 
interface, I explicitly state the interface. It makes it clear what's 
going on.


Once the ruleset is debugged and working you can remove the log statements.

BR, Erik
--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org
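The rule-number bookkeeping from this mail (pflog counts from 0 and skips the scrub line) and from the pfctl -sr / pfctl -sn discussion in the 2010-01-24 reply above, as an added example that is not part of the thread: a Python script that maps tcpdump pflog entries back to the rule text pfctl prints. The pfctl listings and pflog lines below are constructed after the ones quoted in the thread; the ALTQ notices are assumed to have been captured together with the rule listing.

```python
"""Map tcpdump pflog entries ('rule N/M(match): action dir on iface') back
to rule text from `pfctl -sr` and `pfctl -sn`.

Added example, not code from the thread. Conventions it encodes, as
discussed in the thread: pflog numbers rules from 0; pass/block actions
index the filter ruleset (pfctl -sr, minus the scrub lines printed at the
top); rdr/nat actions index the translation ruleset (pfctl -sn).
All sample output below is constructed for this example.
"""
import re
from typing import Optional

# pfctl on FreeBSD 8 printed these ALTQ notices alongside the rules when
# stderr was captured together with stdout (assumption: that is how the
# listing was pasted into the thread).
_NOISE = ("No ALTQ support in kernel", "ALTQ related functions disabled")
_NAT_ACTIONS = {"nat", "rdr", "binat", "nonat", "nordr", "nobinat"}

_PFLOG_RE = re.compile(
    r"rule (?P<num>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<iface>\w+):"
)

SAMPLE_SR = """\
No ALTQ support in kernel
ALTQ related functions disabled
scrub all fragment reassemble
pass in log inet proto tcp from any to 206.117.18.7 port = smtp flags S/SA keep state
pass in log on sis0 reply-to (sis0 192.168.25.1) inet proto tcp from any to any port = 75 flags S/SA keep state
block drop in log quick on dc0 from <blackhole> to any
"""

SAMPLE_SN = """\
No ALTQ support in kernel
ALTQ related functions disabled
no rdr on lo0 all
no rdr on lo1 all
no rdr inet proto tcp from <spamd-white-local> to any port = smtp
no rdr inet proto tcp from <spamd-white> to any port = smtp
rdr pass log inet proto tcp from any to any port = smtp -> 127.0.0.1 port 8025
"""

SAMPLE_PFLOG = [
    "14:01:27.133320 rule 0/0(match): pass in on dc0: 216.54.240.150.55782 > 206.117.18.7.25: S",
    "13:51:16.022700 rule 4/0(match): rdr in on dc0: 216.54.240.150.49821 > 127.0.0.1.8025: S",
    "10:44:45.037918 rule 2/0(match): block in on dc0: 71.109.162.173.39529 > 206.117.18.7.75: .",
    "11:55:20.910140 rule 81/0(match): block in on vr1: 172.16.1.127.52444 > 172.16.0.1.23: tcp 44",
]


def parse_ruleset(text: str) -> list:
    """Turn captured pfctl -sr / -sn output into a 0-indexed list of rules."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(_NOISE):
            continue
        if line.startswith("scrub "):
            # scrub rules form their own ruleset; pflog never refers to them,
            # which is the offset observed in the thread
            continue
        rules.append(line)
    return rules


def parse_pflog_line(line: str) -> Optional[dict]:
    """Extract rule number, sub-rule, action, direction and interface."""
    m = _PFLOG_RE.search(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["num"] = int(entry["num"])
    entry["sub"] = int(entry["sub"])
    return entry


def lookup_rule(line: str, filter_rules: list, nat_rules: list) -> Optional[str]:
    """Return the rule text a pflog line refers to, or None if it cannot be resolved."""
    entry = parse_pflog_line(line)
    if entry is None:
        return None
    ruleset = nat_rules if entry["action"] in _NAT_ACTIONS else filter_rules
    if entry["num"] >= len(ruleset):
        # ruleset was reloaded since the packet was logged, or the wrong
        # listing was supplied; do not guess
        return None
    return ruleset[entry["num"]]


def explain(pflog_lines, sr_text=SAMPLE_SR, sn_text=SAMPLE_SN) -> list:
    """Pair every pflog line with the rule it matched (None when unresolved)."""
    filt, nat = parse_ruleset(sr_text), parse_ruleset(sn_text)
    return [(line, lookup_rule(line, filt, nat)) for line in pflog_lines]


if __name__ == "__main__":
    for line, rule in explain(SAMPLE_PFLOG):
        print(line.split(" rule ")[0], "->", rule or "UNRESOLVED")
```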


Re: /etc/hosts.deniedssh

2010-01-18 Thread Erik Norgaard

David Southwell wrote:

Examples from hosts.deniedssh
I seem to be on the receiving end of a concerted series of unsuccessful break 
in attacks on one of our systems. One small part of the attack has  resulted 
in over 2000 entries in our hosts.deniedssh file in less than 1 hour. 

I would be interested in any comments on the small example shown below and any 
advice.


1. see thread from last week denying spam hosts ssh access
2. don't resolve ips
3. do a sort, you'll see that many come from the same network, possibly 
the same node with a new IP, block entire ranges, blocking individual 
ip's is futile.

4. consider blocking in your firewall
5. don't worry, unsuccessful attacks are - well, unsuccessful

BR, Erik

--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org
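Points 2, 3 and 4 above (do not resolve, sort so the shared networks become visible, block ranges in the firewall), as an added example that is not part of the thread: a Python script that groups the addresses of a hosts.deniedssh-style file by network and emits the ranges in the one-per-line form a pf table file takes. It assumes hosts.allow syntax, one entry per line; the sample file is constructed from documentation ranges.

```python
"""Aggregate the addresses in a hosts.deniedssh-style file by network so
that repeat offenders from one range show up as one line, in pf table
form, rather than as hundreds of individual entries.

Added example, not code from the thread. Assumptions: one entry per line
in hosts.allow syntax ("sshd : 203.0.113.17 : deny"); only the IPv4
address on each line matters; addresses are never resolved. The sample
file below is constructed from documentation ranges.
"""
import ipaddress
import re
from collections import Counter

_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

SAMPLE_DENIED = """\
# constructed sample, not a real hosts.deniedssh
sshd : 203.0.113.17 : deny
sshd : 203.0.113.18 : deny
sshd : 203.0.113.19 : deny
sshd : 203.0.113.200 : deny
sshd : 198.51.100.7 : deny
sshd : 198.51.100.7 : deny
sshd : 192.0.2.45 : deny
sshd : 192.0.2.46 : deny
"""


def extract_addresses(lines) -> list:
    """Pull every syntactically valid IPv4 address out of the given lines."""
    addrs = []
    for line in lines:
        if line.lstrip().startswith("#"):
            continue
        for token in _IPV4_RE.findall(line):
            try:
                addrs.append(ipaddress.IPv4Address(token))
            except ValueError:
                continue  # e.g. 999.1.1.1 matches the loose regex but is no address
    return addrs


def aggregate(addrs, prefixlen: int = 24) -> list:
    """Count entries per enclosing network, most frequent first."""
    counts = Counter(ipaddress.ip_network(f"{a}/{prefixlen}", strict=False) for a in addrs)
    return counts.most_common()


def suggest_blocks(addrs, prefixlen: int = 24, threshold: int = 3) -> list:
    """Networks with at least `threshold` distinct offending hosts, largest first.

    Distinct hosts rather than raw entry count, so a single noisy host does
    not get its whole range blocked on its own.
    """
    hosts_per_net = {}
    for addr in set(addrs):
        net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
        hosts_per_net.setdefault(net, set()).add(addr)
    candidates = [net for net, hosts in hosts_per_net.items() if len(hosts) >= threshold]
    return sorted(candidates, key=lambda n: (-len(hosts_per_net[n]), n))


def render_pf_table(nets) -> str:
    """One CIDR per line, the format a `table <name> persist file` entry loads."""
    return "".join(f"{net}\n" for net in nets)


if __name__ == "__main__":
    addrs = extract_addresses(SAMPLE_DENIED.splitlines())
    for net, n in aggregate(addrs):
        print(f"{n:5d}  {net}")
    print(render_pf_table(suggest_blocks(addrs)), end="")
```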


Re: denying spam hosts ssh access - good idea?

2010-01-12 Thread Erik Norgaard

Anton Shterenlikht wrote:

I'm thinking of denying ssh access to host from which
I get brute force ssh attacks.


This is a returning topic, search the archives. Anyway, the returning 
answer:


- why not let your firewall do the blocking? If your blocking is IP 
based that's the place to block.


- why do you default to allow? How about default block, and then add the 
few good networks you know that actually need access? Restricting access 
to your own continent is a good start. I made this tool to create lists 
of ip ranges for individual countries:


  http://www.locolomo.org/pub/src/toolbox/inet.pl

if you're in US then it may not work since some US companies have ranges 
delegated directly by IANA rather than ARIN, but these are few so it's 
easy to add ranges manually, check the list here:


http://www.iana.net/assignments/ipv4-address-space/ipv4-address-space.xml

- why allow password based authentication? disable password based 
authentication and rely on keys, then you can ignore all the brute force 
attempts.


- above not a solution? See if you can tweak the sshd_config:

MaxAuthTries
MaxStartups

can slow down brute force attacks, preventing them from sucking up resources.

Disable root login, restrict login to real users, if you have a group 
users just restrict to that using AllowGroups.


- trying to block individual offending hosts is futile, the attacker 
will usually try maybe a 1000 times, but the next one will likely come 
from a different address.


BR, Erik

--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org
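The sshd_config advice above (keys instead of passwords, MaxAuthTries and MaxStartups, no root login, AllowGroups), as an added example that is not part of the thread: a Python checker that reads the global section of an sshd_config and reports which of these mitigations is missing. It assumes OpenSSH's first-value-wins rule, skips Match blocks, takes missing directives at the old defaults, and the thresholds are this example's own choice; both config samples are constructed.

```python
"""Audit the global section of an sshd_config for the brute-force
mitigations discussed in the thread: key-only authentication, no root
login, low MaxAuthTries, rate-limited MaxStartups and an AllowGroups
restriction.

Added example, not code from the thread. Assumptions: only top-level
directives are checked (Match blocks are skipped), OpenSSH's first-value-
wins rule applies, and missing directives are taken at the old defaults
(PasswordAuthentication yes, PermitRootLogin yes, MaxAuthTries 6,
MaxStartups 10). The thresholds below are this example's choice.
"""
import re

WEAK_CONFIG = """\
# constructed sample: stock file with everything left at defaults
#PermitRootLogin no
#MaxAuthTries 6
#MaxStartups 10
PasswordAuthentication yes
ChallengeResponseAuthentication yes
"""

HARDENED_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
MaxStartups 10:30:60
AllowGroups users
PasswordAuthentication yes   # duplicate: ignored, the first value wins
"""


def parse_sshd_config(text: str) -> dict:
    """Return {lowercased keyword: value} for the global section."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break  # conditional settings need per-connection evaluation
        settings.setdefault(key, value)  # first occurrence wins, as in sshd
    return settings


def audit(settings: dict) -> list:
    """List the weaknesses found; an empty list means all checks passed."""
    findings = []
    if settings.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is not 'no': guessing passwords can still succeed")
    # With UsePAM, keyboard-interactive still prompts for a password unless
    # this is also off, so turning off PasswordAuthentication alone is not enough.
    if settings.get("challengeresponseauthentication", "yes").lower() != "no":
        findings.append("ChallengeResponseAuthentication is not 'no': PAM can still prompt for a password")
    if settings.get("permitrootlogin", "yes").lower() not in ("no", "prohibit-password", "without-password"):
        findings.append("PermitRootLogin permits password login as root")
    tries = settings.get("maxauthtries", "6")
    if not tries.isdigit() or int(tries) > 3:
        findings.append("MaxAuthTries above 3 lets one connection try several passwords")
    if ":" not in settings.get("maxstartups", "10"):
        findings.append("MaxStartups lacks the start:rate:full form, so unauthenticated connections are not dropped early")
    if not settings.get("allowusers") and not settings.get("allowgroups"):
        findings.append("Neither AllowUsers nor AllowGroups is set: every account is a login target")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(parse_sshd_config(text)) or ["ok"])
```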


Re: denying spam hosts ssh access - good idea?

2010-01-12 Thread Erik Norgaard

Anton Shterenlikht wrote:

- why not let your firewall do the blocking? If your blocking is IP 
based that's the place to block.


I'm already under the University firewall. Only port 22 is let through.
But even that fills my logs.


What I meant was that if you want to block IPs or ranges of IPs then a 
firewall is the place to block, it's efficient and simple.


If your university firewall doesn't satisfy you there is nothing that 
hinders you from configuring firewall rules on your server.


Cheers, Erik

--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org


System crashes under heavy disk i/o

2009-12-17 Thread Erik Norgaard

Hi:

I have had this problem for a while, both on 7.x and now with 8.0:

I have a:

FreeBSD 8.0-RELEASE-p1 #0: Fri Dec 11 11:53:19 CET 2009
norga...@localhost:/usr/local/obj/usr/local/src/sys/GENERIC
Timecounter i8254 frequency 1193182 Hz quality 0
CPU: VIA Nehemiah (800.04-MHz 686-class CPU)
  Origin = CentaurHauls  Id = 0x69a  Stepping = 10
real memory  = 268435456 (256 MB)
avail memory = 231383040 (220 MB)
atapci0: VIA 6420 SATA150 controller
ad6: 476940MB Seagate ST3500320NS SN04 at ata3-master SATA150

In normal operation I have no problem, but when performing intensive 
read or write for a prolonged time the system crashes. This happens also 
even if the partition is read-only. The crash occurs both with single 
large files (1GB) as well as many small files (10kb-10MB).


Currently, I'm backing up to an external drive over the network. I don't 
know if it's network related or disk related, but I guess it's disk 
related as I have no log of the failure. I don't know if it's the disk, 
controller or something else. This is a headless machine, so I'm left 
guessing.


My two questions:

- is there any utility that I can use monitor the system to see what's 
going on, when or why?


- is there any way that I can slow down the disk i/o?

since the system works fine in normal operation, I hope that slowing 
down the disk operation would be a workaround, at least till I get my 
data onto the external drive.


Thanks, Erik

--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org


Re: System crashes under heavy disk i/o

2009-12-17 Thread Erik Norgaard

Chuck Swiger wrote:

Hi--

On Dec 17, 2009, at 1:26 PM, Erik Norgaard wrote:

FreeBSD 8.0-RELEASE-p1 #0: Fri Dec 11 11:53:19 CET 2009
   norga...@localhost:/usr/local/obj/usr/local/src/sys/GENERIC
Timecounter i8254 frequency 1193182 Hz quality 0
CPU: VIA Nehemiah (800.04-MHz 686-class CPU)
 Origin = CentaurHauls  Id = 0x69a  Stepping = 10
real memory  = 268435456 (256 MB)
avail memory = 231383040 (220 MB)
atapci0: VIA 6420 SATA150 controller
ad6: 476940MB Seagate ST3500320NS SN04 at ata3-master SATA150

In normal operation I have no problem, but when performing intensive read or 
write for a prolonged time the system crashes. This happens also even if the 
partition is read-only. The crash occurs both with single large files (1GB) as 
well as many small files (10kb-10MB).


That's probably a sign of either thermal problems from inadequate cooling, or possibly PSU not giving stable voltage rails and sagging a bit too low; also, at least the older VIA C3 EPIA hardware had somewhat flaky PATA interfaces; if I tried to use both PATA channels I'd see lockups, unless I turned everything down to UDMA-33 speeds.  


I doubt it's the cooling, processor is currently at 48C with passive 
cooling. But it could be PSU, I got the system for low power fanless 
silent operation, but after having disk crashes with laptop disks under 
heavy i/o, I got a server disk to sustain the continuous use.


I'll try to slow it down and see if it helps, thanks for the advice.

Erik

--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org


Re: System crashes under heavy disk i/o

2009-12-17 Thread Erik Norgaard

Mel Flynn wrote:

Turn down operating mode via atacontrol. If using dump(8) use the cache 
feature and/or do the backup from live disk, so no other services are running 
and disk isn't accessed other than by dump.


Thanks, is there a way to set UDMA mode at boot?

BR, Erik
--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org


Re: Why is sendmail is part of the system and not a package?

2009-10-29 Thread Erik Norgaard

pete wright wrote:

On Tue, Oct 27, 2009 at 7:14 PM, Frank Shute fr...@shute.org.uk wrote:

FreeBSD: ?

I can't think of a good reason why FreeBSD should get rid of it.

Saying that, it would be neat if it was taken out of base and replaced
with something minimal that could cope with the demands of cron and
not much else. Then the user is expected to install a MTA of their
choice out of ports.

That would mean less code in base and fewer security advisories.


yea i like where you are going with this frank - perhaps when
opensmtpd is done we'll be in the position to import this into the
freebsd tree?  it sounds like it might fit the bill :)


But, do we actually need an MTA in the base? The only arguments I have 
seen in this thread are:


- because it's been there since the beginning of history
- because cron requires it to send the daily reports

For the first, that may be so, but what was a good idea at the beginning 
of history may not be so today. The argument is invalid. For the benefit 
of the project, it should continuously be considered if legacy code can 
be removed and offered as an optional component for those relying on it.


For the second, honestly: If cron is the only application that requires 
an MTA then maybe it should be considered if that is a good solution. I 
think it is a very heavy requirement for what is otherwise very simple.


If you deploy a SOHO network with FBSD at home, you may not use your own 
mailservice but depend on some other service. Then you likely don't read 
local mail regularly and it suffices for you to keep the output of cron 
in a plain text file in /var/log. Or you may have cron send mails to 
your mailservice. In either case, there is no need for an MTA like 
sendmail, you only need a simple client.


If you deploy FBSD in larger networks, then you may opt for some other 
MTA. Let's face it, sendmail isn't exactly easy to setup for advanced 
features.


And, you don't need an MTA on all systems, only on the mail gateway, 
other systems just need a mail client for cron - if you don't use some 
more advanced monitoring system, having a dedicated syslog server for 
example.


It appears to me that having an MTA in base is obsolete. A simple client 
would do if anything at all. Further, if keeping an MTA costs resources 
in patching and testing for every new release, then it goes from being a 
remnant from history to slow down progress for the project.


BR, Erik
--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org



Re: Why is sendmail is part of the system and not a package?

2009-10-29 Thread Erik Norgaard

Giorgos Keramidas wrote:


So Sendmail is a pretty heavy-weight program, but it also supports a lot of
features. 


Which was the point, if the only process in base that requires some way 
to dump output other than send to syslog, is cron, then Sendmail is a 
disproportionate solution for the problem.



A replacement that would merely support local delivery would be
mostly ok for some users but then everyone who _needs_ the special stuff
Sendmail can do now would have to install a port.


I don't argue for a replacement but for the elimination. Install a port 
if you need an MTA, you're happy with that way for so many other 
standard services.



It appears to me that having an MTA in base is obsolete. A simple client
would do if anything at all. Further, if keeping an MTA costs resources
in patching and testing for every new release, then it goes from being a
remnant from history to slow down progress for the project.


Having a local MTA, even in a SOHO network may be useful.  Instead of going
through the same hoops to configure 4 different email clients, you can set
up the local MTA and tell all your local mailer programs send any of your
messages to `localhost' and they will be delivered as usual.


There are tons of things that may be useful for somebody on a SOHO 
network. I don't agree you need an MTA when the only application 
requiring it is cron.


The default should be to dump cron output to a file. No need to setup 4 
mail clients. Only if you want to send the output to a remote address 
would you need to do this.



Having an MTA in the base system may not be obsolete.


The option remains to install from ports as with so many other things.

My concern is if some heavy legacy application, because of history or 
tradition, remains in base will draw resources from advancing in other 
areas that are much more relevant today.


BR, Erik

--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org


Re: Why is sendmail is part of the system and not a package?

2009-10-29 Thread Erik Norgaard

Ruben de Groot wrote:

On Thu, Oct 29, 2009 at 06:55:20PM +0100, Erik Norgaard typed:

Giorgos Keramidas wrote:
I don't argue for a replacement but for the elimination. Install a port 
if you need an MTA, you're happy with that way for so many other 
standard services.


Isn't this going a little too far? What other posix systems ship with no
default MTA at all? Not many I would say.


That would be a valid argument if an MTA is required to comply with the 
posix standard. AFAIK it is not.


The default should be to dump cron output to a file. No need to setup 4 
mail clients. Only if you want to send the output to a remote address 
would you need to do this.


No need to setup mail clients? How about you having to create an 
infrastructure to parse all these files on your servers? I like the way it
is: create an alias for root and be done with it.


What? This is silly. Currently cron sends you output to the root inbox, 
do you require an infrastructure to parse these mails? I suggest to dump 
this same output to a file which can easily be read using more.



The option remains to install from ports as with so many other things.


And many other things not. Or do you want to go the linux way: just a kernel
and the rest in packages? I like a complete OS.


That's the key to the discussion, when is the OS complete? I could do 
without Sendmail, FTP daemon and NIS. Or the other way, why is there no 
http daemon in base, or no ldap? There really is no right answer to 
that, things change.


It is always a valid discussion to question what should be part of base, 
if new things should be included and other things removed or replaced. 
If you reject this discussion with arguments such as because it's 
always been there then you risk FreeBSD will simply become legacy itself.


My concern is if some heavy legacy application, because of history or 
tradition, remains in base will draw resources from advancing in other 
areas that are much more relevant today.


sendmail is NOT a legacy application. It's actively being developed 
ON FreeBSD. Actually, the maintainer(s) are doing a great job and are
definitely NOT drawing resources from anyone or anything else.


Of course it is being actively developed, it has to, it's in base. You 
suggest that if Sendmail was not in base, then these developers 
currently maintaining Sendmail would be doing nothing instead?


Yes, it does take resources. How much resources are spent on Sendmail, I 
have no idea.


These discussions are. 


Absolutely, I was just bored, so, it seems, are you :)


Also the sources in /usr/src/contrib/sendmail/src are 2.2 MB. That's
not heavy at all.


File size is not a measure of code quality, or the effort required to 
maintain it.


Regards, Erik

--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: Why is sendmail is part of the system and not a package?

2009-10-27 Thread Erik Norgaard

Jonathan McKeown wrote:

Just as a matter of interest, if you want to rip sendmail out of the base 
system, which MTA would you like to replace it with? Or are you suggesting 
the system ship with no way to handle mail?


This thread is moving off topic from the OP, but it is always fair to debate 
what should be considered a base system. Is an MTA a requirement or a 
remnant from history?


And if an MTA is a requirement then asking which one is the best choice 
is also a fair question. An equally fair answer could be whichever 
change requires the least work.


No different than asking, why is NIS still in the base? Why no ldap? Why 
BIND, but no http? Why NFS? etc...


I think the only void answer is "because of tradition", that just seems to 
show that no one really remembers why some choice was made.


BR, Erik
--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org


Re: Wifi Router and FreeeBSD - need some hints..

2009-10-25 Thread Erik Norgaard

herbert langhans wrote:

Hi Daemons,
I need some basic information about Wifi routers - very little I know about it.

There is my FreeBSD-server (the other one is Linux) and some clients are 
connected with a LAN-switch.

Now I want to add a Wifi Router to the network. I am not sure if I can set up the router without using some Windows software that comes with the router. 


My questions:
I just connect the Wifi router to the LAN and it should work? Or do I need any 
software (drivers) to keep the thing running?

There must be some software to 'talk' to the router - for setup. Is there 
anything available for FreeBSD or do I need a Windows environment (which I don't 
have available)? What did you use to install your Wifi-router?


It depends on the router. Many if not most routers provide a web based 
configuration tool, but a special application may be needed to update 
firmware.


I have an Airport Extreme, works great, but no web interface. My DSL is 
a 3Com with WiFi, it also has a web interface. I have seen routers that 
allow a command-line configuration tool: connect with ssh or telnet and 
upload or download the configuration with ftp.


BR, Erik
--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org


packet filter keep state doesn't

2009-10-23 Thread Erik Norgaard

Hi:

I have a setup like this:

LAN  SRV
   CLIENT --- FBSD --- GW/DSL  Internet

Now, I'd like my client to connect to the DSL box to manage it, so I 
have created the following rules in my pf.conf:


pass  in log quick on $FBSD_LAN inet proto tcp from CLIENT to GW \
 port 80 flags S/SA keep state
pass  out log quick on $FBSD_SRV inet proto tcp from $FBSD_IP \
 to Internet port 80 keep state
block out log quick on $FBSD_SRV any

I added the log keyword for debugging. It turns out that the packet is 
blocked by the last rule, despite the keep state.


Am I doing something wrong or is this how it is supposed to be? I 
thought that I could just concentrate on filtering the incoming 
packets using keep state, then the out rules would only apply to packets 
originating from the FBSD box.


The curious thing is that since the FBSD box does NAT for connections 
with the Internet, packets destined for the Internet are not affected.


Thanks, Erik

--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org


Re: Which mail server?

2009-09-27 Thread Erik Norgaard

Aflatoon Aflatooni wrote:

Hi,
I am running a server that is acting as the mail server for only internal users 
(about 50 users). Currently we are running Sendmail, but reading on other 
discussions I noticed that qmail and other programs are suggested.
I am wondering if qmail is thought to be better than sendmail. Is there a matrix of features and functionalities that would compare the different mail servers? 
Any suggestions on spam filters like spam-assassin?


Qmail has a very limited set of features, it is simple, efficient and 
pretty easy to set up, and has a track record as a secure alternative to 
sendmail.


Postfix I think is the flexible and popular alternative to sendmail. It 
supports most if not all of sendmail's features and easily integrates with 
a number of filtering solutions as well as imap and ldap servers.


BR, Erik

--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org


Re: LDAP server gone - impossible to login locally!

2009-09-22 Thread Erik Norgaard

Daniel O'Connor wrote:

On Tue, 22 Sep 2009, O. Hartmann wrote:

I run into trouble with FreeBSD and LDAP on a regular basis!

Sometimes it is necessary to log in to a bunch of servers with no
LDAP service responding, due to service, crash, electrical
disconnection, whatever. The problem is: I can't.
Using all prerequisites from ports (pam_ldap/nss_ldap/ldap as most
recent) my /etc/nsswitch.conf looks like this as it has been the most
reasonable (and only working!) solution for the past 2 years:

passwd: ldap [unavail=continue notfound=continue] files
[success=return notfound=return]


I just have
passwd: cache files ldap
group: cache files ldap

and I can login as root locally without any delay.

That said my LDAP server is on the same machine so perhaps it fails 
faster. I am using uri ldapi://%2fvar%2frun%2fopenldap%2fldapi/ to 
connect to.




This sounds like the correct solution, AFAIK it's the same concept as 
for NIS: first check local files, then ldap. You don't want your root 
credentials to possibly be leaked across the network. On the other hand 
you don't want or need user accounts in the local files.


By default, first check local files, which is fast, then fall back on ldap 
if the user is not found.


BR, Erik
--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org


Re: What should be backed up?

2009-08-24 Thread Erik Norgaard

Jeffrey Goldberg wrote:

This is one of the several reasons that I use rsync (via rsnapshot).   
At each increment, it backs up the minimum that is needed.  With the  
cost of having a complete backup which duplicates what you would find  
in a reinstall, you have a complete system.


For binaries, I find it much safer/easier to reinstall, then you're sure 
all dependencies are installed correctly and the pkg database is 
updated correctly.


For the rest of the files, having a complete backup I'll have to trace 
through what differs from the distributed/default configuration etc. 
Doing that from the start is much easier. And, the default configuration 
comes with the source, so no need to backup that.


Of course this is also because when the recovery strategy is to 
reinstall, I'll likely upgrade while at it. So I can't blindly assume 
old default configuration files will work without modifications.


BR, Erik
--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org


Re: What should be backed up?

2009-08-24 Thread Erik Norgaard

John Almberg wrote:
If you have any databases or ldap service, then you want to add  
those as well, but it is recommended to dump these rather than  
backup the files themselves.


I'm learning a lot from this thread. Thanks for all the suggestions.

The paragraph above raises one more question... how to use the  
backup_script feature of rsnapshot.


I don't know your backup_script, but you can just add to it. It is 
usually possible to give read only remote access, with or without 
password, from the server where you store your backups. Then all you 
need is to add a few lines to your script.


For ldap, you'll want to create an ldif format dump. For sql, check out 
the various dump formats. The more standard the SQL, the more secure you 
are, but it comes at the price of time when recovering data.


For sql, you may also consider whether to include statements for 
dropping existing tables and databases as well as include create 
statements. It really depends on which disaster you're preparing for. It 
may be possible to create one dump with drop/create statements to 
recover database structure, and another dump with data.


The reason you'll want to dump ldap/sql data is that you ensure data 
integrity if your backup coincides with some update of the database. 
Also, you can use the backup when upgrading or even if you change 
database, say from mysql to postgresql - for this you need as strict an sql 
backup as possible, both allow some shortcuts that are faster for 
recovery but may be incompatible with other databases. Make the backup 
verbose, ensure that things like the default character set are included in 
the dump, make sure that binary blobs are dumped in base64 etc...


You _can_ do file backup of your databases, it is certainly faster to 
recover from a file backup, but you run the risk of inconsistencies.


The same problem of data inconsistencies can happen with any other file 
backup:


you may wish to temporarily stop local mail delivery while you back up 
users' mail boxes. Mail will remain in the queue till the backup terminates 
and local mail delivery is re-enabled.


you may consider not backing up log files, or only files after they have 
been rotated so they are no longer written to.


you may consider locking down user access while home directories are 
backed up, etc.


It all depends on the time required to complete the backup and the 
normal activity on the systems while you backup.


And - don't forget - now that you have everything nicely backed up, you 
need a data destruction policy to ensure that you don't accidentally 
keep personal data from old users.


BR, Erik

--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org


Re: Continuous backup of critical system files

2009-08-24 Thread Erik Norgaard

Maxim Khitrov wrote:


I'm setting up a firewall using FreeBSD 7.2 and thought that it may
not be a bad idea to have a continuous backup for important files like
pf and dnsmasq configurations. By continuous I mean some script that
would be triggered every few minutes from cron to automatically create
a backup of any monitored file if it was modified.

...

so the continuous backup would really be for times when someone makes
a mistake editing one of the config files and needs to revert it to
a previous state.


It appears to me that you should review your procedures rather than deploy 
such a backup solution. Critical files rarely change (or should rarely 
be modified), there should be no need to back up every 10 minutes.


The more critical the file and the change applied the more testing 
should be done beforehand and the more care should be taken during the 
process to ensure that the original can easily be reinstated. You don't 
want to spend time digging it up from some backup. If your files are 
very critical then you should have a cvs repository in place as well as 
a testing environment. I guess this is not the case.


If they are less critical then good practices are the way to go: Before 
modifying anything create a backup in the same location. I add a serial 
number rather than .bak, .old, .tmp, .new etc., which is really confusing. 
I use .MMDDXX, and .orig for the original/default file. It's easy 
to see when a file was modified and make diffs with the original and 
also delete old backups this way; with .old you really have no 
continuity, you can't name your next backup .older.


Further, for small tweaks, I comment/uncomment parameters and apply 
these for fast testing from another session, so I don't even exit the 
editor. Certainly, I may save and test the file multiple times while 
tweaking, but in the end, there are only two files worth keeping: the 
last stable and the current.


Of course, I'm not saying it's a bad idea to keep backups, only that if 
you find a need to continuously backup files as mentioned, then you 
should review your procedures.


See also the current thread on what should be backed up.

BR, Erik

--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org
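The dated serial naming described in the reply above, written out as a small helper. This is an added example, not the poster's own script; it assumes POSIX sh, cp(1) and date(1), and it assumes a .YYYYMMDDNN suffix layout (date plus a two-digit serial), which is my reading of the scheme, not something the post spells out.

```shell
#!/bin/sh
# Pre-edit backup with a dated serial suffix (added example, not from the thread).
# Assumptions: POSIX sh; suffix layout .YYYYMMDDNN with NN a two-digit serial.

# bak FILE [STAMP]
# The first time FILE is backed up a pristine copy goes to FILE.orig, so
# "diff FILE.orig FILE" always shows everything changed since install.
# Every call then copies FILE to FILE.<STAMP><NN>, where NN is the next
# free serial for that stamp. STAMP defaults to today's date; passing it
# explicitly makes the result deterministic. Prints the backup's name.
bak() {
    file=$1
    stamp=${2:-$(date +%Y%m%d)}
    [ -f "$file" ] || { echo "bak: $file: no such file" >&2; return 1; }
    # Keep the original exactly once; later edits must not overwrite it.
    if [ ! -e "$file.orig" ]; then
        cp -p "$file" "$file.orig" || return 1
    fi
    n=1
    while :; do
        suffix=$(printf '%s%02d' "$stamp" "$n")
        [ -e "$file.$suffix" ] || break
        n=$((n + 1))
        [ "$n" -le 99 ] || { echo "bak: serial exhausted for $stamp" >&2; return 1; }
    done
    cp -p "$file" "$file.$suffix" || return 1
    printf '%s\n' "$file.$suffix"
}

# list_backups FILE
# Dated backups of FILE, oldest first. Because the suffix sorts
# chronologically, a plain sort gives the continuity that .old/.older lacks,
# and pruning "everything before a date" is a matter of comparing names.
list_backups() {
    for f in "$1".[0-9]*; do
        [ -e "$f" ] && printf '%s\n' "$f"
    done | sort
}
```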


Re: What should be backed up?

2009-08-22 Thread Erik Norgaard

Jeffrey Goldberg wrote:

On Aug 21, 2009, at 2:33 PM, John Almberg wrote:

I am currently using rsnapshot to back up these directories on a  
FreeBSD 7.2 webserver:


/etc
/usr/home
/usr/local
/var/cron



Here is my exclude list from my rsnapshot.conf

  exclude /var/log
  exclude /var/tmp
  exclude /usr/obj
  exclude /usr/ports/distfiles
  exclude /usr/local/squid

Also I backup by file system, so I'm already excluding /tmp


Yes, it's easy to miss something that should have been backed up. There 
is no point in backing up files other than those you modify yourself, 
unless you plan to create an exact image and recover using dd.


After installation you can do

# date > /tmp/TIMESTAMP

then you can create a list of files that have been modified after that 
time with find,


# find / -newer /tmp/TIMESTAMP > /tmp/backupfilelist

If you have a backup cronjob, then you can use the same method to back up 
only files modified since the last backup.


On a base system with no services running, I'd restrict backup to

/etc
/home

If you've got any ports installed, add

/usr/local/etc
/var/db/ports

What else to add to the list really depends on which services you run, 
named, mail, cvs, web, ftp, nis, etc. and if these have critical files 
in other directories.


If you have any databases or ldap service, then you want to add those as 
well, but it is recommended to dump these rather than backup the files 
themselves.


I wouldn't backup source or the ports distribution, you have an online 
backup available :) If you rely on a particular snapshot, then you 
should configure that in your supfiles. But if you need to recover 
without network access you should backup source and the ports tree as 
well as distfiles or build packages whenever you install from ports and 
keep those backed up.


BR, Erik

--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org
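The timestamp-and-find method from the post above, carried through to a complete incremental run. This is an added example, not code from the thread; it assumes POSIX sh, find(1), tar(1) with -T and mktemp(1), and the directory layout in the test is constructed. The one point the post leaves implicit is shown explicitly: the new marker is written before the scan starts, so a file changed while the backup runs is picked up next time rather than falling into the gap between "scan finished" and "marker updated".

```shell
#!/bin/sh
# Incremental "files changed since the last run" backup built on find -newer.
# Added example, not from the thread. Assumes POSIX sh, find(1), tar(1) -T, mktemp(1).

# list_modified ROOT MARKER OUTFILE [EXCLUDE_DIR ...]
# Writes to OUTFILE every regular file under ROOT (same filesystem only)
# modified after MARKER, skipping each EXCLUDE_DIR subtree (/var/log,
# /usr/obj and the like). If MARKER does not exist yet, this is the first
# run and every file is listed, i.e. a full backup. Prints the file count.
list_modified() {
    root=$1; marker=$2; out=$3; shift 3
    prune=""
    for d in "$@"; do
        # Quoted for the eval below; paths containing a single quote are not supported.
        prune="$prune -path '$d' -prune -o"
    done
    newer=""
    if [ -e "$marker" ]; then
        newer="-newer '$marker'"
    fi
    eval "find '$root' -xdev $prune -type f $newer -print" > "$out" || return 1
    wc -l < "$out" | tr -d ' '
}

# snapshot_since ROOT MARKER ARCHIVE [EXCLUDE_DIR ...]
# Archives what changed since MARKER, then advances MARKER. The new
# timestamp is taken *before* scanning: anything modified during the scan
# or the tar run is then newer than the next MARKER and is caught on the
# following run instead of being lost. MARKER only moves forward once the
# archive was written successfully.
snapshot_since() {
    root=$1; marker=$2; archive=$3; shift 3
    list=$(mktemp) || return 1
    touch "$marker.new" || { rm -f "$list"; return 1; }
    list_modified "$root" "$marker" "$list" "$@" > /dev/null \
        || { rm -f "$list" "$marker.new"; return 1; }
    if [ -s "$list" ]; then
        # tar strips the leading / from member names and may warn about it.
        tar -cf "$archive" -T "$list" || { rm -f "$list" "$marker.new"; return 1; }
    else
        : > "$archive"   # nothing changed: empty archive, marker still advances
    fi
    mv "$marker.new" "$marker"
    rm -f "$list"
}
```

Run it from cron with a fixed marker path and one archive name per run; the marker file is the only state the script keeps.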


Re: Recovering files after a crash

2009-08-20 Thread Erik Norgaard

Roland Smith wrote:

On Wed, Aug 19, 2009 at 09:59:32AM +0200, Erik Norgaard wrote:
Thanks, I couldn't decipher these GEOM_LABEL messages, nice to know that 
I can stop worrying. But for future incidents, the second question remains:


1. How do I best protect my system from disk errors in case of a crash?


One word: _backups_!

I have a headless system with no spare head to attach and doing 
single-user blind-folded is further complicated by the fact that I'm not 
native to the US keyboard layout, so my top priority is that it boots.


If you can connect it to another system (that has a monitor) via a serial
null-modem cable and you enable the serial console (see the Handbook), you can
watch the boot process from the other system.

If you don't have another machine close by, you should get a network-accessible
KVM switch with serial connectors. [maybe something like this:
http://www.knuerr.com/web/en/products/kvm/kvm-switch-dominion-ksx.html] 
With such a switch and the serial console you should be able to watch the boot
of the machine remotely.


Ok, maybe I didn't make myself clear: I wish to protect my filesystem 
against corruption in case of a crash such that it will boot.


- How can I configure my system to reduce the probability that a crash 
will cause file system inconsistencies that require single user mode 
intervention?


Backups do not answer that question, they are great for recovering 
lost data but don't prevent the crash.


KVM and serial console don't answer the question either. Certainly, they 
make it easier to work headless. But neither prevents disk corruption.


A UPS reduces the likelihood of a crash in case of a power failure, but 
that doesn't answer the question either.


Assume that a crash will happen, how do I prevent or reduce the risk of a 
crash causing disk corruption such that the system will boot up nicely 
again?


BR, Erik
--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org


Re: Recovering files after a crash

2009-08-19 Thread Erik Norgaard

Roland Smith wrote:

On Tue, Aug 18, 2009 at 09:30:15AM +0200, Erik Norgaard wrote:



The problem is that I have no idea which files were affected.

So, now some questions:

First, how do I determine which files were corrupted? And how do I 
recover these files?


From what you have shown it is impossible to tell.

A short filesystem check (fsck -F) is run at boot time. If no major problems
are found, the complete filesystem check is done later in the background.
The result of that check will be visible in /var/log/messages.


Thanks, I couldn't decipher these GEOM_LABEL messages, nice to know that 
I can stop worrying. But for future incidents, the second question remains:


1. How do I best protect my system from disk errors in case of a crash?

I have a headless system with no spare head to attach and doing 
single-user blind-folded is further complicated by the fact that I'm not 
native to the US keyboard layout, so my top priority is that it boots.


2. When you have lost inodes or similar errors and stuff ends up in 
lost+found, how do you figure out what it was and recover the lost files?


Is there a FBSD crash guide?

Thanks, Erik
--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org


Re: freebsd

2009-08-19 Thread Erik Norgaard

BONGANI MANGANYE wrote:

I know FreeBSD is free but I would like to know how much I will pay if I
need additional packages like updates and other useful software, and can
you tell how secure it is and how protected I will be if I use FreeBSD


FreeBSD is free, and any updates are free. Third party applications may 
or may not be free depending on the license terms and the intended 
usage. This is no different than for any other operating system.


There is only one operating system (AFAIK) that claims a definite level 
of security: OpenBSD claims to be secure by default and shows an 
impressive track record. This is defined as: there are no known remote 
exploits in the most recent version in the default installation. However, 
any change to the default configuration or installation of third party 
applications may change that.


Really, there is no common or objective scale for comparing the security 
of different systems. Regardless of any claims, all liability is disclaimed.


BR, Erik
--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org


Recovering files after a crash

2009-08-18 Thread Erik Norgaard

Hi:

I woke up to a crash this morning after a power failure, and now dmesg 
shows this:


WARNING: / was not properly dismounted
GEOM_LABEL: Label ufsid/442f8ac1c0db9af2 removed.
GEOM_LABEL: Label for provider ad6s1a is ufsid/442f8ac1c0db9af2.
GEOM_LABEL: Label ufsid/442f8ac5a7fa5dda removed.
GEOM_LABEL: Label for provider ad6s1d is ufsid/442f8ac5a7fa5dda.
GEOM_LABEL: Label ufsid/442f8ac950b22b46 removed.
GEOM_LABEL: Label for provider ad6s1e is ufsid/442f8ac950b22b46.
GEOM_LABEL: Label ufsid/442f8ad3e5c88ab8 removed.
GEOM_LABEL: Label for provider ad6s1f is ufsid/442f8ad3e5c88ab8.
GEOM_LABEL: Label ufsid/442f8ad59f647596 removed.
GEOM_LABEL: Label for provider ad6s1g is ufsid/442f8ad59f647596.
GEOM_LABEL: Label ufsid/442f8ae2200a8064 removed.
GEOM_LABEL: Label for provider ad6s1h is ufsid/442f8ae2200a8064.
GEOM_LABEL: Label ufsid/442f8ac1c0db9af2 removed.
GEOM_LABEL: Label ufsid/442f8ac5a7fa5dda removed.
GEOM_LABEL: Label ufsid/442f8ac950b22b46 removed.
GEOM_LABEL: Label ufsid/442f8ad3e5c88ab8 removed.
GEOM_LABEL: Label ufsid/442f8ad59f647596 removed.
GEOM_LABEL: Label ufsid/442f8ae2200a8064 removed.

The problem is that I have no idea which files were affected.

So, now some questions:

First, how do I determine which files were corrupted? And how do I 
recover these files?


Second, / is mostly read-only, in fact, I can't think of any file on 
that partition that should be modified at all: /tmp is on a separate 
partition, I have source files on /usr/local rather than the default, in 
fact, only root user files are modified during a normal day, but it's 
been days since I logged in as root.


How do I protect read-only files from being corrupted in the first 
place? I have tried mounting / read-only but that gave a load of other 
problems.


Thanks, Erik


--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org


Re: please help to uninstall FreeBSD!!!

2009-08-10 Thread Erik Norgaard

Raisa Brokhshtut wrote:


My old desktop has FreeBSD that I have never used. One of the friends of my son 
installed it long ago, but no one used that PC since then. Now I want to get 
rid of this program and to install Windows. Every time I boot this PC it 
prompts for a user login which I don't know. This guy who installed FreeBSD is 
not around anymore.
 
Anyway, I would greatly appreciate if you would guide me how to uninstall that program. I don't have a Windows rescue CD. So I want to completely remove that FreeBSD from my PC and to install the Windows operating system from CD. 


Simply boot the Windows install CD and install, no need to uninstall 
FreeBSD first. If the system doesn't boot the CD, booting from CD is 
possibly disabled in the BIOS or set as the second boot option. Check in the 
BIOS that the system tries to boot first from CD-ROM, then from hard disk.


BR, Erik

--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org


Re: Building home router: 192.168.0.x to access internet

2009-08-09 Thread Erik Norgaard

Nerius Landys wrote:

First, my choice of internal network IP addresses is 192.168.0.x.  My
router machine's IP address will be 192.168.0.254 (that's the
interface facing the internal network).  The IP addresses of the
machines behind the router will start at 192.168.0.2 and go up.  I'm
wondering if this choice of IP addresses is conventional or good.  Is
this numbering scheme decent?  This is the way I had it set up
earlier.  I've seen a lot of networks using 192.168.1.x and the router
would be 192.168.1.1.


Whichever works. I don't think there is reason to speculate about best 
practices as to which gets to be number 1, however you may consider 
dividing the address space into ranges for different uses. You may like 
to group servers in a particular range and clients in another so that 
you can create firewall rules accordingly.


My network is 172.16/23. The range 172.16.0/24 I use for statically 
configured nodes, servers, access points etc. The 172.16.1/24 I use for 
dynamically configured nodes, laptops.


The reason is that I'm using dynamic dns on my LAN. The reverse map 
zones cannot be created for classless networks, you have to define the 
reverse zone for a /16 or /24 network. So to ensure that my static 
servers' reverse map cannot be modified I have split my range such that 
dynamic and static addresses can be separated.


For my static range, I have divided it into two, 172.16.0.0/25 and 
172.16.0.128/25, the first for production servers, the latter for testing 
and development. This is just a convention I have established, I thought 
it might be a good idea, but it is not configured in any way.


For my dynamic range, in my dhcpd configuration I have created two 
ranges, 172.16.1.0/25 and 172.16.1.128/25.


The first I assign to known hosts, that is hosts I have registered the 
MAC address of and know the owner. I haven't statically assigned a 
particular ip to a particular MAC, I just created a host entry in the 
dhcpd.conf with the MAC.


The latter range I use for unknown hosts, so when somebody connects they 
are easy to identify as foreign. This also permits creating special 
rules in my firewall so that strangers do not get the same unlimited 
access as friends. Of course, this is very crude as anyone can just 
reconfigure their address to get unlimited access, but



So now to the problem of being able to connect from a 192.168.0.x
machine to an outside IP address.  The way I did this before was by
adding 'gateway_enable=YES' to /etc/rc.conf and then using the
OpenBSD packet filter (pf) to do a NAT thing.  I'm wondering if this,
in your opinion, is the preferred way to do things in order to set up
an internal network which can access the outside internet directly.


Yes, that's a great idea.


If so, can someone give me a really minimal yet secure packet filter
rule set that would do the job? (I'm prepared to read the pf docs,
which will take me a few hours.)  The router will connect to the
outside via DHCP, and from what I remember I had to add a rule to not
drop packets that were DHCP-related.


See the packet filter documentation, IIRC they have also sample filters 
for common setups such as yours.


BR, Erik
--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org


Re: Physically securing FreeBSD workstations /boot/boot2

2009-08-06 Thread Erik Norgaard

Nerius Landys wrote:

Hi.  I am attempting to secure some workstations in such a way that a
user would not be able gain full control of the computer (only user
access). However, they are able to see and touch the physical
workstation.


I assume that users cannot tinker with the hardware, take it apart, add 
a different disk etc. and that only authorized users can physically 
access the computer. That's what physical security is about.


I understand you may have some authorized user who will nevertheless try 
to gain elevated privileges. That's really logical security, local that 
is as opposed to remote/network security.



2. Go to loader menu and load (boot kernel) with some custom
parameters or something.  I've secured the loader menu by
password-protecting it (/boot/loader.conf has password) and
/boot/loader.conf is not world-readable.

And I'm sure there are other things, I just forgot them.


You can configure the loader so as not to present any loader menu but 
boot right away. If you need the option of booting into single user 
mode, then you can password protect single user mode.



So my question is: Is this [securing of the workstation] worthwhile,
or should I just forget about this kind of security?  I want to make
it so that the only way to gain full control of the computer is by
physically opening up the box.


You can always make it more difficult, which should give you less to 
worry about. You have to weigh how much work it takes against how much 
you really have to worry about, then decide when it's enough.


How about running diskless? How about centralized authentication with 
NIS or LDAP?


Another option is to disable root locally, that is the account still 
exists but with * in the password field. If each workstation runs sshd 
you can use key based authentication to gain privileged access remotely 
while local access is disabled.



I noticed that boot2 brings up a menu like this one when I press space
during the initial boot blocks:


FreeBSD/i386 BOOT

Default: 0:ad(0,a)/boot/loader
boot:

I guess it would be possible to stick in a floppy disk or something
and boot from there?  So my question is, is this a threat to my plan,
and if so, how can I disable this prompt?


You've still got floppies? Wow. How about trying to boot a floppy with 
your current configuration? I'm not sure that it will work at that stage 
if it has been disabled in the BIOS. It might be possible to load the 
kernel from the hard disk then tell the kernel to mount the floppy as 
root device. You could solve that by compiling a kernel without floppy 
support and deleting the kernel module.


You need to learn how to script the loader, read the source code, I 
don't recall finding much documentation on that last time I looked.


Others suggest you encrypt the hard drive, I don't find it very useful in 
your case, I assume your users need to access the systems and use them 
for the intended purposes and you just want to protect against someone 
trying to escalate his privileges.


If you encrypt partitions with geli then you'll have to enter the 
password every time somebody reboots. However, you should consider 
encrypting swap and the temporary partition; together with a forced reboot 
on logout you avoid session data getting into the hands of the next user.


BR, Erik
--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org


Re: How to find real CPU temperature?

2009-08-05 Thread Erik Norgaard

Unga wrote:

Hi all

I'm running FreeBSD 7.2 on Intel P4 computer.

The lmmon -i shows 21C and when I go to the BIOS it shows 65C! The BIOS reading seems to 
be correct as the CPU heat pipe is very hot, to the extent that I cannot touch it.

How do I read the real BIOS temperature readings while FreeBSD is running, to 
check whether the computer is overheating?


$ sysctl hw.acpi.thermal.tz0.temperature

on my computer shows 56C
--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org

