Re: FreeBSD:: How to set VLAN priority?

2013-06-26 Thread Fleuriot Damien

On Jun 26, 2013, at 1:55 PM, Alex Liptsin al...@mellanox.com wrote:

 Hello.
 
 I work with FreeBSD 9.1 RELEASE.
 I had configured VLANs on my server, but I can't find a way to configure VLAN 
 priority.
 How can I do it?
 
 Thanks.


???
vlan priority as in… ?

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


sshd - time out idle connections

2013-05-03 Thread Fleuriot Damien
Hello list,



I'm facing this unusual demand at work where we need to time out idle SSH 
connections for security purposes.

I've checked the following options from sshd_config but none seems to fit my 
needs :
TCPKeepAlive
ClientAliveCountMax
ClientAliveInterval


Basically, I'm trying to defeat the use of the following client-side option:
ServerAliveInterval 5


I'm afraid all I've hit now is dead ends.


Has anyone ever had the same requirements before and, perhaps, found a solution 
to this ?



Re: sshd - time out idle connections

2013-05-03 Thread Fleuriot Damien
Thanks for your response Markham,


I'm afraid labor law is much too protective here for us to be able to educate 
users in this way ;)

Your idea to run a cron job every X minutes has merit though, I'll try and 
check into that !


On May 3, 2013, at 4:51 PM, markham breitbach markham_breitb...@ssimicro.com 
wrote:

 Depending on the shell you are using, you may be able to set that to 
 auto-logout, or you
 could set a cron job to run every 5 minutes and terminate tty's with > 5min 
 idle time.
 
 Honestly though, you will rarely find a good technical solution to a social
 problem--there's always a work-around--and this is a social problem.  If 
 there is a
 company security policy stating that ssh sessions are not to be left idling > 
 5 min, then
 make sure everyone is aware of this policy and start handing out pink slips 
 to people that
 violate it.
 
 -M
 
 
 On 13-05-03 8:28 AM, Fleuriot Damien wrote:
 Hello list,
 
 
 
 I'm facing this unusual demand at work where we need to time out idle SSH 
 connections for security purposes.
 
 I've checked the following options from sshd_config but none seems to fit my 
 needs :
 TCPKeepAlive
 ClientAliveCountMax
 ClientAliveInterval
 
 
 Basically, I'm trying to defeat the use of the following client-side option:
 ServerAliveInterval 5
 
 
 I'm afraid all I've hit now is dead ends.
 
 
 Has anyone ever had the same requirements before and, perhaps, found a 
 solution to this ?
 
 

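An added example, not from the thread: the cron-job approach Markham describes, written as a small sh script for FreeBSD. It parses w(1) output, whose IDLE column is derived from the time of the last input on the tty, so a client's ServerAliveInterval keepalives (the option Damien wants to defeat) keep the TCP session up but do not reset it. The `w -h` lines are constructed, and the script assumes FreeBSD's IDLE formats ("-" under a minute, bare minutes, H:MM, Ndays) and that `pkill -t <tty>` ends every process on that terminal; both are assumptions to verify on your host before enforcing.

```sh
#!/bin/sh
# Added example (not from the thread): enforce an idle-session limit from a
# cron job by parsing w(1) output on FreeBSD.
# Assumptions: FreeBSD w(1) IDLE column formats ("-" for under a minute,
# minutes as a bare number, "H:MM" for hours, "Ndays" for 36h and more),
# and that every process on a tty can be ended with `pkill -t <tty>`.

# Constructed sample of `w -h` output (USER TTY FROM LOGIN@ IDLE WHAT)
SAMPLE_W='alice    pts/0  10.0.0.5   10:02AM  -      -sh
bob      pts/1  10.0.0.9   09:10AM  7      vim
carol    pts/2  10.0.0.12  Tue08PM  1:15   -sh
dave     pts/3  10.0.0.3   Mon09AM  2days  sleep 3600'

# Convert one IDLE field to whole minutes.
idle_minutes() {
  case "$1" in
    -)      echo 0 ;;
    *days)  echo $(( ${1%days} * 1440 )) ;;
    *:*)    h=${1%%:*}; m=${1#*:}; m=${m#0}          # strip a leading zero ("1:05")
            echo $(( h * 60 + ${m:-0} )) ;;
    *)      echo "$1" ;;
  esac
}

# Print "user tty" for every session idle at least MAX_MINUTES.
# Reads `w -h` output on stdin; WHAT may contain spaces, read -r keeps it whole.
idle_sessions() {
  max=$1
  while read -r user tty from login idle what; do
    [ -n "$tty" ] || continue
    if [ "$(idle_minutes "$idle")" -ge "$max" ]; then
      printf '%s %s\n' "$user" "$tty"
    fi
  done
}

# Enforcement entry point: kill_idle_sessions MAX_MINUTES [dry-run]
# Logs each action to syslog so the policy leaves an audit trail, then ends
# every process on the over-limit tty unless run in dry-run mode.
kill_idle_sessions() {
  max=$1; mode=${2:-enforce}
  w -h | idle_sessions "$max" | while read -r user tty; do
    logger -t idle-ssh "ending session of $user on $tty (idle >= ${max}m, mode=$mode)"
    [ "$mode" = "dry-run" ] || pkill -t "$tty"
  done
}
```

Run it from root's crontab at the policy interval, for instance `*/5 * * * * /usr/local/sbin/idle-ssh-kill 5` (a constructed path), after a dry-run pass to confirm the parsing on your own `w` output. It does not close detached screen or tmux sessions, which have no tty in w's sense, so the point Damien raises about screen stays a policy question rather than a technical one.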


Re: sshd - time out idle connections

2013-05-03 Thread Fleuriot Damien
Allow me to add a bit of context here.


We're wrapping things up to obtain the PCI DSS certification which is awarded 
for running through a long and annoying series of hoops.
This certification is rather important to our business so like it or not, we 
have to play along.


Allowing the use of screen defeats the purpose of logging out idle connections, 
I don't think we're going to pass this specific requirement if we let users run 
screen.




On May 3, 2013, at 5:18 PM, Mikel King mi...@olivent.com wrote:

 Firing people for violating the 5 minute rule seems a tad extreme. If there 
 is indeed a company policy regarding the 5 minute idle window and you 
 intend to roll forward with a connection kill script then also make screen or 
 tmux available. In my experience people tend to be more accepting of 
 connection outages if they can reconnect to where they were when they were 
 last on. 
 
 Regards,
 Mikel King
 BSD News 
 
 
 From: Fleuriot Damien [mailto:m...@my.gd]
 To: FreeBSD questions [mailto:freebsd-questions@freebsd.org]
 Sent: Fri, 03 May 2013 10:28:31 -0400
 Subject: sshd - time out idle connections
 
 Hello list,
 
 
 
 I'm facing this unusual demand at work where we need to time out idle SSH 
 connections for security purposes.
 
 I've checked the following options from sshd_config but none seems to fit my 
 needs :
 TCPKeepAlive
 ClientAliveCountMax
 ClientAliveInterval
 
 
 Basically, I'm trying to defeat the use of the following client-side option:
 ServerAliveInterval 5
 
 
 I'm afraid all I've hit now is dead ends.
 
 
 Has anyone ever had the same requirements before and, perhaps, found a 
 solution to this ?
 



Re: sshd - time out idle connections

2013-05-03 Thread Fleuriot Damien

On May 3, 2013, at 5:16 PM, Arthur Chance free...@qeng-ho.org wrote:

 On 05/03/13 15:28, Fleuriot Damien wrote:
 Hello list,
 
 
 
 I'm facing this unusual demand at work where we need to time out idle SSH 
 connections for security purposes.
 
 I've checked the following options from sshd_config but none seems to fit my 
 needs :
 TCPKeepAlive
 ClientAliveCountMax
 ClientAliveInterval
 
 
 Basically, I'm trying to defeat the use of the following client-side option:
 ServerAliveInterval 5
 
 
 I'm afraid all I've hit now is dead ends.
 
 
 Has anyone ever had the same requirements before and, perhaps, found a 
 solution to this ?
 
 There's an idletime parameter in login.conf which will log out idle users. 
 Normally sshd bypasses login, but the sshd config parameter UseLogin can 
 change that, although it disables X11Forwarding.
 
 Note: this is all from a quick perusal of the source and manuals, I've not 
 done it myself.
 
 -- 
 In the dungeons of Mordor, Sauron bred Orcs with LOLcats to create a
 new race of servants. Called Uruk-Oh-Hai in the Black Speech, they
 were cruel and delighted in torturing spelling and grammar.
 
   _Lord of the Rings 2.0, the Web Edition_


I've already tried using login.conf's idle timeout option and was sad indeed 
that it didn't apply to SSH connections.

It never occurred to me that UseLogin might be involved there…

I'll have a look at it as well, thanks for your help Arthur.



Re: /etc/sudoers

2013-03-27 Thread Fleuriot Damien

On Mar 27, 2013, at 4:54 PM, Joe fb...@a1poweruser.com wrote:

 I have been moving this file forward since about release 5.0.
 Today I tried to do a man sudoers and got no page found.
 The su man page does not reference it.
 
 Has the file been removed?
 Does it maybe belong to some port?
 Any ideas?
 
 Thanks


The file is actually /usr/local/etc/sudoers and is tied to 
/usr/ports/security/sudo

Install sudo from there and you automagically get the man page.




Re: I made a mess. libc

2013-02-21 Thread Fleuriot Damien

On Feb 21, 2013, at 3:34 PM, Bernt Hansson b...@bananmonarki.se wrote:

 Hello list!
 
 It's me again.
 
 I was happily upgrading my jail make build* and so on.
 
 Make installworld failed with some chflag set on libc.so.7
 so I left the jail and went to the host and thought I'd fix it from there.
 
 I did remove the chflag and all was well I thought, but no.
 
 Copy it to the jail, someone screamed, ok I'll do that
 
 Well the problem is I copied it to the host amd64 and jail is i386.
 
 the host locked up hard and after a reboot I get
 
 libc.so.7 invalid file format. How do I get it back.
 
 I can not burn a cd with livefs, which should be on memorystick
 anyway.
 
 Thanks for any help and it's needed.



This is my libc.so.7 from the 19th, for 8-stable amd64, after the patch for the 
security advisory.

root@pf1:/usr/ports/emulators/fuse # ls -l /lib/libc.so.7
-r--r--r--  1 root  wheel  1399225 Feb 19 15:27 /lib/libc.so.7

root@pf1:/usr/ports/emulators/fuse # md5 /lib/libc.so.7
MD5 (/lib/libc.so.7) = 9e4b09aa6dbc731bf56593b736e9fef1

root@pf1:/usr/ports/emulators/fuse # shasum /lib/libc.so.7
19e856f287586f52611aca9a4aa8a4104b65fb4e  /lib/libc.so.7

root@pf1:/usr/ports/emulators/fuse # uname -a
FreeBSD pf1.backbone.dev 8.3-STABLE FreeBSD 8.3-STABLE #6 r247008M: Tue Feb 19 20:14:57 UTC 2013     r...@pf1.backbone.dev:/usr/obj/usr/src/sys/UNIVERSAL  amd64


I can host the file over HTTP if you want.



Re: I made a mess. libc

2013-02-21 Thread Fleuriot Damien

On Feb 21, 2013, at 6:22 PM, Bernt Hansson b...@bananmonarki.se wrote:

 2013-02-21 18:01, Teske, Devin skrev:
 Is it the base machine that won't boot? I got this ...
 
 That is correct. So no cd burning no nothing...Well it wants to drop into a 
 single shell bla bla bla press enter for /bin/sh
 
 enter
 libexec* libc.so.7: invalid file format
 
 I do not want to reinstall, have 4 encrypted disks.


And you have absolutely no way to boot I don't know, PXE, USB ?
Do you have remote console access, anything ?

I'll tell you what, I'll still scp the file to a www and give you the link, if 
you should find a way to access your file system, you can always copy it over.
http://my.gd/libc.so.7



Re: I made a mess. libc

2013-02-21 Thread Fleuriot Damien
As per Devin's suggestion, I just set up an RCP server from which you'll be able 
to grab libc.so.7 using /rescue/rcp

I'm gonna need, in private, your IP address so I can add you both to .rhosts 
and firewall rules.


I'm leaving work now so I may not answer again before 2-3 hours.



On Feb 21, 2013, at 6:46 PM, Teske, Devin devin.te...@fisglobal.com wrote:

 Can you specify perhaps /rescue/sh as the single-user shell?
 
 That should get you in.
 
 Then you have to stick to static executables like /rescue/rcp to remotely 
 transfer files.
 
 Perhaps someone can host a file on a machine that can be reached via 
 /rescue/rcp for you.
 -- 
 Devin
 
 
 
 From: Bernt Hansson [b...@bananmonarki.se]
 Sent: Thursday, February 21, 2013 9:22 AM
 To: Teske, Devin
 Cc: Fleuriot Damien; questions FreeBSD
 Subject: Re: I made a mess. libc
 
 2013-02-21 18:01, Teske, Devin skrev:
 Is it the base machine that won't boot? I got this ...
 
 That is correct. So no cd burning no nothing...Well it wants to drop into
 a single shell bla bla bla press enter for /bin/sh
 
 enter
 libexec* libc.so.7: invalid file format
 
 I do not want to reinstall, have 4 encrypted disks.
 
 
 My latest version of Druid has a very sophisticated Interactive Disk 
 Repair script that will assemble your system humpty-dumpty style while 
 booted from a CD or Thumb drive (you said you couldn't burn a CD, but it 
 wasn't clear whether you could master a thumb drive).
 
 http://sourceforge.net/projects/druidbsd/files/FreeBSD-8.3_Druid-1.0b60.iso/download
 
 When you run the Interactive Disk Repair (IDR) Shell option, it presents 
 you with a few questions (like, I've found a saved network interface in 
 rc.conf(5) -- would you like me to activate it for you?), and ultimately 
 mounts your system to present a working shell to fix your problems.
 
 Important: when it asks you if you want to chroot into the mounted 
 filesystem, say NO (your libc isn't working, so that would be a bad idea) 
 -- rather, run from the LiveFS environment where /mnt is your mounted 
 system. There's even a copy of libc in the LiveFS environment that you can 
 copy over your old one...
 
 cp /cdrom/freebsd/rescue/lib/libc.so.7 /mnt/lib/libc.so.7
 
 (if I recall correctly)
 
 



Re: cannot ssh into a box with DHCP assigned IP address

2013-02-20 Thread Fleuriot Damien

On Feb 20, 2013, at 10:28 AM, Anton Shterenlikht me...@bristol.ac.uk wrote:

 I have a laptop with FreeBSD -current,
 with ip address assigned via DHCP.
 The laptop has neither a static ip address,
 nor a domain.
 
 I can ping the laptop fine, but cannot
 ssh into it. The sshd is running, /etc/ssh/sshd_config
 seems fine, /etc/hosts.allow is fine.
 However, /etc/hosts is just the default:
 
 #
 ::1 localhost localhost.my.domain
 127.0.0.1   localhost localhost.my.domain
 #
 
 Is it the lack of a domain that prevents
 me from getting ssh access?
 I try to ssh with just a dynamic ip address,
 for which ping seems to work fine.
 Or is the problem somewhere else?
 
 I'm not even sure I'm asking the right
 questions.
 
 Thanks
 
 Anton


First, check what ports SSH listens on:
sockstat | grep ssh


Then, assuming SSH indeed listens on *:22 , check if you have a firewall 
running that could be preventing packets from reaching your box.

By the way, do you get a login prompt at all, over SSH, or just a plain timeout 
or connection reset ?



Re: cannot ssh into a box with DHCP assigned IP address

2013-02-20 Thread Fleuriot Damien

On Feb 20, 2013, at 10:45 AM, Anton Shterenlikht me...@bristol.ac.uk wrote:

   From: Fleuriot Damien m...@my.gd
   To: me...@bristol.ac.uk
   Subject: Re: cannot ssh into a box with DHCP assigned IP address
   Date: Wed, 20 Feb 2013 10:31:22 +0100
   Cc: freebsd-questions@freebsd.org
 
   On Feb 20, 2013, at 10:28 AM, Anton Shterenlikht me...@bristol.ac.uk 
 wrote:
 
I have a laptop with FreeBSD -current,
with ip address assigned via DHCP.
The laptop has neither a static ip address,
nor a domain.

I can ping the laptop fine, but cannot
ssh into it. The sshd is running, /etc/ssh/sshd_config
seems fine, /etc/hosts.allow is fine.
However, /etc/hosts is just the default:

#
::1 localhost localhost.my.domain
127.0.0.1   localhost localhost.my.domain
#

Is it the lack of a domain that prevents
me from getting ssh access?
I try to ssh with just a dynamic ip address,
for which ping seems to work fine.
Or is the problem somewhere else?

I'm not even sure I'm asking the right
questions.

Thanks

Anton
 
 
   First, check what ports SSH listens on:
   sockstat | grep ssh
 
 root@zzz:~ # sockstat | grep ssh
 mexas    ssh        16193 3  tcp4   172.21.220.12:20541   137.222.187.241:22
 root     sshd       1091  3  tcp6   *:22                  *:*
 root     sshd       1091  4  tcp4   *:22                  *:*
 root@zzz:~ #
 
 I also see:
 
 /var/log/auth.log:Feb 18 11:54:25 zzz sshd[1091]: Server listening on :: port 22.
 /var/log/auth.log:Feb 18 11:54:25 zzz sshd[1091]: Server listening on 0.0.0.0 port 22.
 
 Is 0.0.0.0 expected?
 

0.0.0.0 = * = all IPs / interfaces



 Anything else I should check in the logs?
 

Not that I'm aware of



 
   Then, assuming SSH indeed listens on *:22 ,
check if you have a firewall running that
could be preventing packets from reaching your box.
 
 I don't think so.
 There's nothing in the kernel config
 
   By the way, do you get a login prompt at all,
over SSH, or just a plain timeout or connection reset ?
 
 Just a timeout:
 
 root@zzz:~ # ifconfig wlan0
 wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether 00:21:5c:50:68:c3
inet 172.21.220.12 netmask 0xfc00 broadcast 255.255.255.255
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
media: IEEE 802.11 Wireless Ethernet OFDM/54Mbps mode 11g
status: associated
ssid eduroam channel 1 (2412 MHz 11g) bssid 00:3a:98:62:cd:a0
country US authmode WPA2/802.11i privacy ON deftxkey UNDEF
AES-CCM 2:128-bit AES-CCM 3:128-bit txpower 14 bmiss 10 scanvalid 450
bgscan bgscanintvl 300 bgscanidle 250 roam:rssi 7 roam:rate 5
protmode CTS wme roaming MANUAL
 root@zzz:~ #
 
 TZAV ping 172.21.220.12
 PING 172.21.220.12 (172.21.220.12): 56 data bytes
 64 bytes from 172.21.220.12: icmp_seq=0 ttl=60 time=2.056 ms
 64 bytes from 172.21.220.12: icmp_seq=1 ttl=60 time=1.766 ms
 ^C
 
 TZAV ssh 172.21.220.12
 ssh: connect to host 172.21.220.12 port 22: Operation timed out
 TZAV
 
 Thanks
 
 Anton
 



Run this on your server:

tcpdump -ni wlan0 ip and port 22



Then try to ssh to the box, see if SYN packets arrive, see if your box sends 
SYN/ACK back.

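As an added example (not from the thread), a small sh/awk triage for the capture Damien asks for, keyed on the server port. It separates the three states the thread turns on: no line at all for a client means its SYNs never reach the interface (something upstream drops them); `NO-REPLY` means SYNs arrive but the host sends no SYN/ACK back (a local packet filter, or nothing listening on that address); `ok` means the TCP handshake completes and any delay is inside sshd itself. The capture lines are constructed and assume tcpdump's default TCP line format with `-n`.

```sh
#!/bin/sh
# Added example (not from the thread): triage a `tcpdump -n ... port 22` capture
# to see, per client, whether SYNs reach the box and whether it answers with SYN/ACK.
# Assumes tcpdump's default TCP line format:
#   "<time> IP <src>.<sport> > <dst>.<dport>: Flags [S], seq ..., length 0"

# Constructed capture: one client whose handshake completes, one whose SYNs get no reply.
SAMPLE_CAP='10:20:01.000001 IP 192.0.2.10.50000 > 192.0.2.20.22: Flags [S], seq 1000, win 65535, length 0
10:20:01.000200 IP 192.0.2.20.22 > 192.0.2.10.50000: Flags [S.], seq 2000, ack 1001, win 65535, length 0
10:20:01.000400 IP 192.0.2.10.50000 > 192.0.2.20.22: Flags [.], ack 1, win 1040, length 0
10:20:05.000000 IP 192.0.2.30.50001 > 192.0.2.20.22: Flags [S], seq 3000, win 65535, length 0
10:20:06.000000 IP 192.0.2.30.50001 > 192.0.2.20.22: Flags [S], seq 3000, win 65535, length 0'

# usage: handshake_triage SERVER_PORT < capture
# Prints one line per client that sent a SYN to SERVER_PORT: SYN count, SYN/ACK count, verdict.
handshake_triage() {
  awk -v port="$1" '
    $2 == "IP" && $6 == "Flags" {
      src = $3; dst = $5; sub(/:$/, "", dst)          # drop the colon after the destination
      flags = $7; sub(/,$/, "", flags)                 # "[S]," -> "[S]"
      # the last dot-separated component of each endpoint is the port
      n = split(src, s, "."); sport = s[n]; saddr = substr(src, 1, length(src) - length(sport) - 1)
      m = split(dst, d, "."); dport = d[m]; daddr = substr(dst, 1, length(dst) - length(dport) - 1)
      if (flags == "[S]"  && dport == port) syn[saddr]++      # client SYN arrived on the wire
      if (flags == "[S.]" && sport == port) synack[daddr]++   # our SYN/ACK went out
    }
    END {
      for (c in syn)
        printf "%s syn=%d synack=%d %s\n", c, syn[c], synack[c] + 0, (synack[c] ? "ok" : "NO-REPLY")
    }' | sort
}
```

On the box itself: `tcpdump -nli wlan0 tcp port 22 | handshake_triage 22`. Keying on the server port matters because an unqualified `port 22` filter also matches the box's own outgoing SSH sessions, which would otherwise pollute the picture.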


Re: cannot ssh into a box with DHCP assigned IP address

2013-02-20 Thread Fleuriot Damien
Ok I think you've got a DNS resolution problem here: when you try to 
establish the connection, SSHD tries to resolve your client's hostname.

It fails and times out, but by then your ssh login grace time is already over.

You have several options here:

1/ increase the login grace time in sshd_config
2/ set usedns no (or do both, btw)
3/ fix DNS resolution ;)

I would definitely recommend turning off hostname resolution for sshd, it is of 
marginal value (to me at least).





On Feb 20, 2013, at 11:21 AM, Anton Shterenlikht me...@bristol.ac.uk wrote:

   From m...@my.gd Wed Feb 20 10:11:12 2013
 
   Run this on your server:
 
   tcpdump -ni wlan0 ip and port 22
 
   Then try to ssh to the box,
see if SYN packets arrive,
see if your box sends SYN/ACK back.
 
 172.21.220.12 is the ssh server
 137.222.187.241 is the ssh client (where I login from)
 
 There's lots of output on the server:
 
 10:13:40.396933 IP 172.21.220.12.20541 > 137.222.187.241.22: Flags [P.], seq 528:576, ack 897, win 1040, options [nop,nop,TS val 166697722 ecr 2764601194], length 48
 10:13:40.400142 IP 137.222.187.241.22 > 172.21.220.12.20541: Flags [P.], seq 897:945, ack 576, win 1040, options [nop,nop,TS val 2764601829 ecr 166697722], length 48
 10:13:40.499768 IP 172.21.220.12.20541 > 137.222.187.241.22: Flags [.], ack 945, win 1040, options [nop,nop,TS val 166697825 ecr 2764601829], length 0
 10:13:41.126804 IP 172.21.220.12.20541 > 137.222.187.241.22: Flags [P.], seq 576:624, ack 945, win 1040, options [nop,nop,TS val 166698452 ecr 2764601829], length 48
 10:13:41.129465 IP 137.222.187.241.22 > 172.21.220.12.20541: Flags [P.], seq 945:993, ack 624, win 1040, options [nop,nop,TS val 2764602558 ecr 166698452], length 48
 10:13:41.229792 IP 172.21.220.12.20541 > 137.222.187.241.22: Flags [.], ack 993, win 1040, options [nop,nop,TS val 166698555 ecr 2764602558], length 0
 10:14:06.042148 IP 137.222.187.241.22 > 172.21.220.12.46009: Flags [P.], seq 691166491:691166555, ack 2147595671, win 1040, options [nop,nop,TS val 2121228740 ecr 166423364], length 64
 10:14:06.043854 IP 172.21.220.12.46009 > 137.222.187.241.22: Flags [P.], seq 1:33, ack 64, win 1040, options [nop,nop,TS val 166723368 ecr 2121228740], length 32
 10:14:06.144924 IP 137.222.187.241.22 > 172.21.220.12.46009: Flags [.], ack 33, win 1040, options [nop,nop,TS val 2121228843 ecr 166723368], length 0
 
 10:15:02.017361 IP 137.222.187.241.22 > 172.21.220.12.46009: Flags [P.], seq 15904:16240, ack 7169, win 1040, options [nop,nop,TS val 2121284715 ecr 166779337], length 336
 10:15:02.017969 IP 137.222.187.241.22 > 172.21.220.12.46009: Flags [P.], seq 16240:16576, ack 7169, win 1040, options [nop,nop,TS val 2121284716 ecr 166779337], length 336
 10:15:02.018079 IP 172.21.220.12.46009 > 137.222.187.241.22: Flags [.], ack 16576, win 1035, options [nop,nop,TS val 166779343 ecr 2121284715], length 0
 10:15:02.018319 IP 137.222.187.241.22 > 172.21.220.12.46009: Flags [P.], seq 16576:16896, ack 7169, win 1040, options [nop,nop,TS val 2121284716 ecr 166779337], length 320
 10:15:02.018510 IP 137.222.187.241.22 > 172.21.220.12.46009: Flags [P.], seq 16896:17232, ack 7169, win 1040, options [nop,nop,TS val 2121284716 ecr 166779337], length 336
 10:15:02.018626 IP 172.21.220.12.46009 > 137.222.187.241.22: Flags [.], ack 17232, win 1030, options [nop,nop,TS val 166779344 ecr 2121284716], length 0
 10:15:02.019583 IP 137.222.187.241.22 > 172.21.220.12.46009: Flags [P.], seq 17232:17568, ack 7169, win 1040, options [nop,nop,TS val 2121284716 ecr 166779337], length 336
 10:15:02.019840 IP 137.222.187.241.22 > 172.21.220.12.46009: Flags [P.], seq 17568:17840, ack 7169, win 1040, options [nop,nop,TS val 2121284717 ecr 166779337], length 272
 10:15:02.019927 IP 172.21.220.12.46009 > 137.222.187.241.22: Flags [.], ack 17840, win 1036, options [nop,nop,TS val 166779345 ecr 2121284716], length 0
 
 Thanks
 
 Anton

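An added example (not from the thread) for the "set usedns no" option above: an audit of the two sshd_config keywords behind a "handshake completes, no prompt, then timeout" symptom. The detail a practitioner trips over is that sshd keeps the first value it reads for a keyword, so a `UseDNS no` appended at the end of the file silently loses to an earlier `UseDNS yes`; the parser mimics that rule. The config excerpt is constructed; the defaults assumed (UseDNS yes, LoginGraceTime 120 seconds) are those of the OpenSSH versions shipped with FreeBSD 9.x, and OpenSSH 6.8 and later default UseDNS to no.

```sh
#!/bin/sh
# Added example (not from the thread): audit UseDNS and LoginGraceTime in an
# sshd_config the way sshd itself reads them (first value wins, Match blocks
# do not apply to these global keywords).
# Assumed defaults: UseDNS yes, LoginGraceTime 120 (OpenSSH of the FreeBSD 9.x era).

# Constructed sshd_config excerpt, not a real host's file. Note the late "UseDNS no"
# that an admin might add after reading this thread: it has no effect.
SAMPLE_CFG='# constructed excerpt
Port 22
UseDNS yes
LoginGraceTime=30
ClientAliveInterval 0
UseDNS no
Match User backup
    LoginGraceTime 10'

# usage: sshd_effective KEYWORD DEFAULT < sshd_config
# Prints the value sshd would use for a global keyword: first occurrence wins,
# parsing stops at the first Match line, DEFAULT is printed if the keyword is absent.
sshd_effective() {
  awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" -v def="$2" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }              # comments and blank lines
    { if ($1 ~ /=/) { split($1, kv, "="); $1 = kv[1]; $2 = kv[2] }   # "Key=value" form
      else if ($2 == "=") $2 = $3 }                             # "Key = value" form
    tolower($1) == "match" { exit }                             # global section ends here
    tolower($1) == key { print $2; found = 1; exit }            # first value wins, as in sshd
    END { if (!found) print def }'
}

# Exit status 0 when sshd will do a reverse lookup on every connection.
sshd_dns_lookup_enabled() {
  v=$(sshd_effective UseDNS yes | tr 'A-Z' 'a-z')
  [ "$v" = "yes" ]
}

# One-line verdict; usage: sshd_dns_report < sshd_config
sshd_dns_report() {
  cfg=$(cat)
  dns=$(printf '%s\n' "$cfg" | sshd_effective UseDNS yes)
  grace=$(printf '%s\n' "$cfg" | sshd_effective LoginGraceTime 120)
  if printf '%s\n' "$cfg" | sshd_dns_lookup_enabled; then
    printf 'UseDNS=%s LoginGraceTime=%s: reverse lookups on, a slow resolver eats the grace period\n' "$dns" "$grace"
  else
    printf 'UseDNS=%s LoginGraceTime=%s: ok\n' "$dns" "$grace"
  fi
}
```

On a live host, `sshd -T | grep -i -e usedns -e logingracetime` prints the values the running binary computes from the file and is the authoritative check; the parser above is for reading a config offline or in a review. After editing the first occurrence of the keyword, reload sshd for the change to take effect.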


Re: cannot ssh into a box with DHCP assigned IP address

2013-02-20 Thread Fleuriot Damien

On Feb 20, 2013, at 2:55 PM, Anton Shterenlikht me...@bristol.ac.uk wrote:

   From feenb...@nber.org Wed Feb 20 13:39:28 2013
 
  From: Fleuriot Damien m...@my.gd
  To: me...@bristol.ac.uk
  Subject: Re: cannot ssh into a box with DHCP assigned IP address
  Date: Wed, 20 Feb 2013 10:31:22 +0100
  Cc: freebsd-questions@freebsd.org
   
  On Feb 20, 2013, at 10:28 AM, Anton Shterenlikht 
 me...@bristol.ac.uk wrote:
   
   I have a laptop with FreeBSD -current,
   with ip address assigned via DHCP.
   The laptop has neither a static ip address,
   nor a domain.
  
   I can ping the laptop fine, but cannot
   ssh into it. The sshd is running, /etc/ssh/sshd_config
   seems fine, /etc/hosts.allow is fine.
   However, /etc/hosts is just the default:
 
   While on the problem machine, can you ssh to localhost? ssh to the IP 
   address?
 
 yes to both
 
   I would suspect the problem is in /etc/hosts.allow
or /etc/hosts.deny,
 
 The first non-comment line in /etc/hosts.allow is
 ALL : ALL : allow
 
 and I don't have /etc/hosts.deny:
 
 root@zzz:~ # ls /etc/hosts*
 /etc/hosts        /etc/hosts.equiv
 /etc/hosts.allow  /etc/hosts.lpd
 root@zzz:~ #
 
   or perhaps the subnet mask is incorrect.
 
 Well.. what should it be?
 I have on the problem box (ssh server):
 
 wlan0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether 00:21:5c:50:68:c3
inet 172.21.220.12 netmask 0xfc00 broadcast 255.255.255.255
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
media: IEEE 802.11 Wireless Ethernet OFDM/54Mbps mode 11g
status: associated
ssid eduroam channel 1 (2412 MHz 11g) bssid 00:3a:98:62:cd:a0
country US authmode WPA2/802.11i privacy ON deftxkey UNDEF
AES-CCM 2:128-bit AES-CCM 3:128-bit txpower 14 bmiss 10 scanvalid 450
bgscan bgscanintvl 300 bgscanidle 250 roam:rssi 7 roam:rate 5
protmode CTS wme roaming MANUAL
 
 I'm trying to ssh from 137.222.187.241.
 
 I wonder, perhaps it is somehow built into the
 Eduroam wireless, provided by the University,
 that the devices connected to it cannot be
 accessible. They can only initiate outgoing
 connections, but all incoming connections are
 somehow blocked? Given that the majority of
 the devices will be unsecured MS boxes, maybe
 the university thought that this is a wise idea
 for safety. Perhaps I can investigate this
 with my IT guys. 
 
 Or I might be talking complete nonsense here, not my area at all.
 
 Thanks
 
 Anton
 


Any luck with Daniel's suggestion to try it directly on the problematic host ?

ssh 127.0.0.1
ssh localhost
ssh 172.21.220.12




Re: Ports Packages [Stable] in sync

2013-02-19 Thread Fleuriot Damien

On Feb 17, 2013, at 3:44 PM, Jeff Tipton jef...@mail.com wrote:

 On 02/17/2013 13:13, Damien Fleuriot wrote:
 On 16 Feb 2013, at 16:56, Jeff Tipton jef...@mail.com wrote:
 
 Hi,
 
 I upgraded 9.0 -> 9.1 on my netbook and only then found out that there are 
 no packages for 9.1-RELEASE. On my desktops, I keep ports and packages at 
 the RELEASE versions, so I only have to compile when I need non-default 
 options or when there are no packages. Would it be possible to get the 
 ports snapshot that was used to compile the 9-STABLE packages? I think I 
 could use subversion but then I need to know the revision number of that 
 snapshot. What do you suggest?
 
 Thanks,
 Jeff
 
 Hi Jeff,
 
 I think you might be confused here.
 
 It is my understanding that there are ports for:
 - HEAD
 - x.y-RELEASE
 
 I don't think you're going to be able to get a snapshot from 9-STABLE, 
 because -STABLE is a continuing work.
 
 What version do you consider to be 9-STABLE ?
 Every time there's a new commit you get a new 9-STABLE.
 Thank you, Damien, for the reply. AFAIK, STABLE gets updated every 2 weeks 
 but not every day, and it seems to be that because of the intrusion, it has 
 not been updated for long. The versions of the ports that come with the 
 9.1-RELEASE are even slightly newer than those of 9-STABLE packages. I think 
 if I don't get the revision number from which the 9-STABLE was updated last 
 time I'll use the ports tree that comes with 9.1-RELEASE. I hope it won't 
 cause many version incompatibilities.


I'm not sure where you're getting your 9-STABLE ports from, Jeff.

In the SVN repository I only see release tags and HEAD:
http://svn.freebsd.org/ports/

I also second Gilbert's advice about using HEAD for your ports tree, we do this 
here in production with over 50 boxes and have had no problems so far.


If you still want to use the branch from 9.1-RELEASE, it's here:
svn://svn.freebsd.org/ports/tags/RELEASE_9_1_0/

Note that, unless I'm wrong, you will not be getting *ANY* update to the ports 
tree then, it's frozen.
This means no security updates and all, AFAICT.



Re: ZFS + iSCSI architecture

2013-02-19 Thread Fleuriot Damien

On Feb 19, 2013, at 11:20 PM, b...@todoo.biz b...@todoo.biz wrote:

 Hello,
 
 
 I am about to start deploying a large system (about 18 To which can grow up 
 to 36 To) based on a big Intel platform with lots of fancy features to have a 
 turbo boosted platform (ZIL on SSD + system on dongle if I go for FreeNAS). 
 Since I want to move on quite fast I might decide to use FreeNAS in its 
 latest version. 
 
 
 The idea behind all that was to grant 5 or six critical servers access to the 
 NAS so that they can take advantage of : 
 
 1. space available on the NAS
 
 2. ability of the NAS to use ZFS and of clients to support this file system 
 (including snapshots) 
 
 3. Access the server using iSCSI (at least this is what I initially planned). 
 
 4. Mount part of their filesystem using data stored on the SAN (like 
 /usr/local/ or other parts of the system). 
 
 
 
 The server accessing the data will be of two types : 
 
 1. 2 x Ubuntu server 10.04 LTS 
 
 2. 4 x FreeBSD (mainly 8 and 9) with jail configured 
 
 
 I have started reading about iSCSI and potential problems with FreeBSD. 
 

What problems do you mean ?



 So my main questions would be : 
 
 
 • Should I go for iSCSI ? 
 

Well in all use cases, iscsi should perform faster than NFS.



 • Should I rather choose / prefer NFS ? 
 
 • Should I export a Volume as UFS rather than ZFS (is ZFS supported as a 
 target) ?
 

I'm not sure what you mean here, when you export a zvol over ISCSI:
- your SAN is the target and presents a block device (the zvol)
- your client is the initiator
- your client attaches to the ISCSI drive and formats it using filesystem XYZ, 
be it ext3, ufs or ntfs




 
 The main idea is stability, redundancy of data and ease of maintenance (in a 
 headless FreeBSD / Linux world) before anything else ! 
 

ISCSI is a bit harder to setup IMO, however I think it's more reliable than 
NFS, what with its auto retries if it loses the network link to a device.



 
 
 That's the big picture, if you have any pointers or advice, they are all 
 welcome. 
 
 
 It is quite late where I live, so I will reply to posts in 8 to 10 hours, 
 but I hope to have enough answer(s) to start an interesting thread (as I 
 think this question is very interesting and not so clearly explained (at 
 least in my mind))… 
 

This is indeed a very interesting topic and I hope to see more :)



 
 Thx very much for your infos and feedback. 




vmstat -w not honored

2013-02-13 Thread Fleuriot Damien
Hello list,


I'm running 8.3-STABLE and apparently, vmstat won't honor both -i (interrupts) 
and -w (repeat display every wait delay seconds) flags at the same time.
The problem also arises with -z.

The manual doesn't mention these flags being incompatible with -w.



Does anyone know if this is intended behavior ?

I wanna make sure before filing a PR, either to get this fixed or the man 
pages adjusted.



Re: VirtualBox 4.1.22 and Bridged Network problems

2013-02-06 Thread Fleuriot Damien
This was brought up a few weeks/months ago and I seem to recall that setting 
the interface in *promiscuous* mode (monitoring) in the Host configuration 
(read, in your hypervisor) was mandatory.

See if that helps.


On Feb 6, 2013, at 3:03 PM, CeDeROM cede...@tlen.pl wrote:

 Hello :-)
 
 I cannot get Bridged Network setup in VBox 4.1.22 on my 9.1RC3 AMD64 -
 I get no traffic to the host interface at all. Did anyone notice this
 or related problems?
 
 I have tried to watch the host interface with WireShark. I have
 disabled local firewall. I have set net.inet.ip.forwarding=1. Still
 can't get the bridged connection working :-(
 
 Any hints appreciated :-)
 Tomek
 
 -- 
 CeDeROM, SQ7MHZ, http://www.tomek.cedro.info


Re: sysctl security.jail.* descriptions

2013-02-06 Thread Fleuriot Damien
# sysctl -d security.jail.socket_unixiproute_only
security.jail.socket_unixiproute_only: Processes in jail are limited to 
creating UNIX/IP/route sockets only



On Feb 6, 2013, at 4:02 PM, Fbsd8 fb...@a1poweruser.com wrote:

 Where do I find the descriptions of what these jail MIBs do?
 
 
 security.jail.param.allow.mount.zfs: 0
 security.jail.param.allow.mount.procfs: 0
 security.jail.param.allow.mount.nullfs: 0
 security.jail.param.allow.mount.devfs: 0
 security.jail.param.allow.mount.: 0
 security.jail.param.allow.socket_af: 0
 security.jail.param.allow.quotas: 0
 security.jail.param.allow.chflags: 0
 security.jail.param.allow.raw_sockets: 0
 security.jail.param.allow.sysvipc: 0
 security.jail.param.allow.set_hostname: 0
 security.jail.param.ip6.saddrsel: 0
 security.jail.param.ip6.: 0
 security.jail.param.ip4.saddrsel: 0
 security.jail.param.ip4.: 0
 security.jail.param.cpuset.id: 0
 security.jail.param.host.hostid: 0
 security.jail.param.host.hostuuid: 64
 security.jail.param.host.domainname: 256
 security.jail.param.host.hostname: 256
 security.jail.param.host.: 0
 security.jail.param.children.max: 0
 security.jail.param.children.cur: 0
 security.jail.param.dying: 0
 security.jail.param.persist: 0
 security.jail.param.devfs_ruleset: 0
 security.jail.param.enforce_statfs: 0
 security.jail.param.securelevel: 0
 security.jail.param.path: 1024
 security.jail.param.name: 256
 security.jail.param.parent: 0
 security.jail.param.jid: 0
 security.jail.devfs_ruleset: 0
 security.jail.enforce_statfs: 2
 security.jail.mount_zfs_allowed: 0
 security.jail.mount_procfs_allowed: 0
 security.jail.mount_nullfs_allowed: 0
 security.jail.mount_devfs_allowed: 0
 security.jail.mount_allowed: 0
 security.jail.chflags_allowed: 0
 security.jail.allow_raw_sockets: 0
 security.jail.sysvipc_allowed: 0
 security.jail.socket_unixiproute_only: 1
 security.jail.set_hostname_allowed: 1
 security.jail.jail_max_af_ips: 255
 security.jail.jailed: 0
 
 


Re: setting MIBs on a per jail bases

2013-02-06 Thread Fleuriot Damien
Running 8.3 here and the answer is no.


On Feb 6, 2013, at 5:39 PM, Fbsd8 fb...@a1poweruser.com wrote:

 Is there a way to set these MIBs
 on a per jail basis?
 
 allow.mount.nullfs
 allow.raw_sockets
 cpuset.id
 securelevel


Re: setting MIBs on a per jail bases

2013-02-06 Thread Fleuriot Damien

On Feb 6, 2013, at 5:57 PM, Fbsd8 fb...@a1poweruser.com wrote:

 Fleuriot Damien wrote:
 Running 8.3 here and the answer is no.
 On Feb 6, 2013, at 5:39 PM, Fbsd8 fb...@a1poweruser.com wrote:
 Is there a way to set these MIBs
 on a per jail basis?
 
 allow.mount.nullfs
 allow.raw_sockets
 cpuset.id
 securelevel
 
 Rereading the man jail for 9.1, it talks about securelevel as a jail 
 parameter. So correct me if I am wrong: all the security.jail.param.* MIBs 
 are set in rc.conf or the /etc/jail.conf file on a per jail basis by
 changing the word param to the jailname?
 

I'm afraid I wouldn't know, I don't have a single 9.x box here.

Does the man mention the secure level as a PER JAIL parameter, or as a 
systemwide parameter applied only to jails ?


Re: make install package?

2013-01-11 Thread Fleuriot Damien

On Jan 10, 2013, at 10:21 PM, Fbsd8 fb...@a1poweruser.com wrote:

 Gökşin Akdeniz wrote:
 Thu, 10 Jan 2013 14:04:59 -0500 tarihinde
 Fbsd8 fb...@a1poweruser.com yazmış:
 What is the default path for the packages to be stored in?
 Is it /usr/packages?
 
 It is /usr/ports/packages/All.
 If that is indeed the default location, how do I get the
 make install package command put it there automatically?
 
 All packages will be stored
 in /usr/ports/packages/All/relevant/sub/directory. There is no need
 for any configuration or files. # make package is the proper
 command for building packages which are/is installed via ports.
 
 Is the upcoming pkgng going to have any effect on this?


Funny you should ask, I was toying with that just yesterday, as a matter of 
fact.


Works well with pkgng, it lets me create static packages of already installed 
ports:
# pkg create -nao /usr/ports/packages/All


Then creating the repo.txz file for use by clients is rather easy
# pkg repo -qf /usr/ports/packages


And then, on your client host:
# /usr/local/etc/pkg.conf
PACKAGESITE : http://195.158.241.101



# pkg stats
Local package database:
Installed packages: 158
Disk space occupied: 797 MB

Remote package database(s):
Number of repositories: 1
Packages available: 182
Unique packages: 182
Total size of packages: 648 MB


make release doesn't correctly include EXTLOCALDIR ?

2013-01-11 Thread Fleuriot Damien
Hello list,


I'm running 8.3-stable r245223 from a mere 2 days ago and am in the process of 
building a custom release for our internal use as preconfigured firewalls.

make release works pretty well except for a few quirks here and there.



First of all, I have set EXTLOCALDIR so that the release contains my existing 
/usr/local/ , and thus the collection of installed ports.

The problem here is that while /release/usr/local/ is correctly populated, the 
ISO images and ftp install directory have an empty usr/local/
Extracting the ISO's base.?? files doesn't yield the /usr/local/ contents 
either.




The second problem I encounter is with the kernel's build.
Apparently make release doesn't pull MODULES_OVERRIDE from /etc/make.conf and 
decides to build every single module, as opposed to my own restricted list.

I'm going to try with KERNEL_FLAGS=-DMODULES_OVERRIDE module1 module2 in 
/usr/src/release/Makefile



Has anyone else ever experienced the same problem regarding the inclusion of 
/usr/local/ in their release ?


Re: Is csup still working?

2013-01-10 Thread Fleuriot Damien

On Jan 10, 2013, at 12:38 PM, Mario Lobo l...@bsd.com.br wrote:

 Hi;
 
 I have 8-STABLE and I just did,
 
 csup -L 2 src-supfile
 
 with
 
 *default host=cvsup.FreeBSD.org
 *default release=cvs tag=RELENG_8
 
 and it finished with:
 
 Edit src/usr.sbin/zzz/zzz.sh
  Add delta 1.2.32.2 2012.11.17.10.37.28 svnexp
 Shutting down connection to server
 Finished successfully
 
 Can I trust this update to be correct, with the latest sources?
 
 Thanks,
 
 -- 
 Mario Lobo
 http://www.mallavoodoo.com.br
 FreeBSD since 2.2.8 [not Pro-Audio YET!!] (99% winblows FREE)


Regarding the source tree, I've not found the notice for CVSup's retirement.

Regarding the ports tree, this is from Beat Gaetzi on 07/09/2012 (dd/mm/yyyy):

 For those reasons by February 28th 2013 the FreeBSD ports tree will
 no longer be exported to CVS. Therefore ports tree updates via CVS
 or CVSup will no longer be available after that date.


Re: how to change from STABLE to RELEASE?

2013-01-09 Thread Fleuriot Damien

On Jan 9, 2013, at 2:26 PM, Antonio Olivares olivares14...@gmail.com wrote:

 Give this a try
 
 setenv UNAME_r 9.0-RELEASE
 freebsd-update fetch update
 freebsd-update upgrade -r 9.1-RELEASE
 
 Thank you very much!  It seems to be working:
 
 $ su -
 Password:
 %seten UNAME_r 9.0-RELEASE
 seten: Command not found.
 %setenv UNAME_r 9.0-RELEASE
 %freebsd-update fetch update
 usage: freebsd-update [options] command ... [path]
 
 Options:
  -b basedir   -- Operate on a system mounted at basedir
  (default: /)
  -d workdir   -- Store working files in workdir
  (default: /var/db/freebsd-update/)
  -f conffile  -- Read configuration options from conffile
  (default: /etc/freebsd-update.conf)
  -k KEY   -- Trust an RSA key with SHA256 hash of KEY
  -r release   -- Target for upgrade (e.g., 6.2-RELEASE)
  -s server-- Server from which to fetch updates
  (default: update.FreeBSD.org)
  -t address   -- Mail output of cron command, if any, to address
  (default: root)
 Commands:
  fetch-- Fetch updates from server
  cron -- Sleep rand(3600) seconds, fetch updates, and send an
  email if updates were found
  upgrade  -- Fetch upgrades to FreeBSD version specified via -r option
  install  -- Install downloaded updates or upgrades
  rollback -- Uninstall most recently installed updates
  IDS  -- Compare the system against an index of known good files.
 %freebsd-update fetch
 Looking up update.FreeBSD.org mirrors... 3 mirrors found.
 Fetching public key from update5.freebsd.org... done.
 Fetching metadata signature for 9.0-RELEASE from update5.freebsd.org... done.
 Fetching metadata index... done.
 Fetching 2 metadata files... done.
 Inspecting system... done.
 Preparing to download files...
 
 Will get back to see if it went through all the way!
 
 Best Regards,
 
 
 Antonio
 
 Dear folks,
 
 Everything almost worked.  Now I get some errors.
 /etc/defaults/rc.conf:  18:  Syntax error:  redirection unexpected
 Enter full pathname of shell or RETURN for /bin/sh:
 
 I try to edit the file, but I cannot; I get a read-only file
 system.  There were some mistakes that I could not correct; some lines
 like  and then === were present in the file, but vi would
 not allow me to remove them. I got an error and I wanted to :wq! quickly,
 and now I cannot boot.  How can I get into the computer with
 read/write permission to fix this one and a /boot/device.hints error
 that is present here?
 
 Thanks for any pointers and help/advice.
 
 Regards,
 
 
 Antonio
 
 ===
 
 When I reboot I get:
 
 Enter full pathname of shell or RETURN for /bin/sh:
 I press enter and try:
 
 # mount -a
 mount:  not found
 # mount -urw /
 mount:  not found
 #
 
 I try
 # /rescue/vi /etc/defaults/rc.conf
 which is the one that is borked, to fix it and remove the  that
 present in there, I get
 
 ex/vi:  Error:  /var/tmp/vi.recover:  Read-only file system
 ex/vi:  Modifications not recoverable if the session fails
 ex/vi:  Error:  /etc/defaults/rc.conf:  Read-only file system
 ex/vi:  Error:  Unable to create temporary file:  Read-only file system
 
 I can boot the livedvd for FreeBSD 9.1 or 8.2/8.3 series as I have
 them available.  There used to be the fixit command and I could use
 it.  I try the advice in System Administration chapter of handbook,
 but it does not work here :(
 
 boot -s
 mount -a
 mount -urw /
 
 as found in:
 
 http://www.freebsd.org/doc/faq/admin.html#rcconf-readonly
 
 
 Words of advice and suggestions are greatly appreciated and would get
 me to fix the mess that I started by myself :(
 
 Regards,




mount -u -o rw /


Alternatively boot a livefs CD (or Martin Matuska's mfsBSD) and mount your / 
partition from there, read-write.



Re: how to change from STABLE to RELEASE?

2013-01-09 Thread Fleuriot Damien

On Jan 9, 2013, at 3:56 PM, Warren Block wbl...@wonkity.com wrote:

 On Tue, 8 Jan 2013, Antonio Olivares wrote:
 
 Dear folks,
 
 I am happily running FreeBSD 9.0-STABLE on one of my machines, but I
 want to move to FreeBSD-RELEASE and use
 # freebsd-update upgrade -r 9.1-RELEASE
 but it does not find a valid repository.  How can I solve this issue
 to move to newer RELEASE and avoid staying on STABLE because I will
 have to compile/build world and it takes a good while to build and
 then may have to rebuild all the ports.
 
 As long as you stay on 9-STABLE, it is not necessary to rebuild all ports.  
 Actually, that is what the stable part means, a stable ABI:
 
 http://www.wonkity.com/~wblock/docs/html/stable.html


Interesting article, Warren.

If I may say, you may want, on occasion, to update the section about csup.



I'm going to take the opportunity to favorite your post, which I had read 
previously, regarding the simplification of kernel config files.
http://www.wonkity.com/~wblock/docs/html/kernelconfig.html


Re: Which ports tree through svn?

2013-01-09 Thread Fleuriot Damien

On Jan 9, 2013, at 3:41 PM, Andrei Brezan andrei...@gmail.com wrote:

 Hello list,
 
 I'm using:
 FreeBSD myhost.mydomain.com 9.0-RELEASE-p3 FreeBSD 9.0-RELEASE-p3 #0: Tue Jun 
 12 02:52:29 UTC 2012 
 r...@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64
 
 I want/need to use svn for my ports tree mainly because I need to downgrade 
 ports. There is portdowngrade in the ports tree but that relies on cvs which 
 is no longer available. The only way that I'm able to do this now is with svn 
 log and svn up -r to the revision needed so I get the version that I need in 
 the port.
 
 My problem is what do i need to checkout in the first place for 9.0-RELEASE?
 svn co svn://svn.freebsd.org/ports/head /usr/ports or svn co 
 svn://svn.freebsd.org/tags/RELEASE_9_0_0 /usr/ports?
 
 The first one seems to be up to date but the latter has for eg apache version 
 2.2.21 from 2011; I presume from the portfreeze before 9 was released.
 
 Maybe there are any means to downgrade ports while using portsnap that I'm 
 not aware of.
 
 Thank you,
 Andrei


http://svn.freebsd.org/ports/tags/RELEASE_9_0_0/


Note that, unless I'm mistaken, this branch is frozen so you won't be getting 
any update.


Re: problem to compile lang/gcc

2013-01-07 Thread Fleuriot Damien

On Jan 7, 2013, at 2:15 PM, Xavier xavierfreebsdquesti...@gmail.com wrote:

 Hi to all,
 
 I tried to compile the lang/gcc port but it stopped with required 'file to patch':
 
 root@casa:/usr/ports/lang/gcc # make
 Making GCC 4.6.3 for i386-portbld-freebsd9.1 [c,c++,objc,fortran,java]
 ===  Found saved configuration for gcc-4.6.3
 ===  Extracting for gcc-4.6.3
 = SHA256 Checksum OK for gcc-4.6.3.tar.bz2.
 = SHA256 Checksum OK for ecj-4.5.jar.
 ===   gcc-4.6.3 depends on file: /usr/local/bin/perl5.14.2 - found
 ===  Patching for gcc-4.6.3
 ===   gcc-4.6.3 depends on file: /usr/local/bin/perl5.14.2 - found
 ===  Applying extra patch /usr/ports/lang/gcc/files/java-patch-hier
 File to patch:
 No file found--skip this patch? [n]
 File to patch:
 No file found--skip this patch? [n] y
 1 out of 1 hunks ignored--saving rejects to libjava/Makefile.in.rej
 Can't create libjava/Makefile.in.rej, output is in /tmp//patchr1fhKR5: No 
 such f
 ile or directory
 *** [do-patch] Error code 1
 
 Stop in /usr/ports/lang/gcc.
 *** [build] Error code 1
 
 Stop in /usr/ports/lang/gcc.
 root@casa:/usr/ports/lang/gcc #
 
 In this case, what should I do to continue?
 
 Thanks.


First of all, ensure that your ports tree is up to date.


Re: uname -r output values?

2012-12-21 Thread Fleuriot Damien
mybsd dam  ~
$ uname -r
8.2-STABLE



On Dec 21, 2012, at 2:36 PM, Fbsd8 fb...@a1poweruser.com wrote:

 When issuing the uname -r command what are the different values possible to 
 expect?
 
 So far I have this list.
 
 Where X.X = major release . Sub release numbers
 Where y = number 1 through 9
 
 X.X-BETAy
 X.X-RCy
 X.X-RELEASE
 X.X-RELEASE-py
 X.X-PRERELEASE
 X.X-CURRENT

Re: Somewhat OT: Is Full Command Logging Possible?

2012-12-07 Thread Fleuriot Damien

On Dec 6, 2012, at 9:20 PM, Paul Schmehl pschmehl_li...@tx.rr.com wrote:

 --On December 6, 2012 1:19:00 PM -0600 Tim Daneliuk tun...@tundraware.com 
 wrote:
 
 I understand this.  Even the organization in question understands
 this.  They are not trying to *prevent* any kind of access.  All
 they're trying to do *log* it.  Why?  To meet some obscure
 compliance requirement they have to adhere to in order to
 remain in business.
 
 rant
 I know all of this is silly but that's our future when you
 let Our Fine Government regulate pretty much anything.
 /rant
 
 
 I sent this last night, but for some reason it never showed up.
 
 /usr/ports/security/sudoscript
 
 I believe this will meet your requirements.


I'm sorry to say it won't.
Nothing will prevent a user from removing sudoscript's FIFO once he gets root 
privileges.


Basically, what Tim wants to do sounds very akin to the PCI DSS requirements 
that every user's action be logged.
The bad news is _this is not achievable on MS/nux/bsd_ systems.
The kind of logging and security required can only be attained on mainframes 
(read: i/Series , z/Series) using RACF and other absolutely awesome features.


The only thing Tim can do is try to approach the level of security that's 
required.

Devin's suggestion of a kernel module is what comes closest to achieving the 
goal, provided that:
- the functionality is compiled in-kernel to prevent kldunload'ing the module
- the system runs at a secure level high enough to prevent kldunloads , if it 
can't be compiled in-kernel
- the functions used by the module cannot be overridden by another module (for 
example redeclare this module's sendlog() function with another dummy module, 
making sendlog() basically do a NOOP)

Another contestant that comes a close second is the use of the AUDIT framework, 
however one would need to ensure:
- audit trails cannot be tampered with (chflags sappend)
- the audit daemon cannot be killed



Re: Somewhat OT: Is Full Command Logging Possible?

2012-12-06 Thread Fleuriot Damien

On Dec 6, 2012, at 12:47 AM, Tim Daneliuk tun...@tundraware.com wrote:

 On 12/05/2012 05:42 PM, Damien Fleuriot wrote:
 
 
 On 6 Dec 2012, at 00:19, Tim Daneliuk tun...@tundraware.com wrote:
 
  sudo chown root:wheel my_naughty_script
  sudo chmod  700 my_naughty script
  sudo ./my_naughty_script
 
   The sudo log will note that I ran the script, but not what it did.
 
 
 
 wow, way to complicate matters.
 
 Hey, I didn't dream up this problem :)
 
 
 sudo csh
 
 
 
 So Gentle Geniuses, is there prior art here that could be applied
 to give me full coverage logging of every action taken by any person or
 thing running with effective or actual root?
 
 P.S. I do not believe
 
 Now would be a good time to start, then.
 
 
 Well ... does auditd provide a record of every command issued within a script?
 I was under the impression (and I may well be wrong) that it  noted only
 the name of the script being executed.
 

While it won't log every single command invoked from inside a script, it *can* 
log every single file access that's made.

Apart from IBM z/Series and i/Series mainframes, there is no hardware/software 
combination that I am aware of which will do that.

The Audit framework is your next best bet IMHO.


 
 The only things you need to ensure are:
 - auditd cannot be killed off (this is an interesting bit actually, does anyone 
 know how to do that?)
 - the audit trail files can only be appended to ; man chflags
 
 
 An alternative would be lshell, however you'll have to whitelist commands 
 people can execute.
 
 
 
 Remember that we want admins to be able to do *anything* but we just want
 to log what they do, in fact do.
 
 -- 
 
 Tim Daneliuk tun...@tundraware.com
 PGP Key: http://www.tundraware.com/PGP/
 
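The two replies above argue for the audit framework because, unlike sudo's own log or a FIFO an admin can unlink, it keeps recording after `sudo csh` or a copied shell. What makes that useful is a detail neither message spells out: every audit record carries the audit UID, which is fixed at login and is not changed by sudo, su or setuid binaries, so an execve(2) performed with uid root is still attributable to the person who logged in. The script below is an added example, not code from the thread or from FreeBSD: it parses records in the XML shape that `praudit -x` prints (the element and attribute names, `record`, `subject`, `audit-uid`, `exec_args`, `return`, follow my reading of that format and are an assumption), groups root-level commands by audit UID, and lists the users who escalated. The trail, the pids and the `/tmp/sudoscript-fifo` and `/root/toto` paths are constructed for the example.

```python
"""Attribute execve(2) audit records to the login user via the audit UID.

Added example, not code from the thread or from FreeBSD. Records are in
the XML shape printed by `praudit -x`; element/attribute names follow my
reading of that format and are an assumption. SAMPLE_TRAIL is constructed.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed trail: "dam" logs in, runs `sudo csh`, then works as root
# (one of the root commands fails); "ops" runs ls as herself. Made-up pids.
SAMPLE_TRAIL = """<audit>
<record version="11" event="execve(2)" modifier="0" time="Thu Dec  6 10:01:02 2012" msec=" + 10 msec">
<exec_args><arg>sudo</arg><arg>csh</arg></exec_args>
<path>/usr/local/bin/sudo</path>
<subject audit-uid="dam" uid="dam" gid="wheel" ruid="dam" rgid="wheel" pid="2001" sid="100" tid="1 0 0.0.0.0"/>
<return errval="success" retval="0"/>
</record>
<record version="11" event="execve(2)" modifier="0" time="Thu Dec  6 10:01:03 2012" msec=" + 40 msec">
<exec_args><arg>csh</arg></exec_args>
<path>/bin/csh</path>
<subject audit-uid="dam" uid="root" gid="wheel" ruid="root" rgid="wheel" pid="2002" sid="100" tid="1 0 0.0.0.0"/>
<return errval="success" retval="0"/>
</record>
<record version="11" event="execve(2)" modifier="0" time="Thu Dec  6 10:01:20 2012" msec=" + 5 msec">
<exec_args><arg>rm</arg><arg>-f</arg><arg>/tmp/sudoscript-fifo</arg></exec_args>
<path>/bin/rm</path>
<subject audit-uid="dam" uid="root" gid="wheel" ruid="root" rgid="wheel" pid="2003" sid="100" tid="1 0 0.0.0.0"/>
<return errval="success" retval="0"/>
</record>
<record version="11" event="execve(2)" modifier="0" time="Thu Dec  6 10:01:30 2012" msec=" + 0 msec">
<exec_args><arg>/root/toto</arg></exec_args>
<path>/root/toto</path>
<subject audit-uid="dam" uid="root" gid="wheel" ruid="root" rgid="wheel" pid="2004" sid="100" tid="1 0 0.0.0.0"/>
<return errval="failure : No such file or directory" retval="-1"/>
</record>
<record version="11" event="execve(2)" modifier="0" time="Thu Dec  6 10:02:00 2012" msec=" + 0 msec">
<exec_args><arg>ls</arg><arg>-l</arg></exec_args>
<path>/bin/ls</path>
<subject audit-uid="ops" uid="ops" gid="ops" ruid="ops" rgid="ops" pid="2100" sid="101" tid="2 0 0.0.0.0"/>
<return errval="success" retval="0"/>
</record>
</audit>"""


def parse_exec_records(xml_text):
    """Return one dict per execve(2) record, in trail order."""
    events = []
    for rec in ET.fromstring(xml_text).iter("record"):
        if rec.get("event") != "execve(2)":
            continue
        subj = rec.find("subject")
        ret = rec.find("return")
        events.append({
            "time": rec.get("time"),
            "auid": subj.get("audit-uid"),   # login identity; survives sudo/su
            "euid": subj.get("uid"),         # effective uid when exec happened
            "pid": int(subj.get("pid")),
            "path": rec.findtext("path"),
            "argv": [a.text for a in rec.findall("./exec_args/arg")],
            "ok": ret is not None and ret.get("retval") == "0",
        })
    return events


def root_commands_by_login_user(events):
    """Map audit UID -> successful command lines executed with euid root."""
    out = defaultdict(list)
    for e in events:
        if e["euid"] == "root" and e["ok"]:
            out[e["auid"]].append(" ".join(e["argv"]))
    return dict(out)


def escalated_users(events):
    """Audit UIDs that executed something as root without logging in as root."""
    return sorted({e["auid"] for e in events
                   if e["euid"] == "root" and e["auid"] != "root"})


if __name__ == "__main__":
    evs = parse_exec_records(SAMPLE_TRAIL)
    for auid, cmds in root_commands_by_login_user(evs).items():
        print(auid, "ran as root:", cmds)
    print("escalated:", escalated_users(evs))
```

For exec arguments to be present at all, audit_control needs `policy:argv` and a `flags:` line that includes the `ex` class (and `pc` if you want fork/exit as well); without `argv` the record only names the binary, which is the gap Tim worried about. The trail only means something if root cannot rewrite it, so pair this with `chflags sappend` on the files under /var/audit and a kern.securelevel of at least 1, at which point the append-only flag can no longer be cleared without a reboot.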


Re: Somewhat OT: Is Full Command Logging Possible?

2012-12-06 Thread Fleuriot Damien

On Dec 6, 2012, at 1:35 AM, Kurt Buff kurt.b...@gmail.com wrote:

 On Wed, Dec 5, 2012 at 3:48 PM, Tim Daneliuk tun...@tundraware.com wrote:
 On 12/05/2012 05:44 PM, Kurt Buff wrote:
 
 On Wed, Dec 5, 2012 at 3:19 PM, Tim Daneliuk tun...@tundraware.com
 wrote:
 
 I am working with an institution that today provides limited privilege
 escalation
 on their servers via very specific sudo rules.  The problem is that the
 administrators can do 'sudo su -'.
 
 snip
 
 
 sudo is misconfigured.
 
 man 5 sudoers and man 8 visudo
 
 
 
 Kurt
 
 
 I'm sorry Kurt, I'm sort of dense today, I'm not sure what you're
 saying.  Are you suggesting that there is a way to configure
 sudo so that if someone does 'sudo su -' to become an admin,
 sudo can be made to log every command they execute thereafter?
 
 No, I'm saying that sudo should not be configured to allow 'sudo su -'.


This is an ineffective solution.

So what, you're going to forbid sudo su -

Fine, I'll just run sudo csh .

If you forbid csh, I'll just copy the existing `which csh` to ~/toto and sudo 
~/toto .



Basically, anything short of actually whitelisting what people can run won't do.

And apparently that's not in Tim's list of desirable things ;)


SOLVED - Re: CARP within VirtualBox Does it work?

2012-12-05 Thread Fleuriot Damien

On Dec 4, 2012, at 8:17 PM, dweimer dwei...@dweimer.net wrote:

 On 2012-12-01 03:14, Damien Fleuriot wrote:
 On 30 November 2012 20:44, dweimer dwei...@dweimer.net wrote:
 On 2012-11-29 14:07, dweimer wrote:
 
 On 2012-11-29 12:53, Fleuriot Damien wrote:
 
 On Nov 29, 2012, at 6:43 PM, dweimer dwei...@dweimer.net wrote:
 
 I was trying to setup a test of CARP on two virtual machines running in
 VirtualBox 4.2.4r81684 I am not sure if I have something wrong with my 
 CARP
 configuration or if VirtualBox just doesn't work right with it.  I can 
 only
 ping the CARP interface IP address from the machine listed as MASTER, if 
 I
 do an ifconfig carp0 down on the MASTER the other machine correctly 
 switches
 form BACKUP to MASTER and then I can ping the interface from it but not 
 from
 the Original system.
 
 The VirtualBox systems are both using bridged networking, and the host
 cannot ping the carp0 IP address but can ping the interface IP address.
 
 Before I go through more trouble shooting, does anyone know if CARP
 doesn't work with VirtualBox?
 
 carp configuration
 Machine1:
 ifconfig_em0=UP
 ifconfig_em0_name=LAN
 ipv4_addrs_LAN=10.20.190.201/16
 defaultrouter=10.20.111.2
 cloned_interfaces=carp0
 ifconfig_carp0=vhid 1 advskew 100 pass ReduntantCarpTest
 10.20.190.203/16
 
 ifconfig carp0:
 carp0 flags=49UP,LOOPBACK,RUNNING metric 0 mtu 1500
 inet 10.20.190.203 netmask 0x
 nd6 options=29PREFORMNUD,IFDISABLED,AUTO_LINKLOCAL
 carp: MASTER vhid 1 advbase 1 advskew 100
 
 
 Machine2:
 ifconfig_em0=UP
 ifconfig_em0_name=LAN
 ipv4_addrs_LAN=10.20.190.202/16
 defaultrouter=10.20.111.2
 cloned_interfaces=carp0
 ifconfig_carp0=vhid 1 pass ReduntantCarpTest 10.20.190.203/16
 
 ifconfig carp0:
 carp0 flags=49UP,LOOPBACK,RUNNING metric 0 mtu 1500
 inet 10.20.190.203 netmask 0x
 nd6 options=29PREFORMNUD,IFDISABLED,AUTO_LINKLOCAL
 carp: BACKUP vhid 1 advbase 1 advskew 0
 
 FreeBSD version is 9.1RC3 on both test machines.
 
 
 
 
 We're using FreeBSD and CARP in virtualized environments at work,
 albeit not on VirtualBox but on Proxmox/KVM.
 
 First, I would advise replacing 10.20.190.203/16 with 10.20.190.203/32
 
 
 I notice your carp0 is MASTER on machine1 with an advskew of 100 vs
 machine 2 advskew 0, same advbase.
 Confirm this is *after* you've set carp0 down on machine2.
 
 If both carps are up and machine1 with advskew 100 beats machine2
 with advskew 0, you have an additional problem.
 
 
 See if you have any more luck with the /32 address on carp0 anyway.
 
 
 The documentation shows the mask matching that of the interface:
 hostname=hostb.example.org
 ifconfig_fxp0=inet 192.168.1.4 netmask 255.255.255.0
 cloned_interfaces=carp0
 ifconfig_carp0=vhid 2 pass testpass 192.168.1.51/24
 
 This is consistent with the man page for CARP on the system as well.
 Regardless I tried with the /32 and had the same result as I did with
 the /16.  I had done various UP/DOWN on interfaces so the current
 MASTER was just the last one to have not been DOWN.  I think I might
 just copy these VMs to my VMWARE Workstation 9 install on my home PC
 after work tonight and see if the problem persists.
 
 
 The behavior definitely changed going from VirtualBox to VMWare, the only
 change in my configuration was the IP addresses to match the home network.
 However now I can talk to the carp interface from other machines, but they
 receive two response one from each of the test systems.  TCPDUMP shows that
 they are each seeing the others broadcasts, but for some reason they are
 both running as MASTER.  If you run a DOWN/UP on the interface, it briefly
 shows as BACKUP before switching to MASTER.  I tried with both /24 subnet of
 my home network, and setting the carp0 interface to /32, both behaved the
 same.  Any one have any other ideas, as to whether this comes down to a
 Virtual Network Issue, or a setup issue on my part.
 
 
 
 Well, it definitely works here for us on Proxmox/KVM.
 
 When you tcpdump on your either host, do you see the CARP
 advertisements from the other ?
 
 
 FInd below the advertisements as seen from our CARP backup firewall:
 $ sudo tcpdump -ni vlan14 vrrp
 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 listening on vlan14, link-type EN10MB (Ethernet), capture size 96 bytes
 10:11:09.084568 IP 195.158.240.[snip]  224.0.0.18: VRRPv2,
 Advertisement, vrid 114, prio 50, authtype none, intvl 1s, length 36
 10:11:10.282826 IP 195.158.240.[snip]  224.0.0.18: VRRPv2,
 Advertisement, vrid 114, prio 50, authtype none, intvl 1s, length 36
 10:11:11.481075 IP 195.158.240.[snip]  224.0.0.18: VRRPv2,
 Advertisement, vrid 114, prio 50, authtype none, intvl 1s, length 36
 
 Probably should have been more clear earlier when I mentioned I could see the 
 others' broadcasts, this is what I meant, yes they do see the others' 
 advertisements.  It most definitely was virtual network related, found some 
 information on the pfSense wiki that directed me to the advanced settings

Re: Install on Intel

2012-12-04 Thread Fleuriot Damien

On Dec 4, 2012, at 11:28 AM, ksg k...@teleguam.net wrote:

 Do you know if FreeBSD will install with a Intel Core 2 CPU  6400 @ 2.13 GHz
 
 Carlos Griffith

Yes it will.

You'll want the amd64 version, likely.



Re: pfctl

2012-11-30 Thread Fleuriot Damien

On Nov 30, 2012, at 12:02 PM, Laszlo Danielisz laszlo_daniel...@yahoo.com 
wrote:

 Hi Everybody,
 
 Recently I've discovered the following issue: I can't display my firewall's 
 rules, and the firewall is enabled. 
 Take a look what is happening:
 
 ktulu# pfctl -s rules   
 No ALTQ support in kernel
 ALTQ related functions disabled
 ktulu# pfctl -e
 No ALTQ support in kernel
 ALTQ related functions disabled
 pfctl: pf already enabled
 
 ktulu# uname -a
 FreeBSD ktulu.danielisz.eu 8.3-RELEASE-p3 FreeBSD 8.3-RELEASE-p3 #0: Mon Jun 
 11 23:52:38 UTC 2012 
 r...@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  i386
 
 
 
 Do you have any idea why I can not see them?
 
 Thx!
 Laszlo


Kindly do not cross-post to -pf and -questions at the same time.

I've replied on -pf , hope that helps.


Re: clearing /var/tmp in periodic.conf?

2012-11-29 Thread Fleuriot Damien

On Nov 29, 2012, at 5:19 PM, Gary Aitken free...@dreamchaser.org wrote:

 Any reasons why one should not clear /var/tmp via periodic.conf?


Hi Gary,


Well, /var/tmp/nginx is reason enough, for starters ;)
/var/tmp/vi.recover is another, if you use vi.

Basically, there is really no awesome reason for emptying it periodically.


Re: CARP within VirtualBox Does it work?

2012-11-29 Thread Fleuriot Damien

On Nov 29, 2012, at 6:43 PM, dweimer dwei...@dweimer.net wrote:

 I was trying to setup a test of CARP on two virtual machines running in 
 VirtualBox 4.2.4r81684 I am not sure if I have something wrong with my CARP 
 configuration or if VirtualBox just doesn't work right with it.  I can only 
 ping the CARP interface IP address from the machine listed as MASTER, if I do 
 an ifconfig carp0 down on the MASTER the other machine correctly switches 
 from BACKUP to MASTER and then I can ping the interface from it but not from 
 the Original system.
 
 The VirtualBox systems are both using bridged networking, and the host cannot 
 ping the carp0 IP address but can ping the interface IP address.
 
 Before I go through more trouble shooting, does anyone know if CARP doesn't 
 work with VirtualBox?
 
 carp configuration
 Machine1:
 ifconfig_em0="UP"
 ifconfig_em0_name="LAN"
 ipv4_addrs_LAN="10.20.190.201/16"
 defaultrouter="10.20.111.2"
 cloned_interfaces="carp0"
 ifconfig_carp0="vhid 1 advskew 100 pass ReduntantCarpTest 10.20.190.203/16"
 
 ifconfig carp0:
 carp0 flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
 inet 10.20.190.203 netmask 0x
 nd6 options=29<PREFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
 carp: MASTER vhid 1 advbase 1 advskew 100
 
 
 Machine2:
 ifconfig_em0="UP"
 ifconfig_em0_name="LAN"
 ipv4_addrs_LAN="10.20.190.202/16"
 defaultrouter="10.20.111.2"
 cloned_interfaces="carp0"
 ifconfig_carp0="vhid 1 pass ReduntantCarpTest 10.20.190.203/16"
 
 ifconfig carp0:
 carp0 flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
 inet 10.20.190.203 netmask 0x
 nd6 options=29<PREFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
 carp: BACKUP vhid 1 advbase 1 advskew 0
 
 FreeBSD version is 9.1RC3 on both test machines.



We're using FreeBSD and CARP in virtualized environments at work, albeit not on 
VirtualBox but on Proxmox/KVM.

First, I would advise replacing 10.20.190.203/16 with 10.20.190.203/32.


I notice your carp0 is MASTER on machine1 with an advskew of 100 vs machine2 
with advskew 0, same advbase.
Confirm this is *after* you've set carp0 down on machine2.

If both carps are up and machine1 with advskew 100 beats machine2 with advskew 
0, you have an additional problem.


See if you have any more luck with the /32 address on carp0 anyway.



Re: i386 vs amd64

2012-11-28 Thread Fleuriot Damien

On Nov 28, 2012, at 6:36 PM, mike miskulin birdf...@yahoo.com wrote:

 About to build a replacement system for an older i386 setup.   A few
 years ago I had tried the amd64 port on it and found it was frustrating
 as things that just worked on i386 did not on amd64. IIRC ports were 
 large annoyance too.
 
 Now I have a new system with 8GB, etc,etc and wonder if I am best off to
 stick with i386 and PAE or is the amd64 version finally on a par or
 close enough that I would not likely have many issues like in the past?
 
 Thanks for your thoughts/(recent) experiences.


What port was that?

I've never had a *single* problem due to using amd64 over i386.

From a professional point of view, we're using over 60 amd64 FreeBSD 8.0, 8.1, 
8.2 and 8.3 boxes at work and they work just fine.


I for one can recommend the 64-bit version.



Re: When Is The Ports Tree Going To Be Updated?

2012-11-27 Thread Fleuriot Damien

On Nov 27, 2012, at 4:27 PM, Greg Larkin glar...@freebsd.org wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 On 11/27/12 4:36 AM, Damien Fleuriot wrote:
 On 26 November 2012 21:15, jb jb.1234a...@gmail.com wrote:
 Tim Daneliuk tundra at tundraware.com writes:
 
 ... One wonders if using svn to keep the ports tree up-to-date
 might not be simpler, and perhaps, more reliable ...
 
 As managed by portsnap: $ du -hs /usr/ports/ 850M/usr/ports/
 
 As managed by svn (it took much longer to checkout/download it by
 comparison): $ du -hs /usr/local/ports/ 1.4G
 /usr/local/ports/ $ du -hs /usr/local/ports/.svn/ 702M
 /usr/local/ports/.svn/
 
 One thing about svn is that it is a developer's tool, with its
 own commands set (that should never be mixed with UNIX commands
 w/r to dir/file manipulation), and that should not be expected to
 be learned by non-devs.
 
 For that reasons alone the portsnap-managed ports repo is more
 generic, flexible to be handled by user and add-on
 apps/utilities, looks like more efficient without that svn
 overhead resulting from its requirements and characteristics as a
 source control system.
 
 But, svn offers to a user a unique view into ports repo, e.g.
 history, logs, info, attributes, etc.
 
 jb
 
 
 While we're on the binary vs SVN topic, I'd like to point out I'm 
 *actually running out of inodes* on a virtualized machine (we use 
 these a lot for our dev and preproduction environments) with 5gb
 of space, when checking out the ports tree.
 
 Of course 5gb is quite small but then, this was installed a while
 back.
 
 The transition to SVN means I'm going to have to reinstall these
 firewalls. There are a lot of them it's going to be a major pain.
 
 
 idk, I'm loathe to use portsnap, I liked CSup just fine.
 
 Unless you plan to use svn commands other than checkout in your ports
 tree, I would suggest switching to svn export or perhaps the
 svn-export script (http://xyne.archlinux.ca/projects/svn-export/) to
 fetch your ports tree.
 
 The export command will not create the .svn metadata directory and
 will save on inode usage.  Of course, you could also create a new
 virtual disk for /usr/ports and tune it with more inodes if you'd
 rather use svn checkout.
 
 Hope that helps,
 Greg
 
 - -- 
 Greg Larkin



Well I definitely don't plan on making changes to local files or committing 
stuff, I'd just like to keep an updated ports tree and switch from CVS to SVN.

I guess I'll have a look at svn export, thanks for the tip Greg.



Re: Anyone using squid and pf?

2012-11-27 Thread Fleuriot Damien

On Nov 27, 2012, at 6:34 PM, Doug Sampson do...@dawnsign.com wrote:

 [...]
 
 Rules from pf.conf
 
 
 # macros
 ext_if=xl0
 int_if=bge0
 
 tcp_services={ 22, 993, 5910:5917 }
 tcp_priv_services={ 389, 443 }
 proxy_services = { 21, 80 }
 icmp_types={ echoreq unreach squench timex }
 internal_net = 172.18.0.0/16
 proxy = 172.18.0.1
 proxyport=8021
   ^
 No whitespace here
 
 
 # tables
 table <goodguys> persist
 table <sshguard> persist
 
 # options
 set block-policy return # ports are closed but can be seen
 set loginterface $ext_if
 
 set skip on lo0
 
 # scrub
 scrub in
 
 rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021
 
 # redirect www trafic to proxy
 rdr on $int_if inet proto tcp from $internal_net to any port
 $proxy_services -> $proxy port 8080
   ^
 Whitespace here. Maybe that's the issue here?
 


Erm, working as intended, Doug.

He's redirecting from his internal net to any port defined as proxiable, to his 
$proxy machine on port 8080.

Looks good to me.




 # ext_if IP address could be dynamic, hence ($ext_if)
 nat on $ext_if from !($ext_if) to any -> ($ext_if)
 
 [...]


Re: When Is The Ports Tree Going To Be Updated?

2012-11-26 Thread Fleuriot Damien
I don't get what you're trying to show here.


The commands you've run indicate that:

1/ you have an up-to-date ports tree
2/ one of the installed ports needs to be updated


So what?
Just run # portmaster libreoffice


I think you might be confused: "new version available" means that you have 
version 1.2.3 installed and that 1.2.4 is available *from the local ports tree*.
It does not indicate that there is a newer version of a package available 
remotely and that you should update your ports tree.


Hope this helps.


On Nov 26, 2012, at 4:21 PM, jb jb.1234a...@gmail.com wrote:

 Stas Verberkt legolas at legolasweb.nl writes:
 
 
 jb schreef op :
 Tim Daneliuk tundra at tundraware.com writes:
 
 ...
 I use portsnap fetch update and it works...
 
 Ah, maybe that was the problem.  That works for me as well.
 
 Well, not quite ...
 
 I think, after the security incident, you had to obtain a fresh 
 snapshot of the ports tree,
 i.e. you had to do portsnap fetch extract before usual service 
 continued.
 May this be your problem?
 
 # portsnap fetch extract
 # ls -al /usr/ports/IN*
 -rw-r--r--  1 root  wheel  26879597 Nov 26 15:37 /usr/ports/INDEX-7
 -rw-r--r--  1 root  wheel  26763600 Nov 26 15:38 /usr/ports/INDEX-8
 -rw-r--r--  1 root  wheel  26744834 Nov 26 15:38 /usr/ports/INDEX-9
 -rw-r--r--  1 root  wheel   1654048 Nov 11 11:45 /usr/ports/INDEX-9.bz2
 # portsnap fetch update
 Looking up portsnap.FreeBSD.org mirrors... 6 mirrors found.
 Fetching snapshot tag from ec2-eu-west-1.portsnap.freebsd.org... done.
 Latest snapshot on server matches what we already have.
 No updates needed.
 Ports tree is already up to date.
 #
 
 This fixed it.
 
 But, let's see what happens with this test:
 
 # rm -rf  /usr/ports/
 # portsnap extract
 # ls -al /usr/ports/IN*
 -rw-r--r--  1 root  wheel  26879563 Nov 26 16:07 /usr/ports/INDEX-7
 -rw-r--r--  1 root  wheel  26763566 Nov 26 16:07 /usr/ports/INDEX-8
 -rw-r--r--  1 root  wheel  26744800 Nov 26 16:07 /usr/ports/INDEX-9
 # portmaster -L | egrep '(ew|ort) version|total install'
=== New version available: java-zoneinfo-2012.j
=== New version available: liberation-fonts-ttf-2.00.1,1
=== New version available: libxul-10.0.11
=== New version available: firefox-17.0,1
=== New version available: libreoffice-3.5.7
=== New version available: vigra-1.9.0
 === 545 total installed ports
=== 6 have new versions available
 # portmaster -L --index | egrep '(ew|ort) version|total install'
 /tmp/d-78227-index/INDEX-9.bz2100% of 1615 kB  176 kBps 00m00s
=== New version available: libreoffice-3.5.7
 === 545 total installed ports
=== 1 has a new version available
 # portmaster -L --index-only | egrep '(ew|ort) version|total install'
=== New version available: libreoffice-3.5.7
 === 545 total installed ports
=== 1 has a new version available
 # ls -al /usr/ports/IN*
 -rw-r--r--  1 root  wheel  26879563 Nov 26 16:07 /usr/ports/INDEX-7
 -rw-r--r--  1 root  wheel  26763566 Nov 26 16:07 /usr/ports/INDEX-8
 -rw-r--r--  1 root  wheel  26665016 Nov 26 16:12 /usr/ports/INDEX-9
 -rw-r--r--  1 root  wheel   1654048 Nov 11 11:45 /usr/ports/INDEX-9.bz2
 # portsnap update
 Ports tree is already up to date.
 #
 
 Well, what do you say about this ?
 jb
 
 


Re: PF and tables for disabling network

2012-11-23 Thread Fleuriot Damien

On Nov 23, 2012, at 3:46 PM, David Demelier demelier.da...@gmail.com wrote:

 Hello,
 
 I would like to disable the network traffic for specific IPs, for the
 moment I just add to my pf.conf a rule that will block everything for a
 specified table like this :
 
 table <closed>
 
 [...] others rules [...]
 
 block from <closed>
 
 Then I just need to add my IP using pfctl, it will works, no packet can be
 send / recv to the machine, however if that machine had some active
 connections, these won't be closed and they can still use them (a SSH
 client, game, ...)
 
 How can I disable everything then?
 
 Cheers
 
 -- 
 Demelier David


First, you might want to use "block in quick on $externalif inet from <closed>" 
instead, to have:
- a quick rule, which stops ruleset evaluation immediately
- a more specific rule, which applies only to your WAN interface's inbound 
traffic

Be careful with the quick keyword, it's going to match packets immediately and 
entirely block these IPs.


Then, if you want to kill the active connections from people in the closed 
table, you might want to script a bit, like:

for i in `pfctl -t closed -T show`
do
    # kill every state whose source address is this table entry
    pfctl -k "$i"
done



Would that do the trick for you?
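
Building on the state-killing idea above, here is an added example (it is not code from the post or from the FreeBSD project) that validates each entry of the closed table and emits the pfctl commands needed to flush the matching states in both directions, since a block rule alone leaves established connections alive. The table name comes from the thread; the constructed sample dump and the DRY_RUN knob are assumptions of the example.

```sh
#!/bin/sh
# Added example, not the thread's code. A "block ... from <closed>" rule only
# stops NEW packets; pf's state table still carries every established
# connection, so a ban is incomplete until the states are flushed in BOTH
# directions. Given the entries of a pf table (name "closed" as in the thread,
# everything else assumed), this emits the pfctl commands that do so.
# DRY_RUN=1 (default) prints them; DRY_RUN=0 runs them on the live table (root).

# Strict IPv4 check: four decimal octets in 0..255, optional /0-32 prefix.
# "pfctl -T show" prints nothing else, but it is cheap insurance against a
# corrupted or hand-edited table dump being fed to pfctl.
is_ipv4() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 4 && NF != 5 { exit 1 }
        NF == 5 && ($5 !~ /^[0-9]+$/ || $5 > 32) { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        { exit 0 }'
}

# Reads table entries on stdin (one per line, as "pfctl -t closed -T show"
# prints them, leading blanks included) and writes two kill commands per
# entry. Invalid lines are skipped and counted on stderr.
kill_cmds_for_table() {
    bad=0
    while read -r addr; do          # read strips pfctl's leading blanks
        [ -z "$addr" ] && continue
        if ! is_ipv4 "$addr"; then
            bad=$((bad + 1))
            continue
        fi
        echo "pfctl -k $addr"                # states whose source is $addr
        echo "pfctl -k 0.0.0.0/0 -k $addr"   # states whose destination is $addr
    done
    [ "$bad" -gt 0 ] && echo "skipped $bad invalid table entries" >&2
    return 0
}

# Constructed stand-in for "pfctl -t closed -T show" output: two hosts, one
# network, and one bogus line to show the validation working.
SAMPLE_TABLE='   192.0.2.10
   192.0.2.0/24
   not-an-address
   198.51.100.7'

if [ "${DRY_RUN:-1}" = 1 ]; then
    printf '%s\n' "$SAMPLE_TABLE" | kill_cmds_for_table
else
    pfctl -t closed -T show | kill_cmds_for_table | sh
fi
```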



Re: high performance server design approach

2012-11-13 Thread Fleuriot Damien
Define "high performance": what are your expectations in terms of concurrent 
connections, requests/second and all?



Allow me to shed some measure of light here, we're running 16x web servers with 
nginx doing *permanent* (as in, for all requests) URL rewriting and serving 500 
req/s each.

These servers, admittedly running Debian, are behind 4x FreeBSD boxes using a 
combination of PF, CARP and relayd on 8.3-STABLE.

The web servers deliver 200mb/second worth of *small* files (roughly 1kb 
javascripts).
They hardly ever reach 0.25 load average, on 8 cores + hyperthreading.


What I'm getting at here is, nginx *totally rapes* performance-wise, at least 
for our own needs.

If it is able to deliver 500 req/s (for each server) of small files, surely it 
can handle the load you're planning on throwing at it?



On Nov 13, 2012, at 11:28 AM, Friedrich Locke friedrich.lo...@gmail.com wrote:

 Thank you Mark for suggestion, but my doubt still remains.
 
 Regards.
 
 On Tue, Nov 13, 2012 at 8:26 AM, Mark Blackman m...@exonetric.com wrote:
 
 On 13 Nov 2012, at 10:23, Friedrich Locke friedrich.lo...@gmail.com
 wrote:
 
 Hi list members,
 
 i would like to be an http server for static content only. Due to this
 
 [snip]
 
 
 
 What you have to say
 
 benchmark nginx to see if it does the job already.
 
 - Mark
 