ipfw, NAT and CISCO IPSec VPNs

2009-08-10 Thread Jonathan Belson

Hiya

I've got a pretty standard network which uses a FreeBSD server to perform NAT 
between my internal IPs (192.168.0.x) and the outside world.  Everything is 
working tickety-boo, but I'm trying to tweak my firewall rules (ipfw, based on 
the '[Ss][Ii][Mm][Pp][Ll][Ee]' firewall template in rc.firewall) to allow a CISCO 
IPSec-based VPN client on a local machine to connect to a remote server (tunnel).


tcpdump shows that the client attempts to send packets to the remote VPN server 
on port 500 (isakmp) as you'd expect, but it's not getting any packets back and 
so the connection fails.


The following suggests that you can solve the problem by not changing the source 
port of the NATed packets, but gives a sample using pf:


http://lists.freebsd.org/pipermail/freebsd-net/2005-October/008749.html

Other posts I've read say you can simply forward packets from the remote VPN 
server to the machine running the VPN client, but (needless to say) I haven't 
been able to get this to work:


http://groups.google.com/group/comp.unix.bsd/browse_thread/thread/85d775a73e352aa5/f62e6b0d67b2d576

Any suggestions from people who have done similar before?

Cheers,

--Jon
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
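As an added example for the post above (this is not code from the list or from rc.firewall), here are the ipfw rules a practitioner would expect to need for an IKE/IPsec client behind a natd NAT box: the post only mentions UDP 500, but a tunnel also needs NAT-Traversal on UDP 4500 and, where the client does not switch to NAT-T, raw ESP (IP protocol 50). The interface name xl0, the rule numbers and the `fwcmd` dry-run default are assumptions; the linked freebsd-net post is the basis for the note on keeping the source port at 500.

```shell
#!/bin/sh
# Added example, not from the original post: the ipfw rules an IPsec
# client behind a natd NAT box needs on the outside interface.
# Assumptions: the external interface is xl0, rule numbers 2000-2004 are
# free, and fwcmd defaults to 'echo ipfw' so the rules are printed (dry
# run) instead of loaded.  Set fwcmd=/sbin/ipfw to apply them for real.
fwcmd="${fwcmd:-echo ipfw}"
oif="${oif:-xl0}"

# Three flows make up an IKEv1/IPsec tunnel, and all three must pass:
#   udp/500   IKE (ISAKMP) negotiation
#   udp/4500  NAT-Traversal: IKE and ESP-in-UDP once the peers detect NAT
#   esp       raw ESP, IP protocol 50, if the client does not use NAT-T
# Replies are listed explicitly rather than with keep-state because ESP
# has no ports for the state table to key on.  In the rc.firewall
# "simple" template these belong after the divert natd rule, so inbound
# packets have already been translated back to the inside client when
# they reach these rules.
vpn_rules() {
    ${fwcmd} add 2000 pass udp from any to any 500 via "${oif}"
    ${fwcmd} add 2001 pass udp from any 500 to any via "${oif}"
    ${fwcmd} add 2002 pass udp from any to any 4500 via "${oif}"
    ${fwcmd} add 2003 pass udp from any 4500 to any via "${oif}"
    ${fwcmd} add 2004 pass esp from any to any via "${oif}"
}

# The freebsd-net post linked above says the fix was to stop NAT from
# rewriting the client's source port (IKE peers expect 500 <-> 500).
# natd picks a fresh port by default; natd_flags="-same_ports" in
# /etc/rc.conf makes it keep the original port whenever it is free.
# Check what actually leaves the box with:
#   tcpdump -ni xl0 'udp port 500 or udp port 4500 or proto 50'
```

Run it as is to see the five rules; `fwcmd=/sbin/ipfw sh vpn-rules.sh` loads them. If tcpdump shows the client's packets leaving with a source port other than 500, the `-same_ports` flag is the first thing to try.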


Re: Performance problem with samba/zfs

2009-02-20 Thread Jonathan Belson

Jonathan Belson wrote:
I just moved my work to an exported UFS partition and I've seen the same 
problem appear a couple of times.  It's possibly a little less frequent 
though.


So with zfs off the hook, it's possible that the problem lies with samba 
(or maybe the editor itself, although I don't remember ever coming 
across the issue before).


I've tried a different Windows editor and the problem still occurs, so it is 
most likely a problem with samba itself.  I will try increasing the debug 
level of smbd and see if that throws up any clues.


Cheers,

--Jon


Re: Performance problem with samba/zfs

2009-02-18 Thread Jonathan Belson

Mel wrote:

On Monday 16 February 2009 07:56:02 Jonathan Belson wrote:

I export a few samba shares from a FreeBSD amd64 server and I've been
editing text files on one of the shares via a Windows box.

This /usually/ works fine, but occasionally I'll get a pause of several
seconds when I save back a modified file.  No errors are generated on the
server, but it causes the smbd process to take a few % of available cpu time,
according to top.

Could this be due to the infamous seekdir/seekdir issue between samba and
FreeBSD?  Some of the directories do contain hundreds of files.  This post
suggests it has been fixed though: http://www.vnode.ch/fixing_seekdir

The server is running -STABLE ('FREEBSD 7.1-PRERELEASE'), as built on
2008/09/08.  The file system is zfs.  I'm using samba 3.0.34,1, built from
ports.
If you can reproduce this behavior using local access or ssh access (taking 
samba out of the equivalent) I would take it over to freebsd-fs.

The seekdir is indeed fixed.
If not, increase verbosity for smbd, maybe it spits out a hint why it is 
taking so long (smells like locking).


I just moved my work to an exported UFS partition and I've seen the same problem 
appear a couple of times.  It's possibly a little less frequent though.


So with zfs off the hook, it's possible that the problem lies with samba (or 
maybe the editor itself, although I don't remember ever coming across the issue 
before).


Cheers,

--Jon


Performance problem with samba/zfs

2009-02-16 Thread Jonathan Belson

Hiya

I export a few samba shares from a FreeBSD amd64 server and I've been editing 
text files on one of the shares via a Windows box.


This /usually/ works fine, but occasionally I'll get a pause of several seconds 
when I save back a modified file.  No errors are generated on the server, but it 
causes the smbd process to take a few % of available cpu time, according to top.


Could this be due to the infamous seekdir/seekdir issue between samba and 
FreeBSD?  Some of the directories do contain hundreds of files.  This post 
suggests it has been fixed though: http://www.vnode.ch/fixing_seekdir


The server is running -STABLE ('FREEBSD 7.1-PRERELEASE'), as built on 
2008/09/08.  The file system is zfs.  I'm using samba 3.0.34,1, built from ports.


Any ideas, anyone?

Cheers,

--Jon


Re: Changing 'From:' address of periodic scripts

2008-09-01 Thread Jonathan Belson

Jonathan Belson wrote:

Matthew Seaman wrote:

Yes.  root is specifically exempted from all the masquerading stuff.
There's an EXPOSED_USER macro you can use in $(hostname).mc to control
that.


Ah, that explains it.  There doesn't seem to be a way to remove exposed 
users, but there is a web page explaining how to stop 'root' being added 
as a default exposed user:


http://www.grok.org.uk/docs/smroot.html

Instead of doing this, I've told periodic.conf to send its output to my 
local account on the server, and added a .forward file to pass the 
e-mail to my 'real' address.  Hopefully this will play nicely with 
sendmail's masquerading.


Of course it didn't, as the e-mail's sender was still 'root' :-S  I ended up 
following the instructions from the web page above, and after initially getting 
caught out by the difference between 'dnl' and '#' I finally have a 
configuration that works.


Thanks,

--Jon


Re: Changing 'From:' address of periodic scripts

2008-08-28 Thread Jonathan Belson

Greg Larkin wrote:

Jonathan Belson wrote:
| Hiya
|
| I set up a remote box to e-mail 'periodic' output to me directly.  It
| has now stopped working, and I suspect it's because the 'From:'
| address of the status e-mails is of the form '[EMAIL PROTECTED]' and
| the ISP has upped its anti-spam checks.
|
| I see /usr/sbin/periodic itself uses the 'mail' command to send the
| mails, but I couldn't see a command line option to specify a 'From:'.
| I guess 'mail' uses 'sendmail' to send e-mail; is there a simple way of
| forcing a 'From:' address via 'sendmail' config?
|
Hi Jon,

Have a look at this: http://www.sendmail.org/m4/masquerading.html and
perhaps this, too: http://www.madboa.com/geek/sendmail-genericstable/

You can rewrite [EMAIL PROTECTED] to appear as though it's coming from a
real email address by using the techniques on those pages.

Please post back here if you run into any trouble!


OK, thanks.  After playing with MASQUERADE_AS(), MASQUERADE_DOMAIN() plus a few 
FEATURES(), I've managed to change the 'From:' address for e-mails sent via the 
command line.  Unfortunately, e-mails sent via the cron-ed periodic scripts 
still don't get through, although if I run e.g. 'periodic daily' from the 
command line, the mail does reach me.


The only difference I can think of is that cron runs the scripts as root.  Could 
this cause the difference?


Cheers,

--Jon


Re: Changing 'From:' address of periodic scripts

2008-08-28 Thread Jonathan Belson

Matthew Seaman wrote:

Jonathan Belson wrote:
| OK, thanks.  After playing with MASQUERADE_AS(), MASQUERADE_DOMAIN()
| plus a few FEATURES(), I've managed to change the 'From:' address for
| e-mails sent via the command line.  Unfortunately, e-mails sent via the
| cron-ed periodic scripts still don't get through, although if I run e.g.
| 'periodic daily' from the command line, the mail does reach me.
|
| The only difference I can think of is that cron runs the scripts as
| root.  Could this cause the difference?


Yes.  root is specifically exempted from all the masquerading stuff.
There's an EXPOSED_USER macro you can use in $(hostname).mc to control
that.


Ah, that explains it.  There doesn't seem to be a way to remove exposed users, 
but there is a web page explaining how to stop 'root' being added as a default 
exposed user:


http://www.grok.org.uk/docs/smroot.html

Instead of doing this, I've told periodic.conf to send its output to my local 
account on the server, and added a .forward file to pass the e-mail to my 'real' 
address.  Hopefully this will play nicely with sendmail's masquerading.


Cheers,

--Jon



Changing 'From:' address of periodic scripts

2008-08-11 Thread Jonathan Belson

Hiya

I set up a remote box to e-mail 'periodic' output to me directly.  It has now
stopped working, and I suspect it's because the 'From:' address of the status
e-mails is of the form '[EMAIL PROTECTED]' and the ISP has upped its anti-spam
checks.

I see /usr/sbin/periodic itself uses the 'mail' command to send the mails, but I
couldn't see a command line option to specify a 'From:'.  I guess 'mail' uses
'sendmail' to send e-mail; is there a simple way of forcing a 'From:' address
via 'sendmail' config?

Cheers,

--Jon



Problems with Dell/Seagate tape drive

2005-06-08 Thread Jonathan Belson

Hiya

I've installed FreeBSD-Stable on a Dell PowerEdge 600SC, and I'm having 
real problems getting the tape drive to work reliably.  It's a Dell 
rebadged ATA Seagate/Certance STT2401A.


As I mentioned in a previous e-mail, I get the message 'ast0: FAILURE - 
REZERO timed out' when tar-ing files to it (after the files have been 
written, but before the drive starts to rewind).


That message seems harmless enough, but I also keep getting intermittent 
kernel panics when I try to access it: 'supervisor read, page not present'.


Has anyone else used this particular model of tape drive?  If so, did 
you have any problems with it?  I've tried switching cables and using 
master/slave/cable select, but it hasn't made any difference. 
Unfortunately, I don't have a spare tape drive to try in case it's a 
hardware fault.


Cheers,

--Jon

http://www.witchspace.com


Rewinding tapes

2005-05-19 Thread Jonathan Belson
Hiya
I've written a small script that backs up data to a tape, rewinds it, 
then reads back the data that was stored as a test.

The problem I've run into is that 'mt rewind' is asynchronous, and 
subsequent tape operations will fail until the rewind operation has 
finished.

Is there a way to find out when the tape has finished rewinding, or at 
least to rewind synchronously?  The drive is an ATA Seagate STT2401A.

Cheers,
--Jon
http://www.witchspace.com


Re: Rewinding tapes

2005-05-19 Thread Jonathan Belson
Dan Nelson wrote:
mt rewind is synchronous on all the tape drive I have used it on (dat,
dlt, 9-track, 3490).
Apologies, it's 'tar' that seems to return when the drive is still busy 
- attempting to access the tape device before it's finished making 
groaning noises gives an input/output error.

# tar -cv /some/dir
fx: groan whirr
# tar t
tar: Error opening archive: Error reading '/dev/ast0': Input/output error
Cheers,
--Jon
http://www.witchspace.com


Re: Corrupted e-mails

2004-08-20 Thread Jonathan Belson
Hiya

 Here is my .qmail, which runs SpamAssassin on the incoming e-mail for
 this account:

 |/usr/local/bin/spamassassin | /usr/local/bin/maildir /home/jon/Maildir/
 #./Maildir/

 well, Jon, if you look above the # in a dot qmail file means to drop the
 email and not deliver.

I don't quite understand what you're saying.  The second line is commented
out; the first line tells qmail to pipe the e-mail through spamassassin,
then write the result to my Maildir (using maildir).

 also, you are running S/A as a very expensive daemon above, calling the
 main S/A for each mail received...

My server is a 1GHz Athlon that spends a lot of its time twiddling its
thumbs...

 If you must do it this way, please see

 http://www.magma.com.ni/~jorge/spamassassin.html

That's the page I got my .qmail config from.  The only difference is that
I don't use the '-P' flag since it's now the default for SA.

Just to emphasise: my Qmail/Spamassassin setup has worked fine for years;
it's only relatively recently that a very small number of e-mails have
been getting corrupted.

 I think a better way is to use the S/A client in a .qmail file, and have
 the S/A daemon running... A very nice way to do this is at.

 http://www.gbnet.net/~jrg/qmail/ifspamh/

Thanks, I'll take a look.

Cheers,

--
Jon




Corrupted e-mails

2004-08-18 Thread Jonathan Belson
Hiya

For the last few months, I've had a problem where a small number (less
than ~1 in 1000) of e-mails get corrupted.  All I have in my Maildir
is something like the following two lines:

Return-Path: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]

In this case it's spam so it's no great loss, but I've had it happen
to important e-mails too.

Here are the appropriate lines from my maillog:

Aug 18 05:35:17 dookie qmail: 1092803717.270465 new msg 2018
Aug 18 05:35:17 dookie qmail: 1092803717.270808 info msg 2018: bytes 6860
from [EMAIL PROTECTED] qp 66137 uid 82
Aug 18 05:35:17 dookie qmail: 1092803717.283085 starting delivery 1895:
msg 2018 to local [EMAIL PROTECTED]
  snip
Aug 18 05:35:32 dookie qmail: 1092803732.535421 end msg 2018

The original e-mail looks to have been ~6.5kB.

Here is my .qmail, which runs SpamAssassin on the incoming e-mail for
this account:

|/usr/local/bin/spamassassin | /usr/local/bin/maildir /home/jon/Maildir/
#./Maildir/

I'm inclined to blame SpamAssassin since I saw a similar problem when
I had it misconfigured before - that was easy to track down since it
wrote error messages in the system log left (missing p5 package).  This
time there are no error messages, and the problem only occurs very
occasionally.

Has anyone else seen this before?  Any clues on what could be going
wrong?  Disabling SpamAssassin would make e-mail unusable since I
get hundreds of spam e-mails a day.

Cheers,

--Jon

http://www.witchspace.com


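An added example that serves both the original 'Corrupted e-mails' post and the .qmail discussion in the reply above (it is not code from the list or from qmail). The posted .qmail line pipes spamassassin straight into maildir, so if spamassassin dies part-way the pipeline's exit status is that of maildir, and qmail records a successful delivery of whatever fragment came out. The wrapper below stores the filter output first, checks the filter's exit status and that the result still looks like a complete message, and otherwise exits 111, which is qmail-local's "temporary failure" code and makes qmail retry instead of discarding. The script name, the FILTER/DELIVER variables and the sample message are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: a delivery wrapper to use in
# .qmail instead of
#   |/usr/local/bin/spamassassin | /usr/local/bin/maildir /home/jon/Maildir/
# (a .qmail line starting with '#' is a comment per dot-qmail(5), so the
# second line of the posted file does nothing either way).
# Assumed names: FILTER and DELIVER are overridable for testing; the
# DELIVER default is split on whitespace into command plus argument.
FILTER="${FILTER:-/usr/local/bin/spamassassin}"
DELIVER="${DELIVER:-/usr/local/bin/maildir /home/jon/Maildir/}"

# Return 0 if the file $1 looks like a complete message: a header block
# that contains a From: header and is terminated by a blank line.  The
# corruption in the post (only Return-Path:/Delivered-To: survived) has
# neither, so it is rejected here rather than written to the Maildir.
message_complete() {
    awk 'BEGIN { hdrdone = 0; hasfrom = 0 }
         !hdrdone && /^[Ff][Rr][Oo][Mm]:/ { hasfrom = 1 }
         !hdrdone && /^$/ { hdrdone = 1 }
         END { exit ((hdrdone && hasfrom) ? 0 : 1) }' "$1"
}

# Read the message on stdin, run the filter into a temp file, validate,
# then deliver.  Exit codes follow qmail-local: 0 delivered, 111 retry.
filter_and_deliver() {
    tmp=$(mktemp "${TMPDIR:-/tmp}/qfilter.XXXXXX") || return 111
    if ! $FILTER > "$tmp"; then
        rm -f "$tmp"
        return 111          # filter failed: leave the message in the queue
    fi
    if ! message_complete "$tmp"; then
        rm -f "$tmp"
        return 111          # truncated output: retry rather than deliver
    fi
    rc=0
    $DELIVER < "$tmp" || rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] || return 111
    return 0
}

# Entry point when run as a .qmail command; exit with the function's code.
# filter_and_deliver; exit $?
```

With the last line uncommented and the script saved as, say, ~/bin/safe-filter.sh, the .qmail file becomes the single line `|/home/jon/bin/safe-filter.sh`. A message that fails the check stays in the queue and qmail's log shows the deferral, which is the clue the original post was missing.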


[Q] ipfw and 'me'

2003-01-06 Thread Jonathan Belson
Hiya


My ISP uses DHCP to allocate IP numbers, so currently every time
the IP changes, I have to manually change my firewall rules.

I've just been looking into the 'me' option for ipfw:

me  matches any IP address configured on an interface in the
system.  The address list is evaluated at the time the
packet is analysed.

Since the machine is a gateway, it has two network cards.  Will
'me' match *both* IP address or just the first one it comes
across?  I only really want it to match the IP address of the
external interface, not the internal one.

Cheers,


--Jon

http://www.witchspace.com


To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message



Re: [Q] ipfw and 'me'

2003-01-06 Thread Jonathan Belson
Ceri Davies wrote:

On Mon, Jan 06, 2003 at 05:02:01PM +, Jonathan Belson wrote:


I've just been looking into the 'me' option for ipfw:

me  matches any IP address configured on an interface in the
    system.  The address list is evaluated at the time the
    packet is analysed.

Since the machine is a gateway, it has two network cards.  Will
'me' match *both* IP address or just the first one it comes
across?  I only really want it to match the IP address of the
external interface, not the internal one.


Both, I'm afraid.


Hmm, I suppose since tests for IP spoofing through the external
interface have already been carried out by that point, it isn't
that much of a problem.

Does the fancy-pants new IPFW2 allow more control for 'me'?


--Jon

http://www.witchspace.com





Re: [Q] ipfw and 'me'

2003-01-06 Thread Jonathan Belson
Dan Nelson wrote:

me is me.  Maybe the recv | xmit | via {ifX | if* | ipno | any}
options will help?  What exactly are you trying to allow/block?


My firewall rules are based on the 'simple' pattern in rc.firewall.
I've got stuff like this to explicitly allow certain connections:

# ssh
${fwcmd} add pass tcp from any to ${oip} 22 setup
${fwcmd} add pass udp from any to ${oip} 22
${fwcmd} add pass udp from ${oip} 22 to any

# Allow DNS queries out in the world
${fwcmd} add pass udp from ${oip} to any 53 keep-state

# Allow NTP queries out in the world
${fwcmd} add pass udp from ${oip} to any 123 keep-state

where ${oip} is my external IP address (ie. the one that changes
every now and again)


--Jon

http://www.witchspace.com





Re: [Q] ipfw and 'me'

2003-01-06 Thread Jonathan Belson
Jack L. Stone wrote:

The best way to do this is to use awk to determine and set a variable for
the external IP every time it changes and then refer to that variable in
your rules.


ifconfig | grep ^xl0 -1 | tail -n 1 | awk '{ print $2  }'

Any neater way? :-)


--Jon

http://www.witchspace.com





Re: [Q] ipfw and 'me'

2003-01-06 Thread Jonathan Belson
Fernando Gleiser wrote:


ifconfig xl0 | awk '/^\tinet / {print $2}'



Nice!  My awk isn't what it should be...


--Jon

http://www.witchspace.com


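An added example covering the two posts above on the 'me' keyword and on pulling the external address out of ifconfig (this is not code from the thread). It does two things: it parses ifconfig output for a named interface the way the awk one-liner does, but also works on the full listing and copes with an interface that has no address yet; and it writes the ssh/DNS/NTP rules from the earlier post with `me` qualified by `in via`/`out via`, which is the answer to the worry that `me` matches both cards. The interface name xl0 and the `fwcmd` dry-run default are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: find the external address without
# hard-coding it, and write rules where 'me' only counts on the outside
# card.  Assumptions: xl0 faces the ISP, and fwcmd defaults to
# 'echo ipfw' so the rules are printed rather than loaded.
fwcmd="${fwcmd:-echo ipfw}"

# Print the first IPv4 address of interface $1 from ifconfig output read
# on stdin.  Works on 'ifconfig xl0' and on the full 'ifconfig' listing:
# a line starting in column 0 ("xl0: flags=...") opens an interface block
# and the indented "inet ..." lines belong to the current block.  Prints
# nothing if the interface has no address yet (before dhclient has run).
ext_ip_from_text() {
    awk -v want="$1" '
        /^[A-Za-z]/ { cur = $1; sub(/:$/, "", cur) }
        cur == want && $1 == "inet" { print $2; exit }'
}

# Wrapper for the live system:  oip=$(ext_ip xl0)
ext_ip() {
    ifconfig "$1" | ext_ip_from_text "$1"
}

# 'me' matches every address on the box, so the interface qualifier is
# what keeps the internal card out of it: 'in via xl0' only matches
# packets that arrived on xl0, 'out via xl0' only those leaving on it.
# Because nothing here names the address, the rules survive a DHCP
# change without a reload.
fw_rules() {
    oif="$1"
    # ssh: new connections to our external address only
    ${fwcmd} add pass tcp from any to me 22 in via "${oif}" setup
    # DNS and NTP queries out; replies come back through the state table
    ${fwcmd} add pass udp from me to any 53 out via "${oif}" keep-state
    ${fwcmd} add pass udp from me to any 123 out via "${oif}" keep-state
}
```

If a rule really must carry the literal address (for instance to hand it to natd), `oip=$(ext_ip xl0)` gives the same value as the awk one-liner, and an empty result is the signal that the interface is not up yet.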



[Q] Sockets verses message queues?

2002-10-25 Thread Jonathan Belson
Hiya


I'm writing an application which will fork into two processes
(master/slave), and I require that the two be able to
communicate asynchronously.  The master will send commands to
the slave then get on with other things, and the slave will
send a message back when it's finished.

Is there any advantage to using AF_UNIX sockets rather than
message queues, or vice versa (I was thinking about speed,
but sockets seem to be more complicated code-wise)?

Cheers,


--Jon

http://www.witchspace.com

