from:"Nikos Vassiliadis"


On 2/10/2013 1:12 AM, Teske, Devin wrote:

On Sat, 9 Feb 2013, Fbsd8 wrote:

What I am doing is writing documentation that describes the new 9.1 jail
extensions for jail.conf and the rc.conf jail statements. I am going to
submit changes to /etc/defaults/rc.conf and as long as I was on the jail
subject thought I may as well include vnet because it was missing from
/etc/defaults/rc.conf.


Thanks for taking this on.


Thank you too. The documentation needs updating. This is very welcome.




I did google search and could only find 9.0 vnet jails using epair.


I'm surprised you didn't find my own page on vnet jails using netgraph:

http://druidbsd.sf.net/vimage.shtml


I have seen this but I got the idea that it is not in ports(?) and this
stopped me from trying.

Thanks for your efforts,

Nikos

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: packages listing


On 2/10/2013 8:57 AM, Polytropon wrote:

On Sat, 9 Feb 2013 22:52:37 -0800 (PST), Dánielisz László wrote:

Hi Everybody,

Do you have any idea how can I list those installed packages
that are not required by any other?


You can use sysutils/pkg_cutleaves to determine those.




I use this:

#!/bin/sh
pkg_info -R '*' | sed -n '
/^Information for /{
N
N
/Required by:/d
s/^Information for \(.*\):\n\n$/\1/p
}
'

HTH, Nikos

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: vnet without epair


On 2/10/2013 2:54 PM, Teske, Devin wrote:

It's not in ports only because I first wanted to see where jail.conf would take 
us w/respect to vimages.


I see.


However, this package not being in ports shouldn't prevented you from trying it 
-- it's extremely stable and as I mentioned, we've been using it heavily at 
$work for over 12 months now. When you download the package (*.tgz) and pkg_add 
it, it installs the following two files only:

/etc/rc.d/vimage
/etc/rc.conf.d/vimage

NOTE: The rc.conf.d file is the documentation on usage

If you haven't tried it, then I hope you will because I think the new jail.conf 
stuff falls short. Don't get me wrong, jail.conf is a great start, but simply 
adding the ability to manage the vnet aspect of a jail does not make a vimage 
(what's missing is the built-in support for generating bridges as vimages are 
brought up/down dynamically).

I feel that before I add this to ports I need to reprogram it to use jail.conf 
(not directly). That will simplify its code and [should] make it smaller. I was 
somewhat waiting on /etc/rc.d/jail to blaze the trail for me.

In short, the landscape has been changing fast enough that it's prevented me 
from adding this to ports, but in spite of that it's still very much real _and_ 
real stable.



Yes, of course.

I will try it and report back to you my findings.

What I - nikos - really need from a script like yours is the ability
to generate arbitrarily complex topologies with interconnected vnet
jails. Something like:
abc---d
 |
 |
hef---g
  |
  |
  i

Like a cut-down version of imunes[1] without the need of a graphical
user interface.

I understand that is not common case and that is why I was always using
ad hoc scripts.

But one can always hope(or write one himself/herself of course!).

1. 
http://web.archive.org/web/20120418053250/http://imunes.tel.fer.hr/imunes/


Thanks, Nikos

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: packages listing


On 2/10/2013 3:09 PM, Teske, Devin wrote:

Just curious, why not use pkg_info -Ra instead of pkg_info -R '*' ?


Because I didnt know -a;)


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: vnet without epair


On 2/10/2013 3:56 PM, Teske, Devin wrote:


Excellent! This is precisely what I was after when I wrote the vimage package and its contents. I'm 
familiar with IMUNES and netgraph fits the bill well (especially with ngctl dot being 
useful in providing visual confirmation when you've achieved the desired network layout -- when 
ngctl dot | dot -Tsvg -o netgraph.svg starts to look like your IMUNES graph, then you 
know you're making progress toward having the right configuration).


You'll be soon hearing from me then!

Nikos



___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: vnet without epair


On 2/10/2013 4:02 PM, Nikos Vassiliadis wrote:

On 2/10/2013 3:56 PM, Teske, Devin wrote:


Excellent! This is precisely what I was after when I wrote the vimage
package and its contents. I'm familiar with IMUNES and netgraph fits
the bill well (especially with ngctl dot being useful in providing
visual confirmation when you've achieved the desired network layout --
when ngctl dot | dot -Tsvg -o netgraph.svg starts to look like your
IMUNES graph, then you know you're making progress toward having the
right configuration).


You'll be soon hearing from me then!


Hi Devin,

A request. Could you create a pkgng package as well? 10 has
switched to pkgng...

Thanks in advance,

Nikos

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: vnet without epair

2013-02-09 Thread Nikos Vassiliadis


On 2/9/2013 5:57 PM, Fbsd8 wrote:

Has any one been able to get RELEASE 9.1 to enable jail vnet without
having to use epair?


Yes, you can use vnet-enabled jails with several types of interfaces.
Physical ones like em0 etc, virtual ones like vlan0 etc, netgraph
ethernet-like interfaces like ngeth etc and if_epair interfaces.
What all these have in common is that they all are ethernet-like.

You don't mention what kind of use and more or less most interfaces
are usable in a vnet jail. Could you share more on what you are
trying to achieve?

Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

assigning values to variables in the background

2013-01-15 Thread Nikos Vassiliadis


Hi,

 A bit of an OT question. I am writing a bourne shell script that
collects data from a router. Since netstat  vmstat can run for
a numbers of iterations I thought I would use just that:

stats()
(
   nstats=`netstat -I ng0 -q 1 60 | tail -1` 
   rawdata=`vmstat -c 2 60 | tail -1`
   wait
...

The logic was:
1. run the first process in the bg
2. run the second process
3. wait to make sure the first process has finished
4. continue further

It makes perfect sense why this doesn't work. Both commands
run in the foreground.

I am going to split the time between netstat and vmstat. So, it
will be 30 seconds of netstat and 30 seconds of vmstat.

But I am still interested/curious how one should go for this using
the shell. So, can this be done without files? Any thoughts?

Thanks, Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: assigning values to variables in the background

2013-01-15 Thread Nikos Vassiliadis


On 1/15/2013 9:30 PM, Greg Larkin wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 1/15/13 12:42 PM, Nikos Vassiliadis wrote:

Hi,

A bit of an OT question. I am writing a bourne shell script that
collects data from a router. Since netstat  vmstat can run for a
numbers of iterations I thought I would use just that:

stats() ( nstats=`netstat -I ng0 -q 1 60 | tail -1` 
rawdata=`vmstat -c 2 60 | tail -1` wait ...

The logic was: 1. run the first process in the bg 2. run the second
process 3. wait to make sure the first process has finished 4.
continue further

It makes perfect sense why this doesn't work. Both commands run in
the foreground.

I am going to split the time between netstat and vmstat. So, it
will be 30 seconds of netstat and 30 seconds of vmstat.

But I am still interested/curious how one should go for this using
the shell. So, can this be done without files? Any thoughts?

Thanks, Nikos



Hi Nikos,

As far as I can tell, the backticks are what's causing the problem.
Even though you put the first command in the background (maybe with
the  inside the backticks, though), the assignment to the nstats
variables causes the script to block.

If you switch to using temp files, you may have more luck, e.g.:

netstat -w 1 -I ng0 -q 60 | tail -1  /tmp/netstat.$$ 
npid=`echo $!`
vmstat -w 2 -c 60 | tail -1  /tmp/vmstat.$$ 
vpid=`echo $!`
wait $npid
nstats=`cat /tmp/netstat.$$`
rm -f /tmp/netstat.$$
wait $vpid
rawdata=`cat /tmp/vmstat.$$`
rm -f /tmp/vmstat.$$`


Yes, this looks probably like something I will use too.

Just for the fun of it and using a separator(Robert's idea), I came up
with this:


delay=10

a=$(
(
echo netstat `netstat -I ng0 -q 1 $delay | tail -1` netstat
) 

(
echo vmstat `vmstat -c 2 $delay | tail -1` vmstat
)
)

echo $a


If someone else has something else to add I'll be glad to hear it,
no matter how crazy!

Thanks for your answers Greg  Robert,

Nikos

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: ipfwNG project?

2012-12-06 Thread Nikos Vassiliadis


On 12/4/2012 4:24 PM, Rick Miller wrote:

I came across the wiki doc for ipfwNG (http://wiki.freebsd.org/IpfwNg)
and wondered if any of the concepts of this project are currently
being developed for FreeBSD and when we might start seeing those
concepts included in releng/ code.



Hi,

I would ask first ipfw@, then net@ and last and most importantly the author
of the wiki page directly.

HTH, Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: List all hard drives on system (with capacities)... How?

2012-12-06 Thread Nikos Vassiliadis


On 12/7/2012 1:34 AM, Tim Daneliuk wrote:

On 12/06/2012 05:30 PM, Ronald F. Guilmette wrote:


I'd like to write a small program or shell script that simply lists all
of the physical hard drives attached to the local system, along with
their
product identifiers and their respective capacities.

The following simple script works well for both PATA/SATA and USB hard
drives,
but it does not list drive capacities:

#!/bin/sh

atacontrol list | grep ':  ad[0-9]' | sed 's/^.*:  //'
camcontrol devlist | grep '(da[0-9]' | sed -E 's/^(.*)
\((da[0-9]+).*$/\2 \1/'


How can I modify the script above in order to get it to print out the
respective drive capacities?


Look into fdisk -s




I think fdisk should need a valid partition table, or not?

diskinfo works nice with all disk-like devices be it a physical disk,
a slice, a partition, a swap-backed device etc. Its output is easily
parsable using a single line per device and if you use -v you will get
the same info in human-readable form.

HTH, Nikos

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: /usr/sbin/ppp doubling connections on tun0

2012-11-20 Thread Nikos Vassiliadis


On 11/20/2012 2:49 AM, andrew clarke wrote:

I'm using /usr/sbin/ppp for PPPoE over an ADSL modem in bridged mode:

# ifconfig tun0
tun0: flags=8051UP,POINTOPOINT,RUNNING,MULTICAST metric 0 mtu 1492
 options=8LINKSTATE
 inet 203.217.27.170 -- 203.215.15.252 netmask 0x
 inet 203.214.46.107 -- 203.215.7.251 netmask 0x
 Opened by PID 49158

What would cause this?

Notice the two IP addresses assigned to the same interface. It should
just have one address assigned.


Yes, I think this is caused by NAT. It seems that this is feature:

 iface-alias
 Default: Enabled if -nat is specified.  This option simply tells
 ppp to add new interface addresses to the interface rather than
 replacing them.  The option can only be enabled if network
 address translation is enabled (``nat enable yes'').

 With this option enabled, ppp will pass traffic for old interface
 addresses through the NAT engine (see libalias(3)), resulting in
 the ability (in -auto mode) to properly connect the process that
 caused the PPP link to come up in the first place.

 Disabling NAT with ``nat enable no'' will also disable
 `iface-alias'.


One could say that it's a surprising one! But, yes, is deliberate.

HTH, Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: fsck on a mounted fs as read-only

2012-05-31 Thread Nikos Vassiliadis


On 5/31/2012 12:19 PM, dmi...@zhigulinet.ru wrote:

Good afternoon.
Could not tell whether you can run fsck on checking mounted file system as 
read-only, if prior to that with which the parameters


ftp # mount
...
/ dev/aacd0 on / var / ftp (ufs, NFS exported, local, read-only)


Could you copy  paste the exact lines?
The / dev/aacd0 on  on / var / ftp parts make no sense to me.
It should be:
some_dev on some_dir (ufs, NFS exported, local, read-only)



Launched with these parameters and this is what gives

ftp # fsck -yf / dev/aacd0
** / Dev/aacd0 (NO WRITE)
** Last Mounted on / var / ftp
** Phase 1 - Check Blocks and Sizes

As I understand it does not fix the fsck filesystem.



fsck filesystem_goes_here
for example fsck /dev/ada0s1a
or
fsck mount_point_goes_here
for example fsck /

You are probably trying to fsck the wrong device...

Rebooting to single user and fscking the RO mounted / fs works as usual.
Please provide more info.

HTH, Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: Regarding PCI-E error display in FreeBSD

2012-05-23 Thread Nikos Vassiliadis


On 5/23/2012 1:45 PM, subramani.p wrote:

Does FreeBSD has provision to display PCI-E errors.

we are observing a FreeBSD OS hang while performing a phy break of an
expander during IOs on the drives attached to the expander.

The same test when run under linux we could see Linux OS popping up PCIe
related error messages which was detected through their AER module.

Please help me in understanding if there are any such modules in FreeBSD
through which PCIe related error message can be viewed.


Hi,

Check if this helps:
http://lists.freebsd.org/pipermail/freebsd-current/2012-May/033734.html

Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: VLANs, default route not working on boot

2012-04-20 Thread Nikos Vassiliadis


On 4/20/2012 9:54 PM, Chad M Stewart wrote:

cloned_interfaces=vlan4 vlan7
ifconfig_vlan4=inet 192.168.4.21 netmask 255.255.255.0 vlan 4 vlandev em0
ifconfig_vlan7=inet 192.168.7.21 netmask 255.255.255.0 vlan 7 vlandev em0
ifconfig_vlan7=alias 192.168.7.31 netmask 255.255.255.255
ifconfig_vlan7=alias 192.168.7.41 netmask 255.255.255.255
ifconfig_vlan7=alias 192.168.7.41 netmask 255.255.255.255
ifconfig_vlan7=alias 192.168.7.51 netmask 255.255.255.255
ifconfig_vlan7=alias 192.168.7.61 netmask 255.255.255.255
ifconfig_vlan7=alias 192.168.7.71 netmask 255.255.255.255
defaultrouter=192.168.7.1


This is not the correct syntax. From the rc.conf manual page:


 ipv4_addrs_ed0=192.0.2.129/27 192.0.2.1-5/28

 It is also possible to add IP alias entries using ifconfig(8)
 syntax.  Assuming that the interface in question was ed0, it
 might look something like this:

 ifconfig_ed0_alias0=inet 127.0.0.253 netmask 0x
 ifconfig_ed0_alias1=inet 127.0.0.254 netmask 0x



HTH, Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: Token Ring (really)

2012-04-08 Thread Nikos Vassiliadis


On 4/8/2012 4:41 PM, Jay West wrote:

Adam wrote...

Otherwise, it's time to abandon steamships for airplanes.  Sounds like you
have a primed business opportunity just waiting to be exploited.

---
Actually, this is for a historical re-creation project. Airplanes would be
entirely inappropriate for a historical display, so steamships it is. Last I
checked, there was no primed business opportunity in doing something for
non-profits (museums, etc.) :)

I guess I'll have to see how tough it would be to yank the TR code from 7x
and get it running under 9x. Probably above my skillset, but I'll have a
looksee.

J



Hi,

You could try finding an ethernet to token ring translating bridge,
though I am not aware of the budget will need - or if you'll find one
anyways.

Just a thought,

Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: some kind of binary sed(1) command

2012-02-02 Thread Nikos Vassiliadis


On 2/2/2012 8:22 AM, Matthias Apitz wrote:


Hello,

I have a normal ASCII file wich has in some places two lines of '*',
separated by an empty line, i.e.

\n
*\n
\n
*\n
\n

and I want to substitute the \n between the star lines by \f; the
'binary' sed command would just be

s/*\n\n*/*\n\f*/

which ofc does not work with sed(1) because it is line oriented;
I could write something in perl, C, awk or whatever language, but I
would prefer to do it with the normal commands... any ideas?

Thanks

matthias


Perhaps, something like this:

raidmadi% sed '/\*\*\*\*/{ N;N;s/\(\*\*\*\*\n\)\(\n\)\(\*\*\*\*\)/\1\\f\
\3/; }; '




\f


foo


foo



Keep in mind that I am using zsh which allows you to write multi-line
commands.

HTH, Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: can not destroy ng interface

2012-01-11 Thread Nikos Vassiliadis


On 1/12/2012 7:53 AM, Коньков Евгений wrote:

Hi, Freebsd-questions.

# ifconfig ng0
ng0: flags=88d1UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST  metric 0 mtu 
1400
 nd6 options=29PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL
meta-up# ifconfig ng0 destroy
ifconfig: SIOCIFDESTROY: Invalid argument

why I can not destroy interface?



The destroy ifconfig command is meant to be used on clonable
interfaces. You can destroy a netgraph node using ngctl.
Try 'ngctl kill ng0:'.

HTH, Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: 2 distinct DSL lines with same endpoint (8-STABLE)

2012-01-09 Thread Nikos Vassiliadis


On 1/9/2012 10:20 PM, Christoph Egger wrote:

Hi all!

   I'm having a FreeBSD 8 gateway that is supposed to do NAT/firewall
stuff with internet coming through 2 distinct DSL modems from the same
carrier. Unfortunately I can only run ppp on one of these lines as the
endpoint address for both lines are the same so bringing up the second
line fails in

| PPp ON elephant  Warning: tun1: AIFADDR X.X.X.X -  Y.Y.Y.Y returns -1
| Warning: iface add: ioctl(SIOCAIFADDR, X.X.X.X -  Y.Y.Y.Y): File exists
| Error: ipcp_InterfaceUp: unable to set ip address

Where Y.Y.Y.Y is already also used for the other ppp connection.

   This seems to be a known Problem with FreeBSD ppp (google turns up
some results) but I haven't found any usefull workarounds. Can anyone
suggest some way to get this kind of setup working?



You need equal cost multipath routing support to do this. The *correct*
way is to build a kernel with option RADIX_MPATH and then add more than
one routing entries to the same destination, in your case:
a.b.c.d - e.f.g.h
i.j.k.l - e.f.g.h
0.0.0.0/0 via tun0
0.0.0.0/0 via tun1

There is also a hackish way to achieve the same thing by:
 changing the peer's address to something else arbitrary
 and using a firewall to forward there packets.
The first ppp on tun0 will be: a.b.c.d - e.f.g.h
You'll change it to a.b.c.d - 192.168.90.1
The second ppp on tun1 will be: i.j.k.l - e.f.g.h
Then you'll use your favorite firewall to send packets to
192.168.90.1 and e.f.g.h.

HTH, Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: Forward error correction routines?

2011-12-14 Thread Nikos Vassiliadis


On 12/14/2011 5:45 AM, Dennis Glatting wrote:

I am looking for /any/ forward error correction code under FreeBSD,
whether Hamming Codes, Golay Codes, Reed-Solomon, BCH codes, etc. or
convolution encoders/decoders.

All I've found is:

* libfec, which only runs under i386 (I am 64 bit), and
* reed-solomon, which is merely a library and no executables.

Is there any usable utilities? Clue please.


You could try this:
http://users.softlab.ntua.gr/~ttsiod/rsbep.html

It is meant to be used with storage devices and does interleaving
so it can recover a lost sector.

Hint: the decoded output contains garbage at the end, you
have to use the included utility(or dd) to get the correct file size.

HTH, Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: Disabling geom_journal

2011-12-13 Thread Nikos Vassiliadis


On 12/13/2011 5:59 PM, Vincent Hoffman wrote:

Hi all,
 I'm sure I have seen this come up before but a google doesnt
help. I am trying to disable gjournal on a disk so i can move to suj as
part of moving on to the 9.x series, I have umounted the FS but when i
try to stop the journal it automatically starts it on the gtpid of the
device and if i stop that it goes back to the original device name.

[root@ostracod ~/doc]# gjournal list
Geom name: gjournal 2909580316
ID: 2909580316
Providers:
1. Name: ada1p2.journal
Mediasize: 494739118080 (460G)
Sectorsize: 512
Mode: r0w0e0
Consumers:
1. Name: ada1p2
Mediasize: 495812860416 (461G)
Sectorsize: 512
Stripesize: 0
Stripeoffset: 17408
Mode: r1w1e1
Jend: 495812859904
Jstart: 494739118080
Role: Data,Journal

[root@ostracod ~/doc]# gjournal stop ada1p2.journal
[root@ostracod ~/doc]# gjournal list
Geom name: gjournal 2909580316
ID: 2909580316
Providers:
1. Name: gptid/9e1798be-b5f3-11de-a1eb-00012e273257.journal
Mediasize: 494739118080 (460G)
Sectorsize: 512
Mode: r0w0e0
Consumers:
1. Name: gptid/9e1798be-b5f3-11de-a1eb-00012e273257
Mediasize: 495812860416 (461G)
Sectorsize: 512
Stripesize: 0
Stripeoffset: 17408
Mode: r1w1e1
Jend: 495812859904
Jstart: 494739118080
Role: Data,Journal


Any idea how to stop this without setting kern.geom.label.gptid.enable=0
in my loader.conf and rebooting?


You don't have to reboot, just set kern.geom.label.gptid.enable to zero,
gjournal stop ada1p2, gjournal clear ada1p2 and re-enable gptid labels.

HTH, Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: Do you run OSSEC on 9.0?

2011-11-24 Thread Nikos Vassiliadis


Since /dev contains a special filesystem which cannot
be used for simple files and directories, I would say
that the IDS needs some knowledge about it and generic
file-checking rules don't apply there.

This sounds like a false alert, something must have changed
from 8 to 9 and/or the ossec port (and/or ossec signatures).

Disclaimer: I am not an ossec user!

Nikos

On 11/24/2011 11:04 AM, Odhiambo Washington wrote:

Getting the same too, since I upgraded my 8.2 -  9.0-PRE.

Would be interested in the answers too.


On Thu, Nov 24, 2011 at 10:32, Rossbasarev...@gmail.com  wrote:


I am getting emails about hidden files in /dev. Before that (on 8.2)
everything was OK. What should I do?


OSSEC HIDS Notification.
2011 Nov 24 08:17:25

Received From: coffin-rootcheck
Rule: 510 fired (level 7) -  Host-based anomaly detection event
(rootcheck).
Portion of the log(s):

Files hidden inside directory '/dev'. Link count does not match number
of files (9,27).



  --END OF NOTIFICATION
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to 
freebsd-questions-unsubscr...@freebsd.org







___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: radiusd-cistron

2011-11-20 Thread Nikos Vassiliadis


On 11/19/2011 10:38 PM, Jim Pazarena wrote:

I recently switched from FBSD 7.0 i386
to FBSD 8.2 amd64

my radius only sees garbage in place of the password, so no one
can authenticate.

Since I changed both OS (7.0-8.2) AND platform (i386-amd64), I am
unsure where to start looking for an encryption problem.

Any suggestions would be appreciated. Yes, I could switch to
freeradius, but would that change/help an encryption issue?


I am not sure if cistron works correctly on 64bit architectures.
Is plain text authentication working?

Cistron is unmaintained, but there is a very low traffic
mailing list, you could ask there.
http://lists.cistron.nl/mailman/listinfo/cistron-radius

HTH, Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: Very large swap

2011-10-14 Thread Nikos Vassiliadis


On 10/14/2011 8:08 AM, Dennis Glatting wrote:


This is kind of stupid question but at a minimum I thought it would be
interesting to know.

What is the limitations in terms of swap devices under RELENG_8 (or 9)?

A single swap dev appears to be limited to 32GB (there are truncation
messages on boot). I am looking at a possible need of 2-20TB (probably
more) with as much main memory that is affordable.


The limit is raised to 256GB in HEAD and RELENG_8
http://svnweb.freebsd.org/base?view=revisionamp;revision=225076


I am working with large data sets and there are various ways of solving
the problem sets but simply letting the processors swap as they work
through a given problem is a possible technique.


I would advise against this technique. Possibly, it's easier to design
your program to user smaller amounts of memory and avoid swapping.

After all, designing your program to use big amounts of swapped out
memory *and* perform in a timely manner, can be very challenging.

Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: Turning system accounting data into money

2011-10-11 Thread Nikos Vassiliadis


On 10/11/2011 5:06 PM, Polytropon wrote:

This is _not_ a spam message trying to sell something
stupid to the list. I'm just searching for a solution
to turn consumed computing resources into a number and
a currency symbol. :-)

Reason: A growing amount of (my) customers seems to
like this concept: They speed a low fee for access to
systems and applications, and they want to pay according
to what they did with that system. The access fee covers
access and some basic services (backup  quota), and for
anything more advanced they want to be charged per
units used, or per consumed resources. This can be dialog
time (SSH), disk I/O, disk occupied, pages printed (can happen)
or pages required to print on exceptional specific forms
(can happen once or twice a year and is charged with an
additional fee for fold, staple  mutilate).

Sounds stupid? I have _real_ customers intendedly
requesting that payment model (instead of just pay
amount n Euro a month and do whatever you like).

Accidentally, I remembered history.

So I thought: This funcitonality has been present on
UNIX systems for many decades. But _how_ to use it? I
know there's the command set for accounting, for example
the ac command. But what does its output total 7264.15
mean? There also are acct (process accounting), sa
(for system accounting) and pac (for printer accounting,
just dooesn't seem to work with CUPS).

I'd also like to use the /etc/csh.logout resp. ~/.logout
mechanism. When a user logs in, he will be presented the
program he uses (or a menu, in case he uses different ones).
This can also be a regular remote desktop session. When
he logs out, a message should be displayed that informs
him how much will be charged for the session. At the end
of the month, he should get an invoice with the proper
accumulated amount.

For example, if a user wishes to issue a make a backup
_now_, because I intendedly want _this_ current state
backed up _now_, this will be seen as additional I/O
load and disk occupation (because it's handled aside of
the regular backup runs that should be part of the
basic package charged with the conneciton fee).
Or as I said, he issues printing for stuff he cannot
print at home, so he will be charged for 500 pages.
And in case he transfers 10 GB data in, and 10 GB data
out, he will be charged for that traffic, as well as
for the I/O.

The sessions in questions will be SSH sessions (text mode)
as well as SSH/X sessions (remote desktops).

Maybe someone already uses something similar he wants
to share? Suggestions and inspirations are welcome.






Yes, the builtin accounting facilities do most of the stuff you
are interested in. Just add 'accounting_enable=YES' in your
/etc/rc.conf, run '/etc/rc.d/accounting start' and use sa to
examine the output. I believe the per-user accounting will fit
the bill nicely. You did not mention jails, right?

The networking part perhaps can be a firewall's job, though
I don't know if the per-user IP traffic rules work properly.
There were some problems regarding this ages ago...

The builtin printing stuff I believe is for use with the
ancient printing tools and I know nothing about CUPS...

Hey, these are pretty old stuff you are looking for or perhaps
this email was stuck in the mail server's queue for 25 years;)

HTH, Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: need help with pf configuration

2011-10-09 Thread Nikos Vassiliadis


On 10/9/2011 10:39 AM, Victor Sudakov wrote:

Patrick Lamaiziere wrote:



I have a configuration with 2 inside interfaces, 1 outside and 1 dmz
interface. The traffic should be able to flow

1) from inside1 to any (and back)
2) from inside2 to any (and back)
3) from dmz to outside only (and back).

I need no details, just a general hint how to setup such security
levels, preferably independent of actual IP addressses behind the
interfaces (a :network macro is not always sufficient).


You may use urpf-failed instead :network
urpf-failed: Any source address that fails a unicast reverse path
forwarding (URPF) check, i.e. packets coming in on an interface other
than that which holds the route back to the packet's source address.


Excuse me, I do not see how this is relevant to my question (allowing
traffic to be initiated from a more secure interface to a less secure
interface and not vice versa).



What if you combine macros and lists?
The ruleset below seems scalable to any number of interfaces.

inside1 = em1
inside2 = em2
dmz = em0
insides = { $inside1:network $inside2:network }

pass in on $dmz from $dmz:network to any
block in on $dmz from any to $insides

This expands nicely to:
lab# pfctl -vf te
inside1 = em1
inside2 = em2
dmz = em0
insides = { em1:network em2:network }
pass in on em0 inet from 192.168.73.0/24 to any flags S/SA keep state
block drop in on em0 inet from any to 10.0.0.0/29
block drop in on em0 inet from any to 192.168.56.0/24

HTH, Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: disappearing files

2011-07-28 Thread Nikos Vassiliadis


On 7/28/2011 10:15 AM, ad...@prnet.org wrote:

Hi,

I am using FreeBSD 8.2 with an UFS filesystem containing a jail. I do a
tar of the whole jail every night. Suddenly after a few weeks of
operation, tar complains about being unable to stat /usr/lib/libmilter.so.


From inside the jail:


ls /usr/lib | grep ^libmilter.so$ returns libmilter.so
ls /usr/lib/libmilter.so returns ls: libmilter.so: No such file or
directory
ls -l /usr/lib  /dev/null returns ls: libmilter.so: No such file or
directory

Trying to access the file from the main system gives the same result.

A reboot returns everything to normal.

Exactly the same also appeared on another machine some time ago, the only
difference was that it appeared on another file.

Does anyone know what can cause this problem ?


File system corruption would cause such behavior. And/Or perhaps
something is wrong with the underlying disk device.

I would search the logs for messages indicating that the storage
medium is failing. Does dmesg contain anything related?

I would also unmount and fsck the file system.

HTH, Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: Can gpart create ntfs and FAT-32 partitions?

2011-07-28 Thread Nikos Vassiliadis


On 7/28/2011 7:55 AM, Kevin Oberman wrote:

I want to create a GPT disk structure that has the following partitions:
MBR
NTFS (1.2G)
NTFS (200G)
FreeBSD OS (250G)
NTFS (15G)
FAT-32 (100G) (needs to be RW for W7 and FreeBSD and ntfs-3g is just
not stable enough)
FreeBSD data only (380G)

The NTFS partitions are to place the Windows7 system, recovery
partition (which I may
not use), and Lenovo's odd SYSTEM_DRV that is required for booting.
gpart has no
indications of how to create an NTFS or FAT partition. Any way to so
this? Or, should I
use W7 to do that and leave the space for the FreeBSD ones?


No, you can do this with gpart.

gpart knows the following MS related GUIDs. The types you need
to use in -t are ms-basic-data, ms-ldm-data etc.


{ ms-basic-data, G_PART_ALIAS_MS_BASIC_DATA },
{ ms-ldm-data, G_PART_ALIAS_MS_LDM_DATA },
{ ms-ldm-metadata, G_PART_ALIAS_MS_LDM_METADATA },
{ ms-reserved, G_PART_ALIAS_MS_RESERVED },
{ ntfs, G_PART_ALIAS_MS_NTFS },


I don't know which partition types you should use for the
wanted partitioning scheme.

The struct that defines the known gpart GUIDs is in
/sys/geom/part/g_part.c at line 69(on HEAD).

HTH, Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: ARP tables in FreeBSD (vs Linux)

2011-05-24 Thread Nikos Vassiliadis


On 5/23/2011 10:46 PM, Rogelio wrote:

I found that a certain Linux gateway was having a difficult time with
thousands of ARP entries (about 13K concurrent ARP entries in 10 min
from ISP subscribers), so I put it behind a Cisco 7201 router and
added an IP helper to the interface.  Now it seems to be working much
much better.


Was the rate of ARPs the problem?
Or the size of the ARP table?

Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: VIMAGE in fbsd 9.0

2011-05-16 Thread Nikos Vassiliadis


On 5/15/2011 7:49 PM, Fbsd8 wrote:

What is the current status of VIMAGE in Freebsd 9.0?


I *think* all VIMAGE related code in 9.0 has been merged to 8-STABLE.
It is still tagged experimental. Most things work. Is there something
that doesn't work for you?


Is VIMAGE going to be included in the basic 9.0 release as part of the
default kernel?


Speaking unofficially, VIMAGE will not be in the GENERIC kernel for
9.0-RELEASE. It will be tagged stable first, remain an optional feature
for some time and then I think there is the possibility of appearing in
the GENERIC kernel. I believe that's not going to happen soon, if ever.

Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: Can I bridge the same subnet across a VPN?

2011-05-05 Thread Nikos Vassiliadis


On 5/5/2011 12:24 AM, David Brodbeck wrote:

The problem I've always found with bridged solutions is they don't
cope well under heavy traffic loads when the VPN link is slower than
the LANs they're bridging between.  And the VPN link is usually slower
if it's over a WAN.  The link tends to get saturated.


There is no inbuilt reason why a L2 VPN is more easily saturated
than a L3 VPN.

After all protocols doing bulk transfers should - and mostly - use
TCP which autotunes the rate of sent packets. And TCP should be
able to saturate the lower-bandwidth link of the whole path. That's
normal and desirable.

Some care must be taken with the broadcast and multicast traffic
which goes through the L2 VPN.

Just my 2 cents, Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: lockf command

2011-04-13 Thread Nikos Vassiliadis


On 4/13/2011 12:08 PM, Bastien Semene wrote:

I wish that if command #2 can't acquire the lock, lockf exits (exit 0
would be nice).
If I set -t 1, lockf is quite what I'm waiting for. But I like to do
this in a clear way : if it can't acquire the lock it exits, no timeout
wait.

Am I misunderstanding something ? What should I change ?



You should use -t0, something like:

lab# lockf -t 0 /tmp/lock /bin/csh
You have mail.
lab# lockf -t 0 /tmp/lock /bin/csh
lockf: /tmp/lock: already locked
lab# echo $?
75
lab#


HTH, Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: Strange behavior of MTU on loopback interfaces.

2011-02-25 Thread Nikos Vassiliadis


On 2/25/2011 9:29 AM, c0re wrote:

Hello all!

I'm testing setting lower MTU on loopback interfaces to avoid some MTU
problems with IPSEC in a path of traffic.

ifconfig lo1 create
ifconfig lo1 mtu 1300
ifconfig lo1 5.5.5.5/32

# ifconfig lo1
lo1: flags=8049UP,LOOPBACK,RUNNING,MULTICAST  metric 0 mtu 1300
 inet 5.5.5.5 netmask 0x

#ifconfig em0
em0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST  metric 0 mtu 1500
 options=9bRXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM
 ether 12:ac:29:7c:fa:39
 inet 10.0.0.1 netmask 0xff00 broadcast 10.0.0.255
 media: Ethernet autoselect (1000baseTXfull-duplex)
 status: active


And I set only one Listen 5.5.5.5:80 in http.conf in apache 2.2

# sockstat -4 | grep 80
www  httpd  96843 3  tcp4   5.5.5.5:80*:*
www  httpd  96838 3  tcp4   5.5.5.5:80*:*
www  httpd  96837 3  tcp4   5.5.5.5:80*:*
www  httpd  96836 3  tcp4   5.5.5.5:80*:*
www  httpd  96835 3  tcp4   5.5.5.5:80*:*
www  httpd  96834 3  tcp4   5.5.5.5:80*:*
root httpd  96833 3  tcp4   5.5.5.5:80*:*

I run tcpdump -ni em0 port 80. And made telnet 5.5.5.5 80 from other
host and saw something wrong.

10:26:01.640866 IP 10.0.0.2.57553  5.5.5.5.80: S
1049284626:1049284626(0) win 65535mss 1460,sackOK,eol
10:26:01.640902 IP 5.5.5.5.80  10.0.0.2.57553: S
2144222949:2144222949(0) ack 1049284627 win 65535mss
1460,sackOK,eol
10:26:01.642632 IP 10.0.0.2.57553  5.5.5.5.80: . ack 1 win 65535

5.5.5.5:80 said that it has got tcp mss 1460. Why? I was waiting for
something like 1260.


It uses the MTU of the outgoing path, which is 1500.
You change the MTU for specific paths, using route and the mtu modifier.
Like this:


lab# ifconfig em0
em0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST metric 0 mtu 1500
options=9bRXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM
ether 08:00:27:17:c3:de
inet 192.168.73.193 netmask 0xff00 broadcast 192.168.73.255
media: Ethernet autoselect (1000baseT full-duplex)
status: active
lab# route change 192.168.73.0 -mtu 1100
change net 192.168.73.0
lab# route -n get 192.168.73.0
   route to: 192.168.73.0
destination: 192.168.73.0
   mask: 255.255.255.0
  interface: em0
  flags: UP,DONE,STATIC
 recvpipe  sendpipe  ssthresh  rtt,msecmtuweightexpire
   0 0 0 0  1100 1 0
lab#


All packets going to 192.168.73.0/24 will use IP packet sizes up to
1100. IMHO it's better to leave the physical interface's MTU unchanged
and use the routing subsystem to define the maximum IP packet size per
path.

HTH, Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: Tuning routing table size in FreeBSD 8.0 and 7.2

2011-02-24 Thread Nikos Vassiliadis


On 2/24/2011 4:51 PM, Damien Fleuriot wrote:

On 2/24/11 3:00 PM, nikitha wrote:

Hi,
Could you plz share the information on the maximum number of routes that can
be added (by default) in FREEBSD 8.0/7.2 kernel?
In Linux the sysctl rt_max_size is used. Is there a similar tunable
parameter in freeBSD?

[snip]


I could not find a sysctl that matched what you're looking for.

AFAIK, the routing table is limited only by the amount of RAM you can
allocate to it.


Yes. You can use vmstat -z | grep rtentry to examine it.
It seems trivial to add a limit there(without having thought of
multiple routing tables and vnet).

Out of curiosity, why would you want such a limit?

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: How to label a GELI device

2011-01-25 Thread Nikos Vassiliadis


J. Porter Clark wrote:

I have an encrypted partition, /dev/da0s1d.  I can use geli
attach da0s1d and obtain a device /dev/da0s1d.eli, which is a
UFS filesystem.  All that works just fine.

I'd like to label /dev/da0s1d so that I don't have to refer to
the exact drive number, etc., which might change if I reboot
with a USB stick in the system or whatever.  But glabel puts the
label in the last sector, which is where GELI stores metadata.


You don't have to worry about this. geli uses the last sector for
its metadata and creates a device with one sector less to its clients.
The original device is 2048 sectors, the device geli provides is 2047
sectors:

moby# diskinfo /dev/md0 /dev/md0.eli
/dev/md0512 1048576 20480   0
/dev/md0.eli512 1048064 20470   0


There is no way for the internal GEOM to mess with the external's
metadata.


So, how do I make this work?



glabel apart from the generic device labeling, supports UFS labels which
are *part* of the filesystem, that is, you *don't* have external metadata
living in a sector outside the filesystem. Check tunefs manual page and
specifically the -L option.

HTH, Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: FTP server link aggregation

2010-12-16 Thread Nikos Vassiliadis


On 12/15/2010 3:11 PM, Matthew Law wrote:

I have a single FreeBSD box acting as an FTP server for multiple FreeBSD
and Linux clients on the same /24 subnet (all gigabit ethernet).  It is
currently connected by just one of it's two gig ethernet ports.  I also
have two cisco switches with an etherchannel between them (using 2 x gig
ports on each switch).  I would like to connect the remaining NIC on my
FreeBSD box to the other switch and enable 802.3ad on those switch ports
to aggregate traffic between them.

This is in the hope that it can better serve multiple FTP clients.  Is my
thinking correct?  Other than the network interface changes which are
documented here:
http://www.freebsd.org/doc/handbook/network-aggregation.html are there any
further tweaks I could make to improve things? -the server is a 'standard
install' and does not use ZFS.  It has an adaptec 5408 RAID card with 4 x
SATA II drives and, IIRC, 128K stripe size and plenty of RAM.

Is there a way of testing this other than initiating large file transfers
to this server from multiple hosts?



A simple ping from multiple sources to your server will do. LACP will
associate each SRCMAC and DSTMAC pair to one physical interface. Creating
traffic with many different SRCMAC and DSTMAC pairs will use both physical
interfaces. But, I do vaguely remember that if_lagg was not able to perform
at 2 * 1Gbps level. Use systat -ifstat to check what's happening and
please, post your performance findings to the list!

HTH, Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: Can a home LAN server use a jail as a router?

2010-12-07 Thread Nikos Vassiliadis


On 12/7/2010 8:15 PM, Xn Nooby wrote:

I hope this helps you in your investigation(s).


Yes, thank you and the previous poster.  It sounds like my outer box
needs to be the router, and everything else should be a jail. I will
do some more reading up on jails.  Thanks!


You can create infinitely complex network topologies,
using vnet jails. Check the URLs below to get the picture:

http://imunes.tel.fer.hr/virtnet/eurobsdcon07_tutorial.pdf
http://wiki.freebsd.org/Image/VNETSamples

Just my 2 cents, Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: ipfw fwd and ipfw allow

2010-09-08 Thread Nikos Vassiliadis


On 9/7/2010 5:52 PM, Victor Sudakov wrote:

A packet generated locally 1) should be forwarded by a 'fwd'
rule and 2) should create a dynamic 'allow' rule  for returning
traffic. Could you please suggest a ruleset for this.


The fw has the 10.0.0.1 IP address.
The 10.0.0.100 IP address belongs to another computer running a TCP
service at .

The IPFW rules:

fw# ipfw list
00100 fwd 10.0.0.100 tcp from any to 10.90.10.3 dst-port  keep-state
00200 deny ip from any to any
65535 allow ip from any to any


Trying to connect to TCP 9998 fails because of rule 200:

fw# nc -v 10.90.10.3 9998
nc: connect to 10.90.10.3 port 9998 (tcp) failed: Permission denied


While trying to connect to TCP  succeeds and creates a IPFW state:

fw# nc -v 10.90.10.3 
Connection to 10.90.10.3  port [tcp/*] succeeded!
^Z
Suspended
fw# ipfw -d show
00100 61 3315 fwd 10.0.0.100 tcp from any to 10.90.10.3 dst-port  keep-state
00200 45 2644 deny ip from any to any
65535  00 allow ip from any to any
## Dynamic rules (9):
00100  2  112 (292s) STATE tcp 10.0.0.1 27320 - 10.90.10.3 
fw#


HTH, Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: ipfw fwd and ipfw allow

2010-09-07 Thread Nikos Vassiliadis


On 9/7/2010 12:00 PM, Victor Sudakov wrote:

Am I asking something unreasonable?


Not really, but if you ask, one could say that IPFW is a first
match wins firewall, so a fwd or an allow action would be the
terminal one. You must design your rules accordingly.

There is also the skipto action which can alter the way packets
flow through the rules.

Could you describe in a conrete example what you're trying to
achieve?

HTH, Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: ipfw fwd and ipfw allow

2010-09-07 Thread Nikos Vassiliadis


On 9/7/2010 2:00 PM, Victor Sudakov wrote:

Nikos Vassiliadis wrote:

Am I asking something unreasonable?


Not really, but if you ask, one could say that IPFW is a first
match wins firewall, so a fwd or an allow action would be the
terminal one. You must design your rules accordingly.

There is also the skipto action which can alter the way packets
flow through the rules.

Could you describe in a conrete example what you're trying to
achieve?


I want forwarded packets to create a dynamic allow rule.



You can combine fwd and keep-state. Could you be more specific?

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: Routing Question

2010-08-27 Thread Nikos Vassiliadis


On 8/27/2010 9:09 PM, Doug Hardie wrote:


On 27 August 2010, at 05:07, Patrick Lamaiziere wrote:


Le Thu, 26 Aug 2010 18:17:19 -0700, Doug Hardiebc...@lafn.org  a
écrit :


PF's route_to will return the packets to the proper router, but I
have not been able to figure out which ones those would be.  The
source IP address can be any on either network and its highly
likely that we will see packets from the same source network on
both at the same time.  The only distinction I see in the input
packets between the two paths is the MAC address of the router.
I don't see any way in pf or the system to use that to affect the
return path though.


the filter option reply-to looks to be what you need. It works
by keeping the state of a connection (see pf.conf(5)).


That works great on the output if you can figure out which packets to
use it on.  The only way I can see to separate the traffic is using
the router MAC address.  I don't find anything in pf that will look
at that.


Yes, pf cannot use the MAC address to classify a packet. The most
sensible sollution would be installing a single router to handle
both lines but I know it's not always feasible to do so for several
reasons. ipfw can use MAC addresses for classification, perhaps you
hack some rules using fwd, skipto and mac.

Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: NATD Question

2010-08-27 Thread Nikos Vassiliadis


On 8/27/2010 9:14 PM, Michael J. Kearney wrote:

Will natd forward rtmp://  ???


I am sure libalias and natd know nothing about rtmp.


freebsd# cat /etc/natd.conf

use_sockets
redirect_port tcp 192.168.0.3:3389 10.1.10.172:3389
redirect_port tcp 192.168.0.2:1935 10.1.10.172:1935
redirect_port tcp 192.168.0.2:8790 10.1.10.172:8790
redirect_port tcp 192.168.0.2:6000-6100 10.1.10.172:6000-6100
interface fxp0
log

Everything else seems to work just fine. What am I doing wrong ?


Some protos need special handling when an IP address is changed.
Are you sure rtmp can be redirected only by changing the destination
address?

Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: any shortcuts to doc to ascii?

2010-05-28 Thread Nikos Vassiliadis


Polytropon wrote:

On Thu, 27 May 2010 16:36:08 -0700, Gary Kline kl...@thought.org wrote:

i don't see any ascii suffix [for OOo].  i saved as .txt.


This should be right. The .txt extension refers to ASCII text,
at least in standard-compliant operating systems.




same krap.  the \x94, x9d, \x9c...  same with catdoc.  i'll
try antiword.  [forgot about that.  ]


This makes me believe that the original DOC file has been created
with a wrong character set or language setting. Windows - as far
as I know - does not use standard locales such as all other systems
do, but uses an arbitrary setting.



It is a valid UTF-8 encoded text:
[...@moby ~]$ python -c 'print Don%c%c%ct % (0xe2, 0x80, 0x99)' | file -
/dev/stdin: UTF-8 Unicode text

You'll be able to see the character if you fire up a UTF-8 capable 
terminal with proper locale settings.

[...@moby ~]$ LC_ALL=en_US.UTF-8 xterm -u8

After that, just print the char:
python -c 'print Don%c%c%ct % (0xe2, 0x80, 0x99)'
and use copy  paste to pass it to tr to translate it to something else, 
for example:

tr ' '  $file  $output


Another idea may be that the character that you think should be
an apostrophe isn't an apostrophe. I often do see this in german
texts with misplaces apostrophes that are in fact accent grave
or accent acute, or a character from UTF-8 that just looks like
an apostrophe. For example, if the original document contains

We don`t

and this ` is not a real ', then conversion tools will of course
use the escape notation for this unknown character.


Indeed, the standard tool for encoding translations, iconv, chocks on 
this. Yet, it worked when I tried to convert from utf-8 to greek 
encoding('iconv -f utf-8 -t iso-8859-7'). Some info on the char:

http://www.fileformat.info/info/unicode/char/2019/index.htm

HTH, Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: FreeBSD router - large scale

2010-05-28 Thread Nikos Vassiliadis


Svein Skogen (Listmail Account) wrote:
  Actually, I'd find an answer from the FreeBSD Networking gurus useful as

well. My trusted Cisco 3640 is getting old (had it's
ten-years-of-service birthday a little while ago), so I guess I must be
prepared to replace it with something new. Preferrably something that
can do proper NAT port mapping to the inside servers in an
RFC1918-adressed DMZ, proper NAT mapping for the client net, incoming
VPDN (virtual private dialin network, such as PPTP+MPE and L2TP+IPSEC
tunelling), sane IDS in the border-gateway, GRE or IPinIP tunelling with
crypto for remote-sites, etc

If somebody has a good starting-point for documentation on these
features, I'm more than willing to do a procject on it to create a
mini-howto/handbook-section on setting up FreeBSD as your border
gateway, provided I have someone to ask when the documentation is ...
flaky. ;)


Although I feel that you'll have to write book to cover all the things 
mentioned above, I'll try to reply to your question... These is just 
pointers...


Several forms of NAT are supported with the following tools:
ipfw
pf
ipf
ng_nat
I doubt there is some form of NAT you will miss.

the net/mpd5 port can do PPTP, the MPPE part is blurry to me. L2TP is 
supported for LNS/LAC scenarios. I don't know if you can/how difficult 
is to combine IPSEC with L2TP.


The most famous open source IDS is snort, you'll find it in the ports.

For GRE and IPIP read gre and gif manual pages. Again, IPSEC is not 
integrated to these, yet there is IKE support via ipsec-tools port.


You'll have to check for yourself the documentation. Though I can say that 
all the FreeBSD stuff mentioned above are well documented as usual and 
there is always this list if you have questions.


Good luck replacing the aging Cisco...

Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: File system

2010-05-23 Thread Nikos Vassiliadis


Eitan Adler wrote:

gjournal will replay all write attempts

(metadata and data) before the failure, so you should be relatively
sure that all writes are done correctly.


As I understand it journals work by writing to disk a log of all the
changes that have to be made - waits for confirmation that it wrote
the data - and then attempts to make those changes. If after the
confirmation there is a crash the log file is replayed.
Certain virtual machines will report to the OS that it wrote the data
to disk before it actually does so. In that case journaling doesn't
actually help as the log file is still not on some form of stable
storage.



I am not an expert on the subject, I thought the journal will replay all 
logged write attempts and since the number of all write attempts logged 
in the journal will be much bigger than the number of requests a cache 
can hold you will be sure that all writes will be done on the 
filesystem. Again, I am not an expert on the subject...


Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: File system

2010-05-17 Thread Nikos Vassiliadis


Craig Whipp wrote:

On Mon, May 10, 2010 10:53 am, Nikos Vassiliadis wrote:

Ansar Mohammed wrote:

Hello All,
I have a FreeBSD VM running. Whenever I reboot the VM without a clean
shutdown it boots into single user mode and I have to run fsck.

When I run fsck, the file system clearly has issues.

Is there any way to have FreeBSD run on a better file system that wont
crap
out on me everytime I do and unclean shutdown?

I am really surprised no one proposed geom journaling. With gjournal,
I never had to do a manual full fsck and have had plenty of unclean
shutdowns. I also occasionally do fsck the filesystem and there were
no errors ever found. It definitely adds the ease factor I am looking
for in a journaling sollution in the case of an unclean shutdown...



Correct me if I'm wrong, but since this FreeBSD install is running inside
of a VM, in addition to any of the precautions suggested here to get data
written or journaled to the disk as safely as possible, isn't there still
the issue of whether the VM actuall commits these writes to the physical
disk?


I guess the time needed for some data to be committed to stable
storage will be bigger in a VM environment. But that's always the
case, be it a VM, or a disk controller. There will be always some
data in-flight, some delay and a cache which will hold your data before
they arrive to stable storage. gjournal will replay all write attempts
(metadata and data) before the failure, so you should be relatively
sure that all writes are done correctly. I think Ansar just want to
avoid fsck and gjournal provides that. To ensure real data integrity
one should use something else, perhaps ZFS and not a journaling fs.

PS: I didn't see your message in time...

Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: File system

2010-05-10 Thread Nikos Vassiliadis


Ansar Mohammed wrote:

Hello All,
I have a FreeBSD VM running. Whenever I reboot the VM without a clean
shutdown it boots into single user mode and I have to run fsck.

When I run fsck, the file system clearly has issues.

Is there any way to have FreeBSD run on a better file system that wont crap
out on me everytime I do and unclean shutdown?


I am really surprised no one proposed geom journaling. With gjournal,
I never had to do a manual full fsck and have had plenty of unclean
shutdowns. I also occasionally do fsck the filesystem and there were
no errors ever found. It definitely adds the ease factor I am looking
for in a journaling sollution in the case of an unclean shutdown...

Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: Extended VLAN?

2010-04-16 Thread Nikos Vassiliadis


On 4/14/2010 1:04 AM, Dan D Niles wrote:

I have two FreeBSD routers.  I would like both locations to share the
10.10.0.0/16 network.  If I were using Cisco routers I would use
extended VLANs.  How would I do that with FreeBSD routers?

I already have a tunnel set up and routing different networks in the
192.168.0.0/16 range.

Router A:

ifconfig em2 inet 192.168.1.1 netmask 255.255.255.0
ifconfig gif0 create 192.168.1.1 192.168.2.1 netmask 255.255.255.0 tunnelrouterA  
routerB
route add 192.168.2.0/24 129.168.2.1

Router B:

ifconfig em2 inet 192.168.2.1 netmask 255.255.255.0
ifconfig gif0 create 192.168.2.1 192.168.1.1 netmask 255.255.255.0 tunnelrouterB  
routerA
route add 192.168.1.0/24 129.168.1.1

This routes traffic between 192.168.1.0/24 and 192.168.2.0/24 as I would
expect.

The docs say I can use a tunnel with a bridge, which seems like it would
do what I want.

Router A:

ifconfig em3 inet 10.10.1.1 netmask 255.255.0.0
ifconfig bridge0 create addm em3 addm gif0

Router B:

ifconfig em3 inet 10.10.2.1 netmask 255.255.0.0
ifconfig bridge0 create addm em3 addm gif0

I cannot ping 10.10.2.1 from router A or 10.10.1.1 from router B.

Should I be able to use a bridge this way?  Am I missing some piece?


If I recall correctly the recommended setup is to assign
the IP address to the bridge interface and leave the bridge
members unnumbered. These problems you are seeing must be
some corner case in FreeBSD's routing and/or ARP subsystems.
See if assigning the IP to bridge0 helps

Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: Extended VLAN?

2010-04-16 Thread Nikos Vassiliadis


On 4/14/2010 6:38 PM, Dan D Niles wrote:

OK, this is weird.  I ran wireshark on the destination side (across the
bridge).  When I try to ping the destination router, the arp request is
sent across the bridge, but there is no arp reply.

It seems like the destination router is not responding to arp requests
that come in over the bridge.


Since the router knows that 10.10.0.0/16 is attached to the em3
interface it sends the ARP reply over that interface and not the
gif0 one. That ARP reply does not goes to the other side of the bridge
as it should. I don't know the reasoning behind it but I have heard
it in the past. Perhaps assigning IP addresses to member interfaces of
a bridge is probably bad practice (at least regarding the particular
implementation).

HTH, Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: sftp server with speed throttling

2010-03-22 Thread Nikos Vassiliadis


Dan Naumov wrote:

What are my options if I want to run an sftp server with speed
throttling? My understanding is that openssh (which includes sftp) in
base does not support this directly, so I would have to either use a
custom kernel with ALTQ (and I would really rather stick to GENERIC so
I can use freebsd-update) which sounds like a bit too much
configuration work or pass sftp traffic through PF and throttle it
(ugly, would also affect ssh traffic).


You could examine the possibility of using ipfw and dummynet:
1) ipfw and dummynet are availabe in the GENERIC kernel.
2) Most of the time you can classify bulk/interactive traffic
by examining the packet's length. IP packets carrying
sftp traffic tend to be limited by MTU size or PMTU
discovery. IP packets carrying ssh traffic tend to be
much smaller.

Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: kernel panic when if_lagg is not loaded.

2010-03-17 Thread Nikos Vassiliadis


Leslie Jensen wrote:


I have set upp aggregation of my wlan and and wired NIC following the 
instructions in the handbook.


http://www.freebsd.org/doc/handbook/network-aggregation.html

I forgot to add the if_lagg_load=YES in /boot/loader.conf. When I 
rebooted I got a kernel panic.


Should this be considerd normal or is it something I should report?



No, it's not normal. Please, report it in an explicit way, commands
given and/or changes to rc.conf, loader.conf etc. Try first here
questions@ and then n...@.

Nonetheless I see no such behavior on my system. if_lagg loads
automatically when needed(ifconfig lagg create etc).



Secondly I see there'a a reference to the lagg(4) man page. I think it 
would help future readers of the above page if a comment about loading 
if_lagg_load=YES in /boot/loader.conf would be added.



On 8.0-STABLE if_lagg loads automatically and I think it always
did load automatically, though I am not sure. What's the FreeBSD
version you are working on?

Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: kernel panic when if_lagg is not loaded.

2010-03-17 Thread Nikos Vassiliadis


Leslie Jensen wrote:


I'm on a 8.0-RELEASE-p2 system.

Actually after more testing I found out that the line

ifconfig_iwn0=ether 00:16:ea:61:01:e8

in my rc.conf is the culprit. If I comment it out the system will start 
but only with the wired interface working.


If you don't comment the line it causes a kernel panic?
If that's the case, you should report it to n...@. If you
could include a backtrace of the panic, it would be most helpful.



I have if_lagg_load=YES in /boot/loader.conf

and the following in /etc/rc.conf

wpa_supplicant_enable=YES
ifconfig_em0=up
# ifconfig_iwn0=ether 00:16:ea:61:01:e8
wlans_iwn0=wlan0
ifconfig_wlan0=WPA
cloned_interfaces=lagg0
ifconfig_lagg0=laggproto failover laggport em0 laggport wlan0 DHCP

/Leslie


hm, what you do really matches the process described in the handbook.
It should work, please report it.

Nikos

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

is there a native driver for 'Dell Wireless 1397'?


Hi,

 I am interested in buying a laptop from the
Dell Inspiron 15 series. Most of them are having
a wifi card branded as 'Dell Wireless 1397'.
Is there a driver for this?

I would prefer a native driver, but success
stories using it with NDIS or other general
comments regarding the Dell Inspiron 15 series
are welcome.

Thanks, Nikos

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: is there a native driver for 'Dell Wireless 1397'?


On 3/10/2010 12:13 PM, George Liaskos wrote:

On Wed, Mar 10, 2010 at 10:05 AM, Nikos Vassiliadisnvass9...@gmx.com  wrote:

Hi,

  I am interested in buying a laptop from the
Dell Inspiron 15 series. Most of them are having
a wifi card branded as 'Dell Wireless 1397'.
Is there a driver for this?

I would prefer a native driver, but success
stories using it with NDIS or other general
comments regarding the Dell Inspiron 15 series
are welcome.



Hello,


 From a quick google query this card should have a Broadcom BCM43xx chipset.

http://www.freebsd.org/cgi/man.cgi?query=bwi


Thanks, but I've already done the quick google and
the not-so-quick google look. The results were not
that positive. Do you know by personal experience
that this card is working with bwi driver?

Or at least with NDIS and amd64?

Thanks, Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: is there a native driver for 'Dell Wireless 1397'?


On 3/10/2010 12:41 PM, Leslie Jensen wrote:

I bought a Dell Latitude 6500 two years ago. The Dell Wireless was not
supported then by FreeBSD. I got an Intel card from Dell instead and the
iwn driver works well.

http://forums.freebsd.org/showthread.php?t=8041


I guess you have not looked back to 'Dell Wireless 1397'
with a recent FreeBSD?

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: is there a native driver for 'Dell Wireless 1397'?


On 3/10/2010 1:00 PM, George Liaskos wrote:

No, i do not have this card but i trust the man pages :)


Me too. Yet I will not buy new/non-mainstream hardware based on
the manual. Hence the question...

All I am looking for is an I have and it works with FreeBSD-[89]
and amd64|x86.

 I found this post :
 http://www.linuxquestions.org/hcl/showproduct.php/product/4325/sl/i

 0c:00.0 Network controller: Broadcom Corporation BCM4312 802.11b/g 
(rev 01)


 Maybe what you find is based on experiences before May 16, 2009?

Yes, prior to the 8.0 release.
All I find online is about failure and references about the driver
being included in FreeBSD-8 branch.

Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: is there a native driver for 'Dell Wireless 1397'?


On 3/10/2010 10:50 AM, Mario Lobo wrote:

I have 8-STABLE amd64

I have a dell vostro 1320 with a 4315 wireless and got it working with the bwn
driver from HEAD (svn) and the net/bwn-firmware-kmod port.


That's good to hear, thanks!

Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: Detecting cards in USB card reader

2010-02-07 Thread Nikos Vassiliadis


On 2/7/2010 1:28 AM, Mike Clarke wrote:

curlew:/root# cat /dev/null  /dev/da0
curlew:/root# ls -l /dev/da0*
crw-r-  1 root  operator0, 176  6 Feb 23:15 /dev/da0
crw-r-  1 root  operator0, 129  6 Feb 23:18 /dev/da0s1

I can use this to initialise the card reader but I'd feel more
comfortable with something a bit less dangerous looking.


While it may feel dangerous, is perfectly safe. There is no
way doing an IO operation on a disk-like device using requests
othen than multiplies of the physical block which currently is
512 bytes. Opening the disk for writing and trying to do a
write request, will just force GEOM to re-examine the device.


lab# echo asd | cat  /dev/da0
cat: stdout: Invalid argument

failed


lab# echo  /dev/da0
lab# echo $?
1

failed


lab# /bin/echo asd  /dev/da0
/bin/echo: write: Invalid argument

failed

Closer look:

lab# truss sh -c echo  /dev/da0

snip

open(/dev/da0,O_WRONLY|O_CREAT|O_TRUNC,0666)   = 2 (0x2)
dup2(0x2,0x1,0x1b6,0x108,0x2830d040,0x2830235c) = 1 (0x1)
close(2) = 0 (0x0)
write(1,\n,1)  ERR#22 'Invalid argument'

failed

FreeBSD lost the ability of doing such transparent
transformations when the support for block devices
went away.

Yes, I know, it feels awkward.

Apparently, you can easily drop the support for block
devices but not the habitual feeling of danger of UNIX
tradition.

HTH, Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: Cheating OS fingerprinting

2010-02-07 Thread Nikos Vassiliadis


On 2/7/2010 3:54 PM, yavuz wrote:

Hi all,

I want to cheat os fingerprinting tools ( primary nmap) in my freebsd
machine. Assume I am using freebsd 8 and I want to be seen as a windows xp
machine when someone scans my ports.

In order to determine target host's OS, nmap sends seven TCP/IP crafted
packets (called tests) and waits for the answer. Results are checked against
a database of known results (OS signatures database). If the answer matches
any of the entries in the database, it can guess that the remote OS is the
same that the one in the database...

snip

I want to implement a freebsd tool that cheats os fingerprinting.


If I recall correctly, honeyd does this and much more.
Check net/honeyd.

Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: gjournal on compact flash

2010-01-30 Thread Nikos Vassiliadis


On 1/30/2010 1:35 AM, Adam Vande More wrote:

There is an rc flags to automatically do a full fsck instead of
backgroud, but I am unsure exactly what you mean by user intervention.


Practice has shown that while softupdates handle most situations
cleanly, they don't handle ALL situations. In short, having to do
a blind_yes_to_all full fsck is not an option for me. OTOH a journaling
solution like gjournal or softupdates journaling, makes sure that
the filesystem will be surely consistent after an ungraceful power
cycle. I am not in a hurry and waiting for SUJ to hit the 8 branch
seems sensible.

Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: gjournal on compact flash

2010-01-29 Thread Nikos Vassiliadis


On 1/28/2010 6:51 PM, Adam Vande More wrote:

On Thu, Jan 28, 2010 at 10:42 AM, Nikos Vassiliadisnvass9...@gmx.comwrote:


Hi,

I am using a 40MB journal on a 500MB compact flash.
Would that be sane, or I am causing more harm than
good?

My concerns are:
1) wear leveling. The journal is on specific part
of the disk writing again and again. That
should be handled by the CF itself. Though
I am not sure it does a good job???
2) I do care about ungraceful power cycles and I've seen
posts on the net, mentioning:


More, If
   you interrupt power at arbitrary times while the device is writing,
   you can lose the integrity of the file system being modified. The loss
   is not limited to the 512 byte sector being modified, as it generally
   is  with rotating disks; you can lose an entire erase block, maybe 64K
   at once.


I guess the above comment renders the use
of a journaling filesystem useless. But, doing
some naive tests, power cycling the machine
while writing and checksumming the data after
fsck in preen mode, revealed no error.

Thanks in advance for any insights, Nikos



Soft Updates seem more appropriate for a 500MB CF drive than gjournal.
AFAIK, they are a wash in terms of reliability, and gjournal needs to write
all data twice meaning it's slower, and increases the wear on the drive.
The big drawback to soft updates is the fsck times after an unclean shutdown
which really shouldn't be an issue on a 500MB drive.



fsck time in my case is not an issue. What concerns me mostly is
a situation where user intervention is required. The CF filesystem
will be used in a embedded system and should work without user
intervention. I too feel that geom journaling is not the best
solution for my needs, but softupdates need more attention than
gjournal. Perhaps, I should wait for SUJ, which will be in the
tree soon.

Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

gjournal on compact flash

2010-01-28 Thread Nikos Vassiliadis


Hi,

I am using a 40MB journal on a 500MB compact flash.
Would that be sane, or I am causing more harm than
good?

My concerns are:
1) wear leveling. The journal is on specific part
of the disk writing again and again. That
should be handled by the CF itself. Though
I am not sure it does a good job???
2) I do care about ungraceful power cycles and I've seen
posts on the net, mentioning:

More, If
   you interrupt power at arbitrary times while the device is writing,
   you can lose the integrity of the file system being modified. The loss
   is not limited to the 512 byte sector being modified, as it generally
   is  with rotating disks; you can lose an entire erase block, maybe 64K
   at once.

I guess the above comment renders the use
of a journaling filesystem useless. But, doing
some naive tests, power cycling the machine
while writing and checksumming the data after
fsck in preen mode, revealed no error.

Thanks in advance for any insights, Nikos

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: FreeBSD + exFAT

2010-01-15 Thread Nikos Vassiliadis


On 1/15/2010 3:19 PM, Jerry wrote:

I know that this was asked approximately 1 year ago; however, I was
wondering if there had been any movement on it. Specifically, getting
FreeBSD to recognize the 'exFAT' format. It is becoming a very common
format for use on removable drives.


It's patented and it probably comes with a multi-page aggrement and a
price.

Wikipedia (http://en.wikipedia.org/wiki/ExFAT#Licensing) says:
Companies can integrate exFAT into a specific group of consumer devices, 
including cameras, camcorders and digital photo frames for a flat fee. 
Mobile phones, PCs and networks have a different volume pricing model.


The above sound pretty much inappropriate for an open source operating
system like FreeBSD.

Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: Buld echo

2010-01-12 Thread Nikos Vassiliadis


On 1/12/2010 12:21 PM, Jos Chrispijn wrote:

I have 35 log files that I want to flush once a day.
In order to keep them exist I now do an 'echo  logfile.log'
How can I do such in one command having the same effect on all log files?


You could use truncate(1). Something like:
truncate -s 0 file1 file2 file2 ...

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: which IP+gateway for Freebsd guest VM in VMware workstation

2009-12-28 Thread Nikos Vassiliadis

On 12/27/2009 2:36 PM, Len Conrad wrote:

Take a look here:
http://www.freebsd.org/doc/en/books/handbook/config-network-setup.html

thanks, I've been setting up FreeBSD for 10 years, and have multimple FreeBSD
VMs running in several ESXi hosts.

Sorry, I didn't mean to offend you. I just didn't know your experience
with FreeBSD.

[snip]

The physical Ethernet adapter has a fixed public IP. I have only one public IP from the ISP. In
the VMWare Virtual Network Editor, this i/f is listed as VNnet0, Type Bridged, Connected column is
-, and Subnet Address is -

[snip]

I'd like to stay with bridged.

You have only one IP address from your ISP, you can't use bridged, since
bridged configuration will connect the guest's ethernet to another
physical ethernet and that's all. You'll have to have another IP address
to assign to the guest. Since you don't, you have to use some form of
NAT to share the host's IP with the guest(s).

[snip]

ifconfig shows em0 with .98 and correct broadcast IP, but status: no carrier

This is interesting, why a virtual ethernet would report no carrier?
It probably indicates a hardware problem. Or at least a wrong
combination of FreeBSD driver + VMware virtual hardware version.

Could you boot another version of FreeBSD just to check if the em
interface finds the ethernet's carrier? Assuming that you are trying

to install 8.0 release, try the latest from the 7 branch...

I recall that there were some problems with FreeBSD-8.0-CURRENT
regarding em network interfaces a few months ago, but I never saw them

myself and I was a heavy user of VMware workstation the months before
8.0 release.

[snip]

I'd like to be able to ssh/ftp into the FreeBSD VM from Internet, so I'd prefer
to stay away from DHCP for the FreeBSD VM networking.

I am not really sure if you can achieve this, without a second IP
address from your ISP. Can VMware workstation do any other form
of NAT besides translating the host's IP to the guest's IP???

Anyway, investigate a bit more on the no carrier problem and
post back to the list. Perhaps, another list that's a good candidate
for such questions is:
http://lists.freebsd.org/mailman/listinfo/freebsd-emulation
Though it mainly is for solutions running *on* FreeBSD, guys and girls
there, tend to be knowledgeable about solutions running on *something*
and having FreeBSD as a guest OS.

HTH, Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: Checksum mismatch -- will transfer entire file

2009-12-28 Thread Nikos Vassiliadis


On 12/28/2009 7:46 AM, Victor Sudakov wrote:

To cut a long story short, I would rather continue using cvs, perhaps
until there is subversion-light in the base system.


I use successfully cvs for the same reasons. Most of the time I use the
French mirror and I have also used the two USA ones. I haven't bother
with Japan and Taiwan, since they're far away. Check this out:

http://www.freebsd.org/doc/en/books/handbook/anoncvs.html

Most of the time(99%) anoncvs.fr.FreeBSD.org seems to be in-sync
with the main repositories...

HTH, Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: Checksum mismatch -- will transfer entire file

2009-12-28 Thread Nikos Vassiliadis


On 12/28/2009 11:11 AM, Victor Sudakov wrote:

Are you sure you understand me? I was talking about mirroring the
whole repository with cvsup/cvsupd protocol, that's where the
Checksum mismatch -- will transfer entire file error occurs.


Sorry, I missed the part of conversation about cvs mode in cvsup.
I thought you were talking about cvs not working...
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: which IP+gateway for Freebsd guest VM in VMware workstation

2009-12-27 Thread Nikos Vassiliadis


On 12/27/2009 12:10 AM, Len Conrad wrote:


VMWare has lots of info how to set up the (Windows XP) VMWare Workstation 
networking side, but not much on setting up networking in the guest OS.

I've tried NAT and bridging, no DHCP, and can't ping anything except the 
localhost IPs.

XP ipconfig shows the fixed IP, plus 2 192.168.c.d IPs from VMnet1 and VMnet8.

I'm sure this is really simple, but my experimentation has come up with zilch.


Take a look here:
http://www.freebsd.org/doc/en/books/handbook/config-network-setup.html

The guest OS will have an em0 interface which is connected to
a host interface VMnet1, VMnet8 or similar. Actually the guest's
networking configuration is simpler than the host's one. You should
configure the em interface with an appropriate IP address:
1) Bridging: WinXP fixed IP and FreeBSD fixed IP
for example, WinXP 192.168.10.100 and FreeBSD 192.168.10.101

2) host to host: WinXP 192.168.c.d and FreeBSD 192.168.c.x
for example, WinXP 192.168.20.100 and FreeBSD 192.168.20.101

3) NAT: WinXP 192.168.e.d and FreeBSD 192.168.e.x
for example, WinXP 192.168.30.100 and FreeBSD 192.168.30.101

Keep in mind that using DHCP is much more easy as you don't have to
search for the appropriate address yourself, the VMware's DHCP server
will offer it. Using DHCP from the FreeBSD side is as easy as typing
dhclient em0.

HTH, Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: Loadbalance outgoing traffic over two cable modems in same network

2009-12-21 Thread Nikos Vassiliadis


On 12/21/2009 6:03 AM, Mel Flynn wrote:

Hi,

I've looked over http://www.openbsd.org/faq/pf/pools.html but this assumes two
different gateways for the two interfaces.
I'm faced with two cable modems from the same ISP, with the same gateway. I
can't lagg(4) the interfaces, since specific IP's are bound to specific
modems.


This can probably be fixed from the ISP side. It should probably be some
antispoofing rule that drops the packets you are sending via the wrong
interface. You could try communicating the problem to the ISP and hope for
the best...


So I'm wondering if using stick-address with a round-robin nat pool is really
sufficient to do load balancing of outgoing traffic and not get into session
problems with various protocols. Has anybody had similar experiences?


I have no experience on this, but theoretically a state can expire while the
upper layers are still active... so, I *think* you may have problems...
Of course, you could increase the lifetime of states

A few, mostly random thoughts,
Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: cross-link serial console

2009-10-20 Thread Nikos Vassiliadis


Gary Gatten wrote:

Ahh  A Null modem cable?  Or, perhaps BSD will allow you to
configure the serial interface in the software - make one end a DCE type
and the other by default will remain a DTE.


He has to use a null-modem cable. The wires sending and receiving data
are fixed, so one cannot change these using software.

To the original poster:
Did you plan to run a getty/login on the serial link?
That would be messy, since login on system A will writing
data to login on system B and vice versa. I think creating
a PPP link between the two and using IP is the way to go.

Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: Routes to local addresses through lo0 on 8.0-BETA4

2009-09-14 Thread Nikos Vassiliadis


Sergey Listopad wrote:

Hi!

On  8.0-BETA4 gate I see than in routing table are number of routes
(link# records) through lo0 for some local addresses:

hole netstat -rnfinet | grep lo0
127.0.0.1  link#7 UH  030764lo0
172.22.254.10  link#7 UHS 00lo0
192.168.253.254link#7 UHS 00lo0




Is it normal.
On older FreeBSD I see link# records only for network prefix.



Yes, it is normal. It's one of the user-visible changes from
the ARP and NDP rewrite in 8.0.

Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: me in ipfw rules - does it include aliases?

2009-09-08 Thread Nikos Vassiliadis


Tom Worster wrote:

the ipfw man page says:

  me   matches any IP address configured on an interface in the system.

which suggests that if i code my rules using me then when i add an alias
ip address to an interface with ifconfig, these me rules will immediately
work for the newly added address as they do for other addresses.



is that correct?


Yes, the me keyword is expanded to whatever IP address is
assigned on any interface in the system. It's updated whenever
an IP address is added to or removed from an interface. Use the
simple ruleset bellow to test it yourself:

lab# ipfw list
00100 allow ip from me to me
65535 deny ip from any to any

add alias  ping alias = success
remove alias  ping alias = failure

It's a really useful keyword, yet it's not panacea. When
using it, one has to think the possibility of an attacker
who uses me addresses. Use some interface checking as
well in your ruleset...

Nikos

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: me in ipfw rules - does it include aliases?

2009-09-08 Thread Nikos Vassiliadis


Tom Worster wrote:


thanks, nikos.



You're welcome.



i'm interested in your other comment about the risks of using me. 


All I am saying is that you have to take care of attacks which use me
addresses. Packets with source address a me address coming from a network
interface, AKA spoofed packets. Apparently a me source address cannot
come from a wire[1], right?

It's not a great risk, but you better filter them out. Also, it is very
possible that such attacks are not applicable to your network. Or not.

I am just pointing the possible false sense of security when
using rules which match me addresses. Just be sure that me
is really your firewall and not somebody else...

for the

best possible security, i'll post my ruleset here for y'all to review ... or
maybe not :-)


You better not:)

[1] by the word wire, I mean every non-loopback interface

Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: ifconfig -alias - removed wrong ip ?

2009-09-01 Thread Nikos Vassiliadis


Adam Vande More wrote:

On Tue, Sep 1, 2009 at 8:20 AM, claudiu vasadi claudiu.vas...@gmail.comwrote:

1.) Is it normal for the ifconfig rl0 -alias to remove the normal IP and
not the alias one ? (I think that by this syntax it could be right but the
parameter -alias is specified and the OS should know to remove the alias
IP and not the normal IP)


Yes


Yes, there is no difference between normal and alias IP. alias is the
keyword used by the ifconfig utility to add an other IP address to an
interface. All IP addresses bound to an interface are equivalent, I mean
there is any hierarchy of importance of the addresses.

ifconfig int0 -alias just happens to remove the first IP address.
You really should use ifconfig int0 delete 192.168.0.1


2) I dnt really understand why am I not able to connect to the second
(alias) ip? It seems that somehow it's dependant to the normal one


Yup, you need to re-init networking to regain access.


Most probably, you rendered the default gateway unreachable with the removal
of the IP.

Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: Can partitions span more than one drive?

2009-08-28 Thread Nikos Vassiliadis


Ruben de Groot wrote:

On Wed, Aug 26, 2009 at 04:56:03PM +0300, Nikos Vassiliadis typed:

RW wrote:

On Wed, 26 Aug 2009 08:45:47 -0400
John Almberg jalmb...@identry.com wrote:



Question: is it possible to just expand my existing /backup
partition to encompass both the current drive and the new drive? I'm
guessing not, since Chapter 8 in Absolute FreeBSD says that a
partition is part of a slice, 

You can join 2 partitions into 1 with gconcat. OTOH that would wipe any
existing data as you would need to put a new filesystem on the combined
partition.

No, you can always use growfs to expand the filesystem.
But of course, the usual warnings apply, read carefully the
growfs manual...


You can not use growfs to expand a gconcat provider to the new gconcat device.


What I mean is:
1) you have a filesystem on device A and a spare disk device B
2) concatenate A and B using gconcat
3) growfs the fs in the concatenated device and you are done.

Nikos

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: Can partitions span more than one drive?

2009-08-26 Thread Nikos Vassiliadis


RW wrote:

On Wed, 26 Aug 2009 08:45:47 -0400
John Almberg jalmb...@identry.com wrote:



Question: is it possible to just expand my existing /backup
partition to encompass both the current drive and the new drive? I'm
guessing not, since Chapter 8 in Absolute FreeBSD says that a
partition is part of a slice, 


You can join 2 partitions into 1 with gconcat. OTOH that would wipe any
existing data as you would need to put a new filesystem on the combined
partition.


No, you can always use growfs to expand the filesystem.
But of course, the usual warnings apply, read carefully the
growfs manual...

Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: Network card Intel and 802.1P tag


Andrey O.Sokolov wrote:

Any idea how I can see 802.1P tag on em?


You should, I guess, with no extra steps. Perhaps the em driver
has some hardware capability, which set the priority tag to zero?

Is the vlan hardware processing enabled?
Could you post the output of ifconfig em0?

Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: Network card Intel and 802.1P tag


Gary Gatten wrote:

Not ALL chipsets / drivers support 802.1Q / p , maybe this is one of them?


The vlan driver handles tagging itself in software. You don't need
support by the hardware driver or the NIC itself. That said, Intel
NICs are known to work correctly and support dot1Q tags natively in
hardware. Maybe this behavior is some regression with the priority
tags, which by the way are completely ignored by the vlan driver.
You cannot set a priority tag or have the vlan driver process it
in a special way. I guess processing priority tags is not very useful
since one cannot expect a FreeBSD box to replace a switch!

As I understand Andrey just runs tcpdump on the physical interface.
He doesn't use the vlan driver. He should see everything that reaches
the ethernet port. tagged or not.

Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: Network card Intel and 802.1P tag


Andrey O.Sokolov wrote:

Is the vlan hardware processing enabled?


How I can enable this processing?



ifconfig em0 vlanhwtag enables vlan processing in hw
ifconfig em0 -vlanhwtag disables vlan processing in hw

Maybe one these will work correctly without the zeroing effect.

Perhaps off topic, but why are you interested in priority
tags, since FreeBSD will silently ignore them?

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: [?? Probable Spam] Re: Network card Intel and 802.1P tag