RE: pf for FreeBSD
> Hi, hello folks, i want to install the packet filter for FreeBSD so i recompile the kernel with the options:
>
>   device bpf
>   options PFIL_HOOKS
>   options RANDOM_IP_ID
>
> and installed pf from ports (i did a cvsup before installing to get the latest ports). Now my dilemma is ... in pf start script ... i have to enter a prefix ... but what prefix, 'cause after installing and rebooting the modules that I want to load are still in source directory. I installed pf with make WITH_ALTQ=yes make install; after a deinstall I can't install it anymore, the install crashes with the error that it is already installed!! What can I do??

I'm using pf without a problem. Not sure what exact version of FreeBSD 5.x you're using. According to /usr/src/UPDATING:

  Since 08-Mar-2004 pf has been part of the base system and doesn't require the pf port to be installed.

So, a way forward could be to ensure you've updated to the latest 5.x version (cvs tag RELENG_5). Then I suggest you read /usr/src/UPDATING as it also contains some info on the pf groups and users required.

I have the following devices in my kernel:

  device PFIL_HOOKS
  device pf
  device pflog

I have the following in /etc/rc.conf:

  pf_enable=YES
  pflog_enable=YES
  pf_rules=Path to rules

You will also need the authpf group and the _pflogd user and group. You can get the details by downloading the latest source and checking the passwd and group files under /usr/src/etc.

in /etc/passwd:

  _pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin

in /etc/group:

  authpf:*:63:
  _pflogd:*:64:

I will leave it to you on how you generate a ruleset. Personally I use fwbuilder.org.

Thanks,
Phil.

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
RE: pf for FreeBSD
Hi,

I'm not sure of the dates of when 5.2.1 was released to tell you for sure whether pf is available in the kernel or not. I only started using 5.x when 5.3-Beta was released and pf has always been available in kernel for me. Never used the port.

To check if pf is installed/available you could try the command line via which pf is configured, i.e.

  # pfctl -sa

(i.e. show all currently configured options for pf). To check if it's available in the base system you could try configuring a kernel with the devices in my previous email and see if they're accepted.

Thanks,
Phil.

-----Original Message-----
From: Cristi Tauber [mailto:[EMAIL PROTECTED]
Sent: 28 September 2004 11:19
To: Philip Payne
Cc: FreeBSD Question
Subject: RE: pf for FreeBSD

Hello, i'm using 5.2.1 and i want to recompile pf to take advantage of ALTQ. This was the reason for reinstalling. What about that prefix in startup script ... this is where i have no clues ... what's the path ... And another thing ... if i want to install pf now it says that it is already installed ... strange ... because i can't find it now, not the binaries nor the modules.

Cristi

>> Hi, hello folks, i want to install the packet filter for FreeBSD so i recompile the kernel with the options:
>>
>>   device bpf
>>   options PFIL_HOOKS
>>   options RANDOM_IP_ID
>>
>> and installed pf from ports (i did a cvsup before installing to get the latest ports). Now my dilemma is ... in pf start script ... i have to enter a prefix ... but what prefix, 'cause after installing and rebooting the modules that I want to load are still in source directory. I installed pf with make WITH_ALTQ=yes make install; after a deinstall I can't install it anymore, the install crashes with the error that it is already installed!! What can I do??
>
> I'm using pf without a problem. Not sure what exact version of FreeBSD 5.x you're using. According to /usr/src/UPDATING:
>
>   Since 08-Mar-2004 pf has been part of the base system and doesn't require the pf port to be installed.
>
> So, a way forward could be to ensure you've updated to the latest 5.x version (cvs tag RELENG_5). Then I suggest you read /usr/src/UPDATING as it also contains some info on the pf groups and users required.
>
> I have the following devices in my kernel:
>
>   device PFIL_HOOKS
>   device pf
>   device pflog
>
> I have the following in /etc/rc.conf:
>
>   pf_enable=YES
>   pflog_enable=YES
>   pf_rules=Path to rules
>
> You will also need the authpf group and the _pflogd user and group. You can get the details by downloading the latest source and checking the passwd and group files under /usr/src/etc.
>
> in /etc/passwd:
>
>   _pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
>
> in /etc/group:
>
>   authpf:*:63:
>   _pflogd:*:64:
>
> I will leave it to you on how you generate a ruleset. Personally I use fwbuilder.org.
>
> Thanks,
> Phil.
RE: pf for FreeBSD
IMHO it's not very hard in FreeBSD 5.3 either now it's in the base. The only additional step to what you describe below is adding the kernel options and building/installing the kernel to include them, which is only 2 commands.

However, some of the log analysis ports I've tried (fwanalog... another the name of which slips my mind, damn) do not work with the FreeBSD implementation of tcpdump :-(

I suppose, with OpenBSD's complete focus on security, if I was building a dedicated firewall I would very probably select OpenBSD. Depends what other things Cristi is using FreeBSD for.

Phil.

-----Original Message-----
From: shane mullins [mailto:[EMAIL PROTECTED]
Sent: 28 September 2004 13:34
To: Cristi Tauber
Cc: [EMAIL PROTECTED]
Subject: Re: pf for FreeBSD

Why not just run OpenBSD if you want to use pf? I use both Free and OpenBSD. But, pf is much easier to set up on OpenBSD. Just install OpenBSD, enable routing, enable pf in rc.conf and you are done.

Shane

----- Original Message -----
From: Cristi Tauber [EMAIL PROTECTED]
To: FreeBSD Question [EMAIL PROTECTED]
Sent: Tuesday, September 28, 2004 12:54 AM
Subject: pf for FreeBSD

hello folks, i want to install the packet filter for FreeBSD so i recompile the kernel with the options:

  device bpf
  options PFIL_HOOKS
  options RANDOM_IP_ID

and installed pf from ports (i did a cvsup before installing to get the latest ports). Now my dilemma is ... in pf start script ... i have to enter a prefix ... but what prefix, 'cause after installing and rebooting the modules that I want to load are still in source directory. I installed pf with make WITH_ALTQ=yes make install; after a deinstall I can't install it anymore, the install crashes with the error that it is already installed!!

What can I do??

Cristi
RE: correct routine of updating installed ports?
> # cvsup -g -L 2 supfile
> # portsdb -uU
> # pkgdb -F
> # port_version
> # portupgrade -a
>
> And what does make index actually do? Do I need it?

> You missed a step between cvsup and portupgrade.
>
>   less /usr/ports/UPGRADING
>
> ... and read, to check out what will happen when certain ports are updated.

Looks much the same as how I do it. I don't do a portversion.

You might want to create a portupgrade log with the -l switch on portupgrade. Then, after it's complete, check for failed entries, i.e. those marked with ! or *, so you can manually check out the problem.

Also, you may want to add a portsclean at the end to remove old distfiles etc. man portsclean will give all the relevant options.

Phil.
RE: Portinstall problem (config.guess not found)
> Hi Adam,
>
> On Thursday, 23 September 2004 01:54, Adam Smith wrote:
>> On Wed, Sep 22, 2004 at 02:59:35PM +0100, Philip Payne said:
>>> Didn't use Konsole but I am using KDE. It appears to be a problem in aterm and xterm, but strangely not Eterm.
>>
>> Exactly what I found, too. Any compiles I do need to be done in an Eterm or directly on the console. For the time being you should use Eterm. I will upgrade to BETA5 and see if it still exists there. If it does, it would seem that a bug report needs to be filed.
>
> I'd like to x-reference these postings:
>
> http://docs.freebsd.org/cgi/getmsg.cgi?fetch=666353+0+archive/2004/freebsd-current/20040919.freebsd-current
>
> with
>
> http://docs.freebsd.org/cgi/getmsg.cgi?fetch=1237945+0+current/freebsd-questions
>
> I hope this helps in finding the solution.
>
> Thanks,
> -Mano

I'm using BETA5 and the problem still exists. I found a post suggesting it was an environment issue in a similar vein to Emanuel's link and found the workaround. It does appear that you need to either start your root xterm/aterm with -ls... or you need to su - instead of just su to be able to make properly. Eterm works because it starts as a login shell by default. xterm and aterm do not.

This bug also affected my ability to do a make installkernel.

I'm not a coder so I have no idea what in the environment causes a login shell to work and a non-login shell not to work.

Thanks,
Phil.
RE: Portinstall problem (config.guess not found) ANSWER (sort of)
Hi,

Had another search of the archives and found someone having a similar problem making gtk12.

http://lists.freebsd.org/mailman/htdig/freebsd-questions/2004-September/058190.html

Saw an answer that the issue was running the make in X. So, I switched to a console and tried to install the port... bingo... no problem. Switch back to X and try in aterm or xterm, still the same config.guess not found error.

Bizarre bug... but at least there's a workaround for now. Don't do any make functions in X.

Phil.

PS: This bug was also affecting my ability to make a new kernel.

-----Original Message-----
From: Philip Payne [mailto:[EMAIL PROTECTED]
Sent: 21 September 2004 23:16
To: Lowell Gilbert
Cc: FreeBSD Questions (E-mail)
Subject: RE: Portinstall problem (config.guess not found)

Snipped the rest of the debug:

>> cp: /usr/ports/devel/gmake/work/make-3.80/config /usr/ports/devel/gmake/work/make-3.80/config/config.guess: No such file or directory
>> *** Error code 1
>> Stop in /usr/ports/devel/gmake.
>> *** Error code 1
>> Stop in /usr/ports/lang/ezm3.
>> *** Error code 1
>> Stop in /usr/ports/net/cvsup-without-gui.
>
> What is in your /etc/make.conf?

Nothing special:

  cat /etc/make.conf
  # -- use.perl generated deltas -- #
  # Created: Tue Sep 21 12:41:08 2004
  # Setting to use base perl from ports:
  PERL_VER=5.8.5
  PERL_VERSION=5.8.5
  PERL_ARCH=mach
  NOPERL=yo
  NO_PERL=yo
  NO_PERL_WRAPPER=yo

Cheers,
Phil.
RE: Portinstall problem (config.guess not found)
>> I just rebuilt the machine as the problem was doing my head in. FreeBSD 5.3-beta5. Basically, X-Developer distro with KDE installed as desktop. The first port I try to install is generally CVSUP. I get the config.guess not found error straight away... as below.
>>
>> I am not sure how to proceed. I'm tempted to fall back to 4-Stable which was working fine. Switching to FreeBSD-5 has been a nightmare. I just wanted to try PF and Fwbuilder2 as a firewall.
>>
>> There doesn't seem to be a lot of posts on the list with this problem so I'm assuming it's a problem specific to me... but weird.
>
> It's not specific to you, let me guess, you're using konsole from KDE? And you do a 'su'? Try to 'su -' and everything is fine again. Haven't had the time yet to figure out if it's a KDE problem or anything else but I reported this one too and got no answer.

Didn't use Konsole but I am using KDE. It appears to be a problem in aterm and xterm, but strangely not Eterm. I do use su rather than su -.

I'm really just a networky person rather than a unix sysadmin so it's way over my head as to what the problem is. I'm just happy there's a workaround rather than having a system I can't update. I'm happy to assist where possible in identifying what the issue is but wouldn't have the skill to do it myself.

Cheers,
Phil.
RE: Portinstall problem (config.guess not found)
> Philip Payne [EMAIL PROTECTED] writes:
>> Hi,
>>
>> I'm getting the following error when trying to build any port.
>>
>>   /usr/ports/portname/work/config.guess: No such file or directory.
>>
>> I've googled and searched the mailing list archives which gave 2 suggestions. Autoconf or libtool have got fubar'd and I should reinstall and/or cvsup to update the ports index. I tried both; neither succeeded. Boo :-(
>>
>> Now if a port tries to re-install libtool, it also bums out with the above error.
>>
>> I'm using FreeBSD-5.3-beta4.
>>
>> Does anyone have further suggestions on what the error could be and how it can be resolved?
>
> Did you try completely *removing* all installed versions of autoconf, automake, and libtool?

Yup... no autoconf, automake or libtool present. Problem still persists. Doesn't matter which port I try, I get the same error, e.g. fwbuilder, gimp, gmake, portupgrade.

Any help much appreciated.

Phil.
RE: Portinstall problem (config.guess not found)
Ooer... this gets weirder... see below...

> Philip Payne [EMAIL PROTECTED] writes:
>> Hi,
>>
>> I'm getting the following error when trying to build any port.
>>
>>   /usr/ports/portname/work/config.guess: No such file or directory.
>>
>> I've googled and searched the mailing list archives which gave 2 suggestions. Autoconf or libtool have got fubar'd and I should reinstall and/or cvsup to update the ports index. I tried both; neither succeeded. Boo :-(
>>
>> Now if a port tries to re-install libtool, it also bums out with the above error.
>>
>> I'm using FreeBSD-5.3-beta4.
>>
>> Does anyone have further suggestions on what the error could be and how it can be resolved?

I just rebuilt the machine as the problem was doing my head in. FreeBSD 5.3-beta5. Basically, X-Developer distro with KDE installed as desktop. The first port I try to install is generally CVSUP. I get the config.guess not found error straight away... as below.

I am not sure how to proceed. I'm tempted to fall back to 4-Stable which was working fine. Switching to FreeBSD-5 has been a nightmare. I just wanted to try PF and Fwbuilder2 as a firewall.

There doesn't seem to be a lot of posts on the list with this problem so I'm assuming it's a problem specific to me... but weird.

Any help much appreciated.

Cheers,
Phil.

  gw# cd /usr/ports/net/cvsup-without-gui/
  gw# make install clean
  === Vulnerability check disabled, database not found
  cvsup-snap-16.1h.tar.gz doesn't seem to exist in /usr/ports/distfiles/.
  Attempting to fetch from ftp://ftp.FreeBSD.org/pub/FreeBSD/development/CVSup/snapshots/.
  cvsup-snap-16.1h.tar.gz 100% of 420 kB 55 kBps
  === Extracting for cvsup-without-gui-16.1h
  Checksum OK for cvsup-snap-16.1h.tar.gz.
  === Patching for cvsup-without-gui-16.1h
  === cvsup-without-gui-16.1h depends on file: /usr/local/lib/m3/pkg/tcp/FreeBSD4/libm3tcp.a - not found
  ===Verifying install for /usr/local/lib/m3/pkg/tcp/FreeBSD4/libm3tcp.a in /usr/ports/lang/ezm3
  === Vulnerability check disabled, database not found
  ezm3-1.2-FreeBSD4-boot.tar.bz2 doesn't seem to exist in /usr/ports/distfiles/ezm3.
  Attempting to fetch from ftp://ftp.FreeBSD.org/pub/FreeBSD/development/CVSup/ezm3/.
  ezm3-1.2-FreeBSD4-boot.tar.bz2 100% of 1334 kB 55 kBps 00m00s
  ezm3-1.2-src.tar.bz2 doesn't seem to exist in /usr/ports/distfiles/ezm3.
  Attempting to fetch from ftp://ftp.FreeBSD.org/pub/FreeBSD/development/CVSup/ezm3/.
  ezm3-1.2-src.tar.bz2 100% of 10 MB 56 kBps 00m00s
  === Extracting for ezm3-1.2
  Checksum OK for ezm3/ezm3-1.2-FreeBSD4-boot.tar.bz2.
  Checksum OK for ezm3/ezm3-1.2-src.tar.bz2.
  === Patching for ezm3-1.2
  === Applying FreeBSD patches for ezm3-1.2
  === ezm3-1.2 depends on executable: gmake - not found
  ===Verifying install for gmake in /usr/ports/devel/gmake
  === gmake-3.80_2 depends on shared library: intl - found
  === Configuring for gmake-3.80_2
  cp: /usr/ports/devel/gmake/work/make-3.80/config /usr/ports/devel/gmake/work/make-3.80/config/config.guess: No such file or directory
  *** Error code 1
  Stop in /usr/ports/devel/gmake.
  *** Error code 1
  Stop in /usr/ports/lang/ezm3.
  *** Error code 1
  Stop in /usr/ports/net/cvsup-without-gui.
RE: Portinstall problem (config.guess not found)
Snipped the rest of the debug:

>> cp: /usr/ports/devel/gmake/work/make-3.80/config /usr/ports/devel/gmake/work/make-3.80/config/config.guess: No such file or directory
>> *** Error code 1
>> Stop in /usr/ports/devel/gmake.
>> *** Error code 1
>> Stop in /usr/ports/lang/ezm3.
>> *** Error code 1
>> Stop in /usr/ports/net/cvsup-without-gui.
>
> What is in your /etc/make.conf?

Nothing special:

  cat /etc/make.conf
  # -- use.perl generated deltas -- #
  # Created: Tue Sep 21 12:41:08 2004
  # Setting to use base perl from ports:
  PERL_VER=5.8.5
  PERL_VERSION=5.8.5
  PERL_ARCH=mach
  NOPERL=yo
  NO_PERL=yo
  NO_PERL_WRAPPER=yo

Cheers,
Phil.
Portinstall problem (config.guess not found)
Hi,

I'm getting the following error when trying to build any port.

  /usr/ports/portname/work/config.guess: No such file or directory.

I've googled and searched the mailing list archives which gave 2 suggestions. Autoconf or libtool have got fubar'd and I should reinstall and/or cvsup to update the ports index. I tried both; neither succeeded. Boo :-(

Now if a port tries to re-install libtool, it also bums out with the above error.

I'm using FreeBSD-5.3-beta4.

Does anyone have further suggestions on what the error could be and how it can be resolved?

Thanks,
Phil.
RE: Question about FreeBSD.
> Hi,
>
> I'm quite new to the world of linux, and I am going to set up a linux server, and I'm looking around for a good linux system, and I find FreeBSD quite interesting. Does FreeBSD have an X-mode and is it easy to handle? What's the difference between FreeBSD, Slackware and Redhat?

Wow... what a can of worms.

Most importantly FreeBSD is not Linux. Though you'll find lots of crossover in terms of applications (e.g. XOrg, XFree86, Gnome, KDE). You'll find lots of opinion on whether FreeBSD is better than Linux and vice versa. My suggestion is you read up about each Linux distro and FreeBSD and decide for you personally which is best.

FreeBSD can run X. I use it as a desktop.

The things that make me come back to FreeBSD each time I try a different linux distro are:

1) The make buildworld, installworld, buildkernel, installkernel tools that make upgrading/updating your system a breeze.
2) The ports system that makes installing applications and dependencies a thoughtless, stress-free task.
3) The portupgrade sysutil that makes managing the upgrade of your applications equally stress free.

Laters,
Phil.
RE: Package version problem with portupgrade(1)
> On Thursday 02 September 2004 01:45 am, Philip Payne wrote:
>>> Well, png is up to png-1.2.5_8 and if you did a recent cvsup and recreated your INDEXs, that is what you should be seeing.
>>>
>>> OK, portupgrade(1) _is_ looking for 1.2.5_8 but it is trying to get it from ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-4.9-release/All where the version of png is 1.2.5_2, so how to resolve the conflict? Seems to me that portupgrade(1) needs to be getting the packages from packages-4-stable/All instead?
>>>
>>> Staying behind is a good way to end up with a security black hole :).
>>>
>>> Precisely. A cvsup of ports-all and a portsdb -uU should be a good way to keep your system current.
>>>
>>> Will that change where portupgrade(1) tries to get the packages from?
>>
>> I believe the package updates will lag behind the ports source update, i.e. if you use portupgrade -PP and use packages only there will be the occasional port that does not have a package available. I'm not sure how long the lag is... I guess different for different ports. I think you'll just have to accept a slight lag on when you can update certain ports.
>>
>> If this is not the real error I'm sure someone will correct me.
>
> His PACKAGESITE environment variable is set to a wrong location. I think that he needs to set it using something like
>
>   setenv PACKAGESITE ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-4-stable/All
>
> or his favorite mirror, as all one line, and then run portupgrade -PPa. It defaults to the 4.9 release packages and they never change. I have only used PACKAGESITE once and that was to update KDE. The sites were so busy that my computer would build it almost as fast as I could download it.

Ah, OK. That makes sense. Didn't realise the package path problem.

If you're using portinstall then you can set alternative package sites in /usr/local/etc/pkgtools.conf rather than setting the PACKAGESITE environment variable.

Phil.
RE: Package version problem with portupgrade(1)
> Well, png is up to png-1.2.5_8 and if you did a recent cvsup and recreated your INDEXs, that is what you should be seeing.
>
> OK, portupgrade(1) _is_ looking for 1.2.5_8 but it is trying to get it from ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-4.9-release/All where the version of png is 1.2.5_2, so how to resolve the conflict? Seems to me that portupgrade(1) needs to be getting the packages from packages-4-stable/All instead?
>
> Staying behind is a good way to end up with a security black hole :).
>
> Precisely. A cvsup of ports-all and a portsdb -uU should be a good way to keep your system current.
>
> Will that change where portupgrade(1) tries to get the packages from?

I believe the package updates will lag behind the ports source update, i.e. if you use portupgrade -PP and use packages only there will be the occasional port that does not have a package available. I'm not sure how long the lag is... I guess different for different ports. I think you'll just have to accept a slight lag on when you can update certain ports.

If this is not the real error I'm sure someone will correct me.

Thanks,
Phil.
RE: Trouble with ipfw :( help!
Hi,

> SNIP
>
> #ipfw list
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 00400 allow icmp from any to any
> 00500 allow tcp from any to any established
> 00600 allow ip from any to any frag
> 00700 allow ip from me to any setup
> 00800 allow tcp from any to me dst-port 25,110,995,143,993 setup
> 00900 allow tcp from any to me dst-port 500,600 setup
> 01000 allow tcp from any to me dst-port 22,3 setup
> 01100 allow udp from me to any dst-port 53 keep-state
> 0 allow log ip from any to any
> 65500 deny log ip from any to any
> 65535 deny ip from any to any

I assume the idea is that you allow the ports you want with the line:

  00800 allow tcp from any to me dst-port 25,110,995,143,993 setup

and then the sessions with:

  00500 allow tcp from any to any established

Now, I haven't used this approach myself so I can't guarantee it will work. The setup keyword allows any packets with SYN but no ACK. The established keyword will allow any packets with RST and ACK bits set. So, in theory the sessions you want should be able to pass; couldn't tell you why they're not.

However, I don't believe this is as secure as using dynamic rules as you will accept any packet with those bits set, not packets on the ports you have allowed to setup.

So, a different approach: you could remove the line:

  00500 allow tcp from any to any established

and change 800 from:

  00800 allow tcp from any to me dst-port 25,110,995,143,993 setup

to:

  00800 allow tcp from any to me dst-port 25,110,995,143,993 setup keep-state

This would create a dynamic rule allowing TCP on the right port between the source address and your server. To allow further traffic on that dynamic rule you need a line something like:

  00050 check-state

This is an approach I have used for some time and it works fine. I hope it's of use.

Thanks,
Phil.
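Phil's point about `established` versus `keep-state`, as an added example that is not part of the original thread: a small Python model of ipfw first-match evaluation covering setup, established, keep-state and check-state (established matches a TCP packet with RST or ACK set, per ipfw(8)), run over constructed packets against rules 500 and 800 from the ruleset above and against the stateful replacement. The addresses, client ports, port 9999 and the reduced rule subset are assumptions, not from the thread.

```python
from dataclasses import dataclass

# Constructed address standing in for the firewall host that ipfw calls "me".
ME = "203.0.113.10"


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False


def state_key(pkt):
    """Direction-independent flow key, as a dynamic rule would track it."""
    return (pkt.proto, frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)}))


class Firewall:
    """Minimal first-match evaluator for a subset of ipfw rule options."""

    def __init__(self, rules):
        self.rules = rules      # [(number, action, options), ...] in order
        self.dynamic = set()    # flows created by keep-state

    def _matches(self, opts, pkt):
        if "proto" in opts and opts["proto"] != pkt.proto:
            return False
        if opts.get("dst") == "me" and pkt.dst != ME:
            return False
        if "dst_ports" in opts and pkt.dport not in opts["dst_ports"]:
            return False
        # setup: SYN set and ACK clear (only the first packet of a handshake)
        if opts.get("setup") and not (pkt.syn and not pkt.ack):
            return False
        # established: RST or ACK set; the port is not considered at all
        if opts.get("established") and not (pkt.ack or pkt.rst):
            return False
        return True

    def evaluate(self, pkt):
        """Return (action, rule_number) for the first rule that decides pkt."""
        for number, action, opts in self.rules:
            if action == "check-state":
                if state_key(pkt) in self.dynamic:
                    return ("allow", number)
                continue
            if not self._matches(opts, pkt):
                continue
            if opts.get("keep_state"):
                self.dynamic.add(state_key(pkt))
            return (action, number)
        return ("deny", 65535)      # implicit default rule


MAIL_PORTS = {25, 110, 995, 143, 993}

# Rules 500 and 800 from the poster's ruleset, plus the default deny.
ESTABLISHED_RULESET = [
    (500, "allow", {"proto": "tcp", "established": True}),
    (800, "allow", {"proto": "tcp", "dst": "me", "dst_ports": MAIL_PORTS,
                    "setup": True}),
    (65535, "deny", {}),
]

# Phil's alternative: drop rule 500, add keep-state to 800, check-state first.
STATEFUL_RULESET = [
    (50, "check-state", {}),
    (800, "allow", {"proto": "tcp", "dst": "me", "dst_ports": MAIL_PORTS,
                    "setup": True, "keep_state": True}),
    (65535, "deny", {}),
]


def compare(ruleset):
    """Run three constructed packets through a ruleset and report the verdicts."""
    fw = Firewall(ruleset)
    client = "198.51.100.7"                               # constructed peer
    handshake = Packet("tcp", client, 40000, ME, 25, syn=True)
    in_session = Packet("tcp", client, 40000, ME, 25, ack=True)
    # ACK-only packet to a port on which no session was ever allowed to open
    stray_ack = Packet("tcp", client, 40001, ME, 9999, ack=True)
    return {
        "syn_to_smtp": fw.evaluate(handshake)[0],
        "data_in_session": fw.evaluate(in_session)[0],
        "ack_to_unopened_port": fw.evaluate(stray_ack)[0],
    }


if __name__ == "__main__":
    print("established:", compare(ESTABLISHED_RULESET))
    print("stateful:   ", compare(STATEFUL_RULESET))
```

The `established` ruleset lets the stray ACK through on port 9999 because rule 500 never looks at the port; the stateful ruleset only passes packets belonging to a flow that rule 800 admitted.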
RE: Config freebsd as getway
Hi,

Is this something obvious like the default gateway not being set on either of the PCs in question? Without seeing the IP setup it's not obvious.

Cheers,
Phil.

-----Original Message-----
From: Andras Kende [mailto:[EMAIL PROTECTED]
Sent: 18 August 2004 17:34
To: 'lily'; [EMAIL PROTECTED]
Subject: RE: Config freebsd as getway

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of lily
> Sent: Tuesday, August 17, 2004 9:34 PM
> To: [EMAIL PROTECTED]
> Subject: Config freebsd as getway
>
> Dear all:
>
> I have installed freebsd 4.x, and have two netcards. I want it as gateway. I have configured gateway_enable=YES in rc.conf, and then rebooted.
>
>   [a pc][freebsd]---[b pc]
>
> After reboot, I try to use a pc to ping b pc, it's not working, but a pc and b pc can ping freebsd successfully, why? Please give me a hand.
>
> Thanks!!
> LILY

LILY,

There is a very easy guide:

http://bsdguides.org/guides/freebsd/networking/ipfilter.php

Andras Kende
http://www.kende.com
RE: IPFW Configuration
Hi Jonathan,

> will be able to work. My box is located at a datacenter and my box is allocated with about 90 IP addresses (and also the main server IP which was given to me when i first purchased the line). I would like to know how to configure /etc/rc.firewall to support my MAIN ip and also how to make sure the other IPs added to my box are recognized and protected by the firewall. Also I noticed in rc.firewall there are different modes to put the firewall in like simple mode, client mode, etc. (different firewall powers i guess). It would be greatly appreciated if someone can show me how to configure ipfw. I could not thank anyone more for the future help i might receive on this issue.

simple and client mode are just different rulesets within rc.firewall. You can of course specify your very own ruleset and point rc.conf at a different file than rc.firewall.

Two things which may help.

1) There is a keyword me that you can use in IPFW rules that prevents you needing to specify the server's actual IPs.

2) fwbuilder.org is a very handy tool for generating firewall config. If the me keyword is too generic, you may find it easier to have a gui that can hold different objects for each IP address rather than write repetitive firewall script lines. Also, if you're new to firewall policy sometimes a gui can help.

If you want advice on generating a firewall policy, well... there are some high level design rules you can follow that help. I've posted on this topic a number of times to the list so just search the archives.

Lastly, and not meant in any rude way, if you haven't, man ipfw ... I personally found it very useful.

Hope that helps,
Phil.
RE: IPFW acting weird OR invalid ruleset?
> steve,
>
> Yes everything else seems to work fine. There are currently 2 PCs with this issue. 1 is XP, the other is Win2k. This ruleset worked fine on FreeBSD 5.1, but I reformatted the box, installed 5.2.1 and uploaded the rc.firewall.rules and natd.conf files; since the network interfaces were the same I didn't really have to change anything.

Ok... so reading the ruleset the traffic will behave (referring to your rc.firewall):

Outgoing FTP session is passed first by rule 04109 (with a keep-state) and then by 61001 (without a keep-state). So, will the returning traffic get passed by the check-state on the way back in?... I'm not sure, possibly. Also, funny that it works for 5.1 and not 5.2.1, which implies bugs.

The general consensus from my and Steve's response is we don't understand the ruleset. Using skipto just to divert to natd and pass outgoing traffic does seem overly complicated and I've not seen anyone else use that approach. Maybe I am missing some advantage that it gives you.

I figure you have two approaches to solve this:

1) If you want to debug the current ruleset add logging to the deny rules and check where the traffic is being dropped. If it is the ruleset at fault then the traffic MUST be being dropped by it on one of the rules. Remember logging is your friend.

Or

2) There may be some benefit to re-writing the ruleset in a format you personally understand rather than using a template. Your general approach to a firewall ruleset should be:

a) First section contains any anti-spoofing and then rules to divert traffic going via the outside interface to natd and to check-state.
b) Second section to allow/deny traffic directly to the firewall.
c) Then a section to allow the incoming services to your site. You should then end this section with something like deny all traffic coming in via my external interface, as unless you specifically want the traffic you should drop it.
d) Then a section to permit the required traffic out from your site. You should end this section with something like deny log all traffic, as if you haven't specified it to pass, it shouldn't.

Then you can refine this approach by adding deny rules without logging to only log what's required and pick up on traffic that you should be passing but you are not.

I'm afraid it's very difficult to be specific on writing firewall policy as it will be unique to your needs but I hope that general approach will help. Tools like /usr/ports/security/fwbuilder (home www.fwbuilder.org) can help in generating policy but the install features for IPFW are not quite working. I have posted a script to help with this previously.

Thanks,
Phil.

> I found these rules on this website:
>
> http://www.lugbe.ch/lostfound/contrib/freebsd_router/
>
> here is the sample I used from the website:
>
> # be quiet and flush all rules on start
> -q flush
> # allow local traffic, deny RFC 1918 addresses on the outside
> add 00100 allow ip from any to any via lo0
> add 00110 deny ip from any to 127.0.0.0/8
> add 00120 deny ip from any to any not verrevpath in
> add 00301 deny ip from 10.0.0.0/8 to any in via ep0
> add 00302 deny ip from 172.16.0.0/12 to any in via ep0
> add 00303 deny ip from 192.168.0.0/16 to any in via ep0
> # check if incoming packets belong to a natted session, allow through if yes
> add 01000 divert natd ip from any to me in via ep0
> add 01001 check-state
> # allow some traffic from the local net to the router
> # SSH
> add 04000 allow tcp from 192.168.1.0/24 to me dst-port 22 in via ep1 setup keep-state
> # ICMP
> add 04001 allow icmp from 192.168.1.0/24 to me in via ep1
> # NTP
> add 04002 allow tcp from 192.168.1.0/24 to me dst-port 123 in via ep1 setup keep-state
> add 04003 allow udp from 192.168.1.0/24 to me dst-port 123 in via ep1 keep-state
> # DNS
> add 04006 allow udp from 192.168.1.0/24 to me dst-port 53 in via ep1
> # drop everything else
> add 04009 deny ip from 192.168.1.0/24 to me
> # pass outgoing packets (to be natted) on to a special NAT rule
> add 04109 skipto 61000 ip from 192.168.1.0/24 to any in via ep1 keep-state
> # allow all outgoing traffic from the router (maybe you should be more restrictive)
> add 05010 allow ip from me to any out keep-state
> # drop everything that has come so far. This means it doesn't belong to an established connection, don't log the most noisy scans.
> add 59998 deny icmp from any to me
> add 5 deny ip from any to me dst-port 135,137-139,445,4665
> add 6 deny log tcp from any to any established
> add 6 deny log ip from any to any
> # this is the NAT rule. Only outgoing packets from the local net will come here.
> # First, nat them, then pass them on (again, you may choose to be more restrictive)
> add 61000 divert natd ip from 192.168.1.0/24 to any out via ep0
> add 61001 allow ip from any to
RE: IP bandwidth
John Lee wrote: dear all, i'm using a freebsd 4.10-stable server with 50 IP addresses. Is there any program i can install that will be able to tell me: - how much bandwidth (ie. kbps) each individual IP is using? trafcount seems to count total traffic only, any idea? I.e. ipfw + rrdtools or mrtg from ports (net-mgmt): netramet, bandwidthd. Any of these make real time statistics like iptraf under linux. I also need something like this for both general interface (realtime) statistics and for traffic monitoring (i can use tcpdump for this but it would be nice to have both characteristics in one program). I've used /usr/ports/net-mgmt/darkstat in the past on my home network. It's pretty simplistic but it might be of use. Phil. ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
KDM always starts failsafe
Hi, Upgraded KDE yesterday to 3.2.1. KDM was upgraded. Now, whenever I try to login to KDE it always starts the failsafe i.e. a single xterm. It doesn't matter what session type I select in KDM, I always get failsafe so no KDE for me. If I start KDE using startx and a .xinitrc with exec startkde everything is fine and KDE starts. However, multiple users on the machine so having KDM working would be good. Any ideas what could be wrong?... if you need output from certain logs etc. just let me know. Thanks, Phil.
RE: Why BSD?
This is not a troll. I've installed FreeBSD 5.2 on a spare SCSI drive and am compiling kernels, updating ports, etc, etc. Thus far, other than some minor hassles, it's equivalent to my Debian sid. I have to ask: Why FreeBSD rather than Linux? My personal experience. 4 years ago I had never installed a UNIX like OS, however I am an engineer so I read the manual first. I tried to find a coherent set of documentation in regards to Linux but because it is a huge munge of lots of different projects (Kernel, GNU, packages the distro has decided to add, everything else you actually need manually built by you) there is nothing coherent. I found a lot of arguments about licencing, source over binary, what should be in a distro and what shouldn't. Those arguments are still going on today. A friend pointed me at www.freebsd.org and lo and behold, instructions on how to install and use the OS. Since then, I have never had to stray far from that site or this email list. - I have never experienced a failed system upgrade other than my own stupidity. - I have never experienced a system hang other than using alpha/beta software manually installed. - I have never been unable to install a port unless it was broken. - If that weren't reason enough, I also can upgrade the whole thing once a month with NO pain. I guess this is a reflection of the managed, controlled environment under which system and ports are developed for FreeBSD. I guess what I'm saying is... it's a dependable environment and I'm not just talking about the software. Phil.
RE: NEWBIE QUESTION
I'm a newbie to your OS, Does FreeBSD have the KDE and Gnome GUI already installed? Do you have plans in making the installation more user friendly in the future? Like any newbie I heartily recommend reading through the handbook under the documentation section of www.freebsd.org. I believe this has a good section on installing X and selecting a window manager. Also read the sections on updating source and buildworld, this will keep your system up to date. There's some good FreeBSD tutorials at http://www.onlamp.com/pub/ct/15 worth working through. Also, as well as ports being your friend I've found the utility portupgrade under /usr/ports/sysutils/portupgrade highly useful for managing my installed packages. Lastly, this list has always been welcoming when I've asked dumb questions and not full of trolls or people with superiority complexes unlike other open source lists (thanks). Good luck, Phil.
RE: firewall settings in rc.firewall
Hi Dan,

Hello, i am trying to make my webserver accessible to the net, i tried to run the out of the box rc.firewall, but there were some default rules which blocked the 192.168.0 network which is my local lan lol, so it killed it instead of helped it, anyway i tried setting it to open, but it still won't allow access to port 1023 which is what the server is running on, can someone please help me with some example rules which may get me going, let me know thanks.

Firstly, man ipfw will help you understand ipfw. Look on www.bsdvault.com and do a search on google for "building an ipfw firewall on BSD". There are some good tutorials out there. If you really don't know where to start this will be valuable. As you get more familiar you may want to look at fwbuilder.org as this provides a graphical interface for policy generation but I do suggest you are familiar with the command line first so you understand what fwbuilder.org is doing. fwbuilder.org does have some tools to help generate basic policies.

Some generic statements on how to develop a network policy if you have absolutely no idea. This is painful but if you don't know where to start and ignore the tutorials I'm not sure what else you can do:

1) Operate from a default deny scenario unless you have a good reason not to. If you don't want to break stuff then have a permit all. Set this rule to log. e.g.
ipfw add 65000 deny log ip from any to any
or
ipfw add 65000 permit log ip from any to any

2) View the log at /var/log/security. As you have no other rules in your policy the log will quickly get swamped by the traffic through your firewall.

3) Work out from the log what traffic/packets are required, what traffic is not and add relevant rules. e.g.
ipfw add 100 permit tcp from <your internal network> to any setup keep-state out via <your external interface>
ipfw add 110 permit udp from <your internal network> to any keep-state out via <your external interface>
...is an obvious example if you want your internal network to be able to initiate any connection.

4) Clear the logs: ipfw resetlog

5) Repeat steps 2 and 3 until you're only denying and logging the things you want.

6) Check your logs frequently for unexpected events.

7) Review your policy on a regular basis to collate rules and remove unwanted ones.

Hope that helps. Phil.
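A complete ruleset written in the a) to d) layout recommended in the rc.firewall thread above, ending in the logging deny-all that the default-deny method in this reply starts from. This is an added example, not a ruleset from any of the posts or from the FreeBSD rc.firewall: the interface names (ep0 outside, ep1 inside), the 192.168.1.0/24 LAN and the 192.168.1.10 web server reached through a natd -redirect_port are assumptions. Traffic from the LAN is filtered on the inside interface, before the natd divert rewrites its source address; the check-state rule placed right after the divert then passes the replies in both directions, and the two silent deny rules in front of the logged inbound deny keep the noisiest Windows-port scans out of the log.

```sh
#!/bin/sh
# Added example: an ipfw ruleset laid out as a) anti-spoofing, natd divert
# and check-state; b) traffic to/from the firewall itself; c) inbound
# services; d) outbound traffic from the site; then a logged deny-all.
# Assumed topology: ep0 outside, ep1 inside, LAN 192.168.1.0/24, and a web
# server 192.168.1.10 reached via "natd -redirect_port tcp 192.168.1.10:80 80".
ipfw_rules() {
cat <<'EOF'
-q flush
# a) loopback, anti-spoofing, NAT and state matching
add 00100 allow ip from any to any via lo0
add 00110 deny ip from any to 127.0.0.0/8
add 00120 deny ip from 127.0.0.0/8 to any
add 00130 deny ip from 192.168.1.0/24 to any in via ep0
add 00131 deny ip from 10.0.0.0/8 to any in via ep0
add 00132 deny ip from 172.16.0.0/12 to any in via ep0
add 00133 deny ip from 192.168.0.0/16 to any in via ep0
add 00200 divert natd ip from any to any via ep0
add 00210 check-state
# b) traffic to and from the firewall itself
add 01000 allow tcp from 192.168.1.0/24 to me dst-port 22 in via ep1 setup keep-state
add 01010 allow udp from 192.168.1.0/24 to me dst-port 53 in via ep1 keep-state
add 01020 allow icmp from 192.168.1.0/24 to me in via ep1
add 01030 allow ip from me to any out keep-state
add 01090 deny log ip from any to me
# c) inbound services (destination already rewritten by natd -redirect_port),
#    silent denies for the noisiest probes, then log everything else inbound
add 02000 allow tcp from any to 192.168.1.10 dst-port 80 in via ep0 setup keep-state
add 02080 deny tcp from any to any dst-port 135,139,445 in via ep0
add 02081 deny udp from any to any dst-port 137,138 in via ep0
add 02090 deny log ip from any to any in via ep0
# d) outbound from the LAN, filtered on the inside interface before NAT
add 03000 allow tcp from 192.168.1.0/24 to any in via ep1 setup keep-state
add 03010 allow udp from 192.168.1.0/24 to any dst-port 53,123 in via ep1 keep-state
add 03020 allow icmp from 192.168.1.0/24 to any in via ep1 icmptypes 8 keep-state
add 65000 deny log ip from any to any
EOF
}

# Print the ruleset, or load it into the kernel with "--load".
case "${1-}" in
--load) ipfw_rules | /sbin/ipfw -q /dev/stdin ;;
*)      ipfw_rules ;;
esac
```

The logged rules only produce output with net.inet.ip.fw.verbose set to 1 (or IPFIREWALL_VERBOSE in the kernel); once the log quietens down, further silent deny rules go in front of 02090 and 65000 exactly as the reply describes.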
RE: IPFW confusion
Hi, However, I can't get the config to work. I've commented out all the deny rules. In this instance, I can browse the web via SQUID that's installed on the IPFW box. I can't browse the web directly, though. That is the only external access I get. I can't ping any sites, DNS lookups fail (I've set the DNS servers on the client workstation to be those of my ISP. I also tried setting it to look at the IPFW box first, with no luck). Can anyone offer help on this one? I'm getting stuck in a muddle of mis-understanding. At work so I don't have time to debug a whole policy or anything but firstly, I agree with the comments about logging a deny all at the end of your policy. If you start logging too much rubbish insert specific deny rules that do NOT log just above the deny all to filter out things you don't want to see. To be honest, it's good practice to keep this approach permanently. Secondly, a handy tool is at fwbuilder.org. This provides a GUI interface for generating your policy. It's not perfect and there's the whole thing of sacrificing all the command line options for a GUI interface but I've found it more than useful on my own gateway device. Unfortunately, the NAT part is not working so you need to script how the rules are installed once compiled to ensure you get a NAT rule in place. I have posted a script to do this in previous emails but feel free to drop me a reply in future if you need to. Thanks, Phil.
RE: cvsup from 4.7-REL to stable
Hi, I'm 99% sure your supfile needs to read (but nowhere near my machine to check):

src-all
ports-all release=cvs
ports-base release=cvs
ports-all tag=.

So that you get the head of the source tree for ports. Phil.

/usr/sup/refuse looks like this:
src/etc/sendmail/freebsd.mc*
ports/astro
ports/audio
ports/biology
ports/chinese
ports/french
ports/german
ports/hebrew
ports/japanese
ports/korean
ports/russian
ports/ukrainian
ports/vietnamese
-- Adi Pircalabu
RE: FreeBSD Version...
Hi, I am wondering why there was a 4.9 release if the newest one is 5.1. Which is better? I am currently on 5.1. It's a little confusing. Will there be a 4.10 and 5.2 release at the same time? A lot of people are going to give you an RTFM style response back to the install instructions on www.freebsd.org to this question but to be a little more helpful: FreeBSD is released with two trains of code, STABLE and CURRENT. CURRENT as the name suggests has cutting edge code and aspects of it will be untested in the wider user community. 5.1 is the latest release in the CURRENT train. STABLE as the name suggests is stable code that has been widely used and should be bug free (as far as this is possible with software). 4.9 is the latest release in the STABLE train. If you want cutting edge, install current and be aware of the caveats of using it. If you have a production server install stable. At some point in the future I'm assuming there will be a 5.X release as part of the STABLE train. Me personally, I've always stuck with stable and appreciate it for that. The only time I've had a stability problem with the stable code is when using the NVIDIA driver, which naturally can't be attributed to the BSD code itself. PS: Great name. Ta, Phil Payne.
RE: IPFW strange events
Hi Chris,

The net address and subnet mask combination that is 96.0.0.0/3 covers the range 96.0.0.0 to 127.255.255.255. You are therefore blocking all traffic to the localhost address (127.0.0.0). Now, I'm a networking bloke not an MIS person but I would assume this is BAD as services/apps on your machine would want to use this address. What you need to do is have a rule ahead of this specifying:

allow all from any to any via lo0

If you need a tool to help visualising firewall policy I would recommend /usr/ports/security/fwbuilder. It needs a bit of a hack to make NAT work which I've posted previously to this list.

Thanks, Phil.

-----Original Message-----
From: Chris [mailto:[EMAIL PROTECTED]
Sent: 01 November 2003 16:56
To: [EMAIL PROTECTED]
Subject: IPFW strange events

Hello, This is occurring on a 4.8-RELEASE server using IPFW2... I have numerous rules that block bogus networks... one of which is:
ipfw add 0104 deny log ip from 96.0.0.0/3 to any
And I know it's working because using ipfw list I get:
00104 deny log ip from 96.0.0.0/3 to any
Whenever that rule is active, it's blocking packets - ipfw show:
00104 21 1148 deny log ip from 96.0.0.0/3 to any
BUT various services stop working... so I look at /var/log/security and see NUMEROUS entries such as this:
Nov 1 10:30:00 server /kernel: ipfw: 104 Deny TCP 127.0.0.1:1051 127.0.0.1:80 out via lo0
Now I don't see anything in the rule about the localhost address, yet that's what it's blocking. But a little bit ahead of that rule, I do have this one:
ipfw add 082 divert natd all from any to any via fxp0
Would it help to put all the bogus network deny rules ahead of the divert rule? Stumped, Chris
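Two checks for the debugging method used across these IPFW threads, as an added example that is not part of any of the posts: summarising /var/log/security by rule, protocol, destination and interface, so the "log the deny-all, then add rules for what is legitimately being dropped" loop has something to work from, and computing the address range a prefix such as 96.0.0.0/3 actually covers, which is why the 127.0.0.1 hits above are attributed to rule 104. The log lines embedded in the script are constructed in the kernel's ipfw log format shown in Chris's message; the hosts and interfaces in them are made up.

```sh
#!/bin/sh
# Added example: summarise ipfw "Deny" log lines and check which addresses a
# prefix covers.  Log format follows the kernel's ipfw logging, e.g.
#   ... ipfw: 104 Deny TCP 127.0.0.1:1051 127.0.0.1:80 out via lo0

# Constructed sample of /var/log/security (hosts and interfaces are made up).
SAMPLE_LOG='Nov  1 10:30:00 gw /kernel: ipfw: 104 Deny TCP 127.0.0.1:1051 127.0.0.1:80 out via lo0
Nov  1 10:30:01 gw /kernel: ipfw: 104 Deny TCP 127.0.0.1:1052 127.0.0.1:80 out via lo0
Nov  1 10:30:02 gw /kernel: ipfw: 65000 Deny UDP 192.168.1.5:1029 192.168.1.1:53 in via ep1
Nov  1 10:30:03 gw /kernel: ipfw: 65000 Deny TCP 203.0.113.9:4411 192.168.1.1:139 in via ep0
Nov  1 10:30:04 gw /kernel: ipfw: 65000 Deny ICMP:8.0 192.168.1.5 198.51.100.7 in via ep1
Nov  1 10:30:05 gw /kernel: ipfw: 3000 Accept TCP 192.168.1.5:1030 198.51.100.7:80 in via ep1'

# summarize_denies: read log lines on stdin and print
#   count rule proto dst dst-port direction interface
# for every denied flow, busiest first.  Accept lines are ignored.
summarize_denies() {
    awk '
    {
        for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
        if (i > NF || $(i + 2) != "Deny") next
        rule = $(i + 1); proto = $(i + 3); dst = $(i + 5)
        dir = $(i + 6); ifc = $(i + 8); port = "-"
        if (proto == "TCP" || proto == "UDP") {
            n = split(dst, p, ":"); port = p[n]; dst = p[1]
        }
        cnt[rule " " proto " " dst " " port " " dir " " ifc]++
    }
    END { for (k in cnt) print cnt[k], k }' | sort -rn
}

# ip2int / int2ip: dotted quad <-> 32-bit integer (needs 64-bit sh arithmetic).
ip2int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# netmask LEN: integer mask for a prefix length 0..32
netmask() {
    [ "$1" -eq 0 ] && { echo 0; return; }
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# in_prefix ADDR NET/LEN: true if ADDR falls inside NET/LEN
in_prefix() {
    mask=$(netmask "${2#*/}")
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}

# prefix_range NET/LEN: print "first-last" address of the block
prefix_range() {
    mask=$(netmask "${1#*/}")
    first=$(( $(ip2int "${1%/*}") & mask ))
    echo "$(int2ip "$first")-$(int2ip $(( first | (4294967295 ^ mask) )))"
}

# sh ipfwlog.sh --demo   runs both checks on the constructed sample
case "${1-}" in
--demo)
    printf '%s\n' "$SAMPLE_LOG" | summarize_denies
    echo "96.0.0.0/3 = $(prefix_range 96.0.0.0/3)"
    ;;
esac
```

On a live box the summary is fed from the real log, for example "grep 'ipfw:' /var/log/security | summarize_denies", and the top entries are the candidates for either a new allow rule or a silent deny placed above the logging one.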
MozillaFirebird and Java
Hi, I thought I would've been the millionth person to ask this but I had a look in the archives and couldn't find anything so feel free to tell me to RTF relevant article. Can someone help me set up Java in MozillaFirebird? I've installed both MozillaFirebird and JDK14 from ports but on java enabled pages mozilla still doesn't use it. Get nag about needing application/x-java-vm. I don't see anything in the options that allows me to specify the exact path to Java. Wild guess, do I need to symbolic link the default Mozilla java location to /usr/local/jdk1.4.1/jre/bin/java? or is there something else? Help. Much appreciated, Phil.
RE: MozillaFirebird and Java
On Fri, Aug 22, 2003 at 01:59:29PM +0100, Philip Payne wrote: I thought I would've been the millionth person to ask this but I had a look in the archives and couldn't find anything so feel free to tell me to RTF relevant article. Can someone help me set up Java in MozillaFirebird? I've installed both MozillaFirebird and JDK14 from ports but on java enabled pages mozilla still doesn't use it. Get nag about needing application/x-java-vm. I don't see anything in the options that allows me to specify the exact path to Java. Wild guess, do I need to symbolic link the default Mozilla java location to /usr/local/jdk1.4.1/jre/bin/java? or is there something else? What you need is the java plugin -- it's a loadable object that adds java capabilities to Netscape, Mozilla and (I think) Mozilla derived browsers like Firebird. The plugin is a standard part of the JDK, except that the FreeBSD build of the plugin is disabled for JDK14 -- no one has committed patches to the code to allow it to build correctly on FreeBSD. To make this work, either install JDK13 (which will sit quite happily alongside JDK14), or go for one of the Linux versions of JDK14 and install a linux version of Firebird. Thanks... makes sense. I'll install JDK13. Cheers, Phil.
RE: MozillaFirebird and Java
On Fri, Aug 22, 2003 at 01:59:29PM +0100, Philip Payne wrote: What you need is the java plugin -- it's a loadable object that adds java capabilities to Netscape, Mozilla and (I think) Mozilla derived browsers like Firebird. The plugin is a standard part of the JDK, except that the FreeBSD build of the plugin is disabled for JDK14 -- no one has committed patches to the code to allow it to build correctly on FreeBSD. To make this work, either install JDK13 (which will sit quite happily alongside JDK14), or go for one of the Linux versions of JDK14 and install a linux version of Firebird. Just FYI to the list. I can confirm installing JDK13 instead of JDK14 allows MozillaFirebird to use java. Thanks, Phil.
RE: backup static routes for freebsd (default)
Hi, I have a gateway box running freebsd 4.8 and several links to the internet via different ISP's. This box is connected directly to one of the ISP's but also has access to the other gateways via the LAN. I would like to setup static backup (default) routes such that when and if the main link goes down, the default route for this box is automatically changed to point to another router on the LAN. I am having trouble implementing this on freebsd. Any ideas? First, I'm more of a router person than familiar with how FreeBSD calculates its routing table so the following is all guesswork from man route. The issue with static routes is that they rarely have any idea of the status of their destination but this can be fudged if you're using point-to-point interfaces e.g. DSL, leased line. In general terms what you'd be doing on a router is: 1) Have a default route directed out a point-to-point interface connected to the ISP (not the IP address) so that when the interface is down, the static route is removed from the live routing table. 2) Have a weighted default route via an alternative IP address. The weight implies this route is only used when the former default route is not available. I've read man route and I get the impression you can add a route via an interface rather than a destination with the switch -interface so your first step is to add a default route along the lines of route add default -interface int_name ... this is a guess as the man page isn't explicit. Also, I don't know whether this route remains live or is removed as required during a failure on the point-to-point interface you'd configure this to. It definitely won't work if your primary access method is a broadcast interface e.g. ethernet. Further, I can't find any details on adding a weight to a static route to create the secondary route so I'm not sure this is going to be possible via an automatic routing table kind of thing.
So... (getting to the point very slowly) The only other method I can think of would be a script to ping the far end addresses regularly in order. Depending on which one is up, you could inject a default route statement as required to the correct destination. I'd be interested in other suggestions as this doesn't sound entirely great as there are many other reasons than link failure why an address wouldn't be pingable. Thanks, Phil.
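The ping-driven fallback sketched at the end of this reply, as an added example that is not from the original thread: each candidate gateway is paired with an address beyond it, a host route pins that probe through the candidate (otherwise every ping would just follow whatever default route is currently installed and say nothing about the other paths), and the first path whose far end answers becomes the default route. The gateway and probe addresses are assumptions. It is still only reachability, so the caveat above stands: an address can be unpingable for reasons other than link failure, which is why the script leaves the routing table alone when nothing answers rather than flapping.

```sh
#!/bin/sh
# Added example: pick the first usable default gateway from a preference list
# and install it.  Each entry is GATEWAY:PROBE, where PROBE is an address on
# the far side of that gateway (an ISP resolver, say) rather than the
# gateway itself, so a LAN router whose upstream is down does not win.
# All addresses below are assumptions for the example.
CANDIDATES="192.168.1.254:198.51.100.1 192.168.1.253:203.0.113.1"

# pin_probe_routes: host routes force each probe out through its own
# candidate gateway; otherwise every ping would follow the current default.
pin_probe_routes() {
    for pair in $CANDIDATES; do
        route -q add -host "${pair#*:}" "${pair%%:*}" 2>/dev/null ||
            route -q change -host "${pair#*:}" "${pair%%:*}"
    done
}

# ping_probe HOST: one echo request, give up after 2 seconds (FreeBSD ping -t).
ping_probe() {
    ping -c 1 -t 2 "$1" >/dev/null 2>&1
}

# pick_gateway PROBE_FN: print the gateway of the first candidate whose probe
# address answers.  PROBE_FN is a function name so the selection logic can be
# exercised without a network.  Returns 1 if nothing answers.
pick_gateway() {
    for pair in $CANDIDATES; do
        if "$1" "${pair#*:}"; then
            echo "${pair%%:*}"
            return 0
        fi
    done
    return 1
}

# current_default: gateway of the installed IPv4 default route, if any.
current_default() {
    netstat -rn -f inet | awk '$1 == "default" { print $2; exit }'
}

# apply_default GW: change the default route only when it actually differs.
apply_default() {
    cur=$(current_default)
    [ "$cur" = "$1" ] && return 0
    if [ -n "$cur" ]; then
        route -q change default "$1"
    else
        route -q add default "$1"
    fi
    logger -t gwfailover "default route: ${cur:-none} -> $1"
}

# Run from cron every minute:  sh gwfailover.sh --apply
if [ "${1-}" = "--apply" ]; then
    pin_probe_routes
    if gw=$(pick_gateway ping_probe); then
        apply_default "$gw"
    else
        logger -t gwfailover "no candidate reachable; leaving routes alone"
    fi
fi
```

Because the probe host routes stay installed, traffic to those two addresses always leaves via their pinned gateway, so choose probe addresses that nothing else on the box needs to reach by the normal path.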
RE: NATD Port Forwarding Problems
Hi,

Hi all... I'm at a dead end here. I'm trying to setup my firewall/nat box to forward requests on externalIP:portA to internalPC:portB. I put 'natd_flags=-redirect_port tcp 1internalPC:portB portA' in my rc.conf file, and I have the following three statements in my rc.firewall script:
ipfw add divert 8668 all from any to any via $EXTERNAL_INTERFACE
ipfw add pass all from $LOCALNET_1 to any via $EXTERNAL_INTERFACE out
ipfw add pass all from any to $LOCALNET_1 via $EXTERNAL_INTERFACE in

Hmmm my first thought is the line:
ipfw add pass all from $LOCALNET_1 to any via $EXTERNAL_INTERFACE out
... wouldn't the outgoing internal packets be going via an internal interface first?... are they allowed out properly somewhere else in your rulebase? If that's not it, my suggestion would be to temporarily switch on logging against those two pass rules for the internal host, any deny rules you have and if you don't have one already, a generic logging deny all as a final rule. These logs should tell you whether any traffic is being blocked and give an indication as to whether the nat is working properly. If your site is too busy to grab that much logging then as an alternative you could switch to a completely open ruleset (with NAT enabled) and this would allow you to tell whether it's the firewall rulebase or not. Phil.
RE: CVSUP
I have a question about cvsup. I read the manual and can update my ports with no problem. Here is my question though... what if I was to change the Makefile for a port? Is there a way I can still use CVSup to update my ports and merge the changes I made in the old Makefile with the new Makefile instead of having cvsup just delete the old one. I guess it would depend on the changes you were making but is the file /usr/local/etc/pkgtools.conf any use? If not, then I think mirroring the CVS tree is probably the way to go. Phil.
RE: How to remove ^M character
Hi, I ftp'd a file from windows to freebsd, now every line has ^M at its end. Is there some command in vi (or some way) by which ^M can be removed. Thanks Anil. At the vi command line:
:1,$s/^M//
(to get the ^M control character, type ctrl-v then ctrl-M). Basically it's just saying from line 1 to end ($) search for ctrl-M and replace with nothing. Get this all the time when working with people who write router configs on their windblows machines and send them to me. Phil.
RE: How to get the software
Hi, Hi all of the FreeBSD team, I'm from Indonesia, and I'm interested in the software, if it is free software then where can I get it and download it? Globally I'm still learning the basics of the system, may I know the address to download FreeBSD software. Thank you. As per anything new, take your time to read and understand first. Go to http://www.freebsd.org and take the links to the handbook. This will tell you everything you need to know about preparation and installing FreeBSD and where to download it. As per the other poster stick with the STABLE version if you are new to this. As someone who first installed FreeBSD only a couple of years ago and with no one around to help, I can assure you the handbook is well written and teaches you almost all you need to know... so take your time and use it. With the help of people on this list I'm yet to find a problem that wasn't solvable. Good luck, Phil.
RE: Changing gnome fonts from KDE
Hi, Does anyone know how to change gnome fonts from KDE/command-line? I tried running gnome-control-center, which worked, but only the fonts for the control center and gthumb have changed. I posted recently about this. Look for subject "Changing GTK fonts outside gnome" in the archive. It may be relevant to what you're trying. Wasn't the easiest option though. Regards, Phil.
RE: Why must I use firewall ?
Hi, So far, I know a firewall is a choice when I want to protect my boxes from crackers but my question is if I close the services I don't use (such as port 25 for SMTP) so the cracker out there can't attack, what's the reason a firewall comes into play? From a general viewpoint the more levels of security the better. i.e. shutting down the service = good, shutting down the service + filtering out unwanted traffic at the network edge (firewall) = better, shutting down the service + filtering out the unwanted traffic (firewall) + observing internal traffic for odd things (IDS) = even better. Firewalls are generally positioned at network gateways, whereas servers are generally within the network. This means carrying out security at the firewall is much easier as it is the focal point for all network traffic. Firewalls generally have a much better logging ability, this is again helped by their positioning in the network. Logging will be important in the post-cracking examination of what went wrong. More importantly, you shouldn't be thinking "Should I use a firewall?" you should be thinking "what should my security model look like?" Firewalls are only a security tool to be used in addition to correct configuration of the server, security audits, IDS, penetration tests, account/password management and business practices/procedures. However any security procedure you put in place must be cost effective i.e. The cost of your security hardware/procedure/implementation must be less than the cost of total destruction of your data and its replication in a disaster recovery procedure (1 times, 2 times or 3 times... your choice as to how often you think this will happen). Hope those general comments help. Phil.
RE: Selling FreeBSD
Paul Robinson ([EMAIL PROTECTED]) [030606 19:09]: If they aren't enthusiastic, it's because it's not solving any problems for them. The fact it works great as a high-traffic MX or HTTP server isn't something most businesses need. As for desktop use, well, it does suck compared to something like Mandrake for an average run-of-the-mill office worker. Even Mandrake sucks a little bit compared to Windows XP these days. I would question that. I just set my highly non-technical wife up with FreeBSD 4.8, KDE 3.1, Mozilla Firebird 0.6 (Linux binary) and OpenOffice.org 1.0.3 (Linux binary, as mentioned on this list ;-). It does require an administrator to at least run the ports or packages, but any office network will need an administrator. The only thing still missing is a drop-in replacement for Outlook. Other than that, it's probably more usable than Windows, and a Windows user should have no trouble. It works like Windows, but it doesn't crash! I have to back this up. My wife (a midwife) is totally non technical. She wants a computer to do office type stuff, send email to her family and do home-shopping (so POP3 email, docs for letters and opening word docs from others, web browsing). A combination of FreeBSD, KDE, KMAIL as I couldn't get evolution to install and OpenOffice + switch on the Redmond behaviour and style in KDE and she came out with the quote: So... this was all free... but it's great... how come the software for our other computer (windows) costs hundreds of pounds?... how can they get away with that Kind of says it all. OK, for an office you'd need an administrator to update the source/ports... but every office needs an administrator. NIS is a decent enough replacement for a windows domain. NFS/Samba for network shares. IPFW as a replacement for your Firewall-1 even. I keep trying different Linux distros and they install great... then every time I get to installing packages I just come running back to FreeBSD. 
People keep bigging up Linux's better hardware support but I'm yet to find an office computer I couldn't install FreeBSD on; if you don't want 3d gaming you're sorted. I really can't think of a decent reason to go with Linux... the added support services someone like Suse or RedHat provide could be important to some corporations. Am I missing some obvious advantage about Linux and why it's so popular or is it all hype? Phil.
RE: How to add more swap space?
Hi, Hi all... I found this () I have a FBSD 4.7 system... is this article still ok or even the best way to go? Any ideas welcome. Keith. There's a specific chapter in the handbook on adding swap... which includes a section on using a swapfile as you detailed: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/adding-swap-space.html Phil.
What the simplest way to do outgoing smtp?
Hi, This is a pretty basic question so I don't mind if the answer is an RTFM style link. ;-) I recently obtained some 3rd party POP3 mailboxes unrelated to my current ISP for email to a new domain... unfortunately my ISP's smtp server doesn't let me send any email addressed as anything other than its own users, fair enough. I use FreeBSD as a network gateway and IPFW device but I'm a bit of an SMTP novice really. How and what can I configure to act as a sending SMTP server simply on FreeBSD? I don't need to receive email, the 3rd party will do that and host the POP3 collection, but I need to be able to send email locally via something other than my ISP's smtp server. The reason I want to do it this way is that the IP address of my FreeBSD box is DHCP and subject to change, so it isn't suitable as the primary MX record for the new domain. Thanks muchly, Phil.
Xfree86 help required since upgrade.
Hi, I recently upgraded Xfree4 via portupgrade (portupgrade -a) and I now have a problem. It appears X will only work in 8-bit mode. Before, my XF86Config specified the default bit depth as 24 and X was fine. Now X fails to start at anything over 8-bit... I mean, it starts... it just hangs after a lot of disk activity. Briefly, I'm running FreeBSD 4.X-Stable on a PC with an nvidia card and the nvidia driver from /usr/ports/x11/nvidia-driver and the latest version of Xfree4 from ports. I appreciate the nvidia driver is beta and could be the root cause of this problem but I've been using that driver for some time with no problems so far. I'm definitely no X-pert. I can work my way through an XF86Config file and X error log but that's about it. Nothing I can immediately identify in /var/log/Xfree86.0.log to cause the problem (that's not to say there isn't something in there). My question is: a) Is there anyone out there willing to help me resolve this? b) What information (hardware, config files) do you need to help me out? Let me know, by reply individually if you don't want to spam the list and I'll send everything relevant in one go. Thanks a lot, Phil.
RE: Dual homed host routing problem
I'm running FreeBSD 4.7-RELEASE and I have trouble routing between two NICs. On one side I have a 192.168.1.0/24 network and on the other a 212.110.94.64/27 network on which I have mail and web servers, which the 192.168.1.0/24 hosts should be able to reach. Here are the ifconfig and netstat -r outputs:

wb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 212.110.94.84 netmask 0xffffffe0 broadcast 212.110.94.95
        inet6 fe80::280:48ff:feb5:af3%wb0 prefixlen 64 scopeid 0x1
        ether 00:80:48:b5:0a:f3
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::202:44ff:fe4f:958e%rl0 prefixlen 64 scopeid 0x2
        ether 00:02:44:4f:95:8e
        media: Ethernet autoselect (10baseT/UTP)
        status: active

Routing tables
Internet:
Destination        Gateway            Flags    Refs  Use  Netif Expire
default            212.110.94.65      UGSc        4    0  wb0
localhost          localhost          UH          0    0  lo0
192.168.1          link#2             UC          1    0  rl0
192.168.1.255      ff:ff:ff:ff:ff:ff  UHLWb       1   45  rl0
212.110.94.64/27   link#1             UC          8    0  wb0

and I have net.inet.ip.forwarding set to 1. How do I get my box to route packets between the two interfaces 192.168.1.1 and 212.110.94.84?

It may not be the actual dual-homed box's issue. For this to work completely, the devices on the two networks you mention must also have the correct routing. So, devices on 192.168.1.0/24 must have a route for 212.110.94.64/27 via 192.168.1.1... most probably a default route as I assume the devices on 192.168.1.0/24 are reaching the net via this box. In addition, any device on 212.110.94.64/27 that is supposed to reach 192.168.1.0/24 devices must route 192.168.1.0/24 via 212.110.94.84.
RE: [URGENT] Bad MX record; very bad.
Hi,

I don't know how much you know about DNS so if I aim too low then ignore me otherwise read on for a full explanation.

I strongly suspect you're suffering from the fact that your old address is simply cached on various resolvers around the internet and you've just got to wait until it times out but I'll show how to check.

$ORIGIN terrabionic.com.
$TTL    86400
@       IN SOA  ns1.terrabionic.com. johann.ninja.terrabionic.com. (
                        2003011901      ; Serial
                        10800           ; Refresh
                        3600            ; Retry
                        604800          ; Expire
                        86400 )         ; Minimum TTL
        IN A    213.187.181.68
        IN NS   ns1.terrabionic.com.
        IN NS   ns2.terrabionic.com.
www     IN CNAME terrabionic.com.
ninja   IN A    213.187.181.68
ninja6  IN      3ffe:4008:1b::1200
ns1     IN A    213.187.181.68
ns2     IN A    209.98.239.41
        IN MX   ninja.terrabionic.com.

You should have dig on your freebsd machine right so you can check this out. I notice on my own ISP's resolver that

---
happyclown> dig @158.43.128.1 ninja.terrabionic.com a

; <<>> DiG 8.3 <<>> @158.43.128.1 ninja.terrabionic.com a
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUERY SECTION:
;;      ninja.terrabionic.com, type = A, class = IN

;; ANSWER SECTION:
ninja.terrabionic.com.  10h44m25s IN A  217.13.29.51

;; Total query time: 1 msec
;; FROM: happyclown.cbg.eng.emea.uu.net to SERVER: 158.43.128.1  158.43.128.1
;; WHEN: Fri Mar 14 09:40:18 2003
;; MSG SIZE  sent: 39  rcvd: 55
---

gives me a result that ninja is 217.13.29.51 (your old address) but the important thing to note is the 10h44m25s... this is the time left that this resolver will cache that record for. Until that time has passed this resolver simply will not bother even to check whether a new record exists.

The way to check if the correct record will be propagated to this resolver when the record times out is to query the authoritative nameservers for the domain.
You can tell what the authoritative nameservers are by doing:

---
happyclown> dig @a.gtld-servers.net terrabionic.com ns

; <<>> DiG 8.3 <<>> @a.gtld-servers.net terrabionic.com ns
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
;; QUERY SECTION:
;;      terrabionic.com, type = NS, class = IN

;; ANSWER SECTION:
terrabionic.com.        2D IN NS        ns1.terrabionic.com.
terrabionic.com.        2D IN NS        ns2.terrabionic.com.

;; ADDITIONAL SECTION:
ns1.terrabionic.com.    2D IN A         213.187.181.68
ns2.terrabionic.com.    2D IN A         209.98.239.41

;; Total query time: 87 msec
;; FROM: happyclown.cbg.eng.emea.uu.net to SERVER: a.gtld-servers.net  192.5.6.30
;; WHEN: Fri Mar 14 09:49:26 2003
;; MSG SIZE  sent: 33  rcvd: 101
---

So, ns1 and ns2 should be carrying records for terrabionic.com. If I query one of those name servers I should get an authoritative answer:

---
happyclown> dig @213.187.181.68 terrabionic.com mx

; <<>> DiG 8.3 <<>> @213.187.181.68 terrabionic.com mx
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; QUERY SECTION:
;;      terrabionic.com, type = MX, class = IN

;; ANSWER SECTION:
terrabionic.com.        10h39m14s IN MX 10 ninja.terrabionic.com.

;; AUTHORITY SECTION:
terrabionic.com.        10h30m27s IN NS ns1.terrabionic.com.
terrabionic.com.        10h30m27s IN NS ns2.terrabionic.com.

;; ADDITIONAL SECTION:
ninja.terrabionic.com.  10h30m27s IN A  217.13.29.51
ns1.terrabionic.com.    10h30m27s IN A  217.13.29.51
ns2.terrabionic.com.    1d10h30m27s IN A  209.98.239.41

;; Total query time: 63 msec
;; FROM: happyclown.cbg.eng.emea.uu.net to SERVER: 213.187.181.68  213.187.181.68
;; WHEN: Fri Mar 14 09:54:17 2003
;; MSG SIZE  sent: 33  rcvd: 139
---

Notice the flags section... if this name server was carrying an actual zone for this domain you would get an aa flag.
I don't so it's probably secondaried to this machine and unfortunately the ninja.terrabionic.com still reads as the old address so... solution:

1) Update the serial number in your zonefile so you ensure the secondary picks up the new zone and hopefully the new address for ninja as you seem to have this specified correctly in the zonefile from the email.

2) Also, the ordering of entries in your zonefile is bad, in its original order you're specifying an mx record for ns2.terrabionic.com instead
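Added example, not from the thread: a minimal zone-file reader that applies the rule behind point 2 above (a record line with a blank owner field inherits the previous owner), plus a check of dig's flags line for the aa flag discussed earlier. The zone text is constructed from the record order in the post with the SOA collapsed onto one line and an MX preference of 10 as seen in the dig output; the helper names are this example's own.

```python
# Constructed zone text in the record order of the post (SOA collapsed
# onto one line); the final MX line has no owner name.
ZONE_AS_POSTED = """\
$ORIGIN terrabionic.com.
$TTL 86400
@       IN SOA   ns1.terrabionic.com. johann.ninja.terrabionic.com. 2003011901 10800 3600 604800 86400
        IN NS    ns1.terrabionic.com.
        IN NS    ns2.terrabionic.com.
ninja   IN A     213.187.181.68
ns1     IN A     213.187.181.68
ns2     IN A     209.98.239.41
        IN MX    10 ninja.terrabionic.com.
"""

def qualify(name, origin):
    """'@' is the origin; a relative name gets the origin appended."""
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text):
    """Return [(owner, type, rdata)]; a blank owner field repeats the previous owner."""
    origin, last_owner, records = ".", None, []
    for raw in text.splitlines():
        line = raw.split(";")[0].rstrip()            # drop comments
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
        if not line.strip() or line.startswith("$"):  # blank or directive
            continue
        fields = line.split()
        if line[0].isspace():                        # owner field left blank
            owner = last_owner
        else:
            owner = last_owner = qualify(fields.pop(0), origin)
        if fields[0].upper() == "IN":                # optional class
            fields.pop(0)
        records.append((owner, fields[0].upper(), " ".join(fields[1:])))
    return records

def owners_of(records, rtype):
    return [owner for owner, t, _ in records if t == rtype]

def move_mx_to_apex(text):
    """Point 2 of the reply: put the owner-less MX line under the apex NS records."""
    lines = text.splitlines()
    mx = next(l for l in lines if " MX " in l)
    lines.remove(mx)
    last_apex = max(i for i, l in enumerate(lines) if l[:1].isspace() and " NS " in l)
    lines.insert(last_apex + 1, mx)
    return "\n".join(lines) + "\n"

def is_authoritative(dig_output):
    """True when dig's ';; flags:' line carries 'aa' (answer served from a zone, not a cache)."""
    for line in dig_output.splitlines():
        if line.startswith(";; flags:"):
            return "aa" in line[len(";; flags:"):].split(";")[0].split()
    return False
```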
RE: CVSUP of 4.7 only?
Hi,

CVS Tag list: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cvs-tags.html

Phil.

-----Original Message-----
From: Tuc [mailto:[EMAIL PROTECTED]]
Sent: 21 February 2003 14:08
To: [EMAIL PROTECTED]
Subject: CVSUP of 4.7 only?

Hi,

I have :

*default release=cvs tag=RELENG_4

in my stable-supfile, and on one machine all of a sudden on the last update I have :

FreeBSD vjofn.ttsg.com 4.8-PRERELEASE FreeBSD 4.8-PRERELEASE #1: Thu Feb 20 13:52:11 EST 2003 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/VJOFN i386

Here's my problem. I've been CVSUPing machines with RELENG_4, is there a way I can continue only with the 4.7 tree? I tried :

*default release=cvs tag=RELENG_4_7

and it looked like it was re-checking out everything. Does that mean it was getting 4.7 as it was first released, and when I did RELENG_4 it was 4.X as current as it was? Is there another tag for 4.7 most current?

Thanks, Tuc/TTSG Internet Services, Inc.

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message
RE: CVSUP of 4.7 only?
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cvs-tags.html
>
> So if I read it right:
>
> RELENG_4_7_0_RELEASE - First ever 4.7 release. Oldest and never updated past that day it was tagged
> RELENG_4_7 - More current than _RELEASE, but only with critical updates.
> RELENG_4 - More current than 4_7, has non critical updates and tweaks, but doesn't guarantee it being 4_7 branch.

Sounds right.

> So there isn't a way to make sure I stay in 4.7, but get all the fixes, right?

Well... that would surely be RELENG_4_7 i.e. the 4.7 release + security fixes required. As soon as you want general updates to the system then you're talking about moving from 4.7-Release onto the 4-Stable branch.

I'm no FreeBSD developer so if someone wants to explain better what each of the tags means feel free.

Phil.
FreeBSD 5.0 tunnelling X through SSH
Hi,

Can anyone suggest a reason why I might see the following problem.

Two remote FreeBSD machines. Box-1 is running 4.X-Stable and Box-2 is running 5.0-RELEASE. The same sshd_config on both. I'm ssh'ing to them from box-3 which is another 4.x-stable machine.

If I ssh from box-3 to box-1 (4.X-Stable) I can tunnel X through ssh and start X based APPS that appear on box-3's local display. Great.

If I ssh from box-3 to box-2 (5.0-Release) I cannot start X based APPS. This appears to be because the DISPLAY variable does not get set when I log in.

Any help is much appreciated. Attached below is the sshd_config being used on both machines.

Thanks,
Phil.

---
# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

# Note that some of FreeBSD's defaults differ from OpenBSD's, and
# FreeBSD has a few additional options.
#VersionAddendum FreeBSD-20021029

#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 120
#PermitRootLogin no
#StrictModes yes

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys

# rhosts authentication should not be used
#RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable PAM authentication
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#AFSTokenPassing no

# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no

#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes

#MaxStartups 10
# no default banner path
#Banner /some/path
#VerifyReverseMapping no

# override default of no subsystems
Subsystem       sftp    /usr/libexec/sftp-server

X11Forwarding yes
X11DisplayOffset 10
X11UseLocalHost yes
IgnoreRhosts yes
RhostsRSAAuthentication no
RhostsAuthentication no
IgnoreUserKnownHosts no
PrintMotd no
StrictModes yes
RSAAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication yes
RE: Updating Procedure
> I was wondering can anyone tell me the correct procedure for updating my sources to the current 4.7 source.

If you haven't already I can recommend reading the following chapter in the Handbook

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cutting-edge.html

I'd never attempted building the source on FreeBSD or used CVSUP before reading this chapter. It contained everything that was required. There is a specific section on using make buildworld and the correct procedure for rebuilding a FreeBSD machine.

Phil.
RE: help
Also, scbus and da are required to build including umass.

Phil.

-----Original Message-----
From: Andrew Y Ng [mailto:[EMAIL PROTECTED]]
Sent: 09 January 2003 15:30
To: jeremy
Cc: [EMAIL PROTECTED]
Subject: Re: help

i saw one problem at least, device ed requires device miibus and it was commented out.

/ayn

On 0, jeremy [EMAIL PROTECTED] wrote:

i am running freebsd 4.5 and i can not compile my kernel i get Stop in /usr/src/sys/compile/MYKERNEL. here is my kernel file any help would be nice thanks jeremy

#
# GENERIC -- Generic kernel configuration file for FreeBSD/i386
#
# For more information on this file, please read the handbook section on
# Kernel Configuration Files:
#
#    http://www.FreeBSD.org/handbook/kernelconfig-config.html
#
# The handbook is also available locally in /usr/share/doc/handbook
# if you've installed the doc distribution, otherwise always see the
# FreeBSD World Wide Web server (http://www.FreeBSD.org/) for the
# latest information.
#
# An exhaustive list of options and more detailed explanations of the
# device lines is also present in the ./LINT configuration file. If you are
# in doubt as to the purpose or necessity of a line, check first in LINT.
#
# $FreeBSD: src/sys/i386/conf/GENERIC,v 1.246.2.37 2001/12/19 18:34:45 iedowse Exp $

machine         i386
#cpu            I386_CPU
#cpu            I486_CPU
#cpu            I586_CPU
cpu             I686_CPU
ident           GENERIC
maxusers        19

#makeoptions    DEBUG=-g                #Build kernel with gdb(1) debug symbols

#options        MATH_EMULATE            #Support for x87 emulation
options         INET                    #InterNETworking
options         INET6                   #IPv6 communications protocols
options         FFS                     #Berkeley Fast Filesystem
options         FFS_ROOT                #FFS usable as root device [keep this!]
options         SOFTUPDATES             #Enable FFS soft updates support
options         UFS_DIRHASH             #Improve performance on big directories
options         MFS                     #Memory Filesystem
options         MD_ROOT                 #MD is a potential root device
options         NFS                     #Network Filesystem
options         NFS_ROOT                #NFS usable as root device, NFS required
options         MSDOSFS                 #MSDOS Filesystem
options         CD9660                  #ISO 9660 Filesystem
options         CD9660_ROOT             #CD-ROM usable as root, CD9660 required
options         PROCFS                  #Process filesystem
options         COMPAT_43               #Compatible with BSD 4.3 [KEEP THIS!]
options         SCSI_DELAY=15000        #Delay (in ms) before probing SCSI
options         UCONSOLE                #Allow users to grab the console
options         USERCONFIG              #boot -c editor
options         VISUAL_USERCONFIG       #visual boot -c editor
options         KTRACE                  #ktrace(1) support
options         SYSVSHM                 #SYSV-style shared memory
options         SYSVMSG                 #SYSV-style message queues
options         SYSVSEM                 #SYSV-style semaphores
options         P1003_1B                #Posix P1003_1B real-time extensions
options         _KPOSIX_PRIORITY_SCHEDULING
options         ICMP_BANDLIM            #Rate limit bad replies
options         KBD_INSTALL_CDEV        # install a CDEV entry in /dev

# To make an SMP kernel, the next two are needed
#options        SMP                     # Symmetric MultiProcessor Kernel
#options        APIC_IO                 # Symmetric (APIC) I/O

device          isa
#device         eisa
device          pci

# Floppy drives
device          fdc0    at isa? port IO_FD1 irq 6 drq 2
device          fd0     at fdc0 drive 0
device          fd1     at fdc0 drive 1
#
# If you have a Toshiba Libretto with its Y-E Data PCMCIA floppy,
# don't use the above line for fdc0 but the following one:
#device         fdc0

# ATA and ATAPI devices
device          ata0    at isa? port IO_WD1 irq 14
device          ata1    at isa? port IO_WD2 irq 15
device          ata
device          atadisk                 # ATA disk drives
device          atapicd                 # ATAPI CDROM drives
device          atapifd                 # ATAPI floppy drives
device          atapist                 # ATAPI tape drives
options         ATA_STATIC_ID           #Static device numbering

# SCSI Controllers
#device         ahb             # EISA AHA1742 family
#device         ahc             # AHA2940 and onboard AIC7xxx devices
#device         amd             # AMD 53C974 (Tekram DC-390(T))
#device         isp             # Qlogic family
#device         ncr             # NCR/Symbios Logic
#device         sym             # NCR/Symbios
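Added example, not from the thread: a small checker that reads a kernel config in the GENERIC format and reports enabled devices whose prerequisites are commented out or absent, which is the class of mistake both replies point at (ed without miibus, umass without scbus and da). The config excerpt is constructed for this example and the dependency table is an assumption seeded only from the two requirements stated above.

```python
# Constructed excerpt in GENERIC's format carrying the two problems the
# replies name: miibus commented out while ed is enabled, and umass
# enabled without scbus and da.
CONFIG_SNIPPET = """\
machine         i386
cpu             I686_CPU
ident           MYKERNEL
options         INET                    #InterNETworking
device          isa
device          pci
#device         miibus                  # MII bus support
device          ed                      # NE[12]000, SMC Ultra, 3c503, DS8390 cards
device          usb                     # USB Bus (required)
device          umass                   # Disks/Mass storage - Requires scbus and da
"""

# Dependency table assumed for this example, seeded from the two
# requirements stated in the thread.
REQUIRES = {
    "ed": {"miibus"},
    "umass": {"scbus", "da"},
}

def parse_config(text):
    """Split device names into (enabled, commented_out) sets."""
    enabled, commented = set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        is_comment = line.startswith("#")
        fields = line.lstrip("#").split()
        if len(fields) < 2 or fields[0] != "device":
            continue
        name = fields[1].rstrip("0123456789")     # "ata0" -> "ata"
        (commented if is_comment else enabled).add(name)
    return enabled, commented

def missing_dependencies(text, requires=REQUIRES):
    """For each enabled device, the required devices it lacks, tagged
    'commented out' or 'absent' so the fix is obvious."""
    enabled, commented = parse_config(text)
    problems = {}
    for dev in sorted(enabled):
        missing = requires.get(dev, set()) - enabled
        if missing:
            problems[dev] = {m: "commented out" if m in commented else "absent"
                             for m in sorted(missing)}
    return problems

def fixed_snippet():
    """The same excerpt with miibus enabled and scbus/da added."""
    return (CONFIG_SNIPPET.replace("#device", "device ", 1)
            + "device          scbus\ndevice          da\n")
```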