Updating OpenSSL ...

2004-05-26 Thread Shaun T. Erickson
I'd like to install the OpenSSL port, and stay current with it in the 
future. It isn't clear to me what I have to do to have the system use 
the port, instead of what's in the base, and what I'll need to rebuild 
after installing the port.

-ste
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


5.2.1: Wireless X questions

2004-05-19 Thread Shaun T. Erickson
Ok. I installed 5.2.1 on a laptop last night, which went quite nicely. 
During the install, it detected my wireless card, just fine. It wanted 
to dhcp for it, but that (correctly) failed, as my net uses wep. So, it 
punted me to the manual interface configuration screen, where I was 
easily able to tell it everything it needed to successfully get me on 
the air. I was a happy camper. :)

Questions:
1) How do I tell the system the ssid, wepmode, and key, and then have it 
get everything else via dhcp?

2) How do I *easily* handle multiple wireless nets? I will be using the 
laptop on a number of them.

3) How do I tell the system to cope, when I put a wired card in, instead 
of a wireless card, and I just want it to get me on the air with dhcp?

4) It's a Dell Latitude CPx J. How do I configure X on it? That's 
really two questions ... I skipped the X setup during install, and don't 
know how to get back to that configuration screen, and I don't know 
anything about the video card and screen in the laptop. From the Dell 
support site's original configuration specs for this specific laptop, it 
 says this about the screen: Part# 4564E, Description: Liquid Crystal 
Display, TFT, 14.1, CRNA, Samsung.

TIA,
-ste


Re: How to allow 'User-A' to burn CD

2004-05-17 Thread Shaun T. Erickson
You will have to install the
security/sudo port and read up
on the sudoers(5) manual page and the visudo(8)
application used to
edit that file.
What do these numbers (5) and (8) refer to?  Page
number?
They refer to the section of the manual. To read them, issue these commands:
man 5 sudoers
man 8 visudo
-ste


Re: FreeBSD 4.7 Syslogs

2004-05-16 Thread Shaun T. Erickson
Sunil Sunder Raj wrote:
Just give 777 permissions to /var/log/messages
This is BAD advice, and you should NOT follow it. If you do, you will 
give anyone the ability to modify or delete your log entries, which you 
do NOT want. Find and fix the actual problem; don't bypass the symptom 
with something that reduces system security.

-ste


Re: FreeBSD 4.7 Syslogs

2004-05-16 Thread Shaun T. Erickson
Sunil Sunder Raj wrote:
Hi,
I did not mean to change the permissions to 777 permanently. Just to 
come to a conclusion on whether it is a permission problem. As 90% unix 
problems are related to permissions.
Then you should have said so. But you did not - you simply told an 
admitted noob to set the permissions to 777, without any explanation. 
He might have done that, and if it had fixed his problem, he might have 
left it that way, thinking everything was solved - but with his logfile 
open to attack.

Please think about the advice you give, and whom you are giving it to, 
before you give it.

-ste
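
A check in the spirit of the two replies above, added here as an example and not part of the original thread: it lists log files that non-owners can write to, and log directories that are world-writable without the sticky bit (where anyone can delete or rename files whatever their own mode). The function names and the directory you pass in are assumptions.

```shell
#!/bin/sh
# Added example: audit a log directory for permissions that let
# non-owners tamper with logs. Function names are hypothetical.

# Run find with the given tests and print "<label> <mode> <path>" per match.
_report() {
    label=$1; shift
    find "$@" -exec sh -c '
        label=$1; shift
        for f do
            mode=$(ls -ld -- "$f" | cut -d" " -f1)
            printf "%s %s %s\n" "$label" "$mode" "$f"
        done' sh "$label" {} +
}

# Usage: audit_log_perms /var/log
# Prints findings and returns 1 if any exist, 0 if clean, 2 on bad input.
audit_log_perms() {
    dir=$1
    [ -d "$dir" ] || { echo "audit_log_perms: not a directory: $dir" >&2; return 2; }
    findings=$(
        # World-writable files: any local user can rewrite or truncate them.
        _report CRITICAL "$dir" -type f -perm -002
        # Group-writable only: worth reviewing who is in the owning group.
        _report WARN "$dir" -type f -perm -020 ! -perm -002
        # World-writable directory without the sticky bit: any local user
        # can delete or replace the files inside it.
        _report CRITICAL "$dir" -type d -perm -002 ! -perm -1000
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

A file set to 777 for a quick test and then forgotten shows up as a CRITICAL line, so the check suits a periodic job.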


chkrootkit says 'date' is infected

2004-05-13 Thread Shaun T. Erickson
I just installed and ran the chkrootkit port on my 5.2.1-RELEASE-p5 
system. It says my date command is infected. Nothing else, just that. 
How can I determine if this is a false positive or if I'm truly hacked?

-ste


Need vinum info/advice, fast.

2004-04-21 Thread Shaun T. Erickson
A client has hired me to do some work, part of which is replacing Red 
Hat 9, which is end-of-lifed at the end of this month. I'd convinced him 
to let me install FreeBSD, right up until I told him that - to my 
knowledge - you cannot trivially set up software raid on FreeBSD, during 
install, as you can with Red Hat Linux.

I'm supposed to build the new server tomorrow. *Is* there any way I can 
set up software raid of two ide disks, during install, and for all 
partitions? This is just to mirror the system disk, so that we can avoid 
downtime, and going to backups in case of a disk failure. If it can be 
done, how do I do it? I've never used vinum before, and only know what 
it is, but nothing about it.

I wish I had more than one night to figure this out, but I don't. If it 
isn't FreeBSD, he's going to likely want me to install Fedora Core 2 
Linux, instead.

TIA,
-ste


Re: Need vinum info/advice, fast.

2004-04-21 Thread Shaun T. Erickson
Greg 'groggy' Lehey wrote:

On Wednesday, 21 April 2004 at 18:28:47 -0400, Bill Moran wrote:

I believe this is still valid:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/vinum-root.html
Thanks. I just read that chapter, and, while it makes some sense, it 
didn't tell me anything about how to do mirroring during install, or how 
to mirror an existing drive after installation of the OS.

I don't see anything incorrect in it.  You may find the description at
http://www.vinumvm.org/cfbsd/vinum.pdf easier to understand.
Thanks. Will read that now, and then post any questions I have.

I appreciate the rapid responses, guys. :)

-ste


Re: Need vinum info/advice, fast.

2004-04-21 Thread Shaun T. Erickson
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/vinum-root.html 

http://www.vinumvm.org/cfbsd/vinum.pdf
Ok. I've read both documents, which were quite educational. Thanks. :)

It seems that what I want to do is install to the first system disk, as 
normally, and then convert that disk to a vinum disk, using the method 
described starting on page 237 of the above vinum.pdf.

The steps aren't entirely clear to me, after that, as to how to make the 
second disk a vinum drive that is a mirror of the first.

Do I just partition it as normally, but saying that the partition types 
are type vinum? Then do I format those new partitions, and then describe 
the volume, plexes and subdisks in the configuration file, adding each 
subdisk to the existing setup so it will mirror? Do I ever even have to 
format those partitions, or does vinum just recreate the filesystems bit 
by bit?

I'm not sure I'm asking the right questions. Pointers are most welcome. :)

-ste


Re: nslookup

2004-04-15 Thread Shaun T. Erickson
Brian Henning wrote:

is there a bsd tool that gives the domain name of an IP address? 
host?

nslookup?

-ste


/proc

2004-04-12 Thread Shaun T. Erickson
One of the things I really miss from my Linux system, is the /proc 
directory structure, where I could easily find out so much about my 
system and, in some cases, modify it.

Is there a way I can get such a thing under FreeBSD 5.2.1-RELEASE-p4?

-ste


Re: How can I remove this file ?

2004-04-10 Thread Shaun T. Erickson
Nick wrote:
-Original Message-
From: [EMAIL PROTECTED] [mailto:owner-freebsd-
[EMAIL PROTECTED] On Behalf Of Supote Leelasupphakorn
Sent: Friday, April 09, 2004 7:41 AM
To: [EMAIL PROTECTED]
Subject: How can I remove this file ?
Hi lists

 How can I delete file named prefix with - ?

TIA
Pote


rm ./-file
rm -- -file

-ste


OT: how do I get this to link?

2004-04-02 Thread Shaun T. Erickson
I'm trying to port a program to FreeBSD 5.2.1-RELEASE-p4, from Linux. 
First, I haven't tried to do anything like this since college, which was 
a looong time ago, so please forgive my ignorance ...

I can't get the program to link. In the output below, the things that 
c-client4.a is complaining about are found in the pam and ssl libs 
earlier in the line (I grep'd for a number of them, in /usr/lib/*.a, and 
they were found in those two libs). I have tried many different ways of 
ordering the libs, and this is the one that produces the least undefined 
references. I have all the libs found in /usr/lib first and the libs 
from /usr/local/lib second.

I'm pulling my hair out trying to get this to work. Can someone help me 
figure this out please?

Here's the output:

peter# make
gcc -c filtercmd.c 
-DSQUIRRELMAILCONFIGFILE='/usr/local/www/squirrelmail/config/config.php'
gcc -c checkcreds_cclient.c  -I/usr/local/include/c-client 
'-DMAIL_H=mail.h' '-DLINKAGE_C=linkage.c' -DIMAP_TIMEOUT=2 
'-DMAILBOXFLAGS=/norsh/tls/novalidate-cert'
gcc -o filtercmd filtercmd.o checkcreds_cclient.o -lpam -lssl -lcrypt 
-lkrb5 -lcom_err -lz -lcrypto -L/usr/local/lib -lc-client4 -lgssapi_krb5 
-lk5crypto -static
/usr/local/lib/libc-client4.a(osdep.o): In function `ssl_onceonlyinit':
osdep.o(.text+0x859d): warning: tmpnam() possibly used unsafely; 
consider using mkstemp()
/usr/local/lib/libc-client4.a(osdep.o): In function `checkpw':
osdep.o(.text+0x83f7): undefined reference to `pam_start'
osdep.o(.text+0x8417): undefined reference to `pam_set_item'
osdep.o(.text+0x842e): undefined reference to `pam_authenticate'
osdep.o(.text+0x8445): undefined reference to `pam_acct_mgmt'
osdep.o(.text+0x845c): undefined reference to `pam_setcred'
osdep.o(.text+0x847f): undefined reference to `pam_setcred'
osdep.o(.text+0x8492): undefined reference to `pam_end'
osdep.o(.text+0x84ac): undefined reference to `pam_end'
/usr/local/lib/libc-client4.a(osdep.o): In function `ssl_onceonlyinit':
osdep.o(.text+0x8690): undefined reference to `RAND_seed'
osdep.o(.text+0x86d9): undefined reference to `SSL_library_init'
/usr/local/lib/libc-client4.a(osdep.o): In function `ssl_start_work':
osdep.o(.text+0x899f): undefined reference to `TLSv1_client_method'
osdep.o(.text+0x89a6): undefined reference to `SSLv23_client_method'
osdep.o(.text+0x89ae): undefined reference to `SSL_CTX_new'
osdep.o(.text+0x89e1): undefined reference to `SSL_CTX_ctrl'
osdep.o(.text+0x8a17): undefined reference to `SSL_CTX_set_verify'
osdep.o(.text+0x8a22): undefined reference to 
`SSL_CTX_set_default_verify_paths'
osdep.o(.text+0x8a2d): undefined reference to `SSL_new'
osdep.o(.text+0x8a52): undefined reference to `BIO_new_socket'
osdep.o(.text+0x8a65): undefined reference to `SSL_set_bio'
osdep.o(.text+0x8a70): undefined reference to `SSL_set_connect_state'
osdep.o(.text+0x8a7b): undefined reference to `SSL_state'
osdep.o(.text+0x8aa3): undefined reference to `SSL_ctrl'
osdep.o(.text+0x8abe): undefined reference to `SSL_write'
osdep.o(.text+0x8af0): undefined reference to `SSL_get_peer_certificate'
/usr/local/lib/libc-client4.a(osdep.o): In function `ssl_open_verify':
osdep.o(.text+0x8bf2): undefined reference to `X509_STORE_CTX_get_error'
osdep.o(.text+0x8bfa): undefined reference to 
`X509_verify_cert_error_string'
osdep.o(.text+0x8c08): undefined reference to 
`X509_STORE_CTX_get_current_cert'
osdep.o(.text+0x8c10): undefined reference to `X509_get_subject_name'
osdep.o(.text+0x8c2a): undefined reference to `X509_NAME_oneline'
/usr/local/lib/libc-client4.a(osdep.o): In function `ssl_getdata':
osdep.o(.text+0x90e4): undefined reference to `SSL_get_fd'
osdep.o(.text+0x914e): undefined reference to `SSL_pending'
osdep.o(.text+0x9306): undefined reference to `SSL_read'
osdep.o(.text+0x9325): undefined reference to `SSL_get_error'
/usr/local/lib/libc-client4.a(osdep.o): In function `ssl_sout':
osdep.o(.text+0x942f): undefined reference to `SSL_write'
/usr/local/lib/libc-client4.a(osdep.o): In function `ssl_abort':
osdep.o(.text+0x94ca): undefined reference to `SSL_shutdown'
osdep.o(.text+0x94d5): undefined reference to `SSL_free'
osdep.o(.text+0x94ed): undefined reference to `SSL_CTX_free'
/usr/local/lib/libc-client4.a(osdep.o): In function `ssl_server_init':
osdep.o(.text+0x96eb): undefined reference to `ERR_load_crypto_strings'
osdep.o(.text+0x96f0): undefined reference to `SSL_load_error_strings'
osdep.o(.text+0x976a): undefined reference to `TLSv1_server_method'
osdep.o(.text+0x9771): undefined reference to `SSLv23_server_method'
osdep.o(.text+0x9779): undefined reference to `SSL_CTX_new'
osdep.o(.text+0x97bf): undefined reference to `SSL_CTX_ctrl'
osdep.o(.text+0x97d2): undefined reference to `SSL_CTX_set_cipher_list'
osdep.o(.text+0x9806): undefined reference to 
`SSL_CTX_use_certificate_chain_file'
osdep.o(.text+0x983e): undefined reference to 
`SSL_CTX_use_RSAPrivateKey_file'
osdep.o(.text+0x988b): undefined reference to `SSL_CTX_ctrl'
osdep.o(.text+0x98a2): undefined 

Re: OT: how do I get this to link?

2004-04-02 Thread Shaun T. Erickson
I wrote:
I can't get the program to link. In the output below, the things that 
c-client4.a is complaining about are found in the pam and ssl libs 
earlier in the line (I grep'd for a number of them, in /usr/lib/*.a, and 
they were found in those two libs). I have tried many different ways of 
ordering the libs, and this is the one that produces the least undefined 
references. I have all the libs found in /usr/lib first and the libs 
from /usr/local/lib second.

I'm pulling my hair out trying to get this to work. Can someone help me 
figure this out please?
I'm at my wits end with this. I've continued to try reordering the libs 
or adding them more than once, as 'man ld' says I can do (that only led 
to even more undefined references), and even tried to tell ld to search 
the libs multiple times, via the -( -) construct, but make barfed on that.

Any programmers out there that would be able to help me sort this out, 
off list, please? TIA.

-ste


Re: OT: how do I get this to link?

2004-04-02 Thread Shaun T. Erickson
Malcolm Kay wrote:

Maybe it is OK but to me the -static option at the end of the command looks 
strange. And I know the documentation says that mostly the command line order 
doesn't matter; but try it near the beginning.
Several of us tried and failed to get it to link statically in various 
ways, so we gave up, dropped -static, and went dynamic instead. It even 
required fewer libraries that way. My thanks to Matt Emmerton for the 
final solution that worked. :)

-ste


Re: dircmp?

2004-03-29 Thread Shaun T. Erickson
Dan Nelson wrote:
In the last episode (Mar 28), Kris Kennaway said:

On Sun, Mar 28, 2004 at 08:28:31PM -0500, Shaun T. Erickson wrote:

Is there a dircmp command for 5.2.1-RELEASE-p3? I can't find one ...
Not in the base system.  Maybe it's available in a port with a
different name.  What does it do?


It compares two directory trees and tells you which files exist in one
or both, and tells you which files are the same in both.  SUSv2
deprecated it and recommended people use diff -r instead.  SUSv3
doesn't mention it at all.
I tried diff -r and didn't really like it at all. The output isn't 
anywhere near as nice as dircmp's.

Shaun: if you have access to a Tru64 or Solaris system, you can use
their dircmp commands, since they are shell scripts.
Unfortunately, I don't, or I'd lift a copy. :)

-ste


Re: where is fortune on 5.2.1-RELEASE?

2004-03-29 Thread Shaun T. Erickson
Doug Poland wrote:

Hello,

I've googled for this but came up empty.  I cannot find the fortune 
program on this recently installed box.  On 4.9-STABLE it lives in 
/usr/games/fortune.


/usr/games/fortune on my 5.2.1-RELEASE-p3 box.

-ste


dircmp?

2004-03-28 Thread Shaun T. Erickson
Is there a dircmp command for 5.2.1-RELEASE-p3? I can't find one ...

-ste


Re: log off with process running

2004-03-25 Thread Shaun T. Erickson
 I'm surprised this hasn't been mentioned, but why not try screen? It's
 made for precisely this reason.

Screen is your friend. Screen is probably the tool I use most, as a
SysAdmin. I couldn't live without it.

-ste


Re: Enabling linux compatibility

2004-03-23 Thread Shaun T. Erickson
When I installed my system, it asked if I wanted to enable linux
compatibility, and I said no. Now I think I may need it, and am
wondering if I need to do anything special to enable it, other than
setting
linux_enable=YES

in /etc/rc.conf.
You will need to install one of the linux-base packages from ports.  the
plain vanilla one is the most stable in my experience...
Thanks!

-ste


Trying to run a Linux binary ...

2004-03-23 Thread Shaun T. Erickson
I installed linux_base, which turned on linux emulation:

# kldstat
Id Refs AddressSize Name
 17 0xc040 5b570c   kernel
 21 0xc09b6000 51ac8acpi.ko
 31 0xc462 19000linux.ko
#
When I run the file, I get:

	ELF binary type 0 not known.

# file filtercmd
filtercmd: setuid ELF 32-bit LSB executable, Intel 80386, version 1 
(SYSV), for GNU/Linux 2.2.5, statically linked, not stripped
#

I'm not sure what to do now ...

-ste


Re: Trying to run a Linux binary ...

2004-03-23 Thread Shaun T. Erickson
Lowell Gilbert wrote:
Shaun T. Erickson [EMAIL PROTECTED] writes:


I installed linux_base, which turned on linux emulation:

# kldstat
Id Refs AddressSize Name
 17 0xc040 5b570c   kernel
 21 0xc09b6000 51ac8acpi.ko
 31 0xc462 19000linux.ko
#


That installs the kernel support, but it doesn't turn it on.
Run linux(8) (at the command line).
I don't have any such command on my system. I looked at the package list 
for linux_base, and it doesn't install anything named that ...

-ste


Enabling linux compatibility

2004-03-22 Thread Shaun T. Erickson
When I installed my system, it asked if I wanted to enable linux 
compatibility, and I said no. Now I think I may need it, and am 
wondering if I need to do anything special to enable it, other than setting

linux_enable=YES

in /etc/rc.conf.

-ste


Re: disconnecting keyboard: big trouble !?!

2004-03-22 Thread Shaun T. Erickson
Steve Ireland wrote:

This is a PS/2 thing, not an operating system thing. You really can
fry your motherboard plugging and unplugging PS/2 devices while the
system is powered up.
I suppose it's possible, but I know I've never fried one. I'm always 
unplugging and plugging mine back in. The key to getting the keyboard 
re-initialized, when you plug it back in - at least under 
5.2.1-RELEASE-p3 - is to change

hint.atkbd.0.flags=0x1

to

hint.atkbd.0.flags=0x0

in /boot/device.hints and reboot. After that, you can plug and unplug to 
your heart's content. I'm told this setting may have to be made in the 
kernel, requiring a custom kernel, in 4.x releases.

-ste


phpmyadmin forbidden?

2004-03-21 Thread Shaun T. Erickson
I wanted to install this on my 5.2.1-p3, but it's forbidden. Emailing 
the maintainer got no response. Does anyone know what's up with this? 
I'm told it will make my life much easier 

-ste


RE: Top posting

2004-03-21 Thread Shaun T. Erickson
 ... both top and bottom ...

All this talk of top and bottom is making me blush and breathe heavy,
LOL (j/k). :-)

Perhaps this dead horse has been sufficiently beaten, that we can let it
Rest In Peace, and move on? :-)

-ste


I messed up my system, please help. library missing

2004-03-20 Thread Shaun T. Erickson
I went to rebuild the mod_php4 port with openssl support (btw, is the 
correct way to do that this: make -DWITH_OPENSSL ?).

During the build, it wanted to upgrade expat, but said there was an 
older version installed and that if I wanted it upgraded that I should 
do a 'make deinstall' and a 'make reinstall' to do so, then come back to 
the mod_php4 build. So I did that. Now my system is missing an 
apparently important library 'libexpat.so.4' and things are broken that 
need it - notably, my web server is down.

How do I get the old version reinstalled, and have the new version as 
well, for things that need it?

-ste


Re: I messed up my system, please help. library missing

2004-03-20 Thread Shaun T. Erickson
Jorn Argelo wrote:

I guess the best thing to do is to deinstall Apache as well, and
recompile it from the ports tree. (make sure to sync your ports-tree
first) Make sure you backup your website content, since I don't know if
the make deinstall will delete your content as well. Then recompile PHP
as well.

correct way to do that this: make -DWITH_OPENSSL ?).


I believe it was yes, though correct me if I am wrong.
What got me going again, was making a symbolic link from libexpat.so.5 
to libexpat.so.4. That got my webserver running, and allowed me to 
rebuild mod_php4 (and yes, that *was* the right way to get ssl support 
into it).

I probably should make the time to upgrade anything that relies on expat 
and remove that link though.

-ste


Re: I messed up my system, please help. library missing

2004-03-20 Thread Shaun T. Erickson
Kirk Strauser wrote:

From /usr/ports/UPDATING:

20040313:
  AFFECTS: users of textproc/expat2
Sigh. I'm still new to FreeBSD. I *really* need to get in the habit of 
checking that file. Thanks.

-ste


Re: openSSL certificate key's

2004-03-18 Thread Shaun T. Erickson
Matthew Seaman wrote:

On Thu, Mar 18, 2004 at 09:15:28AM +, Matthew Seaman wrote:

NB. Verb. Sap.  Some applications (*cough* Outlook *cough*) get upset
when the OU in the certificate is the same as the OU of your
certificate authority.


Ahem.  The CN or Common Name is what I should have said there.  Ooops.
Or, spend $49.00 and get a real SSL Cert from InstantSSL, like I did. 
Works like a charm. No, I don't work for them, and am not associated 
with them in any way, other than as a happy customer. Their cert was 
cheap enough to make getting a real one worth it.

-ste


Re: Downgrading 4.9-stable to 4.9-release-p3

2004-03-18 Thread Shaun T. Erickson
Kent Stewart wrote:

How are you going to include the changed libraries in modules you don't 
rebuild? The advisory was even more specific, i.e., rebuild all ports 
that use OpenSSL.
That's not exactly what it said. It said to rebuild all statically 
linked ports and 3rd-party apps:

Note that any statically linked applications that are not part of the
base system (i.e. from the Ports Collection or other 3rd-party sources)
must be recompiled.
Dynamically linked programs do not have to be rebuilt.

-ste


Re: rc script timing issues?

2004-03-10 Thread Shaun T. Erickson
Peter Risdon wrote:

 From man 8 rc.d:

The scripts within each directory are executed in lexicographical
order.  If a specific order is required, numbers may be used as a
prefix to the existing filenames, so for example 100.foo would be
executed before 200.bar; without the numeric prefixes the opposite
would be true.
You might be able to see this if you've installed, say, mysql-client 
which uses a script in /usr/local/etc/rc.d called 000.mysql-client.sh - 
the 000. forces an early startup. So I suggest you're better off moving 
the scripts back to /usr/local/etc/rc.d and prefixing them with numerals 
to get the startup order correct.
This was exactly the solution I needed and, per your later email, I also 
made sure the client script runs first.

	-ste



Re: ntpd question

2004-03-10 Thread Shaun T. Erickson
Matthew Seaman wrote:

Unfortunately if you're going to run ntpd, you can't get rid of these:
ntpd(8) will automatically bind to all interfaces on the system, and
there are no controls within ntpd to control that.
Darn. Thanks for the suggestions! I was already controlling access to 
the port with my ipfilter firewall, and will continue to do so. I just 
believe in not letting anything bind to a port, that isn't required to.

	-ste



Re: sasl2--saslauthd--pam--mysql issue

2004-03-09 Thread Shaun T. Erickson
Aaron Peterson wrote:

If you have plain text passwords in your MySQL database, you don't need
PAM to look them up.  SASL2 has this ability natively.
I'm going through PAM because I don't want to store passwords in plain text.

I have everything set up right, as near as I can tell. It's just that 
saslauthd isn't passing the realm. I'm told, on another list, that this 
is a feature of saslauthd from the latest version of sasl, which I'm 
using. I'm told there is supposed to be a patch out there, somewhere, to 
restore this behavior.

I haven't been able to find it yet. :(

	-ste



How do I add a local patch to a port?

2004-03-09 Thread Shaun T. Erickson
I have generated a patch that I want to apply to a port. I don't know 
how to tell the port to use it though. Just putting it in the files 
directory didn't seem to do the trick.

What else do I need to do?

	-ste



Re: How do I add a local patch to a port?

2004-03-09 Thread Shaun T. Erickson
Shaun T. Erickson wrote:

I have generated a patch that I want to apply to a port. I don't know 
how to tell the port to use it though. Just putting it in the files 
directory didn't seem to do the trick.

What else do I need to do?
I looked at the porter's handbook, and it says that simply dropping the 
patch into the files directory should get it automatically applied, but 
it's not. The patch is named patch-aa and is relative to the WRKSRC 
directory.

Suggestions?

	-ste



Re: How do I add a local patch to a port?

2004-03-09 Thread Shaun T. Erickson
Alexander Haderer wrote:

At 13:04 09.03.2004 -0500, Shaun T. Erickson wrote:

Shaun T. Erickson wrote:

...
I looked at the porter's handbook, and it says that simply dropping 
the patch into the files directory should get it automatically 
applied, but it's not. The patch is named patch-aa and is relative to 
the WRKSRC directory.

Suggestions?


Patching the wrong file?

Patching an already patched file?

Patching in wrong direction: old --- new exchanged by accident?

directory for patch ok? shouldn't it be relative to extracted sources
dir within WRKSRC?
Well, cd'ing into the work directory and then into the source directory 
and saying:

patch < patchfile

correctly patches the file ./dir/file2bepatched

So, if patchfile is in the files directory, it ought to just work, yes? 
But it isn't.

	-ste



Re: How do I add a local patch to a port?

2004-03-09 Thread Shaun T. Erickson
Alexander Haderer wrote:

Just another guess: Probably it makes a difference if the patchfile 
patches ./dir/tobepatched and dir/tobepatched. A brief look into other 
ports shows me that the latter is used. I don't know if it has to be 
this way or not.
Ok. I'm trying to patch 
/usr/ports/security/cyrus-sasl2-saslauthd/work/cyrus-sasl-2.1.17/saslauthd/auth_pam.c. 
The patchfile is named patch-aa and is located in 
/usr/ports/security/cyrus-sasl2-saslauthd/files. Here is the contents 
of the patchfile that works manually, when I cd to 
/usr/ports/security/cyrus-sasl2-saslauthd/work/cyrus-sasl-2.1.17 and 
run patch < /usr/ports/security/cyrus-sasl2-saslauthd/files/patch-aa:

Index: saslauthd/auth_pam.c
diff -u saslauthd/auth_pam.c.orig saslauthd/auth_pam.c
--- saslauthd/auth_pam.c.orig   Sat May 31 13:00:24 2003
+++ saslauthd/auth_pam.cTue Mar  9 11:53:44 2004
@@ -178,7 +178,7 @@
   const char *login,   /* I: plaintext authenticator */
   const char *password,/* I: plaintext password */
   const char *service, /* I: service name */
-  const char *realm __attribute__((unused))
+  const char *realm
   /* END PARAMETERS */
   )
 {
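Review bot: the `realm` parameter at the end of the argument list is the only one without an `/* I: ... */` comment, and with `__attribute__((unused))` removed it is now a live input. Document it in the same style as the other parameters, for example `const char *realm /* I: user's realm */`, so the next reader can see that it now takes part in the PAM lookup.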
@@ -186,17 +186,25 @@
 pam_appdata my_appdata;/* application specific data */
 struct pam_conv my_conv;   /* pam conversion data */
 pam_handle_t *pamh;/* pointer to PAM handle */
+char user[256];
 int rc;/* return code holder */
 /* END VARIABLES */
-my_appdata.login = login;
+strlcpy(user, login, 256);
+
+if (realm) {
+strlcat(user, @, 256);
+strlcat(user, realm, 256);
+}
+
+my_appdata.login = user;
 my_appdata.password = password;
 my_appdata.pamh = NULL;
 my_conv.conv = saslauthd_pam_conv;
 my_conv.appdata_ptr = my_appdata;
-rc = pam_start(service, login, my_conv, pamh);
+rc = pam_start(service, user, my_conv, pamh);
 if (rc != PAM_SUCCESS) {
syslog(LOG_DEBUG, DEBUG: auth_pam: pam_start failed: %s,
   pam_strerror(pamh, rc));
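
Review bot: the `strlcpy`/`strlcat` calls that build `user` ignore their return values, so a login plus `@` plus realm that does not fit in 256 bytes is silently truncated and the truncated name is what reaches `pam_start`. Compare each return value against `sizeof(user)` and fail the authentication on overflow rather than continue with a shortened identity. Use `sizeof(user)` in place of the repeated literal 256, and test that `realm` is non-empty as well as non-NULL so that an empty realm does not produce a login ending in a bare `@`.
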

It all looks right to me, but when I do a make clean followed by a 
make, the file does not get patched. What am I doing wrong?

	-ste



Re: How do I add a local patch to a port?

2004-03-09 Thread Shaun T. Erickson
Dancho Penev wrote:

> Put the patch in security/cyrus-sasl2/files directory. Take a look in
> port's Makefile where ${PATCHDIR} is set to different location.

Aha! That solved it. Thanks.

	-ste



pam question

2004-03-09 Thread Shaun T. Erickson
I have pam configured so that when my virtual email users (well, the 
*users* aren't virtual, hehe) send email, they have to use smtpauth. I 
created a file in /etc/pam.d, called smtp. It has in it:

auth required pam_mysql.so user=postfix passwd=apassword host=localhost db=postfix table=mailbox usercolumn=username passwdcolumn=password crypt=1 sqllog=0
account sufficient pam_mysql.so user=postfix passwd=apassword host=localhost db=postfix table=mailbox usercolumn=username passwdcolumn=password crypt=1 sqllog=0

Everything works fine ... almost.

Remote users, in the system's local domain, also have to auth in order 
to relay. But their password is being looked up in my mysql database, 
instead of in the password file.

How can I modify pam's smtp file to allow for both conditions?

	-ste



ntpd question

2004-03-09 Thread Shaun T. Erickson
I run ntpd to keep my server's time in sync with a remote server. In my 
netstat -a output, I see:

Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
udp4       0      0  localhost.ntp          *.*
udp4       0      0  peter.ntp              *.*
udp4       0      0  *.ntp                  *.*

I'm not running an ntp server, and would like these entries to go away. 
I've looked at the ntpd man page and haven't been able to find any 
option to tell it not to attach to ports. How can I do this? TIA.

	-ste



rc script timing issues?

2004-03-09 Thread Shaun T. Erickson
On 5.2.1-RELEASE-p1, in /usr/local/etc/rc.d, I have scripts that start 
my MySQL database, and that start my Courier-IMAP daemons. When the 
scripts for courier run, one of the first things they do is start 
authdaemond, which should fire up several authdaemond.mysql processes 
and then they start the imap daemons.

On reboot, the imap daemons are running, but the authdaemond.mysql 
processes aren't. If I stop the imap script, and re-run it, everything 
starts up just fine.

I suspect that the database isn't getting started before the imap 
scripts are run. So, I moved the database startup script to /etc/rc.d, 
but on reboot, the database wasn't started. I had hoped moving it to 
/etc/rc.d might start it earlier in the boot process.

Suggestions? TIA.

	-ste



Re: Installation - More user friendly

2004-03-08 Thread Shaun T. Erickson
JJB wrote:

> WD
> My web spider robot found this web site which is not on any of the
> search engines yet.
> www.a1poweruser.com
> Looks like it offers what you want in the way of user-friendly
> step-by-step instructions to installing FBSD.

1) Surreptitiously plugging your own site, is crass, at best.
2) Not telling him you charge for everything there, is devious.
Perhaps you should also tell him that when you respond to posts for 
help, on this list, that you frequently ignore the person's questions 
and instead rant on about the evils of whatever it is they are trying to 
do/use. Perhaps you should tell him that, at least in the area of 
networking, you haven't got a clue about what you are talking about (I 
specifically refer you to the completely inaccurate information you gave 
me regarding, for instance, the generation of fragments.)

Based on the many posts of yours that I've seen, on this list and 
another, I've concluded that you do know some things and have some 
useful information to impart, but that your ranting and mis-information 
obscure them to such a degree that your comments are not worth paying 
much attention to.

	-ste



Missing pam_mysql.so

2004-03-08 Thread Shaun T. Erickson
I seem to be missing pam_mysql.so on my 5.2.1-RELEASE_p1 system, and 
this is causing me problems, as I need pam to authenticate against a 
mysql 4.0.18 database.

I have no clue what provides that file. Can anyone help me, please. TIA.

	-ste



Re: Missing pam_mysql.so

2004-03-08 Thread Shaun T. Erickson
Shaun T. Erickson wrote:

> I seem to be missing pam_mysql.so  ...

I guess I'm tired, as I found it in /usr/ports/security/pam_mysql.

Sorry for the noise.

	-ste



sasl2--saslauthd--pam--mysql issue

2004-03-08 Thread Shaun T. Erickson
If I set pwcheck_method to auxprop and authenticate against sasldb2 
which has a single user of [EMAIL PROTECTED] in it, along with its 
password, I can auth just fine from mozilla, where I told it my user 
name was [EMAIL PROTECTED].

However, if I change it from auxprop to saslauthd, which calls pam, 
which does a mysql lookup instead, it fails. It opens the correct 
database and table, and selects the right fields, but it asks for a 
username of ste, instead of [EMAIL PROTECTED], so it doesn't find 
the password, and fails.

Why is it only asking for ste, and how do I get it to ask for the 
right value?

TIA

	-ste



portsdb issues

2004-03-06 Thread Shaun T. Erickson
When I run portsdb -Uu on my 5.2.1-RELEASE-p1 system, I get:

Updating the ports index ... Generating INDEX.tmp - please wait..

followed by over 10,000 entries similar to this:

make_index: gnomemag-0.10.7: no entry for /usr/ports/textproc/libxml2

followed by:

Warning: Duplicate INDEX entry:
 Done.
done
[Updating the portsdb format:bdb1_btree in /usr/ports ... - 3795 port 
entries
found /usr/ports/INDEX-5:1:Port info line must consist of 10 fields.
/usr/ports/INDEX-5:2:Port info line must consist of 10 fields.
/usr/ports/INDEX-5:3:Port info line must consist of 10 fields.
/usr/ports/INDEX-5:4:Port info line must consist of 10 fields.
/usr/ports/INDEX-5:5:Port info line must consist of 10 fields.
.1000.2000.3000... . done]

There was only one duplicate entry reported. So, how do I get my system 
back into a happy state?

	-ste



Re: portsdb issues

2004-03-06 Thread Shaun T. Erickson
Kent Stewart wrote:


> There was a problem like this a couple of days ago but I haven't seen 
> any problem generating INDEX today. I would re-cvsup and see if it goes 
> away. 

I have been diligently keeping my system cvsup'd every day. It dawned on 
me that I haven't been running portsdb -Uu after every cvsup though, so 
I ran it, and that's what I got.

So what do I do now?

	-ste



Re: portsdb issues

2004-03-06 Thread Shaun T. Erickson
Kent Stewart wrote:


> Did you recvsup ...

Apparently I'm new enough to FreeBSD that I don't understand you. I ran 
cvsup on my docs, my system source and my ports, and ran portsdb -Uu 
afterwards. When I run them again, there is nothing to download. That 
tells me I have everything.

I guess I don't know what you want me to do.

	-ste



Re: portsdb issues

2004-03-06 Thread Shaun T. Erickson
Kent Stewart wrote:

> The mirrors mostly update on the hour. Cvsuping less than an hour apart 
> may be using the same old data. You need to wait until 15-20 minutes 
> after the hour for the mirror to be updated. I mirror most of the data 
> and it takes around 8 minutes for a mirror update to finish. 

I waited a bit, then ran cvsup on the ports, once more, and this time 
there was more to download, including a new INDEX-5 file. I ran portsdb 
-Uu once more, and it worked perfectly. I guess my ports tree was out of 
sync somehow.

Thanks for the suggestions! :)

	-ste



'pkg_delete port' vs 'cd /usr/ports/port;make deinstall'

2004-03-06 Thread Shaun T. Erickson
'pkg_delete port' vs 'cd /usr/ports/port;make deinstall'

What's the difference between these?

	-ste



mysql woes (self-inflicted)

2004-03-06 Thread Shaun T. Erickson
I was having trouble getting mysql40 running, so I removed the server 
and client packages. I then manually cleaned out the files under 
/var/db/mysql. Then I rebuilt the server and client.

Sadly, when I try to start the server, it complains that mysql.host - 
one of the files I deleted - doesn't exist.

How do I get all that stuff under var/db/mysql back, that I deleted?

	-ste



Re: mysql woes (self-inflicted) SOLVED

2004-03-06 Thread Shaun T. Erickson
Shaun T. Erickson wrote:

> I was having trouble getting mysql40 running, so I removed the server 
> and client packages. I then manually cleaned out the files under 
> /var/db/mysql. Then I rebuilt the server and client.
>
> Sadly, when I try to start the server, it complains that mysql.host - 
> one of the files I deleted - doesn't exist.
>
> How do I get all that stuff under var/db/mysql back, that I deleted?

I had to rebuild the server with OVERWRITE_DB=yes.

	-ste



Re: My ipfilter rules.

2004-03-04 Thread Shaun T. Erickson
In order to be a good netizen, I applied the bogon list to my outbound 
traffic, too. I also moved the bad packet checks to the head of the 
incoming rules, as they make more sense there - no point in letting them 
use any more cpu than needed, if they are junk.

At least 35 people have looked at my rules 
(http://www.ste-land.com/rules.html). I've updated the page, so be sure 
to hit refresh/reload, if you go to look at it again. So far, two people 
have responded. I took the suggestions of one. Anyone else? I'm putting 
the server on the Internet tonight, and would like the firewall done by 
then.

Two questions:

1) Should I be performing the bad packet checks on the outbound path, too?

2) I looked at using groups to keep outbound packets from traversing 
rules for inbound packets, and vice versa, but I still don't understand 
them well enough to set them up. Suggestions?

	-ste



ipfilter 'keep frags' question

2004-03-03 Thread Shaun T. Erickson
Are only tcp packets subject to fragmentation, or are udp and icmp, as well?

	-ste



My ipfilter rules.

2004-03-03 Thread Shaun T. Erickson
I've ported my iptables firewall rules to ipfilter. Since I'm new to 
firewalling under any *BSD, and because it never hurts to get a review, 
I was wondering if some of you, who are good at it, would critique my 
rules. Rather than include the file here, I give a link to it, below. 
Feel free to critique both content and form. Note that I obfuscated my 
server's IP address in the one place it shows up.

The firewall is to harden a stand-alone server, with a single interface. 
 Policy is to let anything out, but be cautious about what is allowed in.

Here's the file: http://www.ste-land.com/rules.html

I'm sure I'll learn more, based on your responses. TIA.

	-ste



Re: My ipfilter rules.

2004-03-03 Thread Shaun T. Erickson
I wrote:

> I was wondering if some of you, who are good at it, would critique my 
> rules.
>
> Here's the file: http://www.ste-land.com/rules.html

So far, I've gotten these suggestions:

Apply the bogon list to the outbound path.
Compress my blocking of netbios junk to one rule.
Move bad options & flags check to head of list.

Any other suggestions?

Question: Is there some way I can have all outbound packets skip being 
tested by rules for inbound packets, and vice versa?

	-ste



How do I test for NO tcp flags being set, in ipfilter?

2004-03-02 Thread Shaun T. Erickson
See subject. :)

	-ste



Re: How do I test for NO tcp flags being set, in ipfilter?

2004-03-02 Thread Shaun T. Erickson
Jerry McAllister wrote:

> > See subject. :)
>
> A note:   That is impolite and unhelpful.   You should put your 
> information including the question in the body of the message.  

My sincere apologies. I was trying to be helpful by not repeating myself, 
and wasting bandwidth when my entire question was framed in the subject.

I won't do it again though, if it's considered impolite.

	-ste



How do I test for NO tcp flags being set, in ipfilter? (repost)

2004-03-02 Thread Shaun T. Erickson
How do I test for NO tcp flags being set, in ipfilter?

	-ste



Re: How do I test for NO tcp flags being set, in ipfilter? (repost)

2004-03-02 Thread Shaun T. Erickson
Danny Pansters wrote:

> On Tuesday 02 March 2004 18:27, Shaun T. Erickson wrote:
>
> > How do I test for NO tcp flags being set, in ipfilter?
>
> You can filter on TCP flags but seems to me what you really mean is how to 
> check for no TCP options (nop) rather than no flags:
>
> 'with opt nop' is a syntax that should work.
>
> WRT flags, it's my understanding that every TCP packet has at least the A or S 
> flag set. 

Actually, I do mean no flags set. Nmap's null scan uses packets with all 
tcp flags turned off.

On linux, with iptables, I would say -tcp-flags ALL NONE to test for 
this (the bits to test and the mask are in reverse order to how we 
specify them in ipfilter). The closest ipfilter statement would be 
flags /FSRPAU, specifying no flags to be set, out of all flags. I 
don't believe this is legal syntax though.

	-ste



ipfilter frags question

2004-03-01 Thread Shaun T. Erickson
Having given up on ipfw and switching to ipfilter (much nicer!), I 
nearly have my firewall set up. Then I ran into a problem ...

On my Linux box, I can force all fragments to be re-assembled into whole 
packets before being presented to the firewall, and that's what I've 
done. However, as near as I can tell, FreeBSD (5.2.1-RELEASE) doesn't 
have that feature.

So what do I do with fragments? They are a valid part of a tcp 
conversation, so dropping them isn't good, but neither is just accepting 
them willy-nilly, either.

Suggestions, please, and TIA.

	-ste



ipfilter tcp flags question

2004-03-01 Thread Shaun T. Erickson
How do I test that none out of all flags are set? flags /FSRPAU isn't 
legal, I'm sure. Is ! flags FSRPAU or flags ! FSRPAU?

	-ste



Re: ipfilter tcp flags question

2004-03-01 Thread Shaun T. Erickson
Remko Lodder wrote:

> i do it like this:
>
> block in log quick proto tcp all flags FUP
> block in log quick proto tcp all flags SAFRU/SAFRU
> block in log quick proto tcp all flags SF/SF
> block in log quick proto tcp all flags SR/SR

I'll have to scratch my head over that one for a bit, before I 
understand it, but I guess you're saying that the above 4 rules imply a 
fifth in that if none were set, it couldn't get through them, right?

I really dislike implied rules, and avoid them if at all possible, as 
they are hard to maintain. :) Is there no way to explicitly test for no 
flags being set?

	-ste
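
As an added example (not part of the original posts and not ipfilter's own code), the sketch below models the `flags value/mask` comparison the way ipf(5) documents it: a packet matches when its flags ANDed with the mask equal the value, and a missing mask means all six flags are compared. It runs the four quoted rules over constructed flag combinations; the function names and sample packets are assumptions made for illustration.

```python
"""Model of ipfilter's `flags <value>/<mask>` test (added example)."""

# TCP flag bits as laid out in the TCP header's flags byte.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
ALL_FLAGS = 0x3F  # F|S|R|P|A|U


def to_bits(letters):
    """Convert a string such as 'SA' to its bitmask; '' means no flags set."""
    bits = 0
    for ch in letters:
        if ch not in FLAG_BITS:
            raise ValueError(f"unknown TCP flag letter: {ch!r}")
        bits |= FLAG_BITS[ch]
    return bits


def parse_flags_spec(spec):
    """Parse 'SF/SF' or 'FUP' into (value, mask).

    Per ipf(5), a spec without a mask compares all six flags,
    so 'flags S' behaves as 'flags S/AUPRFS'.
    """
    value, sep, mask = spec.partition("/")
    return to_bits(value), (to_bits(mask) if sep else ALL_FLAGS)


def matches(spec, packet_flags):
    """True when (packet flags AND mask) equals the rule's value."""
    value, mask = parse_flags_spec(spec)
    return (to_bits(packet_flags) & mask) == value


# The flags clauses of the four block rules quoted in the reply above.
RULES = ["FUP", "SAFRU/SAFRU", "SF/SF", "SR/SR"]

# Constructed sample packets: name -> flags set in the TCP header.
PACKETS = {
    "null (no flags)": "",
    "xmas": "FUP",
    "all flags": "FSRPAU",
    "syn+fin": "SF",
    "syn+rst": "SR",
    "syn": "S",
    "syn-ack": "SA",
    "ack": "A",
}


def first_match(packet_flags, rules=RULES):
    """Return the first rule spec that matches, or None if all fall through."""
    for spec in rules:
        if matches(spec, packet_flags):
            return spec
    return None


def is_null(packet_flags):
    """The explicit condition being asked for: none of the six flags set.

    This is the arithmetic only; how to spell it in ipf rule syntax is not
    settled anywhere in the thread.
    """
    return (to_bits(packet_flags) & ALL_FLAGS) == 0


def report():
    """Map each sample packet to the rule that blocks it (None = not blocked)."""
    return {name: first_match(flags) for name, flags in PACKETS.items()}


if __name__ == "__main__":
    for name, rule in report().items():
        print(f"{name:16} -> {rule or 'falls through'}")
```

Under this model the packet with no flags set falls through all four rules, so they do not amount to an implied null-flags test.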



Re: kernel compile errors - but how do I get the output

2004-03-01 Thread Shaun T. Erickson
Tadimeti Keshav wrote:

> Hi all
> I have problems compiling my kernel.
> I have enabled:
> device  udbp  # USB Double Bulk Pipe devices
> I get errors at link time with udbp.o. I am not able
> to copy from aterm and paste to nedit. 
>
> make > /home/abcd/make_log.log only says stop...
> But it does not contain the error output. 
>
> I would appreciate any help. 
> Thanks

Use the script command. Type, for example:

script /var/tmp/make.out

then go ahead and run your make. When it's finished, type a Control-D 
and then vi /var/tmp/make.out to look at all the output of the make run. :)

HTH :)

	-ste



ipfw ruleset traversal question

2004-02-29 Thread Shaun T. Erickson
I'm trying to port my linux netfilter/iptables firewall to 5.2.1-RELEASE.

Iptables has the concept of chains. There are three defined by the 
system: INPUT, FORWARD & OUTPUT. Packets coming into the system that are 
destined for a local process traverse the INPUT chain only, packets 
generated by the system, and leaving it, traverse the OUTPUT chain only, 
and packets that are simply passing through the system traverse the 
FORWARD chain only. One nice benefit of this, is that inbound packets 
don't have to traverse rules for outbound packets and vice-versa. This 
allows efficient grouping of rules and reduces the performance hit of 
packets having to be checked by all rules.

How can I set up my ipfw ruleset so that I can achieve that same benefit?

TIA

	-ste



Re: ipfw ruleset traversal question

2004-02-29 Thread Shaun T. Erickson
Shaun T. Erickson wrote:

> Iptables has the concept of chains.

Please forgive me for following up my own post. I know it's bad form ...

In addition to the system defined chains, iptables lets me create user 
defined chains, that I can jump to based on criteria I set, so as to 
further refine my rules such that packets only traverse the rules they must.

So, I'm trying to figure out how to simulate everything I've said about 
chains, in ipfw ...

	-ste



LINT file?

2004-02-29 Thread Shaun T. Erickson
If I understand correctly, in previous releases there used to be a file 
/usr/src/sys/i386/conf/LINT, that listed all the things one could put 
in their kernel conf file. I can't find any such file on 5.2.1-RELEASE. 
Can someone please tell me where I can find it or its replacement 
please? TIA

	-ste



Re: LINT file?

2004-02-29 Thread Shaun T. Erickson
Matt Emmerton wrote:

> cd /usr/src/sys/i386/conf
> make LINT
>
> Note that the LINT kernel is _strictly_ a list of all the possible things to
> put in your kernel config -- there are no explanatory comments anymore.

That's a shame. I was counting on the comments to educate me. Can you 
point me to any other documentation that might cover what I find in that 
file?

	-ste



Re: LINT file?

2004-02-29 Thread Shaun T. Erickson
Rowdy wrote:

> You would be looking for the NOTES file in /usr/src/sys/arch/conf?
>
> There is also a NOTES file in, erm, /usr/src/sys/conf IIRC.

Thank you. That's exactly what I was looking for. I should have known to 
simply look for it under another name, instead of just giving up early 
when the ls for LINT turned up nothing.

Mea culpa.

	-ste

P.S.: Looking at it, I discovered that there is a ste device driver 
and man page, lol. When I pointed it out to my roommate, he said he 
wants to get in touch with the author. He says there's a few feature 
enhancements he'd like, and several nasty bugs he'd like worked out. :)



Firewall enabling confusion.

2004-02-27 Thread Shaun T. Erickson
I put 'firewall_enable=YES' in /etc/rc.conf, in anticipation of 
rebuilding my kernel with the following options turned on:

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100

I rebooted, for unrelated reasons, and now see in the messages file that 
ipfw2 has been enabled and, indeed, since I have no rules in place, my 
system is cut off from the network.

I haven't yet rebuilt my kernel, so I don't understand why this kicked 
in. Did adding that line in rc.conf suck in a kernel module that 
obsoletes the need for those kernel options? How do I check (I'd do an 
lsmod, on Linux - don't know what the equivalent FreeBSD command is)?
If it is a module, how do I enable logging, as adding 
'firewall_logging=YES' to /etc/rc.conf didn't turn it on, according to 
the messages file. Likewise for divert (though I don't currently need it).

Feb 27 14:37:22 peter kernel: ipfw2 initialized, divert disabled, 
rule-based forwarding enabled, default to deny, logging disabled

	-ste



Re: Firewall enabling confusion.

2004-02-27 Thread Shaun T. Erickson
Remko Lodder wrote:

> kldstat is the program you are looking for (like lsmod)
> It can indeed be that the module is loaded with its default
> settings {block all}
> Hope this solves your lsmod question, the rest i cannot help you
> with since i don't understand ipfw :) {yet}

Thanks! Yes, the ipfw.ko module is getting loaded. So now I just need to 
know how to enable things like divert and logging.

	-ste



Kernel modules question.

2004-02-27 Thread Shaun T. Erickson
In linux, I'd use /etc/modules.conf to list and configure any kernel 
modules I want loaded at boot time. How is that done in FreeBSD?

I see that there are a *lot* of kernel modules in /boot/kernel. How do I 
find out what each one is for and what their configuration options are?

Sorry for newbie questions. I'm trying to learn FreeBSD as fast as I can. :)

	-ste



Re: Firewall enabling confusion.

2004-02-27 Thread Shaun T. Erickson
Warren Block wrote:

> On Fri, 27 Feb 2004, Shaun T. Erickson wrote:
>
> > Thanks! Yes, the ipfw.ko module is getting loaded. So now I just need to
> > know how to enable things like divert and logging.
>
> /etc/rc.firewall has examples.

I looked at that. That's not what I mean. :) I mean, if I do not have to 
build a new kernel to enable firewalling, logging and divert, then how 
do I enable them, such that the following line from my messages file 
would show that they have been enabled?

Adding firewall_enable=YES to rc.conf caused the ipfw module to be 
loaded, enabling firewalling. Adding firewall_logging=YES did *not* 
enable logging in the message file line shown below. How do I do that? 
How would I get that line to show divert as being enabled? I may be 
wrong (correct me if I am, please), but doesn't that line have to show 
them as enabled, before I can successfully make use of them in ipfw 
commands like those you pointed me to in rc.firewall? What if I want 
that line to report that the default is open, instead of deny?

Feb 27 14:37:22 peter kernel: ipfw2 initialized, divert disabled, 
rule-based forwarding enabled, default to deny, logging disabled

	-ste



Re: Kernel modules question.

2004-02-27 Thread Shaun T. Erickson
Warren Block wrote:

> On Fri, 27 Feb 2004, Shaun T. Erickson wrote:
>
> > In linux, I'd use /etc/modules.conf to list and configure any kernel
> > modules I want loaded at boot time. How is that done in FreeBSD?
>
> It's /boot/loader.conf.  See 'man 5 loader.conf'.

Ah. Thank you. :) Where do I find documentation for the 341 or so modules?

	-ste



Re: Firewall enabling confusion.

2004-02-27 Thread Shaun T. Erickson
Ion-Mihai Tetcu wrote:

> hint:
> sysctl -a | grep ip.fw 
> for logging do:
> sysctl -w net.inet.ip.fw.verbose=1
> sysctl -w net.inet.ip.fw.verbose_limit=5

Ah.

> see also man ipfw, it will answer your questions.

I'm still wading through it - it's quite a long read. I'll finish before 
asking anything else. ;)

> AFAIK recompile with IPFW_DEFAUL_TO_ACCEPT, but it would be a bad thing.

I don't disagree - I just wanted to know how. It helps me to understand 
the system better. ;)

	-ste



Re: Quick newbie portupgrade question.

2004-02-26 Thread Shaun T. Erickson
Kevin D. Kinsey, DaleCo, S.P. wrote:

> Shaun T. Erickson wrote:
>
> > I understand that 'portupgrade -arR' will upgrade everything. Some are 
> > packages and some are ports. Will portupgrade upgrade packages with 
> > packages, and ports with ports, or do packages get replaced with 
> > ports, so that all are ports after it's run?
>
> Check out the -P and -PP CLI switches
> to portupgrade(1).

If I read them correctly, I cannot have packages replaced with packages, 
and ports with ports. That is, unless I can figure out which are which, 
ahead of time, and select the right switches for the right things. Is 
there an easy way to determine which are which?

	-ste



Re: Looking for ipfw info.

2004-02-26 Thread Shaun T. Erickson
JJB wrote:

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Shaun T.
> Erickson
> Sent: Thursday, February 26, 2004 2:08 PM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: Looking for ipfw info.
>
> > JJB wrote:
> >
> > > The problem with all those links is that what they write about is
> > > outdated and completely mis-directs the reader into using IPFW's
> > > legacy stateless rules when only stateful rules should be used to
> > > get the max level of protection.
> >
> > The rules she gives in her second article most certainly describe
> > creating a stateful firewall.
>
> Yes for a firewall without a lan behind it

Which is exactly what I'm trying to set up.

> www.a1poweruser.com  Is where you can purchase the complete results
> of my in-depth research, as soon as I complete the buy now button
> function. Check back in  a week.

Can someone who isn't trying to sell me something, corroborate anything 
he's said? It would be nice to hear from someone else, too. :)

	-ste



Re: ruby ( final answer )

2004-02-26 Thread Shaun T. Erickson
Michael Sharp wrote:

> pkgdb is still looking for /usr/local/bin/ruby which after the upgrade
> doesn't exist. It's now /usr/local/bin/ruby16
> ln -s /usr/local/bin/ruby16 /usr/local/bin/ruby
>
> fixes pkgdb and portsdb

I'm setting up a new 5.2.1-RELEASE system and was concerned about this, 
as I was about to install portupgrade, which would also install ruby. 
With all ports up to date, I crossed my fingers and did a make install 
clean. Everything installed and works fine. I got a ruby18 (yes, 18) 
that was linked to ruby.

Are you sure you have the latest portupgrade and ruby installed?

	-ste

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Quick newbie portupgrade question.

2004-02-26 Thread Shaun T. Erickson
I understand that 'portupgrade -arR' will upgrade everything. Some are 
packages and some are ports. Will portupgrade upgrade packages with 
packages, and ports with ports, or do packages get replaced with ports, 
so that all are ports after it's run?

	-ste



Re: Looking for ipfw info.

2004-02-26 Thread Shaun T. Erickson
JJB wrote:

> The problem with all those links is that what they write about is
> outdated and completely mis-directs the reader into using IPFW's
> legacy stateless rules when only stateful rules should be used to
> get the max level of protection.

The rules she gives in her second article most certainly describe 
creating a stateful firewall.

> They also completely ignore the
> problem ipfw has with stateful rules not working when the
> divert/natd subroutine call is used. IPFW has major legacy
> stateful/NAT bug and ipfilter does not.

Can you provide me with links to information that documents this?

> Ipfilter provides a much
> higher level of protection in a LAN environment than IPFW can ever
> do in its current state. Even the openbsd pf port is a better
> firewall solution for a firewall with a LAN behind it than IPFW.

Please provide me with links to documentation that objectively compares 
them, so that I can weigh the merits of what you say.

> Please don't continue the FBSD's handbook mis-information about IPFW
> being the only FBSD firewall solution or that it's the best
> solution. The handbook is also way behind in its content being
> current and up to date.

As a new FreeBSD user, there's no way I could possibly know that, now is 
there? I simply passed along what I have found to be useful.

I still need to know the answer to my question about what changes I need 
to make to my kernel to support a firewall on my server.

	-ste



Re: Looking for ipfw info.

2004-02-26 Thread Shaun T. Erickson
I wrote:

> I have read the following 5 excellent articles on ipfw, by Dru Lavigne. 

I forgot to include the links. Here they are:

BSD Firewalls: IPFW 
http://www.onlamp.com/pub/a/bsd/2001/04/25/FreeBSD_Basics.html

BSD Firewalls: IPFW Rulesets 
http://www.onlamp.com/pub/a/bsd/2001/05/09/FreeBSD_Basics.html

BSD Firewalls: Fine-Tuning Rulesets 
http://www.onlamp.com/pub/a/bsd/2001/06/01/FreeBSD_Basics.html

IPFW Logging 
http://www.onlamp.com/pub/a/bsd/2001/06/21/FreeBSD_Basics.html

Monitoring IPFW Logs 
http://www.onlamp.com/pub/a/bsd/2001/07/05/FreeBSD_Basics.html

	-ste



Re: Looking for ipfw info.

2004-02-26 Thread Shaun T. Erickson
Thanks for the resources.

A couple of questions (because I'm new to FreeBSD):

The ipfw man page in 5.2.1-RELEASE says that ipfw in CURRENT is ipfw2 
and that ipfw in STABLE is ipfw1. I still don't understand the 
relationship between RELEASE and the other two, so I am not sure which 
ipfw I have in 5.2.1-RELEASE.

I have read the following 5 excellent articles on ipfw, by Dru Lavigne. 
Even though they were written in 2001, and thus pre-date ipfw2, I found 
them to be a great crash course in ipfw, and the ipfw manpage in 
5.2.1-RELEASE just adds to it.

In Dru's first article, she(?) discusses how the kernel must be modified 
to support a firewall. She looks into /usr/src/sys/i386/conf/LINT to 
find the relevant information that needs to be added to my kernel conf 
file. I cannot find a LINT file on my 5.2.1-RELEASE system. Where can I 
find complete information on what I need to do to my kernel?

TIA

	-ste

P.S.: I find that ipfw rules are far more human-readable than I thought, 
and when comparing my linux server's ipchains rules to 
/etc/rc.firewall's simple firewall rules, I found them to be very 
similar. :)



cvsupfile question

2004-02-25 Thread Shaun T. Erickson
I installed 5.2 from ISOs, then wanted to keep it up to date with the 
latest security fixes and to keep my ports & doc trees up to date as 
well. I tried the following cvsupfile, and got two thirds of what I 
wanted, so I must not quite understand it yet. My ports & docs are up to 
date, but instead of just getting security fixes to 5.2, my system 
source jumped to 5.2.1rc2. I don't want to go to 5.2.1 until it's 
officially released. I'm reinstalling from scratch, and want to do it 
right this time. Can someone help me correct my cvsupfile, please? TIA

peter# cat /etc/cvsupfile
*default  tag=RELENG_5_2
*default  host=cvsup12.us.freebsd.org
*default  prefix=/usr
*default  base=/usr/local/etc/cvsup
*default  release=cvs delete use-rel-suffix compress
src-all
*default tag=.
ports-all
doc-all
peter#
	-ste



How do I turn this off?

2004-02-25 Thread Shaun T. Erickson
When I login, I get a UNIX tip by Dru, printed on the screen. I'd like 
to turn that off, but haven't located where to do that ... TIA.

	-ste



Looking for ipfw info.

2004-02-25 Thread Shaun T. Erickson
Can someone point me to a good, current ipfw HOW-TO? I'm very good with 
linux's ipchains/iptables firewall commands, but am replacing that 
server with a FreeBSD server and need to translate my firewall ...

TIA

	-ste



Re: Configuring a Linux machine as a dynamic router

2004-02-25 Thread Shaun T. Erickson
CHANDANA S wrote:

> Hello,
>  I am trying to configure my Linux machine 

I believe you are on the wrong list. This list is for the FreeBSD 
operating system, not the Linux operating system. :)

	-ste



Re: imap question

2004-02-23 Thread Shaun T. Erickson
Louis LeBlanc wrote:

> > Might as well use POP, correct?
>
> Yes and no.  POP is fine if you only ever check mail from one system.
> Otherwise, imap is more appropriate.  Security is a separate issue
> altogether when you look at it this way.

Well, you also have to take into consideration where you want your email 
stored. If you want it on the server, use IMAP, if you want it on your 
local system (where it's more likely to get blown away), use POP.

	-ste
