RE: Kind OFF Topic. FreeBSD for Blocking URLS? Nanny?

2012-04-11 Thread Terrence Koeman
On Tue, 10 Apr 2012 at 05:27:24, Jorge Biquez wrote:

 Hello all.
 
 I am sorry if this is kind of off topic. I am looking for help from more
 experienced people in these areas. Please let me know if this
 question should be moved to the FREEBSD-CHAT list.
 
 As I have mentioned before, I am helping a school, a non-profit, with
 their IT issues. As always there are some experts who control
 everything and do not let you change anything because it is their
 kingdom. Anyway, there we have Internet service from a cable company
 and they have some Cisco routers to receive the access and from there
 some Cisco switches.
 In the classrooms we have very old PCs running XP. In some of my
 classes I am using FreeBSD and Ubuntu running from a USB stick. So each
 student has one USB stick and they work that way, booting from their 4GB
 USB stick (it is slow but it has worked until now).
 
 One of the managers asked me for help to block some web sites where
 some students in the other lab, and people who help there, waste
 bandwidth watching videos and movies (youtube, cuevana, serieid, etc) and
 also spend a lot of time on facebook. Our bandwidth is only 4Mb and you
 understand that with a few people watching movies and videos the rest
 of us can not work at all. The thing is that another manager (you know
 how those things are sometimes) does not want us to do that since his
 guru and expert is the one who controls the whole network. So the
 best we could get until now is that we can do all we can without
 touching the Cisco routers, and until now no administrative password
 to change anything on the PCs (that could change once we prove that
 we have a solution and show it to the board of people that runs
 the place).
 
 The Internet provider gives the DNS servers to use and one of the
 routers provides the DHCP service.
 
 The first thing I thought of was to change the DNS servers to the one
 from my small office (running FreeBSD 7.3 with Bind) and simply block
 the sites there by pointing them to nothing in the Apache
 configuration. It does not work. Once the DNS values are changed the PC
 does not resolve anything. It was a quick test but that does not
 work. I am not sure if the Internet provider is blocking in some way so that
 we can not use any DNS server but theirs.
 
 Another solution I was thinking of while coming home was to convert one
 machine there into a FreeBSD server and use it as a router (if they let
 me) so that I can control and do filtering from there. The issue is
 that maybe they will not let me do anything but connect the server as an extra
 machine without replacing the main router, so in that case I would
 have 2 DHCP servers doing the same service in the same LAN and there could
 be conflicts I guess.
 
 Another solution a friend suggested was to buy one small router (with my own
 money for sure) and let that small router receive the internet (RJ45)
 and from there, with the included small 4 port switch, provide
 internet to the switches that feed the labs, library and administrative
 offices. I have never used one of those and I am short on money so I
 would like to explore other alternatives first if possible.
 
 Finally, another solution would be to install on each PC a kind of
 Nanny software, but only if free, otherwise it is not a solution (I do
 not know of any yet but will do some searching in the following hours).
 
 I know all of this could be solved if the guru-expert guy would let me have
 the passwords for the PCs, router, etc, but that won't be an option since
 they think we would try to take control of those services (we do
 not want that), so the bureaucracy could be a problem there. He has
 told them that blocking is not possible (they have been working that
 way for years).
 
 So, in this kind of setup, do you think FreeBSD (or even Linux) could
 be of help if we do not have access to routers or switches and can not
 install new software on the PCs (the ones running XP)?
 
 Any comments you have that could help me solve this challenge?

You could ask the guru-expert guy to implement traffic shaping like
weighted fair queuing and prioritizing SYNs etc. That way people can watch
all the videos they want without it affecting the work of others.

You can also implement it yourself transparently with a FreeBSD box with two
adapters bridged and something like ipfw+dummynet; you'd just need to insert
it somewhere in the route (before any masquerading is performed, though).

-- 
Regards,
T. Koeman, MTh/BSc/BPsy; Technical Monk

MediaMonks B.V. (www.mediamonks.com)
Please quote relevant replies in correspondence.


smime.p7s
Description: S/MIME cryptographic signature
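Added example, not from the thread and not anyone's production ruleset: the transparent ipfw+dummynet setup the reply describes, as a script. The assumptions are all mine: bridge0 already spans em0 (towards the uplink router) and em1 (towards the LAN switch), the link is the 4Mbit/s from the question, and the bridge sits before NAT so it still sees individual client addresses, which the per-host masks need. With DRYRUN=yes (the default) it prints the commands instead of running them.

```shell
#!/bin/sh
# Transparent WFQ shaping on a two-NIC FreeBSD bridge (added example).
# Assumed interfaces: em0 = uplink side, em1 = LAN side, both members of bridge0.

IPFW=${IPFW:-/sbin/ipfw}
SYSCTL=${SYSCTL:-/sbin/sysctl}
DRYRUN=${DRYRUN:-yes}
UPLINK=${UPLINK:-em0}
LAN=${LAN:-em1}

# run CMD...: echo in dry-run mode, execute otherwise.
run() {
    if [ "$DRYRUN" = yes ]; then echo "$*"; else "$@"; fi
}

# apply_shaping [BANDWIDTH]: build the complete dummynet configuration.
apply_shaping() {
    bw=${1:-4Mbit/s}

    run kldload dummynet
    # See each frame once, on the member interface it arrives on, so the
    # "in recv IFACE" rules below tell the two directions apart.
    run "$SYSCTL" net.link.bridge.pfil_member=1
    run "$SYSCTL" net.link.bridge.pfil_bridge=0

    run "$IPFW" -f flush
    run "$IPFW" -f pipe flush

    # One pipe per direction, both capped at the uplink rate.
    run "$IPFW" pipe 1 config bw "$bw"      # downstream (uplink -> LAN)
    run "$IPFW" pipe 2 config bw "$bw"      # upstream   (LAN -> uplink)

    # WFQ: queues on one pipe share it in proportion to their weights. The mask
    # creates a separate dynamic queue per LAN host, so a host streaming video
    # gets one share of the bulk class rather than the whole link.
    run "$IPFW" queue 1 config pipe 1 weight 80 mask dst-ip 0xffffffff   # interactive down
    run "$IPFW" queue 2 config pipe 1 weight 20 mask dst-ip 0xffffffff   # bulk down
    run "$IPFW" queue 3 config pipe 2 weight 80 mask src-ip 0xffffffff   # interactive up
    run "$IPFW" queue 4 config pipe 2 weight 20 mask src-ip 0xffffffff   # bulk up

    # Interactive class: TCP handshakes, DNS and ssh. HTTP deliberately stays
    # in the bulk class, because the video traffic in question is HTTP.
    run "$IPFW" add 100 queue 1 tcp from any to any in recv "$UPLINK" tcpflags syn
    run "$IPFW" add 110 queue 1 tcp from any 22,53 to any in recv "$UPLINK"
    run "$IPFW" add 115 queue 1 udp from any 53 to any in recv "$UPLINK"
    run "$IPFW" add 120 queue 2 ip from any to any in recv "$UPLINK"
    run "$IPFW" add 200 queue 3 tcp from any to any in recv "$LAN" tcpflags syn
    run "$IPFW" add 210 queue 3 tcp from any to any 22,53 in recv "$LAN"
    run "$IPFW" add 215 queue 3 udp from any to any 53 in recv "$LAN"
    run "$IPFW" add 220 queue 4 ip from any to any in recv "$LAN"
    run "$IPFW" add 65000 allow ip from any to any
}

# Usage: sh shape.sh show [BW]   (print the commands)
#        sh shape.sh apply [BW]  (run them, as root)
case "${1:-}" in
    apply) DRYRUN=no; apply_shaping "$2" ;;
    show)  apply_shaping "$2" ;;
esac
```

Run it with `show` first and read the output before using `apply`; the explicit allow at rule 65000 matters because the ruleset otherwise ends in the kernel's default deny once ipfw is loaded.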


RE: DNS - slaving the root zone

2012-02-19 Thread Terrence Koeman
On Sun, 19 Feb 2012 at 01:14:47, Doug Barton wrote:

 On 02/18/2012 03:23, Damien Fleuriot wrote:

 On 2/18/12 12:57 AM, Doug Barton wrote:

 To clarify, almost universally the opposition to the idea centers
 around the problems of users who enable this method, and then don't
 notice if something changes/breaks, resulting in a stale zone (or
 zones, depending on what you choose to slave). I have always
 acknowledged that this is a valid concern, just not one that I think
 overwhelms the virtues of doing the slaving in the first place.


 Could you elaborate on the something changes/breaks, admin doesn't
 notice, results in a stale zone bit ?

 Most commonly whatever auth. server the user is axfr'ing from suddenly
 stops offering that ability.
[snip]

I'm just done converting from named.root to slaving the root, I checked which 
servers allow axfr (at least for me...) and added them all as masters. Multiple 
masters would substantially decrease the risk of stale zones, yes? I have 
attached the relevant portion of my config, maybe it's useful.

Also, I was wondering, now that I slave . and arpa, is it still beneficial to 
retain the 'empty zones' that fall within those or are they redundant?

I figure they are, as the comments say 'Serving the following zones locally 
will prevent any queries for these zones leaving your network and going to the 
root name servers.' and now my server *is* the root as far as it knows.

Thanks.

--
Regards,
T. Koeman, MTh/BSc/BPsy; Technical Monk

MediaMonks B.V. (www.mediamonks.com)
Please quote relevant replies in correspondence.



named.conf
Description: Binary data
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
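Added example, not the attached named.conf and not from the thread: a generator for the multi-master root stanza described in the post, together with the staleness check that the objection quoted from Doug Barton calls for. Assumptions, all mine: the master addresses are placeholders from the 192.0.2.0/24 documentation range (replace them with the servers you have verified will give you AXFR), dig(1) is installed, and the local BIND listens on 127.0.0.1.

```shell
#!/bin/sh
# Root-zone slaving helpers (added example). Placeholder addresses throughout.

REFERENCE=${REFERENCE:-192.0.2.53}   # placeholder: a server whose "." SOA you trust

# root_slave_stanza MASTER...: print a zone "." stanza listing every master given.
# Several masters mean one server withdrawing AXFR does not strand the zone.
root_slave_stanza() {
    echo 'zone "." {'
    echo '    type slave;'
    echo '    file "slave/root.zone";'
    echo '    masters {'
    for m in "$@"; do echo "        $m;"; done
    echo '    };'
    echo '    notify no;'
    echo '};'
}

# soa_serial RDATA: extract the serial from SOA rdata as printed by `dig +short`.
# Constructed sample that mirrors the root zone's layout:
#   a.root-servers.net. nstld.verisign-grs.com. 2012021901 1800 900 604800 86400
soa_serial() {
    set -- $1
    echo "$3"
}

# is_stale LOCAL_SERIAL REF_SERIAL: the root serial is YYYYMMDDnn and a new
# edition is published at least once a day, so a local copy whose date part is
# behind the reference's has missed at least one transfer. Same-day editions
# (differing only in nn) are not flagged, to avoid alerting on the normal gap
# between publication and the next refresh.
is_stale() {
    [ "${2%??}" -gt "${1%??}" ]
}

# check_root_zone: live comparison against REFERENCE (needs the network).
check_root_zone() {
    local_serial=$(soa_serial "$(dig +short @127.0.0.1 . SOA)")
    ref_serial=$(soa_serial "$(dig +short "@$REFERENCE" . SOA)")
    if [ -z "$local_serial" ] || [ -z "$ref_serial" ]; then
        echo "lookup failed (local='$local_serial' ref='$ref_serial')"; return 2
    fi
    if is_stale "$local_serial" "$ref_serial"; then
        echo "STALE: local root serial $local_serial, reference $ref_serial"; return 1
    fi
    echo "ok: local $local_serial, reference $ref_serial"
}
```

Run `check_root_zone` from cron; a non-zero exit is the "something changed and nobody noticed" case, caught well before the zone's expire timer makes the resolver stop answering for "." altogether.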

Which mailinglist is appropriate for discussing uart changes?

2012-02-19 Thread Terrence Koeman
Could someone point me to the right mailinglist to discuss adding support for 
the MCS9904 chip to uart? I'm working on it, but I have some questions 
regarding FIFO sizes and how they are currently determined.

Thanks.

--
Regards,
T. Koeman, MTh/BSc/BPsy; Technical Monk

MediaMonks B.V. (www.mediamonks.com)
Please quote relevant replies in correspondence.






RE: buildkernel not honoring WITH_MODULES from make.conf ? (was: Re: Quick build of stripped-down kernel)

2011-11-25 Thread Terrence Koeman
On Fri, 25 Nov 2011 at 19:27:54, Damien Fleuriot wrote:

 On 11/24/11 4:17 PM, b. f. wrote:
 
 If you are going to build most of the modules, but only want to exclude
 a few, then add the directories of the modules to be excluded (relative
 to /usr/src/sys/modules) to WITHOUT_MODULES, for example in
 /etc/make.conf. If you are only going to build a few modules, and want
 to exclude the majority of the modules, then add the directories of the
 modules that are to be built to MODULES_OVERRIDE.  For no modules at
 all, set NO_MODULES.  See /usr/src/sys/modules/Makefile and
 /usr/src/sys/conf/kern.post.mk for details. You may also save some time
 by using one of your faster machines to build the OS for the slower
 machines.
 
 b.

 Have I misunderstood WITH_MODULES' use ?

The answer is in the post you quoted: use MODULES_OVERRIDE.

-- 
Regards,
T. Koeman, MTh/BSc/BPsy; Technical Monk

MediaMonks B.V. (www.mediamonks.com)
Please quote relevant replies in correspondence.






RE: Shouldn't GNU tar be ignoring /proc with --one-file-system?

2011-11-18 Thread Terrence Koeman
 -Original Message-
 From: owner-freebsd-questi...@freebsd.org [mailto:owner-freebsd-
 questi...@freebsd.org] On Behalf Of Daniel Staal
 Sent: Friday, November 18, 2011 18:00
 To: freebsd-questions@freebsd.org
 Subject: Re: Shouldn't GNU tar be ignoring /proc with --one-file-
 system?


 On Fri, November 18, 2011 10:34 am, Kirk Strauser wrote:
  I use Amanda to make nightly backups of a bunch of servers using GNU
 tar.
  However, gtar doesn't seem to respect its --one-file-system flag with
  /proc. Amanda runs a variation of this command:
 
   # /usr/local/bin/gtar --create --file - --directory /
   --one-file-system --sparse --ignore-failed-read --totals . > /dev/null
  /usr/local/bin/gtar: ./proc: file changed as we read it
 
  Before I file a bug report, can anyone think of a legitimate reason
 why
  gtar would be touching /proc at all?

 Just a guess, really but:

 /proc is a file on /.  /proc/* are files on /proc.  The former is still
 on
 the root filesystem (if only as a directory stub to be used as a
 mountpoint), so reading it isn't leaving that filesystem.  Reading
 anything *in* it would be.

 Just a thought.


However, the file /proc on fs / should not be changing since a filesystem /proc 
is mounted over it. The message ./proc: file changed as we read it indicates 
whatever /proc it is trying to read did change...

--
Regards,
T. Koeman, MTh/BSc/BPsy; Technical Monk

MediaMonks B.V. (www.mediamonks.com)
Please quote relevant replies in correspondence.





RE: putting /tmp to memory

2011-01-23 Thread Terrence Koeman
 -Original Message-
 From: owner-freebsd-questi...@freebsd.org [mailto:owner-freebsd-
 questi...@freebsd.org] On Behalf Of kellyremo
 Sent: Sunday, January 23, 2011 14:47
 To: FreeBSD
 Subject: putting /tmp to memory
 Importance: High


 to memory means: mounting a ~2 GByte filesystem [ tmpfs?, or ramfs?
 ], and put the /tmp on it. [ e.g.: 4 GByte ram in the pc ]. what to
 write in the /etc/fstab?

  I would like to collect the [ answers too:P ]:

  Advantages:
  - Memory is way faster than HDD/SSD, so it could speed things up
  - SSD amortization is less

  Disadvantages:
  - Security? [ how to set this up to be secure? any clear howtos/links
 regarding it? :O ]

  Really thank you for any good help...


In rc.conf:

tmpmfs=YES
tmpsize=2G
tmpmfs_flags=-S

That'll do it :)

--
Regards,
T. Koeman, MTh/BSc/BPsy; Technical Monk

MediaMonks B.V. (www.mediamonks.com)
Please quote relevant replies in correspondence.





RE: lightbulb? prob'ly not, but....

2011-01-22 Thread Terrence Koeman
 -Original Message-
 From: owner-freebsd-questi...@freebsd.org [mailto:owner-freebsd-
 questi...@freebsd.org] On Behalf Of Gary Kline
 Sent: Saturday, January 22, 2011 22:33
 To: FreeBSD Mailing List
 Subject: lightbulb? prob'ly not, but

[snip]


 # telnet 10.47.0.230
 Trying ...
 telnet: connect to addr n.n.n.n: Connection refused
 telnet: Unable to connect to remotr host

 Does the "Connection refused" signify anything in the bind/dns world?

 Before I portupgraded to bind97 from bind9, this kind of stuff worked.


Seeing as you're not resolving any hostname it's not DNS.

You also have not specified a port for telnet to connect to so it'll default to 
23, which you probably don't want. Try 'telnet 10.47.0.230 80' (80 is the 
standard port for http).

BTW, the 'Connection Refused' message means that the port is closed and sending 
a RST, which means that either nothing is listening on the port or that the 
system is sending RSTs because of a firewall rule. If you haven't set up such 
rules you can assume the first to be the case.

--
Regards,
T. Koeman, MTh/BSc/BPsy; Technical Monk

MediaMonks B.V. (www.mediamonks.com)
Please quote relevant replies in correspondence.






RE: lightbulb? prob'ly not, but....

2011-01-22 Thread Terrence Koeman

 -Original Message-
 From: owner-freebsd-questi...@freebsd.org [mailto:owner-freebsd-
 questi...@freebsd.org] On Behalf Of Gary Kline
 Sent: Sunday, January 23, 2011 00:26
 To: Terrence Koeman
 Cc: Gary Kline; freebsd-questions@freebsd.org

 On Sat, Jan 22, 2011 at 11:22:51PM +0100, Terrence Koeman wrote:
   -Original Message-
   questi...@freebsd.org] On Behalf Of Gary Kline
   Sent: Saturday, January 22, 2011 22:33
  
  [snip]
 
  
   # telnet 10.47.0.230
   Trying ...
   telnet: connect to addr n.n.n.n: Connection refused
   telnet: Unable to connect to remotr host
  
   Does the Connection refused signify anything in the bind/dns
 world.

[snip]
 
  Seeing as you're not resolving any hostname it's not DNS.
 
  You also have not specified a port for telnet to connect to so it'll
 default to 23, which you probably don't want. Try 'telnet 10.47.0.230
 80' (80 is the standard port for http).

   YES.  I get into ethic as with a normal telnet; when I hit return, I
   see index.php; the source, not the web file that lynx or firefox
   shows.  I'll KVM over to my desktop and cut/paste from there.

That is what is supposed to happen. This step is just to see what telnet 
returns: timeout, connection refused or some page. If you get some page then 
there's a webserver on port 80 that is serving you *something* at least.

 
  BTW, the 'Connection Refused' message means that the port is closed
 and sending a RST, which means that either nothing is listening on the
 port or that the system is sending RST's because of a firewall rule. If
 you haven't setup such rules you can assume the first to be the case.
 

   What _should_ be listening on port 80 that isn't?

Well, if you saw page source then there's a webserver listening on port 80.

--
Regards,
T. Koeman, MTh/BSc/BPsy; Technical Monk

MediaMonks B.V. (www.mediamonks.com)
Please quote relevant replies in correspondence.






RE: no apache22, php5 cores

2011-01-21 Thread Terrence Koeman
 -Original Message-
 From: owner-freebsd-questi...@freebsd.org [mailto:owner-freebsd-
 questi...@freebsd.org] On Behalf Of Da Rock
 Sent: Saturday, January 22, 2011 02:22
 To: freebsd-questions@freebsd.org
 Subject: Re: no apache22, php5 cores


[snip]
 Apache will work with php, but some sites may be coded with it, so they
 will simply show the code - careful with security! Better stop apache to
 be sure until it works with php, OR comment out the sites using it.

Afaik it's possible to protect yourself against this problem by configuring 
Apache to refuse serving some types of files (.php, etc.) as static. This 
provides a safeguard against serving up config files with passwords and whatnot.

As I don't run Apache any longer I can't help with the details, but I remember 
it being quite simple to accomplish.

There's also a script floating around on the internet that will detect a php 
load failure, send a mail about it, switch config files and start up apache 
without PHP and have it serve up a PHP load error page for all PHP requests.

--
Regards,
T. Koeman, MTh/BSc/BPsy; Technical Monk

MediaMonks B.V. (www.mediamonks.com)
Please quote relevant replies in correspondence.



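Added example, not the script the reply mentions and not from Apache's documentation: the safeguard the reply describes, as an httpd.conf fragment that refuses to serve .php files as static content whenever the PHP module is not loaded, plus a probe that detects whether a server is already handing out PHP source. Assumptions, all mine: Apache 2.2 with the module named php5_module, an Includes directory at /usr/local/etc/apache22/Includes, and fetch(1) available for the probe.

```shell
#!/bin/sh
# PHP source-disclosure guard for Apache 2.2 (added example).

CONF=${CONF:-/usr/local/etc/apache22/Includes/php-guard.conf}

# php_guard_conf: print the fragment. With the PHP module missing, .php files
# are denied outright instead of being served as text (DB passwords included).
# .inc files are never something a browser should receive, so they are denied
# unconditionally.
php_guard_conf() {
    cat <<'EOF'
<IfModule !php5_module>
    <FilesMatch "\.(php|phtml)$">
        Order allow,deny
        Deny from all
    </FilesMatch>
</IfModule>
<FilesMatch "\.inc$">
    Order allow,deny
    Deny from all
</FilesMatch>
EOF
}

# install_guard: write the fragment where apache22 picks it up and syntax-check it.
install_guard() {
    php_guard_conf > "$CONF" && apachectl configtest
}

# looks_like_php_source BODY: true if a response body carries unprocessed PHP.
# Only the PHP open tags are matched, so an XML declaration does not trigger it.
looks_like_php_source() {
    case "$1" in
        *'<?php'*|*'<?='*) return 0 ;;
        *) return 1 ;;
    esac
}

# probe_php_exposure URL: fetch a .php URL and report whether source leaked.
# Uses the fetch(1) FreeBSD ships with; use curl -s elsewhere.
probe_php_exposure() {
    body=$(fetch -q -o - "$1" 2>/dev/null) || { echo "fetch failed: $1"; return 2; }
    if looks_like_php_source "$body"; then
        echo "SOURCE EXPOSED: $1"; return 1
    fi
    echo "ok: $1"
}
```

The probe is the part worth running after every httpd restart: a 403 from the guard is a visible failure, whereas quietly serving source is the one you otherwise find out about from somebody else.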


RE: no apache22, php5 cores

2011-01-21 Thread Terrence Koeman
 -Original Message-
 From: owner-freebsd-questi...@freebsd.org [mailto:owner-freebsd-
 questi...@freebsd.org] On Behalf Of Brad Mettee
 Sent: Saturday, January 22, 2011 00:16
 To: Gary Kline; FreeBSD Mailing List
 Subject: Re: no apache22, php5 cores

[snip]
 Post your output from this:
 netstat -an | grep tcp

 This should show current connections AND current listening sockets. If
 you don't see anything on *.80, then httpd isn't running, or at least
 isn't listening on the right port.


Might also want to try 'lsof -nPi |grep LISTEN', that shows what process is 
listening as well. Maybe not really added value here, but it sure helps when 
you're troubleshooting address/port in use errors and such.

--
Regards,
T. Koeman, MTh/BSc/BPsy; Technical Monk

MediaMonks B.V. (www.mediamonks.com)
Please quote relevant replies in correspondence.



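Added example, not from the thread: the "is anything listening on that port?" check behind both this reply and the earlier "Connection refused means a RST" explanation in the lightbulb thread, as a script. find_listener parses `netstat -an` output, so it can be exercised offline on the constructed sample embedded below; diagnose runs it on the live system and, on FreeBSD, adds the owning process via sockstat(1) and a look at ipfw for rules that would answer with a reset instead of a listener. Assumption, mine: netstat prints the local address as host.port (FreeBSD) or host:port (Linux); both are handled by keeping only what follows the last '.' or ':'.

```shell
#!/bin/sh
# Listening-port diagnosis (added example).

# Constructed sample in FreeBSD netstat -an layout, used by the self-test.
NETSTAT_SAMPLE='Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 192.0.2.10.22          198.51.100.7.51234     ESTABLISHED
tcp4       0      0 *.22                   *.*                    LISTEN
tcp6       0      0 *.22                   *.*                    LISTEN
tcp4       0      0 127.0.0.1.25           *.*                    LISTEN
udp4       0      0 *.514                  *.*'

# find_listener PORT: print LISTEN sockets on PORT from netstat -an on stdin;
# exit 0 if at least one was found, 1 otherwise.
find_listener() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            local = $4
            sub(/.*[.:]/, "", local)      # keep only the port part
            if (local == port) { print; found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# diagnose PORT: live check explaining a "Connection refused" for that port.
diagnose() {
    port=$1
    if netstat -an | find_listener "$port"; then
        echo "something listens on $port; if clients still get a RST, check the firewall:"
        command -v ipfw >/dev/null && ipfw list | grep -iE 'reset|reject'
        command -v sockstat >/dev/null && sockstat -4 -6 -l -p "$port"
        return 0
    fi
    echo "nothing listens on $port: connect() is answered with a RST (Connection refused)"
    return 1
}

# Self-check on the constructed sample: expect the two port-22 listeners.
printf '%s\n' "$NETSTAT_SAMPLE" | find_listener 22
```

Note that a listener bound to 127.0.0.1 only (the port-25 line in the sample) still shows up as LISTEN but refuses connections from other hosts; the local address column is the first thing to read, not just the state.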


RE: sendmail resolv.conf changes

2010-09-14 Thread Terrence Koeman
 -Original Message-
 From: owner-freebsd-questi...@freebsd.org [mailto:owner-freebsd-
 questi...@freebsd.org] On Behalf Of tomasz dereszynski
 Sent: Tuesday, September 14, 2010 11:28 AM
 To: Matthias Apitz; freebsd-questions@freebsd.org
 Subject: Re: sendmail  resolv.conf changes


  On Tuesday, September 14, 2010 at 09:15:49AM +0100, tomasz
  dereszynski wrote:
 
 
  
   Hello,
  
   When using a laptop it is normal that there are some changes in
   resolv.conf during the live, for example:
  
   boot time: no network available
   start of PPP over UMTS: resolv.conf from provider
   start VPN to connect to company: resolv.conf from company
   ...
  
   it seems that sendmail is not aware of such changes in the
 resolv.conf
   and always get stuck with the old DNS and ofc does not work on
  incoming
   mails (provided by fetchmail). A restart helps, but is there some
  better
   way to let sendmail switch to the new DNS environment when
 resolv.conf
   changes?
  
   Thanks
  
  My very wide guess would be that Sendmail starts before the system
  obtains network settings from DHCP.
 
  Your guess is correct :-)
 
  What I wanted to say: sendmail runs and DHCP changes in certain
  situations the IP, routing and DNS, and sendmail does not adapt to these
  changes.


 Delay the Sendmail start until after the network settings are loaded from DHCP.

 not sure if there is any 'documentation correct' way of doing that but
 'home crafted' one would be to move /etc/rc.sendmail to
 /usr/local/etc/rc.d/blah.sendmail.sh and remove it from rc.config

 hope someone here knows more proper way and can advise.


It might be an idea to (mis)use the script option in dhclient.conf to restart 
sendmail (/etc/rc.d/sendmail restart) after a lease has been acquired. See 'man 
dhclient.conf'.

--
Regards,
T. Koeman, MTh/BSc/BPsy; Technical Monk

MediaMonks B.V. (www.mediamonks.com)
Please quote all replies in correspondence.



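Added example, not from the thread: the dhclient-side hook the reply suggests, written as /etc/dhclient-exit-hooks, which FreeBSD's /sbin/dhclient-script sources (with $reason set) after it has applied a lease. It restarts sendmail only when the lease actually changed resolv.conf, so routine renewals with the same DNS servers leave the mail queue alone. Assumptions, all mine: sendmail is started from /etc/rc.d/sendmail and /var/run is writable for the small state file.

```shell
#!/bin/sh
# /etc/dhclient-exit-hooks: restart sendmail when DHCP changed the resolver
# configuration (added example). dhclient-script sets $reason before sourcing
# this file; when run on its own nothing happens.

RESOLV_CONF=${RESOLV_CONF:-/etc/resolv.conf}
STATE=${STATE:-/var/run/resolv.conf.cksum}

# resolv_changed: true when resolv.conf differs from the last copy recorded in
# STATE; the first call (no state yet) counts as a change.
resolv_changed() {
    new=$(cksum < "$RESOLV_CONF" 2>/dev/null) || new=missing
    old=$(cat "$STATE" 2>/dev/null)
    printf '%s\n' "$new" > "$STATE"
    [ "$new" != "$old" ]
}

# restart_on_reason REASON: only lease events that (re)configure the interface
# can change DNS; EXPIRE, FAIL, TIMEOUT and the ARP probes never do.
restart_on_reason() {
    case "$1" in
        BOUND|RENEW|REBIND|REBOOT) return 0 ;;
        *) return 1 ;;
    esac
}

if [ -n "${reason:-}" ] && restart_on_reason "$reason" && resolv_changed; then
    logger -t dhclient-exit-hooks "resolv.conf changed on $reason, restarting sendmail"
    /etc/rc.d/sendmail restart
fi
```

The same hook file is the place for any other daemon that caches resolv.conf at startup; the checksum comparison keeps it from bouncing services on every renewal.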


RE: BSD logo

2010-07-27 Thread Terrence Koeman


[snip]
 
 Perhaps there are some ancient depictions/sculptures of the greek god
 Pan (god of the shepherds) around? Pan partially resembles a goat.


This page has some articles on the subject:

http://www.helium.com/knowledge/112455-where-did-the-image-used-to-represent-satan-come-from

--
Regards,
T. Koeman, MTh/BSc/BPsy; Technical Monk

MediaMonks B.V. (www.mediamonks.com)
Please quote all replies in correspondence.





RE: BSD logo

2010-07-27 Thread Terrence Koeman
 Subject: Re: BSD logo

 On final analysis, I think the OP should abandon any desire for
 FreeBSD in favor of this: http://pudge.net/jesux/

Is this real? It looks like a page from landoverbaptist.com or something. I'm 
still deciding whether to laugh or cry...

--
Regards,
T. Koeman, MTh/BSc/BPsy; Technical Monk

MediaMonks B.V. (www.mediamonks.com)
Please quote all replies in correspondence.





RE: BSD logo

2010-07-27 Thread Terrence Koeman
 -Original Message-
 From: owner-freebsd-questi...@freebsd.org [mailto:owner-freebsd-
 questi...@freebsd.org] On Behalf Of Chip Camden
 Sent: Wednesday, July 28, 2010 12:10 AM
 To: freebsd-questions@freebsd.org
 Subject: Re: BSD logo

 Quoth Paul Schmehl on Tuesday, 27 July 2010:
  --On Tuesday, July 27, 2010 15:49:47 -0500 Reid Linnemann
  lr...@cs.okstate.edu wrote:
 
  On final analysis, I think the OP should abandon any desire for
  FreeBSD in favor of this: http://pudge.net/jesux/
 
  Sheesh.  Now I really have seen everything.

 Not quite.  Someone needs to come out with an OS named Atheix, and
 another called Agnostix.  Then we'll be complete.


I'm imagining Agnostix would need uncertain values for true and false, and 
Atheix wouldn't believe in the PATH and therefore won't look for it.

--
Regards,
T. Koeman, MTh/BSc/BPsy; Technical Monk

MediaMonks B.V. (www.mediamonks.com)
Please quote all replies in correspondence.





RE: Backing up freebsd to 1 file?

2010-04-19 Thread Terrence Koeman
 -Original Message-
 From: owner-freebsd-questi...@freebsd.org [mailto:owner-freebsd-
 questi...@freebsd.org] On Behalf Of J.D. Bronson
 Sent: Sunday, April 18, 2010 3:23 PM
 To: freebsd-questions@freebsd.org
 Subject: Backing up freebsd to 1 file?
 
 I have a freebsd 8.0 install and was wondering if it is possible to tar
 up the entire install...for backup purposes.
 
 # cd /
 # tar -cvf backup.tar {list of directories}
 
 then I can ftp the tar file out to another machine.
 
 This works in theory, but if I need to do a restore tar complains
 on 'tar -xpf backup.tar'.
 
 Under OpenBSD, this works as expected. It has given me an easy way
 to backup/move/restore or anything I want to do w/o complaining.
 
 I am running Freebsd on a machine that has no other drives/tapes or
 anything so my options for backup are limited.
 
 All I am trying to do is get a complete image (or snapshot) of my entire
 install on this machine and then if I needed to reload or reinstall, I
 could do a bare bones freebsd install, copy over the tar'd up file and
 extract it from within / and then reboot and I would be good to go.
 
 Thoughts on this would be appreciated...
 

Perhaps http://ra.phid.ae/stuff/mm-backup-0.9.sh.txt has something that you
like.

-- 
Regards,
T. Koeman, MTh/BSc/BPsy; Technical Monk

MediaMonks B.V. (www.mediamonks.com)
Please quote all replies in correspondence.




RE: licence question

2010-04-14 Thread Terrence Koeman
 -Original Message-
 From: owner-freebsd-questi...@freebsd.org [mailto:owner-freebsd-
 questi...@freebsd.org] On Behalf Of M. Aschhoff
 Sent: Wednesday, April 14, 2010 4:22 PM
 To: freebsd-questions@freebsd.org
 Subject: licence question
 
 hey there,
 
 hope everything's all right?
 I'm using your devil image on my website.
 www.little-devil.de
 someone told me that this image is not under the BSD licence.
 am I allowed to use this image?
 I would be pleased to use it.
 this is my private website; I'm providing free software.
 thank you very much.
 hope to hear from you soon.
 

See: http://www.mckusick.com/beastie/mainpage/copyright.html

-- 
Regards,
T. Koeman, MTh/BSc/BPsy; Technical Monk

MediaMonks B.V. (www.mediamonks.com)
Please quote all replies in correspondence.




RE: Force reboot after kernel panic.

2010-04-13 Thread Terrence Koeman
 -Original Message-
 From: owner-freebsd-questi...@freebsd.org [mailto:owner-freebsd-
 questi...@freebsd.org] On Behalf Of Paul Halliday
 Sent: Tuesday, April 13, 2010 3:17 PM
 To: questi...@freebsd.org
 Subject: Force reboot after kernel panic.
 
 How can I enforce this? Presently the system just hangs.

Add to kernconf:

options KDB_UNATTENDED

-- 
Regards,
T. Koeman, MTh/BSc/BPsy; Technical Monk

MediaMonks B.V. (www.mediamonks.com)
Please quote all replies in correspondence.




RE: ipfw weirdness after csup/buildworld

2010-04-01 Thread Terrence Koeman
I've seen the same, see: http://forums.freebsd.org/showthread.php?p=75765

--
Regards,
T. Koeman, MTh/BSc/BPsy; Technical Monk

MediaMonks B.V. (www.mediamonks.com)
Please quote all replies in correspondence.


 -Original Message-
 From: owner-freebsd-questi...@freebsd.org [mailto:owner-freebsd-
 questi...@freebsd.org] On Behalf Of Tim Gustafson
 Sent: Thursday, April 01, 2010 7:12 PM
 To: freebsd-questions@freebsd.org
 Subject: ipfw weirdness after csup/buildworld

 I am running: FreeBSD 8.0-STABLE amd64

 After recently csup'ing to the latest sources and then a build/install
 cycle, my ipfw started misbehaving badly.  I'm seeing lots of:

 ipfw: install_state: entry already present, done

 and also lots of:

 ipfw: ouch!, skip past end of rules, denying packet

 When I did an ipfw list, I got something like this:

 0  ip from any to any

 Note the rule number is all zeros, and there's no allow or deny.
 Adding rules or removing rules didn't fix anything, nor did an ipfw
 flush.  Once it was in that state, attempting to kldunload ipfw
 caused the system to hang.  The only fix for now was to disable the
 firewall.

 When I went into single user mode, and did:

 kldload ipfw
 ipfw /etc/firewall.rules (which is the same ruleset I had loaded on
 boot)

 everything worked fine, but when I went into multi-user mode and did
 the same thing, it failed with the symptoms listed above.

 Just to be sure, a day after this started happening I did a csup again
 and another build/install cycle but got exactly the same results.

 Any ideas?

 Tim Gustafson
 Baskin School of Engineering
 UC Santa Cruz
 t...@soe.ucsc.edu
 831-459-5354






RE: Faking multiple physical adapters for DHCPDISCOVER

2006-04-12 Thread Terrence Koeman
 -Original Message-
 From: Chuck Swiger [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, April 11, 2006 6:17 PM
 Subject: Re: Faking multiple physical adapters for DHCPDISCOVER
 
 Terrence Koeman wrote:
 [ ... ]
  I need to 'clone' the xl1 adapter to appear as three adapters, each
  with a distinct MAC address. This because my provider has assigned me
  three semi-static addresses of which I want to use 1 for outbound
  NAT-traffic and two for static NAT.
 
  These addresses are semi-static because they are basically MAC-based
  reservations on the providers DHCP server, and it happens to be that
  I'm required to acquire a DHCP lease for all three addresses for
  routing to work properly. If I configure the addresses statically the
  connectivity 'disappears' after a while.
 
 The reason why your ISP has configured their system in such a fashion is to
 prevent people from claiming multiple static IPs from a single machine.
 
 If you're not happy with their AUP, use another provider, or pay for a
 dedicated IP allocation of whatever size you need.
 
 --
 -Chuck

That's not the case here, I'm actually trying to use fewer IPs. And besides
that my ISP allows up to 16 IPs to be used in their AUP.

I have about 5 clients that can share 1 IP with NAT and I have 2 other
clients that need to have an IP of their own.

If I can have all IPs bound to the server then I can simply NAT the 5
clients and static-NAT the remaining 2. Otherwise I'd need to bridge/route
and do NAT at the same time, which is not possible here, because then the 5
NAT-ed clients would need to get their IPs from the local DHCP server and
the 2 bridged clients would need to get them from the ISP DHCP server. I
could block DHCP from being bridged and do DHCP proxying for the other 2
clients, but it'd make it all much more complicated.

-- 
Regards,
Terrence Koeman

MediaMonks B.V. (www.mediamonks.com)
Please quote all replies in correspondence.




Faking multiple physical adapters for DHCPDISCOVER

2006-04-10 Thread Terrence Koeman
Hi,

I'm trying to 'fake' multiple physical adapters in my FreeBSD 6.1-PRERELEASE
system, but I'm not getting anywhere.

-There are two 3Com 905C cards in the system (xl0 and xl1).
-xl1 is assigned a static private IP address and xl0 acquires an address from
my provider using DHCP.
-The system does NAT for several clients having private addresses.

I need to 'clone' the xl1 adapter to appear as three adapters, each with a
distinct MAC address. This is because my provider has assigned me three
semi-static addresses of which I want to use 1 for outbound NAT-traffic and
two for static NAT.

These addresses are semi-static because they are basically MAC-based
reservations on the provider's DHCP server, and it happens to be that I'm
required to acquire a DHCP lease for all three addresses for routing to work
properly. If I configure the addresses statically the connectivity
'disappears' after a while.

I tried using netgraph as suggested here:
http://ezine.daemonnews.org/200406/netgraph.html

ifconfig xl1 delete
ngctl mkpeer . eiface hook ether
ifconfig ngeth0 up
ngctl mkpeer ngeth0: bridge lower link0
ngctl name ngeth0:lower mybridge
ngctl connect xl1: mybridge: lower link1
ngctl connect xl1: mybridge: upper link2
ngctl connect ngeth0: mybridge: upper link3
ngctl msg xl1: setautosrc 0
ngctl msg xl1: setpromisc 1
ifconfig ngeth0 link 00:50:04:32:8a:6b

At this point everything seems OK, the MAC address is correctly set and xl1
is in promiscuous mode. However, when I try 'dhclient ngeth0' the adapter does
not get any response/lease.

I also tried using a vlan interface as following:

ifconfig vlan create
ngctl msg xl1: setautosrc 0
ifconfig vlan0 vlan 0 vlandev xl1 
ifconfig vlan0 link 00:50:04:32:8a:6b

The same here, 'dhclient vlan0' fails.

I also thought that it'd be much simpler to have a dhcp client that I could
instruct to spoof the MAC addresses so that it would acquire leases for 3
distinct MAC addresses, and run as a daemon so that it renews them when they
expire. I could then just configure the addresses statically and not have
to clone any adapters. However, I haven't found any client that could do
this...

At the moment I'm out of ideas and I was hoping that someone here could point
me in the right direction with this problem.

-- 
Regards,
Terrence Koeman

MediaMonks B.V. (www.mediamonks.com)
Please quote all replies in correspondence.






RE: Network configuration

2004-07-15 Thread Terrence Koeman
I had to do one more thing:

I needed to bind the IP the box got to the other adapter too. So now the ip
is bound twice, but once with a netmask of 255.255.255.255. It was needed to
let the clients ping the bridge by its external ip.

-- 
Regards,
Terrence Koeman
 
MediaMonks B.V. (www.mediamonks.com)
Please quote all replies in correspondence. 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Terrence Koeman
 Sent: Sunday, July 11, 2004 17:38
 To: [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; 
 [EMAIL PROTECTED]; [EMAIL PROTECTED]; 
 [EMAIL PROTECTED]
 Subject: RE: Network configuration
 
 Hi,
 
 Thank you all for the help and time. I finally got it all working with bits
 from most emails.
 
 I'll include my configuration here for others in the same situation (any
 comments are welcome):
 
 It's now:
 
                        --------------
                        | SDSL Modem |
                        |  Bridged   |
                        --------------
                               |
                  --------------------------
                  | xl1: 217.1.1.155, DHCP |
                  |      Freebsd Box       |
                  |     xl0: UP, no ip     |
                  --------------------------
                               |
                          ----------
           |--------------| SWITCH |---------------|
           |              ----------               |
           |                   |                   |
 ------------------- ------------------- -------------------
 | C1: 217.1.1.156 | | C2: 217.1.1.157 | | C3: 217.1.1.158 |
 ------------------- ------------------- -------------------
 
 (Notice the switch of xl1 and xl0, this made it work).
 
 xl1 and xl0 are bridged so that all clients have full internet connectivity.
 Additionally the clients share the available bandwidth fairly, with ssh,
 telnet, dns and http having a higher priority than other traffic.
 
 Using a private ip on xl0 and adding natd is still possible for use in the
 future.
 
 
 FreeBSD samsara.mediamonks.net 5.2-CURRENT FreeBSD 5.2-CURRENT #5: Sat Jul 10 22:13:16 CEST 2004 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/SAMSARA  i386
 
 
 /sys/i386/conf/SAMSARA:
 machine i386
 cpu I686_CPU
 ident   SAMSARA
 
 options SCHED_ULE           # ULE scheduler
 options INET                # InterNETworking
 options FFS                 # Berkeley Fast Filesystem
 options SOFTUPDATES         # Enable FFS soft updates support
 options UFS_DIRHASH         # Improve performance on big directories
 options CD9660              # ISO 9660 Filesystem
 options PROCFS              # Process filesystem (requires PSEUDOFS)
 options PSEUDOFS            # Pseudo-filesystem framework
 options COMPAT_43           # Compatible with BSD 4.3 [KEEP THIS!]
 options KBD_INSTALL_CDEV    # install a CDEV entry in /dev
 
 options HZ=5000
 options ATA_STATIC_ID   # Static device numbering
 
 options IPFIREWALL
 options IPFIREWALL_DEFAULT_TO_ACCEPT
 options IPFIREWALL_VERBOSE
 options IPFIREWALL_VERBOSE_LIMIT=100
 options DUMMYNET
 options BRIDGE
 
 device  isa
 device  pci
 
 device  fdc
 device  ata
 device  atadisk # ATA disk drives
 device  atapicd # ATAPI CDROM drives
 device  atkbdc  # AT keyboard controller
 device  atkbd   # AT keyboard
 device  vga # VGA video card driver
 device  sc
 device  npx
 
 device  miibus  # MII bus support
 device  xl      # 3Com 3c90x (``Boomerang'', ``Cyclone'')
 
 device  random  # Entropy device
 device  loop# Network loopback
 device  ether   # Ethernet support
 device  pty # Pseudo-ttys (telnet etc)
 
 device  bpf # Berkeley packet filter
 
 
 /etc/rc.conf:
 hostname="samsara.mediamonks.net"
 
 ifconfig_xl1="DHCP"
 ifconfig_xl0="UP"
 
 jail_enable="NO"
 kldxref_enable="NO"
 
 kern_securelevel="3"
 kern_securelevel_enable="YES"
 
 firewall_enable="YES"
 firewall_script="/etc/rc.firewall"
 firewall_type="/etc/ipfw.rules"
 firewall_quiet="NO"
 firewall_logging="YES"
 firewall_flags=""
 
 nfs_server_enable="NO"
 gateway_enable="NO"
 
 syslogd_flags="-ss"
 
 sendmail_enable="NO"
 sshd_enable="YES"
 usbd_enable="NO"
 squid_enable="NO"
 apache2_enable="YES"
 oidentd_enable="YES"
 snmpd_enable="YES"
 snmpd_flags="-a -Lsd -p /var/run/snmpd.pid 127.0.0.1:161"
 
 
 /etc/sysctl.conf:
 security.bsd.see_other_uids=0
 security.bsd.see_other_gids=0

RE: Network configuration

2004-07-11 Thread Terrence Koeman
 #all other ip

#queues for local system
queue 30 config pipe 1 weight 50 mask dst-ip 0x
queue 31 config pipe 2 weight 50 mask src-ip 0x

#allow traffic on loopback interface
add 00100 allow ip from any to any via lo0

#deny lost/hostile packets to the loopback addresses, return host unreach
add 00110 unreach host log logamount 20 ip from any to 127.0.0.0/8 via any

#deny any private address, return host unreach
add 00301 unreach host log logamount 20 ip from 10.0.0.0/8 to any in via any
add 00302 unreach host log logamount 20 ip from 172.16.0.0/12 to any in via any
add 00303 unreach host log logamount 20 ip from 192.168.0.0/16 to any in via any

#deny windows networking, return RST
add 00500 reset log logamount 20 ip from any to any 135,137-139 via any

#for bridged traffic, skip
add skipto 2 ip from any to any via any bridged

#** natd divert is possible here, if xl0 gets a private IP. **

#deny packets with a source address known on a different interface, return host unreach
add 00800 unreach host log logamount 20 ip from any to any not verrevpath in

# for non-bridged traffic, skip
add skipto 3 ip from any to any via any

  #push bridged traffic in appropriate queues
  add 2 queue 10 icmp from any to any in recv xl1
  add 20100 queue 11 ip from any 22,23,53,80 to any in recv xl1
  add 20200 queue 11 ip from any to any 22,23,53,80 in recv xl1
  add 20300 queue 12 ip from any to any in recv xl1

  add 21000 queue 20 icmp from any to any in recv xl0
  add 21100 queue 21 ip from any to any 22,23,53,80 in recv xl0
  add 21200 queue 21 ip from any 22,23,53,80 to any in recv xl0
  add 21300 queue 22 ip from any to any in recv xl0

add skipto 5 log logamount 20 ip from any to any via any

  #push non-bridged (local) traffic in appropriate queues
  add 3 queue 30 icmp from any to any in recv xl1
  add 30100 queue 30 ip from any to any in recv xl1

  add 31000 queue 31 icmp from any to any out xmit xl1
  add 31100 queue 31 ip from any to any out xmit xl1

add 5 pass all from any to any


I hope this helps someone in the future :)

-- 
Regards,
Terrence Koeman
 
MediaMonks B.V. (www.mediamonks.com)
Please quote all replies in correspondence. 

 -Original Message-
 From: Randy Grafton [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, July 08, 2004 21:04
 To: [EMAIL PROTECTED]
 Subject: RE: Network configuration
 
 I setup a little home network using my FreeBSD box as the 'router'. There
 are two boxes on my internal LAN that I wanted to have access to from the
 internet as well as provide full internet access to all internal
 clients/servers.
 
 Like I said, I recompiled my kernel with the nat options. I'll list the
 steps here, if you've already performed them then at least I got in some
 typing practice.
 
 Install the kernel sources. Insert your install disk and from the command
 line run /stand/sysinstall.
 Select the Configure option then the Distributions option then src and
 finally sys.
 Once the sources are installed you will go to /usr/src/sys/i386/conf. Within
 this directory are two files, GENERIC and LINT. Make a copy of GENERIC with
 a name of your choosing. Edit the GENERIC copy and add the following lines:
 options  IPFIREWALL
 options  IPFIREWALL_VERBOSE
 options  IPFIREWALL_VERBOSE_LIMIT=10
 options  IPDIVERT
 
 Save the modified file and compile your kernel. This is done by doing:
 config GENERIC COPY NAME
 cd ../../GENERIC COPY NAME
 make
 make install
 reboot
 
 Now you'll edit your /etc/rc.conf file.
 Add these lines to it:
 gateway_enable="YES"
 ifconfig_xl0="inet 217.1.1.155 netmask your netmask"
 ifconfig_xl0_alias0="inet 217.1.1.155 netmask your netmask"
 ifconfig_xl0_alias1="inet 217.1.1.156 netmask your netmask"
 ifconfig_xl0_alias2="inet 217.1.1.157 netmask your netmask"
 ifconfig_xl0_alias3="inet 217.1.1.158 netmask your netmask"
 ifconfig_xl1="inet 192.168.1.1 netmask 255.255.255.0"
 firewall_type="OPEN"
 firewall_quiet="YES"
 firewall_logging="YES"
 natd_enable="YES"
 natd_interface="xl0"
 natd_flags="-f /etc/natd.conf" (explained below)
 
 Now create the /etc/natd.conf file with these lines:
 same ports yes
 dynamic yes
 redirect_port tcp 192.168.1.2 217.1.1.156
 redirect_port udp 192.168.1.2 217.1.1.156
 redirect_port tcp 192.168.1.3 217.1.1.157
 redirect_port udp 192.168.1.3 217.1.1.157
 redirect_port tcp 192.168.1.4 217.1.1.158
 redirect_port udp 192.168.1.5 217.1.1.158
 
 The redirect_port has this syntax:
 redirect_port tcp dest_internal_address src_external_address
 redirect_port udp dest_internal_address src_external_address
 
  --
  | SDSL Modem |
  |  Bridged   |
  --
|
  --
  |xl0: 217.1.1.155|
  |xl0: 217.1.1.156|
  |xl0: 217.1.1.157|
  |xl0: 217.1.1.158

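A small Python model of the ipfw ruleset posted above, added here as an example (it is not part of Terrence's mail or of FreeBSD): it walks a constructed packet through the rule order (loopback, private sources, Windows ports, the bridged skipto block, verrevpath, the local queues) and returns the first rule that settles its fate. It assumes the clients' 217.1.1.152/29 prefix and the default route are reachable via xl1, and that dummynet runs with one_pass=1; the bridged branch makes visible that bridged traffic is only queued and never reaches the verrevpath check in rule 00800.

```python
import ipaddress

# Constructed model of the ipfw ruleset posted above (a subset, not the
# author's own file). Assumed: the clients' public /29 is reachable via xl1,
# the default route leaves via xl1, and dummynet runs with one_pass=1 so a
# queue rule is the last rule a packet hits.
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
WINDOWS_PORTS = {135, 137, 138, 139}
PRIORITY_PORTS = {22, 23, 53, 80}
KNOWN_PREFIXES = {ipaddress.ip_network("217.1.1.152/29"): "xl1"}  # assumed

def verrevpath_ok(src, recv_iface):
    """ipfw 'verrevpath': the route back to src must leave via recv_iface."""
    for net, out_iface in KNOWN_PREFIXES.items():
        if src in net:
            return out_iface == recv_iface
    return recv_iface == "xl1"  # everything else follows the default route

def evaluate(p):
    """Return (action, detail): detail is the rule number for allow/deny
    rules and the dummynet queue number for queue rules."""
    src, dst = ipaddress.ip_address(p["src"]), ipaddress.ip_address(p["dst"])
    ports = {p["sport"], p["dport"]}
    if p["iface"] == "lo0":
        return ("allow", 100)                       # rule 00100
    if dst in LOOPBACK:
        return ("unreach host", 110)                # rule 00110
    if p["dir"] == "in":
        for i, net in enumerate(PRIVATE):
            if src in net:
                return ("unreach host", 301 + i)    # rules 00301-00303
    if p["proto"] in ("tcp", "udp") and p["dport"] in WINDOWS_PORTS:
        return ("reset", 500)                       # rule 00500
    if p["bridged"]:
        # skipto the bridged block: packets are only queued there, so the
        # verrevpath check in rule 00800 never sees bridged traffic
        base = 10 if p["iface"] == "xl1" else 20
        if p["proto"] == "icmp":
            return ("queue", base)
        return ("queue", base + 1 if ports & PRIORITY_PORTS else base + 2)
    if p["dir"] == "in" and not verrevpath_ok(src, p["iface"]):
        return ("unreach host", 800)                # rule 00800
    # non-bridged (local) traffic: queue 30 inbound, queue 31 outbound
    return ("queue", 30 if p["dir"] == "in" else 31)

def pkt(src, dst, proto="tcp", sport=40000, dport=80, iface="xl1",
        direction="in", bridged=False):
    """Build a constructed packet description for evaluate()."""
    return dict(src=src, dst=dst, proto=proto, sport=sport, dport=dport,
                iface=iface, dir=direction, bridged=bridged)

if __name__ == "__main__":
    # Constructed sample packets, one per branch of interest.
    print(evaluate(pkt("10.1.2.3", "217.1.1.155")))              # rule 301
    print(evaluate(pkt("8.8.8.8", "217.1.1.156", bridged=True)))  # queue 11
    print(evaluate(pkt("1.2.3.4", "217.1.1.155", iface="xl0")))   # rule 800
```

The last sample shows the asymmetry worth knowing about: the same packet arriving on xl0 is refused by verrevpath when it is local traffic, but is simply queued when it is bridged.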
Network configuration

2004-07-08 Thread Terrence Koeman
Hi,

I have been busy setting up a network the last 3 days, but I cannot get it
working.

Basically I have no clue what has to be setup etc. and if I need bridging or
not.

The situation is as follows:

                      --------------
                      | SDSL Modem |
                      |  Bridged   |
                      --------------
                             |
                    ------------------
                    |xl0: 217.1.1.155|
                    |                |
                    |  Freebsd Box   |
                    |                |
                    |      xl1       |
                    ------------------
                             |
                        ----------
         |--------------| SWITCH |---------------|
         |              ----------               |
         |                   |                   |
------------------- ------------------- -------------------
| C1: 217.1.1.156 | | C2: 217.1.1.157 | | C3: 217.1.1.158 |
------------------- ------------------- -------------------


The FreeBSD box has full internet connectivity and I can also get NAT
working, but the thing is that I need those non-private IP's bound to the
clients and I need ipfw between the clients and the modem. Also I need the
FreeBSD machine to have a non-private IP address. I have no clue as to
getting the packets from those clients to the internet. I tried bridging xl0
and xl1 and using 217.1.1.155 as gateway, but that didn't work.

Maybe someone that knows how to do something like this can shed some light
on it for me?

Thanks in advance.

-- 
Regards,
Terrence Koeman
 
MediaMonks B.V. (www.mediamonks.com)
Please quote all replies in correspondence.

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


RE: Network configuration

2004-07-08 Thread Terrence Koeman
I haven't got any real config right now as I'm not sure about how to start
with this.

-- 
Regards,
Terrence Koeman
 
MediaMonks B.V. (www.mediamonks.com)
Please quote all replies in correspondence. 

 -Original Message-
 From: JJB [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, July 08, 2004 17:58
 To: [EMAIL PROTECTED]
 Subject: RE: Network configuration
 
 Post the full content of your rc.conf file and your ipfw rule set.
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of 
 Terrence Koeman
 Sent: Thursday, July 08, 2004 11:10 AM
 To: [EMAIL PROTECTED]
 Subject: Network configuration
 
 Hi,
 
 I have been busy setting up a network the last 3 days, but I 
 cannot get it working.
 
 Basically I have no clue what has to be setup etc. and if I 
 need bridging or not.
 
 The situation is as follows:
 
                       --------------
                       | SDSL Modem |
                       |  Bridged   |
                       --------------
                              |
                     ------------------
                     |xl0: 217.1.1.155|
                     |                |
                     |  Freebsd Box   |
                     |                |
                     |      xl1       |
                     ------------------
                              |
                         ----------
          |--------------| SWITCH |---------------|
          |              ----------               |
          |                   |                   |
 ------------------- ------------------- -------------------
 | C1: 217.1.1.156 | | C2: 217.1.1.157 | | C3: 217.1.1.158 |
 ------------------- ------------------- -------------------
 
 
 The FreeBSD box has full internet connectivity and I can also 
 get NAT working, but the thing is that I need those 
 non-private IP's bound to the clients and I need ipfw between 
 the clients and the modem. Also I need the FreeBSD machine to 
 have a non-private IP address. I have no clue as to getting 
 the packets from those clients to the internet. I tried 
 bridging xl0 and xl1 and using 217.1.1.155 as gateway, but 
 that didn't work.
 
 Maybe someone that knows how to do something like this can 
 shed some light on it for me?
 
 Thanks in advance.
 
 --
 Regards,
 Terrence Koeman
 
 MediaMonks B.V. (www.mediamonks.com)
 Please quote all replies in correspondence.
 
 
 
 



RE: IP Aliasing Question

2004-07-08 Thread Terrence Koeman
Have you tried using:

ifconfig vr0 alias 10.0.38.237 netmask 255.0.0.0 broadcast 10.255.255.255
ifconfig vr0 alias 10.255.38.237 netmask 255.255.255.255 broadcast 10.255.255.255

-- 
Regards,
Terrence Koeman
 
MediaMonks B.V. (www.mediamonks.com)
Please quote all replies in correspondence. 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Andrew Kilpatrick
 Sent: Thursday, July 08, 2004 18:58
 To: [EMAIL PROTECTED]
 Subject: IP Aliasing Question
 
 Hey,
 
 What I'm trying to do involves FreeBSD and IP aliases. 
 Hopefully someone has some ideas. Here's the general idea of 
 what I'm trying to do:
 
 I've got vr0, which is assigned to some IP address... let's 
 say: 192.168.1.90 with a subnet mask of 255.255.255.0. This 
 is all fine, and everything works.
 
 I'm implementing a protocol called ArtNet (which I didn't 
 design) which uses 10.x.x.x network for controlling lighting. 
 It's all UDP, and uses broadcast packets to 10.255.255.255. 
 IP addresses of hosts are determined by a sort of shitty 
 algorithm based on the MAC address, and can appear anywhere 
 in the class A. This allows: a) IPv4 (yes, I know IPv6 would 
 be better) and b) autoconfiguration without the need for a 
 DHCP server. I didn't make it up, I'm just trying to make my 
 stuff work with it.
 
 So, here's the deal I want to add 2 aliases to vr0 so 
 that I can run 2 ArtNet services on the same machine. So, the 
 aliases would look something like this:
 
 10.0.38.237 netmask 255.0.0.0
 10.255.38.237 netmask 255.0.0.0
 
 Adding the first one like this works: ifconfig vr0 inet 
 10.0.38.237 netmask 255.0.0.0 alias
 
 However, adding the second fails, I'm assuming because the 
 netmasks overlap. I can understand why this is so, but for my 
 application I actually want this. 
 Because programs listening on both addresses both need to 
 receive broadcast packets sent to 10.255.255.255.
 
 So, how can this be done? Adding a second NIC is not an option.
 
 
 Cheers,
 
 Andrew
 
 ___
 [EMAIL PROTECTED] mailing list 
 http://lists.freebsd.org/mailman/listinfo/freebsd-questions
 To unsubscribe, send any mail to 
 [EMAIL PROTECTED]
 
 



RE: Network configuration

2004-07-08 Thread Terrence Koeman
 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Nathan Kinkade
 Sent: Thursday, July 08, 2004 19:49
 To: Terrence Koeman
 Cc: [EMAIL PROTECTED]
 Subject: Re: Network configuration
 
 On Thu, Jul 08, 2004 at 05:10:28PM +0200, Terrence Koeman wrote:
  Hi,
  
  I have been busy setting up a network the last 3 days, but I cannot get it
  working.
  
  Basically I have no clue what has to be setup etc. and if I need bridging or
  not.
  
  The situation is as follows:
  
                        --------------
                        | SDSL Modem |
                        |  Bridged   |
                        --------------
                               |
                      ------------------
                      |xl0: 217.1.1.155|
                      |                |
                      |  Freebsd Box   |
                      |                |
                      |      xl1       |
                      ------------------
                               |
                          ----------
           |--------------| SWITCH |---------------|
           |              ----------               |
           |                   |                   |
  ------------------- ------------------- -------------------
  | C1: 217.1.1.156 | | C2: 217.1.1.157 | | C3: 217.1.1.158 |
  ------------------- ------------------- -------------------
  
  
  The FreeBSD box has full internet connectivity and I can also get NAT
  working, but the thing is that I need those non-private IP's bound to the
  clients and I need ipfw between the clients and the modem. Also I need the
  FreeBSD machine to have a non-private IP address. I have no clue as to
  getting the packets from those clients to the internet. I tried bridging xl0
  and xl1 and using 217.1.1.155 as gateway, but that didn't work.
  
  Maybe someone that knows how to do something like this can shed some light
  on it for me?
  
  Thanks in advance.
  
  -- 
  Regards,
  Terrence Koeman
 
 You could make the FreeBSD box a bridge and still use IPFW.  It really
 depends on whether you will have other clients that will NOT have public
 IP addresses that will need NAT - you don't specify whether this is the
 case.  For FreeBSD to be setup as a bridge/IPFW machine you will
 minimally need a kernel compiled with the following options:
 
 options IPFIREWALL
 options BRIDGE
 
 After you have built and installed this kernel add the following entries
 to /etc/sysctl.conf:
 
 net.link.ether.bridge=1
 net.link.ether.bridge_cfg=xl0,xl1
 net.link.ether.bridge_ipfw=1
 net.inet.ip.fw.enable=0
 
 You will probably want to add the following lines to /etc/rc.conf so
 that some IPFW rules will be loaded at boot:
 
 firewall_enable=YES
 firewall_type=your fw type
 
 Read the firewall(7) manpage for more information.
 
 If you don't have console access to the FreeBSD machine beware that the
 default rule is to deny packets.  Therefore if you build IPFW into the
 kernel and don't allow for some basic rules to be added at boot you will
 likely be locked out from anything but console access.
 
There might be more clients that will require nat later.

I tried this with:
-217.1.1.155 bound to xl0
-nothing bound to xl1
-xl0 and xl1 bridged.
-no ipfw rules and default to accept.

When I try this the box is dead, no connectivity out and 217.1.1.155 is not
reachable.

If I try the exact same setup and bind 192.168.0.1 to xl1 I can connect to
it when bridged, but the rest remains the same.

-- 
Regards,
Terrence Koeman
 
MediaMonks B.V. (www.mediamonks.com)
Please quote all replies in correspondence. 
