Re: How to get my Dad's Win2k system to access internet through my FreeBSD 6.2 system

2008-10-16 Thread Da Rock

On Wed, 2008-10-15 at 22:22 -0700, mdh wrote:
 --- On Thu, 10/16/08, Da Rock [EMAIL PROTECTED] wrote:
  From: Da Rock [EMAIL PROTECTED]
  Subject: Re: How to get my Dad's Win2k system to access internet through my 
  FreeBSD 6.2 system
  To: freebsd-questions@freebsd.org
  Date: Thursday, October 16, 2008, 1:04 AM
 
  grin Actually I'm not sure... I'm just an
  innocent bystander :)
  
  Throughout the thread there was mention of enabling nat in
  the rc.conf,
  so whichever that was...
  
  My consideration was just in general. Someone mentioned
  enabling nat,
  another said don't double nat, so I thought routed
  would be better. But
  it seems routed is not the way to go, but to keep
  gateway_enable:
  question remains as to whether to use nat or not (I suppose
  in any form;
  but if you can enlighten me with regard if one form of nat
  is better
  than another especially in the case of double nat then
  I'd appreciate
  the information).
  
  The main reason I'm bring up this issue is to clarify
  (and possibly the
  OP will then get a better picture too) of precisely how to
  accomplish
  the result required. And maybe increase my knowledge of the
  subject
  too :) thats always a good thing.
 
 Essentially, you need three things to accomplish nat'ing via the way I'm 
 going to describe.  There're several ways to do it, but I'll only cover one 
 here, because to describe others, I'd need to go look up docs, which you're 
 more than welcome to do for yourself if you don't like the way I'm going to 
 touch on.  
 
 First, you need gateway_enable set to yes in /etc/rc.conf.  This is 
 universally true regardless of which method you use for nat'ing.  What this 
 does is instruct the kernel that it has multiple interfaces, and that it must 
 pass packets across them, acting as a router.  This has nothing to do with 
 various route discovery protocols, it only sets a sysctl which tells the 
 kernel to route packets across multiple interfaces.  The default behavior is 
 for the kernel not to do so.  
 
 Second, you'll need some way for your NAT to get packets.  In some cases, the 
 NAT method is built into the way that it gets packets.  With the way I'm 
 discussing here, it's not.  In this case, we'll use `ipfw`.  You'll need a 
 kernel that supports ipfw for this to work, obviously.  The rule you'll need 
 should look something like this:
 
 divert 8668 ip4 from any to any via sis0
 
 Where sis0 is your EXTERNAL network interface (ie, the one facing your cable 
 modem, modem, or whatever else.)  The command to add this should look 
 something like: `ipfw add <rule number> divert 8668 ip4 from any to any via 
 <interface>` where <rule number> is the rule number you'll use (it should be a 
 low one!) and <interface> is your external-facing network interface device.  
 
 Third, you'll need natd itself.  natd can be enabled via - you guessed it - 
 the rc.conf variable natd_enable.  That's not all, though.  You'll also need 
 to (in rc.conf) set natd_interface to the interface you specified in the 
 firewall rule, and you'll almost certainly want to set natd_flags to -u.  
 
 So all in all, you'll need the ipfw rule, ipfw enabled in your kernel, and 
 the following lines in rc.conf:
 gateway_enable="YES"
 natd_program="/sbin/natd"
 natd_enable="YES"
 natd_interface="sis0"
 natd_flags="-u"
 
 You may also need to run dhclient or somesuch to get an address from your 
 ISP, but that's a whole other story.  
 Enjoy.  
 
 - mdh

Been there, done that before (at the time I was merely fumbling, but I
have greater experience now)... interesting point in that is the fact
that natd_enable tells the kernel to pass packets between interfaces.

I'm assuming the problem with double nat'ing is the confusion in packet
traffic. So if the OP is using his ADSL modem to connect to the net,
then it could be safe to assume the public IP would be to the modem
itself, and not his box (barring the possible use of USB), so then the
nat'ing would already be done. Therefore, the best and easiest way would
be to simply bridge his interfaces- correct? Less overheads, etc, plus
simplicity of setup.

Oh I love a good hypothetical- it lets me experiment with systems
without touching anything or breaking it :) The fact that someone else
might build on their knowledge is just a cherry on top. I've not come
across another list that so freely shares knowledge... it's great!

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: Interrupt storm detected on irq10:; throttling interrupt source

2008-10-16 Thread nazir
On Thu, Oct 16, 2008 at 12:20 PM, Jeremy Chadwick [EMAIL PROTECTED] wrote:
 On Wed, Oct 15, 2008 at 06:17:56PM -0700, mdh wrote:
 --- On Wed, 10/15/08, nazir [EMAIL PROTECTED] wrote:
  From: nazir [EMAIL PROTECTED]
  Subject: Interrupt storm detected on irq10:; throttling interrupt source
  To: freebsd-questions@freebsd.org
  Date: Wednesday, October 15, 2008, 8:44 PM
  Hi,
 
  I'm getting these on my HP-DL165 AMD Quad Core
 
  interrupt storm detected on irq10:; throttling
  interrupt source

 What is on IRQ 10?  You can determine this via the command:
 `dmesg |grep irq` then look for the line for IRQ 10 which specifies what 
 device is there.  It could be a driver problem, or it could be that the 
 hardware there is bunk.
 - mdh

 vmstat -i output would also come in handy here.

# vmstat -i
interrupt                          total       rate
irq1: atkbd0                          30          0
irq10: ohci0 ohci+               8265418        989
irq33: mpt0                        49348          5
irq40: bge0                        75482          9
cpu0: timer                     16431874       1968
cpu2: timer                     16424530       1967
cpu3: timer                     16424557       1967
cpu1: timer                     16424557       1967
cpu4: timer                     16424556       1967
cpu6: timer                     16424540       1967
cpu7: timer                     16424521       1967
cpu5: timer                     16424556       1967
Total                          139793969      16743


 --
 | Jeremy Chadwick                                jdc at parodius.com |
 | Parodius Networking                       http://www.parodius.com/ |
 | UNIX Systems Administrator                  Mountain View, CA, USA |
 | Making life hard for others since 1977.              PGP: 4BD6C0CB |




Re: Interrupt storm detected on irq10:; throttling interrupt source

2008-10-16 Thread Jeremy Chadwick
On Thu, Oct 16, 2008 at 03:23:33PM +0800, nazir wrote:
 On Thu, Oct 16, 2008 at 12:20 PM, Jeremy Chadwick [EMAIL PROTECTED] wrote:
  On Wed, Oct 15, 2008 at 06:17:56PM -0700, mdh wrote:
  --- On Wed, 10/15/08, nazir [EMAIL PROTECTED] wrote:
   From: nazir [EMAIL PROTECTED]
   Subject: Interrupt storm detected on irq10:; throttling interrupt 
   source
   To: freebsd-questions@freebsd.org
   Date: Wednesday, October 15, 2008, 8:44 PM
   Hi,
  
   I'm getting these on my HP-DL165 AMD Quad Core
  
   interrupt storm detected on irq10:; throttling
   interrupt source
 
  What is on IRQ 10?  You can determine this via the command:
  `dmesg |grep irq` then look for the line for IRQ 10 which specifies what 
  device is there.  It could be a driver problem, or it could be that the 
  hardware there is bunk.
  - mdh
 
  vmstat -i output would also come in handy here.
 
 # vmstat -i
 interrupt                          total       rate
 irq1: atkbd0                          30          0
 irq10: ohci0 ohci+               8265418        989
 irq33: mpt0                        49348          5
 irq40: bge0                        75482          9
 cpu0: timer                     16431874       1968
 cpu2: timer                     16424530       1967
 cpu3: timer                     16424557       1967
 cpu1: timer                     16424557       1967
 cpu4: timer                     16424556       1967
 cpu6: timer                     16424540       1967
 cpu7: timer                     16424521       1967
 cpu5: timer                     16424556       1967
 Total                          139793969      16743

Can you provide full output of dmesg?  It appears you have an OHCI USB
controller that is going crazy with interrupts, but there may be
more devices attached to IRQ 10 which could be responsible (I think
that's what the + indicates).

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |



Re: System lockup when out of space in /usr

2008-10-16 Thread Norberto Meijome
On Wed, 15 Oct 2008 06:14:24 +
[EMAIL PROTECTED] wrote:

 I personally have /usr/ports and /usr/src on their own partitions. Easy to
 do and prevents lockups. 

right ... still doesn't solve my problem.

 Where is /usr currently mounted, on root(/)?

standard disk layout - /usr is a separate mount on / 

/dev/ad0s1a on / (ufs, local, noatime)
devfs on /dev (devfs, local)
/dev/ad0s1e on /tmp (ufs, local, noatime, soft-updates)
/dev/ad0s1f on /usr (ufs, local, noatime, soft-updates)
/dev/ad0s1d on /var (ufs, local, noatime, soft-updates)
procfs on /proc (procfs, local)
linprocfs on /usr/compat/linux/proc (linprocfs, local)
devfs on /var/named/dev (devfs, local)
/dev/md12.eli on /usr/home/betom/_2 (ufs, local, noatime, soft-updates)
/dev/md11.eli on /usr/home/betom/_3 (ufs, local, noatime, soft-updates)
/dev/md13.eli on /usr/home/betom/_1 (ufs, local, noatime, soft-updates)

IIRC, it may  also have happened when one of the GELI disks got full...

B
_
{Beto|Norberto|Numard} Meijome

Build a system that even a fool can use, and only a fool will want to use it.
   George Bernard Shaw

I speak for myself, not my employer. Contents may be hot. Slippery when wet. 
Reading disclaimers makes you go blind. Writing them is worse. You have been 
Warned.


FreeBSD and Nagios - permissions

2008-10-16 Thread Per olof Ljungmark
Hi,

I'm implementing a shell script as a Nagios plugin to check the status
of the ciss(4) driver. However, there is a permission problem that I am
not sure about the best way to get around in FreeBSD (7-STABLE).

The nrpe daemon that handles the script runs as the nagios user and
the command needed is camcontrol:

camcontrol inquiry da0

The nagios user does not have a shell by default in FreeBSD:
nagios:*:181:181::0:0:Nagios pseudo-user:/var/spool/nagios:/usr/sbin/nologin
so the script will obviously fail.

I would assume there are several ways to get around this and would
welcome best practice suggestions on how.

Thanks,

--per


Re: FreeBSD and Nagios - permissions

2008-10-16 Thread Jeremy Chadwick
On Thu, Oct 16, 2008 at 09:32:02AM +0200, Per olof Ljungmark wrote:
 Hi,
 
 I'm implementing a shell script as a Nagios plugin to check the status
 of the ciss(4) driver. However, there is a permission problem that I am
 not sure about the best way to get around in FreeBSD (7-STABLE).
 
 The nrpe daemon that handles the script runs as the nagios user and
 the command needed is camcontrol:
 
 camcontrol inquiry da0
 
 The nagios user does not have a shell by default in FreeBSD:
 nagios:*:181:181::0:0:Nagios pseudo-user:/var/spool/nagios:/usr/sbin/nologin
 so the script will obviously fail.

I cease to see what the user's shell has to do with the problem.  A
shell being set to /usr/sbin/nologin *does not* mean they cannot run
shell scripts, it just means one cannot log in as that user.

I think the problem is probably more along the lines of: you can't
run camcontrol as user nagios, because root access is required to
communicate with CAM (open /dev/xptX).

 I would assume there are several ways to get around this and would
 welcome best practice suggestions on how.

Two recommendations:

1) Write a wrapper program (this requires C) which calls camcontrol
inquiry da0.  The wrapper binary should be owned by root:nagios,
and perms should be 4710 (so that individuals in the nagios group
can run the binary, but no one else).  This C program is very, very
simple.

2) Use sudo and set up a ***VERY*** restrictive command list for user
nagios, meaning, only allowed to run /sbin/camcontrol.  I DO NOT
recommend this method, as it's possible for someone to use nagios to
run something like camcontrol reset or camcontrol eject as root,
or even worse, camcontrol cmd (could induce a low-level format of
one of your disks).

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |



Auto Backup Data and Delete for Account Expired

2008-10-16 Thread Kalpin Erlangga Silaen
Dear all,

are there any routines to check if some accounts have expired, so the system
would then back up all data to a certain directory and delete the account?

Any help would be appreciated.

Thank you


Kalpin Erlangga Silaen



Re: Auto Backup Data and Delete for Account Expired

2008-10-16 Thread Jeremy Chadwick
On Thu, Oct 16, 2008 at 03:17:14PM +0700, Kalpin Erlangga Silaen wrote:
 Dear all,
 
 are there any routines to check if some accounts have expired, so the system
 would then back up all data to a certain directory and delete the account?
 
 Any help would be appreciated.

You sent this mail to the list yesterday.  We saw it.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |



Re: FreeBSD and Nagios - permissions

2008-10-16 Thread Ivailo Tanusheff
I think the problem is with the permissions of the specific user.
The way to get over it is to use sudo and configure it to allow the nagios 
user to execute camcontrol. This way the line should be: sudo camcontrol 
inquiry da0

Regards,

Ivailo Tanusheff
Deputy Head of IT Department
ProCredit Bank (Bulgaria) AD


Per olof Ljungmark [EMAIL PROTECTED] (sent by [EMAIL PROTECTED]) wrote on
16.10.2008 10:52 to freebsd-questions@freebsd.org, subject "FreeBSD and
Nagios - permissions":

 Hi,
 
 I'm implementing a shell script as a Nagios plugin to check the status
 of the ciss(4) driver. However, there is a permission problem that I am
 not sure about the best way to get around in FreeBSD (7-STABLE).
 
 The nrpe daemon that handles the script runs as the nagios user and
 the command needed is camcontrol:
 
 camcontrol inquiry da0
 
 The nagios user does not have a shell by default in FreeBSD:
 nagios:*:181:181::0:0:Nagios pseudo-user:/var/spool/nagios:/usr/sbin/nologin
 so the script will obviously fail.
 
 I would assume there are several ways to get around this and would
 welcome best practice suggestions on how.
 
 Thanks,
 
 --per


Re: FreeBSD and Nagios - permissions

2008-10-16 Thread Daniel Bye
On Thu, Oct 16, 2008 at 01:04:52AM -0700, Jeremy Chadwick wrote:
 On Thu, Oct 16, 2008 at 09:32:02AM +0200, Per olof Ljungmark wrote:
  The nrpe daemon that handles the script runs as the nagios user and
  the command needed is camcontrol:
  
  camcontrol inquiry da0
  
  The nagios user does not have a shell by default in FreeBSD:
  nagios:*:181:181::0:0:Nagios pseudo-user:/var/spool/nagios:/usr/sbin/nologin
  so the script will obviously fail.
 
 I think the problem is probably more along the lines of: you can't
 run camcontrol as user nagios, because root access is required to
 communicate with CAM (open /dev/xptX).
 
 Two recommendations:
 
 1) Write a wrapper program (this requires C) which calls camcontrol
 inquiry da0.  The wrapper binary should be owned by root:nagios,
 and perms should be 4710 (so that individuals in the nagios group
 can run the binary, but no one else).  This C program is very, very
 simple.
 
 2) Use sudo and set up a ***VERY*** restrictive command list for user
 nagios, meaning, only allowed to run /sbin/camcontrol.  I DO NOT
 recommend this method, as it's possible for someone to use nagios to
 run something like camcontrol reset or camcontrol eject as root,
 or even worse, camcontrol cmd (could induce a low-level format of
 one of your disks).

It is possible to configure sudo to run only exactly the required command
(including arguments) precisely to guard against this type of abuse -
I use it extensively in my own nagios setup.

This Cmnd_Alias in sudoers will do the trick:

Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0

man sudoers for more information about what you can do with sudo.

Dan

-- 
Daniel Bye
 _
  ASCII ribbon campaign ( )
 - against HTML, vCards and  X
- proprietary attachments in e-mail / \




Re: FreeBSD and Nagios - permissions

2008-10-16 Thread Jeremy Chadwick
On Thu, Oct 16, 2008 at 09:17:58PM +1100, Edwin Groothuis wrote:
  The nrpe daemon that handles the script runs as the nagios user and
  the command needed is camcontrol:
 
 First lines of the check_ciss.sh command:
 
 #!/bin/sh
 
 if [ $(whoami) != root ]; then
   sudo $*
 fi
 
 And allow in sudoers the nagios user to run the check_ciss.sh
 command without passwords.
 
 Works fine here for years :-)

Wow... all I can say.  Wow.  This is a *humongous* security hole.

So what happens when someone finds a security hole in Nagios, allowing
them to modify files or run checks with arguments of their choice?

For a good time:

check_ciss.sh camcontrol format da0 -y

Yeah, uh, that script should be nuked.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
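
A fixed-command setuid wrapper of the kind Jeremy recommends as his option 1 earlier in this thread, and the safe counterpart to the `sudo $*` script criticized in this reply; it is an added example, not code from the thread or from any of its participants. Assumptions: the sysexits-style exit codes, the install step (`chown root:nagios`, `chmod 4710`) and the child's minimal environment are my choices; `/sbin/camcontrol inquiry da0` is the command the thread names.

```c
/* Added example: a setuid wrapper that runs exactly one command.
 * Install: chown root:nagios check_ciss_wrapper && chmod 4710 check_ciss_wrapper
 * Nothing the caller supplies (argv, environment, PATH) reaches camcontrol. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* The only command this binary will ever run. The path is absolute so no
 * PATH lookup is involved; the arguments are baked in, never taken from argv. */
static char *const FIXED_ARGV[] = { "/sbin/camcontrol", "inquiry", "da0", NULL };

/* Minimal environment handed to the child: no caller-supplied variables,
 * so nothing like LD_* or a hostile PATH is inherited. */
static char *const FIXED_ENVP[] = { "PATH=/sbin:/bin", NULL };

/* Policy check, kept free of side effects so it can be unit-tested.
 * Returns 0 when the invocation is acceptable, otherwise a reason code:
 *   1 = caller passed arguments (a fixed-command wrapper refuses them outright
 *       rather than silently ignoring them, so abuse attempts are visible)
 *   2 = effective uid is not root (setuid bit missing or stripped) */
int wrapper_policy(int argc, uid_t euid)
{
    if (argc != 1)
        return 1;
    if (euid != 0)
        return 2;
    return 0;
}

/* Number of argv entries that reach the child, excluding the NULL terminator. */
size_t fixed_argc(void)
{
    size_t n = 0;
    while (FIXED_ARGV[n] != NULL)
        n++;
    return n;
}

/* Absolute path of the child command, for logging by the calling plugin. */
const char *fixed_command_path(void)
{
    return FIXED_ARGV[0];
}

int main(int argc, char **argv)
{
    (void)argv;                       /* deliberately never inspected */
    int why = wrapper_policy(argc, geteuid());
    if (why == 1) {
        fputs("check_ciss_wrapper: takes no arguments\n", stderr);
        return 64;                    /* EX_USAGE */
    }
    if (why == 2) {
        fputs("check_ciss_wrapper: must be installed setuid root (mode 4710)\n",
              stderr);
        return 77;                    /* EX_NOPERM */
    }

    /* Make the real uid match the effective uid so the child cannot be
     * confused by a non-root real uid, then exec with the clean environment. */
    if (setuid(0) != 0) {
        perror("setuid");
        return 77;
    }
    execve(FIXED_ARGV[0], FIXED_ARGV, FIXED_ENVP);
    perror("execve /sbin/camcontrol");   /* only reached if exec failed */
    return 70;                           /* EX_SOFTWARE */
}
```

With this in place the Nagios plugin simply runs the wrapper and parses its output, and the sudoers entry for nagios can be dropped entirely.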



Re: Breach of Contract Reported for FREEBSD.ORG

2008-10-16 Thread Jeremy Chadwick
On Thu, Oct 16, 2008 at 07:15:35AM -0400, Michael Powell wrote:
 David G Lawrence wrote:
 
  Dear Customer,
  
  It has been brought to our attention that some or all of the information
  associated with your domain name FREEBSD.ORG is outdated or incorrect.
  These types of complaints are brought to our attention in one of two
  ways.
  
  The most common type of complaint is received from the Internet
  Corporation for Assigned Names and Numbers (ICANN). ICANN is the
  non-profit corporation responsible for accrediting domain name
  registrars. ICANN requires domain name registration customers to keep
  their account information current. ICANN mandates that outdated contact
  information can be grounds for domain name cancellation.
  
  Michelle,
  
 The registration information for freebsd.org is correct. The only thing
  that is out of date is one of the email addresses ([EMAIL PROTECTED]), which I
  have tried to change, but have been unable to due to a problem with the
  Network Solutions website.
 I don't know who reported that the information was incorrect, but they
  are mistaken. I will additionally follow up in the other ways mentioned
  in your message.
  
 [snip]
 
 ICANN requires registrars to verify the domain info once a year. I just went
 through this with GoDaddy. I think the registrars see this as an
 opportunity to market services. Different registrars bungle their marketing
 effort in different ways. GoDaddy sent me instructions on what to do in
 order to correct errors, but had absolutely nothing on how to proceed if
 the information was correct. So I viewed this as something they could take
 advantage of in order to get me to their site for a hard sell campaign.

So how do you folks who comply with ICANN's requirement deal with this?
http://blog.forret.com/2004/12/domain-registry-of-america-scam/ -- This
organisation is now known as Domain Renewal Group, by the way.

I'm quite interested in knowing; it might be tolerable if you've only
one domain, but if you're a hosting provider and have 100?

Let me know.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |



Re: How to get my Dad's Win2k system to access internet through my FreeBSD 6.2 system

2008-10-16 Thread Da Rock

On Thu, 2008-10-16 at 06:54 -0400, Michael Powell wrote:
 Da Rock wrote:
 
 [snip] 
  I'm assuming the problem with double nat'ing is the confusion in packet
  traffic. So if the OP is using his ADSL modem to connect to the net,
  then it could be safe to assume the public IP would be to the modem
  itself, and not his box (barring the possible use of USB), so then the
  nat'ing would already be done. Therefore, the best and easiest way would
  be to simply bridge his interfaces- correct? Less overheads, etc, plus
  simplicity of setup.
 
 
 There is another option, a variant of which I use. My el cheapo deluxe DSL
 modem has really crappy broken firewall and DNS implementations. Wireshark
 showed Windows Messenger service spam leaking past and as soon as I saw
 that I assumed it was probably the tip of the iceberg.
 
 You can also bridge the modem (disabling it's NAT as well). In a fully
 bridged configuration your FreeBSD gateway will have to perform PPPoE
 handshake and login as well. 
 

Setting up the modem itself this way can be tricky at times, depending
on the model and the service. One gotcha with this method can be if your
ISP is using heartbeat, and so you'll have to either script yourself or
find one that suits.

 I use a second option called split-bridge, which they have named IP
 Passthrough. This allows the DSL modem to be responsible for the PPPoE
 session. It works by passing the WAN public IP to the Internet facing NIC
 in my FreeBSD box via DHCP. So, while my interior LAN NIC is static, my
 outside NIC is ifconfig_xl0=DHCP. It gets assigned whatever IP Verizon
 sends.
 

Is this also called IP spoofing?

 I just like this particular arrangement better. I run a caching/hybrid DNS
 server on the gateway as well. I've used this configuration for about 2
 years now and it has served me well. I also use ALTQ to prioritize outgoing
 acks, as this seems to be helpful when using asymmetric DSL.
  

Sounds very stable- I might have to look into the ALTQ (one day, when I
finally get through my other projects... :) ).



Re: How to get my Dad's Win2k system to access internet through my FreeBSD 6.2 system

2008-10-16 Thread Jeremy Chadwick
On Thu, Oct 16, 2008 at 09:29:04PM +1000, Da Rock wrote:
 
 On Thu, 2008-10-16 at 06:54 -0400, Michael Powell wrote:
  Da Rock wrote:
  
  [snip] 
   I'm assuming the problem with double nat'ing is the confusion in packet
   traffic. So if the OP is using his ADSL modem to connect to the net,
   then it could be safe to assume the public IP would be to the modem
   itself, and not his box (barring the possible use of USB), so then the
   nat'ing would already be done. Therefore, the best and easiest way would
   be to simply bridge his interfaces- correct? Less overheads, etc, plus
   simplicity of setup.
  
  
  There is another option, a variant of which I use. My el cheapo deluxe DSL
  modem has really crappy broken firewall and DNS implementations. Wireshark
  showed Windows Messenger service spam leaking past and as soon as I saw
  that I assumed it was probably the tip of the iceberg.
  
  You can also bridge the modem (disabling it's NAT as well). In a fully
  bridged configuration your FreeBSD gateway will have to perform PPPoE
  handshake and login as well. 
  
 
 Setting up the modem itself this way can be tricky at times, depending
 on the model and the service. One gotcha with this method can be if your
 ISP is using heartbeat, and so you'll have to either script yourself or
 find one that suits.
 
  I use a second option called split-bridge, which they have named IP
  Passthrough. This allows the DSL modem to be responsible for the PPPoE
  session. It works by passing the WAN public IP to the Internet facing NIC
  in my FreeBSD box via DHCP. So, while my interior LAN NIC is static, my
  outside NIC is ifconfig_xl0=DHCP. It gets assigned whatever IP Verizon
  sends.
  
 
 Is this also called IP spoofing?

No, this is **NOT** IP spoofing.

What Michael's describing is a feature many DSL modems offer.  There is
no official term for what it is, since DSL modems are supposed to be
bridges (layer 2 devices), but in fact this feature causes the modem to
act like something that sits between layer 2 and layer 3 -- yet is not a
router.  Different modems call it something different.

If you enable this feature, what happens is this:

The modem requires you to access its administrative web page.  You
insert your PPPoE Username and Password (which it saves to
NVRAM/EEPROM), and click Connect.  The DSL modem then continues to do
the PPPoE encapsulation, so that your FreeBSD box, Windows box, or
whatever (that's connected to the DSL modem on the LAN port) does not
have to.

The modem is given an IP address as part of the PPPoE hand-off.  That IP
address is, of course, a public Internet IP.  The modem also enables use
of a DHCP server, so that a machine connect to its LAN port can do a
DHCP request and get an IP address -- but here's the kicker.

The IP address the modem returns to the machine on the LAN is the
public IP address the ISP gave the modem via PPPoE.

So how does this work?  All network I/O between the LAN port and
the modem itself is done at layer 2 past that point -- meaning, the
modem acts almost purely as a bridge from that point forward: but
it still does the PPPoE encapsulation for you.  So, like I said,
the modem acts like a device that sits between layer 2 and layer 3.

Does this make more sense?

The reason this feature is HIGHLY desired is because not all PPPoE
implementations are compatible with an ISPs implementation.  It is
*always* best to use whatever equipment they give you or guarantee
works with them; using your own, or some other PPPoE daemon/method,
can result in lots of trouble.

I've personally used this method, I might add.  I can give you
reference material on how to set it up and use it, over at
dslreports.com.  Lots of DSL modems these days offer said feature.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |



Re: Breach of Contract Reported for FREEBSD.ORG

2008-10-16 Thread Michael Powell
David G Lawrence wrote:

 Dear Customer,
 
 It has been brought to our attention that some or all of the information
 associated with your domain name FREEBSD.ORG is outdated or incorrect.
 These types of complaints are brought to our attention in one of two
 ways.
 
 The most common type of complaint is received from the Internet
 Corporation for Assigned Names and Numbers (ICANN). ICANN is the
 non-profit corporation responsible for accrediting domain name
 registrars. ICANN requires domain name registration customers to keep
 their account information current. ICANN mandates that outdated contact
 information can be grounds for domain name cancellation.
 
 Michelle,
 
The registration information for freebsd.org is correct. The only thing
 that is out of date is one of the email addresses ([EMAIL PROTECTED]), which I
 have tried to change, but have been unable to due to a problem with the
 Network Solutions website.
I don't know who reported that the information was incorrect, but they
 are mistaken. I will additionally follow up in the other ways mentioned
 in your message.
 
[snip]

ICANN requires registrars to verify the domain info once a year. I just went
through this with GoDaddy. I think the registrars see this as an
opportunity to market services. Different registrars bungle their marketing
effort in different ways. GoDaddy sent me instructions on what to do in
order to correct errors, but had absolutely nothing on how to proceed if
the information was correct. So I viewed this as something they could take
advantage of in order to get me to their site for a hard sell campaign.

-Mike
  




FreeBSD RELENG_7 scsi and usb, usb disks take precedence

2008-10-16 Thread Svein Skogen (List Mail Account)

I'm writing this, in hope that someone has a quick-and-dirty trick to
solve a minor problem I have.

My home server, running RELENG_7 is booting off a 10Krpm scsi drive,
connected to an adaptec controller. This device is /dev/da0. However,
should I accidentally reboot the server with ANY usb block device,
FreeBSD assumes that the USB controller is the first scsi chain in the
computer, and assigns the lower da numbers to the usb block devices,
placing the actual scsi disk as the last da device.

Is there any way to tell FreeBSD permanently I want my adaptec
controller's scsi chain to be the first, no matter what USB devices you
find?

If this is documented somewhere, feel free to point me to the correct
man page.

Regards,

Svein Skogen


Re: How to get my Dad's Win2k system to access internet through my FreeBSD 6.2 system

2008-10-16 Thread Da Rock

On Thu, 2008-10-16 at 04:43 -0700, Jeremy Chadwick wrote:
 On Thu, Oct 16, 2008 at 09:29:04PM +1000, Da Rock wrote:
  
  On Thu, 2008-10-16 at 06:54 -0400, Michael Powell wrote:
   Da Rock wrote:
   
   [snip] 
    I'm assuming the problem with double nat'ing is the confusion in packet
    traffic. So if the OP is using his ADSL modem to connect to the net,
    then it could be safe to assume the public IP would be to the modem
    itself, and not his box (barring the possible use of USB), so then the
    nat'ing would already be done. Therefore, the best and easiest way would
    be to simply bridge his interfaces- correct? Less overheads, etc, plus
    simplicity of setup.
   
   
   There is another option, a variant of which I use. My el cheapo deluxe DSL
   modem has really crappy broken firewall and DNS implementations. Wireshark
   showed Windows Messenger service spam leaking past and as soon as I saw
   that I assumed it was probably the tip of the iceberg.
   
   You can also bridge the modem (disabling its NAT as well). In a fully
   bridged configuration your FreeBSD gateway will have to perform PPPoE
   handshake and login as well. 
   
  
  Setting up the modem itself this way can be tricky at times, depending
  on the model and the service. One gotcha with this method can be if your
  ISP is using heartbeat, and so you'll have to either script yourself or
  find one that suits.
  
   I use a second option called split-bridge, which they have named IP
   Passthrough. This allows the DSL modem to be responsible for the PPPoE
   session. It works by passing the WAN public IP to the Internet facing NIC
   in my FreeBSD box via DHCP. So, while my interior LAN NIC is static, my
   outside NIC is ifconfig_xl0=DHCP. It gets assigned whatever IP Verizon
   sends.
   
  
  Is this also called IP spoofing?
 
 No, this is **NOT** IP spoofing.
 
 What Michael's describing is a feature many DSL modems offer.  There is
 no official term for what it is, since DSL modems are supposed to be
 bridges (layer 2 devices), but in fact this feature causes the modem to
 act like something that sits between layer 2 and layer 3 -- yet is not a
 router.  Different modems call it something different.
 
 If you enable this feature, what happens is this:
 
 The modem requires you to access its administrative web page.  You
 insert your PPPoE Username and Password (which it saves to
 NVRAM/EEPROM), and click Connect.  The DSL modem then continues to do
 the PPPoE encapsulation, so that your FreeBSD box, Windows box, or
 whatever (that's connected to the DSL modem on the LAN port) does not
 have to.
 
 The modem is given an IP address as part of the PPPoE hand-off.  That IP
 address is, of course, a public Internet IP.  The modem also enables use
 of a DHCP server, so that a machine connected to its LAN port can do a
 DHCP request and get an IP address -- but here's the kicker.
 
 The IP address the modem returns to the machine on the LAN is the
 public IP address the ISP gave the modem via PPPoE.
 
 So how does this work?  All network I/O between the LAN port and
 the modem itself is done at layer 2 past that point -- meaning, the
 modem acts almost purely as a bridge from that point forward: but
 it still does the PPPoE encapsulation for you.  So, like I said,
 the modem acts like a device that sits between layer 2 and layer 3.
 
 Does this make more sense?
 
 The reason this feature is HIGHLY desired is because not all PPPoE
 implementations are compatible with an ISP's implementation.  It is
 *always* best to use whatever equipment they give you or guarantee
 works with them; using your own, or some other PPPoE daemon/method,
 can result in lots of trouble.
 
 I've personally used this method, I might add.  I can give you
 reference material on how to set it up and use it, over at
 dslreports.com.  Lots of DSL modems these days offer said feature.

Ok, that explains it. The IP spoofing term comes from the Alcatel
SpeedTouch systems used by Telstra in Oz. If there is no official term
for it then that's why they've decided to call it that- right or wrong.
They use firmware updates to enable this feature or others, and these can
be botched easily, so for reference copy the original firmware as a backup
if possible!

It certainly would save trouble with their equipment because of the
heartbeat feature. Sounds very cool...



error compiling linux-glib2

2008-10-16 Thread Warren Liddell

Running FreeBSD 7.1-PreRelease, AMD64 KDE 4.1.2



===  Checking if devel/linux-glib2 already installed
cd /usr/ports/devel/linux-glib2/work && /usr/bin/find * -type d -exec 
/bin/mkdir -p /compat/linux/{} \;
cd /usr/ports/devel/linux-glib2/work && /usr/bin/find * ! -type d | 
/usr/bin/cpio -pm -R root:wheel /compat/linux

3914 blocks
===   Running linux ldconfig
/compat/linux/sbin/ldconfig -r /compat/linux
ELF binary type 3 not known.
/compat/linux/sbin/ldconfig: 1: Syntax error: ( unexpected
*** Error code 2

Stop in /usr/ports/devel/linux-glib2.
*** Error code 1

Stop in /usr/ports/devel/linux-glib2.



Re: Kopete and KDE4.1

2008-10-16 Thread Warren Liddell

Sdävtaker wrote:

Did someone make kopete work in kde4.1 with msn and jabber networks?
I tried a couple of recipes i found gogling, but nothing worked.
Any ideas?
I'm running FBSD7.0 x64
Any info is appreciated, thanks!
Sdav
  
Try doing the following .. although for me it doesn't compile, but it 
used to work to get kopete to work with MSN.


  Yes, thanks for your hint; here is what I did exactly this morning:
 
  # cd /usr/ports/net/kdenetwork4
  # make
 
  [Ctrl-C interrupt the proc after all configuration is done]
 
  # cd /usr/ports/net/kdenetwork4/work
  # svn co svn://anonsvn.kde.org/home/kde/trunk/KDE/kdenetwork
  ...
  A    kdenetwork/kget/transfer-plugins/bittorrent/libbtcore/util/autorotatelogjob.h
  A    kdenetwork/kget/transfer-plugins/bittorrent/libbtcore/util/error.cpp
  Checked out external at revision 850250.
  Checked out revision 850250.
 
  # mv kdenetwork-4.1.2 kdenetwork-4.1.2.portversion
  # mv kdenetwork kdenetwork-4.1.2
  # cp -rp kdenetwork-4.1.2.portversion/build kdenetwork-4.1.2
 
  # make
  # make deinstall
  # make reinstall
 
  after this kopete's version is really 0.60.80 and it works with MSN;
 
  btw: the version string comes from:
 
  kopete/libkopete/kopeteversion.h:#define KOPETE_VERSION_STRING
  0.60.80
  thx again; maybe it's worth building a new file
  KDE/kdenetwork-4.1.2.tar.bz2 and updating this port;
 
 matthias
 
  I built it successfully this way; kopete can log in to MSN, version 0.6.80
 
  But the steps I used are a little different ;-)
 
  # cd   /usr/ports/net/kdenetwork4
  # make extract
  # cd  work
  # svn co svn://anonsvn.kde.org/home/kde/trunk/KDE/kdenetwork
  # mv kdenetwork-4.1.2 kdenetwork-4.1.2.portversion
  # mv kdenetwork kdenetwork-4.1.2
  # cd  /usr/ports/net/kdenetwork4
  # make FORCE_PKG_REGISTER=yes install clean
 
  The whole compile and install went through, no errors



Re: FreeBSD RELENG_7 scsi and usb, usb disks take precedence

2008-10-16 Thread Eric Masson
Svein Skogen (List Mail Account) [EMAIL PROTECTED]
writes:

Hi,

 Is there any way to tell FreeBSD permanently I want my adaptec
 controller's scsi chain to be the first, no matter what USB devices you
 find?

You can circumvent this behaviour by using GEOM labels :
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/geom-glabel.html

Regards

-- 
 CE> I don't know if you are the right person, but there is a mental
 CE> degenerate who wants to screw everyone on frsf
  Don't worry, that's not possible via Usenet :)
 -+- LW in Guide du Neuneu Usenet - After the flies, whose turn is it? -+-



Re: FreeBSD and Nagios - permissions

2008-10-16 Thread Daniel Bye
On Thu, Oct 16, 2008 at 12:05:01PM +0100, Daniel Bye wrote:
 It is possible to configure sudo to run only exactly the required command
 (including arguments) precisely to guard against this type of abuse -
 I use it extensively in my own nagios setup.
 
 This Cmnd_Alias in sudoers will do the trick:
 
 Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0
 
 man sudoers for more information about what you can do with sudo.

I just realised this example is woefully incomplete - apologies for that.

There are a few ways you can set up /usr/local/etc/sudoers (make sure
you use visudo to edit it, as it will catch any syntax errors for you,
thus helping somewhat to prevent breaking your setup).

The simplest case will just be to allow nagios to run the command, as root,
without a password:

nagios ALL=(root) NOPASSWD: /sbin/camcontrol inquiry da0

If, as is quite possible, nagios should be able to run more than just
that one command, you can define a Cmnd_Alias, as above. To include more
than one command in the alias, simply separate them with a comma. You
can use `\' to escape newlines and make your file a little easier to read:

Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0, \
                          /sbin/camcontrol inquiry da1

and so on. Now, to use that alias, set the user's permissions to

nagios ALL=(root) NOPASSWD: NAGIOS_CMNDS

The sudoers man page has more information, and there is also a good
tutorial by M Lucas on O'Reilly's Big Scary Daemons (it's from 2002, but
still a good introduction):

http://www.onlamp.com/pub/a/bsd/2002/08/29/Big_Scary_Daemons.html?page=1

Dan

-- 
Daniel Bye
 _
  ASCII ribbon campaign ( )
 - against HTML, vCards and  X
- proprietary attachments in e-mail / \




Radius Authentication

2008-10-16 Thread MattAD

I would just like to know if anyone on earth has been able to get the
pam_radius module working on FreeBSD, using a windows domain username
through ssh... ??? This has become a mystery to me. My /etc/pam.d/sshd
config looks like so:  

#
# $FreeBSD: src/etc/pam.d/sshd,v 1.16 2007/06/10 18:57:20 yar Exp $
#
# PAM configuration for the sshd service
#

# auth
auth        required    pam_nologin.so      no_warn
auth        sufficient  pam_opie.so         no_warn no_fake_prompts
auth        requisite   pam_opieaccess.so   no_warn allow_local
auth        sufficient  pam_radius.so       no_warn try_first_pass
#auth       sufficient  pam_krb5.so         no_warn try_first_pass
#auth       sufficient  pam_ssh.so          no_warn try_first_pass
auth        sufficient  pam_unix.so         no_warn try_first_pass

# account
account     required    pam_nologin.so
#account    required    pam_krb5.so
account     required    pam_login_access.so
account     required    pam_unix.so

# session
#session    optional    pam_ssh.so
session     required    pam_permit.so

# password
#password   sufficient  pam_krb5.so         no_warn try_first_pass
password    required    pam_unix.so         no_warn try_first_pass


:confused:



I've just found a new and interesting spam source - legitimate bounce messages

2008-10-16 Thread eculp
In the last hour, I've received over 200 legitimate bounce messages  
from email services as a result of someone having used, or worse is  
using, my email address in spam from multiple Windows machines and IP  
addresses.  The end result is that I am getting the bounce messages.   
I'm sure that others on this list have experienced the problem and  
maybe have a solution that I don't have.


The messages are allowed through my obspamd/pf and pf smtp bruteforce  
blocking rules because they are completely legit.


I guess the workaround is to filter them on incoming together with  
our local bounce messages until the spammers get tired of my address.


Thanks for any suggestions,

ed


Re: I've just found a new and interesting spam source - legitimate bounce messages

2008-10-16 Thread Yury Michurin
Hello,
start by putting an SPF record on the domain,
http://www.netdummy.net/stop-bounce-mail.html
and finish by filtering bounces whose Message-ID was not originated on your
server, with whatever software you are using.

Regards,
Yury

On Thu, Oct 16, 2008 at 4:01 PM, [EMAIL PROTECTED] wrote:

 In the last hour, I've received over 200 legitimate bounce messages from
 email services as a result of someone having used or worse is using my email
 address in spam from multiple windows machines and ip addresses.  The end
 result is that I am getting the bounce messages.  I'm sure that others on
 this list have experienced the problem and maybe have a solution that I
 don't have.

 The messages are allowed through my obspamd/pf and pf smtp bruteforce
 blocking rules because they are completely legit.

 I guess the workaround is to filter them on incoming together with our
 local bounce messages until the spammers get tired of my address.

 Thanks for any suggestions,

 ed



FreeBSD and Nagios - permissions

2008-10-16 Thread Edwin Groothuis
 The nrpe daemon that handles the script runs as the nagios user and
 the command needed is camcontrol:

First lines of the check_ciss.sh command:

#!/bin/sh

# Re-run the requested command through sudo when not already root
# ("$@" keeps each argument intact; an unquoted $* would re-split them).
if [ "$(whoami)" != root ]; then
    sudo "$@"
fi

And allow in sudoers the nagios user to run the check_ciss.sh
command without passwords.

Works fine here for years :-)

Edwin

-- 
Edwin Groothuis Website: http://www.mavetju.org/
[EMAIL PROTECTED]   Weblog:  http://www.mavetju.org/weblog/
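Putting Daniel Bye's sudoers entry and the wrapper above together, here is an added example (not code from either post) of a Nagios plugin written the way a sudoers whitelist wants it: a fixed argv that matches the sudoers line byte for byte, no shell, nothing passed through from the caller, and a non-interactive sudo so that a wrong sudoers entry fails loudly instead of hanging NRPE. The sudo path, the device name and the sample camcontrol output are assumptions for the example.

```python
"""check_camcontrol.py: Nagios plugin that runs exactly one sudo-whitelisted
camcontrol command and maps the outcome onto a Nagios status.

Added example, not code from the thread.  Assumes sudo from ports at
/usr/local/bin/sudo and a sudoers entry that matches COMMAND exactly:
    nagios ALL=(root) NOPASSWD: /sbin/camcontrol inquiry da0
"""
import subprocess
import sys

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
STATUS_NAMES = ("OK", "WARNING", "CRITICAL", "UNKNOWN")
DEVICE = "da0"

# Fixed argv, no shell, nothing taken from the caller: the only thing nagios
# can make root do is this one command, and it has to match sudoers verbatim.
# -n makes sudo fail instead of hanging on a password prompt under NRPE.
COMMAND = ["/usr/local/bin/sudo", "-n", "/sbin/camcontrol", "inquiry", DEVICE]

# Constructed sample of what `camcontrol inquiry da0` prints for a healthy disk
# (shape from memory of camcontrol(8) output; not captured from the thread).
SAMPLE_OK = (
    "pass0: <SEAGATE ST3146855SS 0002> Fixed Direct Access SCSI-5 device\n"
    "pass0: Serial Number 3LN1234567\n"
    "pass0: 300.000MB/s transfers, Command Queueing Enabled\n"
)


def run_command(argv):
    """Run argv directly (no shell); return (exit status, combined output)."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.returncode, proc.stdout + proc.stderr


def classify(rc, output, device=DEVICE):
    """Turn the exit status and output of the sudo+camcontrol run into
    (nagios status code, one-line message)."""
    first = output.strip().splitlines()[0] if output.strip() else ""
    # sudo itself refused: missing NOPASSWD, or an argv sudoers does not list.
    if "password is required" in output or "not allowed to execute" in output:
        return UNKNOWN, f"sudo refused the command: {first}"
    if rc != 0:
        return CRITICAL, f"camcontrol inquiry {device} failed (rc={rc}): {first}"
    if "Direct Access" not in first:
        return WARNING, f"unexpected inquiry data for {device}: {first!r}"
    return OK, first


def check(runner=run_command, argv=COMMAND, device=DEVICE):
    """Run the check; `runner` is injectable so the logic can be tested offline."""
    rc, output = runner(argv)
    return classify(rc, output, device)


if __name__ == "__main__":
    status, message = check()
    print(f"{STATUS_NAMES[status]} - {message}")
    sys.exit(status)
```

Pair it with `nagios ALL=(root) NOPASSWD: /sbin/camcontrol inquiry da0` in /usr/local/etc/sudoers (edited with visudo). Because sudoers matches the whole argument list, a plugin that tried to swap in another device or add flags is refused by sudo and reported as UNKNOWN rather than run as root; a wrapper that forwards whatever arguments it was given hands that guarantee back to whoever can call it.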


Re: error compiling linux-glib2

2008-10-16 Thread Boris Samorodov
Warren Liddell [EMAIL PROTECTED] writes:

 Running FreeBSD 7.1-PreRelease, AMD64 KDE 4.1.2



 ===  Checking if devel/linux-glib2 already installed
 cd /usr/ports/devel/linux-glib2/work && /usr/bin/find * -type d -exec
 /bin/mkdir -p /compat/linux/{} \;
 cd /usr/ports/devel/linux-glib2/work && /usr/bin/find * ! -type d |
 /usr/bin/cpio -pm -R root:wheel /compat/linux
 3914 blocks
 ===   Running linux ldconfig
 /compat/linux/sbin/ldconfig -r /compat/linux
 ELF binary type 3 not known.

# kldload linux
And/or:
# echo 'linux_enable=YES' >> /etc/loader.conf
# reboot

 /compat/linux/sbin/ldconfig: 1: Syntax error: ( unexpected
 *** Error code 2

 Stop in /usr/ports/devel/linux-glib2.
 *** Error code 1

 Stop in /usr/ports/devel/linux-glib2.


WBR
-- 
bsam


Re: How to get my Dad's Win2k system to access internet through my FreeBSD 6.2 system

2008-10-16 Thread Michael Powell
Da Rock wrote:

[snip] 
 I'm assuming the problem with double nat'ing is the confusion in packet
 traffic. So if the OP is using his ADSL modem to connect to the net,
 then it could be safe to assume the public IP would be to the modem
 itself, and not his box (barring the possible use of USB), so then the
 nat'ing would already be done. Therefore, the best and easiest way would
 be to simply bridge his interfaces- correct? Less overheads, etc, plus
 simplicity of setup.


There is another option, a variant of which I use. My el cheapo deluxe DSL
modem has really crappy broken firewall and DNS implementations. Wireshark
showed Windows Messenger service spam leaking past and as soon as I saw
that I assumed it was probably the tip of the iceberg.

You can also bridge the modem (disabling its NAT as well). In a fully
bridged configuration your FreeBSD gateway will have to perform PPPoE
handshake and login as well. 

I use a second option called split-bridge, which they have named IP
Passthrough. This allows the DSL modem to be responsible for the PPPoE
session. It works by passing the WAN public IP to the Internet facing NIC
in my FreeBSD box via DHCP. So, while my interior LAN NIC is static, my
outside NIC is ifconfig_xl0=DHCP. It gets assigned whatever IP Verizon
sends.

I just like this particular arrangement better. I run a caching/hybrid DNS
server on the gateway as well. I've used this configuration for about 2
years now and it has served me well. I also use ALTQ to prioritize outgoing
acks, as this seems to be helpful when using asymmetric DSL.
 
[snip]

-Mike




Re: I've just found a new and interesting spam source - legitimate bounce messages

2008-10-16 Thread Paul Schmehl

--On Thursday, October 16, 2008 09:01:02 -0500 [EMAIL PROTECTED] wrote:



In the last hour, I've received over 200 legitimate bounce messages
from email services as a result of someone having used or worse is
using my email address in spam from multiple windows machines and ip
addresses.  The end result is that I am getting the bounce messages.
I'm sure that others on this list have experienced the problem and
maybe have a solution that I don't have.

The messages are allowed through my obspamd/pf and pf smtp bruteforce
blocking rules because they are completely legit.

I guess the workaround is to filter them on incoming together with
our local bounce messages until the spammers get tired of my address.



We call those bounceback spam.  The only solution that I know of is to tag 
all outgoing messages with a special header and then check for that header on 
all returns and reject those that don't contain the header.  All legitimate 
bounces would contain the header because they originated with your MTA.


E.g. X-Bounceback-Check: 0987923874

The value of the header can be anything you want it to be, and you can change 
it periodically if you want to keep statistical data.


--
Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
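As an added example (not from the thread), here is the header idea above carried one step further in Python: instead of a fixed value, the X-Bounceback-Check header holds a timestamp and an HMAC over that timestamp and the recipient, so a spammer who has seen one of your messages cannot simply copy the header into a joe-job, and an old header stops validating after a week. The bounce side parses the DSN, finds the returned copy of the original (a message/rfc822 or text/rfc822-headers part) and checks the stamp. The key, the addresses and the sample bounce are constructed for the example; where the two hooks are called depends on the MTA.

```python
"""Keyed bounce stamp: tag outgoing mail, accept a bounce only if the copy of
the original it returns carries a valid stamp.  Added example; KEY and the
sample messages below are constructed, not taken from any real system."""
import email
import email.utils
import hashlib
import hmac
import time
from email import policy
from email.message import EmailMessage

HEADER = "X-Bounceback-Check"
MAX_AGE = 7 * 24 * 3600                         # stamps older than a week are stale
KEY = b"replace-me-with-a-long-random-secret"   # constructed; keep the real one private


def make_token(key, rcpt, sent_at):
    """'<unix time>-<truncated HMAC-SHA256 over time and recipient>'."""
    mac = hmac.new(key, f"{sent_at}:{rcpt.lower()}".encode(), hashlib.sha256)
    return f"{sent_at}-{mac.hexdigest()[:24]}"


def verify_token(key, rcpt, token, now):
    """True iff token was minted with key for rcpt within the last MAX_AGE seconds."""
    ts_text, _, _ = token.partition("-")
    if not ts_text.isdigit():
        return False
    sent_at = int(ts_text)
    if not 0 <= now - sent_at <= MAX_AGE:
        return False
    return hmac.compare_digest(make_token(key, rcpt, sent_at), token)


def tag_outgoing(msg, key=KEY, now=None):
    """Stamp an outgoing message; call this from the submission path."""
    now = int(time.time()) if now is None else now
    _, rcpt = email.utils.parseaddr(str(msg["To"]))
    msg[HEADER] = make_token(key, rcpt, now)
    return msg


def original_from_bounce(bounce):
    """Return the returned original (full message or headers only) from a DSN, else None."""
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None


def bounce_is_genuine(bounce_text, key=KEY, now=None):
    """True only if the bounce returns a message that carries our valid stamp."""
    now = int(time.time()) if now is None else now
    bounce = email.message_from_string(bounce_text, policy=policy.default)
    orig = original_from_bounce(bounce)
    if orig is None or HEADER not in orig:
        return False                            # no copy of our mail, or no stamp: backscatter
    _, rcpt = email.utils.parseaddr(str(orig["To"]))
    return verify_token(key, rcpt, str(orig[HEADER]), now)


# Constructed sample data so the check can be exercised offline.

def build_original(key=KEY, now=None, tagged=True):
    """A constructed outgoing message, optionally stamped."""
    msg = EmailMessage()
    msg["From"] = "ed@example.org"
    msg["To"] = "nobody@example.net"
    msg["Subject"] = "hello"
    msg.set_content("test\n")
    if tagged:
        tag_outgoing(msg, key, now)
    return msg.as_string()


def build_sample_bounce(original_text):
    """A constructed multipart/report DSN (the RFC 3464 shape) returning original_text."""
    return (
        "From: MAILER-DAEMON@mx.example.net\n"
        "To: ed@example.org\n"
        "Subject: Undelivered Mail Returned to Sender\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="B1"\n'
        "\n--B1\nContent-Type: text/plain\n\nUser unknown.\n"
        "\n--B1\nContent-Type: message/delivery-status\n\n"
        "Reporting-MTA: dns; mx.example.net\n\n"
        "Final-Recipient: rfc822; nobody@example.net\nAction: failed\nStatus: 5.1.1\n"
        "\n--B1\nContent-Type: message/rfc822\n\n" + original_text +
        "\n--B1--\n"
    )
```

Whatever receives mail with an empty envelope sender (MAIL FROM:<>) is the place to call bounce_is_genuine(). Bounces that carry no copy of the original at all cannot be validated and are dropped under this policy; that is the trade-off. BATV applies the same idea to the envelope sender address instead of a header.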


Re: FreeBSD RELENG_7 scsi and usb, usb disks take precedence

2008-10-16 Thread Eric Masson
Svein Skogen (List Mail Account) [EMAIL PROTECTED]
writes:

Hi,

 With all due respect, if sysinstall isn't able to write those labels,
 this is hardly the solution to the problem...  ;)

Sysinstall, even if it has proven to be useful, is outdated in many
respects, it doesn't cope really well with GEOM or ZFS for example.

Using GEOM labels ensures that fstab will always be consistent, so *this
is* a solution.

Now, you can try to patch the kernel to make it probe devices in a
predefined, sorted order, but I guess it will be much more difficult ;)

-- 
 Because in Normandy we are very fond of playing leapfrog. And I forbid
 the centralist, snobbish Parisians from taking advantage of this admission
 to shine with a pun of a zoophile and bocage-phobic tendency.
 -+- LC in www.le-gnu.net - Jumping is not enjoying -+-



open-vm-tools no more in ports

2008-10-16 Thread scuba
Hi all,

This open-vm-tools isn't in 7.0 ports. Anyone know why? 

On Wed, 3 Sep 2008, John Nielsen wrote:

|On Wednesday 03 September 2008, B. Cook wrote:
| I am setting up FreeBSD 7.0 and he is asking about the vmware-tools.
|
| Ports has some things, but I am not sure what I need, and neither is he.
|
| Can anyone tell me what it needs?
|
|I usually create VM's with the Intel gigabit vNIC's which can use 
|FreeBSD's em driver. Since Xorg includes the vmmouse and vmware video 
|drivers already, the main things you should be looking for are the 
|memory balloon driver and the guestd service. In the past I have gotten 
|these to work by using the supplied tools (on the CD image that 
|is inserted when you select Install VMware tools from the host). 
|However it is much easier nowadays to use the free version in 
|ports/emulators/open-vm-tools (or open-vm-tools-nox11).
|
|JN


- Marcelo



Re: I've just found a new and interesting spam source - legitimate bounce messages

2008-10-16 Thread Jeremy Chadwick
On Thu, Oct 16, 2008 at 09:01:02AM -0500, [EMAIL PROTECTED] wrote:
 In the last hour, I've received over 200 legitimate bounce messages from 
 email services as a result of someone having used or worse is using my 
 email address in spam from multiple windows machines and ip addresses.  
 The end result is that I am getting the bounce messages.  I'm sure that 
 others on this list have experienced the problem and maybe have a 
 solution that I don't have.

 The messages are allowed through my obspamd/pf and pf smtp bruteforce  
 blocking rules because they are completely legit.

 I guess the workaround is to filter them on incoming together with our 
 local bounce messages until the spammers get tired of my address.

The term coined for this type of mail is backscatter.

There is no easy solution for this.  The backscatter article on
postfix.org, for example, caused our mail servers to start rejecting
mail that was generated from PHP scripts and CGIs on our own systems,
which makes no sense.  The article:

http://www.postfix.org/BACKSCATTER_README.html

If the backscatter is all directed to a single Email address (rather
than a series of addresses, e.g. [EMAIL PROTECTED], and
you have [EMAIL PROTECTED] accepted), then a solution is to reject
mail with an RCPT TO of an account or virtual address that does not
exist on your machine.

This, of course, has a wonderful side effect: spammers now have a way to
detect what Email addresses on your box legitimately accept mail, thus
once they find one which never gets a bounceback, will start pounding
that address to kingdom come.

Let me know if you do find a reliable, decent solution that does not
involve SPF or postfix header_checks or body_checks.

-- 
| Jeremy Chadwickjdc at parodius.com |
| Parodius Networking   http://www.parodius.com/ |
| UNIX Systems Administrator  Mountain View, CA, USA |
| Making life hard for others since 1977.  PGP: 4BD6C0CB |



Re: open-vm-tools no more in ports

2008-10-16 Thread Jeremy Chadwick
On Thu, Oct 16, 2008 at 11:49:35AM -0300, [EMAIL PROTECTED] wrote:
 Hi all,
 
   This open-vm-tools isn't in 7.0 ports. Anyone know why? 

The ports tree does not have versions, so I don't know what "7.0
ports" means for certain -- but I think you're saying "When I installed
FreeBSD 7.0 and I chose to install ports in the distributions I wanted,
there was no open-vm-tools."

Let's see if we can find out when it was added:

http://www.freebsd.org/cgi/cvsweb.cgi/ports/emulators/open-vm-tools/Makefile

...says March 28th of this year:

Revision 1.1
Fri Mar 28 13:30:31 2008 UTC (6 months, 2 weeks ago) by mbr

Please update your ports tree using csup.  And if you DID install a
copy of the ports tree during your FreeBSD install, you need to be
aware that you must adopt the tree.  The adoption process is
described on the CVSup site, but applies to the csup tool as well.

http://www.cvsup.org/faq.html#caniadopt

Also note this applies to src, if you installed that too.

-- 
| Jeremy Chadwickjdc at parodius.com |
| Parodius Networking   http://www.parodius.com/ |
| UNIX Systems Administrator  Mountain View, CA, USA |
| Making life hard for others since 1977.  PGP: 4BD6C0CB |



Re: Auto Backup Data and Delete for Account Expired

2008-10-16 Thread Lowell Gilbert
Kalpin Erlangga Silaen [EMAIL PROTECTED] writes:

 is there any routines to check if some accounts expire then system would
 like to do backup all data to certain directory and then delete the account.

Have you looked in the ports collection?
A quick search suggested that usermatic or dtc might help, but I'm
sure a more thorough search would bring up more possibilities.

-- 
Lowell Gilbert, embedded/networking software engineer, Boston area
http://be-well.ilk.org/~lowell/


Re: error compiling linux-glib2

2008-10-16 Thread Boris Samorodov
Boris Samorodov [EMAIL PROTECTED] writes:

 # echo 'linux_enable=YES'  /etc/loader.conf

Sorry, I've mixed two variants. They are:
'linux_load=YES' >> /boot/loader.conf
'linux_enable=YES' >> /etc/rc.conf[.local]

 # reboot

WBR
-- 
Boris Samorodov (bsam)
Research Engineer, http://www.ipt.ru Telephone  Internet SP
FreeBSD committer, http://www.FreeBSD.org The Power To Serve


Re: I've just found a new and interesting spam source - legitimate bounce messages

2008-10-16 Thread Matthew Seaman

-BEGIN PGP SIGNED MESSAGE-
Hash: RIPEMD160

Jeremy Chadwick wrote:
| On Thu, Oct 16, 2008 at 09:01:02AM -0500, [EMAIL PROTECTED] wrote:
| In the last hour, I've received over 200 legitimate bounce messages from 
| email services as a result of someone having used or worse is using my 
| email address in spam from multiple windows machines and ip addresses.  
| The end result is that I am getting the bounce messages.  I'm sure that 
| others on this list have experienced the problem and maybe have a 
| solution that I don't have.

|
| The messages are allowed through my obspamd/pf and pf smtp bruteforce  
| blocking rules because they are completely legit.

|
| I guess the workaround is to filter them on incoming together with our 
| local bounce messages until the spammers get tired of my address.
| 
| The term coined for this type of mail is backscatter.
| 
| There is no easy solution for this.  The backscatter article on

| postfix.org, for example, caused our mail servers to start rejecting
| mail that was generated from PHP scripts and CGIs on our own systems,
| which makes no sense.  The article:
| 
| http://www.postfix.org/BACKSCATTER_README.html
| 
| If the backscatter is all directed to a single Email address (rather

| than a series of addresses, e.g. [EMAIL PROTECTED], and
| you have [EMAIL PROTECTED] accepted), then a solution is to reject
| mail with an RCPT TO of an account or virtual address that does not
| exist on your machine.
| 
| This, of course, has a wonderful side effect: spammers now have a way to

| detect what Email addresses on your box legitimately accept mail, thus
| once they find one which never gets a bounceback, will start pounding
| that address to kingdom come.
| 
| Let me know if you do find a reliable, decent solution that does not

| involve SPF or postfix header_checks or body_checks.
| 


Although not a solution to the immediate problems experienced by the OP
in the long term, the most effective way to counter back-scatter spam is
for every operator of a mail server to adopt the following behaviour:

   * Reject e-mails *only* during the initial SMTP dialogue -- ie. respond
     with a 5xx error code.  No exceptions. This includes internal mail
     submission of messages between users on the same system.

   * Once your mail server has accepted a message for delivery, never
     bounce it back to the sender as a result of spam or virus filtering
     or for unknown destination address.  Just drop it in the bit-bucket
     in these cases.

This means that your edge SMTP servers and all your MXes have to have an
accurate list of all of the valid e-mail accounts on your system so that
they can respond with 'user unknown' where required.

The point of rejecting messages only during the initial SMTP dialogue is
that at that point they are still the responsibility of the sending system.
Chances are if it's a compromised machine attempting to inject spam, it's
not even going to attempt resending failed messages, or send bounce-o-grammes
on its own behalf.

Unfortunately, building anything beyond a single-server mail system with these
characteristics is quite a lot harder than the simple-minded approach of
accepting anything addressed to your domain at the edge, and only bouncing at
the point of delivery to the mailbox.  Especially if your backup MXes are a
long way away from your main servers.

Until the wonderful day that the entire internet abides by these rules[*], use
of technologies like SPF and DKIM can discourage but not entirely prevent the
spammers from joe-jobbing you.

Cheers,

Matthew

[*] Unlikely to ever happen as technically they contradict the current RFCs.


-- 
Dr Matthew J Seaman MA, D.Phil.                       Flat 3
                                                      7 Priory Courtyard
PGP: http://www.infracaninophile.co.uk/pgpkey         Ramsgate
                                                      Kent, CT11 9PW, UK
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.9 (FreeBSD)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEAREDAAYFAkj3WogACgkQ3jDkPpsZ+VaqKwCeMPa4tGkwewH+l0EfgVwTvpmS
IKoAoJ1ec2WTSwBQRsYq6rNYWqQc6P2Y
=lFRk
-END PGP SIGNATURE-


Re: FreeBSD and Nagios - permissions

2008-10-16 Thread Per olof Ljungmark

Daniel Bye wrote:

On Thu, Oct 16, 2008 at 12:05:01PM +0100, Daniel Bye wrote:

It is possible to configure sudo to run only exactly the required command
(including arguments) precisely to guard against this type of abuse -
I use it extensively in my own nagios setup.

This Cmnd_Alias in sudoers will do the trick:

Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0

man sudoers for more information about what you can do with sudo.


I just realised this example is woefully incomplete - apologies for that.

There are a few ways you can set up /usr/local/etc/sudoers (make sure
you use visudo to edit it, as it will catch any syntax errors for you,
thus helping somewhat to prevent breaking your setup).

The simplest case will just be to allow nagios to run the command, as root,
without a password:

nagios ALL=(root) NOPASSWD: /sbin/camcontrol inquiry da0

If, as is quite possible, nagios should be able to run more than just
that one command, you can define a Cmnd_Alias, as above. To include more
than one command in the alias, simply separate them with a comma. You
can use `\' to escape newlines and make your file a little easier to read:

Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0, \
                          /sbin/camcontrol inquiry da1

and so on. Now, to use that alias, set the user's permissions to

nagios ALL=(root) NOPASSWD: NAGIOS_CMNDS

The sudoers man page has more information, and there is also a good
tutorial by M Lucas on O'Reilly's Big Scary Daemons (it's from 2002, but
still a good introduction):


Thank you very much for the detailed information.

I will have a go at sudo while waiting for my collegue to return, he 
knows C and could probably write up the wrapper that Jeremy suggested.


Thanks all for the tips!

--per


Re: I've just found a new and interesting spam source - legitimate bounce messages

2008-10-16 Thread Luke Dean



On Thu, 16 Oct 2008, Matthew Seaman wrote:

Until the wonderful day that the entire internet abides by these rules[*], 
use

of technologies like SPF and DKIM can discourage but not entirely prevent the
spammers from joe-jobbing you.


I just started getting these bouncebacks en masse this week.
My mail provider publishes SPF records.
If the names and numbers in the bounceback messages are to be believed, 
however, the spammers have defeated SPF by hijacking DNS.  The poor 
recipients never see my SPF records because they're looking at the wrong 
IP address.



Re: new hdd numeration after mainboard change

2008-10-16 Thread Marco
Thank you very much, of course it was the AHCI configuration in the
BIOS, luckily I can now switch between AHCI and compatibility mode when
using Windows (otherwise it will result in a bluescreen) ;-)

Best regards,
 Marco

Josh Paetzel wrote:
 Jeremy Chadwick wrote:
  On Mon, Oct 13, 2008 at 07:12:20PM +0200, [EMAIL PROTECTED] wrote:
  I run FreeBSD 7.1-PRERELEASE. I had a change of the mainboard of my
  Lenovo notebook T60. After reboot the harddisk which was before
  recognized as ad0 is now ad4. I cannot find any other devices, no
  ad0/ad1/ad2 in /dev. Even in the dmesg only ad4.
  The T60 is a laptop.  It only has one hard disk -- so I'm not sure why
  you were seeing ad0, ad1, ad2 in the past.  You shouldn't have been,
  unless you had 3 hard disks hooked up somehow.

  The bottom line here is this: absolutely *nothing* requires the device
  numbering to start at zero.  And this is definitely the case.

  Does fbsd create a unique identifier for harddisks in combination with
  the motherboard or something like that?  Where can I dig further into
  that issue?
  It's not really an issue.  Very likely your computer has toggled some
  BIOS settings.

  The T60 series has the ability to run the SATA ports in two modes: AHCI,
  or Enhanced/Compatible.  Chances are before the motherboard swap, yours
  was running in the opposite mode that it is now.

  I would highly recommend using the AHCI mode.  It works quite well with
  FreeBSD under Intel controllers.  Turn AHCI on (if it's not already),
  and do not mess with it.


 I can verify as a T60 owner, if you toggle the BIOS between AHCI and
 Compatibility the hard drive will show up as either ad4 or ad0.

 It works fine in either mode with FreeBSD.  Unless you are running
 another OS that doesn't have SATA support there's really no reason to
 use compatibility mode.



Re: I've just found a new and interesting spam source - legitimate bounce messages

2008-10-16 Thread Bill Campbell
On Thu, Oct 16, 2008, [EMAIL PROTECTED] wrote:
 In the last hour, I've received over 200 legitimate bounce messages from 
 email services as a result of someone having used or worse is using my 
 email address in spam from multiple windows machines and ip addresses.  
 The end result is that I am getting the bounce messages.  I'm sure that 
 others on this list have experienced the problem and maybe have a 
 solution that I don't have.

Did these come from Barracuda boxes?

Blowback like this is hardly new or legitimate as the From and Sender
header addresses are often (usually) forged in spam, and it does not do
anything useful to reply to them.  The forged addresses may just be
something scraped from the address book of a machine running the Microsoft
virus, Windows, or a deliberate ``Joe Job'' where a spammer is targeting
somebody who may have caused them problems.

Bill
-- 
INTERNET:   [EMAIL PROTECTED]  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
Voice:  (206) 236-1676  Mercer Island, WA 98040-0820
Fax:(206) 232-9186

Common sense is genius dressed in its working clothes.
  -- Ralph Waldo Emerson


Re: FreeBSD RELENG_7 scsi and usb, usb disks take precedence

2008-10-16 Thread Dan Nelson
In the last episode (Oct 16), Eric Masson said:
 Svein Skogen (List Mail Account) [EMAIL PROTECTED] writes:
  With all due respect, if sysinstall isn't able to write those labels,
  this is hardly the solution to the problem...  ;)
 
 Sysinstall, even if it has proven to be useful, is outdated in many
 respects, it doesn't cope really well with GEOM or ZFS for example.
 
 Using GEOM labels ensure that fstab will always be consistent, so
 *this is* a solution.
 
 Now, you can try to patch the kernel to make it probe devices in a
 predefined sorted order, but I guess it will be much more difficult
 ;)

No patching needed.  You can wire down the unit number of your scsi bus
and drive with boot hints as described in the scsi(4) manpage.  Wire
the adaptec card down as scbus0, and wire the device at scbus0.0 down
as da0.

-- 
Dan Nelson
[EMAIL PROTECTED]


Re: I've just found a new and interesting spam source - legitimate bounce messages

2008-10-16 Thread eculp

Yury Michurin [EMAIL PROTECTED] wrote:


Hello,
start with putting an SPF record on the domain,
http://www.netdummy.net/stop-bounce-mail.html
and finish with filtering bogus message-ids which were not originated on your
server with whatever software you are using.


I've had the spf record for a couple of years and I've started  
filtering.  I guess I was just looking for something different.


Thanks for helping me adapt to the real world.

ed



Regards,
Yury

On Thu, Oct 16, 2008 at 4:01 PM, [EMAIL PROTECTED] wrote:


In the last hour, I've received over 200 legitimate bounce messages from
email services as a result of someone having used or worse is using my email
address in spam from multiple windows machines and ip addresses.  The end
result is that I am getting the bounce messages.  I'm sure that others on
this list have experienced the problem and maybe have a solution that I
don't have.

The messages are allowed through my obspamd/pf and pf smtp bruteforce
blocking rules because they are completely legit.

I guess the workaround is to filter them on incoming together with our
local bounce messages until the spammers get tired of my address.

Thanks for any suggestions,

ed


Re: I've just found a new and interesting spam source - legitimate bounce messages

2008-10-16 Thread eculp

RW [EMAIL PROTECTED] wrote:


On Thu, 16 Oct 2008 08:54:55 -0700 (PDT)
Luke Dean [EMAIL PROTECTED] wrote:




On Thu, 16 Oct 2008, Matthew Seaman wrote:

 Until the wonderful day that the entire internet abides by these
 rules[*], use
 of technologies like SPF and DKIM can discourage but not entirely
 prevent the spammers from joe-jobbing you.

I just started getting these bouncebacks en masse this week.
My mail provider publishes SPF records.


SPF increases the probability of spam being rejected at the smtp
level at MX servers, so my expectation would be that it would exacerbate
backscatter not improve it.

Many people recommend SPF for backscatter, but I've yet to hear a cogent
argument for why it helps beyond the very optimistic hope that spammers
will check that their spam is spf compliant.


I feel the same way and thanks for adding some humor to the situation.

ed




Re: I've just found a new and interesting spam source - legitimate bounce messages

2008-10-16 Thread RW
On Thu, 16 Oct 2008 08:54:55 -0700 (PDT)
Luke Dean [EMAIL PROTECTED] wrote:

 
 
 On Thu, 16 Oct 2008, Matthew Seaman wrote:
 
  Until the wonderful day that the entire internet abides by these
  rules[*], use
  of technologies like SPF and DKIM can discourage but not entirely
  prevent the spammers from joe-jobbing you.
 
 I just started getting these bouncebacks en masse this week.
 My mail provider publishes SPF records.

SPF increases the probability of spam being rejected at the smtp
level at MX servers, so my expectation would be that it would exacerbate
backscatter not improve it. 

Many people recommend SPF for backscatter, but I've yet to hear a cogent
argument for why it helps beyond the very optimistic hope that spammers
will check that their spam is spf compliant. 



Re: I've just found a new and interesting spam source - legitimate bounce messages

2008-10-16 Thread eculp

Bill Campbell [EMAIL PROTECTED] wrote:


On Thu, Oct 16, 2008, [EMAIL PROTECTED] wrote:

In the last hour, I've received over 200 legitimate bounce messages from
email services as a result of someone having used or worse is using my
email address in spam from multiple windows machines and ip addresses.
The end result is that I am getting the bounce messages.  I'm sure that
others on this list have experienced the problem and maybe have a
solution that I don't have.


Did these come from Barracuda boxes?

Blowback like this is hardly new or legitimate as the From and Sender
header addresses are often (usually) forged in spam, and it does not do
anything useful to reply to them.  The forged addresses may just be
something scraped from the address book of a machine running the Microsoft
virus, Windows, or a deliberate ``Joe Job'' where a spammer is targeting
somebody who may have caused them problems.


I had just got up this morning and found my mailbox full of these and
lost my cool.  I probably sent the email too quickly.  Thanks for
helping me get it together.


ed




Re: I've just found a new and interesting spam source - legitimate bounce messages

2008-10-16 Thread eculp

Luke Dean [EMAIL PROTECTED] wrote:




On Thu, 16 Oct 2008, Matthew Seaman wrote:

Until the wonderful day that the entire internet abides by these
rules[*], use of technologies like SPF and DKIM can discourage but not
entirely prevent the spammers from joe-jobbing you.


I just started getting these bouncebacks en masse this week.
My mail provider publishes SPF records.
If the names and numbers in the bounceback messages are to be  
believed, however, the spammers have defeated SPF by hijacking DNS.   
The poor recipients never see my SPF records because they're looking  
at the wrong IP address.


Thanks, Matthew.  I guess that is the root problem of spf, the
spammers, that it is supposed to stop.  It looks a bit like our
economy, a losing battle.


It really makes me feel impotent this morning.

Have a great day,

ed



Re: I've just found a new and interesting spam source - legitimate bounce messages

2008-10-16 Thread Matthew Seaman

[EMAIL PROTECTED] wrote:

RW [EMAIL PROTECTED] wrote:


On Thu, 16 Oct 2008 08:54:55 -0700 (PDT)
Luke Dean [EMAIL PROTECTED] wrote:




On Thu, 16 Oct 2008, Matthew Seaman wrote:

 Until the wonderful day that the entire internet abides by these
 rules[*], use
 of technologies like SPF and DKIM can discourage but not entirely
 prevent the spammers from joe-jobbing you.

I just started getting these bouncebacks en masse this week.
My mail provider publishes SPF records.


SPF increases the probability of spam being rejected at the smtp
level at MX servers, so my expectation would be that it would exacerbate
backscatter not improve it.

Many people recommend SPF for backscatter, but I've yet to hear a cogent
argument for why it helps beyond the very optimistic hope that spammers
will check that their spam is spf compliant.


I feel the same way and thanks for adding some humor to the situation.


Most spammers aren't aiming to generate back-scatter as their primary
means of disseminating their spam, so they'll do what they can to get
the best chance of a successful delivery.  That means sending SPF 
compliant e-mails where possible.  It's actually quite simple for them 
to filter out SPF protected addresses from their target lists, so they 
do tend to do that, and it's typically the same list of target addresses
they use for forged senders too.  It's telling that both having a correct
SPF record and having no SPF record at all have a zero score in
SpamAssassin (ie. neutral) whereas non-compliance scores
lots of spam points.


Also see my point earlier about rejecting messages during the SMTP 
dialogue.  SPF is easy to check early and lets you reject messages
before acknowledging receiving them, which means a lot fewer bounce 
messages to (probably forged) sender addresses.


Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
 Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
 Kent, CT11 9PW





Re: I've just found a new and interesting spam source - legitimate bounce messages

2008-10-16 Thread eculp

Jeremy Chadwick [EMAIL PROTECTED] wrote:


On Thu, Oct 16, 2008 at 09:01:02AM -0500, [EMAIL PROTECTED] wrote:

In the last hour, I've received over 200 legitimate bounce messages from
email services as a result of someone having used or worse is using my
email address in spam from multiple windows machines and ip addresses.
The end result is that I am getting the bounce messages.  I'm sure that
others on this list have experienced the problem and maybe have a
solution that I don't have.

The messages are allowed through my obspamd/pf and pf smtp bruteforce
blocking rules because they are completely legit.

I guess the workaround is to filter them on incoming together with our
local bounce messages until the spammers get tired of my address.


The term coined for this type of mail is backscatter.

There is no easy solution for this.  The backscatter article on
postfix.org, for example, caused our mail servers to start rejecting
mail that was generated from PHP scripts and CGIs on our own systems,
which makes no sense.  The article:

http://www.postfix.org/BACKSCATTER_README.html


Thanks for the article, Jeremy.  I hadn't seen it.


If the backscatter is all directed to a single Email address (rather
than a series of addresses, e.g. [EMAIL PROTECTED], and
you have [EMAIL PROTECTED] accepted), then a solution is to reject
mail with an RCPT TO of an account or virtual address that does not
exist on your machine.

This, of course, has a wonderful side effect: spammers now have a way to
detect what Email addresses on your box legitimately accept mail, thus
once they find one which never gets a bounceback, will start pounding
that address to kingdom come.

Let me know if you do find a reliable, decent solution that does not
involve SPF or postfix header_checks or body_checks.


I wish ;)

Thanks again,

ed



--
| Jeremy Chadwickjdc at parodius.com |
| Parodius Networking   http://www.parodius.com/ |
| UNIX Systems Administrator  Mountain View, CA, USA |
| Making life hard for others since 1977.  PGP: 4BD6C0CB |



Re: I've just found a new and interesting spam source - legitimate bounce messages

2008-10-16 Thread RW
On Thu, 16 Oct 2008 11:58:44 -0500
[EMAIL PROTECTED] wrote:

 RW [EMAIL PROTECTED] wrote:

  Many people recommend SPF for backscatter, but I've yet to hear a
  cogent argument for why it helps beyond the very optimistic hope
  that spammers will check that their spam is spf compliant.
 
 I feel the same way and thanks for adding some humor to the situation.

Actually that wasn't a joke, some people do cite that as the reason
why SPF helps with backscatter, that spammers will leave your domain
out of the mail from line if you publish SPF records for it.


Re: I've just found a new and interesting spam source - legitimate bounce messages

2008-10-16 Thread Chuck Swiger

On Oct 16, 2008, at 9:38 AM, RW wrote:

SPF increases the probability of spam being rejected at the smtp
level at MX servers, so my expectation would be that it would
exacerbate backscatter not improve it.


The main problem resulting in backscatter happens when forged spam
from yourdomain.com gets sent to a legit MX server which accepts
the mail initially, and then generates a bounce due to later spam
checking or failed delivery to an invalid user.  The bounces which
then get generated by the legit MX are likely to pass spam checking at
yourdomain.com.


Many people recommend SPF for backscatter, but I've yet to hear a
cogent argument for why it helps beyond the very optimistic hope that
spammers will check that their spam is spf compliant.



SPF doesn't provide a magic solution to backscatter, but it helps  
simplify the problem.


If spam can be rejected during the SMTP phase rather than accepted,  
then most spam-spewing malware simply drops the attempted message  
rather than actually send a bounce to yourdomain.com.  After all, the  
spammer is looking to deliver spam to lots of different mailboxes, not  
deliver tons of DSNs to a single mailbox or domain.  Failing that,  
however, any bounces which are being generated are coming from or at  
least closer to the source of the spam, rather than coming from gmail,  
hotmail, etc.  And if the spamming machine is forging your domain,  
then yourdomain.com MX boxes have a decent shot of rejecting the  
forgeries via hello_checks, RBLs, or other methods.


Regards,
--
-Chuck



Re: I've just found a new and interesting spam source - legitimate bounce messages

2008-10-16 Thread eculp

Chuck Swiger [EMAIL PROTECTED] wrote:


On Oct 16, 2008, at 9:38 AM, RW wrote:

SPF increases the probability of spam being rejected at the smtp
level at MX servers, so my expectation would be that it would exacerbate
backscatter not improve it.


The main problem resulting in backscatter happens when forged spam  
from yourdomain.com gets sent to a legit MX server which accepts  
the mail initially, and then generates a bounce due to later spam  
checking or failed delivery to an invalid user.  The bounces which  
then get generated by the legit MX are likely to pass spam checking  
at yourdomain.com.


Exactly what seems to be happening.


Many people recommend SPF for backscatter, but I've yet to hear a cogent
argument for why it helps beyond the very optimistic hope that spammers
will check that their spam is spf compliant.



SPF doesn't provide a magic solution to backscatter, but it helps  
simplify the problem.


It should.

If spam can be rejected during the SMTP phase rather than accepted,  
then most spam-spewing malware simply drops the attempted message  
rather than actually send a bounce to yourdomain.com.  After all,  
the spammer is looking to deliver spam to lots of different  
mailboxes, not deliver tons of DSNs to a single mailbox or domain.   
Failing that, however, any bounces which are being generated are  
coming from or at least closer to the source of the spam, rather  
than coming from gmail, hotmail, etc.  And if the spamming machine  
is forging your domain, then yourdomain.com MX boxes have a decent  
shot of rejecting the forgeries via hello_checks, RBLs, or other  
methods.


Thanks Chuck,

ed



Re: I've just found a new and interesting spam source - legitimate bounce messages

2008-10-16 Thread eculp

RW [EMAIL PROTECTED] wrote:


On Thu, 16 Oct 2008 11:58:44 -0500
[EMAIL PROTECTED] wrote:


RW [EMAIL PROTECTED] wrote:

 Many people recommend SPF for backscatter, but I've yet to hear a
 cogent argument for why it helps beyond the very optimistic hope
 that spammers will check that their spam is spf compliant.

I feel the same way and thanks for adding some humor to the situation.


Actually that wasn't a joke, some people do cite that as the reason
why SPF helps with backscatter, that spammers will leave your domain
out of the mail from line if you publish SPF records for it.


I see that, but it still touched my funny bone. The problem is how
many mail servers and admins completely ignore SPF, and what happens to
those who do try to comply?  I'm sure that the hundreds of bounces
that I have received are minimal in comparison to the delivered email.
In fact many are reporting that a user is over quota.


Thanks,

ed


Re: I've just found a new and interesting spam source - legitimate bounce messages

2008-10-16 Thread eculp

Paul Schmehl [EMAIL PROTECTED] wrote:


--On Thursday, October 16, 2008 09:01:02 -0500 [EMAIL PROTECTED] wrote:



In the last hour, I've received over 200 legitimate bounce messages
from email services as a result of someone having used or worse is
using my email address in spam from multiple windows machines and ip
addresses.  The end result is that I am getting the bounce messages.
I'm sure that others on this list have experienced the problem and
maybe have a solution that I don't have.

The messages are allowed through my obspamd/pf and pf smtp bruteforce
blocking rules because they are completely legit.

I guess the workaround is to filter them on incoming together with
our local bounce messages until the spammers get tired of my address.



We call those bounceback spam.  The only solution that I know of  
is to tag all outgoing messages with a special header and then check  
for that header on all returns and reject those that don't contain  
the header.  All legitimate bounces would contain the header because  
they originated with your MTA.


E.g. X-Bounceback-Check: 0987923874


I have added headers for years but unfortunately these didn't  
originate on my servers.  My email address was used as the return  
address for spam sent from multiple windows machines to .ru addresses.


Thanks for the suggestion, Paul.

ed



The value of the header can be anything you want it to be, and you  
can change it periodically if you want to keep statistical data.


--
Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/



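Paul's X-Bounceback-Check idea, worked through as an added example (not the thread's code and not any particular MTA's): outgoing mail is tagged with an HMAC bound to a site secret, the recipient and the day, and a returned DSN is accepted only when the original headers it carries have a valid tag. All domains, addresses and the DSN itself are constructed here, and it assumes the remote MX returns the original headers in a message/rfc822-headers part, as RFC 3464 delivery reports do.

```python
"""Tagging outgoing mail so that returned bounces can be told apart.

Added example, not from the thread: the X-Bounceback-Check header made
unforgeable by deriving its value with HMAC over a site secret, the
recipient and the day it was sent. A DSN whose returned headers carry a
valid tag concerns mail our MTA really sent; one without any tag (ed's
case, where the spam never touched his servers) is backscatter.
"""
import datetime
import email
import hashlib
import hmac
from email import policy
from email.utils import parseaddr

SECRET = b"constructed-site-secret-rotate-me"   # constructed, per-site
HEADER = "X-Bounceback-Check"
MAX_AGE_DAYS = 7                                 # how long a tag stays valid
TODAY = datetime.date(2008, 10, 16).toordinal()  # the day of the thread


def make_tag(rcpt, day):
    """Tag for one recipient on one day: '<day>-<truncated HMAC-SHA256>'."""
    mac = hmac.new(SECRET, f"{day}:{rcpt.lower()}".encode(),
                   hashlib.sha256).hexdigest()[:20]
    return f"{day}-{mac}"


def verify_tag(tag, rcpt, today):
    """True if the tag was issued by us, for this recipient, recently."""
    try:
        day = int(tag.split("-", 1)[0])
    except ValueError:
        return False
    if not 0 <= today - day <= MAX_AGE_DAYS:
        return False
    return hmac.compare_digest(make_tag(rcpt, day).encode(), tag.encode())


def bounce_is_legit(dsn_bytes, today):
    """Find the returned original headers inside a DSN and check the tag.

    RFC 3464 reports carry the original headers in a message/rfc822-headers
    (or message/rfc822) part; walk() descends into it. No tag anywhere means
    the message never left our MTA, so the bounce is backscatter.
    """
    msg = email.message_from_bytes(dsn_bytes, policy=policy.default)
    for part in msg.walk():
        tag = part.get(HEADER)
        if tag is None:
            continue
        rcpt = parseaddr(str(part.get("To", "")))[1]
        return verify_tag(str(tag), rcpt, today)
    return False


def build_dsn(original_headers):
    """Construct a multipart/report DSN in the shape a remote MX would send."""
    return (
        "From: MAILER-DAEMON@mx.example.net\n"
        "To: ed@example.org\n"
        "Subject: Undelivered Mail Returned to Sender\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/report; report-type=delivery-status;'
        ' boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\n"
        "Delivery failed: user is over quota\n"
        "--b1\nContent-Type: message/delivery-status\n\n"
        "Reporting-MTA: dns; mx.example.net\n\n"
        "Final-Recipient: rfc822; someone@example.net\n"
        "Action: failed\nStatus: 5.2.2\n"
        "--b1\nContent-Type: message/rfc822-headers\n\n"
        + original_headers +
        "\n--b1--\n"
    ).encode()


# Returned headers of a message we really sent yesterday (constructed).
LEGIT_HEADERS = ("From: ed@example.org\nTo: someone@example.net\n"
                 "Subject: quarterly report\n"
                 f"{HEADER}: {make_tag('someone@example.net', TODAY - 1)}\n")
# Returned headers of forged spam: our address as sender, no tag at all.
UNTAGGED_HEADERS = ("From: ed@example.org\nTo: victim@example.com\n"
                    "Subject: cheap pills\n")
# A tag copied from a real message onto mail for someone else does not verify.
REUSED_TAG_HEADERS = ("From: ed@example.org\nTo: victim@example.com\n"
                      f"{HEADER}: {make_tag('someone@example.net', TODAY - 1)}\n")

if __name__ == "__main__":
    for label, hdrs in (("legit", LEGIT_HEADERS), ("untagged", UNTAGGED_HEADERS),
                        ("reused tag", REUSED_TAG_HEADERS)):
        print(label, "->", bounce_is_legit(build_dsn(hdrs), TODAY))
```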


Re: I've just found a new and interesting spam source - legitimate bounce messages

2008-10-16 Thread eculp

Matthew Seaman [EMAIL PROTECTED] wrote:


[EMAIL PROTECTED] wrote:

RW [EMAIL PROTECTED] wrote:


On Thu, 16 Oct 2008 08:54:55 -0700 (PDT)
Luke Dean [EMAIL PROTECTED] wrote:




On Thu, 16 Oct 2008, Matthew Seaman wrote:


Until the wonderful day that the entire internet abides by these
rules[*], use
of technologies like SPF and DKIM can discourage but not entirely
prevent the spammers from joe-jobbing you.


I just started getting these bouncebacks en masse this week.
My mail provider publishes SPF records.


SPF increases the probability of spam being rejected at the smtp
level at MX servers, so my expectation would be that it would exacerbate
backscatter not improve it.

Many people recommend SPF for backscatter, but I've yet to hear a cogent
argument for why it helps beyond the very optimistic hope that spammers
will check that their spam is spf compliant.


I feel the same way and thanks for adding some humor to the situation.


Most spammers aren't aiming to generate back-scatter as their primary
means of disseminating their spam, so they'll do what they can to get
the best chance of a successful delivery.  That means sending SPF  
compliant e-mails where possible.  It's actually quite simple for  
them to filter out SPF protected addresses from their target lists,  
so they do tend to do that, and it's typically the same list of  
target addresses they use for forged senders too.  It's telling that  
both having a correct SPF record  and having no SPF record at all  
have a zero score in SpamAssassin (ie. neutral) whereas  
non-compliance scores lots of spam points.


Also see my point earlier about rejecting messages during the SMTP  
dialogue.  SPF is easy to check early and lets you reject messages
before acknowledging receiving them, which means a lot fewer bounce  
messages to (probably forged) sender addresses.

Thanks, Matthew.

That I've not done due to the possibility of rejecting legit email.   
I'm going to revisit that decision.


ed



Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
 Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
 Kent, CT11 9PW




___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: I've just found a new and interesting spam source - legitimate bounce messages

2008-10-16 Thread Jeremy Chadwick
On Thu, Oct 16, 2008 at 05:38:07PM +0100, RW wrote:
 On Thu, 16 Oct 2008 08:54:55 -0700 (PDT)
 Luke Dean [EMAIL PROTECTED] wrote:
 
  
  
  On Thu, 16 Oct 2008, Matthew Seaman wrote:
  
   Until the wonderful day that the entire internet abides by these
   rules[*], use
   of technologies like SPF and DKIM can discourage but not entirely
   prevent the spammers from joe-jobbing you.
  
  I just started getting these bouncebacks en masse this week.
  My mail provider publishes SPF records.
 
 SPF increases the probability of spam being rejected at the smtp
 level at MX servers, so my expectation would be that it would exacerbate
 backscatter not improve it. 

Just a side comment for added clarity: this ultimately depends on how
the mail server administrator implemented SPF.  For example, our mail
servers *do not* do SPF lookups at the SMTP level (e.g. in postfix)
because 1) the added complexity is not worth it, and 2) spammers are
now hijacking DNS.

Instead, our servers use SPF in SpamAssassin, subtracting from
the spam probability score if an SPF record is found and matches
appropriately.

-- 
| Jeremy Chadwickjdc at parodius.com |
| Parodius Networking   http://www.parodius.com/ |
| UNIX Systems Administrator  Mountain View, CA, USA |
| Making life hard for others since 1977.  PGP: 4BD6C0CB |

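The two ways of using SPF discussed above, as an added example that is not from the thread or any real SPF library: rejecting a failing sender during the SMTP dialogue, before DATA, as Matthew and Chuck describe (so the message is never accepted and no DSN can follow), and Jeremy's alternative of accepting the message and only adjusting its SpamAssassin score. Only the ip4/ip6/all mechanisms are evaluated, the record table is a constructed stand-in for DNS TXT lookups, and the score weights are illustrative rather than SpamAssassin's.

```python
"""SPF at SMTP time versus SPF as a spam score (added example).

Not a real SPF implementation: only ip4/ip6/all are evaluated, against a
constructed table standing in for DNS, which is enough to contrast the
two policies from the thread.
"""
import ipaddress

# Constructed stand-in for DNS: domain -> published SPF TXT record.
SPF_RECORDS = {
    "yourdomain.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 -all",
    "soft.example": "v=spf1 ip4:203.0.113.0/24 ~all",
}

_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, mail_from_domain, records=SPF_RECORDS):
    """Return pass, fail, softfail, neutral, none or permerror.

    Mechanisms needing further DNS (a, mx, include, ...) are skipped; a real
    implementation resolves them, which is also where Jeremy's remark about
    hijacked DNS applies: the verdict is only as good as the answers.
    """
    record = records.get(mail_from_domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in _QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return _QUALIFIERS[qualifier]
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"     # malformed record
            if ip in network:          # False when v4/v6 versions differ
                return _QUALIFIERS[qualifier]
    return "neutral"  # record exhausted without a match (RFC 7208 s4.7)


def mail_from_reply(client_ip, mail_from):
    """SMTP reply to MAIL FROM when an SPF fail is rejected before DATA."""
    domain = mail_from.rpartition("@")[2]
    if check_spf(client_ip, domain) == "fail":
        # 5xx here: nothing was accepted, so there is nothing to bounce later.
        return f"550 5.7.1 <{mail_from}>: Sender address rejected: SPF fail"
    return "250 2.1.0 Ok"


# Illustrative weights, not SpamAssassin's: pass and none are near neutral,
# non-compliance costs points, as the thread describes.
SPF_SCORE = {"pass": -0.5, "none": 0.0, "neutral": 0.0, "permerror": 0.0,
             "softfail": 1.0, "fail": 3.0}


def spf_score(client_ip, mail_from):
    """Scoring alternative: accept the message, adjust its spam score."""
    return SPF_SCORE[check_spf(client_ip, mail_from.rpartition("@")[2])]


if __name__ == "__main__":
    # A bot on 203.0.113.7 forging yourdomain.com, then a real yourdomain.com host.
    for ip in ("203.0.113.7", "192.0.2.10"):
        print(ip, mail_from_reply(ip, "someone@yourdomain.com"),
              spf_score(ip, "someone@yourdomain.com"))
```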


Re: FreeBSD RELENG_7 scsi and usb, usb disks take precedence

2008-10-16 Thread Svein Skogen (List Mail Account)

Dan Nelson wrote:
 In the last episode (Oct 16), Eric Masson said:
 Svein Skogen (List Mail Account) [EMAIL PROTECTED] writes:
 With all due respect, if sysinstall isn't able to write those labels,
 this is hardly the solution to the problem...  ;)
 Sysinstall, even if it has proven to be useful, is outdated in many
 respects, it doesn't cope really well with GEOM or ZFS for example.

 Using GEOM labels ensure that fstab will always be consistent, so
 *this is* a solution.

 Now, you can try to patch the kernel to make it probe devices in a
 predefined  sorted order, but I guess it will be much more difficult
 ;)
 
 No patching needed.  You can wire down the unit number of your scsi bus
 and drive with boot hints as described in the scsi(4) manpage.  Wire
 the adaptec card down as scbus0, and wire the device at scbus0.0 down
 as da0.

Thank you. :)

//Svein



Lost the require menu alternative with Gimp upgrade

2008-10-16 Thread Leslie Jensen


Hello

I upgraded Gimp to version 2.6.1 and now I do not have the require (for 
scanning) menu choice anymore.


Any ideas on how to get the function back?

I can scan using xscanimage but it takes more steps to get the scanned 
image into Gimp.


/Leslie


Re: FreeBSD and Nagios - permissions

2008-10-16 Thread Per olof Ljungmark

Per olof Ljungmark wrote:

Daniel Bye wrote:

On Thu, Oct 16, 2008 at 12:05:01PM +0100, Daniel Bye wrote:
It is possible to configure sudo to run only exactly the required command
(including arguments) precisely to guard against this type of abuse -
I use it extensively in my own nagios setup.

This Cmnd_Alias in sudoers will do the trick:

Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0

man sudoers for more information about what you can do with sudo.


I just realised this example is woefully incomplete - apologies for that.

There are a few ways you can set up /usr/local/etc/sudoers (make sure
you use visudo to edit it, as it will catch any syntax errors for you,
thus helping somewhat to prevent breaking your setup).

The simplest case will just be to allow nagios to run the command, as root,
without a password:

nagios ALL=(root) NOPASSWD: /sbin/camcontrol inquiry da0

If, as is quite possible, nagios should be able to run more than just
that one command, you can define a Cmnd_Alias, as above. To include more
than one command in the alias, simply separate them with a comma. You
can use `\' to escape newlines and make your file a little easier to read:

Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0, \
  /sbin/camcontrol inquiry da1

and so on. Now, to use that alias, set the user's permissions to

nagios ALL=(root) NOPASSWD: NAGIOS_CMNDS


For the record, even this won't work because nagios needs access to 
/dev/xpt0 as well and once there sudo can't help.


sudo -u nagios /sbin/camcontrol inquiry da0
camcontrol: cam_lookup_pass: couldn't open /dev/xpt0
cam_lookup_pass: Permission denied

--per


Re: FreeBSD and Nagios - permissions

2008-10-16 Thread Mel
On Thursday 16 October 2008 22:07:43 Per olof Ljungmark wrote:
 Per olof Ljungmark wrote:
  Daniel Bye wrote:
  On Thu, Oct 16, 2008 at 12:05:01PM +0100, Daniel Bye wrote:
  It is possible to configure sudo to run only exactly the required
  command
  (including arguments) precisely to guard against this type of abuse -
  I use it extensively in my own nagios setup.
 
  This Cmnd_Alias in sudoers will do the trick:
 
  Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0
 
  man sudoers for more information about what you can do with sudo.
 
  I just realised this example is woefully incomplete - apologies for
  that.
 
  There are a few ways you can set up /usr/local/etc/sudoers (make sure
  you use visudo to edit it, as it will catch any syntax errors for you,
  thus helping somewhat to prevent breaking your setup).
 
  The simplest case will just be to allow nagios to run the command, as
  root,
  without a password:
 
  nagios ALL=(root) NOPASSWD: /sbin/camcontrol inquiry da0
 
  If, as is quite possible, nagios should be able to run more than just
  that one command, you can define a Cmnd_Alias, as above. To include more
  than one command in the alias, simply separate them with a comma. You
  can use `\' to escape newlines and make your file a little easier to
  read:
 
  Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0, \
/sbin/camcontrol inquiry da1
 
  and so on. Now, to use that alias, set the user's permissions to
 
  nagios ALL=(root) NOPASSWD: NAGIOS_CMNDS
 

 For the record, even this won't work because nagios needs access to
 /dev/xpt0 as well and once there sudo can't help.

 sudo -u nagios /sbin/camcontrol inquiry da0
 camcontrol: cam_lookup_pass: couldn't open /dev/xpt0
 cam_lookup_pass: Permission denied

The idea is to let this be run as root, though personally, I'd put nagios in a 
group that can rw /dev/xpt0, /dev/pass0 and /dev/da0, set up devfs.rules 
properly and then let it execute a script that does the inquiry and the 
inquiry only.

On a related note, it would be a 'nice to have' if the more dangerous 
commands of camcontrol had a sysctl knob that only allows them to be executed 
as root.
-- 
Mel

Problem with today's modular software: they start with the modules
and never get to the software part.
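Mel's device-group alternative, spelled out as an added example (this is not configuration from the thread). Assumptions: a dedicated group, here called camro, that contains only the nagios user; the ruleset name nagios_cam; and that the three device nodes Mel lists are the ones camcontrol needs on this box. The rule syntax is that of devfs.rules(5), and the ruleset is applied to the system /dev at boot via rc.conf.

```text
# /etc/devfs.rules   (added example; group and ruleset names are assumptions)
[nagios_cam=10]
add path 'xpt0'  mode 0660 group camro
add path 'pass0' mode 0660 group camro
add path 'da0'   mode 0660 group camro

# /etc/rc.conf
devfs_system_ruleset="nagios_cam"
```

After `pw groupadd camro -M nagios` and `/etc/rc.d/devfs restart`, an unprivileged nagios can run `/sbin/camcontrol inquiry da0` directly, so no sudo or setuid is involved. The check a practitioner wants before choosing this route: rw on /dev/pass0 is not limited to INQUIRY; the pass(4) interface accepts arbitrary CCBs, so any code running as nagios can now issue any SCSI command to that disk. The "script that does the inquiry only" in Mel's suggestion does not constrain that, because the device access belongs to the nagios uid itself, which is the objection Per and Jeremy raise later in the thread.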


Printing to a Lanier LD160c does not work

2008-10-16 Thread ajphanks
I am trying to set up a Lanier LD160c (admincolor) that has a network interface. 
 I am new to FreeBSD and tried to follow the handbook.  I am able to print to a 
HP 5SI (corp-admin) with no problems.  There are no errors in the lpd-errs and 
the file is drained from the queue, but the printer does not print anything.  
And this is a working printer to Windows. 
lpr -P admincolor testfile.txt 

printcap: 
corp-admin|hp|laserjet|Hewlett Packard LaserJet 5Si:\ 
:lp=\ 
:sd=/var/spool/output/corp-admin:rm=corp-admin:\ 
:lf=/var/log/lpd-errs:\ 
:if=/usr/local/libexec/crlfilter:sh:tr=\f:mx#0: 

admincolor|hp|laserjet|LANIER LD160c RPCS:\ 
:lp=\ 
:sd=/var/spool/output/admincolor:rm=admincolor:\ 
:lf=/var/log/lpd-errs: 

I have tried to edit the printcap file and change the 1st line to see if it makes 
any difference, and restarted lpd.  chkprintcap does not generate any messages. 
 Any clues where I can start troubleshooting? 

/var/spool/output 
drwxrwx---  2 daemon  daemon  512 Oct 10 14:46 admincolor 
drwxrwx---  2 daemon  daemon  512 Oct 10 14:05 corp-admin 
drwxr-xr-x  2 rootdaemon  512 Oct 10 13:37 lpd 
-rw-rw-r--  1 rootdaemon5 Oct 10 14:28 lpd.lock 

I would appreciate any help on this.

Pat Hanks


g4u and ftp

2008-10-16 Thread Jean-Paul Natola
Hi all,

I'm having an issue trying to write to my ftp server from linux-

I just set up the ftp server with read and write access and anonymous login

From Windows Explorer no problem, from the Macs no problem, but when I try to
upload an image using  g4u  (http://www.feyrer.de/g4u/) I get rejected by the
MS ftp server 


I'm not sure why it doesn't let me; any thoughts?

tia





Re: Printing to a Lanier LD160c does not work

2008-10-16 Thread Jeremy Chadwick
On Thu, Oct 16, 2008 at 08:36:42PM +, [EMAIL PROTECTED] wrote:
 I am trying to set up a Lanier LD160c (admincolor) that has a network 
 interface.  I am new to FreeBSD and tried to follow the handbook.  I am able 
 to print to a HP 5SI (corp-admin) with no problems.  There are no errors in 
 the lpd-errs and the file is drained from the queue, but the printer does not 
 print anything.  And this is a working printer to Windows. 
 lpr -P admincolor testfile.txt 
 
 printcap: 
 corp-admin|hp|laserjet|Hewlett Packard LaserJet 5Si:\ 
 :lp=\ 
 :sd=/var/spool/output/corp-admin:rm=corp-admin:\ 
 :lf=/var/log/lpd-errs:\ 
 :if=/usr/local/libexec/crlfilter:sh:tr=\f:mx#0: 
 
 admincolor|hp|laserjet|LANIER LD160c RPCS:\ 
 :lp=\ 
 :sd=/var/spool/output/admincolor:rm=admincolor:\ 
 :lf=/var/log/lpd-errs: 

If this printer is hooked up on the network (e.g. via Ethernet), I
believe you need to set the lp variable to the hostname or IP address of
the printer, e.g.:

admincolor|hp|laserjet|LANIER LD160c RPCS:\ 
:lp=192.168.1.100\
:sd=/var/spool/output/admincolor:rm=admincolor:\
:lf=/var/log/lpd-errs:

I think this also makes the assumption that the printer knows how to
speak the LPR protocol.  If it listens on a custom port, you can use
[EMAIL PROTECTED] instead.  See the printcap(5) man page, I guess.

P.S. -- I've never done this, it's just something I remember from
old days.  :-)

-- 
| Jeremy Chadwickjdc at parodius.com |
| Parodius Networking   http://www.parodius.com/ |
| UNIX Systems Administrator  Mountain View, CA, USA |
| Making life hard for others since 1977.  PGP: 4BD6C0CB |



Re: FreeBSD and Nagios - permissions

2008-10-16 Thread Per olof Ljungmark

Mel wrote:

On Thursday 16 October 2008 22:07:43 Per olof Ljungmark wrote:

Per olof Ljungmark wrote:

Daniel Bye wrote:

On Thu, Oct 16, 2008 at 12:05:01PM +0100, Daniel Bye wrote:

It is possible to configure sudo to run only exactly the required
command
(including arguments) precisely to guard against this type of abuse -
I use it extensively in my own nagios setup.

This Cmnd_Alias in sudoers will do the trick:

Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0

man sudoers for more information about what you can do with sudo.

I just realised this example is woefully incomplete - apologies for
that.

There are a few ways you can set up /usr/local/etc/sudoers (make sure
you use visudo to edit it, as it will catch any syntax errors for you,
thus helping somewhat to prevent breaking your setup).

The simplest case will just be to allow nagios to run the command, as
root,
without a password:

nagios ALL=(root) NOPASSWD: /sbin/camcontrol inquiry da0

If, as is quite possible, nagios should be able to run more than just
that one command, you can define a Cmnd_Alias, as above. To include more
than one command in the alias, simply separate them with a comma. You
can use `\' to escape newlines and make your file a little easier to
read:

Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0, \
  /sbin/camcontrol inquiry da1

and so on. Now, to use that alias, set the user's permissions to

nagios ALL=(root) NOPASSWD: NAGIOS_CMNDS

 


For the record, even this won't work because nagios needs access to
/dev/xpt0 as well and once there sudo can't help.

sudo -u nagios /sbin/camcontrol inquiry da0
camcontrol: cam_lookup_pass: couldn't open /dev/xpt0
cam_lookup_pass: Permission denied


The idea is to let this be run as root, though personally, I'd put nagios in a 
group that can rw /dev/xpt0, /dev/pass0 and /dev/da0, set up devfs.rules 
properly and then let it execute a script that does the inquiry and the 
inquiry only.


On a related note, it would be a 'nice to have' if the more dangerous 
commands of camcontrol had a sysctl knob that only allows them to be executed 
as root.


But... the command /sbin/camcontrol inquiry da0 IS run as root through 
the setup in sudoers above, but it is not enough or I'm overlooking 
something. Anyway, I've already decided to scrap the sudo idea, too 
kludgy for me.


The idea of running nagios with rw access to the devices is not very 
appealing either as Jeremy pointed out.


I will start from square one with a different approach that I need to 
dream up tomorrow.

Thanks,
--
per


Re: FreeBSD and Nagios - permissions

2008-10-16 Thread Mel
On Thursday 16 October 2008 23:36:51 Per olof Ljungmark wrote:
 Mel wrote:
  On Thursday 16 October 2008 22:07:43 Per olof Ljungmark wrote:
  Per olof Ljungmark wrote:
  Daniel Bye wrote:
  On Thu, Oct 16, 2008 at 12:05:01PM +0100, Daniel Bye wrote:

snip

  nagios ALL=(root) NOPASSWD: NAGIOS_CMNDS
 
   
This means:
ALLOW nagios user from anywhere to run commands NAGIOS_CMNDS as user root 
without a password.

  For the record, even this won't work because nagios needs access to
  /dev/xpt0 as well and once there sudo can't help.
 
  sudo -u nagios /sbin/camcontrol inquiry da0
  camcontrol: cam_lookup_pass: couldn't open /dev/xpt0
  cam_lookup_pass: Permission denied

The above sudo command, runs as nagios user, not as root.

 But... the command /sbin/camcontrol inquiry da0 IS run as root through
 the setup in sudoers above,

See above. To test if it would work, you'd have to login as nagios then run 
sudo /sbin/camcontrol inquiry da0.
-- 
Mel

Problem with today's modular software: they start with the modules
and never get to the software part.


Re: FreeBSD and Nagios - permissions

2008-10-16 Thread Jeremy Chadwick
On Thu, Oct 16, 2008 at 11:36:51PM +0200, Per olof Ljungmark wrote:
 Mel wrote:
 On Thursday 16 October 2008 22:07:43 Per olof Ljungmark wrote:
 Per olof Ljungmark wrote:
 Daniel Bye wrote:
 On Thu, Oct 16, 2008 at 12:05:01PM +0100, Daniel Bye wrote:
 It is possible to configure sudo to run only exactly the required
 command
 (including arguments) precisely to guard against this type of abuse -
 I use it extensively in my own nagios setup.

 This Cmnd_Alias in sudoers will do the trick:

 Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0

 man sudoers for more information about what you can do with sudo.
 I just realised this example is woefully incomplete - apologies for
 that.

 There are a few ways you can set up /usr/local/etc/sudoers (make sure
 you use visudo to edit it, as it will catch any syntax errors for you,
 thus helping somewhat to prevent breaking your setup).

 The simplest case will just be to allow nagios to run the command, as
 root,
 without a password:

 nagios ALL=(root) NOPASSWD: /sbin/camcontrol inquiry da0

 If, as is quite possible, nagios should be able to run more than just
 that one command, you can define a Cmnd_Alias, as above. To include more
 than one command in the alias, simply separate them with a comma. You
 can use `\' to escape newlines and make your file a little easier to
 read:

 Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0, \
   /sbin/camcontrol inquiry da1

 and so on. Now, to use that alias, set the user's permissions to

 nagios ALL=(root) NOPASSWD: NAGIOS_CMNDS
  

 For the record, even this won't work because nagios needs access to
 /dev/xpt0 as well and once there sudo can't help.

 sudo -u nagios /sbin/camcontrol inquiry da0
 camcontrol: cam_lookup_pass: couldn't open /dev/xpt0
 cam_lookup_pass: Permission denied

 The idea is to let this be run as root, though personally, I'd put nagios 
 in a group that can rw /dev/xpt0, /dev/pass0 and /dev/da0, set up 
 devfs.rules properly and then let it execute a script that does the 
 inquiry and the inquiry only.

 On a related note, it would be a 'nice to have' if the more dangerous 
 commands of camcontrol had a sysctl knob that only allows them to be 
 executed as root.

 But... the command /sbin/camcontrol inquiry da0 IS run as root through 
 the setup in sudoers above, but it is not enough or I'm overlooking 
 something. Anyway, I've already decided to scrap the sudo idea, too 
 kludgy for me.

Scrapping it is fine, but you still aren't understanding how to use
sudo.

The -u flag tells sudo what UID to switch to.  Meaning, your above
command (sudo -u nagios /sbin/camcontrol...) tells the system run
/sbin/camcontrol as user nagios.  This **does not** tell the system
to run /sbin/camcontrol as user root.

For example, let's say you're logged in as user nagios (or running
commands as user nagios):

[EMAIL PROTECTED] sudo -u nagios whoami
nagios
[EMAIL PROTECTED]

This obviously isn't what you want -- this tells sudo to switch to
UID nagios (you already ARE this user!) and run the whoami command.

But this IS what you want:

[EMAIL PROTECTED] sudo whoami
root
[EMAIL PROTECTED]

You'll need to use visudo(8) to configure sudo to 1) permit user
nagios to use sudo (and switch to UID root), and 2) to ONLY RUN
/sbin/camcontrol when sudo is run, otherwise someone could do:

[EMAIL PROTECTED] sudo rm -fr /

You get the point now, I'm sure.

 The idea of running nagios with rw access to the devices is not very  
 appealing either as Jeremy pointed out.

 I will start from square one with a different approach that I need to  
 dream up tomorrow.

I must again point out that using a C-based wrapper is a much
better idea, especially if this is the only command you need to
run as root.

The wrapper is a 15-20 line C program, if that, and will only run
one command: /sbin/camcontrol inquiry da0.  It can't be used to do
anything else.

If you really want someone to write this for you, I will do it.

-- 
| Jeremy Chadwickjdc at parodius.com |
| Parodius Networking   http://www.parodius.com/ |
| UNIX Systems Administrator  Mountain View, CA, USA |
| Making life hard for others since 1977.  PGP: 4BD6C0CB |

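The fixed-command wrapper Jeremy describes, written out as an added example; this is not Jeremy's code and not part of the thread. It runs exactly `/sbin/camcontrol inquiry <dev>` and nothing else, with the device name taken from a compiled-in allow list (da0 and da1, mirroring the Cmnd_Alias earlier in the thread) rather than from the caller, and with a fixed environment so PATH or LD_* from the calling process never reach the child. The install path, the group name nagios and the binary name cam_inquiry are assumptions. Because the exec'd camcontrol runs with uid 0, no device permissions need to change, which is the part the `sudo -u nagios` test in the thread was getting wrong.

```c
/*
 * cam_inquiry.c: fixed-command setuid-root wrapper (added example, not
 * from the thread).  Runs "/sbin/camcontrol inquiry <dev>" for <dev> in
 * a compiled-in allow list and nothing else.
 *
 * Assumed install (adjust to taste):
 *   cc -O2 -Wall -o cam_inquiry cam_inquiry.c
 *   install -o root -g nagios -m 4750 cam_inquiry /usr/local/libexec/
 * Mode 4750 root:nagios means only members of group nagios can run it.
 */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define CAMCONTROL "/sbin/camcontrol"

/* Devices nagios may inquire.  Extend here, never via arguments. */
static const char *const allowed_devs[] = { "da0", "da1", NULL };

/*
 * Return the allow-list entry matching argv[1], or NULL if the argument
 * count is wrong or the name is not listed.  The pointer returned is our
 * own constant string, so no caller-supplied bytes are ever passed to
 * exec, however the name was spelled.
 */
const char *wrapper_select_device(int argc, char *const argv[])
{
	if (argc != 2 || argv[1] == NULL)
		return NULL;
	for (const char *const *p = allowed_devs; *p != NULL; p++)
		if (strcmp(argv[1], *p) == 0)
			return *p;
	return NULL;
}

int main(int argc, char *argv[])
{
	const char *dev = wrapper_select_device(argc, argv);

	if (dev == NULL) {
		fprintf(stderr, "usage: cam_inquiry {da0|da1}\n");
		return 2;
	}

	/* A setuid binary starts with only the effective uid set to 0;
	 * make the real uid root too so nothing later can drop back. */
	if (setuid(0) != 0) {
		perror("setuid");
		return 1;
	}

	/* Fixed argv and a minimal environment: nothing from the caller. */
	char *const cmd[] = { CAMCONTROL, "inquiry", (char *)dev, NULL };
	char *const env[] = { "PATH=/sbin:/bin:/usr/sbin:/usr/bin", NULL };

	execve(CAMCONTROL, cmd, env);
	perror("execve " CAMCONTROL);
	return 1;
}
```

A Nagios check then calls `/usr/local/libexec/cam_inquiry da0` with no sudo at all. Compared with the sudoers entry, there is no rule file that a later edit can widen, and compared with the device-group approach the nagios uid itself never gains rights on /dev/pass0 or /dev/xpt0; the cost is that adding a disk means a recompile, which for a monitoring host is the right trade.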


Re: FreeBSD and Nagios - permissions

2008-10-16 Thread Per olof Ljungmark

Mel wrote:

On Thursday 16 October 2008 23:36:51 Per olof Ljungmark wrote:

Mel wrote:

On Thursday 16 October 2008 22:07:43 Per olof Ljungmark wrote:

Per olof Ljungmark wrote:

Daniel Bye wrote:

On Thu, Oct 16, 2008 at 12:05:01PM +0100, Daniel Bye wrote:


snip


nagios ALL=(root) NOPASSWD: NAGIOS_CMNDS

 

This means:
ALLOW nagios user from anywhere to run commands NAGIOS_CMNDS as user root 
without a password.



For the record, even this won't work because nagios needs access to
/dev/xpt0 as well and once there sudo can't help.

sudo -u nagios /sbin/camcontrol inquiry da0
camcontrol: cam_lookup_pass: couldn't open /dev/xpt0
cam_lookup_pass: Permission denied


The above sudo command, runs as nagios user, not as root.


But... the command /sbin/camcontrol inquiry da0 IS run as root through
the setup in sudoers above,


See above. To test if it would work, you'd have to login as nagios then run 
sudo /sbin/camcontrol inquiry da0.


OK, I'm sure you're right, this was my first encounter with sudo. But 
nagios, running in parallel, reported identical results to the ones I 
got from the command line. That is why I drew the conclusion that giving 
nagios root access to NAGIOS_CMNDS was not enough and the reported error 
(access to /dev/xpt0) was not part of any direct command.


Maybe this is wrong and I made a mistake but because this is *nix I'm 
confident there are other less kludgy solutions to the problem.

--
per


Re: FreeBSD and Nagios - permissions

2008-10-16 Thread Per olof Ljungmark

Jeremy Chadwick wrote:

On Thu, Oct 16, 2008 at 11:36:51PM +0200, Per olof Ljungmark wrote:

Mel wrote:

On Thursday 16 October 2008 22:07:43 Per olof Ljungmark wrote:

Per olof Ljungmark wrote:

Daniel Bye wrote:

On Thu, Oct 16, 2008 at 12:05:01PM +0100, Daniel Bye wrote:

It is possible to configure sudo to run only exactly the required
command
(including arguments) precisely to guard against this type of abuse -
I use it extensively in my own nagios setup.

This Cmnd_Alias in sudoers will do the trick:

Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0

man sudoers for more information about what you can do with sudo.

I just realised this example is woefully incomplete - apologies for
that.

There are a few ways you can set up /usr/local/etc/sudoers (make sure
you use visudo to edit it, as it will catch any syntax errors for you,
thus helping somewhat to prevent breaking your setup).

The simplest case will just be to allow nagios to run the command, as
root,
without a password:

nagios ALL=(root) NOPASSWD: /sbin/camcontrol inquiry da0

If, as is quite possible, nagios should be able to run more than just
that one command, you can define a Cmnd_Alias, as above. To include more
than one command in the alias, simply separate them with a comma. You
can use `\' to escape newlines and make your file a little easier to
read:

Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0, \
  /sbin/camcontrol inquiry da1

and so on. Now, to use that alias, set the user's permissions to

nagios ALL=(root) NOPASSWD: NAGIOS_CMNDS

 


For the record, even this won't work because nagios needs access to
/dev/xpt0 as well and once there sudo can't help.

sudo -u nagios /sbin/camcontrol inquiry da0
camcontrol: cam_lookup_pass: couldn't open /dev/xpt0
cam_lookup_pass: Permission denied
The idea is to let this be run as root, though personally, I'd put nagios 
in a group that can rw /dev/xpt0, /dev/pass0 and /dev/da0, set up 
devfs.rules properly and then let it execute a script that does the 
inquiry and the inquiry only.


On a related note, it would be a 'nice to have' if the more dangerous 
commands of camcontrol had a sysctl knob that only allows them to be 
executed as root.
But... the command /sbin/camcontrol inquiry da0 IS run as root through 
the setup in sudoers above, but it is not enough or I'm overlooking 
something. Anyway, I've already decided to scrap the sudo idea, too 
kludgy for me.


Scrapping it is fine, but you still aren't understanding how to use
sudo.

The -u flag tells sudo what UID to switch to.  Meaning, your above
command (sudo -u nagios /sbin/camcontrol...) tells the system run
/sbin/camcontrol as user nagios.  This **does not** tell the system
to run /sbin/camcontrol as user root.

For example, let's say you're logged in as user nagios (or running
commands as user nagios):

[EMAIL PROTECTED] sudo -u nagios whoami
nagios
[EMAIL PROTECTED]

This obviously isn't what you want -- this tells sudo to switch to
UID nagios (you already ARE this user!) and run the whoami command.

But this IS what you want:

[EMAIL PROTECTED] sudo whoami
root
[EMAIL PROTECTED]

You'll need to use visudo(8) to configure sudo to 1) permit user
nagios to use sudo (and switch to UID root), and 2) to ONLY RUN
/sbin/camcontrol when sudo is run, otherwise someone could do:

[EMAIL PROTECTED] sudo rm -fr /

You get the point now, I'm sure.


Yep, promise :-)

I'm off to bed but will try to work out the sudo magic tomorrow although 
I'm still inclined to an alternative solution.

--
per


I've just found a new and interesting spam source - legitimate bounce messages

2008-10-16 Thread Edwin Groothuis
 In the last hour, I've received over 200 legitimate bounce messages
 from email services as a result of someone having used or worse is
 using my email address in spam from multiple windows machines and ip
 addresses.

When this happens I enable the move all messages from mailer-daemon
to /dev/null rules in procmail for a day or two. And curse at the
people who originated the original spam...

Edwin

-- 
Edwin Groothuis Website: http://www.mavetju.org/
[EMAIL PROTECTED]   Weblog:  http://www.mavetju.org/weblog/


Re: Lost the require meny alternative with Gimp upgrade

2008-10-16 Thread Warren Block

On Thu, 16 Oct 2008, Leslie Jensen wrote:

I upgraded Gimp to version 2.6.1 and now I do not have the require (for 
scanning) menu choice anymore.


Acquire, maybe?


Any ideas on how to get the function back.

I can scan using xscanimage but it takes more steps to get the scanned image 
into Gimp.


In gimp 2.6.1, the SANE scanner plugin is on the File/Create menu.

-Warren Block * Rapid City, South Dakota USA


Re: [SOLVED] Xircom 10/100 cardbus w/ 7-RELEASE

2008-10-16 Thread Steven Susbauer

Steven Susbauer wrote:

I have read a few places of people having issues with the Xircom cardbus
networking adapter with -CURRENT and, I guess, with release 7. My card
is an IBM EtherFast 10/100.

This card works fine in 6.3. In 7 I get dc0: No station address in
CIS! - same driver

This problem appears to be mentioned in
http://unix.derkeiler.com/Mailing-Lists/FreeBSD/current/2006-10/msg00226.html


Any ideas on how to fix this issue? I do not have networking on the
release cds nor through freebsd-upgrade with the 7-GENERIC kernel. I
have to roll back the upgrade to get back online.

Thanks




I've since solved this problem with some help, but I'm hoping this will
get up on Google if someone finds my original message.

The fix is in a kernel patch at
http://lists.freebsd.org/pipermail/freebsd-bugs/2007-December/027280.html
- The problem has not been fixed in the -STABLE/-CURRENT sources as of
today. Since the misbehaving file has not been changed in any of them
the patch still works.




Re: Printing to a Lanier LD160c does not work

2008-10-16 Thread Warren Block

On Thu, 16 Oct 2008, [EMAIL PROTECTED] wrote:

I am trying to set up a Lanier LD160c (admincolor) that has a network 
interface.  I am new to FreeBSD and tried to follow the handbook.  I 
am able to print to a HP 5SI (corp-admin) with no problems.  There are 
no errors in the lpd-errs and the file is drained from the queue, but 
the printer does not print anything.  And this is a working printer to 
Windows. lpr -P admincolor testfile.txt


printcap:
corp-admin|hp|laserjet|Hewlett Packard LaserJet 5Si:\
   :lp=\
   :sd=/var/spool/output/corp-admin:rm=corp-admin:\
   :lf=/var/log/lpd-errs:\
   :if=/usr/local/libexec/crlfilter:sh:tr=\f:mx#0:

admincolor|hp|laserjet|LANIER LD160c RPCS:\
   :lp=\
   :sd=/var/spool/output/admincolor:rm=admincolor:\
   :lf=/var/log/lpd-errs:


Note here that in the second entry you don't have the :sh: and :mx#0: 
entries.  No :if=: either, but maybe that's because you don't need an 
input filter for this printer.


At first guess, this printer may be touchy about the print queue name. 
That's the :rp=: parameter, which is not here at all.  There are a 
couple of KB entries on the Lanier site that say to use lp.


printcap entries are easier to read if you put one option per line:

admincolor:\
:lp=:\
:sh:\
:mx#0:\
:rm=admincolor:\
:rp=lp:\
:sd=/var/spool/output/admincolor:\
:lf=/var/log/lpd-errs:

-Warren Block * Rapid City, South Dakota USA


Re: How to get my Dad's Win2k system to access internet through my FreeBSD 6.2 system

2008-10-16 Thread RW
On Thu, 16 Oct 2008 04:43:48 -0700
Jeremy Chadwick [EMAIL PROTECTED] wrote:


 What Michael's describing is a feature many DSL modems offer.  There
 is no official term for what it is,

They are commonly referred to as half-bridge modems.

 The reason this feature is HIGHLY desired is because not all PPPoE
 implementations are compatible with an ISPs implementation.  

Even more so if you have PPPoA with no, or poorly-supported, PPPoE.



Re: I've just found a new and interesting spam source - legitimate bounce messages

2008-10-16 Thread eculp

Edwin Groothuis [EMAIL PROTECTED] escribió:


In the last hour, I've received over 200 legitimate bounce messages
from email services as a result of someone having used or worse is
using my email address in spam from multiple windows machines and ip
addresses.


When this happens I enable the move all messages from mailer-daemon
to /dev/null rules in procmail for a day or two. And curse at the
people who originated the original spam...

Edwin


Edwin, great idea, especially the last part.  I have done a good job of  
that today.



ed


--
Edwin Groothuis Website: http://www.mavetju.org/
[EMAIL PROTECTED]   Weblog:  http://www.mavetju.org/weblog/





Re: I've just found a new and interesting spam source - legitimate bounce messages

2008-10-16 Thread eculp

Jeremy Chadwick [EMAIL PROTECTED] escribió:


On Thu, Oct 16, 2008 at 05:38:07PM +0100, RW wrote:

On Thu, 16 Oct 2008 08:54:55 -0700 (PDT)
Luke Dean [EMAIL PROTECTED] wrote:



 On Thu, 16 Oct 2008, Matthew Seaman wrote:

  Until the wonderful day that the entire internet abides by these
  rules[*], use
  of technologies like SPF and DKIM can discourage but not entirely
  prevent the spammers from joe-jobbing you.

 I just started getting these bouncebacks en masse this week.
 My mail provider publishes SPF records.

SPF increases the probability of spam being rejected at the smtp
level at MX servers, so my expectation would be that it would exacerbate
backscatter not improve it.


Just a side comment for added clarity: this ultimately depends on how
the mail server administrator implemented SPF.  For example, our mail
servers *do not* do SPF lookups at the SMTP level (e.g. in postfix)
because 1) the added complexity is not worth it, and 2) spammers are
now hijacking DNS.

Instead, our servers use SPF in SpamAssassin, subtracting from
the spam probability score if an SPF record is found and matches
appropriately.


That sounds like it is definitely worth trying.

Thanks,

ed


--
| Jeremy Chadwickjdc at parodius.com |
| Parodius Networking   http://www.parodius.com/ |
| UNIX Systems Administrator  Mountain View, CA, USA |
| Making life hard for others since 1977.  PGP: 4BD6C0CB |






Re: Radius Authentication

2008-10-16 Thread Todor Genov
Hi Matt,


The three important steps here are as follows:

1.) Confirm that authentication against the RADIUS server succeeds using
any command line RADIUS util.

2.) configure /etc/radius.conf as per man pam_radius and man radius.conf

3.) Add a user on the FreeBSD machine whose name corresponds with the
Windows domain account (if the name contains spaces then refer to the
pre-Windows2000 compatible username in AD). This is mandatory as
pam_radius is only used for authentication. UID, GID, home dir and all
*nix relevant account parameters are still retrieved from the local user
database.

 An alternative to step 3 would be to use the template_user option in
radius.conf, but this means that all your Windows users will appear to
the system with same UID/GID as the template_user.


MattAD wrote:
 I would just like to know if anyone on earth has been able to get the
 pam_radius module working on FreeBSD, using a windows domain username
 through ssh... ??? This has become a mystery to me. My /etc/pam.d/sshd
 config looks like so:  
 
 #
 # $FreeBSD: src/etc/pam.d/sshd,v 1.16 2007/06/10 18:57:20 yar Exp $
 #
 # PAM configuration for the sshd service
 #
 
 # auth
 auth		required	pam_nologin.so		no_warn
 auth		sufficient	pam_opie.so		no_warn no_fake_prompts
 auth		requisite	pam_opieaccess.so	no_warn allow_local
 auth		sufficient	pam_radius.so		no_warn try_first_pass
 #auth		sufficient	pam_krb5.so		no_warn try_first_pass
 #auth		sufficient	pam_ssh.so		no_warn try_first_pass
 auth		sufficient	pam_unix.so		no_warn try_first_pass
 
 # account
 account		required	pam_nologin.so
 #account	required	pam_krb5.so
 account		required	pam_login_access.so
 account		required	pam_unix.so
 
 # session
 #session	optional	pam_ssh.so
 session		required	pam_permit.so
 
 # password
 #password	sufficient	pam_krb5.so		no_warn try_first_pass
 password	required	pam_unix.so		no_warn try_first_pass
 
 
 :confused:

-- 
Regards,

Todor Genov
Systems Operations

Verizon Business South Africa (Pty) Ltd

[EMAIL PROTECTED]
Tel: +27 11 235 6500
Fax: 086 692 0543


Re: Auto Backup Data and Delete for Account Expired

2008-10-16 Thread Kalpin Erlangga Silaen

Dear Jeremy,

Jeremy Chadwick wrote:

On Thu, Oct 16, 2008 at 03:17:14PM +0700, Kalpin Erlangga Silaen wrote:
  

Dear all,

is there any routines to check if some accounts expire then system would
like to do backup all data to certain directory and then delete the account.

Any help would be appreciate.



You sent this mail to the list yesterday.  We saw it.

  
I am sorry, my email client had an error and all sent email was still in 
the outbox. I have fixed it. Thank you


Kalpin Erlangga Silaen



kgdb of kernel issues FB7.0

2008-10-16 Thread Kayven Riese
I was running my FreeBSD 7.0-RELEASE (160GB HD) on this laptop:

http://www.monkeyview.net/id/965/fsck/dmesg/PB12001901.vhtml

Right now I am swapped out

http://www.monkeyview.net/id/965/fsck/torrent/p5120212.vhtml

but I have the problem disk mounted using this:

http://www.monkeyview.net/id/965/fsck/torrent/p5120226.vhtml

This is a much older disk with 60GB and
$ uname -a
FreeBSD  6.2-RELEASE FreeBSD 6.2-RELEASE #0: Fri Jan 12 11:05:30 UTC
2007 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/SMP  i386
$

It makes clunking sounds sometimes, but for the most part it seems to run
fine.

Some diagnostics on the 160GB HD FB 7.0 that have been done:

# mount /dev/da0s4 /mnt/usr
# fsck_ufs -y /mnt/usr
** /dev/da0s4 (NO WRITE)
** Last Mounted on /mnt/usr
** Phase 1 - Check Blocks and Sizes
INCORRECT BLOCK COUNT I=2779162 (4 should be 0)
CORRECT? no

fsck_ufs: cannot alloc 871186332 bytes for inoinfo
#

I have been told that doing fsck while mounted is a very bad thing, but I
did fsck before the above depicted instantiation of the fsck command and
after this, and it always did the same thing. I have done fsck using the
argument /dev/da0s4, I have done fsck in single user mode (the 160GB hard
drive boots a character based shell, but crashes and reboots during
startx) and always the fsck looks the same. My configuration of the 160GB
is a little goofy, in my estimation, just to explain. I currently have
three hard drives representing all the times I have installed FreeBSD;
two of them are dual booted with MS Vista, and this latest one with 160GB
has FreeBSD all to itself, but when I was creating it, I mistook
partitions for slices, so I configured 4 partitions, leaving some of the
disk unallocated, thinking that would be good for that 10% utilization
thing. I mount three partitions on /, /var, and /usr respectively, and
the last one as swap. I learned the vi editor in 1985 and tend to recount
the flavor of unix as evax, but at this point I wonder if this evax
concept is mistaken. I have done a bunch of C programming in university
courses, but also spent some time doing molecular biology, but they had
me on a SUN SPARCstation I guess. Didn't mess with that source code.

Anyway. Sorry for not being concise. I thought maybe my background might
be useful information. I was told to do another diagnostic, alleged to
pin the disk down as having no bad sectors:

# dd if=/dev/da0 bs=65536 of=/dev/null
2442045+1 records in
2442045+1 records out
160041885696 bytes transferred in 5718.122211 secs (27988539 bytes/sec)
# echo $?
0
#

I was told that the fact that it returns 0 was good.


I also tried the port called recoverdisk, but that was taking extremely
long. I accidentally disconnected the USB port.

# /usr/src/tools/tools/recoverdisk
zsh: permission denied: /usr/src/tools/tools/recoverdisk
# set -o vi
# ls /usr/src/tools/tools/recoverdisk
Makefile        recoverdisk.1   recoverdisk.c
# cd /usr/src/tools/tools/recoverdisk
# make
Warning: Object directory not changed from original
/usr/src/tools/tools/recoverdisk
cc -O2 -fno-strict-aliasing -pipe  -Wsystem-headers -Werror -Wall
-Wno-format-y2k -W -Wno-unused-parameter -Wstrict-prototypes
-Wmissing-prototypes -Wpointer-arith -Wreturn-type -Wcast-qual
-Wwrite-strings -Wswitch -Wshadow -Wcast-align -Wunused-parameter
-Wchar-subscripts -Winline -Wnested-externs -Wredundant-decls -c
recoverdisk.c
cc -O2 -fno-strict-aliasing -pipe  -Wsystem-headers -Werror -Wall
-Wno-format-y2k -W -Wno-unused-parameter -Wstrict-prototypes
-Wmissing-prototypes -Wpointer-arith -Wreturn-type -Wcast-qual
-Wwrite-strings -Wswitch -Wshadow -Wcast-align -Wunused-parameter
-Wchar-subscripts -Winline -Wnested-externs -Wredundant-decls  -o
recoverdisk recoverdisk.o
gzip -cn recoverdisk.1 > recoverdisk.1.gz
# ls
Makefile        recoverdisk.1   recoverdisk.c
recoverdisk     recoverdisk.1.gz        recoverdisk.o
# ./recoverdisk
usage: recoverdisk [-r worklist] [-w worklist] source-drive [destination]
# ./recoverdisk /dev/da0s4
        start    size           len state          done     remaining    % done
    590348288 1048576  134551002112     0     590348288  134551002112 0.0043684

It had run for perhaps half an hour and still was only 0.3% done or so.


Finally, the guy downstairs told me to debug the kernel, so I found this
page:

http://www.freebsd.org/doc/en/books/developers-handbook/kerneldebug-gdb.html

and after mounting the /usr partition I am here:

-rw-r--r--  1 root  wheel 21360 Jun 22 10:30 yarrow.o
# kgdb /mnt/nexstar/obj/usr/src/sys/KV_KERN/kernel.debug vmcore.12
[GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so:
Undefined symbol ps_pglobal_lookup]
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type show copying to see the conditions.
There is absolutely no warranty for GDB. 

IPFW UID match questions

2008-10-16 Thread Kalpin Erlangga Silaen
Dear all,

I tried to implement IPFW rules like below on my shell server:

/sbin/ipfw -q add 18600 allow tcp from any to personal_ip in
/sbin/ipfw -q add 18650 allow tcp from personal_ip to any out uid kalpin
/sbin/ipfw -q add 18660 allow tcp from personal_ip to any out uid root
/sbin/ipfw -q add 18670 allow tcp from personal_ip to any out uid nobody
/sbin/ipfw -q add 18700 deny tcp from personal_ip to any out

I hope that with these rules only user kalpin can use the vhost
personal_ip. Below is a brief description:

line 1 will allow all tcp incoming packets to personal_ip
line 2 will allow tcp outgoing packets from personal_ip to anywhere if
they match uid kalpin
line 3 same as line 2 if they match uid root (to respond to identd
requests from the IRC network if identd runs as root)
line 4 same as line 3 if they match uid nobody (to respond to identd
requests from the IRC network if identd falls back to nobody)
line 5 will deny all tcp outgoing packets

But the IRC network still could not get an ident response from my
server. If I removed line 5, then the IRC network got the identd
response. My identd process is:

root 63932 0.0 0.1 3136 1028 ?? Ss 1:46AM 0:00.03
/usr/local/sbin/oidentd -C /usr/local/etc/oidentd.conf

Is there anything else that should be done to fix this problem?

Thank you


Kalpin Erlangga Silaen


Re: g4u and ftp

2008-10-16 Thread Steve Quinn
--- On Thu, 10/16/08, Jean-Paul Natola [EMAIL PROTECTED] wrote:

 From: Jean-Paul Natola [EMAIL PROTECTED]
 Subject: g4u and ftp
 To: FreeBSD Questions freebsd-questions@freebsd.org
 Date: Thursday, October 16, 2008, 1:41 PM
 Hi all,
 
 I'm having an issue trying to write to my ftp server from linux.
 
 I just set up the ftp server with read and write access and anonymous
 login.
 
 From windows explorer no problem, from the mac's no problem, but when I
 try to upload an image using g4u (http://www.feyrer.de/g4u/) I get
 rejected by the MS ftp server.
 
 
 I'm not sure why it doesn't let me; any thoughts?
 
 tia

Hi Jean-Paul

I use G4U very much myself so I've been there

G4U's defaults are reading/writing to an FTP user account by the name of
install.

I hope that helps you out

Take care

Steve Quinn


  


Re: Radius Authentication

2008-10-16 Thread Peter Boosten


MattAD wrote:
 I would just like to know if anyone on earth has been able to get the
 pam_radius module working on FreeBSD, using a windows domain username
 through ssh... ??? This has become a mystery to me. My /etc/pam.d/sshd
 config looks like so:  

I don't have a direct answer to your question, but we use tac_plus with
the RADIUS extension to authenticate from our IPS environment to a
Windows 2003 domain, and there are two things I vaguely remember from
that setup (maybe they apply to your setup as well):

- when authenticating we have to use the complete login name, including
domain info: [EMAIL PROTECTED]
- we had to switch 'Store passwords in reversible form' (or something
like that - in Windows, that is) to be able to authenticate. The first
password is stored that way after a password change.
- we discovered that some passwords do not work: passwords with a +
sign in them, but I don't know if that is due to TACACS or RADIUS.

Hope it helps.

Peter
-- 
http://www.boosten.org


Re: IPFW UID match questions

2008-10-16 Thread Jeremy Chadwick
On Fri, Oct 17, 2008 at 09:10:05AM +0700, Kalpin Erlangga Silaen wrote:
 Dear all,
 
 I tried to implement IPFW rules like below on my shell server:
 
 /sbin/ipfw -q add 18600 allow tcp from any to personal_ip in
 /sbin/ipfw -q add 18650 allow tcp from personal_ip to any out uid kalpin
 /sbin/ipfw -q add 18660 allow tcp from personal_ip to any out uid root
 /sbin/ipfw -q add 18670 allow tcp from personal_ip to any out uid nobody
 /sbin/ipfw -q add 18700 deny tcp from personal_ip to any out
 
 I hope that with these rules only user kalpin can use the vhost
 personal_ip. Below is a brief description:
 
 line 1 will allow all tcp incoming packets to personal_ip
 line 2 will allow tcp outgoing packets from personal_ip to anywhere if
 they match uid kalpin
 line 3 same as line 2 if they match uid root (to respond to identd
 requests from the IRC network if identd runs as root)
 line 4 same as line 3 if they match uid nobody (to respond to identd
 requests from the IRC network if identd falls back to nobody)
 line 5 will deny all tcp outgoing packets
 
 But the IRC network still could not get an ident response from my
 server. If I removed line 5, then the IRC network got the identd
 response. My identd process is:
 
 root 63932 0.0 0.1 3136 1028 ?? Ss 1:46AM 0:00.03
 /usr/local/sbin/oidentd -C /usr/local/etc/oidentd.conf
 
 Is there anything else that should be done to fix this problem?

The problem is that you're not allowing incoming connections to
personal_ip on TCP port 113 (ident/auth).  Add this rule:

/sbin/ipfw -q add 18680 allow tcp from personal_ip 113 to any out

You can also replace 113 with auth or ident if you want (see
/etc/services).

-- 
| Jeremy Chadwickjdc at parodius.com |
| Parodius Networking   http://www.parodius.com/ |
| UNIX Systems Administrator  Mountain View, CA, USA |
| Making life hard for others since 1977.  PGP: 4BD6C0CB |
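
As an added example (not code from the thread), the following Python model applies ipfw's first-match semantics to the exact rules quoted above; it handles only the syntax the thread uses, `<num> allow|deny tcp from <src> [<port>] to <dst> in|out [uid <user>]`, and the IRC host name, the sample packets and the open default at rule 65535 are assumptions.

```python
# Added example, not from the thread: a first-match model of the ipfw ruleset
# above, showing why the ident reply hits the deny at 18700 until 18680 is added.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    direction: str               # "in" or "out"
    uid: Optional[str] = None    # socket owner, when ipfw can associate one

def parse_rule(line: str) -> dict:
    """Parse one '/sbin/ipfw -q add ...' line (thread syntax only) into a dict."""
    tok = line.replace("/sbin/ipfw -q add", "").split()
    i = tok.index("to")          # a source port is the token just before "to"
    sport = int(tok[i - 1]) if tok[i - 2] != "from" else None
    return {"num": int(tok[0]), "action": tok[1], "src": tok[tok.index("from") + 1],
            "sport": sport, "dst": tok[i + 1], "dir": tok[i + 2],
            "uid": tok[tok.index("uid") + 1] if "uid" in tok else None}

def matches(rule: dict, p: Packet) -> bool:
    return (rule["src"] in ("any", p.src) and rule["dst"] in ("any", p.dst)
            and rule["dir"] == p.direction
            and rule["sport"] in (None, p.sport)
            and rule["uid"] in (None, p.uid))

def evaluate(rules_text: str, p: Packet) -> tuple:
    """ipfw semantics: try rules in ascending number order, first match wins."""
    rules = sorted(map(parse_rule, rules_text.strip().splitlines()),
                   key=lambda r: r["num"])
    for r in rules:
        if matches(r, p):
            return r["num"], r["action"]
    return 65535, "allow"    # assumption: later rules let unmatched traffic through

ORIGINAL = """
/sbin/ipfw -q add 18600 allow tcp from any to personal_ip in
/sbin/ipfw -q add 18650 allow tcp from personal_ip to any out uid kalpin
/sbin/ipfw -q add 18660 allow tcp from personal_ip to any out uid root
/sbin/ipfw -q add 18670 allow tcp from personal_ip to any out uid nobody
/sbin/ipfw -q add 18700 deny tcp from personal_ip to any out
"""
FIXED = ORIGINAL + "/sbin/ipfw -q add 18680 allow tcp from personal_ip 113 to any out\n"

# Constructed sample: the ident reply leaving port 113. The thread shows the uid
# rules did not catch it, modelled here as a packet with no matching uid.
IDENT_REPLY = Packet("personal_ip", 113, "irc.example.net", "out")
```

Running `evaluate(ORIGINAL, IDENT_REPLY)` and `evaluate(FIXED, IDENT_REPLY)` shows the reply stopping at 18700 before the fix and at 18680 after it.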



Re: IPFW UID match questions

2008-10-16 Thread Kalpin Erlangga Silaen

Jeremy Chadwick wrote:

The problem is that you're not allowing incoming connections to
personal_ip on TCP port 113 (ident/auth).  Add this rule:

/sbin/ipfw -q add 18680 allow tcp from personal_ip 113 to any out

You can also replace 113 with auth or ident if you want (see
/etc/services).
  

thank you very much. It's solved.

Regards,


Kalpin Erlangga Silaen



Re: I've just found a new and interesting spam source - legitimate bounce messages

2008-10-16 Thread Frank Shute
On Fri, Oct 17, 2008 at 09:59:17AM +1100, Edwin Groothuis wrote:

  In the last hour, I've received over 200 legitimate bounce messages
  from email services as a result of someone having used or worse is
  using my email address in spam from multiple windows machines and ip
  addresses.
 
 When this happens I enable the move all messages from mailer-daemon
 to /dev/null rules in procmail for a day or two. And curse at the
 people who originated the original spam...
 

I use a similar approach to Edward's.

My old domain used to get hammered with backscatter which basically I
had no choice but to accept. I was on a pop3 catch-all.

If I had a regular amount of backscatter (100), I'd accept it, then
pass it to procmail.

I found (I don't know if the OP did too) that the backscatter was
generally addressed to a non-existent user, so it was easy to write
rules to filter it out and send it to the bit-bucket.

I also found that the backscatter was commonly addressed to people
like frankn@ - close but no cigar. The following filtered out that
crap:

:0:
* ^To:\ [[EMAIL PROTECTED]
spam/new

:0:
* ^To:\ [EMAIL PROTECTED]
spam/new

In the worst case scenario, I'd find that I'd get thousands of
backscattered mails (the swine must have been sending millions of
messages purportedly coming from me).

In this case I'd just delete all my mail off the popserver with a
script. Yes, I might lose a few genuine emails but when I had
thousands of backscattered mails, they'd come in the space of a couple
of hours.

My ultimate sanction was eventually getting a new domain (I know it's
admitting defeat).

I now find that I get very little backscatter on my old domain and I
haven't had a mass mailing effort from it for some time.

Best of luck!

Regards,

-- 

 Frank 


 Contact info: http://www.shute.org.uk/misc/contact.html 
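
As an added example (not Frank's procmail recipes, nor any code from the thread), the following Python sorter applies the same two ideas: mail whose To: local part is not a real mailbox on the domain is sorted to spam/new, and during a storm bounces from MAILER-DAEMON go to /dev/null, as Edwin described. The domain, mailbox list and sample messages are constructed.

```python
# Added example, not from the thread: a backscatter sorter in the spirit of the
# procmail recipes above. Domain, mailboxes and messages are constructed.
from email import message_from_string
from email.utils import getaddresses

DOMAIN = "old-domain.example"            # constructed stand-in for the old domain
VALID_LOCAL_PARTS = {"frank", "postmaster"}

def is_bounce(msg) -> bool:
    """Bounces come from MAILER-DAEMON or carry an empty envelope sender."""
    sender = (msg.get("Return-Path") or msg.get("From") or "").lower()
    return sender in ("<>", "") or "mailer-daemon" in sender

def addressed_to_real_user(msg) -> bool:
    """True if at least one To:/Cc: recipient is a real mailbox on DOMAIN."""
    for _name, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", [])):
        local, _, dom = addr.lower().rpartition("@")
        if dom == DOMAIN and local in VALID_LOCAL_PARTS:
            return True
    return False

def route(raw: str, storm: bool = False) -> str:
    """Return the delivery target, mirroring a procmail recipe chain."""
    msg = message_from_string(raw)
    if storm and is_bounce(msg):
        return "/dev/null"               # Edwin's storm-time rule
    if not addressed_to_real_user(msg):
        return "spam/new"                # near misses such as frankn@, as above
    return "inbox"

# Constructed sample messages
NEAR_MISS = ("From: MAILER-DAEMON@relay.example\nTo: <frankn@old-domain.example>\n"
             "Subject: Undelivered Mail\n\nbody\n")
GENUINE = ("From: alice@example.org\nTo: Frank <frank@old-domain.example>\n"
           "Subject: hi\n\nbody\n")
BOUNCE_TO_ME = ("Return-Path: <>\nFrom: MAILER-DAEMON@mx.example\n"
                "To: frank@old-domain.example\nSubject: Undelivered Mail\n\nbody\n")
```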
