Re: Security report question

2007-09-30 Thread Ian Smith
On Sun, 30 Sep 2007 09:41:00 -0700 Kurt Buff <[EMAIL PROTECTED]> wrote:
 > On 9/30/07, Chuck Swiger <[EMAIL PROTECTED]> wrote:
 > > Kurt Buff wrote:
 > > [ ... ]
 > > > +Limiting closed port RST response from 283 to 200 packets/sec
 > > >
 > > > I don't know what this means, though I suspect it could mean that I'm
 > > > being port scanned. Is this a reasonable guess?
 > >
 > > Yes.  It could also be something beating really hard on a single closed 
 > > port, too.
 > >
 > > --
 > > -Chuck
 > 
 > Thanks. This, coupled with some invalid SSH login attempts from a
 > known user, has made me quite suspicious. I think, though, that this
 > is all that I can call it at this point - suspicious.
 > 
 > Anything further I could turn up to monitor/log what's going on?

It may help in spotting unwanted stuff getting past your firewall,
to either add to /etc/rc.conf:
 log_in_vain="1"

or (coming to the same thing) add to /etc/sysctl.conf:
 net.inet.tcp.log_in_vain=1
 net.inet.udp.log_in_vain=1

You can set the latter two sysctls immediately, of course.

Cheers, Ian

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: php failing to produce phpinfo()

2007-09-30 Thread Ian Smith
On Sun, 30 Sep 2007 13:52:58 -0600 bob <[EMAIL PROTECTED]> wrote:
 > My business has been using PHP for years.  Mysql outputs to my browser, 
 > where I can print invoices, bills and any business statistic.
 > 
 > Suddenly, my browser started acting funny.  I don't know how to use the 
 > repair disk to fix a problem, so I reinstalled FreeBSD-6.1.  It still 
 > works the same except I can't get phpinfo() to display in the browser.  
 > I can do php -i, which displays several pages of PHP code.  That means 
 > PHP is working.  I don't use CGI or PHP scripts.  If phpinfo() doesn't 
 > show up in my browser, I can't do anything.
 > 
 > The following is in /usr/local/etc/apache/httpd.conf:
 > 
 >  LoadModule php5_module

LoadModule php5_module libexec/apache/libphp5.so

 >  AddModule mod_php5.c
 >  DirectoryIndex index.php index.html
 >  DirectoryIndex index.html

Last match wins: remove latter DirectoryIndex to have index.php work.

 >  AddType application/x-httpd-php .php
 >  AddType application/x-httpd-php-source .phps
 > 
 > The httpd.error.log doesn't show any problems.  There are 35 modules in 
 > /usr/local/libexec/apache including libphp5.so and httpd.exp.  Php.ini 
 > is installed at /usr/local/lib

php.ini (from the default php5 port) installs in /usr/local/etc:

paqi% ll -rt /usr/local/etc/|grep php
-r--r--r--  1 root   wheel   39243 May  5  2006 php.ini.php4.05May06
drwxr-xr-x  2 root   wheel 512 Dec 17  2006 php
-rw-r--r--  1 root   wheel   27669 Dec 17  2006 diff_php.ini.4vs5rec
-r--r--r--  1 root   wheel   46221 Dec 18  2006 php.ini-recommended
-r--r--r--  1 root   wheel   42919 Dec 18  2006 php.ini-dist
-r--r--r--  1 root   wheel  49 Dec 18  2006 php.conf
-r--r--r--  1 root   wheel   43278 Dec 19  2006 php.ini

 > This time I installed mysql-5.1, apache-1.3 and PHP-5.1.  I used 
 > "pkg_add -r" to install apache and mysql.  Apache and mysql work 
 > excellent.  I installed PHP from www.php.net. Both PHP4 and PHP5 would 
 > fail to load the phpinfo() file. I installed PHP-5.1 from the ports 
 > directory.  Same problem.   I ordered FreeBSD-6.1, before it was 
 > available.  The FreeBSD Mall had it, but wasn't promoting it yet.
 > 
 > About 2 years ago when I first installed FreeBSD-6.1, I installed 
 > mysql-4.0, PHP-4 and apache-1.3 on FreeBSD-6.1.  I used "pkg_add -r" to 
 > install apache and mysql and I downloaded PHP-4 from www.php.net.  
 > Everything worked, including PHP.  Two years ago, www.php.net was 
 > supplying any version of PHP including older versions of PHP-4.  I 
 > installed  older versions because they worked.
 > Now www.php.net only supplies the latest version.

The php5 port applies heaps of patches to the php.net sources; I think
you'll save yourself lots of grief by using the port.

I suggest (saving configs and) uninstalling php, then install it from
lang/php5.  Assuming your ports tree is up to date - and it had probably
better be regarding dependencies - then install php5 (5.2.something).

Make sure to set the apache module on (it's turned off by default, for
some bizarre reason, so pkg_add -r php5* is broken), by running make
config first, though the options screen should come up on the initial
install anyway.  You may want to install lang/php5-extensions too .. 

Cheers, Ian



Re: determining the space used in / partition

2007-10-02 Thread Ian Smith
On Tue, 2 Oct 2007 08:03:00 +0200 Zbigniew Szalbot <[EMAIL PROTECTED]> wrote:
 > 2007/10/2, Duane Hill <[EMAIL PROTECTED]>:
 > > On Tue, 2 Oct 2007 at 07:36 +0200, [EMAIL PROTECTED] confabulated:
 [..]
 > > > For the record. During the backup, the file system is dumped to a dir
 > > > on a USB drive called backup. Now, since the drive was unavailable,
 > > > the dump utility created /backup dir and populated it with
 > > > lists-var-l0-2007-09-30.dump.bz2 (dumping var) but of course it died
 > > > as there was not enough space on the / to do it. I mean this is what I
 > > > make of this.
 > > >
 > > > So after deleting /backup I get:
 > > > df
 > > > Filesystem  1K-blocks     Used    Avail Capacity  Mounted on
 > > > /dev/ad0s1a    198126    74084   108192    41%    /
 > > > devfs               1        1        0   100%    /dev
 > > > /dev/ad0s1e  44511308  4217760 36732644    10%    /usr
 > > > /dev/ad0s1d  30462636  3210650 24814976    11%    /var
 > > > devfs               1        1        0   100%    /var/named/dev
 > > > /dev/da0s1c  75685352 34308200 35322324    49%    /mnt/usbck
 > >
 > > I'm still learning about all the little details about the  workings of
 > > dump myself. It would seem to me, you are dumping to /backup which is the
 > > mount point for the USB device. Would that hold true?
 > 
 > I dump to /mnt/usbck/backup. Since backup dir was not present, the
 > script created it under /

Naughty script.  It should check against doing something like that, eg
[ ! -d $backupdir ] && echo "no $backupdir - not mounted?" && exit 1

You do have a very small root filesystem for the size of your disk, so
similar disasters may need some preventing.  Something will want to use
more than 100M in /tmp sometime, so you may want to symlink /tmp to say
/usr/tmp if you haven't already.

Re hunting for 'missing' diskspace on / (or any other mounted fs), the
-x switch prevents du from crossing mountpoints, so something like .. 

# du -x -d1 / | sort -rn
146341  /
72306   /boot
49252   /root
7262    /rescue
4062    /sbin
3278    /lib
2356    /stand
2266    /etc
2114    /etc.old
2112    /etc.old.0
984     /bin
282     /libexec
8       /flash
2       /var
2       /usr
2       /usbdsk
[..]

.. takes next to no time on a small /.

Cheers, Ian

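The check Ian describes, as an added example that is not the poster's script: refuse to dump unless the target directory already exists and sits on the expected mounted filesystem, so a missing USB disk can never turn into a dump landing on a small /. The paths, the host name "lists", the date and the free-space threshold are assumptions.

```python
"""Refuse to dump unless the target really is the mounted backup disk.

Constructed example for the thread above, not the poster's script.  It
guards against exactly that failure: the USB disk is not mounted, the
script creates the backup directory on / and dump(8) then fills the small
root filesystem.  Paths, the date and the free-space figure are assumptions.
"""
import os
import shutil
import sys


def mount_point_of(path):
    """Walk upwards until os.path.ismount() is true: what df's last column shows."""
    path = os.path.realpath(path)
    while not os.path.ismount(path):
        parent = os.path.dirname(path)
        if parent == path:          # reached the root without a match
            break
        path = parent
    return path


def check_backup_target(target_dir, expected_mount, min_free_mb=0):
    """Return (ok, reason) for dumping into target_dir.

    Never creates target_dir: if it is missing, the backup disk is most
    likely not mounted and mkdir would place the dump on the parent fs.
    """
    if not os.path.isdir(target_dir):
        return False, f"no {target_dir} - not mounted?"
    actual = mount_point_of(target_dir)
    expected = os.path.realpath(expected_mount)
    if actual != expected:
        return False, (f"{target_dir} lives on {actual}, not {expected}: "
                       "backup disk not mounted, refusing to dump onto it")
    free_mb = shutil.disk_usage(target_dir).free // (1024 * 1024)
    if free_mb < min_free_mb:
        return False, f"only {free_mb} MB free on {actual}, need {min_free_mb} MB"
    return True, f"{target_dir} is on {actual} with {free_mb} MB free"


def dump_command(filesystem, level, target_dir, stamp, host="lists"):
    """Shell pipeline in the spirit of the thread's lists-var-l0-DATE.dump.bz2.

    Assumed layout: dump(8) level N of FILESYSTEM to stdout, bzip2 into
    HOST-FS-lN-STAMP.dump.bz2 under target_dir.  Only built here, not run.
    """
    name = f"{host}-{filesystem.strip('/') or 'root'}-l{level}-{stamp}.dump.bz2"
    path = os.path.join(target_dir, name)
    return f"dump -{level} -L -a -u -f - {filesystem} | bzip2 -c > {path}"


if __name__ == "__main__":
    # Assumed invocation: backup.py /mnt/usbck/backup /mnt/usbck
    target = sys.argv[1] if len(sys.argv) > 1 else "/mnt/usbck/backup"
    mount = sys.argv[2] if len(sys.argv) > 2 else "/mnt/usbck"
    ok, why = check_backup_target(target, mount, min_free_mb=512)
    print(why)
    if not ok:
        sys.exit(1)
    print(dump_command("/var", 0, target, "2007-09-30"))
```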


Re: FreeBsd e-mail question

2007-10-03 Thread Ian Smith
On Wed, 3 Oct 2007 16:30:54 -0400 Lisa Casey <[EMAIL PROTECTED]> wrote:

 > The problem comes in when a customer cancels his account. We remove users by 
 > rmuser username. That command removes the user from the password file, 
 > removes his home directory and removes the mailspool. What it doesn't do is 
 > to remove the .username.pop file associated with that mailbox. This isn't a 
 > problem unless we add another account with the same username. The new 
 > account cannot pop his mail because he gets the following error message:
 > 
 > -ERR [SYS/PERM] Temporary drop /var/mail/.jjvc.pop not owned by jjvc.
 > 
 > If I take a look at /var/mail/.jjvc.pop it isn't owned by anyone, the 
 > ownership of the file is the group number of the original jjvc.
 > 
 > -rw-rw   1 1473 mail 0 Sep 11 19:15 .jjvc.pop
 > 
 > Is there any way to have rmuser remove the mail drop file associated with 
 > that account also, or am I just going to have to remove these manually?

I've read this whole thread, and what's strange is that this used to
work.  I just checked our old FreeBSD 2.2.6 system where rmuser always
cleaned up /var/mail/.{$user}.pop properly.  Its /usr/sbin/rmuser had: 

    # Remove some pop daemon's leftover file
    $file = "$mail_dir/.${login_name}.pop";
    if (-e $file || -l $file) {
        print STDERR "Removing pop daemon's temporary mail file ${file}:";
        unlink $file ||
            print STDERR "\n${whoami}: Warning: unlink on $file failed ($!) - continuing\n";
        print STDERR " done.\n";
    }

So I wonder whether it's a bug - or maybe a later popper update? - that
has the present version of rmuser looking for ${MAILSPOOL}/${login}.pop
instead?

Cheers, Ian



Re: FreeBsd e-mail question

2007-10-04 Thread Ian Smith
On Thu, 4 Oct 2007, Erik Trulsson wrote:
 > On Thu, Oct 04, 2007 at 04:56:35PM +1000, Ian Smith wrote:
 > > On Wed, 3 Oct 2007 16:30:54 -0400 Lisa Casey <[EMAIL PROTECTED]> wrote:
 > > 
 > >  > The problem comes in when a customer cancels his account. We remove 
 > > users by 
 > >  > rmuser username. That command removes the user from the password file, 
 > >  > removes his home directory and removes the mailspool. What it doesn't 
 > > do is 
 > >  > to remove the .username.pop file associated with that mailbox. This 
 > > isn't a 
 > >  > problem unless we add another account with the same username. The new 
 > >  > account cannot pop his mail because he gets the following error message:
 > >  > 
 > >  > -ERR [SYS/PERM] Temporary drop /var/mail/.jjvc.pop not owned by jjvc.
 > >  > 
 > >  > If I take a look at /var/mail/.jjvc.pop it isn't owned by anyone, the 
 > >  > ownership of the file is the group number of the original jjvc.
 > >  > 
 > >  > -rw-rw   1 1473 mail 0 Sep 11 19:15 .jjvc.pop
 > >  > 
 > >  > Is there any way to have rmuser remove the mail drop file associated 
 > > with 
 > >  > that account also, or am I just going to have to remove these manually?
 > > 
 > > I've read this whole thread, and what's strange is that this used to
 > > work.  I just checked our old FreeBSD 2.2.6 system where rmuser always
 > > cleaned up /var/mail/.{$user}.pop properly.  Its /usr/sbin/rmuser had: 
 > > 
 > >     # Remove some pop daemon's leftover file
 > >     $file = "$mail_dir/.${login_name}.pop";
 > >     if (-e $file || -l $file) {
 > >         print STDERR "Removing pop daemon's temporary mail file ${file}:";
 > >         unlink $file ||
 > >             print STDERR "\n${whoami}: Warning: unlink on $file failed ($!) - continuing\n";
 > >         print STDERR " done.\n";
 > >     }
 > > 
 > > So I wonder whether it's a bug - or maybe a later popper update? - that
 > > has the present version of rmuser looking for ${MAILSPOOL}/${login}.pop
 > > instead?
 > 
 > As far as I can tell the change was introduced back in 2002 when rmuser was
 > changed from a Perl program into a shell script - presumably as part of the
 > process of removing Perl from the base system.
 > FreeBSD versions 2.2 - 4.11 used the Perl version of rmuser, while all
 > 5.x and 6.x releases have used the shell script version.
 > 
 > I have no idea if the difference - if the file rmuser looks for has a leading
 > '.' in the filename or not - was deliberate or simply a mistake, but I
 > suspect the latter: it is the kind of thing that is very easy to miss when
 > rewriting a program in another language.

Looks like that's exactly right.  Copying the maintainer and suggesting
the no-brain patch, pardon the broken tabs from pasting, against the
head / stable versions (checked) .. I should sendPR I guess .. time!

Cheers, Ian

--- /usr/sbin/rmuserSat Mar  3 16:48:29 2007
+++ /home/smithi/rmuser Fri Oct  5 00:30:51 2007
@@ -86,10 +86,10 @@
echo -n " mailspool"
rm ${MAILSPOOL}/$login
fi
-   if [ -f ${MAILSPOOL}/${login}.pop ]; then
-   verbose && echo -n " ${MAILSPOOL}/${login}.pop" ||
+   if [ -f ${MAILSPOOL}/.${login}.pop ]; then
+   verbose && echo -n " ${MAILSPOOL}/.${login}.pop" ||
echo -n " pop3"
-   rm ${MAILSPOOL}/${login}.pop
+   rm ${MAILSPOOL}/.${login}.pop
fi
verbose && echo '.'
 }
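Review bot: the `[ -f ${MAILSPOOL}/.${login}.pop ]` test in the changed `if` line only matches a regular file, whereas the Perl version quoted earlier in the thread removed the drop when `-e $file || -l $file`, so a dangling symlink left at `.${login}.pop` would still survive rmuser; `if [ -f "${MAILSPOOL}/.${login}.pop" -o -L "${MAILSPOOL}/.${login}.pop" ]; then` keeps the old behaviour, and quoting the expansions in both the test and the `rm` line avoids surprises should MAILSPOOL ever contain whitespace.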



Re: Odd PF Denied Message

2007-10-19 Thread Ian Smith
On Fri, 19 Oct 2007, Nikos Vassiliadis wrote:
 > On Friday 19 October 2007 07:06:35 Ian Smith wrote:
 > > On Thu, 18 Oct 2007 19:36:27 +0300 Nikos Vassiliadis wrote:
 ..
 > >  > I think log_in_vain can be used when configuring a firewall.
 > >  > Just to see quickly if your firewall works as expected and
 > >  > then turn it off. Otherwise it is just going to create tons
 > >  > of irrelevant log messages.
 > >
 > > On the contrary .. if your firewall is working correctly, you shouldn't
 > > ever be seeing connection attempts to non-listening ports, especially
 > > from outside. 
 > 
 > Hey, we are saying the same thing, aren't we?

Well, not exactly :) but I don't think we have any serious disagreement.

 > > log_in_vain messages indicate some attention is needed, 
 > > either to block or reset those connections, or to provide a listener :)
 > > so removing log_in_vain (shooting the messenger) may not be a good idea.
 > 
 > Hm, almost the same thing. I tend to disagree with this. I prefer
 > log_in_vain off because usually a server will live in a DMZ. And
 > most of the time we do not bother running local firewalls on each
 > server and some will say it's wrong to do firewalling on each/a server.

Some will.  And some run only one server, and must be extra paranoid :)

 > Just one firewall protecting the DMZ. Other computing systems
 > living in the DMZ can cause noise, irrelevant log messages.
 > I remember a case where delayed replies from the DNS server were
 > logged by the kernel creating noise and bloating the logs.
 > Of course YMMV...
 > 
 > But we basically say the same thing... Use log_in_vain to see what
 > passes your firewall and "touches" your servers. I prefer to turn
 > it off afterwards, Ian prefers to leave it on.

Fair enough.  I don't see any harm in leaving it on, as I tend to pay
attention to any 'irrelevant' messages and fix the source of them, and
if something slips by the firewall I want to know about it.  Sometimes
that means such as delayed responses from DNS being logged, it's true.

In Michael's case in point it did indicate a problem though, or at least
a deficiency in the lack of handling ident requests.  As you say, YMMV.

Cheers, Ian



Re: Odd PF Denied Message

2007-10-18 Thread Ian Smith
On Thu, 18 Oct 2007 19:36:27 +0300 Nikos Vassiliadis wrote:
 > On Thursday 18 October 2007 18:39:56 Michael K. Smith - Adhost wrote:
 > > Thank you for the clue!  We are using log in vain as part of our
 > > security logging for this particular box, but this is the only message
 > > I've ever seen so I'm not sure it's really needed.
 > 
 > It must be a local program trying to connect to ident.

Yes, quite likely sendmail sending daily etc reports?  You can either
run a (real or fake) ident daemon (see inetd.conf), or have the firewall
reset (not drop) such connections, avoiding sendmail(ono) delays waiting
for a response.  If running a mailserver, this applies to outside too. 

 > Probably nothing to worry about. I would check which is
 > this program though. If that's the only message you get
 > you must be protected, at least packet_filtering-wise.
 >
 > I think log_in_vain can be used when configuring a firewall.
 > Just to see quickly if your firewall works as expected and
 > then turn it off. Otherwise it is just going to create tons
 > of irrelevant log messages.

On the contrary .. if your firewall is working correctly, you shouldn't
ever be seeing connection attempts to non-listening ports, especially
from outside.  log_in_vain messages indicate some attention is needed,
either to block or reset those connections, or to provide a listener :) 
so removing log_in_vain (shooting the messenger) may not be a good idea.

Cheers, Ian

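A triage script for the log_in_vain messages discussed in this thread and in the "Security report question" thread above, added here as an example rather than code from either thread. It assumes the kernel message layout shown in its docstring; the LOCAL_NETS ranges, the scan threshold and the sample log lines are constructed.

```python
"""Triage FreeBSD log_in_vain kernel messages (constructed example).

Assumed layout, as logged with net.inet.{tcp,udp}.log_in_vain=1:
  Connection attempt to TCP 203.0.113.5:22 from 198.51.100.7:51234 flags:0x02
  Connection attempt to UDP 203.0.113.5:1027 from 198.51.100.20:53
plus the "Limiting closed port RST response from N to M packets/sec" line.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

VAIN_RE = re.compile(r"Connection attempt to (?P<proto>TCP|UDP) "
                     r"[\d.]+:(?P<dport>\d+) from (?P<src>[\d.]+):(?P<sport>\d+)")
RST_LIMIT_RE = re.compile(r"Limiting closed port RST response from (\d+) to (\d+)")

# Ranges treated as "our side" of the firewall (assumption; edit to taste).
# Loopback is always local: a hit from 127.0.0.1 is a program on this host.
LOCAL_NETS = [ip_network("127.0.0.0/8"), ip_network("192.168.0.0/16")]

# Advice for closed ports the threads above discuss.
PORT_HINTS = {113: "ident: run a (real or fake) identd via inetd, or reset rather than drop"}

# Constructed sample: a multi-port probe that trips the RST limiter, a local
# ident lookup (sendmail-style), and a late DNS reply.  Addresses are RFC 5737.
SAMPLE_LOG = """\
Sep 30 09:40:58 gw kernel: Connection attempt to TCP 203.0.113.5:21 from 198.51.100.7:40001 flags:0x02
Sep 30 09:40:58 gw kernel: Connection attempt to TCP 203.0.113.5:23 from 198.51.100.7:40002 flags:0x02
Sep 30 09:40:58 gw kernel: Connection attempt to TCP 203.0.113.5:25 from 198.51.100.7:40003 flags:0x02
Sep 30 09:40:59 gw kernel: Connection attempt to TCP 203.0.113.5:110 from 198.51.100.7:40004 flags:0x02
Sep 30 09:40:59 gw kernel: Connection attempt to TCP 203.0.113.5:143 from 198.51.100.7:40005 flags:0x02
Sep 30 09:41:00 gw kernel: Limiting closed port RST response from 283 to 200 packets/sec
Sep 30 09:41:07 gw kernel: Connection attempt to TCP 127.0.0.1:113 from 127.0.0.1:55120 flags:0x02
Sep 30 09:41:09 gw kernel: Connection attempt to UDP 203.0.113.5:1027 from 198.51.100.20:53
"""


def parse_line(line):
    """Return a dict for a log_in_vain or RST-limiter line, else None."""
    m = VAIN_RE.search(line)
    if m:
        return {"kind": "vain", "proto": m["proto"], "src": m["src"],
                "dport": int(m["dport"]), "sport": int(m["sport"])}
    m = RST_LIMIT_RE.search(line)
    if m:
        return {"kind": "rstlimit", "seen": int(m[1]), "cap": int(m[2])}
    return None


def is_local(addr):
    return any(ip_address(addr) in net for net in LOCAL_NETS)


def classify(src, records, scan_ports):
    """records: list of (proto, dport, sport) tuples seen from src."""
    if is_local(src):
        # A local process hitting a closed local port is a missing
        # listener (typically ident), not an intruder.
        return "local-missing-listener"
    if len({(p, d) for p, d, _ in records}) >= scan_ports:
        # One outside host touching many closed ports: needs attention.
        return "scan-like"
    if all(p == "UDP" and s == 53 for p, _, s in records):
        # A DNS server answering after our resolver gave up: noise, as
        # Nikos describes, not something the firewall let through.
        return "late-dns-reply"
    return "external-probe"


def triage(lines, scan_ports=5):
    """Group log_in_vain hits by source address and label each source.

    Returns (findings, rst_events): findings maps source -> {"category",
    "ports", "hits", "hints"}; rst_events lists (rate_seen, cap) pairs.
    """
    per_src, rst_events = defaultdict(list), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "rstlimit":
            rst_events.append((rec["seen"], rec["cap"]))
        else:
            per_src[rec["src"]].append((rec["proto"], rec["dport"], rec["sport"]))
    findings = {}
    for src, records in per_src.items():
        ports = sorted({d for _, d, _ in records})
        findings[src] = {"category": classify(src, records, scan_ports),
                         "ports": ports, "hits": len(records),
                         "hints": [PORT_HINTS[p] for p in ports if p in PORT_HINTS]}
    return findings, rst_events


if __name__ == "__main__":
    found, rst = triage(SAMPLE_LOG.splitlines())
    for src, info in sorted(found.items()):
        print(f"{src:16} {info['category']:24} hits={info['hits']} ports={info['ports']}")
        for hint in info["hints"]:
            print(f"{'':16} note: {hint}")
    for seen, cap in rst:
        print(f"RST limiter engaged: {seen} closed-port hits/sec, capped at {cap}")
```

Feed it `grep 'Connection attempt' /var/log/messages` to get the per-source picture rather than the raw stream.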


Re: USB->Serial adapter, how to make /dev/cuad* appear?

2007-10-23 Thread Ian Smith
On Tue, 23 Oct 2007 18:06:08 +0200 Benjamin Lutz <[EMAIL PROTECTED]> wrote:

 > I've bought an USB->Serial adapter in order to use an old serial 33.6k 
 > modem. I've loaded the uplcom and ucom modules, but am unsure how to 
 > proceed from here.
 > 
 > The system runs FreeBSD 6.2-RELEASE-p8. When connecting the adapter, 
 > dmesg says:
 > 
 >   ucom0: Prolific Technology Inc. USB-Serial Controller D, rev 
 >   1.10/4.00, addr 3
 > 
 > usbdevs -v says:
 > 
 >   port 6 addr 3: full speed, power 100 mA, config 1, USB-Serial
 >   Controller D(0x2303), Prolific Technology Inc.(0x067b), rev 4.00
 > 
 > I'd expect some device to show up in /dev, cuad1, ucom0, something like 
 > that, but I get nothing. (cuad0 is taken by the onboard serial port, 
 > which, alas, isn't wired to the outside of the case).

Perhaps you need to load umodem(4) also?

Cheers, Ian



Re: 7.0 and 6.3

2007-10-24 Thread Ian Smith
On Wed, 24 Oct 2007 09:17:12 +0200 Kris Kennaway <[EMAIL PROTECTED]>
 > David J Brooks wrote:
 > > Bill Moran wrote:
 > >> Note also that a ports freeze is starting soon for 7.0 and 6.3 release.
 > > 
 > > What are the differences between 6.3 and 7.0? Which should be considered 
 > > the 
 > > standard upgrade path from 6.2 release? Is there a compelling reason to 
 > > upgrade to one over the other?
 > 
 > 7.0 is the recommended choice; 6.3 is only for people who cannot update 
 > to the new branch yet.
 > 
 > http://people.freebsd.org/~kris/scaling/7.0%20Preview.pdf

Very nice at 2x.  I particularly enjoyed pp 17 & 18 ..

Cheers, Ian



Re: ipfw rule question ... all possible interfaces ?

2007-11-05 Thread Ian Smith
On Mon, 5 Nov 2007 00:22:00 + RW <[EMAIL PROTECTED]> wrote:
 > On Sun, 4 Nov 2007 16:10:12 -0800 (PST)
 > Juri Mianovich <[EMAIL PROTECTED]> wrote:
 > 
 > > 
 > > Is there a way to tell ipfw:
 > > 
 > > "all interfaces currently configured on this system" ?
 > > 
 > >...
 > > 
 > > So if I have a rule like:
 > > 
 > > allow ip from any to any via iwi0
 > >
 > 
 > You don't have to use "via" in a rule.

That's true, though you can also specify 'via any'.  Whether either is
actually a good idea for the case in question may be another matter .. 

Cheers, Ian



Re: IPFW show format question...

2007-11-09 Thread Ian Smith
On Tue, 6 Nov 2007 Eric F Crist <[EMAIL PROTECTED]> wrote:
 > So, everything I've read says that ipfw show displays rule number,  
 > packets caught, bytes matched, and rule.  The problem I'm having is  
 > that it seems that the bytes, at least on some rules, is way out of  
 > whack.  I'm capturing this data for cacti, and trying to display  
 > accumulated ipfw traffic.
 > 
 > If I zero my counters and download a file via FTP, the downloaded  
 > sizes don't even compare.  61MB into the download, if I convert the  
 > ipfw show from the supposed bytes into MB, it says I've downloaded  
 > 155MB.

Catching up on a few days' digests, and seeing no one else having a go:

It helps to show rather than tell about your rules, but I'll guess that
you're not distinguishing between inbound and outbound traffic, ie your
rules are counting packets both on the way in (pass 1) and out (pass 2).

Eg allowing traffic using 'via' (qualified neither by 'in' nor 'out') 
allows (so, counts) a packet on both passes .. as may stateful rules.

Separate counts before allowing traffic can be best for accounting, eg

 add $n1 count ip from $outthere to $inhere in recv $some_if
 add $n2 count ip from $inhere to $outthere out xmit $some_if
 [..]
 add allow $whatever ..

HTH, Ian

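An added example, not code from the thread, that reads `ipfw show` output and flags pass/count rules qualified by neither `in` nor `out`, which is the double counting Ian suspects; the sample counters and the column layout it assumes are constructed.

```python
"""Audit 'ipfw show' counters for double counting (constructed example).

Not code from the thread.  Assumed output layout of ipfw show:
  <rule> <packets> <bytes> <rule body>
A rule qualified by neither 'in' nor 'out' (e.g. one using only 'via', or
no interface at all) matches a forwarded packet on both passes, so its byte
counter runs at roughly twice the traffic; separate 'in recv' / 'out xmit'
count rules placed before the allow give clean per-direction totals.
"""
import re

SHOW_RE = re.compile(r"^\s*(?P<rule>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<body>\S.*?)\s*$")
PASS_ACTIONS = {"allow", "accept", "pass", "permit", "count"}

# Constructed counters: a 61 MB download plus its ACKs, seen once each by
# the direction-qualified count rules and twice by the unqualified allow.
SAMPLE_SHOW = """\
00100      44220   61023412 count ip from any to 192.168.1.0/24 in recv fxp0
00110      31010    3100200 count ip from 192.168.1.0/24 to any out xmit fxp0
00200     150460  128247224 allow ip from any to any
00300          0          0 allow ip from any to any via lo0
65535          3        180 deny ip from any to any
"""


def parse_ipfw_show(text):
    """Parse 'ipfw show' lines into dicts; lines that do not fit are skipped."""
    rules = []
    for line in text.splitlines():
        m = SHOW_RE.match(line)
        if m:
            rules.append({"rule": int(m["rule"]), "pkts": int(m["pkts"]),
                          "bytes": int(m["bytes"]), "body": m["body"]})
    return rules


def direction(body):
    """'in', 'out', or None when the rule carries no direction keyword."""
    tokens = body.split()
    if "in" in tokens:
        return "in"
    if "out" in tokens:
        return "out"
    return None


def audit(rules):
    """Flag pass/count rules that match both passes; total the clean counters."""
    report = {"double_counted": [], "count_in_bytes": 0, "count_out_bytes": 0}
    for r in rules:
        action = r["body"].split()[0]
        d = direction(r["body"])
        if action in PASS_ACTIONS and d is None:
            report["double_counted"].append(r["rule"])
        if action == "count" and d == "in":
            report["count_in_bytes"] += r["bytes"]
        elif action == "count" and d == "out":
            report["count_out_bytes"] += r["bytes"]
    return report


if __name__ == "__main__":
    rep = audit(parse_ipfw_show(SAMPLE_SHOW))
    mb = 1024 * 1024
    print(f"clean counters: in {rep['count_in_bytes'] / mb:.1f} MB, "
          f"out {rep['count_out_bytes'] / mb:.1f} MB")
    for num in rep["double_counted"]:
        print(f"rule {num:5} has neither 'in' nor 'out': counts both passes")
```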


Re: OT: Looking for some inspiration with UPS setup

2007-11-10 Thread Ian Smith
On Fri, 09 Nov 2007 16:33:34 + Christopher Key <[EMAIL PROTECTED]> wrote:

 > I've a FreeBSD fileserver, a solid state router (Linksys box running 
 > OpenWRT) and a couple of gigabit switches that I'd like to move onto a 
 > UPS (I'm primarily looking at the APC Smart-UPS line).
 > 
 > The requirements for the FreeBSD system are pretty simple, it's not 
 > likely to be of any use if the power's out, so after a few minutes to 
 > allow any files open over the network to be saved, it should perform an 
 > orderly shutdown and remain off until the power returns.  However, the 
 > router is a little different.  It maintains some state information in 
 > RAM (dhcp leases etc) that I'd prefer not to lose during a short power 
 > outage, and it would also be useful to retain internet access, so 
 > ideally I'd like the router and switches to stay up for as long as the 
 > battery lasts in the UPS.
 > 
 > Space and budget are limited, so ideally I'd like to achieve all this 
 > with a single UPS, which is where the problems arise.  As I understand 
 > it, when the UPS wants to wake the attached machines up, it power cycles 
 > its output.  This however will reset the router, which was what I was 
 > hoping to avoid.

Looking at the relative power requirements, I suspect your Linksys WRT
box would likely draw 12W max and perhaps a good deal less (check its
specs or measure it) whereas your server + switches might draw 10 times
that, even without a monitor staying on.  (P-166 or 3GHz quad-core? :)

Given you're using a main UPS that needs to cycle power to restart your
server (presumably powered off by 'shutdown -p +1 message for syslog'
ONO after several minutes running on UPS battery) then using a tiny UPS
to run your router separately makes good sense. 

Have a look at, for example, http://phk.freebsd.dk/soekris/ups/ which
supplies 12V for a Soekris 4501/4801 but could easily be adapted if the
Linksys isn't happy with 12VDC input.  A 12Ah SLA battery could run the
Soekris at 6W (.5A) for maybe 20 hrs.  The 250/12VAC transformer needed
is likely in a nearby junkbox as a plugpak for some external modem, or
you could use many 12-15VDC @1A unregulated supplies, which include the
transformer and the first rectifier .. even more old modems used these.

Meanwhile your larger (3-500VA?) UPS can look after your server etc.

 > I've thought around the problem for some time, but not come up with any 
 > convincing solutions:
 > 
 > 1) Use some sort of WOL command from the router to the FreeBSD system 
 > rather than having the UPS power cycle its output.  How does the router 
 > know the power's returned?  Can the UPS be set not to power cycle its 
 > power output when the power returns?

No idea about the former, and I don't know if OpenWRT could be made to
listen to the UPS and act on it - anything's possible I guess - but if
the UPS is still running when power returns, it has to cycle power to
wake up the server somehow, or you need some sort of external switching.

 > 2) Use a second cheap UPS to 'protect' the router whilst the primary UPS 
 > cycles its power output.  This seems rather crude, and would presumably 
 > reduce the battery life of the primary UPS due the losses in the second UPS.

As above .. if the second UPS is small, it will be relatively efficient
for its load, and can be run from the mains rather than the primary UPS. 
Anything bigger than 12Ah (or even 7Ah) for the router UPS is overkill,
and it's more efficient to run the router on DC than its plugpak anyway.

 > 3) Have the UPS wake the PC via some other means.  USB would seem to 
 > ideal choice, but the motherboard won't do a wake on USB from S5, and 
 > I'm can't find a UPS with an ethernet interface.

Some older laptops, at least, were reputed to do wake-on-serial input,
but I'm not sure if that would work with (serial) UPS wiring or not.

 > 4) KISS.  Buy two smaller, cheaper UPS units.

Or buy one, get one (nearly) free from the junkbox and a few bits from
the local electronics store.  Coopt a friendly engineering student if
you're wary about the bit of soldering or choosing components. 

Generally: don't shutdown your server too soon .. I don't know about
your situation, but here at least most blackouts, brownouts and surges
last just a few seconds, sometimes short enough to reset server A while
server B sails through, but outages more than a few minutes are much
rarer (and are then likely to last perhaps hours).  Sometimes power will
come back for a few seconds then quit again, and you don't want too much
stop/start, so if you can persuade your UPS to wait for a minute or so
of good power before cycling its output back on, so much the safer. 

Cheers, Ian



One (FreeBSD?) Laptop Per Child

2007-11-13 Thread Ian Smith
On Tue, 13 Nov 2007 09:15:42 -0500 Bart Silverstrim <[EMAIL PROTECTED]> wrote:
 [..]
 > Have you read the articles on OLPC?
 > 
 > They're made to run on very low power.  They have batteries that can be 
 > crank-charged quickly, or run off small solar panels.  Somehow I don't 
 > think they're short on sunlight there.  The laptopgiving.org site states 
 > that it operates up to 2,000 recharge cycles and can be charged by 
 > crank, pedal, pullcord, or solar panel.
 > 
 > It's not like they're shipping off-the-shelf laptops to them.  While 
 > there are plenty of problems for these kids, the OLPC project is a way 
 > to try to help with education and interaction.  The units work with a 
 > type of automatic mesh network.  As I understand it, if one gets access 
 > to the Internet, they all can route to it, but even if not they connect 
 > to each other for social and collaborative applications.

Indeed.  Putting aside any ignorance or bigotry regarding whether or not
other than rich countries' kids should have access to computers and IT,
surely the on-topic issue is "Can we run FreeBSD on the OLPC laptop?"

From what I've been able to quickly discover about the machine's specs:
  http://wiki.laptop.org/index.php/Hardware_specification
  http://wiki.laptop.org/go/Software_components
  http://wiki.laptop.org/go/Firmware
it should be eminently suitable as a FreeBSD small/embedded project?

Standard issue runs Linux 2.6.22 FC7 on 'Open Firmware', though now of
course M$ want to put winders on it, saying, in effect, "If it's open,
it should also be open to closed-source software" (ahem :)  Just how
Linux-dependent the other software components are I don't know, but it
mostly looks like stuff that should run fine on FreeBSD to me.  I guess
the rather unique video display arrangements may pose a real challenge,
though it's not like it should need any real reverse-engineering.

The mesh networking is of particular interest, to me anyway.  Seems
they've been playing with OLSR and BATMAN and haven't really firmed this
aspect up yet, from my hour or so of googling; it's still early days .. 

So, does anyone know if anyone's looked into porting FreeBSD to OLPC?

Cheers, Ian



Re: is this IT or not/

2007-11-22 Thread Ian Smith
On Wed, 21 Nov 2007 10:25:35 -0800 Gary Kline wrote:
 > On Wed, Nov 21, 2007 at 06:23:29PM +0100, Roland Smith wrote:
 > > On Wed, Nov 21, 2007 at 12:12:50AM -0800, Gary Kline wrote:
 > > > 
 > > >  guys, one last thing before i call it a days; i just tried 
 > > >  kmidi and tried to configure the audio.
 > > >  got the sound of a breaking glass and the warning that something 
 > > >  was already using "dev/sequencer". i tried a
 > > >  ps -alx, but couldn't tell very much..  can anybody shed a light?

It actually says "could not open /dev/sequencer to get some info. 
Probably there is another program using it". where 'probably' may often
be true on Linux, but here it's proved a less than helpful hint.

 > > Does /dev/sequencer actually exist?
 > > 
 > > I think it's looking for a deprecated device. On my 7.0-BETA2 machine,
 > > the sound(4) manpage only lists /dev/audio*, /dev/dsp* and /dev/sndstat.
 > > 
 > > Looking at the manual pages on the FreeBSD site, there was a
 > > /dev/sequencer in 4.x, but not in 5.x and later.

That's about right, FreeBSD hasn't had MIDI since newpcm arrived, IIRC. 
I vaguely recall a few people missing it, but nobody offering any code.
 
 > > BTW, 'cat /dev/sndstat' shows you the installed sound devices.
 > 
 >  Right; I tried catting /dev/sndstat awhile ago. Didn't see much

It's all in the handbook, but check out sound|snd|pcm(4) re tuning .. 

 paqi% sysctl hw.snd
 hw.snd.targetirqrate: 32
 hw.snd.report_soft_formats: 1
 hw.snd.verbose: 2
 hw.snd.unit: 0
 hw.snd.maxautovchans: 4
 hw.snd.pcm0.buffersize: 4096
 hw.snd.pcm0.vchans: 4

With .verbose=2 you'll see plenty of info :) and you can make good use
of the vchans to stop KDE sounds and non-KDE programs (like XMMS etc) 
tripping over each other, by assigning one of /dev/dsp* to KDE, say. 

 >  beyond my sound card type.  Also, there is no /dev/sequencer.  
 >  So why Kmid would  be hunting for it is one I'll have to look
 >  thru the code to learn about.  It's probably trying to open the
 >  sequencer as a last resort.

Kmid is for playing MIDI files using the soundcard synth chip, for which
/dev/sequencer is the missing device, so it's of no use to you.  I've
used audio/timidity in the past to convert some .mid files of interest
into .wav files on the way towards making .mp3s, but I never did get it
to work to play .mid files directly.  YMMV, there are later versions ..

 >  This is also why lsof fails.  

Sorry, I don't see a connection with lsof?

 >  Hm, no src. Kmid is build from the kde3 source.  

Unless you really want to, you don't want to go there :)

 >  Well, I'm building kplayer which seems to be a front end for
 >  mplayer.  Maybe give me some clues why things-KDE keep breaking.

KDE, despite all the *wonderful* porting done to FreeBSD, is still very
Linux-centric in lots of its assumptions, I find.  I use plenty of KDE
but the sound system has always been a bear here.  This laptop has never
worked with ArtS so I don't bother with it, and I'll use Kmix for basic
volume adjustments, yet need to use mixer(8) to switch recording device,
and prefer using commandline scripts using sox and lame for recording. 

Which brings me to your earlier (unresolved?) question about missing
sound on playing audio CDs .. first assuming your CD drive is properly
externally wired to your soundcard(?), check the level on the 'cd'
device, in Kmix 'input' tab or if in doubt, good ol' /usr/sbin/mixer:

 paqi% mixer
 Mixer vol      is currently set to  90:90
 Mixer synth    is currently set to   0:0
 Mixer pcm      is currently set to  90:90
 Mixer speaker  is currently set to  95:95
 Mixer line     is currently set to   0:0
 Mixer mic      is currently set to   0:0
 Mixer cd       is currently set to  92:92
 Mixer line1    is currently set to   0:0
 Recording source: mic

Good luck, Ian



Re: routing problem

2007-11-23 Thread Ian Smith
On Fri, 23 Nov 2007 12:33:26 -0200
 "Alaor Barroso de Carvalho Neto" <[EMAIL PROTECTED]> wrote:
 > 2007/11/23, Bill Moran <[EMAIL PROTECTED]>:
 > >
 > > "Alaor Barroso de Carvalho Neto" <[EMAIL PROTECTED]> wrote:

[..]

 > > > > > em0 external world XXX.XXX.XXX.XXX
 > > > > > rl0 adm 192.168.1.80
 > > > > > rl1 acad 192.168.2.90
 > > > > > rl3 database 10.10.0.50
 > > > > >
 > > > > > They are all separated networks. What I want: 192.168.2 should only 
 > > > > > access
 > > > > > the internet, shouldn't have access to 192.168.1 or 10.10/16.
 > > > > > 192.168.1should access the internet and
 > > > > > 10.10/16, but shouldn't access the academic network. 10.10/16 should 
 > > > > > access
 > > > > > only the 192.168.1 network, but it's not a problem if they had 
 > > > > > access to
 > > > > > internet too.
 > > > > >
 > > > > > How I would set up my rc.conf with my static routes?
 > > > >
 > > > > This is beyond the scope of routing.  You'll need to install a packet
 > > > > filter.  The best at this time is probably pf:

ipfw works fine too for these sorts of network policy separation :)

 > > > Yes, I have IPFILTER installed, but if I would want everybody to ping
 > > > everybody and then block the things in the firewall, it isn't about 
 > > > routes?
 > > > because neither of my networks are pinging to any other right now. By 
 > > > ping
 > > > I mean have access. I thought it would have something to do with setting
 > > > routes. BTW, my ipfilter now just pass everything because I'm building 
 > > > the
 > > > server, but I already have a config file with the blocks that I would 
 > > > apply.
 > >
 > > That's a completely different scenario than the one you described in
 > > your previous message.
 > >
 > > Do you have gateway_enable="YES" in /etc/rc.conf?
 > >
 > > --
 > > Bill Moran
 > > http://www.potentialtech.com

Just to add a couple of points to what Bill's pursuing here:

 > Yeah, I know, I was trying to make it work with only adm and external, but
 > the real scenario I have is this. Yes I have this line, my rc.conf is like
 > this:
 > [...]
 > gateway_enable="yes"
 > defaultrouter="XXX.XXX.XXX.158" (the external ip)
 > ifconfig_em0="inet XXX.XXX.XXX.130 netmask 255.255.255.227"

If that wasn't a typo, this is a non-contiguous netmask.  I suspect you
want 255.255.255.224, assuming the default router is in the same subnet?

Specifying CIDR notation with route and ifconfig can make netmask
fatfingering a bit less likely (eg here XXX.XXX.XXX.130/27)

I'm not saying this odd netmask explains your problem, nor that I fully
understand the effect of non-contiguous netmasks, but it's worth fixing.

 > ifconfig_rl0="inet 192.168.1.80 netmask 255.255.255.0"
 > ifconfig_rl1="inet 192.168.2.90 netmask 255.255.255.0"
 > ifconfig_rl2="inet 10.10.0.50 netmask 255.255.0.0"
 > [...]

On which machine/s is NAT translation taking place?  Eg if 10.10/16 were
allowed access to the internet via here, where would they get NAT'd to
the external IP? 

Cheers, Ian
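Ian's catch that 255.255.255.227 is a non-contiguous netmask can be checked mechanically. The following is an added example, not code from the thread; it uses 203.0.113.130 and 203.0.113.158 as constructed stand-ins for the XXX.XXX.XXX addresses the poster masked out, and the function names are mine.

```python
"""Netmask sanity checks for the rc.conf lines quoted in the thread (added example).

Addresses use the documentation range 203.0.113.0/24 in place of the
XXX.XXX.XXX.XXX values the poster masked out.
"""
import socket
import struct


def ip_to_int(dotted):
    """Dotted quad -> 32-bit integer (raises OSError on junk input)."""
    return struct.unpack("!I", socket.inet_aton(dotted))[0]


def int_to_ip(n):
    return socket.inet_ntoa(struct.pack("!I", n))


def netmask_to_prefix(mask):
    """Return the /N prefix length, or None if the mask is non-contiguous."""
    m = ip_to_int(mask)
    host_bits = ~m & 0xFFFFFFFF  # the zero bits of the mask, inverted
    # A contiguous mask leaves host_bits as 0...01...1, so adding one and
    # ANDing clears every bit.  Any stray zero inside the run breaks that:
    # 255.255.255.227 ends in 11100011, so host_bits is 00011100.
    if host_bits & (host_bits + 1):
        return None
    return 32 - host_bits.bit_length()


def prefix_to_netmask(prefix):
    """/N prefix length -> dotted netmask."""
    return int_to_ip((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)


def same_subnet(addr, mask, other):
    """True if 'other' lies in the subnet addr/mask (mask must be contiguous)."""
    prefix = netmask_to_prefix(mask)
    if prefix is None:
        raise ValueError(f"non-contiguous netmask {mask}")
    m = ip_to_int(prefix_to_netmask(prefix))
    return ip_to_int(addr) & m == ip_to_int(other) & m


def check_ifconfig_line(addr, mask, defaultrouter):
    """Report what you'd want to know about one ifconfig_*/defaultrouter pair."""
    prefix = netmask_to_prefix(mask)
    if prefix is None:
        return f"{addr} netmask {mask}: non-contiguous mask, fix it before going further"
    note = "" if same_subnet(addr, mask, defaultrouter) else \
        " (defaultrouter is NOT in this subnet)"
    return f"{addr}/{prefix} (netmask {mask}){note}"


if __name__ == "__main__":
    # Constructed stand-ins for the masked-out XXX.XXX.XXX.130 / .158 addresses.
    for mask in ("255.255.255.227", "255.255.255.224"):
        print(check_ifconfig_line("203.0.113.130", mask, "203.0.113.158"))
```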



Re: is this IT or not/

2007-11-23 Thread Ian Smith
On Thu, 22 Nov 2007, Gary Kline wrote:
 > On Fri, Nov 23, 2007 at 01:22:37AM +1100, Ian Smith wrote:
 > > On Wed, 21 Nov 2007 10:25:35 -0800 Gary Kline wrote:
[..]
 > > Which brings me to your earlier (unresolved?) question about missing
 > > sound on playing audio CDs .. first assuming your CD drive is properly
 > > externally wired to your soundcard(?), check the level on the 'cd'
 > > device, in Kmix 'input' tab or if in doubt, good ol' /usr/sbin/mixer:
 > > 
 > >  paqi% mixer
[..]
 > >  Mixer cd   is currently set to  92:92

Quoting out of place, from your later message to Andreus:

 >  Thanks for your input, but it was ignorance that KsCD is not for
 >  playback  of audio CD's on FBSD.  This from Michael Nottebrook.

That's odd: KsCD is working here, now, playing a favourite audio CD.

Caveat: older KDE 3.5.4 and 5-STABLE.  I doubt it's lost features ..

Maybe your soundcard wiring to the player isn't right?  KsCD uses ~0%
CPU so I gather it's just shunting the CD player's audio to the mixer,
ie not actually reading any CD data itself.  Maybe this just doesn't
work with your particular soundcard and/or CD drive ..

Cheers, Ian



Re: routing problem

2007-11-24 Thread Ian Smith
On Sat, 24 Nov 2007, Alaor Barroso de Carvalho Neto wrote:
 > 2007/11/24, Ian Smith <[EMAIL PROTECTED]>:
 > >
 > > ipfw works fine too for these sorts of network policy separation :)
 > 
 > 
 > So ipfilter is not recommended by you guyz?

No I didn't mean that; use your own favourite packet filter, any of them
can handle what you've described.  Bill suggested pf - lots of people
seem to like it a lot - and I use ipfw because I (mostly) know how to. 

 > > I'm not saying this odd netmask explains your problem, nor that I fully
 > > understand the effect of non-contiguous netmasks, but it's worth fixing.
 > 
 > 
 > My fault again, the mask is 255.255.255.224, I messed up the things the 27
 > come from XXX.XXX.XXX.XXX/27, you're right! But in the config file it's
 > .224.

Ok.  Pasted output of 'ifconfig' and 'netstat -finet -nr' may help .. 
it's easier to parse familiar machine output than textual descriptions.

 > On which machine/s is NAT translation taking place?  Eg if 10.10/16 were
 > > allowed access to the internet via here, where would they get NAT'd to
 > > the external IP?
 > >
 > > Cheers, Ian
 > >
 > > The ipfilter was nating, but I'm not sure about the NAT rules inside the
 > config file, I must recheck it monday, I just tested the redirection rules,
 > do you think this can be the problem?

Dunno.  I'd just run tcpdump in a different terminal for each interface
and watch the traffic; what gets forwarded, or not, what gets translated
by NAT, or not.  As you said, pings are a useful start, as can be adding
temporary firewall rules to log everything in and out per interface ..

I know next to nothing about routed(8) and RIP, nor why you might prefer
it to static and cloned routing, but taking it out of the mix might help
with debugging until your basic routing and filtering works right?

HTH, Ian



Re: routing problem

2007-11-25 Thread Ian Smith
On Sat, 24 Nov 2007, Alaor Barroso de Carvalho Neto wrote:
 > 2007/11/24, Ian Smith <[EMAIL PROTECTED]>:
 > >
 > > No I didn't mean that; use your own favourite packet filter, any of them
 > > can handle what you've described.  Bill suggested pf - lots of people
 > > seem to like it a lot - and I use ipfw because I (mostly) know how to.
 > 
 > 
 > I always had linux servers, so I'm very familiar with iptables, I don't have
 > a favorite BSD firewall yet, so that's why I'm asking. I choose ipfilter
 > because I liked the tutorial in the FreeBSD handbook, but I don't know any
 > features of the others, I even don't know ipfilter yet.

Yes, I suspect the handbook firewall sections were put together by an
ipfilter fan, even the ipfw section contains some oddities indicating
that, and the pf section so far lacks the basic and with-NAT firewall
setups that might encourage more people unfamiliar with pf to try it.

 > Ok.  Pasted output of 'ifconfig' and 'netstat -finet -nr' may help ..
 > > it's easier to parse familiar machine output than textual descriptions.
 > 
 > 
 > My BSD box doesn't have a graphic interface and I must admit I'm suffering to
 > use it, so that's why I'm transcribing the configs, but I'm gonna change
 > that.

You can mark and copy with the mouse in text terminals on non-X boxes,
at a pinch.  I then use (say) ee to save the paste, though of course
it's a lot less tedious working from an xterm with multiple clipboard
buffers .. I've pasted up to 2000 lines from a Konsole at times :)

 > Dunno.  I'd just run tcpdump in a different terminal for each interface
 > > and watch the traffic; what gets forwarded, or not, what gets translated
 > > by NAT, or not.  As you said, pings are a useful start, as can be adding
 > > temporary firewall rules to log everything in and out per interface ..
 > >
 > > I know next to nothing about routed(8) and RIP, nor why you might prefer
 > > it to static and cloned routing, but taking it out of the mix might help
 > > with debugging until your basic routing and filtering works right?
 > 
 > 
 > I think it's hard to be NAT even because I've disabled ipfilter and the
 > problem is still there. I thought I would just set gateway_enable="YES" and things
 > would start working, at least that was how I've seen it in the docs, but since
 > it didn't, I tried to set static routes. I don't know anything about routed
 > either, I just know that it's supposed to build the routes on demand, or

I think routed might only work in a network that's using RIP throughout,
but that's only from what I've read in Hunt's TCP/IP Network Admin book,
and I've seen next to no discussion of using RIP in recent times.  I'm
pretty sure you don't want to run routed(8) and that it would only add
to confusion for anyone trying to help you spot your problem here.

 > something like that. I'll copy the result of netstat on monday but the
 > routes seems to be OK, they're there like they're supposed to be, at least I
 > think they are right. Probably the problem is very stupid, but I feel like

Possibly just a little confusion re how freebsd routing tables are
presented compared to Linux, especially re default routes, perhaps? 

 > I've checked everything and I can't find the error, and like I'm not very
 > familiar with BSD I'm losing my hope. Next week I'll try some things and if
 > it don't work I think it's time to go back to linux. That's bad because I
 > liked a lot the freebsd way of do the things.

I suggest ending this thread here, and that you come back with a fresh
start on a fresh subject stating again what you want to do, your network
setup and layout, ifconfig and your full IPv4 routing tables, and clear
description of which packets via which interface/s are failing to get to
where you want them to go (and back!).  Your original message was fairly
clear about that, though it's got lost in the mists of time by now ..

Don't give up.  Perhaps spend a little time browsing the freebsd-net
list to see if that's worth joining for you, if you can't get sufficient
answers here, but with enough basic info I'm sure someone here can help. 

Cheers, Ian



Re: [OT] who wrote this

2007-11-26 Thread Ian Smith
On Sun, 25 Nov 2007 22:03:30 -0600 "eBoundHost: Artur" <[EMAIL PROTECTED]> 
wrote:

 > >Lets also remember that history is written by the victors, 
 > >which means they LIE!
 > >neal.
 > 
 > 
 > Wow neal, that's very nice of you.  are you saying that hitler didn't
 > do any of these things?  I'm not even going to respond to you here,
 > just going to re-post your words to show that there are still people
 > like you out there... 

Researching the fascinating set of OT discussions in recent -questions
digests has provided three new entries for my favourite quotes file: 

I shall give a propagandist reason for starting the war, no matter whether
it is plausible or not.  The victor will not be asked afterwards whether
he told the truth or not.  When starting and waging war it is not right
that matters, but victory.
-- Adolf Hitler

If all else fails, immortality can always be assured by spectacular error.
-- John Kenneth Galbraith

For all my early exposure, I didn't get laid until I was 17.
-- Ted Mittelstaedt

Cheers, Ian



Re: copying DVD material :: somewhat OT.

2007-12-08 Thread Ian Smith
On Sat, 08 Dec 2007 14:18:25 -0700
 Predrag Punosevac <[EMAIL PROTECTED]> wrote:
 > Gary Kline wrote:
 > >Folks,
 > >
 > >IFF k3b works, and I think it might, I'll put up a howto
 > >on  my bsd virtual site.   Make this domain more useful.
 > >The help from this group has been outstanding, but getting things
 > >CD and DVD actually working has been a study in perseverance.
 [..]
 > I wrote a K3b how-to 
 > http://www.bsd-srbija.org/dokumentacija/doku.php/rezanje_cd_i_dvd_diskova_pomo%C4%87u_k3b
 > but you will need a little bit of Serbian language to read it.
 > 
 > Actually you could probably follow the article even if you do not speak 
 > Serbian as the language is generic and there are only three important 
 > steps you need to do.
 > 
 > Step 1 Editing your /boot/loader.conf file with
 > 
 > atapicam_load="YES"
 > hw.ata.ata_dma="1"
 > hw.ata.atapi_dma="1"
 > 
 > since FreeBSD is using atapicam device to write DVD
 > 
 > 
 > Step 2 Edit your /etc/devfs.conf with various permissions. Most of those 
 > are needed for a work station anyway
 > 
 > perm  /dev/acd0   0666
 > perm  /dev/cd0    0666

I'm more comfortable with putting users in a group (operator, burner,
whatever) and setting perms to 660 .. but anyway ..

 > # Commonly used by many ports
 >
 > link  cd0 cdrom
 > link  cd0  dvd
 > link  cd0  rdvd
 > 
 > link  acd0 cdrom
 > link  acd0 dvd
 > link  acd0 rdvd

All good stuff, but just one point that Roland Smith picked up on in
another incarnation of this topic recently .. 'link' in devfs makes a
symlink in /dev, and you can't make two symlinks with the same name.

On my 5.5-S system I'd long had in devfs.conf:

  link    acd0    cdrom
  link    cd0     cdrom

but ls -l /dev/cdrom shows

  lrwxr-xr-x  1 root  wheel  4 Nov 28 01:27 /dev/cdrom -> acd0

so it seems the first link is made and any subsequent silently ignored
(or at least, I haven't spotted any console messages complaining of it)

 > # Misc other devices
 > 
 > perm    cdrom   0666
 > perm    dvd     0666
 > perm    rdvd    0666
 > perm    xpt0    0666
 > perm    pass0   0666
 > 
 > 
 > Step 3 Edit your /etc/fstab file if you want to use K3b as a normal user 
 > since the disk has to be mounted on a mount point which belongs to you
 > 
 > 
 > [pedja@ /usr/home/Pedja]$ more /etc/fstab
 > #These are my options
 > /dev/cd0   /usr/home/Pedja/mnt/cdrom  cd9660  rw,noauto  0  0
 > /dev/acd0  /usr/home/Pedja/mnt/cdrom  cd9660  rw,noauto  0  0
 > 
 > 
 > 
 > You do not need HAL for things to work but it is not going to hurt.
 > 
 > 
 > Also read
 > 
 > make showinfo /usr/ports/sysutils/k3b

If I ever get a DVD writer and want to try k3b, I'll start here thanks.

Cheers, Ian
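The duplicate-link problem Ian describes (two `link` lines claiming the same name in /dev, first one wins, the rest silently ignored) is easy to lint for before it bites. This is an added example, not code from the thread or from FreeBSD; the sample devfs.conf fragment is constructed from the lines quoted above, and the first-link-wins rule is taken from Ian's observation on his 5.5 box.

```python
"""Lint a devfs.conf(5) fragment for clashing link names (added example)."""

# Constructed from the lines quoted in the thread; both cd0 and acd0 claim
# the same three link names, which is exactly the clash discussed above.
SAMPLE_DEVFS_CONF = """\
# Commonly used by many ports
link  cd0   cdrom
link  cd0   dvd
link  cd0   rdvd

link  acd0  cdrom
link  acd0  dvd
link  acd0  rdvd

perm  cdrom 0666
perm  dvd   0666
"""


def parse_devfs_conf(text):
    """Yield (lineno, action, device, value) for each non-comment directive."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 'action device value', got {raw!r}")
        action, device, value = parts
        yield lineno, action, device, value


def find_link_clashes(text):
    """Map each link name claimed more than once to its [(lineno, device), ...].

    devfs makes the first link and ignores later ones (Ian's observation
    above), so the first entry in each list is the one that actually wins.
    """
    claims = {}
    for lineno, action, device, value in parse_devfs_conf(text):
        if action == "link":
            claims.setdefault(value, []).append((lineno, device))
    return {name: hits for name, hits in claims.items() if len(hits) > 1}


def world_writable_perms(text):
    """Names given a world-writable mode; 0660 plus a group is the tighter choice."""
    return [device for _, action, device, mode in parse_devfs_conf(text)
            if action == "perm" and int(mode, 8) & 0o002]


if __name__ == "__main__":
    for name, hits in find_link_clashes(SAMPLE_DEVFS_CONF).items():
        (win_line, win_dev), rest = hits[0], hits[1:]
        ignored = ", ".join(f"{dev} (line {ln})" for ln, dev in rest)
        print(f"{name}: -> {win_dev} wins (line {win_line}); ignored: {ignored}")
    print("world-writable:", world_writable_perms(SAMPLE_DEVFS_CONF))
```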



Re: Connecting networks

2007-12-11 Thread Ian Smith
Re-copying the various contributors ..

On Tue, 11 Dec 2007 20:00:56 -0200
  "Alaor Barroso de Carvalho Neto" <[EMAIL PROTECTED]> wrote:
 >  2007/12/11, Jonathan Horne [EMAIL PROTECTED]:
 > 
 > > out of curiosity, are you pinging from the 4-interfaced-connected BSD
 > > box, or some other workstation that is trying to use the BSD box as its
 > > gateway?
 > 
 > 
 > From a workstation that is trying to use the BSD box as its gateway and has the
 > ip of the BSD box as its default gateway in network settings. My BSD box
 > can ping to everywhere.
 > 
 > 2007/12/11, Erik Norgaard <[EMAIL PROTECTED]>
 > 
 > > Could you post your configuration, rc.conf, just the entries related to
 > > network interfaces and routing?
 > >
 > > The BSD box should automatically route any packets between immediately
 > > connected networks without adding any static routes. Do you have any
 > > firewalling enabled?
 > >
 > > Cheers, Erik
 > 
 > 
 > I'm not in my work anymore but I'll try to remember it as it is:
 > 
 > defaultroute="192.168.1.80"

Should be 'defaultrouter', but then it's a route to an apparent local
router, whereas your em0 appears to be your public internet connection?

 > hostname="tiger.administrativo.unedmacae.cefetcampos.br"
 > gateway_enable="YES"
 > ifconfig_em0="inet XXX.XXX.XXX.XXX netmask 255.255.255.227"

Hopefully you've just mis-remembered that netmask: it's non-contiguous.
.224 perhaps?

 > ifconfig_xl0="inet 192.168.1.244 netmask 255.255.255.0"
 > ifconfig_xl1="inet 192.168.2.90 netmask 255.255.255.0"
 > ifconfig_xl2="inet 10.10.0.50 netmask 255.255.0.0"
 > pf_enable="YES"
 > pf_rules="/etc/pf.conf"
 > pf_flags=""
 > pflog_enable="YES"
 > pflog_logfile="/var/log/pflog"
 > pflog_flags=""

Let's assume you've disabled your firewall to take that out of the
equation till you get the routing happening as desired ..

 > The rest is just is all the default from the installation.
 > 
 > 2007/12/11, Eric Crist <[EMAIL PROTECTED]>
 > 
 > > Add
 > >
 > > gateway_enable="YES" to /etc/rc.conf.
 > >
 > > Make sure your other systems use the freebsd box in question as their
 > > default route.

I suspect this may be (one of?) your problem(s); more below.

 > > make sure your firewall, if you have one, is passing the traffic
 > > between the two networks.
 > >
 > > Use pf or some other means to nat outbound traffic.
 > >
 > > HTH

Let's also assume you're not (on this box) trying to NAT one or more of
these multiple private networks to public IP address(es) ..

 > I already have this line in my rc.conf.
 > 
 > 2007/12/11, Trix Farrar <[EMAIL PROTECTED]>:
 > 
 > > It sounds like your BSD server is configured correctly.  You may,
 > > however, need to tell the other devices on your different networks how
 > > to find their way.
 > >
 > > Given that you have networks A, B and C that are each connected to
 > > each other by your BSD server, F, the hosts on network A have to know
 > > how to find network B and network C.  If the three networks already
 > > have routers the hosts use as a default gateway, then those routers
 > > will need to have routes added to find your other networks; the
 > > network A router needs to have routes to networks B and C that point
 > > to your BSD server and so on.
 > 
 > 
 > How I do that?

I think this is at the core of your issue.  Let's assume that a box on
xl1, say 192.168.2.100, wants to talk with a box on xl2, say 10.10.0.100

192.168.2.100 needs either your box (192.168.2.90) as its default route,
or it needs to have added a specific route for 10.10 via your box. 

Similarly, 10.10.0.100 needs either your box (10.10.0.50) as its default
route, or it needs to have added a specific route for 192.168.2 via you. 

Unless both of these conditions are true, packets will not get (or get
back) to where they're supposed to go, even if your box setup is all ok.

 > Thankz guyz for your attention with me! I'm going to have nightmares with
 > this trouble.

Sounds like you need a very good diagram of your boxes and networks and
interfaces so you can easily trace all the paths (and thus the necessary
routes) between the various subnets you're wanting to interconnect.

You also need to look carefully at which boxes/nets have routes to the
internet, via wherever (and at what point their addresses are NAT'd to
and from which public addresses), so you can hope to resolve the vast
potential for routing loops and/or blackholed connections that such a
setup offers :)

Later on, your firewall may be able to help with this by at least
preventing disallowed connections, but the above needs to work first.

cheers, Ian
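The two-way requirement Ian spells out above (each end needs either the BSD box as its default route or a specific route to the far subnet via it, plus gateway_enable on the box itself) can be walked through with a small model. This is an added example, not code from the thread; the host names bsd, acad-pc and db-pc, the workstations' routing tables and the missing return route are constructed, while the BSD box's three interface addresses are the ones from the quoted rc.conf.

```python
"""Toy hop-by-hop walk for the three-subnet FreeBSD gateway in the thread."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    ifaces: list                                  # IPv4Interface objects
    routes: list = field(default_factory=list)    # (IPv4Network, gateway str)
    forwarding: bool = False                      # gateway_enable="YES"

    def owns(self, addr):
        return any(i.ip == addr for i in self.ifaces)

    def next_hop(self, dst):
        """Address to hand the packet to, or None when there is no route."""
        for i in self.ifaces:
            if dst in i.network:
                return dst                        # directly connected subnet
        best = None
        for net, gw in self.routes:               # longest prefix match
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw)
        return ipaddress.IPv4Address(best[1]) if best else None


def trace(hosts, src_name, dst, max_hops=8):
    """Follow a packet; return ([hosts crossed], delivered?)."""
    by_addr = {i.ip: h for h in hosts.values() for i in h.ifaces}
    dst = ipaddress.IPv4Address(dst)
    src = hosts[src_name]
    cur, path = src, [src.name]
    for _ in range(max_hops):
        if cur.owns(dst):
            return path, True
        if cur is not src and not cur.forwarding:
            return path, False                    # plain host drops transit traffic
        nh = cur.next_hop(dst)
        if nh is None or nh not in by_addr:
            return path, False                    # no route, or gateway not on a link we model
        cur = by_addr[nh]
        path.append(cur.name)
    return path, False


def build_topology():
    """Constructed: the BSD box from the rc.conf above plus one host per side."""
    I, N = ipaddress.ip_interface, ipaddress.ip_network
    bsd = Host("bsd", [I("192.168.1.244/24"), I("192.168.2.90/24"), I("10.10.0.50/16")],
               forwarding=True)
    # 192.168.2 hosts already use .90 as their default gateway (per the thread)
    acad = Host("acad-pc", [I("192.168.2.100/24")], routes=[(N("0.0.0.0/0"), "192.168.2.90")])
    # constructed: a 10.10 host with no route back towards 192.168.2
    db = Host("db-pc", [I("10.10.0.100/16")])
    return {h.name: h for h in (bsd, acad, db)}


def add_return_route(host, net="192.168.2.0/24", via="10.10.0.50"):
    """The fix the thread describes: a specific route back through the BSD box."""
    host.routes.append((ipaddress.ip_network(net), via))


if __name__ == "__main__":
    topo = build_topology()
    print("request :", trace(topo, "acad-pc", "10.10.0.100"))
    print("reply   :", trace(topo, "db-pc", "192.168.2.100"))
    add_return_route(topo["db-pc"])
    print("reply+rt:", trace(topo, "db-pc", "192.168.2.100"))
    topo["bsd"].forwarding = False                # gateway_enable left off
    print("no fwd  :", trace(topo, "acad-pc", "10.10.0.100"))
```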



Re: Connecting networks

2007-12-12 Thread Ian Smith
On Wed, 12 Dec 2007, Alaor Barroso de Carvalho Neto wrote:
 > 2007/12/12, Ian Smith <[EMAIL PROTECTED]>:
 > > Should be 'defaultrouter', but then it's a route to an apparent local
 > > router, whereas your em0 appears to be your public internet connection?

 > Yes, it's default router, like I said I was not in my work then I wrote by
 > myself this lines, like I didn't touch the defaultrouter line since the
 > install I guess it's correct, my fault. Yes, em0 is my public connection,
 > but it's not connected to the external network yet, that's why my default
 > router is 192.168.1.80 (that is my current gateway, connected with the
 > external world, and who I want to be replaced by this BSD box)

Ok.  Will this box be connecting some/all of these subnets to the world?

 > > I think this is at the core of your issue.  Let's assume that a box on
 > > xl1, say 192.168.2.100, wants to talk with a box on xl2, say 10.10.0.100
 > >
 > > 192.168.2.100 needs either your box (192.168.2.90) as its default route,
 > > or it needs to have added a specific route for 10.10 via your box.
 > >
 > > Similarly, 10.10.0.100 needs either your box (10.10.0.50) as its default
 > > route, or it needs to have added a specific route for 192.168.2 via you.
 > >
 > > Unless both of these conditions are true, packets will not get (or get
 > > back) to where they're supposed to go, even if your box setup is all ok.

 > The machines in 192.168.1 aren't using my BSD box as their default
 > gateway, so it may be the problem? But, like I've said, this is the
 > second time I try to put the things to work, the first time I've set the
 > 192.168.1 machines to use my bsd as default gateway and didn't work also. But
 > I gonna change it to test again. My machines in 192.168.2 are all using
 > 192.168.2.90 as their gateway already.

Well, as above.  In your scenario all of the boxes in each of your 3
local subnets will have to route packets for the other 2 subnets via
your box's address in that subnet, either as their default route or by
adding specific routes for each of the 'foreign' subnets via your box. 

Tricky unless you have admin control of all boxes' routing, especially
in an 'anything that can happen will happen' environment like a campus,
unless this box is going to be the default route for all subnets anyway?

cheers, Ian



Re: Apache 1.3 Problems

2008-09-16 Thread Ian Smith
On Tue, 16 Sep 2008 17:48:48 +1000 (EST) [EMAIL PROTECTED] wrote:
 > > On Tue, 16 Sep 2008 [EMAIL PROTECTED] wrote:

From a digest post, trimming a bit ..

 > >>>  After 3 years, my apache 1.3 server quit working.  It shows a
 > >>> PID, it's running, it can be stopped and restarted, and from FreeBSD
 > >>> the home page comes up using lynx http://andrsn.stanford.edu
 > >>>
 > >>>  But from outside, it times out.
 > >>>
 > >>>  I have run the tests for valid configuration (I haven't changed
 > >>> anything) and I actually rebooted the machine.  The tests are okay and
 > >>> rebooting doesn't help.
 > >>>
 > >>>  The machine is pingable.  It's running FreeBSD 5.5 or so.
 > >>>
 > >>>  What to do next?
 > >>>
 > >>>  Annelise
 > >>> ___
 > >>
 > >> Hmm..
 > >> Can it connect to the outside world at all itself? Has the network
 > >> changed
 > >> at all recently? Did the server restart at all and if so are the
 > >> firewall
 > >> rules (if any) permitting external traffic?
 > >>
 > >> You could check the apache logs to see if any external connections are
 > >> getting through to the box at all, too.
 > >>
 > >> Is the lynx test connecting from the same box to itself? or from another
 > >> FreeBSD box..?
 > >
 > > From the same box to itself.

What about from other boxes 'inside' your domain?

 > >> --
 > >> Also, what Chris said would cover most of these. :)
 > >>
 > >> Cheers,
 > >> Mark
 > >
 > > Chris wrote:
 > >
 > >>Sounds like a (probebly external) firewall issue. Just because pings get
 > >>through, doesn't mean the http requests are.
 > >
 > > No firewall on my machine.

No, but there are (hopefully :) Stanford firewall/s between you and the 
outside world.  Might they have upgraded policy about allowing inbound 
port 80 connections to boxes not known/expected to be running servers?

 > >>I'd run ngrep or tcpdump on the console and double-check that the packets
 > >>are actually making it to the server.
 > >
 > >>Also, do a "sockstat -4" and make sure it's listening on the appropriate
 > >>IP.
 > >
 > > Thank you both--
 > >
 > > sockstat -4 show that it's listening on *:80, which is right.
 > > Neither tcpdump (assuming I'm reading it correctly) nor httpd-access.log
 > > shows any tcp packets at all getting through except when lynx is run
 > > from the machine on which apache is running after Sept 12 at 2:12 a.m.
 > > Thus, I assume packets are not getting to the server, except when
 > > requested from the local machine.

Sounds like your machine is setup ok, but inbound tcp setup packets are 
apparently getting blocked upstream.

 > > email and ftp are working--and I can log into the machine remotely--
 > > so stuff is getting out and in.  tcpdump shows a lot of other activity,

Specific like 'tcpdump -pn -i $iface tcp port 80' quells other noise.

 > > So, I'm stumped.
 > >
 > >Annelise

Ok, ping and DNS look fine.  I (also) can traceroute your box this far:

14  bbrb-isp.Stanford.EDU (171.64.1.155)  193.489 ms  193.562 ms  195.603 ms
15  * * *
16  * * *
17  * * *
18  * *^C

I don't know whether you allow inbound traceroutes? but the question 
now is, how many routers between you and bbrb-isp.Stanford.EDU ?

Can you show us a 'traceroute bbrb-isp.Stanford.EDU' from your machine?

 > This might sound like an odd test, but try configuring it to sit on a port
 > other than 80 (8080, for example) and seeing if you get the same problem
 > there.
 >
 > Cheers,
 > Mark

If you're thinking what I'm thinking, 8080's just as unlikely to work :)

cheers, Ian


Re: Apache 1.3 Problems

2008-09-16 Thread Ian Smith
On Tue, 16 Sep 2008, Annelise Anderson wrote:
 > On Wed, 17 Sep 2008, Ian Smith wrote:
 > > On Tue, 16 Sep 2008 17:48:48 +1000 (EST) [EMAIL PROTECTED] wrote:
 > > > > On Tue, 16 Sep 2008 [EMAIL PROTECTED] wrote:
 > > 
 > > From a digest post, trimming a bit ..

Trimming lots this time ..

 > > Ok, ping and DNS look fine.  I (also) can traceroute your box this far:
 > > 
 > > 14  bbrb-isp.Stanford.EDU (171.64.1.155)  193.489 ms  193.562 ms  195.603 ms
 > > 15  * * *
 > > 16  * * *
 > > 17  * * *
 > > 18  * *^C
 > > 
 > > I don't know whether you allow inbound traceroutes? but the question
 > > now is, how many routers between you and bbrb-isp.Stanford.EDU ?
 > > 
 > > Can you show us a 'traceroute bbrb-isp.Stanford.EDU' from your machine?
[..]

 > I think port 80 is being filtered.  I have started talking to the admins.
 > The traceroute looks like this--
 > 
 > andrsn  2:23PM ~ % traceroute bbrb-isp.Stanford.EDU
 > traceroute to bbrb-isp.Stanford.EDU (171.64.1.155), 64 hops max, 40 byte packets
 >  1  goz-srtr-vlan910.Stanford.EDU (171.66.112.1)  0.610 ms  0.571 ms 0.711 ms
 >  2  * bbra-rtr.Stanford.EDU (172.20.4.1)  1.093 ms *
 >  3  * * *
 >  4  * * *
 >  and so forth indefinitely.

While talking to the admins, you might show them your traceroute too.  

It's a bit strange that bbrb-isp.Stanford.EDU responds to traceroutes 
from the outside, but not from your internal machine.  Of course it may 
be that the port 80 blocking (and/or traceroute blocking) is occurring 
on another router between you and bbrb-isp .. we can see at least two.

 > When I filter out non-tcp traffic nothing shows up at all.

Obviously mail works both ways.  tcptraceroute was also a good clue.

 > I have not tried another port yet, but will do that now.
 > 
 >  Annelise

Happy hunting, Ian


Re: sound card and freebsd v7.0

2008-09-26 Thread Ian Smith
On Sat, 27 Sep 2008 09:44:07 +1000 jonathan michaels <[EMAIL PROTECTED]> wrote:
 > On Fri, Sep 26, 2008 at 08:52:42AM +0200, Bernt Hansson wrote:
 > > jonathan michaels:
 > > 
 > > > 
 > > > Sep 26 13:26:46 hostid kernel: pci0:  at device 4.3 (no driver 
 > > > attached)
 > > > Sep 26 13:26:46 hostid kernel: csa0: 
 > > >  mem 
 > > > 0xf410-0xf4100fff,0xf400-0xf40f irq 10 at device 6.0 on pci0
 > > > Sep 26 13:26:46 hostid kernel: csa: card is Unknown/invalid SSID (CS4614)
 > > > Sep 26 13:26:46 hostid kernel: csa0: [GIANT-LOCKED]
 > > > Sep 26 13:26:46 hostid kernel: csa0: [ITHREAD]
 > > > Sep 26 13:26:46 hostid kernel: pcm0:  on csa0
 > > > Sep 26 13:26:46 hostid kernel: pcm0: 
 > > > Sep 26 13:26:46 hostid kernel: pcm0: [GIANT-LOCKED]
 > > > Sep 26 13:26:46 hostid kernel: pcm0: [ITHREAD]
 > > > 
 > > > i enabled all the sound drivers on boot and this is what is in the
 > > > /var/log/messages said about the sound card.
 > > 
 > > How did you enable the sounddriver?
 > 
 > after the initial install, i created/edited a /boot/loader.conf.local
 > file to enable all the sound drivers to see which one came up as being
 > the one .. grin.
[..]
 > > What is the output of cat /dev/sndstat?
 > 
 > FreeBSD Audio Driver (newpcm: 32bit 2007061600/i386)
 > Installed devices:
 > pcm0:  at irq 10 kld snd_csa [GIANT] (1p:1v/1r:1v channels duplex default)

Right, so you should only need snd_csa_load="YES" in /boot/loader.conf, 
assuming you have a GENERIC kernel that already has 'device sound'; if 
not, you may also need sound_load="YES".

If you set 'sysctl hw.snd.verbose=2' manually or have 'hw.snd.verbose=2' 
in /etc/sysctl.conf, you'll get more info out of 'cat /dev/sndstat', 
which someone might need if you're still having problems with sound.

 > > > the drive is a 120 gb hitachi deskstar .. linux (several of the most
 > > > recent distributions, ubuntu/centos/fedora sees it as a 120 gb, as
 > > > does solaris v10/v11 but freebsd calls it a 114 gb drive
 > > 
 > > That's quite simple, freebsd calls it for what it is a 114 Gb disk.
[..]

 > i do not understand this .. i mean i do not understand how freebsd can
 > take a drive with the cylinders/heads/sectors that produces xxx million
 > sectors that multiplied by 512 bytes produces 120 gb (real gb) solaris
 > also identifies this as a 120 gb drive as do several linux distributions
 > (centos and ubuntu based).

I think you're perhaps referring to what df tells you about free space? 
Remember that UFS reserves, by default, 8% of a slice for system use or 
overcommitment by root.  So a 120GB drive, all allocated to one slice, 
newfs'd, you'd expect df to show you around 110GB.  If you actually fill 
it up, from a root process, you'd see the oft-dreaded '108% capacity' :)

Assuming for example that your disk is /dev/ad0, show us the output of 
'fdisk -s ad0'.  Then, for any slice/s (X) having FreeBSD type 0xa5, 
show result of 'bsdlabel ad0sX'.  The sector maths should then work out.

 > could this be a "lba" confusion/issue between the drive/bios/freebsd 
 > interpretation ?? it is a term i recall from earlier, when these kinds 
 > of drives first appeared and caused significant consternation for 
 > everybody not just freebsd. it is a problem as far as i have several 
 > of these drives to be putting into several 'server' machines where 
 > this kind of freespace 'loss' would become an issue --- hardware 
 > density, as in drives per terabyte leading to power consumption/space
 > and heating considerations in raid arrays (five and ten drive racks)

From memory, all disks over ~8GB need LBA addressing.  It's been a long 
while since the LBA vs CHS setup was an issue, which is why on modern 
disks you should always ignore sysinstall's archaic whinging about the 
geometry, and just use what's originally detected, ie leave it alone.

 > this is not a 'real' problem as 95 gb (whats left after install from a
 > 114 gb start point) is more than enough for this boxes task-load. it is
 > that i find this a bit confusing/interesting, esp given that FreeSBIE
 > v1.1 also sees this as a 120 gb drive ???  just interested in finding
 > out what is going on and if this is a pointer to future hardware
 > mis-identification --- i understand the difference between "real"
 > gigabytes and "marketing department" gigabytes

The fdisk and bsdlabel outputs will tell the true story.  If, as you 
suggested earlier, you did enter a different geometry, you might have 
lost some real space, so also show us 'fdisk ad0 | grep cylinders'

cheers, Ian
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: newsyslog and apache

2008-10-03 Thread Ian Smith
On Fri, 03 Oct 2008 10:08:52 +0200 "DA Forsyth" <[EMAIL PROTECTED]> wrote:
 > On 2 Oct 2008 , [EMAIL PROTECTED] entreated about
 >  "freebsd-questions Digest, Vol 235, Issue 11":

I'm replying to the digest too, so threading is doubly screwed :)

 > > No need to change log rotation software since the problem clearly is
 > > somewhere else. You need to inspect Apache's error logs to see why it
 > > cannot start.
 > 
 > the previous error log shows
 > [Wed Oct 01 08:00:03 2008] [notice] Graceful restart requested, doing 
 > restart
 > [Wed Oct 01 08:00:04 2008] [notice] seg fault or similar nasty error 
 > detected in the parent process

This is what you need to find and fix.  Most likely a config error of 
some sort .. possibly re some module - php extensions order, maybe?

What does 'apachectl configtest' have to say?
 
 > the new error log shows, after the manual start
 > [Wed Oct 01 08:39:09 2008] [warn] pid file /var/run/httpd.pid 
 > overwritten -- Unclean shutdown of previous Apache run?
 > [Wed Oct 01 08:39:09 2008] [notice] Apache/2.0.63 (FreeBSD) PHP/4.4.9 
 > with Suhosin-Patch DAV/2 SVN/1.5.2 configured -- resuming normal 
 > operations
 > 
 > those error messages are repeated any time I do a 
 >    apachectl graceful
 > 
 > However, doing
 >    apachectl stop
 >    apachectl start
 > works as expected.

See apachectl(8) .. apachectl graceful sends httpd a SIGUSR1, as does 
your previously mentioned newsyslog line, which shuts apache down but 
without murdering existing connections, while apachectl restart does.

However both graceful and restart run configtest before restarting, and 
it seems likely that's where/why it's bombing.  OTOH, apachectl start 
doesn't run configtest, maybe explaining why it starts up ok that way?

 > apache version is apache-2.0.63_2 from ports
 > uname -a gives
 > FreeBSD iwr.ru.ac.za 7.0-RELEASE-p1 FreeBSD 7.0-RELEASE-p1 #2: Mon 
 > Jun  2 13:10:26 SAST 2008 
 > iwr.ru.ac.za:/usr/obj/usr/src/sys/KERNIWR70  i386

Here running apache 1.3 on 5.5-STABLE, but I doubt the apachectl 
functionality has changed significantly, though I may be wrong ..

 > php v4 is installed, though i do plan to upgrade that to V5 as soon 
 > as I get time to do it.

Good idea, especially if PHP is related to your apparent config issue.

 > PS: I used to use logrotate, but it too stopped working correctly, 
 > with apache process stopping in a similar way that is why I changed 
 > to newsyslog.  I rotate the logs monthly, and set it to 8am so there 
 > is a chance I'll be on hand to start apache to minimize downtime.

Theoretically if it survives an apachectl configtest, you should be 
good to go - and if it doesn't, neither method will restart apache.

cheers, Ian
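An added example, not code from the thread and not part of Apache or FreeBSD: a wrapper that does what the discussion above implies should happen at rotation time, namely run the syntax check first and only then send httpd the graceful-restart signal, so a rotation on a broken config leaves the old httpd running rather than dead. It assumes apachectl is in PATH and the /var/run/httpd.pid path from the thread; both can be overridden (CONFIGTEST and the first argument). It also refuses a pid file that does not hold a single numeric pid of a live process, since a stale or tampered pid file would otherwise send the signal to some unrelated process.

```sh
#!/bin/sh
# Added example, not from the thread: check the Apache config before
# sending httpd the graceful-restart signal (SIGUSR1, as apachectl
# graceful does).  Assumes apachectl in PATH; CONFIGTEST and the pid
# file path can be overridden, e.g. for testing.

# Accept a pid file only if it holds one positive integer naming a
# live process.  A stale or writable pid file must never make us
# signal some unrelated process.
read_pid() {
    pidfile=$1
    [ -r "$pidfile" ] || return 1
    pid=$(head -n 1 "$pidfile" | tr -d '[:space:]')
    case $pid in
        ''|*[!0-9]*) return 1 ;;   # empty or not purely numeric
    esac
    [ "$pid" -gt 1 ] || return 1   # never pid 0 or 1
    kill -0 "$pid" 2>/dev/null || return 1
    printf '%s\n' "$pid"
}

# Syntax check; only the exit status matters.
config_ok() {
    ${CONFIGTEST:-apachectl configtest} >/dev/null 2>&1
}

# Returns 0 when httpd was signalled, 2 when configtest failed,
# 3 when the pid file is unusable.  Nothing is signalled on failure,
# so the running httpd keeps serving with its old config.
graceful_if_sane() {
    pidfile=${1:-/var/run/httpd.pid}
    pid=$(read_pid "$pidfile") || return 3
    config_ok || return 2
    kill -USR1 "$pid"
}

# Stand-alone use, from whatever runs after the logs are rotated:
#   graceful_if_sane /var/run/httpd.pid || echo "httpd not restarted: $?" >&2
```

The exit codes are distinct on purpose: a cron job can tell "config is broken, go fix it" (2) from "httpd is not running at all" (3), which is exactly the distinction the poster had to work out from two error logs.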


Re: Problems moving my jails (mv: Operation not permitted)

2008-10-05 Thread Ian Smith
On Sat, 4 Oct 2008, Redd Vinylene wrote:
 > On Sat, Oct 4, 2008 at 9:22 PM, George Hartzell <[EMAIL PROTECTED]> wrote:
 > > Redd Vinylene writes:
 > >  > On Sat, Oct 4, 2008 at 9:02 PM, George Hartzell <[EMAIL PROTECTED]> 
 > > wrote:
 > >  > >
 > >  > > If you do an ls -lo /home/jail/box/usr/bin/chpass, you'll probably see
 > >  > > the schg flag set.  Man chflags for more info and instructions on how
 > >  > > to unset it
 > >  > >
 > >  > > g.
 > >  > >
 > >  >
 > >  > Yes:
 > >  >
 > >  > -r-sr-xr-x  6 root  wheel  schg 18468 Aug  2 19:47 
 > > /usr/jail/box/usr/bin/chpass
 > >  >
 > >  > So I'd simply have to "chflags noschg /usr/jail/box/usr/bin/chpass"
 > >  > and then "cp /usr/jail/box/usr/bin/chpass
 > >  > /home/jail/box/usr/bin/chpass"?
 > >
 > > I think that you ought to be able to cp it as is.  You're just not
 > > allowed to change the original (e.g. remove it), which is why your mv
 > > and rm failed.
 > >
 > > g.
 > >
 > 
 > I've been told that changing flags might seriously mess things up. Is
 > there any way to copy the remaining files from /usr/jail into
 > /home/jail, or do I have to rebuild everything from scratch?

Having read the thread to date, I reckon you should:

 a) find(1) all schg files in your jails (was chpass the only one?)
 b) clear the schg flag on any such found as above (-R if you like)
 c) use mv as you originally intended (if they're still there :)
 d) chflags schg on all files that were originally set that way.

If you do use cp instead of mv, make sure to use cp -p to preserve 
each file's owner/group/permissions/datestamp.

 e) make sure any and all symlinks still point to the right file/s.

Personally I'd use cp -pR rather than mv in case I stuffed it up :) but 
then being perhaps overcautious I'd have started off with a 'ls -lR 
/usr/jail > listfile' (if I hadn't made a backup tar) to at least have a 
full list of what was where, with what user/perms etc ..

Also read cp(1) re -R flag carefully .. if there are any hard linked 
files, as there may well be, then using tar to move these would be 
the safest bet anyway - plus you'd have a backup .. next time anyway :)

Since it just failed to mv some files, you shouldn't need to rebuild if 
you can mv those files and reset their flags/permissions correctly.

cheers, Ian 
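An added example, not the poster's or FreeBSD's own code: steps a) to e) above as a script. It records which files carry schg before touching anything, moves the tree with tar (which keeps hard links, owners, modes and times, where cp -R copies hard-linked files separately), then re-applies the flag on the copy, leaving removal of the old tree to a human who has checked the new one. The /usr/jail and /home/jail paths are the thread's; the second file name in the test is made up for illustration. One caveat the thread does not mention: chflags noschg fails with "Operation not permitted" when kern.securelevel is above 0, so on such a host the flags can only be cleared from single-user mode or after lowering the securelevel at boot. DRYRUN=1 prints the chflags commands instead of running them.

```sh
#!/bin/sh
# Added example, not from the thread.  Moves a jail tree containing
# schg (system immutable) files: record the schg files, clear the flag,
# copy with tar, re-apply the flag at the new location.  Assumes
# FreeBSD find(1) -flags and chflags(1).  DRYRUN=1 prints instead of
# executing; this is how you should run it the first time.

run() {  # execute a command, or print it when dry-running
    if [ -n "$DRYRUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# a) record every schg file under SRC, one absolute path per line
record_schg() {
    src=$1 listfile=$2
    find "$src" -flags +schg -print > "$listfile"
}

# b) and d): clear or set FLAG on every path in LISTFILE, rewriting the
# OLD prefix to NEW so one list serves both ends of the move
apply_flag() {
    flag=$1 listfile=$2 old=$3 new=$4
    while IFS= read -r path; do
        case $path in "$old"/*) path=$new${path#"$old"} ;; esac
        run chflags "$flag" "$path"
    done < "$listfile"
}

# c) copy with tar, not mv/cp: tar preserves hard links, owners, modes
# and times, and the source stays intact until you have verified the copy
copy_tree() {
    src=$1 dst=$2
    run mkdir -p "$dst"
    if [ -n "$DRYRUN" ]; then
        printf 'tar -cf - -C %s . | tar -xpf - -C %s\n' "$src" "$dst"
    else
        tar -cf - -C "$src" . | tar -xpf - -C "$dst"
    fi
}

# whole procedure; e) checking symlinks is left to 'find NEW -type l -exec ls -l {} +'
move_jail() {
    old=$1 new=$2 listfile=${3:-/var/tmp/schg.list}
    record_schg "$old" "$listfile"
    apply_flag noschg "$listfile" "$old" "$old"
    copy_tree "$old" "$new"
    apply_flag schg "$listfile" "$old" "$new"
    echo "schg restored under $new; remove $old only after checking it" >&2
}

# e.g.:  DRYRUN=1 move_jail /usr/jail /home/jail
```

Keep the list file: it is the record of which setuid binaries were protected, which is worth having if the move is ever questioned later.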


Re: man -t odd page size

2008-10-23 Thread Ian Smith
On Wed, 22 Oct 2008 23:35:25 -0200 Gonzalo Nemmi <[EMAIL PROTECTED]> wrote:
 > On Wednesday 22 October 2008 10:38:40 pm Polytropon wrote:

[..]

Polytropon: thanks for pdfman script - but does 'pdfman ipfw' work for 
you?  Here the 'overprinting' is misaligned in gv, while others are ok.

 > > I know this is not the best idea, but it should be accomplishable
 > > without many problems. A better idea would be to write a simple
 > > filter that convert the man page (including formatting characters)
 > > into LaTeX source and then run it through pdflatex.
 > 
 > Exactly .. you got it just the way I wanted .. after your explanation, the 
 > question _begs_ to be asked: do we, citizens of ISO 216 adopting countries, 
 > have to walk that cumbersome path in order to get something as simple as an 
 > ISO compliant document??
 > 
 > Shouldn't it be the other way around???
 > 
 > Does an immensely huge majority have to walk the extra mile in order to get 
 > an 
 > ISO compliant document whereas a small minority benefits from having non ISO 
 > compliant default formats???

Gonzalo: shouldn't that be 'the extra kilometre?' :)

Well, a quarter of the people on this planet live in China, so by your 
theory shouldn't the FreeBSD lists, docs and code all be in Chinese?

I doubt an 'immensely huge majority' of FreeBSD systems are located 
outside the US (data at http://www.bsdstats.org/freebsd/countries.php 
notwithstanding, reckoning Australia to have the most FreeBSD users :)

 > I, for once, would pretty much like to know the logic behind that decision.

It's not logic, nor even a decision, but simply a matter of tradition.

 > > > and on a side note: will we ever get to see ISO 216 A4 as the default
 > > > choice for output instead of not-standard, only useful in the US but
 > > > useless in the rest of the whole world "letter" page size and the
 > > > likes???

I've yet to run into any printing or display software that didn't offer 
a wide choice of formats, including A4 and many other A* sizes, so what 
any particular software chooses as its 'default' scarcely matters.

 > > You're getting my thoughts, man. :-) I'd like to see this happen,
 > > too, but I don't think the developers of FreeBSD and all the fine
 > > applications will say goodbye to their Letter, Legal, Exec etc.
 > > paper formats. A4 isn't a DIN standard anymore, its ISO for many
 > > years now, and unlike Letter, it has the ability to be scaled
 > > (to half size, to quarter size, to double size) easily. Today,
 > > the manual replacement of many different settings is needed to
 > > get a system A4 compliant.
 > >
 > > Greetings from Germany, where A4 is the standard for more than
 > > a century now. =^_^=
 > 
 > I really hope they do, or at least, start contemplating the fact that ISO 
 > standards are useful as a whole or are not useful at all ..

That's not true at all; there's no 'all or nothing' about standards.  
What actually works and is adopted in the real world determines that.

Ask yourself: how come the world uses TCP/IP for internet communications 
rather than the OSI X.200-X.219 suite?  How come we're still using SMTP 
plus a pile of RFCs to deliver email rather than the X.400-X.420 suite?

Apart from SNMP and its use of (a subset of) the ASN.1 / BER notation, 
and the X.500-X.521 directory services model to the extent of X.501 
certificates, not much of the massive CCITT / OSI / ISO 'standards' have 
ever entered common usage, most being a camel designed by committee.

In '91 I bought three 'fascicles' (volumes) of the CCITT Blue Book for 
the best part of A$500, then convinced it was the way things would go.  
I was entirely wrong :) but I don't regret that study for ASN.1 alone.

 > Greetings from Argentina, where A4 is the standard from 1943.
 > 
 > And yes .. so are the metric system, kilograms, litres, etc :)

I suspect the Yanquis will abandon letter, legal etc paper sizes around 
the same time they jettison pounds and ounces, feet and inches, gallons 
and pints .. that is, you probably shouldn't be holding your breath :)

cheers, Ian


Re: man -t odd page size

2008-10-23 Thread Ian Smith
On Thu, 23 Oct 2008, Polytropon wrote:
 > On Thu, 23 Oct 2008 19:37:56 +1100 (EST), Ian Smith <[EMAIL PROTECTED]> 
 > wrote:
 > > Polytropon: thanks for pdfman script - but does 'pdfman ipfw' work for 
 > > you?  Here the 'overprinting' is misaligned in gv, while others are ok.
 > 
 > Yes, but it outputs an error message:
 > 
 >  :2620: warning [p 25, 6.2i]: cannot adjust line
 > 
 > The PDF file is 26 pages long. Maybe another PDF viewer will work
 > better (xpdf)?

Modified to rm any /tmp/man.pdf first, then tried both xpdf and kpdf .. 
still the same problem.  Here's a small (if messy) text clip from xpdf; 
all the underlining and overprinting stuff gets scrambled, plus some 
missing newlines later in the file ..

N A ME
 N AM E
   ip fw -- IP firewall and traffic shaper control program
 pf w
S YN OP SI S
 SY NO PS I S
   ip fw [- c q] a dd _ u_ e
 pf w - cq ad d r_ l_

However this time I noticed an error listed also, different to yours, 
maybe because mine is only 20 pages (this on 5.5-STABLE if it matters)

sola% pdfman ipfw
(source:.gz: No such file or directory
/usr/share/man/man8/ipfw.8.gz).gz: No such file or directory

Which is strange, and goes away if I redirect the first command's stderr 
to /dev/null, but it doesn't change the output.  The groff output looks 
ok, not that I read postscript beyond seeing head and tail look intact.

zcat `man -w [EMAIL PROTECTED] 2>/dev/null | groff -Tps -dpaper=a4 -P-pa4 
-mandoc \
 | ps2pdf - /tmp/man.pdf && gv /tmp/man.pdf

Seems that short (or maybe just 'some') mans work very well, but longer 
ones, (or just 'some others'?) have problems here, eg:

sola% pdfman ip # looks great, 5pp
sola% pdfman ipfw   # overprinting misaligned as above, 20pp
sola% pdfman csh# pretty rough and misaligned also, 48pp
:1798: normal or special character expected (got a tab 
character)
:1798: normal or special character expected (got a space)
:1798: normal or special character expected (got a space)
:1798: normal or special character expected (got a space)
:1800: a backspace character is not allowed in an escape name
:1801: a backspace character is not allowed in an escape name
:1804: warning: numeric expression expected (got `v')
sola%

Possibly just my out of date ports (don't ask), quite likely ps2pdf?

 > > Well, a quarter of the people on this planet live in China, so by your 
 > > theory shouldn't the FreeBSD lists, docs and code all be in Chinese?
 > 
 > Let me follow this Micky Mouse Logic. :-) Because the computer has
 > been invented by a German, all computer stuff should be in the
 > german language. And now all the Americans can feel how the average
 > german computer user feels today: scared by all the things he doesn't
 > understand. :-)

Charlie Babbage was German?  Learn something every day on this list :)

 > > What actually works and is adopted in the real world determines that.
 > 
 > Nota bene:
 > 
 > The worst solution always prevails.

But much sooner than the best, which takes forever.

 > People want cheap, they get cheap.

We wanted free, we got free .. and don't have to shell out maybe $10k+ 
for a shelf full of CCITT / ISO docs!

 > > Ask yourself: how come the world uses TCP/IP for internet communications 
 > > rather than the OSI X.200-X.219 suite?  How come we're still using SMTP 
 > > plus a pile of RFCs to deliver email rather than the X.400-X.420 suite?
 > 
 > Having worked with the AX.25 protocol (on amateur radio), sometimes
 > I tend to think... oh what a crap is TCP/IP... :-)

Well I suppose the ITU have a TCP/IP-free X.20something net running 
somewhere, but it doesn't look like pushing TCP/IP off its perch ..

cheers, Ian


Re: man -t odd page size

2008-10-24 Thread Ian Smith
Gonzalo, please cc those to whom you are responding.  I had to dig this 
out of the digest, which breaks the threading ..

On Thu, 23 Oct 2008 18:35:36 -0200 Gonzalo Nemmi <[EMAIL PROTECTED]> wrote:
[..]
 > > On Thu, Oct 23, 2008 at 10:37 AM, Ian Smith <[EMAIL PROTECTED]> wrote:
 > > > On Wed, 22 Oct 2008 23:35:25 -0200 Gonzalo Nemmi <[EMAIL PROTECTED]> 
 > > > wrote:
[..]
 > > >  > Does an inmensily huge majority have to walk the extra mile in order
 > > >  > to
 > > >
 > > > get an
 > > >
 > > >  > ISO compliant document whereas a small minority benefits from having
 > > >  > non
 > > >
 > > > ISO
 > > >
 > > >  > complaint default formats???

Gmail does a superb job of formatting quotes, eh?

 > > > Gonzalo: shouldn't that be 'the extra kilometre?' :)
 > > >
 > > > Well, a quarter of the people on this planet live in China, so by your
 > > > theory shouldn't the FreeBSD lists, docs and code all be in Chinese?
 > 
 > No .. languages are not ISO standards... let alone the fact that we are not 
 > discussing languages in here.

ISO is just another committee.  I think what you're really complaining 
about is that the US tends to ignore international standards.  We know 
that, it's more about politics .. also not being discussed in here :)

 > > > I doubt an 'immensely huge majority' of FreeBSD systems are located
 > > > outside the US (data at http://www.bsdstats.org/freebsd/countries.php
 > > > notwithstanding, reckoning Australia to have the most FreeBSD users :)
 > 
 > That's only if you take bsdstats as the ultimate and most authoritative word 
 > on the location of FreeBSD based systems. I do not. And actually Im running 
 > 3 
 > FreeBSD systems in my place and Argentina doesn't even figure on that list.

My point exactly!  So where do you get your assumption that the majority 
of FreeBSD systems, let alone an 'immensely huge' majority, are located 
outside the US?  I don't say the opposite, just that it's unprovable.

 > > >  > > > and on a side note: will we ever get to see ISO 216 A4 as the
 > > >
 > > > default
 > > >
 > > >  > > > choice for output instead of not-standard, only useful in the US
 > > >
 > > > but
 > > >
 > > >  > > > useless in the rest of the whole world "letter" page size and the
 > > >  > > > likes???
 > > >
 > > > I've yet to run into any printing or display software that didn't offer
 > > > a wide choice of formats, including A4 and many other A* sizes, so what
 > > > any particular software chooses as its 'default' scarcely matters.
 > 
 > To you .. but not for me or for anyone who lives in a country in which 
 > non-iso-standard paper (like letter) is simply _not_available_ or costs 
 > twice 
 > as much as A4.

Australia went metric in the mid '70s, and I don't know where I could 
find letter-size paper if I wanted any, which I don't.  Nor do I find it 
any great inconvenience to select A4 for printing.  Storm in a teacup?

 > I understand this may not be a problem for someone who can just "man -t man  |
 > ps2pdf14 - > man_getopt" and get a printable pdf that uses the whole page 
 > but 
 > I have to go "zcat `man -w ls` | groff -Tps -dpaper=a4 -P-pa4 -mandoc | 
 > ps2pdf - tmp.pdf" in order to get a useful output or use the first method 
 > and waste a lot of paper (wasting resources .. which is something the, we, 
 > citizens of the third world can not afford).

Oh please.  I wouldn't try remembering either of those incantations, and 
any process complicated enough to require looking up in the man/s goes 
into a one or two-line script here.  I can't afford wasted time either.

 > > >  > > Greetings from Germany, where A4 is the standard for more than
 > > >  > > a century now. =^_^=
 > > >  >
 > > >  > I really hope they do, or at least, start contemplating the fact that
 > > >
 > > > ISO
 > > >
 > > >  > standards are useful as a whole or are not useful at all ..
 > > >
 > > > That's not true at all; there's no 'all or nothing' about standards.
 > > > What actually works and is adopted in the real world determines that.
 > 
 > ISO 216 works (and it has worked ever since its conception, more than 100 
 > years ago) and is adopted in the real world, except for the US, Mexico and 
 > Canada.
 > 
 > http://www.cl.cam.ac.uk/~mgk2

Re: mpd - lcp protocol rejects

2008-10-25 Thread Ian Smith
On Fri, 24 Oct 2008 22:08:13 +0300 CK <[EMAIL PROTECTED]> wrote:
 > Hello,
 > 
 > I'm running mpd 4.4 on 6.3-STABLE #4. Connecting with mpd to my ISP's 
 > VPN server running poptop. Everything is ok for some time, and then all 
 > of a sudden mpd starts throwing weird protocol rejects to log file and 
 > vpn connection stops working.
 > 
 > mpd.conf:

I can't answer your question, but I'm pretty sure that if you posted 
your nicely detailed message to [EMAIL PROTECTED] especially if 
cc'd to [EMAIL PROTECTED] you'll most likely get an informed response.

cheers, Ian


Re: odd problem, system clock stops while power-down

2008-10-28 Thread Ian Smith
On Tue, 28 Oct 2008 12:46:58 +0100 Polytropon <[EMAIL PROTECTED]> wrote:
 > On Tue, 28 Oct 2008 03:17:39 -0700 (PDT), Richard Smith <[EMAIL PROTECTED]> 
 > wrote:
 > > How do i get around this so i wouldn't have to set the clock every
 > > time i boot into freebsd? and by the way, does freebsd use the
 > > CMOS clock?
 > 
 > An idea would be to use NTP to get the exact time from your
 > local atomic time dealer at system startup. :-)
 > 
 > See ntpd and ntpdate for further information.

Definitely the best advice.  However it doesn't explain why his system 
apparently fails to retrieve the current date & time from CMOS on boot.

Mine always have, though CMOS clocks rarely keep good time, so using NTP 
after network connection after boot I see initial corrections of several 
seconds usually .. still it's better than having all your log timestamps 
screwed after reboot until NTP does its thing.

Richard: are you running UTC or local time in CMOS?  If the latter, does 
the file /etc/wall_cmos_clock exist?

cheers, Ian


Re: odd problem, system clock stops while power-down

2008-10-29 Thread Ian Smith
On Wed, 29 Oct 2008, Richard Smith wrote:
 > >  > > How do i get around this so i wouldn't have to set the clock every
 > >  > > time i boot into freebsd? and by the way, does freebsd use the
 > >  > > CMOS clock?
 > >  > 
 > >  > An idea would be to use NTP to get the exact time from your
 > >  > local atomic time dealer at system startup. :-)
 > >  > 
 > >  > See ntpd and ntpdate for further information.
 > > 
 > > Definitely the best advice.  However it doesn't explain why his system 
 > > apparently fails to retrieve the current date & time from CMOS on boot.
 > > 
 > > Mine always have, though CMOS clocks rarely keep good time, so using NTP 
 > > after network connection after boot I see initial corrections of several 
 > > seconds usually .. still it's better than having all your log timestamps 
 > > screwed after reboot until NTP does its thing.
 > > 
 > > Richard: are you running UTC or local time in CMOS?  If the latter, does 
 > > the file /etc/wall_cmos_clock exist?
 > > 
 > > cheers, Ian

Copying back to the list, for the archives and for more eyes to help, 
especially if the below doesn't help.

 > Thanks for the reply, wondering how to configure freebsd to use CMOS 
 > time, as i'm using it as a desktop system. so it wouldn't be that my 
 > machine always connects to the Internet to get the correct time.

If in the wrong timezone it should come up a whole number of hours out.

 > my CMOS is running local time, and the file /etc/wall_cmos_clock 
 > exists. is the time zone configuration related to this problem?

Could well be.  Check out tzsetup(8) re setting your timezone.

If you update it, see the note about needing to run adjkerntz(8) .. but 
being a workstation you may as well just reboot to see if it's fixed :)

cheers, Ian


Apache environment variables - logical AND

2008-11-04 Thread Ian Smith
I know this isn't FreeBSD specific - but I am, so crave your indulgence.

Running Apache 1.3.27, using a fairly extensive access.conf to beat off 
the most rapacious robots and such, using mostly BrowserMatch[NoCase] 
and SetEnvIf to moderate access to several virtual hosts.  No problem.

OR conditions are of course straightforward:

  SetEnvIf  somevar
  SetEnvIf  somevar
  SetEnvIf  !somevar

What I can't figure out is how to set a variable3 if and only if both 
variable1 AND variable2 are set.  Eg:

  SetEnvIf Referer "^$" no_referer
  SetEnvIf User-Agent "^$" no_browser

I want the equivalent for this (invalid and totally fanciful) match: 

  SetEnvIf (no_browser AND no_referer) go_away

Any clues?

cheers, Ian


Re: Apache environment variables - logical AND

2008-11-05 Thread Ian Smith
On Tue, 4 Nov 2008, Jeremy Chadwick wrote:
 > On Wed, Nov 05, 2008 at 05:33:45PM +1100, Ian Smith wrote:
 > > I know this isn't FreeBSD specific - but I am, so crave your indulgence.
 > > 
 > > Running Apache 1.3.27, using a fairly extensive access.conf to beat off 
 > > the most rapacious robots and such, using mostly BrowserMatch[NoCase] 
 > > and SetEnvIf to moderate access to several virtual hosts.  No problem.
 > > 
 > > OR conditions are of course straightforward:
 > > 
 > >   SetEnvIf  somevar
 > >   SetEnvIf  somevar
 > >   SetEnvIf  !somevar
 > > 
 > > What I can't figure out is how to set a variable3 if and only if both 
 > > variable1 AND variable2 are set.  Eg:
 > > 
 > >   SetEnvIf Referer "^$" no_referer
 > >   SetEnvIf User-Agent "^$" no_browser
 > > 
 > > I want the equivalent for this (invalid and totally fanciful) match: 
 > > 
 > >   SetEnvIf (no_browser AND no_referer) go_away
 > 
 > Sounds like a job for mod_rewrite.  The SetEnvIf stuff is such a hack.

It may be a hack, but I've found it an extremely useful one so far.

 > This is what we use on our production servers (snipped to keep it
 > short):
 > 
 > RewriteEngine on
 > RewriteCond %{HTTP_REFERER} ^:                                 [OR]
 > RewriteCond %{HTTP_REFERER} ^http://forums.somethingawful.com/ [OR]
 > RewriteCond %{HTTP_REFERER} ^http://forums.fark.com/           [OR]
 > RewriteCond %{HTTP_USER_AGENT} ^Alexibot                       [OR]
 > RewriteCond %{HTTP_USER_AGENT} ^asterias                       [OR]
 > RewriteCond %{HTTP_USER_AGENT} ^BackDoorBot                    [OR]
 > RewriteCond %{HTTP_USER_AGENT} ^Black.Hole                     [NC,OR]
 > RewriteCond %{HTTP_USER_AGENT} ^WWWOFFLE                       [OR]
 > RewriteCond %{HTTP_USER_AGENT} ^Xaldon.WebSpider
 > RewriteRule ^.* - [F,L]
 > 
 > You need to keep something in mind however: blocking by user agent is
 > basically worthless these days.  Most "leeching" tools now let you
 > spoof the user agent to show up as Internet Explorer, essentially
 > defeating the checks.

While that's true, I've found most of the more troublesome robots are 
too proud of their 'brand' to spoof user agent, and those that do are a) 
often consistent enough in their Remote_Addr to exclude by subnet and/or 
b) often make obvious errors in spoofed User_Agent strings .. especially 
those pretending to be some variant of MSIE :)

 > If you're that concerned about bandwidth (which is why a lot of people
 > do the above), consider rate-limiting.  It's really, quite honestly, the
 > only method that is fail-safe.

Thanks Jeremy.  Certainly time to take the time to have another look at 
mod_rewrite, especially regarding redirection, alternative pages etc, 
but I still tend to glaze over about halfway through all that section.

And unless I've completely missed it, your examples don't address my 
question, being how to AND two or more conditions in a particular test?

If I really can't do this with mod_setenvif I'll have to take that time.

cheers, Ian


[SOLVED] Apache environment variables - logical AND

2008-11-08 Thread Ian Smith
On Wed, 5 Nov 2008, Jeremy Chadwick wrote:
 > On Wed, Nov 05, 2008 at 08:24:16PM +1100, Ian Smith wrote:
 > > On Tue, 4 Nov 2008, Jeremy Chadwick wrote:
 > >  > On Wed, Nov 05, 2008 at 05:33:45PM +1100, Ian Smith wrote:
 > >  > > I know this isn't FreeBSD specific - but I am, so crave your 
 > > indulgence.
 > >  > > 
 > >  > > Running Apache 1.3.27, using a fairly extensive access.conf to beat 
 > > off 
 > >  > > the most rapacious robots and such, using mostly BrowserMatch[NoCase] 
 > >  > > and SetEnvIf to moderate access to several virtual hosts.  No problem.
 > >  > > 
 > >  > > OR conditions are of course straightforward:
 > >  > > 
 > >  > >   SetEnvIf  somevar
 > >  > >   SetEnvIf  somevar
 > >  > >   SetEnvIf  !somevar
 > >  > > 
 > >  > > What I can't figure out is how to set a variable3 if and only if both 
 > >  > > variable1 AND variable2 are set.  Eg:
 > >  > > 
 > >  > >   SetEnvIf Referer "^$" no_referer
 > >  > >   SetEnvIf User-Agent "^$" no_browser
 > >  > > 
 > >  > > I want the equivalent for this (invalid and totally fanciful) match: 
 > >  > > 
 > >  > >   SetEnvIf (no_browser AND no_referer) go_away
 > >  > 
 > >  > Sounds like a job for mod_rewrite.  The SetEnvIf stuff is such a hack.

That's true.  Thanks for your considered and helpful tutorial.  I do use 
ipfw+dummynet for bandwidth limiting, and ipfw table 80 to house bogons.

But I finally figured out how to make such a hack work .. it just kept 
on bugging me until I woke up remembering some very basic logic; quite 
embarrassing really ..

# 9/11/8: preset env vars to be tested by value
SetEnvIf Referer    ".*" no_ref=0 no_bro=0 both=1
SetEnvIf Referer    "^$" no_ref=1
SetEnvIf User-Agent "^$" no_bro=1
# duh, logic 101: a AND b = NOT ( (NOT a) OR (NOT b) )
SetEnvIf no_ref 0 both=0
SetEnvIf no_bro 0 both=0
SetEnvIf both 1 go_away

It's a bit round about and awkward but seems to work fine, and this was 
just one example of several combination conditions I'd like to test.

cheers, Ian


 > > It may be a hack, but I've found it an extremely useful one so far.
 > >
 > >  > This is what we use on our production servers (snipped to keep it
 > >  > short):
 > >  > 
 > >  > RewriteEngine on
 > >  > RewriteCond %{HTTP_REFERER} ^:                                 [OR]
 > >  > RewriteCond %{HTTP_REFERER} ^http://forums.somethingawful.com/ [OR]
 > >  > RewriteCond %{HTTP_REFERER} ^http://forums.fark.com/           [OR]
 > >  > RewriteCond %{HTTP_USER_AGENT} ^Alexibot                       [OR]
 > >  > RewriteCond %{HTTP_USER_AGENT} ^asterias                       [OR]
 > >  > RewriteCond %{HTTP_USER_AGENT} ^BackDoorBot                    [OR]
 > >  > RewriteCond %{HTTP_USER_AGENT} ^Black.Hole                     [NC,OR]
 > >  > RewriteCond %{HTTP_USER_AGENT} ^WWWOFFLE                       [OR]
 > >  > RewriteCond %{HTTP_USER_AGENT} ^Xaldon.WebSpider
 > >  > RewriteRule ^.* - [F,L]
 > >  > 
 > >  > You need to keep something in mind however: blocking by user agent is
 > >  > basically worthless these days.  Most "leeching" tools now let you
 > >  > spoof the user agent to show up as Internet Explorer, essentially
 > >  > defeating the checks.
 > > 
 > > While that's true, I've found most of the more troublesome robots are 
 > > too proud of their 'brand' to spoof user agent, and those that do are a) 
 > > often consistent enough in their Remote_Addr to exclude by subnet and/or 
 > > b) often make obvious errors in spoofed User_Agent strings .. especially 
 > > those pretending to be some variant of MSIE :)
 > 
 > I haven't found this to be true at all, and I've been doing web hosting
 > since 1993.  In the past 2-3 years, the amount of leeching tools which
 > spoof their User-Agent has increased dramatically.
 >
 > But step back for a moment and look at it from a usability perspective,
 > because this is what really happens.
 > 
 > A user tries to leech a site you host, using FruitBatLeecher, which your
 > Apache server blocks based on User-Agent.  The user has no idea why the
 > leech program doesn't work.  Does the user simply give up his quest?
 > Absolutely not -- the user then goes and finds BobsBandwidthZilla which
 > pretends to be Internet Explorer, Firefox, or lynx, and downloads the
 > site.
 > 
 > Now, if you're trying to block robots/scrapers which aren't honourin
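An added example, not code from the thread or from Apache: before switching a rule like the go_away one above from logging to denying, run the same "both headers missing" test over an existing access log to see what it would have refused. Apache's combined log format writes an absent Referer or User-Agent as "-"; the sample lines here are constructed in that format and are not real traffic. The awk splits each line on the double quote, so field 2 is the request, 4 the Referer and 6 the User-Agent. One caveat: a client can put an escaped quote (\") inside a header and shift those fields, so this is a survey tool for your own logs, not a parser to trust against hostile input.

```sh
#!/bin/sh
# Added example, not from the thread.  Find requests in a combined-format
# Apache access log that carry neither a Referer nor a User-Agent, i.e.
# the AND condition the SetEnvIf rules above test for.  Splitting on the
# double quote gives: $2 request, $4 Referer, $6 User-Agent.

# Print "client request" for every matching line, then a total.
# Reads the log on stdin:  both_missing < /var/log/httpd-access.log
both_missing() {
    awk -F'"' '
        $4 == "-" && $6 == "-" { split($1, a, " "); print a[1], $2; n++ }
        END { print (n ? n : 0) " request(s) match" }'
}

# Count only, for a cron report or a quick before/after comparison.
count_both_missing() {
    awk -F'"' '$4 == "-" && $6 == "-" { n++ } END { print n + 0 }'
}

# Constructed sample log lines (not real traffic) for a self-test:
# lines 1 and 4 lack both headers, 2 lacks only the Referer, 3 only
# the User-Agent.
SAMPLE='192.0.2.10 - - [08/Nov/2008:09:00:01 +1100] "GET / HTTP/1.0" 200 512 "-" "-"
192.0.2.11 - - [08/Nov/2008:09:00:02 +1100] "GET /a HTTP/1.1" 200 88 "-" "Mozilla/5.0"
192.0.2.12 - - [08/Nov/2008:09:00:03 +1100] "GET /b HTTP/1.1" 200 88 "http://example.net/" "-"
192.0.2.13 - - [08/Nov/2008:09:00:04 +1100] "POST /c HTTP/1.1" 403 0 "-" "-"'

sample_count() { printf '%s\n' "$SAMPLE" | count_both_missing; }

# e.g.:  both_missing < /var/log/httpd-access.log
```

Run it against a week of logs before enabling the deny; if legitimate clients (monitoring probes, some RSS readers) show up with both headers empty, exempt them by address with a further SetEnvIf rather than relaxing the test.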

Re: some ipfw filter does not function under Release 6.3

2008-11-16 Thread Ian Smith
On Sat, 15 Nov 2008, Jin Guojun[VFF] wrote:

 >I think this is a bug in ipfw because after change the rule order, the
 >problem persists:
 >00566    26     3090 deny ip from 221.192.199.36 to any
 >65330  2018   983473 allow tcp from any to any established
 >65535     0        0 deny ip from any to any

Are you saying that the packets shown below from 221.192.199.36 arrived 
=after= you added rule 566, which denies all traffic from that address?

Are you showing us your entire ruleset; is it just those three rules?

Is the tcpdump shown running on the same box as ipfw, or another box?  

If another box, how is it connected through the firewall, to the net?

Which machine performs NAT for your network?  None of this is obvious.

Please show output of 'ifconfig' and 'netstat -rn' on the ipfw box?


 >15:47:21.238720 IP 221.192.199.36.4469 > 192.168.2.14.80: S
 >3191960249:3191960249(0) win 65535 
 >15:47:21.238768 IP 192.168.2.14.80 > 221.192.199.36.4469: S
 >2102254306:2102254306(0) ack 3191960250 win 65535 1460,sackOK,eol>
 >15:47:21.483754 IP 221.192.199.36.4469 > 192.168.2.14.80: . ack 1 win
 >65535
 >15:47:21.499489 IP 221.192.199.36.4469 > 192.168.2.14.80: P 1:206(205)
 >ack 1 win 65535
 >15:47:24.238570 IP 192.168.2.14.80 > 221.192.199.36.4469: S
 >2102254306:2102254306(0) ack 3191960250 win 65535 1460,sackOK,eol>
 >15:47:24.482113 IP 221.192.199.36.4469 > 192.168.2.14.80: . ack 1 win
 >65535
 >15:47:24.498613 IP 221.192.199.36.4469 > 192.168.2.14.80: P 1:206(205)
 >ack 1 win 65535
 >15:47:30.238574 IP 192.168.2.14.80 > 221.192.199.36.4469: S
 >2102254306:2102254306(0) ack 3191960250 win 65535 1460,sackOK,eol>
 >15:47:30.482746 IP 221.192.199.36.4469 > 192.168.2.14.80: . ack 1 win
 >65535
 >15:47:30.513193 IP 221.192.199.36.4469 > 192.168.2.14.80: P 1:206(205)
 >ack 1 win 65535
 >15:47:42.238577 IP 192.168.2.14.80 > 221.192.199.36.4469: S
 >2102254306:2102254306(0) ack 3191960250 win 65535 1460,sackOK,eol>
 >15:47:42.435040 IP 221.192.199.36.4469 > 192.168.2.14.80: P 1:206(205)
 >ack 1 win 65535
 >15:47:42.466055 IP 221.192.199.36.4469 > 192.168.2.14.80: . ack 1 win
 >65535
 >15:47:54.466599 IP 221.192.199.36.4469 > 192.168.2.14.80: P 1:206(205)
 >ack 1 win 65535
 >15:47:59.703272 IP 221.192.199.36.4469 > 192.168.2.14.80: R 206:206(0)
 >ack 1 win 0
 >
 >Jin Guojun[VFF] wrote:
 > 
 >But the rule 330 should only allow established TCP pass through. In
 >other words, Sync should NOT
 >allowed by rule 330, or I missed something for this rule?
 >Erik Trulsson wrote:
 > 
 > On Sat, Nov 15, 2008 at 01:38:02PM -0800, Jin Guojun[VFF] wrote:
 >   
 > 
 > Below is set of ipfw rules, but it seems that not all rules are 
 > functioning properly.
 >  From rule 361 to first two of rule 567 are not blocking any traffic and 
 > not measuring any traffic.
 > Is this because the tcp rule (330) can overwrite the ip rule? Or is this a 
 > known issue in R-6.3?

Misattribution here: Erik Trulsson wrote this next paragraph.  Please 
fix your quoting to show clearly who said what .. it will help us all.

Can you see why we try to discourage top-posting in the freebsd lists?

 > In general the first matching rule is the one that is applied.
 > In your case this means that if a packet matches  your rule 330 then 
 > it will be allowed through, and the rules further down the list will
 > not be considered.

Erik is right; you'll have to deny unwanted traffic before allowing the 
established traffic.  'established' here really means 'not setup', ie 
not SYN-only packets; ipfw doesn't track TCP sessions, the stack does.

People can send bogus established packets, and though they won't have a 
socket to connect to, they're still inbound traffic you have to receive 
to even block, which can consume bandwidth and perhaps money.

Sometimes these are a result of someone sending TCP setup packets to 
some other host, with the source address forged as yours .. you get the 
SYN+ACK packets, which do pass as established through ipfw.  It's 
possible that the host you see as attacking you may itself be victim ..

Yes, I did read your PR .. no sign of that host here so far, so it might 
just be scanning networks a bit closer to home:

http://www.iptools.com/dnstools.php?tool=ipwhois&user_data=221.192.199.36&submit=Go

 > The second and third rules in rule set 567 seem working well.
 > 
 > -Jin
 > 
 >  ipfw rule sets -
 > 00330 3108378 2700826874 allow tcp from any to any established
 > 00361   0  0 deny ip from 203.83.248.93 to any
 > 00361   0  0 deny ip from 72.30.142.215 to any
 > 00567   0  0 deny ip from 193.200.241.171 to any
 > 00567   0  0 deny ip from 221.192.199.36 to any
 > 00567   3 180 deny ip from 118.153.18.186 to any
 > 00567   3 180 deny ip from 203.78.214.180 to an

Re: some ipfw filter does not function under Release 6.3

2008-11-16 Thread Ian Smith
On Sun, 16 Nov 2008, Jin Guojun[VFF] wrote:
 > Ian Smith wrote:
 > 
 > > On Sat, 15 Nov 2008, Jin Guojun[VFF] wrote:
 > > 
 > > >I think this is a bug in ipfw because after change the rule order, the
 > > >problem persists:
 > > >00566 26 3090 deny ip from 221.192.199.36 to any
 > > >65330 2018 983473 allow tcp from any to any established
 > > >65535 0 0 deny ip from any to any
 > > 
 > > Are you saying that the packets shown below from 221.192.199.36 arrived
 > > =after= you added rule 566, which denies all traffic from that address?
 > > 
 > > Are you showing us your entire ruleset; is it just those three rules?
 > > 
 > > Is the tcpdump shown running on the same box as ipfw, or another box?  
 > > If another box, how is it connected through the firewall, to the net?
 > > 
 > > Which machine performs NAT for your network?  None of this is obvious.
 > > 
 > > Please show output of 'ifconfig' and 'netstat -rn' on the ipfw box?

 > I have found the problem, due to the NIC naming change after the motherboard
 > upgrade.
 > The em0 was LAN port, but now it is WAN port. So, the following rule caused
 > Sync coming in:
 > 
 > 00123 12  528 allow tcp from any to 192.168.0.0/16 via em0 setup

Ahah!

 > This is my configuration fault, and we can close PR kern/128902.
 > 
 > Thanks,
 > -Jin

Glad you found it so soon, Jin; that was one very short-lived PR :)

cheers, Ian
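
Erik's point about first-match evaluation and Ian's remark that 'established' just means 'not setup' are easy to check without a FreeBSD box. The following is an added example written for this archive, not ipfw source and not code posted by anyone in the thread: a small Python model of ipfw's first-match walk over a rule list, with just enough of the `setup`, `established` and `via` matching to replay the situations discussed above: Jin's original order (allow established before deny), the reordered set, and the rule 123 from his follow-up where em0 had become the WAN port. The addresses 221.192.199.36, 192.168.2.14, 192.168.0.0/16 and the interface em0 are the ones from the thread; 203.0.113.7 (documentation range) is a constructed sender for the SYN+ACK backscatter case Ian describes, and the default deny at 65535 assumes a kernel built without IPFIREWALL_DEFAULT_TO_ACCEPT.

```python
"""Toy model of ipfw first-match rule evaluation (added example, not ipfw source)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp", "icmp"
    src: str
    dst: str
    iface: str          # interface the packet passes through ("via")
    syn: bool = False   # TCP flags that decide setup vs established
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                 # "allow" or "deny"
    proto: str                  # "ip" matches every protocol
    src: str                    # "any" or an address/CIDR
    dst: str
    via: Optional[str] = None   # None means any interface
    setup: bool = False         # SYN set and ACK clear: a new connection attempt
    established: bool = False   # any TCP packet that is *not* setup; no state is kept


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def is_setup(pkt: Packet) -> bool:
    return pkt.proto == "tcp" and pkt.syn and not pkt.ack


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (_addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)):
        return False
    if rule.via is not None and rule.via != pkt.iface:
        return False
    if rule.setup and not is_setup(pkt):
        return False
    if rule.established and (pkt.proto != "tcp" or is_setup(pkt)):
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[int, str]:
    """Walk the rules in number order and return (number, action) of the first
    match.  Rule 65535 is the implicit deny-everything at the end (assumed:
    a kernel built without IPFIREWALL_DEFAULT_TO_ACCEPT)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt):
            return rule.number, rule.action
    return 65535, "deny"


# Rule sets modelled on the thread.  "allow established" first, as Jin had it:
ORIGINAL = [
    Rule(330, "allow", "tcp", "any", "any", established=True),
    Rule(567, "deny", "ip", "221.192.199.36", "any"),
]
# Deny first, as Erik and Ian suggested:
REORDERED = [
    Rule(566, "deny", "ip", "221.192.199.36", "any"),
    Rule(65330, "allow", "tcp", "any", "any", established=True),
]
# Jin's follow-up: rule 123 was written for em0 as the LAN port, but em0 had become the WAN port.
MISNAMED_NIC = [Rule(123, "allow", "tcp", "any", "192.168.0.0/16", via="em0", setup=True)] + REORDERED

# Constructed packets.  The scanner and web server addresses are from the thread;
# 203.0.113.7 (documentation range) stands in for an unrelated host whose SYN+ACK
# reaches us because someone forged our address in a SYN sent to it.
SYN_FROM_SCANNER = Packet("tcp", "221.192.199.36", "192.168.2.14", "em0", syn=True)
ACK_FROM_SCANNER = Packet("tcp", "221.192.199.36", "192.168.2.14", "em0", ack=True)
SYNACK_BACKSCATTER = Packet("tcp", "203.0.113.7", "192.168.2.14", "em0", syn=True, ack=True)


def demo():
    """Return the verdict for each (ruleset, packet) pair so the effect of
    rule order can be compared side by side."""
    return {
        "original/syn": evaluate(ORIGINAL, SYN_FROM_SCANNER),              # (567, "deny")
        "original/ack": evaluate(ORIGINAL, ACK_FROM_SCANNER),              # (330, "allow"): slips past the deny
        "reordered/ack": evaluate(REORDERED, ACK_FROM_SCANNER),            # (566, "deny")
        "reordered/backscatter": evaluate(REORDERED, SYNACK_BACKSCATTER),  # (65330, "allow"): SYN+ACK is "established"
        "misnamed-nic/syn": evaluate(MISNAMED_NIC, SYN_FROM_SCANNER),      # (123, "allow"): the em0 mistake
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:24s} -> rule {verdict[0]:5d} {verdict[1]}")
```

The model deliberately keeps no connection state, which is exactly why the SYN+ACK backscatter case is allowed by the `established` rule in either order: as Ian says, ipfw only checks that the packet is not a bare SYN, the TCP stack does the rest. Ports, options, `keep-state`/`check-state` and `skipto` are left out, so it is an aid for reasoning about rule order, not a replacement for `ipfw -ted show` and `log` on the real box.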


Re: Problem about ppp -nat

2008-11-23 Thread Ian Smith
On Sun, 23 Nov 2008 14:14:44 +0700 "Pongthep Kulkrisada" <[EMAIL PROTECTED]> 
wrote:
 > Hi All,
 > 
 > Firstly, I'm sorry for late reply. For simplicity to your responses, I shall
 > ask question by question...
 > 
 > * Manolis Kiagias ([EMAIL PROTECTED]) wrote:
 > >
 > > There are at least two ways that I know of to achieve this. One uses the
 > > ipfw firewall, the other the pf firewall.
 > > For the ipfw solution, look at the FreeBSD Handbook:
 > >
 > >
 > http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html

Since you're running FreeBSD 7 with ipfw, there's actually a third way: 
in-kernel NAT.  See ipfw(8) searching for NAT (in caps) for the section.

 > 1. I heard that ppp itself has capability of NAT. It can work with the
 > command ppp -nat and without running natd. Please tell me whether it is
 > right or wrong. ipfw is the same. If natd is not used, I can't add the rule
 > ...
 > 
 > add divert natd ip from any to any via tun0
 > 
 > to /etc/ipfw.rules. I'm confused.

You're right in that if you use ppp -nat, NAT's already done by the time 
ipfw (or pf, ipf etc) sees the packets.  ppp has some simple and limited 
rules you might apply, but I'd have to recommend using either natd(8) or 
ipfw nat, and running ppp without -nat.  This leaves open for you the 
possibility of using mpd rather than ppp, either dialup or pppoe etc.

All use the same libalias(3) libraries, but both ppp -nat and natd run 
in userland, while ipfw nat runs in-kernel, which may not matter at 
dialup speeds, but will migrate easily if/when you get a faster link.

 > 2. And if natd is still required, what -nat argument (ppp -nat) is for?

For some very simple nat setups, mostly in ye olden days :)

 > > This worked fine for me, although I prefer to use pf. Here is how I
 > > setup pf (Adjust for your interfaces as necessary)
 > >
 > > My Internet interface is rl0, setup in rc.conf as:
 > >
 > > ifconfig_rl0="inet 192.168.0.100 netmask 255.255.255.0"
 > >
 > > My local interface is rl1, setup in rc.conf as:
 > >
 > > ifconfig_rl1="inet 192.168.1.100 netmask 255.255.255.0"

 > 3. I haven't mentioned that I can't use this configuration. I have 2
 > interfaces i.e. public and private LAN. But I have only one NIC card for
 > private LAN. I don't have NIC card for public. I'm using 56k modem to
 > connect the outside world. I think I can't add
 > 
 > ifconfig_tun0="inet 192.168.0.100 netmask 0xff00"
 > 
 > to /etc/rc.conf. If I'm wrong, please tell me.

No, and you don't need to; ppp (or mpd) assigns the 'outside' IP and 
sets up the default route through it on connection or renegotiation, 
assuming your ppp.conf is setup right.  I gather from your previous 
success with ppp that this is most likely not a problem.

 > I did much googling. All sites always refer 2 NIC cards being used like your
 > example. I do have only one NIC card + 56k serial modem (/dev/cuad0).

That's fine.  tun0 for ppp (or ng0 for mpd) will be configured as your 
outside interface, and ipfw only needs that, not its (varying) address.
 
 > > (I also have a defaultrouter setting which probably does not apply to you)
 > >
 > > I have nameserver entries in /etc/resolv.conf (or setup your own DNS
 > > server if you wish)

 > 4. I also have nameserver entries. I tried setting DNS server on my WinXP
 > host to both gateway (FBSD host) and DNS servers of ISP. Both don't work.

Once you get the NAT right, that should work out.  I think ppp will 
fetch nameserver addresses for you if so configured, mpd sure will, or 
if they're constant just use resolv.conf and have ppp leave it alone.

 > > Use this settings in rc.conf for pf:
 > >
 > > pf_enable="YES"
 > > pflog_logfile="/var/log/pflog"
 > > pflog_flags=""
 > > pf_rules="/etc/pf.conf"
 > > pf_flags=""
 > > gateway_enable="YES"

 > 5. I think I have equivalent setting of ipfw in /etc/rc.conf but don't work.
 > gateway_enable="YES"
 > firewall_enable="YES"
 > firewall_type="OPEN"
 > firewall_quite="YES"

That's 'firewall_quiet' - I think it only gets used by the default rules 
in rc.firewall, unless you add a check for it in your own, to add a '-q' 
flag to each ipfw command, so it's not noisy on boot or reloading ipfw.

 > firewall_script="/etc/ipfw.rules"
 > firewall_logging="YES"

If you've used the IPFW section in the Handbook as a guide, I suggest 
reconsidering that after half a dozen browses of ipfw(8), and instead 
try using the 'simple' ruleset in rc.firewall at least to get going; of 
particular concern is the placement of divert rule/s in that scenario, 
where those anti-spoofing rules protect you from NAT misconfiguration.

 > > Run:
 > > # sysctl net.inet.ip.forwarding=1
 > > # /etc/rc.d/routing restart
 > >
 > > Add net.inet.ip.forwarding=1 to /etc/sysctl.conf so it persists reboots

gateway_enable=YES in rc.conf is an easier way to accomplish the same.

 > 6. I recompiled my kernel.
 > options IPFIREWALL
 > options IPFIREWALL_FORWARD
 > options IPFIREWALL_DEFAULT_TO_ACCEPT
 > opt

Re: Problem about ppp -nat

2008-11-29 Thread Ian Smith
On Fri, 28 Nov 2008, Pongthep Kulkrisada wrote:
 > Hi all,
 > 
 > > I didn't touch /etc/ppp/ppp.conf, which has been working for 5 years
 > > since FBSD5.0R. Even if I go back to GENERIC kernel. I could not dial out
 > > to ISP in any ways. I didn't know what I do wrong even if
 > > I did read many docs.

 > I tried exactly what being described in the handbook. But all failed, 
 > I still can't dial ISP. I think that posting /etc/ppp/ppp.conf may be 
 > useful for your diagnostic. Note that this file has been used for 
 > long time and never changed. But I've just reminded that ppp is 
 > changed from version to version. My ppp.conf may not suit the current 
 > version. I don't know.
 > 
 > # cat /etc/ppp/ppp.conf
 > 
 > default:
 >  set log Phase Chat LCP IPCP CCP tun command

Try using more logging, at least temporarily, then you should be able to 
see from your ppp.log just what's going on.  For about 10 years I used:

  set log phase chat connect carrier link ipcp ccp ID0 TUN command

 >  ident user-ppp VERSION (built COMPILATIONDATE)
 > 
 >  set device /dev/cuad0

Try /dev/cuaa0.  At least in the olden days, cuad0 was configured more 
for dialin rather than dialout.  This may? explain the next two lines:

 >  set ctsrts off    # enables software flow control
 >  set accmap 000a   # comments out these 2 lines for hardware flow control

Not sure why you don't want to use hardware flow control?  Is this with 
a regular external modem?  Anyway, I've always used ctsrts (with cuaa0).

 >  set speed 115200
 >  disable pred1
 >  deny pred1
 >  disable lqr
 >  deny lqr
 >  set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \
 > \"\" AT OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 180 CONNECT"
 >  set redial 3 20
 >  enable dns # request DNS info (for resolv.conf)

Looks ok.  TIMEOUT 60 is plenty for a dialup modem, but whatever.

 > isp:
 >  set phone 0123456789
 >  set authname [EMAIL PROTECTED]
 >  set authkey mypassword
 >  set timeout 0
 >  add! default HISADDR   # Add a (sticky) default route
 >  set openmode active
 >  accept pap
 >  set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
 >  add 0 0 HISADDR

You probably don't want both those add statements.  Try taking out the 
first one, and replacing the last one with the add! default HISADDR.

Unsure if you need an 'enable pap' as well, maybe default.  Can't hurt.

Anyway, some extra logging should show you when and how it fails, if it 
still does ..

cheers, Ian


Re: Problem about ppp -nat

2008-11-29 Thread Ian Smith
On Wed, 26 Nov 2008, Pongthep Kulkrisada wrote:
[..]
 > read many docs. Yesterday I decided to re-install FBSD7.0R from CDs 
 > again. That causes late reply, I'm sorry. :-(

No worries .. it's not like we were just hanging out waiting :)

 > I now have gateway_enable="YES" and firewall_enable="YES" in my /etc/rc.conf.
 > I can then dial ISP again. Then the following steps were taken.
 > 
 > 1. I can ping any sites and very fast.
 > 2. # kldload ipfw (as I don't want to compile kernel anymore.)
 > 3. # kldload ipdivert

I was under the impression that divert had to be built into the kernel, 
but perhaps kldload ipdivert works all right with 7.x.

 > 4. I also have ``natd 8668/divert'' in my /etc/services.
 > 5. # natd -interface tun0
 > 6. # /sbin/ipfw add 101 divert natd all from any to any via tun0
 > 7. # /sbin/ipfw add 102 pass all from any to any
 > (Note that my first ipfw rule is 100 check-state. So steps 6 and 7 
 > should be considered as the first two filtering rules.)

Just as an aside, as you're not using any keep-state rules: you should 
do NAT before a check-state, so packets match dynamic rules after NAT.

 > I do this way because I know from reading document that ppp must be 
 > run before natd. I always want to dial ppp by myself so I can't put 
 > natd in /etc/rc.conf. And doing it interactively is very easy to 
 > detect when something goes wrong and step 1 can prove my good 
 > connection.

More specifically the interface, here tun0, must exist before using 
divert sockets using that interface.  natd(8) says:

 3.   If you use the -interface option, make sure that your interface is
  already configured.  If, for example, you wish to specify `tun0' as
  your interface, and you are using ppp(8) on that interface, you must
  make sure that you start ppp prior to starting natd.

You've probably noticed that tun0 doesn't go away when you close ppp, so 
it's sufficient to have run ppp once before using the divert rule.  In 
any case I doubt this'd really do any harm (apart from not working :)

There's another way to bring up ppp (so creating tun0) without dialing 
out until you're ready; using ppp -auto, with a dial filter rule/s.  See 
ppp(8) and the examples in /usr/share/examples/ppp/ppp.conf.sample ..
maybe something like:

set filter dial  00 0 icmp src eq 8

which will only dial upon seeing an outbound ping packet.  You could 
specify some address rather than 0 0 if you want to be more specific.

 > After step 7 I switched to terminal, which keeping ping. 
 > I found that ping stalled. I tried re-connect many times, now I know 
 > that step 3 causes the problem. I have also tried putting 
 > ipfw_load="YES" and ipdivert_load="YES" in /boot/loader.conf. The 
 > problem persists. I'm quite sure that the module ipdivert has adverse 
 > effect to the connection through modem. Should I say a bug?!!! 

Perhaps others can say if it's ok to kldload ipdivert after ipfw these 
days?  In any case, this could mean coincidence rather than causation.
You've not shown error messages from ppp.log indicating disconnection?

Two things you should always check if there are problems passing traffic 
through an interface that's apparently 'UP':
# ifconfig  # make sure addresses, netmasks, etc make sense.
# netstat -finet -ran   # check the default and other routes make sense.

 > Without ipdivert I can not play NAT (I don't want to learn ``ipfw 
 > nat'' and ``ppp -nat'' for now). This was also the major problem when 

'ipfw nat' is as easy to setup as natd, using much the same semantics, 
and doesn't require the presence of ipdivert.  I can't say whether it 
would get upset if tun0 was specified and didn't yet exist, but expect 
it'll just ignore any packets that don't match the specified interface, 
though I can't test that here now.  Something like this should work:

# ipfw nat 123 config if tun0 log deny_in same_ports unreg_only reset
# ipfw add [number] nat 123 ip4 from any to any via tun0

where 123 is an arbitrary number, and ip4 is more specific than 'all'.
 
nat logging is likely intense, but useful until things are working. 
deny_in provides some protection till your ipfw is properly setup.
unreg_only means only traffic from your internal network (eg 192.168.*) 
is considered, not traffic from your router itself - maybe quicker.
reset clears the aliasing table if your IP address on tun0 changes.

You can study more about all NAT functionality in 'man 3 libalias'.

 > I recompiled kernel with options IPDIVERT few days ago. That caused 
 > me unable to connect ISP. One thing I should note here, always run 
 > ppp before natd. Last time when I was on GENERIC kernel, I couldn't 
 > connect ISP because my /etc/rc.conf contained natd. So natd ran 

Again, I kinda doubt this is cause and effect; I can't see how the mere 
presence of ipdivert could have any such effect.  Perhaps the extra 
logging in ppp.log suggested might help debug this (other) problem

Re: Is there anything weird I should know about using ipfw on alias addresses?

2008-12-01 Thread Ian Smith
On Mon, 01 Dec 2008 16:52:12 +1300 Brett Davidson <[EMAIL PROTECTED]> wrote:

 > ifconfig shows the alias addresses correctly bound.
 > Creating an ipfw rule and testing it from the command line works 
 > (connects out from master address, not alias)
 > 
 >  From website on alias address, the firewall blocks the packets.
 >
 > The weird thing is that it tags them (in the security log) as coming 
 > from the master address (not the alias) out the correct interface. In a 
 > normal world that would mean the packet would match!
 > 
 > What's goin' on here Willis?

Difficult to tell without seeing a) ifconfig b) netstat -rn c) at least 
the relevant firewall rule/s and d) log entries that illustrate your 
problem.  Obscure sensitive information by all means, but otherwise 
pretend we haven't the slightest clue how your system is configured :)

cheers, Ian


Re: Problem about ppp -nat

2008-12-01 Thread Ian Smith
On Sun, 30 Nov 2008, Pongthep Kulkrisada wrote:
 > Hi all,
 > 
 > > set log phase chat connect carrier link ipcp ccp ID0 TUN command
 > I still can't dial using this configuration...

Yes sorry, that was from a really old system, from backups.

 > # ppp -background isp
 > Loading /lib/libalias_cuseeme.so
 > Loading /lib/libalias_ftp.so
 > Loading /lib/libalias_irc.so
 > Loading /lib/libalias_nbt.so
 > Loading /lib/libalias_pptp.so
 > Loading /lib/libalias_skinny.so
 > Loading /lib/libalias_smedia.so

I'm surprised ppp would load these unless -nat was specified somewhere?  

My newest system that used ppp is 5.5-STABLE, up till last August, but 
I'm not up with it on 6 or 7, still this does look rather odd to me.

Perhaps someone else could confirm whether ppp always loads these 
libalias modules, whether intending to use them or not?

 > Working in background mode
 > Using interface: tun0
 > Warning: carrier: Invalid log value
 > Warning: link: Invalid log value
 > Warning: usage: set log [local] 
 > [+|-]all|async|cbcp|ccp|chat|command|connect|debug|dns|hdlc|id0|ipcp|lcp|lqm|phase|physical|radius|sync|tcp/ip|timer|tun...
 > Attempting redial
 > Attempting redial
 > Attempting redial
 > 
 > I then removed ``carrier'' and ``link''. It always keeps redialing without
 > hearing dialing tone from the modem. So I removed ``connect'' again. The 
 > result was still the same.

Sorry again.  On 5.5 I just used 'log Phase LCP IPCP CCP tun command' 
once everything was running smoothly, using several different modems.

 > > Try /dev/cuaa0.  At least in the olden days, cuad0 was configured more
 > > for dialin rather than dialout.  This may? explain the next two lines:
 > It keeps redialing without hearing any tone from the modem. So I 
 > switched back to /dev/cuad0. Then dial; now I hear dialing tone from 
 > the modem but warning message of ``Child failed (errdead)'' occured 
 > then line dropped. And can not connect. I tried it many times. Note 
 > that /dev/cuad0 appeared in my 
 > /usr/share/examples/ppp/ppp.conf.sample, not /dev/cuaa0. If I 
 > remember correctly I changed from cuaa0 to cuad0 when I upgraded from 
 > FBSD5.4R to FBSD6.2R.

Ok.  I hadn't realised that ppp had changed so much.  Wish someone who 
knows a bit more about the current situation would comment ..

 > [...]
 > Working in background mode
 > Using interface: tun0
 > Child failed (errdead)
 > 
 > >>  set ctsrts off   # enables software flow control
 > >>  set accmap 000a  # comments out these 2 lines for hardware flow 
 > >> control
 > > Not sure why you don't want to use hardware flow control?  Is this with
 > > a regular external modem?  Anyway, I've always used ctsrts (with cuaa0).

 > 5 year ago, I downloaded this ppp.conf from some web site. But 
 > anyway, I did follow your suggestion i.e. hardware flow control. It 
 > still doesn't work as ``Child failed''. Actually I don't know so much 
 > in this area (flow control). I only code C on *Unix. I rarely do this 
 > kind of things e.g. system setup or configuration. And yes, it is a 
 > regular external modem.

I spent about 15 years debugging user problems with dialup modems; it 
can be really difficult without first knowing the modem type and its 
internal config - however that doesn't seem to be your problem here.

 > >>  add! default HISADDR   # Add a (sticky) default route
 > >>  [...]
 > >>  add 0 0 HISADDR
 > > You probably don't want both those add statements.  Try taking out the
 > > first one, and replacing the last one with the add! default HISADDR.
 > I changed it before dialing.
 > 
 > > Unsure if you need an 'enable pap' as well, maybe default.  Can't hurt.
 > I added it before dialing. But all failed. I think it is probably caused by
 > ipdivert.

Well as mentioned above, if ppp is loading libalias modules also, there 
definitely could be some conflict there .. but I'm now out of my depth.

 > > Anyway, some extra logging should show you when and how it fails, if it
 > > still does ..
 > Nov 30 17:00:00 bsdhost newsyslog[960]: logfile turned over due to size>100K
 > Nov 30 17:00:16 bsdhost ppp[977]: Phase: Using interface: tun0
 > Nov 30 17:00:16 bsdhost ppp[977]: Phase: deflink: Created in closed state
 > Nov 30 17:00:16 bsdhost ppp[977]: tun0: Command: default: ident user-ppp 
 > VERSION (built COMPILATIONDATE)
 > Nov 30 17:00:16 bsdhost ppp[977]: tun0: Command: default: set device 
 > /dev/cuad0
 > Nov 30 17:00:16 bsdhost ppp[977]: tun0: Command: default: set speed 115200
 > Nov 30 17:00:16 bsdhost ppp[977]: tun0: Command: default: disable pred1
 > Nov 30 17:00:16 bsdhost ppp[977]: tun0: Command: default: deny pred1
 > Nov 30 17:00:16 bsdhost ppp[977]: tun0: Command: default: disable lqr
 > Nov 30 17:00:16 bsdhost ppp[977]: tun0: Command: default: deny lqr
 > Nov 30 17:00:16 bsdhost ppp[977]: tun0: Command: default: set dial ABORT 
 > BUSY ABORT NO\sCARRIER TIMEOUT 5"" AT OK-AT-OK ATE1Q0 OK 
 > \dATDT\T TIMEOUT 180 CONNECT
 > Nov 30 17:00:16 bsdho

Re: Is there anything weird I should know about using ipfw on alias addresses?

2008-12-03 Thread Ian Smith
On Tue, 2 Dec 2008, Brett Davidson wrote:
 > Ian Smith wrote:
 > > On Mon, 01 Dec 2008 16:52:12 +1300 Brett Davidson <[EMAIL PROTECTED]>
 > > wrote:
 > > 
 > >  > ifconfig shows the alias addresses correctly bound.
 > >  > Creating an ipfw rule and testing it from the command line works
 > >  > (connects out from master address, not alias)
 > >  >
 > >  >  From website on alias address, the firewall blocks the packets.
 > >  >
 > >  > The weird thing is that it tags them (in the security log) as coming
 > >  > from the master address (not the alias) out the correct interface. In a
 > >  > normal world that would mean the packet would match!
 > >  >
 > >  > What's goin' on here Willis?
 > > 
 > > Difficult to tell without seeing a) ifconfig b) netstat -rn c) at least the
 > > relevant firewall rule/s and d) log entries that illustrate your problem.
 > > Obscure sensitive information by all means, but otherwise pretend we
 > > haven't the slightest clue how your system is configured :)
 >
 > Fair enough.
 > 
 > ifconfig below:
 > 
 > bce1: flags=8843 mtu 1500
 >options=3b
 >inet 210.5.50.5 netmask 0xffe0 broadcast 210.5.50.31
NB ..
 >inet 210.5.51.32 netmask 0x broadcast 210.5.51.32
 >inet 210.5.51.27 netmask 0x broadcast 210.5.51.27
 >inet 210.5.51.33 netmask 0x broadcast 210.5.51.33
 >inet 210.5.51.34 netmask 0x broadcast 210.5.51.34
 >inet 210.5.51.42 netmask 0x broadcast 210.5.51.42
 >inet 210.5.51.4 netmask 0x broadcast 210.5.51.4
 >ether 00:1c:c4:c0:56:94
 >media: Ethernet autoselect (1000baseSX )
 >status: active
 > 
 > Relevant /etc/rc.conf entries :
 > ifconfig_bce1="inet 210.5.50.5  netmask 255.255.255.224"
 > ifconfig_bce1_alias0="inet 210.5.50.5 netmask 255.255.255.224"

Your first alias here is a repeat of the 'primary' address.  ifconfig 
seems to have resolved/merged that above, but it's not an alias.

 > ifconfig_bce1_alias1="inet 210.5.51.4 netmask 255.255.255.255"
 > ifconfig_bce1_alias2="inet 210.5.51.27 netmask 255.255.255.255"
 > ifconfig_bce1_alias3="inet 210.5.51.32 netmask 255.255.255.255"
 > ifconfig_bce1_alias4="inet 210.5.51.33 netmask 255.255.255.255"
 > ifconfig_bce1_alias5="inet 210.5.51.34 netmask 255.255.255.255"
 > ifconfig_bce1_alias6="inet 210.5.51.42 netmask 255.255.255.255"

I didn't spot on first reading this that the first address is in a 
different subnet than all the others.  I'm not entirely sure whether 
that's relevant, or how, just pointing it out as being non-obvious, and 
suspecting one of the 210.5.51 subnet should show a broader netmask.

 > Relevant ipfw rules :
 > ipfw -q add 02012 allow tcp from any to 208.69.123.164 80 out via bce1 setup
 > keep-state
 > ipfw -q add 02012 allow tcp from any to 208.69.123.164 443 out via bce1 setup
 > keep-state

netstat -finet -rn (or -rna) please?  unclear where your default route 
goes, or how the 210.5.51 subnet is routed or its netmask, but assume 
that 208.69.123.164 is probably accessed via the default route ..

 > Interesting entries in /var/log/security :
 > Dec  1 16:42:25  kernel: ipfw:  Deny TCP 210.5.50.5:49708
 > 208.69.123.164:80 out via bce1

Did that occur =after= the above rules were installed?  Just the one?  
Seems odd on face value, but without knowing what your other rules do.

 > What makes this interesting is that I can connect to that port via the
 > command line.

You mean like with 'telnet 208.69.123.164 80' ?  With 210.5.50.5 as 
source address?  tcpdump output may help understand or explain this.

 > It's the website that lives on 210.5.51.42 that is having problems. Why, if
 > the rule is valid enough for the command line is it having problems from an
 > aliased address?

Hang on; do you mean you're having a webserver on 210.5.51.42 trying to 
connect out to another webserver on 208.69.123.164 ?  If not, what?

I guess you have rules allowing inbound port 80 access to 210.5.51.42 ?

And that your upstream is routing 210.5.51.42/something to 210.5.50.5 ?

 > This MUST have something to do with the way ipfw is working with aliased
 > addresses but I'm blowed if I know what is wrong.

ipfw doesn't do anything different with any address in particular except 
when using the forward action.  ipfw certainly has no concept of primary 
or alias addresses, it just applies the addresses/masks you specify.

Nor does ipfw know or care (even when forwarding) whence the stack is 
next going to route outbound packets .. but netstat -rn will tell us.

cheers, Ian


Re: Is there anything weird I should know about using ipfw on alias addresses?

2008-12-04 Thread Ian Smith
On Thu, 4 Dec 2008, Brett Davidson wrote:
 > Ian Smith wrote:
 > > On Tue, 2 Dec 2008, Brett Davidson wrote:
 > >  > Ian Smith wrote:
 > >  > > On Mon, 01 Dec 2008 16:52:12 +1300 Brett Davidson <[EMAIL PROTECTED]>
 > >  > > wrote:
 > >  > >  > ifconfig shows the alias addresses correctly bound.
 > >  > >  > Creating an ipfw rule and testing it from the command line works
 > >  > >  > (connects out from master address, not alias)
 > >  > >  >
 > >  > >  >  From website on alias address, the firewall blocks the packets.
 > >  > >  >
 > >  > >  > The weird thing is that it tags them (in the security log) as coming
 > >  > >  > from the master address (not the alias) out the correct interface. In
 > >  > >  > a normal world that would mean the packet would match!
 > >  > >  >
 > >  > >  > What's goin' on here Willis?
 > >  > >
 > >  > > Difficult to tell without seeing a) ifconfig b) netstat -rn c) at
 > >  > > least the relevant firewall rule/s and d) log entries that illustrate
 > >  > > your problem.
 > >  > > Obscure sensitive information by all means, but otherwise pretend we
 > >  > > haven't the slightest clue how your system is configured :)
 > >  >
 > >  > Fair enough.
 > >  >
 > >  > ifconfig below:
 > >  >
 > >  > bce1: flags=8843 mtu 1500
 > >  >options=3b
 > >  >inet 210.5.50.5 netmask 0xffe0 broadcast 210.5.50.31
 > > NB ..
 > >  >inet 210.5.51.32 netmask 0x broadcast 210.5.51.32
 > >  >inet 210.5.51.27 netmask 0x broadcast 210.5.51.27
 > >  >inet 210.5.51.33 netmask 0x broadcast 210.5.51.33
 > >  >inet 210.5.51.34 netmask 0x broadcast 210.5.51.34
 > >  >inet 210.5.51.42 netmask 0x broadcast 210.5.51.42
 > >  >inet 210.5.51.4 netmask 0x broadcast 210.5.51.4
 > >  >ether 00:1c:c4:c0:56:94
 > >  >media: Ethernet autoselect (1000baseSX )
 > >  >status: active
 > >  >
 > >  > Relevant /etc/rc.conf entries :
 > >  > ifconfig_bce1="inet 210.5.50.5  netmask 255.255.255.224"
 > >  > ifconfig_bce1_alias0="inet 210.5.50.5 netmask 255.255.255.224"
 > > 
 > > Your first alias here is a repeat of the 'primary' address.  ifconfig seems
 > > to have resolved/merged that above, but it's not an alias.
 > > 
 > >   
 > True. Blame that on the piece of software (Plesk) that manages the IP
 > addresses for the websites we host.

Ok in this instance.  Please copy the list on replies, for archives.

 > > > ifconfig_bce1_alias1="inet 210.5.51.4 netmask 255.255.255.255"
 > > > ifconfig_bce1_alias2="inet 210.5.51.27 netmask 255.255.255.255"
 > > > ifconfig_bce1_alias3="inet 210.5.51.32 netmask 255.255.255.255"
 > > > ifconfig_bce1_alias4="inet 210.5.51.33 netmask 255.255.255.255"
 > > > ifconfig_bce1_alias5="inet 210.5.51.34 netmask 255.255.255.255"
 > > > ifconfig_bce1_alias6="inet 210.5.51.42 netmask 255.255.255.255"
 > > 
 > > I didn't spot on first reading this that the first address is in a
 > > different subnet than all the others.  I'm not entirely sure whether that's
 > > relevant, or how, just pointing it out as being non-obvious, and suspecting
 > > one of the 210.5.51 subnet should show a broader netmask.
 > >   
 > I've wondered that as well but it all works EXCEPT for when ipfw is involved.

Looks like we may need to see more, if not all, of your ipfw ruleset. 

'ipfw -ted show' is pretty good for seeing everything.  Try adding 'log' 
to some more rules, until you can SEE where packets are getting blocked.

Doesn't 'tcpdump -pn -i bce1 host 210.5.51.42 and host 208.69.123.164' 
provide any good clues to these flows?  Or in this case maybe better:
tcpdump -pn -i bce1 host \(210.5.51.42 or 210.5.50.5\) and host 208.69.123.164

 > > > Relevant ipfw rules :
 > > > ipfw -q add 02012 allow tcp from any to 208.69.123.164 80 out via bce1 setup keep-state
 > > > ipfw -q add 02012 allow tcp from any to 208.69.123.164 443 out via bce1 setup keep-state

Do you have a check-state rule?  Where?  Are there any skiptos that 
might miss anything?  Do you have rules affecting established traffic?  
Sorry, but I find this too like a guessing game, or pulling teeth :)

 > > netstat -f

Re: Question about FreeBSD installation procedure

2009-09-29 Thread Ian Smith
In freebsd-questions Digest, Vol 278, Issue 4, Message 2
On Tue, 29 Sep 2009 12:36:00 +0800 (WST) Bret Busby  wrote:
 > On Sat, 26 Sep 2009, Manolis Kiagias wrote:
 > > Bret Busby wrote:
 > >> Hello.
 > >>
 > >> I have been interested in installing FreeBSD on my laptop (HP/Compaq
 > >> NX5000, 2MB RAM), in a free 20MB partition.

[..]

 > See
 > http://busby.net/bret/Screenshot--dev-sda-GParted.png

Presumably from your screenshot, what Linux Gparted calls /dev/sda8

 > However, with the response above, and, with all of the responses thus 
 > far, to the query, it appears that I cannot install FreeBSD on the 
 > computer, without a full system rebuild, involving removal of all of the 
 > installed operating systems and software from the computer, then 
 > repartitioning, or, slicing up, the hard drive, and then creating new 
 > logical, extended partitions, and then reinstalling each of the 
 > operating systems, and all of the software for each of the operating 
 > systems, trying to ensure that I then have at least all of the software 
 > that is currently installed on each operating system on the computer, 
 > and, the data that is currently present on the computer.

Bret, none of that much drama will be necessary :)  Manolis nailed it, 
but I'll add a little reinforcement if it helps reassure you that what 
you want to do is a) entirely possible and b) not terribly difficult.

 > And, with being required to do all of that, I do not know what would 
 > happen, regarding issues such as the interrupt conflict that I 
 > encountered when trying to initially install Debian 3.1 on the computer, 
 > the interrupt conflict being between the WiFi card and the ethernet 
 > card, which required Ubuntu to resolve the conflict, then (at the time, 
 > as I was then a strictly Debian user) uninstalling Ubuntu to reinstall 
 > Debian 3.1, with the solution to the interrupt conflict, having used 
 > Mandriva Linux to do the partitioning, so as to retain the initial 
 > installation of MS Win XP, which I would probably lose, and have to 
 > install from scratch, as part of installing BSD on the system.

I can't comment on your wifi or interrupt issues, but there's no reason 
you need to lose any of your existing systems to install FreeBSD here. 

First, make SURE you have good backups, whatever else you do.  Sooner or 
later the HD is going to fail anyway, so be prepared and be comfortable.

More or less as Manolis later said, using gparted since you have it:

a) delete the 20GB logical partition /dev/sda8 for the space you need.

b) move the free space in the extended partition to the end, after the 
present sda9 and sda10.  These may then become sda8 and sda9, and you 
may later need to edit references to these to account for renumbering.

c) shrink the extended partition sda2 to the end of (now) sda9, which 
will provide 20GB of unallocated free space on the disk.

d) create a new slice (primary partition in DOS terms) using all of the 
20GB free space.  gparted will call it /dev/sda3, and it'll be the third 
partition in the MBR.  FreeBSD will see this as slice /dev/ad0s3, and 
there you can install FreeBSD, probably in several FreeBSD partitions.

 > So, getting the system set up, initially, to get Debian 3.1 running (it 
 > has been superseded on the system, first by Debian 4, and, now, by 
 > Debian 5), took a fair bit of time and effort, and problem solving, 
 > using various operating systems, to get the one extra operating system 
 > installed.

Sure, and you learned quite a lot in the process :)

 > Due to the time and effort involved, and the apparent complexity, it all 
 > seems too difficult, to install BSD.

Nope.  Just a bit more learning, shifting a bit further from 'DOS-think'

 > If FreeBSD would be able to be installed in a logical partition, within 
 > an extended partition, as can be done with Linux, it would probably be 
 > able to be done by me - in the meantime, it is simply too difficult.

It's only too difficult until you know how to do it.  Manolis and I have 
both shown you a fairly straightforward way of doing it, and others have 
provided good background info on how FreeBSD uses diskspace.  Go for it!

As a bonus, you should be able to access all of the other filesystems on 
your disk from FreeBSD, at least read-only.  FAT32 (mount_msdosfs), NTFS 
(I don't, but many people here have done), ext3 - not sure about write 
capability, but certainly ext2.  Way back on FreeBSD 3.3 I salvaged many 
OS/2 HPFS filesystems from various extended partitions, readonly, and 
last time I looked (FreeBSD 7.0) the HPFS code was still in the tree.

You'll find that FreeBSD knows the (covering) extended partition as 
/dev/ad0s5 and the logical partitions within as /dev/ad0s6, s7 etc.

FAT32 is reliable read-write, and most useful for shipping files between 
different OS, especially if you enclose them in a tar(1) or zip(1) file 
if you need to maintain file ownerships and permissions.

cheers, Ian

Re: I hate to bitch but bitch I must

2009-10-18 Thread Ian Smith
PJ,

having (in this case at least) the luxury of reading freebsd-questions 
as a digest, I'm going to quote a few of your extracts from several 
messages, largely without surrounding context, as it's all incredibly 
repetitive, massively overquoted and mostly just "grasping for ambiguity" 
as Warren Block so eloquently put it.

 > To be as precise as possible, it means normally it should work so go
 > ahead; then the question is - what do you mean by normally.
 > In our case above, the instructions were to do the operation with the
 > disk not in use and the os in SUM. That's very clear. Now, I f they
 > wanted to point out a bug, the bug means that there is an anomaly under
 > certain circumstances - and in this case there really is no bug as it is
 > very clear as to how the instructions should be used. If they consider
 > the operation under a live files system a bug, then they should just
 > make a warning and say something along the lines of "do not use on live
 > system as that may destroy data" or something to that effect.

I think you're only being so obtuse about this because you haven't had 
much experience reading man pages, and seem to expect them to conform to 
some sort of English Literary standards that are entirely inapplicable.

 > Just a note: I find it strange that nobody looked into the problem of
 > the confusion... I thought I had pointed out where the confusion
 > arises... and no one seems to have either understood the inconsistencies
 > or bothered to read the explanation... oh well... let's keep on
 > blundering away... ;-)

Must we?  The confusion, and the seems-like-a-hundred messages it's now 
spawned, is all yours.  Many have tried relentlessly and unsuccessfully 
to explain to you what just about everyone else has had no difficulty in 
understanding, because they don't try applying linguistic contortions to 
a simple statement by its (entirely English-speaking) authors.

 M. McKusick, W. Joy, S. Leffler, and R. Fabry, "A Fast File System for
 UNIX", ACM Transactions on Computer Systems 2, 3, pp 181-197, August
 1984, (reprinted in the BSD System Manager's Manual, SMM:5).

BUGS
 This utility should work on active file systems.

 You can tune a file system, but you can't tune a fish.

If you want to see the _fascinating_ history of the tunefs(8) man page:
  http://www.freebsd.org/cgi/cvsweb.cgi/src/sbin/tunefs/tunefs.8

First go right down the bottom, Rev 1.1, and choose 'annotated' view .. 
you'll see the original text committed by Rodney Grimes.  If you don't 
know who Marshall McKusick, Bill Joy, Sam Leffler and Robert Fabry are, 
do some googling, or start at http://www.mckusick.com/articles.html

Rev 1.4 adds an interesting warning .. perhaps some pedant had suggested 
that a little humour was inappropriate :)  At some later point, mckusick 
corrected the spelling of 'Daemon', and later ru@ changed "can't" to 
"cannot" (FFS!).  This is a very carefully considered BUGS section, with 
over 15 years' of history.  Mess with it at your peril :)

 > What in the world is RFC 2119? (that's a rhetorical question) I
 > prefer to stick to ordinary dictionaries, like Oxford, Collins, Webster...
 > then again, my college university studies were in English lit... but I'm
 > afraid I have neglected that and have been somewhat dragged down to
 > the level of the "plebes" in the hope they may catch some of my
 > meanings... :-D

You need to use the right terms in the appropriate context, and it's 
best to try avoiding condescension when dealing with people who may not 
have attained your literary qualifications, but who clearly know a hell 
of a lot more about this subject than you do.

If you don't know about RFCs you'll get lost with lots of UNIX (and 
other computer system) references.  Google is your (and our!) friend.

 > > I understand that I'm confused :)

Ok.

 > > Actually, what's happening here is dropping part of a sentence. It's
 > > common in English to shorten
 > >Yea, it should work, but it doesn't.
 > >   
 > Absolutely not! There is nothing to suggest either statement above. If
 > one says it should work, it can mean (of course, it changes within
 > different contexts) that all is ok and normal conditions (whatever they
 > may be) will allow things to function correctly. There is certainly no
 > implication about confidence... where do you get that? It can mean very
 > confident just as well. And dropping a sentence is a very presumptuous
 > assumption. "but it doesn't" is a specific condition... and there can be
 > innumerable conditions.

Semantic obfuscation and failure to understand usage of 'BUGS' sections.  
Try reading a whole lot more manpages to get their drift, eg what would 
you make of "BUGS: bound to be some" without knowing the wisdom therein?

 > In the end, it's up to the author to clarify... I don't understand what
 > he's trying to do as on my system his instructions/example just do not
 > work anyway. :-(

You really cannot go

Re: Why is sendmail is part of the system and not a package?

2009-10-30 Thread Ian Smith
In freebsd-questions Digest, Vol 282, Issue 14, Message 14
On Thu, 29 Oct 2009 14:58:54 -0500 (CDT) Lars Eighner 
 wrote:
 > On Thu, 29 Oct 2009, Ruben de Groot wrote:
 > 
 > > sendmail is NOT a legacy application. It's actively being developed
 > > ON FreeBSD. Actually, the maintainer(s) are doing a great job
 > 
 > Bullshit.

:)  IYNSHO.

 > Why does sendmail call up the internet during boot?  If it needs to know who
 > it is, why can't it look in hosts?

See the section: WHO AM I? in /usr/src/contrib/sendmail/cf/README 
(assuming you haven't deleted the documentation from your system)

 > Since it cannot be trusted to send mail, what does it need to know
 > from the internet?

The first clause reflects an opinion you apparently formed many years 
ago from which you seem determined not to let any contrary indications 
dissuade you.  I certainly trust sendmail to send mail - who to accept 
mail from is always the far greater issue - though after only 11+ years 
using FreeBSD, I clearly haven't your depth of experience.

 > It has been horribly broken for the 15 years or so that I have run FBSD,

What was the last version of sendmail you actually used?  Sure 8.8 was a 
bear to configure against spam back in '98; I almost succumbed to buying 
the book back then, but always found what I needed here, by searching or 
at sendmail.org.  Since FreeBSD ~4.5 I've done just fine using 'make'.
(cd /etc/mail; ee access; make maps) is my usual extent of maintenance.

 > and this m4 stuff is a pile of crap.

Works here :) though I just let 'make' hide all of the gritty stuff.

 > There is no documentation whatsoever.

Re-sup your sources?  There's plenty here, and the abovementioned README 
contains just about everything I've ever needed to configure sendmail.

Mail is never going to be any trivial one-conf-fits-all service and 
requires some study, with at least a slightly open attitude.

 > Unless you buy a book from O'Reilly and line the pockets of the 
 > "maintainer(s)."  Why can't it be an option to configure the system 
 > without it?  Not any money in that, is there?

Maybe a systems programming background helped, but since ~'02 I've felt 
no further need to explore the intricacies of sendmail.cf tinkering.

Others here affirm that you can indeed configure FreeBSD not to use 
sendmail, or any mailer, but I've never had a need so can't comment.

There's an old folk song you may have come across that pretty well 
covers the best approach to fixing any such perceived brokenness:

http://www.songsforteaching.com/folk/theresaholeinthebucket.htm

cheers, Ian
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"


Re: dhcpd related issue - not giving up

2009-11-02 Thread Ian Smith
In freebsd-questions Digest, Vol 283, Issue 2, Message: 4
On Mon, 2 Nov 2009 02:04:31 -0800 (PST)
Dánielisz László  wrote:

 > Sorry, I misspelled it, (192.168.1.1) at 00:13:8f:86:2f:64 on rl1 
 > permanent [ethernet] <- actually this is my rl1 interface on BSD

Ok.  Chomping heavily .. I've just reviewed this thread through four 
digests, rather a top-posting, multi-tail-quoting mess.  Please trim 
quotes to the necessary then add your response; we've seen the rest.

 > > mac# $ dhcping -h 00:23:32:dc:72:19 -s 192.168.1.1
 > > no answer
 > >
 > > bsd# tcpdump -i rl1 -n port 67 or port 68
 > > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 > > listening on rl1, link-type EN10MB (Ethernet), capture size 96 bytes
 > > 19:14:38.604545 IP 192.168.1.234.68 > 192.168.1.1.67: BOOTP/DHCP, Request
 > > from 00:23:32:dc:72:19, length 250
 > > 19:24:06.600131 IP 192.168.1.234.68 > 192.168.1.1.67: BOOTP/DHCP, Request
 > > from 00:23:32:dc:72:19, length 250

You could perhaps usefully add 'or arp' to that tcpdump.

Like your earlier tcpdump; the Mac's asking and 192.168.1.1 is not 
responding.  I don't think anyone's asked yet what you get from:

  # netstat -finet -an | grep 67

ie, is dhcpd really listening?  something like ..
udp4       0      0  192.168.1.1.67         *.*

If not, there's your problem .. if so, looks like your firewall might be 
blocking those packets from reaching 192.168.1.1 (OR its responses back)

If dhcpd is running, even if it's misconfigured, I'd expect to see some 
response if it's receiving requests.

 > > bsd# arp -a
 > > ? (192.168.1.234) at 00:23:6c:86:41:d9 on rl1 [ethernet] <- this is my
 > > MacBook
 > > ? (192.168.1.1) at 00:13:8f:86:2f:64 on rl1 permanent [ethernet] <- this is
 > > the layer 3 switch
 > >
 > 
 > So your switch and your rl1 interface have the same IP? That can't be good,
 > can't see why it would affect things when the switch isn't in action though.
 > 
 > # sockstat -4l | grep dhcp
 > > dhcpd    dhcpd  4747  7  udp4   *:67  *:*

Yeah sockstat's always useful too; both it and netstat -a will show udp 
port 67 listening if dhcpd's running (right).

From a later message ..

 > pool {
 >option domain-name-servers cns01.hdsnet.hu;
 >max-lease-time 300;
 >range 192.168.1.200 192.168.1.253;
 >allow unknown-clients;
 >  }
 > }

.. it seems from the arp -a above that the Mac already has 192.168.1.234 
which is within that range?  However, concentrate on getting as far as 
seeing return responses from dhcpd on port 67 to clients with tcpdump, 
with your firewall momentarily disabled if need be ..

HTH, Ian
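As an added example (not from the thread), a small Python script that does over a saved capture what Ian suggests doing by eye: it counts the DHCP requests aimed at the server and the replies the server sends, so "requests on the wire but no replies" stands out as the thing to chase (dhcpd not listening on udp 67, or the firewall). The sample capture is constructed from the tcpdump lines quoted above plus an invented Reply line; dhcp_summary and the other names are my own.

```python
import re
import sys
from collections import Counter

# Constructed sample in the format of 'tcpdump -i rl1 -n port 67 or port 68'.
# The two Request lines mirror those quoted in the thread (unwrapped); the
# Reply line is invented to show what an answering dhcpd looks like on the wire.
SAMPLE_CAPTURE = """\
19:14:38.604545 IP 192.168.1.234.68 > 192.168.1.1.67: BOOTP/DHCP, Request from 00:23:32:dc:72:19, length 250
19:24:06.600131 IP 192.168.1.234.68 > 192.168.1.1.67: BOOTP/DHCP, Request from 00:23:32:dc:72:19, length 250
19:24:06.612345 IP 192.168.1.1.67 > 192.168.1.200.68: BOOTP/DHCP, Reply, length 300
"""

# One tcpdump line: timestamp, src.port > dst.port, then the BOOTP/DHCP summary.
# Requests carry the client MAC ("from aa:bb:..."); replies do not.
DHCP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"BOOTP/DHCP, (?P<kind>Request|Reply)"
    r"(?: from (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}))?"
)


def parse_dhcp_capture(text):
    """Yield one dict per DHCP line; tcpdump banners and other lines are skipped."""
    for line in text.splitlines():
        m = DHCP_LINE.match(line.strip())
        if m:
            yield m.groupdict()


def dhcp_summary(text, server_ip):
    """Count requests aimed at server_ip:67 and replies sent from server_ip:67.

    Returns per-client request counts (keyed by MAC, or source IP if the
    line had no MAC), the reply count, and a one-line verdict in the spirit
    of the thread: requests seen but no replies means the server side is
    not answering, so check that dhcpd is listening and that the firewall
    passes udp 67/68, before looking at lease configuration.
    """
    requests = Counter()
    replies = 0
    for pkt in parse_dhcp_capture(text):
        if pkt["kind"] == "Request" and pkt["dst"] == server_ip and pkt["dport"] == "67":
            requests[pkt["mac"] or pkt["src"]] += 1
        elif pkt["kind"] == "Reply" and pkt["src"] == server_ip and pkt["sport"] == "67":
            replies += 1

    if not requests:
        verdict = "no requests seen: look at the client or the capture interface"
    elif replies == 0:
        verdict = ("requests reach the wire but %s never answers: check that dhcpd "
                   "is listening on udp 67 (netstat -finet -an / sockstat -4l) and "
                   "that the firewall passes udp 67/68 both ways" % server_ip)
    else:
        verdict = "server is answering: look at lease range/config problems instead"
    return {"requests": dict(requests), "replies": replies, "verdict": verdict}


if __name__ == "__main__":
    # Usage: python dhcp_summary.py [capture.txt]; without a file the sample runs.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CAPTURE
    print(dhcp_summary(text, "192.168.1.1"))
```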

Re: Does hibernate/wakeup work?

2009-11-03 Thread Ian Smith
In freebsd-questions Digest, Vol 283, Issue 5, Message 13
On Tue, 03 Nov 2009 10:56:24 -0800 Yuri  wrote:
 > Paul B Mahol wrote:
 > > On 10/23/09, Yuri  wrote:
 > >   
 > >> I tried to make system hibernate with 'acpiconf -s4' on my laptop.
 > >> It quickly turned off, but when I press the power button it boots like
 > >> no hibernate and begins to check disks.
 > >>
 > >> What can be wrong?
 > >> 
 > >
 > > OS S4 is not implemented, but BIOS S4 is possible on some machines ...
 > > And on 8.0 and 9.0 i386 SMP doesn't resume properly (amd64 works).

 > 'acpiconf -s4' also brings laptop to unwakeable state. Power button 
 > begins to flash, when I press any button there is some disk activity, 
 > power button light turns on. And nothing happens. 'apm -z' produces 
 > similar result.
 > 
 > Maybe it's better to ask what works?
 > Is there any way I can use suspend/sleep mode? Any basic way to make it 
 > sleep?

As Paul said, hibernation only works if the machine's BIOS supports it 
(hw.acpi.s4bios = 1) AND you've already prepared a suitable disk area, 
usually a separate slice (DOS partition) or as a file in a 'doze slice.

To make even a vaguely informed guess as to whether hibernation and/or 
acpiconf -s3 (suspend/resume) might work, we'd need to know:

 What version of FreeBSD on which architecture?  (output of 'uname -a')

 What make and model of laptop?  (someone may know if that one works)

 Whether it runs a single or multiple CPUs?  (see /var/run/dmesg.boot)

 The output of 'sysctl hw.acpi' ?

cheers, Ian


Re: Does hibernate/wakeup work?

2009-11-03 Thread Ian Smith
On Tue, 3 Nov 2009, Yuri wrote:
 > Ian Smith wrote:
 > > As Paul said, hibernation only works if the machine's BIOS supports it
 > > (hw.acpi.s4bios = 1) AND you've already prepared a suitable disk area,
 > > usually a separate slice (DOS partition) or as a file in a 'doze slice.
 > > 
 > > To make even a vaguely informed guess as to whether hibernation and/or
 > > acpiconf -s3 (suspend/resume) might work, we'd need to know:
 > > 
 > >  What version of FreeBSD on which architecture?  (output of 'uname -a')
 > > 
 > >  What make and model of laptop?  (someone may know if that one works)
 > > 
 > >  Whether it runs a single or multiple CPUs?  (see /var/run/dmesg.boot)
 > > 
 > >  The output of 'sysctl hw.acpi' ?
 > > 
 > > cheers, Ian
 > >   
 > 
 > Here is this information:
 > FreeBSD-8.0-RC2

i386 or amd64?  It matters, which is why we ask for uname -a .. obscure 
your hostname etc if needed.  Some Atom models (230 and 330, I read) 
have feature 'LM' and so can run amd64; others don't and must run i386.

 > Laptop is Lenovo S10-2, single CPU, Intel Atom.

But with hyperthreading enabled or not?  How many CPUs launched (dmesg)? 
Again, it matters.  As I understand it, on 8.0 amd64 SMP suspend/resume 
(S3) should work, i386 SMP is currently broken, i386 non-SMP should 
(still) work, but I'm really not sure about the Atoms.

head -50 /var/run/dmesg.boot (or so) should clear this up.  We don't 
need the whole thing, but show anything to do with ACPI and CPU(s).

 > --- sysctl hw.acpi output ---
 > 
 > hw.acpi.supported_sleep_state: S3 S4 S5
 > hw.acpi.power_button_state: S5
 > hw.acpi.sleep_button_state: S3
 > hw.acpi.lid_switch_state: NONE
 > hw.acpi.standby_state: NONE
 > hw.acpi.suspend_state: S3
 > hw.acpi.sleep_delay: 1
 > hw.acpi.s4bios: 0

So, hibernate won't work.  There was talk of someone doing that for a 
Google SoC project but I've heard no more about it for a long while.

 > hw.acpi.verbose: 0
 > hw.acpi.disable_on_reboot: 0
 > hw.acpi.handle_reboot: 0
 > hw.acpi.reset_video: 0
 > hw.acpi.thermal.min_runtime: 0
 > hw.acpi.thermal.polling_rate: 10
 > hw.acpi.thermal.user_override: 0
 > hw.acpi.thermal.tz0.temperature: 43.0C
 > hw.acpi.thermal.tz0.active: -1
 > hw.acpi.thermal.tz0.passive_cooling: 0

Slightly surprising, but again I know nothing about Atom BIOSes.

 > hw.acpi.thermal.tz0.thermal_flags: 0
 > hw.acpi.thermal.tz0._PSV: -1
 > hw.acpi.thermal.tz0._HOT: -1
 > hw.acpi.thermal.tz0._CRT: 102.0C
 > hw.acpi.thermal.tz0._ACx: -1 -1 -1 -1 -1 -1 -1 -1 -1 -1
 > hw.acpi.thermal.tz0._TC1: -1
 > hw.acpi.thermal.tz0._TC2: -1
 > hw.acpi.thermal.tz0._TSP: 300
 > hw.acpi.battery.life: -1
 > hw.acpi.battery.time: -1
 > hw.acpi.battery.state: 7
 > hw.acpi.battery.units: 1
 > hw.acpi.battery.info_expire: 5
 > hw.acpi.acline: 1
 > hw.acpi.cpu.cx_lowest: C1

If this is either i386 uniprocessor or amd64 SMP, suspend/resume should 
work, though possibly needing some settings tweaked and/or some modules 
unloaded/reloaded in /etc/rc.{suspend,resume} to do so successfully.

If so, I'd next try the freebsd-mobile@ list where several people who 
should be able to advise on this tend to hang out.  If not, you may be 
out of luck at this stage.

cheers, Ian


Re: Partition naming, fstab, and geli

2009-11-16 Thread Ian Smith
In freebsd-questions Digest, Vol 285, Issue 2, Message 2
On Sun, 15 Nov 2009 19:23:15 -0700 David Allen wrote:

 > Say I have performed a standard installation of FreeBSD onto a single IDE
 > drive with the following entries in /etc/fstab:
 > 
 > /dev/ad0s1b  none  swap  sw  0  0
 > /dev/ad0s1a  / ufs   rw  1  1
 > /dev/ad0s1d  /var  ufs   rw  2  2
 > /dev/ad0s1e  /tmp  ufs   rw  2  2
 > /dev/ad0s1f  /usr  ufs   rw  2  2
 > 
 > Then I added more drives.
 > 
 > 1. The Handbook suggests there is a convention that when partitioning a
 > drive that's been added, to label the first new partition on that drive as
 > 'e' as opposed to 'a' (which is reserved for the /root partition).  Does
 > the following satisfy that convention, or would starting with 'a' in each
 > case make more sense?
 > 
 > /dev/ad1e  /foo1  ufs  rw  2  2
 > /dev/ad1f  /bar1  ufs  rw  2  2
 > /dev/ad1g  /baz1  ufs  rw  2  2
 > 
 > /dev/ad2e  /foo2  ufs  rw  2  2
 > /dev/ad2f  /bar2  ufs  rw  2  2
 > 
 > /dev/ad3e  /foo3  ufs  rw  2  2
 > /dev/ad3f  /bar3  ufs  rw  2  2

If you added these with sysinstall (or sade) it will tend to choose 'd' 
for the first partition on other than the / partition (which is named
'a' on install).  Or at least, it's always started with 'd' for me :)

But if you're doing it manually starting with 'e' is fine.  I suspect 
the handbook section you quoted to Polytropon later is more an example 
than definitive.  You can happily mount an 'a' partition from another 
drive that was once a system disk; it's more of a convention really.

 > 2.  My second question is in regards to using the 'xx' fstype to have the
 > system ignore that device.
 > 
 > Consider, for example, a geli encrypted partition.  The .eli device
 > doesn't exist at boot time.  I discovered by accident that the system
 > won't boot with an fstab entry for a device that doesn't exist.  So if I
 > was to record an entry in fstab, I couldn't use
 > 
 > /dev/ad1e.eli  /home/david/private  ufs  rw  0  0
 > 
 > Does that mean that the following is what's typically done to record fstab
 > entries for ignored devices?
 > 
 > /dev/ad1e.eli  /home/david/private  xx   rw  0  0
 > /dev/ad3e      /fake                xx   rw  0  0
 > /dev/ad3f      /reserved            xx   rw  0  0

Yes.  Here I must differ with Polytropon, though your format for the 
options isn't perhaps quite right.  From an old fstab here:

# Device        Mountpoint      FStype  Options                                     Dump  Pass#
/dev/acd0       /cdrom          cd9660  ro,noauto                                   0     0
/dev/ad0s1      /dos            msdosfs ro,noauto                                   0     0
/dev/ad0s2b     none            swap    sw                                          0     0
/dev/ad0s2a     /               ufs     rw                                          1     1
/dev/ad0s2d     /var            ufs     rw,noatime                                  2     2
/dev/ad0s2e     /usr            ufs     rw,noatime                                  2     2
/dev/ad0s4d     /paqi4.5        ufs     ro,noauto,nodev,noexec,nosymfollow,noatime  2     3
/dev/ad0s4e     /paqi4.5/var    ufs     ro,noauto,nodev,noexec,nosymfollow,noatime  2     4
/dev/ad0s4f     /paqi4.5/usr    ufs     ro,noauto,nodev,noexec,nosymfollow,noatime  2     4
# 25Apr06 ext 20Gb USB disk.  DON'T autoadd these, deadly if da0 absent!
# .. xx fsopts, everything incl fsck must ignore ..
/dev/da0s3d     /usbdsk         ufs     xx,noauto,nosymfollow                       3     3
/dev/da0s3e     /usbdsk/var     ufs     xx,noauto,nosymfollow                       4     4
/dev/da0s3f     /usbdsk/usr     ufs     xx,noauto,nosymfollow                       4     4
# 26May06 shintaro 1G flashdrive .. just doc, can't mount using these ..
/dev/da0s1      /flash/dos      msdosfs xx,noauto                                   0     0
/dev/da0s2d     /flash/ufs      ufs     xx,noauto,noatime                           3     3
/dev/da0s3d     /flash/pvt      ufs     xx,noauto,noatime                           3     3

As you say they're useful for doc, and not hard to edit into action. 
Note the additions above were assigned starting at 'd' by sysinstall.

cheers, Ian


Re: Bad Blocks... Should I RMA?

2009-11-17 Thread Ian Smith
In freebsd-questions Digest, Vol 285, Issue 3, Message 28
On Mon, 16 Nov 2009 23:16:27 +0100 Roland Smith  wrote:
 > On Mon, Nov 16, 2009 at 09:43:31PM +, Bruce Cran wrote:
 > > On Mon, 16 Nov 2009 19:23:58 +0100
 > > Roland Smith  wrote:
 > > 
 > > > Install the smartmontools port, and check the drive with 
 > > > 'smartctl -a /dev/ad4'. If you see a non-zero Reallocated_Sector_Ct,
 > > > RMA it immediately, as it is about to fail. If see other errors
 > > > reported, RMA it.
 > > > 
 > > > (S)ATA disk have spare sectors available. If a sector fails, it is
 > > > replaced by one of the spares by the firmware. If you see a non-zero
 > > > Reallocated_Sector_Ct, it means that the drive has run out of spares.
 > > > This is bad news.
 > > 
 > > Surely it's the other way around - if you see a value of zero in the
 > > "value" column the drive has run out of spare sectors and it's time to
 > > RMA the drive?
 > 
 > I was talking about the _RAW_VALUE column. There seems to be some differences
 > in interpretation between vendors as to what the VALUE column means. Most of
 > the advice I've seen over the years says to look at the RAW_VALUE.
 > 
 > See http://en.wikipedia.org/wiki/S.M.A.R.T. as well.

Mmm, but as that article - which really only mentions the 'normalised' 
values smartctl presents in passing - points out, there can be quite a 
lot of variation between different manufacturers as to what RAW_VALUE 
actually represents for various attributes, whereas the usage of VALUE 
WORST THRESH values is much more consistent, and what the vendor is 
actually presenting as the SMART good/fair/fail analysis to the world.

For instance, I've got two Fujitsu 5400rpm 2.5" drives in two laptops, 
one MHV2040AH with near 19,000 hours on it, and a much newer MHV2120AH, 
40 and 120GB respectively.  Nice quiet low-power laptop drives, fwiw.

Both show as (more recently) being in the smartctl database, and both 
show _exactly_ the same values for this one:

  5 Reallocated_Sector_Ct   0x0033   100   100   024    Pre-fail  Always       -       8589934592000

Now if that were a number of 512-byte sectors, it'd be 4096000 GB! :)
but both drives are 100% ok, as the VALUE / WORST figures show.

 > > From what I've seen the 'raw' column appears to count
 > > the number of sectors the drive has remapped using the spares buffer.
 > > If it gets into the hundreds it's probably time to think about RMA'ing
 > > the drive
 > 
 > Yes, the raw value is the number of sectors allocated from the spares. I
 > originally thought it was the number of reallocations _beyond_ the
 > spares. That's a misunderstanding on my part.

Again, may depend on the drive make/model.  With the same make/model you 
can of course usefully compare raw values, but be careful about drawing 
inferences for different drives, or you may be RMA'ing needlessly ..

 > Nevertheless this attribute (along with several) is marked on the Wikipedia
 > page for smart as a "Potential indicator of imminent electromechanical
 > failure". You can find the same attributes marked as critical when perusing
 > mailing list archives.
 > 
 > For me, my data is worth much more than the harddisk it is on. Some of it is
 > literally irreplaceable. So my policy is to go look for a replacement harddisk
 > as soon as the RAW_VALUEs of any of these critical indicators start going up
 > from zero. And store any data at least on two harddisks, whether in a mirror
 > or in a cron+rsync setup.

That'd be the case for the disks you tend to use.  I was first going to 
reply to Bruce's message when I spotted yours, but you've dropped the 
last bit of his quote, that I was about to wholeheartedly agree with :)

 : If it gets into the hundreds it's probably time to think about RMA'ing
 : the drive - if you trust that the 'raw' column is reporting what you
 : think it is (you should really only base your decision on the value,
 : worst and threshold columns).

cheers, Ian


Re: Bad Blocks... Should I RMA?

2009-11-17 Thread Ian Smith
On Tue, 17 Nov 2009, Chuck Swiger wrote:
 > On Nov 17, 2009, at 7:51 AM, Ian Smith wrote:
 > [ ... ]
 > > For instance, I've got two Fujitsu 5400rpm 2.5" drives in two laptops,
 > > one MHV2040AH with near 19,000 hours on it, and a much newer MHV2120AH,
 > > 40 and 120GB respectively.  Nice quiet low-power laptop drives, fwiw.
 > > 
 > > Both show as (more recently) being in the smartctl database, and both
 > > show _exactly_ the same values for this one:
 > > 
 > >   5 Reallocated_Sector_Ct   0x0033   100   100   024    Pre-fail  Always       -       8589934592000
 > > 
 > > Now if that were a number of 512-byte sectors, it'd be 4096000 GB! :)
 > > but both drives are 100% ok, as the VALUE / WORST figures show.
 > 
 > I wouldn't conclude that the drives were 100% OK from that line, although
 > they *might* be; I'd conclude that the drives aren't implementing this SMART
 > field correctly in their firmware.  Are you using the latest version of
 > smartctl-- updates to that can sometimes better interpret vendor-specific
 > oddities.

Hi Chuck,

Well, _Fujitsu_ reckon they're 100% OK on THAT attribute (100 100 024), 
which is the point I (and Bruce, I think) was trying to make, along with 
perhaps a gentle "don't believe everything you read on Wikipedia" :)

The smartctl program is not definitive for RAW_VALUE attributes; the 
manufacturer is.  Some raw values are manufacturer-specific, like this 
one, and the smartctl author likely concentrates on the lowest hanging 
fruit; its database is already huge.  This one is larger than 32 bits, 
possibly a mis-byte-ordered 48- or 64-bit value?  If the two drives 
showed different values I'd pursue trying different byte orderings.

And no, this certainly wouldn't be the latest smartctl; to compare the 
120G drive I installed (last night) smartmontools on a 7.0 system that's 
soon to be upgraded to 7-STABLE, so using a 7.0-RELEASE ports tree with 
smartctl 5.37, which shows '009 Power_On_Seconds' as the only odd value 
for this make/model, from smartctl -P show /dev/ad0

cheers, Ian
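The "try different byte orderings" idea above, worked through on the quoted raw value as an added example that is not from the thread. It assumes smartctl's default of printing RAW_VALUE as an unsigned 48-bit integer; the field splits are layouts vendors are known to use, not a claim about what Fujitsu actually encodes here.

```python
"""Examining a suspicious SMART RAW_VALUE under alternative encodings.

Added example, not from the thread.  Assumes smartctl's default of showing
RAW_VALUE as an unsigned 48-bit integer; the splits below are common vendor
layouts, not what this particular drive is known to use.
"""

RAW = 8589934592000   # Reallocated_Sector_Ct raw value quoted above


def raw48_bytes(value: int) -> bytes:
    """The six raw bytes, most significant first."""
    if not 0 <= value < 2**48:
        raise ValueError("not a 48-bit raw value")
    return value.to_bytes(6, "big")


def byte_swapped(value: int) -> int:
    """The same six bytes read in the opposite order, i.e. one of the
    'different byte orderings' worth trying when two drives disagree."""
    return int.from_bytes(raw48_bytes(value)[::-1], "big")


def split_16_32(value: int) -> tuple[int, int]:
    """A 16-bit field above a 32-bit field."""
    return value >> 32, value & 0xFFFFFFFF


def split_words(value: int) -> tuple[int, int, int]:
    """Three independent 16-bit words, high to low."""
    return (value >> 32) & 0xFFFF, (value >> 16) & 0xFFFF, value & 0xFFFF


def as_gib_of_sectors(value: int) -> int:
    """What the number would mean if it really counted 512-byte sectors."""
    return value * 512 // 2**30


def report(value: int = RAW) -> dict:
    """Every interpretation side by side, so an implausible one stands out."""
    return {
        "hex": raw48_bytes(value).hex(),
        "byte_swapped": byte_swapped(value),
        "hi16_lo32": split_16_32(value),
        "words": split_words(value),
        "gib_if_sectors": as_gib_of_sectors(value),
    }


if __name__ == "__main__":
    for key, val in report().items():
        print(f"{key:15s} {val}")
```

For this value the only non-zero content is 2000 sitting in the top 16 bits (the low 32 bits are all zero), which is consistent with a sub-field layout rather than a plain sector count.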

login accounts with no sendmail access

2009-11-18 Thread Ian Smith
Hi all,

I hope you'll forgive a sendmail question that's not FreeBSD specific - 
immediate application is for a Debian Linux system running sendmail 8.13 
- but I assume it's most likely applicable to a similar FreeBSD system.

We need to (re)create a number of user accounts for Samba to service a 
nest of windows boxes, but do not want these accounts to be able to send 
or receive email, rather restricting mail access to only a few accounts, 
on a box that runs DNS, apache2, mail, audio streaming (fwiw) and Samba 
access to various fileshares, including users' home directories.

I figure we can deny each would-be email address using both From: and 
To: entries in /etc/mail/access, but I'm wondering if there's an easier 
way that doesn't involve creating such entries for each new account?

(Please don't even mention LDAP)

cheers, Ian

Re: Poor throughput with natd

2009-11-23 Thread Ian Smith
In freebsd-questions Digest, Vol 286, Issue 4, Message 16
On Mon, 23 Nov 2009 15:28:12 -0800 James Long  wrote:
 > Please copy me on replies.
 > 
 > I am testing ipfw and natd on a gateway machine running FreeBSD
 > 7.2-STABLE #0: Tue Oct 27 00:12:39 PDT 2009  with the generic
 > kernel.  ipfw.ko and ipdivert.ko are loaded as modules, since
 > they're not part of the GENERIC kernel.
 > 
 > The symptom is that scp uploads from the gateway machine have
 > very poor throughput, often showing "stalled" status in the scp
 > progress output.
 > 
 > Machines on the LAN do not suffer this problem, and can upload
 > their traffic via NAT with no observed degradation in throughput.
 > That's why I haven't noticed this problem until recently, when I
 > tried rsync-ing some files outbound from the gateway to a remote
 > machine.
 > 
 > I can work around the problem, but this problem has never cropped
 > up in the past.  Is there a problem in my configuration, or in
 > recent natd?
 > 
 > Thanks for your time!

Hi Jim,

among the over-copious notes in my rc.firewall is:

  #% Julian Elischer, 22Oct06 in freebsd-net:
  # "one thing that you need to name sure of is that only the packets that
  # have potential of being on interest to natd are passed to natd.
  # i.e. be VERY specific in your natd rules..
  #
  # ipfw add 1000 divert natd ip from any to any out recv {inner-interface}
  #xmit {outer-interface}.
  # ipfw add 1001 divert natd ip from any to {inner-interface-address} in
  #recv {outer-interface}.
  #
  # don't waste natd's time with packets it doesn't care about."

1001 is actually not quite right, I'll get to that, but the principle is 
correct; the only packets natd can do anything useful with are these:

a) going OUT on the external interface that were received on the internal 
interface, so needing source address translation to the outside address.

b) coming IN on the external interface, which MAY match previous (a) 
packets, so requiring destination address remapping to an internal IP.

In the case you outline, the scp is happening between this box itself 
and an outside host, so its packets are of no interest to natd; diverting 
them only costs extra time.

 > All commands below were executed on the gateway machine that is
 > running natd with very basic options:
 > 
 > 15:07:37 /root# findps natd
 > root480  0.0  0.1  3388  1252  ??  Ss   12Nov09   4:32.81 natd -n fxp1

Here I rather use -a ${ext_ip} but that probably doesn't matter.

 > Here are the ipfw rules:
 > 
 > 14:55:41 /root# ipfw show
 > 00100   94930656746770 allow ip from any to any via lo0
 > 002000   0 deny ip from any to 127.0.0.0/8
 > 003000   0 deny ip from 127.0.0.0/8 to any
 > 0040077293 8699526 divert 8668 ip from any to any via fxp1
 > 00500 35245946 28535731864 allow ip from any to any
 > 655350   0 deny ip from any to any

Try, where ext_if=fxp1, int_if=$your_internal_if and ext_ip=$yours

ipfw add 400 divert natd ip from any to any out recv $int_if xmit $ext_if
ipfw add 410 divert natd ip from any to $ext_ip in recv $ext_if

Apart from not passing natd undivertable packets, use of 'via' here has
natd being called at least once and maybe twice on each packet coming or 
going on the outside interface, including those from the host itself.

 > Downloading, scp has no trouble:
 > 
 > 14:55:59 /root# scp -p remote:public_html/video/tatra1.mpg .
 > tatra1.mpg  100% 
 >   85MB 559.4KB/s   02:36
 > 
 > But uploads stall.  This scp process was killed after about 60 seconds:

Might there be an MTU issue as well?  Anything in /etc/natd.conf?

Although the above divert rules will prevent outbound host traffic being 
diverted at all, I'm still surprised natd's impact was so severe.

 > 14:58:40 /root# scp -p tatra1.mpg remote:/tmp/
 > tatra1.mpg0% 
 >  320KB   1.8KB/s - stalled -
 > ^CKilled by signal 2.
 > 
 > Deleting the DIVERT rule eliminates the stalling:
 > 
 > 14:59:54 /root# ipfw delete 400
 > 15:00:04 /root# scp -p tatra1.mpg remote:/tmp/
 > tatra1.mpg   27% 
 >   23MB 248.2KB/s   04:14 ETA
 > ^CKilled by signal 2.
 > 
 > But of course, it also eliminates NAT.
 > 
 > 15:01:14 /root# ipfw add 400 divert 8668 ip from any to any via fxp1
 > 00400 divert 8668 ip from any to any via fxp1
 > 
 > Adding this rule works around the natd throughput problem:
 > 
 > 15:01:29 /root# ipfw add 350 allow all from me to any via fxp1
 > 00350 allow ip from me to any via fxp1
 >
 > 15:02:03 /root# scp -p tatra1.mpg remote:/tmp/
 > tatra1.mpg  100% 
 >   85MB 266.9KB/s   05:27

350 has the same effect as putting the selective requirements on the 
outbound divert.  You still need to check inbound packets for possible 
NAT'ing.

cheers, Ian
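To make the difference between 'via fxp1' and the selective recv/xmit pair concrete, here is a small model of ipfw's interface matching, added here and not taken from the thread. It assumes fxp0 is the inside interface, uses 203.0.113.10 as a placeholder for $ext_ip, and represents each forwarded packet as the two passes ipfw makes over it (in, then out).

```python
"""Model of which ipfw passes reach natd under the two divert styles.

Added example; not from the thread.  ipfw evaluates a forwarded packet twice
(once on the way in, once on the way out); 'via IF' matches if IF is either
the receive or the transmit interface, while 'recv'/'xmit' test just one of
them.  Locally generated packets have no receive interface and locally
delivered ones have no transmit interface.
"""
from dataclasses import dataclass
from typing import Callable, Optional

EXT_IF = "fxp1"            # outside interface, as in the thread
INT_IF = "fxp0"            # inside interface (assumption)
EXT_IP = "203.0.113.10"    # placeholder outside address ($ext_ip)
LAN_HOST = "192.168.1.20"  # constructed LAN client
REMOTE = "198.51.100.7"    # constructed remote scp server


@dataclass(frozen=True)
class Pass:
    """One ipfw evaluation of a packet, with the addresses as seen then."""
    direction: str            # "in" or "out"
    src: str
    dst: str
    recv_if: Optional[str]    # None for packets the gateway generated itself
    xmit_if: Optional[str]    # None for packets delivered to the gateway


def via_ext(p: Pass) -> bool:
    """00400 divert natd ip from any to any via fxp1  (the original rule)."""
    return EXT_IF in (p.recv_if, p.xmit_if)


def selective(p: Pass) -> bool:
    """The pair suggested above:
       400 divert natd ip from any to any out recv $int_if xmit $ext_if
       410 divert natd ip from any to $ext_ip in recv $ext_if
    """
    outbound = (p.direction == "out" and p.recv_if == INT_IF
                and p.xmit_if == EXT_IF)
    inbound = (p.direction == "in" and p.recv_if == EXT_IF
               and p.dst == EXT_IP)
    return outbound or inbound


def diverts(rule: Callable[[Pass], bool], passes: list) -> int:
    """How many times natd is handed this packet under the given rule."""
    return sum(1 for p in passes if rule(p))


# Four constructed packet flows, each as the sequence of ipfw passes.
FLOWS = {
    # LAN client uploading: forwarded, so seen on fxp0 (in) and fxp1 (out).
    "lan_upload": [
        Pass("in", LAN_HOST, REMOTE, INT_IF, None),
        Pass("out", LAN_HOST, REMOTE, INT_IF, EXT_IF),
    ],
    # Reply to the LAN client: arrives on fxp1 addressed to $ext_ip, natd
    # rewrites the destination, then it is forwarded out fxp0.
    "lan_reply": [
        Pass("in", REMOTE, EXT_IP, EXT_IF, None),
        Pass("out", REMOTE, LAN_HOST, EXT_IF, INT_IF),
    ],
    # The gateway's own scp upload: locally generated, no receive interface.
    "gateway_upload": [
        Pass("out", EXT_IP, REMOTE, None, EXT_IF),
    ],
    # Reply to the gateway itself: locally delivered, a single pass.
    "gateway_reply": [
        Pass("in", REMOTE, EXT_IP, EXT_IF, None),
    ],
}


def compare() -> dict:
    """(natd calls under 'via fxp1', natd calls under the selective pair)."""
    return {name: (diverts(via_ext, ps), diverts(selective, ps))
            for name, ps in FLOWS.items()}


if __name__ == "__main__":
    for name, (v, s) in compare().items():
        print(f"{name:15s} via: {v}  selective: {s}")
```

The gateway's own upload is diverted once under 'via' and never under the selective pair, and a forwarded reply is handed to natd twice under 'via' but once under the pair, which is the "at least once and maybe twice" above.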

Re: 8.0-RELEASE-i386-memstick fixit - No USB devices found!

2009-12-05 Thread Ian Smith
In freebsd-questions Digest, Vol 286, Issue 12, Message 7
On Fri, 27 Nov 2009 06:51:50 -0800 Randi Harper  wrote:
 > On Fri, Nov 27, 2009 at 5:00 AM, Derek (freebsd lists) 
 > <48225...@razorfever.net> wrote:
 > > Hi,
 > >
 > > Just wondering if anyone else out there has successfully gotten the
 > > 8.0-RELEASE-i386-memstick fixit prompt up.
 > >
 > > It boots fine, and sysinstall comes up, but I continually get "No USB
 > > devices found!" when I go to the fixit/USB option.
 > >
 > > When I switch to the debug tty, I see da0, and all my device parameters.
 > >
 > > I've even created a second USB stick, and stuck it in and tried.
 > >
 > > No joy.
 > >
 > > Anyways, has anyone successfully gotten the 8.0-RELEASE-i386-memstick fixit
 > > prompt up?
 > >
 > > Thanks!
 > > - Derek
 > 
 > That's really weird. I can't say that I've seen this problem. It
 > sounds like you're trying to load the livefs - can you bring up a
 > normal fixit shell prompt and see what entries you have in /dev for
 > da0*? There should be a da0a. Due to sysinstall weirdness, adding this
 > USB support was somewhat of a hack, as it doesn't look for da0 - it
 > looks for da0a. :P

Hi Randi,

I had the same problem, rather more substantially, installing 8.0 from 
the memstick.img.  This thread, and you, seem to be where I should 
report what I remember of the process, having only later found all this.

I made the memstick.img by dd as per the release page on my Thinkpad 
T23.  It only sports USB 1.0 ports, and while I was confident of the dd 
(which took ~25m at ~600kB/s), I didn't really expect a 2002 laptop to 
boot from the image, but on seeing the USB stick show up in its BIOS and 
promoting it in the disk boot order, it did!  Never underestimate IBM ..

I was being very careful, as I wanted to install 8.0 on ad0s4, hopefully 
not damaging my 7.0-R on ad0s2, still having memories of a 3.3-R install 
in similar circumstances that went horribly wrong, 8? years ago :)

So .. booted into sysinstall, fdisk and label ad0s4, leave boot0 as was, 
committed that much after two earlier attempts failed due to the below, 
quit to reboot, checked the labelling, redid the mount points, all ok.

Picked pretty much all distributions from custom install, then of course 
had to select media.  Picked USB - and got about what Derek did, no USB 
disk found.

Very long story short: googled for ages and found a forum thread about 
this very problem, in which someone suggested Options / Rescan Devices 
then trying again.  The OP there said it didn't work for him, but it 
sure did for me!  After knowing that, the install went pretty smoothly, 
modulo not getting fc-10 to install by FTP, but that's another issue..

And just now, prompted by this thread I tried selecting Fixit, to again 
get what Derek did.  And again, Options / Rescan Devices fixed it for 
me.  Maybe it will for Derek and/or maybe provide another clue?  Maybe 
sysinstall could try a device rescan itself in that circumstance?

While I'm at it .. selecting 'Holographic Shell', while in that state at 
least, brings up a shell that (perhaps due to stick not being mounted?) 
has no ls command, making navigation difficult :)  pwd works, set works, 
but no ls.  Later (from debug msgs on vty1) I saw that I'd been perhaps 
in /stand and only much later found that find worked and served as ls ..

One more thing, while I remember .. seeing the USB stick is here ad0a, 
isn't that the old 'dangerously dedicated mode' now dropped from 8.0?

And to be a real pest with questions, where in CVS do I find the script 
or whatever makes memstick.img in the first place?

cheers, Ian

Re: 8.0-RELEASE-i386-memstick fixit - No USB devices found!

2009-12-05 Thread Ian Smith
On Sat, 5 Dec 2009, Ian Smith wrote:
 > One more thing, while I remember .. seeing the USB stick is here ad0a, 
 > isn't that the old 'dangerously dedicated mode' now dropped from 8.0?

That's da0a of course.

Re: 8.0-RELEASE-i386-memstick fixit - No USB devices found!

2009-12-07 Thread Ian Smith
On Mon, 7 Dec 2009, Derek (freebsd lists) wrote:
 > Ian Smith wrote:
 > > 
 > > Options / Rescan Devices fixed it for me.  Maybe it will for Derek
 > > and/or maybe provide another clue?  
 > 
 > Indeed this works for me.  I've added a follow-up to the PR.
 > 
 > Thanks for the tip!

Good to hear.

Randi, thanks for your detailed response.  Picked up the 'flu visiting 
Sydney and have been well out of it; hoping for a little energy soon.

If nothing else, might adding a quick "(try Options/Rescan Devices)" to 
the "No USB devices" message text help some folks out of this quandary?

cheers, Ian

Re: 8.0 installation doesn't contain X distributions

2009-12-10 Thread Ian Smith
In freebsd-questions Digest, Vol 287, Issue 16, Message: 8
On Sat, 05 Dec 2009 19:39:08 +0200 Manolis Kiagias  wrote:
 > Nicky Chorley wrote:
 > > Hi,
 > >
 > > I downloaded the DVD ISO for FreeBSD 8.0 (i386) and verified the MD5
 > > checksum before burning. With regards to choosing distributions for
 > > installation, the handbook says
 > >
 > > "If a graphical user interface is desired then a distribution set that
 > > is preceded by an X should be chosen"
 > >
 > > and the help for the "Choose Distributions" section of sysinstall says
 > >
 > > "An "X-" prefixed before a distribution set means that the Xorg base
 > > distribution, libraries, manual pages, servers and a set of default
 > > fonts will be selected in addition to the set itself..".
 > >
 > > However, I do not see any distributions listed that are prefixed with
 > > "X-". The choices are "All", "Reset", "Developer", "Kern-Developer",
 > > "User", "Minimal" and "Custom". Even the "Custom" option has nothing
 > > related to Xorg.
 > >   
 > 
 > That's correct, these have been removed.

Hi Manolis,

Look, I'm sorry, but I think this is a huge regression, especially if 
we're still hoping that people with no prior experience of installing 
freeBSD, people coming from Linux and such, for essentially or including 
desktop use, are going to have a rewarding installation experience.

 > > Is it supposed to be like this (i.e. no distributions containing X are
 > > presented on installation), or do I need to download other media from
 > > which to install? Note that I'm not asking how to install X and I
 > > realise that I can do it post-installation, but I'm just wondering
 > > whether I've made a mistake with my download or if the documentation
 > > is out of date.
 > >   
 > 
 > You've done nothing wrong, the documentation is in need of an update.
 > Please file a doc-bug PR.
 > Removing X from the distributions is a right step IMO, these are just
 > 3rd party packages and it seems confusing if they get installed along 
 > with the base system.

I think this is taking base-system-only installation purity to excess.

Fine for people installing servers of course, and maybe it will shift 
more people wanting a GUI environment towards PC-BSD and such if we want 
to discourage these from using FreeBSD as it is (or maybe, was) but even 
with my 11 years' experience of installing FreeBSD versions from 2.2 
till now, I kept on wondering, how would a newbie fare at this point?

 > If you wish to install X during initial installation you can still do it
 > when you get to the packages stage. I believe you will need the DVD for
 > that.

I used the memstick.img (discussed in another thread) and then FTP for 
installing packages.  I've done this before using bootonly CDs, and it 
has advantages and disadvantages; for me it's been mostly positive.

The main advantage is access to all packages.  If you know what you 
want, and which categories they live in, it's great; an hour or so 
picking and away you go (modulo failures with this FTP site or that).
There still exist people with slow net connections and older, slower 
kit for whom building everything from source would be very tedious.

The main disadvantage is - access to all packages :)  In the case of X, 
you and I, developers and most people here know to hunt for the Xorg 
meta-port.  But the naive or new installer knows of no such thing, and 
could beat around in the huge lists of X software for ages, wondering 
what's required and what's not to get a desktop going.

The previous basic setup menus in sysinstall for X were not only useful; 
I suspect that they are virtually essential for someone, say, coming 
from Debian or Ubuntu or such, wanting to try FreeBSD on their system, 
or the genuine first-time installer of FreeBSD.  sysinstall used to 
assume as little prior knowledge or need to pre-read the Handbook and/or 
FAQ or follow the lists as possible.  Now it's seeming much more firmly 
targeted at the already experienced user, and I feel that's regressive.

cheers, Ian

Re: 8.0-RELEASE-i386-memstick fixit - No USB devices found!

2009-12-10 Thread Ian Smith
On Sat, 5 Dec 2009, Randi Harper wrote:
 > On Sat, Dec 5, 2009 at 4:01 AM, Ian Smith  wrote:
 > > In freebsd-questions Digest, Vol 286, Issue 12, Message 7
 > > On Fri, 27 Nov 2009 06:51:50 -0800 Randi Harper  wrote:
 > >  > On Fri, Nov 27, 2009 at 5:00 AM, Derek (freebsd lists) 
 > > <48225...@razorfever.net> wrote:
[..]
 > > I made the memstick.img by dd as per the release page on my Thinkpad
 > > T23.  It only sports USB 1.0 ports, and while I was confident of the dd
 > > (which took ~25m at ~600kB/s), I didn't really expect a 2002 laptop to
 > > boot from the image, but on seeing the USB stick show up in its BIOS and
 > > promoting it in the disk boot order, it did!  Never underestimate IBM ..
[..]
 > > So .. booted into sysinstall, fdisk and label ad0s4, leave boot0 as was,
 > > committed that much after two earlier attempts failed due to the below,
 > > quit to reboot, checked the labelling, redid the mount points, all ok.
 > >
 > > Picked pretty much all distributions from custom install, then of course
 > > had to select media.  Picked USB - and got about what Derek did, no USB
 > > disk found.
 > >
 > > Very long story short: googled for ages and found a forum thread about
 > > this very problem, in which someone suggested Options / Rescan Devices
 > > then trying again.  The OP there said it didn't work for him, but it
 > > sure did for me!  After knowing that, the install went pretty smoothly,
 > > modulo not getting fc-10 to install by FTP, but that's another issue..
 > >
 > > And just now, prompted by this thread I tried selecting Fixit, to again
 > > get what Derek did.  And again, Options / Rescan Devices fixed it for
 > > me.  Maybe it will for Derek and/or maybe provide another clue?  Maybe
 > > sysinstall could try a device rescan itself in that circumstance?
 > 
 > This is a known issue. It would be possible to write in a hack to fix
 > this problem that would be fairly quick to implement, but sysinstall
 > already has one too many bandaids in place. I'd rather take a little
 > bit of extra time and fix the underlying problem, especially since
 > there is this workaround (forcing a device rescan) that seems to work
 > for users in the meanwhile.

At best it's an 'unknown known' :)  Except for this present thread, my 
'googling for ages' found nothing in FreeBSD lists about it.  I was so 
close to giving up until I could go somewhere to burn a DVD, by then.

I appreciate your disinclination to extend that message in sysinstall, 
it's been "about to die" for so long it's no longer funny, still it 
would have saved me half a day, and I'm sure I won't be the last person 
to run into this.  I guess I should file a PR with a patch ..

 > sysinstall was written back in the good ol' days of pre-devfs and
 > hasn't been updated much since. When it first runs, it does a device
 > scan - that is, there's this really ugly data structure of all
 > possible devices and a description/limit for each. So, just for
 > example (and I'm not checking the code, so this value is probably
 > wrong), say there's an entry for 'fxp' that is a type network with a
 > limit of 16 devices - it's going to poke the system looking for fxp0,
 > fxp1, ..., fxp15. It's doing this for every single network card, all
 > possible disk devices, everything. Back in the day when computers were
 > slower, this process could take a while, so it only happened once
 > unless the user selected it again.

But now, a rescan on my T23 was quite fast, and it's only a P3 1133MHz.

 > Needless to say, this is extremely inefficient (sysinstall code has to
 > be changed any time a new driver is added, too!) and there's a lot of
 > better ways to do this. It's very easy to pull a list of network
 > cards, disks, etc, but the work in moving away from that ugly data
 > structure is no small job. Right now, much of my time is being taken
 > up in trying to get gpt support into sysinstall, but getting rid of
 > that data structure is high in my priority list, especially since
 > there's a workaround. Old/cheap USB flash sticks seem to be the main
 > offender, as they are slow to be recognized/probed, and sysinstall has
 > already finished its device scan by then.

Point taken, but an unknown workaround is no use to the newbie installer 
(see my prior whinge to Manolis re the X installation menu going away).

Yes, I was using an older 1GB Shintaro stick, the only one on hand, on a 
machine using USB 1.0 only, but I doubt I'll be the only one; sysinstall 
has always striven to work with other than just top-range newer kit.  I 
do know how hard it i

Re: is this getting out?

2009-12-17 Thread Ian Smith
In freebsd-questions Digest, Vol 289, Issue 4, Message 14
On Sat, 12 Dec 2009 15:32:07 -0800 Gary Kline  wrote:
 > ariatotle is offline; i'm exclusively on my new server.  will 
 > somebody please do a dig thought.org and see if they see what i see?
 > 
 >  hope i get this.

At this moment just seeing SERVFAIL for thought.org, and (thus) its 
listed nameservers at your registrar:
 Name Server:NS1.THOUGHT.ORG
 Name Server:ETHIC.THOUGHT.ORG

===
smithi on sola% dig thought.org

; <<>> DiG 9.3.4-P1 <<>> thought.org
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20499
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;thought.org.   IN  A

;; Query time: 4730 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Dec 18 12:35:32 2009
;; MSG SIZE  rcvd: 29
===

That's from Australia (as good as anywhere else in this regard :)

It's a bit fraught, and not recommended (indeed, frowned upon by RFCs), 
to have both/all of your domain nameserver IPs on one physical network.

I know you had too many before, but if you know someone who can and will 
provide secondary/slave DNS for you, with a decent expiry time you can 
be offline for longish periods without your domain disappearing from 
view, even if your mail/web/etc servers are temporarily offline.

Rather than having to ask others to look it up, try locating some public 
recursive nameserver that you can use, maybe provided by your ISP, let's 
call it ns1.example.org .. then (assuming basic connectivity) you can:

% dig @ns1.example.org [whatever.]thought.org [a|ns|soa|mx|..]

to check visibility for yourself while you're tinkering with your DNS, 
remembering to allow time for changes to propagate.  So it's best to be 
running a short default TTL (say 3600 seconds) until you're running ok, 
then once OK increase it to something more reasonable, say 1 day.

Don't forget to increase your zone's serial number with each change to 
your configuration, or slave servers won't notice and fetch updates.  
If in doubt, it never hurts to bump the serial and restart named.  Use 
the standard format so you never use a smaller integer than before, eg 
2009121801 for the first update today.  Check the supplied HTML docs.

Ensure that your firewall allows both TCP and UDP connections inbound on 
port 53 on each of your externally accessible nameservers, and of course 
allows response traffic outbound.

cheers, Ian

PS because thought.org is SERVFAIL at the mo, you won't get this mail 
direct till the domain reappears here.  It'll be queued for two days.

Re: freebsd for children

2009-12-25 Thread Ian Smith
In freebsd-questions Digest, Vol 290, Issue 11, Message: 1
On Fri, 25 Dec 2009 19:53:49 +0700 "Anh Ky Huynh"  wrote:
 > On Fri, 25 Dec 2009 11:33:14 +
 > Anton Shterenlikht  wrote:
 > 
 > > Can somebody recommend a graphical port which could be used
 > > to teach kids 6-8 years programming? I know it's a very
 > > vague question, but what I have in mind (possibly) is
 > > say an interpreter linked with some graphical environment,
 > > perhaps drawing with commands, or making animations,
 > > or maybe music?
 > > 
 > > Something that would make kids or that age curious,
 > > some programming environment that they can easily
 > > understand and enjoy. A programming game of sorts?
 > > 
 > 
 > I know the `logo` language (aport lang/ucblogo, lang/klogoturtle, 
 > etc) which is used in our educational environment (Vietnamese), but 
 > for the older pupils (>= 10 years old).
 >
 > Hope this helps,
 > 
 > Regards,
 > 
 > -- 
 > Anh Ky Huynh

Another vote for LOGO.  Michael Grunewald mentions having learned it at 
7, and I knew a couple of then 5-6 year olds who had good fun with it in 
'84 on the first 128K Macintosh, and before that on the Apple II.

LOGO's simplicity is deceptive, to adults anyway, as it teaches quite 
advanced programming concepts straight away; the simple vector graphics 
lets kids make pretty geometrical drawings early on, teaching maths - 
especially trigonometry and dynamics - to kids before they could spell 
either, progressing easily to fairly sophisticated list processing, 
content addressable memory concepts and such if you dig into it a bit.

I'd (still) recommend Seymour Papert's "Mindstorms: Children, Computers 
and Powerful Ideas" (Harvester Press 1980) to anybody interested in 
introducing children to computer programming, especially using Logo.

KDE3 includes Kturtle, not 'pure' Logo at all but a reasonable interface 
and some decent starter examples to see if kids find it interesting, 
then maybe move onto ucblogo (which I haven't played with, but looks 
fully-featured and well-documented on a quick scan of the pkglist).

cheers, Ian

Re: clicky driver

2009-12-26 Thread Ian Smith
On Fri, 25 Dec 2009 20:23:22 -0800 Gary Kline  wrote:
 > On Sat, Dec 26, 2009 at 01:10:45AM +, Chris Whitehouse wrote:
 > > Gary Kline wrote:
 > > >>On Fri, 25 Dec 2009 13:37:13 -0800, Gary Kline  wrote:
 > > >>>at first I'm lookings for a "cots" (commercial, off-the-shelf)
 > > >>>solution.  The XO has stereo speakers and so do the notebooks.  
 > > >>>I am thinking of the 'PC speaker'; something that would sound 
 > > >>> for
 > > >>>around a 25th/second, very low and with at least some loudness
 > > >>>control.  
 > > 
 > > Hi Gary,
 > > 
 > > someone posted recently about the play-string language for /dev/speaker, 
 > > see speaker(4). Could you do something with that?
 > > 
 > > btw thanks to whoever posted the play-string code for frere jaques - 
 > > cracked me up :)
 > >
 > > Chris

Yeah :)  I play little tunelets on certain battery power events, when 
some IP gets blacklisted by some logtailing script, things like that.

 >  Wow; the stuff I've never heard about:-)   --I just tried spkrtest
 >  and have no /dev/speaker.   

# kldload speaker

device speaker isn't in kernel GENERIC.  If it doesn't work immediately, 
try adding speaker_load="YES" to /boot/loader.conf .. this assumes that 
your box _has_ a working speaker, eg beeps once while booting?

Some laptops use the sound'card' for speaker, and provide a mixer level.

 >  The short answer [Guess] is no, I don't think so.  If getting the
 >  keys to have an auditory feedback with beeps or shorter clicks were
 >  that easy, it would have been done after 15 years.  Even Linux
 >  lacks this--and I'd bet Minux too.  
 > 
 >  What I've got to do is pick up where I quit ten years ago with the 
 >  kernel driver code and drop the code to make the speaker-audio
 >  create tiny, brief clicks, preferably low, thunky sounds like ye 
 >  ancient IBM Selectrics.  

You can do quite a lot with various tempos, intervals and frequencies; 
see speaker(4) and play around.  Making a short click or thunk! should 
be easy enough, but spkrtest and echoing playstrings >/dev/speaker are 
userland processes; I've no idea how much 'fun' it would be to invoke
/dev/speaker ioctls from the kbd drivers.  But if you're really keen:

% find /sys/ -name "speaker*" -o -name "spkr*"

cheers, Ian

Re: clicky driver

2009-12-27 Thread Ian Smith
On Sat, 26 Dec 2009 15:07:34 -0800, Gary Kline wrote:
 > On Sun, Dec 27, 2009 at 01:19:49AM +1100, Ian Smith wrote:
 > > On Fri, 25 Dec 2009 20:23:22 -0800 Gary Kline  wrote:
[..]
 > >  > Wow; the stuff I've never heard about:-)   --I just tried 
 > > spkrtest
 > >  > and have no /dev/speaker.   
 > > 
 > > # kldload speaker
 > 
 >  Thanks!  I just listened to the opening few notes of Star Trek [!]
 >  But very faint and I don't know if the dinky BEL is a chip or a
 >  real speaker.  
 > 
 >  Anybody know how I can redirect the beep to my speakers?  I miss
 >  the confirmation that vi/vim puts out. 
[..]
 > > Some laptops use the sound'card' for speaker, and provide a mixer level.
 > 
 >  Should be a way to send the beep to my desktop speakers, then,
 >  right?  I've got volume and power, treble/bass.

Depends entirely on whether the speaker is wired into the sound system.
If so, mixer will show a speaker device, eg on my 10y.o. Armada 1500c:

% mixer
Mixer vol  is currently set to  80:80
Mixer synthis currently set to   0:0
Mixer pcm  is currently set to  92:92
Mixer speaker  is currently set to  51:51
Mixer line is currently set to   0:0
Mixer mic  is currently set to   0:0
Mixer cd   is currently set to   0:0
Mixer line1is currently set to   0:0
Recording source: mic

cheers, Ian

Re: re-write is this booting info correct?

2009-12-28 Thread Ian Smith
In freebsd-questions Digest, Vol 291, Issue 3, Message: 1
On Mon, 28 Dec 2009 21:04:57 +0800 Fbsd1  wrote:

 > Content-Type: text/plain; charset=windows-1252; format=flowed

First up, you'd be better off using a non-Windows charset here, as they 
use weird characters just for ordinary things like quotes, as below.

 > How is this rewrite correct?
 > 
 > Users with Microsoft/Windows knowledge of how a hard drive is configured 
 > may have a terminology issue with FreeBSD. Microsoft/Windows and FreeBSD 
 > use the word partition to mean different (but related) things.
 > 
 > The Microsoft/Windows fdisk program is used to allocate partitions on 
 > the hard drive. This program allocates two types of partitions: “primary 
 > dos partition” and “extended dos partition”.
 > A single “primary dos partition” occupying all the space on the hard 
 > drive would be assigned drive letter C. You can also sub-divide the hard 
 > drive into multiple “primary dos partitions”, each one being assigned a 
 > drive letter C, D, E, F,

Not exactly, and I assume you're hoping to be exact.  Disclaimer: I know 
nothing about Vista or its successor Windows 7, nor do I care to, but 
I've used many DOS versions - 3, 5, 6 (base of Win 3.1), 7 (under Win95 
through to XP) - in both MS and IBM variants, plus IBM OS/2 v2 and v3, 
and have had some exposure to NT (4 and 5), the latter having been 
merged into Win2k and XP to some degree, including of course its NTFS.

All of these, at least from DOS 3 (c. '86?) use the same MBR setup, a 
maximum of 4 Primary Partitions, one (and only one) of which may be an 
Extended DOS Partition, containing as many Logical Drives as you like; 
they're formed as a linked list, though I never used past Drive J: with 
OS/2 (HPFS).  (I'm using caps here to refer to the DOS nomenclature)

In all of these, you can't access more than one Primary Partition from 
any DOS-based OS; if you wish to have drives D:, E:, F: (etc) then these 
_must_ be in the single Extended Partition - so your statement above is 
not correct in that respect.

 > An alternate method is to allocate an “extended dos partition” and then 
 > sub-divide it into logical dos drives lettered C, D, E, F. One of these 

Not limited to F: as above (adding the DOS colon as Polytropon suggests)

 > “primary dos partitions” or one of the logical dos drives in the 
 > “extended dos partition” must be set as the active partition to boot 
 > from.

I don't think even XP can boot from a Logical Drive in the Extended 
Partition.  OS/2 can be installed to and booted from a Logical Drive 
(though only by using the OS/2 Boot Manager or Grub ono), as can most? 
varieties of Linux.  I'm not sure about NT, but certainly DOS 3 to 7 
cannot boot from other than drive C: - though DOS Drive C: need not be 
the first physical disk partition, indeed there can be several, though 
only the first one marked Active is called C: by DOS on any one boot.

 > In a multiple partition allocation only one partition can be 
 > marked as bootable at one time. Typically legacy Microsoft/Windows 
 > Win3.1, Win95, Win98, WinMe, and Win2000 defaulted to a single “primary 
 > dos partition”. Starting with XP, PC manufactures started to provide 
 > support for their PC’s operating system by having a second  “primary dos 
 > partition” where the original factory version of the system was hidden 
 > and used to restore the C drive back to the factory version when 
 > corrupted by a virus.

Again, not exactly or always correct.  Compaq at least were providing a 
'hidden' Primary Partition as early as '98 on laptops, for a diagnostics 
boot (running DOS 6.2 with a mini-Win 3.1 'desktop', FWIW).  And while 
most OEMs and computer shops were in that 'default' habit of installing 
a single C: partition (and many still are), that was an install choice; 
most people with a clue were using multiple DOS Drives, requiring use of 
the Extended Partition, since DOS 3.

 > Microsoft/Windows provides no native method of 
 > selecting which partition to boot from in a multiple partition allocation.

At least NT, Win2k and XP can multiboot .. W2k uses C:\boot.ini listing 
bootable OSes, and as I recall it's called \NTLDR.something on XP.

 > FreeBSD’s fdisk program allocates disk space into slices. A FreeBSD 
 > slice is the same thing as a Microsoft/Windows  “primary dos partition”. 
 > FreeBSD has nothing akin to an “extended dos partition”. The 

Although FreeBSD can mount and access the multiple Logical Drives as 
slices 5 and up.  I'm not sure if FreeBSD has any limit to the number of 
such slices it can access, but I've recovered multiple HPFS 'drives' 
that way, and you can access DOS FAT, NTFS, HPFS (requires compiling 
code still in the tree at 8.0-R) and Linux ext2 and ext3 filesystems.

It's true that sysinstall can't access such slices, there are comments 
in the code suggesting it should maybe be added, though unlikely now :)

 > Microsoft/Windows partition and the FreeBSD slice is wh

fpc on FreeBSD?

2009-12-29 Thread Ian Smith
Hi to ..

any old Turbo Pascal hackers out there, who've used fpc on FreeBSD.

I have some astronomy and sound related code from last century that I 
want to resume working on.  Mostly lots of float number-crunching and 
file processing, no gui stuff till the underlying processing all goes.

I've tried some other languages, but can only really think straight into 
Pascal, to fully declare my disability - please don't try to cure me :)

Is fpc's IDE usable, like good ol' TP6 and 7, never mind Delphi?  Docs 
seem vast, I'm wondering if there's a simple guide to basic compilation, 
but basically I'd just like to hear that it's working ok for someone and 
is worth the learning curve?

cheers, Ian
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"


Re: fpc on FreeBSD?

2010-01-02 Thread Ian Smith
On Wed, 30 Dec 2009, Boris Samorodov wrote:
 > On Wed, 30 Dec 2009 01:35:05 +1100 (EST) Ian Smith wrote:
 > 
 > > Is fpc's IDE usable, like good ol' TP6 and 7, never mind Delphi?
 > 
 > Usable.

Thanks for confirmation, Boris, 'usable' and 'working OK' are good 
enough.  I installed it on my Thinkpad's new 8.0-R system so I'll give 
it a go there when $workload allows.

 > >  Docs 
 > > seem vast, I'm wondering if there's a simple guide to basic compilation, 
 > > but basically I'd just like to hear that it's working ok for someone and 
 > > is worth the learning curve?
 > 
 > Working OK. For FreeBSD:
 > . it's i386-only (seems that upcoming 2.4.0 may have amd64 bits);
 > . static binaries.

That sounds fine, especially as these are mostly just for procedural 
calculations and straightforward file-processing.

Thanks also to Eduardo, Rod and Polytropon for contributions, some of 
which I have or will follow up privately.

cheers, Ian
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"


Re: sendmail: open-relay

2010-01-04 Thread Ian Smith
In freebsd-questions Digest, Vol 292, Issue 3, Message: 10
On Mon, 04 Jan 2010 13:42:28 + Matthew Seaman 
 wrote:
 > Peter Ulrich Kruppa wrote:
 > > Am Montag, den 04.01.2010, 13:02 + schrieb Matthew Seaman: 
 > >> Peter Ulrich Kruppa wrote:
 > 
 > >>> I am running my own small mail-server, i.e. I use my desktop pc for
 > >>> sending and receiving my private mails.
 > >>> That worked quite nicely the last years. From time to time I tested
 > >> my
 > >>> mail-server via abuse.net's mail-relay tester. - Never got any
 > >>> positives.
 > >>> Now suddenly I receive one:
 > 
 > >>> Any ideas?
 > >> Plenty.  But it would help a great deal if you showed us your
 > >> ${hostname}.mc.
 > 
 > > O.K. this is my complete pukruppa.net.mc
 > > 
 > > divert(-1)
 > > #
 > [...]
 > 
 > which is exactly the same as the default freebsd.mc -- nothing suspicious
 > there.

Well, except as you said later, how then is SA being invoked from that 
.mc file, unless the sendmail.cf in use maybe wasn't made from that .mc?

I'd suggest:
  # cd /etc/mail
  copy the present sendmail.cf (and maybe submit.cf) for diff later
  # make cf # read the nice Makefile
  # diff sendmail.cf.old sendmail.cf   # expecting nothing

 > Hmmm...  anything unusual (ie to do with domains not local to your machine)
 > in /etc/mail/local-host-names or /etc/mail/virtusertable  or 
 > /etc/mail/mailertable?  You're definitely running with that config file,

If it was in fact last compiled to the present sendmail.cf, yes.

I'd also check that abuse.net or its IP address[es] don't appear in 
relay-domains (aka sendmail.cR) - which sounds like a long shot, but 
might explain the behaviour.  Or an 'abuse.net RELAY' in access[.db]?

Jerry's test seems to have ruled out general open relay behaviour.

 > and you don't have anything like OpenBSD spamd(8) running that could 
 > intercept incoming SMTP traffic?

Even so, should spamd ever send or bounce mail?

 > If that's so, then I can't see how your machine could be an open 
 > relay.  The abuse.net relay tester must have been having a bad day.  
 > In fact, can you find the records in /var/mail/maillog to show 
 > abuse.net's server connecting to yours in order to do the testing?  
 > It may be that it was connecting to somewhere else entirely.  Or it 
 > was somehow trying to test relaying using an address that was somehow 
 > actually valid on your system.

Indeed.  Unless there's a 'to=<[*.]abuse.net> [...] stat=Sent' line in 
maillog then or later, your Bad Day Theory sounds quite likely.

cheers, Ian
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
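As an added example (mine, not from Ian's or Matthew's posts), here is a small sh/awk script that does the maillog check the two of them describe: it pairs each queue ID's from= line, whose relay= field records which host handed the message to sendmail, with its to= lines, and reports any message that arrived from a non-local relay and was then passed on to a remote MTA by the esmtp/relay mailer with stat=Sent. That pairing is what distinguishes a real relay from ordinary inbound or outbound mail. The log lines are constructed to look like FreeBSD's sendmail maillog; the hosts, addresses and queue IDs in them and the LOCAL_NETS pattern are assumptions to adjust.

```shell
#!/bin/sh
# Added example, not from the thread: find messages sendmail actually relayed,
# by pairing each queue ID's from= line (where relay= says which host handed
# it to us) with its to= lines (where mailer=esmtp/relay and stat=Sent mean
# we delivered it onward). Hosts, addresses and queue IDs below are made up.

# Origins that may legitimately send through this host (awk ERE).
LOCAL_NETS=${LOCAL_NETS:-'localhost|127[.]0[.]0[.]1|192[.]168[.]'}

# find_relayed [maillog ...]: print "queue-id origin recipient" for every
# message that came in from a non-local relay and went out to a remote MTA.
find_relayed() {
    awk -v localre="$LOCAL_NETS" '
    /: from=</ {
        qid = $6; sub(/:$/, "", qid)
        match($0, /relay=[^,]*/)
        origin[qid] = substr($0, RSTART + 6, RLENGTH - 6)
        next
    }
    /: to=</ && /mailer=(esmtp|relay)/ && /stat=Sent/ {
        qid = $6; sub(/:$/, "", qid)
        if ((qid in origin) && origin[qid] !~ localre) {
            match($0, /to=<[^>]*>/)
            print qid, origin[qid], substr($0, RSTART + 4, RLENGTH - 5)
        }
    }' "$@"
}

# Constructed maillog: an abuse.net-style probe that got relayed (should be
# reported), a local user's outbound mail, normal inbound mail to a local
# mailbox, and a probe that was correctly refused (no to= line at all).
sample_log() {
    cat <<'EOF'
Jan  4 13:42:28 mailhost sm-mta[1201]: o04CgS01001234: from=<relaytest@abuse.net>, size=512, class=0, nrcpts=1, msgid=<20100104134228.1@tester.abuse.net>, proto=ESMTP, daemon=IPv4, relay=tester.abuse.net [203.0.113.5]
Jan  4 13:42:29 mailhost sm-mta[1203]: o04CgS01001234: to=<relaytest@abuse.net>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30512, relay=mx.abuse.net. [203.0.113.9], dsn=2.0.0, stat=Sent (ok)
Jan  4 13:50:02 mailhost sm-mta[1210]: o04Co2Ab001240: from=<user@example.net>, size=1024, class=0, nrcpts=1, msgid=<20100104135002.2@mailhost.example.net>, proto=ESMTP, daemon=IPv4, relay=localhost [127.0.0.1]
Jan  4 13:50:03 mailhost sm-mta[1212]: o04Co2Ab001240: to=<friend@example.org>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=31024, relay=mail.example.org. [198.51.100.7], dsn=2.0.0, stat=Sent (ok)
Jan  4 14:01:11 mailhost sm-mta[1220]: o04E1Bcd001250: from=<friend@example.org>, size=2048, class=0, nrcpts=1, msgid=<20100104140111.3@mail.example.org>, proto=ESMTP, daemon=IPv4, relay=mail.example.org [198.51.100.7]
Jan  4 14:01:11 mailhost sm-mta[1221]: o04E1Bcd001250: to=<user@example.net>, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=32048, dsn=2.0.0, stat=Sent
Jan  4 14:05:40 mailhost sm-mta[1230]: o04E5eEf001260: ruleset=check_rcpt, arg1=<victim@example.com>, relay=tester.abuse.net [203.0.113.5], reject=550 5.7.1 <victim@example.com>... Relaying denied
EOF
}

sample_log | find_relayed
```

On a real box run it as find_relayed /var/log/maillog (or over the rotated copies). No output for the day of abuse.net's test supports the bad-day theory; a hit names the relay= origin and the recipient that got through, which is the pair to look up in relay-domains or access.db. Refused attempts are logged as ruleset=check_rcpt ... Relaying denied lines with no to= line, so the script ignores them by design.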


Re: re-write is this booting info correct?

2010-01-04 Thread Ian Smith
On Wed, 30 Dec 2009, Polytropon wrote:
 > On Tue, 29 Dec 2009 16:29:56 +1100 (EST), Ian Smith  
 > wrote:
 > > In freebsd-questions Digest, Vol 291, Issue 3, Message: 1
 > > On Mon, 28 Dec 2009 21:04:57 +0800 Fbsd1  wrote:
[..]
 > > All of these, at least from DOS 3 (c. '86?) use the same MBR setup, a 
 > > maximum of 4 Primary Partitions, one (and only one) of which may be an 
 > > Extended DOS Partition, containing as many Logical Drives as you like; 
 > > they're formed as a linked list, though I never used past Drive J: with 
 > > OS/2 (HPFS).  (I'm using caps here to refer to the DOS nomenclature)
 > 
 > The number is de-facto limited to 26 maximum for ALL drive
 > letters - keyword is LETTER: A up to Z. A: and B: are
 > reserved for floppy disk drives, C: is the booting partition
 > (usually a primary DOS partition), D: up to Z: can be:
 >  - other primary partitions
 >  - optical drives
 >  - fake drives refering to directories (SUBST command)
 >  - external drives (INTERLNK / INTERSVR commands)
 > The order of the drives is somewhat arbitrary, so you
 > can't always predict drive letter behaviour.

All true.  Plus perhaps virtual drives provided by a Domain Controller 
(eg Samba) pointing to various network resources users can access.

 > > In all of these, you can't access more than one Primary Partition from 
 > > any DOS-based OS; if you wish to have drives D:, E:, F: (etc) then these 
 > > _must_ be in the single Extended Partition - so your statement above is 
 > > not correct in that respect.
 > 
 > I'm not sure about this. It's long time ago, so my brain isn't
 > up to date anymore. :-) When I try to remember, I have the
 > idea in mind that it WAS possible to partition a drive with
 > primary partitions (max. 4).

Oh you can partition it that way, but DOSes can only see one Primary 
Partition (PP) at a time, the Active one, on any one disk; eg you could 
have say DOS 6 and Win2k in separate PPs; booting either would call that 
one its Drive C: and any other PPs are then not visible to that OS.

FreeBSD of course can mount any of the Primary or Extended Partitions as 
slices, as can Linux AFAIK, so this is really just a DOS/win limitation, 
rather than being any consequence of the MBR-based system itself.

 > I'll check this - and I actually CAN, because I still have
 > a DOS machine (6.22) running well; it's mostly used for
 > programming mobile radios and for disk operations in a
 > museal content (robotron resurrection). :-)

Goodo :)  I think my ancient OS/2 tower is past booting these days.

I've since dusted off (which took a while :) my User's Guide to OS/2 
Warp, which has very detailed info on all this.  I was talking before 
about single-disk systems, as was fbsd1.  Strange things happen to what 
any DOS-based OS sees if there are also Primary Partitions on HD#2 ..

DOS(etc) sees the PP marked active on HD#1 as C:, always, and DOS 3-6 at 
least, and I suspect DOS 7 (win9x through XP) can only boot from HD #1.  
Further, DOS <= 3.3 required that PP to be within the first 32MB, and 
all to 6.x need the bootable PP to be within the first 1024 cylinders.

However, DOS allocates any active PP on the second disk as Drive D:, so 
even if there is an Extended Partition on HD #1, its Drive Letters will 
be allocated AFTER the D: drive on HD#2, as first E:, F: etc on HD#1 
then any more on HD#2 as G: etc.  This used to provide much 'fun' for 
folks later adding another HD who had hardcoded links to other drives.

Partition Magic used to understand (and display) all these intricacies, 
and gparted and friends likely do also.

 > >  > An alternate method is to allocate an “extended dos partition” and then 
 > >  > sub-divide it into logical dos drives lettered C, D, E, F. One of these 
 > > 
 > > Not limited to F: as above (adding the DOS colon as Polytropon suggests)
 > 
 > My suggestion comes from documentation where "C:" is preferred
 > to "C" (in context of drive letters), like "The C: drive is
 > the booting drive", or "On floppy A: you'll find no files".

Sure; when in Rome speak Latin, as it were.  OK, Italian these days :)

 > > I'm not sure about NT, but certainly DOS 3 to 7 
 > > cannot boot from other than drive C: - though DOS Drive C: need not be 
 > > the first physical disk partition, indeed there can be several, though 
 > > only the first one marked Active is called C: by DOS on any one boot.
 > 
 > DOS doesn't provide a native means for boot selection, so
 > this statement appears to be correct in relation to my
 > memories.

I'm not sure if the DOSes that can multiboot (NT, W2k, XP) can do so 
from another PP on HD#1 or 

Re: Tuning for very little RAM

2010-01-08 Thread Ian Smith
In freebsd-questions Digest, Vol 292, Issue 8, Message: 13
On Wed, 6 Jan 2010 15:52:59 + Bruce Cran  wrote:
 > On Tue, 05 Jan 2010 20:03:45 +1000
 > Da Rock  wrote:
 > 
 > > Its been a while- work's has been keeping me very busy for months now.
 > > 
 > > I have revived an old laptop which has very little RAM, and it is
 > > absolutely hammering the swap.
 > > 
 > > I'm trying to set it up as a demo for some skeptics with no money, so
 > > I need email, internet (with plugins), openoffice, acrobat, and wine.

[Rock, mate, you may be on a hiding to nothing trying to run X apps in 
100MB (128MB fitted I guess?) while setting yourself up as the advocate 
of an OS they're going to think is s slow .. but that's just me :-]

With a lightweight wm it may be better, but you're talking about some 
big apps.  OTOH, 256MB is plenty for that sort of usage; any chance of 
adding more RAM to it?  Even another 32MB will really help ..

 > > Aside from all that though, for the academics of it how can I help
 > > this situation? The laptop has around 100MB RAM, with 16k free, and
 > > has a new install of FreeBSD 8.0.

I just manage with 160MB on a old Celeron 300 laptop whose prime mission 
is pppoe, firewall, nat and routing for the LAN, half a dozen obscure 
websites, DNS, mail and such .. plus until now, KDE 3.5 on Xorg 6.9 on 
5.5-STABLE.  Just!  That with 30-40% swap (of 384MB) in use, but mostly 
static, eg 6 more Konsoles I'm not using just now, 5x minimised kwrites 
for sources I may edit a few times a week, stuff like that stashed away 
in swap, using very little resident memory, ie not as bad as it looks :)

 > You can save a bit of memory by building a custom kernel. First, remove
 > any options you don't need such as INET6, NFS, AUDIT etc. Then, you can
 > replace "device ata" with more specific drivers, and "device mii" with
 > specific PHY drivers for your NIC. On a 128MB box I have that's running
 > 8-STABLE my kernel is just 4.1MB.

Indeed.  That's no bigger than my trimmed 5.5 kernel, good to hear.

 > You should also be able to build Xorg so it'll use less memory - for
 > example by not requiring hald but getting it to read the
 > configuration from xorg.conf instead.

Again talking on the margins of usability, I notice that the Xorg with 
7.0-RELEASE (X server 1.4.0) only used similar memory to 6.9 (30-50M, 
say 20M resident), but on 8.0-RELEASE (X server 1.6.1) top shows SIZE 
126M RES 115M .. on a 256MB laptop, eek!  It's a HAL-free config, though 
installed from packages so not at all optimised.  Will try that later, 
while I'm hunting for 1G RAM at a decent price for it (Thinkpad T23)

 > You can also tell FreeBSD to agressively swap idle processes out by
 > setting vm.swap_idle_enabled to 1.

Thanks for this, Bruce; I hadn't come across it before, or missed it.

This has had an amazing and so far apparently only beneficial effect on 
the 5.5 box.  At 127d uptime, I crossed my fingers and set that, to see 
swap drop from its then steady 46% (~15 mozilla tabs open, past time to 
restart the leaky thing anyway :) to below 40% in a matter of minutes.

A little extra (async) swap in/out activity for sure, but contrary to 
expectations it's noticeably more responsive to things like switching 
desktops/windows on a slow machine already under swap stress, and even 
somehow(?) has increased idle CPU in top by about 3% to over 90%!

cheers, Ian
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"


Re: ISO image size -regarding

2010-01-09 Thread Ian Smith
In freebsd-questions Digest, Vol 292, Issue 14, Message: 12
On Fri, 8 Jan 2010 16:41:24 -0800 Knight Tiger  wrote:
 > Hi,
 > 
 > I am trying to create a custom ISO image of FreeBSD 6.4. The only
 > difference between the release ISO and this custom image is a modified
 > driver (amdsmb.ko). I did not create the new driver. I believe it was
 > backported from a later release.
 > 
 > I understand that this is not a backport of the driver  but a hack but
 > the ISO size surprises me.
 > 
 > The steps I had followed (listed below) resulted in an ISO image of
 > around 1 GB while the original ISO image is around 600 MB. The new
 > image boots fine but I am not sure why it is huge
 > 
 > Steps:
 > 
 > // mount the release ISO
 > # mdconfig -a -t vnode -f 6.4-RELEASE-i386-disc1.iso -u 0
 > # mount_cd9660 /dev/acd0 /mnt
 > 
 > # pwd
 > /usr/home/scott
 > 
 > # mkdir custom
 > # cd custom
 > 
 > // copy iso files to custom
 > # rsync  -a /mnt .

Hi Scott,

nearly all in /rescue are hardlinks to one big executable, and there are 
also hardlinks in /bin and /sbin, hence your size difference.  rsync(1):

  Note that -a does not preserve hardlinks, because finding multiply-linked
  files is expensive.  You must separately specify -H.  Note also that for
  compatibility, -a currently does not include --flags (see there) to
  include preserving change file flags (if supported by the OS).

 > # scp sc...@remote:/boot/kernel/amdsmb.ko boot/kernel/.
 > 
 > // wrap up in a ISO
 > # cd ..
 > #mkisofs -R -b boot/cdboot -no-emul-boot -o custom.iso custom
 > 
 > The ISO file is created successfully but is huge. I mounted it in
 > VirtualBox and boots just fine. I was able to install the OS (although
 > I have not checked the functionality of amdsmb changes yet)
 > 
 > I looked up information on creating custom ISO images but they had all
 > involved rebuilding the kernel while I am not sure if I need to do the
 > same. Any leads are appreciated.

Yes, running make release might be just a tad over the top for this :)

cheers, Ian
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"


Re: IPFW with user-ppp's NAT

2008-03-16 Thread Ian Smith
On Sat, 15 Mar 2008 21:16:12 -0500 Dan Nelson <[EMAIL PROTECTED]> wrote:
 > In the last episode (Mar 16), Razmig K said:
 > > With IPFW enabled in the kernel, I'd like to use the NAT functionality of 
 > > user-ppp instead of natd. Do I need the IPDIVERT option in the kernel and 
 > > the special arrangement of divert and skipto rules in the ruleset? Or, a 
 > > non-NATed ruleset (as demonstrated in handbook section 28.6.5.6) would 
 > > suffice?
 > >
 > > If divert rules are necessary, what argument do I need to pass to action 
 > > divert in place of natd?
 > 
 > If you mean the "nat enable yes" option in ppp.conf, that is done
 > completely within the user-ppp daemon (using the same libalias libarary
 > that natd uses).  Since user-ppp creates its own tun# device, it can
 > call the NAT functions as it processes packets to/from that device
 > without needing IPFW divert rules.

True, though if you're running FreeBSD 7 you can instead use ipfw(8)'s
new in-kernel NAT, which uses the same libalias and semantics. 

Frankly I'm a bit surprised that this hasn't been more widely heralded,
as userland natd is often given as a reason to prefer other firewalls,
even in the handbook.  ('legacy', indeed :)

And while being frank .. the present ipfw section in the handbook needs
rewriting in large part.  It contains undue deprecation, misconceptions,
outdated information and some straight up errors, both of principle and
usage.  Using rc.firewall as a base example (modulo needing to permit
appropriate icmp traffic) and a fair study of ipfw(8) should yield a
better firewall, with or without NAT - certainly a more comprehensible
and flexible one - than the examples in that section.

Cheers, Ian

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
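Since Ian points at rc.firewall plus ipfw(8) rather than the handbook examples, here is an added example of what that looks like with the in-kernel nat: a short stateful ruleset in rc.firewall's style (my own, not a copy of rc.firewall or anything from the thread). It assumes user-ppp's tun0 as the outside, a LAN of 192.168.0.0/24 on fxp0, and a 7.x kernel with IPFIREWALL, IPFIREWALL_NAT and LIBALIAS (or the ipfw_nat module loaded); change the three variables to suit. The ordering is the part worth studying: inbound packets are un-translated first so that check-state sees LAN addresses, outbound LAN packets create state on their untranslated addresses and then skipto the nat, and because a check-state match executes the action of the rule that created the state, later packets of the same flow take the same skipto and get translated as well. That only works with net.inet.ip.fw.one_pass=0; at the default of 1 a packet is accepted straight after a nat rule and never reaches the rules below it.

```shell
#!/bin/sh
# Added example (not from the thread or from /etc/rc.firewall): a small
# stateful ruleset around ipfw's in-kernel nat on FreeBSD 7. Assumptions:
# external interface tun0 (user-ppp), LAN 192.168.0.0/24 on fxp0, kernel
# built with IPFIREWALL, IPFIREWALL_NAT and LIBALIAS (or ipfw_nat loaded).
# Usage:  sh ipfw-nat.sh         print the commands (dry run, default)
#         sh ipfw-nat.sh apply   run them through ipfw(8)/sysctl(8) as root
oif=${oif:-tun0}
iif=${iif:-fxp0}
lan=${lan:-192.168.0.0/24}

nat_ruleset() {
    # Without this a packet is accepted right after a nat rule and never
    # reaches the rules below it; with it, nat is just a rewrite step.
    $sysctlcmd net.inet.ip.fw.one_pass=0
    $fwcmd -f flush
    # nat instance 1 follows whatever address tun0 holds and drops its
    # table when that address changes
    $fwcmd nat 1 config if "$oif" same_ports reset

    $fwcmd add 100 allow ip from any to any via lo0
    $fwcmd add 110 deny ip from any to 127.0.0.0/8
    $fwcmd add 120 deny ip from 127.0.0.0/8 to any

    # inbound on tun0: undo the translation first, so that check-state and
    # the rules after it see the LAN host's real address; then anti-spoof
    $fwcmd add 200 nat 1 ip from any to any in via "$oif"
    $fwcmd add 210 deny ip from "$lan" to any in via "$oif"
    $fwcmd add 300 check-state

    # outbound from the LAN: create state on the untranslated addresses,
    # then jump to the nat. A later packet of the same flow matches at
    # check-state and runs this rule's skipto again, so it is translated too.
    $fwcmd add 400 skipto 1000 tcp from "$lan" to any out via "$oif" setup keep-state
    $fwcmd add 410 skipto 1000 udp from "$lan" to any out via "$oif" keep-state
    $fwcmd add 420 skipto 1000 icmp from "$lan" to any out via "$oif"

    # the router's own traffic already carries the public address
    $fwcmd add 430 allow tcp from me to any out via "$oif" setup keep-state
    $fwcmd add 440 allow udp from me to any out via "$oif" keep-state
    $fwcmd add 450 allow icmp from me to any out via "$oif"
    $fwcmd add 460 allow icmp from any to any in via "$oif" icmptypes 0,3,11

    $fwcmd add 500 allow ip from any to any via "$iif"
    $fwcmd add 600 deny log ip from any to any

    # outbound translation; one_pass=0 lets the packet fall through to 1010
    $fwcmd add 1000 nat 1 ip from any to any out via "$oif"
    $fwcmd add 1010 allow ip from any to any
}

if [ "${1:-}" = apply ]; then
    fwcmd=/sbin/ipfw sysctlcmd=/sbin/sysctl
else
    fwcmd=echo sysctlcmd=echo
fi
nat_ruleset
```

Run it without arguments first and read the rule list it prints; ipfw show and ipfw -d list (the latter shows the dynamic rules) are the checks once it is loaded. Rule 1010 has to be an unconditional allow rather than out via tun0 only, because the de-translated inbound replies also arrive there by way of the skipto.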


Re: IPFW with user-ppp's NAT

2008-03-16 Thread Ian Smith
On Sun, 16 Mar 2008 18:20:12 +0100 (CET)
 Wojciech Puchar <[EMAIL PROTECTED]> wrote:
 > >>
 > >> what's wrong in userland natd?
 > >
 > > Performance.  With userland natd, every packet that passes through natd
 > > must pass from kernel to userland (causing one context switch) and back
 > > again (causing another context switch).  This will be slower and use more
 > > CPU than doing it all inside the kernel, without any context switches.
 > 
 > true, anyway for my two 2Mbps symmetric connection (all for nat), and 
 > three 4/0.5Mbit connections (part for nat, mostly for squid) all natd 
 > processes takes at most 3 percent of single core (core2duo).

Sure.  And with my little 512/128k ADSL link, soon 1500/256, I doubt you
could even measure the difference.  I haven't seen any comparative data
on high-performance boxes but as Erik points out, it may be significant. 

Just to make it clear, my point was that one reason for deprecating ipfw
is out the door, and that its development is ongoing.  I see rc.firewall
has had a recent facelift too, including a stateful 'workstation' type. 

(Sorry that our ancient mail setup blocked your mail; hopefully fixed.)

cheers, Ian

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: ARP(4) spoofing?

2008-03-17 Thread Ian Smith
In freebsd-questions Digest, Vol 207, Issue 2
On Mon, 17 Mar 2008 03:29:04 -0600 Modulok <[EMAIL PROTECTED]> wrote:
 > > > Would this be ARP(4) spoofing, or is it just me? How would I
 > > > confirm it?
 > > >
 > > > arp: 192.168.1.1 is on lo0 but got reply from xx:xx:xx:xx:xx:xx on em1
 > > > This is on a FreeBSD router, em1 is Internet-facing. 192.168.1.1 (em0)
 > > > is LAN facing and permanent entry in the arp cache. This happens
 > > > constantly and is slowly filling my log files.
 > 
 > > What does an "ifconfig -a" on your machine show? It looks like you've
 > > configured your loopback interface to also have 192.168.1.1
 > 
 > [-]Modulok> ifconfig -au inet
 > em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 > options=b<RXCSUM,TXCSUM,VLAN_MTU>
 > inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.255
 > em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 > options=b<RXCSUM,TXCSUM,VLAN_MTU>
 > inet 66.x.x.x netmask 0xff80 broadcast 66.x.x.255
 > lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
 > inet 127.0.0.1 netmask 0xff00
 > 
 > Just for fun, the entry in the arp cache:
 > 
 > [-]Modulok> arp -an | grep 192.168.1.1
 > ? (192.168.1.1) at (myEthernetAddress) on em0 permanent [ethernet]

You've omitted even obfuscated ether addresses, and haven't said if
xx:xx:xx:xx:xx:xx is one of yours or one of your LAN's or an unknown,
so I'm assuming the latter, and that address isn't shown by arp -an?

Does 'netstat -finet -rn' show anything useful re MACs connected?

 > Concerning the arp(4) DIAGNOSTICS section (Just thinking aloud here:)
 > "Physical connections exist to the same logical IP network on both if0 and
 > if1."
 > 
 > Doubtful: LAN---em0[FreeBSD]em1---modem---Internet

What sort of modem?  cable/DSL?  using PPPoE?  Router or bridge?  I'm
wondering if the modem might sometimes? think it was 192.168.1.1 too? Or
the ISP could be misconfigured, depending on how you're connected.  From
the above, looks like em1's on a /25 public subnet?

Best way to find out might be watching something like:
  # tcpdump -pen -i em1
adding such as 'not tcp and not udp' and/or 'and not port blah' and/or
'not host blah and ..' until it's not too busy.

If this is happening every 10 minutes, maybe there's a ping or udp
packet or such associated too? 

 > "an entry already exists in the ARP cache ... and the cable has been
 > disconnected from if0, then reconnected to if1."
 > 
 > Nope.
 > 
 > "This message can only be issued if the sysctl
 > net.link.ether.inet.log_arp_wrong_iface is set to 1"
 > 
 > While I could set the relevant sysctl variable to prevent it from
 > being logged, (which I'll probably end up doing) when strange things
 > happen, I usually like to know about them.

Yeah, usually best not swept under the carpet.

 > Disable the dynamic ARP cache on the external interface and make
 > permanent entries to the ISP's gateway and DNS servers? Perhaps.

What arp entries have you for these now?  (obscure at will, though the
first 3 octet manuf/product codes might be interesting/useful).  Still
don't get what your 'modem' is, if both/all these servers are visible.

 > However, in the event they ever change hardware (and fail to spoof
 > their previous ethernet address), I'd have to manually edit the ARP
 > cache...at 3:00am...on a Sunday. Plus these ARP replies, while
 > annoying, are not really harming anything as FreeBSD's ARP appears to
 > prevent address takeover via gratuitous, un-solicited, impersonating
 > ARP replies.

Sure, but it's (at least) misconfiguration, somewhere, by someone ..

 > Come to think of it, that might be it. I haven't looked into whether
 > or not these are replies triggered by requests from the local host (If
 > only I knew a way to do such a thing.) Logic initially rejects the

Again, tcpdump, running in as many terms as needed (here, two)

 > notion. As why would this box be sending out a gratuitous ARP request
 > every 10 minutes through the wrong interface for the given address?

Smells more like incoming so far, on em1 .. did I mention tcpdump? :)

cheers, Ian

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
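To make Ian's "did I mention tcpdump?" concrete, here is an added example (mine, not from the thread) that reads tcpdump -pen output and flags the two things worth flagging in this situation: an ARP reply claiming one of our own addresses with a MAC that is not ours, and a reply whose is-at MAC differs from the frame's source MAC, i.e. some station answering on behalf of another. The capture lines are constructed to look like tcpdump -e -n output; the addresses, MACs and the EXPECTED table are assumptions, and on the real box EXPECTED would be filled from ifconfig and arp -an.

```shell
#!/bin/sh
# Added example, not from the thread: read 'tcpdump -pen' output and flag ARP
# replies that claim one of our addresses with a foreign MAC, or that answer
# on behalf of some other station. Addresses and MACs below are constructed.

# Our own IP=MAC pairs, space separated. On the real box fill this from
# ifconfig / 'arp -an' for em0 and em1; the value here is an assumption.
EXPECTED=${EXPECTED:-"192.168.1.1=00:0e:0c:11:22:33"}

# arp_conflicts: stdin is tcpdump -e -n output; both the old "arp reply X is-at M"
# and the newer "Reply X is-at M," wording are handled. With -e the second
# field is the frame's source MAC, which an honest reply's is-at should equal.
arp_conflicts() {
    awk -v expected="$EXPECTED" '
    BEGIN {
        n = split(expected, pairs, " ")
        for (i = 1; i <= n; i++) { split(pairs[i], kv, "="); want[kv[1]] = kv[2] }
    }
    /is-at/ {
        src = $2
        for (i = 2; i < NF; i++) if ($i == "is-at") { ip = $(i - 1); mac = $(i + 1) }
        sub(/,$/, "", mac)
        if ((ip in want) && mac != want[ip])
            print ip, "claimed by", mac, "expected", want[ip], "frame from", src
        else if (mac != src)
            print ip, "reply from", src, "claims", mac
    }'
}

# Constructed capture on em1: a request (ignored), the upstream gateway
# answering for itself (fine), and a foreign station answering for 192.168.1.1.
sample_capture() {
    cat <<'EOF'
03:29:04.101001 00:0e:0c:11:22:34 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 203.0.113.1 tell 203.0.113.100, length 28
03:29:04.101502 00:50:56:01:02:03 > 00:0e:0c:11:22:34, ethertype ARP (0x0806), length 60: Reply 203.0.113.1 is-at 00:50:56:01:02:03, length 46
03:29:04.102118 00:1b:21:dd:ee:ff > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Reply 192.168.1.1 is-at 00:1b:21:dd:ee:ff, length 46
EOF
}

sample_capture | arp_conflicts
```

Live, that is tcpdump -l -pen -i em1 arp | arp_conflicts, the -l so tcpdump line-buffers into the pipe; -e is what puts the frame's source MAC on the line, which is the half of the check arp(8)'s log message does not give you. The first three octets of any MAC it prints are the OUI to look up, as Ian suggests.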


Re: mpd pptp server?

2008-03-19 Thread Ian Smith
On Wed, 19 Mar 2008 00:43:58 +0100 Jon Theil Nielsen <[EMAIL PROTECTED]> wrote:
 > 
 > I have tried some different ways to make a working VPN server on FreeBSD 7.0.
 > The main goal is to make it possible for Windows clients to access their
 > Samba home shares. I'm not sure if mpd is the best solution, but I will give
 > it a try.
 > I have installed /usr/ports/mpd4 and have the following configuration:

You'll do much better in freebsd-net@ with this.  I've copied Alexander
Motin, current author/maintainer, as he may not be watching [EMAIL PROTECTED] 

 > ==/usr/local/etc/mpd4/mpd.conf
 > startup:
 > 

Stuff like configuring the console and/or web interface, logging etc.

 > default:
 > load pptp1
 >

I'm not sure whether leading whitespace on non-label lines is still
required as with ppp.conf, but it can't hurt to follow the examples.

 > pptp1:
 > new -i ng0 pptp1 pptp1
 > set iface disable on-demand
 > set iface enable proxy-arp
 > set iface idle 0
 > set iface enable tcpmssfix
 > set bundle enable multilink
 > set link yes acfcomp protocomp
 > set link no pap chap
 > set link enable chap
 > set link keep-alive 10 60
 > set ipcp yes vjcomp
 > set ipcp ranges 192.168.1.4/32 192.168.1.151/32
 > set ipcp dns 192.168.1.4
 > set ipcp nbns 192.168.1.4
 > set link disable pap
 > set bundle enable compression
 > set ccp yes mppc
 > #set ccp yes mpp-e40
 > set ccp yes mpp-e128
 > set ccp yes mpp-stateless
 > #set bundle enable crypt-reqd
 > 
 > ==/usr/local/etc/mpd4/mpd.linksf

I assume 'mpd.linksf' is a typo ..

 > pptp1:
 > set link type pptp  ## define the link type protocol as PPTP
 > set pptp self 192.168.1.4  ## define the IP address on which MPD will run
 > set pptp enable incoming  ## define the connection as Incoming
 > set pptp disable originate ## enables PPTP connection for communication with the client
 > 
 > And then I also have a mpd.secrets file of course.
 > 
 > I can start the service, but I don't see any pptp interface after an
 > ifconfig command. And netstat -an does not show any port 1723 listening.
 > 
 > Do I need to have a customized kernel to make it work? Or are there any
 > obvious errors in the above configuration?

Can't help with pptp, I only use pppoe, but have posted this to bring it
to Alexander's attention.  He'll most likely want to see some logging ..

cheers, Ian

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: /var/named Changes Ownership to Root on Boot

2008-03-21 Thread Ian Smith
In freebsd-questions Digest, Vol 207, Issue 18, Message: 6
On Fri, 21 Mar 2008 08:54:36 -0500
   Martin McCormick <[EMAIL PROTECTED]> wrote:

 >  I think I fixed it but I am not sure I would have
 > figured it out quickly without the help from the list.
 > 
 >  It seems that FreeBSD defaults to a chroot of bind with
 > the tree owned by root. You can run bind in a sandbox as the
 > documentation says and have it chroot but if you do, and here's
 > the confusion, you had better disable FreeBSD's attempt to make
 > sure the /var/named tree is always owned by root which would be
 > fine if named ran as root.

I'm sorry, but you seem a tad confused about how named operates in
sandbox mode.  A thorough study of /etc/rc.d/named might help .. at
least, that's how I figured out how the whole chroot setup works. 

As Chuck Swiger pointed out, quoted below, it's only necessary (and for
security, desirable) for the =subdirectories= of /var/named/var to be
owned bind:wheel, not /var/named, nor /var/named/etc with the exception
of a couple of directories.  All this is setup (on each /etc/rc.d/named
start) by:

  mtree -deU -f /etc/mtree/BIND.chroot.dist -p ${named_chrootdir}

where /etc/mtree/BIND.chroot.dist is, on my 5.5-STABLE(ish) system:

# $FreeBSD: src/etc/mtree/BIND.chroot.dist,v 1.5.2.2 2004/11/11 04:08:16 gshapiro Exp $
[..]

/set type=dir uname=root gname=wheel mode=0755
.
    dev             mode=0555
    ..
    etc
        namedb
            dynamic     uname=bind
            ..
            master
            ..
            slave       uname=bind
            ..
        ..
    ..
/set type=dir uname=bind gname=wheel mode=0755
    var             uname=root
        dump
        ..
        log
        ..
        run
            named
            ..
        ..
        stats
        ..
    ..
..

 >  When you run it in a sandbox with a lower-priority UID,
 > you must make sure that at least one more little line appears in
 > rc.conf.local.
 > 
 > named_chrootdir=""   # Chroot directory (or "" not to auto-chroot it)

No, that STOPS named running in a chroot sandbox.  Which is fine if you
want to run it the old (considered insecure) way; is that what you want?

 > That's the key right there. If you use lines from rc.conf.local
 > from an older system such as pre-FreeBSD5, you don't need that
 > line and things work fine. If you don't have it on a FreeBSD5 or
 > newer system,
 > /etc/defaults/rc.conf supplies the default version of that line
 > which reads:
 > 
 > named_chrootdir="/var/named" # Chroot directory (or "" not to auto-chroot it)

That's right, and what you need to run it in the sandbox.

 > and one is seriously messed up from there on during the booting
 > process.

how 'messed up'?  That's how it's supposed to work.  You're supposed to
do bind configuration (/var/named/etc/namedb/named.conf etc) as root.

Ah, you might still have /etc/namedb as a directory, rather than a
symlink, if you'd done a source upgrade from 4.X to 5 or later?  If so,
(save and) delete it and let /etc/rc.d/named make the symlink for you,
then move your config to /var/named/etc/namedb

 >  I was confused and thought this would all help me keep
 > ownership of /var/named belonging to bind when, in fact, it does
 > just the opposite.

The whole point of the sandbox is to keep named, running as user bind,
from messing with anything out of its chroot environment if it were to
be compromised.  The actual chroot is performed in run_rc_command() in
/etc/rc.subr if you want to see the gorier details. 

 > Martin McCormick WB5AGZ  Stillwater, OK 
 > Systems Engineer
 > OSU Information Technology Department Network Operations Group
 > 
 > Chuck Swiger writes:
 > >/var/named is owned by root on all of my newer (5.x and later)  
 > >systems; I found an old 4.11 box with it owned by bind, though.  If  
 > >you're using named chroot'ed (as recommended), it will want /var/named/ 
 > >var/{dump/log/run/stats} writable by bind.

Yep, which is exactly what the mtree above does for you, every startup,
plus the dynamic and slave directories in (chrooted) /etc/namedb

The only problem I've struck with the chroot setup is a permission error
when trying to get debug (named.run) logging going, as named by default
wants to create the named.run file in the default directory (/etc/namedb
-> /var/named/etc/namedb) which is of course owned by root, but I'm sure
I just need to spend a bit more time with the reference manual:

 http://127.0.0.1/bind9ref/Bv9ARM.html

(where /usr/local/www/data/bind9ref -> /usr/local/share/doc/bind9/arm/)

to find out how to get this log made in /var/log ie /var/named/var/log
- but I'll wait till I've upgraded to 6.3 before trying that again.

cheers, Ian

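The ownership rules the mtree spec above encodes are the whole point of the sandbox, so here is an added example (my own code, not FreeBSD's mtree(8) and not from the thread) that parses that BIND.chroot.dist text and reports which directories named, running as bind, can actually write to. The spec text is the one quoted above; the "observed" ownership table is constructed to show what goes wrong when /var/named itself is chowned to bind, as discussed in the thread.

```python
"""Parse a BIND.chroot.dist-style mtree(8) spec and check ownership.

Added example for the chroot named reply above; it is not FreeBSD's
mtree(8) and not code from the list.  It handles the subset of spec
syntax the quoted BIND.chroot.dist uses: /set defaults, one entry per
line as 'name key=value ...', and '..' to leave the current directory.
The spec text is the one quoted in the thread; the 'observed' ownership
table is constructed to show the mistake discussed there.
"""
import shlex

SPEC = """\
/set type=dir uname=root gname=wheel mode=0755
.
dev mode=0555
..
etc
namedb
dynamic uname=bind
..
master
..
slave   uname=bind
..
..
..
/set type=dir uname=bind gname=wheel mode=0755
var uname=root
dump
..
log
..
run
named
..
..
stats
..
..
..
"""


def parse_mtree(text):
    """Return {relative_path: attrs} with the chroot root mapped to ''.

    Keywords from /set apply to every later entry until overridden or
    /unset; keywords on the entry line override them for that entry only.
    A directory entry opens a level: following entries are its children
    until the matching '..'."""
    defaults, stack, entries = {}, [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        words = shlex.split(line)
        if words[0] == '/set':
            defaults.update(w.split('=', 1) for w in words[1:])
        elif words[0] == '/unset':
            for key in words[1:]:
                defaults.pop(key, None)
        elif words[0] == '..':
            stack.pop()
        else:
            name, attrs = words[0], dict(defaults)
            attrs.update(w.split('=', 1) for w in words[1:])
            comps = [c for c in stack if c != '.'] + ([] if name == '.' else [name])
            entries['/'.join(comps)] = attrs
            if attrs.get('type', 'file') == 'dir':
                stack.append(name)
    return entries


def writable_by(entries, user):
    """Directories the given user owns: with mode 0755 those are the only
    places a process running as that user can create files."""
    return sorted(p for p, a in entries.items()
                  if a.get('uname') == user and a.get('mode') == '0755')


def check_tree(entries, observed):
    """[(path, expected_owner, observed_owner)] wherever they differ."""
    return [(p, a['uname'], observed.get(p))
            for p, a in sorted(entries.items())
            if observed.get(p) != a['uname']]


# Constructed observation: the spec's own owners, except that the chroot
# root (/var/named itself) has been chowned to bind, as the poster tried.
OBSERVED = {p: a['uname'] for p, a in parse_mtree(SPEC).items()}
OBSERVED[''] = 'bind'

if __name__ == '__main__':
    spec = parse_mtree(SPEC)
    print('bind may write in:', ', '.join(writable_by(spec, 'bind')))
    for path, want, got in check_tree(spec, OBSERVED):
        print(f"{path or '.'}: spec says {want}, found {got}")
```

Run as-is it lists the seven bind-owned directories (dynamic, slave, dump, log, run, run/named, stats) and flags the chroot root as owned by bind where the spec wants root; a real run of mtree -U, as in the rc.d script, would simply put that ownership back every boot.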


Re: Limiting apache's upload speed?

2008-04-13 Thread Ian Smith
On Sun, 13 Apr 2008 11:41:02 +0100 Patsy <[EMAIL PROTECTED]> wrote:
 > Hello list,
 > 
 > I am running FreeBSD 7.0-RELEASE (GENERIC), I am running Apache 2.2.6_2 
 > and hosting a small website with a few relatively small (500kB-900kB) 
 > photographs. I am doing so from a home ADSL connection in the UK and so 
 > I am estimating my upload capacity at 500kb/s.

Assuming that's 500kbit/s or maybe around 60KBytes/s ..

 > When I have apache enabled and serving the web page it seems to disrupt 
 > my other network programs - on my main computer (running Debian etch) 
 > Wengophone stutters and my browser slows down noticeably. When apache is 
 > disabled these problems disappear.

Like Manolis I suspect your outbound bandwidth is often being saturated
serving images.  Unless you leave yourself enough outbound bandwidth for
snappy delivery of requests and acks for inbound sessions, performance
suffers tragically.  Bandwidth limiting apache to maybe 400kbit/s should
leave you plenty of headroom (unless you're uploading torrents too :) 

 > I do not wish to take my website down and so I was hoping somebody would 
 > be able to tell me if it is possible to throttle apache's upload speed. 
 > It seems that this would provide a good solution - people will need to 
 > wait a little longer to see my page, but a change of waiting 3 seconds 
 > to waiting 6 seconds isn't terrible.
 > 
 > My router does not appear to have the option to throttle individual 
 > hosts/ports. Any advice on the matter would be appreciated.

The apache module should do that job.  For a more generic solution (and
perhaps anyway, given some crazed robots will suck down your whole site
xty times a day, if allowed) a firewall with pipe/queue management, like
Jeff's pf+altq, or ipfw+dummynet, can provide more fine-grained control.

cheers, Ian



Re: Limiting apache's upload speed?

2008-04-15 Thread Ian Smith
In freebsd-questions Digest, Vol 211, Issue 1
On Sun, 13 Apr 2008 Wojciech Puchar <[EMAIL PROTECTED]> wrote:

(quoting 2 separate messages, one of the occasional joys of digests :)

 > ADSL modems (at least this used by polish telecom) tend to choke when 
 > upload bandwidth is near max. delays gets even above 1000ms

and

 > probably not. at least here with polish telecom's ADSL services, just 
 > uploading one thing with ftp somewhere slows everything down, unless 
 > traffic management is used

Both are true - I've seen p2p uploads pushing pings towards 3000ms while
I'm trying! to work via ssh from outside - but it's nothing to do with
your ISP/telco in particular; it's just the nature of A(symmetric)DSL.

I'm only using ipfw+dummynet pipes for such so far, but hope to try out
WF2Q+ queuing soon to prioritise traffic so I can ease up on b/w limits. 

cheers, Ian



Re: brindging ath0 with re0 working, kinda, almost

2008-04-25 Thread Ian Smith
On Fri, 25 Apr 2008 19:05:47 +0100 (BST) Reinhold <[EMAIL PROTECTED]> wrote:

 > # block some known-bad ports without logging
 > #
 > block return-rst  in quick on $ext_if1 proto tcp from any to any port {
 > 111, 445, 1080, 6000, 6667 }
 > block return-icmp in quick on $ext_if1 proto udp from any to any port {
 > 137, 138, 139, 1434 }
 > block return-rst  in quick on $ext_if2 proto tcp from any to any port {
 > 111, 445, 1080, 6000, 6667 }
 > block return-icmp in quick on $ext_if2 proto udp from any to any port {
 > 137, 138, 139, 1434 }

Just an almost-OT aside, and I don't use pf, but port 139 (netbios-ssn) 
is done on TCP, not UDP.  My current same-intent sections for ipfw are: 

# first take out the vast bulk of inbound TCP bogons / scan noise:
crap="135,139,445,1433,2967,2968,4899,5900"
crap="${crap},1080,8000,8080,3128"
${fwadd} deny log $afew tcp from any to any $crap in via ${ext_if} setup
${fwadd} deny log $lots tcp from any to any in via ${ext_if} setup
[..]
# first cut out most of the heavy duty UDP noise (incl broken insiders)
junk="137,138,1433,1434"
junk="${junk},3544" # XP home calls home?  MS IPv6 'Teredo'
${fwadd} deny log $afew udp from any to any $junk via ${ext_if}

Some of the handbook firewall examples are mistaken about port 139 too.

cheers, Ian



Re: error mounting USB disk: Invalid argument

2008-05-31 Thread Ian Smith
On Sat, 31 May 2008 13:29:26 +0200 (CEST)
  Wojciech Puchar <[EMAIL PROTECTED]> wrote:

 > >> Then:
 > >>
 > >> # mount /dev/da0s1c /media/disk6
 > >> mount: /dev/da0s1c : Invalid argument
 > 
 > mount_msdosfs ?

Maybe.  But then it'd likely be /dev/da0s1 ..

Even if it's UFS, you wouldn't want to mount the 'c' partition.

Perhaps? 'mount /dev/da0s1a /media/disk6' or da0s1d maybe ..

Colin, what does 'fdisk da0' say?  How about 'bsdlabel da0s1' ?

 > > This is caused by the nmount system call returning EINVAL. Quoting from
 > > mount(2):
 > >
 > > [EINVAL] The super block for the file system had a bad magic
 > > number or an out of range block size.
 > >
 > > After partitioning and labeling the disk, did you make filesystems on
 > > the partitions with newfs?
 > >
 > > Roland

cheers, Ian



Re: change the file date and time

2008-06-07 Thread Ian Smith
On Fri, 06 Jun 2008 20:25:41 +0300 Georgi Tyuliev <[EMAIL PROTECTED]> wrote:

 > 1. How to mount Sony Ericsson k750i mobile phone with FreeBSD 7.0 ?

No idea.

 > 2. How to change automatically the file attributes (for example 'date') 
 > of large number of files?

For modification and/or access times, use touch(1)
For user:group ownership, use chown(1)
For file modes, use chmod(1)

 > For example: I have taken many photos with my Sony Ericsson k750i mobile 
 > phone and
 > the exact time end date is accessible (e.g. through F3 of the midnight 
 > commander),
 > but very often when copying the jpg's the file attributes change.

To preserve user/group ownership and modification/access timestamps on
files, use cp(1) with the -p flag.  Maybe mc doesn't do that correctly
on copying, though it should for a move, assuming that it uses mv(1)

cheers, Ian



Re: FreeBSD Security in Multiuser Environments

2012-04-02 Thread Ian Smith
In freebsd-questions Digest, Vol 408, Issue 10, Message: 5
On Sat, 31 Mar 2012 21:05:00 +0700 Erich Dollansky 
 wrote:
 > On Saturday 31 March 2012 20:26:14 Julian H. Stacey wrote:
[..]
 > > Da Rock wrote:
 > > > On 03/31/12 17:46, Julian H. Stacey wrote:
[..]
 > > > > schu...@ime.usp.br wrote:
 > > > >> Hello,
 > > > >>
 > > > >> I would like to raise a discussion about the security features
 > > > >> of FreeBSD as a whole and how they might be employed to actually
 > > > >> derive some meaningful guarantees.

 > > > > We have a list specialy for freebsd-security@. Please use it.

I thought this to be sensible advice.  Before seeing that I'd thought of 
copying it to rwatson@ who I figured might take an interest due to his 
involvement with Capsicum, acl(3) and such, but he certainly reads that 
list anyway (and more than likely, not this one :)

 > > > Hang on, hold the phone: The security list (specifically) is for 
 > > > security announcements. At least that what it said when I subscribed to 
 > > > it...
 > > 
 > > Wrong.

Correct :)

 > > For list of mail lists see:
 > >http://lists.freebsd.org/mailman/listinfo
 > > 
 > > Specifically:
 > >freebsd-secur...@freebsd.org
 > >http://lists.freebsd.org/mailman/listinfo/freebsd-security
 > > 
 > >freebsd-security-notificati...@freebsd.org
 > >http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications

 > this sounds very confusing for people who have simple question:
 > 
 > 'General system administrator questions of an FAQ nature are 
 > off-topic for this list, but the creation and maintenance of a FAQ is 
 > on-topic. Thus, the submission of questions (with answers) for 
 > inclusion into the FAQ is welcome. Such question/answer sets should 
 > be clearly marked as (at least "FAQ submission") such in the subject. 
 > '

schultz' post was nothing in the way of an FAQ issue, but a request for 
discussion of a wide range of system security issues, far indeed from a 
'simple question'.  Had you posted the two paragraphs before the one you 
quote above, this may have been a little clearer.  To wit:

"This is a technical discussion list covering FreeBSD security issues. 
The intention is for the list to contain a high-signal, low-noise 
discussion of issues affecting the security of FreeBSD.

"Welcome topics include Cryptography (as it relates to FreeBSD), OS bugs 
that affect security, and security design issues. Denial-of-service 
(DoS) issues are less important than problems that allow an attacker to 
achieve elevated privilege, but are still on-topic."

 > This sounds that 'schultz' would be wrong there.

Not at all Erich, quite the opposite in my view; as someone who's been 
subscribed to freebsd-security@ for 12 or so years, I look forward to 
seeing informed responses to some of schultz' issues.  In any event, 
{s,}he promptly took Julian's advice to post it there, where one aspect 
has already attracted responses from des@ and pjd@

The best way to get a good sense of what issues are acceptable and/or 
useful topics for which lists, without having to subscribe, is to browse 
a list's archives for several months.  Works for me.  In this case try:

http://lists.freebsd.org/pipermail/freebsd-security/

cheers, Ian


Re: current pids per tty

2012-04-04 Thread Ian Smith
In freebsd-questions Digest, Vol 409, Issue 5, Message: 3
On Wed, 04 Apr 2012 08:03:11 -0700, per...@pluto.rain.com wrote:
 > "ill...@gmail.com"  wrote:
 > 
 > > (there is an executable named /usr/bin/jobs, but . . .
 > > well run "cat /usr/bin/jobs" & see for yourself).
 > 
 > Whoa!  Does /usr/bin/jobs even work?
 > 
 >   $ cat /usr/bin/jobs
 >   #!/bin/sh
 >   # $FreeBSD: src/usr.bin/alias/generic.sh,v 1.2.10.1.4.1 2010/06/14 02:09:06 kensmith Exp $
 >   # This file is in the public domain.
 >   builtin ${0##*/} ${1+"$@"}
 > 
 > It looks as if generic.sh intends to have the same effect as the
 > builtin matching the name under which the script is run, but at
 > least for "jobs" I don't think it will DTRT because it will run
 > in the wrong context:
 > 
 > * The builtin "jobs" command will report all background jobs known
 >   to the shell in which it is issued.
 > 
 > * Because it is a shebang script, running /usr/bin/jobs will cause
 >   the shell in which it is run to fork/exec an instance of /bin/sh,
 >   and that instance will execute the /usr/bin/jobs script, thus it
 >   will be the new /bin/sh instance that executes _its_ builtin
 >   "jobs" command -- reporting nothing, since _that_ instance has not
 >   put anything into the background (and has no knowledge of what-all
 >   its parent shell may have put in the background).

Quite so:

t23# jobs -l
t23# sleep 60 &
[1] 86793
t23# jobs -l
[1]  + 86793 Running   sleep 60
t23# /usr/bin/jobs -l
t23# jobs -l
[1]  + 86793 Running   sleep 60
t23# sh
# jobs -l
# sleep 60 &
# jobs -l
[1] + 86819 Running   sleep 60
# /usr/bin/jobs -l
# jobs -l
[1] + 86819 Running   sleep 60
# exit
t23# jobs -l
[1]  + 86793 Running   sleep 60
t23# jobs -l
[1]86793 Done  sleep 60
t23# jobs -l
t23#

cheers, Ian


Re: Postfix + Courier IMAP local email problems

2012-04-15 Thread Ian Smith
In freebsd-questions Digest, Vol 410, Issue 12, Message: 2
On Sat, 14 Apr 2012 10:51:36 -0500 (CDT)
Robert Bonomi  wrote:
 | Ron  wrote:
 > > OK, I found the problem.  It was the hostname not being set correctly.  
 > > What threw me was that it was correct in the rc.conf file, but I did not 
 > > know you needed to reboot the machine to have it take effect.  It just 
 > > never occurred to me to run 'hostname' and see since I was seeing it 
 > > correctly in the rc.conf.
 > 
 > FYI, while it's true that rc.conf is processed only at boot time, you don't
 > _have_ to reboot when you make a change.  What you _do_ need to do is run
 > the same commands that the rc processing does.  Unfortunately, with the 
 > 'rc.d'-style process, where rc.conf just sets environment variables, and
 > everything else happens 'by magic', it can be a major effort to figure 
 > out -what- commands need to be run when you change something, and 'reboot'
 > *is* the simplest way to get the job done.  One reason _I_ much prefer
 > the "old" BSD-style '/etc/rc.boot' and '/etc/rc.local' approach.  It was
 > =far= simpler to see exactly what was going on, in what order, and with
 > what params.  Tracking stuff through the rc.d/* swamp is a 'project' -- 
 > there is a whole nuther 'command language' to master.  :((

It's really not all that complicated to change hostname(1)

t23# grep hostname /etc/rc.conf
hostname="t23.smithi.id.au"
t23# hostname
t23.smithi.id.au
t23# hostname boofar
t23# hostname
boofar
t23# csh
boofar# exit
exit
t23# hostname
boofar
t23# hostname t23.smithi.id.au
t23# hostname
t23.smithi.id.au

cheers, Ian


Re: Limiting closed port RST response

2012-05-01 Thread Ian Smith
In freebsd-questions Digest, Vol 413, Issue 4, Message: 7
On Tue, 01 May 2012 12:59:36 +0100 Arthur Chance  wrote:

 > Every once in a while the nightly periodic security checks tell me I've 
 > got a kernel message
 > 
 > Limiting closed port RST response from N to 200 packets/sec
 > 
 > where N > 200. The problem is that it doesn't say which port was 
 > involved. Is there any way to find that out so I can try tracking down 
 > the problem? AFAICT tcpdump doesn't have a way saying "closed ports on 
 > this machine" as a filter.

% sysctl -ad | grep vain
net.inet.tcp.log_in_vain: Log all incoming TCP segments to closed ports
net.inet.udp.log_in_vain: Log all incoming UDP packets

With sysctl net.inet.tcp.log_in_vain=1 you get a message per instance, 
likely aggregated into 'last message repeated N times' at those rates. I 
add ipfw rules for heavy hitters on particular ports &/or from 
particular hosts to cut both the noise and (albeit slight) load.

If you'd rather not have these (hardly uncommon) messages spamming 
/var/log/messages, use something along these lines in /etc/syslog.conf:

*.notice;authpriv.none;kern.!=info;mail.crit;news.err;ntp.err;local0.none;ftp.none	/var/log/messages
kern.=info						/var/log/kerninfo.log

# touch /var/log/kerninfo.log
# service syslogd restart

cheers, Ian


Re: Limiting closed port RST response

2012-05-02 Thread Ian Smith
On Wed, 2 May 2012, Arthur Chance wrote:
 > On 05/01/12 20:01, Ian Smith wrote:
 > > In freebsd-questions Digest, Vol 413, Issue 4, Message: 7
 > > On Tue, 01 May 2012 12:59:36 +0100 Arthur Chance
 > > wrote:
 > > 
 > >   >  Every once in a while the nightly periodic security checks tell me 
 > > I've
 > >   >  got a kernel message
 > >   >
 > >   >  Limiting closed port RST response from N to 200 packets/sec
 > >   >
 > >   >  where N>  200. The problem is that it doesn't say which port was
 > >   >  involved. Is there any way to find that out so I can try tracking down
 > >   >  the problem? AFAICT tcpdump doesn't have a way saying "closed ports on
 > >   >  this machine" as a filter.
 > > 
 > > % sysctl -ad | grep vain
 > > net.inet.tcp.log_in_vain: Log all incoming TCP segments to closed ports
 > > net.inet.udp.log_in_vain: Log all incoming UDP packets
 > 
 > Thanks, that's what I need.

There's another option you may want to consider, especially once you 
work out who or what's originating these.  From an /etc/sysctl.conf:

#% 9/8/6
net.inet.tcp.log_in_vain=1
net.inet.udp.log_in_vain=1

#% 7/10/8
# can't use this and respond to traceroutes
# net.inet.udp.blackhole: Do not send port unreachables for refused connects
# net.inet.udp.blackhole=1

# net.inet.tcp.blackhole: Do not send RST when dropping refused connections
#% 14/4/10 was 1, still see some resets sent (see /sys/netinet/tcp_input.c)
net.inet.tcp.blackhole=2

 > > With sysctl net.inet.tcp.log_in_vain=1 you get a message per instance,
 > > likely aggregated into 'last message repeated N times' at those rates. I
 > > add ipfw rules for heavy hitters on particular ports&/or from
 > > particular hosts to cut both the noise and (albeit slight) load.
 > 
 > This is on an internal LAN behind a firewall, so there isn't (I hope!)
 > anything external causing it. There's a motley bunch of hardware and software
 > sharing the LAN and I'd like to identify the source of the problem just for
 > my peace of mind.

Good idea.  There are a few reasons you may see inbound TCP connections 
you're not expecting, including general background noise from bots 
scanning everyone for everything, late responses from genuine outbound 
connection attempts, and bots hitting other sites using your forged IP 
address, so you get a bunch of SYN ACK packets out of the blue, most 
often from port 80 to some random (or particular) port.

If using udp.log_in_vain=1 too, you'll see such as late responses from 
DNS servers (even from localhost) and assorted bot scans, and at times 
unsolicited responses from DNS servers from someone/s again forging your 
IP address in requests, possibly on a large scale.  These may look like 
attacks on your system, but you're just one of many forged addresses, 
the attack being on (what you see as) the source system, big in 2010.

Happy hunting, Ian
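To put the two replies above into practice, here is an added example (my own code, not from the list and not part of FreeBSD) that reads the kernel's log_in_vain messages, expands syslogd's "last message repeated N times" lines, separates genuine probes from the SYN/ACK backscatter and stray DNS replies Ian describes, and drafts ipfw deny rules for the heavy hitters. The message bodies follow the format the kernel logs with net.inet.{tcp,udp}.log_in_vain=1; the syslog prefixes, hostnames, addresses (RFC 5737 documentation ranges), the 50-hit threshold and the rule numbers are all constructed for illustration.

```python
"""Aggregate log_in_vain kernel messages and draft ipfw deny rules.

Added example for the 'Limiting closed port RST response' replies; it is
not code from the list or from FreeBSD.  The message bodies follow the
formats the kernel logs with net.inet.{tcp,udp}.log_in_vain=1; the
syslog prefixes, hosts, addresses (RFC 5737 ranges), the threshold and
the rule numbers are constructed for illustration.
"""
import re
from collections import Counter

KERN = re.compile(
    r'^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ kernel: '
    r'Connection attempt to (?P<proto>TCP|UDP) '
    r'(?P<dst>[\d.]+):(?P<dport>\d+) from (?P<src>[\d.]+):(?P<sport>\d+)'
    r'(?: flags:0x(?P<flags>[0-9a-fA-F]{2}))?$')
REPEAT = re.compile(r'^.* last message repeated (?P<n>\d+) times$')

SYN, ACK = 0x02, 0x10       # TCP header flag bits

# Constructed sample of /var/log/messages (or kerninfo.log) lines.
SAMPLE = """\
May  1 03:12:07 t23 kernel: Connection attempt to TCP 192.0.2.10:445 from 198.51.100.7:53211 flags:0x02
May  1 03:12:07 t23 last message repeated 311 times
May  1 03:12:09 t23 kernel: Connection attempt to TCP 192.0.2.10:38124 from 203.0.113.5:80 flags:0x12
May  1 03:12:09 t23 last message repeated 40 times
May  1 03:12:11 t23 kernel: Connection attempt to UDP 192.0.2.10:1434 from 198.51.100.9:4321
May  1 03:12:11 t23 kernel: Connection attempt to UDP 192.0.2.10:50123 from 192.0.2.1:53
May  1 03:12:15 t23 kernel: Connection attempt to TCP 192.0.2.10:22 from 198.51.100.7:53400 flags:0x02
""".splitlines()


def classify(proto, flags, sport):
    """Separate real probes from the side effects Ian describes."""
    if proto == 'UDP':
        # an answer from port 53 to a closed port: a late reply to our own
        # query, or someone forged our address in a query to that server
        return 'dns-reply' if sport == 53 else 'udp-probe'
    if flags & SYN and flags & ACK:
        return 'backscatter'    # SYN/ACK we never asked for: our address was forged
    if flags & SYN:
        return 'syn-probe'      # a scan or a connect to a port we don't serve
    return 'other'


def aggregate(lines):
    """Count (proto, src, dport, kind); a 'last message repeated N times'
    line adds N to whichever key was logged immediately before it."""
    counts, last = Counter(), None
    for line in lines:
        m = KERN.match(line)
        if m:
            flags = int(m.group('flags') or '0', 16)
            kind = classify(m.group('proto'), flags, int(m.group('sport')))
            last = (m.group('proto'), m.group('src'), int(m.group('dport')), kind)
            counts[last] += 1
            continue
        r = REPEAT.match(line)
        if r and last is not None:
            counts[last] += int(r.group('n'))
    return counts


def draft_rules(counts, threshold=50, first=500, step=10, ext_if='rl0'):
    """ipfw deny rules for probing sources over the threshold.  Backscatter
    and stray DNS replies are evidence that someone else forged our address,
    so they are left for reporting rather than blocked."""
    rules, num = [], first
    for (proto, src, dport, kind), n in sorted(counts.items(), key=lambda kv: -kv[1]):
        if kind in ('syn-probe', 'udp-probe') and n >= threshold:
            rules.append(f'ipfw add {num} deny {proto.lower()} from {src} '
                         f'to any {dport} in via {ext_if} // {n} hits')
            num += step
    return rules


if __name__ == '__main__':
    counts = aggregate(SAMPLE)
    for key, n in counts.most_common():
        print(f'{n:6d}  {key}')
    print('\n'.join(draft_rules(counts)))
```

On the constructed sample only the 312 SYNs to port 445 from one host cross the threshold, so one deny rule comes out; the 41 SYN/ACKs from port 80 are reported as backscatter and left alone, since blocking the victim of a spoofing attack gains nothing. Feed it the real file with something like `aggregate(open('/var/log/kerninfo.log'))` and review the draft before loading it.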


Re: help debug bwn(4) wireless

2012-05-04 Thread Ian Smith
On Fri, 4 May 2012 21:03:07 +0100, Anton Shterenlikht wrote:
[..]
 > wlan0: flags=8843 metric 0 mtu 1500
 > ether 00:c0:49:58:00:fe
 > inet 192.168.1.104 netmask 0xff00 broadcast 192.168.1.255 
 > nd6 options=29
 > media: IEEE 802.11 Wireless Ethernet OFDM/36Mbps mode 11g
 > status: associated
 > ssid lagartixa channel 11 (2462 MHz 11g) bssid 00:18:39:e6:46:b6
 > country US authmode WPA2/802.11i privacy ON deftxkey UNDEF
 > AES-CCM 2:128-bit txpower 30 bmiss 7 scanvalid 450 bgscan
 > bgscanintvl 300 bgscanidle 250 roam:rssi 7 roam:rate 5 protmode CTS
 > wme roaming MANUAL
 > 
 > I run wpa_supplicant:
 > 
 > # wpa_supplicant -i wlan0 -c /etc/wpa_supplicant.conf 
 > Trying to associate with 00:18:39:e6:46:b6 (SSID='lagartixa' freq=2462 MHz)
 > Associated with 00:18:39:e6:46:b6
 > WPA: Key negotiation completed with 00:18:39:e6:46:b6 [PTK=CCMP GTK=CCMP]
 > CTRL-EVENT-CONNECTED - Connection to 00:18:39:e6:46:b6 completed (auth) 
 > [id=0 id_str=]
 > 
 > I got issued the ip address by my wireless router.
 > 
 > I see the card on the router:
 > 
 > DHCP Active IP Table  
 > DHCP Server IP Address:   192.168.1.1
 > Client Host Name IP Address  MAC Address Expires 
 >  192.168.1.104   00:c0:49:58:00:fe   23:58:54
 > 
 > I get /etc/resolv.conf set up automatically
 > (through the wired connection):
 > 
 > % cat /etc/resolv.conf
 > # Generated by resolvconf
 > search cable.virginmedia.net
 > nameserver 194.168.4.100
 > nameserver 194.168.8.100
 > 
 > 
 > But I just can't get the wireless connection,
 > even to the router:
 > 
 > % ping 192.168.1.1
 > PING 192.168.1.1 (192.168.1.1): 56 data bytes
 > ping: sendto: No route to host
 > ping: sendto: No route to host
 > ^C

What sayeth 'netstat -finet -rn' ?

cheers, Ian


Re: help debug bwn(4) wireless

2012-05-06 Thread Ian Smith
In freebsd-questions Digest, Vol 413, Issue 11, Message: 21
On Sat, 5 May 2012 19:26:00 -0400 (EDT) Chris Hill  wrote:
 > On Sat, 5 May 2012, Robert Bonomi wrote:
 > 
 > > Anton Shterenlikht  wrote;
 > 
 > [snip]
 > 
 > >> ...I still find the whole networking area perfectly impenetrable. (If 
 > >> you can recommend a really introductory book on the subject, I'd 
 > >> really appreciate it.
 > 
 > [snip]
 > 
 > > See also "TCP/IP Network Administration".  This is an "O'Reilley 
 > > Associates" book.  Virtually *everything* they publish is excellent. 
 > > If they've ever published an even mediocre book, _I_ have never 
 > > encountered it.
 > 
 > Anton, I'll second that recommendation. 'TCP/IP Network Administration' 
 > by Craig Hunt is an outstanding book; it taught me a lot about 
 > networking, really made the subject comprehensible. The other O'Reilly 
 > book that I found indispensable when getting started was 'Essential 
 > System Administration' by Aeleen Frisch. In fact, why don't I just "me 
 > too" about O'Reilly. Everything of theirs that I have seen has been 
 > excellent.

I'll third it Chris.  Apart from Tanenbaum's seminal 'Computer Networks' 
(qv) a decade earlier, I learned most of what I needed to setup mail, 
DNS, other servers and TCP/IP networking in general from Hunt's book.

I also borrowed Frisch's excellent book (for about five years :) and 
found it invaluable for all sorts of sysadmin tasks, including good 
shell scripting techniques, covering a wide range of unixish OSes.

Anton, I'm not sure what the state of the art is for multiple network 
profiles for such as wireless vs wired, home and work etc, but look 
around.  I recall one called just 'profile' from years ago, and more 
recently talk of 'failover' setups for wired/wireless nets (probably in 
n...@freebsd.org), but I've no time for hunting tonight.  Anyone?

cheers, Ian


Re: help debug bwn(4) wireless

2012-05-07 Thread Ian Smith
In freebsd-questions Digest, Vol 414, Issue 1, Message: 13
On Sun, 06 May 2012 21:48:19 +0100 Chris Whitehouse  wrote:
 > On 06/05/2012 17:31, Ian Smith wrote:
 > > Anton, I'm not sure what the state of the art is for multiple network
 > > profiles for such as wireless vs wired, home and work etc, but look
 > > around.  I recall one called just 'profile' from years ago, and more
 > > recently talk of 'failover' setups for wired/wireless nets (probably in
 > > n...@freebsd.org), but I've no time for hunting tonight.  Anyone?
 > 
 > Would that be lagg?
 > http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-aggregation.html

It would indeed, thanks Chris.  "Example 32-3. Failover Mode Between 
Wired and Wireless Interfaces" might almost meet Anton's requirements?

cheers, Ian


Re: Newsyslog | Cronjob faulty?

2012-05-18 Thread Ian Smith
In freebsd-questions Digest, Vol 415, Issue 4, Message: 12
On Wed, 16 May 2012 21:44:53 +0200 Jos Chrispijn  wrote:

 > At midnight (00.00) I run this cronjob from my crontab:
 > 
 > Crontab:
 > 00  *   *   *   *   root    newsyslog

By 'my' crontab, do you mean the system crontab, /etc/crontab ?

If so, that's nearly but not quite the default syntax of:

#minute hour    mday    month   wday    who     command
# Rotate log files every hour, if necessary.
0       *       *       *       *       root    newsyslog

Note the single '0'.  I don't know if '00' is valid.  And it doesn't 
mean 'at midnight', it means whenever the minute is 0, any hour, any 
day, any month, any weekday; ie newsyslog is run hourly, on the hour.

And the default entry in /etc/newsyslog.conf for maillog is:

/var/log/maillog                        640  7     *    @T00  JC

So it's newsyslog using newsyslog.conf(5) that creates maillog if it 
doesn't yet exist, rotates it to maillog.0 at midnight (T00), thereafter
compressing it with bzip2 (J).

 > For some reason this goes wrong; (if I run 'newsyslog' on any other 
 > time, there is no error message).
 > 
 > bzip2: Can't open input file /var/log/maillog.0: No such file or directory.
 > newsyslog: `bzip2 -f /var/log/maillog.0' terminated with a non-zero 
 > status (1)
 > 
 > /var/log:
 > -rw-r-----  1 root  wheel   63162 May 16 21:20 maillog
 > -rw-r-----  1 root  wheel     109 May 16 00:00 maillog.0.bz2
 > -rw-r-----  1 root  wheel   73674 May 16 00:00 maillog.1
 > -rw-r-----  1 root  wheel     111 May 15 00:00 maillog.2.bz2
 > -rw-r-----  1 root  wheel   73050 May 15 00:00 maillog.3
 > -rw-r-----  1 root  wheel     109 May 14 00:00 maillog.4.bz2
 > -rw-r-----  1 root  wheel  184042 May 14 00:00 maillog.5
 > 
 > Can somebody tell me what goes wrong here?

Looks likely two instances of newsyslog racing at midnight; one makes 
maillog.0.bz2 from the just-rolled maillog.0, the other finds maillog.0 
has disappeared before getting to run bzip2 on it?  So, two files per 
day, and the above message?

 > On my other FreeBSD server the same cronjob goes ok...

Check /etc/crontab and /etc/newsyslog.conf on both, and make sure you're 
not also trying to run a user crontab for root, apart from /etc/crontab?

cheers, Ian


Re: problems with networking and route command

2012-05-20 Thread Ian Smith
In freebsd-questions Digest, Vol 415, Issue 6, Message: 1
On Fri, 18 May 2012 08:07:16 -0400
David Banning  wrote:

 > > > It is machines that connect and receive via DHCP 192.168.1.2 and above 
 > > > that
 > > > can't connect to the internet though the server.  I don't know a whole
 > > > lot about route - I have been attempting a variation of route commands
 > > > without success.

[Chuck Swiger wrote:]
 > > You need to implement NAT on this box, since 192.168.0.0/16 is an 
 > > RFC-1918 unrouteable private network range.

 > I previously connected to the internet using ppp with the -nat option
 > and now my connection has changed - so that makes sense.
 > 
 > So I implemented natd.
 > 
 > Unfortunately natd does not work as yet.  I followed the setup as laid 
 > out in "man natd" and also used the layout in;
 > 
 > http://www.freebsddiary.org/ipfw.php

I've since seen Derek's response in the archives (I get the digests) at 
http://lists.freebsd.org/pipermail/freebsd-questions/2012-May/241035.html 
and I agree that 1998 is far too old to be of much use. I differ however 
about advisability of referring to the Handbook IPFW page, which frankly 
sucks - the only section of the Handbook that does, that I know of; you 
will find ipfw(8) and /etc/rc.firewall to be much better friends.

 > Here is my natd setup
 > 
 > 1. Compiled IPFIREWALL & IPDIVERT into my kernel - went fine.

Didn't need to, both will load from modules from the /etc/rc.d scripts. 
Many these days prefer to use in-kernel NAT (firewall_nat_enable="YES") 
instead, but natd still works as ever; you can always switch later.

 > Here is my rc.conf network related entries;
 > 
 > natd_enable="YES"
 > natd_interface="rl0"
 > natd_flags="-f /etc/natd.conf"
 > gateway_enable="YES"
 > ifconfig_rl0="inet 64.40.244.36 netmask 255.255.255.240"
 > defaultrouter="64.40.244.33"
 > ifconfig_vr0="DHCP"
 > ifconfig_vr0=up
 > ifconfig_vr0="inet 192.168.1.1"

Only the last ifconfig_vr0 counts, but that's ok, DHCP is for clients, 
not where vr0 gets its address from, right?  Ah, you fix that below ..

 > network_interfaces="rl0 vr0 lo0"
 > ifconfig_lo0="inet 127.0.0.1"
 > firewall_enable="YES"
 > firewall_script="/etc/firewall.rules"
 > firewall_type="simple"
 > firewall_logging="YES"

firewall_type only applies where firewall_script="/etc/rc.firewall", 
however that would be ignored by your custom /etc/firewall.rules.

 > dhcpd_ifaces="vr0"
 > dhcpd_enable="YES"
 > 
 > My firewall rules;
 > 
 > ipfw add 64000 allow ip from any to any
 > ipfw add divert natd all from any to any via rl0
 > ipfw add allow tcp from any to 192.168.2.1 139
 > ipfw add allow tcp from any to 192.168.1.1 139

That won't work; after specifying the current rule as 64000, subsequent 
unnumbered rules will be placed at 64100, 64200 etc - so they will never 
be reached.  If you put that 'allow all' at the end that would work, 
although a default policy of 'deny all' is very much safer.

 > ipfw add 6000 deny tcp from any to 64.40.244.36 139
 > ipfw add 6010 deny tcp from any to 64.40.244.36 445

These two will now be the first rules encountered, being so numbered.  
You'll also want to deny an awful lot more than NETBIOS packets to your 
outside address, see below.

 > ipfw add deny tcp from any to any 139

And that will go at the end, again after everything has been allowed.  
Always use 'ipfw list' or 'ipfw show' to check your running ruleset.

I would seriously advise you to consider using the rc.firewall 'simple' 
ruleset, at least as a basis, for a setup like yours.  It's designed 
specifically to protect small networks, and particularly to place the 
NAT rules in just the right place between inbound and outbound 
anti-spoofing rules.  See /etc/defaults/rc.conf for the variables you can 
set that should work more or less out of the box, though you may want to 
modify rc.firewall (or better, a copy of it, say rc.myfirewall) if you 
need to add any particular rules for specific services you need.

It will also protect your IPv6 network, if that's relevant to you.

 > My /etc/natd.conf;
 > 
 > interface rl0
 > use_sockets yes
 > same_ports yes

Should be ok.  You already have natd_interface="rl0" in rc.conf.
Consider 'unregistered_only yes', particularly if not using the 
anti-spoofing rules provided in rc.firewall 'simple'.

 > My /etc/services includes the line;
 > 
 > natd 8668/divert  # Network Address Translation socket
 > 
 > Output of ifconfig;
 > 
 > # ifconfig
 > fwe0: flags=8802 mtu 1500
 > ether 02:11:d8:b3:0e:43
 > ch 1 dma -1
 > vr0: flags=8843 mtu 1500
 > inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
 > inet6 fe80::16d6:4dff:fe47:88ae%vr0 prefixlen 64 scopeid 0x2 
 > ether 14:d6:4d:47:88:ae
 > media: Ethernet autoselect (100baseTX )
 > status: active
 > rl0: flags=8843 mtu 1500
 > inet 64.40.244.36 netmask 0xfffffff0 broadcast 64.40.244.47
 > inet6 fe80::211:95ff:fe66:7162%rl0 prefixle

Re: ipfw subnetting

2012-05-21 Thread Ian Smith
In freebsd-questions Digest, Vol 416, Issue 1, Message: 26
On Mon, 21 May 2012 10:06:12 +0100 Paul Macdonald  wrote:

 > can anyone suggest what i'm doing wrong here.
 > 
 > Desired:drop everything from 180.0.0.0 to 180.255.255.255
 > 
 > ipfw -q add 137 deny all from 180.0.0.0/8 to any

t23# ipfw -q add 137 deny all from 180.0.0.0/8 to any
t23# ipfw show 137
00137     0     0 deny ip from 180.0.0.0/8 to any

So what doesn't work?  (apart from scattergun removal of small pieces of 
a whole lot of Asian countries, incl. Japan, Indonesia, Australia, .. :)

cheers, Ian
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"


Re: ipfw subnetting

2012-05-21 Thread Ian Smith
On Mon, 21 May 2012 16:30:59 +0100, Paul Macdonald wrote:
 > On 21/05/2012 14:50, Ian Smith wrote:
 > > In freebsd-questions Digest, Vol 416, Issue 1, Message: 26
 > > On Mon, 21 May 2012 10:06:12 +0100 Paul Macdonald  wrote:
 > > 
 > >   >  can anyone suggest what i'm doing wrong here.
 > >   >
 > >   >  Desired:drop everything from 180.0.0.0 to 180.255.255.255
 > >   >
 > >   >  ipfw -q add 137 deny all from 180.0.0.0/8 to any
 > > 
 > > t23# ipfw -q add 137 deny all from 180.0.0.0/8 to any
 > > t23# ipfw show 137
 > > 00137     0     0 deny ip from 180.0.0.0/8 to any
 > > 
 > > So what doesn't work?  (apart from scattergun removal of small pieces of
 > > a whole lot of Asian countries, incl. Japan, Indonesia, Australia, .. :)

 > it was intended as a required temporary measure,
 > but even though it was listed in my ipfw list, i was/am still seeing traffic
 > coming in via addresses such as 180.248.x.x

Ok.  Coming in to what service/s?

 > A very open firewall test script is as follows:
 > 
 > 00010 allow ip from any to any via lo0
 > 00081 deny log ip from 180.0.0.0/8 to any
 > 00100 check-state
 > 00101 allow tcp from any to any established
 > 00102 allow ip from any to any out keep-state
 > 00103 allow icmp from any to any
 > 65535 deny ip from any to any
 > 
 > but i'm still seeing traffic from
 > 
 > 180.149.29.102

Banglalion Communications Ltd. WiMAX Operator. Bangladesh.

 > 180.234.116.61
 > 180.234.36.44
 > 180.234.237.119
 > 180.234.72.115

Augere Wireless Broadband Bangladesh Limited. (FWIW)

 > I must be doing something wrong!

If you're using just that order, denying 180/8 BEFORE the check-state, 
then incoming traffic from 180/8 not being dropped (and logged) at rule 
81 would represent a serious bug in ipfw, worthy of a PR.  But this 
may not be quite as it seems .. for example, even when dropped you'll 
see such packets from tcpdump, which are hooked before the firewall.

Where and how, past the firewall, are you detecting this traffic?  What 
sort of traffic?  Are you sure sysctl net.inet.ip.fw.enable=1 ? Seeing 
`ipfw show` over a period, even better `ipfw -t show` with timestamps, 
could convince us the firewall was actually otherwise working ..

In your later post to Michael you had that rule 137 AFTER check-state, 
which means that packets from 180/8 - in response to outbound requests 
by you (or your rootkit :) to those addresses - might indeed pass.

 > 00102 allow ip from any to any out keep-state

keep-state for 'ip' or 'all' traffic (rather than specifying tcp, udp or 
icmp) doesn't make much sense, and could have dangerous consequences of 
allowing any sort of return traffic from (say) 180/8 initiated from your 
end, but only if check-state were BEFORE you've denied 180/8 traffic.

Rather than show the script, please post results from ipfw show, and a 
few of the log entries of denied packets (with your addresses obscured 
if need be).  And some logging from where you're detecting those hosts?

cheers, Ian

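The two ordering points Ian makes, that unnumbered `ipfw add` rules land after a numbered 64000 and can never be reached (the rc.conf thread above), and that a deny placed after `check-state` lets reply packets from 180/8 through while a deny before it blocks them (this thread), as a constructed Python model of ipfw's auto-numbering and first-match evaluation. This is an added example, not ipfw's own code: the addresses 192.0.2.10 and 203.0.113.5, the ports, and the 5-tuple dynamic-state model are assumptions, and `divert natd`, `via`, `established` and `me` are deliberately not modelled.

```python
"""Toy model of ipfw(8) rule numbering and first-match evaluation (constructed, not ipfw)."""
import ipaddress

AUTOINC_STEP = 100      # default net.inet.ip.fw.autoinc_step
DEFAULT_RULE = 65535    # implicit final rule; modelled here as deny ip from any to any


def parse(text):
    """Parse `check-state` or `action proto from src to dst [dport] [in|out] [keep-state]`.
    Addresses are 'any' or a host/CIDR string; other ipfw options are not supported."""
    t = text.split()
    rule = {"check_state": t[0] == "check-state", "keep_state": "keep-state" in t,
            "action": None, "proto": None, "src": "any", "dst": "any", "dport": None, "dir": None}
    if rule["check_state"]:
        return rule
    rule["action"], rule["proto"] = t[0], t[1]
    rule["src"] = t[t.index("from") + 1]
    j = t.index("to") + 1
    rule["dst"] = t[j]
    if j + 1 < len(t) and t[j + 1].isdigit():
        rule["dport"] = int(t[j + 1])
    rule["dir"] = "in" if "in" in t else "out" if "out" in t else None
    return rule


def _addr_ok(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(rule, p):
    return ((rule["proto"] in ("ip", "all") or rule["proto"] == p["proto"])
            and _addr_ok(rule["src"], p["src"]) and _addr_ok(rule["dst"], p["dst"])
            and (rule["dport"] is None or rule["dport"] == p["dport"])
            and (rule["dir"] is None or rule["dir"] == p["dir"]))


def pkt(proto, src, sport, dst, dport, direction):
    """A constructed packet holding only the fields this model inspects."""
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport, "dir": direction}


class Ruleset:
    def __init__(self):
        self.rules = []   # (number, parsed rule), kept sorted; equal numbers keep add order
        self.dyn = set()  # dynamic state: 5-tuples created by keep-state rules

    def add(self, text, number=None):
        """Unnumbered rules go to (highest existing number + autoinc_step), as ipfw(8) documents."""
        if number is None:
            last = self.rules[-1][0] if self.rules else 0
            number = last + AUTOINC_STEP if last < DEFAULT_RULE - AUTOINC_STEP else last
        self.rules.append((number, parse(text)))
        self.rules.sort(key=lambda r: r[0])   # stable sort preserves insertion order per number
        return number

    def numbers(self):
        return [n for n, _ in self.rules]

    def evaluate(self, p):
        """Return (action, rule number) of the first matching rule, like ipfw's first-match."""
        fwd = (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["proto"], p["dst"], p["dport"], p["src"], p["sport"])
        for number, r in self.rules:
            if r["check_state"] or r["keep_state"]:   # keep-state implies a check-state
                if fwd in self.dyn or rev in self.dyn:
                    return ("allow", number)
            if r["check_state"]:
                continue
            if matches(r, p):
                if r["keep_state"]:
                    self.dyn.add(fwd)
                return (r["action"], number)
        return ("deny", DEFAULT_RULE)


def numbered_then_unnumbered():
    """The rc.conf thread's ordering: 'allow all' at 64000, then unnumbered rules, then 6000."""
    fw = Ruleset()
    fw.add("allow ip from any to any", 64000)              # divert natd rule omitted (NAT not modelled)
    fw.add("allow tcp from any to 192.168.1.1 139")        # lands at 64100, never reached
    fw.add("deny tcp from any to 64.40.244.36 139", 6000)  # explicit number, becomes the first rule
    fw.add("deny tcp from any to any 139")                 # lands at 64200, after the allow-all
    return fw


def deny_versus_check_state(deny_first):
    """Paul's ruleset with the 180/8 deny at 81 (before check-state) or at 137 (after it)."""
    fw = Ruleset()
    if deny_first:
        fw.add("deny ip from 180.0.0.0/8 to any", 81)
    fw.add("check-state", 100)
    fw.add("allow ip from any to any out keep-state", 102)
    if not deny_first:
        fw.add("deny ip from 180.0.0.0/8 to any", 137)
    # an outbound request to a 180/8 host creates dynamic state ...
    fw.evaluate(pkt("tcp", "192.0.2.10", 40000, "180.149.29.102", 80, "out"))
    # ... then its reply comes back in, and an unrelated 180/8 host probes port 22
    reply = pkt("tcp", "180.149.29.102", 80, "192.0.2.10", 40000, "in")
    probe = pkt("tcp", "180.234.116.61", 55555, "192.0.2.10", 22, "in")
    return fw.evaluate(reply), fw.evaluate(probe)
```

With the deny at 81 both the reply and the probe stop at rule 81; with it at 137 the reply is accepted by `check-state` at 100 and only the unsolicited probe reaches the deny, which is exactly the difference Ian describes, and why `ipfw show` (rather than the script) is the thing to read when checking which rule actually fired.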

Re: Newsyslog | Cronjob faulty? (fwd)

2012-05-27 Thread Ian Smith
Jos, did you not get my response to your original query over a week ago?

I see it made the list archives.  Anyway this second time around, Robert 
Bonomi wins gold for the best guess, with even fewer clues to go on :-)

cheers, Ian  (who probably said too much, but doesn't resile)

-- Forwarded message --
Date: Sat, 19 May 2012 05:03:23 +1000 (EST)
From: Ian Smith 
To: Jos Chrispijn 
Cc: freebsd-questions@freebsd.org
Subject: Re: Newsyslog | Cronjob faulty?

In freebsd-questions Digest, Vol 415, Issue 4, Message: 12
On Wed, 16 May 2012 21:44:53 +0200 Jos Chrispijn  wrote:

 > At midnight (00.00) I run this cronjob from my crontab:
 > 
 > Crontab:
 > 00      *       *       *       *       root    newsyslog

By 'my' crontab, do you mean the system crontab, /etc/crontab ?

If so, that's nearly but not quite the default syntax of:

#minute hour    mday    month   wday    who     command
# Rotate log files every hour, if necessary.
0       *       *       *       *       root    newsyslog

Note the single '0'.  I don't know if '00' is valid.  And it doesn't 
mean 'at midnight', it means whenever the minute is 0, any hour, any 
day, any month, any weekday; ie newsyslog is run hourly, on the hour.

And the default entry in /etc/newsyslog.conf for maillog is:

/var/log/maillog                640  7     *    @T00  JC

So it's newsyslog using newsyslog.conf(5) that creates maillog if it 
doesn't yet exist, rotates it to maillog.0 at midnight (T00), thereafter
compressing it with bzip2 (J).

 > For some reason this goes wrong; (if I run 'newsyslog' on any other 
 > time, there is no error message).
 > 
 > bzip2: Can't open input file /var/log/maillog.0: No such file or directory.
 > newsyslog: `bzip2 -f /var/log/maillog.0' terminated with a non-zero 
 > status (1)
 > 
 > /var/log:
 > -rw-r-----  1 root  wheel   63162 May 16 21:20 maillog
 > -rw-r-----  1 root  wheel     109 May 16 00:00 maillog.0.bz2
 > -rw-r-----  1 root  wheel   73674 May 16 00:00 maillog.1
 > -rw-r-----  1 root  wheel     111 May 15 00:00 maillog.2.bz2
 > -rw-r-----  1 root  wheel   73050 May 15 00:00 maillog.3
 > -rw-r-----  1 root  wheel     109 May 14 00:00 maillog.4.bz2
 > -rw-r-----  1 root  wheel  184042 May 14 00:00 maillog.5
 > 
 > Can somebody tell me what goes wrong here?

Looks likely two instances of newsyslog racing at midnight; one makes 
maillog.0.bz2 from the just-rolled maillog.0, the other finds maillog.0 
has disappeared before getting to run bzip2 on it?  So, two files per 
day, and the above message?

 > On my other FreeBSD server the same cronjob goes ok...

Check /etc/crontab and /etc/newsyslog.conf on both, and make sure you're 
not also trying to run a user crontab for root, apart from /etc/crontab?

cheers, Ian


Re: Address to reach human operator regarding problems with list?

2012-05-30 Thread Ian Smith
In freebsd-questions Digest, Vol 417, Issue 4, Message: 26
On Wed, 30 May 2012 06:31:38 -0400 "Thomas Mueller"  
wrote:

 [Matthew Seaman wrote:]
 > > freebsd-questions-owner@... is correct, except that to my knowledge
 > > there isn't really a moderator for freebsd-questions (it's an open list
 > > that anyone can post to without having to be a member) and that address
 > > ultimately gets dealt with by postmas...@freebsd.org.

'Ultimately' being operative; I gather it rather depends on workload.  
It does sound a little odd that writing to freebsd-questions-owner@ is 
interpreted as mail to a subs-only list (moderators@), which may be well 
down the TODO queue of the postmaster@ team.

 > > The message you got about "held for moderation" is standard boiler-plate
 > > from mailman, and probably not appropriate for your specific circumstances.

I think mentioning the whole circumstance to postmaster@, including the 
result of posting to freebsd-questions-owner@ could be worthwhile; I 
wouldn't suggest every little mail issue should go to postmaster@, but 
apart from Tom's immediate problem, there may be a functional issue.

 > > On the whole though, you shouldn't need to contact anyone about the
 > > warning you received.   It generally occurs when your mail system
 > > rejects messages from the freebsd-questions@... list as spam.  As there
 > > is a certain amount of spam that does appear on the list, this is an
 > > absolutely legitimate practice: trouble is, it's hard for the FreeBSD
 > > mail system to distinguish deliberate non-acceptance of spam from
 > > accidental non-acceptance of traffic due to a broken mailer.

Indeed.  Considering the number of lists and the number of subscribers, 
I think mailman (and spamassassin recipes) do a great job, though it's 
always going to be a battle chasing the latest spammer techniques; the 
recent spamruns with multiple 'From:' addresses being a case in point, 
not a pretty look seeing spam 'apparently' by FreeBSD committers ..

 > > Mailman has an adaptive system that scores you based on how many rejects
 > > you generate in a certain time period.  If you log into mailman at eg.
 > > http://lists.freebsd.org/mailman/options/freebsd-questions
 > > you can see your current score.  Mine is currently 2.0 (out of 5.0) and
 > > has been about that for quite some time.  So long as your score is not
 > > too large, I wouldn't worry about the message you received.  Even if
 > > your score does go over the threshold, you can just use that same
 > > interface to re-enable delivery.

I hadn't checked for ages, but see my score is now 1.0, probably from a 
couple of days downtime last month ie delayed delivery.  This would help 
Tom see if mailman 'knows' anything about his problem, but not what was 
happening to cause that?

 > I contacted my Internet service provider, Insight Cable, about the 
 > problem, and they need a copy of any message that bounces, so they 
 > can see what went awry.

Bit strange asking you to provide copies of messages you didn't get :)

Are they providing your inbound MX server, ie is that where your mail is 
received?  I gather you're not running your own mailserver.  It should 
not be hard to find any such bounces from/to mx2.freebsd.org in their 
mail or spam logs, if it was they who bounced them?  If not, who did?

 > So I can't just ignore the problem.

I rather suspect that even if each bounce is logged at freebsd.org (and 
it might be some task to find yours, beyond that they've been counted), 
that it could be non-trivial to locate the offending source messages.  
Not impossible, Message-IDs are likely logged, but last-resort stuff.

OTOH this may be something postmaster@ does routinely, what do I know :)

 > Maybe I should resend the message to postmas...@freebsd.org instead 
 > of freebsd-questions-ow...@freebsd.org?
 > 
 > This problem relates to FreeBSD emailing lists in general, not just 
 > one list such as questions@ .

Yes, in this case I think you should, after exploring the options 
Matthew outlined.  Be sure to show complete headers of any and all 
messages you need to forward to postmaster@.

cheers, Ian


Re: Proper Port Forwarding

2012-06-07 Thread Ian Smith
In freebsd-questions Digest, Vol 418, Issue 10, Message: 7
On Wed, 06 Jun 2012 14:31:24 -0400 "Simon"  wrote:

 > Can someone suggest an alternative/proper way to port forward using ipfw. 
 > Right now I have the following and some bad clients cause too many FIN_WAIT_2 state
 > 
 > fwd IP,PORT2 tcp from any to me dst-port PORT1 keep-state
 > 
 > This easily causes DoS for when too many FIN_WAIT_2 are created and IPFW
 > stops forwarding using the rule above because of "too many dynamic rules"

Michael's and Dan's suggestions of adjusting sysctl net.inet.ip.fw.dyn* 
variables are good; consider also using 'limit' instead of 'keep-state', 
which works the same except limiting the number of open connections to a 
specified number.  See ipfw(8) /limit and /EXAMPLES for more, but eg:

 fwd IP,PORT2 tcp from any to me dst-port PORT1 limit src-addr 9

to prevent any one source address opening more than 9 connections, or

 fwd IP,PORT2 tcp from any to me dst-port PORT1 limit dst-port 42

to limit total open connections by everyone to dst-port PORT1 to 42.

cheers, Ian


Re: how to allow by MAC

2012-06-10 Thread Ian Smith
In freebsd-questions Digest, Vol 418, Issue 18, Message: 1
On Sun, 10 Jun 2012 17:43:39 +0800 Bill Yuan  wrote:

 > how to allow by MAC in ipfw
 > 
 > currently i set the rule like below
 > 
 > 1  allow ip from any to any MAC any to 
 > 1  allow ip from any to any MAC  any
 > 2 deny all from any to any
 > 
 > i want to only allow the mac address to go through the freebsd firewall,
 > 
 > but I found it is not working on my freebsd but it works on pfsense!
 > 
 > so maybe that means the environment is not the same ? and how to setup the
 > ipfw properly to support this ?

Bill, you did get some good clues in the earlier thread, but it's not 
clear if you took note of them.  There's also been some confusion ..

Firstly, read up on layer2 (ethernet, MAC-level) filtering options in 
ipfw(8).  Thoroughly, several times, until you've got it.  Seriously.

After enabling sysctl net.link.ether.ipfw=1 (add it to /etc/sysctl.conf) 
ipfw will be invoked 4 times instead of the normal 2, on every packet.

Read carefully ipfw(8) section 'PACKET FLOW', and see that only on the 
inbound pass invoked from ether_demux() and the outbound pass invoked 
from ether_output_frame() can you test for MAC addresses (or mac-types); 
the 'normal' layer3 passes examine packets that have no layer2 headers.

You could just add 'layer2' to any rules filtering on MAC addresses, and 
omit MAC addresses from all layer 3 (IP) rules, but I'd recommend using 
a method like shown there to separate layer2 and layer3 flows early on:

   # packets from ether_demux
   ipfw add 10 skipto 1000 all from any to any layer2 in
   # packets from ip_input
   ipfw add 10 skipto 2000 all from any to any not layer2 in
   # packets from ip_output
   ipfw add 10 skipto 3000 all from any to any not layer2 out
   # packets from ether_output_frame
   ipfw add 10 skipto 4000 all from any to any layer2 out
 
So at (eg) 1000 and 4000 place your incoming and outgoing MAC filtering 
rules (remembering the reversed order of MAC addresses vs IP addresses, 
and to allow broadcasts as well), pass good guys and/or block bad guys, 
then deal with your normal IPv4|v6 traffic in a separate section(s).

Or you could just split the flows into two streams, one for layer2 for 
your MAC filtering, the other for layer3, ie the rest of your ruleset.

HTH, Ian  [please cc me on any reply]


Re: Is this something we (as consumers of FreeBSD) need to be aware of?

2012-06-11 Thread Ian Smith
In freebsd-questions Digest, Vol 418, Issue 19, Message: 23
On Sun, 10 Jun 2012 16:56:49 -0400 Jerry  wrote:
 > On Sun, 10 Jun 2012 22:06:26 +0200
 > Julian H. Stacey articulated:
[..]
 > >As a start here's :  http://berklix.org/uefi/
 > >
 > >URLs welcome. Contact names welcome. Volunteers welcome.
 > 
 > It is posts like this that basically turn my stomach. A product, any
 > product, should succeed or fail based on its own merits and not because
 > some government agency aided or thwarted it. Most, if not nearly all, PC
 > manufacturers exist solely because of Microsoft. The PC market balloons
 > every time Microsoft releases a new version of Windows. Seriously now,
 > how many PCs were sold because FreeBSD released version 9 of its OS? If
 > you want to beat someone, you make a better product. You don't go
 > running to your mamma asking for protection. That stinks of
 > socialism/fascism. The UEFI specification has existed for years.
 > Supposedly, Linux has been capable of using it for 8+ years. I have
 > no idea if FreeBSD is even capable of handling it. It wouldn't
 > surprise me if it couldn't though. What this really tells me is that
 > there has been way too much procrastination by the FOSS. Microsoft
 > simply took advantage of an existing standard (remember "standards",
 > something the FOSS is always crying about) and now FOSS is begging for
 > mercy. This is more than just slightly funny, it is pathetic. If 1% of
 > the effort of spreading this BS over UEFI had gone into working on a
 > solution for UEFI two years ago, we wouldn't be having this discussion
 > at all.

I've been wondering when this topic would summon our longest-serving 
resident troll for Microsoft out of the woodwork for a proper full-tilt 
rant, replete with the inimitable "socialism/fascism" jibe.  Gotta love it!

Ian


Re: how to allow by MAC

2012-06-13 Thread Ian Smith
On Mon, 11 Jun 2012 15:18:18 -0700, Randal L. Schwartz wrote:
 > > "Bill" == Bill Yuan  writes:
 > Bill> I want to create a white list MAC address,  Only the machine which 
 > Bill> its MAC in the white list will be allowed,  all others will be blocked.
 > 
 > Bad idea.  Since (a) every MAC address that *is* allowed is transmitted
 > in the clear and (b) it's trivial to spoof a MAC address.
 > 
 > This. is. no. security.

Indeed, that's right Randal.  But I got the impression from Bill's mails 
that this is more likely just something inside his internal network.

 > Please stop even trying.

Well I don't think learning how to use ipfw properly at layer2 is a bad 
idea in itself, and I wouldn't want to discourage anyone from that.

For some years I ran a filtering transparent bridge with ipfw + dummynet 
for a small network of about 20 mostly W98, XP and Mac boxes sharing one 
slow ADSL gateway between various assorted community groups (talk about 
herding cats! :) and MAC filtering was one of the handiest tools when 
some box or other got owned (again!) by some virus and started spewing 
spam, provider complains and/or cuts access .. you know the deal.

In that sort of environment, none of the punters had any clue about 
forging MACs or anything vaguely like that, and it stopped people 
randomly plugging boxes into the network.  Horses for courses.

I replied in more detail to another from Bill privately, copy follows.

cheers, Ian

