SSH XForwarding Failure
I have absolutely no clue why this isn't working. xauth is installed, $DISPLAY is localhost:10.0, XForwarding is enabled in sshd_config and I invoked ssh with -X.

%/usr/local/bin/xauth list
phantomcircuit.mine.nu/unix:11  MIT-MAGIC-COOKIE-1  eea299b0035168d92d95659436874a80
phantomcircuit.mine.nu/unix:12  MIT-MAGIC-COOKIE-1  e05b1ac4522781c3be2049a35782b704
phantomcircuit.mine.nu/unix:10  MIT-MAGIC-COOKIE-1  c9c16e95897333c3f300817f50ef9344
%/usr/local/bin/xauth list :0.0
%echo $DISPLAY
localhost:10.0
%

Attempt to use XForwarding:

$ ssh -Xvv phantomcirc...@covertinferno.org
OpenSSH_5.1p1 Debian-3ubuntu1, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to covertinferno.org [76.199.103.250] port 22.
debug1: Connection established.
debug1: identity file /home/username/.ssh/identity type -1
debug2: key_type_from_name: unknown key type '-BEGIN'
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug2: key_type_from_name: unknown key type '-END'
debug1: identity file /home/username/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-4096
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-4096
debug1: identity file /home/username/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 CovertInferno
debug1: match: OpenSSH_5.1p1 CovertInferno pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-3ubuntu1
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-...@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-...@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac...@openssh.com,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac...@openssh.com,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,z...@openssh.com,zlib
debug2: kex_parse_kexinit: none,z...@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,blowfish-cbc,arcfour128,arcfour256,aes192-cbc,aes256-cbc,aes128-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,blowfish-cbc,arcfour128,arcfour256,aes192-cbc,aes256-cbc,aes128-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-sha1,hmac-ripemd160,hmac-sha1-96
debug2: kex_parse_kexinit: hmac-sha1,hmac-ripemd160,hmac-sha1-96
debug2: kex_parse_kexinit: none,z...@openssh.com
debug2: kex_parse_kexinit: none,z...@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-sha1
debug1: kex: server->client aes128-cbc hmac-sha1 none
debug2: mac_setup: found hmac-sha1
debug1: kex: client->server aes128-cbc hmac-sha1 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<2048<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 158/320
debug2: bits set: 1039/2048
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'covertinferno.org' is known and matches the RSA host key.
debug1: Found key in /home/username/.ssh/known_hosts:3
debug2: bits set: 1026/2048
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/username/.ssh/id_rsa (0x4c75353ab9d1)
debug2: key: /home/username/.ssh/identity ((nil))
debug2: key: /home/username/.ssh/id_dsa ((nil))
This computer system is in California. By connecting you accept the Terms of Service found at http://covertinferno.org/tos.xhtml.
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key:
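The post above checks the X11 forwarding prerequisites by hand: xauth present, $DISPLAY set, and a MIT-MAGIC-COOKIE-1 entry for that display in the authority file. The script below is an added example, not code from the post, that automates the same three checks on the remote side of an ssh -X session. It assumes only the standard `xauth list` output format and $DISPLAY; the function names are made up for this example, and the sample xauth output is constructed with placeholder cookie values.

```shell
#!/bin/sh
# Added example (not from the original post): check whether the X authority
# file holds a cookie for the display that $DISPLAY points at. ssh -X stores
# the forwarded cookie under "<hostname>/unix:<n>" while DISPLAY on the remote
# side reads "localhost:<n>.0", so the comparison keys on the display number
# <n> only; the host part is ignored on purpose.

# Constructed sample of `xauth list` output, modelled on the post; the hex
# cookie values are placeholders, not real cookies.
SAMPLE_XAUTH='phantomcircuit.mine.nu/unix:11  MIT-MAGIC-COOKIE-1  00000000000000000000000000000011
phantomcircuit.mine.nu/unix:12  MIT-MAGIC-COOKIE-1  00000000000000000000000000000012
phantomcircuit.mine.nu/unix:10  MIT-MAGIC-COOKIE-1  00000000000000000000000000000010'

# display_number "localhost:10.0" prints 10; prints nothing for malformed input.
display_number() {
    printf '%s\n' "$1" | sed -n 's/^[^:]*:\([0-9]*\).*$/\1/p'
}

# has_cookie DISPLAY XAUTH_TEXT: exit 0 if XAUTH_TEXT contains a
# MIT-MAGIC-COOKIE-1 entry whose display number matches DISPLAY,
# 1 if not, 2 if DISPLAY cannot be parsed.
has_cookie() {
    n=$(display_number "$1")
    [ -n "$n" ] || return 2
    printf '%s\n' "$2" | awk -v n="$n" '
        $2 == "MIT-MAGIC-COOKIE-1" && $1 ~ (":" n "$") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_forwarding: run the three checks against the live session. Hypothetical
# helper name; it uses only $DISPLAY, $XAUTHORITY and `xauth list`.
check_forwarding() {
    if [ -z "${DISPLAY:-}" ]; then
        echo "DISPLAY is not set: sshd did not set up X11 forwarding for this session"
        return 1
    fi
    if ! command -v xauth >/dev/null 2>&1; then
        echo "xauth not found in PATH: ssh cannot install the forwarded cookie"
        return 1
    fi
    if has_cookie "$DISPLAY" "$(xauth list 2>/dev/null)"; then
        echo "cookie present for $DISPLAY"
    else
        echo "no MIT-MAGIC-COOKIE-1 entry for $DISPLAY in ${XAUTHORITY:-$HOME/.Xauthority}"
        return 1
    fi
}

check_forwarding
```

Run it in the remote shell after `ssh -X`; each failing branch names the component that did not do its part (sshd not allocating a display, xauth missing so the cookie could never be written, or the cookie absent from the authority file the X client will read).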
Re: ipf firewall, dropping connections
I'm guessing you have kernel tuning issues that have nothing to do with the firewall.

http://www.freebsd.org/doc/en/books/handbook/configtuning-kernel-limits.html

ckn...@savage.za.org wrote:
> Hi,
>
> I'm running 7.2 with IPFilter - main purpose is for a news server. Many established connections are just dropped and closed, it seems to be random, all allow rules are being affected. Any insight would be appreciated. The machine is under heavy usage, averaging around 150 to 200 connections per second.
>
> [r...@news ~]# ipfstat
> bad packets:            in 0    out 0
>  IPv6 packets:          in 0 out 0
>  input packets:         blocked 22570422 passed 488309778 nomatch 146719580 counted 0 short 0
> output packets:         blocked 21885 passed 507034679 nomatch 160765161 counted 0 short 0
>  input packets logged:  blocked 22570422 passed 0
> output packets logged:  blocked 0 passed 0
>  packets logged:        input 0 output 0
>  log failures:          input 12571655 output 0
> fragment state(in):     kept 0  lost 0  not fragmented 0
> fragment state(out):    kept 0  lost 0  not fragmented 0
> packet state(in):       kept 14100      lost 2770255
> packet state(out):      kept 22966740   lost 8078847
> ICMP replies:   0       TCP RSTs sent:  0
> Invalid source(in):     0
> Result cache hits(in):  17487490        (out):  21607481
> IN Pullups succeeded:   9       failed: 0
> OUT Pullups succeeded:  1092    failed: 0
> Fastroute successes:    0       failures:       0
> TCP cksum fails(in):    0       (out):  0
> IPF Ticks:      325071
> Packet log flags set: (0)
>         none
>
> [r...@wa-cpt-news ~]# cat /etc/ipf.rules
> ###
> ### Globals
> ###
> block in log quick all with frags   # TCP Fragments
> block in log quick all with short   # Short Fragments
> block in log quick all with ipopts  # Invalid IP Options
>
> ###
> ### Loopback Interface
> ###
> pass in quick on lo0 from any to 127.0.0.0/8
> pass out quick on lo0 from 127.0.0.0/8 to any
>
> ###
> ## em0 - Public NIC
> ###
> # em0 - Outbound Traffic
> pass out quick on em0 from a.a.a.a to any keep state
> pass out quick on em0 from a.a.a.21 to any keep state
> pass out quick on em0 from a.a.a.22 to any keep state
> pass out quick on em0 from x.x.x.23 to any keep state
> pass out quick on em0 from x.x.x.24 to any keep state
> pass out quick on em0 from x.x.x.59.30 to any keep state
> pass in quick on em0 from 196.220.59.0/27 to a.a.a.a  # Internal Network Traffic
> pass in quick on em0 proto icmp from any to a.a.a.a keep state  # ICMP
> pass in quick on em0 proto tcp from x.220.63.238/32 to a.a.a.a port = 22 flags S keep state  # SSH (Office Only)
> pass in quick on em0 proto tcp from x.220.63.33/32 to a.a.a.a port = 22 flags S keep state   # SSH (Office Only)
> pass in quick on em0 proto tcp from x.220.32.228/32 to a.a.a.a port = 22 flags S keep state  # SSH (Office Only)
> pass in quick on em0 proto tcp from x.220.42.29/32 to a.a.a.a port = 22 flags S keep state   # SSH (Office Only)
> pass in quick on em0 proto tcp from any port = 53 to a.a.a.a  # DNS (Responses)
> pass in quick on em0 proto udp from any port = 53 to a.a.a.a  # DNS (Responses)
> pass in quick on em0 proto tcp from x.220.63.238/32 to a.a.a.a port = 80  # HTTP (Office Only)
> pass in quick on em0 proto tcp from x.220.63.33/32 to a.a.a.a port = 80   # HTTP (Office Only)
> pass in quick on em0 proto tcp from x.220.32.228/32 to a.a.a.a port = 80  # HTTP (Office Only)
> pass in quick on em0 proto tcp from x.220.42.29/32 to a.a.a.a port = 80   # HTTP (Office Only)
> pass in quick on em0 proto tcp from x.185.0.0/16 to a.a.a.a port = 119    # NNTP
> pass in quick on em0 proto tcp from x.211.26.0/24 to a.a.a.a port = 119   # NNTP
> pass in quick on em0 proto tcp from x.220.32.0/19 to a.a.a.a port = 119   # NNTP
> pass in quick on em0 proto tcp from x.220.63.238/32 to a.a.a.a port = 119 # NNTP
> pass in quick on em0 proto tcp from x.220.32.228/32 to a.a.a.a port = 119 # NNTP
> pass in quick on em0 proto tcp from x.220.63.33/32 to a.a.a.a port = 119  # NNTP
> pass in quick on em0 proto tcp from x.220.42.29/32 to
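The quoted ipfstat output is the part of the report that actually explains the symptom: "packet state(in)" shows 2770255 lost against 14100 kept, "packet state(out)" 8078847 lost against 22966740 kept, and "log failures" 12571655 on input. In ipfstat's counters, "lost" is the number of packets for which IPFilter could not keep a state entry, and "log failures" the number of log records it had to drop; neither says why (the reply points at kernel limits), but both are worth alarming on before users notice connections dying. The script below is an added example, not code from the thread, that parses those counter lines and warns when the loss ratio crosses a threshold. The function names are made up for this example, and the sample text is constructed from the values quoted above.

```shell
#!/bin/sh
# Added example, not part of the original thread: extract the state-keeping
# and logging counters from `ipfstat` output and flag the ones that show the
# firewall shedding state, so the problem surfaces in monitoring rather than
# as "random" dropped connections.

# Constructed sample holding the three counter lines of interest, with the
# values quoted in the thread.
SAMPLE_IPFSTAT='packet state(in): kept 14100 lost 2770255
packet state(out): kept 22966740 lost 8078847
log failures: input 12571655 output 0'

# state_counts DIR: reads ipfstat text on stdin and prints "KEPT LOST" for
# the "packet state(DIR)" line, DIR being in or out.
state_counts() {
    awk -v dir="$1" '
        $0 ~ ("^packet state\\(" dir "\\):") {
            for (i = 1; i < NF; i++) {
                if ($i == "kept") kept = $(i + 1)
                if ($i == "lost") lost = $(i + 1)
            }
            print kept, lost
        }'
}

# state_loss_pct DIR TEXT: whole-number percentage of packets in that
# direction for which no state entry could be kept.
state_loss_pct() {
    counts=$(printf '%s\n' "$2" | state_counts "$1")
    [ -n "$counts" ] || { echo 0; return 1; }
    kept=${counts%% *}
    lost=${counts##* }
    total=$((kept + lost))
    [ "$total" -gt 0 ] || { echo 0; return 0; }
    echo $((lost * 100 / total))
}

# log_failures DIR TEXT: number of log records dropped; DIR is input or output.
log_failures() {
    printf '%s\n' "$2" | awk -v dir="$1" '
        /^log failures:/ { for (i = 1; i < NF; i++) if ($i == dir) print $(i + 1) }'
}

# check_ipfstat TEXT [THRESHOLD]: print one warning per bad counter; exit 0 if
# state loss in both directions is within THRESHOLD percent (default 5) and no
# log records were dropped, 1 otherwise.
check_ipfstat() {
    text=$1; limit=${2:-5}; rc=0
    for dir in in out; do
        pct=$(state_loss_pct "$dir" "$text")
        if [ "$pct" -gt "$limit" ]; then
            echo "WARNING: ${pct}% of packets ($dir) could not be tracked in the state table"
            rc=1
        fi
    done
    dropped=$(log_failures input "$text")
    if [ "${dropped:-0}" -gt 0 ]; then
        echo "WARNING: $dropped input log records were dropped"
        rc=1
    fi
    return $rc
}

# Live use (as root) would be: check_ipfstat "$(ipfstat)". The constructed
# sample is used here so the script runs on a machine without IPFilter.
check_ipfstat "$SAMPLE_IPFSTAT" || echo "ipfstat counters need attention"
```

On the quoted numbers this reports 99% loss inbound and 26% outbound, which is the difference between "the firewall drops connections at random" and "the firewall cannot keep state for most new inbound flows". The percentages are computed with integer arithmetic so the script stays POSIX sh; the counters are cumulative since boot, so for a real alert compare two samples a minute apart rather than the totals.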
Re: What causes random disk access slow down
How full are the disks?

Jin Guojun wrote:
> A 6-7 years old Xeon dual 2.4MHz CPU machine running FreeBSD 6.4-Release suddenly becomes slow on some tasks requiring disk access, typical things like ls, objdump etc. To be more specific, a couple of minutes' objdump became a several-hour job. A several-second ls -RC became a 15-minute task (see output below).
>
> It sounds like a hard drive problem, but running a sequential disk test on all drives, their throughput meets the original disk spec and the disks run very quiet; at random disk access, the disks generate some rigid noise, so it looks like a random disk access problem.
>
> This machine has two IDE PATA drives (ignore da0 -- a USB stick), but no error message has been recorded in dmesg for any drive a couple of weeks after the problem happened. The machine has been rebooted a few times after the slowness occurred, but it won't help.
>
> Is there any way/any tool to find out what is going wrong in the system?
>
> -Jin
>
> [165] bsd-ms: ls -RC > Dir
> 3.756u 19.402s 15:29.37 2.4% 30+2938k 49120+76io 0pf+0w
>
> monitored from the other terms --
>
> [138] bsd-ms: ll ~/Dir
> -rw-r--r--  1 src  wheel  6152192 Oct 27 14:53 /home/users/src/Dir
> [139] bsd-ms: ll ~/Dir
> -rw-r--r--  1 src  wheel  8019968 Oct 27 14:56 /home/users/src/Dir
> [140] bsd-ms: ll ~/Dir
> -rw-r--r--  1 src  wheel  9915957 Oct 27 14:58 /home/users/src/Dir
>
>       tty             ad0              ad1              da0             cpu
>  tin tout  KB/t tps  MB/s  KB/t tps  MB/s   KB/t tps  MB/s  us ni sy in id
>    9  365  9.14   6  0.05 12.08   6  0.07 121.91   0  0.00   2  0  1  0 97
>    0 1020 11.75  87  0.99 17.82   7  0.13   0.00   0  0.00  76  0 14  0 10
>    0 1005  8.54 262  2.19 52.94  23  1.21   0.00   0  0.00  61  0 29  1  9
>    0  893  7.54 184  1.36 85.76  34  2.82   0.00   0  0.00  53  0 32  1 14
>    0  551  3.35 265  0.87  9.38   4  0.04   0.00   0  0.00  47  0 33  1 19
>    0  594  6.81 201  1.33 37.82   4  0.14   0.00   0  0.00  54  0 16  0 30
>    0 1106  3.54 252  0.87 55.19  17  0.93   0.00   0  0.00  39  0 33  1 27
>    0  393  2.88 223  0.63 11.43   2  0.03   0.00   0  0.00  67  0 31  1  1
>    0  644  4.81 165  0.77 16.00   0  0.01   0.00   0  0.00  87  0 12  1  1
>   27  339 10.39 180  1.82 15.18  11  0.17   0.00   0  0.00  86  0 13  0  0
>   32  130  5.06 146  0.72 23.40  46  1.04   0.00   0  0.00  86  0  8  1  5
>   32  267  8.39 138  1.13 61.09   4  0.22   0.00   0  0.00  73  0 26  1  0
>   33  340  8.75 222  1.90 61.54   4  0.26   0.00   0  0.00  78  0 21  1  0
>   32  595  5.85 154  0.88 12.20   3  0.04   0.00   0  0.00  87  0 12  1  0
>   32  288  5.28 147  0.76  6.00   1  0.01   0.00   0  0.00  86  0 13  1  0

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: best way to install/update software and firewall choice
freebsd-update works fine in a jail so long as you symlink the kernel file to /dev/null.

Manolis Kiagias wrote:
> Guy Marcenac wrote:
>> Hi,
>>
>> I am an old Debian user and I am looking at FreeBSD for security reasons:
>> * I am very interested in the jail concept
>> * I have to relearn iptables syntax each time I want to add a rule
>
> Don't we all :)
>
>> I am testing the system in a VMware virtual machine. There is a point I don't fully understand. There are several ways of updating the system, from precompiled binaries or by recompiling the system and the ports (and using csup, portsnap, portupgrade ...).
>
> To update your base system, you can use freebsd-update. This uses precompiled binaries and also updates the relevant sources (assuming you have them installed beforehand and you are using the default freebsd-update configuration - which is recommended). However, if you are going to run jails, this advantage is more or less defeated: you will have to run 'make buildworld' anyway to install the result in the jails.
>
>> I would prefer to use the first way because it is really faster, but it seems to me that when I want to update my jails, there is no other easy way than recompiling the whole world into my jails.
>
> Yes, unless you can somehow run freebsd-update from inside a jail :) Don't know if this will work though. It will probably fail trying to patch the kernel. If you use freebsd-update you will only 'make installworld' for the jails, as the 'host' will be taken care of by freebsd-update binary patching. You still need the make buildworld step, so you don't really gain much.
>
>> The other point a bit confusing is that I don't know which firewall to use. My first guess would be to use pf, because it exists also on OpenBSD, but it seems that the default would go to ipfw.
>
> I am using pf too. It is a matter of preference and features needed. I suggest you read the Handbook chapter and decide for yourself.