Re: Firewall rules for ftp

2004-02-14 Thread Martin Schweizer
Hello 

Here are my ftp rules:

[snip]
# FTP
ipfw add allow tcp from any to any 20 keep-state 
ipfw add allow tcp from any to any 21 keep-state
ipfw add allow tcp from any 20 to me 1024-49151 keep-state # active FTP
ipfw add allow tcp from any 20 to 192.168.1.1/24 1024-49151 keep-state
ipfw add allow tcp from me 1024-49151 to any keep-state # passive FTP 1.
[snip]

On Fri, Feb 13, 2004 at 09:23:07AM -0500, JJB wrote:
 It would help if you posted you ipfw rules file so people can review
 them to look for your problem.
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Martin
 Schweizer
 Sent: Friday, February 13, 2004 2:07 AM
 To: [EMAIL PROTECTED]
 Subject: Firewall rules for ftp
 
 Hello
 
 Until now I tested a lot regarding ftp and ipfw but with no 100%
 success.
 What are the correct ipfw rules for ftp (regarding dir and ls,
 passive etc.)?
 
 System: FreeBSD 4.9, NAT, ipfw, LAN 192.168.1.0/24, WAN: dyn. WAN ip
 over ADSL

-- 

Regards

Martin Schweizer
[EMAIL PROTECTED]

PC-Service M. Schweizer; Gewerbehaus Schwarz; CH-8608 Bubikon
Tel. +41 55 243 30 00; Fax: +41 55 243 33 22; http://www.pc-service.ch;
public key : http://www.pc-service.ch/pgp/public_key.asc; 
fingerprint: EC21 CA4D 5C78 BC2D 73B7  10F9 C1AE 1691 D30F D239;



pgp0.pgp
Description: PGP signature
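An added example for the question above (it is not Martin's ruleset or anything else posted in the thread): a complete ipfw ruleset for a FreeBSD 4.x NAT gateway with a dynamic WAN address that lets LAN clients and the gateway itself use FTP in both active and passive mode, and also exposes an FTP server running on the gateway. Assumptions, all labelled in the script: the WAN interface is tun0 (user-ppp over ADSL), the LAN is 192.168.1.0/24 as in the original post, natd is listening on the divert port (natd_enable="YES" and natd_interface="tun0" in rc.conf, kernel built with IPDIVERT), and the gateway's FTP server has been told to use passive ports 49152-65535. The `me` keyword is what makes the rules survive a changing WAN address.

```shell
#!/bin/sh
# Added example for the FTP question above; not Martin's rules.  Assumed:
# WAN interface tun0 (user-ppp over ADSL, dynamic address), LAN 192.168.1.0/24,
# natd running on the divert port (natd_enable="YES", natd_interface="tun0"
# in rc.conf), and an FTP server on the gateway whose passive port range is
# 49152-65535 (the range is an assumption; set it in the server's config).
# By default the rules are only printed so they can be reviewed without root;
# IPFW_CMD=ipfw loads them.
fwcmd="${IPFW_CMD:-echo ipfw}"

ftp_rules() {
    pif="$1"     # public interface
    lan="$2"     # network behind NAT
    pasv="$3"    # passive port range of the server on the gateway

    $fwcmd -f flush
    $fwcmd add 100 allow ip from any to any via lo0
    $fwcmd add 200 deny ip from any to 127.0.0.0/8
    $fwcmd add 300 deny ip from 127.0.0.0/8 to any

    # Inbound: un-NAT first, so check-state sees the LAN address the
    # dynamic rule was created with.
    $fwcmd add 400 divert natd ip from any to any in via "$pif"
    $fwcmd add 500 check-state

    # Outbound from LAN clients or the gateway itself: one stateful rule
    # covers the FTP control channel (21), passive-mode data connections
    # (whatever port the server announced) and everything else, then jumps
    # to the NAT rule.  'me' follows the current dynamic WAN address.
    $fwcmd add 600 skipto 800 tcp from "$lan" to any out via "$pif" setup keep-state
    $fwcmd add 610 skipto 800 tcp from me to any out via "$pif" setup keep-state
    $fwcmd add 620 skipto 800 udp from "$lan" to any out via "$pif" keep-state
    $fwcmd add 630 skipto 800 udp from me to any out via "$pif" keep-state
    $fwcmd add 640 skipto 800 icmp from any to any out via "$pif" keep-state

    # Active-mode data connections for LAN clients and the gateway: the
    # remote server connects from port 20 to the port the client sent in
    # PORT.  natd rewrites PORT to the WAN address and rule 400 has already
    # translated the incoming SYN back to the client.
    $fwcmd add 700 allow tcp from any 20 to "$lan" 1024-65535 in via "$pif" setup keep-state
    $fwcmd add 710 allow tcp from any 20 to me 1024-65535 in via "$pif" setup keep-state

    # FTP server on the gateway: control channel and its passive range.
    # Its active-mode data connections (from port 20 outward) match rule 610.
    $fwcmd add 720 allow tcp from any to me 21 in via "$pif" setup keep-state
    $fwcmd add 730 allow tcp from any to me "$pasv" in via "$pif" setup keep-state

    # Anything else arriving from the internet is dropped and logged.
    $fwcmd add 790 deny log ip from any to any in via "$pif"

    # Outbound NAT for everything sent here by the skipto rules.
    $fwcmd add 800 divert natd ip from any to any out via "$pif"
    $fwcmd add 810 allow ip from any to any
}

if [ $# -eq 3 ]; then
    ftp_rules "$1" "$2" "$3"
fi
```

Run it as `sh ftp_rules.sh tun0 192.168.1.0/24 49152-65535` to review the rules, and with `IPFW_CMD=ipfw` as root to load them. The ordering is the part that matters: the inbound divert sits before check-state, the outbound keep-state rules jump to the outbound divert, so state is always keyed on the untranslated LAN address. Rules 700 and 710 are the weak spot of any active-FTP setup: a remote host that chooses source port 20 can open a connection to any unprivileged port. Prefer passive mode on the clients, or use natd(8)'s -punch_fw option where available and drop 700/710 altogether when active mode is not needed.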


Re: startup daemon as unpriviliged user

2004-02-14 Thread Uwe Doering
matthew wrote:
On Fri, 13 Feb 2004, Louis LeBlanc wrote:
[...]
So, how can I get a process to run automatically on startup for an
unprivileged user?
cd /usr/local/etc/rc.d

make a small sh script like so:

#!/bin/sh
su username -c command
For scripts in '/usr/local/etc/rc.d' one should stick to the required 
semantics.  That is, in this particular case you need to make sure that 
it only runs on startup and not a second time on shutdown.  Like so:

 cut here 
#!/bin/sh
case $1 in
start)
su username -c command
;;
stop)
;;
esac
 cut here 
Also, keep in mind that the script's name requires a suffix of '.sh', or 
else the system won't execute it automatically.

   Uwe
--
Uwe Doering |  EscapeBox - Managed On-Demand UNIX Servers
[EMAIL PROTECTED]  |  http://www.escapebox.net
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: No More Daily Run Output

2004-02-14 Thread Ryan Merrick
[EMAIL PROTECTED] wrote:
All,

We've got a FreeBSD 4.7 box that's been running great for the last year and a 
half or so.  We host our customer's email on this box using postfix.  Before 
the FreeBSD box, we had two Linux boxes that hosted all of the email.  We've 
since migrated over the accounts just recently.  Approximately one week ago, 
the day after we moved over approximately 300 accounts, I no longer get 
a 'daily run output' email.  I do still get the security run output and a 
pflogsumm report every morning.

I've tried running the 'periodic daily' manually, but I only get the security 
report.

Any ideas on where to begin troubleshooting this?

Thanks!

-
This mail sent through IMP: http://horde.org/imp/
Hi,

Check your /etc/periodic.conf; the daily_output can go to a file or a user.
daily_output=root   # user or /file
While you're there check the daily_status_security_output for who the mail is 
sent to.
daily_status_security_output=root # user or /file

All the defaults are in /etc/defaults/periodic.conf

A typical file is /var/log/daily.log which is set in newsyslog to rotate.

Last thing to check is that the alias for the daily_output user 
has a valid email address.

--
-Ryan Merrick
[EMAIL PROTECTED]


MFS on new server.

2004-02-14 Thread Gary Kline

Hi folks,

When my new DNS server is finished I'm planning to create
around a 512MB memory file system.  An Onlamp article gives
some basics.  But how would I cp (say), gcc, sendmail, and
bind to this new fs?  Or am I looking at this the wrong way?

Any advice, tips, or sharing will be greatly appreciated.

tia,

gary

-- 
   Gary Kline [EMAIL PROTECTED]   www.thought.org Public service Unix



Re: MFS on new server.

2004-02-14 Thread Matthew Seaman
On Sat, Feb 14, 2004 at 02:48:18AM -0800, Gary Kline wrote:

   When my new DNS server is finished I'm planning to create
   around a 512MB memory file system.  An Onlamp article gives
   some basics.  But how would I cp (say), gcc, sendmail, and
   bind to this new fs?  Or am I looking at this the wrong way?

Unless you're talking about a vnode backed MFS (as generated by
vnconfig(8) on 4.x or 'mdconfig -t vnode' with 5.x's generic
mdconfig(8) command) you're going to have to rebuild everything you
put onto the MFS every time you recreate it.  That's not the usual way
of doing things -- generally a MFS is used for ephemeral data created
as the application runs.

On the other hand, if you're running on a vnode backed setup, then
from the point of view of populating it with files, it's just like any
other filesystem.
 
   Any advice, tips, or sharing will be greatly appreciated.

Hmmm... Well, the copying can be done by all manner of means.
rsync(1), tar(1), find(1)/cpio(1) spring to mind.  pkg_add(1) works
well -- maybe with a modified $PREFIX.  Building a custom package
containing everything you want to install in your MFS so that you can
just re-install it at will would be quite a nifty idea.  Even cp(1).
If you're using a vnode backed area for a thick jail(8), then you can
install a base system on it by:

# make installworld DESTDIR=/jail/192.168.0.2

(assuming that's where you mount your jail...)  If you then either do
a loopback nfs mount or a null mount of /usr/ports onto the jail (see
mount_nfs(8), mount_null(8)), or even just install a separate copy of
/usr/ports, you can compile and install ports from within the jail
just as if you were in the base system.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   26 The Paddocks
  Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey Marlow
Tel: +44 1628 476614  Bucks., SL7 1TH UK


pgp0.pgp
Description: PGP signature


Re: MFS on new server.

2004-02-14 Thread Matthew Seaman
Gary,

On Sat, Feb 14, 2004 at 11:09:00AM +, Matthew Seaman wrote:
 On Sat, Feb 14, 2004 at 02:48:18AM -0800, Gary Kline wrote:
 

Your mailing system's anti-spam filters are a bit too hair-triggered.
You're bouncing the ham as well as the spam...

   - The following addresses had permanent fatal errors -
[EMAIL PROTECTED]
(reason: 550 5.0.0 No SPAM)
 
   - Transcript of session follows -
... while talking to ns1.thought.org.:
 MAIL From:[EMAIL PROTECTED]
 550 5.0.0 No SPAM
554 5.0.0 Service unavailable
 
Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   26 The Paddocks
  Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey Marlow
Tel: +44 1628 476614  Bucks., SL7 1TH UK


pgp0.pgp
Description: PGP signature


new bsd-il mailing list

2004-02-14 Thread Gal Ben-Haim
Hello, I am running a new bsd-il mailing list for israeli BSD users, 
seems like the bsd-il mailing list on the freebsd web site is inactive
If you can add it to the user groups lists on the web site..
it's [EMAIL PROTECTED], subscribe bsd-il
thanks

--
Gal Ben-Haim, EMAIL:[EMAIL PROTECTED], ICQ:20550948


Re: SSH problem partially solved!! Still need help.

2004-02-14 Thread Dragoncrest
Huh.  It was there!  I thought that there might be a second sshd 
config file somewhere on the system, but locate and find never reported 
it.  Weird.  But everything's working as required, so I'm very 
happy.  Thanks for all the help guys!!

At 10:54 PM 2/13/04 -0500, matthew wrote:


On Fri, 13 Feb 2004, Dragoncrest wrote:

   Ok, I finally figured out why my configs weren't loading for
 ssh.  Apparently when you startup SSHD it loads some weird default
 sshd_config file that I can't seem to find.  However, if I specify sshd -f
 /etc/ssh/sshd_config it will load my config file and my ssh works the way
 it should.  Now I can obviously edit my /usr/local/etc/rc.d/sshd.sh file to
 do this on startup, but it's baffling the living heck out of me as to why
 sshd doesn't load the default /etc/ssh/sshd_config file when you load it
 from the command prompt by typing /usr/sbin/sshd.

Look in /usr/local/etc/
sshd probably checks there first. This sort of thing happened to me
with procmail and procmail.rc. Until of course I read the man page.
sshd will refuse to start if there is no config file. I reckon it is in there.

also a locate sshd_config after running /etc/per*/week*/310* to update
the search db.
Almost there.

m

   Anyone got any idea what setting in the system dictates to sshd 
what the
 default config file is?  I'm guessing that there's gotta be something I'm
 missing somewhere as to why sshd isn't loading the default config file like
 it should short of specifying it by hand.






Running processes...

2004-02-14 Thread Eric F Crist
Hello list,

Which of the processes can I safely block from the internet via ipfw?  Here's 
an nmap output from one of my servers.  I would really like to tame this 
down:

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-02-14 06:41 CST
Interesting ports on localhost (127.0.0.1):
(The 1646 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
110/tcp  open  pop3
443/tcp  open  https
587/tcp  open  submission
783/tcp  open  hp-alarm-mgr
3306/tcp open  mysql
6667/tcp open  irc
6668/tcp open  irc
9999/tcp open  abyss

Nmap run completed -- 1 IP address (1 host up) scanned in 9.730 seconds

Port 9999 is an irc port for server connections, for anyone who's wondering 
what that's doing there.  I mainly need to get rid of 783, 587.  What are 
those anyways?  Also, what's the name of that app that basically makes all 
ports appear open and logs connection attempts?  Thanks.
-- 
Eric F Crist
AdTech Integrated Systems, Inc
(612) 998-3588


pgp0.pgp
Description: signature


Re: startup daemon as unpriviliged user

2004-02-14 Thread Erik Trulsson
On Sat, Feb 14, 2004 at 06:28:29AM -0600, Eric F Crist wrote:
 On Saturday 14 February 2004 03:01 am, Uwe Doering wrote:
  matthew wrote:
   On Fri, 13 Feb 2004, Louis LeBlanc wrote:
  [...]
  So, how can I get a process to run automatically on startup for an
  unprivileged user?
  
   cd /usr/local/etc/rc.d
  
   make a small sh script like so:
  
   #!/bin/sh
   su username -c command
 
  For scripts in '/usr/local/etc/rc.d' one should stick to the required
  semantics.  That is, in this particular case you need to make sure that
  it only runs on startup and not a second time on shutdown.  Like so:
 
   cut here 
  #!/bin/sh
 
  case $1 in
   start)
   su username -c command
   ;;
   stop)
   ;;
  esac
   cut here 
 
  Also, keep in mind that the script's name requires a suffix of '.sh', or
  else the system won't execute it automatically.
 
  Uwe
 
 
 I think you could also setuid for that user to the shell script.

No, the setuid flag does not work for shell scripts.
  


-- 
Insert your favourite quote here.
Erik Trulsson
[EMAIL PROTECTED]
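An added example that is not code from anyone in this thread: a complete /usr/local/etc/rc.d script that starts a daemon as an unprivileged user at boot, stops it again at shutdown, and keeps a pid file so the stop actually finds the right process. It follows the points made above: rc(8) on 4.x runs these scripts with "start" and "stop", the file needs the .sh suffix, and a setuid bit on a script would not help, so the script runs as root and drops privilege itself with su(1). The user name "lou" and the fetchmail command line are assumptions; fetchmail's --nodetach flag is used so the daemon stays in the foreground and the recorded pid remains the daemon's.

```shell
#!/bin/sh
# /usr/local/etc/rc.d/fetchmail.sh -- added example, not code from the thread.
# Starts a daemon as an unprivileged user at boot.  rc(8) on 4.x runs each
# *.sh file in this directory with "start" at boot and "stop" at shutdown;
# without the .sh suffix the file is ignored.  The user "lou" and the command
# are assumptions (fetchmail's --nodetach keeps it in the foreground so the
# pid we record stays valid).
#
# A setuid bit on this file would change nothing: the kernel ignores setuid
# on interpreted scripts, so the script runs as root and drops privilege
# itself with su(1).

DAEMON_USER="${DAEMON_USER:-lou}"
DAEMON_CMD="${DAEMON_CMD:-/usr/local/bin/fetchmail --nodetach -d 600}"
PIDDIR="${PIDDIR:-/var/run}"

pidfile() { echo "${PIDDIR}/fetchmail.${DAEMON_USER}.pid"; }

# Run DAEMON_CMD in the background as DAEMON_USER and record its pid.
start_daemon() {
    if status_daemon; then
        echo "$0: already running as pid $(cat "$(pidfile)")" >&2
        return 0
    fi
    if [ "$(id -un)" = "$DAEMON_USER" ]; then
        $DAEMON_CMD &                       # already that user: no su needed
    elif [ "$(id -u)" -eq 0 ]; then
        # -m keeps the environment; 'exec' makes the command replace su's
        # shell, so $! is the daemon's pid (on a su that forks for a PAM
        # session it is su's pid instead: check with ps).
        su -m "$DAEMON_USER" -c "exec $DAEMON_CMD" &
    else
        echo "$0: must be root to start as $DAEMON_USER" >&2
        return 1
    fi
    echo $! > "$(pidfile)"
}

# True if the recorded pid is still alive.
status_daemon() {
    pid="$(cat "$(pidfile)" 2>/dev/null)" || return 1
    kill -0 "$pid" 2>/dev/null
}

stop_daemon() {
    pid="$(cat "$(pidfile)" 2>/dev/null)" || return 0
    kill "$pid" 2>/dev/null || :
    wait "$pid" 2>/dev/null || :    # reap it if it is our child; no-op otherwise
    rm -f "$(pidfile)"
}

rc_main() {
    case "$1" in
    start)  start_daemon && echo -n ' fetchmail' ;;
    stop)   stop_daemon ;;
    status) status_daemon ;;
    *)      echo "usage: $0 {start|stop|status}" >&2; return 64 ;;
    esac
}

if [ $# -gt 0 ]; then
    rc_main "$@"
fi
```

Install it mode 755 and check after the next boot with `ps -o pid,user,command -p $(cat /var/run/fetchmail.lou.pid)` that the pid in the file belongs to the daemon and that it runs as the intended user, not as root.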


ipfw bandwidth limit

2004-02-14 Thread Markus Kovero
I've got 172.16.0.0/24 network that is connected to internet via vpn gre
tunnel.
And now I've had a bit of a hard time doing bandwidth control, maybe I'm missing
something.

I've set ipfw pipes like this:
ipfw add queue 1 gre from any to 172.16.0.0/24
ipfw queue 1 config weight 5 pipe 2 mask dst-ip 0x000000ff
ipfw pipe 2 config bw 1500Kbit/s
ipfw add queue 2 gre from 172.16.0.0/24 to any
ipfw queue 2 config weight 20 pipe 3 mask src-ip 0x000000ff
ipfw pipe 3 config bw 256Kbit/s

net.inet.ip.fw.one_pass: 0

65100 queue 1 gre from any to 172.16.0.0/24
65200 queue 2 gre from 172.16.0.0/24 to any

00002:   1.500 Mbit/s    0 ms   50 sl. 0 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
00003: 256.000 Kbit/s    0 ms   50 sl. 0 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
q00001: weight 5 pipe 2   50 sl. 0 queues (64 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x000000ff/0x0000
q00002: weight 20 pipe 3   50 sl. 0 queues (64 buckets) droptail
    mask: 0x00 0x000000ff/0x0000 -> 0x00000000/0x0000

It seems to have no effect on network. What I'm missing?
(replacing gre-protocol with ip doesn't help)

Markus Kovero



network throughput with WiFi/LAN

2004-02-14 Thread J.D. Bronson
Someone PLEASE help me figure this out?

I am baffled.

I have 2 100% identical IBM servers. Same everything. Purchased at the same 
time/date.

P4-3.06
512MB ram
18GB scsi u160 10Krpm drive
One machine runs FreeBSD-5.2 and the other Solaris9x86.

FTP transfers via machine to machine or via LAN client to/from either machine
are around 11.5MB/sec (which I would expect on 100BaseT).
That's fine. However I did notice the following:

WiFi 802.11b client machine (10' away from the AP and excellent signal)
sees the following transfer rates:
WiFi client to solaris box will sustain and maintain 821K/sec.

WiFi client to FreeBSD-5.2 box will start around 900K/sec and immediately 
fall and fall and fall - settling around 620K/sec sustain and maintain.

Since ftp rates to/from servers/clients are at just about the max, I don't 
understand what I am seeing here. What does the FreeBSD box not like about 
my WiFi ? - the recv/send space is set identical on the solaris and freebsd 
box.

Any thoughts? - Since I use WiFi a tremendous amount - solaris seems like 
the answer but yet it makes no sense.

Anything I can try? - everything is full duplex. Verified speeds and settings.

Thanks!





--
J.D. Bronson - LoneBandit
Aurora Health Care // Information Services // Milwaukee, WI USA
Office: 414.978.8282 // Email: [EMAIL PROTECTED] // Pager: 414.314.8282


Re: reboot record information

2004-02-14 Thread Sergey 'DoubleF' Zaharchenko
On Fri, 13 Feb 2004 11:39:28 -0500
JJB [EMAIL PROTECTED] probably wrote:

 When an FBSD system croaks, and it reboots itself, very seldom
 does any of the issued problem messages have time to be posted
 completely before the rug is pulled out from under the log write
 process by the reboot occurring. All you can find out from the logs
 is yes indeed it did reboot. You are SOL, just like the rest of us
 when this happens to us.

Probably a loose chance, but `last' could come up with something...
Anyway it still just reads the logs...

If you're afraid this may happen again, and you're on a network, you
might want to use the remote logging feature of syslog. Then, all
messages will make it to the destination, right up to the reboot.

HTH,

-- 
DoubleF
Truth is the most valuable thing we have -- so let us economize it.
-- Mark Twain


pgp0.pgp
Description: PGP signature


Re: SYN Attacks - how i cant stop it

2004-02-14 Thread Anton Alin-Adrian
JJB wrote:
Very interesting reading about net.inet.tcp.syncookies 'knob'.

Thank you for such a curious and informative reply.

I am running 4.9 and net.inet.tcp.syncookies=1 is the default.

I am writing a 'Hardening your FBSD system' article for the local
FBSD club, would you please review the following.
Are my comments correct? Are there any other knobs I should include?

I got the rc.conf securelevel OK, as it is from the man page.


#
# The sysctl.conf file contains MIB's to change the default setting
# of internal options of the kernel at boot up time. These MIB's
# control how network packets are handled after the IPFW or IPFILTER
# software application firewall returns the packet to the kernel.
# Some of these MIB's may seem like they are doing the same thing,
# but because there is no FBSD provided documentation on the order
# these MIB's get control, they all get enabled here and we let the
# kernel do its thing.
#
# NOTE: Some of these MIB's can also be set in rc.conf and or the
# Kernel source. This will not hurt anything.
#


# Redirect attacks is the purposeful mass issuing of ICMP type 5 packets.
# In a normal network, redirects to the end stations should not be required.
# To defend against this type of attack both the sending and accepting of
# redirect should be disabled. The first statement below enables the MIB
# to drop all inbound icmp redirect packets without returning any response.
# The second statement turns off the logging of redirect packets because
# there is no limit and this could fill up your logs consuming your whole
# hard drive. But there is no information about where the redirect packets
# get logged. The last statement changes the FBSD default about allowing
# redirects to be sent from this system to the internet from yes to no.
# This option is ignored unless the host is routing IP packets, and
# should normally be enabled (=1) on all systems.
# man icmp(4) and inet(4) and man ip(4) do not contain info about these MIBs.
# man sysctl(3) does have info on ip.redirect
net.inet.icmp.drop_redirect=1
net.inet.icmp.log_redirect=0
net.inet.ip.redirect=0

# Source routing is another way for an attacker to try to reach non routable
# addresses behind your box. It can also be used to probe for information
# about your internal networks. These functions come enabled as part of the
# standard FBSD core system. The following will disable them.
# man inet(4) and man ip(4) do not contain any information on these MIBs.
net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0

# This MIB only drops ICMP Echo requests which have a destination of your
# broadcast address. For example, if your network is 10.10.0.1/24,
# (making your subnet mask 255.255.255.0) then your network broadcast address
# is 10.10.0.255. When a host on your network needs to send a message to all
# other hosts on the subnet (which happens more often than you may think) it
# uses this address. Everyone listens on it. Hosts outside your network have
# no reason to be sending packets to your broadcast address. This MIB rejects
# all of the broadcast echo traffic from the outside world to your network
# broadcast address. If this host is a firewall or gateway, it should not
# propagate directed broadcasts originating from outside your private network.
# The following statement sets the default to no, rejecting all external
# broadcast requests.
# man sysctl(3) has some info.
# man inet(4) and man icmp(4) do not contain any information on these MIBs
net.inet.icmp.bmcastecho=0


# To change the system behavior when connection requests are received
# on TCP or UDP ports where there is no socket listening. The normal
# behavior, when a TCP SYN segment is received on a port where there
# is no socket accepting connections, is for the system to return a
# RST segment, and drop the connection. The requesting system will
# see this as a Connection reset by peer.
#
# By turning the TCP black hole MIB on to a numeric value of one, the
# incoming SYN segment is merely dropped, and no RST is sent, making
# the system appear as a blackhole.
#
# By setting the MIB value to two, any segment arriving on a closed
# port is dropped without returning a RST.
# This provides some degree of protection against stealth port scans.
# The following enables this MIB. man tcp(4) and man udp(4) and blackhole(4)
# contain a little information on these MIBs
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1

# The log_in_vain MIB will provide you with logging of attempted
# connections to your 
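An added example, not part of JJB's draft or of Anton's reply: a small audit script that checks a running box against a sysctl.conf-style baseline such as the one above. Settings in /etc/sysctl.conf are only applied at boot, and a typo in a MIB name fails silently, so the useful check is to compare what the kernel reports now (`sysctl -n name`) with what the file asks for and list every knob that differs. The command used to read values can be overridden through the SYSCTL variable; that hook is an assumption made so the script can be exercised on a machine that is not running FreeBSD.

```shell
#!/bin/sh
# Added example, not part of JJB's draft: check a running FreeBSD box against
# the sysctl.conf baseline above.  Each "name=value" line in the baseline is
# compared with what sysctl(8) reports now; every mismatch is printed.  The
# command used to read values can be overridden through SYSCTL (an assumption
# made for testing on a machine that is not FreeBSD).

# Print the baseline's name=value pairs, one per line, with comments and
# whitespace stripped.  sysctl.conf format: "# comment" and "mib=value".
baseline_pairs() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' "$1"
}

# Current value of one MIB; "(unset)" if the kernel does not know it
# (a MIB from another branch, a module not loaded, or a typo in the baseline).
current_value() {
    v="$(${SYSCTL:-sysctl} -n "$1" 2>/dev/null)" && [ -n "$v" ] && echo "$v" || echo "(unset)"
}

# Print "MISMATCH name want=X have=Y" for every knob that differs.
# Returns 0 when everything matches, 1 otherwise.
audit_sysctl() {
    bad=0
    for pair in $(baseline_pairs "$1"); do
        name="${pair%%=*}"
        want="${pair#*=}"
        have="$(current_value "$name")"
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $name want=$want have=$have"
            bad=1
        fi
    done
    return $bad
}

if [ $# -eq 1 ]; then
    audit_sysctl "$1"
fi
```

Run it as `sh audit_sysctl.sh /etc/sysctl.conf` after boot; a non-zero exit status means at least one knob did not take. Apply a single missing one immediately with `sysctl -w name=value` (on 4.x the -w is required for writes) and then re-run the audit.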

Re: Install on 486 with floppy reboots after mfsroot

2004-02-14 Thread Jeremy Faulkner
matthew wrote:


On Thu, 12 Feb 2004, Brent Bowman wrote:


Oh boy, I guess that I've either got to find more RAM, find an
older/stripped down version of FreeBSD, or give up.


Well, if i was you i would get on the phone and call every
household that you think has a basement full of junk.
They will more than likely have an old computer down
there you can take the ram from.

I looked around a little, how would I find a skinnier version
of FreeBSD for this old box.


Did you try 3.5-RELEASE and cvsup to stable? I still run 3.4 and 3.5.

I have previously used install floppies from 3.2 (as this was the most 
readily available version because I still have the cd set) to install 
4.x on similar machines. However, this was quite a long time ago.

When using this method, in the options section change the release you 
want to install from 3.2-RELEASE to the version you want to install from 
the cd/ftp/etc. as appropriate. Watch vtty1 for /etc/libexec to be 
installed and then you will be able to use vi in the holographic shell 
to edit /etc/fstab to change the /dev/wd* to /dev/ad*. After this you 
shouldn't have any problems.

Waiting until after the machine reboots before editing /etc/fstab can 
result in headaches and is not recommended, but is not impossible(IIRC).

Again, I should point out that the last time I did this was with an 
early release on the 4.x branch, I don't remember the exact version and 
the old 486 that would testify to the procedure is at my parents' house 
pretending to be a paper weight.


Also, does anybody have any ideas (besides ebay) on how I would
find some really old 60ns SIMMS for that box for cheap?



If you were standing right next to me I would throw some at you :P
Are you in some strange region where it is difficult to find old ram?
I am sure a second hand pc shop will gladly give you 32mb ram (come
in pairs) for 5 bucks. 10 at most.
m


--
Jeremy Faulkner http://www.gldis.ca


Re: Running processes...

2004-02-14 Thread Kirk Strauser
At 2004-02-14T12:42:55Z, Eric F Crist [EMAIL PROTECTED] writes:

 I mainly need to get rid of 783, 587.  What are those anyways?

587 is half of the new Sendmail install - the submission function runs as a
separate process listening on its own !25 port.

 Also, what's the name of that app that basically makes all ports appear
 open and logs connection attempts?

I think you just described IIS and Exchange, except that they don't log so
well...
-- 
Kirk Strauser

94 outdated ports on the box,
 94 outdated ports.
 Portupgrade one, an hour 'til done,
 82 outdated ports on the box.


pgp0.pgp
Description: PGP signature


CUPS + GDI(GNU Ghostscript)

2004-02-14 Thread Jon-Eirik Pettersen
I'm trying to use a Samsung ML1710 laser printer on FreeBSD. It's 
connected via USB and is detected:
ulpt0: Samsung Electronics Co., Ltd. Samsung ML-1710, rev 1.10/1.00, 
addr 3, iclass 7/1

There are Linux drivers on the CD that do not work with FreeBSD (nor with 
Linux), but the Samsung ML1210 driver that is in the GDI driver in 
GNU Ghostscript works in Linux.  But in FreeBSD, it does not list the 
Ghostscript drivers in the Gnome-cups-manager or the web interface, like 
it does in Linux (Fedora+RedHat+Mandrake). I think this is some 
configuration the distro makers do, but I cannot find out what.

This printer does _only_ accept postscript that is 100% correctly formatted.

Anyone?


RE: Running processes...

2004-02-14 Thread JJB
This port map is only showing you what ports are open to accept
start requests from the public internet. Looks like you are using
IPFW with stateless rules which just provides a very basic level
of security. Use stateful rules with 'out' and 'via' keywords to
separate your firewall into outbound control where you allow all
these ports listed below out to the public internet. Then for the
inbound side use stateful rules with 'in' and 'via' keywords
allowing in only the ports that you have servers running on. That
will close all those listed ports to inbound availability. If you
have a LAN behind your gateway and are using ipfw with the divert rule legacy
sub-routine call to userland natd then stateful rules do not work
because of a legacy bug in the basic concept design of this process.  Use
IPFILTER, its stateful rules work in a NATed environment and as such
provide a much higher level of security than IPFW can provide in
a NATed environment.  I have an IPFILTER sample rule set if you are
interested.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Eric F
Crist
Sent: Saturday, February 14, 2004 7:43 AM
To: FreeBSD questions List
Subject: Running processes...

Hello list,

Which of the processes can I safely block  from the internet via
ipfw?  Here's
an nmap output from one of my servers.  I would really like to tame
this
down:

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-02-14
06:41 CST
Interesting ports on localhost (127.0.0.1):
(The 1646 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
110/tcp  open  pop3
443/tcp  open  https
587/tcp  open  submission
783/tcp  open  hp-alarm-mgr
3306/tcp open  mysql
6667/tcp open  irc
6668/tcp open  irc
9999/tcp open  abyss

Nmap run completed -- 1 IP address (1 host up) scanned in 9.730
seconds

Port 9999 is an irc port for server connections, for anyone who's
wondering
what that's doing there.  I mainly need to get rid of 783, 587.
What are
those anyways?  Also, what's the name of that app that basically
makes all
ports appear open and logs connection attempts?  Thanks.
--
Eric F Crist
AdTech Integrated Systems, Inc
(612) 998-3588



Re: Running processes...

2004-02-14 Thread Eric F Crist
On Saturday 14 February 2004 10:26 am, JJB wrote:
 This port map is only showing you what ports are open to accept
 start requests from the public internet. Looks like you are using
 IPFW with stateless rules which just provides a very basic level
 of security. Use stateful rules with 'out' and 'via' keywords to
 separate your firewall into outbound control where you allow all
 these ports listed below out to the public internet. Then for the
 inbound side use stateful rules with 'in' and 'via' keywords
 allowing in only the ports that you have servers running on. That
 will close all those listed ports to inbound availability. If you
 have a LAN behind your gateway and are using ipfw with the divert rule legacy
 sub-routine call to userland natd then stateful rules do not work
 because of a legacy bug in the basic concept design of this process.  Use
 IPFILTER, its stateful rules work in a NATed environment and as such
 provide a much higher level of security than IPFW can provide in
 a NATed environment.  I have an IPFILTER sample rule set if you are
 interested.

Thanks for the reply.  This is not a NATed environment.  For the time being, 
I've got DSL with a /29 network.  I'm running DNS, Mail, etc right from my 
own box.  I guess my question was, what are those two services I listed?  
Submission and hp-alarm-mgr?  Are there any ipfw rules that I SHOULD set?  
Here's my current ruleset:

00100 1622 256612 allow ip from any to any via lo0
00200    0      0 deny ip from any to 127.0.0.0/8
00300    0      0 deny ip from 127.0.0.0/8 to any
00600 3931 501305 allow ip from any to any
65535    0      0 deny ip from any to any

This is obviously a very wide-open server right now.  I'm guessing I should 
add some rules like the following?

change 00600 to: allow tcp from any to any established
add allow tcp from any to me 25      # mail (smtp)
add allow tcp from any to me 21      # ftp
add allow tcp from any to me 6667    # irc
add allow tcp from any to me 6668    # irc
add allow tcp from any to me 9999    # irc server links
add allow tcp from any to me 22      # ssh
add allow tcp from any to me 53      # dns (udp 53 is needed as well)
add allow tcp from any to me 110     # pop3
add allow tcp from any to me 443     # https
add deny tcp from any to me 3306 in via dc0   # mysql, not from the internet
add deny ip from any to me

The mysql, I assume, since the only thing accessing it should be my local web 
server, I don't need it to have public (inet) access?

-- 
Eric F Crist
AdTech Integrated Systems, Inc
(612) 998-3588


pgp0.pgp
Description: signature


Re: Running processes...

2004-02-14 Thread Eric F Crist
On Saturday 14 February 2004 10:45 am, Eric F Crist wrote:

Forgot to mention in regards to my basic network structure.  As I've got 5 
usable IP addresses, I've got a linksys wifi/router that does my basic 
network needs.  i.e. my laptop is connected via wifi and they all share a 
private network (192.168.1.x), so that I'm not using real address space in 
the event of a LAN party, that sort of thing.  There are three other servers 
(two running, third on its way) with public, static IP addresses.  This still 
leaves one free.  The other two boxes are co-los for friends, and they're 
responsible for their own security.  They want to learn freebsd on their 
own, so I'm going to let them. ;)  

As such, this is a firewall for my main server only.  

Again, thanks greatly to everyone who spends the time to help people on this 
list!
-- 
Eric F Crist
AdTech Integrated Systems, Inc
(612) 998-3588


pgp0.pgp
Description: signature
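An added example, not Eric's ruleset and not JJB's: a stateful ipfw policy for a single public server of the kind described in this thread, exposing only the services it means to offer and closing the rest (3306, 783, 587) to the internet while leaving them reachable from the box itself over lo0. Assumptions, labelled in the script: the public interface is dc0 (taken from Eric's mysql rule), the exposed TCP ports are passed in as a list, and the kernel is built with IPFIREWALL_VERBOSE so the `log` keyword does something. One fact worth having while deciding what to expose: 783/tcp, which nmap labels with the older hp-alarm-mgr name, is also the default port of SpamAssassin's spamd, and spamd has no business listening to the internet.

```shell
#!/bin/sh
# Added example, not Eric's ruleset: a stateful ipfw policy for one public
# server.  Assumed: the public interface is dc0 (taken from Eric's mysql
# rule) and the exposed TCP ports are passed in as a list.  By default the
# rules are only printed so the script can be reviewed as a non-root user;
# IPFW_CMD=ipfw loads them.  The kernel needs IPFIREWALL_VERBOSE for the
# 'log' keyword to do anything; net.inet.ip.fw.verbose_limit caps the noise.
fwcmd="${IPFW_CMD:-echo ipfw}"

server_rules() {
    pif="$1"        # public interface
    tcp_in="$2"     # TCP ports to expose, space separated

    $fwcmd -f flush
    $fwcmd add 100 allow ip from any to any via lo0
    $fwcmd add 200 deny ip from any to 127.0.0.0/8
    $fwcmd add 300 deny ip from 127.0.0.0/8 to any
    # Nothing arriving from the internet may carry a private source address.
    $fwcmd add 310 deny ip from 10.0.0.0/8 to any in via "$pif"
    $fwcmd add 311 deny ip from 172.16.0.0/12 to any in via "$pif"
    $fwcmd add 312 deny ip from 192.168.0.0/16 to any in via "$pif"

    # Packets belonging to a connection already seen by a keep-state rule.
    $fwcmd add 400 check-state

    # Connections the server opens itself (DNS lookups, mail delivery,
    # fetching ports) are allowed out and their replies tracked.
    $fwcmd add 500 allow tcp from me to any out via "$pif" setup keep-state
    $fwcmd add 510 allow udp from me to any out via "$pif" keep-state
    $fwcmd add 520 allow icmp from me to any out via "$pif"

    # Inbound: one 'setup keep-state' rule per exposed service.  Only the
    # SYN has to match here; the rest of the connection hits rule 400.
    n=600
    for port in $tcp_in; do
        $fwcmd add $n allow tcp from any to me "$port" in via "$pif" setup keep-state
        n=$((n + 1))
    done
    $fwcmd add 650 allow udp from any to me 53 in via "$pif" keep-state
    # Let the outside ping us, and let unreachable/time-exceeded replies
    # to our own traffic in.
    $fwcmd add 660 allow icmp from any to me in via "$pif" icmptypes 0,3,8,11

    # Every other connection attempt from outside is refused and logged.
    # This is what takes 3306 (mysql), 783 and 587 off the internet while
    # leaving them reachable from the box itself through lo0 (rule 100).
    $fwcmd add 700 deny log tcp from any to me in via "$pif" setup
    $fwcmd add 710 deny log udp from any to me in via "$pif"
    # Closing deny without log: stray ACKs and scans would otherwise flood it.
    $fwcmd add 65534 deny ip from any to any
}

if [ $# -ge 2 ]; then
    server_rules "$1" "$2"
fi
```

Review with `sh server_rules.sh dc0 "21 22 25 53 80 110 443 6667 6668"`, then load as root with `IPFW_CMD=ipfw`. Re-run the nmap scan afterwards from a host outside the /29 rather than against 127.0.0.1: a scan of localhost goes through lo0 and rule 100, so it will keep showing every listening socket no matter what the public-side rules say.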


Re: startup daemon as unpriviliged user

2004-02-14 Thread Louis LeBlanc
Bingo!  Thanks a bunch!

I'll check out gettytab too, but the @reboot is exactly what I needed
for this.

Lou
On 02/13/04 08:04 PM, Craig Reyenga sat at the `puter and typed:
 man 5 crontab -- check out @reboot
 
 Or, for something crazy, man gettytab; you can autologin on a tty and then
 use a shell script to do all kinds of fun things. I used to run X without
 xdm that way.
 
 Hope this helps.
 
 -Craig
 
 
 - Original Message -
 From: Louis LeBlanc [EMAIL PROTECTED]
 To: FreeBSD Questions [EMAIL PROTECTED]
 Sent: Friday, February 13, 2004 7:47 PM
 Subject: startup daemon as unpriviliged user
 
 
  Hey everyone.  Here's a general question for you.
 
  I have a FreeBSD 4.8 system that runs fetchmail for me as an
  unprivileged everyday userid.  The problem is that the machine isn't
  on the most reliable powergrid one could hope for.
 
  So when the system comes back up after going down, I ALWAYS forget
  that I have to get fetchmail restarted.  If I forget for too long,
  there's so much mail it blows the server that receives the mail into
  oblivion (also FreeBSD 4.8, running Sendmail, Cyrus Imapd, and the
  main culprit, Spamassassin - spamd).  This is so bad that I often have
  to reboot the receiving system.
 
  So, how can I get a process to run automatically on startup for an
  unprivileged user?
 
  Thanks.
  Lou
  --
  Louis LeBlanc   [EMAIL PROTECTED]
  Fully Funded Hobbyist, KeySlapper Extrordinaire :)
  http://www.keyslapper.org ԿԬ
 
  The clearest way into the Universe is through a forest wilderness.
  -- John Muir
  ___
  [EMAIL PROTECTED] mailing list
  http://lists.freebsd.org/mailman/listinfo/freebsd-questions
  To unsubscribe, send any mail to
 [EMAIL PROTECTED]
 
 
 

-- 
Louis LeBlanc   [EMAIL PROTECTED]
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
http://www.keyslapper.org ԿԬ

ignisecond, n:
  The overlapping moment of time when the hand is locking the car
  door even as the brain is saying, my keys are in there!
-- Rich Hall, Sniglets


Branch Tags vs Release Tags

2004-02-14 Thread Bob Perry
Hello,

Need to upgrade to FreeBSD 4.9 so all my ports will run.  Not sure,
however, if I want/need:

RELENG_4_9

   The release branch for FreeBSD-4.9, used only for security
   advisories and other critical fixes.
or,

RELENG_4_9_0_RELEASE

   FreeBSD 4.9

I understand that the Release tag references FreeBSD version at a given 
point in time, but is there a problem selecting RELENG_4_9, ...used
only for security advisories and other critical fixes.

Thanks
Bob Perry


--

FreeBSD 4.8-RELEASE-p13 0#



Re: USB2 external hard drive too slow ....

2004-02-14 Thread Heinrich Rebehn
Antoine Jacoutot wrote:
On Friday 13 February 2004 16:02, Heinrich Rebehn wrote:

Hi Ivan,
did you get any reply to your posting? I am having the same problem:
Maxtor 250 GB external USB2 drive, Belkin USB2 card, FreeBSD 5.1, but I
get only  1MB/sec.
Does FreeBSD support USB 2.0 at all?


Did you add device ehci in your kernel config file ?
That's what enables USB2 support if I'm not mistaken.
But beware, I compiled my system (5.2.1-RC2)  with this option and now USB 
crashes totally.

I'm afraid, mine too (5.2.1-RC2). System just reboots without any 
message. Also, after reboot, my USB disk was not reachable anymore until 
I cycled the power on the disk.
man(4) ehci seems to be correct here:
	The driver is not finished and is quite buggy. :-(

Heinrich


RE: Branch Tags vs Release Tags

2004-02-14 Thread Edmund Craske
 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Bob Perry
 Sent: 14 February 2004 17:17
 To: FreeBSD-Questions
 Subject: Branch Tags vs Release Tags
 
 
 Hello,
 
 Need to upgrade to FreeBSD 4.9 so all my ports will run.  Not sure,
 however, if I want/need:
 
 RELENG_4_9

This is the one you want, as it contains all the fixes etc since 4.9
was released.

 The release branch for FreeBSD-4.9, used only for security
 advisories and other critical fixes.
 
 or,
 
 
 RELENG_4_9_0_RELEASE

This one is exactly as released, i.e. what you get on the install CD.
 
 FreeBSD 4.9
 
 I understand that the Release tag references FreeBSD version 
 at a given 
 point in time, but is there a problem selecting RELENG_4_9, 
 ...used only for security advisories and other critical fixes.

No problem, in fact it would make little sense not to use this branch.
It has all the security vulnerabilities since original release patched
and any other critical fixes worthy of committing.

 Thanks
 Bob Perry

Ed



Re: Branch Tags vs Release Tags

2004-02-14 Thread Bob Perry
Edmund Craske wrote:

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Bob Perry
Sent: 14 February 2004 17:17
To: FreeBSD-Questions
Subject: Branch Tags vs Release Tags

Hello,

Need to upgrade to FreeBSD 4.9 so all my ports will run.  Not sure,
however, if I want/need:

RELENG_4_9
   

This is the one you want, as it contains all the fixes etc since 4.9
was released.
 

   The release branch for FreeBSD-4.9, used only for security
   advisories and other critical fixes.
or,

RELENG_4_9_0_RELEASE
   

This one is exactly as released, ie what you get on the install CD.

 

   FreeBSD 4.9

I understand that the Release tag references FreeBSD version 
at a given 
point in time, but is there a problem selecting RELENG_4_9, 
...used only for security advisories and other critical fixes.
   

No problem, in fact it would make little sense not to use this branch.
 

I guess that's what's so confusing.  Who would benefit from using

RELENG_4_9_0_RELEASE?

Thanks much Ed.
Bob


Re: Running processes...

2004-02-14 Thread Kevin D. Kinsey, DaleCo, S.P.
Eric F Crist wrote:

On Saturday 14 February 2004 10:26 am, JJB wrote:
 

This port map is only showing you what ports are open to accept
start requests from the public internet. Looks like you are using
IPFW with stateless rules which just provides a very basic level
of security. Use stateful rules with 'out' and 'via' keywords to
separate your firewall into outbound control where you allow all
these ports listed below out to the public internet. Then for the
inbound side use stateful rules with 'in' and 'via' keywords
allowing in only the ports that you have servers running on. That
will close all those listed ports to inbound availability. If you
have a LAN behind your gateway and are using ipfw with the divert rule legacy
sub-routine call to userland natd then stateful rules do not work
because of a legacy bug in the basic concept design of this process.  Use
IPFILTER; its stateful rules work in a NATed environment and as such
provide a much higher level of security than IPFW can provide in
a NATed environment.  I have an IPFILTER sample rule set if you are
interested.
   

Thanks for the reply.  This is not a nated environment.  For the time being, 
I've got DSL with a /29 network.  I'm running DNS, Mail, etc right from my 
own box.  I guess my question was, what are those two services I listed?  
Submission and hp-alrm-mgr?  Are there any ipfw rules that I SHOULD set?  
Here's my current ruleset:

00100 1622 256612 allow ip from any to any via lo0
002000  0 deny ip from any to 127.0.0.0/8
003000  0 deny ip from 127.0.0.0/8 to any
00600 3931 501305 allow ip from any to any
655350  0 deny ip from any to any
This is obviously a very wide-open server right now.  I'm guessing I should 
add some rules like the following?

change 0600 to allow ip from any to any established
add allow ip from any to server ip address port mail
add allow ip from any to server ip address port ftp
add allow ip from any to server ip address port irc1
add allow ip from any to server ip address port irc2
add allow ip from any to server ip address port irc3
add allow ip from any to server ip address port ssh
add allow ip from any to server ip address port dns
add allow ip from any to server ip address port 110
add allow ip from any to server ip address port 443
add deny ip from any to server ip address via dc0 port mysql
add deny ip from any to server ip address
The mysql, I assume, since the only thing accessing it should be my local web 
server, I don't need it to have public (inet) access?

 

Sample FTP/SMTP/DNS/HTTP entry:

   add allow tcp from any to {$me} in via ${oif} 22 setup
   add allow tcp from any to {$me} in via ${oif} 25 setup
   add allow tcp from any to {$me} in via ${oif} 53 setup
   add allow tcp from any to {$me} in via ${oif} 80 setup
These must be paired with, later in list:

   add allow tcp from any to {$me} established

HTH,

Kevin Kinsey


Re: Running processes...

2004-02-14 Thread Eric F Crist
On Saturday 14 February 2004 11:51 am, Kevin D. Kinsey, DaleCo, S.P. wrote:
 Sample FTP/SMTP/DNS/HTTP entry:

 add allow tcp from any to {$me} in via ${oif} 22 setup
 add allow tcp from any to {$me} in via ${oif} 25 setup
 add allow tcp from any to {$me} in via ${oif} 53 setup
 add allow tcp from any to {$me} in via ${oif} 80 setup

 These must be paired with, later in list:

 add allow tcp from any to {$me} established

What does the setup do in these statements?

-- 
Eric F Crist
AdTech Integrated Systems, Inc
(612) 998-3588




Re: Creating mp3

2004-02-14 Thread Simon Rutishauser
Hi,

Benjamin Walkenhorst wrote:
 Hello,
 
 On Thu, 12 Feb 2004 23:51:19 -0600
 Quintin Riis [EMAIL PROTECTED] wrote:
 
 mp3 is outdated, use vorbis.
 
 I wouldn't say so.
 Unless you show me an affordable hardware-vorbis-player. There's plenty
 of CD-Players that will also play mp3-CDs, just like most
 standalone-DVD-players.

Try the iRiver imp 550 - it rocks. The firmware's still beta, though.

 Also, I hear, XMMS does not support vorbis. I don't know for sure,
 though.

There's a plugin of course.
 
Simon



Re: ipfw bandwidth limit

2004-02-14 Thread Vulpes Velox
Here is an example from my ftp server...

ipfw add 200 pipe 2 tcp from me to any out gid ftpusersBWL
ipfw pipe config 2 bw 16KBps queue 100


this will pipe anything from that gid into pipe 2... and pipe 2 is bw
limited at 16KBps... the only difference is that you will have to change the
packet matching setup...

On Sat, 14 Feb 2004 15:19:28 +0200
Markus Kovero [EMAIL PROTECTED] wrote:

 I've got 172.16.0.0/24 network that is connected to internet via vpn
 gre tunnel.
 And now I've had a bit of a hard time doing bandwidth control, maybe I'm
 missing something.
 
 I've set ipfw pipes like this:
 ipfw add queue 1 gre from any to 172.16.0.0/24
 ipfw queue 1 config weight 5 pipe 2 mask dst-ip 0x00ff
 ipfw pipe 2 config bw 1500Kbit/s
 ipfw add queue 2 gre from 172.16.0.0/24 to any
 ipfw queue 2 config weight 20 pipe 3 mask src-ip 0x00ff
 ipfw pipe 3 config bw 256Kbit/s
 
 net.inet.ip.fw.one_pass: 0
 
 65100 queue 1 gre from any to 172.16.0.0/24
 65200 queue 2 gre from 172.16.0.0/24 to any
 
 2:   1.500 Mbit/s0 ms   50 sl. 0 queues (1 buckets) droptail
 mask: 0x00 0x/0x - 0x/0x
 3: 256.000 Kbit/s0 ms   50 sl. 0 queues (1 buckets) droptail
 mask: 0x00 0x/0x - 0x/0x
 q1: weight 5 pipe 2   50 sl. 0 queues (64 buckets) droptail
 mask: 0x00 0x/0x - 0x00ff/0x
 q2: weight 20 pipe 3   50 sl. 0 queues (64 buckets) droptail
 mask: 0x00 0x00ff/0x - 0x/0x
 
 It seems to have no effect on the network. What am I missing?
 (replacing gre-protocol with ip doesn't help)
 
 Markus Kovero
 


RE: Branch Tags vs Release Tags

2004-02-14 Thread Edmund Craske
 I guess that 's what so confusing.  Who would benefit using
 
 RELENG_4_9_0_RELEASE?

No one really, except for diagnosis purposes. It's just a tag
to mark the release of 4.9, so more an administrative
reference than of everyday use.

Ed



IPFW ruleset not working... advice? WAS Re: Running processes...

2004-02-14 Thread Eric F Crist
Hello all,

I've got the following ruleset, but I can't ssh into my server anymore.  What 
did I miss?

grog# ipfw show
00100   0 0 allow ip from any to any via lo0
00200   0 0 deny ip from any to 127.0.0.0/8
00300   0 0 deny ip from 127.0.0.0/8 to any
00400   7  1562 allow ip from 1.2.3.4/29 to me
00500   0 0 allow ip from any 22 to me
00600   0 0 allow ip from any 21 to me
00700   0 0 allow ip from any 25 to me
00800   0 0 allow ip from any 80 to me
00900   0 0 allow ip from any 443 to me
01000   0 0 allow ip from any 110 to me
01100   0 0 allow ip from any 53 to me
01200   0 0 allow ip from any 6667 to me
01300   0 0 allow ip from any 6668 to me
01400   0 0 deny ip from not 1.2.3.4/29 8080 to me
65535 101 13960 deny ip from any to any

Thanks.

-- 
Eric F Crist
AdTech Integrated Systems, Inc
(612) 998-3588




Is it a bug

2004-02-14 Thread Rostislav Krasny
Hello. I haven't used FreeBSD with SMB much, so I'm not sure whether it is a bug 
or not.

When I run 'smbutil lookup smth' it works well but 'smbutil view //smth' 
and 'smbutil lc' produce error messages:

$ smbutil lookup moon
Warning: no cfg file(s) found.
Got response from 192.168.1.3
IP address of moon: 192.168.1.3
$ smbutil view //moon
smbutil: smb_lib_init: can't find kernel module
$ smbutil view //192.168.1.3
smbutil: smb_lib_init: can't find kernel module
$ smbutil lc
smbutil: smb_lib_init: can't find kernel module
Is it a bug or am I missing something? The man page of 'smbutil' doesn't tell 
me anything that can help answer this question. This is a fresh 
5.2.1-RC2 system installed from FTP.

Thanks


Re: IPFW ruleset not working... advice? WAS Re: Running processes...

2004-02-14 Thread Erik Trulsson
On Sat, Feb 14, 2004 at 12:47:01PM -0600, Eric F Crist wrote:
 Hello all,
 
 I've got the following ruleset, but I can't ssh into my server anymore.  What 
 did I miss?

You missed allowing IP packets going from your server to the outside.
You only allow packets from the outside to you.

I also think you might have misplaced the port numbers.
As it is you allow connections *from* port 25 (etc.) on the outside to
any port on your machine. I believe you want it the other way around
(i.e. allowing connections *to* port 25 on your machine from anywhere on
the outside.)

 
 grog# ipfw show
 00100   0 0 allow ip from any to any via lo0
 00200   0 0 deny ip from any to 127.0.0.0/8
 00300   0 0 deny ip from 127.0.0.0/8 to any
 00400   7  1562 allow ip from 1.2.3.4/29 to me
 00500   0 0 allow ip from any 22 to me
 00600   0 0 allow ip from any 21 to me
 00700   0 0 allow ip from any 25 to me
 00800   0 0 allow ip from any 80 to me
 00900   0 0 allow ip from any 443 to me
 01000   0 0 allow ip from any 110 to me
 01100   0 0 allow ip from any 53 to me
 01200   0 0 allow ip from any 6667 to me
 01300   0 0 allow ip from any 6668 to me
 01400   0 0 deny ip from not 1.2.3.4/29 8080 to me
 65535 101 13960 deny ip from any to any
 
 Thanks.
 
 -- 
 Eric F Crist
 AdTech Integrated Systems, Inc
 (612) 998-3588



-- 
Insert your favourite quote here.
Erik Trulsson
[EMAIL PROTECTED]


Re: IPFW ruleset not working... advice? WAS Re: Running processes...

2004-02-14 Thread Eric F Crist
On Saturday 14 February 2004 12:58 pm, Erik Trulsson wrote:
 On Sat, Feb 14, 2004 at 12:47:01PM -0600, Eric F Crist wrote:
  Hello all,
 
  I've got the following ruleset, but I can't ssh into my server anymore. 
  What did I miss?

 You missed allowing IP packets going from your server to the outside.
 You only allow packets from the outside to you.

 I also think you might have misplaced the port numbers.
 As it is you allow connections *from* port 25 (etc.) on the outside to
 any port on your machine. I believe you want it the other way around
 (i.e. allowing connections *to* port 25 on your machine from anywhere on
 the outside.)

  grog# ipfw show
  00100   0 0 allow ip from any to any via lo0
  00200   0 0 deny ip from any to 127.0.0.0/8
  00300   0 0 deny ip from 127.0.0.0/8 to any
  00400   7  1562 allow ip from 1.2.3.4/29 to me
  00500   0 0 allow ip from any 22 to me
  00600   0 0 allow ip from any 21 to me
  00700   0 0 allow ip from any 25 to me
  00800   0 0 allow ip from any 80 to me
  00900   0 0 allow ip from any 443 to me
  01000   0 0 allow ip from any 110 to me
  01100   0 0 allow ip from any 53 to me
  01200   0 0 allow ip from any 6667 to me
  01300   0 0 allow ip from any 6668 to me
  01400   0 0 deny ip from not 1.2.3.4/29 8080 to me
  65535 101 13960 deny ip from any to any
 
  Thanks.
 
  --
  Eric F Crist
  AdTech Integrated Systems, Inc
  (612) 998-3588

Hey, thanks!  I changed all the rules so they read:

allow ip from any to me port

and added the rule:

allow ip from me to any at rule 50

All seems to work now!  Does anyone have any suggestions on how to make this 
system even tighter?  Thanks.
-- 
Eric F Crist
AdTech Integrated Systems, Inc
(612) 998-3588




Re: redundancy with freebsd.

2004-02-14 Thread Bob Bomar
On Wed, 2004-02-11 at 02:49, Mipam wrote:
 Hi,
 
 I wish to run freebsd on some servers (hp blade servers).
 Each server will be supplied with two nic's, both will have the same ip
 and network mask.
 like this:
snip
 Suppose one switch will fail, then the link on one nic will be inactive.
 Meaning is that then the second nic will become active and traffic will go out
 over the second nic.
 Is this possible with freebsd, anybody got any experience with it?
 Btw, could you also cc to my own address [EMAIL PROTECTED]

What you need is something like Spanning Tree Protocol.  STP allows
you to use multiple NICs simultaneously, and prevents any loops
that could be caused.

FreeBSD does not have STP to my knowledge, but OpenBSD does.

-- 
Bob Bomar
[EMAIL PROTECTED]
http://www.ibsd.us





Re: MFS on new server.

2004-02-14 Thread Gary Kline


Thanks, Matthew; found and fixed.  I was 550'ing '[*].co.uk'
in /etc/mail/access.

(I figured my sledge-hammer approach would break eventually;
didn't realize it would break in this manner. :-| )

appreciated!

gary




On Sat, Feb 14, 2004 at 11:17:47AM +, Matthew Seaman wrote:
 Gary,
 
 On Sat, Feb 14, 2004 at 11:09:00AM +, Matthew Seaman wrote:
  On Sat, Feb 14, 2004 at 02:48:18AM -0800, Gary Kline wrote:
  
 
 Your mailing system's anti-spam filters are a bit too hair-triggered.
 You're bouncing the ham as well as the spam...
 
- The following addresses had permanent fatal errors -
 [EMAIL PROTECTED]
 (reason: 550 5.0.0 No SPAM)
  
- Transcript of session follows -
 ... while talking to ns1.thought.org.:
  MAIL From:[EMAIL PROTECTED]
  550 5.0.0 No SPAM
 554 5.0.0 Service unavailable
  
   Cheers,
 
   Matthew
 
 -- 
 Dr Matthew J Seaman MA, D.Phil.   26 The Paddocks
   Savill Way
 PGP: http://www.infracaninophile.co.uk/pgpkey Marlow
 Tel: +44 1628 476614  Bucks., SL7 1TH UK



-- 
   Gary Kline [EMAIL PROTECTED]   www.thought.org Public service Unix



background process limit?

2004-02-14 Thread Hugo (6s-gaming.com)
Hi list,

Is there a way to limit background processes? I need to separate these
from foreground processes, but can't find a way to. Any ideas?

Thanks in advance.


-- 
http://www.6s-gaming.com - your online store!



Re: background process limit?

2004-02-14 Thread Jez Hancock
On Sat, Feb 14, 2004 at 08:11:59PM +0100, Hugo (6s-gaming.com) wrote:
 Is there a way to limit background processes? I need to separate these
 from foreground processes, but can't find a way to. Any ideas?

You can restrict the maximum number of processes a UID is allowed to run
concurrently by configuring login.conf(5).  Some more info might be
useful.

What exactly are you trying to achieve?
What do you mean by 'limit' and 'separate' in the above? You don't
qualify those verbs in the above :P

-- 
Jez Hancock
 - System Administrator / PHP Developer

http://munk.nu/
http://jez.hancock-family.com/  - Another FreeBSD Diary
http://ipfwstats.sf.net/- ipfw peruser traffic logging


Re: IPFW ruleset not working... advice? WAS Re: Running processes...

2004-02-14 Thread Matthew Seaman
On Sat, Feb 14, 2004 at 01:15:07PM -0600, Eric F Crist wrote:

 Hey, thanks!  I changed all the rules so they read:
 
 allow ip from any to me port
 
 and added the rule:
 
 allow ip from me to any at rule 50
 
 All seems to work now!  Does anyone have any suggestions on how to make this 
 system even tighter?  Thanks.

Yes.  Use the stateful rules feature.  Instead of opening up outgoing
packets to everywhere, the keep-state rules dynamically open up a
point to point connection that remains open while traffic is flowing
between the two systems, and times out after traffic stops or the
connection is closed.

A very minimal partial ruleset to allow incoming SSH, HTTP, HTTPS,
SMTP and outgoing DNS lookups would look like:

00100 check-state
00200 deny log tcp from any to any established
00300 allow tcp from any to me 22,25,80,443 keep-state in recv fxp0
00400 allow udp from me to any 53 out xmit fxp0
00500 deny log ip from any to any

[The 'in recv fxp0' and 'out xmit fxp0' stuff is optional: all it does
is filter packets according to what interface they are traversing and
in what direction.  Remember to substitute the correct device name for
your network interface.]

Although at first sight, this would appear to block all tcp traffic
except for the first 'SYN' packet, and not permit any incoming UDP
traffic at all, the 'keep-state' flag in rules 00300 and 00400
generates dynamic rules that permit packets to flow in response to the
packet that triggered them.  Those rules are effectively inserted into
the ruleset at the 'check-state' line (or at the first occurring
'limit' or 'keep-state' line).  Use 'ipfw -d list' to show all active
dynamic rules.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   26 The Paddocks
  Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey Marlow
Tel: +44 1628 476614  Bucks., SL7 1TH UK


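The misplaced-port mistake Erik Trulsson diagnosed earlier in this thread and the check-state/keep-state behaviour Matthew describes above, modelled in one added example (my code, not anything posted to the list): a small first-match evaluator for just the ipfw rule subset these posts use. The addresses 192.0.2.10, 198.51.100.7 and 203.0.113.53, the interface name fxp0 and the keep-state on the DNS rule (which the explanation assumes but the quoted rule lacks) are assumptions.

```python
"""Toy model of ipfw(8) first-match evaluation with check-state/keep-state.
Added example, not code from the thread; it covers only the rule syntax used
in these posts and ignores 'log' and interface keywords (in/out/via/recv/xmit)."""
import ipaddress
from collections import namedtuple

ME = "192.0.2.10"   # constructed address standing in for the firewall host
Packet = namedtuple("Packet", "proto src sport dst dport syn ack",
                    defaults=(False, False))   # syn/ack: only TCP flags modelled

def addr_match(spec, addr):
    if spec == "any":
        return True
    if spec == "me":
        return addr == ME
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def parse_rule(text):
    """Parse one 'ipfw add' body, e.g. 'allow tcp from any to me 22 keep-state'."""
    toks = [t for t in text.split() if t != "log"]
    rule = {"action": toks.pop(0), "proto": "ip", "src": "any", "dst": "any",
            "sports": frozenset(), "dports": frozenset(),   # empty = any port
            "keep_state": False, "established": False}
    if rule["action"] == "check-state":
        return rule
    rule["proto"] = toks.pop(0)
    assert toks.pop(0) == "from"
    rule["src"] = toks.pop(0)
    if toks[0] != "to":                      # source port list present
        rule["sports"] = frozenset(map(int, toks.pop(0).split(",")))
    assert toks.pop(0) == "to"
    rule["dst"] = toks.pop(0)
    if toks and toks[0][0].isdigit():        # destination port list present
        rule["dports"] = frozenset(map(int, toks.pop(0).split(",")))
    while toks:
        opt = toks.pop(0)
        if opt in ("via", "recv", "xmit"):
            toks.pop(0)                      # interface name: not modelled
        elif opt == "keep-state":
            rule["keep_state"] = True
        elif opt == "established":           # ACK (or RST) bit set
            rule["established"] = True
    return rule

def matches(r, p):
    return (r["proto"] in ("ip", p.proto)
            and addr_match(r["src"], p.src) and addr_match(r["dst"], p.dst)
            and (not r["sports"] or p.sport in r["sports"])
            and (not r["dports"] or p.dport in r["dports"])
            and (not r["established"] or p.ack))

class Firewall:
    """First match wins; anything unmatched hits the implicit default deny."""
    def __init__(self, rules):
        self.rules = [parse_rule(r) for r in rules]
        self.dynamic = set()   # flows opened by keep-state, matched both ways

    def check(self, p):
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        for r in self.rules:
            # Dynamic table is consulted at check-state, or at a keep-state rule
            # when no check-state precedes it.
            if r["action"] == "check-state" or r["keep_state"]:
                if fwd in self.dynamic or rev in self.dynamic:
                    return "allow"
            if r["action"] == "check-state" or not matches(r, p):
                continue
            if r["keep_state"]:
                self.dynamic.add(fwd)
            return r["action"]
        return "deny"

def demo_misplaced_port():
    # 'from any 22 to me' matches packets *sent from* port 22; an SSH client
    # connects from an ephemeral port, so only the 'to me 22' form admits it.
    syn = Packet("tcp", "198.51.100.7", 51515, ME, 22, syn=True)
    wrong = Firewall(["allow ip from any 22 to me"])
    right = Firewall(["allow ip from any to me 22"])
    return wrong.check(syn), right.check(syn)   # -> ("deny", "allow")

def demo_stateful():
    # Matthew's minimal stateful ruleset, with keep-state on the DNS rule as his
    # explanation describes (an assumption here); returns the verdict per step.
    fw = Firewall([
        "check-state",
        "deny log tcp from any to any established",
        "allow tcp from any to me 22,25,80,443 keep-state in recv fxp0",
        "allow udp from me to any 53 keep-state out xmit fxp0",
        "deny log ip from any to any",
    ])
    client, resolver = "198.51.100.7", "203.0.113.53"
    steps = [
        ("ssh syn in", Packet("tcp", client, 51515, ME, 22, syn=True)),
        ("ssh syn/ack out", Packet("tcp", ME, 22, client, 51515, True, True)),
        ("ssh ack in", Packet("tcp", client, 51515, ME, 22, ack=True)),
        ("stray ack to 80", Packet("tcp", client, 40000, ME, 80, ack=True)),
        ("dns query out", Packet("udp", ME, 4321, resolver, 53)),
        ("dns reply in", Packet("udp", resolver, 53, ME, 4321)),
        ("unsolicited udp", Packet("udp", resolver, 53, ME, 9999)),
    ]
    return {name: fw.check(p) for name, p in steps}
```

The stray ACK to port 80 shows why the 'deny ... established' rule sits before the keep-state rules: a packet that claims to belong to a connection the firewall never saw open is dropped instead of matching a port rule.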


Other ways to check/repair disks besides fsck?

2004-02-14 Thread Mark Hessler
Hello,

Are there any other approaches to checking/repairing disks besides fsck 
after a power outage?  

Thanks, Mark Hessler



Re: background process limit?

2004-02-14 Thread Matthew Seaman
On Sat, Feb 14, 2004 at 08:11:59PM +0100, Hugo (6s-gaming.com) wrote:

 Is there a way to limit background processes? I need to separate these
 from foreground processes, but can't find a way to. Any ideas?

There isn't really any way of distinguishing foreground and background
processes apart from typing 'jobs' at the shell prompt.  'Foreground'
and 'background' processes are concepts specific to your shell -- as
far as the system is concerned, a process is a process, and it doesn't
care if that's the process currently accepting interactive input from
the tty or not.  

You can use the limits(1) command or the settings in /etc/login.conf
to limit the total number of processes a user can run, which
effectively prevents them from spawning too many background processes.
You can set the 'maxfiles' limit quite high if the intent is to
prevent your users from forkbombing your machine -- that will avoid
interfering with normal usage.  If the problem is that your system is
running out of resources to cope with the number of users and
processes on it, then you're probably better off looking at each
users' datasize, filesize, cputime, memoryuse and/or virtualmem limits
as well.  However, don't be too draconian or your users will become
quite irate as their legitimate processes start to get killed off.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   26 The Paddocks
  Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey Marlow
Tel: +44 1628 476614  Bucks., SL7 1TH UK




5.1-release - 5.2-release: manual steps?

2004-02-14 Thread Mark Hessler
Hello,

Is it necessary to separately/manually upgrade the boot files (or 
anything else) after rebuilding userland and kernel, or does mergemaster 
take care of everything?  (5.1-release - 5.2-release upgrade.)

Mark Hessler



Re: Other ways to check/repair disks besides fsck?

2004-02-14 Thread Kent Stewart
On Saturday 14 February 2004 12:46 pm, Mark Hessler wrote:
 Hello,

 Are there any other approaches to checking/repairing disks besides
 fsck after a power outage?


You have to remember that it is your fs that is most likely fouled up 
and that is what fsck checks. The next step lower, from my experience, 
is a low-level format by a program provided by most HD manufacturers. 
Obviously, that is a last-gasp choice.

Kent

-- 
Kent Stewart
Richland, WA

http://users.owt.com/kstewart/index.html


Re: Other ways to check/repair disks besides fsck?

2004-02-14 Thread Chuck Swiger
Mark Hessler wrote:
Are there any other approaches to checking/repairing disks besides fsck 
after a power outage? 
Certainly, however it would help to know what types of problems you are 
concerned about repairing: physical media errors, data corruption within the 
filesystem (truncated files, open files with unwritten data, etc), or other 
kinds of problems?

You can use RAID mirroring against physical data loss.

You can use tripwire or other checksumming routines to verify whether file 
contents are intact.

You can compare files against backups, and restore if needed.

You can use software which performs fault-tolerant transaction processing, 
for instance, databases with transaction rollback capabilities.

You can mount the filesystem with -o sync to keep data+metadata more 
consistent at the expense of performance.

You can obtain a UPS and shut down cleanly in the event of a power outage.

--
-Chuck


Re: 5.1-release - 5.2-release: manual steps?

2004-02-14 Thread Kent Stewart
On Saturday 14 February 2004 12:53 pm, Mark Hessler wrote:
 Hello,

 Is it necessary to separately/manually upgrade the boot files (or
 anything else) after rebuilding userland and kernel, or does
 mergemaster take care of everything?  (5.1-release - 5.2-release
 upgrade.)


In my installworld log, I see the following, which updates the boot.

=== sys/boot/i386/boot2
install -o root -g wheel -m 444  boot /boot/boot
install -o root -g wheel -m 444  boot1 /boot/boot1
install -o root -g wheel -m 444  boot2 /boot/boot2

This was the last update of a 5-current machine but I haven't seen a 
change in behavior.

Kent

-- 
Kent Stewart
Richland, WA

http://users.owt.com/kstewart/index.html


Can I prevent touching the disk every 10 seconds?

2004-02-14 Thread stevieo
How would I track down what is touching the hard drive every 10 or so seconds?
It seems to be multiple things because the delay changes if I remove xmd from
/etc/ttys, or if I add/remove the noatime option in /etc/fstab.

To complicate matters, it sounds like the hard drive is seeking and then
spins up when the disk is accessed. This is a laptop machine so I'd like
to stop this from happening, for the power saving if nothing else.



continued IPFW issues... (actually a lack of ability on my part)

2004-02-14 Thread Eric F Crist
I'm still having some sort of issues with ipfw rules on my server.  I've got a 
cgi based irc client installed, and I can't connect.  Also, it seems as if my 
DNS server isn't able to send queries out.  An ipfw show displays the 
following for me:

00050 54632 4640473 allow ip from me to any
00100 0   0 allow ip from any to any via lo0
00200 0   0 deny ip from any to 127.0.0.0/8
00300 0   0 deny ip from 127.0.0.0/8 to any
00400  4027  351563 allow ip from 63.228.14.240/29 to me
00500 2  80 allow ip from any to me dst-port 22
00600 2  80 allow ip from any to me dst-port 21
00700   388   25405 allow ip from any to me dst-port 25
00800584944 allow ip from any to me dst-port 80
00900 2  80 allow ip from any to me dst-port 443
01000 2  80 allow ip from any to me dst-port 110
01100544247 allow ip from any to me dst-port 53
01200 2  80 allow ip from any to me dst-port 6667
01300 2  80 allow ip from any to me dst-port 6668
01400 4 160 deny ip from not 63.228.14.240/29 to me dst-port 8080
65535 46432 7224466 deny ip from any to any

Where is all that denied traffic coming from on the final rule?

TIA
-- 
Eric F Crist
AdTech Integrated Systems, Inc
(612) 998-3588




Re: /tmp full (newbie)

2004-02-14 Thread Alex de Kruijff
On Thu, Feb 12, 2004 at 08:26:24PM +0100, gaf wrote:
 Hello.
 I'm a newbie to unix and FreeBSD. I have 5.2 installed. When installing I 
 followed the advice in The Complete FreeBSD and made the following 
 partitions:
 / 4G
 swap  800M
 /home   35G
 I have KDE 3.2  installed I have done cvsup on src and ports new kernel 
 etc etc.
 Today I tried to install a new browser and I got the information that my 
 filesystem is full.  When I tried to start KDE I got the message that 
 /tmp is full. I would really appreciate some help. What to do?? Can I 
 give you some other info and if so what and how???
 Many thanks Gaf

Hi,

If you've installed KDE through the ports system then do:
cd /usr/ports/; make clean (or be more specific in the path)

Otherwise you can use this command to search where your disk is full:
du -s * | sort -n


But I would advise you to reinstall your system because this setup is
not the safest. If something happens to /usr, /tmp or /var then this
would mean / is also affected and that could mean that you can no longer
boot. Also, having separate partitions is good for keeping the filesystem
optimized. Then different anti-fragmentation methods can be used. Also doing
this can result in a system that works faster because the start of the
disk can be accessed faster than the end. It's usual to have the
following partitions in this order:

/       256M; allows faster boot
swap    allows faster memory writes than if you were to have this
        after 4G
/var    256M; allows fast writing of logfiles
The remainder of the partitions:
/tmp    I have this 5G because I also place the working directory of
        the ports here and /usr/obj and like to install openoffice and
        java
/usr    I have this 3G7 but that is 95% full (which I will solve by
        moving /usr/src and /usr/ports; it's an X-system with two users
        and openoffice+kde installed)
/other-partitions

--
Alex

Articles based on solutions that I use:
http://www.kruijff.org/alex/index.php?dir=docs/FreeBSD/


domain and email problems

2004-02-14 Thread RYAN vAN GINNEIKEN
Just wondering why when I send email to yahoo or lycos and probably 
hotmail too it always ends up in their bulk mail folder.  This is a 
great inconvenience; do I need to be on or off some sort of list or 
something?  Any help would be appreciated.



Allowing Anonymous FTP

2004-02-14 Thread GRF .
  I wanted to see how the anonymous FTP option worked on FreeBSD so I 
enabled it on my test box.  I haven't been able to find out much info 
about locking down to a default directory.  Is there a way to, let's say, block 
all directories when logging in and open right up to the /incoming 
directory?  It doesn't seem smart to have the /etc directory visible with 
the group and passwd file readable.  At the very least is there a way to 
make the /bin and /etc directory hidden?  Thanks






vnc-4.0b4

2004-02-14 Thread Jason
FreeBSD team, anyone gotten the Xvnc server out of this to compile correctly from
source on 4.9-STABLE? If so, what's the secret? ;)  I've tried building with make and gmake and
get errors both ways. Googling didn't seem to get me any answers.

regards,
Jason



Re: startup daemon as unpriviliged user

2004-02-14 Thread Danny Pansters
On Saturday 14 February 2004 01:47, Louis LeBlanc wrote:
 Hey everyone.  Here's a general question for you.

 I have a FreeBSD 4.8 system that runs fetchmail for me as an
 unprivileged everyday userid.  The problem is that the machine isn't
 on the most reliable powergrid one could hope for.

 So when the system comes back up after going down, I ALWAYS forget
 that I have to get fetchmail restarted.  If I forget for too long,
 there's so much mail it blows the server that receives the mail into
 oblivion (also FreeBSD 4.8, running Sendmail, Cyrus Imapd, and the
 main culprit, Spamassassin - spamd).  This is so bad that I often have
 to reboot the receiving system.

 So, how can I get a process to run automatically on startup for an
 unprivileged user?

For a user unprivileged but with a login, run the service as that user if that is available as 
an option to the app you want to run, or use sudo or equivalent (as root you 
can sudo anything as any user).

I have made this little blurb for my desktop after realizing that it's easy to 
forget starting the spambayes pop3 proxy and then have my kmail not be able to 
connect to localhost:10110:

% cat /usr/local/etc/rc.d/zzz_local_users.sh
#!/bin/sh
# spambayes
cd /home/danny
sudo -u danny sb_server.py -D hammie.db -l 10110 pop.vuurwerk.nl 110 
# get yahoo mail every n minutes
sudo -u danny ./.fetchyahoo 

It's a bit crude (need to hit enter to get my console back) but for my desktop 
it's ok as it is. Obviously sudo needs to be installed and in the path.

The processes show up if I 'ps' as user danny and I can kill or hup them.


HTH,

Dan

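The same idea as Danny's zzz_local_users.sh, written out as an added example that is not part of the thread: an rc.d-style wrapper that honours the start/stop argument rc.d scripts receive, launches the daemon as an unprivileged user, backgrounds it so the console is handed back at once (the "hit enter" crudeness above), and records a pidfile so the same script can stop it. The user danny, the command path, the log and pidfile locations are placeholders, and the target user's login shell is assumed to be Bourne-compatible.

```shell
#!/bin/sh
# Added example (not Danny's script): an rc.d-style start/stop wrapper that
# runs a daemon as an unprivileged user, detaches it from the console and
# keeps a pidfile so the same script can stop it. The user, command and
# file paths are placeholders; set them to your own values.
RUN_USER="${RUN_USER:-danny}"
DAEMON="${DAEMON:-/home/danny/bin/fetchyahoo}"   # hypothetical daemon
LOGFILE="${LOGFILE:-/var/log/fetchyahoo.log}"    # must be writable by RUN_USER
PIDFILE="${PIDFILE:-/var/run/fetchyahoo.pid}"    # written by root, not by RUN_USER

# Run one command string as RUN_USER. As root, su(1) switches identity
# (the login shell of RUN_USER is assumed to be Bourne-compatible); when
# already that user, as during a test run, just use sh directly.
run_as_user() {
    if [ "$(id -un)" = "$RUN_USER" ]; then
        sh -c "$1"
    else
        su "$RUN_USER" -c "$1"
    fi
}

# True if the pid recorded in PIDFILE still exists.
daemon_running() {
    [ -r "$PIDFILE" ] || return 1
    kill -0 "$(cat "$PIDFILE")" 2>/dev/null
}

do_start() {
    if daemon_running; then
        echo "already running (pid $(cat "$PIDFILE"))"
        return 0
    fi
    # nohup plus the redirections detach the child from the console, so the
    # boot sequence (and your shell) gets control back immediately.
    # "echo $!" passes the child's pid back through the command substitution;
    # the pidfile itself is written by us, so RUN_USER needs no /var/run access.
    pid=$(run_as_user "nohup $DAEMON </dev/null >>$LOGFILE 2>&1 & echo \$!")
    [ -n "$pid" ] || return 1
    echo "$pid" > "$PIDFILE"
    echo "started $DAEMON as $RUN_USER (pid $pid)"
}

do_stop() {
    if ! daemon_running; then
        rm -f "$PIDFILE"
        echo "not running"
        return 0
    fi
    pid=$(cat "$PIDFILE")
    kill "$pid"
    # Give it a few seconds to exit before reporting failure.
    for i in 1 2 3 4 5; do
        if ! kill -0 "$pid" 2>/dev/null; then
            rm -f "$PIDFILE"
            echo "stopped (pid $pid)"
            return 0
        fi
        sleep 1
    done
    echo "pid $pid did not exit after SIGTERM" >&2
    return 1
}

# rc.d semantics: act only on "start" and "stop"; shutdown calls the script
# with "stop", so nothing is launched a second time on the way down.
case "${1:-}" in
start) do_start ;;
stop)  do_stop ;;
"")    ;;   # no argument: define the functions only
*)     echo "usage: $0 {start|stop}" >&2 ;;
esac
```

Install it in /usr/local/etc/rc.d with a name ending in .sh (the rc of that era only ran scripts named that way) and it is started at boot and stopped at shutdown; `sh zzz_fetchyahoo.sh start` and `... stop` do the same by hand. The log file must already exist and be writable by RUN_USER, since the daemon, not root, writes to it.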


Re: domain and email problems

2004-02-14 Thread Danny Pansters
On Saturday 14 February 2004 23:39, RYAN vAN GINNEIKEN wrote:
 Just wondering why when i send email to yahoo or lycos and probably
 hotmail too it always ends up in there bulk mail folder.  This is a
 great inconvenience do i need to be on or off some sort of list or
 something.  Any help would be appreciated


Are you using a fake domain? E.g. 'HELO yourbox' doesn't match your ISP's, 
or the like. Reverse DNS is also something often used as a criterion. They 
may use that when filtering, it's very common (which IMHO is kinda silly, 
they should instead use a Bayesian filter and let the user dump their spam 
into a SPAM folder, then use that periodically for training the filter).

You may even be so unfortunate as to be part of a blacklisted IP block by one 
of the anti-spam houses whose databases are often used for filtering. It's 
hard to say what exactly they do.


HTH,

Dan


Re: continued IPFW issues... (actually a lack of ability on my part)

2004-02-14 Thread Jez Hancock
On Sat, Feb 14, 2004 at 03:27:35PM -0600, Eric F Crist wrote:
 I'm still having some sort of issues with ipfw rules on my server.  I've got a 
 cgi based irc client installed, and I can't connect.  Also, it seems as if my 
 DNS server isn't able to send queries out.  An ipfw show displays the 
 following for me:
 
 00050 54632 4640473 allow ip from me to any
 00100 0   0 allow ip from any to any via lo0
 00200 0   0 deny ip from any to 127.0.0.0/8
 00300 0   0 deny ip from 127.0.0.0/8 to any
 00400  4027  351563 allow ip from 63.228.14.240/29 to me
 00500 2  80 allow ip from any to me dst-port 22
 00600 2  80 allow ip from any to me dst-port 21
 00700   388   25405 allow ip from any to me dst-port 25
 00800584944 allow ip from any to me dst-port 80
 00900 2  80 allow ip from any to me dst-port 443
 01000 2  80 allow ip from any to me dst-port 110
 01100544247 allow ip from any to me dst-port 53
 01200 2  80 allow ip from any to me dst-port 6667
 01300 2  80 allow ip from any to me dst-port 6668
 01400 4 160 deny ip from not 63.228.14.240/29 to me dst-port 8080
 65535 46432 7224466 deny ip from any to any
 
 Where is all that denied traffic coming from on the final rule?

You are only allowing traffic in and not out - as Matthew Seaman
mentioned in the last post in your previous thread, you should use
'keep-state' to keep track of the connections made to you.  See the
examples he provided in that thread.

From the manpage for ipfw:

 check-state
 Checks the packet against the dynamic ruleset.  If a match is
 found, execute the action associated with the rule which generated
 this dynamic rule, otherwise move to the next rule.
 Check-state rules do not have a body.  If no check-state rule is
 found, the dynamic ruleset is checked at the first keep-state or
 limit rule.

...

 keep-state
 Upon a match, the firewall will create a dynamic rule, whose
 default behaviour is to match bidirectional traffic between
 source and destination IP/port using the same protocol.  The rule
 has a limited lifetime (controlled by a set of sysctl(8) variables),
 and the lifetime is refreshed every time a matching packet is found.

When a connection is made to port 80 from an external host, with the
'keep-state' flag set on your rule for port 80, data transfer will be
allowed in both directions to/from the external host to/from you on port
80 for a limited period.  The check-state rule effectively 'shortcuts'
the rest of the rules in the ruleset if a match is made for the external
host for the given action (inbound connections to port 80 in this case).

You'd need to do the same for each of the other ports you want to allow
free connections to/from.

-- 
Jez Hancock
 - System Administrator / PHP Developer

http://munk.nu/
http://jez.hancock-family.com/  - Another FreeBSD Diary
http://ipfwstats.sf.net/- ipfw peruser traffic logging


Re: ipfw bandwidth limit

2004-02-14 Thread Alex de Kruijff
On Sat, Feb 14, 2004 at 12:25:22PM -0600, Vulpes Velox wrote:
 Markus Kovero [EMAIL PROTECTED] wrote:
 
 On Sat, 14 Feb 2004 15:19:28 +0200

  I've got 172.16.0.0/24 network that is connected to internet via vpn
  gre tunnel.
  And now I've had bit hard time doing bandwidth control, maybe I'm
  missing something.
  
  I've set ipfw pipes like this:
  ipfw add queue 1 gre from any to 172.16.0.0/24
  ipfw queue 1 config weight 5 pipe 2 mask dst-ip 0x000000ff
  ipfw pipe 2 config bw 1500Kbit/s
  ipfw add queue 2 gre from 172.16.0.0/24 to any
  ipfw queue 2 config weight 20 pipe 3 mask src-ip 0x000000ff
  ipfw pipe 3 config bw 256Kbit/s
  
From my own website, this should work:

pipe 1 config mask dst-ip 0x000000ff bw 256Kbit/s
pipe 2 config mask src-ip 0x000000ff bw  32Kbit/s
add 10310 pipe 1 ip from any to any in
add 10320 pipe 2 ip from any to any out

  net.inet.ip.fw.one_pass: 0

Depending on this value packets are allowed by the pipe rules or passed
to the next rule.

  65100 queue 1 gre from any to 172.16.0.0/24
  65200 queue 2 gre from 172.16.0.0/24 to any
  
  00002:   1.500 Mbit/s    0 ms   50 sl. 0 queues (1 buckets) droptail
  mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
  00003: 256.000 Kbit/s    0 ms   50 sl. 0 queues (1 buckets) droptail
  mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
  q00001: weight 5 pipe 2   50 sl. 0 queues (64 buckets) droptail
  mask: 0x00 0x00000000/0x0000 -> 0x000000ff/0x0000
  q00002: weight 20 pipe 3   50 sl. 0 queues (64 buckets) droptail
  mask: 0x00 0x000000ff/0x0000 -> 0x00000000/0x0000
  
  It seems to have no effect on network. What I'm missing?
  (replacing gre-protocol with ip doesn't help)
  
 here is an example from my ftp server...
 
 ipfw add 200 pipe 2 tcp from me to any out gid ftpusersBWL
 ipfw pipe config 2 bw 16KBps queue 100
 
 
 this will pipe any thing from that gid into pipe 2... and pipe 2 is bw
 limited at 16KBps... the only dif is that you will have to change the
 packet matching setup...
 
That only works if a user has an account and uses that to log in to
something. It's not something that can be used for the more general setup.

-- 
Alex

Articles based on solutions that I use:
http://www.kruijff.org/alex/index.php?dir=docs/FreeBSD/


Re: background process limit?

2004-02-14 Thread Alex de Kruijff
On Sat, Feb 14, 2004 at 08:11:59PM +0100, Hugo (6s-gaming.com) wrote:
 Hi list,
 
 Is there a way to limit background processes ? I need to separate these
 from foreground processes, but can't find a way to. Any ideas?
 
 Thanks in advance.

Dear Hugo,

As an addition to what others already have said: you might wanna check
out the commands nice and idprio. These can give your background
processes less weight.

-- 
Alex

Articles based on solutions that I use:
http://www.kruijff.org/alex/index.php?dir=docs/FreeBSD/


Re: domain and email problems

2004-02-14 Thread Alex de Kruijff
On Sat, Feb 14, 2004 at 03:39:13PM -0700, RYAN vAN GINNEIKEN wrote:
 Just wondering why when i send email to yahoo or lycos and probably 
 hotmail too it always ends up in there bulk mail folder.  This is a 
 great inconvenience do i need to be on or off some sort of list or 
 something.  Any help would be appreciated
 
Hi Ryan,

We don't have any information to base some help on. If you'd like us to
help you then you should at the very least include all information on how
your mail system is set up.

If you want to know why yahoo/lycos/hotmail place your emails into
spam mail then you should ask them why this is. There's little we can do
about that. Another good source for help is your own provider. You do
forward your mail, don't you? (See the SMART_HUB option if you use
sendmail)

-- 
Alex

Articles based on solutions that I use:
http://www.kruijff.org/alex/index.php?dir=docs/FreeBSD/


System reboot after shutdown -p

2004-02-14 Thread Alex de Kruijff
Howdy,

I have a problem with powering down my system. When I give the command
shutdown -p now then the system powers down, waits a couple of seconds
and then reboots. I've checked the BIOS but can't find anything wrong
with it. 

I was wondering if there is anything I can do to fix this? I did look in the BIOS
but couldn't find anything. Or is there something not yet implemented in
the ACPI driver of FreeBSD? I also googled but didn't find anything.

# uname -a
FreeBSD alex.lan 5.2-RELEASE-p2 FreeBSD 5.2-RELEASE-p2 #1: Wed Feb 11
09:43:00 CET 2004 [EMAIL PROTECTED]:/temp/obj/usr/src/sys/I686  i386

# dmesg
Preloaded elf kernel /boot/kernel/kernel at 0xc0a78000.
Preloaded elf module /boot/kernel/acpi.ko at 0xc0a781f4.
Timecounter i8254 frequency 1193182 Hz quality 0
CPU: Intel(R) Pentium(R) 4 CPU 2.60GHz (2605.92-MHz 686-class CPU)
  Origin = GenuineIntel  Id = 0xf29  Stepping = 9
  Features=0xbfebfbffFPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,C
MOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE
  Hyperthreading: 2 logical CPUs
real memory  = 536805376 (511 MB)
avail memory = 511766528 (488 MB)
ACPI APIC Table: IntelR AWRDACPI
FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
 cpu0 (BSP): APIC ID:  0
 cpu1 (AP): APIC ID:  1
ioapic0: Changing APIC ID to 2
ioapic0 Version 2.0 irqs 0-23 on motherboard
Pentium Pro MTRR support enabled
npx0: [FAST]
npx0: math processor on motherboard
npx0: INT 16 interface
acpi0: IntelR AWRDACPI on motherboard
pcibios: BIOS version 2.10
Using $PIR table, 11 entries at 0xc00fde90
acpi0: Power Button (fixed)
Timecounter ACPI-fast frequency 3579545 Hz quality 1000
acpi_timer0: 24-bit timer at 3.579545MHz port 0x408-0x40b on acpi0
acpi_cpu0: CPU port 0x530-0x537 on acpi0
acpi_cpu1: CPU port 0x530-0x537 on acpi0
acpi_tz0: Thermal Zone port 0x530-0x537 on acpi0
acpi_button0: Power Button on acpi0
pcib0: ACPI Host-PCI bridge port 0xcf8-0xcff on acpi0
pci0: ACPI PCI bus on pcib0
agp0: Intel 82865 host to AGP bridge mem 0xe800-0xefff at
device 0.0 o
n pci0
pcib1: PCI-PCI bridge at device 1.0 on pci0
pci1: PCI bus on pcib1
pcib1: slot 0 INTA is routed to irq 16
pci1: display, VGA at device 0.0 (no driver attached)
uhci0: Intel 82801EB (ICH5) USB controller USB-A port 0xac00-0xac1f
irq 16 at 
device 29.0 on pci0
usb0: Intel 82801EB (ICH5) USB controller USB-A on uhci0
usb0: USB revision 1.0
uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1: Intel 82801EB (ICH5) USB controller USB-B port 0xa000-0xa01f
irq 19 at 
device 29.1 on pci0
usb1: Intel 82801EB (ICH5) USB controller USB-B on uhci1
usb1: USB revision 1.0
uhub1: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2: Intel 82801EB (ICH5) USB controller USB-C port 0xa400-0xa41f
irq 18 at 
device 29.2 on pci0
usb2: Intel 82801EB (ICH5) USB controller USB-C on uhci2
usb2: USB revision 1.0
uhub2: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
uhci3: Intel 82801EB (ICH5) USB controller USB-D port 0xa800-0xa81f
irq 16 at 
device 29.3 on pci0
usb3: Intel 82801EB (ICH5) USB controller USB-D on uhci3
usb3: USB revision 1.0
uhub3: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub3: 2 ports with 2 removable, self powered
pci0: serial bus, USB at device 29.7 (no driver attached)
pcib2: ACPI PCI-PCI bridge at device 30.0 on pci0
pci2: ACPI PCI bus on pcib2
xl0: 3Com 3c905C-TX Fast Etherlink XL port 0x9000-0x907f mem
0xfb00-0xfb00
007f irq 20 at device 0.0 on pci2
xl0: Ethernet address: 00:0a:48:0b:0d:9d
xl0: no PHY found!
device_probe_and_attach: xl0 attach returned 6
xl0: 3Com 3c905C-TX Fast Etherlink XL port 0x9400-0x947f mem
0xfb001000-0xfb00
107f irq 19 at device 5.0 on pci2
xl0: Ethernet address: 00:01:02:dc:30:b3
miibus0: MII bus on xl0
xlphy0: 3c905C 10/100 internal PHY on miibus0
xlphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
isab0: PCI-ISA bridge at device 31.0 on pci0
isa0: ISA bus on isab0
atapci0: Intel ICH5 UDMA100 controller port
0xf000-0xf00f,0-0x3,0-0x7,0-0x3,0-
0x7 at device 31.1 on pci0
ata0: at 0x1f0 irq 14 on atapci0
ata0: [MPSAFE]
ata1: at 0x170 irq 15 on atapci0
ata1: [MPSAFE]
pci0: serial bus, SMBus at device 31.3 (no driver attached)
pcm0: Intel ICH5 (82801EB) port 0xb800-0xb83f,0xb400-0xb4ff mem
0xfc002000-0xf
c0020ff,0xfc001000-0xfc0011ff irq 17 at device 31.5 on pci0
pcm0: Avance Logic ALC655 AC97 Codec
fdc0: Enhanced floppy controller (i82077, NE72065 or clone) port
0x3f7,0x3f0-0
x3f5 irq 6 drq 2 on acpi0
fdc0: FIFO enabled, 8 bytes threshold
fd0: 1440-KB 3.5 drive on fdc0 drive 0
sio0 port 0x3f8-0x3ff irq 4 on acpi0
sio0: type 16550A
ppc0 port 0x778-0x77b,0x378-0x37f irq 7 drq 3 on acpi0
ppc0: SMC-like chipset (ECP/EPP/PS2/NIBBLE) in COMPATIBLE mode
ppc0: FIFO with 16/16/9 bytes threshold
ppbus0: Parallel port bus on ppc0
plip0: PLIP network interface on ppbus0
lpt0: Printer on ppbus0
lpt0: 

RE: continued IPFW issues... (actually a lack of ability on my part)

2004-02-14 Thread Eric F Crist
-Original Message-
From: Jez Hancock [mailto:[EMAIL PROTECTED] On Behalf Of Jez Hancock
Sent: Saturday, February 14, 2004 5:36 PM
To: Eric F Crist
Cc: FreeBSD questions List
Subject: Re: continued IPFW issues... (actually a lack of ability on my
part)


On Sat, Feb 14, 2004 at 03:27:35PM -0600, Eric F Crist wrote:
 I'm still having some sort of issues with ipfw rules on my server.
 I've got a
 cgi based irc client installed, and I can't connect.  Also, it seems
as if my
 DNS server isn't able to send queries out.  An ipfw show displays the
 following for me:

 00050 54632 4640473 allow ip from me to any
 00100 0   0 allow ip from any to any via lo0
 00200 0   0 deny ip from any to 127.0.0.0/8
 00300 0   0 deny ip from 127.0.0.0/8 to any
 00400  4027  351563 allow ip from 63.228.14.240/29 to me
 00500 2  80 allow ip from any to me dst-port 22
 00600 2  80 allow ip from any to me dst-port 21
 00700   388   25405 allow ip from any to me dst-port 25
 00800584944 allow ip from any to me dst-port 80
 00900 2  80 allow ip from any to me dst-port 443
 01000 2  80 allow ip from any to me dst-port 110
 01100544247 allow ip from any to me dst-port 53
 01200 2  80 allow ip from any to me dst-port 6667
 01300 2  80 allow ip from any to me dst-port 6668
 01400 4 160 deny ip from not 63.228.14.240/29 to me dst-port
8080
 65535 46432 7224466 deny ip from any to any

 Where is all that denied traffic coming from on the final rule?

You are only allowing traffic in and not out - as Matthew Seaman
mentioned in the last post in your previous thread, you should use
'keep-state' to keep track of the connections made to you.  See the
examples he provided in that thread.

From the manpage for ipfw:

 check-state
 Checks the packet against the dynamic ruleset.  If a match is
 found, execute the action associated with the rule which generated
 this dynamic rule, otherwise move to the next rule.
 Check-state rules do not have a body.  If no check-state rule is
 found, the dynamic ruleset is checked at the first keep-state or
 limit rule.

...

 keep-state
 Upon a match, the firewall will create a dynamic rule, whose
 default behaviour is to match bidirectional traffic between
 source and destination IP/port using the same protocol.  The rule
 has a limited lifetime (controlled by a set of sysctl(8) variables),
 and the lifetime is refreshed every time a matching packet is found.

When a connection is made to port 80 from an external host, with the
'keep-state' flag set on your rule for port 80 data transfer will be
allowed in both directions to/from the external host to/from you on port
80 for a limited period.  The check-state rule effectively 'shortcuts'
the rest of the rules in the ruleset if a match is made for the external
host for the given action (inbound connections to port 80 in this case).

You'd need to do the same for each of the other ports you want to allow
free connections to/from.

Wouldn't my first rule:

ipfw allow ip from me to any

have fixed this problem?

---
Eric F Crist
President
AdTech Integrated Systems, Inc
(612) 998-3588







Re: continued IPFW issues... (actually a lack of ability on my part)

2004-02-14 Thread Jez Hancock
On Sat, Feb 14, 2004 at 05:59:14PM -0600, Eric F Crist wrote:
 On Sat, Feb 14, 2004 at 03:27:35PM -0600, Eric F Crist wrote:
  I'm still having some sort of issues with ipfw rules on my server.
  I've got a
  cgi based irc client installed, and I can't connect.  Also, it seems
 as if my
  DNS server isn't able to send queries out.  An ipfw show displays the
  following for me:
 
  00050 54632 4640473 allow ip from me to any
  00100 0   0 allow ip from any to any via lo0
  00200 0   0 deny ip from any to 127.0.0.0/8
  00300 0   0 deny ip from 127.0.0.0/8 to any
  00400  4027  351563 allow ip from 63.228.14.240/29 to me
  00500 2  80 allow ip from any to me dst-port 22
  00600 2  80 allow ip from any to me dst-port 21
  00700   388   25405 allow ip from any to me dst-port 25
  00800584944 allow ip from any to me dst-port 80
  00900 2  80 allow ip from any to me dst-port 443
  01000 2  80 allow ip from any to me dst-port 110
  01100544247 allow ip from any to me dst-port 53
  01200 2  80 allow ip from any to me dst-port 6667
  01300 2  80 allow ip from any to me dst-port 6668
  01400 4 160 deny ip from not 63.228.14.240/29 to me dst-port
 8080
  65535 46432 7224466 deny ip from any to any
 
  Where is all that denied traffic coming from on the final rule?
 
 You are only allowing traffic in and not out - as Matthew Seaman
 mentioned in the last post in your previous thread, you should use
 'keep-state' to keep track of the connections made to you.  See the
 examples he provided in that thread.
 
 From the manpage for ipfw:
 
  check-state
  Checks the packet against the dynamic ruleset.  If a match is
  found, execute the action associated with the rule which generated
  this dynamic rule, otherwise move to the next rule.
  Check-state rules do not have a body.  If no check-state rule is
  found, the dynamic ruleset is checked at the first keep-state or
  limit rule.
 
 ...
 
  keep-state
  Upon a match, the firewall will create a dynamic rule, whose
  default behaviour is to match bidirectional traffic between
  source and destination IP/port using the same protocol.  The rule
  has a limited lifetime (controlled by a set of sysctl(8) variables),
  and the lifetime is refreshed every time a matching packet is found.
 
 When a connection is made to port 80 from an external host, with the
 'keep-state' flag set on your rule for port 80 data transfer will be
 allowed in both directions to/from the external host to/from you on port
 80 for a limited period.  The check-state rule effectively 'shortcuts'
 the rest of the rules in the ruleset if a match is made for the external
 host for the given action (inbound connections to port 80 in this case).
 
 You'd need to do the same for each of the other ports you want to allow
 free connections to/from.
 
 Wouldn't my first rule:
 
 ipfw allow ip from me to any
 
 have fixed this problem?

Sorry I missed that rule :(  How about adding a log keyword to that last
deny rule temporarily just to see what exactly is being denied?

-- 
Jez Hancock
 - System Administrator / PHP Developer

http://munk.nu/
http://jez.hancock-family.com/  - Another FreeBSD Diary
http://ipfwstats.sf.net/- ipfw peruser traffic logging


Re: Allowing Anonymous FTP

2004-02-14 Thread Malcolm Kay
On Sun, 15 Feb 2004 08:29, GRF . wrote:
I wanted to see how the anonymous FTP option worked on FreeBSD so I
 enabled it on my test box.  I haven't been able to find out much info
 about locking down to a default directory.  Is there a way to lets say
 block all directories when logging in and open right up to the /incoming
 directory?  It doesn't seem smart to have the /etc directory visible with
 the group and passwd file readable.  At the very least is there a way
 to make the /bin and /etc directory hidden?  Thanks

Have you read the ftpd man page?
Anonymous ftp with a normal setup does not allow access to the system /etc
directory. On anonymous login to ftp you are effectively chroot'ed to the
ftp home directory and can only see or operate on files in the tree down from 
that point. From within ftp that home directory (/home/ftp/) appears as 
the directory /.

If you want ftp users to see user and group names from 'ls' rather than
numerical identities then you'll need a subdirectory under the ftp home directory
called etc and containing a copy of the system /etc/group file and /etc/pwd.db.
The password data base pwd.db does not contain passwords coded or 
otherwise so this is fairly safe. I guess you could also consider constructing
special versions of these files for use in /home/ftp/etc containing only the names
you want visible under 'ls' to ftp users.

You might also need /home/ftp/bin containing a copy of ls to be called when
command ls or dir is given in the ftp client.

Malcolm Kay

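An added example that builds the tree Malcolm describes (it is not code from his reply or from ftpd): the ftp home with etc, bin, pub and incoming, where etc holds a trimmed group file and a one-line passwd for the ftp account instead of copies of the system files, so "ls" can resolve the names you choose and nothing else is exposed. An audit function then checks that no hash-bearing file and no writable entry ended up inside the chroot. FTPROOT, uid/gid 14 for the ftp account, the visible group list, the use of pwd_mkdb -d to build pwd.db, and mode 1733 for incoming are assumptions to adjust for your box.

```shell
#!/bin/sh
# Added example (not from Malcolm's reply): build the anonymous-ftp chroot
# tree as described above, but with trimmed etc files instead of copies of
# the system ones, so "ls" can show the few names you want and nothing
# else. FTPROOT, the ftp account's uid/gid, the visible group list and the
# incoming-directory mode are assumptions; adjust them for your box.
FTPROOT="${FTPROOT:-/home/ftp}"
FTP_USER="${FTP_USER:-ftp}"
FTP_UID="${FTP_UID:-14}"
FTP_GID="${FTP_GID:-14}"
VISIBLE_GROUPS="${VISIBLE_GROUPS:-wheel ftp}"

# Print the group(5) lines for VISIBLE_GROUPS only, with the password field
# forced to "*" and the member list blanked, so no other names leak.
trim_group() {                     # $1 = group file to read
    for g in $VISIBLE_GROUPS; do
        grep "^${g}:" "$1" | awk -F: 'BEGIN { OFS=":" } { print $1, "*", $3, "" }'
    done
}

build_ftp_tree() {                 # $1 = system group file (default /etc/group)
    src_group="${1:-/etc/group}"
    umask 022
    mkdir -p "$FTPROOT/etc" "$FTPROOT/bin" "$FTPROOT/pub" "$FTPROOT/incoming"

    # etc: trimmed group file and an entry for the ftp account only, with "*"
    # where a hash would be. On FreeBSD, pwd_mkdb -d builds pwd.db from it in
    # that directory (assumed available); spwd.db and master.passwd go away.
    trim_group "$src_group" > "$FTPROOT/etc/group"
    printf '%s:*:%s:%s::0:0:Anonymous FTP:/:/usr/sbin/nologin\n' \
        "$FTP_USER" "$FTP_UID" "$FTP_GID" > "$FTPROOT/etc/master.passwd.tmp"
    printf '%s:*:%s:%s:Anonymous FTP:/:/usr/sbin/nologin\n' \
        "$FTP_USER" "$FTP_UID" "$FTP_GID" > "$FTPROOT/etc/passwd"
    if command -v pwd_mkdb >/dev/null 2>&1; then
        pwd_mkdb -d "$FTPROOT/etc" "$FTPROOT/etc/master.passwd.tmp"
        rm -f "$FTPROOT/etc/spwd.db" "$FTPROOT/etc/master.passwd"
    fi
    rm -f "$FTPROOT/etc/master.passwd.tmp"

    # bin: a copy of ls, only useful if your ftpd still calls an external one.
    if [ -x /bin/ls ]; then
        cp /bin/ls "$FTPROOT/bin/ls" && chmod 111 "$FTPROOT/bin/ls"
    fi

    # Nothing the anonymous user can modify except the drop box, which is
    # writable but neither readable nor listable (assumed policy).
    chmod 555 "$FTPROOT" "$FTPROOT/etc" "$FTPROOT/bin" "$FTPROOT/pub"
    chmod 444 "$FTPROOT"/etc/*
    chmod 1733 "$FTPROOT/incoming"
    if [ "$(id -u)" -eq 0 ]; then
        chown -R root "$FTPROOT"   # root-owned tree; only possible as root
    fi
}

# Sanity check of the finished tree: prints each problem, returns 1 if any.
audit_ftp_tree() {
    bad=0
    for f in master.passwd spwd.db master.passwd.tmp; do
        if [ -e "$FTPROOT/etc/$f" ]; then
            echo "hash-bearing file inside chroot: etc/$f"; bad=1
        fi
    done
    # World-writable entries anywhere except the drop box itself.
    n=$(find "$FTPROOT" -path "$FTPROOT/incoming" -prune -o -perm -002 -print | wc -l | tr -d ' ')
    if [ "$n" -ne 0 ]; then
        echo "$n world-writable entries outside incoming"; bad=1
    fi
    # The drop box must not be readable: uploads should be neither listable
    # nor retrievable by the next anonymous client.
    if [ "$(ls -ld "$FTPROOT/incoming" | cut -c8)" != "-" ]; then
        echo "incoming is world-readable"; bad=1
    fi
    return $bad
}
```

Run build_ftp_tree as root on the box itself (it then also sets root ownership), and run audit_ftp_tree again whenever the tree is touched; a non-empty report means the anonymous account can see or change more than intended.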


Re: continued IPFW issues... (actually a lack of ability on my part)

2004-02-14 Thread Eric F Crist
On Saturday 14 February 2004 06:59 pm, Jez Hancock wrote:
 On Sat, Feb 14, 2004 at 05:59:14PM -0600, Eric F Crist wrote:
  On Sat, Feb 14, 2004 at 03:27:35PM -0600, Eric F Crist wrote:
   I'm still having some sort of issues with ipfw rules on my server.
   I've got a
   cgi based irc client installed, and I can't connect.  Also, it seems
 
  as if my
 
   DNS server isn't able to send queries out.  An ipfw show displays the
   following for me:
  
   00050 54632 4640473 allow ip from me to any
   00100 0   0 allow ip from any to any via lo0
   00200 0   0 deny ip from any to 127.0.0.0/8
   00300 0   0 deny ip from 127.0.0.0/8 to any
   00400  4027  351563 allow ip from 63.228.14.240/29 to me
   00500 2  80 allow ip from any to me dst-port 22
   00600 2  80 allow ip from any to me dst-port 21
   00700   388   25405 allow ip from any to me dst-port 25
   00800584944 allow ip from any to me dst-port 80
   00900 2  80 allow ip from any to me dst-port 443
   01000 2  80 allow ip from any to me dst-port 110
   01100544247 allow ip from any to me dst-port 53
   01200 2  80 allow ip from any to me dst-port 6667
   01300 2  80 allow ip from any to me dst-port 6668
   01400 4 160 deny ip from not 63.228.14.240/29 to me dst-port
 
  8080
 
   65535 46432 7224466 deny ip from any to any
  
   Where is all that denied traffic coming from on the final rule?
 
  You are only allowing traffic in and not out - as Matthew Seaman
  mentioned in the last post in your previous thread, you should use
  'keep-state' to keep track of the connections made to you.  See the
  examples he provided in that thread.
 
  From the manpage for ipfw:
 
   check-state
   Checks the packet against the dynamic ruleset.  If a match is
   found, execute the action associated with the rule which generated
   this dynamic rule, otherwise move to the next rule.
   Check-state rules do not have a body.  If no check-state rule is
   found, the dynamic ruleset is checked at the first keep-state or
   limit rule.
  
  ...
  
   keep-state
   Upon a match, the firewall will create a dynamic rule, whose
   default behaviour is to match bidirectional traffic between
   source and destination IP/port using the same protocol.  The rule
   has a limited lifetime (controlled by a set of sysctl(8) variables),
   and the lifetime is refreshed every time a matching packet is found.
 
  When a connection is made to port 80 from an external host, with the
  'keep-state' flag set on your rule for port 80 data transfer will be
  allowed in both directions to/from the external host to/from you on port
  80 for a limited period.  The check-state rule effectively 'shortcuts'
  the rest of the rules in the ruleset if a match is made for the external
  host for the given action (inbound connections to port 80 in this case).
 
  You'd need to do the same for each of the other ports you want to allow
  free connections to/from.
 
  Wouldn't my first rule:
 
  ipfw allow ip from me to any
 
  have fixed this problem?

 Sorry I missed that rule :(  How about adding a log keyword to that last
 deny rule temporarily just to see what exactly is being denied?

Maybe I'm missing something somewhere, but I can't find anything about log in 
the man page.  I tried:

ipfw add 65534 add deny ip from any to any log and got this error:

ipfw: unrecognised option [-1] log

Thanks.

-- 
Eric F Crist
AdTech Integrated Systems, Inc
(612) 998-3588




Re: continued IPFW issues... (actually a lack of ability on my part)

2004-02-14 Thread Erik Trulsson
On Sat, Feb 14, 2004 at 07:42:28PM -0600, Eric F Crist wrote:
 On Saturday 14 February 2004 06:59 pm, Jez Hancock wrote:
  On Sat, Feb 14, 2004 at 05:59:14PM -0600, Eric F Crist wrote:
   On Sat, Feb 14, 2004 at 03:27:35PM -0600, Eric F Crist wrote:
I'm still having some sort of issues with ipfw rules on my server.
I've got a
cgi based irc client installed, and I can't connect.  Also, it seems
  
   as if my
  
DNS server isn't able to send queries out.  An ipfw show displays the
following for me:
   
00050 54632 4640473 allow ip from me to any
00100 0   0 allow ip from any to any via lo0
00200 0   0 deny ip from any to 127.0.0.0/8
00300 0   0 deny ip from 127.0.0.0/8 to any
00400  4027  351563 allow ip from 63.228.14.240/29 to me
00500 2  80 allow ip from any to me dst-port 22
00600 2  80 allow ip from any to me dst-port 21
00700   388   25405 allow ip from any to me dst-port 25
00800584944 allow ip from any to me dst-port 80
00900 2  80 allow ip from any to me dst-port 443
01000 2  80 allow ip from any to me dst-port 110
01100544247 allow ip from any to me dst-port 53
01200 2  80 allow ip from any to me dst-port 6667
01300 2  80 allow ip from any to me dst-port 6668
01400 4 160 deny ip from not 63.228.14.240/29 to me dst-port
  
   8080
  
65535 46432 7224466 deny ip from any to any
   
Where is all that denied traffic coming from on the final rule?
  
   You are only allowing traffic in and not out - as Matthew Seaman
   mentioned in the last post in your previous thread, you should use
   'keep-state' to keep track of the connections made to you.  See the
   examples he provided in that thread.
  
   From the manpage for ipfw:
  
    check-state
    Checks the packet against the dynamic ruleset.  If a match is
    found, execute the action associated with the rule which generated
    this dynamic rule, otherwise move to the next rule.
    Check-state rules do not have a body.  If no check-state rule is
    found, the dynamic ruleset is checked at the first keep-state or
    limit rule.
   
   ...
   
    keep-state
    Upon a match, the firewall will create a dynamic rule, whose
    default behaviour is to match bidirectional traffic between
    source and destination IP/port using the same protocol.  The rule
    has a limited lifetime (controlled by a set of sysctl(8) variables),
    and the lifetime is refreshed every time a matching packet is found.
  
   When a connection is made to port 80 from an external host, with the
   'keep-state' flag set on your rule for port 80 data transfer will be
   allowed in both directions to/from the external host to/from you on port
   80 for a limited period.  The check-state rule effectively 'shortcuts'
   the rest of the rules in the ruleset if a match is made for the external
   host for the given action (inbound connections to port 80 in this case).
  
   You'd need to do the same for each of the other ports you want to allow
   free connections to/from.
  
   Wouldn't my first rule:
  
   ipfw allow ip from me to any
  
   have fixed this problem?
 
  Sorry I missed that rule :(  How about adding a log keyword to that last
  deny rule temporarily just to see what exactly is being denied?
 
 Maybe I'm missing something somewhere, but I can't find anything about log in 
 the man page.  I tried:

Then you need to read the man page more carefully, because it is there.
Look for the section titled RULE FORMAT.


 ipfw add 65534 add deny ip from any to any log and got this error:

Try

ipfw add 65534 deny log ip from any to any

instead, and it ought to work better.

 
 ipfw: unrecognised option [-1] log
 
 Thanks.
 
 -- 
 Eric F Crist
 AdTech Integrated Systems, Inc
 (612) 998-3588



-- 
Insert your favourite quote here.
Erik Trulsson
[EMAIL PROTECTED]
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: Branch Tags vs Release Tags

2004-02-14 Thread Lowell Gilbert
Bob Perry [EMAIL PROTECTED] writes:

 Edmund Craske wrote:

 No problem, in fact it would make little sense not to use this branch.

 I guess that's what's so confusing.  Who would benefit from using
 RELENG_4_9_0_RELEASE?

Look at it this way.  

If someone installed the 4.9 release, from a set of disks they bought
in a store, and then they had a question about it, I might want to
help them figure out their problem.  Because there is a
RELENG_4_9_0_RELEASE tag, I can look at the files that produced their
release.  It makes no sense that anyone would download those files to
install from, but some people can actually read the source files.


Re: continued IPFW issues... (actually a lack of ability on my part)

2004-02-14 Thread Eric F Crist
My bad, I found the log entry after your prodding.  After enabling logging in 
the ruleset and enabling the sysctl variable, I get the following output in a 
tail /var/log/security:

Feb 14 19:59:44 grog kernel: ipfw: 65534 Deny UDP 192.168.0.1:51598 255.255.255.255:61112 in via dc0
Feb 14 19:59:45 grog kernel: ipfw: 65534 Deny UDP 204.147.80.1:53 63.228.14.241:49152 in via dc0
Feb 14 19:59:46 grog kernel: ipfw: 65534 Deny UDP 204.127.202.4:53 63.228.14.241:49152 in via dc0
Feb 14 19:59:50 grog kernel: ipfw: 65534 Deny UDP 192.168.0.1:51599 255.255.255.255:61112 in via dc0
Feb 14 19:59:55 grog kernel: ipfw: 65534 Deny UDP 204.127.202.4:53 63.228.14.241:49152 in via dc0
Feb 14 19:59:56 grog kernel: ipfw: 65534 Deny UDP 192.168.0.1:51600 255.255.255.255:61112 in via dc0
Feb 14 19:59:59 grog kernel: ipfw: 65534 Deny UDP 204.147.80.5:53 63.228.14.241:49152 in via dc0
Feb 14 20:00:02 grog kernel: ipfw: 65534 Deny UDP 204.147.80.5:53 63.228.14.241:49152 in via dc0
Feb 14 20:00:02 grog kernel: ipfw: 65534 Deny UDP 192.168.0.1:51601 255.255.255.255:61112 in via dc0
Feb 14 20:00:03 grog kernel: ipfw: 65534 Deny UDP 204.147.80.1:53 63.228.14.241:49152 in via dc0

I would assume I need to enable a rule such as:

ipfw add allow udp from any to me 53

Is this correct?  TIA

-- 
Eric F Crist
AdTech Integrated Systems, Inc
(612) 998-3588




Re: continued IPFW issues... (actually a lack of ability on my part)

2004-02-14 Thread Erik Trulsson
On Sat, Feb 14, 2004 at 08:01:07PM -0600, Eric F Crist wrote:
 My bad, I found the log entry after your prodding.  After enabling logging in 
 the ruleset and enabling the sysctl variable, I get the following output in a 
 tail /var/log/security:
 
 Feb 14 19:59:44 grog kernel: ipfw: 65534 Deny UDP 192.168.0.1:51598 255.255.255.255:61112 in via dc0
 Feb 14 19:59:45 grog kernel: ipfw: 65534 Deny UDP 204.147.80.1:53 63.228.14.241:49152 in via dc0
 Feb 14 19:59:46 grog kernel: ipfw: 65534 Deny UDP 204.127.202.4:53 63.228.14.241:49152 in via dc0
 Feb 14 19:59:50 grog kernel: ipfw: 65534 Deny UDP 192.168.0.1:51599 255.255.255.255:61112 in via dc0
 Feb 14 19:59:55 grog kernel: ipfw: 65534 Deny UDP 204.127.202.4:53 63.228.14.241:49152 in via dc0
 Feb 14 19:59:56 grog kernel: ipfw: 65534 Deny UDP 192.168.0.1:51600 255.255.255.255:61112 in via dc0
 Feb 14 19:59:59 grog kernel: ipfw: 65534 Deny UDP 204.147.80.5:53 63.228.14.241:49152 in via dc0
 Feb 14 20:00:02 grog kernel: ipfw: 65534 Deny UDP 204.147.80.5:53 63.228.14.241:49152 in via dc0
 Feb 14 20:00:02 grog kernel: ipfw: 65534 Deny UDP 192.168.0.1:51601 255.255.255.255:61112 in via dc0
 Feb 14 20:00:03 grog kernel: ipfw: 65534 Deny UDP 204.147.80.1:53 63.228.14.241:49152 in via dc0
 
 I would assume I need to enable a rule such as:
 
 ipfw add allow udp from any to me 53
 
 Is this correct?  TIA


I don't think so.
The entries of the form 'Deny UDP 204.147.80.1:53 63.228.14.241:49152
in via dc0' would appear to be replies to your DNS queries.
They go to the port from which the DNS query was sent (49152 in this
case).

You need to make sure that you allow replies to connections you
initiate to get through.

Take a look at the check-state/established/keepstate stuff people have
repeatedly told you to use. They are probably what you want.



-- 
Insert your favourite quote here.
Erik Trulsson
[EMAIL PROTECTED]


Re: continued IPFW issues... (actually a lack of ability on my part)

2004-02-14 Thread Eric F Crist
On Saturday 14 February 2004 08:09 pm, Erik Trulsson wrote:
 On Sat, Feb 14, 2004 at 08:01:07PM -0600, Eric F Crist wrote:
  My bad, I found the log entry after your prodding.  After enabling
  logging in the ruleset and enabling the sysctl variable, I get the
  following output in a tail /var/log/security:
 
  Feb 14 19:59:44 grog kernel: ipfw: 65534 Deny UDP 192.168.0.1:51598 255.255.255.255:61112 in via dc0
  Feb 14 19:59:45 grog kernel: ipfw: 65534 Deny UDP 204.147.80.1:53 63.228.14.241:49152 in via dc0
  Feb 14 19:59:46 grog kernel: ipfw: 65534 Deny UDP 204.127.202.4:53 63.228.14.241:49152 in via dc0
  Feb 14 19:59:50 grog kernel: ipfw: 65534 Deny UDP 192.168.0.1:51599 255.255.255.255:61112 in via dc0
  Feb 14 19:59:55 grog kernel: ipfw: 65534 Deny UDP 204.127.202.4:53 63.228.14.241:49152 in via dc0
  Feb 14 19:59:56 grog kernel: ipfw: 65534 Deny UDP 192.168.0.1:51600 255.255.255.255:61112 in via dc0
  Feb 14 19:59:59 grog kernel: ipfw: 65534 Deny UDP 204.147.80.5:53 63.228.14.241:49152 in via dc0
  Feb 14 20:00:02 grog kernel: ipfw: 65534 Deny UDP 204.147.80.5:53 63.228.14.241:49152 in via dc0
  Feb 14 20:00:02 grog kernel: ipfw: 65534 Deny UDP 192.168.0.1:51601 255.255.255.255:61112 in via dc0
  Feb 14 20:00:03 grog kernel: ipfw: 65534 Deny UDP 204.147.80.1:53 63.228.14.241:49152 in via dc0
 
  I would assume I need to enable a rule such as:
 
  ipfw add allow udp from any to me 53
 
  Is this correct?  TIA

 I don't think so.
 The entries of the form 'Deny UDP 204.147.80.1:53 63.228.14.241:49152
 in via dc0' would appear to be replies to your DNS queries.
 They go to the port from which the DNS query was sent (49152 in this
 case).

 You need to make sure that you allow replies to connections you
 initiate to get through.

 Take a look at the check-state/established/keepstate stuff people have
 repeatedly told you to use. They are probably what you want.

Well, from what I understand, isn't udp a state-less protocol?  How would 
established/keepstate/check-state work with that?



-- 
Eric F Crist
AdTech Integrated Systems, Inc
(612) 998-3588




Re: continued IPFW issues... (actually a lack of ability on my part)

2004-02-14 Thread Eric F Crist
On Saturday 14 February 2004 08:14 pm, Eric F Crist wrote:
 Well, from what I understand, isn't udp a state-less protocol?  How would
 established/keepstate/check-state work with that?

Ok, so I read that check-state/keep-state should be able to work with udp.  
According to the man page, I should add:

ipfw add check-state
ipfw add allow udp from my-subnet to any keep-state
ipfw add deny udp from any to any

my-subnet was changed to my /29 network address (i.e. 1.2.3.4/29).  Still, the 
rule following all of these is ipfw add allow udp from any to any and it's 
getting all the packets.  I'm still reading, but the check-state isn't making 
sense to me.

TIA
-- 
Eric F Crist
AdTech Integrated Systems, Inc
(612) 998-3588
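The three points made above, the keep-state/check-state explanation quoted from ipfw(8), Erik's observation that the denied packets are replies to Eric's own DNS queries, and Eric's check-state/keep-state attempt, can be seen together in a toy model. The following Python script is an added example and is not code from this thread or from FreeBSD's ipfw: it parses two of the posted 'Deny UDP' log lines and replays them, together with the outbound query that must have preceded the logged reply, through a simplified reconstruction of the ruleset with and without state. The addresses 63.228.14.241 and 63.228.14.240/29 come from the thread; the query packet and the exact rule lists are assumptions.

```python
"""Toy model of ipfw's first-match walk with check-state / keep-state.

Added example, not code from the thread or from FreeBSD's ipfw. Replays
two posted 'Deny UDP' lines plus a constructed outbound DNS query through
a reconstructed stateless ruleset and a stateful variant. Addresses are
from the thread; the query packet and the rule lists are assumptions.
"""
import ipaddress
import re
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

LOG_RE = re.compile(r"ipfw: \d+ (Allow|Deny) (\w+) ([\d.]+):(\d+) ([\d.]+):(\d+) (in|out) via")
Packet = namedtuple("Packet", "proto src sport dst dport direction")

@dataclass(frozen=True)
class Rule:
    action: str                # "allow", "deny" or "check-state"
    proto: str = "ip"          # "ip" matches every protocol
    src: str = "any"           # "any", "me" or a CIDR
    dst: str = "any"
    dport: Optional[int] = None
    keep_state: bool = False

def parse_log(text):
    """Extract packets from /var/log/security style 'ipfw: ... Deny' lines."""
    return [Packet(m[2].lower(), m[3], int(m[4]), m[5], int(m[6]), m[7])
            for m in LOG_RE.finditer(text)]

class Firewall:
    """First-match rule walk plus a dynamic (stateful) table."""

    def __init__(self, rules, my_addrs):
        self.rules, self.my_addrs, self.dynamic = rules, set(my_addrs), set()

    def _addr_ok(self, spec, addr):
        if spec == "any":
            return True
        if spec == "me":
            return addr in self.my_addrs
        return ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

    def _matches(self, r, p):
        return (r.proto in ("ip", p.proto) and self._addr_ok(r.src, p.src)
                and self._addr_ok(r.dst, p.dst)
                and (r.dport is None or r.dport == p.dport))

    @staticmethod
    def _key(p):
        # Direction-independent, so a reply matches the state its query created.
        return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))

    def evaluate(self, p):
        checked = False
        for r in self.rules:
            # ipfw(8): the dynamic table is consulted at the check-state rule,
            # or, if there is none, at the first keep-state rule.
            if r.action == "check-state" or (r.keep_state and not checked):
                checked = True
                if self._key(p) in self.dynamic:
                    return "allow (dynamic)"
                if r.action == "check-state":
                    continue
            if self._matches(r, p):
                if r.action == "allow" and r.keep_state:
                    self.dynamic.add(self._key(p))
                return r.action
        return "deny (default)"

def replay(rules, packets, my_addrs=("63.228.14.241",)):
    fw = Firewall(rules, my_addrs)
    return [fw.evaluate(p) for p in packets]

# Two of the logged lines, joined onto one line each (taken from the post).
SAMPLE_LOG = """\
Feb 14 19:59:44 grog kernel: ipfw: 65534 Deny UDP 192.168.0.1:51598 255.255.255.255:61112 in via dc0
Feb 14 19:59:45 grog kernel: ipfw: 65534 Deny UDP 204.147.80.1:53 63.228.14.241:49152 in via dc0
"""
# The outbound query was allowed and so never logged; constructed from the reply.
QUERY = Packet("udp", "63.228.14.241", 49152, "204.147.80.1", 53, "out")

# Reconstructed shape of the posted ruleset: outbound open, inbound only to
# listed ports. The reply comes back to ephemeral port 49152, not to 53, so
# neither the dst-port 53 rule nor 'allow udp from any to me 53' matches it.
STATELESS = [Rule("allow", src="me"), Rule("allow", dst="me", dport=53), Rule("deny")]

# Stateful variant in the shape Eric tried: keep-state on the outbound rule
# records the query, check-state lets the matching reply through before deny.
STATEFUL = [Rule("check-state"),
            Rule("allow", proto="udp", src="63.228.14.240/29", keep_state=True),
            Rule("allow", proto="udp", dst="me", dport=53), Rule("deny")]

def demo():
    pkts = [QUERY] + parse_log(SAMPLE_LOG)
    return replay(STATELESS, pkts), replay(STATEFUL, pkts)

if __name__ == "__main__":
    print(demo())   # (['allow', 'deny', 'deny'], ['allow', 'deny', 'allow (dynamic)'])
```

The stateless walk denies the reply for exactly the reason in the log: it arrives on the port the query went out from, so no dst-port rule matches it and it falls to the final deny. The stateful walk allows it from the dynamic table, while the 192.168.0.1 broadcast packet, which nobody on the host asked for, is still denied. This also answers the UDP question: keep-state does not need a handshake, it just remembers the address/port pair of the packet that matched for a limited lifetime (the sysctl-controlled lifetime and the 'limit' keyword are left out of the model).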




APM on 4.9 on a Winbook XL2 laptop

2004-02-14 Thread Sara Trice
I can't get the APM on this to work for anything. I have tried putting:

apm_load=YES

in my /boot/loader.conf file, and the lines:

apm_enable=YES
apmd_enable=YES
in my /etc/rc.conf file.

I run apm -a and it tells me:
apm: can't open /dev/apm: Device not configured
Any ideas?

TIA
Sara T.


Re: APM on 4.9 on a Winbook XL2 laptop

2004-02-14 Thread matthew


On Sat, 14 Feb 2004, Sara Trice wrote:

 I can't get the APM on this to work for anything. I have tried putting:

 apm_load=YES

 in my /boot/loader.conf file, and the lines:

 apm_enable=YES
 apmd_enable=YES

 in my /etc/rc.conf file.

 I run apm -a and it tells me:
 apm: can't open /dev/apm: Device not configured

 Any ideas?


One would make sure that

device apm0 at nexus? disable flags 0x20 # Advanced Power Management

is in their running kernel.

Is APM enabled in your BIOS?

These two answers are the basic ones. Reply back with answer.

m

 TIA
 Sara T.




3,000+ DNS /./ANY/ANY requests - ...resent...

2004-02-14 Thread fbsdq
Sorry about the earlier question, that was more or less just blank 

Hello,
 About a week ago I started noticing 3,000 or more requests coming from  
several ips for the following DNS queries:
XX+/128.255.203.200/./ANY/ANY
XX+/193.201.105.4/./ANY/ANY 

 Those are just two examples, but each IP - I have about 20 of them now -
creates 3,000 or more queries within several minutes.  All the queries are
exactly the same for ./ANY/ANY. Any idea what those queries are, or what
they are trying to do?
 Also, how can I create an 'ipfw' rule to block an IP if XX amount of
connections come in within XX amount of minutes/seconds?  Right now I
manually block them, and yes, those IPs try a day or so later to DNS bomb
(?) my machine.

Thanks 

---Peter---
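The second question, blocking a source after a burst of requests, is not something an ipfw rule expresses on its own; the counting has to happen somewhere else, typically a script reading the name server's query log that then adds the firewall rule. As an added example, not from this thread, here is the counting half in Python, run over constructed log lines in the XX+/client/name/class/type form quoted in the post (the syslog prefix, the threshold of 100 queries in any 60-second window, and the sample addresses are assumptions). A name of '.' with class and type ANY is a root-zone ANY query; the script reports the clients whose rate of such queries exceeds the threshold so they can be reviewed or blocked.

```python
"""Sliding-window query-rate check over BIND-style query log lines.

Added example, not code from the thread. ipfw has no 'block a source
after N hits in T seconds' rule of its own, so the counting is done here
over constructed log lines in the XX+/client/name/class/type form quoted
in the post. Syslog prefix, threshold, window and addresses are assumed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line shape: '<syslog time> <host> named[<pid>]: XX+/client/name/class/type'
LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: XX[+-]/([\d.]+)/([^/]+)/(\w+)/(\w+)$"
)

def parse(line, year=2004):
    """Return (timestamp, client, name, qclass, qtype), or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S")
    return ts, m[2], m[3], m[4], m[5]

def find_floods(lines, threshold=100, window=60, qtype="ANY"):
    """Map client -> peak number of `qtype` queries seen inside any
    `window`-second span, for clients whose peak exceeds `threshold`."""
    recent = defaultdict(deque)   # per-client timestamps still inside the window
    peak = {}
    for line in lines:
        rec = parse(line)
        if rec is None or rec[4] != qtype:
            continue
        ts, client = rec[0], rec[1]
        q = recent[client]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:   # drop timestamps that aged out
            q.popleft()
        if len(q) > threshold:
            peak[client] = max(peak.get(client, 0), len(q))
    return peak

def make_sample():
    """Constructed query log: one client sending 150 root ANY queries in
    75 seconds, plus a few low-rate queries from two other clients."""
    base = datetime(2004, 2, 14, 19, 59, 0)
    fmt = "%b %d %H:%M:%S"
    lines = []
    for i in range(150):
        t = (base + timedelta(seconds=i // 2)).strftime(fmt)
        lines.append(f"{t} ns1 named[123]: XX+/128.255.203.200/./ANY/ANY")
    for i in range(5):
        t = (base + timedelta(seconds=10 * i)).strftime(fmt)
        lines.append(f"{t} ns1 named[123]: XX+/192.0.2.10/www.example.com/IN/A")
        lines.append(f"{t} ns1 named[123]: XX+/198.51.100.7/./ANY/ANY")
    lines.sort()   # timestamps are fixed-width, so string order is time order
    return lines

if __name__ == "__main__":
    print(find_floods(make_sample()))   # {'128.255.203.200': 122}
```

The per-client deque keeps only the timestamps inside the window, so memory stays bounded by the burst size rather than the log size, and the peak value tells you how far over the line a client went. The A-record client is ignored because only the query type under suspicion is counted; the client sending five ANY queries stays under the threshold. What to do with the result (a deny rule, a temporary block with an expiry) is a policy decision for the operator, and the lines emitted by a script like this should be reviewed before anything is added to the firewall.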


Re: Branch Tags vs Release Tags

2004-02-14 Thread Bob Perry
Lowell Gilbert wrote:

Bob Perry [EMAIL PROTECTED] writes:

Edmund Craske wrote:

No problem, in fact it would make little sense not to use this branch.

I guess that's what's so confusing.  Who would benefit from using
RELENG_4_9_0_RELEASE?

Look at it this way.  

If someone installed the 4.9 release, from a set of disks they bought
in a store, and then they had a question about it, I might want to
help them figure out their problem.  Because there is a
RELENG_4_9_0_RELEASE tag, I can look at the files that produced their
release.  It makes no sense that anyone would download those files to
install from, but some people can actually read the source files.

Lowell/Ed,

It's very clear now.  I guess I was just looking at things as they 
related to upgrading
one's system.  Thanks for following up with your explanations.

Bob

--
FreeBSD 4.8-RELEASE-p13 0#


Re: APM on 4.9 on a Winbook XL2 laptop

2004-02-14 Thread matthew


On Sat, 14 Feb 2004, matthew wrote:



 On Sat, 14 Feb 2004, Sara Trice wrote:

  I can't get the APM on this to work for anything. I have tried putting:
 
  apm_load=YES
 
  in my /boot/loader.conf file, and the lines:
 
  apm_enable=YES
  apmd_enable=YES
 
  in my /etc/rc.conf file.
 
  I run apm -a and it tells me:
  apm: can't open /dev/apm: Device not configured
 
  Any ideas?

Sara emailed me back when she found the answer.
I want to post this so others can find this answer too.
Her solution was:

echo en apm0  /boot/kernel.conf

m

 

 One would make sure that

 device apm0 at nexus? disable flags 0x20 # Advanced Power Management

 is in their running kernel.

 Is APM enabled in your BIOS?

 These two answers are the basic ones. Reply back with answer.

 m

  TIA
  Sara T.
 
 



ports vulnerability check

2004-02-14 Thread dave
Hello,
I started seeing this in late 5.1 and now in 5.2 as well. When I am
compiling a port the first message I get is "Vulnerability check disabled".
What is this? Should I be worried about it?
Thanks.
Dave.



Re: ports vulnerability check

2004-02-14 Thread Kris Kennaway
On Sun, Feb 15, 2004 at 01:22:51AM -0500, dave wrote:
 Hello,
 I started seeing this in late 5.1 and now in 5.2 as well. When I am
 compiling a port the first message I get is "Vulnerability check disabled".
 What is this? Should I be worried about it?

See /usr/ports/CHANGES

Kris




cvsup not honouring refuse

2004-02-14 Thread Paulius Bulotas
Hello list,

I noticed that if I create a refuse file (/usr/sup/refuse) and do:
# cvsup -L 0 ~/supfiles/ports
it ignores my refuse file. As I remember, this used to work.
I'm using 5.2-CURRENT, and the refuse file looks like:
arabic
astro
benchmarks
...

ports supfile is:
*default host=cvsup.lt.FreeBSD.org
*default base=/usr
*default prefix=/usr
*default release=cvs tag=.
*default delete use-rel-suffix
*default compress

ports-all

and I'm using cvsup-without-gui-16.1h installed as binary package.

TIA
Paulius