The worldwide search for CircusPrincess 2009 is on!

2009-06-23 Thread The CircusPrincess

The worldwide search for CircusPrincess 2009 is on!

The CircusPrincess, a fairytale come true, is no ordinary circus. It's the 
ultimate celebration of female grace, beauty and talent. And now, for the first 
time in history, we're inviting the global Internet audience to join us in the 
nomination, voting and selection process.

We're searching for the most entertaining, completely original female circus 
act or performance. You can perform by yourself or with a group, on land or in 
the air - whether you're an acrobat, comedian, dancer, singer or an entirely 
new type of performer.

Apply now on our website for the chance to be one of 14 finalists. The winner 
will receive a prize, the title of CircusPrincess 2009, a three-month contract 
with Circus Scott, a distinctive, irreplaceable Kosta Boda trophy and the 
prestige of being recognized as the best female circus performer in the world.

Buy your tickets today to reserve your seats for one of five amazing evenings!

To browse through the history of past performances, view the contributions or 
book tickets, simply visit cirkusprinsessan2009.se

Welcome to the greatest show on earth!
/ Robert Bronet



___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"


Re: you're not going to believe this.

2009-06-23 Thread Wojciech Puchar



> you guys aren't going to believe what i just found on the web for
> the ASUS Eee-901 [or is it the "900"].  it was for the 9- and
> 10-inch screens.  i was using konq which just segv'd so i am
> taking a break and thought i'd share this.
>
> last night, i could barely believe the ten-inch with a 40GB SSD.
> these mini-notebooks take two memory chips. they just plug in.
> i was googling around and found they have 32's and even 128's.
> so you can get 64 or up to 256Gigs of solid state disk ...
> not in a year or two (or five or six), but now.


Today we have huge flash disks for really cheap, but still don't have a
native flash filesystem in any OS, be it FreeBSD or windoze or mac os x or
whatever.


These flash chips have to emulate a hard drive, which slows them down
manyfold.



Re: Best practices for securing SSH server

2009-06-23 Thread Matthew Seaman
Wojciech Puchar wrote:
>> If for some reason you would prefer to use password authentication, I
>> would recommend that you look into automatic brute force detection.
>> There are a number of utilities in ports available for this purpose,
>> including security/sshguard and security/denyhosts.
> 
> good, but not really important with properly chosen password.
> You can't do more than maybe 10 attempts/second this way, while cracking
> 10 character password consisting of just small letters and digits needs

10 characters is a longer than usual password.  Most people have been
conditioned into using a 7 or 8 character password, which is at least
1000 times easier to crack using your measure.  (Still a pretty big
possible space though).

> 36^10=3656158440062976 possible passwords, and over 11 million years to
> check all possibilities, so say 10 years if someone is really lucky
> and will get it after checking 1% possible password.

There is a very big flaw in your analysis here.  You're assuming that
the passwords people might use are randomly and evenly distributed over
the whole possible password space.  That is simply untrue.  A lot of
people -- perhaps the majority -- will use a password consisting of an
English word, possibly with StUdLy CaPs or 3lite SP3LL1NG and with some
random extra characters!*99 tacked on[*].  That's a whole lot smaller
search space -- and it must be possible to brute-force passwords or it
wouldn't be worthwhile for the brute-force attackers to keep trying.

Agreed however that if people can be educated to use good passwords then
a brute force attack like this really is infeasible.  I like apg(1) for
generating passwords where there is no alternative to using strong
crypto.

> Of course - you must not look at logs in 10 years and not see this
> 10 attempts per second.

Sure.  My experience is that any machine on the internet with a port 22
listener will attract about 2 to 5 brute force attackers a day -- that
is, a sequence of brute force attempts originating from 2 -- 5
independent IPs per day.  In fact, given that you have taken reasonable
measures like using ssh keys exclusively or enforcing strong passwords
then the biggest problems caused by these sort of attacks are the drain
on system resources and the excess verbiage in log files.  Getting rid
of that is why I like to implement connection-rate based SSH blocking
via pf(4) -- not because it gives any extra security.

> I give this example against common paranoia that exist on that group -
> mix of real "security paranoid" persons and pseudo-experts that like to
> repeat "intelligent" phrases to show up themselves.
> 
> Actually - there is no need for extra protection for ssh, but for humans.
> 
> 99% of crack attempts are done by "kevin mitnick" methods, not password
> cracking.

Absolutely true.  Mitnick was an early exponent of Social Engineering
attacks, which are still the easiest and most effective methods for
breaking computer security.  Now, if we could just get rid of all the
users, our lives as Sys Admins would be a whole lot easier...

Cheers,

Matthew

[*] It's amazing how many people, when you tell them to use a mix of
upper and lower case letters, just capitalize the *first* letter of
their password.

-- 
Dr Matthew J Seaman MA, D.Phil.   Flat 3
  7 Priory Courtyard
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
  Kent, CT11 9PW, UK



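Matthew's connection-rate blocking with pf(4), written out as an added example that is not from the thread. It assumes the external interface is em0 and that sshd listens on port 22; the 5-connections-per-30-seconds threshold is a guess to tune for your own users. As he says, this saves CPU and log noise rather than strengthening the authentication itself, and it counts new TCP connections rather than failed logins, so a user who scripts many short ssh sessions from one address will lock themselves out as well.

```pf
# Added example, not from the thread. Assumes the external interface is em0
# and sshd listens on port 22; the 5-per-30-seconds threshold is a guess.
ext_if = "em0"

# Persistent so the table survives a ruleset reload. Entries never expire
# on their own; age them out from cron with
#   pfctl -t bruteforce -T expire 86400
table <bruteforce> persist

# Anything already in the table is dropped before it reaches the pass rule.
block in quick on $ext_if from <bruteforce>

# Allow ssh, but a source that opens more than 5 new connections within
# 30 seconds is added to the table and all of its existing states are
# killed, so an attacker's open sessions die with the ban.
pass in quick on $ext_if proto tcp from any to ($ext_if) port 22 \
    flags S/SA keep state \
    (max-src-conn-rate 5/30, overload <bruteforce> flush global)
```

Load it with pfctl -f /etc/pf.conf and watch the table with pfctl -t bruteforce -T show; a legitimate address that gets caught can be released with pfctl -t bruteforce -T delete <ip>.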


Re: Best practices for securing SSH server

2009-06-23 Thread Wojciech Puchar

>> You can't do more than maybe 10 attempts/second this way, while cracking
>> 10 character password consisting of just small letters and digits needs
>
> 10 characters is a longer than usual password.  Most people have been
> conditioned into using a 7 or 8 character password, which is at least a


So that's the answer to how to secure an SSH server: use 10-letter random
passwords.



>> 36^10=3656158440062976 possible passwords, and over 11 million years to
>> check all possibilities, so say 10 years if someone is really lucky
>> and will get it after checking 1% possible password.
>
> There is a very big flaw in your analysis here.  You're assuming that
> the passwords people might use are randomly and evenly distributed over


So you already confirmed what I say. It's a human problem, for example
not using random passwords.


Talking about security within that context is a joke.
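The arithmetic behind the 36^10 figure argued over above, as an added example that is not from the thread, carried one step further to the much smaller "English word plus mangling" space Matthew describes. The word-list size, number of capitalisation patterns, leet variants and suffix length are assumptions for illustration, not measurements.

```python
"""Added example, not from the thread: the arithmetic behind the 36**10
figure above, carried on to the much smaller space an attacker actually
searches when passwords are a dictionary word with a few mangling rules.
The word-list size and rule counts below are assumptions."""

from math import log2

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` symbols from the alphabet."""
    return alphabet_size ** length


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Wall-clock years to try every candidate at a fixed guess rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def mangled_dictionary_space(words: int = 100_000, case_patterns: int = 4,
                             leet_variants: int = 8, suffix_alphabet: int = 36,
                             max_suffix: int = 2) -> int:
    """Size of 'English word + capitalisation + l33t + short suffix'.

    Every parameter is an assumption for illustration. The suffix term
    counts all suffixes of length 0..max_suffix over suffix_alphabet symbols.
    """
    suffixes = sum(suffix_alphabet ** n for n in range(max_suffix + 1))
    return words * case_patterns * leet_variants * suffixes


def compare(rate: float = 10.0) -> dict:
    """Summarise the policies discussed in the thread at `rate` guesses/s."""
    spaces = {
        "random 10 of [a-z0-9]": keyspace(36, 10),
        "random 8 of [a-z0-9]": keyspace(36, 8),
        "random 7 of [a-z0-9]": keyspace(36, 7),
        "word + mangling": mangled_dictionary_space(),
    }
    return {name: {"space": n, "bits": round(log2(n), 1),
                   "years_all": years_to_exhaust(n, rate)}
            for name, n in spaces.items()}


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:24s} {row['bits']:5.1f} bits  {row['years_all']:14.4g} years")
```

At 10 guesses per second the random 10-character password is genuinely out of reach (about 11.6 million years for the whole space), the 8-character one is 1296 times cheaper but still far beyond an online attack, and the mangled-dictionary space falls in about 13 years at the same rate, which is why rate-limiting matters for human-chosen passwords and barely matters for random ones.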


Re: Best practices for securing SSH server

2009-06-23 Thread Chris Rees
2009/6/23 Wojciech Puchar :
>> If for some reason you would prefer to use password authentication, I
>> would recommend that you look into automatic brute force detection.
>> There are a number of utilities in ports available for this purpose,
>> including security/sshguard and security/denyhosts.
>
> good, but not really important with properly chosen password.
> You can't do more than maybe 10 attempts/second this way, while cracking 10
> character password consisting of just small letters and digits needs
>
> 36^10=3656158440062976 possible passwords, and over 11 million years to check
> all possibilities, so say 10 years if someone is really lucky and will
> get it after checking 1% possible password.
>
> Of course - you must not look at logs in 10 years and not see this 10
> attempts per second.
>
>
>
> I give this example against common paranoia that exist on that group - mix
> of real "security paranoid" persons and pseudo-experts that like to repeat
> "intelligent" phrases to show up themselves.
>
> Actually - there is no need for extra protection for ssh, but for humans.
>
> 99% of crack attempts are done by "kevin mitnick" methods, not password
> cracking.

You're right about the probability of password breaking, but
personally I installed denyhosts just because I got sick of this:

Aug 22 00:46:21 amnesiac sshd[63107]: error: PAM: authentication error
for illegal user adrian from
adsl-76-193-128-193.dsl.scrm01.sbcglobal.net
Aug 22 00:46:21 amnesiac sshd[63107]: Failed keyboard-interactive/pam
for invalid user adrian from 76.193.128.193 port 2901 ssh2
Aug 22 00:46:23 amnesiac sshd[63110]: error: PAM: authentication error
for illegal user agfa from
adsl-76-193-128-193.dsl.scrm01.sbcglobal.net
Aug 22 00:46:23 amnesiac sshd[63110]: Failed keyboard-interactive/pam
for invalid user agfa from 76.193.128.193 port 3165 ssh2
Aug 22 00:46:26 amnesiac sshd[63113]: error: PAM: authentication error
for illegal user agneta from
adsl-76-193-128-193.dsl.scrm01.sbcglobal.net
Aug 22 00:46:26 amnesiac sshd[63113]: Failed keyboard-interactive/pam
for invalid user agneta from 76.193.128.193 port 3338 ssh2
Aug 22 00:46:29 amnesiac sshd[63116]: error: PAM: authentication error
for illegal user ahren from
adsl-76-193-128-193.dsl.scrm01.sbcglobal.net
Aug 22 00:46:29 amnesiac sshd[63116]: Failed keyboard-interactive/pam
for invalid user ahren from 76.193.128.193 port 3499 ssh2

10,000 lines of this in _every_ security digest I get off my server.
No I haven't changed any IP addresses, either.

Now I get:

Added the following hosts to /etc/hosts.evil:
89.232.63.160
87.117.236.15

Much easier to read...

Chris

-- 
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in a mailing list?
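The per-source counting that denyhosts and sshguard do, run over sshd log lines of the shape Chris posted, as an added example that is not from the thread or from either tool. The sample lines are constructed to match the posted ones (joined back onto single lines), with one unrelated failure and one successful login added so the filter has something to ignore; the threshold and window are assumptions to tune.

```python
"""Added example, not from the thread: the per-source counting that
denyhosts and sshguard do, run over sshd log lines of the shape Chris
posted. The sample lines are constructed to match those (joined onto
single lines), with one unrelated failure and one successful login added;
the threshold and window are assumptions to tune."""

import re
from collections import defaultdict
from datetime import datetime

# FreeBSD sshd: "Failed <method> for [invalid user ]<name> from <ip> port <n> ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample, modelled on the lines in the message above.
SAMPLE_LOG = """\
Aug 22 00:46:21 amnesiac sshd[63107]: error: PAM: authentication error for illegal user adrian from adsl-76-193-128-193.dsl.scrm01.sbcglobal.net
Aug 22 00:46:21 amnesiac sshd[63107]: Failed keyboard-interactive/pam for invalid user adrian from 76.193.128.193 port 2901 ssh2
Aug 22 00:46:23 amnesiac sshd[63110]: Failed keyboard-interactive/pam for invalid user agfa from 76.193.128.193 port 3165 ssh2
Aug 22 00:46:26 amnesiac sshd[63113]: Failed keyboard-interactive/pam for invalid user agneta from 76.193.128.193 port 3338 ssh2
Aug 22 00:46:29 amnesiac sshd[63116]: Failed keyboard-interactive/pam for invalid user ahren from 76.193.128.193 port 3499 ssh2
Aug 22 00:47:02 amnesiac sshd[63120]: Failed keyboard-interactive/pam for chris from 192.0.2.10 port 50122 ssh2
Aug 22 00:47:05 amnesiac sshd[63122]: Accepted publickey for chris from 192.0.2.10 port 50123 ssh2
"""


def parse_failures(lines):
    """Yield (timestamp, ip, user) for each failed-auth line, skipping the
    PAM 'error:' duplicates and successful logins. syslog timestamps carry
    no year, so the parsed datetimes are only good for differences."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["ip"], m["user"]


def offenders(lines, threshold=3, window_seconds=60):
    """Map ip -> peak failure count for sources with at least `threshold`
    failures inside any `window_seconds` span. The window slides over each
    source's own timestamps, so one failure an hour never trips it."""
    recent = defaultdict(list)
    flagged = {}
    for ts, ip, _user in parse_failures(lines):
        history = recent[ip]
        history.append(ts)
        while (ts - history[0]).total_seconds() > window_seconds:
            history.pop(0)
        if len(history) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(history))
    return flagged


def hosts_allow_deny_lines(flagged):
    """hosts_access(5) deny lines in the form FreeBSD's /etc/hosts.allow takes."""
    return ["sshd : %s : deny" % ip for ip in sorted(flagged)]


if __name__ == "__main__":
    print("\n".join(hosts_allow_deny_lines(offenders(SAMPLE_LOG.splitlines()))))
```

The dictionary sweep from 76.193.128.193 trips the threshold on its third failure; the single failed login from 192.0.2.10 followed by a successful key login does not, which is the distinction a bare connection-rate limit cannot make.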


Re: freebsd-questions Digest, Vol 264, Issue 3

2009-06-23 Thread The Ghost

DA Forsyth wrote:
> On 22 Jun 2009 , freebsd-questions-requ...@freebsd.org entreated
> about
>
>  "freebsd-questions Digest, Vol 264, Issue 3":
>
>> I am trying to find out the temperature of my CPU. After a whole night
>> from dusk till dawn of searching the Web like a furious spider, I got
>> the following results: it can be done via either ISA or SMB, with one of
>> the ports: lmmon, healthd, consolehm or mbmon, and there are also few
>> modules that are required in the kernel: smb, smbus, intpm, ichsmb
>
> I used a TUSL2 board for a while for one of my servers and mbmon
> worked fine with it.  I did have to compile mbmon without SMB support
> though (just look inside the Makefile for the right thing to define
> to prevent smb support).  Then when you do a 'mbmon -d' it will tell
> you what it finds.   I never even tried adding smb support to the
> kernel until after I upgraded both the motherboard and BSD to 7.1 and
> was curious to see what it might give me.
>
> cya
>
> --
>    DA Forsyth            Network Supervisor
> Principal Technical Officer -- Institute for Water Research
> http://www.ru.ac.za/institutes/iwr/



Holy cahones de la... *skipping few languages* ...rear of Vyagrimukha
and Leviathan!! I'm so happy, de merde!.. So, like... When installing
mbmon, it gives you an option to disable SMB support; I never even
thought about disabling it because where would it take the data from?!.. I
do not have ISA or I2C, so SMB seemed like the only way. But, with this
support, it's completely impossible to read the temperatures (and -d
says that, like, ICH found but there is hardware monitor on it...), and
when you disable this support - it reads everything properly!! Thank you
very much, my new old CPU will now rest happily knowing that I always
watch carefully after its temperature...



Re: slowloris, accf_http and POST requests

2009-06-23 Thread Ruben de Groot
On Mon, Jun 22, 2009 at 05:35:56PM -0500, Dan Nelson typed:
> In the last episode (Jun 22), Ruben de Groot said:
> > 
> > My main concern here is if applying the trivial patch I posted would break
> > anything in the http protocol layer. And if not, why isn't the POST method
> > included in the http accept filter in the first place?
> 
> The filter wasn't designed to be an anti-DOS tool; it was an optimization to
> save some context switches at the beginning of every request.  POSTs are

I know this. But in this particular case, it *works* as an anti-DOS tool. And a 
pretty good one too.

> infrequent, always include extra trailing data after the headers, and end up
> doing more processing at the server end than plain GET or HEADs, so
> buffering the first line of the request doesn't really help much.

Well, it helps against this slowloris script. And I don't see it costing much.

> You're better off adding a request-max-time limit to your webserver, or
> doing random-drops of existing connections if you get close to your fd or
> thread limit.

I'm exploring these options as well, but they have their own drawbacks.

Anyway, since it doesn't look like I'm breaking anything by buffering the POST
headers, I'm gonna maintain this as a local patch until something better comes
along.

Thanks for your input,
Ruben

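What the accept filter and Dan's "request-max-time limit" both boil down to, as an added example that is not from the thread: read the request head under a hard deadline so a client that dribbles headers one byte at a time cannot pin a worker indefinitely. accf_http(9) does this buffering in the kernel before accept() returns (and, as the thread notes, not for POST), whereas this is the userland form a server or proxy would apply per connection. It uses a socketpair so it runs offline; the 0.3 s deadline, the 0.1 s drip rate and both client behaviours are constructed for the demonstration.

```python
"""Added example, not from the thread: the userland equivalent of what
accf_http(9) does in the kernel and what a "request-max-time" limit does
in the web server, namely reading the request head under a hard deadline
so that a client dribbling headers cannot pin a worker forever. Uses a
socketpair so it runs offline; the 0.3 s deadline, the 0.1 s drip rate
and both client behaviours are constructed for the demonstration."""

import socket
import threading
import time

HEADER_END = b"\r\n\r\n"


def read_request_head(sock, deadline_seconds, max_bytes=8192):
    """Read until the blank line that ends the headers, or give up.

    Raises TimeoutError if the head is incomplete at the deadline and
    ValueError if it grows past max_bytes (the other slowloris variant
    sends an endless stream of bogus headers instead of stalling).
    """
    deadline = time.monotonic() + deadline_seconds
    buf = bytearray()
    while HEADER_END not in buf:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            raise TimeoutError("request head incomplete at deadline")
        sock.settimeout(remaining)
        try:
            chunk = sock.recv(4096)
        except socket.timeout:
            raise TimeoutError("request head incomplete at deadline") from None
        if not chunk:
            raise ConnectionError("client closed before sending a full head")
        buf += chunk
        if len(buf) > max_bytes:
            raise ValueError("request head too large")
    head, _sep, _body = bytes(buf).partition(HEADER_END)
    return head


def well_behaved_client(sock):
    """Sends a complete POST head (and body) at once, like a real browser."""
    sock.sendall(b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                 b"Content-Length: 5\r\n\r\nhello")
    sock.close()


def slowloris_client(sock):
    """Sends a valid start line, then one header byte every 100 ms and
    never the terminating blank line, which is the slowloris pattern."""
    sock.sendall(b"POST /upload HTTP/1.1\r\nHost: example.test\r\n")
    try:
        for byte in b"X-a: b\r\n":
            time.sleep(0.1)
            sock.send(bytes([byte]))
    except OSError:
        pass  # the server gave up and closed its end
    sock.close()


def serve_one(client_behaviour, deadline_seconds=0.3):
    """Run one client against read_request_head; returns ('ok', head) or
    ('timeout', message) so a caller can see how each client fares."""
    server_side, client_side = socket.socketpair()
    worker = threading.Thread(target=client_behaviour, args=(client_side,))
    worker.start()
    try:
        return "ok", read_request_head(server_side, deadline_seconds)
    except TimeoutError as err:
        return "timeout", str(err)
    finally:
        server_side.close()
        worker.join()


if __name__ == "__main__":
    print(serve_one(well_behaved_client))
    print(serve_one(slowloris_client))
```

A per-connection deadline caps what any one slow client costs, but it does nothing about a flood of them opened in parallel; that still needs a per-source connection cap in front of the server, which is the other half of Dan's advice.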


Re: Best practices for securing SSH server

2009-06-23 Thread Wojciech Puchar


>> 99% of crack attempts are done by "kevin mitnick" methods, not password
>> cracking.
>
> You're right about the probability of password breaking, but
> personally I installed denyhosts just because I got sick of this:


indeed, it's very useful but it's not a requirement at all to be secure :)

The only requirements for security are:

1) use proper passwords, or keyfiles but with keyfiles stored on a properly 
protected machine (geli, proper password for geli too)


2) it's not really wrong to use same (but well done - random) passwords in 
many places YOU administer, but never use the same password on any 
foreign places.


3) Store that password ONLY in brain.


As herds of morons don't really understand what passwords are for, all 
points are usually not respected, point 3 being the most common :)


You want to crack into company server - just look at monitors and notes 
glued to it. If you can't - ask a charwoman working there ;)



Re: Best practices for securing SSH server

2009-06-23 Thread Wojciech Puchar

>> 99% of crack attempts are done by "kevin mitnick" methods, not password
>> cracking.
>
> Absolutely true.  Mitnick was an early exponent of Social Engineering
> attacks, which are still the easiest and most effective methods for


Mitnick just chose the best possible friend - human stupidity. It never 
fails.



> breaking computer security.  Now, if we could just get rid of all the
> users, our lives as Sys Admins would be a whole lot easier...


Just make sure that one user can't make a mess for others, and log every 
login. Then it's no more your problem, as users can only hurt themselves.


Don't care about their security if they don't care by themselves.


> Cheers,
>
> Matthew
>
> [*] It's amazing how many people, when you tell them to use a mix of
> upper and lower case letters, just capitalize the *first* letter of
> their password.


Because most people don't understand what passwords are for. They just 
treat them as a part of a required ceremony.



Re: cannot find -lltdl

2009-06-23 Thread Chris Rees
2009/6/23 kalin m :
>
>
> hi all..
>
> this is a bit awkward
>
> i'm building php 5.2.10 from source on freebsd 7.0. using:
>
> ./configure --with-layout=GNU --with-config-file-scan-dir=/usr/local/etc/php
> --disable-all --enable-libxml --with-libxml-dir=/usr/local
> --enable-reflection --program-prefix= --disable-cgi
> --with-apxs2=/etc/httpd/bin/apxs --with-regex=php --with-zend-vm=CALL
> --prefix=/usr/local --mandir=/usr/local/man --infodir=/usr/local/info/
> --with-pcre-regex --with-mysql=/usr/local/mysql --with-curl --enable-ctype
> --enable-dom --enable-exif --enable-filter --with-gd --with-openssl
> --enable-json --with-iconv --with-mhash --with-mcrypt
>
>
> the configuration runs fine but  the build breaks:
> ..
> main/internal_functions.lo -lcrypt -lcrypt -lmysqlclient -lmhash -lmcrypt
> -lltdl -liconv -lpng -lz -lcurl -lssl -lcrypto -lm -lxml2 -lz -liconv -lm
> -lcurl -lssl -lcrypto -lz -lxml2 -lz -liconv -lm -lcrypt -lcrypt  -o
> libphp5.la
> /usr/bin/ld: cannot find -lltdl
> *** Error code 1
>
> Stop in /usr/local/src/php-5.2.10.
>
> # locate ltdl
> /usr/local/share/aclocal/ltdl.m4
> /usr/local/share/libtool/libltdl
> ...
>
> the thing is it already build once with the same configuration options. an
> hour ago. and it is working. but i need to add more stuff to this. if i take
> off --with-mcrypt it builds fine. i have mcrypt already and i need it. and
> don't want to reinstall without it
>
> any help?
>
> thanks...


Why aren't you using ports?



Chris


-- 
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in a mailing list?


Re: Checksum mismatches when csup-ing.

2009-06-23 Thread Paul van der Zwan


On 23 jun 2009, at 05:55, Frank Shute wrote:

> On Mon, Jun 22, 2009 at 07:17:40PM +0200, Paul van der Zwan wrote:
>
>> The last few days I see a dozens of Checksum mismatches when csup-ing
>> src-all from cvsup.freebsd.org.
>> No errors appear on ports-all.
>> Is there a problem with the cvs repository ?
>
> Most people will use a local mirror as listed in the handbook:
>
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cvsup.html
>
> Check and see if you have the same problem with one of the mirror
> sites.
>

I have tried both cvsup.freebsd.org and cvsup.nl.freebsd.org with both
csup and cvsup and I get checksum mismatches on all attempts.

> If you've got the same problem, then your cvsup config file for src
> could be up the creek.
>
I have deleted /usr/sup/src-all/* but that did not fix the checksum
errors,
just gave me a lot of SetAttr messages the first run.
If you mean my c{v}sup config file, that hasn't been changed in years
and
how would an error in that file cause errors on src-all but none on
ports-all ?

> If the problem disappears, then the server is up the creek.
>
I am stumped, as far as I can tell it's no local config problem, but
what's causing it?
I have no idea..
Am I the only one seeing these errors ?

	Paul

>> The fact that all errors are on src-all and none on ports-all make me
>> suspect it is not a local problem on
>> my system as both end up on the same filesystem here.
>>
>> Paul
>>
>> PS I am not on this list so please reply directly as well
>>
>
> Regards,
>
> --
>
> Frank
>
>
> Contact info: http://www.shute.org.uk/misc/contact.html




The Gimp

2009-06-23 Thread Rob Hurle
  Due to some meteorological disasters I've had to replace my 6.1
FreeBSD system and I've installed 7.2 on the refurbished i386
computer:

freebsd [22:03] ~>uname -a
FreeBSD freebsd.connect-a.com.au 7.2-RELEASE FreeBSD 7.2-RELEASE #0:
Fri May  1 08:49:13 UTC 2009

My desktop is KDE Version 4.2.2 (not yet sure that this is an
improvement over the previous version).  I'm starting to re-install
software using portupgrade (portinstall).  I've a few problems with
that, but I'll leave that to another post.  The immediate problem is
that I've used portinstall to install gimp (picture processing
software) which I was happily using on the previous version.  It
installs OK (after a fearful amount of time) but when I start it, I
get a segmentation fault:

freebsd [22:07] ~>gimp &
[1] 3696
freebsd [22:09] ~>
[1]    Segmentation fault    gimp
freebsd [22:09] ~>

If I run as root, there is no problem:

freebsd [22:09] ~>sudo gimp &
[1] 3700
freebsd [22:10] ~>
[1]  + Suspended (tty output)    sudo gimp
freebsd [22:10] ~>fg
sudo gimp
Password:

freebsd [22:11] ~>

It starts OK and I can use it fine.  The config file ".gimp-2.6" is
saved in root's home directory.  I've tried RTFM, but there is no
information on this problem.  Maybe it's due to some library having
the wrong permissions and I should search the system for files with
544 permissions or something.  Does anyone have a clue as to what's
going on, or should I report a bug?  Thanks heaps.

Rob Hurle
-- 
-
Rob Hurle
Research School of Pacific and Asian Studies, ANU
e-mail:  rob1...@gmail.com
Telephone (ANU): +61 2 6125 3169
Mobile (in VN):  +84 948 243 538 (Currently in Australia)
Mobile (in OZ):  +61 417 293 603 (Currently in Australia)
-


Re: Best practices for securing SSH server

2009-06-23 Thread Daniel Underwood
"why does the speed of a connection make it a higher risk?"

Super-fast connections are ideal targets for people to install private
fileservers (among other things).


Re: No sound, no mouse and now X applications won't start

2009-06-23 Thread Manish Jain

> Message: 11
> Date: Sat, 20 Jun 2009 16:34:00 -0400
> From: Jerry
> Subject: Re: No sound, no mouse and now X applications won't start
> To: freebsd-questions@freebsd.org
> Message-ID: <20090620163400.62143...@scorpio.seibercom.net>
> Content-Type: text/plain; charset=US-ASCII
>
> On Sun, 21 Jun 2009 01:31:45 +0530
> Manish Jain  wrote:
>
>> Looks like nobody at freebsd-questions has any answers for me. Maybe
>> 7.2-x86 doesn't like newish amd hardware.
>
> post the output of: pciconf -lv as well as dmesg. Also your rc.conf and
> PolicyKit.conf files might be useful.
>
> --
> Jerry
> ges...@yahoo.com



Hi,

I have solved most of the problems listed in my previous message with 
help from Roland Smith.


The fact still remains that FreeBSD-7.2 has some definite problems on 
AMD hardware :


1) On multi-core systems, the cores don't get initialized properly and 
you get messages like : "AP #1 (PHY# 1) failed !" followed by panic. The 
solution is to reboot, maybe as many as 6-7 times.


2) The uhub/ums module fails to load and /dev/ums0 consequently won't 
get created. The workaround is to unplug your USB mouse just before the 
boot process begins, and plug it back in once you get the console.


I have googled for the above 2 problems and there seem to be many folks 
suffering from these ills, with no solution except the ones I have listed 
above. And these problems almost always occur on AMD multi-core systems.


I hope the next release will address these problems, as well as a pretty 
reasonable request from me much earlier to move vi from /usr/bin to 
/bin. Even in single-user mode, you almost always need an editor.


--
Regards
Manish Jain
invalid.poin...@gmail.com
+91-96500-10329

Laast year I kudn't spell Software Engineer. Now I are won.


Re: Checksum mismatches when csup-ing.

2009-06-23 Thread Frank Shute
On Tue, Jun 23, 2009 at 02:43:36PM +0200, Paul van der Zwan wrote:
>
> 
> On 23 jun 2009, at 05:55, Frank Shute wrote:
> 
>> On Mon, Jun 22, 2009 at 07:17:40PM +0200, Paul van der Zwan wrote:
>>>
>>> The last few days I see a dozens of Checksum mismatches when csup-ing
>>> src-all from cvsup.freebsd.org.
>>> No errors appear on ports-all.
>>> Is there a problem with the cvs repository ?
>>
>> Most people will use a local mirror as listed in the handbook:
>>
>> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cvsup.html
>>
>> Check and see if you have the same problem with one of the mirror
>> sites.
>>
> 
> I have tried both cvsup.freebsd.org and cvsup.nl.freebsd.org with both
> csup and cvsup and I get checksum mismatches on all attempts.

Haven't tried those 2 but I'm OK on cvsup3.uk.freebsd.org so I suspect
the problem is with your end.

> 
>> If you've got the same problem, then your cvsup config file for src
>> could be up the creek.
>>
> I have deleted /usr/sup/src-all/* but that did not fix the checksum  
> errors,
> just gave me a lot of SetAttr messages the first run.

I wonder if it is some sort of permission problem. Runlevel OK? You
might want to check if somebody has done something funny with
extended attributes (setextattr(8) etc.).

> If you mean my c{v}sup config file, that hasn't been changed in years  
> and
> how would an error in that file cause errors on src-all but none on  
> ports-all ?

I didn't know you had ports and src in the same config. I keep mine
separately.

Where do you put your ports btw? Under /usr/sup/ or /usr/ports/ ?

> 
> 
>> If the problem disappears, then the server is up the creek.
>>
> I am stumped, as far as I can tell it's no local config problem, but  
> what's causing it?
> I have no idea..
> Am I the only one seeing these errors ?

Maybe you could cut & paste the output from a run & post it. (Or the
bits that look relevant). Use script(1) to capture the output.

> 
>   Paul
> 
>>>
>>> The fact that all errors are on src-all and none on ports-all make me
>>> suspect it is not a local problem on
>>> my system as both end up on the same filesystem here.
>>>
>>> Paul
>>>
>>> PS I am not on this list so please reply directly as well
>>>
>>
>> Regards,
>>
>>-- 
>>
>> Frank
>>

Regards,

-- 

 Frank 


 Contact info: http://www.shute.org.uk/misc/contact.html 



Multi-homed FreeBSD

2009-06-23 Thread Matej Šerc
Hi,

we have a FreeBSD machine currently using PPPoE with NAT. As we already have
the cable connection which is about the same speed, I was just wondering about
doing some load balancing for the outside connection. I have no experience
with that and will be really glad if someone could point out some things, where
to look and what to read. Also your configurations and experiences regarding
this are very welcome.

Thanks,
Matej


Re: Best practices for securing SSH server

2009-06-23 Thread Daniel Underwood
> I do not believe that tricks like running ssh on a
> non standard port or using port-knocking provide
> much extra security.

I can understand that varying the port is not a very strong defensive
measure, but I don't understand your point about port-knocking.

If you configure a complex and seemingly random sequence of knocks
before allowing an IP access to your ssh port, have you not
significantly strengthened your ssh server?


Re: Checksum mismatches when csup-ing.

2009-06-23 Thread Erik Trulsson
On Tue, Jun 23, 2009 at 02:43:36PM +0200, Paul van der Zwan wrote:
> 
> On 23 jun 2009, at 05:55, Frank Shute wrote:
> 
> > On Mon, Jun 22, 2009 at 07:17:40PM +0200, Paul van der Zwan wrote:
> >>
> >> The last few days I see a dozens of Checksum mismatches when csup-ing
> >> src-all from cvsup.freebsd.org.
> >> No errors appear on ports-all.
> >> Is there a problem with the cvs repository ?
> >
> > Most people will use a local mirror as listed in the handbook:
> >
> > http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cvsup.html
> >
> > Check and see if you have the same problem with one of the mirror
> > sites.
> >
> 
> I have tried both cvsup.freebsd.org and cvsup.nl.freebsd.org with both
> csup and cvsup and I get checksum mismatches on all attempts.
> 
> > If you've got the same problem, then your cvsup config file for src
> > could be up the creek.
> >
> I have deleted /usr/sup/src-all/* but that did not fix the checksum  
> errors,
> just gave me a lot of SetAttr messages the first run.
> If you mean my c{v}sup config file, that hasn't been changed in years  
> and
> how would an error in that file cause errors on src-all but none on  
> ports-all ?
> 
> 
> > If the problem disappears, then the server is up the creek.
> >
> I am stumped, as far as I can tell it's no local config problem, but  
> what's causing it?
> I have no idea..
> Am I the only one seeing these errors ?


Nope, I am seeing exactly the same thing. (And I am using different mirrors
than you are.) 
Since I too am only seeing this for src-all and not ports-all I
suspect it may be a problem with the svn->cvs export. (src-all is nowadays
maintained in a subversion repository and the changes automatically exported
to the cvs repository, while ports-all is still maintained directly in the
cvs repository.)

Note: I use cvsup to maintain a local copy of the cvs repository.
It is not clear if you too are doing that, or if you use cvsup to check out
just the latest version.



> 
>   Paul
> 
> >>
> >> The fact that all errors are on src-all and none on ports-all make me
> >> suspect it is not a local problem on
> >> my system as both end up on the same filesystem here.
> >>
> >> Paul
> >>
> >> PS I am not on this list so please reply directly as well
> >>



-- 

Erik Trulsson
ertr1...@student.uu.se


links for hal and hplip

2009-06-23 Thread Andrew Gould
For those of you, like myself, struggling with hal and printing
(separate issues), check out the links below.

You will note that the freebsd gnome page is at freebsd.org, but the
freebsd kde page is at freebsd.kde.org.  The hplip information at the
kde site is not specific to kde.  The hal faq at the gnome page has
some information that is not specific to gnome.


gnome:  http://www.freebsd.org/gnome
hal:http://www.freebsd.org/gnome/docs/halfaq.html
kde:   http://freebsd.kde.org
hplip:  http://freebsd.kde.org/howtos/hplip.php


Best of luck,

Andrew


~/.ssh directory permissions

2009-06-23 Thread Daniel Underwood
Looking at my ~/.ssh directory, I see the following permissions:

-rw-r--r--

Which I understand to be equivalent to 644.

I read here  that
~/.ssh ought to have permissions 700.

Which is preferable, and why?


Thanks [upgrading installed ports: time to do it ?]

2009-06-23 Thread dan
Hello !

Thanks all of you for taking time to answer my mail. I really appreciate it.

I have (well...the system has) successfully done the upgrade.

I used both pkg_updating and portupdate-scan to scan UPDATING [pkg_updating 
did not show an entry suggesting to update python to version 2.6 (which 
Portupdate-scan did)].
As UPDATING suggests, I made the switch from python 2.5 to python 2.6 (using 
portupgrade).
Then I did a "mass" upgrade... portupgrade -ab --batch ... It took 6h30 
upgrading 40 ports (not many ports because I installed this system only a few 
months ago). [Now I should find where the backup packages have been sent]

Thanks again and see you here !

d

p.s. Robert I meant to say if you prefer to upgrade just a selection of the 
ports or all of the ports together ;-)




On Tuesday 23 June 2009 00:34:59 Charlie Kester wrote:
> On Mon 22 Jun 2009 at 13:48:02 PDT RW wrote:
> >On Mon, 22 Jun 2009 20:58:41 +0100
> >
> >Chris Whitehouse  wrote:
> >> I'll probably get flamed for this but since I've been using
> >> ports-mgmt/portmanager I've almost forgotten
> >> about /usr/ports/UPDATING and all that pkgdb -Fu stuff or whatever it
> >> was. I've upgraded ports just by doing 'portmanager -u' over one or
> >> two quite major changes and not had any problems that haven't been
> >> down to an individual ports.
> >
> >You still need to read UPDATING, portmanager handles some of the issues
> >automatically, but not all.
>
> that durned human element again!
>
> would be nice if a port upgrade tool did that for you, displayed any
> entries related to ports that need updating, and gave you a chance to
> postpone the update until you've taken whatever actions UPDATING
> suggests
>
> would require UPDATING to be written in a consistent, machine-readable
> format




Re: ~/.ssh directory permissions

2009-06-23 Thread Jerry McAllister
On Tue, Jun 23, 2009 at 10:06:03AM -0400, Daniel Underwood wrote:

> Looking at my ~/.ssh directory, I see the following permissions:
> 
> -rw-r--r--
> 
> Which I understand to be equivalent to 644.
> 
> I read here  that
> ~/.ssh ought to have permissions 700.
> 
> Which is preferable, and why?

Well, generically, 700 allows you to do anything you want with
the file as owner, but no other id (except root) can touch it in
any way - not even look at it.   I don't really know if it would
hurt to allow others to read it or not, but in the philosophy of
if access is not needed, then don't provide it, I would make it
limited to 700.

I just looked at mine and it is set to 700.

jerry


Re: ~/.ssh directory permissions

2009-06-23 Thread Daniel Underwood
Thanks. Might as well set to 700 then.


Re: Checksum mismatches when csup-ing.

2009-06-23 Thread Michael Powell
Paul van der Zwan wrote:

> 
> On 23 jun 2009, at 05:55, Frank Shute wrote:
> 
>> On Mon, Jun 22, 2009 at 07:17:40PM +0200, Paul van der Zwan wrote:
>>>
>>> The last few days I see dozens of Checksum mismatches when csup-ing
>>> src-all from cvsup.freebsd.org.
>>> No errors appear on ports-all.
>>> Is there a problem with the cvs repository ?
>>
>> Most people will use a local mirror as listed in the handbook:
>>
>> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cvsup.html
>>
>> Check and see if you have the same problem with one of the mirror
>> sites.
>>
> 
> I have tried both cvsup.freebsd.org and cvsup.nl.freebsd.org with both
> csup and cvsup and I get checksum mismatches on all attempts.
[snip]

About a week ago I csup'ed src-all from cvsup.nl.freebsd.org and rebuilt my 
systems. I just did it again to test, although since it was up to date 
nothing new was changed/downloaded. No checksum errors at all with either 
event.

-Mike





Re: cannot find -lltdl

2009-06-23 Thread kalin m



Chris Rees wrote:
> 2009/6/23 kalin m :
>> hi all..
>>
>> this is a bit awkward
>>
>> i'm building php 5.2.10 from source on freebsd 7.0. using:
>>
>> ./configure --with-layout=GNU --with-config-file-scan-dir=/usr/local/etc/php
>> --disable-all --enable-libxml --with-libxml-dir=/usr/local
>> --enable-reflection --program-prefix= --disable-cgi
>> --with-apxs2=/etc/httpd/bin/apxs --with-regex=php --with-zend-vm=CALL
>> --prefix=/usr/local --mandir=/usr/local/man --infodir=/usr/local/info/
>> --with-pcre-regex --with-mysql=/usr/local/mysql --with-curl --enable-ctype
>> --enable-dom --enable-exif --enable-filter --with-gd --with-openssl
>> --enable-json --with-iconv --with-mhash --with-mcrypt
>>
>> the configuration runs fine but the build breaks:
>> ..
>> main/internal_functions.lo -lcrypt -lcrypt -lmysqlclient -lmhash -lmcrypt
>> -lltdl -liconv -lpng -lz -lcurl -lssl -lcrypto -lm -lxml2 -lz -liconv -lm
>> -lcurl -lssl -lcrypto -lz -lxml2 -lz -liconv -lm -lcrypt -lcrypt  -o
>> libphp5.la
>> /usr/bin/ld: cannot find -lltdl
>> *** Error code 1
>>
>> Stop in /usr/local/src/php-5.2.10.
>>
>> # locate ltdl
>> /usr/local/share/aclocal/ltdl.m4
>> /usr/local/share/libtool/libltdl
>> ...
>>
>> the thing is it already built once with the same configuration options. an
>> hour ago. and it is working. but i need to add more stuff to this. if i take
>> off --with-mcrypt it builds fine. i have mcrypt already and i need it. and
>> don't want to reinstall without it
>>
>> any help?
>>
>> thanks...
>
> Why aren't you using ports?

there isn't ports for all that i need compiling with 5.2.10.

> Chris



Re: slowloris, accf_http and POST requests

2009-06-23 Thread Michael Powell
Ruben de Groot wrote:

> On Mon, Jun 22, 2009 at 05:35:56PM -0500, Dan Nelson typed:
>> In the last episode (Jun 22), Ruben de Groot said:
>> > 
>> > My main concern here is if applying the trivial patch I posted would
>> > break anything in the http protocol layer. And if not, why isn't the
>> > POST method included in the http accept filter in the first place?
>> 
>> The filter wasn't designed to be an anti-DOS tool; it was an optimization
>> to
>> save some context switches at the beginning of every request.  POSTs are
> 
> I know this. But in this particular case, it *works* as an anti-DOS tool.
> And a pretty good one too.
> 
>> infrequent, always include extra trailing data after the headers, and end
>> up doing more processing at the server end than plain GET or HEADs, so
>> buffering the first line of the request doesn't really help much.
> 
> Well, it helps against this slowloris script. And I don't see it costing
> much.
> 
>> You're better off adding a request-max-time limit to your webserver, or
>> doing random-drops of existing connections if you get close to your fd or
>> thread limit.
> 
> I'm exploring these options as well, but they have their own drawbacks.
> 
> Anyway, since it doesn't look like I'm breaking anything by buffering the
> POST headers, I'm gonna maintain this as a local patch until something
> better comes along.
> 

I was interested to follow this, as I was under the impression http accept 
filter was more for performance rather than security. Since I use it anyway 
I was happy to learn of these facts.

Although not directly related, per se, you may also be interested in:

http://www.modsecurity.org/projects/modsecurity/apache/index.html

It can be useful in narrowing the scope of allowable POST content to 
mitigate SQL injection techniques. The default pattern is overly broad but 
if you are only intent on tightening up one web app on one server it is 
possible to tune it to be more specific. Not a magic bullet, but every layer 
in the onion helps.

-Mike





Problem starting slapd

2009-06-23 Thread Carmel NY
FreeBSD-7.2
openldap-server-2.4.16_1

I just installed this port. For some reason it will not start
correctly. I have all of the information entered in the /etc/rc.conf
file and the slapd.conf and ldap.conf files are configured correctly.

There is no 'PID' file created. Below is what I receive when I attempt
to start or stop the program.

/usr/local/etc/rc.d # ./slapd start
Starting slapd.
/usr/local/etc/rc.d # ./slapd stop 
slapd not running? (check /var/run/openldap/slapd.pid).
/usr/local/etc/rc.d # ls /var/run/openldap
ldapi=
/usr/local/etc/rc.d # 

There is a 'socket' created, but that is it. I am pulling my hair out,
what is left of it, trying to figure out what the problem is. Any
suggestions?

Thanks!

-- 
Carmel
car...@hotmail.com

I would have made a good pope.

Richard Nixon


Re: Multi-homed FreeBSD

2009-06-23 Thread Tim Judd
On 6/23/09, Matej Šerc  wrote:
> Hi,
>
> we have a FreeBSD machine currently using PPPoE with NAT. As we already have
> the cable connection which is about the same speed, I was just wondering of
> doing some load balancing for the outside connection. I have no experiences
> with that and will be really glad if someone could point some things, where
> to look and what to read. Also your configurations and experiences regarding
> this fact are very welcome.
>
> Thanks,
> Matej


This question has been asked very frequently on this list, starting
with my thread about multiple gateways on May 31st.

Best option is by using firewall routing options, since bsd itself
cannot add more than one gateway (which I think is the TCP/IP
standard, being only one gateway)

please google and read, and if you have further questions, follow up
and ask questions.


Re: Problem starting slapd

2009-06-23 Thread Tim Judd
On 6/23/09, Carmel NY  wrote:
> FreeBSD-7.2
> openldap-server-2.4.16_1
>
> I just installed this port. For some reason it will not start
> correctly. I have all of the information entered in the /etc/rc.conf
> file and the slapd.conf and ldap.conf files are configured correctly.
>
> There is no 'PID' file created. Below is what I receive when I attempt
> to start or stop the program.
>
> /usr/local/etc/rc.d # ./slapd start
> Starting slapd.
> /usr/local/etc/rc.d # ./slapd stop
> slapd not running? (check /var/run/openldap/slapd.pid).
> /usr/local/etc/rc.d # ls /var/run/openldap
> ldapi=
> /usr/local/etc/rc.d #
>
> There is a 'socket' created, but that is it. I am pulling my hair out,
> what is left of it, trying to figure out what the problem is. Any
> suggestions?
>
> Thanks!


is there a /usr/local/etc/openldap/slapd.conf?
does it pass muster, config check 'n all?
did you enable logging?

would you pastebin your slapd.conf - masking out any passwords or
sensitive information?


I've run slapd plenty of times, I bet it's something with your config
file.  Posting your /usr/ports/net/openldap24-server make
showconfig would be appreciated too.


--TJ


Re: Problem starting slapd

2009-06-23 Thread Peter Boosten



On 23 jun 2009, at 16:39, Carmel NY  wrote:

> FreeBSD-7.2
> openldap-server-2.4.16_1
>
> I just installed this port. For some reason it will not start
> correctly. I have all of the information entered in the /etc/rc.conf
> file and the slapd.conf and ldap.conf files are configured correctly.
>
> There is no 'PID' file created. Below is what I receive when I attempt
> to start or stop the program.
>
> /usr/local/etc/rc.d # ./slapd start
> Starting slapd.
> /usr/local/etc/rc.d # ./slapd stop
> slapd not running? (check /var/run/openldap/slapd.pid).
> /usr/local/etc/rc.d # ls /var/run/openldap
> ldapi=
> /usr/local/etc/rc.d #
>
> There is a 'socket' created, but that is it. I am pulling my hair out,
> what is left of it, trying to figure out what the problem is. Any
> suggestions?
>
> Thanks!

Check permissions on /var/run/openldap

Peter


Re: Checksum mismatches when csup-ing.

2009-06-23 Thread Paul van der Zwan


On 23 jun 2009, at 15:53, Erik Trulsson wrote:

> On Tue, Jun 23, 2009 at 02:43:36PM +0200, Paul van der Zwan wrote:
>>
>> On 23 jun 2009, at 05:55, Frank Shute wrote:
>>
>>> On Mon, Jun 22, 2009 at 07:17:40PM +0200, Paul van der Zwan wrote:
>>>
>>>> The last few days I see dozens of Checksum mismatches when csup-ing
>>>> src-all from cvsup.freebsd.org.
>>>> No errors appear on ports-all.
>>>> Is there a problem with the cvs repository ?
>>>
>>> Most people will use a local mirror as listed in the handbook:
>>>
>>> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cvsup.html
>>>
>>> Check and see if you have the same problem with one of the mirror
>>> sites.
>>
>> I have tried both cvsup.freebsd.org and cvsup.nl.freebsd.org with both
>> csup and cvsup and I get checksum mismatches on all attempts.
>>
>>> If you've got the same problem, then your cvsup config file for src
>>> could be up the creek.
>>
>> I have deleted /usr/sup/src-all/* but that did not fix the checksum
>> errors, just gave me a lot of SetAttr messages the first run.
>> If you mean my c{v}sup config file, that hasn't been changed in years
>> and how would an error in that file cause errors on src-all but none on
>> ports-all ?
>>
>>> If the problem disappears, then the server is up the creek.
>>
>> I am stumped, as far as I can tell it's no local config problem, but
>> what's causing it?
>> I have no idea..
>> Am I the only one seeing these errors ?
>
> Nope, I am seeing exactly the same thing. (And I am using different
> mirrors than you are.)
> Since I too am only seeing this for src-all and not ports-all I
> suspect it may be a problem with the svn->cvs export. (src-all is
> nowadays maintained in a subversion repository and the changes
> automatically exported to the cvs repository, while ports-all is still
> maintained directly in the cvs repository.)

Well at least I am not the only one seeing these errors. I think we can
rule out a local problem and will have to wait for someone to fix this.

> Note: I use cvsup to maintain a local copy of the cvs repository.
> It is not clear if you too are doing that, or if you use cvsup to
> check out just the latest version.

I use cvsup/csup to mirror the cvs repo and I do a local cvs checkout.
But until these errors are fixed I will not be doing any checkouts and
build for src. I don't think I can trust the repository...

Paul

>> Paul
>>
>>>> The fact that all errors are on src-all and none on ports-all
>>>> make me suspect it is not a local problem on
>>>> my system as both end up on the same filesystem here.
>>>>
>>>> Paul
>>>>
>>>> PS I am not on this list so please reply directly as well
>
> --
>
> Erik Trulsson
> ertr1...@student.uu.se




Re: ~/.ssh directory permissions

2009-06-23 Thread Peter Boosten



On 23 jun 2009, at 16:06, Daniel Underwood  wrote:

> Looking at my ~/.ssh directory, I see the following permissions:
>
> -rw-r--r--
>
> Which I understand to be equivalent to 644.
>
> I read here  that
> ~/.ssh ought to have permissions 700.
>
> Which is preferable, and why?


700, your private key(s) go in there.

Peter


Re: you're not going to believe this.

2009-06-23 Thread Gary Kline
On Tue, Jun 23, 2009 at 09:31:06AM +0200, Wojciech Puchar wrote:
> 
> > you guys aren't going to believe what i just found on the web for
> > the ASUS Eee-901 [or is it the "900"].  it was for the 9- and
> > 10-inch screens.  i was using konq which just segv'd so i am
> > taking a break and thought i'd share this.
> >
> > last night, i could barely believe the ten-inch with a 40GB SSD.
> > these mini-notebooks take two memory chips. they just plug in.
> > i was googling around and found they have 32's and even 128's.
> > so you can get 64 or up to 256Gigs of solid state disk ...
> > not in a year or two (or five or six), but now.
> 
> today we have huge flash disks for really cheap, but still don't have 
> native flash filesystem in any OS, be it FreeBSD or windoze or mac os x or 
> whatever.
> 
> This flash chips have to emulate hard drive, which slows them down 
> manyfold


so is there any best guess regarding what timeframe a filesystem
for freebsd might exist?  on the you-tube demo they were using
[i think] XP.

i'll see if i can find the site.

gary



-- 
 Gary Kline  kl...@thought.org  http://www.thought.org  Public Service Unix
http://jottings.thought.org   http://transfinite.thought.org
   For FBSD list: http://transfinite.thought.org/slicejourney.php
The 4.98a release of Jottings: http://jottings.thought.org/index.php



Re: Problem starting slapd

2009-06-23 Thread Carmel NY
On Tue, 23 Jun 2009 16:46:42 +0200
Peter Boosten  wrote:

> Check permissions on /var/run/openldap

drwxr-xr-x   2 ldapldap 512B Jun 23 10:57 openldap/

They appear to be correct. I might add, that I did a complete deinstall
of the port, removed the /usr/local/etc/openldap directory and the
start up script and then reinstalled the port. The only thing I have not
done is remove DB46 and reinstall that. I really don't think that would
affect anything anyway.

-- 
Carmel
car...@hotmail.com

Do not do unto others as you would they should do unto you. Their
tastes may not be the same.

George Bernard Shaw


Re: cannot find -lltdl

2009-06-23 Thread Michael Powell
kalin m wrote:

> 
> 
> Chris Rees wrote:
>> 2009/6/23 kalin m :
[snip] 
>>
>>
>> Why aren't you using ports?
>>   
> 
> there isn't ports for all that i need compiling with 5.2.10.

Yes there is. You install the main PHP5 port first, then follow up by 
installing the php5-extensions port. When you either do it the first time, 
or subsequently do make config you will be presented with a menu listing all 
the php extension options. This is where you build the individual module(s) 
which you require. For example, the most common is probably MySQL support. 
You would tick the box next to the mysql module in the menu. Even if you 
chose to build all of them you can deactivate any you don't need after the 
fact in /usr/local/etc/php/extensions.ini file.

Strongly recommended for you to use the ports system. You will find your 
system much more easily maintainable for the future.

-Mike





Re: No sound, no mouse and now X applications won't start

2009-06-23 Thread Jonathan McKeown
On Tuesday 23 June 2009 15:41:48 Manish Jain wrote:
> I hope the next release will address these problems, as well as a pretty
> reasonable request from me much earlier to move vi from /usr/bin to
> /bin. Even in single-user mode, you almost always need an editor.

Which is why you have ed(1) - both in /bin and in /rescue - and /rescue/vi 
(although that needs a bit of tweaking due to the /etc/termcap problem).

Bear in mind that /usr/bin/vi is over 300K, compared to the whole of /bin 
which is ~950K (if you avoid double-counting entries like /bin/csh 
and /bin/tcsh which are hardlinks to the same file), so you need to convince 
people who think /bin should stay small to let it grow by a third to save 
people learning ed(1).

Jonathan


Re: Checksum mismatches when csup-ing.

2009-06-23 Thread Michael Powell
Paul van der Zwan wrote:

[snip]
>>
> Well at least I am not the only one seeing these errors. I think we can
> rule out a local problem and will have to wait for someone to fix this.
> 
>> Note: I use cvsup to maintain a local copy of the cvs repository.
>> It is not clear if you too is doing that, or if you use cvsup to
>> check out
>> just the latest version.
>>
>>
> 
> I use cvsup/csup to mirror the cvs repo and I do a local cvs checkout.
> But until these errors are fixed I will not be doing any checkouts and
> build
> for src. I don't think I can trust the repository...
> 
> 
[snip]

Ah - OK. Got it now. Maintaining your own local repository, i.e. not just a 
simple src upgrade/download such as I do here for basic updating.

I recently saw something about this, IIRC on the -Current, or possible -
Stable list explaining this. It had something to do with the export from SVN 
back to CVS. I believe the developers are aware of this. Search the archive 
for their comments. 

-Mike





Re: slowloris, accf_http and POST requests

2009-06-23 Thread Fabian Keil
Ruben de Groot  wrote:

> On Mon, Jun 22, 2009 at 05:35:56PM -0500, Dan Nelson typed:
> > In the last episode (Jun 22), Ruben de Groot said:
> > > 
> > > My main concern here is if applying the trivial patch I posted would
> > > break anything in the http protocol layer. And if not, why isn't the
> > > POST method included in the http accept filter in the first place?
> > 
> > The filter wasn't designed to be an anti-DOS tool; it was an
> > optimization to save some context switches at the beginning of every
> > request.  POSTs are
> 
> I know this. But in this particular case, it *works* as an anti-DOS
> tool. And a pretty good one too.

How did you verify this?

accf_http doesn't require a complete request but will also
pass the connection to the userland if its buffer is full.

If you continue to send headers that will happen eventually and if
you're impatient, you simply have to send a bit more headers at the
beginning to reach the application faster.

Fabian


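To make Fabian's point concrete, here is a small model of the accept-filter decision, written for this page; it is not FreeBSD's accf_http(9) code, only a restatement of the behaviour its manual page and the replies above describe: the kernel holds a new connection until a complete GET or HEAD request has arrived, passes anything with another method straight to the application, and also passes the connection up the moment the socket receive buffer is full. The buffer size is an assumed parameter, the `accept_post` switch stands in for the local patch Ruben describes, and the slow client traffic is constructed for the demonstration.

```python
"""Model of the accf_http(9) accept-filter decision (written for this page).

Not the FreeBSD kernel code.  It mirrors the behaviour documented in
accf_http(9): a connection is held in the kernel until a complete GET or HEAD
request (headers ended by a blank line) has arrived, is handed to the
application at once for any other method, and, the point made in the thread,
is also handed over as soon as the receive buffer is full however incomplete
the request is.  ``bufsize`` is an assumed value; on a real system it is the
listening socket's receive buffer.  ``accept_post`` stands in for the local
patch that adds POST to the buffered methods.
"""

BUFFERED_METHODS = (b"GET ", b"HEAD ")


def accept_filter(received, bufsize, accept_post=False):
    """Return (release_to_application, reason) for the bytes buffered so far."""
    methods = BUFFERED_METHODS + ((b"POST ",) if accept_post else ())
    if len(received) >= bufsize:
        return True, "buffer full"            # kernel stops waiting
    head = received[:5]
    # Keep waiting while the bytes seen are still a prefix of a buffered
    # method; once they diverge (PUT, OPTIONS, garbage) release immediately.
    if not any(m.startswith(head) or head.startswith(m) for m in methods):
        return True, "method not buffered"
    if b"\r\n\r\n" in received or b"\n\n" in received:
        return True, "complete request"
    return False, "buffering"


def feed(chunks, bufsize, accept_post=False):
    """Feed client chunks in order; return (chunks consumed, reason) when the
    filter releases the connection, or (len(chunks), "buffering") if never."""
    received = b""
    for n, chunk in enumerate(chunks, 1):
        received += chunk
        released, why = accept_filter(received, bufsize, accept_post)
        if released:
            return n, why
    return len(chunks), "buffering"


# Constructed slowloris-style traffic: a request line and Host header, then
# one short header per chunk and never the blank line that ends the headers.
SLOW_LINE = b"X-a: b\r\n"


def slowloris_chunks(count, method=b"GET"):
    return [method + b" / HTTP/1.1\r\nHost: example\r\n"] + [SLOW_LINE] * count


if __name__ == "__main__":
    bufsize = 8192                            # assumed receive-buffer size
    for method, post in ((b"GET", False), (b"POST", False), (b"POST", True)):
        n, why = feed(slowloris_chunks(5000, method), bufsize, post)
        print(f"{method.decode():4} accept_post={post!s:5} -> released after "
              f"{n} chunk(s): {why}")
```

With an 8 KiB buffer the GET client still reaches the web server after roughly a thousand 8-byte header lines, and a client that sends longer headers gets there sooner; the filter delays the connection, it does not stop it, which is why a request timeout or connection limit in the server is still needed.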


What's happening

2009-06-23 Thread Jack Raats
Can anyone explain this:

Jun 23 17:09:09 zeus kernel: fxp0: link state changed to DOWN
Jun 23 17:22:25 zeus kernel: fxp0: link state changed to UP

What's causing this???

Thanks for your time

Jack Raats


Re: self-serving redeux/revisited, and more questions?

2009-06-23 Thread Polytropon
On Mon, 22 Jun 2009 08:14:47 -0700, Gary Kline  wrote:
>   ok, sorry.  "Brain fault: Core dump"  :-)

Core fault: brain dump. :-)



-- 
Polytropon
From Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...


Re: you're not going to believe this.

2009-06-23 Thread David Kelly
On Tue, Jun 23, 2009 at 07:52:27AM -0700, Gary Kline wrote:
> On Tue, Jun 23, 2009 at 09:31:06AM +0200, Wojciech Puchar wrote:
> > 
> > today we have huge flash disks for really cheap, but still don't
> > have native flash filesystem in any OS, be it FreeBSD or windoze or
> > mac os x or whatever.
> > 
> > This flash chips have to emulate hard drive, which slows them down
> > manyfold
> 
> 
>   so is there any best guess regarding what timeframe a filesystem
>   for freebsd might exist?  on the you-tube demo they were using
>   [i think] XP.

Don't worry about it. Buy your SSD (Solid state Storage Device) and
mount with the noatime option. Don't let someone scare you away from the
99.8% solution waiting for the 99.9% solution.

As for "emulating a hard drive", it's only slow relative to potential
FLASH speeds. It's fast relative to hard drive speeds. Writing may not be
as fast as a "real" HD, YMMV.

-- 
David Kelly N4HHE, dke...@hiwaay.net

Whom computers would destroy, they must first drive mad.


Re: What's happening

2009-06-23 Thread David Kelly
On Tue, Jun 23, 2009 at 05:28:51PM +0200, Jack Raats wrote:
> Can anyone explain this:
> 
> Jun 23 17:09:09 zeus kernel: fxp0: link state changed to DOWN
> Jun 23 17:22:25 zeus kernel: fxp0: link state changed to UP
> 
> What's causing this???

The wire was disconnected during that time. Possibly the hub/switch lost
power, or the modem was down.

-- 
David Kelly N4HHE, dke...@hiwaay.net

Whom computers would destroy, they must first drive mad.


Re: you're not going to believe this.

2009-06-23 Thread Polytropon
On Tue, 23 Jun 2009 09:31:06 +0200 (CEST), Wojciech Puchar 
 wrote:
> today we have huge flash disks for really cheap, but still don't have 
> native flash filesystem in any OS, be it FreeBSD or windoze or mac os x or 
> whatever.
> 
> This flash chips have to emulate hard drive, which slows them down 
> manyfold

Article: "NILFS: A File System to Make SSDs Scream"
http://www.linux-mag.com/cache/7345/1.html


-- 
Polytropon
From Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...


Re: ~/.ssh directory permissions

2009-06-23 Thread Chris Rees
2009/6/23 Peter Boosten :
>
>
> On 23 jun 2009, at 16:06, Daniel Underwood  wrote:
>
>> Looking at my ~/.ssh directory, I see the following permissions:
>>
>> -rw-r--r--
>>
>> Which I understand to be equivalent to 644.
>>
>> I read here  that
>> ~/.ssh ought to have permissions 700.
>>
>> Which is preferable, and why?
>
> 700, you private key(s) go in there.
>

Interesting, I never noticed the 700 permissions on .ssh...

[ch...@amnesiac]~% ls -ld .ssh
drwx--  2 chris  chris  512 Nov 22  2008 .ssh/
[ch...@amnesiac]~% ls -l .ssh
total 18
-rw-r--r--  1 chris  chris  3281 Jan  8 21:21 authorized_keys
-rw---  1 chris  chris  1675 Oct  1  2008 id_rsa
-rw-r--r--  1 chris  chris   409 Oct  1  2008 id_rsa.pub
-rw-r--r--  1 chris  chris  8379 Jun 11 22:01 known_hosts
[ch...@amnesiac]~%


Although I think it's not a big deal, as long as your id_?sa has
permissions 600 like mine, or even 400.

Chris

-- 
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in a mailing list?
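The replies in this thread (Jerry's "if access is not needed, don't provide it", Peter's "your private keys go in there" and Chris's listing above) add up to a short rule set, so here is a check that encodes it. This is an added example written for this page, not code from the list or from OpenSSH. It assumes the usual OpenSSH file names (id_* for key pairs, authorized_keys, known_hosts), and the sample directory it builds is constructed for the demonstration.

```python
"""Audit and repair the permissions of a ~/.ssh directory (example for this page).

Rules, taken from the replies above and from the checks sshd's StrictModes
performs before it will use a user's files:
  * the directory itself is 700;
  * private keys (assumed here to be files named id_* without a .pub suffix)
    are 600 or 400;
  * authorized_keys is not writable by group or others (sshd refuses to use
    it otherwise).
Public keys and known_hosts may stay world-readable, as in Chris's listing.
"""
import os
import stat
import tempfile

PRIVATE_KEY_MODES = (0o600, 0o400)


def mode_of(path):
    """Permission bits of the path itself (symlinks are not followed)."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def is_private_key(name):
    return name.startswith("id_") and not name.endswith(".pub")


def audit_ssh_dir(ssh_dir):
    """Return a list of findings; an empty list means everything passes."""
    findings = []
    if not os.path.isdir(ssh_dir):
        return [f"{ssh_dir}: missing or not a directory"]
    mode = mode_of(ssh_dir)
    if mode != 0o700:
        findings.append(f"{ssh_dir}: mode {mode:03o}, expected 700")
    for name in sorted(os.listdir(ssh_dir)):
        path = os.path.join(ssh_dir, name)
        if not stat.S_ISREG(os.lstat(path).st_mode):
            continue                          # skip sockets, symlinks, subdirs
        mode = mode_of(path)
        if is_private_key(name) and mode not in PRIVATE_KEY_MODES:
            findings.append(f"{path}: mode {mode:03o}, private key must be 600 or 400")
        elif name == "authorized_keys" and mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{path}: mode {mode:03o}, must not be group/world writable")
    return findings


def fix_ssh_dir(ssh_dir):
    """Apply the modes above and return the remaining findings (expected: none)."""
    os.chmod(ssh_dir, 0o700)
    for name in os.listdir(ssh_dir):
        path = os.path.join(ssh_dir, name)
        if not stat.S_ISREG(os.lstat(path).st_mode):
            continue
        if is_private_key(name):
            os.chmod(path, 0o600)
        elif name == "authorized_keys":
            os.chmod(path, 0o644)
    return audit_ssh_dir(ssh_dir)


def make_sample_ssh_dir():
    """Constructed fixture: a group/world-readable directory holding a
    world-readable private key and a world-writable authorized_keys."""
    ssh_dir = os.path.join(tempfile.mkdtemp(), ".ssh")
    os.mkdir(ssh_dir)
    for name, mode in (("id_rsa", 0o644), ("id_rsa.pub", 0o644),
                       ("authorized_keys", 0o666), ("known_hosts", 0o644)):
        path = os.path.join(ssh_dir, name)
        open(path, "w").close()
        os.chmod(path, mode)
    os.chmod(ssh_dir, 0o755)
    return ssh_dir


if __name__ == "__main__":
    target = make_sample_ssh_dir()        # or os.path.expanduser("~/.ssh")
    for line in audit_ssh_dir(target):
        print("before:", line)
    print("after fix:", fix_ssh_dir(target) or "clean")
```

Run it against a real account by swapping in `os.path.expanduser("~/.ssh")`; the audit only reads, `fix_ssh_dir` changes modes.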


Re: Best practices for securing SSH server

2009-06-23 Thread Erik Norgaard

Daniel Underwood wrote:
>> I do not believe that tricks like running ssh on a
>> non standard port or using port-knocking provide
>> much extra security.
>
> I can understand that varying the port is not a very strong defensive
> measure, but I don't understand your point about port-knocking.
>
> If you configure a complex and seemingly random sequence of knocks
> before allowing an IP access to your ssh port, have you not
> significantly strengthened your ssh server?

A port-knocking sequence is really nothing different than a shared 
password. Since there is no user dialog, the sequence has to be known by 
all users accessing the system.


Basically you ask your users to authenticate twice - don't you think you 
could get the same security with a standard deployment insisting on good 
passwords or better yet, using keys?


You add an extra layer of inconvenience and complexity, more things that 
can fail and possibly result in an insecure server:


- dynamically updating firewall rules on the interface facing the 
Internet is not on my list of good practices. loading or flushing rules 
continuously is the recipe for service interruption or exposing your 
server to the net.
- nor is having a sniffer daemon putting the network interface in 
promiscuous mode, a daemon that listens on lots of ports! that really 
sounds attractive. (yup: that's the latest version on portknocking.org).


And it can result in people being unable to access if the knocks are 
filtered at the source.


BR, Erik
--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org


Re: Thanks [upgrading installed ports: time to do it ?]

2009-06-23 Thread Charlie Kester

On Tue 23 Jun 2009 at 07:09:28 PDT dan wrote:
> I used both pkg_updating and portupdate-scan to scan UPDATING [pkg_updating
> did not show an entry suggesting to update python to version 2.6 (which
> Portupdate-scan did)].


Well, I just learned something from this thread.  I didn't know about
these tools.  Thanks for mentioning them! I usually use portupgrade, in
a rather simple-minded way.  Now you've inspired me to spend some time
reading the manpages, to see how I can improve my routine.


Re: you're not going to believe this.

2009-06-23 Thread Roland Smith
On Tue, Jun 23, 2009 at 09:31:06AM +0200, Wojciech Puchar wrote:
> 
> > you guys aren't going to believe what i just found on the web for
> > the ASUS Eee-901 [or is it the "900"].  it was for the 9- and
> > 10-inch screens.  i was using konq which just segv'd so i am
> > taking a break and thought i'd share this.
> >
> > last night, i could barely believe the ten-inch with a 40GB SSD.
> > these mini-notebooks take two memory chips. they just plug in.
> > i was googling around and found they have 32's and even 128's.
> > so you can get 64 or up to 256Gigs of solid state disk ...
> > not in a year or two (or five or six), but now.
> 
> today we have huge flash disks for really cheap, but still don't have a 
> native flash filesystem in any OS, be it FreeBSD or windoze or mac os x or 
> whatever.

Not so. See http://en.wikipedia.org/wiki/Flash_file_system

Most flash devices sold as harddisks have hardware that emulates a
traditional harddisk, representing it as a (P/S)ATA block device. Unless
you can bypass this, there is no need for a special filesystem.

The only downside is that one has no idea how good or bad this interface
hardware is. The abovementioned Wikipedia article provides insight into
the unique issues surrounding flash-based filesystems.

Roland
-- 
R.F.Smith   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)




Re: Problem starting slapd (FIXED)

2009-06-23 Thread Carmel NY
On Tue, 23 Jun 2009 11:03:16 -0400
Carmel NY  wrote:

> On Tue, 23 Jun 2009 16:46:42 +0200
> Peter Boosten  wrote:
> 
> > Check permissions on /var/run/openldap
> 
> drwxr-xr-x   2 ldapldap 512B Jun 23 10:57 openldap/
> 
> They appear to be correct. I might add, that I did a complete
> deinstall of the port, removed the /usr/local/etc/openldap directory
> and the start up script and then reinstalled the port. The only thing
> I have not done is remove DB46 and reinstall that. I really don't
> think that would affect anything anyway.

FIXED! Apparently, I had a corrupted schema file. Replaced it and now
all is well.

-- 
Carmel
car...@hotmail.com

Don't eat yellow snow.


Re: Best practices for securing SSH server

2009-06-23 Thread Bill Moran
In response to Erik Norgaard :

> Daniel Underwood wrote:
> >> I do not believe that tricks like running ssh on a
> >> non standard port or using port-knocking provide
> >> much extra security.
> > 
> > I can understand that varying the port is not a very strong defensive
> > measure, but I don't understand your point about port-knocking.
> > 
> > If you configure a complex and seemingly random sequence of knocks
> > before allowing an IP access to your ssh port, have you not
> > significantly strengthened your ssh server?
> 
> A port-knocking sequence is really nothing different than a shared 
> password. Since there is no user dialog, the sequence has to be known by 
> all users accessing the system.
> 
> Basically you ask your users to authenticate twice - don't you think you 
> could get the same security with a standard deployment insisting on good 
> passwords or better yet, using keys?
> 
> You add an extra layer of inconvenience and complexity, more things that 
> can fail and possibly result in an insecure server:

I would agree with you, except ...

> - dynamically updating firewall rules on the interface facing the 
> Internet is not on my list of good practices. loading or flushing rules 
> continuously is the recipe for service interruption or exposing your 
> server to the net.

What crappy firewall are you using that needs to be flushed or reloaded to
update rules?  Has your packet filtering software been updated since
the 80s?

> - nor is having a sniffer daemon putting the network interface in 
> promiscuous mode, a daemon that listen on lots of ports! that really 
> sounds attractive. (yup: that's the latest version on portknocking.org).

Listening on multiple ports is not synonymous with promiscuous interfaces.
You should take some time to understand the difference between those two
techniques.

> And it can result in people being unable to access if the knocks are 
> filtered at the source.

Which can happen anyway if you have an ISP who filters out ssh traffic
(which isn't unheard of).

What _is_ accomplished by both using a nonstandard port and using knock
techniques, is that you don't have the annoyance of all those botnets
filling up your logs with attempts to log in as root (if you don't
monitor your access logs daily, then I don't want to hear any argument
about this).  With a knock solution, or running on a nonstandard port,
then you know that any login attempts are serious attack attempts, and
not just some random, mindless bots.

If you're doing proper security monitoring, then reducing that log load
is worthwhile.

-- 
Bill Moran
http://www.potentialtech.com
http://people.collaborativefusion.com/~wmoran/


Re: you're not going to believe this.

2009-06-23 Thread Wojciech Puchar

whatever.


Not so. See http://en.wikipedia.org/wiki/Flash_file_system

Most flash devices sold as harddisks have hardware that emulates a
traditional harddisk, representing it as a (P/S)ATA block device. Unless
you can bypass this, there is no need for a special filesystem.


yes this is exactly the problem. it emulates a hard disk, which lowers 
performance much. for example wear leveling and emulating small 
blocks require moving data within flash, which lowers both performance 
and lifetime.




Re: you're not going to believe this.

2009-06-23 Thread Wojciech Puchar

99.8% solution waiting for the 99.9% solution.

As for "emulating a hard drive", its only slow relative to potential


it's nonsense to pay for an emulation layer that slows down real devices.
And random filesystem writes could be much faster on flash than on disk - 
if properly designed.



RE: you're not going to believe this.

2009-06-23 Thread Gary Gatten
If it's fast enough to allow one to work unimpeded, has acceptable
lifetime/reliability, and uses less power/generates less heat than
traditional platter HD - I'd say it's a good solution.  It's not a one
size fits all world.

-Original Message-
From: owner-freebsd-questi...@freebsd.org
[mailto:owner-freebsd-questi...@freebsd.org] On Behalf Of Wojciech
Puchar
Sent: Tuesday, June 23, 2009 12:25 PM
To: FreeBSD Mailing List
Cc: Gary Kline
Subject: Re: you're not going to believe this.

> 99.8% solution waiting for the 99.9% solution.
>
> As for "emulating a hard drive", its only slow relative to potential

it's nonsense to pay for an emulation layer that slows down real devices.
And random filesystem writes could be much faster on flash than on disk
- 
if properly designed.


Re: Can't boot 7.2-RELEASE i386 or AMD64 on an Abit KV8 Pro motherboard with Sempron 3100+ CPU

2009-06-23 Thread ericr
On Sat, Jun 20, 2009 at 3:10 PM, Kent Stewart  wrote:

> On Saturday 20 June 2009 11:00:45 am ericr wrote:
> > Hi,
> >
> > As the subject says, I can't get the 7.2-RELEASE i386 CD to boot on a
> > system that has:
> >
> > Abit KV8 Pro (K8T800P-8237-6A7L1A1BC-26) motherboard with the most recent
> > BIOS - BIOS release 26 4/20/2007
> > (
> >
> http://www.abit.com.tw/page/en/motherboard/motherboard_detail.php?pMODEL_NA
> >ME=KV8+Pro&fMTYPE=Socket+754)
> >
> > An AMD Sempron 3100+ 1.8Ghz CPU
> >
> > 1 Gb RAM
> >
> > An ATI 1050 256mb AGP video card
> >
> > I think I have turned off everything ACPI related in the BIOS setup.
> >
> > When I boot the i386 ISO, the kernel boots to the point of probing the
> PCI
> > bus and then hangs completely, even the keyboard is locked up.
> >
> > I've unplugged all the disks, so the only things in the system are the CD
> > drive, the floppy drive, and the video card.
> >
> > I have turned off acpi at boot time, and when I boot the i386 ISO
> > verbosely, the last few lines the kernel spews are:
> >
> > pci_open(1): mode 1 addr port (0x0cf8) is 0x8000c060
> > pci_open(1a): mode1res=0x8000 (0x8000)
> > pci_cfgcheck: device 0 [class=06] [hdr=80] is there (id=02821106)
> > pcibios: BIOS version 2.10
> > pcib0:  pcibus 0 on motherboard
> > pci0:  on pcib0
> > pci0: domain=0, physical bus=0
> >
> > There's no PCI cards plugged in, just the AGP video card.
> >
> >
> > When I try booting the AMD64 ISO, the boot loader runs, I get the boot
> > menu, and regardless of what boot options I give the kernel, I get the
> > message "CPU doesn't support long mode" and then I get the OK prompt.
> >
> >
> > I'm pretty sure it doesn't have a h/w problem, it'll boot and install
> > Fedora 11, Win2K, WinXP, and runs every DOS based diagnostic app I can
> find
> > with no problems.
> >
> > Anyone have any suggestions, or should I file a PR?
>
> Did you follow the suggestion on the release announcement of using the
> other
> CDs and switching before you start the install.


Yes.  None of the FreeBSD kernels will boot on this system.  Doesn't matter
if I use the livefs disk, or the install disk, it only gets as far as
described above, then hangs.

- ericr


Re: No sound, no mouse and now X applications won't start

2009-06-23 Thread Roland Smith
On Tue, Jun 23, 2009 at 07:11:48PM +0530, Manish Jain wrote:
> Hi,
> 
> I have solved most of the problems listed in my previous message with 
> help from Roland Smith.
> 
> The fact still remains that FreeBSD-7.2 has some definite problems on 
> AMD hardware :
> 
> 1) On multi-core systems, the cores don't get initialized properly and 
> you get messages like : "AP #1 (PHY# 1) failed !" followed by panic. The 
> solution is to reboot, maybe as many as 6-7 times.

Can you run the mptable command as root and post the output?

> 2) The uhub/ums module fails to load and /dev/ums0 consequently won't 
> get created. The workaround is to unplug your USB mouse just before the 
> boot process begins, and plug it back in once you get the console.

Since the USB stack has been replaced in 8-CURRENT, I'm not sure if many
developers will want to spend time on this...
 
> I have googled for the above 2 problems and there seem to many folks 
> suffering from the ills, with no solution except the ones I have listed 
> above. And these problems almost always occur on AMD multi-core systems.

Most posts about the "AP #1 (PHY# 1) failed !" message that I found are
several years old. 

> I hope the next release will address these problems, as well as a pretty 
> reasonable request from me much earlier to move vi from /usr/bin to 
> /bin. Even in single-user mode, you almost always need an editor.

There is always /rescue/vi. And in single-user mode, you can always
mount /usr if it is on a separate partition.

Roland
-- 
R.F.Smith   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)




Re: What's happening

2009-06-23 Thread Robert Huff

David Kelly writes:

>  > Can anyone explain this:
>  > 
>  > Jun 23 17:09:09 zeus kernel: fxp0: link state changed to DOWN
>  > Jun 23 17:22:25 zeus kernel: fxp0: link state changed to UP
>  > 
>  > What's causing this???
>  
>  The wire was disconnected during that time. Possibly the
>  hub/switch lost power, or the modem was down.

It also happens to some cards during boot-up.  I have an Intel
Pro/1000, connected to a live switch; during boot I get an
UP->DOWN->UP transition.
As far as I can tell, it's harmless.  To the OP: does this
transition affect traffic?


Robert Huff


Re: Best practices for securing SSH server

2009-06-23 Thread Erik Norgaard

Bill Moran wrote:

In response to Erik Norgaard :


You add an extra layer of inconvenience and complexity, more things that 
can fail and possibly result in an insecure server:


I would agree with you, except ...

- dynamically updating firewall rules on the interface facing the 
Internet is not on my list of good practices. loading or flushing rules 
continuously is the recipe for service interruption or exposing your 
server to the net.


What crappy firewall are you using that needs flushed or reloaded to
update rules?  Has your packet filtering software been updated since
the 80s?


Whether you flush or add rules to ipf or update tables in pf etc. you 
are modifying your firewall live.


- nor is having a sniffer daemon putting the network interface in 
promiscuous mode, a daemon that listen on lots of ports! that really 
sounds attractive. (yup: that's the latest version on portknocking.org).


Listening on multiple ports is not synonymous with promiscuous interfaces.
You should take some time to understand the difference between those two
techniques.


I do, you can put your interface in promiscuous mode and let the daemon 
grab packets before they are filtered by the firewall, or open in your 
firewall for a range of ports your knock daemon will listen to. In either 
case you add an extra daemon, an extra point of failure, an extra piece 
of code that can undermine your security.


And it can result in people being unable to access if the knocks are 
filtered at the source.


Which can happen anyway if you have an ISP who filters out ssh traffic
(which isn't unheard of).


There's no point in adding this argument, in that case you have no 
connection with or without port knocking. Sticking to standard protocols 
on standard ports is the best way to ensure your ISP doesn't get in your 
way.



What _is_ accomplished by both using a nonstandard port and using knock
techniques, is that you don't have the annoyance of all those botnets
filling up your logs with attempts to log in as root (if you don't
monitor your access logs daily, then I don't want to hear any argument
about this).  With a knock solution, or running on a nonstandard port,
then you know that any login attempts are serious attack attempts, and
not just some random, mindless bots.


I must be in the safe end of the internet, I don't get that many logs. 
So your argument about port knocking boils down to getting rid of some 
log entries, while annoying your users?


Now, how about your logs of failed port knocking attempts? Because, you 
log that, right? If your idea gains traction, then attackers will start 
knocking ports randomly ... you'll just have those logs filling up instead.



If you're doing proper security monitoring, then reducing that log load
is worthwhile.


If this is your main concern, why don't you just filter out the failed 
attempts? After all, they failed. If you do proper security monitoring, 
your tools can be tuned to look at the interesting part of the logs.


There are other tricks that work well too, take a look at

LoginGraceTime
MaxAuthTries
MaxSessions
MaxStartups

Also, very effective, identify address ranges where your users will 
never connect from and black list them in the first place. It's fairly 
easy to get rid of a huge chunk of these logs - and getting your system 
safer - by simply restricting access to address ranges where your users 
are likely to connect from.


Let them know that if they go to some weird place, not on the official 
white list then a temporary exception can be made for the period of 
their travel.


BR, Erik
--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org
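Bill's and Erik's exchange above comes down to what to do with the bot noise in the auth log: Bill wants it out of the way, Erik says tune the tools to the interesting part and pay attention to where users actually connect from. The script below is an added example, not code from the thread: it classifies constructed FreeBSD-style sshd log lines into bot noise and entries worth a human's eye, using assumed local account names and an assumed expected address range (RFC 5737 documentation prefixes stand in for real addresses).

```python
"""Triage sshd log lines: separate mindless bot noise from attempts worth a look.

Sample lines, account names and address ranges below are constructed for
the example; substitute your own auth.log, users and prefixes.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the style of FreeBSD /var/log/auth.log.
SAMPLE_LOG = """\
Jun 23 17:09:09 zeus sshd[1234]: Failed password for root from 203.0.113.7 port 51122 ssh2
Jun 23 17:09:10 zeus sshd[1235]: Invalid user admin from 203.0.113.7
Jun 23 17:09:10 zeus sshd[1235]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Jun 23 17:09:11 zeus sshd[1236]: Failed password for root from 203.0.113.8 port 51140 ssh2
Jun 23 17:12:01 zeus sshd[1240]: Failed password for erik from 198.51.100.20 port 40022 ssh2
Jun 23 17:12:05 zeus sshd[1240]: Failed password for erik from 198.51.100.20 port 40022 ssh2
Jun 23 17:12:30 zeus sshd[1241]: Accepted publickey for erik from 192.0.2.15 port 40100 ssh2
Jun 23 17:13:00 zeus sshd[1242]: Accepted password for bill from 198.51.100.20 port 40050 ssh2
Jun 23 17:14:00 zeus sshd[1243]: Failed password for bill from 192.0.2.16 port 40200 ssh2
"""

# Assumed local accounts and the address ranges users are expected to
# connect from (documentation prefixes used as placeholders).
LOCAL_USERS = {"erik", "bill"}
EXPECTED_RANGES = [ipaddress.ip_network("192.0.2.0/24")]

# Matches the "Accepted ..." / "Failed ..." result lines sshd writes.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Accepted|Failed) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def from_expected_range(ip, ranges=EXPECTED_RANGES):
    """True if the source address falls inside one of the expected prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def classify(line, users=LOCAL_USERS, ranges=EXPECTED_RANGES):
    """Return (category, user, ip), or None for lines that are not auth results.

    noise       - failed login for root or a non-existent account (bot traffic)
    interesting - failed login naming a real local account
    accepted    - successful login from an expected range
    suspicious  - successful login from outside the expected ranges
    """
    m = AUTH_RE.search(line)
    if not m:
        return None
    user, ip, outcome = m["user"], m["ip"], m["outcome"]
    if outcome == "Accepted":
        cat = "accepted" if from_expected_range(ip, ranges) else "suspicious"
    elif m["invalid"] or user == "root" or user not in users:
        cat = "noise"
    else:
        cat = "interesting"
    return cat, user, ip


def triage(log_text, users=LOCAL_USERS, ranges=EXPECTED_RANGES):
    """Summarise a log: counts per category, noisy source addresses, and the
    entries a human should actually read (everything that is not noise)."""
    counts = Counter()
    noise_sources = Counter()
    review = []
    for line in log_text.splitlines():
        result = classify(line, users, ranges)
        if result is None:
            continue
        cat, user, ip = result
        counts[cat] += 1
        if cat == "noise":
            noise_sources[ip] += 1
        else:
            review.append((cat, user, ip, from_expected_range(ip, ranges)))
    return {"counts": counts, "noise_sources": noise_sources, "review": review}


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print("per category:", dict(summary["counts"]))
    print("noise sources:", dict(summary["noise_sources"]))
    for cat, user, ip, in_range in summary["review"]:
        print(f"{cat:11} {user:8} {ip:15} expected-range={in_range}")
```

The noisy sources are a natural input for a pf table or a blacklist, while the "interesting" and "suspicious" entries are the ones a daily log review should actually surface.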


Re: What's happening

2009-06-23 Thread Bruce Ferrell


Robert Huff wrote:
> David Kelly writes:
> 
>>  > Can anyone explain this:
>>  > 
>>  > Jun 23 17:09:09 zeus kernel: fxp0: link state changed to DOWN
>>  > Jun 23 17:22:25 zeus kernel: fxp0: link state changed to UP
>>  > 
>>  > What's causing this???
>>  
>>  The wire was disconnected during that time. Possibly the
>>  hub/switch lost power, or the modem was down.
> 
>   It also happens to some cards during boot-up.  I have an Intel
> Pro/1000, connected to a live switch; during boot I get an
> UP->DOWN->UP transition.
>   As far as I can tell, it's harmless.  To the OP: does this
> transition affect traffic?
> 
> 
>   Robert Huff
depending on the switch, it could be negotiating speed/duplex.  Some, if
configured to auto switch, will do it continuously


Re: you're not going to believe this.

2009-06-23 Thread Roland Smith
On Tue, Jun 23, 2009 at 07:23:22PM +0200, Wojciech Puchar wrote:
> >> whatever.
> >
> > Not so. See http://en.wikipedia.org/wiki/Flash_file_system
> >
> > Most flash devices sold as harddisks have hardware that emulates a
> > traditional harddisk, representing it as a (P/S)ATA block device. Unless
> > you can bypass this, there is no need for a special filesystem.
> 
> yes this is exactly the problem. it emulates a hard disk, which lowers 
> performance much. for example wear leveling and emulating small 
> blocks require moving data within flash, which lowers both performance 
> and lifetime.

Even a flash filesystem will have to do wear levelling. And you'll have
to gather writes to minimize the (slow) wiping of eraseblocks. In other
words, you'll be doing more or less the same that current hardware
does. But then in software, which is generally slower than dedicated
hardware.

The big difference is that it is much easier to tweak and change
algorithms when doing it in software.

Roland
-- 
R.F.Smith   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)




Re: Best practices for securing SSH server

2009-06-23 Thread Kurt Buff
On Mon, Jun 22, 2009 at 22:50, prad wrote:
> On Mon, 22 Jun 2009 21:16:35 -0400
> Daniel Underwood  wrote:
>
>> Due to the speed and location of the
>> connection, it's a relatively high-risk target.
>>
> why does the speed of a connection make it a higher risk?
> is it because bruteforce techniques can capitalize on the speed?

I'd suspect it's a higher risk because the target is higher value. A
high speed connection means more ability to do, well, whatever.

Just a guess on my part, though.

Kurt


Re: Can't boot 7.2-RELEASE i386 or AMD64 on an Abit KV8 Pro motherboard with Sempron 3100+ CPU

2009-06-23 Thread Mark Busby


--- On Tue, 6/23/09, ericr  wrote:

> From: ericr 
> Subject: Re: Can't boot 7.2-RELEASE i386 or AMD64 on an Abit KV8 Pro  
> motherboard with Sempron 3100+ CPU
> To: "Kent Stewart" , freebsd-questions@freebsd.org
> Date: Tuesday, June 23, 2009, 12:44 PM
> On Sat, Jun 20, 2009 at 3:10 PM, Kent
> Stewart 
> wrote:
> 
> > On Saturday 20 June 2009 11:00:45 am ericr wrote:
> > > Hi,
> > >
> > > As the subject says, I can't get the 7.2-RELEASE
> i386 CD to boot on a
> > > system that has:
> > >
> > > Abit KV8 Pro (K8T800P-8237-6A7L1A1BC-26)
> motherboard with the most recent
> > > BIOS - BIOS release 26 4/20/2007
> > > (
> > >
> > http://www.abit.com.tw/page/en/motherboard/motherboard_detail.php?pMODEL_NA
> > >ME=KV8+Pro&fMTYPE=Socket+754)
> > >
> > > An AMD Sempron 3100+ 1.8Ghz CPU
> > >
> > > 1 Gb RAM
> > >
> > > An ATI 1050 256mb AGP video card
> > >
> > > I think I have turned off everything ACPI related
> in the BIOS setup.
> > >
> > > When I boot the i386 ISO, the kernel boots to the
> point of probing the
> > PCI
> > > bus and then hangs completely, even the keyboard
> is locked up.
> > >
> > > I've unplugged all the disks, so the only things
> in the system are the CD
> > > drive, the floppy drive, and the video card.
> > >
> > > I have turned off acpi at boot time, and when I
> boot the i386 ISO
> > > verbosely, the last few lines the kernel spews
> are:
> > >
> > > pci_open(1): mode 1 addr port (0x0cf8) is
> 0x8000c060
> > > pci_open(1a): mode1res=0x8000 (0x8000)
> > > pci_cfgcheck: device 0 [class=06] [hdr=80] is
> there (id=02821106)
> > > pcibios: BIOS version 2.10
> > > pcib0:  pcibus 0
> on motherboard
> > > pci0:  on pcib0
> > > pci0: domain=0, physical bus=0
> > >
> > > There's no PCI cards plugged in, just the AGP
> video card.
> > >
> > >
> > > When I try booting the AMD64 ISO, the boot loader
> runs, I get the boot
> > > menu, and regardless of what boot options I give
> the kernel, I get the
> > > message "CPU doesn't support long mode" and then
> I get the OK prompt.
> > >
> > >
> > > I'm pretty sure it doesn't have a h/w problem,
> it'll boot and install
> > > Fedora 11, Win2K, WinXP, and runs every DOS based
> diagnostic app I can
> > find
> > > with no problems.
> > >
> > > Anyone have any suggestions, or should I file a
> PR?
> >
> > Did you follow the suggestion on the release
> announcement of using the
> > other
> > CDs and switching before you start the install.
> 
> 
> Yes.  None of the FreeBSD kernels will boot on this
> system.  Doesn't matter
> if I use the livefs disk, or the install disk, it only gets
> as far as
> described above, then hangs.
> 
> - ericr

I'll risk the flames, and say go back to basics.
 
Make sure of the drive cabling and jumpers. 

I was reloading a home-grown nas the other day and the cable and jumpers gave 
me a bugger of a time. 7.2 would start to boot and then just hang. I unplugged 
everything except the harddrive on the primary and the optical drive on the 
secondary. After the OS was loaded, I was able to move everything where I wanted.


Re: Can't boot 7.2-RELEASE i386 or AMD64 on an Abit KV8 Pro motherboard with Sempron 3100+ CPU

2009-06-23 Thread Chris Whitehouse

ericr wrote:

On Sat, Jun 20, 2009 at 3:10 PM, Kent Stewart  wrote:


On Saturday 20 June 2009 11:00:45 am ericr wrote:

Hi,

As the subject says, I can't get the 7.2-RELEASE i386 CD to boot on a
system that has:

Abit KV8 Pro (K8T800P-8237-6A7L1A1BC-26) motherboard with the most recent
BIOS - BIOS release 26 4/20/2007
(


snip


Anyone have any suggestions, or should I file a PR?

Did you follow the suggestion on the release announcement of using the
other
CDs and switching before you start the install.



Yes.  None of the FreeBSD kernels will boot on this system.  Doesn't matter
if I use the livefs disk, or the install disk, it only gets as far as
described above, then hangs.

- ericr


Try leaving it for a few minutes at the hang

http://www.freebsd.org/cgi/getmsg.cgi?fetch=1705690+0+/usr/local/www/db/text/2009/freebsd-questions/20090517.freebsd-questions

I got mine going by putting the hard disk in another machine, installing 
fbsd on that and building a kernel with most stuff taken out, after 
which I could boot my motherboard with that hard disk. Once it was 
booting I kept putting drivers back into the kernel until I found what 
was stopping it (device sbp in my case). You can use an external usb 
caddy and another machine with capability to boot from usb to do the 
same thing.


You might have to modify /etc/fstab.

Chris




Re: you're not going to believe this.

2009-06-23 Thread Kurt Buff
On Mon, Jun 22, 2009 at 16:07, Gary Kline wrote:
>        you guys aren't going to believe what i just found on the web for
>        the ASUS Eee-901 [or is it the "900"].  it was for the 9- and
>        10-inch screens.  i was using konq which just segv'd so i am
>        taking a break and thought i'd share this.
>
>        last night, i could barely believe the ten-inch with a 40GB SSD.
>        these mini-notebooks take two memory chips. they just plug in.
>        i was googling around and found they have 32's and even 128's.
>        so you can get 64 or up to 256Gigs of solid state disk ...
>        not in a year or two (or five or six), but now.
>
>        i'll double and triple check to make sure this isn't a sham, but
>        they had a thing on you-tube...  Oh, and next time i see the
>        speech therapist, i'll lug my hugmongous thinkpad and demo what
>        i've done with my scripts and flite
>
>        8 kilobux for a Doze speech dev my butt. with berkeley unix and
>        open source tools, you can have it for a few hundred bux.
>
>        gary

For a small unit like this, SSD is really nice.

But, for my workstations/servers, I'm wondering if a pure
battery-backed RAM disk, in RAID1 with a regular hard drive, might be
the real screamer.

Kurt


Re: you're not going to believe this.

2009-06-23 Thread Wojciech Puchar

and lifetime.


Even a flash filesystem will have to do wear levelling.


yes - but it doesn't have to copy blocks that are free. with disk emulation 
- it doesn't know anything about the filesystem and doesn't know what blocks 
are free.



Re: What's happening

2009-06-23 Thread Wojciech Puchar

>
> Jun 23 17:09:09 zeus kernel: fxp0: link state changed to DOWN
> Jun 23 17:22:25 zeus kernel: fxp0: link state changed to UP


look at time. it's 13 minutes down



Re: slowloris, accf_http and POST requests

2009-06-23 Thread Ruben de Groot
On Tue, Jun 23, 2009 at 05:23:19PM +0200, Fabian Keil typed:
> Ruben de Groot  wrote:
> 
> > On Mon, Jun 22, 2009 at 05:35:56PM -0500, Dan Nelson typed:
> > > In the last episode (Jun 22), Ruben de Groot said:
> > > > 
> > > > My main concern here is if applying the trivial patch I posted would
> > > > break anything in the http protocol layer. And if not, why isn't the
> > > > POST method included in the http accept filter in the first place?
> > > 
> > > The filter wasn't designed to be an anti-DOS tool; it was an
> > > optimization to save some context switches at the beginning of every
> > > request.  POSTs are
> > 
> > I know this. But in this particular case, it *works* as an anti-DOS
> > tool. And a pretty good one too.
> 
> How did you verify this?

By using the slowloris script against my own servers.
Running the script from a single client pc:

./slowloris.pl -dns myserver.domain.tld -port 80 -timeout 2000 -num 500 -tcpto 
5 -httpready

brings apache to its knees. No more connections are accepted as there
are already MaxClients processes running (150) and they're all 
just sitting there waiting.
With accf_http just slightly adjusted as posted, nothing happens at all.
Apache just doesn't see the connections, even with multiple clients
running the DOS.
(Of course, there'll be memory buffers in the kernel filling, but
from that I haven't seen any negative side effects yet)

> accf_http doesn't require a complete request but will also
> pass the connection to the userland if its buffer is full.

Haven't seen that, but it sounds sane.

> If you continue to send headers that will happen eventually and if
> you're impatient, you simply have to send a bit more headers at the
> beginning to reach the application faster.

Yes. A real and prolonged DDOS is hard to counter. And the accept filter
was not designed for that. It was just an observation about this
particular script.

cheers,
Ruben



Certified Hardware

2009-06-23 Thread Thompson, Rhett
Hi, 

 

Is it possible for you to provide us with an updated hardware certified
vendor list for FreeBsd.   We would like to know if FreeBSD is supported
on HP Blades and which models, network cards, HBA cards for connecting
to SAN's.   Any help will be greatly appreciated.  We need this
information as soon as possible.The current supported hardware
vendor list on the web site does not appear to be current and does not
include many other vendors.   Looking forward to hearing from you.

 

Kind Regards,

 

Rhett Thompson

 



Re: Certified Hardware

2009-06-23 Thread Glen Barber
On Tue, Jun 23, 2009 at 3:18 PM, Thompson,
Rhett wrote:
> Hi,
>
>
>
> Is it possible for you to provide us with an updated hardware certified
> vendor list for FreeBsd.   We would like to know if FreeBSD is supported
> on HP Blades and which models, network cards, HBA cards for connecting
> to SAN's.   Any help will be greatly appreciated.  We need this
> information as soon as possible.    The current supported hardware
> vendor list on the web site does not appear to be current and does not
> include many other vendors.   Looking forward to hearing from you.
>
>
>

http://www.freebsd.org/doc/en_US.ISO8859-1/books/faq/hardware.html

-- 
Glen Barber


Re: you're not going to believe this.

2009-06-23 Thread Gary Kline
On Tue, Jun 23, 2009 at 12:22:19PM -0700, Kurt Buff wrote:
> On Mon, Jun 22, 2009 at 16:07, Gary Kline wrote:
> 
> For a small unit like this, SSD is really nice.
> 
> But, for my workstations/servers, I'm wondering if a pure
> battery-backed RAM disk, in RAID1 with a regular hard drive, might be
> the real screamer.

battery-backed ram sounds great for the time being!

if not now [this minute], then relatively soon, i'm guessing
within a few years somebody will have a solid-state device that emulates
the current mechanical technology.  it will wind up being considerably
faster than the current drives and suck Much less juice.

oh yeah, and in a few years *every* computer will have a battery back up
--not just our laptops.  after some N minutes everything will be saved.
much less lost data due to sudden power outages.

gary


> 
> Kurt

-- 
 Gary Kline  kl...@thought.org  http://www.thought.org  Public Service Unix
http://jottings.thought.org   http://transfinite.thought.org
   For FBSD list: http://transfinite.thought.org/slicejourney.php
The 4.98a release of Jottings: http://jottings.thought.org/index.php



Re: Best practices for securing SSH server

2009-06-23 Thread Daniel Underwood
> A port-knocking sequence is really nothing different than a shared password.

Technically and conceptually, that's true.  But "practically", I'm not
sure you're right.  If in addition to attempting to enumerate the
space of possible passwords, an attacker also enumerates the space of
possible port-knocking sequences, then, yes, you're right.  But I am
willing to bet that the vast majority of attackers DO NOT attempt
this.  For this reason, I think well-designed port-knocking DOES add
significant strength to the server.

If I'm misunderstanding port-knocking, please jump in and correct me...


Re: you're not going to believe this.

2009-06-23 Thread David Kelly
On Tue, Jun 23, 2009 at 09:46:01PM +0200, Wojciech Puchar wrote:
> >>and lifetime.
> >
> >Even a flash filesystem will have to do wear levelling.
> 
> yes - but it doesn't have to copy blocks that are free. with disk
> emulation - it doesn't know anything about filesystem and doesn't know
> what blocks are free.

If it is swapping from heavily used blocks to lightly used blocks then
"so what" if there is an "unnecessary" read/write? Perhaps it's harder to
determine if unused than to simply move the data. I seem to recall
something like this in comments in the FreeBSD virtual memory manager in
6.0-RELEASE.

Don't want to leave the old data lying around for security reasons so
even if the blocks are unused the formerly heavily used blocks need to
be scrubbed.

As I originally said to Gary Kline, "Don't let someone scare you away
from the 99.8% solution waiting on the 99.9% solution."

-- 
David Kelly N4HHE, dke...@hiwaay.net

Whom computers would destroy, they must first drive mad.


Re: Best practices for securing SSH server

2009-06-23 Thread Erik Norgaard

Daniel Underwood wrote:
>> A port-knocking sequence is really nothing different than a shared password.
>
> Technically and conceptually, that's true.  But "practically", I'm not
> sure you're right.  If in addition to attempting to enumerate the
> space of possible passwords, an attacker also enumerates the space of
> possible port-knocking sequences, then, yes, you're right.  But I am
> willing to bet that the vast majority of attackers DO NOT attempt
> this.  For this reason, I think well-designed port-knocking DOES add
> significant strength to the server.

You're right, as long as port-knocking as a first pass authentication
scheme is not in widespread use, then any attackers will not waste time
port-knocking. If ever port-knocking becomes common, attackers will
adapt and start knocking. Or: if you want to keep port-knocking useful
then don't recommend it to anyone!

I think it is a bad idea, a wrong route to go. I think that there are so
many other options for improving security that are well tested, much
easier to deploy, cause less user annoyance etc etc.

Since, as said, the knocking sequence is a shared secret, the more users
you have the more likely it will be disclosed, and the more difficult it
is to distribute new knocking sequences as more users are affected.

More complexity, more possible failures and errors means more resources
spent on user support, and more resources spent on configuring the new
"toy". Resources that could be well spent on improving actual security
and monitoring actual threats.

You may deploy port-knocking at home for your own curiosity, but it
has no value on your curriculum.


BR, Erik
--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org
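Daniel's "shared password" framing and Erik's point that the knock sequence is a secret shared by every user can be made concrete. The script below is an added example, not code from the thread or from portknocking.org: a matcher in the style of the old log-parsing knock daemons, run over constructed pf log lines (the format approximates `tcpdump -n -ttt -r /var/log/pflog` output; the knock sequence, addresses and timestamps are assumed). The same function that authorizes the legitimate user authorizes a third party replaying the sequence, and `observed_ports` shows that the secret is readable by anyone who sees the traffic or the log.

```python
"""Port-knock matcher over firewall log lines.

Added example, not code from the thread. The log format is a constructed
approximation of `tcpdump -n -ttt -r /var/log/pflog` output; the knock
sequence, addresses and timestamps are made up.
"""
import re
from datetime import datetime, timedelta

KNOCK_SEQUENCE = (7000, 8000, 9000)   # the shared secret (assumed value)
WINDOW = timedelta(seconds=10)        # whole sequence must arrive within this

# Timestamp, then "rule N/M(match): block in on IF: src.sport > dst.dport:"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\S* rule \S+: block in on \S+: "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

# Constructed sample: a legitimate user (203.0.113.5), a source knocking in
# the wrong order (203.0.113.9), and a third party replaying what it saw
# the legitimate user do (198.51.100.77).
SAMPLE_LOG = """\
Jun 23 17:09:01.000001 rule 3/0(match): block in on fxp0: 203.0.113.5.40001 > 198.51.100.10.7000: Flags [S], length 0
Jun 23 17:09:02.000001 rule 3/0(match): block in on fxp0: 203.0.113.5.40002 > 198.51.100.10.8000: Flags [S], length 0
Jun 23 17:09:03.000001 rule 3/0(match): block in on fxp0: 203.0.113.5.40003 > 198.51.100.10.9000: Flags [S], length 0
Jun 23 17:09:10.000001 rule 3/0(match): block in on fxp0: 203.0.113.9.51000 > 198.51.100.10.7000: Flags [S], length 0
Jun 23 17:09:11.000001 rule 3/0(match): block in on fxp0: 203.0.113.9.51001 > 198.51.100.10.9000: Flags [S], length 0
Jun 23 17:09:12.000001 rule 3/0(match): block in on fxp0: 203.0.113.9.51002 > 198.51.100.10.8000: Flags [S], length 0
Jun 23 17:09:20.000001 rule 3/0(match): block in on fxp0: 198.51.100.77.3000 > 198.51.100.10.7000: Flags [S], length 0
Jun 23 17:09:21.000001 rule 3/0(match): block in on fxp0: 198.51.100.77.3001 > 198.51.100.10.8000: Flags [S], length 0
Jun 23 17:09:22.000001 rule 3/0(match): block in on fxp0: 198.51.100.77.3002 > 198.51.100.10.9000: Flags [S], length 0
"""


def parse(line, year=2009):
    """Return (timestamp, source IP, destination port), or None for other lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], int(m["dport"])


def knock_matcher(lines, sequence=KNOCK_SEQUENCE, window=WINDOW):
    """Return [(src, completion_time)] for every source that sent the whole
    sequence in order within the window. Any unexpected port resets that source."""
    progress = {}   # src -> (index of next expected knock, time of first knock)
    authorized = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, src, dport = rec
        idx, started = progress.get(src, (0, ts))
        if idx and ts - started > window:
            idx = 0                      # sequence expired, start over
        if dport != sequence[idx]:
            idx = 0                      # wrong port: reset...
            if dport != sequence[0]:     # ...unless it is itself a first knock
                progress.pop(src, None)
                continue
        if idx == 0:
            started = ts
        idx += 1
        if idx == len(sequence):
            authorized.append((src, ts))
            progress.pop(src, None)
        else:
            progress[src] = (idx, started)
    return authorized


def observed_ports(lines, src):
    """Destination ports one source hit, in order: what a passive observer
    (or anyone who can read this log) learns about the secret."""
    return [rec[2] for rec in map(parse, lines) if rec and rec[1] == src]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for src, ts in knock_matcher(lines):
        # A real daemon would now open the door, e.g. `pfctl -t knocked -T add <src>`
        print(f"{ts:%H:%M:%S} sequence complete from {src}")
    print("ports seen from 198.51.100.77:", observed_ports(lines, "198.51.100.77"))
```

The matcher's output is what a knock daemon would push into the packet filter as a table update (for pf, `pfctl -t knocked -T add 203.0.113.5` against a table referenced by a pass rule) rather than a ruleset reload. The point of `observed_ports` is that both authorized entries come from the same three-port sequence: nothing in the log distinguishes the owner of the secret from someone who watched the owner use it.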


Re: you're not going to believe this.

2009-06-23 Thread David Kelly
On Tue, Jun 23, 2009 at 01:10:41PM -0700, Gary Kline wrote:
> 
>   battery-backed ram sound great for the time being!
> 
>   if not now [this minute], then relatively soon, i'm guessing
>   within a few years somebody will have a solid-state device that emulates
>   the current mechanical technology.  it will wind up being considerably 
>   faster than the current drives and suck Much less juice.  

We are already there. SSDs are not slower than mechanical disk drives,
they are faster. The only detriments are 1) cost, 2) limited write life.

-- 
David Kelly N4HHE, dke...@hiwaay.net

Whom computers would destroy, they must first drive mad.


RE: What's happening

2009-06-23 Thread Gary Gatten
There's not NEARLY enough info in OP to answer this - I can't believe
anyone is even trying.  It could be many dozen different things.

-Original Message-
From: owner-freebsd-questi...@freebsd.org
[mailto:owner-freebsd-questi...@freebsd.org] On Behalf Of Wojciech
Puchar
Sent: Tuesday, June 23, 2009 2:47 PM
To: Robert Huff
Cc: FreeBSD-Questions@freebsd.org
Subject: Re: What's happening

>> >
>> > Jun 23 17:09:09 zeus kernel: fxp0: link state changed to DOWN
>> > Jun 23 17:22:25 zeus kernel: fxp0: link state changed to UP

look at time. it's 13 minutes down



Re: you're not going to believe this.

2009-06-23 Thread Kurt Buff
On Tue, Jun 23, 2009 at 13:59, David Kelly wrote:
> On Tue, Jun 23, 2009 at 01:10:41PM -0700, Gary Kline wrote:
>>
>>       battery-backed ram sound great for the time being!
>>
>>       if not now [this minute], then relatively soon, i'm guessing
>>       within a few years somebody will have a solid-state device that 
>> emulates
>>       the current mechanical technology.  it will wind up being considerably
>>       faster than the current drives and suck Much less juice.
>
> We are already there. SSDs are not slower than mechanical disk drives,
> they are faster. The only detriments are 1) cost, 2) limited write life.

Not completely there, AFAIK - FlashRAM write speeds are still
significantly slower than standard RAM. Of course, standard RAM is
significantly more expensive than FlashRAM, especially with the
battery backup, but it doesn't have the limited write life.

Kurt


Re: you're not going to believe this.

2009-06-23 Thread Polytropon
On Tue, 23 Jun 2009 15:59:44 -0500, David Kelly  wrote:
> We are already there. SSDs are not slower than mechanical disk drives,
> they are faster. The only detriments are 1) cost, 2) limited write life.

What about power consumption? Because they seem to be
primarily intended for portable devices, it should be
better than "traditional hard disks", but as I read,
it's worse (less efficient, because higher current
drain).



-- 
Polytropon
From Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...


Re: upgrading installed ports: time to do it ?

2009-06-23 Thread Chris Whitehouse

RW wrote:
> On Mon, 22 Jun 2009 20:58:41 +0100
> Chris Whitehouse  wrote:
>
>> I'll probably get flamed for this but since I've been using
>> ports-mgmt/portmanager I've almost forgotten
>> about /usr/ports/UPDATING and all that pkgdb -Fu stuff or whatever it
>> was. I've upgraded ports just by doing 'portmanager -u' over one or
>> two quite major changes and not had any problems that haven't been
>> down to individual ports.
>
> You still need to read UPDATING, portmanager handles some of the
> issues automatically, but not all.

Not trolling but can you give me some examples?

Chris


Re: Best practices for securing SSH server

2009-06-23 Thread Bill Moran
In response to Erik Norgaard :

> Bill Moran wrote:
> > In response to Erik Norgaard :
> > 
> >> - dynamically updating firewall rules on the interface facing the 
> >> Internet is not on my list of good practices. loading or flushing rules 
> >> continuously is the recipe for service interruption or exposing your 
> >> server to the net.
> > 
> > What crappy firewall are you using that needs flushed or reloaded to
> > update rules?  Has your packet filtering software been updated since
> > the 80s?
> 
> Whether you flush or add rules to ipf or update tables in pf etc. you 
> are modifying your firewall live.

There's a _HUGE_ difference between reloading the entire ruleset and
updating a table.  Don't trivialize that difference.

> >> - nor is having a sniffer daemon putting the network interface in 
> >> promiscuous mode, a daemon that listen on lots of ports! that really 
> >> sounds attractive. (yup: that's the latest version on portknocking.org).
> > 
> > Listening on multiple ports is not synonymous with promiscuous interfaces.
> > You should take some time to understand the difference between those two
> > techniques.
> 
> I do, you can put your interface in promiscuous mode and let the daemon 
> grab packets before they are filtered by the firewall, or open in your 
> firewall for a range of port your knock deamon will listen to. In either 
> case you add an extra daemon, an extra point of failure, an extra piece 
> of code that can undermine your security.

In your earlier message you argued that promiscuous mode is a bad idea, and
when I show that it's not the case, you magically change your argument to
be about extra processes running.  Please keep your argument consistent.

> >> And it can result in people being unable to access if the knocks are 
> >> filtered at the source.
> > 
> > Which can happen anyway if you have an ISP who filters out ssh traffic
> > (which isn't unheard of).
> 
> There's no point in adding this argument, in that case you have no 
> connection with or without port knocking. Sticking to standard protocols 
> on standard ports is the best way to ensure your ISP doesn't get in your 
> way.

Both false.  Quite frequently I've moved services to a nonstandard port
because it was the _only_ way to get a service.

... and the _best_ way to ensure your ISP doesn't pull that kind of crap
on you is to use an ISP that won't do that.  Not everyone has that option,
though.

> > What _is_ accomplished by both using a nonstandard port and using knock
> > techniques, is that you don't have the annoyance of all those botnets
> > filling up your logs with attempts to log in as root (if you don't
> > monitor your access logs daily, then I don't want to hear any argument
> > about this).  With a knock solution, or running on a nonstandard port,
> > then you know that any login attempts are serious attack attempts, and
> > not just some random, mindless bots.
> 
> I must be in the safe end of the internet, I don't get that much logs.

Must be.  I get multiple attacks per day.

> So your argument about port knocking boils down to getting rid of some 
> log entries, while annoying your users?

Nay.  It boils down to making log entries _useful_.  And if your users
are annoyed, you're not doing your job.  Something like puTTY (for example)
allows you to set up a profile.  Just set the port in the profile and
the user never need remember it again.

And if catering to users who don't know how to switch ports is more important
than making your logs useful, then do that instead.  I'm not arguing that
it's the correct solution for everyone, I'm simply arguing that it's not
totally useless, which seems to be your point.

> Now, how about your logs of failed port knocking attempts? Because, you 
> log that, right? If your idea gains traction, then attackers will start 
> knocking ports randomly ... you'll just have those logs filling up instead.

Once attackers start trying random keys instead of passwords, will you
abandon PKI as well?

Security has been, and always will be, keeping one step ahead of your
attackers.  Take the opinion that you can't stay ahead of them, and you've
already lost the war.

> > If you're doing proper security monitoring, then reducing that log load
> > is worthwhile.
> 
> if this is your main concern, why don't you just filter out the failed 
> attempts? after all they failed. If you do proper security monitoring, 
> your tools can be tuned to look at the interesting part of the logs.

Because a successful attack is already too late.  I want to know who is
_attempting_ to break in and prevent them from having additional time
to keep trying.

> There are other tricks that work well too, take a look at
> 
> LoginGraceTime
> MaxAuthTries
> MaxSessions
> MaxStartups

All of these are valid _parts_ of a comprehensive security approach to
SSH.  Any one of them alone is not very strong, but combine them with
a strong password policy and other tools, and you'll have a site that's
ve
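The four sshd_config options Erik lists (and PermitRootLogin, given the root-login bots Bill describes) are easy to check mechanically. The script below is an added example, not code from the thread or from OpenSSH: it parses the global section of a constructed sshd_config and reports values outside an assumed policy. The thresholds in POLICY are assumptions for the example, not OpenSSH defaults. Two sshd parsing rules matter for such a check and are honoured here: sshd uses the first occurrence of a keyword, and settings after a `Match` line are conditional, so the parser stops there.

```python
"""Audit the global section of an sshd_config against a small policy.

Added example, not code from the thread or from OpenSSH. The two config
texts are constructed samples and POLICY holds assumed thresholds, not
OpenSSH defaults.
"""
import re

POLICY = {
    "logingracetime": 30,     # seconds an unauthenticated connection may live
    "maxauthtries": 3,        # authentication attempts per connection
    "maxsessions": 4,         # multiplexed sessions per connection
    "maxstartups_full": 60,   # unauthenticated connections at which all new ones are refused
}

WEAK_CONFIG = """\
# constructed sample
Port 22
LoginGraceTime 2m
MaxAuthTries 6
PermitRootLogin yes
Match User backup
    MaxAuthTries 1
    MaxSessions 1
"""

HARDENED_CONFIG = """\
# constructed sample
Port 2222
LoginGraceTime 30
MaxAuthTries 3
MaxSessions 4
MaxStartups 10:30:60
PermitRootLogin no
PasswordAuthentication no
"""

_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_time(value):
    """sshd time format ('30', '2m', '1h30m') -> seconds."""
    parts = re.findall(r"(\d+)([smhdw]?)", value.lower())
    if not parts or "".join(n + u for n, u in parts) != value.lower():
        raise ValueError(f"bad time value: {value!r}")
    return sum(int(n) * _UNITS[u] for n, u in parts)


def parse_global(text):
    """{keyword_lower: value} for the global section. sshd keeps the first
    occurrence of a keyword; everything after the first Match line is
    conditional and is deliberately left out of this check."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        opts.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return opts


def audit(text, policy=POLICY):
    """Return [(Keyword, value, reason)]; an empty list means the policy holds."""
    opts = parse_global(text)
    findings = []

    def value(keyword):
        v = opts.get(keyword.lower())
        if v is None:
            findings.append((keyword, None, "not set; compiled-in default applies"))
        return v

    v = value("LoginGraceTime")
    if v is not None and parse_time(v) > policy["logingracetime"]:
        findings.append(("LoginGraceTime", v, f"longer than {policy['logingracetime']}s"))
    v = value("MaxAuthTries")
    if v is not None and int(v) > policy["maxauthtries"]:
        findings.append(("MaxAuthTries", v, f"more than {policy['maxauthtries']} tries per connection"))
    v = value("MaxSessions")
    if v is not None and int(v) > policy["maxsessions"]:
        findings.append(("MaxSessions", v, f"more than {policy['maxsessions']} sessions per connection"))
    v = value("MaxStartups")
    if v is not None:
        fields = v.split(":")
        if len(fields) != 3:
            findings.append(("MaxStartups", v, "no start:rate:full triple, so no random early drop"))
        elif int(fields[2]) > policy["maxstartups_full"]:
            findings.append(("MaxStartups", v, f"'full' above {policy['maxstartups_full']}"))
    v = value("PermitRootLogin")
    if v is not None and v.lower() != "no":
        findings.append(("PermitRootLogin", v, "direct root logins are what the bots try first"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(cfg) or 'policy holds'}")
```

To audit a running host rather than a file, feed the script the output of `sshd -T`, which prints every effective global setting one per line with lowercased keywords; `parse_global` accepts that format unchanged, and it removes the "not set" findings because every default is then spelled out.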

Re: What's happening

2009-06-23 Thread Kurt Buff
Well, sorta true.

We know that he lost connectivity for 13 minutes. As you said, there
are many reasons why this might be so, and several were suggested. The
two most likely are:

1) power loss to the switch
2) somebody disconnected the cable, then replaced it

Clearly, however, it isn't port negotiation - not over 13 minutes.
Unfortunately, he probably doesn't have a central syslog server that
collects data from hosts and other equipment, because that's the only
way to tell for sure. Things like UPS power loss/fluctuation
notifications, switch bootup notifications, etc., in the syslog would
provide the necessary data.

Kurt


On Tue, Jun 23, 2009 at 14:00, Gary Gatten wrote:
> There's not NEARLY enough info in OP to answer this - I can't believe
> anyone is even trying.  It could be many dozen different things.
>
> -Original Message-
> From: owner-freebsd-questi...@freebsd.org
> [mailto:owner-freebsd-questi...@freebsd.org] On Behalf Of Wojciech
> Puchar
> Sent: Tuesday, June 23, 2009 2:47 PM
> To: Robert Huff
> Cc: FreeBSD-Questions@freebsd.org
> Subject: Re: What's happening
>
>>> >
>>> > Jun 23 17:09:09 zeus kernel: fxp0: link state changed to DOWN
>>> > Jun 23 17:22:25 zeus kernel: fxp0: link state changed to UP
>
> look at time. it's 13 minutes down
>


Re: upgrading installed ports: time to do it ?

2009-06-23 Thread Chris Whitehouse

Jerry wrote:
> On Mon, 22 Jun 2009 20:58:41 +0100
> Chris Whitehouse  wrote:
>
>> I'll probably get flamed for this but since I've been using
>> ports-mgmt/portmanager I've almost forgotten
>> about /usr/ports/UPDATING and all that pkgdb -Fu stuff or whatever it
>> was. I've upgraded ports just by doing 'portmanager -u' over one or
>> two quite major changes and not had any problems that haven't been
>> down to individual ports.
>>
>> I've never seen any reasons given for not using portmanager, just it
>> seems to be getting quietly deprecated, which is a shame because it
>> works supremely well.
>>
>> Having said that why not check out
>> http://freebsd-custom.wikidot.com/, the new binary ports upgrade
>> system and save yourself a bunch of compile time.
>>
>> Chris
>
> I use it myself, it "just works". I would also add "-p -l" to the
> command line. That way you have a log created if something does go
> wrong. It will also fix up any outdated dependencies.

I do use logging. In fact I do 'portmanager -s > somefile', extract a
list of ports to be upgraded and run the list through a loop which does
'make config' for each port, _then_ run 'portmanager -l -u' so it runs
completely unattended. It does indeed "just work", which is down to the
way it works out to do leaf ports first and work backwards.

portmaster looks like it has some nice features, including doing all the
configs first, but I don't know if it does as good a job as portmanager
in deciding what order to do things.

Chris



Re: you're not going to believe this.

2009-06-23 Thread Roland Smith
On Tue, Jun 23, 2009 at 01:10:41PM -0700, Gary Kline wrote:
> On Tue, Jun 23, 2009 at 12:22:19PM -0700, Kurt Buff wrote:
> > On Mon, Jun 22, 2009 at 16:07, Gary Kline wrote:
> > 
> > For a small unit like this, SSD is really nice.
> > 
> > But, for my workstations/servers, I'm wondering if a pure
> > battery-backed RAM disk, in RAID1 with a regular hard drive, might be
> > the real screamer.
> 
>   battery-backed ram sound great for the time being!

The downside is low capacity: 4-8 RAM modules, limiting these devices to
64GiB. And they consume more power than HDDs when idle!
[http://techreport.com/articles.x/16255/11]

>   if not now [this minute], then relatively soon, i'm guessing
>   within a few years somebody will have a solid-state device that emulates
>   the current mechanical technology.  it will wind up being considerably 
>   faster than the current drives and suck Much less juice.  

Intel's X25 is already faster
[http://www.intel.com/design/flash/nand/extreme/index.htm] and consumes
less electricity than a HDD [http://techreport.com/articles.x/16255/11].

Of course RAM-based disks kick ass when writing
files. [http://techreport.com/articles.x/16255/6]

>   oh yeah, and in a few years *every* computer will have a battery back up
>   --not just our laptops.  after some N minutes everything will be saved.
>   much less lost data due to sudden power outtages.

I don't think so. Not every part of the world suffers from regular power
outages. And efficient batteries require rare raw materials like
lithium, with demand far outstripping winnable reserves.

Roland
-- 
R.F.Smith   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)




Re: upgrading installed ports: time to do it ?

2009-06-23 Thread dan
On Tuesday 23 June 2009 23:21:21 Chris Whitehouse wrote:
> RW wrote:
> > On Mon, 22 Jun 2009 20:58:41 +0100
> >
> > Chris Whitehouse  wrote:
> >> I'll probably get flamed for this but since I've been using
> >> ports-mgmt/portmanager I've almost forgotten
> >> about /usr/ports/UPDATING and all that pkgdb -Fu stuff or whatever it
> >> was. I've upgraded ports just by doing 'portmanager -u' over one or
> >> two quite major changes and not had any problems that haven't been
> >> down to an individual ports.
> >
> > You still need to read UPDATING, portmanager handles some of the
> > issues automatically, but not all.
>
> Not trolling but can you give me some examples?
>
> Chris

Yes. I think there is at least one. Please correct me if I am
wrong.

Yesterday, reading the contents of /usr/src/UPDATING in the source tree (using
portupdate-scan) I found :

"[...]
20090608:
  AFFECTS: users of lang/python* and py-*
  AUTHOR: m...@freebsd.org

  The default version of Python has been changed from 2.5.x to 2.6.x.
  If you have 2.5.x installed, perform an upgrade of lang/python25 to
  lang/python26 with the following command:
[...]
"
Can portmanager know that the default version of a port has been changed and
then you need to do the upgrade to the newer major version ?

And if it can know that... can portmanager also know that

"[...]
  Once the installed Python has been updated to 2.6, by using the
  method above, it is required to run the upgrade-site-packages target in
  lang/python to assure that site-packages are made available to the new
  Python version.
[...]   "?

If, otherwise, using portmanager you end up with a newer version of python 2.5
(for example)... are you sure that every upgrade in the future will work
flawlessly ? After reading the UPDATING file a guy will
"
[...]   set the PYTHON_DEFAULT_VERSION variable to 'python2.5' without
  quotes in make.conf, then go to lang/python and perform the following
  command:
[...]
"
will portmanager do the same ?


d




RE: What's happening

2009-06-23 Thread Gary Gatten
Since we're speculating, could be the switch disabled the port due to a 
"security" event of some sort (flapping, bpdu guard/filter, etc.) and it's 
configured to auto-enable after n minutes.  It's all speculation without more 
info.  If this is the only info available, it's nearly worthless.

-Original Message-
From: owner-freebsd-questi...@freebsd.org 
[mailto:owner-freebsd-questi...@freebsd.org] On Behalf Of Kurt Buff
Sent: Tuesday, June 23, 2009 4:24 PM
To: freebsd-questions@freebsd.org
Subject: Re: What's happening

Well, sorta true.

We know that he lost connectivity for 13 minutes. As you said, there
are many reasons why this might be so, and several were suggested. The
two most likely are:

1) power loss to the switch
2) somebody disconnected the cable, then replaced it

Clearly, however, it isn't port negotiation - not over 13 minutes.
Unfortunately, he probably doesn't have a central syslog server that
collects data from hosts and other equipment, because that's the only
way to tell for sure. Things like UPS power loss/fluctuation
notifications, switch bootup notifications, etc., in the syslog would
provide the necessary data.

Kurt


On Tue, Jun 23, 2009 at 14:00, Gary Gatten wrote:
> There's not NEARLY enough info in OP to answer this - I can't believe
> anyone is even trying.  It could be many dozen different things.
>
> -Original Message-
> From: owner-freebsd-questi...@freebsd.org
> [mailto:owner-freebsd-questi...@freebsd.org] On Behalf Of Wojciech
> Puchar
> Sent: Tuesday, June 23, 2009 2:47 PM
> To: Robert Huff
> Cc: FreeBSD-Questions@freebsd.org
> Subject: Re: What's happening
>
>>> >
>>> > Jun 23 17:09:09 zeus kernel: fxp0: link state changed to DOWN
>>> > Jun 23 17:22:25 zeus kernel: fxp0: link state changed to UP
>
> look at time. it's 13 minutes down
>
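Kurt's point that only a central syslog collecting both hosts and network gear can settle what happened, and Gary's suggestion of a switch err-disable that auto-recovers after n minutes, can be turned into a small correlation check. The script below is an added example, not code from the thread: it pairs the kernel's link DOWN/UP lines into outages, buckets them by duration, and lists what other devices logged inside the same window. The sample lines are constructed; the two `zeus kernel: fxp0` lines reuse the timestamps posted in the thread, the switch lines are modelled on Cisco err-disable syslog messages, and the thresholds in `classify` are assumptions.

```python
"""Link-outage detection and cross-device correlation over syslog lines.

Added example, not code from the thread. Lines are constructed: the two
`fxp0` lines copy the thread's timestamps, the rest are made up, with the
switch messages modelled on Cisco err-disable syslog text.
"""
import re
from datetime import datetime, timedelta

# "Mon DD HH:MM:SS host kernel: IFACE: link state changed to UP|DOWN"
LINK_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<ifname>\w+): link state changed to (?P<state>UP|DOWN)$"
)
# Any other syslog line: timestamp, host, message
ANY_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")

SAMPLE_SYSLOG = """\
Jun 23 17:09:09 zeus kernel: fxp0: link state changed to DOWN
Jun 23 17:09:09 switch1 %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/7, putting Fa0/7 in err-disable state
Jun 23 17:22:24 switch1 %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Fa0/7
Jun 23 17:22:25 zeus kernel: fxp0: link state changed to UP
Jun 23 18:40:00 zeus kernel: fxp0: link state changed to DOWN
Jun 23 18:40:02 zeus kernel: fxp0: link state changed to UP
"""


def parse_ts(text, year=2009):
    """Syslog timestamps carry no year; the caller supplies it."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def link_outages(lines):
    """Pair each DOWN with the next UP on the same (host, interface)."""
    down_at, outages = {}, []
    for line in lines:
        m = LINK_RE.match(line)
        if not m:
            continue
        key, ts = (m["host"], m["ifname"]), parse_ts(m["ts"])
        if m["state"] == "DOWN":
            down_at[key] = ts
        elif key in down_at:
            start = down_at.pop(key)
            outages.append({"host": key[0], "ifname": key[1], "down": start,
                            "up": ts, "seconds": (ts - start).total_seconds()})
    return outages


def classify(seconds):
    """Rough buckets (assumed thresholds): autonegotiation finishes in a few
    seconds; anything in the minutes range had another cause."""
    if seconds < 5:
        return "renegotiation"
    if seconds < 60:
        return "brief"
    return "prolonged"


def correlate(lines, outage, slack=timedelta(seconds=30)):
    """Other devices' messages that fall inside the outage window (plus slack).
    Only meaningful when every log source keeps its clock in sync."""
    start, end = outage["down"] - slack, outage["up"] + slack
    hits = []
    for line in lines:
        if LINK_RE.match(line):
            continue
        m = ANY_RE.match(line)
        if m and start <= parse_ts(m["ts"]) <= end:
            hits.append((m["host"], m["msg"]))
    return hits


if __name__ == "__main__":
    lines = SAMPLE_SYSLOG.splitlines()
    for o in link_outages(lines):
        print(f"{o['host']} {o['ifname']}: down {o['seconds']:.0f}s ({classify(o['seconds'])})")
        for host, msg in correlate(lines, o):
            print(f"    {host}: {msg}")
```

On the constructed data the 13-minute outage lines up with an err-disable and its recovery on the switch, while the two-second blip has nothing next to it and is left as a renegotiation. The correlation is only as trustworthy as the clocks: every host and switch must take time from the same NTP source before a 30-second window means anything, and a cable pulled by hand leaves no switch message at all, which is itself useful information.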


Re: you're not going to believe this.

2009-06-23 Thread David Kelly
On Tue, Jun 23, 2009 at 11:12:05PM +0200, Polytropon wrote:
> On Tue, 23 Jun 2009 15:59:44 -0500, David Kelly  wrote:
> > We are already there. SSDs are not slower than mechanical disk
> > drives, they are faster. The only detriments are 1) cost, 2) limited
> > write life.
> 
> What about power consumption? Because they seem to be primarily
> intended for portable devices, it should be better than "tradidional
> hard disks", but as I read, it's worse (less efficient, because higher
> current drain).

Don't think generic generalizations can be made this early in the life
of the technology. Shop for SSDs while looking at the properties that
interest you.

In general, reading is much faster than for mechanical HD. Also seek
time is nil. And read power consumption is low. A serious contender for
use in servers where lots of unchanging data is needed quickly. Probably
not as good of an idea for use in a mail server, but ideal for a web
server.

-- 
David Kelly N4HHE, dke...@hiwaay.net

Whom computers would destroy, they must first drive mad.


Re: Best practices for securing SSH server

2009-06-23 Thread Erik Norgaard

Bill Moran wrote:

In response to Erik Norgaard :


Bill Moran wrote:

In response to Erik Norgaard :


I do, you can put your interface in promiscuous mode and let the daemon 
grab packets before they are filtered by the firewall, or open in your 
firewall for a range of port your knock deamon will listen to. In either 
case you add an extra daemon, an extra point of failure, an extra piece 
of code that can undermine your security.


In your earlier message you argued that promiscuous mode is a bad idea, and
when I show that it's not the case, you magically change your argument to
be about extra processes running.  Please keep your argument consistent.


My argument is consistent: I still think promiscuous mode is a bad idea 
as it allows to circumvent the firewall.


I then argue that the alternative is also a bad idea since, while you 
may have got rid of the promiscuous mode problem which in itself is a 
bad idea, you still introduce a service that will need to listen on a 
number of ports.


The alternative is to have a daemon parsing firewall log files, this is 
the old solution which has been abandoned if you check portknocking.org




And it can result in people being unable to access if the knocks are 
filtered at the source.

Which can happen anyway if you have an ISP who filters out ssh traffic
(which isn't unheard of).
There's no point in adding this argument, in that case you have no 
connection with or without port knocking. Sticking to standard protocols 
on standard ports is the best way to ensure your ISP doesn't get in your 
way.


Both false.  Quite frequently I've moved services to a nonstandard port
because it was the _only_ way to get a service.


Please read again. I here argue against port knocking not against 
running on a non-standard port.


If you have a problem running your ssh on some port - standard or not - 
then you will likely also have trouble getting port-knocking working.


If you don't have a problem running you ssh on the standard port, then 
you may still find problems deploying port-knocking.


Your argument is logically inconsistent.


... an the _best_ way to ensure your ISP doesn't pull that kind of crap
on you is to use an ISP that won't do that.  Not everyone has that option,
though.


The best way to get your ISP to allow connections is to use standard 
well documented protocols on standard ports as it is fairly easy to 
convince them that this is a standard service and should be enabled.


And it's not only ISPs, it's also the other sites your users visit, 
businesses that may employ their policies. The more you divert from 
standards the more likely you are to have your connection blocked by a 
policy some where, and the more difficulty you'll have convincing that a 
change should be made.


So your argument about port knocking boils down to getting rid of some 
log entries, while annoying your users?


Nay.  It boils down to making log entries _useful_.  And if your users
are annoyed, you're not doing your job.  Something like puTTY (for example)
allows you to set up a profile.  Just set the port in the profile and
the user never need remember it again.


Yes, changing to a non-standard port is not excessively annoying and I 
agree that this measure cannot compromise the security. But I think 
port-knocking is annoying, it may cause security problems and it does 
not add any real security.



And if catering to users who don't know how to switch ports is more important
than making your logs useful, then do that instead.  I'm not arguing that
it's the correct solution for everyone, I'm simply arguing that it's not
totally useless, which seems to be your point.


It is security by obscurity not adding any real security but potentially 
worsening it or causing denial of service - no in the sense of DOS 
attacks but in the sense that it doesn't allow ordinary users to login 
and get stuff done.


Now, how about your logs of failed port knocking attempts? Because, you 
log that, right? If your idea gains traction, then attackers will start 
knocking ports randomly ... you'll just have those logs filling up instead.


Once attackers start trying random keys instead of passwords, will you
abandon PKI as well?


Bad example. The only valid point you have demonstrated thus far is that 
you get less log entries. I am not convinced that this compensates for 
the problems you face deploying it. And, then also I argue that your 
only valid point only remains valid as long as I am correct in my analysis



Security has been, and always will be, keeping one step ahead of your
attackers.  Take the opinion that you can't stay ahead of them, and you've
already lost the war.


Best way to stay ahead is to deploy solutions that add real security and 
not solutions that add complexity and obscurity.


if this is your main concern, why don't you just filter out the failed 
attempts? after all they failed. If you do proper security monitoring, 
your tools can be tuned to look a
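The point raised above about filtering failed attempts rather than hiding the port is easy to show in practice. The following is an added example, not code from anyone in this thread: it separates the lines that matter in a daily review (accepted logins) from the noise (failed attempts), and summarises the noise per source address so it can feed a firewall table instead of being read line by line. The log lines are constructed for the example in the format sshd writes via syslog (on FreeBSD they land in /var/log/auth.log); the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): view sshd log noise and signal
# separately, whichever port sshd happens to listen on.
# Constructed sample lines in sshd's syslog format; real ones are found in
# /var/log/auth.log on FreeBSD.
SAMPLE_LOG='Jun 23 10:01:02 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Jun 23 10:01:05 host sshd[1234]: Failed password for root from 203.0.113.5 port 40130 ssh2
Jun 23 10:02:11 host sshd[1240]: Accepted publickey for alice from 198.51.100.7 port 51234 ssh2
Jun 23 10:03:40 host sshd[1250]: Failed password for invalid user test from 192.0.2.44 port 33001 ssh2
Jun 23 10:04:00 host sshd[1260]: Accepted password for bob from 198.51.100.9 port 51300 ssh2'

# Print every successful login read from stdin: the lines worth reading
# by hand, because each one is a session somebody actually got.
accepted_logins() {
    grep 'sshd\[[0-9]*\]: Accepted '
}

# Count failed attempts per source address read from stdin, most active
# first, one "<count> <ip>" pair per line.
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed / {
            for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1)
         }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Source addresses with at least $1 failures: candidates for a pf/ipfw
# table, which is the mitigation the failures call for.
noisy_sources() {
    failed_by_ip | awk -v min="$1" '$1 >= min { print $2 }'
}

# Stand-alone demo on the constructed sample: "sh script.sh demo".
if [ "${1:-}" = "demo" ]; then
    echo "accepted logins:"
    printf '%s\n' "$SAMPLE_LOG" | accepted_logins
    echo "failed attempts per source:"
    printf '%s\n' "$SAMPLE_LOG" | failed_by_ip
    echo "sources with 2 or more failures:"
    printf '%s\n' "$SAMPLE_LOG" | noisy_sources 2
fi
```

On a live system, feed `/var/log/auth.log` (or `zcat` of the rotated copies) into the functions instead of the sample; the accepted-login list stays short whether sshd sits on port 22 or elsewhere, which is the "useful logs" both sides of the thread want.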

Re: 3d video driver for x1950 / Dawn of war via wine

2009-06-23 Thread Roland Smith
On Tue, Jun 23, 2009 at 09:54:02PM +, Brad Davison wrote:
> 
> I have a 7.2-RELEASE system for audio processing (Ardour, JACK, etc.) running 
> on a dual Xeon 2.8, 2gb ram 
> drm0:  on vgapci0
> with xorg7.4_2
> xorg-server-1.16.1,1
> xfce-4.6.1
> 
> I was wondering if I was using the right driver for video.  I have run
> glxgears, and I get 3d, I can play 'tuxracer' which is a 3d game, when
> I do a glxinfo, I get direct rendering: Yes (full glxinfo and xvinfo
> attached).  I am just running the 'radeon' driver.

Both the xf86-video-ati and xf86-video-radeonhd from ports should
work with this release and hardware. I'm using radeonhd on an
X1650. Works fine.
 
> I had read a really old thread in the FreeBSD wiki saying that the
> x1950 should be using the radeondrm driver.  (which I do not have, I
> tried changing that in my xorg.conf and it told me that the module
> does not exist.

This is referring to the radeon/drm kernel modules. Since you get direct
rendering, I'm assuming you already have those modules loaded or
built into the kernel. I have the following modules loaded:

slackbox:~> kldstat
Id Refs Address    Size   Name
 1    8 0x8010     681588 kernel
 2    2 0x80782000 ee78   agp.ko
 3    2 0x80791000 220f8  drm.ko
 4    1 0x807b4000 71110  radeon.ko

(This won't show drivers built into the kernel)

> I have wine-1.1.24,1, and in the downtimes, I'd really love to be able
> to play Dawn of War, which has Platinum rating in wine, but I get an
> error that my video driver is not supported as well as:

> "fixme:win:EnumDisplayDevicesW ((null),0,0xb2ec58,0x), stub!
> fixme:gl_compat:add_gl_compat_wrappers GL implementation supports 
> GL_ARB_fragment_program but not GL_EXT_fog_coord
> fixme:gl_compat:add_gl_compat_wrappers The fog coord emulation will most 
> likely fail
 "
This is probably a bug in wine:
http://archives.free.net.ph/message/20080418.104819.53073efd.en.html


Roland
-- 
R.F.Smith   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)






Re: Certified Hardware

2009-06-23 Thread Roland Smith
On Tue, Jun 23, 2009 at 03:18:33PM -0400, Thompson, Rhett wrote:

> Is it possible for you to provide us with an updated hardware certified
> vendor list for FreeBsd. 

There is no such thing, AFAIK. The volunteers who form the FreeBSD
project spend their time improving FreeBSD, not doing formal
certification tests. That should be the job of the vendor.

The hardware vendors list that you can find on the site
[http://www.freebsd.org/commercial/hardware.html] is driven by
submissions from the vendors.

>  We would like to know if FreeBSD is supported on HP Blades and which
> models, network cards, HBA cards for connecting to SAN's.

First, ask the vendors of the hardware in question. If they are
unwilling or unable to give an answer, would you want to buy their
stuff?

If you want information on particular models of hardware, search through
the archives of the freebsd-questions list. If problems exist with
particular models, that is where it will probably turn up first. If you
have specific questions, you can ask on the list. Or use zgrep to search
the manual pages in drivers category (/usr/share/man/man4).

If you want a particular piece of hardware supported, you could hire a
developer to do that for you. Maybe ask on the hackers@ list.

Roland
-- 
R.F.Smith   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
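The zgrep suggestion above, carried a little further as an added example (this is not Roland's script nor anything shipped with FreeBSD): a function that searches the section 4 manual pages for a keyword, copes with both compressed and uncompressed pages, and prints the driver names so the result can be fed straight into `man 4`. The directory argument defaults to /usr/share/man/man4; `find_drivers` is this example's own name.

```shell
#!/bin/sh
# Added example (not from the post): list section 4 driver manual pages
# whose text mentions a pattern, e.g. a chipset or vendor name.
# Usage: find_drivers PATTERN [MANDIR]   (MANDIR defaults to man4)
find_drivers() {
    pattern="$1"
    mandir="${2:-/usr/share/man/man4}"
    for page in "$mandir"/*.4 "$mandir"/*.4.gz; do
        # An unmatched glob is left as a literal string; skip it.
        [ -f "$page" ] || continue
        case "$page" in
            *.gz) reader="gzip -dc" ;;   # compressed page, as installed on FreeBSD
            *)    reader="cat" ;;        # uncompressed page
        esac
        if $reader "$page" | grep -qi -- "$pattern"; then
            # Strip the directory and the .4 / .4.gz suffix to get the driver name.
            name=$(basename "$page")
            name="${name%.gz}"
            name="${name%.4}"
            printf '%s\n' "$name"
        fi
    done | sort -u
}

# Stand-alone use: "sh script.sh Broadcom" prints matching driver names.
if [ -n "${1:-}" ]; then
    find_drivers "$1" "${2:-}"
fi
```

A match in a page's text does not guarantee the exact model is supported; open the page (`man 4 name`) and read its HARDWARE section, which is where supported models are listed.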




upgrading openoffice.org with portmaster

2009-06-23 Thread kenneth hatteland
When I start upgrading openoffice.org it switches from my localized 
language build to the standard US English one.


Anyone have an idea how to force the upgrade to stick with my Norwegian 
build with portmaster?


Platform freebsd 7.2 stable (x86)


Blessed be


Untrusted X11 forwarding setup failed

2009-06-23 Thread Daniel Underwood
Whenever I

$ ssh -X u...@server

from my FreeBSD machine, I get the following message (and am
successfully logged in):

Warning: untrusted X11 forwarding setup failed: xauth key data not generated
Warning: No xauth data; using fake authentication data for X11 forwarding.

When I log in to the same servers from my Ubuntu machines, I do NOT
get that message.

What's wrong here?


Re: you're not going to believe this.

2009-06-23 Thread Gary Kline
On Tue, Jun 23, 2009 at 12:30:25PM -0500, Gary Gatten wrote:
> If it's fast enough to allow one to work unimpeded, has acceptable
> lifetime/reliability, and uses less power/generates less heat than
> traditional platter HD - I'd say it's a good solution.  It's not a one
> size fits all world.
> 
hm.  but then, the rhetorical question might be: Does any one thing 
fit everyone?

seriously, i did check the specs sheet for this flavor of SSD.  the most
noteworthy thing was the statement that this device lasts ten years
before it fails to hold state.  the youtube video demo'd the narrator
using windoze XP and editing a video, then task-switching and browsing 
the net.  it showed some girl talking; her voice was audible.  

i'll post the site if i ever find it, but i gather it was from dec, '08.

gary


-- 
 Gary Kline  kl...@thought.org  http://www.thought.org  Public Service Unix
http://jottings.thought.org   http://transfinite.thought.org
   For FBSD list: http://transfinite.thought.org/slicejourney.php
The 4.98a release of Jottings: http://jottings.thought.org/index.php



Re: upgrading installed ports: time to do it ?

2009-06-23 Thread RW
On Tue, 23 Jun 2009 22:21:21 +0100
Chris Whitehouse  wrote:

> RW wrote:
> > On Mon, 22 Jun 2009 20:58:41 +0100
> > Chris Whitehouse  wrote:
> > 
> >> I'll probably get flamed for this but since I've been using 
> >> ports-mgmt/portmanager I've almost forgotten
> >> about /usr/ports/UPDATING and all that pkgdb -Fu stuff or whatever
> >> it was. I've upgraded ports just by doing 'portmanager -u' over
> >> one or two quite major changes and not had any problems that
> >> haven't been down to an individual ports.
> > 
> > You still need to read UPDATING, portmanager handles some of the
> > issues automatically, but not all.
> 
> Not trolling but can you give me some examples?

Many of the entries aren't solely to do with guiding
portmaster/portupgrade through the upgrade, they may also involve
migrating configuration or user data, or performing other
administrative tasks.

Portmanager does cope with most of the "portupgrade -o" and
"portupgrade -r" entries, although sometimes it will need to be run (or
rerun) in pristine mode. 

However, it doesn't always work correctly when software has been
repackaged because this can create temporary unrecorded conflicts
which are difficult for any tool to deal with. If you see any
instructions to remove packages before upgrading, it's prudent to follow
them. 


Re: you're not going to believe this.

2009-06-23 Thread Gary Kline
On Tue, Jun 23, 2009 at 03:59:44PM -0500, David Kelly wrote:
> On Tue, Jun 23, 2009 at 01:10:41PM -0700, Gary Kline wrote:
> > 
> > battery-backed ram sound great for the time being!
> > 
> > if not now [this minute], then relatively soon, i'm guessing
> > within a few years somebody will have a solid-state device that emulates
> > the current mechanical technology.  it will wind up being considerably 
> > faster than the current drives and suck Much less juice.  
> 
> We are already there. SSDs are not slower than mechanical disk drives,
> they are faster. The only detriments are 1) cost, 2) limited write life.


FOUND IT:  URL IS:



Http://www.mydigitaldiscount.com/SPD/runcore-64gb-pata-mini-pci-e-pcie-ssd-for-asus-eee-pc-901-and-1000---backorder-runcore-64gb-pata-mini-pci-e-pcie-ssd-for-asus-eee-pc-901-and-1000--88DB-1224129741.jsp

YOU were right about the cost.  i thought it was half the $220.
the 10k r/w cycle isn't that bad  


> 
> -- 
> David Kelly N4HHE, dke...@hiwaay.net
> 
> Whom computers would destroy, they must first drive mad.

-- 
 Gary Kline  kl...@thought.org  http://www.thought.org  Public Service Unix
http://jottings.thought.org   http://transfinite.thought.org
   For FBSD list: http://transfinite.thought.org/slicejourney.php
The 4.98a release of Jottings: http://jottings.thought.org/index.php



cups&samba jailed

2009-06-23 Thread Derek Funk
Attempting to set up cups and samba in a jail. How do you mount/add the 
device node /dev/ulpt0 within a jail?
Essentially I would like to know how to add device nodes within a jail's 
/dev for specifically the devices I want.
I have read man pages and tutorials on setting up jails but none show 
examples of actually putting specific device nodes within a jail's /dev. It 
would also be nice to know how to build a minimal install into a jail.  
What I have read so far from searching does not show this either.  Reading 
mostly states to refer to man pages, and the man pages state "see also" other 
man pages.  I'm missing the tie together.


Derek
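The device-node question above is usually answered on FreeBSD with a devfs ruleset rather than by creating nodes by hand: the jail's /dev is a devfs mount, and a ruleset decides which nodes are visible inside it. The following is an added example, not from the post or from the FreeBSD project; it assumes the 7.x-era rc.conf jail variables (`jail_<name>_devfs_enable`, `jail_<name>_devfs_ruleset`), the stock rulesets `devfsrules_hide_all`, `devfsrules_unhide_basic` and `devfsrules_unhide_login` from /etc/defaults/devfs.rules, a ruleset number (10) that is free on the host, and a jail named `print` rooted at /usr/jails/print. The functions only print the fragments, so they can be reviewed before being appended to /etc/devfs.rules and /etc/rc.conf.

```shell
#!/bin/sh
# Added example (not from the post): generate a least-privilege devfs
# ruleset for a jail. It starts from "hide everything", restores the basic
# nodes (null, zero, random, ...) and login ttys, then unhides only the
# device globs given, so a printer jail sees ulpt0 and nothing else.
# Assumptions: stock rulesets from /etc/defaults/devfs.rules and the
# FreeBSD 7.x style jail_<name>_devfs_* rc.conf variables.

# Print a ruleset block for /etc/devfs.rules:
#   jail_devfs_ruleset NAME NUMBER GLOB...
jail_devfs_ruleset() {
    name="$1"; number="$2"; shift 2
    printf '[%s=%s]\n' "$name" "$number"
    printf 'add include $devfsrules_hide_all\n'
    printf 'add include $devfsrules_unhide_basic\n'
    printf 'add include $devfsrules_unhide_login\n'
    for glob in "$@"; do
        # Quote the glob so devfs, not the shell, expands it.
        printf "add path '%s' unhide\n" "$glob"
    done
}

# Print the rc.conf lines that make the jail mount devfs with that ruleset:
#   jail_rc_conf JAILNAME RULESET_NAME
jail_rc_conf() {
    jail="$1"; ruleset="$2"
    printf 'jail_%s_devfs_enable="YES"\n' "$jail"
    printf 'jail_%s_devfs_ruleset="%s"\n' "$jail" "$ruleset"
}

# Stand-alone demo: "sh script.sh demo" prints both fragments for the
# hypothetical "print" jail that needs only the USB printer node.
if [ "${1:-}" = "demo" ]; then
    echo "# append to /etc/devfs.rules"
    jail_devfs_ruleset devfsrules_jail_print 10 'ulpt*'
    echo "# append to /etc/rc.conf"
    jail_rc_conf print devfsrules_jail_print
fi
```

Rulesets in /etc/devfs.rules are loaded at boot by the devfs rc script; for a jail whose /dev is already mounted, the same ruleset can be applied in place with `devfs -m /usr/jails/print/dev rule -s 10 applyset` (the mount point and number are the example's assumptions). Keeping the jail on a hide-all base means a compromised cups or samba process inside it cannot reach disks, raw memory or other hosts' devices that the jail never needed.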


PCI-X SATA card for FreeBSD

2009-06-23 Thread Olivier Nicole
--- Start of forwarded message ---
Hi,

I am not sure if any card of the type exists, but I am looking for a
PCI-X card with external SATA connectors (1 or 2) that support port
multipliers.

The idea is to attach a bank of disks to use as backup media.

TIA,

Olivier


security/pgp on amd64

2009-06-23 Thread Olivier Nicole
--- Start of forwarded message ---
Hi,

Is the port security/pgp working on amd64 system?

I copied my public and private keyrings from i386 to amd64 system and
I cannot decipher any file, it keeps on complaining that the pass
phrase is bad.

I already tried to export the key on the i386 and import on the amd64,
but it did not change a thing.

TIA,

Olivier