Re: need help with pf configuration

2011-10-09 Thread Patrick Lamaiziere
On Sun, 9 Oct 2011 12:15:54 +0700, Victor Sudakov v...@mpeks.tomsk.su wrote:

> I have a configuration with 2 inside interfaces, 1 outside and 1 dmz
> interface. The traffic should be able to flow
>
> 1) from inside1 to any (and back)
> 2) from inside2 to any (and back)
> 3) from dmz to outside only (and back).
>
> I need no details, just a general hint how to setup such security
> levels, preferably independent of actual IP addresses behind the
> interfaces (a :network macro is not always sufficient).

You may use urpf-failed instead of :network.
urpf-failed: Any source address that fails a unicast reverse path
forwarding (URPF) check, i.e. packets coming in on an interface other
than that which holds the route back to the packet's source address.

something like
block in quick on $inside1 from urpf-failed to any
pass in quick on $inside1

I've not tested this.

Regards
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: need help with pf configuration

2011-10-09 Thread Victor Sudakov
Patrick Lamaiziere wrote:
>
>> I have a configuration with 2 inside interfaces, 1 outside and 1 dmz
>> interface. The traffic should be able to flow
>>
>> 1) from inside1 to any (and back)
>> 2) from inside2 to any (and back)
>> 3) from dmz to outside only (and back).
>>
>> I need no details, just a general hint how to setup such security
>> levels, preferably independent of actual IP addresses behind the
>> interfaces (a :network macro is not always sufficient).
>
> You may use urpf-failed instead of :network.
> urpf-failed: Any source address that fails a unicast reverse path
> forwarding (URPF) check, i.e. packets coming in on an interface other
> than that which holds the route back to the packet's source address.

Excuse me, I do not see how this is relevant to my question (allowing
traffic to be initiated from a more secure interface to a less secure
interface and not vice versa).

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru


Re: pkg_upgrade seems to try server that isn't right

2011-10-09 Thread Mike Clarke
On Sunday 09 October 2011, Conrad J. Sabatier wrote:

> I assume you mean pkg_upgrade (not upgrade_pkg)?
>
> See the ENVIRONMENT section of the man page.  All of the pkg_*
> tools are consistent in how they reference these variables.

There isn't a pkg_upgrade in the base system and I'm not aware of one in 
ports either but I'm open to correction. There is a python script, 
pkgupgrade, developed by Michel Talon which might meet the OP's needs 
http://www.lpthe.jussieu.fr/~talon/. Alternatively the OP could use 
either portmaster or portupgrade from ports, both of these can be 
forced to use packages instead of building from source by using the -P 
or -PP options.

-- 
Mike Clarke


Re: need help with pf configuration

2011-10-09 Thread Patrick Lamaiziere
On Sun, 9 Oct 2011 14:39:10 +0700, Victor Sudakov v...@mpeks.tomsk.su wrote:

>>> I need no details, just a general hint how to setup such security
>>> levels, preferably independent of actual IP addresses behind the
>>> interfaces (a :network macro is not always sufficient).
>>
>> You may use urpf-failed instead of :network.
>> urpf-failed: Any source address that fails a unicast reverse path
>> forwarding (URPF) check, i.e. packets coming in on an interface
>> other than that which holds the route back to the packet's source
>> address.
>
> Excuse me, I do not see how this is relevant to my question (allowing
> traffic to be initiated from a more secure interface to a less secure
> interface and not vice versa).

Sorry, you can't do this with pf, ipf or ipfw (the 3 firewalls in
FreeBSD). There is no concept of security level at all, you must specify
on each interface the traffic allowed (in input and output).

My reply was about the use of the interface:network addresses.

Regards.


two networks in one server?

2011-10-09 Thread pepe
Hello!

I'm just asking before trying: is it possible to use two network uplinks in
one server so that the other would be just a backup way in?
I currently have connections from two ISPs and the server is up with one
connection. Is it possible to add another NIC and wire that to the connection
from the other ISP? So ISP 1 would be in normal use in/out, but ISP 2 could be
used for connecting in?

-- 
pepe


Re: need help with pf configuration

2011-10-09 Thread Matthew Seaman
On 09/10/2011 10:31, Patrick Lamaiziere wrote:
> On Sun, 9 Oct 2011 14:39:10 +0700, Victor Sudakov v...@mpeks.tomsk.su wrote:
>
>>>> I need no details, just a general hint how to setup such security
>>>> levels, preferably independent of actual IP addresses behind the
>>>> interfaces (a :network macro is not always sufficient).
>>>
>>> You may use urpf-failed instead of :network.
>>> urpf-failed: Any source address that fails a unicast reverse path
>>> forwarding (URPF) check, i.e. packets coming in on an interface
>>> other than that which holds the route back to the packet's source
>>> address.
>>
>> Excuse me, I do not see how this is relevant to my question (allowing
>> traffic to be initiated from a more secure interface to a less secure
>> interface and not vice versa).
>
> Sorry, you can't do this with pf, ipf or ipfw (the 3 firewalls in
> FreeBSD). There is no concept of security level at all, you must specify
> on each interface the traffic allowed (in input and output).
>
> My reply was about the use of the interface:network addresses.

pf has the concept of packet tagging.  So you can write a small rule to
tag traffic crossing eg. your set of internal interfaces and then write
one ruleset to filter all that traffic identified by tag.

Quoting pf.conf(5):  This can be used, for example, to
   provide trust between interfaces and to determine if packets
   have been processed by translation rules.

I think that's roughly equivalent to what the OP was asking about.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matt...@infracaninophile.co.uk
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW



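A complete ruleset along the lines Matthew sketches, as an added example that is not part of the thread and not any poster's own configuration: the trust levels inside > dmz > outside are expressed with tag/tagged, and Patrick's urpf-failed supplies the anti-spoofing check that does not depend on the networks behind the interfaces. Interface names are assumptions; NAT and services offered by the firewall itself are left out.

```pf
# Added example, not from the thread.  Interface names are assumptions.
ext_if  = "em0"
inside1 = "em1"
inside2 = "em2"
dmz_if  = "em3"

set skip on lo0
set block-policy drop

# The policy below is enforced by "pass out ... tagged" rules.  That only
# works if the state created on the ingress interface does not also pass
# the packet on the egress interface.  With the default "floating" policy
# it would, and the tagged out rules would never be evaluated, so states
# must be bound to the interface they were created on.
set state-policy if-bound

# Anti-spoofing without listing any network: drop packets whose source
# address would not be routed back out the interface they arrived on.
block in quick from urpf-failed

# Default deny, logged; every flow below has to be opened explicitly.
block log all

# Classify by ingress interface.  The tag travels with the packet (and is
# stored in the state) through the rest of the ruleset.
pass in on { $inside1 $inside2 } tag INSIDE keep state
block in quick on $dmz_if to self          # dmz may not talk to the firewall
pass in on $dmz_if tag DMZ keep state
# No "pass in on $ext_if": the outside cannot open flows at all.

# Egress policy in terms of tags only: a tag may leave towards any
# interface of equal or lower trust.
pass out on { $inside1 $inside2 $dmz_if $ext_if } tagged INSIDE keep state
pass out on $ext_if tagged DMZ keep state
# DMZ -> inside is absent here, so it falls to "block log all" on egress.

# Traffic the firewall itself originates carries no tag.
pass out on $ext_if from ($ext_if) to any keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f`. The state-policy line is the part that bites: leave it at the floating default and a flow that created state on em1 is passed out of em0 by that same state, the tagged rules are never consulted, and the policy silently degrades to "whatever got in gets out". After loading, `pfctl -ss` should show two states per forwarded flow, one on each interface.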


Re: two networks in one server?

2011-10-09 Thread Matthew Seaman
On 09/10/2011 10:36, pepe wrote:
> I'm just asking before trying: is it possible to use two network uplinks in
> one server so that the other would be just a backup way in?
> I currently have connections from two ISPs and the server is up with one
> connection. Is it possible to add another NIC and wire that to the connection
> from the other ISP? So ISP 1 would be in normal use in/out, but ISP 2 could be
> used for connecting in?

This is a very commonly asked question around the Internet.

The answer is: it's a lot harder to do properly than you might think.
It requires understanding Internet routing protocols like BGP, and you will
need the cooperation of both ISPs to make it all work.

However there is a light version which might work for you.  Keywords
here are policy based routing.  In this case you can use firewall
software to forward packets by an alternate gateway.  This only affects
the outward path from your system: no good at all if all the incoming
traffic is using an uplink that fails, but you can use it to load
balance across multiple links.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matt...@infracaninophile.co.uk
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW



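The "light version" Matthew describes, as an added example that is not from the thread: a pf ruleset for a single server with two uplinks, where ISP 1 carries the default route and ISP 2 only accepts inbound connections, which is what pepe asked for. The interface names, addresses and gateways are made up for illustration, and the service ports are an assumption.

```pf
# Added example, not from the thread.  Interface names, addresses,
# gateways and service ports are all made up for illustration.
isp1_if  = "em0"            # primary uplink; the default route points here
isp2_if  = "em1"            # backup uplink; only used for inbound connections
isp1_gw  = "198.51.100.1"
isp2_gw  = "203.0.113.1"
services = "{ 22 80 443 }"

set skip on lo0
block log all

# Connections that arrive on the backup uplink are answered through the
# backup uplink, whatever the routing table says: reply-to stores the
# gateway in the state, so every packet on the reverse path of that state
# leaves via isp2.  Without it the SYN-ACK would go out via isp1 carrying
# isp2's source address and be dropped upstream by the first router that
# filters on source prefix.
pass in on $isp2_if reply-to ($isp2_if $isp2_gw) \
    proto tcp from any to ($isp2_if) port $services keep state

# The primary uplink follows the routing table; no routing option needed.
pass in on $isp1_if proto tcp from any to ($isp1_if) port $services keep state

# Traffic the server originates leaves via the default route.
pass out on $isp1_if from ($isp1_if) to any keep state

# If a local process binds to isp2's address and the kernel routes the
# packet out via isp1, route-to steers it back onto isp2 so the source
# address matches the uplink it leaves on.
pass out on $isp1_if route-to ($isp2_if $isp2_gw) \
    from ($isp2_if) to any keep state
```

This does exactly what Matthew says and no more: connections to the isp2 address work, but if isp1 goes down the default route still points at it, and outbound traffic stays broken until the route is changed by hand or by a monitoring script. For the "connecting in" case to be useful the isp2 address also has to be published (a second A record, or simply known to the admins who will use it).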


Re: need help with pf configuration

2011-10-09 Thread Nikos Vassiliadis

On 10/9/2011 10:39 AM, Victor Sudakov wrote:
> Patrick Lamaiziere wrote:
>>
>>> I have a configuration with 2 inside interfaces, 1 outside and 1 dmz
>>> interface. The traffic should be able to flow
>>>
>>> 1) from inside1 to any (and back)
>>> 2) from inside2 to any (and back)
>>> 3) from dmz to outside only (and back).
>>>
>>> I need no details, just a general hint how to setup such security
>>> levels, preferably independent of actual IP addresses behind the
>>> interfaces (a :network macro is not always sufficient).
>>
>> You may use urpf-failed instead of :network.
>> urpf-failed: Any source address that fails a unicast reverse path
>> forwarding (URPF) check, i.e. packets coming in on an interface other
>> than that which holds the route back to the packet's source address.
>
> Excuse me, I do not see how this is relevant to my question (allowing
> traffic to be initiated from a more secure interface to a less secure
> interface and not vice versa).



What if you combine macros and lists?
The ruleset below seems scalable to any number of interfaces.

inside1 = em1
inside2 = em2
dmz = em0
insides = { $inside1:network $inside2:network }

pass in on $dmz from $dmz:network to any
block in on $dmz from any to $insides

This expands nicely to:
lab# pfctl -vf te
inside1 = em1
inside2 = em2
dmz = em0
insides = { em1:network em2:network }
pass in on em0 inet from 192.168.73.0/24 to any flags S/SA keep state
block drop in on em0 inet from any to 10.0.0.0/29
block drop in on em0 inet from any to 192.168.56.0/24

HTH, Nikos


Re: two networks in one server?

2011-10-09 Thread Jorge Biquez

Hello all.

Another solution I have seen some clients use: a router that
accepts different ISPs, in this case ADSL. The equipment does the job
and integrates all the internet services so the internal network sees
them as only one. I guess there are units of 24-8 and 16 connections.


I hope this helps.



Re: New FreeBSD User | HP Doesn't Boot

2011-10-09 Thread Armin Pirkovitsch

On 10/09/11 01:11, Michael Starr wrote:
> Hello Everyone,
>
> I am a brand new FreeBSD user with minimal Unix knowledge. I have
> successfully installed FreeBSD on a computer dedicated to the operating
> system. However, after rebooting, the machine can't boot, nor get into BIOS.
> I installed the system from a bootable USB stick. I would try another fresh
> install, but currently I can't do anything. Could someone please direct me
> to a solution? I hope I did not irrevocably alter my BIOS. Any help would be
> deeply appreciated. Thank you.
>
> Computer: HP dvr6 2150us (laptop)


First of all: I looked up your notebook and it looks like you have an
Intel Core i3 with an Intel GMA HD.
If that is the case you will have trouble running Xorg on that notebook
due to the lack of KMS in FreeBSD. There is a patch for HEAD (the
development version of FreeBSD) but quite some work is needed to get it
running.
KMS is under development right now, but not yet available in any
release...


Regarding your problem:

I have the same problem on my notebook. My solution is dirty but I was
not able to find a better one (or rather, not any other at all):


- Install FreeBSD, remove the disk from your computer, put it in an
external case and run fdisk (e.g. Linux fdisk; I used fdisk from the
Parted Magic boot CD for that).
Mark the correct partition as active (even if it's already marked as
such: remove the flag, write it, set it back and write again).
- Put it back into your notebook; now everything should work fine.
Don't ever press any of the F keys during boot (it usually prompts
for it); it would result in the same problem as before.
- If you want to install e.g. Windows, now would be the time (if so, use
the Windows boot manager to boot FreeBSD; do NOT use the FreeBSD boot
manager (the F1, F2, ... thing)).

[ http://bastian.rieck.ru/howtos/windows_boot_manager/ ]

To be honest, I haven't tried booting FreeBSD after that fix without
Windows, so no promises there; it might happen that it boots e.g. only
once...


An alternative solution would be to install FreeBSD using GPT instead of
MBR (works if you a) don't care about Windows, or b) have a UEFI BIOS to
install Windows on a GPT disk).


Armin


System randomly not logging complete bi-directional traffic.

2011-10-09 Thread freebsd_user
freebsd-questions@freebsd.org
#
#
# FreeBSD_7-4 RELEASE
# Our hardware is pristine
#
# What is described herein are regular, yet random occurrences; we need help.

We have already performed a reinstall of FreeBSD_7-4 RELEASE (and the
daemons in question); the issue remains. Below, is part of a conversation
with an httpd whereby the packets (entire conversations) are randomly
'not' being logged and/or seen by either the httpd nor ipfw (logging
enabled), yet both tshark and tcpdump are capturing everything.

To be perfectly clear, httpd and ipfw (randomly) will not see/log anything
of an 'entire conversation'.  It is not like it drops certain packets of a
conversation; they (httpd/ipfw) either see and log everything during a
conversation, or, 'do not see' and 'do not log' any packet associated with
a given conversation; all the while tshark and tcpdump are capturing
everything (bidirectional); hence the connection is real.

The capture below was witnessed by both tshark and tcpdump, but not logged
via the httpd or the following ipfw rule:

$cmd 00029 deny log logamount 0 ip from table(1) to me 80

The above ipfw rule functions properly from table(1) which contains --
ip.ip.ip.ip/32 -- one (1) ip per line.

The names (below) were changed to protect the innocent; yeah right.

Internet Protocol Version 4, Src: ex.ter.nal.ip (ex.ter.nal.ip), Dst: in.ter.nal.ip (in.ter.nal.ip)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 60
    Identification: 0x8ce5 (36069)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 251
    Protocol: TCP (6)
    Header checksum: 0x9102 [correct]
        [Good: True]
        [Bad: False]
    Source: ex.ter.nal.ip (ex.ter.nal.ip)
    Destination: in.ter.nal.ip (in.ter.nal.ip)
Transmission Control Protocol, Src Port: 46463 (46463), Dst Port: http (80), Seq: 0, Len: 0
    Source port: 46463 (46463)
    Destination port: http (80)
    [Stream index: 19]
    Sequence number: 0    (relative sequence number)
    Header length: 40 bytes
    Flags: 0x02 (SYN)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...0 .... = Acknowledgement: Not set
        .... .... 0... = Push: Not set
        .... .... .0.. = Reset: Not set
        .... .... ..1. = Syn: Set
            [Expert Info (Chat/Sequence): Connection establish request (SYN): server port http]
                [Message: Connection establish request (SYN): server port http]
                [Severity level: Chat]
                [Group: Sequence]
        .... .... ...0 = Fin: Not set
    Window size value: 5840
    [Calculated window size: 5840]
    Checksum: 0xe7f8 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    Options: (20 bytes)
        Maximum segment size: 1460 bytes
        TCP SACK Permitted Option: True
        Timestamps: TSval 309029146, TSecr 0
            Kind: Timestamp (8)
            Length: 10
            Timestamp value: 309029146
            Timestamp echo reply: 0
        No-Operation (NOP)
        Window scale: 7 (multiply by 128)
            Kind: Window Scale (3)
            Length: 3
            Shift count: 7
            [Multiplier: 128]
    Frame Number: 51
    Frame Length: 74 bytes (592 bits)
    Capture Length: 74 bytes (592 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ip:tcp]
Ethernet II, Src: Router_cf:gr:f0 (11:52:c3:fd:dd:f0), Dst: Goe_40:84:21 (00:15:18:40:28:41)
    Destination: Goe_40:84:21 (00:15:18:40:28:41)
        Address: Goe_40:84:21 (00:15:18:40:28:41)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: Router_cf:gr:f0 (11:52:c3:fd:dd:f0)
        Address: Router_cf:gr:f0 (11:52:c3:fd:dd:f0)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol Version 4, Src: ex.ter.nal.ip (ex.ter.nal.ip), Dst: in.ter.nal.ip (in.ter.nal.ip)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport)

Re: System randomly not logging complete bi-directional traffic.

2011-10-09 Thread Michael Sierchio
Sorry to have missed your prior post - please include the entire
ruleset.  Thanks.

On Sun, Oct 9, 2011 at 10:28 AM, freebsd_u...@guice.ath.cx wrote:
> freebsd-questions@freebsd.org
> #
> #
> # FreeBSD_7-4 RELEASE
> # Our hardware is pristine
> #
> # What is described herein are regular, yet random occurrences; we need help.
>
> We have already performed a reinstall of FreeBSD_7-4 RELEASE (and the
> daemons in question); the issue remains. Below, is part of a conversation
> with an httpd whereby the packets (entire conversations) are randomly
> 'not' being logged and/or seen by either the httpd nor ipfw (logging
> enabled), yet both tshark and tcpdump are capturing everything.
>
> To be perfectly clear, httpd and ipfw (randomly) will not see/log anything
> of an 'entire conversation'.  It is not like it drops certain packets of a
> conversation; they (httpd/ipfw) either see and log everything during a
> conversation, or, 'do not see' and 'do not log' any packet associated with
> a given conversation; all the while tshark and tcpdump are capturing
> everything (bidirectional); hence the connection is real.
>
> The capture below was witnessed by both tshark and tcpdump, but not logged
> via the httpd or the following ipfw rule:
>
> $cmd 00029 deny log logamount 0 ip from table(1) to me 80
>
> The above ipfw rule functions properly from table(1) which contains --
> ip.ip.ip.ip/32 -- one (1) ip per line.
>
> The names (below) were changed to protect the innocent; yeah right.


Rhythmbox and Ipod

2011-10-09 Thread Jason C. Wells
Is anyone here able to use Rhythmbox to manage their iPods?  I'd like to
break the dependency on iTunes if I can.  I've run the package and
compiled my own with the ipod option set, to no avail.  The iPod is not
displayed in devices under Rhythmbox.  dmesg shows that the device is
probed.  I am able to mount the iPod using msdosfs.


Perhaps there is some hal, dbus, or other dependency that I am missing.
How did you get your iPod to work with Rhythmbox?


Thanks,
Jason


Can't access a music CD

2011-10-09 Thread Michael D. Norwick

Good Day;

Since installing FreeBSD 9-beta2 (now 9-beta3) I have not been able to 
play a music cd with the dvd writer on this laptop.  It is a Dell 
Latitude D630.  I have built several new worlds and kernels with the 
following devices enabled in the kernel config.;


device          scbus           # SCSI bus (required for ATA/SCSI)
device          ch              # SCSI media changers
device          atapicam
device          da              # Direct Access (disks)
device          sa              # Sequential Access (tape etc)
device          cd              # CD
device          pass            # Passthrough device (direct ATA/SCSI access)
device          ses             # SCSI Environmental Services (and SAF-TE)

$uname -a

FreeBSD ..net 9.0-BETA3 FreeBSD 9.0-BETA3 #0: Sat Oct  8 
19:48:29 CDT 2011 
michael@..net:/usr/obj/usr/src/sys/KERNEL_100811  amd64


This kernel was built after a recent csup and portsnap fetch.  The 
buildworld and buildkernel steps have executed several times without 
error.  A recent portupgrade only updated a couple of applications.


dmesg says this;

cd0 at ata0 bus 0 scbus1 target 0 lun 0
cd0: TSSTcorp DVD+-RW TS-L632H D300 Removable CD-ROM SCSI-0 device
cd0: 33.300MB/s transfers (UDMA2, ATAPI 12bytes, PIO 65534bytes)
cd0: Attempt to query device size failed: NOT READY, Medium not present 
- tray closed


and /boot/loader.conf says this;

linux_load="YES"
atapicam_load="YES"

With a music CD in the drive /var/log/messages says this;

Oct  9 20:19:01 bucksnort kernel: (cd0:ata0:0:0:0): READ(10). CDB: 28 0 0 0 0 0 0 0 40 0
Oct  9 20:19:01 bucksnort kernel: (cd0:ata0:0:0:0): CAM status: SCSI Status Error
Oct  9 20:19:01 bucksnort kernel: (cd0:ata0:0:0:0): SCSI status: Check Condition
Oct  9 20:19:01 bucksnort kernel: (cd0:ata0:0:0:0): SCSI sense: ILLEGAL REQUEST asc:64,0 (Illegal mode for this track)
Oct  9 20:19:01 bucksnort kernel: (cd0:ata0:0:0:0): cddone: got error 0x6 back


and /etc/devfs.conf says this;

# Commonly used by many ports
#link   acd0    cdrom
link    cd0     cdrom
own     cd0     root:wheel
perm    cd0     0660

I think I might be missing something in /etc/devfs.conf.  man devfs.conf 
or the handbook did not get me any closer to a solution.


It worked under 8.2 on this machine.

Thank You for the help.

Michael


Re: need help with pf configuration

2011-10-09 Thread Victor Sudakov
Patrick Lamaiziere wrote:
>
>>>> I need no details, just a general hint how to setup such security
>>>> levels, preferably independent of actual IP addresses behind the
>>>> interfaces (a :network macro is not always sufficient).
>>>
>>> You may use urpf-failed instead of :network.
>>> urpf-failed: Any source address that fails a unicast reverse path
>>> forwarding (URPF) check, i.e. packets coming in on an interface
>>> other than that which holds the route back to the packet's source
>>> address.
>>
>> Excuse me, I do not see how this is relevant to my question (allowing
>> traffic to be initiated from a more secure interface to a less secure
>> interface and not vice versa).
>
> Sorry, you can't do this with pf, ipf or ipfw (the 3 firewalls in
> FreeBSD). There is no concept of security level at all, you must specify
> on each interface the traffic allowed (in input and output).

Actually you can with ipfw. The following concise ruleset should do it:

check-state
# a flow may be opened only from the more trusted (recv) interface to the
# less trusted (xmit) one; keep-state lets check-state admit the replies
permit ip from any to any recv INSIDE xmit DMZ keep-state
permit ip from any to any recv INSIDE xmit OUTSIDE keep-state
permit ip from any to any recv DMZ xmit OUTSIDE keep-state


-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru
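Victor's recv/xmit ruleset carried through to a loadable script, as an added example that is not Victor's own and not from the thread. It keeps his point that the decision is made purely on receive and transmit interface, so no address behind any interface has to be listed, and adds the second inside interface, the firewall's own traffic, a verrevpath anti-spoofing rule (ipfw dynamic rules match on addresses, not interfaces, so a spoofed "reply" arriving on the wrong interface would otherwise be accepted) and an explicit final deny so the result does not depend on the kernel's default policy. Interface names are assumptions; `allow` is used where Victor wrote its synonym `permit`.

```sh
#!/bin/sh
# Added example, not from the thread: Victor Sudakov's recv/xmit idea as a
# complete ipfw ruleset.  Interface names are assumptions; override them
# or IPFW in the environment (IPFW=echo prints instead of loading).

INSIDE1=${INSIDE1:-em1}
INSIDE2=${INSIDE2:-em2}
DMZ=${DMZ:-em3}
OUTSIDE=${OUTSIDE:-em0}
IPFW=${IPFW:-"ipfw -q"}

rule_no=100
fw() {                       # fw <rule body>: add with the next free number
    $IPFW add $rule_no "$@"
    rule_no=$((rule_no + 10))
}

# Open a flow from a more-trusted to a less-trusted interface.  Only the
# receive and transmit interfaces are examined, so the rule is independent
# of the addresses behind them; keep-state admits the replies.
permit_flow() {              # permit_flow <recv-if> <xmit-if>
    fw allow ip from any to any recv "$1" xmit "$2" keep-state
}

build_ruleset() {
    $IPFW -f flush
    rule_no=100

    fw allow ip from any to any via lo0
    fw deny ip from any to 127.0.0.0/8
    fw deny ip from 127.0.0.0/8 to any

    # Drop inbound packets whose source is not routed back out the
    # receiving interface.  Dynamic rules created by keep-state match on
    # addresses only, so spoofed "replies" have to be stopped before
    # check-state sees them.
    fw deny log ip from any to any not verrevpath in

    # Packets belonging to flows that were already permitted.
    fw check-state

    # Trust order: inside1 = inside2 > dmz > outside.
    for i in $INSIDE1 $INSIDE2; do
        for o in $INSIDE1 $INSIDE2 $DMZ $OUTSIDE; do
            [ "$i" = "$o" ] || permit_flow "$i" "$o"
        done
        # inside hosts may also reach the firewall itself
        fw allow ip from any to me in recv "$i" keep-state
    done
    permit_flow "$DMZ" "$OUTSIDE"

    # Whatever the firewall itself originates.
    fw allow ip from me to any out keep-state

    # dmz -> inside, dmz -> firewall and anything from outside fall through
    # to here, whatever the kernel's default policy is.
    rule_no=65000
    fw deny log ip from any to any
}

case "${1:-}" in
    load)  build_ruleset ;;
    print) IPFW=echo; build_ruleset ;;
esac
```

`sh ipfw.rules print` shows the rules that would be installed; `sh ipfw.rules load` (as root) installs them. Note that the dynamic rules created here are keyed on addresses and ports, so `ipfw -d show` is the place to look when a reply is accepted that the static rules would not have passed.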


Re: p11-kit port patch fail on 8.2p3. [solved]

2011-10-09 Thread ill...@gmail.com
On 3 October 2011 16:15, R. Clayton rvclay...@verizon.net wrote:

 Odd, I find no such file as patch-p11-kit-modules.c here (9.0-BETA3-amd64),
 either in /usr/ports/distfiles/ or in /usr/ports/security/p11-kit/files/.

  It was in /usr/ports/security/p11-kit/files:

    # cat /tmp/patch-p11-kit-modules.c
    --- p11-kit/modules.c.orig      2011-09-15 18:15:24.0 -0700
    +++ p11-kit/modules.c   2011-09-15 18:16:27.0 -0700
    @@ -50,11 +50,12 @@
     #include dirent.h
     #include dlfcn.h
     #include errno.h
    +#include limits.h
     #include pthread.h
     #include stdarg.h
     #include stddef.h
    -#include stdlib.h
     #include stdio.h
    +#include stdlib.h
     #include string.h
     #include unistd.h
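Review bot: the only functional change in this hunk is the added limits.h include; moving stdlib.h below stdio.h is a cosmetic reorder that turns a one-line fix into three changed lines and gives the patch more context to go stale against, which is exactly what a files/ patch that outlives its upstream source does, as this thread shows. Keep the hunk to the single `+#include limits.h` line, and record in the port's commit message which identifier from limits.h the build needed, because nothing in the hunk shows it.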

    #

Yup, the make system automatically tries to apply any patches found
in the (relative) files/ directory.  Stale files in there are naughty.

