Re: ifconfig alias: File Exists

2004-10-20 Thread Christian Kratzer
Hi,
On Tue, 19 Oct 2004, Marc G. Fournier wrote:
> On Tue, 19 Oct 2004, Christian Kratzer wrote:
> > Hi,
> > On Tue, 19 Oct 2004, Marc G. Fournier wrote:
> > > Why would I be getting:
> > > # ifconfig fxp0 alias 200.46.204.9
> > > ifconfig: ioctl (SIOCAIFADDR): File exists
> > > when I know for a fact that it hasn't been configured?
> > you should use a netmask of 255.255.255.255 for ipv4 aliases.
> > 	ifconfig fxp0 alias 200.46.204.9 netmask 255.255.255.255
> Is that new?  You are right, that fixed it, but didn't think I had to do that
> before :(
no it's been like that since I know of FreeBSD 2.0 and probably longer.
The BSD ip stack adds a route to the connected network over the
respective interface when you do an ifconfig.
Using the same netmask on all aliases will cause it to try to add the
same route multiple times, causing the error you saw.
Greetings
Christian
--
Christian Kratzer   [EMAIL PROTECTED]
CK Software GmbHhttp://www.cksoft.de/
Phone: +49 7452 889 135 Fax: +49 7452 889 136
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: ifconfig alias: File Exists

2004-10-19 Thread Christian Kratzer
Hi,
On Tue, 19 Oct 2004, Marc G. Fournier wrote:
> Why would I be getting:
> # ifconfig fxp0 alias 200.46.204.9
> ifconfig: ioctl (SIOCAIFADDR): File exists
> when I know for a fact that it hasn't been configured?
you should use a netmask of 255.255.255.255 for ipv4 aliases.
	ifconfig fxp0 alias 200.46.204.9 netmask 255.255.255.255
Greetings
Christian
--
Christian Kratzer   [EMAIL PROTECTED]
CK Software GmbHhttp://www.cksoft.de/
Phone: +49 7452 889 135 Fax: +49 7452 889 136
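The two replies above say that the "File exists" error comes from the kernel trying to install the same connected route twice. The script below is an added example, not part of the thread: it computes the connected route that an address/netmask pair produces and shows that a second alias in the same subnet with the same netmask collides with the existing route, whereas a 255.255.255.255 netmask yields a distinct host route. The primary address 200.46.204.5 is a constructed sample value; 200.46.204.9 is the alias from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): computes the connected route that the
# BSD stack adds for an address/netmask pair and shows why an alias in the
# same subnet with the same netmask collides with the existing route, while
# a 255.255.255.255 netmask yields a distinct host route.
# The primary address 200.46.204.5 below is a constructed sample value.

# dotted quad -> 32-bit integer (shell arithmetic only, no external tools)
ip2int() {
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# prefix length of a dotted-quad netmask (number of set bits)
mask2plen() {
    _m=$(ip2int "$1"); _n=0
    while [ "$_m" -ne 0 ]; do
        _n=$(( _n + (_m & 1) )); _m=$(( _m >> 1 ))
    done
    echo "$_n"
}

# The connected route that "ifconfig <if> <addr> netmask <mask>" makes the
# kernel add, printed as network/prefixlen.
connected_route() {
    _a=$(ip2int "$1"); _mk=$(ip2int "$2")
    echo "$(int2ip $(( _a & _mk )))/$(mask2plen "$2")"
}

# True (exit 0) when alias $3/$4 would try to add the same connected route as
# the existing address $1/$2, i.e. the case that produces "File exists".
alias_collides() {
    [ "$(connected_route "$1" "$2")" = "$(connected_route "$3" "$4")" ]
}

# Demonstration with the alias address from the thread.
for mask in 255.255.255.0 255.255.255.255; do
    if alias_collides 200.46.204.5 255.255.255.0 200.46.204.9 "$mask"; then
        echo "alias 200.46.204.9 netmask $mask: duplicate route $(connected_route 200.46.204.9 "$mask") -> SIOCAIFADDR: File exists"
    else
        echo "alias 200.46.204.9 netmask $mask: new route $(connected_route 200.46.204.9 "$mask") -> ok"
    fi
done
```

Running it prints one line per netmask: the /24 alias maps to the same 200.46.204.0/24 route as the primary address, the /32 alias maps to its own 200.46.204.9/32 host route.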


Re: OT: Longest uptime

2004-02-22 Thread Christian Kratzer
Hi,

On Sun, 22 Feb 2004, Daniela wrote:

> On Saturday 21 February 2004 20:47, Jamie wrote:
> > I'm curious as to what the longest uptimes are people have seen on
> > production servers. We've got a FreeBSD machine here with an uptime of 506
> > days. It is a file server and it also runs spamassassin for another
> > machine. Too bad we have to take it down to replace a motherboard tonight
> > with leaky caps. It would have been fun to see if it could have made it to
> > 999 or higher.
> >
> > I'm curious as to what the highest uptimes people have seen on their
> > servers. With times like that, you can't help but fall in love
> > with FreeBSD!!
>
> I have heard of a machine running FreeBSD 2.2 with 2300+ days uptime and still
> running.
> Mine has only reached 29 days so far, because I patch my system very often.

I just checked back and it's still up ...

--snipp--
[EMAIL PROTECTED]: {8} uname -a
FreeBSD hostname.domain 2.2.2-RELEASE FreeBSD 2.2.2-RELEASE #0: Mon Feb  9 18:53:29 
CET 1998 [EMAIL PROTECTED]:/usr/src/sys/compile/XX  i386
[EMAIL PROTECTED]: {9} uptime
 9:44PM  up 2204 days,  2:38, 1 user, load averages: 0.48, 0.24, 0.10
[EMAIL PROTECTED]: {10} date
Sun Feb 22 21:45:29 CET 2004
[EMAIL PROTECTED]: {11}
--snipp--

hostnames and domains changed to protect the innocent.

Of course this does not make much sense and the customer in question
would be well advised with an update. Have been talking to them.

Our own production servers regularly reach 200 days and more. We update things
like ssh and openssl in place and only do full buildworld/installworld
upgrades perhaps once or twice a year. Lots can be done while staying up.
Jails help a lot of course. Not having external users with shell access also
helps.

Greetings
Christian

-- 
Christian Kratzer   [EMAIL PROTECTED]
CK Software GmbHhttp://www.cksoft.de/
Phone: +49 7452 889 135 Fax: +49 7452 889 136


Re: dynamic IPSEC: Holy grail sighted

2003-08-18 Thread Christian Kratzer
Hi,

On Mon, 18 Aug 2003, The Anarcat wrote:
> I don't some of the attachments you intended to send (racoon.conf?
> perl script?) didn't get through the list.
>
> I would be very interested to read those, if you don't mind sharing
> them...

we run the following scripts

1. run lookup-peers.sh from cron every 3 minutes to resolve the peers
   listed in /usr/local/etc/peers.in

2. diff the results to the results of the previous run and run update-ipsec.sh
   if changed to generate a new ipsec.conf from ipsec.conf.m4 using the m4 macro
   processor ( yes we use m4 for just about everything ;-) )

3. update-ipsec.sh installs the new policy but purposely keeps the
   already handshaked associations in place so as not to hang connections
   unnecessarily

you also need something else to update your dyndns setup.
This is left as an exercise to the reader.

The following scripts are freshly pasted out of our live setup and
somewhat obfuscated so there might still be something missing.

Especially the ipsec.conf.m4 will need adapting to your setup and to
the specific host in question.

Greetings
Christian

--- peers.in ---
peera   peera.yourfavourite-dyndns-provider.com
peerb   peerb.yourfavourite-dyndns-provider.com
peerc   peerc.yourfavourite-dyndns-provider.com
--- peers.in ---

--- lookup-peers.sh 
#!/bin/sh

SRC=/usr/local/etc/peers.in
DST=/tmp/peers.m4
TMP=/tmp/peers.tmp
DYNINT=tun0
AWK=/usr/bin/awk
IFCONFIG=/sbin/ifconfig
HOST=/usr/local/bin/host

if [ -f $TMP ]; then
    rm $TMP
fi

# our own current address on the dynamic interface
MYIP=`$IFCONFIG $DYNINT | $AWK '/inet /{ print $2 }'`
echo "define(\`MYIP',\`$MYIP')dnl" > $TMP

# resolve every peer listed in peers.in and append one m4 define per peer
while read name host; do
    addr=`$HOST -W 3 $host | $AWK '/address/{ print $4 }'`
    if [ -n "$addr" ]; then
        echo "define(\`$name',\`$addr')dnl" >> $TMP
    fi
done < $SRC

if [ ! -f $DST ]; then
    touch $DST
fi

# only act when the set of resolved addresses differs from the last run
diff $DST $TMP > /dev/null 2>&1
if [ $? -ne 0 ]; then
    # ip addresses of peers changed
    mv $TMP $DST

    # trigger actions here
    /usr/local/libexec/update-ipsec.sh
fi
--- lookup-peers.sh 

--- update-ipsec.sh ---
#!/bin/sh
# peers.m4 is written by lookup-peers.sh and has to be read before
# ipsec.conf.m4 so that MYIP and the peer macros expand (the pasted
# script did not show where it was pulled in; reading it first is assumed)
/usr/bin/m4 /tmp/peers.m4 /etc/ipsec.conf.m4 > /etc/ipsec.conf
# load the new policy; spdflush inside the file replaces the SPD but leaves
# the already negotiated SAs alone
/usr/sbin/setkey -f /etc/ipsec.conf
--- update-ipsec.sh ---

--- ipsec.conf.m4 --- (on host1)
define(`SRCNET1',`192.168.1.0/24')
define(`DSTNET2',`192.168.2.0/24')
define(`DSTNET3',`192.168.3.0/24')

# flush policy
spdflush;

# vpn tunnel from hosta to hostb

spdadd  SRCNET1 DSTNET2 any
-P out ipsec esp/tunnel/MYIP-hostb/require ;

spdadd  DSTNET2 SRCNET1 any
-P in ipsec esp/tunnel/hostb-MYIP/require ;

# vpn tunnel from hosta to hostc

spdadd  SRCNET1 DSTNET3 any
-P out ipsec esp/tunnel/MYIP-hostc/require ;

spdadd  DSTNET3 SRCNET1 any
-P in ipsec esp/tunnel/hostc-MYIP/require ;


--- ipsec.conf.m4 ---

Greetings
Christian

--
CK Software GmbH
Christian Kratzer, Schwarzwaldstr. 31, 71131 Jettingen
Email: [EMAIL PROTECTED]
Phone: +49 7452 889-135Open Software Solutions, Network Security
Fax:   +49 7452 889-136FreeBSD spoken here!


Re: dynamic IPSEC

2003-08-14 Thread Christian Kratzer
Hi,

On Mon, 11 Aug 2003, Kent Hauser wrote:

> Hi Mike,
>
> Had any progress? I've also been stymied for a clean solution. Previously, I
> used a simple SED script executed from /etc/ppp/ppp.linkup to edit a
> setkeys script which then negotiated with the office ascend router/gw & all
> was VPN heaven. However, I now need to negotiate mobile(FreeBSD) to
> static(FreeBSD) & that is proving problematic. Executing a SED script after
> DHCP of mobile is easy, but it seems I also need to SED the static host's SPD
> -- ie no wildcards allowed as in the ascend router situation. Needless to
> say, allowing unauthenticated hosts (read anyone) to modify the SPD on a
> machine so that it can be authenticated strikes me as putting the cart before
> the horse.
>
> When I install a wildcard host (0.0.0.0) on the static side, racoon only
> negotiates the mobile-static SAD...which is useless & expires. Seems to me
> that racoon needs to update kernel SPDs with wildcards to support mobile
> VPNs. At least that's all I've been able to come up with.
>
> Have you found a silver bullet?

Solution 1:

the silver bullet to allow roaming clients with dynamic addresses to connect to
your racoon is to have no policy at all defined for them and use an anonymous
section in your racoon.conf with

generate_policy on;

This way your clients connect and racoon sets up any policy they request.

This is a bit ugly as you have to trust them not to screw up your policy but
seems to be the only solution currently available with racoon.

You will also want to use certificates instead of preshared keys for
authentication unless you are comfortable with having a single preshared key
for all your roaming users.

Solution 2:

We have a setup where we have 3 offices each with dynamic IPs and FreeBSD
boxes as their gateways.  The boxes all run scripts to register their dynamic
IP address at a colocated box with a static IP.  The boxes also resolve each
other's IP addresses every 5 minutes and generate a new ipsec.conf and install
it if it differs from the previous one.  The system is now very stable and
we have ipsec tunnels between all 3 offices.

If something changes they rewire themselves on the fly.


Greetings
Christian

-- 
CK Software GmbH
Christian Kratzer, Schwarzwaldstr. 31, 71131 Jettingen
Email: [EMAIL PROTECTED]
Phone: +49 7452 889-135Open Software Solutions, Network Security
Fax:   +49 7452 889-136FreeBSD spoken here!


Re: dynamic IPSEC

2003-08-11 Thread Christian Kratzer
Hi,

On Mon, 11 Aug 2003, Kent Hauser wrote:

> Hi Mike,
>
> Had any progress? I've also been stymied for a clean solution. Previously, I
> used a simple SED script executed from /etc/ppp/ppp.linkup to edit a
> setkeys script which then negotiated with the office ascend router/gw & all
> was VPN heaven. However, I now need to negotiate mobile(FreeBSD) to
> static(FreeBSD) & that is proving problematic. Executing a SED script after
> DHCP of mobile is easy, but it seems I also need to SED the static host's SPD
> -- ie no wildcards allowed as in the ascend router situation. Needless to
> say, allowing unauthenticated hosts (read anyone) to modify the SPD on a
> machine so that it can be authenticated strikes me as putting the cart before
> the horse.
>
> When I install a wildcard host (0.0.0.0) on the static side, racoon only
> negotiates the mobile-static SAD...which is useless & expires. Seems to me
> that racoon needs to update kernel SPDs with wildcards to support mobile
> VPNs. At least that's all I've been able to come up with.
>
> Have you found a silver bullet?

Solution 1:

the silver bullet to allow roaming clients with dynamic addresses to connect to
your racoon is to have no policy at all defined for them and use an anonymous
section in your racoon.conf with

generate_policy on;

This way your clients connect and racoon sets up any policy they request.

This is a bit ugly as you have to trust them not to screw up your policy but
seems to be the only solution currently available with racoon.

You will also want to use certificates instead of preshared keys for
authentication unless you are comfortable with having a single preshared key
for all your roaming users.

Solution 2:

We have a setup where we have 3 offices each with dynamic IPs and FreeBSD
boxes as their gateways.  The boxes all run scripts to register their dynamic
IP address at a colocated box with a static IP.  The boxes also resolve each
other's IP addresses every 5 minutes and generate a new ipsec.conf and install
it if it differs from the previous one.  The system is now very stable and
we have ipsec tunnels between all 3 offices.

If something changes they rewire themselves on the fly.


Greetings
Christian

-- 
CK Software GmbH
Christian Kratzer, Schwarzwaldstr. 31, 71131 Jettingen
Email: [EMAIL PROTECTED]
Phone: +49 7452 889-135Open Software Solutions, Network Security
Fax:   +49 7452 889-136FreeBSD spoken here!
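Both the "Holy grail" post with its lookup-peers.sh script and "Solution 2" above resolve dyndns names and feed the answers into an m4 file from which ipsec.conf is generated and loaded with setkey. Whatever the resolver returns therefore ends up inside the security policy database. The script below is an added example, not the poster's script: it is a stricter version of the peers.in to peers.m4 step that validates every macro name and every resolved address before writing it, so a stray line in peers.in or an unexpected DNS answer is skipped instead of being expanded into ipsec.conf. The resolver is a hook, so the example runs offline; resolve_peer, the example.net hostnames and the 198.51.100.x addresses are constructed and not from the thread.

```shell
#!/bin/sh
# Added example, not the poster's script: a stricter version of the
# "resolve peers.in and write peers.m4" step. Every macro name and every
# resolved address is validated before it is written, so a bad line in
# peers.in or an unexpected DNS answer cannot end up as text inside the
# generated ipsec.conf that setkey loads. All hostnames and addresses below
# are constructed sample data.

# Resolver hook. A live setup would use something like
#   host -W 3 "$1" | awk '/address/{ print $4 }'
# here a constructed table stands in for DNS.
resolve_peer() {
    case "$1" in
        peera.example.net) echo "198.51.100.10" ;;
        peerb.example.net) echo "198.51.100.20" ;;
        peerc.example.net) echo "" ;;                  # lookup timed out
        odd.example.net)   echo "1.2.3.4 spdflush;" ;; # garbage answer
        *)                 echo "" ;;
    esac
}

# m4 macro name: letters, digits and underscore, not starting with a digit
is_macro_name() {
    case "$1" in
        ""|[!A-Za-z_]*|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    return 0
}

# strict dotted-quad check: exactly four decimal octets, each 0..255
is_ipv4() {
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case "$_o" in ""|*[!0-9]*) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# Read "name hostname" lines from the file $1 and print one m4 define per
# peer that resolves to a valid address; invalid entries are reported on
# stderr and skipped, so they never reach peers.m4.
gen_peers_m4() {
    while read -r _name _host _rest; do
        case "$_name" in ""|\#*) continue ;; esac
        if ! is_macro_name "$_name"; then
            echo "peers: '$_name' is not a valid m4 macro name, skipped" >&2
            continue
        fi
        _addr=$(resolve_peer "$_host")
        if ! is_ipv4 "$_addr"; then
            echo "peers: no valid IPv4 address for $_host ('$_addr'), skipped" >&2
            continue
        fi
        echo "define(\`$_name',\`$_addr')dnl"
    done < "$1"
}

# Demonstration on a constructed peers.in: prints the defines that would be
# written to peers.m4 (two valid peers) and reports the three rejected lines.
demo_peers_m4() {
    _f=$(mktemp /tmp/peers.XXXXXX) || return 1
    cat > "$_f" <<'EOF'
# name    dyndns hostname
peera     peera.example.net
peerb     peerb.example.net
peerc     peerc.example.net
odd       odd.example.net
peer-d    peera.example.net
EOF
    gen_peers_m4 "$_f"
    rm -f "$_f"
}

demo_peers_m4
```

The output on stdout is exactly what lookup-peers.sh would write to peers.m4 for the valid entries; the timed-out lookup, the garbage answer and the hyphenated name are logged to stderr and dropped, so the diff-and-reload step never sees them.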


Re: Still a few problems in jail

2002-12-05 Thread Christian Kratzer
Hi,

On Thu, 5 Dec 2002, Didier Wiroth wrote:

> Hey,
> Using (FreeBSD 4.7-Release)
> It takes considerably long to login from a workstation to a jailed ssh
> server or sometimes I even can't login.
> The login: appears, and then Sent username 'xyz' and then nothing
> happens or after 20 or even far more seconds I can enter my password!
[rest snipped]

you most probably have dns resolution problems in the jail.
Do you have a correctly set up resolv.conf in your jail?

Greetings
Christian

-- 
CK Software GmbH
Christian Kratzer,  Schwarzwaldstr. 31, 71131 Jettingen
Email:  [EMAIL PROTECTED]
Phone:  +49 7452 889-135Open Software Solutions, Network Security
Fax:+49 7452 889-136FreeBSD spoken here!



To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message



Re: List of big names ...

2002-12-01 Thread Christian Kratzer
Hi,

On Sun, 1 Dec 2002, Marc G. Fournier wrote:

>
> Other than that I know Yahoo! uses FreeBSD ... is there a list that anyone
> is maintaining about who is using it?  I've been having discussions with a
> partner for awhile now about whether we should launch a product with a
> base OS of linux vs freebsd ... and it's tiring to try and argue against
> but, nobody is accepting FreeBSD ... everyone (IBM, HP, Sun, etc) is
> falling behind Linux ...
>
> Do we have *anything* ... case studies or the like, from big names that
> have decided *for* FreeBSD over Linux, with a sort of 'why' discussion?

on the embedded side there are the Nokia/CheckPoint hardware firewall
appliances. Nokia uses a hacked FreeBSD 2.x base system to host the
checkpoint firewall for which checkpoint did a port only available
with this nokia bundle.

Also Juniper's internet core routers are based on FreeBSD.

Greetings
Christian

-- 
CK Software GmbH
Christian Kratzer,  Schwarzwaldstr. 31, 71131 Jettingen
Email:  [EMAIL PROTECTED]
Phone:  +49 7452 889-135Open Software Solutions, Network Security
Fax:+49 7452 889-136FreeBSD spoken here!


