Re: ifconfig alias: File Exists
Hi,

On Tue, 19 Oct 2004, Marc G. Fournier wrote:
> On Tue, 19 Oct 2004, Christian Kratzer wrote:
> > Hi,
> >
> > On Tue, 19 Oct 2004, Marc G. Fournier wrote:
> > > Why would I be getting:
> > >
> > >   # ifconfig fxp0 alias 200.46.204.9
> > >   ifconfig: ioctl (SIOCAIFADDR): File exists
> > >
> > > when I know for a fact that it hasn't been configured?
> >
> > you should use a netmask of 255.255.255.255 for ipv4 aliases.
> >
> >   ifconfig fxp0 alias 200.46.204.9 netmask 255.255.255.255
>
> Is that new? You are right, that fixed it, but didn't think I had to do
> that before :(

no it's been like that since I know of FreeBSD 2.0 and probably longer.

The BSD ip stack adds a route to the connected network over the respective
interface when you do an ifconfig. Using the same netmask on all aliases
will cause it to try to add the same route multiple times, causing the
error you saw.

Greetings
Christian

--
Christian Kratzer                       [EMAIL PROTECTED]
CK Software GmbH                        http://www.cksoft.de/
Phone: +49 7452 889 135
Fax:   +49 7452 889 136

_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
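The route collision Christian describes can be checked before touching the interface. The following POSIX sh is an added example, not code from the thread: it computes the connected route (network address plus mask) that ifconfig would install for a primary address and for each alias, reports which aliases would re-add an existing route when given the interface's own netmask, and prints the /32 form of the command instead. The primary address 200.46.204.2 and the second alias 200.46.204.10 are constructed; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Why an alias with the interface's own
# netmask trips SIOCAIFADDR with "File exists": every address gets a route to
# its connected network (network address + mask), and a second alias on the
# same network with the same mask asks for an identical route. With a /32
# mask the alias's "network" is the host itself, so each alias gets its own.
# The primary address 200.46.204.2 below is constructed.

ip2int() {              # dotted quad -> 32-bit integer
    set -- $(echo "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {              # 32-bit integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# route_key ADDR MASK -> "network/mask", the connected route ifconfig adds
route_key() {
    echo "$(int2ip $(( $(ip2int "$1") & $(ip2int "$2") )))/$2"
}

# would_collide PRI_ADDR PRI_MASK ALIAS_ADDR ALIAS_MASK
# Exit 0 if the alias would try to add the route the primary already owns.
would_collide() {
    [ "$(route_key "$1" "$2")" = "$(route_key "$3" "$4")" ]
}

# alias_cmds IFACE PRI_ADDR PRI_MASK ALIAS...
# For each alias, say whether reusing the primary's mask would fail, and
# print the ifconfig line with the /32 mask the reply recommends.
# Returns the number of aliases that would have collided.
alias_cmds() {
    ifc=$1; pri=$2; pmask=$3; shift 3
    n=0
    for a in "$@"; do
        if would_collide "$pri" "$pmask" "$a" "$pmask"; then
            echo "# $a netmask $pmask would re-add $(route_key "$pri" "$pmask") -> File exists"
            n=$((n + 1))
        fi
        echo "ifconfig $ifc alias $a netmask 255.255.255.255"
    done
    return $n
}

# Example run (constructed primary, the alias from the thread plus one more):
#   alias_cmds fxp0 200.46.204.2 255.255.255.0 200.46.204.9 200.46.204.10
```

The check is the same comparison the kernel makes: a route is keyed by destination and mask, so two aliases on one /24 with the /24 mask are the same key, while each /32 alias is a distinct host route.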
Re: ifconfig alias: File Exists
Hi,

On Tue, 19 Oct 2004, Marc G. Fournier wrote:
> Why would I be getting:
>
>   # ifconfig fxp0 alias 200.46.204.9
>   ifconfig: ioctl (SIOCAIFADDR): File exists
>
> when I know for a fact that it hasn't been configured?

you should use a netmask of 255.255.255.255 for ipv4 aliases.

        ifconfig fxp0 alias 200.46.204.9 netmask 255.255.255.255

Greetings
Christian

--
Christian Kratzer                       [EMAIL PROTECTED]
CK Software GmbH                        http://www.cksoft.de/
Phone: +49 7452 889 135
Fax:   +49 7452 889 136
Re: OT: Longest uptime
Hi,

On Sun, 22 Feb 2004, Daniela wrote:
> On Saturday 21 February 2004 20:47, Jamie wrote:
> > I'm curious as to what the longest uptimes are people have seen on
> > production servers. We've got a FreeBSD machine here with an uptime of
> > 506 days. It is a file server and it also runs spamassassin for another
> > machine. Too bad we have to take it down to replace a motherboard
> > tonight with leaky caps. It would have been fun to see if it could have
> > made it to 999 or higher. I'm curious as to what the highest uptimes
> > people have seen on their servers. With times like that, you can't help
> > but fall in love with FreeBSD!!
>
> I have heard of a machine running FreeBSD 2.2 with 2300+ days uptime and
> still running.
> Mine has only reached 29 days so far, because I patch my system very
> often.

I just checked back and it's still up ...

--snipp--
[EMAIL PROTECTED]: {8} uname -a
FreeBSD hostname.domain 2.2.2-RELEASE FreeBSD 2.2.2-RELEASE #0: Mon Feb 9 18:53:29 CET 1998 [EMAIL PROTECTED]:/usr/src/sys/compile/XX i386
[EMAIL PROTECTED]: {9} uptime
9:44PM up 2204 days, 2:38, 1 user, load averages: 0.48, 0.24, 0.10
[EMAIL PROTECTED]: {10} date
Sun Feb 22 21:45:29 CET 2004
[EMAIL PROTECTED]: {11}
--snipp--

hostnames and domains changed to protect the innocent.

Of course this does not make much sense and the customer in question would
be well advised with an update. Have been talking to them.

Our own production servers regularly reach 200 days and more. We update
things like ssh and openssl in place and only do full buildworld/installworld
upgrades perhaps once or twice a year. Lots can be done while staying up.
Jails help a lot of course. Not having external users with shell access also
helps.

Greetings
Christian

--
Christian Kratzer                       [EMAIL PROTECTED]
CK Software GmbH                        http://www.cksoft.de/
Phone: +49 7452 889 135
Fax:   +49 7452 889 136
Re: dynamic IPSEC: Holy grail sighted
Hi,

On Mon, 18 Aug 2003, The Anarcat wrote:
> I don't some of the attachments you intended to send (raccoon.conf? perl
> script?) didn't get through the list. I would be very interested to read
> those, if you don't mind sharing them...

we run following scripts

1. run lookup-peers.sh from cron every 3 minutes to resolve the peers listed
   in /usr/local/etc/peers.in

2. diff the results to the results of the previous run and run
   update-ipsec.sh if changed to generate a new ipsec.conf from ipsec.conf.m4
   using the m4 macro processor ( yes we use m4 for just about everything ;-) )

3. update-ipsec.sh installs the new policy but purposely keeps the already
   handshaked associations in place so as not to hang connections
   unnecessarily

you also need something else to update your dyndns setup. This is left as an
exercise to the reader.

The following scripts are freshly pasted out of our live setup and somewhat
obfuscated so there might still be something missing. Especially the
ipsec.conf.m4 will need adapting to your setup and to the specific host in
question.

Greetings
Christian

--- peers.in ---
peera   peera.yourfavourite-dyndns-provider.com
peerb   peerb.yourfavourite-dyndns-provider.com
peerc   peerc.yourfavourite-dyndns-provider.com
--- peers.in ---

--- lookup-peers.sh ---
#!/bin/sh

SRC=/usr/local/etc/peers.in
DST=/tmp/peers.m4
TMP=/tmp/peers.tmp
DYNINT=tun0

AWK=/usr/bin/awk
IFCONFIG=/sbin/ifconfig
HOST=/usr/local/bin/host

if [ -f $TMP ]; then
    rm $TMP
fi

# our own (dynamic) address on the tunnel interface, as m4 macro MYIP
MYIP=`$IFCONFIG $DYNINT | $AWK '/inet /{ print $2 }'`
echo "define(\`MYIP',\`$MYIP')dnl" > $TMP

# one m4 define per peer from peers.in; peers that do not resolve
# within 3 seconds are skipped
while read name host; do
    addr=`$HOST -W 3 $host | $AWK '/address/{ print $4 }'`
    if [ -n "$addr" ]; then
        echo "define(\`$name',\`$addr')dnl" >> $TMP
    fi
done < $SRC

if [ ! -f $DST ]; then
    touch $DST
fi

diff $DST $TMP > /dev/null 2> /dev/null
if [ $? -ne 0 ]; then
    # ip addresses of peers changed
    mv $TMP $DST
    # trigger actions here
    /usr/local/libexec/update-ipsec.sh
fi
--- lookup-peers.sh ---

--- update-ipsec.sh ---
#!/bin/sh

# render the policy; peers.m4 (written by lookup-peers.sh) supplies the
# MYIP and peer address macros that ipsec.conf.m4 refers to
/usr/bin/m4 /tmp/peers.m4 /etc/ipsec.conf.m4 > /etc/ipsec.conf

# the file only contains spdflush/spdadd, so this replaces the policy
# (SPD) and leaves the already negotiated associations (SAD) in place
/usr/sbin/setkey -f /etc/ipsec.conf
--- update-ipsec.sh ---

--- ipsec.conf.m4 --- (on host1)
define(`SRCNET1',`192.168.1.0/24')
define(`DSTNET2',`192.168.2.0/24')
define(`DSTNET3',`192.168.3.0/24')

# flush policy
spdflush;

# vpn tunnel from hosta to hostb
spdadd SRCNET1 DSTNET2 any -P out ipsec esp/tunnel/MYIP-hostb/require ;
spdadd DSTNET2 SRCNET1 any -P in  ipsec esp/tunnel/hostb-MYIP/require ;

# vpn tunnel from hosta to hostc
spdadd SRCNET1 DSTNET3 any -P out ipsec esp/tunnel/MYIP-hostc/require ;
spdadd DSTNET3 SRCNET1 any -P in  ipsec esp/tunnel/hostc-MYIP/require ;
--- ipsec.conf.m4 ---

Greetings
Christian

--
CK Software GmbH    Christian Kratzer, Schwarzwaldstr. 31, 71131 Jettingen
Email: [EMAIL PROTECTED]
Phone: +49 7452 889-135         Open Software Solutions, Network Security
Fax:   +49 7452 889-136         FreeBSD spoken here!
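The scripts above install whatever policy m4 renders, so a peer that fails to resolve on one run silently drops out of peers.m4 and its tunnel out of the SPD, and an undefined macro leaves a bare name such as MYIP-hostb in the file handed to setkey. The following POSIX sh is an added example, not Christian's scripts: it keeps the same resolve/diff/act flow as lookup-peers.sh but refuses to replace the previous peer set when any peer is unresolved, and checks a rendered ipsec.conf for unexpanded tunnel endpoints before it is installed. Function names are this example's own; the hostnames and addresses are constructed from the RFC 5737 documentation ranges so it runs offline; `host_lookup` shows what a live run would pass in place of the stand-in resolver.

```shell
#!/bin/sh
# Added example, not the scripts from the post. Same flow as lookup-peers.sh
# (resolve peers, diff against the last run, act on change) with two guards:
# never replace the peer set from a partly resolved list, and never hand
# setkey an ipsec.conf in which an m4 macro was left unexpanded.
# Function names are this example's own; hostnames/addresses are constructed.

# Constructed stand-in for host(1) so the example runs offline.
fake_resolve() {
    case "$1" in
        peera.example.net) echo 203.0.113.10 ;;
        peerb.example.net) echo 198.51.100.20 ;;
        *) return 1 ;;                       # NXDOMAIN or timeout
    esac
}

# What a live deployment would pass instead (BIND host(1), 3 s timeout).
host_lookup() {
    host -W 3 "$1" | awk '/has address/{ print $4; exit }'
}

# build_peer_macros RESOLVER SRC OUT
# One m4 define() per "name hostname" line of SRC. Returns 1 if any peer did
# not resolve, so the caller keeps the previous policy instead of
# installing one with a hole in it.
build_peer_macros() {
    resolver=$1; src=$2; out=$3; failed=0
    : > "$out"
    while read -r name host; do
        [ -z "$name" ] && continue
        if ! addr=$("$resolver" "$host") || [ -z "$addr" ]; then
            echo "unresolved peer: $name ($host)" >&2
            failed=1
            continue
        fi
        printf "define(\`%s',\`%s')dnl\n" "$name" "$addr" >> "$out"
    done < "$src"
    return $failed
}

# peers_changed OLD NEW: true if the macro files differ or OLD is missing
peers_changed() {
    [ -f "$1" ] || return 0
    ! cmp -s "$1" "$2"
}

# policy_endpoints_ok FILE
# Every esp/tunnel/A-B/ in the rendered ipsec.conf must name two dotted
# quads; a bare word there is a macro m4 had no define() for.
policy_endpoints_ok() {
    bad=$(sed -n 's|.*esp/tunnel/\([^/]*\)/.*|\1|p' "$1" |
          tr '-' '\n' |
          grep -v -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$')
    [ -z "$bad" ]
}

# refresh_peers RESOLVER SRC DST
#   0: peers changed and DST updated (re-render ipsec.conf, then setkey)
#   1: unchanged, nothing to do
#   2: incomplete resolution, DST left as it was
refresh_peers() {
    resolver=$1; src=$2; dst=$3; tmp="$dst.tmp"
    if ! build_peer_macros "$resolver" "$src" "$tmp"; then
        rm -f "$tmp"
        return 2
    fi
    if peers_changed "$dst" "$tmp"; then
        mv "$tmp" "$dst"
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Cron entry point in a live setup (paths as in the post); not run here:
#   refresh_peers host_lookup /usr/local/etc/peers.in /tmp/peers.m4 &&
#     m4 /tmp/peers.m4 /etc/ipsec.conf.m4 > /etc/ipsec.conf.new &&
#     policy_endpoints_ok /etc/ipsec.conf.new &&
#     mv /etc/ipsec.conf.new /etc/ipsec.conf &&
#     setkey -f /etc/ipsec.conf
```

Rendering to a `.new` file and validating it before the `mv` means a DNS hiccup on one peer leaves the last known-good SPD in force rather than dropping that office's tunnel until the next cron run.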
Re: dynamic IPSEC
Hi,

On Mon, 11 Aug 2003, Kent Hauser wrote:
> Hi Mike,
>
> Had any progress? I've also been stymied for a clean solution.
>
> Previously, I used a simple SED script executed from /etc/ppp/ppp.linkup
> to edit a setkeys script which then negotiated with the office ascend
> router/gw; all was VPN heaven. However, I now need to negotiate
> mobile(FreeBSD) to static(FreeBSD) and that is proving problematic.
> Executing a SED script after DHCP of mobile is easy, but it seems I also
> need to SED the static host's SPD -- ie no wildcards allowed as in the
> ascend router situation.
>
> Needless to say, allowing unauthenticated hosts (read anyone) to modify
> the SPD on a machine so that it can be authenticated strikes me as putting
> the cart before the horse.
>
> When I install a wildcard host (0.0.0.0) on the static side, racoon only
> negotiates the mobile-static SAD...which is useless expires.
>
> Seems to me that racoon needs to update kernel SPDs with wildcards to
> support mobile VPNs. At least that's all I've been able to come up with.
>
> Have you found a silver bullet?

Solution 1:

the silver bullet to allow roaming clients with dynamic address to connect
to your racoon is to have no policy at all defined for them and use an
anonymous section in your racoon.conf with

        generate_policy on;

This way your clients connect and racoon sets up any policy they request.
This is a bit ugly as you have to trust them not to screw up your policy but
seems to be the only solution currently available with racoon.

You will also want to use certificates instead of preshared keys for
authentication unless you are comfortable with having a single preshared key
for all your roaming users.

Solution 2:

We have a setup where we have 3 offices each with dynamic ip's and freebsd
boxes as their gateways. The boxes all run scripts to register their dynamic
ip address at a colocated box with a static ip.

The boxes also resolve each others ip addresses every 5 minutes and generate
a new ipsec.conf and install it if it differs from the previous one.

The system is now very stable and we have ipsec tunnels between all 3
offices. If something changes they rewire themselves on the fly.

Greetings
Christian

--
CK Software GmbH    Christian Kratzer, Schwarzwaldstr. 31, 71131 Jettingen
Email: [EMAIL PROTECTED]
Phone: +49 7452 889-135         Open Software Solutions, Network Security
Fax:   +49 7452 889-136         FreeBSD spoken here!
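Solution 1 as a racoon.conf fragment, added here as an example and not Christian's configuration: an anonymous `remote` section with `generate_policy on` so roaming peers need no static SPD entry, authenticated with X.509 certificates rather than a shared pre-shared key, as the reply recommends. The directives are standard racoon.conf ones; the certificate path, file names, identifier types and algorithm choices are assumptions to adapt to your setup.

```conf
# Added example for racoon.conf (not from the post). The certificate path,
# file names and algorithm choices are assumptions; adapt them to your setup.
path certificate "/usr/local/etc/racoon/certs";

# Roaming peers with unknown addresses: no static SPD entry for them. racoon
# installs the policy the peer proposes, which is the trust trade-off the
# reply describes, so the peer must be strongly authenticated first.
remote anonymous {
        exchange_mode main;
        passive on;                  # answer only; never initiate to "anonymous"
        generate_policy on;          # install the authenticated peer's policy
        my_identifier asn1dn;
        peers_identifier asn1dn;
        certificate_type x509 "gw.crt" "gw.key";
        verify_cert on;              # reject peers not signed by our CA
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method rsasig;   # certificates, not a shared PSK
                dh_group 2;
        }
}

sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

With `authentication_method rsasig` each roaming user holds an individual certificate, so a lost laptop is handled by revoking one certificate instead of rotating a pre-shared key shared by everyone.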
Re: Still a few problems in jail
Hi,

On Thu, 5 Dec 2002, Didier Wiroth wrote:
> Hey,
> Using (FreeBSD 4.7-Release)
> It takes considerably long to login from a workstation to a jailed ssh
> server or sometimes I even can't login.
> The login: appears, and then Sent username 'xyz' and then nothing happens
> or after 20 or even far more seconds I can enter my password!
[rest snipped]

you most probably have dns resolution problems in the jail. Do you have a
correctly setup resolv.conf in your jail ?

Greetings
Christian

--
CK Software GmbH    Christian Kratzer, Schwarzwaldstr. 31, 71131 Jettingen
Email: [EMAIL PROTECTED]
Phone: +49 7452 889-135         Open Software Solutions, Network Security
Fax:   +49 7452 889-136         FreeBSD spoken here!

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message
Re: List of big names ...
Hi,

On Sun, 1 Dec 2002, Marc G. Fournier wrote:
> Other than that I know Yahoo! uses FreeBSD ... is there a list that anyone
> is maintaining about who is using it? I've been having discussions with a
> partner for awhile now about whether we should launch a product with a
> base OS of linux vs freebsd ... and its tiring to try and argue against
> but, nobody is accepting FreeBSD ... everyone (IBM, HP, Sun, etc) is
> falling behind Linux ...
>
> Do we have *anything* ... case studies or the like, from big names that
> have decided *for* FreeBSD over Linux, with a sort of 'why' discussion?

on the embedded side there are the Nokia/CheckPoint hardware firewall
appliances. Nokia uses a hacked FreeBSD 2.x base system to host the
checkpoint firewall for which checkpoint did a port only available with this
nokia bundle.

Also Juniper's internet core routers are based on FreeBSD.

Greetings
Christian

--
CK Software GmbH    Christian Kratzer, Schwarzwaldstr. 31, 71131 Jettingen
Email: [EMAIL PROTECTED]
Phone: +49 7452 889-135         Open Software Solutions, Network Security
Fax:   +49 7452 889-136         FreeBSD spoken here!