Re: How do I know what a meta port installs?

2005-03-31 Thread Erik Nørgaard
Per Berger wrote:
> I have installed a couple of meta ports, for example gnome2. How can I 
> see exactly which ports the meta port installs? I have tried to figure 
> it out but failed...
>
> I am right now installing gnome2-power-tools and can see that it 
> installs apache (!) which causes some concern regarding configuration 
> and security. So; what else did it install? How do I find out?

A meta port installs a number of packages by depending on them. For 
example in the ports/x11/gnome2/Makefile you will find a variable 
RUN_DEPENDS= and then a long list of things.

All these dependencies are installed when you make install but since 
it is a run-time dependency, nothing happens if you just type make.

What you won't see, is that each of these packages most likely depends 
on other packages etc. that are also installed. Tracing this till the 
end is hard.

What may give you some idea is to install the portupgrade tools and run
  portupgrade -rRn gnome2
This will not install anything (-n) but recurse up and down in the 
dependencies to tell you what would be done. This may not show you all 
dependencies as portupgrade should only want to upgrade what is _not_ up 
to date.

Regarding gnome2-power-tools:
First, it may install apache as a (sub-) dependency, but apache won't 
start unless you start it, as such it does not introduce new network 
accessible services.

Second: Do you actually need all that? The easiest way to keep a system 
clean and updated is to stay at minimal needs, install as needed. You 
will learn that first time you try to upgrade a major package ...

Cheers, Erik
--
Ph: +34.666334818   web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID:  A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: sendmail

2005-03-31 Thread Erik Nørgaard
Gert Cuykens wrote:
>> Just how big is this movie and are you sure his ISP's/private
>> mail server would even accept it?
>
> It's 5.5mb and my gmail doesn't want to send it :(
> So how do you do that with the sendmail command?

As everyone else notes, this is not a job for e-mailing. Even if you 
want to e-mail the file, it is not a job for sendmail. When you send 
attachments they are typically base64 encoded, this explodes the file 
from 5.5MB to about 8MB.

You can cut it up in two ways: Use transcode to make shorter clips and 
send separately or convert the file to base64, then cut it up manually 
and ask your friend to concatenate the attachments and deconvert from 
base64.

The second option is the low tech - transcode is not designed to be user 
friendly.

But, as everyone suggests: Set up anon ftp, an apache webserver, or give 
ssh access - all of these are faster, simpler and better. This is 
possible if you are not NAT'ed and have a reasonably fixed ip.

Erik


Re: can i delete /stand ?

2005-04-01 Thread Erik Nørgaard
Gert Cuykens wrote:
> It bugs me...

Yes, you can. If you need to run sysinstall later it will be in 
/usr/sbin/sysinstall

You might want to check your init_path in loader.conf, in 
/boot/defaults/loader.conf it is set to

  /sbin/init:/sbin/oinit:/sbin/init.bak:/stand/sysinstall

It would be sensible to replace /stand/sysinstall by /rescue/init

Cheers, Erik


Re: can i delete /stand ?

2005-04-02 Thread Erik Nørgaard
Gert Cuykens wrote:
>> You might want to check your init_path in loader.conf, in
>> /boot/defaults/loader.conf it is set to
>>   /sbin/init:/sbin/oinit:/sbin/init.bak:/stand/sysinstall
>> it would be sensible to replace /stand/sysinstall by /rescue/init
>
> What happens if I leave /stand/sysinstall and put nothing in return?
> What will single user look like?

The same. /stand/sysinstall starts the installer, it's the last thing 
the loader will try if everything else fails, then it must be because you 
have no system and would like to install one - right? But then, you 
might as well use an install disc.

Assuming you have a working system there is really no use for /stand. All 
the files in /stand are hardlinks to the /stand/boot_crunch file.

Some people like sysinstall as a postconfiguration tool, and 
documentation refers to this. But you can run it from /usr/sbin/sysinstall

On the other hand it surprises me that /rescue/init is not in the 
init_path, for system recovery it is far more useful than sysinstall, 
it will give you a single user like system with a shell.

So, if you can't stand /stand - go ahead delete it - but don't sue me if 
you some day need it :-)

Erik


Re: ipfilter problems

2005-04-02 Thread Erik Nørgaard
Angelin Lalev wrote:
> Two days ago I've switched the firewall on my FreeBSD 5.3 RELEASE
> router from ipfw to ipfilter. The firewalls are not my speciality
> and ipfilter looked a simpler way to do NAT with firewall, because
> it separates NAT rules from filtering rules.
>
> The router has two interfaces rl0 (192.168.0.254/24) and rl1 
> (82.137.64.106/29, 192.168.5.1/24, 10.1.6.2/24).
>
> The ipfilter is compiled in kernel:
>
> options IPFILTER
> options IPFILTER_LOG
> options IPFILTER_DEFAULT_BLOCK
>
> /etc/ipnat.conf
>
> map rl1 192.168.0.1/27 -> 82.137.64.106/32
>
> /etc/ipf.rules
>
> pass in quick on lo0
> pass out quick on lo0
> pass out quick on rl0 all
> pass in quick on rl0 all
> pass in quick on rl1 proto tcp from 192.168.5.1/24 to 192.168.5.1 port = 80 flags S keep state
> pass in quick on rl1 proto tcp from 192.168.5.1/24 to 192.168.5.1 port = 3128 flags S keep state
> # local counter-strike server. No NAT.
> pass in quick on rl1 from 192.168.5.1/24 to 192.168.0.50 keep state
> block in quick on rl1 from 192.168.5.1/24 to any
> pass out quick on rl1 all keep state
>
> The problem
>
> On 192.168.0.0/24 network I have 6 machines. The router itself is an old
> 166 MHz Pentium box, but load averages are not bigger than 10%. When one 
> of the machines makes dns lookup (the dns server is on outside - 
> 62.73.78.2) it fails with timeout in about 9 of 10 times.
> ipfstat -t shows that a rule is created - something like this:
>
> Source IP          Dest IP         ST    PR    pkts.   bytes
> 192.168.0.4,1029   62.73.78.2,53   0/0   udp   165     9992
>
> Any help will be appreciated.

Well, the short answer is: there is no keep state in the line

  pass in quick on rl0 all

the dns reply you get back times out because your default rule is block 
and there is nowhere in the in rules for rl1 that allows the reply back.

Some recommendations:

1) I have a bit of difficulty understanding your network setup - why do 
   you have two private networks on your external interface? Maybe sketch 
   it in a diagram.

2) Having default block can be done by adding the rules
     block in all
     block out all
   in the top of the ruleset rather than compile in the kernel. It makes
   it explicit. It also means that you can connect if no rules are
   present - this is useful for installing while the machine is behind
   a gateway.
   Anyway, with your pass in all rules, you have almost effectively
   disabled the default block anyway.
2) For your security, in all pass rules, state from and to even if
   it is any, it makes it more explicit. Split on protocols for
   security and control.
3) At least when setting up your firewall, use log in all block rules
   and enable ipmon, then you can see where your packets are blocked.
4) Use groups to structure your rules, and group them accordingly
   visually. It makes them easier to manage and for large rulesets
   optimises the firewall.
5) Always keep state! Doing so, all out rules only apply to the
   gateway itself, it makes the ruleset shorter and firewall faster.
6) You probably want to enable the ftp-proxy in your nat-rule and define
   which port-ranges are used for nat'ed connections.

and a lot more you'll learn along the way :-)

Erik



Re: can i delete /stand ?

2005-04-02 Thread Erik Nørgaard
dick hoogendijk wrote:
>> Some people like sysinstall as a postconfiguration tool, and
>> documentation refers to this. But you can run it from /usr/sbin/sysinstall
>
> I can't. Nor have I something like '/rescue/init'
> So I assume you're taking me (us?) on?

I don't know which system you're on. Both are present on 5.3 and -CURRENT.
Now, it's some time ago I installed, it may be added later as I have 
rebuilt my world with updated sources.

Anyway, regarding /stand/sysinstall, you can safely delete it unless you 
use it for configuration/installation tasks.

Now, I just looked at the dates on my directories, it seems a new /stand 
was installed last time I installed world - so you'll have to get rid of 
it again and again :-)

Erik


Re: can i delete /stand ?

2005-04-02 Thread Erik Nørgaard
Chris wrote:
> I did like the idea of rm -r /boot
> I hate that / in the beginning - can I get rid of it by 'rm -r /'?

Really, while I can sometimes find it entertaining to wonder and discuss 
the reasons for whatever weirdness people may prefer, and see the 
discussion go off track, I think we should just answer the question 
and if you can't do that, let it go.

Some people want to order their socks according to colour, and if they 
are out of order their life is a misery. If this kind of person comes 
to me and asks if he can order his sock drawer according to colour, I'd 
say sure, your sock drawer will function perfectly with your socks 
ordered according to colour - as long as I can keep mine disordered 
according to your scheme.

Cheers, Erik


Re: IPFILTER and NFS

2005-04-03 Thread Erik Nørgaard
Matt Juszczak wrote:
> Howdy,
> Trying to get IPFILTER and NFS working.  A google search didn't show 
> much about my specific issue.  With ipfilter working, nfs initially 
> works, until someone tries to login.  Then it stops working.  With my 
> firewall down on the NFS-CLIENT machine, it works fine.  Any ideas?
>
> It appears to be an issue with random ports

It is, NFS is an RPC service where the RPC daemon is asked for 
info on which port mountd binds to. I wrote a howto for diskless 
clients, www.daemonsecurity.com/pxe/ - here's what to do:

Enable nfs in /etc/rc.conf:

   rpcbind_enable="YES"        # Run the portmapper service (YES/NO).
   nfs_server_enable="YES"     # This host is an NFS server (or NO).
   mountd_enable="YES"         # Run mountd (or NO).
   mountd_flags="-r -p 59"     # Force mountd to bind on port 59

As a minimum you need to enable rpcbind, nfsserver and mountd. lockd and 
statd provide file locking and status monitoring. By default, when 
mountd starts it binds to some arbitrary port, and rpc is used to 
discover which, making it impossible to firewall. With option '-p' mountd 
can be forced to bind to a specific port. Port 59 is assigned to any 
private file service (see /etc/services).

This limits the number of ports relevant to 59, 111 and 2049. You can't 
force lockd and statd to bind to specific ports (they are also RPC 
services) and AFAIK you can't have disk quotas work correctly because of 
this.

AFAIK NFS4 should address these problems, but the NFS4 server is still 
experimental.

Till then, RPC is a security nightmare.

Erik
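
Added example, not part of the original post: one way to check the situation described above, by comparing the ports that RPC services registered with rpcbind against the three ports the firewall is expected to allow (59, 111, 2049). The `rpcinfo -p` listing is a constructed sample and the function names are this example's own.

```python
"""Audit `rpcinfo -p` output against the ports a static firewall rule can cover."""

# Ports named in the post: mountd pinned to 59, rpcbind on 111, nfs on 2049.
ALLOWED_PORTS = {59, 111, 2049}

# Constructed sample in the column layout `rpcinfo -p` prints.
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100005    3   udp     59  mountd
    100005    3   tcp     59  mountd
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100024    1   udp    987  status
    100021    4   udp    722  nlockmgr
"""


def parse_rpcinfo(text):
    """Return (program, version, proto, port, service) tuples."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the header and anything that is not a registration row.
        if len(fields) < 4 or not fields[0].isdigit():
            continue
        program, version, proto, port = fields[:4]
        service = fields[4] if len(fields) > 4 else "unknown"
        rows.append((int(program), int(version), proto, int(port), service))
    return rows


def audit(text, allowed=ALLOWED_PORTS):
    """Split registered services into those on allowed ports and the rest."""
    pinned, unpinned = {}, {}
    for _prog, _vers, proto, port, service in parse_rpcinfo(text):
        bucket = pinned if port in allowed else unpinned
        bucket.setdefault(service, set()).add((proto, port))
    return pinned, unpinned


def report(text, allowed=ALLOWED_PORTS):
    """One line per service, marking those a fixed port rule cannot cover."""
    pinned, unpinned = audit(text, allowed)
    lines = []
    for group, label in ((pinned, "ok      "), (unpinned, "UNPINNED")):
        for service in sorted(group):
            ports = ", ".join(f"{proto}/{port}"
                              for proto, port in sorted(group[service]))
            lines.append(f"{label} {service:<10} {ports}")
    return lines


if __name__ == "__main__":
    # statd registers as "status" and lockd as "nlockmgr"; both show up as
    # UNPINNED because their ports change between restarts.
    print("\n".join(report(SAMPLE_RPCINFO)))
```
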


Re: Rsync Setup

2005-04-03 Thread Erik Nørgaard
Robert Slade wrote:
> Hi, I'm trying to get my brain around rsync. What I am trying to do is
> synchronise 2 directories on different machines. I have an rsync server
> running on one machine and running it as a client on the other. I have
> been able to get this setup to work. However, it just syncs the
> directories on machine A with those on B. If B has a later version of
> the file on A it gets overwritten with the older version from A.
>
> I have done a fair bit of reading on rsync which leads me to believe
> that it will only work one way. Is this correct? If so, is there any
> other way of synchronising the 2 directories so that they end up with
> the latest version of the file(s) from either machine.

You can only do one way at a time, so what you need to do is:

  rsync options machine_A:/pathA machine_B:/pathB
  rsync options machine_B:/pathB machine_A:/pathA

Then what you need is to find the correct options so that the first 
rsync does not overwrite files that should have been synced the other 
way. Options -u and -t seem to do that.

You can do this as a batch script on just one of the machines, so you 
don't get any race conditions.

My options are -Cuvaz, but I only sync one way.

You should be careful: if clocks on the servers are out of sync, you 
may get syncing the wrong way! And you will have problems deleting 
files, this has to be done both places.

If you instead can assign one machine as master and the other as slave, 
so you only sync one way, then you avoid all these problems.

Cheers, Erik


Re: ipfilter.log

2005-04-04 Thread Erik Nørgaard
Francis Whittington wrote:
> Hi guys,
> I've been following this guide:
> http://www.unixguide.net/freebsd/fbsd_installguide/index.php
> So far I have gotten the firewall/router to work. Everything seems to be okay, 
> except I do not see anything being logged in ipfilter.log. My rc.conf options 
> are:
>
> moused_enable="YES"
> moused_port="/dev/psm0"
> moused_type="auto"
> moused_flags="-m 2=3"
> allscreens_flags="-m on -c blink -h 200"
> clear_tmp_enable="YES"
> hostname="gateway.fbsdbuds.com"
> saver="logo"
> ifconfig_rl0="DHCP"
> ipfilter_enable="YES"
> ipfilter_rules="/etc/ipf.rules"
> ipmon_enable="YES"
> ipmon_flags="-Ds"
> ipnat_enable="YES"
> ipnat_rules="/etc/ipnat.rules"
> ifconfig_rl1="inet 10.0.10.2 netmask 255.255.255.248"
> gateway_enable="YES"

Two things:

First: You can log directly to a file instead of through syslog:

  ipmon_flags="-D /path/to/logfile"

Second: Have you any rules in your ruleset with the log keyword?

Cheers, Erik
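
Added example, not part of the original thread: a small linter that answers the question asked above (does any rule carry `log`?) and applies the review points from the earlier "ipfilter problems" reply (log on block rules, keep state, explicit from/to, split by protocol) to the ruleset quoted in that post. The finding names are this example's own, and skipping loopback rules is an assumption.

```python
"""Lint an ipf.rules file against the review points made in the two replies."""
from collections import namedtuple

Rule = namedtuple("Rule", "lineno action tokens text")

# Ruleset quoted in the "ipfilter problems" post, wrapped lines rejoined.
SAMPLE_RULES = """\
pass in quick on lo0
pass out quick on lo0
pass out quick on rl0 all
pass in quick on rl0 all
pass in quick on rl1 proto tcp from 192.168.5.1/24 to 192.168.5.1 port = 80 flags S keep state
pass in quick on rl1 proto tcp from 192.168.5.1/24 to 192.168.5.1 port = 3128 flags S keep state
# local counter-strike server. No NAT.
pass in quick on rl1 from 192.168.5.1/24 to 192.168.0.50 keep state
block in quick on rl1 from 192.168.5.1/24 to any
pass out quick on rl1 all keep state
"""


def parse_rules(text):
    """Return the pass/block rules, ignoring comments and blank lines."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        tokens = line.split()
        if tokens and tokens[0] in ("pass", "block"):
            rules.append(Rule(lineno, tokens[0], tokens, line))
    return rules


def interface(rule):
    """Name after the `on` keyword, or None when the rule names no interface."""
    toks = rule.tokens
    if "on" in toks and toks.index("on") + 1 < len(toks):
        return toks[toks.index("on") + 1]
    return None


def keeps_state(rule):
    """True when the rule contains the two-word option `keep state`."""
    toks = rule.tokens
    return any(a == "keep" and b == "state" for a, b in zip(toks, toks[1:]))


def lint(text):
    """Return (line number, finding) pairs in file order."""
    findings = []
    for rule in parse_rules(text):
        if (interface(rule) or "").startswith("lo"):
            continue  # assumption: loopback rules are left alone
        if rule.action == "block":
            if "log" not in rule.tokens:
                findings.append((rule.lineno, "block-without-log"))
            continue
        if not keeps_state(rule):
            findings.append((rule.lineno, "pass-without-keep-state"))
        if not ("from" in rule.tokens and "to" in rule.tokens):
            findings.append((rule.lineno, "pass-without-from-to"))
        if "proto" not in rule.tokens:
            findings.append((rule.lineno, "pass-not-split-by-proto"))
    return findings


def logs_anything(text):
    """True if at least one rule carries the `log` keyword."""
    return any("log" in rule.tokens for rule in parse_rules(text))


if __name__ == "__main__":
    print("any rule with log keyword:", logs_anything(SAMPLE_RULES))
    for lineno, finding in lint(SAMPLE_RULES):
        print(f"line {lineno}: {finding}")
```
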


Re: sendmail

2005-04-04 Thread Erik Nørgaard
Gert Cuykens wrote:
> On Apr 1, 2005 9:59 AM, Erik Nørgaard [EMAIL PROTECTED] wrote:
>> As everyone else notes, this is not a job for e-mailing. Even if you
>> want to e-mail the file, it is not a job for sendmail. When you send
>> attachments they are typically base64 encoded, this explodes the file
>> from 5.5MB to about 8MB.
>>
>> You can cut it up in two ways: Use transcode to make shorter clips and
>> send separately or convert the file to base64, then cut it up manually
>> and ask your friend to concatenate the attachments and deconvert from
>> base64.
>>
>> The second option is the low tech - transcode is not designed to be user
>> friendly.
>>
>> But, as everyone suggests: Set up anon ftp, an apache webserver, or give
>> ssh access - all of these are faster, simpler and better. This is
>> possible if you are not NAT'ed and have a reasonably fixed ip.
>
> well i can setup a ftp but then i have to leave my pc on all the time
> , people need to sleep you know and i can't sleep with
> PR in the background. irc wasn't made
> to send files either and look at it now , it's more popular than ftp :)

more popular does not mean better, just more popular.

> So how do i get a movie in my friends mailbox using sendmail ? I was
> thinking in the lines of sendmail -t [EMAIL PROTECTED] -a movie.mpeg -m
> hello.txt -s hello ?

There is a trick you may find handy: man mail - it tells you all about 
the options and stuff. Then you'll find that something along the lines

 'cat movie.mpeg | mail -s movie [EMAIL PROTECTED]'

will fail, because you first have to convert your movie.mpeg to base64 
and wrap the lines at every 72 characters.

But otherwise you do something like this:

  'cat body | mail -s subject [EMAIL PROTECTED]'

and the format of body is described in rfc2822 and others, eg. the 
mime-stuff in rfc2045-2048+/-

Read that, if you still have problems, then ask again.

It still may fail because the recipient won't take large mails, so you 
will have to chop it up as explained in previous mail.

Cheers, Erik


ssh key fingerprints

2005-04-04 Thread Erik Nørgaard
Hi,

How do I see the fingerprints of my ssh keys, both user and host keys?

I know I can get the fingerprint of the host key by removing the host 
from my known hosts and connecting, but there ought to be some more 
straightforward way, and what about the user keys?

And how do I determine the key length from the public key file?

Thanks, Erik


Re: DHCP failing with WiFi after 6.0 upgrade

2005-12-02 Thread Erik Nørgaard

Jesse Sheidlower wrote:

> I recently took my IBM ThinkPad X23, which had been running 4.11, and
> did a fresh install (backup files, wipe disk, install from scratch)
> to 6.0. Most things have gone smoothly, though there are still a few
> things to iron out.
>
> My biggest problem is that I can't seem to get DHCP to work with my
> wireless card. I have an Orinoco Gold 802.11b card that's always worked
> fine; I'm about to replace it with something else for 802.11g with a
> new WAP.
>
> There seem to be minor differences in how the card goes in; under 4.11
> I would get various beeps when I plugged it in and after it associated,
> but now it's silent. And I had to remember to load WEP in my kernel.
> But I can seem to get things started by issuing the command
>
>   ifconfig wi0 ssid jesterWAP wepmode on wepkey 0x[DELETED]
>
> which does seem to successfully reach my WAP:
>
>   # ifconfig wi0
>   wi0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>           inet6 fe80::202:[DELETED] prefixlen 64 scopeid 0x3
>           ether 00:02:[DELETED]
>           media: IEEE 802.11 Wireless Ethernet autoselect (DS/2Mbps)
>           status: associated
>           ssid jesterWAP channel 6 bssid 00:[DELETED]
>           stationname FreeBSD WaveLAN/IEEE node
>           authmode OPEN privacy MIXED deftxkey UNDEF wepkey 1:104-bit txpowmax 100 bintval 100
>
> I can't seem to get a DHCP lease, however:
>
>   # dhclient wi0
>   DHCPDISCOVER on wi0 to 255.255.255.255 port 67 interval 5
>   DHCPDISCOVER on wi0 to 255.255.255.255 port 67 interval 13
>   DHCPDISCOVER on wi0 to 255.255.255.255 port 67 interval 7
>   DHCPDISCOVER on wi0 to 255.255.255.255 port 67 interval 8
>   DHCPDISCOVER on wi0 to 255.255.255.255 port 67 interval 13
>   DHCPDISCOVER on wi0 to 255.255.255.255 port 67 interval 15
>   No DHCPOFFERS received.
>   No working leases in persistent database - sleeping.
>
> (Under 4.11, I didn't get any verbose output from dhcpclient.)
>
> I can get a DHCP lease with fxp0, my Ethernet card; also, some 
> Macs in the house have no problem getting leases through the
> WAP. (The DHCP server is in a separate router, not in the WAP.)
>
> Is there something that's changed under 6.0, or is there just
> something I'm forgetting to do? I do plan to get a new card,
> but I want to get this working too.

Just about everything about dhclient has changed. The dhclient from ISC 
has been replaced by a complete new development from the OpenBSD team. 
Options that previously worked are no longer recognized. Among these 
options are the options to configure what wireless network to associate 
with.

Also, added is wpa_supplicant which is used to choose the WLAN to 
connect to.

If there are other WLAN's in your neighbourhood and you have not 
configured wpa_supplicant, it is likely that you associate with the 
wrong network and that network doesn't offer a lease.

One thing to do, mostly for testing: Reset completely your card so it 
does not appear to be associated with any network. When you run dhclient 
and it fails, you should at least be able to see what network it is 
associated with if any.

So, read up on the man-pages, and start over.

Cheers, Erik



Re: Thanks for FBSD6

2005-12-07 Thread Erik Nørgaard

Dominique Goncalves wrote:


>> basically the meat of the script looks like:
>>
>> ifconfig ath0 ssid my wireless network
>> dhclient ath0
>>
>> if someone can tell me what /etc/rc.conf options i need to set to
>> duplicate that, that would be cool.  i played around with it for a while
>> but never got it to work without my custom script.
>
> You can use in /etc/rc.conf:
>
> ifconfig_ath0="DHCP ssid your_ssid"

That's FreeBSD 5.X and prior way of doing it. The suggested way to 
config your wireless is with wpa_supplicant(8). In rc.conf add:

wpa_suplicant_enable=YES
ifconfig_ath0=DHCP

and create wpa_supplicant.conf:

network={
ssid=MyWireless
mode=11g
}

The neat thing is that you can configure multiple networks and 
wpa_supplicant will try them in order.

Note that dhclient was replaced with the new OpenBSD implementation in 
FBSD6, and wpa_supplicant introduced to handle association with wireless 
networks.

Cheers, Erik


Re: Thanks for FBSD6

2005-12-07 Thread Erik Nørgaard

Erik Nørgaard wrote:


> and create wpa_supplicant.conf:
>
> network={
> ssid=MyWireless
> mode=11g
> }

Of course there are more options, see wpa_supplicant.conf(5), I just now 
see that I've used 11g incorrectly. Well, another thing that maybe 
someone can highlight:

Say you configure two (or more) networks, one uses dhcp the other static 
ip, or they use two different static ip's. How to go about that?

Thanks, Erik



Re: Copying kernel and OS

2005-12-07 Thread Erik Nørgaard

Jack Raats wrote:

> I've two machines running FreeBSD 6.0-STABLE.
> One very fast machine and one very very slow machine. On the fast 
> machine I can compile a new kernel and OS very quickly and easily.
> Is it possible to transfer the compile world and kernel to the slow 
> machine. If yes what directories etc... do i have to transfer.

see the handbook, this section seems for you:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/small-lan.html

Erik


Re: Thanks for FBSD6

2005-12-07 Thread Erik Nørgaard

Dominique Goncalves wrote:

>>> You can use in /etc/rc.conf:
>>>
>>> ifconfig_ath0="DHCP ssid your_ssid"
>>
>> That's FreeBSD 5.X and prior way of doing it. The suggested way to
>> config your wireless is with wpa_supplicant(8). In rc.conf add:
>
> According to this documentation
> http://www.freebsdmall.com/~loader/en_US.ISO8859-1/articles/wireless/article.html
> this syntax is ok on 6.0, but I don't know if the order of arguments
> have an importance.


Yes, you're right, it works - I'm not sure of the order either. What 
doesn't work anymore is the ancient possibility of including these 
options in dhclient.conf

However, wpa_supplicant is needed to handle encryption keys etc. And 
then comes the neat feature of supporting multiple networks.

Cheers, Erik


Re: Projects List page

2005-12-10 Thread Erik Nørgaard

pete wright wrote:

> Saw the newly posted list of projects that need volunteers.  One
> project in particular caught my eye:
>
> http://www.freebsd.org/projects/ideas/#p-pxeinstaller
> (FreeBSD PXE Install support)
>
> I do not see an email contact regarding this, has anyone started
> working something like this?

In the bottom is a list of people associated with a group of projects, 
so I guess you can write to one of them and ask and/or volunteer.

I don't know what exactly they have in mind, they write good PXE 
knowledge is required, but I see the main task to provide a good UI.

I see two things to do:

1) preconfiguring a server
2) configuring the pxe-install

1) is the easy part: You just need the live disk to be preinstalled with 
isc-dhcpd (or similar) and tftp preconfigured. I guess ftp-install would 
be the viable method using an external ftp-server, else a native ftp 
server should be preconfigured and populated with install files.

The problem is 2) It's fairly easy to create a memory disk boot image 
that is fetched with tftp.

The problem is that this contains the script file that scripts the 
installation and that script should be customizable. The script is a 
sysinstall script and sysinstall is largely undocumented in this regard.

Further sysinstall, AFAIK, is regularly suggested for an overhaul, and 
it is at least listed for a minor update on the project list.

So, in my point of view, the obvious solution would be to work on 
sysinstall, adding an option save configuration which would generate 
the script. Then we only need to save it in the memory disk image.

I don't know if the listed network people are reading this, or maybe 
those who are not yet responsible for sysinstall.

But I would be interested in working on this... (well, not exactly 
sysinstall as much as the easy parts :-)

Cheers, Erik


Re: Adding lines to /etc/rc.conf during sysinstall wihout being REMOVED

2005-12-16 Thread Erik Nørgaard

Josh Endries wrote:


> Does anyone know the correct way to add lines to rc.conf without
> sysinstall commenting them out and prepending REMOVED to them,
> during an automated install.cfg routine? Currently I have a pkg I
> made that adds stuff like ntp.conf and rc.conf, but all the lines in
> my custom rc.conf are removed after the script finishes.
>
> I looked through the code for sysinstall but didn't see any way to
> disable this behavior (my C isn't very good). What would be the
> correct way to do this? I'm now having my pkg install a rc.d script
> which cat's  /etc/rc.conf...

could you post your install.cfg?

Cheers, Erik



Re: Adding lines to /etc/rc.conf during sysinstall without being REMOVED

2005-12-16 Thread Erik Nørgaard

Josh Endries wrote:


Here is my install.cfg:

debug=YES
#nonInteractive=YES
#noWarn=YES

disk=ad0
partition=all
bootManager=standard
diskPartitionEditor
#diskPartitionWrite

ad0s1-2=swap 4194304 none
ad0s1-1=ufs 524288 /
ad0s1-3=ufs 19531250 /home 1
ad0s1-4=ufs 2097152 /tmp 1
ad0s1-5=ufs 19531250 /usr 1
ad0s1-6=ufs 0 /var 1
diskLabelEditor
diskLabelCommit

hostname=test
netDev=vr0
nfs=192.168.0.3:/var/export/6.0-RELEASE/
tryDHCP=YES
mediaSetNFS

#nameserver=192.168.0.7

dists=base
distSetCustom

installCommit


...

command=cp /dist/pkgtools.conf /usr/local/etc
system
command=sed -i '' 's/md5/blf/' /etc/login.conf
system
command=cap_mkdb /etc/login.conf
system
command=pkg_add /dist/packages/All/my_base.tgz
system

shutdown


have you considered

command=shutdown
system

? it may not be the nicest way to do things though.


After sysinstall's shutdown and reboot, it comments out these
lines (using #REMOVED: %s). Converting them to something like this
in install.cfg didn't help, regardless of quotes:

command=echo sshd_enable=YES  /etc/rc.conf
system


two things:

try this before shutdown:

command=cp /etc/rc.conf /tmp/rc.conf
system

and also try to echo like this:

command=echo 'sshd_enable=YES'  /etc/rc.conf

I don't know how sysinstall treats quotes.

Well, honestly, I don't _know_ the answer to your question, but I hope 
this helps.


Cheers, Erik



Re: Wireless NIC in FreeBSD 6.0 ?

2005-12-25 Thread Erik Nørgaard

Yuan Jue wrote:


ath0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500
inet 166.111.208.137 netmask 0xfe00 broadcast 166.111.209.255
ether 00:11:85:1b:21:79
media: IEEE 802.11 Wireless Ethernet autoselect (OFDM/36Mbps)
status: associated
ssid A314b channel 11 bssid 00:09:5b:d1:fa:c4
authmode OPEN privacy OFF txpowmax 30 protmode CTS bintval 100

PING 166.111.8.28 (166.111.8.28): 56 data bytes
ping: send to: No route to host
it means I cannot connect to the internet even when I have got the
wireless card an IP address using DHCP. WHY?

can anybody help on this? any suggestion would be much appreciated.


Take a close look at the ip/broadcast of your nic and the ip of the host 
 you're trying to ping.


Your NIC: 166.111.208.137/23
Your DNS: 166.111.8.28

They are not on the same network as far as I can see.

Now, check that you have the default route set,

# route -n get default

Cheers, Erik



Re: Wireless NIC in FreeBSD 6.0 ?

2005-12-25 Thread Erik Nørgaard

Erik Nørgaard wrote:


Your NIC: 166.111.208.137/23
Your DNS: 166.111.8.28


Just now when I think of it, maybe you meant to ping 166.111.208.28?

Cheers, Erik



Re: Wireless NIC in FreeBSD 6.0 ?

2005-12-25 Thread Erik Nørgaard

Yuan Jue wrote:

On Sunday 25 December 2005 19:53, you wrote:
yes. they are not on the same LAN.
but when I use my local NIC to connect the internet, everything is fine.
the following is how my local NIC works:

[EMAIL PROTECTED] ifconfig
bge0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500
options=1aTXCSUM,VLAN_MTU,VLAN_HWTAGGING
inet 166.111.208.204 netmask 0xfe00 broadcast 166.111.209.255
ether 00:0d:9d:90:e0:68
media: Ethernet autoselect (100baseTX full-duplex)
status: active
lo0: flags=8049UP,LOOPBACK,RUNNING,MULTICAST mtu 16384
inet 127.0.0.1 netmask 0xff00
[EMAIL PROTECTED] ping 166.111.8.28
PING 166.111.8.28 (166.111.8.28): 56 data bytes
64 bytes from 166.111.8.28: icmp_seq=0 ttl=251 time=0.525 ms

why does this work? it has the same netmask and broadcast address
as the wireless NIC. Any more explanations? 


OK, now, if you have two nic's configured for the same lan things get 
weird. Try


# ifconfig bge0 down

And, check that default route is set correctly.

I think the default route binds not only to an ip but also to the 
interface that connects to that network, so maybe you have configured 
both bge0 and ath0 and default route set to go out bge0. Now, when you 
disconnect bge0 and try to ping, your ping is not sent on ath0 as you 
might think but on bge0.


To check this kind of problems, use snort to sniff what's actually 
leaving your interface.


Cheers, Erik


Re: Wireless NIC in FreeBSD 6.0 ?

2005-12-25 Thread Erik Nørgaard

Yuan Jue wrote:


one more question
since I use a fixed IP address in my dormitory and a dynamic IP address
in the classroom or library, i need to change my local NIC configure from
time to time. In fact, I use the fixed IP address as my default setting, which
is as follows:

what is the right way to do it? or is there any better solution for my 
situation? 


Try to take a look at dhclient.conf(5) and dhclient(8) and set all 
interfaces to be configured with dhcp. I think it should be possible to 
configure default values so there is something to fall back on if a 
lease is not obtained.


Note that dhclient is new in FBSD 6, this is also why you had to take 
down the other interface. The old dhclient would reset all dhcp 
configured interfaces, the new doesn't, which is quite neat because 
usually you would have the two interfaces connected to /different/ networks.


Cheers, Erik


Re: Help with IP Filter 4.1.8

2006-03-11 Thread Erik Nørgaard

Roman Serbski wrote:


Start over with a clean /usr/src and /usr/obj tree and read the file
``/usr/src/UPDATING'' for instructions about upgrading from source.


Dear Erik and Giorgos,

Thanks a lot for your assistance! I just cvsuped one hour ago,
build/install kernel/world and now everything is working just fine! I
had probably a bad luck during first cvsup...

One last question (just for curiosity). What is the procedure for
_upgrading_ of ipf? I mean, since ipf is already included in the base
(v4.1.8), is it possible to upgrade it to v4.1.10?


The ipf source is as I understand it compiled as kernel modules or into 
the kernel and some administrative applications are compiled to interact 
with the kernel.


Hence, as mentioned by Giorgos, upgrading by downloading the source from 
the official site should be done with care. The recommended way is as 
Giorgos says to update your source and go with the current version 
included in FreeBSD.


When I suggested to look at more recent versions it was more to check 
the history and see if there was some bug discovered in 4.1.8 that had 
been corrected and could have been causing your troubles.


If there are such bugs you should file a problem report. If changes are 
minor it may be possible to merge the newer version into the FreeBSD 
code, but at the cost that on next cvsup you will have to do it again 
unless the newer version has been adopted.


If there are no such problems, don't bother to update. In such a crucial 
part of the system it is important to be aware of the actual benefit 
from upgrading.


Cheers, Erik



Re: Arplookup strange messages

2006-03-11 Thread Erik Nørgaard

Pietro Cerutti wrote:

Hi list,
today in the daily security report (periodic) of a i386 machine there
is this message repeated about 30 times:
+arplookup 0.0.0.0 failed: host is not on local network


From rfc 3330:

   0.0.0.0/8 - Addresses in this block refer to source hosts on this
   network.  Address 0.0.0.0/32 may be used as a source address for this
   host on this network; other addresses within 0.0.0.0/8 may be used to
   refer to specified hosts on this network [RFC1700, page 4].

I think in packet filter you can specify 0/32 and it will automatically 
be replaced by the ip on the relevant interface, this is useful when you 
have nics configured with dhcp.


However, not all programs support this and will instead try to make an 
arplookup which is bound to fail.


So first question is, what program causes this arplookup?

- Do you in your firewall rules specify 0/32?

- Do you have correctly set antispoofing?

If your firewall does not drop packets from 0/8 then it may try to send 
a response to the invalid ip.


- Do you have dhcp configured somewhere for some host?

IIRC dhcp requests are sent with source 0/32 to destination 
255.255.255.255/0 (rfc 2131). Your firewall may (it shouldn't, but check 
anyway) incorrectly try to route it if you don't have the antispoofing 
setup. If dhcp configuration fails, sometimes the interface gets 
assigned the address 0/32 unless some fallback has been configured.


This could be a client on your network that is misconfigured.


The machine is the router (ipnat) and firewall (ipfilter) for a small
home network.
It runs postfix, sshd and nfsd.


My guess is to take a look at your firewall rules and check if there are 
any misbehaving dhcp clients.



Since I'm away from home now, I can't sit in front of it and check
what's wrong. Furthermore, it seems that the machine is not accepting
ssh logins anymore, after those strange messages.


Well, then you have a problem correcting this - maybe someone can reboot 
the machine for you?


Hope this helps, Erik



Re: resolv.conf getting rewritten at system startup

2006-03-16 Thread Erik Nørgaard

Duane Whitty wrote:


I use  DHCP to configure my network interface.
At startup my resolv.conf is overwritten, setting my
nameserver to the address of the router running DHCP.


dhclient, also the new one updates /etc/resolv.conf with the information 
received from the dhcp server. You can change things by configuring 
dhclient editing /etc/dhclient.conf


see dhclient.conf(5) and dhcp-options(5)

Cheers, Erik
--
Ph: +34.666334818  web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID:  9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9


Solved, sort of: configuring fetch to passive mode

2006-03-17 Thread Erik Nørgaard

Erik Norgaard wrote:

This ought to be a configuration tunable, but I can't find any 
documentation on it: How do I force fetch to use passive mode?


It appears that this is indeed an environment variable, and is further 
set in login.conf, so this turned out not to be the cause of the problem.


Instead, it seems that there is a problem with pf to be investigated.

Thanks for listening :) and to those who replied of course.

Cheers, Erik


Re: 6.1-BETA 4 stable for normal use?

2006-03-22 Thread Erik Nørgaard

Marc G. Fournier wrote:
I am using 6.1-PRERELEASE which has actually been upgraded from 
6.1-BETA3. The system as such is stable, but there are some nuisances.
These are not fatal in any way but may cause confusion. So in 
particular if you're new to FreeBSD, better stay with 6.0.


Like ... ?


Well, I have another machine at work which for some yet unknown reason 
requires me to reload the pf rule set in order to fetch - I posted on 
that last week.


And I have minor errors like when I run man pf.conf and exit the 
man-page then I get this error:


col: write error
grotty:standard input (standard input):31713:fatal error: output error

Not all manpages give that though.

Cheers, Erik



Re: 6.1-BETA 4 stable for normal use?

2006-03-22 Thread Erik Nørgaard

Kris Kennaway wrote:

On Wed, Mar 22, 2006 at 09:55:34PM +0100, Erik Nørgaard wrote:

Marc G. Fournier wrote:
I am using 6.1-PRERELEASE which has actually been upgraded from 
6.1-BETA3. The system as such is stable, but there are some nuisances.
These are not fatal in any way but may cause confusion. So in 
particular if you're new to FreeBSD, better stay with 6.0.

Like ... ?
Well, I have another machine at work which for some yet unknown reason 
requires me to reload the pf rule set in order to fetch - I posted on 
that last week.


And I have minor errors like when I run man pf.conf and exit the 
man-page then I get this error:


col: write error
grotty:standard input (standard input):31713:fatal error: output error


Did you file PRs?  If not, and you only posted to this list, your
emails did not reach any of the relevant people.


No, I need to investigate more and ensure me that it has not been a 
passing error.


For example, the mentioned problem with pf, I first thought it was a 
misconfiguration problem that fetch didn't use passive ftp, in which 
case this was the right forum.


Then by accident I discovered that reloading the ruleset solved the 
problem. Rebooting, I would have the problem again until a new reload of 
the ruleset.


I then tried at home to repeat on a different machine which had been 
updated almost at the same time but without luck. So, there may be 
some error in updating or that very snap I got. In any case I need to 
investigate that more.


And the other error, I have now tried and found that it appears only in 
Eterm, not in xterm or on the console. It may have been introduced as 
the ports version is now 0.9.3_4.


Cheers, Erik



Re: How to start a script running at boot time?

2006-03-23 Thread Erik Nørgaard

[EMAIL PROTECTED] wrote:

Hi,

I have a script I would like to launch at boot time, as a non-root 
user,  to remain running in the background.  What is the best way to 
accomplish this?  I looked through the rc* stuff, and it looks like 
overkill for what I need, plus my scripting isn't that strong either.


I know I can do something like:   su - user -c script_to_run
But I don't even know what's the best place to include that.

Any suggestions, or examples?


A sample script could be /etc/rc.d/sysctl, it contains a block 
sysctl_start() which is executed when you run # /etc/rc.d/sysctl start


Using that as a sample you can insert your custom startup code.

Cheers, Erik



Re: How do you keep users from stealing other user's ip??

2006-03-23 Thread Erik Nørgaard

Mark Jayson Alvarez wrote:

Good day,
  
  
  We are trying to reorganize our local area network and I need some tips on how you are managing your own lan...
  
  We have a vanilla pc router with interface facing our private lan and interface facing the Internet.
  
 One problem which we are experiencing right now is that any user from private lan can use any ip address he wants. If he boots his computer with a stolen ip address, the poor owner of that machine(not active at the moment) will give automatically up his ip address to this user. The same scenario for public ip addresses. Basically, we need to track down the users through their ip address.. But this is trivial as of now since anyone can use any ip he wants. Even if there is a solution out there to tie up his mac address to his ip address..(sort of checking the mac first before giving him an ip, possibly through dhcp..) still, users can just download applications which will enable him to change his mac address
  
 Now, we're thinking about authenticating users before he is allowed to use a particular network service(internet proxy, mail etc.) because I guess it is a clever way of keeping the bad users from doing something bad within your network when after all, the reason why he is plugging his lancard to the network is to use a particular service. However, it still doesn't keep them from playing around and steal other ip addresses or mac addresses and thus denying network access to those legitimate owners. I'm thinking about tying dhcp with authentication, and freeradius comes to mind.. I just need some more tips from you. User's workstations are mixed Windows and *nixes. Some have laptops with wireless interfaces.
  
  Any idea how to handle this situations??


I once set up such a solution in a student house with about 120 users. 
People had their own private pcs so we couldn't just take away their 
admin rights on their own pc.


Now, question to ask:

- Are all users legitimate users? Do users have friends coming in and 
connect to the network? is it wired or do you have neighbors trying to 
use the net also?


- What is the benefit of stealing another user's ip? Do you have 
limitations on access such as download? Is it to hide behind another user?


In our case we had a wired network, so all users were legitimate users, 
but we had a limitation on download so some users would try to use their 
neighbor's ip to get more quota.


What we did was:

1) Static ip assigned with dhcp - people wouldn't need to learn to 
configure their computer.


2) Static arp table on router, to spoof, one would have to spoof 
mac-address.


3) Require registration of all hosts owned by the user: To hold users 
accountable for their hosts.


4) Count traffic per host, up and download, this was done with ipfilter.

5) Make current usage visible, the users could always check their quota 
and knew when they hit the limit. That way they didn't get surprises and 
annoyed.


This actually worked fine. It was sufficiently complicated to spoof that 
people wouldn't bother.


A different and possibly better way around this would be to limit 
bandwidth for ports higher than 1023, this is where most file sharing 
takes place. You can do that with packet filter, I still haven't figured 
how to effectively implement traffic quotas on packet filter as 
accounting is not so easy.


If your concerns are people trying to hide behind others identity, or 
unauthorized access such as if you have a wireless lan, then there are 
two good options:


1) Use authpf with packet filter. This requires the user to authenticate 
with the firewall to get access. No proxy needed.


2) Let each client establish a VPN to the router, this has the 
advantage of also encrypting traffic if you have a wireless or 
non-switched network.


Cheers, Erik

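The scheme described in the reply above (static DHCP leases, a static ARP table on the router, registration of hosts, and per-host traffic counting with ipfilter), as an added example that is not part of the original post. The registry format, the interface name em1 and all addresses are assumptions made for illustration; the generated lines use ISC dhcpd host declarations, the file format read by `arp -f`, and ipf `count` rules.

```shell
#!/bin/sh
# Added example, not from the original post. One registry of hosts drives
# every enforcement point, so DHCP, ARP and accounting cannot drift apart.
# Registry format (hypothetical): owner hostname mac ip
# The entries below are constructed sample data.
REGISTRY='alice  alice-pc    00:11:22:33:44:01  192.168.10.11
bob    bob-laptop  00:11:22:33:44:02  192.168.10.12
carol  carol-pc    00:11:22:33:44:03  192.168.10.13'

# Registration check: report any MAC or IP claimed by two entries.
check_registry() {
    printf '%s\n' "$1" | awk '
        NF == 0 { next }
        NF != 4 { print "malformed line " NR; next }
        {
            mac = tolower($3)
            if (mac in mac_owner) {
                print "duplicate mac " mac ": " mac_owner[mac] ", " $1
            } else {
                mac_owner[mac] = $1
            }
            if ($4 in ip_owner) {
                print "duplicate ip " $4 ": " ip_owner[$4] ", " $1
            } else {
                ip_owner[$4] = $1
            }
        }'
}

# Static IP assigned with DHCP: one host declaration per registered machine.
emit_dhcpd_hosts() {
    printf '%s\n' "$1" | awk 'NF == 4 {
        printf "host %s {\n  hardware ethernet %s;\n  fixed-address %s;\n}\n", $2, $3, $4
    }'
}

# Static ARP table on the router: "address ether_addr" lines for arp -f.
emit_arp_file() {
    printf '%s\n' "$1" | awk 'NF == 4 { print $4, $3 }'
}

# Per-host accounting on the LAN-facing interface ($2, an assumption):
# "in" counts what the host sends (upload), "out" what it receives (download).
emit_ipf_counters() {
    printf '%s\n' "$1" | awk -v ifn="$2" 'NF == 4 {
        printf "count in on %s from %s/32 to any\n", ifn, $4
        printf "count out on %s from any to %s/32\n", ifn, $4
    }'
}

problems=$(check_registry "$REGISTRY")
if [ -n "$problems" ]; then
    # Refuse to generate anything from an inconsistent registry.
    printf '%s\n' "$problems" >&2
else
    emit_dhcpd_hosts "$REGISTRY"        # for dhcpd.conf
    emit_arp_file "$REGISTRY"           # load on the router with arp -f
    emit_ipf_counters "$REGISTRY" em1   # append to the ipf rule file
fi
```

As the reply notes, a static ARP table only raises the bar: a user who also changes the MAC address still gets through, which is why authpf or a per-client VPN is suggested where identity matters.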


Re: Not an easy install

2006-03-25 Thread Erik Nørgaard

Tim wrote:
Why couldn't you guys make a install easy instead of this and that, ok I 
am a newbie and it should be easy, I have installed Ubuntu, it was like 
a dream, smooth as silk, Fedora pretty much the same FreeBSD, it's a 
nightmare if you have never done it, I am now reloading windows and then 
putting back Ubuntu, unless someone over there can make it simple even 
for me.


If you want simple installation why don't you stick to windows?

This question is a faq, improving the installer is low priority. The 
fact is that most FreeBSD users don't really care:


It works, it installs, and once you've got your system installed you'll 
never use it again. There is no need for an annual reinstallation as 
some other OS'es tend to require. So your initial effort to get started 
pays off, I think.


Cheers, Erik



Re: Urgent Help needed: How to boot in single user mode with usb keyboard

2006-03-26 Thread Erik Nørgaard

Ian Lord wrote:

Hi,

I am currently in a maintenance window trying to rebuildworld...

I am doing it on a dell poweredge with a built in drac which emulates a 
usb keyboard...


When I need to boot on the drac, I need to use boot with usb keyboard in 
the menu...


Now I need to boot in single mode WITH usb keyboard and I can't figure 
out...


I saw in a post that I could do the following in boot loader:

set hint.atkbd.0.flags=0x1
boot -s


Is the kernel you boot built with support for usb keyboard? if not, I 
think you can do something like


load ukbd
boot -s

you may also need some other modules depending on your hardware.

Cheers, Erik


Cyrus-IMAP disallowing clear text connections

2006-03-26 Thread Erik Nørgaard

Hi:

I have a Postfix/Cyrus-IMAP setup, Postfix requires TLS and user 
authentication to relay mail, and cyrus requires TLS and user 
authentication to retrieve mail. Or so I thought:


I just tested to see that things were in fact encrypted and unencrypted 
connection was refused, works fine for Postfix but Cyrus-IMAP accepts 
unencrypted connections _and_ authentication even though I have set the 
following in imapd.conf


  allowplaintext: yes
  allowplainwithouttls: no

How do I force the use of TLS for Cyrus-IMAP?

Also: Postfix allows hiding authentication mechanisms unless TLS is 
invoked (so in clear text, capabilities just show STARTTLS), while 
Cyrus-IMAP announces everything. Is there any way to be more strict with 
the cyrus in respect of what it announces?


Thanks, Erik



Re: Cyrus-IMAP disallowing clear text connections

2006-03-27 Thread Erik Nørgaard

Anish Mistry wrote:

On Sunday 26 March 2006 16:37, Erik Nørgaard wrote:

Cyrus-IMAP accepts unencrypted connections _and_ authentication
even though I have set the following in imapd.conf

   allowplaintext: yes
   allowplainwithouttls: no

How do I force the use of TLS for Cyrus-IMAP?

Also: Postfix allows hiding authentication mechanisms unless TLS is
invoked (so in clear text, capabilities just show STARTTLS), while
Cyrus-IMAP announces everything. Is there any way to be more strict
with the cyrus in respect of what it announces?



sasl_minimum_layer: 128


Thanks, but that doesn't do it, everything still goes through nice and 
clear unless I set the client to use TLS.


Erik



Re: User unknown?

2006-03-27 Thread Erik Nørgaard

Guillaume R. wrote:

Hello
I'm trying to setup (for the first time under FreeBSD!) my usual setup
to read my mail (postfix+fm+procmail+mutt)
But I got a serious problem: when I try to fetch the mails for my user
those mails dont go in /var/mail/my_user but *always* in
/var/mail/root...
I read all the mails I receive from the system and I could see that on
this box my_user is...unknown so I can't having those mails in a
normal way.
Does anyone could help me by telling me which files I must modify so
that it works (I suppose I got to change my hostname too but I cant
find any /etc/hostname file...)
Thx
PS:btw does anyone remember the option so that fetchmail fetch *all*
the mails (the one non-read and the other one read as well)?
Thx again


Sounds like you're coming from Linux?

Did you add the user? can you login as that user?

If you pasted the user info into master.passwd then you need run 
pwd_mkdb to update the db files. If you pasted into passwd, then that's 
not the way to do it.


Use pw(8) to add users and keep files correctly updated.

You set hostname in rc.conf.

Cheers, Erik


Re: ipnat syntax error?

2006-04-01 Thread Erik Nørgaard

Juergen Heberling wrote:

Could someone please check me on this ...

fw1# ipnat -CFn -f /etc/ipnat.rules
0 entries flushed from NAT table
1 entries flushed from NAT list
syntax error error at -, line 1

/etc/ipnat.rules contains:
map  em0 192.168.1.0/24 - 204.134.75.1-10
.. snip ..

line 1 in the rules file is the example from the FreeBSD handbook.
I'm running FreeBSD6.0 stable.


It seems to be a documentation bug, the ipf-howto.txt distributed with 
ipfilter makes no mention of that notation, instead you should use cidr 
notation, for example


  204.134.75.0/29

Erik




Re: ipnat syntax error?

2006-04-02 Thread Erik Nørgaard

Juergen Heberling wrote:

/etc/ipnat.rules contains:
map  em0 192.168.1.0/24 - 204.134.75.1-10
.. snip ..


I tried your suggestion of using the cidr notation format and that works; 
thank you!


However I am concerned about overlapping mappings in the cidr range with 
host-to-host maps - my cidr range is a /28, for example,
and I want to map (spoof) some IP address in the middle to, say the web 
or mail servers.  In order to avoid the overlap I was counting on the 
range specification on the map command.


Well, my suggestion is not to exhaust your precious /28 address space 
right away. And don't make your life unnecessarily difficult, why choose 
the addresses in the middle for bimap?



Rather than using all your external ip's right away I would save some 
for later expansion, and reserve one for debugging. You may need to 
connect a laptop on the external net to figure out what's going on. You 
could do this: x.x.x.0/29 to servers (bimap), x.x.x.8/30 debug and 
future expansion (not mapped), x.x.x.12/30 map for lan clients.


If you stick to cidr you can also write your filter rules in cidr making 
it far easier to read and maintain.


For the mapping, and bimapping consider this:

The /24 network you want to map, it contains at most 254 hosts. If you 
map that network to a single ip, then each host can establish at least 
256 simultaneous connections. My experience is that this is far more than 
needed in most normal operating environments. I'd suggest using the same 
ip as on the firewall external interface.


If the purpose of binatting is to make one service available, http say, 
then you may consider using rdr. IIRC you can also use rdr to round 
robin load balancing incoming connections.


That way you can have one host serving http and another serving smtp on 
the same external ip. The only reason to use different ip's is if you're 
hosting a number of https servers, each need a different ip.


There's no point in bimapping all ports on a external ip to one single 
internal ip if most of them are blocked by the filter.


Cheers, Erik
--
Ph: +34.666334818  web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID:  9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9
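
One way to check a split like the one suggested in the reply above for overlapping external addresses before loading it (an added example, not part of the original message). 203.0.113.0/28 stands in for x.x.x.0/28, the internal server addresses and helper names are hypothetical, and only rules of the form `<cmd> <if> <internal> -> <external>` are parsed.

```python
import ipaddress

# Constructed stand-in for the poster's /28 (x.x.x.0/28 in the reply).
BLOCK = ipaddress.ip_network("203.0.113.0/28")

# The split suggested in the reply: servers bimapped inside .0/29,
# .8/30 left unmapped, LAN clients mapped to .12/30.
PLAN = """\
bimap em0 192.168.1.10/32 -> 203.0.113.1/32
bimap em0 192.168.1.11/32 -> 203.0.113.2/32
map em0 192.168.1.0/24 -> 203.0.113.12/30
"""

# The layout the poster was worried about: a host mapping in the
# middle of a range that is also used for the LAN clients.
OVERLAPPING = """\
map em0 192.168.1.0/24 -> 203.0.113.0/28
bimap em0 192.168.1.10/32 -> 203.0.113.5/32
"""


def parse_rules(text):
    """Return (lineno, cmd, internal_net, external_net) for each map/bimap line."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("map", "bimap") or fields[3] != "->":
            raise ValueError(f"line {lineno}: unsupported rule: {line!r}")
        rules.append((lineno, fields[0],
                      ipaddress.ip_network(fields[2]),
                      ipaddress.ip_network(fields[4])))
    return rules


def external_overlaps(rules):
    """Pairs of rules whose external (right-hand) address sets intersect."""
    found = []
    for i, first in enumerate(rules):
        for second in rules[i + 1:]:
            if first[3].overlaps(second[3]):
                found.append((first[0], second[0], str(first[3]), str(second[3])))
    return found


def unmapped(rules, block):
    """Addresses of the block no rule refers to, collapsed into CIDR networks."""
    used = {addr for rule in rules for addr in rule[3]}
    free = [addr for addr in block if addr not in used]
    return [str(net) for net in ipaddress.collapse_addresses(free)]


def main():
    for name, text in (("suggested split", PLAN), ("overlapping layout", OVERLAPPING)):
        rules = parse_rules(text)
        print(name)
        for a, b, net_a, net_b in external_overlaps(rules):
            print(f"  overlap: line {a} ({net_a}) and line {b} ({net_b})")
        print("  unmapped:", ", ".join(unmapped(rules, BLOCK)) or "none")


if __name__ == "__main__":
    main()
```
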


Re: disable listen on ports

2006-04-02 Thread Erik Nørgaard

Niklaus wrote:

Hi,
 How do i disable users on a system to run their own http proxy. I
don't want to allow users who have login accounts on my system to
listen to any port . How do i do that.


Putting up a packet filter as some suggest may break other things.

Instead, you can take a look at MAC, Mandatory Access Controls. There is 
a module mac_portacl(4) that can control this.


You need to compile your kernel with options MAC and then add 
mac_portacl_load=YES to loader.conf


But don't ask me how it works, haven't used it.

Cheers, Erik

--
Ph: +34.666334818  web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID:  9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9


Re: reconfiguring a package

2006-04-02 Thread Erik Nørgaard

Luiz Eduardo Guida Valmont wrote:

I'm sorry if this is one of those rtfm cases, but I've exhausted my options
so far (except asking for help here ^^).

When you make install a package, for some the first thing you get is a
screen where you choose some compile-time options that affect the package's
dependancies (eg. postgresql support when trying to install amarok). The
question is simple: is there a way or a make target that deletes my choices
and / or forces make to ask them again?


Use the make target, 'config', eg:

   # make config install clean

should do. Alternatively, you can simply delete the config from 
/var/db/ports/package_name that will clear any previous choices.


Erik
--
Ph: +34.666334818  web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID:  9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9


Re: TCP/IP source Code

2006-04-04 Thread Erik Nørgaard
Chava Leviatan wrote:
 Hello,
 
 How can i get the TCP/IP source code , mainly sys/netinet.
 
 I have been browsing the site for a while , but haven't managed to discover 
 how can I get those
 simple .c, .h files 
 
 Any help is highly appreciated 

While you're at it, you might want to get a copy of TCP/IP illustrated,
I think it's vol 2 that goes in detail with the BSD implementation.

Cheers, Erik

-- 
Ph: +34.666334818  web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID:  9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9


Negative look ahead with capturing using pcre

2006-04-05 Thread Erik Nørgaard
Hi:

I am trying to write some rules for filtering email with postfix header
rules. In particular, I'd like to discard anything in a character set I
don't understand, or rather accept ascii, iso-8859-* and utf-8.

So I have created the following rule for mime header checks:

/^Content-Type:.*?charset\s*=\s*?(?!us-ascii|iso-8859-\d+|utf-8)(.*?)?.*$/i
WARN   MHD1000 Invalid charset: $1. Use UTF-8 or ISO-8859-X

I have two problems:

First: This rule catches a lot of legitimate mail, ascii or iso
character sets

Secondly: I'd like to catch the character set that is rejected so I can
adjust it if legitimate mail gets blocked. In the above I don't allow
windows-1252 for example.

So, how do I do negative look ahead with capturing using pcre?

Thanks, Erik

-- 
Ph: +34.666334818  web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID:  9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9
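
The two problems described in the post above can be reproduced offline. This is an added example, not part of the original message: it uses Python's `re` module, which treats lookaheads and lazy quantifiers the same way PCRE does for these constructs, and the rewritten pattern and the sample headers are constructed for illustration.

```python
import re

# The rule exactly as posted. Postfix pcre tables match case-insensitively by
# default and a trailing "i" flag toggles that off (pcre_table(5)), so the
# posted /i rule is modelled here WITHOUT re.IGNORECASE.
POSTED = re.compile(
    r'^Content-Type:.*?charset\s*=\s*?(?!us-ascii|iso-8859-\d+|utf-8)(.*?)?.*$')

# Rewritten rule (an assumption of this example, not a tested Postfix table):
#   "?                   consume an optional opening quote before the lookahead
#   (?!...(?:["\s;]|$))  an allowed name only counts if it ends at a delimiter
#   ([^"\s;]+)           capture at least one character, so the engine cannot
#                        satisfy the rule by backtracking to a position in
#                        front of the charset name
# In a Postfix table this would be written without the trailing "i".
REWRITTEN = re.compile(
    r'^Content-Type:.*?\bcharset\s*=\s*"?'
    r'(?!(?:us-ascii|iso-8859-\d+|utf-8)(?:["\s;]|$))'
    r'([^"\s;]+)',
    re.IGNORECASE)

# Constructed header lines, not taken from real mail.
SAMPLES = [
    'Content-Type: text/plain; charset=us-ascii',
    'Content-Type: text/plain; charset="us-ascii"',
    'Content-Type: text/plain; charset= utf-8',
    'Content-Type: text/plain; charset=ISO-8859-1; format=flowed',
    'Content-Type: text/html; charset="windows-1252"',
    'Content-Type: text/plain; charset=utf-8x',
    'Content-Type: multipart/mixed; boundary="abc"',
]


def rejected_charset(rule, header):
    """None if the rule lets the header pass, else the text that $1 would hold.

    An empty string means the rule fired but captured nothing.
    """
    match = rule.search(header)
    if match is None:
        return None
    return match.group(1) or ''


def describe(result):
    if result is None:
        return 'pass'
    return 'WARN, $1=%r' % result


def main():
    for header in SAMPLES:
        print(header)
        print('    posted   :', describe(rejected_charset(POSTED, header)))
        print('    rewritten:', describe(rejected_charset(REWRITTEN, header)))


if __name__ == '__main__':
    main()
```

The posted rule fires on the quoted, space-prefixed and upper-case forms of allowed character sets because the lookahead is evaluated in front of the quote or space, or compared case-sensitively, and its `$1` is always empty because the lazy group is followed by `.*`.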


Re: PXEboot install failing to load kernel

2006-04-05 Thread Erik Nørgaard
Chris wrote:

 I am trying to perform a netboot install of FreeBSD 6  to a Thinkpad
 X40 laptop from linux on my desktop. I've followed what guides I can
 but the info is either for older versions of FreeBSD (the CD structure
 has changed?) or assumes an existing FreeBSD install to work from (for
 dissecting floppy images etc).

The assumption that you have some other existing FreeBSD installation
makes certain things easier: In particular compiling the loader with
tftp support, possibly creating a custom kernel and a memory file system.
If you can get hold of these from download, then you should be fine.

 I have downloaded the i386 bootonly iso and I have followed portions
 of several guides which has got me as far as tftp serving the pxeboot.
 I assume the dhcp and tftp parts are working ok as the laptop gets
 hold of pxeboot fine but then fails to load the kernel.

pxeboot can either attempt to fetch the kernel with tftp or nfs, (the
standard pxeboot does not support tftp).

If it doesn't get the kernel then either there is a misconfiguration so
it doesn't fetch it correctly with tftp or the nfs server is incorrectly
setup.

You should post the relevant part of your dhcpd.conf.

 I have tried nfs serving the boot directory of the cd and the kernel
 directory within that without any luck, is the kernel passed by tftp
 or nfs? I have tried tailing var/log/daemons but the failure to load
 kernel message on the laptop is the only useful indicator I get.

I would recommend to go without nfs: You can have pxeboot fetch kernel,
and the loader.* files as well as a memory filesystem using tftp. It's
easier to setup the server part, you have to setup tftp anyway and
already have it working, going for nfs just introduces an extra source
for errors.

I wrote down what I did when I tried to setup pxeboot, you may have
found it - and yes, I do assume that you have a working FreeBSD for some
parts, but read on, it may not be relevant for you. Check out

   www.daemonsecurity.com/pxe/

I want to update this so let me know if there are any errors or things
that could be better explained.

Cheers, Erik
-- 
Ph: +34.666334818  web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID:  9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9


I can't spell my own name in UTF-8, base 64 encoded

2006-04-23 Thread Erik Nørgaard
Hi:

So, I finally decided to get OpenLDAP set up to serve an address book
independent of where I am and on what computer. The problem is that
unless an attribute value is ascii, values have to be in UTF-8 and
base64 encoded(?), as I could understand from googling.

But, I can't even spell my own name in that encoding!

So question is: How do I most easily populate my directory? Is there a
tool that can convert an iso-8859-1 ldif to utf-8+base64 ldif? Will ldap
queries also have to be encoded UTF-8+base64 as well?

Have I misunderstood the bit about base64, that this is only required
for binary data such as jpeg images?

All documentation I have found tells how easy it is to get data out in
UTF-8 ldif, but I really need to get the data in there first.

Thanks, Erik

-- 
Ph: +34.666334818  web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F0C.crt
Subject ID:  69:79:B8:2C:E3:8F:E7:BE:5D:C3:C3:B1:74:62:B8:3F:9F:1F:69:B9
Fingerprint: 7F:80:96:EA:95:92:E2:23:1F:FA:0F:98:92:C2:CC:55:6B:9A:8C:92




Re: LDAP schema problems

2006-04-24 Thread Erik Nørgaard
Joerg Pulz wrote:
 On Mon, 24 Apr 2006, Erik Norgaard wrote:
 
 b) In their infinite wisdom, those who defined the person and derivative
 object classes did not add country to the list of possible attributes.
 Adding this object class to the otherwise working entry:

 dn: cn=First Lastname, ou=people, dc=domain, dc=tld
 objectClass: top
 objectClass: organizationalPerson
 objectClass: inetOrgPerson
 objectClass: country
 cn: First Lastname
 sn: Lastname
 l: somewhere
 c: XX

 I again get the error:

 ldap_add: Internal (implementation specific) error (80)
additional info: no structuralObjectClass operational attribute

 I'd prefer not to go through the pain of defining my own schema from
 scratch, obtain OID etc just for adding such a basic attribute, what is
 the recommended patch?
 
 Erik,
 
 please try this:
 
 dn: cn=First Lastname, ou=people, dc=domain, dc=tld
 objectClass: top
 objectClass: person
 objectClass: inetOrgPerson
 cn: First Lastname
 givenName: First
 sn: Lastname
 postalAddress: some_address
 postalCode: 12345
 street: some_street
 st: some_state
 telephoneNumber: 01232234
 mobile: 0042750
 facsimileTelephoneNumber: 12470512
 pager: 38979
 homePhone: 07520326
 homePostalAddress: some_address
 mail: [EMAIL PROTECTED]

 Do you need more?

I was following this example from O'Reilly:

  http://www.onlamp.com/pub/a/onlamp/2003/03/27/ldap_ab.html

I checked again inetOrgPerson inherits from organizationalPerson which
inherits from person, so you can leave out the person object class. Now
I also understand the conflict mentioned in my first question. Of course
one can't mix both organizationalPerson and residentialPerson.

But question b) remains, I still like to add country. As I understand
state, st, applies in countries like US and Germany and should not be
used for country. friendlyCountry doesn't work because it inherit country.

It seems that to solve this I would have to define a schema with an
auxCountry object class which is auxiliary rather than structural and
just contains the attribute country. That would require applying of an
OID branch etc...

But maybe there is another schema I am unaware of? is there a schema
repository? What do multinational organizations do?

Thanks, Erik
-- 
Ph: +34.666334818  web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F0C.crt
Subject ID:  69:79:B8:2C:E3:8F:E7:BE:5D:C3:C3:B1:74:62:B8:3F:9F:1F:69:B9
Fingerprint: 7F:80:96:EA:95:92:E2:23:1F:FA:0F:98:92:C2:CC:55:6B:9A:8C:92




Re: PXE boot jumpstarting

2006-04-24 Thread Erik Nørgaard
Rat wrote:
 Does PXE boot installing in fact work in 6.0? sysinstall has all this nice 
 jumpstart/kickstart-like stuff in it, and I'd love to use this for deploying 
 new 
 servers.

It does, take a look at this:

  http://www.daemonsecurity.com/pub/pxeboot

(I know, some links are broken, I'm working on it).

Cheers, Erik

--
Ph: +34.666334818  web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F0C.crt
Subject ID:  69:79:B8:2C:E3:8F:E7:BE:5D:C3:C3:B1:74:62:B8:3F:9F:1F:69:B9
Fingerprint: 7F:80:96:EA:95:92:E2:23:1F:FA:0F:98:92:C2:CC:55:6B:9A:8C:92





Re: PXE boot jumpstarting

2006-04-25 Thread Erik Nørgaard
Matthias Fechner wrote:
 Hello Erik,
 
 * Erik Nørgaard [EMAIL PROTECTED] [25-04-06 00:19]:
   http://www.daemonsecurity.com/pub/pxeboot
 
 is it possible, that the side is down?
 I got always:
 Connection to 81.33.11.59 Failed

Server went down, power failure I think, at 9.XXam and I wasn't home to
put it back up.

Erik

-- 
Ph: +34.666334818  web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F0C.crt
Subject ID:  69:79:B8:2C:E3:8F:E7:BE:5D:C3:C3:B1:74:62:B8:3F:9F:1F:69:B9
Fingerprint: 7F:80:96:EA:95:92:E2:23:1F:FA:0F:98:92:C2:CC:55:6B:9A:8C:92




Re: pxeboot looping

2006-04-26 Thread Erik Nørgaard
John Pettitt wrote:
 Help!
 
 I'm trying to set up a machine to boot using pxe and have run into an
 odd problem.
 
 The box (a Soekris 4510) load pxeboot via TFTP prints a few lines of
 text then reboots - the last text I see is:
 
 Building the boot loader arguments
 Relocating the loader and the BTX
 Starting the BTX loader
 There is no further net traffic after the last tftp packet.
 
 I'm stumped - I thought it might be a cpu issue (the Soekris is a 486
 clone) so I rebuilt pxeboot with -march=i486 and it didn't make any
 difference.

Do you see the pxeboot actually gets fetched? Check the logs on your
server. My immediate idea is that it doesn't get as far as fetching the
pxeboot loader.

Erik
-- 
Ph: +34.666334818  web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F0C.crt
Subject ID:  69:79:B8:2C:E3:8F:E7:BE:5D:C3:C3:B1:74:62:B8:3F:9F:1F:69:B9
Fingerprint: 7F:80:96:EA:95:92:E2:23:1F:FA:0F:98:92:C2:CC:55:6B:9A:8C:92




Memory exhausted when compiling SUN Java JDK 15

2006-05-05 Thread Erik Nørgaard
Hi:

I tried to compile the new jdk15 on 6.1-RC1, but it stops while
compiling ad_i486.cpp with a memory exhausted error.

I have more than 3GB disk, 512MB swap but only 112MB RAM, I have
monitored with top and found that no more than 150MB swap is used.
I guess the RAM gets exhausted, how much is needed?

Is it possible to build jdk without the browser extensions and then
build that separately? - not that I think it helps, but maybe.

Thanks, Erik

output from make:

# make WITH_MOZILLA=firefox
===  Building for jdk-1.5.0p3
# Start of jdk build
... ...
Target Build Versions:
   JAVAWS_VERSION = 1.5.0
   MILESTONE = p3
   BUILD_NUMBER = norgaard_04_may_2006_19_29

Bootstrap Settings:
   BOOTDIR = /usr/local/jdk1.4.2
   BOOTSTRAP J2SDK VERSION: 1.4.2-p8
   OUTPUTDIR = /usr/ports/java/jdk15/work/control/build/bsd-i586

Build Tool Settings:
   UNIXCOMMAND_PATH = /bin/
   COMPILER_PATH = /usr/bin/
   DEVTOOLS_PATH = /usr/local/bin/
   USRBIN_PATH = /usr/bin/
   MOTIF_DIR = /usr/X11R6
   CC_VER = 3.4.4
   ZIP_VER = 2.31
   PATH =
/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bi
n:/usr/X11R6/bin:/root/bin
   TMPDIR = /usr/ports/java/jdk15/work/control/build/bsd-i586/tmp

Build Directives:
   USE_ONLY_BOOTDIR_TOOLS =
   USE_HOTSPOT_INTERPRETER_MODE =
   PEDANTIC =
   DEV_ONLY =
   J2RE_ONLY =
   NO_DOCS =
   NO_IMAGES =
   TOOLS_ONLY =
   INSANE =
   PARALLEL_COMPILES = false
   PARALLEL_COMPILE_JOBS = 2
   FASTDEBUG = false
   INCREMENTAL_BUILD = false

Build Platform Settings:
   PLATFORM = bsd
   ARCH = i586
   LIBARCH = i386
   ARCH_FAMILY = i586
   ARCH_DATA_MODEL = 32
   TRUE_PLATFORM = FreeBSD
   OS_VERSION = 6.1-RC
   FREE_SPACE = 6508524

GNU Make Settings:
   MAKE = gmake
   MAKE VERSION =
   MAKECMDGOALS = sanity
   MAKEFLAGS =
   SHELL = /bin/sh

Target Build Versions:
   JDK_VERSION = 1.5.0
   MILESTONE = p3
   BUILD_NUMBER = norgaard_04_may_2006_19_29

External File/Binary Locations:
   HOTSPOT_SERVER_PATH =
/usr/ports/java/jdk15/work/control/build/bsd-i586/hotspot-i586/server
   HOTSPOT_CLIENT_PATH =
/usr/ports/java/jdk15/work/control/build/bsd-i586/hotspot-i586/client
   HOTSPOT_IMPORT_PATH =
/usr/ports/java/jdk15/work/control/build/bsd-i586/hotspot-i586/import
   MOTIF_DIR = /usr/X11R6
   CACERTS_FILE = ./../src/share/lib/security/cacerts
... ...

gmake[3]: Entering directory
`/usr/ports/java/jdk15/work/control/build/bsd-i586/hotspot-i586/tmp/bsd_i486_compiler2/jvmg'
Compiling ../generated/adfiles/ad_i486.cpp
virtual memory exhausted: Cannot allocate memory
gmake[3]: *** [ad_i486.o] Error 1
gmake[3]: Leaving directory
`/usr/ports/java/jdk15/work/control/build/bsd-i586/hotspot-i586/tmp/bsd_i486_compiler2/jvmg'
gmake[2]: *** [the_vm] Error 2
gmake[2]: Leaving directory
`/usr/ports/java/jdk15/work/control/build/bsd-i586/hotspot-i586/tmp/bsd_i486_compiler2/jvmg'
gmake[1]: *** [jvmg] Error 2
gmake[1]: Leaving directory
`/usr/ports/java/jdk15/work/control/build/bsd-i586/hotspot-i586/tmp'
gmake: *** [jvmg] Error 2
*** Error code 2

Stop in /usr/ports/java/jdk15.




-- 
Ph: +34.666334818  web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F0C.crt
Subject ID:  69:79:B8:2C:E3:8F:E7:BE:5D:C3:C3:B1:74:62:B8:3F:9F:1F:69:B9
Fingerprint: 7F:80:96:EA:95:92:E2:23:1F:FA:0F:98:92:C2:CC:55:6B:9A:8C:92




Re: dhclient fixed leases

2006-01-14 Thread Erik Nørgaard

Maxim Vetrov wrote:

I'm on 6.0 release. The default will not help - I have several 
networks without dhcpd. So 'default option routers 10.0.1.5;' will work 
only for one and fail for others.


Well, in that case I have difficulty seeing how fixed leases will help 
you, how should dhclient choose which fixed lease to use? One fixed 
lease or one default would work.


Otherwise, it seems that you should create a script that interactively 
lets you log on a particular network, and start dhclient if needed or 
configure your nic with a fixed ip using ifconfig.


Regards, Erik
--
Ph: +34.666334818   web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID:  A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2


Re: A strategic question

2006-01-30 Thread Erik Nørgaard

Jozef Baum wrote:


... to install FreeBSD, one needs already a lot of knowledge about the
system. To acquire that knowledge, one needs experience on an installed
system. But to have an installed system, one needs already a lot of
knowledge about the system. That's the problem.

The handbook doesn't tell you that, at the last chance message, you have
to take out the boot CD and to insert CD 1. But if you don't do so, nothing
gets installed.


1st: I don't think I have ever installed an unknown system and got it 
right the first time: OS/2, RedHat Linux, OpenBSD and FreeBSD.


I have always installed the system, used it about a month and then 
reinstalled.


So you install the system the best you can, then start learning your way 
around it and figure out what went wrong. First time, don't worry about 
things getting messed up, just don't throw it directly into production.


You might find yourself reinstalling a few times, but that's just part 
of the game.


2nd: It's true that the FreeBSD developers have not gone out of their 
way to make a sleek installer, but unlike other OS's, the installer is 
something you'll hardly ever use. I installed my laptop with 5.2.1 two 
years ago, since then I have continuously upgraded everything and run 
6.0 now, but I haven't used the installer at all.


So, there is a catch, those who use the installer has yet to get the 
experience to make it better and those who know how just don't have that 
itch scratching.


3rd: If there is an error or something missing then you can file a 
problem report for the documentation and explain what you find missing.



I configured a German ISO keyboard, but many keys don't work correctly. One
has to look with Google to find additional information about configuring a
German keyboard.


Getting keyboards right is a science and one of the most frequently 
asked questions. The thing is that you have to deal with both keyboard 
and character sets, and further some programs let the user change the 
keyboard for that program only: emacs, pine, thunderbird.


While not particularly for german keyboard, there is an article about 
setting things up and you should be able to figure out the needed 
changes - heck the examples are for german!


http://www.freebsd.org/doc/en_US.ISO8859-1/articles/euro/index.html


The locate command did not work, as the locate database seemed to be
corrupted. I had to figure out how to rebuild this database.


On all systems you need to build/rebuild the locate database regularly.


The root user had a csh, while ordinary users had a sh shell. I had to
figure out how to provide the same shell to the root user and the other
users, as all those virtual users are all one and the same person, me.


There is one principle you should adhere to on any system: Let root keep 
default settings. This is challenging at first, but in critical 
situations an advantage.



I tried to setup an X Window environment (nVidia Geforce video adapter), but
the horizontal and vertical refresh rates of the manufacturer didn't work, I
had to experiment to find out the one X likes. Then I could startup X, only
to not having configured at all my German keyboard.


See the above article, it also has the part covering X11.


I tried to install emacs during installation, but it didn't succeed.
Returning to the post-installation tasks after having installed the system
resulted in a successful installation of emacs (working only after a system
reboot).


Well, this is where sometimes you install, gain some experience and 
reinstall. Anyway, there is no reason you have to get everything 
installed at install time.


I have learned to prefer a lean system at install and then add stuff as 
needed. Otherwise I always end up with lots of crap that I don't need.



Why is it that FreeBSD people, who seem to be perfectly able to formulate
correct algorithms for implementing UNIX concepts, and translating them into
code, don't care at all about a novice user, providing him with an
installation program that doesn't work as it should, even without a GUI?


As another stated this: It seems you want the system to think your way - 
which more or less requires the developers to think your way.


This is obviously unrealistic and unreasonable to require - but your 
luck is that unlike other operating systems, you can make FreeBSD behave 
as you like it.



I know UNIX is all about solving problems, but is it really interesting to
make it apparently deliberately so difficult for a newcomer? Is it really the
policy of those guys to make the entry level to UNIX difficult, only to
avoid a breakthrough of UNIX (FreeBSD) to the desktop users?


I don't think anyone makes things difficult on purpose. but as above 
statement, their brain might just not work like yours. Not better, nor 
worse, just different.


And there is no avoiding breakthrough to desktop - I have used FreeBSD 
on my desktop, laptop actually, for three years. Before that I used 
RedHat for 4 

scanner problems: I/O error/scanner application hangs

2006-02-24 Thread Erik Nørgaard

Hi:

I had my scanner, Epson 2480, working half a year ago on FBSD 6.0, now 
it's been a while since I used it, I have upgraded to FBSD 6.1-PREREL as 
well as upgrading applications, and now it doesn't work.


First scanner probe gives an I/O error, second hangs:

charm# date  scanimage -L  date  scanimage -T || date
Fri 24 Feb 2006 23:07:28 CET
device `snapscan:/dev/uscanner0' is a EPSON EPSON Scanner flatbed scanner
Fri 24 Feb 2006 23:07:29 CET
scanimage: open of device snapscan:/dev/uscanner0 failed: Error during 
device I/O

Fri 24 Feb 2006 23:07:29 CET
charm# date  scanimage -L  date  scanimage -T || date
Fri 24 Feb 2006 23:07:33 CET
Killed
Fri 24 Feb 2006 23:09:09 CET

I need to turn off the scanner in order to repeat, it is not enough to 
unplug the usb port.


The scanner is found correctly after applying the patches I submitted 
(pr usb/86094), otherwise it appears as a ugen device.


My system is:
FreeBSD charm 6.1-PRERELEASE FreeBSD 6.1-PRERELEASE #3: Fri Feb 24 
22:25:37 CET 2006 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/CLIENT6  i386


No difference whether uscanner is compiled in kernel or loadable module.

Sane:

sane-backends-1.0.17
sane-frontends-1.0.14_1
xsane-0.991

I believe I had it working with sane-backends 1.0.15 and xsane 0.80

Any ideas?

Thanks, Erik
--
Ph: +34.666334818   web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID:  A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2


Re: Updating OpenSSH

2006-02-26 Thread Erik Nørgaard

Daniel A. wrote:

So, basically, if I want the newest version of OpenSSH running on my
system, I have to not use the one shipped with 6.0-RELEASE, and
install OpenSSH from ports?


Please don't top-post.

Installing from ports you'll get version 3.6.1. Before you get paranoid, 
check the changelog - are there any changes that you actually need? do 
they provide increased security?


Cheers, Erik

--
Ph: +34.666334818   web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID:  A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2


Re: Help with IP Filter 4.1.8

2006-02-26 Thread Erik Nørgaard

Roman Serbski wrote:

Hi all,

I am having a problem with ipf after recent upgrade to 6.1-PRERELEASE.
Any help would be greatly appreciated.

ipf: IP Filter: v4.1.8 (416)
Kernel: IP Filter: v4.1.8
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 0
Feature mask: 0xa

I am trying to allow outgoing dns requests from my server to DNS
server of ISP. Here is my ruleset:

ipfstat -oh
0 pass out quick on lo0 from any to any
0 pass out quick on xl0 proto tcp from any to any port = domain flags
S/FSRPAU keep state
1 pass out quick on xl0 proto udp from any to any port = domain keep state
0 block out log quick on xl0 all

ipfstat -ih
0 pass in quick on lo0 from any to any
0 block in quick on xl0 all


Could you change your last rule to this:

block in log quick on xl0 all

and then tell what you see in the log. This would give some information 
if any traffic is blocked in the first place. Actually, adding the log 
keyword to all rules for the xl0 interface might be a good idea for 
debugging.


Also, is this the complete ruleset or did you remove rules you thought 
were irrelevant? If so, then post the whole ruleset.


Cheers, Erik
--
Ph: +34.666334818   web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID:  A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2


Re: FreeBSD mini-ITX

2005-06-23 Thread Erik Nørgaard

Benjamin Keating wrote:

I've been eyeing up these mini-ITX boards - would like to make a quite
little file server. Does anyone here run a mini-ITX board (what
model)? Does it work out of the box? Anything not supported? I'd go
for one of VIA's as AMD's and others are still a little new and
pricey. Recommend a shop to purchase from (in the US)?


I bought a VIA EPIA CL1000 (now PD, dual NIC) and a Morex Cubid 3688 
case one year ago from mini-itx.com.


I installed FBSD 4.10 and later FBSD 5.3-5.4 without any problems. I 
haven't installed X11, I don't see the point as it's a server remotely 
controlled with ssh, and I don't have a spare monitor anyway.


The only issues I have had are: 'halt -p' reboots instead of powerdown, 
so I had to 'halt' then powerdown manually. ACPI doesn't read cpu 
temperature.


I use it at home as my mail/web/whatever server with a DSL connection, 
generally with a load of 0.00. The DSL limits the traffic so it simply 
can't get too much network load.


I have had one problem that gave me some grey hairs, which I initially 
thought it to be MB or disk problem, but it turned out to be ip-filter 
rather than hardware.


mini-itx.com reports noise of  25dB. The fans may produce that level of 
noise if they were not mounted. I found resonances causing the box to be 
quite noisy, in particular the cpu fan.


You can buy some stuff to make the fan run slower and it helps. But what 
really helps is to reduce vibrations: Raise the cpu fan a bit from the 
cooler plates using some heat tolerable silicon, this makes the fan run 
more freely and transfers less resonances to the cooler plates and onto 
the MB. Also place the box on rubber feet so it won't pass on vibrations.


I run my box with only the cpu fan, no others, the box is hot but it 
runs without problems.


Cheers, Erik
--
Ph: +34.666334818   web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID:  A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2


Re: firewall on FreeBSD

2005-06-25 Thread Erik Nørgaard

mess-mate wrote:

I've a firewall/router/proxy with openbsd and think to replace it
with freebsd 5.4
Do you mean freebsd's PF don't support the 'quick' keyword ??
Thought PF on freebsd and openbsd was identical, isn't ?


It's a port, pf on FBSD 5.4 is the same as pf on OBSD 3.6, AFAIK. So if 
your OBSD is the latest or updated after 3.6, then you might have 
functionalities not supported yet on FBSD.


The basic stuff is all the same, I don't think anyone could survive 
without 'quick', just as 'pass' and 'block' are supported on both 
platforms :-)


Cheers, Erik

--
Ph: +34.666334818   web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID:  A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2


Re: upgrading all ports

2005-06-25 Thread Erik Nørgaard

Dick Hoogendijk wrote:

I want to do a portupgrade on all installed ports.

What's the right way?
portupgrade -arR ?
or
portupgrade -a ?

I hesitate and don't want to screw up my machine.

portupgrade isn't suitable for upgrading the entire machine, even though 
you do recursive and Recursive.


It is much faster to deinstall everything and then installing from 
ground up. And it is far more secure in not screwing up.


I recommend writing down a list of apps you need to be happy, deinstall 
everything and then install those apps. Dependencies come along fine, 
and then whatever remains can be installed as needed.


Anyway, the worst that can happen is that you will screw up some user 
apps - ok this is bad - but your system won't require a reinstall :-)


Cheers, Erik



Re: upgrading all ports

2005-06-26 Thread Erik Nørgaard

Kirk Strauser wrote:

On Saturday 25 June 2005 06:36 am, Erik Nørgaard wrote:



It is much faster to deinstall everything and then install from the
ground up. And it is far more secure in not screwing up.



On toy systems, maybe.  I've got 654 ports installed on the machine I'm typing 
this on, and I assure you that it's much, much faster to selectively upgrade 
a few of them rather than starting over from scratch.


I think you overlooked one important thing in the original post, and in 
my post as well: We are talking about upgrading the entire system, not 
just a few ports.


Upgrading a few ports is faster using portupgrade, yes.

Erik



Re: upgrading all ports

2005-06-26 Thread Erik Nørgaard

Alex Zbyslaw wrote:

Erik Nørgaard wrote:
portupgrade isn't suitable for upgrading the entire machine, even 
though you do recursive and Recursive.


What, in your opinion, makes it unsuitable?  I've used portupgrade 
exclusively and never had trouble.


Unsuitable if

- it is slower than the alternative to deinstall all ports and
  reinstall.
- things break

I don't claim it won't work, I don't claim that things will break, but 
they may depending on what is being upgraded which was not mentioned in OP.


The problem is that the double (up and down) recursive resolution of 
interdependencies quickly becomes very complex with the result that some 
ports may be updated multiple times, or that portupgrade will choke 
trying to figure out where to start.


It then quickly becomes much faster to simply deinstall all ports and 
reinstall. It also lets you clean up any junk that may have been left 
for whatever reasons.


And, then there are the general warnings about upgrading Gnome (not 
minor minor upgrades) eg 2.8 to 2.10, upgrading perl and friends, module 
paths etc. These are things that can of course be resolved, I just found 
it easier to clean up the whole thing and reinstall it, see 
/usr/ports/UPDATING - there are numerous warnings on portupgrade.


For single/few apps upgrade portupgrade is fine, or if the system is 
mostly up to date so a full upgrade will only affect a few packages.


I have had my system severely down after using portupgrade because of 
problems with dependencies on X11.


OP did not mention how old the system to be upgraded is. So in the 
particular case it is difficult to say. But I assume that if he wants to 
upgrade his _entire_ system then I can assume significant updates to be 
done.


Erik


wireless config in dhclient.conf (CURRENT)

2005-06-27 Thread Erik Nørgaard

Hi,

I have a problem configuring dhclient for my wireless interface, ath, on
-CURRENT. I updated my system recently and am now using the port of
dhclient from OpenBSD.

I have a Comtrend DSL/AP on channel 11 with ssid ISPY, my wired server 
(FBSD 5.4) is running isc-dhcpd v. 3. My neighbour has a 3Com DSL/AP on 
channel 6 with default configuration, running a dhcp server. On my 
laptop I have a 3Com PCMCIA card, ath0.


According to the documentation I can find on the web, I should include 
an entry in /etc/dhclient.conf like:


interface ath0 {
media ssid ISPY mode 11g;
}

but doing so dhclient fails to get a lease on boot. Instead it enters
into an infinite loop (long, I eventually pressed CTRL-C), changing 
link state to up, sending one dhcp request, and changing link state to 
down. This does not change if I include a channel 11 in the media line.


Since configuration failed the interface is not configured and dhclient 
is not running. If I log in and run dhclient it fails as above - no 
surprise.


If I manually set ssid and mode, then I can run dhclient and it 
associates and gets a lease as it should.


If I leave no configuration, it sometimes picks up my neighbour's AP and 
gets a lease from that - his signal is at times stronger than my own 
(probably Comtrend crap against 3Com).


How do I correctly configure dhclient for my wireless nic so it 
associates with my network?


Thanks, Erik



Re: Looking for arp scanner

2005-06-30 Thread Erik Nørgaard

Fabian Anklam wrote:


I've been browsing freshports.org for an arp scanner and found only
arpscan, which is marked broken and knowlan, which hasn't been updated
in years. What's the tool of choice to map out IP addresses on a subnet
when you know that quite a few hosts are firewalled from ping?


Active: arping will send out an arpdiscover for the ip entered.
Passive: snort can sniff arp packets arriving at your interface.

Erik


dhclient.conf for wireless interface

2005-07-04 Thread Erik Nørgaard

Hi,

I am trying to configure dhclient to associate with the correct 
access point, I use FreeBSD Current with the new dhclient ported from 
OpenBSD.


The examples I can find mention that I should create an entry in my 
dhclient.conf like this:


interface ath0 {
media ssid AP1 mode 11g, ssid AP2 mode 11g;
}

and dhclient will then first try to associate with AP1 and then AP2.

The problem is that with that setup dhclient enters into an apparently 
infinite loop bringing up and down the interface, until I break it. I 
have to manually run 'ifconfig ssid AP1 mode 11g' first.


Can anyone point me to the correct manpage for configuring dhclient?
This is not covered in the dhclient.conf(5) dhclient(8) ifconfig(8) or 
ath(4) man-pages.


I have a 3Com wireless NIC, broadcom AP, my dhcp server is isc-dhcp v.3 
running on FBSD 5.4. I usually get associated with my neighbour's 3Com AP 
running with a default setup.


Thanks, Erik



Re: PHP PCRE

2005-07-15 Thread Erik Nørgaard

Myron Turner wrote:
I just installed FreeBSD 5.4 with PHP 5.0.3 for the express purpose of 
testing out a web-based application.


I was wondering what the rationale is for excluding PCRE from the 
current php distribution. As I understand it, the PCRE extensions are 
included by default in PHP 5.  This suggests that the FreeBSD 
organization opted not to include these.  A search of mailing lists 
shows that people have been having problems because of this.


For me, the solution is not to install a rebuilt php on my test machine, 
because I have to have the assurance that my application will run on any 
FreeBSD system.


On FreeBSD you are given the option of installing a pure php with no 
extra bells or whistles. Then you can add the extensions you need using 
the php5-extensions metaport, which really just installs individual 
modules such as devel/php5-pcre.


And, AFAIK, installing extensions afterwards does not require that you 
rebuild php5.


I have had problems with this too - usually they amounted to forgetting 
about the extensions, because back then when I first used it, extensions 
were installed with the php base (I think this was with php 4.1?).


As for reasoning: For security reasons or performance it may be wise to 
exclude what you don't use. pcre is not the fastest thing AFAIK.


Now, I must add the disclaimer that I'm using php4

Cheers, Erik



Re: I have found a pc on the side curb

2005-07-18 Thread Erik Nørgaard

Martin wrote:


maybe there is a universal password for admin that bypasses all passwords. 
something like that.


Try booting into single user mode.

Erik



Perl module for parsing tcpdump file

2005-07-19 Thread Erik Nørgaard

Hi,

I was wondering if there is a perl module that can read the tcpdump 
formatted files produced by pflog. I've been looking in the ports 
collection but can't seem to find a port whose name decrypts to tcpdump.


I have a script that parses my maillog and blocks owned hosts or relays 
used by owned hosts. Now, I'd like to parse the firewall log to unblock 
those who have become sane again.


Thanks, Erik


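For reference, the files pflog writes are ordinary pcap files with link type DLT_PFLOG, so they can be read without tcpdump. The following is an added example, not part of the original post, and it is in Python rather than Perl: it decodes the pflog header in front of each packet and lists blocked source addresses that have been quiet long enough to unblock. The header layout used (a length byte first, interface name at offset 4, rule number at offset 36, direction as the last byte of the real header) is an assumption based on the pfloghdr of that era; the sample capture, the interface name fxp0 and the addresses are constructed.

```python
import socket
import struct

DLT_PFLOG = 117                        # pcap link type of pflog(4) captures
AF_INET = 2
PF_ACTIONS = {0: "pass", 1: "block"}   # other action codes are reported as numbers
PF_DIRS = {1: "in", 2: "out"}


def parse_pflog_packet(ts, pkt):
    """Decode one captured packet: pflog header, then the IPv4 addresses."""
    if len(pkt) < 45 or not 45 <= pkt[0] <= len(pkt):
        raise ValueError("truncated or malformed pflog header")
    real_len, af, action = pkt[0], pkt[1], pkt[2]
    rec = {
        "ts": ts,
        "ifname": pkt[4:20].split(b"\0", 1)[0].decode("ascii", "replace"),
        "rulenr": struct.unpack("!I", pkt[36:40])[0],
        "action": PF_ACTIONS.get(action, action),
        # dir is the last byte of the real header, whatever fields precede it
        "dir": PF_DIRS.get(pkt[real_len - 1], pkt[real_len - 1]),
    }
    ip = pkt[(real_len + 3) & ~3:]     # payload starts at the next 4-byte boundary
    if af == AF_INET and len(ip) >= 20:
        rec["src"] = socket.inet_ntoa(ip[12:16])
        rec["dst"] = socket.inet_ntoa(ip[16:20])
    return rec


def read_pflog(data):
    """Yield one record per packet in a pcap byte string written by pflog."""
    if len(data) < 24:
        raise ValueError("not a pcap file")
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("unknown pcap magic")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != DLT_PFLOG:
        raise ValueError("link type %d is not DLT_PFLOG" % linktype)
    off = 24
    while off + 16 <= len(data):
        ts, _usec, caplen, _origlen = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if off + caplen > len(data):
            break                      # capture cut off in the middle of a packet
        yield parse_pflog_packet(ts, data[off:off + caplen])
        off += caplen


def hosts_to_unblock(records, now, quiet_secs):
    """Sources whose most recent blocked inbound packet is at least quiet_secs old."""
    last_blocked = {}
    for rec in records:
        if rec["action"] == "block" and rec["dir"] == "in" and "src" in rec:
            last_blocked[rec["src"]] = max(last_blocked.get(rec["src"], 0), rec["ts"])
    return sorted(h for h, ts in last_blocked.items() if now - ts >= quiet_secs)


def build_sample_capture():
    """Constructed capture: two blocked inbound packets from documentation addresses."""
    def record(ts, src, dst):
        hdr = struct.pack("!BBBB16s16sIIB3x", 45, AF_INET, 1, 0,
                          b"fxp0", b"", 7, 0xFFFFFFFF, 1)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        pkt = hdr + ip
        return struct.pack("<IIII", ts, 0, len(pkt), len(pkt)) + pkt

    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_PFLOG)
    return (header
            + record(1000, "192.0.2.10", "198.51.100.1")
            + record(5000, "203.0.113.5", "198.51.100.1"))


if __name__ == "__main__":
    records = list(read_pflog(build_sample_capture()))
    for rec in records:
        print(rec)
    print("unblock:", hosts_to_unblock(records, now=6000, quiet_secs=3600))
```
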

Firewire setup/test

2005-07-20 Thread Erik Nørgaard

Hi,

I want to buy a miniDV camera, transfer the DV stream using firewire. 
Now, I'm really newbie on firewire devices and DV, I have none so far, 
and I'd really like to test and see it work before throwing out $1000.


I know, this is probably one of those questions that I would answer by 
go try, see if it works but I'd rather not get embarrassed in the shop 
trying to get silly permissions or other things right :-)


So, how do I make sure that I can access the firewire device as ordinary 
user and test with gvdrecv, kino or other programs? Do I need to configure 
the device as root before I switch to ordinary user privileges? How?


Thanks! Erik

Here's my setup:

Kernel config file:
# FireWire support
device  firewire        # FireWire bus code
device  fwe             # Ethernet over FireWire (non-standard!)
#device  sbp            # SCSI over FireWire (Requires scbus and da)
device  fwip            # IP over FireWire (rfc2734 and rfc3146)

# dmesg
fwohci0: Ricoh R5C552 mem 0xe580-0xe58007ff irq 11 at device 10.2
on pci0
fwohci0: [GIANT-LOCKED]
fwohci0: OHCI version 1.0 (ROM=1)
fwohci0: No. of Isochronous channels is 4.
fwohci0: EUI64 00:e0:18:00:03:09:43:39
fwohci0: Phy 1394a available S400, 2 ports.
fwohci0: Link S400, max_rec 2048 bytes.
firewire0: IEEE1394(FireWire) bus on fwohci0
fwe0: Ethernet over FireWire on firewire0
if_fwe0: Fake Ethernet address: 02:e0:18:09:43:39
fwe0: Ethernet address: 02:e0:18:09:43:39
fwip0: IP over FireWire on firewire0
fwip0: Firewire address: 00:e0:18:00:03:09:43:39 @ 0xfffe, S400,
maxrec 2048
fwohci0: Initiate bus reset
fwohci0: node_id=0xc800ffc0, gen=1, CYCLEMASTER mode
firewire0: 1 nodes, maxhop = 0, cable IRM = 0 (me)
firewire0: bus manager 0 (me)

# sysctl -a|grep firewire
 firewire2723K   -   29  16,32,64,512,1024,2048,4096
debug.firewire_debug: 0
hw.firewire.try_bmr: 1
hw.firewire.hold_count: 3
hw.firewire.fwmem.eui64_hi: 0
hw.firewire.fwmem.eui64_lo: 0
hw.firewire.fwmem.speed: 2
hw.firewire.fwe.stream_ch: 1
hw.firewire.fwe.tx_speed: 2
hw.firewire.fwe.rx_queue_len: 128
hw.firewire.fwip.rx_queue_len: 128
dev.firewire.0.%desc: IEEE1394(FireWire) bus
dev.firewire.0.%driver: firewire
dev.firewire.0.%parent: fwohci0
dev.fwe.0.%parent: firewire0
dev.fwip.0.%parent: firewire0

# sysctl -a | grep fwoh
dev.fwohci.0.%desc: Ricoh R5C552
dev.fwohci.0.%driver: fwohci
dev.fwohci.0.%location: slot=10 function=2 handle=\_SB_.PCI0.IE94
dev.fwohci.0.%pnpinfo: vendor=0x1180 device=0x0552 subvendor=0x1043
subdevice=0x1687 class=0x0c0010
dev.fwohci.0.%parent: pci0
dev.firewire.0.%parent: fwohci0

# ls -l /dev
lrwxr-xr-x  1 root  wheel5  1 Jan  1970 fw0 -> fw0.0
crw-rw  1 root  operator   15,  32 20 Jul 08:14 fw0.0
crw-rw  1 root  operator   15,  96 20 Jul 08:14 fw0.1
crw-rw  1 root  operator   15,  97 20 Jul 08:14 fw0.2
crw-rw  1 root  operator   15,  98 20 Jul 08:14 fw0.3
lrwxr-xr-x  1 root  wheel8  1 Jan  1970 fwmem0 -> fwmem0.0
crw-rw  1 root  operator   15,  33 20 Jul 08:14 fwmem0.0

There's no firewire0 device, but this may be because I have nothing 
attached.




Epson 2480/2580 scanner support

2005-07-22 Thread Erik Nørgaard

Hi,

Sorry if this question is misplaced, but the sane project hosts no user 
mailing list, and the hardware list brought no luck.


Looking at the handbook it seems that any scanner supported by the sane 
backend is supported on FBSD.


Now, the ports version is 1.0.15, on the sane home page, they list 
support for version 1.0.13 and the CVS version.


I'm interested in the Epson 2480 or 2580, for the stable version 1.0.13, 
they are listed with basic/minimal support while the CVS version 
mentions good/basic support. (snapscan backend)


Can anyone enlighten me as to how well these devices are supported by 
the ports-version 1.0.15?


Second, on the snapscan web page, they warn:

quote
05/22/05: Warning!
I've received a report from a user who was left with a broken scanner 
after using the Epson 2480 in transparency mode in 2400 DPI with xsane. 
According to the report the scanner power light went red and the scanner 
smelled hot. After power-cycling the scanner it was not possible to 
scan anymore...

/quote

Can anyone confirm this? and know if the problem has been corrected in 
newer versions?


The scanner is primarily for scanning negatives, if anyone can recommend 
me an alternative, supported and with an equivalent price tag I'd really 
appreciate it!


Thanks, Erik


Re: [OT] ssh security

2010-03-10 Thread Erik Nørgaard


On Mar 10, 2010, at 11:59, Olivier Nicole  
olivier.nic...@cs.ait.ac.th wrote:



Now Diffie-Hellman may help providing the trust for the fingerprint.



No it won't. Trust goes either via a trusted third party as in PKI or  
the pgp chain of trust or via direct verification. In the latter case  
if you cannot establish trust, call up the owner to verify his key.


BR erik

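Direct verification as described in the reply above comes down to computing the fingerprint of the key the server offers and comparing it with one obtained from the owner over a separate channel. The following is an added example, not part of the thread: it derives the colon-separated MD5 form and the SHA256 form from an OpenSSH public key line and compares against the trusted value. The sample key is constructed in the code and is not a usable key; the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import struct


def key_blob(pubkey_line):
    """Return (key type, raw key blob) from an OpenSSH public key line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    # The blob repeats the key type; a mismatch means the line was altered.
    if blob[4:4 + n].decode("ascii") != fields[0]:
        raise ValueError("key type does not match key blob")
    return fields[0], blob


def fingerprints(pubkey_line):
    """Fingerprints in the colon-separated MD5 form and the SHA256 form."""
    _, blob = key_blob(pubkey_line)
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {
        "md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
        "sha256": "SHA256:" + sha,
    }


def matches_trusted(pubkey_line, trusted_fp):
    """Compare the offered key with a fingerprint obtained out of band."""
    fps = fingerprints(pubkey_line)
    trusted = trusted_fp.strip()
    if trusted.startswith("SHA256:"):
        offered = fps["sha256"]
    else:
        offered = fps["md5"]
        trusted = trusted.lower()
        if trusted.startswith("md5:"):
            trusted = trusted[4:]
    return hmac.compare_digest(offered.encode(), trusted.encode())


def sample_key_line(key_bytes, comment="constructed@example"):
    """Constructed public key line (ssh-ed25519 framing around arbitrary bytes)."""
    def ssh_string(b):
        return struct.pack(">I", len(b)) + b

    blob = ssh_string(b"ssh-ed25519") + ssh_string(key_bytes)
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)


if __name__ == "__main__":
    offered = sample_key_line(bytes(range(32)))
    read_over_phone = fingerprints(offered)["md5"]
    print(fingerprints(offered))
    print("same key:", matches_trusted(offered, read_over_phone))
    print("other key:", matches_trusted(sample_key_line(bytes(32)), read_over_phone))
```
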

FBSD support for Intel mini-itx board w. realtek 8111D nic

2011-03-31 Thread Erik Nørgaard

Hi:

I've got a fanless via based mini-itx box as my gateway and server and 
looking to upgrade to an Intel Atom based box. I believe it's supported 
out of the box. Now, I don't have an extra monitor, basically I'm gonna 
take the old disk, plug it in and hope it will boot (FBSD81, GENERIC 
kernel). So,


I'm looking at the D945GSEJT which has a realtek 8111DL nic. Which 
driver is used for this nic?


Well, basically I need to preconfigure the network so I can connect 
if/when it gets up.


Thanks, Erik


Link and network level in the tcp/ip stack

2011-05-06 Thread Erik Nørgaard

Hi:

This is a generic question about may, should and must:

I have the following setup:

        192.168.28/24
  +---------------------+
  |.196                 |.1
 SRV                   GW ------ RN
  |.28                  |.1
  +---------------------+
        10.225.162/24

The server, SRV, has default gateway set to 192.168.28.1, no routing has 
been configured for the 10.225.162/24 network. The gateway is a router, 
no NAT or firewall. Yup, we do have this setup, don't ask why.


Now, the remote node RN pings the server on 192.168.28.196 fine, no 
problem. Then it pings 10.225.162.28 and gets destination unreachable.


OK, so I did tcpdump first on the 10.225.162.28 interface, and saw icmp 
echo requests coming in, but no replies going out. Then I did tcpdump on 
the other interface and got this:


13:39:43.233419 arp who-has 192.168.28.1 tell 10.225.162.28

obviously no reply, wrong network.

So, the system strips the link layer and completely forgets about it? 
with the added overhead of having to figure things out again to send a 
reply? Since the server also keeps an updated arp table it's not like 
the link layer is completely delegated to the nic to take care of.


For incoming connections, I would assume that the link address is 
preserved for replying, no need to send any arp requests. This also 
means that no routing would need to be defined on the 10.225.162.28 
interface to receive connections from non-local nodes.


What is the may/should/must protocol recommendation on this?

I can't figure whether keeping the link layer for the reply will 
introduce loop problems or rather solve them.


Thanks, Erik


Re: Link and network level in the tcp/ip stack

2011-05-07 Thread Erik Nørgaard

On 7/5/11 4:12 PM, Arun wrote:


Just add default route at your node 10.225.162.28, and make the default
GW for this route as 192.168.28.0/24 or the connected interface. Your
SRV node should pass it to its default gw 192.168.28.1 which should take
care of forwarding it to the destination RN. If your SRV node could NOT
forward the ping reply then add a specific route there like - pkt comes
from 10.225.162.0 then forward it to 192.168.28.1.
Thanks.


Hi:

There can only be one default gateway, anything else doesn't make sense. 
I did try adding a specific route on SRV for RN such that pings arriving 
on 10.225.162.28 would be responded correctly. But, then RN can no 
longer reach 192.168.28.196. No surprise there really.


So, why do we have this setup? Well, some services like ssh that is used 
for administration must arrive on 192.168.28/24 whereas the commercial 
service has a dedicated network on 10.225.162/24 and to ensure 
availability and bandwidth we cannot accept to have ssh coming in on 
that network.


I should add that this is a Red Hat Linux, I ask here since the FBSD 
implementation of the tcp/ip stack is considered the reference 
implementation.


So the question is which behaviour is correct, recommended or accepted? 
Stripping the link layer and reply according to the network layer, or 
keeping the link layer?


Thanks, Erik

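The behaviour described in the two posts above can be reproduced with a small model of destination-based route lookup. This is an added example, not part of the thread: it shows the reply leaving by the default route with the ARP line seen in the tcpdump, the destination-specific route that fixes one address and breaks the other, and a per-source routing table (on Linux, what `ip rule` selects) under which both replies leave by the interface that owns their source address. The interface names eth0/eth1 and the address used for RN are assumptions; "answered" is a simplification of whether the neighbour replies to the ARP request.

```python
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "prefix dev via")   # via=None: directly connected

# SRV's two addresses from the diagram; the interface names are assumed.
IFACES = {
    "eth0": ipaddress.ip_interface("192.168.28.196/24"),
    "eth1": ipaddress.ip_interface("10.225.162.28/24"),
}
RN = "172.16.0.9"                               # assumed address of the remote node


def net(prefix):
    return ipaddress.ip_network(prefix)


# Main table as described: two connected networks and one default gateway.
MAIN = [
    Route(net("192.168.28.0/24"), "eth0", None),
    Route(net("10.225.162.0/24"), "eth1", None),
    Route(net("0.0.0.0/0"), "eth0", "192.168.28.1"),
]


def lookup(table, dst):
    """Longest-prefix match on the destination only."""
    dst = ipaddress.ip_address(dst)
    hits = [r for r in table if dst in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen, default=None)


def reply_path(src, dst, main, rules=()):
    """Route a reply from local address src to dst.

    rules is a list of (source address, table) pairs tried before main.
    """
    tables = [table for rule_src, table in rules if rule_src == src] + [main]
    for table in tables:
        route = lookup(table, dst)
        if route:
            break
    else:
        return None
    next_hop = route.via or dst
    return {
        "dev": route.dev,
        "arp": "who-has %s tell %s" % (next_hop, src),
        # Simplification: the neighbour answers only an address on its own subnet.
        "answered": ipaddress.ip_address(src) in IFACES[route.dev].network,
    }


# Attempt from the second post: a destination-specific route for RN.
WITH_HOST_ROUTE = MAIN + [Route(net(RN + "/32"), "eth1", "10.225.162.1")]

# Per-source table: replies from 10.225.162.28 use the gateway on that network.
SOURCE_RULES = [
    ("10.225.162.28", [Route(net("0.0.0.0/0"), "eth1", "10.225.162.1")]),
]

if __name__ == "__main__":
    for label, table, rules in [
        ("as configured", MAIN, ()),
        ("host route for RN", WITH_HOST_ROUTE, ()),
        ("per-source table", MAIN, SOURCE_RULES),
    ]:
        for src in ("192.168.28.196", "10.225.162.28"):
            print(label, src, reply_path(src, RN, table, rules))
```
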

FreeBSD compatible mini-itx board

2011-05-18 Thread Erik Nørgaard

Hi:

I am looking for a new low power mini-itx board for my firewall/home 
server. I've had VIA boards but flaky disk controller and other 
problems have made me look for something else.


So, going all Intel, I hope there will be no hardware problems. I'm 
looking at the Intel D945GSEJT with an Atom N270 processor and the 
following specs:


Mobile Intel 945GSE Express Chipset
Intel 82945GSE Express Chipset Graphics/Memory Controller Hub
Intel 82801GBM I/O Controller Hub (ICH7-M)
Intel GMA950
RealTek 8111DL Gigabit Ethernet Controller

Does FBSD support this?

I don't care about graphics, basic VGA is enough as this will be a 
headless server. But I do care that the disk controller is fully 
supported as well as the NIC.


Any suggestions of alternative boards? AFAIK the N270 is single core 
32bit, a dual core and/or 64bit alternative would be interesting.


Also: The Intel manual mentions: Support for DDR2 533 MHz SO-DIMMs 
(DDR2 800 MHz and DDR2 667 MHz validated to run at 533 MHz only)


Will faster RAM result in a less stable system?

And what is Serial Presence Detect RAM? I've never seen this advertised.

Lots of questions, I know...

Thanks, Erik


Re: FreeBSD compatible mini-itx board

2011-05-19 Thread Erik Nørgaard

On 19/5/11 7:49 PM, Chuck Swiger wrote:


FreeBSD ought to support the 945G chipset and the ICH7 hub; also the RealTek 
NIC, but the latter isn't the highest quality NIC around.


yeah, I'd rather have Intel's own NIC, dunno why they can't put them on 
their own boards. Realtek seem to be on all the Intel boards :S


At least I'm adding an Intel PCI NIC.


Also: The Intel manual mentions: Support for DDR2 533 MHz SO-DIMMs (DDR2 800 MHz 
and DDR2 667 MHz validated to run at 533 MHz only)
Will faster RAM result in a less stable system?


It indicates that they put faster RAM into the box, but ran it at a speed of 
533MHz, which is slower than the memory is capable of running.  In some cases, 
doing this lets you run the RAM at lower voltage or with tighter timing 
settings of CL/tRCD/tTP/etc.


Thanks, currently I have, well ancient RAM on an old VIA board and it's 
not really any reliable. That with the flaky disk controller on the VIA 
board is my reason to go Intel.



Regards,


Thanks, Erik


Where's my disk?

2011-06-04 Thread Erik Nørgaard

Hi:

I'm moving my server to new hardware, but I will preserve the disk 
making the necessary changes to the configuration before the move.


The first problem is that I have no idea how my disk will be recognized, 
now the root partition is on /dev/ad6s1a.


The second problem is that the server is headless. I pretty much have to 
guess and remember. I have no way of knowing if a command was successful.


oh, and the third problem is that this new one uses a USB keyboard and I 
only have a PS2 keyboard.


This means that I need to figure out how the hard disk will be 
recognized so it will be mounted properly at first attempt. Or else have 
to go out investing in a lot of extra hardware.


Any trick for doing this?

Thanks, Erik


Re: Where's my disk?

2011-06-04 Thread Erik Nørgaard

On 4/6/11 10:48 AM, Polytropon wrote:

On Sat, 04 Jun 2011 10:31:18 +0200, Erik Nørgaard norga...@locolomo.org wrote:

The first problem is that I have no idea how my disk will be recognized,
now the root partition is on /dev/ad6s1a.


A good approach is to apply a label or use the UFSID of
the partitions (which don't depend on controller position)
instead of the device names.


Thanks, I tried to add labels, and all file systems are labeled, except 
the root file system, it gives an error


alpha# tunefs -L root /dev/ad6s1a
tunefs: /dev/ad6s1a: failed to write superblock

Can I use the fsid in fstab?

alpha# mount -v
/dev/ad6s1a on / (ufs, local, fsid c18a2f44f29adbc0)
devfs on /dev (devfs, local, multilabel, fsid 00ff00060600)
/dev/ufs/local on /usr/local (ufs, local, fsid c58a2f44da5dfaa7)
/dev/ufs/var on /var (ufs, local, fsid c98a2f44462bb250)
/dev/ufs/tmp on /tmp (ufs, local, fsid d38a2f44b88ac8e5)
/dev/ufs/home on /home (ufs, local, fsid d58a2f449675649f)
/dev/ufs/share on /home/share (ufs, local, fsid e28a2f4464800a20)
devfs on /var/named/dev (devfs, local, multilabel, fsid 01ff00060600)

As for the screen I've usually done without, I know my system well, but 
if the disk moves, I'm lost. For the keyboard, maybe a PS2 to USB adapter?


Thanks, Erik


Re: Where's my disk?

2011-06-04 Thread Erik Nørgaard

On 4/6/11 3:09 PM, Warren Block wrote:

On Sat, 4 Jun 2011, Erik Nørgaard wrote:

Thanks, I tried to add labels, and all file systems are labeled,
except the root file system, it gives an error

alpha# tunefs -L root /dev/ad6s1a
tunefs: /dev/ad6s1a: failed to write superblock


The filesystem has to be unmounted or mounted ro to set a label.


Thanks, but not enough:

alpha# mount -f -o ro /
alpha# mount
/dev/ad6s1a on / (ufs, local, read-only)
devfs on /dev (devfs, local, multilabel)
/dev/ufs/local on /usr/local (ufs, local)
/dev/ufs/var on /var (ufs, local)
/dev/ufs/tmp on /tmp (ufs, local)
/dev/ufs/home on /home (ufs, local)
/dev/ufs/share on /home/share (ufs, local)
devfs on /var/named/dev (devfs, local, multilabel)
alpha# tunefs -L root /dev/ad6s1a
tunefs: /dev/ad6s1a: failed to write superblock

BR, Erik


Partitioning with gpart or old style slices?

2011-06-04 Thread Erik Nørgaard

Hi:

I just realized how many years ago I haven't been partitioning any disks 
.. this system is so stable :) So, now I see I have gpart as alternative 
to fdisk/bsdlabel.


I have a 320GB disk which will be dedicated to FBSD, is there any 
advantage - or any problems (problems as in I've never tried that 
before) - using gpart instead of the old scheme?


Do I need kernel modules not in the generic kernel or create extra boot 
partition?


Thanks, Erik


Re: Partitioning with gpart or old style slices?

2011-06-05 Thread Erik Nørgaard

On 5/6/11 7:03 AM, Robert Simmons wrote:

On Sunday, June 05, 2011 12:40:22 AM Matthias Apitz wrote:

# gpart create -s mbr ad4                   # Init the disk with an MBR
# gpart add -t freebsd ad4                  # Create a BSD container
# gpart create -s bsd ad4s1                 # Init with a BSD scheme
# gpart add -t freebsd-ufs  -s 1G ad4s1     # 1GB for /
# gpart add -t freebsd-swap -s 2G ad4s1     # 2GB for swap
# gpart add -t freebsd-ufs  -s 2G ad4s1     # 2GB for /var
# gpart add -t freebsd-ufs  -s 1G ad4s1     # 1GB for /tmp
# gpart add -t freebsd-ufs ad4s1            # all rest for /usr
# gpart set -a active -i 1 ad4


You need to install the bootcode:

This will install the interactive one:
gpart bootcode -b /mnt2/boot/boot0 ad4

this will install the non-interactive one:
gpart bootcode -b /mnt2/boot/mbr ad4


Thanks Warren, great article, and thanks all for the follow up posts as 
well.


Just one more question, the usual mbr and boot files will boot a gpt 
partition? I see there are some additional files gptboot and pmbr?


Thanks, Erik


How to restrict jail's network access?

2011-06-08 Thread Erik Nørgaard

Hi:

I'm planning to move services to run in jails. Two jails:

1: Mail related: postfix, cyrus imap and openldap
2: Web related: apache and postgresql

No service should be able to connect out of the jail to remote hosts, 
except for postfix that needs to connect out to port 25 for delivery to 
other domains.


I don't want to allow a ssh out of a jail to the local node, as that 
could allow a compromised jail to jump to the host server - even if only 
theoretically.


Both jails need to access the named that runs chrooted on the host 
server but may not access remote DNS services.


Other than this, any connection to remote nodes or the host 
server on the loopback interface must be blocked.


I don't have extra IPs to create jails with separate interfaces, but 
there is no conflicting port assignments so this shouldn't be a problem.


I have considered to isolate the jails by only offering a loopback 
interface and let the firewall impose these policies, but is this at all 
possible?


How would you go about implementing the above policies?

Thanks, Erik


8_RELEASE buildkernel fails

2011-09-30 Thread Erik Nørgaard

Hi:

I csup'ed my source tree and rebuilt world successfully, but buildkernel 
fails with the following error:


cc -c -O -pipe  -std=c99 -g -Wall -Wredundant-decls -Wnested-externs 
-Wstrict-prototypes  -Wmissing-prototypes -Wpointer-arith -Winline 
-Wcast-qual  -Wundef -Wno-pointer-sign -fformat-extensions -nostdinc 
-I. -I/usr/local/src/sys -I/usr/local/src/sys/contrib/altq -D_KERNEL 
-DHAVE_KERNEL_OPTION_HEADERS -include opt_global.h -fno-common 
-finline-limit=8000 --param inline-unit-growth=100 --param 
large-function-growth=1000  -mno-align-long-strings 
-mpreferred-stack-boundary=2  -mno-mmx -mno-3dnow -mno-sse -mno-sse2 
-mno-sse3 -ffreestanding -fstack-protector -Werror 
/usr/local/src/sys/net/if_vlan.c

/usr/local/src/sys/net/if_vlan.c: In function 'vlan_ioctl':
/usr/local/src/sys/net/if_vlan.c:1424: error: stray '\1' in program
*** Error code 1

Stop in /usr/local/obj/usr/local/src/sys/GENERIC.
*** Error code 1

Stop in /usr/local/src.
*** Error code 1

Stop in /usr/local/src.

I've cleaned and retried a few times, csup'ed again, but it fails at the 
same point.


Any suggestions?

Thanks, Erik


Re: ISC dhcp server

2011-10-18 Thread Erik Nørgaard

On 18/10/2011 08:38, n dhert wrote:

isc-dhcp31-server was removed from the ports. The FreeBSD Handbook still
refers to it...
Can a /usr/local/etc/dhcpd.conf configuration file from isc-dhcp31-server,
without change also be used in isc-dhcp42-4.2.2 ?


I think so, I use dhcp 4.1 and didn't change my 3.1 configfile.

BR, Erik


Re: Breakin attempt

2011-10-22 Thread Erik Nørgaard

On 22/10/2011 16:12, Polytropon wrote:

Is there _any_ reason why moving from port 22 to something
different is _not_ a solution?

Yes

Reason why I'm asking: Moving SSH away from its default port
seems to be a relatively good solution as break-in attempts
concentrate on default ports. So in case a sysadmin decides
to move SSH to a hidden location, what could be an argument
against this decision?

Moving to a non-standard port does not provide you any additional real 
security. The random scannings and occasional attacks will disappear 
from your logs but these are not interesting, they fail because you 
already hardened your server. Those who are determined to break into 
your server will also find your ssh running on a non-standard port.


On the other hand, those legitimate users who rely on ssh to connect 
remotely to their account may not be able to because the firewall on the 
network only allows access to standard ports for whatever reason, and 
running ssh on port, say, 24 is a non-standard port. It is actually 
common to block access to most ports and allow access only through a 
proxy, and then open for those particular services that will not run 
through a proxy. Hence, if you want to be sure to be able to connect 
remotely, your best bet is to run your services on standard ports.


In summary, nothing is won moving ssh to a nonstandard port except for 
potential problems.


BR, Erik




Re: No network in mixed FBSD81/90 chroot environment

2011-11-29 Thread Erik Nørgaard

On 29/11/2011 15:58, Damien Fleuriot wrote:


On 11/29/11 1:58 PM, Erik Nørgaard wrote:

Today I finished make build/install world/kernel in /mnt, and now I no
longer have network access, interfaces are visible with ifconfig but
no ip is set and can't be set from within the chroot environment.

Is this to be expected? How do I get my network access back?

Should add: Network on the host FBSD81 system works fine.


When you chroot to your /mnt/ folder you're still using the 8.x kernel
and thus the 8.x NIC drivers, with a 9.x userland.

This might be your problem.


That seems strange though, first, drivers are loaded into the kernel so 
there is no mismatch there, 8.1 drivers in 8.1 kernel. And then, this is 
the output from ifconfig, first the chroot environment, then the host 
environment:


FreeBSD chroot # ifconfig
re0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
        ether e0:69:95:77:f1:20
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33200
FreeBSD chroot # exit

alpha# ifconfig
re0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
        ether e0:69:95:77:f1:20
        inet 192.168.0.1 netmask 0xfe00 broadcast 192.168.1.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff00
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33200

So, the devices are there, just no network connectivity.


What are you trying to achieve with this, a smooth 8.x -> 9.x transition?


Well, I don't know what happened on the host system, but the kernel 
fails building, even kernel 8.2, at if_vlan. Since I decided to migrate 
to the other disk and upgrade to 9.0 I created a chrooted environment on 
the new disk and build sources there.


Now, the tricky part is that this is a headless system and I need it to 
be up or at least be sure that I can roll back if something fails.



You may want to, instead, install your 9.0 on a different machine
(possibly a VM), then use dump on the filesystems to inject them
properly on your new disk on the original machine.

You should then be able to reboot on the new disk just fine.


Thanks, for the suggestion, but sounds risky, the disks are not 
identical size.


It seems I have a workaround that will get my new disk ready: Using 
fetch-recursive I've downloaded the sources of the ports I need 
installed, so I can build in the chroot without network access.


BR, Erik

--
M: +34 666 334 818
T: +34 915 211 157


Re: pxebooting different versions/variants of FreeBSD

2011-12-11 Thread Erik Nørgaard

On 11/12/2011 13:18, Dura Zell wrote:


Is there a way to circumvent the need of the dhcp option
root-path and set it instead manually via a config file or as
parameter? If not: How can I achieve my goal of pxebooting the different
versions of FreeBSD?


Hi:

No. The only thing you can do is to set root-path for each host with 
host declarations in your dhcpd.conf. This is useful if you know the mac 
of each computer and that for example certain macs correspond to 64bit 
systems while others to 32bit.


However, in the installer you can choose the version to install if you 
want a different one.


BR, Erik
--
M: +34 666 334 818
T: +34 915 211 157


Re: ipv6 in FreeBSD 9

2012-01-15 Thread Erik Nørgaard

On 14/01/2012 18:07, Marco Beishuizen wrote:

Hi,

In 8.2 ipv6 was enabled by adding ipv6_enable=YES in rc.conf, and all
worked fine. In FreeBSD 9 that changed to
ipv6_activate_all_interfaces=YES. But now there are still some error
messages at boot time, and ipv6 doesn't seem to work correctly:

...
root: /etc/rc: WARNING: $ipv6_firewall_enable is not set properly - see
rc.conf(5).
root: /etc/rc: WARNING: $ipv6_enable is not set properly - see rc.conf(5).
...

I do not use a static IP address, but DHCP. What do I need to do more to
enable ipv6?


Don't use ipv6, but reading above: Did you replace ipv6_enable with 
ipv6_activate_all_interfaces? Because the error seems to tell you that 
you must keep ipv6_enable.


Or, maybe there was an error with mergemaster? old scripts, new kernel 
variables?


BR, Erik

--
M: +34 666 334 818
T: +34 915 211 157


Re: ipv6 in FreeBSD 9

2012-01-15 Thread Erik Nørgaard

On 15/01/2012 21:41, Marco Beishuizen wrote:

On Sun, 15 Jan 2012, the wise Erik Nørgaard wrote:


Don't use ipv6, but reading above: Did you replace ipv6_enable with
ipv6_activate_all_interfaces? because the error seems to tell you that
you must keep ipv6_enable


I replaced it with the new lines because according to the manpage
ipv6_enable is deprecated. But why shouldn't I use ipv6?


Sorry, meant to say, I don't use ipv6 so I can't do much debugging.


Or, maybe there was an error with mergemaster? old scripts, new kernel
variables?


I ran mergemaster, but didn't get any error messages. Afaik all scripts
in /etc are new.


OK, in the error messages you posted it seems that some script checks or 
uses these variables. Maybe try to run the different networking scripts 
manually and see where it fails.


BR, Erik

--
M: +34 666 334 818
T: +34 915 211 157


Re: pxeboot.bs and vlan tagging

2012-02-06 Thread Erik Nørgaard

On 06/02/2012 16:35, Rick Miller wrote:


We are PXE booting into FreeBSD 8.2-RELEASE to perform system builds.
The pxeboot.bs file was recompiled with TFTP support.  8.2-RELEASE
builds were working fine until we attempted a build on bare metal in
an environment that utilizes vlan tagging.  When the system loaded the
pxeboot.bs file it prompted that a disk containing the mfsroot.gz be
inserted.


Hi, a few questions:

1) do you use tftp or nfs? if you built pxeboot with tftp, did you also 
build the kernel with tftp?


I assume that you want to use tftp since you fetch a memory file system 
as root device.


2) do you fetch the kernel successfully?

When using tftp, the kernel and kernel modules are fetched before the 
memory file system, so does pxeboot fetch the kernel but not the mfsroot?


The reason for these questions is that your problem may be with the 
kernel and kernel modules and not pxeboot. Just to be sure.



I have a couple of questions that I am hoping I can use to glean a
proper solution:

1) Does the 8.2-RELEASE pxeboot.bs source code support use of vlan tagging?
2) Can I get vlan tagging support with newer 8.2 code?
3) Will the 9.0-RELEASE code have better support for vlan tagging and
can I use it to build an 8.2-RELEASE system?


I did a grep in the source and it seems there is a kernel module for 
vlan tagging, if you load the kernel successfully it may be a question of 
getting that module loaded as well, or rebuild the kernel. But I can't 
give a better answer.


My best guess is not to rely on vlan tagging unless you can configure 
that on the hardware. Or, normally there is a default vlan that 
corresponds to no tag. If you can configure that for pxe and use tagging 
for the other networks.


BR, Erik

--
M: +34 666 334 818
T: +34 915 211 157


Re: pxeboot.bs and vlan tagging

2012-02-06 Thread Erik Nørgaard

On 06/02/2012 17:11, Rick Miller wrote:

See my responses inline...

On Mon, Feb 6, 2012 at 10:54 AM, Erik Nørgaard <norga...@locolomo.org> wrote:

On 06/02/2012 16:35, Rick Miller wrote:


We are PXE booting into FreeBSD 8.2-RELEASE to perform system builds.
The pxeboot.bs file was recompiled with TFTP support.  8.2-RELEASE
builds were working fine until we attempted a build on bare metal in
an environment that utilizes vlan tagging.  When the system loaded the
pxeboot.bs file it prompted that a disk containing the mfsroot.gz be
inserted.



Hi, a few questions:

1) do you use tftp or nfs? if you built pxeboot with tftp, did you also
build the kernel with tftp?


pxeboot.bs was compiled with TFTP enabled.  We made 3 modifications to
the kernel not related to tftp.  One change was to the NIC source code
to improve small packet performance, we compiled a custom kernel that
disabled FLOWTABLE and enabled ROUTETABLES.

TFTP is the intent for PXE, we did not want to rely on NFS.  For the
remainder of the install, we've written code into sysinstall to
support pure HTTP installs.


2) do you fetch the kernel successfully?

When using tftp, the kernel and kernel modules are fetched before the memory
file system, so does pxeboot fetch the kernel but not the mfsroot?

The reason for these questions is that your problem may be with the kernel
and kernel modules and not pxeboot. Just to be sure.


I see what you are saying.  We will have to look at the packet
captures to make that determination.



There used to be some kernel options in older versions but I think the 
necessity for these was removed with 7.0. Can't find them right now.


Also, there is a trick when you want to use tftp, by default the kernel 
will try nfs if it has been built with nfs code, so check for references 
to nfs. The generic kernel is built with the options

options NFSCL
options NFSD
options NFSLOCKD
options NFS_ROOT

these should be disabled.


Thanks for this information, it has given me some other things to
think about and could potentially lead to a proper solution.


My approach to this is to create a closed network with one server 
providing all the necessary services (dhcp, tftp and ftp/http) as well 
as a local mirror with all the required files for installation.


If you have a lot of servers, it makes no sense that each should fetch 
packages from the public mirrors, hence for installation there should be 
no need for access to external networks.


If you do this you can configure your switches accordingly without any 
need for vlan tagging.


BR, Erik
--
M: +34 666 334 818
T: +34 915 211 157


Re: pxeboot.bs and vlan tagging

2012-02-06 Thread Erik Nørgaard

On 06/02/2012 17:33, Rick Miller wrote:

2) do you fetch the kernel successfully?

When using tftp, the kernel and kernel modules are fetched before the memory
file system, so does pxeboot fetch the kernel but not the mfsroot?

The reason for these questions is that your problem may be with the kernel
and kernel modules and not pxeboot. Just to be sure.


I see what you are saying.  We will have to look at the packet
captures to make that determination.


The target system loads pxeboot.bs and consequently requests the
following files:

/boot/boot.4th (which it does not find)
/boot/loader.rc
/boot/loader.4th
/boot/support.4th
/boot/defaults/loader.conf
/boot/device.hints
/boot/loader.conf

It is at this point where the failure occurs.  The contents of loader.conf are:

mfsroot_load=YES
mfsroot_type=mfs_root
mfsroot_name=/boot/mfsroot

Does this seem consistent with what you were theorizing that it's the
kernel that has the problem with vlan tagging and not pxeboot.bs?


See the other mail, the way pxeboot works IIRC, is that first the 
pxeboot is fetched using tftp, the pxeboot is given the next server and 
will fetch the kernel, modules and other files from /boot/ on that 
server, (path respective to the root of the tftp dir).


The kernel loads and will then fetch the mfsroot file. As mentioned, by 
default this is done using nfs, and nfs is assumed if the kernel 
supports nfs, even if it only fetches one file. This I understand has to 
be this way since the network configuration set with dhcp does not 
specify the protocol.


So, if your kernel supports nfs it will not use tftp and hence fail.

The details are somewhat distant to me, it's been some time since I 
messed around with this.


hope this helps.
BR, Erik
--
M: +34 666 334 818
T: +34 915 211 157


Re: pxeboot.bs and vlan tagging

2012-02-06 Thread Erik Nørgaard

On 06/02/2012 19:34, Rick Miller wrote:

Thanks for your feedback, Erik!  I do have a question below...



The kernel I am using is the kernel from the DVD ISO as it is
downloaded from freebsd.org.  How do I determine what modules have
been enabled and disabled in that kernel?  I am under the assumption
that NFS is compiled into that kernel.  We can install 8.2-RELEASE
with this kernel in VMs, but not bare metal.  Is there an explanation
as to why an NFS enabled kernel would work inside a VM, but fail on
bare metal?


The kernel distributed with the ISOs is the generic kernel, so if you 
have the source (it's also on the DVD) you'll find the GENERIC kernel 
configuration file in /usr/src/sys/YOUR_ARCH/conf/GENERIC and you can 
see what are the compile options.


You'll see these options:

options         MD_ROOT         # MD is a potential root device
options         NFSCL           # New Network Filesystem Client
options         NFSD            # New Network Filesystem Server
options         NFSLOCKD        # Network Lock Manager
options         NFS_ROOT        # NFS usable as /, requires NFSCL

The first one is required, this allows your kernel to mount a memory 
disk device (your mfsroot), the others enable NFS. You need to rebuild 
the kernel with NFS disabled.


BR, Erik

--
M: +34 666 334 818
T: +34 915 211 157
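
The advice in this thread (keep MD_ROOT, remove the NFS options) can be checked against a kernel configuration file before rebuilding. The following is an added example, not part of the original mails: the function names, the constructed sample files and the lookup of include files next to the including file are assumptions of this example, and it also looks for NFSCLIENT and NFSSERVER, the names 8.x kernels use for the NFS client and server options.

```sh
#!/bin/sh
# Example code. enabled_options CONF prints the kernel options that remain
# enabled after CONF is processed top to bottom: "options A" enables A, a
# later "nooptions A" removes it, and "include FILE" is read in place
# (looked up next to the including file, an assumption of this example).
enabled_options() {
    awk -v top="$1" '
    function load(file,    line, dir, word, rest, n, i, names) {
        dir = "."
        if (match(file, /.*\//)) dir = substr(file, 1, RLENGTH - 1)
        while ((getline line < file) > 0) {
            sub(/#.*/, "", line)                     # drop comments
            sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line)
            if (line == "") continue
            word = line; sub(/[ \t].*/, "", word)    # directive
            rest = line; sub(/^[^ \t]+[ \t]*/, "", rest)
            if (word == "include") {
                gsub(/"/, "", rest)
                load((rest ~ /^\//) ? rest : (dir "/" rest))
            } else if (word ~ /^(no)?options?$/) {
                n = split(rest, names, /[ \t]*,[ \t]*/)
                for (i = 1; i <= n; i++) {
                    sub(/[ \t]*=.*/, "", names[i])   # NAME=value -> NAME
                    if (word ~ /^no/) delete on[names[i]]
                    else on[names[i]] = 1
                }
            }
        }
        close(file)
    }
    BEGIN { load(top); for (o in on) print o }' | sort
}

# check_tftp_root_kernel CONF
# Follows the advice in the thread: MD_ROOT must be present so the kernel can
# mount the mfsroot memory disk, and no NFS option may remain enabled.
# Returns 0 only when both conditions hold.
check_tftp_root_kernel() {
    opts=$(enabled_options "$1")
    bad=0
    if printf '%s\n' "$opts" | grep -qx 'MD_ROOT'; then
        echo "ok:      MD_ROOT present"
    else
        echo "missing: MD_ROOT"; bad=1
    fi
    for o in NFSCL NFSD NFSLOCKD NFS_ROOT NFSCLIENT NFSSERVER; do
        if printf '%s\n' "$opts" | grep -qx "$o"; then
            echo "enabled: $o"; bad=1
        fi
    done
    [ "$bad" -eq 0 ]
}

# Constructed sample files: an excerpt in the style of GENERIC and a custom
# configuration that includes it and removes the NFS options again.
write_samples() {
    cat > "$1/GENERIC" <<'EOF'
ident           GENERIC
options         MD_ROOT         # MD is a potential root device
options         NFSCL           # New Network Filesystem Client
options         NFSD            # New Network Filesystem Server
options         NFSLOCKD        # Network Lock Manager
options         NFS_ROOT        # NFS usable as /, requires NFSCL
EOF
    cat > "$1/PXETFTP" <<'EOF'
include         GENERIC
ident           PXETFTP
nooptions       NFSCL
nooptions       NFSD
nooptions       NFSLOCKD
nooptions       NFS_ROOT
EOF
}

tmp=$(mktemp -d) || exit 1
write_samples "$tmp"
for conf in GENERIC PXETFTP; do
    echo "== $conf =="
    check_tftp_root_kernel "$tmp/$conf" ||
        echo "-> NFS options still enabled or MD_ROOT missing"
done
rm -rf "$tmp"
```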


Re: too many illegal connection attempts through ssh

2005-04-06 Thread Erik Nørgaard
Edwin D. Vinas wrote:
shown below is snapshot of too many illegal attempts to login to my
server from a suspicious hacker. this is taken from the
/var/log/auth.log. my question is, how do i automatically block an
IP address if it is attempting to guess my login usernames? can i
configure the firewall to check the instances a certain IP has
attempted to access/ssh the server, and if it has failed to login for
about x number of attempts, it will be blocked automatically?

This question is asked on the list ever so often - see the archives for 
suggestions. These are automated attacks, they come regularly as 
crackers, black hats or script kiddies scan across the net.

You can avoid the automated scanning by changing port, but this won't 
stop the determined cracker - he will scan all your ports and identify 
which services are running on which ports.

Ask yourself a few questions:

* Do you need to allow ssh from anywhere? If not, restrict to the
  relevant ip blocks.
* Do you need to allow password based authentication? If not, disable it
  and use only ssh keys, in sshd_config:

    PasswordAuthentication no
    PubkeyAuthentication yes

* Do all users need to have ssh access? If not, restrict to specific
  groups of users, in sshd_config, e.g.:

    AllowGroups staff

* Is it a problem apart from the log messages? Trying to log in with a
  nonexistent username is usually not a problem.

Other tips: Disable ssh1, reduce the number of simultaneous
non-authenticated connections, set timeouts etc.

Cheers, Erik
--
Ph: +34.666334818   web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID:  A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
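
The points in the reply above can be checked mechanically against an existing sshd_config. This is an added example, not part of the original mail: the function names and both sample configurations are constructed, and reading MaxStartups and LoginGraceTime as the settings behind "non-authenticated connections" and "timeouts", and accepting AllowUsers next to AllowGroups, are assumptions of this example.

```sh
#!/bin/sh
# Example code: audit the global part of an sshd_config against the advice in
# the mail above (keys only, limited groups, no protocol 1, connection limits).

# effective_value FILE KEYWORD
# Prints the value sshd would use for KEYWORD: the first occurrence wins,
# keywords are case-insensitive, "Keyword value" and "Keyword=value" are both
# accepted, and everything after the first "Match" line is conditional.
effective_value() {
    awk -v key="$2" '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        /^#/ || /^$/ { next }
        {
            n   = match($0, /[ \t=]/)
            kw  = tolower(n ? substr($0, 1, n - 1) : $0)
            val = n ? substr($0, n) : ""
            sub(/^[ \t]*=?[ \t]*/, "", val)
            if (kw == "match") exit
            if (kw == tolower(key)) { print val; exit }
        }' "$1"
}

# audit_sshd_config FILE
# Prints one finding per line; returns 0 only if there is no FAIL finding.
audit_sshd_config() {
    cfg=$1
    fails=0

    v=$(effective_value "$cfg" PasswordAuthentication)
    case $v in
        [Nn][Oo]) echo "OK    PasswordAuthentication no" ;;
        *) echo "FAIL  PasswordAuthentication is '${v:-unset, default yes}'"
           fails=$((fails + 1)) ;;
    esac

    v=$(effective_value "$cfg" PubkeyAuthentication)
    case $v in
        [Nn][Oo]) echo "FAIL  PubkeyAuthentication no: key logins are off"
                  fails=$((fails + 1)) ;;
        *) echo "OK    PubkeyAuthentication ${v:-unset, default yes}" ;;
    esac

    # The Protocol keyword only exists in older OpenSSH releases; it is a
    # finding only when it is present and still lists protocol 1.
    v=$(effective_value "$cfg" Protocol)
    case ",$v," in
        *,1,*) echo "FAIL  Protocol $v still offers SSH protocol 1"
               fails=$((fails + 1)) ;;
        *) echo "OK    Protocol ${v:-not set}" ;;
    esac

    g=$(effective_value "$cfg" AllowGroups)
    u=$(effective_value "$cfg" AllowUsers)
    if [ -n "$g$u" ]; then echo "OK    logins limited by AllowGroups/AllowUsers"
    else echo "WARN  neither AllowGroups nor AllowUsers is set"; fi

    for kw in MaxStartups LoginGraceTime; do
        v=$(effective_value "$cfg" "$kw")
        if [ -n "$v" ]; then echo "OK    $kw $v"
        else echo "WARN  $kw not set, compiled-in default applies"; fi
    done

    [ "$fails" -eq 0 ]
}

sample_weak() {        # constructed sample
    cat <<'EOF'
# constructed sample: the commented line and the later "no" do not count
Port 22
Protocol 2,1
#PasswordAuthentication no
passwordauthentication yes
PasswordAuthentication no
Match Group staff
    PasswordAuthentication no
EOF
}

sample_hardened() {    # constructed sample
    cat <<'EOF'
Protocol 2
PasswordAuthentication=no
PubkeyAuthentication yes
AllowGroups staff
MaxStartups 3:50:10
LoginGraceTime 30
EOF
}

tmp=$(mktemp -d) || exit 1
sample_weak > "$tmp/weak"
sample_hardened > "$tmp/hardened"
for f in weak hardened; do
    echo "== $f =="
    audit_sshd_config "$tmp/$f" || echo "-> $f: changes needed"
done
rm -rf "$tmp"
```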


Re: Very confused

2005-04-09 Thread Erik Nørgaard
Tom Vilot wrote:
apache and the ports tree I find a bit confusing.
I want: Apache with mod_perl and mod_ssl.
I had apache with mod_ssl by installing apache13-modssl. But I kinda need 
mod_perl compiled in statically.

If I deinstall apache13-modssl, and then install apache13-modperl, I 
don't have mod_ssl anymore.

How do I install JUST mod_ssl? Or ... more specifically ... how do I 
install both?

I think the whole mod_ means that you don't compile anything statically 
in. I installed apache13-modssl and then installed modperl separately, 
works fine.

Erik
--
Ph: +34.666334818   web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID:  A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2


Re: Very confused

2005-04-09 Thread Erik Nørgaard
Tom Vilot wrote:
I think I finally figured this out --- by having two different apache 
installs: one with ssl the other with perl.

Installing both apache13-modssl and apache13-modperl could/should cause 
problems - they should be marked as conflicting, if not submit a pr.

Installing apache13-modssl and mod_perl should not cause a problem, this 
is the solution I am referring to.

I want mod_perl compiled in statically. I have been finding that if I 
leave it as a loadable module, I get my signal 11 core dumps in Apache

If you get a coredump then please investigate the problem, submit here 
or submit a problem report.

I must say that I have installed mod_perl mostly to have it supported 
since my dynamic web is still php. However, I have tested and it works fine.

Cheers, Erik
--
Ph: +34.666334818   web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID:  A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2


Don't Panic - how do I investigate a kernel panic?

2005-04-12 Thread Erik Nørgaard
Hi,

I have a 5.3-STABLE which was stable until last Friday. Since then I 
experience irregular panics, with uptimes between 25 secs and 16 hours.

In most cases I got a fatal trap 12, the last panic was simply panic: 
sbdrop.

I had 5.3p5 but upgraded to 5.3p8 after the first panics. After the last 
trap 12, I replaced my custom kernel with a fresh built GENERIC, as I 
thought it might be easier to investigate.

I have experienced trap 12 before startup completed and after shutdown 
unmounted all disks. So, it seems not to be triggered by network events.

However, about the same time as the first panic and since then, I have 
experienced an unusually high amount of illicit mail delivery attempts to 
addresses like random_chars@mydomain.com - not the amount I would 
expect could cause a crash though, my connection is far too thin for that.

Following the kernel panic faq:

Fatal trap 12: Page fault while in kernel mode
Fault virtual address   = 0xc
Fault code              = supervisor read, page not present
instruction pointer     = 0x8:0xc053d638
stack pointer           = 0x10:0xcb4ddaec
frame pointer           = 0x10:0xcb4ddaf8
code segment            = base 0x0, limit 0x, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL=0
current process         = 28 (swi1:net)
trap number             = 12
panic: page fault

# nm -n /boot/kernel/kernel | grep c053d6
c053d610 T m_copydata
c053d670 T m_dup

Note: This was the same error for both the custom p5 and p8 kernels.
The sbdrop panic happened with the GENERIC kernel.

What does sbdrop mean? Is this a simple disk I/O or hardware error? How 
do I get on from here?

How do I keep my system at least at minimum service without crashing?

Thanks! Erik
--
Ph: +34.666334818   web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID:  A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
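
The nm lookup in the mail above, generalised as an added example (not part of the original mail): instead of grepping for an address prefix, it walks `nm -n` output and reports the last text symbol at or below the faulting address together with the offset into it. The function names are this example's own, and the symbol table is a constructed excerpt holding the two symbols quoted in the mail plus one constructed undefined symbol.

```sh
#!/bin/sh
# Example code. resolve_addr ADDR reads "nm -n" output (sorted by address) on
# stdin and prints "symbol+0xoffset" for the text symbol that contains ADDR.
# ADDR may be given as printed in the trap message, e.g. 0x8:0xc053d638; the
# segment selector before the colon is ignored.
# Addresses must fit the shell's signed 64-bit arithmetic, which the i386
# kernel addresses in the mail do.
resolve_addr() {
    addr=${1##*:}
    addr=${addr#0x}
    case $addr in
        ''|*[!0-9a-fA-F]*) echo "resolve_addr: bad address '$1'" >&2; return 2 ;;
    esac
    best_name=
    best_addr=
    while read -r a type name; do
        # Undefined symbols ("U name") carry no address: skip them.
        case $a in ''|*[!0-9a-fA-F]*) continue ;; esac
        # Only code symbols can contain an instruction pointer.
        case $type in [tT]) ;; *) continue ;; esac
        # Input is sorted, so the first symbol above ADDR ends the search.
        [ $((0x$a)) -le $((0x$addr)) ] || break
        best_name=$name
        best_addr=$a
    done
    [ -n "$best_name" ] || return 1
    printf '%s+0x%x\n' "$best_name" $((0x$addr - 0x$best_addr))
}

# Constructed excerpt; the two T lines are the ones shown in the mail.
sample_nm() {
    cat <<'EOF'
         U constructed_undefined_symbol
c053d610 T m_copydata
c053d670 T m_dup
EOF
}

# On a live system: nm -n /boot/kernel/kernel | resolve_addr 0x8:0xc053d638
sample_nm | resolve_addr 0x8:0xc053d638
```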


Re: Can FreeBSD withstand this kind of network load??

2005-04-21 Thread Erik Nørgaard
Mark Jayson Alvarez wrote:
The setup looks like this.
There are three /24 networks, A, B, C
All of these networks are private lan. However,
Network A contains their servers, one of which is
their internet proxy server. That proxy server is dual
homed, one private, one public, which is also their
passage way to the Internet.
Now, the IT guy asked me if he can use a pc router so
that network B and C can see network A, and make their
way to the internet through the proxy server sitting
on network A.
I told him yes. I'm thinking of three possibilities,
bridging, ip forwarding, and NAT. In his sketch, PC
router has 3 interfaces, 1 facing network A, and two
each facing network B and C. With this setup, since A
already have a route to the Internet, we don't have to
use NAT, ip forwarding will do the job. We will simply
forward the request coming from each interface
connected to network B and C to the interface
connected to network A and then they can already see
the proxy. However, he told me that network B and C in
his sketch is not really their set up. It could extend
to even few more networks(D, E, F, G, H).

If internet access is proxied you don't need to do NAT either. You just 
need to tell the proxy server about routes for networks B, C, ... ie. 
point it to your FBSD gateway network A interface.

Question:
Instead of using 6 to 8 interface cards in his pc
router,(which I don't think is a good idea) can we
just alias that interface, let's say it has an ip for
networks B, C, D, E, F, G, H, I and then all the
traffic from B-I network will pass through this
interface through some sort of cascading switches and
then routed will forward this to the second interface
facing the A network and then every body will be
happy? Or is it not feasible considering that all the
traffic from 6-8 networks will only pass through a
single interface considering that each network will at
least have 30-50 hosts?

There is no problem in having n NIC's. In your suggested setup you have 
two problems:

1) You may want to keep traffic completely separate so that hosts on B 
can't sniff on the rest of the networks. This is a risk if you have them 
all on the same wire, but can be mitigated with switches.

2) You may want B to be able to communicate with the rest of the 
networks, this requires traffic to be reflected on that one network 
card. It is nasty to get working and it may be difficult to filter.

What's even funny about this is that he brought that
pc he will turn into a router in our office so that we
can install freebsd-4.11 with this specs:

You should recommend 5.4, 4.11 is legacy. If a minimal 5.4 is too heavy, 
try OpenBSD.

pentium III - 500 Mhz
memory  64 MB.
HD  4 GB
I haven't really encountered this kind of setup yet,
that's why I told him I will do a research on this
setup. I've heard that freebsd can be configured as a
web server with this specs serving hundreds of clients
with just few tweakings..
What do you think with his scenario?

I have setup a OpenBSD based router with similar specs and load: Three 
NIC's, 1 for client network with more than 100 hosts, one for server 
network and one for internet.

What you want to invest in is good NIC's. Also, you get a natural limit 
by how thick your wire is: These specs are fine for up to 10Mbit.

Cheers, Erik
--
Ph: +34.666334818   web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID:  A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2


5.4-RC2: Unexpected reboots

2005-04-23 Thread Erik Nørgaard
Hi,
I have had problems recently keeping my 5.3 up, then I upgraded to 
5.4-RC2. Things seemed stable, but then I just ran last:

norgaard  ttyp1  charm            Sat 23 Apr 12:05   still logged in
norgaard  ttyp0  charm            Sat 23 Apr 11:57   still logged in
norgaard  ttyp0  charm            Sat 23 Apr 00:39 - 00:57  (00:17)
reboot    ~                       Fri 22 Apr 22:36
reboot    ~                       Fri 22 Apr 21:03
reboot    ~                       Fri 22 Apr 20:59
reboot    ~                       Fri 22 Apr 20:52
reboot    ~                       Fri 22 Apr 20:33
reboot    ~                       Fri 22 Apr 20:30
reboot    ~                       Fri 22 Apr 20:07
reboot    ~                       Fri 22 Apr 19:17
reboot    ~                       Fri 22 Apr 18:00
reboot    ~                       Fri 22 Apr 17:57
reboot    ~                       Fri 22 Apr 17:00
norgaard  ttyp0  xxx.xxx.xxx.xxx  Fri 22 Apr 14:44 - 15:17  (00:32)
reboot    ~                       Fri 22 Apr 14:16
norgaard  ttyp0  xxx.xxx.xxx.xxx  Fri 22 Apr 12:35 - 14:05  (01:30)
reboot    ~                       Fri 22 Apr 12:24
norgaard  ttyp0  xxx.xxx.xxx.xxx  Fri 22 Apr 12:05 - crash  (00:18)
reboot    ~                       Fri 22 Apr 10:56
reboot    ~                       Fri 22 Apr 10:27
reboot    ~                       Fri 22 Apr 10:00
norgaard  ttyp0  xxx.xxx.xxx.xxx  Fri 22 Apr 09:57 - crash  (00:03)
reboot    ~                       Fri 22 Apr 09:55
norgaard  ttyp0  xxx.xxx.xxx.xxx  Fri 22 Apr 09:27 - 09:48  (00:20)
reboot    ~                       Thu 21 Apr 23:09
reboot    ~                       Thu 21 Apr 22:03
reboot    ~                       Thu 21 Apr 18:41
norgaard  ttyp0  xxx.xxx.xxx.xxx  Thu 21 Apr 17:52 - 18:04  (00:12)
reboot    ~                       Thu 21 Apr 17:18
reboot    ~                       Thu 21 Apr 17:11
norgaard  ttyp0  xxx.xxx.xxx.xxx  Thu 21 Apr 16:55 - crash  (00:16)
reboot    ~                       Thu 21 Apr 16:10
norgaard  ttyp0  xxx.xxx.xxx.xxx  Thu 21 Apr 15:38 - crash  (00:32)

I didn't realise the crashes while locked in with ssh, I thought it was 
due to an unstable DSL. But even disregarding crashes, I have no idea 
why all these reboots, there is no hint in /var/log/critical, 
/var/log/kernel, /var/log/console.log, /var/log/auth.log or others.

The only thing I have noticed is a new error message in 
/var/log/messages, happening regularly every 9 minutes:

Apr 22 15:08:14 top postfix/smtpd[874]: warning: TLS library problem: \
874:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown \
protocol:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_srvr.c:585:

However, it does not seem to sync with the reboots, and I think this is 
due to postfix being built on the 5.3.

Any ideas what causes this? Any ideas how I can tune syslog to grab the 
events?

Thanks, Erik
--
Ph: +34.666334818   web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID:  A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2


Re: 5.4-RC2: Unexpected reboots

2005-04-23 Thread Erik Nørgaard
Erik Nørgaard wrote:
Any ideas what causes this? Any ideas how I can tune syslog to grab the 
events?

Of course for the last question, I should include my syslog.conf:

# Emergency: System failure stuff!
*.emerg                 *
*.warn                  /var/log/critical
kern.info               /var/log/kernel.log
# System messages in messages
*.notice                /var/log/messages
# Send console messages to log
console.*               /var/log/console.log
# Authentication and security messages
auth.*,authpriv.*       /var/log/auth.log
security.*              /var/log/security.log
# Cron messages
cron.*                  /var/log/cron
# ftp/tftp
ftp.*                   /var/log/ftp.log
# Log all mail messages in maillog
mail.info               /var/log/maillog
# Cyrus IMAP uses log facility local6
local6.info             /var/log/imapd.log
# OpenLDAP logfile
local4.debug            /var/log/ldapd.log

Thanks, Erik
--
Ph: +34.666334818   web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID:  A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2


Unexpected reboots

2005-04-23 Thread Erik Nørgaard
Hi,
I have had problems recently keeping my 5.3 up, then I upgraded to 
5.4-RC2. Things seemed stable, but then I just ran last:

norgaard  ttyp1  charm            Sat 23 Apr 12:05   still logged in
norgaard  ttyp0  charm            Sat 23 Apr 11:57   still logged in
norgaard  ttyp0  charm            Sat 23 Apr 00:39 - 00:57  (00:17)
reboot    ~                       Fri 22 Apr 22:36
reboot    ~                       Fri 22 Apr 21:03
reboot    ~                       Fri 22 Apr 20:59
reboot    ~                       Fri 22 Apr 20:52
reboot    ~                       Fri 22 Apr 20:33
reboot    ~                       Fri 22 Apr 20:30
reboot    ~                       Fri 22 Apr 20:07
reboot    ~                       Fri 22 Apr 19:17
reboot    ~                       Fri 22 Apr 18:00
reboot    ~                       Fri 22 Apr 17:57
reboot    ~                       Fri 22 Apr 17:00
norgaard  ttyp0  xxx.xxx.xxx.xxx  Fri 22 Apr 14:44 - 15:17  (00:32)
reboot    ~                       Fri 22 Apr 14:16
norgaard  ttyp0  xxx.xxx.xxx.xxx  Fri 22 Apr 12:35 - 14:05  (01:30)
reboot    ~                       Fri 22 Apr 12:24
norgaard  ttyp0  xxx.xxx.xxx.xxx  Fri 22 Apr 12:05 - crash  (00:18)
reboot    ~                       Fri 22 Apr 10:56
reboot    ~                       Fri 22 Apr 10:27
reboot    ~                       Fri 22 Apr 10:00
norgaard  ttyp0  xxx.xxx.xxx.xxx  Fri 22 Apr 09:57 - crash  (00:03)
reboot    ~                       Fri 22 Apr 09:55
norgaard  ttyp0  xxx.xxx.xxx.xxx  Fri 22 Apr 09:27 - 09:48  (00:20)
reboot    ~                       Thu 21 Apr 23:09
reboot    ~                       Thu 21 Apr 22:03
reboot    ~                       Thu 21 Apr 18:41
norgaard  ttyp0  xxx.xxx.xxx.xxx  Thu 21 Apr 17:52 - 18:04  (00:12)
reboot    ~                       Thu 21 Apr 17:18
reboot    ~                       Thu 21 Apr 17:11
norgaard  ttyp0  xxx.xxx.xxx.xxx  Thu 21 Apr 16:55 - crash  (00:16)
reboot    ~                       Thu 21 Apr 16:10
norgaard  ttyp0  xxx.xxx.xxx.xxx  Thu 21 Apr 15:38 - crash  (00:32)

I didn't realise the crashes while locked in with ssh, I thought it was 
due to an unstable DSL. But even disregarding crashes, I have no idea 
why all these reboots, there is no hint in /var/log/critical, 
/var/log/kernel, /var/log/console.log, /var/log/auth.log or others.

The only thing I have noticed is a new error message in 
/var/log/messages, happening regularly every 9 minutes:

Apr 22 15:08:14 top postfix/smtpd[874]: warning: TLS library problem: \
874:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown \
protocol:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_srvr.c:585:
However, it does not seem to sync with the reboots, and I think this is 
due to postfix being built on the 5.3.

Any ideas what causes this? Any ideas how I can tune syslog to grab the 
events?

Thanks, Erik
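
The comparison described in the message above (reboot records from last against timestamps in /var/log/messages), as an added example that is not part of the original post. It assumes the year 2005 because neither format prints one, and that a clean shutdown leaves a "shutdown ~" record in wtmp; the function names, the shutdown line and the syslog timestamps are constructed for illustration.

```python
import re
from datetime import datetime
YEAR = 2005  # assumption: neither last(1) nor syslog prints the year

# Session and reboot lines follow the listing in the message; the shutdown
# line and every syslog timestamp are constructed for this example.
LAST_OUTPUT = """\
reboot    ~                       Fri 22 Apr 17:00
shutdown  ~                       Fri 22 Apr 16:58
reboot    ~                       Fri 22 Apr 14:16
norgaard  ttyp0  xxx.xxx.xxx.xxx  Fri 22 Apr 12:35 - 14:05  (01:30)
reboot    ~                       Fri 22 Apr 12:24
norgaard  ttyp0  xxx.xxx.xxx.xxx  Fri 22 Apr 12:05 - crash  (00:18)
"""
SYSLOG = """\
Apr 22 12:13:14 top postfix/smtpd[874]: warning: TLS library problem
Apr 22 14:10:14 top postfix/smtpd[874]: warning: TLS library problem
Apr 22 16:52:14 top postfix/smtpd[874]: warning: TLS library problem
"""

def parse_last(text):
    """Return (user, start, end_marker) tuples, newest first as last prints them."""
    records = []
    for line in text.splitlines():
        m = re.search(r"\w{3} +(\d+) (\w{3}) (\d\d:\d\d)(?: - (\S+))?", line)
        if m:
            when = datetime.strptime(f"{m[1]} {m[2]} {YEAR} {m[3]}", "%d %b %Y %H:%M")
            records.append((line.split()[0], when, m[4]))
    return records

def classify_reboots(records):
    """A boot counts as clean only if the next-older record is a shutdown."""
    verdict = {}
    for (user, when, _), older in zip(records, records[1:] + [None]):
        if user == "reboot":
            verdict[when] = ("unknown" if older is None else
                             "clean" if older[0] == "shutdown" else "unclean")
    return verdict

def last_sign_of_life(records, syslog_text):
    """Per boot: time from the last syslog line of the previous uptime to the boot."""
    stamps = sorted(datetime.strptime(f"{YEAR} {l[:15]}", "%Y %b %d %H:%M:%S")
                    for l in syslog_text.splitlines() if l.strip())
    gaps, prev = {}, datetime.min
    for boot in sorted(w for u, w, _ in records if u == "reboot"):
        alive = [t for t in stamps if prev <= t < boot]
        gaps[boot] = boot - alive[-1] if alive else None
        prev = boot
    return gaps
```

A recurring log line works as a heartbeat here: the gap bounds the window in which the machine went down, and gaps that differ from boot to boot mean the reboots do not follow the warning at a fixed offset.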


Re: high perf kernel

2005-05-06 Thread Erik Nørgaard
On Fri, 6 May 2005, Chris Knipe wrote:

 Can anyone recommend some very useful settings for a high performance
 kernel on 5.4?  There doesn't seem to be a LINT config anymore in CVS, so I
 don't know what all my options are.

AFAIK LINT has been replaced by NOTES, there is a general NOTES in
sys/conf/ and a system specific NOTES in sys/system/conf/.

Cheers, Erik


GnuPG: http://www.locolomo.org/home/norgaard/norgaard.gpg.asc
pub  1024D/11D11F9E 2003-08-15 Erik Norgaard [EMAIL PROTECTED]
 Key fingerprint = C394 81C4 D137 EEE5 39BE  82D5 3E6B FB3E 11D1 1F9E


