7.0-make.conf
Has this been removed or is it still supported?
It does not appear in the man page or examples...

NO_BIND=true

-JD
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: 7.0-make.conf
At 03:03 PM 7/27/2008 +0300, Reko Turja wrote:
> make.conf has been split into two, the actual make.conf which has variables for the make process and generic make environment and src.conf which controls the building of add-on software. Check src.conf for details.
>
> -Reko

so something like this it seems:

WITHOUT_BIND=true
WITHOUT_GAMES=true
WITHOUT_MAILWRAPPER=true
WITHOUT_OPENSSH=true
WITHOUT_SENDMAIL=true

I am not sure of the need for the 'true' or not. it seems it is not required but should work either way?

-JD

Re: how to fight concurrent connection DOS attack to FreeBSD ftpd?
At 10:34 PM 11/24/2007 +0800, Zhang Weiwu wrote:
> Dear all
>
> I run an ftp site which is being attacked by someone who issues some 1000 concurrent connections for downloading as anonymous. How can I fight back?

how about controlling access via pf?

you can limit the number of connections from the SAME IP and/or number of connections from the SAME IP over a given time...

Or just block the IP and be done with it?

We use this method for controlling attacks on SSH port 22 but it could also be used for any type of needed control.

the items of value under pf are:

max-src-conn
max-src-conn-rate
flush
flush global

hth

-JD

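The pf options named in the reply above, shown as an added pf.conf fragment that is not part of the original message: an FTP rule without per-source limits beside one that uses them. The interface name, the table name and the limit values are assumptions chosen for the illustration.

```pf
# Added example; bge0, <ftp_abusers> and the numbers below are assumptions.
ext_if = "bge0"

# Sources that exceed a limit are added here by the "overload" option.
table <ftp_abusers> persist

# Drop everything from sources that have already tripped a limit.
block in quick on $ext_if from <ftp_abusers>

# Before: no per-source limit, so a single address can hold as many
# control connections as ftpd will accept.
# pass in on $ext_if proto tcp to ($ext_if) port 21 flags S/SA keep state

# After:
#   max-src-conn       at most 5 simultaneous established connections per source
#   max-src-conn-rate  at most 10 new connections per 60 seconds per source
#   overload <table>   put an offending source address into the table
#   flush global       kill that source's existing states, including states
#                      created by other rules
pass in on $ext_if proto tcp to ($ext_if) port 21 flags S/SA keep state \
    (max-src-conn 5, max-src-conn-rate 10/60, \
     overload <ftp_abusers> flush global)
```

Entries stay in the table until removed; `pfctl -t ftp_abusers -T show` lists them and `pfctl -t ftp_abusers -T expire 3600` drops entries older than an hour.
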
7.0 BETA1 and cvsup
Can someone tell me the correct tag to follow 7.0 and not 7.0 STABLE?

I am presuming 7.0 has been frozen and I am only interested in following the 7.0-standard (bug fixes only) and not 7.0-stable.

I think this results in 7.0-stable?

*default release=cvs tag=RELENG_7

Thanks in advance..

-JD

Re: 7.0 BETA1 and cvsup
At 04:54 PM 10/31/2007 +0100, Erik Trulsson wrote:
> On Wed, Oct 31, 2007 at 06:38:19AM -0600, JD Bronson wrote:
>> Can someone tell me the correct tag to follow 7.0 and not 7.0 STABLE?
>>
>> I am presuming 7.0 has been frozen and I am only interested in following the 7.0-standard (bug fixes only) and not 7.0-stable.
>>
>> I think this results in 7.0-stable?
>>
>> *default release=cvs tag=RELENG_7
>>
>> Thanks in advance..
>
> The release/security branch for 7.0 has not been created yet. Once it has been it should be tag=RELENG_7_0 but at the moment that will give you nothing.
>
> For the time being you will either have to use RELENG_7 or wait until the release branch has been created.

thanks guys!!

arp on cable modems
Is there any rule in pf to dump this crap?

tcpdump just shows streams of this stuff!!

11:10:06.810287 arp who-has CPE-65-27-48-161.wi.res.rr.com tell CPE-65-27-48-1.wi.res.rr.com
11:10:06.864875 arp who-has CPE-65-27-48-74.wi.res.rr.com tell CPE-65-27-48-1.wi.res.rr.com
11:10:06.931964 arp who-has CPE-72-128-121-89.wi.res.rr.com tell CPE-72-128-112-1.wi.res.rr.com
11:10:06.946955 arp who-has CPE-72-128-112-152.wi.res.rr.com tell CPE-72-128-112-1.wi.res.rr.com
11:10:07.087627 arp who-has CPE-72-128-120-184.wi.res.rr.com tell CPE-72-128-112-1.wi.res.rr.com
11:10:07.110739 arp who-has CPE-72-128-114-39.wi.res.rr.com tell CPE-72-128-112-1.wi.res.rr.com
11:10:07.113737 arp who-has CPE-72-128-127-248.wi.res.rr.com tell CPE-72-128-112-1.wi.res.rr.com
11:10:07.174330 arp who-has CPE-72-128-119-17.wi.res.rr.com tell CPE-72-128-112-1.wi.res.rr.com
11:10:07.222803 arp who-has CPE-72-128-126-131.wi.res.rr.com tell CPE-72-128-112-1.wi.res.rr.com
11:10:07.413698 arp who-has CPE-72-128-125-148.wi.res.rr.com tell CPE-72-128-112-1.wi.res.rr.com

arp/dhcp question
I recently moved my PPPoE onto my 4100 modem. It is capable of passing my public IP into the freebsd box and then when I reboot, since the modem keeps my connection alive I don't change IPs as often...This works very well...but, however, this has caused a new twist:

My modem appears to be at IP 192.168.0.1

My freebsd box has 2 NICs in it:
WAN = DHCP (connected to the 4100 modem)
LAN = 10.0.0.1

When the freebsd box boots, it asks for a DHCP address and the modem hands it a public one...207.227.122.7 for example. This works well...with one exception:

Each so many seconds or so, my dmesg is filled with tons of these:

arplookup: unable to enter address for 192.168.0.1
arplookup: unable to enter address for 192.168.0.1
arplookup: unable to enter address for 192.168.0.1
arplookup: unable to enter address for 192.168.0.1
arplookup: unable to enter address for 192.168.0.1
arplookup: unable to enter address for 192.168.0.1
arplookup: unable to enter address for 192.168.0.1
arplookup: unable to enter address for 192.168.0.1

Now I certainly know why, but can't seem to solve this. If I try to add an alias IP on the WAN NIC (after DHCP) this works but seems to kill off dhclient so once it gets a public IP it never asks/updates again.

I am looking for a solution either in a NIC or route command...

I could tell the modem to hand me a private IP but I would prefer to have the freebsd box use a public.

Help?

-JD

Re: make buildworld fails on 6.2-STABLE
At 08:19 PM 7/27/2007 +1200, Jonathan Chen wrote:
> On Thu, Jul 26, 2007 at 11:12:26AM -0500, J.D. Bronson wrote:
>> so I deleted /usr/src redownloaded from a different mirror and tried make buildworld again...
>>
>> It still failed -but this time at a different point:
>
> Standard behaviour of failing hardware - most likely memory.

yes. I removed/cleaned/replaced the RAM and it built. Not sure if the issue will return or not :)

-JD

Re: pf and keep/modulate state on 6.2
At 01:58 AM 7/26/2007 +0200, Max Laier wrote:
> Well, in RELENG_6 we can't (pf update breaks ABI = no go in a RELENG branch). In HEAD we have 4.1 since a couple of weeks.

thanks Max. I appreciate the response.

Re: pf and keep/modulate state on 6.2
At 08:55 PM 7/25/2007 +0200, Max Laier wrote:
> On Saturday 21 July 2007, Jordan Gordeev wrote:
>> I'm replying to an old and long-forgotten thread to report my recent findings. There's a bug in PF with modulate/synproxy state. Modulate/synproxy state modulate sequence numbers, but don't modulate sequence numbers in TCP SACK options. Some firewalls block TCP segments with sequence numbers in the SACK option pointing outside the window, which causes connection stalls. The bug was fixed in OpenBSD with revision 1.509 of src/sys/net/pf.c about a year and a half ago. The bug is present in FreeBSD-STABLE. A fix for the bug was imported in FreeBSD-CURRENT with the big import of PF from OpenBSD 4.1.
>>
>> I'm CC-ing Max to notify him of the bug present in -STABLE and to ask him to deal with the issue by either porting the fix from OpenBSD, or by documenting that modulate/synproxy state is broken.
>
> Good catch - sorry for the delay. Here is the diff (almost verbatim from OPENBSD_3_8). Please test and report back. I plan to commit this to RELENG_6 in a bit.
>
> --
> Best regards, Max Laier | [EMAIL PROTECTED] | ICQ #67774661

Max - 3.8?

Can't we get a bit closer and more up-to-date as far as staying with pf and openbsd? I know pf changed - especially for OBSD 4.1 and it would be nice to be CLOSER than 3.8 ?

-JD

Re: pf and keep/modulate state on 6.2
thanks for the update on this. I had forgot about it since I just stopped using modulate state (is it really needed anymore?).

Then, the beginning of this month I moved my firewall/router back over to OpenBSD 4.1 to stay more current with pf instead of running -CURRENT within FreeBSD.

This fix really should be incorporated into 6.2-STABLE or even 6.2-STANDARD I think. I wonder how many people use this and don't even know it's messed up?

-JD

At 02:14 PM 7/21/2007 +0300, Jordan Gordeev wrote:
> J.D. Bronson wrote:
>> At 02:52 AM 02/26/2007, you wrote:
>>> Wow, this fixed my FTP-over-DSL-to-6.2 problem too. With modulate state, I was getting ~30K/sec. With just keep state, I'm now getting more like what my connection is capable of. This is between two 6.2 hosts on opposite sides of the Atlantic.
>>>
>>> Ted, I use pf because I like the format of the configuration file, I like the logging and pftop, and like how it's harder to lock yourself out of a remote machine by accident :)
>>>
>>> /JMS
>>
>> I use pf since it's newer (I think?) and I came from openbsd..pf just works and the config file is nice and sweet.
>>
>> I had thought that modulate state would put a load on my proc, but sheesh, it's a p4-3.06 - that's more than robust for a router.
>>
>> I wonder if we should file a bug on this? I am glad my post helped here. I still use modulate state for any INCOMING connections though (www/smtp/etc).
>
> I'm replying to an old and long-forgotten thread to report my recent findings. There's a bug in PF with modulate/synproxy state. Modulate/synproxy state modulate sequence numbers, but don't modulate sequence numbers in TCP SACK options. Some firewalls block TCP segments with sequence numbers in the SACK option pointing outside the window, which causes connection stalls. The bug was fixed in OpenBSD with revision 1.509 of src/sys/net/pf.c about a year and a half ago. The bug is present in FreeBSD-STABLE. A fix for the bug was imported in FreeBSD-CURRENT with the big import of PF from OpenBSD 4.1.
>
> I'm CC-ing Max to notify him of the bug present in -STABLE and to ask him to deal with the issue by either porting the fix from OpenBSD, or by documenting that modulate/synproxy state is broken.

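The SACK problem described in this thread, as an added Python illustration that is not part of the original messages and is not pf's own code: a firewall that shifts a host's sequence numbers by an offset must shift the SACK edges in returning segments back by the same offset, otherwise they point outside the host's send window. The offset, window bounds, sample option bytes and function names are constructed for the example.

```python
import struct

TCPOPT_EOL, TCPOPT_NOP, TCPOPT_SACK = 0, 1, 5
MASK32 = 0xFFFFFFFF


def walk_options(options):
    """Yield (kind, offset, length) for each TCP option; stop on malformed data."""
    i = 0
    while i < len(options) and options[i] != TCPOPT_EOL:
        if options[i] == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            return                      # truncated option header
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return                      # bad length field
        yield options[i], i, length
        i += length


def sack_blocks(options):
    """Return the (left, right) edges of every SACK block in the options."""
    blocks = []
    for kind, off, length in walk_options(options):
        if kind == TCPOPT_SACK and (length - 2) % 8 == 0:
            for p in range(off + 2, off + length, 8):
                blocks.append(struct.unpack_from("!II", options, p))
    return blocks


def demodulate_sack(options, seqdiff):
    """Shift every SACK edge back by seqdiff (mod 2**32), the missing step."""
    out = bytearray(options)
    for kind, off, length in walk_options(options):
        if kind == TCPOPT_SACK and (length - 2) % 8 == 0:
            for p in range(off + 2, off + length, 4):
                (edge,) = struct.unpack_from("!I", out, p)
                struct.pack_into("!I", out, p, (edge - seqdiff) & MASK32)
    return bytes(out)


def in_window(block, snd_una, snd_max):
    """True if both edges lie in [snd_una, snd_max], with 32-bit wraparound."""
    span = (snd_max - snd_una) & MASK32
    return all(((e - snd_una) & MASK32) <= span for e in block)


# Constructed scenario: the inner host sent bytes 1000..4000 and the segment
# 1000..2000 was lost, so the peer SACKs 2000..4000 in the modulated space.
SEQDIFF = 0xF0000000                    # constructed modulation offset
SND_UNA, SND_MAX = 1000, 4000           # inner host's own send window
peer_opts = bytes([1, 1, 5, 10]) + struct.pack(
    "!II", (2000 + SEQDIFF) & MASK32, (4000 + SEQDIFF) & MASK32)

unfixed = sack_blocks(peer_opts)[0]                          # edges left as-is
fixed = sack_blocks(demodulate_sack(peer_opts, SEQDIFF))[0]  # edges rewritten
print("unfixed", unfixed, "in window:", in_window(unfixed, SND_UNA, SND_MAX))
print("fixed  ", fixed, "in window:", in_window(fixed, SND_UNA, SND_MAX))
```
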
Re: pf and keep/modulate state on 6.2
At 02:08 PM 7/21/2007 +0100, RW wrote:
> On Sat, 21 Jul 2007 07:29:53 -0500 JD Bronson [EMAIL PROTECTED] wrote:
>> thanks for the update on this. I had forgot about it since I just stopped using modulate state (is it really needed anymore?).
>>
>> Then, the beginning of this month I moved my firewall/router back over to OpenBSD 4.1 to stay more current with pf instead of running -CURRENT within FreeBSD.
>>
>> This fix really should be incorporated into 6.2-STABLE or even 6.2-STANDARD I think. I wonder how many people use this and don't even know it's messed up?
>
> I think it depends what percentage of people see connections actually petering-out to nothing, like I did, rather than just slowing down.
>
> What I'm wondering is how many more serious bugs have been fixed in OpenBSD, but not ported. As well as modulate state, I also stopped using hfsc because ping-times sometimes just seem to jump-up to several seconds and stay there.

I never understood why Freebsd can't keep up to date with openbsd at least in regards to pf... that's the #1 reason I don't use freebsd as a firewall anymore.

If they kept up to date, freebsd would rock. I always get much better performance than with openbsd..but with openbsd, I get stability and current versions of pf and the features therein, that I am after.

Netbsd is MUCH worse...I tried to use some pf commands and got errors only to find out that these features are not in the pf that ships with 3.0.1 netbsd. I was very surprised...gee, how the heck OLD is pf in Netbsd 3.0.1 ?!!?

Maybe whoever supports/ports pf into freebsd will read this and either respond with reasons as to why freebsd can't be closer in sync with pf from openbsd or at least update it more often.

-JD

device polling on 6.2-stable..use? yes/no?
Anyone using device polling on 6.2stable (i386) ?

I have been reading up on this and seen some good and some bad but nothing definitive.

I have bge NICs in these machines and they are running as routers, and running pf.

When I enabled it in the kernel and then via rc.conf (since sysctl use is deprecated now) ...I can see a difference in vmstat -i presuming that's the correct way to check.

With polling DISABLED...vmstat shows ever increasing values for example:

vmstat -i
interrupt                          total       rate
irq4: sio0                             3          0
irq6: fdc0                            10          0
irq14: ata0                        12210          0
irq15: ata1                        78834          2
irq22: bge0                       430416         11
irq23: bge1                       917826         24
cpu0: timer                     75098549       2000
cpu1: timer                     75092636       1999
Total                          151630484       4038

and when I do a large network operation (like ftp an ISO) it increases and increases... however, with device polling compiled and configured (all default values though in sysctl) - I do not see an increase in vmstat numbers for the nics...I figured that's good...but I might be wrong?

I don't do anything higher than WAN(10MB) and LAN(100MB).

But if anyone has any suggestions or comments -especially values to adjust in sysctl, please chime in.

TIA

-JD

Re: questions about floppy disk
At 07:21 PM 6/24/2007 +0200, Olivier Regnier wrote:
> I have two questions about floppy disk with FreeBSD.
>
> How add a UFS filesystem to use the diskette for transferring files ? I think with this command but I'm not sure because, I can't check for the moment.
> # newfs /dev/fd0
>
> To mount a floppy disk with ufs filesystem, I must use this command ?
> # mount /dev/fd0 /mnt/floppy
>
> Thank you for your help
> Bye bye, Olivier Regnier

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/floppies.html

-JD

Re: SMP System but only CPU#0 being used?
At 09:41 AM 6/3/2007 +1000, Alex R wrote:
> Hi All,
>
> Just wondering about something here. First of all, I am running FreeBSD 6.2-STABLE and the CPU stats (parts of dmesg)
>
> CPU: Intel(R) Pentium(R) 4 CPU 3.00GHz (2992.52-MHz 686-class CPU)
>   Origin = GenuineIntel Id = 0xf49 Stepping = 9
>   Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE>
>   Features2=0x641d<SSE3,RSVD2,MON,DS_CPL,CNTX-ID,CX16,b14>
>   AMD Features=0x2010<NX,LM>
>   AMD Features2=0x1<LAHF>
>   Logical CPUs per core: 2
> real memory = 1065287680 (1015 MB)
> avail memory = 1033314304 (985 MB)
> ACPI APIC Table: GBTAWRDACPI
> FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
>  cpu0 (BSP): APIC ID: 0
>  cpu1 (AP): APIC ID: 1
> SMP: AP CPU #1 Launched!
>
> Now some processes:

If this is HTT (seems to be) and not 'real' dual processors I just answered this last week?

Check /etc/sysctl.conf for this:

machdep.hyperthreading_allowed=1

-JD

Re: Hyperthreading Issues
At 12:19 PM 5/19/2007 -0400, Dantavious wrote:
> Hi. It seems to me (From the limited knowledge that I have!) that my machine is not hyperthreading. I have done the following.

maybe /etc/sysctl.conf:

machdep.hyperthreading_allowed=1

?

-JD

pppoe (userland PPP) and nat 'loopback'
Can this be configured?

What I need is a way to go from one LAN machine to the WAN and loopback to the other LAN machine.

LAN-WAN-LAN

simple pf.conf:

binat on $bge1 from 192.168.82.170 to any -> 67.x.x.1
binat on $bge1 from 192.168.82.171 to any -> 67.x.x.2
binat on $bge1 from 192.168.82.172 to any -> 67.x.x.3
binat on $bge1 from 192.168.82.173 to any -> 67.x.x.4

and so on.

I need to use 192.168.82.172 to go and connect to public 67.x.x.2 then loop back to 67.x.x.1

Why do I need this? - I run 2 external DNS servers (with views) and as such NS2 needs to talk to NS1 but using the WAN NAT loopbacks.

thanks in advance for any tips.

-JD

ppp.conf + resolv.conf
I am using 6.2 as a DSL (PPPoE) router and also run my own internal DNS on the same machine.

I would like to APPEND my ISP's dished out DNS servers to my current resolv.conf but anytime I enable dns in my ppp.conf it nukes my entire resolv.conf!

I am looking to end up with this:

% cat /etc/resolv.conf
domain mydomain
nameserver 192.168.1.1
nameserver ISP's DNS
nameserver ISP's DNS

How do I do this and still retain my own entries in resolv.conf?

If I was using DHCPclient, I could edit dhclient.conf of course but PPPoE does not consult this file during negotiation that I am aware of.

Any comments will be appreciated...

-JD

RE: ppp.conf + resolv.conf
At 01:12 PM 5/6/2007 -0400, Bob wrote:
> Be sure you have this statement in your ppp.conf
>
> enable dns    # Gets the ISP's DNS IP address places them
>               # in resolv.conf for reference by FBSD.

But this overwrites my resolv.conf doesn't it? that's what I am trying to avoid

-JD

using freebsd for a router
I don't want to start a flame/war here...but was *just* wondering...

I currently use OpenBSD-3.8 for my router (T-1 with many statics) and then use FreeBSD-6.0 for my servers (web/mail/DNS...)

I am debating on just standardizing to all FreeBSD. It seems the security is quite the same - but I don't know about performance pros/cons.

It seems that the 'pf' that comes with FreeBSD 6.0 is equal to that within OBSD 3.8.

So all things considered - is there any advantage to using FreeBSD for a router or just keeping things the way they are?

Thanks for any comments or flames (I suppose).

-JD

Re: using freebsd for a router
At 09:01 AM 11/24/2005, Nathan Vidican wrote:
> Not to start any flames of my own, know one can do a custom install and have the same result with FreeBSD - just pointing out the 'simple' default install does enable things you'll probably want to disable if just using the machine as a router and/or packet filter/firewall.

Thanks for the comments.

Yes, I always disable anything not absolutely needed on a router. Also, there are no other accounts on the machine but mine and root. :-)

-JD

pflog summary script?
Does anyone have a simple shell/perl script that can take /var/log/pflog and parse it into a simple txt or html?

I would like to cron a script that can clean up the output of pflog and put it into something more readable...

Basically something that looks like:

Time - SourceIP - Destination Port

or a count of these as well.

Thanks!

-JD