Re: Need to ( re-chown /etc )

2008-09-30 Thread Jon Radel
Mike Price wrote:
> I needed to edit the /etc/pf.conf so I accidentally typed: chown -r /etc
> Can someone please help me with a command to change /etc back to the way it
> was?

Did Kevin Kinsey's suggestion not work?  It would be helpful if you gave
some hint as to why you're asking this again.

However, you should realize that you destroy information when you change
all the ownership information to a uniform value.  You need to:

1)  Know what the value for each file was so you can set it back, or
2)  Use your backups, or
3)  Check what the standard files are set to in the distribution (as
Kevin suggested), or
4)  Know that most, but not all, files in /etc are user root and group
wheel, use those values, and hope for the best.

In other words, there really isn't "a command" to fix the damage you've
done.

However, as I'm sure you realize by now, recursively destroying
information in or about system files tends to be a bad idea.  As is, as
a general rule, using chown as a privileged user just so that you can
edit a file such as this as an unprivileged user.

--Jon Radel
[EMAIL PROTECTED]


smime.p7s
Description: S/MIME Cryptographic Signature
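Added example (editor's, not from the thread): option 3 above, done with a manifest. On a known-good host running the same release (or from a restored backup) record who owns every path under /etc, then replay that ownership onto the damaged tree. The manifest format, the function names and the paths are this example's own conventions; nothing here is FreeBSD's own tooling.

```shell
# Rebuild per-file ownership of a tree flattened by "chown -R", from a
# manifest made on a known-good host of the same release.

owner_of() {
    # "user:group" of one path; fields 3 and 4 of ls -ld are the same on
    # FreeBSD and GNU userland, unlike stat(1) format strings
    set -- $(ls -ld "$1")
    printf '%s:%s\n' "$3" "$4"
}

make_manifest() {
    # On the good host:  make_manifest /etc > etc.manifest
    # One line per path: "<user>:<group> <path relative to the tree>"
    (cd "$1" && find . -print | while IFS= read -r p; do
        printf '%s %s\n' "$(owner_of "$p")" "$p"
    done)
}

apply_manifest() {
    # On the damaged host:  apply_manifest etc.manifest /etc        (prints the chown commands)
    #                       apply_manifest etc.manifest /etc apply  (runs them, as root)
    manifest=$1; target=$2; mode=${3:-dryrun}
    while read -r want rel; do
        dst="$target/$rel"
        # entries the damaged tree does not have are reported on stderr, never created
        [ -e "$dst" ] || [ -L "$dst" ] || { echo "# not present: $rel" >&2; continue; }
        have=$(owner_of "$dst")
        [ "$want" = "$have" ] && continue
        if [ "$mode" = apply ]; then
            chown -h "$want" "$dst"        # -h: fix the symlink itself, not what it points to
        else
            printf 'chown -h %s %s\n' "$want" "$dst"
        fi
    done < "$manifest"
}
```

Review the dry-run output before running with "apply"; a manifest from a different release will list files you do not have and may miss ones you do. Only ownership is handled here, not modes or flags. The base system's mtree(8) can do the same job in one step if you have a good host to generate the spec on: `mtree -c -k uname,gname,mode -p /etc > etc.spec` there, `mtree -U -f etc.spec -p /etc` on the damaged box.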


Re: uptime 2 years!

2008-10-09 Thread Jon Radel


Chad Marshall wrote:


Here's what I said to the last guy who says my skin is thin, just leave 
well enough alone and drop it please. Seems your skin is thin as well if 
you can't handle a little back talk :)


Well, I can always accept criticism. The problem is that I don't need rude 
responses for something I thought would be something to share for your 
organization, a success story of FreeBSD. Only for people to call me 
lazy and say "Big Deal". If it's not a big deal, then say nothing.  
Maybe you should put someone in charge of answering emails who isn't 
cocky and smug; some responses were nice and at least supportive.


I still believe in FreeBSD and it's a great OS. It's the nix I started 
and learned with, but I think your community is full of conceited, 
pompous asses,  the reason I don't like to associate with IT people. I'd 
rather not give money to someone who has to insult me. If you go to a 
restaurant and you get a rude waiter, what do you do? I don't go back or 
give them a crap tip.


I get better tact out of forums where I'm asking for help on coding 
challenges than just simply offering a testimonial.




Dear Mr. Marshall:

I'm terribly sorry that our representatives in charge of answering 
emails have been rude to you.  I've just fired the lot of them, 
particularly as we can't afford to keep them on anymore seeing as how 
your generous donations are now in jeopardy.


Moving forward I certainly hope that you evaluate your operating systems 
based on their technical merits and overall ROI, where I believe you 
will find that FreeBSD stands out, as it has for years, as a hard 
working operating system to support your Internet requirements at low cost.


I will ask, however, that in the future you constrain your e-mail to 
freebsd-questions to either questions or answers to them, so as to not 
inflame our more excitable representatives once we hire a new, much 
reduced, batch of them.


Thanks.

--Jon Radel
Who will now resign in shame
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: Locked out of Root

2008-10-22 Thread Jon Radel
Benjamin Lee wrote:
> On 10/22/08 19:55, APseudoUtopia wrote:
>> Hey,
>>
>> I have one user (other than root and the other system users) on my
>> box, and that user is _NOT_ in the wheel group. I also have root
>> logins disabled via SSH. This is a remote server and all I have is SSH
>> access.
>>
>> Is there any way that I can gain root? I know the root password and
>> everything, but I just can't get to it. The user is not in the wheel
>> group, and root login is disabled in SSH.
>>
>> Thanks for any help/advice.
> 
> Login as the unprivileged user and run:
> 
> $ su
> 
> See su(1).
> 
> 

Noting with care the following paragraph:

PAM is used to set the policy su(1) will use.  In particular, by default
only users in the ``wheel'' group can switch to UID 0 (``root'').  This
group requirement may be changed by modifying the ``pam_group'' section
of /etc/pam.d/su.  See pam_group(8) for details on how to modify this
setting.

which may well be why the OP keeps stressing that his unprivileged user
is not in the wheel group.  ;-)

--Jon Radel
[EMAIL PROTECTED]




Re: man -t odd page size

2008-10-23 Thread Jon Radel
Bob McConnell wrote:
> On Behalf Of Al Plant
>> Valentin Bud wrote:
>>> hello,
>>> what do you know about this site: http://www.metricamerica.com/.
>>> i don't remember where i have read that America is going to apply the
> SI
>>> (ess eye)
>>> unit system.
>>> so things are going to change maybe even the A4 papersize.
>>>
> 
>> The Metric System has been a legal measure in the United States since 
>> the 1860's.
>>
>> There is nothing to stop anybody legally from using it.
> 
> However, there is one problem. When I go into Staples, Office Depot or
> Sam's, they only have letter sized paper. I have yet to see a single box
> of A4 or any other ISO size. Sure, my printers can handle A4, but where
> can I buy a couple reams of it?
> 
> Bob McConnell
> Ithaca, NY

Locally, probably nowhere.  But try

www.staples.com

where there's currently one type of paper available by the ream or case.
 Of course, it costs more and then you'll need to get A4 binders,
slightly longer file folders, a new file cabinet, ...

It's not easy switching.

--Jon Radel





Re: way to check an email without sending it??

2009-10-05 Thread Jon Radel

Gary Kline wrote:


Hey Guys,
  Seen as a sexist assumption by some, but some 
consider gals to be guys.


Is there a way I can tell that an email address, say

	j...@foo.com 


is still valid without joe knowing that I am curious?  --And,
yes, this isn't a FBSD-specific question... .


Depends heavily on how foo.com does things.  Used to be, and still is 
some places, easy to tell by doing a raw SMTP connection and seeing what 
the receiving server did when you provided the destination address. 
That makes it real easy to harvest addresses by brute force, so these 
days many servers don't give you a hint unless you actually send some 
mail.  Some don't even give you a hint then, simply black holing the 
mail if the address is incorrect.


--

--Jon Radel
j...@radel.com


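Added example (editor's, not from the thread): the "raw SMTP connection" probe described above, written out. The client stops after RCPT TO and sends RSET/QUIT instead of DATA, so nothing is delivered, but the probe does appear in the receiving server's logs. The host names and addresses are placeholders, and the transcript in the test is constructed; only the reply-code interpretation is exercised offline.

```shell
# Probe an address via RCPT TO without sending mail, and interpret the reply.

classify_rcpt() {
    # $1 is the server's reply to RCPT TO, e.g. "550 5.1.1 User unknown"
    case "$1" in
        2[0-9][0-9]*) echo accepted ;;   # exists, or the server accepts anything (catch-all)
        55[0-9]*)     echo rejected ;;   # no such mailbox, or a policy rejection
        4[0-9][0-9]*) echo tempfail ;;   # greylisting / try later: no information either way
        *)            echo unknown ;;
    esac
}

rcpt_reply_from_transcript() {
    # $1: whole session text.  Keep only reply-terminating lines (code then a
    # space, not a hyphen), which leaves one line per step: banner, EHLO,
    # MAIL FROM, RCPT TO, ...  The fourth is the RCPT TO reply.
    printf '%s\n' "$1" | grep -E '^[0-9]{3}( |$)' | sed -n '4p'
}

smtp_probe() {
    # usage: smtp_probe mx.example.com joe@example.com [helo-name]
    # Commands are written up front (pipelined); a server that insists on
    # strict lock-step will complain, in which case talk to it with telnet by hand.
    mx=$1; rcpt=$2; helo=${3:-probe.invalid}
    reply=$(printf 'EHLO %s\r\nMAIL FROM:<>\r\nRCPT TO:<%s>\r\nRSET\r\nQUIT\r\n' "$helo" "$rcpt" \
        | nc -w 10 "$mx" 25 | tr -d '\r')
    line=$(rcpt_reply_from_transcript "$reply")
    printf '%s: %s  [%s]\n' "$rcpt" "$(classify_rcpt "$line")" "$line"
}
```

Read "accepted" with the caveat from the reply above: a server that accepts everything at RCPT time and bounces or discards later tells you nothing, and that is precisely why many are configured that way. This is the same exchange address-harvesting tools run in bulk, which is worth remembering when tuning your own MTA.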


Re: / almost out of space just after installation

2009-10-09 Thread Jon Radel

Randi Harper wrote:


I was thinking that a more acceptable default layout (leaving swap at its
current default size) would be:

/ = 1GB
/var = 2GB
/tmp = 2GB

One thing to remember is that these are just suggested defaults. Most
experienced users are going to use a custom layout when setting up a new
server, so the goal here is to have partition sizes that work for everyone
else. Although FreeBSD does work on older hardware, I'd guess that most of
the hardware it is being installed on now is less than 10 years old. The
defaults we currently have in place are outdated. They are targeted more for
older systems, perhaps because sysinstall hasn't been touched in quite a
while.

I'm looking for community input on this, so feel free to pipe up with your
$.02.


I believe it's been years since I didn't bump up the sizes on an 
install, otherwise I just end up with all this space where it's least 
likely to save me from a filled disk in the future.  While I am actually 
running some hardware that is over 10 years old with FreeBSD, quite 
happily, every single hard drive involved has been replaced due to 
failure or as a preventative measure.


You just can't get general purpose disks that small anymore... I'd think 
that assuming everyone had at least 10 GB disks at this point would be 
reasonable.


I'm all for increased defaults.

--

--Jon Radel
j...@radel.com




Re: using own ntp server

2009-10-11 Thread Jon Radel

kenneth hatteland wrote:


If I have understood ntp right it is possible to hook up my machines to 
the machine running the ntp server. Nevertheless I am not able to find 
anywhere helping me with configuring these machines to connect to my 
server and I am still not bright enough to figure out the syntax myself. 
Does anyone know about a web page or anything that my Googling has 
missed? Or perhaps I have failed to grasp ntp correctly, and all 
machines must be configured like the handbook says to connect to 
external machines?


Leaving aside two areas which could cover a multitude of complications 
should you pursue them, namely


1)  You start setting various security settings and make your ntp server 
effectively unreachable, or


2)  the ability of your local server to multicast time data,

your local ntp server should look like any other ntp server to which you 
have access (other than for less latency and jitter should your network 
be "normal").


Put

server IP_OR_FQDN_OF_LOCAL_NTP_SERVER_HERE

in the ntp.conf of your client machines and see what happens.  The 
"peers" query from the ntpq program should let you know if you have 
success or have somehow locked yourself out / blocked access.


Feel free to give us specifics of what you're doing if this doesn't work.

BTW, the above assumes that you mean setting up your various local 
machines to all use ntpd, but not all query outside machines.  If this 
isn't it, you're going to have to tell us what you mean by "hook up my 
machines to the machine running the ntp server."


--

--Jon Radel
j...@radel.com




Re: NTP Client synchronization with a Windows 2003/2008

2009-10-13 Thread Jon Radel

Jacques Henry wrote:

Hello,

I am using a System based on FreeBSD 6.3.
On this System an automatically generated ntpd.conf file is generated in
order to synchronize the System clock with a NTP Server. I want to use a
Windows 2003 or 2008 Server to act as the NTP Server. On the Windows System
the NTP Server (Windows Time Service) is *correctly* running. The thing is
that even if there is NTP traffic between the client and the Server (NTP
Client and Server IP packets), my FreeBSD is not synchronizing at all:

freebsd-client>ntpq -p 127.0.0.1
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 NTP_server       192.168.10.6     2 u  103 1024    1    1.037  -587367   0.002


As you can see the offset is huge and never decreases as in a normal way...

My ntpd.conf file looks like:
---
# File is automatically generated
# Do not edit
tinker panic 1
tinker step  1


My man page for ntp.conf clearly states in regards to the tinker command:

The default values of these variables have been carefully optimized for 
a wide range of network speeds and reliability expectations.  In 
general, they interact in intricate ways that are hard to predict and 
some combinations can result in some very nasty behavior.

Very rarely is it necessary to change the default values; but, some
folks cannot resist twisting the knobs anyway and this command is for
them.  Emphasis added: twisters are on their own and can expect no help
from the support group.

so the very first thing you might want to try is to comment out the 
tinker commands, in particular the panic one. I'm not sure that after 
you set the panic threshold to 1 second you should expect your ntpd to 
pay any attention to servers with an offset of 587 seconds. If that 
fails, consider setting


ntpdate_enable="YES"
ntpdate_hosts="NTP_server"

in your /etc/rc.conf and simply stepping to the correct time at boot time.

In short, I don't think this has anything with a Windows server being 
involved, and everything to do with starting off almost 10 minutes off 
and a config file that says to never make a step correction larger than 
1 second and to panic if you see an offset of over 1 second.


--

--Jon Radel
j...@radel.com


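Added example (editor's, not from either ntp thread): the two things these replies ask for, a minimal client ntp.conf pointed at one local server, and a reading of "ntpq -p" output that turns the offset column (milliseconds) into seconds and compares it with the panic threshold. ntpd's stock panic threshold is 1000 s and the "tinker panic 1" line in the quoted config lowers it to 1 s, which is what the reply above is getting at. The restrict lines are the usual ones for a client that should answer nobody; the server address and the ntpq sample in the test are made up.

```shell
# Client ntp.conf generator plus an ntpq -pn reader for checking sync state.

ntp_client_conf() {
    # usage: ntp_client_conf 192.0.2.10 > /etc/ntp.conf
    # 127.0.0.1 stays unrestricted so a local "ntpq -p" keeps working; the
    # default line stops other hosts from querying or reconfiguring this ntpd.
    cat <<EOF
server $1 iburst
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
driftfile /var/db/ntpd.drift
EOF
}

ntp_check() {
    # $1: text of "ntpq -pn" (numeric, so column 1 is an address and the
    #     tally character in front of it is unambiguous)
    # $2: panic threshold in seconds; ntpd's default is 1000
    panic=${2:-1000}
    printf '%s\n' "$1" | awk -v panic="$panic" '
        NF == 10 && $3 ~ /^[0-9]+$/ {
            tally = substr($1, 1, 1); remote = $1
            if (tally ~ /^[*+#x.o-]$/) remote = substr($1, 2); else tally = " "
            off_s = $9 / 1000.0                     # ntpq prints offset in milliseconds
            abs = off_s < 0 ? -off_s : off_s
            state = (tally == "*") ? "syspeer" : (($7 == 0) ? "unreachable" : "reachable")
            verdict = (abs > panic) ? "over-panic" : "ok"
            printf "%s reach=%s offset_s=%.3f %s %s\n", remote, $7, off_s, state, verdict
        }'
}
```

"reachable" with a large offset and no "*" is the state in the quoted output: packets flow, but ntpd will not adopt a peer that far off, and with a 1 s panic threshold it exits instead. Step once with ntpdate (or ntpd -g) and let the normal thresholds do their job; do not lower them.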


Re: NTP Client synchronization with a Windows 2003/2008

2009-10-13 Thread Jon Radel

Jacques Henry wrote:


I commented the commands involved and nothing changed... (with only 10
minutes of time difference)


The 19 minutes between when I sent my suggestions and you responded is 
hardly enough time to see if ntpd was slewing the time.  Slewing 587 
seconds takes days.





I even tried to "force" the sync:

U450XA0A0800650>nstop ntp
U450XA0A0800650>ntpd -x -n -q -c /var/ntp.conf
U450XA0A0800650>nstart ntp



Are you sure that -x in there, telling ntpd to not step unless the 
offset is over 600 sec, doesn't override what you're trying to do with 
the -q?  How about you try simply:


ntpdate the_windows_server

and see what that does?  After that look in /var/log/messages.


 In fact I am still quite convinced that the MS implementation isn't totally
compliant with the client...


Could be, but ntpq was showing that your ntpd was accepting time data 
from the Windows server at least on some level.


--

--Jon Radel
j...@radel.com




Re: I hate to bitch but bitch I must

2009-10-18 Thread Jon Radel

PJ wrote:



It's worthless to read your entire comment here as everyone is
forgetting two things, here...
1. COMMON SENSE
2. NOT EVERYONE WHO READS MANUALS OR MAN PAGES IS NECESSARILY LIMITED TO
THE NARROW MINDBEND OF THE "INITIATED".


There are those who think those who bitch because they've not taken the 
time to understand "terms of art" (to borrow language from yet another 
of the many, many sub-varieties of English) that have been widely used 
in the community for decades, and seem to feel that their resulting 
confusion is obviously somebody else's fault and duty to fix, lack 
sense, common or otherwise.  On this, I suspect we'll just have to 
disagree.  (Though I will point out that in the above passage you've 
just told us that you admit to having forgotten common sense. 
Ordinarily I wouldn't stoop this low, but you've just spent much time 
telling us how much clearer, better, and comprehensible your brand of 
English is.)


Personally, I welcomed Ian's comments, as I believe he was the first to 
point out explicitly that language such as this is contextual, 
long-standing in the community in which it is used, and really not that 
confusing once you pay attention.  (My apologies to anyone else who 
discussed this earlier; I found it difficult to read every message in 
this thread.)


BTW, it's hard for me, personally, to take seriously anyone who quotes 
in full, with no trimming, something which he dismisses as "worthless to 
read."


--

--Jon Radel
j...@radel.com




Re: no sshd on new server...

2009-11-15 Thread Jon Radel

Polytropon wrote:

On Sun, 15 Nov 2009 15:49:33 -0800, Gary Kline  wrote:

ok, i have my new server-to-be underway but having problems exec'ing
/usr/sbin/sshd.  i can ssh out to existing computers, but cannot ssh
or scp stuff in.  so my question is:  how do i create
/etc/ssh/ssh_host_dsa_key ?  checking around does no good.


Maybe I remember incorrectly, but doesn't sshd create this file
on its first startup?

Do you have

sshd_enable="YES"

in /etc/rc.conf? Is sshd running, or do you get error messages
regarding the host DSA key file?






This is version specific.  If you're really old fashioned (v4, for 
example ;-), you can look in /etc/rc.network for a cookbook:


case ${sshd_enable} in
[Yy][Ee][Ss])
if [ -x /usr/bin/ssh-keygen ]; then
if [ ! -f /etc/ssh/ssh_host_key ]; then
echo ' creating ssh1 RSA host key';
/usr/bin/ssh-keygen -t rsa1 -N "" \
-f /etc/ssh/ssh_host_key
fi
if [ ! -f /etc/ssh/ssh_host_rsa_key ]; then
echo ' creating ssh2 RSA host key';
/usr/bin/ssh-keygen -t rsa -N "" \
-f /etc/ssh/ssh_host_rsa_key
fi
if [ ! -f /etc/ssh/ssh_host_dsa_key ]; then
echo ' creating ssh2 DSA host key';
/usr/bin/ssh-keygen -t dsa -N "" \
-f /etc/ssh/ssh_host_dsa_key
fi
fi
;;
esac

or just reboot after setting sshd_enable="YES".  In newer versions, 
"/etc/rc.d/sshd start" checks if the files exist and creates any of the 
3 which don't, or you can force this check and creation with 
"/etc/rc.d/sshd keygen".  In all cases that I know of, it's just the 
ssh-keygen program being run on your behalf.



--

--Jon Radel
j...@radel.com


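Added example (editor's, not from the thread): the same idempotent "create what is missing" logic as the rc.network excerpt above, for the key types a current OpenSSH actually uses (DSA host keys have been refused by default since OpenSSH 7.0), plus the step that matters for security afterwards: printing the host key fingerprints so that the first ssh into the new server can be checked against something other than a shrug. The directory argument exists so it can be tried on a scratch directory; nothing here is the rc.d script.

```shell
# Generate missing sshd host keys and list their fingerprints.

gen_host_keys() {
    # usage: gen_host_keys [/etc/ssh]; existing keys are left alone
    dir=${1:-/etc/ssh}
    for t in ed25519 rsa; do
        f="$dir/ssh_host_${t}_key"
        [ -f "$f" ] && continue
        ssh-keygen -q -t "$t" -N "" -f "$f" >/dev/null
    done
}

host_key_fingerprints() {
    # usage: host_key_fingerprints [/etc/ssh]
    # Record this output out of band; compare it with what ssh shows on the
    # first connection before answering "yes" to the host key prompt.
    for pub in "${1:-/etc/ssh}"/ssh_host_*_key.pub; do
        [ -f "$pub" ] && ssh-keygen -lf "$pub"
    done
}
```

On a current FreeBSD "/etc/rc.d/sshd keygen" does the first function for you, so the second is the part to add to your build notes.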


Re: is this getting out?

2009-12-17 Thread Jon Radel


Gary Kline wrote:


aristotle is offline; i'm exclusively on my new server.  will somebody please 
do a dig thought.org and see if they see what i see?

hope i get this.





1)  If you don't share what you see, nobody can compare,

2)  Various people have pointed out various problems already, however, 
I'll reference you to the detailed analysis of your DNS problems that 
Giorgos Keramidas provided to you on 12/12 at 22:29 UTC.  thought.org 
still has at least 7 name servers referenced somewhere; some of them 
have an MX record pointing at ethic, some have an MX record pointing at 
aristotle.


Until you fix *all* the problems that have been documented in great 
detail, you will continue to have problems like this.  For example, it 
appears that you've reduced the servers recorded with your registrar 
down to 2, but ns1.thought.org still returns this list of NS records:


thought.org.38400   IN  NS  b.ns.celestial.com.
thought.org.38400   IN  NS  c.ns.celestial.com.
thought.org.38400   IN  NS  d.ns.celestial.com.
thought.org.38400   IN  NS  ns1.thought.org.
thought.org.38400   IN  NS  ns1.localhostservices.net.
thought.org.38400   IN  NS  ns2.secondary.com.
thought.org.38400   IN  NS  a.ns.celestial.com.


Fix your DNS!

--Jon Radel



Re: Source of closed port RST responses

2009-12-20 Thread Jon Radel

DAve wrote:

I am routinely seeing these entries in one of my servers logs.

Limiting closed port RST response from 373 to 200 packets/sec

The server sits behind a PIX firewall, so I am suspicious of what is
trying to connect to a closed port. I don't see in any other logs what
port is being hit, or what IP is causing these log entries.

Any way to tell what the source IP of these is?

Thanks,

DAve


Easiest way, probably without any "observer effect," would be to mirror 
the switch port your server is plugged into and use a computer running 
wireshark, or equivalent, to look at the mirrored traffic.


Unless, of course, your switch doesn't support port mirroring, you don't 
have a spare computer running wireshark, etc., etc.  It's obviously hard 
to tell what resources you have available to you.


You can also install wireshark from ports on your server, but depending 
on disk space, how "pristine" you want your server to remain, and 
internal security rules (wireshark, particularly some of the protocol 
decoders, is not without its own issues), there are some downsides to this.


Also remember that source IPs can be forged, so look at the MAC address 
information as well if things appear to be really odd.


--

--Jon Radel
j...@radel.com


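Added example (editor's, not from the thread): the on-box alternative to a mirror port, using tcpdump, which is already in the FreeBSD base system, so nothing from ports goes on the server. The log line is from the kernel's response rate limiter; the 200/s figure is the default of the net.inet.icmp.icmplim sysctl. Capturing the RST+ACK segments the server itself sends answers both questions at once: the destination is who is probing, and the source port is the closed port they hit. The interface name and the capture lines in the test are constructed.

```shell
# Capture the server's own closed-port RSTs and tally who triggers them.

capture_rsts() {
    # usage: capture_rsts em0 [count] > rst.txt
    # A SYN to a closed port is answered with RST+ACK from our side, so match
    # that flag combination.  Add -e to also see link-layer addresses when a
    # source IP looks forged.
    ifc=$1; n=${2:-500}
    tcpdump -lnn -c "$n" -i "$ifc" 'tcp[tcpflags] & (tcp-rst|tcp-ack) == (tcp-rst|tcp-ack)'
}

summarize_rst_targets() {
    # $1: tcpdump -nn output (no -e), lines like
    #   13:02:10.111111 IP 203.0.113.5.23 > 198.51.100.7.40001: Flags [R.], seq 0, ack 1, win 0, length 0
    # Field 3 is our ip.port, field 5 is "peer ip.port:".  Old tcpdump prints
    # the flags as a bare "R" instead of "Flags [R.]"; both are accepted.
    printf '%s\n' "$1" | awk '
        $2 == "IP" && (($6 == "Flags" && $7 ~ /^\[R/) || $6 ~ /^R/) {
            d = $5; sub(/:$/, "", d); sub(/\.[0-9]+$/, "", d)   # peer address, port stripped
            lp = $3; sub(/.*\./, "", lp)                        # our port: the closed port hit
            count[d]++
            if (!((d, lp) in seen)) {
                seen[d, lp] = 1
                ports[d] = ports[d] (ports[d] == "" ? "" : ",") lp
            }
        }
        END { for (d in count) printf "%d RSTs to %s, closed ports probed: %s\n", count[d], d, ports[d] }
    ' | sort -rn
}
```

If the top entry is the PIX's inside address, the firewall is forwarding someone else's scan and its own logs hold the real source. Setting net.inet.tcp.blackhole makes closed ports drop SYNs silently, which stops the log line but also removes the quick "connection refused" that legitimate clients rely on; find the cause first.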


Re: NOW what?

2009-12-31 Thread Jon Radel


Gary Kline wrote:


	My new server is back out of harm's way, but now, upon reboot, no mail.  I have 
	tail -f maillog and get "Domain not found"


	Yes, i did edit my DNS files, but I think i have a backup.  Can anybody clue me 
	in so i don't do this by mistake again?  thanks.





Are we talking about ethic.thought.org?  (Personally I think it's a bit 
arrogant of you to assume we all remember the details of your network 
from week to week, but I'm a grouch, and others' mileage almost 
certainly varies.)


Is your mail server on ethic.thought.org?  If so, you're probably just 
running into a race condition, given that your *only* nameserver for 
thought.org is also on ethic.  Or at least your only announced 
nameserver.  In other words, your mailserver is quite possibly starting 
up, attempting a dns lookup and timing out, all before your nameserver 
is up and running.


What happens if you restart just your mailserver at this time?

If that doesn't resolve the matter, give us some details about where 
your nameserver and mailserver live, and give us the contents of 
/etc/resolv.conf on the mailserver, and tell us for which e-mail 
addresses e-mail isn't flowing.


--Jon Radel
j...@radel.com


Re: NOW what?

2009-12-31 Thread Jon Radel


Gary Kline wrote:



It was a good lesson that I should NOT have ever dared to mess
around with IPv6 ... but I did.  And yup, after moving the server
everything restarted.  And that v6 stuff busted things.


Hmmm... yes, putting IPv6 addresses into your DNS w/o your IPv6 network 
actually working does tend to break things all over the place.


You really need a test server to play with rather than subjecting your 
main [only] server to these experiments.  ;-)





[ten mins later with coffee kicking in]:: a question on the
nameserver stuff: given that I have only one ISP, how could I have
another nameserver?  ethic is DNS, mail, and web.  I've got two
	secondary nameservers.  One in Dallas, a second in England.  


Well... which is it?  One or three nameservers?

I find it helps to think of nameservers as being of two types:

1)  Resolving nameservers

These are the servers that *your* machines use to look up addresses, 
both your own and things like www.google.com.  You can use your own 
server.  Your ISP would also have one or more available for customer 
use.  I'd suggest using a list of servers rather than just one.  This 
list is what you'd set up in /etc/resolv.conf.


2)  Authoritative nameservers

These are the servers that tell everyone about thought.org (in your 
case).  You say that you have one on ethic.thought.org and 2 secondaries 
in Dallas and England.  However, given that neither your parent servers 
nor your own zone file as found on ethic mention those two other 
servers, it's very unlikely that they're doing you any good at all. 
(There are advanced scenarios where "hidden secondaries" are useful, but 
I don't think any of them apply to your network.)


BTW, a single install of a name server on a single machine is perfectly 
capable of acting as both a resolving and an authoritative server, but 
it still helps, IMHO, to consider it as serving two different roles. 
(All of which leaves aside the security issues involved)


I would suggest you find out what servers your ISP makes available as 
resolving servers for customers, and use ethic followed by those servers 
in resolv.conf and other such setup.


I would suggest you find out if those secondary servers are actually 
syncing the data from ethic, and if so, list them with your domain 
registrar and in NS records in your dns zone.


With those two steps, dns as a whole will become a bit more resilient 
for you.


--Jon Radel
j...@radel.com


Re: Setup FTP service on FreeBSD 2.0.5?

2010-01-06 Thread Jon Radel

Paul Shi wrote:

Dear Matthew and Everyone,

Thank you so much for your response. I think I will just create a user named
ftp to enable anonymous access since security is not our major concern so
far.


I should hope that security will never be your concern, given how many 
years of security related patches you're missing.


--

--Jon Radel
j...@radel.com




Re: partly offtopic, but need feed back now.

2010-01-11 Thread Jon Radel

Gary Kline wrote:


according to him, on each one copper circuit, there were two unused wires that
could be used for a second phone number.  so that afternoon I had a dialup line
and the house had a voice line.


Or more...

Each POTS (Plain Old Telephone Service) line takes one copper pair.  The 
wiring inside your house probably has two pairs, which can either be 
used for 2 lines or for 1 line plus power to light the dial of your 
Princess phone.  If your wiring is of the right vintage you might even 
have the old transformer for providing the power dangling somewhere. The 
wiring up to your house probably has some even number of pairs.  I think 
I have a 4-pair and a 6-pair at this point, though most are no longer 
used (I'm down to a single POTS and a single T1, way down from my high 
point).




if I'm not mistaken, there are some Qwest people amongst this group.  I would
like to know if what the telephone installer told me 14 years ago was true, and
also, if it is likely unchanged.



Well, pretty much unchanged other than that all the local exchange 
carriers that actually run copper wire to houses are eager to get out of 
that business to one extent or another.  I don't follow this closely, 
but I think AT&T is the only one to have actually gone public with a 
request to the FCC to set a date when they can drop POTS lines forever.




at any rate, within four hours, the cable company will take ownership of the
second voice line.  I think it is just one physical circuit split in two by a
clever tech.


Hmmm... if you're doing the standard thing, and porting your phone 
number to the cable company, they'll have to put some equipment of their 
own on or in your house.  They don't really take ownership of the 
"line", just the number.


See if you can get the tech to make real sure that your two inside pairs 
are well isolated so maybe you can get rid of the problem of ring 
voltage leaking from one to the other.  He'll probably just detach one 
of your inside pairs from Qwest and hook it up to his box, assuming he 
doesn't just wave his hands and tell you plug your phone in "here" and 
go away.


--

--Jon Radel
j...@radel.com




Re: Tinydns configuration... works, but no reverse dns

2008-04-04 Thread Jon Radel
John Almberg wrote:
> 
> I am using tinydns on my FreeBSD server. Normal DNS lookups work fine,
> but I can't get reverse DNS to work.
> 
> My colocation provider says they have delegated DNS to my name servers.
> If there is a way to independently verify this, I don't know how to do
> it, so I am taking their word for it.

I'm a bind guy myself, so I can't answer to your tinydns configuration,
but as to how to independently verify delegation, I find the following
handy:

freesparky# dig +trace -x 66.111.0.194

; <<>> DiG 9.4.2 <<>> +trace -x 66.111.0.194
;; global options:  printcmd
.   112878  IN  NS  A.ROOT-SERVERS.NET.
.   112878  IN  NS  B.ROOT-SERVERS.NET.
.   112878  IN  NS  C.ROOT-SERVERS.NET.
.   112878  IN  NS  D.ROOT-SERVERS.NET.
.   112878  IN  NS  E.ROOT-SERVERS.NET.
.   112878  IN  NS  F.ROOT-SERVERS.NET.
.   112878  IN  NS  G.ROOT-SERVERS.NET.
.   112878  IN  NS  H.ROOT-SERVERS.NET.
.   112878  IN  NS  I.ROOT-SERVERS.NET.
.   112878  IN  NS  J.ROOT-SERVERS.NET.
.   112878  IN  NS  K.ROOT-SERVERS.NET.
.   112878  IN  NS  L.ROOT-SERVERS.NET.
.   112878  IN  NS  M.ROOT-SERVERS.NET.
;; Received 272 bytes from 216.143.151.3#53(216.143.151.3) in 13 ms

66.in-addr.arpa.86400   IN  NS  indigo.ARIN.NET.
66.in-addr.arpa.86400   IN  NS  BASIL.ARIN.NET.
66.in-addr.arpa.86400   IN  NS  henna.ARIN.NET.
66.in-addr.arpa.86400   IN  NS  dill.ARIN.NET.
66.in-addr.arpa.86400   IN  NS  figwort.ARIN.NET.
66.in-addr.arpa.86400   IN  NS  chia.ARIN.NET.
66.in-addr.arpa.86400   IN  NS  epazote.ARIN.NET.
;; Received 194 bytes from 2001:dc3::35#53(M.ROOT-SERVERS.NET) in 107 ms

0.111.66.in-addr.arpa.  86400   IN  NS  auth1.ns.nyi.net.
0.111.66.in-addr.arpa.  86400   IN  NS  auth2.ns.nyi.net.
;; Received 93 bytes from 192.42.93.32#53(figwort.ARIN.NET) in 94 ms

194.0.111.66.in-addr.arpa. 86400 IN NS  ns1.identry.com.
194.0.111.66.in-addr.arpa. 86400 IN NS  ns2.identry.com.
194.0.111.66.in-addr.arpa. 86400 IN NS  ns3.identry.com.
;; Received 140 bytes from 64.90.175.14#53(auth1.ns.nyi.net) in 16 ms

dig: couldn't get address for 'ns3.identry.com': not found



which does bring up the issue of why you refer to ns0 and ns1 in your
question and your provider delegates to ns1, ns2, and ns3, the last of
which doesn't appear to have an A record anywhere useful.

A retry, using a different NS record this time:

...trimmed
194.0.111.66.in-addr.arpa. 86400 IN NS  ns1.identry.com.
194.0.111.66.in-addr.arpa. 86400 IN NS  ns2.identry.com.
194.0.111.66.in-addr.arpa. 86400 IN NS  ns3.identry.com.
;; Received 140 bytes from 64.90.175.14#53(auth1.ns.nyi.net) in 23 ms

194.0.111.66.in-addr.arpa. 3600 IN  PTR on.identry.com.
0.111.66.in-addr.arpa.  259200  IN  NS  ns0.0.111.66.in-addr.arpa.
0.111.66.in-addr.arpa.  259200  IN  NS  ns1.0.111.66.in-addr.arpa.
;; Received 107 bytes from 66.111.0.253#53(ns1.identry.com) in 17 ms

The PTR record looks reasonable, but those NS records...well.  ;-)

--Jon Radel


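Added example (editor's, not from any of the threads): the check behind both this reply and the thought.org one above, where ns1.thought.org advertised seven name servers while the registrar listed two. Delegation is only healthy when the NS set the parent hands out matches the NS set every listed server answers with at the zone apex, so compare them. The parsing and the comparison run offline on constructed dig output in the test; check_delegation is the live wrapper and assumes you know a parent server to ask (dig +trace, as above, shows you one).

```shell
# Compare the parent's delegation NS set with what each listed server says.

ns_set() {
    # $1: dig output text (full "name ttl IN NS target" lines or +short lines)
    # $2: zone; prints the lower-cased, sorted, de-duplicated NS targets for that zone
    zone=$(printf '%s' "$2" | sed 's/\.*$/./')
    printf '%s\n' "$1" | awk -v z="$zone" '
        tolower($1) == tolower(z) && $4 == "NS" { print tolower($5) }   # full format
        NF == 1 && $1 ~ /\.$/ { print tolower($1) }                      # +short format
    ' | sort -u
}

compare_sets() {
    # $1, $2: newline-separated sorted lists; reports what is only in one,
    # returns 0 only when they are identical
    a=$(mktemp); b=$(mktemp)
    printf '%s\n' "$1" > "$a"; printf '%s\n' "$2" > "$b"
    only_a=$(comm -23 "$a" "$b"); only_b=$(comm -13 "$a" "$b")
    rm -f "$a" "$b"
    [ -n "$only_a" ] && printf 'only in first: %s\n' $only_a
    [ -n "$only_b" ] && printf 'only in second: %s\n' $only_b
    [ -z "$only_a" ] && [ -z "$only_b" ]
}

check_delegation() {
    # usage: check_delegation thought.org PARENT_SERVER   (live; needs dig and the network)
    # The parent answers with a referral, so read its AUTHORITY section; each
    # delegated server is then asked directly and must answer from its own data.
    zone=$1; parent_ns=$2; rc=0
    parent=$(ns_set "$(dig +norecurse +noall +authority NS "$zone" "@$parent_ns")" "$zone")
    echo "parent $parent_ns delegates $zone to:"; echo "$parent"
    for ns in $parent; do
        child=$(ns_set "$(dig +norecurse +noall +answer NS "$zone" "@$ns")" "$zone")
        echo "== $ns says:"
        compare_sets "$parent" "$child" || rc=1
    done
    return $rc
}
```

A server that returns nothing for the zone's own NS set, as ns1.identry.com did for 194.0.111.66.in-addr.arpa above, shows up as every parent entry being "only in first". Resolvers that happen to ask that server will get a different picture of the zone than those that ask the others, which is exactly the intermittent breakage both threads describe.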


Re: Server build config, what would you do?

2008-04-09 Thread Jon Radel
Wojciech Puchar wrote:
> 
>>
>> I'd like a C2D to allow for future growth and the fact that it will be
>> serving files for several people on my home network not to mention the
>> other services on it.
> 
> buying computers for future needs is nonsense - as their prices fall all
> the time.

Particularly if your labor costs are effectively free, your maintenance
windows particularly large, and your data collection not too big.  I've
been involved in situations where that planning mechanism would have led
to a world of pain...   (OK, so he mentioned "several people" and "home
network," so you have a point.  ;-)

The one thing that I can think of that I've not seen mentioned in this
thread, which could actually start to make a difference to component
choice, is whether those several people are all hoping to stream video
and music off of this server.  Other than that, I'd go for a Celeron on
a dull, but stable, motherboard.

One other thought on hardware RAID:  If your RAID board itself dies you
better hope you can get it repaired or acquire an exact replacement,
down to the firmware version in some cases.  If not, you'll have real
trouble reading anything off of your disks.  With software RAID, you at
least stand a decent chance of recovering everything from nothing more
than the (N-1) hard disks, a FreeBSD CD-ROM, and the components to build
a new server around them.

--Jon Radel




Re: IP Aliasing

2008-04-10 Thread Jon Radel
David Allen wrote:
> This may be a dumb question, but I'm puzzled by the following (taken
> from the Virtual Hosts section in the Handbook):
> 
>   For example, consider the case where the fxp0 interface is connected
>   to two networks, the 10.1.1.0 network with a netmask of
>   255.255.255.0 and the 202.0.75.16 network with a netmask of
>   255.255.255.240.
> 
> IP aliasing I get, but two different networks on the same interface?
> What would this be plugged into to make that work?

Ethernet most likely these days.

In a perfect world, where ipv4 addresses flowed like water, everyone
managed to forecast everything perfectly, and nobody ever had to
renumber a network, I doubt there'd be much call for it.  And I'd never
want to try make a case for it being terribly elegant.

I'm personally acquainted with a couple of cases where it comes up:

1) Multi-homed networks with ipv4 addresses assignments too small to do
something "real" like using BGP to advertise >= /24 to multiple ISPs.
So to talk via one ISP you use one address and via the other ISP you use
the other.

2) You need to migrate to new addresses but can't afford to shut
everything down long enough to change everything all at once.

There are others.

--Jon Radel




Re: Chown PRoblem..HELP PLEASE

2008-04-11 Thread Jon Radel
Ruel Luchavez wrote:
> Hi ALL,
> 
> i make a new directory in my server using "mkdir [name of folder], then when
> i wan to view the folder i use "ll" and this is the view:
> 
> drwxrwxrwx 2 root wheel 512 Apr 11 11:05 [name of folder]
> 
> when i want to change the owner[root] into a certain name (ex.ruel) using
> the command:
> 
> chown -R ruel:wheel ...path/[name folder]
> 
> I allways got and error:
> 
> chown:ruel: Invalid argument
> 
> what went wrong here guys? what could be my error? can you HELP me on this?
> PLEASE...

Before the user ruel can own a directory, the user ruel must exist.
Does he?  The command "cat /etc/passwd" will give you a list of every
existing user. The adduser script is useful for adding users, if this
indeed the problem.

Incidentally, I find it hard to believe that the name of your directory
is so embarrassing that you can't share it.  By sanitizing such things,
rather than reporting exactly what you typed and exactly what the
response is, you seriously risk editing out clues.  If you already knew
what was important as a clue, you probably wouldn't need to ask the
question.

--Jon Radel




Re: FTP server behind firewall?

2008-04-16 Thread Jon Radel
Gilles wrote:
> Hello
> 
> We have FreeBSD server on our private LAN behind a NAT firewall on
> which I'd like to add an FTP server so that customers can send us
> stuff.
> 
> Problem is, since customers might have a NAT firewall on their end,
> the client application must connect in passive mode... but this just
> moves the problem to our end, where the FTP server will open a random
> port for data... to which the client will fail connecting since our
> NAT firewall is keeping them out of our LAN :-/
> 
> Is there a way to keep our server in the private LAN and still provide
> a way for customers to upload data? Hard-code the socket number used
> by the FTP server for data? Use a different type of server?

What control do you have over the firewall?  One of the cleaner
solutions would be to run an ftp proxy on the firewall, such as that
supplied with pf.  See ftp-proxy(8) or
http://www.openbsd.org/faq/pf/ftp.html

--Jon Radel




Re: Username & groups

2008-04-17 Thread Jon Radel
Ruel Luchavez wrote:

> *My Problem:*

Only one?  ;-)

> I have a new user, i already add the user in the server using command
> "adduser" and "pw" to modify it, by the way the name of user is ac06...
> when i had a command "id -p ac06" this is the reply of the server..
>uid  ac06
>group   plusmate
> and which im sure its correct..
> 
> BUT, when that user acces(ac06)  the folder (plusmate shared) throug the
> windows (windows XP) its always asking for username & password, however it
> didn't ask for username & password while the other users getting to that
> folder/directory.

Assuming you're using Samba for this, you'll need to read up on
authentication in Samba and then figure out which of several options are
configured on your system.  It is not [necessarily] sufficient to add a
FreeBSD user.

--Jon Radel

P.S.  In many circumstances

adduser -G plusmate ac06

instead of

adduser -g plusmater ac06

would give more elegant results.  Other things being equal, it's better
to have all users use their own login group and then add them to
additional groups as appropriate.  There are plenty of legitimate
reasons not to do this, so you're probably best off remaining consistent
with the setup of the existing users.




Re: [SSHd] Limiting access from authorized IP's

2008-04-18 Thread Jon Radel
Mel wrote:
> On Friday 18 April 2008 10:51:45 Gilles wrote:
> 
>> 1. I'd like to limit connections from the Net only from specific IP's.
>> It seems like there are several ways to do it (/etc/hosts.allow,
>> AllowHosts/AllowUsers, TCP-wrapper, port-knocking, etc.). Which would
>> you recommend?
> 
> hosts.allow == TCP wrapper.
> I recommend firewall, with hosts.allow backup. In the event the firewall gets 
> disabled, hosts.allow takes over.
> Note though, that with setups like this, you will have to call someone to add 
> your IP to the lists, when your IP changes or you're on a location you didn't 
> think you'd need access from.
> I personally prefer sshd to be world accessible and block scans, since I 
> consider being locked out of the machines a security risk as well...
> 

Some additional thoughts:  If you want to control which users can
connect from which IP addresses, use the AllowUsers, etc. statements in
sshd_config.  That's the big advantage of doing it at that level.  If
you're not going to get that granular, I'd stick with the advice others
have already given. Also, some of us are convinced that we further
reduce our risk from scanning by turning off password access and forcing
the use of keys.

--Jon Radel
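As an added illustration (not part of the thread or of OpenSSH), a small Python model of the per-user, per-source AllowUsers check described above, with key-only authentication in the sample config. The pattern semantics are assumed from sshd_config(5) and simplified: only the "*" and "?" wildcards, and the host part is matched against the client IP only.

```python
"""Model of the sshd_config AllowUsers check discussed in the thread.

Added example, not code from the thread or from OpenSSH.  Semantics are
assumed from sshd_config(5) and simplified: when AllowUsers is present, a
login is permitted only if some pattern matches; a bare USER pattern
matches that user from any host; USER@HOST checks user and host separately;
'*' and '?' are the only wildcards.  The host part is matched against the
client IP only (sshd also tries the resolved hostname, skipped here).
"""
import re
from typing import Iterable, List


def _wild(pattern: str, value: str) -> bool:
    """Match VALUE against PATTERN, where '*' and '?' are the only wildcards."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def parse_allow_users(config_text: str) -> List[str]:
    """Collect the patterns from every AllowUsers line of an sshd_config."""
    patterns: List[str] = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        keyword, _, rest = line.partition(" ")
        if keyword.lower() == "allowusers":
            patterns.extend(rest.split())
    return patterns


def login_allowed(user: str, client_ip: str, patterns: Iterable[str]) -> bool:
    """Would sshd (in this simplified model) let USER in from CLIENT_IP?"""
    patterns = list(patterns)
    if not patterns:                 # no AllowUsers line: no per-user restriction
        return True
    for pat in patterns:
        if "@" in pat:
            user_pat, _, host_pat = pat.partition("@")
            if _wild(user_pat, user) and _wild(host_pat, client_ip):
                return True
        elif _wild(pat, user):
            return True
    return False


# Constructed sshd_config fragment (RFC 5737 documentation addresses) showing
# the per-user, per-source restriction alongside key-only authentication.
SAMPLE_CONFIG = """\
PermitRootLogin no
# keys only, as suggested in the thread
PasswordAuthentication no
AllowUsers jon@192.0.2.* backup@203.0.113.7
# '?' matches exactly one character
AllowUsers ops@10.0.?.1
"""

if __name__ == "__main__":
    allow = parse_allow_users(SAMPLE_CONFIG)
    for who, where in [("jon", "192.0.2.44"), ("jon", "203.0.113.7"),
                       ("backup", "203.0.113.7"), ("root", "192.0.2.44")]:
        verdict = "allowed" if login_allowed(who, where, allow) else "denied"
        print(f"{who} from {where}: {verdict}")
```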




Re: [SSHd] Limiting access from authorized IP's

2008-04-18 Thread Jon Radel
Paul Schmehl wrote:

> I see this statement all the time, and I wonder why.  What does a
> firewall on an individual host accomplish?
> 
> I have maintained publicly available servers for a small hobby domain
> for almost ten years now.  Initially, I bought in to this logic and ran
> a firewall. (At that time we only had one server.)  What it cost me was
> CPU and memory. What it gained me was nothing.  I turned it off.  I have
> never run a firewall on a publicly available host since.
> 
> Firewalls are for preventing access to running services.  By definition,
> if you are running a service, you want it to be accessed.  So firewalls
> are self-defeating or completely useless at the host level **unless**
> you don't know what you're doing.  For an enterprise they make a great
> deal of sense.  No matter what a user inside your network might do, you
> can prevent access by simply not allowing traffic on that port.

Yes, in a world where nothing ever breaks, all system administrators
never make dumb mistakes, and no one ever breaks into your box to
install services that you certainly wouldn't approve of, the
defense-in-depth techniques being discussed here are pretty much a waste
of time.  Alas, alack, my machines prove every couple of years that they
don't live in such a world.  Must be me.  ;-)

> If *everyone* knew how to properly configure and maintain a host, even
> enterprise firewalls would be completely unnecessary.

And if you've got users on your network...  Oh, my, users do the
darnedest things.  As one little example:  My firewall blocks outbound
traffic to port 25 from all those pesky workstations to anywhere other
than the local SMTP servers.  Why?  Makes me worry just a bit less about
some Windows box pumping spam out to the world due to an unfortunate
choice made by a user.  I doubt there's an enterprise in the world where
every user both knows enough about host security *and* is disciplined
enough to apply that knowledge every minute of every day.

But then, I'm the guy who takes the time to put on his seatbelt each and
every time he starts the car, despite never, not once, having to
actually use it in 3 decades of driving.

> Firewalls are too often crutches for people that don't want to learn
> how to properly maintain a host.

Now that, on the other hand, I can completely agree with.

--Jon Radel




Re: [SSHd] Limiting access from authorized IP's

2008-04-20 Thread Jon Radel
Wojciech Puchar wrote:
> 
>>> this:
>>>
>>> AllowUsers [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
>>
>> It looks like AllowHosts is not available with the version of SSH that
>> comes with FreeBSD.
>>
>> This works:
>>
>> AllowUsers [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
>>
> man hosts.allow

Now that would really confuse things.  We're not talking tcp wrappers
here, or at least we weren't.

man sshd_config

--Jon Radel




Re: RAM & Swap & Speed

2008-04-20 Thread Jon Radel
herbert langhans wrote:
> Hi Daemons,
> recently I had to add some more RAM on a workstation. Was 512MB before and is 
> 2GB now, the reason was to give some graphic apps more space.
> 
> But to my surprise the workstation ran faster--but before adding RAM it did 
> NOT make use of the swap-partition and after the big RAM chip of course not 
> too (checked it with #top).
> 
> This was a Slackware installation. Had anyone experienced such effect on BSD 
> as well? 

Why are you asking about Slackware file caching on a FreeBSD mailing
list?  :-)

In any case, what you're probably seeing is the effect of having lots of
spare RAM to cache files.  In FreeBSD top look at the Cache and Buf
values up top.  If you're doing a lot of file I/O, this can make a
noticeable difference, particularly if you're repeatedly reading the
same files.

However, as is usually the case, unless you do some benchmarks on *your*
computer, it's hard to say more than "the first couple GB of RAM you add
will probably make your workstation run faster."

--Jon Radel




Re: RAM & Swap & Speed

2008-04-21 Thread Jon Radel
Jon Radel wrote:
> herbert langhans wrote:
>> Hi Daemons,
>> recently I had to add some more RAM on a workstation. Was 512MB before and 
>> is 2GB now, the reason was to give some graphic apps more space.
>>
>> But to my surprise the workstation ran faster--but before adding RAM it did 
>> NOT make use of the swap-partition and after the big RAM chip of course not 
>> too (checked it with #top).
>>
>> This was a Slackware installation. Had anyone experienced such effect on BSD 
>> as well? 
> 
> Why are you asking about Slackware file caching on a FreeBSD mailing
> list?  :-)
> 
> In any case, what you're probably seeing is the effect of having lots of
> spare RAM to cache files.  In FreeBSD top look at the Cache and Buf
> values up top.  If you're doing a lot of file I/O, this can make a
> noticeable difference, particularly if you're repeatedly reading the
> same files.

It has been pointed out that this response by me is incomplete, arguably
misleadingly so.  See
http://lists.freebsd.org/pipermail/freebsd-performance/2004-April/000769.html
for much more technical detail on what is really happening.

--Jon Radel




Re: Recommendations for BSD Unix Toolbox: 1000+ Commands for FreeBSD & BSD Books

2008-04-28 Thread Jon Radel
loony wrote:
> 
> What are folks recommendations for the updated edition of BSD UNIX Toolbox: 
> 1000+ Commands for FreeBSD, OpenBSD and NetBSD (Paperback)by Christopher 
> Negus 
> (Author), Francois Caen (Author)?

Amazon.com started shipping pre-ordered copies only today, so I can't
imagine too many people have had a chance to form in-depth impressions
yet.  I'll try to say more after I actually have browsed my copy.  :-)

For the moment, I will strongly second Roland Smith's reminder that ?AMP
is largely OS independent so long as you use a *n?x that
Apache/MySQL/etc. are well supported under.  You may well do better to
find a "Use Apache to build a web site" or "(language of your choice)
with (database of your choice)" book that suits your development
philosophy.

--Jon Radel




Re: Need to download FreeBSD

2008-05-07 Thread Jon Radel
Bill Moran wrote:
> In response to Ecole Point Bleu <[EMAIL PROTECTED]>:
> 
>> Mr./Ms.:
>>
>> I am trying to download FreeBsd from 
>> http://www.freebsd.org/fr/where.html. But so far, I have been 
>> unsuccessful at it as I am asked to provide a user name and a password. 
>> Anonymous login does not work either. Though some few days ago I started 
>> downloading Disc1 (iso) just to find out that the checksum was not 
>> right. Can I you assist, please ?
> 
> I just tried and it's working fine for me.  What software are you using
> for the download?  Perhaps your FTP client is doing it wrong.

ftp://ftp.freebsd.org/ is currently rejecting my "anonymous" in 50% of a
small sample of attempts.

To OP:  you may wish to try one of the mirrors closer to you (Spain,
France, South Africa?? I have no idea how you connect to the world).
See
http://www.freebsd.org/doc/fr_FR.ISO8859-1/books/handbook/mirrors-ftp.html

Another thought is to consider using Bittorrent if it is available to
you.  As this splits the files into many small chunks, checksums each
one independently, and can be stopped and restarted at any time with
very little loss of already transferred bytes, you may find it more
resilient in your situation.

--Jon Radel




Re: root login stops working

2008-05-11 Thread Jon Radel
Wojciech Puchar wrote:
> 
>> need root access, you should use a staff account in the wheel group to
>> remotely log into the machine, then su to root.
> 
> or set
> 
> PermitRootLogin yes
> 
> in sshd_conf
> 
> much easier.
> 
>> The fact that remote direct root login is disabled is a security feature,
>> meant to prevent things like brute-force attacks on root over the
>> network.  It's a bad idea to change that behavior, in general.  Back when
> 
> just another stupid myth. 

As is, of course, all security in depth.  Hey, if you want everything
riding on one password, more power to you, but you might want to refrain
from using phrases like "stupid myth" unless you've got some hard data
to back them up.

> simply use good passwords.

Or a nice little key encrypted with a good pass phrase.  Use ssh-agent
right and you can make things even easier for yourself.

> 
> having to log through 2 accounts doesn't increase security. actually
> increases mess.

The only mess I can think of is all that logging that forces a bit of
accountability onto all the admins who know the root password.  Of
course, if you're the only admin, I suppose it doesn't really matter.

;-)

--Jon Radel




Re: Nagios Apache and FreeBSD

2008-05-12 Thread Jon Radel
DSA - JCR wrote:
> Hi to all
> 
> I use FreeBSD 6.2
> 
> I have installed Nagios from ports and configured and also as required by
> Nagios Apache22
> 
> The problem I have is that I cannot access the server by web, in order to
> see the Nagios frontend doing
> 
> http://mynagiosIP/nagios
> 
> doesn't work

Please be more precise.  Does http://mynagiosIP/ work?  When you try
http://mynagiosIP/nagios does the browser time out, or do you get an
error response, if so which one?  Or do you get another web page that
has nothing to do with Nagios?

> 
> I suspect that maybe as I use inetd I must put somewhere in inetd.conf
> something about apache, is true?

No.

> 
> I have
> nagios_enable=YES and apache_enable=YES
> in rc.conf
> 
> also I test and start nagios and apache manually and I don't get any error
> message or misconfiguration.

Did you configure apache at all after you installed it?  If so, what did
you do?

--Jon Radel




Re: arplookup 0.0.0.0 failed: host is not on local network

2008-05-14 Thread Jon Radel

Christer Solskogen wrote:
> Derek Ragona wrote:
>> I would do a traceroute from all your hosts there.  When you do keep
>> an eye out for the arp error message.  This should help find the host
>> causing these errors and then look at that systems configuration.
>>
>> Also do you have more than one ethernet interface in the system
>> showing the arp errors?  If you do, make sure the interfaces are on
>> different subnets.
>
> traceroute doesn't show anything (no response). Only ping responds, and ping
> responds with "192.168.0.1" - which is my router. My router on the other
> hand does not have this arp problem. Only the other machines.
>
> Every machine, except my router, has only one interface. (my router has
> two, but they are on two different subnets)




OK, this problem amused me enough to play around.  Unfortunately, while 
I was able to, somehow, replicate the log entries on a FreeBSD 6.2 box, 
I don't know how, as it was a box that I wasn't using for my experiments 
(though on the same LAN segment as those I was using) and it was only 
the next day that I realized that it had taken offense at something I'd 
done.  By then I'd forgotten what I'd tried in which order...


In any case, what I can tell you:

On FreeBSD (various versions from 4.9 to 7.0) and MacOS X 10.4, ping 
0.0.0.0 appears to be the equivalent of pinging the ipv4 default gateway 
(if you use tcpdump you can actually see the packets with a destination 
address of 0.0.0.0 go out and the replies come in).  OpenBSD 4.2 and 
Windows XP basically tell you can't do such a foolish thing.  I think 
this is a red herring.


I doubt you have an interface with a 0.0.0.0 address.  What I suspect 
you have is some software, somewhere on the same segment as the machine 
logging the complaints, that is triggering an ARP query for 0.0.0.0.


If you really want to track this down, what I'd strongly urge you to 
start with is to, on a machine where the log entries happen, run the command


tcpdump -vvv -n -l -e arp

and see if you can catch ARP traffic mentioning 0.0.0.0.  If you catch 
one, this will give you the MAC address of the source of the traffic.  I 
would hope that this would help narrow it down.


Meanwhile, I'll see if I can replicate this when I'm paying a bit more 
attention.  :-)


--Jon Radel




Re: arplookup 0.0.0.0 failed: host is not on local network

2008-05-14 Thread Jon Radel

Jon Radel wrote:
> Christer Solskogen wrote:
>> Derek Ragona wrote:
>>> I would do a traceroute from all your hosts there.  When you do keep
>>> an eye out for the arp error message.  This should help find the host
>>> causing these errors and then look at that systems configuration.
>>>
>>> Also do you have more than one ethernet interface in the system
>>> showing the arp errors?  If you do, make sure the interfaces are on
>>> different subnets.
>>
>> traceroute doesn't show anything (no response). Only ping responds, and
>> ping responds with "192.168.0.1" - which is my router. My router on
>> the other hand does not have this arp problem. Only the other machines.
>>
>> Every machine, except my router, has only one interface. (my router
>> has two, but they are on two different subnets)
>
> OK, this problem amused me enough to play around.  Unfortunately, while
> I was able to, somehow, replicate the log entries on a FreeBSD 6.2 box,
> I don't know how, as it was a box that I wasn't using for my experiments
> (though on the same LAN segment as those I was using) and it was only
> the next day that I realized that it had taken offense at something I'd
> done.  By then I'd forgotten what I'd tried in which order...


On a FreeBSD 7.0 box on the other side of an OpenBSD 4.2 router I did a

arpdig 216.143.151.1/28

On the FreeBSD 6.2 box tcpdump said:

22:45:06.707002 00:08:02:cc:b1:60 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 216.143.151.11 tell 0.0.0.0
22:45:06.707020 00:16:76:cf:e4:b3 > 00:08:02:cc:b1:60, ethertype ARP (0x0806), length 42: arp reply 216.143.151.11 is-at 00:16:76:cf:e4:b3

with the resulting message in debug.log:

May 14 22:45:06 left kernel: arplookup 0.0.0.0 failed: host is not on local network
May 14 22:45:07 left last message repeated 2 times

So I'm actually going to update my hypothesis a bit; I suspect that any 
incoming packet that triggers an ARP lookup for 0.0.0.0 will result in 
this message.  Try


tcpdump -vvv -n -l -e -s 128 arp or ip | grep 0.0.0.0

to see what you can catch.

--Jon Radel
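As an added example (not code from the thread), a Python parser for the one-line-per-packet "tcpdump -n -l -e arp" format quoted above that flags ARP requests claiming a sender of 0.0.0.0 and reports the source MAC, which is the clue the thread is after. The sample capture is constructed from the addresses quoted in the thread plus one made-up extra probe; newer tcpdump versions word ARP lines differently and would need the regex adjusted.

```python
"""Spot ARP requests with a 0.0.0.0 sender in tcpdump -e output.

Added example, not code from the thread.  It parses the older tcpdump
wording shown in the thread ("arp who-has X tell Y" / "arp reply X is-at
MAC") and counts, per source MAC, the requests sent on behalf of 0.0.0.0.
"""
import re
from collections import Counter
from typing import Iterable, List, NamedTuple, Optional

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
ARP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<src_mac>" + MAC + r") > (?P<dst_mac>" + MAC + r"), "
    r"ethertype ARP \(0x0806\), length (?P<length>\d+): "
    r"arp (?:who-has (?P<target>\S+) tell (?P<sender>\S+)"
    r"|reply (?P<answered>\S+) is-at (?P<mac>\S+))$"
)


class ArpPacket(NamedTuple):
    ts: str
    src_mac: str
    dst_mac: str
    op: str       # "request" or "reply"
    ip: str       # IP asked about (request) or answered (reply)
    sender: str   # "tell" IP (request) or the MAC given (reply)


def parse_arp_line(line: str) -> Optional[ArpPacket]:
    """Parse one tcpdump line; None for anything that is not an ARP line."""
    m = ARP_LINE.match(line.strip())
    if not m:
        return None
    if m.group("target"):
        return ArpPacket(m["ts"], m["src_mac"], m["dst_mac"], "request",
                         m["target"], m["sender"])
    return ArpPacket(m["ts"], m["src_mac"], m["dst_mac"], "reply",
                     m["answered"], m["mac"])


def zero_sender_requests(lines: Iterable[str]) -> List[ArpPacket]:
    """ARP requests whose sender protocol address is 0.0.0.0."""
    hits = []
    for line in lines:
        pkt = parse_arp_line(line)
        if pkt and pkt.op == "request" and pkt.sender == "0.0.0.0":
            hits.append(pkt)
    return hits


def suspects(lines: Iterable[str]) -> Counter:
    """Count such requests per source MAC: that MAC is the machine to go look at."""
    return Counter(p.src_mac for p in zero_sender_requests(lines))


# Constructed capture: the two arpdig lines and the ordinary request/reply
# quoted in the thread, plus one made-up second probe from the same MAC.
SAMPLE_CAPTURE = """\
22:45:06.707002 00:08:02:cc:b1:60 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 216.143.151.11 tell 0.0.0.0
22:45:06.707020 00:16:76:cf:e4:b3 > 00:08:02:cc:b1:60, ethertype ARP (0x0806), length 42: arp reply 216.143.151.11 is-at 00:16:76:cf:e4:b3
22:45:06.907002 00:08:02:cc:b1:60 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 216.143.151.12 tell 0.0.0.0
08:58:46.337968 00:1d:60:36:34:a6 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 192.168.0.3 tell 192.168.0.12
08:58:46.337974 00:18:f3:29:d8:15 > 00:1d:60:36:34:a6, ethertype ARP (0x0806), length 42: arp reply 192.168.0.3 is-at 00:18:f3:29:d8:15
"""

if __name__ == "__main__":
    for mac, n in suspects(SAMPLE_CAPTURE.splitlines()).items():
        print(f"{mac} sent {n} ARP request(s) claiming sender 0.0.0.0")
```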




Re: arplookup 0.0.0.0 failed: host is not on local network

2008-05-15 Thread Jon Radel

Christer Solskogen wrote:
> [EMAIL PROTECTED] ~]# tcpdump -vvv -n -l -e arp
> tcpdump: listening on nfe0, link-type EN10MB (Ethernet), capture size 96 bytes
> 08:58:46.337968 00:1d:60:36:34:a6 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 192.168.0.3 tell 192.168.0.12
> 08:58:46.337974 00:18:f3:29:d8:15 > 00:1d:60:36:34:a6, ethertype ARP (0x0806), length 42: arp reply 192.168.0.3 is-at 00:18:f3:29:d8:15
>
> ...snip...
>
> There is this line saying:
> 00:1d:60:36:34:a6 > ff:ff:ff:ff:ff:ff
> and nothing has ff:ff:ff:ff:ff:ff as a mac address :)


ff:ff:ff:ff:ff:ff is the broadcast address.  That looks like a rather 
mundane arp request broadcast followed by a reply from the machine with 
the address in question.


The trick will be to see if you see anything with tcpdump at the time 
one of the syslog messages about 0.0.0.0 gets logged.


BTW, just for the record, personally I doubt this is anything serious to 
worry about, but as I have no real evidence for that feeling...  You 
may, however, find http://en.wikipedia.org/wiki/0.0.0.0 at least mildly 
interesting.


--Jon Radel




Re: FreeBSD based router ...

2008-05-28 Thread Jon Radel

Tom Van Looy wrote:
> Wojciech Puchar wrote:
>>> been happy with using soekris net48XX boxes using m0n0wall
>>
>> small but expensive. used 486-pentium hardware is for free.
>
> No it's not, they consume electricity. Soekris boxes are designed for
> low-power. I had a 4501 and now have a 5501.


And, other than in hobbyist's private networks and things built with 
volunteer labor, there are generally labor costs.  Rummaging in the junk 
pile can get pretty expensive if you have to pay somebody to do it....


--Jon Radel




Re: Redirect email account in freebsd

2008-05-30 Thread Jon Radel

Ruel Luchavez wrote:
> ALL Hi,
>
> I don't know if it's right to post my problem here..

Yes.

> How would you redirect an email account?
> Let's put it in this way, we have an existing account namely [EMAIL PROTECTED]
> ,[EMAIL PROTECTED] and [EMAIL PROTECTED] what i want is
> when someone sends an email to account1 only (no cc: or bcc: from sender) ,
> account3 can also receive the message being sent
> to account1? is it possible?



If you're using sendmail (the default mail server in FreeBSD), probably 
the easiest way is to edit /etc/mail/aliases and put the following line 
in the file:


account1:  \account1, account3

and then run the newaliases command.

While this will not send account3 two copies of e-mail that the sender 
sent to both account1 and account3, it will not check that account1 is 
the only recipient.  If you need to strictly check that there are no cc: 
or bcc: recipients, I suspect you will have to install something more 
sophisticated, such as procmail from ports.



> I'm using the Thunderbird.


Or, you could set up rules in Thunderbird to do the forwarding from 
there.  Of course, this means that mail gets forwarded only when 
account1 checks for mail.


--Jon Radel




Re: NFE setting manually to 1000baseT and half duplex

2008-06-08 Thread Jon Radel

Gelsema, P (Patrick) - FreeBSD wrote:
> Hi List,
>
> I am using the nfe driver on Freebsd 7.0R and I am unable to change
> the NIC driver manually to 1000baseT with half-duplex. I believe I am
> not getting the max out of my network connection and want to see if
> changing the duplex will help.


Even if you do have hardware that supports half-duplex gigabit ethernet
on both ends, the need to do carrier extension for any frame shorter
than 512 bytes so that CSMA/CD actually works on a reasonable sized
cable, does horrible things to your throughput if you've got lots of
small frames. (In other words, at gigabit speeds, frames smaller than
512 bytes zip down the wire so quickly that you can no longer reliably
detect collisions, so the frames all get padded.) I'm having trouble 
wrapping my head around any circumstances other than horribly, horribly 
broken hardware or software where half-duplex would increase your 
performance over full-duplex.


That said, most (an imprecise way of saying "every time I've looked this
has been the case, but I generally no longer bother looking") gigabit
ethernet hardware I've ever touched has been incapable of doing
half-duplex when it's being used at gigabit speeds.  The specs for doing
it exist more for theoretical completeness than out of practical
utility.  See, for example

http://www.intel.com/network/connectivity/resources/doc_library/white_papers/solutions/copper_guide/gig_over_copper.htm

for a discussion on this and related topics.

My suggestion would be to let both sides auto-detect if they're both
capable of gigabit ethernet.

--Jon Radel





Re: NFE setting manually to 1000baseT and half duplex

2008-06-08 Thread Jon Radel

Wojciech Puchar wrote:
>> Even if you do have hardware that supports half-duplex gigabit ethernet
>> on both ends, the need to do carrier extension for any frame shorter
>> than 512 bytes so that CSMA/CD actually works on a reasonable sized
>> cable, does horrible things to your throughput if you've got lots of
>> small frames. (In other words, at gigabit speeds, frames smaller than
>> 512 bytes zip down the wire so quickly that you can no longer reliably
>> detect collisions, so the frames all get padded.) I'm having trouble
>> wrapping my head around any circumstances other than horribly,
>> horribly broken hardware or software where half-duplex would increase
>> your performance over full-duplex.
>
> actually there are no gigabit devices incapable of full-duplex.


I would certainly hope so; I can't see much of a market for gigabit 
ethernet devices that can't do full-duplex.  (I'm a touch confused, 
however, by your phrasing that as if you're rebutting something I wrote.)


--Jon Radel




Re: Email issues, relay failure

2012-02-25 Thread Jon Radel

On 2/25/12 10:26 AM, Bender, Chris wrote:
> On telnet w IP it says unable to connect.
>
> ...
>
> Its weird that the delivery on A says deferred connection timed out but on
> tcpdump I see the port 25



If you can't establish a TCP connection from A to your relay server on 
port 25, I'd expect all of the above.  If you can't establish a TCP 
connection to port 25 at all from A, I'd stop focusing on the details of 
the e-mail server on the relay machine (as they're likely to be beside 
the point) and start focusing on what is blocking the traffic from A. 
Have you audited all the firewalls involved?  To be really focused, if 
you see traffic (both ways) at the relay server when A tries to talk to 
port 25, but A is convinced that no TCP connection is established, 
either you're stomping on things at the relay server (do your attempts 
to telnet to port 25 fail immediately or just sit there for a good long 
time and then fail?), the reply packets from relay to A are getting 
mis-routed, or A is ignoring the packets coming in from the relay.  Can 
you ping from the relay to A?


There's a distinct difference between failure to establish a TCP 
connection (look to the network stuff) and the e-mail server giving you 
an error response rejecting your attempt to transfer mail or just 
quietly losing the mail (look to the e-mail servers).


--
--Jon Radel
j...@radel.com



Re: Email issues, relay failure

2012-02-27 Thread Jon Radel

On 2/25/12 1:39 PM, Bender, Chris wrote:
> Thanks. There aren't any firewalls between the devices but they are far apart.


On 2/27/12 11:12 AM, Bender, Chris wrote:

> Can anybody assist me with pfctl on freebsd?
> I have pfctl running as adaptive. It is blocking some smtp mail.


!

BTW, pfctl is the program for controlling the firewall.  The actual 
firewall is generally referred to as pf.


So if you just turn PF off for a bit, does e-mail suddenly flow?

--
--Jon Radel
j...@radel.com



Re: Email issues, relay failure

2012-02-27 Thread Jon Radel

On 2/27/12 11:45 AM, Bender, Chris wrote:
> I was thinking about just reloading the pf.conf but I have never worked
> with pf so
> I am worried other things might break. My thought was by doing that the
> Adaptive part of the pfctl would be restarted?

Any pf.conf file I've ever seen does something sensible after reload.
I suspect one could write something perverse that blows up on restart,
but that would make rebooting the machine problematic...

> Does that make sense would reloading the rules wash the adaptive
> behavior away or
> Would all that still be in some sort of bruteforce file to protect the
> firewall?


pf can load data from files when it starts or just manage things in a 
fashion that is transient upon restart.  Hard to say what's happening in 
your case w/o a clue as to what's in pf.conf.


I'd suggest that you at the very least whitelist internal SMTP speakers 
that you expect to get e-mail from on a regular basis, even if you do 
throttling of SMTP connections in general.  Much less messy....


--
--Jon Radel
j...@radel.com



Re: Email issues, relay failure

2012-02-27 Thread Jon Radel

On 2/27/12 12:00 PM, Bender, Chris wrote:
> How would I whitelist SMTP speakers?

You're invited to read the documentation.  The Book of PF: A No-Nonsense
Guide to the OpenBSD Firewall, 2nd ed., is also rather informative,
although one has to keep in mind that the version of PF in FreeBSD lags
that in OpenBSD.

> I am thinking it would be ok to reload the rules, would that clear the
> issue with SMTP users for now?
> Whats the harm?


The universe might grind to a halt.  This would upset a great many 
people.  This outcome, however, is exceedingly unlikely.


Again, with no clue as to what's in pf.conf, I could offer only the 
vaguest guesses based in part on my judged competence of the author of 
your pf.conf.  Since your pf.conf appears to have possibly destroyed 
your e-mail infrastructure, the preliminary assessment is a bit shaky.


--
--Jon Radel
j...@radel.com



Re: Do not work turn-off line to syslogd "last message repeated N times'"

2012-03-02 Thread Jon Radel

On 3/2/12 6:33 PM, Vladislav V. Prodan wrote:
> 03.03.2012 1:10, Yuri Pankov wrote:
>> Well, "twice" means "cc" :-)
>
> #man syslogd
> ...
> SYNOPSIS
>   syslogd [-468ACcdkNnosuv] [-a allowed_peer] [-b bind_address]
>   [-f config_file] [-l [mode:]path] [-m mark_interval]
>   [-P pid_file] [-p log_socket]
> ...
>
> Where do you see an indication to use the "-cc"?
>
> I need to remove the logs from the line of the form:
> "last message repeated N times"



There was a very clear indication in the quote from the manpage that 
you, your very own self, sent us all just a few minutes ago.


--
--Jon Radel
j...@radel.com



Re: Some questions about Link Aggregation and Failover

2012-03-07 Thread Jon Radel

On 3/6/12 11:41 PM, bo wang wrote:
> Hello:
>    Recently I want to do Link Aggregation for increasing the
> speed. I use a Cisco 3750 Switch and two IBM Server R   with BSD
> 9.0 .I do link aggregation According to this page.
>    http://www.freebsd.org/doc/en/books/handbook/network-aggregation.html
>    I use LACP .But when i have done ,the link aggregation  only can
> do Failover  .It can't increase the  speed. What is the
> problem?Detailed configuration as follows


How are you measuring the speed to determine that there is no speed-up? 
 You're not, by some chance, sending test data between a single source 
and single destination address pair are you?



--
--Jon Radel
j...@radel.com



Re: Fwd: Some questions about Link Aggregation and Failover

2012-03-09 Thread Jon Radel

On 3/9/12 4:08 AM, Damien Fleuriot wrote:
> Well that's exactly what I'm trying to show you.
>
> Link aggregation will *NOT* allow you to get 200mbs between 2 servers by
> sending data over the 2 cables.
>
> As per the example I pasted below, link aggregation uses a load
> balancing algorithm to share the traffic across several links.
>
> It will *NOT* use *BOTH* links for a single "source ip - destination ip"
> pair.


All of which is explained at least twice in the document the OP claims 
to have used


   http://www.freebsd.org/doc/en/books/handbook/network-aggregation.html

once in the section on LACP:

"LACP balances outgoing traffic across the active ports based on hashed 
protocol header information and accepts incoming traffic from any active 
port. The hash includes the Ethernet source and destination address, 
and, if available, the VLAN tag, and the IPv4/IPv6 source and 
destination address."


and once in Example 32-1, which is presumably being used as the cookbook 
for this project:


"Since frame ordering is mandatory on Ethernet links then any traffic 
between two stations always flows over the same physical link limiting 
the maximum speed to that of one interface. The transmit algorithm 
attempts to use as much information as it can to distinguish different 
traffic flows and balance across the available interfaces."


Has use of Gig ethernet been considered?

--
--Jon Radel
j...@radel.com
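To make the point of both replies above concrete (the question "are you sending between a single source and destination pair?" and the quoted handbook text on what the LACP hash covers), here is an added example that is not from the thread and not the FreeBSD kernel's hash: a toy transmit hash fed only the fields the handbook lists (MACs, VLAN, IP addresses), with TCP/UDP ports deliberately ignored. All MACs and addresses are constructed.

```python
"""Illustrate why one address pair never exceeds one member link under lagg/LACP.

The real lagg(4) hash function is not reproduced here; what is reproduced is
*which header fields* feed it, per the FreeBSD handbook: Ethernet source and
destination address, the VLAN tag if present, and the IPv4/IPv6 source and
destination address.  Layer-4 ports are not part of the hash.
"""
import ipaddress
from collections import Counter

# Constructed addresses for the demonstration (not from the thread).
SERVER_A_MAC = "00:11:22:33:44:55"
SERVER_B_MAC = "66:77:88:99:aa:bb"
ROUTER_MAC = "de:ad:be:ef:00:01"   # remote clients arrive via this router


def _octets(mac, ip):
    """Raw bytes of a MAC address plus an IPv4/IPv6 address."""
    return bytes.fromhex(mac.replace(":", "")) + ipaddress.ip_address(ip).packed


def lagg_port(src_mac, dst_mac, src_ip, dst_ip, vlan=0, nports=2,
              sport=None, dport=None):
    """Return the member port (0..nports-1) a flow is transmitted on.

    sport/dport are accepted only to make the point explicit: they are
    ignored, so every TCP connection between the same two hosts hashes
    identically and therefore shares one physical link.
    The hash itself (byte sum modulo nports) is a toy, chosen to be
    transparent; the kernel uses a proper hash over the same fields.
    """
    material = (_octets(src_mac, src_ip)
                + _octets(dst_mac, dst_ip)
                + vlan.to_bytes(2, "big"))
    return sum(material) % nports


def single_pair_spread(n_connections, nports=2):
    """iperf-style test: n parallel TCP connections between the same two servers.

    Returns a Counter of member port -> number of connections landing on it.
    """
    return Counter(
        lagg_port(SERVER_A_MAC, SERVER_B_MAC, "192.0.2.10", "192.0.2.20",
                  sport=p, nports=nports)
        for p in range(40000, 40000 + n_connections)
    )


def many_clients_spread(n_clients, nports=2):
    """n clients on a remote subnet reaching the server through one router.

    They share the router's source MAC but have distinct source IPs, so the
    hash varies and the flows spread over the member ports.
    """
    return Counter(
        lagg_port(ROUTER_MAC, SERVER_A_MAC, f"198.51.100.{i}", "192.0.2.10",
                  nports=nports)
        for i in range(1, n_clients + 1)
    )


if __name__ == "__main__":
    print("50 connections, one host pair:", dict(single_pair_spread(50)))
    print("8 clients behind a router:   ", dict(many_clients_spread(8)))
```

A single pair of hosts lands every connection on one port, which is exactly the "failover only" symptom the original poster measured; many distinct clients are what spread load across the links.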



Re: problem

2012-03-31 Thread Jon Radel
The format of named files isn't quite as free-form as you apparently 
think. :-) Compare one of mine:


$TTL 1H
@   IN  SOA ns3.radel.com. jon.radel.com. (
2010100400  ; serial
1H  ; refresh
15M ; retry
2W  ; expiry
30M )   ; minimum
IN NS   ns.radel.com.
IN NS   ns2.radel.com.
IN NS   ns3.radel.com.
IN NS   ns4.radel.com.

with yours:



$TTL 3600

OK


johannesang.com. IN  SOA host.johannesang.com.  root.johannesang.com.   (
OK; "@" in mine is shorthand for "the domain which this zone file 
defines", but giving the domain explicitly works fine.


201204010042   1d12h 1w  3h
Starts as OK syntax, but a 42 second refresh with 1 day retry strikes me 
as dubious at best and then you have an extra value on the end. 
Actually, I suspect that 42 is actually your extra value.  "2012040100" 
is the serial number, you know.

  Serial, Refresh, Retry, Expire, Neg. cache TTL
This line is extraneous garbage, as you've not commented it out; that's 
what the semi-colons do in my example.  I suspect that's why one error 
message moans about an error in the vicinity of the "3h", as that's an 
extra value followed by garbage.


Missing close parenthesis.




;DNS Servers
johannesang.com. IN  NS  host.johannesang.com.

Looks fine.


;Machine Names
host.johannesang.com.IN  A   167.205.79.105

Looks fine


;Aliases
www  IN  CNAME   host.johannesang.com.

Looks fine


here is my db.johannesang file
$TTL 3600

79.205.167.in-addr.arpa. IN  SOA host.johannesang.com.  root.johannesang.com.

201204010042   1d12h 1w  3h

missing open and close parenthesis, extra value

  Serial, Refresh, Retry, Expire, Neg. cache TTL

extraneous garbage


Etc.  You're pretty close and it should work fine after you clean up 
your syntax a bit.


--Jon Radel
j...@radel.com




Re: log error..

2012-04-01 Thread Jon Radel

On 4/1/12 2:01 AM, jangkawij...@students.itb.ac.id wrote:


Apr  1 19:33:10 johannesang named[18782]: starting BIND 9.7.4-P1 -t /var/named 
-u bind
Apr  1 19:33:10 johannesang named[18782]: built with '--localstatedir=/var' 
'--disable-linux-caps' '--disable-symtable' '--with-randomdev=/dev/random' 
'--with-openssl=/usr/local' '--with-libxml2=/usr/local' '--without-idn' 
'--enable-ipv6' '--enable-threads' '--sysconfdir=/etc/namedb' '--prefix=/usr' 
'--mandir=/usr/share/man' '--infodir=/usr/share/info/' 
'--build=i386-portbld-freebsd7.3' 'build_alias=i386-portbld-freebsd7.3' 'CC=cc' 
'CFLAGS=-O2 -fno-strict-aliasing -pipe' 'LDFLAGS= -rpath=/usr/local/lib' 
'CPPFLAGS=' 'CPP=cpp' 'CXX=c++' 'CXXFLAGS=-O2 -fno-strict-aliasing -pipe'
Apr  1 19:33:10 johannesang named[18782]: Using 101 tasks for zone loading
Apr  1 19:33:11 johannesang named[18782]: max open files (3520) is smaller than 
max sockets (4096)
Apr  1 19:33:11 johannesang named[18782]: command channel listening on 
127.0.0.1#953
Apr  1 19:33:11 johannesang named[18782]: command channel listening on ::1#953
Apr  1 19:33:11 johannesang named[18782]: zone 127.in-addr.arpa/IN: NS 
'johannesang.com.127.in-addr.arpa' has no address records (A or AAAA)
Apr  1 19:33:11 johannesang named[18782]: zone 127.in-addr.arpa/IN: not loaded 
due to errors.
Apr  1 19:33:11 johannesang named[18782]: zone 79.205.167.in-addr.arpa/IN: has 
no NS records
Apr  1 19:33:11 johannesang named[18782]: zone 79.205.167.in-addr.arpa/IN: not 
loaded due to errors.
Apr  1 19:33:11 johannesang named[18782]: zone johannesang.com/IN: NS 
'host.johannesang.com' has no address records (A or AAAA)
Apr  1 19:33:11 johannesang named[18782]: zone johannesang.com/IN: not loaded 
due to errors.
Apr  1 19:33:11 johannesang named[18782]: 
/etc/namedb/master/localhost-forward.db:5: unknown RR type 'Serial,'
Apr  1 19:33:11 johannesang named[18782]: zone localhost/IN: loading from 
master file /etc/namedb/master/localhost-forward.db failed: unknown class/type
Apr  1 19:33:11 johannesang named[18782]: zone localhost/IN: not loaded due to 
errors.
Apr  1 19:33:11 johannesang named[18782]: running

can somene help me ??

can some help me to selve this thanks


Ah, the impatience of youth...he'd sent me essentially the same 
"question" directly and got impatient 30 minutes later and resent it here.


Those error messages are pretty explicit.

The one hint is that each zone file needs to have at least one NS record 
that uses a name for a server.  That name has to have at least one A (or 
AAAA if you're using ipv6, but I'd suggest you stick with ipv4 until you 
have a clue) record that gives an IP address for the server.  You can't 
assign your servers names in in-addr.arpa.


Judging from the complaint about RR type 'Serial' you've still got 
uncommented-out garbage floating around.


Fix all that and it'll get better.  Better yet, compare what you've got 
against what's in the documentation and think a bit about what it *means*.


The question, of course, is how did you manage to completely break this 
since the last go around, where I believe you had the NS records working?


--Jon Radel
j...@radel.com
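The SOA slips walked through in "Re: problem" above (missing parentheses, an extra value, an uncommented "Serial, Refresh, ..." line) are the same ones behind the "unknown RR type 'Serial,'" complaint in this log. As an added example that is not from the thread, a small checker that flags them before named does; the sample zones are constructed, loosely modelled on the ones quoted.

```python
"""Spot common SOA record mistakes in a BIND-style zone file.

Not a full zone parser: it only reads the SOA record and reports the slips
discussed above.  Comments start with ';' and run to end of line.
"""
import re

# Tokens that start a new resource record; seeing one while still inside
# an unclosed SOA means the ')' was forgotten.
RR_TYPES = {"IN", "NS", "A", "AAAA", "CNAME", "PTR", "MX", "TXT", "SRV"}
# A serial/TTL value: plain number or BIND's unit form such as 1H, 2W, 1d12h.
TTL_RE = re.compile(r"^(\d+[SMHDW]?)+$", re.IGNORECASE)
# Parentheses are separate tokens even when glued to a value ("1D)").
TOKEN_RE = re.compile(r"[()]|[^\s()]+")


def _tokens(line):
    """Tokenise one zone-file line with any ';' comment removed."""
    return TOKEN_RE.findall(line.split(";", 1)[0])


def check_soa(zone_text):
    """Return a list of human-readable problems with the zone's SOA record."""
    lines = zone_text.splitlines()
    for start, line in enumerate(lines):
        toks = _tokens(line)
        upper = [t.upper() for t in toks]
        if "SOA" in upper:
            break
    else:
        return ["no SOA record found"]

    issues = []
    after = toks[upper.index("SOA") + 1:]
    if len(after) < 2:
        return ["SOA is missing MNAME (primary server) and/or RNAME (contact)"]
    values = after[2:]                 # everything past MNAME RNAME
    parenthesised = "(" in values
    if parenthesised:
        # Multi-line form: keep reading until ')' or until a new record starts.
        closed = ")" in values
        for line in lines[start + 1:]:
            if closed:
                break
            toks = _tokens(line)
            if not toks:
                continue               # blank or comment-only line
            if {t.upper() for t in toks} & RR_TYPES:
                break                  # next record began; ')' never came
            values.extend(toks)
            closed = ")" in toks
        if not closed:
            issues.append("missing close parenthesis: ')' never seen before "
                          "the next record")

    values = [v for v in values if v not in ("(", ")")]
    for v in values:
        if not TTL_RE.match(v):
            issues.append(f"non-numeric token {v!r} inside SOA: uncommented "
                          "text? (comments start with ';')")
    if len(values) != 5:
        msg = ("expected 5 SOA values (serial refresh retry expire minimum), "
               f"found {len(values)}")
        if not parenthesised:
            msg += "; without '(' ... ')' they must all sit on the SOA line"
        issues.append(msg)
    return issues


# Constructed samples, modelled on the zones discussed above.
BAD_ZONE = """$TTL 3600
johannesang.com. IN  SOA host.johannesang.com.  root.johannesang.com.   (
201204010042   1d12h 1w  3h
  Serial, Refresh, Retry, Expire, Neg. cache TTL
;DNS Servers
johannesang.com. IN  NS  host.johannesang.com.
"""

NO_PAREN_ZONE = """$TTL 3600
79.205.167.in-addr.arpa. IN  SOA host.johannesang.com.  root.johannesang.com.
201204010042   1d12h 1w  3h
"""

GOOD_ZONE = """$TTL 1H
@   IN  SOA ns3.example.com. hostmaster.example.com. (
2010100400  ; serial
1H  ; refresh
15M ; retry
2W  ; expiry
30M )   ; minimum
IN NS   ns.example.com.
"""

if __name__ == "__main__":
    for name, zone in (("bad", BAD_ZONE), ("no-paren", NO_PAREN_ZONE),
                       ("good", GOOD_ZONE)):
        print(name, "->", check_soa(zone) or "OK")
```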



Re: log error..

2012-04-01 Thread Jon Radel

On 4/1/12 3:21 AM, Robert Bonomi wrote:


Since you seem incapable of reading and following the directions for
creating properly formatted BIND zone files, even after having been
directed to those resources after your prior post, the best advice is
for you to either:
   1) Hire a knowledgeable professional to set it up for you.
-or-
   2) Contract with a knowledgeable operator to host your zones on *their*
  servers.


or

3) Find a fellow student locally who has figured it out and is willing 
to look over your files with you until you get it.


--Jon Radel
j...@radel.com



Re: Apple & FreeBSD relationship

2011-03-10 Thread Jon Radel


On 3/10/11 2:39 PM, Adam Vande More wrote:


On Thu, Mar 10, 2011 at 1:35 PM, Charlie Kester wrote:


Especially if you earmark it for a specific
project.



You can't do that via a donation to the FreeBSD Foundation, only offer a
suggestion.



If the amount of money is large enough, I strongly suspect you could 
negotiate an exception to that.


--

--Jon Radel
j...@radel.com
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"


Re: reverse dns in bind9

2011-03-28 Thread Jon Radel

On 3/28/11 7:21 AM, Tim Dunphy wrote:


Hello,

  Thanks for your reply!

   I took your advice and removed that line from resolv.conf and added
it into /etc/named/named.conf

   Now it looks like this

   // RFC 1912
zone "localhost"{ type master; file "master/localhost-forward.db"; };
zone "127.in-addr.arpa" { type master; file "master/localhost-reverse.db"; };
zone "255.in-addr.arpa" { type master; file "master/empty.db"; };
zone "192.in-addr.arpa" { type master; file "master/summitjnhome-reverse.db"; };

  And I did a restart of both network and named but the issue remains:


LBSD2# host 192.168.1.44
Host 44.1.168.192.in-addr.arpa. not found: 3(NXDOMAIN)




Nowhere do you mention that you moved all the PTR records into the 
192.in-addr.arpa zone where they belong, as noted by Robert Bonomi.  And 
why did you change


> zone "1.168.192.in-addr.arpa" { type master; file
> >> "/etc/named/master/summitnjhome-reverse.db"
> >> };
>

to

zone "192.in-addr.arpa" { type master; file 
"master/summitjnhome-reverse.db"; };


when your PTR lines only give the last octet?  Where do you expect the 
"168.1" to come from?


--Jon Radel
j...@radel.com




Re: reverse dns in bind9

2011-03-28 Thread Jon Radel

On 3/28/11 11:36 PM, Tim Dunphy wrote:


Now I could probably understand it FAILING due to perhaps a typo in
the config. But I am genuinely curious as to how forward lookups will
work and reverse lookups time out.


I would expect them to time out if your dns server knows nothing about 
the reverse zone; give or take how you connect to the rest of the DNS. 
What messages about zones loading did you get when you restarted bind? 
Were there any crabby comments in the log file about not loading 
master/summitnjhome-reverse.db due to error(s)?  Was that file mentioned 
at all?


--Jon Radel
j...@radel.com





Re: reverse dns in bind9

2011-03-28 Thread Jon Radel

On 3/29/11 12:05 AM, Tim Dunphy wrote:


hello

  no crabby comments on restart at all!

LBSD2# /etc/rc.d/named restart
Stopping named.
Waiting for PIDS: 4970.
Starting named.

Ah but yes some complaints from the logs

Mar 29 04:59:47 LBSD2 named[5469]: master/summitnjhome-reverse.db:10:
ignoring out-of-zone data (summitnjhome.com)
Mar 29 04:59:47 LBSD2 named[5469]: dns_master_load:
master/summitnjhome-reverse.db:11: unexpected end of line
Mar 29 04:59:47 LBSD2 named[5469]: dns_master_load:
master/summitnjhome-reverse.db:10: unexpected end of input
Mar 29 04:59:47 LBSD2 named[5469]: zone 1.168.192.in-addr.arpa/IN:
loading from master file master/summitnjhome-reverse.db failed:
unexpected end of input
Mar 29 04:59:47 LBSD2 named[5469]: zone 1.168.192.in-addr.arpa/IN: not
loaded due to errors.
Mar 29 04:59:47 LBSD2 named[5469]: running



Tho I am not sure why it's complaining about unexpected end of input

this is the whole file


Really?  Judging from the line numbers in the log messages, you're 
missing about 3 lines that, I would hope, include something like


IN SOA ns1.summitnjhome.com bluethunder.gmail.com (


 201103271 ; Serial, todays date + todays serial
 8H  ; Refresh
 2H  ; Retry
 4W  ; Expire
 1D) ; Minimum TTL
 NS  ns1.summitnjhome.com.
summitnjhome.com.

   doesn't make much sense as data in this zone, error message 1
^ Whoa, Nelly, where's the rest of this line? 
error message 2


Oh, never mind, I'm so out of here...ignore all that stuff below, 
messages 3 and 4



42   PTR LCENT01.summitnjhome.com.
43   PTR LCENT02.summitnjhome.com.
44   PTR LBSD2.summitnjhome.com.
45   PTR LCENT02.summitnjhome.com.
46   PTR LCENT03.summitnjhome.com.
47   PTR LCENT04.summitnjhome.com.
23   PTR virtcent01.summitnjhome.com.
24   PTR virtcent02.summitnjhome.com.
21   PTR virtcent03.summitnjhome.com.
26   PTR virtcent04.summitnjhome.com.
27   PTR virtcent05.summitnjhome.com.
28   PTR virtcent06.summitnjhome.com.
29   PTR virtcent07.summitnjhome.com.
30   PTR virtcent08.summitnjhome.com.
31   PTR virtcent09.summitnjhome.com.
32   PTR virtcent10.summitnjhome.com.
33   PTR virtcent11.summitnjhome.com.
34   PTR virtcent12.summitnjhome.com.
35   PTR virtcent13.summitnjhome.com.
36   PTR virtcent14.summitnjhome.com.
37   PTR virtcent15.summitnjhome.com.
38   PTR virtcent16.summitnjhome.com.
39   PTR virtcent17.summitnjhome.com.
40   PTR virtcent18.summitnjhome.com.
41   PTR virtcent19.summitnjhome.com.




--

--Jon Radel
j...@radel.com



Re: Linksys-E4200 Wireless N-router

2011-04-08 Thread Jon Radel

On 4/8/11 11:21 AM, Carmel wrote:


On Fri, 08 Apr 2011 12:51:41 +0100
Arthur Chance  articulated:


On 04/07/11 15:32, Carmel wrote:

Odhiambo, please don't CC me. I don't need multiple copies of the
same post.


CCing the original poster is standard etiquette on FreeBSD mailing
lists. Most lists are open to anybody to mail to without being signed
up, so when replying there's no way of knowing whether or not the
questioner will see a reply that only goes to the list. This is
especially true of freebsd-questions.


1) I have posted several times on this list and only received CC's on
two of them that I can recall. Obviously your standard is not so
standard.


That's the nice thing about standards, there are so many of them to 
choose from.




2) I placed a very clear notice at the bottom of my post(s). Many
people would consider that a clue as to my desire to receive multiple
copies of the same document.


Expecting people to actually read and react to your disclaimer...now 
that's *not* standard, given the wild proliferation of meaningless 
disclaimers necessitated by current thinking on various liability matters.




3) Perhaps it is only me; however, most of the major lists that I
employ all require a registration by the poster prior to being allowed
to post.


Try to be friendly and helpful to non-subscribers...much too old school 
for a modern dude like you, it appears.




4) I have seen several posts where the OP requested to be CC'd because
they were not registered members of the list. Obviously, they were
aware of the necessity of being CC'd or reading the archives in order
to review any posts to their request. Now, if someone is just so plain
stupid that they are not aware of that simple fact, then they are too
stupid to be posting to begin with.


You're conflating ignorance and stupidity.  Not really the same thing. 
Shall we have a rousing discussion as to whether this is ignorant or 
stupid of you?


Feh!



5) If you noticed, I asked Odhiambo very nicely not to include me in a
CC. I am sure he meant well; however, the inevitable destruction of
electrons in the transmission of the superfluous document could have
been avoided.



If you'd just shaken your head and gone away quietly, instead of making 
your numbered list and sharing with us all, a lot more electrons would 
have gone on to have happy, productive lives doing something useful. 
But, no, you had to move up the heat death of the universe by 3 seconds.


--

--Jon Radel
j...@radel.com



Re: Options for Secondary DNS Service?

2011-04-11 Thread Jon Radel

On 04/11/2011 06:10 AM, Maxim Khitrov wrote:

If you're able/willing to transfer your domain to gandi.net, they
offer free secondary dns service. It is enabled by adding
ns6.gandi.net as one of the nameservers. I've been using it without
any issues for a few years with djbdns as primary server.

- Max


On 4/11/11 7:58 AM, Pierre-Luc Drouin wrote:
>
> I was more looking for a slave server, since it would prefer to keep my
> primary server...
>
> Thanks!
>

Yes, that's what a secondary server is.

As Maxim said, gandi.net will provide a slave server as an option.  They 
will also provide all servers and allow use of their dashboard for 
maintaining records as a different option.


Don't top-post in this neighborhood, please.

--

--Jon Radel
j...@radel.com



Re: Unable to download FreeBSD

2011-04-20 Thread Jon Radel


On 4/20/11 9:23 AM, Ruben de Groot wrote:


On Wed, Apr 20, 2011 at 11:09:57AM +0530, Balaje Suri typed:

Hi FreeBSD Team,

When I try to download the FreeBSD distribution (by clicking on the link
that refers to location:
ftp://ftp.freebsd.org/pub/FreeBSD/releases/amd64/8.2-RELEASE) , I get an
error "425 Failed to establish connection".

Could you please let me know an alternate working link.


The link is good. You should probably configure your ftp client to use
passive mode.


And if ftp just won't cooperate with you, you can always go to

http://torrents.FreeBSD.org:8080/

grab a torrent file using HTTP and use a BitTorrent client to get what 
you need.  Unless, of course, your local firewall/network/ISP/etc blocks 
BitTorrent also.


--Jon Radel
j...@radel.com


Re: OT: Security question (openssl vs openssh)

2011-05-03 Thread Jon Radel


On 5/3/11 10:22 AM, Mark Moellering wrote:


Everyone,
I am looking into setting up a webserver to hold some very sensitive
information. I am trying to figure out which is more secure, forcing any
web connections to be done using an ssh tunnel or forcing ssl.
I have not been able to figure out if one is definitively much more
secure than another or if they are close to the same. I would have
initially thought the ssh tunnel was more secure but knowing that ssl
can use AES-256, I am now wondering if that isn't adding a complexity
for little extra security.

Thanks in advance

Mark Moellering


I'd say that that's a really hard problem to answer definitively, but my 
gut reaction is that the less complex solution is less likely to involve 
configuration screw-ups which compromise security.  Particularly if 
other administrators are or will be involved, that which is too clever 
just begs for innocent, even if clueless, changes that compromise 
assumptions upon which the security depends.


In any case, I'd worry more about how I handle user authentication and 
authorization than squeezing the last little drop of warm fuzzies out of 
the encryption setup.  To the extent that if you already have a fully 
trusted infrastructure in place for ssh keys, you might want to consider 
using ssh tunnels for that reason alone.


Or, to put it another way, if your security is going to fall, it's much 
more likely that it's going to involve a poor configuration choice, a 
user that screws up big time, or a "back door" to the data, than a 
successful "technical" attack against TLS or SSH.


--Jon Radel
j...@radel.com


Re: Home firewall with DLink router and FreeBSD

2011-05-05 Thread Jon Radel


On 5/5/11 8:37 PM, Leonardo M. Ramé wrote:


Hi, at home I have a DLink Dir 300 router to provide internet access for my 
home network. The network is composed of two Windows PCs, one Linux laptop and 
one FreeBSD server we use mainly for storage and as web/database server.

I must add, the server only has one network card.


It becomes difficult to use a server as a firewall unless you have an 
"inside" and an "outside" network.  Easiest is to simply add another 
network card, should that be possible on your server.  Another 
possibility is to use VLAN tagging and connect the server to a switch 
that understands VLANs.




I would like to know if it's possible to use the FreeBSD server as a Firewall 
for the whole network, securing LAN and WiFi connections. If this can be done, 
then how? Could you point me to some howto?



Yes.  I'd start on the FreeBSD website and start reading things that 
look useful.  If you're thinking about using pf as your firewall, which 
I'd personally recommend though other options are perfectly workable 
also, there's a nice document on the OpenBSD web site, IIRC.



P.S.: this is the 2nd time I send this email, the first time it got caught by 
SpamAssassin. Maybe because of a link in my signature.



We got both on the list.

--Jon Radel
j...@radel.com


Re: Newbie Needing Help

2011-05-08 Thread Jon Radel


On 5/8/11 8:17 PM, John or Judy Hixson wrote:


At the risk of being told to get out of here and never come back (until you 
know enough to not need to come back), I need help on some very elementary 
stuff. I haven't found anywhere else to ask these questions and am therefore 
taking my chances.



Ah, but you appear to be trying and you're certainly giving us useful 
information about what you're trying.  You're even reading a useful 
book.  So we're sometimes quite tolerant.  :-)



I'm trying to learn some FreeBSD in anticipation of eventually admining a FBSD 
server for my church office network. I've installed FreeBSD 7.4 on an old PC 
and am trying to follow along while reading Michael Lucas' book (2nd ed.).


Beautiful way to start.


Right now my problem is with the command line. Lucas makes a statement as follows: "If you want to see a 
comprehensive list of loader variables, check the default configuration file." Since there is no command 
"check", I have no idea what to use. What command will "check" a file?


Most, but not all configuration files of this nature are plain text 
files, though generally there are relatively strict rules about syntax 
which, alas, are not consistent across all parts of the system.



What I really want to do is "view" the file, but that command doesn't exist 
either.


You've already had a recommendation for using a text editor.  I'd 
suggest use of "less" which is a text file viewer.  Not using an editor 
makes accidental changes a bit less likely.


less <filename>
more <filename>
cat <filename>

will all show you the file, though with differing effects.  I generally 
use the first.  BTW, when you can explain the really bad Unix joke, 
"less is more than more," you'll be getting the hang of things.



Another problem that's throwing me for a loop is that even though I'm logged in as root 
I'm getting a "permission denied" return when I list a file (e.g. /etc/fstab) 
and press enter.



If you simply enter a filename at the prompt it tries to execute the 
file (give or take a whole bunch of details, such as what the search 
path for commands looks like, etc., etc.)  But, basically, any command 
is simply a file by that name somewhere in the file system, with the 
exception of the very short list of commands that are built into the 
shell (aka command line).  So if you type the name of a file all by 
itself at the command prompt, the shell is liable to try to execute, i.e. 
run, that file. Unless the file was written with an eye to being 
executed, this doesn't necessarily work out well so sometimes the shell 
simply refuses to do it.



This is no doubt the wrong place for simple questions like these so someone PLEASE 
tell me where better to go. Thank you.



Remember that for the really basic stuff, Unix is Unix is Linux, so any 
tutorial you find with a google search or two would apply.


--Jon Radel
j...@radel.com


Re: Skyip? question

2011-05-11 Thread Jon Radel


On 5/11/11 8:20 PM, Gary Kline wrote:


(How hard/easy would it be to hack out a better one...or do GOOG and YHOO
already have their own versions of skyip?)



Not all that trivial, really, but, frankly, rather beside the point. 
The value of communications networks is more than the technology, it's 
in whom you can communicate with using it.  So even if you were to hack 
out something more elegant than Skype, the vast majority of the world 
wouldn't care in the slightest, as they want to talk to their friends, 
family, and business associates, and have no interest in talking to you 
and the 137 hacking buddies who built the better mousetrap.


There's a reason the PSTN still does so well despite its 19th century, 
low-bandwidth, voice-only roots.





Lastly, a few years ago, somebody on this list said that skype was "free like
free beer."  Pretty sure they had that saying when I was a kid back in the
twelfth century, but still have no idea what it means, so I would appreciate it
from my fellow geeks who get that 'free-beer' swipe.


Free beer = you can use it without paying money, but the stuff behind 
the curtain is proprietary and you can't necessarily look, never mind play.


Free speech = you can do as you wish with the bits behind the curtain 
(give or take various license terms that can start religious wars)


I believe the term doesn't pre-date Linux; wasn't it first used when the 
unwashed masses started getting confused as to what it meant for Linux 
to be "free?"


BTW, I believe this discussion belongs over in the discussion list, as 
it has nothing to do with FreeBSD, so I will sin no more after this.


--Jon Radel
j...@radel.com


Re: Disable or limit email in root?

2011-05-26 Thread Jon Radel


On 5/27/11 12:16 AM, Jorge Biquez wrote:


Hello.

I am trying to find if sendmail was the problem or what... thing is not
that root receive email but that root was used to send email to a list
of address...


And what does it say in the logs?  We'll help you interpret them if you 
wish, but right now I've heard nothing but speculation and I've heard 
nothing to distinguish between:


1)  Somebody sent e-mail with root@ as the return address, or

2)  Somebody generated e-mail with a process running as root, or

3)  both.

Your sendmail log should tell you where sendmail thinks the e-mail came 
from and where it thinks it sent it.


Or you could start by telling us HOW you detected this problem.

--Jon Radel
j...@radel.com


Re: Long Day's Journey into

2011-06-08 Thread Jon Radel


On 6/8/11 11:53 PM, Chad Perrin wrote:

On Wed, Jun 08, 2011 at 05:56:59PM -0700, Gary Kline wrote:


I'm still bringing back the dozens of things I removed from ethic.
And testing new ideas.  But I have a general question: have any of
you wizards who run your own domains or otherwise use a switch [or
hub] *ever* had it just-quit?!  It is solid-state.  Yes, the box is
within my feet/foot reach.  I have accidentally kicked it I suppose,
but still.


I think I've just had ports die one by one on a switch until it no longer
worked.  I don't think I've ever had the whole thing go poof for no
evident reason.



Ditto.  Most recently a Cisco switch had a rather useful port go into a 
really weird state that didn't really look broken but bits 
just...weren't...flowing.  Took a while, and a lot of poking at the 
server in question, before we looked at each other and said, "Wait, 
we've been assuming the switch works, what if it isn't."


BTW, Gary, Linksys=Cisco is pretty much just a marketing thing and not a 
technology thing.


--Jon Radel


Re: free sco unix

2011-06-18 Thread Jon Radel


On 6/18/11 10:36 AM, Jerry McAllister wrote:


On Sat, Jun 18, 2011 at 03:28:24PM +0200, C. P. Ghost wrote:


On Sat, Jun 18, 2011 at 12:02 AM, Robert Bonomi
  wrote:

It's _MUCH_ simpler, to just sign and date a copy of the work, and have a
notary public 'witness' the signature.


True.

Without the service of a public registry of copyrighted works that (I think)
only the US offers, and when you need a legally binding "official stamp" of
some sort, you can go to a registered public notary. They're mildly expensive
though; certainly a lot more expensive than the US Copyright Office fees.


Have you ever had something notarized?   I have had many things.  It is
not generally expensive.  They ask $5 - $20 and many banks will have
someone who will do it for free if you have an account in the bank.
That is much cheaper than doing an officially USA registration.
What the Notary notarizes is your signature being done at that place and on
that date.

jerry


This stream of comments from people who, for reasons I can't quite 
fathom, but I like to give them the benefit of the doubt and figure that 
they really don't know how provincial they're being, figure that 
everything is *just*like*it*is*in*their*country*of*residence* is really 
becoming quite tedious.  Could we please stop it?


Face it folks, despite global commerce and a heap of treaties, the 
low-level mechanics of how banking, the courts, notarizing documents, 
applying for patents, registering copyrights, etc., etc., etc. work vary 
from country to country, sometimes rather wildly.


--Jon Radel
j...@radel.com
Adding terribly to the noise, once and only once


Re: unable to reach bsd-lists via mail

2011-06-18 Thread Jon Radel


On 6/18/11 11:53 AM, Christopher J. Ruwe wrote:


I have a problem with my mail-server configuration so that mail sent
will not reach any freebsd addresses. The solutions offered in similar
mails already accessible via various archives did not help :-(


And yet, yet, yet, here is your mail.  In duplicate no less.

Next time please:

1)  tell us what you actually mean by "will not reach"
2)  keep in mind that some mailing lists greylist incoming mail

In other words, be specific and patient.

--Jon Radel
j...@radel.com


Re: Two Networks on one System

2011-06-20 Thread Jon Radel


On 6/20/11 5:07 PM, Martin McCormick wrote:


We are moving a primary name server from network A to
network B on one of our branch campuses. If the secondary
interface was reachable from the world, we can change the whois
information and not worry about the exact second the change goes
in to effect.


Can networks A and B talk to each other?  I suspect not, otherwise 
things would be just working even if all traffic went to the primary's 
gateway, but I just wanted to check that there wasn't something else bad 
happening.


On the assumption that A and B are completely disconnected, then the 
only solution for this problem that I know of is to do policy-based 
routing using the source address or interface to make routing decisions, 
rather than using solely the destination address.


This is actually relatively trivial to do using PF.

pass in on nic_a reply-to ($nic_a $gw_a)
pass in on nic_b reply-to ($nic_b $gw_b)

with the various interfaces named appropriately and variables set to 
match should get you much of the way there.  If you're using a slightly 
older version of PF, where keeping state on connections is not the 
default, you'll have to add state maintenance options to the lines.  If 
you want packets to local machines to not go to the gateways and do 
u-turns there, you'll have to add a bit of filtering based on addresses, 
etc., etc.


The explanation for the first line is more or less:

For any new "connection" that comes in on NIC A, add an entry to the 
state table indicating that any reply packets should physically go out 
NIC A and should be passed to the next hop at address $gw_a.


WARNING:  I use PF primarily on OpenBSD so sometimes get caught out on 
the subtle differences to the FreeBSD version.


--Jon Radel
j...@radel.com
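An added example, not from the thread: the two reply-to lines above fleshed out into a minimal pf.conf with the macros defined, explicit state keeping for the older pf versions mentioned, and a pair of rules so hosts on the directly attached networks are answered without the u-turn through the gateways. Interface names and addresses are placeholders.

```pf
# Placeholder interfaces, gateways and directly attached networks.
nic_a = "em0"
nic_b = "em1"
gw_a  = "192.0.2.1"
gw_b  = "198.51.100.1"
net_a = "192.0.2.0/24"
net_b = "198.51.100.0/24"

# Hosts on the directly attached networks are reachable without a gateway,
# so answer them normally instead of bouncing replies off $gw_a / $gw_b.
pass in quick on $nic_a from $net_a keep state
pass in quick on $nic_b from $net_b keep state

# Everything else: the state entry records which NIC the connection arrived
# on, and replies leave that NIC towards that NIC's gateway regardless of
# the default route.  "keep state" is implicit on newer pf, required on old.
pass in on $nic_a reply-to ($nic_a $gw_a) keep state
pass in on $nic_b reply-to ($nic_b $gw_b) keep state
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then watch `pfctl -ss` to confirm states are created with the expected reply-to interface.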


Re: Two Networks on one System

2011-06-20 Thread Jon Radel


On 6/20/11 6:30 PM, Gary Gatten wrote:


I was kinda going this route as well - policy based routing type thing, but, is there an 
"easier" way?


Not that I know of given a constraint of completely disjoint networks. 
However, I won't be too terribly surprised if somebody comes up with 
something elegant that makes us all go, "Ooo, what a disgustingly 
neat hack."




1.) Temporarily enable ipforwarding - not my favorite
2.) Instead of a second NIC, bind the new IP to the org nic (alias).

man ifconfig specifically mentions using alias during ip renumbering:


Yes, if you've got a single network and are renumbering it.  As I 
understand it, the OP has 2 networks, which is an entirely different 
matter.


--Jon Radel
j...@radel.com


Re: Two Networks on one System

2011-06-20 Thread Jon Radel


On 6/20/11 8:32 PM, Jerome Herman wrote:


pass in on $nic_a reply-to ($nic_a $gw_a)
pass in on $nic_b reply-to ($nic_b $gw_b)

 From what I understand, there are two different ISP providing access to
two different interfaces. In this case I am very concerned with all the
bizarre things that a reply-to might trigger.
What I mean is that nothing guarantees that a distant address will
access the box from the same interface every time.


Who cares?  The interfaces have different addresses so any traffic that 
belongs together will go to only one interface.  It's not like machines 
out there will alternate packets to two different destination IP 
addresses.  They might alternate "connections," for a very broad 
definition of "connections," but that shouldn't present a problem.


As for the rest, I think you're going waay beyond what the OP 
described as his problem:  Setup two interfaces with different addresses 
which make use of different gateways as the addresses belong on 
different networks.  Allow traffic to go to one address on one network 
until DNS glue records are changed and traffic starts going to a second 
address on a second network.


I would suspect that he has stateful firewalls and/or anti-spoofing 
rules upstream from him that keep him from replying to everything out a 
single interface.  If it weren't for that, I suspect we wouldn't be 
having this discussion.


--Jon Radel
j...@radel.com


Re: Two Networks on one System

2011-06-21 Thread Jon Radel


On 6/21/11 6:41 AM, Damien Fleuriot wrote:




On 6/21/11 2:32 AM, Jerome Herman wrote:

On 21/06/2011 00:13, Jon Radel wrote:



So depending on the client route, packets from a given IP address can
land on either interface. Actually two clients nated behind the same
public address might end up on both interfaces at the same time.
Even though your solution should work 99% of the time , it can lead to
pretty strange behavior. I am not completely sure of how reply-to works,
notably with keep state (and of course OpenBSD manuals on PF are down
right now, at least from here). I remember attempting similar setups and
having quite a lot of trouble with ICMP (especially RST for that matter).



I most emphatically did NOT write that.  Somebody else isn't quoting 
properly.


--Jon Radel


Re: Two Networks on one System

2011-06-21 Thread Jon Radel


On 6/21/11 7:28 AM, Martin McCormick wrote:


The problem I have, probably due to a misunderstanding
of what I need to do, is easy to describe.

The defaultrouter statement in rc.conf or

route add default x.x.x.x

from the command line sets an interface to know that packets
whose destinations or sources that are outside the subnet go to
that default gateway.


There is only one default gateway per FreeBSD machine.



When I set up the secondary interface, I have not been
able to come up with a statement or statements that tell fxp1
that its default router is y.y.y.y so you can't ever reach it
from outside the new subnet.



This, in of itself, doesn't follow.  In the absence of stateful 
firewalls and anti-spoofing filtering (blocking packets that don't have 
a source IP address on the "expected" list), or a complete disconnect 
between your networks, any packet coming in fxp1 can have a reply go out 
fxp0, to the default gateway, and get where it's going just fine.  We 
can quibble over the finer details of the evils of asymmetrical routing 
some other day, but fundamentally an IP network doesn't care in the 
SLIGHTEST which route a packet takes to get where it's going.




I have tried both a second physical connection and an
alias and have ended up with the same behavior each time. Since
we have the second NIC active, I prefer to use it if I can ever
get it to use its router just like the primary interface does.


As hinted at above, this is possibly not a FreeBSD issue at all. 
Without knowledge of how your network actually works, there's not too 
much more to be said, but one of the following should be true:


1)  You don't have stateful firewalling and anti-spoofing filtering in 
the way, and something on your network is broken, as the default FreeBSD 
behavior should simply work if you've got a network that is simply 
transitioning from one set of addresses to another.


2)  If you really can't reply to the same default gateway for 
everything, you'll need to do either policy-based routing or add more 
specific routes, depending on whether outgoing traffic can be segregated 
by source address, destination address, etc.


However, since it appears that you don't actually have 2 networks at 
all, given your clarification that you've tried an interface alias, I'm 
left with one key question:


Are your two gateways two different interfaces, or one interface with 
two different IP addresses?


If the former, I'd try policy-based routing.  If the latter, I'd check 
my firewall rules really carefully.


Next step in any case should probably be to do some packet sniffing to 
confirm that packets from the outside world to the new address actually 
get to you in the first place.  Or have you confirmed this from DNS logs 
or something else?


--Jon Radel
j...@radel.com


Re: top-posting 'condescending asshats' (to use Ryan Coleman's description of himself)

2011-08-03 Thread Jon Radel


On 8/3/11 3:01 PM, Robert Bonomi wrote:


*ANY* situation where the elapsed time between messages is longer than the
recipient's ability to retain the 'frame of reference' (i.e., the previous
message) in memory, it _is_ harder for the recipient of the message to follow
top-posted content than interleaved/bottom-posted.  They _do_ have to scan
back-and-forth to find out (first) _what_ is being talked about,and (then)
what the response is.


But you can learn so very many interesting things if you read down to 
the part that has the internal discussion about what they wish to tell 
you, which they completely lose track of by the time they send you a 
nice sanitized statement way up top.....   ;-)


--Jon Radel
j...@radel.com


Re: wheel group & mkdir

2011-09-06 Thread Jon Radel

On 9/6/11 7:13 PM, Fbsd8 wrote:


Thanks for your reply. I have a user id that is in the wheel group. I su
and get prompted for the user id's password after which I get returned
to the command line. Running the script with the mkdir command embedded
still returns Permission Denied message. I have read the su man page to
no joy. Could you please explain the sequence of events to get su to work.


Since you're the one having the issue you wish to have resolved, you 
might want to take it upon yourself to tell us *exactly* what you're 
typing, what the results are, and what you'd prefer to have happen 
instead.  We can guess what you're doing when you say "I su and get 
prompted for the user id's password after which I get returned to the 
command line," but given the root problem is that you don't fully 
understand the su command, it's hard to be certain what you mean by that.


Going out on a limb, however, I'll point out that, when you're logged in 
as fred


su - fred

doesn't do much for you as you remain fred, whereas, what was meant in 
the suggestion to you was something more along the lines of


su -

which, if you enter root's password, leaves you as root.  (Or gives you 
a shell with root's privileges to be a bit more precise.)


But, again, I'd suggest that this would go faster if you provide what 
you're doing and what the results are rather than what you think you're 
doing and what you think the results mean.


To recap: Cut and paste what's actually happening, not your summary of same.

--

--Jon Radel
j...@radel.com



Re: Please secure your FTP access

2011-09-16 Thread Jon Radel


On 9/16/11 1:37 PM, David Demelier wrote:



For me, I have tested a lot of mail clients and I was always able to
write text under the last message. And even Microsoft Outlook.


Though your current client does appear to keep you from trimming.


--

--Jon Radel
j...@radel.com



Re: [OT] but concerns all of us

2011-11-17 Thread Jon Radel


On 11/17/11 9:02 AM, Rod Person wrote:



As someone that has been stopped because of how I look and where I live, I
find the 'only those that break laws have reason to fear them argument'
extremely naive.



To put it mildly.  Before you know it, records of what you've been up to 
on the Internet will be discoverable in your divorce proceedings when 
your soon-to-be-ex-spouse decides to go for the nuclear option.  Now, 
not only will you have to pull the battery from your cell phone and pay 
cash at all toll plazas, but you'll have to hit a different "Internet 
Cafe" and pay cash every time you surf the web.


--Jon Radel
j...@radel.com


Re: Alternative to syslogd that actually writes external logs to files?

2011-11-28 Thread Jon Radel


On 11/28/11 6:42 PM, Kaya Saman wrote:



However, when using tcpdump it shows that rsyslog is infact receiving
information but still unfortunately not logging to file???


# tcpdump -tlnvv -i em0 port 514
tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 96
bytes
IP (tos 0x0, ttl 255, id 1875, offset 0, flags [none], proto UDP (17),
length 142)
192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 114
Facility local7 (23), Severity notice (5)
Msg: 11578: 011565: Nov 28 23:34:19.475: %SYS-5-CONFIG[|syslog]



File permissions are correct as I got rsyslog to create the file from
scratch...

What am I missing here?


Have you tried with all firewalling on the machine turned off?

[My apologies if this has been covered earlier in the thread and I 
missed it.]


--Jon Radel
j...@radel.com


Re: ipfw And ping

2011-12-02 Thread Jon Radel


On 12/1/11 6:25 PM, Tim Daneliuk wrote:


I have a fairly restrictive ipfw setup on a FBSD 8.2-STABLE machine.
Pings were not getting through so I added this near the top
of the rule set:

#
# Allow icmp
#

${FWCMD} add allow icmp from any to any


It does work but, two questions:

1) Is there a better way?


Consider allowing only the ICMP that does things you want to do.  Google 
something like "icmp types to allow" for some hints and opinions.  Just 
as an example, you can independently control being able to ping others 
and others being able to ping you.



2) Will this cause harm or otherwise expose the server to some
vulnerability?


Well, if you allow all ICMP types, it's possible to make your little 
packets go places you didn't really want them to go, and similar network 
breakage.  You can also find those who feel strongly that allowing 
others to ping your machines gives them way too much information about 
what you have at which IP address.  On the other hand, working ping and 
traceroute can be very handy to figure out what's wrong when the network 
breaks.  But do you open up access on your server?---well not so much, 
though having said that I'm ready for somebody to remind me of some 
obscure attack that uses ICMP for more than information gathering.  :-)


--Jon Radel
j...@radel.com
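Jon's suggestion of allowing only the ICMP you actually need, and controlling "I can ping you" separately from "you can ping me", written out as an added example (not rules from the thread). It reuses the ${FWCMD} variable from Tim's rule script; the starting rule number 1000 is an assumption, and FWCMD=echo dry-runs the rules without touching the firewall.

```sh
#!/bin/sh
# Added example, not from the thread: allow only the ICMP types a server
# normally needs instead of "allow icmp from any to any".  FWCMD is the same
# variable the original rule script uses; FWCMD=echo prints the rules instead.
FWCMD="${FWCMD:-/sbin/ipfw}"

# ICMP types (RFC 792): 0 echo-reply, 3 destination-unreachable (which carries
# "fragmentation needed", so PMTU discovery depends on it), 8 echo-request,
# 11 time-exceeded (what traceroute listens for).  Redirects (5) and everything
# else never get in.
icmp_rules() {
    n=${1:-1000}                      # first rule number; assumed to be free
    # Inbound: let others ping us.  Drop this line to be invisible to ping.
    $FWCMD add "$n" allow icmp from any to me icmptypes 8;     n=$((n + 10))
    # Our replies to those pings.
    $FWCMD add "$n" allow icmp from me to any icmptypes 0;     n=$((n + 10))
    # Outbound: let us ping others, and accept only echo-reply back.
    $FWCMD add "$n" allow icmp from me to any icmptypes 8;     n=$((n + 10))
    $FWCMD add "$n" allow icmp from any to me icmptypes 0;     n=$((n + 10))
    # Error messages in both directions so TCP/UDP and traceroute keep working.
    $FWCMD add "$n" allow icmp from any to me icmptypes 3,11;  n=$((n + 10))
    $FWCMD add "$n" allow icmp from me to any icmptypes 3,11;  n=$((n + 10))
    # Anything else ICMP is dropped and logged, so surprises show up in the log.
    $FWCMD add "$n" deny log icmp from any to any
}

# "sh icmp_rules.sh load [first-rule-number]" installs the rules; without
# arguments the file only defines the function so it can be sourced.
case "${1:-}" in
    load) icmp_rules "${2:-1000}" ;;
esac
```

Run it once with `FWCMD=echo sh icmp_rules.sh load` to eyeball the seven rules, then `ipfw show` after loading to see which counters move; if the "deny log" line starts counting, something on your network relies on a type you did not allow.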


Re: Diljot kor wants to chat

2011-12-13 Thread Jon Radel


On 12/13/11 8:23 AM, Diljot kor wrote:


---

Diljot kor wants to stay in better touch using some of Google's coolest new
products.


The "invite everyone in your address book" feature is evil, yes?  Be 
careful out there.


--Jon Radel
j...@radel.com


Re: what is from [sic (wrong)] with this picture? -- Answer: It's Ubuntu, not FreeBSD

2010-09-29 Thread Jon Radel

 On 9/29/10 4:24 PM, Gary Kline wrote:

Yes!  changing the line in main.cf lets things get thru to my
server cleanly, thanks for the tip.  I still don't understand
what's wrong with my DNS files.  Hopefully, other folk on-list
will see what's messed up.


Your domain registrar is having your dns delegated to 3 nameservers:

thought.org.            86400   IN      NS      ns1.thought.org.
thought.org.            86400   IN      NS      ns1.silvertree.org.
thought.org.            86400   IN      NS      ns1.twisted4life.com.
;; Received 142 bytes from 2001:500:48::1#53(b2.org.afilias-nst.org) in 32 ms


The last of the 3, ns1.twisted4life.com, is of the opinion that your 
domain doesn't exist, given that it has no authoritative data and 
refuses to do recursive lookups for the Internet at large.  I would 
suspect that this would result in the coming and going visibility that 
others have reported.  Basically, you don't exist a third of the time.


You need to make sure that all the nameservers you list with your 
registrar are actually admitting to your existence and are getting 
up-to-date data.  I recall having this conversation with you before.


--

--Jon Radel
j...@radel.com




Re: Which OS for notebook

2010-10-05 Thread Jon Radel

 On 10/5/10 7:31 AM, Carmel wrote:


I realize that at this point someone will inevitably chime in and play
the "blame the manufacturers" whine. If that were factually correct,
then no one else would be able to supply drivers and support for
hardware that FreeBSD has left orphaned.

I'm somewhat unclear on how that follows.  Might it not be that many 
manufacturers, busily dealing with Microsoft, and easing into Linux now 
that it has significant "mindshare," have simply decided that there's no 
economic benefit to releasing detailed hardware specs in a form that 
works for FreeBSD developers?  I really fail to see why you think the 
fact that the manufacturer itself has released binary drivers for 
Windows, and possibly Linux, and/or released hardware specs under NDA 
(non-disclosure agreement) to certain business partners, has any bearing 
on whether sufficient information to write a driver is available to any 
FreeBSD programmer with permission to use it to write an open source driver.


--

--Jon Radel
j...@radel.com




Re: ssh key authentication problem...

2010-10-28 Thread Jon Radel


On 10/28/10 3:39 PM, Peter Harrison wrote:

Can anyone help me debug an ssh key-based authentication problem?

I have an 8.1-R server running sshd, with one user account. On the server, I've 
used ssh-keygen to generate id_rsa  and id_rsa.pub.

On my laptop I then pulled the id_rsa.pub file over and:

% cat id_rsa.pub >> .ssh/authorized_keys

Either I'm having reading comprehension problems, or you've got things 
backwards.  If you're trying to login into the server across the 
network, the id_rsa.pub file goes into .ssh/authorized_keys file on the 
server, and the id_rsa file lives on your laptop, all nicely secured 
with a passphrase in case somebody steals your laptop.


--Jon Radel
j...@radel.com
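The right way round, as an added example (not commands from the thread): the private key is generated on the laptop and never leaves it, and only the public half is appended to authorized_keys on the server. The install_pubkey function does what ssh-copy-id does, with the file modes sshd's StrictModes insists on and without adding the same key twice; the second argument (home directory) exists only so it can be exercised against a scratch directory.

```sh
#!/bin/sh
# Added example, not from the thread.
#
# On the laptop (client):
#   ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa     # give it a passphrase
#   ssh-copy-id -i ~/.ssh/id_rsa.pub user@server   # or copy id_rsa.pub over
#                                                  # and run install_pubkey there
#
# On the server: append the public key to the account's authorized_keys.
install_pubkey() {
    pubkey_file=$1            # the copied id_rsa.pub
    home_dir=${2:-$HOME}      # target account's home; 2nd arg is for testing
    key=$(head -n 1 "$pubkey_file")
    # Refuse anything that is not a public key line (e.g. the private key
    # copied by mistake, the exact inversion the OP ran into).
    case "$key" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) ;;
        *) echo "not a public key: $pubkey_file" >&2; return 1 ;;
    esac
    auth="$home_dir/.ssh/authorized_keys"
    mkdir -p "$home_dir/.ssh"
    # sshd (StrictModes yes, the default) ignores the key file if ~/.ssh or
    # the file itself is writable by group or others.
    chmod 700 "$home_dir/.ssh"
    touch "$auth"
    chmod 600 "$auth"
    # Idempotent: only append if this exact line is not there yet.
    if ! grep -qxF "$key" "$auth"; then
        printf '%s\n' "$key" >> "$auth"
    fi
    grep -cxF "$key" "$auth"      # prints 1: the key is present exactly once
}
```

If login still falls back to a password afterwards, `ssh -v user@server` on the laptop shows which key it offered, and `/var/log/auth.log` on the server says why it was rejected (bad modes on ~/.ssh are the usual reason).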




Re: ATTN GARY KLINE

2010-11-03 Thread Jon Radel

On 11/4/10 1:29 AM, Polytropon wrote:

On Wed, 3 Nov 2010 21:51:04 -0500, Ryan Coleman  wrote:

He likely won't.  This was pointed out to him two months ago
and nothing's been fixed.

Seems to be fine from here:

% nslookup -type=any thought.org
Server:  192.168.100.1
Address: 192.168.100.1#53

Non-authoritative answer:
thought.org mail exchanger = 10 ethic.thought.org.
thought.org nameserver = ns2.everydns.net.
thought.org nameserver = ns1.thought.org.

Authoritative answers can be found from:

% host ethic.thought.org
ethic.thought.org has address 209.180.213.210

% host ns1.thought.org
ns1.thought.org has address 209.180.213.210

% host ns2.everydns.net
ns2.everydns.net has address 208.76.62.100
% ping -c 3 ns2.everydns.net
PING ns2.everydns.net (208.76.62.100): 56 data bytes
64 bytes from 208.76.62.100: icmp_seq=0 ttl=54 time=107.684 ms
64 bytes from 208.76.62.100: icmp_seq=1 ttl=54 time=107.073 ms
64 bytes from 208.76.62.100: icmp_seq=2 ttl=54 time=107.046 ms

--- ns2.everydns.net ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 107.046/107.268/107.684/0.295 ms

Or am I misreading that?



You're overlooking the fact that ns2.everydns.net refuses to respond to 
queries about thought.org, though it is happy to respond to queries 
about everydns.net.  When half the servers for your zone refuse to 
answer, things work less than 100%.  On the other hand, I don't think 
things are completely broken.  Actually they're less broken than Gary's 
DNS frequently is; it gets discussed on a regular basis for a reason.


So is the last octet of ns1.thought.org's address 209 or 210?  ;-)

--

--Jon Radel
j...@radel.com
Consistency is the hobgoblin of little minds.




Re: Installed memory today, questions immediately

2010-11-04 Thread Jon Radel

On 11/4/10 10:13 PM, justin v wrote:


I installed 4GB of memory today.  I rebooted and see this, the first 
line after the splash menu thing:


983040K of memory above 4GB ignored

dmesg shows avail mem amount and I am concerned as well:

real memory  = 4294967296 (4096 MB)
avail memory = 3139940352 (2994 MB)

is a stick bad perhaps?

Start by reading 
http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/faq/compatibility-memory.html


If that doesn't cover it, come back here and include a little 
information about the version of FreeBSD and the hardware you're using.


--

--Jon Radel
j...@radel.com




Re: ATTN GARY KLINE

2010-11-04 Thread Jon Radel

On 11/5/10 12:22 AM, kline wrote:


I'm using evo to be able to click on.  I have fewer ``Fail'' type
responses, but do not understand the failure messages.  Also, since it
has been 9.5 years since I read DNS AND BIND, the jargon is lost.  What
does "glue" mean? and how should I resolve?

It is time to  get this stuff arrow-straight, so hoping that someone
on-list can clue me in.


tx,


gary

http://www.dnscog.com/report/thought.org/1288928790

If your parents, the nameservers authoritative for .org, tell the world 
that one of the nameservers for thought.org is ns1.thought.org, they 
also have to tell the world what the IP address for ns1.thought.org is 
using an A record.  That A record is glue.  Otherwise you get a machine 
conversation something like:


Resolving nameserver trying to find a record in the thought.org zone 
(RN):  Please Mr. root server, I'd like to know about www.thought.org

Root:  See the .org folks over there
RN:  Please Mr. top-level dude, about that www.thought.org
Org: Well, see ns1.thought.org
RN:  Ahem, I'm trying to find out basic stuff about thought.org and I 
don't know the address for ns1.thought.org in order to ask it

Org:  Well, ask ns1.thought.org what the address for ns1.thought.org is...
RN:  But, but, but... followed by petulant stomping off

Glue A records fix that problem.

BTW, the fact that a glue record isn't returned for ns2.everydns.net in 
response to a query about NS records for thought.org really isn't a 
problem; note the "info" rather than "fail" from DNSCog.


Biggest problem I still see is that ns2.everydns.net refuses to respond 
to queries about thought.org.  You sure your account there is still 
active and functional and that you're allowing zone transfers to them?  
I note that you don't allow transfers from arbitrary addresses, and 
http://www.everydns.com/faq/secondary-domain/example-setup does warn 
that the source address for transfer requests was/will/did change.


Some of the problems reported by DNSCog appear to be bogus.  They've got 
some bugs related to cases where a nameserver has a name in the domain 
in question.  (And also some bugs related to nameservers which are 
reachable by both ipv4 and ipv6, but that doesn't apply to you.)


--

--Jon Radel
j...@radel.com
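The check behind both of the thought.org diagnoses above (ns1.twisted4life.com answering that the domain does not exist, ns2.everydns.net refusing queries about the zone), as an added example that is not from the thread: ask every delegated nameserver directly, with recursion turned off, and accept only an authoritative answer. The parsing is plain sh and sed; the live query needs dig(1) from dns/bind-tools. The hostnames and message IDs in the test data are constructed.

```sh
#!/bin/sh
# Added example, not from the thread: verify that every nameserver delegated
# for a zone actually answers authoritatively for it.

# Read one dig(1) reply on stdin.  Succeed only for status NOERROR with the
# "aa" (authoritative answer) flag set.  REFUSED, SERVFAIL, or a NOERROR
# answer without "aa" (a server that merely recursed for us, or is lame)
# all mean "this server is not serving the zone".
ns_is_authoritative() {
    reply=$(cat)
    rcode=$(printf '%s\n' "$reply" | sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p')
    flags=$(printf '%s\n' "$reply" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p')
    [ "$rcode" = "NOERROR" ] && printf ' %s \n' "$flags" | grep -q ' aa '
}

# Ask each delegated server for the zone's SOA with recursion disabled, so a
# recursive-only resolver cannot fake an answer by forwarding the question.
# "dig +short NS" takes the NS set from your local resolver; to see exactly
# what the registrar pushed into the parent zone, compare with "dig +trace".
check_delegation() {
    zone=$1
    broken=0
    for ns in $(dig +short NS "$zone"); do
        if dig +norecurse +noall +comments @"$ns" "$zone" SOA | ns_is_authoritative; then
            echo "ok      $ns"
        else
            echo "BROKEN  $ns  does not answer authoritatively for $zone"
            broken=$((broken + 1))
        fi
    done
    [ "$broken" -eq 0 ]
}

# Usage: sh check_delegation.sh example.org
case "${1:-}" in
    "") ;;
    *)  check_delegation "$1" ;;
esac
```

A server that shows up BROKEN here is the "you don't exist a third of the time" case: resolvers pick nameservers more or less at random, so a fraction of the world gets NXDOMAIN or REFUSED while the rest works. For a secondary that refuses the zone, the next thing to check is whether zone transfers from the primary are actually allowed from the secondary's current source address.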




Re: THE SPAM WE GET [stop fretting and read]

2010-12-10 Thread Jon Radel

On 12/10/10 9:46 AM, Ryan Coleman wrote:

No, this list does not.

As I mentioned yesterday, this is an unmonitored, unnannyed list that accepts 
emails from addresses without checking authenticity... meaning I can post from 
4 emails (and I have) and not be subscribed on each address.

Spoofing email addresses has happened for years, and with this list's archives 
being publicly available online it's been happening for a while and will 
continue to happen until the rules may or may not be changed.

--
Ryan

If this discussion is about the same wave of spam I've been getting 
examples of in the last couple of days, it should be noted that the mail 
isn't coming via the mailing list at all.  Somebody is harvesting e-mail 
addresses and subject lines from a month or more ago and sending the 
spam directly.


Folks, you have to read the headers if you want to have a sensible 
discussion about specific instances of spam.  If you don't, you're 
simply sending yet more noise that's kinda sorta pretending to be signal.


My personal rule of thumb with spam is to assume that absolutely 
everything involved is a lie, this leading to a more accurate overall 
assessment than the naive thought that any of it might possibly be true 
just because of some social contract.  After careful analysis, you 
*might* conclude that a few things actually are true, but that's 
different than assuming they are.  So, Subject: that look like they're 
from the FreeBSD mailing list: lie.  From: address that of somebody you 
discussed that topic with on the mailing list: lie.   Date:: lie.  All 
lies with one goal, to get you to click through on a URL that is *not* 
(another lie, get it?) in your self-interest to visit.


--

--Jon Radel
j...@radel.com




Re: Is there a 'Y' (i.e. branch) version of a command pipe?

2011-01-08 Thread Jon Radel

On 1/8/11 10:30 PM, Modulok wrote:

List,

Is there a command that lets me send standard input to two different
places at the same time? (i.e. non-sequentially.) Think of it like a
pipe character, but with a 'Y' branch instead. Basically, I want to
record standard input to a log file, but also send it to another
command for processing.


Think T, not Y, and then type

man tee

which I suspect does exactly what you want.

--

--Jon Radel
j...@radel.com




Re: harddrive encryption

2011-01-17 Thread Jon Radel

On 1/17/11 5:53 PM, Roland Smith wrote:

Do not rely on a keyfile that resides on a disk in the machine (that would
make encryption futile)! Use a passphrase instead.

I'd think that depends on your use case.  If you're encrypting removable 
drives and then shipping them elsewhere, such as for off-site backup, 
and you trust the physical security for the computer a lot more than you 
trust the courier and/or storage site


Of course, I would agree that that's probably not what the OP has in 
mind.  :-)


--

--Jon Radel
j...@radel.com
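Jon's use case spelled out as an added example (not commands from the thread): geli(8) keyed from a file with no passphrase, which is only sensible when the disk travels and the host holding the key file does not. The device name, key path and cipher settings are assumptions for illustration; GELI=echo dry-runs the geli commands so the script can be exercised without a disk.

```sh
#!/bin/sh
# Added example, not from the thread: geli with a key file for removable
# backup disks.  The key never leaves the host; a stolen disk is useless.
GELI="${GELI:-geli}"

# Create a 64-byte random key file readable only by root (the geli(8) manual's
# own recipe).  Losing it, or the host, means losing every disk keyed with it,
# so keep a copy somewhere the disks never travel to.
make_keyfile() {
    kf=$1
    umask 077
    dd if=/dev/random of="$kf" bs=64 count=1 2>/dev/null
    chmod 600 "$kf"
    [ "$(wc -c < "$kf" | tr -d ' ')" -eq 64 ]
}

# Initialise a disk: -P no passphrase, -K key file, AES-XTS with a 256-bit
# key, 4 KiB sectors (saves per-sector overhead on large disks).
backup_disk_init() {
    dev=$1; kf=$2
    $GELI init -P -K "$kf" -e AES-XTS -l 256 -s 4096 "$dev"
}

# Attach with the key file only (-p: never prompt for a passphrase), after
# which /dev/<dev>.eli can be newfs'd and mounted like any other disk.
backup_disk_attach() {
    dev=$1; kf=$2
    $GELI attach -p -k "$kf" "$dev"
}

# Usage:  sh backup_geli.sh init /dev/da0 /root/backup.key
#         sh backup_geli.sh attach /dev/da0 /root/backup.key
case "${1:-}" in
    init)   make_keyfile "$3" && backup_disk_init "$2" "$3" ;;
    attach) backup_disk_attach "$2" "$3" ;;
    *) ;;
esac
```

The threat model is the courier and the off-site shelf, not the machine room: if the host itself can be walked off with, the key file goes with it and Roland's objection applies in full, so for a disk that stays in the machine use a passphrase (or a key file on a removable token) instead.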




Re: vm ware

2011-01-19 Thread Jon Radel

On 1/19/11 3:41 AM, rafay awan wrote:

Hi,
  I want to inquire if its possible to install freeBSD on vm ware?
  is there any live cd iso available?

See 
http://www.vmware.com/resources/compatibility/search.php?deviceCategory=software


Yes, though I suspect you mean to ask a more specific question which I 
can't discern.


--

--Jon Radel
j...@radel.com




Re: questions on bind9-3.6-P1

2011-01-24 Thread Jon Radel

On 1/24/11 2:33 PM, Gary Kline wrote:


Okay, since my prev question caught no wizards, how about looking at
the errors from bind-9.3.6? [I rebuilt this from the src tarball; it
finally installed; I fixed some obvious errors, but several remain.

Here is the log file where bind9 fails on "em0", my NIC in my server.
This is one failure that is simply over my head.

+++

Jan 24 11:14:55 ethic named[59747]: starting BIND 9.3.6-P1 -c 
/var/named/etc/namedb/named.conf
Jan 24 11:14:55 ethic named[59747]: could not listen on UDP socket: address in 
use
Jan 24 11:14:55 ethic named[59747]: creating IPv4 interface em0 failed; 
interface ignored
Jan 24 11:14:55 ethic named[59747]: could not listen on UDP socket: address in 
use
Jan 24 11:14:55 ethic named[59747]: creating IPv4 interface lo0 failed; 
interface ignored
Jan 24 11:14:55 ethic named[59747]: not listening on any interfaces
Jan 24 11:14:55 ethic named[59747]: couldn't add command channel 127.0.0.1#953: 
address in use
Jan 24 11:14:55 ethic named[59747]: couldn't add command channel ::1#953: 
address in use
Jan 24 11:14:55 ethic named[59747]: could not listen on UDP socket: address in 
use
Jan 24 11:14:55 ethic named[59747]: creating IPv4 interface em0 failed; 
interface ignored
Jan 24 11:14:55 ethic named[59747]: could not listen on UDP socket: address in 
use
Jan 24 11:14:55 ethic named[59747]: creating IPv4 interface lo0 failed; 
interface ignored
Jan 24 11:14:55 ethic named[59747]: running
+++

Can anybody explain why (eg) the lo0 failed or was ignored.  And
why bind9--now officially at its EOLife--has trouble creating an
IPv4 interface with my NIC, em0?  Do I have to do something very simple?
like rebooting?



It appears to be complaining that you're already running another piece 
of software that is listening on all those ports.  I'd be guessing 
another copy of bind.  Try:

ps uxwwa | grep named

and see what all is running.  If you're dealing with a bind from base 
and bind from ports I could see you trying to start both of them.  Do 
you have named files in both /etc/rc.d and /usr/local/etc/rc.d?


--

--Jon Radel
j...@radel.com




Re: Any package for surveys?

2011-01-28 Thread Jon Radel


On 1/28/11 7:42 AM, Jerry wrote:


On Fri, 28 Jan 2011 06:28:48 -0600 (CST)
Robert Bonomi  articulated:


But, then, you're a spammer.  And have just re-proven the validity of
Rule #3, and Krueger's Corollary thereunto, of the "Rules of Spam".

see:<http://www.pearlgates.net/nanae/rulesofspam.shtmld>


I would, except all I keep getting are:

404 - Not Found

error messages.



Remove the spurious "d" from the end of the URL.

--

--Jon Radel
j...@radel.com


Re: SU

2010-01-25 Thread Jon Radel

Shone Russell wrote:

I am not able to execute any commands when I utilize the su function, I
am entering our correct password. It was working on Friday, but now it's
not. 


Please let us know exactly what you're entering (without the password, 
of course) and what the results are.  Do you get an error message?  Does 
it hang?  What?


--

--Jon Radel
j...@radel.com




Re: NTP Stratum

2010-02-05 Thread Jon Radel

DAve wrote:

Afternoon from Blizzard central in Indiana,

I have three DNS servers across the state that I have installed and
configured ntpd on. They seem to be working well except they are
announcing themselves as Stratum 0 servers.

As many times as I have read the man pages I can't seem to figure out
how I *should* set them to announce themselves at a lower stratum.


Not enough information about what you're trying to do:  Are these 
synchronized against an outside source of time?  Are you using a local 
source of time such as a GPS receiver?  Or are your servers sitting 
there with nothing but the undisciplined local clock and something like:


server  127.127.1.0 # local clock
fudge   127.127.1.0 stratum 0

in the config file?

What's

ntpq -c peers

showing?

As a general sort of rule, if you're synchronized to some trusted time 
from somewhere, your stratum is going to be one higher than the stratum 
of the server you're synchronized against, and you rather have to go out 
of your way to override that.


--

--Jon Radel
j...@radel.com


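Jon's "fudge ... stratum 0" suspicion spelled out as an added example (not configuration from the thread): the weak ntp.conf beside a corrected one. The pool hostnames and the 10.0.0.0/8 restrict line are assumptions for illustration.

```conf
# Added example, not from the thread.

# --- WRONG: nothing disciplines the clock, yet it advertises stratum 0 ---
# Only a real reference clock (GPS, atomic) legitimately sits at stratum 0;
# this is almost certainly what servers announcing "Stratum 0" are running.
server 127.127.1.0
fudge  127.127.1.0 stratum 0

# --- RIGHT: sync against real upstreams; the local clock is a last resort ---
# The advertised stratum becomes (upstream stratum + 1) by itself, e.g. 3 when
# the selected pool server is stratum 2.  Nothing needs to be set by hand.
server 0.freebsd.pool.ntp.org iburst
server 1.freebsd.pool.ntp.org iburst
server 2.freebsd.pool.ntp.org iburst

# Undisciplined local clock at a deliberately high stratum, so any real source
# wins and this only takes over when every upstream is unreachable.
server 127.127.1.0
fudge  127.127.1.0 stratum 10

# Serve time, but refuse control and status queries from the world at large.
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
# Your own networks may query; adjust the prefix to taste.
restrict 10.0.0.0 mask 255.0.0.0 nomodify notrap
```

After restarting ntpd, `ntpq -c peers` should list the upstreams with a low value in the `st` column and an asterisk in front of the one selected; the local clock then shows `st` 10, and the server advertises one stratum above whatever it is actually synchronized to.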


Re: PASSWORD LOST!!

2010-02-12 Thread Jon Radel

Adam Vande More wrote:

On Fri, Feb 12, 2010 at 8:05 AM, John  wrote:


People, people - be careful that we are not creating a formula to
break into FreeBSD servers around the world...

The only acceptable solution is for someone in Eric's organization
to secure physical access to the server.  It may be in a co-lo
situation, but if that's true, they must have a contract open and,
if nothing else, they terminate the contract and get the machine
back, though more likely, the contract allows them supervised
access.  Machines are not perfect - even without losing the root
password, they break and need maintenance - this is a MAINTENANCE
event and should be treated as such, just like a hard drive failure
or a NIC failure.

Creating a scheme for someone to break into FreeBSD systems remotely
or to publicize schemes people have created to remotely manage their
systems in ways that could be used to compromise them is foolishness!

Regardless of the purity of his intention, Eric is asking us to
tell him how to break into our homes or steal our cars. ;)



Security through obscurity is no security, hence it is a good exercise.




Quite.  In any case, the OP started out by telling us how he had plugged 
a monitor into the server, so we're several degrees removed from reality 
by this point.


--

--Jon Radel
j...@radel.com




Re: selling freebsd cd for profit

2010-02-27 Thread Jon Radel

On 2/27/10 2:58 AM, Matthew Seaman wrote:


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 27/02/2010 24:50:54, Citra Cool wrote:

Can I sell FreeBSD for my profit?
Is it legal?


In a word, yes -- sure you can.

All you have to do is abide by the terms of the licensing.


You sure that this applies in a couple countries where they have
rather draconian laws about selling software that supports any
type of encryption?  It's a big world out there, with many
interesting laws.

--

--Jon Radel
j...@radel.com



Re: selling freebsd cd for profit

2010-02-27 Thread Jon Radel

On 2/27/10 1:31 PM, Programmer In Training wrote:

On 02/27/10 12:22, Jon Radel wrote:

On 2/27/10 2:58 AM, Matthew Seaman wrote:


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 27/02/2010 24:50:54, Citra Cool wrote:

Can I sell FreeBSD for my profit?
Is it legal?


In a word, yes -- sure you can.

All you have to do is abide by the terms of the licensing.


You sure that this applies in a couple countries where they have
rather draconian laws about selling software that supports any
type of encryption?  It's a big world out there, with many
interesting laws.



That would be for the interested party to find out on their own, since
we cannot possibly know the laws for each and every country out there. I
find it hard enough to keep up with the laws in my own.



Well, duh!  However, in personal correspondence, the OP refuses to even 
say what country he or she wants to do this in and simply reiterates the 
original question, despite strong hints, both on and off list, to get 
local expertise.


--

--Jon Radel
j...@radel.com



Re: Squid reporting incorrect time

2010-02-27 Thread Jon Radel

On 2/27/10 7:59 PM, Ty John (sand_man) wrote:


On Sun, 28 Feb 2010 00:03:19 +
RW  wrote:


On Sun, 28 Feb 2010 09:07:27 +1030
Ty John (sand_man)  wrote:



Hi guys,

I've had my squid proxy running fine for quite some time now but
just one thing bothers me. When a page cannot be displayed, the
date and time showing on that page is incorrect even though the system
date and time is correct.


Works for me. Are you sure the error page is generated by your cache?
Do you see your own hostname in the page?
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to
"freebsd-questions-unsubscr...@freebsd.org"



Yes I'm 100% sure. I'll check out those other links Jon just posted.



He's referring to my mail where I mentioned:

>
> Try http://www.linuxreaders.com/2009/08/10/squid-change-timezone/
>

See also the distinction between %t and %T at 
http://wiki.squid-cache.org/Features/CustomErrors



--

--Jon Radel
j...@radel.com



Re: Thousands of ssh probes

2010-03-05 Thread Jon Radel


Randal L. Schwartz wrote:

"Tim" == Tim Judd  writes:


Tim> I've been in that same boat.  I eventually came to the decision to:
Tim>   Install PPTP server software, accepting connections from any IP.

Whoa.  Here we are, talking about making it *more* secure, and
you go the other direction


http://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol#Security_of_the_PPTP_protocol


In short, you can't take anyone seriously who suggests PPTP when
talking about security.


Especially since rolling out OpenVPN and your own little CA to issue 
yourself and your 10 best friends certificates is pretty easy.  I find 
it easier to wrap my head around than something like IPSEC for 
supporting a "trusted server on trusted network attached to by laptops 
that wander around in sometimes sleazy parts of the Internet" model.


Just make sure you've kept up to date with your SSL libraries.  :-)

--Jon Radel
j...@radel.com


Re: can't ping localhost

2010-03-10 Thread Jon Radel



Well, the ping issue is just an example.
My real problem is that sendmail can't send
anything locally:

# tail /var/log/maillog
Mar 11 02:16:58 mech-anton240 sm-msp-queue[32611]: o2B0irgd029426: to=mexas, 
ctladdr=mexas (1001/1001), delay=01:32:05, xdelay=00:00:00, mailer=relay, 
pri=480031, relay=[127.0.0.1], dsn=4.0.0, stat=Deferred: [127.0.0.1]: No route 
to host


Well, have you considered looking to see if it's right?  What do you get 
in response to:


$ netstat -rn | grep 127
127.0.0.1  127.0.0.1  UH  0  64746  lo0
$

Showing what I get on a 7.0 server.

Unless they've moved things around since 7.0, you probably want to make 
sure that you've not messed with the ifconfig_lo0 line in 
/etc/defaults/rc.conf.


My apologies if that config stuff has changed in the latest; I don't 
have access to the latest right now.


--

--Jon Radel
j...@radel.com



Re: Sendmail Five Second Greeting Delay

2010-04-02 Thread Jon Radel

On 4/2/10 8:33 AM, David Allen wrote:


Secondly, it seems the cause of the OP's problem was a delay associated
with an IDENT query.  Specifically

   confTO_IDENT Timeout.ident   [5s] The timeout waiting for a
response to an IDENT query.

If he had local DNS configured, there would be no query, and therefore no
issue, but setting the timeout to 0 seconds using

   define(`confTO_IDENT', 0s)

does remove the delay, but not the underlying problem.


You sure?  IDENT has nothing to do with DNS, and I don't know of any 
program that does an IDENT query solely if DNS data is not available.  I 
can't see why that would make any sense.


What is most likely the OP's root problem is that he's sending e-mail 
from a machine that's on the other side of a firewall that blocks IDENT 
traffic but doesn't actively reject it.  So sendmail has to sit around 
and wait for the query to time out.


This is why there's a school of thought that even if your default for 
firewall configuration is to quietly drop unwanted packets, IDENT is a 
protocol that you should actively reject.  It makes things move along 
more quickly.




Put another way, I'm wondering why IDENT queries are made?  My knowledge
of that protocol is superficial, but my understanding is that running an
identity service is widely considered a security problem.  FreeBSD doesn't
run identd by default, for example, but it's possible that some Linux
distros do.  The Wikipedia article suggests "It's an IRC thing", but that
doesn't address the default sendmail behavior.


Things can make more sense when you realize that TCP/IP networks have 
changed over the years.  Long ago, when dinosaurs roamed the earth, and 
timesharing servers were big things with professional admins and lots of 
users, it could be helpful to know that if you got an irritating 
connection from the Math Dept. server using source port X, and IDENT 
said the owner of the process that was using port X was a user called 
Jimbob, that you could go to the admin of that server and tell him to 
slap Jimbob upside the head.  After all, if his IDENT server had been 
subverted, he would have mentioned it when you had a beer with him last 
night.


These days, when so much traffic comes from individual workstations 
where the user can frequently arrange for an IDENT server to return any 
fool information they want, if they have it running at all, the value 
added is much less.


Do remember that some of these things date from back when Linus was 
still in diapers (well, actually, he was about 15 when the earliest RFC 
with the genesis of IDENT was published), so trying to figure out why 
they make sense based solely on what Linux does can be futile.  ;-)


--

--Jon Radel
j...@radel.com
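To make the "drop versus actively reject" point above concrete for a pf-based FreeBSD box: the rule set below is an added illustration, not one posted in this thread, and the interface name, the default-drop policy and the open SMTP port are assumptions.

```pf
# Added example (not from the thread); em0 is an assumed interface name.
ext_if = "em0"

# Default policy: silently drop everything unsolicited.  With only this
# rule, a remote MTA that sends an IDENT query to TCP port 113 sees no
# answer at all and has to sit out its own timeout (sendmail's
# Timeout.ident, 5s by default) before it finishes the SMTP greeting.
block drop in on $ext_if all

# Exception for IDENT: answer with a TCP RST instead of dropping.  pf
# uses the last matching rule, so this overrides the drop above for
# port 113 only; the querying server gives up immediately.
block return in on $ext_if proto tcp from any to ($ext_if) port 113

# The mail service we actually want to expose.
pass in on $ext_if proto tcp from any to ($ext_if) port 25 keep state
```

The complementary setting on the sending side is the one quoted earlier in the thread, define(`confTO_IDENT', 0s) in sendmail.mc, which stops sendmail waiting on hosts that do drop port 113.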



Re: Sendmail Five Second Greeting Delay

2010-04-02 Thread Jon Radel

On 4/2/10 11:49 AM, David Allen wrote:


On 4/2/10, Jon Radel  wrote:

On 4/2/10 8:33 AM, David Allen wrote:


Secondly, it seems the cause of the OP's problem was a delay associated
with an IDENT query.  Specifically

confTO_IDENT Timeout.ident   [5s] The timeout waiting for a
 response to an IDENT query.

If he had local DNS configured, there would be no query, and therefore no
issue, but setting the timeout to 0 seconds using

define(`confTO_IDENT', 0s)

does remove the delay, but not the underlying problem.


You sure?  IDENT has nothing to do with DNS, and I don't know of any
program that does an IDENT query solely if DNS data is not available.  I
can't see why that would make any sense.


Well, I'm sure that on a network with functional DNS, sendmail sends
no IDENT queries. And by extension, there are no delays due to
timeouts of unanswered queries.


Very odd.  Why on earth would that be the case?




What is most likely the OP's root problem is that he's sending e-mail
from a machine that's on the other side of a firewall that blocks IDENT
traffic but doesn't actively reject it.  So sendmail has to sit around
and wait for the query to time out.


That much I get, but the question is why sendmail, by default sends
those queries?


Historical reasons.  So that you know, when bad mail is sent to you from 
the Math Dept. server by Jimbob playing around with his own SMTP 
program, whom to yell at.  (See below for references.)


Please don't make out like I'm advocating as this being of much utility 
these days; I'm not.  You can find all sorts of recommendations to turn 
this off if you look around.





This is why there's a school of thought that even if your default for
firewall configuration is to quietly drop unwanted packets, IDENT is a
protocol that you should actively reject.  It makes things move along
more quickly.


Fair enough.  But that reasoning is based on a premise that IDENT is
widely depended upon (and implicitly widely used), yes?


It's still deployed enough to result in tedious discussions, such as 
this one, coming up fairly frequently.  None of this is a problem until 
you have people who drop ident packets *and* get upset that there are 
servers out there that wait for a timeout.


And just think, we could be in the bad old days, when you *had* to wait 
for the IP stack to timeout and sendmail didn't have a handy place to 
set the timeout to a short value.


To paraphrase:  One of the underlying rules of getting along on the 
Internet is to be strict in what you send and forgiving in what you 
accept.  So do something sensible with IDENT requests or expect odd 
delays, and don't waste time wondering why there are still servers out 
there that do things that don't really make a lot of sense anymore.





Put another way, I'm wondering why IDENT queries are made?  My knowledge
of that protocol is superficial, but my understanding is that running an
identity service is widely considered a security problem.  FreeBSD doesn't
run identd by default, for example, but it's possible that some Linux
distros do.  The Wikipedia article suggests "It's an IRC thing", but that
doesn't address the default sendmail behavior.


Things can make more sense when you realize that TCP/IP networks have
changed over the years.  Long ago, when dinosaurs roamed the earth, and
timesharing servers were big things with professional admins and lots of
users, it could be helpful to know that if you got an irritating
connection from the Math Dept. server using source port X, and IDENT
said the owner of the process that was using port X was a user called
Jimbob, that you could go to the admin of that server and tell him to
slap Jimbob upside the head.  After all, if his IDENT server had been
subverted, he would have mentioned it when you had a beer with him last
night.

These days, when so much traffic comes from individual workstations
where the user can frequently arrange for an IDENT server to return any
fool information they want, if they have it running at all, the value
added is much less.

Do remember that some of these things date from back when Linus was
still in diapers (well, actually, he was about 15 when the earliest RFC
with the genesis of IDENT was published), so trying to figure out why
they make sense based solely on what Linux does can be futile.  ;-)


Interesting reading.  Thanks for elaborating.

So the IDENT protocol was relied on in the time of the dinosaurs, its
value today is "so much less" (a polite way of saying "not used at
all"?), and IDENT packets are commonly dropped by firewalls.   Do I
have that right?


Yes, except for the "not used at all" bit.


If so, then a reasonable conclusion is that the
default sendmail behaviour with respect to IDENT (sending queries and
then waiting for a reply) is an anachroni

Re: Question. Multi Boot

2010-04-18 Thread Jon Radel


On 4/18/10 12:50 PM, Kruppa, Peter Ulrich wrote:
Since Windows isn't very cooperative with other operating systems, 
leave it where it is, buy a second hard disk and install FreeBSD (and 
Linux) on it. The FreeBSD bootmanager will be able to boot Windows but 
Windows will not boot any FreeBSD or Linux.

I would agree that is the safest way to proceed, although the 
repartitioning of the hard disk as outlined by somebody else would 
certainly work.  However, even here I would urge you to have a complete 
backup that you have verified is usable before you start.  Makes that 
sinking feeling in your stomach when you realize you've just partitioned 
the wrong drive much less ugly.  :-)


--Jon Radel


Re: [OT] Was: Disabling DNS

2010-04-20 Thread Jon Radel


On 4/20/10 5:11 PM, Sergio Tam wrote:

2010/4/20 Jorge Biquez:
   

Hello all.

My English is not perfect at all since it is not my native language. With
that in mind I read the comments about the dummy word, interpreted as a
basic task, simple task In th eeffort of learning... can you explain why
you considered the comments unfriendly and non-professional?

 


dummy= idiot stupid retard moron dumb dumbass fool loser jerk jackass
asshole dork imbecile ass dunce slow tard ignorant silly dolt lame
retarded hyphy douchebag simpleton slut cretin bitch crazy dickhead
gay dipshit douche fag fucktard ignoramus dumbo dimwit dope dodo
blockhead doofus dumbbell dunderhead tool nitwit dullard foolish fat
annoying
   
Which must be why the X for Dummies series of books sells so well in the 
U.S., eh?


--Jon Radel

