FTP server link aggregation

2010-12-15 Thread Matthew Law
I have a single FreeBSD box acting as an FTP server for multiple FreeBSD
and Linux clients on the same /24 subnet (all gigabit Ethernet).  It is
currently connected by just one of its two gig Ethernet ports.  I also
have two Cisco switches with an EtherChannel between them (using 2 x gig
ports on each switch).  I would like to connect the remaining NIC on my
FreeBSD box to the other switch and enable 802.3ad on those switch ports
to aggregate traffic between them.

This is in the hope that it can better serve multiple FTP clients.  Is my
thinking correct?  Other than the network interface changes which are
documented here:
http://www.freebsd.org/doc/handbook/network-aggregation.html are there any
further tweaks I could make to improve things? - the server is a 'standard
install' and does not use ZFS.  It has an Adaptec 5408 RAID card with 4 x
SATA II drives and, IIRC, 128K stripe size and plenty of RAM.

Is there a way of testing this other than initiating large file transfers
to this server from multiple hosts?


Many thanks,

Matt.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
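As an added example (not from this thread or the handbook page it links), the rc.conf lines that build the aggregate, followed by a check that answers the "how do I test this" question without a bulk transfer: it reads the output of `ifconfig lagg0` and confirms that every member port reached the ACTIVE,COLLECTING,DISTRIBUTING state that only a successful LACP negotiation produces. The interface names em0/em1 and the address 192.0.2.10/24 are assumptions, and the ifconfig text below is constructed sample output. Two caveats the check helps surface: 802.3ad needs both member links to terminate on one LACP partner, and two separate Cisco switches joined by an EtherChannel are two partners unless they are stacked or otherwise act as one chassis (a port on the "other" switch then stays at flags=0<>, and `laggproto failover` is the mode that can span them); and LACP hashes per flow, so one client's transfer still rides one link, the gain being across several concurrent clients.

```sh
#!/bin/sh
# Added example, not from the thread or the FreeBSD handbook page it links.
# Interface names em0/em1 and the address 192.0.2.10/24 are assumptions.

# rc.conf(5) lines that build lagg0 in LACP mode from em0 and em1.
# rc.conf is sourced by /bin/sh, so these are plain shell assignments.
lagg_rc_conf() {
    cat <<'EOF'
ifconfig_em0="up"
ifconfig_em1="up"
cloned_interfaces="lagg0"
ifconfig_lagg0="laggproto lacp laggport em0 laggport em1 192.0.2.10/24"
EOF
}

# Read `ifconfig lagg0` output on stdin; succeed only if the aggregate runs
# LACP and every member port shows ACTIVE,COLLECTING,DISTRIBUTING, which is
# the state after the switch has negotiated.  A port listed as flags=0<>
# is cabled but has not joined the aggregate (switch port not in the
# channel, or the two ports landed on two different LACP partners).
lacp_ports_active() {
    awk '
        /laggproto/ && $2 == "lacp" { lacp = 1 }
        /laggport:/ {
            ports++
            if ($0 !~ /ACTIVE/ || $0 !~ /COLLECTING/ || $0 !~ /DISTRIBUTING/)
                bad++
        }
        END { ok = (lacp && ports >= 2 && bad == 0); exit !ok }
    '
}

# Constructed sample output in the layout ifconfig(8) prints for a lagg
# interface; the second sample has one port that never negotiated.
SAMPLE_GOOD='lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:11:22:33:44:55
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
        media: Ethernet autoselect
        status: active
        laggproto lacp
        laggport: em1 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
        laggport: em0 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>'

SAMPLE_HALF='lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        laggproto lacp
        laggport: em1 flags=0<>
        laggport: em0 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>'

# Apply the check to ifconfig text held in a variable.
lacp_check_text() {
    printf '%s\n' "$1" | lacp_ports_active
}

# On the server itself the live check is:  ifconfig lagg0 | lacp_ports_active
for s in "$SAMPLE_GOOD" "$SAMPLE_HALF"; do
    if lacp_check_text "$s"; then
        echo "aggregate fully negotiated on all ports"
    else
        echo "aggregate NOT fully negotiated; check the switch-side channel config"
    fi
done
```

Once both ports report the full flag set, a throughput test only needs two or more clients pulling at once; with a single client the hash keeps its connection on one link and the number will not exceed one port's rate.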


Re: Jail question

2010-10-18 Thread Matthew Law

On Fri, October 15, 2010 2:54 pm, Ivan Voras wrote:
> Since jails can do many things there are many helper utilities that
> can do much to simplify the process. If you can hack python, you can,
> for example, modify my script at
> http://ivoras.sharanet.org/stuff/mkjails.py which I've used to create a
> thousand very light-weight jails which are started and managed using
> only standard FreeBSD tools.
>
> In any case, read rc.conf(5) man page for the jail_* settings.

snip

> This is the more complex question; I think that everything which needs
> direct access to the NIC (i.e. BPF, DHCP, IPFW, etc.) will need to be
> run on the host system. TCP services will work inside jails without
> problems, but with jails it's almost the same as if they were on another
> system. If you do use NAT you will have to configure it on the host.
> Instead, you can also use TCP proxies (like bsdproxy). It's up to you
> how much complexity you want in your system, but for simplicity I
> would set up a single outward-facing IP address and then proxy TCP
> services where I need them.

Thanks for the helpful replies.  I am experimenting with some ideas on a
VM now.  It certainly does seem more logical to have the firewall, VPN and
NAT rules in the base system and everything else jailed.  I can just about
get by with Python and your script looks like it could be of use - thanks
for sharing it.

Matt.




Jail question

2010-10-14 Thread Matthew Law
I have a single box on which I would like to run openvpn, smtp (postfix,
dspam, greylist, clamav), imap (dovecot) apache22 and bind.  This box also
acts as a network gateway so it would give an attacker carte blanche to
the internal nets if it was compromised, which makes me nervous.  The plan
is to run openvpn as the only unjailed service and the rest of the
services in a single jail or their own jails.

I have never touched jails before and I'm a bit unsure of the best way to
go.  I realise that I can jail a service or a copy of the whole system
(service would be preferable for space efficiency) but I am unclear on how
to deal with IP addresses in jailed environments and if I should create
individual jails or a single jail for all services.  At the moment I am
leaning toward a single system jail for everything so I can keep the space
in which openvpn runs as uncluttered as possible and also have a single
postgres instance shared by the other services.  Basically, if any of the
public services in the jail are compromised I would like to make it very
hard for the attacker to see the internal network.

If I use this scheme must I use separate public IPs for openvpn and the
services jail or is it possible to use a single IP or some NAT/PAT scheme?
-this box currently has 4 x NICs split into 2x lagg interfaces in failover
mode (one public, one private), if that makes any difference

Sorry for the rambling question and I hope this makes sense!

Matt.
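An added example for the single-IP question above and for Ivan Voras's "single outward-facing IP" advice in the reply (this is not code from the thread): the jail lives on a private alias of a cloned loopback interface, and pf on the host publishes only the listed TCP ports on the public address with `rdr` (a translation rule, in place of the TCP proxy Ivan suggested), keeps OpenVPN on the host, and blocks the jail from the internal network so a compromised service inside it cannot see the LAN through the gateway. The jail name "svc", the interfaces lagg0 (public) and lagg1 (private), the address 10.0.0.2 and the network 192.168.0.0/24 are assumptions. The rc.conf(5) jail_* settings are the ones the reply points to; services in the jail then bind to the jail's single IPv4 address.

```sh
#!/bin/sh
# Added example, not from the thread.  The jail name "svc", the interfaces
# lagg0 (public) and lagg1 (private), the jail address 10.0.0.2 and the
# internal net 192.168.0.0/24 are assumptions; adjust to the real layout.

# rc.conf(5) jail_* settings for one service jail whose address is an
# alias on a cloned loopback interface, so it never owns the public IP.
# rc.conf is sourced by /bin/sh, so the fragment is plain shell.
jail_rc_conf() {
    cat <<'EOF'
cloned_interfaces="lo1"
jail_enable="YES"
jail_list="svc"
jail_svc_rootdir="/usr/jails/svc"
jail_svc_hostname="svc.example.com"
jail_svc_interface="lo1"
jail_svc_ip="10.0.0.2"
jail_svc_devfs_enable="YES"
EOF
}

# pf.conf(5) rules on the host.  Only the listed TCP ports are redirected
# from the public address into the jail, OpenVPN (udp/1194) stays on the
# host, and the jail is blocked from the internal network.  Rules for the
# LAN side of the gateway itself are left to the existing ruleset.
jail_pf_conf() {
    cat <<'EOF'
ext_if   = "lagg0"
int_if   = "lagg1"
int_net  = "192.168.0.0/24"
jail_ip  = "10.0.0.2"
jail_tcp = "{ 25, 80, 443, 993 }"

# translation: jail goes out as the public address, published ports come in
nat on $ext_if from $jail_ip to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port $jail_tcp -> $jail_ip

# filtering: deny by default on the public side, open only what is published
block in on $ext_if all
pass out all keep state
pass in on $ext_if proto tcp from any to $jail_ip port $jail_tcp keep state
pass in on $ext_if proto udp from any to ($ext_if) port 1194 keep state
# a compromised jailed service must not reach the internal network
block out quick on $int_if from $jail_ip to $int_net
EOF
}

# Return 0 if $1 is an RFC 1918 address.  The jail must sit on such an
# address: the rdr list above is then the only way in, whereas a publicly
# routable jail address would expose every service bound in the jail.
is_rfc1918() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4                           { exit 1 }
        $1 == 10                          { exit 0 }
        $1 == 172 && $2 >= 16 && $2 <= 31 { exit 0 }
        $1 == 192 && $2 == 168            { exit 0 }
                                          { exit 1 }'
}

# Pull the jail address out of the rc.conf fragment and verify it.
check_jail_ip() {
    ip=$(jail_rc_conf | sed -n 's/^jail_svc_ip="\(.*\)"$/\1/p')
    is_rfc1918 "$ip"
}

# Syntax-check the ruleset with pfctl(8) where it exists (FreeBSD);
# elsewhere the check is skipped and reports success.
jail_pf_syntax_ok() {
    command -v pfctl >/dev/null 2>&1 || return 0
    tmp=$(mktemp) || return 1
    jail_pf_conf > "$tmp"
    pfctl -nf "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}

if check_jail_ip; then
    jail_rc_conf; echo; jail_pf_conf
else
    echo "jail_svc_ip is not a private address; the rdr list would not be the only way in" >&2
fi
```

Because pf applies `rdr` before filtering, the pass rule matches on the jail's address, not the public one; the trailing `quick` block is what enforces the "hard to see the internal network" goal even though `pass out all` precedes it.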




Re: chroot scp only network storage?

2010-05-26 Thread Matthew Law

On Tue, May 25, 2010 11:05 pm, Matthew Seaman wrote:
> Checkout the security/openssh-portable port which has options to enable
> chroot'ing.  You should be able to configure the account to only be able
> to use scp(1) or sftp(1) by editing sshd_config or by using forced
> commands in the user authorized_keys files.

This sounds pretty close to what I want.  I don't want the user to be able
to get a shell on the box but do want to allow them to run a small subset
of useful commands over ssh such as 'ls' and of course scp files to and
from it.

> Another alternative is WebDAV.  Run it over HTTPS for security, and use
> the standard Apache authn/authz controls to give each user access to
> only their own area.  In principle your users can mount their WebDAV
> areas as networked filesystems on their desktops.  In practice, this
> works fine with MacOS X, is horribly buggy under Windows, needs quite a
> lot of effort to make work on Linux, and I don't think it's actually
> available at all on FreeBSD.  However, commandline clients like cadaver
> will work fine on anything Unixy.

I've had problems with exactly this before on Linux.  I only need to allow
Linux, FreeBSD and Solaris users access to this resource so will persevere
with something SSH based I think.


Thanks,

Matt.



Re: chroot scp only network storage?

2010-05-26 Thread Matthew Law
On Tue, May 25, 2010 11:23 pm, Balázs Mátéffy wrote:
> Hello,
>
> Try /usr/ports/shells/scponly .
>
> Look up the features, this way you can assign the restrictive scponly
> shell to the users:
>
> http://sublimation.org/scponly/wiki/index.php/Main_Page

Thanks,

I have used this before on Linux. In this case it might not be exactly
what I want.


Thanks,

Matt



chroot scp only network storage?

2010-05-25 Thread Matthew Law

I want to provide some users with secure network attached storage over
SCP.  The intent is to provide people with a similar thing to, e.g.
rsync.net but inside of our network only.

Security is obviously a priority so I would like each user to be chrooted
into their allocated directory and allow them only to execute a small set
of commands.

I have come across scponly before.  Is this the best way of achieving this
with FreeBSD or is there some other better way?

Thanks in advance,

Matt.
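An added example for this question and for Matthew Seaman's sshd_config suggestion in the replies above (not code from the thread or from the openssh-portable port): the sshd_config(5) block that confines a group of users to their own directory with the sftp server built into sshd, plus a check of the one requirement that trips most people up, namely that every directory on the chroot path must be root-owned and writable by nobody else, or sshd refuses the login. ChrootDirectory and internal-sftp have been in OpenSSH since 4.9, so the base sshd on a 2010 FreeBSD release already has them. The group name "sftponly" and the /home/%u layout are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread or the openssh-portable port.
# The group name "sftponly" and the /home/%u layout are assumptions.

# sshd_config(5) fragment: members of group sftponly get no shell and no
# forwarding, and are confined to their home directory by sshd's built-in
# sftp server.  Put it at the end of the file: everything after a Match
# line belongs to that block until the next Match.
sftp_chroot_fragment() {
    cat <<'EOF'
Subsystem sftp internal-sftp

Match Group sftponly
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
EOF
}

# sshd refuses to chroot unless every directory on the path is owned by
# root and writable by no one else; otherwise the confined user could
# plant files that the chroot'ed sshd trusts.  These checks parse `ls -ld`,
# whose layout is the same on BSD and GNU systems (stat(1) flags differ).
chroot_perms_ok() {
    line=$(ls -ld "$1" 2>/dev/null) || return 1
    perms=${line%% *}                         # e.g. drwxr-xr-x
    case $perms in
        d????w*|d???????w*) return 1 ;;       # group- or world-writable
        d*)                 return 0 ;;
        *)                  return 1 ;;       # not a directory
    esac
}

chroot_dir_ok() {
    chroot_perms_ok "$1" || return 1
    owner=$(ls -ld "$1" | awk '{ print $3 }')
    [ "$owner" = "root" ]
}

# Check the whole path, component by component, the way sshd does.
chroot_path_ok() {
    p=$1
    case $p in
        /*) ;;
        *)  echo "ChrootDirectory must be an absolute path: $p" >&2; return 1 ;;
    esac
    while :; do
        chroot_dir_ok "$p" || { echo "unsafe chroot component: $p" >&2; return 1; }
        [ "$p" = "/" ] && return 0
        p=$(dirname "$p")
    done
}

# Usage: sh sftp-chroot.sh              -> print the sshd_config fragment
#        sh sftp-chroot.sh /home/alice  -> verify that path before enabling it
if [ $# -gt 0 ]; then
    chroot_path_ok "$1" && echo "$1: acceptable as ChrootDirectory"
else
    sftp_chroot_fragment
fi
```

Two consequences of the ownership rule and the forced command: the user's writable area has to be a subdirectory inside the chroot (say /home/alice/files, owned by alice) because /home/alice itself must belong to root; and `ForceCommand internal-sftp` speaks only the SFTP protocol, so sftp clients get directory listings natively but the legacy scp protocol and ad hoc commands such as `ls` over ssh will not run, which is where a restricted shell like scponly fills in instead.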



Re: Hardware RAID controller questions - 3Ware vs RocketRaid

2010-03-18 Thread Matthew Law

On Thu, March 18, 2010 8:37 am, Andy Wodfer wrote:
> Hi,
> We're setting up two backup servers where each server will have about 4TB
> of harddrives (for now) connected (4x1TB and 8x500GB drives). Last night we
> ran into trouble with the 3ware controllers we have (9650SE-8LPML) because we
> couldn't create a larger RAID5 than 1.99TB.
>
> We are going to use FreeBSD 8.0 and Bacula, but first we obviously need to
> create a working RAID.
>
> My questions are:
>
> - Are HighPoint RocketRaid controllers a good alternative to 3ware
> controllers? Are RocketRaid controllers true hardware RAID?
>
> - What should we look for in a RAID controller spec to see that it has
> support for larger than 2TB RAIDs?
>
> I've been looking at these:
> http://www.highpoint-tech.com/USA_new/series_rr2300.htm
> http://www.highpoint-tech.com/USA_new/series_rr3500.htm
>
> Any FreeBSD recommendations? Or perhaps for another 3ware controller?
>
> We're using SATAII drives.
>
> Thanks for your help!

Is ZFS not an option? - you could save yourself a lot of money and hassle
with hardware RAID by moving to ZFS.  Either use onboard SATA ports on
the motherboard (and accept that you might have to shut down the box to
swap failed disks out) or get a simple 8-port HBA in JBOD mode, e.g.:

http://www.lsi.com/channel/products/hba/sas_sata_hbas/internal/lsisas3081er/index.html

You'll need plenty of RAM too, but IMHO it is worth the trade.

HTH,

Matt.




Re: Re : Replacing Home Router With PC

2010-03-11 Thread Matthew Law
+1 for pfSense and if you need a quick to setup home NAS box, you could do
worse than FreeNAS, which is also derived from FreeBSD - although I don't
think it supports ZFS currently.  When it does it will be even better.

Best,

Matt

On Thu, March 11, 2010 7:59 am, Alexandre L. wrote:
> You can use pfSense:
> pfSense is a free, open source customized distribution of FreeBSD tailored
> for use as a firewall and router.
> http://www.pfsense.org/
> pfSense is very simple and intuitive to use with its GUI in PHP.



Re: Advice request: DSL modem

2010-03-11 Thread Matthew Law
Mike,

I use a Draytek Vigor 120 (I'm in the UK, but it most certainly will work
for you as well).  This is a self-contained ADSL modem that presents a
PPPoE interface to your PC or server via a conventional RJ45 connector.
It is painless and, past firmware hiccups excepted, performs very well
indeed.

http://www.draytek.co.uk/products/vigor120.html

I use it in preference to anything because it does not get you embroiled
in PCI device driver support and it doesn't NAT or otherwise screw with
the connection - you get 'the internet' and nothing more.

The only downside is it is not cheap.  I think I paid around 50 GBP.


Best regards,

Matt.

On Thu, March 11, 2010 10:42 am, Michael Doyle wrote:
> I am looking for advice regarding DSL Modems:
>
> I need to add a computer to our VPN which is implemented using the
> FreeBSD IPSEC protocols.  So far, all our sites are connected using a
> wireless point-to-point link provided by our ISP that gives us fixed IP
> addresses with no NAT issues.
>
> Now I need to add a site with a DSL link. My ISP will give me a fixed
> IP address for this site but can anyone recommend a DSL modem (ADSL2)
> that will be easy to configure with this setup?  (The previous model I
> used successfully for this purpose is no longer available)



Root on ZFS

2010-03-04 Thread Matthew Law
I am following this wiki page to move to zfs root:

http://wiki.freebsd.org/ZFSOnRoot

I got to this section:

Create bootdir directory where the boot file system will be mounted:

# mkdir /tank/bootdir
# ln -s bootdir/boot /tank/boot

I am confused about the symlink line - what is 'bootdir' ?

Thanks,



Re: Root on ZFS

2010-03-04 Thread Matthew Law

On Thu, March 4, 2010 3:44 pm, Randal L. Schwartz wrote:
> "Matthew" == Matthew Law m...@webcontracts.co.uk writes:
>
> Matthew> I am following this wiki page to move to zfs root:
> Matthew> http://wiki.freebsd.org/ZFSOnRoot
>
> If you're running RELEASE-8 or later, I've gotten this to work just fine:
>
>   http://wiki.freebsd.org/RootOnZFS/GPTZFSBoot

Thanks, guys.

Yes, I am on 8-RELEASE.  I was really looking to create a 3-disk raidz or
raidz2 volume with 1 hot spare.  I happened across this page:

http://wiki.freebsd.org/RootOnZFS/GPTZFSBoot/RAIDZ2

and started to follow that.

> Currently live on two slices at arpnetworks.com with that.
>
> The trickiest part is that Arp installs an existing system on the disk,
> and the instructions there don't tell how to remove it. :(
>
> I can't remember the workaround, but someone in IRC told me.
> (gpart destroy didn't work, because it said already in use)

I ran into this and figured out I need to remove each slice first.  But it
did take a little head scratching.

I installed a minimal OS from a USB stick onto a single SATA drive.  After
testing it was installed and running OK, I rebooted and chose the fixit
option from sysinstall and followed the above guide.

I've got to this part:

7. 'Create ZFS Pool zroot'

Fixit# mkdir /boot/zfs
Fixit# zpool create zroot raidz2 /dev/gpt/disk0 /dev/gpt/disk1 /dev/gpt/disk2
Fixit# zpool set bootfs=zroot zroot

The zpool create command fails because I don't have '/dev/gpt' - I take it
I haven't actually installed with gpt in the first place?  Can I go back
and do that and what's the advantage of gpt?

Finally, I had problems with the SAS card in this box, which is a bog
standard LSI SAS8041E.  I can install OK, but on rebooting it can't find
the root slice, panics and drops me into mountroot.  Where I get stuck.

Any help much appreciated,

Matt.
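An added example (not from the thread or the wiki pages it cites) that covers the two snags described above: `gpart destroy` refusing a disk that still holds slices, and `zpool create` finding no /dev/gpt. The second is answered by the `-l` label on the freebsd-zfs partition, which is what makes the /dev/gpt/<label> entries appear; a disk partitioned without a label has no /dev/gpt at all. The disk names ad4, ad6 and ad8, the labels disk0..disk2 and the pool name zroot are assumptions. Every destructive command goes through a `run` wrapper that only prints the plan unless DRY_RUN is cleared, so the whole sequence can be read from the Fixit shell before a disk is touched. raidz2 over three disks tolerates two failures and holds one disk's worth of data, which matches the RAIDZ2 wiki page being followed.

```sh
#!/bin/sh
# Added example, not from the thread or the wiki pages it cites.  The disk
# names ad4 ad6 ad8, the labels disk0..disk2 and the pool name zroot are
# assumptions.  Commands are only printed unless DRY_RUN is set empty
# (DRY_RUN= sh zfsroot.sh), so the plan can be read before anything is
# written to a disk.
DRY_RUN=${DRY_RUN-1}

run() {
    if [ -n "$DRY_RUN" ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# Clear an old MBR/slice layout first.  gpart(8) refuses to destroy a
# scheme that still holds partitions (the "already in use" refusal), so
# every partition index that `gpart show` reports is deleted beforehand.
gpt_wipe() {
    disk=$1
    for idx in $(gpart show "$disk" 2>/dev/null |
                 awk '$1 != "=>" && $3 ~ /^[0-9]+$/ { print $3 }'); do
        run gpart delete -i "$idx" "$disk"
    done
    run gpart destroy "$disk"
}

# Lay a GPT on one disk: a small freebsd-boot partition for gptzfsboot and
# one freebsd-zfs partition carrying a GPT label.  The label is what makes
# /dev/gpt/<label> appear; a disk partitioned without -l has no /dev/gpt
# entry, which is why the zpool create above could not find its devices.
gpt_disk() {
    disk=$1 label=$2
    run gpart create -s gpt "$disk"
    run gpart add -b 34 -s 64 -t freebsd-boot "$disk"
    run gpart add -t freebsd-zfs -l "$label" "$disk"
    run gpart bootcode -b /boot/pmbr -p /boot/gptzfsboot -i 1 "$disk"
}

# Build the pool from the labels rather than raw device names so it still
# imports after disks are renumbered (for example on a different HBA).
make_pool() {
    pool=$1; shift
    devs=""
    for l in "$@"; do devs="$devs /dev/gpt/$l"; done
    run mkdir -p /boot/zfs
    run zpool create "$pool" raidz2 $devs
    run zpool set bootfs="$pool" "$pool"
}

# Whole plan for three disks, run from the Fixit shell of the install media.
plan() {
    for d in ad4 ad6 ad8; do gpt_wipe "$d"; done
    gpt_disk ad4 disk0
    gpt_disk ad6 disk1
    gpt_disk ad8 disk2
    make_pool zroot disk0 disk1 disk2
}

plan
```

In dry-run mode on a real FreeBSD box `gpt_wipe` still executes the read-only `gpart show`, so the printed plan lists exactly which partitions would be deleted; the installer step that copies zpool.cache into /boot/zfs and the bootfs/mountpoint settings for the rest of the wiki page follow on from here unchanged.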




Stress testing a new FreeBSD server?

2010-03-03 Thread Matthew Law

I would be grateful if anyone could recommend any tests, scripts, ports or
packages which would stress test a new FreeBSD box? - both CPU and disk
I/O.  I would particularly like to get the processors nice and warm! :-)

We already use bonnie++, unixbench, etc. but I was wondering if there is a
proper suite of tools for doing just this and google hasn't brought up
anything particularly appealing.

Thanks in advance,

Matt.





Options for redundant storage cluster?

2010-02-18 Thread Matthew Law
Hi,

Hopefully I'm not too far out posting this question here.  It takes in a
lot of areas so I was unsure where to post it.  If it belongs on another
ML please advise and I will re-post it there.

I am researching options for a two node failover storage cluster. This is
primarily to provide shared storage (either iSCSI or NFS) for XenServer
VMs.  I am looking to get the best bang for the buck and wondering if
FreeBSD might be a good choice?

Hardware-wise we have available two identical supermicro chassis each with
16 x SAS bays and a choice of AMD or latest Xeon 5500 CPUs, together with
as many gigabit cards as we need but the budget won't stretch to faster
networking.  It would be nice to take advantage of ZFS and use two or
three 8-port SAS HBAs in each server rather than expensive hardware RAID
cards.

We don't need to store more than around 2TB but we would like to
comfortably service around 75-100 VM instances (the VMs, on average,
are not too I/O heavy).  Thin provisioning and snapshots would be nice,
too.

My initial thoughts were that we might be able to use ZFS, cheap LSI 8
port SAS HBAs together with a dozen or so SATA II drives and a couple of
Intel X25E SSDs to help things along.  It would be great if these boxen
could network boot, so we can use all the drive bays for storage.  I have
no idea what options exist for clustering NFS/redundancy.

I would be very grateful for any advice - especially from anyone who has
experience in the same scenario.

Thanks in advance,

Matt.



courier imap rc.conf entry?

2004-12-09 Thread Matthew Law
I've just installed courier-imapd from ports.  I can't find any
reference to the required entry in rc.conf to start it at boot time.
Can someone please tell me what I need in there or tell me where to look
for the info? I'd like SSL too if that makes a difference...

TIA,

Matt.


Re: courier imap rc.conf entry?

2004-12-09 Thread Matthew Law
* Dev Tugnait [EMAIL PROTECTED] [2004-12-09 12:00]:
> Also check /usr/share/examples/etc/defaults/rc.conf
This helped a great deal.  It's working now - thanks!

Matt.


Perl undefined symbol errors

2004-12-02 Thread Matthew Law
Hello,

I am having issues with Perl and wondered if someone might be able to
help.  For example, I installed from ports, anomy-sanitizer.  
Occasionally I see the following error when run from procmail:

/usr/local/bin/sanitizer.pl,/usr/local/etc/sanitizer.cfg
/libexec/ld-elf.so.1:
/usr/local/lib/perl5/site_perl/5.8.5/mach/auto/Digest/MD5/MD5.so:
Undefined symbol Perl_malloc

I am using FreeBSD 5.3.  All ports were installed straight after an
update to ports-all with cvsup.

It's difficult for me to debug since it only happens occasionally.
Would I be correct in thinking that these errors occur because perl
expects its libs in a different place to where they are in FreeBSD?

Is this a known problem and what is the solution?

Thanks in advance,

Matt.