awstats for a single directory
hello

i was previously using webalizer to analyze my apache log files. i was able to generate webalizer reports for a single directory using webalizer's IgnoreURL directive.

is it possible to get awstats to do the same thing - generate a report for an individual directory i.e., http://www.myserver.com/just_this_directory/ ? i wasn't able to find any documentation related to this.

any advice appreciated.

redmond

--
Redmond Militante
Software Engineer / Medill School of Journalism
FreeBSD 5.4-STABLE #0: Wed Sep 7 15:00:27 CDT 2005 i386
12:15PM up 1:54, 1 user, load averages: 0.24, 0.27, 0.22
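One way to get the per-directory report the post asks about, added here as an example (it is not part of the original post and not awstats's own code): pre-filter the Apache log down to requests under the directory and hand that stream to awstats through its LogFile directive, which accepts a command ending in `|`. The filter script, the directory name /just_this_directory/ and the log path are assumptions; the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original post or from awstats itself.
# Keeps only Apache access-log lines whose request path starts with one
# directory, so awstats analyses a single-directory log. Assumes Common or
# Combined log format (the request line is the first double-quoted field).

# filter_dir_log DIR  (reads the log on stdin, writes matching lines to stdout)
# DIR is compared as a path prefix anchored at the start of the URL path, so
# /just_this_directory/ does not also match /just_this_directory_old/.
filter_dir_log() {
    dir="$1"
    if [ -z "$dir" ]; then
        echo "usage: filter_dir_log /directory/ < access.log" >&2
        return 1
    fi
    awk -v dir="$dir" '
        {
            # Request line sits between the first pair of double quotes:
            #   "GET /path?query HTTP/1.1"
            split($0, q, "\"")
            n = split(q[2], r, " ")
            if (n < 2) next
            path = r[2]
            sub(/\?.*/, "", path)             # ignore the query string
            if (index(path, dir) == 1) print  # prefix match at position 1
        }'
}

# count_dir_requests DIR  (stdin = log) prints how many lines survive; handy
# for checking the filter against a day's log before wiring it into awstats.
count_dir_requests() {
    filter_dir_log "$1" | wc -l | tr -d ' '
}

# Constructed sample lines (not real traffic) for a self-check.
SAMPLE_LOG='192.0.2.1 - - [07/Sep/2005:12:00:01 -0500] "GET /just_this_directory/ HTTP/1.1" 200 512 "-" "Mozilla"
192.0.2.2 - - [07/Sep/2005:12:00:02 -0500] "GET /just_this_directory/page.html?x=1 HTTP/1.1" 200 1024 "-" "Mozilla"
192.0.2.3 - - [07/Sep/2005:12:00:03 -0500] "GET /other/index.html HTTP/1.1" 200 300 "-" "Mozilla"
192.0.2.4 - - [07/Sep/2005:12:00:04 -0500] "GET /just_this_directory_old/ HTTP/1.1" 404 200 "-" "Mozilla"
192.0.2.5 - - [07/Sep/2005:12:00:05 -0500] "POST /just_this_directory/form.cgi HTTP/1.0" 302 0 "-" "curl"'

# Script mode: sh awstats-dirfilter.sh /just_this_directory/ /var/log/httpd-access.log
if [ "$#" -ge 2 ]; then
    filter_dir_log "$1" < "$2"
fi
```

Save it as /usr/local/sbin/awstats-dirfilter.sh (assumed path) and, in a separate copy of the awstats config so the per-directory data does not mix with the whole-site data, set LogFile="sh /usr/local/sbin/awstats-dirfilter.sh /just_this_directory/ /var/log/httpd-access.log |". Running the self-check on the constructed sample with count_dir_requests gives 3 for /just_this_directory/ (the _old directory and /other/ are excluded).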
Re: error installing graphics/ImageMagick from ports
> tax error before `)'
> coders/jp2.c:567: `icc_stream' undeclared (first use in this function)
> coders/jp2.c:569: warning: implicit declaration of function `jas_iccprof_save'
> coders/jp2.c: At top level:
> coders/jp2.c:597: syntax error before `void'
> coders/jp2.c:598: warning: type defaults to `int' in declaration of
> `jas_image_destroy'
> coders/jp2.c:598: warning: parameter names (without types) in function
> declaration
> coders/jp2.c:598: conflicting types for `jas_image_destroy'
> /usr/local/include/jasper/jas_image.h:348: previous declaration of
> `jas_image_destroy'
> coders/jp2.c:598: warning: data definition has no type or storage class
> coders/jp2.c:599: syntax error before `for'
> coders/jp2.c:86: warning: `WriteJP2Image' declared `static' but never defined
> coders/jp2.c:117: warning: `IsJP2' defined but not used
> coders/jp2.c:153: warning: `IsJPC' defined but not used
> coders/jp2.c:272: warning: `ReadJP2Image' defined but not used
> gmake[1]: *** [coders/magick_libMagick_la-jp2.lo] Error 1
> gmake[1]: Leaving directory
> `/usr/ports/graphics/ImageMagick/work/ImageMagick-6.2.2'
> gmake: *** [all] Error 2
> *** Error code 2
>
> Stop in /usr/ports/graphics/ImageMagick.
>
> --
> Redmond Militante
> Software Engineer / Medill School of Journalism
> FreeBSD 5.2.1-RELEASE-p14 #0: Fri Jun 10 16:46:59 CDT 2005 i386
> 5:30AM up 21 days, 18:08, 4 users, load averages: 0.00, 0.00, 0.00

--
Redmond Militante
Software Engineer / Medill School of Journalism
FreeBSD 5.2.1-RELEASE-p14 #0: Fri Jun 10 16:46:59 CDT 2005 i386
3:30PM up 22 days, 4:08, 5 users, load averages: 0.00, 0.00, 0.00
error installing graphics/ImageMagick from ports
sr/local/include/jasper/jas_image.h:348: previous declaration of `jas_image_destroy'
coders/jp2.c:598: warning: data definition has no type or storage class
coders/jp2.c:599: syntax error before `for'
coders/jp2.c:86: warning: `WriteJP2Image' declared `static' but never defined
coders/jp2.c:117: warning: `IsJP2' defined but not used
coders/jp2.c:153: warning: `IsJPC' defined but not used
coders/jp2.c:272: warning: `ReadJP2Image' defined but not used
gmake[1]: *** [coders/magick_libMagick_la-jp2.lo] Error 1
gmake[1]: Leaving directory `/usr/ports/graphics/ImageMagick/work/ImageMagick-6.2.2'
gmake: *** [all] Error 2
*** Error code 2

Stop in /usr/ports/graphics/ImageMagick.

--
Redmond Militante
Software Engineer / Medill School of Journalism
FreeBSD 5.2.1-RELEASE-p14 #0: Fri Jun 10 16:46:59 CDT 2005 i386
5:30AM up 21 days, 18:08, 4 users, load averages: 0.00, 0.00, 0.00
Re: error installing openssh-portable
hi

i'm bumping this, still having this problem. upgrading to 4.11 did not fix it...

> please if anyone has any ideas...
>
> > Don't top-post, please.
> >
> > Redmond Militante <[EMAIL PROTECTED]> writes:
> >
> > > is /usr/ports/cryptlib the port you're referring to?
> >
> > No, I'm talking about the crypto distribution in the base system. I
> > don't remember when it was folded into the main distribution, but for
> > a long time it was separate because of concerns about export
> > regulations and patent issues.
> >
> > > i've also read that make -DWITHOUT_KERBEROS=yes would also work, but it
> > > didn't in my case.
> > >
> > > [Tue, Mar 29, 2005 at 09:14:07AM -0500]
> > > This one time, at band camp, Lowell Gilbert said:
> > >
> > > > Redmond Militante <[EMAIL PROTECTED]> writes:
> > > >
> > > > > hi all
> > > > >
> > > > > i get this installing the openssh-portable port on a 4.8-RELEASE
> > > > > machine
> > > > >
> > > > > ===> Building for openssh-portable-3.9.0.1,1
> > > > > if test ! -z ""; then /usr/bin/perl5 ./fixprogs ssh_prng_cmds ; fi
> > > > > (cd openbsd-compat && make)
> > > > > cc -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o
> > > > > sshconnect1.o sshconnect2.o -L. -Lopenbsd-compat/ -L/usr/lib
> > > > > -rpath=/usr/lib:/usr/local/lib -L/usr/local/lib -lssh
> > > > > -lopenbsd-compat -lcrypto -lutil -lz -lcrypt -lkrb5 -lcrypto
> > > > > -lcom_err -lasn1 -lroken
> > > > > /usr/lib/libkrb5.so: undefined reference to `des_is_weak_key'
> > > > > /usr/lib/libkrb5.so: undefined reference to `des_pcbc_encrypt'
> > > > > /usr/lib/libkrb5.so: undefined reference to `des_cfb64_encrypt'
> > > > > /usr/lib/libkrb5.so: undefined reference to `des_cbc_encrypt'
> > > > > /usr/lib/libkrb5.so: undefined reference to `des_set_odd_parity'
> > > > > /usr/lib/libkrb5.so: undefined reference to `des_read_pw_string'
> > > > > /usr/lib/libkrb5.so: undefined reference to `des_set_key'
> > > > > /usr/lib/libkrb5.so: undefined reference to `des_ede3_cbc_encrypt'
> > > > > /usr/lib/libkrb5.so: undefined reference to `des_cbc_cksum'
> > > > > *** Error code 1
> > > > >
> > > > > Stop in /usr/ports/security/openssh-portable/work/openssh-3.9p1.
> > > > > *** Error code 1
> > > > >
> > > > > Stop in /usr/ports/security/openssh-portable.
> > > > >
> > > > > any ideas on how to fix? cvsup'ing ports didn't work.
> > > >
> > > > I seem to recall DES being optional back when; you'll need to install
> > > > it to get this linking. It should be in the crypto library.
> > > >
> > > > Or maybe my memory is just off...
> > >
> > > --
> > > Redmond Militante
> > > Software Engineer / Medill School of Journalism
> > > FreeBSD 5.2.1-RELEASE-p13 #0: Mon Mar 28 17:07:51 CST 2005 i386
> > > 11:15AM up 45 mins, 2 users, load averages: 0.00, 0.02, 0.05
> >
> > --
> > Lowell Gilbert, embedded/networking software engineer, Boston area
> > http://be-well.ilk.org/~lowell/
>
> --
> Redmond Militante
> Software Engineer / Medill School of Journalism
> FreeBSD 5.2.1-RELEASE-p13 #0: Mon Mar 28 17:07:51 CST 2005 i386
> 12:00PM up 2 days, 1:30, 1 user, load averages: 0.41, 0.16, 0.05

--
Redmond Militante
Software Engineer / Medill School of Journalism
FreeBSD 5.2.1-RELEASE-p13 #0: Mon Mar 28 17:07:51 CST 2005 i386
2:00PM up 4 days, 29 mins, 4 users, load averages: 0.07, 0.11, 0.20
Re: error installing openssh-portable
please if anyone has any ideas...

> Don't top-post, please.
>
> Redmond Militante <[EMAIL PROTECTED]> writes:
>
> > is /usr/ports/cryptlib the port you're referring to?
>
> No, I'm talking about the crypto distribution in the base system. I
> don't remember when it was folded into the main distribution, but for
> a long time it was separate because of concerns about export
> regulations and patent issues.
>
> > i've also read that make -DWITHOUT_KERBEROS=yes would also work, but it
> > didn't in my case.
> >
> > [Tue, Mar 29, 2005 at 09:14:07AM -0500]
> > This one time, at band camp, Lowell Gilbert said:
> >
> > > Redmond Militante <[EMAIL PROTECTED]> writes:
> > >
> > > > hi all
> > > >
> > > > i get this installing the openssh-portable port on a 4.8-RELEASE machine
> > > >
> > > > ===> Building for openssh-portable-3.9.0.1,1
> > > > if test ! -z ""; then /usr/bin/perl5 ./fixprogs ssh_prng_cmds ; fi
> > > > (cd openbsd-compat && make)
> > > > cc -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o
> > > > sshconnect1.o sshconnect2.o -L. -Lopenbsd-compat/ -L/usr/lib
> > > > -rpath=/usr/lib:/usr/local/lib -L/usr/local/lib -lssh -lopenbsd-compat
> > > > -lcrypto -lutil -lz -lcrypt -lkrb5 -lcrypto -lcom_err -lasn1 -lroken
> > > > /usr/lib/libkrb5.so: undefined reference to `des_is_weak_key'
> > > > /usr/lib/libkrb5.so: undefined reference to `des_pcbc_encrypt'
> > > > /usr/lib/libkrb5.so: undefined reference to `des_cfb64_encrypt'
> > > > /usr/lib/libkrb5.so: undefined reference to `des_cbc_encrypt'
> > > > /usr/lib/libkrb5.so: undefined reference to `des_set_odd_parity'
> > > > /usr/lib/libkrb5.so: undefined reference to `des_read_pw_string'
> > > > /usr/lib/libkrb5.so: undefined reference to `des_set_key'
> > > > /usr/lib/libkrb5.so: undefined reference to `des_ede3_cbc_encrypt'
> > > > /usr/lib/libkrb5.so: undefined reference to `des_cbc_cksum'
> > > > *** Error code 1
> > > >
> > > > Stop in /usr/ports/security/openssh-portable/work/openssh-3.9p1.
> > > > *** Error code 1
> > > >
> > > > Stop in /usr/ports/security/openssh-portable.
> > > >
> > > > any ideas on how to fix? cvsup'ing ports didn't work.
> > >
> > > I seem to recall DES being optional back when; you'll need to install
> > > it to get this linking. It should be in the crypto library.
> > >
> > > Or maybe my memory is just off...
> >
> > --
> > Redmond Militante
> > Software Engineer / Medill School of Journalism
> > FreeBSD 5.2.1-RELEASE-p13 #0: Mon Mar 28 17:07:51 CST 2005 i386
> > 11:15AM up 45 mins, 2 users, load averages: 0.00, 0.02, 0.05
>
> --
> Lowell Gilbert, embedded/networking software engineer, Boston area
> http://be-well.ilk.org/~lowell/

--
Redmond Militante
Software Engineer / Medill School of Journalism
FreeBSD 5.2.1-RELEASE-p13 #0: Mon Mar 28 17:07:51 CST 2005 i386
12:00PM up 2 days, 1:30, 1 user, load averages: 0.41, 0.16, 0.05
Re: error installing openssh-portable
hi

is /usr/ports/cryptlib the port you're referring to?

i've also read that make -DWITHOUT_KERBEROS=yes would also work, but it didn't in my case.

[Tue, Mar 29, 2005 at 09:14:07AM -0500]
This one time, at band camp, Lowell Gilbert said:
> Redmond Militante <[EMAIL PROTECTED]> writes:
>
> > hi all
> >
> > i get this installing the openssh-portable port on a 4.8-RELEASE machine
> >
> > ===> Building for openssh-portable-3.9.0.1,1
> > if test ! -z ""; then /usr/bin/perl5 ./fixprogs ssh_prng_cmds ; fi
> > (cd openbsd-compat && make)
> > cc -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o
> > sshconnect1.o sshconnect2.o -L. -Lopenbsd-compat/ -L/usr/lib
> > -rpath=/usr/lib:/usr/local/lib -L/usr/local/lib -lssh -lopenbsd-compat
> > -lcrypto -lutil -lz -lcrypt -lkrb5 -lcrypto -lcom_err -lasn1 -lroken
> > /usr/lib/libkrb5.so: undefined reference to `des_is_weak_key'
> > /usr/lib/libkrb5.so: undefined reference to `des_pcbc_encrypt'
> > /usr/lib/libkrb5.so: undefined reference to `des_cfb64_encrypt'
> > /usr/lib/libkrb5.so: undefined reference to `des_cbc_encrypt'
> > /usr/lib/libkrb5.so: undefined reference to `des_set_odd_parity'
> > /usr/lib/libkrb5.so: undefined reference to `des_read_pw_string'
> > /usr/lib/libkrb5.so: undefined reference to `des_set_key'
> > /usr/lib/libkrb5.so: undefined reference to `des_ede3_cbc_encrypt'
> > /usr/lib/libkrb5.so: undefined reference to `des_cbc_cksum'
> > *** Error code 1
> >
> > Stop in /usr/ports/security/openssh-portable/work/openssh-3.9p1.
> > *** Error code 1
> >
> > Stop in /usr/ports/security/openssh-portable.
> >
> > any ideas on how to fix? cvsup'ing ports didn't work.
>
> I seem to recall DES being optional back when; you'll need to install
> it to get this linking. It should be in the crypto library.
>
> Or maybe my memory is just off...

--
Redmond Militante
Software Engineer / Medill School of Journalism
FreeBSD 5.2.1-RELEASE-p13 #0: Mon Mar 28 17:07:51 CST 2005 i386
11:15AM up 45 mins, 2 users, load averages: 0.00, 0.02, 0.05
error installing openssh-portable
hi all

i get this installing the openssh-portable port on a 4.8-RELEASE machine

===> Building for openssh-portable-3.9.0.1,1
if test ! -z ""; then /usr/bin/perl5 ./fixprogs ssh_prng_cmds ; fi
(cd openbsd-compat && make)
cc -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect1.o sshconnect2.o -L. -Lopenbsd-compat/ -L/usr/lib -rpath=/usr/lib:/usr/local/lib -L/usr/local/lib -lssh -lopenbsd-compat -lcrypto -lutil -lz -lcrypt -lkrb5 -lcrypto -lcom_err -lasn1 -lroken
/usr/lib/libkrb5.so: undefined reference to `des_is_weak_key'
/usr/lib/libkrb5.so: undefined reference to `des_pcbc_encrypt'
/usr/lib/libkrb5.so: undefined reference to `des_cfb64_encrypt'
/usr/lib/libkrb5.so: undefined reference to `des_cbc_encrypt'
/usr/lib/libkrb5.so: undefined reference to `des_set_odd_parity'
/usr/lib/libkrb5.so: undefined reference to `des_read_pw_string'
/usr/lib/libkrb5.so: undefined reference to `des_set_key'
/usr/lib/libkrb5.so: undefined reference to `des_ede3_cbc_encrypt'
/usr/lib/libkrb5.so: undefined reference to `des_cbc_cksum'
*** Error code 1

Stop in /usr/ports/security/openssh-portable/work/openssh-3.9p1.
*** Error code 1

Stop in /usr/ports/security/openssh-portable.

any ideas on how to fix? cvsup'ing ports didn't work.

thanks
redmond

--
Redmond Militante
Software Engineer / Medill School of Journalism
FreeBSD 5.2.1-RELEASE-p10 #0: Wed Sep 29 17:17:49 CDT 2004 i386
2:00PM up 1:32, 1 user, load averages: 0.35, 0.16, 0.09
maxtor one touch usb 2.0 drive
hello

i have a 250 maxtor one touch usb 2/1.1 external hard drive, i'm trying to get it to work with my rel_end 5.21 box. i have

device scbus
device da
device pass
device uhci
device ohci
device usb
device umass

in my kernel. i'm trying to fdisk the drive to partition it right now, but when i plug it in, it's not showing up in dmesg (no umass or da0 device appears in dmesg). am i missing a step or is this device even incompatible?

thanks

--
Redmond Militante
Software Engineer / Medill School of Journalism
FreeBSD 5.2.1-RELEASE-p10 #0: Wed Sep 29 17:17:49 CDT 2004 i386
12:45AM up 3 days, 10:45, 2 users, load averages: 0.58, 0.94, 0.96
Re: httpd in /tmp - Sound advice sought
ok

[Tue, Feb 08, 2005 at 02:40:19PM -0600]
This one time, at band camp, Bret Walker said:
> Thanks.
> Could you send me your conf file for portsentry so I can see how you do
> it?
> Bret
>
> -----Original Message-----
> From: Redmond Militante [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, February 08, 2005 2:21 PM
> To: Bret Walker
> Subject: Re: httpd in /tmp - Sound advice sought
>
>
> [Tue, Feb 08, 2005 at 01:43:36PM -0600]
> This one time, at band camp, Bret Walker said:
>
> > I do read it, but not every day (weekends, especially).
> >
>
> i use logcheck to mail me the messages log every 15 mins
>
> > Do you have a way for suspicious activity to be reported to you?
> >
>
> logcheck, and portsentry as well
>
> > Also, I'm tarring /usr and am going to run a diff on it compared to a
> > clean install.
> >
> > Bret
> >
> > -----Original Message-----
> > From: Redmond Militante [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, February 08, 2005 1:45 PM
> > To: Bret Walker
> > Subject: Re: httpd in /tmp - Sound advice sought
> >
> >
> > hi
> >
> > [Tue, Feb 08, 2005 at 10:46:19AM -0600]
> > This one time, at band camp, Bret Walker said:
> >
> > > Redmond-
> > >
> > > Here is the response I got from the list.
> > >
> > > I also found another file - shellbind.c - it's essentially this -
> > > http://www.derkeiler.com/Mailing-Lists/Securiteam/2002-06/0073.html
> > > (although phpBB has never been installed).
> > >
> > > I had register_globals on in PHP for a month+ because a reservation
> > > system I was using required them. I now know better. We also had php
> > > errors set to display for a while as bugs were being worked out.
> > >
> > > The owner of this file is www, so it was put in /tmp by the apache
> > > daemon. I messed the file up trying to tar it, so I can't get a good
> > > md5. Register globals and php file uploads are both off now. I don't
> > > think the system was compromised because anything written to /tmp
> > > (which is the temp dir php defaults to) could not be executed.
> > >
> > > Do you think we're safe to continue as is?
> > >
> >
> > this person is telling you that slapper is nothing to worry about
> > because it's a linux only virus - but if you didn't put httpd in /tmp
> > then you should be worried about this situation.
> >
> > this is probably your call what you want to do.
> >
> > > Also, I would like to talk with you about what preventative measures
> > > you take with herald. I know you run tripwire, but what else do you
> > > do on a regular basis?
> > >
> >
> > one thing i do is i read /var/log/messages every day. do you do that?
> >
> > > Bret
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Mark A. Garcia
> > > Sent: Tuesday, February 08, 2005 9:57 AM
> > > To: Bret Walker
> > > Cc: freebsd-questions@freebsd.org
> > > Subject: Re: httpd in /tmp - Sound advice sought
> > >
> > >
> > > Bret Walker wrote:
> > >
> > > >Last night, I ran chkrootkit and it gave me a warning about being
> > > >infected with Slapper. Slapper exploits vulnerabilities in OpenSSL
> > > >up to version 0.96d or older on Linux systems. I have only run
> > > >0.97d. The file that set chkrootkit off was httpd which was located
> > > >in /tmp. /tmp is always mounted rw, noexec.
> > > >
> > > >I update my packages (which are installed via ports) any time there
> > > >is a security update. I'm running Apache 1.3.33/PHP 4.3.10/mod_ssl
> > > >2.8.22/OpenSSL 0.97d on 4.10. Register_globals was on in PHP for a
> > > >couple of weeks, but the only code that required it to be on was in a
> > > >.htaccess/SSL password protected directory.
> > > >
> > > >Tripwire didn't show anything that I noted as odd. I reexamined the
> > > >tripwire logs, which are e-mailed to an account off of the machine
> > > >immediately after completion, and I don't see anything odd for the
> > > >3/4 days before or after the date on the file. (I don't scan /tmp)
> > > >
> > > >I stupidly deleted the httpd file from /tmp, w
Re: httpd in /tmp - Sound advice sought
[Tue, Feb 08, 2005 at 01:43:36PM -0600]
This one time, at band camp, Bret Walker said:
> I do read it, but not every day (weekends, especially).
>

i use logcheck to mail me the messages log every 15 mins

> Do you have a way for suspicious activity to be reported to you?
>

logcheck, and portsentry as well

> Also, I'm tarring /usr and am going to run a diff on it compared to a
> clean install.
>
> Bret
>
> -----Original Message-----
> From: Redmond Militante [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, February 08, 2005 1:45 PM
> To: Bret Walker
> Subject: Re: httpd in /tmp - Sound advice sought
>
>
> hi
>
> [Tue, Feb 08, 2005 at 10:46:19AM -0600]
> This one time, at band camp, Bret Walker said:
>
> > Redmond-
> >
> > Here is the response I got from the list.
> >
> > I also found another file - shellbind.c - it's essentially this -
> > http://www.derkeiler.com/Mailing-Lists/Securiteam/2002-06/0073.html
> > (although phpBB has never been installed).
> >
> > I had register_globals on in PHP for a month+ because a reservation
> > system I was using required them. I now know better. We also had php
> > errors set to display for a while as bugs were being worked out.
> >
> > The owner of this file is www, so it was put in /tmp by the apache
> > daemon. I messed the file up trying to tar it, so I can't get a good
> > md5. Register globals and php file uploads are both off now. I don't
> > think the system was compromised because anything written to /tmp
> > (which is the temp dir php defaults to) could not be executed.
> >
> > Do you think we're safe to continue as is?
> >
>
> this person is telling you that slapper is nothing to worry about because
> it's a linux only virus - but if you didn't put httpd in /tmp then you
> should be worried about this situation.
>
> this is probably your call what you want to do.
>
> > Also, I would like to talk with you about what preventative measures
> > you take with herald. I know you run tripwire, but what else do you
> > do on a regular basis?
> >
>
> one thing i do is i read /var/log/messages every day. do you do that?
>
> > Bret
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Mark A. Garcia
> > Sent: Tuesday, February 08, 2005 9:57 AM
> > To: Bret Walker
> > Cc: freebsd-questions@freebsd.org
> > Subject: Re: httpd in /tmp - Sound advice sought
> >
> >
> > Bret Walker wrote:
> >
> > >Last night, I ran chkrootkit and it gave me a warning about being
> > >infected with Slapper. Slapper exploits vulnerabilities in OpenSSL
> > >up to version 0.96d or older on Linux systems. I have only run
> > >0.97d. The file that set chkrootkit off was httpd which was located
> > >in /tmp. /tmp is always mounted rw, noexec.
> > >
> > >I update my packages (which are installed via ports) any time there
> > >is a security update. I'm running Apache 1.3.33/PHP 4.3.10/mod_ssl
> > >2.8.22/OpenSSL 0.97d on 4.10. Register_globals was on in PHP for a
> > >couple of weeks, but the only code that required it to be on was in a
> > >.htaccess/SSL password protected directory.
> > >
> > >Tripwire didn't show anything that I noted as odd. I reexamined the
> > >tripwire logs, which are e-mailed to an account off of the machine
> > >immediately after completion, and I don't see anything odd for the
> > >3/4 days before or after the date on the file. (I don't scan /tmp)
> > >
> > >I stupidly deleted the httpd file from /tmp, which was smaller than
> > >the actual apache httpd. And I don't back up /tmp.
> > >
> > >The only info I can find regarding this file being in /tmp pertains
> > >to Slapper. Could something have copied a file there? Could I have
> > >done it by mistake at some point - the server's been up ~60 days,
> > >plenty of time for me to forget something?
> > >
> > >This is production box that I very much want to keep up, so I'm
> > >seeking some sound advice.
> > >
> > >Does this box need to be rebuilt? How could a file get written to
> > >/tmp, and is it an issue since it couldn't be executed? I run
> > >tripwire nightly, and haven't seen anything odd to the best of my
> > >recollection. I also check ipfstat -t frequently to see if any odd
Re: httpd in /tmp - Sound advice sought
> worried. Running tripwire and
> chrootkit on a periodic basis should help. Re-installing the os isn't
> your only solution, but it does give comfort knowing that after a
> reinstall, and locking down the box, no one has a in on your system.
> This could be overboard though.
>
> You also might want to consider enabling the clean_tmp scripts. Next
> time tar up those suspicious files, a quick forensics on them can do
> wonders (md5sum, timestamps, ownership, permissions.)
>
> Cheers,
> -.mag
> ___
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "[EMAIL PROTECTED]"

--
Redmond Militante
Software Engineer / Medill School of Journalism
FreeBSD 5.2.1-RELEASE-p10 #0: Wed Sep 29 17:17:49 CDT 2004 i386
1:30PM up 1 day, 1:21, 2 users, load averages: 0.00, 0.04, 0.19
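Mark's suggestion above (tar up the suspicious file and record its md5sum, timestamps, ownership and permissions before anything else touches it) as a small script, added here as an example; it is not part of the thread and not a tool any of the posters used. It records the metadata first, then copies with cp -p so the copy keeps the original timestamps and mode, and never runs the file. The output directory and the hash-tool fallback order are assumptions; the self-check uses a constructed file, not a real sample.

```shell
#!/bin/sh
# Added example, not from the thread. Collects what Mark suggested
# (hash, timestamps, ownership, permissions) from a suspicious file BEFORE
# it is moved or tarred, then archives a metadata-preserving copy together
# with the report. Paths are assumptions; nothing here executes the file.

# pick_hash_tool: print the first available hash command (GNU or BSD names).
pick_hash_tool() {
    for t in sha256sum sha256 md5sum md5; do
        if command -v "$t" >/dev/null 2>&1; then
            printf '%s\n' "$t"
            return 0
        fi
    done
    return 1
}

# preserve_evidence FILE OUTDIR
# Writes OUTDIR/<name>.report and OUTDIR/<name>.tar, prints the report path.
preserve_evidence() {
    f="$1"; out="$2"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    mkdir -p "$out" || return 1
    name=$(basename "$f")
    report="$out/$name.report"
    {
        echo "collected: $(date -u '+%Y-%m-%dT%H:%M:%SZ')"
        echo "path: $f"
        # ls -l is POSIX and shows mode, owner, group, size and mtime on both
        # FreeBSD and Linux; stat(1) takes different flags on each.
        echo "listing: $(ls -ld "$f")"
        if tool=$(pick_hash_tool); then
            echo "hash: $("$tool" "$f")"
        else
            echo "hash: unavailable (no sha256sum/sha256/md5sum/md5 found)"
        fi
        if command -v file >/dev/null 2>&1; then
            echo "type: $(file "$f")"
        fi
    } > "$report"
    # cp -p keeps mode and timestamps (and owner when run as root), so the
    # copy still shows what the original looked like on disk.
    cp -p "$f" "$out/$name.copy" || return 1
    ( cd "$out" && tar -cf "$name.tar" "$name.copy" "$name.report" ) || return 1
    printf '%s\n' "$report"
}

# Self-check on a constructed file (not a real sample) in a temporary dir.
selfcheck_preserve() {
    tmp=$(mktemp -d) || return 1
    printf 'not really a binary\n' > "$tmp/httpd"
    chmod 600 "$tmp/httpd"
    rep=$(preserve_evidence "$tmp/httpd" "$tmp/evidence") || return 1
    grep -q '^hash: ' "$rep" && grep -q '^listing: -rw-------' "$rep" \
        && [ -f "$tmp/evidence/httpd.tar" ]
}
```

Usage: preserve_evidence /tmp/httpd /var/evidence (both paths assumed) as root, then keep the .tar somewhere the web server's uid cannot reach; the report is what a diff against a clean install or a tripwire database can be compared to later.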
trouble with rsync script - large tar files
hi

i have a 'push' type rsync script, which pushes out tar backup files to a backup repository machine that looks like

/usr/local/bin/rsync -e ssh -avz --delete --stats /usr/home/user/backupserver*tar.gz server2:/mnt/drive2/serverdailybackup/

this script rsyncs over ssh, over a short distance w t1 connections at both ends and works fine.

i have a 'pull' type rsync script which pulls tar backups from the backup repository machine that looks like

/usr/local/bin/rsync -e ssh -avz --delete --stats server2:/mnt/drive2/serverdailybackup/backupserverusrlocal.tar.gz /mnt/drive2/serverbackup/

this script rsyncs over ssh, over a long distance - the two machines are not in the same building, geographically like 10 miles apart. this script is pulling some large tar files, some 1-2 gig in size. it has yet to finish pulling tar files off the repository. it usually cuts off before it completes - i get:

'read from remote host host.ip.address.com: connection reset by peer
rsync: connection unexpectedly closed...'

any advice on how to modify either the ssh setup on either host, or the script itself, so that rsync through the second script would be stable enough to allow the rsync operation to finish completely?

in the second script, we're doing a 'pull' rsync operation from host a (on cable modem), to host b (t1). in the first script, we're doing a 'push' rsync operation from host c (t1) to host b (t1).

thanks for any advice.

--
Redmond Militante
Software Engineer / Medill School of Journalism
FreeBSD 5.2.1-RELEASE-p10 #0: Wed Sep 29 17:17:49 CDT 2004 i386
9:45AM up 21:57, 1 user, load averages: 0.01, 0.18, 0.24
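A retry wrapper for the 'pull' script in the post above, added here as an example; it is not the poster's script and nobody in the thread supplied it. It keeps the post's source and destination paths and adds rsync's --partial and --timeout options plus ssh's ServerAliveInterval/ServerAliveCountMax, so a connection reset part-way through a 1-2 GB tar file is retried instead of restarted from zero. The attempt count, sleep and binary path (RSYNC_BIN, MAX_ATTEMPTS, RETRY_SLEEP) are assumptions.

```shell
#!/bin/sh
# Added example; not the poster's script and not from rsync's documentation.
# Wraps the 'pull' rsync in a retry loop so that "connection reset by peer"
# part-way through a large tar file does not discard what already arrived:
#   --partial          keep a partially transferred file for the next attempt
#   --timeout=300      fail (and so retry) on a stalled transfer instead of hanging
#   ServerAliveInterval / ServerAliveCountMax  let ssh notice a dead link and
#                      keep NAT/firewall state alive over the long-distance hop
# The retry count, sleep and binary path are assumptions.

RSYNC_BIN="${RSYNC_BIN:-/usr/local/bin/rsync}"
MAX_ATTEMPTS="${MAX_ATTEMPTS:-5}"
RETRY_SLEEP="${RETRY_SLEEP:-60}"
RSYNC_ATTEMPTS=0   # set by rsync_pull_retry: number of attempts made

# rsync_pull SRC DST : one attempt; the exit status is rsync's own.
rsync_pull() {
    "$RSYNC_BIN" -e 'ssh -o ServerAliveInterval=30 -o ServerAliveCountMax=4' \
        -avz --partial --timeout=300 --delete --stats "$1" "$2"
}

# rsync_pull_retry SRC DST : retry until rsync exits 0 or attempts run out.
# Returns 0 on success, 1 if every attempt failed.
rsync_pull_retry() {
    src="$1"; dst="$2"; attempt=1
    while :; do
        RSYNC_ATTEMPTS=$attempt
        rsync_pull "$src" "$dst" && return 0
        rc=$?
        if [ "$attempt" -ge "$MAX_ATTEMPTS" ]; then
            echo "rsync failed after $attempt attempts (last exit status $rc)" >&2
            return 1
        fi
        echo "rsync attempt $attempt failed (exit status $rc); retrying in ${RETRY_SLEEP}s" >&2
        attempt=$((attempt + 1))
        sleep "$RETRY_SLEEP"
    done
}

# Script mode (sh pull-backup.sh run): the pull from the post, with retries.
if [ "${1:-}" = "run" ]; then
    rsync_pull_retry \
        server2:/mnt/drive2/serverdailybackup/backupserverusrlocal.tar.gz \
        /mnt/drive2/serverbackup/
fi
```

Because --delete is kept from the original command, a successful run still removes files on the pull side that no longer exist on server2; if that is not wanted on a retry-heavy link, drop it from rsync_pull.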
limit login attempts with pam
hello

i'm interested in configuring PAM on my 4x system so that a user is locked out of ignored if trying to log in unsuccessfully via ftp within the space of a minute or so. i'm trying to eliminate brute force attacks...

can anyone point me towards some good tutorials on how to do this?

thanks
redmond

--
Redmond Militante
Software Engineer / Medill School of Journalism
FreeBSD 5.2.1-RELEASE-p9 #0: Thu Jul 1 14:36:26 CDT 2004 i386
10:15AM up 10 days, 16:19, 3 users, load averages: 0.08, 0.09, 0.08
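The detection half of what the post asks for, added here as an example (not from the post, and not a PAM module): an awk sliding-window count of failed FTP logins per source host, which is what a lockout rule, a firewall block list or a logcheck-style alert would key on. The log lines are constructed for this example in the shape FreeBSD's ftpd writes when run with -l ("FTP LOGIN FAILED FROM host, user"); that line format, the threshold and the window are assumptions and the pattern needs adjusting for another daemon.

```shell
#!/bin/sh
# Added example, not from the original post. Flags source hosts that failed
# FTP login at least THRESHOLD times within any WINDOW-second span, using a
# per-host sliding window. Log line shape is assumed (FreeBSD ftpd -l style);
# all timestamps are taken to be from the same day.

# find_ftp_bruteforce THRESHOLD WINDOW  (reads the log on stdin)
# Prints "host count" once per flagged host, where count is the number of
# failures in the window at the moment the threshold was first crossed.
find_ftp_bruteforce() {
    awk -v thr="$1" -v win="$2" '
        /FTP LOGIN FAILED FROM/ {
            # $3 is HH:MM:SS of the syslog timestamp ($1 $2 are month and day)
            split($3, t, ":")
            secs = t[1] * 3600 + t[2] * 60 + t[3]
            # host is the token after "FROM", minus its trailing comma
            for (i = 1; i <= NF; i++) if ($i == "FROM") { host = $(i + 1); break }
            sub(/,$/, "", host)
            n[host]++
            ts[host, n[host]] = secs
            # slide the window start forward until it is within win seconds
            if (!(host in start)) start[host] = 1
            while (secs - ts[host, start[host]] > win) start[host]++
            cnt = n[host] - start[host] + 1
            if (cnt >= thr && !(host in flagged)) {
                flagged[host] = cnt
                order[++k] = host
            }
        }
        END { for (j = 1; j <= k; j++) print order[j], flagged[order[j]] }'
}

# Constructed sample log (not real traffic). 198.51.100.7 fails 5 times in
# 11 seconds; 203.0.113.9 fails 5 times but 90 seconds apart; 203.0.113.5
# fails once and then succeeds.
SAMPLE_AUTH_LOG='Jul 12 10:15:01 host ftpd[1201]: FTP LOGIN FAILED FROM 198.51.100.7, admin
Jul 12 10:15:03 host ftpd[1202]: FTP LOGIN FAILED FROM 198.51.100.7, root
Jul 12 10:15:05 host ftpd[1203]: FTP LOGIN FAILED FROM 198.51.100.7, test
Jul 12 10:15:08 host ftpd[1204]: FTP LOGIN FAILED FROM 198.51.100.7, guest
Jul 12 10:15:12 host ftpd[1205]: FTP LOGIN FAILED FROM 198.51.100.7, redmond
Jul 12 10:20:00 host ftpd[1210]: FTP LOGIN FAILED FROM 203.0.113.5, redmond
Jul 12 10:25:00 host ftpd[1211]: FTP LOGIN FROM 203.0.113.5, redmond
Jul 12 10:30:00 host ftpd[1220]: FTP LOGIN FAILED FROM 203.0.113.9, bob
Jul 12 10:31:30 host ftpd[1221]: FTP LOGIN FAILED FROM 203.0.113.9, bob
Jul 12 10:33:00 host ftpd[1222]: FTP LOGIN FAILED FROM 203.0.113.9, bob
Jul 12 10:34:30 host ftpd[1223]: FTP LOGIN FAILED FROM 203.0.113.9, bob
Jul 12 10:36:00 host ftpd[1224]: FTP LOGIN FAILED FROM 203.0.113.9, bob'

# Script mode: sh ftp-bruteforce.sh 5 60 < /var/log/auth.log
if [ "$#" -ge 2 ]; then
    find_ftp_bruteforce "$1" "$2"
fi
```

With a threshold of 5 failures in 60 seconds only 198.51.100.7 is reported; widening the window to 10 minutes and lowering the threshold to 3 also catches the slow attempt from 203.0.113.9, which is the trade-off a lockout rule has to make between catching slow guessing and locking out a user who mistypes a password a few times.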
Stop in /usr/ports/x11-toolkits/tk84/work/tk8.4.6/unix.
hi

i'm getting another error attempting to reinstall kde on my machine. the errors are related to x11-toolkits/tk84

sample...

/usr/ports/x11-toolkits/tk84/work/tk8.4.6/generic/tk3d.h:97: error: syntax error before "void"
/usr/ports/x11-toolkits/tk84/work/tk8.4.6/generic/tk3d.c:23: error: syntax error before "char"
/usr/ports/x11-toolkits/tk84/work/tk8.4.6/generic/tk3d.c:31: error: syntax error before "_ANSI_ARGS_"
/usr/ports/x11-toolkits/tk84/work/tk8.4.6/generic/tk3d.c:32: error: syntax error before "_ANSI_ARGS_"
/usr/ports/x11-toolkits/tk84/work/tk8.4.6/generic/tk3d.c:34: error: syntax error before "_ANSI_ARGS_"
/usr/ports/x11-toolkits/tk84/work/tk8.4.6/generic/tk3d.c:35: error: syntax error before "_ANSI_ARGS_"
/usr/ports/x11-toolkits/tk84/work/tk8.4.6/generic/tk3d.c:37: error: syntax error before "_ANSI_ARGS_"
/usr/ports/x11-toolkits/tk84/work/tk8.4.6/generic/tk3d.c:38: error: syntax error before "_ANSI_ARGS_"
/usr/ports/x11-toolkits/tk84/work/tk8.4.6/generic/tk3d.c:50: warning: initialization makes integer from pointer without a cast
/usr/ports/x11-toolkits/tk84/work/tk8.4.6/generic/tk3d.c:51: error: `FreeBorderObjProc' undeclared here (not in a function)
/usr/ports/x11-toolkits/tk84/work/tk8.4.6/generic/tk3d.c:51: warning: excess elements in scalar initializer
/usr/ports/x11-toolkits/tk84/work/tk8.4.6/generic/tk3d.c:51: warning: (near initialization for `tkBorderObjType')
/usr/ports/x11-toolkits/tk84/work/tk8.4.6/generic/tk3d.c:52: error: `DupBorderObjProc' undeclared here (not in a function)
/usr/ports/x11-toolkits/tk84/work/tk8.4.6/generic/tk3d.c:52: warning: excess elements in scalar initializer
/usr/ports/x11-toolkits/tk84/work/tk8.4.6/generic/tk3d.c:52: warning: (near initialization for `tkBorderObjType')
/usr/ports/x11-toolkits/tk84/work/tk8.4.6/generic/tk3d.c:53: warning: excess elements in scalar initializer
/usr/ports/x11-toolkits/tk84/work/tk8.4.6/generic/tk3d.c:53: warning: (near initialization for `tkBorderObjType')
/usr/ports/x11-toolkits/tk84/work/tk8.4.6/generic/tk3d.c:55: warning: excess elements in scalar initializer
/usr/ports/x11-toolkits/tk84/work/tk8.4.6/generic/tk3d.c:55: warning: (near initialization for `tkBorderObjType')
/usr/ports/x11-toolkits/tk84/work/tk8.4.6/generic/tk3d.c:55: warning: data definition has no type or storage class
/usr/ports/x11-toolkits/tk84/work/tk8.4.6/generic/tk3d.c:83: error: syntax error before "Tcl_Interp"
/usr/ports/x11-toolkits/tk84/work/tk8.4.6/generic/tk3d.c:85: error: syntax error before '*' token
/usr/ports/x11-toolkits/tk84/work/tk8.4.6/generic/tk3d.c:85: warning: data definition has no type or storage class
/usr/ports/x11-toolkits/tk84/work/tk8.4.6/generic/tk3d.c:87: error: syntax error before '{' token
*** Error code 1

Stop in /usr/ports/x11-toolkits/tk84/work/tk8.4.6/unix.
*** Error code 1

Stop in /usr/ports/x11-toolkits/tk84.
*** Error code 1

Stop in /usr/ports/x11-toolkits/tk84.

has anyone seen this? fresh install of freebsd5.2.1, ports tree is cvsupp'd, portupgrade -rf gettext, portupgrade -rf textproc/expat2. i've been trying to compile kde on this box for a couple of days now, and i keep hitting these random errors...

any advice appreciated

thanks
redmond

--
Redmond Militante
Software Engineer / Medill School of Journalism
FreeBSD 5.2.1-RELEASE-p5 #0: Fri Apr 16 06:34:06 CDT 2004 i386
5:30AM up 2 days, 7:09, 5 users, load averages: 0.00, 0.00, 0.00
libgthread error building arts
hi

i'm having trouble building kde3 on a freshly installed box. the ports tree has been cvsupp'ed, i've portupgraded -rf gettext, and portupgraded -rf textproc/expat2.

the kde3 install errors out while installing arts. the error i get is

/usr/local/lib/libgthread-2.0.so: undefined reference to 'pthread_attr_destroy'
/usr/local/lib/libgthread-2.0.so: undefined reference to 'pthread_create'
/usr/local/lib/libgthread-2.0.so: undefined reference to 'pthread_attr_init'
...
gmake[2] *** [mcopid1] Error 1
gmake[2] Leaving directory '/usr/ports/audio/arts/work/arts-1.2.2/mcopid1'
gmake[1] *** [all-recursive] Error 1
gmake[1] Leaving directory '/usr/ports/audio/arts/work/arts-1.2.2/'
gmake[1] *** [all] Error 2
*** Error code 2

i've tried to google this one. all i could find were references to people having the same sort of problem while installing other apps, but no solution.

anyone know what's going on?

thanks
redmond

--
Redmond Militante
Software Engineer / Medill School of Journalism
FreeBSD 5.2.1-RELEASE-p5 #0: Fri Apr 16 06:34:06 CDT 2004 i386
11:00AM up 1 day, 12:39, 6 users, load averages: 0.41, 0.09, 0.03
PERC3 SCSI RAID firmware upgrade dell poweredge 1650
hi all

does anyone on the list have any production dell poweredge 1650 servers? we have several. we recently got a memo from our dell reps that there is a firmware upgrade to the PERC3 dual channel SCSI raid cards. this firmware upgrade is supposedly a preventative measure - apparently, dell has had some experience with the cards not being able to recover after one of the raid controllers goes down, they explained to me on the phone that this firmware upgrade is pretty much mandatory.

of course, since our boxen are running freebsd 4.6-4.9-RELENG, the dell rep who came over to our server room to run the firmware upgrade would not touch them. he left a disk for me to do this myself - apparently, the firmware upgrade involves booting to a cdrom which applies the firmware for you, rebooting, then hitting control-m to get into the perc3 management console, running a consistency check (could take an hour or so), then rebooting into the o/s. they informed me that i would not have to upgrade the kernel or download patches for freebsd's native scsi raid drivers for this card.

has anyone applied the firmware upgrade to their own dells? seems relatively straightforward, but thought i'd check with the list before taking down machines that have been running flawlessly for almost a year to apply something which may be arbitrary...

thanks
redmond

--
FreeBSD 5.2-RELEASE-p2
FreeBSD 5.2-RELEASE-p2 #0: Wed Feb 11 13:58:31 CST 2004
6:00PM up 5 days, 3:26, 4 users, load averages: 0.21, 0.18, 0.29
Conceit causes more conversation than wit. -- LaRouchefoucauld
sharity-light/winxp issues
hi all

i almost have sharity-light working well enough to be able to map a windows share to my freebsd5.1 box. the two machines are:

1. Freebsd 5.1-RELEASE, DHCP but i'm using dyndns.org to map the address of 'machine1.gotdns.org' to this machine, ipfilter enabled
2. Windows Xp pro, DHCP but i'm using dyndns.org to map the address of 'machine2.gotdns.org' to this machine, windows xp built in firewall turned on

i'm able to successfully map a windows share on the winxp machine using as root:

shlight //24.24.24.24/files /mnt/win -U username -P password

in order to do this i had to disable the built in windows firewall on the winxp box. is there a way to do this without having to disable the built in windows firewall entirely? or is there a way to set up a stateful connection from a specific ip address using the windows built in firewall? (i doubt it)

also - if you notice, i've had to use the 24.24.24.24 ip address in my line above. i have to use the ip address, and to put the following line in my /etc/hosts to get this working

24.24.24.24 machine2.gotdns.org machine2

i'd really like to use 'machine2' or 'machine2.gotdns.org' in my sharity-light command, but it doesn't seem to like it (says either machine name doesn't exist or is too long). this kind of defeats the purpose of using dyndns.org for dhcp mapping to a hostname. is there any way around this, so i don't have to edit my /etc/hosts every time my ip address changes?

any comments welcome...

--
FreeBSD 5.1-RELEASE-p10 FreeBSD 5.1-RELEASE-p10 #0: Fri Oct 3 21:30:51 CDT 2003
12:00PM up 22 days, 9:12, 5 users, load averages: 0.01, 0.09, 0.19
Oh, I don't blame Congress. If I had $600 billion at my disposal, I'd be irresponsible, too. -- Lichty & Wagner
php4-cli install with mod_php4
hi all

i'd like to run a php file as a cron job on my apache box. in order to do this, i'm trying to install /usr/ports/lang/php4-cli. i cd to the dir, make install clean, set php compile options, etc. it errors out like this:

--snip--
# make install
===> Installing for php4-cli-4.3.4_2
===> php4-cli-4.3.4_2 conflicts with installed package(s):
mod_php4-4.3.4_2,1
They install files into the same place.
Please remove them first with pkg_delete(1).
*** Error code 1

Stop in /usr/ports/lang/php4-cli.
*** Error code 1

Stop in /usr/ports/lang/php4-cli.
--snip--

what's the best way to get php4-cli installed on a box with mod_php4? any suggestions would be appreciated

thanks

redmond

--
FreeBSD 5.1-RELEASE-p10 FreeBSD 5.1-RELEASE-p10 #0: Fri Oct 3 21:30:51 CDT 2003
12:30PM up 14 days, 9:42, 5 users, load averages: 0.00, 0.05, 0.09
Bare feet magnetize sharp metal objects so they point upward from the floor -- especially in the dark.
apache/auth_ldap authentication to win2k active directory
hi all

i've been given the task of setting up ldap authentication against a windows 2000 active directory from a webpage served up by our apache box. the documentation that exists for this is sparse. so far, i've:

installed auth_ldap as an apache module
recompiled php4 for openldap support
recompiled apache for modssl support

i've been going through the examples listed on http://www.rudedog.org/auth_ldap/ (auth_ldap homepage) - but the examples listed on this page are mainly for iPlanet, no examples are given for windows active directory authentication, just some notes on the subject...

ideally, i'd like to have a webpage/pages protected by .htaccess that authenticates against my win2k pdc. i've tried the following in my httpd.conf file

#
#Options Indexes FollowSymLinks
#AllowOverride None
#Order allow,deny
#Allow from all
#AuthLDAPEnabled on
#AuthLDAPAuthoritative on
#AuthName "Secure Access"
#AuthType Basic
#AuthLDAPBindDN CN=users,DC=my.domaincontroller.edu,DC=edu
#AuthLDAPBindPassword MyP4sswurd
#AuthLDAPUrl ldap://my.domaincontroller.edu:389/DC=my.domaincontroller.edu,DC=edu?sAMAccountName?sub?(objectClass*)
#require valid-user
#

(these have been commented out, but it wasn't working when i tried it, i didn't even get a login prompt)

i'm kind of unsure if my syntax above is ok, whether or not i've compiled in the right modules/options, whether i should be putting the above directives directly into my httpd.conf file, or whether i should put these into an .htaccess file, etc.

anyone have any experience with auth_ldap/apache authentication to a win2k active directory? any pointers or recommendations would be welcome.

thanks

redmond

--
FreeBSD 5.1-RELEASE-p10 FreeBSD 5.1-RELEASE-p10 #0: Fri Oct 3 21:30:51 CDT 2003
9:30AM up 1:11, 4 users, load averages: 0.03, 0.01, 0.05
Death is Nature's way of recycling human beings.
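An added example, not code from the post above or from the auth_ldap project: a small parser for the ldap:// URL that the AuthLDAPUrl directive takes (RFC 2255 layout, ldap://host:port/basedn?attributes?scope?filter). It applies the RFC defaults and reports syntax problems in the base DN, scope and search filter before the directive goes into httpd.conf, which is where a bad filter otherwise shows up only as "no login prompt". Hostnames and DNs in it are constructed placeholders.

```python
"""Parse an LDAP URL of the shape auth_ldap takes in its AuthLDAPUrl directive
(RFC 2255: ldap://host:port/basedn?attributes?scope?filter) and report syntax
problems before the URL goes into httpd.conf.

Added example, not code from the original post or from the auth_ldap project.
Hostnames and DNs below are constructed placeholders.
"""
import re
from dataclasses import dataclass, field
from typing import List
from urllib.parse import unquote, urlsplit

# One RDN component: attribute=value (escaped commas inside values are not handled).
DN_COMPONENT_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")
# One filter leaf: (attr op value) with op in =, ~=, >=, <=.
LEAF_RE = re.compile(r"^\(([A-Za-z][\w.;-]*)(=|~=|>=|<=)([^()]*)\)$")
SCOPES = ("base", "one", "sub")


def validate_filter(flt: str) -> List[str]:
    """Problems found in an RFC 2254 search filter (simplified grammar: leaves
    plus &, | and ! compounds)."""
    problems: List[str] = []

    def walk(s: str) -> None:
        if not (s.startswith("(") and s.endswith(")")):
            problems.append(f"filter {s!r} must be parenthesised")
            return
        body = s[1:-1]
        if body and body[0] in "&|!":
            depth, start, children = 0, 0, []
            for i, ch in enumerate(body[1:], 1):
                if ch == "(":
                    if depth == 0:
                        start = i
                    depth += 1
                elif ch == ")":
                    depth -= 1
                    if depth == 0:
                        children.append(body[start:i + 1])
            if depth != 0 or not children:
                problems.append(f"unbalanced or empty compound filter {s!r}")
                return
            for child in children:
                walk(child)
        elif not LEAF_RE.match(s):
            problems.append(f"filter item {s!r} is not attr=value (missing '='?)")

    walk(flt)
    return problems


@dataclass
class LdapUrl:
    host: str
    port: int
    base_dn: str
    attributes: List[str]
    scope: str
    filter: str
    problems: List[str] = field(default_factory=list)


def parse_ldap_url(url: str) -> LdapUrl:
    """Split an ldap:// or ldaps:// URL into its parts, applying the RFC 2255
    defaults (scope base, filter (objectClass=*)) and collecting problems."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url!r}")
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    base_dn = unquote(parts.path.lstrip("/"))
    segs = parts.query.split("?") if parts.query else []
    attributes = [a for a in segs[0].split(",") if a] if segs else []
    scope = (segs[1] or "base") if len(segs) > 1 else "base"
    flt = unquote(segs[2]) if len(segs) > 2 and segs[2] else "(objectClass=*)"

    problems: List[str] = []
    if not base_dn:
        problems.append("empty base DN")
    for comp in [c.strip() for c in base_dn.split(",") if base_dn]:
        if not DN_COMPONENT_RE.match(comp):
            problems.append(f"DN component {comp!r} is not attr=value")
        elif comp.upper().startswith("DC=") and "." in comp:
            # Active Directory DNs carry one DNS label per DC= component.
            problems.append(f"{comp!r} holds a dotted name; write one DC= per label")
    if scope not in SCOPES:
        problems.append(f"scope {scope!r} is not one of {SCOPES}")
    problems.extend(validate_filter(flt))
    return LdapUrl(parts.hostname or "", port, base_dn, attributes, scope, flt, problems)
```

Whatever URL ends up in the directive, the AuthLDAPBindPassword beside it is a directory credential stored in clear text, so the file holding it (httpd.conf or an .htaccess) should be readable only by root and the web server user, and the bind account should have read-only rights to the directory.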
weird ftp-related logcheck msgs
hi all

the last couple of days, i've noticed strange security notifications sent to the root user of one of my boxen. this box is running proftpd as an ftp server. the messages appear whenever somebody authenticates via ftp. most often, it's me ftp'ing to the machine, so it's probably not someone doing something malicious (just in case, i ran chkrootkit and yafic, which turn up clean...)

the messages look like

Oct 10 11:27:06 server proftpd[45750]: server.com (my.box.com[129.xxx.xx.xx]) - PAM(secure): Permission denied.
Oct 10 11:17:25 server sendmail[45703]: h9AGHPbK045703: h9AGHPbL045703: DSN: To:... List:; syntax illegal for recipient addresses
Oct 10 11:17:41 server sendmail[45708]: h9AGHfPB045708: h9AGHfPC045708: DSN: To:... List:; syntax illegal for recipient addresses
Oct 10 11:18:43 server sendmail[45715]: h9AGIhBK045715: h9AGIhBL045715: DSN: To:... List:; syntax illegal for recipient addresses
Oct 10 11:19:13 server sendmail[45720]: h9AGJDEV045720: h9AGJDEW045720: DSN: To:... List:; syntax illegal for recipient addresses
Oct 10 11:19:29 server sendmail[45725]: h9AGJTMA045725: h9AGJTMB045725: DSN: To:... List:; syntax illegal for recipient addresses
Oct 10 11:19:56 server sendmail[45730]: h9AGJuBg045730: h9AGJuBh045730: DSN: To:... List:; syntax illegal for recipient addresses

i'm not sure what to make of these messages. ftp still seems to work (fyi - i upgraded to the latest version of proftpd today - 1.2.8 stable, didn't fix the situation though).

my server is

FreeBSD server.com 4.7-RELEASE-p23 FreeBSD 4.7-RELEASE-p23 #0: Fri Oct 3 21:37:09 CDT 2003

if anyone can shed some light, i'd really appreciate it...

thanks again

redmond

--
FreeBSD 5.1-RELEASE-p10 FreeBSD 5.1-RELEASE-p10 #0: Fri Oct 3 21:30:51 CDT 2003
11:45AM up 5 days, 2:01, 2 users, load averages: 0.82, 0.51, 0.48
Oh, wow! Look at the moon!
rsync/mirroring permissions problem
hi all

i'm trying to do a 'push' rsync operation to mirror the contents of my website's root directory on one machine over to a remote machine. rsync is installed on both machines. the command i'm using to rsync is

rsync -e ssh -avz --exclude "/phpSysInfo" --exclude "/webalizer" --exclude "/phpMyAdmin" --delete --stats /usr/local/www/data-dist/ remote.machine.com:/usr/local/www/data-dist/

this works, for the most part. the majority of files on the remote directory are sync'ed correctly after the operation.

the problem is - this website's root directory is owned by one user - webuser, who is a member of group - webuser. various subdirectories inside of the website's root folder are owned by other users, who are also members of the 'webuser' group. the files/folders in the website's root directory are chmod'ed 775. this causes problems with the rsync operation, as i'm rsync'ing as webuser:webuser. i get errors during the rsync process such as

failed to set permissions on studentwork/winter03old/war/images : Operation not permitted

again, the majority of files sync correctly. but can anyone recommend a good way around this? i'm not able at this point to limit the website's root directory to only one user account...

thanks

redmond

--
FreeBSD 5.1-RELEASE-p10 FreeBSD 5.1-RELEASE-p10 #0: Fri Oct 3 21:30:51 CDT 2003
8:30AM up 22:46, 1 user, load averages: 1.69, 1.61, 1.47
Ever notice that even the busiest people are never too busy to tell you just how busy they are.
Re: var partition is too small
hello

i have a practice box set up. i've been trying to resize /var by symlinking it to /usr/var. in theory this is simple - my methodology is

drop to single user mode
fsck -p
mount -u /
mount -a -t ufs
swapon -a
adjkerntz -i
mkdir /usr/var
cd /var
cp -R * /usr/var
cd ../
mv /var /var-old
ln -s /usr/var
comment out the var line in fstab
reboot

this works, except the permissions in the var directory are lost. dmesg shows that /var/spool/clientmqueue needs to be owned by smmsp:smmsp and be chmod 770. i get around this by going to one of my backups, unzipping the var directory, and trying the above procedure again, only this time mv'ing the /var contents i extracted from backup into /usr/var.

this seems to work ok - no errors in dmesg - however, i was using the machine, and i opened up mutt - mutt complained about /var/tmp's permissions not being set right.

so - it looks like i may run the risk of losing the correct permissions on some files/directories in var if i decide to try symlinking to give my var partition more space... is there anything i'm missing? i'd really like this to go seamlessly...

thanks again

redmond

[Fri, Oct 03, 2003 at 11:32:30AM -0400] This one time, at band camp, Robert Huff said:
>
> Redmond Militante writes:
>
> > which sets httpd-access.log to be rotated in binary format
> > everytime it reaches 100 mb or once every hour for 24 hours.
> >
> > the /var partition on this machine is 252 mb.
>
> In my opinion, if you acknowledge the real possibility of
> having a 100mb file (never mind 100 users' mailboxes) there then
> /var is _way_ too small. I would have 500mb, and do 1gb if I could
> afford it.
>
>
> Robert Huff
>
Re: var partition is too small
hi

a cron job that moves httpd-access.logs to an archive directory sounds like a fine idea - is it safe, though, to move these logs while apache and syslogd are running? or would the cron job need to stop those apps first, move the logs, then restart apache/syslogd?

thanks

redmond

[Fri, Oct 03, 2003 at 02:27:00PM +] This one time, at band camp, Jens Rehsack said:
> Redmond Militante wrote:
> >hi all
> >
> >the var partition on my apache box may be too small.
> >this is a problem because -
> >i originally had newsyslog set at
> >
> >/var/log/httpd-access.log 644 7 100 24B
> >/var/run/httpd.pid 30
> >
> >which sets httpd-access.log to be rotated in binary format everytime it
> >reaches 100 mb or once every hour for 24 hours.
> >which basically means we only archive less than a day's worth of
> >httpd-access.log's on this machine...
> >
> >
> >the /var partition on this machine is 252 mb.
>
> Looks like sysinstalls defaults.
> Maybe this should be fixed some fine day :-)
>
> >yesterday i was asked to start archiving httpd-access.logs for
> >analysis over longer periods of time - that i should be keeping a year's
> >worth of logs, if possible. i remember the original reason i set up
> >newsyslog.conf to rotate httpd-access.logs on this machine so frequently
> >is because the webserver is really busy, and this file tends to grow
> >pretty rapidly, and i didn't want to have to log in, stop apache, and
> >archive the logs by hand every day...
> >
> >yesterday i looked into expanding the size of my /var partition by
> >symlinking.
> >
> >-drop to single user mode
> >-stop syslogd
> >-mv /var to /usr/var
> >-umount /var
> >-delete /var directory
> >-create symlink from /usr/var to /var
>
> That's really bad, because this means that there will be permanent
> write accesses to you /usr label.
>
> A better way could be a cron job which moves the old http-logs
> once a day into a place in /usr, eg. /usr/save-logs.
>
> >it seems easy, and i did it successfully once, but i hosed a
> >(non)production box yesterday practicing the above procedure.
> >
> >i have a number of questions:
> >-if i copy the contents of /var to /usr/var, then delete the var
> >directory, do i need to modify my fstab?
>
> If you've done it as described, that would be better.
> But I think you should re-think about the procedure.
>
> >my fstab right now looks like
> >
> >/dev/aacd0s1g /usr ufs rw 2 2
> >/dev/aacd0s1e /var ufs rw 2 2
> >
> >-do i need to modify this so that /var now points to a directory inside
> >/usr? and how?
> >-i'm thinking that this may be too risky a procedure to try on a
> >production box (i guess i'm spooked from ruining the practice box...) -
> >anyone think i should just archive these logs by hand to someplace in my
> >home directory (/usr is very large on this box - 65 gb - and hardly used)?
> >my goal is basically to keep an archive of httpd-access.logs for as long
> >as possible to produce a comprehensive webalizer report...
> >
> >thanks again
> >
> >redmond
>
> Best,
> Jens
>

--
FreeBSD 5.1-RELEASE-p5 FreeBSD 5.1-RELEASE-p5 #0: Wed Sep 24 09:12:23 CDT 2003
9:30AM up 1 day, 18:54, 2 users, load averages: 0.07, 0.17, 0.18
Rules for Academic Deans: (1) HIDE (2) If they find you, LIE -- Father Damian C. Fandal
var partition is too small
hi all

the var partition on my apache box may be too small. this is a problem because - i originally had newsyslog set at

/var/log/httpd-access.log 644 7 100 24B
/var/run/httpd.pid 30

which sets httpd-access.log to be rotated in binary format everytime it reaches 100 mb or once every hour for 24 hours. which basically means we only archive less than a day's worth of httpd-access.log's on this machine...

the /var partition on this machine is 252 mb.

yesterday i was asked to start archiving httpd-access.logs for analysis over longer periods of time - that i should be keeping a year's worth of logs, if possible. i remember the original reason i set up newsyslog.conf to rotate httpd-access.logs on this machine so frequently is because the webserver is really busy, and this file tends to grow pretty rapidly, and i didn't want to have to log in, stop apache, and archive the logs by hand every day...

yesterday i looked into expanding the size of my /var partition by symlinking.

-drop to single user mode
-stop syslogd
-mv /var to /usr/var
-umount /var
-delete /var directory
-create symlink from /usr/var to /var

it seems easy, and i did it successfully once, but i hosed a (non)production box yesterday practicing the above procedure.

i have a number of questions:

-if i copy the contents of /var to /usr/var, then delete the var directory, do i need to modify my fstab? my fstab right now looks like

/dev/aacd0s1g /usr ufs rw 2 2
/dev/aacd0s1e /var ufs rw 2 2

-do i need to modify this so that /var now points to a directory inside /usr? and how?
-i'm thinking that this may be too risky a procedure to try on a production box (i guess i'm spooked from ruining the practice box...) - anyone think i should just archive these logs by hand to someplace in my home directory (/usr is very large on this box - 65 gb - and hardly used)? my goal is basically to keep an archive of httpd-access.logs for as long as possible to produce a comprehensive webalizer report...

thanks again

redmond

--
FreeBSD 5.1-RELEASE-p5 FreeBSD 5.1-RELEASE-p5 #0: Wed Sep 24 09:12:23 CDT 2003
8:30AM up 1 day, 17:54, 2 users, load averages: 0.61, 0.58, 0.55
Ken Thompson has an automobile which he helped design. Unlike most automobiles, it has neither speedometer, nor gas gauge, nor any of the numerous idiot lights which plague the modern driver. Rather, if the driver makes any mistake, a giant "?" lights up in the center of the dashboard. "The experienced driver", he says, "will usually know what's wrong."
WARNING unreserved major device number...
hi all

i have a couple of errors when i run dmesg

...
IP Filter: already initialized
WARNING: driver "rtc" used unreserved major device number 202
WARNING: driver "vmmon" used unreserved major device number 200
/dev/vmmon: Module vmmon: registered with major=200 minor=0 tag=$Name: build-570 + $
/dev/vmmon: Module vmmon: initialized

i just noticed these and don't know when it started. anything to worry about? my setup info is in my sig.

thanks

redmond

--
FreeBSD 5.1-RELEASE-p5 FreeBSD 5.1-RELEASE-p5 #0: Wed Sep 24 09:12:23 CDT 2003
1:45PM up 9 mins, 1 user, load averages: 0.72, 0.42, 0.21
Spelling is a lossed art.
ipfilter vs. firewall appliance
hi

i have an ipfilter/ipnat box that i'm using to protect an apache webserver. the machine is 4.7-RELEASE-p3 FreeBSD 4.7-RELEASE-p3 #1: Mon Aug 11 18:27:06 CDT 2003. the machine is a dell optiplex gx260 Intel(R) Pentium(R) 4 CPU 2.40GHz, 512 mb of ram. it's been doing a fine job.

i'd like to get extra nics for this machine and stick additional servers, such as our win2k domain controllers, and a mysql box, possibly more, behind the firewall/nat.

i wanted to ask - for a firewall/nat that would potentially be protecting multiple production machines, is ipfilter's performance comparable to production firewall appliances and software such as netscreen and symantec firewall?

i'm the only unix person where i work, and sometimes it's hard to get projects green lighted when a) i'm the only one on staff who knows the technology and b) it probably seems hard to believe to windows admins that a little pentium3 box with 2 nic cards and hand written firewall rules can do the same thing as an appliance that some companies are charging tens of thousands of dollars for.

i'd like to be able to present a case to my employers - that the ipfilter/ipnat box that i set up would be able to provide the performance of commercial firewall solutions, and was wondering if anyone knows of any benchmarks/reviews/etc. that i can cite.

any comments welcome

thanks as always

redmond

--
FreeBSD 5.1-RELEASE-p2 FreeBSD 5.1-RELEASE-p2 #0: Thu Aug 28 12:42:04 CDT 2003
2:45PM up 8 days, 1:42, 1 user, load averages: 0.73, 0.23, 0.13
"You should, without hesitation, pound your typewriter into a plowshare, your paper into fertilizer, and enter agriculture." -- Business Professor, University of Georgia
[r-militante@northwestern.edu: Re: need advice: core dumps duringbuildworld]
----- Forwarded message from Redmond Militante <[EMAIL PROTECTED]> -----

Date: Mon, 1 Sep 2003 09:22:52 -0500
From: Redmond Militante <[EMAIL PROTECTED]>
To: Jonathan Chen <[EMAIL PROTECTED]>
Subject: Re: need advice: core dumps during buildworld
Reply-To: Redmond Militante <[EMAIL PROTECTED]>
In-Reply-To: <[EMAIL PROTECTED]>
User-Agent: Mutt/1.4.1i
X-Sender: [EMAIL PROTECTED]
X-URL: http://darkpossum.medill.northwestern.edu/modules.php?name=Content&pa=showpage&pid=1
X-DSA-and-ElGamal-Fingerprint: 2AA2 E78E A6FC 9144 3534 39A2 EE0F 8D26 5FDF 481D

hi

thanks for responding! my make.conf seems ok to me, is there something i should change?

CFLAGS= -O -pipe
COPTFLAGS= -O -pipe
NOPROFILE= true
USA_RESIDENT= YES
# -- use.perl generated deltas -- #
# Created: Wed Aug 6 16:28:04 2003
# Setting to use base perl from ports:
PERL_VER=5.6.1
PERL_VERSION=5.6.1
PERL_ARCH=mach
NOPERL=yo
NO_PERL=yo
NO_PERL_WRAPPER=yo

thanks

redmond

[Mon, Sep 01, 2003 at 03:37:21PM +1200] This one time, at band camp, Jonathan Chen said:
> On Sun, Aug 31, 2003 at 06:56:16PM -0500, Redmond Militante wrote:
> > hi all
> >
> > i am having trouble trying to cvsup a 5_1-RELEASE machine
> >
> > i'm at the 'cd /usr/src/ make buildworld' stage. i can't run 'make buildworld'
> > successfully on this machine. i'm able to on my other 5_1-RELEASE machine
> > (although it's different hardware...). the buildworld seems to fail at
> > different points randomly. for ex., the most current kernel core dump/error i
> > get when trying to complete this operation is
> >
> > Illegal instruction(core dumped)
> > Error code 132
>
> Check your make.conf flags. You're very likely using some odd CPU
> specific flags.
> --
> Jonathan Chen <[EMAIL PROTECTED]>
> --
> The human mind ordinarily operates at only ten percent of its capacity
> -- the rest is overhead for the operating system.
>

--
FreeBSD 5.1-RELEASE-p2 FreeBSD 5.1-RELEASE-p2 #0: Thu Aug 28 12:42:04 CDT 2003
9:15AM up 3 days, 20:12, 1 user, load averages: 0.28, 0.53, 0.49
University, n.: Like a software house, except the software's free, and it's usable, and it works, and if it breaks they'll quickly tell you how to fix it, and ...

----- End forwarded message -----

--
FreeBSD 5.1-RELEASE-p2 FreeBSD 5.1-RELEASE-p2 #0: Thu Aug 28 12:42:04 CDT 2003
9:15AM up 3 days, 20:12, 1 user, load averages: 0.28, 0.53, 0.49
University, n.: Like a software house, except the software's free, and it's usable, and it works, and if it breaks they'll quickly tell you how to fix it, and ...
need advice: core dumps during buildworld
hi all

i am having trouble trying to cvsup a 5_1-RELEASE machine

i'm at the 'cd /usr/src/ make buildworld' stage. i can't run 'make buildworld' successfully on this machine. i'm able to on my other 5_1-RELEASE machine (although it's different hardware...). the buildworld seems to fail at different points randomly. for ex., the most current kernel core dump/error i get when trying to complete this operation is

Illegal instruction(core dumped)
Error code 132
stop in /usr/src/usr.bin/objformat
***Error code 1
stop in /usr/src/usr.bin.
***Error code 1...

Aug 28 12:30:39 host kernel : pid 61508 (make), uid 0: exited on signal 4 (core dumped)

my hardware:

dell optiplex gx250
p4 2.4 ghz
500 mhz ram
FreeBSD 5.1-RELEASE-p2 #1

-i was advised that problems like these most often are a result of bad ram. i ran memtest on this machine, it found no errors. i ran dell hardware diagnostics on this machine, also found no errors. i pulled each stick of ram separately - the buildworld problem reappeared no matter which stick of ram is in the machine, or which ram slot on the motherboard it's plugged into.

one thing to note is that, before i wiped this machine and reinstalled 5_1, this machine cvsupped flawlessly for a year as a 4x-RELEASE machine, with the same ram.

i'm hoping that there's something else i can try before wiping/reinstalling 5_1. i'm not even sure if reinstalling will fix the problem.

if anyone has any words of advice, i'd appreciate it

thanks

--
FreeBSD 5.1-RELEASE-p2 FreeBSD 5.1-RELEASE-p2 #0: Thu Aug 28 12:42:04 CDT 2003
6:55PM up 3 days, 5:53, 3 users, load averages: 0.81, 0.54, 0.33
Individualists unite!
ipfilter/natd for windows domain controllers
hi

i have an ipfilter/ipnat box that i'm using to protect an apache webserver. the machine is 4.7-RELEASE-p3 FreeBSD 4.7-RELEASE-p3 #1: Mon Aug 11 18:27:06 CDT 2003. the machine is a dell optiplex gx260 Intel(R) Pentium(R) 4 CPU 2.40GHz, 512 mb of ram. it's been doing a fine job.

my boss asked me today whether he could stick his two windows 2000 domain controllers behind the ipf/ipnat box. the domain controllers are pretty busy. they get about 4000-5000 authentication requests on a typical day. while i was at it, i was thinking of putting my mysql server behind the firewall.

my question is - do i need to upgrade my hardware? or is my setup sufficient to handle the 3 extra machines?

thanks

redmond

--
FreeBSD 5.1-RELEASE-p2 FreeBSD 5.1-RELEASE-p2 #0: Thu Aug 28 12:42:04 CDT 2003
9:00AM up 19:57, 2 users, load averages: 0.08, 0.15, 0.26
'I generally avoid temptation unless I can't resist it." -- Mae West
kernel core dump during make buildworld
hi all

i am trying to cvsup a 5_1-RELEASE machine

i'm at the 'cd /usr/src/ make buildworld' stage. i can't run 'make buildworld' successfully on this machine. i'm able to on my other 5_1-RELEASE machine (although it's different hardware...). the buildworld seems to fail at different points randomly. for ex., the most current kernel core dump/error i get when trying to complete this operation is

Illegal instruction(core dumped)
Error code 132
stop in /usr/src/usr.bin/objformat
***Error code 1
stop in /usr/src/usr.bin.
***Error code 1...

Aug 28 12:30:39 host kernel : pid 61508 (make), uid 0: exited on signal 4 (core dumped)

any advice would be appreciated.

my hardware:

dell optiplex gx250
p4 2.4 ghz
500 mhz ram
FreeBSD 5.1-RELEASE-p2 #1

thanks

redmond

--
FreeBSD 5.1-RELEASE-p2 FreeBSD 5.1-RELEASE-p2 #0: Mon Aug 11 13:00:11 CDT 2003
12:15PM up 14 days, 11:59, 4 users, load averages: 0.00, 0.00, 0.00
It's a very *__UN*lucky week in which to be took dead. -- Churchy La Femme
changed root alias/unusual system events
hi all

i have a general question, probably no big deal. a while ago, i edited /etc/aliases and did 'newaliases', so that root's email account now points to one of my email accounts - i have logcheck set up as a cron job every fifteen minutes to notify me of unusual system events. ever since this happened, the great majority of emails to root have looked like

--
Subject: my.hostname.com 08/19/03:14.00 system check
X-UIDL: 4%\!![P/"!lU=!!4=N!!

Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Aug 19 13:45:01 chronicle sm-mta[28345]: h7JIj1ZT028345: from=<[EMAIL PROTECTED]>, size=1061, class=0, nrcpts=1, msgid=<[EMAIL PROTECTED]>, proto=ESMTP, daemon=Daemon0, relay=localhost [127.0.0.1]
Aug 19 13:45:01 chronicle sm-mta[28346]: h7JIj1ZT028345: [EMAIL PROTECTED], ctladdr=<[EMAIL PROTECTED]> (0/0), delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=31400, relay=relay.my.mailserver [111.222.333.444], dsn=2.0.0, stat=Sent (Mail accepted)
--

can someone interpret this message for me? i'm guessing that it's telling me that it just forwarded root's mail to my regular email account, which would be normal behavior, but i'm not sure...

thanks

redmond

--
FreeBSD 5.1-RELEASE-p2 FreeBSD 5.1-RELEASE-p2 #0: Mon Aug 11 13:00:11 CDT 2003
7:35AM up 6 days, 7:20, 3 users, load averages: 0.01, 0.20, 0.57
An exotic journey in downtown Newark is in your future.
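An added example, not code from this post or the proftpd post further up: a small triage pass over syslog lines of the kind logcheck mails to root. It splits each line into timestamp, host, program and message, pulls the sendmail queue id and key=value fields apart (the from= line with a given queue id is the message being accepted, the to= line with the same id is its delivery, which is exactly the forward-to-my-account pair shown above), and counts proftpd PAM denials per client address so that one denial from your own address and many from an unknown one look different. The sample lines are constructed to resemble the ones quoted on this page; hostnames, addresses and queue ids are placeholders.

```python
"""Parse BSD syslog lines of the kind logcheck mails to root, and sort them into
categories a first-pass triage would use.

Added example, not part of the original posts.  The sample lines below are
constructed to resemble the proftpd and sendmail entries quoted on this page;
hostnames, addresses and queue ids are placeholders.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

# "Mon DD hh:mm:ss host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[\w.-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# sendmail "key=value, key=value" pairs; <...> values may contain commas.
KV_RE = re.compile(r"(\w+)=(<[^>]*>|[^,]+)")
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

SAMPLE_LINES = [  # constructed
    "Oct 10 11:27:06 server proftpd[45750]: server.example.com "
    "(client.example.net[192.0.2.10]) - PAM(secure): Permission denied.",
    "Oct 10 11:17:25 server sendmail[45703]: h9AGHPbK045703: h9AGHPbL045703: "
    "DSN: To:... List:; syntax illegal for recipient addresses",
    "Aug 19 13:45:01 chronicle sm-mta[28345]: h7JIj1ZT028345: "
    "from=<root@chronicle.example.edu>, size=1061, class=0, nrcpts=1, "
    "msgid=<200308191845.h7JIj1ZT028345@chronicle.example.edu>, proto=ESMTP, "
    "daemon=Daemon0, relay=localhost [127.0.0.1]",
    "Aug 19 13:45:01 chronicle sm-mta[28346]: h7JIj1ZT028345: "
    "to=admin@example.edu, ctladdr=<root@chronicle.example.edu> (0/0), "
    "delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=31400, "
    "relay=relay.example.edu [192.0.2.25], dsn=2.0.0, stat=Sent (Mail accepted)",
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one syslog line into timestamp, host, program, pid and message."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = rec["pid"] or ""
    return rec


def parse_sendmail(msg: str) -> Dict[str, str]:
    """Turn 'qid: key=value, ...' into a dict; the queue id links the from= line
    (message accepted) to its to= line (message delivered)."""
    qid, _, rest = msg.partition(": ")
    fields = {k: v.strip() for k, v in KV_RE.findall(rest)}
    fields["qid"] = qid
    return fields


def classify(rec: Dict[str, str]) -> str:
    prog, msg = rec["prog"], rec["msg"]
    if prog == "proftpd" and "PAM" in msg and "Permission denied" in msg:
        return "ftp-auth-denied"
    if prog in ("sendmail", "sm-mta"):
        if "DSN:" in msg:
            return "mail-dsn-error"
        kv = parse_sendmail(msg)
        if "from" in kv:
            return "mail-accepted"
        if kv.get("stat", "").startswith("Sent"):
            return "mail-delivered"
        return "mail-other"
    return "unclassified"


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Group lines by category; unparseable lines land in 'unparsed'."""
    groups: Dict[str, List[str]] = {}
    for line in lines:
        rec = parse_line(line)
        groups.setdefault(classify(rec) if rec else "unparsed", []).append(line)
    return groups


def denied_by_source(lines: List[str]) -> Counter:
    """Count PAM denials per client address: a single denial from your own
    address is noise, many from one unknown address is worth a look."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and classify(rec) == "ftp-auth-denied":
            m = IPV4_RE.search(rec["msg"])
            counts[m.group(1) if m else "unknown"] += 1
    return counts
```

Feeding the body of a logcheck mail to triage() gives the split by category; denied_by_source() is the part worth running on a schedule, since its counts are the raw material for an alert threshold.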
urgent: how to downgrade php4.3.3rc2
hi

i upgraded mod_php4 via ports on my apache box the other day. i just went to the mod_php4 directory, make deinstall, make clean install and restarted apache. i was upgraded to php4.3.3rc2 from 4.3.1.

i need to get the old version back as we make extensive use of pdflib. pdflib5x is not supported in php4.3.3rc2.

can anyone please tell me how to downgrade php4.3.3rc2 on this machine? it's pretty critical..

thanks

redmond
newsyslog.conf syntax 5.1-RELEASE
hi all

i'm getting the following message from the cron daemon on a 5.1-RELEASE box.

newsyslog: malformed at: /var/log/firewall_logs 600 14*$DO Z

i've been trying to set up newsyslog so that it archives my firewall logs every night at midnight. can anyone tell me what's wrong with my syntax on this line?

thanks

redmond
recompile php/upgrade apache
hi all

i have a production server running freebsd4.8-RELEASE/apache1.3.27-modssl/mod_php4. i would like to recompile php4 for gdlib support. i'd also like to upgrade apache to 1.3.28. i'd like to have minimal downtime if possible. i was thinking the easiest way of doing this was to

stop apache
backup httpd.conf and php.ini-dist
portupgrade -rR apache13-modssl
make deinstall /usr/ports/lang/php4, make install clean /usr/ports/lang/php4 with gdlib support
restart apache

i just wanted to run this past the list in case i'm missing something above, or if anyone can suggest a more efficient way of accomplishing this

thanks

redmond
ip filter: already initialized 5.1-RELEASE
hi all

i'm trying to get ipfilter set up on my new 5.1-RELEASE box. i think i have everything configured properly. my kernel config looks like

options IPFILTER
options IPFILTER_LOG
options IPFILTER_DEFAULT_BLOCK

my /etc/rc.conf looks like

ipfilter_enable="YES"
ipfilter_flags=""
ipfilter_rules="/etc/ipfilter.rules"
ipmon_enable="YES"
ipmon_flags="-Dsvn"

does my setup look ok? or are there additional procedures involved in setting up ipfilter on 5x?

thanks

redmond
cvsup on 5.1-RELEASE
hi all

i had a question about the correct procedure to cvsup your machine on 5.1-RELEASE. at the end of my cvsup routine on 4.8-REL_ENG, i used to:

...
# cd /dev
# /bin/sh MAKEDEV all

13. Update /stand: This step is included for completeness. It can be safely omitted.

# cd /usr/src/release/sysinstall
# make clean
# make all install

14. Reboot to multi-user mode:

# reboot

-it seems that MAKEDEV is deprecated for 5x, and there is no /usr/src/release/sysinstall folder in 5x. what would be the equivalent to these steps in the cvsup process on 5x-RELEASE? are there any other differences involved in cvsup'ing on 5x-RELEASE vs. 4x-RELEASE that one should be aware of?

thanks

redmond
problems with ipfilter on 5.1-RELEASE
hi all

i'm trying to get ipfilter set up on my new 5.1-RELEASE box. ipfilter seems to be working fine. i just have a couple of issues that are probably not very serious...

one thing is that during network startup at boot, i get the message

IPFilter: already initialized

repeated 4 times. i think i have everything configured properly. my kernel config looks like

options IPFILTER
options IPFILTER_LOG
options IPFILTER_DEFAULT_BLOCK

my /etc/rc.conf looks like

ipfilter_enable="YES"
ipfilter_flags=""
ipfilter_rules="/etc/ipfilter.rules"
ipmon_enable="YES"
ipmon_flags="-Dsvn"

the other problem i have is that it now seems that ipmon is logging to /var/log/messages. i've set up ipfilter successfully on many freebsd 4x boxes, but this is the first time i've tried to set it up on 5x. in my /etc/syslog.conf i have

local0.*        /var/log/firewall_logs
*.notice;local0.none;authpriv.none;kern.debug;lpr.info;mail.crit;news.err        /var/log/messages

am i missing some things that i should be doing to set up ipfilter on 5x-RELEASE? on 4x-RELEASE, i've followed the procedures outlined at schlacter.net to set up ipfilter. i'm basically following the same procedures here, with unexpected results.

any advice would be appreciated

thanks

redmond
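An added example, not code from the post above: an evaluator for syslog.conf(5) selector lines, built from the two lines quoted in the post, that answers "which file does a message with facility X at level Y land in". It applies the rules the manual page gives: selectors on a line are processed left to right, a later selector replaces the level set earlier for the same facility, none drops that facility, and a message matches when its level is at or above the selector's. Running the post's two lines through it shows that a message is kept out of /var/log/messages only if it really is tagged local0; anything ipmon emits under another facility will match *.notice and land there. The "=" and "!" comparison forms of the selector syntax are not handled; the configuration text is constructed from the post.

```python
"""Evaluate syslog.conf(5) selectors the way syslogd does, to see which file a
message of a given facility and level ends up in.

Added example, not from the original post.  It applies the rules from
syslog.conf(5): selectors on a line are processed left to right, a later
selector replaces the level set earlier for the same facility, 'none' drops
the facility, and a message matches when its level is at or above the
selector's level.  The '=' and '!' comparison forms are not handled.  The
sample configuration is constructed from the two lines quoted in the post.
"""
from typing import Dict, List, Optional, Tuple

LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              ] + [f"local{i}" for i in range(8)]

CONSTRUCTED_CONF = """\
# constructed from the two lines quoted in the post
local0.*\t/var/log/firewall_logs
*.notice;local0.none;authpriv.none;kern.debug;lpr.info;mail.crit;news.err\t/var/log/messages
"""


def parse_selector(selector: str) -> Dict[str, Optional[int]]:
    """Map each facility to the highest level index it logs (None = dropped)."""
    table: Dict[str, Optional[int]] = {}
    for part in selector.split(";"):
        fac_list, _, level = part.strip().rpartition(".")
        if not fac_list or not level:
            raise ValueError(f"bad selector {part!r}")
        facs = FACILITIES if fac_list == "*" else [f.strip() for f in fac_list.split(",")]
        for fac in facs:
            if fac not in FACILITIES:
                raise ValueError(f"unknown facility {fac!r}")
            if level == "none":
                table[fac] = None
            elif level == "*":
                table[fac] = LEVELS.index("debug")
            else:
                table[fac] = LEVELS.index(level)  # ValueError on an unknown level
    return table


def matches(selector: str, facility: str, level: str) -> bool:
    """Does a (facility, level) message pass this selector?"""
    limit = parse_selector(selector).get(facility)
    return limit is not None and LEVELS.index(level) <= limit


def parse_conf(text: str) -> List[Tuple[str, str]]:
    """Return (selector, action) pairs; the file uses tabs, but any whitespace splits."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        selector, action = line.split(None, 1)
        rules.append((selector, action.strip()))
    return rules


def destinations(text: str, facility: str, level: str) -> List[str]:
    """Every action whose selector accepts a (facility, level) message."""
    return [action for selector, action in parse_conf(text)
            if matches(selector, facility, level)]
```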
arplookup host not on local network
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

hi all

i rebooted my dual boot (with winxp), dhcp, 4.8-REL_ENG machine today, and noticed for the first time some strange behavior. i can boot successfully, but i notice recurring messages in /var/log/messages, which read

Jul 5 21:04:23 hostname-15m1kxku /kernel: arplookup xx.xx.xx.xx failed: host is not on local network

note: xx.xx.xx.xx looks like an ip on the same subnet as my box, ie., the first two octets are similar.

i can boot into freebsd, looks like i'm still receiving a network connection, however - certain things now don't work - namely, kde takes forever to start up (hangs during 'initializing network services'), kde terminates unexpectedly, and i can no longer start konqueror from within kde.

this was a stab in the dark, but i tried deleting the contents of /tmp, and rebooting. it didn't help.

if anyone has experienced this type of behavior before, i'd appreciate hearing from you...

thanks

redmond

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)

iD8DBQE/B4NSFNjun16SvHYRAutaAKDG3uKYDNN6akYe9jnAnjeYVtYRlwCdGb39
q1iuynkUgCxCZVPsfuWDvmc=
=Bta0
-----END PGP SIGNATURE-----
basic ipf question
hi

i have a basic question regarding ipf/ipnat setup. at the moment my setup is: i have an ipf/ipnat box hooked up to a switch, and one internal client hooked up to the switch. the public ip of the internal client is aliased to the external (xl0) nic of the ipf/ipnat box. this is working ok for me.

i would now like to add a second internal client. i'd like to alias the public ip of the second internal client to the external nic (xl0) of the ipf/ipnat box, hook the second internal client to the switch and protect it behind the ipf/ipnat box in the same way that i do the first internal client machine.

this isn't working for me. when i add the second alias to the external nic of the ipf/ipnat box, change rc.conf on the second internal client, and hook it up to the switch, then reboot both internal clients, they freeze up during reboot. hitting ctrl-c during the reboot process forces them to complete the reboot process, but only the first - original - internal client is working correctly. the second - newer - internal client doesn't seem to be receiving connectivity.

am i going about this the wrong way?

thanks again
trolltech qt questions
hi

i'm trying to teach myself a little qt programming. i'm on the first tutorial

http://doc.trolltech.com/3.1/tutorial1-01.html

i created main.cpp in vi and saved it to a directory. i type qmake -project and it generates a hello.pro file. when i try to issue 'qmake', i get the error

QMAKESPEC has not been set, so configuration cannot be deduced.

upon reading the INSTALL instructions at ftp://ftp.trolltech.com/qt/source/INSTALL, i figured out that this was probably due to my path not being set correctly. trolltech's docs recommend you place

QTDIR=/usr/local/qt
PATH=$QTDIR/bin:$PATH
MANPATH=$QTDIR/doc/man:$MANPATH
LD_LIBRARY_PATH=$QTDIR/lib:$LD_LIBRARY_PATH
export QTDIR PATH MANPATH LD_LIBRARY_PATH

in your .bash_profile - since i'm on freebsd, the directory /usr/local/qt doesn't exist. i was confused about whether or not i needed to install the qt 3.1.2 free version from the tar archive downloaded off the trolltech website. i had downloaded the tar file and was halfway through installing it manually when i was informed by someone on irc not to do this. i have kde 3.1 installed, so i have qt 3.1.1.4.

i was wondering what the correct directory was to set as QTDIR in my path, so that i can use qmake and finish the tutorial. i was informed that i could get my correct QTDIR from /usr/ports/Mk/bsd.kde.mk, but i can't make out from that file what the correct path to my QTDIR should be.

has anyone done this before? i'd like to continue with the tutorial but am not sure how to proceed

thanks again
passive ftp on ipf/ipnat
hi all

i had a couple of general questions about ftp serving through an ipf/ipnat gateway.

i had set up my gateway box to redirect port 21 to my internal ftp server, i.e., to only allow active ftp sessions. this has been working ok; i've just been telling users to set their ftp clients for 'active' mode, or unselect 'passive' mode.

i have run into a weird situation with one particular ftp user. this user is connecting to the ftp server remotely from behind a router that does nat translation for the subnet that this person is on. this is the only thing different between this person and my 30 or so other ftp users who have been successfully connecting using active mode. this person is able to successfully log in and connect to the server, but their ftp client immediately gives off an error 425 - unable to establish data connection...

when this person ftp's via the command line in win2000, i.e.,

ftp my.ftpserver.org

(they're successfully authenticated at this point), when they try to issue the 'ls' statement they are given the same 'error 425 - unable to establish data connection'...

i've spoken to this person's isp. there are no firewall restrictions on their router. the person can ftp to other servers fine.

i'm not quite sure how to proceed troubleshooting this problem - whether or not i should tweak my gateway config to allow for passive ftp, or if i should try to enable transparent proxy support (or both). for the record, i've tried enabling both, and seem to be having trouble. but at this point, i would just like to know what the issue is exactly, so that i can proceed troubleshooting it...

any advice would be appreciated, if anyone has dealt with this type of issue before...

thanks

redmond
Re: portsentry in combination with ipfilter
hi

thanks again. i think i'm going to move portsentry to hosts behind the gateway - it makes more sense considering the info you sent - and then look into snort/tripwire on the gateway (i actually have tripwire installed, i just haven't generated a new config db lately, since i've been messing around with my configs so much).

redmond

> Redmond Militante <[EMAIL PROTECTED]> wrote:
>
> > hi
> > i've used portsentry on standalone workstations before with ipfilter set up as a
> > firewall, and for some reason, now when i'm trying to use it on an ipf/ipnat
> > gateway box, it's being really verbose about the ports it's binding to. if i
> > nmap a standalone workstation i have configured ipfilter/portsentry on, i don't
> > get the huge list of ports that it's binding to... i thought perhaps there was
> > a config option to hide this information
>
> Redmond,
>
> There is a good article regarding using portsentry @
>
> http://www.sans.org/rr/intrusion/portsentry.php
>
> They talk about version 1 on Linux being able to monitor ports
> using a socket instead of binding to a port, so this should
> look different to an nmap scan. As to whether or not FreeBSD
> supports this feature, I do not know. Anyone out there chime in?
>
> From the SANS article
> snip-
> Example One - Default configuration
>
> By default, the portsentry.conf is designed to listen and block
> attacking hosts using TCP Wrappers. The default configuration
> is set up to bind with some of the most commonly probed TCP ports
> and UDP ports on a Unix system. If any attacking host scans or
> makes an attempt to attach to one of the PortSentry bound ports,
> PortSentry will instantly drop the attacking host into the
> hosts.deny file, thus blocking _ALL_ traffic from the attacking
> IP address.
> snip-
>
> What bothers me about this method of defense is the possibility
> of an attacker causing a DOS by spoofing their source scan IP
> and causing your system to deny traffic from a valid host like
> your upstream DNS server.
>
> I have not worked with portsentry at all, so this default
> behavior is probably not the optimum way to use this tool.
>
> Scanning is so common on the net that the gain from this
> seems minimal on a gateway firewall; inside your LAN is
> another story ;-)
>
> As to system integrity checking, I like to use Aide,
> found in /usr/ports/security/aide, but tripwire is
> probably a more commonly used tool.
>
> Using a tight ipf firewall in conjunction with snort on
> a gateway firewall is a common and well liked setup.
>
> Regards,
>
> Stephen Hilton
> [EMAIL PROTECTED]
Re: portsentry in combination with ipfilter
hi

i've used portsentry on standalone workstations before with ipfilter set up as a firewall, and for some reason, now when i'm trying to use it on an ipf/ipnat gateway box, it's being really verbose about the ports it's binding to. if i nmap a standalone workstation i have configured ipfilter/portsentry on, i don't get the huge list of ports that it's binding to... i thought perhaps there was a config option to hide this information

> > hi all
> >
> > i have an ipf/ipnat gateway machine protecting an internal network of -
> > so far one, hopefully 2 or more - computers. the first thing i did
> > after i observed that i have my setup successfully nat'ing, was to try
> > to portscan myself from an outside machine, using nmap. at first i
> > thought something was up, and that my ipf.rules were being ignored,
> > because when i ran
> >
> > nmap -sS -v -O
> >
> > on the public ip of my internal host - which was aliased to the
> > external nic of my gateway box - it showed that a huge amount of tcp
> > and udp ports were open. i could copy the nmap results, but they're
> > long, and suffice it to say ports i thought were closed or inactive
> > were shown as open.
> >
> > after discussing it with the -security listserv, and running a
> > 'sockstat' on the gateway box, it turns out that portsentry was indeed
> > listening on the great majority of ports that the nmap showed to be
> > open. when i turn portsentry off and run nmap again on my setup, it
> > only shows ports that i specifically allow open in my ipf/ipnat rules like
> > 80, 22, etc.
> >
> > my question is: first, if anyone knows how to get portsentry to not
> > broadcast the fact that it's listening on a wide variety of ports when the
> > host is being portscanned. i checked the portsentry.conf file, there
> > didn't seem to be an option for this. also - i have
>
> This is exactly what portsentry is designed to do. Can't tell if a port
> is hit without first binding to it. I have placed portsentry on other
> machines than the firewall for just this sort of information. A better
> solution on a firewall is to turn on logging for specific ports or rules
> that you are interested in.
>
> > block return-rst in log quick on xl0 proto tcp from any to any
> >
> > in my ipf.rules, so i thought that any ports not being nat'd would show up
> > in portscans as not listening. not sure why this isn't working.
>
> What ports exactly are still listening that aren't getting allowed through?

when i turn portsentry off and nmap again, all appears as i expected it to - only 80, 22 and 21 are listed as open - as i defined it in my ipf.rules

> > also, i had wanted to run logcheck, portsentry, and snort or tripwire
> > on my ipf/ipnat gateway box. is this a good combination of apps? as of
> > now, i have portsentry turned off, but would like to use it or an app
> > that performs the same function.
>
> logcheck - not really. syslog should be sent inside either via syslog or
> msyslog (in ports)

logcheck is not a good idea? could you elaborate on this point please?

> portsentry - nope (see above)

would you recommend running portsentry on an internal host behind the gateway machine?

thanks

redmond

> snort - i 'spose (no harm per se)
> tripwire - definitely
>
> > any thoughts?
> >
> > thanks again
> >
> > redmond
>
> Hope this helps.
>
> --
> Scott A. Moberly
> [EMAIL PROTECTED]
>
> "BASIC is the Computer Science equivalent of `Scientific Creationism'."
portsentry in combination with ipfilter
hi all

i have an ipf/ipnat gateway machine protecting an internal network of - so far one, hopefully 2 or more - computers. the first thing i did after i observed that i have my setup successfully nat'ing was to try to portscan myself from an outside machine, using nmap. at first i thought something was up, and that my ipf.rules were being ignored, because when i ran

nmap -sS -v -O

on the public ip of my internal host - which was aliased to the external nic of my gateway box - it showed that a huge amount of tcp and udp ports were open. i could copy the nmap results, but they're long, and suffice it to say ports i thought were closed or inactive were shown as open.

after discussing it with the -security listserv, and running a 'sockstat' on the gateway box, it turns out that portsentry was indeed listening on the great majority of ports that the nmap showed to be open. when i turn portsentry off and run nmap again on my setup, it only shows ports that i specifically allow open in my ipf/ipnat rules like 80, 22, etc.

my question is: first, if anyone knows how to get portsentry to not broadcast the fact that it's listening on a wide variety of ports when the host is being portscanned. i checked the portsentry.conf file, there didn't seem to be an option for this. also - i have

block return-rst in log quick on xl0 proto tcp from any to any

in my ipf.rules, so i thought that any ports not being nat'd would show up in portscans as not listening. not sure why this isn't working.

also, i had wanted to run logcheck, portsentry, and snort or tripwire on my ipf/ipnat gateway box. is this a good combination of apps? as of now, i have portsentry turned off, but would like to use it or an app that performs the same function.

any thoughts?

thanks again

redmond
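The alternative suggested in the replies above (log the blocked packets on the gateway instead of letting portsentry bind decoy ports) can be turned into scan detection with a small log reader. The following is an added example, not code from the thread, from portsentry or from IPFilter: it parses ipmon(8) records as written to syslog by the gateway's "block ... log" rules, reports any source that was blocked on many distinct ports, and keeps an allowlist so that a scan arriving with a spoofed source address (the upstream resolver, say) is reported but never turned into a block rule, which is the denial-of-service concern raised in the thread. The log lines, the addresses (198.51.100.35 as the gateway, 198.51.100.1 as an assumed resolver), the rule numbers and the threshold are all constructed for this example; only the record layout follows ipmon(8).

```python
"""Port-scan reporting from ipmon(8) log lines (added example, not from the thread)."""
import re
from collections import defaultdict

# ipmon record inside the syslog line:
#   <time> <iface> @<group>:<rule> <action> <src>,<sport> -> <dst>,<dport> PR <proto> ...
# action is "b" (blocked) or "p" (passed); ICMP records carry no ports and are skipped.
IPMON_RE = re.compile(
    r"(?P<time>\d\d:\d\d:\d\d\.\d+) (?P<iface>\w+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>\w) (?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+)"
)

# Constructed sample: 203.0.113.9 sweeps six ports; a second sweep arrives with its
# source spoofed as the assumed upstream resolver 198.51.100.1; one host is blocked
# on a single port; one packet is passed; one ICMP record appears.
SAMPLE_LOG = """\
Jul  5 21:04:01 gw ipmon[412]: 21:04:01.100001 xl0 @0:12 b 203.0.113.9,40001 -> 198.51.100.35,21 PR tcp len 20 60 -S IN
Jul  5 21:04:01 gw ipmon[412]: 21:04:01.100221 xl0 @0:12 b 203.0.113.9,40002 -> 198.51.100.35,23 PR tcp len 20 60 -S IN
Jul  5 21:04:01 gw ipmon[412]: 21:04:01.100430 xl0 @0:12 b 203.0.113.9,40003 -> 198.51.100.35,25 PR tcp len 20 60 -S IN
Jul  5 21:04:01 gw ipmon[412]: 21:04:01.100655 xl0 @0:12 b 203.0.113.9,40004 -> 198.51.100.35,110 PR tcp len 20 60 -S IN
Jul  5 21:04:01 gw ipmon[412]: 21:04:01.100871 xl0 @0:12 b 203.0.113.9,40005 -> 198.51.100.35,143 PR tcp len 20 60 -S IN
Jul  5 21:04:01 gw ipmon[412]: 21:04:01.101090 xl0 @0:12 b 203.0.113.9,40006 -> 198.51.100.35,3306 PR tcp len 20 60 -S IN
Jul  5 21:04:02 gw ipmon[412]: 21:04:02.200001 xl0 @0:12 b 198.51.100.1,1025 -> 198.51.100.35,22 PR tcp len 20 60 -S IN
Jul  5 21:04:02 gw ipmon[412]: 21:04:02.200210 xl0 @0:12 b 198.51.100.1,1026 -> 198.51.100.35,111 PR tcp len 20 60 -S IN
Jul  5 21:04:02 gw ipmon[412]: 21:04:02.200420 xl0 @0:12 b 198.51.100.1,1027 -> 198.51.100.35,139 PR tcp len 20 60 -S IN
Jul  5 21:04:02 gw ipmon[412]: 21:04:02.200630 xl0 @0:12 b 198.51.100.1,1028 -> 198.51.100.35,445 PR tcp len 20 60 -S IN
Jul  5 21:04:02 gw ipmon[412]: 21:04:02.200840 xl0 @0:12 b 198.51.100.1,1029 -> 198.51.100.35,8080 PR tcp len 20 60 -S IN
Jul  5 21:04:03 gw ipmon[412]: 21:04:03.300001 xl0 @0:12 b 192.0.2.50,33000 -> 198.51.100.35,137 PR udp len 20 78 IN
Jul  5 21:04:04 gw ipmon[412]: 21:04:04.400001 xl0 @0:4 p 192.0.2.50,33001 -> 198.51.100.35,80 PR tcp len 20 60 -S IN
Jul  5 21:04:05 gw ipmon[412]: 21:04:05.500001 xl0 @0:20 b 192.0.2.7 -> 198.51.100.35 PR icmp len 20 84 icmp 8/0 IN
"""


def parse_ipmon(lines):
    """Return the TCP/UDP records found in ipmon syslog lines (ICMP lines have no ports)."""
    records = []
    for line in lines:
        m = IPMON_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            records.append(rec)
    return records


def find_scanners(records, threshold=5, allowlist=frozenset()):
    """Map each source blocked on >= threshold distinct (proto, port) pairs to its
    port count and whether a block rule should be generated for it."""
    ports_by_src = defaultdict(set)
    for rec in records:
        if rec["action"] == "b":          # only dropped packets count as probes
            ports_by_src[rec["src"]].add((rec["proto"], rec["dport"]))
    return {
        src: {"distinct_ports": len(ports), "block": src not in allowlist}
        for src, ports in ports_by_src.items()
        if len(ports) >= threshold
    }


def ipf_block_rules(report, iface="xl0"):
    """Render one ipf block rule per flagged source; allowlisted sources are skipped."""
    return [
        f"block in log quick on {iface} from {src}/32 to any"
        for src, info in sorted(report.items())
        if info["block"]
    ]


if __name__ == "__main__":
    recs = parse_ipmon(SAMPLE_LOG.splitlines())
    rep = find_scanners(recs, threshold=5, allowlist={"198.51.100.1"})
    for src, info in rep.items():
        print(src, info)
    print("\n".join(ipf_block_rules(rep)))
```

Run against the sample it reports both sweeps but emits a block rule only for 203.0.113.9; the sweep claiming to be the resolver stays a report. Because the gateway never binds the probed ports, nmap sees only what the pass rules really open.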
rc.conf syntax for ip alias on external nic
hi

i have the following lines in my rc.conf, and i was wondering if my syntax was ok:

---
#here, i'm setting the ip/subnet mask for the outside nic interface for a dual homed gateway box
ifconfig_xl0="inet 129.x.x.35 netmask 255.255.255.0"

#declaring three network interfaces - outside nic interface for gateway, internal interface for private subnet, and loopback
network_interfaces="xl0 xl1 lo0"

#not sure about the following lines: trying to alias two public ip's to the outside nic interface for the gateway. the gateway will use ipnat to nat these public ip's to two internal client machines hooked up to the internal interface - xl1 - of the gateway box
ifconfig_xl0_alias0="inet 129.x.x.6 netmask 255.0.0.0"
ifconfig_xl0_alias1="inet 129.x.x.5 netmask 255.0.0.0"

#inside nic of gateway box
ifconfig_xl1="inet 192.168.1.1 netmask 255.0.0.0"
---

i'm having trouble, i think, with the two aliases to the outside nic of the gateway. it works fine when i have only one client hooked up to the gateway, but when i have both clients hooked up to the gateway through a hub, i have problems - mainly, i reboot both machines, and one machine usually freezes on reboot.

any advice would be really appreciated

thanks

redmond
gtk themes in kde 3.1 fbsd 4.7-release
hi all

anyone know how to get gtk themes going from within kde 3.1? i've tried googling this and asking in irc, to no avail. i've installed gtk-theme-switch and gtk-themes-collection from ports; it doesn't seem to work from within kde. it works, however, from within gnome. the error i get when i try to apply a gtk theme is

Gtk-CRITICAL **: file gtkentry.c: line 440 (gtk_entry_set_text): assertion `text != NULL' failed.

not sure if the error is related...

thanks again

redmond
ipf/ipnat setup
hi all

setting up ipf/ipnat on a gateway box to protect a single workstation was pretty painless. i'm now trying to protect two servers - a web/ftp server and a mysql server - through an ipf/ipnat gateway box, and am running into some problems. most of my setup i've gleaned from JoeB and people on this list, as well as tutorials on schlacter.net and obfuscation.org/ipf

the problems i'm having right now - i can't seem to get passive ftp working on the webserver through the gateway. active works fine. i've commented my ipf.rules and ipnat.rules where i *thought* i was allowing passive ftp connections, but was unsuccessful (connection times out, or connects but doesn't give a directory listing). webmin on the webserver and db server doesn't work through the nat, despite the fact i have port 1 open. also - i can't seem to successfully connect the webserver and db server to the gateway at the same time - when a second machine is hooked up, it hangs when trying to mount nfs shares and when initiating sendmail. i can't get a successful mysql connection through the gateway, but that may be more a mysql permissions/coding problem than an ipf problem. regardless, i'm stumped.

if anyone sees anything glaringly wrong - i probably messed up in several places - i'd really appreciate it if you could help me out

gateway: 129.0.0.1 bound to outside nic, 192.168.1.1 to inner nic
webserver 192.168.1.50, gateway is inner nic on gateway box
db server 192.168.1.51, gateway is inner nic on gateway box
ip's of db and webserver are aliased to xl0 on gateway box

/etc/rc.conf
--
hostname="gateway.ipfipnat.com"
ifconfig_lo0="inet 127.0.0.1"
ifconfig_xl0="inet 129.x.x.35 netmask 255.255.255.0"
network_interfaces="xl0 xl1 lo0"
#aliasing webserver's ip to the outside nic of gateway box
ifconfig_xl0_alias0="inet 129.x.x.6 netmask 255.0.0.0"
#aliasing db server's ip to the outside nic of gateway box
ifconfig_xl0_alias1="inet 129.x.x.5 netmask 255.0.0.0"
#inside nic of gateway box
ifconfig_xl1="inet 192.168.1.1 netmask 255.0.0.0"
ipfilter_enable="YES"
ipfilter_flags=""
ipfilter_rules="/etc/ipf.rules"
ipmon_enable="YES"
ipmon_flags="-Dsvn"
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"
icmp_drop_redirect="YES"
gateway_enable="YES"
--

/etc/ipf.rules
--
#
# Outside Interface
#
#
# Allow out all TCP, UDP, and ICMP traffic & keep state on it
# so that it's allowed back in.
#
# If you wanted to do egress filtering...here's where you'd do it.
# You'd change the lines below so that rather than allowing out any
# arbitrary TCP connection, it would only allow out mail, pop3, and http
# connections (for example). So, the first line, below, would be
# replaced with:
# pass out quick on xl0 proto tcp from any to any port = 25 keep state
# pass out quick on xl0 proto tcp from any to any port = 110 keep state
# pass out quick on xl0 proto tcp from any to any port = 80 keep state
# ...and then do the same for the remaining lines so that you allow
# only specified protocols/ports 'out' of your network
#
pass out quick on xl0 proto tcp from any to any keep state
pass out quick on xl0 proto udp from any to any keep state
pass out quick on xl0 proto icmp from any to any keep state
block out quick on xl0 all

#---
# Block all inbound traffic from non-routable or reserved address spaces
#---
block in log quick on xl0 from 192.168.0.0/16 to any    #RFC 1918 private IP
block in log quick on xl0 from 172.16.0.0/12 to any     #RFC 1918 private IP
block in log quick on xl0 from 10.0.0.0/8 to any        #RFC 1918 private IP
block in log quick on xl0 from 127.0.0.0/8 to any       #loopback
block in log quick on xl0 from 0.0.0.0/8 to any         #loopback
block in log quick on xl0 from 169.254.0.0/16 to any    #DHCP auto-config
block in log quick on xl0 from 192.0.2.0/24 to any      #reserved for doc's
block in log quick on xl0 from 204.152.64.0/23 to any   #Sun cluster interconnect
block in quick on xl0 from 224.0.0.0/3 to any           #Class D & E multicast

#
# Allow bootp traffic in from your ISP's DHCP server only.
#
pass in quick on xl0 proto udp from 129.105.49.1/32 to any port = 53 keep state
pass in quick on xl0 proto udp from 129.105.49.10/32 to any port = 68 keep state

#
# If you wanted to set up a web server or mail server on your box
# (which is outside the scope of this howto), or allow another system
# on the Int
ipf/ipnat and passive ftp
hi all

i have an ftp server behind an ipf/ipnat gateway box. active ftp works fine. i'm trying to get passive ftp working; at the moment it is *slow*, eventually connects in most cases, but will not display directory contents unless you switch the ftp client to connect 'active'ly...

relevant portions of my config files

/etc/ipf.rules

pass in quick on xl0 proto tcp from any to 192.168.1.50/8 port = 21 flags S keep state keep frags
pass in quick on xl0 proto tcp from any to any port > 1023 flags S keep state

/etc/ipnat.rules

rdr xl0 0.0.0.0/0 port 21 -> 192.168.1.50 port 21 tcp
rdr xl0 0.0.0.0/0 port > 1023 -> 192.168.1.50 port > 1023 tcp

any advice you could give would be highly appreciated.

thanks

redmond
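The three passive-FTP posts on this page (the user behind a NAT router who gets "425 unable to establish data connection", the ipf/ipnat setup post, and the rules just above) come down to one property of the protocol: every data connection is negotiated in-band on the control channel. In active mode the client sends PORT h1,h2,h3,h4,p1,p2 and the server connects back to that address from port 20; in passive mode the server answers PASV with "227 ... (h1,h2,h3,h4,p1,p2)" and the client connects there. A server at 192.168.1.50 behind an ipnat rdr therefore advertises 192.168.1.50 in its 227 reply, and a client behind its own NAT advertises a private address in PORT, unless a NAT-side FTP helper rewrites the address and opens the data port; a rdr of every port above 1023 does not change what the 227 reply says. The parser below is an added example, not code from the posts or from IPFilter: it decodes both forms, lists what will not work through NAT (an RFC 1918 address, an address that differs from the control-channel peer, which is also the RFC 2577 bounce check, or a privileged data port), and shows the rewrite a helper has to perform on the 227 reply. The transcript lines and the addresses (203.0.113.9 as the remote client, 198.51.100.6 as the server's public address) are constructed.

```python
"""Decode FTP PORT/PASV endpoints and show why NAT must rewrite them (added example)."""
import re
from ipaddress import ip_address, ip_network

PASV_REPLY = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_COMMAND = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed transcript: the outside client at 203.0.113.9 talks to the public
# address 198.51.100.6, which ipnat redirects to the server at 192.168.1.50.
TRANSCRIPT = [
    ("server", "220 ftp.example.test FTP server ready."),
    ("client", "PASV"),
    ("server", "227 Entering Passive Mode (192,168,1,50,19,137)"),  # not rewritten by NAT
    ("client", "PORT 10,0,0,7,4,1"),                                # client behind its own NAT
]


def decode_hostport(groups):
    """h1,h2,h3,h4,p1,p2 -> ("h1.h2.h3.h4", p1*256+p2); rejects out-of-range values."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_endpoint(line):
    """Return ("pasv"|"port", host, port) for a 227 reply or PORT command, else None."""
    m = PASV_REPLY.match(line)
    if m:
        return ("pasv",) + decode_hostport(m.groups())
    m = PORT_COMMAND.match(line)
    if m:
        return ("port",) + decode_hostport(m.groups())
    return None


def is_rfc1918(host):
    addr = ip_address(host)
    return any(addr in net for net in RFC1918)


def nat_problems(line, control_peer):
    """Why the advertised data endpoint cannot be reached by the other side.

    control_peer is the address the control connection is actually exchanged with.
    """
    ep = data_endpoint(line)
    if ep is None:
        return []
    mode, host, port = ep
    problems = []
    if is_rfc1918(host):
        problems.append(f"{mode}: advertises private address {host}, unreachable across NAT")
    if host != control_peer:
        # RFC 2577: the data endpoint should be the control-channel peer (bounce attack otherwise)
        problems.append(f"{mode}: {host} differs from control-channel peer {control_peer}")
    if port < 1024:
        problems.append(f"{mode}: data port {port} is a privileged port")
    return problems


def rewrite_pasv(line, public_ip):
    """Replace the address in a 227 reply with the public one, as a NAT FTP helper must."""
    m = PASV_REPLY.match(line)
    if not m:
        return line
    _, port = decode_hostport(m.groups())
    patched = f"{public_ip.replace('.', ',')},{port // 256},{port % 256}"
    return line[: m.start(1)] + patched + line[m.end(6):]


if __name__ == "__main__":
    for who, line in TRANSCRIPT:
        peer = "198.51.100.6" if who == "server" else "203.0.113.9"
        print(f"{who:6} {line!r:55} {nat_problems(line, peer)}")
    print(rewrite_pasv(TRANSCRIPT[2][1], "198.51.100.6"))
```

The two failing lines in the transcript are the two cases on this page: the server's 227 carrying 192.168.1.50 is what a passive client sees when only the ports are redirected, and the PORT carrying 10.0.0.7 is what an active server sees from a client behind a NAT router that does not rewrite PORT.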
Re: please comment on my nat/ipfw rules (resent)
hi

you've sold me :) do you have any good online tutorials to recommend for setting up a gateway/firewall/natd machine using ipfilter/ipnat?

thanks

redmond

> 1. Your firewall rules are not working at all, except for the natd
> redirect option. This is caused by the kernel compile time option
> IPFIREWALL_DEFAULT_TO_ACCEPT. This option tells your firewall that
> any packet that does not match a rule is allowed to pass on through
> the firewall. Comment out that option in your kernel options source
> and recompile your kernel to take the default of default-to-deny and
> your current rules set will stop functioning.
>
> 2. You are using the simplest of the rule types, 'state-less'. Using
> this type of rules you have to not only have a rule to allow the
> packet out, you also have to have a rule to allow the packet in. See
> rules 220 & 230 of your posted rule set to see how it should be
> done.
>
> 3. There are 3 classes of rules; each class has separate packet
> interrogation abilities. Each proceeding class has greater packet
> interrogation abilities than the previous one. These are stateless,
> simple stateful, and advanced stateful. The advanced stateful rule
> class is the only class having technically advanced interrogation
> abilities capable of defending against the flood of different attack
> methods currently employed by perpetrators. Stateless and Simple
> Stateful IPFW firewall rules are inadequate to protect the user's
> system in today's internet environment and leave the user
> unknowingly believing they are protected when in reality they are
> not.
>
> 4. The advanced stateful rule option keep-state works as documented
> only when used in a rule set that does not use the divert rule.
> Simply stated, the IPFW advanced stateful rule option keep-state does
> not function correctly when used in an IPFW firewall that also is
> using the IPFW built-in NATD function. For the most complete
> keep-state protection the other FIREWALL solution (IPFILTER) that
> comes with FBSD should be used. Just check out the IPFW list archives
> and you will see this subject discussed in detail without any
> solution forthcoming.
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Redmond
> Militante
> Sent: Friday, January 31, 2003 8:18 AM
> To: [EMAIL PROTECTED]
> Subject: please comment on my nat/ipfw rules (resent)
>
> hi all
>
> i have my test machine set up as a gateway box, with ipfw/natd
> configured on it, set up to filter/redirect packets bound for a
> client on my internal network.
>
> external ip of my internal client is aliased to the outside nic of
> the gateway box
>
> gateway machine's kernel has been recompiled with:
>
> options IPFIREWALL
> options IPDIVERT
> options IPFIREWALL_DEFAULT_TO_ACCEPT
> options IPFIREWALL_VERBOSE
>
> gateway's /etc/rc.conf looks like
>
> defaultrouter="129.x.x.1"
> hostname="hostname.com"
> ifconfig_xl0="inet 129.x.x.1 netmask 255.255.255.0"
> #aliasing internal client's ip to the outside nic of gateway box
> ifconfig_xl0_alias0="inet 129.x.1.20 netmask 255.0.0.0"
> #inside nic of gateway box
> ifconfig_xl1="inet 10.0.0.1 netmask 255.0.0.0"
> gateway_enable="YES"
> firewall_enable="YES"
> #firewall_script="/etc/rc.firewall"
> firewall_type="/etc/ipfw.rules"
> natd_enable="YES"
> #natd interface is outside nic
> natd_interface="xl0"
> #natd flags redirect any traffic bound for ip of www3 to internal
> ip of www3
> natd_flags="-redirect_address 10.0.0.2 129.x.x.20"
> kern_securelevel_enable="NO"
> .
>
> internal client's /etc/rc.conf looks like
>
> second machine's /etc/rc.conf:
>
> defaultrouter="10.0.0.1"
> ifconfig_xl0="inet 10.0.0.2 netmask 255.0.0.0"
>
> looks like this setup is working. the internal client is a basic
> webserver/ftp server. i am able to ftp to it, ssh to it, view
> webpages that it serves up, etc. with it hooked up to the internal
> nic of the gateway box.
>
> i am now trying to come up with a good set of firewall rules on the
> gateway box to filter out all unnecessary traffic to my internal
> network. the following is my /etc/ipfw.rules on the gateway box.
>
> -snip--
>
> # firewall_type="/etc/ipfw.rules"
> # enquirer ipfw.rules
>
> # NAT
> add 00100 divert 8668 ip from any to any via xl
please comment on my nat/ipfw rules (resent)
hi all

i have my test machine set up as a gateway box, with ipfw/natd configured on it, set up to filter/redirect packets bound for a client on my internal network.

external ip of my internal client is aliased to the outside nic of the gateway box

gateway machine's kernel has been recompiled with:

options IPFIREWALL
options IPDIVERT
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_VERBOSE

gateway's /etc/rc.conf looks like

defaultrouter="129.x.x.1"
hostname="hostname.com"
ifconfig_xl0="inet 129.x.x.1 netmask 255.255.255.0"
#aliasing internal client's ip to the outside nic of gateway box
ifconfig_xl0_alias0="inet 129.x.1.20 netmask 255.0.0.0"
#inside nic of gateway box
ifconfig_xl1="inet 10.0.0.1 netmask 255.0.0.0"
gateway_enable="YES"
firewall_enable="YES"
#firewall_script="/etc/rc.firewall"
firewall_type="/etc/ipfw.rules"
natd_enable="YES"
#natd interface is outside nic
natd_interface="xl0"
#natd flags redirect any traffic bound for ip of www3 to internal ip of www3
natd_flags="-redirect_address 10.0.0.2 129.x.x.20"
kern_securelevel_enable="NO"
.

internal client's /etc/rc.conf looks like

second machine's /etc/rc.conf:

defaultrouter="10.0.0.1"
ifconfig_xl0="inet 10.0.0.2 netmask 255.0.0.0"

looks like this setup is working. the internal client is a basic webserver/ftp server. i am able to ftp to it, ssh to it, view webpages that it serves up, etc. with it hooked up to the internal nic of the gateway box.

i am now trying to come up with a good set of firewall rules on the gateway box to filter out all unnecessary traffic to my internal network. the following is my /etc/ipfw.rules on the gateway box.

-snip--

# firewall_type="/etc/ipfw.rules"
# enquirer ipfw.rules

# NAT
add 00100 divert 8668 ip from any to any via xl0

# loopback
add 00210 allow ip from any to any via lo0
add 00220 deny ip from any to 127.0.0.0/8
add 00230 deny ip from 127.0.0.0/8 to any

#allow tcp in for nfs shares
#add 00301 allow tcp from 129.x.x.x to any in via xl0
#add 00302 allow tcp from 129.x.x.x to any in via xl0

#allow tcp in for ftp, ssh, smtp, httpd
add 00303 allow tcp from any to any in 21,22,25,80,1 via xl0

#deny rest of incoming tcp
add 00309 deny log tcp from any to any in established

#from man 8 ipfw: allow only outbound tcp connections i've created
add 00310 allow tcp from any to any out via xl0

#allow udp in for gateway for DNS
add 00300 allow udp from 10.0.0.0/24 to 129.105.49.1 53 via xl0

#allow udp in for nfs shares
#add 00401 allow udp from 129.x.x.x to any in recv xl0
#add 00402 allow udp from 129.x.x.x to any in recv xl0

#allow all udp out from machine
add 00404 allow udp from any to any out via xl0

#allow some icmp types (codes not supported)
##allow path-mtu in both directions
add 00500 allow icmp from any to any icmptypes 3
##allow source quench in and out
add 00501 allow icmp from any to any icmptypes 4
##allow me to ping out and receive response back
add 00502 allow icmp from any to any icmptypes 8 out
add 00503 allow icmp from any to any icmptypes 0 in
##allow me to run traceroute
add 00504 allow icmp from any to any icmptypes 11 in

add 00600 deny log ip from any to any
#--- end ipfw.rules ---#

-snip--

any comments on how i could improve this set of ipfw rules to better secure my internal client would be appreciated.

thanks again

redmond
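The point made in the reply about stateless rules (point 2, a rule to let the packet out is not enough, the reply packet needs its own rule) can be seen by walking packets through the posted list the way ipfw does: rules are taken in number order and the first match decides. The model below is an added example, not code from the post or from ipfw. It carries the TCP/UDP rules of the posted set (300, 303, 309, 310, 404, 600); the divert rule is left out because natd hands the packet back to the next rule, the loopback rules because only xl0 traffic is modelled, and neither NAT translation nor the keep-state/divert interaction raised in point 4 of the reply is modelled. Rule 303 is taken as destination ports 21, 22, 25 and 80 (the trailing "1" in the posting is not a complete port and is left out). The addresses are constructed: 198.51.100.35 stands for the gateway, 198.51.100.1 for the resolver in rule 300, 203.0.113.9 for an outside client and 192.0.2.80 for a web server the gateway connects to. The second firewall instance adds keep-state to rule 310 to show what a dynamic rule changes for the return packet.

```python
"""First-match walk of the posted ipfw rules, stateless and with keep-state (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str              # "in" or "out" on xl0
    established: bool = False   # TCP segment with ACK or RST set (ipfw "established")


@dataclass
class Rule:
    number: int
    action: str                       # "allow" or "deny"
    proto: str = "ip"                 # "ip" matches every protocol
    src: str = "any"
    dst: str = "any"
    dports: Tuple[int, ...] = ()      # () = any destination port
    direction: Optional[str] = None   # None = either direction
    established: bool = False         # True = match only established segments
    keep_state: bool = False          # True = record the flow as a dynamic rule

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src != "any" and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dports and p.dport not in self.dports:
            return False
        if self.direction and self.direction != p.direction:
            return False
        if self.established and not p.established:
            return False
        return True


class Firewall:
    def __init__(self, rules, default="allow"):
        self.rules = sorted(rules, key=lambda r: r.number)
        self.default = default    # IPFIREWALL_DEFAULT_TO_ACCEPT in the post; rule 600 is hit first
        self.state = set()        # dynamic rules keyed by the allowed flow's 5-tuple

    def evaluate(self, p: Packet):
        """Return (rule number or "dynamic", action) for the first match."""
        # Dynamic rules are checked before the static list (what check-state does).
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.state:
            return ("dynamic", "allow")
        for r in self.rules:
            if r.matches(p):
                if r.keep_state and r.action == "allow":
                    self.state.add((p.proto, p.src, p.sport, p.dst, p.dport))
                return (r.number, r.action)
        return (65535, self.default)


def posted_rules(keep_state=False):
    """The posted TCP/UDP rules; keep_state=True adds keep-state to rule 310 only."""
    return [
        Rule(300, "allow", "udp", src="10.0.0.0/24", dst="198.51.100.1/32", dports=(53,)),
        Rule(303, "allow", "tcp", dports=(21, 22, 25, 80), direction="in"),
        Rule(309, "deny", "tcp", direction="in", established=True),
        Rule(310, "allow", "tcp", direction="out", keep_state=keep_state),
        Rule(404, "allow", "udp", direction="out"),
        Rule(600, "deny"),
    ]


def run_scenarios(fw: Firewall):
    """Four packets; the reply to the gateway's own outbound connection is the telling one."""
    gw, client, web = "198.51.100.35", "203.0.113.9", "192.0.2.80"
    return {
        "ssh_in": fw.evaluate(Packet("tcp", client, 40000, gw, 22, "in")),
        "mysql_in": fw.evaluate(Packet("tcp", client, 40001, gw, 3306, "in")),
        "http_out": fw.evaluate(Packet("tcp", gw, 51000, web, 80, "out")),
        "http_reply": fw.evaluate(Packet("tcp", web, 80, gw, 51000, "in", established=True)),
    }


if __name__ == "__main__":
    for label, fw in (("stateless", Firewall(posted_rules())),
                      ("keep-state", Firewall(posted_rules(keep_state=True)))):
        print(label, run_scenarios(fw))
```

In the stateless walk the inbound SSH SYN stops at 303, the MySQL SYN falls through to 600, the gateway's outbound HTTP SYN is allowed by 310, but the server's reply (inbound, ACK set, destination port 51000) matches nothing before 309 and is denied there. With keep-state on 310 the reply is matched by the dynamic rule created when the SYN went out. Whether keep-state behaves this way next to a divert rule on a real FreeBSD 4.x kernel is exactly what the reply disputes; the model only shows what the rule semantics require.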
new ipfw/nat ruleset for gateway
hi all i have my test machine set up as a gateway box, with ipfw/natd configured on it, set up to filter/redirect packets bound for a client on my internal network. external ip of my internal client is aliased to the outside nic of the gateway box gateway machine's kernel has been recompiled with: options IPFIREWALL options IPDIVERT options IPFIREWALL_DEFAULT_TO_ACCEPT options IPFIREWALL_VERBOSE gateway's /etc/rc.conf looks like defaultrouter="129.x.x.1" hostname="hostname.com" ifconfig_xl0="inet 129.x.x.1 netmask 255.255.255.0" #aliasing internal client's ip to the outside nic of gateway box ifconfig_xl0_alias0="inet 129.x.1.20 netmask 255.0.0.0" #inside nic of gateway box ifconfig_xl1="inet 10.0.0.1 netmask 255.0.0.0" gateway_enable="YES" firewall_enable="YES" #firewall_script="/etc/rc.firewall" firewall_type="/etc/ipfw.rules" natd_enable="YES" #natd interface is outside nic natd_interface="xl0" #natd flags redirect any traffic bound for ip of www3 to internal ip of www3 natd_flags="-redirect_address 10.0.0.2 129.x.x.20" kern_securelevel_enable="NO" . internal client's /etc/rc.conf looks like second machine's /etc/rc.conf: defaultrouter="10.0.0.1" ifconfig_xl0="inet 10.0.0.2 netmask 255.0.0.0" looks like this setup is working. the internal client is a basic webserver/ftp server. i am able to ftp to it, ssh to it, view webpages that it serves up, etc. with it hooked up to the internal nic of the gateway box. i am now trying to come up with a good set of firewall rules on the gateway box to filter out all unnecessary traffic to my internal network. the following is my /etc/ipfw.rules on the gateway box. 
--snip--
# firewall_type="/etc/ipfw.rules"
# enquirer ipfw.rules

# NAT
add 00100 divert 8668 ip from any to any via xl0

# loopback
add 00210 allow ip from any to any via lo0
add 00220 deny ip from any to 127.0.0.0/8
add 00230 deny ip from 127.0.0.0/8 to any

#allow tcp in for nfs shares
#add 00301 allow tcp from 129.x.x.x to any in via xl0
#add 00302 allow tcp from 129.x.x.x to any in via xl0

#allow tcp in for ftp, ssh, smtp, httpd
add 00303 allow tcp from any to any in 21,22,25,80,1 via xl0

#deny rest of incoming tcp
add 00309 deny log tcp from any to any in established

#from man 8 ipfw: allow only outbound tcp connections i've created
add 00310 allow tcp from any to any out via xl0

#allow udp in for gateway for DNS
add 00300 allow udp from 10.0.0.0/24 to 129.105.49.1 53 via xl0

#allow udp in for nfs shares
#add 00401 allow udp from 129.x.x.x to any in recv xl0
#add 00402 allow udp from 129.x.x.x to any in recv xl0

#allow all udp out from machine
add 00404 allow udp from any to any out via xl0

#allow some icmp types (codes not supported)
##allow path-mtu in both directions
add 00500 allow icmp from any to any icmptypes 3
##allow source quench in and out
add 00501 allow icmp from any to any icmptypes 4
##allow me to ping out and receive response back
add 00502 allow icmp from any to any icmptypes 8 out
add 00503 allow icmp from any to any icmptypes 0 in
##allow me to run traceroute
add 00504 allow icmp from any to any icmptypes 11 in

add 00600 deny log ip from any to any
#--- end ipfw.rules ---#
--snip--

Any comments on how I could improve this set of ipfw rules to better secure my internal client would be appreciated.

Thanks again,
redmond
another go at natd
Hi all,

This is a followup to an email I sent out to the list a week or so ago. I was having trouble getting the following natd setup to work:

---snip---
Two machines - one has two NICs, one has one NIC. I'd like to set up the machine with two NICs as a gateway/natd box, and place the second machine behind it.

Gateway machine's kernel has been recompiled with:

options IPFIREWALL
options IPDIVERT
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_VERBOSE

Gateway machine's /etc/rc.conf:

defaultrouter="129.x.x.1"
hostname="enquirer.medill.northwestern.edu"
ifconfig_xl0="inet 129.x.x.35 netmask 255.255.255.0"
ifconfig_xl1="inet 10.0.0.1 netmask 255.0.0.0"
gateway_enable="YES"
firewall_enable="YES"
#firewall_script="/etc/rc.firewall"
firewall_type="OPEN"
natd_enable="YES"
natd_interface="xl0"
natd_flags=""

Second machine's /etc/rc.conf:

defaultrouter="10.0.0.1"
ifconfig_xl0="inet 10.0.0.2 netmask 255.0.0.0"

'ipfw list' on the gateway machine gives me:

00050 divert 8668 ip from any to any via xl0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65535 allow ip from any to any

I'm following the instructions in the handbook: http://www.freebsd.org/doc/en_US.IS...dbook/natd.html
---snip---

Turns out my setup above was exactly right. I was informed by various members of the list that my original problem was that I was running a connection from the client machine directly to the internal NIC on the gateway box, and all I needed to do was to run everything through a hub to get it to work.

So, I'm NAT'ing. I'm redirecting packets to my internal LAN on the gateway box. I guess my question to the list would be: is a vanilla natd setup like this enough? Today I tried changing firewall_type to '/etc/ipfw.rules' instead of "OPEN", and it's been problematic.
I'm having trouble getting the following /etc/ipfw.rules file working with my NAT setup:

add 00100 allow ip from any to any via lo0
add 00200 deny ip from any to 127.0.0.0/8
add 00300 check-state
add 00301 allow tcp from 129.x.x.20 to any in setup keep-state
add 00302 allow tcp from 10.0.0.2 to any in setup keep-state

#allow tcp in for ftp, ssh, smtp, httpd
add 00304 allow tcp from any to any 21 in setup keep-state
add 00305 allow tcp from any to any 22 in setup keep-state
add 00306 allow tcp from any to any 25 in setup keep-state
add 00307 allow tcp from any to any 80 in setup keep-state

#allow tcp in for webmin port
add 00308 allow tcp from any to any 1 in setup keep-state

#deny rest of incoming tcp
add 00309 deny log tcp from any to any in established

#from man 8 ipfw: allow only outbound tcp connections i've created
add 00310 allow tcp from any to any out setup keep-state

#allow udp in for gateway for DNS
add 00400 allow udp from 129.105.49.1 to any in recv xl0
add 00401 allow udp from 129.x.x.20 to any in recv xl0
add 00402 allow udp from 10.0.0.2 to any in recv xl0

#allow all udp out from machine
add 00404 allow udp from any to any out

#allow some icmp types (codes not supported)
##allow path-mtu in both directions
add 00500 allow icmp from any to any icmptypes 3
##allow source quench in and out
add 00501 allow icmp from any to any icmptypes 4
##allow me to ping out and receive response back
add 00502 allow icmp from any to any icmptypes 8 out
add 00503 allow icmp from any to any icmptypes 0 in
##allow me to run traceroute
add 00504 allow icmp from any to any icmptypes 11 in

add 00600 deny log ip from any to any

Sorry, this is long winded. Any comments on how to get the above rules working with my NAT setup, or on whether these measures are even necessary, would be greatly appreciated.

Thanks,
redmond
tx underrun error when ftp'ing large file
Hi,

I get the following error

xl0: transmission error: 90
xl0: tx underrun, increasing tx start threshold to 120 bytes

when trying to ftp a large tar.gz file to a Dell PowerEdge network storage appliance. The commands I'm using to upload this large tar.gz file are:

ftp -n -v storageappliance.organization.com
user myaccount mypassword
bin
prompt
mput largefile.tar.gz

I've used this method to ftp smaller tar.gz files, but when I try to upload this large file (several gig in size) I get the tx underrun error, and the transfer freezes.

I've done some research on this error. I've found the following in the mailing list archives:

"According to:
http://www.freebsd.org/cgi/getmsg.cgi?fetch=1651362+1653480+/usr/local/www/db/text/1999/freebsd-questions/19990926.freebsd-questions

Tx underruns occur when the tx state machine cannot get packet data from memory fast enough to keep up with wire transmit rate. Setting the start threshold higher increases the number of bytes which are buffered in the tx fifo which increases the allowable bus latency.

And according to the linux driver for the 3com cards: Tx underrun (not enough PCI bus bandwidth). It's not a problem as far as I know; if the message stops (depending on how much traffic there is on your network, at my FreeBSD box it sometimes rises to 300 bytes) the system works fine."

So - I'm wondering if anyone has dealt with this type of issue before, and if so, how to configure my NIC to perform this type of ftp transfer. Any advice would be appreciated.

Thanks again,
redmond
need help in setting up a demilitarized zone
Hi all,

So I have my gateway/ipfw/natd machine working, protecting a test client box. This gateway box is a Dell Optiplex GX150 PIII 930 MHz with 128 MB of RAM and 2 NICs - one integrated Intel Pro 1000, the other a really old 3Com 3c905b that I pulled out of an old junker computer that we were going to throw out.

I would like this gateway box to protect our webserver, our MySQL server, and possibly another webserver. Our webserver is a dual Xeon Dell PowerEdge 1650 with 2 gig of RAM; it sometimes gets more than 10 hits a day, and is hooked up to a t100 line. Will my little Optiplex gateway box be able to keep up with a webserver that's this busy? I know I at least have to replace the 3Com 3c905b card on it, as I'm pretty sure that that type of NIC can't even handle a t100 connection. But - is the computer itself fast enough?

Also - does anyone have any recommendations for a good 4 port hub or switch for this particular purpose? Right now I'm using an old Netgear EN 104TP, which is probably not ideal.

Thanks again
Re: another go at ipfw/natd
Hi,

Thanks, this worked :)

In the gothic chambers of the underworld on Thu, Jan 16, 2003 at 03:51:55PM -0600, Daniel Schrock darkly muttered:
> Redmond Militante wrote:
> > xl1: flags=8843 mtu 1500
> > 	options=3
> > 	inet 10.0.0.1 netmask 0xff00 broadcast 10.0.0.255
> > 	inet6 fe80::206:5bff:fe80:985b%xl1 prefixlen 64 scopeid 0x2
> > 	ether 00:06:5b:80:98:5b
> > 	media: Ethernet autoselect (none)
> > 	status: no carrier
>                    ^^
> This is your problem.
>
> > > Do your net card and hub both have link lights?
> >
> > I am hooking the client directly into the internal NIC on the gateway, so
> > no hub. I've verified that both NICs on the gateway work - did this by
> > configuring xl1 as the primary NIC, and it worked.
>
> You can't do this.
> You _must_ use a crossover cable to connect 2 NICs directly together.
> You need to use a hub or switch to use straight-through ethernet cables.
>
> .daniel.schrock
>
> To Unsubscribe: send mail to [EMAIL PROTECTED]
> with "unsubscribe freebsd-questions" in the body of the message
Re: another go at ipfw/natd
> Let me ask some questions to help diagnose this:
> 1. From the gateway: Can you ping www.freebsd.org? Can you ping 129.x.x.1?

Yes to both.

> 2. What's in /etc/resolv.conf on the gateway and the client machine?

/etc/resolv.conf is identical on the gateway and client machines:

search northwestern.edu
nameserver 129.105.49.1
nameserver 165.124.49.21

> 3. What does ifconfig display on the gateway? Does xl1 show as "up" with a
> valid media type?

xl0: flags=8843 mtu 1500
	options=3
	inet 129.105.51.35 netmask 0xff00 broadcast 129.105.51.255
	inet6 fe80::210:5aff:fec6:8bcb%xl0 prefixlen 64 scopeid 0x1
	ether 00:10:5a:c6:8b:cb
	media: Ethernet autoselect (100baseTX )
	status: active
xl1: flags=8843 mtu 1500
	options=3
	inet 10.0.0.1 netmask 0xff00 broadcast 10.0.0.255
	inet6 fe80::206:5bff:fe80:985b%xl1 prefixlen 64 scopeid 0x2
	ether 00:06:5b:80:98:5b
	media: Ethernet autoselect (none)
	status: no carrier

(ifconfig has changed slightly here - I was experimenting by giving xl1 a subnet mask of 255.255.255.0 - still doesn't work)

> Do your net card and hub both have link lights?

I am hooking the client directly into the internal NIC on the gateway, so no hub. I've verified that both NICs on the gateway work - did this by configuring xl1 as the primary NIC, and it worked.

Thanks,
redmond

> --
> B​ill Moran
> Potential Technologies
> http://www.potentialtech.com
another go at ipfw/natd
Hi again,

I have two machines - one has two NICs, one has one NIC. I'd like to set up the machine with two NICs as a gateway/natd box, and place the second machine behind it.

Gateway machine's kernel has been recompiled with:

options IPFIREWALL
options IPDIVERT
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_VERBOSE

Gateway machine's /etc/rc.conf:

defaultrouter="129.x.x.1"
hostname="enquirer.medill.northwestern.edu"
ifconfig_xl0="inet 129.x.x.35 netmask 255.255.255.0"
ifconfig_xl1="inet 10.0.0.1 netmask 255.0.0.0"
gateway_enable="YES"
firewall_enable="YES"
#firewall_script="/etc/rc.firewall"
firewall_type="OPEN"
natd_enable="YES"
natd_interface="xl0"
natd_flags=""

Second machine's /etc/rc.conf:

defaultrouter="10.0.0.1"
ifconfig_xl0="inet 10.0.0.2 netmask 255.0.0.0"

'ipfw list' on the gateway machine gives me:

00050 divert 8668 ip from any to any via xl0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65535 allow ip from any to any

I'm following the instructions in the handbook: http://www.freebsd.org/doc/en_US.IS...dbook/natd.html

"Each machine and interface behind the LAN should be assigned IP address numbers in the private network space as defined by RFC 1918 and have a default gateway of the natd machine's internal IP address."

This isn't working for me. I cannot ping outside machines from the client machine. 'ping www.freebsd.org' times out. Pinging the IP address outside the router gives me 'no route to host'; pinging the IP address of the gateway box gives me 'no route to host'. 'ping 10.0.0.1' gives me 'host is down'. The client machine can ping itself and get a response, however - 'ping 10.0.0.2' gives me a response.

Please help, I'm stuck.
[r-militante@northwestern.edu: Re: ipfw/natd questions]
----- Forwarded message from Redmond Militante <[EMAIL PROTECTED]> -----

Date: Thu, 16 Jan 2003 07:20:30 -0600
From: Redmond Militante <[EMAIL PROTECTED]>
To: Axel Gruner <[EMAIL PROTECTED]>
Subject: Re: ipfw/natd questions
Reply-To: Redmond Militante <[EMAIL PROTECTED]>
In-Reply-To: <[EMAIL PROTECTED]>
User-Agent: Mutt/1.4i
X-Sender: [EMAIL PROTECTED]
X-URL: http://darkpossum.medill.northwestern.edu/modules.php?name=Content&pa=showpage&pid=1
X-DSS-PGP-Fingerprint: F9E7 AFEA 0209 B164 7F83 E727 5213 FAFA 1511 7836
X-Tofu: The other white meat substitute.

Hello!

Thanks for responding. My ISP has two nameservers. They are listed by IP in the resolv.conf files on both machines. Am I missing a divert rule in my rc.ipfw?

> On Wed, 15 Jan 2003 19:08:08 -0600
> Redmond Militante <[EMAIL PROTECTED]> wrote:
> [...]
> > At the moment, it's not working. On machine 2, I can't ping
> > www.freebsd.org - I get 'hostname lookup failure'. I can't ping xl0 -
> > external NIC on machine 1 - ping 129.x.x.35 gives me a 'host is down'
> > message. Machine 2 can ping its own static IP successfully - ping
> > 129.x.x.20 works. Machine 2 can ping its own hostname successfully -
> > ping machine2.hostname.com works.
> > Sorry if this is long, I've been messing with this all day and I think
> > I'm doing it right. Can you guys tell if I'm missing something
> > obvious?
>
> What about your /etc/resolv.conf? On both machines?
> Did you insert the nameserver of your ISP?
>
> To Unsubscribe: send mail to [EMAIL PROTECTED]
> with "unsubscribe freebsd-questions" in the body of the message

----- End forwarded message -----
ipfw/natd questions
Now I'm trying to set up a gateway box using ipfw/natd. I have 2 test machines - machine 1 has two NICs, one's an integrated Intel 1000 Pro, the other is an old PCI 3Com 3c905b. Machine 1 has a static IP and hostname. Machine 2 is virtually identical except it has only one NIC - the Intel 1000 Pro integrated. Machine 2 also has a static IP and hostname.

I'd like machine 1 to act as a gateway/packet filtering firewall/natd box. I'd like to hook up machine 2 to the internal network interface card of machine 1 and be able to filter/log/divert packets bound for machine 2 through ipfw/natd on machine 1. I've been basically following the instructions at http://www.mostgraveconcern.com/freebsd/ for 'setting up a dual-homed host'.

- On machine 1, ifconfig returns

xl0: flags=8843 mtu 1500
	options=3
	inet 129.x.x.35 netmask 0xff00 broadcast 129.x.x.255
	inet6 fe80::210:5aff:fec6:8bcb%xl0 prefixlen 64 scopeid 0x1
	ether 00:10:5a:c6:8b:cb
	media: Ethernet autoselect (100baseTX )
	status: active
xl1: flags=8843 mtu 1500
	options=3
	inet 10.20.155.1 netmask 0xff00 broadcast 10.20.155.255
	inet6 fe80::206:5bff:fe80:985b%xl1 prefixlen 64 scopeid 0x2
	ether 00:06:5b:80:98:5b
	media: Ethernet autoselect (none)
	status: no carrier

I'd like xl0 to be my external NIC, and xl1 to be my internal NIC.

- On machine 1, my /etc/rc.conf reads

ifconfig_xl0="inet 129.x.x.35 netmask 255.255.255.0"
ifconfig_xl1="inet 10.20.155.1 netmask 255.255.255.0"
gateway_enable="YES"
#required for ipfw support
firewall_enable="YES"
firewall_script="/etc/rc.ipfw"
firewall_type="open"
firewall_quiet="NO"          #change to yes once happy with rules
firewall_logging_enable="YES"
#extra firewalling options
log_in_vain="YES"
tcp_drop_synfin="YES"
icmp_drop_redirect="YES"
natd_program="/sbin/natd"
natd_enable="YES"
natd_interface="xl0"
natd_flags="-f /etc/natd.conf"

- Machine 1's kernel has been recompiled with the following options

#to enable ipfirewall with default to deny all packets
options IPFIREWALL
options IPFIREWALL_FORWARD
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=10
#to hide the firewall from traceroute
options IPSTEALTH
options IPDIVERT
#to hide from nmap
options TCP_DROP_SYNFIN

- The machine's firewall_script, /etc/rc.ipfw, is taken from the tutorial mostly verbatim; the only part of it I changed was

# Suck in the configuration variables.
if [ -r /etc/defaults/rc.conf ]; then
	. /etc/defaults/rc.conf
	source_rc_confs
elif [ -r /etc/rc.conf ]; then
	. /etc/rc.conf
fi

if [ -n "${1}" ]; then
	firewall_type="${1}"
fi

# Firewall program
fwcmd="/sbin/ipfw"

# Outside interface network and netmask and ip
oif="xl0"
onet="129.x.x.1"
omask="255.255.255.0"
oip="129.x.x.35"

# Inside interface network and netmask and ip
iif="xl1"
inet="10.20.155.0"
imask="255.255.255.0"
iip="10.20.155.1"

# My ISP's DNS servers
dns1="129.x.x.1"
dns2="165.x.x.21"

# Flush previous rules
${fwcmd} -f flush

# Allow loopbacks, deny imposters
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8

# If you're using 'options BRIDGE', uncomment the following line to pass ARP
#${fwcmd} add 300 pass udp from 0.0.0.0 2054 to 0.0.0.0

# Stop spoofing
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

# Network Address Translation.  This rule is placed here deliberately
# so that it does not interfere with the surrounding address-checking
# rules.  If for example one of your internal LAN machines had its IP
# address set to 192.0.2.1 then an incoming packet for it after being
# translated by natd(8) would match the `deny' rule above.  Similarly
# an outgoing packet originated from it before being translated would
# match the `deny' rule below.
${fwcmd} add divert natd all from any to any via ${natd_interface}

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 169
apache mod_rewrite not registering configuration change
Hi all,

I was using this code in my httpd.conf:

#
# Redirect allows you to tell clients about documents which used to exist in
# your server's namespace, but do not anymore. This allows you to tell the
# clients where to look for the relocated document.
# Format: Redirect old-URI new-URL
#
RewriteEngine on
rewriterule "^(/folderatlocation1/.*)" "http://location2.org$1"; [r]

This points mod_rewrite to rewrite all requests for any documents in 'folderatlocation1' to http://location2.org/(equivalent folder).

I modified the httpd.conf file today to:

RewriteEngine on
rewriterule "^(/folderatlocation1/.*)" "http://location3.org$1"; [r]

Here I want to point mod_rewrite to location3.org instead of location2.org. I did 'apachectl graceful', and mod_rewrite still points to the old location. I did a couple of reboots; it still points to the old location. Am I missing something? Like a cache someplace that I have to flush to get mod_rewrite pointing to a new location after editing it?

Thanks for any advice,
redmond
portsentry KILL_RUN_CMD
Hi all,

I'm configuring portsentry and I wanted to set the value of the KILL_RUN_CMD option to reverse finger a scanning host. Can somebody tell me what the correct syntax for this would be in this file?

Thanks
dell poweredge 1650
Hi all,

We're thinking of buying a Dell PowerEdge 1650 at work to be our new webserver. I'd like to run the most recent version of FreeBSD RELENG_4_7, Apache, and proftpd on it. Our site has approximately 45000-5 documents on it, and receives about 9 hits a day. We host about 10 PHP/MySQL database apps; I am not sure whether or not we will maintain a separate box for MySQL. We probably will, though.

I am listing the hardware quote below - any thoughts you guys may have, particularly in relation to hardware compatibility and processing requirements, would be highly appreciated. Here are the server specs.

PowerEdge 1650, Intel Pentium III, 1.26GHz w/512K Cache  --  165126 [ 220-8249 ]
Additional Processors: Dual Processor Intel Pentium III, 1.13GHz w/512K Cache  --  2P113 [ 311-1478 ]
Memory: 512MB SDRAM, 133MHz, 2X256MB DIMMs  --  512M2D [ 311-1480 ]
PCI Riser: PCI Riser, 1x64bit/66MHz slot and 1x32bit/33MHz slot  --  32BPCI [ 430-0289 ]
First Hard Drive: 36GB 10K RPM Ultra 160 SCSI Hard Drive  --  36GB10 [ 340-3599 ]
Primary Controller: PERC3-DI, 128MB Battery Backed Cache, 1 Int, 1 Ext Channels, Embedded RAID  --  ROMB128 [ 340-3605 ]
Dual On-Board NICs  --  OBNICS [ 430-8991 ]
CD ROM or DVD ROM: 24X IDE Internal CD ROM Drive  --  CD24X [ 313-0317 ]
Hard Drive Backplane: 3 Bay (1x3) Hot Plug SCSI Hard Drive Backplane  --  1X3BKPL [ 311-1586 ]
Second Hard Drive: 36GB 10K RPM Ultra 160 SCSI Hard Drive  --  36GB10 [ 340-3599 ]
Secondary Controller: Single Fibre Channel Host Bus Adapter, Copper 2200/66  --  FHBA1C6 [ 340-7360 ]
Hard Drive Configuration: On-Board RAID5, 3 drives connected to on-board RAID  --  MR5 [ 340-3608 ]
Third Hard Drive: 36GB 10K RPM Ultra 160 SCSI Hard Drive  --  36GB10 [ 340-3599 ]

Regards,
redmond
Re: need help with ipfw rules
Hi,

Thanks for responding.

On Mon, Oct 21, 2002 at 09:16:36PM -0400, Dan Pelleg expatiated with great perspicuity:
> > hi all
> >
> > my apologies, this could get long as i'm including the text of various
> > config files:
> >
> > i've been trying to learn ipfw. i've recompiled a kernel with the
> > following options
> >
> > ipfw add allow ip from any to any
>

Typo.

> Do you really want to allow everything in, or is this just a typo?
> If this rule is really in effect, the rest of the rules are
> not doing anything.
>
> > ipfw add allow ip from 127.0.0.1 to 127.0.0.1 vua lo0
>
> I'm assuming "vua" is a typo - should be "via".
>

Typo again.

> > ipfw add allow udp from any to any 53
> > ipfw add check-state
>
> You're not letting DNS replies come back. You are allowing the queries
> to go *out*, but when the remote server's reply packets hit the firewall
> they have port 53 on the *source* address, not on the destination.
> So they don't match that rule anymore and are discarded.
>
> What you probably want instead is:
> ipfw add allow udp from any to any 53 keep-state
>

I changed this line. Boots up fine. Webserver, ssh, nfs, mail, etc. work. There's only one problem I noticed right off the bat - it looks like ftp users can authenticate fine, but when their ftp client tries to bring up a list of files in their ftp directories, it hangs at 'getting file list...'. Any ideas on how to fix?

Thanks,
redmond

> Another point: you're not using the "divert" rule for natd,
> and I see you have NAT enabled in your rc.conf. This is likely to
> be a problem later (well, you'll just not have NAT).
>
> A very good resource for this is /etc/rc.firewall. Just try
> to follow what the "CLIENT", "SIMPLE" and "OPEN" targets
> do, or even let them run, then output the generated ruleset
> and use it as the skeleton of your own ruleset.
>
> Another useful debugging tool is "ipfw show" - typed repeatedly to watch
> which counters increased and so to know which rules were hit.
> Once you get into stateful filtering, you'll want "ipfw -d show".
>
> Having said that, good ol' tcpdump is always handy to have around.
> Just fire up "tcpdump -ni XXX" with XXX for your external interface
> and see what's going out and what's coming in. Once you start
> firewalling for a network, a "tcpdump -ni III" with III being
> the internal interface becomes useful as well, either in itself
> or in addition to the external-watching tcpdump.
>
> --
> Dan Pelleg
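Dan's two points above, that a first-match firewall is only as strict as its first matching rule and that a stateless "allow udp from any to any 53" lets the query out but not the reply back in, can be checked without a FreeBSD box. The toy evaluator below is an added example, not code from this thread and not ipfw itself: it parses the small subset of ipfw(8) syntax that Redmond's ruleset uses and runs a few constructed packets through three variants of that ruleset. The hosts (198.51.100.10, 203.0.113.53, 203.0.113.7), the ports, the fourth packet (a SYN to an unlisted high port) and the assumption that the unmatched default rule is deny are all constructed for the demonstration.

```python
"""Toy first-match evaluator for a subset of ipfw(8) rule syntax. Added example, not
code from the thread. It models just enough of ipfw to show why an early
'allow ip from any to any' leaves every later rule dead, and why a stateless
'allow udp from any to any 53' passes DNS queries but drops the replies.
Hosts, ports and the rulesets below are constructed for the demonstration."""
import ipaddress
import re
from collections import namedtuple

# direction is "in" or "out"; syn_only marks a TCP SYN without ACK, which ipfw calls "setup"
Packet = namedtuple("Packet", "proto src sport dst dport direction iface syn_only",
                    defaults=("xl0", False))

RULE_RE = re.compile(
    r"^(?:ipfw\s+)?(?:add\s+)?(?:\d+\s+)?(?P<action>allow|pass|deny|reject|check-state)"
    r"(?:\s+log(?:\s+logamount\s+\d+)?)?"
    r"(?:\s+(?P<proto>ip|all|tcp|udp|icmp)\s+from\s+(?P<src>\S+)(?:\s+(?P<sport>\d[\d,]*))?"
    r"\s+to\s+(?P<dst>\S+)(?:\s+(?P<dport>\d[\d,]*))?(?P<opts>.*))?$")

def _ports(spec):
    return None if spec is None else frozenset(int(x) for x in spec.split(","))

def _addr(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def parse_rule(line):
    """Parse one rule into a dict; raise ValueError on anything ipfw(8) itself would refuse."""
    m = RULE_RE.match(line.strip())
    if not m or (m["action"] != "check-state" and m["proto"] is None):
        raise ValueError(f"cannot parse: {line!r}")
    r = {"action": m["action"], "proto": m["proto"] or "ip", "src": m["src"] or "any",
         "dst": m["dst"] or "any", "sport": _ports(m["sport"]), "dport": _ports(m["dport"]),
         "dir": None, "via": None, "setup": False, "keep-state": False}
    toks = (m["opts"] or "").split()
    while toks:
        t = toks.pop(0)
        if t in ("in", "out"):
            r["dir"] = t
        elif t == "via" and toks:
            r["via"] = toks.pop(0)
        elif t in ("setup", "keep-state"):
            r[t] = True
        else:  # e.g. the 'vua' typo: ipfw rejects the whole line, so that rule is never installed
            raise ValueError(f"unknown option {t!r} in {line!r}")
    return r

def matches(r, p):
    return (r["proto"] in ("ip", "all", p.proto) and _addr(r["src"], p.src) and _addr(r["dst"], p.dst)
            and (r["sport"] is None or p.sport in r["sport"])
            and (r["dport"] is None or p.dport in r["dport"])
            and r["dir"] in (None, p.direction) and r["via"] in (None, p.iface)
            and (not r["setup"] or (p.proto == "tcp" and p.syn_only)))

def _key(p, reverse=False):
    # 5-tuple for the dynamic table; ipfw matches a dynamic rule in both directions
    return (p.proto, p.dst, p.dport, p.src, p.sport) if reverse else (p.proto, p.src, p.sport, p.dst, p.dport)

def evaluate(rules, packets):
    """First match wins. No match falls through to the default rule, assumed here to be deny
    (kernel built without IPFIREWALL_DEFAULT_TO_ACCEPT, as in the original post)."""
    state, verdicts = set(), []
    for p in packets:
        verdict = "deny"
        for r in rules:
            if (r["action"] == "check-state" or r["keep-state"]) and (_key(p) in state or _key(p, True) in state):
                verdict = "allow"  # matched a dynamic rule created by an earlier keep-state rule
                break
            if r["action"] == "check-state" or not matches(r, p):
                continue
            verdict = "allow" if r["action"] in ("allow", "pass") else "deny"  # reject = deny plus RST/ICMP
            if r["keep-state"] and verdict == "allow":
                state.add(_key(p))
            break
        verdicts.append(verdict)
    return verdicts

# Constructed traffic: our host on xl0, its resolver, and an outside client.
HOST, RESOLVER, CLIENT = "198.51.100.10", "203.0.113.53", "203.0.113.7"
TRAFFIC = [
    Packet("udp", HOST, 49152, RESOLVER, 53, "out"),                 # our DNS query
    Packet("udp", RESOLVER, 53, HOST, 49152, "in"),                  # the reply: 53 is now the *source* port
    Packet("tcp", CLIENT, 40000, HOST, 22, "in", syn_only=True),     # a new ssh connection
    Packet("tcp", CLIENT, 40001, HOST, 50123, "in", syn_only=True),  # a SYN to an unlisted high port
]
TAIL = ("ipfw add check-state\nipfw add allow tcp from any to any 22 setup keep-state\n"
        "ipfw add reject tcp from any to any\nipfw add deny log logamount 5000 ip from any to any")
RULESETS = {
    "as posted": "ipfw add allow ip from any to any\nipfw add allow ip from 127.0.0.1 to 127.0.0.1 vua lo0\n"
                 "ipfw add allow udp from any to any 53\n" + TAIL,
    "typos fixed, dns still stateless": "ipfw add allow ip from any to any via lo0\n"
                                        "ipfw add allow udp from any to any 53\n" + TAIL,
    "dns with keep-state": "ipfw add allow ip from any to any via lo0\n"
                           "ipfw add allow udp from any to any 53 keep-state\n" + TAIL,
}

def demo():
    """Run the constructed traffic through each ruleset; returns verdicts and rejected lines by name."""
    out = {}
    for name, text in RULESETS.items():
        rules, rejected = [], []
        for line in text.splitlines():
            try:
                rules.append(parse_rule(line))
            except ValueError as e:  # reported rather than silently skipped, as ipfw's own error would be
                rejected.append(str(e))
        out[name] = {"verdicts": evaluate(rules, TRAFFIC), "rejected": rejected}
    return out

if __name__ == "__main__":
    for name, res in demo().items():
        print(f"{name:32s} {res['verdicts']}  rejected lines: {len(res['rejected'])}")
```

Running demo() gives "allow" for all four packets under the rules as posted (the first rule matches everything, and the "vua" line is reported as unparseable, just as ipfw would refuse it), "deny" for the DNS reply once the typos are fixed but the udp rule is left stateless, and "allow" for the reply only when that rule carries keep-state. The fourth packet, the SYN to an unlisted high port, is refused by every variant: that is what "reject tcp from any to any" does to any inbound connection that is not on the list, so anything a service needs beyond the listed ports has to be added above it.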
need help with ipfw rules
Hi all,

My apologies, this could get long as I'm including the text of various config files.

I've been trying to learn ipfw. I've recompiled a kernel with the following options:

options ICMP_BANDLIM
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPDIVERT
options TCP_DROP_SYNFIN
options IPFIREWALL_FORWARD
options IPSTEALTH
options DUMMYNET

My rc.conf:

# This file now contains just the overrides from /etc/defaults/rc.conf.
defaultrouter="1.1.1.1"
gateway_enable="YES"
hostname="hostname.com"
ifconfig_xl0="inet 1.1.1.1 netmask 255.255.255.0"
inetd_enable="YES"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
firewall_type="open"
firewall_quiet="NO"
tcp_drop_synfin="NO"
firewall_logging_enable="YES"
icmp_drop_redirect="YES"
log_in_vain="YES"
sendmail_flags=-bd
kern_securelevel_enable="NO"
linux_enable="YES"
moused_enable="YES"
moused_port="/dev/psm0"
moused_type="auto"
nfs_reserved_port_only="YES"
saver="logo"
sendmail_enable="YES"
sshd_enable="YES"
usbd_enable="YES"
portmap_enable="YES"
nfs_server_enable="YES"
mountd_flags="-r"

I haven't edited rc.firewall. This machine is a combination desktop/web/ftp/nfs server.

My /etc/ipfw.rules looks like:

ipfw add allow ip from any to any
ipfw add allow ip from 127.0.0.1 to 127.0.0.1 vua lo0
ipfw add allow udp from any to any 53
ipfw add check-state
ipfw add allow tcp from any to any 80 setup keep-state
ipfw add allow tcp from any to any 53 setup keep-state
ipfw add allow tcp from any to any 21 setup keep-state
ipfw add allow tcp from any to any 22 setup keep-state
ipfw add allow tcp from any to any 25 setup keep-state
ipfw add allow tcp from any to any 110 setup keep-state
ipfw add allow tcp from any to any 587 setup keep-state
ipfw add allow tcp from any to any 3306 setup keep-state
ipfw add allow tcp from any to any 1 setup keep-state
ipfw add reject tcp from any to any
ipfw add allow udp from any to any 53
ipfw add allow icmp from any to any icmptype 0,3,4,8,11
ipfw add deny log logamount 5000 ip from any to any

(I was following phoenix's and kirk's ipfw advice in another thread.)

I've also added

!ipfw
*.*					/var/log/firewall.log

to /etc/syslog.conf, touched /var/log/firewall.log, and restarted syslogd.

Upon reboot, the machine hangs in 3 different places during the bootup process. My bootup messages look like:

[snip]
additional network daemons:mountd
oct 21 15:27:47 hostname mountd[96]: get hostname failed for www3
oct 21 15:27:47 hostname mountd[96]: bad host www3, skipping
oct 21 15:27:47 hostname mountd[96]: bad exports list line /mnt/drive2/dailybackup www3
nfs on reserved port only=YES nfsd rpc.statd
[snip]

Here it hangs on mountd for a minute or two, then proceeds.

[snip]
starting standard daemons: inetd cron sshd usbd sendmail sendmail-clientmqueue
[snip]

Here it hangs on sendmail and sendmail-clientmqueue, then proceeds. It then hangs for hours at 'recovering vi sessions:'. It eventually boots all the way through after a few hours. This is not workable for me.

I've switched my /etc/ipfw.rules to

ipfw add allow ip from any to any
ipfw add allow udp from any to any 53

temporarily, so that I can use the machine, but I would like to have a set of basic ipfw rules in place. Can anyone tell me where I'm going wrong? I think it's hanging on the bootup process because my ipfw.rules are messed up.

Thanks,
redmond

Redmond Militante
Northwestern University, Evanston, IL. USA
[EMAIL PROTECTED]
847-467-7617
Re: limiting closed port rst response from ...
Thanks.

On Mon, 21 Oct 2002, Roman Neuhauser wrote:
> # [EMAIL PROTECTED] / 2002-10-21 09:38:52 -0500:
> > hi all
> >
> > i saw these messages in /var/log/messages over the weekend repeated several
> > times
> >
> > oct 21 09:35:15 hostname /kernel: limiting closed port rst response from
> > 384 to 200 packets per second
> >
> > also listed in the log were several attempts to connect to the machine via
> > anonymous ftp
> >
> > can anyone tell me what the limiting closed port... message means?
>
> * AFAICT *
>
> that means that your box is trying to circumvent a possible DoS
> attack. this message is of the same kind as those
>
> previous message repeated N times
>
> lines in /var/log/messages.
>
> --
> If you cc me or take the list(s) out completely I'll most likely
> ignore your message.
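The message Roman explains above comes from the kernel's RST rate limiter (the ICMP_BANDLIM option, which this box's kernel config includes; the ceiling, 200 per second here, is the sysctl net.inet.icmp.icmplim). The line records only that more closed-port probes arrived than the kernel was willing to answer; it does not say from where. The rc.conf posted for this box also sets log_in_vain="YES", and with that the kernel logs each connection attempt to a port nothing listens on, source address included, so the two kinds of line can be correlated. The script below is an added example, not code from this thread: the log excerpt is constructed, modelled on the FreeBSD log_in_vain line format, the addresses are documentation ranges, and the threshold of five distinct ports is an arbitrary choice.

```python
"""Correlate FreeBSD kernel log lines that point at a port scan. Added example, not
code from the thread. The 'limiting closed port RST response' line says only that the
kernel is rate-limiting its RSTs; with log_in_vain="YES" (set in the poster's rc.conf)
the kernel also logs each connection attempt to a port nothing listens on, and those
lines carry the source address. The sample log below is constructed."""
import re
from collections import Counter, defaultdict

RST_LIMIT = re.compile(r"limiting closed port rst response from (\d+) to (\d+) packets", re.I)
# log_in_vain lines read "Connection attempt to TCP <dst>:<port> from <src>:<sport>" (or UDP);
# anything after the source port (later kernels add more) is ignored by this search.
IN_VAIN = re.compile(r"Connection attempt to (TCP|UDP) (\S+):(\d+) from (\S+):(\d+)", re.I)

# Constructed /var/log/messages excerpt: one host walks five closed ports, another touches two.
SAMPLE_LOG = """\
Oct 21 09:35:14 hostname /kernel: Connection attempt to TCP 198.51.100.10:23 from 203.0.113.7:51000
Oct 21 09:35:14 hostname /kernel: Connection attempt to TCP 198.51.100.10:79 from 203.0.113.7:51001
Oct 21 09:35:14 hostname /kernel: Connection attempt to TCP 198.51.100.10:110 from 203.0.113.7:51002
Oct 21 09:35:14 hostname /kernel: Connection attempt to TCP 198.51.100.10:143 from 203.0.113.7:51003
Oct 21 09:35:15 hostname /kernel: Connection attempt to TCP 198.51.100.10:3389 from 203.0.113.7:51004
Oct 21 09:35:15 hostname /kernel: Limiting closed port RST response from 384 to 200 packets per second
Oct 21 09:36:02 hostname /kernel: Connection attempt to TCP 198.51.100.10:79 from 192.0.2.44:40200
Oct 21 09:36:02 hostname /kernel: Connection attempt to UDP 198.51.100.10:161 from 192.0.2.44:40201
"""


def analyse(lines, min_ports=5):
    """Count closed-port attempts per source, flag sources that touched at least
    min_ports distinct ports, and collect the RST rate-limit events as (seen, limit)."""
    ports_by_src = defaultdict(set)
    attempts = Counter()
    rst_limits = []
    for line in lines:
        m = IN_VAIN.search(line)
        if m:
            proto, _dst, dport, src, _sport = m.groups()
            ports_by_src[src].add((proto.upper(), int(dport)))
            attempts[src] += 1
            continue
        m = RST_LIMIT.search(line)
        if m:
            rst_limits.append((int(m.group(1)), int(m.group(2))))
    scanners = {src: sorted(ports) for src, ports in ports_by_src.items() if len(ports) >= min_ports}
    return {"attempts": dict(attempts), "scanners": scanners, "rst_limits": rst_limits}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG.splitlines())
    for src, ports in report["scanners"].items():
        print(f"{src} probed {len(ports)} closed ports: {ports}")
    print("RST rate-limit events (seen/limit per second):", report["rst_limits"])
```

On the constructed excerpt the report names 203.0.113.7 as the host that walked five closed ports just before the rate limiter fired, while 192.0.2.44, which touched only two, stays below the threshold. Against a real /var/log/messages the same function can be fed the file's lines directly; lowering min_ports trades fewer misses for more noise.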
favorite security software
Hi,

Just wanted to get people's opinions - I'm probably going to configure ipfw on a new box. This box is a combo web/ftp/mysql box. Do people have any favorite security software that they always run in addition to ipfw or ipfilter?

Thanks for any feedback you may have,
redmond