Re: IPFW Rule

2008-11-22 Thread Chris Pratt


On Nov 22, 2008, at 5:43 AM, Tom Marchand wrote:



On Nov 21, 2008, at 6:25 PM, Wojciech Puchar wrote:

I am trying to add an IPFW rule to forward traffic but I keep
getting the message "ipfw: getsockopt(IP_FW_ADD): Invalid
argument".  The rule I am trying to add looks like this:


ipfw add 600 fwd 192.169.2.3, 6000 tcp from 192.169.2.3 to any 80

I do have IP Forwarding enabled.  Any ideas what I am doing wrong?


rule looks OK, but your message clearly suggests you DO NOT have IP
forwarding enabled


Interesting sysctl reports that forwarding is enabled:

$ sysctl -a |grep forward
net.inet.ip.forwarding: 1

IP forwarding is enabled in GENERIC isn't it?  I am running 6.1-RELEASE
FreeBSD 6.1-RELEASE


I'm looking at a 6.2 box that does forwarding. The GENERIC
kernel does not have this line:

options IPFIREWALL_FORWARD

In my kernel, I am using that. Recollection is you need this
specified explicitly. I could be wrong.



#0.___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions- 
[EMAIL PROTECTED]"






Re: Suggestions for PII 400 boot failure

2008-11-20 Thread Chris Pratt


On Nov 20, 2008, at 4:31 PM, Vinny wrote:


Hi,

A friend of mine is trying out FreeBSD and ran into
a booting problem.  Here is his message:

"Well, that's discouraging.

I have put together an old PII 400 with  three 20GB drives and a  
CDROM that I'd like to run BSD on.  Half a GB of RAM I figured  
would be respectable.


Downloaded the ISO files, burned CDs of them and when I try to run  
them it starts to boot and then freezes tighter than a muskrat's arse.


Three lines coming on the screen and it ends with "Starting the_"  
and just hangs.



He might want to try downloading the floppy set and booting
from there. I think that is what I did on an old Dell 200 I'm
using as a bridging firewall at home. This is a pathetically old
machine and won't boot the ISO (I found it when cleaning out
my rental, left to throw away by the renter), but it works great
once you finally get the system on it. It's on 6.2 but I imagine
7.0 will be fine.

FreeBSD 6.2-RELEASE-p3 #3: Mon Apr  9 09:11:48 UTC 2007
snip
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Pentium/P55C (199.43-MHz 586-class CPU)
  Origin = "GenuineIntel"  Id = 0x544  Stepping = 4
  Features=0x8001bf
real memory  = 100663296 (96 MB)
avail memory = 93102080 (88 MB)
Intel Pentium detected, installing workaround for F00F bug


I've got a PIII 1000 here that I use as a file server and the boot  
disks run fine on that.  Just won't boot off the PII 400.


Weird.  Really, really weird.  I tried five different CDROMs in  
case it was the actual drive but same thing.  I tried using version  
6.3 instead of release 7.0 and same thing.


That system doesn't like BSD/Linux whatever.

I use GParted as a partition manager all the time which is bootable  
and same thing on that machine.  It just don't like booting to that  
OS."


Any suggestions?

Thanks
Vinny



Re: smbfs 2 GB file size limit

2008-11-20 Thread Chris Pratt


On Nov 20, 2008, at 7:21 AM, David Horn wrote:


On Thu, Nov 20, 2008 at 7:07 AM, Derek Ragona


No error message, it just stopped writing at 1 Gb.  I was doing this using scp.


Whoa, hopefully you just made a few typos here, or we are going down
the wrong path of investigation.

Did you really mean to say scp or cp ?
 scp(1)   - secure copy (remote file copy program)
 cp(1)    - copy files

...

What ssh version is running on both of these "other" systems ?
What OS are both of these other systems ?



So it looks to me like there is some issue with the scp that is within
FreeBSD i386 7.



As per my previous message, I still suggest running single variable
tests to make sure that you know what is causing the failure, but if
you just want to jump to a possible solution, you can try updating ssh
to the latest in the ports tree (5.0p1).

If you have the FreeBSD ports collection installed and updated using
portsnap(8) or csup(1) , just do:

cd /usr/ports/security/openssh-portable
make install

Otherwise, install / update your ports collection using portsnap(8)
(fetch update or fetch extract) first, then install openssh-portable.

Good Luck.

---Dave



I apologize in advance if this has nothing to do with this. I'd ignored
this thread completely since it had "SMB" in the subject. Today I
noticed the comments shown above that it was apparently actually
related to ssh (scp). That fired a synapse of a recent session failure
I was having after updating a server to 7.0 that normally accrues
about a gig of changes a day. My backup server was running 5.5
and rsyncing the diffs each day. After the upgrade of the application
server, the 5.5 client began to hang its rsync session every day. I updated
the 5.5 server to 7.0 (which OBTW replaced the ssh suite) and the
problem disappeared. I didn't see in the thread what the actual ssh
client OS or rev was but perhaps the client is downrev and there is an
issue there. I did no research to figure out why, having my backup
server so far downrevved made its upgrade my first potshot and it
worked.



-Derek



Re: make doesn't know how to make KERNCONF

2008-11-16 Thread Chris Pratt


On Nov 16, 2008, at 12:06 PM, Mel wrote:


On Friday 14 November 2008 20:31:28 Gerardo Paredes wrote:

Hello, I have a problem compiling a custom kernel on an AMD 850 MHZ
Processor, however on the last stage it fails with the following message:



make doesn't know how to make KERNCONF


the command I run is:

cd /usr/src
make buildkernel KERNCONF=MIO


The most likely cause is that you typed make buildkernel KERNCONF =MIO, with a
space between KERNCONF and the = sign.


I thought that initially too and I tried that to reproduce his situation
using that typo. It came up with:

ERROR: Missing kernel configuration file(s) (GENERIC).

rather than the error he reports. This was on a 6.2 test box though.


--
Mel

Problem with today's modular software: they start with the modules
and never get to the software part.


Re: make doesn't know how to make KERNCONF

2008-11-16 Thread Chris Pratt


On Nov 16, 2008, at 7:55 AM, Gerardo Paredes wrote:


From: Polytropon <[EMAIL PROTECTED]>
Subject: Re: make doesn't know how to make KERNCONF
To: freebsd-questions@freebsd.org
Date: Saturday, November 15, 2008, 8:46 AM
On Sat, 15 Nov 2008 10:23:50 -0500, Lowell Gilbert
<[EMAIL PROTECTED]> wrote:

No, the shell isn't interpreting anything in that command line (the
variable assignment is interpreted by make itself), so the command is
fine.  Maybe the sources aren't completely installed?  If I were trying
to exercise my psychic technical support powers, I might guess that the
system makefiles weren't installed.


Check /usr/src/Makefile, /usr/src/Makefile.inc1 and
/usr/src/release/Makefile. These files should be up to
date when doing a correct update (or at least they should
get installed by installing the "src"
distribution).


I am using csh and the files you mention are there.
I checked them because I was trying to figure out what is happening.



I attempted to reproduce the error message you received and could
not. This isn't a normal buildkernel make error one would expect to
see if the /usr/src makefiles are not correct.

You might want to include a lot more information for those
reading the list to be able to answer your question. Offhand, things
like the Release version, if your src install was done correctly, the
architecture you installed (amd64 vs i386) and if you've cvsup'd
again since you had the problem.







Re: 128 Bucket Failures?

2008-11-13 Thread Chris Pratt


On Nov 13, 2008, at 1:34 PM, Ivan Voras wrote:


Chris Pratt wrote:

I have asked this before a couple of years ago but received no
replies. I assumed that's because it's a somewhat obscure question.
I'm still interested and thought I might try again in case someone
new is watching this list who might know.

A vmstat -z on my highest traffic server always shows the failures
as below on 128 Bucket. It also goes to having 0 free rather soon
after the system is restarted and never returns to having more than
1 free in that column and yet always has the highest number of
requests by far. Does this mean anything significant? Is it
something I should tune or even can be tuned?


UMA buckets seem to be some kind of cache for SMP-optimized allocations
- I hope someone who knows it better will explain them.


Here is the output of the vmstat -z with everything chopped out
besides the 128 Bucket line. The machine it's on is an 8 core 8 GB
Tyan and shouldn't really be starved for anything in my way of  
thinking.


vmstat -z
ITEM           SIZE   LIMIT   USED   FREE   REQUESTS   FAILURES
128 Bucket:    1048,      0,  2043,     0,     13591,   6511069


What is the server used for?



A busy webserver (about 5G Views a month, average view is 3-4 hits). Not really
large pages, we keep graphics minimal. It's apache, perl cgi, mysqld. Tends to
collect a lot of garbage traffic attacks on top of real traffic, both TCP and UDP.


Here's a snapshot from a very loaded apache+php+pgsql web server, uptime
60 days (since the last power outage):

16 Bucket:     76,    0,   42,   58,     125,     0
32 Bucket:    140,    0,   76,   64,     183,     0
64 Bucket:    268,    0,   74,   38,     438,    11
128 Bucket:   524,    0, 2060,  642,  788828,  6985

A generic advice would be to increase vm.kmem_size (you're using AMD64,
right?) and see what happens.



I'll try that. I had heard this before in relation to KVA but have been concerned
about trying it. If I can just change that knob and have an effect, seems worth
a try. If more than one person is doing it, it must be safe?

Yes, AMD64. Thank you very much.



128 Bucket Failures?

2008-11-11 Thread Chris Pratt

I have asked this before a couple of years ago but received no
replies. I assumed that's because it's a somewhat obscure question.
I'm still interested and thought I might try again in case someone
new is watching this list who might know.

A vmstat -z on my highest traffic server always shows the failures
as below on 128 Bucket. It also goes to having 0 free rather soon
after the system is restarted and never returns to having more than
1 free in that column and yet always has the highest number of
requests by far. Does this mean anything significant? Is it
something I should tune or even can be tuned?

Here is the output of the vmstat -z with everything chopped out
besides the 128 Bucket line. The machine it's on is an 8 core 8 GB
Tyan and shouldn't really be starved for anything in my way of thinking.

vmstat -z
ITEM           SIZE   LIMIT   USED   FREE   REQUESTS   FAILURES
128 Bucket:    1048,      0,  2043,     0,     13591,   6511069




Re: UFS2 limits

2008-11-09 Thread Chris Pratt


On Nov 9, 2008, at 12:18 AM, Ian wrote:


On Sun, 9 Nov 2008 13:10:46 Jeremy Chadwick wrote:
On Sun, Nov 09, 2008 at 01:40:51AM +, [EMAIL PROTECTED] wrote:

Hi,
I have a FreeBSD server that has about 10,500 subdirectories within a
single directory.
This number will keep rising and I assume UFS2 has a limit to the number
of sub-directories in a single directory - can anyone tell me what it is?


As far as I know, there is no such limit on the number of files/dirs
inside of a directory.


Thanks for that Jeremy. I didn't invent this structure, but I daresay I can
either modify it or get the original writer to do that. I never really gave
it a thought before now - it was the system I was given to work with and it's
worked fine so far, except when I try to list the contents of the directory -
that takes ages!
All the folders are 7 digit numbers and we are up to approx. 0010500 entries
(ie subdirs) so far.
I guess it will just be a matter of experimenting to find the optimum number
of sub-sub-directories per sub-directory :-/


On the issue of possible inode limitations, it may be of some reassurance
(or alarm ;-)) to look at the output of df -i. This will tell you if you are close
to any limit on inodes. Between that and your already well known counts of
directories and rate of creation, you can gauge how much time you have to
change your app.



Re: Boot device question

2008-10-23 Thread Chris Pratt


On Oct 23, 2008, at 8:43 AM, Jeremy Chadwick wrote:


On Thu, Oct 23, 2008 at 08:12:38AM -0700, Chris Pratt wrote:

I have a server with 6 hot-swap SATA slots. It was delivered
...

I was thinking a right approach would be to change fstab to
reference ad2 for all the system disk file systems, shutdown,
move that drive to the first bay and plug the new drive into the
2nd bay. This seemed like more of a permanent solution.


This is the solution I go with, because it's obvious and doesn't add
more complexity to the picture.

If the installation was originally done when the disk was considered
ad4, for example, you should still be able to boot that drive (no matter
what port it's on, assuming SATA), choose single-user at the
beastie/loader menu, then make changes to /etc/fstab.  Upon reboot (in
multi-user mode) things should "just work", sans any programs which you
have that might refer to disks by device (e.g.  smartd.conf, etc.)

You can avoid the single-user step if you enjoy living dangerously.


It was sensed as ad4 and there wasn't an ad2 (which always made me
wonder though not enough to actually look into it). This is why I presumed
if I placed the system disk in the first bay, it would be seen as /dev/ad2.

Single user and a console are the key here I can tell. No free lunch.



If those /dev/ad* files are created at boot dynamically,
this should work. I've found docs that imply that they are
dynamically discovered and created from FreeBSD 5 forward
(auto-discovery?). Are they or do I need to create them prior to
start up.


They are, and it's hard to explain why/how.

The "dynamic" aspect is entirely dependent upon different features/modes
of the ATA configuration though.  For example, a SATA controller
operating in "Legacy/Compatible" mode might show two SATA disks as
ata0-master and ata0-slave (even though they're SATA); the same
controller in "Enhanced" mode might show the disks as ata4-master
and ata5-master; the same controller in AHCI mode might show the disks
as ata8-master and ata10-master.

I think some people deal with this problem using glabel(8), but as I
mentioned, I prefer to do things the old-fashioned way.


I see why a simple answer doesn't pop out on searching. Too many
possible configurations and results vary with each. This driver appears
to enumerate the bays as ad2 (hoping), ad4, 6, 8, 10, and 12. The
device minor numbers seemed they must have been created on the fly
since acd0 is 79, ad4 is presently 80, ad6, 8, 10, and 12 are 81 through
84 respectively.



The thing is, there is no easy recovery from failure here since I
have no console monitor to let me see what's going on or to fix
fstab if it fails (counter-intuitively, the only place I can access
the console is from remote locations ;-)), so I just want to know
if I'm thinking straight?


See bottom of my mail.


The plan is:

1. Change /etc/fstab entries for ad4 filesystems to ad2
2. Shutdown
3. Put the system disk in Bay 1
4. Power up

Should it boot?


How certain are you that "bay 1" correlates with ad4?  That's the real
question here.


I think I see your point, the second bay may not be the system disk.
Getting a console sounds like it's necessary. I didn't really explain that.
It's not a co-locate, but a business's server room with 10 servers all
connected to a KVM. The KVM is reachable only from certain IPs. The
local monitor is fried and I have no spares. You caught me in laziness
here. I need to haul a monitor with me and I can more safely do this
switch. Seeing what's happening at boot will tell me if the above
assumptions are valid and how to proceed. I think you implied that
you move the disk first, boot and see what we end up with. It
eliminates numerous questions and allows a recoverable process. I'll
get a real console on it. This also means I can use a live CD disk
if necessary.


You obviously have *some* form of access to the machine physically --
or, your co-location provider is offering "remote hands" capability.
...
If you're with a co-lo provider who doesn't offer this capability,
consider switching to one who does.  There is absolutely no reason
to accept lack-of remote management in this day and age.



Thanks for your reply. As always, you give a lot of thought to your
responses. I'll study some of this you've mentioned to see if I can
understand how the devices are created for my specific setups on
all the servers. It's always quite fuzzy to me.




--
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |





Boot device question

2008-10-23 Thread Chris Pratt

I have a server with 6 hot-swap SATA slots. It was delivered
with the first slot empty and 5 drives set up as /dev/ad4 through
/dev/ad12. I'd never paid attention to this until I wanted to add
a 6th, now 4 years later. When I popped it in, I realized the
empty bay was not 6 but rather bay 1, and of course it wouldn't
boot. Presumably /dev/ad2 had now come alive for the first time.
I popped out the disk, rebooted and after it was up, I plugged it
back in (hot) and ran sysinstall. It didn't see the disk so I couldn't
fdisk it. No device files existed for it.

I was thinking a right approach would be to change fstab to
reference ad2 for all the system disk file systems, shutdown,
move that drive to the first bay and plug the new drive into the
2nd bay. This seemed like more of a permanent solution.
If those /dev/ad* files are created at boot dynamically,
this should work. I've found docs that imply that they are
dynamically discovered and created from FreeBSD 5 forward
(auto-discovery?). Are they or do I need to create them prior to
start up.

The thing is, there is no easy recovery from failure here since I
have no console monitor to let me see what's going on or to fix
fstab if it fails (counter-intuitively, the only place I can access
the console is from remote locations ;-)), so I just want to know
if I'm thinking straight? The plan is:

1. Change /etc/fstab entries for ad4 filesystems to ad2
2. Shutdown
3. Put the system disk in Bay 1
4. Power up

Should it boot?


Re: cvsup to 7.0 from 5.5?

2008-10-22 Thread Chris Pratt


On Oct 22, 2008, at 1:06 AM, Aftab Jahan Subedar wrote:


On 10/22/08, Chris Pratt <[EMAIL PROTECTED]> wrote:


How risky is it to jump directly to 7.0 on a 5.5 system?
Upgrade would be by cvsup. I expect mergemaster
issues anyway but this system is relatively vanilla in
its configuration. Its duty is just rsyncing other servers.
The kernel is GENERIC minus drivers plus ipfw and there are
no kldloads. Can this jump be made? I was hoping to avoid
having to make two major release jumps by doing only one.

Thanks



Not really a bed of roses.
It's a thorny road. You will stumble with packages then gcc version then
make.conf then cvsup itself.

Cannot really remember exact thorny issues but I can tell that it is not
straight path. Rather Install 7.0 directly then migrate the data.


Thanks for the time to respond. That was enough for me. I'm
half-way to a 6.3 installation, then will take it to 7.0. It's
surprising that I could find no specifics of the issues, only
references that it wasn't a good idea.




--
Aftab Jahan Subedar
CEO/Software Engineer
Subedar Technologies Ltd
Subedar Baag Bibir Bagicha #1
North Jatra Bari
Dhaka 1204
Bangladesh
88027554546
8801552635208
8801191336608


cvsup to 7.0 from 5.5?

2008-10-21 Thread Chris Pratt

How risky is it to jump directly to 7.0 on a 5.5 system?
Upgrade would be by cvsup. I expect mergemaster
issues anyway but this system is relatively vanilla in
its configuration. Its duty is just rsyncing other servers.
The kernel is GENERIC minus drivers plus ipfw and there are
no kldloads. Can this jump be made? I was hoping to avoid
having to make two major release jumps by doing only one.

Thanks


Re: Using mirroring to replace drive?

2008-10-18 Thread Chris Pratt

On Oct 18, 2008, at 7:03 PM, John Nielsen wrote:

On Saturday 18 October 2008, Chris Pratt wrote:


1. Is this an appropriate way to deal with this?


It could be. However if the new disks are not the same size as the failing
...
it. Worst case you end up booting from a single drive and have to manually
specify your root partition.



JN


Wow, I was asking a concept question and got what appears
to be a comprehensive plan. I appreciate the effort, it will save
me quite a bit of time.

Thanks very much,
Chris



Using mirroring to replace drive?

2008-10-18 Thread Chris Pratt

Hi, For years I've been upgrading by building a temp
server, transferring a production function to it and
temporarily decommissioning the one server while
I upgrade and rebuild it. I was thinking of trying a different
approach since having tried out gvinum in the last
couple of years.

The current scenario is that I have a machine where the
adaptec controller is suggesting I replace a failing SCSI
drive which happens to be the system disk. I purchased
a couple of new drives and thought I might just plug it in
and mirror the failing drive on the new drive. Then
pull the failing drive and plug in the other new drive as
the second mirrored drive and be done with it. One
obvious outcome would be having a system drive
mirror for future such issues. I have never built a mirror
on the fly but it seems many have from what I've read
and the cookbooks out there make it sound very
easy. I was going to use GEOM Mirror on 6.2 (then
upgrade to 7.0 after establishing the new good drives).

1. Is this an appropriate way to deal with this?

2. Are there any high risk aspects of doing this while running
a server in production? I'm thinking of things like how
probable it is of trashing the original disk, making the
system unbootable in the process etc?

3. Are there better approaches that are safer (aside from
my normal hardware swap MO).

4. Does using GEOM Mirror RAID-1 make the upgrade from
6.2 to 7.0 a dangerous proposition. I do upgrades via
cvsup and buildworld.

The environment is
FreeBSD 6.2
Supermicro with Adaptec SCSI
All ~73 GB Maxtor and Seagate drives
Current da0 system is Maxtor, there
will be minor size differences, the
replacement Cheetah is a hair larger.
Apache, PHP5 and Mysql
No existing RAID Configuration


Re: How to get my Dad's Win2k system to access internet through my FreeBSD 6.2 system

2008-10-14 Thread Chris Pratt


On Oct 13, 2008, at 11:39 PM, Manish Jain wrote:



Hi,

I am poor at networking and need a little bit of help. My dad has a  
Windows 2000 machine with a network card but does not have a  
connection to the internet. My freebsd 6.2 box is connected to the  
internet and has 2 network cards, rl0 and rl1. rl0 connects to the  
ISP and rl1 is directly connected via a long Ethernet cable to the  
NIC on my dad's machine. While I can access the internet easily, I  
want my dad to be able to connect to the internet with my freebsd  
box serving as the gateway. Can anyone please explain to me in easy  
steps how to accomplish this ?


Thanks in advance for any help.

Here is an alternative if there is no actual requirement for
routing. It works on 6.2.

If your network already has a router/firewall/NAT dhcp server
(e.g., a Linksys, netgear router, a satellite modem, etc),
investigate the use of if_bridge rather than attempt to use
NAT and routing. This eliminates a number of issues that you
will find difficult as someone new to networking and possibly
FreeBSD. This allows you to make your FreeBSD machine
transparent to the network as if the W2K box were another
peer (in many ways). The benefits would be not having to
proxy the private addresses/serve dhcp while maintaining your
existing hardware set up.

I add in "options if_bridge" to the kernel and rebuild though it
can be loaded dynamically at boot.

Your rc.conf entries would look something like this given a
router to this ISP using a 192.168.1.0 private network space.

# the FreeBSD <-> ISP NIC card
ifconfig_rl0="inet 192.168.1.2  netmask 255.255.255.0"
# the ISP Router connection to the LAN
defaultrouter="192.168.1.1"
gateway_enable="YES"
# rl0 is the WAN Facing nic.
# rl1 is the second nic to other computers. This connects to switch or crossover
# note that no address is set for rl1, it serves no purpose
#  the media statements are just shown to reflect rl1s existence
#  and other settings it may need
ifconfig_rl1="up media 100baseTX mediaopt full-duplex"
cloned_interfaces="bridge0"
ifconfig_bridge0="addm rl0 addm rl1 up"

Look at man if_bridge for sysctl.conf entries that may be
needed. They determine what is passed on the bridge and
can easily block necessary traffic if not set correctly. For
my purposes, I found the following necessary:

net.link.bridge.ipfw=1
net.link.bridge.ipfw_arp=1

These allow me to control the traffic within ipfw which makes
me more comfortable than passing everything.

Once a simple bridge is functional, investigate the entries
necessary to further inhibit traffic using ipfw. This can be
quite helpful in protecting a W2K box which is likely weak
in its security. The combination of these two products is
thought of as a transparent firewall and is quite effective.
It serves as a foundation for more complex configurations
up to a complete Intrusion Detection System using
snort_inline which can actually filter and drop virus
signatures headed for the weaker windows platforms.

Documentation is quite weak out there on this configuration
but I can provide basic examples of ipfw commands to
monitor, allow and deny traffic using ipfw and if_bridge.
I'm unable to accurately provide this on the fly though.
What some people do, is build a set of rules early in the
ipfw ruleset to handle all traffic associated with the local
FreeBSD computer's use of the net and separate traffic
for the bridge into in and out sections (e.g. use of skipto). Then you
can allow or deny what goes to and comes from the W2K
box/other workstations, just like you do to the local machine.

There is some minimal info here:
http://www.freebsd.org/doc/en/books/handbook/network-bridging.html



Manish Jain
[EMAIL PROTECTED]




Re: Best way to back up mysql database

2008-09-30 Thread Chris Pratt


I am just about to dive into Google in search of a solution, but  
thought I would fire off a quick request, in case there is an  
obvious solution that everyone uses. If there is, a name or URL  
will do. I'll figure out the rest.


Any hints much appreciated. Not going home until this is fixed...




Most certainly would want you to not not go home having
been there before. Here is a crude way to do this. Find an
elegant solution at leisure.

The downside is that if you crash at the wrong time,
your job won't start for the next day. Be forewarned, then
you stop making backups. You just need to monitor your
atq. The gzip step should probably be part of a pipe
for efficiency. You could cron this to get around that.

I saw the response about repairing corruptions, REPAIR
TABLE has thus far kept me from ever reloading.

See man on date and use something other than %a to
generate a numeric date unique back, that would give
you numerous backups if you have the storage.

# %a is the abbreviated weekday name, so each file is overwritten a week later
DATE=`date +%a`
#
echo $DATE
#
echo Backup Mysql database
mysqldump -h localhost -u YOURSQLUSERID -pYOURPASSWORD YOURDATABASE > /usr/somedirectory/somefile_$DATE.backup
gzip -f /usr/somedirectory/somefile_$DATE.backup
# re-queue this same script for the next midnight
/usr/bin/at -f /usr/somedirectory/mysqlbackup.sh midnight
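
Added example, not part of the original message: one way to carry out the suggestions above (a numeric date stamp, gzip as part of the pipe, cron instead of re-queuing with at). It goes a little further than the reply by reading credentials from a MySQL option file, so the password does not appear in the process list, and by discarding the output when the dump fails. The function name, paths and the MYSQLDUMP and KEEP_DAYS variables are hypothetical.

```sh
#!/bin/sh
# Added example (not the poster's script). Assumptions: credentials live in a
# mode-0600 option file such as /root/.my.cnf with a [client] section holding
# user= and password=; all paths and names below are hypothetical.
#
# Run it from cron rather than re-queuing with at(1), e.g.:
#   0 0 * * * /usr/local/sbin/mysqlbackup.sh YOURDATABASE /usr/somedirectory

KEEP_DAYS=${KEEP_DAYS:-14}          # prune compressed dumps older than this

# backup_db DATABASE DESTDIR [OPTION_FILE]
# Prints the path of the finished backup; returns non-zero on failure.
backup_db() {
    db=$1; dest=$2; cnf=${3:-$HOME/.my.cnf}
    out="$dest/${db}_$(date +%Y%m%d).sql.gz"   # numeric stamp, one file per day
    tmp="$out.partial"; rc_file="$out.rc"

    old_umask=$(umask); umask 077              # dump readable by owner only
    # POSIX sh reports only gzip's exit status for a pipeline, so the dump's
    # own status is saved to a side file.  --defaults-extra-file must be the
    # first option; MYSQLDUMP can point at another binary (or a test stub).
    {
        ${MYSQLDUMP:-mysqldump} --defaults-extra-file="$cnf" "$db"
        echo $? > "$rc_file"
    } | gzip -c > "$tmp"
    gz_rc=$?
    dump_rc=$(cat "$rc_file" 2>/dev/null || echo 1)
    rm -f "$rc_file"
    umask "$old_umask"

    if [ "$dump_rc" -ne 0 ] || [ "$gz_rc" -ne 0 ]; then
        rm -f "$tmp"                           # never leave a truncated file
        echo "backup of $db failed (mysqldump=$dump_rc gzip=$gz_rc)" >&2
        return 1
    fi
    mv -f "$tmp" "$out"
    find "$dest" -name "${db}_*.sql.gz" -mtime +"$KEEP_DAYS" -exec rm -f {} +
    echo "$out"
}

# Only act when called with arguments, e.g. from the cron line above.
if [ "$#" -ge 2 ]; then
    backup_db "$@" || exit 1
fi
```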



Re: Flooded with emails to root -- URGG

2008-09-25 Thread Chris Pratt


On Sep 25, 2008, at 9:34 AM, David Southwell wrote:


Hi

I am running postfix.

Am receiving a flood of emails that appear to emanate from Servers who have
received spam that has masqueraded [EMAIL PROTECTED] as the email source.

Could anyone please suggest the best way of dealing with these. Please bear in
mind I am not all that familiar with postfix so if anyone feels treating me
like an idiot and spoonfeeding the actual commands to use I would be most
appreciative



I have no idea what a command would be to stop receipt. Cutting off the
original generation of the emails being spoofed is more to the point.

You may want to look at SPF (openspf.org). If your domain is listed with an
spf entry in DNS, you become less tempting as a domain to spoof. Over
time, it will all but cease. Once you've created an SPF DNS record, many
servers receiving mail spoofed for your domain will begin to drop it rather
than backscatter emails back to your server.

You should study the information on their site but in a nutshell, you create
a TXT record in DNS that lists your server's IP as the only valid machine to
send mail for your domain. This tells the others to drop emails from other
IPs using your domain. It's relatively effective and painless.



Re: Sendmail become open relay

2008-09-08 Thread Chris Pratt


On Sep 8, 2008, at 7:26 AM, Paul Macdonald wrote:



This might be more general advice than a specific help, but I've found most bad
mail originating from me comes from php driven forum sites.
After originally patching the php src to log sitenames that send mail, I found
enabling MAILHEAD support in php build adds custom headers which help to
identify the site anyway.

I plan on adding a milter to pick these up dynamically, but for now, it helps
identify sites from stuck items in mailq.

i.e. a grep into mailq for X-PHP-Script

/var/spool/mqueue/qfm83AltWj045560:H??X-PHP-Script: www.siteonserver.com/signup.php for x.101.27.178

It's easy to spot dubious scripts as the IP is commonly the same.

gd luck.
Paul.


I was thinking somewhat the same thing. It can be the leveraging
of any scripts if the server is a web server of any sort. Spammers test
every possible crack against your scripts. While you attempt to find
which is being leveraged, you can minimize the damage by
using the MAX_RCPTS_PER_MESSAGE within sendmail. It allows
you to catch and destroy their use of your system prior to much
mail going out. You set this value to 2 and it's impossible to send
in one pass to more than two recipients. Monitoring your mailq
will allow you to see quickly if someone has got your number. This
will help keep you off BLs while you tighten your security.



lyd mc wrote:

Hi guys need help..

My mailserver become an open relay.

Unknown user can now send mail.

snippet from mailq

m88C8iWq042874  689 Mon Sep  8 20:08 <[EMAIL PROTECTED]>
 (Deferred: Name server: mx1.mail.tw.yahoo.com.:  
host name loo)

 <[EMAIL PROTECTED]>
 <[EMAIL PROTECTED]>
 <[EMAIL PROTECTED]>
 <[EMAIL PROTECTED]>
 <[EMAIL PROTECTED]>
  
<[EMAIL PROTECTED]>

 <[EMAIL PROTECTED]>
 <[EMAIL PROTECTED]>
 <[EMAIL PROTECTED]>
 <[EMAIL PROTECTED]>
 <[EMAIL PROTECTED]>
 <[EMAIL PROTECTED]>
 <[EMAIL PROTECTED]>

I don't  have user 'osxch' and there others can also send..


best regards thnx

alydio








--

   *Ultra fast and secure web hosting
Live and on demand video streaming
Custom online Solutions *

*Paul Macdonald*
Director
[EMAIL PROTECTED] 
www.ifdnrg.com 

*IFDNRG*
127 Rose St South Lane, Edinburgh, EH2 4BB
0044.(0)131.2257470
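
The queue check discussed in this message (grepping queued mail for X-PHP-Script and looking for a repeating script and IP) can be turned into a tally. This is an added example, not code from the thread; it assumes the header layout shown in the quoted grep output, and the queue files, site names and addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes qf header lines of the form
#   H??X-PHP-Script: <site/script> for <client-ip>
# While hunting the script, the recipient cap mentioned above is set in
# sendmail.mc with: define(`confMAX_RCPTS_PER_MESSAGE', `2')dnl

php_script_tally() {
    # $1 = queue directory. Prints "count script client-ip", busiest first.
    grep -h '^H??X-PHP-Script:' "$1"/qf* 2>/dev/null |
        awk '{ n[$2 " " $4]++ } END { for (k in n) print n[k], k }' |
        sort -k1,1nr -k2
}

php_script_suspects() {
    # $1 = queue directory, $2 = minimum number of queued messages.
    # Prints "script client-ip" for every pair at or above the threshold.
    php_script_tally "$1" | awk -v min="$2" '$1 >= min { print $2, $3 }'
}

make_sample_queue() {
    # Constructed sample: four queued messages, three from one script and IP.
    dir=$(mktemp -d) || return 1
    i=0
    for line in \
        'www.siteonserver.example/signup.php for 203.0.113.50' \
        'www.siteonserver.example/signup.php for 203.0.113.50' \
        'www.siteonserver.example/signup.php for 203.0.113.50' \
        'www.othersite.example/contact.php for 198.51.100.7'
    do
        i=$((i + 1))
        printf 'H??From: www@localhost\nH??X-PHP-Script: %s\n' "$line" \
            > "$dir/qfSAMPLE$i"
    done
    echo "$dir"
}

# Usage on a live server: php_script_suspects /var/spool/mqueue 20
```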







Re: Spam sent to me from my own mail server ?

2008-08-27 Thread Chris Pratt

Peter Ulrich Kruppa wrote:

Hello,
for some time now I keep receiving spam mails from my own (small)  
mail server, some of them with faked usernames some of them even  
with my own ([EMAIL PROTECTED]).





Matthew's message beat me to the response but I had typed
one. There are some great tools for this and many are in
ports. SPF and these do work. Here is what has been sitting in
my drafts, it may have some additional value.
...
I don't worry much about what I receive that is forged because
I'm reasonably sure that I didn't send it nor were my servers
leveraged. I monitor heavily. On the other hand,
I do make certain that others aren't receiving spam thinking
it's from my domains. SPF helps with this, information is
available on www.openspf.org. This doesn't stop forgery,
but it does give a tool to the receiver to verify what email
is actually from your domain and email server. It's
implemented very easily in your DNS entries. SPF is you telling
the world that you authorize your domain to send email only
from a specific set of servers (or a specific server). After you
implement SPF, after a few weeks, they will generally
stop using your domain because it's too frequently rejected
by receivers. It becomes less in their interest to forge your
domain so they go pick on someone else.

If you DO want to stop people using your domain in sending to
YOU, there are several tools to use in conjunction with sendmail
to do this. I use MailScanner which is available within ports.
If there are no relays involved in how you receive mail, this
works because SpamAssassin (automatically installed with
MailScanner) will see if the email you are receiving matched SPF.
Yours and everyone else's. There are good docs on the net for
using FreeBSD, sendmail, and MailScanner and its dependencies.
If you can't find them, try this:

http://bio.fsu.edu/~sysalex/freebsd-mail-server.htm

If you are going to run a mail server, it's good to
have spam and virus defenses installed.

There are more direct methods of actually rejecting forged
emails within sendmail. You will find a list of these on the
SPF site under "implementations". These tools may or may not
be in ports. You will have to check on that. They make use of
the milter interface within sendmail.

The spf mail list is extremely helpful and professional if you have
questions on this. You can join this list on their site. I'm not
pushing their site or this draft standard, it's that SPF has
worked pretty well for what it does and its open method of
dealing with the problems.
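
This message and the 2008-09-25 reply above both describe SPF as a TXT record that receivers check against the connecting IP. The following added example (not from either message, and not a full SPF implementation) shows that receiver-side check for records built from ip4 and all only; the domain, record and addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Evaluates an SPF record against a
# connecting IPv4 address the way a receiving server would, for records that
# use only the ip4 and all mechanisms (no DNS lookups are made).

# Constructed record, as published in DNS for a hypothetical domain:
#   example.org.  IN  TXT  "v=spf1 ip4:192.0.2.25 -all"
SAMPLE_SPF='v=spf1 ip4:192.0.2.25 -all'

ip4_to_int() {
    # Dotted quad -> integer on stdout; status 1 if malformed.
    case $1 in *.*.*.*.*) return 1 ;; *.*.*.*) ;; *) return 1 ;; esac
    a=${1%%.*}; rest=${1#*.}
    b=${rest%%.*}; rest=${rest#*.}
    c=${rest%%.*}; d=${rest#*.}
    for o in "$a" "$b" "$c" "$d"; do
        # Reject empty, non-numeric, leading-zero and over-long octets.
        case $o in ''|*[!0-9]*|0?*|????*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($a << 24) | ($b << 16) | ($c << 8) | $d ))
}

ip4_in_net() {
    # $1 = address, $2 = network with optional /prefix (default /32).
    # Status: 0 inside, 1 outside, 2 malformed input.
    net=${2%/*}; bits=32
    case $2 in */*) bits=${2#*/} ;; esac
    case $bits in ''|*[!0-9]*|0?*|???*) return 2 ;; esac
    [ "$bits" -le 32 ] || return 2
    ipn=$(ip4_to_int "$1") || return 2
    netn=$(ip4_to_int "$net") || return 2
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF ))
    fi
    [ $(( $ipn & $mask )) -eq $(( $netn & $mask )) ]
}

spf_check() (
    # $1 = connecting IP, $2 = SPF record text. Prints one of:
    # pass, fail, softfail, neutral, none, permerror, unsupported.
    set -f                                   # no globbing while splitting
    rec=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case $rec in 'v=spf1'|'v=spf1 '*) ;; *) echo none; return 0 ;; esac
    for term in ${rec#v=spf1}; do            # mechanisms, left to right
        qual='+'                             # default qualifier is pass
        case $term in
            [-+~?]*) qual=${term%"${term#?}"}; term=${term#?} ;;
        esac
        case $term in
            all)   hit=0 ;;
            ip4:*) hit=0; ip4_in_net "$1" "${term#ip4:}" || hit=$? ;;
            *)     echo unsupported; return 0 ;;   # needs DNS: a, mx, include
        esac
        case $hit in
            0) case $qual in
                   +) echo pass ;;
                   -) echo fail ;;
                   '~') echo softfail ;;
                   '?') echo neutral ;;
               esac
               return 0 ;;
            2) echo permerror; return 0 ;;
        esac
    done
    echo neutral                             # nothing matched, no "all"
)
```

With the sample record, mail claiming the domain from any address other than 192.0.2.25 evaluates to fail, which is the result that lets a receiver reject forged mail instead of bouncing it back.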




Re: IP alias/routing question

2008-07-25 Thread Chris Pratt


On Jul 25, 2008, at 4:05 PM, David Allen wrote:


On Fri, Jul 25, 2008 at 10:12 AM, Matthew Seaman
<[EMAIL PROTECTED]> wrote:

Chris Pratt wrote:


I'm now setting up a bind server in which the third alias
is the address for incoming DNS queries. It appears
it's responding but even though the queries come in
on the third alias, they "go out" through the "primary"
address or more specifically, the packet count is
incremented in the Opkts total for the IP address first
attached to the interface via ifconfig (without an alias).
My problem appears to be that the packets really are
coming from the first IP as the source and are getting
blocked by my firewall as they should (the first address
is not supposed to be answering DNS queries).


Carefully not answering the 'why do these packets come from the
wrong address' question, but just pointing out that BIND is
actually rather more configurable in this respect than most
software.


Deliberately addressing the question of 'why do these packets come
from the wrong address' question which Mr. Seaman avoided (hello
again, Matthew!), I'll add my two cents.

Run netstat -rnfinet and examine what's in the 'Netif' column.  If
there was some inter-host traffic, you'll see a host entry for each of
your aliases with a value of 'lo0'.  Correlate all the entries in the
routing table and you'll be able to determine what exits where.

I'm not sure why this question doesn't come up more frequently as it
can be problematic, especially in regards to jails (which are
implemented using IP aliasing).  I started a discussion some weeks ago
on the subject that you may find interesting.  To recap briefly, if a
jail host sends traffic to a jail, the traffic will transit the lo0
interface, exit the jail's interface using the jail's IP address, and
connect to the jail on its IP address.  The end result?  Traffic with
identical source and destination IP addresses!

Using your numbers, if named was running in a jail (192.168.0.18) and
a query was made on the host (192.168.0.12), instead of seeing

192.168.0.12.3450 -> 192.168.0.18.53
192.168.0.18.53 -> 192.168.0.12.3450

you'd see the following on lo0:

192.168.0.18.3450 -> 192.168.0.18.53
192.168.0.18.53 -> 192.168.0.18.3450

You're not using jails, but what I'm describing isn't a jail issue, or
a general IP aliasing issue, but a routing issue.  Modifying the
routing table is, of course, possible.  But the results, I've found,
are less than satisfactory.  If you force traffic out an actual
interface, the return traffic will probably still have to occur over
loopback and you're back to where you started, but with some new
problems.   Note also that the above seems to apply irrespective of
the number of network cards or networks.

The moral of the story?  Configure named appropriately, and don't ask
any more questions. ;-)  On the other hand, if you insist on thinking
immoral thoughts as I do, and find a more thorough explanation of any
of the above, please do let me know.


Thanks for the very detailed explanation. I'm hot on the named
configuration so that should quiet the questions. But ;-), how about the
multiple route table implementation recently introduced in HEAD.
Perhaps there is a solution there in the future! I stay with the current
RELEASE so I haven't even researched, just watched the talk.

Thanks again to both you and Matthew,
Chris


Re: IP alias/routing question

2008-07-25 Thread Chris Pratt


On Jul 25, 2008, at 10:12 AM, Matthew Seaman wrote:


Chris Pratt wrote:


I'm now setting up a bind server in which the third alias
is the address for incoming DNS queries. It appears
it's responding but even though the queries come in
on the third alias, they "go out" through the "primary"
address or more specifically, the packet count is
incremented in the Opkts total for the IP address first
attached to the interface via ifconfig (without an alias).
My problem appears to be that the packets really are
coming from the first IP as the source and are getting
blocked by my firewall as they should (the first address
is not supposed to be answering DNS queries).


Carefully not answering the 'why do these packets come from the
wrong address' question, but just pointing out that BIND is
actually rather more configurable in this respect than most
software.

You can control what IPs BIND will communicate on for various
purposes using the following statements in the options { } section
of named.conf:

   listen-on {
       127.0.0.1;
       12.34.56.78;
   };
   listen-on-v6 {
       ::1;
       1234:5678:9abc:def0::1;
   };
   query-source       address 12.34.56.78 port *;
   query-source-v6    address 1234:5678:9abc:def0::1 port *;
   transfer-source    12.34.56.78 port *;
   transfer-source-v6 1234:5678:9abc:def0::1 port *;
   notify-source      12.34.56.78 port *;
   notify-source-v6   1234:5678:9abc:def0::1 port *;


I am not using those latter three but only the listen-on.
I will experiment. I am still curious if what I see with
bind, ssh and some others is actually returning on the
first address or if netstat just makes it look that way
because of the default gateway.


Note the 'port *' stuff -- due to the recent security problem with
the DNS protocol publicised by Dan Kaminsky, it is imperative that
the /source/ port on DNS traffic is allowed to be randomised.  See



This is good to know. I assumed going to the current
patched cvs was enough.

Thank you very much.

http://www.kb.cert.org/vuls/id/800113
http://security.freebsd.org/advisories/FreeBSD-SA-08:06.bind.asc


and  make sure you install a patched version of BIND.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
 Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
 Kent, CT11 9PW





IP alias/routing question

2008-07-25 Thread Chris Pratt

This strikes me as a noob question but in 10 years of
freebsd, I've never wrapped my brain around it and
it seems to be causing me problems this time.

I have many aliases on many servers. Some services
listening on an alias address seem to return the packets
out the alias address as shown in netstat -i in the Opkt
column. Others seem to return packets back out the first
address specified on the system. This has not bothered
me before because it seems to work and I figured I was
just confused on how netstat shows the In and Out
packet counts. I assumed that local lan traffic would be
listed on the appropriate line and anything headed
out the WAN would go to default gateway thus appear
on the line with the initial address. I've noticed it on ssh
often, connect in on a second or third IP yet the
packets show as going out through the first configured
IP in netstat.

I'm now setting up a bind server in which the third alias
is the address for incoming DNS queries. It appears
it's responding but even though the queries come in
on the third alias, they "go out" through the "primary"
address or more specifically, the packet count is
incremented in the Opkts total for the IP address first
attached to the interface via ifconfig (without an alias).
My problem appears to be that the packets really are
coming from the first IP as the source and are getting
blocked by my firewall as they should (the first address
is not supposed to be answering DNS queries).

Am I conceptualizing what I'm seeing incorrectly and
have a different config error, or is it true that some
services respond with a different source IP other than
what they came in on if multiple aliases are
specified on a single interface and wire? In other
words, is the Opkt count on the IP irrelevant to the
addressing of the packet?

Please let me know if this should instead go to
FreeBSD-Net.

Supporting info: here is an example of the netstat,
in this example, dns is listening on 192.168.0.18, the
first interface ifconfig'd is 0.12. If I read it correctly,
it goes out the default gateway which is somehow
tied to the 0.12.

This machine is not a gateway, has no FWDs in
ipfw, and isn't running natd.

$ netstat -i
Name  Mtu  Network        Address            Ipkts Ierrs Opkts Oerrs Coll
rl0   1500                00:10:b5:76:ce:20    631     0     1     0    0
rl0   1500 192.168.252.0  192.168.252.11         0     -     0     -    -
rl1   1500                00:14:2a:02:bd:64  22628     0  7833     0    0
rl1   1500 192.168.0.0    192.168.0.12          11     -  7450     -    -
rl1   1500 192.168.0.11   192.168.0.11        1482     -   278     -    -
rl1   1500 192.168.0.18   192.168.0.18        1243     -     0     -    -




Re: Server crashing, no explanations

2008-05-21 Thread Chris Pratt


On May 21, 2008, at 8:05 AM, Chris Pratt wrote:



On May 20, 2008, at 7:17 AM, Alan Gilmour wrote:


Hey all,

We have recently been getting a lot of traffic to one of our sites.
The CPU is consistently during busy periods using 100% utilisation.
When this happens we have approx 150 apache threads, and the loads
goes way above 15.

However recently the server has been auto-restarting (when under heavy
load) with no explanation in any logs. I've checked the console log,
messages, db logs e.t.c. but no mention of anything wrong.

Brief server summary :

FreeBSD 6.3-STABLE #0:
CPU: Intel(R) Xeon(TM) CPU 2.80GHz (2800.11-MHz 686-class CPU)
 Logical CPUs per core: 2
real memory  = 17716740096 (16896 MB)
avail memory = 16837763072 (16057 MB)
FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs

We tried installing mbmon and lmmon and healthd, but none seem to work.


Anyone got any suggestions for other things we can try to detect why
the server is failing? or other ways to check things like CPU temp and
memory status?


We have experienced this since 6.x began and it's not hardware.
It can be reproduced by moving the role to another similar server.
When the role is changed and the traffic (not necessarily the load),
the problem goes away or rather, will transfer to the new box.

Look at the thread named "zonealarm issues" on Freebsd-Net a


BIG CORRECTION: "zonelimit issues" (geez, I hadn't touched a
windows product in 3 years, no idea where that came from,
sorry).



couple of months ago. You may find it will apply but there aren't
any answers there yet. I gather that people need more data
collection. I have never figured out how to get a dump though
people have recommended things to try over the last couple of
years. I was hoping 7.0 would be the solution but I'm told it's
not.

Reduce your traffic and the problem will go away. Split the
traffic to more than one server is a way to do this. We increased
our uptime drastically by doing this but we still get hit hard enough
at times to go down. During our low traffic periods of the year,
we simply stay up all the time (in the hottest days of summer).

By the way, the symptom I see is never immediate reboot, it will
hang for reasonable period of time prior to rebooting. As I
monitor ours 24/7, I reset power on the box before it reboots to
reduce the outage to customers. If I'm not watching it eventually
will reboot. Brutal but it works.

Realize it's possible you don't have this problem but there are a
few of us who do. It has something to do with buffers not being
freed up.



Cheers

Alan






Re: Server crashing, no explanations

2008-05-21 Thread Chris Pratt


On May 20, 2008, at 7:17 AM, Alan Gilmour wrote:


Hey all,

We have recently been getting a lot of traffic to one of our sites.
The CPU is consistently during busy periods using 100% utilisation.
When this happens we have approx 150 apache threads, and the loads
goes way above 15.

However recently the server has been auto-restarting (when under heavy
load) with no explanation in any logs. I've checked the console log,
messages, db logs e.t.c. but no mention of anything wrong.

Brief server summary :

FreeBSD 6.3-STABLE #0:
CPU: Intel(R) Xeon(TM) CPU 2.80GHz (2800.11-MHz 686-class CPU)
 Logical CPUs per core: 2
real memory  = 17716740096 (16896 MB)
avail memory = 16837763072 (16057 MB)
FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs

We tried installing mbmon and lmmon and healthd, but none seem to work.


Anyone got any suggestions for other things we can try to detect why
the server is failing? or other ways to check things like CPU temp and
memory status?


We have experienced this since 6.x began and it's not hardware.
It can be reproduced by moving the role to another similar server.
When the role is changed and the traffic (not necessarily the load),
the problem goes away or rather, will transfer to the new box.

Look at the thread named "zonealarm issues" on Freebsd-Net a
couple of months ago. You may find it will apply but there aren't
any answers there yet. I gather that people need more data
collection. I have never figured out how to get a dump though
people have recommended things to try over the last couple of
years. I was hoping 7.0 would be the solution but I'm told it's
not.

Reduce your traffic and the problem will go away. Split the
traffic to more than one server is a way to do this. We increased
our uptime drastically by doing this but we still get hit hard enough
at times to go down. During our low traffic periods of the year,
we simply stay up all the time (in the hottest days of summer).

By the way, the symptom I see is never immediate reboot, it will
hang for reasonable period of time prior to rebooting. As I
monitor ours 24/7, I reset power on the box before it reboots to
reduce the outage to customers. If I'm not watching it eventually
will reboot. Brutal but it works.

Realize it's possible you don't have this problem but there are a
few of us who do. It has something to do with buffers not being
freed up.



Cheers

Alan




Re: handling mysql binlog data

2008-05-02 Thread Chris Pratt


On May 2, 2008, at 9:28 AM, Zbigniew Szalbot wrote:


Hi Chris,

Chris Pratt wrote:

Thank you anyway - this was very helpful and I instantly saved a
lot of space on a shrinking /var partition!



I find it most comfortable to do this manually so I can check
my backups first. There is an example in the reply comments
below the documentation on the 5.0 version of the mysql
doc page that shows a "unix" way to set up a cron script
and automate the process. I've not tried it.
Shrinking /var partition?: I found the ports setup of mysql to
be overly restrictive by using the /var method. It was simple
to install, shutdown mysqld, copy the contents of the /var
database files (preserving the appropriate ownership and
permissions). I then added (assuming /usr is your large
partition)
mysql_dbdir="/usr/mysql"
mysql_datadir="/usr/mysql"
to /etc/rc.conf and restarted. It is an outage but it helped given
I'd never have thought to size /var anywhere near what a
medium size database required.



Yeah, I am in the same boat so to say... I guess copying mysql data
using cp -p will preserve all the file attributes?



I didn't do that so I can't say. I actually tarred and untarred.

Will any future upgrade (by means of portupgrade) not change the
custom mysql location back to /var/db/mysql?




I ran through portupgrade on both systems twice but
I can't recall if mysql was updated. Given the change
is in /etc/rc.conf, the upgrade shouldn't have an impact.
If an upgrade uses a supplied script to alter the installation
I'd presume it would be an issue. Usually you can provide
these directories as command line options on scripts
provided with mysql.

The saving grace is that since you are not hurting your
original installation, a trial run is rather simple, falling back
is pretty much a vi /etc/rc.conf and a reboot.


Thanks again Chris!


--
Zbigniew Szalbot
www.lc-words.com




Re: handling mysql binlog data

2008-05-02 Thread Chris Pratt


On May 2, 2008, at 8:58 AM, Zbigniew Szalbot wrote:




The procedure for this is here:
http://dev.mysql.com/doc/refman/5.1/en/purge-master-logs.html
for 5.1 and here:
http://dev.mysql.com/doc/refman/5.0/en/purge-master-logs.html
for 5.0


Thanks a lot! It did help me get rid of a few files in a safe way. I only
wonder now how to set up a cron job to do it on a permanent basis?

1/ I would probably be better off setting this mysql query (PURGE
{MASTER | BINARY} LOGS BEFORE 'date') in a separate file and run it from cron?

2/ Even if I do that, I would still have to change the 'date' value each
month... hmm... as non-programmer I will probably do best to simply enter a
task in a calendar to run this manually... each month :)

Thank you anyway - this was very helpful and I instantly saved a lot of space
on a shrinking /var partition!




I find it most comfortable to do this manually so I can check
my backups first. There is an example in the reply comments
below the documentation on the 5.0 version of the mysql
doc page that shows a "unix" way to set up a cron script
and automate the process. I've not tried it.

Shrinking /var partition?: I found the ports setup of mysql to
be overly restrictive by using the /var method. It was simple
to install, shutdown mysqld, copy the contents of the /var
database files (preserving the appropriate ownership and
permissions). I then added (assuming /usr is your large
partition)

mysql_dbdir="/usr/mysql"
mysql_datadir="/usr/mysql"

to /etc/rc.conf and restarted. It is an outage but it helped given
I'd never have thought to size /var anywhere near what a
medium size database required.


Re: handling mysql binlog data

2008-05-02 Thread Chris Pratt


On May 2, 2008, at 5:27 AM, Zbigniew Szalbot wrote:


Hello,

Following a recent thread I would like to ask if it is safe to remove old
binlog data. From the below I understand that the current binlog is
mysql-bin.07 and the previous ones (from 01-06) are not written to any more.
I just need confirmation before I take any action. By asking whether it is
safe, I only mean if deleting them will not affect mysql operation. I do
backups of mysql data anyway.


-rw-rw  1 mysql  mysql61956466 Apr 16 08:44 mysql-bin.01
-rw-rw  1 mysql  mysql   697756219 Apr 17 14:26 mysql-bin.02
-rw-rw  1 mysql  mysql1056 Apr 17 14:29 mysql-bin.03
-rw-rw  1 mysql  mysql  1073745860 Apr 24 05:49 mysql-bin.04
-rw-rw  1 mysql  mysql   620489997 Apr 27 10:48 mysql-bin.05
-rw-rw  1 mysql  mysql   229357379 Apr 28 15:55 mysql-bin.06
-rw-rw  1 mysql  mysql   869964294 May  2 14:15 mysql-bin.07

Do I understand correctly that removing mysql-bin.07 would result in mysql
not writing any data to mysql-bin file until the server gets restarted?




I recently removed all logs prior to the one shown as current
without any problems. I would not think you would want to
remove the one currently in use or problems would result.

The procedure for this is here:
http://dev.mysql.com/doc/refman/5.1/en/purge-master-logs.html
for 5.1 and here:
http://dev.mysql.com/doc/refman/5.0/en/purge-master-logs.html
for 5.0

Simply doing an rm on the files you know are no longer in use
is probably not a good idea because they are known within mysql
data files. Using the above will make sure they are removed in
an orderly manner. According to the docs, if you use the process
as shown, the active file will be skipped even if you accidentally
try to remove it.



Many thanks for sharing!
--
Zbigniew Szalbot
www.lc-words.com




Re: Multiple if_bridge devices

2008-01-29 Thread Chris Pratt


On Jan 29, 2008, at 6:50 AM, Chris wrote:


Hi,

I have 3 transparent firewalls on 3 T1s with a LAN behind each
supporting multiple servers.

Existing:
Servers1<->Switch1<->FreeBSD Firewall1<->T1 Router1
Servers2<->Switch2<->FreeBSD Firewall2<->T1 Router2
Servers3<->Switch3<->FreeBSD Firewall3<->T1 Router3

These firewalls are workstation class computers running
FreeBSD 6.2, if_bridge and ipfw. This has worked quite well
with the exception of hardware failures because of the
workstations hardware. I can afford one server-class blade
with 3 2-port NICs, but not three complete quality servers.
I would like to get to one firewall machine yet maintain the
isolation of the circuits and servers.

Target: 1 firewall, 4 nics, if_bridge (1 bridge) and ipfw
AllServers<->Switch<->FreeBSD Firewall<->T1 Router1
<->T1 Router2
<->T1 Router3
or
 1 firewall 6 nics, if_bridge (3 bridges) and ipfw
Servers1<->Switch1<->FreeBSD Firewall<->T1 Router1
Servers2<->Switch2<->   <->T1 Router2
Servers3<->Switch3<->   <->T1 Router3

Initially I designed the replacement using a single if_bridge
with a single LAN backbone as shown first here. After trying
to design the rules, I concluded that it was either illogical
or beyond my ipfw rule skills. Then it occurred to me to try
to run three if_bridge devices as shown in the second Target.
One box, 6 NICs, 3 networks kept isolated for arp but
IP-managed in a single instance of ipfw.

I got as far as attempting this:

ifconfig bridge0 create
ifconfig bridge0 addm rl0 addm em0 up
ifconfig bridge1 create
ifconfig bridge1 addm vx0 up

It created the devices but obviously is not something I could
test to see if it actually worked as two discrete bridges. I've
no additional hardware, but before I buy anything, I thought
I could simply ask if if_bridge is meant to do this. I have
googled, checked man (if_bridge, ipfirewall, ipfw), and the
handbook, but I can't find anywhere that specifically says
if_bridge is designed to support multiple bridges on one
computer.

My questions are:

1. Is if_bridge designed to support more than one bridge
on a single machine by creating multiple bridge devices (only,
of course with multiple NICs on the second and tertiary
bridges)?

2. If so, does it retain complete isolation of the bridges (e.g.
for ARP) while allowing ipfw to examine all three simultaneously?

3. Should I be exploring a different FreeBSD route to
implement this.



The response to this message can be found on FreeBSD-Net.
The answer was affirmative on the use of multiple bridges
on one FreeBSD installation using if_bridge. Alternate suggestion
was to use a single bridge with private flag on each interface.

Pardon the extra intrusion but I'd hate for someone to google
this and not find the answer. ... and sorry I posted to the wrong list
initially.

Chris



Please let me know if this should actually go to the
FreeBSD-Net List.

Thank you,
Chris Pratt


