Re: MIT Kerberos
On Mon, Oct 28, 2002 at 09:08:01PM +0100, Sebastian Boldt wrote:
> Date: Mon, 28 Oct 2002 21:08:01 +0100
> From: Sebastian Boldt [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
>
> Hello,
>
> how do I make buildworld and let it compile the MIT Kerberos V port as the system kerberos instead of heimdal?

You can't compile MIT Kerberos with buildworld. Instead, install the kerberos port (/usr/ports/security/krb5); if you have any lines for kerberos in make.conf, comment them out, leave only KRB5_HOME=/usr/local uncommented, and make buildworld.

> thanks in advance...
>
> To Unsubscribe: send mail to [EMAIL PROTECTED]
> with unsubscribe freebsd-questions in the body of the message

--
Regards,
D. Penev
Re: IPFW Rules for samba PDC? [WAS: samba PDC for WIN2K clients?]
On Sat, Oct 26, 2002 at 10:47:48PM +0100, Stacey Roberts wrote:
> Subject: Re: IPFW Rules for samba PDC? [WAS: samba PDC for WIN2K clients?]
> From: Stacey Roberts [EMAIL PROTECTED]
> To: D. Penev [EMAIL PROTECTED]
> Cc: FreeBSD Questions [EMAIL PROTECTED]
> Date: 26 Oct 2002 22:47:48 +0100
>
> Hi,
> Thanks for the reply. I should mention that I've made some progress with my efforts to set up a samba PDC for my Win2K clients.
>
> First of all I am now able to successfully complete all tests in the recommended DIAGNOSTICS.TXT at http://hr.uoregon.edu/davidrl/DIAGNOSIS.txt, except:-
>
>   test 8: On the PC type the command net view \\BIGSERVER
>
> Specifically, I am only able to complete this test by using the IP Addr of the samba server in place of its name. Likewise for test 9 that follows.
>
> Recapping, I *am* able to serve share dirs to *NIX clients as well as the Win2K boxes, with the caveat that for the Windows boxes, I have to use the IP Addr of the samba server. This is not an issue for other (*NIX) client hosts.
>
> Needless to say, I am not as yet able to have the Win2K boxes join the domain as described in Chapter 9 (How to Configure Samba 2.2 as a Primary Domain Controller, 9.4.3. Joining the Client to the Domain). I still get the MS error when I click OK after entering the domain as defined in smb.conf.
>
> Hope this presents somewhat a clearer description of the current status here. Do get back to me if you would require more information in assisting me in resolving this.

From your description of the problem it looks like the win2k box can't resolve names to IP addresses. That's why I put the emphasis on the firewall: according to your logs, ipfw blocks port 137, which is used to resolve NetBIOS names to IP addresses. I made a little test and blocked port 137 on my PDC (Samba 2.2.4 on NetBSD), and the results are the same as yours.

If that is true (blocking of the netbios-ns port), your PDC can't register as domain controller, and workstations, when joined to the domain, can't find who is the PDC for this domain.

What are your firewall rules? What do nbtstat -A YOUR_SAMBA_SERVER and nbtstat -c show on the win2k box?

> Thanks
>
> On Sat, 2002-10-26 at 22:26, D. Penev wrote:
> > On Mon, Oct 21, 2002 at 07:33:58PM +0100, Stacey Roberts wrote:
> > > Subject: IPFW Rules for samba PDC? [WAS: samba PDC for WIN2K clients?]
> > > From: Stacey Roberts [EMAIL PROTECTED]
> > > To: Andrew Boothman [EMAIL PROTECTED]
> > > Cc: [EMAIL PROTECTED], FreeBSD Questions [EMAIL PROTECTED]
> > > Date: 21 Oct 2002 19:33:58 +0100
> > >
> > > Hello,
> > > I'd appreciate some help from anyone who's got samba 2.2.6 running on FreeBSD as a PDC for Win2K client workstations, please.
> > >
> > > I'm trying to follow the SAMBA How-To at: http://samba.epfl.ch/samba/docs/Samba-HOWTO-Collection.html#AEN60 but fail at the "smbclient -L PDC host" stage:
> > >
> > >   # smbclient -L -N Demon
> > >   added interface ip=192.168.1.8 bcast=192.168.1.255 nmask=255.255.255.0
> > >   Packet send failed to 192.168.1.255(137) ERRNO=Permission denied
> > >   Connection to -N failed
> > >   #
> > >
> > > I get these entries in /var/log/security:
> > >
> > >   Oct 21 19:31:08 Demon /kernel: ipfw: 910 Deny UDP My IP:2308 net.255:137 out via sis0
> >
> > Your firewall blocks packets to port 137 (netbios-ns). That's why you can access the samba server by ip address and not by name.
> >
> > > Please help me out here.
> > >
> > > Stacey
> > >
> > > On Mon, 2002-10-21 at 02:32, Andrew Boothman wrote:
> > > > Stacey Roberts wrote:
> > > > > Hello,
> > > > > I've got 2 WIN2K Pro workstations on my home lan that I'd like to enable network logon for. I've been banging my head against a wall for the last four hours trying to get this sorted, but to no avail.
> > > > >
> > > > > I keep getting the same error when trying to enter the Domain name into the WORKGROUP field in Win2K network properties:
> > > > >
> > > > > The following error occurred validating the name my_domainname. This condition may be caused by a DNS lookup problem. For more information about troubleshooting common DNS lookup problems see the following Microsoft blah., blah.., blah.., The specified domain either does not exist or could not be contacted.
> > > >
> > > > Have you added machine accounts to the FreeBSD box for the client boxes?
> > > >
> > > > You need machine accounts that look like clientname$ (dollar sign at end) added both as local accounts and then again with smbpasswd passing whatever the appropriate switch is to create a machine account.
> > > >
> > > > I have a FreeBSD box here acting as a PDC so we should be able to find the problem.
> > > >
> > > > Andrew.
> > >
> > > --
> > > Stacey Roberts
> > > B.Sc (HONS) Computer Science
> > > Web: www.vickiandstacey.com
> >
> > --
> > Regards,
> > D. Penev
>
> --
> Stacey Roberts
> B.Sc (HONS) Computer Science
> Web: www.vickiandstacey.com

--
Regards,
D. Penev
Re: IPFW Rules for samba PDC? [WAS: samba PDC for WIN2K clients?]
On Sun, Oct 27, 2002 at 10:50:47AM +, Stacey Roberts wrote:
> Subject: Re: IPFW Rules for samba PDC? [WAS: samba PDC for WIN2K clients?]
> From: Stacey Roberts [EMAIL PROTECTED]
> To: D. Penev [EMAIL PROTECTED]
> Cc: FreeBSD Questions [EMAIL PROTECTED]
> Date: 27 Oct 2002 10:50:47 +
>
> Hi,
> Here's the relevant lines in my firewall:
>
>   00620 allow udp from any to any 137 keep-state out xmit sis0
>   00621 allow tcp from any to any 137 keep-state out xmit sis0

Add:

  00622 allow udp from Win2KBox to any 137,138 keep-state in recv sis0
  00623 allow log logamount 10 tcp from Win2KBox to me 137,138 keep-state in recv sis0 setup
                                                    ^^ use any, because win2k uses broadcast if you don't have a WINS server

>   00624 allow udp from any to any 138 keep-state out xmit sis0
>   00625 allow tcp from any to any 138 keep-state out xmit sis0
>
> The output from nbtstat -A SAMBA_SERVER_IP:
>
>   Host not found
>
> The output from nbtstat -c:
>
>   No names in cache
>
> After running both commands, no new entries in /var/log/security appear for packets issued from the Win2K box.
>
> Hope this helps.
>
> Stacey
>
> On Sun, 2002-10-27 at 07:15, D. Penev wrote:
> > On Sat, Oct 26, 2002 at 10:47:48PM +0100, Stacey Roberts wrote:
> > > Subject: Re: IPFW Rules for samba PDC? [WAS: samba PDC for WIN2K clients?]
> > > From: Stacey Roberts [EMAIL PROTECTED]
> > > To: D. Penev [EMAIL PROTECTED]
> > > Cc: FreeBSD Questions [EMAIL PROTECTED]
> > > Date: 26 Oct 2002 22:47:48 +0100
> > >
> > > Hi,
> > > Thanks for the reply. I should mention that I've made some progress with my efforts to set up a samba PDC for my Win2K clients.
> > >
> > > First of all I am now able to successfully complete all tests in the recommended DIAGNOSTICS.TXT at http://hr.uoregon.edu/davidrl/DIAGNOSIS.txt, except:-
> > >
> > >   test 8: On the PC type the command net view \\BIGSERVER
> > >
> > > Specifically, I am only able to complete this test by using the IP Addr of the samba server in place of its name. Likewise for test 9 that follows.
Re: dig . ns @b.root-servers.net - Connection refused. WHY? [related to FBSD 4.7 reset itself - lots of DENY UDP messages in /var/log/security]
On Sun, Oct 27, 2002 at 06:29:16PM +, Stacey Roberts wrote:
> Subject: Re: dig . ns @b.root-servers.net - Connection refused. WHY? [related to FBSD 4.7 reset itself - lots of DENY UDP messages in /var/log/security]
> From: Stacey Roberts [EMAIL PROTECTED]
> To: Ruben de Groot [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED], FreeBSD Questions [EMAIL PROTECTED]
> Date: 27 Oct 2002 18:29:16 +
>
> Okay, I've been hacking about with my ipfw rules in order to nail this down, but I'm still coming up against a wall here..,
>
> I've made this change:
>
>   # Allow out access to Internet Domain name server
>   $fwcmd add 00617 allow tcp from any to any 53 out via $oif setup keep-state
>   #$fwcmd add 00618 allow udp from any to any 53 out via $oif setup keep-state    COMMENTED THIS OUT
>   $fwcmd add 00618 allow udp from any to any 53 out via $oif

You forgot keep-state. Your rule should be:

  $fwcmd add 00618 allow udp from any to any 53 out via $oif keep-state
                                                             ^
                                                             |
                                                      PUT THIS IN INSTEAD

> Now I try to query a root-server, I still get stopped by the firewall:
>
>   # date
>   Sun Oct 27 18:19:35 GMT 2002
>   # dig . ns @b.root-servers.net
>
>   ; DiG 8.3 . ns @b.root-servers.net
>   ; (1 server found)
>   ;; res options: init recurs defnam dnsrch
>   ;; res_nsend to server b.root-servers.net 128.9.0.107: Operation timed out
>
> Checking logs:
>
>   # tail /var/log/security
>   snip
>   Oct 27 18:19:40 Demon /kernel: ipfw: 900 Deny UDP 128.9.0.107:53 192.168.1.8:1642 in via sis0
>   #
>
> The previous poster (see below) informed me that using setup / keep-state with udp is wrong. Given the changes I've made above, what are the magic statements to allow me to query the root servers and allow their responses back in?
>
> TIA
>
> Stacey
>
> On Sun, 2002-10-27 at 16:06, Ruben de Groot wrote:
> > snip
> > > Verifying relevant ipfw rules:
> > >
> > >   # Allow out access to Internet Domain name server
> > >   $fwcmd add 00618 allow tcp from any to any 53 out via $oif setup keep-state
> > >   $fwcmd add 00619 allow udp from any to any 53 out via $oif setup keep-state
> >
> > This last rule is bogus. From ipfw(8):
> >
> >   setup   Matches TCP packets that have the SYN bit set but no ACK bit.
> >           This is the short form of ``tcpflags syn,!ack''.
> >
> > setup is not supposed to work for UDP packets. There is no handshake as in tcp connections.
> >
> > > Checking ipfw rule 910:
> > >
> > >   $fwcmd add 00910 deny log logamount 500 ip from any to any
> > >
> > > Why am I not able to query root servers, given my rules 00618 00619?
> > >
> > > I'd appreciate someone helping me out here., (or hitting me over the head if I'm missing something simple and glaringly obvious)
> > >
> > > TIA
> > >
> > > Stacey
> > >
> > > --
> > > Stacey Roberts
> > > B.Sc (HONS) Computer Science
> > > Web: www.vickiandstacey.com
>
> --
> Stacey Roberts
> B.Sc (HONS) Computer Science
> Web: www.vickiandstacey.com

--
Regards,
D. Penev
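The thread above turns on two ipfw details: "setup" is a TCP-only match (tcpflags syn,!ack), so a udp rule carrying it never matches, and an outbound udp/53 rule without keep-state lets the query out but leaves the root server's reply to hit the default deny, which is exactly the "900 Deny UDP 128.9.0.107:53" line in Stacey's log. The POSIX sh functions below are an added example, not code from the thread or from FreeBSD: they lint rule lines written in the same $fwcmd/$oif style as above (the two names are treated as literal text, not expanded) and rewrite a udp rule into the form D. Penev recommends. The sample ruleset at the bottom is constructed from the rules quoted in the thread.

```sh
#!/bin/sh
# Added example (not from the thread): lint ipfw rule lines for the two
# mistakes discussed above. Rule lines are expected in the "$fwcmd add NNN
# allow PROTO from A to B PORT out via $oif ..." style used in the thread;
# $fwcmd and $oif are left as literal text, not expanded.

# lint_ipfw_rule RULE
# Prints one line per finding, or "ok" when the rule has none.
lint_ipfw_rule() {
    rule=$1
    n=0
    # ipfw(8): "setup" matches TCP packets with SYN set and ACK clear.
    # UDP has no handshake, so a udp rule with "setup" can never match.
    case " $rule " in
        *" udp "*" setup "*)
            printf '%s\n' "bogus: 'setup' on a udp rule never matches (setup is tcpflags syn,!ack, TCP only)"
            n=$((n + 1))
            ;;
    esac
    # An outbound udp/53 rule must be stateful, otherwise the name server's
    # reply (from port 53 to an ephemeral port) is dropped by the default deny.
    case " $rule " in
        *" udp "*" 53 out "*)
            case " $rule " in
                *" keep-state "*) ;;
                *)
                    printf '%s\n' "missing keep-state: replies from port 53 will hit the default deny on the way in"
                    n=$((n + 1))
                    ;;
            esac
            ;;
    esac
    [ "$n" -eq 0 ] && printf '%s\n' "ok"
    return 0
}

# fix_udp_rule RULE
# Drops "setup" from a udp rule and appends keep-state if it is missing;
# tcp rules are returned unchanged.
fix_udp_rule() {
    rule=$1
    case " $rule " in
        *" udp "*) ;;
        *) printf '%s\n' "$rule"; return 0 ;;
    esac
    rule=$(printf '%s' "$rule" | sed 's/ setup//g')
    case " $rule " in
        *" keep-state "*) ;;
        *) rule="$rule keep-state" ;;
    esac
    printf '%s\n' "$rule"
}

# lint_ruleset < FILE
# Echoes each rule followed by its indented findings; blank and comment
# lines (including rules commented out with a leading #) are skipped.
lint_ruleset() {
    while IFS= read -r r; do
        case $r in ''|'#'*) continue ;; esac
        printf '%s\n' "$r"
        lint_ipfw_rule "$r" | sed 's/^/    /'
    done
    return 0
}

# Constructed sample: the DNS rules quoted in the thread, unchanged.
lint_ruleset <<'EOF'
# Allow out access to Internet Domain name server
$fwcmd add 00617 allow tcp from any to any 53 out via $oif setup keep-state
$fwcmd add 00618 allow udp from any to any 53 out via $oif
$fwcmd add 00619 allow udp from any to any 53 out via $oif setup keep-state
EOF
```

Run it as `sh lint.sh < /etc/rc.firewall.local` (or any file with one rule per line) on the FreeBSD box itself; the tcp rule passes, the stateless udp rule is reported for the missing keep-state, and the "setup keep-state" udp rule is reported as never matching.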
Re: Starting natd
On Sun, Oct 27, 2002 at 02:18:21PM -0500, Robert Hall wrote:
> Date: Sun, 27 Oct 2002 14:18:21 -0500
> To: [EMAIL PROTECTED]
> From: Robert Hall [EMAIL PROTECTED]
> Subject: Re: Starting natd
>
> At 11:41 PM 10/26/2002 +0300, you wrote:
> > On Sat, Oct 26, 2002 at 02:18:01PM -0500, Robert Hall wrote:
> > > Date: Sat, 26 Oct 2002 14:18:01 -0500
> > > To: [EMAIL PROTECTED]
> > > From: Robert Hall [EMAIL PROTECTED]
> > > Subject: Starting natd
> > >
> > > I'm setting up a FBSD 4.4 box as a gateway. I've got
> > >
> > >   natd_enable=YES
> > >   natd_interface=ppp0
> > >
> > > in rc.config, but I can't get natd to run without entering natd -interface ppp0 at the command prompt. I assume this is a configuration problem, but I've been through the files several times and can't find an error. Can someone tell me how to get natd to run automatically?
> >
> > If you use user ppp (ppp(8), not pppd(8)) I suggest you use the built-in nat; in rc.conf:
> >
> >   ppp_nat=YES
> >
> > But if you for some reason want to use natd, then you must first start ppp or pppd before starting natd. Note: if you use ppp, set the interface to tun0, not to ppp0.
>
> I'm using kernel ppp (pppd). It is already set up and it runs. I have set up FreeBSD boxes before with this configuration, and natd started automatically and ran without any intervention on my part. For some reason, it doesn't do that this time, and I have to start it manually. I'm hoping someone can tell me why, so I can fix it.

Put in rc.conf:

  natd_flags=-dynamic

> Bob Hall

--
Regards,
D. Penev
Re: Starting natd
On Sat, Oct 26, 2002 at 02:18:01PM -0500, Robert Hall wrote:
> Date: Sat, 26 Oct 2002 14:18:01 -0500
> To: [EMAIL PROTECTED]
> From: Robert Hall [EMAIL PROTECTED]
> Subject: Starting natd
>
> I'm setting up a FBSD 4.4 box as a gateway. I've got
>
>   natd_enable=YES
>   natd_interface=ppp0
>
> in rc.config, but I can't get natd to run without entering natd -interface ppp0 at the command prompt. I assume this is a configuration problem, but I've been through the files several times and can't find an error. Can someone tell me how to get natd to run automatically?

If you use user ppp (ppp(8), not pppd(8)) I suggest you use the built-in nat; in rc.conf:

  ppp_nat=YES

But if you for some reason want to use natd, then you must first start ppp or pppd before starting natd. Note: if you use ppp, set the interface to tun0, not to ppp0.

> Bob Hall

--
Regards,
D. Penev
Re: IPFW Rules for samba PDC? [WAS: samba PDC for WIN2K clients?]
On Mon, Oct 21, 2002 at 07:33:58PM +0100, Stacey Roberts wrote:
> Subject: IPFW Rules for samba PDC? [WAS: samba PDC for WIN2K clients?]
> From: Stacey Roberts [EMAIL PROTECTED]
> To: Andrew Boothman [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED], FreeBSD Questions [EMAIL PROTECTED]
> Date: 21 Oct 2002 19:33:58 +0100
>
> Hello,
> I'd appreciate some help from anyone who's got samba 2.2.6 running on FreeBSD as a PDC for Win2K client workstations, please.
>
> I'm trying to follow the SAMBA How-To at: http://samba.epfl.ch/samba/docs/Samba-HOWTO-Collection.html#AEN60 but fail at the "smbclient -L PDC host" stage:
>
>   # smbclient -L -N Demon
>   added interface ip=192.168.1.8 bcast=192.168.1.255 nmask=255.255.255.0
>   Packet send failed to 192.168.1.255(137) ERRNO=Permission denied
>   Connection to -N failed
>   #
>
> I get these entries in /var/log/security:
>
>   Oct 21 19:31:08 Demon /kernel: ipfw: 910 Deny UDP My IP:2308 net.255:137 out via sis0

Your firewall blocks packets to port 137 (netbios-ns). That's why you can access the samba server by ip address and not by name.

> Please help me out here.
>
> Stacey
>
> On Mon, 2002-10-21 at 02:32, Andrew Boothman wrote:
> > Stacey Roberts wrote:
> > > Hello,
> > > I've got 2 WIN2K Pro workstations on my home lan that I'd like to enable network logon for. I've been banging my head against a wall for the last four hours trying to get this sorted, but to no avail.
> > >
> > > I keep getting the same error when trying to enter the Domain name into the WORKGROUP field in Win2K network properties:
> > >
> > > The following error occurred validating the name my_domainname. This condition may be caused by a DNS lookup problem. For more information about troubleshooting common DNS lookup problems see the following Microsoft blah., blah.., blah.., The specified domain either does not exist or could not be contacted.
> >
> > Have you added machine accounts to the FreeBSD box for the client boxes?
> >
> > You need machine accounts that look like clientname$ (dollar sign at end) added both as local accounts and then again with smbpasswd passing whatever the appropriate switch is to create a machine account.
> >
> > I have a FreeBSD box here acting as a PDC so we should be able to find the problem.
> >
> > Andrew.
>
> --
> Stacey Roberts
> B.Sc (HONS) Computer Science
> Web: www.vickiandstacey.com

--
Regards,
D. Penev
Re: samba PDC for WIN2K clients?
On Mon, Oct 21, 2002 at 06:07:44AM +0100, Stacey Roberts wrote:
> Subject: Re: samba PDC for WIN2K clients?
> From: Stacey Roberts [EMAIL PROTECTED]
> To: Andrew Boothman [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED], FreeBSD Questions [EMAIL PROTECTED]
> Date: 21 Oct 2002 06:07:44 +0100
>
> Hi Andrew,
> Thanks for getting back to me. I tried getting the machine account added to the smbpasswd file, but this fails:
>
>   # smbpasswd -m -n -a winbox
>   LDAPS option set...!
>   fetch_ldap_pw: no ldap secret retrieved!
>   ldap_connect_system: Failed to retrieve password for  from secrets.tdb
>   LDAPS option set...!
>   fetch_ldap_pw: no ldap secret retrieved!
>   ldap_connect_system: Failed to retrieve password for  from secrets.tdb
>   Failed to add entry for user winbox$.
>   Failed to modify password entry for user winbox$
>   #
>
> Is the syntax for adding the account correct here?
>
> Thanks again, hope to hear from you again soon.
>
> Stacey
>
> On Mon, 2002-10-21 at 02:32, Andrew Boothman wrote:
> > Stacey Roberts wrote:
> > > Hello,
> > > I've got 2 WIN2K Pro workstations on my home lan that I'd like to enable network logon for. I've been banging my head against a wall for the last four hours trying to get this sorted, but to no avail.
> > >
> > > I keep getting the same error when trying to enter the Domain name into the WORKGROUP field in Win2K network properties:
> > >
> > > The following error occurred validating the name my_domainname. This condition may be caused by a DNS lookup problem. For more information about troubleshooting common DNS lookup problems see the following Microsoft blah., blah.., blah..,

Do you have NBT enabled on the adapter? It seems that the win2k box attempts to use dns, not wins, for resolving names.

The standard way to add a machine account is to use the "join domain" function from the windows box, because if you add this account manually the windows box doesn't know what the password for the account is.

> > > The specified domain either does not exist or could not be contacted.
> >
> > Have you added machine accounts to the FreeBSD box for the client boxes?
> >
> > You need machine accounts that look like clientname$ (dollar sign at end) added both as local accounts and then again with smbpasswd passing whatever the appropriate switch is to create a machine account.
> >
> > I have a FreeBSD box here acting as a PDC so we should be able to find the problem.
> >
> > Andrew.
>
> --
> Stacey Roberts
> B.Sc (HONS) Computer Science
> Web: www.vickiandstacey.com

--
Regards,
D. Penev
Re: Puzzling Simple NATD and IPFW Problem
> > and it seems that it is bound to never work!
>
> Do you have gateway_enable=YES in /etc/rc.conf? What do the following show when you run them (just paste them in a reply):
>
>   # ifconfig -a
>   # netstat -rn
>   # ipfw -a l
>   # sysctl net.inet.ip.forwarding
>   # ps -aux |grep nat
>   # cat /etc/rc.conf
>
> Nick Rogness [EMAIL PROTECTED]
> - WARNING TO ALL PERSONNEL: Firings will continue until morale improves.

In fact I don't think that will solve your problem, but who knows :)

--
Regards,
D. Penev
Re: UDP Port 53 Log In Vain Messages
On Wed, Oct 09, 2002 at 02:21:50PM -0400, wolf wrote:
> Date: Wed, 09 Oct 2002 14:21:50 -0400
> From: wolf [EMAIL PROTECTED]
> To: Roman Neuhauser [EMAIL PROTECTED]
> Cc: Wolfieee [EMAIL PROTECTED], [EMAIL PROTECTED]
> Subject: Re: UDP Port 53 Log In Vain Messages
>
> I don't think the firewall is to blame.

I think so. If there is a firewall that blocks dns replies then they never go through the firewall. My explanation is that dns sends a query to the external dns but after some time period it doesn't get an answer (because the external dns is very busy) and closes the socket, so when the answer arrives there isn't an open socket. If you have a lot of name-resolving errors my suggestion is to remove your isp's dns servers as forwarders.

>   00050  60949435 31435808176 divert 8668 ip from any to any via rl0
>   00100 71631099071516 allow ip from any to any via lo0
>   00200         0           0 deny ip from any to 127.0.0.0/8
>   00300         0           0 deny ip from 127.0.0.0/8 to any
>   65000 120754392 61388414174 allow ip from any to any
>   65535     81016 deny ip from any to any
>
> Roman Neuhauser wrote:
> > # [EMAIL PROTECTED] / 2002-10-09 13:21:25 -0400:
> > > Ok, what causes the following events to occur and what do I do to fix whatever is wrong?
> > >
> > > _MY_MACHINE_ is my machine
> > > _ISP_NAMESERVER_01_ and _ISP_NAMESERVER_02_ are my ISP's nameservers
> > >
> > > I am running named.
> > >
> > > What additional information is needed? (if any)
> > > What do I look at?
> > >
> > > Unusual System Events
> > > =-=-=-=-=-=-=-=-=-=-=
> > > Oct 9 09:01:01 hq /kernel: Connection attempt to UDP _MY_MACHINE_:3550 from _ISP_NAMESERVER_02_:53
> > > Oct 9 09:01:03 hq /kernel: Connection attempt to UDP _LOCALHOST_:512 from _LOCALHOST_:3597
> > > Oct 9 09:01:06 hq /kernel: Connection attempt to UDP _MY_MACHINE_:3551 from _ISP_NAMESERVER_01_:53
> > > Oct 9 09:01:14 hq /kernel: Connection attempt to UDP _MY_MACHINE_:3553 from _ISP_NAMESERVER_02_:53
> > > Oct 9 09:01:17 hq /kernel: Connection attempt to UDP _MY_MACHINE_:3554 from _ISP_NAMESERVER_01_:53
> > > Oct 9 09:01:23 hq /kernel: Connection attempt to UDP _LOCALHOST_:512 from _LOCALHOST_:3611
> > > Oct 9 09:01:24 hq /kernel: Connection attempt to UDP _LOCALHOST_:3548 from _LOCALHOST_:53
> >
> > this means that you have a firewall that blocks incoming udp on port 53 on both the loopback and your nic. specifically, the blocked packets are replies to your dns queries. fix your firewall ruleset. the rule from my ipf ruleset:
> >
> >   pass out quick on $if proto tcp/udp from $ip to any port = 53 keep state
> >
> > that keep state is what allows the responses back in.

--
Regards,
D. Penev
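Two kinds of kernel log line appear in this thread and in the samba/ipfw threads above: "ipfw: NNN Deny ..." records written by a logging deny rule, and "Connection attempt to UDP ..." records written by net.inet.udp.log_in_vain, which, on D. Penev's reading, are replies that arrived after the resolver had already closed its socket rather than firewall drops. The classifier below is an added example, not code from the thread or from FreeBSD, written in POSIX sh so it can be run against /var/log/security on the box itself. It tells late DNS replies, firewall-dropped DNS replies and blocked NetBIOS name service apart, so the counts point at the right fix (forwarders vs. keep-state vs. the port 137/138 rules). The sample lines are constructed from the ones quoted in the messages; the redacted "My IP" and "net.255" in the NetBIOS line are replaced by the 192.168.1.8 / 192.168.1.255 addresses shown in the smbclient output, and the TCP line is made up.

```sh
#!/bin/sh
# Added example (not from the thread): classify the kernel log lines quoted
# in these messages. Two formats are handled, both as logged by FreeBSD 4.x:
#   ... /kernel: ipfw: 910 Deny UDP 192.168.1.8:2308 192.168.1.255:137 out via sis0
#   ... /kernel: Connection attempt to UDP _MY_MACHINE_:3550 from _ISP_NAMESERVER_02_:53
# The first comes from a logging deny rule; the second from
# net.inet.udp.log_in_vain, reporting a datagram for which no socket was open.

# classify_log_line LINE
# Prints a one-line verdict.
classify_log_line() {
    line=$1
    case $line in
        *"ipfw: "*" Deny "*)
            rest=${line#*ipfw: }
            # Fields: RULE Deny PROTO SRC:PORT DST:PORT DIR via IFACE
            set -- $rest
            rule=$1 proto=$3 src=$4 dst=$5 dir=$6 iface=$8
            sport=${src##*:} dport=${dst##*:}
            if [ "$proto" = UDP ] && [ "$dir" = in ] && [ "$sport" = 53 ]; then
                # A name server's reply, dropped because the outbound
                # port-53 rule created no state for it.
                echo "rule $rule dropped a DNS reply from ${src%:*}: the outbound port-53 rule needs keep-state"
            elif [ "$proto" = UDP ] && [ "$dir" = out ] && [ "$dport" = 53 ]; then
                echo "rule $rule dropped an outbound DNS query to ${dst%:*}"
            elif [ "$proto" = UDP ] && { [ "$dport" = 137 ] || [ "$dport" = 138 ]; }; then
                # netbios-ns / netbios-dgm: without these, names do not
                # resolve and hosts are reachable by IP address only.
                echo "rule $rule dropped NetBIOS udp/$dport $dir via $iface: name resolution fails, hosts reachable by IP only"
            else
                echo "rule $rule dropped $proto $src -> $dst $dir"
            fi
            ;;
        *"Connection attempt to "*)
            rest=${line#*Connection attempt to }
            # Fields: PROTO DST:PORT from SRC:PORT
            set -- $rest
            proto=$1 dst=$2 src=$4
            sport=${src##*:} dport=${dst##*:}
            if [ "$proto" = UDP ] && [ "$sport" = 53 ] && [ "$dport" -gt 1023 ]; then
                # The resolver gave up and closed its socket before the
                # answer came back; the packet did pass the firewall.
                echo "late DNS reply from ${src%:*} to a closed resolver socket (query timed out first)"
            else
                echo "$proto packet to closed port $dport from ${src%:*}"
            fi
            ;;
        *)
            echo "unclassified: $line"
            ;;
    esac
    return 0
}

# summarize_log < LOGFILE
# Counts verdicts over every line on stdin and prints one summary line.
summarize_log() {
    late=0 dropped=0 nb=0 other=0
    while IFS= read -r l; do
        v=$(classify_log_line "$l")
        case $v in
            "late DNS reply"*)        late=$((late + 1)) ;;
            *"dropped a DNS reply"*)  dropped=$((dropped + 1)) ;;
            *"dropped NetBIOS"*)      nb=$((nb + 1)) ;;
            *)                        other=$((other + 1)) ;;
        esac
    done
    echo "late_dns_replies=$late ipfw_dropped_dns_replies=$dropped netbios_denied=$nb other=$other"
    return 0
}

# Constructed sample built from the lines quoted in the messages above
# (addresses filled in where the posters redacted them; last line made up).
SAMPLE_LOG='Oct 9 09:01:01 hq /kernel: Connection attempt to UDP _MY_MACHINE_:3550 from _ISP_NAMESERVER_02_:53
Oct 9 09:01:03 hq /kernel: Connection attempt to UDP _LOCALHOST_:512 from _LOCALHOST_:3597
Oct 9 09:01:06 hq /kernel: Connection attempt to UDP _MY_MACHINE_:3551 from _ISP_NAMESERVER_01_:53
Oct 9 09:01:24 hq /kernel: Connection attempt to UDP _LOCALHOST_:3548 from _LOCALHOST_:53
Oct 21 19:31:08 Demon /kernel: ipfw: 910 Deny UDP 192.168.1.8:2308 192.168.1.255:137 out via sis0
Oct 27 18:19:40 Demon /kernel: ipfw: 900 Deny UDP 128.9.0.107:53 192.168.1.8:1642 in via sis0
Oct 27 18:20:00 Demon /kernel: ipfw: 910 Deny TCP 203.0.113.9:4444 192.168.1.8:23 in via sis0'

printf '%s\n' "$SAMPLE_LOG" | summarize_log
```

On a live box, `summarize_log < /var/log/security` gives the same one-line summary; a high late_dns_replies count with ipfw_dropped_dns_replies at zero is the pattern D. Penev describes (slow forwarders, firewall not involved), while a non-zero ipfw_dropped_dns_replies count is the keep-state problem from the dig thread.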
Re: 2 gateways - separate routes for different ports?
On Fri, Sep 27, 2002 at 08:23:12PM +1000, Alek - [EMAIL PROTECTED] wrote:
> Date: Fri, 27 Sep 2002 20:23:12 +1000 (EST)
> Subject: 2 gateways - separate routes for different ports?
> From: Alek - [EMAIL PROTECTED] [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
>
> Greetings,
>
> I currently have 2 gateway servers that I would like to consolidate. One is a permanent dialup with a static IP - this maintains DNS, routes my SMTP namespace and is relatively secured with IPFW. The other is a cable connection with a dynamic IP running NAT but unsecured because I haven't figured out how to configure IPFW with a dynamic IP yet.
>
> I want to consolidate these 2 boxes, but I would need to route port 25 and 53 traffic through the dialup connection and everything else through the cable connection? I expect I should be able to do this with IPFW? No?
>
> Any ideas / solutions appreciated.

Try this:

in /etc/ppp/ppp.linkup

  dialup_isp_label:
    /sbin/ipfw add XXX fwd HISADDR tcp from any to any 25,53
    /sbin/ipfw add YYY fwd HISADDR udp from any to any 25,53
                   ^^^ numbers depend on your other ipfw rules
                                              ^^^ if you have your own dns and/or mail server, change this to the ip address that they are bound to

in /etc/ppp/ppp.linkdown

  dialup_isp_label:
    /sbin/ipfw delete XXX
    /sbin/ipfw delete YYY

Remove or comment "add default HISADDR" in the dialup_isp_label section in ppp.conf and set the default route to the cable connection.

> Cheers,
> Alek.

--
Regards,
D. Penev
Re: XP Windows and Nat
On Thu, Sep 26, 2002 at 02:07:23AM -0600, Grant Cooper wrote:
> From: Grant Cooper [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: XP Windows and Nat
> Date: Thu, 26 Sep 2002 02:07:23 -0600
>
> I am using FreeBSD as a firewall and just recently upgraded to an XP box. Not so much a problem but my Network connection gives me a warning every 15 - 20 min saying my internet connection is down. Then it re-connects. About a 5-6 sec delay. Never had this problem with Windows 98 and still don't. Think maybe a windows driver is causing the problem?

Give more info about your configuration.

--
Regards,
D. Penev
Re: samba server as a PDC
On Thu, Sep 26, 2002 at 09:09:08PM +, Peter Ulrich Kruppa wrote:
> Date: Thu, 26 Sep 2002 21:09:08 + (GMT)
> From: [EMAIL PROTECTED] (Peter Ulrich Kruppa)
> To: D. Penev [EMAIL PROTECTED]
> cc: Peter Ulrich Kruppa [EMAIL PROTECTED], [EMAIL PROTECTED]
> Subject: Re: samba server as a PDC
>
> On Wed, 25 Sep 2002, D. Penev wrote:
> > On Wed, Sep 25, 2002 at 10:10:34PM +, Peter Ulrich Kruppa wrote:
> > > Date: Wed, 25 Sep 2002 22:10:34 + (GMT)
> > > From: [EMAIL PROTECTED] (Peter Ulrich Kruppa)
> > > To: [EMAIL PROTECTED]
> > > Subject: samba server as a PDC
> > >
> > > Hi,
> > >
> > > I am trying to set up a samba server as a primary domain controller for about 30 NT and Win2000 machines (and about 800 users). Password administration and homes services seem to work ok.
> > >
> > > But the machines should also be able to read the user's profile from the server when logging on and write them back when logging off (roaming profiles). This only works for users with root access to the server. Ordinary users can read their profile when starting up, but logging off they receive an access denied message.
> > >
> > > I guess I have to set permissions correctly, but I have no idea how. My users belong to a group called samba, their profiles are stored in a directory /usr/local/samba/profiles .
> >
> > What does ls -al /usr/local/samba/profiles show? Mine is:
> >
> >   # ls -al profiles
> >   total 4
> >   drwxr-xr-x   4 DomainAdmin  DomainAdmins  512 Jul 15 23:04 .
> >   drwxr-xr-x   5 root         wheel         512 Jul 15 21:16 ..
> >   drwx------  13 DomainAdmin  DomainAdmins  512 Jul 19 23:32 DomainAdmin
> >   drwx------  13 DomainUser   DomainUsers   512 Jul 26 22:15 DomainUser
> >   [snip]
>
> Hmm ... I have got
> ---
>   total 4
>   drwxr-xr-x   4 root           samba  512 26 Sep 20:48 .
>   drwxrwx---   4 root                  512 26 Sep 21:02 ..

I don't think that this is causing the problem.

>   drwxr-xr-x  14 lukas_mueller  samba  512 26 Sep 20:33 lukas_mueller

Does this user have problems with write permission? I don't see any incorrect permissions, and he must be able to save his profile without any problems, but users that don't have profiles cannot create them because they don't have write permission to /usr/local/samba/profiles. I see two solutions:

  1. chmod 775 /usr/local/samba/profiles
  2. manually create the users' directories as root and chown each of them to the user

>   drwxr-xr-x  13 root           samba  512 26 Sep 20:24 root
>
> - ... and I have to admit, I don't know who group is. I don't have it in my /etc/group. How do I change permissions for .. then?
>
> Uli.
>
> > > Any idea what could be done?
> > >
> > > Thanks for your answers.
> > >
> > > Uli.
> > >
> > > *---*
> > > *Peter Ulrich Kruppa*
> > > * - Wuppertal - *
> > > * Germany *
> > > *---*
> >
> > --
> > Regards,
> > D. Penev
>
> *---*
> *Peter Ulrich Kruppa*
> * - Wuppertal - *
> * Germany *
> *---*

--
Regards,
D. Penev
Re: samba server as a PDC
On Thu, Sep 26, 2002 at 10:48:45PM +, Peter Ulrich Kruppa wrote:
> Date: Thu, 26 Sep 2002 22:48:45 + (GMT)
> From: [EMAIL PROTECTED] (Peter Ulrich Kruppa)
> To: D. Penev [EMAIL PROTECTED]
> Cc: Peter Ulrich Kruppa [EMAIL PROTECTED], [EMAIL PROTECTED]
> Subject: Re: samba server as a PDC
>
> Yes, thanks to *everybody*!
> I think I mixed up chown, chgrp and chmod somehow. Now
>
> # ls -al /usr/local/samba/profiles
>
> delivers
>
> total 4
> drwxr-xr-x   4 root          samba 512 26 Sep 20:48 .
> drwxr-xr-x   4 root          samba 512 26 Sep 21:05 ..
> drwxr-xr-x  15 lukas_mueller samba 512 26 Sep 22:41 lukas_mueller
> drwxr-xr-x  13 root          samba 512 26 Sep 20:24 root
>
> and everything works. This is just in time because we are going to set up a second computer room in our school during the next weeks.
>
> Regards,
> Uli.
>
> On Thu, 26 Sep 2002, D. Penev wrote:
>
> > On Thu, Sep 26, 2002 at 09:09:08PM +, Peter Ulrich Kruppa wrote:
> > > Date: Thu, 26 Sep 2002 21:09:08 + (GMT)
> > > From: [EMAIL PROTECTED] (Peter Ulrich Kruppa)
> > > To: D. Penev [EMAIL PROTECTED]
> > > cc: Peter Ulrich Kruppa [EMAIL PROTECTED], [EMAIL PROTECTED]
> > > Subject: Re: samba server as a PDC
> > >
> > > On Wed, 25 Sep 2002, D. Penev wrote:
> > >
> > > > On Wed, Sep 25, 2002 at 10:10:34PM +, Peter Ulrich Kruppa wrote:
> > > > > Date: Wed, 25 Sep 2002 22:10:34 + (GMT)
> > > > > From: [EMAIL PROTECTED] (Peter Ulrich Kruppa)
> > > > > To: [EMAIL PROTECTED]
> > > > > Subject: samba server as a PDC
> > > > >
> > > > > Hi,
> > > > > I am trying to set up a samba server as a primary domain controller for about 30 NT and Win2000 machines (and about 800 users). Password administration and homes services seem to work ok. But the machines should also be able to read the user's profile from the server when logging on and write them back when logging off (roaming profiles). This only works for users with root access to the server. Ordinary users can read their profile when starting up, but when logging off they receive an access denied message. I guess I have to set permissions correctly, but I have no idea how.
> > > > > My users belong to a group called samba; their profiles are stored in a directory /usr/local/samba/profiles.
> > > >
> > > > What does ls -al /usr/local/samba/profiles show? Mine is:
> > > >
> > > > # ls -al profiles
> > > > total 4
> > > > drwxr-xr-x   4 DomainAdmin DomainAdmins 512 Jul 15 23:04 .
> > > > drwxr-xr-x   5 root        wheel        512 Jul 15 21:16 ..
> > > > drwx------  13 DomainAdmin DomainAdmins 512 Jul 19 23:32 DomainAdmin
> > > > drwx------  13 DomainUser  DomainUsers  512 Jul 26 22:15 DomainUser
> > > >
> > > > [snip]
> > >
> > > Hmm ... I have got
> > > ---
> > > total 4
> > > drwxr-xr-x   4 root samba 512 26 Sep 20:48 .
> > > drwxrwx---   4 root       512 26 Sep 21:02 ..
> >
> > I don't think that this is causing the problem. What I didn't see is that /usr/local/samba is not world readable, but the suggestions that I gave below are still valid for roaming profiles.
> >
> > > drwxr-xr-x  14 lukas_mueller samba 512 26 Sep 20:33 lukas_mueller
> >
> > Does this user have problems with write permission?
> > I don't see any incorrect permissions, and he must save his profile without any problems, but users that don't have profiles cannot create them because they don't have write permission to /usr/local/samba/profiles. I see two solutions:
> >
> > 1. chmod 775 /usr/local/samba/profiles
> > 2. manually create the users' directories as root and chown each of them to the user
> >
> > > drwxr-xr-x  13 root samba 512 26 Sep 20:24 root
> > >
> > > ... and I have to admit, I don't know what group that is. I don't have it in my /etc/group. How do I change permissions for .. then?
> > >
> > > Uli.
> > >
> > > > > Any idea what could be done?
> > > > > Thanks for your answers.
> > > > > Uli.
> > > > > *---* *Peter Ulrich Kruppa* * - Wuppertal - * * Germany * *---*
> > > >
> > > > -- Regards, D. Penev
> > >
> > > *---* *Peter Ulrich Kruppa* * - Wuppertal - * * Germany * *---*
> >
> > -- Regards, D. Penev
>
> *---* *Peter Ulrich Kruppa* * - Wuppertal - * * Germany * *---*

-- Regards, D. Penev
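As an added example (not code from the thread), a POSIX sh helper that implements D. Penev's second suggestion: pre-create each user's roaming-profile directory as root and chown it to that user, so the profiles share root can stay non-group-writable instead of being opened up with chmod 775. The share path and group name are assumptions passed in by the caller; the per-user mode 700 follows the drwx------ entries in the listing he posted.

```shell
#!/bin/sh
# Added example, not code from the thread. Implements D. Penev's second
# suggestion: pre-create each user's roaming-profile directory and chown it
# to that user, so the share root need not be group-writable.
# Assumptions: the profiles directory (e.g. /usr/local/samba/profiles) and
# the group name (e.g. samba) are passed in; per-user directories get mode
# 700, matching the drwx------ entries in the listing he posted.

# mode_of DIR : prints the 10-character mode field from ls -ld (portable
# across FreeBSD and GNU, unlike stat(1) flags).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# share_root_ok PROFILES_DIR : succeeds only if the share root is neither
# group- nor world-writable. Option 1 from the thread (chmod 775) fails this
# check: every group member could then create or rename entries in the root.
share_root_ok() {
    case $(mode_of "$1") in
        d????-??-?) return 0 ;;
        *) return 1 ;;
    esac
}

# ensure_profile_dir PROFILES_DIR USER GROUP : creates PROFILES_DIR/USER
# owned by USER:GROUP with mode 700 (idempotent), verifies the result and
# prints the path. Needs root when USER is not the calling user.
ensure_profile_dir() {
    base=$1 user=$2 group=$3
    dir="$base/$user"
    [ -d "$dir" ] || mkdir "$dir" || return 1
    chown "$user:$group" "$dir" || return 1
    chmod 700 "$dir" || return 1
    [ "$(mode_of "$dir")" = "drwx------" ] || {
        echo "unexpected mode on $dir" >&2
        return 1
    }
    printf '%s\n' "$dir"
}

# Usage on the PDC, as root (user name taken from the thread's listing):
#   ensure_profile_dir /usr/local/samba/profiles lukas_mueller samba
#   share_root_ok /usr/local/samba/profiles || echo "share root is writable by group or others"
```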
Re: samba server as a PDC
On Wed, Sep 25, 2002 at 10:10:34PM +, Peter Ulrich Kruppa wrote:
> Date: Wed, 25 Sep 2002 22:10:34 + (GMT)
> From: [EMAIL PROTECTED] (Peter Ulrich Kruppa)
> To: [EMAIL PROTECTED]
> Subject: samba server as a PDC
>
> Hi,
> I am trying to set up a samba server as a primary domain controller for about 30 NT and Win2000 machines (and about 800 users). Password administration and homes services seem to work ok. But the machines should also be able to read the user's profile from the server when logging on and write them back when logging off (roaming profiles). This only works for users with root access to the server. Ordinary users can read their profile when starting up, but when logging off they receive an access denied message. I guess I have to set permissions correctly, but I have no idea how.
> My users belong to a group called samba; their profiles are stored in a directory /usr/local/samba/profiles.

What does ls -al /usr/local/samba/profiles show? Mine is:

# ls -al profiles
total 4
drwxr-xr-x   4 DomainAdmin DomainAdmins 512 Jul 15 23:04 .
drwxr-xr-x   5 root        wheel        512 Jul 15 21:16 ..
drwx------  13 DomainAdmin DomainAdmins 512 Jul 19 23:32 DomainAdmin
drwx------  13 DomainUser  DomainUsers  512 Jul 26 22:15 DomainUser

[snip]

> Any idea what could be done?
> Thanks for your answers.
> Uli.
> *---* *Peter Ulrich Kruppa* * - Wuppertal - * * Germany * *---*

-- Regards, D. Penev
Re: Can IPFW keep state after a flush?
On Tue, Sep 24, 2002 at 11:43:19AM -0500, Kirk Strauser wrote:
> To: [EMAIL PROTECTED]
> Subject: Can IPFW keep state after a flush?
> From: Kirk Strauser [EMAIL PROTECTED]
> Date: 24 Sep 2002 11:43:19 -0500
>
> From what I can tell, ipfw's 'flush' command clears the ruleset *and* the current list of dynamic (keep-state) rules. Is there any way to ask ipfw to flush only the ruleset, but to leave the dynamic rules intact? Ideally,

From ip_fw.c:

[snip]
 * Each dynamic rules holds a pointer to the parent ipfw rule so
 * we know what action to perform. Dynamic rules are removed when
 * the parent rule is deleted.
[snip]

From ip_fw2.c:

 * Each dynamic rule holds a pointer to the parent ipfw rule so
 * we know what action to perform. Dynamic rules are removed when
 * the parent rule is deleted. XXX we should make them survive.

> ipfw could be made to compare the current dynamic rules against any new rules that were added, which would allow a sysadmin to implement a new ruleset on an already-running system without disturbing any current valid connections. Is such a thing possible, or am I dreaming?
>
> -- Kirk Strauser
> In Googlis non est, ergo non est.

-- Regards, D. Penev
Re: Remove Multiple Boot
On Sun, Sep 22, 2002 at 09:44:11AM -0400, Grant Peel wrote:
> From: Grant Peel [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Remove Multiple Boot
> Date: Sun, 22 Sep 2002 09:44:11 -0400
>
> Hi all,
> I have recently converted another PC to FreeBSD and no longer need FreeBSD on my usual workstation. I am running Windows XP on the workstation, and need to remove the (Easy Boot) boot manager and have the computer return to just automatically booting to Windows. Does anyone know how to remove it?

Boot from the XP CD-ROM, start the Recovery Console and use the fixmbr command. The fdisk that Giorgos suggested is no longer supported by XP.

> -Grant
>
> Grant W. Peel
> Server Administrator
> The Net Now -- Expresshost
> http://thenetnow.com
> [EMAIL PROTECTED]

-- Regards, D. Penev