Re: Login.conf Limits not Applying for Postfix

2013-05-09 Thread Eric S Pulley

 Hey list,

 I have a pretty low resource usage for users on my system, thus I have
 some low limits set in my /etc/login.conf. Particularly openfiles, which
 is set to 128 for the default class. However, I started getting errors
 from Postfix saying it has hit this limit:
 postfix/proxymap[97907]: warning: could allocate space for only 128 open
 files

 So I added a new class in my /etc/login.conf:

 postfix:\
 :openfiles=1024:\
 :tc=default:

 Yes, I did run `cap_mkdb /etc/login.conf` (multiple times, in fact). I
 stopped and restarted the postfix daemon. I've even rebooted the system
 entirely since then, to no avail (It sends half the mail at a time - but
 the error appears again once mail starts building up). Am I missing
 something? Do I need to set the postfix user into the postfix login class
 somehow?

Yes see http://www.freebsd.org/doc/en/books/handbook/users-modifying.html

 My full /etc/login.conf is here: http://pastebin.ca/2376936


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
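Added example (mine, not code from the thread or from FreeBSD): a small parser for the getcap(3) record format that /etc/login.conf uses, which follows tc= inheritance the way login_getclass(3) does and reports the open-files limit a class actually grants. It is useful for confirming that a new class really overrides the default before you chase the problem elsewhere; remember the class only affects processes started under it (pw usermod -L for a login user), so the running daemon's limits are what to check in the end, e.g. with procstat -l <pid>. The SAMPLE_LOGIN_CONF text and its class names are constructed for the example.

```python
"""Resolve the effective login.conf(5) capabilities of a login class.

Added example for this thread, not code from it. Parses the getcap(3)
record format of /etc/login.conf, follows tc= inheritance (a class's own
entries override its parent's) and reports the open-files limits.
SAMPLE_LOGIN_CONF is constructed; the class names and values are assumptions.
"""

SAMPLE_LOGIN_CONF = r"""
# constructed sample modelled on the thread
default:\
        :passwd_format=sha512:\
        :copyright=/etc/COPYRIGHT:\
        :openfiles=128:\
        :maxproc=64:\
        :umask=022:

postfix:\
        :openfiles=1024:\
        :tc=default:

mail-hard:\
        :openfiles-cur=256:\
        :openfiles-max=2048:\
        :tc=default:
"""


def parse_login_conf(text):
    """Return {class_name: [capability, ...]} in file order.

    Records continue across lines with a trailing backslash, comments
    start with '#', and one record may carry several names joined by '|'.
    """
    classes, pending = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending.append(line[:-1])
            continue
        pending.append(line)
        record, pending = "".join(pending), []
        fields = [f for f in record.split(":") if f]
        for name in fields[0].split("|"):
            classes[name] = fields[1:]
    return classes


def resolve(classes, name, _chain=()):
    """Merge a class with its tc= parents; the class's own entries win."""
    if name in _chain:
        raise ValueError("tc= loop through %r" % name)
    if name not in classes:
        raise KeyError("no such login class: %r" % name)
    own, parents = {}, []
    for cap in classes[name]:
        key, sep, value = cap.partition("=")
        if key == "tc":
            parents.append(value)
        else:
            own[key] = value if sep else True   # boolean capability
    merged = {}
    for parent in parents:
        merged.update(resolve(classes, parent, _chain + (name,)))
    merged.update(own)
    return merged


def _limit(value):
    if value is None:
        return None
    if value in ("unlimited", "infinity"):
        return "unlimited"
    return int(value)


def openfiles_limits(classes, name):
    """Return (soft, hard) open-file limits for a class.

    'openfiles' sets both; 'openfiles-cur' / 'openfiles-max' override it
    individually, as described in login.conf(5).
    """
    caps = resolve(classes, name)
    both = caps.get("openfiles")
    return (_limit(caps.get("openfiles-cur", both)),
            _limit(caps.get("openfiles-max", both)))


def grants_at_least(classes, name, needed):
    """True if the class's hard limit allows at least `needed` open files.

    An unset limit means the system default applies, which this file
    cannot tell us, so it is reported as not granted."""
    hard = openfiles_limits(classes, name)[1]
    return hard == "unlimited" or (hard is not None and hard >= needed)


if __name__ == "__main__":
    classes = parse_login_conf(SAMPLE_LOGIN_CONF)
    for cls in ("default", "postfix", "mail-hard"):
        print(cls, openfiles_limits(classes, cls))
```

Run it against the real /etc/login.conf by reading the file into parse_login_conf(); if the class resolves correctly there, the remaining question is whether the Postfix processes were actually started under it.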


Re: pkgng repositories

2013-05-01 Thread Eric S Pulley

 On Wed, 01 May 2013 08:54:33 -0500, Quark unixuser2000-f...@yahoo.com
 wrote:

 Does some noble soul maintain any publically accessible pkgng repo?

 PCBSD has one!

 ftp://ftp.pcbsd.org/pub/mirror/packages/9.1-RELEASE/amd64/ (or i386)


Also if I remember right Xorg and KDE4 are included on the release DVD image.

-- 
  |  _   ASCII Ribbon
Eric S Pulley | ( )  Campaign Against
pul...@dabus.com |  X   HTML Mail
  | / \  www.asciiribbon.org




Re: Home WiFi Router with pfSense or m0n0wall?

2013-04-21 Thread Eric S Pulley

 Hi,

 I'm looking to replace the piece of crap 2wire WiFi router that gets
 cracked every other day for something with pfSense or m0n0wall

 I would like something that is plug and play and easy to use in the
 $300 range tops that has the WiFi router integrated. It seems only
 Hacom offers this. Can anyone recommend something different or has
 anyone here tried Hacom WiFi routers?

 Any additional comments or recommendations?

 Thanks,

 --
 Alejandro Imass


Get a HostAP capable miniPCI card and stick it in a netbook. I did that to
an Acer I picked up cheap and added external antenna (not sure how much
that mattered), works great all for under 300USD. I'm running OpenBSD on
mine but should do any of the firewall/routers specific variants just
fine.





Re: Soekris or .. ?

2013-03-01 Thread Eric S Pulley

 On Fri, Mar 1, 2013 at 11:49 AM, Julien Cigar jci...@ulb.ac.be wrote:
 Hello,

 I'm looking for a small Soekris-like (http://soekris.com/) box which
 support
 FreeBSD, any experience or brand to advise .. ?

 I'm using Soekris net4801 boxes with FreeBSD without problems
 since many years as small routers with pf, dhcp, bind, lighttpd etc...
 Last version i've tested is 8.3. I didn't update to 9.X yet for no other
 reasons than lack of time to try it, and I don't know if clang supports
 Geode well enough so I can't say anything about -CURRENT. But save
 for this, Soekris boxes and FreeBSD are a great match.

 Thank you,
 Julien

 -cpghost.

 --
 Cordula's Web. http://www.cordula.ws/


Just food for thought: You could also use a cheap netbook for about the
same money as a new Soekris box. Unless you have minimalistic power
requirements and really need the Soekris' 12-15W vs a netbook's 40-50W
draw.

Advantages, at least compared to my Soekris net4801, are integrated
screen, keyboard and UPS and much better network throughput via ural(4) or
similar versus the built in sis(4) of the net4801. If power is a major
concern you can shut down the LCD assuming you can get ACPI working
correctly.

-- 
ESP



Re: Unable to install xorg using pkg_add

2013-01-10 Thread Eric S Pulley

Read the 9.1 Release notes. This is the expected behavior. You'll need the
DVD iso or build from ports to get xorg going in 9.1 right now.


 Hello, I just installed FreeBSD last night using the bootonly image for
 9.0-RELEASE. I then updated to 9.1-RELEASE using freebsd-update.
 Everything
 seems to have gone smoothly but now I'm getting the below error when
 trying
 to install xorg.

 Error: Unable to get
 ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-9.1-release/Latest/xorg.tbz:
 File unavailable (e.g., file not found, no access)
 pkg_add: unable to fetch '
 ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-9.1-release/Latest/xorg.tbz'
 by URL






Re: Is FreeBSD 9 Production Ready?

2012-11-24 Thread Eric S Pulley


--On November 24, 2012 10:38:35 AM -0600 Tim Daneliuk 
tun...@tundraware.com wrote:



I am currently running FBSD 8.3-STABLE on a production server that
provides http, dns, smtp, and so on for a small domain.  This is not
a high arrival rate environment but it does need to be rock solid (which
FBSD 4-8 have been).

I am contemplating moving to the FBSD 9 family.  Is this branch ready
for production or should I wait a while yet?  I ordinarily avoid x.0
releases of anything and I know 9.1 is soon going to be with us.

In a related note, if I do move to 9.x is it sufficient to grab the
appropriate source tree and compile world and kernels, install and
reboot?  That is, is it reasonable to do an in-place upgrade?  This
is how I migrated 4-6, 6-7, and 7-8 and I am hoping this is still
the case since a complete reinstall is painful and slow.



I upgraded to 9 on a server that is basically doing what yours is. I used 
freebsd-update and it did all the right things no problems. Been running on 
9 without any issues pretty much since it came out. However, the only thing 
remotely fancy I'm doing is running root ZFS and link aggregation on my 
NICs.





Re: How is zfs file system known in fsck?

2012-11-18 Thread Eric S Pulley
--On November 18, 2012 10:38:43 AM -0500 Lynn Steven Killingsworth 
blue.seahorse.syndic...@gmail.com wrote:



Hi FreeBSD -

On my PC-BSD 9.1 RC3 I need to run fsck on my internal storage drive.

I would like to use I think:

fsck -y -F -t ufs /dev

The question is what should I place for 'ufs' since I have zfs.  My
guesses just generate similar to 'directories unknown'  My disk is also
gpt. If I leave out the file system type after -t my machine apparently
accepts a command to do something, but it of course does not do what is
needed.

Thanks


If you're going to run advanced filesystems you really should try to 
understand how they work. There is no fsck tool and no need for one on zfs. 
If you have managed to lose data while running zfs you'd better have a 
backup.


Read zpool(8) zfs(8)
and possibly http://docs.oracle.com/cd/E19253-01/819-5461/index.html


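Added example (mine, not from the thread): since there is no fsck for ZFS, the consistency check is a scrub followed by reading `zpool status`. This parses that output and turns it into a list of things to act on, so it can be dropped into a nightly check. SAMPLE_STATUS is constructed text in the layout zpool status prints; the pool and device names are assumptions.

```python
"""Assess `zpool status` output, the ZFS counterpart of running fsck.

Added example, not from the thread. Parses the header fields, the vdev
table and the errors line, and reports anything an operator would act on.
SAMPLE_STATUS is constructed; pool and device names are assumptions.
"""
import re

SAMPLE_STATUS = """\
  pool: tank
 state: DEGRADED
status: One or more devices has experienced an unrecoverable error.  An
        attempt was made to correct the error.  Applications are unaffected.
action: Determine if the device needs to be replaced, and clear the errors
        using 'zpool clear' or replace the device with 'zpool replace'.
  scan: scrub repaired 0 in 0h12m with 0 errors on Sun Nov 18 03:12:01 2012
config:

        NAME        STATE     READ WRITE CKSUM
        tank        DEGRADED     0     0     0
          mirror-0  DEGRADED     0     0     0
            ada0p3  ONLINE       0     0     0
            ada1p3  FAULTED      0     0    12  too many errors

errors: No known data errors
"""

# one row of the vdev table: name, state, three counters, optional note
ROW_RE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<state>[A-Z]+)\s+(?P<read>\d+)"
                    r"\s+(?P<write>\d+)\s+(?P<cksum>\d+)(?:\s+(?P<note>.*))?$")


def parse_zpool_status(text):
    """Return dict with pool, state, scan, errors and the vdev rows."""
    info = {"pool": None, "state": None, "scan": None, "errors": None, "vdevs": []}
    in_config = False
    for line in text.splitlines():
        if line.startswith("config:"):
            in_config = True
            continue
        if in_config:
            if line.startswith("errors:"):
                in_config = False
                info["errors"] = line.split(":", 1)[1].strip()
                continue
            m = ROW_RE.match(line)          # the NAME/STATE header does not match
            if m:
                info["vdevs"].append({
                    "name": m["name"], "state": m["state"],
                    "read": int(m["read"]), "write": int(m["write"]),
                    "cksum": int(m["cksum"]), "note": (m["note"] or "").strip(),
                })
            continue
        key, sep, value = line.strip().partition(":")
        if sep and key in ("pool", "state", "scan"):
            info[key] = value.strip()
    return info


def findings(info):
    """List what needs attention; an empty list means the pool is clean."""
    out = []
    if info["state"] != "ONLINE":
        out.append("pool %s is %s" % (info["pool"], info["state"]))
    for v in info["vdevs"]:
        if v["name"] != info["pool"] and v["state"] != "ONLINE":
            note = " (%s)" % v["note"] if v["note"] else ""
            out.append("%s is %s%s" % (v["name"], v["state"], note))
        if v["read"] or v["write"] or v["cksum"]:
            out.append("%s: %d read / %d write / %d checksum errors"
                       % (v["name"], v["read"], v["write"], v["cksum"]))
    if info["errors"] and info["errors"] != "No known data errors":
        out.append("data errors: " + info["errors"])
    m = re.search(r"scrub repaired \S+ in .* with (\d+) errors", info["scan"] or "")
    if not m:
        out.append("no completed scrub recorded; run zpool scrub")
    elif int(m.group(1)):
        out.append("last scrub found %s errors" % m.group(1))
    return out


if __name__ == "__main__":
    for line in findings(parse_zpool_status(SAMPLE_STATUS)):
        print(line)
```

Feed it the real output with `zpool status <pool>` piped into parse_zpool_status(); a non-empty findings list is the ZFS equivalent of fsck reporting problems, and the fix is zpool replace / zpool clear rather than any repair tool.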


Re: 9.0 install and journaling

2011-12-13 Thread Eric S Pulley
--On Tuesday, December 13, 2011 09:54:38 AM +1000 Da Rock 
freebsd-questi...@herveybayaustralia.com.au wrote:



On 12/13/11 06:00, Eric S Pulley wrote:

As for one big / partition- linux may be using it: and its their biggest
failing! I've had a system lockup due to lack of space. Never a problem
with bsd as logs will only fill up var, a user won't break it with
filling up usr, etc. And root always stays protected! Its saved my life
a number of times... I can quickly fill TB's of data in no time, and if
something goes bang the logs can be a silent killer too. My 2c's
anyway...


And along those lines for security of the system, this is the U.S. DoD
recommendations (well mandates really) including ZFS. Not that the DoD
doesn’t have security problems... but I’m not a big fan of the one or
two mount point solution either… never understood why other OS
packagers think it is okay to just dump it all under /

Per the DISA STIG (Security Technical Implementation Guide)

/ (obviously)
/home (home directories)
/var
/tmp
the location of the audit files

should all be separate mount points. The use of separate file systems for
different paths can protect the system from failures resulting from a
file system becoming full or failing...

in addition...

All local file systems must employ journaling or another mechanism that
ensures file system consistency.

Removable media, remote file systems, and any file system that does not
contain approved device files must be mounted with the nodev option.




Removable media, remote file systems, and any file system that does not
contain approved setuid files must be mounted with the nosuid option.

The nosuid option must be enabled on all NFS client mounts.

and so on... you can find a copy of the UNIX STIG online and some of it
is just crazy paranoia and makes your life a pain, but there are a lot of
good practices in it too.



I don't think any of it crazy paranoia. A PITA, maybe, but not paranoid.

Do you have a link to the original of it?


Sure,
http://iase.disa.mil/stigs/
Lots more there than just UNIX too. I find that the newer SRG xml files 
are easier to just load into a browser and read the recommendations rather 
than poring through the big sections in the STIGs.


http://iase.disa.mil/stigs/downloads/zip/unclassified_os-srg-unix_v1r1_finalsrg.zip

Or just do the checklists. There are no *BSD specific ones but the 
generic UNIX STIG works well (probably because at this point *BSD is 
basically the reference implementation of UNIX or at least it should be... 
damn Linux)




RE: 9.0 install and journaling

2011-12-13 Thread Eric S Pulley



--On Tuesday, December 13, 2011 08:54:23 AM -0800 Devin Teske 
devin.te...@fisglobal.com wrote:




We're seeing in 8.1-RELEASE that nodev is an invalid option for NFS
mounts that causes your system to boot into single-user mode. Is this
still the case in 9.0-RC2/3 or has the option been re-added? nodev was
a valid option in 4.11-RELEASE, not sure why it was removed (and/or made
invalid).
--
Devin

No, that was just a guideline for generic unix security practices; if nodev 
isn't supported by the filesystem there is nothing you can do about it. Not a 
FreeBSD specific issue. Sorry for the confusion.






Re: 9.0 install and journaling

2011-12-12 Thread Eric S Pulley

 As for one big / partition- linux may be using it: and its their biggest
 failing! I've had a system lockup due to lack of space. Never a problem
 with bsd as logs will only fill up var, a user won't break it with
 filling up usr, etc. And root always stays protected! Its saved my life
 a number of times... I can quickly fill TB's of data in no time, and if
 something goes bang the logs can be a silent killer too. My 2c's anyway...


And along those lines for security of the system, this is the U.S. DoD
recommendations (well mandates really) including ZFS. Not that the DoD
doesn’t have security problems... but I’m not a big fan of the one or two
mount point solution either… never understood why other OS packagers think
it is okay to just dump it all under /

Per the DISA STIG (Security Technical Implementation Guide)

/ (obviously)
/home (home directories)
/var
/tmp
the location of the audit files

should all be separate mount points. The use of separate file systems for
different paths can protect the system from failures resulting from a file
system becoming full or failing...

in addition...

All local file systems must employ journaling or another mechanism that
ensures file system consistency.

Removable media, remote file systems, and any file system that does not
contain approved device files must be mounted with the nodev option.

Removable media, remote file systems, and any file system that does not
contain approved setuid files must be mounted with the nosuid option.

The nosuid option must be enabled on all NFS client mounts.

and so on... you can find a copy of the UNIX STIG online and some of it is
just crazy paranoia and makes your life a pain, but there are a lot of
good practices in it too.

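Added example (mine, not from the thread or from DISA) for the STIG summary posted here and quoted again in the reply above: a checker that reads an fstab(5) and reports where it falls short of the quoted rules (separate mount points, nosuid on NFS, nodev/nosuid on removable media). Assumptions: the audit trail lives in /var/audit (FreeBSD's default for audit(4)); NFS mounts are required to carry nosuid but not nodev, since the follow-up in this thread reports nodev being rejected on NFS mounts; removable media is recognised by file system type (msdosfs, cd9660) or a da/cd device name; and journaling is not visible in fstab, so UFS mounts are listed for a manual check with dumpfs(8) rather than passed or failed. SAMPLE_FSTAB is constructed.

```python
"""Check an fstab(5) against the mount-layout rules quoted from the UNIX STIG.

Added example, not code from the thread or from DISA. SAMPLE_FSTAB is
constructed; the audit path and the removable-media heuristics are assumptions.
"""
import re

SAMPLE_FSTAB = """\
# Device           Mountpoint  FStype   Options          Dump  Pass#
/dev/ada0p2        /           ufs      rw               1     1
/dev/ada0p3        none        swap     sw               0     0
/dev/ada0p4        /var        ufs      rw               2     2
/dev/ada0p5        /tmp        ufs      rw,nosuid,nodev  2     2
/dev/ada0p6        /usr        ufs      rw               2     2
/dev/ada0p7        /home       ufs      rw,nosuid,nodev  2     2
fs1:/export/proj   /mnt/proj   nfs      rw,soft,intr     0     0
/dev/da0s1         /mnt/usb    msdosfs  rw,noauto        0     0
/dev/cd0           /cdrom      cd9660   ro,noauto        0     0
"""

REQUIRED_SEPARATE = ("/home", "/var", "/tmp", "/var/audit")   # audit path assumed
REMOVABLE_TYPES = {"msdosfs", "cd9660"}
REMOVABLE_DEVICE = re.compile(r"^/dev/(da|cd|acd)\d")           # USB / optical


def parse_fstab(text):
    """Return entries as dicts: device, mountpoint, fstype, options (a set)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue
        entries.append({
            "device": fields[0], "mountpoint": fields[1],
            "fstype": fields[2], "options": set(fields[3].split(",")),
        })
    return entries


def check_fstab(entries):
    """Return (findings, manual_checks); each item reads 'mountpoint: text'."""
    findings, manual = [], []
    mounted = {e["mountpoint"] for e in entries}
    for path in REQUIRED_SEPARATE:
        if path not in mounted:
            findings.append("%s: not a separate file system" % path)
    for e in entries:
        mp, fstype, opts = e["mountpoint"], e["fstype"], e["options"]
        # the thread reports nodev is rejected on NFS, so only nosuid is demanded
        if fstype == "nfs" and "nosuid" not in opts:
            findings.append("%s: NFS mount without nosuid" % mp)
        if fstype in REMOVABLE_TYPES or REMOVABLE_DEVICE.match(e["device"]):
            for opt in ("nodev", "nosuid"):
                if opt not in opts:
                    findings.append("%s: removable media without %s" % (mp, opt))
        if fstype == "ufs":
            manual.append("%s: UFS; confirm soft-updates journaling with dumpfs(8)" % mp)
    return findings, manual


if __name__ == "__main__":
    findings, manual = check_fstab(parse_fstab(SAMPLE_FSTAB))
    for f in findings:
        print("FAIL", f)
    for m in manual:
        print("CHECK", m)
```

Point it at /etc/fstab on a real host and the findings list is a short to-do; the manual list is there because SU+J is a property of the file system, not of the mount, and only dumpfs or tunefs -p will show it.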


Re: Breakin attempt

2011-10-22 Thread Eric S Pulley
Actually this looks like fairly normal white noise you can expect on a 
public facing ssh server. There are a lot of bots out there, looking for 
another box to own. If you're running PF, put in something like the 
following.


table <BADGUYS> persist
block in quick log from <BADGUYS>
.
.
.
pass in log on $ext_if proto tcp to ($ext_if) port { ssh } \
   flags S/SA modulate state \
   (max-src-conn-rate 3/60, overload <BADGUYS> flush global)

And remember that you need to wait a minute if you (for some reason) 
make more than x (3 in this case) connections from the same source in a 
minute's time.  Tune as needed.


Then disable root logins and only use keys if you can, strong PWs if you 
can't, and you should be good.



--On Saturday, October 22, 2011 03:43:44 PM +0200 Admin ValhallaProjectet 
ad...@thorshammare.org wrote:



Hello all



FreeBSD odin.thorshammare.org 8.2-STABLE FreeBSD 8.2-STABLE #0: Sat Oct 22
10:14:48 CEST 2011
ha...@odin.thorshammare.org:/usr/obj/usr/src/sys/ODIN i386

Firewall PF.

Blocking China and some other related countries in that region.
Disabled ssh root logins



Apparently, I'm under some kind of attack,  for the last 3 days.

Lots of attempts to ssh in as root from many different IP addresses.

No bruteforce attempts.

This just puzzles me. Using all these resources ? To achieve what ?

Below is a one hour snip from my auth.log

Nothing unusual in pflog

Appreciate all ideas of how to proceed with this matter.



Best regards Hasse



Oct 22 12:00:19 odin sshd[14359]: error: PAM: authentication error for
root from server.fabian.cz

Oct 22 12:01:08 odin sshd[14365]: Address 87.105.187.194 maps to
client-arsmedica-2.wroclaw.dialog.net.pl, but this does not map back to
the address - POSSIBLE BREAK-IN ATTEMPT!

Oct 22 12:01:09 odin sshd[14365]: error: PAM: authentication error for
root from 87.105.187.194

Oct 22 12:02:59 odin sshd[14422]: error: PAM: authentication error for
root from 87.229.7.163

Oct 22 12:03:36 odin sshd[14865]: error: PAM: authentication error for
root from 201.25.53.34

Oct 22 12:03:53 odin sshd[15571]: error: PAM: authentication error for
root from 109.237.210.147

Oct 22 12:05:18 odin sshd[18357]: error: PAM: authentication error for
root from 12.222.202.34

Oct 22 12:05:36 odin sshd[18375]: error: PAM: authentication error for
root from mx.aysor.am

Oct 22 12:05:53 odin sshd[18537]: error: PAM: authentication error for
root from 190.129.11.76

Oct 22 12:07:06 odin sshd[19429]: Address 80.188.13.214 maps to
www.profitaxi.cz, but this does not map back to the address - POSSIBLE
BREAK-IN ATTEMPT!

Oct 22 12:07:06 odin sshd[19429]: error: PAM: authentication error for
root from 80.188.13.214

Oct 22 12:07:27 odin sshd[19542]: error: PAM: authentication error for
root from 85.185.180.48

Oct 22 12:08:05 odin sshd[19591]: error: PAM: authentication error for
root from 208.125.137.121

Oct 22 12:09:45 odin sshd[19629]: error: PAM: authentication error for
root from 83.14.240.10

Oct 22 12:10:53 odin sshd[19699]: error: PAM: authentication error for
root from 200.160.121.246

Oct 22 12:10:59 odin sshd[19702]: error: PAM: authentication error for
root from 151.1.183.216

Oct 22 12:11:38 odin sshd[19787]: error: PAM: authentication error for
root from crm.nepinc.com

Oct 22 12:12:16 odin sshd[19830]: error: PAM: authentication error for
root from 189.16.12.146

Oct 22 12:12:45 odin sshd[19843]: error: PAM: authentication error for
root from narro.uaaan.mx

Oct 22 12:14:14 odin sshd[19913]: error: PAM: authentication error for
root from 217.128.151.181

Oct 22 12:14:56 odin sshd[19925]: reverse mapping checking getaddrinfo for
panda.zsuvoz.cz [195.178.81.116] failed - POSSIBLE BREAK-IN ATTEMPT!

Oct 22 12:14:56 odin sshd[19925]: error: PAM: authentication error for
root from 195.178.81.116

Oct 22 12:16:14 odin sshd[19995]: error: PAM: authentication error for
root from 87.193.246.26

Oct 22 12:16:23 odin sshd[20008]: error: PAM: authentication error for
root from 219.94.144.230

Oct 22 12:16:39 odin sshd[20026]: error: PAM: authentication error for
root from 82.130.143.216

Oct 22 12:17:41 odin sshd[20073]: error: PAM: authentication error for
root from 87.193.246.26

Oct 22 12:17:52 odin sshd[20102]: error: PAM: authentication error for
root from 82.130.143.216

Oct 22 12:21:16 odin sshd[20268]: error: PAM: authentication error for
root from 203.141.158.120

Oct 22 12:21:34 odin sshd[20286]: error: PAM: authentication error for
root from 208.125.137.121

Oct 22 12:22:05 odin sshd[20326]: reverse mapping checking getaddrinfo for
86-100-134-185-ip.balticum.lt [86.100.134.185] failed - POSSIBLE BREAK-IN
ATTEMPT!

Oct 22 12:22:05 odin sshd[20326]: error: PAM: authentication error for
root from 86.100.134.185

Oct 22 12:22:22 odin sshd[20339]: error: PAM: authentication error for
root from 201.232.69.113

Oct 22 12:23:35 odin sshd[20428]: error: PAM: authentication error for
root from 87.229.7.163

Oct 22 12:23:58 odin sshd[20486]: error: PAM: authentication error for
root from 
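Added example (mine, not from the thread): the same 3-per-60-seconds threshold as the pf rule above, applied to sshd/PAM lines from auth.log, so you can see which sources the overload table would have caught and which slow, spread-out attempts slip under the rate. One difference to keep in mind: the pf rule counts TCP connections regardless of outcome, this counts authentication failures only. SAMPLE_AUTH_LOG is constructed (RFC 5737 addresses) in the format shown in the post, and the year is assumed because syslog lines carry none.

```python
"""Spot password-guessing sources in sshd auth.log lines.

Added example, not code from the thread. Applies pf's max-src-conn-rate
3/60 idea to PAM authentication failures. SAMPLE_AUTH_LOG is constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_AUTH_LOG = """\
Oct 22 12:00:19 odin sshd[14359]: error: PAM: authentication error for root from 198.51.100.7
Oct 22 12:00:31 odin sshd[14362]: error: PAM: authentication error for root from 198.51.100.7
Oct 22 12:00:44 odin sshd[14366]: error: PAM: authentication error for root from 203.0.113.9
Oct 22 12:00:52 odin sshd[14370]: error: PAM: authentication error for root from 198.51.100.7
Oct 22 12:01:03 odin sshd[14375]: Address 203.0.113.9 maps to host.example.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Oct 22 12:01:05 odin sshd[14375]: error: PAM: authentication error for root from 203.0.113.9
Oct 22 12:01:10 odin sshd[14380]: error: PAM: authentication error for root from 198.51.100.7
Oct 22 12:02:00 odin sshd[14390]: error: PAM: authentication error for admin from 192.0.2.1
Oct 22 12:04:00 odin sshd[14391]: error: PAM: authentication error for admin from 192.0.2.1
Oct 22 12:06:00 odin sshd[14392]: error: PAM: authentication error for admin from 192.0.2.1
Oct 22 12:08:00 odin sshd[14393]: error: PAM: authentication error for admin from 192.0.2.1
"""

FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"error: PAM: authentication error for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_failures(lines, year=2011):
    """Yield (timestamp, user, source) per PAM authentication failure.

    'POSSIBLE BREAK-IN ATTEMPT' lines are only reverse-DNS mismatches and
    carry no authentication result, so they do not match and are skipped.
    """
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime("%d %s" % (year, m["ts"]), "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["src"]


def offenders(lines, max_hits=3, window_s=60):
    """Return {source: time it first exceeded max_hits failures within
    window_s seconds}, i.e. when pf's 3/60 rule would have tripped."""
    recent = defaultdict(deque)
    tripped = {}
    for ts, _user, src in parse_failures(lines):
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # slide the window
            q.popleft()
        if len(q) > max_hits and src not in tripped:
            tripped[src] = ts
    return tripped


def failures_by_source(lines):
    """Return {source: {user: count}} over the whole log."""
    counts = defaultdict(lambda: defaultdict(int))
    for _ts, user, src in parse_failures(lines):
        counts[src][user] += 1
    return {s: dict(u) for s, u in counts.items()}


if __name__ == "__main__":
    lines = SAMPLE_AUTH_LOG.splitlines()
    for src, when in offenders(lines).items():
        print("%s would land in <BADGUYS> at %s" % (src, when.time()))
    print(failures_by_source(lines))
```

The slow source (one failure every two minutes) never trips the rate limit, which is the usual argument for key-only authentication on top of the firewall rule rather than instead of it.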

Re: How to deny getting static ip address via pf ?

2011-07-26 Thread Eric S Pulley

On Tue, July 26, 2011 9:01 am, Chuck Swiger wrote:
 On Jul 26, 2011, at 3:44 AM, Yavuz Maşlak wrote:
 I use pf on freebsd as packet filter.

 I have a wireless area. The users get to the internet using automatic ip
 from the dhcp server.
 I wish to deny to assign a static ip address by manual.

 You can't prevent someone from doing manual configuration.

 If you were connecting via a smart switch, you can configure MAC address
 filtering on each of the switch ports and then use DHCPd to only assign
 each MAC to the right range or static IP, and then use an IP-based
 firewall to control traffic from there.  If a user tried to spoof some
 other MAC, the switch would block such traffic.

 However, with wireless, nothing prevents the users from spoofing other
 MACs.

 Regards,
 --
 -Chuck


If your purpose is to deny a person the ability to add themselves manually
to your local net and then get to other networks this is a perfect example
of the use for authpf. Combine authpf with port security on your local
switch (if you have that functionality).

But they can still spoof their MAC so it doesn't protect the local wifi
subnet much. Only thing I know works 100% is to set up a wifi net that is
unrouted with nothing in it but a VPN concentrator, once someone connects
to the wifi net then they establish an encrypted VPN connection that will
route the VPN traffic in/out of the wifi net.

Might be an interesting project for someone to add a PKI auth layer to the
DHCP protocol if someone hasn't already. I can think of several uses for
it.

Of course Cisco has something that might work for you:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ftdsiaa.html.
I'd rather figure something else out than pay them for their crap though.

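Added example (mine, not from the thread): pf cannot tell a manually configured address from a leased one, but the gateway can make a reasonable attempt after the fact. Every active host shows up in its ARP table, and every legitimate one should match an active lease in dhcpd.leases; this compares the two and reports the rest. As the thread says, a client that spoofs a leased MAC defeats it, so it catches the careless, not the determined. SAMPLE_LEASES and SAMPLE_ARP are constructed in the isc-dhcpd and FreeBSD `arp -an` formats; the subnet, addresses and interface names are assumptions.

```python
"""Find hosts on a DHCP-only subnet that are not using a live lease.

Added example, not code from the thread. Cross-checks the gateway's ARP
table against dhcpd.leases. SAMPLE_LEASES and SAMPLE_ARP are constructed.
"""
import ipaddress
import re

SAMPLE_LEASES = """\
lease 10.0.50.25 {
  starts 2 2011/07/26 13:01:10;
  ends 2 2011/07/26 15:01:10;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "laptop-a";
}
lease 10.0.50.24 {
  starts 2 2011/07/26 11:00:00;
  ends 2 2011/07/26 13:00:00;
  binding state free;
  hardware ethernet 00:11:22:33:44:66;
}
lease 10.0.50.23 {
  starts 2 2011/07/26 12:30:00;
  ends 2 2011/07/26 14:30:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:77;
}
"""

SAMPLE_ARP = """\
? (10.0.50.1) at 00:0d:b9:aa:bb:cc on wlan0 permanent [ethernet]
? (10.0.50.25) at 00:11:22:33:44:55 on wlan0 expires in 1187 seconds [ethernet]
? (10.0.50.24) at 00:11:22:33:44:66 on wlan0 expires in 600 seconds [ethernet]
? (10.0.50.77) at 00:de:ad:be:ef:01 on wlan0 expires in 900 seconds [ethernet]
? (10.0.50.23) at 00:11:22:33:44:99 on wlan0 expires in 300 seconds [ethernet]
? (10.0.50.90) at (incomplete) on wlan0 expired [ethernet]
? (192.0.2.10) at 00:aa:bb:cc:dd:ee on em0 expires in 100 seconds [ethernet]
"""

LEASE_RE = re.compile(r"lease (\S+) \{(.*?)\}", re.S)
ARP_RE = re.compile(r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\) at (?P<mac>[0-9a-fA-F:]{17}) on (?P<ifn>\S+)")


def parse_leases(text):
    """Return {ip: (binding_state, mac)}; dhcpd appends, so the last record wins."""
    leases = {}
    for ip, body in LEASE_RE.findall(text):
        state = re.search(r"binding state (\w+);", body)
        mac = re.search(r"hardware ethernet ([0-9a-fA-F:]+);", body)
        leases[ip] = (state.group(1) if state else "unknown",
                      mac.group(1).lower() if mac else None)
    return leases


def parse_arp(text):
    """Return [(ip, mac, interface)] for resolved entries; '(incomplete)' is skipped."""
    return [(m["ip"], m["mac"].lower(), m["ifn"]) for m in ARP_RE.finditer(text)]


def unleased_hosts(arp_entries, leases, subnet, exclude=()):
    """Return [(ip, mac, reason)] for hosts in subnet without a matching
    active lease. `exclude` lists the gateway's own addresses."""
    net = ipaddress.ip_network(subnet)
    out = []
    for ip, mac, _ifn in arp_entries:
        if ipaddress.ip_address(ip) not in net or ip in exclude:
            continue
        lease = leases.get(ip)
        if lease is None:
            out.append((ip, mac, "no lease on record"))
        elif lease[0] != "active":
            out.append((ip, mac, "lease is %s" % lease[0]))
        elif lease[1] != mac:
            out.append((ip, mac, "lease held by %s" % lease[1]))
    return out


if __name__ == "__main__":
    hits = unleased_hosts(parse_arp(SAMPLE_ARP), parse_leases(SAMPLE_LEASES),
                          "10.0.50.0/24", exclude=("10.0.50.1",))
    for ip, mac, reason in hits:
        print(ip, mac, reason)
```

On the gateway, feed it `cat /var/db/dhcpd.leases` and `arp -an` and run it from cron; the "lease held by" case is the interesting one, since that is either a squatter on a leased address or the spoofing the thread warns about.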