Re: note on my messed up 2003 dell

2012-02-17 Thread J65nko
Replacing the old battery with a new one usually solves this kind of
problem. I just did this yesterday ;)

On 2/17/12, Gary Kline kl...@thought.org wrote:

 guys, this is just a FWIW, but it's worth bearing in mind.  i just
 tried to change the bios settings so that the old computer would
 boot from CD first.  no-joy.  long-story short, months in the garage
 or just-age must have ruined this box.

 --
  Gary Kline  kl...@thought.org  http://www.thought.org  Public Service Unix
  Voice By Computer (for Universal Access): http:/www.thought.org/vbc
   The 8.57a release of Jottings: http://jottings.thought.org
  Twenty-five years of service to the Unix community.

 ___
 freebsd-questions@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-questions
 To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org



Re: Diagnosing packet loss

2011-11-22 Thread J65nko
On Tue, Nov 22, 2011 at 9:33 PM, Kees Jan Koster kjkos...@gmail.com wrote:
 Dear All,

 I am stuck with a machine that shows serious packet loss (about 1% of all 
 traffic is dropped). I tried the obvious (new network cable, different switch 
 port, different ethernet interface on the machine), but the problems remain.

 Another machine that sits in the same rack and is hooked up to the same 
 switch shows no such packet loss issues. The problematic machine is a dual 
 Opteron with FreeBSD 8.2-STABLE from Thu Aug 11 14:05:47 CEST 2011.

 The machine is lightly loaded. A MySQL slave is running, but the machine is 
 not serving queries. Plus a Munin server process.

 I am at a loss where to start diagnosing this. Can you advise me where to 
 look? Are there network buffers that may be overflowing?
 --

To check input/output errors and collisions : netstat -in

Detailed TCP/IP statistics: netstat -s  or  netstat -ss

Checking Receive and Send Queue : netstat -an -f inet

Buffers: netstat -m

Adriaan
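
Added example, not part of the original reply: a filter for the `netstat -in` output suggested above that lists interfaces whose link-level row shows input errors, output errors or collisions. The sample table is constructed and assumes the FreeBSD 8.x column layout; `check_netstat_errors` and `sample_netstat_in` are names chosen here.

```shell
#!/bin/sh
# Added example: flag interfaces whose link-level counters in `netstat -in`
# show input errors, output errors or collisions.

check_netstat_errors() {
    # Reads `netstat -in` output on stdin, prints one line per suspect interface.
    awk '
    NR == 1 {
        # Remember each column as an offset from the LAST field. The Address
        # column can be empty (e.g. lo0), so counting from the left misaligns.
        for (i = 1; i <= NF; i++) off[$i] = NF - i
        next
    }
    $3 ~ /^<Link/ {      # per-address rows carry "-" in the error columns
        ip = col("Ipkts"); ie = col("Ierrs"); oe = col("Oerrs"); co = col("Coll")
        if (ie + 0 > 0 || oe + 0 > 0 || co + 0 > 0) {
            pct = (ip + 0 > 0) ? 100 * ie / ip : 0
            printf "%s ierrs=%s (%.2f%% of %s ipkts) oerrs=%s coll=%s\n", \
                   $1, ie, pct, ip, oe, co
        }
    }
    # Look a counter up by header name; a column the header lacks counts as 0.
    function col(name) { return (name in off) ? $(NF - off[name]) : 0 }
    '
}

sample_netstat_in() {
    # Constructed sample (assumed FreeBSD 8.x layout); not captured from a real host.
    cat <<'EOF'
Name    Mtu Network       Address              Ipkts Ierrs Idrop    Opkts Oerrs  Coll
em0    1500 <Link#1>      00:00:5e:00:53:01  5000000     0     0  4000000     0     0
em0    1500 192.0.2.0/24  192.0.2.10         4990000     -     -  3990000     -     -
em1    1500 <Link#2>      00:00:5e:00:53:02  1200000 12000     0   900000     0     0
lo0   16384 <Link#3>                             100     0     0      100     0     0
EOF
}

sample_netstat_in | check_netstat_errors
```

On a live host the same function is fed with `netstat -in | check_netstat_errors`; running it twice a few minutes apart shows whether the error counters are still growing.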


Re: Serial console with incorrect terminal set

2011-11-16 Thread J65nko
On Wed, Nov 16, 2011 at 3:52 PM, James Edwards jedwa...@bsdftw.org wrote:
 Hi All,

 I have two servers currently colocated, one running FreeBSD 8.2/amd64 ,
 and the other is a Sun Netra T1 that I am attempting to install FreeBSD
 8.2 on, over serial.

 When the system booted up, I was presented with a list of console options
 and I chose the first option, I believe to be ANSI (I have a knack for
 never picking the right one).  The keyboard mapping was a bit screwed up,
 but somehow I managed to get to the Fixit shell.  In order to test that I
 had my secondary NIC setup correctly, I just ran 'ping 10.0.0.2' and now
 it won't stop.

 If I hit 'Ctrl+C', it keeps going.  I tried 'Ctrl+Z' in order to attempt
 to suspend it so I can kill the process, but that brings up the 'Abort,
 Restart, Continue' screen, but it gets interrupted by ping.  I tried
 sending a break command using '~#', but I can't get to the OpenFirmware to
 restart in attempt to pick the correct terminal settings.  IIRC, the break
 is not supported without a kernel that supports it.

 It could be easier to call my ISP and have someone power down the machine
 for me, as the Netra has LOM.  In a worse case scenario, I can swing by
 and do it myself after work.

 My question is, is there another way to either 1) Stop ping or 2) Get to
 the openfirmware console?

You can stop ping with :
$ pkill -TERM ping

From the ping man page:

-c count
 Stop after sending (and receiving) count ECHO_RESPONSE packets.
 If this option is not specified, ping will operate until inter-
 rupted.

So with something like ping -c4 10.0.0.2 , it would stop after 4 pings.

Good luck ;)

Adriaan


Re: switching from gnu make to bsd make

2011-02-10 Thread J65nko
On Thu, Feb 10, 2011 at 8:32 AM, Vikash Badal vikash.ba...@is.co.za wrote:
 Can someone please advise me as to how I switch the following lines of gnu 
 make to bsd make


 $(OBJDIR)/%.o:${SRCDIR}/%.c
        ${CC} -c ${CFLAGS} ${INCDIR} ${LIBDIR} $< -o $@


I use BSD make for XML and XSLT transformations, so I cannot advise
you about this particular issue, but there is a very nice tutorial
about the BSD make at
http://www.freebsd.org/doc/en_US.ISO8859-1/books/pmake/index.html

Good luck


Re: if the file changes send email about diff

2011-02-06 Thread J65nko
On Sun, Feb 6, 2011 at 2:33 PM, kellyremo kellyr...@zoho.com wrote:

 I have 2 script. Script A, Script B.

 Script A is regularly watching the dhcpacks [dhcp release is configured to 
 2mins] in the logs, for the past 2 minutes. it writes the MAC addresses to a 
 file [/dev/shm/dhcpacks-in-last-2min.txt] every 2 minutes. Ok, this is 
 working, active clients are in this file. Super!

 Script B: http://pastebin.com/raw.php?i=wvhwhPWu
 I'm trying to create a script, that watches the changes in 
 /dev/shm/dhcpacks-in-last-2min.txt file [in every 1 sec]. Ok. But: my 
 watcher script [the pastebined] is not working fine...sometime it works, 
 sometime it send that someone XY logged out, but it's not true! nothing 
 happened, and the problem is not in the Script A.

 Can someone help me point out, what am i missing? How can i watch a file [in 
 every sec], that contains only MAC addresses, and if someone doesn't get 
 dhcpack in 2 minutes, the file /dev/shm/dhcpacks-in-last-2min.txt changes, 
 and that clients MAC address will be gone from it, and i need to know, who 
 was it [pastebined my script..but somethings wrong with it].

You are attempting to re-invent the wheel called revision control
system ;) Your FreeBSD box has a simple revision control system
called 'rcs'. It will do the most things you are trying to emulate in
your shell script.

Read the rcsintro(1) man page how to get started.


Re: sysinstall and mfs Great News and another Question

2010-02-11 Thread J65nko
On Thu, Feb 11, 2010 at 3:44 AM, Martin McCormick
mar...@dc.cis.okstate.edu wrote:
 J65nko writes:
 IMHO it is easier to install FreeBSD without using sysinstall at all.

 See the FreeBSD Install Without Sysinstall guide at
 http://www.daemonforums.org/showthread.php?t=1538

        This looks very possible with a couple of changes. Am I
 right in my reading of the man page of mdconfig that the memory
 disk image will gobble up at least as much RAM as the image,
 itself? In this case, that's about 600 times more than I have
 available. mfsbsd seems as solid as a rock as long as you don't
 do something that needs lots of buffer space as there is only
 about a megabyte or two left over. tar works fine and I can copy
 either an iso image or a tar ball made from the file system over
 to the newly-formatted drive where it can be unpacked.  It may
 be necessary to run chroot /mnt so as not to munch mfs when
 running the install.sh scripts but I think this should install
 the system.

        I really have given up on sysinstall for this purpose.
 It is hard to script and it appears that if you use the custom
 installation, you almost get a system but the effort is hardly
 worth it. One still has to install the kernel and many of the
 configuration files like /etc/rc.conf. I don't know why but
 another article I read on remote installation of FreeBSD that
 uses sysinstall describes this so I know it isn't just me doing
 something stupid. I feel kind of stupid spending almost 3 weeks
 finding out what doesn't work.

        When using mfsbsd, one already has enough information in
 the interface configuration and resolv.conf to populate /etc/rc.conf,
 /etc/hosts and /etc/resolv.conf to match the present network
 configuration. The local time zone is a copy of one of the rule
 sets for computing time placed as /etc/localtime. In the middle
 of the United States, it is /usr/share/zoneinfo/America/Chicago
 copied, not linked, to /etc/localtime.

        The goal is to run the script I will build under mfsbsd
 and then boot the system in working order as if it had been
 installed via sysinstall by someone sitting at a console.

 Martin McCormick WB5AGZ  Stillwater, OK
 Systems Engineer
 OSU Information Technology Department Telecommunications Services Group


Re: sysinstall and mfs Great News and another Question

2010-02-09 Thread J65nko
On Tue, Feb 9, 2010 at 4:41 AM, Martin McCormick
mar...@dc.cis.okstate.edu wrote:
        I really hate to give up on anything and I finally found
 out my problem with getting sysinstall to use the hard drive
 rather than garbaging up mfs every time. The problem is not
 something you can set in the partition editor or disklabel
 editor. It is found in the very first menu which oddly is
 numbered 2 and is the options editor. The option that makes it
 all work is one that lets you specify where you want the
 distribution to go on the drive. It is always set for you when
 using the CDROM unless you were formatting another disk so it is
 kind of easy to miss. I missed it for a week and a half.

        Now the question. There are a bunch of functions that
 can be set in sysinstall such as the bsdlabel editor, partition
 editor and dists to name a few. It would be nice to be able to
 set that mount point in install.cfg because I am trying to make
 a script that coworkers can run to configure a system quickly
 without having to waste a week of their own trying to figure it
 all out.

IMHO it is easier to install FreeBSD without using sysinstall at all.

See the FreeBSD Install Without Sysinstall guide at
http://www.daemonforums.org/showthread.php?t=1538


Re: FreeBSD's UFS vs Ext4

2010-02-08 Thread J65nko
On Mon, Feb 8, 2010 at 5:46 AM, alex a...@mailinglist.ahhyes.net wrote:


 I do suspect personally that the ext4 filesystem is the reason for the
 difference here, since ext4 has a number of features such as deferred disk
 writes etc. Even deleting a large file off that raid array I can see a
 difference, prior to reformatting, i deleted a 190GB file off the raid,
 under UFS the delete took quite some time (well over 10 seconds), under ext4
 the deletion of the same size file took about 3 seconds.

 But what I said with ext4 being faster than the aging UFS still rings true
 in my mind, look at the recent Phoronix benchmarks for yourself and see (10
 pages of benchmarks).

 http://www.phoronix.com/scan.php?page=article&item=freebsd8_benchmarks&num=1
 (skip to page 7 of the benchmarks if you want to see the I/O stuff relating
 to disk performance)

According to the first page they used the default configuration of all
benchmarked OS'es.
And what is the default mount option on Linux? "async"

The FreeBSD man page for mount describes this async option as follows:

async   All I/O to the file system should be done asynchronously.
This is a dangerous flag to set, since it does not guar-
antee that the file system structure on the disk will
remain consistent.  For this reason, the async flag
should be used sparingly, and only when some data recov-
ery mechanism is present.


The OpenBSD man page has the following additional remark:

The most common use of this flag is to speed up
restore(8) where it can give a factor of two speed in-
crease.

Conclusion: you cannot compare filesystem performance, when you give
one an unfair speed advantage of what could be a factor two.


Re: PASSWORD LOST!!

2010-02-08 Thread J65nko
On Mon, Feb 8, 2010 at 7:53 PM, Eric Petersen
er...@andersonbrothers.biz wrote:
 Hey guys,

 I have a web/ftp server loaded with FreeBSD. This was done a couple of years
 back. Since then the person or persons that did the original install have
 gone out of business and cannot be found.

 Currently I have an issue logging into the ftp. I hooked a monitor up to the
 server and I'm getting filesystem full errors and since I don't have a
 password to get in I cannot have it fixed by someone that knows UNIX. I have
 made numerous attempts to contact the person that installed on a personal
 level. But I'm getting the impression he has moved with no forwarding.

 If you have need for more information I will supply it. I just don't know
 where to start. Our company's ftp is down and doesn't look like it will
 return anytime soon with out further assistance.

 Thank you for your time and have a great day.


Read 
http://www.freebsd.org/doc/en_US.ISO8859-1/books/faq/admin.html#FORGOT-ROOT-PW
how to become root or the superuser.

It could be wise to hire somebody to fix the problem.


Re: wrong md5 sum of 8.0-RELEASE-amd64-dvd1.iso.gz ??

2010-02-04 Thread J65nko
On Fri, Feb 5, 2010 at 4:37 AM, Shripad R. shripad...@gmail.com wrote:
 hi,
 i just wanted to upgrade my current 7.2 to 8.0 and wanted to do it from
 scratch so downloaded 8.0-RELEASE-amd64-dvd1.iso.gz.
 But the md5 mentioned here
 http://www.freebsd.org/releases/8.0R/announce.html is :

 MD5 (8.0-RELEASE-amd64-dvd1.iso) = 44c016ae8812a266f710d1845722366d

Please note the .iso extension

 And the md5 i am getting after downloading the ISO is :
 MD5 (8.0-RELEASE-amd64-dvd1.iso.gz) = add311be2d189cde1d47ba515c05f440

Please note the .iso.gz extension

So unpack your iso.gz file and then recheck the MD5
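
The check described above, as an added example that is not part of the original post: hash the decompressed stream so the result is comparable with the digest published for the `.iso`, without unpacking the image to disk first. `md5_hex` and `verify_gz_image` are names chosen here, and the demo file is constructed.

```shell
#!/bin/sh
# Added example: compare a published MD5 with the right byte stream.

# md5_hex: print the hex MD5 of stdin with whichever tool the host has.
md5_hex() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum | awk '{ print $1 }'      # GNU coreutils
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q                           # FreeBSD base system
    else
        echo "no md5 tool found" >&2; return 127
    fi
}

# verify_gz_image FILE.gz PUBLISHED_MD5
# Prints which stream, if any, the published digest belongs to.
# Returns 0 on a match, 1 on a mismatch, 2 when the archive itself is damaged.
verify_gz_image() {
    vg_file=$1
    vg_want=$(printf '%s' "$2" | tr 'A-F' 'a-f')

    # A truncated download fails here before any digest is compared.
    gzip -t "$vg_file" 2>/dev/null || { echo "damaged-archive"; return 2; }

    vg_plain=$(gzip -dc "$vg_file" | md5_hex)   # digest of the .iso inside
    vg_packed=$(md5_hex < "$vg_file")           # digest of the .iso.gz itself

    if [ "$vg_plain" = "$vg_want" ]; then
        echo "match-uncompressed"; return 0
    elif [ "$vg_packed" = "$vg_want" ]; then
        # The digest was published for the compressed file, not the image.
        echo "match-compressed"; return 0
    fi
    echo "mismatch"; return 1
}

# Constructed demo: a small file stands in for the ISO image.
demo_dir=$(mktemp -d)
printf 'constructed stand-in for an ISO image\n' > "$demo_dir/demo.iso"
published=$(md5_hex < "$demo_dir/demo.iso")     # plays the announced .iso digest
gzip -c "$demo_dir/demo.iso" > "$demo_dir/demo.iso.gz"
verify_gz_image "$demo_dir/demo.iso.gz" "$published"
rm -rf "$demo_dir"
```

For the file in this thread the call would be `verify_gz_image 8.0-RELEASE-amd64-dvd1.iso.gz 44c016ae8812a266f710d1845722366d`. An MD5 match shows the download was not truncated or corrupted; it does not authenticate where the image came from.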


Re: FTP using .netrc

2010-02-01 Thread J65nko
On Mon, Feb 1, 2010 at 11:11 AM, Fbsd1 fb...@a1poweruser.com wrote:
 Goal is to download the install source directory tree so I can use it as
  an target for local ftp sysinstall.

 The problem is that the FreeBSD ftp server keeps timing out before
 everything is downloaded. This is the error message ftp gives me.

 421 Service not available, remote server timed out. Connection closed

 This is the command line command used to launch the ftp session
 ftp -v ftp.FreeBSD.org

 It defaults to using /root/.netrc which is shown below


 machine ftp.FreeBSD.org
 login anonymous
 password f...@home.com
 macdef init
 prompt off
 cd /pub/FreeBSD/releases/i386/8.0-RELEASE
 epsv4 off
 mget  ERRATA.HTM ERRATA.TXT HARDWARE.HTM HARDWARE.TXT README.HTM
 mget  README.TXT RELNOTES.HTM RELNOTES.TXT cdrom.inf docbook.css
 $ getdir base catpages dict doc games info kernels manpages ports proflibs src
 quit

 macdef getdir
 ! mkdir $i
 mget $i/*


 Question is how can I make FTP resume the download at the place it timed
 out. IE not start at the beginning and re-download all the same files
 already received. ftp -vR ftp.FreeBSD.org just starts downloading from
 the beginning again.

That .netrc looks familiar ;)

I never had that issue, but I always used a ftp mirror site listed in
the handbook, instead of one of the busiest ftp sites in the world. ;)


Re: Generating normally distributed random numbers.

2010-01-30 Thread J65nko
On Sun, Jan 31, 2010 at 4:30 AM, Rolf Nielsen
listrea...@lazlarlyricon.com wrote:

 I am working on a project where I have the need to generate normally
 distributed random positive integers, preferably unsigned 64 bit (or even
 longer if possible) integers. More specifically, I will need the ability to
 supply the expected value and the standard deviation for the desired
 distribution, so a standard normal distribution will not do.

 Is there anyone out there who knows how to accomplish this? I have no idea
 whatsoever, and for all I know there may already be a function that does
 this in the math library. I'm quite accomplished when it comes to math, but
 strangely I've never programmed computers for it.


http://en.wikipedia.org/wiki/Random_number_generator#Generation_from_a_probability_distribution
refers to two methods.


Re: Is their Automatic command to send a JPG file using FTP

2010-01-27 Thread J65nko
On Wed, Jan 27, 2010 at 11:08 PM, Dixit, Viraj
viraj.di...@cityofpaloalto.org wrote:
 Hi,
 I am looking to see if there a command or a script In BSD Os that will
 allow me to ftp to a server automatically and get a file from another
 server. User name and passwd will be already in the script so it will
 run ftp and download a file or a JPG from that server. Like in Linux OS
 there is a command using .netrc file and you can script that file and
 will automatically do what is in the file at time interval that you
 want.  Thanks,
 VJ

Yes, FreeBSD ftp supports .netrc files.

I posted a guide to download a FreeBSD release with a .netrc file at
http://www.daemonforums.org/showthread.php?t=4212


Re: Blocking a slow-burning SSH bruteforce

2010-01-01 Thread J65nko
After some posts a discussion on the freebsd-stable mailing list goes into
several approaches to deal with these SSH probes.

See http://lists.freebsd.org/pipermail/freebsd-stable/2009-December/053326.html

You still could allow outgoing ssh traffic on port 22 and allow
incoming SSH on another port.

Adriaan


Re: /bin/sh does not read profile

2009-03-05 Thread J65nko
On Wed, Mar 4, 2009 at 4:08 PM, Bertram Scharpf
li...@bertram-scharpf.de wrote:
 Hi,

 from man sh:

   Invocation
 [...]  When first starting, the shell inspects
 argument 0, and if it begins with a dash (`-'), the shell is also consid-
 ered a login shell.  This is normally done automatically by the system
 when the user first logs in.  A login shell first reads commands from the
 files /etc/profile and then .profile in a user's home directory, if they
 exist.  [...]

 I use Slim (X login manager) which calls

  exec /bin/sh - ~/.xinitrc

 I first wondered why none of my commands in /etc/profile and
 ~/.profile got executed.  Finally, I modified
 /usr/src/bin/sh/main.c to trace what files are read, recompiled
 the sh command and: the only file that is executed is ~/.shrc.

 I just cannot believe that FreeBSD has such a severe bug. What is
 going wrong here?


Put the following in a file called .Xresources :
   XTerm*loginShell: true

=Adriaan=


Re: Is the freesbie project dead????????

2008-09-12 Thread J65nko
On Fri, Sep 12, 2008 at 4:56 AM, FBSD1 [EMAIL PROTECTED] wrote:
 I can't reach http://www.freesbie.org/ to official site for the project.

 Has this project disbanded?

Not sure about that.

But the following post on daemonforums.org has a list of *BSD live CD :
http://daemonforums.org/showthread.php?t=1505#post11017

J65nko


Re: PF, bridge, states and window scaling problem

2007-11-13 Thread J65nko
On Nov 12, 2007 9:08 PM, Alupului Costin [EMAIL PROTECTED] wrote:
 Hello all,

 I seem to have quite a problem with PF. I have set up a bridge to
 shape my upstream traffic. I use ALTQ with hfsc discipline; but that's
 not really important. My problem comes with the filter rules. I have
 to use keep state because of the speed benefits (really I don't have a
 choice), but PF has a problem when the clients passing traffic through
 the bridge use TCP window scaling. Here is an example of four filter
 rules that I thought should work to pass the traffic from one client
 through the bridge and create a state:

 pass in quick on vlan0 from any to anIP/32
 pass out quick on vlan0 from anIP/32 to any keep state queue ul_client
 pass in quick on vlan1 from anIP/32 to any
 pass out quick on vlan1 from any to anIP/32 keep state queue dl_client

 The above rules generate state-mismatches. I thought that would be
 because pf doesn't see the SYN packet, although it does (one of the
 out rules) and should create the state then... I tried writing all the
 rules with keep state (even the inbound ones) but then nothing would
 work at all. My intention was to create if-bound states, but I
 switched back to floating states in the hope that pf would associate
 the state created by an outbound rule with the traffic returning on
 another interface of the bridge; still didn't work.

 I have read the man page for if_bridge and set the following sysctl variables:

 net.link.bridge.pfil_onlyip: 1
 net.link.bridge.pfil_bridge: 0
 net.link.bridge.pfil_member: 1

 I have also read some posts on the web that said that pf simply
 doesn't have all the hooks necessary to do the filtering inbound and
 outbound, but reading the pfil man page I seem to disagree with that.

 Has anyone encountered the same problem? And, more important: if i
 give up the bridge setup and switch to routing, would that have any
 effect? I.E: will I then be able to use keep state with the inbound
 rules?

 Any help at all would be hugely appreciated as I am trying for about a
 week to sort out this problem and can't seem to get any closer. The
 only solution was to kindly ask my clients using TCP window scaling
 (Vista mostly) to turn off this feature... Now I am seriously
 considering bumping my bridge to a router but I am not sure that the
 problem will be solved then.

 Oh, here is the setup of the bridge from rc.conf, although there
 shouldn't be any problems there (the bridge works fine without pf, or
 with pf stateless):

 #
 # Core: em2 - vlan1
 # Border:   em1 - vlan0
 # Bridge0   vlan0 -- vlan1
 #
 cloned_interfaces="bridge0 vlan0 vlan1"
 ifconfig_em0="up"
 ifconfig_em1="up"
 ifconfig_em2="up"
 ifconfig_vlan0="vlan 132 vlandev em1 up"
 ifconfig_vlan1="vlan 132 vlandev em2 up"
 ifconfig_bridge0="addm vlan0 addm vlan1 up"
 # Admin iface
 ifconfig_em0="inet adminIP netmask 255.255.255.0"


See "Create TCP states on the initial SYN packet" from
http://undeadly.org/cgi?action=article&sid=20060928081238

That paragraph explains nicely the necessity of pf to create state on
the first packet of the 3-way TCP handshake to prevent TCP window
scaling issues.

=Adriaan=


Re: www.freebsd.org won't load in IE 7.x in vista box.

2007-10-17 Thread J65nko
On 10/16/07, Lisandro Grullon [EMAIL PROTECTED] wrote:
 Dear all users,
 After troubleshooting from all angles this problem i have run out of 
 imagination/sense. I loaded a machine with Windows Vista a work and try 
 accessing the www.freebsd.org website. The web site didn't load, yet I try 
 again in 10 other machines to see if it was a machine issue. Lastly I try 
 loading the site in a Windows XP machine and it works ok. What seems to be 
 the problem in this case? I have run out of ideas and even ask a few colleagues 
 at work and they don't seem to have a clue either. Please advise. Lisandro 
 grullon

From the section "Compatibility problems" of
http://en.wikipedia.org/wiki/TCP_window_scale_option

TCP Window Scaling is widely implemented in the Windows Vista
operating system. Because many routers do not properly implement TCP
Window Scaling, it can cause a users Internet connection to
malfunction intermittently for a few minutes, then appear to start
working again for no reason. If diagnose problem is selected in
Vista, an error message will be displayed cannot communicate with
primary DNS server.



Re: help with text-append over SSH ?

2007-10-14 Thread J65nko
On 10/14/07, Wojciech Puchar [EMAIL PROTECTED] wrote:
  'dd' command (among others) on the remote host ... so
  for instance, I can do things like this:
 
  ssh [EMAIL PROTECTED] rm -rf filename
 
  So, with all that in mind, how do I append the
  contents of a local file to a remote file, over SSH,
  using either 'echo' or 'dd' ?
 

 cat file |ssh [EMAIL PROTECTED] "cat >> file"

 replace cat with dd if you have to

You can drop the first cat

ssh [EMAIL PROTECTED] "cat >> file" < file

=Adriaan=


Re: BSD Live?

2007-10-11 Thread J65nko
On 10/11/07, Timothy Klaver [EMAIL PROTECTED] wrote:
 Is there any BSD version that provides a LiveCD so that I can test the
 OS and see whether or not I will enjoy it before actually installing?

Last year I played with RoFreeSBIE, and was quite impressed. See
http://www.rofreesbie.org/


Re: http://www.freebsd.org site unreachable

2007-09-14 Thread J65nko
On 9/14/07, Harry Maugans [EMAIL PROTECTED] wrote:
 I've confirmed (through a friend) in England it's not accessible either.

 I'm surprised they wouldn't have redundancies to prevent this from
 happening.  Round robin DNS with collocation at least.

There is a kind of redundancy. The FreeBSD website is mirrored in many
countries. I hardly have problems with www.nl.freebsd.org.

I wonder why so many people still use the main site, while there are a
lot of mirror sites.


Re: Question about Window Scaling

2007-08-31 Thread J65nko
On 8/30/07, Shah, Baiju-p98993 [EMAIL PROTECTED] wrote:
 Greetings.

 We currently use Espion appliance running FreeBSD 4.9 as a mail interceptor 
 for SPAM.  We have one customer who has their mail gateway hard coded with 
 Window Scaling (WS=9).  Their mail gateway fails to establish SMTP hello 
 connection with WS=9.  However if they set their Window Scaling to 7, it 
 works.

 Where can I go on the FreeBSD to see its configuration for Window Scale?  How 
 can I modify that configuration?  Please email me with your recommendation to 
 [EMAIL PROTECTED] Any and all help are appreciated.  Thank you in advance.

[snip]

A not well configured firewall also could cause problems with TCP
window scaling. See the section "Create TCP states on the initial SYN
packet" of Daniel Hartmeier's article at
http://undeadly.org/cgi?action=article&sid=20060928081238

=Adriaan=


Re: TCP packets don't flow from external hosts to WinVista clients behind

2007-08-25 Thread J65nko
On 8/26/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 Hello...
 I've got a strange trouble...
 FreeBSD 6.2 amd64 as nat-router:
 rl0 85.249.249.249 - ISP
 fxp0 10.0.0.1 - My Internal Net
 natd/ng_nat
 ipfw: allow all from any to any

 WinXP client machines work fine behind nat, but WinVista, FreeBSD (5.5/6.2) 
 clients don't.
 It's very strange but it's unable to establish any TCP internet connection 
 from non WinXP host. ICMP and UDP packets flows normally.
 For example, I can ping host ya.ru, get DNS-reply from internet servers, play 
 games via UDP, but i can't view web pages, open ssh session and just can't 
 telnet to any port
 Traffic from/to my net is not filtering by firewalls at all. I've tested it 
 with natd and ng_nat - there's no difference! I've tried to solve this 
 problem during last week =( Unfortunately, i can't. Now i'm going to try 
 using pf or ipfilter instead of ipfw or ever reinstall server OS and may be 
 change freebsd architecture to i386.

 Any ideas ?

Could be TCP window scaling. See
http://en.wikipedia.org/wiki/TCP_window_scale_option

Or the plain old PMTUD problem described in
http://www.cisco.com/en/US/tech/tk870/tk877/tk880/technologies_tech_note09186a008011a218.shtml#backinfo

=Adriaan=


Re: is is able to setting up DNS server reverse lookup with DynamicIP?

2007-07-13 Thread J65nko

On 7/13/07, Olivier Nicole [EMAIL PROTECTED] wrote:

I understand your problem.

dyndns.com is taking care of the forward dynamic DNS for you.

Now who is in charge of the reverse DNS for 58.187.106.120 (your
current IP)? I believe it is FPT.

So FPT should upgrade its own reverse DNS every time it gives an IP to
your server.

Right now if I make a reverse DNS lookup on 58.187.106.120 it gets
nothing, while it should get thecuong.gotdns.com.

The easiest way to solve your email problem would be that your server
sends all the email through FPT mail server.

As a rule, it is a bad idea to use a machine with a dynamic address to
be an SMTP server: when the IP changes, the DNS cache will take some
time to update everywhere, so for some time your email will be sent to
the wrong IP: mailing list may decide that your account is dead and
remove you from the list.

Olivier


This same issue is being discussed at
http://www.bsdforums.org/forums/showthread.php?p=265093#post265093  ;)


Re: non-interactive dump

2007-07-08 Thread J65nko

On 7/8/07, Dinesh Pandian [EMAIL PROTECTED] wrote:

Hello guys,
quick question..

Is there a way to tell dump to do it's working without
it asking Is the new volume mounted and ready to go?: (yes or no)
everytime it changes mount points?

For example:

solara# dump -0L -f /dev/da1 /
  DUMP: Date of this level 0 dump: Mon Jul  9 02:17:40 2007
  DUMP: Date of last level 0 dump: the epoch
  DUMP: Dumping snapshot of /dev/da0s1a (/) to /dev/da1
  DUMP: mapping (Pass I) [regular files]
  DUMP: mapping (Pass II) [directories]
  DUMP: estimated 288357 tape blocks on 7.42 tape(s).
  DUMP: dumping (Pass III) [directories]
  DUMP: dumping (Pass IV) [regular files]
  DUMP: Closing /dev/da1
  DUMP: Change Volumes: Mount volume #2
  DUMP: Is the new volume mounted and ready to go?: (yes or no) yes
  DUMP: Volume 2 begins with blocks from inode 33729
  DUMP: Closing /dev/da1
  DUMP: Change Volumes: Mount volume #3
  DUMP: Is the new volume mounted and ready to go?: (yes or no) yes
  DUMP: Volume 3 begins with blocks from inode 49969
  DUMP: Closing /dev/da1
  DUMP: Change Volumes: Mount volume #4
  DUMP: Is the new volume mounted and ready to go?: (yes or no) yes
  DUMP: Volume 4 begins with blocks from inode 50225
  DUMP: 39.89% done, finished in 0:01 at Mon Jul  9 02:25:01 2007
  DUMP: Closing /dev/da1
  DUMP: Change Volumes: Mount volume #5
  DUMP: Is the new volume mounted and ready to go?: (yes or no) yes
  DUMP: Volume 5 begins with blocks from inode 50225
  DUMP: Closing /dev/da1
  DUMP: Change Volumes: Mount volume #6
  DUMP: Is the new volume mounted and ready to go?: (yes or no) yes
  DUMP: Volume 6 begins with blocks from inode 50225
  DUMP: Closing /dev/da1
  DUMP: Change Volumes: Mount volume #7
  DUMP: Is the new volume mounted and ready to go?: (yes or no) yes
  DUMP: Volume 7 begins with blocks from inode 50225
  DUMP: Closing /dev/da1
  DUMP: Change Volumes: Mount volume #8
  DUMP: Is the new volume mounted and ready to go?: (yes or no) yes
  DUMP: Volume 8 begins with blocks from inode 50225
  DUMP: DUMP: 289411 tape blocks on 8 volumes
  DUMP: finished in 180 seconds, throughput 1607 KBytes/sec
  DUMP: Closing /dev/da1
  DUMP: DUMP IS DONE


Dump requires that I key in yes everytime it changes mount volumes..
is there a way to just get it to continue without user intervention?



Use the -a flag ;)


Re: scponly chroot doesn´t work FB6.2

2007-05-09 Thread J65nko

On 5/7/07, Marcelo Maraboli [EMAIL PROTECTED] wrote:


I can't seem to make scponly work with a chrooted jail. I've
read many articles on how FREEBSD's scripts on making jails
really don't work and a manual mknod of $jail/dev/null must
be done, but it still doesn't work...

I'd appreciate any help


[snip]

I haven't used it myself but at
http://www.bsdforums.org/forums/showthread.php?t=49388 somebody posted
a solution for a similar problem with scponly ;)


Re: How to find HorizSync / VertRefresh rates?

2007-04-30 Thread J65nko

On 4/30/07, Victor Engmark [EMAIL PROTECTED] wrote:

Hi all,

I'm trying to create a pristine xorg.conf, but I've been unable to
find proper values for HorizSync and VertRefresh for my Dell Latitude
D610.

I've tried the values presented in MonitorsDB
http://sources.gentoo.org/viewcvs.py/gentoo/src/hwdata/MonitorsDB?view=markup
for Dell 1400x1050 Laptop Display Panel, which are HorizSync
31.5-90.0 and VertRefresh 59.0-75.0, but I get a warning in
/var/log/Xorg.0.log for both of them saying they are not within DDC
ranges.

[snip]


(WW) I810(0): config file hsync range 60-66.3158kHz not within DDC hsync ranges.


[snip]


It seems that a DDC (or, apparently, DDS) query should be able to
determine these numbers, but


[snip]

I don't understand why people still configure X the old ancient way.

Follow the FBSD handbook to do a 'Xorg -configure' and a test run of
X with the generated Xorg.conf file.

Then have a look at your '/var/log/Xorg.0.log'. You will find a
log of X using DDC to interrogate your LCD screen for its
capabilities and the acceptable modelines.

A snippet of my Xorg.0.log file
--
(II) Loading sub module ddc
(II) LoadModule: ddc
(II) Loading /usr/X11R6/lib/modules/libddc.so
(II) Module ddc: vendor=X.Org Foundation
   compiled for 6.9.0, module version = 1.0.0
   ABI class: X.Org Video Driver, version 0.8
(II) NV(0): I2C bus DDC initialized.
(II) NV(0): Probing for EDID on I2C bus A...
(II) NV(0): I2C device DDC:ddc2 registered at address 0xA0.
(II) NV(0): I2C device DDC:ddc2 removed.
(--) NV(0): DDC detected a CRT:
(II) NV(0): Manufacturer: AOC  Model: a770  Serial#: 30015
(II) NV(0): Year: 1998  Week: 15
(II) NV(0): EDID Version: 1.0
(II) NV(0): Analog Display Input,  Input Voltage Level: 0.714/0.286 V
(II) NV(0): Sync:  Separate
(II) NV(0): Max H-Image Size [cm]: horiz.: 32  vert.: 24
(II) NV(0): Gamma: 1.50
(II) NV(0): DPMS capabilities: StandBy Suspend Off; RGB/Color Display
(II) NV(0): redX: 0.622 redY: 0.340   greenX: 0.282 greenY: 0.600
(II) NV(0): blueX: 0.147 blueY: 0.062   whiteX: 0.278 whiteY: 0.311
(II) NV(0): Supported VESA Video Modes:
(II) NV(0): [EMAIL PROTECTED]
(II) NV(0): [EMAIL PROTECTED]
(II) NV(0): [EMAIL PROTECTED]
(II) NV(0): [EMAIL PROTECTED]
(II) NV(0): [EMAIL PROTECTED]
(II) NV(0): Manufacturer's mask: 0
(II) NV(0): Supported Future Video Modes:
(II) NV(0): #0: hsize: 640  vsize 480  refresh: 85  vid: 22833
(II) NV(0): #1: hsize: 800  vsize 600  refresh: 85  vid: 22853
(II) NV(0): #2: hsize: 1024  vsize 768  refresh: 85  vid: 22881

[snip]

(==) NV(0): Using gamma correction (1.0, 1.0, 1.0)
(II) NV(0): Monitor0: Using default hsync range of 43.27-69.85 kHz
(II) NV(0): Monitor0: Using default vrefresh range of 60.02-85.01 Hz
(II) NV(0): Clock range:  12.00 to 350.00 MHz
[snip]
(**) NV(0): *Default mode 1024x768: 94.5 MHz, 68.7 kHz, 85.0 Hz
(II) NV(0): Modeline 1024x768   94.50  1024 1072 1168 1376  768 769 772 808 +hsync +vsync
(**) NV(0): *Default mode 800x600: 56.3 MHz, 53.7 kHz, 85.1 Hz
(II) NV(0): Modeline 800x600   56.30  800 832 896 1048  600 601 604 631 +hsync +vsync
(**) NV(0):  Default mode 1024x768: 78.8 MHz, 60.1 kHz, 75.1 Hz
(II) NV(0): Modeline 1024x768   78.80  1024 1040 1136 1312  768 769 772 800 +hsync +vsync
(**) NV(0):  Default mode 1024x768: 75.0 MHz, 56.5 kHz, 70.1 Hz
(II) NV(0): Modeline 1024x768   75.00  1024 1048 1184 1328  768 771 777 806 -hsync -vsync
(**) NV(0):  Default mode 1024x768: 65.0 MHz, 48.4 kHz, 60.0 Hz
(II) NV(0): Modeline 1024x768   65.00  1024 1048 1184 1344  768 771 777 806 -hsync -vsync
(**) NV(0):  Default mode 832x624: 57.3 MHz, 49.7 kHz, 74.6 Hz

[remainder snipped]
-
In your Xorg conf just put in the resolution you want and X will
usually figure out which sync rates to use. Or copy the modelines you
find in your Xorg.0.log file.


Re: Execute command upon interface initialization?

2007-04-18 Thread J65nko

On 4/17/07, Ido Admon [EMAIL PROTECTED] wrote:

Hello list,
I couldn't find any way to execute an arbitrary command upon network
interface initialization. My situation is that I have an ethernet card
that takes DHCP from a cables provider (not a fixed IP address) and I
need to update a DynDNS hostname everytime it does (everytime the IP
changes).
I couldn't find a way to execute shell commands using the rc system or
dhclient, what did I miss?


You can use a '/etc/start_if.nic' file. If your NIC is fxp0 then a
'/etc/start_if.fxp0' file will be run or sourced by the 'rc' system.

In http://www.bsdforums.org/forums/showthread.php?t=34607 this type of
file is used to set a MTU of 1492


Re: DNS and mail servers behind a PF firewall?

2007-02-26 Thread J65nko

On 2/26/07, Jacques Beigbeder [EMAIL PROTECTED] wrote:

Hello,

My question is related to PF performances with large state tables.
FreeBSD : 5.5
hw.model: Intel(R) Xeon(TM) CPU 3.20GHz
hw.physmem: 2138378240 = 2 Gb

If I put a mail server
20 SMTP hits per second (thanks to spam...)
15 seconds per SMTP dialog
90 seconds for PF timeout tcp.close
the state table will have:
20 * (90 + 15) * 2 ways = 5.000 entries

Since any mail generates a few DNS queries (reverse DNS,
+ DNSRBL queries), the state table will also get
2 ways * 60 seconds (timeout udp.multiple) * 5 (DNS queries) * 20 (connections)
= 12.000 entries

So I'll get around 20.000 entries, each of them have a short lifetime.

Question:
. is such a number a performance problem?
  It seems strange to constantly add and delete entries for DNS
  requests in the state table?
. or do I have to write rules to avoid all the (unnecessary??)
  entries? As far as I understand, beginning with
pass in quick proto udp from a.b.c.d port 53 to any
... same for TCP/25 ...
  is the trick.


[snip]

Yes, keeping state on DNS traffic is quite expensive ;) This is
mentioned in the series of 3 articles by the architect of pf, Daniel
Hartmeier, at undeadly.org

http://undeadly.org/cgi?action=articlesid=20060927091645mode=expanded
http://undeadly.org/cgi?action=articlesid=20060928081238mode=expanded
http://undeadly.org/cgi?action=articlesid=20060929080943mode=expanded

Try if just passing quick port 53 traffic without keeping state has a
measurable positive impact.

Or you could install a small, not resource-hungry caching nameserver
like Bernstein's dnscache, which will save a lot of DNS and RBL
traffic.

Most of the time however, perl based virus scanning is the cause of
less than expected performance of a mail server.

=Adriaan=


Re: PF slowing down file copies

2007-02-22 Thread J65nko

On 2/22/07, RW [EMAIL PROTECTED] wrote:

On Wed, 21 Feb 2007 19:38:39 +0100
J65nko [EMAIL PROTECTED] wrote:

 For keeping state on TCP connections you should only create state on
 the first packet of the 3 way TCP handshake. Using flags S/SA will
 ensure this. This will prevent problems with TCP windows scaling.

Why? Creating a state entry causes subsequent packets, in the same tcp
connection, to bypass the rules altogether.



The OP did not keep state on TCP connections using flags S/SA. That
can cause problems for  TCP window scaling (defined in RFC 1323)  and
result in stalling connections.


From http://undeadly.org/cgi?action=articlesid=20060928081238 under

Create TCP states on the initial SYN packet

--- quote --
pf does know about window scaling and supports it. However, the
prerequisite is that you create state on the initial SYN, so pf can
associate the first two packets of the handshake with the state entry.
Since the entire negotiation of the window scaling factors takes place
only in these two packets, there is no reliable way to deduce the
factors after the handshake.

Window scaling wasn't widely used in the past, but this is changing
rapidly. Just recently, Linux started using window scaling by default.
If you experience stalling connections, especially when problems are
limited to certain combinations of hosts, and you see 'BAD state'
messages related to these connections logged, verify that you're
really creating states on the initial packet of a connection.
-- end of quote ---

To prevent these TCP windows scaling issues, the current pf version of
OpenBSD-4.1 BETA defaults to  flags S/SA keep state  for TCP pass
rules.  Don't know when this feature will make it into FreeBSD ;)

Other issues the OP should look into are the optimizing tips given in
http://undeadly.org/cgi?action=articlesid=20060927091645


Adriaan


Re: PF slowing down file copies

2007-02-21 Thread J65nko

On 2/21/07, José Pablo Fernández [EMAIL PROTECTED] wrote:

Hello,
I have a FreeBSD 6.2 acting as router between two LANs and the internet. I am
using PF on it for filtering and I am allowing all the traffic to pass by
between the two LANs:

pass from $lan0:network to $lan1:network keep state
pass from $lan1:network to $lan0:network keep state

My problem is that when I copy a file from one network to the other, the first
128KB seems to be copied instantaneously, the second 128KB take more than two
minutes and I've seen the third 128KB being copied very rarely. This is using
Secure CoPy.
If I copy the file to the router and from the router to the other computer, it
just works. And it seems people copying files with SMB (Window's protocol)
have found the same problem.
Any ideas what might be going on?
Thanks.


For keeping state on TCP connections you should only create state on
the first packet of the 3 way TCP handshake. Using flags S/SA will
ensure this. This will prevent problems with TCP windows scaling.

For a more detailed explanation and  some suggestions see the 3 part
series about the pf firewall starting at
http://undeadly.org/cgi?action=articlesid=20060927091645

BTW The author of these 3 articles is Daniel Hartmeier, principal
developer of pf. ;)

[big snip]

=Adriaan=


Re: Mail server recomendations (was: is the list the right place toask?)

2007-02-12 Thread J65nko

On 2/11/07, Ted Mittelstaedt [EMAIL PROTECTED] wrote:

[big snip]



I would caution anyone against using the alternatives.  There are a lot of
people that use them successfully, but sendmail is far more popular in terms
of total installs - this is no doubt because it is used in the larger mail
servers on the Internet, and the alternatives are more used on home or small
servers.  The reason you want to use Sendmail is that once you learn how to
use it, that is knowledge that you have a much higher chance of re-using in
the future.



Is this an effort to convince FreeBSD.org to stop using postfix? ;)

$ host freebsd.org
freebsd.org has address 69.147.83.40
freebsd.org mail is handled by 10 mx1.freebsd.org.

$ telnet mx1.freebsd.org 25
Trying 69.147.83.52...
Connected to mx1.freebsd.org.
Escape character is '^]'.
220 mx1.freebsd.org ESMTP Postfix (Postfix Rules!)
quit
221 2.0.0 Bye
Connection closed by foreign host
$

No, this ain't flame bait ;)

=Adriaan=


Re: temporary IP addition to firewall rules

2007-02-04 Thread J65nko

On 2/4/07, Noah [EMAIL PROTECTED] wrote:


Does anybody have a recommendation for a program out there that would
allow somebody to enter an account and password on my website, their IP
address is cached, and the cached IP address is added temporarily to the
firewall ruleset to be allowed.



Have you checked authpf? There is a man page and
http://openbsd.unixtech.be/faq/pf/authpf.html


Re: unexpected result from sh script with `date`

2007-02-02 Thread J65nko

On 2/2/07, Tigger [EMAIL PROTECTED] wrote:

Hello, the following simple sh script is outputting unexpected results.
Any idea why?

--script--

#!/bin/sh

started=`date`

echo Started at: $started
echo Finished  : `date`
exit

--output--

Started at: Fri Feb  2 22:13:51 EST 2007
Finished  : Fri Feb 2 22:13:51 EST 2007

--problem--

Between 'Feb' and '2', there are two spaces on the 'Started at' line,
however the 'Finished' one only has 1 space.

I know this sounds picky, but I was not expecting this at all.

uname -a
FreeBSD piglet 6.2-STABLE FreeBSD 6.2-STABLE #0: Fri Jan 19 04:13:20 EST
2007 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/PIGLET  i386


The same on OpenBSD here (ksh)
OpenBSD 4.0-current (GENERIC) #1194: Thu Nov  2 16:32:12 MST 2006
   [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC

It seems to depend on whether the command substitution is within the
quote-delimited string for 'echo' or outside that string, in other
words on its own.
--- script--
#!/bin/sh

started=$(date)

echo \$started within \ delimited string for echo
echo Started at: $started
echo Command substitution \$(date) within \ delimited string for echo
echo Finished  : $(date)
echo Command substitution \$(date) outside \ delimited string for echo
echo Finished  : $(date)
echo Command substitution \`date\` outside \ delimited string for echo
echo Finished  : $(date)
---
Output:
---
$started within  delimited string for echo
Started at: Fri Feb  2 13:46:07 CET 2007
Command substitution $(date) within  delimited string for echo
Finished  : Fri Feb  2 13:46:07 CET 2007
Command substitution $(date) outside  delimited string for echo
Finished  : Fri Feb 2 13:46:07 CET 2007
Command substitution `date` outside  delimited string for echo
Finished  : Fri Feb 2 13:46:07 CET 2007
---
Embedded inside the string there are two spaces between Feb and the 2,
as stand-alone there is only one space.

Strange indeed ;)

J65nko
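
What both scripts above run into is the shell's field splitting of unquoted command substitutions. The following sketch is an added example, not part of the original thread; fake_date, the helper names and the sample string are constructed so the result is reproducible, and the last function goes one step further to show that the same unquoted expansion also triggers pathname expansion.

```shell
#!/bin/sh
# Constructed sample: date(1) pads a single-digit day with a space, so
# there are two spaces between "Feb" and "2".
SAMPLE='Fri Feb  2 22:13:51 EST 2007'

# Stand-in for date(1) so the result is reproducible.
fake_date() { printf '%s\n' "$SAMPLE"; }

# Unquoted substitution: the shell splits the result on IFS (space, tab,
# newline) into separate words, and echo joins its arguments with ONE space.
show_unquoted() { echo "Finished  :" $(fake_date); }

# Quoted substitution: the result stays one word, spacing is preserved.
show_quoted() { echo "Finished  : $(fake_date)"; }

# How many arguments a command receives in each case.
count_args() { echo "$#"; }
args_unquoted() { count_args $(fake_date); }
args_quoted() { count_args "$(fake_date)"; }

# Same mechanism, more serious consequence: after splitting, unquoted words
# also undergo pathname expansion, so a value of "*" becomes a file list.
# $1 = quoted | unquoted
glob_demo() {
    dir=$(mktemp -d) || return 1
    : > "$dir/a.txt"
    : > "$dir/b.txt"
    value='*'
    if [ "$1" = quoted ]; then
        ( cd "$dir" && echo "$value" )
    else
        ( cd "$dir" && echo $value )
    fi
    rm -rf "$dir"
}

show_unquoted
show_quoted
echo "arguments: unquoted=$(args_unquoted) quoted=$(args_quoted)"
echo "glob: unquoted='$(glob_demo unquoted)' quoted='$(glob_demo quoted)'"
```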


Re: Single command that outputs system status?

2007-01-21 Thread J65nko

On 1/21/07, Kelly Jones [EMAIL PROTECTED] wrote:

It's easy to write a shell script that dumps/mails the output of
several status commands (eg, df -k, crontab -l, ps -aux -www,
top -n -d 1 infinity, w -d, mailq -v, netstat -a, vmstat,
etc) every hour, but I'm wondering if I'm re-inventing the wheel.

Is there a FreeBSD command that reports system status, either an
existing shell script that does the above, or something that talks to
the kernel at a lower level and reports all relevant values?

I know about /etc/periodic/*/*status*, but this seems both excessive
in places (I don't really need rejected email info, for example) and
incomplete (I don't think it gives me all the information the commands
above do).

I also know about mrtg, but that seems more geared toward graphing
and storing historical information and seems limited as well.

I realize this question is ambiguous. I guess what I'm really asking
is: is there a FreeBSD tool *designed* to report system status on a
regular basis, that I could use as the basis of an hourly reporting
system, even if I had to add/tweak some stuff myself.



Although may be not exactly what you want
http://www.bsdforums.org/forums/showthread.php?t=31072
It could be a start ;)


Re: FreeBSD and 2 ADSL links

2006-10-05 Thread J65nko

On 10/5/06, Thiago Rocha [EMAIL PROTECTED] wrote:

hi!

Brazilian I and do not say English, I forgive for any error!

I have a FreeBSD Server (5.4). This server links ADSL has two, and I need to
balance the load between them, e also case one stops the other keeps the
connection.



You can do this with pf, see
http://openbsd.org/faq/pf/pools.html#outgoing and
http://openbsd.org/faq/pf/carp.html


Re: nested labels

2006-09-23 Thread J65nko

On 9/21/06, Jeffrey Katz [EMAIL PROTECTED] wrote:

I have hit the limit of 8 disklabels per slice.  Supposedly, one can
create lables within a label, thus overcoming this limit.  I googled
everything but could only find references to gpt-- nothing about nested
labels or partitions.  Can anyone detail the steps involved in setting up
nested labels or partitions?



A slice can have 8 labels, a disk can have 4 slices, so 4 x 8 labels =
32 labels
Deduct from those 32 the reserved c and possibly b and you still
have a lot to spare ;)


Re: OT: awk/sed: how to use a variable in an address range?

2006-09-15 Thread J65nko

On 9/14/06, O. Hartmann [EMAIL PROTECTED] wrote:
[snip]

To keep a small shell script portable I use awk for separating an ASCII
file from a home brewn scientific model software. The datasets of the
output is enclosed by

/begin_data_set_##/
.
.
.
/end_data_set_##/

## is a two-digit counter, but not necessarily equidistant.

I would like to separate the file containing all datasets via awk or sed
into appropriate files - this is my intention, but I failed.

the simplest way - in theory and in my limited ability of using sed or
awk - is to print all lines between the (sed/awk) addresses

/begin_data_set_##/
...
/end_data_set_##/

but this does not work due to i cannot use variables in the address
range specifiers neither in awk nor in sed like this:

awk -v nc=$NUMBER '/\/begin_data_set_nc\//,/\/end_data_set_nc\// {
do-something-in-awk}' $input_file  $output_file_$NUMBER

nc in this example is set to the counter of the desired dataset.

I would like to use SED or AWK only due to portability reasons.

[snip]

You have to prefix the variable with $ and use double quotes instead
of single quotes.
The shell will expand a variable within double quotes, but not one within
single quotes.
$ cat data
/start_1/
This is dataset 1
/end_1/

/start_2/
This is dataset 2
/end_2/

/start_3/
This is dataset 3
/end_3/

$ cat sed_extract

NR=$1

sed -ne "/\/start_$NR\//,/\/end_$NR\//p" data

$ sh -vx sed_extract 3

NR=$1
+ NR=3

sed -ne "/\/start_$NR\//,/\/end_$NR\//p" data
+ sed -ne /\/start_3\//,/\/end_3\//p data
/start_3/
This is dataset 3
/end_3/

$ sh -vx sed_extract 2

NR=$1
+ NR=2

sed -ne "/\/start_$NR\//,/\/end_$NR\//p" data
+ sed -ne /\/start_2\//,/\/end_2\//p data
/start_2/
This is dataset 2
/end_2/

You were close ;)
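
The double-quoted sed range from the reply above, wrapped in a function that checks the counter before pasting it into the sed script, next to an awk variant that passes the counter with -v and compares whole lines. This is an added example, not code from the thread; the function names are made up here and the sample data is the reply's data file.

```shell
#!/bin/sh
# Constructed sample input: the "data" file from the reply above.
make_sample() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
/start_1/
This is dataset 1
/end_1/

/start_2/
This is dataset 2
/end_2/

/start_3/
This is dataset 3
/end_3/
EOF
    echo "$f"
}

# Accept only a decimal counter. The value is pasted into the sed script,
# so a "/" or ";" in it would change the script instead of the pattern.
valid_counter() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# extract_sed FILE N: sed address range built by the shell.
# Inside double quotes the shell substitutes $2 and leaves \/ alone;
# \$ becomes a plain $ so the markers are anchored to whole lines.
extract_sed() {
    valid_counter "$2" || { echo "bad counter: $2" >&2; return 2; }
    sed -n "/^\/start_$2\/\$/,/^\/end_$2\/\$/p" "$1"
}

# extract_awk FILE N: awk range pattern. A variable cannot be used inside
# a /regex/ literal, but a range may be built from any two expressions,
# here exact string comparisons against the marker lines.
extract_awk() {
    valid_counter "$2" || { echo "bad counter: $2" >&2; return 2; }
    awk -v nc="$2" '$0 == "/start_" nc "/", $0 == "/end_" nc "/"' "$1"
}

sample=$(make_sample)
extract_sed "$sample" 3
extract_awk "$sample" 2
rm -f "$sample"
```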


Re: Xorg install

2006-09-07 Thread J65nko

You can download the latest ports tree from
http://www.freebsd.org/ports/installing.html


Re: How to remove this (maybe tinydns?)...

2006-04-30 Thread J65nko

On 4/30/06, Mare Negrocan [EMAIL PROTECTED] wrote:

I ran my box freebsd 4.10 and noticed in ps aux these lines:


root 212  0.0  0.4   868  104 con- I 8:30PM   0:00.02 readproctitle service errors: ..
root 211  0.0  1.1   920  284 con- S 8:30PM   0:00.62 svscan /service
root 206  0.0  0.2   632   48 con- I 8:30PM   0:00.02 /bin/sh /command/svscanboot

How to remove them?


http://cr.yp.to/daemontools/faq/create.html#remove


Re: repeated ssh login attempts/failure/break-in attempts from kiddy script

2006-03-31 Thread J65nko
On 3/31/06, Nathan Vidican [EMAIL PROTECTED] wrote:
 Noted recently in auth.log, a string of connection attempts repeated/failed
 over and over from one host - looks like a script someone's running, tries
 all kinds of various usernames, etc... attempts like 100-200 logins, fails
 and goes away.

 Few hours go by, and another such attempt, from a different IP comes in. If
 I'm here and just happen to notice them - simple ipfw add deny... does the
 trick, but is there not a way to limit the login attempts for a certain
 period of time?

 ie: after 4 failed attempts from IP _BLANK_ in less than _BLANK_ minutes, deny
 all attempts and drop connection from said IP... possible?

 Any suggestions/ideas? Thus far, no one has managed to login (there are only
 three accounts which even have a shell or can login via ssh... but still not
 the point). I'd just like to get rid of the problem and save my auth.log file
 for perhaps something more useful ;)

[snip]

This pf.conf rule will stop them:

block drop log quick on xl0 proto tcp from any os Linux to any port = ssh
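
The check asked for in the question (N failed attempts from one address within a time window), run over a few auth.log lines, as an added example that is not part of the original thread. The log lines are constructed, and the sshd message layout, the function names and the thresholds are assumptions.

```shell
#!/bin/sh
# Constructed sample log (documentation addresses, made-up host and users).
make_sample_log() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
Mar 31 03:12:01 gw sshd[811]: Failed password for invalid user admin from 192.0.2.10 port 40211 ssh2
Mar 31 03:12:04 gw sshd[813]: Failed password for invalid user test from 192.0.2.10 port 40215 ssh2
Mar 31 03:12:07 gw sshd[815]: Failed password for root from 192.0.2.10 port 40219 ssh2
Mar 31 03:12:09 gw sshd[817]: Failed password for invalid user guest from 192.0.2.10 port 40223 ssh2
Mar 31 03:12:12 gw sshd[819]: Failed password for invalid user oracle from 192.0.2.10 port 40227 ssh2
Mar 31 05:40:10 gw sshd[902]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Mar 31 07:15:42 gw sshd[950]: Failed password for alice from 198.51.100.7 port 51020 ssh2
Mar 31 09:01:03 gw sshd[990]: Failed password for alice from 198.51.100.7 port 51044 ssh2
Mar 31 11:30:55 gw sshd[1012]: Failed password for alice from 198.51.100.7 port 51060 ssh2
Mar 31 11:31:20 gw sshd[1014]: Accepted password for alice from 198.51.100.7 port 51062 ssh2
Mar 31 12:00:00 gw su: BAD SU alice to root on /dev/ttyp0
EOF
    echo "$f"
}

# find_offenders LOG MAX WINDOW
# Print each source address that reaches MAX failed sshd logins within
# WINDOW seconds (sliding window), once, in the order they cross the limit.
find_offenders() {
    awk -v max="$2" -v win="$3" '
    BEGIN {
        n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", name, " ")
        for (i = 1; i <= n; i++) month[name[i]] = i
    }
    /sshd\[[0-9]+\]: Failed password for / {
        # The user name is chosen by the remote client, so locate the
        # address by counting from the END of the line:
        # "... from ADDR port N ssh2".
        if ($(NF - 4) != "from" || $(NF - 2) != "port") next
        ip = $(NF - 3)
        split($3, hms, ":")
        # Syslog lines carry no year. Every month is treated as 31 days:
        # ordering is kept, only a window spanning a month end is missed.
        now = ((month[$1] - 1) * 31 + $2) * 86400
        now += hms[1] * 3600 + hms[2] * 60 + hms[3]
        c = ++count[ip]
        seen[ip, c] = now
        # Compare this attempt with the one MAX-1 attempts earlier.
        if (c >= max && now - seen[ip, c - max + 1] <= win && !(ip in flagged)) {
            flagged[ip] = 1
            print ip
        }
    }' "$1"
}

log=$(make_sample_log)
find_offenders "$log" 4 600
rm -f "$log"
```

The slow, spread-out failures from the second address stay below the limit with a 10 minute window; widening the window to a day flags both.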


Re: blocking yahoo messenger

2006-01-02 Thread J65nko BSD
On 1/2/06, Imran Imtiaz [EMAIL PROTECTED] wrote:
 how can I block yahoo messenger using ipf?

[snip]

Have a look at http://www.bsdforums.org/forums/showthread.php?t=10225 ;)


Re: pf blocking nfs

2005-11-30 Thread J65nko BSD
[snip]
 In your original post, there was something about a short packet. I'm
 guessing this might screw things up. You might try adding 'scrub in all'
 before the filtering rules.

[snip]

Be careful with scrub and NFS. From http://openbsd.bay13.net/faq/pf/scrub.html

One reason not to scrub on an interface is if one is passing NFS
through PF. Some non-OpenBSD platforms send (and expect) strange
packets -- fragmented packets with the do not fragment bit set,
which are (properly) rejected by scrub.


Re: Aztech modem

2005-10-29 Thread J65nko BSD
On 10/29/05, Greg 'groggy' Lehey [EMAIL PROTECTED] wrote:

 On Tuesday, 15 November 2005 at 6:37:40 +0330, Mohsen Pahlevanzadeh wrote:
  Dears,
  I can use my modem in GNU/Linux (each distro,without problem)
  My modem is external  its mark is Aztech.I use dos port.
  But i can't use /dev/cuaa0 or plus in FreeBSD.
  Please guide ..

 http://www.lemis.com/questions.html

 Greg


Same question as http://www.bsdforums.org/forums/showthread.php?t=35879 ;)


Re: Has this box been hacked?

2005-07-07 Thread J65nko BSD
On 7/6/05, Brett Glass [EMAIL PROTECTED] wrote:
 
 A client had a network problem, and I wanted to make sure that his FreeBSD
 4.11 router wasn't the cause of it, so I rebooted it. I then did a last
 command and saw the following:
 
 root ttyv0 Tue Jul 5 12:01 - 12:05 (00:04)
 admin ttyp0 localhost Tue Jul 5 11:57 - 11:57 (00:00)
 root ttyv0 Tue Jul 5 11:49 - 12:00 (00:11)
 reboot ~ Tue Jul 5 11:49
 shutdown ~ Tue Jul 5 11:47
 root ttyv0 Tue Jul 5 11:37 - shutdown (00:10)
 reboot ~ Tue Jul 5 11:36
 shutdown ~ Tue Jul 5 05:36
 shutdown ~ Tue Jul 5 11:22
 
 Note the shutdown entry with the time 5:36 AM, which is odd because it's
 out of chronological order and the other logs don't show the typical debug
 messages at that time. Where might such an entry come from? How likely is it
 that the box has been rooted? Are there known exploits that might have been
 used to root a FreeBSD 4.11-RELEASE machine? (The only unusual activity I
 can see in the logs is a few attempts to log in as root via SSH. The
 attempts that were logged were not successful, but of course a skilled
 attacker would cover his tracks.)


If you would have installed something like tripwire or aide, you would have 
been in a better position to find out whether the box has been owned. See 
http://www.onlamp.com/pub/a/bsd/2003/04/03/FreeBSD_Basics.html

=Adriaan=


Re: Using unix mail with maildir format

2005-06-29 Thread J65nko BSD
On 6/29/05, bsd [EMAIL PROTECTED] wrote:
 
 Does anyone know if there is a way to read mail with unix mail
 program?
 
 I've been using this program since couple of years and I am quite
 happy with It…
 I can't seem to find a shortcut to have It read maildir format…
 

The program maildir2mbox (part of qmail), can convert a Maildir into
mbox format. See http://qmail.bzimage.dk/man/man1/maildir2mbox.html.
There is also a short shell script called qail which runs
maildir2mbox and then mail.

=Adriaan=

Re: installing big qmail server ... where to start?

2005-05-04 Thread J65nko BSD
See http://www.lifewithqmail.org/ldap/ Maybe you could ask on the
qmail-ldap mailing list ;)

=adriaan=


Re: illegal user root user failed login attempts

2005-04-26 Thread J65nko BSD
On 4/26/05, Peter Kropholler [EMAIL PROTECTED] wrote:

 I run a server at home on port 22.
 There are loads of illegal user attempts to login
 every few days. As its at home I protect myself
 by having only one user on the sshd AllowUsers
 list and with a very strong password and no
 admin/sysman privileges.
 
 So essentially every failed login attempt is illegal.
 
 Is there any way to actually record what passwords
 the hackers' scripts are trying? I am just really intrigued
 to know what they are thinking might work.
 
 I realize that it's not normally appropriate to log people's
 passwords but in my case I am literally the only user
 who will ever legitimately login to my machine
 __

Moving your ssh port away from port 22 seems to stop these attempts.
These logons seem to come from cracked Linux boxes. This issue has
been discussed quite a lot on this list.

For a non-list discussion, see
http://www.freebsdforums.org/forums/showthread.php?s=threadid=27683

=Adriaan=


Re: Enabling Gratuitous ARP

2005-04-14 Thread J65nko BSD
On 4/14/05, Adam Smith [EMAIL PROTECTED] wrote:
 Hi,
 
 In a particular network scenario we have, swapping an ethernet link between
 two FreeBSD machines using the same IP and a different MAC is proving to be
 a problem.
 
 We have discovered that in order to make this work we will need to enable
 gratuitous ARP.  Does anyone know how to turn this feature on?
 

http://openbsd.org/faq/faq6.html#CARP and
http://www.freebsd.org/cgi/man.cgi?query=carpapropos=0sektion=0manpath=FreeBSD+6.0-currentformat=html
It looks like carp is available in FBSD 5.4

=Adriaan=


Re: pf synproxy and fragments

2005-04-02 Thread J65nko BSD
On Apr 2, 2005 12:18 AM, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 
 I'm running 5.3 stable.
 I've recently switched from ipfilter to pf to take advantage of the
 traffic shaping, and I've run into something I don't understand.
 
 I read the documentation on the synproxy option and it sounded good to me,
 so I replaced my keep state rules with synproxy state.
 
 After doing this, I noticed that my filesharing programs stopped
 downloading.  I switched back to keep state for the rules that handled
 my filesharing traffic and the problem went away.
 
 Today my brother called and told me that he couldn't get to my website
 anymore because his firewall said that my http service was sending a
 fragment attack.  I replaced synproxy state with keep state for the
 rules pertaining to httpd and the problem went away.
 
 Specifically, the http traffic rule was (formatted):
 pass in quick on $ext_if proto tcp from any to any port 80 flags S/SAFR
 synproxy state queue(http_out,ack_out)
 
 Having tried a few other firewalls in the past, I know that some of them
 don't like fragmented packets at all.
 
 This week's events make me believe that pf's synproxy option is causing my
 server to send out fragments, and those fragments aren't well-received.
 Is this normal with synproxy?  Am I misusing synproxy?  Is this just a
 coincidence?
 

In http://archives.neohapsis.com/archives/openbsd/2005-03/2760.html
somebody reported a similar problem. Maybe you could try his
solution by leaving out  flags S/SAFR

=Adriaan=


Re: possible bug report re: (malformed?) internet addresses

2005-03-31 Thread J65nko BSD
On Thu, 31 Mar 2005 05:45:37 -0400, fredthetree [EMAIL PROTECTED] wrote:
 Almost forgot.
 
 $ uname -a
 FreeBSD computer 5.4-PRERELEASE FreeBSD 5.4-PRERELEASE #0: Tue Mar  1
 05:39:33 AST 2005 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/MACHINE  i386
 
 (I haven't cvsup'd and re-built in a little while.. maybe one of you
 who have could verify the problem still exists..)
 
 -dan
 
 On Thu, 31 Mar 2005 05:43:12 -0400, fredthetree [EMAIL PROTECTED] wrote:
  $ ping mr-chips-.deviantart.com
  ping: cannot resolve mr-chips-.deviantart.com: Unknown server error
 
  $ ping etc-etc-etc.deviantart.com
  PING etc-etc-etc.deviantart.com (69.28.181.43): 56 data bytes
  64 bytes from 69.28.181.43: icmp_seq=0 ttl=50 time=108.127 ms
 
  At first it may seem logical to point the blame to the server, after
  noting Unknown server error, however, I am perfectly able to connect
  to this address on a Windows machine.  The problem is reproducible
  with any address which has a - before a .
 
  I am not sure where the problem lies, it is obviously not just within
  'ping,' as I first noticed this problem within firefox/mozilla.
 

No problem on  FreeBSD plato.utp.xnet 5.3-STABLE-20050116-JPSNAP 
FreeBSD 5.3-STABLE-20050116-JPSNAP #0: Sun Jan 16 01:31:07 UTC 2005
[EMAIL PROTECTED]:/usr/obj/usr/src/sys/GENERIC  i386

consulting a local dnscache, part of djbdns, nameserver running under OpenBSD

dig mr-chips-.deviantart.com

;  DiG 9.2.3  mr-chips-.deviantart.com
;; global options:  printcmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: NOERROR, id: 27024
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mr-chips-.deviantart.com.  IN  A

;; ANSWER SECTION:
mr-chips-.deviantart.com. 86400 IN  A   69.28.181.43

;; Query time: 293 msec
;; SERVER: 192.168.222.10#53(192.168.222.10)
;; WHEN: Thu Mar 31 23:08:23 2005
;; MSG SIZE  rcvd: 58


Re: ppp problems with routing

2005-03-29 Thread J65nko BSD
On Mon, 28 Mar 2005 19:13:47 -0500, PS [EMAIL PROTECTED] wrote:
 Hello I use freeBSD 4.11 with pppoe.
 I used almost default ppp.conf (as in freebsd handbook) for dynamic ip.
 my config is here http://block111.servehttp.com/ppp.conf
 Twice a day I restart ppp from cron with `killall -INT ppp` and if the
 new connection default gateway is different then the old default route
 isn't removed, e.g. after ppp restart I have this:
 ifconfig -
 ...
  inet 66.11.172.181 -- 66.11.165.1 netmask 0x
 inet 66.11.180.20 -- 66.11.190.1 netmask 0x
 
 before I had
 inet 66.11.172.181 -- 66.11.165.1 netmask 0x
 only, but after I sent INT to ppp the new ip has a different default
 gateway and the old one isn't removed. Should the old default route/ip
 be removed or not? In my case the old ip becomes invalid.
 
 Thank you
 

Have you tried: 

   add! default HISADDR

Note the exclamation mark ! after the add.


Re: [repost] ip.forwarding with pf

2005-03-03 Thread J65nko BSD
On Thu, 03 Mar 2005 06:30:52 -0600, J.D. Bronson [EMAIL PROTECTED] wrote:
 No one replied to this and I thought it was easy for someone on this list
 to help me?
 
 I am going to run pf and setup FBSD as a router (3 NICs).
 And I see there are some options:
 
 net.inet.ip.fastforwarding
 or
 net.inet.ip.forwarding
 
 Can someone tell me which is appropriate when FreeBSD 5.4-PRE is used as a
 router running pf with built in NAT ?
 
 And what is the difference on these 2 options?
 
 --

I don't know the difference, but here is a report of WinXP clients
having problems with net.inet.ip.fastforwarding:
http://www.freebsdforums.org/forums/showthread.php?s=&threadid=29094

=Adriaan=


Re: Change MAC address of LAN card in rc.conf. How?

2005-02-27 Thread J65nko BSD
On Sun, 27 Feb 2005 05:54:49 -0800 (PST), Rob [EMAIL PROTECTED] wrote:
 
 Hi,
 
 I'm running 5.3 STABLE.
 
 I need to change the MAC address of my PC.
 
 I know it can be done like this:
 
ifconfig rl0 ether 11:22:33:44:55:66
 
 So I guessed I could make life a little easier by
 adding this in my /etc/rc.conf file as:
 
 ifconfig_rl0=inet 192.168.123.2 netmask 255.255.255.0
 ether 11:22:33:44:55:66
 
 However, this does not seem to work. No IP address
 is assigned to the LAN card after bootup.
 Apparently something is wrong here.
 Any idea how I can do this at bootup?
 

echo 'ifconfig rl0 ether 11:22:33:44:55:66' > /etc/start_if.rl0

=Adriaan=


Re: Transfering from SCSI to IDE ?

2005-02-24 Thread J65nko BSD
On Wed, 23 Feb 2005 18:12:29 + (GMT), ali boreiri
[EMAIL PROTECTED] wrote:
 Dear Sir :
 
 I have a FreeBSD system with a squid cache installed on it on my 17 GB SCSI 
 drive.
 Recently I get an image of it by Norton GHOST  on a 80GB IDE drive.
 Transferring was successful but when system on new IDE disk booted, after 
 primary FreeBSD boot menu  boot process continued till an error occurred in 
 mounting file system and disk; and then system ask me to mount root and a 
 mount prompt appeared.
 Messages appears on screen are as below:
 
 Mounting root from ufs:/dev/da0s1a
 setrootbyname failed
 ffs_mountroot: can't find rootvp
 Rootmount failed:6
 mount root
 mount root ?
 List of GEOMD Managed disk devices:
 ad1s1f  ad1s1e  ad1s1d  ad1s1c  ad1s1b  ad1s1a  ad1s1  acd0 ad1 fd0
 
 Now please tell me what must I do; and refer me to a complete step by step 
 guide in mounting partition of this  IDE disk (which the image of a SCSI disk 
 is on it.)and no change perform to partitions  for properly working of squid 
 cache.
 
 Thank you : Dr.A.Boreiri
 
Maybe you should forget about the Ghost shortcut, and not ignore 30
years of Unix backup history ;)

Use dump to make a backup of your SCSI disk. Do a minimal FBSD
install on your IDE disk, using a similar partition and disklabel
scheme as the FBSD install on the SCSI disk.

Now use restore to transfer the backups to the IDE disk.

Please note that dump and restore work on complete filesystems.

=Adriaan=


Re: djbdns question

2005-02-24 Thread J65nko BSD
On Wed, 23 Feb 2005 14:45:16 -0600, Darryl Hoar [EMAIL PROTECTED] wrote:
 Greetings,
 I setup djbdns on a freebsd server attached to my internal network.
 It answers for the local machine on the domain for my internal while
 forwarding all others to our ISP for resolution.
 
 I set this up a 2 years ago and haven't needed to do a thing other
 than to add/remove machines.
 
 Well, now I need to change the domain name from osborneindustries.com
 to osborneinternal.com.  Unfortunately, I haven't found any documentation
 that takes you through the changes to convert and already running
 tinydns/dnscache
 setup from one domain name to a different one.
 
 Anybody have any pointers here ?

Change directory to the tinydns data directory (cd
/service/tinydns/root), then edit your tinydns data file. Editing can be
done in one sweep with

# mv data data.old
# sed -e 's/osborneindustries.com/osborneinternal.com/g' data.old > data

Now run make to generate a new data.cdb file from the edited
data file. Tinydns will notice the change, no need to start/stop or
give a -HUP to tinydns.


The only other thing left is to tell dnscache about the change.

# cd /service/dnscache/root/servers

You will see a file called osborneindustries.com. The contents of
that file are the IP address of your tinydns server. Rename this file
with mv to osborneinternal.com


=Adriaan=


Re: djbdns question

2005-02-24 Thread J65nko BSD
On Thu, 24 Feb 2005 22:18:01 +0100, J65nko BSD [EMAIL PROTECTED] wrote:
 On Wed, 23 Feb 2005 14:45:16 -0600, Darryl Hoar [EMAIL PROTECTED] wrote:
  Greetings,
  I setup djbdns on a freebsd server attached to my internal network.
  It answers for the local machine on the domain for my internal while
  forwarding all others to our ISP for resolution.
 
  I set this up a 2 years ago and haven't needed to do a thing other
  than to add/remove machines.
 
  Well, now I need to change the domain name from osborneindustries.com
  to osborneinternal.com.  Unfortunately, I haven't found any documentation
  that takes you through the changes to convert and already running
  tinydns/dnscache
  setup from one domain name to a different one.
 
  Anybody have any pointers here ?
 
 Change directory to the tinydns data directory (cd
 /service/tinydns/root) , edit your tinydns data file. Editing can be
 done in one sweep with
 
 # mv data data.old
 # sed -e 's/osborneindustries.com/osborneinternal.com/g' data.old > data
 
 Now run make to generate a new data.cdb file from the edited
 data file. Tinydns will notice the change, no need to start/stop or
 give a -HUP to tinydns.
 
 The only other thing left is to tell dnscache about the change.
 
 # cd /service/dnscache/root/servers
 You will see a file called osborneindustries.com The contents of
 that file is the IP address of your tinydns server. Rename this file
 with mv to osborneinternal.com
 
I forgot to mention that a restart of dnscache is needed:

# svc -t /service/dnscache

At http://www.freebsdforums.org/forums/showthread.php?s=&threadid=25244
you can find a comfortable dnscachectl script to start/stop and many
other things with dnscache.

=Adriaan=


Re: Partial web page loading

2005-02-23 Thread J65nko BSD
It could have something to do with an incorrect MTU size. This can
cause partial loading of webpages. See 
http://www.cisco.com/warp/public/794/router_mtu.html

Adriaan

On Sun, 20 Feb 2005 12:46:09 -0800, Scott Stevenson [EMAIL PROTECTED] wrote:
 I'm a relatively new user of FreeBSD (5.3 release), and have
 encountered a problem that I haven't seen on other platforms. The
 details and a screenshot are outlined here:
 
 http://theocacao.com/document.page/82
 
 Essentially, web content (text and images alike, it seems) occasionally
 fails to load in entirety. I personally haven't been able to recreate
 this yet, but a few people have sent me emails about it. I didn't hear
 anything about this prior to switching to FreeBSD. This is the exact
 same content I had running on a Red Hat-based machine running the same
 version of Apache.
 
 I've done a lot of googling and looking through mailing list archives,
 but haven't been able to identify any real leads yet. Syslog doesn't
 suggest anything is amiss. My environment is:
 
 FreeBSD 5.3-Release
 Apache 2.0.50
 PHP 5.0.2
 BIND 9.3.0
 
 Both Apache and PHP were built from ports. I realize Apache is a few
 versions behind, and I'm going to upgrade it. Looking at the changelog,
 though, I can't seem to find anything that would pertain to this.
 
 Any ideas?
 
 Thanks,
 
  - Scott
 
 --
 http://treehouseideas.com/
 http://theocacao.com/ [blog]
 


Re: Configuring PF

2005-02-21 Thread J65nko BSD
On Sun, 20 Feb 2005 11:42:41 -0700, Pat Maddox [EMAIL PROTECTED] 
 
 I'd still like to find a good example config file that works well for
 a web server.
 
I posted an easy to adapt config file 3 days ago, haven't you seen it?


Re: Configuring PF

2005-02-18 Thread J65nko BSD
On Fri, 18 Feb 2005 00:28:30 -0700, Pat Maddox [EMAIL PROTECTED] wrote:
 Can you guys let me know if this looks like a good conf file?  I've
 got web, mail, ftp, ssh, and DNS that I need to have open.
 
 # Macros
 ext_if=fxp0
 SYN_ONLY=S/FSRA
 tcp_services = { 21, 22, 25, 53, 80, 143 }
 icmp_types = echoreq
 
 # Default deny
 block all
 
 ## Filtering rules
 
 # Default TCP policy
 block return-rst in log on $ext_if proto TCP all

This block rule is not needed, You already have a default deny policy

 pass in log quick on $ext_if proto TCP from any to $ext_if port
 $tcp_services flags $SYN_ONLY keep state
 
 # Default UDP policy
 block in log on $ext_if proto udp all

This block rule is not needed, You already have a default deny policy

 pass in log quick on $ext_if proto UDP from any to $ext_if port 53 keep state
 
 # Default ICMP policy
 block in log on $ext_if proto icmp all

This block rule is not needed, You already have a default deny policy

 pass in inet proto icmp all icmp-type echoreq keep state
 
 block out log on $ext_if all

This block rule is not needed, You already have a default deny policy

 pass out log quick on $ext_if from $ext_if to any keep state
 
 # Allow the local interface to talk unrestricted
 pass in quick on lo0 all
 pass out quick on lo0 all
 
 
 On Fri, 18 Feb 2005 03:17:30 +0100, J65nko BSD [EMAIL PROTECTED] wrote:
  On Wed, 16 Feb 2005 19:18:17 -0700, Pat Maddox [EMAIL PROTECTED] wrote:
   I've managed to come up with something that works so far.  I am having
   two problems though.
  
   The first is that I can't authenticate for IMAP anymore.  No clue why,
   it just keeps rejecting my password.  maillog shows imapd: LOGIN
   FAILED, that's it.
  
   Also, after enabling pf, all my UDP ports show as open.  I've got a 
   ruleset of
   block in log on $ext_if proto udp all
  
   So all UDP ports should be shown as closed.  Doesn't really make any
   sense to me.  Anyone care to help?
  
   Thanks for the help so far.
  
   Pat
 
  Start with a default policy to block and log all traffic
 
  # --- default policy
  block log from any to any
 
  Now you only have to open ports to let traffic in. If you don't know
  which port to open for a certain protocol, you can run tcpdump -eni
  pflog0. tcpdump will show which rule blocked, and on which port
  address combination.
 
 
How about this?
# --- pf.conf skeleton for server
# j65nko freebsdforums.org
#
# --- MACRO Section ---

EXT_IF = "fxp0"

PING = "echoreq"

# --- allowed incoming services initiated by clients

TCP_IN = "{ ssh, smtp, pop3, imap, http, https }"
#UDP_IN = "{ domain }"

# --- allowed services initiated by server

TCP_OUT = "{ smtp }"
UDP_OUT = "{ domain }"

# --- TABLE Section ---

# --- OPTIONS Section ---
set loginterface $EXT_IF

# --- TRAFFIC NORMALIZATION ---
scrub in all

# --- TRANSLATION Section (NAT/RDR) ---

# --- FILTER section ---

# --- DEFAULT POLICY
block log all

# --- LOOPBACK
pass quick on lo0 all

# === INCOMING
# --- EXTERNAL INTERFACE

# --- TCP
pass in quick on $EXT_IF inet proto tcp from any to $EXT_IF \
    port $TCP_IN flags S/SA keep state

# --- UDP
#pass in quick on $EXT_IF inet proto udp from any to $EXT_IF \
#    port $UDP_IN keep state

# --- ICMP
#pass in quick on $EXT_IF inet proto icmp from any to $EXT_IF \
#    icmp-type $PING keep state


# === OUTGOING
# --- EXTERNAL INTERFACE

# --- TCP
pass out quick on $EXT_IF inet proto tcp from $EXT_IF to any \
    port $TCP_OUT flags S/SA keep state

# --- UDP
pass out quick on $EXT_IF inet proto udp from $EXT_IF to any \
    port $UDP_OUT keep state

# --- ICMP
pass out quick on $EXT_IF inet proto icmp from $EXT_IF to any \
    icmp-type $PING keep state

# --- end of pf.conf

 =Adriaan=
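
The rules in these pf threads use three different flag clauses (S/SA, S/SAFR and the macro S/FSRA). The following is an added example, not code from any poster: it applies pf's "flags a/b" rule (of the flags listed in b, exactly those in a must be set) to constructed TCP packets, so the difference between the masks is visible. The sample rule lines are modelled on the ones quoted in the threads; the port numbers and packet set are constructed.

```python
import re

# TCP flag letters as pf.conf writes them, mapped to the TCP header bits.
TCP_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80}

# Constructed sample packets: name -> flags set in the TCP header.
PACKETS = {"SYN": "S", "SYN+ACK": "SA", "ACK": "A",
           "SYN+FIN": "SF", "SYN+RST": "SR", "FIN+ACK": "FA"}

# Constructed excerpt modelled on the rules quoted in the threads.
SAMPLE_RULES = '''
SYN_ONLY = "S/FSRA"
pass in log quick on fxp0 proto tcp from any to fxp0 port 80 flags $SYN_ONLY keep state
pass in quick on fxp0 inet proto tcp from any to fxp0 port 22 flags S/SA keep state
pass in quick on fxp0 proto tcp from any to any port 80 flags S/SAFR synproxy state
pass in quick on fxp0 proto tcp from any to any port 80 synproxy state
'''

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"?([^"]*?)"?$')
FLAGS_RE = re.compile(r'\bflags\s+([A-Za-z]*/[A-Za-z]+)')


def to_bits(letters):
    """Turn a string such as 'SA' into the OR of the matching header bits."""
    bits = 0
    for ch in letters.upper():
        if ch not in TCP_FLAGS:
            raise ValueError(f"unknown TCP flag letter {ch!r}")
        bits |= TCP_FLAGS[ch]
    return bits


def matches(spec, packet_flags):
    """True if a packet with packet_flags satisfies 'flags <set>/<mask>'."""
    want, sep, mask = spec.partition("/")
    if not sep or not mask:
        raise ValueError(f"expected <set>/<mask>, got {spec!r}")
    # Only the bits named in the mask are inspected; of those, exactly
    # the bits named before the slash must be set.
    return (to_bits(packet_flags) & to_bits(mask)) == to_bits(want)


def flag_report(conf_text):
    """Return [(flags_spec or None, {packet_name: bool} or None)] per TCP rule."""
    macros, report = {}, []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        macro = MACRO_RE.match(line)
        if macro:
            macros[macro.group(1)] = macro.group(2)
            continue
        # Expand $MACRO references before looking for the flags clause.
        line = re.sub(r"\$(\w+)", lambda m: macros.get(m.group(1), m.group(0)), line)
        if " proto tcp " not in f" {line} ":
            continue
        found = FLAGS_RE.search(line)
        if found is None:
            report.append((None, None))   # rule text carries no flag check
            continue
        spec = found.group(1)
        report.append((spec, {n: matches(spec, f) for n, f in PACKETS.items()}))
    return report


if __name__ == "__main__":
    for spec, verdicts in flag_report(SAMPLE_RULES):
        print(spec, verdicts)
```

With S/SA only SYN and ACK are inspected, so a SYN combined with FIN or RST still matches the rule; S/SAFR (and the equivalent S/FSRA) also requires FIN and RST to be clear.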


Re: Configuring PF

2005-02-17 Thread J65nko BSD
On Wed, 16 Feb 2005 19:18:17 -0700, Pat Maddox [EMAIL PROTECTED] wrote:
 I've managed to come up with something that works so far.  I am having
 two problems though.
 
 The first is that I can't authenticate for IMAP anymore.  No clue why,
 it just keeps rejecting my password.  maillog shows imapd: LOGIN
 FAILED, that's it.
 
 Also, after enabling pf, all my UDP ports show as open.  I've got a ruleset of
 block in log on $ext_if proto udp all
 
 So all UDP ports should be shown as closed.  Doesn't really make any
 sense to me.  Anyone care to help?
 
 Thanks for the help so far.
 
 Pat

Start with a default policy to block and log all traffic 

# --- default policy
block log from any to any

Now you only have to open ports to let traffic in. If you don't know
which port to open for a certain protocol, you can run tcpdump -eni
pflog0. tcpdump will show which rule blocked, and on which port
address combination.

=Adriaan=


Re: keeping freebsd uptodate - doubt

2005-02-05 Thread J65nko BSD
On Fri, 04 Feb 2005 22:16:30 -0600, Billy Newsom [EMAIL PROTECTED] wrote:
 saravanan ganapathy wrote:
 cvsup -g -L 2 /root/ports-supfile

 Once you get your cvsup stuff straightened out, try this script, which I run
 every other day.  Change the Log file if you want.  This updates my sources
 to stable and updates the ports tree.  I use two different cvsup files and
 commands so the two don't get confused.  Don't try to use the same config
 file and cvsup command for the two different types of updates!!  (In my
 experience, you're asking for trouble.)

 You will need to install a few ports first, but you should get the idea.  If
 you read the output every day (or you could email it to yourself, which I may
 eventually do if I like it), you will see which ports need to be updated.
 This script will probably continue to get better as it gets added to.  Like I
 need to include the security audited version of ports that need updated!

 BEGIN CODE... mydaily.sh
 #!/bin/sh
 #
 # Billy borrowed stuff on 12/18/2004 from:
 #http://www.oreillynet.com/pub/wlg/6041?page=last&x-order=date
 #
 LOGF=/var/log/cvsup.log
 echo "START @ `/bin/date`" >> $LOGF
 #/bin/date >> $LOGF
 #use fastest_cvsup to find fastest geographically
 #close mirror; I'll check Canada and the US

 if SERVER=`/usr/local/bin/fastest_cvsup -Q -c ca,us`; then
   echo "Using STABLE Server: $SERVER" >> $LOGF
   /usr/local/bin/cvsup -L1 -h $SERVER -l /var/log/cvs-lock-s \
     /root/stable-supfile >> $LOGF
   echo "STABLE done @ `/bin/date`" >> $LOGF
 else
   echo "cvsup-STABLE has a fastest_cvsup problem on...`/bin/date`" >> $LOGF
 fi

 if SERVER=`/usr/local/bin/fastest_cvsup -Q -c ca,us`; then
   echo "Using PORTS Server: $SERVER" >> $LOGF
   /usr/local/bin/cvsup -L0 -h $SERVER -l /var/log/cvs-lock-p \
     /root/ports-supfile >> $LOGF
   echo "PORTS done @ `/bin/date`" >> $LOGF
 else
   echo "cvsup-PORTS has a fastest_cvsup problem on...`/bin/date`" >> $LOGF
 fi

 #-U (which takes a long time to execute) isn't needed
 #with the fetchindex command
 cd /usr/ports
 make fetchindex >> $LOGF
 /usr/local/sbin/portsdb -u >> $LOGF
 # command1 2>&1 | command2

 # echo Looking for security patches
 # freebsd-update fetch
 # This program not working for me.  unComment above line if it works for U.

 echo "The following ports need upgrading" >> $LOGF
 /usr/local/sbin/portversion -l "<" >> $LOGF
 echo "" >> $LOGF
 echo "STOP at `/bin/date`." >> $LOGF
 echo "" >> $LOGF

 END CODE... mydaily.sh

 --
 Billy

You can use exec at the top of your script to redirect all output
to a file. This way you don't need to add $LOG at the end of each
line.


#!/bin/sh

LOGF=/var/log/cvsup.log

# --- redirect all script output to logfile
exec >${LOGF} 2>&1


=Adriaan=


Re: BIND9 doesn't seem to do anything

2005-01-30 Thread J65nko BSD
On Sat, 29 Jan 2005 17:57:50 -0700, Pat Maddox [EMAIL PROTECTED] wrote:
 The named process is always in the kserel state.  I've got no idea
 what that is, and all I can find on Google is that programs hang in
 that state.  So I don't know what to do.  There's no output, I can't
 find any logs, there's just no way for me to tell what's wrong.
 
 
 On Sat, 29 Jan 2005 15:59:46 -0800, Thomas Foster [EMAIL PROTECTED] wrote:
  you might want to add named_enable=YES in your /etc/rc.conf
 
  check out the following tutorial on setting up Bind9
 
  http://www.section6.net/help/bind.php
 
  Hope this helps..
 
  T
  - Original Message -
  From: Pat Maddox [EMAIL PROTECTED]
  To: freebsd-questions@freebsd.org
  Sent: Saturday, January 29, 2005 3:54 PM
  Subject: BIND9 doesn't seem to do anything
 
  I installed BIND9 from the ports earlier, edited the config files a
   bit, but I can't get it to run at all.  When I type named, or
   /etc/rc.d/named start, there's no output at all, and then I find that
   named isn't running.  I've tried this again with the default install
   as well, without touching and files, but same thing.  There also isn't
   anything in the logs folder, so I guess it's not creating an error log
   of anything.  Any ideas?
  
   Thanks,
   Pat
netstat -an -f inet should show something like this. A nameserver
LISTENing on port 53 for TCP and another line for UDP.

tcp0  0  192.168.222.10.53  *.*LISTEN

udp0  0  192.168.222.10.53  *.* 

=Adriaan=


Re: How does FreeBSD access NetBSD, OpenBSD?

2005-01-28 Thread J65nko BSD
On Thu, 27 Jan 2005 19:17:33 -0800, Loren M. Lang [EMAIL PROTECTED] wrote:
 I have FreeBSD, OpenBSD, and NetBSD on the same hard drive of my system.
 How can I mount the NetBSD or OpenBSD partitions from FreeBSD?
 
 Slice 1 - Ext3fs for data between linux/bsd
 Slice 2 - OpenBSD slice with 4 ufs partitions and swap (a,b,e,f,g)
 Slice 3 - FreeBSD slice with 4 ufs partitions and swap (a,b,d,e,f)
 Slice 4 - Extended slice composed of:
Slice 5 - NetBSD slice with 4 ufs partitions and swap (a,b,e,f,g)
Slice 6 - Unformatted as of yet.
 
 FreeBSD is, of course running fine, but I can't see any of the other
 slices/partitions on the drive including the ext3fs partition.
 $ ls /dev/ad1*
 /dev/ad1/dev/ad1s3  /dev/ad1s3c /dev/ad1s3f
 /dev/ad1s6
 /dev/ad1s1  /dev/ad1s3a /dev/ad1s3d /dev/ad1s4
 /dev/ad1s2  /dev/ad1s3b /dev/ad1s3e /dev/ad1s5
 
 I can seem to access all the linux partitions on my first drive ad0,
 but that drive is only linux so there are no complex partitions in
 slices like on ad1.  I would expect that the nature of geom, I should
 be able to access all the partitions fine, but I might be missing
 something.
[snip]

OpenBSD and NetBSD have one single label for the whole disk or all
slices, unlike FreeBSD that has a separate disklabel for each slice.
See http://www.freebsdforums.org/forums/showthread.php?s=&threadid=27859

=Adriaan=


Re: Adding a partition

2005-01-28 Thread J65nko BSD
On Fri, 28 Jan 2005 15:36:08 +0101, David J. Weller-Fahy
[EMAIL PROTECTED] wrote:
 I left about 26GB free on my 80GB hard drive.  Having found a use for
 that space, I now want to add a partition.  I've not added one by hand,
 and /stand/sysinstall gives me a 'cannot write to ...' message, so I
 want confirmation that what I'm about to do won't crump on me. ;]
 
 System is two 80GB ATA hard drives on a 'Promise PDC20269 UDMA133
 controller' (according to dmesg), with one on each channel (both
 master).  I'm running software raid using atacontrol.
 
 My current partition table follows:
 
 #v+
 dave[tigger]~ sudo bsdlabel ar0s1
 # /dev/ar0s1:
 8 partitions:
 #size   offsetfstype   [fsize bsize bps/cpg]
   a:  104857604.2BSD 2048 16384 8
   b:  2097152  1048576  swap
   c: 1562963220unused0 0 # raw part, don't 
 edit
   d: 73400320 304087044.2BSD 2048 16384 28544
   e:  2097152  31457284.2BSD 2048 16384 28552
   f: 12582912  52428804.2BSD 2048 16384 28552
   g: 12582912 178257924.2BSD 2048 16384 28552
 #v-
 
 To use up the unused space, I believe I need to add the following line:
 
 #v+
   h: 52487298 1038090244.2BSD 2048 16384 28552
 #v-
 
 Could someone who's done that before confirm whether that looks right?
 

First you need to create a FreeBSD slice with fdisk, say /dev/ar0s2.
Only then you can disklabel that /dev/ar0s2.

=Adriaan=


Re: IPSec without AH

2005-01-23 Thread J65nko BSD
On Sun, 23 Jan 2005 13:47:35 +0100, Erik Norgaard [EMAIL PROTECTED] wrote:
 Hi,
 
 Due to the problems of IPSec with NAT I was thinking if it is possible to
 setup IPSec without Authenticated Headers? Does anyone know of a howto?
 
 My postulate is that since data is encrypted, this should provide the
 same security as SSL/TLS - or better as _all_ protocols are encapsulated
 - or did I miss something?
 
 Thanks, Erik

The AH (Authenticated Header) protocol cannot be used with NAT, NAT
modifies the header of packets, while AH is supposed to protect that
header from being modified. Another IPSEC protocol ESP (Encrypted
Security Payload), both authenticates and encrypts, and thus has no
problem with NAT traversal.

BTW I am not an IPSEC expert, just scratched its surface a little bit ;)

=Adriaan=


Re: IPSec without AH

2005-01-23 Thread J65nko BSD
On Sun, 23 Jan 2005 14:54:46 +0100, Erik Norgaard [EMAIL PROTECTED] wrote:
 J65nko BSD wrote:
 Due to the problems of IPSec with NAT I was thinking if it is possible to
 setup IPSec without Authenticated Headers? Does anyone know of a howto?
 
  The AH (Authenticated Header) protocol cannot be used with NAT, NAT
  modifies the header of packets, while AH is supposed to protect that
  header from being modified. Another IPSEC protocol ESP (Encrypted
  Security Payload), both authenticates and encrypts, and thus has no
  problem with NAT traversal.
 
 Thanks, AFAIK, ESP and AH are used in conjunction in IPSec, ESP for
 encrypting the packet payload, and AH for authentication. ESP in it self
 does not provide authentication, but only encrypts the payload - hence
 the names :-)
 
 Since ESP only encrypts the payload, as you say, ESP has no problem with
 NAT, whereas AH appends a signed checksum of the header. And since NAT
 alters the header, verifying the AH fails.
 
 Of course, it requires access to the (public?) keys to create valid
 encrypted packets. Hence, if the public key is kept as a shared secret
 among the authorized users, one could assume that ESP packets are
 authenticated/trusted.
 
 This is my idea, discard AH, rely on ESP and assume that anyone capable
 of producing decryptable packets must have access to the pre-shared
 secret public key and hence authorized.

You are not the first to have this idea. The authors of Secure
Architectures with OpenBSD already published this ;)

 AH would work, if both ends were NATaware, such that the right src/dst
 ip could be inserted in the header before checking. It just occurred to
 me that maybe this could be done by adding yet another IP/IP tunnel?
 
 Cheers, Erik

OpenBSD 3.6 supports NAT traversal. From http://openbsd.org/36.html:

isakmpd(8) now supports NAT-traversal and Dead Peer Detection (RFC 3706).
Don't know how long it would take before this is supported by FreeBSD ;)

=Adriaan=
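
The mechanism discussed in this thread, as an added example that is not code from either poster: an AH-style integrity value computed over the IP header survives a router's TTL decrement but not a NAT source rewrite, while an ESP-style integrity value does not cover the outer IP header at all. Assumptions: HMAC-SHA1 truncated to 96 bits stands in for the integrity algorithm, the key, SPI, addresses and payloads are constructed, and the ESP payload is treated as opaque bytes rather than actually encrypted.

```python
import hashlib
import hmac
import ipaddress
import struct

KEY = b"constructed-demo-key"   # constructed integrity key shared by both peers
SPI, SEQ = 0x1000, 1            # constructed SA identifier and sequence number
PROTO_AH, PROTO_ESP, PROTO_TCP = 51, 50, 6


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Build a minimal 20-byte IPv4 header (checksum left at 0 for the demo)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def icv(data):
    """HMAC-SHA1 truncated to 96 bits, used here for both AH and ESP."""
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]


def ah_icv(ip_hdr, payload):
    """AH covers the IP header (mutable fields zeroed), the AH header and the payload."""
    hdr = bytearray(ip_hdr)
    hdr[1] = 0                 # TOS may change in transit
    hdr[6:8] = b"\x00\x00"     # flags / fragment offset
    hdr[8] = 0                 # TTL is decremented by every router
    hdr[10:12] = b"\x00\x00"   # header checksum changes with the TTL
    # AH header: next header, length, reserved, SPI, sequence, ICV field zeroed.
    ah_hdr = struct.pack("!BBHII", PROTO_TCP, 4, 0, SPI, SEQ) + bytes(12)
    return icv(bytes(hdr) + ah_hdr + payload)


def esp_icv(ciphertext):
    """ESP integrity covers the ESP header and ciphertext, not the outer IP header."""
    return icv(struct.pack("!II", SPI, SEQ) + ciphertext)


def decrement_ttl(ip_hdr):
    """What an ordinary router does to the header."""
    hdr = bytearray(ip_hdr)
    hdr[8] -= 1
    return bytes(hdr)


def nat_rewrite_source(ip_hdr, new_src):
    """What a NAT gateway does: replace the source address (bytes 12..15)."""
    return ip_hdr[:12] + ipaddress.IPv4Address(new_src).packed + ip_hdr[16:]


def demo():
    payload = b"constructed upper-layer segment"
    ciphertext = bytes(range(32))   # stands in for the encrypted ESP payload

    # Sender side: compute the integrity values before the packets leave.
    ah_hdr = ipv4_header("192.168.1.10", "203.0.113.5", PROTO_AH, 24 + len(payload))
    sent_ah = ah_icv(ah_hdr, payload)
    esp_hdr = ipv4_header("192.168.1.10", "203.0.113.5", PROTO_ESP,
                          8 + len(ciphertext) + 12)
    sent_esp = esp_icv(ciphertext)

    # In transit: one router hop, then a NAT gateway rewriting the source.
    routed = decrement_ttl(ah_hdr)
    natted = nat_rewrite_source(routed, "198.51.100.7")
    esp_natted = nat_rewrite_source(decrement_ttl(esp_hdr), "198.51.100.7")

    # Receiver side: recompute over what actually arrived and compare.
    return {
        "ah_ok_after_router": hmac.compare_digest(ah_icv(routed, payload), sent_ah),
        "ah_ok_after_nat": hmac.compare_digest(ah_icv(natted, payload), sent_ah),
        "esp_ok_after_nat": hmac.compare_digest(esp_icv(ciphertext), sent_esp),
        "esp_header_changed": esp_natted != esp_hdr,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```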


Re: 'nat pass' not working in PF

2005-01-21 Thread J65nko BSD
On Fri, 21 Jan 2005 08:20:45 -0600, Andrew L. Gould [EMAIL PROTECTED] wrote:
 I'm running pf in FreeBSD 5.3 on my laptop.  The filters for the local
 box work fine.
 
 I'm also working on a pc for a friend; but ran out of ethernet ports in
 my router.  This pc doesn't have a wireless adapter; so I adjusted my
 pf rules to use my laptop as a gateway for the pc.
 
 I want my filters to remain intact for the laptop; but I want nat to let
 all the pc's traffic through.  (It has its own firewall.) According
 the OpenBSD pf tutorial, adding the word 'pass' after 'nat' in the nat
 command will allow nat traffic to bypass the filter rules.
 Unfortunately, this doesn't seem to work.
 
 If my default 'block log all' rule is left uncommented, I can only ping
 ip addresses (not host names that require nameservers).  No other
 activity passes through.  If I comment it out, all traffic passes; but
 my laptop is left unprotected.
 
 Any advice?
 
 The relevant lines from my pf rules follow:
 
 ifdev = ath0
 natdev = fxp0
 scrub in all no-df
 nat pass on $ifdev from $natdev:network to any - $ifdev
 icmp_types = echoreq
 block log all
 #other filtering rules follow
 
 Thanks,
 
 Andrew Gould
How about something like this:
EXT_IF = "fxp0"
INT_IF = "xl0"

TCP_OUT = "{ ssh, www, https, smtp, pop3 }"
UDP_OUT = "{ domain }"
ICMP_OUT = "echoreq"

scrub in all no-df

nat on $EXT_IF from $INT_IF:network to any -> $EXT_IF

# -- default policy
block log from any to any

# -- LOOPBACK
pass quick on lo0 from any to any

# -- EXTERNAL

# -- tcp
pass out quick on $EXT_IF inet proto tcp from any to any port $TCP_OUT \
    flags S/SA keep state

# -- udp
pass out quick on $EXT_IF inet proto udp from any to any port $UDP_OUT \
    keep state

# -- icmp
pass out quick on $EXT_IF inet proto icmp from any to any \
    icmp-type $ICMP_OUT keep state

# -- INTERNAL
pass on $INT_IF from any to any

=Adriaan==


Re: Sendmail: host name lookup failure

2005-01-20 Thread J65nko BSD
On Thu, 23 Dec 2004 15:09:08 +1030, Paul A. Hoadley
[EMAIL PROTECTED] wrote:
 On Mon, Dec 20, 2004 at 10:54:42PM +1030, Paul A. Hoadley wrote:
 
  I have actually solved the problem.  I intend to post a summary for
  the archive when I return to the site later in the week, at which
  time I'll be able to identify the OS/nameserver combination at
  fault.
 
 I am told it's running Windows 2000 DNS Server.  Presumably that's
 Microsoft's own DNS implementation built into Windows 2000.
 
  Here's a teaser, though: it's a Microsoft product (I just don't know
  which), and it's returning SERVFAIL status for a  record query.
 
 Sometimes it behaves:
 
  dig tsb.coremedicalsolutions.com. 
 
 ; <<>> DiG 9.3.0 <<>> tsb.coremedicalsolutions.com. 
 ;; global options:  printcmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8959
 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
 
 ;; QUESTION SECTION:
 ;tsb.coremedicalsolutions.com.  IN  
 
 ;; AUTHORITY SECTION:
 coremedicalsolutions.com. 3600  IN  SOA 
 archibald2.coremedicalsolutions.com. marc.coremedicalsolutions.com. 1480 900 
 600 86400 3600
 
 ;; Query time: 281 msec
 ;; SERVER: 192.168.10.2#53(192.168.10.2)
 ;; WHEN: Thu Dec 23 15:03:23 2004
 ;; MSG SIZE  rcvd: 98
 
 But sendmail seems intent on asking for just about every permutation
 on each domain name involved, so sometimes it returns the bogus
 answer:
 
  dig tsb 
 
 ; <<>> DiG 9.3.0 <<>> tsb 
 ;; global options:  printcmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 43109
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
 
 ;; QUESTION SECTION:
 ;tsb.   IN  
 
 ;; Query time: 245 msec
 ;; SERVER: 192.168.10.2#53(192.168.10.2)
 ;; WHEN: Thu Dec 23 15:04:42 2004
 ;; MSG SIZE  rcvd: 21
 
 (By 'sometimes' I don't mean it's non-deterministic.  Every time
 sendmail asks for the  record of an unqualified hostname, the
 nameserver responds with SERVFAIL.)
 
 The consequence of this is that sendmail repeatedly defers delivery
 until the mail expires.
 
  Curiously, sendmail's WorkAroundBroken option did not help, and
  I don't know why.  Daryl Tester suggested using a mailertable entry,
  and this worked.
 
 I still don't know why WorkAroundBroken isn't working in this
 case.

From [EMAIL PROTECTED] Fri Jan 21 03:59:02 2005
Date: Fri, 21 Jan 2005 03:58:59 +0100 (CET)
From: J65nko BSD [EMAIL PROTECTED]
To: [EMAIL PROTECTED]


A couple of months ago some root servers started doing something they 
never did before:  handing out IPV6 referrals

$ dig +norecurse kpn.com @a.root-servers.net

; <<>> DiG 9.2.3 <<>> +norecurse kpn.com @a.root-servers.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25453
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 14

;; QUESTION SECTION:
;kpn.com.                       IN      A

;; AUTHORITY SECTION:
com.                    172800  IN      NS      A.GTLD-SERVERS.NET.
com.                    172800  IN      NS      G.GTLD-SERVERS.NET.
com.                    172800  IN      NS      H.GTLD-SERVERS.NET.
com.                    172800  IN      NS      C.GTLD-SERVERS.NET.
com.                    172800  IN      NS      I.GTLD-SERVERS.NET.
com.                    172800  IN      NS      B.GTLD-SERVERS.NET.
com.                    172800  IN      NS      D.GTLD-SERVERS.NET.
com.                    172800  IN      NS      L.GTLD-SERVERS.NET.
com.                    172800  IN      NS      F.GTLD-SERVERS.NET.
com.                    172800  IN      NS      J.GTLD-SERVERS.NET.
com.                    172800  IN      NS      K.GTLD-SERVERS.NET.
com.                    172800  IN      NS      E.GTLD-SERVERS.NET.
com.                    172800  IN      NS      M.GTLD-SERVERS.NET.

;; ADDITIONAL SECTION:
A.GTLD-SERVERS.NET.     172800  IN      AAAA    2001:503:a83e::2:30
A.GTLD-SERVERS.NET.     172800  IN      A       192.5.6.30
G.GTLD-SERVERS.NET.     172800  IN      A       192.42.93.30
H.GTLD-SERVERS.NET.     172800  IN      A       192.54.112.30
C.GTLD-SERVERS.NET.     172800  IN      A       192.26.92.30
I.GTLD-SERVERS.NET.     172800  IN      A       192.43.172.30
B.GTLD-SERVERS.NET.     172800  IN      AAAA    2001:503:231d::2:30
B.GTLD-SERVERS.NET.     172800  IN      A       192.33.14.30
D.GTLD-SERVERS.NET.     172800  IN      A       192.31.80.30
L.GTLD-SERVERS.NET.     172800  IN      A       192.41.162.30
F.GTLD-SERVERS.NET.     172800  IN      A       192.35.51.30
J.GTLD-SERVERS.NET.     172800  IN      A       192.48.79.30
K.GTLD-SERVERS.NET.     172800  IN      A       192.52.178.30
E.GTLD-SERVERS.NET.     172800  IN      A       192.12.94.30

;; Query time: 115 msec
;; SERVER: 198.41.0.4#53(a.root-servers.net)
;; WHEN: Fri Jan 21 01:06:01 2005
;; MSG SIZE  rcvd: 497

Somehow an IPV6 referral may entice a nameserver into actually issuing a 
query via IPV6. BIND in the OpenBSD base

Re: Copying directory trees only for new files

2005-01-09 Thread J65nko BSD
On Mon, 10 Jan 2005 00:08:35 +0100, Anthony Atkielski
[EMAIL PROTECTED] wrote:
 What's the safest and most elegant way to copy an entire directory tree
 such that only newer files and directories are actually copied?
 

Have a look at rsync http://rsync.samba.org/ It is in ports ;)

[snip]


Re: IPFW and whois lookup

2005-01-08 Thread J65nko BSD
On Fri, 7 Jan 2005 19:33:32 -0700, V Foulk [EMAIL PROTECTED] wrote:
[snip]
 
 # ipfw list
 65535 allow ip from any to any
 
 I did have more elaborate rule sets that worked great, with the
 exception of the whois/hostname lookups.

 

$ grep whois /etc/services
whois   43/tcp  nicname

In pf the following rule would allow whois requests, initiated by
clients behind the firewall

pass out quick on xl0 proto tcp from any to any port = whois flags S/SA modulate state


[snip]



Re: Packet filtering with pf and gif tunnels.

2005-01-08 Thread J65nko BSD
On Sun, 9 Jan 2005 00:23:55 +, Lewis Thompson [EMAIL PROTECTED] wrote:
 Hi,
 
 I am wondering what sequence a packet goes through when it is passing
 through a gif tunnel.  I have the following interface and gif tunnel
 (with the equivalent being on the same subnet at the other side):
 
 fxp0: a.a.a.a/24
 gif0: a.a.a.a - a.a.a.b (192.168.0.1/32 - 192.168.0.2/32)
 
 My question is really what order does the packet pass through my
 firewall (pf) in?  i.e., is it:
 
 in on fxp0 from a.a.a.b to a.a.a.a
 (unencapsulated)
 in on gif0 from 192.168.0.2 to 192.168.0.1
 
 or does it just magically ``appear'' on gif0 straight away?  Now I write
 it out I am assuming that it passes through pf twice (first on fxp0 and
 secondly on gif0); if this is in fact the case, what sensible rule might
 I add to allow this encapsulated traffic from a.a.a.b?
 
 Currently I have pf configured as follows:
 
 pass all
 
 pass quick proto icmp
 
 block in on fxp0
 pass out on fxp0 keep state
 pass in on fxp0 proto tcp from any to fxp0 port 22 keep state
 
 The reason I ask this question is that for my tunnel endpoints to ping
 each other, a.a.a.a must be doing so (a.a.a.b has no firewall).
 
   Thank you,
 
 -Lewis Thompson.

For some debugging strategies in a similar case with IPSEC see
http://www.bsdforums.org/forums/showthread.php?s=threadid=18601


Re: sendmail and mbox permissions

2005-01-05 Thread J65nko BSD
On Wed, 5 Jan 2005 23:23:29 +0300, Eugene M. Minkovskii [EMAIL PROTECTED] 
wrote:
 Hi.
 
 I use FreeBSD 5.3 and sendmail. When root receives mail, the
 mailbox's (/var/mail/root) permission bits are set to
 600. Who does this, and how? Can I change this behavior?
 
 --

For security reasons, the root account should not receive any mail.
One of sendmail's alternatives, qmail, will even NEVER send any mail
to the root account.

Enter an alias for root in /etc/mail/aliases and run the newaliases command.


Re: defered mail

2005-01-03 Thread J65nko BSD
On Mon, 3 Jan 2005 10:23:07 +0200, tethys ocean [EMAIL PROTECTED] wrote:
 My problem is about deferred mail.  On our server sendmail is running
 and sometimes some mail deferred. I am researching how I can get
 managed to send defer mail information to senders?  I am taking a mail
 from root but sender didn't take a mail that consist your mail deferred
 bla bla blaso I will take next tree minutes.. is it possible? if
 it is possible how I can manage?
 
 in sendmail.cf
 
  O Timeout.queuereturn=2d
  O Timeout.queuewarn=4h
  O Timeout.queuewarn.normal=4h
 
 mailq
 /var/spool/mqamavis (5 requests)
 -Q-ID- --Size-- -Q-Time-
  Sender/Recipient---
  iBVC8fpT049046-6361 Fri Dec 31 14:12 [EMAIL PROTECTED]
   (host map: lookup (bbscomputer.net): deferred)
   [EMAIL PROTECTED]
  iBVCIB9u051147-6361 Fri Dec 31 14:21 [EMAIL PROTECTED]
   (host map: lookup (bbscomputer.net): deferred)
   [EMAIL PROTECTED]
  iBVDjmck072838-   19579 Fri Dec 31 15:46 [EMAIL PROTECTED]
   (host map: lookup (gesan.com.tr): deferred)
   [EMAIL PROTECTED]
  iBV68HLM055154-  30 Fri Dec 31 08:08 [EMAIL PROTECTED]
   (host map: lookup (active.net): deferred)
   [EMAIL PROTECTED]
  iBVAnlhq030740-  354708 Fri Dec 31 12:49 [EMAIL PROTECTED]
   (host map: lookup (jungletree.org): deferred)
   [EMAIL PROTECTED]
  Total requests: 5

As far as I can see, there is not much that you can do about it ;)

$ host bbscomputer.net 
;; connection timed out; no servers could be reached

$ host gesan.com.tr
Host gesan.com.tr not found: 2(SERVFAIL)

$ host active.net 
active.net has address 12.161.44.180
$ host -t mx active.net
active.net mail is handled by 10 mail.active.net.
$ host mail.active.net
Host mail.active.net not found: 3(NXDOMAIN)

$ host jungletree.org 
Host jungletree.org not found: 3(NXDOMAIN)

=Adriaan=


Re: basic freebsd programming

2005-01-02 Thread J65nko BSD
On Sun, 02 Jan 2005 21:11:42 +0300, Andrew P. [EMAIL PROTECTED] wrote:
 Hello and Happy New Year!
 
 I need to write some very basic C programs under FreeBSD. I am new to
 Unix programming and not very good at C programming either, so I'm
 looking for documentation on some topics. The ones that are the most
 interesting for me now is how to write small daemons best and how to
 read ipfw info from a program. Man pages help me very much, but I really
 need some guide. The problem is that doc project doesn't seem to have
 released anything like it. I looked through dev-, arch-, porters-
 handbooks, read design-44bsd - but I didn't find what I want.
 
 Of course I can refresh my C skills and gain some Unix-coding knowledge
 by reading a couple' thousand pages, but I don't feel like it's
 necessary for what I want to write - just a basic statistics collector.
 
 Should I explore FreeBSD source code or is there some solid piece of
 documentation?
 
 Best wishes,
 Andrew P. 

This could be useful: http://www.khmere.com/freebsd_book/index.html

Table of Contents:

* I. Introduction
* Chapter 1: FreeBSD's Make
* Chapter 2: Bootstrapping BSD
* Chapter 3: Processes and Kernel Services
* Chapter 4: Advanced Process Controls and Signals
* Chapter 5: Basic I/O
* Chapter 6: Advanced I/O
* Chapter 7: Processes Resources and System Limits
* Chapter 8: FreeBSD 5.x
* All source code
* Entire book in a tarball

==Adriaan==


Re: DNS TTL problem

2004-12-22 Thread J65nko BSD
On Wed, 22 Dec 2004 12:47:34 +0100, Mark Frasa [EMAIL PROTECTED] wrote:
 Hello,
 
 I am using a djbdns DNS server which operates almost perfect.
 
 There is 1 small problem, i have for my domain frasa.net 2 nameservers:
 
 frasa.net.  3600  IN  NS  ns1.frasa.net.
 frasa.net.  3600  IN  NS  ns2.frasa.net.
 
 This is when i resolve directly on ns1.frasa.net or ns2.frasa.net
 
 When I resolve on my ISP's nameserver and several others:
 
 frasa.net.  172800  IN  NS  ns1.frasa.net.
 frasa.net.  172800  IN  NS  ns2.frasa.net.
 
 The problem is that this is a TTL of 2 days. When i Trace the dig, I see that
 the root servers are providing the 2 days TTL:
 
 ;; Received 512 bytes from 198.32.64.12#53(l.root-servers.net) in 169 ms
 
 frasa.net.  172800  IN  NS  ns1.frasa.net.
 frasa.net.  172800  IN  NS  ns2.frasa.net.
 ;; Received 95 bytes from 192.42.93.30#53(G.GTLD-SERVERS.net) in 154 ms
 
 Can anyone explain this behaviour?
 
Yes, you have something like this in your tinydns data file:
.frasa.net:80.69.78.171:ns1.frasa.net:3600
.frasa.net:80.69.78.172:ns2.frasa.net:3600

If you change the 3600 into a higher number, like 172800, you will
have the same TTL as the GTLD-SERVERS.net servers ;)

== Adriaan ===


Re: Desperate for Help

2004-12-21 Thread J65nko BSD
On Tue, 21 Dec 2004 17:24:02 -0500, alfredo perez
[EMAIL PROTECTED] wrote:
 Hello list
 
 I have been trying to set up my FreeBSD 5.3 to get my emails with no
 results. I have installed and set up Mutt, Ssmtp and Fetchmail. None of
 them are working properly. I have no idea where to start first. I have
 already read the man pages and followed several how-tos I found on the
 internet but no results. I was wondering if any of you know of a web
 site with steps that I can follow to set up my Mutt, fetchmail and
 ssmtp. I don't want to give up on this!!!
 
 THANKS

Start with fetchmail. You need a .fetchmailrc file in your home
directory. Some examples

poll pop.domain2.com  protocol POP3 timeout 60 no dns
user loginname password 'poppassword' is homedirowner here,
options fetchall fetchlimit 0

poll pop3.domain.com protocol POP3
user [EMAIL PROTECTED] password poppasswd is homedirowner here,
options fetchall

As you can see some ISP's require only your login name, others require
[EMAIL PROTECTED]. You can run fetchmail -v to see where you
get stuck.

This is an example for Google's Gmail, using SSL

poll pop.gmail.com protocol POP3  timeout 60 no dns
   user gmailname password gmailpassword ssl  is homedirowner here,
   options fetchall fetchlimit 0

If you are new to all this MTA, MUA and SMTP thing, you could consider
using Pine. mutt is nice but as a beginner Pine is probably easier to
understand and configure than mutt.

Just take step by step ;)

J65nko


Re: X kills su

2004-12-18 Thread J65nko BSD
On Sat, 18 Dec 2004 11:31:24 -0500, Robert William Vesterman
[EMAIL PROTECTED] wrote:
 After I exit from X windows, I no longer have the ability to su (to
 root, at least).  It doesn't even ask for my password - it just
 immediately says bad su from myacct to root.
 
 If I then exit, and immediately log back in as myacct, I am able to su
 to root no problem.
 
 I am running 5.3-STABLE, and the latest X (or very, very near it).  It
 happens with at least two distinct WMs (Window Maker and Fluxbox).
 
 Any idea? Or any further information I can provide?
 
 Thanks,
 
 Bob Vesterman.

Did you change your root shell recently?

Somebody on the list reported about the system's inability to run ppp
from boot-up. His problem was caused by using bash as the root shell.
Restoring sh as the root shell fixed it :)


Re: OT: Backing up machine to machine, cvsup vs. rsync vs... ?

2004-12-09 Thread J65nko BSD
On Thu, 9 Dec 2004 14:14:53 -0500, Communications Machine
[EMAIL PROTECTED] wrote:
 Hey all,
 
 Looking for a (cheap but effective) solution to nightly backup or
 synchronize about 100-200gigs of data. Figure this might be a tad bit
 off-topic, but sent to the general questions list hoping to find anyone out
 there doing something similar. I was hoping to do something along the lines
 of cvsup or rsync, so-as to only have to sync changes daily.
 
 Here's a better picture of the scenario:
 ~~
 File Server 1 has (roughly) 750GB Storage on RAID 5 Array, runs as a PDC
 using combination of Samba, OpenLDAP and some in-house utilities. This
 machine is very fast by comparasin to all of our other machines (dual AMD
 Opteron 244, 2GB RAM, running 5.3-RELEASE/amd64), and runs under minimal
 load/stress.
 
 Server two runs as an incoming filter for email
 (spamassassin/mimedefang/custom stuff using milter interface), and as a
 proxy server for network users during the day (running squid). This machine
 is considerably slower (AMD 350Mhz K62, 768Mb RAM, ATA133 disks running
 4.9-RELEASE/i386), but should be adequate for the job. This machine has two
 80GB disks which we'd like to use to sync data to.
 
 Ideally, we would like to backup certain directories nightly, so as to have
 a mirror of the important files (100-200GB or so) on the second server in
 the event that the first ever goes down, (essentially avoiding a tape-backup
 solution we cannot afford).
 
 The two machines will be connected with a dedicated ethernet link (cross
 cable) directly to each other at 100Mbps.
 
 How do I reliably synchronize the data in selected directories from one
 machine to the other on a nightly basis? Any
 ideas/suggestions/comments/questions will be greatly appreciated.
 
 --
 Thank-you
 Nathan Vidican
 [EMAIL PROTECTED]

I will skip the rsync or cvsup issue ;)

Have you considered the security implications of such a setup? A
publicly accessible email server, handling incoming mail, directly
connected to a corporate file server. That is a security nightmare.
You would be playing with fire. In case the mail server gets hacked,
the attacker has direct access to your mission critical file server.
Please put this out of your mind ;)

The sendmail box belongs in a properly set up DMZ firewall and should not
be allowed to initiate any connections with any of your internal
network boxes. If that box gets hacked, it cannot be used to launch an
attack against your local network.


Get a refurbished PII or PIII box to do the backup.


Adriaan
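
The DMZ isolation described in the reply above, sketched as a pf ruleset for a firewall with separate Internet, DMZ and LAN interfaces. This is an added example, not part of the original post; the interface names, both addresses and the admin host are assumptions, and rules for LAN Internet access are left out.

```pf
# Added example, not from the original post. Interface names are assumed;
# 192.0.2.25 and 10.0.0.5 are constructed addresses.
ext_if   = "fxp0"          # Internet
dmz_if   = "xl1"           # DMZ segment with the mail server
int_if   = "xl0"           # internal LAN with the file server
mail_srv = "192.0.2.25"    # sendmail box in the DMZ
admin_pc = "10.0.0.5"      # internal workstation allowed to administer it

scrub in all no-df

# -- default policy: drop and log whatever no later rule passes
block log all
pass quick on lo0 all

# -- DMZ -> LAN: nothing on the DMZ may open a connection to the LAN.
#    'quick' ends evaluation here, so no later pass rule can override it.
#    Replies to connections opened from the LAN still get through,
#    because they match existing state and skip the ruleset.
block in log quick on $dmz_if from any to $int_if:network

# -- Internet -> DMZ: inbound SMTP to the mail server only
pass in  on $ext_if inet proto tcp from any to $mail_srv port smtp flags S/SA keep state

# -- LAN -> DMZ: mail submission from the LAN, ssh from the admin host
pass in  on $int_if inet proto tcp from $int_if:network to $mail_srv port smtp flags S/SA keep state
pass in  on $int_if inet proto tcp from $admin_pc to $mail_srv port ssh flags S/SA keep state

# -- traffic leaving the firewall toward the mail server
pass out on $dmz_if inet proto tcp from any to $mail_srv port smtp flags S/SA keep state
pass out on $dmz_if inet proto tcp from $admin_pc to $mail_srv port ssh flags S/SA keep state

# -- DMZ -> Internet: the mail server sends mail and resolves names
pass in  on $dmz_if inet proto tcp from $mail_srv to any port smtp flags S/SA keep state
pass in  on $dmz_if inet proto udp from $mail_srv to any port domain keep state
pass out on $ext_if inet proto tcp from $mail_srv to any port smtp flags S/SA keep state
pass out on $ext_if inet proto udp from $mail_srv to any port domain keep state
```

With this layout a backup host on the LAN can pull data over a connection it opens itself, while a compromised mail server has no rule that lets it start a session toward the file server.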