Re: Outbound SMTP filtering

2004-08-10 Thread Nick Rogness
On Tue, 10 Aug 2004, Warren Block wrote:
On Mon, 9 Aug 2004, Nick Rogness wrote:
I am looking for an Outbound SMTP filtering solution to prevent SPAM 
and Virii from being sent through our SMTP relay machine (FreeBSD 
running sendmail).

A plugin module for sendmail or maybe some external appliance?  Just 
outbound SMTP traffic only.  Any suggestions?
greylist-milter and clamav-milter are doing well for me.  They both scan 
outbound mail, although I'm not sure if it's possible to set 
clamav-milter to scan only outbound mail.
I guess I'm looking for more of a commercial solution.  That is, I
don't want to have to perform a lot of administration of adding
filters and virus signatures constantly.
Maybe I need to look more at a commercial appliance?  Anyone have
any recommendations?  I just want an Outbound solution!
Nick Rogness [EMAIL PROTECTED]
-
  How many people here have telekinetic powers? Raise my hand.
-Emo Philips
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Outbound SMTP filtering

2004-08-09 Thread Nick Rogness
I am looking for an Outbound SMTP filtering solution to prevent SPAM and 
Virii from being sent through our SMTP relay machine (FreeBSD running 
sendmail).

A plugin module for sendmail or maybe some external appliance?  Just 
outbound SMTP traffic only.  Any suggestions?

Nick Rogness [EMAIL PROTECTED]


Lilliput 7 Touch screen

2004-06-09 Thread Nick Rogness

Does anyone have a FreeBSD driver for the Lilliput 7 touch screen 
that works or is in development?  I know the Linux folks have one out there.  

It has a USB output jack that I'm assuming works like a USB mouse.

Any advice?

-- 
Nick Rogness [EMAIL PROTECTED]


make buildworld fails

2004-01-19 Thread Nick Rogness

I cvsup'd just a few minutes ago and tried a make buildworld.  Any hints 
as to why I'm failing out?  Details below:


# uname -a
FreeBSD cody.jharris.com 4.9-RELEASE FreeBSD 4.9-RELEASE #0: Mon Oct 27 
17:51:09 GMT 2003 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/GENERIC  i386

# cd /usr/src && make buildworld

SNIP
rm -f .depend
mkdep -f .depend -a -D_GNU_SOURCE -I. 
-I/usr/src/gnu/usr.bin/binutils/objdump 
-I/usr/src/gnu/usr.bin/binutils/objdump/../libbfd/i386 
-I/usr/src/gnu/usr.bin/binutils/objdump/../../../../contrib/binutils/include 
-I/usr/src/gnu/usr.bin/binutils/objdump/../libbinutils 
-I/usr/src/gnu/usr.bin/binutils/objdump/../../../../contrib/binutils/binutils 
-DBFD_VERSION_STRING=\"2.12.1 [FreeBSD] 2002-07-20\" -D__FBSDID=__RCSID  
/usr/src/gnu/usr.bin/binutils/objdump/../../../../contrib/binutils/binutils/objdump.c 
/usr/src/gnu/usr.bin/binutils/objdump/../../../../contrib/binutils/binutils/prdbg.c
/usr/src/gnu/usr.bin/binutils/objdump/../../../../contrib/binutils/binutils/objdump.c:1553: unterminated character constant
mkdep: compile failed
*** Error code 1

Stop in /usr/src/gnu/usr.bin/binutils/objdump.
*** Error code 1

Stop in /usr/src/gnu/usr.bin/binutils.
*** Error code 1

Stop in /usr/src.
*** Error code 1

Stop in /usr/src.
*** Error code 1

Stop in /usr/src.


-- 
Nick Rogness [EMAIL PROTECTED]


Re: make buildworld fails

2004-01-19 Thread Nick Rogness
On Mon, 19 Jan 2004, Kevin D. Kinsey, DaleCo, S.P. wrote:

 Nick Rogness wrote:
 
 I cvsup'd just a few minutes ago and tried a make buildworld.  Any hints 
 as to why I'm failing out?  Details below:
 
 /usr/src/gnu/usr.bin/binutils/objdump/../../../../contrib/binutils/binutils/objdump.c:1553: unterminated character constant
 mkdep: compile failed
   
 
 
 Yes  ;-)
 
 There is an unterminated character constant in line 1553 of objdump.c
 in the directory given by the error message.
 
 Suppose there's a semicolon missing there?
 
 However, as Kent Stewart has noticed, it's a real good idea to make sure
 you're building the correct src tree first.  AFAIK, 5.x is using
 different build tools.

Forgot to mention, this is the 4 branch.



-- 
Nick Rogness [EMAIL PROTECTED]


Re: make buildworld fails

2004-01-19 Thread Nick Rogness
On Mon, 19 Jan 2004, Kent Stewart wrote:

 On Monday 19 January 2004 11:55 am, Nick Rogness wrote:
  On Mon, 19 Jan 2004, Kevin D. Kinsey, DaleCo, S.P. wrote:
   Nick Rogness wrote:
   I cvsup'd just a few minutes ago and tried a make buildworld.  Any
hints as to why I'm failing out?  Details below:
   
   /usr/src/gnu/usr.bin/binutils/objdump/../../../../contrib/binutils
   /binutils/objdump.c:1553: unterminated character constant
   mkdep: compile failed
  
   Yes  ;-)
  
   There is an unterminated character constant in line 1553 of
   objdump.c in the directory given by the error message.
  
   Suppose there's a semicolon missing there?
  
   However, as Kent Stewart has noticed, it's a real good idea to make
   sure you're building the correct src tree first.  AFAIK, 5.x is
   using different build tools.
 
  Forgot to mention, this is the 4 branch.
 
 All of the RELENG_4 have the following line at objdump.c:1553
   fatal (_("Can't use supplied machine %s"), machine);
 
 What do you have? That line has a matched pair of 's. It sounds like
 you have a corrupted source. The usual fix is to delete it and recvsup.  
 Since, you still really haven't told us what you cvsup'ed, you should
 include in-line a copy of your cvsup file, so that we know what we are
 trying to diagnose :).

I cvsup'd the whole system from the stable-supfile 
provided in /usr/share/examples/cvsup.  That is what was meant by 
'the 4 branch' above.  The entire source tree (RELENG_4), like I've 
done thousands of times.

It appears to be dying in another place this time.  I think it is 
probably memory or some other hardware problem.  Anybody had 
this experience with hardware and building?

-- 
Nick Rogness [EMAIL PROTECTED]


Re: Anyone using Linux-PAM on 5.x?

2003-10-05 Thread Nick Rogness
On Sat, 4 Oct 2003, Kris Kennaway wrote:

 On Sat, Oct 04, 2003 at 02:12:53PM -0600, Joe Lewis wrote:
  Question for you guru's;
 
 I've been trying to install a PAM module on my FreeBSD 5.1 system.
 Unfortunately, someone thought they were bright and included OpenPAM,
 which would be fine and dandy except for it is installed by default as
 static.  This means PAM is now AM, because nothing is pluggable.  And
 the documentation on getting a 3rd party module to work is like slitting
 your wrists and doing pushups in salt water.

What is the PAM module?  Where are you having problems, compiling?
How about some logs or error messages or something.  How about the
PAM module code itself?  Send more info and, as Kris suggested,
be a tad more professional or at least polite ;-P

There have been PAM changes from 4.X to 5.X, mostly just changing
a few things.  I've had to change my PAM module several times, I
do it by simply looking at existing PAM modules and determining
what's changed.

Nick Rogness [EMAIL PROTECTED]


Re: Perl cgi redirect not working

2003-10-05 Thread Nick Rogness
On Wed, 1 Oct 2003, Charles Howse wrote:

 Hi,

 I'm *copying an example* perl cgi script from FreeBSD Unleashed pp.
 699. I have 2 issues.

 1. The redirect on the last line isn't working.  It opens a blank page
 and prints the text Location: http://howse.no-ip.org/thanks.shtml;.
 That's not what I want.  I want to open the page thanks.shtml.

 2. I can't see the text in the book clear enough to know whether the
 characters I've marked with ^ should be dashes or tildies.

 I've Googled for the redirect, and tried a few examples, no joy. Would
 someone be kind enough to help?


 #!/usr/bin/perl

 read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
 @pairs = split(/&/, $buffer);
 foreach $pair (@pairs)
 {
 ($name, $value) = split(/=/, $pair);
 $value =~ tr/+/ /;
 ^
 $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
 ^
 $value =~ s/~!/ ~!/g;
 ^   ^   ^
 $FORM{$name} = $value;
 }

 print "Content-type: text/html\n\n";

 open (MAIL, "| /usr/sbin/sendmail -oi -t");
 print MAIL "From: $FORM{'name'} <$FORM{'email'}>\n";
 print MAIL "To: charles\n";
 print MAIL "Subject: Contact form output\n\n";
 print MAIL "$FORM{'name'}, from $ENV{'REMOTE_HOST'}
 ($ENV{'REMOTE_ADDR'}), has sent you the following comment:\n\n";
 print MAIL "$FORM{'comment'}\n";
 close (MAIL);

 print "Location: http://howse.no-ip.org/thanks.shtml\n\n";


1) This is a little extreme for a simple redirect.  A simple 3 liner will
   do the trick:

  #!/usr/bin/perl

  print "Location: http://howse.no-ip.org/thanks.shtml\n\n";
  exit;


2) They are supposed to be tildes (~).

Nick Rogness [EMAIL PROTECTED]


Re: Courier IMAPd and UW IMAPd Very Slow

2003-09-16 Thread Nick Rogness
On Tue, 16 Sep 2003, Jason L. Schwab wrote:

 Heya Folks;

   I've been looking into setting up IMAPd support
   on my mail servers, and i got it working with
   both UW and Courier, but both seem to take way
   to long (upwards of minutes) to login and fetch
   my mail. (like 10 messages) on the test acct.

I would not blame the software so quickly.  We run imap-uw on very
heavily loaded boxes and rarely see problems with it.  Sure it's
not the fastest but minutes of wait?  No.  I would suggest looking
at:

1) DNS issues (resolution issues)
2) If it's login related checking into PAM issues (DB issues)
3) Check network problems (Duplex mismatch? Congestion?)
4) Check hardware problems (Disk especially)



Nick Rogness [EMAIL PROTECTED]


Re: Frontpage perils

2003-08-10 Thread Nick Rogness
On Tue, 5 Aug 2003, Mark wrote:

[SNIP]
 No errors reported, and it seems to have installed just fine; it says I
 have a valid httpd, and httpd.conf has been changed to contain these two
 lines:

 LoadModule frontpage_module   libexec/apache/mod_frontpage.so
 AddModule mod_frontpage.c

 And those files exist in the right place. All as expected. Then I try
 and start the httpd daemon:

 -
 asarian-host: {root} % /usr/local/sbin/httpd -DSSL
 Syntax error on line 5 of /usr/local/etc/apache/httpd.conf:
 Invalid command 'FrontPageEnable', perhaps mis-spelled or defined by a
 module not included in the server configuration
 -

 Eh? FrontPageEnable should be available when mod_frontpage has loaded. And
 mod_ssl, in case you wondered, works fine by itself. And, unfortunately,
 /var/log/httpd-error.log has no error-messages for this occasion.

 So, what am I missing again? suexec (which I believe is mandatory), is
 compiled in too:

 -
 asarian-host: {root} % /usr/local/sbin/httpd -l
 Compiled-in modules:
   http_core.c
   mod_so.c
 suexec: enabled; valid wrapper /usr/local/sbin/suexec
 -

 If you have any suggestions left, I will gladly hear them. :) Thanks!

Make sure the mod_frontpage directives aren't surrounded by some
IfDefine blocks that aren't being loaded.

Line #5 is where the error is?  What does your httpd.conf file
look like?  I'm not sure about ordering but I would move
any Frontpage stuff to the bottom of your file after the
Load/AddModule directives.  Don't know for sure if httpd.conf gets
processed in a linear fashion or not.

BTW, you should be using apachectl to start/stop/restart httpd.
'apachectl startssl' (Not that it matters much).

Nick Rogness [EMAIL PROTECTED]


Re: urgent: how to downgrade php4.3.3rc2

2003-08-10 Thread Nick Rogness
On Fri, 8 Aug 2003, Redmond Militante wrote:

 hi

 i upgraded mod_php4 via ports on my apache box the other day i just went
 to the mod_php4 directory, make deinstall, make clean install and
 restarted apache.

 i was upgraded to php4.3.3rc2 from 4.3.1.

 i need to get the old version back as we make extensive use of pdflib.
 pdflib5x is not supported in php4.3.3rc2.  can anyone please tell me how
 to downgrade php4.3.3rc2 on this machine?  it's pretty critical..

I made a copy of the 4.3.1 mod_php port dir on my machine and put
it at:

http://freebsd.rogness.net/mod_php4.tar

To install:

# cd /usr/ports/www
# rm -r mod_php4
# fetch http://freebsd.rogness.net/mod_php4.tar
# tar -xvpPf mod_php4.tar
# cd mod_php4
# make install

I'm not sure of any other way to downgrade like this.

Nick Rogness [EMAIL PROTECTED]


RE: backup static routes for freebsd (default)

2003-08-07 Thread Nick Rogness
On Tue, 5 Aug 2003, Ezra Banoba wrote:

 Thanks Phil, I tried some guesswork myself to add the secondary default
 routes router style with weights and that's the only way the route add
 command will accept another default route. I do not know how freebsd
 interpretes this: route add default [gateway] [administrative weight]

 though this has no effect when i birng down the default route.

 Maybe a script to ping the gateways at intervals will do. Any other
 ideas are welcome. Thanks.

The trick to adding a backup default route is to split 'default'
into 2 different and more specific subnets:

# route add 0.0.0.0 PRIMARY_GW -netmask 128.0.0.0
# route add 128.0.0.0 PRIMARY_GW -netmask 128.0.0.0
# route add default SECONDARY_GW

Now that default is split into 2 different smaller subnets than
'default', they will be the preferred route.  If your interface
that connects PRIMARY_GW goes down, the first 2 routes will be
removed, leaving your backup 'default' gateway to take effect.

This only works if PRIMARY_GW and SECONDARY_GW are on separate
physical networks and will also only work if the INTERFACE goes
down.  It will not work if the PRIMARY_GW goes down but the
physical interface connected to that network stays up.


Nick Rogness [EMAIL PROTECTED]
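The split-default trick and its interface-down caveat, modelled as an added example (this is not code from the post): a small longest-prefix-match lookup over the three routes above, so the selection can be checked offline without touching a kernel. The interface names fxp0/fxp1 and the netmask check are my assumptions; the gateway names are the post's placeholders.

```python
"""Longest-prefix-match model of the split-default backup route.

Added example, not from the mailing-list post. It reproduces in pure Python
what the kernel does with the three routes from the post so the behaviour
can be checked offline. Interface names fxp0/fxp1 are assumed.
"""
from ipaddress import ip_address, ip_network

PRIMARY_GW = "PRIMARY_GW"      # placeholder gateway names from the post
SECONDARY_GW = "SECONDARY_GW"


def is_contiguous_mask(mask):
    """True for a valid CIDR-style netmask (a run of ones, then zeros).

    128.0.0.0 is the /1 mask the trick needs; a mask like 127.0.0.0 is not
    contiguous and would leave holes in the coverage.
    """
    inverted = ~int(ip_address(mask)) & 0xFFFFFFFF
    return inverted & (inverted + 1) == 0


def build_table():
    """Routing table after the three 'route add' commands: (net, gw, iface)."""
    return [
        (ip_network("0.0.0.0/1"), PRIMARY_GW, "fxp0"),    # 0.0.0.0 -netmask 128.0.0.0
        (ip_network("128.0.0.0/1"), PRIMARY_GW, "fxp0"),  # 128.0.0.0 -netmask 128.0.0.0
        (ip_network("0.0.0.0/0"), SECONDARY_GW, "fxp1"),  # default SECONDARY_GW
    ]


def lookup(table, dst):
    """Gateway chosen for dst: the matching route with the longest prefix."""
    dst = ip_address(dst)
    best = None
    for net, gw, iface in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best[1] if best else None


def interface_down(table, iface):
    """What the kernel does on link loss: every route via that interface goes."""
    return [route for route in table if route[2] != iface]


def gateway_unreachable(table):
    """A dead next hop on a live interface changes nothing: static routes stay."""
    return list(table)


def coverage_gaps(table):
    """Probe addresses that match no route at all (none with the /1 pair present)."""
    probes = ["1.2.3.4", "127.0.0.1", "128.0.0.1", "192.0.2.1", "255.255.255.255"]
    return [p for p in probes if lookup(table, p) is None]


if __name__ == "__main__":
    table = build_table()
    for dst in ("8.8.8.8", "200.1.2.3"):
        print(dst, "->", lookup(table, dst))                               # PRIMARY_GW
    print("fxp0 down:", lookup(interface_down(table, "fxp0"), "8.8.8.8"))  # SECONDARY_GW
    print("gw dead:  ", lookup(gateway_unreachable(table), "8.8.8.8"))     # still PRIMARY_GW
    print("128.0.0.0 contiguous:", is_contiguous_mask("128.0.0.0"))
    print("127.0.0.0 contiguous:", is_contiguous_mask("127.0.0.0"))
```

The gateway_unreachable case is the post's caveat in code: without link loss or a routing daemon, the two /1 routes stay and traffic keeps going to the dead PRIMARY_GW.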


RE: backup static routes for freebsd (default)

2003-08-06 Thread Nick Rogness
On Wed, 6 Aug 2003, Ezra Banoba wrote:

 Hi, It works like magic. But then, ... that means I still would have to
 use a script to mark the interface as down when the remote gateway is
 inaccessible. Or is there a way to automagically mark the interface down
 if the network is inaccessible?

Not without an active routing protocol like OSPF/RIP/etc. (using
gated or zebra).  In which case, the interface stays up but the
routes get removed.


Nick Rogness [EMAIL PROTECTED]


Re: Frontpage perils

2003-08-01 Thread Nick Rogness
On Fri, 1 Aug 2003, Mark wrote:

 I just installed apache+mod_ssl-1.3.28+2.8.15 (FreeBSD 4.7R). Having
 some serious trouble integrating Frontpage 5, though. I installed the
 package, and it seemingly integrated just fine:

 lynx --head --source http://asarian-host.net:90/overview.html

 Server: Apache/1.3.28 (Unix) FrontPage/5.0.2.2623 PHP/4.3.1
 mod_ssl/2.8.15 OpenSSL/0.9.6g mod_perl/1.26

 So far, so good; then I ran the install script:

 asarian-host: {root} % /usr/local/frontpage/version5.0/fp_install.sh

 
 Step 3.  Upgrading/Installing the extensions

 Checking for previous versions of FrontPage Server Extensions to
upgrade...
 You have an older version of FrontPage Server Extensions installed
 (4.0). Would you like to migrate these settings to version 5.0 now (y/n)
 [Y]?

 Checking for existing web servers to upgrade...

 Existing web servers were found; do you want to upgrade them now? (If
 you answer no, you can safely run this script again and answer yes
 to upgrade your servers later.)

 Upgrade now (y/n) [Y]?  y

 All existing servers will now be upgraded:

 Upgrading using configuration file:
 /usr/local/frontpage/someone.asarian-host.net:80.cnf
 Verifying web server configuration...
 This version of FrontPage Server Extensions does not suppport
 apache servers.  We only support patched apache servers.
 


 Say what? :) Does not support apache servers? Then what have I been
 compiling for, the last half day? I must be missing some step in the
 process. Does anyone know what I am doing wrong?


All you should have to do is:

# cd /usr/ports/www/apache13-modssl && make install
# cd /usr/ports/www/mod_frontpage && make install

If all goes well you should have everything you need installed.  I
personally don't use the fp_install.sh script...I think it sucks.
If I need to install frontpage extensions on a website I do the
following:

1) Add the VirtualHost to the main httpd.conf file (must
   be in the main httpd.conf file):

<VirtualHost 64.251.173.41:80>
  ServerName www.domain.com
  ServerAlias domain.com
  DocumentRoot /home/jim/public_html
  UserDir disabled
</VirtualHost>

2) Install extensions with the owsadm.exe tool (execute
   the line wrap):

# cd /usr/local/frontpage/version5.0/bin
# ./owsadm.exe -o install -u jimfpuser -p 80 \
-m www.domain.com \
-servconf /usr/local/etc/apache/httpd.conf \
-xuser jim


3) Restart apache:  # apachectl restart


It should prompt you for a password...which is the FRONTPAGE
password for the FRONTPAGE user 'jimfpuser' as seen above.
jimfpuser doesn't need to exist anywhere on the system, but you
will need to use it with the frontpage client to connect to
www.domain.com.

Now, there are some gotchas with frontpage.  First off, make
sure the owner and group owner of files located in the /home/jim/*
directories are above uid=100 and gid=100.  Make sure the user jim
is created in the unix system password file and his home dir and
public_html dir exist or this will fail. Make sure mod_frontpage
is running. If you installed in the order above, mod_frontpage
may only be loaded when mod_ssl is loaded ('apachectl startssl').
I'm only touching the brim of problems with frontpage...

Finding complete documentation on the frontpage owsadm.exe command
blows.  You will have to experiment or visit microsoft.com and try
to interpret their ramblings.  I will also gladly try to answer
any questions if I know the answer.

Nick Rogness [EMAIL PROTECTED]


Re: Multiple Internet connection

2003-03-31 Thread Nick Rogness
On Thu, 20 Mar 2003, Allan Jude - ShellFusion.net Administrator wrote:

 I have a FreeBSD box that has 3 nic's.
 2 of them are connected to separate internet connections, and the 3rd is
 a lan.
 When data is coming in over one of the connections, it comes over the
 nic to which that ip is assigned, but, outgoing traffic, even if bound
 to the second nic, always going out over the first nic.

 Is there a way to have the 2 links share the load of the outgoing
 traffic, as well as the incoming.


Not to load balance, no, not without other daemons running routing
protocols.  Even then, it takes routing peering with your upstream
ISPs.


Nick Rogness [EMAIL PROTECTED]


Re: gif tunnels?

2003-02-25 Thread Nick Rogness
On Fri, 21 Feb 2003, Krassimir Slavchev wrote:

 Hello All,

 I have:

  Private Net 1  Firewall 1Firewall 2  Private Net 2
 ---  ---
 | 10.1.0.0/24 || FBSD 4.7 |--//--| FBSD 4.7 || 10.2.0.0/24 |
 ---  ---
 |__tunnel__|

 I want to configure tunnel between Private Net 1 and Private Net 2
 and
 can not get tunnel to work when Public IP of Firewall 1 and Firewall
 2 are
 from same subnet. If public IPs of my firewalls are from different
 subnets all works fine.

 On Firewall 1 I do:
 # ifconfig gif0 create
 # gifconfig gif0 x.y.z.1 x.y.z.2
 # ifconfig gif0 inet 10.255.255.1 10.255.255.2 netmask 255.255.255.252
 # route add -net 10.2.0.0/24 10.255.255.2

 On Firewall 2 I do:
 # ifconfig gif0 create
 # gifconfig gif0 x.y.z.2 x.y.z.1
 # ifconfig gif0 inet 10.255.255.2 10.255.255.1 netmask 255.255.255.252
 # route add -net 10.1.0.0/24 10.255.255.1

 Is there any way to get this to work?

Your concept is right, I think your syntax is wrong.  I use this
syntax:


# ifconfig gif0 create
# ifconfig gif0 tunnel x.y.z.1 x.y.z.2
# ifconfig gif0 10.255.255.1 10.255.255.2 netmask 255.255.255.252
# route add -net 10.2.0.0/24 10.255.255.2

Pay close attention to the tunnel keyword on line 2 above.

Also, make sure gateway_enable="YES" is in /etc/rc.conf.

Nick Rogness [EMAIL PROTECTED]
To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message


Re: Source nat question (ipfw and natd)

2003-01-27 Thread Nick Rogness
On Sun, 26 Jan 2003, Vikash Badal wrote:

   I currently have a box (4.7p3) that i want to connect to four different
   networks According to the man page i can only nat on one interface using
   natd.
  
   My current natd.conf is as follows :
   --
   redirect_address 10.136.236.18 192.168.28.61
   redirect_address 10.136.236.20 192.168.20.47
   redirect_address 10.136.236.19 192.167.11.47
   --
  
   When i add the following maping :
   redirect_address 10.136.236.18 192.168.15.47
  
   the source address for connections to 192.168.15.0/24 is 192.168.25.61
   is there any way i can setup natd and ipfw so that if packets are
   destined for 192.168.15.0/24 then the source address should be
   192.168.15.47
  

I'm still not sure what you are trying to accomplish here.  You
talk about source address for connections to
192.168.15.0/24...from where?  From the 192.168.X.X network?  If
so, you can run a separate copy of natd in -reverse mode and an
alias address to translate the source address.  It becomes tricky
to do but it might be what you want.

What are you trying to accomplish?  It sounds like you want the
-reverse option for nat but I don't know what machines are where
and how your network is laid out and how traffic flows across the
BSD machine.

Do you want all machines on the 192.168.X.X network (connected via
vx0)  to hit 10.136.X.X network with the same source address
always?  Please clarify.

Also, comments below:


 I made a typo in the original mail :
 === redirect_address 10.136.236.19 192.167.11.47
 should be redirect_address 10.136.236.19 192.168.21.47

 configs:

 rc.conf:
 
 kern_securelevel_enable="NO"
 nfs_reserved_port_only="YES"
 sendmail_enable="NONE"
 sshd_enable="YES"
 inetd_enable="NO"
 portmap_enable="NO"
 gateway_enable="YES"
 ntpdate_flags="10.131.156.5"
 ntpdate_enable="YES"
 natd_enable="YES"
 natd_interface="vx0"
 natd_flags="-config /etc/natd.conf"
 hostname="nwest-fw.natis.natis"
 ifconfig_xl0="inet 10.136.236.5  netmask 255.255.255.0"
 ifconfig_vx0="inet 192.168.28.61 netmask 255.255.240.0"
 ifconfig_vx0_alias0="inet 192.168.15.57 netmask 255.255.255.0"
 defaultrouter="10.136.236.1"
 firewall_enable="YES"
 firewall_type="natis"
 firewall_quiet="YES"
 


With your default gateway 10.136.236.1 I hope that the machines on
the 10.136 network know how to reach the 192 network.



 nwest-fw# ipfw -a l
 00050   0 0 divert 8668 ip from any to any via vx0
 00100  32  2000 allow ip from any to any via lo0
 00200   0 0 deny ip from any to 127.0.0.0/8
 00300   0 0 deny ip from 127.0.0.0/8 to any
 00400   0 0 check-state
[SNIP]

Why are you running stateful inspection intermixed with nat?  That
is a bad combination.


 
 nwest-fw# cat /etc/natd.conf
 redirect_address 10.136.236.18 192.168.28.61
 redirect_address 10.136.236.20 192.168.20.47
 redirect_address 10.136.236.19 192.168.21.47
 redirect_address 10.136.236.18 192.168.15.47


So do these translations work?  The only way to test them is from
the 192.168 network.  Also, 192.168.15.47??  But the vx0 interface
is set up with IP 192.168.15.57?



Nick Rogness [EMAIL PROTECTED]



Re[2]: IMAP

2003-01-27 Thread Nick Rogness
On Mon, 27 Jan 2003, Ben Williams wrote:

 Monday, January 27, 2003, 12:32:29 PM, you wrote:

  What is this kill -HUP inetd?
 
  kill -HUP pid is the standard command to reload a daemon in Unix.
 GJ Replacing
  the 'pid' with the process id number of the daemon in question (listed
 GJ when
  you do a 'ps aux') will force the daemon to reload it's configuration.
 
 GJ My problem is that the ps aux doesn't lists the inetd daemon. So this
 GJ kill thing doesn't works as well.
 GJ How can I check IMAP or POP3 is really listening?

 For IMAP:
 sockstat | grep :143

 For POP3:
 sockstat | grep :110

 For both/either:
 sockstat | egrep ':143|:110'


Alternatively, if sockstat isn't available (like on another OS),
then:

# netstat -an

Works on a lot of OS's (including windows).


Nick Rogness [EMAIL PROTECTED]



Re: Source nat question (ipfw and natd) Revised

2003-01-27 Thread Nick Rogness
On Tue, 28 Jan 2003, Vikash Badal - PCS wrote:

 Greetings,

 My current natd.conf is as follows :
 --
 redirect_address 10.136.236.18 192.168.28.61
 redirect_address 10.136.236.20 192.168.20.47
 redirect_address 10.136.236.19 192.168.21.47
 -
 When i add the following maping :
 redirect_address 10.136.236.18 192.168.15.47
 the source address for connections to 192.168.15.0/24
 is 192.168.25.61

 what I want to do is : if i initiate a connection to 192.168.15.0/24
 from 10.136.238.18 then i need the source address to be 192.168.15.47

 If i initiate a connection to 192.168.28.0/24 from 10.136.238.18 then i
 need the source address to be 192.168.28.61

 network layout

 192.168.16.0:255.255.240.0 ---
 192.168.15.0:255.255.255.0 ---|   |
   |   |
   |   HUB |
   |   |
 vx0 === 192.168.15.47 (alias address) 192.168.28.61

 xl0 ===   10.136.236.5
   |
   |
   |
   10.136.236.0/24


 The machines on 192.168.x.x only hit 10.136.236.[18/19/20]
 depending the application required. The source address of packets
 from the 192.168.x.x remains unaltered.

 The machines on the 10.136.236.0 network have a static route
 to the 192.168.x.x network.

 The translations work for :
 10.136.236.20 to 192.168.20.0/24 i.e
   the 192.168.20.0/24  sees the source as 192.168.28.61
 10.136.236.19 to 192.168.21.0/24 i.e
   the 192.168.20.0/24  sees the source as 192.168.20.47

 When i try to connect from 10.136.236.18 to 192.168.15.0/24,
 the source address is 192.168.28.61. I needed the source
 address to be 192.168.15.47 only when i connect to 192.168.15.0/24

 If i change the order of the redirect rules in /etc/natd.conf :
 i.e
 redirect_address 10.136.236.18 192.168.15.47
 is place before
 redirect_address 10.136.236.18 192.168.28.61

 then the translation to 192.168.28.0/24 no longer works but the
 translation for 192.168.15.0/24 works.


Yes, this is true as it will use the first entry in natd.conf for
the translation.  The problem is, you are thinking of the
translations backwards.  Are only 3 machines on the 10.136 segment
talking to only 3 machines on the 192 segment?  Does communication
have to go both ways, ie. do the 192.168 machines need to talk to
10.136 machines?

Also, you can run multiple copies of natd for the same interface
(different port needed) and direct packets to the different natds
based on the firewall rules applied:

  Firewall rules and corresponding natd #1 (on port 8668):

# ipfw add divert 8668 ip from 10.136.236.18/32 to 192.168.15.0/24 out via vx0
# ipfw add divert 8668 ip from 192.168.15.0/24 to 192.168.15.47/32 in via vx0
# natd -p 8668 -n vx0 -redirect_address 10.136.236.18 192.168.15.47

  Firewall rules and Corresponding natd #2 (port 8669):

# ipfw add divert 8669 ip from 10.136.236.18/32 to 192.168.28.0/24 out via vx0
# ipfw add divert 8669 ip from 192.168.28.0/24 to 192.168.28.61/32 in via vx0
# natd -p 8669 -n vx0 -redirect_address 10.136.236.18 192.168.28.61


Nick Rogness [EMAIL PROTECTED]
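The two-natd split from the reply above, as an added example (not code from the thread): it models how ipfw divert rules pick a natd port and how each natd walks its redirect_address list, so the asker's symptom (the first natd.conf entry always wins) and the per-destination fix can be checked offline. Addresses are the thread's; the packets are constructed samples, and only the outbound direction is modelled.

```python
"""Per-destination source NAT with two natd instances (added example).

Not code from the thread: a pure-Python model of ipfw divert selection and
natd redirect_address matching, using the addresses from the thread and
constructed outbound packets. The inbound/reverse direction is not modelled.
"""
from ipaddress import ip_address, ip_network


class Natd:
    """One natd process: its divert port and its natd.conf redirect_address lines."""

    def __init__(self, port, redirects):
        self.port = port
        self.redirects = redirects      # [(inside_addr, alias_addr)] in file order

    def translate_source(self, src):
        # natd takes the first redirect_address whose inside address matches;
        # the packet's destination is never consulted, which is the asker's problem.
        for inside, alias in self.redirects:
            if inside == src:
                return alias
        return src


class DivertRule:
    """An 'ipfw add divert PORT ip from SRC to DST out via IFACE' rule."""

    def __init__(self, port, src_net, dst_net, direction, iface):
        self.port = port
        self.src_net = ip_network(src_net)
        self.dst_net = ip_network(dst_net)
        self.direction = direction
        self.iface = iface

    def matches(self, pkt):
        return (pkt["direction"] == self.direction and pkt["iface"] == self.iface
                and ip_address(pkt["src"]) in self.src_net
                and ip_address(pkt["dst"]) in self.dst_net)


def wire_source(rules, natds, pkt):
    """Source address seen on the wire: the first matching divert rule picks the
    natd, that natd's first matching redirect_address picks the alias, and a
    packet no rule diverts leaves untranslated."""
    for rule in rules:
        if rule.matches(pkt):
            return natds[rule.port].translate_source(pkt["src"])
    return pkt["src"]


def packet(dst, src="10.136.236.18"):
    """Constructed outbound packet leaving the firewall on vx0."""
    return {"src": src, "dst": dst, "direction": "out", "iface": "vx0"}


# The asker's setup: one natd, two natd.conf lines for the same inside host.
SINGLE_NATD = {8668: Natd(8668, [("10.136.236.18", "192.168.28.61"),
                                ("10.136.236.18", "192.168.15.47")])}
SINGLE_RULES = [DivertRule(8668, "0.0.0.0/0", "0.0.0.0/0", "out", "vx0")]

# The reply's fix: one natd per alias, selected by destination subnet.
SPLIT_NATDS = {8668: Natd(8668, [("10.136.236.18", "192.168.15.47")]),
               8669: Natd(8669, [("10.136.236.18", "192.168.28.61")])}
SPLIT_RULES = [
    DivertRule(8668, "10.136.236.18/32", "192.168.15.0/24", "out", "vx0"),
    DivertRule(8669, "10.136.236.18/32", "192.168.28.0/24", "out", "vx0"),
]


if __name__ == "__main__":
    for dst in ("192.168.15.10", "192.168.28.10", "192.168.20.10"):
        print(dst, "single natd:", wire_source(SINGLE_RULES, SINGLE_NATD, packet(dst)),
              " split natds:", wire_source(SPLIT_RULES, SPLIT_NATDS, packet(dst)))
```

The 192.168.20.10 case shows the gap the split leaves: a destination no divert rule covers leaves with the real 10.136.236.18 source, so the rule list has to cover every subnet that needs translation.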



Re: Source nat question (ipfw and natd)

2003-01-25 Thread Nick Rogness
On Sat, 25 Jan 2003, Vikash Badal wrote:

 Greetings,

 I currently have a box (4.7p3) that i want to connect to four different
 networks According to the man page i can only nat on one interface using
 natd.

 My current natd.conf is as follows :
 --
 redirect_address 10.136.236.18 192.168.28.61
 redirect_address 10.136.236.20 192.168.20.47
 redirect_address 10.136.236.19 192.167.11.47
 --

 When i add the following maping :
 redirect_address 10.136.236.18 192.168.15.47

 the source address for connections to 192.168.15.0/24 is 192.168.25.61
 is there any way i can setup natd and ipfw so that if packets are
 destined for 192.168.15.0/24 then the source address should be
 192.168.15.47


Yes, it is possible...just a pain in the butt.  I am not clear
exactly what you mean.  If you wish to pursue this, you need to
send the output of:

# cat /etc/rc.conf
# ipfw -a l
# netstat -rn
# ps -aux |grep nat


And any additional nat configuration files or settings.  That
would greatly improve the chances of your questions getting
answered.


Nick Rogness [EMAIL PROTECTED]



Re: NATD HELP

2002-11-07 Thread Nick Rogness
On Thu, 7 Nov 2002, Alvaro Rosales R. wrote:

 Im trying to set up natd in my FreeBSD BOX, I have read the NAT portion
 of the hand book but I still need some help.  this is my environment
 10.10.1.2 (internal ip address of my wkstation)  200.37.53.22 (this the
 natd box external IP address)  10.10.1.1 (internal address of the natd
 box, is the default gw of the wstation))  When I run this command natd
 -redirect_address 10.10.1.2 200.37.53.22 I get this message natd:
 aliasing address not given. Do I have to make


You need additional command line options:

 -n $external_ethernet_interface

OR
-a 200.37.53.22



Nick Rogness [EMAIL PROTECTED]
-
 Wouldn't it be great if we could answer people with a
  kick to the crotch?  [EMAIL PROTECTED]






Re: FreeBSD Router/Firewall Questions

2002-10-31 Thread Nick Rogness
On Thu, 31 Oct 2002, RD wrote:

 Hi guys,  me again :)
   well I've been reading up on compiling a kernel for nat and ipfw.
 I'm running a d-link 704 router now.  I want some input here...

 I have an extra box (p200 - 128ram) for a router firewall.. I was
 thinking about it being my Gateway/Router/Firewall for my other 3
 computers.  I run a webserver box, a ftp server box, and my workstation
 box behind my d-link.

  What advantages/disadvantages would I have by running freebsd in place
 of the d-link?

Let's be honest folks,

If you are not running any special services or are not in the
pursuit of learning, then having BSD do the work is pointless.

If you want to learn a little something then it may be worth
doing.  It does give you the opportunity to do more with your
network.  People could go on and on about what it can do for
you.  I'll just leave it at: lots.


 How do I connect this?  Do I use 2 ethernets 1 to net and 1 to a hub? I
 also have 1 crossover rj45 cable for card to card connection that I
 haven't tried yet...

Yes, 2 ethernet cards.  One for the outside network and one for
the inside network.  Basic stuff.



Nick Rogness [EMAIL PROTECTED]
-
 Wouldn't it be great if we could answer people with a
  kick to the crotch?  [EMAIL PROTECTED]








Re: Home network design

2002-10-28 Thread Nick Rogness
On Mon, 28 Oct 2002, Kristin Guttormsen wrote:


 I have been playing around with different configurations for my home
 network for some time and while I have learned much of the specifics, I
 remain dissatisfied with my general concepts.  I hope someone can offer
 some clarity to my designs, and then I should be able to solve the
 specifics (I hope) with time and study.

 I have a cable connection through ATTBI (1-5 dynamic IP's available at
 $5/month a piece after the first, no truly static IP's).

 I have three registered domains (mynet1.net, mynet2.net, mynet3.net) and
 can work out dynamic dns using available free resources.

 I have 4 user pc's (win98se, nt4 workstation, win2k, winxp mix) that
 need constant connection, a networked ps2 (needed as I'm a beta tester),
 an occasionally laptop connection needed (win2k or xp), and I'd like to
 be able to let 1-5 people drop in whenever for lan parties.  I also have
 4 constant servers built (2 freebsd, 1 will be sol linux when it
 arrives, 1 linux of oft changing flavor), and I also have one borrowed
 server which I'm currently using for my Novell training which may
 eventually join the network (undecided yet).

 Network hardware currently available: 5 port switch, router w/ 4 port
 switch, 4 port hub, and I'm picking up an 8 port switch next week
 sometime.

 I have 2 public websites to host and one which I use purely for testing
 and fun.  I have had ftp, irc, mail (only for my private domain, not the
 two others), nntp, and a game server running publicly.  I have remote
 storage (a private fileserver for friends (mostly mp3 and video)) and a
 mysql server which are not for public use but which DO need to be fully
 accessible from any location (as well as desiring remote network
 management just for showing off).

 I'd like to be moderately secure, although I'm not talking about fortune
 500 class sensitive material.  If nothing else, I'm doing all this to
 broaden my skills and experience and have a little fun.

 Where I start to break down is deciding what to do as far as how many
 ip's to get and where to assign them.  Do I build a full DMZ, or use a
 3rd nic DMZ out of a firewall gateway, or just lump them altogether?
 Should I run the servers each with the public IP's and share the private
 systems behind NAT, or the other way around, or should everything use
 NAT behind a single or maybe two public IP's?  So far I've compiled
 about 11 different network designs but don't have enough knowledge to
 know the pro's and cons each would present.  Can anyone suggest an
 appropriate physical layout and address scheme (and if anyone is feeling
 REALLY helpful how they would break down the application load across the
 different machines (ie what services would play together nicely residing
 on the same server)?

This is a rather difficult question to answer.  It's like asking
a fisherman how to catch a fish.  Everyone has their own ideas on
how you should do this.  It depends mostly on what you want to
accomplish or what has more importance, functionality or security.

However, I'll take a shot at it.  Consider the following diagram:


Internet Connection
|
|
HUB/SW
|
|
NAT
|
Web Server 
FreeBSD Firewall ---HUB/sw  protected machines
(DMZ)   (RFC1918) 10.0.0.0
|   OR ext. IP subnet
|
HUB/Sw
|
  Private Lan (192.168 or other RFC1918)


The service breakdown is simple.  Anything that needs to be
accessed FROM the outside world (ie, the Internet) put on the
DMZ.  Firewall off the important services for the DMZ network.
Put general machines in the private segment.  Run NAT where
needed.

This is generally how most firewall appliances (like Cisco PIX,
Sonic Wall, etc) work.  It's just a matter of preference anyway,
it's not like you're running some massive network service.

Of course, you could just KISS and put everything behind a BSD
gateway and NAT certain ports to different machines.  That is the
easiest.



Nick Rogness [EMAIL PROTECTED]
-
 Wouldn't it be great if we could answer people with a
  kick to the crotch?  [EMAIL PROTECTED]










re: divxplayer

2002-10-28 Thread Nick Rogness
On Mon, 28 Oct 2002, Mike Johnston wrote:

 Unfortunately, adding the line linux=YES to /etc/rc.conf has not
 solved the problem of me getting :

Should be:

linux_enable=YES



 ELF binary type 3 not known.
 Abort trap.

 I've tried running netscape communicator as well with the same msg.

 so it's definitely linux ports.. and i have linux-base-7.1.1 installed.


When you run from the command line:

# linux

What does it say?


Nick Rogness [EMAIL PROTECTED]
-
 Wouldn't it be great if we could answer people with a
  kick to the crotch?  [EMAIL PROTECTED]






Re: help with webcam through natd + ipfw

2002-10-24 Thread Nick Rogness
On Thu, 24 Oct 2002, Alan McKay wrote:

 Folks,

 I've done port-forwarding before on several different FW/NAT devices,
 but damned if I can get it going on FreeBSD.  At first I tried with
 PPP's builtin NAT, and when that failed I switched to natd.  I did
 google searches and even searched the FreeBSD list archives but did not
 find any help.

 /etc/natd.conf looks like this (private IP removed) :

 interface tun0
 port 8668
 use_sockets yes
 dynamic yes
 redirect_port tcp MY_PRIVATE_IP:8080 8080

 /etc/rc.conf has this :

 firewall_type=SIMPLE
 firewall_enable=YES
 firewall_script=/etc/rc.firewall
 firewall_quiet=NO
 natd_enable=YES
 natd_program=/sbin/natd
 natd_interface=tun0
 natd_flags=-f /etc/natd.conf

 My firewall does not have much changed from the SIMPLE template. I allow
 a few incoming connections including ports 80, 443, 53, 110 and the port
 I want to forward back to my webcam : 8080.

What does `ipfw -a l` show?


Nick Rogness [EMAIL PROTECTED]
-
 Wouldn't it be great if we could answer people with a
  kick to the crotch?  [EMAIL PROTECTED]






Re: help with webcam through natd + ipfw

2002-10-24 Thread Nick Rogness
On Thu, 24 Oct 2002, Alan McKay wrote:


  What does `ipfw -a l` show?

 That seems to be the same as ipfw show, which I used to determine that
 there do not seem to be any 'deny' rules hit. So I cannot really tell
 where those packets are going.  I can hit my port 80 from work no
 problem (www.bodensatz.com), but 8080 no deal.  So it seems to be going
 through some allow rule, but I'm not sure which.


If indeed your internal machine is accepting connections on port
8080 (can be tested from the firewall box using telnet) then this
sounds like a firewalling problem.  Set your firewall type to
OPEN, reboot and see if it works.  If it does, then you need to
examine your firewall rules better.

There is really nothing special about what you're doing if the
firewall is correct.

Also, to help troubleshoot more, I would recommend using ipfw log
statements as well as the natd log option.

Nick Rogness [EMAIL PROTECTED]
-
 Wouldn't it be great if we could answer people with a
  kick to the crotch?  [EMAIL PROTECTED]






Re: help with webcam through natd + ipfw

2002-10-24 Thread Nick Rogness
On Thu, 24 Oct 2002, Alan McKay wrote:


  If indeed your internal machine is accepting connections on port
  8080 (can be tested from the firewall box using telnet) then this

 Cannot telnet to 8080 so it must be nat, but my natd.conf looks good to
 me.  dunno what's up.  nat itself is working otherwise I wouldn't be
 talking to you right now.  You say my natd.conf looked fine.


You mean you can't:

# telnet $PRIVATE_IP 8080

From your BSD machine?  That leaves only 2 possible problems:

1)  The program isn't listening on port 8080 tcp on your
$PRIVATE_IP (Use netstat -an on that machine to verify)

2) The firewall is blocking the packets.

I still haven't seen the output of ipfw -a l yet so I can't be
sure.  Packets don't always act the way you think they do when nat
is in the picture.



Nick Rogness [EMAIL PROTECTED]
-
 Wouldn't it be great if we could answer people with a
  kick to the crotch?  [EMAIL PROTECTED]



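Reading the counters is the step the replies above keep asking for. As an added example (not from the thread and not FreeBSD's own code), the Python below parses a constructed sample of `ipfw -a l` output, lists the rules whose packet counters moved, finds every rule that mentions the forwarded port, and checks that the divert rule is numbered before those rules so natd rewrites the destination before the filter rules see the packet. The port 8080, the tun0 interface and the divert port 8668 follow the thread; the ruleset and its counter values are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of `ipfw -a l` output; not the poster's real ruleset.
# With -a, ipfw prints rule number, packet counter and byte counter
# ahead of the rule body.
SAMPLE_IPFW_OUTPUT = """\
00050   1532  198304 divert 8668 ip from any to any via tun0
00100    412   31220 allow ip from any to any via lo0
00200      0       0 deny ip from any to 127.0.0.0/8
00300      0       0 deny ip from 127.0.0.0/8 to any
00400     37    2120 allow tcp from any to any 80 in via tun0
00500      0       0 allow tcp from any to any 443 in via tun0
00600      0       0 allow tcp from any to any 8080 in via tun0
00700      0       0 allow tcp from any to any established
65535     25    1500 deny log ip from any to any
"""

# rule number, packets, bytes, then the rest of the line is the rule body
IPFW_LINE = re.compile(r"^(?P<rule>\d+)\s+(?P<pkts>\d+)\s+(?P<size>\d+)\s+(?P<body>.+?)\s*$")


@dataclass
class Rule:
    number: int
    packets: int
    size: int
    body: str

    @property
    def action(self) -> str:
        """First word of the body: allow, deny, divert, ..."""
        return self.body.split()[0]


def parse_ipfw(text: str) -> List[Rule]:
    """Turn `ipfw -a l` output into Rule objects, skipping anything that
    does not look like a counted rule line."""
    rules = []
    for line in text.splitlines():
        m = IPFW_LINE.match(line.strip())
        if m:
            rules.append(Rule(int(m["rule"]), int(m["pkts"]), int(m["size"]), m["body"]))
    return rules


def hit_rules(rules: List[Rule]) -> List[Rule]:
    """Rules that have matched at least one packet since counters were zeroed."""
    return [r for r in rules if r.packets > 0]


def hit_denies(rules: List[Rule]) -> List[Rule]:
    """Deny rules that actually dropped something."""
    return [r for r in hit_rules(rules) if r.action == "deny"]


def rules_for_port(rules: List[Rule], port: int) -> List[Rule]:
    """Rules whose body mentions the port as a whole token (so 80 does not match 8080)."""
    pat = re.compile(rf"\b{port}\b")
    return [r for r in rules if pat.search(r.body)]


def divert_precedes_port_rules(rules: List[Rule], port: int) -> bool:
    """natd must see the packet before the filter rules for the port, i.e. the
    first divert rule must carry a lower number than any rule naming the port."""
    diverts = [r.number for r in rules if r.action == "divert"]
    port_rules = [r.number for r in rules_for_port(rules, port)]
    return bool(diverts) and (not port_rules or min(diverts) < min(port_rules))


def diagnose(text: str, port: int) -> Dict[str, object]:
    """Summary a troubleshooter wants at a glance for one forwarded port."""
    rules = parse_ipfw(text)
    return {
        "hit": [r.number for r in hit_rules(rules)],
        "denies_hit": [r.number for r in hit_denies(rules)],
        "port_rules": [(r.number, r.packets) for r in rules_for_port(rules, port)],
        "divert_first": divert_precedes_port_rules(rules, port),
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_IPFW_OUTPUT, 8080).items():
        print(f"{key}: {value}")
```

Against real output, pipe `ipfw -a l` into a file and hand its contents to `diagnose`. A port rule whose counter never moves while the final deny's counter does is the usual sign that the packet reaches the filter carrying an address or direction the rule does not match, which is exactly where the `ipfw ... log` rules and natd's log option from the reply above give the next clue.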



Re: help with webcam through natd + ipfw

2002-10-24 Thread Nick Rogness
On Thu, 24 Oct 2002, Charles Pelletier wrote:

 question...

 having never dealt with IPFW and nat, does ipnat.conf need to exist? i
 wonder this because it seems like a great majority of problems that
 exist with IPF can be solved by having a correct ipnat.conf.

No, ipnat.conf doesn't need to exist when using IPFW/NAT.  That is
for the ipnat/ipfilter system which is a whole different monster.


 Charles Pelletier
 Tech. Coordinator
 St Luke's School

 - Original Message -
 From: Nick Rogness [EMAIL PROTECTED]
 To: Alan McKay [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Sent: Thursday, October 24, 2002 8:16 PM
 Subject: Re: help with webcam through natd + ipfw


  On Thu, 24 Oct 2002, Alan McKay wrote:
 
  
What does `ipfw -a l` show?
  
   That seems to be the same as ipfw show, which I used to determine that
   there do not seem to be any 'deny' rules hit. So I cannot really tell
   where those packets are going.  I can hit my port 80 from work no
   problem (www.bodensatz.com), but 8080 no deal.  So it seems to be going
   through some allow rule, but I'm not sure which.
 
 
  If indeed your internal machine is accepting connections on port
  8080 (can be tested from the firewall box using telnet) then this
  sounds like a firewalling problem.  Set your firewall type to
  OPEN, reboot and see if it works.  If it does, then you need to
  examine your firewall rules better.
 
  There is really nothing special about what you're doing if the
  firewall is correct.
 
  Also, to help troubleshoot more, I would recommend using ipfw log
  statements as well as the natd log option.
 
  Nick Rogness [EMAIL PROTECTED]
  -
   Wouldn't it be great if we could answer people with a
kick to the crotch?  [EMAIL PROTECTED]
 
 
 
  To Unsubscribe: send mail to [EMAIL PROTECTED]
  with unsubscribe freebsd-questions in the body of the message
 




Nick Rogness [EMAIL PROTECTED]
-
 Wouldn't it be great if we could answer people with a
  kick to the crotch?  [EMAIL PROTECTED]






Re: NAT gateway

2002-10-23 Thread Nick Rogness
On Wed, 23 Oct 2002, Robert Hall wrote:

 I'm setting up a FreeBSD 4.4 box again after a system crash. It's
 intended to be a gateway. I can communicate with the other hosts on my
 network, but I can't communicate outside the network. netstat -r shows
 that I have the default route; ppp is connecting to my ISP and getting
 the dynamically assigned address. But I can't ping or traceroute outside
 my LAN. (They work fine internally.) I'm using NAT and I have the kernel
 recompiled with IPFIREWALL and IPDIVERT. In rc.conf, natd and the
 firewall are enabled.

 Does anyone have any suggestions?

Is gateway_enable=YES in /etc/rc.conf?  If so, please provide
output from the following commands to help us troubleshoot your
problem:

# ifconfig -a
# netstat -rn
# ps -aux |grep nat
# ipfw -a l
# sysctl net.inet.ip.forwarding



Nick Rogness [EMAIL PROTECTED]
-
 Wouldn't it be great if we could answer people with a
  kick to the crotch?  [EMAIL PROTECTED]







Re: Low Balancing

2002-10-22 Thread Nick Rogness
On Tue, 22 Oct 2002, Fernando Gleiser wrote:

 On Tue, 22 Oct 2002, Oliveira Ramiro wrote:

  Tengo un Server BSD con 2 diferentes conexiones a internet, mediante 2
  placas de red, con 2 proveedores diferentes. La pregunta es:
  Cual creen es la mejor solucion (o al menos la mas estable y razonable) para
  que mi trafico quede balanceado?

 translation

 I have a BSD server with two NICs. Each NIC is connected to the Internet
 via different ISPs. The question is: What's the best (or the most stable)
 solution for traffic balancing between the two links?

 /translation

The only proper way to do this is with a routing daemon like gated
or zebra.  This requires peering arrangements with your
upstream ISPs.

There are other alternatives, all of which are rather difficult to
implement.


Nick Rogness [EMAIL PROTECTED]
-
 Wouldn't it be great if we could answer people with a
  kick to the crotch?  [EMAIL PROTECTED]






Re: Caching namesever in sandbox not resolving local boxes

2002-10-14 Thread Nick Rogness

On 14 Oct 2002, Stacey Roberts wrote:

 Hi,
   I thought I had this one licked, but I may have omitted some step that
 I'd like to get some info on, please.

 I've got named configured as a caching nameserver in a sandbox on my
 gateway as per the Handbook. However when I run nslookup on other
 machines on my network, I get this:
 # nslookup lan box
 Server:  upstream NS
 Address:  upstream NS IP

 *** upstream NS can't find lan box: Non-existent host/domain
 #

 I have the lan box in /etc/hosts and my domain included at the top of
 /etc/resolv.conf.

Your /etc/resolv.conf should be:

search domain.com
nameserver 127.0.0.1


 I'm thinking that I can't resolve any other hosts on my network because
 I've not got entries for them in a zone file, but then the handbook says
 that to create a caching nameserver:

 A caching name server is a name server that is not authoritative for
 any zones. It simply asks queries of its own, and remembers them for
 later use. To set one up, just configure the name server as usual,
 omitting any inclusions  of zones.

 So, am I missing something here. I might well be mistaken in my
 understanding of exactly *what* a caching nameserver is supposed to do.


Yes, to have your local names resolve via nslookup you need to
create a zone and add your local hosts in that zone.  At that
point, your nameserver is no longer a caching-only nameserver.


Nick Rogness [EMAIL PROTECTED]
-
 Wouldn't it be great if we could answer people with a
  kick to the crotch?  [EMAIL PROTECTED]







Re: ipfw and natd during internal to internal access ...

2002-10-10 Thread Nick Rogness

On Thu, 10 Oct 2002, wolf wrote:

 You might try freebsd-hackers or freebsd-stable mailing lists. They are
 more technically oriented for things like this.

Um, no don't send this to hackers or stable.  That is not
their focus.  This type of question is a newbie question and
belongs on this list.  This question gets asked probably once a
month or so...maybe needs to be added to someone's FAQ I suppose.

Besides, they will probably tell you the same thing that was
mentioned below.



 Nick Rogness wrote:

  On Thu, 10 Oct 2002, Marc Hunter wrote:
 
 
 Hi,
 
 We have just implemented an ipfw and natd firewall and generally it
 works great.  We are using natd for traffic going out and to redirect
 outside traffic on port 80 to a particular webserver.  However, when a
 machine within the network attempts to access the web server through its
 external address (using the domain name for instance) it doesn't work.
 
 Is there some special trick to deal with this?
 
 
  Yeh, run an internal DNS server which resolves the site
  differently on the inside of your network to the internal address.
 
  Any other workaround is considered shitty by most people, like:
 
  ipfw divert natd all from any to any via $outside_int
  ipfw divert natd all from any to any via $inside_int
 
  However, this would probably work [not sure].
 
  Nick Rogness [EMAIL PROTECTED]
  - WARNING TO ALL PERSONNEL:
 Firings will continue until morale improves.
 


Nick Rogness [EMAIL PROTECTED]
- WARNING TO ALL PERSONNEL:
   Firings will continue until morale improves.






Re: ipfw and natd during internal to internal access ...

2002-10-10 Thread Nick Rogness

On Thu, 10 Oct 2002, Jack L. Stone wrote:

 At 03:35 PM 10.10.2002 -0600, Nick Rogness wrote:
 On Thu, 10 Oct 2002, wolf wrote:
 
  You might try freebsd-hackers or freebsd-stable mailing lists. They are
  more technically oriented for things like this.
 
  Um, no don't send this to hackers or stable.  That is not
  their focus.  This type of question is a newbie question and
  belongs on this list.  This question gets asked probably once a
  month or so...maybe needs to be added to someone's FAQ I suppose.
 
  Besides, they will probably tell you the same thing that was
  mentioned below.
 
 

 Yes, this is asked often and wish there was some good complete answers
 -- roadmaps. One answer I suppose is to use a hardware router (but I
 don't want to). I too prefer using FBSD as a software router and DNS
 server. But, I don't have the extra internal DNS server set up either.
 Our networked machines can go to each web server on the network via the
 internal IP, like 192.168.0.xxx.

 It gets more complicated because of redirects from the routing machine
 (which is also the external DNS server) to the various web servers on
 the same network.


 It loads up the web sites just fine. Or, also I can just step over to a
 machine with a modem connected to the Internet and go to each one too
 that way.

 The above is just another couple of workarounds. I should set up another
 machine to do the Internal DNS. Are there some good URLs with info on
 setting up such a server for this and won't interfere with the router
 and external DNS setups...???

There are so many different ways to do this with DNS:

1) Use another domain (point to inside)
2) Setup subdomain  www.internal.domain.com
3) Setup nameserver to respond differently depending on source IP
4) Run a proxy server

The list goes on and on.

Nick Rogness [EMAIL PROTECTED]
-
 Wouldn't it be great if we could answer people with a
  kick to the crotch?  [EMAIL PROTECTED]






Re: ipfw and natd during internal to internal access ...

2002-10-10 Thread Nick Rogness

On Thu, 10 Oct 2002, Marc Hunter wrote:

 Thank you all for your responses so far.

 We tried the divert option and it almost worked :

 We can see that the packet got natted but the request still times out.
 From what I can gather what is happening is that machine A (user)  sent
 the packet to machine B (firewall) which sent the packet to machine C
 (internal web server) which responded with a packet to machine A,
 however machine A was expecting its answer from machine B.  (Assuming a
 tcp connection request must receive the response from the machine it was
 sent to...)

 What is curious is that the nat converted the 'to' address correctly,
 but didn't change the from address to the firewall address as it does
 with outside traffic, so we could be missing something.  Our additional
 divert looks as follows:

 divert natd log tcp from 192.168.0.0/24 to 24.70.100.100 80 in via rl1

 our natd.conf says:

 redirect_port tcp 192.168.0.129:80 80

 (and the interface is set to rl0 which is the outside world).

  1) Use another domain (point to inside)
  2) Setup subdomain  www.internal.domain.com

 It actually is a subdomain which we are using, but neither of these
 options is feasible as we need to have our website links the same
 whether a page is accessed internally or externally...

That is an HTML coding problem.  You shouldn't be coding with
full domain references in the HTML code.


  3) Setup nameserver to respond differently depending on source IP

 I suppose if there is no other way we will have to consider this, but we
 hadn't counted on having to do this :

It's easy, just run an internal nameserver



  4) Run a proxy server

 This whole project is to get rid of our Wingate proxy, a hardware firewall
 and a linux firewall, so we were hoping to avoid this (thus the use of nat).

 Someone suggested using the ipfw fwd command, which we will try, but I
 suspect it will present the same problem as the divert above...


ipfw fwd will not work.


 Here are some questions which may reveal our ignorance:
 Can you 'attach' natd to both the internal and external
 interfaces?
 Perhaps have two copies running and the one on the internal
 interface would only get triggered by the divert rule we added above?  I
 suppose it would have to run on a different port in any case...

Yes, you could do this but it's not necessary and it's very ugly.
Run an internal nameserver!!  It's just that easy ;-P

 Would ipf and ipnat have a solution to this problem or are they roughly
 the same thing, different syntax (insofar as basic firewall/nat needs
 go)?

It's possible, I'm not familiar with ipf/ipnat.


Nick Rogness [EMAIL PROTECTED]
-
 Wouldn't it be great if we could answer people with a
  kick to the crotch?  [EMAIL PROTECTED]



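The "run an internal nameserver" answer above and the caching-nameserver thread earlier (where local names only resolve once they live in a zone) come down to one configuration: a zone for the local hosts, answered differently depending on who asks. The named.conf excerpt below is an added example, not from the thread or from FreeBSD; it assumes BIND 9 (views do not exist in BIND 8), the placeholder domain example.com, a 192.168.0.0/24 LAN, and takes the internal web server 192.168.0.129 and the external address 24.70.100.100 from the thread. The ACL name, zone file paths and hostnames are hypothetical.

```conf
// named.conf excerpt: split-horizon DNS with BIND 9 views (added example)

acl "lan" { 192.168.0.0/24; 127.0.0.1; };

options {
    directory "/etc/namedb";
};

// Views are tried in order; the LAN view must come before the catch-all,
// or every client would fall into "external".
view "internal" {
    match-clients { "lan"; };
    recursion yes;                  // LAN hosts use this box as their caching resolver
    zone "." {
        type hint;                  // root hints so recursion works inside this view
        file "named.root";
    };
    zone "example.com" {
        type master;
        file "master/example.com.internal";   // www IN A 192.168.0.129
    };
};

view "external" {
    match-clients { any; };
    recursion no;                   // never recurse for the Internet at large
    zone "example.com" {
        type master;
        file "master/example.com.external";   // www IN A 24.70.100.100
    };
};
```

The two zone files differ only in the address records: the internal copy carries `www IN A 192.168.0.129`, the external copy `www IN A 24.70.100.100`, so a LAN client connects straight to the server and never needs the hairpin through the NAT box. LAN hosts then point `/etc/resolv.conf` at this server, as in the caching-nameserver reply, and the `recursion no` in the external view keeps the same box from serving as an open resolver.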



Re: Ping to broadcast ok from subnet, not ok otherwise

2002-10-09 Thread Nick Rogness

On Wed, 9 Oct 2002, TheGlenMann wrote:

 Hi all-

 (Is this list working right? - I'm getting lots of weird stuff in the
 digests...but anyway...)

 Other attempts to find the answer to this have failed, hopefully this
 isn't too off-topic.

 We have several subnets connected via Frame Relay. Call them 10.10.1,
 10.10.2, 10.10.3, etc. On each, the gateway is the 254 address, e.g.,
 10.10.1.254.

 Sitting at a 10.10.1.n machine, I can ping the gateway 10.10.x.254 on
 every subnet. However, a ping to the broadcast address as
   ping -c1 10.10.x.255
 fails on some of the subnets (from outside that subnet). From within the
 subnet, the ping to the broadcast succeeds everywhere. Pings to known
 hosts (and 10.10.x.254) succeed always from everywhere.

 So, my question is, why would I be able to successfully ping to the
 broadcast address from within a subnet but not from outside the subnet,
 but only in certain cases? We have a mix of windows, FreeBSD, router,
 and other machines on each subnet. (I'm led to ask all this since where
 the broadcast doesn't work from outside the subnet, neither does DHCP,
 which is proving to be a real problem!)

Do you have Cisco routers connecting your frames together?



Nick Rogness [EMAIL PROTECTED]
- WARNING TO ALL PERSONNEL:
   Firings will continue until morale improves.





Re: Puzzling Simple NATD and IPFW Problem

2002-10-08 Thread Nick Rogness

On Tue, 8 Oct 2002, 2005 - Chill, Samuel Thomas wrote:

 I have ipfirewall, ipdivert, and dummynet all compiled into my kernel. I
 am able to run natd and to specify rules with ipfw, I can also ping
 my external interface. My internal network card (rl1) is 10.0.0.1 and my
 lan clients are running on 10.0.0.x. I can ping everything, the network
 is set up properly. I'm using the default rules supplied in the man page
 and apparently natd is not passing them on. I can't ping or go to any
 website at all. The lan clients have 10.0.0.1 set as their default
 gateway. rl0 is connected to the cable modem and gets it ip via dhcp.
 The freebsd box can ping any thing but apparently nothing is forwarded
 to the external interface. I have double checked and reinstalled
 multiple times and it seems that it is bound to never work!

Do you have gateway_enable=YES in /etc/rc.conf?

What do the following show when you run them (just paste them in a
reply):

# ifconfig -a
# netstat -rn
# ipfw -a l
# sysctl net.inet.ip.forwarding
# ps -aux |grep nat
# cat /etc/rc.conf

Nick Rogness [EMAIL PROTECTED]
- WARNING TO ALL PERSONNEL:
   Firings will continue until morale improves.







Re: pam is hosed! ;)

2002-09-21 Thread Nick Rogness

On Sat, 21 Sep 2002, jason wrote:

 running FreeBSD monsterjam.org 4.5-RC FreeBSD 4.5-RC #0: Sat Jan 26
 00:52:46 EST 2002 [EMAIL PROTECTED]:/space/obj/usr/src/sys/ROLAND  i386
 and everything has been running absolutely ducky for quite a while
 monsterjam# uptime
  1:45PM  up 237 days, 35 mins, 8 users, load averages: 0.16, 0.04, 0.02

 all of a sudden pam stops authenticating for my imap/pop3 users and http
 users..
 I see all these messages in my /var/log/messages:

 Sep 21 13:23:22 monsterjam cupsd: unable to
 dlopen(/lib/security/pam_unix.so)
 Sep 21 13:23:22 monsterjam cupsd: [dlerror: Cannot open
 /lib/security/pam_unix.so]
 Sep 21 13:23:22 monsterjam cupsd: adding faulty module:
 /lib/security/pam_unix.so

 Sep 20 22:35:36 monsterjam login: _pam_init_handlers: no default config
 /etc/pam.d/other
 Sep 20 22:35:36 monsterjam login: error reading PAM configuration file
 Sep 20 22:35:36 monsterjam login: pam_start: failed to initialize handlers
 Sep 20 22:35:36 monsterjam login: pam_start: Critical error - immediate
 abort


 Sep 21 08:40:58 monsterjam login: unable to
 dlopen(/lib/security/pam_unix.so)
 Sep 21 08:40:58 monsterjam login: [dlerror: Cannot open
 /lib/security/pam_unix.so]
 Sep 21 08:40:58 monsterjam login: adding faulty module:
 /lib/security/pam_unix.so
 Sep 21 08:40:58 monsterjam login: pam_authenticate: Module is unknown

 Ive searched google and cant seem to find out what they mean.

 looking at my system, pam_unix.so is in /usr/lib, not /lib/security

 monsterjam# locate pam_unix.so
 /usr/lib/pam_unix.so

 regular telnet,ssh logins to the box work fine, just not imap, pop3,
 http, what should I do?


Well what does your /etc/pam.conf file look like?

Nick Rogness [EMAIL PROTECTED]
- WARNING TO ALL PERSONNEL:
   Firings will continue until morale improves.





Re: NIC problem

2002-09-17 Thread Nick Rogness

On Tue, 17 Sep 2002, Bob Bomar wrote:

 I have a dual P-200 file server that is having some connection
 problems.  When I ssh to the box, I login in fine, but some times it
 lags for a while, but the two boxes are physically sitting next to each
 other, and are on ports that are side by side on the switch.  While I
 ssh out of the box from the console, to another box on the LAN, it is
 still intermittent.  Anybody have any ideas?


What type of ethernet card(s) is in the box?  Is the switch
reporting any type of errors?


Nick Rogness [EMAIL PROTECTED]
- WARNING TO ALL PERSONNEL:
   Firings will continue until morale improves.






Re: inet sharing

2002-07-16 Thread Nick Rogness

On Tue, 16 Jul 2002 [EMAIL PROTECTED] wrote:

 Here's my setup.. I'm on FreeBSD 4.6 release.. my main machine
 (running the freebsd) has two network cards.. 1st card is attached to
 ADSL using dhcp..  second network card has crossover cable running to
 another windows machine. I want to share my internet from the freebsd
 machine. Any idea how to proceed?

There are several references online about doing this.  Some even
walk you through step by step.  Search for keywords such as NAT
on FreeBSD and FreeBSD home gateway and FreeBSD
networking etc...

Also search the freebsd-questions mailing list archive and
handbook as this is a very common topic.

Nick Rogness [EMAIL PROTECTED]
 - Don't mind me...I'm just sniffing your packets






RE: Three nics routing problem

2002-07-15 Thread Nick Rogness


 I've got a routing problem the answer to which eludes me.
 
 The situation is as follows. The box (4.6) has three NICs:
 
 rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
  inet 10.0.1.55 netmask 0xff00 broadcast 10.0.1.255
  ether 00:e0:4c:39:00:32
  media: Ethernet autoselect (100baseTX full-duplex)
  status: active
 ep0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
  inet 10.0.0.55 netmask 0xff00 broadcast 10.0.0.255
  ether 00:60:97:14:31:a7
  media: Ethernet 10base2/BNC
 ep1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
  inet 212.187.0.39 netmask 0xf800 broadcast 212.187.7.255
  ether 00:60:97:e4:98:db
  media: Ethernet 10baseT/UTP
 
 The ep1 connects to the CATV external connection. The ep0 to the local coax
 cable and finally the rl0 to a switchlet. The idea was to start moving to
 the UTP network. However, the box fails to comply.
 
 Diagrammatically it looks like this:
 
 CATV --- ep1
ep0 --- test's ed0 as 10.0.0.10
--- other boxes
rl0 --- test's rl0 as 10.0.1.100
--- other stuff
 
 DestinationGatewayFlagsRefs  Use  Netif Expire
 default212.187.0.1UGSc   35   338854ep1
 10/24  link#2 UC  20ep0
 10.0.0.2   0:0:e8:ef:7b:fbUHLW987347ep0   1139
 10.0.1/24  link#1 UCc 10rl0
 127.0.0.1  127.0.0.1  UH  217851lo0
 212.187.0/21   link#3 UC  20ep1
 212.187.0.10:30:7b:94:31:c8   UHLW   294ep1   1200
 212.187.7.255  ff:ff:ff:ff:ff:ff  UHLWb   05ep1
 
 frl:~/samba/NOTAS$ sysctl -a|grep forward
 net.inet.ip.forwarding: 1
 net.inet.ip.fastforwarding: 0


Looks good...forwarding enabled.

 
 Even with forwarding enabled it does not forward. My workstation can
 connect to 10.0.1.100 but only through the coax cable (the test box
 also has forwarding enabled). When I unplug that cable it can no
 longer reach the test box. Which is unfortunate.

What does the routing table on both test machines look
like?  Are they using the FreeBSD machine as their default
gateway?  What does traceroute reveal?

 
 The frl box will of course always communicate with the test box. But
 it will not forward packets from the 10.0.0. net to the 10.0.1. net
 without resorting to the coax net.

The info listed above looks as if the box should just work.


Nick Rogness [EMAIL PROTECTED]
 - Don't mind me...I'm just sniffing your packets




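To check the "should just work" conclusion above against the posted routing table, here is an added example (not the poster's and not FreeBSD's code) that does what the kernel's forwarding path does first: a longest-prefix-match route lookup. It takes the network routes exactly as `netstat -rn` printed them, including the abbreviated BSD destinations such as `10/24`, and reports the interface and next hop for a given source and destination. The UHLW host entries are left out because they are ARP-cache routes, and 198.51.100.7 is a constructed outside address.

```python
import ipaddress
from typing import List, Optional, Tuple

# Network routes copied from the netstat -rn output in the thread
# (destination, gateway, netif); host/ARP entries are omitted.
ROUTING_TABLE: List[Tuple[str, str, str]] = [
    ("default",      "212.187.0.1", "ep1"),
    ("10/24",        "link#2",      "ep0"),
    ("10.0.1/24",    "link#1",      "rl0"),
    ("127.0.0.1",    "127.0.0.1",   "lo0"),
    ("212.187.0/21", "link#3",      "ep1"),
]


def expand_bsd_prefix(dest: str) -> ipaddress.IPv4Network:
    """Turn netstat's abbreviated destinations ('10/24', '10.0.1/24',
    '212.187.0/21', 'default', a bare host address) into an IPv4Network.
    BSD drops trailing zero octets, so missing octets are zero-filled."""
    if dest == "default":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if "/" in dest:
        addr, plen = dest.split("/")
    else:
        addr, plen = dest, "32"          # a host route
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))
    return ipaddress.IPv4Network(f"{'.'.join(octets)}/{plen}")


def lookup(dst: str, table=ROUTING_TABLE) -> Optional[Tuple[str, str]]:
    """Longest-prefix match: returns (next_hop, netif). A 'link#N' gateway
    means the destination is directly connected, reported as 'direct'."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for dest, gw, netif in table:
        net = expand_bsd_prefix(dest)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, netif)
    if best is None:
        return None
    _, gw, netif = best
    return ("direct" if gw.startswith("link#") else gw), netif


def forwarding_path(src: str, dst: str, table=ROUTING_TABLE) -> Optional[Tuple[str, str, str]]:
    """(ingress netif, egress netif, next hop) for a packet the box is asked
    to forward; ingress is the interface whose connected net holds src."""
    src_route = lookup(src, table)
    dst_route = lookup(dst, table)
    if src_route is None or dst_route is None:
        return None
    return src_route[1], dst_route[1], dst_route[0]


if __name__ == "__main__":
    # The case from the thread: a coax host reaching the UTP test box.
    print(forwarding_path("10.0.0.10", "10.0.1.100"))   # ('ep0', 'rl0', 'direct')
    print(lookup("198.51.100.7"))                        # ('212.187.0.1', 'ep1')
```

If the lookup sends a 10.0.0.x to 10.0.1.x packet out rl0 and net.inet.ip.forwarding is 1, as the thread shows, the remaining suspects are the ones the reply asks about: whether the test hosts use the FreeBSD box as their gateway for the other subnet, and what traceroute shows for the return path.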