Re: Any 4.10 installation on asus pundit ?
Bernard Dugas wrote:
> Thanks very much, Robert, it was the udma option: but this is quite inefficient if I can't use UDMA with FreeBSD?

FreeBSD will drop down to PIO mode, probably mode 4. According to Scott Mueller's book, PIO mode 4 offers up to 16.67 MB/sec, whereas UDMA can offer up to 100 or 133 MB/sec. So, yes, less efficient (but also a bit quieter in my experience).

Have you been able to switch the data cable for a known good cable? That solved the problem for me.

-- Bob

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Firewall rules
I'm obviously missing something... I've read as much about IPFW and firewall packet filtering as I can, and I'm still happy with these very simple rules:

    su-2.05b# ipfw -a list
    00100    16    1144 divert 8668 ip from any to any in via rl0
    00200    17     964 divert 8668 ip from any to any out via rl0
    00300     0       0 check-state
    00400    32    3296 allow ip from me to me
    00500    21    1268 allow ip from 192.168.0.0/24 to any keep-state
    00600   274   25875 allow ip from 192.168.1.0/24 to any keep-state
    00700   296         deny log ip from any to any
    65535     4     429 deny ip from any to any

Now, having seen plenty of examples of huge lists of rules, I'm obviously not seeing something that is apparent to others.

I've tested my network using the grc.com ShieldsUp! port probing system. It informs me that every one of the first 1056 ports is stealthed (i.e. does not even reply to probes). In fact, the only thing it complains about is the fact that my IP replies to ICMP ping requests (though I don't understand how).

The above rules only allow replies to IPs and ports on my network that establish a connection first. I'm not running any net services, so I don't need to allow any unsolicited inbound connections. All the machines on my network seem to be able to fetch mail, browse web pages, ping, and nslookup machines on the Internet at large. And my /var/log/security file shows that dozens of random connections to ports 135 and 445 have been dropped.

So, what am I missing? What gaping hole have I left open?

-- Bob
Re: Firewall rules
JJB wrote:
> First indication is the hit count on the check-state rule. It's zero which means there is never a match in the keep-state table. For all practical purposes your firewall keep-state rules are useless.

I was suspicious of that too, but if I remove the keep-state option from the allow rules, I get no return traffic. Replies from websites never make it back. So I assumed that the state was being recorded and used correctly.

> Just within the last few days a complete working example of ipfw + natd + stateful rules was posted here for the archives. Search the questions archives for your answer.

Yes, I have been referring to that posting, but I'm struggling to see what (fundamentally) the poster has put in his ruleset that I have not. He has denied several IP addresses that should never send packets, and he has allowed some specific outbound traffic types, but it basically seems to be doing the same. Hence my desire to understand what I am clearly missing.

-- Bob
Re: Firewall rules
JJB wrote:
> Fundamentally his keep-state rules work and yours don't.

I have used his script exactly, modifying only for the differences in my ISP's addresses. Everything works as before, and still the check-state rule is showing zero packets and zero bytes, even though keep-state rules have been triggered. Are you sure this is not just a quirk of IPFW?

> The use of the skipto rule to control what ip address goes into the dynamic keep-state table, IE the lan ip or the natd public ip. The bottom line is native ipfw with natd and stateful rules does not work together at all, unless you do some gymnastics with skipto rule so the dynamic keep-state table always has the private lan ip address for matching against.

Yes, this is the mechanism I cannot find a clear explanation for. Can you recommend a link to a page that defines how IPFW stumbles on NAT and keep-state, because I've read and re-read the IPFW man page, and it does me no good whatsoever.

> If you want the max in firewall protection you need stateful rules to monitor the bi-directional exchange of session packets conversation so forged packets can not be inserted.

I agree.

> My recommendation is to scrap your rule file and use the posted archive example with changes for your network. Like the 2 lan nic cards, lo0 interface, and the correct public facing nic card interface for the via interface name.

I've done that. Much better ruleset, but I still cannot see how it is handling NAT + keep-state any differently.

> Second problem is you are allowing everything out your firewall. This is very bad as it allows out any trojans or spy-ware from windows boxes on your lan so they can report their harvested info to the person who planted them. Take control of your firewall and only allow out the exact services you know you are using.

No arguments there. I'm running ZoneAlarm on all Windows boxes, but it's still better to aim for traffic to be killed on sight by the router.

-- Bob
Re: Any 4.10 installation on asus pundit ?
[EMAIL PROTECTED] wrote:
> Hi, I've tried to install the latest FreeBSD 4.10 on an ASUS PUNDIT, from the iso images downloaded from the FreeBSD website. But it can't install. It stops on a:
>     ata0: resetting devices

I had that problem. I disabled UDMA (Ultra DMA) in the BIOS, and the problem was overcome. However, it ultimately turned out to be a bad data cable to the hard drive, so see if you've got a good spare lying around to give that a try. (I got some serious errors in 5.2.1 trying to use the bad cable).

-- Bob
IPFW with NAT and keep-state
There seems to be confusion as soon as IPFW is used for NAT and for stateful dynamic rules. My ruleset so far contains the below rules, and I wonder if someone can tell me if there's anything incorrect about them (with regard to correctly using NAT and dynamic rulesets):

    bash-2.05b# ipfw -a list
    00100  3155 1100714 divert 8668 ip from any to any via rl0
    00200     0       0 check-state
    00300   200   25128 allow ip from me to me
    00400  1991  131910 allow ip from 192.168.0.0/24 to any keep-state
    00500  3928 2038665 allow ip from 192.168.1.0/24 to any keep-state
    65535     1     338 deny ip from any to any

I'm not asking if these rules are battleship secure - I'm sure I have a lot of work to do yet in creating a tighter ruleset. What I want to know is: are these rules correctly allowing NAT to work with dynamic rules, or is there some gaping security flaw that I'm missing?

With the above rules, I can use the gateway machine to connect to the Internet (well, any website of my choice), and I can also use a machine on the 192.168.1 subnet to connect through the gateway to any website, mail server, etc. So NAT seems to be working.

If I remove the keep-state option from the 192.168.1 line, then the LAN machine can send a request to a website, but never gets a reply. Removing the keep-state from the 192.168.0 line stops the gateway asking for pages. So the dynamic rule system seems to be working.

So it would seem that NAT and dynamic rules are working harmoniously together. But how naive am I being? What might I be missing?

Also, if I have got them working together correctly, why do I end up with a lot of packets denied by the `deny ip from any to any` rule? What are these few packets, and what tried to send them? Any ideas?

(By The Way... I remember why I stopped using Usenet all those years ago - have you seen what's being done to c.u.b.freebsd.misc lately? Not the correct way to promote Windows and discredit Linux.)

-- Bob
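The rule ordering JJB describes in the "Re: Firewall rules" reply above (divert inbound, check-state, outbound keep-state rules that skipto the divert, and divert outbound last) is what the ruleset in this post does not have: its single divert "via rl0" runs before check-state in both directions. The script below is an added example, not the archived script or anything from the thread; rl0/rl1, natd on port 8668, the rule numbers and the services allowed out are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread: an ipfw + natd ruleset laid out so that
# the dynamic (keep-state) table always holds the private LAN address.
# Assumed: rl0 faces the ISP, rl1 faces the LAN, natd listens on port 8668,
# and only DNS, HTTP(S), SMTP/POP3 and ICMP are allowed out.
# Dry run:  sh rules.sh dry-run      Load:  sh rules.sh load   (as root)

IPFW=${IPFW:-ipfw}
pif=rl0                 # public-facing interface (assumed)
lan=rl1                 # LAN interface (assumed)

# rule NUM BODY...: add one rule, quietly
rule() { "$IPFW" -q add "$@"; }

load_rules() {
    "$IPFW" -q -f flush

    rule 00100 allow ip from any to any via lo0
    rule 00110 allow ip from any to any via "$lan"

    # 1. Inbound packets are un-NATed BEFORE check-state, so a reply is
    #    addressed to the private LAN host when the dynamic table is searched.
    rule 00200 divert 8668 ip from any to any in via "$pif"
    rule 00210 check-state

    # 2. Outbound packets reach these rules before NAT (rule 800 has not run
    #    yet), so the state entry is keyed on the private address. skipto
    #    sends the packet on to the divert rule instead of a plain allow.
    #    Only the services in use are listed; everything else is logged.
    rule 00300 skipto 800 udp from any to any 53 out via "$pif" keep-state
    rule 00310 skipto 800 tcp from any to any 80,443 out via "$pif" setup keep-state
    rule 00320 skipto 800 tcp from any to any 25,110 out via "$pif" setup keep-state
    rule 00330 skipto 800 icmp from any to any out via "$pif" keep-state
    rule 00340 deny log ip from any to any out via "$pif"

    # 3. Anything inbound that check-state did not recognise is unsolicited.
    rule 00400 deny log ip from any to any in via "$pif"

    # 4. NAT outbound packets AFTER state was recorded, then let them go.
    #    Replies that matched check-state also land here via the skipto;
    #    they are not "out", so 800 is skipped and 801 lets them through.
    rule 00800 divert 8668 ip from any to any out via "$pif"
    rule 00801 allow ip from any to any
}

# Print the rules instead of loading them (IPFW=echo), for review.
dry_run() { ( IPFW=echo; load_rules ); }

# Number of "add" lines the dry run produces.
count_rules() { dry_run | grep -c ' add '; }

# Position (line number in the dry run) of the first rule matching $1, so
# the ordering invariants can be checked without a running kernel.
rule_pos() { dry_run | grep -n ' add ' | grep -- "$1" | head -n 1 | cut -d: -f1; }

case "${1:-}" in
    load)    load_rules ;;
    dry-run) dry_run ;;
esac
```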
chroot versus jail for the name daemon
Newbie Fodder (skip down the page if old and wise):

The FreeBSD Handbook describes running BIND (named) in a sandbox, i.e. using chroot to force the named to think that its place in the filesystem is actually the filesystem root when it's not, so it sees /somewhere/deep/inthe/file/jungle as /. So if hackers break named they theoretically cannot attack the real root of the filesystem, only what is within the chroot path.

Then the Handbook rather offhandedly mentions that some people would recommend putting named into a jail instead. So I've been looking into the jail system in FreeBSD, and comments suggest that it offers better security. On the surface, jail seems to do the same thing: deceive a process into believing that its place in the filesystem is root, and stopping access to directories outside that path.

Questions (for the old and wise):

So, are there any FreeBSD-internals masters who can answer the following:

1) What happens if named is broken with neither chroot nor jail, assuming named is running as user and group bind (rather than as root)?

2) What happens if named is broken while using chroot?

3) What happens if named is broken while in a jail, and how is this less dangerous than using chroot?

Also, can FreeBSD run as a gateway with NAT while using a jail? A jail needs its own IP address, and that seems to interfere with the way other services need to be configured.

-- Bob
London, UK
5.2.1 goes berserk on EPIA M board
I have no CD drive on my EPIA machine, so I plugged the 2.5" Toshiba drive into another machine to install FreeBSD 5.2.1 from a minimal install CD I burned myself. Installation ran fine on the big machine (a Pentium 4) and FreeBSD was able to boot on that machine without problem.

I plugged the Toshiba drive back into my EPIA M (VIA C3 processor) machine and the boot process began as normal, until it paused at the ad0 detection stage. Then messages like the following, dozens of them, start to flood up the screen:

    ad0: FAILURE - WRITE_DMA status=11<DSC,ERROR> error=84<ICRC,ABORTED> LBA=4127103

I did have, yesterday, FreeBSD 5.0 running on my EPIA M successfully until I tried to buildworld using 5.2.1 sources, at which point my EPIA hard crashed and reset itself. I assumed my PSU had failed briefly, but is it possible that 5.2.1 has special problems with the EPIA board or processor? Or are these messages a sign that my EPIA board is damaged now?

I'm starting to lose my mind with this new hardware. Any advice that might clear up the chaos and reduce the possible lines of investigation would be much appreciated.

-- Bob
London, UK
echo Mail fefsensmrrjyaheeoceoq\! | tr jefroq\! @obe.uk
buildworld actually crashed
During buildworld, I wandered off. When I returned, my machine was, alarmingly, in single user mode, demanding that I run fsck manually. I'm running fsck right now, and it's finding all sorts of block size errors, to which I'm simply hitting 'y' and agreeing that things should be salvaged and corrected.

Before running fsck, I had a look at the buildworld.out script that was being written to during the buildworld process. I can't tell you exactly what it says, but it definitely came to a stop in the middle of a 'sentence' of output. I.e. it looks like my new machine (yeah, the soon-to-be-fanless EPIA again) must have crashed during buildworld.

What could cause buildworld to crash like that? I'm now worried that my PSU board *was* damaged the other day. Is a damaged PSU the most likely cause of this incident?

All advice very welcome.

-- Bob
London, UK
echo Mail fefsensmrrjyaheeoceoq\! | tr jefroq\! @obe.uk
Install hangs with Toshiba 2.5 drive
Running FreeBSD 5.0 installer, I see a few messages along the lines of

    configured IRQ 3 is not in bitmap of irqs

and then the following pair of lines:

    ad0: READ command timeout tag=0 serv=0 - resetting
    ata0: resetting devices ..

And then the system seems to jam, the drive light still on, and no further progress is made even after several minutes.

Does anyone know what would cause this? The version of FreeBSD I'm trying to install is 5.0. Would creating a newer install CD solve this problem?

The drive I'm trying to install to is a Toshiba MK8025GAS, 2.5" notebook drive. I've successfully installed Windows XP on it to test it, so the drive does not seem to be the problem.

Any ideas?

-- Bob
Re: Install hangs with Toshiba 2.5 drive
[EMAIL PROTECTED] wrote:
> Running FreeBSD 5.0 installer, I see a few messages along the lines of
>
>     configured IRQ 3 is not in bitmap of irqs
>
> and then the following pair of lines:
>
>     ad0: READ command timeout tag=0 serv=0 - resetting
>     ata0: resetting devices ..
>
> And then the system seems to jam, the drive light still on, and no further progress is made even after several minutes.

Solved it, thanks to the wisdom of the Web. A Google search and some luck led me to the nugget that disabling DMA mode for the IDE drive (and possibly disconnecting troublesome CD drives - but I didn't need to do that) would stop the boot jamming. So I've successfully installed FreeBSD on one machine (with a CD drive) and run it on another (without).

Thank you to JJB and Joe for replying to me personally.

-- Bob
Re: MASTER_SITE_OVERRIDE in make.conf
Kris Kennaway wrote:
> On Sun, Apr 04, 2004 at 08:33:33AM +0100, Robert Downes wrote:
>> My make.conf file contains the line:
>>
>>     MASTER_SITE_OVERRIDE=ftp://ftp.uk.freebsd.org/pub/FreeBSD/ports/distfiles
>
> It's documented in /usr/ports/Mk/bsd.port.mk, together with most of the other port-related variables, and also in the default make.conf file (/etc/defaults/make.conf on 4.x, /usr/share/examples/etc/make.conf on 5.x)

I found plenty in /usr/ports/Mk/bsd.port.mk, but neither I nor the ee search function could find anything about MASTER_SITE* in /usr/share/examples/etc/make.conf. Is my file damaged?

-- Bob
MASTER_SITE_OVERRIDE in make.conf
My make.conf file contains the line:

    MASTER_SITE_OVERRIDE=ftp://ftp.uk.freebsd.org/pub/FreeBSD/ports/distfiles

Someone gave me this line months ago when I asked how to instruct make to request files from local FTP servers (rather than dumping all requests on the master server). However, I can not find a description for this line in any official literature. I have checked man make.conf, and there seems to be no mention.

Where should I be looking for the definitive description of this configuration setting, or has it been removed from recent versions of FreeBSD?

-- Bob
Re: won't buildworld
Bernardo Marcelo Brummer wrote:
> I'm trying to upgrade from 4.7 to 4.9. I made cvsup (src-all), with no problems, then:
>
>     cd /usr/src
>
> and:
>
>     make buildworld
>
> It runs for a while (about 10-15 minutes) and stops (see message below). I already tried cvsup three more times but always with the same result. Any upgrading hints?

Have you read the UPDATING file in /usr/src because sometimes it contains important information regarding version upgrade builds (even from 4.x to 4.y for instance). When I built 5.2 from 5.1, there was a certain MAKE variable I had to include. I can't remember what it was, but UPDATING should enlighten you.

-- Bob
Re: One of your employees are very rude.
I gave up on IRC when it became clear that anyone claiming to be female was actually male (and slightly twisted - I am a girl! I've got tits and everything!!!)

Stick to official forums and this usenet group and you should be safe. (And even then you'll get sexnet ads being posted every now and again.)

-- Bob
CVSup checkout mode for FreeBSD doc tree
The quick start instructions for the FreeBSD documentation project say:

    2. Get a local copy of the FreeBSD doc tree. Either use CVSup in checkout mode to do this, or get a full copy of the CVS repository locally.

I have, so far, used CVSup to reconcile sources and ports and docs, but I'm confused now. According to the man page for CVSup, checkout mode is not the default, and will only be used if a tag or a date are specified. If I want to obey the instruction from the documentation project, what do I want to do with my /etc/cvsupfile if mine currently looks like this:

    *default host=cvsup.uk.FreeBSD.org
    *default base=/usr
    *default prefix=/usr
    *default release=cvs
    *default tag=RELENG_5_2
    *default delete use-rel-suffix
    src-all
    *default tag=.
    ports-all
    doc-all

At the moment, the doc section does not seem to have a tag, so does that mean I'm not using checkout mode to update my doc tree?

-- Bob
Re: What is the end of FreeBSD ?!
Kris Kennaway wrote:
> Notice the difference between these two approaches? It means there's basically no chance that what happened with RedHat will ever happen to FreeBSD.

No, but it surely is possible that the people that devote time to FreeBSD will be taken for granted, and will drift away from spending time on the project?

In fact, so disgusted am I with the thought of a Microsoft-dominated future, and so impressed am I with the FreeBSD system (and by that I mean the whole system, including the way code is offered up by volunteers who do it for the quality of the end result), that I'm going to donate $25 to the FreeBSD Foundation right now. And I'm unemployed, that's how much I like FreeBSD.

I know that money is a crappy donation, but I don't have any spare hardware, and I'm not a good enough programmer to offer any actual code (I'm currently 2/3 the way through a PHP forum system, and I've stalled dead - anyone got any tips for getting past a stall like that?), but hopefully a bit of money will become something useful to the system.

The important point is that a donation is discretionary. My all-time favourite company, Microsoft, don't seem to realise that students, and teenagers, and the unemployed cannot fork out 180 GBP for a 'professional' operating system, then 180 GBP for a 'professional' word processor (which does nothing that the 1997 version did, as far as most people can tell), and then XXX GBP for development software.

I hope that FreeBSD continues to be built by people who don't do it for money, because I really believe that free software is built more lovingly (sorry, I couldn't think of a better word) than commercial, factory-produced stuff. But a donation here and there can't hurt.

-- Bob
Dvorak keymap in single user mode
I use the US Dvorak keyboard layout, and I find it very difficult to type in single user mode (when installing world, for example), because single user mode uses the QWERTY keyboard layout, and does not seem to pay any attention to kbdmap (I think that's the command name - the one with the interactive keymap chooser).

Someone suggested that it's possible to compile the Dvorak layout into my kernel, but how is this done, and is there an easier way of changing keyboard layout in single user mode?

-- Bob
Re: Dvorak keymap in single user mode
Robert Downes wrote:
> I use the US Dvorak keyboard layout, and I find it very difficult to type in single user mode (when installing world, for example), because single user mode uses the QWERTY keyboard layout, and does not seem to pay any attention to kbdmap (I think that's the command name - the one with the interactive keymap chooser).
>
> Someone suggested that it's possible to compile the Dvorak layout into my kernel, but how is this done, and is there an easier way of changing keyboard layout in single user mode?

Okay, made some progress here. Finally noticed that kbdmap says, quite clearly,

    *BUGS*
    http://www.freebsd.org/cgi/man.cgi?query=kbdmap&sektion=1&apropos=0&manpath=FreeBSD+5.1-RELEASE+and+Ports#end
    The *kbdmap* and *vidfont* utilities work only on a (virtual) console and not with X11.

The single user mode is not a virtual console, as virtual consoles are not permitted to run during single user mode. However, the command-line (non-interactive) equivalent is kbdcontrol, and it seems to suffer no such limitation.

So, once in single user mode, type

    mount -a

to make sure that /usr is mounted (needed because it contains the keymaps), and then type

    df

to check that the filesystems are mounted. (Actually, you may not need all of them.) If /usr is now showing up, type

    kbdcontrol -l us.dvorak

and you will be reunited with the (cough... superior... cough) Dvorak keyboard layout. This can be done with any of the available layout files in /usr/share/syscons/keymaps

However, never happy with a simple option, I wonder if there's an easy (read lazy) option... is it possible to automate this process, so that this command is run by default? (Or is that inadvisable because it requires /usr to be available, and /usr should not necessarily be available in single user mode every time?)

-- Bob
Re: Dvorak keymap in single user mode
Reply to myself again, just to make sure this thread can be of use to anyone searching archives at any point in the future.

Stéphane Witzmann suggested that the kernel configuration be altered to specify a default keyboard. So, after checking NOTES and the name of the keyboard map I want (us.dvorak), I changed my custom kernel configuration file (BOBKERN) so that it now contains a section exactly like this:

    # atkbdc0 controls both the keyboard and the PS/2 mouse
    device      atkbdc                          # AT keyboard controller
    device      atkbd                           # AT keyboard
    options     ATKBD_DFLT_KEYMAP
    makeoptions ATKBD_DFLT_KEYMAP=us.dvorak     # use Dvorak key layout

Once this was built and installed (see the handbook for advice on custom kernel building), I booted into single user mode and, hallelujah, it is now in Dvorak layout by default.

Thanks to Stéphane.

DISCLAIMER: Bob is not liable for any minor, major, or irreparable damage his advice may cause. Furthermore by having read the above message, you have already agreed to indemnify Bob against all legal, civil, military, and psychologically hurtful action, whether or not initiated by you. Should any part of this agreement contradict itself, you will close your eyes and ignore the section that is of less profitability to Bob. Should any of this agreement be deemed illegal, you agree to raise up an army and defeat any and all that stand in the way of a change in the law that will install or reinstate the validity of this agreement.

-- Bob
Re: apcupsd
Barry Skidmore wrote:
> Are there any users of apcupsd on the list? If so, please respond to me privately. I have a question about recommended UPS's that work well with FreeBSD.

I have used apcupsd before. I have an ancient old APC Back-UPS Pro 420 with serial cable, and everything was working just dandy. Seems that almost any recent APC Back-UPS Pro or Smart-UPS is supposed to work with apcupsd.

However, mine does not work with apcupsd anymore. I think this was my fault, as I tried to send data from my FreeBSD machine to the UPS, and later realised that my model does not allow this. So I think I may have fried the UPS data-line. Possibly it was something else, though, so let's hope some more intelligent UPS+FreeBSD users post to this thread.

-- Bob