[no subject]

2003-03-03 Thread Shane Hickey
auth d7a512af unsubscribe freebsd-questions [EMAIL PROTECTED]

--
Shane Hickey : Network/System Consultant
GPG KeyID: 777CBF3F
Key fingerprint: 254F B2AC 9939 C715 278C DA95 4109 9F69 777C BF3F
Listening to: Bright Eyes - Arienette (Live - May 15, 2002)


To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message


Re:

2003-03-03 Thread Shane Hickey
Cripes!  Sorry about that... in my sleepy haze I clicked the wrong dang
e-mail address in the confirmation e-mail.  How honkin' embarrassing.  I
suppose that's what I get for trying to unsubscribe ;).

--
Shane Hickey : Network/System Consultant
GPG KeyID: 777CBF3F
Key fingerprint: 254F B2AC 9939 C715 278C DA95 4109 9F69 777C BF3F
Listening to: Bright Eyes - Arienette (Live - May 15, 2002)




laptop firewall NICs

2003-02-24 Thread Shane Hickey
Howdy all,
I'm attempting to use a Toshiba TECRA 8000 running 5.0-release as the
firewall for my home network.  It's running right now, but I'm seeing
some sketchy network behavior and I think it's one of the NICs. 
Basically, when I'm doing something fairly network-intensive (like large
NNTP downloads) my bandwidth usage fluctuates wildly.  I also will get a
lot of connections reset and such.
I think it's my ed1 interface (which is my inside interface), because
when I had ed1 as my outside interface and in promiscuous mode (for
snort) I was getting a lot of errors like:

Feb 14 15:00:37 elijah kernel: ed1: NIC memory corrupt - invalid packet length 4

When I changed my dc0 interface to be my outside, promiscuous
interface, these errors went away.  My current dmesg info is as follows.

ed1: Linksys Combo EthernetCard at port 0x100-0x11f irq 11 function 0
config 16 on pccard0
ed1: address 00:e0:98:88:91:84, type Linksys (16 bit)
ukphy0: Generic IEEE 802.3u media interface on miibus0
ukphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto

dc0: Xircom X3201 10/100BaseTX port 0x1000-0x107f mem
0x88002400-0x880024ff,0x88002500-0x8800257f irq 11 at device 0.0 on
cardbus1
dc0: Ethernet address: 06:00:06:29:52:90
miibus1: MII bus on dc0
tdkphy0: TDK 78Q2120 media interface on miibus1
tdkphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto

Anyway, so I recently got a Xircom 10/100 cardbus NIC to replace my
linksys (ed1) card.  However, when I boot up with this NIC, I get to the
point where my interfaces are going to be configured (after setting
hostname) and the machine locks up.

Here's the dmesg info for the new card.

dc1: Xircom X3201 10/100BaseTX port 0x1080-0x10ff mem
0x88002000-0x880020ff,0x88002100-0x8800217f irq 11 at device 0.0 on
cardbus0
dc1: Ethernet address: 06:00:10:a4:03:3f
miibus0: MII bus on dc1

Would it help if I rebuilt my kernel and specified the irq, mem and port
for dc0 and dc1?

Thanks in advance for any help,

--
Shane Hickey : Network/System Consultant
GPG KeyID: 777CBF3F
Key fingerprint: 254F B2AC 9939 C715 278C DA95 4109 9F69 777C BF3F
Listening to: Bright Eyes - Lover I Dont Have To Love




Re: ipfilter on 5.0

2003-02-20 Thread Shane Hickey
Wayne,
I am currently using ipfilter on 5.0-release.  I rebuilt my kernel to
support it.  I confused myself because I couldn't find a LINT file in
/sys/i386/conf.  But it looks like you now build the LINT file by using
the Makefile in this directory.  The options that you want in your
kernel are 

options IPFILTER
options IPFILTER_LOG
options IPFILTER_DEFAULT_BLOCK

At least, you for sure want the first one.  I don't know much about
FreeBSD kernel modules, so if this wasn't what you were trying to do, I
apologize.

Shane

On Thu, 2003-02-20 at 07:38, Wayne Pascoe wrote:
> Hi all,
>
> Does anyone have ipfilter working on 5.0 ? ipf binary appears to be
> here, but I can't find hide nor hair of the module.
>
> I've tried recompiling the code in /usr/src/contrib/ipfilter, but doing
> both make bsd and make freebsd4 fails.
>
> Is this working yet or do I need to look into ipfw?
>
> Thanks,






Re: ipf ftp proxy problem?

2003-02-19 Thread Shane Hickey
On Tue, 2003-02-18 at 15:10, Marco Radzinschi wrote:
> Place the following BEFORE any other rules, and replace $intsubnet with
> your internal subnet.  The second rule will allow active FTP from the
> firewall itself.
>
> map dc0 $intsubnet -> 1.1.1.1/32 proxy port ftp ftp/tcp
> map dc0 1.1.1.1/32 -> 1.1.1.1/32 proxy port ftp ftp/tcp

Hmm... I had never tried to ftp from the actual firewall box.  I just
added the second rule and I am now able to do active ftp from the
firewall box, but not from any of the internal boxes.  I'm sending ipmon
data to syslog and I can't see hide nor hair of anything in the logs
pertaining to these failed active sessions.

Does anyone have any idea of some troubleshooting steps I might take?

Thanks,

shane







Re: ipf ftp proxy problem?

2003-02-19 Thread Shane Hickey
On Wed, 2003-02-19 at 21:26, Shane Hickey wrote:
> On Tue, 2003-02-18 at 15:10, Marco Radzinschi wrote:
>> Place the following BEFORE any other rules, and replace $intsubnet with
>> your internal subnet.  The second rule will allow active FTP from the
>> firewall itself.
>>
>> map dc0 $intsubnet -> 1.1.1.1/32 proxy port ftp ftp/tcp
>> map dc0 1.1.1.1/32 -> 1.1.1.1/32 proxy port ftp ftp/tcp
>
> Hmm... I had never tried to ftp from the actual firewall box.  I just
> added the second rule and I am now able to do active ftp from the
> firewall box, but not from any of the internal boxes.  I'm sending ipmon
> data to syslog and I can't see hide nor hair of anything in the logs
> pertaining to these failed active sessions.

Hooo ah!  I figured it out.  A tcpdump showed me that my ftp data wasn't
matching the first two rules.  That is, let's say my internal network is
10.0.0.0/24 and some particular hosts are 10.0.0.1 and 10.0.0.2.  Let's
then say that my outside interface's IP is 1.1.1.1.  My outside
interface also has 2 IP aliases of 2.2.2.2 and 3.3.3.3.   These are my
three static publicly routable IPs that I use for public services.  

Anyway, that said, here's the nat rules that I had in place.

map dc0 10.0.0.0/24 -> 1.1.1.1/32 proxy port ftp ftp/tcp
map dc0 1.1.1.1/32 -> 1.1.1.1/32 proxy port ftp ftp/tcp
map dc0 10.0.0.0/24 -> 1.1.1.1/32 portmap tcp/udp auto
map dc0 10.0.0.1/32 -> 2.2.2.2/32
map dc0 10.0.0.2/32 -> 3.3.3.3/32
map dc0 10.0.0.0/24 -> 1.1.1.1/32

I had assumed that the rules would be checked in order and then ipnat
would exit with the first matching rule.  What seems to have happened,
though, is that the most specific rule is matched?  When I ftp'd from
10.0.0.1, it was being mapped to 2.2.2.2 and not 1.1.1.1.

Anyway, thanks much for all the help.  I apologize if these were goofy
questions.

Shane
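
Added example, not part of the original post and not IPFilter code: a small Python model of the two selection behaviours the message above contrasts (first matching rule versus most specific source network), run over the rules as posted, to list which hosts' FTP control connections would miss the ftp proxy rule. The function names are hypothetical, and the most-specific behaviour is taken from what the post reports observing, not from IPFilter's source.

```python
import ipaddress
import re

# Rules as posted in the message, written with ipnat's "->" arrow.
POSTED_RULES = """\
map dc0 10.0.0.0/24 -> 1.1.1.1/32 proxy port ftp ftp/tcp
map dc0 1.1.1.1/32 -> 1.1.1.1/32 proxy port ftp ftp/tcp
map dc0 10.0.0.0/24 -> 1.1.1.1/32 portmap tcp/udp auto
map dc0 10.0.0.1/32 -> 2.2.2.2/32
map dc0 10.0.0.2/32 -> 3.3.3.3/32
map dc0 10.0.0.0/24 -> 1.1.1.1/32
"""

MAP_RE = re.compile(r"^map\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s*(.*)$")


def parse_rules(text):
    """Parse 'map' lines into dicts; 'n' is the rule's position in the file."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = MAP_RE.match(line)
        if m is None:
            raise ValueError(f"not a map rule: {line!r}")
        ifname, src, dst, opts = m.groups()
        rules.append({
            "n": len(rules) + 1,
            "ifname": ifname,
            "src": ipaddress.ip_network(src),
            "to": dst,
            "ftp_proxy": bool(re.search(r"\bproxy port (ftp|21) ftp/tcp\b", opts)),
            "tcpudp_only": "portmap tcp/udp" in opts,
        })
    return rules


def matching(rules, src_ip, proto, dport, ifname="dc0"):
    """All rules whose interface, source network and protocol limits fit."""
    ip = ipaddress.ip_address(src_ip)
    hits = []
    for r in rules:
        if r["ifname"] != ifname or ip not in r["src"]:
            continue
        if r["ftp_proxy"] and not (proto == "tcp" and dport == 21):
            continue  # the proxy rule only covers the FTP control port
        if r["tcpudp_only"] and proto not in ("tcp", "udp"):
            continue
        hits.append(r)
    return hits


def first_match(rules, src_ip, proto="tcp", dport=21):
    """Selection the post assumed: the first fitting rule in file order."""
    hits = matching(rules, src_ip, proto, dport)
    return hits[0] if hits else None


def most_specific(rules, src_ip, proto="tcp", dport=21):
    """Selection the post observed: longest source prefix, file order on ties."""
    hits = matching(rules, src_ip, proto, dport)
    return max(hits, key=lambda r: (r["src"].prefixlen, -r["n"])) if hits else None


def ftp_proxy_bypass(rules, hosts):
    """Hosts whose FTP control connection lands on a rule without the proxy."""
    out = []
    for host in hosts:
        r = most_specific(rules, host)
        if r is not None and not r["ftp_proxy"]:
            out.append((host, r["n"], r["to"]))
    return out


if __name__ == "__main__":
    rules = parse_rules(POSTED_RULES)
    print(ftp_proxy_bypass(rules, ["10.0.0.1", "10.0.0.2", "10.0.0.3"]))
```

Under this model the two hosts with their own static maps are the only ones that skip the proxy rule, which matches the post's observation that 10.0.0.1 was mapped to 2.2.2.2.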







ipf ftp proxy problem?

2003-02-17 Thread Shane Hickey
Howdy all,
I have a freebsd firewall and I want to be able to make both passive
and active ftp client connections from my inside network to the outside
world.  I'm using ipf and ipnat compiled into the kernel.  I followed
the IPF HOWTOs that I've read and I'm hitting a brick wall.
My outside interface is dc0 and let's say my outside IP is 1.1.1.1. 
I've tried both of the following rules in my /etc/ipnat.rules file with
no success.

map dc0 0/0 -> 1.1.1.1/32 proxy port 21 ftp/tcp
map dc0 0/0 -> 0/32 proxy port ftp ftp/tcp

When I say no success, I mean that I am able to establish a remote ftp
connection, but when I do a 'ls' I get a

425 Can't build data connection: No route to host

I'm sure I'm doing something foolish, so any advice would be greatly
appreciated.  Oh yeah, I'm running FreeBSD 5.0-release and IPF version
3.4.29.

Thanks in advance for any help.

--
Shane Hickey : Network/System Consultant
GPG KeyID: 777CBF3F
Key fingerprint: 254F B2AC 9939 C715 278C DA95 4109 9F69 777C BF3F
Listening to: MC5 - 12 I Can Only Give you Everyth





troubleshooting CVSUP failures

2003-02-14 Thread Shane Hickey
Howdy all,
My ISP just put in a packetshaper and I am now having problems getting
CVSUP to work.  I suppose it could be unrelated, but I wanted to see if
anyone could suggest good troubleshooting steps.  I've tried several
cvsup servers (cvsup, cvsup2, cvsup7, cvsup8) and they all either fail
immediately, or shortly thereafter with one of the following errors.

TreeList failed: Network write failure: ChannelMux.ProtocolError

Detailer failed: Network read failure: Input/output error: zlib data
error
Will retry at 11:40:22

If anyone can give me some ideas to help figure out where the fault
lies, that would be great.

Shane





Re: troubleshooting CVSUP failures

2003-02-14 Thread Shane Hickey
On Fri, 2003-02-14 at 11:46, Shane Hickey wrote:
> Howdy all,
> My ISP just put in a packetshaper and I am now having problems getting
> CVSUP to work.  I suppose it could be unrelated, but I wanted to see if
> anyone could suggest good troubleshooting steps.  I've tried several
> cvsup servers (cvsup, cvsup2, cvsup7, cvsup8) and they all either fail
> immediately, or shortly thereafter with one of the following errors.
>
> TreeList failed: Network write failure: ChannelMux.ProtocolError
>
> Detailer failed: Network read failure: Input/output error: zlib data
> error

I hadn't gotten any responses, but I just noticed something.  I put my
firewall's outside interface into promiscuous mode for Snort and shortly
thereafter I started getting the following errors.

Feb 14 15:00:37 elijah kernel: ed1: NIC memory corrupt - invalid packet length 4
Feb 14 15:00:48 elijah kernel: ed1: NIC memory corrupt - invalid packet length 3
Feb 14 15:00:52 elijah kernel: ed1: NIC memory corrupt - invalid packet length 4
Feb 14 15:00:53 elijah kernel: ed1: NIC memory corrupt - invalid packet length 3

Now, my question all along has been whether my ISP munged something up
and packets are being corrupted.  Might the errors that I'm seeing be
evidence of that or is it only pointing to the fact that my firewall's
ed1 interface might be screwy?

Thanks,

Shane





Re: troubleshooting CVSUP failures

2003-02-14 Thread Shane Hickey
Howdy, thanks for the response.

On Fri, 2003-02-14 at 15:39, Stacey Roberts wrote:
> What version of FreeBSD is this?

5.0-release.

> Can you post the dmesg output for both (or more) of the nics on the
> system, please?
> What is the P'nP OS BIOS option set to on this box?

Here's the dmesg:
ed1: Linksys Combo EthernetCard at port 0x100-0x11f irq 11 function 0
config 16 on pccard0
ed1: address 00:e0:98:88:91:84, type Linksys (16 bit)
ukphy0: Generic IEEE 802.3u media interface on miibus0
ukphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
Product version: 5.0
Product name: IBM | 10/100 EtherJet CardBus | IBMC-10/100 | 1.04 |
Manufacturer ID: a400130181
Functions: Network Adaptor, Multi-Functioned
Function Extension: 04060006295290d8
Function Extension: 0102
Function Extension: 0280969800
Function Extension: 0200e1f505
Function Extension: 0301
Function Extension: 0303
Function Extension: 0501
cardbus1: Invalid BAR number: 27(06)
CIS reading done
dc0: Xircom X3201 10/100BaseTX port 0x1000-0x107f mem
0x88002400-0x880024ff,0x88002500-0x8800257f irq 11 at device 0.0 on
cardbus1
dc0: Ethernet address: 06:00:06:29:52:90
miibus1: MII bus on dc0
tdkphy0: TDK 78Q2120 media interface on miibus1
tdkphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto

I don't see any mention of PNP in the BIOS and I didn't specifically
enable anything in the KERNEL.  Let me know if you need more.

Now, here's the weird thing.  I reconfigured my ipnat.rules, ipf.rules
and rc.conf to switch the NICs.  I rebooted and switched the cables and
now I haven't gotten an error on the new dc0 interface (which is now the
promiscuous snort interface).  So, it might be that the ed1 interface is
conflicting with something and I only hear about it when I put it into
promiscuous mode.  I'm going to try to do that next.

Thanks,

shane





5.0-release and tripwire?

2003-02-12 Thread Shane Hickey
Has anyone else had problems getting tripwire from ports to compile on
5.0-release?  Here's what I'm seeing

...
mkdir -p obj/GCCi386/Release
c++ -I../stlport -Wall -W -Wno-sign-compare -Wno-unused
-Wno-uninitialized -ftemplate-depth-32 -O2 complex.cpp -c -o
obj/GCCi386/Release/complex.o
In file included from ../stlport/config/stlcomp.h:71,
 from ../stlport/stl/_config.h:69,
 from stlport_prefix.h:8,
 from complex.cpp:18:
../stlport/config/stl_gcc.h:23: redeclaration of C++ built-in type
`wchar_t'
In file included from ../stlport/complex:40,
 from complex.cpp:21:
../stlport/wrap_std/complex:16:39: ../g++-include/complex: No such file
or directory
complex.cpp:26: syntax error before `' token
complex.cpp: In function `float abs(...)':
complex.cpp:28: `__z' undeclared (first use this function)
complex.cpp:28: (Each undeclared identifier is reported only once for
each 
   function it appears in.)
complex.cpp:28: `__STL_HYPOTF' undeclared (first use this function)
complex.cpp: At global scope:
complex.cpp:31: syntax error before `' token
complex.cpp: In function `double abs(...)':
complex.cpp:32: new declaration `double abs(...)'
complex.cpp:27: ambiguates old declaration `float abs(...)'
complex.cpp: In function `float abs(...)':
complex.cpp:33: `__STL_HYPOT' undeclared (first use this function)
complex.cpp: At global scope:
complex.cpp:36: syntax error before `' token
complex.cpp: In function `long double abs(...)':
complex.cpp:37: new declaration `long double abs(...)'
complex.cpp:32: ambiguates old declaration `double abs(...)'
complex.cpp: In function `float abs(...)':
complex.cpp:38: `__STL_HYPOTL' undeclared (first use this function)
complex.cpp: At global scope:
complex.cpp:43: syntax error before `' token
complex.cpp: In function `float arg(...)':
complex.cpp:45: `__STL_ATAN2F' undeclared (first use this function)
complex.cpp: At global scope:
complex.cpp:48: syntax error before `' token
complex.cpp: In function `double arg(...)':
complex.cpp:49: new declaration `double arg(...)'
complex.cpp:44: ambiguates old declaration `float arg(...)'
complex.cpp: In function `float arg(...)':
complex.cpp:50: `__STL_ATAN2' undeclared (first use this function)
complex.cpp: At global scope:
complex.cpp:53: syntax error before `' token
complex.cpp: In function `long double arg(...)':
complex.cpp:54: new declaration `long double arg(...)'
complex.cpp:49: ambiguates old declaration `double arg(...)'
complex.cpp: In function `float arg(...)':
complex.cpp:55: `__STL_ATAN2L' undeclared (first use this function)
complex.cpp: At global scope:
complex.cpp:60: syntax error before `float'
gmake[4]: *** [obj/GCCi386/Release/complex.o] Error 1
gmake[3]: *** [lib/libstlport_gcc.a] Error 2
gmake[2]: *** [../../lib/i386-unknown-freebsd_r/libstlport_gcc.a] Error
2
gmake[1]: *** [STLport_r] Error 2
gmake[4]: Leaving directory
`/usr/ports/security/tripwire/work/tripwire-2.3.1-2/src/STLport-4.0/src'
gmake[3]: Leaving directory
`/usr/ports/security/tripwire/work/tripwire-2.3.1-2/src/STLport-4.0'
gmake[2]: Leaving directory
`/usr/ports/security/tripwire/work/tripwire-2.3.1-2/src/STLport-4.0'
gmake[1]: Leaving directory
`/usr/ports/security/tripwire/work/tripwire-2.3.1-2/src'
date  release.i386-unknown-freebsd.out

Thanks in advance for any pointers.

-- 
|Shane Hickey [EMAIL PROTECTED]
|Network/System Consultant
+-
|GPG KeyID 777CBF3F
|Key fingerprint = 254F B2AC 9939 C715 278C  DA95 4109 9F69 777C BF3F
+





5.0-release and tripwire?

2003-02-12 Thread Shane Hickey
NOTE: I had problems with my mail client and I wasn't sure if this made
it to the list or not.

Has anyone else had problems getting tripwire from ports to compile on
5.0-release?  Here's what I'm seeing

...
mkdir -p obj/GCCi386/Release
c++ -I../stlport -Wall -W -Wno-sign-compare -Wno-unused
-Wno-uninitialized -ftemplate-depth-32 -O2 complex.cpp -c -o
obj/GCCi386/Release/complex.o
In file included from ../stlport/config/stlcomp.h:71,
 from ../stlport/stl/_config.h:69,
 from stlport_prefix.h:8,
 from complex.cpp:18:
../stlport/config/stl_gcc.h:23: redeclaration of C++ built-in type
`wchar_t'
In file included from ../stlport/complex:40,
 from complex.cpp:21:
../stlport/wrap_std/complex:16:39: ../g++-include/complex: No such file
or directory
complex.cpp:26: syntax error before `' token
complex.cpp: In function `float abs(...)':
complex.cpp:28: `__z' undeclared (first use this function)
complex.cpp:28: (Each undeclared identifier is reported only once for
each 
   function it appears in.)
complex.cpp:28: `__STL_HYPOTF' undeclared (first use this function)
complex.cpp: At global scope:
complex.cpp:31: syntax error before `' token
complex.cpp: In function `double abs(...)':
complex.cpp:32: new declaration `double abs(...)'
complex.cpp:27: ambiguates old declaration `float abs(...)'
complex.cpp: In function `float abs(...)':
complex.cpp:33: `__STL_HYPOT' undeclared (first use this function)
complex.cpp: At global scope:
complex.cpp:36: syntax error before `' token
complex.cpp: In function `long double abs(...)':
complex.cpp:37: new declaration `long double abs(...)'
complex.cpp:32: ambiguates old declaration `double abs(...)'
complex.cpp: In function `float abs(...)':
complex.cpp:38: `__STL_HYPOTL' undeclared (first use this function)
complex.cpp: At global scope:
complex.cpp:43: syntax error before `' token
complex.cpp: In function `float arg(...)':
complex.cpp:45: `__STL_ATAN2F' undeclared (first use this function)
complex.cpp: At global scope:
complex.cpp:48: syntax error before `' token
complex.cpp: In function `double arg(...)':
complex.cpp:49: new declaration `double arg(...)'
complex.cpp:44: ambiguates old declaration `float arg(...)'
complex.cpp: In function `float arg(...)':
complex.cpp:50: `__STL_ATAN2' undeclared (first use this function)
complex.cpp: At global scope:
complex.cpp:53: syntax error before `' token
complex.cpp: In function `long double arg(...)':
complex.cpp:54: new declaration `long double arg(...)'
complex.cpp:49: ambiguates old declaration `double arg(...)'
complex.cpp: In function `float arg(...)':
complex.cpp:55: `__STL_ATAN2L' undeclared (first use this function)
complex.cpp: At global scope:
complex.cpp:60: syntax error before `float'
gmake[4]: *** [obj/GCCi386/Release/complex.o] Error 1
gmake[3]: *** [lib/libstlport_gcc.a] Error 2
gmake[2]: *** [../../lib/i386-unknown-freebsd_r/libstlport_gcc.a] Error
2
gmake[1]: *** [STLport_r] Error 2
gmake[4]: Leaving directory
`/usr/ports/security/tripwire/work/tripwire-2.3.1-2/src/STLport-4.0/src'
gmake[3]: Leaving directory
`/usr/ports/security/tripwire/work/tripwire-2.3.1-2/src/STLport-4.0'
gmake[2]: Leaving directory
`/usr/ports/security/tripwire/work/tripwire-2.3.1-2/src/STLport-4.0'
gmake[1]: Leaving directory
`/usr/ports/security/tripwire/work/tripwire-2.3.1-2/src'
date  release.i386-unknown-freebsd.out

Thanks in advance for any pointers.

-- 
|Shane Hickey [EMAIL PROTECTED]
|Network/System Consultant
+-
|GPG KeyID 777CBF3F
|Key fingerprint = 254F B2AC 9939 C715 278C  DA95 4109 9F69 777C BF3F
+





5.0-release install problem

2003-02-09 Thread Shane Hickey
Howdy all,  
I have a Toshiba Tecra 8000 laptop that I had installed 4.7-release on
awhile ago using just the kernel and mfsroot floppies and then getting
everything else via ftp.
Well, I decided to start all over on this system, only with
5.0-release.  I actually made the mini-inst cd, but I booted from the
floppies because my cd drive won't boot CDR discs.  
I noticed that it didn't seem to give me the option to configure the
kernel like it did on 4.7, so I just went ahead with a standard
install.  However, it gave the following errors trying to mount the cd.

Error mounting /dev/ac0 on /dist: Operation not supported by device (19)

I'm pretty sure the drive is operational and I know the cd is good
because I can mount it on another machine (which I did to make the
floppies).  Anyway, so then I decided to install via ftp (as I had just
done with the 4.7 floppies a few months ago).  However, when I booted
with the 4.7 floppies, it asked me if I wanted to configure the pc cards
(I set usable memory and such).  This didn't happen with 5.0, but I
could watch on the boot of the floppies and see dmesg output for pccard0
and see the LEDs go solid for my linksys 10/100 card.
But, when I go to select the FTP site, I only see sl0 and ppp0
devices.  Nothing for my ethernet card.  
I'm sure I've done something foolish, so any advice is appreciated.

Thanks,

Shane





USR 22Mbps Wireless PC Card?

2002-11-18 Thread Shane Hickey
Has anyone had any luck getting the above card to work?  I have one of
these in a linux laptop and I think I'm ready to give up.  The model is
a USR2210 and I think it uses a T1 chipset?

Thanks,

Shane





ssh with pam_access?

2002-11-09 Thread Shane Hickey
First, lemme say that I foolishly asked this in freebsd-newbies (because
I'm a freebsd newbie) but it turns out that it was the wrong forum.
Anyway, what are people using to only allow ssh from certain
addresses?  I'm a recent FreeBSD convert, from Linux.  In linuxland I
used both iptables and then I would edit /etc/pam.d/sshd and add this
line

account required /lib/security/pam_access.so

to enable the pam module that allowed me to specify hosts/networks in
/etc/security/access.conf.

I'd rather not do tcp wrappers.  Is there an equivalent way to do this
with pam in FreeBSD?  I know about ipfilter and I'll be doing that, I
just like to have another layer.

Thanks,

Shane







Re: ssh with pam_access?

2002-11-09 Thread Shane Hickey
Hmm... I sort of answered my own question, but that brought up a new
question.  Apparently, you can just specify sshd allow and deny
statements in /etc/hosts.allow.  I had always thought that this only
worked for services spawned out of inetd?  Now I see that inetd is
running (even though I have all lines commented out in my
/etc/inetd.conf) and it apparently has something to do with the -W
flag?  Can someone tell me how this magic works?

Thanks,

Shane

On Sat, 2002-11-09 at 12:58, Shane Hickey wrote:
> First, lemme say that I foolishly asked this in freebsd-newbies (because
> I'm a freebsd newbie) but it turns out that it was the wrong forum.
> Anyway, what are people using to only allow ssh from certain
> addresses?  I'm a recent FreeBSD convert, from Linux.  In linuxland I
> used both iptables and then I would edit /etc/pam.d/sshd and add this
> line
>
> account required /lib/security/pam_access.so
>
> to enable the pam module that allowed me to specify hosts/networks in
> /etc/security/access.conf.
>
> I'd rather not do tcp wrappers.  Is there an equivalent way to do this
> with pam in FreeBSD?  I know about ipfilter and I'll be doing that, I
> just like to have another layer.
>
> Thanks,
>
> Shane
 
 


