Re: Kerberos authentication and ldap authorization

2007-03-07 Thread Tillman Hodgson
On Wed, Mar 07, 2007 at 02:43:15AM -0700, RJ45 wrote:
 there are many difficulties and YES there is the documentation
 in the FreeBSD handbook but it did not help me so much, I still have
 difficulties.
 
 I installed MIT krb5 also and I am using kadmin from MIT
 to manage the krb5 server.

So no possibility of $PATH problems?

 First problem
 
 kadmin:  ktadd -k /etc/krb5.keytab host/host.domain
 kadmin: Unsupported key table format version number while adding key to 
 keytab
 
 I can't understand this message. I touched /etc/krb5.keytab
 but via kadmin it is unable to export the krb5 key I added before
 with

Touching it ahead of time shouldn't be necessary. Your syntax might be
off, I'm not sure because it looks like you've made it generic for
purposes of posting it to the list. Here's a cut'n'paste of live data of
me doing it (the host has been decommissioned recently, and I haven't
yet deleted the host key from the KDC, which I'll do shortly):

[EMAIL PROTECTED] ~]# ls -l /etc/test.keytab  
ls: /etc/test.keytab: No such file or directory

[EMAIL PROTECTED] ~]# kadmin.local 
Authenticating as principal toor/[EMAIL PROTECTED] with password.
kadmin.local:  getprinc -terse host/[EMAIL PROTECTED]
host/[EMAIL PROTECTED]0   1037304860  0   2419200 
toor/[EMAIL PROTECTED]1037300
kadmin.local:  ktadd -k /etc/test.keytab
host/[EMAIL PROTECTED]
Entry for principal host/[EMAIL PROTECTED] with kvno 6, encryption type Triple 
DES cbc mode with HMAC/sha1 
Entry for principal host/[EMAIL PROTECTED] with kvno 6, encryption type DES cbc 
mode with CRC-32 added to keytab
kadmin.local:  exit

[EMAIL PROTECTED] ~]# ls -l /etc/test.keytab
-rw-------  1 root  wheel  164 Mar  7 19:15 /etc/test.keytab

[EMAIL PROTECTED] ~]# ktutil
ktutil:  read_kt /etc/test.keytab
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    6 host/[EMAIL PROTECTED]
   2    6 host/[EMAIL PROTECTED]
ktutil:  exit

So it does indeed work.

  addprinc -randkey host/host.domain
 
 I also chmod 777 krb5.keytab, nothing to do.

chmod 777 on a keytab is a very very bad thing to do :-)

If someone can read your keytab, it opens the door to impersonating that
principal.

 at the end I exported it from the kdc and copied it by hand in
 /etc/krb5.keytab on my client FreeBSD box, but I do not know
 if in this way it will work.

I've never tried it -- it definitely doesn't sound like it'd be fun to
type in, however :-)

I tend to extract my keytabs right on the KDC and then scp them to the
appropriate host. I don't use kadmin for remote admin -- if I need to
admin the KDC, I log in via the serial console and use kadmin.local to
keep everything off the network.

 anyway now I have another problem.
 I am not able to configure ssh to login via kerberos.
 
 I tried everything
 
 KerberosAuthentication yes
 KerberosOrLocalPasswd yes
 KerberosTicketCleanup yes

Kerberos* is, counterintuitively, not what you want. Google for
sshd_config GSSAPI.

 At the end anyway the scenario needs to be krb5 for authentication
 and LDAP for authorization

I use Kerberos for authentication and NIS-over-IPsec (transport mode),
which is very similar. I have a cross-realm trust to another Realm that
uses Kerberos and flat files, also on BSD. It's definitely doable.

 For now I am not able to authenticate via krb5
 any hints ?

Get some basic troubleshooting information in place by trying the
following tests and posting the results to the list:

* Have a running KDC computer, a workstation computer, and a server
  computer that can run a Kerberos service (let's say it's the kerberos
  telnetd for this example). Ensure that all their clocks are in sync.
  Ensure that all computers have full name resolution correctly working.
* Confirm the KDC is running and that you have at least one valid
  user principal and one valid host principal created. The user
  principal should also exist in /etc/passwd and the other flat files on
  both the workstation and the server computer.
* Confirm that your /etc/krb5.conf on the KDC sets your default realm and
  gives the hostname of the KDC
* From the KDC, confirm that you can kinit and obtain a TGT (test with
  klist)
* From a workstation with the krb5.conf installed, confirm that you can
  kinit and obtain a TGT (test with klist)
* From a workstation with the krb5.conf, attempt to use a kerberos
  service on the host that has the valid host principal. Confirm with
  klist that you're able to obtain the host service ticket.
* On the KDC, extract (ktadd) the server principal to a keytab file.
  Securely copy it (scp is fine) to the server host and ensure it's
  named /etc/krb5.keytab. Permissions should be 600 and owned by root.
* Attempt to use the kerberos telnet client to connect to the kerberos
  host with the valid host principal (i.e., `telnet -x server_host`).
  You should be able to connect and login passwordless.

If any of those steps don't work, please post back to the 
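As an added check, not from the thread, that covers the two keytab problems in this message (the file `touch`ed before `ktadd`, and the `chmod 777`): a POSIX shell function that verifies a keytab is a real MIT keytab (the file starts with the two-byte version header 0x05 0x02, or 0x05 0x01 for the older format; a zero-length file created with `touch` has no header at all, which matches the "Unsupported key table format version number" error quoted above), has mode 600 or 400, and is owned by the expected user. The `stat` fallbacks cover both GNU and FreeBSD `stat`; the file names in the usage are made up.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a Kerberos keytab before
# pointing a service at it. Exit codes: 0 ok, 1 missing, 2 mode too open,
# 3 wrong owner, 4 missing/bad keytab version header.

# File mode as octal digits: GNU stat (Linux) first, then FreeBSD stat.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Owner name: GNU stat first, then FreeBSD stat.
file_owner() {
    stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"
}

# First two bytes of the file as hex, e.g. "0502". Empty file -> "".
keytab_header() {
    od -An -tx1 -N2 "$1" | tr -d ' \n'
}

# check_keytab FILE [OWNER]   (OWNER defaults to root)
check_keytab() {
    kt=$1
    want_owner=${2:-root}

    if [ ! -f "$kt" ]; then
        echo "$kt: no such file (extract it with ktadd; do not touch it first)" >&2
        return 1
    fi

    mode=$(file_mode "$kt")
    case $mode in
        600|400) ;;
        *)
            echo "$kt: mode $mode is too open; anyone who can read a keytab" \
                 "can impersonate its principals. Use chmod 600." >&2
            return 2 ;;
    esac

    owner=$(file_owner "$kt")
    if [ "$owner" != "$want_owner" ]; then
        echo "$kt: owned by $owner, expected $want_owner" >&2
        return 3
    fi

    hdr=$(keytab_header "$kt")
    case $hdr in
        0502|0501) ;;
        *)
            echo "$kt: header '$hdr' is not a keytab version (0502/0501);" \
                 "an empty file is what 'Unsupported key table format version number' complains about" >&2
            return 4 ;;
    esac

    echo "$kt: ok (mode $mode, owner $owner, format 0x$hdr)"
    return 0
}

# Usage: check_keytab /etc/krb5.keytab
if [ $# -gt 0 ]; then
    check_keytab "$@"
fi
```

Run it on the server host after the `scp` step; a clean result is the last precondition before the `telnet -x` test in the list above.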

Re: Kerberos authentication and ldap authorization

2007-03-06 Thread Tillman Hodgson
On Tue, Mar 06, 2007 at 10:07:57AM -0700, RJ45 wrote:
 for example I would like to install the MIT krb5 implementation from ports
 instead of using the Heimdal default, because the kerberos server
 on my network is a MIT server and I can't use kadmin on FreeBSD
 to administer the kerberos server remotely using the Heimdal implementation.
 Does anyone have experience of the MIT krb5 implementation on FreeBSD?

The handbook has a chapter on setting up Kerberos, albeit focused on Heimdal.
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kerberos5.html

In section 14.8.6 it notes that the kadmin protocol differs between
Kerberos implementations -- you have to use the MIT kadmin to administer
a remote MIT KDC.

Other than the kadmin bits (which are fairly different between the two
but aren't used by end-users anyway), it's pretty much transparent to a
Kerberos-enabled workstation which implementation it's using. I
typically install both (to different paths to avoid file conflicts)
because I like using the newest Heimdal rather than the one in base and
also because the included client applications differ. For example, MIT
has Kerberos rsh whereas the base Heimdal doesn't for some of the
platforms that I use.

If you run into any specific issues when setting it up, please post back
to the list and cc me and I'll give you a hand.

-T


-- 
I once bought a cellphone that had a little sticker on the box that said
 'DO NOT EAT PACKAGING MATERIAL'. There went another freebie snack at the
  office.
- A.S.R. quote (Andreas Buzh Skau)
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: Mounting multiple NFS shares to the same point

2007-02-13 Thread Tillman Hodgson
On Tue, Feb 13, 2007 at 12:24:03PM +, Alex Zbyslaw wrote:
 Tillman Hodgson wrote:
 
 If that still holds true in the -current src, the second mount will
 *definitely* cause me backup problems. I may have to move to keeping the
 NFS export always mounted, which is not ideal.

 Could you use something like ssh to transfer the files rather than 
 needing NFS?  (I don't know if you mentioned what the NFS-end box was...).

That's a good idea. In this case the NFS-end box is an Infrant appliance
so I don't think I can use scp. I'll check deeper into it -- if it can
do scp, that gives me more options.

 I'm also not clear why you think that keeping the NFS partition mounted 
 all the time is so bad.  If there is no access then surely the overhead 
 is minimal.

That's true, there's no real performance hit. It's not the overhead I'm
worried about, it's minimizing the exposure of the backups volume to
problems. A network filesystem that isn't mounted is one that's much
harder to accidentally rm files from and such :-)

 Your other alternative is to use lockfiles to control when things get 
 mounted/unmounted.  If the control file is locked, you wait until it's 
 unlocked (or bomb with an error, whatever).  Trivial in perl, and 
 lockf(1) looks like the way to go with shell.

That's the scripting magic that I mentioned. It looks like this is
likely the best solution with my current volume arrangement. In
hindsight, I think I should've used three shares instead of one and then
the daily, weekly and monthly mounts wouldn't conflict with each other.

-T


-- 
You cannot manipulate a marionette with only one string.
- The Zensunni Whip


Re: Mounting multiple NFS shares to the same point

2007-02-13 Thread Tillman Hodgson
On Tue, Feb 13, 2007 at 03:10:30PM +, Alex Zbyslaw wrote:
 Tillman Hodgson wrote:
 Yes, that's certainly an issue.  Presumably you can lock down the 
 directory perms to be root only or root/operator though.  Depending on 
 setup and money, backing up the backups to tape would give more safeguards.

Definitely. The NFS appliance is the staging area before the backups hit
a DLT4 library.

 Can you mount sub-directories from the share as separate mounts?  E.g. 
 create simple directories called daily, weekly and monthly on the share, 
 and mount each separately?  Then you'd just have to move some files 
 around rather than re-create the share.  Plus with a single share you 
 don't have to decide in advance how much space each specific directory 
 needs.

Hey, there's a good idea. My effective directory layout remains the same
but the separate mounts mean that I won't run into multiple mounts on
the same mount point. I just tried it and it works great.

Thanks,

-T


-- 
Page 461: Tools that are simple enough to use the first day are often a
real pain after the first month.
- Harley Hahn, _The Unix Companion_


Mounting multiple NFS shares to the same point

2007-02-12 Thread Tillman Hodgson
A bit of background:

I run backup scripts (dumps piped through gzip to a fileshare) out of
periodic on a daily, weekly and monthly basis. In the script I mount the
NFS share, perform the dumps, and then umount the share. I was worried
that if a daily backup took a long time (more than twice the normal
time) then the weekly would bomb out because the filesystem was already
mounted. So I was going to write some checks to see if it existed before
mounting it.

Which is when I discovered that you can mount multiple NFS shares to the
same directory :-)

Here's an example of it in action:

[EMAIL PROTECTED] ~]# mount /exports/srvbackup/
[EMAIL PROTECTED] ~]# mount | grep srvbackup
nas:/srvbackup on /exports/srvbackup (nfs)
[EMAIL PROTECTED] ~]# mount /exports/srvbackup/
[EMAIL PROTECTED] ~]# mount | grep srvbackup
nas:/srvbackup on /exports/srvbackup (nfs)
nas:/srvbackup on /exports/srvbackup (nfs)
[EMAIL PROTECTED] ~]# umount /exports/srvbackup/
[EMAIL PROTECTED] ~]# mount | grep srvbackup
nas:/srvbackup on /exports/srvbackup (nfs)
[EMAIL PROTECTED] ~]# umount /exports/srvbackup/
[EMAIL PROTECTED] ~]# mount | grep srvbackup
[EMAIL PROTECTED] ~]# man mount_nfs

Further, you can mount /different/ shares to the same directory:

[EMAIL PROTECTED] ~]# mount /exports/srvbackup/
[EMAIL PROTECTED] ~]# mount_nfs nas:/pub /exports/srvbackup/
[EMAIL PROTECTED] ~]# mount | grep srvbackup
nas:/srvbackup on /exports/srvbackup (nfs)
nas:/pub on /exports/srvbackup (nfs)

I then cd'ed to /exports/srvbackup, and only saw files from the second
mount (nas:/pub). So it's not doing a union mount or anything like that.

Is this normal behaviour? Are there any problems with (performance,
perhaps) that might occur if an NFS share is mounted twice? What if my
backup job is still running, would it be interrupted by the second mount
75 minutes later (according to the `periodic` entries in crontab) or
will it be fine?

This definitely seems odd to me, I would've expected mount to express an
error to me.

-T



Re: Mounting multiple NFS shares to the same point

2007-02-12 Thread Tillman Hodgson
On Mon, Feb 12, 2007 at 02:04:38PM -0500, Bob Johnson wrote:
 On 2/12/07, Tillman Hodgson [EMAIL PROTECTED] wrote:
 Is this normal behaviour? Are there any problems with (performance,
 perhaps) that might occur if an NFS share is mounted twice? What if my
 backup job is still running, would it be interrupted by the second mount
 75 minutes later (according to the `periodic` entries in crontab) or
 will it be fine?
 
 This is normal behavior.  There may be exceptions, but in general you
 can mount one filesystem over another (it isn't unique to NFS).  Only
 the most recently mounted filesystem will be visible.  Unmount it, and
 the one below it will become visible again.  It does not reduce
 performance, it's just the way it works. For example, when you mount
 an NFS volume, you are mounting it over a directory on your local UFS
 volume, which is then no longer visible. In some cases this is useful:
 for example, you can populate the UFS directory with files that
 provide default values for something when the NFS mount is not there,
 or that can tell a script that the NFS mount is not present.

I can understand what you're describing, and it makes sense in the case
of mounting an NFS share onto a node in another filesystem. It still
seems like a bad default operation (especially from a POLA point of
view) for the case where you mount the same device or NFS export twice
on the same mount point. My expectation was that it would either error
or else recognize the duplication and realize that it didn't need to do
anything.

How do other Unix variants handle the same situation? I checked into
Linux, and it appears to let you do the same thing (which surprised me),
though in one case it will complain (mounting the *same* device/share
over top of itself). A friend tested that case and reported that it
gives this kind of error for both real devices and NFS shares:

 mount: /dev/hda1 already mounted or /mnt busy
 mount: according to mtab, /dev/hda1 is already mounted on /mnt

That error is actually what I was expecting to see for the case of
doubled-up NFS mounts :-) If it refused to mount in that case it would
be obvious to the administrator what the actual results would be.
Otherwise ...

 I'm not sure whether you are backing up TO or FROM the NFS mount, but
 either way, you aren't going to get the results you want if the second
 mount occurs while the backup is in progress.

... they could end up in a situation like this :-)

(Note that in this case I'm backing up TO the NFS mount, and it's
possible that the same NFS share could be mounted on the same spot
twice, depending on how long it takes for the daily backup job to run).

I'll build some shell script logic using magic files and/or grep'ing
through the output of `mount` with some time-based backoffs if the
previous script hasn't finished running. It doesn't feel clean, though,
and there's race conditions that I'll have to think about how to handle.
Backups aren't something that I want to be so ... indeterministic. It
doesn't inspire trust in the backup set ;-)

-T


-- 
I don't believe in art. I believe in artists.
-- Marcel Duchamp


Re: Mounting multiple NFS shares to the same point

2007-02-12 Thread Tillman Hodgson
On Mon, Feb 12, 2007 at 01:42:04PM -0600, Tillman Hodgson wrote:
 (Note that in this case I'm backing up TO the NFS mount, and it's
 possible that the same NFS share could be mounted on the same spot
 twice, depending on how long it takes for the daily backup job to run).

Following up on my own post, I started digging into other backup
scripts I've written over the years and ran across this snippet on a FreeBSD
4.11 box:

### Perform daily backup of ~tillman
# Clean up my backup partition
# Note! We delay this by 2 hours because mount/umount cause mountd to be
# HUPed, which is not atomic and causes a momentary EPERM (permissions error) if
# any other machine is currently trying to write via NFS
# (assumption: the steps are chained with "&&", which the archived copy lost,
#  so each one runs only if the previous one succeeded)
sleep 7200
/sbin/umount /exports/tillman.backup1/ && \
/sbin/newfs -v -U /dev/vinum/tillman.backup1 && \
/sbin/mount /exports/tillman.backup1/ && \
/sbin/dump 0f - /exports/tillman | (cd /exports/tillman.backup1; /sbin/restore -rf - )

If that still holds true in the -current src, the second mount will
*definitely* cause me backup problems. I may have to move to keeping the
NFS export always mounted, which is not ideal.

-T


-- 
Master Tung-shan interviewed a new monk: What's your name? Pen-chi, the
monk answered. Say something more. I won't. Why not? My name is not
Pen-chi. The Master was much impressed.
- Zen Mondo
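Pulling the thread's conclusions together as an added example (not Tillman's script): a backup wrapper that counts how many filesystems `mount` reports on the mount point before mounting, refuses to run when the point is already stacked, and is meant to be started through lockf(1) from the periodic entries so the daily, weekly and monthly jobs serialise instead of racing. The share, mount point, lock file and the sample `mount` output are constructed for the example, modelled on the output posted earlier in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: srvbackup.sh LEVEL  (LEVEL = daily|weekly|monthly)
#
# The periodic(8) cron entries start it through lockf(1) so that an overrunning
# daily job makes the weekly one bail out instead of stacking a second NFS
# mount on the same point (lock file name is made up):
#   lockf -t 0 /var/run/srvbackup.lock /usr/local/sbin/srvbackup.sh weekly
# (-t 0: fail at once if the lock is held rather than waiting for it)

SHARE_MP=/exports/srvbackup            # mount point listed in fstab (made up)

# Constructed `mount` output for the usage below, modelled on the thread:
# the same share stacked twice on one mount point.
SAMPLE_MOUNT_OUTPUT='/dev/ad0s1a on / (ufs, local)
devfs on /dev (devfs, local)
nas:/srvbackup on /exports/srvbackup (nfs)
nas:/srvbackup on /exports/srvbackup (nfs)'

# mount_count MOUNTPOINT  < mount-output
# Prints how many filesystems are mounted on MOUNTPOINT. Reads `mount`
# output on stdin so it can be checked against captured text. A trailing
# slash is tolerated: mount /x/ and mount /x both show up as /x.
mount_count() {
    mp=${1%/}
    [ -n "$mp" ] || mp=/
    awk -v mp="$mp" '$2 == "on" && $3 == mp { n++ } END { print n + 0 }'
}

# mount_once MOUNTPOINT: mount only if nothing is there yet; fail loudly if
# the point is already stacked, which is the case that corrupts the backups.
mount_once() {
    mp=$1
    n=$(mount | mount_count "$mp")
    case $n in
        0) mount "$mp" ;;
        1) echo "$mp already mounted; reusing the existing mount" >&2 ;;
        *) echo "$mp is mounted $n times over; refusing to run" >&2
           return 1 ;;
    esac
}

run_backup() {
    level=$1
    mount_once "$SHARE_MP" || return 1
    # Level-0 dump of the root filesystem, compressed onto the share
    # (-L snapshots the live filesystem, -a sizes the output automatically).
    # The pipeline's status is gzip's, so a write error on the share is caught.
    /sbin/dump -0Lauf - / | gzip > "$SHARE_MP/$(hostname).$level.dump.gz"
    rc=$?
    umount "$SHARE_MP"
    return $rc
}

case ${1:-} in
    daily|weekly|monthly) run_backup "$1" ;;
    '') ;;                                 # no argument: only define the functions
    *)  echo "usage: $0 daily|weekly|monthly" >&2; exit 64 ;;
esac
```

With the script invoked under `lockf -t 0`, a second job starting while the first still holds the lock exits immediately, and `mount_once` is the belt to that suspender if the mount is ever left behind by a crashed run.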


Re: NIS and Kerberos 5 : is it possible / smart?

2006-08-10 Thread Tillman Hodgson
  On 8/4/06, Garrett Cooper [EMAIL PROTECTED] wrote:
  Hi all,
  Just wondering if it's possible for NIS and Kerberos 5 to work in
  tandem with one another, such that NIS would handle groups and
  configuration file management and Kerberos would handle authentication
  only. Also, is this sort of overkill perhaps, where NIS is not really
  needed?
  I basically have 3+ machines (2 desktops, 1 laptop, currently), and
  I want to keep my credentials and information uniform across the
  machines as much as possible. The network I would be implementing this
  on is a low-traffic, private network.

(sorry for hijacking another person's reply, but I didn't have the
 original post available to reply to)

Kerberos works fine with NIS. It's more secure if you run both over
IPsec (host-to-host transport mode for the local network) because that
ensures that the NIS maps themselves maintain integrity (secrecy isn't
needed with them, integrity is), though it's not necessary for many
environments.

This has come up on these lists a few times in the past. Here are some
links to the threads in the archives:

http://lists.freebsd.org/pipermail/freebsd-questions/2003-September/018487.html
http://lists.freebsd.org/pipermail/freebsd-questions/2003-September/018838.html
http://archives.neohapsis.com/archives/freebsd/2003-09/0224.html

-T


-- 
Who would have suspected that life was all going to turn out well?
-- Robert Allen


Re: linux iproute2 replacement

2006-03-07 Thread Tillman Hodgson
On Tue, Mar 07, 2006 at 12:58:59PM +0200, Petre Bandac wrote:
 hallo
 
 I am trying to migrate a dual-homed linux box to freebsd; how can I
 achieve the src routing iproute2 does on freebsd ?

There isn't currently a direct routing equivalent. I cheat and use IPF
like so (the IPs are faked):

# source-IP routed traffic
# Note that the on 'interface' has to be the one with my default route
pass out quick on hme0 to tun6 from 10.0.0.3/24 to !192.168.0.0/16 keep state
block in on tun6 from any to 10.0.0.3/24 head 200
... group 200 rules follow ...

You can do the same with IPFW and PF.

-T


-- 
Immobility is often mistaken for peace.
- Emperor Elrood Corrino IX


Re: linux iproute2 replacement

2006-03-07 Thread Tillman Hodgson
On Tue, Mar 07, 2006 at 06:07:48PM +0200, Petre Bandac wrote:
 On Tue, 7 Mar 2006 09:49:51 -0600 Anno Domini, the honourable Tillman
 Hodgson wrote using one of his keyboards:
 
  On Tue, Mar 07, 2006 at 12:58:59PM +0200, Petre Bandac wrote:
   hallo
   
   I am trying to migrate a dual-homed linux box to freebsd; how can I
   achieve the src routing iproute2 does on freebsd ?
  
  There isn't currently a direct routing equivalent. I cheat and use
  IPF like so (the IPs are faked):
  
  # source-IP routed traffic
  # Note that the on 'interface' has to be the one with my default
  route pass out quick on hme0 to tun6 from 10.0.0.3/24
  to !192.168.0.0/16 keep state block in on tun6 from any to
  10.0.0.3/24 head 200 ... group 200 rules follow ...
  
  You can do the same with IPFW and PF.

 <shameless>hoping for a full solution :)</shameless>

I seem to recall that it was on Andre's to-do list of network
improvements. I have no idea where that's at, though. I'd also love a
full set of policy routing capabilities ... enough rope to do something
silly, at least ;-)

 can it be done only with ipfw ? if yes, how ?

With the fwd keyword, as per the man page.

-T


-- 
The future arrives one day at a time. It's like the frog in the pot.
-- Ernest Lilley


Re: Heimdal Key Table Entry Not Found

2006-02-26 Thread Tillman Hodgson
On Sun, Feb 26, 2006 at 10:08:53AM -0800, Jason C. Wells wrote:
 I am not able to use heimdal kerberos telnetd on FreeBSD-6 to provide 
 remote access to a host.  I get this error from my Kermit client:
 
   Kerberos authentication failed!
   Kerberos V5 refuses authentication because
   Read req failed: Key table entry not found
 
 The keytab has been extracted to the service host. (see below)
 
 I am thinking that there might be some sort of hard to find 
 incompatibility or encryption type issue with Heimdal and MIT.  That or 
 there is some stupid detail that I have missed.  I would have expected 
 Heimdal to be a drop in replacement for MIT kerberos.  A full 
 transcript is provided below if the problem is not obvious.
 
 I am successfully running MIT KDCs and have been for years.  All my 
 other MIT kerberized hosts function correctly.
 
 Any idea what I might be missing?

http://www.seekingfire.com/projects/kerberos/tips.html

It's very likely a name resolution problem:

All hosts in your realm must be resolvable (both forwards and reverse)
 in DNS (or /etc/hosts as a minimum). CNAMEs will work, but the A and PTR
 records must be correct and in place. The error message isn't very
 intuitive: Kerberos V5 refuses authentication because Read req failed:
 Key table entry not found. This same error message can also result if
 you use the [domain_realms] stanza in your krb5.conf and the host isn't in
 the right domain. For example, if you have a host server.example.org and
 your domain_realms section says that example.org = EXAMPLE.ORG but the
 host server is actually in realm OTHER.REALM, you'll get this error. You
 can override the realm for a specific host in the domain_realms section
 like so: server.example.org = OTHER.REALM.

-T


-- 
Belief gets in the way of learning.
-- Robert Heinlein


Re: 10 years of The Complete FreeBSD

2006-02-23 Thread Tillman Hodgson
On Fri, Feb 24, 2006 at 11:30:27AM +1030, Greg 'groggy' Lehey wrote:
 Ten years ago today, on 24 February 1996, I submitted for publication
 the final version of the first ever book on FreeBSD, Installing and
 Using FreeBSD.  It was later renamed to The Complete FreeBSD.
 
 I have always retained full rights to the book, and for today I've
 decided to release it for download under the Creative Commons
 license.  See more at http://www.lemis.com/grog/Documentation/CFBSD/.

Thank you Greg, I appreciate your gift to the community.

I have a copy of the 4th Edition (O'Reilly Community Press version) on
the O'Reilly shelf in my computer room and it's proven valuable many
times. I wish the 10th anniversary edition well and that the
community shares back :-)

-T


-- 
There will come a time when you believe everything is finished.
 That will be the beginning.
-- Louis L'Amour


Re: Compaq ProLiant 1600 server freezes when detecting keyboard

2006-02-02 Thread Tillman Hodgson
On Thu, Feb 02, 2006 at 08:21:12AM -0500, Shaun Heroux wrote:
 Wondering if you can give me any advice here...
 
 I'm having the same issues installing FreeBSD / 6.0
 Is there any way I can install 6.0 by disabling usb probing?
 Did you first install 5.4-release and then cvsup to 6.0-release?

See the freebsd-current@freebsd.org archives for:

Date: Fri, 2 Dec 2005 16:24:16 -0600
From: Tillman Hodgson [EMAIL PROTECTED]
Subject: Re: Compaq ProLiant 1600 server freezes when detecting keyboard 
controller

Basically, you need to build a kernel without the uhci device and boot
with that.

-T


-- 
Sysadmin Tip of the Day: Critical production machines should not be
mislabeled.  Particularly not something like, spare.
-- Matthew Crosby


Re: Compaq ProLiant 1600 server freezes when detecting keyboard

2006-01-10 Thread Tillman Hodgson
On Tue, Jan 10, 2006 at 12:35:32PM +0200, Ertan Küçükoğlu wrote:
 Good news,
 
 System boots flawlessly after removing USB and Firewire in GENERIC kernel.

[My apologies for not jumping into this thread early, in spite of
 Ertan's polite email of inquiry. Vacations, yada yada etc :-).]

I can confirm this too. After my last go-around with this box I was able
to get it running by removing uhci:

[EMAIL PROTECTED] /usr/src/sys/i386/conf]# uname -a
FreeBSD thoth.seekingfire.com 7.0-CURRENT FreeBSD 7.0-CURRENT #0: Thu
Dec 29 22:27:03 CST 2005
[EMAIL PROTECTED]:/usr/obj/usr/src/sys/THOTH  i386

[EMAIL PROTECTED] /usr/src/sys/i386/conf]# grep '###' THOTH
###device   uhci# UHCI PCI-USB interface

(### is the symbol I use for something that's been commented out for
important reasons, so I don't later on mess with it)

However, I'm occasionally seeing the box spontaneously reboot:

[EMAIL PROTECTED] /usr/src/sys/i386/conf]# uptime
 8:43AM  up 17:42, 2 users, load averages: 0.01, 0.01, 0.06

It's not all that often, though I can occasionally trigger it with a
buildworld/buildkernel (which is what killed it yesterday).

[EMAIL PROTECTED] /var/crash]# ls -l | grep Jan
-rw-r--r--  1 root  wheel          2 Jan  9 15:01 bounds
-rw-------  1 root  wheel        451 Jan  9 15:01 info.6
-rw-------  1 root  wheel  268042240 Jan  9 15:02 vmcore.6

Debugging and invariants are turned off in the kernel, and I currently
lack the knowledge to do much with the vmcore in any case :-)

The crashes are very likely unrelated to the usb problem (this box also
runs pf and ipsec, either of which could be unhappy). I'm interested in
hearing about stability of other 1600Rs under load.

-T


-- 
The truth of a proposition has nothing to do with its credibility.
 And vice versa.
-- Robert Heinlein


Trouble connecting OS X 10.4.1 client to FreeBSD -current (on sparc64) mpd server for pptp tunneling

2005-07-06 Thread Tillman Hodgson
Howdy,

I've been googling for information about getting a Mac OS X client (a
powerbook running 10.4.1) to work with a VPN server of some sort on
FreeBSD (-current as of April 25 running on sparc64). The VPN server has
a static IP and acts as a firewall and BGP/OSPF router as well (over
tunnels to other internal networks, not to the outside world).

I've tried sl2tps but rapidly gave up on it -- no real documentation and
it appears to be an abandoned project. I've also tried OpenVPN (which is
my preferred solution, detailed at http://metanetwork.seekingfire.com
if you're curious) but OS X support appears to be weak. While I can get
the tunnel up and running manually, my normal OpenVPN practice of
running OSPF on the client isn't an option for the OS X road-warrior
case that I have. The GUI doesn't like the Spotlight position on the
menu bar and appears to be a semi-abandoned project (I had to dig
through an archived older version of the web page to get it).

So I tried mpd to implement PPTP. In theory, with native OS X support
and proxy-arp replacing OSPF (no dynamic routing needed if I think I'm
local) this looked like the ticket. I ran into what appears to be the
same issue that Robert Watson posted to freebsd-questions@ about May 5 2004:
http://lists.freebsd.org/pipermail/freebsd-questions/2004-May/045705.html

I get 10 attempts to SendConfigReq and then negotiation fails.

***snip***
[pptp1] IPCP: SendConfigReq #10
 IPADDR 192.168.23.30
 COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[pptp1] CCP: SendConfigReq #10
[pptp1] CCP: Checking whether 40 bits are enabled - yes
[pptp1] CCP: Checking whether 56 bits are enabled - no
[pptp1] CCP: Checking whether 128 bits are enabled - yes
 MPPC
   0x:
[pptp1] IPCP: state change Req-Sent -- Stopped
[pptp1] IPCP: LayerFinish
[pptp1] IPCP: parameter negotiation failed
[pptp1] IPCP: LayerFinish
***snip***

Has anyone gotten mpd working with OS X and could share their config
files and setup with me? Alternatively, has anyone gotten any other
sort of decent tunneling for OS X - FreeBSD infrastructure in place
that could share what they're running and their experiences with setting
it up?

Thanks muchly,

-T


-- 
We tend to become like the worst in those we oppose.
- Bene Gesserit Coda


Re: Kerberos

2005-05-10 Thread Tillman Hodgson
On Mon, May 09, 2005 at 05:44:23PM -0700, Damian Sobieralski wrote:
  Look into the GSSAPI options for /etc/ssh/ssh_config instead. 
  Newer OpenSSH versions support Kerberos natively and 
  don't need PAM hacks.
 
  Thanks Tillman! I was using PAM only based on someone's
 recommendation. As I've already admitted limited kerberos knowledge, I
 didn't know enough to question this approach. Based on your advice,
 I'll look into GSSAPI and I'll post my results to the group.  :-)

As a get you started hint, set these in your ssh_config on the client
hosts:

 GSSAPIAuthentication yes
 GSSAPIDelegateCredentials yes

And these in the sshd_config in the destination hosts:

 GSSAPICleanupCredentials yes
 GSSAPIAuthentication yes

Then obtain a valid ticket with kinit and test OpenSSH with:

ssh -vvv -o PreferredAuthentications=gssapi-with-mic hostname.domain.tld

(We're specifying the auth option explicitly to avoid things like
 pubkey, etc. You won't need to do this in the Real World once it's
 been confirmed to be working.)

A successful login displays this in the output:

debug1: Authentications that can continue: 
publickey,gssapi-with-mic,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Authentication succeeded (gssapi-with-mic).

Note that OpenSSH doesn't appear to be very smart about handling
multi-homed hosts, so expect to run into difficulties in that situation
(one of the reasons that I just use `telnet -x` instead).

-T


-- 
Waking a person unnecessarily should not be considered a capital crime.
 For a first offense, that is.
-- Robert Heinlein
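Both this message and the earlier "Kerberos* is not what you want" exchange come down to which sshd_config keywords are actually in effect. As an added example (not from the thread, and not an OpenSSH tool): a small POSIX shell/awk reader that reports the effective value of an sshd_config keyword the way sshd resolves it, first occurrence wins, `Keyword=value` is accepted, and anything after a `Match` line applies only to that block, and a check that flags a config relying on the Kerberos* options without GSSAPIAuthentication. The sample configs in the usage are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): read an sshd_config and report whether
# Kerberos logins will go through GSSAPI (what the thread recommends) or are
# only configured via the Kerberos* options (which validate a typed password
# against the KDC and do not use the user's ticket).

# sshd_opt KEYWORD < sshd_config
# Prints the effective value of KEYWORD in lower case, or nothing if unset.
# sshd keeps the first value it sees for a keyword; keywords are
# case-insensitive; options after a Match line are conditional, so stop there.
sshd_opt() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0 { next }         # comments and blank lines
        { sub(/=/, " "); k = tolower($1) }     # allow "Keyword=value" form
        k == "match" { exit }                  # conditional block: stop
        k == key { print tolower($2); exit }   # first occurrence wins
    '
}

# check_gssapi FILE: 0 if GSSAPIAuthentication is on, 1 otherwise,
# with a hint when only the Kerberos* options were set.
check_gssapi() {
    cfg=$1
    gss=$(sshd_opt GSSAPIAuthentication < "$cfg")
    krb=$(sshd_opt KerberosAuthentication < "$cfg")
    cleanup=$(sshd_opt GSSAPICleanupCredentials < "$cfg")

    if [ "$krb" = yes ] && [ "$gss" != yes ]; then
        echo "$cfg: KerberosAuthentication is set but GSSAPIAuthentication is not;" \
             "Kerberos* only checks a typed password against the KDC." \
             "Set 'GSSAPIAuthentication yes' for ticket-based logins." >&2
    fi
    if [ "$gss" != yes ]; then
        echo "$cfg: GSSAPIAuthentication is '${gss:-unset}' (sshd default: no)" >&2
        return 1
    fi
    echo "$cfg: GSSAPIAuthentication yes," \
         "GSSAPICleanupCredentials ${cleanup:-unset (sshd default: yes)}"
    return 0
}

# Usage: check_gssapi /etc/ssh/sshd_config
if [ $# -gt 0 ]; then
    check_gssapi "$@"
fi
```

Run it against the destination host's sshd_config before the `ssh -vvv -o PreferredAuthentications=gssapi-with-mic` test; if it reports GSSAPIAuthentication unset, the debug output will never reach "Next authentication method: gssapi-with-mic".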


Re: Kerberos

2005-05-09 Thread Tillman Hodgson
On Mon, May 09, 2005 at 08:53:21AM -0700, Damian Sobieralski wrote:
  PAM does not map well to Kerberos, unfortunately. Generally speaking
  you want to avoid PAM with Kerberos if you can possibly use native
  Kerberos
  :-)
 
  It seems my ignorance is kicking in here- how would they log into the
 machine first, to issue kinit/native if I don't use PAM to get them
 INTO the machine? 

Using Kerberos-native login binaries, for example. Once logged in,
connecting to other hosts is done using Kerberos-native applications
like telnet -x, SSH with GSSAPI, etc. A well-written PAM module can also
work here, but generally should be avoided for network services.

The problem is that PAM basically assumes a username/password pair.
Kerberos doesn't give you that with network services.

  I just modified the /etc/pam.d/sshd file (only using kerberos for
 sshd):

Look into the GSSAPI options for /etc/ssh/ssh_config instead. Newer
OpenSSH versions support Kerberos natively and don't need PAM hacks.

-T


-- 
Laws to suppress tend to strengthen what they would prohibit.  This is the fine 
point on which all the legal professions of history have based their job 
security.
- Bene Gesserit Coda


Re: Kerberos 5

2005-05-05 Thread Tillman Hodgson
On Wed, May 04, 2005 at 02:33:30PM -0700, Damian Sobieralski wrote:
 
   I have a fairly weird question for the group.  I recently set up a
 FreeBSD 5.3 box to use pam_krb5 for sshd authentication. It worked
 great.  I created a local workstation user via adduser and when it came
 time for the password based question, I selected no.  So when I logged
 in, I typed klist and got some verbiage back about my ticket in /tmp.
 
  I rebuilt the box and although I can log into the box, when I type
 klist now I get:
 
 klist: No ticket file: /tmp/krb5cc_0
 
 Or some variation of the ticket file name.  It authenticates me okay
 via Kerberos or I couldn't get logged in, but any idea why this might
 happen?  

How did you confirm that you were authenticating via Kerberos?

Do you have an environment variable like KRB5CCNAME set anywhere?

Which Kerberos are you talking about? The limited Heimdal in the base
OS, the full Heimdal port or the MIT port? Do you have more than one in
use and are perhaps running into path issues (running a different
program than you think you're running)?

  BTW- I read online that storing tickets like this (in /tmp) is
 potentially a security risk for a server so the thought was to change
 it to home directory tickets like the website recommends.

It depends. In my environment, /home is NFS mounted. This is a Very Bad
Thing for Kerberos tickets. In my case, each computer is basically a
single-user workstation and /tmp actually is safer than /home.

-T


-- 
Beauty is not diminished by being shared.
-- Robert Heinlein
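Since the thread turns on where the ticket cache lives and whether /tmp is safe for it, here is an added example (not from the post, not part of any Kerberos distribution) that resolves the cache path the way the libraries do, KRB5CCNAME first and then /tmp/krb5cc_<uid>, and checks that the file is private to its owner. A ticket cache is a bearer credential, so the practical question about "tickets in /tmp" is who can read the file. Function names are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not from the thread: find the credential cache the way the
# Kerberos libraries do and check that nobody else can read it.
# Function names are constructed for illustration.

# Print the cache path klist/kinit would use for uid $1 (default: id -u).
krb5_ccache_path() {
    uid=${1:-$(id -u)}
    case ${KRB5CCNAME:-} in
        '')     echo "/tmp/krb5cc_$uid" ;;          # library default
        FILE:*) echo "${KRB5CCNAME#FILE:}" ;;       # explicit file cache
        *)      echo "$KRB5CCNAME" ;;               # bare path, or another cache type
    esac
}

# Return 0 when $1 exists, is owned by uid $2 (default: id -u) and has no
# group/other permission bits; 1 otherwise. Works with BSD and GNU stat.
krb5_ccache_private() {
    f=$1; want_uid=${2:-$(id -u)}
    [ -f "$f" ] || return 1
    if stat --version >/dev/null 2>&1; then
        set -- $(stat -c '%a %u' "$f")      # GNU: octal mode, owner uid
    else
        set -- $(stat -f '%Lp %u' "$f")     # BSD: low permission bits, owner uid
    fi
    mode=$1; owner=$2
    [ "$owner" = "$want_uid" ] || return 1
    case $mode in
        ?00|00|0) return 0 ;;               # 600, 400, 000: owner only
        *)        return 1 ;;
    esac
}

# --- stand-alone demo ---
cc=$(krb5_ccache_path)
if krb5_ccache_private "$cc"; then
    echo "ccache $cc is private to uid $(id -u)"
else
    echo "WARNING: ccache $cc is missing or readable by others"
fi
```

On an NFS-mounted home directory the same check passes locally while the file still crosses the wire in the clear, which is the point made above about preferring /tmp on a single-user workstation.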


Re: Kerberos 5

2005-05-05 Thread Tillman Hodgson
On Thu, May 05, 2005 at 10:11:30AM -0700, Damian Sobieralski wrote:
 Followup up:
 
  If AFTER I log in, I issue  kinit and type my password in. Now when I
 do a klist I get ticket information.  Shouldn't the pam module do this 
 automatically (call kinit)?

PAM does not map well to Kerberos, unfortunately. Generally speaking you
want to avoid PAM with Kerberos if you can possibly use native Kerberos
:-)

I haven't used pam_krb5 in a long time, but perhaps I can help debug
things. Can you post your PAM configure for however it is that you're
logging in? (SSH, local console, kerberos telnet, etc). The ccache=
option to the PAM module looks applicable, for example.

-T


-- 
Do not meddle in the affairs of sysadmins, for they can make your life
miserable by doing nothing.


Proper way to add 3rd party milters?

2005-03-23 Thread Tillman Hodgson
Howdy folks,

I'm looking at some milters that would be very useful to my mail
architecture (milter-ahead is one I'm looking at deploying very soon).

What's the best way to add 3rd-party milters so that it's still
maintainable? I'm thinking of writing a port around it (using
mail/rbl-milter) because I could then use the ports infrastructure to
upgrade. Does this method work well when using milters with the sendmail
in the base OS? What are other folks doing to solve this sort of
problem?

-T

-- 
Truth suffers from too much analysis.
- Ancient Fremen Saying


Re: ksu doesn't use my ticket

2005-03-19 Thread Tillman Hodgson
On Sat, Mar 19, 2005 at 01:53:58PM -0600, Kirk Strauser wrote:
 I have a working kdc on my LAN and use OpenSSH's gssapi-with-mic 
 authentication to connect to other machines.  However, I can't 
 use /usr/bin/ksu to su to root without entering root's password, even if I 
 have a current, valid ticket and am listed in root's .k5login;

The ksu from the mit-krb5 port works the way you expect it to.

-T


-- 
You can have peace. Or you can have freedom. Don't ever count on having
 both at once.
-- Robert Heinlein


Re: ksu doesn't use my ticket

2005-03-19 Thread Tillman Hodgson
On Sat, Mar 19, 2005 at 08:53:18PM -0600, Kirk Strauser wrote:
 On Saturday 19 March 2005 02:22 pm, Tillman Hodgson wrote:
 
  The ksu from the mit-krb5 port works the way you expect it to.
 
 Thanks for the info.  Any idea why the one in the base system wouldn't, 
 though?  I'm loathe to replace the working installation if I don't have to.

No need to replace it -- mit-krb5 installs into /usr/local (unless you
move it with /etc/make.conf). It won't overlap with your base system
Kerberos bits at all. Then, once it's installed, you can
alias ksu='/usr/local/bin/ksu'.

The Heimdal in the base system isn't complete in any case, so if you
decide to go whole-hog for Kerberos you'll want one of (or both of) the
ports installed.

-T

-- 
Beauty is not diminished by being shared.
-- Robert Heinlein


Re: kerberos problems

2005-03-13 Thread Tillman Hodgson
On Sun, Mar 13, 2005 at 03:38:46PM -, [EMAIL PROTECTED] wrote:
I followed the handbook guide to setting it up, and it all seems to be
 working ok. I have now setup telnetd as described to test how it is
 working. If I have done a kinit previously, it will log in no problem,
 but if I do not do a kinit (or do a kdestroy beforehand) I get -
 
 kerberos V5: mk_req (No Such File or directory).
 
Any ideas?

That sounds like it's working normally. Without a valid ticket (as shown
by `klist`), which is cached in a file, services like telnet which use
Kerberos won't authenticate you.

If I'm misunderstanding the problem you're describing, please add some
more detail as to what you expected to have happen and how reality
differed :-)

-T


-- 
Page xxviii: More than any other computer system today, Unix will repay
every moment that you spend learning and experimenting.
- Harley Hahn, _The Unix Companion_


Re: kerberos problems

2005-03-13 Thread Tillman Hodgson
On Sun, Mar 13, 2005 at 05:30:09PM -, [EMAIL PROTECTED] wrote:
 what I was assuming would happen when I try to telnet in without a ticket
 (i.e. with running kinit) was that I would get asked for a
 username/password, and then I would get issued a ticket, rather than
 manually having to kinit first.

That would require every client application, like telnet, to support
kinit functionality.

Think of kinit as logging onto the network, something that must be
performed in a secure way only once per work session.

-T


-- 
Zen is like looking for spectacles that are sitting on your nose.
- Zen saying


Re: WEIRD: telnet

2005-02-13 Thread Tillman Hodgson
On Sun, Feb 13, 2005 at 09:22:45AM -0600, Chris wrote:
 2. Telnet passes clear text no matter what.

Not in a Kerberos environment it doesn't, nor in an transport-mode IPsec
environment.

Related to that is connections where transport-level encryption
typically doesn't matter:  connecting over a cross-over cable is one
example.

 3. ssh ought to be used to replace Telnet whenever possible.

s/whenever possible/where it makes sense/.

-T


-- 
1. Get enough food to eat, and eat it.
2. Find a place to sleep where it is quiet, and sleep there.
3. Reduce intellectual and emotional noise until you arrive at the silence of
   yourself, and listen to it.
4.
- Richard Brautigan


Re: Username and password limits

2005-01-24 Thread Tillman Hodgson
On Mon, Jan 24, 2005 at 04:00:55PM -0800, Sean Murphy wrote:
 Sorry eight for password as well.
 Does any know the limits for FreeBSD?

man 1 passwd says

The new password should be at least six characters long (which may be
overridden using the login.conf(5) ``minpasswordlen'' setting for a
user's login class) and not purely alphabetic.  Its total length must be
less than _PASSWORD_LEN (currently 128 characters).

-T


-- 
Truth is a chameleon.
- Zensunni Aphorism


Re: FreeBSD 5.3 I/O Performance / Linux 2.6.10

2005-01-21 Thread Tillman Hodgson
On Fri, Jan 21, 2005 at 03:20:58PM -0700, Nick Pavlica wrote:
 To be sure that I was using up to date versions of each OS I performed
 a cvsup and rebuilt the kernel (GENERIC) during the FBSD setup, and a
 yum update on the Linux install.

Most likely unrelated to your performance question, but you generally
don't want to update only your kernel on FreeBSD. The userland and
kernel should normally be in sync.

-T


-- 
If enlightenment is not where you are standing, where will you look?
- Zen saying


Re: openvpn?

2005-01-20 Thread Tillman Hodgson
On Thu, Jan 20, 2005 at 09:11:10PM -0500, Shawn wrote:
 I have been attempting to get OpenVPN working on my FreeBSD 4.11 Alpha 
 machine. So far I have done the following..
 
 I did the make install for /usr/ports/security/openvpn/
 
 Where it uses SSL, I'm trying to understand the config file for 
 /etc/ssl/openssl.cnf. After an attempted figure change I try to generate 
 the keys..
 
 I create a master certificate authority certificate/private-key
 
 *openssl req -nodes -new -x509 -keyout shawng-ca.key -out shawng-ca.crt 
 -days 3650*

I might be missing something, but why are you using openssl directly? If
you just want shared keys,
`openvpn --secret /path/to/where/you/want/private/key --genkey` is
probably all you need to do.

-T


-- 
If you are not happy here and now, you never will be.
Taisen Deshimaru


Re: Upgrade to Courier 4.0.1?

2005-01-10 Thread Tillman Hodgson
On Mon, Jan 10, 2005 at 01:44:57PM -, Scott Bye wrote:
 I updated to this via ports, and the services appear to be running and
 listening for connections.
 
 However, if I connect to them, I get disconnected immediately, and
 nothing appears to be logged for any of the services.

I'm encountering the same thing:

$ telnet athena 110
Trying 192.168.23.3...
Connected to athena.seekingfire.prv (192.168.23.3).
Escape character is '^]'.
Connection closed by foreign host.

$ telnet athena 143
Trying 192.168.23.3...
Connected to athena.seekingfire.prv (192.168.23.3).
Escape character is '^]'.
Connection closed by foreign host.

I've just started digging into it, I'll post again if I run across
anything interesting.

-T


-- 
If you scramble about in search of inner peace, you will lose your inner
peace.
Lao-Tzu


Re: Upgrade to Courier 4.0.1?

2005-01-10 Thread Tillman Hodgson
On Mon, Jan 10, 2005 at 11:19:26AM -0600, Tillman Hodgson wrote:
 On Mon, Jan 10, 2005 at 01:44:57PM -, Scott Bye wrote:
  I updated to this via ports, and the services appear to be running and
  listening for connections.
  
  However, if I connect to them, I get disconnected immediately, and
  nothing appears to be logged for any of the services.
 
 I'm encountering the same thing:
 
 $ telnet athena 110
 Trying 192.168.23.3...
 Connected to athena.seekingfire.prv (192.168.23.3).
 Escape character is '^]'.
 Connection closed by foreign host.
 
 $ telnet athena 143
 Trying 192.168.23.3...
 Connected to athena.seekingfire.prv (192.168.23.3).
 Escape character is '^]'.
 Connection closed by foreign host.
 
 I've just started digging into it, I'll post again if I run across
 anything interesting.

In my case, it looks like /usr/local/etc/rc.d/courier-authdaemond.sh
actually wants to see courier_authdaemond_enable="YES" in /etc/rc.conf
now. Will wonders never cease :-)

-T


-- 
There is no such thing as 'social gambling.' Either you are there to
 cut the other bloke's heart out and eat it -- or you're a sucker. If
 you don't like this choice -- don't gamble.
-- Robert Heinlein


Re: grep help

2005-01-05 Thread Tillman Hodgson
On Wed, Jan 05, 2005 at 08:27:51PM -0800, Jay O'Brien wrote:
 I want to look at all of the lines in a FreeBSD log file that do not 
 have an entry from an IP, example 1.2.3.4.  Some basic help with the 
 use of grep would be appreciated. This is one of the arguments I've 
 tried that didn't work:
 
 grep ^[^1.2.3.4]*$ logfile.log 

I like `grep -v` for not operations. Also note that . is itself a
special character.

  grep -v 1\.2\.3\.4 logfile.log

might be closer to what you want.

-T


-- 
'Way back, I set myself to be a happy man, and made it.
-- Louis Armstrong
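An added example (not from the thread) that runs the three obvious filters side by side on a constructed log, because the differences only show up on the awkward lines. Escaping the dots, as in the reply above, stops '.' from matching any character, but it is still a substring match, so 11.2.3.4 and 1.2.3.45 are dropped as well; `grep -F -w` takes the pattern literally and requires a whole word. Function names and the log lines are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not from the thread: excluding lines that mention one IP,
# with the two classic false matches handled. Function names and the sample
# log are constructed for illustration.

# Count the lines that survive each filter: $1 = naive|escaped|word,
# $2 = the IP, $3 = log file.
count_kept() {
    ip=$2; file=$3
    case $1 in
        naive)   grep -vc -- "$ip" "$file" ;;                  # '.' is a wildcard here
        escaped) esc=$(printf '%s' "$ip" | sed 's/\./\\./g')
                 grep -vc -- "$esc" "$file" ;;                 # literal dots, substring match
        word)    grep -vc -F -w -- "$ip" "$file" ;;            # literal, whole word only
        *)       echo "usage: count_kept naive|escaped|word IP FILE" >&2; return 2 ;;
    esac
}

# The filter you actually want: every line that does not mention $1 as a
# whole word, taken literally.
lines_without_ip() {
    ip=$1; shift
    grep -v -F -w -- "$ip" "$@"
}

# Constructed sample log written to $1; only the first line is really
# about 1.2.3.4, the next three are decoys.
write_demo_log() {
    cat > "$1" <<'EOF'
Jan  5 20:01:01 host sshd[100]: Accepted publickey for tim from 1.2.3.4 port 5000
Jan  5 20:01:02 host sshd[101]: Failed password for root from 11.2.3.4 port 5001
Jan  5 20:01:03 host sshd[102]: Failed password for root from 1.2.3.45 port 5002
Jan  5 20:01:04 host sshd[103]: Invalid user 1x2x3x4 from 10.0.0.9 port 5003
Jan  5 20:01:05 host sshd[104]: Accepted publickey for tim from 10.0.0.1 port 5004
EOF
}

# --- stand-alone demo ---
demo_log=$(mktemp)
write_demo_log "$demo_log"
for variant in naive escaped word; do
    printf '%-8s keeps %s of 5 lines\n' "$variant" "$(count_kept "$variant" 1.2.3.4 "$demo_log")"
done
lines_without_ip 1.2.3.4 "$demo_log"
rm -f "$demo_log"
```

On the sample the naive pattern keeps 1 line, the escaped pattern 2, and the literal whole-word filter the 4 lines that genuinely do not involve 1.2.3.4.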


Re: How to edit file in single user mode

2004-12-01 Thread Tillman Hodgson
On Wed, Dec 01, 2004 at 06:03:05PM -0600, Kevin D. Kinsey, DaleCo, S.P. wrote:
 There was some discussion on the lists (IIRC) a while back
 on the idea of building a small editor binary that you like
 (trying to remember some of the possibilities: zed, ved, led,
 sted, (but not ted), ee (already in the base system), pico, nano,
 nah, can't really remember :- ) and cp'ing it to /bin in preparation
 for just such an emergency.  With root partitions {generally}
 being a tad larger these days than in the elder times, it might
 be a feasible idea...I'm pretty sure *someone* out there has
 tried it.  Come to think of it, I may. :-)

On i386 platforms, I build a copy of e3vi from ports and cp it to
/root/bin. It's 12.8k (!) and, as long as you don't get too fancy, it's
a reasonable vi clone.

Saved my bacon a few times already.

-T


-- 
If you can spend a perfectly useless afternoon in a perfectly useless manner,
you have learned how to live.
Lin Yu-T'ang


Re: Setting SCSI bus options before reaching fsck at boot time

2004-11-13 Thread Tillman Hodgson
On Fri, Nov 12, 2004 at 11:28:18PM -0600, Dan Nelson wrote:
 In the last episode (Nov 12), Tillman Hodgson said:
  I'd like to find a way to have camcontrol (or some other mechanism)
  set the SCSI bus speed on this particular SCSI chain early in the
  boot process, /before/ it encounters fsck and thus trips over its
  own feet in bus resets.
 
 Since camcontrol is in /sbin, you can just add a line to the top of
 /etc/rc.  A cleaner solution would be to write a small /etc/rc.d/
 script and add a BEFORE: fsck line so it gets run before fsck.

That seemed like a reasonable approach, so I took a stab at it.
Unfortunately, I haven't worked with custom RCng scripts before and I
can't seem to get the script to run.

Here's what I have (blank lines removed to save some space):

#!/bin/sh
#
# PROVIDE: camcontrol_start
# REQUIRE: disks
# BEFORE: bgfsck
. /etc/rc.subr
name="camcontrol_tillman"
rcvar=`set rcvar`
start_cmd="camcontrol_start"
stop_cmd=":"
camcontrol_start()
{
echo -n "camcontrol_tillman has started "
echo -n "da0 "
camcontrol negotiate da0 -R10 -a -q
# ... (repeated for da1 through da6 (it's a 7 bay JBOD tower)) ...
info "camcontrol_tillman has finished"
}
load_rc_config $name
run_rc_command "$1"

I also have the following in /etc/rc.conf:

### Tillman's custom RCng scripts
camcontrol_tillman_enable="YES"

When I run the following by hand, it works:

[EMAIL PROTECTED] camcontrol negotiate da6 | grep freq
(pass6:sym1:0:6:0): frequency: 20.000MHz
[EMAIL PROTECTED] camcontrol negotiate da6 -R10 -q -a
[EMAIL PROTECTED] camcontrol negotiate da6 | grep freq
(pass6:sym1:0:6:0): frequency: 10.000MHz

Yet when I run `/etc/rc.d/camcontrol_tillman start` (or even
forcestart), all I get is:

[EMAIL PROTECTED] /etc/rc.d/camcontrol_tillman forcestart
# camcontrol_tillman

Aside from the echo statements not outputting anything, a quick check
confirms that it really didn't do anything:

[EMAIL PROTECTED] camcontrol neg da5 | grep freq
(pass5:sym1:0:5:0): frequency: 20.000MHz

I'm assuming that I just don't understand something relatively simple
about the RCng system and that the script is missing something
relatively minor. Anyone care to enlighten me?

-T


-- 
The important thing is not to stop questioning. Curiosity has its own reason
 for existing.
-- Albert Einstein


Setting SCSI bus options before reaching fsck at boot time

2004-11-12 Thread Tillman Hodgson
Howdy folks,

I have a SCSI controller (the external 68-pin high density connector on
a Compaq Proliant 1600) that seems to ignore its own settings when I
throttle its bus speed down. This is a problem, as I'm running into
/many/ SCSI bus reset problems with this ancient DEC 7-bay JBOD tower
that I'm playing with. The problems go away when I use
`camcontrol negotiate -R 10 da0` to drop the bus freq to 10MHz from
20MHz and I'd hoped to simply set the controller to that speed. No love,
sigh. FreeBSD comes up and the drives are at 20MHz:

da0: 40.000MB/s transfers (20.000MHz, offset 15, 16bit), Tagged Queueing Enabled

I'd like to find a way to have camcontrol (or some other mechanism) set
the SCSI bus speed on this particular SCSI chain early in the boot
process, /before/ it encounters fsck and thus trips over its own feet
in bus resets. If it matters, the SCSI controller shows in dmesg as:

sym1: 875 port 0x3400-0x34ff mem 0xc6efe000-0xc6efefff,0xc6efde00-0xc6efdeff 
irq 10 at device 9.1 on pci1
sym1: No NVRAM, ID 7, Fast-20, SE, parity checking
sym1: [GIANT-LOCKED]

Any pointers?

-T


-- 
Keeping UUCP running is starting to seem a lot like keeping a 130-year-
old man who smokes 4 packs a day on life support because he's the last
person on Earth who knows how to do the cha-cha, but he won't tell anyone.
- A.S.R. quote (Ryan Tucker)


Re: sun box

2004-10-28 Thread Tillman Hodgson
On Thu, Oct 28, 2004 at 01:16:10PM -0400, Kimberley Chrona wrote:
 Hi there
  
 Two very simple questions, can I run FreeBSD on a Sun box and is it
 possible to run BSD on VMware

I can't speak to VMware, but you can run FreeBSD on some types of Sun
gear (I'm running it on an Ultra 5, for example). See
http://www.freebsd.org/platforms/sparc.html for details.

-T


-- 
Page 491: If you want to master emacs, it helps to believe in
reincarnation, because there is no way you are going to learn it all in
a single lifetime.
- Harley Hahn, _The Unix Companion_


Re: getloadavg and source for /usr/bin/uptime

2004-10-27 Thread Tillman Hodgson
On Wed, Oct 27, 2004 at 11:09:46PM +0100, David Jenkins wrote:
 NB - I don't want to pipe uptime into awk or use a perl script etc,
 I'd much prefer it to be C based.

If you *did* want to do it that way, something like

  uptime | sed -e 's/.*: \([0-9.]*\).*/\1/'

is handy.

 If any knows where it's hiding (or why it's not there) I'd be very
 grateful if you could share it with me.

Probably because /usr/bin/uptime is a hard link to the /usr/bin/w
binary. I think you want the code from /usr/src/usr.bin/w/w.c.

-T


-- 
It is not always the same thing to be a good man and a good citizen.
-- Nicomachean Ethics, 325 B.C. by Aristotle


Re: topposting (was: colourization in ls command)

2004-10-13 Thread Tillman Hodgson
On Wed, Oct 13, 2004 at 01:58:28PM +0100, Simon Burke wrote:
 It may also help if you put the good ole 'hyphen hyphen space enter';
 decent e-mail clients should see this as the start of a sig and will
 remove anything below it. I know Thunderbird and even Gmail do, so
 it tidies up the default sig at the end of each post.

For those using Mutt with Vim as their editor, toss this into your
.vimrc:

" Delete quoted .sig's
au BufRead /tmp/mutt-* normal :g/^> -- .*/,/^$/-1d

to accomplish roughly the same thing.

-T


-- 
There is no such thing as 'social gambling.' Either you are there to
 cut the other bloke's heart out and eat it -- or you're a sucker. If
 you don't like this choice -- don't gamble.
-- Robert Heinlein


Apache13+static modperl+modssl?

2004-10-12 Thread Tillman Hodgson
Howdy,

How does one get Apache compiled with both a statically compiled modperl
(required for www/bricolage) as well as modssl?

I see a www/apache13-modssl and a www/apache13-modperl, but spelunking
through the Makefiles for either doesn't reveal a knob that enables the
other option.

-T


-- 
Give me the judgment of balanced minds in preference to laws every time.  Codes 
and manuals create patterned behavior.  All patterned behavior tends to go 
unquestioned, gathering destructive momentum.
- Darwi Odrade


Re: Apache13+static modperl+modssl?

2004-10-12 Thread Tillman Hodgson
On Tue, Oct 12, 2004 at 02:09:33PM -0500, Paul Schmehl wrote:
 --On Tuesday, October 12, 2004 10:26:19 AM -0600 Tillman Hodgson 
 [EMAIL PROTECTED] wrote:
 
 How does one get Apache compiled with both a statically compiled modperl
 (required for www/bricolage) as well as modssl?
 
 I see a www/apache13-modssl and a www/apache13-modperl, but spelunking
 through the Makefiles for either doesn't reveal a knob that enables the
 other option.

 Install apache13-modssl, then install www/mod-perl.

That's what I have now, and it results in a mod-perl /module/.
www/bricolage requires a mod-perl compiled into Apache (not a module).

I dug through the Makefile for www/mod_perl and didn't find knob to
statically compile it into Apache (I would have been surprised to find
it, actually).

Is there something you meant that I'm missing?

-T


-- 
Page xxvii: Unix is not like other computer systems. There is a feeling
of elegance and charm that hides behind every esoteric command and
within every technical rule.
- Harley Hahn, _The Unix Companion_


Re: Apache13+static modperl+modssl?

2004-10-12 Thread Tillman Hodgson
On Tue, Oct 12, 2004 at 03:15:10PM -0500, Paul Schmehl wrote:
 --On Tuesday, October 12, 2004 01:43:35 PM -0600 Tillman Hodgson 
 [EMAIL PROTECTED] wrote:
 
 Install apache13-modssl, then install www/mod-perl.
 
 That's what I have now, and it results in a mod-perl /module/.
 www/bricolage requires a mod-perl compiled into Apache (not a module).
 
 I dug through the Makefile for www/mod_perl and didn't find knob to
 statically compile it into Apache (I would have been surprised to find
 it, actually).
 
 Is there something you meant that I'm missing?
 
 No.  I just wasn't paying attention when I responded.  Sorry.
 
 Is -DWITH-PERL not working?  If you install www/apache13-modssl, one of the 
 configure options is with_perl.  I assume that means statically compiled 
 into apache.

I tried a `portupgrade -mWITH_PERL=true -f apache+mod_ssl`, but
www/bricolage still complains and `/usr/local/sbin/httpd -l` shows only:

Compiled-in modules:
  http_core.c
  mod_so.c
suexec: disabled; invalid wrapper /usr/local/sbin/suexec

I didn't find WITH-PERL (or WITH_PERL, just in case) in the Makefile for
www/apache+mod_ssl, and it's not listed as a knob in the pre-fetch
section.

I'll try this over on the ports list as well.

-T


-- 
Architecture in general is frozen music.
-- Friedrich Schelling, _Philosophie der Kunst_


Re: /usr/ports/net/net-snmp Only contains Readme.html

2004-09-08 Thread Tillman Hodgson
On Wed, Sep 08, 2004 at 05:06:25PM +0100, Matthew Seaman wrote:
 The old directory still exists only because there's a readme.html file
 in it -- if you delete that and re-run cvsup, the old net/net-snmp
 directory will be deleted completely.

Is there a handy way to automate the deletion of abandoned readme.html
files in the ports tree?

-T


-- 
When you do something, you should burn yourself completely, like a good
bonfire, leaving no trace of yourself.
Shunryu Suzuki




Re: User Accounts across multiple machines

2004-07-22 Thread Tillman Hodgson
On Thu, Jul 22, 2004 at 02:23:36PM -0400, Bill Moran wrote:
 Ray Seals [EMAIL PROTECTED] wrote:
 
  I have 15 FreeBSD machines on my network (soon to be around 30) and want
  to synch all the machines userid and passwords.  Is NIS still the
  primary way to do this or is there a better solution?
 
 As far as I understand it, yes.  Although Kerberos seems to be a practical
 alternative.  With 5.x, there is more support for pam, thus opening up
 your choices to things like LDAP.

I use NIS (for meta-data) in combination with Kerberos (for
authentication), with the NIS service run over a special VLAN with IPsec
transport mode in place. This covers the security problems in the design
of NIS that I'm familiar with, uses only tools found in the base FreeBSD
install, works across Unix-like platforms (and versions, such as 4.X vs
5.X), and provides other benefits such as single sign-on.

-T


-- 
Page 461: Tools that are simple enough to use the first day are often a
real pain after the first month.
- Harley Hahn, _The Unix Companion_


dhclient.conf and DDNS via TSIG to Bind 9.2.3

2004-07-08 Thread Tillman Hodgson
Howdy,

I have a backup connection on an ADSL line with an IP address provided
by DHCP. My main line, which has static IPs, hosts my Bind 9.2.3 DNS
server. I don't have control of the DHCP server for the backup line,
it's simply provided by the ISP.

I'm using dhclient from -CURRENT on i386, dated June 17 2004.

I'd like to have dhclient on the backup line update a DNS entry in one
of my zones so that I can always reach my network via the backup line at
the same name. I'm following
http://ops.ietf.org/dns/dynupd/secure-ddns-howto.html as well as a
similar thread from the freebsd hackers list from last November:
http://groups.google.ca/groups?hl=en&lr=&ie=UTF-8&th=86443cc1d80de8d&rnum=2

I set up the named.conf on the DNS host as follows (IPs aren't mangled
... they're dynamic, after all :-)):

key "adsl.seekingfire.com." {
        algorithm hmac-md5;
        secret "my secret generated from dnssec-keygen";
};
view "us" {
        match-clients { MyNets; };
        // Master zones
        zone "seekingfire.com" {
                type master;
                file "master/seekingfire.com";
                allow-transfer { MyNets; AccessComm; };
                // for dynamic DNS
                allow-update { key adsl.seekingfire.com.; };
                // Note: I've also tried:
                //update-policy {
                //      grant adsl.seekingfire.com. name
                //      adsl.seekingfire.com. A TXT;
                //};
        };

And I've set up dhclient.conf as follows:

### Keys and DDNS (see http://ops.ietf.org/dns/dynupd/secure-ddns-howto.html)
send fqdn.fqdn "adsl.seekingfire.com.";
send fqdn.encoded on;
send fqdn.server-update off;
key adsl.seekingfire.com. {
        algorithm HMAC-MD5;
        secret "my secret generated from dnssec-keygen";
}
zone seekingfire.com {
        key adsl.seekingfire.com.;
}
interface "xl0" {
        send dhcp-client-identifier "adsl";
        send host-name "adsl";
}

When I add dhclient_flags="-v" to /etc/rc.conf and run
/etc/rc.d/dhclient restart, I get:

Releasing DHCP leases: xl0.
Starting dhclient.
Internet Software Consortium DHCP Client V3.0.1rc12
Copyright 1995-2002 Internet Software Consortium.
All rights reserved.
For info, please visit http://www.isc.org/products/DHCP
Listening on BPF/xl0/00:01:02:2d:17:47
Sending on   BPF/xl0/00:01:02:2d:17:47
Sending on   Socket/fallback
DHCPDISCOVER on xl0 to 255.255.255.255 port 67 interval 6
DHCPOFFER from 64.110.241.254
DHCPREQUEST on xl0 to 255.255.255.255 port 67
DHCPACK from 64.110.241.254
bound to 142.165.192.118 -- renewal in 6982 seconds.
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=9<RXCSUM,VLAN_MTU>
        inet6 fe80::201:2ff:fe2d:1747%xl0 prefixlen 64 scopeid 0x2
        inet 142.165.192.118 netmask 0xff00 broadcast 142.165.192.255
        ether 00:01:02:2d:17:47
        media: Ethernet 10baseT/UTP (10baseT/UTP half-duplex)
        status: active

So, yeah, I get my new lease just fine. But it doesn't mention anything
about DNS ... and when I run a tcpdump on the adsl host, I don't see any
traffic on port 53. It's like it's just ignoring that part of
dhclient.conf completely.

Is there something I'm missing or have messed up in my dhclient.conf
configuration?

-T


-- 
Page 12: Unix is a set of tools for smart people.
- Harley Hahn, _The Unix Companion_
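One thing worth checking before blaming dhclient is that the TSIG key on the client side is literally the same key named accepts: name (case-insensitive, trailing dot optional), algorithm and secret must all agree, or the server answers the update with BADKEY or BADSIG. Here is an added example (not from the post, not part of ISC's tools) with a small awk parser that reads the key block out of both files, since they spell it the same way, and compares them. Function names and the sample files are assumptions for illustration; the secret is a placeholder, not a real key.

```sh
#!/bin/sh
# Added example, not from the thread: confirm that dhclient.conf and
# named.conf carry the same TSIG key. Function names and the sample files
# are constructed for illustration; the secret is a placeholder.

# Print "name algorithm secret" for the first multi-line key block in $1.
tsig_key_fields() {
    awk '
        /^[[:space:]]*key[[:space:]].*\{/ { inkey = 1; name = $2; gsub("[\"{]", "", name); next }
        inkey && /^[[:space:]]*algorithm/ { alg = $2; gsub("[\";]", "", alg) }
        inkey && /^[[:space:]]*secret/    { sec = $2; gsub("[\";]", "", sec) }
        inkey && /}/ { print name, tolower(alg), sec; exit }
    ' "$1"
}

# Compare the key in named.conf ($1) with the one in dhclient.conf ($2).
# Prints the first disagreement and returns 1, or confirms the match.
tsig_keys_agree() {
    set -- $(tsig_key_fields "$1") $(tsig_key_fields "$2")
    [ $# -eq 6 ] || { echo "could not parse a key block from both files"; return 1; }
    n1=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    n2=$(printf '%s' "$4" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    [ "$n1" = "$n2" ] || { echo "key name differs: $1 vs $4"; return 1; }
    [ "$2" = "$5" ] || { echo "algorithm differs: $2 vs $5"; return 1; }
    [ "$3" = "$6" ] || { echo "secret differs"; return 1; }
    echo "key $1 ($2) matches on both sides"
}

# Write constructed sample files into directory $1: the named side, a
# dhclient.conf that matches it, and one whose key name was mistyped.
write_samples() {
    cat > "$1/named.conf" <<'EOF'
key "adsl.example.com." {
        algorithm hmac-md5;
        secret "c2VjcmV0LXBsYWNlaG9sZGVyLW5vdC1hLXJlYWwta2V5";
};
zone "example.com" {
        type master;
        file "master/example.com";
        allow-update { key adsl.example.com.; };
};
EOF
    cat > "$1/dhclient-ok.conf" <<'EOF'
send fqdn.fqdn "adsl.example.com.";
key adsl.example.com. {
        algorithm HMAC-MD5;
        secret "c2VjcmV0LXBsYWNlaG9sZGVyLW5vdC1hLXJlYWwta2V5";
}
zone example.com. {
        key adsl.example.com.;
}
EOF
    sed 's/^key adsl\./key backup./' "$1/dhclient-ok.conf" > "$1/dhclient-bad.conf"
}

# --- stand-alone demo ---
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
tsig_keys_agree "$demo_dir/named.conf" "$demo_dir/dhclient-ok.conf"
tsig_keys_agree "$demo_dir/named.conf" "$demo_dir/dhclient-bad.conf" || true
rm -rf "$demo_dir"
```

The parser expects the one-statement-per-line layout shown in the post. hmac-md5 matches the 2004 setup being discussed; BIND's tsig-keygen defaults to hmac-sha256 today, and whichever you pick, the check is the same.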


Re: NFS and Backups

2004-07-05 Thread Tillman Hodgson
On Sat, Jul 03, 2004 at 02:33:22PM -0400, Chuck Swiger wrote:
 Grant Peel wrote:
 I have recently decided to use some extra disk space on one of my servers as
 backup space. I have NFS client and Servers running OK, but was wondering how
 secure it really is.
 
 NFS is not secure at all.  If you don't trust the local subnet, don't use 
 NFS there.  Certainly don't use NFS across the Internet, unless using a 
 secure tunnelling/VPN protocol
 
 So if in my nfsd configuration, I specify a host called 'ahab' for example,
 how does the nfsd authenticate this host, and how secure is it?
 
 NFS doesn't authenticate the host.  NFS trusts the resolver when reversing 
 the IP addr into a hostname.

Even on local networks, NFS over IPsec can be a win due to the deflate
algorithm. Here's some netperf results from some tests I did recently
between a Celeron 900 (-STABLE) file server and a 360MHz sparc64 Ultra
5 (-CURRENT):

Raw speed, no IPsec:
[EMAIL PROTECTED] /usr/local/netperf]# ./netperf -t UDP_STREAM -H athena
UDP UNIDIRECTIONAL SEND TEST to athena : histogram
Socket  Message  Elapsed      Messages
Size    Size     Time         Okay Errors   Throughput
bytes   bytes    secs            #      #   10^6bits/sec

  9216    9216   10.01       13004  13160      95.81
 42080           10.01       12778             94.14

IPsec (3des):
[EMAIL PROTECTED] /usr/local/netperf]# ./netperf -t UDP_STREAM -H secathena
UDP UNIDIRECTIONAL SEND TEST to secathena : histogram
Socket  Message  Elapsed      Messages
Size    Size     Time         Okay Errors   Throughput
bytes   bytes    secs            #      #   10^6bits/sec

  9216    9216   10.01         715      0       5.27
 42080           10.01         713              5.25

IPsec (blowfish):
[EMAIL PROTECTED] ~]#  /usr/local/netperf/netperf -t UDP_STREAM -H secathena
UDP UNIDIRECTIONAL SEND TEST to secathena : histogram
Socket  Message  Elapsed      Messages
Size    Size     Time         Okay Errors   Throughput
bytes   bytes    secs            #      #   10^6bits/sec

  9216    9216   10.01       14744      0     108.63
 42080           10.01        3681             27.12


Blowfish is definitely preferable to 3des for IPsec work involving
NFS-like traffic. Due to the deflate feature, netperf reports a result
greater than the 100Mbit/s wire speed. Unfortunately, encryption speed
drops off quickly as socket size increases, but 8k NFS looks like it's
in good shape.  Newer hardware will only make things better,
naturally.

IPsec handles the host authentication bit that NFS is pretty loose
about. That still leaves the UID is checked on the wrong end problem,
but that's very much a different problem than network level trust
attacks.

-T


-- 
That time in Seattle... was a nightmare.  I came out of it dead broke,
 without a house, without anything except a girlfriend and a knowledge
 of UNIX.  Well, that's something, Avi says. Normally those two are
 mutually exclusive.   -- Neal Stephenson, Cryptonomicon

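The NFS reply above makes two points a practitioner will want to check on their own exports: a host granted by name is trusted on the strength of a reverse lookup, and UIDs are checked on the wrong end. The following is an added example, not code from the thread. It parses a constructed FreeBSD-style exports file, recognising the exports(5) tokens it needs (-ro, -maproot, -network, -mask), and reports for each exported path which grants rest on hostnames, which map remote root to root, and which are writable. Netgroup names are not distinguished from hostnames here, since both are resolved by name rather than by address.

```python
"""Audit a FreeBSD-style /etc/exports for grants that rest on resolver trust.

Added example, not from the mailing-list thread. Every token on an exports
line that is neither a path nor a -option is a client designation; a client
that is not an IP literal is a name, which nfsd can only match by reverse-
resolving the connecting address.
"""
import ipaddress

# Constructed sample exports file (hosts and paths are made up).
SAMPLE_EXPORTS = """\
# exported to a host by name: relies on reverse DNS
/usr/home            ahab
# exported to an IP literal, read-only, remote root mapped to nobody
/usr/local/backups   -ro -maproot=nobody 192.168.23.5
# exported to a whole subnet with remote root kept as root
/export/scratch      -maproot=root -network 192.168.23.0 -mask 255.255.255.0
# no client at all: any host that can reach nfsd
/export/public       -ro
"""


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_exports(text):
    """Return one dict per non-comment line with its paths, options and clients."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        paths, options, clients = [], {}, []
        i = 0
        while i < len(tokens):
            tok = tokens[i]
            if tok.startswith("/"):
                paths.append(tok)
            elif tok.startswith("-"):
                name, _, value = tok[1:].partition("=")
                # -network and -mask may take their value as the next token
                if name in ("network", "mask") and not value and i + 1 < len(tokens):
                    i += 1
                    value = tokens[i]
                options[name] = value or True
            else:
                clients.append(tok)
            i += 1
        entries.append({"paths": paths, "options": options, "clients": clients})
    return entries


def audit_exports(text):
    """Map each exported path to the list of trust properties found on its line."""
    findings = {}
    for e in parse_exports(text):
        notes = []
        if "network" in e["options"]:
            notes.append("subnet grant: every host on the subnet is trusted")
        elif not e["clients"]:
            notes.append("no client given: exported to any host that can reach nfsd")
        for c in e["clients"]:
            if not _is_ip(c):
                notes.append("hostname grant '%s': trusts reverse DNS for the client IP" % c)
        if e["options"].get("maproot") == "root":
            notes.append("-maproot=root: remote root is root on this file system")
        elif "maproot" not in e["options"]:
            notes.append("no -maproot: remote root becomes nobody, other UIDs pass through as sent")
        if "ro" not in e["options"]:
            notes.append("read-write export")
        for p in e["paths"]:
            findings[p] = notes
    return findings


if __name__ == "__main__":
    for path, notes in audit_exports(SAMPLE_EXPORTS).items():
        print(path)
        for n in notes:
            print("    " + n)
```

Run it against a real file with `audit_exports(open("/etc/exports").read())`; the hostname-grant lines are the ones whose trust moves with whoever controls the reverse zone for the client's address range.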

Re: Is it worth using both gigabit ether ports?

2004-04-21 Thread Tillman Hodgson
On Wed, Apr 21, 2004 at 03:11:55PM +0100, Andy Holyer wrote:
 I work for a small special-purpose ISP, and right now I'm configuring 
 our main Web/Mail/DNS server. It's a Dell Poweredge 750, 2.4Gb with 
 1Gig of memory and two 80 GB drives mirrored using vinum.
 
 When I've prepped it up, it's due to go in our rack at Telecity in 
 Docklands.
 
 The box came with an Intel twin Gigabit network card, and I'd like to 
 use ng_one2many to load share so that the box uses both ports at once.
 
 There doesn't appear to be much about this on the web. My question: is 
 it worth doing? Will I get a better and/or more fault-tolerant 
 performance by doing this? Do I have to do anything clever with DNS or 
 the router (a Cisco 3660) to get requests evenly distributed, or can I 
 rely on sharing outgoing traffic?

I'll reply to just the fault-tolerant question:

You'll get less fault-tolerance, as ng_one2many doesn't implement any
kind of connection checking. If an interface dies, 1/2 of your packets
will still attempt to use it.

-T


-- 
Real men use cat /var/spool/mail/$USER | more and telnet $SMTP_HOST 25
- Anonymous Unix geek
more /var/spool/mail/$USER -- don't waste a process, you idiot
- Second anonymous Unix geek


IPsec performance impact [was: Re: OS X and FreeBSD: What could be a good setup]

2004-04-12 Thread Tillman Hodgson
On Mon, Apr 12, 2004 at 03:30:42PM +0100, Matthew Seaman wrote:
 If you're that worried about WEP not being secure enough, you could
 wrap the NFS connections in ipsec instead.  It might have a bit of a
 performance impact though.

I'm a big fan of running IPsec over wireless connections. But I was
shocked by the performance impact IPsec has. I collected some numbers
with netperf recently, shown below.

Notes:

* Athena (the household server) is a Celeron 900 with 256MB of
  RAM and a 'bge' gigE NIC running -STABLE
* Caliban is an UltraSPARC 360 with 384MB of RAM and a 4-port 'hme' NIC
  running -CURRENT
* Coyote is a Celeron 400 with 128MB of RAM and a 'rl' NIC
* In my case racoon sets up 3des for me -- note that this isn't a CPU
  friendly scheme, though it is very likely to be compatible with other
  platforms
* I run a separate VLAN for IPsec traffic, so all IPsec traffic numbers
  also assume that the traffic was VLAN'ed
* The IPsec'd IP of a host has its own name in DNS, simply its regular
  name prefixed with sec.
* I ran netserver (from netperf) on Athena and tested it for UDP_STREAM
  (a nice NFS-like test) over both the IPsec VLAN and the regular
  unencrypted link (non-VLAN'ed)

Results:

[EMAIL PROTECTED] /usr/local/netperf]# ./netperf -t UDP_STREAM -H secathena
Socket  Message  Elapsed      Messages
Size    Size     Time         Okay Errors   Throughput
bytes   bytes    secs            #      #   10^6bits/sec

  9216    9216   10.01         715      0       5.27
 42080           10.01         713              5.25

[EMAIL PROTECTED] /usr/local/netperf]# ./netperf -t UDP_STREAM -H athena
Socket  Message  Elapsed      Messages
Size    Size     Time         Okay Errors   Throughput
bytes   bytes    secs            #      #   10^6bits/sec

  9216    9216   10.01       13004  13160      95.81
 42080           10.01       12778             94.14

[EMAIL PROTECTED] /usr/local/netperf]# ./netperf -t UDP_STREAM -H athen
Socket  Message  Elapsed      Messages
Size    Size     Time         Okay Errors   Throughput
bytes   bytes    secs            #      #   10^6bits/sec

  9216    9216   10.00       10452      0      77.02
 42080           10.00       10452             77.02

[EMAIL PROTECTED] /usr/local/netperf]# ./netperf -t UDP_STREAM -H secathena
Socket  Message  Elapsed      Messages
Size    Size     Time         Okay Errors   Throughput
bytes   bytes    secs            #      #   10^6bits/sec

  9216    9216   10.00        1789      0      13.18
 42080           10.00        1789             13.18

During the tests the clients were CPU-bound. To put it bluntly, the
performance impact is non-trivial. That's to be expected, and at the
slower speeds of wireless networks it's more likely that more modern
CPUs will be able to keep up. I wouldn't want to play a high-bitrate
video file over an IPsec connection, though, as the video app and IPsec
will starve each other of CPU cycles.

-T


-- 
The mere sense of living is joy enough.
Emily Dickinson

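Both netperf posts above (the NFS one and this IPsec one) quote raw UDP_STREAM tables. The following is an added example, not code from the thread: a parser that pulls the two numeric rows out of that output and reports each run relative to an unencrypted baseline. It compares on the receive-side throughput, because the send row counts what the sender handed to its socket (the Errors column is sendto() calls the kernel refused), so the send-side figure can read higher than what actually arrived. The sample runs are constructed from the figures quoted in the posts.

```python
"""Summarise netperf UDP_STREAM output and compare runs against a baseline.

Added example, not code from the thread. parse_udp_stream() reads the two
numeric rows netperf prints (send side, then receive side); compare() reports
every run relative to the receive-side throughput of a chosen baseline.
"""
import re

# Constructed sample output, built from the figures quoted in the posts.
RUNS = {
    "athena (no IPsec)": """\
UDP UNIDIRECTIONAL SEND TEST to athena : histogram
Socket  Message  Elapsed      Messages
Size    Size     Time         Okay Errors   Throughput
bytes   bytes    secs            #      #   10^6bits/sec

  9216    9216   10.01       13004  13160      95.81
 42080           10.01       12778             94.14
""",
    "secathena (3des)": """\
Socket  Message  Elapsed      Messages
Size    Size     Time         Okay Errors   Throughput
bytes   bytes    secs            #      #   10^6bits/sec

  9216    9216   10.01         715      0       5.27
 42080           10.01         713              5.25
""",
    "secathena (blowfish)": """\
Socket  Message  Elapsed      Messages
Size    Size     Time         Okay Errors   Throughput
bytes   bytes    secs            #      #   10^6bits/sec

  9216    9216   10.01       14744      0     108.63
 42080           10.01        3681             27.12
""",
}

# A data row is nothing but whitespace-separated numbers.
NUMBER_ROW = re.compile(r"^\s*[\d.]+(\s+[\d.]+)+\s*$")


def parse_udp_stream(text):
    """Return the send/receive counters of one UDP_STREAM run as a dict."""
    rows = [line.split() for line in text.splitlines() if NUMBER_ROW.match(line)]
    if len(rows) != 2:
        raise ValueError("expected a send row and a receive row, found %d" % len(rows))
    send, recv = rows
    if len(send) != 6 or len(recv) != 4:
        raise ValueError("unexpected column layout")
    return {
        "msg_bytes": int(send[1]),
        "send_ok": int(send[3]),        # messages the sender handed to its socket
        "send_errors": int(send[4]),    # sendto() calls the kernel refused
        "send_mbps": float(send[5]),    # derived from send_ok, so it can overstate
        "recv_ok": int(recv[2]),        # messages that actually arrived
        "recv_mbps": float(recv[3]),    # the figure to compare between runs
    }


def compare(runs, baseline):
    """Parse every run and add its receive throughput relative to `baseline`."""
    base = parse_udp_stream(runs[baseline])["recv_mbps"]
    result = {}
    for name, text in runs.items():
        r = parse_udp_stream(text)
        r["relative_to_baseline"] = round(r["recv_mbps"] / base, 3)
        r["lost_in_transit"] = r["send_ok"] - r["recv_ok"]
        result[name] = r
    return result


if __name__ == "__main__":
    for name, r in compare(RUNS, "athena (no IPsec)").items():
        print("%-22s recv %7.2f Mbit/s  (%.1f%% of baseline, %d messages lost)"
              % (name, r["recv_mbps"], 100 * r["relative_to_baseline"], r["lost_in_transit"]))
```

The `lost_in_transit` column is the gap between messages sent and messages received; on the blowfish run it is large, which is the reason to read the receive row rather than the send row when judging what a tunnel actually delivers.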

Re: Well-supported gigabit cards under 4-stable?

2004-03-22 Thread Tillman Hodgson
On Mon, Mar 15, 2004 at 12:46:31AM -0600, Tillman Hodgson wrote:
 I'm interested in seeing what low-cost gigabit cards are supported
 under -stable and which cards might be recommended. I'm looking
 specifically at the Linksys EG1032, D-Link DGE-530T, Intel Pro1000MT,
 and the Micronet SP2612R. All are relatively cheap (Can$64 and lower),
 are easily obtained in Canada via the popular online merchants, and
 would be within reach of a typical (though geeky) home network.
snip
 So what's recommended by folks running gigabit gear these days?

[Replying to my own email]

Thanks for the responses. I ended up getting a bge card (NetGear) which
has been performing without any errors through several backup cycles
now.

I chose that one over the Intel simply because I could get it from the
same online store as the switch I was purchasing, whereas the Intel card
would've required me to go to a different vendor (and end up paying for
separate shipping).

bge0: <Altima AC9100 Gigabit Ethernet, ASIC rev. 0x105> mem 0xfa00-0xfa00 irq 11 at device 10.0 on pci0
bge0: Ethernet address: 00:09:5b:8e:71:2f
miibus0: <MII bus> on bge0
brgphy0: <BCM5701 10/100/1000baseTX PHY> on miibus0
brgphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseTX, 10

# netstat -i
Name  Mtu   Network       Address              Ipkts Ierrs    Opkts Oerrs  Coll
bge0  1500  <Link#1>      00:09:5b:8e:71:2f 21261672     0  9481812     0     0
bge0  1500  192.168.23    athena            21339692     -  9669772     -     -

-T


-- 
Any intelligent fool can make things bigger, more complex, and more violent.
It takes a touch of genius -- and a lot of courage -- to move in the opposite
direction.
- Albert Einstein


Re: Top posting

2004-03-20 Thread Tillman Hodgson
On Fri, Mar 19, 2004 at 10:41:14PM -0800, Chuck McManis wrote:
 At 03:24 PM 3/19/2004, you wrote:
 Top-posting may be an opinion, but RFC 1855 makes it _standard_ opinion.
 
 Let's get serious for a minute here. Just because someone wrote up an 
 INFORMATIONAL RFC does NOT make it STANDARD. It makes it INFORMATIONAL. Big 
 difference. Go look up RFC 2026 for what it takes to become a standard.

Absolutely. I'm very aware of the RFC process.

But bottom-posting has been published as an RFC since Oct of 1995 and
nobody has published any alternative since then. That doesn't make
bottom posting *the* standard, it makes it a standard opinion (as no
contrary opinions have been published).

Of course, now that I've said that karma dictates that somebody is
drafting up an alternative netiquette RFC at this very minute ;-)

-T


-- 
Draw bamboos for ten years, become a bamboo, then forget all about bamboos
when you are drawing.
Georges Duthuit


Re: Top posting

2004-03-19 Thread Tillman Hodgson
On Fri, Mar 19, 2004 at 05:35:06PM -0500, Al Johnson wrote:
 I'm with you... Top-posting makes the most sense for me.
  It comes down to opinion I think

My standard response to top-posting:

 A: Because it reverses the logical flow of conversation.
 Q: Why is putting a reply at the top of the message frowned upon?
 A: Top-posting.
 Q: What is the most annoying thing on usenet and in e-mail?

Top-posting may be an opinion, but RFC 1855 makes it _standard_ opinion.

Best regards,

-T


-- 
It's hard to find people in society who can administer UNIX and
 professionally carry a weapon.
- Jim Williams, former FBI Computer Intrusion Squad agent


Well-supported gigabit cards under 4-stable?

2004-03-14 Thread Tillman Hodgson
Howdy,

I found a few threads on this topic in google, but they were from a
while ago (-stable and hardware are both moving targets, after all).

I'm interested in seeing what low-cost gigabit cards are supported
under -stable and which cards might be recommended. I'm looking
specifically at the Linksys EG1032, D-Link DGE-530T, Intel Pro1000MT,
and the Micronet SP2612R. All are relatively cheap (Can$64 and lower),
are easily obtained in Canada via the popular online merchants, and
would be within reach of a typical (though geeky) home network.

Most of my computers will remain 100Mbit, but I'd like to move my main
file server to 1000Mbit. All the other machines do full dumps to it
every night (which eventually end up on tape), so it spends a fairly
large portion of every day with its interface completely saturated
(and it's worse on weekly dump days).

I'm primarily concerned with driver stability. For example, I noticed
some messages in the archives about the nge driver causing problems ...
that was some time ago, but I'd like to avoid that on a server which
handles my backups ;-) I'm also interested in nice vlan and jumbo frame
support, though I can get by without them.

So what's recommended by folks running gigabit gear these days?

-T


-- 
Page xxviii: Live with Unix long enough and you will change. You will
become more creative, and you will come to understand the spirit of
creation in others.
- Harley Hahn, _The Unix Companion_


Re: sparc classic

2004-03-05 Thread Tillman Hodgson
On Fri, Mar 05, 2004 at 11:15:09AM -0600, Brian Henning wrote:
 Is there a port of freebsd that will run on a sparc classic?
 I only see one for 64 bit sparc on the ftp site.

No, there isn't. Sparc64 works wonderfully, however.

http://www.freebsd.org/releases/5.2.1R/hardware.html

I suspect that you'll end up running NetBSD, OpenBSD or a Linux variant
on that box. I looked into it a while back because I like old Sun gear,
but I like having a homogeneous environment even more :-)

-T


-- 
Special knowledge can be a terrible disadvantage if it leads you too far along 
a path that you cannot explain anymore.
- Mentat Admonition


Re: OT: Longest uptime

2004-02-22 Thread Tillman Hodgson
On Sun, Feb 22, 2004 at 06:18:18PM +0000, Jez Hancock wrote:
 On Sat, Feb 21, 2004 at 11:49:22PM -0400, Marc G. Fournier wrote:
  
  Doesn't (or didn't?) Linux have a 'feature' that allowed ppl to save their
  uptimes through a reboot?  So, for instance, if it was a scheduled
  reboot, uptime still showed one continuous uptime?  I'd imagine that this
  would be saved through upgrades as well ...
 
 There's a similar module for fbsd here:
 
 http://garage.freebsd.pl
 
 although the site appears to be down at this moment.

The irony is delicious ;-)

-T


-- 
Beauty is more important in computing than anywhere else in technology
because software is so complicated. Beauty is the ultimate defense against
complexity. -- David Gelernter, Machine Beauty: Elegance and the Heart of
Technology


Vim startup time much longer than expected

2004-01-22 Thread Tillman Hodgson
Howdy folks,

I NFS export my home directory from a 4-STABLE box. In this home
directory are my .vimrc file and a couple of vim plugins that I use.

When I launch vim (which I use with mutt) from a workstation running
RedHat 7.3 it loads and is ready for input virtually instantly. When I
launch vim from the server itself (local disk!) it takes several seconds
before it's ready for input.

As the config files are identical, I can't think of what else might be
causing the difference. Perhaps compile options for the vim port (I use
-WITHOUT_X on the FreeBSD server end)?

It does seem, though I haven't attempted to profile or trace the process,
that it's hanging much longer while displaying this in the status line:

 Pattern not found: ^> -- .*

That's the result of my quoted .sig dumper for email replies (and thus
isn't called when I'm composing a new mail):

 " EMAIL
 " Make VIM use shorter lines for emails
 au BufNewFile,BufRead .letter,mutt*,nn.*,snd.* set tw=72
 " Delete quoted .sig's
 au BufRead /tmp/mutt-* normal :g/^> -- .*/,/^$/-1d

I don't understand why that would be faster on the workstation (which is
half the box CPU-wise and NFS'ed) than the server. Perhaps the FreeBSD
port of vim (6.2 rather than 6.1 on the client) incorporates a
deliberate delay for warnings like that?

In any case, if anyone is able to pass me some insight I'd much
appreciate it.

-T


-- 
Beauty is more important in computing than anywhere else in technology
because software is so complicated. Beauty is the ultimate defense against
complexity. -- David Gelernter, Machine Beauty: Elegance and the Heart of
Technology


Re: Re: Loading balancing with more than one ISP.

2004-01-19 Thread Tillman Hodgson
On Mon, Jan 19, 2004 at 09:25:01AM +0100, Antoine Jacoutot wrote:
 Now, it does NOT work...
 192.168.1.0 -- Internet works with no problem (tun0 being the default route 
 on the FreeBSD gateway)
 192.168.0.0 -- Internet doesn't work :(

When you tcpdump both external interfaces, do the packets on
the interface that the 192.168.0.0/24 network is supposed to use look
like you would expect?

-T


-- 
People of the same trade seldom meet together, even for merriment and
diversion, but the conversation ends in a conspiracy against the public, or in
some contrivance to raise prices.
- Adam Smith, _The Wealth of Nations_


Re: Loading balancing with more than one ISP.

2004-01-19 Thread Tillman Hodgson
On Mon, Jan 19, 2004 at 05:04:50PM +0100, Antoine Jacoutot wrote:
 On Monday 19 January 2004 16:21, Tillman Hodgson wrote:
  When you tcpdump both external interfaces, do the packets on
  the interface that the 192.168.0.0/24 network is supposed to use look
  like you would expect?
 
 Nope... there's nothing on the external interfaces from the 192.168.0.0/24 
 network...
 The thing is since there's NAT going on, I get a little lost...

Ahhh, that's the point -- you've discovered that it's not going out the
right interface :-)

You've pretty much worn out the "play with the config files" route.
Let's try getting some data by finding out what is actually happening so
we can figure out what's wrong. Can you post what the traffic on the
other interface looks like when you're trying to go out from
192.168.0.0/24?

-T


-- 
You cannot manipulate a marionette with only one string.
- The Zensunni Whip


Re: Using Vi through a Serial Console

2004-01-17 Thread Tillman Hodgson
On Sat, Jan 17, 2004 at 06:52:31PM -0500, Mario Antonio wrote:
 Dear List,
 
 When I make a serial connection to a FreeBSD server that has its serial port
 configured as a console, how can I make the vi editor work?

What doesn't work about it?

And you've already set your TERM environment variable to an appropriate
value for whatever is on the other end of the serial cable?

-T


-- 
Nahh, that impending sound of doom is just the blades on my leatherman
locking. 
- A.S.R. quote (Majdi)


Re: How to find the reverse on a IP address?

2004-01-16 Thread Tillman Hodgson
On Fri, Jan 16, 2004 at 09:28:47AM -0800, Jason Williams wrote:
 Morning everyone.
 
 I'm having a major brain freeze this morning. I dont recall how to find the 
 reverse for an IP address?
 
 I need to do some testing with a few IP addresses, to ensure they have 
 valid reverses set, but dont recall how to check them.
 
 If I remember, you could do it with both 'nslookup' and 'dig' correct?

Assuming the IP address is 1.2.3.4:

dig -x 1.2.3.4

 or from the nslookup prompt:

  set type=ptr
  4.3.2.1.in-addr.arpa.

-T


-- 
Some never participate.  Life happens to them.  They get by on little more than 
dumb persistence and resist with anger or violence all things that might lift 
them out of resentment-filled illusions of security.
- Alma Mavis Taraza

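As an added example (not from the thread), here is the name construction that `dig -x` and the nslookup session above perform, generalised to IPv6 under ip6.arpa, together with the check worth doing before acting on a PTR answer: the owner of the reverse zone decides what the PTR says, so the returned name should resolve forward to the same address before it is treated as that host's name. The resolver here is a constructed in-memory table so the example runs offline; the names and addresses in it are made up, and `lookup` would be replaced by real DNS queries in practice.

```python
"""Build reverse-lookup names and perform a forward-confirmed reverse DNS check.

Added example, not from the thread. reverse_name() produces the in-addr.arpa
(IPv4) or ip6.arpa (IPv6) query name; forward_confirmed() accepts a PTR
answer only when the name it gives resolves back to the queried address.
"""
import ipaddress


def reverse_name(address):
    """Return the PTR query name for an IPv4 or IPv6 address, with trailing dot."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        octets = str(ip).split(".")
        return ".".join(reversed(octets)) + ".in-addr.arpa."
    # IPv6: one label per hex nibble of the fully expanded address, reversed.
    nibbles = ip.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


# Constructed zone data standing in for a resolver (names and addresses made up).
ZONE = {
    "4.3.2.1.in-addr.arpa.": ["ahab.example.test."],   # PTR
    "ahab.example.test.": ["1.2.3.4"],                 # A record agrees
    "9.3.2.1.in-addr.arpa.": ["mail.example.test."],   # PTR names a host...
    "mail.example.test.": ["1.2.3.10"],                # ...whose A record is elsewhere
    "8.3.2.1.in-addr.arpa.": ["fake.victim.test."],    # PTR names a host with no A record
}


def lookup(name):
    """Stub resolver: return the records for a name, or [] when there are none."""
    return ZONE.get(name, [])


def forward_confirmed(address, resolve=lookup):
    """Return (ptr_name, confirmed): confirmed is True only if the PTR's
    name resolves forward to the address that was reversed."""
    ptrs = resolve(reverse_name(address))
    if not ptrs:
        return (None, False)
    name = ptrs[0]
    forward = resolve(name)
    return (name, address in forward)


if __name__ == "__main__":
    for addr in ("1.2.3.4", "1.2.3.9", "1.2.3.8", "1.2.3.7"):
        print(addr, reverse_name(addr), forward_confirmed(addr))
```

Only the first address passes: its PTR and A records agree. The second and third show the two ways a PTR can mislead (a name that belongs to a different address, and a name with no forward record at all), which is exactly the gap the NFS reply further up refers to when it says nfsd trusts the resolver.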

Re: make -jX build(world|kernel): test results

2004-01-15 Thread Tillman Hodgson
On Thu, Jan 15, 2004 at 03:59:22PM -0500, Lowell Gilbert wrote:
 Tillman Hodgson [EMAIL PROTECTED] writes:
  * I built 4 kernels: 3 customized and GENERIC (see above for why)
 Note that kernels are forced into serial compilation anyway,
 so the -j flag has no effect on them.  This test probably
 spent a lot more time building kernels than the world, so it
 doesn't tell us much about the flag's effect.  Timing it on
 buildworld alone would be more interesting.  To me, at
 least, but then my buildworld times are nearly an order of
 magnitude larger...

If you read all the way to the end of my original email you'll see that
I did that.

-T


-- 
Re: alt.sysadmin.recovery
A fitting punishment for kindly naivete, to end up belonging here. 
- A.S.R. quote (Chris Johnson)


Re: Loading balancing with more than one ISP.

2004-01-15 Thread Tillman Hodgson
On Thu, Jan 15, 2004 at 05:10:01PM +0100, Antoine Jacoutot wrote:
 On Thursday 15 January 2004 16:41, Dirk Meyer wrote:
  Thats easy on your router:
  #!/bin/sh
  gateway1=10.10.10.1
  gateway2=10.10.10.2
  dmz=10.10.20.0/24
  lan=10.10.30.0/24
  ipfw add fwd ${gateway2} ip from ${dmz} to any
  ipfw add fwd ${gateway1} ip from ${lan} to any
 
 Thanks... but the thing is that I already tried this, but I have dynamic IPs 
 and I need NAT...
 I just sent a new mail to the list, if you can check it out, my configuration 
 is explained.

I NAT with IPFilter (ipnat, really) rather than IPFW (natd, really) so I
can't help with IPFW. But in ipnat you can NAT to an interface and thus
it follows IP changes.

Taking my previous example and getting more specific, here's my NAT on
my dynamic IP on an ADSL line to CVSup12 (if you'll recall, my goal was
to eliminate system traffic from the main link and thus CVSup was
among the items moved to the ADSL link):

#   ... cvsup12.freebsd.org
map rl2 from 192.168.23.0/24 to 128.46.156.46/32 -> rl2/32

This is a good example because I'm NATing to a specific interface (rl2)
rather than to an IP (which can change with DHCP fairly regularly). But
it's also a bad example because I'm sending traffic to cvsup12 by
specific IP and this will break if they ever change IPs ;-)

Ah well, if that happens the daily email will show it and I'll adjust it
for the next day's run. So it works not-too-bad for this application.

-T


-- 
If you do not feel yourself growing in your work and your life
 broadening and deepening, if your task is not a perpetual tonic
 to you, you have not found your place.
- Orison Swett Marden {1850-1924 Founder of Success Magazine}


Re: Any comparison chart for FreeBSD and other OS about performans

2004-01-15 Thread Tillman Hodgson
On Fri, Jan 16, 2004 at 12:29:37AM +0200, Vahric MUHTARYAN wrote:
 Hi 
 
 I found old chart about some comparison between some OS FreeBSD , Linux and
 like this. Does anybody know any new report or chart about performance
 between OSes which includes FreeBSD of course.

Do a google search for "fefe freebsd benchmark", it should be the top
link.

-T


-- 
Page 38: Be sure that, in the excitement of creating a totally rad
password, you resist the temptation to tell someone just to show off how
smart you are.
- Harley Hahn, _The Unix Companion_


Re: Loading balancing with more than one ISP.

2004-01-14 Thread Tillman Hodgson
On Wed, Jan 14, 2004 at 02:46:28PM -0000, Simon Gray wrote:
  I've been looking for answers on this for a while but I found nothing nor
  no-one who could tell me if and how it is possible.
  Let the list know if you find anything interesting.
 
 Easiest way I would have thought would be to use BGP or OSPF under Zebra
 (/usr/ports/net/zebra)(www.zebra.org)

I'm a heavy Zebra (migrating to Quagga) user. Using dynamic routing is
very handy, but it won't solve the problem of balancing load across two
connections.

Zebra (or any dynamic routing daemon) only makes routing *decisions* and
then places the results of those decisions into the regular kernel
routing table. It doesn't actually route the packets, the regular kernel
routing mechanism still does that.

FreeBSD doesn't allow routes to identical destinations with different
gateways.  For a previous (and recent) thread on this, see
http://lists.freebsd.org/pipermail/freebsd-i386/2003-October/000340.html.

So you can't round-robin between two default gateways. You /can/,
however, send traffic for different destinations out of different links.
For example, I send my nightly CVSup traffic and other automated
downloads out of a regular ADSL link in order to prevent swamping my
main link.

If your upstream providers support dynamic routing protocols, then you
can get that destination information automatically. But that's not the
same as load balancing, it's best-path selection.

-T


-- 
Money is truthful. If a man speaks of his honor, make him pay cash.
- Robert Heinlein


Re: Loading balancing with more than one ISP.

2004-01-14 Thread Tillman Hodgson
On Wed, Jan 14, 2004 at 06:27:30PM +0100, Antoine Jacoutot wrote:
 On Wednesday 14 January 2004 17:30, Tillman Hodgson wrote:
  I'm a heavy Zebra (migrating to Quagga) user. Using dynamic routing is
  very handy, but it won't solve the problem of balancing load across two
  connections.
 
 Thanks for the feedback :)
 
  So you can't round-robin between two default gateways. You /can/,
  however, send traffic for different destinations out of different links.
  For example, I send my nightly CVSup traffic and other automated
  downloads out of a regular ADSL link in order to prevent swamping my
  main link.
 
 What I'm hoping to do is find a way to route all packets coming:
 - from DMZ to internet, using NET connection1
 - from LAN to internet, using NET connection2
 
 To be more understandable, something like this:
 route add from DMZ default em0
 route add from LAN default em1
 -- I know it is not a real command line, it's just to make things clearer.

That's basically source-based routing, as opposed to the normal
destination based routing.

Normal routing says "Based on the fact that you want to go to network X,
I'll send you to gateway Y."

Source-based routing says "Based on the IP address that you're coming from,
I'll send you to gateway Y."

On FreeBSD, source-based routing is done with the IPFW 'fwd' command (or
the IPFilter 'pass out quick on int_2 to int_1' syntax) rather than
using the `route` command. I'm doing that myself (with IPFilter) and it
works well. It's confusing to set up initially because you have to take
into account the interaction between normal routing and firewall-based
source routing. If you're also NAT'ing and using dynamic IPs,
understanding how it all can be made to work is an enlightening
experience ;-)

  If your upstream providers support dynamic routing protocols, then you
  can get that destination information automatically. But that's not the
  same as load balancing, it's best-path selection.
 
 And if it doesn't ?

Then you have to figure out and enter the best paths yourself as static
routes. Pain in the butt and likely to drift from reality over time. For
example, if my CVSup server of choice were to change its IP address
(which I have no control over and am not likely to be notified about),
then my static route won't apply and my CVSup traffic, which I've so
carefully ensured won't affect my main link, will start going over my
main link.

-T


-- 
The tao that can be told
 is not the eternal Tao.
The name that can be named
 is not the eternal Name.
- Tao Te Ching

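The contrast drawn in this reply and the one above it (the kernel table is consulted by destination and will not hold two routes to the same destination; source-based routing is done in the firewall with ipfw 'fwd' or ipf 'to' before that lookup; a static host route drifts when the far end changes address) is modelled below in Python. This is an added example, not code from the thread and not an interface to the real routing table. The gateways and subnets are the ones from Dirk Meyer's ipfw script quoted earlier in the thread, em0/em1 are the interfaces from Antoine's pseudo-commands, and the mirror address 198.51.100.46, the ADSL gateway 192.0.2.1 and the rl2 interface for it are constructed.

```python
"""Model destination-based vs. source-based routing decisions.

Added example, not code from the thread. PolicyRouter keeps a destination-
keyed table (longest prefix wins, one entry per prefix, as the kernel does)
and a list of source-keyed policy rules that are consulted first, standing
in for what ipfw 'fwd' or ipf 'to' do before the kernel lookup.
"""
import ipaddress


class PolicyRouter:
    def __init__(self):
        self.routes = {}     # destination network -> (gateway, interface)
        self.policies = []   # (source network, gateway, interface), in rule order

    def add_route(self, dest, gateway, iface):
        net = ipaddress.ip_network(dest)
        if net in self.routes:
            # Mirrors the kernel's refusal of a second route to the same destination.
            raise ValueError("route to %s already exists via %s" % (net, self.routes[net][0]))
        self.routes[net] = (gateway, iface)

    def add_policy(self, source, gateway, iface):
        self.policies.append((ipaddress.ip_network(source), gateway, iface))

    def lookup(self, src, dst):
        """Return (gateway, iface, reason) for a packet from src to dst."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # Firewall-style source policy runs before the routing table.
        for net, gw, iface in self.policies:
            if s in net:
                return (gw, iface, "policy: source in %s" % net)
        # Normal destination routing: the most specific matching prefix wins.
        best = None
        for net in self.routes:
            if d in net and (best is None or net.prefixlen > best.prefixlen):
                best = net
        if best is None:
            return (None, None, "no route")
        gw, iface = self.routes[best]
        return (gw, iface, "route: destination in %s" % best)


def build_example():
    """Two ISP links, source policy for DMZ and LAN, one host route for a mirror."""
    r = PolicyRouter()
    r.add_route("0.0.0.0/0", "10.10.10.1", "em0")          # main link is the default
    r.add_route("198.51.100.46/32", "192.0.2.1", "rl2")     # constructed mirror IP via ADSL
    r.add_policy("10.10.20.0/24", "10.10.10.1", "em0")      # DMZ out the first link
    r.add_policy("10.10.30.0/24", "10.10.10.2", "em1")      # LAN out the second link
    return r


def second_default_refused(router):
    """True if the table refuses a second default route, as the kernel does."""
    try:
        router.add_route("0.0.0.0/0", "10.10.10.2", "em1")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    r = build_example()
    for src, dst in (("10.10.20.7", "192.0.2.200"), ("10.10.30.7", "192.0.2.200"),
                     ("10.10.10.5", "198.51.100.46"), ("10.10.10.5", "198.51.100.47")):
        print(src, "->", dst, r.lookup(src, dst))
    print("second default route refused:", second_default_refused(r))
```

The last lookup is the drift case from the reply above: once the mirror moves one address over, the /32 no longer matches and its traffic silently takes the default route over the main link, with nothing in the table to say so.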

Re: Loading balancing with more than one ISP.

2004-01-14 Thread Tillman Hodgson
On Wed, Jan 14, 2004 at 08:10:19PM +0100, Antoine Jacoutot wrote:
 On Wednesday 14 January 2004 19:50, Tillman Hodgson wrote:
  On FreeBSD, source-based routing is done with the IPFW 'fwd' command (or
  the IPFilter 'pass out quick on int_2 to int_1' syntax) rather than
  using the `route` command. I'm doing that myself (with IPFilter) and it
  works well. It's confusing to set up initially because you have to take
  into account the interaction between normal routing and firewall-based
  source routing. If you're also NAT'ing and using dynamic IPs
  understanding how it all can be made to work is an enlightening
  experience ;-)
 
 Great :)
 This is fantastic, this is exactly what I need :)
 Now, I have to figure out how to do this for real using ipfilter.
 I have 1 connection with NAT+dyn IP and another one that's fixed.
 I'm impatient to test this.
 Thanks a lot !

If you're using IPFilter, you might be interested in the HOWTO:

  http://www.obfuscation.org/ipf/ipf-howto.html

The section on the "to" keyword is unfortunately very brief.

-T


-- 
Page 594: You will find that the Unix file system has a compelling
beauty: everything makes sense.
- Harley Hahn, _The Unix Companion_


make -jX build(world|kernel): test results

2004-01-14 Thread Tillman Hodgson
Howdy,

Occasionally the question pops up on the questions@ list about what the
fastest -jX number is for a single CPU system. I had some spare time so
I tried out a small matrix of possibilities.

My conclusion is that using -jX at all is mostly a waste of time on
single CPU systems running -STABLE (even with multiple spindles being
involved), especially when one considers that -jX may introduce build
problems.


NOTES:

* I used the simple shell time command
* /usr/obj was cleaned out before each run and I waited at least 30
  seconds afterwards for write caching to settle down
* This is my regular build host for my network
* I built 4 kernels: 3 customized and GENERIC (see above for why)
* Celeron 900, 256Mb of RAM, /usr/src and /usr/obj are both on their own
  set of spindles
* /usr/obj consumes part of a vinum mirror on dual 40Gb 7200RPM
  Maxtor 6L040J2's (the remaining vinum filesystems weren't active
  during this test)
* /usr/src is on a 2,1Gb Compaq ST32550N SCSI-2 drive
* The operating system is on separate spindles


RESULTS:

         buildworld   -j2 buildworld   -j3 buildworld   -j4 buildworld
         ==========   ==============   ==============   ==============
real     57m10.367s   54m10.992s       55m7.494s        55m1.459s
user     38m5.436s    38m20.852s       38m22.453s       38m23.056s
sys      9m2.801s     10m12.876s       10m17.140s       10m14.792s

         buildkernel  -j2 buildkernel  -j3 buildkernel  -j4 buildkernel
         ===========  ===============  ===============  ===============
real     36m59.994s   36m58.988s       37m42.956s       37m31.627s
user     29m35.597s   29m43.405s       29m43.846s       29m48.652s
sys      4m50.478s    5m26.372s        5m26.883s        5m22.763s


Thought this might be of some interest,

-T


-- 
Re: alt.sysadmin.recovery
A fitting punishment for kindly naivete, to end up belonging here. 
- A.S.R. quote (Chris Johnson)




Re: How do YOU stay up to date?

2004-01-14 Thread Tillman Hodgson
On Wed, Jan 14, 2004 at 11:11:22PM -0500, Duane Winner wrote:
 I now understand how to use cvsup to keep my src and ports tree current.
 I know how to use pkg_add -r to install new sotware, or go into
 /usr/ports/whatever to make install. I know how to do portupgrade to
 upgrade my installed ports, how to pkg_version -v to see what's out of
 date with my tree, and how to cronjob cvsup to keep my trees current. (I
 still need to play more with make world and whatnot)

I think you've got the right tools, you just need to use them in
different ways.

 One thing that concerns me, at least on the laptops, is the amount of
 time spent compiling new software as it is released, seeing as how we
 will be running x, gnome and Yahweh knows what else

You have enough machines to justify using a build host: a single machine
that simply builds ports into packages (or compiles buildworld and
buildkernel into the /usr/obj directory). You can then do binary
installs off of the build host via NFS. It's a very handy architecture
because it allows you to offload the work of building to a separate
server and roll out to other machines when it's convenient. It also
helps ensure that other machines stay uniform and allows new machines to
be rolled out with little effort.

-T


-- 
The most exhausting thing in life is being insincere.
- Anne Morrow Lindbergh {American Author}
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: ngctl and rc.conf

2004-01-13 Thread Tillman Hodgson
On Mon, Jan 12, 2004 at 09:45:20PM -0500, Lowell Gilbert wrote:
 Tillman Hodgson [EMAIL PROTECTED] writes:
 
  Howdy folks,
  
  What's the best way to build ng_one2many interfaces into rc.conf such
  that they're brought up (live) at the normal time so that:
  
  1) configuration remains centralized in rc.conf
  2) other pieces that depend on a network being present don't fail in
 enlightening ways?
  
  I want to avoid the make a shell script in /usr/local/etc/rc.d
  approach.
 
 Nobody else has written this shell script for you, so you can't just
 configure it in rc.conf and turn it on.  If you want, you can add it
 to rc.network and submit the patches in a PR, so future upgrades will
 include it.  

I'll play around with it and see what I can come up with -- at first
blush it doesn't look difficult, just time-consuming to ensure that it
fails gracefully under misconfiguration.

-T


-- 
Seeing yourself as you want to be is the key to personal growth.
- Unknown 


ngctl and rc.conf

2004-01-12 Thread Tillman Hodgson
Howdy folks,

What's the best way to build ng_one2many interfaces into rc.conf such
that they're brought up (live) at the normal time so that:

1) configuration remains centralized in rc.conf
2) other pieces that depend on a network being present don't fail in
   enlightening ways?

I want to avoid the make a shell script in /usr/local/etc/rc.d
approach.

-T


-- 
If any man thinks he slays, and if another thinks he is slain, neither knows
the ways of truth. The Eternal in man cannot kill: the Eternal in man cannot
die.
Bhagavad Gita


Re: Commercial Distribution?

2004-01-09 Thread Tillman Hodgson
On Fri, Jan 09, 2004 at 06:23:45PM -0500, Scott W wrote:
 That still doesn't remove (IMHO of course) the validity of my statement 
 about calling FreeBSD and OS but Linux not based on licensing- FreeBSD 
 wouldn't exist in it's current incarnation without the use of GPL and 
 GNU software.  Nor would Linux.

I agree that basing what an operating system is on its license doesn't
make sense in this context. It does make sense to determine whether or
not something is an operating system by looking at what it /is/,
however.

FreeBSD is an operating system. RedHat Linux (or Mandrake Linux or
whatever distribution you happen to like) is an operating system.
Linux, without qualifiers, is a kernel and not an operating system.

Analogy: It can be debated that MS-DOS is an operating system.
COMMAND.COM, however, is not.

 Note that isn't a slam by far in any ways- I certainly use both on my 
 own servers, and would likely choose *BSD over Linux for client's web 
 and mail/external accessible sites

So would I, since (excepting the possibility of in-kernel HTTP servers
and in-kernel data files) you'd need more than just Linux to operate a
web server. If FreeBSD were not available I'd consider an operating system
like RedHat Enterprise Linux as a web server.

-T


-- 
A computer is like an Old Testament god, with a lot of rules and no mercy.
- Joseph Campbell


Re: Commercial Distribution?

2004-01-06 Thread Tillman Hodgson
On Tue, Jan 06, 2004 at 09:14:41PM -0500, David D.W. Downey wrote:
 And how is that different from Linux? FreeBSD is an Operating System, so is
 Red Hat, Debian, Stampede, SLS, Slackware, and on and on. FreeBSD does the
 same thing. FreeBSD didn't develop OpenSSL but it includes it, nor did it
 develop SSH or swat, but it includes them. Just as linux distributions do. 

That's somewhat incorrect in my view. See
http://www.freebsd.org/doc/en_US.ISO8859-1/articles/explaining-bsd/index.html
for details.

My attempt at a summary:

RedHat et al may /distribute/ an operating system, but they did not
write it. An analogy in the motorcycle world are the custom bike shops
(some of which make extremely nice motorcycles!) versus Harley-Davidson.
The custom bike shops carefully (one hopes) select components from the
open market and put the polish on the resulting product. H-D may also
use open market products (electrics *cough*, carbs *cough*) but are
considered a /manufacturer/.

Both sell motorcycles (operating systems). There is a distinction,
however.

-T


-- 
Being generous is inborn; being altruistic is a learned perversity. No
resemblance.
- Robert Heinlein


Re: Commercial Distribution?

2004-01-06 Thread Tillman Hodgson
On Tue, Jan 06, 2004 at 10:39:59PM -0500, Scott W wrote:
snip
 Note that I don't entirely disagree with the response- IMHO, RedHat and 
 SuSe are in fact merely distributions, but Linux as a collection of 
 kernel + core programs is certainly an OS, in the same manner as *BSD 
 is.

I think that if you re-read Lowell's email, you'll find that he doesn't
contradict what you're saying :-)

-T


-- 
The act of communication is the primary ethical act: life is
 meaningful only if the bounds of self can be transcended.
- Anatol Rapoport


Re: using multiple isc-dhcp servers?

2004-01-01 Thread Tillman Hodgson
On Thu, Jan 01, 2004 at 05:06:23PM -0500, stan wrote:
 I have set up the isc-dhcp port on 2 machines. and it is serving addresses,
 but I notice that whichever machine gives the lease is the only one that
 records the lease in its leases file.
 
 This seems like a problem.

Yes, I imagine it is ;-)

 How can I configure this package to avoid this problem?

You shouldn't have more than one DHCP server per broadcast domain
(unless you implement some sort of database sharing logic between them).
Because clients keep their leases for a period of time even if the DHCP
server dies, this isn't a service that typically calls for redundancy.

-T


-- 
Nostalgia is a seductive liar.
- George W. Ball


Re: File system full?

2004-01-01 Thread Tillman Hodgson
On Thu, Jan 01, 2004 at 06:23:15PM -0600, Eric F Crist wrote:
 On Thursday 01 January 2004 06:15 pm, Eric F Crist wrote:
  On Thursday 01 January 2004 06:04 pm, Chris wrote:
   If you have source installed, that takes up a bit. If you don't see
   yourself doing a makeworld and building kernel - a binary install would
   have done nicely.
 
  I do have source installed, and I do a bi-weekly source update
  automatically when my laptop is home.  I like having the sources there. 
  Any other suggestions on which directories I can squash?
 
 Never mind.  I seem to have forgotten you can do a make clean from the 
 /usr/ports and you're fine!

Try `make -DNOCLEANDEPENDS clean` instead, it'll run much quicker.

-T


-- 
Page 12: Unix is a set of tools for smart people.
- Harley Hahn, _The Unix Companion_


Re: Dual-boot does not work with GRUB

2003-12-22 Thread Tillman Hodgson
On Tue, Dec 23, 2003 at 01:52:46AM +0100, Jaroslaw Nozderko wrote:
 I've got the following error:
 
 Filesystem type unknown, partition type 0xa5
 Error 17: Cannot mount selected partition
 
 Does GRUB have some problems with FreeBSD partition ?

I recently ran into the same problem - I found the solution in an
archived posting to the bug-grub@ mailing list (from Sergey Matveychuk
on Sep 25 2003, if you're interested).

Try this:

 rootnoverify (hd0,1)
 chainloader +1

-T


-- 
There is a time in the life of every problem when it is big enough to
see, yet small enough to solve.
- Mike Leavitt


Re: Mutt + Procmail Filters

2003-12-17 Thread Tillman Hodgson
On Wed, Dec 17, 2003 at 11:08:57PM -0600, Bryan Cassidy wrote:
 OK. I've added that to my .procmailrc but when I load Mutt it
 still doesn't show any group called freebsd-questions. Do I
 have to create a ~/Maildir/freebds-questions directory?

Yes. In my post I talked about having mutt do that for you initially.
You can also do it yourself if you're careful with permissions and
such.

Then you need to tell mutt about the new directories. Take a look at the
mailboxes ~/.muttrc config option in the mutt documentation.

-T


-- 
It has long been known that one horse can run faster than another - but which
one? Differences are crucial.
- Robert Heinlein


Re: ipnat+ipfw + 3 gateways

2003-12-15 Thread Tillman Hodgson
On Mon, Dec 15, 2003 at 07:25:21AM -0800, hugle wrote:
 now about this script.

Let's reduce this to pseudo code to simplify the discussion:

map vlan0 from 192.168.0.0/16 ! to 192.168.0.0/16 (some ports) -> (gw2)

map fxp0 from 192.168.0.0/16 ! to 192.168.0.0/16 (other ports) -> (gw1)

map rl1 from 192.168.0.0/16 ! to 192.168.0.0/16 -> (gw3)

 in MY opinion these rules should WORK. but as it seems, they don't

I assume that vlan0, fxp0 and rl1 are your *external* NICs?

I'll show what I have set up for comparison. I have two Internet
gateways and I do some source-routing by destination (not by port, as
you are trying to do). I'll leave out the IPFW traffic shaping for
simplicity. My ruleset is getting fairly complex these days ;-)

A bit of background: I bring in a /25 subnet across an OpenVPN tunnel
(where I run zebra/quagga OSPF routing ... some details at
http://www.rospa.ca/projects/). In order for me to use these additional
IPs on my internal network, I need to ensure that my gateway
source-routes them ('fwd' in IPFW parlance) to my tunnel-peer as my
regular default gateway would packet filter them out (a surprisingly
sane policy for an ISP *grin*).

Key for the lines that follow:
* rl1 is my external NIC for the primary Internet gateway
* rl2 is my external NIC for the secondary Internet gateway
* tun6 is the tunnel that I bring a source-routed /25 in on

Here's the relevant part of my /etc/ipnat.rules. Note that I've obscured
external IPs by replacing them with a descriptive tag in ()'s:

 ### TCP/UDP
 # Note that maps to rl2 only work because I have static routes that
 # would route traffic for those particular destinations to the
 # secondary gateway in any case ... the mapping just forces the correct
 # source IP address to be used.
 #   ... specific destination #1
 map rl2 from 192.168.23.0/24 to (net destination #1)/24 -> rl2/32
 #   ... specific destination #2
 map rl2 from 192.168.23.0/24 to (net destination #2)/24 -> rl2/32
 #   ... specific destination #3
 map rl2 from 192.168.23.0/24 to (host destination #3)/32 -> rl2/32
 # Map all regular traffic out the primary Internet connection
 map rl1 192.168.23.0/24 -> rl1/32 portmap tcp/udp 48000:5
 ### ICMP and other (on the primary internet connection)
 map rl1 192.168.23.0/24 -> rl1/32

I set the static routes via rc.conf, a simplified version of which is:

 ### Routes
 defaultrouter=(primary gateway)
 static_routes=destination1 destination2 destination3
 route_destination1=(net destination #1)/24 (secondary gateway)
 route_destination2=(net destination #2)/24 (secondary gateway)
 route_destination3=(host destination #3)/32 (secondary gateway)

And here's the relevant part of my /etc/ipf.rules:

 # Respond to traffic sent to the /25 via tun6
 # Note that the on 'interface' has to be the one with my default route
 # Note that I use a !/16 instead of a /24 as I have more than one
 # internal class C (the meta-network)
 pass out quick on rl1 to tun6 from (obscured)/25 to !192.168.0.0/16
 # Respond to traffic sent to my secondary connection via the same IP
 pass out quick on rl1 to rl2 from (obscured)/32 to any

-T


-- 
To imagine a human world without ethics, but in which life goes well, it
is necessary to suppose a golden age: a world without competition, or
causes of strife, or clashing desires, or envy or malice.
- Simon Blackburn (Ruling Passions)


Re: NIS authontication problem.

2003-12-14 Thread Tillman Hodgson
On Sun, Dec 14, 2003 at 06:13:39PM -0500, Hossein wrote:
 Hello every body;
   In our department we are going to use a 5.1 Stable FreeBSD, and it 
 must run NIS client to authenticate the users through a Linux NIS server.
   The ypbind works well and when I do ypcat passwd I get the 
 entries in the passwd of the NIS server. I added the correct lines to 
 passwd.master and group according to the handbook. But no user can log in 
 and in the /var/log/auth.log it appears that the password is not correct. 

I haven't tried integrating non-BSD'ish machines into one of my NIS
domains, but it occurs to me that the /etc/shadow vs /etc/master.passwd
difference could cause /etc/passwd to propagate without actually
distributing the passwords. You might want to investigate
compatibility modes and so forth.

-T


-- 
Speak the truth.  That is always much easier, and is often the most powerful 
argument.
- Bene Gesserit Axiom


Re: ipnat+ipfw + 3 gateways

2003-12-14 Thread Tillman Hodgson
On Sun, Dec 14, 2003 at 06:01:08PM -0500, fbsd_user wrote:
 I think you are confused. IPNAT is part of the ipfilter firewall and
 IPFW is a different firewall which has its own NATD function. You can
 not use one part from one and the other part from the other one.
 They work as a set, IPNAT/IPFILTER or IPFW/NATD. Your best bet is
 to use IPNAT and its firewall IPFILTER.

Not necessarily true. I'm using IPF for packet filtering, IPNAT for NAT,
and IPFW for traffic shaping on the same firewall.

The order that a packet is mangled becomes important, but that's solved
simply by being careful when designing the firewall.

-T


-- 
Draw bamboos for ten years, become a bamboo, then forget all about bamboos
when you are drawing.
Georges Duthuit


Re: ipnat+ipfw + 3 gateways

2003-12-14 Thread Tillman Hodgson
On Sun, Dec 14, 2003 at 07:23:26PM -0500, fbsd_user wrote:
 What do you think IPF is? That's the utility name used to load
 filter rules into IPFILTER.
 So you are doing just what I said.   The original poster said
 nothing about doing traffic shaping.
 IPNAT will not function without IPFILTER rules. At least pass in
 all on all interfaces. He listed none in his post.

Unlike IPFW, IPF defaults to open (thus the reason for the
IPFILTER_DEFAULT_BLOCK kernel option). Thus IPF won't be blocking any of
the packets that IPNAT is NATing. For example, when I issue a `ipf -F
a`, my IPNAT rules continue to function normally.

-T


-- 
The person who takes the banal and ordinary and illuminates it in a new way can 
terrify.  We do not want our ideas changed.  We feel threatened by such 
demands.  I already know the important things! we say.  Then Changer comes 
and throws our old ideas away.
- The Zensufi Master


MIT krb5, telnetd, PAM, incorrect permissions on forwarded tickets

2003-12-04 Thread Tillman Hodgson
I'm trying over here since I didn't have any luck fishing in ports@ :-)

I've since found the parts of the MIT login.krb5 that chown the
forwarded ticket file. That was nice to know but not really relevant :-)

I understand that there's a race condition when having root chown a file
in /tmp to a user (symlinks being the obvious attack path). There are
ways around that, though, so I don't believe the change that I'm looking
for leads to a security problem if handled carefully.

-T


-- 
All programs evolve until they can send email.
- A.S.R. quote (Richard Letts)
Except Microsoft Exchange.
- A.S.R. quote (Art)
---BeginMessage---
Howdy folks,

When using the MIT krb5 port (up to date as of a CVSup this morning) on
a recent -STABLE box, there are two ways to enable telnetd in
/etc/inetd.conf:

telnet  stream  tcp nowait  root/usr/libexec/telnetd telnetd -a user
 or
telnet  stream  tcp nowait  root/usr/local/krb5/sbin/telnetd telnetd -a user -L 
/usr/local/krb5/sbin/login.krb5

The first way, according to the man page and to the README.FreeBSD
included in the krb5 port, uses /usr/bin/login. The second way uses the
MIT login program.

The first way is obviously preferred -- you get login.conf and
login.access that way. However, when using forwarded tickets it creates
them with the wrong permissions (0600 root:wheel) and the user can't
even read their own ticket. If root chown's them to the user manually
the forwarded ticket works correctly.

Naturally, login.krb5 sets the permissions correctly.

Since a simple chown seems like such a simple thing to fix and there's
compelling benefits to using the FreeBSD login, I'd like to start using
/usr/bin/login with my MIT telnetd (it's even the default in the port
;-) ). But figuring out just where this should be done has been
non-trivial.

My first instinct (supported by the wording in README.FreeBSD) was to
look in /etc/pam.conf. But PAM doesn't appear to be in play here: I have
pam_krb5.conf commented out and am still able to log in correctly!
Uncommenting pam_krb5 in the PAM stack appears to have no effect.

So my next instinct was that the MIT telnetd was performing the ticket
creation in /tmp itself. That's a much bigger piece of software to read
through -- I'm still digging into it.

Are there any known workarounds for this? Would someone with a bit more
familiarity with the code in question mind taking a look at it?

Thanks,

-T


-- 
Belief gets in the way of learning.
- Robert Heinlein
---End Message---
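The race mentioned in the message above (root chowning a ticket file in /tmp that an attacker could have swapped for a symlink between the check and the chown) is the classic TOCTOU in credential-cache handling. The following is an added example, not code from the post, from the MIT krb5 port or from FreeBSD's login: it shows one way to hand an existing ticket cache to the user safely, by opening the path once with O_NOFOLLOW, validating the open descriptor with fstat (regular file, single link), and then changing mode and owner on the descriptor rather than on the path name. The ccache path, uid and gid used in the demonstration are assumptions.

```python
import os
import stat
import tempfile


class UnsafeCredentialCache(Exception):
    """Raised when the ticket file cannot safely be given to the user."""


def hand_ccache_to_user(path, uid, gid, mode=0o600):
    """Give an existing ticket-cache file to uid:gid without following symlinks.

    Instead of chown(2)/chmod(2) on the path name (racy: the path can be
    replaced by a symlink between the check and the use), open once with
    O_NOFOLLOW, validate the descriptor, then fchmod/fchown the descriptor.
    Returns the (uid, gid, mode) actually in effect, read back via fstat.
    """
    try:
        # O_NOFOLLOW makes open(2) fail with ELOOP if the last component is a symlink.
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NOCTTY)
    except OSError as e:
        raise UnsafeCredentialCache(f"cannot open {path}: {e.strerror}") from e
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise UnsafeCredentialCache(f"{path} is not a regular file")
        if st.st_nlink != 1:
            # A hard link elsewhere means someone else still owns a name for it.
            raise UnsafeCredentialCache(f"{path} has {st.st_nlink} links; refusing")
        os.fchmod(fd, mode)       # drop group/other bits before the owner change
        os.fchown(fd, uid, gid)   # operates on the inode we validated, not a path
        st = os.fstat(fd)
        return st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode)
    finally:
        os.close(fd)


if __name__ == "__main__":
    # Demonstration on a constructed temp directory (hypothetical ccache names).
    d = tempfile.mkdtemp(prefix="krb5cc_demo_")
    good = os.path.join(d, "krb5cc_p1234")
    open(good, "w").close()
    os.chmod(good, 0o644)
    print("regular file:", hand_ccache_to_user(good, os.getuid(), os.getgid()))
    bad = os.path.join(d, "krb5cc_p5678")
    os.symlink("/etc/passwd", bad)
    try:
        hand_ccache_to_user(bad, os.getuid(), os.getgid())
    except UnsafeCredentialCache as e:
        print("symlink refused:", e)
```

The important property is that every decision is made on the descriptor returned by a single open(2), so there is no window in which a different object can be substituted under the same name; the same pattern applies to any setuid or root-run program that adjusts ownership of files in a world-writable directory.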


Re: security issue.

2003-11-28 Thread Tillman Hodgson
On Fri, Nov 28, 2003 at 08:11:23PM -0500, Dragoncrest wrote:
 Limiting closed port RST response from 272 to 200 packets per second
snip
  Can you disable all PINGS from router to my server?
snip
 It may be best to do two things.  1st would be to disable pings to 
 and from the server at the router by putting in an ACL on the router.

No. The problem is clearly TCP related, not ICMP. Disabling pings won't
help and it can make future network troubleshooting more difficult.

The clue is that it said port and RST. TCP reset packets are sent in
response to TCP connections, not in response to ICMP packets.

 The second thing you'll want to do is block access to that machine via
 the router from any suspect IP's or IP blocks that you suspect might
 be attacking your machine.  They already know it's there, so they're
 going to begin or continue to try to attack it now, so you'll want to
 block them from being able to access it now. Once you've done that,
 keep an eye on your machine for a while for any other possible
 attacks.  Once they stop and nothing shows up for about 2 weeks it
 should be safe to remove the ACL's from the router, but continue to
 monitor it for a while longer just to be sure and add them back if
 necessary.

This is a much better idea. Though the rate of 272 packets per second is
not terribly high - you could probably just put the ACL on the server
itself (via IPFW or IPF) if the hardware and bandwidth aren't horribly
undersized.

-T


-- 
The secret to creativity is knowing how to hide your sources.
- Albert Einstein
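The kernel line quoted in the message above ("Limiting closed port RST response from 272 to 200 packets per second") is FreeBSD's response rate limiter (the net.inet.icmp.icmplim sysctl, which despite its name also covers TCP RSTs to closed ports) reporting that the host is being asked to answer more closed-port TCP probes than it will send, which is what a port scan looks like from the inside. The following is an added example, not from the post: a small Python parser that pulls those lines out of a syslog file, separates them from the unrelated ICMP-unreach variant, and flags bursts whose offered rate is well above the limit. The log lines are constructed sample input; the hostname, timestamps and the 5x "scan" threshold are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of /var/log/messages; not a real capture.
SAMPLE_LOG = """\
Nov 28 20:09:01 gw kernel: Limiting closed port RST response from 272 to 200 packets per second
Nov 28 20:09:02 gw kernel: Limiting closed port RST response from 1843 to 200 packets per second
Nov 28 20:09:03 gw sshd[512]: Accepted publickey for tillman from 192.168.23.4 port 50122 ssh2
Nov 28 20:09:04 gw kernel: Limiting closed port RST response from 4120 to 200 packets per second
Nov 28 20:11:23 gw kernel: Limiting closed port RST response from 214 to 200 packets per second
Nov 28 20:11:25 gw kernel: Limiting icmp unreach response from 350 to 200 packets per second
"""

# Only the TCP RST variant; the "icmp unreach" line is a different symptom (UDP scan).
RST_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"Limiting closed port RST response from (?P<offered>\d+) "
    r"to (?P<limit>\d+) packets per second$"
)


@dataclass
class RstEvent:
    ts: str
    host: str
    offered: int   # RSTs the kernel wanted to send in that second
    limit: int     # the icmplim ceiling it enforced


def parse_rst_events(text: str) -> List[RstEvent]:
    """Extract closed-port RST limiter events from syslog text."""
    events = []
    for line in text.splitlines():
        m = RST_RE.match(line)
        if m:
            events.append(RstEvent(m["ts"], m["host"],
                                   int(m["offered"]), int(m["limit"])))
    return events


def classify(events: List[RstEvent], scan_factor: float = 5) -> List[RstEvent]:
    """Return events whose offered rate is at least scan_factor times the
    limit: a burst of that size is a scan, not a few stray connections."""
    return [e for e in events if e.offered >= scan_factor * e.limit]


def summarize(events: List[RstEvent]) -> Dict[str, object]:
    """Peak offered rate and count, for a one-line alert."""
    if not events:
        return {"count": 0, "peak_offered": 0, "limit": None}
    return {"count": len(events),
            "peak_offered": max(e.offered for e in events),
            "limit": events[0].limit}


if __name__ == "__main__":
    evs = parse_rst_events(SAMPLE_LOG)
    print("limiter events:", summarize(evs))
    for e in classify(evs):
        print(f"{e.ts} {e.host}: probable TCP scan, {e.offered} RST/s offered vs limit {e.limit}")
```

Note what the limiter does and does not tell you: it counts RSTs the kernel wanted to send, so it confirms TCP probes to closed ports, but it carries no source address. Pairing the timestamps with a packet-filter log (ipf's "log" keyword or an ipfw "log" rule on denied SYNs) is what turns this into an ACL you can actually place on the server or the router.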


Re: How do I know when ports are frozen?

2003-11-26 Thread Tillman Hodgson
On Wed, Nov 26, 2003 at 08:02:19PM +0100, Harald Schmalzbauer wrote:
 If I understand the latest commit messages correctly, the ports tree is in 
 code freeze. Also -current is in code freeze.
 But how does one know? I'm subscribed to current and announce but can't remember 
 any notice.

Kris sent an email to ports@ on Nov 22.

-T


-- 
If you can spend a perfectly useless afternoon in a perfectly useless manner,
you have learned how to live.
Lin Yu-T'ang


Re: FreeBSD and FHS summary

2003-11-25 Thread Tillman Hodgson
On Tue, Nov 25, 2003 at 09:11:28PM +0100, Frank Murphy wrote:
 
 Before going back to the FHS list, I'd like to summarize what I think the 
 opinions here were. Please correct me if I'm horribly off-base.
 
 The idea of defining a default directory to hold directories for recurring 
 temporary mount points is considered to be a good one, though it's use should 
 be optional. Putting these in / would be a bad idea, because it would clutter 
 up the root directory. Putting these in /mnt would be a bad idea because lots 
 of people expect that directory to be empty to be used for temporary ad hoc 
 mount points. Also, the FHS shouldn't try to define all the names of these 
 mount point directories.
 
 Putting this directory into /usr, /tmp, or any of the other well-defined 
 top-level directories doesn't make any sense. But perhaps a directory in /var 
 would be a good idea, but some people thought that it sounded weird, and 
 there were some technical [1] reasons [2] why it might be a bad idea.
 
 Some recommended top-level directories were:
 
 /fs, /tfs, /mounts, /volumes, /mnts

Excellent summary, from my point of view. Will you be reporting back to
-questions what the resulting discussion on the FHS list looks like?

-T


-- 
Happiness is wanting what you get, NOT getting what you want.
- Robert Heinlein


Re: FreeBSD, FHS, and /mnt/cdrom

2003-11-22 Thread Tillman Hodgson
On Sat, Nov 22, 2003 at 02:18:30PM -0500, Charles Swiger wrote:
 Obviously, a standard that says place mount points anywhere you want 
 isn't very useful.  But if you did come up with a standard, who should 
 follow it and what would they gain?

I don't want to speak for the FHS, but I do want to point out that such
a standard is indeed useful.

This discussion around a standard location for media mounts is but a
small part of the complete FHS standard. As such, it can legitimately
say do this, say do anything but this or say not covered by this
standard. All three have distinct meanings and implications. To the
designer of an FHS-compliant distribution, the third means that they
have free rein to do what they want and still claim FHS compliance
(assuming they follow the /rest/ of the standard :-) ).

-T


-- 
You can't remotely manage an etch-a-sketch.
Oh, I dunno... I reckon you could do it pretty well. All you'd need is a
beefy vibrating pager attached/built-in to the etch-a-sketch. Instant
remote management...
- A.S.R. quote (Peter da Silva, Peter Williams)


Re: FreeBSD, FHS, and /mnt/cdrom

2003-11-21 Thread Tillman Hodgson
On Fri, Nov 21, 2003 at 03:41:16PM +0100, Frank Murphy wrote:
 The folks at the Filesystem Hierarchy Standard (FHS) are discussing
 (again) where directories for recurring temporary mount points should go.
 Recurring temporary mount points are for things like cdroms, floppies,
 and digital cameras as well as HD partitions from other OSes (like MS
 Windows).

Hey, thanks for making the discussion a bit more public :-)

 So, please put these in the order of most to least preferred, and say why
 you like or dislike any of them.
 
 - All mount points in / (e.g. /cdrom, /camera, /windows/C)  - current
 FreeBSD standard

Will become annoying as time goes on and my toothbrush has a remotely
mountable filesystem.

 - All mount points in /mnt (e.g. /mnt/cdrom, /mnt/camera, /mnt/windows/C)
 - breaks
   FreeBSD standard for an empty /mnt

Might be workable if there was a /mnt/mnt, but that's so ridiculous I'd
be against it as a matter of humour-prevention :-)

 - Anyplace at all

I don't like this because it makes admin'ing heterogeneous networks
harder. And because anyplace at all often translates to change
locations every few years to accommodate the newest trends in hardware.
Ick. Some stability, please.

 - Anyplace but /mnt (i.e. what the FHS 2.2 currently specifies)

Not touching /mnt is a good idea. The anyplace isn't for the same
reason as above.

 - Anyplace but / or /mnt (e.g. /vol/cdrom, /var/mnt/camera,
 /media/windows/C)
   (some suggestions have been /media, /mounts, /vol, /var/mnt,
   and /var/tmp/removable. Others?)

This is better.

I prefer a single directory (though not /mnt) in the root directory.
/vol and /media both make sense to me, though I prefer /vol because it's
less typing (and not all mounts are media ...).

There's a bit of a bikeshed here. To help alleviate that, I think that
the sub-directories inside of /vol or /media should be undefined. This
lets us contain these sorts of mounts to a single location but also
lets one decorate as one wishes. All tools need to do is poke around in
/vol or /media and they'll find the mounts.

-T


-- 
if ( $clue eq 'none' )
read (handbook|faq|man|others)  search (whatis|lists|forum|google)
if ( $answer == 0 )
post-question


Upgrading perl modules (as ports) and already installed problems

2003-11-17 Thread Tillman Hodgson
Howdy,

I'm looking for the appropriate portupgrade magic to handle these sorts
of situations automatically:

  You may wish to ``make deinstall'' and install this port again
  by ``make reinstall'' to upgrade it properly.
  If you really wish to overwrite the old port of www/p5-HTML-Tagset
  without deleting it first, set the variable FORCE_PKG_REGISTER
  in your environment or the make install command line.

This happens a /lot/ for me when upgrading perl module ports. As I use
HTML::Mason on my production web sites, this makes a Perl upgrade a
lengthy and error-prone manual operation.

As an example of what I currently do, take the upgrade to perl 5.8.2.
After portupgrading it, apache will not restart as mod_perl is in the
5.8.1 dir. Thus I'd do a `portupgrade -f mod_perl` and it will do its
thing until it encounters a sub-port that gives the above error message.
Then I'd do a `cd port_dir && make deinstall && make reinstall &&
portupgrade -f mod_perl`. Repeat for the next perl module.

Whats the best way to ensure that all perl modules are properly and
automatically upgraded when perl itself is upgraded?

-T


-- 
There is no history of mankind, there are only many histories of all
kinds of aspects of human life. And one of these is the history of
political power. This is elevated into the history of the world.
- Karl Popper, _The Open Society and its Enemies_


Re: Upgrading perl modules (as ports) and already installed problems

2003-11-17 Thread Tillman Hodgson
On Mon, Nov 17, 2003 at 09:14:31AM -0600, Tillman Hodgson wrote:
 Whats the best way to ensure that all perl modules are properly and
 automatically upgrade when perl itself is upgraded?

I've since discovered that I can shorten the time somewhat by using
`pkg_info -R perl-5.6.1_14` and then portupgrading -f the ports
listed. This saves going over already-upgraded ports on every run.

-T


-- 
Yield to temptation; it may not pass your way again.
- Robert Heinlein


Re: Sparc64 (Ultra 10) Install emulation

2003-11-12 Thread Tillman Hodgson
On Wed, Nov 12, 2003 at 04:55:19PM -0800, Kris Kennaway wrote:
 On Wed, Nov 12, 2003 at 04:40:53PM -0700, Aaron Brandt wrote:
  
  Can someone tell me what I need to do to get FreeBSD Sparc 64 installed on
  a Ultra Sparc 10. It seems as if the emulation is messed up. I have heard
  of doing a serial install with a dumb terminal but cant find any
  documentation on it. can someone point me to the correct place?
 
 It's documented in the handbook somewhere.

I found installation without a serial console difficult as well when
setting up my Ultra 5 half a year ago.  Using the 'n' and 'p' (next and
previous) to navigate will likely get you going, Aaron.

The real console emulation /is/ a bit wonky, but the serial console is
much better and so is probably the recommended approach. Rather than a
serial terminal I'd suggest just using a null-modem cable connected to
another computer and something like FreeBSD's `tip`. Leaving this
permanently attached and running a getty on it is probably a good idea
too.

Note that a few folks (myself included) are having problems booting with
kernels from recent -current builds. You'll probably want to stick to
source from late October until that issue is resolved (or at least have
a backup kernel handy). If you start from 5.1R and decide to upgrade be
wary of the notes in UPDATING ... the 20030819 note is particularly
important as it may change your devices around a bit. This can be
annoying if your server is 3 hours drive away :-)

I recommend subscribing to the current and sparc64 mailing list when
running a Sun box. It's been a very stable server for me and our local
user group. I wouldn't mind a few more if anyone is giving them away
;-)

-T


-- 
Semiology has taught us that myth has the task of giving an historical
intention a natural justification, and making contingency appear eternal.
- Roland Barthes, _Mythologies_


Re: problems with FreeBSD telnet client

2003-11-10 Thread Tillman Hodgson
On Mon, Nov 10, 2003 at 06:16:50PM -0800, Will Yardley wrote:
 I've asked this before (a long while back), but never got a response.
 
 When I telnet to a Cisco device from a FreeBSD machine, I get this
 error:
 
 jazz% telnet somerouterorswitch
 Password: Kerberos: No default realm defined for Kerberos!
 
 Assuming you don't use Kerberos, is there a way to make the telnet
 client not attempt to use it to authenticate?

Sure, two possible solutions:

* Set up your Cisco devices to use Kerberos

* Check out the -K option in the telnet man page

-T


-- 
Robert Metcalf [the inventor of Ethernet] says that if something comes
 along to replace Ethernet, it will be called ``Ethernet'', so therefore
 Ethernet will never die. Unix has already undergone several such
 transformations.  -- Ken Thompson


Re: NFS v2? possible?

2003-11-09 Thread Tillman Hodgson
On Sun, Nov 09, 2003 at 07:48:53PM -0700, Chad Leigh -- Shire.Net LLC wrote:
 
 On Nov 9, 2003, at 4:28 AM, Kris Kennaway wrote:
 
  On Sun, Nov 09, 2003 at 01:33:23AM -0700, Chad Leigh -- Shire.Net LLC 
  wrote:
  Hi
 
  I have a linux server that needs to mount my FBSD server's web volume
  and the linux server only has v2 support right now (and I cannot make
  my own kernel since this is a UML kernel distributed as part of a
  product) and so I would like to run a v2 compatible nfs server on my
  FBSD server if possible.  Can I do this?  How?  Thanks
 
  Read the mount_nfs and/or nfsd manpages..the answer is right there.
 
 The mount_nfs is for mounting on FreeBSD.  I am serving from FreeBSD
 and mounting on Linux, so that does not apply.  I read the nfsd man
 page a few times before posting, and just did again, and I see nothing
 in there about nfs versions except that the server listens on the port
 as outlined in the NFS v3 spec.  Please enlighten me on what I should
 read in the nfsd man page.

The client needs to request the mount version. Check the Linux man page
for `mount`, under the Mount options for nfs section. man nfs(5) is
also informative.

It looks like the default for Linux NFS clients (at least on a fairly
recent RedHat box) is to use version 2.

As root, I just did the following on the RedHat client (served by my
4-STABLE NFS server, Athena):

# mount -t nfs -o nfsvers=2 athena:/exports/pub test

I then tested the results by running mount (results trimmed to only
relevant examples ... warning, the lines are long and may wrap):

# mount
athena:/exports/pub on /nfs/pub type nfs 
(rw,noexec,nosuid,nodev,mountvers=3,hard,intr,nolock,udp,wsize=8192,rsize=8192,addr=192.168.23.3)
athena:/exports/pub on /home/tillman/tmp/test type nfs (rw,nfsvers=2,addr=192.168.23.3)

The first line is my regular mount of the 'pub' export from Athena. It's
NFS version 3 because that's what I have in my /etc/fstab. The second
line is my 'test' mount of the same export ... it's NFSv2 because that
what I explicitly requested at the command line when running mount
manually (as shown above).

It's the same nfsd on the server side. I didn't do anything specific to
enable NFS version 2; my rc.conf entry says
nfs_server_flags="-u -t -n 14" (the 14 is because it's a high-usage NFS
server and my testing shows that I consistently peak at around 12-14
nfsd's in use). You just have to have the client request that version.

-T


-- 
One day, a student asked a master, Master, there is conflict between the
suits and the sysadmins. Which group has the Zen nature, and which group is
grievously disturbing the stillness of the Tao? And the master said nothing,
but installed an operating system. And the student was enlightened. 
- A.S.R. quote (Anthony DeBoer)
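The `mount` output in the reply shows the two things worth checking on an NFS client: which protocol version each mount actually negotiated, and whether the mount carries the noexec,nosuid,nodev options that the fstab mount has and the hand-typed test mount lacks. As an added example (mine, not from the post), the sh below parses such lines and reports both; the sample lines are constructed to match the two mounts in the reply, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the list post: given the output of `mount`
# on a Linux NFS client, report which NFS version each mount negotiated
# and which of the usual hardening options are missing.
#
# Constructed sample: the two mounts shown in the post.
SAMPLE_MOUNTS='athena:/exports/pub on /nfs/pub type nfs (rw,noexec,nosuid,nodev,mountvers=3,hard,intr,nolock,udp,wsize=8192,rsize=8192,addr=192.168.23.3)
athena:/exports/pub on /home/tillman/tmp/test type nfs (rw,nfsvers=2,addr=192.168.23.3)'

# mount_opts LINE: the comma-separated option list between the parentheses.
mount_opts() {
    printf '%s\n' "$1" | sed -n 's/.*(\(.*\)).*/\1/p'
}

# nfs_mount_version LINE: print the NFS protocol version. nfsvers=/vers= is
# what the client asked for. mountvers= is the MOUNT protocol version, which
# older Linux clients print instead when no version was requested: MOUNT v3
# goes with NFSv3, MOUNT v1/v2 with NFSv2, so it is mapped as a fallback.
nfs_mount_version() {
    nfsver=""; mountver=""
    for o in $(mount_opts "$1" | tr ',' ' '); do
        case $o in
            nfsvers=*|vers=*) nfsver=${o#*=} ;;
            mountvers=*)      mountver=${o#*=} ;;
        esac
    done
    if [ -n "$nfsver" ]; then
        printf '%s\n' "$nfsver"
    else
        case $mountver in
            3)   echo 3 ;;
            1|2) echo 2 ;;
            *)   echo unknown ;;
        esac
    fi
}

# nfs_mount_missing_opts LINE: list which of nosuid, nodev, noexec are
# absent from the option list (empty output means all three are set).
nfs_mount_missing_opts() {
    opts=$(mount_opts "$1")
    missing=""
    for want in nosuid nodev noexec; do
        case ",$opts," in
            *,$want,*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    printf '%s\n' "${missing# }"
}

# nfs_report: one summary line per NFS mount read from stdin.
nfs_report() {
    while IFS= read -r line; do
        case $line in *" type nfs "*) ;; *) continue ;; esac
        mp=$(printf '%s\n' "$line" | sed 's/^.* on \(.*\) type nfs .*$/\1/')
        miss=$(nfs_mount_missing_opts "$line")
        printf '%-28s NFSv%s  missing: %s\n' "$mp" \
            "$(nfs_mount_version "$line")" "${miss:-none}"
    done
}

printf '%s\n' "$SAMPLE_MOUNTS" | nfs_report
```

Run it as `mount | sh nfsreport.sh` (after deleting the sample pipeline at the bottom) to audit a live client; a mount that reports NFSv2 when you expected v3 is the same mismatch the original poster hit, just seen from the other side.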


Re: NFS v2? possible?

2003-11-09 Thread Tillman Hodgson
On Sun, Nov 09, 2003 at 08:49:58PM -0700, Chad Leigh -- Shire.Net LLC wrote:
 My Linux is now mounting the FreeBSD served mounts, but it takes like 
 10 minutes for the mount to happen.  The exports is simple
 
 /local/web   -maproot=root  and an address to allow mounting from
 
 The nfsd is the standard set of options as is the portmapper and mountd 
 (mountd is -2r right now as a test though I am not sure that made a 
 difference)
 
 I am not up on how to debug nfs problems.  I would appreciate pointers
 on seeing why it takes forever.

For that sort of problem, I'd check your name resolution first.

-T


-- 
Your system does not appear to have GTK installed. Thus the Nmap X
Front End will not compile. You should still be able to use Nmap the
normal way (via text console). GUIs are for wimps anyway :)
- Error message seen while compiling nmap-fe


Re: Restoring vinum root from dump

2003-10-14 Thread Tillman Hodgson
On Tue, Oct 14, 2003 at 10:54:50AM +0930, Greg 'groggy' Lehey wrote:
...
 In particular, if you restore /usr/lib you'll replace the C library
 /usr/lib/libc.so.  It's then possible to crash dynamically linked
 processes (since they no longer have libraries), after which you could
 be left with a mainly unusable system.
 
 Vinum offers a solution to this problem, as you've noted: detach a
 plex from each volume and restore to it.  Then do some magic in single
 user mode to remove the other plex and attach the one you've just
 restored to.  I'm not quite sure about the best way of doing this.
 I'll think about it, but if anybody else has suggestions for doing
 this with the least chance of shooting yourself in the foot, I'd be
 interested to hear them.

Once you've had a chance to think about it, would you mind posting your
thoughts someplace public? I think that there's much magic in that
general direction, though the path may need to be particularly exact to
avoid stepping on a mine :-)

-T


-- 
The envious man thinks that if his neighbor breaks a leg, he will be able
to walk better himself.
- Helmut Schoeck, _Envy: A Theory Of Social Behavior_


Re: writing pdfs

2003-10-10 Thread Tillman Hodgson
On Fri, Oct 10, 2003 at 03:06:23PM +0200, Alexander Haderer wrote:
 My opinion: yes. Learn the basics of LaTeX and use pdflatex instead of
 latex to create pdf files directly from your tex source. The old way of
 generating pdf via tex-dvi-ps-pdf via the classic (la)tex commands has
 the disadvantage that you have to deal with different ps-fontencodings
 (type 1 / type 3 or Pixelfont vs. Outline font) with the bad side effect
 that your pdfs have crippled and slow display on screen while printing
 works fine. Google is full of messages regarding this topic.

I agree with the recommendation to learn LaTeX. It's probably the best
way to generate PDF output and it's widely used for document generation.

I disagree that one needs to use pdflatex, though. Those side-effects
you mention are trivial to get rid of:

 1. \usepackage{times}  (or palatino or bookman or whatever font
 package you like)

 2. use something like this in your Makefile:

ps:
	latex some_latex_file.tex
	latex some_latex_file.tex
	dvips -Ppdf -G0 some_latex_file.dvi

pdf:
	latex some_latex_file.tex
	latex some_latex_file.tex
	dvips -Ppdf -G0 some_latex_file.dvi
	ps2pdf some_latex_file.ps

 (running latex twice is for TOC generation, if you don't use a TOC you
  don't need that part).

Voila! Your PDF and PS output will be identical. Quick display outdates
and non-bitmap printing.

-T


-- 
Page 30: Leaving a terminal logged in is like leaving your car unlocked
with the keys in the ignition.
- Harley Hahn, _The Unix Companion_
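The Makefile in the reply runs latex a fixed two times, which is enough for a TOC but not always for cross-references that move page numbers around. As an added example (mine, not the poster's Makefile), here is the same latex, dvips -Ppdf -G0, ps2pdf pipeline as sh functions that rerun latex until the .aux/.toc files it reads back stop changing, so it goes beyond the fixed two passes in the post. MAXRUNS and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not the Makefile from the post: the same pipeline
# (latex -> dvips -Ppdf -G0 -> ps2pdf) as sh functions. latex is rerun
# until the auxiliary files it reads back (.aux, .toc) stop changing and
# the log no longer asks for a rerun, instead of a fixed two passes.
# MAXRUNS and the function names are this example's own.
MAXRUNS=${MAXRUNS:-5}

# aux_fingerprint BASE: checksum of the files latex feeds back into the
# next run; a missing file simply contributes nothing.
aux_fingerprint() {
    { cat "$1.aux" "$1.toc" 2>/dev/null || :; } | cksum
}

# latex_until_stable BASE: run latex on BASE.tex until the fingerprint is
# stable or MAXRUNS is reached. Non-zero if latex fails or no DVI appears.
latex_until_stable() {
    base=$1
    n=0
    before=$(aux_fingerprint "$base")
    while [ "$n" -lt "$MAXRUNS" ]; do
        n=$((n + 1))
        latex -interaction=nonstopmode "$base.tex" >/dev/null || return 1
        after=$(aux_fingerprint "$base")
        if [ "$after" = "$before" ] &&
           ! grep -q 'Rerun to get' "$base.log" 2>/dev/null; then
            break
        fi
        before=$after
    done
    [ -f "$base.dvi" ]
}

# build_ps FILE.tex: FILE.ps via dvips. -Ppdf makes dvips use its PDF
# config, i.e. the PostScript Type 1 fonts that \usepackage{times} and
# friends provide rather than bitmap Type 3 fonts; -G0 switches off the
# character shifting dvips otherwise applies for an old Acrobat bug.
build_ps() {
    base=${1%.tex}
    latex_until_stable "$base" || return 1
    dvips -q -Ppdf -G0 -o "$base.ps" "$base.dvi"
}

# build_pdf FILE.tex: FILE.ps, then FILE.pdf from that same PostScript,
# which is why the two outputs render identically.
build_pdf() {
    base=${1%.tex}
    build_ps "$1" || return 1
    ps2pdf "$base.ps" "$base.pdf"
}

# Usage: sh build.sh some_latex_file.tex
if [ -n "${1:-}" ]; then
    build_pdf "$1"
fi
```

The stop condition is the one latexmk uses in spirit: compare what latex read in with what it wrote out, and stop when nothing moved. The explicit grep for the "Rerun to get" warning is a belt-and-braces check for the cases where the .aux is unchanged but LaTeX still asks.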


Re: writing pdfs

2003-10-10 Thread Tillman Hodgson
On Fri, Oct 10, 2003 at 04:18:38PM +0200, Alexander Haderer wrote:
 I agree with the recommendation to learn LaTeX. It's probably the best
 way to generate PDF output and it's widely used for document generation.
 
 I disagree that one needs to use pdflatex, though. Those side-effects
 you mention are trivial to get rid of:
 
   1. \usepackage{times}  (or palatino or bookman or whatever font
   package you like)
 
 Does this work without _any_ problems when you want to use the 
 (tex-default) computer modern fonts?

The font packages actually cause PostScript fonts to be used.

I've run into no problems with it over several years, many article
length technical documents, and one book length non-technical
document.

 My experiences over the last years with different platforms and latex
 installations are, that you always have to google-around to get this
 working. I use LaTeX/pdf output only from time to time so I am not the
 big expert, but using pdflatex a while ago was the first time I got
 the CMR fonts into a pdf without any display/print problems. I just
 made some slight modifications to my latex file necessary for pdflatex
 (mentioned in the pdflatex doc) and whoops, there it was.

Right, but in return you gave up nice generation of exactly equivalent
PS files. I have a PS printer - I put PDF on the web and cat PS to the
printer :-) 

-T

-- 
Money is truthful. If a man speaks of his honor, make him pay cash.
- Robert Heinlein


Re: writing pdfs

2003-10-10 Thread Tillman Hodgson
On Fri, Oct 10, 2003 at 07:59:10AM -0600, Tillman Hodgson wrote:
  1. \usepackage{times}  (or palatino or bookman or whatever font
  package you like)
 
  2. use something like this in your Makefile:
 
 ps:
 	latex some_latex_file.tex
 	latex some_latex_file.tex
 	dvips -Ppdf -G0 some_latex_file.dvi
 
 pdf:
 	latex some_latex_file.tex
 	latex some_latex_file.tex
 	dvips -Ppdf -G0 some_latex_file.dvi
 	ps2pdf some_latex_file.ps
 
  (running latex twice is for TOC generation, if you don't use a TOC you
   don't need that part).
 
 Voila! Your PDF and PS output will be identical. Quick display outdates
 and non-bitmap printing.

Follow-up:

For some live examples, take a look at Automated report generation with
LaTeX and MetaPost at http://www.rospa.ca/documents/ ... or even the
Prosper based PDFs under Presentations.

-T


-- 
Certainly the game is rigged. Don't let that stop you; if you don't bet,
you can't win.
- Robert Heinlein


Re: low-scale presenter for FreeBSD?

2003-10-05 Thread Tillman Hodgson
On Sun, Oct 05, 2003 at 10:16:07AM +0200, Simon Rutishauser wrote:
 Hi,
 
 give the Latex Prosper Package a try (you have to fetch it separately).
 With it you can create pdf files.
 
 These you can present using xpdf -fullscreen  (I think xpdf doesn't need
 too many resources ;-))
 
 Peschmä

I also recommend Prosper with LaTeX. It looks great - I have some up at
http://www.rospa.ca/documents/ under Presentations if anyone would
like to take a look. It presents well under acroread in full-screen
mode. xpdf -fullscreen also works well, though the slide transition
effects are lost (most likely considered a feature ;-) ).

-T


-- 
Page 356: Part of the charm of Unix is, all of a sudden, having a great
insight and saying to yourself, So THAT's why they did it that way.
- Harley Hahn, _The Unix Companion_


Re: vpn

2003-09-24 Thread Tillman Hodgson
On Wed, Sep 24, 2003 at 03:37:19PM -0400, synrat wrote:
 I'm trying to find vpn software for freebsd that supports pptp.
 I don't care much for ipsec, unless I have no other choice.
 Goal being :), windows clients mounting samba shares remotely over vpn.
 I found a howto for poptop, but it said that encryption is not supported
 in poptop on bsd. Is that true? It kind of defeats the purpose in my
 opinion. What other choices are there?

OpenVPN:

http://openvpn.sourceforge.net

-T

-- 
Page 5: It is impossible to learn everything about Unix. Concentrate on
what you need and what you think you will enjoy.
- Harley Hahn, _The Unix Companion_


Re: fbsd fibre channel SANs

2003-09-18 Thread Tillman Hodgson
On Thu, Sep 18, 2003 at 10:42:13AM -0400, Jerry McAllister wrote:
  AFS looks like it replicates files onto multiple servers, so if one
  goes down the data is still available somewhere else.  The servers do
  not share backend filesystems.
 
 Don't you just wish OpenAFS for FreeBSD (and some of the others) was 
 finished and ready to go.  That would be so wonderful.

Oh, would that be *great*.  I've never even been able to get any of the
snapshots running, as my i386 machines are all -STABLE and it doesn't
like compiling on sparc64.

-T


-- 
Always listen to experts. They'll tell you what can't be done and why.
Then do it.
- Robert Heinlein


Re: nis security (DES passwords)

2003-09-13 Thread Tillman Hodgson
On Sat, Sep 13, 2003 at 05:01:31PM +0200, Guy Van Sanden wrote:
 I was looking around for this, and I found that Kerberos uses DES
 encryption, John (on my system) reports it rather weak:
snip
 I'm now using MD5 passwords in NIS.
 
 Yet it seems the consensus that Kerberos is secure, am I missing
 something?

Yes :-)

1. Kerberos can use a variety of encryption methods
2. With NIS, arbitrary users can run John against the password database.
   With Kerberos, they can't because they don't have the Kerberos
   database to run John against.

-T


-- 
Beauty is not diminished by being shared.
- Robert Heinlein


Re: nis security

2003-09-12 Thread Tillman Hodgson
On Fri, Sep 12, 2003 at 11:35:16AM +0200, Guy Van Sanden wrote:
 On Tue, 2003-09-09 at 02:15, Tillman Hodgson wrote:
  The rough instructions are fairly simple:
  
  * Set up Kerberos and ensure you have a working realm
  * Set up NIS, but set all the passwd fields to something that doesn't
map to a real password (I like 'krb5', others like '*')
  
  That's about it. It works because authentication in a Kerberized world
  doesn't check the password field in the NIS maps anyway (or the
  /etc/master.passwd file for that matter). Your non-Kerberos apps will
  break for users that aren't local, but I consider the incentive to
  replace them a benefit :-)
 
 Do you have some links to websites or so that you used to set this up?

Not really. Kerberos and NIS are both in the Handbook, and as I
mentioned above I just changed the /var/yp/master.passwd that NIS was
working off of to have 'krb5' in the password field.

A quick bit of Google spelunking dug up some references but no
HowTos. The RedHat Security Guide mentions it explicitly in the NIS
section, for example.

 I'm very interested in this setup, with the added complication that the
 clients are Linux (and Windows using SAMBA), yet the server is FreeBSD
 (5.0).

Normally NIS is a pain between different Unix implementations (due to
the different passwd designs such as DES vs. MD5). When using Kerberos
to handle the authentication, those problems go away. On the other
hand, you get to learn how to install NIS and Kerberos on multiple
operating systems :-)

-T


-- 
Some never participate.  Life happens to them.  They get by on little more than 
dumb persistence and resist with anger or violence all things that might lift 
them out of resentment-filled illusions of security.
- Alma Mavis Taraza
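The two NIS threads above (the DES-passwords one and this one) come down to the same point: whatever sits in the password field of the NIS passwd map is readable by any client that can bind to ypserv, so John can be run against it, while the Kerberos database never leaves the KDC. The fix given is to put 'krb5' (or '*') in every password field of the file NIS builds its maps from. As an added example (mine, not from the posts), here is a small sh audit of a master.passwd-layout file that lists every entry still carrying a real hash, plus the rewrite that applies the post's 'krb5' marker. The sample entries are constructed, the hash strings are made-up values of the right shape, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the list posts: audit the password field of a
# master.passwd-format file (the source of the NIS passwd maps) and rewrite
# it the way the post describes, so the published map carries no real hash.
#
# Constructed sample in master.passwd layout
# (name:password:uid:gid:class:change:expire:gecos:home:shell).
# The hashes are made-up strings of the right shape, not real credentials.
SAMPLE_MASTER_PASSWD='root:$1$saltsalt$constructedhashvalue00:0:0::0:0:Charlie &:/root:/bin/csh
tillman:krb5:1001:1001::0:0:Tillman Hodgson:/home/tillman:/bin/sh
guest:*:1002:1002::0:0:Guest:/nonexistent:/sbin/nologin
legacy:abJnggxhB/yWI:1003:1003::0:0:Old DES entry:/home/legacy:/bin/sh'

# hash_kind FIELD: classify one password field.
#   empty       - no password at all (local logins need none; a different problem)
#   placeholder - nothing to crack: '*', '!...', or the 'krb5' marker
#   md5         - $1$ modular-crypt string
#   des         - 13-character traditional crypt(3) string
#   other       - anything else (still a secret that does not belong in a map)
hash_kind() {
    case "$1" in
        '')             echo empty ;;
        '*'*|'!'*|krb5) echo placeholder ;;
        '$1$'*)         echo md5 ;;
        *)  if [ "${#1}" -eq 13 ]; then echo des; else echo other; fi ;;
    esac
}

# nis_exposed_accounts: read master.passwd lines on stdin and print
# "name kind" for every entry whose field is not a placeholder. Once the
# map is pushed, each of these is available to any NIS client for cracking.
nis_exposed_accounts() {
    while IFS=: read -r name pw _rest; do
        [ -n "$name" ] || continue
        kind=$(hash_kind "$pw")
        [ "$kind" = placeholder ] || printf '%s %s\n' "$name" "$kind"
    done
}

# nis_kerberize_passwd: emit the same file with every non-placeholder field
# replaced by the 'krb5' marker from the post, so that authentication has to
# go through Kerberos and the map itself is worthless to an attacker.
nis_kerberize_passwd() {
    awk -F: -v OFS=: '
        $2 !~ /^[*!]/ && $2 != "krb5" { $2 = "krb5" }
        { print }'
}

echo "Entries that would expose a hash via NIS:"
printf '%s\n' "$SAMPLE_MASTER_PASSWD" | nis_exposed_accounts
echo "Rewritten map source:"
printf '%s\n' "$SAMPLE_MASTER_PASSWD" | nis_kerberize_passwd
```

Run the audit against the copy of master.passwd that lives in the NIS source directory (the post's /var/yp/master.passwd), not against /etc/master.passwd itself, since it is the former that gets built into the maps; the rewrite is meant to be reviewed and then fed to the NIS Makefile in the usual way.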


Re: remove files in FreeBSD

2003-09-10 Thread Tillman Hodgson
On Wed, Sep 10, 2003 at 05:11:58PM -0700, Joseph Yuen wrote:
 Got a simple question.
 on my 80G harddrive, I originally had 4G files in it
 and I used rm command to remove it all. Now my drive
 should be totally empty.
 
 But this is what I found when I typed df -H
 
 /dev/ar0s1e 79G 2.0K 72G 0% /mountpoint
 
 and if I typed df only without the -H parameter
 
 /dev/ar0s1e 76928840 2 70774532 0% /mountpoint
 
 My question is if the capacity is 0%, then how come
 I only have 72G left? I should be able to get 79G,
 right?
 where has the 7G gone?

This is normal: `man tunefs`, the -m option.

-T


-- 
We tend to become like the worst in those we oppose.
- Bene Gesserit Coda

