Re: RAID10 setup

2009-08-24 Thread chris scott
2009/8/24 John Nielsen li...@jnielsen.net

 You're on the right track, additional comments inline.

 On Saturday 22 August 2009 06:49:06 am Phil Lewis wrote:
  This question was asked a few weeks ago, but the original poster
  must have had their questions answered. As follow-ups offered
  further assistance given more detail, I wonder if I could be so bold
  as to provide that detail for my own circumstances.
 
  I have six disks:
 
  ad4  - 500MB
  ad5  - 500MB
  ad6  - 500MB
  ad7  - 400MB
  ad8  - 500MB
  ad10 - 500MB
 
  These are SATA drives, with ad8 and ad10 on a PCIe SATA controller.
 
  ad7 was my first disk and currently contains FreeBSD7.2-RELEASE.
  I've been using that to gain some familiarity with FreeBSD, but it
  need not be preserved (in fact, I'd rather not preserve it!). When I
  built the machine, I just plugged the 400GB drive in any old slot,
  so it can move if that makes sense. When I got the new drives I tried
  to get identical to the 400GB drive, but couldn't. The 400GB drive
  currently has a single slice using the full drive.

 Just make sure you have the disk(s) you plan to boot from on a controller
 that will boot in your machine. If the controllers have different
 performance characteristics then you probably want to share the wealth of
 the better one between multiple mirrors.

  What I'd like to end up with is a three-way stripe across three
  two-way mirrors, containing as much of the system as possible.

 This is certainly do-able. If it were me I'd put the whole OS on
 the spare change partitions and leave the whole stripe for your serious
 data consumer(s): /home, /data, possibly /usr/local or some or all
 of /var, etc. Depends on your intended use of the storage naturally.

  I understand that you can't boot from a stripe, so some part of some
  disk will have to be outside the stripe. However, as the stripe will
  also be limited to the smallest disk, I'm going to have 5 x 100 GB
  bits left over anyway, so I guess /boot can go on one of these..?

 Absolutely. I'd make a gmirror of two or three of them and put / on it. If
 you really want to be minimal w/ your use of the extra space then you
 could do /boot as you propose.

  If possible, I'd like set this up pre-install. If it has to be done
  post-install, or is easier to describe how to do post-install, then
  that's fine.

 Either will work. Exactly how you do it depends on how much of the base
 system you want to end up on the stripe.

  From here on in, this email becomes speculative.
 
  All of the examples I've seen for setting up GEOM stripes and mirrors
  have used the raw disk as the base-level provider. On the other hand,
  I've seen nothing that says that the bottom level cannot be a slice,
  rather than a raw disk, and given the way GEOM works, I suspect this
  is true.

 Yes, you can use partitions, slices or any other GEOM providers as members
 of gstripe, gmirror and friends.

  My current plan, based on this assumption, is as follows:
 
  With my current FreeBSD installation, create 2 slices on each 500GB
  disk, 1 x ~400GB,  1 x ~100GB (the same size as the slice of my 400GB
  disk, and the rest of the disk).
 
  Boot from the FreeBSD 7.2-RELEASE dvd, and enter fixit mode. I'm
  not sure which would be best, or even if both are feasible for what I
  want to do. (I was at this point in my research when I found this
  post!).
 
  From here, kldload geom_stripe and kldload geom_mirror.
 
  Then, create the three mirrors:
 
  gmirror label -v main0 /dev/ad4s1 /dev/ad5s1
  gmirror label -v main1 /dev/ad6s1 /dev/ad7s1
  gmirror label -v main2 /dev/ad8s1 /dev/ad10s1
 
  This should give me /mirror/main0|main1|main2, right?

 Right.

  Next create the stripe:
 
  gstripe label -v -s 131072 raid10 /dev/mirror/main0 /dev/mirror/main1 /dev/mirror/main2
  (that's all one line)
 
 
  If I'm right so far, then hopefully I should be able to boot to the
  install dvd again (or just rerun sysinstall?), and from there I should
  be able to choose a slice from outside 'raid10' to mount /boot, and
  use 'raid10' for everything else. Do I need anything else on a
  non-striped slice?

 /boot or equivalent is the only thing required to smell like a normal disk
 (which gmirror is capable of but gstripe isn't). You may want to use some
 of the space for swap. The virtual memory system should do its own
 version of stripe or interleave if you feed it multiple swap devices.

  Maybe I could even create another mirror:
 
  gmirror label -v boot /dev/ad4s2 /dev/ad5s2
 
  and use that to mount /boot, leaving me with s2 on ad6,8 and 10 as
  3 spare 100GB slices?
 
  Or am I just way off track?

 You seem to be pretty well on track. It seems you've already parsed the
 gstripe and gmirror man pages. You should probably look at fdisk(8) and
 bsdlabel(8) as well in case sysinstall doesn't tie up all your loose
 ends. Additionally you could just reinstall to a plain disk (or use 

Re: Continuous backup of critical system files

2009-08-24 Thread chris scott
2009/8/24 Maxim Khitrov mkhit...@gmail.com

 Hello all,

 I'm setting up a firewall using FreeBSD 7.2 and thought that it may
 not be a bad idea to have a continuous backup for important files like
 pf and dnsmasq configurations. By continuous I mean some script that
 would be triggered every few minutes from cron to automatically create
 a backup of any monitored file if it was modified. I also have a full
 system backup in place that is executed daily (dump/restore to a
 compact flash card), so the continuous backup would really be for
 times when someone makes a mistake editing one of the config files and
 needs to revert it to a previous state.

 My initial thought was to create a mercurial repository at the file
 system root and exclude everything except for explicitly added files.
 I'd then run something like hg commit -m `date` from cron every 10
 minutes to record the changes automatically. Can anyone think of a
 better way to do this (existing port specifically for this purpose)?
 Obviously, I need a way to track the history of a file and revert to a
 previous state quickly. The storage of changes should be as
 size-efficient as possible.

 - Max
 ___
 freebsd-questions@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-questions
 To unsubscribe, send any mail to 
 freebsd-questions-unsubscr...@freebsd.org


I rsync all my system files to a filer running zfs. I have a separate zfs fs
for every host and then I snapshot the fs after the rsync. We then keep 35
snapshots for retention as we do daily rsyncs.


You might want more of a rolling snapshot policy. Keep one for every 10 mins
of the last hour, then drop it to hourly for the next 6 hours, then daily,
then weekly etc.

Works quite well. We have also found it handy for forensics as well, when
we have had a fault.
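The rolling policy described in the reply above (one snapshot per 10 minutes for the last hour, hourly for the next 6 hours, then daily, then weekly) can be turned into a pruning plan as follows. This is an added example, not code from the thread: the `dataset@YYYYMMDD-HHMM` naming scheme, the `backup/fw1` dataset, the daily and weekly cut-over points and all function names are assumptions.

```python
from datetime import datetime, timedelta, timezone

# (age limit, bucket width). The first two tiers are the ones named in the
# post; the daily/weekly cut-over points are assumptions for this example.
TIERS = [
    (timedelta(hours=1), timedelta(minutes=10)),  # last hour: one per 10 min
    (timedelta(hours=7), timedelta(hours=1)),     # next 6 hours: hourly
    (timedelta(days=7), timedelta(days=1)),       # assumed: daily for a week
    (timedelta(weeks=8), timedelta(weeks=1)),     # assumed: weekly for 8 weeks
]


def snapshot_time(name):
    """Parse the hypothetical 'dataset@YYYYMMDD-HHMM' naming scheme (UTC)."""
    stamp = name.rsplit("@", 1)[1]
    return datetime.strptime(stamp, "%Y%m%d-%H%M").replace(tzinfo=timezone.utc)


def plan_retention(names, now, tiers=TIERS):
    """Split snapshot names into (keep, destroy) under the rolling policy.

    Buckets are aligned to the epoch rather than to `now`, and the oldest
    snapshot in each bucket wins, so the survivor of a bucket stays the same
    from one cron run to the next.
    """
    keep, destroy, taken = [], [], set()
    for name in sorted(names, key=snapshot_time):      # oldest first
        ts = snapshot_time(name)
        age = now - ts
        if age < timedelta(0):
            keep.append(name)       # clock skew: never destroy "future" data
            continue
        for tier, (limit, width) in enumerate(tiers):
            if age < limit:
                slot = (tier, int(ts.timestamp() // width.total_seconds()))
                if slot in taken:
                    destroy.append(name)
                else:
                    taken.add(slot)
                    keep.append(name)
                break
        else:
            destroy.append(name)    # older than the last tier
    return keep, destroy


def destroy_commands(destroy):
    """Render the plan as commands for review; nothing is executed here."""
    return ["zfs destroy " + name for name in destroy]


def sample_snapshots():
    """Constructed sample: 10-minute snapshots 09:00-12:00 plus three old ones."""
    start = datetime(2009, 8, 24, 9, 0, tzinfo=timezone.utc)
    names = [
        "backup/fw1@" + (start + timedelta(minutes=10 * i)).strftime("%Y%m%d-%H%M")
        for i in range(19)
    ]
    return names + [
        "backup/fw1@20090820-0300",
        "backup/fw1@20090820-1500",
        "backup/fw1@20090101-0000",
    ]


if __name__ == "__main__":
    now = datetime(2009, 8, 24, 12, 0, tzinfo=timezone.utc)
    keep, destroy = plan_retention(sample_snapshots(), now)
    print("keep:", *keep, sep="\n  ")
    print(*destroy_commands(destroy), sep="\n")
```

Because the function only returns a plan, the destroy list can be logged and reviewed before anything is removed, which matters when the snapshots double as forensic evidence.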


Re: Continuous backup of critical system files

2009-08-24 Thread chris scott
2009/8/24 chris scott kra...@googlemail.com



 2009/8/24 Maxim Khitrov mkhit...@gmail.com

 Hello all,

 I'm setting up a firewall using FreeBSD 7.2 and thought that it may
 not be a bad idea to have a continuous backup for important files like
 pf and dnsmasq configurations. By continuous I mean some script that
 would be triggered every few minutes from cron to automatically create
 a backup of any monitored file if it was modified. I also have a full
 system backup in place that is executed daily (dump/restore to a
 compact flash card), so the continuous backup would really be for
 times when someone makes a mistake editing one of the config files and
 needs to revert it to a previous state.

 My initial thought was to create a mercurial repository at the file
 system root and exclude everything except for explicitly added files.
 I'd then run something like hg commit -m `date` from cron every 10
 minutes to record the changes automatically. Can anyone think of a
 better way to do this (existing port specifically for this purpose)?
 Obviously, I need a way to track the history of a file and revert to a
 previous state quickly. The storage of changes should be as
 size-efficient as possible.

 - Max


 I rsync all my system files to a filer running zfs. I have a separate zfs
 fs for every host and then I snapshot the fs after the rsync. We then keep
 35 snapshots for retention as we do daily rsyncs.


 You might want more of a rolling snapshot policy. Keep one for every 10 mins
 of the last hour, then drop it to hourly for the next 6 hours, then daily,
 then weekly etc.

 Works quite well. We have also found it handy for forensics as well, when
 we have had a fault.


I forgot to say it need not be a zfs backend, just a fs that you can reliably
do snapshots on.


Re: fusefs-sshfs

2009-08-18 Thread chris scott
2009/8/17 Roald de Vries r...@roalddevries.nl

 Dear all,

 I've installed fusefs-sshfs, and added fusefs_enable=YES to rc.conf.
 During startup, I see fusefs being started, but when I do: sshfs remote:~
 /media/remote, I get fuse: failed to open fuse device: No such file or
 directory. Any idea why? Thanks in advance.

 Kind regards,

 Roald


try an explicit path as well rather than ~


Re: filesystem size after newfs

2009-08-11 Thread chris scott
2009/8/11 mojo fms fbsdli...@gmail.com

 On Mon, Aug 10, 2009 at 3:55 PM, Naeem Afzal naf...@hotmail.com wrote:

 
  I created this small partition of 512K bytes on disk, I am noticing
  about 24% is used up before system can be mounted and used. My assumption
  was about 4% is supposed to be used if minfree is set to 0.

  #newfs -U -l -m 0 -n -o space /dev/ad1d
  /dev/ad1d: 0.5MB (1024 sectors) block size 16384, fragment size 2048
   using 1 cylinder groups of 0.50MB, 32 blks, 64 inodes with soft updates
  super-block backups (for fsck -b #) at:
  160
  #mount /dev/ad1d /test
  #df -H /test
  Filesystem    Size    Used   Avail Capacity  Mounted on
  /dev/ad1d     391k    2.0k    389k     1%    /test
  Could someone explain where the 512-391=121K of disk space went to? What
  is the relation between this use of space and total partition size or is
  it some fixed ratio?
  Thanks  Regards
  Naeem
 

 5% to root, and the rest I am assuming file system blocks.  Try making the
 512k partition bigger accounting for those things and you should be able to
 get it really close to 512k available.

 --
 Who knew


why do you want something that small? Could you not use an md device or
tmpfs, they would probably be more efficient


Re: boot sector f*ed

2009-08-11 Thread chris scott
2009/8/11 Polytropon free...@edvax.de

 On Tue, 11 Aug 2009 09:34:13 -0400, PJ af.gour...@videotron.ca wrote:
  I've got another disk about the same size on the machine and I'm
  wondering how could I transfer the whole shebang to it?

 Maybe an 1:1 copy using dd with a bs=1m would work.



  Would doing a minimum 7.2 install be enough, followed by copying all the
  slices to the corresponding slices on the new disk?
  I'm thinking of mounting the broken drive on the new one and then
  copying... does that sound about right?

 No. Does not. :-)

 The proper way of doing this - or at least ONE of the proper ways -
 is to use the intended tools for this task. These are dump and
 restore.

 First of all, you use a FreeBSD live system (such as FreeSBIE) or
 the livefs CD of the FreeBSD OS to run the OS. The goal is: Most
 minimal interaction with the drives.

 Let's assume ad0 is your source disk and ad1 the target disk.

 You can use the sysinstall tool to slice and partition the target
 disk. You can create the same layout as on the source disk. Of
 course, using tools like bsdlabel and newfs is valid, too. If
 you're done, things go like this:

 1. Check the source.

# fsck /dev/ad0s1a /dev/ad0s1e /dev/ad0s1f /dev/ad0s1g /dev/ad0s1h

   Add -f (and dangerous -y) if intended.



 2. You don't mount the source disk. Instead, you first prepare
   the target disk which you mount. Then you use dump and restore
   to transfer the data from the unmounted source partition to
   the mounted target partition.

# mount /dev/ad1s1a /mnt
# cd /mnt
# dump -0 -f - /dev/ad0s1a | restore -r -f -

   Keep an eye on where you mount it. Maybe the live system you
   use already employs /mnt for its own purposes. Create /target
   instead, or anything else you like.



 3. After transferring /, continue with /tmp /var /usr and /home.

# mount /dev/ad1s1a /mnt
# cd /mnt
# dump -0 -f - /dev/ad0s1a | restore -r -f -

# mount /dev/ad1s1e /mnt/tmp
# cd /mnt/tmp
# dump -0 -f - /dev/ad0s1e | restore -r -f -

# mount /dev/ad1s1f /mnt/var
# cd /mnt/var
# dump -0 -f - /dev/ad0s1f | restore -r -f -

# mount /dev/ad1s1g /mnt/usr
# cd /mnt/usr
# dump -0 -f - /dev/ad0s1g | restore -r -f -

# mount /dev/ad1s1h /mnt/home
# cd /mnt/home
# dump -0 -f - /dev/ad0s1h | restore -r -f -

   Of course, triplepluscheck the commands before running them!



 4. Unmount the target disks.

# cd /
# umount /mnt/home
# umount /mnt/usr
# umount /mnt/var
# umount /mnt/tmp
# umount /mnt
# sync
# halt

   Replace the disks and start using your target.



  I haven't looked at the broken one yet; I'll have to see what that
  177mg dump was..

 Kernel image?


 --
 Polytropon
 From Magdeburg, Germany
 Happy FreeBSD user since 4.0
 Andra moi ennepe, Mousa, ...


Dumping is all very well and good. However if you want daily or hourly
backups etc it is very costly. That's why our in house system at work is
based around rsync and zfs.

Basically we rsync the file to the x4500 with ~ 36 TB and then snapshot the
backup. You then have incremental forever. On large systems that don't have
much % change of content the benefits are huge.


Re: a (hopefully) simple newbie zfs query regarding available space

2009-08-09 Thread chris scott
2009/8/9 John . comp.j...@googlemail.com

 Hello list

 I followed instructions for ZFS on
 http://wiki.freebsd.org/ZFSQuickStartGuide, substituting ad6 and ad10
 (two new SATA3 1TB disks) for da0 da1 and da2 in the instructions. I
 was surprised to see only 993GB in /tank/. Is this expected, or is it
 user error? Also, these disks are completely unformatted. I expected
 to do a newfs or something similar, and for it to take a bit of time!

 This is on a running 7.2-STABLE amd64 system. It is only these two
 disks that I want as ZFS, the rest are UFS2

 cheers
 --
 John



Not a zfs thing, it happens with all OSes and file systems. Basically HD
manufacturers quote their capacities in base 10 ie 1 TB = 10 bytes.
File systems are calculated in binary, therefore the calculation they use is
1024 x 1024 x 1024 = 1099511627776. Slightly more as you can see.

Therefore 1 GB in OS terms is 1073741824

therefore HD capacity in GB is

1/1073741824 = 931.322575

The extra you see is due to HD manufacturers making the drives slightly over
capacity.


Re: a (hopefully) simple newbie zfs query regarding available space

2009-08-09 Thread chris scott
2009/8/9 John . comp.j...@googlemail.com

 2009/8/9 chris scott kra...@googlemail.com:

 
  Not a zfs thing, it happens with all OSes and file systems. Basically HD
  manufacturers quote their capacities in base 10 ie 1 TB = 10 bytes.
  File systems are calculated in binary, therefore the calculation they use is
  1024 x 1024 x 1024 = 1099511627776. Slightly more as you can see.

  Therefore 1 GB in OS terms is 1073741824

  therefore HD capacity in GB is

  1/1073741824 = 931.322575

  The extra you see is due to HD manufacturers making the drives slightly over
  capacity.
 

 Hi,

 What I meant was, I was seeing 931MB instead of 1.6TB (2x1TB disks)
 but this was because I didn't read about zfs properly (they recommend
 3 or more disks). In the man page for zpool it says:

 A  raidz group with N disks of size X with P parity disks can hold
 approximately (N-P)*X bytes
 [...]
 The recommended number is between 3 and 9

 so, I'll wait till I get an array before implementing zfs. In the
 meantime, I'm using gconcat. Sorry for the noise.

 --
 John



Ah, did you do a zpool create tank ad0
then zpool attach tank ad1 type thing?

If you did, you have created a mirror.

To fix, do a zpool detach ad1
then a zpool add ad1 to create a stripe.

Having said that, it is not good practice to have no redundancy.

You could compromise by putting your important data on a dedicated file system
then setting copies to 2 or 3.


Re: ZFS Boot Support from Installer

2009-08-04 Thread chris scott
My zfs only system works fine but it is based on 8-beta2 built around 16 May
(will be rebuilding soon).

The main thing to remember to do is make sure you have
zfs_loader_support=yes in your src of make.conf

I based my install on this howto

http://wiki.freebsd.org/ZFSOnRootWithZFSboot#installFreeBSD

If you don't want to go for current, in theory if you install the boot blocks
and loader from current onto the disk you should be able to boot into 7.2. I
haven't tested this though.

One thing I would advise though is don't install the root partition in the
root of the zpool.

I have mine like this

system                      68.1G  74.6G    21K  /system
system/home                 59.3G  74.6G  59.3G  /home
system/local-old             952M  74.6G   952M  /system/local-old
system/root                    4G  77.1G  1.53G  legacy
system/scripts                20K  74.6G    20K  /usr/local/scripts
system/tmp                    31K  4.00G    31K  /tmp
system/usr-local             396M  74.6G   324M  /usr/local
system/usr-obj              1.85G  74.6G  1.65G  /usr/obj
system/usr-ports             193M  74.6G   185M  /usr/ports
system/usr-ports/distfiles  8.53M  74.6G  8.53M  /usr/ports/distfiles
system/usr-src               499M  74.6G   303M  /usr/src
system/var                  1014M  74.6G   776M  /var
system/var/log               192M  74.6G   192M  /var/log
system/var/mysql            46.4M  74.6G  46.4M  /var/db/mysql
I did it like this as it is more like an opensolaris setup. If I wanted to
say run a new os build I could say install it on a new zfs fs called say
root_MMDD which would be a clone of the original root. I could then flip
flop between these installations by resetting the bootfs option of the pool.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: Striping a live file system RAID 10 help

2009-07-30 Thread chris scott
2009/7/30 John Nielsen li...@jnielsen.net

 On Wednesday 29 July 2009 15:54:42 Richard Fairbanks wrote:
  OK, so this is what I want to do. I have 4 big fast drives that I want to
  run in RAID 10 (1+0). So, I'll need to mirror two sets of two disks, then
  stripe those two mirrors. So, how do I do this if I want this striped set
  of mirrors to be my entire fs? I can create both mirrors and have the
  entire fs on one of the mirrors (*mirror0*), but then I need to stripe it
  with the other mirrors (*mirror1*), and trying to create a stripe
  (*stripe*) from that a set of mirrors in which one of the mirrors contains
  the live file system does not work, obviously.

  I was thinking, very generally, of creating the fstab file that I'll need
  to point to the stripe instead of ad4 for example, rsyncing everything to a
  disk on a different server, using a live CD to create the stripe, then
  rsyncing back to the stripe. I don't know if this will work, and haven't
  even come to a conclusion of the particulars needed.

 When changing disk configurations on the same server I generally do
 everything by hand, then use dump+restore (rather than rsync) to move (UFS)
 filesystems around. (ZFS has zfs send/recv).

  Of course, if there is a way to create the striped set of mirrors before
  installation then installing onto that stripe, that'd be perfect. I don't
  know if that can be done. I'm sure someone has configured a RAID 10
  standalone system before. (Oh, I'm using 7.2). I'm just stuck at this
  point!

 You need to consider where/how you are going to boot the system. It's
 straightforward to boot from a gmirror'ed UFS filesystem (the BIOS just uses
 one disk and thinks everything is normal), but you can't do the same from a
 stripe. You will either need a separate disk/device for your / or /boot
 partition or you will need to use slices/partitions on your disks. I
 frequently have the root filesystem on a small gmirror (partitions on 2
 disks) then use the equivalent extra space on the remaining disk(s) for
 swap.

 You should be able to do this pre-install from the Fixit shell. Boot to the
 live CD, enter the shell, kldload geom_mirror and geom_stripe, create the
 mirrors, create the stripe, exit the shell, start the install, and tell
 sysinstall to use the device node under /dev/stripe for your filesystem.

 Alternatively you could just do a regular install to one of the disks and do
 everything post-install. In this case you'd still create two mirrors but one
 of them would only contain a single disk at first. Then create your stripe,
 dump/restore your files, update fstab (in both locations if needed), reboot
 using the stripe, then add the original system disk into its mirror.

 If you provide more details of how you want your setup to look I can give you
 a specific walkthrough if needed.

 JN


One thing I find invaluable when doing fancy disk installs is my bootable
usb stick with a full bsd installation on it. Much nicer than fixit. Also if
the kit is in the data center it means I can ssh into the box rather than
having to sit in there.

I used the howto below to set up the stick

http://typo.submonkey.net/articles/2006/04/13/installing-freebsd-on-usb-stick-episode-2

I've also used this to do zfs boot
zfsboot install
http://wiki.freebsd.org/ZFSOnRootWithZFSboot#installFreeBSD

If you don't want to do a zfs one and use gstripe on top of gmirror but don't
want to partition up all the drives you could of course leave the usb stick
in permanently, and have the root fs on there. Just make sure fs that take
lots of writes don't reside on the stick ie /tmp /var

Also when you create your file systems make sure you label them with newfs's
-L flag. It can make the devices you need to mount slightly easier to use.

Also consider the use of gjournal as it could save you a lot of time with
not having to fsck large file systems.


Re: OpenVPN Client

2009-07-25 Thread chris scott
2009/7/25 Leonardo M. Ramé martinr...@yahoo.com


 Hi, I'm trying to connect to an OpenVPN server in my office. To do this, I
 installed OpenVPN 2.0.6 i386-portbld-freebsd7.2 [SSL] [LZO] from ports,
 and looking at different tutorials I found it needs a config file in
 /usr/local/etc/openvpn/openvpn.conf. The problem here, is that our server
 provides a client.ovpn file containing all the connection params needed
 by a client, in fact, we connect windows machines just by installing
 OpenVPN_Installer.exe, it configures a TAP device and a client that reads
 the client.ovpn file.

 Now, in my FreeBSD 7.2 i386 machine, I did this:

 Created the /usr/local/etc/openvpn/openvpn.conf (the port doesn't create
 it automatically) with this content:

 remote 200.80.219.194.static.techtelnet.net
 client
 proto tcp
 port 443
 dev tun
 ns-cert-type server
 auth-user-pass
 auth-retry interact
 comp-lzo
 user nobody
 group nobody
 verb 3
 ca /usr/local/etc/openvpn/keys/ca.key
 cert /usr/local/etc/openvpn/keys/cert.key
 key /usr/local/etc/openvpn/keys/key.key

 These contents are extracted from client.ovpn, and ca, cert and key
 files were extracted from the same file.

 I kldload tun, but when I do ifconfig, it doesn't show anything related to
 tun or tap.

 Also, when I do openvpn /usr/local/etc/openvpn/openvpn.conf the results
 are this:

 Sat Jul 25 11:24:09 2009 OpenVPN 2.0.6 i386-portbld-freebsd7.2 [SSL] [LZO]
 built on Jul 24 2009
 Enter Auth Username:nico
 Enter Auth Password:
 Sat Jul 25 11:24:13 2009 WARNING: you are using user/group/chroot without
 persist-key/persist-tun -- this may cause restarts to fail
 Sat Jul 25 11:24:13 2009 WARNING: file
 '/usr/local/etc/openvpn/keys/key.key' is group or others accessible
 Sat Jul 25 11:24:13 2009 LZO compression initialized
 Sat Jul 25 11:24:13 2009 Control Channel MTU parms [ L:1544 D:140 EF:40
 EB:0 ET:0 EL:0 ]
 Sat Jul 25 11:24:13 2009 Data Channel MTU parms [ L:1544 D:1450 EF:44
 EB:135 ET:0 EL:0 AF:3/1 ]
 Sat Jul 25 11:24:13 2009 Local Options hash (VER=V4): '69109d17'
 Sat Jul 25 11:24:13 2009 Expected Remote Options hash (VER=V4): 'c0103fa8'
 Sat Jul 25 11:24:13 2009 NOTE: UID/GID downgrade will be delayed because of
 --client, --pull, or --up-delay
 Sat Jul 25 11:24:13 2009 Attempting to establish TCP connection with
 200.80.219.194:443
 Sat Jul 25 11:24:13 2009 TCP connection established with
 200.80.219.194:443
 Sat Jul 25 11:24:13 2009 TCPv4_CLIENT link local: [undef]
 Sat Jul 25 11:24:13 2009 TCPv4_CLIENT link remote: 200.80.219.194:443
 Sat Jul 25 11:24:13 2009 Connection reset, restarting [0]
 Sat Jul 25 11:24:13 2009 TCP/UDP: Closing socket
 Sat Jul 25 11:24:13 2009 SIGUSR1[soft,connection-reset] received, process
 restarting
 Sat Jul 25 11:24:13 2009 Restart pause, 5 second(s)

 In my /etc/rc.conf I have openvpn_if=tun, I don't load the tun nor tap
 interface at boot, I just want to load it with kldload.

 uname -a:
 FreeBSD inspiron.local 7.2-RELEASE FreeBSD 7.2-RELEASE #0: Fri May  1
 08:49:13 UTC 2009 r...@walker.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC
  i386

 ifconfig:
 ndis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
         ether 00:23:4d:64:d6:7a
         inet 192.168.0.100 netmask 0xff00 broadcast 192.168.0.255
         media: IEEE 802.11 Wireless Ethernet autoselect
         status: associated
         ssid  channel 1 (2412 Mhz 11b)
         authmode OPEN privacy OFF bmiss 7 scanvalid 60 roaming MANUAL
         bintval 0
 fwe0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
         options=8<VLAN_MTU>
         ether 32:4f:c0:e1:55:e1
         ch 1 dma -1
 fwip0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
         lladdr 33.4f.c0.0.26.e1.55.e1.a.2.ff.fe.0.0.0.0
 lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
         inet6 ::1 prefixlen 128
         inet 127.0.0.1 netmask 0xff00

 Thanks in advance,
 Leonardo M. Ramé






make sure you have the tap kernel module loaded

kldload /boot/kernel/if_tap.ko

to make sure it's there after boot, add
if_tap_load=yes
to your /boot/loader.conf

When I used openvpn I also added

cloned_interfaces=tun1

to my rc.conf, then reinitialize the network stack by running
/etc/netstart


I also set the openvpn client to explicitly use tun1
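The two WARNING lines in the log quoted in this thread (user/group without persist-key/persist-tun, and a key file accessible to group or others) can be checked before the client is started. This is an added example, not code from the thread or from OpenVPN: the function names, the placeholder remote `vpn.example.net` and the temporary key path are assumptions.

```python
import os
import stat

PRIV_DROP = ("user", "group", "chroot")
PERSIST = ("persist-key", "persist-tun")


def parse_conf(text):
    """Map each directive to its argument list; '#' and ';' start comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, *args = line.split()
            opts[name] = args
    return opts


def audit(text):
    """Return [(code, message)] for the two conditions OpenVPN warned about."""
    opts = parse_conf(text)
    findings = []

    # Warning 1: privileges are dropped but keys/tun are not kept across restarts.
    dropped = [d for d in PRIV_DROP if d in opts]
    missing = [d for d in PERSIST if d not in opts]
    if dropped and missing:
        findings.append((
            "persist",
            "%s set without %s: after the privilege drop a restart cannot "
            "re-read a root-only key or reopen the tun device"
            % ("/".join(dropped), "/".join(missing)),
        ))

    # Warning 2: the private key is readable by more than its owner.
    if opts.get("key"):
        path = opts["key"][0]
        try:
            mode = stat.S_IMODE(os.stat(path).st_mode)
        except OSError as exc:
            findings.append(("key-missing", "%s: %s" % (path, exc.strerror)))
        else:
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append((
                    "key-perms",
                    "%s is mode %04o, group or others can access it; "
                    "expected 0600 or stricter" % (path, mode),
                ))
    return findings


def sample_conf(key_path):
    """Constructed config using directives from the post; remote is a placeholder."""
    return "\n".join([
        "remote vpn.example.net", "client", "proto tcp", "port 443",
        "dev tun", "auth-user-pass", "comp-lzo",
        "user nobody", "group nobody", "verb 3",
        "key " + key_path,
    ]) + "\n"


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        key = os.path.join(d, "key.key")
        open(key, "w").close()
        os.chmod(key, 0o644)      # the weak setting the log complained about
        for code, msg in audit(sample_conf(key)):
            print(code + ":", msg)
```

The two findings are linked: once the key is tightened to owner-only, a client running as `nobody` can no longer re-read it on a soft restart unless `persist-key` is set.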


Re: jpeg-7 - rebuild all dependencies - how?

2009-07-24 Thread chris scott
2009/7/24 Daniel Bye danie...@slightlystrange.org

 On Fri, Jul 24, 2009 at 03:16:54PM +0200, Peter Boosten wrote:
  Daniel Bye wrote:
   On Fri, Jul 24, 2009 at 02:03:43PM +0200, Ewald Jenisch wrote:
   Hi,
  
   Updating one of my systems I followed /usr/ports/UPDATING and did a
   pkg_delete -r jpeg-6b_7 - only to discover that everything that
  
   Au contraire, Blackadder. UPDATING says to run either of
  
   portmaster -r jpeg*
  
   OR
  
   portupgrade -fr graphics/jpeg
  
   It says nothing of pkg_delete.
 
 
  Not anymore, no. This is what's in my UPDATING:
 
  quote
  20090719:
AFFECTS: users of graphics/jpeg
AUTHOR: din...@freebsd.org
 
jpeg has been updated to 7.0.
Quick instructions:
  pkg_delete -r jpeg-6b_7
Please rebuild all ports that depends on it.
  /quote
 
  I thought it to be the most stupid upgrade strategy ever, but indeed it
  was there in the beginning.

 Yes, now that I look at it, it does seem a little brain damaged... I must
 admit that when I went through the update a few days ago, I automatically
 used portupgrade - didn't even notice it said pkg_delete...

 Here's a list of things I've learnt today:

 * Don't gob off before you have all the facts to hand.
 * Being a clever bastard has the unfortunate tendency to backfire, leaving
   one looking like a prat.

 *facepalm*

 Dan

 --
 Daniel Bye
 _
  ASCII ribbon campaign ( )
 - against HTML, vCards and  X
- proprietary attachments in e-mail / \



maybe it would be a good idea for ports to have an event log like yum does
on centos. Just a simple log of stuff added, removed, and upgraded. It would
be invaluable in this situation as you could see what was removed and it
would be fairly easy to recover. It just may take a little time.


Re: jpeg-7 - rebuild all dependencies - how?

2009-07-24 Thread chris scott
2009/7/24 Mel Flynn mel.flynn+fbsd.questi...@mailing.thruhere.net


 On Friday 24 July 2009 05:52:37 chris scott wrote:

  maybe it would be a good idea for ports to have an event log like yum does
  on centos. Just a simple log of stuff added, removed, and upgraded. It
  would be invaluable in this situation as you could see what was removed and
  it would be fairly easy to recover. It just may take a little time.

 Err, this is available through cvs log/cvs diff.
 --
 Mel


are you talking about cvs syncing the ports tree? I was referring to make
install, make deinstall, pkg_add, pkg_delete etc of packages


Re: jpeg-7 - rebuild all dependencies - how?

2009-07-24 Thread chris scott
2009/7/24 RW rwmailli...@googlemail.com

 On Fri, 24 Jul 2009 08:28:14 -0800
 Mel Flynn mel.flynn+fbsd.questi...@mailing.thruhere.net wrote:

  On Friday 24 July 2009 05:52:37 chris scott wrote:
 
   maybe it would be a good idea for ports to have an event log like
   yum does on centos. Just a simple log of stuff added, removed, and
   upgraded. It would be invaluable in this situation as you could see
   what was removed and it would be fairly easy to recover. It just
   may take a little time.
 
  Err, this is available through cvs log/cvs diff.

 I believe he's referring to a log of package installs and deletes.

 What would probably be more useful, is to periodically write out an
 ordered list of leaf-origins, then you can just diff today's file with
 an older copy. I used to have a script for it, but it fell-off. I think
 package-cut-leaves keeps a similar list.



yep i was i think portmanager can do stuff with leave
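
The event log asked for in this thread, and RW's suggestion of periodically writing out a package list and diffing it against an older copy, can be combined as below. This is an added example, not part of any message in the thread; it tracks every installed package rather than only leaf ports, and it assumes the pkg_* tools' layout of one name-version directory per installed package under /var/db/pkg. The function names and the state directory layout are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Snapshot the installed package set and
# diff two snapshots, so a mass removal such as "pkg_delete -r" leaves a record.
# Assumption: the old pkg_* tools keep one directory per installed package,
# named <name>-<version>, under /var/db/pkg.

# pkg_snapshot [DBDIR]: print installed packages, one name-version per line.
pkg_snapshot() {
    _db=${1:-/var/db/pkg}
    for _d in "$_db"/*/; do
        [ -d "$_d" ] || continue        # unmatched glob: nothing installed
        _d=${_d%/}
        printf '%s\n' "${_d##*/}"
    done | LC_ALL=C sort
}

# pkg_changes OLD NEW: compare two snapshot files and print, sorted:
#   added <pkg> / removed <pkg> / upgraded <name> <oldver> -> <newver>
pkg_changes() {
    awk '
        # The version is everything after the last hyphen.
        function name_of(p) { sub(/-[^-]*$/, "", p); return p }
        function ver_of(p)  { sub(/^.*-/, "", p);    return p }
        $0 == "" { next }
        FILENAME == ARGV[1] { old[name_of($0)] = ver_of($0); next }
        { cur[name_of($0)] = ver_of($0) }
        END {
            for (n in old) {
                if (!(n in cur))
                    print "removed " n "-" old[n]
                else if (cur[n] != old[n])
                    print "upgraded " n " " old[n] " -> " cur[n]
            }
            for (n in cur)
                if (!(n in old))
                    print "added " n "-" cur[n]
        }
    ' "$1" "$2" | LC_ALL=C sort
}

# pkg_log STATEDIR [DBDIR]: take a snapshot, append timestamped changes since
# the previous snapshot to STATEDIR/pkg-events.log, then keep the new snapshot.
# The first run only records a baseline. Intended to be run from cron.
pkg_log() {
    _state=$1
    mkdir -p "$_state" || return 1
    pkg_snapshot "$2" > "$_state/pkgs.new" || return 1
    if [ -f "$_state/pkgs.last" ]; then
        pkg_changes "$_state/pkgs.last" "$_state/pkgs.new" |
            while IFS= read -r _line; do
                printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$_line"
            done >> "$_state/pkg-events.log"
    fi
    mv "$_state/pkgs.new" "$_state/pkgs.last"
}
```

After an accidental pkg_delete -r, the "removed" lines in pkg-events.log are the list of ports to reinstall.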


backticks in rc.conf

2009-07-21 Thread chris scott
can i use backticks in rc.conf?

Basically i want a standard rc.conf and want to bind rsync to a specific ip

hence i want this in my rc.conf

rsyncd_flags="--config=/etc/rsyncd.conf --address=`ifconfig bce1 | grep inet | awk '{print $2}'`"

it works fine from the shell, however on reboot the address section doesn't
expand, or rather it goes blank


eg

Jul 20 16:56:37 X root: /etc/rc: DEBUG: run_rc_command: doit: /usr/local/bin/rsync --config=/etc/rsyncd.conf --address= --daemon


Re: backticks in rc.conf

2009-07-21 Thread chris scott
2009/7/21 Giorgos Keramidas keram...@ceid.upatras.gr

 On Tue, 21 Jul 2009 11:29:20 +0200, Polytropon free...@edvax.de wrote:
  On Tue, 21 Jul 2009 09:46:47 +0100, chris scott kra...@googlemail.com wrote:
  can i use backticks in rc.conf?
 
  Basically, yes. The /etc/rc.conf file is run through sh, it is
  a shell script that assigns values to variables, but can (ab)use
  it to execute programs.
 
  rsyncd_flags="--config=/etc/rsyncd.conf --address=`ifconfig bce1 | grep inet | awk '{print $2}'`"
 
  it works fine from the shell, however on reboot the address section doesn't
  expand, or rather it goes blank
 
  You should use the full pathnames leading to ifconfig, grep, and awk.
  Make sure they are accessible when rc.conf is executed.

 There's a catch here that may go unnoticed for a while...

 rc.conf may be sourced by /etc/rc *long* before filesystems are
 mounted.  As a result grep or awk may not be available and stop
 rc.conf from loading.

 It's probably a good idea to:

  * Add a special rsyncd_bind_address variable that is handled in
`/usr/local/etc/rc.d/rsyncd' itself

  * Permit AUTO as the value of ${rsyncd_bind_address} and do the
smart thing there.

  * Edit `/usr/local/etc/rc.d/rsyncd' to add a dependency for the
NETWORKING and FILESYSTEMS special names, so that `rc.d/rsyncd'
runs only after networking is up and /usr or other late-mounted
filesystems have finished loading.

thanks for the advice but I've found a solution (see below).

My systems don't generally have a /usr slice as i like to keep all the os in
one place, having a slice for /usr/local, /var, /home, and /tmp so the late
fs isn't an issue for me.

My latest test builds are pure zfs so won't be an issue there either 8)

# take the word after "inet" in $ifconfig_bge0 and strip any /prefix from it
a=`echo $ifconfig_bge0 | /usr/bin/awk '{ for ( i=1 ; i <= NF; i++) { if ( $i ~ /[iI][nN][eE][tT]/ ) { sub(/\/.*/, "", $(i+1)); print $(i+1) } } }'`
rsyncd_flags="--config=/etc/rsyncd.conf --address=$a"
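
Giorgos's caveat in this thread is that rc.conf can be sourced before late filesystems are mounted, so an external awk or grep may not be runnable at that point. The following is an added example, not code from the thread: it does the same extraction from the ifconfig_bge0 value with sh builtins only, checks that the result is a dotted quad before it reaches rsyncd_flags, and falls back to loopback instead of producing an empty --address=. The function names and the 127.0.0.1 fallback are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Derive the rsyncd bind address from the
# rc.conf ifconfig_<if> value with sh builtins only: no awk, grep or ifconfig,
# so nothing depends on /usr or the network being up when rc.conf is sourced.
# Helper variables are underscore-prefixed because rc.conf shares one namespace.

# is_ipv4 ADDR: succeed only for a dotted quad with four octets in 0..255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*) return 1 ;;           # empty, or anything but digits/dots
    esac
    _ip_rest=$1.
    _ip_count=0
    while [ -n "$_ip_rest" ]; do
        _ip_octet=${_ip_rest%%.*}
        _ip_rest=${_ip_rest#*.}
        case $_ip_octet in
            ''|????*) return 1 ;;           # empty octet or more than 3 digits
        esac
        [ "$_ip_octet" -le 255 ] || return 1
        _ip_count=$((_ip_count + 1))
    done
    [ "$_ip_count" -eq 4 ]
}

# inet_addr_from_ifconfig "<ifconfig_IF value>"
# Echo the address that follows the first "inet" keyword (any case), with a
# /prefix stripped. "inet6" is not matched. Returns 1 when the value carries
# no usable IPv4 address (DHCP, empty, malformed).
inet_addr_from_ifconfig() {
    set -f                                  # no globbing while word-splitting
    set -- $1
    set +f
    while [ $# -ge 2 ]; do
        case $1 in
            [iI][nN][eE][tT])
                _addr=${2%%/*}
                is_ipv4 "$_addr" || return 1
                echo "$_addr"
                return 0
                ;;
        esac
        shift
    done
    return 1
}

# rsyncd_flags_for "<ifconfig_IF value>"
# Echo the flags string. If no address can be derived, bind to loopback
# (a choice made for this example) rather than pass an empty --address=.
rsyncd_flags_for() {
    if _a=$(inet_addr_from_ifconfig "$1"); then
        echo "--config=/etc/rsyncd.conf --address=$_a"
    else
        echo "--config=/etc/rsyncd.conf --address=127.0.0.1"
    fi
}

# In rc.conf, after the function definitions (constructed sample value;
# 192.0.2.0/24 is a documentation range):
#   ifconfig_bge0="inet 192.0.2.10/24"
#   rsyncd_flags=$(rsyncd_flags_for "$ifconfig_bge0")
```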


FreeBSD USB Install

2009-01-07 Thread Chris Scott
Hi,

Ditch sysinstall and follow this

http://typo.submonkey.net/articles/2006/04/13/installing-freebsd-on-usb-stick-episode-2

glabel (the -L one newfs) is your friend, as it will help you avoid the
situation when you get boot failures when you try to boot off your usb
disk on a machine that has scsi drives (da0 won't be the usb drive)



Freebsd 6-Stable lockups

2006-11-01 Thread chris scott
Hi all,

I have a kind of annoying problem at the moment. A system I run keeps randomly
freezing/locking up. This can be anywhere from 2 hours to a week after the last
reboot/lockup. The only fix is to power cycle it. It isn't kernel panicking, it
just locks. Even accessing via serial doesn't work. I have changed all the
hardware so the issue is unlikely to be there. The load on the box isn't all
that high and the memory usage looks fine (all rrded). The box is running quite
a lot of services (apache, mysql, exim, spamassassin, clamav, courier, openvpn,
zebra). Usually all these services, apart from openvpn and zebra, run in a
jail. I don't think this is an issue as the machine still freezes if I run them
non jailed. Deactivating all these services apart from openvpn and zebra
(needed for monitoring), seems to fix the problem from what I can see so I'm
fairly sure the problem lies in these somewhere. However can anyone suggest a
way I can easily pinpoint the problem other than stepping through each app, as
this would take an age to perform and be very tedious.

The system has been rebuilt from src (make world) several times, and I have
done a portupgrade -a. All the local installations were done from ports.

I have tried running a debug kernel, but it didn't seem to yield much useful
info.

I'm running 6-stable (last build 4 days ago)
it's an SMP kernel on 1 gig intels
with 1.2gig ram
2 x 80 gig ide hd
















Re: Freebsd 6-Stable lockups

2006-11-01 Thread chris scott

well these are the only additional lines I've added to my kernel
I'm pretty sure I added crypto support after the problems started
I have disabled geli support for encrypted swap partitions as I thought
that may be the cause


# To make an SMP kernel, the next line is needed
options         SMP             # Symmetric MultiProcessor Kernel

options         ALTQ
options         ALTQ_CBQ        # Class Bases Queueing
options         ALTQ_RED        # Random Early Detection
options         ALTQ_RIO        # RED In/Out
options         ALTQ_HFSC       # Hierarchical Packet Scheduler
options         ALTQ_CDNR       # Traffic conditioner
options         ALTQ_PRIQ       # Priority Queueing
options         ALTQ_NOPCC      # Required for SMP build

# TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN. This
options         TCP_DROP_SYNFIN # drop TCP packets with SYN+FIN

#options        VESA
#options        SC_PIXEL_MODE
maxusers        0

#options        NO_LKM
options         CONSPEED=115200

device          crypto
options         GEOM_ELI
#options        WITNESS
#options        WITNESS_SKIPSPIN

#options        DEBUG_LOCKS
#options        DEBUG_VFS_LOCKS
#options        DDB
#options        WITNESS_KDB
#options        KDB


- Original Message - 
From: Paul Beckers [EMAIL PROTECTED]

To: chris scott [EMAIL PROTECTED]
Cc: freebsd-questions@freebsd.org
Sent: Wednesday, November 01, 2006 6:21 PM
Subject: Re: Freebsd 6-Stable lockups



Hi Chris,

I've noticed the same on three of my FreeBSD 6 systems, until now I  
haven't found any clue on this. FreeBSD 5 stable was no problem,  
FreeBSD 6 is quite a mess with no trace at all on what might have  
caused the machine to freeze. I agree with you that it could very  
well be a user application problem because my kernel config is quite  
trivial, my updating routines (cvsup and portupgrade) are trivial and  
actually the whole configuration of my box isn't exciting. I've  
opened a thread at bsdforums.org and posted an email on this mailing  
list as well.

http://www.freebsdforums.com/forums/showthread.php?t=38765.
http://lists.freebsd.org/pipermail/freebsd-stable/2006-October/030225.html
Perhaps, comparing both configurations could identify the bad  
application.


Kind Regards,
Paul M.C. Beckers



Re: Freebsd 6-Stable lockups

2006-11-01 Thread chris scott
the comments about old hardware are interesting as all my kit is at least 4
years old. It's a bit hit and miss though
I have 3 systems on 6-stable, only one has the problem. These are the basic
specs of the systems.


system 1 - one that freezes
this is the current hardware
x2 intel 550 p3
intel  440GX chipset
2 x 512meg ECC pc133 ram, 1 x 128 meg ECC ram
fxp and xl0

old hardware that also freezes was
x2 p3 1 ghz
serverworks chipset (asus CUSL2-LS)
2 x 512meg ECC
fxp and xl0


system 2
AMD athlon tbird 700
amd 750 irongate
256 meg  ddr
ep and xl


system 3
2x450 intel p3 slot cpu
intel 440bx
1x 512, 1 x 128
xl, dc, and sis

all machines are using pata drives

looking at the specs, both the flaky boxes are running ecc ram
is anyone having these issues who isn't running ecc ram?



racoon problems with -STABLE

2003-03-30 Thread chris scott
Hi,

I have just cvsuped to RELENG-4 yesterday and made world and installed the
new kernel. I also rebuilt racoon as it often breaks after an upgrade of
openssl. However racoon still keeps dying. Has anything changed in the build
of openssl between 4.7 and 4.8?

These are the error messages I am getting

2003-03-30 20:00:50: DEBUG: oakley.c:2745:oakley_do_encrypt(): begin encryption.
2003-03-30 20:00:50: DEBUG: algorithm.c:382:alg_oakley_encdef(): encription(3des)
2003-03-30 20:00:50: DEBUG: oakley.c:2761:oakley_do_encrypt(): pad length = 4
2003-03-30 20:00:50: DEBUG: plog.c:193:plogdump():
0b18 28c7a485 75ad76ad b39e3d1a c184 72fcc45b 001c 0001
01106002 1ab8a05a 48d31cbd 3882106f 51b1f3f3 0004
2003-03-30 20:00:50: DEBUG: algorithm.c:382:alg_oakley_encdef(): encription(3des)
/usr/libexec/ld-elf.so.1: /usr/local/sbin/racoon: Undefined symbol des_key_sched


It looks like to me that something has changed in the crypto libraries from
4.7-4.8.

Chris




Re: ipsec and gre tunnels

2003-03-18 Thread chris scott

it always confused me why you would have two tunnels, however gif and ipsec
transport works fine. I just wanted to know why gre didn't work in the same
way as at present it makes no sense.

- Original Message -
From: Brent Wiese [EMAIL PROTECTED]
To: 'chris scott' [EMAIL PROTECTED];
[EMAIL PROTECTED]
Sent: Tuesday, March 18, 2003 4:59 PM
Subject: RE: ipsec and gre tunnels


 It's a common mistake to do both gif and ipsec.

 I realize many of the handbooks you find say to do it. They're wrong.
 They've been contacted and most won't change them, which just misleads
 more people.

 Use ipsec in tunnel mode instead of transport and ditch gif.

 
  Hi,
 
  I currently have a vpn setup between a few lans using
  freebsd, ipsec and gif tunnels It all works perfectly.
  However I noticed that a new pseudo device for gre tunnels.
  As the overhead it supposed to be less for this type of
  tunnel I decided to test things out. I cvs and made world and
  kernel on the two test machines. No problems here. I tested
  original tunnels, all working ok and racoon was doing key
  exchange no problems. I setup the test gre tunnel with the
  following syntax
 
 
 
  /sbin/ifconfig gre0 create tunnel hostA hostB
  /sbin/ifconfig gre0 192.168.250.34 192.168.250.33 netmask 255.255.255.252
  /sbin/route add 192.168.250.33/30 -interface gre0
  /sbin/ifconfig gre0 up
 
 
  Cool the tunnel is up and seems to work ok. Now I implement
  the following ipsec policy which is just an extension of what
  I was using before for the gif tunnels
 
 
  spdadd 0.0.0.0/0 0.0.0.0/0 4 -P out ipsec esp/transport//require;
  spdadd 0.0.0.0/0 0.0.0.0/0 4 -P in ipsec esp/transport//require;
 
  # these 2 rules are so i can connect to my ethernet dsl modem
  # without the traffic getting encrypted, which is bad
 
  spdadd 10.0.0.0/24 10.0.0.0/24 gre -P out none ;
  spdadd 10.0.0.0/24 10.0.0.0/24 gre -P in none ;
 
  spdadd 0.0.0.0/0 0.0.0.0/0 gre -P out ipsec esp/transport//require;
  spdadd 0.0.0.0/0 0.0.0.0/0 gre -P in ipsec esp/transport//require;
 
 
  Hmm, now the tunnel doesn't work. Key exchange seems to be ok
  as the gif tunnel is still working. Does anyone have any idea
  why the tunnel should stop working? The man page for setkey
  has a mysterious reference under the upperspec description
 
    We have many protocols in /etc/protocols, but protocols except of
    TCP, UDP and ICMP may not be suitable to use with IPsec.  You have
    to consider and be careful to use them.  icmp tcp udp all protocols
 
  Could gre be one of these protocols and if so why?
 
 
  root on gateway# ifconfig gre0
  gre0: flags=9051<UP,POINTOPOINT,RUNNING,LINK0,MULTICAST> mtu 1476
          tunnel inet hostB --> hostA
          inet 192.168.250.34 --> 192.168.250.33 netmask 0xfffc
  root on gateway# ifconfig gif0
  gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
          tunnel inet hostB --> hostA
          inet 192.168.250.1 --> 192.168.250.2 netmask 0xfffc
  root on gateway# ping  192.168.250.33
  PING 192.168.250.33 (192.168.250.33): 56 data bytes
  ^C
  --- 192.168.250.33 ping statistics ---
  6 packets transmitted, 0 packets received, 100% packet loss
  root on gateway# ping  192.168.250.1
  PING 192.168.250.1 (192.168.250.1): 56 data bytes
  ^C
  --- 192.168.250.1 ping statistics ---
  5 packets transmitted, 0 packets received, 100% packet loss
  root on gateway# ping  192.168.250.2
  PING 192.168.250.2 (192.168.250.2): 56 data bytes
  64 bytes from 192.168.250.2: icmp_seq=0 ttl=64 time=37.682 ms
  64 bytes from 192.168.250.2: icmp_seq=1 ttl=64 time=37.543 ms
  64 bytes from 192.168.250.2: icmp_seq=2 ttl=64 time=37.981 ms
  64 bytes from 192.168.250.2: icmp_seq=3 ttl=64 time=37.159 ms
  ^C
  --- 192.168.250.2 ping statistics ---
  4 packets transmitted, 4 packets received, 0% packet loss
  round-trip min/avg/max/stddev = 37.159/37.591/37.981/0.296 ms
  root on gateway# setkey -DP
  0.0.0.0/0[any] 0.0.0.0/0[any] ip4
  in ipsec
  esp/transport//require
  spid=1004 seq=5 pid=75744
  refcnt=1
  10.0.0.0/24[any] 10.0.0.0/24[any] gre
  in none
  spid=1006 seq=4 pid=75744
  refcnt=1
  0.0.0.0/0[any] 0.0.0.0/0[any] gre
  in ipsec
  esp/transport//require
  spid=1008 seq=3 pid=75744
  refcnt=1
  0.0.0.0/0[any] 0.0.0.0/0[any] ip4
  out ipsec
  esp/transport//require
  spid=1003 seq=2 pid=75744
  refcnt=1
  10.0.0.0/24[any] 10.0.0.0/24[any] gre
  out none
  spid=1005 seq=1 pid=75744
  refcnt=1
  0.0.0.0/0[any] 0.0.0.0/0[any] gre
  out ipsec
  esp/transport//require
  spid=1007 seq=0 pid=75744
  refcnt=1
  root on gateway# setkey -D
  hostB hostA
  esp mode=transport spi=226290556(0x0d7ceb7c)
  reqid=0(0x)
  E: 3des-cbc  9ef25cfa f136ecac e6548771 b6675ea5
  2427613a d8079969
  A: hmac-sha1  fe01a845 3c3288ae

Re: ipsec and gre tunnels

2003-03-18 Thread chris scott
there was also another reason why i did it this way, it means I don't have to
update the ipsec policy if I want to add another subnet to one of the lans,
as the ipsec policy doesn't care about what the traffic is inside the tunnel.
All that needs updating is the internal routing tables, which is handled
via rip.

Re: ipsec and gre tunnels

2003-03-18 Thread chris scott
I think people are missing my original point. My implementation using gif
tunnel and an ipsec transport to encrypt the gif traffic works fine and
always has done, I am therefore not overly bothered about gif tunnels. I
just can't understand why when I change the tunnel type to gre and update the
ipsec policy to encrypt all gre traffic it stops working. GRE is fine when
it's not encrypted but it doesn't when it is. Tcpdumping shows no other
additional traffic so I don't understand why the 2nd of the 2 policies
doesn't work while the 1st one does

tunnel config and policy. This works


gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        tunnel inet A --> B
        inet 192.168.250.2 --> 192.168.250.1 netmask 0xfffc


spdadd 0.0.0.0/0 0.0.0.0/0 4 -P out ipsec esp/transport//require;
spdadd 0.0.0.0/0 0.0.0.0/0 4 -P in ipsec esp/transport//require;



This doesn't

gre0: flags=9051<UP,POINTOPOINT,RUNNING,LINK0,MULTICAST> mtu 1476
        tunnel inet A --> B
        inet 192.168.250.2 --> 192.168.250.1 netmask 0xfffc

spdadd 0.0.0.0/0 0.0.0.0/0 gre -P out ipsec esp/transport//require;
spdadd 0.0.0.0/0 0.0.0.0/0 gre -P in ipsec esp/transport//require;

- Original Message -
From: David Kelly [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: Brent Wiese [EMAIL PROTECTED]
Sent: Wednesday, March 19, 2003 1:51 AM
Subject: Re: ipsec and gre tunnels


 On Tuesday 18 March 2003 10:59 am, Brent Wiese wrote:
  It's a common mistake to do both gif and ipsec.
 
  I realize many of the handbooks you find say to do it. They're wrong.
  They've been contacted and most won't change them, which just
  misleads more people.
 
  Use ipsec in tunnel mode instead of transport and ditch gif.

 I've heard that before. So with a RELENG_4 system I dropped my gif
 tunnel and it worked!

 Then some time after 4.7-RELEASE somebody changed something so that the
 contents of an ESP packet could not be distinguished by ipfw from
 non-ESP packets on the same interface. So my rule for blocking RFC 1918
 addresses on the public interface was blocking my own tunneled packets.

 Then I reverted the system to RELENG_4_7 and my IPSec tunnel failed to
 operate until I resumed initializing the gif interface as I was
 originally doing.

 /etc/ipsec.conf looks like this:

 flush;
 spdflush;
 spdadd 10.0.0.253/24 192.168.100.253/24 any -P out ipsec
 esp/tunnel/city_one-city_two/require ;
 spdadd 192.168.100.253/24 10.0.0.253/24 any -P in ipsec
 esp/tunnel/city_two-city-one/require ;

 /etc/rc.conf has this:

 # added 4/30/2002 for VPN to city_two
 ipsec_enable="YES"
 gif_interfaces="gif0"   # removed 11/17/2002 dmk

 # from here to there...
 gifconfig_gif0="city_one city_two"
 ifconfig_gif0="inet 10.0.0.253 192.168.100.253 netmask 255.255.255.255"

 # the VPN route:
 static_routes="city_two"
 route_city_two="-inet 192.168.100.0/24 -interface 192.168.100.253"

 Other than racoon, that's what it took. So why did I have to fire up
 gif0? For a while with RELENG_4 the gif entries in /etc/rc.conf were
 not needed. I have never seen any hits on my gif rules in ipfw.

 --
 David Kelly N4HHE, [EMAIL PROTECTED]
 =
 The human mind ordinarily operates at only ten percent of its
 capacity -- the rest is overhead for the operating system.

 To Unsubscribe: send mail to [EMAIL PROTECTED]
 with unsubscribe freebsd-questions in the body of the message





Re: Trouble mounting USB pen drive in 4.7

2003-03-18 Thread chris scott
what is the file system and is the drive partitioned?

to mount my zip drive, i use the command

mount -t ufs /dev/da0 /mnt/zip

if it's windows formatted i use

mount -t msdos /dev/da0 /mnt/zip

if it was partitioned i would use

mount -t msdos /dev/da0s1e /mnt/zip

- Original Message - 
From: Darren Spruell [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, March 18, 2003 10:43 PM
Subject: Trouble mounting USB pen drive in 4.7


 Greetz,
 
 running 4.7 RELEASE and I insert my USB pocket drive into USB slot. I 
 see the following come into my dmesg:
 
 umass0: USB Solid state disk, rev 1.10/1.00, addr 2
 da0 at umass-sim0 bus 0 target 0 lun 0
 da0: Generic Traveling Disk 1.11 Removable Direct Access SCSI-2 device
 da0: 650KB/s transfers
 da0: 126MB (258048 512 byte sectors: 64H 32S/T 126C)
 
 How can I mount this onto my filesystem? I've tried variations of the da 
 driver (rda0, da0, rda0s1, etc...) but I get I/O errors...
 
 Many TIA,
 
 -- 
 Darren Spruell
 Sento IS Department
 [EMAIL PROTECTED]
 
 


ipsec and gre tunnels

2003-03-17 Thread chris scott
  hard: 0(s)  soft: 0(s)
current: 1264(bytes)hard: 0(bytes)  soft: 0(bytes)
allocated: 9hard: 0 soft: 0
sadb_seq=2 pid=75781 refcnt=3
hostA hostB
esp mode=transport spi=68215519(0x0410e2df) reqid=0(0x)
E: 3des-cbc  ed219090 5d6f888a e8802825 721304be 93e378a2 0b0386c1
A: hmac-sha1  d5cbeafd bc53fd2b 1fc793e3 a7ba645f acd15afb
seq=0x replay=4 flags=0x state=mature
created: Mar  5 12:14:01 2003   current: Mar  5 12:14:02 2003
diff: 1(s)  hard: 30(s) soft: 24(s)
last:   hard: 0(s)  soft: 0(s)
current: 0(bytes)   hard: 0(bytes)  soft: 0(bytes)
allocated: 0hard: 0 soft: 0
sadb_seq=1 pid=75781 refcnt=1
hostA hostB
esp mode=transport spi=29715957(0x01c56df5) reqid=0(0x)
E: 3des-cbc  ba32a2af 132d3b56 59b26bcf bb094266 2092da1c c598213b
A: hmac-sha1  9132f5a9 c5eebd8f cb1bb01d 681a4ff6 1bd042f3
seq=0x000a replay=4 flags=0x state=dying
created: Mar  5 12:13:36 2003   current: Mar  5 12:14:02 2003
diff: 26(s) hard: 30(s) soft: 24(s)
last: Mar  5 12:14:00 2003  hard: 0(s)  soft: 0(s)
current: 1716(bytes)hard: 0(bytes)  soft: 0(bytes)
allocated: 10   hard: 0 soft: 0
sadb_seq=0 pid=75781 refcnt=1
root on gateway#






root on gateway# setkey -FP; setkey -F ; ping 192.168.250.33
PING 192.168.250.33 (192.168.250.33): 56 data bytes
64 bytes from 192.168.250.33: icmp_seq=0 ttl=64 time=35.470 ms
64 bytes from 192.168.250.33: icmp_seq=1 ttl=64 time=33.644 ms
64 bytes from 192.168.250.33: icmp_seq=2 ttl=64 time=33.889 ms
64 bytes from 192.168.250.33: icmp_seq=3 ttl=64 time=33.670 ms
64 bytes from 192.168.250.33: icmp_seq=4 ttl=64 time=34.687 ms
64 bytes from 192.168.250.33: icmp_seq=5 ttl=64 time=33.907 ms
^C
--- 192.168.250.33 ping statistics ---
6 packets transmitted, 6 packets received, 0% packet loss
round-trip min/avg/max/stddev = 33.644/34.211/35.470/0.661 ms

root on gateway# ping 192.168.250.2
PING 192.168.250.2 (192.168.250.2): 56 data bytes
64 bytes from 192.168.250.2: icmp_seq=0 ttl=64 time=35.012 ms
64 bytes from 192.168.250.2: icmp_seq=1 ttl=64 time=34.409 ms
64 bytes from 192.168.250.2: icmp_seq=2 ttl=64 time=34.092 ms
^C
--- 192.168.250.2 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 34.092/34.504/35.012/0.382 ms

root on gateway# setkey -f /etc/ipsec.conf

root on gateway# ping 192.168.250.2
PING 192.168.250.2 (192.168.250.2): 56 data bytes
64 bytes from 192.168.250.2: icmp_seq=0 ttl=64 time=37.455 ms
64 bytes from 192.168.250.2: icmp_seq=1 ttl=64 time=37.240 ms
64 bytes from 192.168.250.2: icmp_seq=2 ttl=64 time=37.909 ms
^C
--- 192.168.250.2 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 37.240/37.535/37.909/0.279 ms
root on gateway# ping 192.168.250.33
PING 192.168.250.33 (192.168.250.33): 56 data bytes
^C
--- 192.168.250.33 ping statistics ---
23 packets transmitted, 0 packets received, 100% packet loss
regards


Chris Scott
MK NOC

01908223901


IMPORTANT NOTICE:
This email may be confidential, may be legally privileged, and is for the
intended recipient only.  Access, disclosure, copying, distribution, or
reliance on any of it by anyone else is prohibited and may be a criminal
offence.  Please delete if obtained in error and email confirmation to the
sender.


regards


Chris Scott






RE: monitoring CPU/mem etc without SNMP

2002-11-07 Thread chris scott
Better still, why don't you set up a simple VPN to each host from the
monitoring box, and only bind the snmpd to the internal IP,
firewall off the public side totally. If all the machines are local then
just build a service network to run the SNMP traffic over instead of the
VPN.
Basically there are loads of ways you can secure the SNMP traffic from
external prying eyes.





I think trying to find a systems management/monitoring solution that doesn't
use SNMP that is free might be difficult.  I'm sure there are applications
out there that will do what you're looking for but that will have a daemon
running on your managed client, or, monitored system, and with that said,
then you have to start thinking about how to secure that.

If you're worried about security and all of these machines are running
FreeBSD, then why not run ipfw or ipf on those machines to allow only those
machines you specify in?  That way you could run SNMP and utilize SNMP
queries to collect data.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:owner-freebsd-questions;FreeBSD.ORG]On Behalf Of twig les
Sent: Thursday, November 07, 2002 4:30 PM
To: [EMAIL PROTECTED]
Subject: monitoring CPU/mem etc without SNMP


Hey all, after a bit of thinking and some looking thru
email archives I'm still stumped on a way to get CPU,
memory, disk I/O, disk use etc info from one
machine to another without using SNMP.  All these
boxes are FreeBSD 4.7 Release.

I'm sure I could rig a script to ssh into the boxes
and do a df -h etc. and write the info to a file but
my gut tells me there is a MUCH better solution that
someone with far better programming skills has already
come up with and stuck in the ports collection.

So is anyone doing this?  The key I'm looking for is
security, which negates SNMP.  Something small and
secure with almost no extra features would be nice.

TIA

=
---
If you give a man a fish, he can eat for a day
If you bludgeon him to death, you can eat the fish yourself
---








[EMAIL PROTECTED]

regards


Chris Scott
MK NOC

01908223901





Re: roaming ipsec policies and racoon

2002-07-21 Thread chris scott

Racoon certainly ain't well documented; the man page is all you get. Having
said that, I have figured out most stuff I need to now. If only winkblows
would do user-based preshared keys like racoon can, it would all be so easy.
Interestingly, how do most ppl configure their VPN IPsec policies? I found
all the example ones out there would encrypt the inside of the gif, gre,
whatever tunnel. This didn't make sense to me, as if you added another
network to one of the LANs you would have to update your policies to cope
with the new traffic. I just set up a tunnel, and zebra running ripd on both
hosts, then encrypted all tunnel traffic between both the hosts, in my case
IP protocol 4 (gif tunnel). Works fine for me; all I have to do now is
configure a new interface for the new network and bang, it sorts out the
rest.


- Original Message -
From: Lupe Christoph [EMAIL PROTECTED]
To: chris scott [EMAIL PROTECTED]
Cc: John Howie [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Sunday, July 21, 2002 10:37 PM
Subject: Re: roaming ipsec policies and racoon


 On Sunday, 2002-07-21 at 19:48:47 +0100, chris scott wrote:
  thanks for all the advice, looks like a much bigger job than I intended 8(

 I found it a little more complicated than IP-based IPSec, but it
 gives you more flexibility. The biggest problem was when I screwed
 up with the server DN. It took a while to find how you can get the
 Windows XP client to tell you what it doesn't like. Typically
 Micro$oft.  Something went wrong, and as a Windows user we assume
 you're too stupid to understand what. G

 Racoon is quite decent, but badly documented. And when I last looked,
 it lacked CRL (Certificate Revocation List) support. And I needed
 that for my client, so I had to use FreeS/WAN.

 Rechecking CRL support, I found this URL:
   http://www.sigsegv.cx/FreeBSD-WIN2K-IPSEC-HOWTO.html
 It doesn't say if CRLs work, but it looks helpful for people
 wanting to do certificates.

 Lupe Christoph
 --
 | [EMAIL PROTECTED]   |   http://www.lupe-christoph.de/ |
 | I have challenged the entire ISO-9000 quality assurance team to a  |
 | Bat-Leth contest on the holodeck. They will not concern us again.  |
 | http://public.logica.com/~stepneys/joke/klingon.htm|
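
The policy choice described in the reply above, as an added example that is not part of the original posts: a simplified Python model of outbound SPD selector matching that compares one policy per LAN pair with a single policy on the gif tunnel endpoints (IP protocol 4). All addresses, flows and names are constructed, and the generated spdadd lines are illustrative, not the poster's configuration.

```python
import ipaddress
from dataclasses import dataclass

GW_A, GW_B = "192.0.2.1", "198.51.100.1"   # constructed gateway addresses
IPENCAP = 4                                # IP protocol 4, what a gif tunnel emits

@dataclass(frozen=True)
class Selector:
    """One outbound SPD selector: source prefix, destination prefix, protocol."""
    src: str
    dst: str
    proto: object                          # protocol number or "any"
    rule: str                              # IPsec request in setkey syntax

    def matches(self, pkt):
        src, dst, proto = pkt
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", proto))

    def spdadd(self):
        return f"spdadd {self.src} {self.dst} {self.proto} -P out ipsec {self.rule};"

def gif_outer(inner_pkt):
    """Outer header gif puts on any routed packet: the inner addresses are hidden."""
    return (GW_A, GW_B, IPENCAP)

def unprotected(spd, packets):
    """Packets that match no selector (simplified: they would leave unencrypted)."""
    return [p for p in packets if not any(s.matches(p) for s in spd)]

# Style 1: one policy per LAN pair, matched on the inner addresses.
PER_LAN = [Selector("10.1.0.0/24", "10.2.0.0/24", "any",
                    f"esp/tunnel/{GW_A}-{GW_B}/require")]
# Style 2 (the approach in the post): one policy on the tunnel endpoints, protocol 4.
PER_TUNNEL = [Selector(f"{GW_A}/32", f"{GW_B}/32", IPENCAP, "esp/transport//require")]

# Constructed flows: an existing LAN, then a LAN added later behind gateway A.
FLOWS = [("10.1.0.10", "10.2.0.20", 6), ("10.3.0.10", "10.2.0.20", 6)]

def compare():
    return {
        "per_lan": unprotected(PER_LAN, FLOWS),
        "per_tunnel": unprotected(PER_TUNNEL, [gif_outer(f) for f in FLOWS]),
        # Caveat: gateway-to-gateway traffic that is not gif (here ICMP) is not selected.
        "gateway_icmp": unprotected(PER_TUNNEL, [(GW_A, GW_B, 1)]),
    }

if __name__ == "__main__":
    for sel in PER_LAN + PER_TUNNEL:
        print(sel.spdadd())
    print(compare())
```

The per-LAN policy set misses the flow from the newly added 10.3.0.0/24 network until a policy is written for it, while the endpoint policy covers every flow routed into the tunnel but nothing else exchanged between the gateways.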




