/var overflow and named pipes?

2012-09-25 Thread Gary Aitken
Hi all,

After running for a whopping 10 days or so, during which the use of my /var
as shown by df stayed at 62%, my system hung in X.
I was able to exit to a vty using ctrl-alt-Fn

At that point I killed X using kill -SIGHUP

I then attempted to restart X.
It came up, but in a clobbered condition with some icons under xfwm4 not
showing, and some of the top menu bar text hosed (showing the square box
char which usually indicates bad character data).
I was able to shut it down by exiting the controlling xterm.

Somewhere in there I'm pretty sure I saw a message something like
  Too many named pipes

When trying to start X again, there were a boatload of messages:
  Fatal IO Error 35 (Resource temporarily unavailable) on X server :0.0
Messages showed up for programs being started in the startx script
 (xfwm4, xterm)
and some spawned by those
 (thunar...)
Then the message:
  XIO: Fatal IO error 35 (...)
  after 518 requests (388 known processed)
  with 0 events remaining

At that point, /var was at 109%

Examining /var, there was one huge file, Xorg.0.log.
Neither head nor tail nor the portions of the interior I've looked at
of that file shows anything particularly interesting;
however, what is interesting is it seems to contain a never-ending repeat
of reinitialization of the graphics card for monitor configuration.
I copied the offending Xorg.0.log file to save it in a place with more space
so I could examine it later, then deleted it.
Portion appended below.

However, when I restarted X I was still getting the fatal io errors,
so I shutdown the system and rebooted.

Also, since I was editing several (small) text files using vi, 
upon rebooting I got the usual messages about recovery.
One of those files, when I attempted recovery, indicated it was huge.
The file itself was small, ~180 lines, and had been saved already
so the huge recovery file was somehow corrupt.
I interrupted the recovery attempt (^C, took a *long* time to respond), 
checked /var size with du, and it was still only 62% 
so I may have averted another overflow there.

/var/log/messages shows nothing for 16 hrs and then:
Sep 24 16:22:01 breakaway kernel: pid 59110 (dd), uid 2 inumber 113248 on /var: filesystem full
Sep 24 16:33:00 breakaway kernel: pid 79946 (dd), uid 2 inumber 113453 on /var: filesystem full
Sep 24 17:33:00 breakaway last message repeated 501 times
etc...

I *think* all of the above is true; 
unfortunately, I didn't write notes until some things had passed and
some notes were incomplete as to where in the process they occurred.

Questions:

1. Can anyone shed light on the too many named pipes message?
   Is this likely caused by xfwm4 / thunar ipc?

2. Is the XIO error 35 (Resource temporarily unavailable) probably referring
   to the unavailability of named pipes?
   Or the unavailability of space in the Xorg.0.log file?
   Or does a pipe require space on /var and therefore when /var fills,
   no pipes are available?
   Are the X log files supposed to cycle the way system logs do?

3. Is there a way to see which processes have named pipes opened?
   After killing X and restarting,
 /usr/local/libexec/gam_server
   was still running and showing a runtime of 6472:54.82,
   very large compared to everything else.
   It's my understanding gam_server is used to detect changes in a file or
   directory; and might be using pipes for this purpose.
   Is this likely holding onto pipes?
   Is there an easy way to cause it to exit when X exits?

4. I've noticed the growing Xorg.0.log file in the past, 
   but since /var was staying small it seemed like I had plenty of room.
   Then it seemed to suddenly explode when the system hung.
   Is this a known issue with resetting the graphics card?
 (In this case an unsupported Visiontek 900331 which used Radeon HD 5550)
   There is a redhat bug which may be relevant:
 https://bugzilla.redhat.com/show_bug.cgi?id=820731
   Would getting a different graphics card likely solve this issue?

5. This *feels* like a sudden runaway condition.
   Shouldn't I normally get mail indicating /var is full before reaching 109%?
   There's 10 min between the first two full messages,
   and I didn't get *any* file sys full messages.

Minor Issue:
   /var/tmp contains a number of empty directories with names 
 virtual-[user].xx and gvfs-[user]-xx
   cleanvar_enable is set in /etc/defaults/rc.conf, I have not overridden it;
   but these dirs are obviously not being removed.
   Do I need to specifically turn on
 daily_clean_tmps_enable
 daily_clean_disks_enable
   Are there any reasons *not* to turn these on?
   In particular, if things are still running using some files in those places
   which were created early enough to be candidates for deletion?

Thanks for any insights,

Gary

 Xorg.0.log repeated sequence =
(II) RADEON(0): Monitor name: LCD1970NX
(II) RADEON(0): Serial No: 57302818YA
(II) RADEON(0): EDID (in hex):
(II) RADEON(0
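Two things in the timeline above are worth turning into a check: syslogd's "last message repeated 501 times" line hides the real volume of kernel "filesystem full" events, and a full /var is exactly where logging stops, so nothing after that point gets recorded. The following is an added example (mine, not from the post) that replays syslogd's repeat compression and counts filesystem-full events per filesystem, command and uid. The log lines are constructed, modelled on the ones quoted above with the wrapped lines re-joined, plus one unrelated sshd line to show that it is filtered out.

```python
import re
from collections import Counter

# Constructed sample, modelled on the kernel lines quoted in the post above.
# The "repeated" line is syslogd's own compression of 501 identical messages.
SAMPLE_MESSAGES = """\
Sep 24 16:22:01 breakaway kernel: pid 59110 (dd), uid 2 inumber 113248 on /var: filesystem full
Sep 24 16:33:00 breakaway kernel: pid 79946 (dd), uid 2 inumber 113453 on /var: filesystem full
Sep 24 17:33:00 breakaway last message repeated 501 times
Sep 24 17:40:12 breakaway sshd[1234]: Accepted publickey for luser from 192.0.2.10 port 50000 ssh2
"""

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
REPEAT_RE = re.compile(r"^last message repeated (?P<n>\d+) times$")
FULL_RE = re.compile(
    r"^kernel: pid (?P<pid>\d+) \((?P<cmd>[^)]+)\), uid (?P<uid>\d+) "
    r"inumber \d+ on (?P<fs>\S+): filesystem full$"
)


def expand_repeats(text):
    """Yield (timestamp, host, message) for every logical event, replaying
    syslogd's 'last message repeated N times' as N copies of the previous line."""
    prev = None
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts, host, msg = m.group("ts"), m.group("host"), m.group("msg")
        rep = REPEAT_RE.match(msg)
        if rep and prev is not None:
            for _ in range(int(rep.group("n"))):
                yield (ts, host, prev)
            continue
        prev = msg
        yield (ts, host, msg)


def filesystem_full_events(text):
    """Count kernel 'filesystem full' messages per (filesystem, command, uid)."""
    counts = Counter()
    for _ts, _host, msg in expand_repeats(text):
        m = FULL_RE.match(msg)
        if m:
            counts[(m.group("fs"), m.group("cmd"), int(m.group("uid")))] += 1
    return counts


def alert_threshold(counts, threshold=1):
    """Filesystems whose total number of full events reaches the threshold."""
    per_fs = Counter()
    for (fs, _cmd, _uid), n in counts.items():
        per_fs[fs] += n
    return sorted(fs for fs, n in per_fs.items() if n >= threshold)


if __name__ == "__main__":
    c = filesystem_full_events(SAMPLE_MESSAGES)
    for key, n in sorted(c.items()):
        print(key, n)
    print("alert:", alert_threshold(c))
```

Run against the three kernel lines above it reports 503 full events on /var from dd running as uid 2, not the 3 lines a naive grep -c would count; a monitor that only counts raw lines would have under-reported this incident by two orders of magnitude.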

Named | Annoying behaviour

2011-08-04 Thread Jos Chrispijn

Dear group,

I lately face an issue with BIND 9.4.-ESV-R4-P1.

According to my log file, I get the following error:
Aug  4 12:00:03 triton named[93266]: starting BIND 9.4.-ESV-R4-P1 -c 
/etc/namedb/named.conf -t /var/named -u bind
Aug  4 12:00:03 triton named[93266]: command channel listening on 127.0.0.1#953
Aug  4 12:00:03 triton named[93266]: command channel listening on ::1#953
Aug  4 12:00:03 triton named[93266]: _the working directory is not writable_
Aug  4 12:00:03 triton named[93266]: running

I tried to chmod w+g the respective directory, but it is set to default again by 
bind itself.
Can someone tell me how I can resolve the +w on the working directory?

BR,
Jos Chrispijn


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: Named | Annoying behaviour

2011-08-04 Thread Matthew Seaman
on 04/08/2011 11:33, Jos Chrispijn wrote:
 I lately face an issue with BIND 9.4.-ESV-R4-P1.

I deduce that you are running FreeBSD 7.x 

 According to my log file, I get the following error:
 Aug  4 12:00:03 triton named[93266]: starting BIND 9.4.-ESV-R4-P1 -c
 /etc/namedb/named.conf -t /var/named -u bind
 Aug  4 12:00:03 triton named[93266]: command channel listening on
 127.0.0.1#953
 Aug  4 12:00:03 triton named[93266]: command channel listening on ::1#953
 Aug  4 12:00:03 triton named[93266]: _the working directory is not
 writable_
 Aug  4 12:00:03 triton named[93266]: running
 
 I tried to chmod w+g the respective directory, but it is set to default
 again by bind itself.
 Can someone tell me how I can resolve the +w on the working directory?

By default, the permissions on and location of Bind's working directory
should be:

% ls -lad /etc/namedb/working
drwxr-xr-x  2 bind  wheel  6 Aug  4 11:26 /etc/namedb/working/

Now, as you're clearly running named under the bind user ID, this
suggests that perhaps you have some other directory defined as your
working directory in named.conf  Check the 'directory' setting in the
options {}; block.

The location of the working directory was changed not so long ago --

http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/namedb/named.conf#rev1.30

-- due to the requirement for named to track various data to do with
DNSSEC.  Previously, the working directory was /etc/namedb but simply
making this writable by named would have meant a process with the
credentials that named runs as could re-write named's configuration
file; an unacceptable security risk for a daemon exposed to the internet.

One unfortunate consequence is that any relative paths within named.conf
have to be altered accordingly.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
JID: matt...@infracaninophile.co.uk   Kent, CT11 9PW





Re: Named | Annoying behaviour

2011-08-04 Thread Jos Chrispijn

Matthew Seaman:

One unfortunate consequence is that any relative paths within named.conf
have to be altered accordingly.
Thanks for your detailed explanation, I will follow up and let you know 
if I managed to solve it.


BR
Jos Chrispijn


fuser(1): do FIFOs and sockets count as named files?

2011-05-26 Thread Pan Tsu
fuser(1) man page mentions the tool is supposed to list processes that
have specified named file(s) open. As there are several types of files
(according to stat(2)) it's not clear which are supported, e.g.

  $ (mkfifo foo.fifo; cat foo.fifo) & nc -lU foo.socket &
  $ fuser foo.*
  foo.fifo:
  foo.socket:

  $ procstat -af | awk 'NR == 1 || /foo/'
    PID COMM   FD T V FLAGS    REF  OFFSET PRO NAME
   6672 cat     0 f - rw--       2       0 -   /home/luser/foo.fifo
  11493 nc      3 s - rw--       2       0 UDS foo.socket

  $ fstat | awk 'NR == 1 || $2 ~ /cat/ && $4 ~ 0 || $2 ~ /nc/ && $4 ~ 3'
  USER  CMD    PID   FD MOUNT        INUM MODE         SZ|DV R/W
  luser nc   11493   3* local stream fe00a980d690
  luser cat   6672    0 /home/luser  5982 prw-r--r--       0 rw

fuser(1) on BusyBox/Linux does show open FIFOs, not sure about sockets.

--
FreeBSD 9.0-CURRENT r47M amd64
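The question above, and question 3 in the /var thread earlier on this page (which processes are holding named pipes open), come down to the same scan. On FreeBSD the procstat -af and fstat output above already answers it. For Linux, which the post mentions in passing for BusyBox fuser, here is an added example (mine, not from the post and not how fuser does it) that walks /proc/<pid>/fd and matches FIFOs by resolved path and bound UNIX sockets by inode via /proc/net/unix, since a socket fd only shows up as socket:[inode]. The file names and the demo() scenario are constructed; processes whose fd tables you may not read are skipped, so run it as root to see everything.

```python
import os
import socket
import stat
import tempfile


def fd_targets(pid):
    """Return {fd: link_target} from /proc/<pid>/fd, or {} if we may not look."""
    fd_dir = f"/proc/{pid}/fd"
    out = {}
    try:
        names = os.listdir(fd_dir)
    except OSError:
        return out
    for name in names:
        try:
            out[int(name)] = os.readlink(os.path.join(fd_dir, name))
        except OSError:
            pass  # fd closed between listdir and readlink
    return out


def unix_socket_inodes(path):
    """Inode numbers of UNIX-domain sockets currently bound to `path`,
    taken from /proc/net/unix (columns: ... Inode Path)."""
    inodes = set()
    try:
        with open("/proc/net/unix") as f:
            next(f)  # column header
            for line in f:
                parts = line.split()
                if len(parts) >= 8 and parts[7] == path:
                    inodes.add(parts[6])
    except (OSError, StopIteration):
        pass
    return inodes


def holders(path):
    """Sorted (pid, fd) pairs of processes holding `path` open.

    FIFOs and regular files appear in /proc/<pid>/fd as their resolved path.
    A bound UNIX socket appears only as 'socket:[inode]', so for sockets the
    path is translated to inode numbers first and those are matched."""
    target = os.path.realpath(path)
    wanted = set()
    if stat.S_ISSOCK(os.stat(target).st_mode):
        wanted = unix_socket_inodes(target)
    found = []
    for pid in (p for p in os.listdir("/proc") if p.isdigit()):
        for fd, link in fd_targets(pid).items():
            if link == target:
                found.append((int(pid), fd))
            elif link.startswith("socket:[") and link[8:-1] in wanted:
                found.append((int(pid), fd))
    return sorted(found)


def demo():
    """Constructed scenario mirroring the post: hold a FIFO (like the backgrounded
    cat) and a listening UNIX socket (like nc -lU) open from this process and
    report whether the scan attributes each of them to our own pid."""
    d = os.path.realpath(tempfile.mkdtemp())
    fifo, sock_path = os.path.join(d, "foo.fifo"), os.path.join(d, "foo.socket")
    os.mkfifo(fifo)
    fd = os.open(fifo, os.O_RDONLY | os.O_NONBLOCK)
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.bind(sock_path)
    s.listen(1)
    me = os.getpid()
    try:
        return {
            "fifo": (me, fd) in holders(fifo),
            "socket": (me, s.fileno()) in holders(sock_path),
        }
    finally:
        os.close(fd)
        s.close()
        os.unlink(fifo)
        os.unlink(sock_path)
        os.rmdir(d)


if __name__ == "__main__":
    print(demo())
```

The inode detour is the whole point: a scan that only compares fd link targets against the path will find the FIFO and miss the socket, which is the same asymmetry the fstat output above shows (a mount point and inode for the FIFO, a kernel address for the socket).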


named/bind problems....

2011-01-19 Thread Gary Kline
Yesterday noon my time I rebooted my server.  Things seemed to be slow.
Several streams were hanging or stopping, and because ethic.thought.org had
been up for 61 days I figured it wouldn't hurt to reinitialize stuff.

Well, nutshell, disaster.  For hours it wasn't clear whether the server would
survive, but eventually i got a portupgrade -avOPk going and now I am close to
having every port rebuilt.  

Now host kuow.org gives the IP address of the U/Washington.  Etc. last
night for unknown reasons even this failed.  I remembered that late last fall
I  was warned the bind9 was nearing its end/life.   I okayed the portupgrade
to remove bind9 and install whatever its follow up would be.  

Since then, my kill9named script[s] and my restartnamed script[s] have failed.
Can anyone save me from hours of tracking down whatever I have to to put
things right?   

Every time I get in trouble with this bind stuff it occurs to me how significant an
achievement it is to have a
service that automagically maps quad/dotted-decimals to actual words.

Sorry if this sounds disjoint; it is past time for a lollipop and a blanket
and a *nap*

gary



-- 
 Gary Kline  kl...@thought.org  http://www.thought.org  Public Service Unix
The 7.97a release of Jottings: http://jottings.thought.org/index.php
   http://journey.thought.org
 ethic 


Re: named/bind problems....

2011-01-19 Thread Robert Boyer
Sorry to see you are still having issues. I thought you were set when we fixed 
your resolv last night.

Okay - let's start from scratch here

Are you sure you need a named? Are you actually serving dns for your own IP 
addresses or are you using it as a caching server? Getting a new named 
working/installed is not an issue. Config files are usually an issue. If you 
can explain your network topology and what you are trying to make work I can 
probably point you in the right direction.


We did get your local resolution issue solved didn't we?

RB



Re: named/bind problems....

2011-01-19 Thread Gary Kline
On Wed, Jan 19, 2011 at 06:11:23PM -0500, Robert Boyer wrote:
 Sorry to see you are still having issues. I thought you were set when we 
 fixed your resolv last night.
 
 Okay - let's start from scratch here
 
 Are you sure you need a named? Are you actually serving dns for your own IP 
 addresses or are you using it as a caching server. Getting a new named 
 working/installed is not an issue. Config files are usually and issue. If you 
 can explain your network topology and what you are trying to make work I can 
 probably point you in the right direction.
 


Last night I was on the right track; then suddenly things broke and I
have no idea why.  From the modem/router, the wire goes thru my 
firewall that runs pfSense.  Then output from the firewall plugs
into my switch.  

My DNS/Mail/web server is a separate box that plugs into the
hub/switch as well.  [i think; it is hard for me to get down 
and crawl around under the desk.]  The server has been running named
since April, '01.  I read DNS AND BIND to get things going; then in
late '07 serious network troubles and help from someone in the Dallas
Ft-Worth area reconfigured my network.  This fellow mostly edited
the /etc/namedb/named.conf and related files.  I also host a friend's
site, gratis.  He is a builder; we have been friends for nearly
twenty years.   His site is a very small part of the picture; I 
mention it only to emphasize that my setup is not entirely trivial.

Would it help to shar or tarball up my namedb files?

FWIW, I am logged into ethic on a console.  Usually I work in X11
and have xset r off set to prevent key bounces.


 
 We did get your local resolution issue solved didn't we?


I think in KVM'ing from tao to  ethic and back, the   configuration we 
set up last night  broke.   At least, in watching portupgrade draw in
more and more files [on ethic], when I KVM back to my desktop, the
mutt settings get lost

-gary

 




Re: named/bind problems....

2011-01-19 Thread Robert Boyer
okay,

lets start from the beginning here...

1) Do you have your own IP address and IP address block that you are hosting 
DNS for or is it local only?

2) from talking with you last night I want to make sure you are aware of two 
things...

A) resolv.conf is used for name resolution on EVERY system; it tells ALL 
   of the software where to get name services from. We fixed this last night for one of 
   your systems by pointing it at a name server that works (the one you had did 
   not work).
B) named provides name services (as well as forwarding to other dns 
   services) and can be pointed to by resolv.conf on your local systems - if it 
   is not working AND your local resolv.conf files are pointing there your name 
   resolution will not work.
C) you can get internet name services working temporarily by using some 
   of the servers I gave you, 8.8.8.8 and 8.8.4.4, in all of your resolv.conf files 
   - you don't need named to work for this. You can also use /etc/hosts for your 
   couple of local name/address translations as a work around until you get named 
   working again.

3) dig is your friend for debugging named - you can use dig @local-dns-address 
lookup-name to debug your named while still using external name servers in your 
resolv.conf and local naming in /etc/hosts until you ACTUALLY are sure your 
local named is working.

4) The only thing you really really need a local named for is if you have a 
real IP block that you are responsible for providing name services on the 
internet for - rarely the case and even if you do you can temporarily jam the 
names you care about in another DNS server somewhere out there like zoneedit 
or free dns temporarily.

Get your stuff working then debug your named.

RB

Re: named/bind problems....

2011-01-19 Thread Gary Kline


HEy:: I quit out of portupgrade when it tried to pull over 200MB 
of stuff, did a pkgdb -Fv; then found the new xdm actually works!

So I am back with two or more xterms/Konsoles and able to type
legibly.   Dunno what happened but ain't asking no questions

At least now I will be able to use my 4-port KVM switch to mv back and
forth from here on ethic [Server] to tao [Desktop], and have fewer
troubles.

:_)


On Wed, Jan 19, 2011 at 06:11:23PM -0500, Robert Boyer wrote:
 Sorry to see you are still having issues. I thought you were set when we 
 fixed your resolv last night.
 
 Okay - let's start from scratch here
 
 Are you sure you need a named? Are you actually serving dns for your own IP 
 addresses or are you using it as a caching server. 


i am actually serving my own DNS for 209.180.213.209-//213.  No
ethic, my domain disappears from the world.  

Note that friends say that I am a bit nuts to do this myself; they
think I should just pay somebody to host my sites.  There is
www, jottings, journey, transfinite, the site that hosts my library
writing group, and the site that hosts my friend's business site.  


 Getting a new named working/installed is not an issue. Config files are 
 usually and issue. If you can explain your network topology and what you are 
 trying to make work I can probably point you in the right direction.
 
 
 We did get your local resolution issue solved didn't we?


Somehow, with ^nameserver 8.8.8.8 added to my /etc/resolv.conf got
even my firefox webserver working on tao.  Not now.

Now that you know that I actually have ns1.thought.org [[
==ethic.thought.org ]]; that it serves my DNS, what next?  I admit to
only having glanced at the new bind97.  At 01:30 I was helping my
daughter with an English paper.

gary


 




Re: How to Best Prevent Unwanted named installation

2010-09-11 Thread RW
On Fri, 10 Sep 2010 15:58:42 -0500
Martin McCormick mar...@dc.cis.okstate.edu wrote:

   After successfully installing bind97 from a package on
 to a new server, I do a cvs-sup of the system to get the latest
 patches in to the kernel. After discovering that bind97 had been
 replaced with bind9.6.1, 

Presumably that's because you explicitly configured the port version to
install in the same place as the system version. It doesn't do that by
default.


Re: How to Best Prevent Unwanted named installation

2010-09-11 Thread Arthur Chance

On 09/10/10 21:58, Martin McCormick wrote:

After successfully installing bind97 from a package on
to a new server, I do a cvs-sup of the system to get the latest
patches in to the kernel. After discovering that bind97 had been
replaced with bind9.6.1, I looked in /usr/src and there is a
contrib/bind9 directory. What is the safest way to disable that
build without adversely affecting the rest of the update?

The reason for doing these things in this order is that
I would like to get bind running as quickly as possible since it
takes a couple of hours or more to get the world built when we
could be doing DNS.

Since I am not using that version of bind, not getting
it built is no problem. I don't even care if it gets built so
long as it does not end up in /usr/sbin to clobber the new
bind9.7.


If your ports version of named is in /usr/sbin you must have enabled the 
REPLACE_BASE option in the port. From man src.conf:

     WITHOUT_BIND
             Setting this variable will prevent any part of BIND from being
             built.  When set, it also enforces the following options:

[list of sub options snipped]

Add

WITHOUT_BIND= true

into /etc/src.conf, and the next time you rebuild the world the base 
system bind will be left out of it.



How to Best Prevent Unwanted named installation

2010-09-10 Thread Martin McCormick
After successfully installing bind97 from a package on
to a new server, I do a cvs-sup of the system to get the latest
patches in to the kernel. After discovering that bind97 had been
replaced with bind9.6.1, I looked in /usr/src and there is a
contrib/bind9 directory. What is the safest way to disable that
build without adversely affecting the rest of the update?

The reason for doing these things in this order is that
I would like to get bind running as quickly as possible since it
takes a couple of hours or more to get the world built when we
could be doing DNS.

Since I am not using that version of bind, not getting
it built is no problem. I don't even care if it gets built so
long as it does not end up in /usr/sbin to clobber the new
bind9.7.

This is not really a complaint. I just want to prevent
the installation of the old bind over the new one as simply as
possible.

Thanks.

Martin McCormick


Re: How to Best Prevent Unwanted named installation

2010-09-10 Thread Mike Tancsa

At 04:58 PM 9/10/2010, Martin McCormick wrote:

contrib/bind9 directory. What is the safest way to disable that
build without adversely affecting the rest of the update?


Hi,
Take a look at the man page for src.conf (and make.conf for 
completeness). You can control parts of what gets built and installed.


---Mike








Mike Tancsa,  tel +1 519 651 3400
Sentex Communications,m...@sentex.net
Providing Internet since 1994www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike



Re: Ownership of /var/named Changes on Reboot.

2010-06-17 Thread Matthew Seaman

On 17/06/2010 04:21:34, Peter Boosten wrote:
 On 17-6-2010 4:58, Robert Huff wrote:

 Martin McCormick writes:

 Is there a way to keep /var/named owned by bind across
  reboots?

  Yes.  I had this happen for a long time.
  The bad news is it had been years since I fixed it, and I no
 longer remember exactly what I did.  I will keep trying.


 
 Permissions are set using the mtree files:
 
 /etc/mtree/
 

Furthermore, the default setup *is* for named to run as an unprivileged
process.  The setup is very carefully designed so that named doesn't
have write permission on the directory where its configuration files are
stored, or on directories that contain static zone files, but it does
have write permission on directories it uses for zone files AXFR'd from
a master, or zone files maintained using dynamic DNS.

This used to generate a warning from bind about not having a writable
current working directory -- which was basically harmless and could be
ignored.  However recent changes mean bind needs a writable working
directory, so the latest layouts include /var/named/etc/namedb/working

Cheers,

Matthew

- -- 
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
JID: matt...@infracaninophile.co.uk   Kent, CT11 9PW


Re: Ownership of /var/named Changes on Reboot.

2010-06-17 Thread krad
On 17 June 2010 08:47, Matthew Seaman m.sea...@infracaninophile.co.ukwrote:


 On 17/06/2010 04:21:34, Peter Boosten wrote:
  On 17-6-2010 4:58, Robert Huff wrote:
 
  Martin McCormick writes:
 
  Is there a way to keep /var/named owned by bind across
   reboots?
 
   Yes.  I had this happen for a long time.
   The bad news is it had been years since I fixed it, and I no
  longer remember exactly what I did.  I will keep trying.
 
 
 
  Permissions are set using the mtree files:
 
  /etc/mtree/
 

 Furthermore, the default setup *is* for named to run as an unprivileged
 process.  The setup is very carefully designed so that named doesn't
 have write permission on the directory where its configuration files are
 stored, or on directories that contain static zone files, but it does
 have write permission on directories it uses for zone files AXFR'd from
 a master, or zone files maintained using dynamic DNS.

 This used to generate a warning from bind about not having a writable
 current working directory -- which was basically harmless and could be
 ignored.  However recent changes mean bind needs a writable working
 directory, so the latest layouts include /var/named/etc/namedb/working

Cheers,

Matthew

 - --
 Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
  Flat 3
 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
 JID: matt...@infracaninophile.co.uk   Kent, CT11 9PW


so the logical extension to this is by changing the ownership of the
directory to bind, you are making the configuration directory writeable, and
therefore you are actually lowering security.


Re: Ownership of /var/named Changes on Reboot.

2010-06-17 Thread Matthew Seaman

On 17/06/2010 09:37:03, krad wrote:
 so the logical extension to this is by changing the ownership of the
 directory to bind, you are making the configuration directory writeable, and
 therefore you are actually lowering security.

Correct.

Cheers,

Matthew

- -- 
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
JID: matt...@infracaninophile.co.uk   Kent, CT11 9PW


Re: Ownership of /var/named Changes on Reboot.

2010-06-17 Thread Martin McCormick
Matthew Seaman writes:
 Furthermore, the default setup *is* for named to run as an unprivileged
 process.  The setup is very carefully designed so that named doesn't
 have write permission on the directory where its configuration files are
 stored, or on directories that contain static zone files, but it does
 have write permission on directories it uses for zone files AXFR'd from
 a master, or zone files maintained using dynamic DNS.
 
 This used to generate a warning from bind about not having a writable
 current working directory -- which was basically harmless and could be
 ignored.  However recent changes mean bind needs a writable working
 directory, so the latest layouts include /var/named/etc/namedb/working

That turned out to be the issue. I reset the permissions
to match the way they are when one first installs bind.
Root owns /var/named but bind owns directories that should be
writable so the trick is to set one's named.conf file to
reference writable directories for all the zones, logs and
named.pid. It is now starting automatically on reboot just like
it should.

While bind owns all the writable subdirectories, they
all still have wheel as their GID. That appears to be okay since
they are all only writable by owner.

Thanks for explaining this annoying little mystery that
has dogged me at a minor level for years.

I have been running bind for Oklahoma State University
for close to 18 years and one tends to stick with configurations
that work. It is just time to modernize and at least configure
bind in the recommended way so as to take full advantage of the
clever design.

It does still give the message that the working
directory is not writable.

Martin McCormick
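The write-permission split Matthew describes, and the as-installed layout Martin restored (root owns the config tree, bind owns only the directories it must write to, group wheel, owner-write only), as an added audit script that is not part of this thread: it compares a directory tree's ownership and mode bits against that policy and reports where named can write but should not, or should but cannot. The bind uid/gid values and the master/slave/dynamic directory names are assumptions; only etc/namedb/working comes from the thread.

```python
import os
import stat
import sys
from dataclasses import dataclass

# Assumptions (not from the thread): FreeBSD's bind user is uid/gid 53;
# wheel is gid 0. Adjust for the system being audited.
BIND_UID = 53
BIND_GID = 53
WHEEL_GID = 0


@dataclass(frozen=True)
class Entry:
    """Ownership and permission bits of one directory under the chroot."""
    path: str   # relative to the chroot root, e.g. /var/named
    uid: int
    gid: int
    mode: int   # permission bits only, as from stat.S_IMODE()


# The split described in the thread: named may write to its working
# directory and to directories holding slave (AXFR'd) and dynamic-DNS
# zones, but not to the configuration directory or static zone
# directories. etc/namedb/working is the FreeBSD path from the thread;
# master/slave/dynamic are assumed names.
POLICY = {
    "etc/namedb":         False,
    "etc/namedb/master":  False,
    "etc/namedb/working": True,
    "etc/namedb/slave":   True,
    "etc/namedb/dynamic": True,
}


def writable_by(entry, uid, gid):
    """Unix discretionary check for a process running as uid/gid:
    owner bits if the uid matches, else group bits if the gid matches,
    else the 'other' bits. Supplementary groups are ignored (assumption)."""
    if entry.uid == uid:
        return bool(entry.mode & stat.S_IWUSR)
    if entry.gid == gid:
        return bool(entry.mode & stat.S_IWGRP)
    return bool(entry.mode & stat.S_IWOTH)


def audit(entries, policy=POLICY, uid=BIND_UID, gid=BIND_GID):
    """Return (path, problem) pairs for every policy path whose actual
    writability by named differs from the policy, or which is missing."""
    by_path = {e.path: e for e in entries}
    findings = []
    for path, should_write in policy.items():
        entry = by_path.get(path)
        if entry is None:
            findings.append((path, "missing"))
            continue
        can_write = writable_by(entry, uid, gid)
        if can_write and not should_write:
            findings.append((path, "writable by named: config/static zone "
                                   "directory should be read-only to named"))
        elif should_write and not can_write:
            findings.append((path, "not writable by named: named will fail "
                                   "to write its files here"))
    return findings


def good_layout():
    """Constructed sample matching the as-installed layout Martin describes:
    root:wheel owns the config tree, bind owns the writable subdirectories
    (group still wheel, writable by owner only)."""
    return [
        Entry("etc/namedb",         0,        WHEEL_GID, 0o755),
        Entry("etc/namedb/master",  0,        WHEEL_GID, 0o755),
        Entry("etc/namedb/working", BIND_UID, WHEEL_GID, 0o755),
        Entry("etc/namedb/slave",   BIND_UID, WHEEL_GID, 0o755),
        Entry("etc/namedb/dynamic", BIND_UID, WHEEL_GID, 0o755),
    ]


def chowned_layout():
    """Constructed sample of the shortcut krad warns against: the whole
    tree chowned to bind, so named could also rewrite its own named.conf."""
    return [Entry(e.path, BIND_UID, e.gid, e.mode) for e in good_layout()]


def snapshot(chroot, policy=POLICY):
    """Read the real ownership and mode of each policy path under chroot
    (e.g. /var/named). Paths that do not exist are left out, so audit()
    reports them as missing."""
    entries = []
    for rel in policy:
        try:
            st = os.lstat(os.path.join(chroot, rel))
        except FileNotFoundError:
            continue
        entries.append(Entry(rel, st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode)))
    return entries


if __name__ == "__main__":
    # Usage: python3 audit_named_perms.py [/var/named]
    chroot = sys.argv[1] if len(sys.argv) > 1 else "/var/named"
    for path, problem in audit(snapshot(chroot)):
        print(f"{chroot}/{path}: {problem}")
```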


Ownership of /var/named Changes on Reboot.

2010-06-16 Thread Martin McCormick
I run named chrooted to bind but not in a jail. When the
system reboots, something changes ownership of /var/named back
to root:wheel.

I have thought several times I figured out how to
prevent this from happening, but to no avail. The most promising
lead was the following directives in /etc/rc.conf.local:

named_uid=bind# User to run named as
named_chrootdir=  # Chroot directory (or  not to auto-chroot it)
named_chroot_autoupdate=YES   # Automatically install/update chrooted

Is there a way to keep /var/named owned by bind across
reboots?

Our production FreeBSD systems are up for years at a
time so we don't see this problem often, but we have just been
lucky that I am usually the one to reboot and know that named
will come up broken and exit because named cannot write into
/var/named when it is owned by root. It would be really nice to
be able to count on /var/named staying put so named can just
start automatically after a reboot.

I prefer for named to run as a low-priority UID rather
than as root so if I am doing something wrong, tell me that,
also. We have been running named with a high-numbered UID for
probably ten years and the force back to root ownership has
always been a factor when the system is rebooted.

Thank you.

Martin McCormick WB5AGZ  Stillwater, OK 
Systems Engineer
OSU Information Technology Department Telecommunications Services Group


Ownership of /var/named Changes on Reboot.

2010-06-16 Thread Robert Huff

Martin McCormick writes:

   Is there a way to keep /var/named owned by bind across
  reboots?

Yes.  I had this happen for a long time.
The bad news is it had been years since I fixed it, and I no
longer remember exactly what I did.  I will keep trying.


Robert Huff



Re: Ownership of /var/named Changes on Reboot.

2010-06-16 Thread Peter Boosten
On 17-6-2010 4:58, Robert Huff wrote:
 
 Martin McCormick writes:
 
  Is there a way to keep /var/named owned by bind across
  reboots?
 
   Yes.  I had this happen for a long time.
   The bad news is it had been years since I fixed it, and I no
 longer remember exactly what I did.  I will keep trying.
 
 

Permissions are set using the mtree files:

/etc/mtree/

Peter

-- 
http://www.boosten.org


named - Is It Possible to Forward Requests for One Domain to Another Server?

2010-05-25 Thread Drew Tomlinson
In my home network, I have named running to resolve machines on my LAN.  
It is also configured to forward requests to my ISP for all other queries.


On another machine in my LAN, I used mpd to create a vpn connection to 
my work and set appropriate routes so that any machine on my LAN can 
access any machine at my work over the vpn (using mpd's nat function).  
This works when accessing via the IP address.  Now I'm trying to get DNS 
resolution for machines at work.


Is there some way I can tell named to request DNS info for my work 
domain from my work's DNS server available over the vpn?  Does this make 
sense?


Thanks,

Drew




Re: named - Is It Possible to Forward Requests for One Domain to Another Server?

2010-05-25 Thread Thomas Keusch
On Tue, May 25, 2010 at 04:30:04PM -0700, Drew Tomlinson wrote:

Hi Drew,

 In my home network, I have named running to resolve machines on my LAN.  
 It is also configured to forward requests to my ISP for all other queries.
 
 On another machine in my LAN, I used mpd to create a vpn connection to 
 my work and set appropriate routes so that any machine on my LAN can 
 access any machine at my work over the vpn (using mpd's nat function).  
 This works when accessing via the IP address.  Now I'm trying to get DNS 
 resolution for machines at work.
 
 Is there some way I can tell named to request DNS info for my work 
 domain from my work's DNS server available over the vpn?  Does this make 
 sense?

Yes, it makes sense. What you're looking for is a forward type zone in
named.conf, like

zone "foobar.com" {
    type forward;
    forward only;
    forwarders { ip_of_work_dns_server; };
};

I'm not sure if I got the syntax 100% right.

Also consider that this might interfere with the setup of the VPN, if
you're using DNS names in the configuration, as named will not be able
to resolve hosts in foobar.com without being able to reach
ip_of_work_dns_server.


Regards
Thomas


-- 

* Freelance Linux & BSD system engineer // IT Consultant *
-=- Homepage: http://www.bsd-solutions-duesseldorf.de -=-


Re: named - Is It Possible to Forward Requests for One Domain to Another Server?

2010-05-25 Thread Drew Tomlinson

On 5/25/2010 4:58 PM, Thomas Keusch wrote:

On Tue, May 25, 2010 at 04:30:04PM -0700, Drew Tomlinson wrote:

Hi Drew,

   

In my home network, I have named running to resolve machines on my LAN.
It is also configured to forward requests to my ISP for all other queries.

On another machine in my LAN, I used mpd to create a vpn connection to
my work and set appropriate routes so that any machine on my LAN can
access any machine at my work over the vpn (using mpd's nat function).
This works when accessing via the IP address.  Now I'm trying to get DNS
resolution for machines at work.

Is there some way I can tell named to request DNS info for my work
domain from my work's DNS server available over the vpn?  Does this make
sense?
 

Yes, it makes sense. What you're looking for is a forward type zone in
named.conf, like

zone "foobar.com" {
    type forward;
    forward only;
    forwarders { ip_of_work_dns_server; };
};

I'm not sure if I got the syntax 100% right.

Also consider that this might interfere with the setup of the VPN, if
you're using DNS names in the configuration, as named will not be able
to resolve hosts in foobar.com without being able to reach
ip_of_work_dns_server.
   


Hi Thomas,

Thank you for your reply. That was what I needed.

Cheers,

Drew


Can a foreign drive's mirrors be prevented from joining identically named mirrors?

2010-05-08 Thread Peter Steele
Say I have two systems with two hot-swappable drives and have created mirrors 
for root, var, and swap across those two drives on each system. If I take a 
drive from one system and insert it into the other system, it appears that the 
mirror providers on that drive automatically insert themselves into the 
identically named mirrors on the system where the drive has been inserted. 
What's worse, they may also become recognized as the mirrors with the most 
recent data, even though they came from a different system and should in fact 
be immediately flagged as dirty and synchronized with the mirrors on the 
receiving system.

The only solution we've found is that drives being inserted into an existing 
system should be thoroughly wiped first. The problem with that is we cannot be 
certain a user will follow that guideline. The alternative is to make sure that 
the mirrors are uniquely named across all systems. So for example instead of 
having mirrors named root, var, and swap, we could name them root-macId, 
var-macId, and swap-macId, where macId is a unique ID based on the MAC 
address of a given system's Ethernet interface. This is a 100% solution but it 
would likely solve most of the problems we've encountered.

My question is whether there is any other way to accomplish this? We do not 
want the mirrors on a drive being inserted into another system to automatically 
be added to the receiving system's identically named mirrors.



Re: Does NAT require DNS (named)?

2010-04-12 Thread Gary Dunn
On Thu, 2010-04-08 at 20:46 -0400, Brodey Dover wrote:
 If you already have a name server on your network then no, the WAP
 will not need to use DNS. You can tell the clients of the WAP that a
 nameserver exists in the DHCPD.conf file.
 
 I believe you can also set router 10.0.0.1 for example in the dhcpd.conf.
 
 On Thu, Apr 8, 2010 at 8:32 PM, Gary Dunn o...@aloha.com wrote:
  On Thu, 8 Apr 2010 17:05:12 -0400 mikel king mikel.k...@olivent.com wrote:
 
  On Apr 8, 2010, at 4:57 PM, Gary Dunn wrote:
[snip]

Thanks for all the help with this! I got NAT working today by commenting
out my custom menu stuff and doing exactly what the handbook documents,
with adjustments for the outdated ipfw documentation. Now I need to
backtrack to get back to my menu design goals.

I got DNS working by placing my upstream DNS servers in dhcpd.conf.
Works fine as long as the router never moves. It is supposed to be
mobile, so I am working on a simple solution for that. Still might go
with a full DNS, as some suggest, but I need to learn a lot more about
managing those configuration files!

Performance was excellent. No visible delay pulling up oddball Google
image searches.

-- 
Gary Dunn, Honolulu
o...@aloha.com
http://openslate.net/
http://e9erust.blogspot.com/
Sent from Slate001



Does NAT require DNS (named)?

2010-04-08 Thread Gary Dunn
Continuing the saga of building a wireless access point, what is the best way 
to provide DNS service to the downstream network? Seems like all I need is a 
simple pass-through. For that named seems like overkill. Anyone have an 
/etc/named/named.conf that does that?


--
Gary Dunn, Honolulu
o...@aloha.com
http://openslate.net/
http://e9erust.blogspot.com/
Sent from a Newton 2100 via Mail V


Re: Does NAT require DNS (named)?

2010-04-08 Thread Chuck Swiger
On Apr 8, 2010, at 1:57 PM, Gary Dunn wrote:
 Continuing the saga of building a wireless access point, what is the best way 
 to provide DNS service to the downstream network?

Run a nameserver?

 Seems like all I need is a simple pass-through. For that named seems like 
 overkill. Anyone have an /etc/named/named.conf that does that?

named is fine, although I was happier with its security history in the prior 
millennium than I am recently.  But, if you don't want to run your own 
nameserver, point them toward nameservers run by your upstream network 
provider...

Regards,
-- 
-Chuck



Re: Does NAT require DNS (named)?

2010-04-08 Thread mikel king


On Apr 8, 2010, at 4:57 PM, Gary Dunn wrote:

Continuing the saga of building a wireless access point, what is the  
best way to provide DNS service to the downstream network? Seems like  
all I need is a simple pass-through. For that named seems like  
overkill. Anyone have an /etc/named/named.conf that does that?



--
Gary Dunn, Honolulu
o...@aloha.com
http://openslate.net/
http://e9erust.blogspot.com/
Sent from a Newton 2100 via Mail V


Depends on how your internal LAN is configured. Generally if there are  
no internal servers then you can forgo deploying a DNS server. Simply  
setup your firewall IPFW or pf or whatever you are using to allow  
clients to go out to the net and look names up. You will likely need a  
dhcp server though so that your wireless clients can auto-discover the  
appropriate network settings, but you can elect to do that manually as  
well if it's your desire.



Regards,
Mikel King
CEO, Olivent Technologies
Senior Editor, BSD News Network
Columnist, BSD Magazine
skype:mikel.king
http://olivent.com
http://www.linkedin.com/in/mikelking
http://twitter.com/mikelking



Re: Does NAT require DNS (named)?

2010-04-08 Thread Darek M

Gary Dunn wrote:

Continuing the saga of building a wireless access point, what is the best way 
to provide DNS service to the downstream network? Seems like all I need is a 
simple pass-through. For that named seems like overkill. Anyone have an 
/etc/named/named.conf that does that?


I normally run a copy of djbdns on the private IP, having private 
clients use that for DNS.  Alternately, the private clients could just 
use your ISP's caching servers, which should work without any other 
configuration (possibly an allowance on the firewall).


- Darek


Re: Does NAT require DNS (named)?

2010-04-08 Thread Gary Dunn
On Thu, 8 Apr 2010 17:05:12 -0400 mikel king mikel.k...@olivent.com wrote:

 On Apr 8, 2010, at 4:57 PM, Gary Dunn wrote:

 Continuing the saga of building a wireless access point, what is the
 best way to provide DNS service to the downstream network? Seems like
 all I need is a simple pass-through. For that named seems like
 overkill. Anyone have an /etc/named/named.conf that does that?


 Depends on how your internal LAN is configured. Generally if there are
 no internal servers then you can forgo deploying a DNS server. Simply
 setup your firewall IPFW or pf or whatever you are using to allow
 clients to go out to the net and look names up. You will likely need a
 dhcp server though so that your wireless clients can auto-discover the
 appropriate network settings, but you can elect to do that manually as
 well if it's your
 desire.

I failed to mention that the same FreeBSD box will provide file and printer 
services via Samba, all clients will be Windows Vista, and there will be no 
other servers on the downstream network. I cannot rely on clients editing their 
LMHOSTS files ... I need plug and play. Do I need a DNS server on the 
downstream network for Windows clients to connect to Samba?
--
Gary Dunn, Honolulu
o...@aloha.com
http://openslate.net/
http://e9erust.blogspot.com/
Sent from a Newton 2100 via Mail V


Re: Does NAT require DNS (named)?

2010-04-08 Thread mikel king


On Apr 8, 2010, at 8:32 PM, Gary Dunn wrote:

On Thu, 8 Apr 2010 17:05:12 -0400 mikel king  
mikel.k...@olivent.com wrote:



On Apr 8, 2010, at 4:57 PM, Gary Dunn wrote:


Continuing the saga of building a wireless access point, what is the
best way to provide DNS service to the downstream network? Seems like
all I need is a simple pass-through. For that named seems like
overkill. Anyone have an /etc/named/named.conf that does that?



Depends on how your internal LAN is configured. Generally if there  
are

no internal servers then you can forgo deploying a DNS server. Simply
setup your firewall IPFW or pf or whatever you are using to allow
clients to go out to the net and look names up. You will likely  
need a
dhcp server though so that your wireless clients can auto-discover  
the
appropriate network settings, but you can elect to do that manually  
as

well if it's your
desire.


I failed to mention that the same FreeBSD box will provide file and  
printer services via Samba, all clients will be Windows Vista, and  
there will be no other servers on the downstream network. I cannot  
rely on clients editing their LMHOSTS files ... I need plug and  
play. Do I need a DNS server on the downstream network for Windows  
clients to connect to Samba?

--
Gary Dunn, Honolulu
o...@aloha.com
http://openslate.net/
http://e9erust.blogspot.com/
Sent from a Newton 2100 via Mail V


Gary,

	Thanks for the clarification. In this case if it were my network then  
I would roll out both DNS and DHCP on this server. Honestly it will  
make your life a hell of a lot easier in the long run, especially if  
you intend on using WINS resolution for the Windows client via samba.  
However only allow the DNS and DHCP services to run on the internal  
LAN, bind them to an internal IP address.


You should be fine.

Cheers,
Mikel King



Re: Does NAT require DNS (named)?

2010-04-08 Thread Brodey Dover
Unfortunately, still 17MB. I am going to play around with the sticks
of RAM that I have installed to see if there is a chipset/motherboard
issue.

On Thu, Apr 8, 2010 at 8:56 PM, mikel king mikel.k...@olivent.com wrote:

 On Apr 8, 2010, at 8:32 PM, Gary Dunn wrote:

 On Thu, 8 Apr 2010 17:05:12 -0400 mikel king mikel.k...@olivent.com
 wrote:

 On Apr 8, 2010, at 4:57 PM, Gary Dunn wrote:

 Continuing the saga of building a wireless access point, what is the
 best way to provide DNS service to the downstream network? Seems like
 all I need is a simple pass-through. For that named seems like
 overkill. Anyone have an /etc/named/named.conf that does that?


 Depends on how your internal LAN is configured. Generally if there are
 no internal servers then you can forgo deploying a DNS server. Simply
 setup your firewall IPFW or pf or whatever you are using to allow
 clients to go out to the net and look names up. You will likely need a
 dhcp server though so that your wireless clients can auto-discover the
 appropriate network settings, but you can elect to do that manually as
 well if it's your
 desire.

 I failed to mention that the same FreeBSD box will provide file and
 printer services via Samba, all clients will be Windows Vista, and there
 will be no other servers on the downstream network. I cannot rely on clients
 editing their LMHOSTS files ... I need plug and play. Do I need a DNS server
 on the downstream network for Windows clients to connect to Samba?
 --
 Gary Dunn, Honolulu
 o...@aloha.com
 http://openslate.net/
 http://e9erust.blogspot.com/
 Sent from a Newton 2100 via Mail V

 Gary,

        Thanks for the clarification. In this case if it were my network then
 I would roll out both DNS and DHCP on this server. Honestly it will make
 your life a hell of a lot easier in the long run, especially if you intend
 on using WINS resolution for the Windows client via samba. However only
 allow the DNS and DHCP services to run on the internal LAN, bind them to an
 internal IP address.

        You should be fine.

 Cheers,
 Mikel King




Named errors after adding IPv4 alias - solved by restarting named

2010-02-17 Thread John
It seems that if you add an alias to an interface once named is up
and running, it will cause named, on an hourly basis from the time
named was first started (that is, if it was started at 07:32 after
the hour, then every hour after the alias is added at about 07:32
after each hour), named will say:

Feb 16 22:07:32 elwood named[626]: could not listen on UDP socket: permission 
denied
Feb 16 22:07:32 elwood named[626]: creating IPv4 interface fxp0 failed; 
interface ignored

A kill -1 does not help.  If you do a full stop and start on named,
that will take care of the problem.

Is this something that should be addressed within named, or is this
such a rare event (adding an IP alias on an interface that named is
using) that it should just be let go?
-- 

John Lind
j...@starfire.mn.org


Re: HELP! Is that possible creating a user named root but actually not the administrator root

2010-02-13 Thread Bob Johnson
On 2/12/10, Jason Lin taosheng@gmail.com wrote:
 I tried this method; after setting the password of toor,
 I can't log in with the account toor.

It is possible (I don't remember) that the toor account does not
have a shell in the default passwd file. If that's the problem, use
vipw to add the path to a shell as the last field on the line.  The
root account should provide a good example, or look at the line for
your own user account. /bin/csh should work for recent versions of
FreeBSD.

- Bob


Re: HELP! Is that possible creating a user named root but actually not the administrator root

2010-02-13 Thread Matthew Seaman
On 13/02/2010 17:49, Bob Johnson wrote:

 It is possible (I don't remember) that the toor account does not
 have a shell in the default passwd file. If that's the problem, use
 vipw to add the path to a shell as the last field on the line.  The
 root account should provide a good example, or look at the line for
 your own user account. /bin/csh should work for recent versions of
 FreeBSD.

An empty field for the user shell in /etc/{master.,}passwd means the
account gets the default shell, which in the case of FreeBSD is /bin/sh.
 Shouldn't cause the observed problem.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.  7 Priory Courtyard, Flat 3
Black Earth Consulting   Ramsgate
 Kent, CT11 9PW
Free and Open Source Solutions   Tel: +44 (0)1843 580647





Re: HELP! Is that possible creating a user named root but actually not the administrator root

2010-02-13 Thread Chris Rees
On 13 February 2010 18:10, Matthew Seaman m.sea...@black-earth.co.uk wrote:
 On 13/02/2010 17:49, Bob Johnson wrote:

 It is possible (I don't remember) that the toor account does not
 have a shell in the default passwd file. If that's the problem, use
 vipw to add the path to a shell as the last field on the line.  The
 root account should provide a good example, or look at the line for
 your own user account. /bin/csh should work for recent versions of
 FreeBSD.

 An empty field for the user shell in /etc/{master.,}passwd means the
 account gets the default shell, which in the case of FreeBSD is /bin/sh.
  Shouldn't cause the observed problem.

        Cheers,

        Matthew


I would imagine then that /etc/ttys is set to 'insecure' for all.

Can you log in as root Jason?

Chris


Re: HELP! Is that possible creating a user named root but actually not the administrator root

2010-02-13 Thread Lin Taosheng
Yes, I log in with toor as root successfully.

2010/2/14 Chris Rees utis...@googlemail.com:
 On 13 February 2010 18:10, Matthew Seaman m.sea...@black-earth.co.uk wrote:
 On 13/02/2010 17:49, Bob Johnson wrote:

 It is possible (I don't remember) that the toor account does not
 have a shell in the default passwd file. If that's the problem, use
 vipw to add the path to a shell as the last field on the line.  The
 root account should provide a good example, or look at the line for
 your own user account. /bin/csh should work for recent versions of
 FreeBSD.

 An empty field for the user shell in /etc/{master.,}passwd means the
 account gets the default shell, which in the case of FreeBSD is /bin/sh.
  Shouldn't cause the observed problem.

        Cheers,

        Matthew


 I would imagine then that /etc/ttys is set to 'insecure' for all.

 Can you log in as root Jason?

 Chris




-- 
Lin Taosheng
Mobile: 86-010-15801256127
MSN:   taosheng@gmail.com


Re: HELP! Is that possible creating a user named root but actually not the administrator root

2010-02-12 Thread Jason Lin
I tried this method; after setting the password of toor,
I can't log in with the account toor.


Bogdan Webb bog...@pgn.ro wrote:
 Edit the /etc/master.passwd and /etc/passwd records to change the uid and
 gid of the root account BUT FIRST MAKE SURE YOU ADD (or change the password
 of) ANOTHER UID 0 ACCOUNT
 here's an example:
 /etc/master.passwd:
 root:*PASSWORD HASH*:99:99::0:0:Charlie :/root:/bin/csh

 and /etc/passwd
 root:*:99:99:Charlie :/root:/bin/csh


 check the toor account it's already created by freebsd but it doesn't 
 have
 a password, 1st apply a password for that account, triple check that it's
 usable then edit the records (keep in mind that the 99 uid and 99gid in my
 examples are fake try giving your's the uid and gid of the nobody 
 account,
 or someother)

 cheers!
 2010/2/11 Anthony M. Rasat anthony.ra...@gmail.com

 Lin Taosheng wrote:

 Is that possible to implement?

 No. I think not. But I have not tried it either.

 Can I ask what you want to achieve? Because I had the same thought 
 once,
 concerning how to combat the ever-increasing script-driven SSH brute-force
 attacks. But instead I had a better solution, using fail2ban to easily
 thwart those SSH brute-force attacks. Is that your situation?

 Regards,

 Anthony M. Rasat
 Manager - Technical, Network and Support Division
 PT. Jawa Pos National Network
 Graha Pena Jawa Pos Group Building, 5th floor
 Jln. Raya Kebayoran Lama 12, Jakarta Selatan 12210
 Indonesia.-
 Phone 02132185562
 Phone 081574217035
 Fax 02153651465
 Web http://www.jpnn.com

 





Re: HELP! Is that possible creating a user named root but actually not the administrator root

2010-02-11 Thread Matthew Seaman
On 11/02/2010 05:23, Giorgos Keramidas wrote:
 On Thu, 11 Feb 2010 00:18:30 -0500, Robert Huff roberth...@rcn.com wrote:
 Lin Taosheng writes:
  Is that possible to implement?

 For most purposes, what's important is not the account name,
 but the User ID.  Root is special because it has UID 0.  You can
 create other accounts with UID 0 ... but it's usually a Very Bad
 Idea.

 As far as I know, there's no reason you can't rename the root
 account and have a non UID 0 account with that name.  On the other
 hand, if you're asking this question there may be a better way to
 accomplish your objective: would you care to share?
 
 The kernel doesn't really care what your user *name* is.  See for
 example the 'toor' user in '/etc/master.passwd'.

On the other hand, lots of software expects the superuser account to be
called 'root' because that is what it has always been ever since Thompson
and Ritchie et al. first created Unix.  Changing the name of the
superuser account, and making root into an unprivileged user will cause
you much wailing and gnashing of teeth.  It doesn't really buy you much
in terms of improved security in any case.  Far better to concentrate
on making it impossible for the existing root account to be compromised.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.  7 Priory Courtyard, Flat 3
Black Earth Consulting   Ramsgate
 Kent, CT11 9PW
Free and Open Source Solutions   Tel: +44 (0)1843 580647





Re: HELP! Is that possible creating a user named root but actually not the administrator root

2010-02-11 Thread Bob Johnson
On 2/11/10, Robert Huff roberth...@rcn.com wrote:

 Lin Taosheng writes:

  Is that possible to implement?


Yes, use vipw to edit the password file. Add another username that is
UID zero. The name toor is actually already there as an example of
how to do that, but it is disabled because it has a * in the
password field. After the new username is tested and you know it
works, use vipw to replace the password field for root to an *.
Then root will still exist, but it will not be possible to log in to
it. You could also delete the entire line for root, but that gets
farther into unusual territory and increases the chance that you will
break something else by doing so.

   For most purposes, what's important is not the account name,
 but the User ID.  Root is special because it has UID 0.  You can
 create other accounts with UID 0 ... but it's usually a Very Bad
 Idea.

I know of no reason that this would be a bad idea. It is in fact
useful in some situations to have more than one admin account, enough
so that about a decade ago some effort was put into making sure it
works properly when you do that in FreeBSD.

 As far as I know, there's no reason you can't rename the root
 account and have a non UID 0 account with that name.  On the other
 hand, if you're asking this question there may be a better way to
 accomplish your objective: would you care to share?

Having an account named root that is not UID 0 (i.e. not an
administrator) is likely to have unexpected side effects that you
probably won't like. So even though it has theoretical security
advantages (because unlike Windows, you can't remotely query FreeBSD
and ask it the name of its administrator account), it probably isn't a
good idea. A quick search turned up problems when people tried this in
Debian, and I would expect similar issues in FreeBSD. But if you try
it, I'd love to hear the result.

If you are worried about remote logins to the root account, that is
actually disabled by default in FreeBSD. The biggest hazard you face
in that area is that if you configure SSH to use PAM login, the PAM
subsystem can allow remote root logins when you think they are
disabled. You have to be careful to configure SSH (and anything else
that uses PAM) correctly in that situation.

- Bob Johnson


Re: HELP! Is that possible creating a user named root but actually not the administrator root

2010-02-11 Thread Jerry McAllister
On Thu, Feb 11, 2010 at 01:58:07PM -0500, Bob Johnson wrote:

 On 2/11/10, Robert Huff roberth...@rcn.com wrote:
 
  Lin Taosheng writes:
 
   Is that possible to implement?
 
 
 Yes, use vipw to edit the password file. Add another username that is
 UID zero. The name toor is actually already there as an example of
 how to do that, but it is disabled because it has a * in the
 password field. After the new username is tested and you know it
 works, use vipw to replace the password field for root to an *.
 Then root will still exist, but it will not be possible to log in to
 it. You could also delete the entire line for root, but that gets
 farther into unusual territory and increases the chance that you will
 break something else by doing so.

If I take what the OP said literally, you are answering backwards.
The OP asked if it is possible to name a different account root - eg
one that is not UID 0.  You are answering that it is possible to
give an account other than root a UID 0.

Now, the OP may have meant to ask what you are answering and just
got it mixed up.   But, that was not the way the question went.

Anyway, even if it is possible to name a non-UID 0 account root, 
it is a very bad idea.   Too many things assume that the string 
'root' refers to the UID 0 account.   There may be something that
depends on it.

On the other side, it is possible to give an account with a different
name the UID of 0.  This is often done so someone can work at a root
level without using the root name - probably in hopes of controlling
things more tightly.   Maybe it might help a bit.

But, the FreeBSD system comes automatically set so that you cannot log
in over the net with a root (eg a UID 0) account.   The recommended
way to get to root is to either use the console or to log in as a
non-root account using an encrypted path and then su(1) to root or
to a root account (eg one with UID 0).

jerry








Re: HELP! Is that possible creating a user named root but actually not the administrator root

2010-02-11 Thread Giorgos Keramidas
On Thu, 11 Feb 2010 08:04:00 +, Matthew Seaman m.sea...@black-earth.co.uk 
wrote:
On 11/02/2010 05:23, Giorgos Keramidas wrote:
On Thu, 11 Feb 2010 00:18:30 -0500, Robert Huff roberth...@rcn.com wrote:
Lin Taosheng writes:
  Is that possible to implement?

 For most purposes, what's important is not the account name,
 but the User ID.  Root is special because it has UID 0.  You can
 create other accounts with UID 0 ... but it's usually a Very Bad
 Idea.

 As far as I know, there's no reason you can't rename the root
 account and have a non UID 0 account with that name.  On the other
 hand, if you're asking this question there may be a better way to
 accomplish your objective: would you care to share?

 The kernel doesn't really care what your user *name* is.  See for
 example the 'toor' user in '/etc/master.passwd'.

 On the other hand, lots of software expects the superuser account to
 be called 'root' because that is what it has always been ever since
 Thompson and Ritchie et al. first created Unix.  Changing the name of
 the superuser account, and making root into an unprivileged user will
 cause you much wailing and gnashing of teeth.  It doesn't really buy
 you much in terms of improved security in any case.  Far better to
 concentrate on making it impossible for the existing root account to
 be compromised.

This is a good point.  One can argue that the specific applications are
those that are broken if they do not use a tunable option to switch the
name of the 'privileged user'.  But that doesn't negate the fact that
precisely *this* type of application exists out there and will break.





Re: HELP! Is that possible creating a user named root but actually not the administrator root

2010-02-11 Thread Bob Johnson
On 2/11/10, Jerry McAllister jerr...@msu.edu wrote:
 On Thu, Feb 11, 2010 at 01:58:07PM -0500, Bob Johnson wrote:

 On 2/11/10, Robert Huff roberth...@rcn.com wrote:
 
  Lin Taosheng writes:
 
   Is that possible to implement?
 

 Yes, use vipw to edit the password file. Add another username that is
 UID zero. The name toor is actually already there as an example of
 how to do that, but it is disabled because it has a * in the
 password field. After the new username is tested and you know it
 works, use vipw to replace the password field for root to an *.
 Then root will still exist, but it will not be possible to log in to
 it. You could also delete the entire line for root, but that gets
 farther into unusual territory and increases the chance that you will
 break something else by doing so.

 If I take what the OP said literally, you are answering backwards.
 The OP asked if it is possible to name a different account root - eg
 one that is not UID 0.  You are answering that it is possible to
 give an account other than root a UID 0.

 Now, the OP may have meant to ask what you are answering and just
 got it mixed up.   But, that was not the way the question went.

Oops. Rats. When I started my reply I had it right, but by the time I
finished I had confused myself. Thanks.

Anyway, it's possible, but in practice it probably won't work right,
and doesn't do much for security anyway.

- Bob


HELP! Is that possible creating a user named root but actually not the administrator root

2010-02-10 Thread Lin Taosheng
Hi all,

Is that possible to implement?


HELP! Is that possible creating a user named root but actually not the administrator root

2010-02-10 Thread Robert Huff

Lin Taosheng writes:

  Is that possible to implement?

For most purposes, what's important is not the account name,
but the User ID.  Root is special because it has UID 0.  You can
create other accounts with UID 0 ... but it's usually a Very Bad
Idea.
As far as I know, there's no reason you can't rename the root
account and have a non UID 0 account with that name.  On the other
hand, if you're asking this question there may be a better way to
accomplish your objective: would you care to share?

Respectfully,


Robert Huff



Re: HELP! Is that possible creating a user named root but actually not the administrator root

2010-02-10 Thread Giorgos Keramidas
On Thu, 11 Feb 2010 00:18:30 -0500, Robert Huff roberth...@rcn.com wrote:
Lin Taosheng writes:
  Is that possible to implement?

 For most purposes, what's important is not the account name,
 but the User ID.  Root is special because it has UID 0.  You can
 create other accounts with UID 0 ... but it's usually a Very Bad
 Idea.

 As far as I know, there's no reason you can't rename the root
 account and have a non UID 0 account with that name.  On the other
 hand, if you're asking this question there may be a better way to
 accomplish your objective: would you care to share?

The kernel doesn't really care what your user *name* is.  See for
example the 'toor' user in '/etc/master.passwd'.



Re: HELP! Is that possible creating a user named root but actually not the administrator root

2010-02-10 Thread Anthony M. Rasat
Lin Taosheng wrote:

Is that possible to implement?

No. I think not. But I have not tried it either.

Can I ask what you want to achieve? Because I had the same thought once, 
concerning how to combat the ever-increasing script-driven SSH brute-force attacks. 
But instead I had a better solution, using fail2ban to easily thwart those 
SSH brute-force attacks. Is that your situation?
 
Regards,

Anthony M. Rasat
Manager - Technical, Network and Support Division
PT. Jawa Pos National Network
Graha Pena Jawa Pos Group Building, 5th floor
Jln. Raya Kebayoran Lama 12, Jakarta Selatan 12210
Indonesia.-
Phone 02132185562
Phone 081574217035
Fax 02153651465
Web http://www.jpnn.com


Re: HELP! Is that possible creating a user named root but actually not the administrator root

2010-02-10 Thread Bogdan Webb
Edit the /etc/master.passwd and /etc/passwd records to change the uid and
gid of the root account BUT FIRST MAKE SURE YOU ADD (or change the password
of) ANOTHER UID 0 ACCOUNT.
Here's an example:
/etc/master.passwd:
root:*PASSWORD HASH*:99:99::0:0:Charlie :/root:/bin/csh

and /etc/passwd
root:*:99:99:Charlie :/root:/bin/csh


Check the toor account: it's already created by FreeBSD but it doesn't have
a password. First apply a password for that account, triple check that it's
usable, then edit the records (keep in mind that the 99 uid and 99 gid in my
examples are fake; try giving yours the uid and gid of the nobody account,
or some other).

cheers!
2010/2/11 Anthony M. Rasat anthony.ra...@gmail.com

 Lin Taosheng wrote:

 Is that possible to implement?

 No. I think not. But I have not tried it either.

 Can I ask what you want to achieve? Because I had the same thought once,
 concerning how to combat the ever-increasing script-driven SSH brute-force
 attacks. But instead I had a better solution, using fail2ban to easily
 thwart those SSH brute-force attacks. Is that your situation?

 Regards,

 Anthony M. Rasat
 Manager - Technical, Network and Support Division
 PT. Jawa Pos National Network
 Graha Pena Jawa Pos Group Building, 5th floor
 Jln. Raya Kebayoran Lama 12, Jakarta Selatan 12210
 Indonesia.-
 Phone 02132185562
 Phone 081574217035
 Fax 02153651465
 Web http://www.jpnn.com


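Bob Johnson's procedure earlier in this thread (add a second UID 0 account, test it, then put "*" in root's password field) and Bogdan's master.passwd lines both depend on reading master.passwd(5) correctly, and the dangerous step is locking root before another UID 0 login has been verified. The following is an added example of my own, not code from the thread or from FreeBSD: it parses a constructed master.passwd-format sample (placeholder hashes, not real ones), lists every UID 0 account with whether it can still authenticate, flags lines with the wrong field count, and refuses the "lock root" step unless another UID 0 account with a real password hash remains. The sample contents, the host's account names and the helper names are assumptions for this example.

```shell
#!/bin/sh
# Added example (not code from the thread): audit a master.passwd(5)-format
# file for UID 0 accounts before renaming or locking root.
# master.passwd fields: name:password:uid:gid:class:change:expire:gecos:home:shell
# (10 fields; the derived /etc/passwd has 7). A password field of "*", as on
# the stock toor line, or one prefixed "*LOCKED*" (what pw lock writes) can
# never match a password, so that account cannot authenticate.

# Constructed sample; the $6$... strings are placeholders, not real hashes.
SAMPLE_MASTER_PASSWD='root:$6$PLACEHOLDERHASH1:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
admin2:$6$PLACEHOLDERHASH2:0:0::0:0:Second superuser:/home/admin2:/bin/sh
guest::0:0::0:0:No password at all:/home/guest:/bin/sh
svc:*:0:0::0:0:Line with a missing field:/root
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
bob:$6$PLACEHOLDERHASH3:1001:1001::0:0:Bob:/home/bob:/bin/sh'

# A stock-looking file (also constructed): root is the only usable UID 0 account.
SAMPLE_STOCK='root:$6$PLACEHOLDERHASH1:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
bob:$6$PLACEHOLDERHASH3:1001:1001::0:0:Bob:/home/bob:/bin/sh'

# list_uid0 CONTENT: print "name:status" for every line whose UID field is 0.
# status is enabled (has a hash), disabled (* or *LOCKED*), or nopassword.
list_uid0() {
    printf '%s\n' "$1" | awk -F: '
        $3 == "0" {
            if ($2 == "")                              status = "nopassword"
            else if ($2 == "*" || $2 ~ /^\*LOCKED\*/)  status = "disabled"
            else                                       status = "enabled"
            print $1 ":" status
        }'
}

# count_usable_uid0 CONTENT: UID 0 accounts that can still log in somehow.
count_usable_uid0() {
    list_uid0 "$1" | awk -F: '$2 != "disabled" { n++ } END { print n + 0 }'
}

# check_fields CONTENT WANT: "name fieldcount" for lines that do not have
# WANT colon-separated fields (10 for master.passwd, 7 for passwd).
check_fields() {
    printf '%s\n' "$1" | awk -F: -v want="$2" 'NF > 0 && NF != want { print $1, NF }'
}

# lockout_check CONTENT: the test Bob's procedure implies. Only report it
# safe to put "*" in root's password field if some other UID 0 account has
# a real hash (a nopassword account is not a safety net, it is a hole).
lockout_check() {
    others=$(list_uid0 "$1" | awk -F: '$1 != "root" && $2 == "enabled" { n++ } END { print n + 0 }')
    if [ "$others" -gt 0 ]; then echo "safe-to-lock-root"; else echo "unsafe"; fi
}

# Demo run on the constructed sample.
echo "UID 0 accounts:";  list_uid0 "$SAMPLE_MASTER_PASSWD"
echo "malformed lines:"; check_fields "$SAMPLE_MASTER_PASSWD" 10
echo "usable UID 0 count: $(count_usable_uid0 "$SAMPLE_MASTER_PASSWD")"
echo "lock root? $(lockout_check "$SAMPLE_MASTER_PASSWD")"
```

To use it on a live system, feed it the contents of /etc/master.passwd (mode 600, so read it as root); the "*LOCKED*" prefix is what pw lock(8) writes, and an empty password field is reported separately because it is worse than a hash: it is an account with no password at all.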

UDP flooding / Ethernet issues? WAS Re: named error sending response: not enough free resources

2010-01-29 Thread James Smallacombe

On Thu, Jan 28, 2010 at 12:59 PM, James Smallacombe u...@3.am wrote:


To follow up on this: Noticed the issue again this morning, which also was
accompanied by latency so high that I could not connect (some pings got
through at very high latency).  I emailed the provider and they told me that
they had my port on their Ether switch set to 10Mbs.  They switched it to
100Mbs and only time will tell if that fixes it.

Does this sound like it could be the entire cause?  I ask because I've
maxed out pipes before, but never seen it shut all traffic down this much.
One key difference that I forgot to mention is that this server is running
TWO instances of named, on two different IPs (for different domains), each
running a few hundred zones.

Bottom line:  Would congestion cause this issue, or would this issue cause
congestion?


Some updates that may confuse more than inform: I caught this while it 
was happening yesterday and was able to do a tcpdump.  I saw a ton of UDP 
traffic outbound to one IP that turned out to be a colocated server in 
Chicago.  I put that IP in my ipfw rules and once I blocked any to that 
IP, it seemed to stop.  Since then however, the logs have shown the same 
issue again and there have been a few brief service disruptions.


Today's security run output showed this:

+(RULE NUMBER) 16054161 131965203420 deny ip from any to (blocked IP)

and more alarmingly, this:

kernel log messages:
+++ /tmp/security.BErFHSS3  2010-01-29 03:09:32.0 -0500
+re0: link state changed to DOWN
+re0: link state changed to UP
+re0: promiscuous mode enabled
+re0: promiscuous mode disabled
+re0: promiscuous mode enabled
+re0: promiscuous mode disabled
+re0: promiscuous mode enabled
+re0: promiscuous mode disabled

re0 obviously being the Realtek Ethernet driver.  The server itself never 
went down during this time, but the Ethernet did.  Is there any DOS type 
of event that could cause this, or could the root of the problem be an 
Ethernet hardware or driver issue?  Again, it is not clear to me which is 
the cause and which is the effect.


Last bit of info:  I just did a: 'tcpdump -n | grep -i udp' and saw a 
bunch of these, coming up a couple of times per second:


11:31:59.387561 IP (IP REMOVED)  (IP REMOVED): NBT UDP PACKET(137): 
QUERY; REQUEST; BROADCAST


Where the source and destination IPs vary, but are NOT one of mine, but DO 
appear to belong to my colo/dedicated server provider and their customers. 
Is my server being used to DDOS others?  If so, how?


TIA,

James Smallacombe PlantageNet, Inc. CEO and Janitor
u...@3.am   http://3.am
=


Re: UDP flooding / Ethernet issues? WAS Re: named error sending response: not enough free resources

2010-01-29 Thread Adam Vande More
On Fri, Jan 29, 2010 at 10:51 AM, James Smallacombe u...@3.am wrote:

 Some updates that may confuse more than inform: I caught this while it was
 happening yesterday and was able to do a tcpdump.  I saw a ton of UDP
 traffic outbound to one IP that turned out to be a colocated server in
 Chicago.  I put that IP in my ipfw rules and once I blocked any to that
 IP, it seemed to stop.  Since then however, the logs have shown the same
 issue again and there have been a few brief service disruptions.

 Today's security run output showed this:

 +(RULE NUMBER) 16054161 131965203420 deny ip from any to (blocked IP)

 and more alarmingly, this:

 kernel log messages:
 +++ /tmp/security.BErFHSS3  2010-01-29 03:09:32.0 -0500
 +re0: link state changed to DOWN
 +re0: link state changed to UP
 +re0: promiscuous mode enabled
 +re0: promiscuous mode disabled
 +re0: promiscuous mode enabled
 +re0: promiscuous mode disabled
 +re0: promiscuous mode enabled
 +re0: promiscuous mode disabled

 re0 obviously being the Realtek Ethernet driver.  The server itself never
 went down during this time, but the Ethernet did.  Is there any DOS type of
 event that could cause this, or could the root of the problem be an Ethernet
 hardware or driver issue?  Again, it is not clear to me which is the cause
 and which is the effect.

 Last bit of info:  I just did a: 'tcpdump -n | grep -i udp' and saw a bunch
 of these, coming up a couple of times per second:


Promiscuous mode entries are caused by tcpdump.

-- 
Adam Vande More


Re: UDP flooding / Ethernet issues? WAS Re: named error sending response: not enough free resources

2010-01-29 Thread Chuck Swiger
Hi--

On Jan 29, 2010, at 8:51 AM, James Smallacombe wrote:
 On Thu, Jan 28, 2010 at 12:59 PM, James Smallacombe u...@3.am wrote:
 To follow up on this: Noticed the issue again this morning, which also was
 accompanied by latency so high that I could not connect (some pings got
 through at very high latency).  I emailed the provider and they told me that
 they had my port on their Ether switch set to 10Mbs.  They switched it to
 100Mbs and only time will tell if that fixes it.
[ ... ]
 Today's security run output showed this:
 
 +(RULE NUMBER) 16054161 131965203420 deny ip from any to (blocked IP)
 
 and more alarmingly, this:
 
 kernel log messages:
 +++ /tmp/security.BErFHSS3  2010-01-29 03:09:32.0 -0500
 +re0: link state changed to DOWN
 +re0: link state changed to UP

These are probably from your ISP changing the link speed from 10 to 100Mbs.

 +re0: promiscuous mode enabled
 +re0: promiscuous mode disabled
 +re0: promiscuous mode enabled
 +re0: promiscuous mode disabled
 +re0: promiscuous mode enabled
 +re0: promiscuous mode disabled

These are from running tcpdump.

 re0 obviously being the Realtek Ethernet driver.  The server itself never 
 went down during this time, but the Ethernet did.  Is there any DOS type of 
 event that could cause this, or could the root of the problem be an Ethernet 
 hardware or driver issue?  Again, it is not clear to me which is the cause 
 and which is the effect.
 
 Last bit of info:  I just did a: 'tcpdump -n | grep -i udp' and saw a bunch 
 of these, coming up a couple of times per second:
 
 11:31:59.387561 IP (IP REMOVED)  (IP REMOVED): NBT UDP PACKET(137): QUERY; 
 REQUEST; BROADCAST
 
 Where the source and destination IPs vary, but are NOT one of mine, but DO 
 appear to belong to my colo/dedicated server provider and their customers. Is 
 my server being used to DDOS others?  If so, how?

That is standard Windows NetBIOS over IP traffic.  It shouldn't be coming over 
your link unless your machines are sharing a subnet with someone else's Windows 
(or Samba) domain.  You might discuss this with your ISP and ask them what's 
up, but failing that, using IPFW rules like this would be prudent:

  add deny tcp from any 135-139 to any
  add deny tcp from any to any 135-139
  add deny udp from any 135-139 to any
  add deny udp from any to any 135-139

Regards,
-- 
-Chuck


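James's question, whether his server is being used to DDoS others, can be answered from the capture itself: tcpdump puts re0 into promiscuous mode (the kernel messages Adam and Chuck point to), so on a shared segment it also shows other tenants' broadcasts that this host neither sent nor was sent. The following is an added example of my own, not code from the thread; it classifies constructed tcpdump -n lines (RFC 5737 documentation addresses; "src > dst" is tcpdump's normal format) as sent by this host, addressed to it, or merely observed, given an assumed list of the host's own addresses. The address list and the function names are assumptions for this example.

```shell
#!/bin/sh
# Added example (not code from the thread): decide whether NetBIOS (port 137)
# datagrams in a tcpdump capture were sent by this host, addressed to it, or
# merely observed because the interface was in promiscuous mode. Only the
# first case would support "my server is being used to attack others".

# Assumed addresses of this host (constructed, RFC 5737 ranges).
OUR_IPS='192.0.2.5 192.0.2.6'

# Constructed tcpdump -n style lines, modelled on the NBT line in the thread.
SAMPLE_TCPDUMP='11:31:59.387561 IP 198.51.100.23.137 > 198.51.100.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
11:31:59.402110 IP 198.51.100.41.137 > 198.51.100.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
11:32:00.010004 IP 192.0.2.5.53 > 203.0.113.77.33021: 4521 1/0/0 A 192.0.2.5 (45)
11:32:00.120300 IP 203.0.113.80.137 > 192.0.2.5.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
11:32:00.250000 IP 192.0.2.6.137 > 192.0.2.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST'

# classify_nbt OURIPS LOG: one "src dst class" line per NBT packet, where
# class is sent (source is ours), received (destination is ours) or
# bystander (neither; seen only because of promiscuous mode).
classify_nbt() {
    printf '%s\n' "$2" | awk -v ours="$1" '
        BEGIN { n = split(ours, a, " "); for (i = 1; i <= n; i++) mine[a[i]] = 1 }
        $2 == "IP" && /NBT UDP PACKET/ {
            src = $3; sub(/\.[0-9]+$/, "", src)                 # strip port
            dst = $5; sub(/:$/, "", dst); sub(/\.[0-9]+$/, "", dst)
            if (src in mine)      cls = "sent"
            else if (dst in mine) cls = "received"
            else                  cls = "bystander"
            print src, dst, cls
        }'
}

# nbt_summary OURIPS LOG: "sent=N received=N bystander=N".
nbt_summary() {
    classify_nbt "$1" "$2" | awk '
        { c[$3]++ }
        END { printf "sent=%d received=%d bystander=%d\n", c["sent"], c["received"], c["bystander"] }'
}

# sent_sources OURIPS LOG: our own addresses that emitted NBT traffic, the
# only lines that would substantiate "my server is attacking others".
sent_sources() {
    classify_nbt "$1" "$2" | awk '$3 == "sent" { print $1 }' | sort -u
}

# Demo run on the constructed capture.
classify_nbt "$OUR_IPS" "$SAMPLE_TCPDUMP"
nbt_summary "$OUR_IPS" "$SAMPLE_TCPDUMP"
echo "our addresses sending NBT: $(sent_sources "$OUR_IPS" "$SAMPLE_TCPDUMP" | tr '\n' ' ')"
```

Read the result as: "sent" lines are the ones to investigate on this host (which process has UDP 137 open); "received" lines are what the ipfw deny rules Chuck gives above stop; "bystander" lines vanish as soon as tcpdump exits and the interface leaves promiscuous mode, and are the provider's shared-segment chatter to raise with them. In the constructed capture the one "sent" line comes from the assumed second address 192.0.2.6, which is exactly the kind of hit you would want the check to surface.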

Re: named error sending response: not enough free resources

2010-01-28 Thread James Smallacombe

On Wed, 27 Jan 2010, Chuck Swiger wrote:


Hi--

On Jan 27, 2010, at 1:15 PM, James Smallacombe wrote:

Jan 26 21:50:32 host named[667]: client IP REMOVED#57938: error sending 
response: not enough free resources
Jan 26 21:50:32 host named[667]: client IP REMOVED#59830: error sending 
response: not enough free resources




OK, if the nameserver is published / authoritative, then it would be expected 
to be fielding requests from the Internet at large.


To follow up on this: Noticed the issue again this morning, which also was 
accompanied by latency so high that I could not connect (some pings got 
through at very high latency).  I emailed the provider and they told me 
that they had my port on their Ether switch set to 10Mbs.  They switched 
it to 100Mbs and only time will tell if that fixes it.


Does this sound like it could be the entire cause?  I ask because I've 
maxed out pipes before, but never seen it shut all traffic down this much. 
One key difference that I forgot to mention is that this server is running 
TWO instances of named, on two different IPs (for different domains), each 
running a few hundred zones.


Bottom line:  Would congestion cause this issue, or would this issue cause 
congestion?


Thanks again!

James Smallacombe PlantageNet, Inc. CEO and Janitor
u...@3.am   http://3.am
=


Re: named error sending response: not enough free resources

2010-01-28 Thread Adam Vande More
On Thu, Jan 28, 2010 at 12:59 PM, James Smallacombe u...@3.am wrote:

 To follow up on this: Noticed the issue again this morning, which also was
 accompanied by latency so high that I could not connect (some pings got
 through at very high latency).  I emailed the provider and they told me that
 they had my port on their Ether switch set to 10Mbs.  They switched it to
 100Mbs and only time will tell if that fixes it.

 Does this sound like it could be the entire cause?  I ask because I've
 maxed out pipes before, but never seen it shut all traffic down this much.
 One key difference that I forgot to mention is that this server is running
 TWO instances of named, on two different IPs (for different domains), each
 running a few hundred zones.

 Bottom line:  Would congestion cause this issue, or would this issue cause
 congestion?


I would guess no, but that guess could easily be wrong.  Have you tried
turning up the logging to verbosity to get a better idea of what's
happening?



-- 
Adam Vande More


named error sending response: not enough free resources

2010-01-27 Thread James Smallacombe


NOTE: Please reply off-list as well as I am not subscribed

My server (7.2-STABLE) suffered at least two outages Sunday through 
yesterday after having been up since July (it is a rented dedicated server 
with my FSBD install).  The first time, I was able to log in remotely, 
saw a ton of spam apparently abusing a php mail form script (more on that 
later) filling the /var partition.  I purged it, but it still required a 
reboot as CPU was through the roof.


Yesterday morning, I was unable to get into the server at all...pings were very 
high.  I called the provider and got in via KVM over IP.  CPU was fine and 
there were no full partitions.  As I had to catch a flight, I just rebooted it 
and it was fine.


After getting home, I looked in the syslog and see thousands of these:

Jan 26 21:50:32 host named[667]: client IP REMOVED#57938: error sending 
response: not enough free resources
Jan 26 21:50:32 host named[667]: client IP REMOVED#59830: error sending 
response: not enough free resources


Some googling on this error found a reference to a possible queue limiting 
problem in pf/qlimit, but the only firewalling I do is a very basic ipfw setup 
strictly for bruteblock.


I am not even sure if this error caused the outage(s) or was caused by them, 
let alone a fix or workaround.  Appreciate any and all clues, especially if you 
are familiar with this.


TIA!

James Smallacombe PlantageNet, Inc. CEO and Janitor
u...@3.am   http://3.am
=


Re: named error sending response: not enough free resources

2010-01-27 Thread Chuck Swiger
On Jan 27, 2010, at 10:24 AM, James Smallacombe wrote:
 NOTE: Please reply off-list as well as I am not subscribed

OK.  In return, please don't cross-post or multi-post the same question to 
multiple FreeBSD lists.

 My server (7.2-STABLE) suffered at least two outages Sunday through yesterday 
 after having been up since July (it is a rented dedicated server with my FSBD 
 install).  The first time, I was able to log in remotely, saw a ton of 
 spam apparently abusing a php mail form script (more on that later) filling 
 the /var partition.  I purged it, but it still required a reboot as CPU was 
 through the roof.

See man pkill for an easier way to terminate processes short of rebooting.  
Depending on just how badly this PHP script was being taken advantage of and 
how closely you've been tracking security updates, it's possible that your 
machine might have been compromised.

 Yesterday morning, I was unable to get into the server at all...pings were 
 very high.  I called the provider and got in via KVM over IP.  CPU was fine 
 and there were no full partitions.  As I had to catch a flight, I just 
 rebooted it and it was fine.
 
 After getting home, I looked in the syslog and see thousands of these:
 
 Jan 26 21:50:32 host named[667]: client IP REMOVED#57938: error sending 
 response: not enough free resources
 Jan 26 21:50:32 host named[667]: client IP REMOVED#59830: error sending 
 response: not enough free resources

Were these client IPs expected to be talking to this machine?  It indicates a 
problem sending UDP traffic; netstat -s output would be informative.  You might 
find that setting options in named.conf to tune the # of outstanding queries 
will help:

 clients-per-query 10;
 max-clients-per-query 20;

Doing a tcpdump and examining the queries to see what DNS resources are being 
requested would also be useful.

Regards,
-- 
-Chuck


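The triage Chuck suggests (who is talking to the server, and is the kernel refusing sends), as an added example and not anything posted in the thread. The syslog lines and the netstat -s excerpt below are constructed, with RFC 5737 documentation addresses; the real inputs are /var/log/messages and `netstat -s -p udp`. A burst of these errors concentrated on one or two source addresses is worth a tcpdump of those sources, since that is what abuse of an authoritative server looks like in the log, while errors spread evenly across many clients point more at the host running out of send buffers (ENOBUFS from the kernel is what BIND reports as "not enough free resources").

```sh
#!/bin/sh
# Added example (not from the thread): triage BIND "not enough free resources"
# log lines by source address and by second, and pull one counter out of
# "netstat -s -p udp". Both inputs below are constructed samples; on a live
# host feed /var/log/messages and the real netstat output through the same
# functions.

# Constructed syslog excerpt (documentation addresses from RFC 5737).
SAMPLE_LOG='Jan 26 21:50:32 host named[667]: client 192.0.2.10#57938: error sending response: not enough free resources
Jan 26 21:50:32 host named[667]: client 192.0.2.10#59830: error sending response: not enough free resources
Jan 26 21:50:32 host named[667]: client 198.51.100.7#33001: error sending response: not enough free resources
Jan 26 21:50:33 host named[667]: client 192.0.2.10#41002: error sending response: not enough free resources
Jan 26 21:50:33 host named[667]: client 203.0.113.5#4096: query: example.net IN ANY +E (192.0.2.1)'

# Constructed "netstat -s -p udp" excerpt in FreeBSD's layout.
SAMPLE_NETSTAT='udp:
        9663633 datagrams received
        12092 dropped due to no socket
        0 dropped due to full socket buffers
        9601762 delivered
        42443353 datagrams output'

# Errors per client address, busiest first. Output: "<count> <ip>".
# Field 7 of a syslog line is "client-ip#port:"; drop the port and colon.
errors_by_client() {
    awk '/error sending response: not enough free resources/ {
             split($7, a, "#"); n[a[1]]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Errors per second, in time order. Output: "<count> <Mon> <day> <hh:mm:ss>".
# A tight burst on one source is worth a tcpdump of that source; a steady
# trickle across many sources looks more like the host itself.
errors_per_second() {
    awk '/error sending response: not enough free resources/ {
             n[$1 " " $2 " " $3]++
         }
         END { for (t in n) print n[t], t }' | sort -k2
}

# First counter whose description contains $1, e.g.
#   netstat -s -p udp | udp_counter "dropped due to full socket buffers"
udp_counter() {
    awk -v want="$1" 'index($0, want) { print $1; exit }'
}

# Offline demo against the constructed samples.
echo "== errors per client =="
printf '%s\n' "$SAMPLE_LOG" | errors_by_client
echo "== errors per second =="
printf '%s\n' "$SAMPLE_LOG" | errors_per_second
echo "== UDP datagrams dropped for full socket buffers =="
printf '%s\n' "$SAMPLE_NETSTAT" | udp_counter "dropped due to full socket buffers"
```

The per-second view is the one to look at before touching clients-per-query: that option limits how many clients may wait on the same recursive lookup and does nothing for an authoritative server whose sendto() calls are failing, so a zero in "dropped due to full socket buffers" together with a burst from a handful of sources says the answer is on the wire (tcpdump those sources), not in named.conf.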

Re: named error sending response: not enough free resources

2010-01-27 Thread James Smallacombe

On Wed, 27 Jan 2010, Chuck Swiger wrote:


On Jan 27, 2010, at 10:24 AM, James Smallacombe wrote:

NOTE: Please reply off-list as well as I am not subscribed


OK.  In return, please don't cross-post or multi-post the same question 
to multiple FreeBSD lists.


I posted to the -isp list a couple of hours earlier, then looked at the 
archives and noticed zero traffic on that list for the past couple of 
weeks, so I then posted here.



After getting home, I looked in the syslog and see thousands of these:

Jan 26 21:50:32 host named[667]: client IP REMOVED#57938: error sending 
response: not enough free resources
Jan 26 21:50:32 host named[667]: client IP REMOVED#59830: error sending 
response: not enough free resources


Were these client IPs expected to be talking to this machine?  It


This server is authoritative for a few hundred domains, so I would imagine 
anybody doing a query on any of them would need to talk to it...unless I 
misunderstand what you mean by talk.



indicates a problem sending UDP traffic; netstat -s output would be


Unfortunately, I did not have time for netstats or tcpdumps when this was 
happening and I've not seen this log entry since yesterday evening.


informative.  You might find that setting options in named.conf to tune 
the # of outstanding queries will help:


clients-per-query 10;
max-clients-per-query 20;


Thanks, I will look into those.  The man page for named.conf doesn't tell 
you much and my latest Cricket book is 3rd edition (only up to BIND 8), so 
I guess it's time to break down and get the latest.


James Smallacombe PlantageNet, Inc. CEO and Janitor
u...@3.am   http://3.am
=


Re: named error sending response: not enough free resources

2010-01-27 Thread Chuck Swiger
Hi--

On Jan 27, 2010, at 1:15 PM, James Smallacombe wrote:
 Jan 26 21:50:32 host named[667]: client IP REMOVED#57938: error sending 
 response: not enough free resources
 Jan 26 21:50:32 host named[667]: client IP REMOVED#59830: error sending 
 response: not enough free resources
 
 Were these client IPs expected to be talking to this machine?  It
 
 This server is authoritative for a few hundred domains, so I would imagine 
 anybody doing a query on any of them would need to talk to it...unless I 
 misunderstand what you mean by talk.

OK, if the nameserver is published / authoritative, then it would be expected 
to be fielding requests from the Internet at large.

 indicates a problem sending UDP traffic; netstat -s output would be
 
 Unfortunately, I did not have time for netstats or tcpdumps when this was 
 happening and I've not seen this log entry since yesterday evening.

Unless you rebooted the machine again since the errors were reported, the 
netstat output would still be relevant.

 informative.  You might find that setting options in named.conf to tune the 
 # of outstanding queries will help:
 
 clients-per-query 10;
 max-clients-per-query 20;
 
 Thanks, I will look into those.  The man page for named.conf doesn't tell you 
 much and my latest Cricket book is 3rd edition (only up to BIND 8), so I 
 guess it's time to break down and get the latest.

Good luck

-- 
-Chuck



Re: named error sending response: not enough free resources

2010-01-27 Thread James Smallacombe

On Wed, 27 Jan 2010, Chuck Swiger wrote:


On Jan 27, 2010, at 1:15 PM, James Smallacombe wrote:


Jan 26 21:50:32 host named[667]: client IP REMOVED#57938: error 
sending response: not enough free resources



indicates a problem sending UDP traffic; netstat -s output would be


Unfortunately, I did not have time for netstats or tcpdumps when this 
was happening and I've not seen this log entry since yesterday evening.


Unless you rebooted the machine again since the errors were reported, 
the netstat output would still be relevant.


Ok, I saw this at least once since the last reboot, so here are the tcp 
and udp portions of the netstat -s:


tcp:
31422122 packets sent
23133142 data packets (3473553079 bytes)
314215 data packets (132175418 bytes) retransmitted
6579 data packets unnecessarily retransmitted
11 resends initiated by MTU discovery
5408494 ack-only packets (200066 delayed)
0 URG only packets
1237 window probe packets
868892 window update packets
1713629 control packets
28600984 packets received
17029642 acks (for 3351867346 bytes)
1256410 duplicate acks
73760 acks for unsent data
11363962 packets (548204663 bytes) received in-sequence
184682 completely duplicate packets (16657176 bytes)
2327 old duplicate packets
1468 packets with some dup. data (339128 bytes duped)
334018 out-of-order packets (337877573 bytes)
85687 packets (637782 bytes) of data after window
10 window probes
114047 window update packets
160975 packets received after close
1148 discarded for bad checksums
0 discarded for bad header offset fields
0 discarded because packet too short
9123 discarded due to memory problems
413250 connection requests
1504359 connection accepts
6 bad connection attempts
100 listen queue overflows
186225 ignored RSTs in the windows
1912682 connections established (including accepts)
2050764 connections closed (including 1022550 drops)
1058803 connections updated cached RTT on close
1065370 connections updated cached RTT variance on close
252114 connections updated cached ssthresh on close
3769 embryonic connections dropped
11958433 segments updated rtt (of 11574855 attempts)
285733 retransmit timeouts
12079 connections dropped by rexmit timeout
1884 persist timeouts
4 connections dropped by persist timeout
0 Connections (fin_wait_2) dropped because of timeout
385 keepalive timeouts
345 keepalive probes sent
40 connections dropped by keepalive
2663719 correct ACK header predictions
5996181 correct data packet header predictions
1520655 syncache entries added
58477 retransmitted
26560 dupsyn
20622 dropped
1504359 completed
137 bucket overflow
0 cache overflow
6190 reset
10206 stale
100 aborted
0 badack
47 unreach
0 zone failures
1541277 cookies sent
415 cookies received
21638 SACK recovery episodes
37110 segment rexmits in SACK recovery episodes
51620488 byte rexmits in SACK recovery episodes
240368 SACK options (SACK blocks) received
217836 SACK options (SACK blocks) sent
0 SACK scoreboard overflow
udp:
9663633 datagrams received
0 with incomplete header
0 with bad data length field
549 with bad checksum
9609 with no checksum
12092 dropped due to no socket
49230 broadcast/multicast datagrams undelivered
0 dropped due to full socket buffers
0 not for hashed pcb
9601762 delivered
42443353 datagrams output
0 times multicast source filter matched


James Smallacombe PlantageNet, Inc. CEO and Janitor
u...@3.am   http://3.am
=


Re: named needs restart after a reboot

2009-12-09 Thread Derrick Ryalls
On Tue, Dec 8, 2009 at 12:24 PM, Warren Block wbl...@wonkity.com wrote:
 On Tue, 8 Dec 2009, Derrick Ryalls wrote:

 uname:

 FreeBSD example.com 8.0-RELEASE-p1 FreeBSD 8.0-RELEASE-p1 #0: Sun Dec
 6 11:23:52 PST 2009     ryal...@example.com:/usr/obj/usr/src/sys/FRODO
 amd64

 I have most things working, but I have noticed that every time I
 reboot the machine, I need to manually restart named to get it
 listening on the proper interfaces as by default it is listening on
 127.0.0.1 interfaces only.  A simple /etc/rc.d/named restart fixes it
 which seems like it would be configured correctly, but I have had to
 do this on an install before.

 Anyone have a guess as to what could be wrong?

 Only a guess: network interface comes up too late.  If you're using DHCP to
 configure that interface, you could try SYNCDHCP.  Or if it's an re(4)
 interface, there are patches in 8-STABLE that make it come up faster.

 -Warren Block * Rapid City, South Dakota USA


ifconfig_nfe0="SYNCDHCP"

Was the fix, thanks!


Re: named needs restart after a reboot

2009-12-09 Thread Derrick Ryalls
On Wed, Dec 9, 2009 at 3:39 PM, Derrick Ryalls ryal...@gmail.com wrote:
 On Tue, Dec 8, 2009 at 12:24 PM, Warren Block wbl...@wonkity.com wrote:
 On Tue, 8 Dec 2009, Derrick Ryalls wrote:

 uname:

 FreeBSD example.com 8.0-RELEASE-p1 FreeBSD 8.0-RELEASE-p1 #0: Sun Dec
 6 11:23:52 PST 2009     ryal...@example.com:/usr/obj/usr/src/sys/FRODO
 amd64

 I have most things working, but I have noticed that every time I
 reboot the machine, I need to manually restart named to get it
 listening on the proper interfaces as by default it is listening on
 127.0.0.1 interfaces only.  A simple /etc/rc.d/named restart fixes it
 which seems like it would be configured correctly, but I have had to
 do this on an install before.

 Anyone have a guess as to what could be wrong?

 Only a guess: network interface comes up too late.  If you're using DHCP to
 configure that interface, you could try SYNCDHCP.  Or if it's an re(4)
 interface, there are patches in 8-STABLE that make it come up faster.

 -Warren Block * Rapid City, South Dakota USA


 ifconfig_nfe0="SYNCDHCP"

 Was the fix, thanks!


Spoke too soon.  On one reboot, the interface couldn't talk to DHCP
until I set it down then back up.  I have gone to statically setting
the IP.  Not ideal, but seems to be working (based on one clean
reboot).


named needs restart after a reboot

2009-12-08 Thread Derrick Ryalls
Greetings,

uname:

FreeBSD example.com 8.0-RELEASE-p1 FreeBSD 8.0-RELEASE-p1 #0: Sun Dec
6 11:23:52 PST 2009 ryal...@example.com:/usr/obj/usr/src/sys/FRODO
 amd64

I have most things working, but I have noticed that every time I
reboot the machine, I need to manually restart named to get it
listening on the proper interfaces as by default it is listening on
127.0.0.1 interfaces only.  A simple /etc/rc.d/named restart fixes it
which seems like it would be configured correctly, but I have had to
do this on an install before.

Anyone have a guess as to what could be wrong?

Thanks.


Re: named needs restart after a reboot

2009-12-08 Thread Warren Block

On Tue, 8 Dec 2009, Derrick Ryalls wrote:

uname:

FreeBSD example.com 8.0-RELEASE-p1 FreeBSD 8.0-RELEASE-p1 #0: Sun Dec
6 11:23:52 PST 2009 ryal...@example.com:/usr/obj/usr/src/sys/FRODO
amd64

I have most things working, but I have noticed that every time I
reboot the machine, I need to manually restart named to get it
listening on the proper interfaces as by default it is listening on
127.0.0.1 interfaces only.  A simple /etc/rc.d/named restart fixes it
which seems like it would be configured correctly, but I have had to
do this on an install before.

Anyone have a guess as to what could be wrong?


Only a guess: network interface comes up too late.  If you're using DHCP 
to configure that interface, you could try SYNCDHCP.  Or if it's an 
re(4) interface, there are patches in 8-STABLE that make it come up 
faster.


-Warren Block * Rapid City, South Dakota USA

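A check for the symptom in this thread, added here as an example and not part of any post above. BIND 9 binds its listening sockets to the addresses present when it starts and rescans the interface list only every interface-interval minutes (60 by default, settable in the options block of named.conf), so a named started before DHCP has finished sits on 127.0.0.1 alone until the next scan, which is exactly what a restart "fixes". The functions below parse `sockstat -4 -l` output and fail when named is not reachable on the expected address, so they can serve as a post-boot assertion. The sockstat sample is constructed; the address 64.156.192.169 is a placeholder taken from elsewhere on this page.

```sh
#!/bin/sh
# Added example (not from the thread): verify which addresses named is bound
# to, from "sockstat -4 -l" output. The sample below is constructed; on a live
# host run:  sockstat -4 -l | check_named_bound <your address>

# Constructed sample: the failure mode from the thread, named bound to
# loopback only (port 53 plus the rndc control port) while sshd is on the
# wildcard address.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
bind     named      667   20 udp4   127.0.0.1:53          *:*
bind     named      667   21 tcp4   127.0.0.1:53          *:*
bind     named      667   22 tcp4   127.0.0.1:953         *:*
root     sshd       600   3  tcp4   *:22                  *:*'

# Print "PROTO ADDR:PORT" for every IPv4 socket owned by a named process.
named_listeners() {
    awk '$2 == "named" && $5 ~ /^(udp|tcp)4$/ { print $5, $6 }'
}

# Exit 0 if named serves port 53 on address $1 (or on the wildcard "*"),
# 1 otherwise. Usage: sockstat -4 -l | named_bound_to 64.156.192.169
named_bound_to() {
    awk -v want="$1" '
        $2 == "named" && ($6 == want ":53" || $6 == "*:53") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Read sockstat output on stdin; succeed if named serves port 53 on $1,
# otherwise report what it is actually bound to and fail.
check_named_bound() {
    addr=$1
    input=$(cat)
    if printf '%s\n' "$input" | named_bound_to "$addr"; then
        echo "named is listening on $addr:53"
        return 0
    fi
    echo "named is NOT listening on $addr:53; it is bound to:" >&2
    printf '%s\n' "$input" | named_listeners >&2
    return 1
}

# Offline demo against the constructed sample: the check is expected to fail,
# which is the point of running it right after boot.
printf '%s\n' "$SAMPLE_SOCKSTAT" | check_named_bound 64.156.192.169 \
    || echo "(boot check failed, as expected for the sample)"
```

Run the check from a late rc.d script or a cron @reboot job and you find out about a loopback-only resolver from the boot log instead of from whatever fails to resolve names an hour later.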

Re: named issue

2009-09-26 Thread Jos Chrispijn

Jeffrey Goldberg wrote:
These are queries your mailservers are making to the spamhaus blocking 
list.
How many queries to the ZEN Spamhaus DNSBL are you making per day?  If 
you exceed their non-commercial usage, they will cut you off.


I see.

Thank you all for your suggestions.
Jos Chrispijn


named issue

2009-09-25 Thread Jos Chrispijn

[named]

Lately I get messages like this in my all.log:

named[605]: too many timeouts resolving '*.*.*.*.zen.spamhaus.org/A' (in 
'zen.spamhaus.ORG'?): disabling EDNS


(*) is random ip address

Now before I add the following lines in /etc/named.conf or 
/var/named/chroot/etc/

named.conf:

logging {
category lame-servers {null; };
category edns-disabled { null; };

};

I would like to know what I could do to prevent generation of that line?

Thanks,
Jos Chrispijn


Re: named issue

2009-09-25 Thread Tim Judd
On 9/25/09, Jos Chrispijn ker...@webrz.net wrote:
 [named]

 Lately I get messages like this in my all.log:

 named[605]: too many timeouts resolving '*.*.*.*.zen.spamhaus.org/A' (in
 'zen.spamhaus.ORG'?): disabling EDNS

 (*) is random ip address

 Now before I add the following lines in /etc/named.conf or
 /var/named/chroot/etc/
 named.conf:

 logging {
 category lame-servers {null; };
 category edns-disabled { null; };

 };

 I would like to know what I could do to prevent generation of that line?

 Thanks,
 Jos Chrispijn


That's likely an email DNSBL (DNS Blacklist).  zen.spamhaus.org is
known for DNSBL.

Disable it in your mailserver...  but then you get nasties.


--TJ


Re: named issue

2009-09-25 Thread Jeffrey Goldberg

On Sep 25, 2009, at 2:00 PM, Jos Chrispijn wrote:


[named]

Lately I get messages like this in my all.log:

named[605]: too many timeouts resolving '*.*.*.*.zen.spamhaus.org/A' (in 'zen.spamhaus.ORG'?): disabling EDNS


(*) is random ip address


These are queries your mailservers are making to the spamhaus blocking  
list.


How many queries to the ZEN Spamhaus DNSBL are you making per day?  If  
you exceed their non-commercial usage, they will cut you off.


See

 http://www.spamhaus.org/organization/dnsblusage.html

-j


--
Jeffrey Goldberg    http://www.goldmark.org/jeff/



Re: /etc/rc.d/named dilemma

2009-08-23 Thread perryh
Nerius Landys nlan...@gmail.com wrote:

 I am still bamboozled by the network taking 30 seconds to come up.

One thing I've run into recently is an Ethernet switch that needs to
resolve spanning tree after a port reset.  The physical link comes
back up quickly, but it seems to take about 30 seconds before the
switch will handle any traffic.


Re: /etc/rc.d/named dilemma

2009-08-22 Thread cpghost
On Fri, Aug 21, 2009 at 09:37:09PM -0700, Nerius Landys wrote:
 I am trying to figure out why DNS lookups are not possible right after
 the named process has been launched (during bootup).

At start, named sends a couple of queries to e.g. root servers. All
this requires the network connection to be already up and running;
and if you're using a firewall, it also needs to be up and ready.
And, more importantly, it requires some time until named is ready
to answer lookups... and in the mean time, you've already launched
other processes who do queries.

I have a similar problem with a little FreeBSD-based home router
running net/mpd5 to connect via PPPoE to a DSL line. Because packages
(and so mpd) start after all system processes, named has trouble
connecting to the root servers, pf has trouble initializing itself
without the ng0 interface, ntpd has trouble initializing itself,...
and when mpd finally establishes the network connection, it is
already too late.

I'd love to change the rc-order of the scripts, so that mpd starts
first, waits until the link is up, and only then starts the other
processes. But until I've found out how to do that the right way,
I wrote a little batch script that gets invoked at link-up, and
that simply restarts all other processes in the order: pf, named,
ntpd, postfix, etc... That's not ideal, but as a kludge, it works
for me.

-cpghost.

-- 
Cordula's Web. http://www.cordula.ws/


Re: /etc/rc.d/named dilemma

2009-08-22 Thread RW
On Fri, 21 Aug 2009 21:37:09 -0700
Nerius Landys nlan...@gmail.com wrote:

 Then why
 can't I do a lookup right after named starts?

Possibly it's a delay in bind being ready or maybe you don't have any
network access - the latter is common with ppp.


 By the way, the underlying issue that I'm trying to address is that
 ntpdate, which comes right after named in the boot sequence, is not
 able to resolve the DNS for the time servers.


Try putting the following in /usr/local/etc/rc.d/waitfordns and make it
executable (untested)

 
#!/bin/sh
#
# PROVIDE: waitfordns
# REQUIRE: named
# BEFORE:  ntpdate

. /etc/rc.subr

: ${waitfordns_enable:=yes}
name=waitfordns
rcvar=`set_rcvar`
stop_cmd=:
start_cmd=waitfordns_start   


waitfordns_start(){

   /usr/bin/dig +time=1 +retry=99 @127.0.0.1 google.com > /dev/null 2>&1

}

load_rc_config ${name}
run_rc_command $1


Re: /etc/rc.d/named dilemma

2009-08-22 Thread Nerius Landys
Thanks for the script.  I found the underlying problem on my system.
My server is at a data center and I don't know what kind of equipment
the server is connected to.  It appears that it takes 30 seconds for
the networking to start.  I added this script as
/etc/rc.d/waitfornetwork, and enabled it in rc.conf:

===

#!/bin/sh

# PROVIDE: waitfornetwork
# REQUIRE: NETWORKING
# BEFORE:  named

. /etc/rc.subr

: ${waitfornetwork_enable:=NO}
name=waitfornetwork
rcvar=`set_rcvar`
stop_cmd=:
start_cmd=waitfornetwork_start

waitfornetwork_start()
{
  echo "Waiting for network to initialize."
  for i in 0 1 2 3 4 5 6 7 8 9; do
    #echo "Iteration $i"
    if ping -c 1 198.41.0.4 | grep -q '^1 packets transmitted, 1 packets received, 0.0% packet loss'; then
      break
    fi
  done
}

load_rc_config ${name}
run_rc_command $1

===


It goes through 4 or 5 iterations (the for loop) before it exits.
This takes about 30 seconds.  Without this startup script, ntpdate and
ntpd fail, regardless of whether or not I use named as my local DNS
caching server.  With this script enabled, ntpdate and ntpd are able
to resolve the listed DNS for the time servers, regardless of whether
I'm using 127.0.0.1 or some other DNS in my resolv.conf.

This 30 second delay for the network to start on every reboot (at the
data center) - is this normal?

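The wait loop that both RW's waitfordns and Nerius's waitfornetwork scripts implement, as an added example (not code from either post), with the one thing both are missing: a hard deadline, so a dead link or a broken resolver produces a visible failure in the boot log instead of an open-ended hang. The probe helpers assume the default gateway answers ICMP and that the zone name passed in is one this named holds itself, so the resolver probe does not depend on upstream reachability; the stub probe and its state file exist only so the block can be run offline.

```sh
#!/bin/sh
# Added example (not from the thread): a bounded wait-for-a-dependency helper
# of the kind the waitfordns / waitfornetwork scripts above implement, with a
# deadline so boot never hangs indefinitely on a dead link or resolver.

# wait_for <label> <deadline_s> <interval_s> <probe command...>
#   Runs the probe until it exits 0. Returns 0 when it does, 1 once
#   <deadline_s> seconds have passed without success.
wait_for() {
    label=$1; deadline=$2; interval=$3; shift 3
    start=$(date +%s)
    tries=0
    while :; do
        tries=$((tries + 1))
        if "$@" >/dev/null 2>&1; then
            echo "$label: ready after $tries probe(s)"
            return 0
        fi
        if [ $(( $(date +%s) - start )) -ge "$deadline" ]; then
            echo "$label: not ready after ${deadline}s, giving up" >&2
            return 1
        fi
        sleep "$interval"
    done
}

# Probes for a real host (assumptions: the default gateway answers ICMP, and
# the zone name given is one this named is authoritative for). FreeBSD's ping
# takes -W in milliseconds; dig exits non-zero when no server could be reached,
# so a single try with a one-second timeout is a clean readiness test.
probe_gateway()  { ping -c 1 -W 1000 "$1"; }
probe_resolver() { dig +time=1 +tries=1 @127.0.0.1 "$1" SOA; }

# Stub probe for the offline self-test: fails twice, succeeds on the third
# call. State lives in a file so it survives however the shell runs the probe.
STUB_STATE=$(mktemp)
stub_probe() {
    n=$(cat "$STUB_STATE"); n=$(( ${n:-0} + 1 )); echo "$n" > "$STUB_STATE"
    [ "$n" -ge 3 ]
}

# Offline demo: the stub becomes ready on its third probe.
echo 0 > "$STUB_STATE"
wait_for "stub-service" 5 0 stub_probe
rm -f "$STUB_STATE"
```

On a FreeBSD host the loop sits in an rc.d script's start method: `wait_for network 60 2 probe_gateway 64.156.192.1` under `# REQUIRE: NETWORKING` and `# BEFORE: named`, and `wait_for resolver 30 1 probe_resolver nerius.com` under `# REQUIRE: named` and `# BEFORE: ntpdate`, with deadlines sized from the 30 seconds Nerius measured plus margin. The same ordering is the right fix for cpghost's pf-without-ng0 case, and it matters more there: a firewall that fails to load its ruleset at boot leaves the host unfiltered until something restarts it, so starting pf only after the interface exists, and failing loudly when it does not appear, beats restarting services after the fact.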

Re: /etc/rc.d/named dilemma

2009-08-22 Thread Nerius Landys
One last question.  I'm getting interesting [kernel?] messages during
bootup.  You know, the kind that are highlighted white in the console.

The relevant lines of rc.conf look like this right now:

defaultrouter="64.156.192.1"
hostname="daffy.nerius.com"
ifconfig_em0="inet 64.156.192.169 netmask 255.255.255.0"
waitfornetwork_enable="YES"
named_enable="YES"
sshd_enable="YES"
#ntpdate_enable="YES"
ntpd_enable="YES"
linux_enable="YES"
apache22_enable="YES"
mysql_enable="YES"


Early on in the bootup, the ifconfig shows for em0:

inet 64.156.192.169 ...
media: Ethernet autoselect
status: no carrier

Then later on:

Waiting for network to initialize.
em0: link state changed to UP
calcru: runtime went backwards from 37332 usec to 16577 usec for pid 47 (sh)...
... (more messages about calcru)

And then everything starts fine, including ntpd.

Why is em0 only brought up when I do my ping command in
/etc/rc.d/waitfornetwork?  And are these calcru messages something to
be worried about?


Re: /etc/rc.d/named dilemma

2009-08-22 Thread Nerius Landys
 calcru: runtime went backwards from 37332 usec to 16577 usec for pid 47 (sh)...

Not to seem like I'm talking to myself, but I fixed this problem:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/faq/troubleshoot.html#CALCRU-NEGATIVE-RUNTIME
(Turn off Intel® Enhanced SpeedStep.)

I am still bamboozled by the network taking 30 seconds to come up.


Re: /etc/rc.d/named dilemma

2009-08-22 Thread Robert Huff

Nerius Landys wrote:

I am still bamboozled by the network taking 30 seconds to come up.


	I don't remember the original description, but any time I hear about a 
30 second gap during startup, I think of the well-known DNS reverse 
look-up issue.  Are you sure this is not the case here?



Robert Huff



Re: /etc/rc.d/named dilemma

2009-08-22 Thread Nerius Landys
        I don't remember the original description, but any time I hear about
 a 30 second gap during startup, I think of the well-known DNS reverse
 look-up issue.  Are you sure this is not the case here?

Indeed, I had forgotten to set up the PTR record for my new IP address.

However the original description is that when I issue a ping -c 100
x.y.z.w to a well-known IP address, only the last 70 packets get
returned, not the first 30 (hence 30 seconds).  This ping command is
issued very early in the rc.d scripts, after NETWORK and before named,
and the script does not exit until a ping request is successful.


Re: /etc/rc.d/named dilemma

2009-08-22 Thread Mario Lobo
On Saturday 22 August 2009 21:11:01 Nerius Landys wrote:
         I don't remember the original description, but any time I hear
  about a 30 second gap during startup, I think of the well-known DNS
  reverse look-up issue.  Are you sure this is not the case here?

 Indeed, I had forgotten to set up the PTR record for my new IP
 address.

 However the original description is that when I issue a ping -c 100
 x.y.z.w to a well-known IP address, only the last 70 packets get
 returned, not the first 30 (hence 30 seconds).  This ping command is
 issued very early in the rc.d scripts, after NETWORK and before named,
 and the script does not exit until a ping request is successful.

Nerius;

I had the same problem until I put: 

# REQUIRE: SERVERS cleanvar ppp-user

in /etc/rc.d/named script, which means that named won't start until the
ppp -ddial adsl command, which is called in /etc/rc.d/ppp-user, is 
finished. By then, DNS and default route will be established. 

I also put:
# PROVIDE: ppp-user
in /etc/rc.d/ppp-user.



Sorry for writing you directly but I don't know why, the freebsd-questions 
list (in fact, all freebsd lists i'm subscribed to) is refusing my posts. Not 
even the list manager/owner gets them. If you would be so kind to forward 
this to them, I'd be very grateful. Maybe they could find out why so I could 
take action to try remedy what is causing the refusals of my e-mail.

Thanks and Best wishes,
-- 
Mario Lobo
http://www.mallavoodoo.com.br
FreeBSD since version 2.2.8 [not Pro-Audio YET!!] (99,7% winedows FREE)


/etc/rc.d/named dilemma

2009-08-21 Thread Nerius Landys
I am trying to figure out why DNS lookups are not possible right after
the named process has been launched (during bootup).  I am kind of a
newb at diagnosing these sorts of issues, but as an attempt to figure
out what's wrong, I added the following lines to the very bottom of my
/etc/rc.d/named:

case $1 in
*start)
sleep 5
cat /etc/resolv.conf
ping -c 4 127.0.0.1
host google.com || true
;;
esac


And so, during bootup, I get the following messages, as expected:

Starting named.
domain nerius.com
nameserver 127.0.0.1
PING 127.0.0.1 
64 bytes from 127.0.0.1: icmp.
...
4 packets transmitted, 4 packets received...
...
;; connection timed out; no servers could be reached


The last line is what I don't understand.  named is listening on
127.0.0.1, and normal lookups can be done fine after bootup.  Then why
can't I do a lookup right after named starts?

By the way, the underlying issue that I'm trying to address is that
ntpdate, which comes right after named in the boot sequence, is not
able to resolve the DNS for the time servers.

Thx.


Re: named startup problems upgrading from 7.1p4 to 7.1p5 or 7.1p6

2009-07-13 Thread Ian
On Sun, 28 Jun 2009 20:54:26 Ian wrote:
 Hi, I've been meaning to sort this out since the release of 7.1p5, but only
 just got around to it - I have an installation of 7.1 that runs bind and
 has been working fine up until I tried to update the system to 7.1p5 (using
 freebsd-update). As soon as I apply the update & reboot, named loads but
 the startup script hangs.

 If I press Ctrl+C, the system continues to boot. If I then run
 /etc/rc.d/named start, named starts, but again the script hangs. I can do
 DNS lookups while named is running, so it seems to be functioning ok.
 I tried adding various echo statements to /etc/rc.d/named and found that
 the script seems to run right through. The hang occurs where /etc/rc.subr
 echoes out Starting named after the named script has run and that's where
 things seem to stop! Nothing else that is started by the rc.d scripts
 hangs, so I'm guessing  /etc/rc.subr is ok.

 I did a diff of /etc/rc.d/named before & after the upgrade from p4 to p5
 (or p6 which has the same issue) and there are no changes to the file.
 Nothing seems to be logged anywhere that shows a problem, so I really have
 no idea what to check next.

 The only named entry in rc.conf is named_enable=YES. Doing a
 freebsd-update rollback restores normal operation and given that bind
 actually loads & seems to work apart from the hanging script, I suspect
 there's nothing wrong with my bind configuration.

 Any suggestions?

 Cheers,
 --
 Ian
 gpg key: http://home.swiftdsl.com.au/~imoore/no-spam.asc

I've never really solved this problem - even running with the default 
named.conf as a simple caching server didn't change anything.
Instead, I rolled back to 7.1p4  then upgraded to 7.2(p2) and bind works just 
fine.

Cheers,
-- 
Ian
gpg key: http://home.swiftdsl.com.au/~imoore/no-spam.asc




Re: named startup problems upgrading from 7.1p4 to 7.1p5 or 7.1p6

2009-06-30 Thread no-spam
Sorry for starting a new thread with this - my ISP's mail server seems to be 
rejecting all mail recipients when I send email with a mail client, so I'm 
having to use webmail instead. Their tech says they won't help - they only 
support Outlook! Grrr!

On Sun, 28 Jun 2009 23:27:07 Matthew Seaman wrote:
 Ian wrote:
  Well the fact that if I run  /etc/rc.d/named manually after the system
  has booted, the script also hangs suggests it's not the next process. I
  have just checked, however, and ntpdate is the next one in the list to be
  started and that does start correctly - you can see it report the clock
  being adjusted. Also, when you do a Ctrl+C to break the named script on
  bootup, it says Script /etc/rc.d/named interrupted.
 
  Something I've just realised is that named stays loaded even when you
  'break' the script. on bootup and DNS lookups work (I didn't think that
  was the case originally, but it is).

Actually, some careful checking tonight shows that I had forgotten I had a 
second DNS server in resolv.conf that was doing the DNS resolution - in fact 
bind on this server is not working even though a bind process appears to be 
running :/

 Hmmm

 Anything interesting from named in the system logs?  You might want to
 enable /var/log/all.log by following the instructions in /etc/syslog.conf
 and then see what output you get by bouncing named.  It's usually pretty
 good at pointing out exactly what it thinks the problem is.

I've enabled all.log, it only shows the following output when starting named:
Jun 29 20:51:43 msgserver named[1593]: starting BIND 9.4.2-P2 -t /var/named -u bind
Jun 29 20:51:43 msgserver named[1593]: found 1 CPU, using 1 worker thread

a ps axw | grep named gives the following output after running /etc/rc.d/named 
start:
 1988  ??  Is 0:00.00 /usr/sbin/named -t /var/named -u bind
 1930  p0  I+ 0:00.06 /bin/sh -x /etc/rc.d/named start
 1987  p0  I+ 0:00.01 /usr/sbin/named -t /var/named -u bind

and then after doing a Ctrl+C in the terminal where /etc/rc.d/named start is 
running, only one process continues to run:
 1988  ??  Is 0:00.00 /usr/sbin/named -t /var/named -u bind

This process doesn't respond to DNS queries, to rndc commands, 
to /etc/rc.d/named stop (says no process is running because there is no pid 
file being created) or by a kill command other than kill -9.
(All named processes were killed before starting named.)


 You could also try running:

# /bin/sh -x /etc/rc.d/named start


 -- make sure named isn't running when you do that.  There will be quite
 a lot of output as the rc system loads all of the various config files,
 but you should be able to trace exactly where it's got to when it does
 hang.

Here are the edited highlights of the output; I can't see anything that helps:
 + _rc_subr_loaded=:
 + name=named
 + rcvar=named_enable
 + command=/usr/sbin/named
 + extra_commands=reload
 + start_precmd=named_precmd
 + start_postcmd=make_symlinks
 + reload_cmd=named_reload
 + stop_cmd=named_stop
 + stop_postcmd=named_poststop
 + load_rc_config named
 + _name=named
 + [ -z named ]
 + false
 + [ -r /etc/defaults/rc.conf ]

 snip

 + named_enable=NO
 + named_program=/usr/sbin/named
 + named_pidfile=/var/run/named/pid
 + named_uid=bind
 + named_chrootdir=/var/named
 + named_chroot_autoupdate=YES
 + named_symlink_enable=YES

 snip

 + sourced_files=:/etc/rc.conf::/etc/rc.conf.local:
 + [ -r /etc/rc.conf.local ]
 + _rc_conf_loaded=true
 + [ -f /etc/rc.conf.d/named ]
 + required_dirs=/var/named
 + pidfile=/var/run/named/pid
 + command_args=-u bind
 + run_rc_command start
 + _return=0
 + rc_arg=start
 + [ -z named ]
 + shift 1
 + rc_extra_args=
 + _rc_prefix=
 + eval _override_command=$named_program
 + _override_command=/usr/sbin/named
 + command=/usr/sbin/named
 + _keywords=start stop restart rcvar reload
 + rc_pid=
 + _pidcmd=
 + _procname=/usr/sbin/named
 + [ -n /usr/sbin/named ]
 + [ -n /var/run/named/pid ]
 + _pidcmd=rc_pid=$(check_pidfile /var/run/named/pid /usr/sbin/named )
 + [ -n rc_pid=$(check_pidfile /var/run/named/pid /usr/sbin/named ) ]
 + _keywords=start stop restart rcvar reload status poll
 + [ -z start ]
 + [ -n  ]
 + eval rc_flags=$named_flags
 + rc_flags=
 + eval _chdir=$named_chdir _chroot=$named_chroot _nice=$named_nice
 _user=$named_user _group=$named_group _groups=$named_groups
 + _chdir= _chroot= _nice= _user= _group= _groups=
 + [ -n  ]
 + [ -n named_enable -a start != rcvar ]
 + checkyesno named_enable
 + eval _value=$named_enable
 + _value=YES
 + debug checkyesno: named_enable is set to YES.
 + return 0
 + eval rc_pid=$(check_pidfile /var/run/named/pid /usr/sbin/named )
 + check_pidfile /var/run/named/pid /usr/sbin/named
 + _pidfile=/var/run/named/pid
 + _procname=/usr/sbin/named
 + _interpreter=
 + [ -z /var/run/named/pid -o -z /usr/sbin/named ]
 + [ ! -f /var/run/named/pid ]
 + debug pid file (/var/run/named/pid): not readable.
 + return
 + rc_pid=
 + [ start != start ]
 + eval _cmd=$start_cmd _precmd=$start_precmd _postcmd

Re: named startup problems upgrading from 7.1p4 to 7.1p5 or 7.1p6

2009-06-30 Thread Polytropon
On Tue, 30 Jun 2009 08:35:26 +, no-s...@people.net.au wrote:
 Sorry for starting a new thread with this - my ISP's mail server seems to be 
 rejecting all mail recipients when I 

With which reason?



 send email with a mail client, so I'm having to use webmail instead. Their 
 tech says they won't help - they 
 only support Outlook! Grrr!

Can I read this as they don't support proper POP/SMTP? What
an ISP... :-(





-- 
Polytropon
From Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


named startup problems upgrading from 7.1p4 to 7.1p5 or 7.1p6

2009-06-28 Thread Ian
Hi, I've been meaning to sort this out since the release of 7.1p5, but only 
just got around to it - I have an installation of 7.1 that runs bind and has 
been working fine up until I tried to update the system to 7.1p5 (using 
freebsd-update). As soon as I apply the update & reboot, named loads but the 
startup script hangs.

If I press Ctrl+C, the system continues to boot. If I then run /etc/rc.d/named 
start, named starts, but again the script hangs. I can do DNS lookups while 
named is running, so it seems to be functioning ok.
I tried adding various echo statements to /etc/rc.d/named and found that the 
script seems to run right through. The hang occurs where /etc/rc.subr echoes 
out Starting named after the named script has run and that's where things 
seem to stop! Nothing else that is started by the rc.d scripts hangs, so I'm 
guessing  /etc/rc.subr is ok.

I did a diff of /etc/rc.d/named before & after the upgrade from p4 to p5 (or 
p6 which has the same issue) and there are no changes to the file.
Nothing seems to be logged anywhere that shows a problem, so I really have no 
idea what to check next.

The only named entry in rc.conf is named_enable=YES. Doing a freebsd-update 
rollback restores normal operation and given that bind actually loads & seems 
to work apart from the hanging script, I suspect there's nothing wrong with my 
bind configuration. 

Any suggestions?

Cheers,
--
Ian
gpg key: http://home.swiftdsl.com.au/~imoore/no-spam.asc




Re: named startup problems upgrading from 7.1p4 to 7.1p5 or 7.1p6

2009-06-28 Thread Matthew Seaman

Ian wrote:
Hi, I've been meaning to sort this out since the release of 7.1p5, but only 
just got around to it - I have an installation of 7.1 that runs bind and has 
been working fine up until I tried to update the system to 7.1p5 (using 
freebsd-update). As soon as I apply the update & reboot, named loads but the 
startup script hangs.


If I press Ctrl+C, the system continues to boot. If I then run /etc/rc.d/named 
start, named starts, but again the script hangs. I can do DNS lookups while 
named is running, so it seems to be functioning ok.
I tried adding various echo statements to /etc/rc.d/named and found that the 
script seems to run right through. The hang occurs where /etc/rc.subr echoes 
out Starting named after the named script has run and that's where things 
seem to stop! Nothing else that is started by the rc.d scripts hangs, so I'm 
guessing  /etc/rc.subr is ok.


I did a diff of /etc/rc.d/named before & after the upgrade from p4 to p5 (or 
p6 which has the same issue) and there are no changes to the file.
Nothing seems to be logged anywhere that shows a problem, so I really have no 
idea what to check next.


The only named entry in rc.conf is named_enable=YES. Doing a freebsd-update 
rollback restores normal operation and given that bind actually loads & seems 
to work apart from the hanging script, I suspect there's nothing wrong with my 
bind configuration. 


Any suggestions?


Are you sure it's not the thing which starts immediately *after* named that is
hanging?  Try running:

  # rcorder /etc/rc.d/* /usr/local/etc/rc.d/* 


and see what should come next.  Note this command shows the order in which
all of the rc scripts in those directories would run, not just the ones you have
enabled in rc.conf, so you may well have to skip a few lines until you get to
something that is enabled.

Cheers,

Matthew


--
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
 Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
 Kent, CT11 9PW





Re: named startup problems upgrading from 7.1p4 to 7.1p5 or 7.1p6

2009-06-28 Thread Ian
On Sun, 28 Jun 2009 21:43:49 Matthew Seaman wrote:
 Ian wrote:
  Hi, I've been meaning to sort this out since the release of 7.1p5, but
  only just got around to it - I have an installation of 7.1 that runs bind
  and has been working fine up until I tried to update the system to 7.1p5
  (using freebsd-update). As soon as I apply the update & reboot, named
  loads but the startup script hangs.
 
  If I press Ctrl+C, the system continues to boot. If I then run
  /etc/rc.d/named start, named starts, but again the script hangs. I can do
  DNS lookups while named is running, so it seems to be functioning ok.
  I tried adding various echo statements to /etc/rc.d/named and found that
  the script seems to run right through. The hang occurs where /etc/rc.subr
  echoes out Starting named after the named script has run and that's
  where things seem to stop! Nothing else that is started by the rc.d
  scripts hangs, so I'm guessing  /etc/rc.subr is ok.
 
  I did a diff of /etc/rc.d/named before & after the upgrade from p4 to p5
  (or p6 which has the same issue) and there are no changes to the file.
  Nothing seems to be logged anywhere that shows a problem, so I really
  have no idea what to check next.
 
  The only named entry in rc.conf is named_enable=YES. Doing a
  freebsd-update rollback restores normal operation and given that bind
  actually loads & seems to work apart from the hanging script, I suspect
  there's nothing wrong with my bind configuration.
 
  Any suggestions?

 Are you sure it's not the thing which starts immediately *after* named that
 is hanging?  Try running:

# rcorder /etc/rc.d/* /usr/local/etc/rc.d/*

 and see what should come next.  Note this command shows the order in which
 all of the rc scripts in those directories would run, not just the ones you
 have enabled in rc.conf, so you may well have to skip a few lines until you
 get to something that is enabled.

   Cheers,

   Matthew

Well the fact that if I run /etc/rc.d/named manually after the system has 
booted, the script also hangs suggests it's not the next process.
I have just checked, however: ntpdate is the next one in the list to be started 
and that does start correctly - you can see it report the clock being 
adjusted. Also, when you do a Ctrl+C to break the named script on bootup, it 
says Script /etc/rc.d/named interrupted.

Something I've just realised is that named stays loaded even when you 'break' 
the script on bootup, and DNS lookups work (I didn't think that was the case 
originally, but it is).

Cheers,
-- 
Ian
gpg key: http://home.swiftdsl.com.au/~imoore/no-spam.asc




Re: named startup problems upgrading from 7.1p4 to 7.1p5 or 7.1p6

2009-06-28 Thread Matthew Seaman

Ian wrote:

Well the fact that if I run /etc/rc.d/named manually after the system has 
booted, the script also hangs suggests it's not the next process.
I have just checked, however: ntpdate is the next one in the list to be started 
and that does start correctly - you can see it report the clock being 
adjusted. Also, when you do a Ctrl+C to break the named script on bootup, it 
says Script /etc/rc.d/named interrupted.


Something I've just realised is that named stays loaded even when you 'break' 
the script on bootup, and DNS lookups work (I didn't think that was the case 
originally, but it is).


Hmmm 


Anything interesting from named in the system logs?  You might want to
enable /var/log/all.log by following the instructions in /etc/syslog.conf
and then see what output you get by bouncing named.  It's usually pretty
good at pointing out exactly what it thinks the problem is.

You could also try running:

  # /bin/sh -x /etc/rc.d/named start

-- make sure named isn't running when you do that.  There will be quite
a lot of output as the rc system loads all of the various config files,
but you should be able to trace exactly where it's got to when it does hang.

You're using the system-supplied copy of bind aren't you?  Have you got
a valid /etc/named/rndc.conf or /etc/named/rndc.key file so you can use
rndc(8)?  If not, try running:

   # rndc-confgen > /etc/namedb/rndc.conf

and then cut'n'paste the indicated key and controls statements from that
file into named.conf, stripping out the comment characters as you do (of 
course).

If you're using one of the ports versions of named, do exactly the same
thing, but copy or link rndc.conf into /usr/local/etc/ as well.

Cheers,

Matthew


--
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
 Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
 Kent, CT11 9PW





Re: named startup problems upgrading from 7.1p4 to 7.1p5 or 7.1p6

2009-06-28 Thread Mel Flynn
On Sunday 28 June 2009 03:24:26 Ian wrote:

 I tried adding various echo statements to /etc/rc.d/named and found that
 the script seems to run right through.

rc_debug=YES in /etc/rc.conf is REALLY handy for this.
-- 
Mel


Re: Named ignoring forward-only zones?

2009-06-05 Thread Jeff Laine
On Thu, Jun 04, 2009 at 11:53:38AM -0500, Kirk Strauser wrote:
 For some reason, BIND 9 (FreeBSD 7.2-RELEASE) isn't properly forwarding 
 queries.  A snippet of named.conf:
 
 acl "clients" {
     localnets;
     localhost;
     ::1;
     10.45.12/19;
 };
 
 view "internal" {
     match-clients { clients; };
     zone "5.0.10.in-addr.arpa" {
         type forward;
         forward only;
         forwarders { 10.0.5.16; };
     };
 };
 
 
 Now, I can query the forwarder directly to get the right answer:
 
 $ dig +noall +answer -t ptr -x 10.0.5.16 @10.0.5.16
 16.5.0.10.in-addr.arpa. 86400   IN  PTR kanga.honeypot.net.
 
 But I can't get the same from named:
 
 $ dig -t ptr -x 10.0.5.16
 
 ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 56485
 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
 
 ;; QUESTION SECTION:
 ;16.5.0.10.in-addr.arpa.IN  PTR
 
 ;; AUTHORITY SECTION:
 10.in-addr.arpa.        10800   IN      SOA     10.in-addr.arpa. nobody.localhost. 42 86400 43200 604800 10800
 
 So, why isn't named directing that query to the configured forwarder?  I'm 
 99.9% certain this has been working recently.


Hi, Kirk.

I had a similar issue with forward type zones yesterday. 
I'm not quite sure, but it started to work after I put 127.0.0.1 
into /etc/resolv.conf on our bind server.


My named.conf entries look like this:

...
zone "need2.frwd.zone" {
    type forward;
    forward only;
    forwarders { 10.xx.xx.xx; 10.xx.xx.yy; };
};

zone "10.in-addr.arpa" {
    type forward;
    forward only;
    forwarders { 10.xx.xx.xx; 10.xx.xx.yy; };
};
...



-- 
Best regards,
Jeff

| Nobody wants to say how this works.  |
|  Maybe nobody knows ...  |
|   Xorg.conf(5)|


D'oh! was Re: Named ignoring forward-only zones?

2009-06-05 Thread Kirk Strauser
On Thursday 04 June 2009 11:53:38 am Kirk Strauser wrote:
 For some reason, BIND 9 (FreeBSD 7.2-RELEASE) isn't properly forwarding
 queries.

Commenting out

// zone "10.in-addr.arpa" { type master; file "master/empty.db"; };

from named.conf fixed the problem.  That's kind of... embarrassing.
-- 
Kirk Strauser


Re: named: error sending response: not enough free resources

2009-06-05 Thread Chris St Denis

Steve Bertrand wrote:
> Chris St Denis wrote:
>> Steve Bertrand wrote:
>>> What type of device is em1 attached to? Is it a switch or a hub? Is it
>>> possible to upgrade this? You should upgrade it to 100 (or 1000)
>>> anyways. Does this device show any collisions?
>>
>> This is a dedicated server in a datacenter. I don't know the exact
>> switch specs but it's likely a layer 2/3 managed switch. Probably a 1U
>> catalyst.
>
> Do you force 10Mb on your NIC, or do you auto-negotiate that?
>
> Perhaps before you pay a higher fee, your colo centre could allow you to
> connect to a 100Mb port (with perhaps some traffic policing) so you, as
> a client, could quickly verify if you want to scale up to their next
> tier without having to spend these up-front costs on troubleshooting
> this back-asswards.
>
>> I can upgrade the connection to 100mbps for a small monthly fee. I've
>> left it at 10 because I haven't had a need, but with traffic recently
>> growing, this is probably the problem.
>
> Tell the colo that. Tell them you need to test their next tier of service!
>
>>> # mail -s "tcpdump output" st...@ipv6canada.com < /var/log/dns.pcap
>>
>> I don't think this is necessary. If cutting down the http traffic or
>> raising the port speed doesn't fix it, I'll look into further debugging
>> with this.
>
> ...one more time, don't attempt to throttle your own traffic to
> troubleshoot what looks like a throughput bottleneck.
>
> Start with the colocation provider. They should, for free, allow you to
> have a testing period with their next service tier. Hopefully, they can
> do it without having to swap your Ethernet cable into another device.
>
> If it works during the test, then a small 'migration' and monthly
> upgrade fee would be acceptable (if they choose).
>
> Steve



The problem was resolved by switching to 100Mbps.

It's interesting that bind is all that complains about the bandwidth 
exhaustion, but I guess it's about my only use of UDP, and TCP is better 
able to handle this kind of issue so doesn't complain.


--
Chris St Denis
Programmer
SmarttNet (www.smartt.com)
Ph: 604-473-9700 Ext. 200
---
Smart Internet Solutions For Businesses 




Re: named: error sending response: not enough free resources

2009-06-05 Thread Wojciech Puchar


> This is a dedicated server in a datacenter. I don't know the exact
> switch specs but it's likely a
> layer 2/3 managed switch. Probably a 1U catalyst.


you mean cisco?

These are actually the most problematic switches. They don't properly 
autonegotiate speed and full/half duplex with many network cards.

For example the card is set to full duplex and the cisco to half duplex, or 
the reverse. Even funnier, sometimes even this doesn't help.

The only way to be sure it's fine is to set up the speed manually on both 
sides.



In one place I have connectivity from an upstream provider that uses a 
cisco switch. They set up speed to 100Mbps and full duplex on their 
side, but many NICs do not work fine with it.


It works, but there are packet losses, or messages showing that the card 
sometimes can't send a packet, etc.


Actually, the cheapest RTL8139 works best; digital 21140 or broadcom 
chips do not.


I really wasted a lot of time to discover that cisco really works well 
with:


- another cisco
- realtek NICs
- some of the cheapest 5 or 8 port switches




Named ignoring forward-only zones?

2009-06-04 Thread Kirk Strauser
For some reason, BIND 9 (FreeBSD 7.2-RELEASE) isn't properly forwarding 
queries.  A snippet of named.conf:

acl "clients" {
    localnets;
    localhost;
    ::1;
    10.45.12/19;
};

view "internal" {
    match-clients { clients; };
    zone "5.0.10.in-addr.arpa" {
        type forward;
        forward only;
        forwarders { 10.0.5.16; };
    };
};


Now, I can query the forwarder directly to get the right answer:

$ dig +noall +answer -t ptr -x 10.0.5.16 @10.0.5.16
16.5.0.10.in-addr.arpa. 86400   IN  PTR kanga.honeypot.net.

But I can't get the same from named:

$ dig -t ptr -x 10.0.5.16

;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 56485
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;16.5.0.10.in-addr.arpa.IN  PTR

;; AUTHORITY SECTION:
10.in-addr.arpa.        10800   IN      SOA     10.in-addr.arpa. nobody.localhost. 42 86400 43200 604800 10800

So, why isn't named directing that query to the configured forwarder?  I'm 
99.9% certain this has been working recently.
-- 
Kirk Strauser


Re: named: error sending response: not enough free resources

2009-06-03 Thread Wojciech Puchar

  - the network/LAN named tries to send the UDP packet on is somehow flooded.

  Dns is probably fairly busy. It's the primary authoritative dns for some 
busy domains.
  Is there a setting I can do to increase the limits of UDP packets to keep 
it from
  causing problems?


it would need to send 50 (I think) UDP packets in a burst faster than the NIC 
can send them. Unlikely. I'm 90% sure there is some problem with the network.




Re: named: error sending response: not enough free resources

2009-06-03 Thread Mel Flynn
On Wednesday 03 June 2009 00:46:20 Wojciech Puchar wrote:

named[69750]: client *ip removed*: error sending response: not
enough free resources

 quite misleading message, but the problem is that named wants to send a UDP
 packet and gets an error from the kernel.


 possible reasons
 - your firewall rules are the cause - check it.
 - your network card produces problems (REALLY, I have that case)
 - the network/LAN named tries to send the UDP packet on is somehow flooded.
  - the network card changes from UP to DOWN state at the time of the error

See that a lot running a local resolver on a wireless-g card and turning on the 
microwave.
-- 
Mel


Re: named: error sending response: not enough free resources

2009-06-03 Thread Wojciech Puchar


possible reasons
- your firewall rules are the cause - check it.
- your network card produces problems (REALLY, I have that case)
- the network/LAN named tries to send the UDP packet on is somehow flooded.

 - the network card changes from UP to DOWN state at the time of the error

See that a lot running a local resolver on a wireless-g card and turning on the
microwave.
This is an extreme case, but the card doesn't need to go UP and DOWN for long 
enough for the system to get a message. My second case

- your network card produces problems (REALLY, I have that case)


is an example. I had such a card that just reported an error every so many 
packets.



Re: named: error sending response: not enough free resources

2009-06-03 Thread Mel Flynn
On Wednesday 03 June 2009 11:48:48 Wojciech Puchar wrote:
  possible reasons
  - your firewall rules are the cause - check it.
  - your network card produces problems (REALLY, I have that case)
  - the network/LAN named tries to send the UDP packet on is somehow flooded.
 
   - the network card changes from UP to DOWN state at the time of the
  error
 
  See that a lot running a local resolver on a wireless-g card and turning on
  the microwave.

 this is an extreme case.

Not really. The point is that at the time the network card goes from up to 
down, named spits out this error. If you log named to a different log file 
than /var/log/messages, you will not see the relation. The reason for changing 
UP to DOWN can be anything from a device operating in the 2.4GHz band when using 
wireless-g to someone bumping his elbow into the colo's network cable, driver 
problems to switch failures, etc etc.

-- 
Mel


Re: named: error sending response: not enough free resources

2009-06-03 Thread Wojciech Puchar

Not really. The point is that at the time the network card goes from up to
down, named spits out this error. If you log named to a different log file
than /var/log/messages, you will not see the relation. The reason for changing


This is one reason I always change syslog.conf to configure everything to go 
to /var/log/messages.


As you said, I see all events in time order.

Fortunately I don't use radio networking unless I have no other choice.


named: error sending response: not enough free resources

2009-06-02 Thread Chris St Denis
I occasionally get named errors like these in my messages log. I've done 
a lot of searching and have found others with similar problems, but no 
solutions.


   named[69750]: client *ip removed*: error sending response: not
   enough free resources
   named[69750]: client *ip removed*: error sending response: not
   enough free resources
   named[69750]: client *ip removed*: error sending response: not
   enough free resources
   named[69750]: client *ip removed*: error sending response: not
   enough free resources
   named[69750]: client *ip removed*: error sending response: not
   enough free resources

System isn't particularly heavily loaded. Load averages around 0.5, cpu 
averages about 90% idle, not swapping much.


Other messages on this subject suggest a shortage of mbufs or an issue 
with the NIC driver (the item I read was complaining about fxp, but I 
have em) so here is the related info.


   eureka# uname -a
   FreeBSD eureka 6.3-RELEASE-p1 FreeBSD 6.3-RELEASE-p1 #1: Mon Feb 25
   08:17:08 PST 2008 cstde...@eureka:/usr/obj/usr/src/sys/EUREKA  i386

   eureka# named -v
   BIND 9.3.4-P1

   eureka# ifconfig em1
   em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
   options=1b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
   *IPs removed*
   ether 00:30:48:94:0a:31
   media: Ethernet 10baseT/UTP full-duplex
   status: active


   eureka# netstat -m
   1240/2165/3405 mbufs in use (current/cache/total)
   1216/1290/2506/25600 mbuf clusters in use (current/cache/total/max)
   1216/150 mbuf+clusters out of packet secondary zone in use
   (current/cache)
   0/0/0/0 4k (page size) jumbo clusters in use (current/cache/total/max)
   0/0/0/0 9k jumbo clusters in use (current/cache/total/max)
   0/0/0/0 16k jumbo clusters in use (current/cache/total/max)
   2742K/3121K/5863K bytes allocated to network (current/cache/total)
   0/0/0 requests for mbufs denied (mbufs/clusters/mbuf+clusters)
   0/0/0 requests for jumbo clusters denied (4k/9k/16k)
   8/430/6656 sfbufs in use (current/peak/max)
   0 requests for sfbufs denied
   0 requests for sfbufs delayed
   999635 requests for I/O initiated by sendfile
   276104 calls to protocol drain routines


How do I fix this?


--
Chris St Denis
Programmer
SmarttNet (www.smartt.com)
Ph: 604-473-9700 Ext. 200
---
Smart Internet Solutions For Businesses 
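Two of the checks the replies in this thread converge on, as an added example that is not code from the thread or from BIND: Wojciech's reading of the `netstat -m` counters (denied requests are what would show mbuf exhaustion) and Mel's point that the "not enough free resources" error only correlates with interface link-state changes when named and the kernel log to the same file. The syslog excerpt is constructed, the `netstat -m` text is the output posted above, and the kernel's `link state changed to DOWN/UP` wording and the 30-second window are assumptions.

```python
"""Triage helper for named's "error sending response: not enough free
resources" (its wording for a failed UDP send, typically ENOBUFS).

  mbuf_pressure()          - did the kernel actually deny mbuf requests?
                             (all-zero denied counters => mbufs are not it)
  correlate_link_events()  - did the error follow a link-state change on
                             an interface?  Only visible when named and
                             the kernel share one log file.
"""
import re
from datetime import datetime

# FreeBSD 6.x/7.x `netstat -m` lines of interest.
CLUSTERS_RE = re.compile(r"^\s*(\d+)/(\d+)/(\d+)/(\d+) mbuf clusters in use")
DENIED_RE = re.compile(r"^\s*(\d+)/(\d+)/(\d+) requests for mbufs denied")

# Classic syslog layout; the year is absent, so time deltas are only
# meaningful within one run of the log.
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$")
# Assumed kernel wording for a link-state change (ifname like em1, bge0).
LINK_RE = re.compile(
    r"kernel: (?P<iface>[a-z]+\d+): link state changed to (?P<state>UP|DOWN)")
NAMED_ERR_RE = re.compile(
    r"named\[\d+\]: client (?P<client>\S+): error sending response: "
    r"not enough free resources")


def mbuf_pressure(netstat_m):
    """Parse `netstat -m` output; report denied requests and cluster use."""
    info = {"denied": None, "cluster_util": None}
    for line in netstat_m.splitlines():
        m = CLUSTERS_RE.match(line)
        if m:
            current, _cache, _total, maximum = map(int, m.groups())
            info["cluster_util"] = current / maximum if maximum else None
            continue
        m = DENIED_RE.match(line)
        if m:
            # (mbufs, clusters, mbuf+clusters) denied since boot
            info["denied"] = tuple(map(int, m.groups()))
    info["exhausted"] = bool(info["denied"]) and any(info["denied"])
    return info


def correlate_link_events(syslog_text, window_seconds=30):
    """Pair each named send error with the most recent link-state change.

    One dict per error.  cause is "link_flap" when a link event preceded
    the error within window_seconds, otherwise "no_link_event", which
    points at throughput or the NIC (as the thread eventually found).
    """
    last_link = None  # (timestamp, iface, state)
    findings = []
    for line in syslog_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(
            "%s %02d %s" % (m["mon"], int(m["day"]), m["time"]),
            "%b %d %H:%M:%S")
        link = LINK_RE.search(m["msg"])
        if link:
            last_link = (ts, link["iface"], link["state"])
            continue
        err = NAMED_ERR_RE.search(m["msg"])
        if not err:
            continue
        finding = {"time": m["time"], "client": err["client"],
                   "cause": "no_link_event", "iface": None, "delay": None}
        if last_link is not None:
            delay = (ts - last_link[0]).total_seconds()
            if 0 <= delay <= window_seconds:
                finding.update(cause="link_flap", iface=last_link[1],
                               delay=delay)
        findings.append(finding)
    return findings


# `netstat -m` output as posted in the thread (FreeBSD 6.3, em1 at 10baseT).
NETSTAT_M_SAMPLE = """\
1240/2165/3405 mbufs in use (current/cache/total)
1216/1290/2506/25600 mbuf clusters in use (current/cache/total/max)
1216/150 mbuf+clusters out of packet secondary zone in use (current/cache)
0/0/0 requests for mbufs denied (mbufs/clusters/mbuf+clusters)
0/0/0 requests for jumbo clusters denied (4k/9k/16k)
"""

# Constructed syslog excerpt (documentation addresses).  The first error
# sits inside a link flap; the second has no link event anywhere near it.
SYSLOG_SAMPLE = """\
Jun  2 14:03:11 eureka kernel: em1: link state changed to DOWN
Jun  2 14:03:12 eureka named[69750]: client 192.0.2.10#53123: error sending response: not enough free resources
Jun  2 14:03:14 eureka kernel: em1: link state changed to UP
Jun  2 15:20:40 eureka named[69750]: client 192.0.2.11#4011: error sending response: not enough free resources
"""

if __name__ == "__main__":
    print(mbuf_pressure(NETSTAT_M_SAMPLE))
    for finding in correlate_link_events(SYSLOG_SAMPLE):
        print(finding)
```

On the posted counters the script reports no denied requests and under 5% cluster use, which is the basis for "you are fine with mbufs"; errors with no nearby link event are the ones to weigh against the interface's throughput.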




Re: named: error sending response: not enough free resources

2009-06-02 Thread Wojciech Puchar
lot of searching and have found others with similar problems, but no 
solutions.


  named[69750]: client *ip removed*: error sending response: not
  enough free resources
  named[69750]: client *ip removed*: error sending response: not
  enough free resources
  named[69750]: client *ip removed*: error sending response: not
  enough free resources
  named[69750]: client *ip removed*: error sending response: not
  enough free resources
  named[69750]: client *ip removed*: error sending response: not
  enough free resources


quite misleading message, but the problem is that named wants to send a UDP 
packet and gets an error from the kernel.



possible reasons
- your firewall rules are the cause - check it.
- your network card produces problems (REALLY, I have that case)
- the network/LAN named tries to send the UDP packet on is somehow flooded.

I experienced all 3 cases. The last is of course the easiest to detect.



Other messages on this subject suggest a shortage of mbufs or an issue with


no, you are fine with mbufs, memory etc..


Re: named: error sending response: not enough free resources

2009-06-02 Thread Chris St Denis

Wojciech Puchar wrote:
lot of searching and have found others with similar problems, but no 
solutions.


  named[69750]: client *ip removed*: error sending response: not
  enough free resources
  named[69750]: client *ip removed*: error sending response: not
  enough free resources
  named[69750]: client *ip removed*: error sending response: not
  enough free resources
  named[69750]: client *ip removed*: error sending response: not
  enough free resources
  named[69750]: client *ip removed*: error sending response: not
  enough free resources


quite misleading message, but the problem is that named wants to send 
a UDP packet and gets an error from the kernel.



possible reasons
- your firewall rules are the cause - check it.


   Nope

   eureka# ipfw list
   00100 allow ip from any to any via lo0
   00200 deny ip from any to 127.0.0.0/8
   00300 deny ip from 127.0.0.0/8 to any
   65534 allow ip from any to any
   65535 deny ip from any to any


- your network card produces problems (REALLY, I have that case)


   I have had this kind of error on multiple servers over the years, so
   i don't think it's a hardware problem.


- the network/LAN named tries to send the UDP packet on is somehow flooded.


   Dns is probably fairly busy. It's the primary authoritative dns for
   some busy domains. Is there a setting I can do to increase the
   limits of UDP packets to keep it from causing problems?

   The server is approaching its 10 Mbps interface speed during peak
   hours, I may need to upgrade it to 100 Mbps.



I experienced all 3 cases. The last is of course the easiest to detect.



Other messages on this subject suggest a shortage of mbufs or an 
issue with


no, you are fine with mbufs, memory etc..



--
Chris St Denis
Programmer
SmarttNet (www.smartt.com)
Ph: 604-473-9700 Ext. 200
---
Smart Internet Solutions For Businesses 




Re: named: error sending response: not enough free resources

2009-06-02 Thread Steve Bertrand
Chris St Denis wrote:
 Wojciech Puchar wrote:

 possible reasons
 - your firewall rules are the cause - check it.
 
Nope
 
eureka# ipfw list
 
 - your network card produces problems (REALLY, I have that case)
 
I have had this kind of error on multiple servers over the years, so
i don't think it's a hardware problem.
 
 - the network/LAN named tries to send the UDP packet on is somehow flooded.
 
Dns is probably fairly busy. It's the primary authoritative dns for
some busy domains. Is there a setting I can do to increase the
limits of UDP packets to keep it from causing problems?
 
The server is approaching its 10 Mbps interface speed during peak
hours, I may need to upgrade it to 100 Mbps.

The 10Mb ceiling (provided by your ifconfig output) could be a damper on
this.

What type of device is em1 attached to? Is it a switch or a hub? Is it
possible to upgrade this? You should upgrade it to 100 (or 1000)
anyways. Does this device show any collisions?

Can you do the following for a few minutes (until at least the problem
is triggered):

# tcpdump -n -i em1 proto 17 port 53 -s -w /var/log/dns.pcap

...and then:

# mail -s "tcpdump output" st...@ipv6canada.com < /var/log/dns.pcap

Is this server a caching recursive server for internal clients, or an
authoritative server?

What else runs on this box?

If you generate further network traffic over the interface, do the log
entries pile up faster?

What does:

# netstat -s -p udp

say?

I'd focus squarely on the 10Mbps cap first. That should be easy to test
and eliminate. Then, once that is rectified, we can find out whether
it's an inherent problem with the system.

Steve



