Re: How to connect a jail to the web ?

2010-08-11 Thread Thomas Wahyudi

On 11/08/2010 9:09, Randal L. Schwartz wrote:

fbsd8 man 8 ifconfig
Yup, and using that, I can give a private 10.x address to my jail.

How do I get it to face the public without a firewall rule?

   
You need natd and a firewall divert rule on the jail host. Everything that 
involves the outside of the jail must be configured at the jail host level.



--
Thanks & Regards,

Thomas Wahyudi

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


zfs data on disk

2010-08-11 Thread Dick Hoogendijk
Where does ZFS keep its data *on disk* for created/exported/imported 
vdevs?

Is /etc/zfs the only place or are there other places?
Thanks.


trouble building FreeBSD 8.1 amd64 kernel with pfsync support

2010-08-11 Thread Cameron Simpson
I'm trying to build a kernel for a pair of firewalls which will be using
CARP and pfsync for redundancy. Since I'm new to FreeBSD the config is
based on the GENERIC config, thus:

  include GENERIC
  ident NEW_FIREWALL
  device carp
  ##device pfsync

and issuing the build like this:

  # cd /usr/src
  # time make buildkernel KERNCONF=NEW_FIREWALL && echo YES

With the config above (CARP but no pfsync) it builds just fine
and boots and runs happily; I've got CARP configured.

If I uncomment the device pfsync the build aborts at link time ending thus:

  MAKE=make sh /usr/src/sys/conf/newvers.sh NEW_FIREWALL cc -c -O2 
-frename-registers -pipe -fno-strict-aliasing  -std=c99 -g -Wall 
-Wredundant-decls -Wnested-externs -Wstrict-prototypes -Wmissing-prototypes 
-Wpointer-arith -Winline -Wcast-qual  -Wundef -Wno-pointer-sign 
-fformat-extensions -nostdinc  -I. -I/usr/src/sys -I/usr/src/sys/contrib/altq 
-D_KERNEL -DHAVE_KERNEL_OPTION_HEADERS -include opt_global.h -fno-common 
-finline-limit=8000 --param inline-unit-growth=100 --param 
large-function-growth=1000 -fno-omit-frame-pointer -mcmodel=kernel 
-mno-red-zone  -mfpmath=387 -mno-sse -mno-sse2 -mno-sse3 -mno-mmx -mno-3dnow  
-msoft-float -fno-asynchronous-unwind-tables -ffreestanding -fstack-protector 
-Werror  vers.c
  linking kernel.debug
  in_proto.o(.data+0x698): undefined reference to `pfsync_input'
  *** Error code 1

  Stop in /usr/obj/usr/src/sys/NEW_FIREWALL.
  *** Error code 1

  Stop in /usr/src.
  *** Error code 1

  Stop in /usr/src.

  real    11m33.795s
  user    7m19.405s
  sys     0m40.068s

Am I doing something obviously wrong here?

Cheers,
-- 
Cameron Simpson c...@zip.com.au DoD#743
http://www.cskk.ezoshosting.com/cs/

Once a Junior Programmer interrupted a Great Guru of the Sun to ask a
Question of no importance. The Great Guru replied in words which the Junior
Programmer did not understand. The Junior Programmer sought to rephrase the
Question, saying, Stop me if I appear stupid. The great Guru, without
speaking, reached over and pressed L1-A.
The Junior Programmer achieved Enlightenment.   - Jon Green


Re: How to connect a jail to the web ?

2010-08-11 Thread Matthew Seaman
On 11/08/2010 01:55, Randal L. Schwartz wrote:
 Fbsd8 == Fbsd8  fb...@a1poweruser.com writes:
 
 Fbsd8 2. Using the hosts firewall to drive traffic to a jail is a sign
 Fbsd8 you have your jail incorrectly configured or do not understand
 Fbsd8 how jails are intended to work.
 
 OK, I'll bite.  I thought this was the only way to do this.  Can you
 elaborate?  I'll even accept URL pointers to go read. :)
 

Fbsd8's contention is ... contentious.  Giving your jail an IP on the
loopback i/f, and then using NAT to redirect traffic for certain
selected ports lets you run services in the jail that need to bind to
some network address but that you never want exposed to the Internet.
Remember, unless you're using VIMAGE, jails don't have a loopback i/f of
their own.  VIMAGE is cool, but as it's still incompatible with various
other kernel bits, I don't think it's quite ready for primetime yet.

Yes, you can achieve the same effect using firewall rules, but as I have
occasionally said before, firewalls should be optional -- ideally your
system should be secure even if you turn the firewall off.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
JID: matt...@infracaninophile.co.uk   Kent, CT11 9PW





Re: trouble building FreeBSD 8.1 amd64 kernel with pfsync support

2010-08-11 Thread Rob Farmer
On Wed, Aug 11, 2010 at 12:20 AM, Cameron Simpson c...@zip.com.au wrote:
 I'm trying to build a kernel for a pair of firewalls which will be using
 CARP and pfsync for redundancy. Since I'm new to FreeBSD the config is
 based on the GENERIC config, thus:

  include GENERIC
  ident NEW_FIREWALL
  device carp
  ##device pfsync

 and issuing the build like this:

  # cd /usr/src
  # time make buildkernel KERNCONF=NEW_FIREWALL && echo YES

 With the config above (CARP but no pfsync) it builds just fine
 and boots and runs happily; I've got CARP configured.

 If I uncomment the device pfsync the build aborts at link time ending thus:

Do you also have a device pf line? I think that is a prereq for
pfsync. You may also need device pflog - I'm not sure because I've
always just added them all.

-- 
Rob Farmer


  MAKE=make sh /usr/src/sys/conf/newvers.sh NEW_FIREWALL cc -c -O2 
 -frename-registers -pipe -fno-strict-aliasing  -std=c99 -g -Wall 
 -Wredundant-decls -Wnested-externs -Wstrict-prototypes -Wmissing-prototypes 
 -Wpointer-arith -Winline -Wcast-qual  -Wundef -Wno-pointer-sign 
 -fformat-extensions -nostdinc  -I. -I/usr/src/sys -I/usr/src/sys/contrib/altq 
 -D_KERNEL -DHAVE_KERNEL_OPTION_HEADERS -include opt_global.h -fno-common 
 -finline-limit=8000 --param inline-unit-growth=100 --param 
 large-function-growth=1000 -fno-omit-frame-pointer -mcmodel=kernel 
 -mno-red-zone  -mfpmath=387 -mno-sse -mno-sse2 -mno-sse3 -mno-mmx -mno-3dnow  
 -msoft-float -fno-asynchronous-unwind-tables -ffreestanding -fstack-protector 
 -Werror  vers.c
  linking kernel.debug
  in_proto.o(.data+0x698): undefined reference to `pfsync_input'
  *** Error code 1

  Stop in /usr/obj/usr/src/sys/NEW_FIREWALL.
  *** Error code 1

  Stop in /usr/src.
  *** Error code 1

  Stop in /usr/src.

  real    11m33.795s
  user    7m19.405s
  sys     0m40.068s

 Am I doing something obviously wrong here?

 Cheers,
 --
 Cameron Simpson c...@zip.com.au DoD#743
 http://www.cskk.ezoshosting.com/cs/

 Once a Junior Programmer interrupted a Great Guru of the Sun to ask a
 Question of no importance. The Great Guru replied in words which the Junior
 Programmer did not understand. The Junior Programmer sought to rephrase the
 Question, saying, Stop me if I appear stupid. The great Guru, without
 speaking, reached over and pressed L1-A.
 The Junior Programmer achieved Enlightenment.   - Jon Green


Re: How to connect a jail to the web ?

2010-08-11 Thread Fbsd8

Randal L. Schwartz wrote:

Fbsd8 == Fbsd8  fb...@a1poweruser.com writes:


Fbsd8 No. Your jail is assigned its ip address when you create it. The
Fbsd8 alias gives the jail network access when you start the jail. Both
Fbsd8 ip addresses must match.

Yup, and if that's a 10.x address, I'm not on the net.  So I have to
route to it somehow.

Fbsd8 Just assign the jail your public ip address when you create it.

I was under the impression that the address had to be distinct, in order
to uniquely identify it.  Are you saying that's not the case?  If so,
the docs on jails are unclear.

Fbsd8 face the public is a very large subject, which the answer depends on 
your
Fbsd8 hardware configuration, registered domain names and static ip
Fbsd8 addresses.

Yes, I'm hoping not to burn a second or third public address for my
jail.  Instead, I just want my jail to have a punch through (port 80,
port 25, etc) from my one public address.  Is there a trick to this
without burning another public address?  Or do I misunderstand (based on
poor docs) how a jail attaches itself to an interface?

Fbsd8 Using jails requires the host system administrator to be well
Fbsd8 trained in networks and how public and private networks
Fbsd8 function. Jail documentation is not going to teach you this.

Now you're just being condescending.  It's fairly likely, almost
certain, that I've been dealing with IP traffic since before you could
type.

What I'm asking for is the specifics of Jails.  I *know* how IP traffic
works, and even what alias does.  What I don't know is FreeBSD's
particulars that make this either hard or easy.  I *do* know about pf,
having administered an OpenBSD box for a number of years.  I'm just new
to jails, and since you're the expert, you might have a little
patience on that realm, please.

The first thing to keep in mind is that jails were designed to be targeted by a 
unique public routable static ip address; in that configuration each 
jail can run any mixture of services.


Different jails on the gateway host using the same public routable 
static ip address can be targeted by service port number if that port 
number is not in use on the host or any other jail. This is implied 
usage, i.e. not specified in any control file.


Let's say the freebsd gateway host has a single static ip address and you 
want jails on the gateway host to receive unsolicited inbound traffic 
for web server (port 80) and mail server (port 25). Your domain name 
points to the single static ip address. Create 2 jails assigned to the 
single static ip address without the jail auto alias function enabled. 
No gateway host firewall rules to stop inbound traffic on those ports, 
or have those ports NATED, but should have stateful rules to let 
traffic pass. The gateway host can not have a web server using port 80 
or a mail server using port 25 or they will process the traffic before 
the jails see it. The only service running on the web server jail is 
apache listening on port 80 and the mail server jail (postfix) listening 
on port 25. In this configuration the web server can even service 
multiple domain name vhosts.


Now if the gateway host has a non-static ip address (dynamic ip address) 
such as those assigned by ISP's providing DSL or cable internet services 
your public ip address may change on you when the lease time expires or 
the system reboots causing your jails to lose their public internet 
access. Some domain name registrars have a function where you run a task on 
your gateway host to monitor your public IP address, and if it changes 
it submits to your domain name registrar an automatic request to change the 
ip address your domain name points to.


Another gotcha is some DSL or cable providers of public internet 
services have their network designed as a LAN and you do not have a real 
public routable ip address EVER. In this case your jails can only be 
used for services restricted to your own private LAN. The service 
provider is NATing your traffic at their front door. You are SOL.




Re: trouble building FreeBSD 8.1 amd64 kernel with pfsync support

2010-08-11 Thread Cameron Simpson
On 11Aug2010 01:36, Rob Farmer rfar...@predatorlabs.net wrote:
| On Wed, Aug 11, 2010 at 12:20 AM, Cameron Simpson c...@zip.com.au wrote:
|  I'm trying to build a kernel for a pair of firewalls which will be using
|  CARP and pfsync for redundancy. Since I'm new to FreeBSD the config is
|  based on the GENERIC config, thus:
| 
|   include GENERIC
|   ident NEW_FIREWALL
|   device carp
|   ##device pfsync
| 
|  and issuing the build like this:
| 
|   # cd /usr/src
|   # time make buildkernel KERNCONF=NEW_FIREWALL && echo YES
| 
|  With the config above (CARP but no pfsync) it builds just fine
|  and boots and runs happily; I've got CARP configured.
| 
|  If I uncomment the device pfsync the build aborts at link time ending thus:
| 
| Do you also have a device pf line? I think that is a prereq for
| pfsync. You may also need device pflog - I'm not sure because I've
| always just added them all.

Hmm. [greps GENERIC...] No, I don't. I figured that since pfctl was
working I was ok there, but I think it loads the module dynamically. I can see
that if pfsync needs a static build it may rely on pf and pflog being static
also. I'll try that now and report.

Thanks,
-- 
Cameron Simpson c...@zip.com.au DoD#743
http://www.cskk.ezoshosting.com/cs/

Trust the computer industry to shorten Year 2000 to Y2K. It was this
thinking that caused the problem in the first place.
- Mark Ovens ma...@uk.radan.com


Re: How to connect a jail to the web ?

2010-08-11 Thread Jonathan McKeown
On Wednesday 11 August 2010 03:07:32 Rocky Borg wrote:
 You should probably preface this by saying you're the author of Qjail
 and have been actively promoting it in a few places including the fbsd
 forums.

That's interesting, given that you're replying to Fbsd8 
fb...@a1poweruser.com. The announcement of qjail came from Aiza 
aiz...@comclark.com.

No reason why someone shouldn't use two email accounts, I guess; but I must 
admit I'd naively assumed fbsd8 was independently endorsing aiza's utility.


Re: trouble building FreeBSD 8.1 amd64 kernel with pfsync support

2010-08-11 Thread Cameron Simpson
On 11Aug2010 19:30, I wrote:
| On 11Aug2010 01:36, Rob Farmer rfar...@predatorlabs.net wrote:
| | On Wed, Aug 11, 2010 at 12:20 AM, Cameron Simpson c...@zip.com.au wrote:
| |  I'm trying to build a kernel for a pair of firewalls which will be using
| |  CARP and pfsync for redundancy. Since I'm new to FreeBSD the config is
| |  based on the GENERIC config, thus:
| |   include GENERIC
| |   ident NEW_FIREWALL
| |   device carp
| |   ##device pfsync
[...]
| |  If I uncomment the device pfsync the build aborts at link time ending thus:
| | 
| | Do you also have a device pf line? I think that is a prereq for
| | pfsync. You may also need device pflog - I'm not sure because I've
| | always just added them all.
| 
| Hmm. [greps GENERIC...] No, I don't. I figured that since pfctl was
| working I was ok there, but I think it loads the module dynamically. I can see
| that if pfsync needs a static build it may rely on pf and pflog being static
| also. I'll try that now and report.

Victory! Thanks!

I'm a little surprised that the error I got:

  in_proto.o(.data+0x698): undefined reference to `pfsync_input'   

seemed to be a complaint about pfsync rather than missing pf stuff.

Cheers,
-- 
Cameron Simpson c...@zip.com.au DoD#743
http://www.cskk.ezoshosting.com/cs/

Tis better to have test ridden and lost, than to never have test ridden at all.


Re: chflags(1) unaware utilities

2010-08-11 Thread Alexander Best
On Tue Aug 10 10, ill...@gmail.com wrote:
 On 9 August 2010 14:00, Alexander Best arun...@freebsd.org wrote:
  hi there,
 
  chflags(1) mentions that a few utilities including pax(1) aren't chflags 
  aware yet. is there a list of all those utilities available somewhere?
  also: i don't quite understand why this is in the BUGS section of 
  chflags(1) and not in the pax(1) manual itself [1]. this doesn't seem very 
  logical, since the bug doesn't exist in chflags, but in pax not supporting 
  chflags.
  so if someone decides to use pax and wants to know if there are any problem 
  with it, there's no way for the average user to stumble upon the fact that 
  chflags isn't supported in pax.
 
  in fact the pax(1) manual states that `pax -p e` will preserve 
  everything. this is plain wrong!
 
  cheers.
  alex
 
  [1] http://www.freebsd.org/cgi/query-pr.cgi?pr=docs/135516
 
 
 AFAIK, pax is a POSIX thing, and as such working
 correctly or sanely would violate its posix nature.
 (POSIX is an anagram of Pox?  Si!)

POSIX specs issue 7 state that `pax -p e` should:

Preserve the user ID, group ID, file mode bits (see XBD File Mode Bits ), 
access time, modification time, and any other implementation-defined file 
characteristics.

don't chflags fall under other implementation-defined file characteristics?

 
 Is cpio chflags-aware?

hmm...no idea. sorry.

 
 -- 
 --

-- 
a13x


Skype

2010-08-11 Thread Alex Huth
Hello?

Is anyone using skype on freebsd 8 and can tell me how to do the setup?
Seem to be that there is no port and on the website i find no package
for freebsd.

THX

Alex


Re: Skype

2010-08-11 Thread RW
On Wed, 11 Aug 2010 14:40:06 +0200
Alex Huth a.h...@tmr.net wrote:

 Hello?
 
 Is anyone using skype on freebsd 8 and can tell me how to do the
 setup? Seem to be that there is no port 


cd /usr/ports && make search name=skype


Re: How to connect a jail to the web ?

2010-08-11 Thread Randal L. Schwartz
 Matthew == Matthew Seaman m.sea...@infracaninophile.co.uk writes:

Matthew Yes, you can achieve the same effect using firewall rules, but
Matthew as I have occasionally said before, firewalls should be
Matthew optional -- ideally your system should be secure even if you
Matthew turn the firewall off.

Well, I already have pf fired up to deal with web and ssh rate limiting,
so firing up a natd seems a bit redundant.

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
mer...@stonehenge.com URL:http://www.stonehenge.com/merlyn/
Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc.
See http://methodsandmessages.vox.com/ for Smalltalk and Seaside discussion


Re: How to connect a jail to the web ?

2010-08-11 Thread Randal L. Schwartz
 Thomas == Thomas Wahyudi tho...@sanbe-farma.com writes:

Thomas On 11/08/2010 9:09, Randal L. Schwartz wrote:
fbsd8 man 8 ifconfig
 Yup, and using that, I can give a private 10.x address to my jail.
 
 How do I get it to face the public without a firewall rule?
 
 
Thomas you need natd and firewall divert rule on jail host. Everything that 
involve
Thomas outside jail need must be configure at jail host level.

Exactly as I suspected.  Thanks for confirming it.  I was just wondering
if fbsd8 was blowing smoke, and apparently, yes.

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
mer...@stonehenge.com URL:http://www.stonehenge.com/merlyn/
Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc.
See http://methodsandmessages.vox.com/ for Smalltalk and Seaside discussion


Re: Skype

2010-08-11 Thread claudiu vasadi
Hi Alex,

In that case you can make maintainer and write an e-mail to that person.
Of course, you can even lend a hand or take-over the port maintenance if the
current maintainer has no time for it. Contributors are always welcomed.

Another option would be to get the source from the skype website, compile
and run it.


Re: How to connect a jail to the web ?

2010-08-11 Thread Matthew Seaman
On 11/08/2010 14:29, Randal L. Schwartz wrote:
 Matthew == Matthew Seaman m.sea...@infracaninophile.co.uk writes:
 
 Matthew Yes, you can achieve the same effect using firewall rules, but
 Matthew as I have occasionally said before, firewalls should be
 Matthew optional -- ideally your system should be secure even if you
 Matthew turn the firewall off.
 
 Well, I already have pf fired up to deal with web and ssh rate limiting,
 so firing up a natd seems a bit redundant.
 

I meant that you could block access to private servers which need to
listen on public network ports by just using firewall rules, as opposed
to making the whole jail hang off a private interface and just
forwarding selected traffic to it.

For the second case, you would need pf to do the NAT'ing (or ipfw+natd
if that's your preference).  With this trick of binding the sensitive
daemons to an address on the loopback, you are still secure even if pf
gets turned off.  Of course, secure is not necessarily the same as
working.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
JID: matt...@infracaninophile.co.uk   Kent, CT11 9PW





Re: How to connect a jail to the web ?

2010-08-11 Thread David Allen
 I meant that you could block access to private servers which need to
 listen on public network ports by just using firewall rules, as opposed
 to making the whole jail hang off a private interface and just
 forwarding selected traffic to it.

 For the second case, you would need pf to do the NAT'ing (or ipfw+natd
 if that's your preference).  With this trick of binding the sensitive
 daemons to an address on the loopback, you are still secure even if pf
 gets turned off.  Of course, secure is not necessarily the same as
 working.

I've read comments in the past about setting up jails using local
loopback addresses, but I'm wondering if you wouldn't mind elaborating
on what the actual pf rules would look like.

Say you have 3 jails and more than one public IP address:

  ns    127.0.0.2   public_ip_1
  mail  127.0.0.3   public_ip_2
  www   127.0.0.4   public_ip_3

You want to pass port 25 traffic to/from the 'mail' jail.  But you also
need that jail to use the correct public_ip address.  Is that possible
without using, for example, pf's binat?

Thanks.
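
Added example, not part of any message in this thread: a pf.conf sketch of the loopback-jail arrangement discussed above, using one nat and one rdr rule per jail rather than binat. It assumes the pre-4.7 pf syntax shipped with FreeBSD 8; the interface name em0 and the address 192.0.2.25 (a documentation-range stand-in for public_ip_2) are placeholders.

```conf
# /etc/pf.conf sketch for the 'mail' jail (127.0.0.3) from the table above.
# Assumptions, not taken from the thread:
#   - em0 is the external interface
#   - 192.0.2.25 stands in for public_ip_2 and is configured as an
#     address (alias) on em0
#   - 127.0.0.3 is configured as an alias on lo0 and is the jail's only IP
ext_if    = "em0"
mail_pub  = "192.0.2.25"
mail_jail = "127.0.0.3"

# --- translation rules (must come before filter rules) ---

# Outbound: connections opened from inside the jail leave the host with
# the jail's own public address as source instead of 127.0.0.3.
nat on $ext_if inet from $mail_jail to any -> $mail_pub

# Inbound: only SMTP addressed to that public address is handed to the
# jail. Every other port on 127.0.0.3 stays unreachable from outside.
rdr on $ext_if inet proto tcp from any to $mail_pub port 25 \
    -> $mail_jail port 25

# --- filter rules ---
# In this pf version filtering sees packets after translation, so the
# inbound rule matches the jail address and the outbound rule matches
# the public address.
block in on $ext_if all
pass in  on $ext_if inet proto tcp from any to $mail_jail port 25 \
    flags S/SA keep state
pass out on $ext_if inet from $mail_pub to any keep state

# The host's own services (ssh and so on) need their own pass rules here.
# The 'ns' and 'www' jails follow the same pattern: one nat rule, one rdr
# rule per exposed port, and matching pass rules, each with its own
# public address.
```

With pf disabled neither translation rule applies, so nothing outside the host can reach a daemon bound to 127.0.0.3, which is the property described in the reply quoted above.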


Re: Bind9.7.1 Package

2010-08-11 Thread Martin McCormick
Matthew Seaman writes:
# pkg_create -b pkg-config-0.23_1
 
 pkg-config is an indirect dependency for bind -- it's required by
 security/openssl and textproc/libxml2 either of which bind are optional
 dependencies for dns/bind97.

Thank you. This put me on the right track. When I used
the full name of the dependency, the command did not work with
the complaint that it could not find the package so I did a
pkg_info and looked for any reference to pkg-config. It turns
out that if one chops off the _1 at the end, it did recover
another package as in
pkg-config-0.23.tbz which appeared in /usr/ports/dns/bind97. I
copied it to the same directory as the other tar balls so
pkg_add should find it also now.

Martin


Re: Spontaneous Reboots with Virtualbox Kernel Modules

2010-08-11 Thread Dan Nelson
In the last episode (Aug 10), Chris Maness said:
 On Tue, Aug 10, 2010 at 4:08 PM, Roland Smith rsm...@xs4all.nl wrote:
  On Tue, Aug 10, 2010 at 03:38:03PM -0700, Chris Maness wrote:
  I have had two spontaneous reboots since I have began using virtualbox. 
  I have never had the issue before.   I just upgraded to 8.1 yesterday,
  so I will see if it happens again.
 
  Has anyone else had crashes/reboots running these modules?
 
  Yes, I've experiencing several on 8.0-RELEASE amd64. Since I was mostly
  using it to play with other OSs, I de-installed virtualbox and haven't
  tried it since.
 
 Has this behavior already been documented anywhere?

I run 3 VirtualBox vms at home on an 8.1-stable host and haven't had it
panic or reboot on me.

-- 
Dan Nelson
dnel...@allantgroup.com


Re: zfs data on disk

2010-08-11 Thread Dan Nelson
In the last episode (Aug 11), Dick Hoogendijk said:
 Where does ZFS keeps its data *on disk* for created/exported/imported
 vdevs?
 Is /etc/zfs the only place or are there other places?
 Thanks.

I don't think there's anything in /etc/zfs apart from the NFS exports file. 
The list of currently-mounted pools and their devices is stored in
/boot/zfs/zpool.cache , and I believe is only used during bootup.  vdev
information itself is stored in the zpool labels; you can view that with
zdb -l /dev/nnn, where nnn is one of the devices your zpool is built on. 
More info than you probably want:

http://hub.opensolaris.org/bin/download/Community+Group+zfs/docs/ondiskformat0822.pdf

-- 
Dan Nelson
dnel...@allantgroup.com


Re: Spontaneous Reboots with Virtualbox Kernel Modules

2010-08-11 Thread Chris Maness
On Wed, Aug 11, 2010 at 7:22 AM, Dan Nelson dnel...@allantgroup.com wrote:
 In the last episode (Aug 10), Chris Maness said:
 On Tue, Aug 10, 2010 at 4:08 PM, Roland Smith rsm...@xs4all.nl wrote:
  On Tue, Aug 10, 2010 at 03:38:03PM -0700, Chris Maness wrote:
  I have had two spontaneous reboots since I have began using virtualbox.
  I have never had the issue before.   I just upgraded to 8.1 yesterday,
  so I will see if it happens again.
 
  Has anyone else had crashes/reboots running these modules?
 
  Yes, I've experiencing several on 8.0-RELEASE amd64. Since I was mostly
  using it to play with other OSs, I de-installed virtualbox and haven't
  tried it since.

 Has this behavior already been documented anywhere?

 I run 3 VirtualBox vms at home on an 8.1-stable host and haven't had it
 panic or reboot on me.

 --
        Dan Nelson
        dnel...@allantgroup.com

Were you running it on 8.0?  I am wondering if the issue was fixed in
8.1.  I have commented out the modules for now.  I am a little nervous
about file system corruption from hard crash/reboots.

I can set up a jail for my FreeBSD sandbox.  However, my server is the
only viable i386 environment that I have to play with other OS's like
Linux, so I would like to still use vbox if I can be confident it is
stable because this server is a production machine.  All my other
boxes are Apple machines.

Regards,
Chris Maness


Re: Spontaneous Reboots with Virtualbox Kernel Modules

2010-08-11 Thread Adam Vande More
On Wed, Aug 11, 2010 at 9:52 AM, Chris Maness ch...@chrismaness.com wrote:

 Were you running it on 8.0?  I am wondering if the issue was fixed in
 8.1.  I have commented out the modules for now.  I am a little nervous
 about file system corruption from hard crash/reboots.

 I can set up a jail for my FreeBSD sandbox.  However, my server is the
 only viable i386 environment that I have to play with other OS's like
 Linux, so I would like to still use vbox if I can be confident it is
 stable because this server is a production machine.  All my other
 boxes are Apple machines.


I have not had that issue on either 8.0 or 8.1.  I used to get some hard
locks on vbox <= 3.2.4, but haven't seen any issues on 3.2.6.

-- 
Adam Vande More


Re: Spontaneous Reboots with Virtualbox Kernel Modules

2010-08-11 Thread Chris Maness
On Wed, Aug 11, 2010 at 7:58 AM, Adam Vande More amvandem...@gmail.com wrote:
 On Wed, Aug 11, 2010 at 9:52 AM, Chris Maness ch...@chrismaness.com wrote:

 Were you running it on 8.0?  I am wondering if the issue was fixed in
 8.1.  I have commented out the modules for now.  I am a little nervous
 about file system corruption from hard crash/reboots.

 I can set up a jail for my FreeBSD sandbox.  However, my server is the
 only viable i386 environment that I have to play with other OS's like
 Linux, so I would like to still use vbox if I can be confident it is
 stable because this server is a production machine.  All my other
 boxes are Apple machines.

 I have not had that issue on either 8.0 or 8.1.  I used to get some hard
 locks on vbox <= 3.2.4, but haven't seen any issues on 3.2.6.

 --
 Adam Vande More


I am running 3.2.6 and it was crashing.

Regards,
Chris Maness


Re: Spontaneous Reboots with Virtualbox Kernel Modules

2010-08-11 Thread Adam Vande More
On Wed, Aug 11, 2010 at 10:22 AM, Chris Maness ch...@chrismaness.com wrote:

 I am running 3.2.6 and it was crashing.


On the <= 3.2.4 stuff, the only time it crashed was with multiple cpu vm's.
Doesn't happen any longer and my systems are up for months running vm's.
I'd try to find the root cause of your issue; some things to check:

Are sources vs installed kernel/world in sync?  If not, fix and rebuild.
Is this from a clean install?  If not, you may have dependency issues.
Finding these can be difficult; save yourself the headache and follow the
instructions on the portmaster man page for a complete system rebuild. This
will take a while.
Review and follow instructions on freebsd vbox wiki.


-- 
Adam Vande More


Re : How to connect a jail to the web ?

2010-08-11 Thread Brice ERRANDONEA
I tried all of this without any result. But I won't give up.

What I want is a jail with an Apache http server running inside. So, the jail 
must have a public IPv4 and access to the web.

What I'd understood of the jails' role (but I must have misunderstood) is that 
it will have a different public ip than the host, so that if a pirate manages to 
crack the server, he will only have access to the jail (the real public ip of 
the host remaining secret). Then I'm surprised to learn that such traffic will 
be routed through the host.

The jail is created. The next step now is to install the ports collection
inside with portsnap fetch. But each time I try to run this command inside
the jail (with jexec), I get the same answer :

Looking up portsnap.FreeBSD.org mirrors... none found.
Fetching public key from portsnap.FreeBSD.org... failed.
No mirrors remaining, giving up.

This makes me think my jail is not connected to the web. To check this, I tried
to ping various known websites. When I tried domain names, like ping
www.freebsd.org, this error message appears :

ping: cannot resolve www.freebsd.org : Host name lookup failure

So, I can't contact DNS servers able to translate www.freebsd.org to its ip. 
Since I know this ip, I tried : ping 69.147.83.33. This time, the error 
message is :

ping: socket: Operation not permitted

From this, I concluded my jail was not connected to the web. Meanwhile, I've 
understood that, anyway, the ping command is forbidden inside a jail. But the 
portsnap fetch one is not.

It seems that the local ip given to the jail has to be an alias of an existing
one. I'm not on a local network so I only have 2 real network interfaces : rl0
(192.168.1.38) and the loopback lo0 (127.0.0.1).

192.168.1.38 is the host's ip so I use 127.0.0.1 for the jail. By the way, I 
wonder which one I will be able to choose if I ever have to create a second 
jail. And also how the computer knows which data is for the jail and which one 
is for the loopback.

I also added the line net.inet.ip.forwarding=1 to sysctl.conf (on the host). 
And here is the rc.conf of my jail :

devfs_system_ruleset=devfsrules_jail
network_interfaces=
sshd_enable=YES
sendmail_enable=NO
rpcbind_enable=NO

Despite the sshd_enable=YES line, I can't ssh from the host to the jail.
Well, I can... The first time I did it, I was asked if I wanted to add the
jail to the list of known hosts. I did it. No problem there. But, immediately
after that, instead of displaying login :, the system displayed passwd :.
And none of the passwords I had set with sysinstall (for the root and the
common user) were accepted. That's why I can only run commands inside the
jail running jexec. It's not that big a problem for the moment but one purpose
of the jail is also (I believe) to ssh into them from a distant computer
without accessing the host.

It was not clear after the various answers I received if I had to use a
firewall or not so I tried both ways.

Without the firewall, the rc.conf of my host is :

hostname=FreeBSD.ici
ifconfig_rl0=DHCP
keymap=fr.iso.acc   (yes, I'm French)
moused_enable=YES
saver=dragon
hald_enable=YES
dbus_enable=YES
devfs_system_ruleset=localrules

jail_enable=NO
jail_list=MaPrison
jail_interface=lo0    (I also tried rl0 here)
jail_devfs_ruleset=devfsrules_jail
jail_devfs_enable=YES

jail_server_rootdir=/usr/prison
jail_server_hostname=MaPrison
jail_server_ip=127.0.0.1

gateway_enable=YES
router_enable=YES

Since I've added this last line (router_enable=YES), I have to press Enter at 
the end of the bootup process to obtain the login :. Again, it's not a big 
problem but nonetheless a strange one.

With this configuration, portsnap fetch continues to give me the same error 
message I told before.

With the firewall (pf), now, the rc.conf of my host becomes :

hostname=FreeBSD.ici
ifconfig_rl0=DHCP
keymap=fr.iso.acc
moused_enable=YES
saver=dragon
hald_enable=YES
dbus_enable=YES
devfs_system_ruleset=localrules

jail_enable=NO
jail_list=MaPrison
jail_interface=lo0
jail_devfs_ruleset=devfsrules_jail
jail_devfs_enable=YES

jail_server_rootdir=/usr/prison
jail_server_hostname=MaPrison
jail_server_ip=127.0.0.1

gateway_enable=YES
pf_enable=YES
pf_rules=/etc/pf.conf
pflog_enable=YES
pflog_logfile=/var/log/pflog

And here's the /etc/pf.conf :

ext_if=rl0
int_if=rl0

Same result for portsnap fetch.


A lot of questions, isn't it. I guess I must have made a lot of mistakes. But I 
can't believe I'm the first one who tries to install a web server in a jail. 
This must be a well known process.

Thanks to those who helped me and to those who will !

Good evening

Brice





From: Roland Smith rsm...@xs4all.nl
To: Brice ERRANDONEA berrando...@yahoo.fr
Sent: Wed 11 August 2010, 13:23:34
Subject: Re: Re : Re : How to connect a jail to the web ?

On Wed, Aug 11, 2010 at 11:07:59AM +, Brice ERRANDONEA wrote:

  OK, I'll try this. And, as you suggested, I switch my jail's IP to

Re: Spontaneous Reboots with Virtualbox Kernel Modules

2010-08-11 Thread Chris Maness
On Wed, Aug 11, 2010 at 8:31 AM, Adam Vande More amvandem...@gmail.com wrote:
 On Wed, Aug 11, 2010 at 10:22 AM, Chris Maness ch...@chrismaness.com
 wrote:

 I am running 3.2.6 and it was crashing.

 On the = 3.2.4 stuff, only time it crashed was with multiple cpu vm's.
 Doesn't happen any longer and my systems are up for months running vm's.
 I'd try to find the root cause of your issue, some things to check:

 are sources vs installed kernel/world in sync?

This is the case with the second crash, but I have since upgraded to 8.1.

 Is this from a clean install?  if not, you may have dependency issues.

A clean install of the OS?  I am not 100% sure of what you mean here.

 Finding these can be difficult, save yourself the headache and follow the
 instructions on the portmaster man page for a complete system rebuild, this
 will take awhile.

I have rebuilt and fixed dependency issues.  It took me a while to
clean up the issues so that vbox would even build.  I had some stale
includes that were not removed by their scripts.  After removing by
hand, I was able to rebuild all of these old dependencies and fixed
other issues on my server.  It is amazing how one little file can
cause so much grief.

Thanks,
Chris Maness

 Review and follow instructions on freebsd vbox wiki.


 --
 Adam Vande More



UPS question

2010-08-11 Thread Ryan Coleman
I know that APC's website states this load on this unit results in this runtime.

However I do not trust these figures, typically, when coming from smaller 
manufacturers than APC.

I am looking at a 1400VA / 980W UPS to run a single server with a usually not 
on monitor, a DSL modem and a simple switch. The server should generate about 
330W in power consumption, the monitor another 50-100, the modem about 10 and 
the switch about another 10 watts.

So:
UPS: 1400VA

Server: 400W (liberal estimate)
Modem: 10W
Switch: 10W
Monitor: 75W

Total: 495W

According to a calculator if I enter all that information:
http://www.csgnetwork.com/upssizecalc.html
It says that it will use 693VA.

Enter that into http://www.csgnetwork.com/batterylifecalc.html
It requires Amps... 495W  / 120 voltage = 4.125 amps... doesn't seem right 
but...
192 hours... that's not right, right?

--
Ryan


Re: UPS question

2010-08-11 Thread Chuck Swiger
Hi, Ryan--

On Aug 11, 2010, at 8:51 AM, Ryan Coleman wrote:
 Total: 495W
 
 According to a calculator if I enter all that information:
 http://www.csgnetwork.com/upssizecalc.html
 It says that it will use 693VA.

That sounds reasonable.  The better PSUs have 80 Plus certification for 
efficiency, and that's better than the typical wall warts used for modems and 
switches and the like commonly manage.  (The efficiency they're assuming is a 
bit over 70%; using 80% would be around 600VA.)

 Enter that into http://www.csgnetwork.com/batterylifecalc.html
 It requires Amps... 495W  / 120 voltage = 4.125 amps... doesn't seem right 
 but...
 192 hours... that's not right, right?

Assume for discussion their number was right.  In order to get 495W of output 
load, the UPS needs to provide 693 volt-amps of juice to your equipment.  After 
the inverter and 10:1 stepup transformer used to convert 12VDC or whatever the 
UPS batteries are charged to up to 120VAC, the current needed would be 5.77 
amps.  However, the 12VDC battery source itself would be getting a draw of 57 
amps (ideally; again, the inverter+transformer themselves might only rate about 
90% efficiency for very good quality UPS, so would be drawing more like 60 or 
65 amps).

A standard APC/Tripplite/whatever 700VA UPS tends to have a lead-acid battery 
reasonably similar to a car battery, and typically will have around 100 
amp-hours of charge; they'd probably give you 90 minutes of backup time.  But 
you can look up the detailed specs of specific models and work from their 
amp-hour (or watt-hour) ratings-- actually, I think I'm guesstimating more from 
what a 1200VA unit might provide, and a 700VA model is probably going to 
provide more like 40-60 minutes of power...

Regards,
-- 
-Chuck



Re: Re : How to connect a jail to the web ?

2010-08-11 Thread Oliver Fromme
Brice ERRANDONEA berrando...@yahoo.fr wrote:
  I tried all of this without any result. But I won't give up.
  
  What I want is a jail with an Apache http server running inside.
  So, the jail must have a public IPv4 and access to the web.

Not necessarily.  Of course, the jail _can_ have a public
IP address.  This will make things easier.

But some people prefer to give their jails private addresses
or even aliases on lo0 (e.g. 127.0.0.2).  In order to access
such a jail from the outside, the host has to forward packets
from and to the private address.  This can be done with IPFW
fwd rules, for example.

  What I'd understood of the jails' role (but I must have
  misunderstood) is that it will have a different public ip than the
  host, so that if a pirate manages to crack the server, he will only
  have access to the jail (the real public ip of the host remaining
  secret).

Yes, it has advantages to give a jail its own IP address,
but it's not strictly necessary.  The IP address can be
shared with the host and with other IP addresses if you
prefer.

It's also possible to give the jail the host's IP address
during installation, so things like portsnap, pkg_add -r
and similar will run without trouble, and then switch the
jail to its final IP address.

  Then I'm surprised to learn that such traffic will be routed
  through the host.

Routing happens globally (unless you use VIMAGE and/or
multiple FIBs, but let's forget about these for now
because they make things even more complicated, and
you probably don't need them).  By default there is only
one routing table inside the kernel, through which all
packets go.  So, packets from your jails go through the
same routing table as packets from your host.

  The jail is created. The next step now is to install the ports
  collection inside with portsnap fetch. But each time I try to run
  this command inside the jail (with jexec), I get the same answer :
 
  Looking up portsnap.FreeBSD.org mirrors... none found.  Fetching
  public key from portsnap.FreeBSD.org... failed.  No mirrors
  remaining, giving up.
 
  This makes me think my jail is not connected to the web.

This has nothing to do with the web.  Maybe you confuse
web and internet or network?

Obviously your jail cannot do DNS lookups, i.e. it cannot
resolve host names.

  So, I can't contact DNS servers able to translate www.freebsd.org to
  its ip.  Since I know this ip, I tried : ping 69.147.83.33. This
  time, the error message is :
 
  ping: socket: Operation not permitted

ping(1) uses raw sockets in order to be able to send and
receive ICMP packets.  By default, raw sockets are disallowed
in jails.  To change that, use this command on the host:

sysctl security.jail.allow_raw_sockets=1

Add an entry to /etc/sysctl.conf so the setting will survive
reboots.

  It seems that the local ip given to the jail has to be an alias
  of an existing one.

No, it must simply be an existing address, i.e. it must be
configured on one of your interfaces (whether alias or not).

  I'm not on a local network so I only have 2
  real network interfaces : rl0 (192.168.1.38) and the loopback lo0
  (127.0.0.1).

So you can use one of those two addresses, or you can add
aliases (e.g. 192.168.1.39) and then use that one.

Of course you can only use addresses that you own and
that will work on your network.  If addresses are assigned
to you by an ISP or administrator, then you can only use
those.

  192.168.1.38 is the host's ip so I use 127.0.0.1 for the jail.

Well, localnet addresses are not routed.  If you give your
jail a localnet address, it won't be able to access the
network outside of the host.  (Unless you take measures
to rewrite/translate the addresses and forward them.)
That's why DNS and portsnap don't work.

I suggest using the address 192.168.1.38 for the jail,
at least during installation.  Make sure that the file
/etc/resolv.conf inside the jail is correct, so DNS will
work.  Copying it from the host should be sufficient.

By the way, you don't have to build ports inside the jail.
Of course you *can* do that, but there are other ways, too.
For example, you could build packages (apache etc.) on
the host, or in a different jail, or even on a different
machine, and then use pkg_add(8) inside your jail to
install them.

  By the way, I wonder which one I will be able to choose if I ever
  have to create a second jail.

Multiple jails can share the same address if required.

  And also how the computer knows which data is for the jail and which
  one is for the loopback.

Services (such as apache) listen on certain ports for
connections.  For example, the default port for the HTTP
protocol is 80.  So, when someone is trying to open a
connection to your IP address on port 80, your kernel
looks it up in its table of listening TCP sockets and
finds the apache process which is running inside the jail.
So the connection is handed to the jail.

(This is a bit oversimplifying, but basically that's how
it works.)

  I 
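
An added example (not part of the thread, and not FreeBSD's own tooling) that lints the jail settings discussed above: it reads rc.conf text, checks that every name in `jail_list` has the matching `jail_<name>_ip` and `jail_<name>_rootdir` variables described in rc.conf(5), and classifies each jail address as loopback, private or public. The sample rc.conf is constructed, modelled on the host settings quoted in the thread plus a hypothetical second jail `www`; the function names are this example's own.

```sh
#!/bin/sh
# Added example, not from the thread.

# Constructed rc.conf fragment modelled on the host settings quoted in
# the thread (quotes restored; the "www" jail is hypothetical).
SAMPLE_RC='jail_enable="YES"
jail_list="MaPrison www"
jail_server_rootdir="/usr/prison"
jail_server_hostname="MaPrison"
jail_server_ip="127.0.0.1"
jail_www_rootdir="/usr/jails/www"
jail_www_hostname="www.example.org"
jail_www_ip="192.168.1.39"'

# rc_get VAR: value of VAR in rc.conf text on stdin. rc.conf is sourced
# as shell, so the last assignment wins. Handles plain VAR=value and
# VAR="value" lines only (no trailing comments).
rc_get() {
    awk -v var="$1" '
        index($0, var "=") == 1 {
            val = substr($0, length(var) + 2)
            gsub(/^"|"[ \t]*$/, "", val)
            found = val
        }
        END { if (found != "") print found }
    '
}

# classify_addr IPV4: loopback, private (RFC 1918), public or invalid.
classify_addr() {
    case $1 in
        ''|*[!0-9.]*)                          echo invalid ;;
        127.*)                                 echo loopback ;;
        10.*|192.168.*)                        echo private ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) echo private ;;
        *)                                     echo public ;;
    esac
}

# check_jails: rc.conf text on stdin, one report line per jail named in
# jail_list. Returns non-zero if a jail is missing its variables or has
# an address that cannot reach the network without help from the host.
check_jails() {
    rc=$(cat)
    status=0
    for j in $(printf '%s\n' "$rc" | rc_get jail_list); do
        ip=$(printf '%s\n' "$rc" | rc_get "jail_${j}_ip")
        root=$(printf '%s\n' "$rc" | rc_get "jail_${j}_rootdir")
        if [ -z "$ip" ] || [ -z "$root" ]; then
            echo "$j: jail_${j}_ip or jail_${j}_rootdir not set"
            status=1
            continue
        fi
        case $(classify_addr "$ip") in
            loopback) echo "$j: $ip is loopback, not routed off the host; the host must translate and forward"
                      status=1 ;;
            private)  echo "$j: $ip is private (RFC 1918); fine on the LAN, needs NAT upstream for Internet access" ;;
            public)   echo "$j: $ip is public" ;;
            *)        echo "$j: $ip is not an IPv4 address"
                      status=1 ;;
        esac
    done
    return $status
}

printf '%s\n' "$SAMPLE_RC" | check_jails || echo "fix the jails flagged above"
```
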

Re: ssh under attack - sessions in accepted state hogging CPU

2010-08-11 Thread Matt Emmerton

On 10/08/10 05.13, Matt Emmerton wrote:


I'm in the middle of dealing with a SSH brute force attack that is
relentless.  I'm working on getting sshguard+ipfw in place to deal with it,
but in the meantime, my box is getting pegged because sshd is accepting some
connections which are getting stuck in [accepted] state and eating CPU.

I know there's not much I can do about the brute force attacks, but will
upgrading openssh avoid these stuck connections?

If the attack you're experiencing is trying to exhaust system resources by
opening a large number of connections, then you may want to toggle these
options in sshd_config:

ClientAliveInterval
LoginGraceTime
MaxAuthTries
MaxSessions
MaxStartups

Check the man-page. Secondly, check your logs if this attack is from a
limited range of IPs, if so, you might want to try block those ranges.

If your users will only connect from your country, then blocking other
countries in your firewall is very effective.

Thanks to everyone for their help.

I did have MaxSessions set to a small number, but that essentially DoS'd my
access to the server when enough sshd processes got hung.

sshguard+ipfw was blocking a large number of attacks, but the other attacks
that were coming in and hanging sshd weren't getting caught (because they
weren't repetitive.)

I have moved some of my servers to alternate ports, and on the others I
tweaked some of the settings Erik suggested which has helped a lot.

Thanks for all the advice.

--
Matt 
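
An added example (not from the thread or from OpenSSH) for the sshd_config options listed above: it reports which of the five directives a config sets globally, and works out what share of new connections sshd refuses under a `MaxStartups start:rate:full` setting as unauthenticated connections pile up, following the description in sshd_config(5). The sample config and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Reads sshd_config text on stdin.

# Constructed sample config (not taken from any host in the thread).
SAMPLE_CONFIG='# constructed sample
Port 22
LoginGraceTime 30
maxauthtries 3
MaxStartups 10:30:60
MaxStartups 100
Match Address 192.0.2.0/24
    MaxSessions 2'

# effective_value KEYWORD: global value of one keyword. sshd uses the
# first value it reads for a keyword and matches keywords without
# regard to case; lines after the first Match are conditional, so
# parsing stops there. Assumes whitespace-separated "Keyword value".
effective_value() {
    awk -v want="$1" '
        BEGIN { want = tolower(want) }
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == want { print $2; exit }
    '
}

# report_limits: the five directives named in the thread; "(default)"
# means the file does not set the keyword globally, so sshd's built-in
# default applies.
report_limits() {
    cfg=$(cat)
    for kw in ClientAliveInterval LoginGraceTime MaxAuthTries MaxSessions MaxStartups; do
        val=$(printf '%s\n' "$cfg" | effective_value "$kw")
        printf '%s=%s\n' "$kw" "${val:-(default)}"
    done
}

# drop_percent SPEC N: percentage of new connections refused while N
# connections are still unauthenticated. SPEC is a MaxStartups value,
# either "start:rate:full" (random early drop, rising linearly from
# rate% at start to 100% at full) or a single number (hard cap).
drop_percent() {
    spec=$1 n=$2
    case $spec in
        *:*:*) start=${spec%%:*}; rest=${spec#*:}
               rate=${rest%%:*}; full=${rest#*:} ;;
        *)     start=$spec; rate=100; full=$spec ;;
    esac
    if [ "$n" -lt "$start" ]; then
        echo 0
    elif [ "$n" -ge "$full" ]; then
        echo 100
    else
        echo $(( rate + (100 - rate) * (n - start) / (full - start) ))
    fi
}

printf '%s\n' "$SAMPLE_CONFIG" | report_limits
startups=$(printf '%s\n' "$SAMPLE_CONFIG" | effective_value MaxStartups)
for pending in 5 10 35 60; do
    echo "unauthenticated=$pending refused=$(drop_percent "$startups" "$pending")%"
done
```

Once `full` unauthenticated connections are pending, sshd refuses every new connection, legitimate ones included, so a short `LoginGraceTime` matters as much as the cap itself.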




Unable to eject DVD after DVD burning failed

2010-08-11 Thread Yuri
I tried to burn some DVD with this command:
growisofs -dvd-compat -speed=4 -Z /dev/cd0=image.iso
It failed for some reason, but I can't eject the disk now. Button
doesn't work, and eject-1.5_4 errors out too:

$ /usr/local/sbin/eject /dev/cd0
  eject: Invalid argument

Running this command under truss I found this:
open(/dev/cd0,O_RDONLY,06370046000)= 2 (0x2)
ioctl(2,CDIOCALLOW,0x33e04c00)   ERR#22 'Invalid argument'
close(2) = 0 (0x0)

My DVD writer:
acd0: DVDR PIONEER DVD-RW DVR-112D/1.21 at ata4-master UDMA66

And device /dev/acd0 doesn't exist.

Yuri

--- growfs log ---
 2224685056/2305976320 (96.5%) @4.1x, remaining 0:15 RBU 100.0% UBU  51.0%
 2243526656/2305976320 (97.3%) @4.0x, remaining 0:11 RBU 100.0% UBU  53.1%
 2261778432/2305976320 (98.1%) @3.9x, remaining 0:08 RBU 100.0% UBU  51.0%
 2280685568/2305976320 (98.9%) @4.1x, remaining 0:04 RBU  75.4% UBU  53.1%
 2299330560/2305976320 (99.7%) @4.0x, remaining 0:01 RBU  19.8% UBU  57.1%
builtin_dd: 1125968*2KB out @ average 3.8x1352KBps
/dev/pass0: flushing cache
:-( unable to SYNCHRONOUS FLUSH CACHE: Input/output error



Re: Skype

2010-08-11 Thread parv
in message 20100811124006.ga2...@borusse.ewmr.base,
wrote Alex Huth thusly...

 Is anyone using skype on freebsd 8 and can tell me how to do the
 setup?  Seem to be that there is no port and on the website i find
 no package for freebsd.

Well, version 1.x does not work at all as in I was not able to log
in after generating an account via web.  Version 2.x as it existed
in ports not too long ago was broken due to missing source file (not
as in raw code but as in binaries).

Then I searched for a possible solution that led me to download ...

  http://kobyla.info/soft/distfiles/skype_static-2.0.0.72-oss.tar.bz2

... in /misc/ports/distfiles; edit net/skype/Makefile to set proper
PORTVERSION;  generate net/skype/distinfo which led to successful
install & use of skype as in I could log in with the same password &
userid generated earlier & place a call or two.


  - parv

-- 



Re : Re : How to connect a jail to the web ?

2010-08-11 Thread Brice ERRANDONEA
Thank you very much for your answer. It helped me understand some elements. But 
portsnap still doesn't work.


 So, I can't contact DNS servers able to translate www.freebsd.org to
 its ip.  Since I know this ip, I tried : ping 69.147.83.33. This
 time, the error message is :

 ping: socket: Operation not permitted

ping(1) uses raw sockets in order to be able to send and
receive ICMP packets.  By default, raw sockets are disallowed
in jails.  To change that, use this command on the host:

sysctl security.jail.allow_raw_sockets=1

Add an entry to /etc/sysctl.conf so the setting will survive
reboots.

I did it but ping still doesn't work.

 192.168.1.38 is the host's ip so I use 127.0.0.1 for the jail.

Well, localnet addresses are not routed.  If you give your
jail a localnet address, it won't be able to access the
network outside of the host.  (Unless you take measures
to rewrite/translate the addresses and forward them.)
That's why DNS and portsnap don't work.

I suggest using the address 192.168.1.38 for the jail,
at least during installation.  Make sure that the file
/etc/resolv.conf inside the jail is correct, so DNS will
work.  Copying it from the host should be sufficient.

Isn't 192.168.1.38 a localnet address too ? Do you mean I should use the public 
ip of my computer here ?

 By the way, you don't have to build ports inside the jail.
 Of course you *can* do that, but there are other ways, too.
 For example, you could build packages (apache etc.) on
 the host, or in a different jail, or even on a different
 machine, and then use pkg_add(8) inside your jail to
 install them.

I prefer doing that way. I will use apache later so I will have to connect the 
jail to internet anyway.

 And also how the computer knows which data is for the jail and which
 one is for the loopback.

Services (such as apache) listen on certain ports for
connections.  For example, the default port for the HTTP
protocol is 80.  So, when someone is trying to open a
connection to your IP address on port 80, your kernel
looks it up in its table of listening TCP sockets and
finds the apache process which is running inside the jail.
So the connection is handed to the jail.

(This is a bit oversimplifying, but basically that's how
it works.)

OK. This is clear. And it explains how multiple jails can share the same 
address.

 Despite the sshd_enable=YES line, I can't ssh from the host to the
 jail. Well, I can... The first time I did it, I was asked if I wanted
 to add the jail to the list of known hosts. I did it. No problem
 there. But, immediately after that, instead of displaying login :,
 the system displayed passwd :.

That's normal. ssh never asks for the login.  You can use the -l
option if you need to specify a different user name (or put it in your
~/.ssh/config).

Of course. I'm losing my mind with all that jail trouble. It works perfectly 
well with the -l option.

 Some paranoid people have a special login jail.  They
 ssh into the login jail, then log into the host or into
 other jails from there.  The host accepts ssh only from
 localhost.  But please forget this immediately; we don't
 want to make things more complicated than necessary.

I thought it was intended to be impossible to access the host from the jail.
But you're right : I'll forget that.

So, we're progressing. But the problem is not over yet. Any other idea ?

Have a good evening, anyway.

Brice








-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Registergericht Muenchen, HRA 74606,  Management:
secnetix Verwaltungsgesellsch. mbH, Commercial register: Registergericht
München, HRB 125758,  Managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD services, products and more:  http://www.secnetix.de/bsd

Above all, they contribute to the genetic diversity in the
operating system pool.  Which is a good thing.
  -- Ruben van Staveren, on the question which BSD OS is the best one.






Re: How to connect a jail to the web ?

2010-08-11 Thread Jack Raats

It seems that you have DNS problems.
Log in to your jail
go to /etc

Make a file called resolv.conf
which contains:

domain your_jail_domain
nameserver your_nameserver

and it will work...

Jack

PS sorry for the top posting.
I'm using outlook express :-(






- Original Message - 
From: Brice ERRANDONEA berrando...@yahoo.fr

To: Roland Smith rsm...@xs4all.nl; freebsd-questions@freebsd.org
Sent: Wednesday, August 11, 2010 5:35 PM
Subject: Re : How to connect a jail to the web ?


I tried all of this without any result. But I won't give up.

What I want is a jail with an Apache http server running inside. So, the jail
must have a public IPv4 and access to the web.

What I'd understood of the jails' role (but I must have misunderstood) is that
it will have a different public ip than the host, so that if a pirate manages to
crack the server, he will only have access to the jail (the real public ip of
the host remaining secret). Then I'm surprised to learn that such traffic will
be routed through the host.

The jail is created. The next step now is to install the ports collection inside
with portsnap fetch. But each time I try to run this command inside the jail
(with jexec), I get the same answer :

Looking up portsnap.FreeBSD.org mirrors... none found.
Fetching public key from portsnap.FreeBSD.org... failed.
No mirrors remaining, giving up.

This makes me think my jail is not connected to the web. To check this, I tried
to ping various known websites. When I tried domain names, like ping
www.freebsd.org, this error message appears :

ping: cannot resolve www.freebsd.org : Host name lookup failure

So, I can't contact DNS servers able to translate www.freebsd.org to its ip.
Since I know this ip, I tried : ping 69.147.83.33. This time, the error
message is :





Re: UPS question

2010-08-11 Thread Ryan Coleman
Thanks, Chuck.

I talked with a former colleague that has a lot of experience in speccing out 
UPS requirements (between battery-ready and generator-ready backups at the 
office they have up to 5 minutes of battery backup before the gas generator is 
needed with a 128-hour recharge time just to support their servers and wiring 
racks in the office).

He thinks that at 500W needed it would give me about 12 minutes on a 1400VA. My 
consideration is, then, give the server 2 minutes on battery. If full power has 
not been returned, shut down the server but leave the modem (w/ wireless) and 
switch running with power for up to 6 hours.

Now I need to build a server (looking at RAID5 8x2TB) for less than $1600 w/o a 
CPU if I can... a local custom builder quoted me $4000 today for a full system 
inc. CPU, RAM and DVD.

--
Ryan

On Aug 11, 2010, at 11:44 AM, Chuck Swiger wrote:

 Hi, Ryan--
 
 On Aug 11, 2010, at 8:51 AM, Ryan Coleman wrote:
 Total: 495W
 
 According to a calculator if I enter all that information:
 http://www.csgnetwork.com/upssizecalc.html
 It says that it will use 693VA.
 
 That sounds reasonable.  The better PSUs have 80 Plus certification for 
 efficiency, and that's better than the typical wall warts used for modems and 
 switches and the like commonly manage.  (The efficiency they're assuming is a 
 bit over 70%; using 80% would be around 600VA.)
 
 Enter that into http://www.csgnetwork.com/batterylifecalc.html
 It requires Amps... 495W  / 120 voltage = 4.125 amps... doesn't seem right 
 but...
 192 hours... that's not right, right?
 
 Assume for discussion their number was right.  In order to get 495W of output 
 load, the UPS needs to provide 693 volt-amps of juice to your equipment.  
 After the inverter and 10:1 stepup transformer used to convert 12VDC or 
 whatever the UPS batteries are charged to up to 120VAC, the current needed 
 would be 5.77 amps.  However, the 12VDC battery source itself would be 
 getting a draw of 57 amps (ideally; again, the inverter+transformer 
 themselves might only rate about 90% efficiency for very good quality UPS, so 
 would be drawing more like 60 or 65 amps).
 
 A standard APC/Tripplite/whatever 700VA UPS tends to have a lead-acid battery 
 reasonably similar to a car battery, and typically will have around 100 
 amp-hours of charge; they'd probably give you 90 minutes of backup time.  But 
 you can look up the detailed specs of specific models and work from their 
 amp-hour (or watt-hour) ratings-- actually, I think I'm guesstimating more 
 from what a 1200VA unit might provide, and a 700VA model is probably going to 
 provide more like 40-60 minutes of power...
 
 Regards,
 -- 
 -Chuck
 



HPT RocketRaid 2320 mobo support

2010-08-11 Thread Ryan Coleman
List,

Is anyone running the HPT RR 2320 controller? What's the Motherboard that 
you're running on? 

My ABIT AB9 QuadGT's ethernet support has failed, in fact it did it months ago. 
I've been limping along with a Firewire 400 ethernet connection to another 
server (with an EVGA 790i Ultra SLI that doesn't support the RR2320).

I can't afford to power two computers all day long just to keep my large RAID 
available on the net for my customers' needs.

Any leads you can provide would be helpful. The AB9 board is no longer 
available from any vendor anywhere near my purchase price 2 years ago ($150) 
and that would be an acceptable solution. If I can find 2 of them to build my 
new 12TB (8x2TB RAID 5) system that would be wonderful.

Thanks in advance,
Ryan Coleman


Re: Re : How to connect a jail to the web ?

2010-08-11 Thread Rocky Borg

On 8/11/2010 8:35 AM, Brice ERRANDONEA wrote:

I tried all of this without any result. But I won't give up.

What I want is a jail with an Apache http server running inside. So, the jail
must have a public IPv4 and access to the web.


I've been in the same boat as you and there isn't a lot of clear 
documentation that works in all situations. After reading tons of stuff 
on the subject I finally figured out what should work in almost every 
situation. Rather than fit everything in an email I put together a HOWTO 
on the freebsd forums. This should get you up and running quickly and if 
you have any problems or questions don't hesitate to ask.


http://forums.freebsd.org/showthread.php?t=16860


Re: UPS question

2010-08-11 Thread David Brodbeck
On Wed, August 11, 2010 12:25 pm, Ryan Coleman wrote:
 He thinks that at 500W needed it would give me about 12 minutes on a
 1400VA. My consideration is, then, give the server 2 minutes on battery.
 If full power has not been returned, shut down the server but leave the
 modem (w/ wireless) and switch running with power for up to 6 hours.

A bit of advice: If this is an unattended system, give some thought to how
you will boot the server back up if the outage is longer than two minutes
but shorter than six hours.  Most UPS installations have *some* kind of
race condition issue if power comes back after the servers have begun a
shutdown, but in your case it's an unusually long window.




Re: UPS question

2010-08-11 Thread Ryan Coleman
On Aug 11, 2010, at 3:06 PM, David Brodbeck wrote:

 On Wed, August 11, 2010 12:25 pm, Ryan Coleman wrote:
 He thinks that at 500W needed it would give me about 12 minutes on a
 1400VA. My consideration is, then, give the server 2 minutes on battery.
 If full power has not been returned, shut down the server but leave the
 modem (w/ wireless) and switch running with power for up to 6 hours.
 
 A bit of advice: If this is an unattended system, give some thought to how
 you will boot the server back up if the outage is longer than two minutes
 but shorter than six hours.  Most UPS installations have *some* kind of
 race condition issue if power comes back after the servers have begun a
 shutdown, but in your case it's an unusually long window.

Meaning that my 2-minute window is unusually long? If the UPS can support the 
system for 12 minutes, I say give it 20% of the life of the support because our 
power outages here are usually spikes that kill my current web server (but 
amazingly *not* my file server). In fact, one of those power fluxes occurred 
last night. I love storms for the light shows, but hate them for the toll they 
take on my servers.

Additionally I spent $34 on a video card today that reduces my power 
consumption by 150 watts, resulting in a $13 per month savings in my power bill - 
in MN we have a fixed-rate utility fee structure per season (winter power costs 
less than summer, I believe, for whatever reason) and a $10 mail-in rebate on 
the card means I will be turning a net profit in 2 months!
--
Ryan


Re: How to connect a jail to the web ?

2010-08-11 Thread Matthew Seaman
On 11/08/2010 15:10:06, David Allen wrote:
 I meant that you could block access to private servers which need to
 listen on public network ports by just using firewall rules, as opposed
 to making the whole jail hang off a private interface and just
 forwarding selected traffic to it.

 For the second case, you would need pf to do the NAT'ing (or ipfw+natd
 if that's your preference).  With this trick of binding the sensitive
 daemons to an address on the loopback, you are still secure even if pf
 gets turned off.  Of course, secure is not necessarily the same as
 working.
 
 I've read comments in the past about setting up jails using local
 loopback addresses, but I'm wondering if you wouldn't mind elaborating
 on what the actual pf rules would look like.
 
 Say you have 3 jails and more than one public IP address:
 
   ns    127.0.0.2   public_ip_1
   mail  127.0.0.3   public_ip_2
   www   127.0.0.4   public_ip_3
 
 You want to pass port 25 traffic to/from the 'mail' jail.  But you also
 need that jail to use the correct public_ip address.  Is that possible
 without using, for example, pf's binat?
 
 Thanks.

Sure.  In the best Blue Peter tradition[*], here's one I prepared earlier:

http://lists.freebsd.org/pipermail/freebsd-questions/2008-March/171748.html

While that talks about redirecting a couple of TCP and one UDP service
into a single jailed host, I think it's pretty clear how to get from
there to having several different jails each running a different
service.

Cheers,

Matthew

[*] It's a British thing.  You have to have been brought up here to
understand.

-- 
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
JID: matt...@infracaninophile.co.uk   Kent, CT11 9PW



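The kind of pf ruleset the question above asks about, as an added example that is not taken from this thread or from the linked 2008 post: each jail on a loopback alias gets its own nat rule for outbound traffic and an rdr rule for its one public service, so no binat is needed. The interface name, the 192.0.2.x addresses standing in for public_ip_1 to public_ip_3, and ports 53 and 80 for the ns and www jails are assumptions; the syntax is the separate nat/rdr rule form used by the pf in FreeBSD 8.x.

```conf
# Constructed example pf.conf. Placeholders: em0, 192.0.2.x, ports 53 and 80.
# Assumes the three public addresses are configured on the external
# interface and the 127.0.0.x addresses are aliases on lo0.
ext_if    = "em0"
ns_pub    = "192.0.2.1"     # stands in for public_ip_1
mail_pub  = "192.0.2.2"     # stands in for public_ip_2
www_pub   = "192.0.2.3"     # stands in for public_ip_3
ns_jail   = "127.0.0.2"
mail_jail = "127.0.0.3"
www_jail  = "127.0.0.4"

# Outbound: each jail leaves the host with its own public source address.
nat on $ext_if inet from $ns_jail   to any -> $ns_pub
nat on $ext_if inet from $mail_jail to any -> $mail_pub
nat on $ext_if inet from $www_jail  to any -> $www_pub

# Inbound: only the named service on each public address reaches its jail.
rdr on $ext_if inet proto { tcp, udp } from any to $ns_pub port 53 -> $ns_jail
rdr on $ext_if inet proto tcp from any to $mail_pub port 25 -> $mail_jail
rdr on $ext_if inet proto tcp from any to $www_pub port 80 -> $www_jail

# Filtering runs after translation, so inbound rules match the jail address.
block in on $ext_if
pass in on $ext_if inet proto { tcp, udp } from any to $ns_jail port 53 keep state
pass in on $ext_if inet proto tcp from any to $mail_jail port 25 keep state
pass in on $ext_if inet proto tcp from any to $www_jail port 80 keep state
pass out on $ext_if keep state
```

Because the daemons listen only on 127.0.0.x, turning pf off leaves them unreachable from outside rather than exposed, which is the property described in the quoted text above.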


Re: How to connect a jail to the web ?

2010-08-11 Thread Oliver Fromme
Brice ERRANDONEA berrando...@yahoo.fr wrote:
  Oliver Fromme wrote:
   sysctl security.jail.allow_raw_sockets=1
  
  I did it but ping still doesn't work.

Which IP address are you using for the jail now?

If you're using 127.0.0.1, you can only ping the host's
own IP addresses, because packets with a localnet IP
never leave a machine.

If you're using the real address (192.168.1.38) for
the jail, then you should be able to ping all addresses
that you can ping from the host.  I just did a quick
test on my machine; it has the IP address 172.20.0.2
(which is being translated with NAT on my router, but
that doesn't matter):

HOST# sysctl security.jail.allow_raw_sockets=1
security.jail.allow_raw_sockets: 0 -> 1
HOST# jail / testjail 172.20.0.2 /bin/sh -E
# ping www.google.com
PING www.l.google.com (66.102.13.105): 56 data bytes
64 bytes from 66.102.13.105: icmp_seq=0 ttl=54 time=31.196 ms
64 bytes from 66.102.13.105: icmp_seq=1 ttl=54 time=25.553 ms
64 bytes from 66.102.13.105: icmp_seq=2 ttl=54 time=27.086 ms

  192.168.1.38 is the host's ip so I use 127.0.0.1 for the jail.
  
   Well, localnet addresses are not routed.  If you give your
   jail a localnet address, it won't be able to access the
   network outside of the host.  (Unless you take measures
   to rewrite/translate the addresses and forward them.)
   That's why DNS and portsnap don't work.
  
   I suggest using the address 192.168.1.38 for the jail,
   at least during installation.  Make sure that the file
   /etc/resolv.conf inside the jail is correct, so DNS will
   work.  Copying it from the host should be sufficient.
  
  Isn't 192.168.1.38 a localnet address too ?

It's a private address (RFC 1918).  I assume that you've got
a NAT router that translates it to a public IP address.

  Do you mean I should use the public ip of my computer here  ?

Do you have one?  So far you only mentioned 192.168.1.38.

  I thought it was intended to be impossible to access the host from the jail.

It depends on what you want to do with the jail.  Jails can
be used for vastly different purposes.

  But you're right : I'll forget that.

Good.  :-)

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Munich registry court, HRA 74606,  Management:
secnetix Verwaltungsgesellsch. mbH, Commercial register: Munich registry
court, HRB 125758,  Managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD services, products and more:  http://www.secnetix.de/bsd

Clear perl code is better than unclear awk code; but NOTHING
comes close to unclear perl code  (taken from comp.lang.awk FAQ)


Jail from dump/restore?

2010-08-11 Thread Chris Maness
Is it possible to create a jail from a dump/restore of a real system?
If so, would I just restore the dump to the jail tld?

Regards,
Chris Maness


RE: HPT RocketRaid 2320 mobo support

2010-08-11 Thread Graeme Dargie


-----Original Message-----
From: Ryan Coleman [mailto:ryan.cole...@cwis.biz] 
Sent: 11 August 2010 20:30
To: User Questions
Subject: HPT RocketRaid 2320 mobo support

List,

Is anyone running the HPT RR 2320 controller? What's the Motherboard
that you're running on? 

My ABIT AB9 QuadGT's ethernet support has failed, in fact it did it
months ago. I've been limping along with a Firewire 400 ethernet
connection to another server (with an EVGA 790i Ultra SLI that doesn't
support the RR2320).

I can't afford to power two computers all day long just to keep my large
RAID available on the net for my customers' needs.

Any leads you can provide would be helpful. The AB9 board is no longer
available from any vendor anywhere near my purchase price 2 years ago
($150) and that would be an acceptable solution. If I can find 2 of them
to build my new 12TB (8x2TB RAID 5) system that would be wonderful.

Thanks in advance,
Ryan Coleman


Not sure about the US v UK on prices but I recently coughed up for 6
1.5TB hard disks for a system, the 2TB disks were almost double the
price for only 500mb more, it did not make good economic sense, granted
that was a few months ago now. Surely a short term solution would be to
get a PCI nic for your existing system. 

Regards

Graeme



Re: UPS question

2010-08-11 Thread Oliver Fromme
Ryan Coleman ryan.cole...@cwis.biz wrote:
  He thinks that at 500W needed it would give me about 12 minutes on
  a 1400VA.

The W and VA numbers of the UPS are pretty much irrelevant,
because they tell nothing about the capacity of the battery.
Those numbers only give an upper limit on the power that
the UPS can handle (i.e. you cannot connect devices totalling
800 W to a 500 W UPS, for example).

In order to be able to estimate how long the UPS can power
wattage, you need to know the capacity of the battery.
The capacity is usually given in Ah units (Ampere hours).

For example, a battery with 10 Ah capacity can deliver
10 Ampere for 1 hour, or 20 Ampere for 30 minutes, or
30 Ampere for 20 Minutes ...  and so on.
At a typical battery voltage of 12 V, 30 A would be 360 W.

So, theoretically a 10 Ah battery would be able to hold
devices that use 360 W for about 20 Minutes.  In practice
it will be less because no UPS has 100% efficiency.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Munich registry court, HRA 74606,  Management:
secnetix Verwaltungsgesellsch. mbH, Commercial register: Munich registry
court, HRB 125758,  Managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD services, products and more:  http://www.secnetix.de/bsd

Passwords are like underwear.  You don't share them,
you don't hang them on your monitor or under your keyboard,
you don't email them, or put them on a web site,
and you must change them very often.


Re: HPT RocketRaid 2320 mobo support

2010-08-11 Thread Ryan Coleman
Graeme:

The PCI NIC I bought worked for 2 hours after a boot and then failed, the same 
thing the onboard NIC did.

--
Ryan


On Aug 11, 2010, at 4:11 PM, Graeme Dargie wrote:

 
 
 -----Original Message-----
 From: Ryan Coleman [mailto:ryan.cole...@cwis.biz] 
 Sent: 11 August 2010 20:30
 To: User Questions
 Subject: HPT RocketRaid 2320 mobo support
 
 List,
 
 Is anyone running the HPT RR 2320 controller? What's the Motherboard
 that you're running on? 
 
 My ABIT AB9 QuadGT's ethernet support has failed, in fact it did it
 months ago. I've been limping along with a Firewire 400 ethernet
 connection to another server (with an EVGA 790i Ultra SLI that doesn't
 support the RR2320).
 
 I can't afford to power two computers all day long just to keep my large
 RAID available on the net for my customers' needs.
 
 Any leads you can provide would be helpful. The AB9 board is no longer
 available from any vendor anywhere near my purchase price 2 years ago
 ($150) and that would be an acceptable solution. If I can find 2 of them
 to build my new 12TB (8x2TB RAID 5) system that would be wonderful.
 
 Thanks in advance,
 Ryan Coleman
 
 
 Not sure about the US v UK on prices but I recently coughed up for 6
 1.5TB hard disks for a system, the 2TB disks were almost double the
 price for only 500mb more, it did not make good economic sense, granted
 that was a few months ago now. Surely a short term solution would be to
 get a PCI nic for your existing system. 
 
 Regards
 
 Graeme
 