ipf firewall, dropping connections
Hi, I'm running 7.2 with IPFilter - main purpose is for a news server. Many established connections are just dropped and closed, it seems to be random, all allow rules are being affected. Any insight would be appreciated. The machine is under heavy usage, averaging around 150 to 200 connections per second.

[r...@news ~]# ipfstat
bad packets:            in 0    out 0
 IPv6 packets:          in 0 out 0
 input packets:         blocked 22570422 passed 488309778 nomatch 146719580 counted 0 short 0
output packets:         blocked 21885 passed 507034679 nomatch 160765161 counted 0 short 0
 input packets logged:  blocked 22570422 passed 0
output packets logged:  blocked 0 passed 0
 packets logged:        input 0 output 0
 log failures:          input 12571655 output 0
fragment state(in):     kept 0  lost 0  not fragmented 0
fragment state(out):    kept 0  lost 0  not fragmented 0
packet state(in):       kept 14100      lost 2770255
packet state(out):      kept 22966740   lost 8078847
ICMP replies:   0       TCP RSTs sent:  0
Invalid source(in):     0
Result cache hits(in):  17487490        (out):  21607481
IN Pullups succeeded:   9       failed: 0
OUT Pullups succeeded:  1092    failed: 0
Fastroute successes:    0       failures:       0
TCP cksum fails(in):    0       (out):  0
IPF Ticks:      325071
Packet log flags set: (0)
        none

[r...@wa-cpt-news ~]# cat /etc/ipf.rules
###
### Globals
###
block in log quick all with frags    # TCP Fragments
block in log quick all with short    # Short Fragments
block in log quick all with ipopts   # Invalid IP Options

###
### Loopback Interface
###
pass in quick on lo0 from any to 127.0.0.0/8
pass out quick on lo0 from 127.0.0.0/8 to any

###
## em0 - Public NIC
###
# em0 - Outbound Traffic
pass out quick on em0 from a.a.a.a to any keep state
pass out quick on em0 from a.a.a.21 to any keep state
pass out quick on em0 from a.a.a.22 to any keep state
pass out quick on em0 from x.x.x.23 to any keep state
pass out quick on em0 from x.x.x.24 to any keep state
pass out quick on em0 from x.x.x.59.30 to any keep state
pass in quick on em0 from 196.220.59.0/27 to a.a.a.a

# Internal Network Traffic
pass in quick on em0 proto icmp from any to a.a.a.a keep state                                # ICMP
pass in quick on em0 proto tcp from x.220.63.238/32 to a.a.a.a port = 22 flags S keep state   # SSH (Office Only)
pass in quick on em0 proto tcp from x.220.63.33/32 to a.a.a.a port = 22 flags S keep state    # SSH (Office Only)
pass in quick on em0 proto tcp from x.220.32.228/32 to a.a.a.a port = 22 flags S keep state   # SSH (Office Only)
pass in quick on em0 proto tcp from x.220.42.29/32 to a.a.a.a port = 22 flags S keep state    # SSH (Office Only)
pass in quick on em0 proto tcp from any port = 53 to a.a.a.a                                  # DNS (Responses)
pass in quick on em0 proto udp from any port = 53 to a.a.a.a                                  # DNS (Responses)
pass in quick on em0 proto tcp from x.220.63.238/32 to a.a.a.a port = 80                      # HTTP (Office Only)
pass in quick on em0 proto tcp from x.220.63.33/32 to a.a.a.a port = 80                       # HTTP (Office Only)
pass in quick on em0 proto tcp from x.220.32.228/32 to a.a.a.a port = 80                      # HTTP (Office Only)
pass in quick on em0 proto tcp from x.220.42.29/32 to a.a.a.a port = 80                       # HTTP (Office Only)
pass in quick on em0 proto tcp from x.185.0.0/16 to a.a.a.a port = 119                        # NNTP
pass in quick on em0 proto tcp from x.211.26.0/24 to a.a.a.a port = 119                       # NNTP
pass in quick on em0 proto tcp from x.220.32.0/19 to a.a.a.a port = 119                       # NNTP
pass in quick on em0 proto tcp from x.220.63.238/32 to a.a.a.a port = 119                     # NNTP
pass in quick on em0 proto tcp from x.220.32.228/32 to a.a.a.a port = 119                     # NNTP
pass in quick on em0 proto tcp from x.220.63.33/32 to a.a.a.a port = 119                      # NNTP
pass in quick on em0 proto tcp from x.220.42.29/32 to a.a.a.a port = 119                      # NNTP
pass in quick on em0 proto udp from x.220.59.143/32 to a.a.a.a port = 161                     # SNMP
pass in quick on em0 proto udp from x.2
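Two offline checks for the situation in the post above, added here as an example; this is not code from the post or from IPFilter. The ipfstat counters show that the large majority of state entries could not be added ("lost" on both directions), and the inbound NNTP rules carry no keep state, so state for those sessions is only ever created by the generic "pass out ... keep state" rule from the server's reply rather than from the client's SYN, which is what the SSH rules in the same ruleset already do with "flags S keep state". The script measures the state loss share from captured ipfstat text, reports the log-buffer failures, lists inbound TCP pass rules that keep no state, and rewrites them. The ipfstat and rules text are reduced samples copied from the post. The size of the state table (fr_statemax and fr_statesize, listed by ipf -T list on IPFilter 4.x) is the other thing to check on the host and is not touched here.

```shell
#!/bin/sh
# Added example, not from the original post. Offline checks for an IPFilter
# host that is losing state, run against captured ipfstat(8) output and a
# copy of the ruleset. Both samples are reduced from the text in the post.

IPFSTAT_SAMPLE='packet state(in):       kept 14100      lost 2770255
packet state(out):      kept 22966740   lost 8078847
 log failures:          input 12571655 output 0'

# The NNTP rules carry no "keep state": their packets are matched rule by
# rule, and a state entry only appears when the generic "pass out ... keep
# state" rule sees the server reply.
RULES_SAMPLE='pass out quick on em0 from a.a.a.a to any keep state
pass in quick on em0 proto tcp from x.220.63.238/32 to a.a.a.a port = 22 flags S keep state
pass in quick on em0 proto tcp from x.185.0.0/16 to a.a.a.a port = 119
pass in quick on em0 proto tcp from x.211.26.0/24 to a.a.a.a port = 119
pass in quick on em0 proto udp from x.220.59.143/32 to a.a.a.a port = 161'

# state_loss IPFSTAT_TEXT
# Print one line per direction: "<in|out> <kept> <lost> <lost-percent>".
# "kept" counts state entries added, "lost" counts entries that could not be
# added; a large "lost" share means new sessions run without a state entry.
state_loss() {
    printf '%s\n' "$1" | awk '
        /^packet state[(](in|out)[)]:/ {
            dir = $0
            sub(/^packet state[(]/, "", dir)
            sub(/[)].*/, "", dir)
            for (i = 1; i <= NF; i++) {
                if ($i == "kept") kept = $(i + 1)
                if ($i == "lost") lost = $(i + 1)
            }
            total = kept + lost
            # tenths of a percent as an integer, so the output is locale-independent
            tenths = (total > 0) ? int(1000 * lost / total + 0.5) : 0
            printf "%s %d %d %d.%d\n", dir, kept, lost, tenths / 10, tenths % 10
        }'
}

# log_failures IPFSTAT_TEXT
# Every global block rule logs; when the log buffer cannot keep up, ipfstat
# counts the dropped records under "log failures". Print the input count.
log_failures() {
    printf '%s\n' "$1" | awk '
        /log failures:/ { for (i = 1; i <= NF; i++) if ($i == "input") print $(i + 1) }'
}

# stateless_tcp_in RULES_TEXT
# List inbound TCP pass rules that do not keep state.
stateless_tcp_in() {
    printf '%s\n' "$1" | awk '/^pass in / && /proto tcp/ && !/keep state/'
}

# with_state RULES_TEXT
# Rewrite those rules so the state entry is created on the client SYN.
with_state() {
    printf '%s\n' "$1" | awk '
        /^pass in / && /proto tcp/ && !/keep state/ { $0 = $0 " flags S keep state" }
        { print }'
}

# Stand-alone run against the samples. On the host, feed the real output of
#   ipfstat            and   cat /etc/ipf.rules
state_loss "$IPFSTAT_SAMPLE"
echo "log failures (input): $(log_failures "$IPFSTAT_SAMPLE")"
stateless_tcp_in "$RULES_SAMPLE"
```

A "lost" share above a few percent on the in direction is the number to watch: once it dominates, new sessions are passing on the stateless rules alone, and anything the ruleset only permits through the state table starts failing.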
Re: cron/send mail question
eximstats comes to mind as well. Does the whole analyze thing for you...

Quoting Steve Bertrand <[EMAIL PROTECTED]>:

> zbigniew szalbot wrote:
> > Dear all,
> >
> > What command (when using cron) should I invoke to automatically send
> > /var/log/exim/rejectlog file to a specified email address? I just need
> > to analyze it and would best prefer to have it in my inbox in the morning.
>
> The following should be on one line in crontab:
>
> 1 * * * * mail -s "File contents" [EMAIL PROTECTED] < /home/steveb/file.name
>
> It will send your file to you inline in an email at one minute after
> midnight every day.
>
> Steve

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: SSH woes
> # ssh -l root
> Password:
> Password:
> Password:
>
> It kept asking me for Password: although every time I put the correct
> value. I tried out clearing the .ssh* files in my home directories and
> trying to reconnect. None of it worked.

Don't login as root... It's not good practice, SSH on BSD by default does also not allow for it.

Add your normal user to the wheel group, use that to login via SSH, and use su or sudo to gain root privileges when needed.
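As an added example, not code from the thread: a check that reports what a given sshd_config actually enforces for PermitRootLogin, next to the FreeBSD commands for the wheel-group procedure the reply describes. sshd(8) takes the first value it finds for a keyword, so a "PermitRootLogin no" near the top of the file wins over a "yes" further down; the check mirrors that rule and ignores Match blocks. The config text is a constructed sample and the user name alice is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread. Reports the effective value of an
# sshd_config keyword the way sshd(8) resolves it (first occurrence wins,
# keyword names are case-insensitive; Match blocks are not handled here),
# and shows the wheel-group steps from the reply.

# Constructed sample: the later "yes" is dead configuration.
SSHD_SAMPLE='# constructed sshd_config sample
Port 22
PermitRootLogin no
PasswordAuthentication yes
PermitRootLogin yes'

# sshd_effective KEYWORD CONFIG_TEXT
# Print the value sshd would use, or "unset" when the keyword never appears
# (the compiled-in default then applies, which depends on the OpenSSH build,
# so "unset" is not the same as "no").
sshd_effective() {
    printf '%s\n' "$2" | awk -v key="$1" '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*$/ { next }
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print "unset" }'
}

# root_login_blocked CONFIG_TEXT
# Succeed only when the file itself pins PermitRootLogin to "no".
root_login_blocked() {
    [ "$(sshd_effective PermitRootLogin "$1")" = "no" ]
}

# The procedure from the reply, for a user named alice (placeholder):
#   pw groupmod wheel -m alice      # wheel membership is required for su(1) to root
#   ssh -l alice <host>             # log in as the unprivileged user
#   su -                            # become root only when needed
if root_login_blocked "$SSHD_SAMPLE"; then
    echo "root logins over ssh are refused by this config"
else
    echo "PermitRootLogin resolves to: $(sshd_effective PermitRootLogin "$SSHD_SAMPLE")"
fi
```

Running the check against a live host is just sshd_effective PermitRootLogin "$(cat /etc/ssh/sshd_config)"; the same function answers AllowGroups or PasswordAuthentication, which is useful when a config has been edited by several hands and the first line is no longer the one people remember.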
Re: Transport Mode IPSEC
Quoting Ted Mittelstaedt <[EMAIL PROTECTED]>:

> Most people don't wear 2 condoms, you know.

Then you're not having wild enough sex -grin- :)

--
C
Re: Need help! Apache core dumps when running startssl
Quoting Andreas Widerøe Andersen <[EMAIL PROTECTED]>:

> (no debugging symbols found)...(no debugging symbols found)...(no debugging
> symbols found)...
> Program received signal SIGPIPE, Broken pipe.
> 0x2810b1e8 in writev () from /usr/lib/libc.so.4
> (gdb)

And there's your problem. Some library did not link to libc properly. Do a backtrace and a step, it will tell you which module is failing. I've had numerous problems like this in the past (mostly with mod_php though), recompiling the modules that gave errors sorted them out. I doubt this is a mod_ssl issue.

--
C
Re: Need help! Apache core dumps when running startssl
Quoting Andreas Widerøe Andersen <[EMAIL PROTECTED]>:

> On 8/8/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> >
> > Quoting Girish Venkatachalam <[EMAIL PROTECTED]>:
> >
> > > > > Hope to get some input.
> > > > Looks like ur random seeding is not happening
> > > > properly. check whether /dev/random and
> > > > /dev/urandom
> > > > work properly. You can verify it with the command
> > > >
> > > > $openssl rand 512
> > > >
> >
> > Why not just run httpd under gdb, and see WHY it is crashing?
> >
> > gdb httpd httpd.core
> > run -X
> >
> > once cored, just back trace, step, and it should tell you exactly why it
> > is crashing...
>
> Thanks!
> How do I start httpd with ssl support from this command? (I do apachectl
> startssl when Apache crashes. apachectl start works fine though.)
>
> Apache runs fine when ssl is NOT started.

run -X -DSSL
Re: Need help! Apache core dumps when running startssl
Quoting Girish Venkatachalam <[EMAIL PROTECTED]>:

> > > > Hope to get some input.
> > > Looks like ur random seeding is not happening
> > > properly. check whether /dev/random and
> > > /dev/urandom
> > > work properly. You can verify it with the command
> > >
> > > $openssl rand 512
> > >

Why not just run httpd under gdb, and see WHY it is crashing?

gdb httpd httpd.core
run -X

once cored, just back trace, step, and it should tell you exactly why it is crashing...
Re: vmware / vmplayer on freebsd?
As far as I'm aware, VMWare only supports FreeBSD as a Guest OS, not as a Host OS. i.e. you can't run VMWare itself on FreeBSD, but you can run FreeBSD inside VMWare..

Quoting Erin Sharmahd <[EMAIL PROTECTED]>:

> I'm trying to find some info on google on using vmware server or
> vmplayer on freebsd. In essence, one of my classes is expecting us to
> do some windows work, and i'd like to do it in vmware or something
> similar so that I don't have to actually install windows
>
> Is it even possible currently to use the most recent version of vmware
> or vmplayer on freebsd? I saw a port for vmware3, but in talking to a
> friend, he said that's really old...
>
> Thanks,
>
> ~Erin
>
> --
> http://www.tuxgirl.com
Re: Re[2]: "Mounting a drive"
Hmm Disk Manager - Change Mount Point - Mount Volume to a Directory

Unless I'm misunderstanding, that's what you're looking for on the Windows side..

--
Chris

Quoting Jerry McAllister <[EMAIL PROTECTED]>:

> > Many thanks for reply Jerry, when I joined FreeBSD I had not realised
> > that it was a Linux/ Unix forum, on quick inspection I assumed that
> > the title referred to some kind of general help forum. There is such a
> > proliferation of abbreviated titles that I am not always sure from
> > titles of their purpose.
> >
> > My question referred really to Windows XP, as I am only just getting
> > to grips with Linux.
>
> First of all, it has nothing to do with LINUX.
>
> This is FreeBSD which follows the BSD family of UNIX and
> is not nearly the same. In fact, most of us experience it
> as superior to LINUX for server work.
> Check it out at: http://www.freebsd.org/
>
> As for any Microsloth stuff, I couldn't help, but I would
> guess that you are wasting your time trying to do anything
> of that sophistication in MS.
>
> Finally, when you post questions or responses on the list, you should
> always include the list in your responses (as a cc).
>
> jerry
>
> > I had read an article recently, which I can no longer find, that to
> > get around the limitation, under windows XP, of the number of named
> > partitions that one can use, that apparently one can "mount" a
> > partition, be it a sector of a hard drive, or a removable drive,
> > within a directory. ( I believe the article said directory, it might
> > have been a folder ) The article was referring to the ability then to
> > have a number of flash drives or external USB connected drives which
> > could exceed the normal Windows limitation.
> >
> > I am running a piece of software, hyperOS, which allows me to have
> > multiple bootable partitions, and currently I have around 20 on a 300
> > Gig hard drive, I wanted to add several USB memory stick drives and
> > some partitions with different flavours of linux, and so am interested
> > in finding out how I can overcome the windows XP limitation. I felt
> > that also I needed to understand what the term "mounting a drive"
> > actually meant, so that I could try to anticipate any unusual
> > behaviour, particularly with boot switching. From your email it
> > appears that "mounting" implies letting the device driver know the
> > address of the device upon which it is to work.
> >
> > Best regards and thanks for reply,
> > Richard
> >
> > mailto:[EMAIL PROTECTED]
RE: Getting Source Code after Installing the Software
Quoting "Mayo, Richard A RDECOM CERDEC STCD SRI" <[EMAIL PROTECTED]>:

> > DID ANYBODY LOOK ON THE SENDER ADDRESS OF THIS ORIGINAL POSTING!?
> > --> [EMAIL PROTECTED] <--
> >
> > I BET THERE ARE SEVERAL GUYS WHO KNOW HOW TO
> > INSTALL THE SOURCE OF FREEBSD AT THE US ARMY!
>
> I'm sure you're right, but we're kind of spread out and we don't talk all
> that much...

ROTFLOL! :)
Re: Running out of swap space????
Quoting [EMAIL PROTECTED]:

> -- Original message --
> From: [EMAIL PROTECTED]
>
> > +pid 37308 (mysqld), uid 88, was killed: out of swap space
> > +swap_pager: out of swap space
> > +swap_pager_getswapspace(1): failed
>
> If you kill mysql server, does the swap space free up? Are there any known
> issues between the version of MySQL that you're running and FreeBSD 6.0?

MySQL not having a properly tuned config file for the system it runs on? It is known to consume vast amounts of resources if not properly configured...

Just a thought
Re: Requirements
Quoting horn <[EMAIL PROTECTED]>:

> What are the minimum system requirements of FreeBSD 6.1?

http://www.freebsd.org/releases/6.0R/installation-i386.html
freeVRRP errors?
Hi,

May 18 21:26:46 netsphere freevrrpd[15350]: all errors are cleared on interface sis0
May 18 21:57:03 netsphere freevrrpd[15350]: all errors are cleared on interface sis0
May 18 22:02:21 netsphere freevrrpd[15350]: can't write to socket: No buffer space available
May 18 22:02:21 netsphere freevrrpd[15350]: There is a big problem here !
May 18 22:02:22 netsphere freevrrpd[15350]: interface sis0 is faulty, deactivated from VRRP VRIDs
May 18 22:02:22 netsphere freevrrpd[15350]: interface sis0 is alive again, reactivate it on VRRP
May 18 22:02:23 netsphere freevrrpd[15350]: waiting 40 seconds for the spanning tree latency
May 18 22:02:23 netsphere freevrrpd[15350]: interface sis0 is faulty, deactivated from VRRP VRIDs
May 18 22:02:23 netsphere freevrrpd[15350]: interface sis0 is alive again, reactivate it on VRRP
May 18 22:02:24 netsphere freevrrpd[15350]: interface sis0 is faulty, deactivated from VRRP VRIDs
May 18 22:02:24 netsphere freevrrpd[15350]: interface sis0 is alive again, reactivate it on VRRP
May 18 22:02:25 netsphere freevrrpd[15350]: interface sis0 is faulty, deactivated from VRRP VRIDs
May 18 22:02:25 netsphere freevrrpd[15350]: interface sis0 is alive again, reactivate it on VRRP
May 18 22:02:26 netsphere freevrrpd[15350]: interface sis0 is faulty, deactivated from VRRP VRIDs
May 18 22:02:26 netsphere freevrrpd[15350]: cannot reactivate interface sis0, too much errors on it !
May 18 22:02:27 netsphere freevrrpd[15350]: waiting 40 seconds for the spanning tree latency
May 18 22:03:03 netsphere freevrrpd[15350]: send gratuitous arp 198.18.0.36 -> 0:0:5e:0:1:1e
May 18 22:03:03 netsphere freevrrpd[15350]: send gratuitous arp 198.18.0.60 -> 0:0:5e:0:1:1e
May 18 22:03:03 netsphere freevrrpd[15350]: send gratuitous arp 198.18.0.61 -> 0:0:5e:0:1:1e
May 18 22:03:03 netsphere freevrrpd[15350]: send gratuitous arp 198.18.0.62 -> 0:0:5e:0:1:1e
May 18 22:03:03 netsphere freevrrpd[15350]: server state vrid 20: backup
May 18 22:03:07 netsphere freevrrpd[15350]: send gratuitous arp 198.18.0.36 -> 0:e0:18:84:a4:24
May 18 22:03:07 netsphere freevrrpd[15350]: send gratuitous arp 198.18.0.60 -> 0:e0:18:84:a4:24
May 18 22:03:07 netsphere freevrrpd[15350]: send gratuitous arp 198.18.0.61 -> 0:e0:18:84:a4:24
May 18 22:03:07 netsphere freevrrpd[15350]: send gratuitous arp 198.18.0.62 -> 0:e0:18:84:a4:24
May 18 22:03:07 netsphere freevrrpd[15350]: server state vrid 30: backup

That's the last log entry for VRRP. The daemon is still running, nothing is logged, and all my virtual IP addresses are removed from the interface - even the ones that are configured as Master...

Config:

[VRID]
serverid = 20
interface = sis0
useVMAC = yes
carriertimeout = 5
spanningtreelatency = 40
sendgratuitousarp = yes
priority = 255
addr = 198.18.0.56/32
monitoredcircuits = yes
MCClearErrorsCount = 3600
#masterscript = /usr/local/bin/master_script.sh
#backupscript = /usr/local/bin/backup_script.sh
password = xxx

[VRID]
serverid = 30
interface = sis0
useVMAC = yes
carriertimeout = 5
spanningtreelatency = 40
sendgratuitousarp = yes
priority = 100
addr = 198.18.0.57/32
monitoredcircuits = yes
MCClearErrorsCount = 3600
#masterscript = /usr/local/bin/master_script.sh
#backupscript = /usr/local/bin/backup_script.sh
password = xxx

Can anyone shed some light perhaps? I *really* need this to be stable as there is no reason to even attempt a HA system with the HA software being unstable...

Thanks,
Chris.
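An added example, not part of the post and not freevrrpd's own code: a small triage script for the log and config above. It counts the "No buffer space available" write failures and the faulty/alive flaps on the interface, records the last logged state of each VRID, and reports any VRID configured as address owner (priority 255) whose last logged state is not master, which is exactly what the post describes. The log and config samples are reduced copies of the text in the post. The assumption that freevrrpd logs the master state as "server state vrid N: master" is mine.

```shell
#!/bin/sh
# Added example, not from the original post. Offline triage of freevrrpd
# log lines and its config file. Both samples are reduced from the post.

VRRP_LOG=$(cat <<'EOF'
May 18 22:02:21 netsphere freevrrpd[15350]: can't write to socket: No buffer space available
May 18 22:02:21 netsphere freevrrpd[15350]: There is a big problem here !
May 18 22:02:22 netsphere freevrrpd[15350]: interface sis0 is faulty, deactivated from VRRP VRIDs
May 18 22:02:22 netsphere freevrrpd[15350]: interface sis0 is alive again, reactivate it on VRRP
May 18 22:02:23 netsphere freevrrpd[15350]: interface sis0 is faulty, deactivated from VRRP VRIDs
May 18 22:02:23 netsphere freevrrpd[15350]: interface sis0 is alive again, reactivate it on VRRP
May 18 22:02:24 netsphere freevrrpd[15350]: interface sis0 is faulty, deactivated from VRRP VRIDs
May 18 22:02:26 netsphere freevrrpd[15350]: cannot reactivate interface sis0, too much errors on it !
May 18 22:03:03 netsphere freevrrpd[15350]: server state vrid 20: backup
May 18 22:03:07 netsphere freevrrpd[15350]: server state vrid 30: backup
EOF
)

VRRP_CONF=$(cat <<'EOF'
[VRID]
serverid = 20
interface = sis0
priority = 255
addr = 198.18.0.56/32
[VRID]
serverid = 30
interface = sis0
priority = 100
addr = 198.18.0.57/32
EOF
)

# vrrp_summary LOG_TEXT
# Print "enobufs N" (socket writes refused with ENOBUFS), "faulty N"
# (interface-faulty transitions) and "vrid <id> <last state>", sorted.
vrrp_summary() {
    printf '%s\n' "$1" | awk '
        /No buffer space available/ { enobufs++ }
        /interface [^ ]+ is faulty/ { faulty++ }
        /server state vrid [0-9]+: / {
            id = $0; sub(/.*server state vrid /, "", id); sub(/:.*/, "", id)
            st = $0; sub(/.*server state vrid [0-9]+: /, "", st)
            last[id] = st
        }
        END {
            printf "enobufs %d\nfaulty %d\n", enobufs, faulty
            for (id in last) printf "vrid %s %s\n", id, last[id]
        }' | sort
}

# vrid_priorities CONF_TEXT
# Print "<serverid> <priority>" for every [VRID] section.
vrid_priorities() {
    printf '%s\n' "$1" | awk -F'=' '
        /^[[:space:]]*serverid[[:space:]]*=/ { id = $2; gsub(/[[:space:]]/, "", id) }
        /^[[:space:]]*priority[[:space:]]*=/ { p = $2; gsub(/[[:space:]]/, "", p); print id, p }'
}

# demoted_owners LOG_TEXT CONF_TEXT
# VRIDs with priority 255 (the address owner, which should be master whenever
# its interface is up) whose last logged state is not "master".
# Assumption: freevrrpd logs that state as "server state vrid N: master".
demoted_owners() {
    summary=$(vrrp_summary "$1")
    vrid_priorities "$2" | while read -r id prio; do
        [ "$prio" = 255 ] || continue
        case "$summary" in
            *"vrid $id master"*) ;;
            *) echo "$id" ;;
        esac
    done
}

# Stand-alone run against the samples; on the host feed it the syslog
# lines for freevrrpd and the contents of freevrrpd.conf instead.
vrrp_summary "$VRRP_LOG"
echo "owners not master: $(demoted_owners "$VRRP_LOG" "$VRRP_CONF" | tr '\n' ' ')"
```

The ENOBUFS count is the first thing to chase: "No buffer space available" comes from the socket write itself, and every one of them is what trips the monitored-circuit logic into marking sis0 faulty. Once the faulty count exceeds what the daemon tolerates it gives up on the interface, which is why both VRIDs, including the priority-255 owner, end in backup with their addresses gone.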
Re: pppoe reliability
Quoting "Michael P. Soulier" <[EMAIL PROTECTED]>:

> I've noticed that when I drop ppp, the tun0 seems to hang on a bit. If
> I restart too quickly, I get a tun1. The ifconfig command will not
> permit me to destroy tun0 either, so I wait for a little while before
> bringing it back up again.

In the ppp.linkdown:

mylabel:
  iface clear

That will clear the interface and also remove the address when the PPPoE goes down.
Re: Sluggish system
Quoting Subhro <[EMAIL PROTECTED]>:

> Why do you want to NOT reinstall the OS?

Loads of data, loads of accounts / passwords, nothing wrong with the 'base' part of the OS... There's no need to really. My problems are generated from too many ports / inconsistencies in the ports, and so forth. So that's really the only part of the OS that actually needs some serious work.

I also can't re-install the base OS remotely... Yes, I can make world to upgrade it (which has already been done), but not reinstall it in the sense of format / repartition / etc...

--
Chris
Sluggish system
Hi,

I've got a beasty box that has served its purpose for many years. Some files date back to over 6 years ago when this old trusty and faithful was pulled into service. Recently however, I've started to pick up rather strange problems with the system. Libraries installed from ports, startup scripts, and general weird things started happening with the system and the installed applications.

I've made a backup of my /usr/local/etc, would it be a 'clean' way to rm -rf /usr/local, clean the package database, and then basically reinstall everything I need (and remove things I don't need) on the system?

I guess, my aim is a clean 'remote' installation, without physically reinstalling the base OS...

Thanks,
Chris
Re: OT: Torn between SCSI and SATA for RAID
Quoting lars <[EMAIL PROTECTED]>:

> I recently read an interesting comparison
> on consumer and enterprise grade harddisks:
> http://www.seagate.com/content/docs/pdf/whitepaper/D2c_More_than_Interface_ATA_vs_SCSI_042003.pdf

This was posted yesterday in response to my question as well. That document deals mainly with the performance and reliability of the different types of hard drives (i.e. SATA vs SCSI).

My questions that I'm posting are not really related towards the performance of the system, it's more towards the capacity of the system... I guess it boils down to the physical hardware... How does everything connect, how to expand systems, and how to run arrays bigger than what one single controller can provide...

--
C
OT: Torn between SCSI and SATA for RAID
Hi,

I've been spending the last couple of days extensively looking at various options for RAID and getting some storage system in place. Performance is not really a BIG issue, but I also don't want to have things hectically slow either. This will be a NAS type of implementation so speed would be bound by relatively speaking slow network connections in any case...

Now first things first as well, I did look at Fibre Channel too - and the technology is just too expensive and complex for a home type implementation that I want this for.

Ideally, I'd like to start at 2TB of storage (yes, those movies must go somewhere!), but I'd like to be able to grow this as time goes by... I also definitely want redundancy on the data, as I just lost 80GB of precious data when ironically, a 160GB SATA Seagate went out under me.

Now SCSI I know, is more expensive than SATA. Whether it provides better performance than SATA I'm still uncertain of, but gut would tell me that due to the cost factor, SCSI *should* run away as far as speed is concerned. But also as I said previously, speed and performance is not a priority for my implementation and therefore it has very little weight. This makes me look at SATA then therefore.

My problem with SATA, is the whole 1 Port, 1 Drive scenario. I've looked at the Adaptec 16 Port SATA Controller. The reviews I managed to get on that card on the Internet paint a very grim picture. Buggered firmware, the controller destroys drives, and general sluggish performance. Is anyone using this card that can perhaps give me a better picture?

Given that the 16 Port (for now) is out of the question, I have an 8 Port, 4 Port and 2 Port (which isn't really worth looking at even) available to me. Now, even with an 8 Port card...

Let's look at what I can achieve:

Ports 1+2: 750GB Seagates (Biggest available), 1.5TB <- I'm short on my 2TB Initial
Ports 3+4: Mirror of 1+2

Already, I am coming short of what I want to achieve, and I also have no expansion available to me for upgrades... With the 16 Port cards, what I want to achieve becomes quite possible, up to easily about 6TB of data - but I risk losing drives *IF* what I read about the card is true. Also a gamble, considering the relatively high price of large SATA drives.

Another thing that I read that I'm not completely sure about. Some of the Adaptec SCSI Cards advertise a max of 30 devices - some even more. Excuse the ignorance, but does the SCSI Bus not allow for a max of 8 devices? Do these cards then feature multiple buses to connect the cables to? If so, SATA will obviously not be able to provide something like this.

Now comes my question... Uhm.. Can SATA RAID Controllers be 'linked'. Say, I buy 4 x 8-Port Adaptec SATA RAID Controllers... 2 x 8 Port Cards = 16 Ports for 1 RAID 5 Array (@ 750GB Drives, 12TB Max). The other 2 cards, to mirror. I know that I can use one Controller to mirror another, but can I extend an array across multiple controllers... And then naturally, just HOW much slower does the array function?

I've seen some comments and posts (esp. on slashdot) made where people go about running massive arrays successfully on SATA. Given the limits on the Ports at the controller, just how is this achieved?

Sorry that this is so OT, but I hope I'd get some good answers. This is definitely not something that's been discussed a lot before considering the amount of info I got after spending a number of days on google...

--
Chris.