Re: Newbie Problems with cvsup and updating files.
On Sun, 1 Aug 2004 00:23:01 -0400 (EDT) Paul R Culmo <[EMAIL PROTECTED]> wrote:

> On Sat, 31 Jul 2004, Bill Moran wrote:
> > Yes, I think your supfile is wrong.
> >
> > *default release=cvs RELENG_5_2_1_RELEASE
> >
> > ^^^ This line is what I believe is wrong, replace it with these two
> > lines:
> > *default release=cvs
> > *default tag=RELENG_5_2_1_RELEASE
> >
> > Although I would recommend tag=RELENG_5_2_1, but that's your call.
>
> Thanks for the reply, I made the changes you suggested and re-ran the
> cvsup but then things got worse, it deleted all the Makefiles. I guess
> I need to start over with a vanilla src tree from the CD? then make
> buildworld etc.. right ?

um, to my knowledge, no. not if you've got connectivity and cvsup installed. in fact, you don't even need to remove /usr/src, because cvsup should take care of everything for you (ie. remove wrong files, add necessary ones, leave correct ones).

i suspect that your standard-supfile is to blame, if anything isn't working. it could be that you're inadvertently pulling down HEAD, which is by definition, not guaranteed to build. here is a copy of my file:

*default host=cvsup3.freebsd.org
*default base=/usr/local/etc/cvsup
*default prefix=/usr/
*default release=cvs tag=RELENG_4_10
*default delete use-rel-suffix compress

# 1) change cvsup3 for the host you want to use
# 2) change RELENG_4_10 for the tag you want
# i believe that RELENG_5_2 is the correct number in your case
# this will pull down any security and other critical fixes based upon
# freebsd 5.2.x

src-base
src-bin
src-contrib
src-crypto
src-etc
src-games
src-gnu
src-include
src-lib
src-libexec
src-release
src-sbin
src-secure
src-share
src-sys
src-sys-crypto
src-tools
src-usrbin
src-usrsbin
#src-all
#src-kerberos5
#src-kerberosIV
#src-eBones

1) you might find it easier to simply use 'src-all' and comment out or delete the rest of the src-* entries.

2) if you're using a refuse file, do double check that its contents reflect what you actually want. if you're not _100%_sure_ whether or not you have one, try 'find / -name refuse -print'

3) depending on where you placed your config files, you may not be using the correct supfile. try feeding cvsup an absolute path, just to be certain. 'cvsup /foo/path/to/your/standard-supfile'

hope this helps.

cheers,
epi

> Thanks again

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
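An added example, not from the thread or from cvsup itself: a small sh script that lints a supfile for the two mistakes discussed above (a tag written as a bare word after release=cvs, and tag=. pulling HEAD). The sample supfiles it writes are constructed from the lines quoted in this thread, and it relies on the documented cvsup behaviour that release=cvs with no tag at all mirrors the repository's RCS (,v) files rather than checking out a tree.

```shell
#!/bin/sh
# Added example, not from the thread: a lint pass over a cvsup supfile that
# catches the two mistakes discussed above.  Usage: sh check_supfile.sh FILE
#
#  * "*default release=cvs RELENG_5_2_1_RELEASE": the tag is a bare word, so
#    no tag is set at all.  With release=cvs and no tag, cvsup mirrors the
#    repository's RCS files (Makefile,v ...) instead of a checkout, which is
#    exactly the ",v next to every file, buildworld breaks" symptom.
#  * "tag=.": that is HEAD, which is not guaranteed to build; a box that wants
#    security fixes should follow a security branch such as RELENG_5_2_1.

# check_supfile FILE -> prints findings; returns 0 when clean, 1 otherwise.
check_supfile() {
    file=$1 release="" tag="" stray="" rc=0
    while IFS= read -r line; do
        case $line in
            \*default*) ;;        # only the *default lines carry settings
            *) continue ;;        # collections, comments, blank lines
        esac
        set -f                    # no globbing while we split on whitespace
        set -- $line
        set +f
        shift                     # drop the "*default" word
        for kv in "$@"; do
            case $kv in
                release=*) release=${kv#release=} ;;
                tag=*)     tag=${kv#tag=} ;;
                *=*)       ;;     # host=, base=, prefix=, date=: fine
                delete|use-rel-suffix|compress|preserve) ;;   # flags
                *)         stray="$stray $kv" ;;
            esac
        done
    done < "$file"

    if [ -n "$stray" ]; then
        echo "stray word(s) on a *default line:$stray (did you mean tag=...?)"
        rc=1
    fi
    if [ "$release" = cvs ] && [ -z "$tag" ]; then
        echo "release=cvs with no tag: cvsup will mirror RCS (,v) files into prefix"
        rc=1
    fi
    if [ "$tag" = . ]; then
        echo "tag=. follows HEAD, which is not guaranteed to build"
        rc=1
    fi
    return $rc
}

# Constructed sample supfiles for a stand-alone run (the broken one repeats
# the line from the original post; neither is a real file from this thread).
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
cat > "$tmpdir/broken" <<'EOF'
*default host=ftp4.us.FreeBSD.org
*default base=/usr
*default prefix=/usr
*default release=cvs RELENG_5_2_1_RELEASE
*default delete use-rel-suffix
*default compress
src-all
EOF
cat > "$tmpdir/fixed" <<'EOF'
*default host=ftp4.us.FreeBSD.org
*default base=/usr
*default prefix=/usr
*default release=cvs tag=RELENG_5_2_1
*default delete use-rel-suffix compress
src-all
EOF

for f in broken fixed; do
    echo "== $f"
    check_supfile "$tmpdir/$f" && echo "   looks fine"
done
```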
Re: konqueror not responding
Dear Manuel,

I've run into similar issues with KDE in the past. You were on the right track, but apparently the one file konquerorrc wasn't the problem. Just delete the entire ~/.kde and then restart KDE. You will then be treated like a new user, and KDE will query for the usual desktop settings (language, theme, etc). That does mean, of course, that you'll lose any customized settings you've already made, but that should be no big deal.

regards,
Robert

On Sat, 31 Jul 2004 11:41:17 +0200 Manuel Astudillo <[EMAIL PROTECTED]> wrote:

> Hi,
>
> something weird happened to the settings of Konqueror in kde 3.2.3 and
> every time I try to access a web page on the internet the browser
> freezes. If I try to open local webpages or just use konqueror to
> browse in my filesystem everything works just ok.
> If I login using another user then it also works perfectly, so I suspect
> there is something corrupted in the config files on my current user.
> Is there any way to remove all the config files and start konqueror
> from scratch? I already tried in ~/.kde and deleted konquerorrc but it
> does not help.
>
> regards,
>
> Manuel Astudillo.
Re: Sorry--I'm Newbie - Best way to add php4
Bob Kukla wrote:

> Previous message had no subject,,, sorry for that

We are all newbies ... some are older newbies ... Even the "oldies" know that they're just "newbies with experience" ... ;-)

> Hi, I am very new to BSD and web servers and have just recently installed
> the latest 5.2 version. I have installed Apache 1.3 from the FreeBSD ftp
> site and have added mod_dav successfully. The web server and webDAV are
> working fine. I now want to add php4 and mySQL capabilities. I have read
> some of the latest mail and am confused as to how to best go about it. I
> have never used php or mySQL before nor have I had it installed on a web
> server. What packages and in what sequence, if any, should I install?
> Also, what does the number 20020429 at the end
> (/usr/local/lib/php/20020429) signify?
>
> Thanks in advance for your help!
>
> Bob Kukla

I've no experience with mod_dav (in fact I just got done looking it up at google), so I can't say whether it will be affected, or not (I would suspect not, I tend to be an optimist) but:

[Read the lower section about MySQL before you do any installation ...]

I generally just go to /usr/ports/lang/php4 and type "make install clean" as root. This gets me mod_php4, the PHP CLI, it even builds a CGI you can move to your cgi dir if you desire/need to. If it's your first time, then expect to go through a ncurses-based dialog (remember sysinstall?) where you will choose PHP extensions to be built. After that, it's a matter of the appropriate modifications to httpd.conf. I'd sure recommend that you cruise over to www.php.net and check out their documentation: it's well done, and they've some install "cheat sheets" for almost every variety of OS/webserver on the planet (well, many of them, like I said, I'm optimistic...)

MySQL is similar. IIRC, it may be best to get MySQL going first. Like I said, the docs at php.net are good.

I also like the boards at www.phpbuilder.com for PHP help and community

HTH,

Kevin Kinsey
Re: FreeBSD and MySQL - mysqld eats CPU alive
> Before the rest of the message ... I think it'd be best not to "shotgun"
> your mails like this...

Hello. I would disagree with this. This is obviously both database@ and questions@ appropriate. I also feel that it is hackers@ appropriate as it deals with an old, existing, and non-trivial problem that is very much related to FreeBSD. (In fact, reading the URLs you note below, this was almost entirely a FreeBSD internals problem.)

> It's certain combinations of the two, best I can tell. Looks like you
> can stay with FBSD if you want to do the tweaking --- be sure and
> read the second article if you are going to read the first
>
> "FreeBSD or Linux for your MySQL Server?"
> http://jeremy.zawodny.com/blog/archives/000203.html
>
> "Revisiting FreeBSD vs. Linux for MySQL"
> http://jeremy.zawodny.com/blog/archives/000697.html

Excellent. I had read his earlier notes a long time back, but did not know he had found some solutions to this problem.
Sorry--I'm Newbie - Best way to add php4
Previous message had no subject,,, sorry for that

Hi, I am very new to BSD and web servers and have just recently installed the latest 5.2 version. I have installed Apache 1.3 from the FreeBSD ftp site and have added mod_dav successfully. The web server and webDAV are working fine. I now want to add php4 and mySQL capabilities. I have read some of the latest mail and am confused as to how to best go about it. I have never used php or mySQL before nor have I had it installed on a web server. What packages and in what sequence, if any, should I install? Also, what does the number 20020429 at the end (/usr/local/lib/php/20020429) signify?

Thanks in advance for your help!

Bob Kukla
Re: receiving your address on my TV
Sylvia bowman wrote:

> I am receiving your email address on my television screen. It happens late on
> Saturday evenings. Can you address this situation, please. Sylvia Bowman

Please wrap your messages at 80 characters.

This certainly seems very unusual. I have several suggestions, but I am not Too Hopeful(tm) for success in assisting you.

* If your TV is running "Web TV" or "MSN TV" delete these viruses...
* If your TV is showing "tech TV" via satellite, change channels/transponders/providers...
* If you are running your TV screen as a computer monitor, revise your expectations...
* If you are a psychic, realize that the collective consciousness of the INTERNET is begging you to switch operating systems...
* If you believe in God, realize that He is asking you to look for technical answers in a place other than the Bible ...
* If you have a metal television chassis, look on the rear of the unit, find a switch marked "MAGIC" and "MORE MAGIC", and switch it to the "MAGIC" side

Whatever you do, *NEVER* stick the electrical connector from your TV into any bodily orifice, as electrical discharge may occur...

I predict that you will see more of this address before the problem is solved

HTH,
Re: Newbie Problems with cvsup and updating files.
On Sat, 31 Jul 2004, Bill Moran wrote:

> Yes, I think your supfile is wrong.
>
> > *default release=cvs RELENG_5_2_1_RELEASE
>
> ^^^ This line is what I believe is wrong, replace it with these two
> lines:
> *default release=cvs
> *default tag=RELENG_5_2_1_RELEASE
>
> Although I would recommend tag=RELENG_5_2_1, but that's your call.

Thanks for the reply, I made the changes you suggested and re-ran the cvsup but then things got worse, it deleted all the Makefiles. I guess I need to start over with a vanilla src tree from the CD? then make buildworld etc.. right ?

Thanks again
pdf viewer with form fill in
Hi,

Does anyone know of a .pdf viewer in the ports tree, or elsewhere, that will allow you to fill in forms. Acroread, kghostview and xpdf all work quite well for viewing, but don't provide that very useful feature.

Thanks,
Joey
Re: Receiving your address on my tv
sylvia bowman <[EMAIL PROTECTED]> wrote:

> I am receiving your email address on my television screen. It happens
> late on Saturday evenings. Can you address this situation, please.
> Sylvia Bowman

I'm assuming this isn't a joke ...

This is about the most unlikely thing I've ever heard of. However, if it really is happening, you're going to have to give a better description of what you mean. Are you saying that on Saturday evenings your TV screen says "[EMAIL PROTECTED]"? Or that you see FreeBSD emails on your screen? Are you using some sort of webTV?

--
Bill Moran
Potential Technologies
http://www.potentialtech.com
Re: FreeBSD and MySQL - mysqld eats CPU alive
Before the rest of the message ... I think it'd be best not to "shotgun" your mails like this...

adp wrote:

> I recently posted the following message to MySQL discussion list. The
> response there, and the one I keep finding on Google, is that this is a
> long-standing issue between FreeBSD and MySQL. For me this has been
> happening since FreeBSD 4.4. I have one site where we are going to have
> to move to Linux. I would much prefer keeping us on FreeBSD, but we just
> can't afford the downtime anymore. Another site is looking at moving to
> PostgreSQL on FreeBSD.
>
> Any help on this? Googling shows a long history of people having these
> problems but no solutions. Please don't give me a URL to a Google showing
> others having this problem--I've seen that and more. I want to know if
> there is a solution. Any help is appreciated!
>
> ...
>
> I have several MySQL and FreeBSD installs across a few different sites,
> and I consistently have problems with mysqld. It will begin to eat up all
> of the CPU and eventually become unresponsive (or the machine will just
> burn). I can't seem to manually reproduce this, but given enough time a
> FreeBSD box with mysqld will go down. Our servers are generally heavily
> loaded.
>
> I would say that I'm doing something wrong (although what I could be
> doing wrong I'm not sure), but I recently began working with another
> company that has the EXACT SAME PROBLEM. They are even thinking of moving
> to PostgreSQL, but we are trying to fix mysqld instead for now.
>
> This behavior has been seen on:
>
> FreeBSD 4.4, 4.7, 4.9, 4.10
> MySQL 3.x and 4.x
> Typical load: 50 qps
> With and without replication enabled.
> Some sites are SELECT heavy, some are INSERT heavy.
>
> For one site I think we will be moving from FreeBSD to Linux for the
> MySQL servers since MySQL seems to run like a champ on Linux. We will
> continue to use FreeBSD for everything else.
>
> Anyone experienced this problem? Is it mysqld or FreeBSD? I can't
> pinpoint the exact issue.

It's certain combinations of the two, best I can tell. Looks like you can stay with FBSD if you want to do the tweaking --- be sure and read the second article if you are going to read the first

"FreeBSD or Linux for your MySQL Server?"
http://jeremy.zawodny.com/blog/archives/000203.html

"Revisiting FreeBSD vs. Linux for MySQL"
http://jeremy.zawodny.com/blog/archives/000697.html

HTH,

Kevin Kinsey
DaleCo, S.P.
Re: Receiving your address on my tv
my oh my i never knew that fbsd was that powerful, hey i never heard of linux manipulating a tv signal what channel is this on, .

--
Steve Rieger
ICQ # 5956607
yahoo IM riegersteve

- Original Message -
From: "sylvia bowman" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, July 31, 2004 8:45 PM
Subject: Receiving your address on my tv

> I am receiving your email address on my television screen. It happens
> late on Saturday evenings. Can you address this situation, please.
> Sylvia Bowman
Receiving your address on my tv
I am receiving your email address on my television screen. It happens late on Saturday evenings. Can you address this situation, please.

Sylvia Bowman
FreeBSD and MySQL - mysqld eats CPU alive
I recently posted the following message to MySQL discussion list. The response there, and the one I keep finding on Google, is that this is a long-standing issue between FreeBSD and MySQL. For me this has been happening since FreeBSD 4.4. I have one site where we are going to have to move to Linux. I would much prefer keeping us on FreeBSD, but we just can't afford the downtime anymore. Another site is looking at moving to PostgreSQL on FreeBSD.

Any help on this? Googling shows a long history of people having these problems but no solutions. Please don't give me a URL to a Google showing others having this problem--I've seen that and more. I want to know if there is a solution. Any help is appreciated!

...

I have several MySQL and FreeBSD installs across a few different sites, and I consistently have problems with mysqld. It will begin to eat up all of the CPU and eventually become unresponsive (or the machine will just burn). I can't seem to manually reproduce this, but given enough time a FreeBSD box with mysqld will go down. Our servers are generally heavily loaded.

I would say that I'm doing something wrong (although what I could be doing wrong I'm not sure), but I recently began working with another company that has the EXACT SAME PROBLEM. They are even thinking of moving to PostgreSQL, but we are trying to fix mysqld instead for now.

This behavior has been seen on:

FreeBSD 4.4, 4.7, 4.9, 4.10
MySQL 3.x and 4.x
Typical load: 50 qps
With and without replication enabled.
Some sites are SELECT heavy, some are INSERT heavy.

For one site I think we will be moving from FreeBSD to Linux for the MySQL servers since MySQL seems to run like a champ on Linux. We will continue to use FreeBSD for everything else.

Anyone experienced this problem? Is it mysqld or FreeBSD? I can't pinpoint the exact issue.
Re: raw devices
Matthew Seaman wrote:

> On Sat, Jul 31, 2004 at 10:30:21PM +0200, Wojciech Puchar wrote:
>
> > where are raw devices in FreeBSD? do they exist at all?
>
> Actually, all devices under FreeBSD are raw or character devices. Block
> devices on the other hand disappeared a long time ago. It's all to do
> with having an advanced VM system, apparently:
>
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/arch-handbook/driverbasics-block.html
>
> Cheers,
>
> Matthew

Hmm, now I'm a tad curious --- or confused. ceri@ just committed a revised synopsis I hacked at for the handbook's Vinum chapter which states, among other things:

"In addition to supporting various cards and controllers for hardware RAID systems, the base FreeBSD system includes the Vinum Volume Manager, a block device driver that implements virtual disk drives."

So is there conflicting data here? Might be good to figure out the truth before the next edition handbook goes to the printer (which may be soon...)

However, I'd be first to admit a dire lack of knowledge here... help?

Kevin Kinsey
DaleCo, S.P.
Re: Newbie Problems with cvsup and updating files.
Paul R Culmo <[EMAIL PROTECTED]> wrote:

> Greetings,
>
> I've been a newbie on FreeBSD 5.2.1 now for about a month. I have had
> much success lately but I wanted to try the cvsup and update the sources
> (/usr/src) so I can stay current on patches and security updates.
>
> I've managed to create a cvsupfile but all the docs I've read do not
> instruct you how to update the old files with the new files. Does this
> happen automatically or do I need to create a script to do it ?
>
> I setup my cvsupfile to grab src-all and it downloaded but now I have
> filenames with a ,v for almost every file. Like Makefile and now there is
> a Makefile,v in /usr/src and make buildworld will not compile anymore. I
> get errors when trying to build tools.
>
> Below is a snip of my cvsupfile, did I do something wrong?

Yes, I think your supfile is wrong.

> --snip--
>
> *default host=ftp4.us.FreeBSD.org
> *default base=/usr
> *default prefix=/usr
> *default release=cvs RELENG_5_2_1_RELEASE

^^^ This line is what I believe is wrong, replace it with these two lines:
*default release=cvs
*default tag=RELENG_5_2_1_RELEASE

Although I would recommend tag=RELENG_5_2_1, but that's your call.

> *default delete use-rel-suffix
> *default compress
>
> src-all
> ports-base
> ports-www
> #cvsroot-common
> #cvsroot-src
> #cvsroot-ports
> #cvsroot-doc

--
Bill Moran
Potential Technologies
http://www.potentialtech.com
Re: backspace and delete keys behavior
On Sunday 01 August 2004 03:51, Giorgos Keramidas wrote:

> On 2004-07-31 18:43, Mark Ovens <[EMAIL PROTECTED]> wrote:
> > Ion-Mihai Tetcu wrote:
> > > On Fri, 30 Jul 2004 14:30:59 +0100 Mark Ovens <[EMAIL PROTECTED]> wrote:
> > > > To implement this in a running X session type this in an xterm
> > > >
> > > > xmodmap -e "keysym Delete = 0x04"
> > > >

The default code produced by the Delete key and interpretation by X is fine. Xterm produces the standard ANSI sequence "^[[3~" as it should and this is encoded in termcap for xterm as delete character. And this will work as expected for many applications working within an xterm window. The problem comes about that the shell does not honour this termcap entry. Don't fool with xmodmap; it will work against you in applications -- just bind the key sequence in your shell (tcsh?)

$ bindkey "^[[3~" delete-char

I guess it would not be too difficult to extract the correct string from termcap so that it worked for all (most) terminals but most now use the standard ANSI sequences so it is probably not worth the effort.

Malcolm
Newbie Problems with cvsup and updating files.
Greetings,

I've been a newbie on FreeBSD 5.2.1 now for about a month. I have had much success lately but I wanted to try the cvsup and update the sources (/usr/src) so I can stay current on patches and security updates.

I've managed to create a cvsupfile but all the docs I've read do not instruct you how to update the old files with the new files. Does this happen automatically or do I need to create a script to do it ?

I setup my cvsupfile to grab src-all and it downloaded but now I have filenames with a ,v for almost every file. Like Makefile and now there is a Makefile,v in /usr/src and make buildworld will not compile anymore. I get errors when trying to build tools.

Below is a snip of my cvsupfile, did I do something wrong? or forget a step? I've followed the docs and howto's relating to this to a T as far as I can tell.

Thanks in advance!

Paul R Culmo

--snip--

*default host=ftp4.us.FreeBSD.org
*default base=/usr
*default prefix=/usr
*default release=cvs RELENG_5_2_1_RELEASE
*default delete use-rel-suffix
*default compress

src-all
ports-base
ports-www
#cvsroot-common
#cvsroot-src
#cvsroot-ports
#cvsroot-doc

--end snip---
Re: Re: Is there an English Dictionary for FreeBSD?(not online like kdict)
aspell works well too, that's what I use.

--Brian

On Sat, 31 Jul 2004 18:36:47 +0300, Ion-Mihai Tetcu <[EMAIL PROTECTED]> wrote:

> On Sat, 31 Jul 2004 05:55:16 -0700 (PDT)
> Mark Jayson Alvarez <[EMAIL PROTECTED]> wrote:
>
> > Hi,
> > I'm looking for a dictionary software which I can
> > use even if I'm not connected to the internet as
> > opposed to what kdict in KDE does. Do you happen to
> > know one?
>
> use kdict but with a local db; for that install net/dictd-database which
> will pull in net/dictd
>
> --
> IOnut
> Unregistered ;) FreeBSD "user"
Re: Firewall Rule Set not allowing access to DNS servers?
On 2004-07-31 20:07, JJB <[EMAIL PROTECTED]> wrote:

> Now many home LAN environments have ms/windows boxes and that system
> is the target of all the adware and spyware programs. These
> unauthorized programs almost always use non-standard ports to
> phone home and report on your activity. The only way to defend
> against the 'report home action' is to block all outbound ports
> except for those explicitly allowed by firewall rules.

Ah, yes. This makes much more sense. I never thought of this because the computers I have at home run only UNIX variants now. In such cases, you're right that outbound traffic needs to be controlled in some way.

> New subject.
> I see from your post, what looks like you have an automated way to
> reformat MS/outlook top post to Unix Bottom post format.
>
> I sure would like to know how you are doing this. I have been on
> this list for 4 years and I have never seen this before. Would you
> please share with me and the other readers how you do this.

`Manually' is the short answer. I don't usually spend the time to hit the right keys in Emacs to reformat the message. Your message is one of the few exceptions, because I really wanted to reply. Most of the time, when I see text that Outlook has converted magically to garbage I hit DEL.

The tricks I use in Emacs are simple -- not really automated stuff. `C-x .' sets the fill-prefix and a few RET lines will quickly separate the message in sections like these:

> >>> When I use the rule set in question, I can ping and send mail
> but
> >>> I cannot access the DNS servers listed in resolv.conf.
> >>
> >> There are many ways in which your ruleset might break. Two of
> the
> >> most important comments I wanted to make when I first saw the
> posts
> >> of this thread are: [...]

> I've read a very detailed guide that you wrote, linked by one of
> your
> posts and available online at:
> http://freebsd.a1poweruser.com:6088/FBSD_firewall/
> This guide contains a great deal of useful information and it would
> be
> cool if it was somehow incorporated to the Handbook. It's not yet,
> but
> I like most of the text so I hope it gets converted to SGML and
> added to
> the Handbook either in parts or as a whole.

Moving the pointer just past the "> " or "> >>> " text that I want to use as the quotation mark and hitting `C-x .' sets the fill-prefix and then `M-q' (or ESC-q) refills the paragraph. Some lines like the ones that Outlook has wrapped in weird ways, i.e. like this:

> >>> When I use the rule set in question, I can ping and send mail
> but

might need a bit of editing before M-q filling works correctly, but these are usually very few after I've trimmed the text.

- Giorgos
RE: Firewall Rule Set not allowing access to DNS servers?
Giorgos

Thank you for your opinion about my rewrite of the handbook firewall section. It has been turned over to the FreeBSD doc group and they are sanitizing the English and getting it prepared for update to the handbook.

To address your opinion that the rule set may be too limiting for a home user: that is covered by the following section from the document.

*
Firewall Rule Set Types

Constructing a software application firewall rule set may seem to be trivial, but most people get it wrong. The most common mistake is to create an exclusive firewall rather than an inclusive firewall.

An exclusive firewall allows all services through except for those matching a set of rules that block certain services.

An inclusive firewall does the reverse. It only allows services matching the rules through and blocks everything else. This way you can control what services can originate behind the firewall destined for the public internet and also control which services originating from the public internet may access your network. Inclusive firewalls are far more secure than exclusive firewalls.
*

Now many home LAN environments have ms/windows boxes and that system is the target of all the adware and spyware programs. These unauthorized programs almost always use non-standard ports to phone home and report on your activity. The only way to defend against the 'report home action' is to block all outbound ports except for those explicitly allowed by firewall rules.

Sure the ipfw firewall rule set you posted will work, but it's so much less secure than the ones contained in the document I wrote. Why have a poorly defined firewall rule set that leaves a wide open doorway to the public internet when just a few more rules will result in the maximum protection possible.

My document is written to give the reader the maximum protection possible by just using the included samples. This removes the trial and error testing the user has to go through now using the current handbook as a guide.

New subject.
I see from your post, what looks like you have an automated way to reformat MS/outlook top post to Unix Bottom post format.

I sure would like to know how you are doing this. I have been on this list for 4 years and I have never seen this before. Would you please share with me and the other readers how you do this.

Thanks
Joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Giorgos Keramidas
Sent: Saturday, July 31, 2004 6:43 PM
To: JJB
Cc: [EMAIL PROTECTED]
Subject: Re: Firewall Rule Set not allowing access to DNS servers?

[-- Message reformatted to fix Outlook format --]

On 2004-07-31 14:17, JJB <[EMAIL PROTECTED]> wrote:
> Giorgos Keramidas wrote on July 31, 2004 1:36 PM
> > On 2004-07-31 12:08, "James A. Coulter" <[EMAIL PROTECTED]> wrote:
> > > My LAN is configured with static IP addresses, 192.168.1.x.
> > >
> > > I have no problems communicating within the LAN.
> > >
> > > I have full connectivity with the internet from every machine on
> > > my LAN when the firewall is open.
> > >
> > > When I use the rule set in question, I can ping and send mail but
> > > I cannot access the DNS servers listed in resolv.conf.
> >
> > There are many ways in which your ruleset might break. Two of the
> > most important comments I wanted to make when I first saw the posts
> > of this thread are: [...]
> >
> > b) Why do you use so many rules that 'filter' outgoing traffic?
> >
> > I saw smtp, pop3, time, http, https and many others. You
> > don't need to explicitly allow outgoing connections unless
> > the users in the internal LAN are not to be trusted at all
> > and even then IPFW is most of the time not the right way to
> > do it.
>
> If you had read the start of the thread you would have read the new
> handbook firewall section rewrite which explains in detail why there
> are rules to control access to the public internet from LAN users.

I've read a very detailed guide that you wrote, linked by one of your posts and available online at:

http://freebsd.a1poweruser.com:6088/FBSD_firewall/

This guide contains a great deal of useful information and it would be cool if it was somehow incorporated to the Handbook. It's not yet, but I like most of the text so I hope it gets converted to SGML and added to the Handbook either in parts or as a whole.

If by "... which explains in detail why..." you refer to this particular quote from that document, I'm not sure that it is always a good idea but that's my own opinion:

"The Outbound section in the following rule set only contains `pass' rules which contain selection values that uniquely identify the service that is authorized for public internet access."

In a corporate environment, where access to the Internet has to be limited and/or controlled in a more or less strict manner, it looks like a great idea. At home, where a couple of m
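An added example, not from the thread or from the firewall guide it discusses: a first-match evaluator for outbound rules, modelled on how ipfw walks its rule list, run over constructed traffic. It shows why the inclusive rule set from the "Firewall Rule Set Types" section above (list what is allowed, deny the rest) stops a program reporting home on an unlisted port while an exclusive set (list what is denied, allow the rest) lets it through, and why leaving the DNS rule out of an inclusive set produces exactly the "cannot access the DNS servers" symptom this thread started with. The rule and traffic formats are this demo's own; ipfw itself is not invoked.

```shell
#!/bin/sh
# Added example, not from the thread or the handbook draft: a tiny first-match
# evaluator for outbound rules, in the spirit of ipfw's rule list, run over
# constructed sample traffic.  Rule syntax and traffic are this demo's own.

# Rule lines: "<action> <proto> <destination port>", evaluated top to bottom,
# first match wins.  "any" matches everything.
INCLUSIVE='
allow udp 53
allow tcp 53
allow tcp 25
allow tcp 80
allow tcp 443
allow udp 123
deny any any
'

# The same idea with the DNS rules forgotten: the classic inclusive-set slip.
INCLUSIVE_NO_DNS='
allow tcp 25
allow tcp 80
allow tcp 443
deny any any
'

# Exclusive set: block a few well-known ports, pass everything else.
EXCLUSIVE='
deny tcp 135
deny tcp 139
deny tcp 445
allow any any
'

# verdict RULES PROTO DPORT -> prints "allow" or "deny" for one outbound packet.
verdict() {
    rules=$1 proto=$2 dport=$3
    v=$(echo "$rules" | while read -r action rproto rport; do
            [ -z "$action" ] && continue
            if [ "$rproto" = any ] || [ "$rproto" = "$proto" ]; then
                if [ "$rport" = any ] || [ "$rport" = "$dport" ]; then
                    echo "$action"   # first match wins
                    exit 0           # leave the pipeline subshell
                fi
            fi
        done)
    # No rule matched: ipfw's implicit last rule denies unless the kernel was
    # built with IPFIREWALL_DEFAULT_TO_ACCEPT, so default to deny here too.
    echo "${v:-deny}"
}

# Constructed sample of outbound traffic from a LAN box: "proto port what".
TRAFFIC='
udp 53 resolver lookup
tcp 80 browser
tcp 25 outgoing mail
tcp 9001 unwanted program reporting home on an unlisted port
'

# show NAME RULES -> one verdict line per sample packet.
show() {
    echo "== $1"
    echo "$TRAFFIC" | while read -r proto port what; do
        [ -z "$proto" ] && continue
        printf '  %-5s %-4s %-5s %s\n' \
            "$(verdict "$2" "$proto" "$port")" "$proto" "$port" "$what"
    done
}

show inclusive "$INCLUSIVE"
show inclusive-without-dns "$INCLUSIVE_NO_DNS"
show exclusive "$EXCLUSIVE"
```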
Re: can i delete /usr/obj/ before installworld?
On Sat, 31 Jul 2004 10:36:16 + Scott <[EMAIL PROTECTED]> wrote:
> Hi there,
>
> I'm really short on diskspace, and I have no room to run a make
> buildkernel after I run make buildworld.
>
> Is it possible to do the following:
>
> make buildworld
> rm -fr /usr/obj
> make buildkernel
> make installkernel
> -reboot single user
> make installworld

hello scott,

if i am not mistaken, everything created by make buildworld is what ends up under /usr/obj. by deleting these files, you are effectively removing everything that you want to install via make installworld. (perhaps?)

a more space-effective workaround would be to:

1) build a generic kernel and keep that lying about. in other words, copy the new generic kernel you build to another file like kernel.generic. these are pretty good about booting up, despite the minor changes that can take place from buildworld to buildworld.

2) perform the make buildworld, reboot, make installworld, mergemaster, reboot.

3) boot with your kernel.generic, clean out /usr/obj, then make a new kernel.

if this still doesn't work for you, i would recommend cleaning out some of the directories which can chew up free disk space. for example, /usr/ports/distfiles/ and /usr/ports/*/work (see man portsclean - part of portinstall tools) and your /tmp (if you don't already have clear_tmp_enable="YES" set in your rc.conf).

i know that this isn't exactly a perfect solution, but i hope nevertheless that it helps you to achieve your end goal.

cheers,
epi

> TIA
> Scott
Re: bandwidth question
> Hi all
>
> Do you know if there is bandwidth software to support
> Gigabit Ethernet?

same place where it is to support fast ethernet.

> Thank you very much
Re: raw devices
On Sat, Jul 31, 2004 at 10:30:21PM +0200, Wojciech Puchar wrote:
>
> where are raw devices in FreeBSD? do they exist at all?

and on Sat, 31 Jul 2004 21:45:17 +0100, Matthew Seaman responded:
>
> Actually, all devices under FreeBSD are raw or character devices.
> Block devices on the other hand disappeared a long time ago. It's all
> to do with having an advanced VM system, apparently:
>
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/arch-handbook/driverbasics-block.html
>

I checked out the referenced page, which began with something like:

    13.5 Block Devices (Are Gone)

    Other UNIX systems may support a second type of disk device known as block devices. Block devices are disk devices for which the kernel provides caching. This caching makes block-devices almost unusable, or at least dangerously unreliable. The caching will reorder the sequence of write operations, depriving the application of the ability to know the exact disk contents at any one instant in time. This makes predictable and reliable crash ...

I knew that the block devices were gone and that the block device names now referred to character devices, but I had not examined the reasons for this or considered the consequences.

Perhaps this explains why old SCSI disks are such incredibly bad performers under modern FreeBSD. I had just assumed that the drivers for the old SCSI host adapters had been botched when rehacked for the new FreeBSD SCSI system and nobody cared because they were all using modern SCSI host adapters. The performance of my old SCSI hardware is so egregiously abysmally atrociously abominably inexcusably perversely bad that if I had to use it for my primary disk storage I would now be running Linux instead of FreeBSD. (Modern ATA disks seem to work quite well under FreeBSD if you can somehow manage to avoid ATA controller and cable misconfigurations that drive I/O rates way down.)

Does anyone know if there are online records of discussions of such issues?

Dan Strick
Re: [OT] Firewall Rule Set not allowing access to DNS servers?
On 2004-07-31 13:51, Steve Bertrand <[EMAIL PROTECTED]> wrote:
> > There are many ways in which your ruleset might break. Two of the most
> > important comments I wanted to make when I first saw the posts of this
> > thread are:
> >
> > a) Why do you use static rule numbers?
> >
> >    You'd only have to use static rule numbers if your ruleset
> >    had more than 65536/100 = 655 rules. This limit is
> >    relatively hard to hit in a SOHO installation (Small Office,
> >    Home Office). If you do reach such limits, there's
> >    definitely something weird going on with the way your ruleset
> >    is written ;-)
>
> Giorgos, I am interested in where I can get more information about
> this. Are you suggesting that IPFW reads the ruleset and formulates a
> rule number according to position in the script? (I always use custom
> scripts).

The description of `rule number' in the ipfw(8) manpage explains the way ipfw chooses rule numbers automatically:

    rule_number
        Each rule is associated with a rule_number in the range 1..65535,
        with the latter reserved for the default rule. [...]
        If a rule is entered without specifying a number, the kernel will
        assign one in such a way that the rule becomes the last one before
        the default rule. Automatic rule numbers are assigned by
        incrementing the last non-default rule number by the value of the
        sysctl variable net.inet.ip.fw.autoinc_step which defaults to 100.

This means that the largest number of rules you can add with unique numbers is 65534. The 65535 rule is the default firewall rule, either a deny rule or an allow if the kernel was compiled with the option IPFIREWALL_DEFAULT_TO_ACCEPT enabled. The autoincrement step is the number that is automatically added to rule numbers when you don't specify one.

For example, note the numbers that get assigned to the rules below:

    [EMAIL PROTECTED]:49]/root# kldload ipfw
    [EMAIL PROTECTED]:49]/root# ipfw -q flush
    [EMAIL PROTECTED]:49]/root# ipfw add pass ip from 127.0.0.1 to 127.0.0.1 via lo0
    00100 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
    [EMAIL PROTECTED]:49]/root# ipfw add deny ip from 127.0.0.1 to any
    00200 deny ip from 127.0.0.1 to any
    [EMAIL PROTECTED]:49]/root# ipfw add deny ip from any to 127.0.0.1
    00300 deny ip from any to 127.0.0.1
    [EMAIL PROTECTED]:49]/root# ipfw show
    00100 0 0 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
    00200 0 0 deny ip from 127.0.0.1 to any
    00300 0 0 deny ip from any to 127.0.0.1
    65535 0 0 deny ip from any to any
    [EMAIL PROTECTED]:49]/root# ipfw -q flush
    [EMAIL PROTECTED]:49]/root# kldunload ipfw
    [EMAIL PROTECTED]:49]/root#

> If this is true, how does this ``dynamic'' feature get affected when
> one houses multiple rule _sets_?

If you have multiple sets of rules that you load at random times, and the rulesets do not explicitly specify a starting rule number they'll be ``stacked on top of each other'' as shown below:

    [EMAIL PROTECTED]:56]/root# ls -l ruleset*
    -rw-r--r-- 1 root wheel - 117 Aug 1 01:54 ruleset-lo0
    -rw-r--r-- 1 root wheel -  61 Aug 1 01:55 ruleset-misc
    -rw-r--r-- 1 root wheel - 161 Aug 1 01:56 ruleset-tcp
    [EMAIL PROTECTED]:56]/root# cat ruleset-lo0
    add allow ip from 127.0.0.1 to 127.0.0.1 via lo0
    add deny ip from 127.0.0.1 to any
    add deny ip from any to 127.0.0.1
    [EMAIL PROTECTED]:56]/root# cat ruleset-misc
    add allow udp from any to any
    add allow icmp from any to any
    [EMAIL PROTECTED]:56]/root# cat ruleset-tcp
    add check-state
    add deny tcp from any to any established
    add allow tcp from any to any out setup keep-state
    add allow tcp from any to any 22 in setup keep-state
    [EMAIL PROTECTED]:56]/root# kldload ipfw
    [EMAIL PROTECTED]:57]/root# ipfw -q flush
    [EMAIL PROTECTED]:57]/root# ipfw show
    65535 0 0 deny ip from any to any
    [EMAIL PROTECTED]:57]/root# ipfw /root/ruleset-lo0
    00100 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
    00200 deny ip from 127.0.0.1 to any
    00300 deny ip from any to 127.0.0.1
    [EMAIL PROTECTED]:57]/root# ipfw /root/ruleset-misc
    * 00400 allow udp from any to any
    00500 allow icmp from any to any
    [EMAIL PROTECTED]:57]/root# ipfw /root/ruleset-tcp
    * 00600 check-state
    00700 deny tcp from any to any established
    00800 allow tcp from any to any out setup keep-state
    00900 allow tcp from any to any dst-port 22 in setup keep-state
    [EMAIL PROTECTED]:57]/root# ipfw show
    00100 0 0 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
    00200 0 0 deny ip from 127.0.0.1 to any
    00300 0 0 deny ip from any to 127.0.0.1
    00400 0 0 allow udp from any to any
    00500 0 0 allow icmp from any to any
    00600 0 0 check-state
    00700 0 0 deny tcp from any to any established
    00800 0 0 allow tcp from any to any out setup keep-state
    00900 0 0 allow tcp from any
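The numbering behaviour Giorgos demonstrates above can be reproduced offline. The following is an added example, not code from the post or from FreeBSD: it models the ipfw(8) text he quotes (unnumbered rule gets last non-default number plus net.inet.ip.fw.autoinc_step, default rule 65535, files stack on top of each other) and runs it over constructed copies of his three rule files. How the kernel behaves once the numbers run out is not taken from the page, so the simulation simply reports that case as an error (an assumption).

```python
"""Simulate ipfw(8) automatic rule numbering.

Added example; not code from the original post or from FreeBSD. It models the
ipfw(8) manpage text quoted above: a rule added without a number gets the last
non-default rule number plus net.inet.ip.fw.autoinc_step (default 100), rule
65535 is the default rule, and rule files loaded one after another stack on
top of each other. Running out of numbers is reported as an error here; the
kernel's exact fallback in that case is not modelled (assumption).
"""

DEFAULT_RULE = 65535      # reserved for the default rule
MAX_USER_RULE = 65534     # largest number a user rule may carry


class RuleSpaceExhausted(Exception):
    """The next automatic number would reach the default rule."""


def parse_rule_file(text):
    """Yield (explicit_number_or_None, rule_body) for each rule in a file.

    Blank lines and '#' comments are skipped; a leading 'add' is optional.
    """
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "add":
            words = words[1:]
        number = None
        if words and words[0].isdigit():
            number, words = int(words[0]), words[1:]
        yield number, " ".join(words)


def load_rulesets(rule_files, autoinc_step=100, existing=()):
    """Load rule files in order; return [(number, body), ...] as 'ipfw show' would list them.

    `existing` holds (number, body) pairs already in the kernel, so the caller
    can see how a later load stacks on top of an earlier one.
    """
    table = [r for r in existing if r[0] != DEFAULT_RULE]
    for text in rule_files:
        for number, body in parse_rule_file(text):
            if number is None:
                last = max((n for n, _ in table), default=0)
                number = last + autoinc_step
                if number > MAX_USER_RULE:
                    raise RuleSpaceExhausted(f"{body!r} would need rule number {number}")
            table.append((number, body))
    table.append((DEFAULT_RULE, "deny ip from any to any"))
    return sorted(table, key=lambda r: r[0])   # stable: equal numbers keep load order


def fits(rule_count, autoinc_step=100):
    """True if rule_count unnumbered rules can be loaded at this step."""
    try:
        load_rulesets(["add allow ip from any to any\n" * rule_count], autoinc_step)
        return True
    except RuleSpaceExhausted:
        return False


# Constructed sample files, modelled on ruleset-lo0 / ruleset-misc / ruleset-tcp above.
RULESET_LO0 = """\
add allow ip from 127.0.0.1 to 127.0.0.1 via lo0
add deny ip from 127.0.0.1 to any
add deny ip from any to 127.0.0.1
"""
RULESET_MISC = """\
add allow udp from any to any
add allow icmp from any to any
"""
RULESET_TCP = """\
add check-state
add deny tcp from any to any established
add allow tcp from any to any out setup keep-state
add allow tcp from any to any 22 in setup keep-state
"""


def stacked_numbers():
    """Rule numbers assigned when the three files are loaded one after another."""
    return [n for n, _ in load_rulesets([RULESET_LO0, RULESET_MISC, RULESET_TCP])]


if __name__ == "__main__":
    for number, body in load_rulesets([RULESET_LO0, RULESET_MISC, RULESET_TCP]):
        print(f"{number:05d} {body}")
```

With the default step of 100 the model agrees with the figure quoted earlier in the thread: 655 unnumbered rules fit below the default rule and the 656th does not, which is the only situation in which a SOHO ruleset would need hand-assigned numbers for that reason.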
Re: Firewall Rule Set not allowing access to DNS servers?
[-- Message reformatted to fix Outlook format --]

On 2004-07-31 14:17, JJB <[EMAIL PROTECTED]> wrote:
> Giorgos Keramidas wrote on July 31, 2004 1:36 PM
>> On 2004-07-31 12:08, "James A. Coulter" <[EMAIL PROTECTED]> wrote:
>>> My LAN is configured with static IP addresses, 192.168.1.x.
>>>
>>> I have no problems communicating within the LAN.
>>>
>>> I have full connectivity with the internet from every machine on
>>> my LAN when the firewall is open.
>>>
>>> When I use the rule set in question, I can ping and send mail but
>>> I cannot access the DNS servers listed in resolv.conf.
>>
>> There are many ways in which your ruleset might break. Two of the
>> most important comments I wanted to make when I first saw the posts
>> of this thread are: [...]
>>
>> b) Why do you use so many rules that 'filter' outgoing traffic?
>>
>>    I saw smtp, pop3, time, http, https and many others. You
>>    don't need to explicitly allow outgoing connections unless
>>    the users in the internal LAN are not to be trusted at all
>>    and even then IPFW is most of the time not the right way to
>>    do it.
>
> If you had read the start of the thread you would have read the new
> handbook firewall section rewrite which explains in detail why there
> are rules to control access to the public internet from LAN users.

I've read a very detailed guide that you wrote, linked by one of your posts and available online at:

    http://freebsd.a1poweruser.com:6088/FBSD_firewall/

This guide contains a great deal of useful information and it would be cool if it was somehow incorporated into the Handbook. It's not yet, but I like most of the text so I hope it gets converted to SGML and added to the Handbook either in parts or as a whole.

If by "... which explains in detail why..." you refer to this particular quote from that document, I'm not sure that it is always a good idea but that's my own opinion:

    "The Outbound section in the following rule set only contains `pass' rules which contain selection values that uniquely identify the service that is authorized for public internet access."

In a corporate environment, where access to the Internet has to be limited and/or controlled in a more or less strict manner, it looks like a great idea. At home, where a couple of machines share a single Internet connection through a dialup or DSL line, this might be a bit too limiting ;-)

- Giorgos
bandwidth question
Hi all

Do you know if there is bandwidth software to support Gigabit Ethernet?

Thank you very much
Re: backspace and delete keys behavior
On 2004-07-31 18:43, Mark Ovens <[EMAIL PROTECTED]> wrote:
> Ion-Mihai Tetcu wrote:
>> On Fri, 30 Jul 2004 14:30:59 +0100 Mark Ovens <[EMAIL PROTECTED]> wrote:
>>> To implement this in a running X session type this in an xterm
>>>
>>>     xmodmap -e "keysym Delete = 0x04"
>>>
>>> Actually, this is probably a better solution for the OP as it is
>>> global whereas my previous suggestion is xterm specific.
>>
>> The only problem is that if you keep the delete key pressed too long
>> it exits the terminal. At least when xmodmap typed under kde's
>> konsole; it acts this way both for konsole and xterm.
>
> Only if the cursor is in the first character position after the prompt
> of course. Not sure what the solution is since Ctrl-D is delete char to
> the right of the cursor and EOT, which exits the shell.

There's always some sort of option to ignore EOFs in interactive mode, like IGNOREEOF=10 in GNU bash, `set ignoreeof=10' in tcsh, or `set -I' in FreeBSD's sh(1). Setting this might avoid unexpected shell termination by hitting DEL :)
Re: raw devices
On Sat, Jul 31, 2004 at 10:30:21PM +0200, Wojciech Puchar wrote:
> where are raw devices in FreeBSD? do they exist at all?

Actually, all devices under FreeBSD are raw or character devices. Block devices on the other hand disappeared a long time ago. It's all to do with having an advanced VM system, apparently:

    http://www.freebsd.org/doc/en_US.ISO8859-1/books/arch-handbook/driverbasics-block.html

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
26 The Paddocks, Savill Way, Marlow, Bucks., SL7 1TH UK
PGP: http://www.infracaninophile.co.uk/pgpkey
Tel: +44 1628 476614
Re: where can I get ISO IMAGE OF newest FREEBSD ?
On Sat, Jul 31, 2004 at 10:15:47PM +0200, [EMAIL PROTECTED] wrote:
> where can I get ISO IMAGE OF newest FREEBSD ?

http://mirrorlist.freebsd.org/FBSDsites.php

Cheers,

Matthew
raw devices
where are raw devices in FreeBSD? do they exist at all?
allowing cdrecord non-root
how can i allow a given group to be able to write cd's?

in NetBSD doing (assuming group name cdrw)

    chgrp cdrw /dev/rcd0* /dev/cd0*
    chmod 660 /dev/rcd0* /dev/cd0*

in FreeBSD doing this for /dev/cd0 and /dev/acd0 doesn't work. tried to do the same with /dev/xpt0 - doesn't work either.

is it possible at all?
where can I get ISO IMAGE OF newest FREEBSD ?
where can I get ISO IMAGE OF newest FREEBSD ?
RE: Firewall Rule Set not allowing access to DNS servers?
If you had read the start of the thread you would have read the new handbook firewall section rewrite which explains in detail why there are rules to control access to the public internet from LAN users.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Giorgos Keramidas
Sent: Saturday, July 31, 2004 1:36 PM
To: James A. Coulter
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Firewall Rule Set not allowing access to DNS servers?

On 2004-07-31 12:08, "James A. Coulter" <[EMAIL PROTECTED]> wrote:
> My LAN is configured with static IP addresses, 192.168.1.x.
>
> I have no problems communicating within the LAN.
>
> I have full connectivity with the internet from every machine on my LAN when
> the firewall is open.
>
> When I use the rule set in question, I can ping and send mail but I cannot
> access the DNS servers listed in resolv.conf.

There are many ways in which your ruleset might break. Two of the most important comments I wanted to make when I first saw the posts of this thread are:

a) Why do you use static rule numbers?

   You'd only have to use static rule numbers if your ruleset had more than 65536/100 = 655 rules. This limit is relatively hard to hit in a SOHO installation (Small Office, Home Office). If you do reach such limits, there's definitely something weird going on with the way your ruleset is written ;-)

b) Why do you use so many rules that 'filter' outgoing traffic?

   I saw smtp, pop3, time, http, https and many others. You don't need to explicitly allow outgoing connections unless the users in the internal LAN are not to be trusted at all and even then IPFW is most of the time not the right way to do it.

I'd probably just use something of this form in the /etc/ipfw.rules file and let rc.firewall find it by setting firewall_type="/etc/ipfw.rules" in my rc.conf file:

    # First clean up all the rules of ipfw.
    flush

    # Packets should be passed to natd *before* any other rule as
    # mentioned in the natd(8) manpage, unlike your current script.
    add divert natd all from any to any via dc1

    # Allow only lo0 interface to use the 127.0.0.1 address.
    add allow ip from 127.0.0.1 to 127.0.0.1 via lo0
    add deny ip from 127.0.0.1 to any
    add deny ip from any to 127.0.0.1

    # Add only the dc0 interface to receive or send packets in the
    # 192.168.0.0/16 address range.
    add allow ip from 192.168.0.0/16 to 192.168.0.0/16 via dc0
    add deny ip from 192.168.0.0/16 to any
    add deny ip from any to 192.168.0.0/16

    # Block packets with addresses that are used in private networks
    # and should not appear in any of our interfaces below this point.
    add deny ip from 10.0.0.0/8 to any
    add deny ip from any to 10.0.0.0/8
    add deny ip from 172.16.0.0/12 to any
    add deny ip from any to 172.16.0.0/12

    # Allow DNS and NTP through.
    add allow udp from any to any 53,123 keep-state out

    # Pass all ICMP messages through. They're rate limited by the
    # kernel if sysctl net.inet.icmp.icmplim is enabled, so this is
    # not very unsafe to do.
    add allow icmp from any to any

    #
    # Stateful tcp filtering.
    #
    add check-state
    add deny tcp from any to any established

    # All outgoing and incoming connections are allowed in dc0 (private iface).
    # Only outgoing connections are allowed on dc1 (external iface).
    add allow tcp from any to any keep-state out xmit dc0 setup
    add allow tcp from any to any keep-state in recv dc0 setup
    add allow tcp from any to any keep-state out xmit dc1 setup

    # Only selected services are allowed to pass through external iface.
    add allow tcp from any to any 22 keep-state in recv dc1 setup
    add allow tcp from any to any 113 keep-state in recv dc1 setup

    # The default firewall policy.
    add deny log logamount 0 ip from any to any

No inline numbers, a simpler layout and a logic that you can hopefully extend at the second from last paragraph to allow more services through your external interface (the `in recv dc1 setup' rules).

Note that I haven't tested this, so it might contain syntax errors because it's based on the ruleset I'm using at home but it also includes some modifications. Instead of untangling the ruleset you're now trying to use which seemed unnecessarily complex to me, I'm posting this just in case it's useful but it's up to you to bring it to shape for your setup if it doesn't "Just Work(TM)" when you load it.

- Giorgos
RE: Firewall Rule Set not allowing access to DNS servers?
Rule numbers have to be hard coded in this ipfw rule set because of the skipto rule. How else can you identify the skipto target rule if you allow ipfw to auto-assign rule numbers?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Bertrand
Sent: Saturday, July 31, 2004 2:03 PM
To: James A. Coulter
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: Firewall Rule Set not allowing access to DNS servers?

> My LAN is configured with static IP addresses, 192.168.1.x.
>
> I have no problems communicating within the LAN.
>
> I have full connectivity with the internet from every machine on my
> LAN when the firewall is open.
>
> When I use the rule set in question, I can ping and send mail but I
> cannot access the DNS servers listed in resolv.conf.
>
> These are the same DNS servers placed in resolv.conf when the firewall
> is open.
>
> I'm sorry, but I never said dc1 was my inside nic.
>
> Again, I appreciate any help with this. The files you requested
> follow.

Must admit, I'm in a hurry to leave for the day, so I haven't read the ruleset etc, but what happens if you use the following entries, just after the divert rule?:

    ...allow udp from any to any 53 keep-state
    ...allow udp from any 53 to any keep-state
    ...allow tcp from any to any 53 keep-state

Steve

>
> Here's my ifconfig -a:
>
> sara# ifconfig -a
> dc0: flags=8843 mtu 1500
>         inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.255
>         inet6 fe80::204:5aff:fe76:55f0%dc0 prefixlen 64 scopeid 0x1
>         ether 00:04:5a:76:55:f0
>         media: Ethernet autoselect (100baseTX )
>         status: active
> dc1: flags=8843 mtu 1500
>         inet6 fe80::2a0:ccff:fe33:e1f6%dc1 prefixlen 64 scopeid 0x2
>         inet 68.105.58.150 netmask 0xfe00 broadcast 68.105.59.255
>         ether 00:a0:cc:33:e1:f6
>         media: Ethernet autoselect (100baseTX )
>         status: active
> lp0: flags=8810 mtu 1500
> lo0: flags=8049 mtu 16384
>         inet6 ::1 prefixlen 128
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
>         inet 127.0.0.1 netmask 0xff00
> ppp0: flags=8010 mtu 1500
> sl0: flags=c010 mtu 552
> faith0: flags=8002 mtu 1500
>
> Here's resolv.conf:
>
> sara# more /etc/resolv.conf
> search pn.at.cox.net
> nameserver 68.105.161.20
> nameserver 68.1.18.25
> nameserver 68.10.16.30
>
> Here's the entire rule set I'm trying to use.
>
> I did follow the comments.
>
> Please note the variable pif is set to dc1, my outside nic.
>
> Start of IPFW rules file
> ###
> # Flush out the list before we begin.
> ipfw -q -f flush
> # Set rules command prefix
> cmd="ipfw -q add"
> skip="skipto 800"
> pif="dc1"     # public interface name of Nic card
>               # facing the public internet
>
> #
> # No restrictions on Inside Lan Interface for private network
> # Change xl0 to your Lan Nic card interface name
> #
> $cmd 005 allow all from any to any via dc0
>
> #
> # No restrictions on Loopback Interface
> #
> $cmd 010 allow all from any to any via lo0
>
> #
> # check if packet is inbound and nat address if it is
> #
> $cmd 014 divert natd ip from any to any in via $pif
>
> #
> # Allow the packet through if it has previously been added to
> # the "dynamic" rules table by an allow keep-state statement.
> #
> $cmd 015 check-state
>
> #
> # Interface facing Public internet (Outbound Section)
> # Interrogate session start requests originating from behind the
> # firewall on the private network or from this gateway server
> # destined for the public internet.
> #
>
> # Allow out access to my ISP's Domain name server.
> # x.x.x.x must be the IP address of your ISP's DNS
> # Dup these lines if your ISP has more than one DNS server
> # Get the IP addresses from /etc/resolv.conf file
> $cmd 020 $skip UDP from any to 68.105.161.20 53 out via $pif setup keep-state
> $cmd 021 $skip UDP from any to 68.1.18.25 53 out via $pif setup keep-state
> $cmd 022 $skip UDP from any to 68.10.16.30 53 out via $pif setup keep-state
>
> # Allow out access to my ISP's DHCP server for cable/DSL configurations.
> $cmd 030 $skip udp from any to 172.19.17.22 67 out via $pif keep-state
>
> # Allow out non-secure standard www function
> $cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state
>
> # Allow out secure www fu
RE: Firewall Rule Set not allowing access to DNS servers?
Look back at the ipfw sample rule set and you will see that there is both udp and tcp protocol access to DNS. Also note that udp does not use the setup keyword.

    # Allow out access to my ISP's Domain name server.
    # x.x.x.x must be the IP address of your ISP's DNS
    # Dup these lines if your ISP has more than one DNS server
    # Get the IP addresses from /etc/resolv.conf file
    $cmd 00110 allow tcp from any to x.x.x.x 53 out via $pif setup keep-state
    $cmd 00111 allow udp from any to x.x.x.x 53 out via $pif keep-state

Your DNS rules are

    # Allow out access to my ISP's Domain name server.
    # x.x.x.x must be the IP address of your ISP's DNS
    # Dup these lines if your ISP has more than one DNS server
    # Get the IP addresses from /etc/resolv.conf file
    $cmd 020 $skip UDP from any to 68.105.161.20 53 out via $pif setup keep-state
    $cmd 021 $skip UDP from any to 68.1.18.25 53 out via $pif setup keep-state
    $cmd 022 $skip UDP from any to 68.10.16.30 53 out via $pif setup keep-state

As you can see you have no tcp protocol statements. Your udp rules use the setup keyword which is only for tcp rules, so your udp packets never match this rule and default to getting blocked, which is why you get log error messages and you cannot access the public internet.

Also if you look closely at the first 4 ipfw log messages you will see the first message is about ip address 193.0.14.129 which is the primary dns server pointed to by the url search pn.at.cox.net in /etc/resolv.conf

Change your DNS rules to look like this

    # Allow out access to my ISP's Domain name server.
    # x.x.x.x must be the IP address of your ISP's DNS
    # Dup these lines if your ISP has more than one DNS server
    # Get the IP addresses from /etc/resolv.conf file
    $cmd 020 $skip udp from any to 193.0.14.129 53 out via $pif keep-state
    $cmd 021 $skip udp from any to 68.1.18.25 53 out via $pif keep-state
    $cmd 022 $skip udp from any to 68.10.16.30 53 out via $pif keep-state
    $cmd 023 $skip udp from any to 68.105.161.20 53 out via $pif keep-state
    $cmd 024 $skip tcp from any to 193.0.14.129 53 out via $pif setup keep-state
    $cmd 025 $skip tcp from any to 68.1.18.25 53 out via $pif setup keep-state
    $cmd 026 $skip tcp from any to 68.10.16.30 53 out via $pif setup keep-state
    $cmd 027 $skip tcp from any to 68.105.161.20 53 out via $pif setup keep-state

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James A. Coulter
Sent: Saturday, July 31, 2004 1:09 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: Firewall Rule Set not allowing access to DNS servers?

My LAN is configured with static IP addresses, 192.168.1.x.

I have no problems communicating within the LAN.

I have full connectivity with the internet from every machine on my LAN when the firewall is open.

When I use the rule set in question, I can ping and send mail but I cannot access the DNS servers listed in resolv.conf.

These are the same DNS servers placed in resolv.conf when the firewall is open.

I'm sorry, but I never said dc1 was my inside nic.

Again, I appreciate any help with this. The files you requested follow.

Here's my ifconfig -a:

    sara# ifconfig -a
    dc0: flags=8843 mtu 1500
            inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.255
            inet6 fe80::204:5aff:fe76:55f0%dc0 prefixlen 64 scopeid 0x1
            ether 00:04:5a:76:55:f0
            media: Ethernet autoselect (100baseTX )
            status: active
    dc1: flags=8843 mtu 1500
            inet6 fe80::2a0:ccff:fe33:e1f6%dc1 prefixlen 64 scopeid 0x2
            inet 68.105.58.150 netmask 0xfe00 broadcast 68.105.59.255
            ether 00:a0:cc:33:e1:f6
            media: Ethernet autoselect (100baseTX )
            status: active
    lp0: flags=8810 mtu 1500
    lo0: flags=8049 mtu 16384
            inet6 ::1 prefixlen 128
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
            inet 127.0.0.1 netmask 0xff00
    ppp0: flags=8010 mtu 1500
    sl0: flags=c010 mtu 552
    faith0: flags=8002 mtu 1500

Here's resolv.conf:

    sara# more /etc/resolv.conf
    search pn.at.cox.net
    nameserver 68.105.161.20
    nameserver 68.1.18.25
    nameserver 68.10.16.30

Here's the entire rule set I'm trying to use.

I did follow the comments.

Please note the variable pif is set to dc1, my outside nic.

    Start of IPFW rules file
    ###
    # Flush out the list before we begin.
    ipfw -q -f flush
    # Set rules command prefix
    cmd="ipfw -q add"
    skip="skipto 800"
    pif="dc1"     # public interface name of Nic card
                  # facing the public internet

    #
    # No restrictions on Inside Lan Interface for private network
    # Change xl0 to your Lan Nic card interface name
    #
    $cmd 005 allow all from any to any via dc0

    #
    # No restrictions on Loopback Interface
    #
    $cmd 010 allow all from any to any via lo0

    #
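The mistake JJB points out above (udp rules carrying the tcp-only `setup` keyword, and no tcp rules for port 53 at all) is easy to catch mechanically before a ruleset is loaded, and the same pass can check the ordering point Giorgos raised earlier in the thread about natd. The following is an added example, not code from this thread or from the FreeBSD Handbook: a small linter that reads a `$cmd`/`$skip`/`$pif` style script like James's, expands the variables, and reports `setup` on non-TCP rules, nameservers from resolv.conf that lack either a udp or a tcp port-53 rule, and rules matching the public interface ahead of the `divert natd` rule. It treats `skipto` as permitting traffic and matches ports only as comma-separated numbers; both are simplifying assumptions, and all sample input is constructed from the values posted above.

```python
"""Lint an ipfw rule script for the DNS problems discussed in this thread.

Added example; not code from the thread or from the FreeBSD Handbook. Reads a
shell-style script ($cmd / $skip / $pif variables), expands the variables and
checks: 'setup' on a non-TCP rule (can never match), a UDP and a TCP port-53
rule for every nameserver in resolv.conf, and no rule matching the public
interface before 'divert natd'. Assumptions: 'skipto' counts as permitting,
ports are matched as comma-separated numbers only. Sample input is constructed.
"""
import re
from dataclasses import dataclass, field

PORT_RE = re.compile(r"^\d[\d,-]*$")
VAR_RE = re.compile(r'^(\w+)="?([^"]*)"?$')
PERMIT_ACTIONS = {"allow", "pass", "permit", "accept", "skipto"}


@dataclass
class Rule:
    number: int
    action: str
    proto: str = None
    dst: str = None
    dst_port: str = None
    options: list = field(default_factory=list)


def parse_rule(t):
    """Tokens after 'add': [number] action [arg] proto from src [port] to dst [port] options."""
    i, number = 0, None
    if t[i].isdigit():
        number, i = int(t[i]), i + 1
    action, i = t[i], i + 1
    if action in ("skipto", "divert"):      # both take one argument
        i += 1
    if action == "check-state":
        return Rule(number, action)
    proto = t[i].lower()
    i = t.index("to", i) + 1                # skip 'from <src> [port]'
    dst, i = t[i], i + 1
    dst_port = None
    if i < len(t) and PORT_RE.match(t[i]):
        dst_port, i = t[i], i + 1
    return Rule(number, action, proto, dst, dst_port, t[i:])


def parse_script(text):
    """Expand $variables in the script and return its rules in order."""
    variables, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("ipfw "):   # blank, comment, or the flush line
            continue
        m = VAR_RE.match(line)
        if m:
            variables[m.group(1)] = m.group(2).strip()
            continue
        tokens = re.sub(r"\$(\w+)", lambda v: variables.get(v.group(1), v.group(0)), line).split()
        if "add" in tokens:
            rules.append(parse_rule(tokens[tokens.index("add") + 1:]))
    return rules


def nameservers(resolv_conf):
    return [ln.split()[1] for ln in resolv_conf.splitlines() if ln.strip().startswith("nameserver")]


def permits_dns(r, ns, proto):
    """Does rule r let outbound port-53 traffic of this protocol reach ns?"""
    if r.action not in PERMIT_ACTIONS or r.proto not in (proto, "ip", "all"):
        return False
    if r.dst not in ("any", ns) or r.dst_port is None or "53" not in r.dst_port.split(","):
        return False
    return not (proto == "udp" and "setup" in r.options)   # udp + setup never matches


def lint(rules, servers, public_if):
    findings, divert_seen = [], False
    for r in rules:
        if r.action == "divert":
            divert_seen = True
            continue
        if not divert_seen and public_if in r.options:
            findings.append(f"rule {r.number}: matches {public_if} before the divert natd rule")
        if "setup" in r.options and r.proto != "tcp":
            findings.append(f"rule {r.number}: 'setup' is TCP-only, this {r.proto} rule never matches")
    for ns in servers:
        for proto in ("udp", "tcp"):
            if not any(permits_dns(r, ns, proto) for r in rules):
                findings.append(f"no {proto} rule permits outbound DNS to {ns}")
    return findings


def lint_script(script, resolv_conf, public_if="dc1"):
    return lint(parse_script(script), nameservers(resolv_conf), public_if)


# Constructed sample input, modelled on the script and resolv.conf posted above.
RESOLV_CONF = "search pn.at.cox.net\nnameserver 68.105.161.20\nnameserver 68.1.18.25\nnameserver 68.10.16.30\n"
HEADER = """\
ipfw -q -f flush
cmd="ipfw -q add"
skip="skipto 800"
pif="dc1"   # public interface name
$cmd 005 allow all from any to any via dc0
$cmd 010 allow all from any to any via lo0
$cmd 014 divert natd ip from any to any in via $pif
$cmd 015 check-state
"""
BROKEN_SCRIPT = HEADER + """\
$cmd 020 $skip UDP from any to 68.105.161.20 53 out via $pif setup keep-state
$cmd 021 $skip UDP from any to 68.1.18.25 53 out via $pif setup keep-state
$cmd 022 $skip UDP from any to 68.10.16.30 53 out via $pif setup keep-state
$cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state
"""
FIXED_SCRIPT = HEADER + """\
$cmd 020 $skip udp from any to 68.105.161.20 53 out via $pif keep-state
$cmd 021 $skip udp from any to 68.1.18.25 53 out via $pif keep-state
$cmd 022 $skip udp from any to 68.10.16.30 53 out via $pif keep-state
$cmd 023 $skip tcp from any to 68.105.161.20 53 out via $pif setup keep-state
$cmd 024 $skip tcp from any to 68.1.18.25 53 out via $pif setup keep-state
$cmd 025 $skip tcp from any to 68.10.16.30 53 out via $pif setup keep-state
"""

if __name__ == "__main__":
    for finding in lint_script(BROKEN_SCRIPT, RESOLV_CONF):
        print(finding)
```

Run against the constructed copy of James's rules the linter reports the three `setup` misuses and, for each of the three nameservers, the missing udp and tcp permits; against the corrected rules it reports nothing. Checking the script this way is cheaper than discovering the problem from the deny log on a live gateway.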
RE: Firewall Rule Set not allowing access to DNS servers?
> My LAN is configured with static IP addresses, 192.168.1.x.
>
> I have no problems communicating within the LAN.
>
> I have full connectivity with the internet from every machine on my
> LAN when the firewall is open.
>
> When I use the rule set in question, I can ping and send mail but I
> cannot access the DNS servers listed in resolv.conf.
>
> These are the same DNS servers placed in resolv.conf when the firewall
> is open.
>
> I'm sorry, but I never said dc1 was my inside nic.
>
> Again, I appreciate any help with this. The files you requested
> follow.

Must admit, I'm in a hurry to leave for the day, so I haven't read the ruleset etc, but what happens if you use the following entries, just after the divert rule?:

    ...allow udp from any to any 53 keep-state
    ...allow udp from any 53 to any keep-state
    ...allow tcp from any to any 53 keep-state

Steve

>
> Here's my ifconfig -a:
>
> sara# ifconfig -a
> dc0: flags=8843 mtu 1500
>         inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.255
>         inet6 fe80::204:5aff:fe76:55f0%dc0 prefixlen 64 scopeid 0x1
>         ether 00:04:5a:76:55:f0
>         media: Ethernet autoselect (100baseTX )
>         status: active
> dc1: flags=8843 mtu 1500
>         inet6 fe80::2a0:ccff:fe33:e1f6%dc1 prefixlen 64 scopeid 0x2
>         inet 68.105.58.150 netmask 0xfe00 broadcast 68.105.59.255
>         ether 00:a0:cc:33:e1:f6
>         media: Ethernet autoselect (100baseTX )
>         status: active
> lp0: flags=8810 mtu 1500
> lo0: flags=8049 mtu 16384
>         inet6 ::1 prefixlen 128
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
>         inet 127.0.0.1 netmask 0xff00
> ppp0: flags=8010 mtu 1500
> sl0: flags=c010 mtu 552
> faith0: flags=8002 mtu 1500
>
> Here's resolv.conf:
>
> sara# more /etc/resolv.conf
> search pn.at.cox.net
> nameserver 68.105.161.20
> nameserver 68.1.18.25
> nameserver 68.10.16.30
>
> Here's the entire rule set I'm trying to use.
>
> I did follow the comments.
>
> Please note the variable pif is set to dc1, my outside nic.
>
> Start of IPFW rules file
> ###
> # Flush out the list before we begin.
> ipfw -q -f flush
> # Set rules command prefix
> cmd="ipfw -q add"
> skip="skipto 800"
> pif="dc1"     # public interface name of Nic card
>               # facing the public internet
>
> #
> # No restrictions on Inside Lan Interface for private network
> # Change xl0 to your Lan Nic card interface name
> #
> $cmd 005 allow all from any to any via dc0
>
> #
> # No restrictions on Loopback Interface
> #
> $cmd 010 allow all from any to any via lo0
>
> #
> # check if packet is inbound and nat address if it is
> #
> $cmd 014 divert natd ip from any to any in via $pif
>
> #
> # Allow the packet through if it has previously been added to
> # the "dynamic" rules table by an allow keep-state statement.
> #
> $cmd 015 check-state
>
> #
> # Interface facing Public internet (Outbound Section)
> # Interrogate session start requests originating from behind the
> # firewall on the private network or from this gateway server
> # destined for the public internet.
> #
>
> # Allow out access to my ISP's Domain name server.
> # x.x.x.x must be the IP address of your ISP's DNS
> # Dup these lines if your ISP has more than one DNS server
> # Get the IP addresses from /etc/resolv.conf file
> $cmd 020 $skip UDP from any to 68.105.161.20 53 out via $pif setup keep-state
> $cmd 021 $skip UDP from any to 68.1.18.25 53 out via $pif setup keep-state
> $cmd 022 $skip UDP from any to 68.10.16.30 53 out via $pif setup keep-state
>
> # Allow out access to my ISP's DHCP server for cable/DSL configurations.
> $cmd 030 $skip udp from any to 172.19.17.22 67 out via $pif keep-state
>
> # Allow out non-secure standard www function
> $cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state
>
> # Allow out secure www function https over TLS SSL
> $cmd 050 $skip tcp from any to any 443 out via $pif setup keep-state
>
> # Allow out send & get email function
> $cmd 060 $skip tcp from any to any 25 out via $pif setup keep-state
> $cmd 061 $skip tcp from any to any 110 out via $pif setup keep-state
>
> # Allow out FBSD (make install & CVSUP) functions
> # Basically give user root "GOD" privileges.
> $cmd 070 $skip tcp from me to any out via $pif setup keep-state uid
Re: [OT] Firewall Rule Set not allowing access to DNS servers?
> There are many ways in which your ruleset might break. Two of the most
> important comments I wanted to make when I first saw the posts of this
> thread are:
>
> a) Why do you use static rule numbers?
>
>    You'd only have to use static rule numbers if your ruleset
>    had more than 65536/100 = 655 rules. This limit is
>    relatively hard to hit in a SOHO installation (Small Office,
>    Home Office). If you do reach such limits, there's
>    definitely something weird going on with the way your ruleset
>    is written ;-)

Giorgos, I am interested in where I can get more information about this.
Are you suggesting that IPFW reads the ruleset and formulates a rule number
according to position in the script? (I always use custom scripts). If this
is true, how does this ``dynamic'' feature get affected when one houses
multiple rule _sets_? Can you please provide any links to information that I
can gain valuable information on this? This would certainly make ruleset
creation much easier ;o)

Also, links to any information on how/what/why on the 16b/100 limit on the
dynamic rules, so I (we) can learn more about this? I must admit, I've never
even come within 1/15 of this number, but it is interesting. All my rules
have always been simply, allow, allow, allow, DENY.

Tks much,

Steve

> b) Why do you use so many rules that 'filter' outgoing traffic?
>
>    I saw smtp, pop3, time, http, https and many others. You
>    don't need to explicitly allow outgoing connections unless
>    the users in the internal LAN are not to be trusted at all
>    and even then IPFW is most of the time not the right way to
>    do it.
>
> I'd probably just use something of this form in the /etc/ipfw.rules file
> and let rc.firewall find it by setting firewall_type="/etc/ipfw.rules"
> in my rc.conf file:
>
> # First clean up all the rules of ipfw.
> flush
>
> # Packets should be passed to natd *before* any other rule as
> # mentioned in the natd(8) manpage, unlike your current script.
> add divert natd all from any to any via dc1
>
> # Allow only lo0 interface to use the 127.0.0.1 address.
> add allow ip from 127.0.0.1 to 127.0.0.1 via lo0
> add deny ip from 127.0.0.1 to any
> add deny ip from any to 127.0.0.1
>
> # Add only the dc0 interface to receive or send packets in the
> # 192.168.0.0/16 address range.
> add allow ip from 192.168.0.0/16 to 192.168.0.0/16 via dc0
> add deny ip from 192.168.0.0/16 to any
> add deny ip from any to 192.168.0.0/16
>
> # Block packets with addresses that are used in private networks
> # and should not appear in any of our interfaces below this point.
> add deny ip from 10.0.0.0/8 to any
> add deny ip from any to 10.0.0.0/8
> add deny ip from 172.16.0.0/12 to any
> add deny ip from any to 172.16.0.0/12
>
> # Allow DNS and NTP through.
> add allow udp from any to any 53,123 keep-state out
>
> # Pass all ICMP messages through. They're rate limited by the
> # kernel if sysctl net.inet.icmp.icmplim is enabled, so this is
> # not very unsafe to do.
> add allow icmp from any to any
>
> #
> # Stateful tcp filtering.
> #
>
> add check-state
> add deny tcp from any to any established
>
> # All outgoing and incoming connections are allowed in dc0 (private iface).
> # Only outgoing connections are allowed on dc1 (external iface).
> add allow tcp from any to any keep-state out xmit dc0 setup
> add allow tcp from any to any keep-state in recv dc0 setup
> add allow tcp from any to any keep-state out xmit dc1 setup
>
> # Only selected services are allowed to pass through external iface.
> add allow tcp from any to any 22 keep-state in recv dc1 setup
> add allow tcp from any to any 113 keep-state in recv dc1 setup
>
> # The default firewall policy.
> add deny log logamount 0 ip from any to any
>
> No inline numbers, a simpler layout and a logic that you can hopefully
> extend at the second from last paragraph to allow more services through
> your external interface (the `in recv dc1 setup' rules).
>
> Note that I haven't tested this, so it might contain syntax errors
> because it's based on the ruleset I'm using at home but it also includes
> some modifications. Instead of untangling the ruleset you're now trying
> to use which seemed unnecessarily complex to me, I'm posting this just
> in case it's useful but it's up to you to bring it to shape for your
> setup if it doesn't "Just Work(TM)" when you load it.
>
> - Giorgos
kernel: sk0: watchdog timeout
Hi:

I'm using 5.2.1, and today when I was transferring files between two
different FreeBSD boxes, the 5.2.1 machine's network hung with the
following messages to /var/log/messages:

Jul 31 10:07:42 belle kernel: sk0: watchdog timeout

FWIW, the network is built in to the ASUS P4P-800SE motherboard:

skc0: Yukon Gigabit Ethernet 10/100/1000Base-T Adapter
sk0: on skc0
sk0: Ethernet address: 00:0e:a6:96:8f:72
miibus0: on sk0
e1000phy0: on miibus0
e1000phy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseTX-FDX, auto

I'm not sure what these other interfaces besides sk0 are...

It turned out that running 'ipconfig sk0 down' and 'ipconfig sk0 up' brought
the network back to life.

Any ideas what may have happened? I'm trying to get an idea if it was a
hardware or software problem (or both).

-Clint
Re: backspace and delete keys behavior
Ion-Mihai Tetcu wrote:
> On Fri, 30 Jul 2004 14:30:59 +0100
> Mark Ovens <[EMAIL PROTECTED]> wrote:
>
>> Peter Ryan wrote:
>>> I've got the same thing on the 2 machines i am experimenting
>>> with. I am new and thought it was a standard feature :)
>>>
>>> I also defined a standard US 101 keyboard.
>>>
>>> Makes me think there is a setting or choice at installation that
>>> deals with this, rather than having to patch something.
>>
>> Add
>>
>> keysym Delete = 0x04
>>
>> to ~/.xmodmaprc and add
>>
>> xmodmap ~/.xmodmaprc
>>
>> to ~/.xinitrc
>>
>> To implement this in a running X session type this in an xterm
>>
>> xmodmap -e "keysym Delete = 0x04"
>>
>> Actually, this is probably a better solution for the OP as it is global
>> whereas my previous suggestion is xterm specific.
>
> The only problem is that if you keep the delete key pressed too long it
> exits the terminal. At least when xmodmap typed under kde's konsole; it
> acts this way both for konsole and xterm.

Only if the cursor is in the first character position after the prompt of
course. Not sure what the solution is since Ctrl-D is delete char to the
right of the cursor and EOT, which exits the shell.

Mark
Re: freebsd How do you restart rc.conf without rebooting
>> - Original Message -
>> From: "Dan" <[EMAIL PROTECTED]>
>> To: <[EMAIL PROTECTED]>
>> Sent: Friday, July 30, 2004 3:28 PM
>> Subject: freebsd How do you restart rc.conf without rebooting
>>
>>> How do you restart rc.conf without rebooting your machine.
>>>
>>> Dan
>>
>> /etc/netstart if I recall will reload and execute the settings within
>> rc.conf without rebooting.
>
> IIRC, /etc/netstart will reload the network only. I don't think it
> reloads everything in /etc/rc.conf.
>
> As a matter of fact, I just performed this command, and from what I
> can tell, it only reloaded the IP networking, and the fw rulesets. It
> did not HUP, or otherwise restart any of my daemons.

To add, I left work, got home, and found my default route did not get
reloaded properly after this ``test'' of the command. Don't know why yet,
all I do know is that I couldn't reach the box from home so I had to ssh
into another box on the same subnet, and add the default route back. All
of the IP's and IP aliases did load correctly, as did the IPFW firewall
rules, but the defaultrouter="x.x.x.x" statement did not take effect as it
would have after a reboot.

Steve

>> --
>> Micheal Patterson
>> TSG Network Administration
>> 405-917-0600
Re: Firewall Rule Set not allowing access to DNS servers?
On 2004-07-31 12:08, "James A. Coulter" <[EMAIL PROTECTED]> wrote:
> My LAN is configured with static IP addresses, 192.168.1.x.
>
> I have no problems communicating within the LAN.
>
> I have full connectivity with the internet from every machine on my LAN when
> the firewall is open.
>
> When I use the rule set in question, I can ping and send mail but I cannot
> access the DNS servers listed in resolv.conf.

There are many ways in which your ruleset might break. Two of the most
important comments I wanted to make when I first saw the posts of this
thread are:

a) Why do you use static rule numbers?

   You'd only have to use static rule numbers if your ruleset
   had more than 65536/100 = 655 rules. This limit is
   relatively hard to hit in a SOHO installation (Small Office,
   Home Office). If you do reach such limits, there's
   definitely something weird going on with the way your ruleset
   is written ;-)

b) Why do you use so many rules that 'filter' outgoing traffic?

   I saw smtp, pop3, time, http, https and many others. You
   don't need to explicitly allow outgoing connections unless
   the users in the internal LAN are not to be trusted at all
   and even then IPFW is most of the time not the right way to
   do it.

I'd probably just use something of this form in the /etc/ipfw.rules file
and let rc.firewall find it by setting firewall_type="/etc/ipfw.rules"
in my rc.conf file:

# First clean up all the rules of ipfw.
flush

# Packets should be passed to natd *before* any other rule as
# mentioned in the natd(8) manpage, unlike your current script.
add divert natd all from any to any via dc1

# Allow only lo0 interface to use the 127.0.0.1 address.
add allow ip from 127.0.0.1 to 127.0.0.1 via lo0
add deny ip from 127.0.0.1 to any
add deny ip from any to 127.0.0.1

# Add only the dc0 interface to receive or send packets in the
# 192.168.0.0/16 address range.
add allow ip from 192.168.0.0/16 to 192.168.0.0/16 via dc0
add deny ip from 192.168.0.0/16 to any
add deny ip from any to 192.168.0.0/16

# Block packets with addresses that are used in private networks
# and should not appear in any of our interfaces below this point.
add deny ip from 10.0.0.0/8 to any
add deny ip from any to 10.0.0.0/8
add deny ip from 172.16.0.0/12 to any
add deny ip from any to 172.16.0.0/12

# Allow DNS and NTP through.
add allow udp from any to any 53,123 keep-state out

# Pass all ICMP messages through. They're rate limited by the
# kernel if sysctl net.inet.icmp.icmplim is enabled, so this is
# not very unsafe to do.
add allow icmp from any to any

#
# Stateful tcp filtering.
#

add check-state
add deny tcp from any to any established

# All outgoing and incoming connections are allowed in dc0 (private iface).
# Only outgoing connections are allowed on dc1 (external iface).
add allow tcp from any to any keep-state out xmit dc0 setup
add allow tcp from any to any keep-state in recv dc0 setup
add allow tcp from any to any keep-state out xmit dc1 setup

# Only selected services are allowed to pass through external iface.
add allow tcp from any to any 22 keep-state in recv dc1 setup
add allow tcp from any to any 113 keep-state in recv dc1 setup

# The default firewall policy.
add deny log logamount 0 ip from any to any

No inline numbers, a simpler layout and a logic that you can hopefully
extend at the second from last paragraph to allow more services through
your external interface (the `in recv dc1 setup' rules).

Note that I haven't tested this, so it might contain syntax errors
because it's based on the ruleset I'm using at home but it also includes
some modifications. Instead of untangling the ruleset you're now trying
to use which seemed unnecessarily complex to me, I'm posting this just
in case it's useful but it's up to you to bring it to shape for your
setup if it doesn't "Just Work(TM)" when you load it.

- Giorgos
RE: Firewall Rule Set not allowing access to DNS servers?
My LAN is configured with static IP addresses, 192.168.1.x.

I have no problems communicating within the LAN.

I have full connectivity with the internet from every machine on my LAN when
the firewall is open.

When I use the rule set in question, I can ping and send mail but I cannot
access the DNS servers listed in resolv.conf.

These are the same DNS servers placed in resolv.conf when the firewall is
open.

I'm sorry, but I never said dc1 was my inside nic.

Again, I appreciate any help with this. The files you requested follow.

Here's my ifconfig -a:

sara# ifconfig -a
dc0: flags=8843 mtu 1500
        inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.255
        inet6 fe80::204:5aff:fe76:55f0%dc0 prefixlen 64 scopeid 0x1
        ether 00:04:5a:76:55:f0
        media: Ethernet autoselect (100baseTX )
        status: active
dc1: flags=8843 mtu 1500
        inet6 fe80::2a0:ccff:fe33:e1f6%dc1 prefixlen 64 scopeid 0x2
        inet 68.105.58.150 netmask 0xfe00 broadcast 68.105.59.255
        ether 00:a0:cc:33:e1:f6
        media: Ethernet autoselect (100baseTX )
        status: active
lp0: flags=8810 mtu 1500
lo0: flags=8049 mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff00
ppp0: flags=8010 mtu 1500
sl0: flags=c010 mtu 552
faith0: flags=8002 mtu 1500

Here's resolv.conf:

sara# more /etc/resolv.conf
search pn.at.cox.net
nameserver 68.105.161.20
nameserver 68.1.18.25
nameserver 68.10.16.30

Here's the entire rule set I'm trying to use.

I did follow the comments.

Please note the variable pif is set to dc1, my outside nic.

Start of IPFW rules file
###
# Flush out the list before we begin.
ipfw -q -f flush
# Set rules command prefix
cmd="ipfw -q add"
skip="skipto 800"
pif="dc1"     # public interface name of Nic card
              # facing the public internet

#
# No restrictions on Inside Lan Interface for private network
# Change xl0 to your Lan Nic card interface name
#
$cmd 005 allow all from any to any via dc0

#
# No restrictions on Loopback Interface
#
$cmd 010 allow all from any to any via lo0

#
# check if packet is inbound and nat address if it is
#
$cmd 014 divert natd ip from any to any in via $pif

#
# Allow the packet through if it has previously been added to
# the "dynamic" rules table by an allow keep-state statement.
#
$cmd 015 check-state

#
# Interface facing Public internet (Outbound Section)
# Interrogate session start requests originating from behind the
# firewall on the private network or from this gateway server
# destined for the public internet.
#

# Allow out access to my ISP's Domain name server.
# x.x.x.x must be the IP address of your ISP's DNS
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
$cmd 020 $skip UDP from any to 68.105.161.20 53 out via $pif setup keep-state
$cmd 021 $skip UDP from any to 68.1.18.25 53 out via $pif setup keep-state
$cmd 022 $skip UDP from any to 68.10.16.30 53 out via $pif setup keep-state

# Allow out access to my ISP's DHCP server for cable/DSL configurations.
$cmd 030 $skip udp from any to 172.19.17.22 67 out via $pif keep-state

# Allow out non-secure standard www function
$cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state

# Allow out secure www function https over TLS SSL
$cmd 050 $skip tcp from any to any 443 out via $pif setup keep-state

# Allow out send & get email function
$cmd 060 $skip tcp from any to any 25 out via $pif setup keep-state
$cmd 061 $skip tcp from any to any 110 out via $pif setup keep-state

# Allow out FBSD (make install & CVSUP) functions
# Basically give user root "GOD" privileges.
$cmd 070 $skip tcp from me to any out via $pif setup keep-state uid root

# Allow out ping
$cmd 080 $skip icmp from any to any out via $pif keep-state

# Allow out Time
$cmd 090 $skip tcp from any to any 37 out via $pif setup keep-state

# Allow out nntp news (IE: news groups)
$cmd 100 $skip tcp from any to any 119 out via $pif setup keep-state

# Allow out secure FTP, Telnet, and SCP
# This function is using SSH (secure shell)
$cmd 110 $skip tcp from any to any 22 out via $pif setup keep-state

# Allow out whois
$cmd 120 $skip tcp from any to any 43 out via $pif setup keep-
Re: freebsd How do you restart rc.conf without rebooting
> - Original Message -
> From: "Dan" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, July 30, 2004 3:28 PM
> Subject: freebsd How do you restart rc.conf without rebooting
>
>> How do you restart rc.conf without rebooting your machine.
>>
>> Dan
>
> /etc/netstart if I recall will reload and execute the settings within
> rc.conf without rebooting.

IIRC, /etc/netstart will reload the network only. I don't think it reloads
everything in /etc/rc.conf.

As a matter of fact, I just performed this command, and from what I can
tell, it only reloaded the IP networking, and the fw rulesets. It did not
HUP, or otherwise restart any of my daemons.

YMMV.

Steve

> --
> Micheal Patterson
> TSG Network Administration
> 405-917-0600
Re: Mozilla builds 4.10 vs. 5.2
On Saturday 31 July 2004 06:49 am, Louis LeBlanc wrote:
> Hey all. I'm finishing up my RELENG_5_2 box, hoping to swap it in
> tomorrow, and I'm a little confused.
>
> Mozilla 1.7 seems to build just fine in 4.10, but claims to be broken
> in 5.2. It seems to have a problem with Calendar support.
>
> While poking through the ports directory, I noticed that there are 2
> index files (INDEX and INDEX-5). Now I haven't really researched
> this yet, so feel free to point out the FM if that's discussed
> somewhere.

INDEX is for 4.x and INDEX-5 is for 5.x. When you upgrade and do a
../ports "make index", you build the appropriate one.

Kent

> My question though, is whether anyone has managed to get Mozilla
> building without hacking up the Makefile (which still only gives the
> Mozilla browser, nothing else).
>
> TIA
> Lou

--
Kent Stewart
Richland, WA
http://users.owt.com/kstewart/index.html
Re: safe mode for kernel.old
JJB wrote:
> -Original Message-
> From: Bill Moran [mailto:[EMAIL PROTECTED]
>
> "JJB" <[EMAIL PROTECTED]> wrote:
>
>>> In 5.x versions the whole kernel boot process was replaced with new
>>> method and the auto rename of the kernel no longer happens on a
>>> recompile and there is no kernel.generic module available.
>>
>> What are you talking about? I did a cvsup/make kernel process just a
>> week ago on a 5.1 machine, and the 5.2 kernel refused to work with the
>> network card. Lucky for me, kernel.old was in the boot directory, and
>> I was able to move it back over kernel. Yes, the process and
>> everything is different, but the basic fallback device is still there.

[format corrected]

> You used the upgrade in place from source so the old kernel release
> version was left over by error. Try doing a separate stand alone
> kernel recompile and the kernel.old is not created. This problem is
> more visible for people who install 5.x from scratch.
>
> Or maybe this is a difference between using the new buildkernel
> process over the older kernel compile process.
>
> All I know for sure is I installed 5.2.1 from miniistall.iso install
> CD and used the older kernel compile process to build a custom
> kernel and the kernel.old module was not created and the
> kernel.generic module was never there.
>
> So what I am saying is you may be trying to run the kernel.old
> module from 5.1 and not the one you think you built from 5.2.1.

Out of interest I just checked three 5.2.1 machines all of which were
installed as 5.x and the most recent installed as 5.2.1 a week or so ago,
then cvsup'd and buildworld/kernel'd just once. All have kernel.old

Peter.
Re: bash, vi, mutt vs UK settings
Hello Mark,

Thanks for the reply.

- Original Message -
From: "Mark Napper <[EMAIL PROTECTED]>"
To: [EMAIL PROTECTED]
Date: Sat, 31 Jul, 2004 13:37 BST
Subject: Re: bash, vi, mutt vs UK settings

> Just pop keymap="uk.iso" into rc.conf and reboot or if you don't want to
> do that run the kbdmap program.

That statement is already in there:

$ grep -i key /etc/rc.conf
keyrate="normal"
keymap="uk.iso"
keymap="uk.iso"
$

As I mentioned earlier, there isn't a problem when for instance, using
Opera, I want to enter the "pound" sign into the search text field in
Google, or if I'm using webmail. The problem is that I can never get the
"pound" sign when using vi, mutt, or any other terminal-based application.

Thanks all the same.

Regards,

Stacey

> HTH
>
> Mark
>
> Stacey Roberts wrote:
>> Hello,
>>   Could someone let me know how I can set a system up so that when
>> using "vi", mutt, etc, when I enter SHIFT 3, I get the UK Pound sign
>> (the GB currency symbol), please?
>>
>> In every other application (GUI-based) this is fine, but it's the terminal
>> related operations that appear to be affected only.
>>
>> Thanks for the help.
>>
>> Regards,
>>
>> Stacey
RE: safe mode for kernel.old
You used the upgrade in place from source so the old kernel release
version was left over by error. Try doing a separate stand alone kernel
recompile and the kernel.old is not created. This problem is more visible
for people who install 5.x from scratch.

Or maybe this is a difference between using the new buildkernel process
over the older kernel compile process.

All I know for sure is I installed 5.2.1 from miniistall.iso install CD
and used the older kernel compile process to build a custom kernel and the
kernel.old module was not created and the kernel.generic module was never
there.

So what I am saying is you may be trying to run the kernel.old module from
5.1 and not the one you think you built from 5.2.1.

-Original Message-
From: Bill Moran [mailto:[EMAIL PROTECTED]
Sent: Saturday, July 31, 2004 11:01 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: safe mode for kernel.old

"JJB" <[EMAIL PROTECTED]> wrote:

> I think you have missed some very important details. In 4.x releases
> when you do a kernel compile the system automatically renames the
> current kernel to kernel.old for you. There is also a kernel.generic
> which is always there.
>
> In 5.x versions the whole kernel boot process was replaced with new
> method and the auto rename of the kernel no longer happens on a
> recompile and there is no kernel.generic module available. Whoever
> added the new boot process to 5.x did a real poor job of integrating
> the new pirated boot code into Freebsd. This should be reported as
> a bug by everybody who wants the old kernel rename process added
> back into FreeBSD.

What are you talking about? I did a cvsup/make kernel process just a week
ago on a 5.1 machine, and the 5.2 kernel refused to work with the network
card. Lucky for me, kernel.old was in the boot directory, and I was able
to move it back over kernel. Yes, the process and everything is
different, but the basic fallback device is still there.

> Submit Bug report.
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Jason Barnes
> Sent: Friday, July 30, 2004 7:31 PM
> To: Jonathan Chen
> Cc: [EMAIL PROTECTED]
> Subject: Re: safe mode for kernel.old
>
> On Sat, 31 Jul 2004, Jonathan Chen wrote:
>
>> On Fri, Jul 30, 2004 at 03:50:40PM -0700, Jason Barnes wrote:
>>>
>>> Wow -- this is weird, but when I try that the machine locks up
>>> right after loading the old kernel, after the little -/|\ series
>>> finishes. Additionally, safe mode and single-user mode are distinct.
>>> Is there a boot -safe that will boot into SAFE mode?
>>> Thanks for your help,
>>
>> Unlike Windows, there is no SAFE mode. Single user mode is about as
>> safe as it will get.
>
> Then what's the safe mode in the boot screen in 5.2.1, and how is it
> different than single user mode? Thanks for your patience with me on
> this issue.
>
> - Jason

--
Bill Moran
Potential Technologies
http://www.potentialtech.com
Re: Is there an English Dictionary for FreeBSD?(not online like kdict)
On Sat, 31 Jul 2004 05:55:16 -0700 (PDT)
Mark Jayson Alvarez <[EMAIL PROTECTED]> wrote:

> Hi,
> I'm looking for a dictionary software which I can use even if I'm not
> connected to the internet as opposed to what kdict in KDE does. Do you
> happen to know one?

use kdict but with a local db; for that install net/dictd-database which
will pull in net/dictd

--
IOnut
Unregistered ;) FreeBSD "user"
RE: Firewall Rule Set not allowing access to DNS servers?
You better re-read what you posted in early post. You posted that dc1 is
your outside NIC, which is connected to your cable modem which is connected
to your ISP. Your outside NIC needs DHCP to get ip and dns info from your
ISP. NOW YOU SAY dc1 IS INSIDE INTERFACE NAME. Make up your mind which is
correct.

Verify you have correct interface name coded in ipfw rules for NIC
connected to cable modem and that the same NIC interface name is the one
in rc.conf with DHCP option. When DHCP gets DNS info from ISP
/etc/resolv.conf will be auto updated with correct info.

Read comments in sample firewall source and follow what comments say. You
are making this harder than it really is.

Also there is no setup option on UDP packets just keep-state

Post full contents of your current dmesg.boot, rc.conf, ipfw rule set, and
ipfw log files so people can see just what you have configured. And answer
question of how you are assigning ip address to LAN PCs? Also post output
of ifconfig -a command after boot completes.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of James A. Coulter
Sent: Saturday, July 31, 2004 9:55 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: Firewall Rule Set not allowing access to DNS servers?

Thanks for the response. . .

I changed rule 5 from x10 to dc0 - thanks

Not sure why I would want my inside nic requesting DHCP service from my
ISP. It has been working fine in the configuration I have it so I've left
it the way it is.

I checked the security log, and found this:

Jul 30 08:58:37 sara /kernel: ipfw: 450 Deny UDP 68.105.58.150:2609 68.105.161.20:53 out via dc1
Jul 30 08:58:37 sara /kernel: ipfw: 450 Deny UDP 68.105.58.150:4067 68.1.18.25:53 out via dc1
Jul 30 08:58:37 sara /kernel: ipfw: 450 Deny UDP 68.105.58.150:3773 68.10.16.30:53 out via dc1

These are the three name servers specified in the rule set

I checked the rule set and found this:

# Allow out access to my ISP's Domain name server.
# x.x.x.x must be the IP address of your ISP's DNS
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
$cmd 020 $skip tcp from any to 68.105.161.20 53 out via $pif setup keep-state
$cmd 021 $skip tcp from any to 68.1.18.25 53 out via $pif setup keep-state
$cmd 022 $skip tcp from any to 68.10.16.30 53 out via $pif setup keep-state

Because security said the firewall was denying UDP packets, I changed the
rules to this:

$cmd 020 $skip udp from any to 68.105.161.20 53 out via $pif setup keep-state
$cmd 021 $skip udp from any to 68.1.18.25 53 out via $pif setup keep-state
$cmd 022 $skip udp from any to 68.10.16.30 53 out via $pif setup keep-state

But that hasn't helped. I'm still getting:

Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:3178 68.105.161.20:53 out via dc1
Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4476 68.1.18.25:53 out via dc1
Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4747 68.10.16.30:53 out via dc1

FWIW, these rules are skipping to:

# This is skipto location for outbound stateful rules
$cmd 800 divert natd ip from any to any out via $pif
$cmd 801 allow ip from any to any

I apologize for being such a bother and I do appreciate any help or
suggestions.

TIA

Jim C.

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of JJB
> Sent: Friday, July 30, 2004 1:20 PM
> To: James A. Coulter; [EMAIL PROTECTED]
> Subject: RE: Firewall Rule Set not allowing access to DNS servers?
>
> Change this ipfw rule from
>
> 5 allow ip from any to any via xl0
>
> To
>
> 5 allow ip from any to any via dc0
>
> because dc0 is the lan interface name and not xl0.
>
> Change these statement in rc.conf because you have interface
> name backwards. Dc1 is the NIC connected to your cable modem
> and you want to get DHCP info from your ISP. Dc0 is the NIC
> connected to your LAN.
>
> From
> ifconfig_dc1="DHCP"
> ifconfig_dc0="inet 192.168.1.1 netmask 255.255.255.0"
>
> to
> ifconfig_dc0="DHCP"
> ifconfig_dc1="inet 192.168.1.1 netmask 255.255.255.0"
>
> You do not say how your LAN PCs get their ip address.
> You can hard code them on each LAN PC
> or you have to run isc-dhcp-server on your Gateway box to
> auto assign ip address to LAN PCs.
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of James A. Coulter
> Sent: Friday, July 30, 2004 10:56 AM
> To: [EMAIL PROTECTED]
> Subject: Firewall Rule Set not allowing access to DNS servers?
>
> I am using FreeBSD 4.10 as a gateway/router for a small home
> LAN. My outside interface (dc1) is connected to a cable modem
> and is configured for DHCP.
>
> I have compiled and installed a custom kernel with
> IPFIREWALL and IPDIVERT options and with a rule set allowing
> any to any with no problems
>
> I am in the process of adding a proper rule set to provide
> security. I was referred to
> http://free
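Two of the rule-file defects discussed in this thread can be caught offline before the script is ever loaded: JJB's point above that there is no setup option for UDP (ipfw's "setup" matches only TCP segments with SYN set and ACK clear, so the "udp ... 53 ... setup keep-state" lines never match a DNS query and the packet falls through to the deny), and Giorgos's points in the earlier post about static rule numbers and rule order. The following Python linter is an added example written for this page; it is not FreeBSD's ipfw(8) and not code posted by anyone in the thread. The rule lines it is run against are constructed excerpts in the shape of the two rulesets posted above (the interface names, rule numbers and DNS address are taken from the thread; the 900/700 rules at the end are added to exercise the ordering check).

```python
"""Static checks for an ipfw(8) rules file (constructed example).

Flags three defects:
  * 'setup' on a non-TCP rule: 'setup' matches TCP SYN segments only,
    so 'udp ... setup' can never match and the packet is not passed.
  * explicit rule numbers above 65535 or out of ascending order
    (ipfw matches in number order, so file order then misrepresents
    what happens).
  * rules placed after a catch-all allow/deny 'ip from any to any',
    which are unreachable unless a skipto targets them.

Two layouts are read: '$cmd 020 ...' lines from a shell-style script
(name="value" variables are expanded) and bare 'add allow ...' lines
from a firewall_type file.
"""
import re
from typing import Dict, List, Tuple

PROTOS = {"tcp", "udp", "icmp", "ip", "all"}
TERMINAL = {"allow", "accept", "pass", "permit", "deny", "drop", "reject"}
WITH_ARG = {"skipto", "divert", "tee", "fwd", "forward", "pipe", "queue"}
MAX_RULE = 65535

_VAR_RE = re.compile(r'^\s*(\w+)="?([^"#]*?)"?\s*(?:#.*)?$')
_RULE_RE = re.compile(
    r'^\s*(?:\$cmd|ipfw(?:\s+-q)?\s+add|add)\s+(?:(\d+)\s+)?(.*?)\s*(?:#.*)?$')


def _expand(text: str, env: Dict[str, str]) -> str:
    """Substitute $name with the value of an earlier name="value" line."""
    return re.sub(r"\$(\w+)", lambda m: env.get(m.group(1), m.group(0)), text)


def _split_rule(body: str) -> Tuple[str, str, List[str]]:
    """Return (action, proto, tokens) with the action's argument and any
    log/logamount options removed, leaving the packet-matching part."""
    toks = [t.lower() for t in body.split()]
    action, rest = (toks[0], toks[1:]) if toks else ("", [])
    if action in WITH_ARG and rest:
        rest = rest[1:]                  # drop the 800 / natd / pipe number
    cleaned: List[str] = []
    skip = 0
    for t in rest:
        if skip:
            skip -= 1
        elif t == "logamount":
            skip = 1                     # logamount takes a count
        elif t != "log":
            cleaned.append(t)
    proto = next((t for t in cleaned if t in PROTOS), "")
    return action, proto, cleaned


def lint_ipfw(text: str) -> List[Tuple[int, str]]:
    """Return (line number, message) findings for a rules file."""
    findings: List[Tuple[int, str]] = []
    env: Dict[str, str] = {}
    prev_num, catch_all_at = -1, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        var = _VAR_RE.match(raw)
        if var:                          # cmd="ipfw -q add", pif="dc1", ...
            env[var.group(1)] = var.group(2).strip()
            continue
        m = _RULE_RE.match(_expand(raw, env))
        if not m:                        # comment, flush, blank line, ...
            continue
        num_s, body = m.group(1), m.group(2)
        action, proto, toks = _split_rule(body)
        if num_s is not None:
            num = int(num_s)
            if num > MAX_RULE:
                findings.append((lineno, f"rule number {num} exceeds {MAX_RULE}"))
            elif num < prev_num:
                findings.append((lineno, f"rule {num} is numbered below the "
                                 f"previous rule {prev_num}; ipfw matches in "
                                 "number order, not file order"))
            prev_num = max(prev_num, num)
        if catch_all_at is not None:
            findings.append((lineno, "unreachable: follows catch-all rule on "
                             f"line {catch_all_at} (unless a skipto targets it)"))
        if "setup" in toks and proto != "tcp":
            findings.append((lineno, "'setup' matches only TCP SYN segments; "
                             f"this {proto or 'untyped'} rule can never match"))
        if action in TERMINAL and proto in ("ip", "all") \
                and toks == [proto, "from", "any", "to", "any"]:
            catch_all_at = lineno
    return findings


# Constructed excerpt in the shape of the shell-style script posted above.
SAMPLE_SCRIPT = """\
ipfw -q -f flush
cmd="ipfw -q add"
skip="skipto 800"
pif="dc1"      # public interface name of Nic card
$cmd 005 allow all from any to any via dc0
$cmd 014 divert natd ip from any to any in via $pif
$cmd 015 check-state
$cmd 020 $skip UDP from any to 68.105.161.20 53 out via $pif setup keep-state
$cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state
$cmd 800 divert natd ip from any to any out via $pif
$cmd 801 allow ip from any to any
$cmd 900 deny log ip from any to any
$cmd 700 allow icmp from any to any out via $pif keep-state
"""

# Constructed excerpt in the shape of the firewall_type file posted above.
SAMPLE_RULES_FILE = """\
# firewall_type style, no inline numbers
add divert natd all from any to any via dc1
add allow udp from any to any 53,123 keep-state out
add check-state
add allow tcp from any to any keep-state out xmit dc1 setup
add allow tcp from any to any 22 keep-state in recv dc1 setup
add deny log logamount 0 ip from any to any
"""

if __name__ == "__main__":
    for ln, msg in lint_ipfw(SAMPLE_SCRIPT):
        print(f"script line {ln}: {msg}")
```

Against the script excerpt the linter reports the UDP "setup" rule, the rule that follows the catch-all "allow ip from any to any" at 801, and the out-of-order 700; the firewall_type excerpt yields no findings. This is a static check on the text of the file only and does not replace loading the rules on a test box; in particular it does not know which rules a skipto actually lands on, so the "unreachable" finding is advisory.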
Re: safe mode for kernel.old
"JJB" <[EMAIL PROTECTED]> wrote: > I think you have missed some very important details. In 4.x releases > when you do a kernel compile the system automatically renames the > current kernel to kernel.old for you. There is also a kernel.generic > which is always there. > > In 5.x versions the whole kernel boot process was replaced with new > method and the auto rename of the kernel no longer happens on a > recompile and there is no kernel.generic module available. Whoever > added the new boot process to 5.x did real poor job of integrating > the new pirated boot code into Freebsd. This should be reported as > a bug by everybody who wants the old kernel rename process added > back into FreeBSD. What are you talking about? I did a cvsup/make kernel process just a week ago on a 5.1 machine, and the 5.2 kernel refused to work with the network card. Lucky for me, kernel.old was in the boot directory, and I was able to move it back over kernel. Yes, the process and everything is different, but the basic fallback device is still there. > > Submit Bug report. > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] Behalf Of Jason > Barnes > Sent: Friday, July 30, 2004 7:31 PM > To: Jonathan Chen > Cc: [EMAIL PROTECTED] > Subject: Re: safe mode for kernel.old > > On Sat, 31 Jul 2004, Jonathan Chen wrote: > > > On Fri, Jul 30, 2004 at 03:50:40PM -0700, Jason Barnes wrote: > > > > > > Wow -- this is weird, but when I try that the machine locks > up > > > right after loading the old kernel, after the little -/|\ series > finishes. > > > Additionally, safe mode and single-user mode are distinct. Is > there a > > > boot -safe that will boot into SAFE mode? > > > Thanks for your help, > > > > Unlike Windows, there is no SAFE mode. Single user mode is about > as > > safe as it will get. > > Then what's the safe mode in the boot screen in 5.2.1, and > how is > it different than single user mode? Thanks for your patience with > me on > this issue. 
> > - Jason > ___ > [EMAIL PROTECTED] mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to > "[EMAIL PROTECTED]" > > ___ > [EMAIL PROTECTED] mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to "[EMAIL PROTECTED]" -- Bill Moran Potential Technologies http://www.potentialtech.com ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Mozilla builds 4.10 vs. 5.2
On Saturday 31 July 2004 06:49 am, Louis LeBlanc <[EMAIL PROTECTED]> wrote:
> Hey all. I'm finishing up my RELENG_5_2 box, hoping to swap it in
> tomorrow, and I'm a little confused.
>
> Mozilla 1.7 seems to build just fine in 4.10, but claims to be broken
> in 5.2. It seems to have a problem with Calendar support.
>
> While poking through the ports directory, I noticed that there are 2
> index files (INDEX and INDEX-5). Now I haven't really researched this
> yet, so feel free to point out the FM if that's discussed somewhere.
>
> My question though, is whether anyone has managed to get Mozilla
> building without hacking up the Makefile (which still only gives the
> Mozilla browser, nothing else).

I'm running 5.2.1 and built Mozilla 1.7.1 very recently. It built and works fine, and I didn't mess with the Makefile, but I don't use the calendar in Mozilla.

- jt
RE: Firewall Rule Set not allowing access to DNS servers?
Thanks for the response. . .

I changed rule 5 from xl0 to dc0 - thanks

Not sure why I would want my inside nic requesting DHCP service from my ISP. It has been working fine in the configuration I have it so I've left it the way it is.

I checked the security log, and found this:

Jul 30 08:58:37 sara /kernel: ipfw: 450 Deny UDP 68.105.58.150:2609 68.105.161.20:53 out via dc1
Jul 30 08:58:37 sara /kernel: ipfw: 450 Deny UDP 68.105.58.150:4067 68.1.18.25:53 out via dc1
Jul 30 08:58:37 sara /kernel: ipfw: 450 Deny UDP 68.105.58.150:3773 68.10.16.30:53 out via dc1

These are the three name servers specified in the rule set.

I checked the rule set and found this:

# Allow out access to my ISP's Domain name server.
# x.x.x.x must be the IP address of your ISP's DNS
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
$cmd 020 $skip tcp from any to 68.105.161.20 53 out via $pif setup keep-state
$cmd 021 $skip tcp from any to 68.1.18.25 53 out via $pif setup keep-state
$cmd 022 $skip tcp from any to 68.10.16.30 53 out via $pif setup keep-state

Because security said the firewall was denying UDP packets, I changed the rules to this:

$cmd 020 $skip udp from any to 68.105.161.20 53 out via $pif setup keep-state
$cmd 021 $skip udp from any to 68.1.18.25 53 out via $pif setup keep-state
$cmd 022 $skip udp from any to 68.10.16.30 53 out via $pif setup keep-state

But that hasn't helped. I'm still getting:

Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:3178 68.105.161.20:53 out via dc1
Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4476 68.1.18.25:53 out via dc1
Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4747 68.10.16.30:53 out via dc1

FWIW, these rules are skipping to:

# This is skipto location for outbound stateful rules
$cmd 800 divert natd ip from any to any out via $pif
$cmd 801 allow ip from any to any

I apologize for being such a bother and I do appreciate any help or suggestions.

TIA
Jim C.

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of JJB
> Sent: Friday, July 30, 2004 1:20 PM
> To: James A. Coulter; [EMAIL PROTECTED]
> Subject: RE: Firewall Rule Set not allowing access to DNS servers?
>
> Change this ipfw rule from
> 5 allow ip from any to any via xl0
> To
> 5 allow ip from any to any via dc0
> because dc0 is the lan interface name and not xl0.
>
> Change these statements in rc.conf because you have interface
> names backwards. Dc1 is the NIC connected to your cable modem
> and you want to get DHCP info from your ISP. Dc0 is the NIC
> connected to your LAN.
>
> From
> ifconfig_dc1="DHCP"
> ifconfig_dc0="inet 192.168.1.1 netmask 255.255.255.0"
>
> to
> ifconfig_dc0="DHCP"
> ifconfig_dc1="inet 192.168.1.1 netmask 255.255.255.0"
>
> You do not say how your LAN PCs get their ip address.
> You can hard code them on each LAN PC
> or you have to run isc-dhcp-server on your Gateway box to
> auto assign ip address to LAN PCs.
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of
> James A. Coulter
> Sent: Friday, July 30, 2004 10:56 AM
> To: [EMAIL PROTECTED]
> Subject: Firewall Rule Set not allowing access to DNS servers?
>
> I am using FreeBSD 4.10 as a gateway/router for a small home
> LAN. My outside interface (dc1) is connected to a cable modem
> and is configured for DHCP.
>
> I have compiled and installed a custom kernel with
> IPFIREWALL and IPDIVERT options and with a rule set allowing
> any to any with no problems
>
> I am in the process of adding a proper rule set to provide
> security. I was referred to
> http://freebsd.a1poweruser.com:6088/FBSD_firewall/ and
> installed the Stateful + NATD Rule Set modified for my
> outside interface, domain name servers, and DHCP server.
>
> I can ping IP addresses and pass SMTP mail back and forth
> from the gateway/router and all machines on the LAN, but I
> cannot ping URLs - I am getting "ping: cannot resolve
> www.freebsd.org: Host name lookup failure" errors.
>
> This is what ipfw -a list looks like:
>
> sara# ipfw -a list
> 5 0 0 allow ip from any to any via xl0
> 00010 52 3640 allow ip from any to any via lo0
> 00014 0 0 divert 8668 ip from any to any in recv dc1
> 00015 0 0 check-state
> 00020 0 0 skipto 800 tcp from any to 68.105.161.20 53 keep-state out xmit dc1 setup
> 00021 0 0 skipto 800 tcp from any to 68.1.18.25 53 keep-state out xmit dc1 setup
> 00022 0 0 skipto 800 tcp from any to 68.10.16.30 53 keep-state out xmit dc1 setup
> 00030 0 0 skipto 800 udp from any to 172.19.17.22 67 keep-state out xmit dc1
> 00040 0 0 skipto 800 tcp from any to any 80 keep-state out xmit dc1 setup
> 00050 0 0 skipto 800 tcp from any to any 443 keep-state out xmit dc1 setup
> 00060 0 0 skipto 800 tc
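The rules quoted in the message above, worked through as an added example (mine, not code from the thread or from FreeBSD's ipfw). In ipfw, "setup" is shorthand for "tcpflags syn,!ack", so it can only match the first packet of a TCP connection; a "udp ... setup keep-state" rule therefore never matches anything, and because resolver lookups leave as UDP to port 53 the query falls through to the deny rule that the log shows. The model below parses the posted rule syntax and the "ipfw: NNN Deny ..." log line and reports which rule, if any, a logged packet would hit under three variants: tcp with setup (as posted), udp with setup (the attempted fix), and udp without setup. Rule numbers, addresses and the interface name are copied from the thread; the parser, the matcher and the packet objects are constructed for this example.

```python
"""Toy model of the ipfw rules quoted in the thread above.

Added example, not code from the original post or from FreeBSD's ipfw.
It handles only the keywords the posted rules use (proto, from/to, a
destination port, in/out, via/xmit/recv, setup, keep-state) and the
"ipfw: NNN Deny ..." syslog format. All samples are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\w+)"
)

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    direction: str
    iface: str
    syn_only: bool = False  # TCP SYN without ACK: the only thing "setup" matches

@dataclass
class Rule:
    number: int
    action: str
    proto: str
    dst: str
    dport: Optional[int]
    direction: Optional[str]
    iface: Optional[str]
    setup: bool
    keep_state: bool

def parse_log(line: str) -> Packet:
    """Build a Packet from an 'ipfw: 550 Deny UDP a:p b:q out via dc1' line."""
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError(f"not an ipfw log line: {line!r}")
    return Packet(m["proto"].lower(), m["src"], m["dst"], int(m["dport"]),
                  m["dir"], m["iface"])

def parse_rule(text: str) -> Rule:
    """Parse one rule in the subset of ipfw syntax the thread uses."""
    t = text.split()
    number, action = int(t[0]), t[1]
    i = 3 if action == "skipto" else 2          # "skipto 800" carries a target
    proto = t[i]
    if t[i + 1] != "from" or t[i + 3] != "to":
        raise ValueError(f"unsupported rule syntax: {text!r}")
    dst = t[i + 4]
    i += 5
    dport = int(t[i]) if i < len(t) and t[i].isdigit() else None
    rest = t[i + 1:] if dport is not None else t[i:]
    direction = next((w for w in rest if w in ("in", "out")), None)
    iface = next((rest[j + 1] for j, w in enumerate(rest[:-1])
                  if w in ("via", "xmit", "recv")), None)
    return Rule(number, action, proto, dst, dport, direction, iface,
                "setup" in rest, "keep-state" in rest)

def matches(rule: Rule, pkt: Packet) -> bool:
    """True if the packet would match this rule under ipfw's semantics."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.dst != "any" and rule.dst != pkt.dst:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    # "setup" is shorthand for "tcpflags syn,!ack": it only ever matches a
    # TCP SYN, so a UDP packet can never match a rule that carries it.
    if rule.setup and not (pkt.proto == "tcp" and pkt.syn_only):
        return False
    return True

def first_match(rules: List[Rule], pkt: Packet) -> Optional[int]:
    """Number of the first matching rule, or None if the packet falls through."""
    return next((r.number for r in rules if matches(r, pkt)), None)

# Constructed samples shaped like the thread's log line and rules.
LOG_LINE = "Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:3178 68.105.161.20:53 out via dc1"
AS_POSTED = [parse_rule("020 skipto 800 tcp from any to 68.105.161.20 53 out via dc1 setup keep-state")]
UDP_WITH_SETUP = [parse_rule("020 skipto 800 udp from any to 68.105.161.20 53 out via dc1 setup keep-state")]
UDP_FIXED = [parse_rule("020 skipto 800 udp from any to 68.105.161.20 53 out via dc1 keep-state")]
```

Feeding the logged packet to the three sets gives None, None and 20: neither posted variant can ever pass a UDP query, and only the udp rule without "setup" (keep-state alone is fine on UDP) lets it reach the skipto 800 / natd path. A TCP SYN to port 53 still matches the original tcp rule, which is why the rule set looked plausible until a real resolver lookup was tried.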
Mozilla builds 4.10 vs. 5.2
Hey all. I'm finishing up my RELENG_5_2 box, hoping to swap it in tomorrow, and I'm a little confused.

Mozilla 1.7 seems to build just fine in 4.10, but claims to be broken in 5.2. It seems to have a problem with Calendar support.

While poking through the ports directory, I noticed that there are 2 index files (INDEX and INDEX-5). Now I haven't really researched this yet, so feel free to point out the FM if that's discussed somewhere.

My question though, is whether anyone has managed to get Mozilla building without hacking up the Makefile (which still only gives the Mozilla browser, nothing else).

TIA
Lou

-- 
Louis LeBlanc [EMAIL PROTECTED]
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
http://www.keyslapper.org

No group of professionals meets except to conspire against the public at large.
-- Mark Twain
RE: safe mode for kernel.old
I think you have missed some very important details. In 4.x releases when you do a kernel compile the system automatically renames the current kernel to kernel.old for you. There is also a kernel.generic which is always there.

In 5.x versions the whole kernel boot process was replaced with a new method and the auto rename of the kernel no longer happens on a recompile and there is no kernel.generic module available. Whoever added the new boot process to 5.x did a real poor job of integrating the new pirated boot code into Freebsd. This should be reported as a bug by everybody who wants the old kernel rename process added back into FreeBSD.

Submit Bug report.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Jason Barnes
Sent: Friday, July 30, 2004 7:31 PM
To: Jonathan Chen
Cc: [EMAIL PROTECTED]
Subject: Re: safe mode for kernel.old

On Sat, 31 Jul 2004, Jonathan Chen wrote:

> On Fri, Jul 30, 2004 at 03:50:40PM -0700, Jason Barnes wrote:
> >
> > Wow -- this is weird, but when I try that the machine locks up
> > right after loading the old kernel, after the little -/|\ series finishes.
> > Additionally, safe mode and single-user mode are distinct. Is there a
> > boot -safe that will boot into SAFE mode?
> > Thanks for your help,
>
> Unlike Windows, there is no SAFE mode. Single user mode is about as
> safe as it will get.

Then what's the safe mode in the boot screen in 5.2.1, and how is it different than single user mode? Thanks for your patience with me on this issue.

- Jason
Is there an English Dictionary for FreeBSD?(not online like kdict)
Hi,

I'm looking for a dictionary software which I can use even if I'm not connected to the internet, as opposed to what kdict in KDE does. Do you happen to know one?

Thanks!!
-jay
Re: bash, vi, mutt vs UK settings
Just pop keymap="uk.iso" into rc.conf and reboot, or if you don't want to do that run the kbdmap program.

HTH
Mark

Stacey Roberts wrote:
> Hello,
> Could someone let me know how I can set a system up so that when using "vi", mutt, etc, when I enter SHIFT 3, I get the UK Pound sign (the GB currency symbol), please?
> In every other application (GUI-based) this is fine, but it's the terminal related operations that appear to be affected only.
> Thanks for the help.
> Regards,
> Stacey
bash, vi, mutt vs UK settings
Hello,

Could someone let me know how I can set a system up so that when using "vi", mutt, etc, when I enter SHIFT 3, I get the UK Pound sign (the GB currency symbol), please?

In every other application (GUI-based) this is fine, but it's the terminal related operations that appear to be affected only.

Thanks for the help.

Regards,
Stacey
Re: problem with clamav
Thanks a lot this seems to work fine now. Fred On Jul 30, 2004, at 9:30 PM, Ion-Mihai Tetcu wrote: On Fri, 30 Jul 2004 19:55:35 +0200 [EMAIL PROTECTED] wrote: Hello, Since two days I have a problem with clamav. The daemon clamd is clogging my CPU. I have try to update the port. I have tryed the devel version in the ports. I have also tryed the snapshot from clamav and the problem is still here. # top ... PID USERNAME PRI NICE SIZERES STATETIME WCPUCPU COMMAND 2122 clamav60 0 9512K 8168K RUN 6:27 95.80% 95.80% clamd ... I am running 4.10. Does someone experiance this or have already seen this ? I believe this diff against devel-20040728 would resolve your problem: --- matcher-bm.c.bk Mon Jul 19 13:54:40 2004 +++ matcher-bm.cThu Jul 29 21:59:42 2004 @@ -91,11 +91,27 @@ void cli_bm_free(struct cl_node *root) {7 +struct cli_bm_patt *b1, *b2; +int i; + if(root->bm_shift) free(root->bm_shift); -if(root->bm_suffix) +if(root->bm_suffix) { + for(i = 0; i < 65536; i++) { + b1 = root->bm_suffix[i]; + while(b1) { + b2 = b1; + b1 = b1->next; + if (b2->virname) + free(b2->virname); + if (b2->pattern) + free(b2->pattern); + free(b2); + } + } free(root->bm_suffix); +} } int cli_bm_scanbuff(const char *buffer, unsigned int length, const char **virname, const struct cl_node *root) -- IOnut Unregistered ;) FreeBSD "user" ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
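Review bot: in the new loop added to cli_bm_free, the bound 65536 is a bare magic number; it has to equal the number of bm_suffix slots allocated wherever that table is built, so use the same named constant in both places rather than repeating the literal, otherwise the two can silently drift apart and the loop either leaks the tail or reads past the array. Separately, the hunk frees root->bm_shift and root->bm_suffix but leaves both pointers dangling, so a second cli_bm_free on the same node double-frees; set `root->bm_shift = NULL;` and `root->bm_suffix = NULL;` after the respective free() calls.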
Re: can i delete /usr/obj/ before installworld?
Scott wrote:

> Hi there, I'm really short on diskspace, and I have no room to run a make buildkernel after I run make buildworld.

If you have enough space on another filesystem, you could move /usr/obj there, e.g. with a symlink, or by setting MAKEOBJDIRPREFIX?= /usr/obj to something else:

# make MAKEOBJDIRPREFIX=/path/to/new/obj buildworld
# make MAKEOBJDIRPREFIX=/path/to/new/obj buildkernel KERNCONF=blahblah

etc...

Good luck!

-- 
Cordula's Web. http://www.cordula.ws/
Re: can i delete /usr/obj/ before installworld?
Scott wrote:

> Hi there, I'm really short on diskspace, and I have no room to run a make buildkernel after I run make buildworld. Is it possible to do the following:

No. It's impossible.

> make buildworld
> rm -fr /usr/obj

This is a no-op. You'd be just wasting time. 'make buildworld' populates /usr/obj with the compiled world.

> make buildkernel

That's not good either, because it needs the new world which is expected in /usr/obj that you've just nuked.

> make installkernel
> -reboot single user
> make installworld

There's no world to install here.

-- 
Cordula's Web. http://www.cordula.ws/
konqueror not responding
Hi,

Something weird happened to the settings of Konqueror in kde 3.2.3 and every time I try to access a web page on the internet the browser freezes. If I try to open local webpages or just use konqueror to browse in my filesystem everything works just ok. If I login using another user then it also works perfectly, so I suspect there is something corrupted in the config files on my current user. Is there any way to remove all the config files and start konqueror from scratch? I already tried in ~/.kde and deleted konquerorrc but it does not help.

regards,
Manuel Astudillo.
Re: Antialiased fonts in Linux applications
[epilogue, 2004-07-28]
> i noticed the same thing happen to my setup, after upgrading to xorg. in
> my case acroread works. unfortunately, i don't run mathematica or maple.
> however, for linux-opera, try adding the following settings in
> $HOME/.linux-opera/opera6.ini:
>
> [User Prefs]<< under this section
> Enable Core X Fonts=0
> Enable Xft Fonts=1
> Trust Qt FontSwitching=0

Thanks for the tip, but unfortunately it didn't seem to fix my problem. In fact, after adding those lines to the preferences file, opera won't start at all. Or rather, it starts, but never creates any windows. I will later have to manually kill the pid.

Thanks anyway.
can i delete /usr/obj/ before installworld?
Hi there,

I'm really short on diskspace, and I have no room to run a make buildkernel after I run make buildworld. Is it possible to do the following:

make buildworld
rm -fr /usr/obj
make buildkernel
make installkernel
-reboot single user
make installworld

TIA
Scott
Re: amavisd/clamav Virus Recipient email notification template woes
On Fri, Jul 30, 2004 at 06:22:00PM -0600, Warren Block wrote:
> On Fri, 30 Jul 2004, Tim Schutt wrote:
>
> >On Jul 30, 2004, at 4:09 PM, Bill Moran wrote:
>
> >>If you're going to send notification, there is only one _proper_ way
> >>to do it: analyze the Received: headers and find out where the virus
> >>_really_ originated, then contact the abuse@ address for that domain
> >>with the message.
>
> >I completely understand where you are coming from, and I am only intending
> >on notifying the intended recipient of the email, not the "sender" for the
> >very reason that you note. If it was just me, I would can the message and
> >be done with it. However, I am in the midst of marketing this service to
> >some highly security conscious people so I would like the reinforcement of
> >the notifications for their peace of mind and a little customer-stroking
> >reminding them how great the service is. :-)
>
> [Format recovered--please don't top-post. It makes responding to your
> messages difficult and time-consuming, to the point that many people
> won't bother.]
>
> "Virus detected" messages are generally abusive. Here are some problems
> I've experienced on the receiving end of antivirus notification
> messages:
>
> * Sent to the forged From address. We'll skip the issue of a virus
> checker that trusts any content in a virus-generated message;
> what about long CC: and BCC: lists?
>
> * Sent to the intended victim--"Hey, you almost got away without being
> harassed, but we wanted to brag about our antivirus system."
>
> * Some include "this message guaranteed virus-free" text. It's like the
> sender is saying "please sue me".
>
> * Sent outside the detecting system's domains, spreading the damage.
> If you must send notifications, send them only to those systems you
> control, and where you are responsible to your users.
>
> * Antivirus software forges "[EMAIL PROTECTED]'sdomain" into the From:
> line. Senders of these messages get a 550 reject for all further
> mail.
>
> * Some notifications include the virus. Yes, there are actual
> "antivirus" programs out there that are dumb enough to do this.
>
> Bearing that in mind, here's a suggestion for clamav flags:
>
> clamav_milter_flags="--quiet --local --outgoing --max-children=50
> --dont-log-clean --noxheader --outgoing"

Amen brother. I agree basically with all of that. I'd like to bring out a point implicit in what Warren says, which is that the best -- if not the only -- way to notify someone in the sending chain that they are sending you a virus infected e-mail is to reject the message with a 550 or 554 code at the SMTP DATA stage. This will generate at least a log message on the sending server, and hopefully will alert the admins of that machine that they need to take action.

Even so, if your e-mails are commonly relayed through some MXes that don't run AV scans, doing that will result in sending bounce messages with all the implications of those going astray due to forged headers. In that sense, the only 'safe' thing to do is to accept the message and immediately route it to /dev/null. Except that runs counter to the SMTP standards.

It's a toss-up: but neither way is completely ideal.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil. 26 The Paddocks Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey Marlow
Tel: +44 1628 476614 Bucks., SL7 1TH UK
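The DATA-stage rejection Matthew describes, together with the Received: walk Bill mentions for finding where a message really entered your systems, as an added example (mine, not code from the thread, amavisd, clamav or any MTA). It assumes a toy scanner that only knows the EICAR test string, a hypothetical relay range 192.0.2.0/24 standing in for "our" hosts, and two constructed sample messages; the 5xx text is the shape a content filter would hand back to the MTA at end-of-DATA, not a particular product's wording.

```python
"""Refusing an infected message at SMTP DATA, and finding the hop to notify.

Added example, not code from the thread, amavisd, clamav or any real MTA.
A flagged message is refused with a 5xx reply to end-of-DATA, which the
sending MTA logs itself, instead of being accepted and "notified" to a
From: address that is usually forged. The scanner is a deliberately tiny
match on the EICAR test string; injecting_host() walks Received: headers
to find the address that handed the message to our own (assumed) relays.
All sample messages are constructed.
"""
import re
from email import message_from_string
from email.message import Message
from typing import List, Optional, Tuple

# EICAR anti-virus test string, the only "signature" this toy scanner knows.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

def scan_message(msg: Message) -> Optional[str]:
    """Return a detection name, or None if no leaf part of the message matches."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        if EICAR in payload:
            return "Eicar-Test-Signature"
    return None

def end_of_data_reply(raw: str) -> Tuple[int, str]:
    """SMTP reply our MTA sends after the terminating '.' of DATA."""
    found = scan_message(message_from_string(raw))
    if found:
        # A 5xx here is recorded by the *sending* server and generates no
        # bounce from us, so a forged From: cannot turn it into backscatter.
        return 550, f"5.7.1 Message rejected: virus {found} detected"
    return 250, "2.0.0 Ok: queued"

RECEIVED_FROM = re.compile(r"from\s+\S+\s+\(.*?\[(?P<ip>[\d.]+)\]\)", re.S)

def injecting_host(msg: Message, trusted_prefixes: List[str]) -> Optional[str]:
    """IP of the first hop outside our own relays, reading Received: newest-first.

    Each MTA prepends its own Received: header, so the top ones were written
    by hosts we control and can be believed; everything below the first
    external hop was written by that hop or earlier senders and may be forged,
    as may From: and Return-Path:. Only this hop's operator is worth notifying.
    """
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_FROM.search(hdr)
        if m is None:
            continue
        if not any(m["ip"].startswith(p) for p in trusted_prefixes):
            return m["ip"]
    return None

# Constructed sample messages; 192.0.2.0/24 plays the role of our own relays.
OUR_RELAYS = ["192.0.2."]
CLEAN = (
    "Received: from mail.example.net (mail.example.net [203.0.113.7])\n"
    "\tby mx.example.org with ESMTP; Fri, 30 Jul 2004 18:00:00 -0600\n"
    "From: alice@example.net\nTo: bob@example.org\nSubject: hi\n\nhello\n"
)
INFECTED = (
    "Received: from mx.example.org (mx.example.org [192.0.2.10])\n"
    "\tby scanner.example.org with ESMTP\n"
    "Received: from relay.bad.example (relay.bad.example [198.51.100.9])\n"
    "\tby mx.example.org with ESMTP\n"
    "Received: from forged.example (forged.example [203.0.113.200])\n"
    "\tby relay.bad.example with SMTP\n"
    "From: victim@example.com\nTo: bob@example.org\nSubject: test\n\n"
    + EICAR.decode() + "\n"
)
```

end_of_data_reply() is the decision a milter or content filter returns to the MTA while the sending server is still on the line, which is what makes the 550 land in that server's own log. injecting_host() deliberately stops at the first untrusted hop (198.51.100.9 in the infected sample) and ignores the deeper 203.0.113.200 line and the victim@ From: address, since both are that hop's unverifiable claims; sending a "virus detected" note to either is exactly the backscatter Warren lists.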
sound volume to high
Hi,

I have my sound card setup, and it works ok.. but the volume is too high/loud. I tried setting the volume lower with the "mixer" command, but it didn't change the volume (even though it changed the setting).

Here's my sound card info from dmesg:
pcm0: port 0xbc00-0xbcff irq 11 at device 17.5 on pci0
pcm0:

I'd appreciate any help you could provide. Please email me directly, since I'm not subscribed to the list.

TIA