Re: Firewall with bridged interfaces and captive portal
Olivier Nicole wrote:
> I need to implement a firewall with bridged interfaces that offers captive portal (authentication before opening the traffic).
>
> > We are using a combination of squid+ipfw. Although we are NATing the users, that really just introduces needless complexity that could be avoided with a bridging solution. Our web-app/captive portal/authentication program is written in-house; it's very tightly integrated with several existing pieces of infrastructure. I don't know if there are any solutions that will work out-of-the-box. I can get you more technical details if this is a direction you'd be interested in moving.
>
> Long time ago I have been toying with ipf (for the general firewall) and NoCat+ipfw for the captive portal. But that did not work too well, so any technical information will be appreciated :)
>
> My long term vision is a quite integrated thing, where users that read their email and authenticate to POP3/IMAP would be granted the access without the need to authenticate to the web portal.

Hi,

Sorry it's taken a while to get back to you on this.

You're going to want to get squid up and running as a transparent proxy. You will probably want to write a redirect script [1]. Mine checks against a small set of always-authorized URLs that squid is allowed to proxy for; any other HTTP request will receive a redirect:

| printf "302:%s%s\n" "${default_url}" "$suffix"

The URL points to the webserver running on the aux-router (as we call it). The www user has passwordless sudo rules that allow the web code to call scripts for adding and removing a client to and from ipfw tables [2].

You're also going to need to get ipfw to play with bridging. For this, you'll need to `sysctl -w net.link.bridge.ipfw=1` [3].
The portion of your ruleset is going to look something like this:

| TABLE_AUTH='table(10)'
| $cmd allow all from $TABLE_AUTH to any bridged
| $cmd allow all from any to $TABLE_AUTH bridged
| $cmd fwd 127.0.0.1,3128 tcp from $MY_SUBNET to any http bridged
| $cmd deny all from any to any bridged

NB: you may need IPFIREWALL_FORWARD enabled to get full use of the fwd action.

You'll also probably need to poke holes for or deal with DNS, any remote webserver your authentication process may require access to, etc. Also note, I haven't actually done this with bridging, so your mileage may vary.

I found 2 tools to be invaluable when working on this project:

1) tcpdump (use -i for interface, and watch the traffic in order to profile exactly what you need to allow, fwd, etc.).

2) ipfw logging. I found that on any deny rule, especially when troubleshooting, I'd do something like:

| $cmd deny log logamount 0 all from any to any bridged

Or, just as useful, but you can stick anywhere in the middle without affecting packet flow:

| $cmd count log logamount 0 all from any to any bridged

NB: AFAIK, requires kernel option IPFIREWALL_VERBOSE

I might be able to give you some more pointers if you get stumped, but I hope this helps you get well on your way.

[1] http://wiki.squid-cache.org/SquidFaq/SquidRedirectors
[2] ipfw(8) /LOOKUP TABLES
[3] ipfw(8) /PACKET FLOW

--
Chris Cowart
Network Technical Lead
Network Infrastructure Services, RSSP-IT
UC Berkeley
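A redirect script of the shape the reply describes (always-authorized hosts pass, everything else gets a 302 to the portal), written here as an added example; it is not the poster's in-house script, and the portal URL, the allowed-host list and the script name are assumptions:

```shell
#!/bin/sh
# Squid redirector for a captive portal. Added example, not the poster's script.
# Squid hands the helper one request per line on stdin:
#     URL client_ip/fqdn ident method
# and expects one line back: empty to let the request through unchanged, or
# "302:<url>" to send the client a redirect to the portal.
# Hypothetical values: the portal URL and the hosts that are always reachable.
PORTAL_URL="https://portal.example.net/login"
ALLOWED_HOSTS="portal.example.net www.example.net"

# Host part of an http(s):// URL: strip scheme, path, query, userinfo, port.
# The userinfo step matters: "http://portal.example.net@evil.example/" is a
# request to evil.example, and a naive prefix match would let it through.
url_host() {
    h=${1#*://}     # scheme
    h=${h%%/*}      # path
    h=${h%%\?*}     # query without a path separator
    h=${h##*@}      # user:pass@
    h=${h%%:*}      # :port
    printf '%s\n' "$h" | tr 'A-Z' 'a-z'
}

# Exact, whole-token match against ALLOWED_HOSTS. A substring or glob test
# ("*portal.example.net*") would also match http://evil.example/?x=portal.example.net
host_allowed() {
    for a in $ALLOWED_HOSTS; do
        [ "$1" = "$a" ] && return 0
    done
    return 1
}

# Percent-encode every byte of the original URL so it can ride along as a
# query parameter without injecting extra parameters into the portal URL.
urlencode() {
    printf '%s' "$1" | od -An -tx1 -v | tr -d ' \n' | sed 's/\(..\)/%\1/g'
}

# Answer for one request: "" (pass through) or "302:<portal>?url=<encoded>".
redirect_for() {
    if host_allowed "$(url_host "$1")"; then
        printf '\n'
    else
        printf '302:%s?url=%s\n' "$PORTAL_URL" "$(urlencode "$1")"
    fi
}

# Main loop; only runs when started as "redirect.sh serve" (e.g. from
# squid.conf: url_rewrite_program /usr/local/sbin/redirect.sh serve),
# so the functions can be sourced or tested without consuming stdin.
if [ "${1:-}" = "serve" ]; then
    while read -r url rest; do
        redirect_for "$url"
    done
fi
```

The host is compared exactly rather than by substring, so a request that merely mentions an allowed host in its userinfo or query string is still redirected.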
Re: bashrc configuration question: syntax error: unexpected end of file
Noah wrote:
> I am unable to figure out why I am getting the following error:
>
> -bash: /Users/user/.bashrc: line 10: syntax error: unexpected end of file
>
> [...]
>
> localhost:~ user$ cat .bashrc
> #nc_fix() { sudo kill -9 $(ps auxwww | grep [nN]cproxyd | awk '{print $2}') }
> nc_fix() { sudo kill -9 $(ps auxwww | grep [nN]cproxyd | awk '{print $2}') }

The } is a statement, and must be preceded with a newline or a ;. Try:

| nc_fix() { sudo kill -9 $(ps auxwww | grep [nN]cproxyd | awk '{print $2}'); }

or

| nc_fix() {
|     sudo kill -9 $(ps auxwww | grep [nN]cproxyd | awk '{print $2}')
| }

Everything that follows right now is part of the definition of nc_fix(). When you get to the end of the file, it says "Hey! I'm still defining a function!"

--
Chris Cowart
Network Technical Lead
Network Infrastructure Services, RSSP-IT
UC Berkeley
Re: Firewall with bridged interfaces and captive portal
Olivier Nicole wrote:
> I need to implement a firewall with bridged interfaces that offers captive portal (authentication before opening the traffic).
>
> [...]
>
> Is there any solution that exists? I looked at pfSense, but captive portal does not work on bridged interfaces; it's one or the other.
>
> Any other suggestion?

Hello,

We are using a combination of squid+ipfw. Although we are NATing the users, that really just introduces needless complexity that could be avoided with a bridging solution. Our web-app/captive portal/authentication program is written in-house; it's very tightly integrated with several existing pieces of infrastructure. I don't know if there are any solutions that will work out-of-the-box. I can get you more technical details if this is a direction you'd be interested in moving.

--
Chris Cowart
Network Technical Lead
Network Infrastructure Services, RSSP-IT
UC Berkeley
Re: files before ldap in nsswitch.conf
Gerhard Schmidt wrote:
> I'm setting up a new FreeBSD Server for our local Computer club. Most of the users are stored in LDAP and I've installed nss_ldap and pam_ldap and set up both. Everything works so far with nsswitch.conf entry passwd: ldap files. When I try passwd: files ldap the login doesn't work anymore because the LDAP_Server is never asked.

The act of logging in is managed by /etc/pam.d/*, not /etc/nsswitch.conf. If `ls -l` works, you've got NSS configured correctly.

> I tried this to optimize the LDAP requests as the service users are in the local files. This would speed up the boot process and takes some load off the LDAP-Server.
>
> Is there a way to configure FreeBSD to look first in the local files and if a user isn't found in the LDAP-Server.
>
> This is my /etc/nsswitch.conf:
>
> | group: files ldap
> | hosts: files dns
> | networks: files
> | passwd: files ldap
> | shells: files
>
> And /etc/pam.d/system:
>
> | auth sufficient pam_unix.so no_warn
> | auth required /usr/local/lib/pam_ldap.so no_warn use_first_pass

My guess is you used required for both modules, which would require authentication to succeed against both user databases.

> And another question. Is there a way to use two different LDAP-Servers e.g. by calling nss_ldap with different config files.

What's your goal? We have two different LDAP providers with different subtrees that get glued together by a DNS round-robin of LDAP consumers. This round-robin provides a single, unified view of our directory to all our LDAP clients.

--
Chris Cowart
Network Technical Lead
Network Infrastructure Services, RSSP-IT
UC Berkeley
Increasing the datasize limit
Hello,

I have a large data-crunching job once a week that needs some more heap space. How do I go about increasing the datasize limit for a process? Here's what I've tried:

| $ sudo su -
| crunch# limits
| Resource limits (current):
|   cputime          infinity secs
|   filesize         infinity kB
|   datasize           524288 kB
|   stacksize           65536 kB
|   coredumpsize     infinity kB
|   memoryuse        infinity kB
|   memorylocked     infinity kB
|   maxprocesses         5547
|   openfiles           11095
|   sbsize           infinity bytes
|   vmemoryuse       infinity kB
| crunch# limit datasize 1048576
| crunch# limits
| Resource limits (current):
|   cputime          infinity secs
|   filesize         infinity kB
|   datasize           524288 kB
|   stacksize           65536 kB
|   coredumpsize     infinity kB
|   memoryuse        infinity kB
|   memorylocked     infinity kB
|   maxprocesses         5547
|   openfiles           11095
|   sbsize           infinity bytes
|   vmemoryuse       infinity kB
| crunch# grep -C 8 '^[^#].*datasize' /etc/login.conf
| default:\
|         :passwd_format=md5:\
|         :copyright=/etc/COPYRIGHT:\
|         :welcome=/etc/motd:\
|         :setenv=MAIL=/var/mail/$,BLOCKSIZE=K,FTP_PASSIVE_MODE=YES:\
|         :path=/sbin /bin /usr/sbin /usr/bin /usr/games /usr/local/sbin /usr/local/bin /usr/X11R6/bin ~/bin:\
|         :nologin=/var/run/nologin:\
|         :cputime=unlimited:\
|         :datasize=unlimited:\
|         :stacksize=unlimited:\
|         :memorylocked=unlimited:\
|         :memoryuse=unlimited:\
|         :filesize=unlimited:\
|         :coredumpsize=unlimited:\
|         :openfiles=unlimited:\
|         :maxproc=unlimited:\
|         :sbsize=unlimited:\

According to setrlimit(2), "Only the super-user may raise the maximum limits", but apparently, I can't even increase the limit as the superuser. What am I missing?

--
Chris Cowart
Network Technical Lead
Network Infrastructure Services, RSSP-IT
UC Berkeley
Re: Oddities with VLAN/CARP Interfaces on Primary/Failover Setup
Mike Sweetser - Adhost wrote:
> We currently have a primary/failover setup for two FreeBSD 6.3 servers running PF, and we're running into odd issues when setting up multiple subnets on a single VLAN and CARP interface. We have issues with them coming up properly, and even worse, having both servers believe they are master.

If both instances think they're MASTER, make sure you're allowing the multicast traffic for syncing state (in ipfw):

| allow carp from $partner to 224.0.0.18 in via $iface

Carp is protocol 112 from /etc/protocols.

> Here's a snippet of one of the VLANs and CARP interfaces in question:
>
> ifconfig_vlan10="inet 10.142.255.252 netmask 255.255.0.0 vlan 10 vlandev em2"
> ifconfig_vlan10_alias0="inet 10.210.0.2 netmask 255.255.0.0"
> ifconfig_carp10="inet 10.142.255.254 netmask 255.255.0.0 vhid 10 advskew 0 pass testpass"
> ifconfig_carp10_alias0="inet 10.210.0.1 netmask 255.255.0.0"
>
> The main difference between this and our other VLAN/CARP interfaces is that because it's separate subnets, the aliases here are set up with /16 netmasks, while the regular aliases on the others are set up with /32s. Is this correct, or should these also be set as /32s?

It's correct. If you did a /32 on the alias, your system would have no way of knowing how large the second subnet is. The /32 netmask is for adding an alias on the same subnet.

I'm not sure carp can work correctly with aliases. Have you tried creating a separate vhid instance per subnet? For example:

| ifconfig_vlan10="inet 10.142.255.252 netmask 255.255.0.0 vlan 10 vlandev em2"
| ifconfig_vlan10_alias0="inet 10.210.0.2 netmask 255.255.0.0"
| ifconfig_carp10="inet 10.142.255.254 netmask 255.255.0.0 vhid 10 advskew 0 pass testpass"
| ifconfig_carp11="inet 10.210.0.1 netmask 255.255.0.0 vhid 11 advskew 0 pass testpass"

--
Chris Cowart
Network Technical Lead
Network Infrastructure Services, RSSP-IT
UC Berkeley
Re: Run script as root from WebServer
Matias Surdi wrote:
> I'm using mod_python3 and apache22 to create some scripts and access them through a web interface. The problem is that some of these scripts deal with configuration files and some other tasks that require root privileges. In the past, I've solved this issue by using sudo and allowing just the commands I want to allow in the sudoers file to the apache user. But I'm wondering if this is the better way to do what I want to do.
>
> What would you do in such a situation?

I think sudo is pretty much _the_ way to accomplish this. Not that it would be your only option per se, but I think it's definitely your best option.

We maintain a number of scripts that serve very restricted purposes for the use of our web user with sudo.

| www WIFIROUTERS = (root) NOPASSWD: WIRELESS

This allows the www user to run the wireless connection setup/teardown scripts as root without typing a password on wireless routers. We use this to allow a transparent proxy web-app to move the user to the authenticated firewall context.

Our sudoers file (shared across roughly 100 machines) is littered with other examples ranging from allowing users to sa-learn in mailman to nagios monitoring and remote sync jobs for DNS/DHCP.

--
Chris Cowart
Network Technical Lead
Network Infrastructure Services, RSSP-IT
UC Berkeley
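An added example of the kind of restricted script this reply and the captive-portal thread above describe (a script the www user runs as root via sudo to add or remove a client from an ipfw table); it is not the poster's in-house code, and the script name, table number and sudoers line are assumptions:

```shell
#!/bin/sh
# Wrapper that the web app runs as root via sudo to add or remove a client
# address in the ipfw lookup table used for authenticated users.
# Added example, not the poster's in-house scripts; table number, script
# name (authtable.sh) and the matching sudoers line are assumptions:
#     www ALL = (root) NOPASSWD: /usr/local/sbin/authtable.sh
# Because sudo makes this script the trust boundary, it validates both
# arguments strictly and never hands them to another shell.
IPFW=${IPFW:-/sbin/ipfw}
AUTH_TABLE=10      # the table(10) referenced by the captive-portal ruleset

# True only for a dotted-quad IPv4 address: four decimal octets 0-255, no
# leading zeros (inet_aton reads "010" as octal), no CIDR suffix, no
# hostnames, and nothing that looks like an option or shell metacharacter.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    IFS=.; set -- $1; unset IFS
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
        [ "$o" = 0 ] || [ "${o#0}" = "$o" ] || return 1
    done
    return 0
}

# Build the exact ipfw command line for one operation, or fail. Printing it
# (instead of running it here) keeps the policy testable without root.
table_cmd() {
    case $1 in add|delete) ;; *) return 1 ;; esac
    valid_ipv4 "$2" || return 1
    printf '%s table %s %s %s\n' "$IPFW" "$AUTH_TABLE" "$1" "$2"
}

# Entry point: authtable.sh add 10.1.10.20
main() {
    [ $# -eq 2 ] || { echo "usage: $0 add|delete IPv4" >&2; return 64; }
    cmd=$(table_cmd "$1" "$2") || { echo "rejected: $1 $2" >&2; return 65; }
    logger -t authtable "${SUDO_USER:-?}: $cmd"   # audit trail in syslog
    $cmd
}

# Only act when called with arguments, so the file can be sourced for tests.
if [ $# -gt 0 ]; then
    main "$@"
fi
```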
Re: bash shell colors
Sam Fourman Jr. wrote:
> I am looking to configure FreeBSD's Bash. Can anyone post a config file that would make FreeBSD's Bash shell color code like the default gentoo bash shell? Or if you have a config that you like and feel like posting it, I will take a look at it.

This is also heavily inspired by gentoo, but has some hooks that will help you with customizing the colors. For the full guide of what all the \-escaped sequences mean, see the PROMPTING section of the bash man page.

| # Some variables that make it easy to do things in color
| BLUE="\[\033[0;34m\]"
| BBLUE="\[\033[1;34m\]"
| RED="\[\033[0;31m\]"
| LIGHT_RED="\[\033[1;31m\]"
| WHITE="\[\033[1;37m\]"
| NOCOLOR="\[\033[0m\]"
| BLACK="\[\033[30;47m\]"
| RED2="\[\033[31;47m\]"
| GREEN="\[\033[0;32m\]"
| BGREEN="\[\033[1;32m\]"
| BYELLOW="\[\033[1;33m\]"
| BLUE2="\[\033[34;47m\]"
| MAGENTA="\[\033[35;47m\]"
| CYAN="\[\033[36;47m\]"
| BCYAN="\[\033[1;36m\]"
| WHITE2="\[\033[37;47m\]"
| TEAL="\[\033[0;36m\]"
|
| # This sets PS1 so that xterm names and screen window listings are
| # automatically populated with the contents of your prompt. You may
| # find it useful if you use xterm or rxvt or screen, but will probably
| # want to omit it otherwise.
| case $TERM in
|     xterm*|rxvt*)
|         TITLEBAR="\[\033]0;[EMAIL PROTECTED] : \w\007\]"
|         ;;
|     screen*)
|         TITLEBAR="[EMAIL PROTECTED] : \w\033\134\]\[\033]0;[EMAIL PROTECTED] : \w\007\]"
|         ;;
|     *)
|         TITLEBAR=""
|         ;;
| esac
|
| PS1="${BGREEN}\\u ${BCYAN}\\h ${BGREEN}\\W${BCYAN} \\\$${NOCOLOR} ${TITLEBAR}"
| SUDO_PS1="$PS1"
| export PS1 SUDO_PS1

--
Chris Cowart
Network Technical Lead
Network Infrastructure Services, RSSP-IT
UC Berkeley
Re: Wireshark
Grant Peel wrote:
> Hi all,
>
> I recently became aware of a utility called Wireshark (apparently formerly 'Ethereal'), and was showing a running copy on Windoze. It appears that it would be awesome for diagnosing network issues (such as DoS attacks, Email bombs etc.).
>
> My question is: Does the version in /usr/ports/net/wireshark require X11 to run, or can it be run from the command line with straight text output? (I don't have/want X on the servers).

It looks like the port respects the WITHOUT_X11 knob. I believe you get the command tshark if you don't have the GUI, which can do similar packet analysis and display in text form. I believe tshark can be used almost exactly like tcpdump for watching live traffic, but it can also read in tcpdump trace files.

--
Chris Cowart
Network Technical Lead
Network Infrastructure Services, RSSP-IT
UC Berkeley
Re: Wireshark
Grant Peel wrote:
> Just attempting to install the port. Something I noticed when the install crapped out was that it wanted me to use the Force Package Register for the OpenSSL_Overwrite_Base port. That port was already installed; what would be the correct method to deal with this?

I usually only see this error with ports we've written in-house. Usually it happens because the dependency check on a specific file is bad. The check fails, which causes the port to believe it needs to install the dependency, but the package registry gets upset because the package is already installed and it doesn't think it needs to be reinstalled.

If these are real ports, you might want to report the brokenness. You'll probably find that you can FORCE_PKG_REGISTER=1 and leave it at that (though I typically treat it as a last resort and instead opt for fixing the port).

--
Chris Cowart
Network Technical Lead
Network Infrastructure Services, RSSP-IT
UC Berkeley
Re: Configure 2 gateways on a freebsd box for 2 interfaces
The Noob wrote:
> I have a small question. I have two interfaces in two vlans.
>
> The first interface: 192.168.0.1 255.255.255.0
> The second interface: 10.228.44.1 255.255.255.0
>
> The gateway for the first interface must be 192.168.0.254 and the second interface must be 10.228.44.254
>
> How can I configure them? In rc.conf we have just defaultrouter but we can't specify the interface.

I'm guessing you want the gateway to be chosen based on the source address, correct? The kernel does not support routing based on the source address. I use ipfw and fwd rules to achieve this:

| ipfw add fwd 10.228.44.254 ip from 10.228.44.1 to not 10.228.44.0/24

Then you can leave the default_gateway as 192.168.0.254. You might need IPFIREWALL_FORWARD in your kernel config. See ipfw(8).

--
Chris Cowart
Network Technical Lead
Network Infrastructure Services, RSSP-IT
UC Berkeley
Re: IPFW In FreeBSD
Marcel Grandemange wrote:
> Ok so I know this is a newbie question.. But I've for years now wanted to know how to only nat certain traffic or maybe only across a certain ip. I've tried many examples, all not working.. Maybe I'm just doing something stupid.. But, below is an example of a machine that is natting everything on em0. I'd like to know how to change that to everything on say 196.212.65.186 instead of the entire interface. Or better yet.. Stop natting everything and say only nat web traffic. I'm having issues where certain traffic is being nated that MUSTN'T be!

If you're running 7.0, you can ditch divert and use the built-in NAT functionality (you can probably replace the nat rules for divert rules). You can use source and destination ports and addresses when deciding what to have ipfw divert/nat. They're rules just like any others. Here's what I do:

/etc/ipfw.rules:

| CMD="/sbin/ipfw -q add"
|
| # Configure NAT
| /sbin/ipfw -q nat 1 config if inet log reset unreg_only same_ports \
|     redirect_port tcp 10.1.10.20:80 80 \
|     redirect_port tcp 10.1.10.20:443 443
|
| # loopback
| $CMD allow all from any to any via lo0
| $CMD deny log all from 127.0.0.0/8 to any
|
| # Anti-spoof
| $CMD deny log all from any to any not verrevpath in
|
| # Catch proto 41 without NATing
| $CMD allow ipv6 from any to me
|
| # Allow this box to initiate unNATed outbound connections
| $CMD allow ip from me to any keep-state
|
| # NAT
| $CMD nat 1 ip4 from any to me in via inet
| $CMD nat 1 ip4 from 10.1.10.0/24 to not me out via inet
|
| # ICMP
| $CMD allow icmp from any to any
|
| # SSH From local nets
| $CMD allow tcp from 10.1.10.0/24 to me ssh
|
| # DNS from local nets
| $CMD allow udp from 10.1.10.0/24 to me domain
|
| # DHCP from local nets
| $CMD allow udp from any to me bootps in via bridge0
| $CMD allow udp from 0.0.0.0 to 255.255.255.255 bootps in via bridge0
|
| # Deny anything else destined to me
| $CMD deny log ip from any to me
|
| # But forward any other traffic
| $CMD allow ip4 from any to any

--
Chris Cowart
Network Technical Lead
Network Infrastructure Services, RSSP-IT
UC Berkeley
Re: IPFW: Is keep/check-state inherent?
Steve Bertrand wrote:
> I can't recall for certain, but not so long ago, I either read or heard about IPFW having implicit keep-state and check-state. Is it true that I can now omit these keywords in my rulesets?

keep-state is not implicit. check-state is not generally necessary, because dynamic rules are applied at the very first occurrence of a stateful rule.

I prefer to use keep-state for outbound traffic (something like `allow all from me to any keep-state'). For things with inbound connections, I prefer to not use state (`allow tcp from any to me http; allow tcp from me http to any') in order to prevent remote hosts from using up all the dynamic rules.

--
Chris Cowart
Network Technical Lead
Network Infrastructure Services, RSSP-IT
UC Berkeley
Re: Cloning a gmirrored hard drive
Sasa Stupar wrote:
> My situation: I have a server with FBSD 7 installed with two 40 GB disks in RAID 1 (gmirror) config. Now I have noticed the lack of space on the drive so I am thinking to change these disks for two 160 GB. What is the best way to clone the main hard disk in raid 1 config? Is this possible or is it better to switch back from RAID 1 to single disk system and then do cloning with dump/restore (or dd) and then make RAID 1 again?

I use a variation of this guide [1] when I'm setting up gmirror.

The last time I increased the size of the array, I removed one drive from the array (gmirror remove). I rebooted with the bigger drive. I created /dev/mirror/gm1 with the new drive. I followed the dump/restore steps from the guide, switching up the logic a little bit. I then booted the system from the new, larger mirror (gm1) with the other large disk inserted, and did a `gmirror insert'. In the process of building the new mirror on gm1, I made bigger labels in the labeling step for the ones that were filling up.

[1] http://people.freebsd.org/~rse/mirror/

--
Chris Cowart
Network Technical Lead
Network Infrastructure Services, RSSP-IT
UC Berkeley
Lots of accounting data
Hello,

I'm playing a game of cat and mouse with process accounting and disk space. I built some boxes with 9GB /var partitions, rolled them into production, and after about 4 days of full load, /var filled up. Looking at the size of /var/account/acct{,.0}, and figuring I'd be seeing a 200% load increase in about a month, I created a new label from the large chunk of free space I saved for situations like this. 40GB mounted to /var/account: usage was down to 20%, and I thought the crisis was averted.

About a week and a half later, I get a disk full e-mail from nagios and

| +pid 94696 (gzip), uid 0 inumber 6 on /var/account: filesystem full

in my dailies again. My /var/account/acct file was 17GB in size. Add one rotation before compression and I completely lose that feeling of cleverness I had when I gave accounting a dedicated 40GB partition.

If you're wondering how I can possibly have this much accounting data, two `vmstat -f' invocations 100 seconds apart show 32282 forks (an average of 323 per second). These boxes are running squid with a redirect script to implement a captive portal. There are generally several hundred unauthenticated users; all of their http traffic, from firefox to the little weather widgets and spyware phoning home, gets proxied through squid and subsequently a redirect script that, among other things, does some text munging on the URL, and queries various ipfw tables to determine what context the user is in. Some of this could be optimized to launch fewer processes, but the code would be less maintainable.

I only really see two options, neither of which I particularly like:

* Throw more disk at the problem (but given what I've seen, I don't like the odds that within a month or two, I'll realize I didn't give it enough).
* Turn off accounting on these boxes.

Are these really my only options? Is there any kind of tuning I can be doing?

--
Chris Cowart
Network Technical Lead
Network Infrastructure Services, RSSP-IT
UC Berkeley
Re: Lots of accounting data
Bill Moran wrote:
> In response to Christopher Cowart [EMAIL PROTECTED]:
>
> > I only really see two options, neither of which I particularly like:
> >
> > * Throw more disk at the problem (but given what I've seen, I don't like the odds that within a month or two, I'll realize I didn't give it enough).
> > * Turn off accounting on these boxes.
>
> * Rotate and compress more frequently; and store less history?

The compressed history amounts to nothing in comparison (1.5GB per file as opposed to 17GB). I suppose I could configure our hourly logrotate to replace the functionality of /etc/periodic/daily/310.accounting. Sounds like a viable solution to me.

Thanks,

--
Chris Cowart
Network Technical Lead
Network Infrastructure Services, RSSP-IT
UC Berkeley
Re: Lots of accounting data
Dan Nelson wrote:
> > I only really see two options, neither of which I particularly like:
> >
> > * Throw more disk at the problem (but given what I've seen, I don't like the odds that within a month or two, I'll realize I didn't give it enough).
> > * Turn off accounting on these boxes.
>
> * edit /etc/periodic/daily/310.accounting to keep less historical copies of acct.
> * edit /sys/kern/kern_acct.c to not write accounting records for the squid userid.
> * Mount a ZFS filesystem on /var/account/ with compression enabled. Even lzjb compression will get you 3:1 compression on the acct files; gzip-1 should get you even more.

Thank you for the extra suggestions.

I've uncovered the root cause of the problem. It's documented in bin/120293: [patch] sa(8) fails to summarize/truncate accounting data. It appears that the daily execution of `sa -s -q' is *not* actually summarizing the data, and thus not truncating the file. As such, /var/account/acct is growing without bound -- not being restored to a size of 0 after the periodic run. This is a bug in sa(8).

Will this patch be MFCd to 7.0 as an errata? Should somebody submit a request to [EMAIL PROTECTED]?

--
Chris Cowart
Network Technical Lead
Network Infrastructure Services, RSSP-IT
UC Berkeley
Re: Transparent Bridge with VLAN Tagging - How?
Mike Sweetser - Adhost wrote:
> Hello,
>
> I'm attempting to set up a transparent bridge in FreeBSD 7.0 to eventually act as a PF/Snort box, and it needs to be VLAN aware. However, I don't seem to be on the right track as far as setting it up. I have, for instance, VLAN 10 that it needs to be aware of, and this network segment is on VLAN 10 from a switch higher up. I have the current setup, but once it's running, I can't ping anything. bge0 is the outside interface, bge1 is inside:
>
> defaultrouter="192.168.1.1"
> gateway_enable="YES"
> cloned_interfaces="bridge0 vlan0 vlan1"
> ifconfig_vlan0="vlan 10 vlandev bge0"
> ifconfig_vlan1="vlan 10 vlandev bge1"
> ifconfig_bridge0="inet 192.168.1.10 netmask 255.255.0.0 addm bge0 addm bge1 addm vlan0 addm vlan1 up"
> ifconfig_bge0="up"
> ifconfig_bge1="up"
>
> What am I doing wrong?

I'm pretty sure you *don't* want to bridge the interfaces with their parents (vlan0 shouldn't be bridged with bge0 -- if it even works, it would cause tagged packets to be untagged and retransmitted out the incoming interface (what cisco calls the native vlan) and vice versa).

I've only bridged vlan interfaces -- not their parents. E.g.:

| cloned_interfaces="bridge0 vlan190 vlan590"
| ifconfig_bge0="up"
| ifconfig_vlan190="vlan 190 vlandev bge1"
| ifconfig_vlan590="vlan 590 vlandev bge1"
| ifconfig_bridge0="addm vlan190 addm vlan590"

If you want to bridge the parents, I think it would look like this (YMMV):

| cloned_interfaces="bridge0 vlan10"
| ifconfig_bge0="up"
| ifconfig_bge1="up"
| ifconfig_bridge0="addm bge0 addm bge1"
| ifconfig_vlan10="vlan 10 vlandev bridge0"

I don't know how well if_bridge(4) copes with vlan tags -- I know it breaks if you bridge a vlan(4) with a gif(4). I also don't know if a vlan interface will happily accept a bridge parent.

--
Chris Cowart
Network Technical Lead
Network Infrastructure Services, RSSP-IT
UC Berkeley
Re: carp interface and running manual scripts
Omer Faruk SEN wrote:
> Is it possible to run a script after carp interface becomes MASTER? I.e. an external script that runs the required services..

You should look at the ucarp implementation provided in ports (net/ucarp). I believe it does its magic in userland and supports the execution of arbitrary scripts.

--
Chris Cowart
Network Technical Lead
Network Infrastructure Services, RSSP-IT
UC Berkeley
Re: time drift
David Kelly wrote:
> It's PC commodity-grade. Not all that unusual even for stuff sold claiming to be a server. This is in no small part why ntpd exists. ntpd calculates a correction coefficient and (under FreeBSD) stores it in /var/db/ntpd.drift for use on next start so as to more quickly establish a lock. So in short ntpd calibrates your clock in order to minimize the corrections required. Is The Right Thing To Do.

We run a large number of FreeBSD servers under vmware. We've seen ntpd silently die, because the drift becomes insane. What do others do in this situation? (We've resorted to croning ntpdate for VMs.)

--
Chris Cowart
Network Technical Lead
Network Infrastructure Services, RSSP-IT
UC Berkeley
Re: How to delete One line on tcsh history....??
Agus wrote:
> I've been trying to delete one line from my user tcsh history because I made a su and it seems I didn't hit enter very well so I typed the password on the console... Now anyone that can look at my history will see my pass... I tried to edit and delete a few lines but it all comes again. Tried history clear but when I login again it appears all again..hehe... It's so secure and cool tcsh that I have no idea how to do it... been a bash user...

I use this strategy with bash, so YMMV:

| $ vim .bash_history
| (kill line)
| $ kill -9 $$

$$ should expand to the pid of the running shell; if it doesn't in tcsh, sub it out yourself. The kill -9 prevents the shell from doing its normal exit stuff (like writing out the history) and just kills the process. You'll need to kill -9 any shell that you launched while the bad line was in the history file.

--
Chris Cowart
Network Technical Lead
Network Infrastructure Services, RSSP-IT
UC Berkeley
lang/php5 fails in apxs
Hello,

I stumbled across this behavior roughly a year ago. The php5 port has the following lines in the pkg-plist:

| [EMAIL PROTECTED] %D/sbin/apxs -e -a -n %%AP_NAME%% %f
| [EMAIL PROTECTED] %D/sbin/apxs -e -A -n %%AP_NAME%% %f

This command reads /usr/local/etc/apache22/httpd.conf, looks for LoadModule lines, appends a LoadModule for php5, and exits. I don't have any LoadModule lines in my httpd.conf; they've all been separated out into include files. The result is the port fails to install:

| apxs:Error: Activation failed for custom
|   /usr/local/etc/apache22/httpd.conf file..
| apxs:Error: At least one `LoadModule' directive already has to exist..
| pkg_add: command '/usr/local/sbin/apxs -e -a -n php5 libphp5.so' failed
| --- Removing old package'
| ** Fix the installation problem and try again.

Needless to say, this is annoying. I have to remember to add a LoadModule foo foo.so line to the httpd.conf whenever I upgrade php5, and remove both it and the PHP LoadModule directive when I'm done.

Why does the port think it's kosher to touch live configuration files? A lot of people keep their configurations under revision control (and most probably should). On the next commit on my system, this change is gone anyways.

Does anyone have any decent workarounds? Better yet, is there any interest in fixing the php5 port so that it doesn't touch configuration files? At the very least, I'd love a knob to disable the feature.

--
Chris Cowart
Network Technical Lead
Network Infrastructure Services, RSSP-IT
UC Berkeley
Re: gmirror disk fail questions...
Gary Newcombe wrote:
> [...]
>
> # gmirror status
> [mesh:/var/log]# gmirror status
>       Name    Status  Components
> mirror/gm0  DEGRADED  ad4
>
> looking in /dev/ however, we have
>
> crw-r-----  1 root  operator    0,  83 17 Apr 13:58 ad4
> crw-r-----  1 root  operator    0,  91 17 Apr 13:58 ad4s1
> crw-r-----  1 root  operator    0,  84 17 Apr 13:58 ad6
> crw-r-----  1 root  operator    0,  92 17 Apr 13:58 ad6a
> crw-r-----  1 root  operator    0,  99 17 Apr 13:58 ad6as1
> crw-r-----  1 root  operator    0,  93 17 Apr 13:58 ad6b
> crw-r-----  1 root  operator    0,  94 17 Apr 13:58 ad6c
> crw-r-----  1 root  operator    0, 100 17 Apr 13:58 ad6cs1
> crw-r-----  1 root  operator    0,  95 17 Apr 13:58 ad6d
> crw-r-----  1 root  operator    0,  96 17 Apr 13:58 ad6e
> crw-r-----  1 root  operator    0,  97 17 Apr 13:58 ad6f
> crw-r-----  1 root  operator    0,  98 17 Apr 13:58 ad6s1
> crw-r-----  1 root  operator    0, 101 17 Apr 13:58 ad6s1a
> crw-r-----  1 root  operator    0, 102 17 Apr 13:58 ad6s1b
> crw-r-----  1 root  operator    0, 103 17 Apr 13:58 ad6s1c
> crw-r-----  1 root  operator    0, 104 17 Apr 13:58 ad6s1d
> crw-r-----  1 root  operator    0, 105 17 Apr 13:58 ad6s1e
> crw-r-----  1 root  operator    0, 106 17 Apr 13:58 ad6s1f
>
> I am guessing that a failing disk is responsible for the data corruption, but I have no errors in /var/log/messages or console.log. On every boot, the mirror is marked clean and there's no warnings about a disk failing anywhere? Where should I be looking for or what should I be doing to get any warnings?
>
> Also, how come if ad4 is the working disk, ad4's slices seem to be labelled as ad6. What's going on here? To me, ad6 appears to have correct labelling for the mirror from ad6s1a-f

I believe the kernel hides individual labels for a gmirror volume. The labels on ad4 should be visible in /dev/mirror/. Because gmirror really just mirrors the data block by block (with a little bit of meta data at the very end of the drive), once the drive is no longer a member of an array, the kernel treats it as an individual drive and allows visibility of all the labels.

> How can I test for sure whether the disk is damaged or dying, or whether this is just a temporary glitch in the mirror? This is the first time I've had a gmirror raid give me problems.

The first time a drive gets kicked out, I typically try to re-insert it. We have monitoring, so we receive notifications if it fails again. After that, I get the vendor to replace it.

> Assuming ad6 has been deactivated/disconnected, I was thinking of trying:
>
> gmirror activate gm0 ad6
> gmirror rebuild gm0 ad6
>
> Is this safe?

You have to kick ad6 out and re-insert it:

| # gmirror forget gm0
| # gmirror insert gm0 /dev/ad6

After doing that, I would watch closely for a while in case your drive is actually failing. I've written a small nagios check for gmirror; let me know if you'd like me to send it (it could easily be adapted to a cron job). You can also get `gmirror status' output in your dailies by adding daily_status_gmirror_enable="YES" to /etc/periodic.conf.

But, given it's timing out on boot, I would personally bag the drive and replace it. You'll still need to run the same 2 commands above.

--
Chris Cowart
Network Technical Lead
Network Infrastructure Services, RSSP-IT
UC Berkeley
Re: file/directory names with space in between
Simon Gao wrote:
> I need to work on some files and directories that have spaces in them like: interesting story\2008 March\{story one,story two}. When using find with -exec, part of the file/directory name will be missing and therefore lead to error. What should I do to put escape key in there to include full names?

$ echo foo > "test 1"
$ find . -type f -exec cat {} \;
foo

Looks like it Just Works(tm), no quoting necessary. Could you provide the actual command you're running that isn't doing what you expect?

-- 
Chris Cowart
Network Technical Lead
Network Infrastructure Services, RSSP-IT
UC Berkeley
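The usual reason names "lose" part of themselves is not find -exec at all but the shell word-splitting find's output afterwards. The script below is an added example, not part of the thread: it builds a scratch tree with spaces in the names (constructed here, under a mktemp directory), then compares -exec, a word-splitting `for f in $(find ...)` loop, and the -print0/xargs -0 idiom. It assumes a POSIX sh plus find(1), xargs(1) and mktemp(1); the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original thread): which find idioms survive
# file names containing spaces. The tree is constructed purely for the demo.

# Create "<tmp>/interesting story/2008 March/{story one,story two}" and
# print the temporary root so the caller can clean it up.
make_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/interesting story/2008 March"
    printf 'one\n' > "$d/interesting story/2008 March/story one"
    printf 'two\n' > "$d/interesting story/2008 March/story two"
    printf '%s\n' "$d"
}

# find -exec hands each path to cat as one argv element, so no quoting is
# needed and names with spaces arrive intact. Prints how many lines were
# read, i.e. how many of the files were actually opened.
count_with_exec() {
    find "$1" -type f -exec cat {} \; 2>/dev/null | wc -l | tr -d ' '
}

# The classic mistake: capture find's output in a command substitution and
# let the shell split it on whitespace. "story one" arrives as "story" and
# "one", neither of which exists, so every cat fails and the count is 0.
count_with_wordsplit() {
    n=0
    for f in $(find "$1" -type f); do
        cat "$f" >/dev/null 2>&1 && n=$((n + 1))
    done
    echo "$n"
}

# When one command must see many files at once (a single tar, grep, ...),
# pass NUL-terminated paths instead; FreeBSD find/xargs support -print0/-0.
count_with_print0() {
    find "$1" -type f -print0 | xargs -0 cat 2>/dev/null | wc -l | tr -d ' '
}

# Usage: sh find-spaces.sh demo
if [ "${1:-}" = demo ]; then
    t=$(make_tree)
    echo "-exec:      $(count_with_exec "$t") files read"
    echo "word-split: $(count_with_wordsplit "$t") files read"
    echo "-print0:    $(count_with_print0 "$t") files read"
    rm -rf "$t"
fi
```

If the poster's real command pipes find into a loop or into plain xargs, that is where the names are being chopped; switching to -exec or -print0/-0 fixes it without any manual escaping.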
Re: FreeBSD Traffic Shaping
[EMAIL PROTECTED] wrote: I am trying to limit the bandwidth available to some connections and I'm not sure FreeBSD can handle this. Maybe some of you can help. Here's what I need to have exactly. No matter what the number of connections, each connection should have at most/least 50kbps guaranteed outbound on port 80. I've tried dummynet but it doesn't do what I need because if I define a pipe with 1mbps and if I have 1000 connections, each connection will have less than 50kbps. Any way to do this in FreeBSD ? The ipfw(8) man page describes a mask configuration parameter. # /sbin/ipfw pipe 1 config mask src-ip 0x bw 56Kbit/s This creates a separate dynamic pipe per source ip address. Each pipe has a dedicated 56kbps. The man page implies that the mask can combine fields, so to uniquely identify each connection, you would mask all bits of source and destination IP and ports. It looks like the all keyword might do just the trick. -- Chris Cowart Network Technical Lead Network Infrastructure Services, RSSP-IT UC Berkeley pgp5KnNOvP2bP.pgp Description: PGP signature
Re: Suppressing Limiting icmp unreach response log messages
Paul Hoffman wrote:
> How can I eliminate the Limiting icmp unreach response messages from getting to /var/log/messages or to the console? I have a spate of them that is causing log rollovers. I think I know the source of the problem, but need to get rid of the messages first.

The icmp unreach responses happen when someone sends a UDP packet to your computer on a port with no running service (or at least, this is the most likely explanation). Some options:

* Set up a firewall to deny the inbound traffic
* Configure blackhole(4) to do the same

I wouldn't recommend attacking the problem from the point of view of just making the log messages go away, but if you're comfortable with that, then the other post recommending syslog-ng might work for you (though I'd recommend configuring a pattern match on the message you want to discard or re-route).

-- 
Chris Cowart
Network Technical Lead
Network Infrastructure Services, RSSP-IT
UC Berkeley
Missing SATA drive after upgrade to 7.0
Hello,

I was in the process of upgrading from 6.2 to 7.0. After the installkernel, I rebooted into single, only to find the mountroot prompt:

| Trying to mount root from ufs:/dev/ad2s1a
|
| Manual root filesystem specification:
|   fstype:device  Mount device using filesystem fstype
|                  eg. ufs:da0s1a
|   ?              List valid disk boot devices
|   empty line     Abort manual input
|
| mountroot> ?
|
| List of GEOM managed disk devices:
|   acd0 fd0

Boot messages for 7.0 (grep -i ata dmesg-7.0):

| atapci0: <Intel 6300ESB SATA150 controller> port
| 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0x1470-0x147f at device 31.2
| on pci0
| ata0: <ATA channel 0> on atapci0
| ata0: [ITHREAD]
| ata1: <ATA channel 1> on atapci0
| ata1: [ITHREAD]
| acd0: CDROM <LG CD-ROM CRN-8245B/1.16> at ata0-master UDMA33

Boot messages for 6.2 (grep -i ata dmesg-6.2):

| atapci0: <Intel 6300ESB SATA150 controller> port
| 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0x1470-0x147f at device 31.2
| on pci0
| ata0: <ATA channel 0> on atapci0
| ata1: <ATA channel 1> on atapci0
| acd0: CDROM <LG CD-ROM CRN-8245B/1.16> at ata0-master UDMA33
| ad2: 76324MB <Seagate ST380013AS 3.25> at ata1-master SATA150

Any ideas where my harddrive went? I can `boot kernel.old' without any problems.

I think this post [1] might be related. Unfortunately, the problem went away for the person who submitted the referenced PR.

[1] http://lists.freebsd.org/pipermail/freebsd-i386/2008-January/006239.html

-- 
Chris Cowart
Network Technical Lead
Network Infrastructure Services, RSSP-IT
UC Berkeley
Re: confusion configuring NAT
Josh Paetzel wrote:
> > I don't see much in the man page for ipfw concerning nat, certainly not the rules you are specifying.
>
> Try man natd

NAT support was added to ipfw with the 7.0 release. You don't need to run natd if you're using ipfw nat.

Robert Huff wrote:
> ipfw nat 10 config log ip 10.0.0.0/8

You should disable natd. Try the following command to configure the nat rule:

# ipfw nat 10 config if $OIF log reset

-- 
Chris Cowart
Network Technical Lead
Network Infrastructure Services, RSSP-IT
UC Berkeley
Re: (more) confusion configuring NAT
Robert Huff wrote:
> 1) when I add the nat instance, it assigns it rule # 65100. Is this a problem? Is there a way to assign my own rule #? (ipfw seems not to like two adds in the same line.)
>
> 2) NAT still doesn't work. Still connected, but can't surf to www.google.com using Firefox.

My kernel conf:

| options IPFIREWALL
| options IPFIREWALL_VERBOSE
| options IPFIREWALL_VERBOSE_LIMIT=100
| options IPFIREWALL_FORWARD
| options IPFIREWALL_NAT
| options LIBALIAS

My (abbreviated) ipfw.rules script:

| /sbin/ipfw -q nat 1 config if vlan98 log reset unreg_only same_ports
| $CMD allow all from any to any via lo0
| $CMD nat 1 ip4 from any to any
| $CMD allow icmp from any to any
| $CMD deny log ip from any to me
| $CMD allow ip4 from any to any

-- 
Chris Cowart
Network Technical Lead
Network Infrastructure Services, RSSP-IT
UC Berkeley
Re: (more) confusion configuring NAT
Robert Huff wrote:
> Christopher Cowart writes:
> > > 2) NAT still doesn't work. Still connected, but can't surf to www.google.com using Firefox.
> >
> > My kernel conf:
> >
> > | options IPFIREWALL
> > | options IPFIREWALL_VERBOSE
> > | options IPFIREWALL_VERBOSE_LIMIT=100
> > | options IPFIREWALL_FORWARD
> > | options IPFIREWALL_NAT
> > | options LIBALIAS
>
> I do not have options IPFIREWALL_FORWARD (it's commented out) because the attached comment says: enable xparent proxy support
> Since that machine doesn't do proxy ... is this necessary?

Should be fine.

> > My (abbreviated) ipfw.rules script:
> >
> > | /sbin/ipfw -q nat 1 config if vlan98 log reset unreg_only same_ports
> > | $CMD allow all from any to any via lo0
> > | $CMD nat 1 ip4 from any to any
> > | $CMD allow icmp from any to any
> > | $CMD deny log ip from any to me
> > | $CMD allow ip4 from any to any
>
> Not an ipfw guru, but don't see anything that contradicts what I have.

Do you have gateway_enable=YES in your /etc/rc.conf?

$ sysctl -a net.inet.ip.forwarding
net.inet.ip.forwarding: 1

Is the interface mentioned in the nat config the interface with the public IP?

Try putting `$CMD count log ip from any to any' rules to see if traffic is matching where you expect it to; I have found this incredibly useful in the past, because interface and direction tags are not always intuitive (especially once you get fwd rules, which luckily you don't have).

-- 
Chris Cowart
Network Technical Lead
Network Infrastructure Services, RSSP-IT
UC Berkeley
Re: (more) confusion configuring NAT
Robert Huff wrote:
> Christopher Cowart writes:
> > Do you have gateway_enable=YES in your /etc/rc.conf?
>
> huff@> grep gate /etc/rc.conf
> gateway_enable=YES
>
> > $ sysctl -a net.inet.ip.forwarding
> > net.inet.ip.forwarding: 1
>
> huff@> sysctl -a net.inet.ip.forwarding
> net.inet.ip.forwarding: 1
>
> > Is the interface mentioned in the nat config the interface with the public IP?
>
> em0 connects to the cable modem.
>
> > Try putting `$CMD count log ip from any to any' rules to see if traffic is matching where you expect it to;
>
> Where do I find the results of this

Typically /var/log/security. Assuming you have IPFIREWALL_VERBOSE in your kernel config.

-- 
Chris Cowart
Network Technical Lead
Network Infrastructure Services, RSSP-IT
UC Berkeley
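Once `count log` rules are in place, /var/log/security fills quickly and the useful question is "which rule, which direction, which interface". The script below is an added example and not part of the thread: two sh functions that tally ipfw log lines with awk. The sample lines are constructed for the demonstration; their shape follows what the kernel logs under IPFIREWALL_VERBOSE ("ipfw: <rule> <action> <proto> <src> <dst> <in|out> via <ifname>", with ICMP lines carrying "ICMP:type.code" and no ports). Host name, interface names and addresses are made up.

```shell
#!/bin/sh
# Added example (not from the original thread): summarize ipfw log lines of
# the kind syslog writes to /var/log/security, so you can see which rules
# the traffic is really hitting. SAMPLE_LOG is constructed for this demo.

SAMPLE_LOG='Mar 11 09:15:02 gw kernel: ipfw: 100 Count TCP 192.168.1.10:49152 72.14.207.99:80 in via vlan100
Mar 11 09:15:02 gw kernel: ipfw: 100 Count TCP 192.168.1.10:49152 72.14.207.99:80 out via vlan98
Mar 11 09:15:03 gw kernel: ipfw: 100 Count TCP 72.14.207.99:80 192.168.1.10:49152 in via vlan98
Mar 11 09:15:05 gw kernel: ipfw: 400 Deny TCP 10.9.8.7:3333 192.168.1.1:22 in via vlan98
Mar 11 09:15:06 gw kernel: ipfw: 400 Deny UDP 10.9.8.7:53 192.168.1.1:1025 in via vlan98
Mar 11 09:15:07 gw kernel: ipfw: 100 Count ICMP:8.0 192.168.1.10 72.14.207.99 out via vlan98'

# Read log lines on stdin; print "<rule> <action> <dir> <iface> <hits>",
# one line per combination, sorted. Locating the "ipfw:" token by value
# keeps this independent of how many syslog fields precede it.
ipfw_rule_summary() {
    awk '
        /kernel: ipfw: / {
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            rule = $(i + 1); action = $(i + 2)
            # direction is the field just before "via", interface just after
            for (j = i; j <= NF; j++) if ($j == "via") { dir = $(j - 1); iface = $(j + 1) }
            hits[rule " " action " " dir " " iface]++
        }
        END { for (k in hits) print k, hits[k] }
    ' | LC_ALL=C sort
}

# Same input; print "<src-ip> <hits>" for Deny lines only, which is the
# quickest way to spot who is being refused (or who you are wrongly refusing).
ipfw_denied_sources() {
    awk '
        /kernel: ipfw: / {
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            if ($(i + 2) != "Deny") next
            src = $(i + 4)
            sub(/:[0-9]+$/, "", src)   # strip the port; ICMP lines have none
            hits[src]++
        }
        END { for (s in hits) print s, hits[s] }
    ' | LC_ALL=C sort
}

# Usage: sh ipfw-summary.sh demo        (or: ipfw_rule_summary < /var/log/security)
if [ "${1:-}" = demo ]; then
    printf '%s\n' "$SAMPLE_LOG" | ipfw_rule_summary
    echo '--- denied sources ---'
    printf '%s\n' "$SAMPLE_LOG" | ipfw_denied_sources
fi
```

Against a live box, `ipfw_rule_summary < /var/log/security` shows at a glance whether a flow that should be NATed is being seen "in via" the inside interface and "out via" the outside one, which is exactly the check Chris is suggesting.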
Re: Right way to build package from non-port software
On Tue, Mar 11, 2008 at 12:38:40AM +0100, Catalin Miclaus wrote: What is the right way of building packages for non-ports applications? AFAIK 'make package' and ' pkg_create -b name' are based on ports installed packages. Is there any way of using same commands or additional scripts to achieve similar results? If it matters I'm trying to create packages from net-snmp-5.4.1 sources (needed for 64-bits counters feature) since ports version is based on 5.3.2. Suggestions are welcome. In this situation, my team generally gets its hands dirty and bumps the port. Usually it's as easy as updating the PORTVERSION variable. Then attach the port diff to a PR and it'll be updated in the official ports tree fast. Unfortunately, net-snmp looks like a pretty complex port that isn't going to be quite so easy. You might consider pinging the maintainer about the new upstream version to see if there's any interest in bumping the port. You might also just be able to write your own port for the new version from scratch (it sounds like you just grabbed the source tarball and didn't apply all the FreeBSD patches). See the handbook [1]. Your best bet may be a combination of the two approaches. [1] http://www.freebsd.org/doc/en_US.ISO8859-1/books/porters-handbook/quick-porting.html Good luck, -- Chris Cowart Network Technical Lead Network Infrastructure Services, RSSP-IT UC Berkeley pgp4cAyRWxXrN.pgp Description: PGP signature
Re: PF vs. ping6
On Fri, Feb 22, 2008 at 01:14:55AM +0100, Colin Brace wrote:
> Hi all,
>
> I am trying to set up a IPv6 tunnel following the instructions in the handbook http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-ipv6.html.
>
> aiccu starts ok:
>
> # sixxs-aiccu start
> Tunnel Information for T14342:
>   POP Id      : nlams05
>   IPv6 Local  : x2/64
>   IPv6 Remote : x1/64
>   Tunnel Type : 6in4-heartbeat
>   Adminstate  : enabled
>   Userstate   : enabled
>
> I can ping6 localhost, I can ping6 the tunnel begin point (local), but I can't ping6 the (remote) end point.
>
> Firing up tcpdump, I see that the firewall is blocking the ping packets. I have these (provisional) rules at the top of the filter section in PF:
>
> pass quick on fxp0 inet6 # ext if

I don't use pf, but I'm guessing from the man page that you may need to try:

pass quick on fxp0 proto 41

You might be able to substitute 41 with the symbolic name in /etc/protocols (ipv6).

Note that you're trying to match the protocol field of an IPv4 address which, for the majority of internet traffic, is tcp, udp, or icmp; in this case it's ipv6, because the contents of your IPv4 packets are the tunneled v6 packets. I think 'pass quick on fxp0 inet6' is checking against the type of the outer packet, which is actually an IPv4 packet.

Good luck,

-- 
Chris Cowart
Network Technical Lead
Network Infrastructure Services, RSSP-IT
UC Berkeley
Re: Limit # of connections per IP using ipfw?
On Wed, Feb 13, 2008 at 09:23:31AM -0800, patrick wrote:
> Is there a way to limit the number of TCP connections from a particular IP at a given time using ipfw? We are running Cyrus IMAP on FreeBSD 6.2, and are sometimes subject to POP3 brute force login attacks. I'm not sure if it's Cyrus or the SASL SQL plugin, but these attacks grind the server to halt (the load level goes up beyond 350!). The database against which authentication takes places is on a separate server, so I know it's not MySQL's fault. I'd like to be able to set a firewall rule to set a reasonable limit per IP for these sorts of connections. I know that pf can do it, and I'm in the process of figuring out how to migrate all of our stuff over to pf, but in the meantime, I'd like to try to do this with ipfw.

You can use limit rules. This should do the trick:

# ipfw add allow tcp from any to me pop3s limit src-addr 5

Check the ipfw man page section on limit for more info (though it's pretty brief).

-- 
Chris Cowart
Network Technical Lead
Network Infrastructure Services, RSSP-IT
UC Berkeley
Re: FreeBSD 6.3 racoon cpu 99,9% after some time workin
On Tue, Jan 29, 2008 at 08:46:18AM +0100, Norman Maurer wrote: I have some strange problem.. After racoon works some hours it seems to freeze and get a cpu usage of 99,9%. The vpns don't work anymore too.. Any idea ? By any chance do you have a large number of tunnels? We went so far as to write a daemon to watch racoon and restart it automatically. We finally ended up bumping up buffer sizes in the ipsec-tools sources and sysctl. See this thread from -net: http://lists.freebsd.org/pipermail/freebsd-net/2007-August/015046.html -- Chris Cowart Network Technical Lead Network Infrastructure Services, RSSP-IT UC Berkeley pgpZ3cTJbg4Oy.pgp Description: PGP signature
Re: FreeBSD 6.3 racoon cpu 99,9% after some time workin
On Tue, Jan 29, 2008 at 10:47:05AM +0100, Norman Maurer wrote: Am Dienstag, den 29.01.2008, 10:24 +0100 schrieb Norman Maurer: Am Dienstag, den 29.01.2008, 00:04 -0800 schrieb Christopher Cowart: On Tue, Jan 29, 2008 at 08:46:18AM +0100, Norman Maurer wrote: I have some strange problem.. After racoon works some hours it seems to freeze and get a cpu usage of 99,9%. The vpns don't work anymore too.. Any idea ? By any chance do you have a large number of tunnels? We went so far as to write a daemon to watch racoon and restart it automatically. We finally ended up bumping up buffer sizes in the ipsec-tools sources and sysctl. See this thread from -net: http://lists.freebsd.org/pipermail/freebsd-net/2007-August/015046.html We have about 15 tunnels.. Can you please show me the changes you did ( maybe a diff ) and the shell script ? 15 tunnels doesn't sound like enough to cause problems; we were dealing with 80-100 SAs before we saw problems. The patch is here: http://lists.freebsd.org/pipermail/freebsd-net/2007-September/015456.html Our sysctl change is this: $ sysctl -a kern.ipc.maxsockbuf kern.ipc.maxsockbuf: 4194304 You might try pinging -net with the symptoms or drawing some of these old threads. -- Chris Cowart Network Technical Lead Network Infrastructure Services, RSSP-IT UC Berkeley pgpR72KWKeZYy.pgp Description: PGP signature
Re: Network configuration in FreeBSD
On Mon, Jan 28, 2008 at 04:29:49PM -0500, Bhuvaneswari Ramkumar wrote: I'm a newbie FreeBSD user, I've just installed the 5.5 version. I know this is a very silly question but I've searched the archives and any suggestions are welcome. I think my system is not connected to the internet or any external network, ping dosent work ( nor ftp or dig) When I try to do a post-install configuration and choose to enable the inetd daemon option from the sysinstall, it doesnt invoke the editor to change the inetd.conf at all, so I did a root-login and enabled ftp, even pftp and other services in the file as mentioned in the installation document. This file affects running an ftp server, not an ftp client from the command line. But still I'm unable to ftp to any server, the message I get is ftp: hostname or servname not known or not provided. Do you guys have any ideas ? Send the list the output of the following commands: # ifconfig -a # netstat -rn With that info, we can probably help you out better. -- Chris Cowart Network Technical Lead Network Infrastructure Services, RSSP-IT UC Berkeley pgpdTB3co0zcU.pgp Description: PGP signature
Re: is there a /bin/sh method to tell the ending of a file
On Tue, Jan 08, 2008 at 12:01:18AM -0600, Jon Hamilton wrote:
> On Mon, Jan 07, 2008 at 09:10:58PM -0800, Gary Kline wrote:
> > Paul Procacci [EMAIL PROTECTED], said on Mon Jan 07, 2008 [11:34:08 PM]:
> > > Hi All,
> > >
> > > Is there an easy way of determining whether a string//filename ends in *.gz? using /bin/sh?
> >
> > Is this what you mean?
> >
> > -----
> > #!/bin/sh
> >
> > STRING=mystring.gz
> >
> > if [ ".gz" = `echo "$STRING" | sed -n 's/.*\(\.gz\)$/\1/p'` ]; then
> >     echo "test";
> > fi
> > ---
>
> Works (I assume) but perhaps easier to read and more native might be:
>
> case $STRING in
>     *\.gz) echo "Found .gz suffix" ;;
>     *) echo "Not a .gz suffix" ;;
> esac
>
> Sh is a pretty versatile creature; I'm sure there are a thousand more ways all of which work, and some of which will cause religious arguments for decades :)

Right. Here's another way using parameter expansion:

| if [ "${STRING##*.}" = "gz" ] ; then
|     echo true
| else
|     echo false
| fi

The syntax is terse, but pretty popular in the /etc/rc family of scripts.

-- 
Chris Cowart
Lead Systems Administrator
Network Infrastructure Services, RSSP-IT
UC Berkeley
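The three idioms in this thread agree on ordinary names but not on every input, and the difference is worth knowing before one of them ends up in a script that decides whether to gunzip something. The block below is an added example, not code from the thread: each method wrapped as a function (names are mine), plus a helper that runs all three on one string and reports a 1/0 per method. It assumes only a POSIX sh and sed(1).

```shell
#!/bin/sh
# Added example (not from the original thread): the sed, case and
# parameter-expansion suffix tests side by side, with the inputs that
# separate them. All function names are this example's own.

# sed: print ".gz" only when it is a suffix, then compare.
ends_in_gz_sed() {
    [ ".gz" = "$(printf '%s\n' "$1" | sed -n 's/.*\(\.gz\)$/\1/p')" ]
}

# case/glob: the pattern needs a literal "." before "gz", so a bare "gz"
# does not match. No word splitting happens on the case word.
ends_in_gz_case() {
    case $1 in
        *.gz) return 0 ;;
        *)    return 1 ;;
    esac
}

# parameter expansion: ${1##*.} drops everything up to the LAST "." and
# leaves the rest. If there is no "." at all the pattern matches nothing
# and the whole string comes back, so a bare "gz" is reported as a match.
ends_in_gz_param() {
    [ "${1##*.}" = gz ]
}

# Run all three on one input; print one digit per method in the order
# sed, case, param (1 = "ends in .gz").
check_all() {
    r=""
    for fn in ends_in_gz_sed ends_in_gz_case ends_in_gz_param; do
        if "$fn" "$1"; then r="${r}1"; else r="${r}0"; fi
    done
    printf '%s\n' "$r"
}

# Usage: sh gz-suffix.sh demo
if [ "${1:-}" = demo ]; then
    for s in mystring.gz archive.tar.gz gz notes.gz.bak "my file.gz" dir.gz/file; do
        printf '%-16s sed/case/param = %s\n' "$s" "$(check_all "$s")"
    done
fi
```

The only disagreement is the dot-less string: `${STRING##*.}` returns the input unchanged when there is nothing to strip, so `gz` compares equal. If the value can come from user input or an untrusted listing, the case form is the one whose false-positive surface is smallest; it also avoids forking sed for every file.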
Re: sudo never asks me for a password
On Fri, Nov 23, 2007 at 03:43:39PM -0800, Kamil Kisiel wrote: For some reason, on this particular FreeBSD machine, sudo never asks me for a password, even if I haven't logged in for days. I've been struggling with this problem for some time but still haven't been able to find a solution. Any ideas? Maybe something is misconfigured in your pam stack? Check /etc/pam.d/sudo. -- Chris Cowart Lead Systems Administrator Network Infrastructure Services, RSSP-IT UC Berkeley pgpziZhMm0oiV.pgp Description: PGP signature
Re: sudo never asks me for a password
On Fri, Nov 23, 2007 at 07:09:36PM -0800, Kamil Kisiel wrote:
> On 11/23/07, Christopher Cowart [EMAIL PROTECTED] wrote:
> > On Fri, Nov 23, 2007 at 03:43:39PM -0800, Kamil Kisiel wrote:
> > > For some reason, on this particular FreeBSD machine, sudo never asks me for a password, even if I haven't logged in for days. I've been struggling with this problem for some time but still haven't been able to find a solution. Any ideas?
> >
> > Maybe something is misconfigured in your pam stack? Check /etc/pam.d/sudo.
>
> /etc/pam.d/sudo looks like this:
>
> #
> # $FreeBSD: src/etc/pam.d/su,v 1.16 2003/07/09 18:40:49 des Exp $
> #
> # PAM configuration for the "su" service
> #
>
> # auth
> auth        sufficient    pam_rootok.so    no_warn
> auth        sufficient    pam_self.so      no_warn
> auth        requisite     pam_group.so     no_warn group=wheel root_only fail_safe
> auth        include       system
>
> # account
> account     include       system
>
> # session
> session     required      pam_permit.so

This looks like it was copied verbatim from su. I suspect the pam_self.so is causing problems. Sudo authenticates the user for their current account, not the target account. That line will cause authentication to short-circuit on a UID match w/o any need to provide a password. Try commenting it out.

-- 
Chris Cowart
Lead Systems Administrator
Network Infrastructure Services, RSSP-IT
UC Berkeley
Re: sudo never asks me for a password
On Fri, Nov 23, 2007 at 08:01:23PM -0800, Kamil Kisiel wrote:
> Alright, maybe my impression of success was slightly premature. It seems that the problem now is that sudo doesn't like the pam_unix.so module for whatever reason. If I use the default sudo pam file, which simply includes all settings from /etc/pam.d/system it gives me an error like the following:
>
> sudo: pam_authenticate: conversation failure
>
> My /etc/pam.d/sudo file looks like:
>
> auth        include    system
> account     include    system
> session     include    system

I recommend you add the debug option to modules and watch the log files for more specific error messages.

-- 
Chris Cowart
Lead Systems Administrator
Network Infrastructure Services, RSSP-IT
UC Berkeley
Re: Kernel pty limit
On Thu, Nov 15, 2007 at 02:27:47PM -0600, Kevin Kinsey wrote: Christopher Cowart wrote: Hello, I went to open up a new shell to our login server (recently rebuilt from Debian to FreeBSD) and found problems allocating a new pty. With a 256-pty limit, I'm surprised more people haven't had this problem. With team of 8 SysAdmins, each leaving about 30 windows open in screen sessions, 256 starts feeling a bit claustrophobic. Hmm, 8 guys root on one boxen? Sounds like a cushy job! Got an IP and a couple of partners I could play xtank with? J/k, of course. :-D I found a questions thread from January 2006 and these PRs: standards/90896: not enough PTYs in the FreeBSD kern/25866: [patch] more than 256 ptys, up to 1302 ptys. There was also discussion on hackers@ at the time[1], and a mention from rwatson@ that a new tty_pts.c and support in libc for this was added to HEAD then[2]; I haven't checked, but I'm assuming it's still in the new 7 branch and will be a part of 7.0 Real Soon Now(tm), if that's any comfort. There may be patches available, there was some discussion. Also, if it *IS* in 7.0, I guess you could holler for a MFC. I suppose that counts as Good News. Does this mean the change will be part of the increasingly anticipated 7.0 release? In the meantime, I'll have to use /dev/bat to remind the team to close their windows. -- Chris Cowart Lead Systems Administrator Network Infrastructure Services, RSSP-IT UC Berkeley pgp8sOt2eFOd4.pgp Description: PGP signature
Kernel pty limit
Hello, I went to open up a new shell to our login server (recently rebuilt from Debian to FreeBSD) and found problems allocating a new pty. With a 256-pty limit, I'm surprised more people haven't had this problem. With team of 8 SysAdmins, each leaving about 30 windows open in screen sessions, 256 starts feeling a bit claustrophobic. I found a questions thread from January 2006 and these PRs: standards/90896: not enough PTYs in the FreeBSD kern/25866: [patch] more than 256 ptys, up to 1302 ptys. The latter appears to have been kicking around since FreeBSD 4.3 (still open). What can I do to help get that limit raised? Does anyone have a patch against 6.2? If not, would anyone be interested in writing one? Thanks for any help, -- Chris Cowart Lead Systems Administrator Network Infrastructure Services, RSSP-IT UC Berkeley pgpAJXmfMsg5l.pgp Description: PGP signature
Re: Where is pkgdb?
On Thu, Nov 15, 2007 at 09:39:10PM +0100, Tino Engel wrote:
> Which port do I have to install to get pkgdb?

$ pkg_info -W `which pkgdb`
/usr/local/sbin/pkgdb was installed by package portupgrade-2.2.2_4,2

I recommend installing ports-mgmt/port-maintenance-tools when building a system.

-- 
Chris Cowart
Lead Systems Administrator
Network Infrastructure Services, RSSP-IT
UC Berkeley
Re: X screen film recording
On Wed, Nov 07, 2007 at 08:25:19AM +0100, Wojciech Puchar wrote: is there any app for this. to simply record what's going on X server as movie file (like .mov, .avi) or animated .gif? or any other way to convert flash animation (no links, menus etc.) to animated .gif? I once used vnc2swf on Linux. It looks like it's in ports, so I'm assuming it'll work on FreeBSD. Or by the sounds of your flash animation question, have you already found this option? -- Chris Cowart Lead Systems Administrator Network Infrastructure Services, RSSP-IT UC Berkeley pgpmqsxIrmieq.pgp Description: PGP signature
Re: ifconfig -- how to remove address and mask?
On Sun, Oct 28, 2007 at 09:14:48PM -0700, [EMAIL PROTECTED] wrote: running 6.1, Is there a way to bring an interface down and remove the ipaddr and mask? I've tried ifconfig destroy with no effect, and I'm getting tired of twiddling rc.conf and rebooting... Have you tried `ifconfig fxp0 -alias 192.168.1.10'? -- Chris Cowart Lead Systems Administrator Network Infrastructure Services, RSSP-IT UC Berkeley pgp1s3uwpi4uA.pgp Description: PGP signature
Re: su: not running setuid
On Tue, Oct 23, 2007 at 09:09:04PM +0100, Adam J Richardson wrote:
> Christopher Cowart wrote:
> > Unless you can find some local privilege escalation exploit, I'm thinking you're stuck. You can probably fix it in single-user mode:
> >
> > * Reboot
> > * Pick single user mode from the boot menu
> > * Accept the default shell
> >
> > $ fsck -p
> > $ mount -u /
> > $ mount -a -t ufs
> > $ chown root /usr/bin/su
> >
> > But if the command above ran to completion, you probably have a mess of permissions on your filesystem. You may want to look into rebuilding / reinstalling world while you're in single.
>
> What about going to single user mode and editing /etc/passwd so the root line has the username uname? Or add user uname with UID 0?

The chown command would have looked up uname via libnss and used the numeric UID to alter the filesystem entries. The most you could do here is change the symbolic name for the uname user and make the ls -l output look different. Either way, you're stuck with the files on the filesystem not being owned by UID 0.

I would highly recommend not mucking with /etc/passwd and letting rebuild world fix things.

-- 
Chris Cowart
Lead Systems Administrator
Network Infrastructure Services, RSSP-IT
UC Berkeley
Re: su: not running setuid
On Mon, Oct 22, 2007 at 06:51:48PM +0000, Mayank Jain wrote:
> Hi all,
>
> I have run chown -R uname:wheel . as root in the / directory. Now it is not allowing me to log in as su. Giving the following error
>
> su
> su: not running setuid
>
> I have also tried su -l but still same error. Can any body suggest me some solution to this problem.
>
> uname -a
> FreeBSD mayankjain.in.niksun.com 6.2-RC1-p1 FreeBSD 6.2-RC1-p1 #0: Mon Dec 4 09:56:16 UTC 2006 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/SMP i386
>
> I have also tried following but it didn't allow me to do so.
>
> chown root:wheel /usr/bin/su
> chown: /usr/bin/su: Operation not permitted

Unless you can find some local privilege escalation exploit, I'm thinking you're stuck. You can probably fix it in single-user mode:

* Reboot
* Pick single user mode from the boot menu
* Accept the default shell

$ fsck -p
$ mount -u /
$ mount -a -t ufs
$ chown root /usr/bin/su

But if the command above ran to completion, you probably have a mess of permissions on your filesystem. You may want to look into rebuilding / reinstalling world while you're in single.

Good luck...

-- 
Chris Cowart
Lead Systems Administrator
Network Infrastructure Services, RSSP-IT
UC Berkeley
Re: wyswyg editors for tex (was re: replacement for open office)
On Mon, Oct 08, 2007 at 02:10:56AM +, Aryeh Friedman wrote: I finally got around to compiling abiword and I get the following when I try to run it: abiword Segmentation fault (core dumped) uname -a FreeBSD monsert 7.0-CURRENT FreeBSD 7.0-CURRENT #1: Sun Oct 7 20:47:51 UTC 2007 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/MONSTER amd64 I don't want to bother with attempting to figure out why it broke. My question is since it looks like I am stuck with Tex is there any wyswyg editors for it? I've heard good things about kile (editors/kile), but have never used it on FreeBSD. It's also from the KDE folks, so you might be waiting a long time for all libraries to compile. I must say I'm a fan of just using vim combined with this guide at hand: http://www.ctan.org/tex-archive/info/lshort/english/lshort.pdf Good luck, -- Chris Cowart Lead Systems Administrator Network Infrastructure Services, RSSP-IT UC Berkeley pgpIaGBXHnDED.pgp Description: PGP signature
Re: tcpdump -- non-local traffic not showing
On Fri, Oct 05, 2007 at 05:31:25PM -0600, [EMAIL PROTECTED] wrote: I'm having trouble seeing packets which are not going to or from the machine on which tcpdump is running. Is there something special I need to do to enable this? It's my understanding tcpdump puts the interface in promiscuous mode, and dmesg seems to confirm this. However I see the following behavior using tcpdump -fntl -i ed1: If hosts .x, .y, and .z are all on the same network, and if tcpdump is running on host a.b.c.x and on host a.b.c.y I do ping a.b.c.x I see the icmp packets. But if on host a.b.c.y I do ping a.b.c.z I see nothing. Does the interface drop packets with a different mac address, even when supposedly put in promiscuous mode? Clues? You're probably plugged into a switch (learning bridge). Switches partition your collision domain -- they learn which MAC is available on which port and only send on that port. You either need a hub or a really expensive switch (the kind that you log in to and set up port mirrors). -- Chris Cowart Lead Systems Administrator Network Infrastructure Services, RSSP-IT UC Berkeley pgpHpDgl1KEhH.pgp Description: PGP signature
Re: Bridging interfaces
On Sat, Sep 29, 2007 at 09:49:36PM -0600, Simon Timms wrote:
> That makes a lot of sense, but I suppose I still don't understand why this isn't working. The handbook section on routing is pretty basic and it seems to come down to setting net.inet.ip.forwarding to 1 if you want to route packets between interfaces on a dual-homed host. I'm able to reach hosts on both subnets from the router and my routing table looks like:
>
> Internet:
> Destination        Gateway            Flags    Refs      Use  Netif Expire
> default            wireless           UGS         0     9905   sis0
> localhost          localhost          UH          0      134    lo0
> 192.168.1          link#1             UC          0        0   sis0
> orinoco            00:d0:09:f8:f7:5a  UHLW        1      268    lo0
> 192.168.1.255      ff:ff:ff:ff:ff:ff  UHLWb       1       87   sis0
> 192.168.2          link#2             UC          0        0    rl0
> 192.168.2.255      ff:ff:ff:ff:ff:ff  UHLWb       1       87    rl0

Are your 192.168.2/24 machines configured to use 192.168.2.2 as their default router? They don't know where 192.168.1.2 is, because they don't see it as being on the same link. The subnet mask is used to determine this kind of reachability.

You could probably use 192.168.1.2 as your default router, as long as you created a static route `route add 192.168.1/24 192.168.2.2', telling the system that to get to 192.168.1/24, the next-hop is 192.168.2.2. This seems needlessly complex when you can just configure 192.168.2.2 as your default router and skip the static route configuration all together.

Regardless, bridging isn't going to help unless the host and the default router have the same subnet configurations.

-- 
Chris Cowart
Lead Systems Administrator
Network Infrastructure Services, RSSP-IT
UC Berkeley
Re: Bridging interfaces
On Sat, Sep 29, 2007 at 07:06:55PM -0600, Simon Timms wrote: Hello, I seem to be having some trouble bridging interfaces in FreeBSD 6.2-STABLE. What I have are two interfaces rl0 - 192.168.2.2 sis0 - 192.168.1.2 and a bridge I've set up following the pages in the handbook. However frames don't seem to be routed from one interface to the other. The internet gateway for the networks lives on 192.168.1.1 and I am able to reach the internet from boxes on the 192.168.1.0/24 subnet but not from the other. Tracing the route from a box on the 192.168.2.0/24 subnet the connection times out on the freebsd box, orinoco. A layer 2 bridge connects two physical network segments to create the illusion of a single layer 2 network. In general, you have a single IP subnet sitting on top of a layer 2 network. Think of a bridge as a 2-port ethernet switch. If you want a single layer 2 network, try readdressing the 192.168.2/24 side to be on the 192.168.1/24 subnet. If you need different subnets, you'll want to configure *routing* and not bridging (See: handbook/network-routing.html). Good luck, -- Chris Cowart Lead Systems Administrator Network Infrastructure Services, RSSP-IT UC Berkeley pgpKLlRzREkCS.pgp Description: PGP signature
Re: relaying mail
On Tue, Jul 31, 2007 at 08:03:50PM +0200, Michael Grant wrote:
> In one of my domains, I have the MX record for it set up to my server. But for one of the users within that domain, their mail needs to be shuffled off to a different server at google. But I can't just forward it because it's like an MX host I'd need to forward it to. And I can't alter the MX to point to google for the entire domain because it's only one user within that domain, the other users will be screwed in that case.
>
> For example, mydomain.com, let's say the mx for that comes to my box. For [EMAIL PROTECTED], I need to send his mail to ASPMX.L.GOOGLE.COM as if it were the MX for mydomain.com.
>
> In the old days, one would simply forward email to [EMAIL PROTECTED] That would cause mydomain.com's sendmail to connect to ASPMX.L.GOOGLE.COM and shove down a message for [EMAIL PROTECTED] But that seems long deprecated because it didn't seem to work.
>
> I am using sendmail and procmail. Can anyone think of some way I can cause something like this to happen for just one user, ideally in a .procmailrc file?

We use postfix and transport maps to accomplish this for internal mail routing (bugzilla and RT messages go to an internal web server, user messages to our internal mailserver). The map would look something like:

| [EMAIL PROTECTED]    smtp:[ASPMX.L.GOOGLE.COM]
| mydomain.com         local

I don't know how to accomplish similar routing with sendmail.

In order to solve this completely at the user level, you could write a little bit of perl that opens an SMTP connection to the server of your choosing. You could then use .forward or .procmailrc or whatever to pipe the incoming messages to this script.

Good luck,

--
Chris Cowart
Lead Systems Administrator
Network Infrastructure Services, RSSP-IT
UC Berkeley
Re: Policy Based Routing problem help me
On Thu, Jul 26, 2007 at 01:26:17AM +0500, Narek Gharibyan wrote:
> I have a firewall/router with FreeBSD 6.2 installed on it. 2 ISP connections and 2 LAN connections. I need to do policy-based routing. All I need is that packets coming in on one ISP interface return via that interface (source-based routing for incoming connections) and, on the other hand, IP-based routing from the LAN (some packets will go out via ISP 1, some others via ISP 2, depending on the IPs requested).
>
> I tried to do that with ipfw fwd but it didn't work any way (e.g. with ip.forwarding enabled or not). I've even disabled my static routes and default gw. It just does nothing. Sample configs are:
>
>   ipfw add fwd ISP_gw from ${my lan} to any via ${eif}
>   ipfw add fwd ISP_gw from ${my lan} to any out via ${eif}
>   ipfw add fwd ISP_gw from any to any xmit ${eif}
>   ipfw add fwd ISP_gw from any to any via ${eif} out
>
> I don't use nat or a proxy. I just need to route.

Have you compiled your kernel with the following options?

| options IPFIREWALL_FORWARD
| options IPFIREWALL_FORWARD_EXTENDED

I found that this kind of forwarding silently failed until I enabled the EXTENDED option in addition to the typical option. `man ipfw' briefly mentions these two kernel options in the fwd section.

--
Chris Cowart
Lead Systems Administrator
Network Infrastructure Services, RSSP-IT
UC Berkeley
Re: /dev/random in jails
On Wed, Jul 18, 2007 at 06:30:50PM -0700, Tech Valley Internet - Tony Kivits wrote:
> I am attempting to run portions (if not all) of the software called HSphere inside of jailed subsystems of FreeBSD. I am able to create the jails no problem but the devices /dev/random and /dev/urandom are not created automatically in the jail despite the fact that a handful of other devices are mounted correctly when the jail is created. Is there a specific reason for these devices not being created in a jail or is there a way to create these devices so that they will be available inside a jail?

We run bind instances in FreeBSD jails. This is how we get /dev/random:

| # /etc/devfs.rules:
| [devfsrules_thin_jail=100]
| add include $devfsrules_hide_all
| add include $devfsrules_unhide_basic

| # /etc/rc.conf:
| jail_cachingdns_devfs_enable=YES
| jail_cachingdns_devfs_ruleset=devfsrules_thin_jail

HTH,

--
Chris Cowart
Lead Systems Administrator
Network Infrastructure Services, RSSP-IT
UC Berkeley
Re: /dev/random in jails
On Wed, Jul 18, 2007 at 08:34:21PM -0700, Tech Valley Internet - Tony Kivits wrote:
> At 07:32 PM 7/18/2007, Christopher Cowart wrote:
> > On Wed, Jul 18, 2007 at 06:30:50PM -0700, Tech Valley Internet - Tony Kivits wrote:
> > > I am attempting to run portions (if not all) of the software called HSphere inside of jailed subsystems of FreeBSD. I am able to create the jails no problem but the devices /dev/random and /dev/urandom are not created automatically in the jail despite the fact that a handful of other devices are mounted correctly when the jail is created. Is there a specific reason for these devices not being created in a jail or is there a way to create these devices so that they will be available inside a jail?
> >
> > We run bind instances in FreeBSD jails. This is how we get /dev/random:
> >
> > | # /etc/devfs.rules:
> > | [devfsrules_thin_jail=100]
> > | add include $devfsrules_hide_all
> > | add include $devfsrules_unhide_basic
> >
> > | # /etc/rc.conf:
> > | jail_cachingdns_devfs_enable=YES
> > | jail_cachingdns_devfs_ruleset=devfsrules_thin_jail
>
> Thanks Chris,
>
> So if my jail is called cp, the only thing that I would have to change from your scripts would be to replace cachingdns with cp?

Yes. Are you configuring the jail via /etc/rc.conf already? Are you using the rc script /etc/rc.d/jail to start your jails? My complete config from /etc/rc.conf is:

| # Enable jails
| jail_enable=YES
| jail_list=cachingdns
|
| # Caching-nameserver jail
| jail_cachingdns_hostname=ns1.example.com
| jail_cachingdns_ip=192.0.2.15
| jail_cachingdns_interface=bge0
| jail_cachingdns_rootdir=/var/jails/caching-dns
| jail_cachingdns_exec=/usr/local/sbin/named
| jail_cachingdns_devfs_enable=YES
| jail_cachingdns_devfs_ruleset=devfsrules_thin_jail

You can replace cachingdns with cp or whatever else you want. You can also create multiple jails with different names.

I don't know if you're following the typical FreeBSD jail documentation which gives you a complete FreeBSD installation inside the jail. Given that I only need to run named, I have not done that. Are you trying to run a complete FreeBSD install that allows user logins inside your jail? Or are you simply trying to jail a single process? My example above jails the single process named, and does not have an OS install inside the jail's root.

--
Chris Cowart
Lead Systems Administrator
Network Infrastructure Services, RSSP-IT
UC Berkeley
Re: /dev/random in jails
On Wed, Jul 18, 2007 at 09:41:35PM -0700, Tech Valley Internet - Tony Kivits wrote:
> At 08:42 PM 7/18/2007, Christopher Cowart wrote:
> > On Wed, Jul 18, 2007 at 08:34:21PM -0700, Tech Valley Internet - Tony Kivits wrote:
> > > At 07:32 PM 7/18/2007, Christopher Cowart wrote:
> > > > On Wed, Jul 18, 2007 at 06:30:50PM -0700, Tech Valley Internet - Tony Kivits wrote:
> > > > > I am attempting to run portions (if not all) of the software called HSphere inside of jailed subsystems of FreeBSD. I am able to create the jails no problem but the devices /dev/random and /dev/urandom are not created automatically in the jail despite the fact that a handful of other devices are mounted correctly when the jail is created. Is there a specific reason for these devices not being created in a jail or is there a way to create these devices so that they will be available inside a jail?
> > > >
> > > > We run bind instances in FreeBSD jails. This is how we get /dev/random:
> > > >
> > > > | # /etc/devfs.rules:
> > > > | [devfsrules_thin_jail=100]
> > > > | add include $devfsrules_hide_all
> > > > | add include $devfsrules_unhide_basic
> > > >
> > > > | # /etc/rc.conf:
> > > > | jail_cachingdns_devfs_enable=YES
> > > > | jail_cachingdns_devfs_ruleset=devfsrules_thin_jail
> > >
> > > Thanks Chris,
> > >
> > > So if my jail is called cp, the only thing that I would have to change from your scripts would be to replace cachingdns with cp?
> >
> > Yes. Are you configuring the jail via /etc/rc.conf already? Are you using the rc script /etc/rc.d/jail to start your jails? My complete config from /etc/rc.conf is:
> >
> > | # Enable jails
> > | jail_enable=YES
> > | jail_list=cachingdns
> > |
> > | # Caching-nameserver jail
> > | jail_cachingdns_hostname=ns1.example.com
> > | jail_cachingdns_ip=192.0.2.15
> > | jail_cachingdns_interface=bge0
> > | jail_cachingdns_rootdir=/var/jails/caching-dns
> > | jail_cachingdns_exec=/usr/local/sbin/named
> > | jail_cachingdns_devfs_enable=YES
> > | jail_cachingdns_devfs_ruleset=devfsrules_thin_jail
> >
> > You can replace cachingdns with cp or whatever else you want. You can also create multiple jails with different names.
> >
> > I don't know if you're following the typical FreeBSD jail documentation which gives you a complete FreeBSD installation inside the jail. Given that I only need to run named, I have not done that. Are you trying to run a complete FreeBSD install that allows user logins inside your jail? Or are you simply trying to jail a single process? My example above jails the single process named, and does not have an OS install inside the jail's root.
>
> I am doing a complete OS inside the jail and am starting it through the rc.conf.

The default devfs ruleset for jails (devfsrules_jail, found in /etc/defaults/devfs.rules) should work fine for you then. Perhaps try specifying that ruleset explicitly?

> I have modified the devfs.rules so that they are now passing random and urandom as devices. But the installation software is still reporting that /dev/random is not working properly. Do you know of a way that I can test /dev/random to see if it is actually working?

  $ ls -l caching-dns/dev/random
  crw-rw-rw-  1 root  wheel    0,   8 Jul  3 18:08 caching-dns/dev/random
  $ dd if=/dev/random bs=1 count=12 2>/dev/null | openssl base64

Should give you a base64 encoding of some random data (base64 to prevent it from messing up your terminal) if /dev/random is working.

--
Chris Cowart
Lead Systems Administrator
Network Infrastructure Services, RSSP-IT
UC Berkeley
Re: /dev/random in jails
On Wed, Jul 18, 2007 at 09:49:12PM -0700, Christopher Cowart wrote:
>   $ dd if=/dev/random bs=1 count=12 2>/dev/null | openssl base64
>
> Should give you a base64 encoding of some random data (base64 to prevent it from messing up your terminal) if /dev/random is working.

I meant to point if=jailroot/dev/random. Testing /dev/random for the host OS isn't going to be too meaningful.

--
Chris Cowart
Lead Systems Administrator
Network Infrastructure Services, RSSP-IT
UC Berkeley
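The dd test above, pointed at the jail root as the follow-up says, only shows that something came out. As an added example (not code from the thread), here is the same check made strict enough to catch the usual ways a jail's /dev/random is broken: the node is missing because devfs is not mounted or the ruleset hides it, it is a copied regular file rather than a device, or it reads short. It uses od(1) instead of openssl so it runs anywhere; the jail root path is whatever the caller passes.

```shell
#!/bin/sh
# Added example (not from the original thread): verify that a jail root has a
# working /dev/random. check_jail_random JAILROOT [NBYTES] exits 0 and prints
# the bytes in hex, or exits 1 with a reason on stderr.
check_jail_random() {
    jailroot="${1%/}"          # strip a trailing slash so "/" and "" both mean the host
    n="${2:-12}"
    dev="$jailroot/dev/random"

    if [ ! -e "$dev" ]; then
        echo "no $dev: devfs not mounted in the jail, or the ruleset hides it" >&2
        return 1
    fi
    if [ ! -c "$dev" ]; then
        echo "$dev exists but is not a character device (copied file?)" >&2
        return 1
    fi

    # Read exactly n bytes and render them as space-separated hex bytes.
    hex=$(od -An -tx1 -N "$n" "$dev" | tr -s ' \n' '  ')
    hex="${hex# }"; hex="${hex% }"
    got=$(( $(printf '%s\n' "$hex" | wc -w) ))
    if [ "$got" -ne "$n" ]; then
        echo "read $got of $n bytes from $dev" >&2
        return 1
    fi

    # n identical bytes from a real entropy source is effectively impossible;
    # a stub device that returns zeros fails here.
    distinct=$(( $(printf '%s\n' "$hex" | tr ' ' '\n' | sort -u | wc -l) ))
    if [ "$distinct" -lt 2 ]; then
        echo "$dev returned $n identical bytes; not a working entropy device" >&2
        return 1
    fi

    printf '%s\n' "$hex"
}

# Usage (jail root from the thread's rc.conf):
#   check_jail_random /var/jails/caching-dns
```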
Re: fsck on a read only partition?
On Thu, Jul 05, 2007 at 01:49:47AM +0100, Joe Holden wrote:
> Alfred Perlstein wrote:
> > Hello, how do I fsck my disk if it's mounted? I have downgraded the mount to read-only, but still geom seems to disallow fsck access to it. Is there a way to tell the system to allow fsck to open it read/write?
> >
> > thanks,
>
> If you unmount it first, you should be able to fsck it fine, /dev/blah (ad0/1/2/whatever)

I think that misses the point; what if it's the / filesystem?

I have personally wanted to do this before myself. I had a situation where a deleted file was still being written to by a backgrounded tcpdump, resulting in a full filesystem but no file to rm. It would have been great to quickly remount ro, fsck, then remount rw. Instead, I had to schedule downtime, reboot into single, and run fsck -- not fun.

--
Chris Cowart
Lead Systems Administrator
Network Infrastructure, RSSP-IT
UC Berkeley
Re: svn+ssh over nonstandard port fails to connect
On Thu, Jun 28, 2007 at 03:45:50PM -0600, Chad Perrin wrote:
> I'm attempting to connect to a Subversion repository via SSH using a nonstandard port to check out the repository. The names and numbers in the following have been changed to protect the guilty:
>
>   svn co svn+ssh://[EMAIL PROTECTED]:1234/usr/home/svn-repos/project project

Try:

  SVN_SSH="ssh -p 1234" svn co svn+ssh://[EMAIL PROTECTED]/path

> The result I get is as follows:
>
>   ssh: 123.45.678.90:1234: hostname nor servname provided, or not known
>   svn: Connection closed unexpectedly
>
> Am I having a brainless moment here? What am I missing?

ssh doesn't support the hostname:port syntax. You have to use -p.

Hope that helps,

--
Chris Cowart
Lead Systems Administrator
Network Infrastructure, RSSP-IT
UC Berkeley
Re: svn+ssh over nonstandard port fails to connect
On Thu, Jun 28, 2007 at 04:44:10PM -0600, Chad Perrin wrote:
> On Thu, Jun 28, 2007 at 03:10:18PM -0700, Christopher Cowart wrote:
> > On Thu, Jun 28, 2007 at 03:45:50PM -0600, Chad Perrin wrote:
> > > I'm attempting to connect to a Subversion repository via SSH using a nonstandard port to check out the repository. The names and numbers in the following have been changed to protect the guilty:
> > >
> > >   svn co svn+ssh://[EMAIL PROTECTED]:1234/usr/home/svn-repos/project project
> >
> > Try:
> >
> >   SVN_SSH="ssh -p 1234" svn co svn+ssh://[EMAIL PROTECTED]/path
>
> Are you suggesting setting an environment variable? I have more than one repository checked out on this system, and they do not all use the same port for access.

This is the only way I know to do it. You don't have to set it in your shell's environment if you use this syntax to prefix the specific command.

> > > The result I get is as follows:
> > >
> > >   ssh: 123.45.678.90:1234: hostname nor servname provided, or not known
> > >   svn: Connection closed unexpectedly
> > >
> > > Am I having a brainless moment here? What am I missing?
> >
> > ssh doesn't support the hostname:port syntax. You have to use -p.
> >
> > Hope that helps,
>
> I thought that might be the case, but I'm not sure how to specify it in the svn command string -- which seems to be necessary since making a universal (to this user account) configuration change would then break access to other svn repositories.

You can also create a new tunneling protocol. Look at the SSH authentication and authorization section of this part of the handbook:

http://svnbook.red-bean.com/en/1.0/ch06s03.html

Good luck,

--
Chris Cowart
Lead Systems Administrator
Network Infrastructure, RSSP-IT
UC Berkeley
Re: Spaces in SSID in /etc/rc.conf
On Mon, May 14, 2007 at 09:45:48PM +0200, Gunther Mayer wrote:
> Hi there,
>
> I got a low-key server which is wirelessly connected to the net using an SSID that contains a space. In rc.conf I define the ifconfig line for configuration of my wireless interface upon bootup, but the entire line reads something like
>
>   ifconfig_ath0='inet 192.168.0.1 ssid my network'
>
> No matter how I tweak the quotes (single then double, the other way round, with lots of \\) I never get my interface to configure properly upon bootup and I need to get to the console to fix it up. I thought I knew shell syntax but this is beyond me or the manpages... What's the right way to do this?

One approach would be to navigate the series of function calls defined in /etc/network.subr. I just took a brief look, but it's not immediately obvious how many times you're going to have to escape exactly what to get the behavior you desire.

Another option would be to make the file /etc/start_if.ath0, containing the line `ifconfig ... ssid "my network"`. This file would be sourced when /etc/rc.d/netif starts the network interfaces, before the rc variable ifconfig_ath0 is run. You can then omit the variable ifconfig_ath0 from /etc/rc.conf.

For more hints, look in /etc/netif, /etc/network.subr, and /etc/rc.subr.

--
Chris Cowart
Lead Systems Administrator
Network Infrastructure, RSSP-IT
UC Berkeley
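What actually happens to the SSID between rc.conf and ifconfig is plain shell word splitting, which is why the quote tweaking fails and the start_if file works. The following is an added example, not code from the thread: it assumes the rc framework ends up expanding the variable unquoted, along the lines of `ifconfig $ifn $ifconfig_args` (a model of /etc/network.subr, not its actual text), and substitutes a stand-in for ifconfig that reports what arrives after `ssid`.

```shell
#!/bin/sh
# Added example (not from the original thread): demonstrate how an SSID with
# a space is split when it travels through an unquoted rc.conf variable, and
# how a start_if.ath0 command line avoids that. fake_ifconfig is a stand-in
# for the real binary; it prints the words it received after "ssid", joined
# with '|' so the split is visible.

fake_ifconfig() {
    seen=0; out=''
    for w in "$@"; do
        if [ "$seen" -eq 1 ]; then out="${out}${out:+|}$w"; fi
        [ "$w" = ssid ] && seen=1
    done
    printf '%s\n' "$out"
}

# rc.conf path (assumed model): the variable's value is expanded unquoted,
# so every space becomes an argument boundary and any quote characters
# inside the value are passed through literally, not re-parsed.
run_from_rc_var() {
    ifconfig_args="$1"
    fake_ifconfig ath0 $ifconfig_args
}

# start_if.ath0 path: a real command line, so normal shell quoting applies
# and the SSID reaches ifconfig as one argument.
run_from_start_if() {
    fake_ifconfig ath0 inet 192.168.0.1 ssid "$1"
}

# Usage:
#   run_from_rc_var 'inet 192.168.0.1 ssid my network'     -> my|network
#   run_from_rc_var 'inet 192.168.0.1 ssid "my network"'   -> "my|network"
#   run_from_start_if 'my network'                         -> my network
```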
Re: sshd segfaults on exit when no tty allocated
On Fri, May 11, 2007 at 10:59:19AM -0400, Lowell Gilbert wrote:
> Christopher Cowart [EMAIL PROTECTED] writes:
> > When I ssh into FreeBSD hosts without allocating a tty, sshd segfaults after the process terminates. This problem occurs on both 6_1_REL and 6_2_REL installations at all sorts of patch levels. Examples:
> >
> > Client: `ssh -t server ls`
> > Server Logs:
> > | May  9 15:33:44 server sshd[1503]: Accepted publickey for ccowart from client port 43604 ssh2
> > | May  9 15:33:45 server sshd[1505]: pam_sm_close_session(): no utmp record for ttyp5
> >
> > Client: `ssh server ls`
> > Server Logs:
> > | May  9 15:33:50 server sshd[1509]: Accepted publickey for ccowart from client port 42119 ssh2
> > | May  9 15:33:51 server pid 1511 (sshd), uid 1225: exited on signal 11
> >
> > In either example, the client thinks the command has completed successfully, shows proper output, and propagates the return value from the remote command. The main problem is I don't like seeing a bunch of segfaults being logged in the daily run output.
> >
> > Our sshd_config is stock, except we set `PermitRootLogin yes`.
> >
> > Does anyone know why this happens? Should I file a problem report?
>
> I can't reproduce it on my own machines (-STABLE, a few weeks old), so a PR probably would need a more precise reproduction scenario.

Thanks for the sanity check. I went back and did some more thorough troubleshooting.

I am currently using pam_ldap and pam_require from ports. I went through my pam configuration, set everything to pam_permit, and the segfaults went away. Uncommenting one rule at a time in my pam stack, I discovered the culprit: pam_lastlog

The session section of my system pam configuration looks like this:

| # session
| session    required    pam_lastlog.so    no_fail debug
| session    optional    /usr/local/lib/pam_ldap.so    no_warn

When I comment out the pam_lastlog, the segfaults vanish. Should I file a PR with this new information?

Thanks,

--
Chris Cowart
Lead Systems Administrator
Network Infrastructure, RSSP-IT
UC Berkeley
sshd segfaults on exit when no tty allocated
Hello,

When I ssh into FreeBSD hosts without allocating a tty, sshd segfaults after the process terminates. This problem occurs on both 6_1_REL and 6_2_REL installations at all sorts of patch levels. Examples:

Client: `ssh -t server ls`
Server Logs:
| May  9 15:33:44 server sshd[1503]: Accepted publickey for ccowart from client port 43604 ssh2
| May  9 15:33:45 server sshd[1505]: pam_sm_close_session(): no utmp record for ttyp5

Client: `ssh server ls`
Server Logs:
| May  9 15:33:50 server sshd[1509]: Accepted publickey for ccowart from client port 42119 ssh2
| May  9 15:33:51 server pid 1511 (sshd), uid 1225: exited on signal 11

In either example, the client thinks the command has completed successfully, shows proper output, and propagates the return value from the remote command. The main problem is I don't like seeing a bunch of segfaults being logged in the daily run output.

Our sshd_config is stock, except we set `PermitRootLogin yes`.

Does anyone know why this happens? Should I file a problem report?

Thanks,

--
Chris Cowart
Lead Systems Administrator
Network Infrastructure, RSSP-IT
UC Berkeley
isc-dhcpd logging breaks when syslog-ng HUP'd
Hello,

I have 2 servers running isc-dhcp3-server and syslog-ng. I have configured dhcpd to run in a chroot. The following (reproducible) sequence of events causes dhcpd logging to break:

1) Start syslog-ng
2) Start isc-dhcpd (At this point, logging is working fine)
3) `pkill -HUP syslog-ng` (This happens on the hour whenever logfiles need rotating, but can also be effected manually)
4) dhcpd logging is now broken
5) Restart isc-dhcpd (logging works again)

My theory is that when isc-dhcpd starts, it gets an fd to the syslog socket. When syslog-ng receives a HUP, that socket is reopened and isc-dhcpd's fd is now broken.

Relevant options from rc.conf:

| syslogd_enable=NO
| newsyslog_enable=NO
| syslog_ng_enable=YES
| dhcpd_enable=YES
| dhcpd_flags=-q
| dhcpd_conf=/usr/local/etc/dhcpd.conf
| dhcpd_includedir=/usr/local/etc/dhcpd.d
| dhcpd_withumask=022
| dhcpd_chuser_enable=YES
| dhcpd_withuser=dhcpd
| dhcpd_withgroup=dhcpd
| dhcpd_devfs_enable=YES
| dhcpd_rootdir=/var/jails/dhcpd
| dhcpd_chroot_enable=YES
| dhcpd_ifaces=bge0

My workaround: For the hosts in question, I've added to the logrotate postrotate script:

  `/usr/local/etc/rc.d/isc-dhcpd restart > /dev/null`

This workaround makes me a little uncomfortable, because these instances of dhcpd are critical for thousands of end users. Is this a bug? Is there a better workaround?

Logging from all other applications on the system is unaffected by the HUP to syslog-ng, including two jailed instances of bind9 (syslog-ng on the host opens up the socket /var/run/log inside those jails).

Any insight would be greatly appreciated.

Thanks,

--
Chris Cowart
Lead Systems Administrator
Network Infrastructure, RSSP-IT
UC Berkeley
Re: xorg on a headless, mouseless, keyboardless box
> I've used this ssh -X that you mention. This works fine for userland programs, but in order to troubleshoot my particular issue I'd need to be logged in as root. When I try to su remotely to run the command I get:
>
>   X11 connection rejected because of wrong authentication.
>   X connection to localhost:10.0 broken (explicit kill or server shutdown).

I think what's going on is that X puts some authentication information in your home directory: ~/.Xauthority. You might try:

  $ su -m

That will preserve your environment (including $HOME). Now when X goes looking for the ~/.Xauthority, it will find the one sshd set up in your user home directory.

> I might try logging in locally as root and see what happens. But in the long run I think that if I could understand how to grant myself an actual X session on the remote box then I could figure out how to do this and potentially other stuff.
>
> Thanks for any information you might share.
>
> lane

--
Chris Cowart
Network and Infrastructure Systems Administrator
RSSP-IT, UC Berkeley
May all your pushes be popped
Re: openssh security issues
On Sat, Dec 16, 2006 at 10:47:39PM -0500, Michael P. Soulier wrote:
> So, portaudit keeps complaining about openssh, but when I try to upgrade...
>
>   [EMAIL PROTECTED] ~]$ sudo portupgrade -R openssh
>   [Updating the pkgdb <format:bdb1_btree> in /var/db/pkg ... - 207 packages found (-1 +1) (...). done]
>   --->  Upgrading 'openssh-3.6.1_5' to 'openssh-3.6.1_6' (security/openssh)
>   --->  Building '/usr/ports/security/openssh'
>   ===>  Cleaning for openssh-3.6.1_6
>   ===>  openssh-3.6.1_6 has known vulnerabilities:
>   => openssh -- multiple vulnerabilities.
>      Reference: http://www.FreeBSD.org/ports/portaudit/32db37a5-50c3-11db-acf3-000c6ec775d9.html

This says it only affects SSH Protocol version 1. If you only use version 2 or you're not too concerned, you could do:

  $ sudo portupgrade -m DISABLE_VULNERABILITIES=yes -R openssh

>   => Please update your ports tree and try again.
>   *** Error code 1
>
>   Stop in /usr/ports/security/openssh.
>   ** Command failed [exit code 1]: /usr/bin/script -qa /tmp/portupgrade.20685.0 env UPGRADE_TOOL=portupgrade UPGRADE_PORT=openssh-3.6.1_5 UPGRADE_PORT_VER=3.6.1_5 make
>   ** Fix the problem and try again.
>   ** Listing the failed packages (*:skipped / !:failed)
>           ! security/openssh (openssh-3.6.1_5)        (unknown build error)
>   --->  Packages processed: 0 done, 0 ignored, 0 skipped and 1 failed
>
> So, before bothering the port maintainer, is there a standard place to look for a status update on this kind of thing?
>
> Thanks,
> Mike
>
> --
> Michael P. Soulier [EMAIL PROTECTED]
> Any intelligent fool can make things bigger and more complex... It takes a touch of genius - and a lot of courage to move in the opposite direction. --Albert Einstein

--
Chris Cowart
Network and Infrastructure Systems Administrator
RSSP-IT, UC Berkeley
May all your pushes be popped
Re: Local DNS Caching not caching on external interface
On 14:57 Thu 14 Dec , Tek Bahadur Limbu wrote:
> Dear All,
>
> I am very new to Bind and FreeBSD. I have just configured a Local DNS server using the built-in Bind 9.3.1 on a FreeBSD 5.4 machine. My problem is that the machine can cache queries on the localhost and loop back (127.0.0.1) interface only. I have a public static IP on this machine too and I can't seem to query the caching name server from my local network.
>
> In Linux, this is no problem. I just can't seem to get Bind to work as in my local network. It works only on the loopback interface.

The default /etc/namedb/named.conf configuration file for BIND says:

| // If named is being used only as a local resolver, this is a safe default.
| // For named to be accessible to the network, comment this option, specify
| // the proper IP address, or delete this option.
| listen-on { 127.0.0.1; };

It looks like if you comment out that option, it will listen on * by default. You could also add the other IP address on which you want named to listen.

--
Chris Cowart
Network and Infrastructure Systems Administrator
RSSP-IT, UC Berkeley
May all your pushes be popped
Multihomed router with NAT
Hello,

I'm working on a router that acts as a captive portal and transparent http proxy for unregistered or disabled hosts that plug in to our network.

The router has a public administrative interface on em0, 192.168.100.10/24. The router has a physically separate interface, 192.168.200.10/24 on vlan200 using em1, for the NAT clients. The router also has the interface vlan100 on em1 with the address 10.100.0.1/16. The captured machines are assigned addresses on the 10.100/16 subnet.

The router's firewall allows certain http traffic through the NAT, such as windows updates. All other http requests are forwarded through an instance of squid to an apache instance.

The system's default route is configured on the administrative interface, via 192.168.100.1. My firewall includes the rule:

  $cmd 0013 divert natd ip from not me to any via vlan200

The NAT does not work. From a captured machine, I am able to ping both 192.168.200.10 and the gateway 192.168.200.1, but nothing off-subnet. We suspect the packets leaving the NAT, tagged with source-address 192.168.200.10, are being routed via the system's default route at 192.168.100.1. The router is dropping these packets on the floor, because the source address doesn't match the subnet it's routing.

Is it possible to tell the system to use a different default route based on the source address of the packet? We want to keep the administrative interface on a separate subnet from the client traffic. I tried using an ipfw fwd rule:

  $cmd 0014 fwd 192.168.200.1 ip from 192.168.200.10 to not \
      192.168.200.10/24

But this had no effect.

Any suggestions would be greatly appreciated.

Thanks,

--
Chris Cowart
Unix Systems Administrator
Residential Computing, UC Berkeley
May all your pushes be popped
Re: jail removal
> I've partially removed a jail and I want to start over and recreate it differently, but I'm having trouble removing files. Getting permission denied on some files I am unable to chmod to +w.

Try 'sudo chflags -R noschg /path/to/jail'. I'm thinking the immutable flag got set on something like var/empty.

--
Chris Cowart
Unix Systems Administrator
Residential Computing, UC Berkeley
May all your pushes be popped
isc-dhcpd.sh rc script and jails
Hello,

The port for isc-dhcp3-server has config options for enabling FreeBSD process jails. Basically, through a series of command line arguments that are generated by the isc-dhcpd.sh script, the chroot is auto-generated when you start the service and dhcpd makes the syscall to jail itself. This is actually really nifty and makes the process of running dhcpd in a thin jail brainless.

The problem happens when I run isc-dhcpd.sh stop:

  dhcpd not running? (check /var/jails/dhcpd/var/run/dhcpd/dhcpd.pid).

Well, I know better. dhcpd is clearly running with the pid indicated in the pid file. After investigating /etc/rc.subr, I've determined the cause (where $JID is the jid of the running rc script and $_jid is the jid of the process, determined by ps output):

  if [ $JID -eq $_jid ];

Therefore, I cannot run isc-dhcpd.sh stop on the host system. However, given that I'm using a thin jail, I can't just log in to the jail to call the rc script. Further, the rc script was written to be called from the host machine.

My question is how do I get around this? I'd prefer not to hack rc.subr unless it's a community-useable patch that can be incorporated back into the official sources. One option would be to allow rc scripts to set some sort of CHECK_JAILS variable and to implement the necessary logic to handle it in rc.subr. Is there a better solution?

--
Chris Cowart
Unix Systems Administrator
Residential Computing, UC Berkeley
May all your pushes be popped
scripting sysinstall for pxeboot
Hello-

I'm working on a project to netboot servers and perform a custom installation of FreeBSD. I have pxeboot working with tftp, providing an mfs image over the network. sysinstall runs as init and attempts to follow my install.cfg. However, when running my mediaSetFTP command, sysinstall errors with:

  The fxp0 device is not configured. You will need to do so in the Networking configuration menu before proceeding.

However, I did set tryDHCP=YES. DHCP is working because 1) it just netbooted from it; and 2) I tried with the installation CD. It doesn't appear to be honoring my request that it try DHCP. If I take sysinstall over manually, specifying the network information, it works just fine. I want the installation to work with DHCP. Does anyone have any suggestions for debugging sysinstall in this way?

On a not-a-show-stopper note, is there any way to get around specifying the hostname and/or net device? I'd rather not specify the hostname so that I can have one generic script for many machines. Further, what if some other machine has a different kind of NIC? By hardcoding these values into install.cfg, the solution becomes much less maintainable. Why can't it obtain the hostname from DHCP? Any thoughts on this?

Thanks for your help,
Chris

===
My install.cfg:

# This is the installation configuration file for our rackmounted FreeBSD
# cluster machines

# Turn on extra debugging.
debug=YES

nonInteractive=YES
noWarn=NO
tryDHCP=YES
noConfirm=YES
releaseName=6.0-RELEASE

# My host specific data
#hostname=firefly
#domainname=rescomp.berkeley.edu
netDev=fxp0
hostname=firefly
_ftpPath=ftp://ftp.FreeBSD.org/pub/FreeBSD/
#nameserver=169.229.70.164
#defaultrouter=169.229.70.1
#ipaddr=169.229.70.170
#netmask=255.255.254.0

#
# Which installation device to use RC
##Need to set this!
##
#nfs=MyNfsServer:/export/ari_scratch2/gallatin/freebsd-dist
mediaSetFTP
#mediaSetNFS

[[SNIP]]
===

--
Christopher Cowart
Unix Systems Administrator
Residential Computing, UC Berkeley
May all your pushes be popped
pxeboot fails to load acpi.ko
Hey-

I've been working on a project to automate FreeBSD installations over the network, using PXE boot capabilities. I've been following the howtos, as documented starting here:

http://www.freebsd.org/doc/en_US.ISO8859-1/articles/pxe/index.html
and
http://www.daemonsecurity.com/pxe/jumpstart.html

I'm having a difficult time finding posts from other people who have experienced similar problems.

Everything is set up. I'm using a tftpd that can handle large files. DHCPD is configured correctly. The client boots the PXE boot loader, as it should. It then begins loading the kernel. Upon loading the file acpi.ko, the boot hangs. Doing a tcpdump on the traffic, it looks like the machine receives the last packet of acpi.ko, and before it even has a chance to send an ACK, it's done. The twirly status bar stops spinning. The machine is doomed for a hard reboot.

I've tried with two very different boxes to ensure it's not a hardware anomaly. The machines boot fine from the installation CDs -- loading acpi.ko. Further, I started with 5.3-REL, stepped up to 5.4-REL, and lastly, 6.0-REL. The problem occurs with all these versions.

I'm not sure how to continue debugging this problem. Any tips in terms of troubleshooting or known workarounds would be great.

Thanks,
Chris

--
Christopher Cowart
Unix Systems Administrator
Residential Computing, UC Berkeley
May all your pushes be popped