Re: Gateway problem

2006-10-20 Thread Dancho Penev
I'm moving this thread to freebsd-questions because it's the appropriate 
place for such questions.

On Friday 20 October 2006 21:42, Brian Hawk wrote:
 I'm having a strange situation for quite sometime. I have two external
 interfaces one of which is an ADSL interface tun0 and obtains IP address
 dynamically and the other is a (xl1) leased line which has a static
 global IP address, lets say 212.64.212.180. Both interfaces access
 internet without any problem.

 Recently I've configured qmail on this system to send out email thru xl1
 interface and use ADSL only for web traffic. It used to work quite good
 for a while but recently I noticed TCP packets have been going out from
 tun0 and responses coming in thru xl1. tun0 and ADSL is the default
 gateway. But the TCP packets are bound to 212.64.212.180 IP address
 which should send them out thru xl1. But it doesn't.

No, you are wrong. The packet will be forwarded to the default gateway through the 
interface that is on the same network as it, regardless of the source address. You 
need some kind of policy routing. I'm not very familiar with ipf but with pf you can do:

pass out on $ext_if0 route-to ($ext_if1 $ext_gw1) inet from $ext_if1 to any
pass out on $ext_if1 route-to ($ext_if0 $ext_gw0) inet from $ext_if0 to any

or with ipfw you can use the fwd rule action.


 For the test, I did these

 tcpdump -nt -i xl1 tcp 
 telnet -s 212.64.212.180 smtp.tnet.com 25

 connection establishes but I can see only the TCP response packets
 coming from xl1, like the following

 x.y.z.t > 212.64.212.180
 x.y.z.t > 212.64.212.180

 All from external IPs to my xl1 int. No packets going out from xl1 they
 all go thru default gateway even if TCP connections are bound to xl1's
 IP address.

 I'd like to know if anybody knows why this happened and how I can turn
 things back the way they were. Any help would be much appreciated.

 My configuration is like this;

 FreeBSD 5.4-RELEASE
 ipf: IP Filter: v3.4.35 (336)
 Kernel: IP Filter: v3.4.35
 ipfw has no rules; allow ip from any to any
 there's also a transparent proxy setup for squid

 #~netstat -rn
 Routing tables

 Internet:
 Destination        Gateway            Flags    Refs      Use  Netif Expire
 default            88.234.8.1         UGS         0 78722302   tun0
 10/24              link#1             UC          0        0    rl0 =>
 10                 10.1.1.222         UGS         0    26233    xl0
 10.0.0.99          link#1             UHLW        0        4    rl0
 10.1.1/24          link#2             UC          0        0    xl0
 10.1.1.13          00:50:8d:ed:88:94  UHLW        0     1876    xl0   1118
 10.1.1.222         00:01:02:df:c1:19  UHLW        1      689    lo0
 10.1.1.225         00:b0:d0:20:b7:9e  UHLW        0    96690    xl0    706
 88.234.8.1         88.234.14.26       UH          1        0   tun0
 127.0.0.1          127.0.0.1          UH          0  2305904    lo0
 192.168.0/16       link#3             UCS         0        0    xl1
 212.64.212.176     ff:ff:ff:ff:ff:ff  UHLWb       0       15    xl1 =>
 212.64.212.176/29  link#3             UC          0        0    xl1
 212.64.212.180     00:04:76:9b:3d:f8  UHLW        0      125    lo0

 ___
 freebsd-net@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-net
 To unsubscribe, send any mail to [EMAIL PROTECTED]

-- 
Dancho Penev
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
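As an added illustration of the point made in the reply above (this is not code from the thread), here is a small Python model of the two lookups involved: the plain destination-based longest-prefix match that the kernel performs, which picks tun0 for every Internet destination no matter which source address telnet -s bound, and the same lookup with a source-keyed route-to policy in front of it, which is what the pf rules in the reply add. The routing table is a constructed subset of the netstat -rn output in the thread; the leased-line gateway 212.64.212.177 and the destination 198.51.100.25 are assumed values that do not appear in the thread.

```python
import ipaddress

# Constructed routing table: a subset of the netstat -rn output posted in
# the thread, as (interface, prefix, gateway); None means directly attached.
ROUTES = [
    ("tun0", "0.0.0.0/0",         "88.234.8.1"),   # default route over ADSL
    ("xl1",  "212.64.212.176/29", None),           # leased-line subnet
    ("xl0",  "10.1.1.0/24",       None),
    ("rl0",  "10.0.0.0/24",       None),
]

# Which local address lives on which interface (from the thread; the ADSL
# address is dynamic, so only the static leased-line address is listed).
LOCAL_ADDRESSES = {"212.64.212.180": "xl1"}

# Policy in the spirit of the pf rule
#   pass out on $ext_if0 route-to ($ext_if1 $ext_gw1) inet from $ext_if1 to any
# keyed on the source address -> (egress interface, next hop).
# 212.64.212.177 is an ASSUMED leased-line gateway, not from the thread.
POLICY = {"212.64.212.180": ("xl1", "212.64.212.177")}


def lookup_route(dst, routes=ROUTES):
    """Plain longest-prefix match on the destination, as the FIB does.
    The source address is never consulted."""
    dst = ipaddress.ip_address(dst)
    best = None
    for ifname, prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (ifname, net, gw)
    if best is None:
        raise LookupError("no route to host")
    return best[0], best[2]


def select_egress(src, dst, policy=POLICY, routes=ROUTES):
    """Egress decision with a policy layer in front of the FIB: a route-to
    rule matching the *source* wins, otherwise fall back to the FIB."""
    if src in policy:
        return policy[src]
    return lookup_route(dst, routes)


def check_symmetry(src, dst, policy=POLICY, routes=ROUTES):
    """True if the packet leaves through the interface that owns src.
    False is the asymmetric case the poster saw: out via tun0, replies in
    via xl1, which stateful filtering or a strict-source ISP will break."""
    ifname, _ = select_egress(src, dst, policy, routes)
    return LOCAL_ADDRESSES.get(src) == ifname
```

Once the pf rules are loaded, the check from the thread (tcpdump -nt -i xl1 tcp alongside telnet -s 212.64.212.180 host 25) should show the SYN leaving xl1 rather than only the replies arriving on it; that is what check_symmetry models.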


Re: Questions on file descriptors and squid

2004-10-20 Thread Dancho Penev
On Mon, Oct 18, 2004 at 07:17:18PM -0700, Mark Jayson Alvarez wrote:
Date: Mon, 18 Oct 2004 19:17:18 -0700 (PDT)
From: Mark Jayson Alvarez [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Questions on file descriptors and squid
Good day,
  I have a pc which I am going to turn into one of
our siblings proxy servers. The squid book says, the
file descriptor values should not go below 1024.
Question 1: Do you know how FreeBSD 4.10 sets its
default (fresh install) file descriptor value? For
example, here are the components of the workstation I
am installing squid into.
Pentium III 600 MHz
64 MB SD RAM
15 GB hard disk
When I run 'sysctl kern.maxfilesperproc' this value
appeared:
kern.maxfilesperproc: 957
so, it already violates squid's recommended
settings, which should be not less than 1024 file
descriptors (Squid: The Definitive Guide - Duane
Wessels). 

On the other hand, another workstation of mine with
the following components...
256 DDR PC333
Athlon XP 2000
80 GB seagate harddisk
...shows its file descriptor as
beebop> sysctl kern.maxfilesperproc
   kern.maxfilesperproc: 3636
Question 2: both of the kern.maxfiles and
kern.maxfilesperproc values are changeable and so, 
how will I know what is the maximum value I can set
them to (with regards to my hardware setup)? 


All these variables depend on maxusers option in your kernel config
file. Look at /usr/src/sys/kern/subr_param.c to find how they are
calculated.





--
Dancho Penev
Home page:   http://www.mnet.bg/~dpenev
GnuGP public key:http://www.mnet.bg/~dpenev/gnupg.asc
Key fingerprint: E88D 8B7B 3EF6 E9C8 C5D2  7554 2AA8 C347 71A1 4277




Re: throughput test

2004-10-20 Thread Dancho Penev
On Tue, Oct 19, 2004 at 05:20:58PM +0800, Tomoki Taniguchi wrote:
Date: Tue, 19 Oct 2004 17:20:58 +0800
From: Tomoki Taniguchi [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: throughput test
I have a freebsd firewall/router.  I want to test the data throughput
through the router with and without the firewall turned on.
How would I go about testing the network throughput of a machine?
You can use the benchmarks/ttcp port.
TIA,
tomoki
--
Dancho Penev


Re: Use pkg_delete or make deinstall?

2004-10-16 Thread Dancho Penev
On Fri, Oct 15, 2004 at 11:31:19PM -0500, Dan Nelson wrote:
Date: Fri, 15 Oct 2004 23:31:19 -0500
From: Dan Nelson [EMAIL PROTECTED]
To: Ben Washington-Yule [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Use pkg_delete or make deinstall?
In the last episode (Oct 16), Ben Washington-Yule said:
I've been wondering lately if there is any difference between the two 
methods of removing software from the system: pkg_delete software-name 
and cd /usr/ports/category/software-name && make deinstall. This 
question is not answered in the FAQ; I mainly ask out of curiosity.
make deinstall just runs pkg_delete, so they're identical.
It's important to know that make deinstall runs pkg_delete -f ...
--
Dan Nelson
[EMAIL PROTECTED]
--
Dancho Penev


Re: ACL and write permission

2004-10-04 Thread Dancho Penev
On Mon, Oct 04, 2004 at 11:47:52AM +0500, Sergey Velikanov [UzPAK] wrote:
Date: Mon, 4 Oct 2004 11:47:52 +0500
From: Sergey Velikanov [UzPAK] [EMAIL PROTECTED]
To: freebsd-questions [EMAIL PROTECTED]
Subject: ACL and write permission
Hi again
I can't add write permission via ACL
mkdir /dir/docs 
chown user:user /dir/docs 
setfacl -n -dm u::rwx,g::rx,o::,u:user2:rwx,m::rwx /dir/docs 
setfacl -m u:user2:rwx /dir/docs 
chmod 750 /dir/docs 

I create file in /dir/docs, but user2 have only read permission,
That's because when a new file is created its permissions are taken
from the directory's default ACL, and then they are masked with the umask. The
entries that are masked are u::, m:: and o::, so if you have umask 022
(which is the default) the file's ACL mask entry is set to r. Robert Watson has
a plan for the ACL mask to override the umask, but he hasn't realized that yet.
getfacl says that #efective rights r--, how should i set ACL to
/dir/docs if I want give write permission to user2
Sergey Velikanov
Technical  Division
National Data Network UzPAK
tel +(99871) 114-6326
e-mail:  [EMAIL PROTECTED]
http://www.uzpak.uz/
--
Dancho Penev


Re: Troubleshoting with nat

2004-10-04 Thread Dancho Penev
On Mon, Oct 04, 2004 at 12:49:53PM +0530, deepak wrote:
From: deepak [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: Mon, 4 Oct 2004 12:49:53 +0530
Subject: Troubleshoting with nat
Dear sir
I have two network on two different switch. My pc have two lan cards
among which 1st is connected to 1st switch and 2nd is connected to
second switch. Both the switch are not cascaded. One pc from 1st network
can ping to 1st card and not to 2nd card and 2nd network , in the same
manner pc from 2nd network can't ping to 1st card and 1st network . How
to do it without cascading .  All my pc are running windows 2000 server
and professional.
You didn't mention anything about NAT. Do you have NAT between these two
networks? And if so what is your configuration?
Deepak Srivastava
Lafance Overseas Private Ltd.
Handy: 011 38750887
Ph: +91 11 26827333
Think Positively and Masterfully, With Confidence and Faith, and life
becomes more secure... richer in achievement and experience - Swami
Vivekananda
--
Dancho Penev


Re: Outbound SMTP filtering

2004-08-10 Thread Dancho Penev
On Mon, Aug 09, 2004 at 05:49:27PM -0600, Nick Rogness wrote:
Date: Mon, 9 Aug 2004 17:49:27 -0600 (MDT)
From: Nick Rogness [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Outbound SMTP filtering
I am looking for an Outbound SMTP filtering solution to prevent SPAM and 
Virii from being sent through our SMTP relay machine (FreeBSD running 
sendmail).

A plugin module for sendmail or maybe some external appliance?  Just 
outbound SMTP traffic only.  Any suggestions?
You may try mail/smtp-vilter.
Nick Rogness [EMAIL PROTECTED]
-
  How many people here have telekenetic powers? Raise my hand.
-Emo Philips
--
Dancho Penev


Re: NEWBIE: FreeBSD 4.10 Internet gateway/DNS problem

2004-07-13 Thread Dancho Penev
20
   192.168.1.110    255.255.255.255   127.0.0.1        127.0.0.1        20
   192.168.1.255    255.255.255.255   192.168.1.110    192.168.1.110    20
   224.0.0.0        240.0.0.0         192.168.1.110    192.168.1.110    20
   255.255.255.255  255.255.255.255   192.168.1.110    192.168.1.110     1
Default Gateway:   192.168.1.1
===
Persistent Routes:
 None
I'm not sure what to do next.  For some reason the Windows cannot access a
name server.  From what I understand from the literature I've been using
(FreeBSD Handbook, Lehey's The Complete FreeBSD, and Anderson's FreeBSD: An
Open-Source etc etc) all that should be needed is set gateway_enable=YES
in /etc/rc.conf and I've done that.
Google revealed some info on using natd for PPOE, but not sure if that
applies to this problem.
Definitely you must use NAT. Search Handbook for Network Address
Translation.
All suggestions/out-right solutions appreciated.
TIA,
Jim C.  

--
Dancho Penev


Re: Confusion / minor problem using nss_ldap

2004-07-12 Thread Dancho Penev
On Mon, Jul 12, 2004 at 12:01:04PM +0200, Daniel Ruthardt wrote:
Date: Mon, 12 Jul 2004 12:01:04 +0200
From: Daniel Ruthardt [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Confusion / minor problem using nss_ldap
Hi list,
I've installed FreeBSD 5.1-RELEASE connecting to an OpenLDAP Server 
running on a Linux box.
nss_ldap as well as pam_ldap is working fine.
I am able to connect to my FreeBSD box via ssh without any problems.
`id` shows my correct user information, which is:

   %id
   uid=503(daniel.ruthardt) gid=503(serverAdmins) 
groups=503(serverAdmins), 501(sambaUsers), 502(sambaAdmins)

Now the problem / confusing thing:
(1) Although my primary group id should be 503 , everything created by 
my user shows up with group wheel.
It's normal behavior if the directory group is wheel.
(2) Although everything seems to work without any problems, `ls` never 
shows my username, only my user id (and that although I can see a 
successful query for my user id in the log file of the LDAP server).
5.1 uses statically linked binaries in /bin and /sbin; that's why
ls(1) doesn't print names for users that don't exist in the local
password file. It's not a big problem, but if you prefer ls(1) and
the other programs from /bin and /sbin to work with user names
instead of UIDs you must upgrade to 5.2 or better ;-)
   %mkdir daniel
   %ls -l
   total 4
   drwxr-xr-x  2 503  wheel  512 Jul 12 11:56 daniel
   drwxr-xr-x  2 503  wheel  512 Jul 12 11:37 test
   %
Can anybody point me in the right direction what might go wrong here?
Greets and thanks in advance,
Daniel
--
Dancho Penev


[fwd] IPFW fwd to remote address (from: iaccounts@ibctech.ca)

2004-07-09 Thread Dancho Penev
- Forwarded message from Steve Bertrand [EMAIL PROTECTED] -
From: Steve Bertrand [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: Fri, 9 Jul 2004 12:44:33 -0400 (EDT)
Subject: IPFW fwd to remote address
I am trying to set up a forward from one machine to another on a remote
network across the Internet.
I want to receive requests on one box on port 8080 and simply forward them
to a remote machine on the same port. I have tried the following rules, to
no avail. I have IPFIREWALL_FORWARD in my kernel (4.10), and # ipfw show
reports the hits to the rule.
# ipfw add 1000 fwd 216.209.x.x tcp from any to me 8080
# ipfw add 1000 fwd 216.209.x.x,8080 tcp from any to me 8080
# ipfw add 1000 fwd 216.209.x.x tcp from any to me 8080
# ipfw add 1000 fwd 216.209.x.x,8080 from any to any 8080
I can not see the packets going back out of the machine, nor does ipfw log
anything at the other end. # tcpdump at the remote end does not pick up
any traffic.
Does this have something to do with the fact that I am going across the
Internet, and it is trying to route the packets back to itself (I
understand the dest does not get changed). If so, how could I re-write the
packets so they will get delivered?
Tks for any help on this
Steve
- End forwarded message -
You have answered yourself why forwarding doesn't work in this
situation. If you want to forward http traffic you may try
squid (www/squid) in accelerator mode.
--
Dancho Penev


Re: Unable to boot FreeBSD (dual-boot)

2004-06-26 Thread Dancho Penev
On Sun, Jun 27, 2004 at 12:25:24AM +1000, Gautam Gopalakrishnan wrote:
Date: Sun, 27 Jun 2004 00:25:24 +1000
From: Gautam Gopalakrishnan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Unable to boot FreeBSD (dual-boot)
Hi,
Hello
I have a dual boot with Windows 2000 (ad0s1 is windows, ad0s2 is
FreeBSD 5.2.1). I trashed a working dual-boot somehow. Now the
problem is, I get the boot menu listing both Windows and FreeBSD,
but only Windows boots (with F1). Pressing F2 for FreeBSD just
gives a beep.I booted from the fixit cd and ran the commands seen
in the handbook:
# fdisk -B -b /hd/boot/boot0 /dev/ad0
# disklabel -B -b /hd/boot/boot0 /dev/ad0s2
For the label use the /boot/boot file; /boot/boot0 is for the MBR.
/hd is the temporary directory I created to mount /dev/ad0s2a,
so I guess my slice is still ok.
Please help!
Thanks
Gautam
--
Dancho Penev


Re: Identifying traffic logged by ipfw

2004-04-17 Thread Dancho Penev
On Fri, Apr 16, 2004 at 12:51:31PM -0500, Ben Beuchler wrote:
Date: Fri, 16 Apr 2004 12:51:31 -0500
From: Ben Beuchler [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Identifying traffic logged by ipfw
I'm working on a new bridging firewall using ipfw on FBSD 5.1.  The goal
is to default to closed with a few exceptions.  To test my ruleset, I end
with this rule:
add 420 allow log ip from any to any

The idea is that by watching the logs I could see what protocols I forgot
to create rules for.  This is what I'm getting in the logs:
Apr 16 16:43:40 bfw kernel: ipfw: 420 Accept MAC in via em2

I'm guessing this means it's matching non-ip traffic, but I couldn't find
any info to confirm this.  Is there any sort of trick I could use to log
the entire packet?  Since nothing about the source or destination was
logged, I don't have enough info to create a tcpdump filter.  Perhaps some
sort of divert rule?
I don't know about FreeBSD 5.1, but on -CURRENT I use the following patch
for /sys/netinet/ip_fw2.c :
--- ip_fw2.c.orig   Fri Dec 26 15:21:46 2003
+++ ip_fw2.cSun Jan 25 22:45:45 2004
@@ -577,6 +577,16 @@
if (hlen == 0) {/* non-ip */
snprintf(SNPARGS(proto, 0), MAC);
+   if (eh != NULL)
+   snprintf(SNPARGS(proto, 3),
+%02x:%02x:%02x:%02x:%02x:%02x 
%02x:%02x:%02x:%02x:%02x:%02x 0x%04x,
+   eh-ether_dhost[0], eh-ether_dhost[1],
+   eh-ether_dhost[2], eh-ether_dhost[3],
+   eh-ether_dhost[4], eh-ether_dhost[5],
+   eh-ether_shost[0], eh-ether_shost[1],
+   eh-ether_shost[2], eh-ether_shost[3],
+   eh-ether_shost[4], eh-ether_shost[5],
+   ntohs(eh-ether_type));
} else {
struct ip *ip = mtod(m, struct ip *);
/* these three are all aliases to the same thing */
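Review bot: the write at `SNPARGS(proto, 3)` assumes that `proto` has room for the word `MAC` plus two 17-character addresses, an ethertype and the separators (about 45 bytes plus the terminating NUL); confirm the declared size of `proto` in ipfw_log() covers that, because snprintf will otherwise truncate the log line silently and you lose exactly the source address and ethertype you want to see. Also check that the format string begins with a space, since writing at offset 3 directly after `MAC` otherwise produces `MAC00:50:...` with no separator. As pasted here the `->` in `eh-ether_dhost`/`eh-ether_shost` and the quotes around `MAC` and around the format string have been lost (most likely by the list archive), so the hunk will not apply verbatim.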
Thanks!

-Ben

--
Ben Beuchler   There is no spoon.
[EMAIL PROTECTED]-- The Matrix
--
Dancho Penev


Re: FreeBSD mirror in Bulgaria

2004-03-16 Thread Dancho Penev
On Tue, Mar 16, 2004 at 02:06:57PM +, Matthew Seaman wrote:
Date: Tue, 16 Mar 2004 14:06:57 +
From: Matthew Seaman [EMAIL PROTECTED]
To: Lyubomir Russev [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: FreeBSD mirror in Bulgaria
On Tue, Mar 16, 2004 at 11:20:14AM +0200, Lyubomir Russev wrote:

What criteria should be met and what should be done in order to establish
a FreeBSD mirror site in Bulgaria?
Give this document a read through:

   http://www.freebsd.org/doc/en_US.ISO8859-1/articles/hubs/index.html

which should answer most of your questions.  Anything else, try asking
on the [EMAIL PROTECTED] mailing list.  But basically it boils
down to providing a sufficiently powerful machine with good network
bandwidth and plenty of free space and agreeing to certain conditions
on how you configure and manage the thing.
Always good to see a new mirror in previously uncharted territory.
Well, it's not quite right. There was one ({www|ftp}.bg.freebsd.org),
but I can't see it these days, so I suppose that it's down (maybe
forever). It seems that I must change MASTER_SITE_BACKUP...
	Cheers,

	Matthew

--
Dr Matthew J Seaman MA, D.Phil.   26 The Paddocks
 Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey Marlow
Tel: +44 1628 476614  Bucks., SL7 1TH UK


--
Dancho Penev


Re: Running Linux binaries

2004-03-09 Thread Dancho Penev
On Tue, Mar 09, 2004 at 03:16:12PM +0300, Dmitry wrote:
To: [EMAIL PROTECTED]
From: Dmitry [EMAIL PROTECTED]
Date: Tue, 09 Mar 2004 15:16:12 +0300
Subject: Running Linux binaries
Hi all.
I'm trying to run a Linux binary in FreeBSD 5.2.
I have Linux compat installed and kld module linux.ko loaded
I'm getting this error message:

$ ./breve
./breve: error while loading sharing libraries: libglut.so.3:
cannot open shared object file: No such file or directory
It looks like it needs libglut.so.3. I have it. I copy it from
/usr/X11R6/lib to /compat/linux/lib and try to run the binary again:
$ ./breve
./breve: error while loading sharing libraries: libglut.so.3:
ELF file OS ABI invalid
I tried branding it as written in Handbook but it changes nothing.

Is there any way to use FreeBSD libraries to run Linux binaries or
No.

I have to get the Linux versions of them?
Yes.

And how to cross-compile libraries if i have sources?
Install devel/linux_devtools port.

And the last question. If a binary uses a Linux proc filesystem
will it be enough to mount linprocfs to /compat/linux/proc?
Thanks.
--
Dancho Penev


Re: out of file descriptors

2004-03-09 Thread Dancho Penev
On Tue, Mar 09, 2004 at 11:14:57AM -0500, Chris Strzelczyk wrote:
Date: Tue, 09 Mar 2004 11:14:57 -0500
From: Chris Strzelczyk [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: out of file descriptors
Hello,

I am trying to start big brother on FreeBSD 5.2.1 as the bb user.  When 
I run runbb.sh I get the following message:

Out of file descriptors

sysctl reports:

kern.maxfiles: 1
kern.maxusers: 256
I can change the kern.maxfiles attribute but not the maxusers.  Maxusers 
tells me it is not writable.  What is the proper way to correct this 
problem;
Set kern.maxusers=xxx in /boot/loader.conf. See
/boot/defaults/loader.conf for more details.
.

Thanks in advance for any help.

-cs
--
Dancho Penev

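Added here as a worked example that is not part of either message: how kern.maxproc, kern.maxfiles and kern.maxfilesperproc fall out of maxusers, using the formulas as I read them in the 4.x-era /usr/src/sys/kern/subr_param.c that the 2004-10-20 "file descriptors and squid" reply points to (NPROC = 20 + 16*maxusers, MAXFILES = 2*maxproc, the per-process limits at 9/10 of the global ones, and maxusers auto-sized from physical memory when the kernel config leaves it at 0). Treat the formulas as an assumption to verify against your own source tree; they do reproduce both values posted in that thread (957 on the 64 MB box, 3636 on the 256 MB box, which auto-sizes to maxusers 125 once the kernel's own reservations are subtracted). The last function gives the kern.maxusers value to put in /boot/loader.conf, which is the fix suggested in the "out of file descriptors" reply above.

```python
PAGE_SIZE = 4096
MB = 1024 * 1024


def autosize_maxusers(physmem_bytes):
    """maxusers left at 0 in the kernel config: one user per 2 MB of
    physical memory, clamped to 32..384 (assumed 4.x subr_param.c logic)."""
    physpages = physmem_bytes // PAGE_SIZE
    n = physpages // (2 * MB // PAGE_SIZE)
    return max(32, min(n, 384))


def derive_limits(maxusers):
    """Kernel limits derived from maxusers, as the 4.x subr_param.c did
    (assumption): NPROC = 20 + 16*maxusers, MAXFILES = 2*maxproc, and the
    per-uid / per-process limits at nine tenths of the global ones."""
    maxproc = 20 + 16 * maxusers
    maxfiles = 2 * maxproc
    return {
        "maxusers": maxusers,
        "maxproc": maxproc,
        "maxfiles": maxfiles,
        "maxprocperuid": maxproc * 9 // 10,
        "maxfilesperproc": maxfiles * 9 // 10,
    }


def maxusers_for_fds(wanted_fds):
    """Smallest maxusers whose per-process descriptor limit reaches
    wanted_fds, i.e. the kern.maxusers to set in /boot/loader.conf
    (maxusers is a boot-time tunable, not a runtime sysctl)."""
    m = 32
    while derive_limits(m)["maxfilesperproc"] < wanted_fds:
        m += 1
    return m


if __name__ == "__main__":
    for mem in (64 * MB, 250 * MB):
        print(mem // MB, "MB ->", derive_limits(autosize_maxusers(mem)))
    print("kern.maxusers for squid's 1024 fds:", maxusers_for_fds(1024))
```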

Re: How do I add a local patch to a port?

2004-03-09 Thread Dancho Penev
On Tue, Mar 09, 2004 at 02:44:26PM -0500, Shaun T. Erickson wrote:
Date: Tue, 09 Mar 2004 14:44:26 -0500
From: Shaun T. Erickson [EMAIL PROTECTED]
To: Alexander Haderer [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: How do I add a local patch to a port?
Alexander Haderer wrote:

Just another guess: Probably it makes a difference if the patchfile 
patches ./dir/tobepatched or dir/tobepatched. A brief look into other 
ports shows me that the latter is used. I don't know if it has to be 
this way or not.
Ok. I'm trying to patch 
/usr/ports/security/cyrus-sasl2-saslauthd/work/cyrus-sasl-2.1.17/saslauthd/auth_pam.c. 
The patchfile is named patch-aa and is located in 
/usr/ports/security/cyrus-sasl2-saslauthd/files. Here is the contents of 
the patchfile that works manually, when I cd to 
/usr/ports/security/cyrus-sasl2-saslauthd/work/cyrus-sasl-2.1.17 and run 
patch < /usr/ports/security/cyrus-sasl2-saslauthd/files/patch-aa:

Index: saslauthd/auth_pam.c
diff -u saslauthd/auth_pam.c.orig saslauthd/auth_pam.c
--- saslauthd/auth_pam.c.orig   Sat May 31 13:00:24 2003
+++ saslauthd/auth_pam.cTue Mar  9 11:53:44 2004
@@ -178,7 +178,7 @@
   const char *login,   /* I: plaintext authenticator */
   const char *password,/* I: plaintext password */
   const char *service, /* I: service name */
-  const char *realm __attribute__((unused))
+  const char *realm
   /* END PARAMETERS */
   )
 {
@@ -186,17 +186,25 @@
 pam_appdata my_appdata;/* application specific data */
 struct pam_conv my_conv;   /* pam conversion data */
 pam_handle_t *pamh;/* pointer to PAM handle */
+char user[256];
 int rc;/* return code holder */
 /* END VARIABLES */
-my_appdata.login = login;
+strlcpy(user, login, 256);
+
+if (realm) {
+strlcat(user, @, 256);
+strlcat(user, realm, 256);
+}
+
+my_appdata.login = user;
 my_appdata.password = password;
 my_appdata.pamh = NULL;
 my_conv.conv = saslauthd_pam_conv;
 my_conv.appdata_ptr = my_appdata;
-rc = pam_start(service, login, my_conv, pamh);
+rc = pam_start(service, user, my_conv, pamh);
 if (rc != PAM_SUCCESS) {
syslog(LOG_DEBUG, DEBUG: auth_pam: pam_start failed: %s,
   pam_strerror(pamh, rc));
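Review bot: the `strlcpy`/`strlcat` calls into `user[256]` discard their return values, so a login or realm longer than the buffer is silently truncated and the truncated `user@realm` string is then what `pam_start()` authenticates; because that string is the identity, truncation should be a hard failure rather than a quiet change of account name: compare each return value against `sizeof(user)` and return an error (with a syslog line, as the `pam_start` failure path below does) when it is reached or exceeded. Use `sizeof(user)` rather than the literal 256 in all three calls so the size cannot drift from the declaration. Note also that, as pasted, the quotes around the `@` literal and the `&` before `my_conv` and `pamh` in the `pam_start()` call have been lost, presumably by the archive, so the hunk will not apply verbatim.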
It all looks right to me, but when I do a make clean follwed by a 
make, the file does not get patched. What am I doing wrong?
Put the patch in the security/cyrus-sasl2/files directory. Take a look in
the port's Makefile, where ${PATCHDIR} is set to a different location.
	-ste

--
Dancho Penev


Re: forwarding with ttl=1

2004-02-05 Thread Dancho Penev
On Thu, Feb 05, 2004 at 03:17:04PM +0200, Alexander Botov wrote:
From: Alexander Botov [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: Thu, 5 Feb 2004 15:17:04 +0200
Subject: forwarding with ttl=1
Hi All 

I am a newbie with configuring networks under FreeBSD. I have a small network with a gateway running on FreeBSD 5.2 Release. My ISP offers me pppoe service for connecting to the Internet. I didn't have problems with configuring ppp with pppoe. I used the nat option which works fine for masquerading the local network from the world.

The problem is that the ISP's gateway returns every time packets with ttl=1 which makes further forwarding impossible. My gateway returns an icmp error message time exceeded and discards the packets. I want to know if I made some mistake with configuring the nat service or if not, what is the solution of the problem? Is there any service that can increment ttl and process the packet?

I tried to avoid the checking of ttl in the ip_forward() function in ip_input.c and skipping the decrement of ttl and everything works fine, but I think that this is a very ugly kernel hack. Probably there is an easy and elegant solution. Any ideas?
You don't need to hack the kernel because this has already been done.
Add
options		IPSTEALTH

to your kernel configuration file, build the new kernel and
set the net.inet.ip.ipstealth sysctl variable to 1.
For more information see /usr/src/sys/conf/NOTES and
/usr/src/sys/netinet/ip_input.c.
please excuse my English
--
Dancho Penev


Re: smbmount problem

2003-09-13 Thread Dancho Penev
On Sat, Sep 13, 2003 at 11:22:57AM +0200, sebastian ssmoller wrote:
From: sebastian ssmoller [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: 13 Sep 2003 11:22:57 +0200
Subject: smbmount problem
hi,
i am running fbsd 5.1. when i try to mount a samba share on a debian
system i get :
smbfs: server name x.y too long
the server name is 16 chars long and i found out (looking at the
sources) that there is a limit of 15.
my question: why is there such a limit? (i used this share from several
In the Windows world computers' NetBIOS names are limited to 15 bytes,
so I suppose that the author of mount_smbfs conforms to that.
linux distros without any problem). does this mean i have to change the
hostname of the debian system (which could not be really a solution...)
No, just use the netbios name option in smb.conf, and make sure the name is
no more than 15 chars long.
or is there any other workaround ?

thx for ur help
seb
--
Dancho Penev


Re: smbmount problem

2003-09-13 Thread Dancho Penev
 On Sat, 2003-09-13 at 15:04, Dancho Penev wrote:
 On Sat, Sep 13, 2003 at 11:22:57AM +0200, sebastian ssmoller wrote:
 From: sebastian ssmoller [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Date: 13 Sep 2003 11:22:57 +0200
 Subject: smbmount problem
 
 hi,
 i am running fbsd 5.1. when i try to mount a samba share on a debian
 system i get :
 smbfs: server name x.y too long
 the server name is 16 chars long and i found out (looking at the
 sources) that there is a limit of 15.
 
 my question: why is there such a limit? (i used this share from several

 In the Windows world computers' NetBIOS names are limited to 15 bytes,
 so I suppose that the author of mount_smbfs conforms to that.

 linux distros without any problem). does this mean i have to change the
 hostname of the debian system (which could not be really a solution...)

 No, just use the netbios name option in smb.conf, and make sure the name is
 no more than 15 chars long.

 i tried that but i found out that the netbios name in the smb.conf
 (client and server) is already shorter than 15 chars.
 the problem seems to be that the full qualified name hostname.domain (as
 used in the mount command line and as returned by the nameserver) is
 longer than 15 chars.  but this should be ok, shouldn't it ?

Yes, this isn't a problem. What command do you use to mount the share?


 any ideas ?

 thx
 seb

 or is there any other workaround ?
 
 thx for ur help
 seb
 

---
Dancho Penev


Re: Default ACL entries.

2003-08-03 Thread Dancho Penev
On Sat, Aug 02, 2003 at 06:37:24PM +0200, Grzegorz Czaplinski wrote:
Date: Sat, 2 Aug 2003 18:37:24 +0200
From: Grzegorz Czaplinski [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Default ACL entries.
Hi there!
Does anyone know how to set default ACL entries?
Any examples how to use -d, -k, -X switches with setfacl?
# setfacl -dm u::rwx,u:nobody:rwx,m::rwx,g::rx,o::rx /foo
There are three required ACL entries, u::, g:: and o::, that unlike file ACLs
don't exist when you set a default ACL for the first time, so don't forget
to set them. (BTW I have a patch for setfacl somewhere that checks the default
ACL for missing entries.)
# setfacl -k /foo
This will remove default acl for foo directory.
# setfacl -dX acls /foo
Where acls file contains entries like these:
u:nobody:rwx
g:somegroup:rx
This is all different to Solaris... ;)
Thanks,
gregory
--
Grzegorz Czaplinski gregory at prioris.mini.pw.edu.pl
The Power to Serve, Right for the Power Users! - http://www.FreeBSD.org/
Fingerprint: EB77 E19D CFA2 5736 810F  847C A70F A275 2489 469F


--
Dancho Penev
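To make the point about the three base entries checkable, here is an added example; it is not from the thread and not part of setfacl(1). It is a POSIX sh/awk guard that verifies a default-ACL specification contains u::, g:: and o:: and that every entry has the tag:qualifier:perms shape shown above, before the spec is handed to "setfacl -dm" or "setfacl -dX". The function names and the sample specs are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread and not part of setfacl(1): check a
# default-ACL specification for the three base entries (u::, g::, o::) that
# the reply above says must be supplied the first time a default ACL is set
# on a directory, and for well-formed tag:qualifier:perms entries.  Pure
# POSIX sh/awk, so it runs without setfacl; use it as a guard before
# "setfacl -dm SPEC DIR" or "setfacl -dX FILE DIR".

# check_default_acl SPEC
#   SPEC is the comma-separated command-line form, e.g.
#   "u::rwx,u:nobody:rwx,m::rwx,g::rx,o::rx".
#   Returns 0 when every base entry is present and every entry is well
#   formed; otherwise reports each problem on stderr and returns 1.
check_default_acl() {
    printf '%s\n' "$1" | tr ',' '\n' | awk '
        NF == 0 { next }                       # skip blank lines
        {
            n = split($0, f, ":")              # tag:qualifier:perms
            if (n != 3 || f[1] !~ /^[ugom]$/ || f[3] !~ /^[rwx-]+$/) {
                print "malformed entry: " $0 > "/dev/stderr"; bad = 1; next
            }
            if (f[2] == "") base[f[1]] = 1     # empty qualifier = base entry
        }
        END {
            split("u g o", need, " ")
            for (i in need) if (!(need[i] in base)) {
                print "missing base entry " need[i] "::" > "/dev/stderr"; bad = 1
            }
            exit bad ? 1 : 0
        }'
}

# check_default_acl_file FILE
#   Same check for the one-entry-per-line file used by "setfacl -dX FILE".
check_default_acl_file() {
    check_default_acl "$(sed -e '/^[[:space:]]*$/d' "$1" | paste -sd, -)"
}
```

Run it as `check_default_acl "$spec" && setfacl -dm "$spec" /foo` so that a spec missing one of the base entries is reported before setfacl touches the directory.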


Re: Serial Console Port Settings ?

2003-06-17 Thread Dancho Penev
On Tue, Jun 17, 2003 at 05:29:03AM -0700, Dave Bloodgood wrote:
From: Dave Bloodgood [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: Tue, 17 Jun 2003 05:29:03 -0700
Subject: Serial Console Port Settings ?
In order to troubleshoot booting a newer pc, I have tried to configure a serial console... Unfortunately, I don't
know what port settings (baud rate, # bits, parity etc) to use on the receiving machine... I've tried lots of combinations
and get gibberish at low settings, lots of @ signs at 9600 and nothing at speeds above 9600. Is there an auto-baud
routine?
FreeBSD Handbook is your friend 
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/serialconsole-setup.html

9600 baud, 8 bits, no parity, 1 stop bit.

Dave
--
Regards,
Dancho Penev


Re: How to ignore arp error message

2003-04-04 Thread Dancho Penev
On Fri, Apr 04, 2003 at 10:04:21AM +1000, Carl Morley wrote:
From: Carl Morley [EMAIL PROTECTED]
To: [EMAIL PROTECTED], 'Dancho Penev' [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: How to ignore arp error message
Date: Fri, 4 Apr 2003 10:04:21 +1000
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Murphy
Sent: Friday, 4 April 2003 09:52
To: Dancho Penev
Cc: [EMAIL PROTECTED]
Subject: Re: How to ignore arp error message
Dancho Penev [EMAIL PROTECTED] wrote:

On Thu, Apr 03, 2003 at 07:14:24AM +1000, Carl Morley wrote:
From: Carl Morley [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: Thu, 3 Apr 2003 07:14:24 +1000
Subject: How to ignore arp error message

arp: 10.1.21.80 moved from 00:03:47:f1:b8:3b to 00:03:47:f1:b8:3a on
fxp2
arp: 10.1.21.80 moved from 00:03:47:f1:b8:3a to 00:03:47:f1:b8:3b on
fxp2
is it possible to ignore these messages?
# sysctl net.link.ether.inet.log_arp_movements=0
Where ISP = blueyonder.co.uk that is a very useful sysctl.

Many Thanks.
John.
Yes I agree!  Thanks to Dancho.  But I am actually having problems
running it; 
sysctl: unknown oid 'net.link.ether.inet.log_arp_movements';

But I suspect that I am due to do a cvsup etc.  Will see what happens
after that!
Sorry, I forgot to say that this sysctl variable is for 5.0; I don't know
whether it exists in the 4.x branch.
--
Regards,
Dancho Penev


Re: How to ignore arp error message

2003-04-03 Thread Dancho Penev
On Thu, Apr 03, 2003 at 07:14:24AM +1000, Carl Morley wrote:
From: Carl Morley [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: Thu, 3 Apr 2003 07:14:24 +1000
Subject: How to ignore arp error message
Hi,
I have a server on a network which is inhabited by an Intel rack-mount
box running Win2k.  The Intel server has got two of its NICs 'teamed'
- the Intel redundant NIC method.

Problem is that to the FreeBSD box, it looks like the MAC address of
that IP address keeps changing, so I get endless kernel messages like
the ones below.  You can see the swap from 3a to 3b, and can probably
guess the next in the sequence!  Yeah, back to 3a
arp: 10.1.21.80 moved from 00:03:47:f1:b8:3b to 00:03:47:f1:b8:3a on
fxp2
arp: 10.1.21.80 moved from 00:03:47:f1:b8:3a to 00:03:47:f1:b8:3b on
fxp2
1.  Does anyone know if my fellow admin (who looks after the Intel box)
has configured incorrectly?  Or is this a symptom of all 'teamed' NICs?
2.  If nothing can be done on the Intel box, is it possible to ignore
these messages?
# sysctl net.link.ether.inet.log_arp_movements=0

Cheers,
Carl.
___

Webize Pty Ltd
ph: (03) 9561 3353
fx: (03) 9561 4583
[EMAIL PROTECTED]
___ 



--
Regards,
Dancho Penev


Re: ipfw question

2003-03-29 Thread Dancho Penev
On Fri, Mar 28, 2003 at 10:34:16AM -0500, Walter wrote:
Date: Fri, 28 Mar 2003 10:34:16 -0500
From: Walter [EMAIL PROTECTED]
To: Questions [EMAIL PROTECTED]
Subject: ipfw question
Hi all,

   I see a strange entry in my mail log from the
ipfw log output.  I don't really have a firm grasp
on ipfw yet and need help understanding how this
log entry came about (17 times), below:
 ipfw: 1700 Deny TCP 0.0.0.0:80 192.168.xxx.xxx:49339 in via fxp0

The output of ipfw list starts as:

00100 allow ip from any to any via lo0
00200 deny log logamount 100 ip from any to 127.0.0.0/8
00300 deny log logamount 100 ip from 192.168.1.0/24 to any in recv fxp0
00400 deny log logamount 100 ip from 24.170.166.0/24 to any in recv ep0
00500 deny log logamount 100 ip from any to 10.0.0.0/8 via fxp0
00600 deny log logamount 100 ip from any to 172.16.0.0/12 via fxp0
00700 deny log logamount 100 ip from any to 192.168.0.0/16 via fxp0
00800 deny log logamount 100 ip from any to 0.0.0.0/8 via fxp0
00900 deny log logamount 100 ip from any to 169.254.0.0/16 via fxp0
01000 deny log logamount 100 ip from any to 192.0.2.0/24 via fxp0
01100 deny log logamount 100 ip from any to 224.0.0.0/4 via fxp0
01200 deny log logamount 100 ip from any to 240.0.0.0/4 via fxp0
01300 divert 8668 ip from any to any via fxp0
01400 deny log logamount 100 ip from 10.0.0.0/8 to any via fxp0
01500 deny log logamount 100 ip from 172.16.0.0/12 to any via fxp0
01600 deny log logamount 100 ip from 192.168.0.0/16 to any via fxp0
01700 deny log logamount 100 ip from 0.0.0.0/8 to any via fxp0
01800 deny log logamount 100 ip from 169.254.0.0/16 to any via fxp0
01900 deny log logamount 100 ip from 192.0.2.0/24 to any via fxp0
02000 deny log logamount 100 ip from 224.0.0.0/4 to any via fxp0
02100 deny log logamount 100 ip from 240.0.0.0/4 to any via fxp0
remaining omitted
My question is how come rule 00700 did not kick out the
prober, rather falling to rule 01700??  I realize the log
Because the original packet was from 0.0.0.0 to YOUR_PUBLIC_IP
and natd (rule 1300) rewrote the destination address YOUR_PUBLIC_IP
to your private IP address. You will have to find out who sends
this kind of packet from your net to the outside world, because
they are not very regular.
amounts are limited, but how did rule 01700 get activated
when rule 00700, seems to me, should have knocked out the
packet?  Is this evidence of someone having broken into my
FBSD router, as there are no other entries I've seen to
other possible internal IP's, or was someone just lucky?
Thanks.

Walter

--
Regards,
Dancho Penev
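To make the reply's point about rule order checkable, here is an added example; it is not from the thread and not ipfw itself. It walks the three relevant rules from the posted list in order and applies the natd rewrite at rule 01300, so the reader can see why 00700 never fires for that packet. The addresses are constructed placeholders (203.0.113.10 stands for YOUR_PUBLIC_IP, 192.168.1.50 for the translated inside host), and every packet is taken as "in via fxp0", so the interface part of each rule is implicit.

```shell
#!/bin/sh
# Added example, not from the thread and not ipfw: a small walk through the
# posted rule order to show why the logged packet hit rule 01700 instead of
# 00700.  The three rules are the ones the reply points at; the addresses
# are constructed (203.0.113.10 plays YOUR_PUBLIC_IP, 192.168.1.50 the
# natd-translated private host).  Pure POSIX sh/awk.

# cidr_match IP NET/BITS
#   Returns 0 when IP is inside the prefix ("any" matches everything).
#   Uses integer division instead of bit operations so it also works in
#   awks that lack and()/rshift().
cidr_match() {
    [ "$2" = any ] && return 0
    awk -v ip="$1" -v cidr="$2" '
        function toint(a,  o) { split(a, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
        BEGIN {
            n = split(cidr, p, "/"); bits = (n == 2) ? p[2] : 32
            unit = 2 ^ (32 - bits)             # size of one prefix block
            ok = (int(toint(ip) / unit) == int(toint(p[1]) / unit))
            exit ok ? 0 : 1
        }'
}

# Subset of the posted list: "number action src dst"
RULES='00700 deny any 192.168.0.0/16
01300 divert any any
01700 deny 0.0.0.0/8 any'

# walk_rules SRC DST PUBLIC_IP PRIVATE_IP
#   Prints "RULE action SRC -> DST" for the first terminating rule.  At the
#   divert rule natd rewrites an inbound destination of PUBLIC_IP to
#   PRIVATE_IP and matching continues with the following rule, which is
#   what happens to the reinjected packet.
walk_rules() {
    src=$1; dst=$2; pub=$3; priv=$4; result="no rule matched"
    while read -r num action rsrc rdst; do
        [ -n "$num" ] || continue
        cidr_match "$src" "$rsrc" || continue
        cidr_match "$dst" "$rdst" || continue
        if [ "$action" = divert ]; then
            [ "$dst" = "$pub" ] && dst=$priv   # natd rewrote the destination
        else
            result="$num $action $src -> $dst"
            break
        fi
    done <<EOF
$RULES
EOF
    printf '%s\n' "$result"
}
```

`walk_rules 0.0.0.0 203.0.113.10 203.0.113.10 192.168.1.50` prints `01700 deny 0.0.0.0 -> 192.168.1.50`: rule 00700 sees the still-untranslated public destination and does not match, and only after the divert has rewritten it does the packet reach a rule whose source part matches. A packet sent from outside directly to the private address is caught by 00700 instead.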


Re: your mail

2003-03-26 Thread Dancho Penev
On Wed, Mar 26, 2003 at 02:55:00PM +, Tiago Andre wrote:
From: Tiago Andre [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: Wed, 26 Mar 2003 14:55:00 +
Subject: 

Hi there
I am trying to establish an ip6 tunnel on my pc..
but when I try to
#route add -inet6 default -interface gif0

it gave me this

route: writing to routing socket: File exists
add net default: gateway gif0: File exists
What does it means??
I'm not an ipv6 expert, but this message means that you already have a default
route (you have ipv6_defaultroute in rc.conf).
And when i try to

ping6 3ffe:31ff:0:::82

that is my tunnel endpoint (not my ipv6 address)
it doesn't get any packets received
my public ip4 193.137.232.35
my public ip6 3ffe:31ff:0:::83
what is happening?

this is my rc.config:

# -- sysinstall generated deltas -- # Mon Dec  9 10:52:02 2002
# Created: Mon Dec  9 10:52:02 2002
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
defaultrouter="193.137.232.1"
font8x14="iso-8x14"
font8x16="iso-8x16"
font8x8="iso-8x8"
gateway_enable="YES"
hostname="samaell.ipg.pt"
ifconfig_xl0="inet 193.137.232.35  netmask 255.255.255.0"
ipv6_enable="YES"
ipv6_firewal_enable="NO"
ipv6_firewal_type="simple"
ipv6_ifconfig_xl0="3ffe:31ff:0:::83/127"
ipv6_ifconfig_xl1="3ffe:31ff:0:::84/127"
ipv6_static_routes="xl1 xl0"
ipv6_defaultrouter="3ffe:31ff:0:::82"
ipv6_gateway_enable="YES"
kern_securelevel_enable="NO"
keymap="pt.iso.acc"
linux_enable="YES"
moused_enable="YES"
nfs_reserved_port_only="YES"
nisdomainname="NO"
ntpdate_enble="YES"
ntpdate_flags="leeloo.ipg.pt hal.ipg.pt"
router_enable="YES"
router="/usr/local/sbin/mrtd"
router_flags=""
rtadvd_enable="YES"
rtadvd_interfaces="-s -c /etc/rtadvd.conf xl0 xl1"
saver="logo"
scrnmap="NO"
sendmail_enable="YES"
sshd_enable="YES"
usbd_enable="YES"
Thanks
Tiago Camilo
_
MSN Hotmail, o maior webmail do Brasil. http://www.hotmail.com
--
Regards,
Dancho Penev


Re: a bit confused with new rc.d system in 5.0

2003-03-16 Thread Dancho Penev
On Sun, Mar 16, 2003 at 07:05:56AM -0500, Jorge Mario G. wrote:
Date: Sun, 16 Mar 2003 07:05:56 -0500 (EST)
Subject: a bit confused with new rc.d system in 5.0
From: Jorge Mario G. [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Hi there
I just installed 5.0
the first thing I noticed is the new rc system
yeah looks good but I'm totally lost!
so what is the difference between /etc/rc.sendmail and /erc/rc.d/sendmail
I tried the handbook but there is no info about how to properly use this
new system!.
I like to integrate my scripts with the system so I would like to learn
this new stuff
so please if anyone could point me to some kind of doc/info I'll
appreciate it
The rc man page is a pretty good starting point; also look at the NetBSD site:
http://www.netbsd.org/Documentation/rc/ (because the rc.d system is
imported from NetBSD).
Thanks

Jorge





To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message
--
Regards,
Dancho Penev


Re: How to enable ACL support in 5.0?

2003-03-11 Thread Dancho Penev
On Mon, Mar 10, 2003 at 01:48:23PM +0100, Gabriel Ambuehl wrote:
Date: Mon, 10 Mar 2003 13:48:23 +0100
From: Gabriel Ambuehl [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: How to enable ACL support in 5.0?
Hello,
I might appear stupid or not having read the manual, but whatever I
try, I can't get setfacl to work (keeps failing:
setfacl: acl_get_file() failed: Operation not supported).
I read the manual and it says I should add acls as option to fstab
which I did:
/dev/ad7s1g /home   ufs rw,acls 2   2
What version is this filesystem: UFS1 or UFS2? UFS2 has full support
for acls, but with UFS1 you must enable extended attributes. If you
have the kernel source files I suggest you read
/usr/src/sys/ufs/ufs/README.acls.


or use tunefs to set the flag statically in the superblock but tunefs
man page knows nothing at all about ACL.
From tunefs man page:

-a enable | disable
Turn on/off the administrative ACL enable flag.
So what do I need to do to get ACLs to work? Also, I was wondering
when to use ugidfw (more exotic stuff, I presume) and when just basic
ACLs. I think the whole ACL stuff could use some more docs, anyway.
For most users, this could be the single most visible change to the
system (SMPng etc are mostly under the hood so that's not as obvious
to most).
I'd appreciate any comments or pointers on this issue.

TIA  regards,
Gabriel
--
Regards,
Dancho Penev


Re: Where did I go wrong?

2003-02-28 Thread Dancho Penev
On Fri, Feb 28, 2003 at 12:56:56PM -0500, Sam Drinkard wrote:
Date: Fri, 28 Feb 2003 12:56:56 -0500
From: Sam Drinkard [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Where did I go wrong?
For some time, I've been seeing all these entries in my console log, the 
dmesg, and in the security logs.  I don't remember when or what change I 
made to create them, but looking thru what I thought would turn them 
off, I see nothing.  Can somebody refresh my memory and tell me where I 
need to make the change?  System is 4.7-Stable, no ipfilter, only ipfw.
Most likely you put this in /etc/rc.conf:
log_in_vain="1"


vortex.wa4phy.net kernel log messages:
 

127.0.0.1:2725 from 127.0.0.1:53
Connection attempt to UDP 127.0.0.1:2936 from 127.0.0.1:53
Connection attempt to TCP 69.1.2.172:445 from 24.73.116.177:1724
Connection attempt to TCP 69.1.2.172:445 from 24.73.116.177:1724
Connection attempt to TCP 69.1.2.172:445 from 24.73.116.177:1724
Connection attempt to UDP 127.0.0.1:3055 from 127.0.0.1:53
Connection attempt to UDP 127.0.0.1:3185 from 127.0.0.1:53
Connection attempt to UDP 127.0.0.1:3235 from 127.0.0.1:53
Connection attempt to UDP 127.0.0.1:3307 from 127.0.0.1:53

Thanks...

Sam

PS.. would appreciate a CC: as I'm not subscribed to -questions





--
Regards,
Dancho Penev


Re: mount_ntfs fails

2003-02-27 Thread Dancho Penev
On Fri, Feb 21, 2003 at 02:26:02PM +0100, Wiroth Didier wrote:
From: Wiroth Didier [EMAIL PROTECTED]
Subject: Re: mount_ntfs fails
To: [EMAIL PROTECTED]
Date: Fri, 21 Feb 2003 14:26:02 +0100
On Fri, 21 Feb 2003 13:15:03 +
Daniel Bye [EMAIL PROTECTED] wrote:
On Fri, Feb 21, 2003 at 01:54:57PM +0100, Didier Wiroth
wrote:
 Hey, 
 
 I have two harddisks:
 1) ad0 with 1 slice containing Windows XP pro
 2) ad2 with two slices s1 is ntfs and s2 is freebsd
4.7-release
 
 I can mount_ntfs without problems ad2s1 from freebsd!
 
 BUT I can't mount_ntfs ad0s! When I try to mount it
with the following
 command:
 mount_ntfs /dev/ad0s1 /mnt
 
 I get the following error:
 mount_ntfs: /dev/ad0s1: Invalid argument
 
 And in /var/log/messages I see this:
 Feb 21 13:46:39 lucifer /kernel: ad0s1: slice extends
beyond end of
 disk: truncating from 78140097 to 4408785 sectors
 Feb 21 13:46:39 lucifer /kernel: ntfs_loadntnode: BREAD
FAILED
 Feb 21 13:46:39 lucifer /kernel: ntfs_vget: CAN'T LOAD
ATTRIBUTES FOR
 INO: 0
 
 1) What is the problem with ad0?
 2) What can I do to resolve the problem so that I'm
able to mount_ntfs
 ad0s1?

Does mount_ntfs /dev/ad0s1c /mnt work?  I have had
similar moments of
darkness, and seem to recall that was one way out.  I'm
not sure of the
reason for this - it is something to do with the way
Windows installs itself
on the disk, and with the BSD disk name convention, the c
partition
represents the whole slice.  That's my theory, anyway
 ;-)
Nope, does not work :-(
Any other ideas are welcome! :-))
Yet another idea ;-)

Did you change the first disk from basic to dynamic with WinXP?
Dynamic disks in the XP world use a different way to store slice
information and are incompatible with the mbr.

Thanks anyway!
Didier
--
Regards,
Dancho Penev


Re: mount_smbfs password file

2003-02-18 Thread Dancho Penev
On Tue, Feb 18, 2003 at 10:49:16AM -0600, Brian Henning wrote:

From: Brian Henning [EMAIL PROTECTED]
To: freebsd [EMAIL PROTECTED]
Subject: mount_smbfs password file
Date: Tue, 18 Feb 2003 10:49:16 -0600

Hello-
I log into a samba share a lot in bsd so I put some entries in my fstab to automate
the process a little.
Is there a password file I can store my smb share password in so fstab can find
it and not prompt me for it each time?


Edit /etc/nsmb.conf file. Look in mount_smbfs man page for more details.



thanks,
b



--
Regards,
Dancho Penev




Re: Supress ARP messages?

2003-02-17 Thread Dancho Penev
On Mon, Feb 17, 2003 at 11:34:03AM +0100, Lasse Laursen wrote:

From: Lasse Laursen [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Supress ARP messages?
Date: Mon, 17 Feb 2003 11:34:03 +0100

Hi all,

We have a clustered setup of FreeBSD machines and we get a load of these
messages:

arp: 10.0.0.254 moved from 00:d0:b7:7e:b1:6d to 00:d0:b7:a0:07:2f on fxp0
arp: 10.0.0.254 moved from 00:d0:b7:a0:07:2f to 00:d0:b7:7e:b1:6d on fxp0
arp: 10.0.0.254 moved from 00:d0:b7:7e:b1:6d to 00:d0:b7:a0:07:2f on fxp0
arp: 10.0.0.254 moved from 00:d0:b7:a0:07:2f to 00:d0:b7:7e:b1:6d on fxp0

each time a machine takes over another machine's IP addresses. Is there any
way to suppress these messages?


# sysctl net.link.ether.inet.log_arp_movements=0





Regards

--
Lasse Laursen [EMAIL PROTECTED] - Systems Developer
NetGroup A/S, St. Kongensgade 40H, DK-1264 K?benhavn K, Denmark
Phone: +45 3370 1526 - Fax: +45 3313 0066 - Web: www.netgroup.dk

- We don't surf the net, we make the waves.





--
Regards,
Dancho Penev

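The three ARP threads above (the Intel teamed NICs, the clustered takeover, and this one) all end with the sysctl that silences the "moved" message. As an added example, not from any of the threads and not a FreeBSD tool, here is the defender's alternative: a POSIX sh/awk summary that keeps the messages and reports, per IP, how many moves were seen and between how many distinct MACs, so a benign two-address failover pair stands out from an address that keeps acquiring new MACs. The sample log and the 10.0.0.7 and 10.0.0.9 entries are constructed; the 10.0.0.254 lines echo the ones quoted above.

```shell
#!/bin/sh
# Added example, not from the threads above and not a FreeBSD tool: rather
# than silencing "arp: ... moved" messages with
# net.link.ether.inet.log_arp_movements=0, summarize them per IP so that a
# benign two-MAC pair (teamed NICs, cluster takeover) is told apart from an
# address that keeps turning up behind new MACs.  Pure POSIX sh/awk.

# summarize_arp_moves < LOGFILE
#   One output line per IP: "IP moves=N macs=M verdict", sorted by IP.
#   verdict: failover-pair  exactly two MACs that alternate (moves > 1)
#            new-mac        a single move to a second MAC
#            investigate    three or more distinct MACs seen
summarize_arp_moves() {
    awk '
        {
            # locate the "arp:" token so both raw kernel lines and
            # syslog-prefixed ones ("Feb 16 18:35:06 voo /kernel: arp: ...")
            # are handled; expected shape after it:
            #   IP moved from MAC1 to MAC2 on IFACE
            for (i = 1; i <= NF; i++) if ($i == "arp:") break
            if (i > NF || $(i+2) != "moved") next
            ip = $(i+1); from = $(i+4); to = $(i+6)
            moves[ip]++
            if (!((ip, from) in seen)) { seen[ip, from] = 1; nmacs[ip]++ }
            if (!((ip, to) in seen))   { seen[ip, to] = 1;   nmacs[ip]++ }
        }
        END {
            for (ip in moves) {
                if (nmacs[ip] > 2)        verdict = "investigate"
                else if (moves[ip] > 1)   verdict = "failover-pair"
                else                      verdict = "new-mac"
                printf "%s moves=%d macs=%d %s\n", ip, moves[ip], nmacs[ip], verdict
            }
        }' | LC_ALL=C sort
}

# Constructed sample log (10.0.0.254 echoes the lines quoted in the thread;
# 10.0.0.7 and 10.0.0.9 are made up to show the other two verdicts).
SAMPLE_ARP_LOG='arp: 10.0.0.254 moved from 00:d0:b7:7e:b1:6d to 00:d0:b7:a0:07:2f on fxp0
arp: 10.0.0.254 moved from 00:d0:b7:a0:07:2f to 00:d0:b7:7e:b1:6d on fxp0
Feb 17 11:30:00 node1 /kernel: arp: 10.0.0.254 moved from 00:d0:b7:7e:b1:6d to 00:d0:b7:a0:07:2f on fxp0
arp: 10.0.0.7 moved from 00:aa:bb:cc:dd:01 to 00:aa:bb:cc:dd:02 on fxp0
arp: 10.0.0.7 moved from 00:aa:bb:cc:dd:02 to 00:aa:bb:cc:dd:03 on fxp0
arp: 10.0.0.9 moved from 00:aa:bb:cc:dd:10 to 00:aa:bb:cc:dd:11 on fxp0
fxp0: link state changed to UP'

# demo_arp_summary: run the summary over the constructed sample
demo_arp_summary() {
    printf '%s\n' "$SAMPLE_ARP_LOG" | summarize_arp_moves
}
```

On a real system feed it `/var/log/messages` (or the matching kernel log) and compare the MAC count against what the cluster or teaming setup is expected to use; the sysctl from the replies can still be set afterwards once the pairs are known.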



Re: arplookup going mad

2003-02-17 Thread Dancho Penev
On Sun, Feb 16, 2003 at 06:47:47PM +0100, Marc Schneiders wrote:

Date: Sun, 16 Feb 2003 18:47:47 +0100 (CET)
From: Marc Schneiders [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: arplookup going mad

I have posted a question about this earlier, without getting an
answer. Then the problem was occasionally. Now the machine is going
mad over the same thing. It gives this every second in messages:

Feb 16 18:35:06 voo /kernel: arpresolve: can't allocate llinfo for
13.16.2.97rt
Feb 16 18:35:06 voo /kernel: arplookup 213.196.2.97 failed: host is
not on local network
Feb 16 18:35:06 voo /kernel: arpresolve: can't allocate llinfo for
13.16.2.97rt
Feb 16 18:35:06 voo /kernel: arplookup 213.196.2.97 failed: host is
not on local network
Feb 16 18:35:06 voo /kernel: arpresolve: can't allocate llinfo for
13.16.2.97rt
Feb 16 18:35:06 voo /kernel: arplookup 213.196.2.97 failed: host is
not on local network
Feb 16 18:35:06 voo /kernel: arpresolve: can't allocate llinfo for
13.16.2.97rt
Feb 16 18:35:06 voo /kernel: arplookup 213.196.2.97 failed: host is
not on local network
Feb 16 18:35:06 voo /kernel: arpresolve: can't allocate llinfo for
13.16.2.97rt
Feb 16 18:35:06 voo /kernel: arplookup 213.196.2.97 failed: host is
not on local network
Feb 16 18:35:06 voo /kernel: arpresolve: can't allocate llinfo for
13.16.2.97rt
Feb 16 18:35:06 voo /kernel: arplookup 213.196.2.97 failed: host is
not on local network
Feb 16 18:35:06 voo /kernel: arpresolve: can't allocate llinfo for
13.16.2.97rt

How do I put an end to this? The IP mentioned is NOT on the local
network. I do NOT tell it anywhere it is. Nothing has changed in my
config. Why does it do this, and why every second all of a sudden? How
do I stop it?

man llinfo gives 0, apropos llinfo gives 0. man arplookup: nothing,
apropos arplookup: nothing.


man 4 arp (not an answer but may be help you to resolve the problem)



I rebooted, to no avail. It came back within half an hour.

Since the machine is colocated (and not next door) I do not want to
lock myself out by trying funny things with arp -s. And I tried that
on a machine here, and it refused it anyway for a host not on the
local network. As it should, I am sure.

Any really good ideas?

uname -a: FreeBSD [hostname] 4.7-STABLE FreeBSD 4.7-STABLE #13: Sat
Nov 16 16:09:35 CET 2002
marc@[hostname]:/usr/obj/usr/src/sys/FUCHSIA  i386






--
Regards,
Dancho Penev




Re: Wrong Timestamps in /var/log/messages from ipmon

2003-02-14 Thread Dancho Penev
On Fri, Feb 14, 2003 at 04:10:42PM +1100, Murray Taylor wrote:

From: Murray Taylor [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Wrong Timestamps in /var/log/messages from ipmon
Date: Fri, 14 Feb 2003 16:10:42 +1100

Using 

ipmon -Dsv

We were seeing timestamps in /var/log/messages that were 11 hours out from our 
real timezone... other messages (interspersed) from other programs were 
correctly timestamped. 
Date was returning the correct time, and we are running xntpd against our 
timeserver.

We reset the /etc/locatime via /stand/sysinstall then killed ipmon and 
restarted it and all the timestamps are now correct.. Any ideas.. ?

Which timestamps? Can you show the messages?
Note that in a log message you have two timestamps:
1. The time when ipmon logs to syslogd
2. The time when ipfilter logs to /dev/ipl

When ipmon is run it reads the ipl buffer and logs messages if there are any,
and they may be from 11 seconds, 11 hours or 11 days ago ...



FreeBSD 4.7-STABLE


Murray Taylor
Special Projects Engineer
-
Bytecraft Systems  Entertainment
Phone: 61 3 8710 2555
Fax: 61 3 8710 2599
Direct: 61 3 9238 4275
Mobile: 61 0417 319 256
Email: [EMAIL PROTECTED]
or visit us on the web
http://www.bytecraftsystems.com
http://www.bytecraftentertainment.com






--
Regards,
Dancho Penev




Re: squid and ipfw ... fwd ...

2003-02-13 Thread Dancho Penev
On Thu, Feb 13, 2003 at 06:44:24PM +0100, P. U. Kruppa wrote:

Date: Thu, 13 Feb 2003 18:44:24 +0100 (CET)
From: [EMAIL PROTECTED] (P. U. Kruppa)
To: [EMAIL PROTECTED]
Subject: squid and ipfw ... fwd ...

Hi!

I am trying to setup a transparent proxy with Squid.

Proxying and caching itself works fine (thanks to the help of
this list!) - my Squid is listening on port 80.

I have got the ipfw kernel module running and seem to be able to
change all kinds of rules via ipfw or from bootup via some
firewall configuration file. As all kinds of manuals advise I do
# ipfw add 200 allow tcp from 192.168.10.1 to any
and still everything works fine. But when I try the next line
# ipfw add 300 fwd 127.0.0.1 tcp from any to any 80
I keep receiving access denied messages from squid.


Put something like this in the squid config file (change the ip address and netmask):

acl permitednet src 192.168.0.0/255.255.0.0
http_access allow permitednet

Take a look at the ACCESS CONTROLS section in squid.conf for more details.
In fact, if you keep the above two ipfw rules the transparent proxy will not work for
192.168.10.1.



I found several emails about this problem in Google but no
solution.


What can be done now?

Thanks for any ideas,

Uli.

*---*
*Peter Ulrich Kruppa*
*  -  Wuppertal -   *
*  Germany  *
*---*



--
Regards,
Dancho Penev




Re: Questions

2003-01-15 Thread Dancho Penev
On Wed, Jan 15, 2003 at 09:15:05AM -0500, Alvaro Rosales R. wrote:

From: Alvaro Rosales R. [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: Wed, 15 Jan 2003 09:15:05 -0500
Subject: Questions

Hi fellows .
Is it possible to have a box with 2 default gateways? If the answer is

No. A FreeBSD box can have only one default gateway.


yes, is it possible to route the packets based on the IP source address

Take a look at the ipfw manual page for the fwd rule action.


of the clients? .For example:

bsd BOX with 2 nics (acting as router)
nic1 10.10.1.10 default gw 10.10.1.1
nic2 200.37.53.5  default gw 200.37.53.1

client1 10.10.1. 5 default gw 10.10.1.1

client2 10.10.1.22  default gw 10.10.1.1

If client1 connects to 10.10.1.1 the packets should be routed through nic2
of the multihomed BSD BOX

If client2 connects to 10.10.1.1 the packets should be routed through nic1
of the multihomed BSD BOX.

Thanks in advance for your help



--
Regards,
Dancho Penev




Re: ipfilter/ipmon log msgs

2003-01-14 Thread Dancho Penev
On Mon, Jan 13, 2003 at 05:23:52PM -0500, JoeB wrote:

From: JoeB [EMAIL PROTECTED]
To: Wayne Pascoe [EMAIL PROTECTED]
Cc: FBSDQ [EMAIL PROTECTED]
Subject: RE: ipfilter/ipmon log msgs
Date: Mon, 13 Jan 2003 17:23:52 -0500

Did ipf -V and the which command on both ipf and ipmon and they are
both in the same directory.
The only thing that looks questionable is ipf -V says "log flags: 0
= none set".


This means that you haven't enabled default logging of packets.
(man 8 ipf and search for the -l option)

And now to your original question:
When the author of the ipmon man page says that day, month and year
are removed from messages, he means that they are removed from the
messages that are taken from /dev/ipl, not that they aren't logged
in the log files. What you see in your log files from the beginning of the line
to the colon character is appended by syslog, and it's the day, month and
time of sending the messages to the system logger. We have two distinct
events:

1. The date and time when packets are blocked or passed, the time
when they are logged to /dev/ipl (this is what is actually removed; without
the time it's always logged)
2. The date and time when ipmon logs messages, the time when ipmon
reads /dev/ipl and logs via syslog or writes to the console

Between these two events we have some time interval, so you must
not mix them up.

Does this mean   ipfilter_flags=   or  ipmon_flags=-Ds

What is this talking about??

In rc.conf I have

ipfilter_enable="YES"
ipfilter_flags=""
ipnat_enable="YES"
ipmon_enable="YES"
ipmon_flags="-Ds"

Is there a ipfilter web site that I can check  man info page on
ipmon to see if it has newer information that what FBSD has in it's
man ipmon which would mean that the new man info was not updated
into the new FBSD release of ipfilter which happened in FBSD 4.7


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Wayne
Pascoe
Sent: Monday, January 13, 2003 4:35 PM
To: [EMAIL PROTECTED]
Cc: FBSDQ
Subject: Re: ipfilter/ipmon log msgs

JoeB [EMAIL PROTECTED] writes:


Man ipmon says than when option -s is selected to send ipfilter
log messages to syslogd the day, month, year prefix is removed

from

the message before posting to syslogd.  This does not happen.


Firstly, ensure you're starting ipmon with the -Ds flags. This will
put it in daemon mode and log through syslogd.

I've had a problem with logfile formats in the past and this was
because I was not running the correct version of ipmon.

do
sudo ipf -V

Check the version. Then do which ipf

Then check to see that the ipmon is running is in the same
directory.

Otherwise, post a sample log line...

Regards,

--
- Wayne Pascoe
   You know, it's simply not true that wars never
   settle anything - James Burnham






--
Regards,
Dancho Penev




Re: IPFW Help

2002-11-27 Thread Dancho Penev
On Mon, Nov 25, 2002 at 08:57:15PM -0500, Phierce wrote:

From: Phierce [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: IPFW Help
Date: Mon, 25 Nov 2002 20:57:15 -0500

Hello All,

New to the FreeBSD os, but learning...   having some trouble with IPFW.
Below is what it looks like. I can sh rc.firewall with no errors, but yet my
root account is still unable to ping out; I receive permission denied.
Wondering if anyone could help me out.


How did you run the script? I suppose you forgot the parameter and
firewall_type is not set in rc.conf.

# sh /etc/rc.firewall custom
or
in /etc/rc.conf
firewall_type="custom"



#
# Suck in the configuration variables.
if [ -z "${source_rc_confs_defined}" ]; then
   if [ -r /etc/defaults/rc.conf ]; then
      . /etc/defaults/rc.conf
      source_rc_confs
   elif [ -r /etc/rc.conf ]; then
      . /etc/rc.conf
   fi
fi
#

if [ -n "${1}" ]; then
   firewall_type="${1}"
fi
# Set quiet mode if requested
#
case ${firewall_quiet} in
[Yy][Ee][Ss])
   fwcmd="/sbin/ipfw -q"
   ;;
*)
   fwcmd="/sbin/ipfw"
   ;;
esac

###
# Flush out the list before we begin.
#
${fwcmd} -f flush

case ${firewall_type} in
[Cc][Uu][Ss][Tt][Oo][Mm])
   # set these to your network netmask and ip
   net="192.168.1.1"
   mask="255.255.255.0"
   ip="192.168.1.10"

# Deny all fragments as bogus packets
${fwcmd} add 00100 deny log all from any to any frag

#Allow any TCP UDP traffic from my own net.
${fwcmd} add 00200 allow all from any to any via lo0
${fwcmd} add 00300 deny log ip from any to 127.0.0.1/8

#We should allow inout some TCP and udp ports.
${fwcmd} add 00400 allow tcp from any to any 32000-65535
${fwcmd} add 00500 allow udp from any to any 32000-65535

#Allow TCP through if setup succeeded
${fwcmd} add 00600 allow tcp from any to any established

#Allow access to FTPD
${fwcmd} add 00700 allow tcp from any to ${ip} 21
${fwcmd} add 00800 allow tcp from any 20 to any 1024-49151 out

#Allow access to OPENSSH
${fwcmd} add 00900 allow tcp from any to ${ip} 22

#Allow access to SENDMAIL
${fwcmd} add 01000 allow tcp from any to any 25

#Allow access to BIND
${fwcmd} add 01100 allow udp from ${ip} to any
${fwcmd} add 01200 allow udp from any to ${ip}


#Allow access to FINGER
${fwcmd} add 01300 allow tcp from any to any 79

#Allow access to HTTP
${fwcmd} add 01400 allow tcp from any to any 80

#Allow access to POP3
${fwcmd} add 01500 allow tcp from any to any 110

#Allow access to IDENT
${fwcmd} add 01600 allow tcp from any to any 113
${fwcmd} add 01700 allow udp from any to any 113

#Allow access to IMAP
${fwcmd} add 01800 allow tcp from any to any 143

#Allow access to HTTPS
${fwcmd} add 01900 allow tcp from any to any 443

#Allow access to SUBMISSION
${fwcmd} add 02000 allow udp from any to any 512
${fwcmd} add 02100 allow udp from any to any 520

#Allow access to IRC
${fwcmd} add 02200 allow tcp from any to any 6667
${fwcmd} add 02300 allow tcp from any to any 6668
${fwcmd} add 02400 allow tcp from any to any 6669

#Extended account access
${fwcmd} add 02500 allow all from any to any uid USERNAME
${fwcmd} add 02600 allow icmp from any to any uid USERNAME
${fwcmd} add 02700 allow tcp from any to any uid USERNAME
${fwcmd} add 02800 allow icmp from any to any uid USERNAME

#root access non-restrictive
${fwcmd} add 02900 allow all from any to any uid root
${fwcmd} add 03000 allow icmp from any to any uid root

#lastly we deny everything by default here as well as in the kernel.
${fwcmd} add 03100 deny log all from any to any

;;
esac


Thanks

-Zack


To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message


--
Regards,
D. Penev

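An added example (my own code, not part of Zack's post or of FreeBSD's rc.firewall) that parses ipfw `add` lines of the form used in the script above and reports the two things a reviewer would check in this ruleset: allow rules that open a large range of destination ports without a narrowing option such as established, uid or via, and rules that can never be reached because an earlier terminating rule already matches every packet they would. The sample ruleset embedded in the block is a constructed excerpt of the CUSTOM section above with ${fwcmd} written out as ipfw and ${ip} as 192.168.1.10; the 1024-port threshold is an arbitrary choice of this example, and the checker only reasons about the protocol, addresses, ports and option list it parses, not about interface direction.

```python
"""Lint an ipfw ruleset for blanket allows and unreachable rules (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Options that narrow what a rule matches; an allow carrying one is not a blanket allow.
RESTRICTING = {"established", "setup", "frag", "uid", "gid", "via", "in", "out",
               "recv", "xmit", "keep-state", "tcpflags", "icmptypes"}
# Actions that stop rule processing for a matching packet.
TERMINAL = {"allow", "accept", "pass", "permit", "deny", "drop", "reject", "unreach"}
BROAD_PORTS = 1024  # arbitrary threshold: report allows that open at least this many dst ports
PORTS = r"\d+(?:-\d+)?(?:,\d+(?:-\d+)?)*"
RULE_RE = re.compile(
    r"add\s+(?P<num>\d+)\s+(?P<action>\w+)\s+(?:log\s+)?(?P<proto>[\w-]+)\s+from\s+(?P<src>\S+)"
    rf"(?:\s+(?P<sports>{PORTS}))?\s+to\s+(?P<dst>\S+)(?:\s+(?P<dports>{PORTS}))?(?P<opts>.*)$")


@dataclass
class Rule:
    number: int
    action: str
    proto: str
    src: str
    sports: Optional[str]  # None means any port
    dst: str
    dports: Optional[str]
    options: List[str] = field(default_factory=list)


def parse_rule(line: str) -> Optional[Rule]:
    """Parse 'ipfw add NNNNN action [log] proto from src [ports] to dst [ports] [options]'."""
    m = RULE_RE.search(line)
    if not m:
        return None  # blank line, comment or a non-rule command
    return Rule(int(m["num"]), m["action"], m["proto"], m["src"], m["sports"],
                m["dst"], m["dports"], m["opts"].split())


def port_ranges(spec: Optional[str]) -> List[Tuple[int, int]]:
    """'21' -> [(21, 21)]; '80,1024-49151' -> [(80, 80), (1024, 49151)]; None -> every port."""
    if spec is None:
        return [(0, 65535)]
    return [(int(lo), int(hi or lo)) for lo, _, hi in (p.partition("-") for p in spec.split(","))]


def port_count(spec: Optional[str]) -> int:
    return sum(hi - lo + 1 for lo, hi in port_ranges(spec))


def ports_covered(outer: Optional[str], inner: Optional[str]) -> bool:
    """True if every port range of `inner` lies inside some range of `outer`."""
    outer_ranges = port_ranges(outer)
    return all(any(olo <= lo and hi <= ohi for olo, ohi in outer_ranges)
               for lo, hi in port_ranges(inner))


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet `inner` would match has already been terminated by `outer`."""
    return (outer.action in TERMINAL
            and outer.proto in ("all", "ip", inner.proto)
            and outer.src in ("any", inner.src)
            and outer.dst in ("any", inner.dst)
            and ports_covered(outer.sports, inner.sports)
            and ports_covered(outer.dports, inner.dports)
            and (not outer.options or outer.options == inner.options))


def lint(ruleset: str) -> List[Tuple[int, str, str]]:
    """Return (rule number, finding kind, detail) for each problem, in rule order."""
    rules = [r for r in map(parse_rule, ruleset.splitlines()) if r]
    findings = []
    for idx, rule in enumerate(rules):
        if (rule.action == "allow" and not any(o in RESTRICTING for o in rule.options)
                and port_count(rule.dports) >= BROAD_PORTS):
            findings.append((rule.number, "broad-allow", f"{rule.proto} from {rule.src} to "
                             f"{rule.dst} opens {port_count(rule.dports)} destination ports"))
        for earlier in rules[:idx]:
            if covers(earlier, rule):
                kind = "redundant" if earlier.action == rule.action else "shadowed"
                findings.append((rule.number, kind, f"unreachable: rule {earlier.number:05d} "
                                 "already matches every packet this rule would"))
                break
    return findings


# Constructed excerpt of the CUSTOM ruleset above (${fwcmd} -> ipfw, ${ip} -> 192.168.1.10).
SAMPLE_RULES = """\
ipfw add 00200 allow all from any to any via lo0
ipfw add 00400 allow tcp from any to any 32000-65535
ipfw add 00500 allow udp from any to any 32000-65535
ipfw add 00600 allow tcp from any to any established
ipfw add 01100 allow udp from 192.168.1.10 to any
ipfw add 01200 allow udp from any to 192.168.1.10
ipfw add 02500 allow all from any to any uid USERNAME
ipfw add 02600 allow icmp from any to any uid USERNAME
ipfw add 02700 allow tcp from any to any uid USERNAME
ipfw add 02900 allow all from any to any uid root
ipfw add 03000 allow icmp from any to any uid root
ipfw add 03100 deny log all from any to any
"""

if __name__ == "__main__":
    for number, kind, detail in lint(SAMPLE_RULES):
        print(f"{number:05d} {kind:12s} {detail}")
```

On the sample, rules 00400, 00500, 01100 and 01200 come back as broad allows (33536 and 65536 destination ports respectively), and 02600, 02700 and 03000 as redundant, since 02500 and 02900 already match everything they would. A "shadowed" finding, where an earlier allow covers a later deny, is the case worth treating as a real hole rather than clutter.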



Re: Kerberos is set up - now what?

2002-11-24 Thread Dancho Penev
On Sun, Nov 24, 2002 at 05:48:22AM +0100, Peter Much wrote:

From: Peter Much [EMAIL PROTECTED]
Subject: Re: Kerberos is set up - now what?
To: [EMAIL PROTECTED]
Date: Sun, 24 Nov 2002 05:48:22 +0100 (CET)


Hi all, 

as it seems to me, Kerberos5 is mostly unsupported in FreeBSD.

It's not very correct (it's totally incorrect).
If Kerberos is installed (from the port or the one in the base system) you have
all the services that you want to use. They are not enabled by default,
but that doesn't mean FreeBSD has no support for Kerberos. Scroll
down in inetd.conf and look for the Kerberos services. I have used pam_krb5
and MIT Kerberos for a year without any problems, with a single
login to the workstation and access to other computers via telnet,
rlogin etc. If you can't configure the Kerberos services to work then
ask for help and don't draw conclusions about whether FreeBSD has
support for something.


BTW the Kerberos5 access control file is .k5login(5), not .klogin.


Yes, this is going to be a rant.

If you have appropriate Kerberos support, no rsh, rlogin,
ftp, telnet or whatever else will ever ask you for a password, if
you log in to an account where you are allowed to do so via its
.klogin file.
This means that support for Kerberos5 needs to be built into
the servers and clients for ftp, telnet, rsh, rlogin, etc. It
is not enough to just run a Kerberos5 server (aka KDC) and
make logins Kerberos-aware via PAM.

This was already implemented with FreeBSD 2.2 and kerberos4
at least for rsh and rlogin, but now(*) with Kerberos5, if I 
connect to the kshell port, I just get:
rshd[8654]: usage: rshd [-alnDL]

Furthermore, it is possible to do session encryption based
on the principal, so essentially we could throw ssh etc. and all
that crap completely into the wastebasket, and instead have
a third-party-based authentication scheme with single sign-on
over the whole network and a central (and replicable) server
that can optionally be administered remotely. (Supposing the
crypt stuff inside Kerberos5 is hardened enough for today's
purposes.)

OK, I do not know of any Unix distribution that actually makes use
of these possibilities, but they are there. Well, AIX got fairly
far with 4.3.3: telnet and ftp and all the rsh stuff actually
work without passwords there, and K4 and K5 and standard
logins all work simultaneously. But when I asked support
how to run telnet with session encryption based on my DCE/K5
principal (aka packet-level privacy as documented for DCE
and practically used in DFS), they shrugged and suggested
that I install ssh!


(*) now means FreeBSD 4.4; I didn't get the time to upgrade
   further yet. No doubt the PAM integration has evolved since
   then, but it doesn't look like really substantial progress on
   what I described above.

PMc


--
Regards,
D. Penev

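The per-account access control file that both messages above refer to, as an added example (my own code, not from the thread or from any Kerberos implementation): a model of the decision a kerberized login service makes for an account, following .k5login(5). If the file exists, the authenticated principal must appear, spelled out in full, on one of its lines; if it does not exist, only the principal named after the local user in the default realm is accepted. The ownership requirement (the file must belong to the user or to root) is the one MIT's krb5_kuserok enforces; refusing a group- or world-writable file is an extra hardening choice of this example. The realm EXAMPLE.COM, the account names and the file contents are made up, and the demo assumes a Unix host (it uses os.getuid).

```python
"""Model of the .k5login(5) authorization decision (added example)."""
import os
import stat
import tempfile
from pathlib import Path
from typing import Optional, Tuple

DEFAULT_REALM = "EXAMPLE.COM"  # assumed default realm for this example


def kuserok(principal: str, username: str, home: str,
            uid: Optional[int] = None, default_realm: str = DEFAULT_REALM) -> Tuple[bool, str]:
    """Decide whether `principal` may log in as local account `username`.

    Returns (allowed, reason). `uid` is the account's uid; it defaults to the
    calling process's uid, which is what the demo below needs.
    """
    uid = os.getuid() if uid is None else uid
    path = Path(home) / ".k5login"
    try:
        st = os.stat(path)
    except FileNotFoundError:
        # No .k5login: the only principal mapped to this account is
        # username@DEFAULT_REALM (the default aname_to_localname rule).
        if principal == f"{username}@{default_realm}":
            return True, "no .k5login; principal maps to local user"
        return False, "no .k5login; principal does not map to local user"
    # The file is trusted only if the user or root owns it ...
    if st.st_uid not in (uid, 0):
        return False, ".k5login not owned by user or root"
    # ... and (hardening choice of this example) nobody else can rewrite it.
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False, ".k5login is group- or world-writable"
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            # One full principal per line, compared exactly (no wildcards).
            if line.rstrip("\n") == principal:
                return True, "principal listed in .k5login"
    # An existing .k5login is authoritative: the user's own principal is
    # not accepted unless it is listed.
    return False, "principal not listed in .k5login"


def demo() -> dict:
    """Run the decision against a constructed home directory; returns name -> allowed."""
    results = {}
    with tempfile.TemporaryDirectory() as home:
        me = os.getuid()
        # 1. No .k5login yet: only alice@EXAMPLE.COM gets into alice's account.
        results["no_file_self"] = kuserok("alice@EXAMPLE.COM", "alice", home, me)[0]
        results["no_file_other"] = kuserok("bob@EXAMPLE.COM", "alice", home, me)[0]
        results["no_file_wrong_realm"] = kuserok("alice@OTHER.ORG", "alice", home, me)[0]
        # 2. alice lets bob and her admin instance in via .k5login (constructed contents).
        k5 = Path(home) / ".k5login"
        k5.write_text("bob@EXAMPLE.COM\nadmin/alice@EXAMPLE.COM\n")
        os.chmod(k5, 0o600)
        results["listed"] = kuserok("bob@EXAMPLE.COM", "alice", home, me)[0]
        results["listed_instance"] = kuserok("admin/alice@EXAMPLE.COM", "alice", home, me)[0]
        results["self_not_listed"] = kuserok("alice@EXAMPLE.COM", "alice", home, me)[0]
        # 3. A file anyone can edit is not trusted at all.
        os.chmod(k5, 0o666)
        results["world_writable"] = kuserok("bob@EXAMPLE.COM", "alice", home, me)[0]
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:22s} {'allow' if allowed else 'deny'}")
```

The case worth noticing is "self_not_listed": once a .k5login exists it replaces the default mapping instead of extending it, so an account whose file lists only other people's principals locks its owner out of kerberized logins until their own principal is added.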