Re: FreeBSD:: How to set VLAN priority?

2013-06-26 Thread Fleuriot Damien

On Jun 26, 2013, at 1:55 PM, Alex Liptsin  wrote:

> Hello.
> 
> I work with FreeBSD 9.1 RELEASE.
> I had configured VLANs on my server, but I can't find a way to configure VLAN 
> priority.
> How can I do it?
> 
> Thanks.


???
vlan priority as in… ?

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"


Re: sshd - time out idle connections

2013-05-03 Thread Fleuriot Damien

On May 3, 2013, at 5:16 PM, Arthur Chance  wrote:

> On 05/03/13 15:28, Fleuriot Damien wrote:
>> Hello list,
>> 
>> 
>> 
>> I'm facing this unusual demand at work where we need to time out idle SSH 
>> connections for security purposes.
>> 
>> I've checked the following options from sshd_config but none seems to fit my 
>> needs :
>> TCPKeepAlive
>> ClientAliveCountMax
>> ClientAliveInterval
>> 
>> 
>> Basically, I'm trying to defeat the use of the following client-side option:
>> ServerAliveInterval 5
>> 
>> 
>> I'm afraid all I've hit now is dead ends.
>> 
>> 
>> Has anyone ever had the same requirements before and, perhaps, found a 
>> solution to this ?
> 
> There's an idletime parameter in login.conf which will log out idle users. 
> Normally sshd bypasses login, but the sshd config parameter UseLogin can 
> change that, although it disables X11Forwarding.
> 
> Note: this is all from a quick perusal of the source and manuals, I've not 
> done it myself.
> 
> -- 
> In the dungeons of Mordor, Sauron bred Orcs with LOLcats to create a
> new race of servants. Called Uruk-Oh-Hai in the Black Speech, they
> were cruel and delighted in torturing spelling and grammar.
> 
>   _Lord of the Rings 2.0, the Web Edition_


I've already tried using login.conf 's idle timeout option and was sad indeed 
that it didn't apply to SSH connections.

It never occurred to me that UseLogin might be involved there…

I'll have a look at it as well, thanks for your help Arthur.



Re: sshd - time out idle connections

2013-05-03 Thread Fleuriot Damien
Allow me to add a bit of context here.


We're wrapping things up to obtain the PCI DSS certification which is awarded 
for running through a long and annoying series of hoops.
This certification is rather important to our business so like it or not, we 
have to play along.


Allowing the use of screen defeats the purpose of logging out idle connections, 
I don't think we're going to pass this specific requirement if we let users run 
screen.




On May 3, 2013, at 5:18 PM, "Mikel King"  wrote:

> Firing people for violating the 5 minute rule seems a tad extreme. If there 
> is indeed a company policy regarding the 5 minute idle window you and you 
> intend to roll forward with a connection kill script then also make screen or 
> tmux available. In my experience people tend to be more accepting of 
> connection outages if they can reconnect to where they were when they were 
> last on. 
> 
> Regards,
> Mikel King
> BSD News 
> 
> 
> From: Fleuriot Damien [mailto:m...@my.gd]
> To: FreeBSD questions [mailto:freebsd-questions@freebsd.org]
> Sent: Fri, 03 May 2013 10:28:31 -0400
> Subject: sshd - time out idle connections
> 
> Hello list,
> 
> 
> 
> I'm facing this unusual demand at work where we need to time out idle SSH 
> connections for security purposes.
> 
> I've checked the following options from sshd_config but none seems to fit my 
> needs :
> TCPKeepAlive
> ClientAliveCountMax
> ClientAliveInterval
> 
> 
> Basically, I'm trying to defeat the use of the following client-side option:
> ServerAliveInterval 5
> 
> 
> I'm afraid all I've hit now is dead ends.
> 
> 
> Has anyone ever had the same requirements before and, perhaps, found a 
> solution to this ?
> 



Re: sshd - time out idle connections

2013-05-03 Thread Fleuriot Damien
Thanks for your response Markham,


I'm afraid labor law is much too protective here for us to be able to "educate" 
users in this way ;)

Your idea to run a cron job every X minutes has merit though, I'll try and 
check into that !


On May 3, 2013, at 4:51 PM, markham breitbach  
wrote:

> Depending on the shell you are using, you may be able to set that to 
> auto-logout, or you
> could set a cron job to run every 5 minutes and terminate tty's with > 5min 
> idle time.
> 
> Honestly though, you will rarely find a good technical solution to a social
> problem--there's always a work-around--and this is a social problem.  If 
> there is a
> company security policy stating that ssh sessions are not to be left idling > 
> 5 min, then
> make sure everyone is aware of this policy and start handing out pink slips 
> to people that
> violate it.
> 
> -M
> 
> 
> On 13-05-03 8:28 AM, Fleuriot Damien wrote:
>> Hello list,
>> 
>> 
>> 
>> I'm facing this unusual demand at work where we need to time out idle SSH 
>> connections for security purposes.
>> 
>> I've checked the following options from sshd_config but none seems to fit my 
>> needs :
>> TCPKeepAlive
>> ClientAliveCountMax
>> ClientAliveInterval
>> 
>> 
>> Basically, I'm trying to defeat the use of the following client-side option:
>> ServerAliveInterval 5
>> 
>> 
>> I'm afraid all I've hit now is dead ends.
>> 
>> 
>> Has anyone ever had the same requirements before and, perhaps, found a 
>> solution to this ?
>> 

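The cron-job approach Markham suggests, as an added example that is not part of this thread: a POSIX sh script that reads w(1) output and HUPs every session whose terminal has been idle for at least a given number of minutes. It assumes FreeBSD w(1)'s IDLE column formats ("-", "12", "1:05", "3days") and pkill(1) -t; the sample w output and the user names are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): the "cron job every 5 minutes" idea,
# as a script that reads w(1) output and terminates idle sessions.
# Assumes FreeBSD w(1) IDLE formats and pkill(1) -t.

# Constructed sample of `w -h` output (USER TTY FROM LOGIN@ IDLE WHAT).
SAMPLE_W='damien   pts/0  192.0.2.10       10:28       - w -h
alice    pts/1  192.0.2.25       09:12       7 -sh
bob      pts/2  -                Thu09PM  1:05 -bash
carol    pts/3  192.0.2.30       Mon10AM 3days -csh'

# idle_minutes IDLE: convert the IDLE column to whole minutes.
#   "-"      under a minute
#   "12"     minutes
#   "1:05"   hours:minutes (one hour or more)
#   "3days"  days (36 hours or more)
idle_minutes() {
    case "$1" in
        -)      echo 0 ;;
        *days)  echo $(( ${1%days} * 1440 )) ;;
        *:*)    h=${1%%:*}; m=${1#*:}; m=${m#0}   # strip leading zero: "05" -> 5
                echo $(( h * 60 + m )) ;;
        *)      echo "$1" ;;
    esac
}

# idle_ttys LIMIT < w-output: print the TTY of every session idle >= LIMIT minutes.
idle_ttys() {
    limit=$1
    while read -r _user tty _from _login idle _what; do
        [ -n "$tty" ] || continue
        if [ "$(idle_minutes "$idle")" -ge "$limit" ]; then
            printf '%s\n' "$tty"
        fi
    done
}

# terminate_idle < tty-list: HUP every process on each tty, which is what a
# dropped connection would do. DRY_RUN=1 (the default here) only reports.
terminate_idle() {
    while read -r tty; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "would run: pkill -HUP -t $tty"
        else
            pkill -HUP -t "$tty"
        fi
    done
}

# Deployed from a */5 cron entry this would be:
#   w -h | idle_ttys 5 | DRY_RUN=0 terminate_idle
# Here the constructed sample stands in for `w -h`.
printf '%s\n' "$SAMPLE_W" | idle_ttys 5 | terminate_idle
```

As the thread notes, users who reattach a screen or tmux session simply resume where they left off, so the policy has to cover detached multiplexers separately.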


sshd - time out idle connections

2013-05-03 Thread Fleuriot Damien
Hello list,



I'm facing this unusual demand at work where we need to time out idle SSH 
connections for security purposes.

I've checked the following options from sshd_config but none seems to fit my 
needs :
TCPKeepAlive
ClientAliveCountMax
ClientAliveInterval


Basically, I'm trying to defeat the use of the following client-side option:
ServerAliveInterval 5


I'm afraid all I've hit now is dead ends.


Has anyone ever had the same requirements before and, perhaps, found a solution 
to this ?



Re: /etc/sudoers

2013-03-27 Thread Fleuriot Damien

On Mar 27, 2013, at 4:54 PM, Joe  wrote:

> I have been moving this file forward since about release 5.0.
> Today is tried the do a man sudoers and got no page found.
> The su man page does not reference it.
> 
> Has the file been removed?
> Does it maybe belong to some port?
> Any ideas?
> 
> Thanks


The file is actually /usr/local/etc/sudoers and is tied to 
/usr/ports/security/sudo

Install sudo from there and you automagically get the man page.




Re: I made a mess. libc

2013-02-21 Thread Fleuriot Damien
As per Devin's suggestion, I just set up a RCP server from which you'll be able 
to grab libc.so.7 using /rescue/rcp

I'm gonna need, in private, your IP address so I can add you both to .rhosts 
and firewall rules.


I'm leaving work now so I may not answer again before 2-3 hours.



On Feb 21, 2013, at 6:46 PM, "Teske, Devin"  wrote:

> Can you specify perhaps "/rescue/sh" as the single-user shell?
> 
> That should get you in.
> 
> Then you have to stick to static executables like /rescue/rcp to remotely 
> transfer files.
> 
> Perhaps someone can host a file on a machine that can be reached via 
> /rescue/rcp for you.
> -- 
> Devin
> 
> 
> 
> From: Bernt Hansson [b...@bananmonarki.se]
> Sent: Thursday, February 21, 2013 9:22 AM
> To: Teske, Devin
> Cc: Fleuriot Damien; questions FreeBSD
> Subject: Re: I made a mess. libc
> 
> 2013-02-21 18:01, Teske, Devin skrev:
>> Is it the base machine that won't boot? I got this ...
> 
> That is correct. So no cd burning no nothing...Well it wants to drop in
> to a single shell bla bla bla press enter for /bin/sh
> 
> 
> libexec* libc.so.7: invalid file format
> 
> I do not want to reinstall, have 4 encrypted disks.
> 
> 
>> My latest version of Druid has a very sophisticated "Interactive Disk 
>> Repair" script that will assemble your system "humpty-dumpty style" while 
>> booted from a CD or Thumb drive (you said you couldn't burn a CD, but it 
>> wasn't clear whether you could master a thumb drive).
>> 
>> http://sourceforge.net/projects/druidbsd/files/FreeBSD-8.3_Druid-1.0b60.iso/download
>> 
>> When you run the "Interactive Disk Repair (IDR) Shell" option, it presents 
>> you with a few questions (like, "I've found a saved network interface in 
>> rc.conf(5) -- would you like me to activate it for you?"), and ultimately 
>> mounts your system to present a working shell to fix your problems.
>> 
>> Important: when it asks you if you want to chroot into the mounted 
>> filesystem, say NO (your libc isn't working, so that would be a bad idea) 
>> -- rather, run from the LiveFS environment where /mnt is your mounted 
>> system. There's even a copy of libc in the LiveFS environment that you can 
>> copy over your old one...
>> 
>> cp /cdrom/freebsd/rescue/lib/libc.so.7 /mnt/lib/libc.so.7
>> 
>> (if I recall correctly)
>> 
> 



Re: I made a mess. libc

2013-02-21 Thread Fleuriot Damien

On Feb 21, 2013, at 6:22 PM, Bernt Hansson  wrote:

> 2013-02-21 18:01, Teske, Devin skrev:
>> Is it the base machine that won't boot? I got this ...
> 
> That is correct. So no cd burning no nothing...Well it wants to drop in to a 
> single shell bla bla bla press enter for /bin/sh
> 
> 
> libexec* libc.so.7: invalid file format
> 
> I do not want to reinstall, have 4 encrypted disks.


And you have absolutely no way to boot I don't know, PXE, USB ?
Do you have remote console access, anything ?

I'll tell you what, I'll still scp the file to a www and give you the link, if 
you should find a way to access your file system, you can always copy it over.
http://my.gd/libc.so.7



Re: I made a mess. libc

2013-02-21 Thread Fleuriot Damien

On Feb 21, 2013, at 3:34 PM, Bernt Hansson  wrote:

> Hello list!
> 
> It's me again.
> 
> I was happily upgrading my jail make build* and so on.
> 
> Make installworld failed with some chflag set on libc.so.7
> so I left jail and went to the host and thought I'd fix it from there.
> 
> I did remove the chflag and all was well I thought, but no.
> 
> Copy it to the jail, someone screamed, ok I'll do that
> 
> Well the problem is I copied it to the host amd64 and jail is i386.
> 
> the host locked up hard and after a reboot I get
> 
> libc.so.7 invalid file format. How do I get it back.
> 
> I can not burn a cd with livefs, which should be on memorystick
> anyway.
> 
> Thanks for any help and it's needed.



This is my libc.so.7 from the 19th, for 8-stable amd64, after the patch for the 
security advisory.

root@pf1:/usr/ports/emulators/fuse # ls -l /lib/libc.so.7
-r--r--r--  1 root  wheel  1399225 Feb 19 15:27 /lib/libc.so.7

root@pf1:/usr/ports/emulators/fuse # md5 /lib/libc.so.7
MD5 (/lib/libc.so.7) = 9e4b09aa6dbc731bf56593b736e9fef1

root@pf1:/usr/ports/emulators/fuse # shasum /lib/libc.so.7
19e856f287586f52611aca9a4aa8a4104b65fb4e  /lib/libc.so.7

root@pf1:/usr/ports/emulators/fuse # uname -a
FreeBSD pf1.backbone.dev 8.3-STABLE FreeBSD 8.3-STABLE #6 r247008M: Tue Feb 19 
20:14:57 UTC 2013 r...@pf1.backbone.dev:/usr/obj/usr/src/sys/UNIVERSAL  
amd64


I can host the file over HTTP if you want.



Re: cannot ssh into a box with DHCP assigned IP address

2013-02-20 Thread Fleuriot Damien

On Feb 20, 2013, at 2:55 PM, Anton Shterenlikht  wrote:

>   From feenb...@nber.org Wed Feb 20 13:39:28 2013
> 
>   >   From: Fleuriot Damien 
>   >   To: me...@bristol.ac.uk
>   >   Subject: Re: cannot ssh into a box with DHCP assigned IP address
>   >   Date: Wed, 20 Feb 2013 10:31:22 +0100
>   >   Cc: freebsd-questions@freebsd.org
>   >
>   >   On Feb 20, 2013, at 10:28 AM, Anton Shterenlikht 
>  wrote:
>   >
>   >   > I have a laptop with FreeBSD -current,
>   >   > with ip address assigned via DHCP.
>   >   > The laptop has neither a static ip address,
>   >   > nor a domain.
>   >   >
>   >   > I can ping the laptop fine, but cannot
>   >   > ssh into it. The sshd is running, /etc/ssh/sshd_config
>   >   > seems fine, /etc/hosts.allow is fine.
>   >   > However, /etc/hosts is just the default:
> 
>   While on the problem machine, can you ssh to localhost? ssh to the IP 
>   address?
> 
> yes to both
> 
>   I would suspect the problem is in /etc/hosts.allow
>or /etc/hosts.deny,
> 
> The first non-comment line in /etc/hosts.allow is
> ALL : ALL : allow
> 
> and I don't have /etc/hosts.deny:
> 
> root@zzz:~ # ls /etc/hosts*
> /etc/hosts        /etc/hosts.equiv
> /etc/hosts.allow  /etc/hosts.lpd
> root@zzz:~ #
> 
>   or perhaps the subnet mask is incorrect.
> 
> Well.. what should it be?
> I have on the problem box (ssh server):
> 
> wlan0: flags=8943 metric 0 mtu 1500
>ether 00:21:5c:50:68:c3
>inet 172.21.220.12 netmask 0xfc00 broadcast 255.255.255.255
>nd6 options=29
>media: IEEE 802.11 Wireless Ethernet OFDM/54Mbps mode 11g
>status: associated
>ssid eduroam channel 1 (2412 MHz 11g) bssid 00:3a:98:62:cd:a0
>country US authmode WPA2/802.11i privacy ON deftxkey UNDEF
>AES-CCM 2:128-bit AES-CCM 3:128-bit txpower 14 bmiss 10 scanvalid 450
>bgscan bgscanintvl 300 bgscanidle 250 roam:rssi 7 roam:rate 5
>protmode CTS wme roaming MANUAL
> 
> I'm trying to ssh from 137.222.187.241.
> 
> I wonder, perhaps it somehow built into the
> Eduroam wireless, provided by the University,
> that the devices connected to it cannot be
> accessible. They can only initiate outgoing
> connections, but all incoming connections are
> somehow blocked? Given that the majority of
> the devices will be unsecured MS boxes, maybe
> the university thought that this is wise idea
> for safety. Perhaps I can investigate this
> with my IT guys. 
> 
> Or I might be talking complete nonsense here, not my area at all.
> 
> Thanks
> 
> Anton
> 


Any luck with Daniel's suggestion to try it directly on the problematic host ?

ssh 127.0.0.1
ssh localhost
ssh 172.21.220.12




Re: cannot ssh into a box with DHCP assigned IP address

2013-02-20 Thread Fleuriot Damien
Ok I think you've got a DNS resolution problem here, so when you try to 
establish the connection, SSHD tries to resolve your client's hostname.

It fails and times out, however your ssh login gracetime is already over.

You have several options here:

1/ increase the login grace time in sshd_config
2/ set usedns no (or do both, btw)
3/ fix DNS resolution ;)

I would definitely recommend turning off hostname resolution for sshd, it is of 
marginal value (to me at least).





On Feb 20, 2013, at 11:21 AM, Anton Shterenlikht  wrote:

>   From m...@my.gd Wed Feb 20 10:11:12 2013
> 
>   Run this on your server:
> 
>   tcpdump -ni wlan0 ip and port 22
> 
>   Then try to ssh to the box,
>see if SYN packets arrive,
>see if your box sends SYN/ACK back.
> 
> 172.21.220.12 is the ssh server
> 137.222.187.241 is the ssh client (where I login from)
> 
> There's lots of output on the server:
> 
> 10:13:40.396933 IP 172.21.220.12.20541 > 137.222.187.241.22: Flags [P.], seq 528:576, ack 897, win 1040, options [nop,nop,TS val 166697722 ecr 2764601194], length 48
> 10:13:40.400142 IP 137.222.187.241.22 > 172.21.220.12.20541: Flags [P.], seq 897:945, ack 576, win 1040, options [nop,nop,TS val 2764601829 ecr 166697722], length 48
> 10:13:40.499768 IP 172.21.220.12.20541 > 137.222.187.241.22: Flags [.], ack 945, win 1040, options [nop,nop,TS val 166697825 ecr 2764601829], length 0
> 10:13:41.126804 IP 172.21.220.12.20541 > 137.222.187.241.22: Flags [P.], seq 576:624, ack 945, win 1040, options [nop,nop,TS val 166698452 ecr 2764601829], length 48
> 10:13:41.129465 IP 137.222.187.241.22 > 172.21.220.12.20541: Flags [P.], seq 945:993, ack 624, win 1040, options [nop,nop,TS val 2764602558 ecr 166698452], length 48
> 10:13:41.229792 IP 172.21.220.12.20541 > 137.222.187.241.22: Flags [.], ack 993, win 1040, options [nop,nop,TS val 166698555 ecr 2764602558], length 0
> 10:14:06.042148 IP 137.222.187.241.22 > 172.21.220.12.46009: Flags [P.], seq 691166491:691166555, ack 2147595671, win 1040, options [nop,nop,TS val 2121228740 ecr 166423364], length 64
> 10:14:06.043854 IP 172.21.220.12.46009 > 137.222.187.241.22: Flags [P.], seq 1:33, ack 64, win 1040, options [nop,nop,TS val 166723368 ecr 2121228740], length 32
> 10:14:06.144924 IP 137.222.187.241.22 > 172.21.220.12.46009: Flags [.], ack 33, win 1040, options [nop,nop,TS val 2121228843 ecr 166723368], length 0
> 
> 10:15:02.017361 IP 137.222.187.241.22 > 172.21.220.12.46009: Flags [P.], seq 15904:16240, ack 7169, win 1040, options [nop,nop,TS val 2121284715 ecr 166779337], length 336
> 10:15:02.017969 IP 137.222.187.241.22 > 172.21.220.12.46009: Flags [P.], seq 16240:16576, ack 7169, win 1040, options [nop,nop,TS val 2121284716 ecr 166779337], length 336
> 10:15:02.018079 IP 172.21.220.12.46009 > 137.222.187.241.22: Flags [.], ack 16576, win 1035, options [nop,nop,TS val 166779343 ecr 2121284715], length 0
> 10:15:02.018319 IP 137.222.187.241.22 > 172.21.220.12.46009: Flags [P.], seq 16576:16896, ack 7169, win 1040, options [nop,nop,TS val 2121284716 ecr 166779337], length 320
> 10:15:02.018510 IP 137.222.187.241.22 > 172.21.220.12.46009: Flags [P.], seq 16896:17232, ack 7169, win 1040, options [nop,nop,TS val 2121284716 ecr 166779337], length 336
> 10:15:02.018626 IP 172.21.220.12.46009 > 137.222.187.241.22: Flags [.], ack 17232, win 1030, options [nop,nop,TS val 166779344 ecr 2121284716], length 0
> 10:15:02.019583 IP 137.222.187.241.22 > 172.21.220.12.46009: Flags [P.], seq 17232:17568, ack 7169, win 1040, options [nop,nop,TS val 2121284716 ecr 166779337], length 336
> 10:15:02.019840 IP 137.222.187.241.22 > 172.21.220.12.46009: Flags [P.], seq 17568:17840, ack 7169, win 1040, options [nop,nop,TS val 2121284717 ecr 166779337], length 272
> 10:15:02.019927 IP 172.21.220.12.46009 > 137.222.187.241.22: Flags [.], ack 17840, win 1036, options [nop,nop,TS val 166779345 ecr 2121284716], length 0
> 
> Thanks
> 
> Anton



Re: cannot ssh into a box with DHCP assigned IP address

2013-02-20 Thread Fleuriot Damien

On Feb 20, 2013, at 10:45 AM, Anton Shterenlikht  wrote:

>   From: Fleuriot Damien 
>   To: me...@bristol.ac.uk
>   Subject: Re: cannot ssh into a box with DHCP assigned IP address
>   Date: Wed, 20 Feb 2013 10:31:22 +0100
>   Cc: freebsd-questions@freebsd.org
> 
>   On Feb 20, 2013, at 10:28 AM, Anton Shterenlikht  
> wrote:
> 
>   > I have a laptop with FreeBSD -current,
>   > with ip address assigned via DHCP.
>   > The laptop has neither a static ip address,
>   > nor a domain.
>   > 
>   > I can ping the laptop fine, but cannot
>   > ssh into it. The sshd is running, /etc/ssh/sshd_config
>   > seems fine, /etc/hosts.allow is fine.
>   > However, /etc/hosts is just the default:
>   > 
>   > #
>   > ::1 localhost localhost.my.domain
>   > 127.0.0.1   localhost localhost.my.domain
>   > #
>   > 
>   > Is it the lack of a domain that prevents
>   > me from getting ssh access?
>   > I try to ssh with just a dynamic ip address,
>   > for which ping seems to work fine.
>   > Or is the problem somewhere else?
>   > 
>   > I'm not even sure I'm asking the right
>   > questions.
>   > 
>   > Thanks
>   > 
>   > Anton
> 
> 
>   First, check what ports SSH listens on:
>   sockstat | grep ssh
> 
> root@zzz:~ # sockstat | grep ssh
> mexas    ssh        16193 3  tcp4   172.21.220.12:20541   137.222.187.241:22
> root     sshd       1091  3  tcp6   *:22                  *:*
> root     sshd       1091  4  tcp4   *:22                  *:*
> root@zzz:~ #
> 
> I also see:
> 
> /var/log/auth.log:Feb 18 11:54:25 zzz sshd[1091]: Server listening on :: port 22.
> /var/log/auth.log:Feb 18 11:54:25 zzz sshd[1091]: Server listening on 0.0.0.0 port 22.
> 
> Is 0.0.0.0 expected?
> 

0.0.0.0 = * = all IPs / interfaces



> Anything else I should check in the logs?
> 

Not that I'm aware of



> 
>   Then, assuming SSH indeed listens on *:22 ,
>check if you have a firewall running that
>could be preventing packets from reaching your box.
> 
> I don't think so.
> There's nothing in the kernel config
> 
>   By the way, do you get a login prompt at all,
>over SSH, or just a plain timeout or connection reset ?
> 
> Just a timeout:
> 
> root@zzz:~ # ifconfig wlan0
> wlan0: flags=8843 metric 0 mtu 1500
>ether 00:21:5c:50:68:c3
>inet 172.21.220.12 netmask 0xfc00 broadcast 255.255.255.255
>nd6 options=29
>media: IEEE 802.11 Wireless Ethernet OFDM/54Mbps mode 11g
>status: associated
>ssid eduroam channel 1 (2412 MHz 11g) bssid 00:3a:98:62:cd:a0
>country US authmode WPA2/802.11i privacy ON deftxkey UNDEF
>AES-CCM 2:128-bit AES-CCM 3:128-bit txpower 14 bmiss 10 scanvalid 450
>bgscan bgscanintvl 300 bgscanidle 250 roam:rssi 7 roam:rate 5
>protmode CTS wme roaming MANUAL
> root@zzz:~ #
> 
> TZAV> ping 172.21.220.12
> PING 172.21.220.12 (172.21.220.12): 56 data bytes
> 64 bytes from 172.21.220.12: icmp_seq=0 ttl=60 time=2.056 ms
> 64 bytes from 172.21.220.12: icmp_seq=1 ttl=60 time=1.766 ms
> ^C
> 
> TZAV> ssh 172.21.220.12
> ssh: connect to host 172.21.220.12 port 22: Operation timed out
> TZAV>
> 
> Thanks
> 
> Anton
> 



Run this on your server:

tcpdump -ni wlan0 ip and port 22



Then try to ssh to the box, see if SYN packets arrive, see if your box sends 
SYN/ACK back.

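The check described above (do SYNs for port 22 arrive, and does the box send SYN/ACK back), as an added example that is not from the thread: a sh/awk summary over the default `tcpdump -n` line format. The capture is constructed; it reuses the two addresses from the thread, but the packets themselves are made up.

```shell
#!/bin/sh
# Added example (not from the thread): summarise a capture taken with
#   tcpdump -ni wlan0 ip and port 22
# and answer the two questions asked: did SYNs for port 22 reach the host,
# and did the host answer them with SYN/ACK?
# Expects tcpdump's default -n line format:
#   <time> IP <src>.<sport> > <dst>.<dport>: Flags [<f>], ...

# Constructed sample capture. 137.222.187.241 completes a handshake,
# 198.51.100.7 retransmits a SYN that is never answered, and the last line is
# the host's own outgoing ssh client session, which 'port 22' also matches.
SAMPLE_CAPTURE='10:20:01.000100 IP 137.222.187.241.51000 > 172.21.220.12.22: Flags [S], seq 1000, win 65535, length 0
10:20:01.000300 IP 172.21.220.12.22 > 137.222.187.241.51000: Flags [S.], seq 2000, ack 1001, win 65535, length 0
10:20:01.002000 IP 137.222.187.241.51000 > 172.21.220.12.22: Flags [.], ack 1, win 1040, length 0
10:20:05.000100 IP 198.51.100.7.40001 > 172.21.220.12.22: Flags [S], seq 3000, win 65535, length 0
10:20:08.000100 IP 198.51.100.7.40001 > 172.21.220.12.22: Flags [S], seq 3000, win 65535, length 0
10:20:09.000100 IP 172.21.220.12.20541 > 137.222.187.241.22: Flags [P.], seq 528:576, ack 897, win 1040, length 48'

# handshake_summary SERVER_IP PORT < capture
# Prints one line per client: "<client> SYN=<n> SYNACK=<m>", sorted.
#   SYN>0, SYNACK>0 : packets arrive and the host answers; look past the network
#   SYN>0, SYNACK=0 : packets arrive but nothing answers (host firewall,
#                     sshd not bound to that address)
#   no line at all  : the SYNs never reached this interface
handshake_summary() {
    awk -v srv="$1" -v port="$2" '
        $2 == "IP" {
            src = $3; dst = $5; sub(/:$/, "", dst)
            flags = $7; gsub(/\[|\]|,/, "", flags)
            # "a.b.c.d.port" -> address and port
            n = split(src, s, "."); sport = s[n]; saddr = s[1] "." s[2] "." s[3] "." s[4]
            n = split(dst, d, "."); dport = d[n]; daddr = d[1] "." d[2] "." d[3] "." d[4]
            if (daddr == srv && dport == port && flags == "S")  syn[saddr]++
            if (saddr == srv && sport == port && flags == "S.") synack[daddr]++
        }
        END {
            for (c in syn) printf "%s SYN=%d SYNACK=%d\n", c, syn[c], synack[c] + 0
        }' | sort
}

# On a real host: tcpdump -nli wlan0 ip and port 22 > cap.txt; handshake_summary <ip> 22 < cap.txt
printf '%s\n' "$SAMPLE_CAPTURE" | handshake_summary 172.21.220.12 22
```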


Re: cannot ssh into a box with DHCP assigned IP address

2013-02-20 Thread Fleuriot Damien

On Feb 20, 2013, at 10:28 AM, Anton Shterenlikht  wrote:

> I have a laptop with FreeBSD -current,
> with ip address assigned via DHCP.
> The laptop has neither a static ip address,
> nor a domain.
> 
> I can ping the laptop fine, but cannot
> ssh into it. The sshd is running, /etc/ssh/sshd_config
> seems fine, /etc/hosts.allow is fine.
> However, /etc/hosts is just the default:
> 
> #
> ::1 localhost localhost.my.domain
> 127.0.0.1   localhost localhost.my.domain
> #
> 
> Is it the lack of a domain that prevents
> me from getting ssh access?
> I try to ssh with just a dynamic ip address,
> for which ping seems to work fine.
> Or is the problem somewhere else?
> 
> I'm not even sure I'm asking the right
> questions.
> 
> Thanks
> 
> Anton


First, check what ports SSH listens on:
sockstat | grep ssh


Then, assuming SSH indeed listens on *:22 , check if you have a firewall 
running that could be preventing packets from reaching your box.

By the way, do you get a login prompt at all, over SSH, or just a plain timeout 
or connection reset ?



Re: ZFS + iSCSI architecture

2013-02-19 Thread Fleuriot Damien

On Feb 19, 2013, at 11:20 PM, "b...@todoo.biz"  wrote:

> Hello,
> 
> 
> I am about to start deploying a large system (about 18 To which can grow up 
> to 36 To) based on a big Intel platform with lots of fancy features to have 
> turbo boosted platform (ZIL on SSD + system on dongle if I go for FreeNAS). 
> Since I want to move on quite fast I might decide to use FreeNAS in its 
> latest version. 
> 
> 
> The idea behind all that was to grant 5 or six critical servers access to the 
> NAS so that they can take advantage of : 
> 
> 1. space available on the NAS
> 
> 2. ability of the NAS to use ZFS and of clients to support this file system 
> (including snapshots) 
> 
> 3. Access the server using iSCSI (at least this is what I initially planned). 
> 
> 4. Mount part of their filesystem using data stored on the SAN (like 
> /usr/local/ or other parts of the system). 
> 
> 
> 
> The server accessing the data will be of two types : 
> 
> 1. 2 x Ubuntu server 10.04 LTS 
> 
> 2. 4 x FreeBSD (mainly 8 and 9) with jail configured 
> 
> 
> I have started reading about iSCSI and potential problems with FreeBSD. 
> 

What problems do you mean ?



> So my main questions would be : 
> 
> 
> • Should I go for iSCSI ? 
> 

Well in all use cases, iscsi should perform faster than NFS.



> • Should I rather choose / prefer NFS ? 
> 
> • Should I export a Volume as UFS rather than ZFS (is ZFS supported as a 
> target) ?
> 

I'm not sure what you mean here, when you export a zvol over ISCSI:
- your SAN is the target and presents a block device (the zvol)
- your client is the initiator
- your client attaches to the ISCSI drive and formats it using filesystem XYZ, 
be it ext3, ufs or ntfs




> 
> The main idea is stability, redundancy of data and ease of maintenance (in a 
> headless FreeBSD / Linux world) before anything else ! 
> 

ISCSI is a bit harder to setup IMO, however I think it's more reliable than 
NFS, what with its auto retries if it loses the network link to a device.



> 
> 
> That's the big pictures, if you have any pointers, advise, they are all 
> welcome. 
> 
> 
> It is quite late where I live, so I will reply to posts in 8 to 10 hours, 
> but I hope to have enough answer(s) to start an interesting thread (as I 
> think this question is very interesting and not so clearly explained (at 
> least in my mind))… 
> 

This is idd a very interesting topic and I hope to see more :)



> 
> Thx very much for your infos and feedback. 




Re: Ports & Packages [Stable] in sync

2013-02-19 Thread Fleuriot Damien

On Feb 17, 2013, at 3:44 PM, Jeff Tipton  wrote:

> On 02/17/2013 13:13, Damien Fleuriot wrote:
>> On 16 Feb 2013, at 16:56, Jeff Tipton  wrote:
>> 
>>> Hi,
>>> 
>>> I upgraded 9.0 -> 9.1 on my netbook and only then found out that there are 
>>> no packages for 9.1-RELEASE. On my desktops, I keep ports and packages at 
>>> the RELEASE versions, so I only have to compile when I need non-default 
>>> options or when there are no packages. Would it be possible to get the 
>>> ports snapshot that was used to compile the 9-STABLE packages? I think I 
>>> could use subversion but then I need to know the revision number of that 
>>> snapshot. What do you suggest?
>>> 
>>> Thanks,
>>> Jeff
>>> 
>> Hi Jeff,
>> 
>> I think you might be confused here.
>> 
>> It is my understanding that there are ports for:
>> - HEAD
>> - x.y-RELEASE
>> 
>> I don't think you're going to be able to get a snapshot from 9-STABLE, 
>> because -STABLE is a continuing work.
>> 
>> What version do you consider to be 9-STABLE ?
>> Every time there's a new commit you get a "new" 9-STABLE.
> Thank you, Damien, for the reply. AFAIK, STABLE gets updated every 2 weeks 
> but not every day, and it seems to be that because of the intrusion, it has 
> not been updated for long. The versions of the ports that come with the 
> 9.1-RELEASE are even slightly newer than those of 9-STABLE packages. I think 
> if I don't get the revision number from which the 9-STABLE was updated last 
> time I'll use the ports tree that comes with 9.1-RELEASE. I hope it won't 
> cause much version incompatibilities.


I'm not sure where you're getting your 9-STABLE ports from, Jeff.

In the SVN repository I only see release tags and HEAD:
http://svn.freebsd.org/ports/

I also second Gilbert's advice about using HEAD for your ports tree, we do this 
here in production with over 50 boxes and have had no problems so far.


If you still want to use the branch from 9.1-RELEASE, it's here:
svn://svn.freebsd.org/ports/tags/RELEASE_9_1_0/

Note that, unless I'm wrong, you will not be getting *ANY* update to the ports 
tree then, it's frozen.
This means no security updates and all, AFAICT.



vmstat -w not honored

2013-02-13 Thread Fleuriot Damien
Hello list,


I'm running 8.3-STABLE and apparently, vmstat won't honor both -i (interrupts) 
and -w (repeat display every wait delay seconds) flags at the same time.
The problem also arises with -z.

The manual doesn't mention these flags being incompatible with -w.



Anyone knows if this is intended behavior ?

I wanna make sure before filing a PR, either to get this fixed or the man 
pages adjusted.



Re: setting MIBs on a per jail bases

2013-02-06 Thread Fleuriot Damien

On Feb 6, 2013, at 5:57 PM, Fbsd8  wrote:

> Fleuriot Damien wrote:
>> Running 8.3 here and the answer is no.
>> On Feb 6, 2013, at 5:39 PM, Fbsd8  wrote:
>>> Is there a way to set these MIBs
>>> on a per jail bases?
>>> 
>>> allow.mount.nullfs
>>> allow.raw_sockets
>>> cpuset.id
>>> securelevel
> 
> Rereading the "man jail" for 9.1 talks about securelevel as a jail 
> parameter. So correct me if I am wrong. All the security.jail.param.* MIBs 
> are set in rc.conf or /etc/jail.conf file on a per jail basis by
> changing the word "parm" to the jailname?
> 

I'm afraid I wouldn't know, I don't have a single 9.x box here.

Does the man mention the secure level as a PER JAIL parameter, or as a 
systemwide parameter applied only to jails?



Re: setting MIBs on a per jail bases

2013-02-06 Thread Fleuriot Damien
Running 8.3 here and the answer is no.


On Feb 6, 2013, at 5:39 PM, Fbsd8  wrote:

> Is there a way to set these MIBs
> on a per jail bases?
> 
> allow.mount.nullfs
> allow.raw_sockets
> cpuset.id
> securelevel



Re: sysctl security.jail.* descriptions

2013-02-06 Thread Fleuriot Damien
# sysctl -d security.jail.socket_unixiproute_only
security.jail.socket_unixiproute_only: Processes in jail are limited to 
creating UNIX/IP/route sockets only



On Feb 6, 2013, at 4:02 PM, Fbsd8  wrote:

> Where do I find the descriptions of what these jail MIBs do?
> 
> 
> security.jail.param.allow.mount.zfs: 0
> security.jail.param.allow.mount.procfs: 0
> security.jail.param.allow.mount.nullfs: 0
> security.jail.param.allow.mount.devfs: 0
> security.jail.param.allow.mount.: 0
> security.jail.param.allow.socket_af: 0
> security.jail.param.allow.quotas: 0
> security.jail.param.allow.chflags: 0
> security.jail.param.allow.raw_sockets: 0
> security.jail.param.allow.sysvipc: 0
> security.jail.param.allow.set_hostname: 0
> security.jail.param.ip6.saddrsel: 0
> security.jail.param.ip6.: 0
> security.jail.param.ip4.saddrsel: 0
> security.jail.param.ip4.: 0
> security.jail.param.cpuset.id: 0
> security.jail.param.host.hostid: 0
> security.jail.param.host.hostuuid: 64
> security.jail.param.host.domainname: 256
> security.jail.param.host.hostname: 256
> security.jail.param.host.: 0
> security.jail.param.children.max: 0
> security.jail.param.children.cur: 0
> security.jail.param.dying: 0
> security.jail.param.persist: 0
> security.jail.param.devfs_ruleset: 0
> security.jail.param.enforce_statfs: 0
> security.jail.param.securelevel: 0
> security.jail.param.path: 1024
> security.jail.param.name: 256
> security.jail.param.parent: 0
> security.jail.param.jid: 0
> security.jail.devfs_ruleset: 0
> security.jail.enforce_statfs: 2
> security.jail.mount_zfs_allowed: 0
> security.jail.mount_procfs_allowed: 0
> security.jail.mount_nullfs_allowed: 0
> security.jail.mount_devfs_allowed: 0
> security.jail.mount_allowed: 0
> security.jail.chflags_allowed: 0
> security.jail.allow_raw_sockets: 0
> security.jail.sysvipc_allowed: 0
> security.jail.socket_unixiproute_only: 1
> security.jail.set_hostname_allowed: 1
> security.jail.jail_max_af_ips: 255
> security.jail.jailed: 0
> 
> 



Re: VirtualBox 4.1.22 and Bridged Network problems

2013-02-06 Thread Fleuriot Damien
This was brought up a few weeks/months ago and I seem to recall that setting 
the interface in *promiscuous* mode (monitoring) in the Host configuration 
(read, in your hypervisor) was mandatory.

See if that helps.


On Feb 6, 2013, at 3:03 PM, CeDeROM  wrote:

> Hello :-)
> 
> I cannot get Bridged Network setup in VBox 4.1.22 on my 9.1RC3 AMD64 -
> I get no traffic to the host interface at all. Did anyone notice this
> or related problems?
> 
> I have tried to watch the host interface with WireShark. I have
> disabled local firewall. I have set net.inet.ip.forwarding=1. Still
> can't get the bridged connection working :-(
> 
> Any hints appreciated :-)
> Tomek
> 
> -- 
> CeDeROM, SQ7MHZ, http://www.tomek.cedro.info



make release doesn't correctly include EXTLOCALDIR ?

2013-01-11 Thread Fleuriot Damien
Hello list,


I'm running 8.3-stable r245223 from a mere 2 days ago and am in the process of 
building a custom release for our internal use as preconfigured firewalls.

"make release" works pretty well except for a few quirks here and there.



First of all, I have set EXTLOCALDIR so that the release contains my existing 
/usr/local/ , and thus the collection of installed ports.

The problem here is that while /release/usr/local/ is correctly populated, the 
ISO images and ftp install directory have an empty usr/local/
Extracting the ISO's base.?? files doesn't yield the /usr/local/ contents 
either.




The second problem I encounter is with the kernel's build.
Apparently "make release" doesn't pull MODULES_OVERRIDE from /etc/make.conf and 
decides to build every single module, as opposed to my own restricted list.

I'm going to try with KERNEL_FLAGS=-DMODULES_OVERRIDE module1 module2 in 
/usr/src/release/Makefile



Has anyone else ever experienced the same problem regarding the inclusion of 
/usr/local/ in their release ?



Re: make install package?

2013-01-11 Thread Fleuriot Damien

On Jan 10, 2013, at 10:21 PM, Fbsd8  wrote:

> Gökşin Akdeniz wrote:
>> Thu, 10 Jan 2013 14:04:59 -0500 tarihinde
>> Fbsd8  yazmış:
>>> What is the default path for the packages to be stored in?
>>> Is it /usr/packages?
>>> 
>> It is "/usr/ports/packages/All".
>>> If that is indeed the default location, how do I get the
>>> "make install package" command put it there automatically?
>>> 
>> All packages will be stored
>> in /usr/ports/packages/All/relevant/sub/directory. There is no need
>> for any any configuration or files. "# make package" is the proper
>> command for building packages which are/is installed via ports.
> 
> Is the upcoming pkgng going to have any effect on this?


Funny you should ask, I was toying with that just yesterday, as a matter of 
fact.


Works well with pkgng, it lets me create static packages of already installed 
ports:
# pkg create -nao /usr/ports/packages/All


Then creating the repo.txz file for use by clients is rather easy:
# pkg repo -qf /usr/ports/packages


And then, on your client host:
# /usr/local/etc/pkg.conf
PACKAGESITE : http://195.158.241.101



# pkg stats
Local package database:
Installed packages: 158
Disk space occupied: 797 MB

Remote package database(s):
Number of repositories: 1
Packages available: 182
Unique packages: 182
Total size of packages: 648 MB


Re: Is csup still working?

2013-01-10 Thread Fleuriot Damien

On Jan 10, 2013, at 12:38 PM, Mario Lobo  wrote:

> Hi;
> 
> I have 8-STABLE and I just did,
> 
> csup -L 2 src-supfile
> 
> with
> 
> *default host=cvsup.FreeBSD.org
> *default release=cvs tag=RELENG_8
> 
> and it finished with:
> 
> Edit src/usr.sbin/zzz/zzz.sh
>  Add delta 1.2.32.2 2012.11.17.10.37.28 svnexp
> Shutting down connection to server
> Finished successfully
> 
> Can I trust this update to be correct, with the latest sources?
> 
> Thanks,
> 
> -- 
> Mario Lobo
> http://www.mallavoodoo.com.br
> FreeBSD since 2.2.8 [not Pro-Audio YET!!] (99% winblows FREE)


Regarding the source tree, I've not found the notice for CVSup's retirement.

Regarding the ports tree, this is from Beat Gaetzi on 07/09/2012 dd/mm/ :

> For those reasons by February 28th 2013 the FreeBSD ports tree will
> no longer be exported to CVS. Therefore ports tree updates via CVS
> or CVSup will no longer available after that date.



Re: Which ports tree through svn?

2013-01-09 Thread Fleuriot Damien

On Jan 9, 2013, at 3:41 PM, Andrei Brezan  wrote:

> Hello list,
> 
> I'm using:
> FreeBSD myhost.mydomain.com 9.0-RELEASE-p3 FreeBSD 9.0-RELEASE-p3 #0: Tue Jun 
> 12 02:52:29 UTC 2012 
> r...@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64
> 
> I want/need to use svn for my ports tree mainly because I need to downgrade 
> ports. There is portdowngrade in the ports tree but that relies on cvs which 
> is no longer available. The only way that I'm able to do this now is with svn 
> log and svn up -r to the revision needed so I get the version that I need in 
> the port.
> 
> My problem is what do I need to checkout in the first place for 9.0-RELEASE?
> svn co svn://svn.freebsd.org/ports/head /usr/ports or svn co 
> snv://svn.freebsd.org/tags/RELEASE_9_0_0 /usr/ports?
> 
> The first one seems to be up to date but the latter has for eg apache version 
> 2.2.21 from 2011; I presume from the portfreeze before 9 was released.
> 
> Maybe there are any means to downgrade ports while using portsnap that I'm 
> not aware of.
> 
> Thank you,
> Andrei


http://svn.freebsd.org/ports/tags/RELEASE_9_0_0/


Note that, unless I'm mistaken, this branch is frozen so you won't be getting 
any update.



Re: how to change from STABLE to RELEASE?

2013-01-09 Thread Fleuriot Damien

On Jan 9, 2013, at 3:56 PM, Warren Block  wrote:

> On Tue, 8 Jan 2013, Antonio Olivares wrote:
> 
>> Dear folks,
>> 
>> I am happily running FreeBSD 9.0-STABLE on one of my machines, but I
>> want to move to FreeBSD-RELEASE and use
>> # freebsd-update upgrade -r 9.1-RELEASE
>> but it does not find a valid repository.  How can I solve this issue
>> to move to newer RELEASE and avoid staying on STABLE because I will
>> have to compile/build world and it takes a good while to build and
>> then may have to rebuild all the ports.
> 
> As long as you stay on 9-STABLE, it is not necessary to rebuild all ports.  
> Actually, that is what the "stable" part means, a stable ABI:
> 
> http://www.wonkity.com/~wblock/docs/html/stable.html


Interesting article, Warren.

If I may say, you may want, on occasion, to update the section about csup.



I'm going to take the opportunity to favorite your post, which I had read 
previously, regarding the simplification of kernel config files.
http://www.wonkity.com/~wblock/docs/html/kernelconfig.html



Re: how to change from STABLE to RELEASE?

2013-01-09 Thread Fleuriot Damien

On Jan 9, 2013, at 2:26 PM, Antonio Olivares  wrote:

>>> Give this a try
>>> 
>>> setenv UNAME_r "9.0-RELEASE"
>>> freebsd-update fetch update
>>> freebsd-update upgrade -r 9.1-RELEASE
>> 
>> Thank you very much!  It seems to be working:
>> 
>> $ su -
>> Password:
>> %seten UNAME_r "9.0-RELEASE"
>> seten: Command not found.
>> %setenv UNAME_r "9.0-RELEASE"
>> %freebsd-update fetch update
>> usage: freebsd-update [options] command ... [path]
>> 
>> Options:
>>  -b basedir   -- Operate on a system mounted at basedir
>>  (default: /)
>>  -d workdir   -- Store working files in workdir
>>  (default: /var/db/freebsd-update/)
>>  -f conffile  -- Read configuration options from conffile
>>  (default: /etc/freebsd-update.conf)
>>  -k KEY   -- Trust an RSA key with SHA256 hash of KEY
>>  -r release   -- Target for upgrade (e.g., 6.2-RELEASE)
>>  -s server-- Server from which to fetch updates
>>  (default: update.FreeBSD.org)
>>  -t address   -- Mail output of cron command, if any, to address
>>  (default: root)
>> Commands:
>>  fetch-- Fetch updates from server
>>  cron -- Sleep rand(3600) seconds, fetch updates, and send an
>>  email if updates were found
>>  upgrade  -- Fetch upgrades to FreeBSD version specified via -r option
>>  install  -- Install downloaded updates or upgrades
>>  rollback -- Uninstall most recently installed updates
>>  IDS  -- Compare the system against an index of "known good" files.
>> %freebsd-update fetch
>> Looking up update.FreeBSD.org mirrors... 3 mirrors found.
>> Fetching public key from update5.freebsd.org... done.
>> Fetching metadata signature for 9.0-RELEASE from update5.freebsd.org... done.
>> Fetching metadata index... done.
>> Fetching 2 metadata files... done.
>> Inspecting system... done.
>> Preparing to download files...
>> 
>> Will get back to see if it went through all the way!
>> 
>> Best Regards,
>> 
>> 
>> Antonio
> 
> Dear folks,
> 
> Everything almost worked.  Now I get some errors.
> /etc/defaults/rc.conf:  18:  Syntax error:  redirection unexpected
> Enter full pathname of shell or RETURN for /bin/sh:
> 
> I try to edit the file, but I cannot see it I get a readonly file
> system.  There were some mistakes that I could not correct some lines
> like << and then === were present in the file, but vi could
> not allow me to remove them I got error and I wanted to :wq! quickly
> and now I cannot boot.  How can I get into the computer with
> read/write permission to fix this one and a /boot/device.hints error
> that is present here?
> 
> Thanks for any pointers and help/advice.
> 
> Regards,
> 
> 
> Antonio
> 
> ===
> 
> When I reboot I get:
> 
> Enter full pathname of shell or RETURN for /bin/sh:
> I press enter and try:
> 
> # mount -a
> mount:  not found
> # mount -urw /
> mount:  not found
> #
> 
> I try
> # /rescue/vi /etc/defaults/rc.conf
> which is the one that is borked, to fix it and remove the "" that
> present in there, I get
> 
> ex/vi:  Error:  /var/tmp/vi.recover:  Read-only file sytem
> ex/vi:  Modifications not recoverable if the session fails
> ex/vi:  Error:  /etc/defaults/rc.conf:  Read-only file sytem
> ex/vi:  Error:  Unable to create temporary file:  Read-only file system
> 
> I can boot the livedvd for FreeBSD 9.1 or 8.2/8.3 series as I have
> them available.  There used to be the fixit command and I could use
> it.  I try the advice in System Administration chapter of handbook,
> but it does not work here :(
> 
> boot -s
> mount -a
> mount -urw /
> 
> as found in:
> 
> http://www.freebsd.org/doc/faq/admin.html#rcconf-readonly
> 
> 
> Words of advice and suggestions are greatly appreciated and would get
> me to fix the mess that I started by myself :(
> 
> Regards,




mount -o rw /


Alternatively boot a livefs CD (or Martin Matuska's mfsbsd) and mount your / 
partition from there, read-write.




Re: problem to compile lang/gcc

2013-01-07 Thread Fleuriot Damien

On Jan 7, 2013, at 2:15 PM, Xavier  wrote:

> Hi to all,
> 
> I tried to compile the lang/gcc port but it stopped, asking for a 'File to patch':
> 
> root@casa:/usr/ports/lang/gcc # make
> Making GCC 4.6.3 for i386-portbld-freebsd9.1 [c,c++,objc,fortran,java]
> ===>  Found saved configuration for gcc-4.6.3
> ===>  Extracting for gcc-4.6.3
> => SHA256 Checksum OK for gcc-4.6.3.tar.bz2.
> => SHA256 Checksum OK for ecj-4.5.jar.
> ===>   gcc-4.6.3 depends on file: /usr/local/bin/perl5.14.2 - found
> ===>  Patching for gcc-4.6.3
> ===>   gcc-4.6.3 depends on file: /usr/local/bin/perl5.14.2 - found
> ===>  Applying extra patch /usr/ports/lang/gcc/files/java-patch-hier
> File to patch:
> No file found--skip this patch? [n]
> File to patch:
> No file found--skip this patch? [n] y
> 1 out of 1 hunks ignored--saving rejects to libjava/Makefile.in.rej
> Can't create libjava/Makefile.in.rej, output is in /tmp//patchr1fhKR5: No 
> such f
> ile or directory
> *** [do-patch] Error code 1
> 
> Stop in /usr/ports/lang/gcc.
> *** [build] Error code 1
> 
> Stop in /usr/ports/lang/gcc.
> root@casa:/usr/ports/lang/gcc #
> 
> In this case, what should I do to continue?
> 
> Thanks.


First of all, ensure that your ports tree is up to date.



Re: uname -r output values?

2012-12-21 Thread Fleuriot Damien
mybsd dam  ~
$ uname -r
8.2-STABLE



On Dec 21, 2012, at 2:36 PM, Fbsd8  wrote:

> When issuing the uname -r command what are the different values possible to 
> expect?
> 
> So far I have this list.
> 
> Where X.X = major release . Sub release numbers
> Where y = number 1 through 9
> 
> X.X-BETAy
> X.X-RCy
> X.X-RELEASE
> X.X-RELEASE-py
> X.X-PRERELEASE
> X.X-CURRENT



Re: Brian Blencoe

2012-12-07 Thread Fleuriot Damien

On Dec 7, 2012, at 3:09 PM, Brian Blencoe  wrote:

> Hello
> 
> I am a student, doing a presentation project on FreeBSD. I have been surfing 
> your web site, getting some reading done. If you have any good ideas that I 
> could include into my presentation, please email me.
> 
> Thank You 
> 
> Brian Blencoe
> 910-470-7001
> blenc...@gmail.com


What exactly is your presentation about?


Open source software?
Web servers?
root privileges and the 101 funniest ways to abuse them?


There are tons of things to be said about FreeBSD, or any OS for that matter ;)



Re: Somewhat OT: Is Full Command Logging Possible?

2012-12-07 Thread Fleuriot Damien

On Dec 6, 2012, at 9:20 PM, Paul Schmehl  wrote:

> --On December 6, 2012 1:19:00 PM -0600 Tim Daneliuk  
> wrote:
>> 
>> I understand this.  Even the organization in question understands
>> this.  They are not trying to *prevent* any kind of access.  All
>> they're trying to do *log* it.  Why?  To meet some obscure
>> compliance requirement they have to adhere to in order to
>> remain in business.
>> 
>> 
>> I know all of this is silly but that's our future when you
>> let Our Fine Government regulate pretty much anything.
>> 
>> 
> 
> I sent this last night, but for some reason it never showed up.
> 
> /usr/ports/security/sudoscript
> 
> I believe this will meet your requirements.


I'm sorry to say it won't.
Nothing will prevent a user from removing sudoscript's FIFO once he gets root 
privileges.


Basically, what Tim wants to do sounds very akin to the PCI DSS requirements 
that every user's action be logged.
The bad news is _this is not achievable on MS/nux/bsd_ systems.
The kind of logging and security required can only be attained on mainframes 
(read: i/Series, z/Series) using RACF and other absolutely awesome features.


The only thing Tim can do is try to approach the level of security that's 
required.

Devin's suggestion of a kernel module is what comes closest to achieving the 
goal, provided that:
- the functionality is compiled in-kernel to prevent kldunload'ing the module
- the system runs at a secure level high enough to prevent kldunloads, if it 
can't be compiled in-kernel
- the functions used by the module cannot be overridden by another module (for 
example redeclaring this module's sendlog() function with another dummy module, 
making sendlog() basically do a NOOP)

Another contestant that comes a close second is the use of the AUDIT framework, 
however one would need to ensure:
- audit trails cannot be tampered with (chflags sappend)
- the audit daemon cannot be killed



Re: Somewhat OT: Is Full Command Logging Possible?

2012-12-06 Thread Fleuriot Damien

On Dec 6, 2012, at 1:35 AM, Kurt Buff  wrote:

> On Wed, Dec 5, 2012 at 3:48 PM, Tim Daneliuk  wrote:
>> On 12/05/2012 05:44 PM, Kurt Buff wrote:
>>> 
>>> On Wed, Dec 5, 2012 at 3:19 PM, Tim Daneliuk 
>>> wrote:
 
 I am working with an institution that today provides limited privilege
 escalation
 on their servers via very specific sudo rules.  The problem is that the
 administrators can do 'sudo su -'.
>>> 
>>> 
>>> 
>>> 
>>> sudo is misconfigured.
>>> 
>>> man 5 sudoers and man 8 visudo
>>> 
>>> 
>>> 
>>> Kurt
>>> 
>> 
>> I'm sorry Kurt, I'm sort of dense today, I'm not sure what you're
>> saying.  Are you suggesting that there is a way to configure
>> sudo so that if someone does 'sudo su -' to become an admin,
>> sudo can be made to log every command they execute thereafter?
> 
> No, I'm saying that sudo should not be configured to allow 'sudo su -'.


This is an ineffective solution.

So what, you're going to forbid "sudo su -"?

Fine, I'll just run "sudo csh".

If you forbid csh, I'll just copy the existing `which csh` to ~/toto and "sudo 
~/toto".



Basically, anything short of actually whitelisting what people can run won't do.

And apparently that's not in Tim's list of desirable things ;)



Re: Somewhat OT: Is Full Command Logging Possible?

2012-12-06 Thread Fleuriot Damien

On Dec 6, 2012, at 12:47 AM, Tim Daneliuk  wrote:

> On 12/05/2012 05:42 PM, Damien Fleuriot wrote:
>> 
>> 
>> On 6 Dec 2012, at 00:19, Tim Daneliuk  wrote:
>> 
>>>  sudo chown root:wheel my_naughty_script
>>>  sudo chmod  700 my_naughty script
>>>  sudo ./my_naughty_script
>>> 
>>>   The sudo log will note that I ran the script, but not what it did.
>>> 
>>> 
>> 
>> wow, way to complicate matters.
> 
> Hey, I didn't dream up this problem :)
> 
>> 
>> sudo csh
>> 
>> 
>> 
>>> So Gentle Geniuses, is there prior art here that could be applied
>>> to give me full coverage logging of every action taken by any person or
>>> thing running with effective or actual root?
>>> 
>>> P.S. I do not believe
>> 
>> Now would be a good time to start, then.
> 
> 
> Well ... does auditd provide a record of every command issued within a script?
> I was under the impression (and I may well be wrong) that it  noted only
> the name of the script being executed.
> 

While it won't log every single command invoked from inside a script, it *can* 
log every single file access that's made.

Apart from IBM z/Series and i/Series mainframes, there is no hardware/software 
combination that I am aware of which will do that.

The Audit framework is your next best bet IMHO.


>> 
>> The only things you need to ensure are:
>> - auditd cannot be killed off (this is an interesting bit actually, does anyone 
>> know how to do that?)
>> - the audit trail files can only be appended to ; man chflags
>> 
>> 
>> An alternative would be lshell, however you'll have to whitelist commands 
>> people can execute.
>> 
>> 
> 
> Remember that we want admins to be able to do *anything* but we just want
> to log what they do, in fact do.
> 
> -- 
> 
> Tim Daneliuk tun...@tundraware.com
> PGP Key: http://www.tundraware.com/PGP/
> 
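Two of the preconditions named in this reply and in the 2012-12-07 one above, audit trails that can only be appended to (chflags sappend) and a securelevel high enough that root cannot undo that flag or kldunload a module, can be checked mechanically. The script below is an added example, not code from the thread or from FreeBSD: it evaluates the text of `ls -lo` (the flags column shows `sappnd`) and of `sysctl -n kern.securelevel`, so the logic runs offline on the constructed sample lines, and run_live() feeds it real output only on a FreeBSD host. The /var/audit file names are constructed; the remaining conditions from the thread (auditd staying alive, a module's functions not being overridable) are not covered.

```python
"""Check two preconditions for trusting FreeBSD audit(4) trails as a record of
root's actions (added example; not from the thread):
  1. each trail file carries the system append-only flag (`chflags sappnd`),
     visible in the flags column of `ls -lo`;
  2. kern.securelevel >= 1, because below that root can clear the flag again
     and load/unload kernel modules (see security(7)).
The checks consume *text* so they run offline on the constructed samples
below; run_live() gathers real output, but only on a FreeBSD host.
"""
import platform
import subprocess

# Constructed sample output in the layout FreeBSD's `ls -lo` uses:
# mode links owner group flags size month day time name ('-' = no flags).
SAMPLE_LS = [
    "-r--r-----  1 root  audit  sappnd  40960 Dec  6 10:00 "
    "/var/audit/20121206090000.20121206100000",
    "-r--r-----  1 root  audit  -        8192 Dec  6 10:00 "
    "/var/audit/20121206100000.not_terminated",
]


def parse_ls_lo(line):
    """Split one `ls -lo` line into its fields; the name may contain spaces."""
    parts = line.split(None, 9)
    if len(parts) < 10:
        raise ValueError("not an `ls -lo` line: %r" % line)
    mode, _links, owner, group, flags, _size, _mon, _day, _time, name = parts
    return {
        "mode": mode,
        "owner": owner,
        "group": group,
        "flags": set() if flags == "-" else set(flags.split(",")),
        "name": name,
    }


def trail_is_append_only(line):
    """True when the file is system append-only (sappnd): root can add, not rewrite."""
    return "sappnd" in parse_ls_lo(line)["flags"]


def securelevel_sufficient(level):
    """True when kern.securelevel is 1 or higher: sappnd/schg cannot be cleared
    and kernel modules cannot be loaded or unloaded."""
    try:
        return int(str(level).strip()) >= 1
    except ValueError:
        return False


def audit_posture(ls_lines, securelevel):
    """Return a list of findings; an empty list means both preconditions hold."""
    findings = []
    if not securelevel_sufficient(securelevel):
        findings.append("kern.securelevel=%s: root can clear sappnd and unload modules"
                        % str(securelevel).strip())
    for line in ls_lines:
        info = parse_ls_lo(line)
        if "sappnd" not in info["flags"]:
            findings.append("%s: not sappnd (flags: %s)"
                            % (info["name"], ",".join(sorted(info["flags"])) or "-"))
    return findings


def run_live(audit_dir="/var/audit"):
    """Evaluate the real system; FreeBSD only (needs ls -lo and kern.securelevel)."""
    if platform.system() != "FreeBSD":
        raise RuntimeError("live check requires FreeBSD")
    level = subprocess.run(["sysctl", "-n", "kern.securelevel"],
                           capture_output=True, text=True, check=True).stdout
    listing = subprocess.run(["ls", "-lo", audit_dir],
                             capture_output=True, text=True, check=True).stdout
    # keep regular files only: skips the 'total N' header and any subdirectories
    lines = [l for l in listing.splitlines() if l.startswith("-")]
    return audit_posture(lines, level)


if __name__ == "__main__":
    for finding in audit_posture(SAMPLE_LS, "0") or ["samples: OK"]:
        print("sample:", finding)
    if platform.system() == "FreeBSD":
        for finding in run_live() or ["live: OK"]:
            print("live:", finding)
```

Run on the samples it reports the trail without the flag and the insufficient securelevel; on a FreeBSD box it does the same against /var/audit. A clean result only means the two flag/securelevel preconditions hold, not that the audit configuration itself records what you need.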



SOLVED - Re: CARP within VirtualBox Does it work?

2012-12-05 Thread Fleuriot Damien

On Dec 4, 2012, at 8:17 PM, dweimer  wrote:

> On 2012-12-01 03:14, Damien Fleuriot wrote:
>> On 30 November 2012 20:44, dweimer  wrote:
>>> On 2012-11-29 14:07, dweimer wrote:
>>>> 
>>>> On 2012-11-29 12:53, Fleuriot Damien wrote:
>>>>> 
>>>>> On Nov 29, 2012, at 6:43 PM, dweimer  wrote:
>>>>> 
>>>>>> I was trying to set up a test of CARP on two virtual machines running in
>>>>>> VirtualBox 4.2.4r81684. I am not sure if I have something wrong with my
>>>>>> CARP configuration or if VirtualBox just doesn't work right with it. I can
>>>>>> only ping the CARP interface IP address from the machine listed as MASTER;
>>>>>> if I do an ifconfig carp0 down on the MASTER the other machine correctly
>>>>>> switches from BACKUP to MASTER and then I can ping the interface from it
>>>>>> but not from the original system.
>>>>>> 
>>>>>> The VirtualBox systems are both using bridged networking, and the host
>>>>>> cannot ping the carp0 IP address but can ping the interface IP address.
>>>>>> 
>>>>>> Before I go through more troubleshooting, does anyone know if CARP
>>>>>> doesn't work with VirtualBox?
>>>>>> 
>>>>>> carp configuration
>>>>>> Machine1:
>>>>>> ifconfig_em0="UP"
>>>>>> ifconfig_em0_name="LAN"
>>>>>> ipv4_addrs_LAN="10.20.190.201/16"
>>>>>> defaultrouter="10.20.111.2"
>>>>>> cloned_interfaces="carp0"
>>>>>> ifconfig_carp0="vhid 1 advskew 100 pass ReduntantCarpTest
>>>>>> 10.20.190.203/16
>>>>>> 
>>>>>> ifconfig carp0:
>>>>>> carp0 flags=49 metric 0 mtu 1500
>>>>>> inet 10.20.190.203 netmask 0x
>>>>>> nd6 options=29
>>>>>> carp: MASTER vhid 1 advbase 1 advskew 100
>>>>>> 
>>>>>> 
>>>>>> Machine2:
>>>>>> ifconfig_em0="UP"
>>>>>> ifconfig_em0_name="LAN"
>>>>>> ipv4_addrs_LAN="10.20.190.202/16"
>>>>>> defaultrouter="10.20.111.2"
>>>>>> cloned_interfaces="carp0"
>>>>>> ifconfig_carp0="vhid 1 pass ReduntantCarpTest 10.20.190.203/16
>>>>>> 
>>>>>> ifconfig carp0:
>>>>>> carp0 flags=49 metric 0 mtu 1500
>>>>>> inet 10.20.190.203 netmask 0x
>>>>>> nd6 options=29
>>>>>> carp: BACKUP vhid 1 advbase 1 advskew 0
>>>>>> 
>>>>>> FreeBSD version is 9.1RC3 on both test machines.
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> We're using FreeBSD and CARP in virtualized environments at work,
>>>>> albeit not on VirtualBox but on Proxmox/KVM.
>>>>> 
>>>>> First, I would advise replacing 10.20.190.203/16 with 10.20.190.203/32
>>>>> 
>>>>> 
>>>>> I notice your carp0 is MASTER on machine1 with an advskew of 100 vs
>>>>> machine 2 advskew 0, same advbase.
>>>>> Confirm this is *after* you've set carp0 down on machine2.
>>>>> 
>>>>> If both carps are up and machine1 with advskew 100 beats machine2
>>>>> with advskew 0, you have an additional problem.
>>>>> 
>>>>> 
>>>>> See if you have any more luck with the /32 address on carp0 anyway.
>>>> 
>>>> 
>>>> The documentation shows the mask matching that of the interface:
>>>> hostname="hostb.example.org"
>>>> ifconfig_fxp0="inet 192.168.1.4 netmask 255.255.255.0"
>>>> cloned_interfaces="carp0"
>>>> ifconfig_carp0="vhid 2 pass testpass 192.168.1.51/24"
>>>> 
>>>> This is consistent with the man page for CARP on the system as well.
>>>> Regardless I tried with the /32 and had the same result as I did with
>>>> the /16.  I had done various UP/DOWN on interfaces so the current
>>>> MASTER was just the last one to have not been DOWN.  I think I might
>>>>

Re: Install on Intel

2012-12-04 Thread Fleuriot Damien

On Dec 4, 2012, at 11:28 AM, "ksg"  wrote:

> Do you know if FreeBSD will install with a Intel Core 2 CPU  6400 @ 2.13 GHz
> 
> Carlos Griffith

Yes it will.

You'll want the amd64 version, likely.




Re: pfctl

2012-11-30 Thread Fleuriot Damien

On Nov 30, 2012, at 12:02 PM, Laszlo Danielisz  
wrote:

> Hi Everybody,
> 
> Recently I've discovered the following issue: I can't display my firewall's 
> rules, and the firewall is enabled. 
> Take a look what is happening:
> 
> ktulu# pfctl -s rules   
> No ALTQ support in kernel
> ALTQ related functions disabled
> ktulu# pfctl -e
> No ALTQ support in kernel
> ALTQ related functions disabled
> pfctl: pf already enabled
> 
> ktulu# uname -a
> FreeBSD ktulu.danielisz.eu 8.3-RELEASE-p3 FreeBSD 8.3-RELEASE-p3 #0: Mon Jun 
> 11 23:52:38 UTC 2012 
> r...@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  i386
> 
> 
> 
> Do you have any idea why I can not see them?
> 
> Thx!
> Laszlo


Kindly do not cross-post to -pf and -questions at the same time.

I've replied on -pf , hope that helps.



Re: CARP within VirtualBox Does it work?

2012-11-29 Thread Fleuriot Damien

On Nov 29, 2012, at 6:43 PM, dweimer  wrote:

> I was trying to set up a test of CARP on two virtual machines running in 
> VirtualBox 4.2.4r81684. I am not sure if I have something wrong with my CARP 
> configuration or if VirtualBox just doesn't work right with it.  I can only 
> ping the CARP interface IP address from the machine listed as MASTER; if I do 
> an ifconfig carp0 down on the MASTER the other machine correctly switches 
> from BACKUP to MASTER and then I can ping the interface from it but not from 
> the original system.
> 
> The VirtualBox systems are both using bridged networking, and the host cannot 
> ping the carp0 IP address but can ping the interface IP address.
> 
> Before I go through more troubleshooting, does anyone know if CARP doesn't 
> work with VirtualBox?
> 
> carp configuration
> Machine1:
> ifconfig_em0="UP"
> ifconfig_em0_name="LAN"
> ipv4_addrs_LAN="10.20.190.201/16"
> defaultrouter="10.20.111.2"
> cloned_interfaces="carp0"
> ifconfig_carp0="vhid 1 advskew 100 pass ReduntantCarpTest 10.20.190.203/16
> 
> ifconfig carp0:
> carp0 flags=49 metric 0 mtu 1500
> inet 10.20.190.203 netmask 0x
> nd6 options=29
> carp: MASTER vhid 1 advbase 1 advskew 100
> 
> 
> Machine2:
> ifconfig_em0="UP"
> ifconfig_em0_name="LAN"
> ipv4_addrs_LAN="10.20.190.202/16"
> defaultrouter="10.20.111.2"
> cloned_interfaces="carp0"
> ifconfig_carp0="vhid 1 pass ReduntantCarpTest 10.20.190.203/16
> 
> ifconfig carp0:
> carp0 flags=49 metric 0 mtu 1500
> inet 10.20.190.203 netmask 0x
> nd6 options=29
> carp: BACKUP vhid 1 advbase 1 advskew 0
> 
> FreeBSD version is 9.1RC3 on both test machines.



We're using FreeBSD and CARP in virtualized environments at work, albeit not on 
VirtualBox but on Proxmox/KVM.

First, I would advise replacing 10.20.190.203/16 with 10.20.190.203/32


I notice your carp0 is MASTER on machine1 with an advskew of 100 vs machine 2 
advskew 0, same advbase.
Confirm this is *after* you've set carp0 down on machine2.

If both carps are up and machine1 with advskew 100 beats machine2 with advskew 
0, you have an additional problem.


See if you have any more luck with the /32 address on carp0 anyway.



Re: clearing /var/tmp in periodic.conf?

2012-11-29 Thread Fleuriot Damien

On Nov 29, 2012, at 5:19 PM, Gary Aitken  wrote:

> Any reasons why one should not clear /var/tmp via periodic.conf?


Hi Gary,


Well, /var/tmp/nginx is reason enough, for starters ;)
/var/tmp/vi.recover is another, if you use vi.

Basically, there is really no awesome reason for emptying it periodically.



Re: i386 vs amd64

2012-11-28 Thread Fleuriot Damien

On Nov 28, 2012, at 6:36 PM, mike miskulin  wrote:

> About to build a replacement system for an older i386 setup.   A few
> years ago I had tried the amd64 port on it and found it was frustrating
> as things that just worked on i386 did not on amd64. IIRC ports were 
> large annoyance too.
> 
> Now I have a new system with 8GB, etc,etc and wonder if I am best off to
> stick with i386 and PAE or is the amd64 version finally on a par or
> close enough that I would not likely have many issues like in the past?
> 
> Thanks for your thoughts/(recent) experiences.


What port was that?

I've never had a *single* problem due to using amd64 over i386.

From a professional point of view, we're using over 60 amd64 fbsd 8.0 8.1 8.2 
and 8.3 boxes at work and they work just fine.


I for one can recommend the 64-bit version.



Re: Anyone using squid and pf?

2012-11-27 Thread Fleuriot Damien

On Nov 27, 2012, at 6:34 PM, Doug Sampson  wrote:

> [...]
> 
>> Rules from pf.conf
>> 
>> 
>> # macros
>> ext_if="xl0"
>> int_if="bge0"
>> 
>> tcp_services="{ 22, 993, 5910:5917 }"
>> tcp_priv_services="{ 389, 443 }"
>> proxy_services = "{ 21, 80 }"
>> icmp_types="{ echoreq unreach squench timex }"
>> internal_net = "172.18.0.0/16"
>> proxy = "172.18.0.1"
>> proxyport="8021"
>   ^
> No whitespace here
> 
>> 
>> # tables
>> table  persist
>> table  persist
>> 
>> # options
>> set block-policy return # ports are closed but can be seen
>> set loginterface $ext_if
>> 
>> set skip on lo0
>> 
>> # scrub
>> scrub in
>> 
>> rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021
>> 
>> # redirect www trafic to proxy
>> rdr on $int_if inet proto tcp from $internal_net to any port
>> $proxy_services -> $proxy port 8080
>   ^
> Whitespace here. Maybe that's the issue here?
> 


Erm, working as intended, Doug.

He's redirecting from his internal net to any port defined as proxiable, to his 
$proxy machine on port 8080.

Looks good to me.




>> # ext_if IP address could be dynamic, hence ($ext_if)
>> nat on $ext_if from !($ext_if) to any -> ($ext_if)
> 
> [...]



Re: When Is The Ports Tree Going To Be Updated?

2012-11-27 Thread Fleuriot Damien

On Nov 27, 2012, at 4:27 PM, Greg Larkin  wrote:

> 
> On 11/27/12 4:36 AM, Damien Fleuriot wrote:
>> On 26 November 2012 21:15, jb  wrote:
>>> Tim Daneliuk  tundraware.com> writes:
>>> 
>>>> ... One wonders if using svn to keep the ports tree up-to-date
>>>> might not be simpler, and perhaps, more reliable ...
>>> 
>>> As managed by portsnap:
>>> $ du -hs /usr/ports/
>>> 850M    /usr/ports/
>>> 
>>> As managed by svn (it took much longer to checkout/download it by
>>> comparison):
>>> $ du -hs /usr/local/ports/
>>> 1.4G    /usr/local/ports/
>>> $ du -hs /usr/local/ports/.svn/
>>> 702M    /usr/local/ports/.svn/
>>> 
>>> One thing about svn is that it is a developer's tool, with its
>>> own commands set (that should never be mixed with UNIX commands
>>> w/r to dir/file manipulation), and that should not be expected to
>>> be learned by non-devs.
>>> 
>>> For that reasons alone the portsnap-managed ports repo is more
>>> generic, flexible to be handled by user and add-on
>>> apps/utilities, looks like more efficient without that svn
>>> overhead resulting from its requirements and characteristics as a
>>> source control system.
>>> 
>>> But, svn offers to a user a unique view into ports repo, e.g.
>>> history, logs, info, attributes, etc.
>>> 
>>> jb
>>> 
>> 
>> While we're on the binary vs SVN topic, I'd like to point out I'm 
>> *actually running out of inodes* on a virtualized machine (we use 
>> these a lot for our dev and preproduction environments) with 5gb
>> of space, when checking out the ports tree.
>> 
>> Of course 5gb is quite small but then, this was installed a while
>> back.
>> 
>> The transition to SVN means I'm going to have to reinstall these
>> firewalls. There are a lot of them it's going to be a major pain.
>> 
>> 
>> idk, I'm loath to use portsnap, I liked CSup just fine.
> 
> Unless you plan to use svn commands other than checkout in your ports
> tree, I would suggest switching to "svn export" or perhaps the
> svn-export script (http://xyne.archlinux.ca/projects/svn-export/) to
> fetch your ports tree.
> 
> The export command will not create the .svn metadata directory and
> will save on inode usage.  Of course, you could also create a new
> virtual disk for /usr/ports and tune it with more inodes if you'd
> rather use svn checkout.
> 
> Hope that helps,
> Greg
> 
> -- 
> Greg Larkin



Well, I definitely don't plan on making changes to local files or committing 
stuff, I'd just like to keep an updated ports tree and switch from CVS to SVN.

I guess I'll have a look at svn export, thanks for the tip Greg.



Re: When Is The Ports Tree Going To Be Updated?

2012-11-26 Thread Fleuriot Damien

I don't get what you're trying to show here.


The commands you've run indicate that:

1/ you have an up to date ports tree
2/ one of the installed ports needs to be updated


So what?
Just run # portmaster libreoffice


I think you might be confused, "new version available" means that you have 
version 1.2.3 installed and that 1.2.4 is available *from the local ports tree*.
It does not indicate that there is a newer version of a package available 
remotely and that you should update your ports tree.


Hope this helps.


On Nov 26, 2012, at 4:21 PM, jb  wrote:

> Stas Verberkt  legolasweb.nl> writes:
> 
>> 
>> jb schreef op :
>>> Tim Daneliuk  tundraware.com> writes:
>>> 
>>>> ...
>>>>> I use portsnap fetch update and it works...
>>>> 
>>>> Ah, maybe that was the problem.  That works for me as well.
>>> 
>>> Well, not quite ...
>>> 
>> I think, after the security incident, you had to obtain a fresh 
>> snapshot of the ports tree,
>> i.e. you had to do "portsnap fetch extract" before usual service 
>> continued.
>> May this be your problem?
> 
> # portsnap fetch extract
> # ls -al /usr/ports/IN*
> -rw-r--r--  1 root  wheel  26879597 Nov 26 15:37 /usr/ports/INDEX-7
> -rw-r--r--  1 root  wheel  26763600 Nov 26 15:38 /usr/ports/INDEX-8
> -rw-r--r--  1 root  wheel  26744834 Nov 26 15:38 /usr/ports/INDEX-9
> -rw-r--r--  1 root  wheel   1654048 Nov 11 11:45 /usr/ports/INDEX-9.bz2
> # portsnap fetch update
> Looking up portsnap.FreeBSD.org mirrors... 6 mirrors found.
> Fetching snapshot tag from ec2-eu-west-1.portsnap.freebsd.org... done.
> Latest snapshot on server matches what we already have.
> No updates needed.
> Ports tree is already up to date.
> #
> 
> This fixed it.
> 
> But, let's see what happens with this test:
> 
> # rm -rf  /usr/ports/
> # portsnap extract
> # ls -al /usr/ports/IN*
> -rw-r--r--  1 root  wheel  26879563 Nov 26 16:07 /usr/ports/INDEX-7
> -rw-r--r--  1 root  wheel  26763566 Nov 26 16:07 /usr/ports/INDEX-8
> -rw-r--r--  1 root  wheel  26744800 Nov 26 16:07 /usr/ports/INDEX-9
> # portmaster -L | egrep '(ew|ort) version|total install'
>===>>> New version available: java-zoneinfo-2012.j
>===>>> New version available: liberation-fonts-ttf-2.00.1,1
>===>>> New version available: libxul-10.0.11
>===>>> New version available: firefox-17.0,1
>===>>> New version available: libreoffice-3.5.7
>===>>> New version available: vigra-1.9.0
> ===>>> 545 total installed ports
>===>>> 6 have new versions available
> # portmaster -L --index | egrep '(ew|ort) version|total install'
> /tmp/d-78227-index/INDEX-9.bz2100% of 1615 kB  176 kBps 00m00s
>===>>> New version available: libreoffice-3.5.7
> ===>>> 545 total installed ports
>===>>> 1 has a new version available
> # portmaster -L --index-only | egrep '(ew|ort) version|total install'
>===>>> New version available: libreoffice-3.5.7
> ===>>> 545 total installed ports
>===>>> 1 has a new version available
> # ls -al /usr/ports/IN*
> -rw-r--r--  1 root  wheel  26879563 Nov 26 16:07 /usr/ports/INDEX-7
> -rw-r--r--  1 root  wheel  26763566 Nov 26 16:07 /usr/ports/INDEX-8
> -rw-r--r--  1 root  wheel  26665016 Nov 26 16:12 /usr/ports/INDEX-9
> -rw-r--r--  1 root  wheel   1654048 Nov 11 11:45 /usr/ports/INDEX-9.bz2
> # portsnap update
> Ports tree is already up to date.
> #
> 
> Well, what do you say about this ?
> jb
> 
> 



Re: PF and tables for disabling network

2012-11-23 Thread Fleuriot Damien

On Nov 23, 2012, at 3:46 PM, David Demelier  wrote:

> Hello,
> 
> I would like to disable the network traffic for specific IPs, for the
> moment I just add to my pf.conf a rule that will block everything for a
> specified table like this :
> 
> table <closed>
> 
> [...] others rules [...]
> 
> block from <closed>
> 
> Then I just need to add my IP using pfctl and it works: no packet can be
> sent / received to the machine. However, if that machine had some active
> connections, these won't be closed and they can still be used (an SSH
> client, game, ...)
> 
> How can I disable everything then?
> 
> Cheers
> 
> -- 
> Demelier David


First, you might want to use "block in quick on $externalif inet from <closed>", 
to have:
- a quick rule, which stops ruleset evaluation immediately
- a more specific rule, which applies only to your WAN interface's inbound 
traffic

Be careful with the quick keyword, it's going to match packets immediately and 
entirely block these IPs.


Then, if you want to kill the active connections from people in the <closed> 
table, you might want to "script" a bit, like:

for i in $(pfctl -t closed -T show)
do
    pfctl -k "$i"   # kill the states originating from $i
    pfctl -K "$i"   # and its source-tracking entry, if any
done



Would that do the trick for you?
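
As an added example (not code from this thread), here is a small sh script that puts a host into the <closed> table and then tears down the states it already has open in both directions, which the table rule alone does not do; the pf.conf lines it assumes ("table <closed> persist" plus the quick block rule above) and the PFCTL/TABLE override knobs are assumptions of this example, not part of the original post.

```shell
#!/bin/sh
# Added example, not code from the original thread: cut a host off with pf.
# Assumes pf.conf already carries "table <closed> persist" and the reply's
# "block in quick on $externalif inet from <closed>" rule, so new packets
# are dropped and only the already-established states remain to be killed.
# PFCTL and TABLE are knobs of this example only, so it can be dry-run
# (PFCTL=echo) without touching a live firewall.
PFCTL="${PFCTL:-pfctl}"
TABLE="${TABLE:-closed}"

# Accept only a dotted-quad IPv4 address with an optional /prefix. Table
# contents are often fed from logs or other scripts, so nothing unchecked
# may be spliced into a pfctl command line.
valid_addr() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Remove an address's live traffic: states it originated, states going to
# it ("-k 0.0.0.0/0 -k host" in pfctl(8)), and its source-tracking entry.
run_kill() {
    "$PFCTL" -k "$1" &&
        "$PFCTL" -k 0.0.0.0/0 -k "$1" &&
        "$PFCTL" -K "$1"
}

# Add one address to the table, then kill what it already had open.
# Returns 1 and touches nothing if the argument is not an IPv4 address.
close_host() {
    if ! valid_addr "$1"; then
        printf 'close_host: rejecting %s\n' "$1" >&2
        return 1
    fi
    "$PFCTL" -t "$TABLE" -T add "$1" && run_kill "$1"
}

# Sweep every address already in the table (the loop the reply sketches),
# e.g. after the table was refilled with "pfctl -t closed -T replace -f file".
kill_all_closed() {
    for addr in $("$PFCTL" -t "$TABLE" -T show); do
        valid_addr "$addr" || continue
        run_kill "$addr" || return 1
    done
    return 0
}

# Usage: close_host.sh ADDR...   (PFCTL=echo close_host.sh ADDR for a dry run)
if [ $# -gt 0 ]; then
    for a in "$@"; do close_host "$a"; done
fi
```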



Re: high performance server design approach

2012-11-13 Thread Fleuriot Damien
Define "high performance": what are your expectations in terms of concurrent 
connections, requests/second and all?



Allow me to shed some measure of light here: we're running 16x web servers with 
nginx doing *permanent* (as in, for all requests) URL rewriting and serving 500 
req/s each.

These servers, admittedly running Debian, are behind 4x FreeBSD boxes using a 
combination of PF, CARP and relayd on 8.3-STABLE.

The web servers deliver 200mb/second worth of *small* files (roughly 1kb 
javascripts).
They hardly ever reach 0.25 load average, on 8 cores + hyperthreading.


What I'm getting at here is, nginx *totally rapes* performance-wise, at least 
for our own needs.

If it is able to deliver 500 req/s (for each server) of small files, surely it 
can handle the load you're planning on throwing at it ?



On Nov 13, 2012, at 11:28 AM, Friedrich Locke  wrote:

> Thank you Mark for suggestion, but my doubt still remains.
> 
> Regards.
> 
> On Tue, Nov 13, 2012 at 8:26 AM, Mark Blackman  wrote:
> 
>> On 13 Nov 2012, at 10:23, Friedrich Locke 
>> wrote:
>> 
>>> Hi list members,
>>> 
>>> I would like to be an http server for static content only. Due to this
>> 
>> [snip]
>> 
>>> 
>>> 
>>> What you have to say
>> 
>> benchmark nginx to see if it does the job already.
>> 
>> - Mark
>> 
