Simple firewall question: Blocking a handful of IPs
I'm not extremely comfortable with doing firewall testing remotely on production systems, but I need to set up some incoming IP blocks.

I've got a FreeBSD RELENG_5_4 system with public interface rl0. I want all traffic allowed unfettered, except traffic from particular IPs to be completely blocked coming in.

Can someone show me which ipf rules to use to get that result?

Thanks,
Wade

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Simplest way to block a single IP?
I've got a system that's sending a ton of referral spam to websites on my RELENG_4_9 system. I'd like to block them from accessing my system at the TCP level.

What's the best and easiest way to do this? I assume I'll need to recompile the kernel with IPFIREWALL or IPFILTER support, then set up some rules. Does anyone have a recommendation for a simple ruleset to block one particular IP?

Thanks,
Wade
Postfix and SASL2 authentication
I've been able to get Postfix and SASL1 to authenticate to system accounts under FreeBSD with no problem, but now I'm trying to use SASL2. I'm running into problems.

I built postfix and sasl2 from ports with no problems. I created /usr/local/lib/sasl2/smtpd.conf:

    pwcheck_method: saslauthd
    mech_list: plain login

saslauthd is being run with the -a getpwent flags from /etc/rc.conf.

Postfix is set up to use SASL:

    enable_sasl_authentication = yes
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_local_domain = $myhostname
    broken_sasl_auth_clients = yes

However, when I test with a base64-encoded username\0username\0password string, it doesn't authenticate:

    Nov 13 07:46:29 taz postfix/smtpd[327]: localhost[127.0.0.1]: AUTH PLAIN bWludGVyAG1pbnRlcgBjaGFuZ2VtZQ==
    Nov 13 07:46:29 taz postfix/smtpd[327]: smtpd_sasl_authenticate: sasl_method PLAIN, init_response bWludGVyAG1pbnRlcgBjaGFuZ2VtZQ==
    Nov 13 07:46:29 taz postfix/smtpd[327]: smtpd_sasl_authenticate: decoded initial response minter
    Nov 13 07:46:29 taz postfix/smtpd[327]: warning: SASL authentication failure: Password verification failed
    Nov 13 07:46:29 taz postfix/smtpd[327]: warning: localhost[127.0.0.1]: SASL PLAIN authentication failed
    Nov 13 07:46:29 taz postfix/smtpd[327]: localhost[127.0.0.1]: 535 Error: authentication failed

Does anyone know what I'm doing wrong?

--Wade
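The AUTH PLAIN test described in the message above, as an added example that is not part of the original post: it builds and parses the authzid\0authcid\0password string (the RFC 4616 layout) and masks the base64 blob in verbose smtpd log lines, since that blob decodes straight back to the password. The function names, the user alice and the sample log lines are constructed for illustration.

```python
import base64
import re


def build_plain(authcid, password, authzid=""):
    """Encode authzid NUL authcid NUL password for 'AUTH PLAIN <blob>'."""
    raw = "\0".join((authzid, authcid, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def parse_plain(blob):
    """Decode an AUTH PLAIN blob into (authzid, authcid, password)."""
    raw = base64.b64decode(blob, validate=True)
    parts = raw.split(b"\0")
    if len(parts) != 3:
        raise ValueError("expected exactly two NUL separators")
    authzid, authcid, password = (p.decode("utf-8") for p in parts)
    if not authcid or not password:
        raise ValueError("authcid and password must be non-empty")
    return authzid, authcid, password


# Base64 is an encoding, not protection: mask the blob before logs are shared.
_BLOB = re.compile(r"\b(AUTH PLAIN|init_response) [A-Za-z0-9+/]+={0,2}")


def redact(line):
    """Replace the credential blob in a verbose smtpd log line."""
    return _BLOB.sub(r"\1 <redacted>", line)


# Constructed sample, shaped like the verbose smtpd output quoted above.
SAMPLE = build_plain("alice", "example-secret", authzid="alice")
LOG = [
    "Nov 13 07:46:29 host postfix/smtpd[327]: localhost[127.0.0.1]: AUTH PLAIN " + SAMPLE,
    "Nov 13 07:46:29 host postfix/smtpd[327]: smtpd_sasl_authenticate: "
    "sasl_method PLAIN, init_response " + SAMPLE,
    "Nov 13 07:46:29 host postfix/smtpd[327]: warning: localhost[127.0.0.1]: "
    "SASL PLAIN authentication failed",
]

if __name__ == "__main__":
    print(parse_plain(SAMPLE))
    for entry in LOG:
        print(redact(entry))
```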
Updating ports perl from 5.8.0 to 5.8.1
I'd like to update my ports-installed version of Perl from 5.8.0 to 5.8.1. On my test system, I did a portupgrade -rR perl, but it didn't update any of my installed p5- modules, which caused breakage until I reinstalled all of them by hand.

Is there a better way to update Perl? Would a portupgrade -rRf have helped?

--Wade
Re: Updating ports perl from 5.8.0 to 5.8.1
On Nov 2, 2003, at 12:01 PM, Lowell Gilbert wrote:

> H.Wade Minter [EMAIL PROTECTED] writes:
>
> > I'd like to update my ports-installed version of Perl from 5.8.0 to 5.8.1. On my test system, I did a portupgrade -rR perl, but it didn't update any of my installed p5- modules, which caused breakage until I reinstalled all of them by hand.
> >
> > Is there a better way to update Perl? Would a portupgrade -rRf have helped?
>
> Yes. portupgrade -rf perl is *exactly* the incantation I would have recommended.

That didn't seem to work. I ran that on one system, and it only upgraded perl; it didn't attempt to do any of the p5-* packages.

--Wade
vsftpd port not honoring /etc/shells
I installed the vsftpd port on my RELENG_4_8 system as a replacement for the standard ftpd. However, it doesn't appear to be honoring /etc/shells - a user listed in the passwd file with a shell (/sbin/nologin) that does not appear in /etc/shells is still allowed to FTP into the system.

I'm guessing this may be a problem with PAM, as I have check_shell=YES in /usr/local/etc/vsftpd.conf, and the manpage for vsftpd.conf says that this setting is only valid for non-PAM builds. But I'm stumped as to how to lock down users via /etc/shells in the default port build.

Any suggestions would be appreciated.

--Wade
Constantly crashing RELENG_4_8 server
One of my RELENG_4_8 servers is crashing regularly. I think it's hardware, but I'm not sure which part is the culprit. The crash messages are below - any suggestions? My googling is pointing to disk, but I'd like a second opinion.

    #
    Jun 16 19:50:56 carlton /kernel: panic: pmap_enter: attempted pmap_enter on 4MB page
    Jun 16 19:50:56 carlton /kernel:
    Jun 16 19:50:56 carlton /kernel: syncing disks... 9
    Jun 19 21:29:23 carlton /kernel: panic: pmap_enter: attempted pmap_enter on 4MB 0age
    Jun 19 21:29:23 carlton /kernel:
    Jun 19 21:29:23 carlton /kernel: syncing disks... 6 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 ^Q
    Jun 19 21:29:23 carlton /kernel: Copyright (c) 1992-2003 The FreeBSD @roject.
    Jun 20 11:00:57 carlton /kernel: panic: vput: negative ref cnt
    Jun 20 11:00:57 carlton /kernel:
    Jun 20 11:00:57 carlton /kernel: syncing disks... Copyright (c) 1992-2003 The Fr
Re: Postfix auth problems on one system, not the other
On 5 Nov 2002, Simon J Mudd wrote:

> In your case it may also be useful to enable debugging in smtpd by modifying master.cf and adding a -v line, and then restarting postfix with postfix reload.

Turns out the problem was that postfix didn't have access to the /var/pwcheck directory. Putting postfix in the cyrus group solved the problem.

This URL proved to be the key:

http://groups.google.com/groups?hl=enlr=ie=UTF-8oe=UTF-8selm=20021101204024.A69576%40volt.iem.pw.edu.pl

Thanks for the help!

--
If you have a VCR or MP3 player, you need to read these links:
http://www.digitalconsumer.org/
http://digitalspeech.org/
http://www.libertyboard.org/

To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-questions in the body of the message
Postfix auth problems on one system, not the other
This is a tale of two postfix installs.

Install one was on a clean 4.7 system, and works like a charm. Using pwcheck_pam, everything's peachy.

On the other system, also a 4.7 install, currently running sendmail, I'm attempting to migrate to postfix. Everything seems to be working fine, except I cannot get SMTP AUTH to work properly.

I've got pwcheck_pam running, just like on System 1. /usr/local/lib/sasl/smtpd.conf contains:

    pwcheck_method: pwcheck

just like on System 1.

However, when I connect to System 2, and do an AUTH PLAIN (base64-encoded-string), it hangs for 5 seconds or so and spits back Authentication failed, whereas on System 1, it immediately returns with authentication accepted.

One clue - when I truss pwcheck_pam on System 1, it shows lots of activity. When I truss it on System 2, there's no activity at all. So it looks like System 2 isn't even contacting the pwcheck daemon to try to auth the password.

I'm at my wit's end, so hopefully someone will be able to point me toward something to try to get this working. Any help will be appreciated.

Package info, System 1:

    cyrus-sasl-1.5.27_7
    postfix-1.1.11,1

Package info, System 2:

    cyrus-sasl-1.5.27_7
    postfix-1.1.11,1

--Wade