Re: /var/log/messages question

2004-03-17 Thread Mike Jackson
Danny Howard ([EMAIL PROTECTED]) wrote:
> Mike Jackson wrote:
> 
> >I pipe those, and other messages to a virtual terminal, like this:
> >
> >syslog.conf
> >--
> >*.err;kern.debug;auth.notice	/dev/ttyv3
> > 
> >
> ... and then what do you do with this virtual terminal?  Just check 
> alt+f3 every so often?

Yep. Nice thing about virtual terminals on fbsd, you can touch the
ScrLk key and then PageUp or arrow keys to scroll back and watch the
messages.

Anything that I want to be kept in a logfile goes to a logfile. I might
send auth.notice to a central loghost, once I get one set up. Of course,
if I wanted to be really sure I'd send it to a line printer :-)

--
mike 
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: /var/log/messages question

2004-03-16 Thread Mike Jackson
Darryl Hoar ([EMAIL PROTECTED]) wrote:
> Greetings,
> I have a 4.4-stable box configured as my firewall
> running IPFilter and doing nat and routing to
> the internet.
> 
> I keep getting:
> 
> Mar 16 13:10:09 darryl /kernel: arplookup 10.2.2.2 failed: host is not on local network
> 
> in my /var/log/messages file.  It is coming from my DSL facing interface.  I
> used ethereal to capture packets and determine the MAC address.  Turns out to
> be a "vendor testpoint" on some OSI gear the ISP is using.  They cannot
> correct this problem.
> 
> ARP comes way before IPFilter, therefore I do not believe it can be
> filtered.
> 
> Is there anything I can do to prevent these warnings/errors from clogging up
> my log files ?

This will happen if you have a public static ip address on your freebsd
box, connected to an adsl router but the adsl router's lan interface is
on a different network. This situation primarily occurs when you turn
an adsl router into an adsl modem, e.g. you enable ppp half-bridge mode.

 I pipe those, and other messages to a virtual terminal, like this:

syslog.conf
--
*.err;kern.debug;auth.notice	/dev/ttyv3

BR,
--
mike


Re: store freebsd accounts in mysql ???

2004-03-16 Thread Mike Jackson
[EMAIL PROTECTED] ([EMAIL PROTECTED]) wrote:
>  
> Hi: 
> I am using freebsd5.2. Because I have a large number of users, counted in the tens of
> thousands, using the passwd file to store user accounts and passwords leads to unbearable
> delays. I want to know if FreeBSD supports storing accounts in places other than the
> '/etc/passwd' file, ideally with a MySQL database as the passwd database backend.
> Any hints are welcome.
> regards billy 

Hi,
 Newest versions of FreeBSD support PAM authentication, which can
abstract the authentication database to anything for which there is a PAM
module available.

 I would advise against storing user accounts in MySQL, but rather store
them in OpenLDAP (or your LDAP server software of choice). To perform
user lookup you need "nss_ldap", and to perform authentication you need
"pam_ldap".

BR,
Mike


Re: Server automatically Shuts down.

2004-03-15 Thread Mike Jackson
samy lancher ([EMAIL PROTECTED]) wrote:
> 
> The system just crashes. After the nightly event, when I start the system I see a 
> message "Warning: / was not mounted properly". It does not happen at the same time 
> every night. This box does not have anonymous FTP. 
>  

Hi,
 I once had a similar situation, and it was caused by an overloaded
power supply. The box would auto-reboot quite regularly. I removed two
cd drives from it and it has not happened since.

 I can't say if this is your problem or not, but it's worth considering.

--
Mike 


Re: A laptop worth saving?

2004-03-10 Thread Mike Jackson
[EMAIL PROTECTED] wrote:
> Greetings all, I'm a long time unix/linux user but have been away from
> FreeBSD for about a year or so and would like to solve that personal
> fault.  I have a laptop (IBM ThinkPad T20) that once ran FreeBSD but
> currently sits without floppy, OS, and at last test no CDROM. 
> So my question is what are my options if I wanted to get FreeBSD running
> on it?  I have another Linux box on the LAN but that's about it.  Thanks
> for any help

You can install FreeBSD over the serial port with a null-modem cable.

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/install-advanced.html

--
mike 


Re: firewall rules for mail gateway

2004-03-09 Thread Mike Jackson
Kevin D. Kinsey, DaleCo, S.P. ([EMAIL PROTECTED]) wrote:
> 
> have something to do with it.  If the machine
> is running NAT/divert whatever, it might
> well be diverting before blocking?  But I'm
> wrong so often it's not very funny ... and
> I use ipfw instead of ipf.

One last thing, I forgot to mention that I am running NAT.

iprules.nat
--
map xl0 192.168.1.0/16 -> 0.0.0.0/32

--
mike 


Re: firewall rules for mail gateway

2004-03-09 Thread Mike Jackson
Kevin D. Kinsey, DaleCo, S.P. ([EMAIL PROTECTED]) wrote:
> So, you're using ipf or ipfilter, not
> ipfw, as I take it from your syntax.

# ipfilter logging
ipmon_enable="yes"
ipmon_flags="-D /var/log/ipflog"
 
> I imagine the ipfilter gurus on the
> list would like to see your entire
> ruleset.

 I had to set my tw=80 in order to prevent wrapping. Hope this doesn't
tick anybody off.

Please, if anybody sees any huge, gaping holes, point them out,
preferably in private email.

#-
#
# ipfilter rules
#
# interfaces:
#   xl0 - external
#   xl1 - internal
#

#
# Outside Interface 
#

#
# Allow traffic for services we provide
#
pass in quick on xl0 proto tcp/udp from any to any port = 53   # DNS
pass in quick on xl0 proto tcp from any to any port = 22       # SSH
pass in quick on xl0 proto tcp from any to any port = 25       # SMTP
pass in quick on xl0 proto tcp from any to any port = 80       # WWW

#
# Allow out all TCP, UDP, and ICMP traffic & keep state on it
# so that it's allowed back in.
#
pass out quick on xl0 proto tcp from any to any keep state
pass out quick on xl0 proto udp from any to any keep state
pass out quick on xl0 proto icmp from any to any keep state
block out quick on xl0 all

#---
# Block all inbound traffic from non-routable or reserved address spaces
#---
block in log quick on xl0 from 192.168.0.0/16 to any  #RFC 1918 private IP
block in log quick on xl0 from 172.16.0.0/12 to any   #RFC 1918 private IP
block in log quick on xl0 from 10.0.0.0/8 to any  #RFC 1918 private IP
block in log quick on xl0 from 127.0.0.0/8 to any #loopback
block in log quick on xl0 from 0.0.0.0/8 to any   #loopback
block in log quick on xl0 from 169.254.0.0/16 to any  #DHCP auto-config
block in log quick on xl0 from 192.0.2.0/24 to any#reserved for doc's
block in log quick on xl0 from 204.152.64.0/23 to any #Sun cluster interconnect
block in quick on xl0 from 224.0.0.0/3 to any #Class D & E multicast

#
# Allow bootp traffic in from your ISP's DHCP server only. 
#
pass in quick on xl0 proto udp from 10.0.0.0/8 to any port = 68 keep state

#
# Block and log all remaining traffic coming into the firewall
# - Block TCP with a RST (to make it appear as if the service 
# isn't listening)
# - Block UDP with an ICMP Port Unreachable (to make it appear 
# as if the service isn't listening)
# - Block all remaining traffic the good 'ol fashioned way
#
block return-rst in log quick on xl0 proto tcp from any to any
block return-icmp-as-dest(port-unr) in log quick on xl0 proto udp from any to any
block in log quick on xl0 all 


# 
# Inside Interface
# 

# 
# Allow out all TCP, UDP, and ICMP traffic & keep state 
#
pass out quick on xl1 proto tcp from any to any keep state 
pass out quick on xl1 proto udp from any to any keep state 
pass out quick on xl1 proto icmp from any to any keep state 
block out quick on xl1 all 

#
# Allow in all TCP, UDP, and ICMP traffic & keep state 
# 
pass in quick on xl1 proto tcp from any to any keep state 
pass in quick on xl1 proto udp from any to any keep state 
pass in quick on xl1 proto icmp from any to any keep state 
block in quick on xl1 all 

# 
# Loopback Interface 
# 

# 
# Allow everything to/from your loopback interface so you 
# can ping yourself (e.g. ping localhost) 
# 
pass in quick on lo0 all 
pass out quick on lo0 all 

## EOF

--
mike

firewall rules for mail gateway

2004-03-09 Thread Mike Jackson
Hi,
 I have a 5.2.1 firewall box that also has a mailserver.

Goal:

 - firewall can send and receive mail <-> rest of the world
 - firewall can send and receive mail <-> internal LAN machines
 - firewall blocks internal LAN machines from connecting to
   external SMTP servers

firewall/mail gw
---
xl0 - public interface
xl1 - private interface (gateway ip for LAN) 192.168.1.1


I tried something like:

block out quick on xl1 proto tcp from any to any port = 25

with no effect, workstations could still get past it.

Any help would be appreciated :-)

Thanks,
-- 
Mike Jackson
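The question above (the "block out quick on xl1 ... port = 25" rule that had no effect) and the full ruleset posted in the reply further up both come down to rule direction: ipf evaluates a packet "in" on the interface it arrives on and "out" on the one it leaves by, so LAN traffic headed for the Internet is "in on xl1" and later "out on xl0", never "out on xl1". As an added example that is not from the thread, this small Python model of ipf's quick/first-match evaluation runs a LAN-to-Internet SMTP packet through the posted xl1 rules and through a corrected version that filters it where it enters, while leaving the gateway's own listener on 192.168.1.1:25 reachable; the workstation 192.168.1.50 and the outside mail server 203.0.113.25 are constructed addresses.

```python
# Added example, not from the thread: a toy model of IPFilter rule evaluation.
# A matching "quick" rule ends evaluation; otherwise the last match wins and
# the default verdict is pass. Direction is relative to the interface crossed.
import ipaddress
from collections import namedtuple

# One packet as seen by the filter on one interface.
Packet = namedtuple("Packet", "direction iface proto src dst dport")

def parse_rule(text):
    # Parses only the subset of ipf(5) syntax that appears in the thread.
    toks = text.split()
    r = {"action": toks[0], "direction": toks[1], "quick": "quick" in toks,
         "iface": None, "proto": None, "src": "any", "dst": "any", "dport": None}
    keys = {"on": "iface", "proto": "proto", "from": "src", "to": "dst"}
    for i, t in enumerate(toks):
        if t in keys:
            r[keys[t]] = toks[i + 1]
        elif t == "port":          # ipf writes this as "port = N"
            r["dport"] = int(toks[i + 2])
    return r

def addr_matches(pattern, addr):
    if pattern == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)

def rule_matches(r, p):
    return (r["direction"] == p.direction
            and r["iface"] in (None, p.iface)
            and (r["proto"] is None or p.proto in r["proto"].split("/"))
            and addr_matches(r["src"], p.src)
            and addr_matches(r["dst"], p.dst)
            and r["dport"] in (None, p.dport))

def evaluate(rules, p):
    verdict = "pass"               # ipf passes what no rule matches
    for r in rules:
        if rule_matches(r, p):
            verdict = r["action"]
            if r["quick"]:
                break
    return verdict

# The posted xl1 rules plus the attempted "block out" line from the question.
POSTED = [parse_rule(s) for s in (
    "block out quick on xl1 proto tcp from any to any port = 25",
    "pass out quick on xl1 proto tcp from any to any keep state",
    "pass in quick on xl1 proto tcp from any to any keep state",
    "block in quick on xl1 all",
)]

# Egress filter placed where LAN traffic enters the firewall ("in on xl1"),
# with the gateway's own SMTP service (192.168.1.1:25) still reachable.
FIXED = [parse_rule(s) for s in (
    "pass in quick on xl1 proto tcp from 192.168.1.0/24 to 192.168.1.1 port = 25 keep state",
    "block in log quick on xl1 proto tcp from 192.168.1.0/24 to any port = 25",
    "pass in quick on xl1 proto tcp from any to any keep state",
    "block in quick on xl1 all",
)]

# Constructed sample packets: a LAN workstation (assumed 192.168.1.50) talking
# to an outside mail server (assumed 203.0.113.25) and to the gateway itself.
LAN_TO_EXTERNAL_SMTP = Packet("in", "xl1", "tcp", "192.168.1.50", "203.0.113.25", 25)
LAN_TO_GATEWAY_SMTP = Packet("in", "xl1", "tcp", "192.168.1.50", "192.168.1.1", 25)

if __name__ == "__main__":
    print("posted ruleset, LAN -> external SMTP:", evaluate(POSTED, LAN_TO_EXTERNAL_SMTP))
    print("fixed ruleset,  LAN -> external SMTP:", evaluate(FIXED, LAN_TO_EXTERNAL_SMTP))
    print("fixed ruleset,  LAN -> gateway SMTP: ", evaluate(FIXED, LAN_TO_GATEWAY_SMTP))
```

Because the generic "pass in quick on xl1 ... keep state" creates a state entry, the later "out on xl0" check is also satisfied by state, which is why the block line had to come before that pass rule.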


Re: chrooted ssh/scp

2004-02-02 Thread Mike Jackson
ext Luke Kearney ([EMAIL PROTECTED]) wrote:
> 
> excuse me if this seems off topic but a quick check over at ssh.com
> revealed no obvious links to a downloadable version that would not
> require a license. Pray tell where I might find the binaries. I would
> like to give sshd2 a run and see if it might fix a problem that has been
> nagging at me for a bit.

Hi,
 You can find the license here (FreeBSD is expressly mentioned):

ftp://ftp.ssh.com/pub/ssh/LICENSE

 And the source code for the non-commercial version (missing PKI) here:

ftp://ftp.ssh.com/pub/ssh/ssh-3.2.9.1.tar.gz

 Or like somebody else mentioned, you can use the port. But there were no
problems compiling on BSD last time I tried a few months ago.

BR,
Mike 


Re: 5.2.1 ?

2004-02-02 Thread Mike Jackson
ext Andrew Boothman ([EMAIL PROTECTED]) wrote:
> > 5.2.1-RC1 still gives piles of arp warnings when you use an ADSL router
> > in half-bridge mode. I wish I knew of a way to disable this. For now, I
> > did some tuning to syslog and fixed it so that junk only goes to ttyv3
> > instead of filling up /var.
> 
> What arp warnings are you getting?
> 
> There are ARP sysctls that you might be able to tweak in order to stop
> getting these.

Hi,
 The adsl router is set to 10.0.0.2, offering via DHCP its WAN IP
address to the FreeBSD box. PPP half-bridge mode is something strange,
but very useful anyway.

 So, the FreeBSD box gets a live internet IP from the router and since
the router is on a different network, the logfiles fill with arp errors
that 10.0.0.2 can't be arp'ed because it's not on the same network,
blah, blah, blah.

 Read this to understand the setup of my networking:

http://www.adslnation.com/phpapps/phpBB2/viewtopic.php?t=402&sid=7f658e15ff642da866cd437cc7f0b841
 

 You see that I have to force the subnet mask to something other than
the one that the adsl router uses, in order to get routing working at
all. Strangely enough, this problem doesn't exist at all on linux. It's
a FreeBSD peculiarity. Anyway, I wouldn't consider using linux for my
firewall/gateway.

BR,
-- 
Mike Jackson


Re: 5.2.1 ?

2004-02-01 Thread Mike Jackson
ext J.D. Bronson ([EMAIL PROTECTED]) wrote:
> I see there is a 5.2.1-RC1 ISO out already??
> 
> Is there anything that states what the difference is between 5.2 and this?
> 
> I had thought 5.2 JUST came out ??

I was sort of surprised about this as well. I cvsup'ed my sources with
the tag RELENG_5_2 and I noticed when it rebooted that I have an even
newer release :-)

I upgraded from 5.0 RC1, and there were some changes in the sysctl
kernel oids. At least the bridging oids are more fine grained, and
caused one of my boot scripts to fail.

5.2.1-RC1 still gives piles of arp warnings when you use an ADSL router
in half-bridge mode. I wish I knew of a way to disable this. For now, I
did some tuning to syslog and fixed it so that junk only goes to ttyv3
instead of filling up /var.

BR,
Mike 


Re: boot.config problem, can't boot

2004-02-01 Thread Mike Jackson
ext Sebastian Kutsch ([EMAIL PROTECTED]) wrote:
> Hi,
> 
> if you have a bootable CD-ROM installed you can get a live CD from 
> http://www.freesbie.org/ and boot with it. Then you can mount your
> root-FS and edit the boot.config file.

Hey, I looked at that page and that sounds cool. Sort of like the
Knoppix linux project. Anyhow, the download site for the iso is not
visible in DNS, at least from my perspective:

$ host www.willystudios.com
Host www.willystudios.com not found: 3(NXDOMAIN)

BR,
Mike


Re: toor & root

2004-02-01 Thread Mike Jackson
ext Markus Kovero ([EMAIL PROTECTED]) wrote:
> Toor is for security paranoid people? Dunno, it's a way to get more secure from
> most "script kiddie" r00t-kit things. Does it btw have the superuser id?

The "toor" user is nothing more than a backup root account, in case your
"root" account happens to get locked out for some odd reason. The "toor"
user does not have a password by default, and is thus a disabled
account. I normally add my own "root user" account, which serves the
same purpose but helps auditing because that username appears in
logfiles instead of "root" or "toor".

The best way to protect against somebody trying to remotely hack root,
other than the obvious of turning off unneeded services, is to disable
remote root logins. Then to get root, you have to first login as a
normal user and then su to root. Disable remote root logins in
/etc/ttys by setting terminals to insecure.

--
mike


Re: df oddity (to a newbie)

2004-02-01 Thread Mike Jackson
ext Joshua Eckroth ([EMAIL PROTECTED]) wrote:
> I installed a 80gig harddrive for /usr/home, but df has been consistently giving me 
> weird numbers:
> 
> Filesystem   1K-blocks     Used    Avail Capacity  Mounted on
> /dev/ad5s1d   75685352 24426308 45204216    35%    /usr/home
> 
> what's with Used + Avail != 1K-blocks?

Hi,
 What's weird about it? FreeBSD reserves 5% of the space for the root
user on every filesystem. That's why it's not showing as available. It's
a feature, not a bug :-)

BR,
--
mike


boot.config problem, can't boot

2004-02-01 Thread Mike Jackson
Hi,
 I was doing some work on my gateway and decided to tighten up the
security a bit...

 In essence, I had "-h" in /boot.config, but I commented it out (because
I thought that somehow comments would be understood). So, now I have
"#-h" in /boot.config, which by the way I set the immutable flag on
according to one unofficial HOWTO I was reading. BTW, the comment in the
/boot.config was not part of that HOWTO. It was my own lack of
understanding about how that file is parsed during boot. Yes, I feel
stupid, but I'm also wondering why the file can't include a comment. I
think that this a bug.

 And then I rebooted for some other reason. And now, I can't get past
the boot: prompt. The #-h is not understood and I can't override it.

 There are some changes to files which are on that box that I'd like to
keep, which have been made since the last backup. Is there any way to
recover from this situation, or is it "re-install" time?

Thanks,
-- 
Mike Jackson


Re: Booting without keyboard.

2003-10-06 Thread Mike Jackson
ext [EMAIL PROTECTED] ([EMAIL PROTECTED]) wrote:
> Hi,
>  
> I have recently installed FreeBSD 4.8-RELEASE-p10 on an Intel SE7501WV2 board. I am 
> using a PS2 keyboard without mouse. It works fine. However, when I boot without the 
> keyboard plugged into the system, it is not able to accept the keyboard when I plug 
> it in later. 
>  
> Is there a way to turn the keyboard always 'on' so that I can get it to work 
> whenever I plug it in after the system is up and running?
>  

Hi,
 You could try a USB keyboard. I'm not sure if USB Hotplugging is
working in FBSD or not, but it *should* work theoretically.

 I don't know of any systems that allow PS/2 hotplugging.

BR,
--
mike


Re: adding webmail

2003-10-05 Thread Mike Jackson
ext Timothy J. Luoma ([EMAIL PROTECTED]) wrote:
> 
> To paraphrase a Mutt slogan, "All Webmail sucks" so the key is finding one 
> that sucks less.

Hi,
 I'm a mutt user myself :-) And as for a webmail software that sucks the
least, it's Sqwebmail. Only caveat is that your mailboxes need to be in
maildir format, e.g. you need to use Qmail or Postfix as your MTA. There
are good utils available for converting mbox to maildir. And procmail
works just fine with maildir. Maildir is really great in that your
webmail cgi, etc, doesn't have to read a 100mb mbox file into memory
before displaying a single message :-)

--
mike


Re: bridging multiple interfaces

2003-10-05 Thread Mike Jackson
ext Manuel Rabade (MiG) ([EMAIL PROTECTED]) wrote:
> 
> That's fine, but you must check the netmask of the interfaces and your computers
> in the network, it should be 255.255.0.0.

Aha, that could be the problem then. I'm using 255.255.255.0 currently.
 
> How are you bridging the interfaces ?? i think it should be:
> 
> sysctl net.link.ether.bridge_cfg=xl0,xl1,wi0

Yep, that's what I did :-) I'll give it a test with the different
netmask and tell you how it goes.

Thanks,
Mike 


Re: bridging multiple interfaces

2003-10-05 Thread Mike Jackson
ext Manuel Rabade (MiG) ([EMAIL PROTECTED]) wrote:
> On Sun, Oct 05, 2003 at 02:12:49AM +0300, Mike Jackson wrote:
> > ext Manuel Rabade (MiG) ([EMAIL PROTECTED]) wrote:
> > > You want to use the NAT of your ASDL router or that pc1 do the nat for xl0
> > > and wi0 ?
> > 
> > I'm using the NAT on the ADSL router, because that's the only public IP
> > that I have.
> >
> 
> Humm .. are you using different subnets on each interface, or how do you bring up
> the interfaces ?

Hi,
 Yes, I have the following networks:

xl0 - 192.168.3.0
xl1 - 192.168.1.0
wi0 - 192.168.2.0

--
mike


Re: bridging multiple interfaces

2003-10-04 Thread Mike Jackson
ext Manuel Rabade (MiG) ([EMAIL PROTECTED]) wrote:
> You want to use the NAT of your ASDL router or that pc1 do the nat for xl0
> and wi0 ?

I'm using the NAT on the ADSL router, because that's the only public IP
that I have.

--
mike 


bridging multiple interfaces

2003-10-04 Thread Mike Jackson
Hi,
 I would like to ask for some advice on configuring my home network,
with a FreeBSD 5.1 being the main player. In a nutshell, I want to route
wired and wireless traffic through my FBSD box, do some ipfw, perhaps
IPSec, and some bandwidth shaping, and finally send the traffic out to
the internet.

 I have an ADSL router/switch with a public IP, running NATD.

 I have a 5.1 box with three interfaces:

 - Netgear MA301(wi0)
 - 3Com 905b(xl0)
 - 3Com 905b(xl1)

 wi0 is bridged to xl1, so that wireless boxes can connect to the
internet. xl0 is plugged into a 5-port switch, and is turned down. 

 The current configuration is:

 - pc1 (5.1 box) is plugged into the ADSL switch
 - pc2 (linux box) is plugged into the ADSL switch
 - pc3 (win2k laptop) is using pc1 (wi0) as its wireless access point

 
 The desired configuration is:

 - pc1 (xl1) is plugged into the ADSL switch
 - pc1 (xl0) is plugged into the 5-port switch
 - pc2 is plugged into the 5-port switch
 - pc3 is using pc1 (wi0) as its wireless access point
 - pc1 is serving DHCP in xl0 and wi0
 - all machines plugged into the 5-port switch can access internet
 - all machines using pc1 (wi0) as wireless access point can access
   internet
 - pc1 (wi0) is only accessible via IPSec 
 - pc1 (wi0 and xl0) or xl1 doing bandwidth shaping
   - preferable to be able to limit bandwidth per workstation


 I tried to bridge both xl0 and wi0 to xl1, but the network just stopped
completely and I had to reboot the machine. And I'm not even sure if
this is the correct or best approach. Any suggestions?

Thanks!
--
mike