pfctl and verbosely listing tables not giving full output on 9.x
On some of my older systems, I try and view some tables verbosely as the manual describes:

    We can now use the table show command to output, for each address and packet direction, the number of packets and bytes that are being passed or blocked by rules referencing the table. The time at which the current accounting started is also shown with the ``Cleared'' line.

    # pfctl -t test -vTshow
       129.128.5.191
            Cleared:     Thu Feb 13 18:55:18 2003
            In/Block:    [ Packets: 0      Bytes: 0      ]
            In/Pass:     [ Packets: 10     Bytes: 840    ]
            Out/Block:   [ Packets: 0      Bytes: 0      ]
            Out/Pass:    [ Packets: 10     Bytes: 840    ]

and I get what I would expect when I issue the command:

    # uname -r
    8.3-RELEASE-p3
    # pfctl -t spam -vTshow
    No ALTQ support in kernel
    ALTQ related functions disabled
       61.156.238.56
            Cleared:     Mon May 27 16:06:03 2013
            In/Block:    [ Packets: 23     Bytes: 1673   ]
            In/Pass:     [ Packets: 0      Bytes: 0      ]
            Out/Block:   [ Packets: 0      Bytes: 0      ]
            Out/Pass:    [ Packets: 0      Bytes: 0      ]
       101.44.1.135
            Cleared:     Tue May 28 11:14:23 2013
            In/Block:    [ Packets: 21     Bytes: 1520   ]
            In/Pass:     [ Packets: 0      Bytes: 0      ]
            Out/Block:   [ Packets: 0      Bytes: 0      ]
            Out/Pass:    [ Packets: 0      Bytes: 0      ]

All of my newer systems seem to not be showing me the data I expect:

    # uname -rm
    9.1-RELEASE-p3 amd64
    # pfctl -t spam -vTshow
    No ALTQ support in kernel
    ALTQ related functions disabled
       46.21.161.37
            Cleared:     Tue May 14 10:37:11 2013
       46.29.248.152
            Cleared:     Sat May 25 03:47:26 2013
       46.165.236.153
            Cleared:     Tue May 14 06:12:05 2013
    [...]

    # uname -rm
    9.1-RELEASE i386
    # pfctl -t spam -vTshow
    No ALTQ support in kernel
    ALTQ related functions disabled
       1.235.138.249
            Cleared:     Sat Apr 27 19:55:15 2013
       27.50.140.140
            Cleared:     Fri Apr 26 13:43:11 2013
       31.3.245.178
            Cleared:     Tue Apr 30 19:30:29 2013
    [...]

    # uname -rm
    9.1-RELEASE amd64
    # pfctl -t spam -vTshow
    No ALTQ support in kernel
    ALTQ related functions disabled
       46.29.248.152
            Cleared:     Sat May 25 03:49:12 2013
       50.73.11.52
            Cleared:     Wed May 22 01:57:10 2013
       61.132.228.240
            Cleared:     Sun May 19 23:46:07 2013

Can anyone confirm similar behaviour on their systems, or has anyone even tried? I didn't see any active PRs about this.

Thanks,
Philip

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
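An added example, not from the post above: a small parser for `pfctl -t <table> -vTshow` output that records each address's `Cleared:` time and per-direction counters, then lists the addresses that came back with only a `Cleared:` line (the 9.1 behaviour reported). The sample text is constructed from the two outputs quoted in the post.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the outputs quoted in the post: the first
# entry carries its four counter lines, the second has only "Cleared:".
SAMPLE_OUTPUT = """\
No ALTQ support in kernel
ALTQ related functions disabled
   61.156.238.56
        Cleared:     Mon May 27 16:06:03 2013
        In/Block:    [ Packets: 23                 Bytes: 1673               ]
        In/Pass:     [ Packets: 0                  Bytes: 0                  ]
        Out/Block:   [ Packets: 0                  Bytes: 0                  ]
        Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
   46.21.161.37
        Cleared:     Tue May 14 10:37:11 2013
"""

COUNTERS = ("In/Block", "In/Pass", "Out/Block", "Out/Pass")
ADDR_RE = re.compile(r"^\s*([0-9a-fA-F.:]+(?:/\d+)?)\s*$")   # v4/v6 address, optional prefix length
COUNTER_RE = re.compile(r"^\s*(In/Block|In/Pass|Out/Block|Out/Pass):\s*\[\s*Packets:\s*(\d+)\s*Bytes:\s*(\d+)\s*\]")

def parse_table_show(text: str) -> Dict[str, dict]:
    """Map each table address to its Cleared timestamp and per-direction (packets, bytes) tuples."""
    entries: Dict[str, dict] = {}
    current = None
    for line in text.splitlines():
        m = ADDR_RE.match(line)
        if m:
            current = m.group(1)
            entries[current] = {"cleared": None, "counters": {}}
            continue
        if current is None:
            continue                     # ALTQ warnings printed before the first address
        if line.strip().startswith("Cleared:"):
            entries[current]["cleared"] = line.split("Cleared:", 1)[1].strip()
            continue
        m = COUNTER_RE.match(line)
        if m:
            entries[current]["counters"][m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return entries

def addresses_missing_counters(entries: Dict[str, dict]) -> List[str]:
    """Addresses whose entry lacks any of the four In/Out Block/Pass counter lines."""
    return [addr for addr, e in entries.items() if any(c not in e["counters"] for c in COUNTERS)]

if __name__ == "__main__":
    # On a live box, feed this the stdout of subprocess.run(["pfctl", "-t", "spam", "-vTshow"], ...).
    for addr in addresses_missing_counters(parse_table_show(SAMPLE_OUTPUT)):
        print(addr, "has no per-direction counters")
```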
So, did I mis-file this PR? [bin/141175: New cpio(1) in FreeBSD 8 regressed and left out a previous option: -V (dots) [regression]]
When FreeBSD-8 came out, it came with a newly rewritten cpio(1) that no longer offered an option I originally started using with SunOS/Solaris, but came to expect on FreeBSD and Linux as well. Since it was pretty trivial to add it back, I did so and offered the patch in PR bin/141175:

    http://www.freebsd.org/cgi/query-pr.cgi?pr=141175

The option is -V, to print a dot per file copied rather than the much more verbose -v; the dots variant can be useful for some feedback when copying a large hierarchy.

My PR was filed on 2008/Dec/4, over a month ago, yet there has not even been a single response to it. Did I mis-file it?

Thanks,
Philip
Re: PAM-SSH-LDAP problem
You had said:

> Panos wrote:
>
> the strange thing is that the ldapsearch command gives me this:
>
> ldapsearch -x -b 'ou=users,dc=something,dc=something,dc=something' '(&(objectClass=*)(uid=ldap_test))'
> # extended LDIF
> #
> # LDAPv3
> # base <ou=users,dc=something,dc=something,dc=something> with scope subtree
> # filter: (&(objectClass=*)(uid=ldap_test))
> # requesting: ALL
>
> dn: cn=ldap_test,dc=something,dc=something,dc=something
> cn: ldap_test
> [...]
> gecos: ldap_test
> homeDirectory: /home/ldap/ldap_test
> loginShell: /bin/sh
> [...]
> uidNumber: 1003
> uid: ldap_test
> gidNumber: 1000
> userPassword:: XX

And then later:

> Panos wrote:
>
> I think I found what the problem is but I don't know how to fix it. From the error messages, err=49 means that the password is wrong. I'm sure that I type it correctly. So I captured traffic using wireshark: when the manager tries to bind everything is normal and the bind is successful; in the "authentication simple" field of the packet the password was correct. But when ldap_test tries to bind, the password that it sends to the ldap server is INCORRECT (08 0a 0d 7f 49 4e 43 4f 52 52 45 43 54 in the hex field), so the ldap server returns invalid credentials. I think that this is the problem but I don't have a clue how to solve it. I can't understand why it sends an incorrect password, and most important which of ssh, pam or pam_ldap has the problem. Any ideas?

On 2009, Apr 23, at 09:54, Panos wrote:

> Anyone?

With the later message where you say you found a message that the bind attempt resulted in the password reported as INCORRECT, I do not see you describe how you initiated the BIND attempt, only that you captured it with wireshark. When you login as cn=manager,[...] that you say works, is that via ssh, or your admin tool you mentioned in a previous message, or more directly using something like ldapsearch(1)?

I highly recommend you test things from the ground up to try and find at which level the failure is occurring:

    network: already covered, you know you can talk to the LDAP server from the client you are testing
    LDAP:    try performing the LDAP searches manually using ldapsearch(1), more on that below
    Account: getent passwd ldap_test
    SSH:     if those work, try more logging in the PAM or SSH layers

For doing the direct LDAP test, you've already checked that the entry is in your database:

    ldapsearch -x -b 'ou=users,dc=something,dc=something,dc=something' '(&(objectClass=*)(uid=ldap_test))'

Next, make sure you can actually bind as that user:

    % ldapsearch -x -b 'ou=users,dc=something,dc=something,dc=something' -D 'cn=ldap_test,dc=something,dc=something,dc=something' -W '(&(objectClass=*)(uid=ldap_test))'
    Enter LDAP Password: x
    [...]

If that fails, bump up the logging on either the client and/or server side of the LDAP server and see what clues you get from those logs. If it works, move on to the next layer and see if it can properly access the information you could get manually.

-philip
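An added example, not from the thread: a minimal BER decoder for the LDAP simple BindRequest that Wireshark showed Panos, so the DN and the exact password bytes a client put on the wire can be read out of a captured TCP payload. The sample message is constructed here with a small encoder (the DN and the literal "INCORRECT" password are taken from the post; the message ID and LDAP version are assumed).

```python
def tlv(tag: int, body: bytes) -> bytes:
    """BER TLV with a short-form length (body under 128 bytes); used only to build the sample."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV at buf[pos]; handles short and long-form lengths."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                               # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_simple_bind(msg: bytes) -> dict:
    """Pull messageID, version, bind DN and the simple-auth password out of one LDAPMessage."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:                                 # LDAPMessage ::= SEQUENCE
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = read_tlv(body, 0)               # messageID INTEGER
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, bind, _ = read_tlv(body, pos)              # protocolOp
    if tag != 0x60:                                 # BindRequest ::= [APPLICATION 0] SEQUENCE
        raise ValueError("protocolOp is not a BindRequest (tag 0x%02x)" % tag)
    _, ver, pos = read_tlv(bind, 0)                 # version INTEGER
    _, name, pos = read_tlv(bind, pos)              # name LDAPDN (OCTET STRING)
    tag, auth, _ = read_tlv(bind, pos)              # authentication: simple is [0] OCTET STRING
    if tag != 0x80:
        raise ValueError("not a simple bind (SASL or other authentication choice)")
    return {"message_id": int.from_bytes(mid, "big"), "version": int.from_bytes(ver, "big"),
            "name": name.decode(), "password": auth}

# Constructed sample: a client binding as ldap_test with the literal password
# "INCORRECT" (bytes 49 4e 43 4f 52 52 45 43 54, as quoted in the post).
BIND_DN = "cn=ldap_test,dc=something,dc=something,dc=something"
SAMPLE_BIND = tlv(0x30, tlv(0x02, b"\x01")
                  + tlv(0x60, tlv(0x02, b"\x03") + tlv(0x04, BIND_DN.encode()) + tlv(0x80, b"INCORRECT")))

if __name__ == "__main__":
    decoded = parse_simple_bind(SAMPLE_BIND)
    print(decoded["name"], decoded["password"].hex(), decoded["password"])
```

On a real capture, pass the TCP payload of the BindRequest packet (Wireshark's "Export Packet Bytes" on the LDAPMessage) to parse_simple_bind.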
Re: i have a system that will not installworld.
On 2007, May 28, at 22:14, Jonathan Horne wrote:

> i just did a buildkernel and world, and installing the kernel was normal with no issues. mergemaster -p, and then when i installworld, i get this:
>
> phoenix# make installworld
> mkdir -p /tmp/install.iA4Zk47v
> for prog in [ awk cap_mkdb cat chflags chmod chown date echo egrep find grep install-info ln lockf make mkdir mtree mv pwd_mkdb rm sed sh sysctl test true uname wc zic; do cp `which $prog` /tmp/install.iA4Zk47v; done
> cd /usr/src; MAKEOBJDIRPREFIX=/usr/obj MACHINE_ARCH=i386 MACHINE=i386 CPUTYPE= GROFF_BIN_PATH=/usr/obj/usr/src/tmp/legacy/usr/bin GROFF_FONT_PATH=/usr/obj/usr/src/tmp/legacy/usr/share/groff_font GROFF_TMAC_PATH=/usr/obj/usr/src/tmp/legacy/usr/share/tmac PATH=/usr/obj/usr/src/tmp/legacy/usr/sbin:/usr/obj/usr/src/tmp/legacy/usr/bin:/usr/obj/usr/src/tmp/legacy/usr/games:/usr/obj/usr/src/tmp/usr/sbin:/usr/obj/usr/src/tmp/usr/bin:/usr/obj/usr/src/tmp/usr/games:/tmp/install.iA4Zk47v make -f Makefile.inc1 reinstall
> make: Permission denied
> *** Error code 126

What are your mount options on /tmp? They wouldn't include noexec, would they? If so:

    mount -u -o exec /tmp

-p
Re: PCI and PCIX Fiber SCSI host adapters (HBAs) [was: EMCsq/SAN]
Danny Braniss wrote on freebsd-hackers:

> Any experience with EMCsq./SAN? I know FreeBSD is not on their list, but was wondering if it works even without the 'qualified' stamp. If not, then is there some recommendation for any other SAN?

I'm following up in -questions with a question of my own; point me to the best place (-scsi or -stable?) and I'll happily repost my question in a more suitable venue.

The related question I have been meaning to ask is which Fiber HBAs are people using with success on 4-STABLE? (And have there been any notable additions to 5-CUR for that matter?)

We love the JNIs on our Solaris boxes, but when I talked to Qlogic they stated the semi-reasonable "we will support the hardware, but we don't do anything with the driver and do not provide any support to FreeBSD" response. That aside, from looking at the isp(4) man page, it looks like Qlogic hardware has fairly complete drivers.

So, what Fiber SCSI HBAs are people using out there? We'll have both PCI and PCIX, mostly Dell 2550/2650/etc. Any recommendations?

Thanks,
Philip
Re: Need help with strange routing situation
Donald Burr of Borg wrote:

> [Description of:]
> Our gateway machine and server gets its own IP, IP A. My desktop machine is hooked up via ethernet. It should get IP B. Same thing as above for my roomie's desktop, except it gets IP C.
> [all else]
> Ideally I'd like them to be NAT'ted behind IP A

Not really that strange a routing situation, and definitely pretty easy; here's one possible way:

    # KERNCONF, make sure you have:
    options IPFILTER          #ipfilter support

    # rc.conf settings:
    ipfilter_enable="YES"     # Set to YES to enable ipfilter functionality
    ipnat_enable="YES"        # Set to YES to enable ipnat functionality

    # ipnat.rules example [change $variables to match your numbers]:
    bimap $ext_eth $IP_B_INT/32 -> $IP_B/32      # your desktop
    bimap $ext_eth $IP_C_INT/32 -> $IP_C/32      # roomie's desktop
    map $ext_eth $INT_NET/16 -> 0/32 proxy port ftp ftp/tcp
    map $ext_eth $INT_NET/16 -> 0/32 portmap tcp/udp auto
    map $ext_eth $INT_NET/16 -> 0/32

    # ipf.rules incomplete example [many $variables to change]:
    ### Put whatever default 'quick' blocks you want, RFC1918, anti-spoofing, etc.
    ### Hopefully your ISP has sane edge rules and would block them, but
    ### definitely put RFC1918 blocks in here too, to keep your private-address
    ### space from ever leaking out to your provider or the Internet.
    block out log quick on $ext_eth from 192.168.0.0/16 to any
    ### etc...

    ### Then default to blocking:
    block in log on $ext_eth
    block return-rst in on $ext_eth proto tcp from any to any
    block return-icmp-as-dest(port-unr) in on $ext_eth proto udp from any to any
    block return-icmp-as-dest in on $ext_eth proto icmp from any to any

    ### Allow out everything and keep state on it:
    pass out quick on $ext_eth proto tcp from $EXT_NET/28 to any flags S keep state
    pass out quick on $ext_eth proto udp from $EXT_NET/28 to any keep state
    pass out quick on $ext_eth proto icmp from $EXT_NET/28 to any keep state

    # Allow state-capable ICMP in, add/etc as needed:
    pass in quick on $ext_eth proto icmp from any to any icmp-type echo keep state

    ### Allow services for desktop B
    pass in quick on $ext_eth proto tcp from any to $IP_B port = 22 flags S keep state
    pass in quick on $ext_eth proto tcp from any to $IP_B port = $YOUR_PROTOCOLS flags S keep state
    ### Ditto for C
    ...
    ### Put some rules to allow local-net to talk to the gateway and vice versa
    ...

There's a lot more examples to be found in:

    /usr/share/examples/ipfilter
    http://coombs.anu.edu.au/~avalon/
    http://www.phildev.net/ipf/
    http://www.obfuscation.org/ipf/

Once you get into it and begin working on your own rules to meet your needs, tcpdump is your best friend; don't forget -i to be sure what is being sent and received on each interface so you can compare it with the firewall and NAT rules. Just use typical problem-solving methods: slowly building it up from one working system to the whole set is the way to go, changing as few variables at a time as you can.

-p