awstats for a single directory

2005-09-08 Thread Redmond Militante
hello

i was previously using webalizer to analyze my apache log files.  i was able to 
generate webalizer reports for a single directory using webalizer's IgnoreURL 
directive.

is it possible to get awstats to do the same thing - generate a report for an 
individual directory i.e., http://www.myserver.com/just_this_directory/ ?  i 
wasn't able to find any documentation related to this.

any advice appreciated.

redmond

-- 
Redmond Militante
Software Engineer / Medill School of Journalism
FreeBSD 5.4-STABLE #0: Wed Sep 7 15:00:27 CDT 2005 i386
12:15PM  up  1:54, 1 user, load averages: 0.24, 0.27, 0.22




error installing graphics/ImageMagick from ports

2005-07-05 Thread Redmond Militante
 but not used
coders/jp2.c:153: warning: `IsJPC' defined but not used
coders/jp2.c:272: warning: `ReadJP2Image' defined but not used
gmake[1]: *** [coders/magick_libMagick_la-jp2.lo] Error 1
gmake[1]: Leaving directory 
`/usr/ports/graphics/ImageMagick/work/ImageMagick-6.2.2'
gmake: *** [all] Error 2
*** Error code 2

Stop in /usr/ports/graphics/ImageMagick.



-- 
Redmond Militante
Software Engineer / Medill School of Journalism
FreeBSD 5.2.1-RELEASE-p14 #0: Fri Jun 10 16:46:59 CDT 2005 i386
 5:30AM  up 21 days, 18:08, 4 users, load averages: 0.00, 0.00, 0.00




Re: error installing graphics/ImageMagick from ports

2005-07-05 Thread Redmond Militante
 definition has no type or storage class
 coders/jp2.c:599: syntax error before `for'
 coders/jp2.c:86: warning: `WriteJP2Image' declared `static' but never defined
 coders/jp2.c:117: warning: `IsJP2' defined but not used
 coders/jp2.c:153: warning: `IsJPC' defined but not used
 coders/jp2.c:272: warning: `ReadJP2Image' defined but not used
 gmake[1]: *** [coders/magick_libMagick_la-jp2.lo] Error 1
 gmake[1]: Leaving directory 
 `/usr/ports/graphics/ImageMagick/work/ImageMagick-6.2.2'
 gmake: *** [all] Error 2
 *** Error code 2
 
 Stop in /usr/ports/graphics/ImageMagick.
 
 
 
 -- 
 Redmond Militante
 Software Engineer / Medill School of Journalism
 FreeBSD 5.2.1-RELEASE-p14 #0: Fri Jun 10 16:46:59 CDT 2005 i386
  5:30AM  up 21 days, 18:08, 4 users, load averages: 0.00, 0.00, 0.00



-- 
Redmond Militante
Software Engineer / Medill School of Journalism
FreeBSD 5.2.1-RELEASE-p14 #0: Fri Jun 10 16:46:59 CDT 2005 i386
 3:30PM  up 22 days,  4:08, 5 users, load averages: 0.00, 0.00, 0.00




Re: error installing openssh-portable

2005-04-12 Thread Redmond Militante
hi

i'm bumping this, still having this problem.  upgrading to 4.11 did not fix 
it...


 please if anyone has any ideas...
 
 
  Don't top-post, please.
  
  Redmond Militante [EMAIL PROTECTED] writes:
  
   is /usr/ports/cryptlib the port you're referring to?
  
  No, I'm talking about the crypto distribution in the base system.  I
  don't remember when it was folded into the main distribution, but for
  a long time it was separate because of concerns about export
  regulations and patent issues.
  
   i've also read that make -DWITHOUT_KERBEROS=yes would also work, but it 
   didn't in my case.
   
   
   
   [Tue, Mar 29, 2005 at 09:14:07AM -0500]
   This one time, at band camp, Lowell Gilbert said:
   
Redmond Militante [EMAIL PROTECTED] writes:

 hi all
 
 i get this installing the openssh-portable port on a 4.8-RELEASE 
 machine
 
 ===  Building for openssh-portable-3.9.0.1,1
 if test ! -z ; then  /usr/bin/perl5 ./fixprogs ssh_prng_cmds ;  fi
 (cd openbsd-compat  make)
 cc -o ssh ssh.o readconf.o clientloop.o sshtty.o  sshconnect.o 
 sshconnect1.o sshconnect2.o -L. -Lopenbsd-compat/ -L/usr/lib  
 -rpath=/usr/lib:/usr/local/lib -L/usr/local/lib -lssh 
 -lopenbsd-compat -lcrypto -lutil -lz -lcrypt -lkrb5 -lcrypto 
 -lcom_err -lasn1 -lroken
 /usr/lib/libkrb5.so: undefined reference to `des_is_weak_key'
 /usr/lib/libkrb5.so: undefined reference to `des_pcbc_encrypt'
 /usr/lib/libkrb5.so: undefined reference to `des_cfb64_encrypt'
 /usr/lib/libkrb5.so: undefined reference to `des_cbc_encrypt'
 /usr/lib/libkrb5.so: undefined reference to `des_set_odd_parity'
 /usr/lib/libkrb5.so: undefined reference to `des_read_pw_string'
 /usr/lib/libkrb5.so: undefined reference to `des_set_key'
 /usr/lib/libkrb5.so: undefined reference to `des_ede3_cbc_encrypt'
 /usr/lib/libkrb5.so: undefined reference to `des_cbc_cksum'
 *** Error code 1
 
 Stop in /usr/ports/security/openssh-portable/work/openssh-3.9p1.
 *** Error code 1
 
 Stop in /usr/ports/security/openssh-portable.
 
 
 any ideas on how to fix?  cvsup'ing ports didn't work.

I seem to recall DES being optional back when; you'll need to install
it to get this linking.  It should be in the crypto library.

Or maybe my memory is just off...
   
   -- 
   Redmond Militante
   Software Engineer / Medill School of Journalism
   FreeBSD 5.2.1-RELEASE-p13 #0: Mon Mar 28 17:07:51 CST 2005 i386
   11:15AM  up 45 mins, 2 users, load averages: 0.00, 0.02, 0.05
   
   
  
  -- 
  Lowell Gilbert, embedded/networking software engineer, Boston area
  http://be-well.ilk.org/~lowell/
 
 -- 
 Redmond Militante
 Software Engineer / Medill School of Journalism
 FreeBSD 5.2.1-RELEASE-p13 #0: Mon Mar 28 17:07:51 CST 2005 i386
 12:00PM  up 2 days,  1:30, 1 user, load averages: 0.41, 0.16, 0.05



-- 
Redmond Militante
Software Engineer / Medill School of Journalism
FreeBSD 5.2.1-RELEASE-p13 #0: Mon Mar 28 17:07:51 CST 2005 i386
 2:00PM  up 4 days, 29 mins, 4 users, load averages: 0.07, 0.11, 0.20




Re: error installing openssh-portable

2005-03-31 Thread Redmond Militante
please if anyone has any ideas...


 Don't top-post, please.
 
 Redmond Militante [EMAIL PROTECTED] writes:
 
  is /usr/ports/cryptlib the port you're referring to?
 
 No, I'm talking about the crypto distribution in the base system.  I
 don't remember when it was folded into the main distribution, but for
 a long time it was separate because of concerns about export
 regulations and patent issues.
 
  i've also read that make -DWITHOUT_KERBEROS=yes would also work, but it 
  didn't in my case.
  
  
  
  [Tue, Mar 29, 2005 at 09:14:07AM -0500]
  This one time, at band camp, Lowell Gilbert said:
  
   Redmond Militante [EMAIL PROTECTED] writes:
   
hi all

i get this installing the openssh-portable port on a 4.8-RELEASE machine

===  Building for openssh-portable-3.9.0.1,1
if test ! -z ; then  /usr/bin/perl5 ./fixprogs ssh_prng_cmds ;  fi
(cd openbsd-compat  make)
cc -o ssh ssh.o readconf.o clientloop.o sshtty.o  sshconnect.o 
sshconnect1.o sshconnect2.o -L. -Lopenbsd-compat/ -L/usr/lib  
-rpath=/usr/lib:/usr/local/lib -L/usr/local/lib -lssh -lopenbsd-compat 
-lcrypto -lutil -lz -lcrypt -lkrb5 -lcrypto -lcom_err -lasn1 -lroken
/usr/lib/libkrb5.so: undefined reference to `des_is_weak_key'
/usr/lib/libkrb5.so: undefined reference to `des_pcbc_encrypt'
/usr/lib/libkrb5.so: undefined reference to `des_cfb64_encrypt'
/usr/lib/libkrb5.so: undefined reference to `des_cbc_encrypt'
/usr/lib/libkrb5.so: undefined reference to `des_set_odd_parity'
/usr/lib/libkrb5.so: undefined reference to `des_read_pw_string'
/usr/lib/libkrb5.so: undefined reference to `des_set_key'
/usr/lib/libkrb5.so: undefined reference to `des_ede3_cbc_encrypt'
/usr/lib/libkrb5.so: undefined reference to `des_cbc_cksum'
*** Error code 1

Stop in /usr/ports/security/openssh-portable/work/openssh-3.9p1.
*** Error code 1

Stop in /usr/ports/security/openssh-portable.


any ideas on how to fix?  cvsup'ing ports didn't work.
   
   I seem to recall DES being optional back when; you'll need to install
   it to get this linking.  It should be in the crypto library.
   
   Or maybe my memory is just off...
  
  -- 
  Redmond Militante
  Software Engineer / Medill School of Journalism
  FreeBSD 5.2.1-RELEASE-p13 #0: Mon Mar 28 17:07:51 CST 2005 i386
  11:15AM  up 45 mins, 2 users, load averages: 0.00, 0.02, 0.05
  
  
 
 -- 
 Lowell Gilbert, embedded/networking software engineer, Boston area
   http://be-well.ilk.org/~lowell/

-- 
Redmond Militante
Software Engineer / Medill School of Journalism
FreeBSD 5.2.1-RELEASE-p13 #0: Mon Mar 28 17:07:51 CST 2005 i386
12:00PM  up 2 days,  1:30, 1 user, load averages: 0.41, 0.16, 0.05




Re: error installing openssh-portable

2005-03-29 Thread Redmond Militante
hi

is /usr/ports/cryptlib the port you're referring to?

i've also read that make -DWITHOUT_KERBEROS=yes would also work, but it didn't 
in my case.



[Tue, Mar 29, 2005 at 09:14:07AM -0500]
This one time, at band camp, Lowell Gilbert said:

 Redmond Militante [EMAIL PROTECTED] writes:
 
  hi all
  
  i get this installing the openssh-portable port on a 4.8-RELEASE machine
  
  ===  Building for openssh-portable-3.9.0.1,1
  if test ! -z ; then  /usr/bin/perl5 ./fixprogs ssh_prng_cmds ;  fi
  (cd openbsd-compat  make)
  cc -o ssh ssh.o readconf.o clientloop.o sshtty.o  sshconnect.o 
  sshconnect1.o sshconnect2.o -L. -Lopenbsd-compat/ -L/usr/lib  
  -rpath=/usr/lib:/usr/local/lib -L/usr/local/lib -lssh -lopenbsd-compat 
  -lcrypto -lutil -lz -lcrypt -lkrb5 -lcrypto -lcom_err -lasn1 -lroken
  /usr/lib/libkrb5.so: undefined reference to `des_is_weak_key'
  /usr/lib/libkrb5.so: undefined reference to `des_pcbc_encrypt'
  /usr/lib/libkrb5.so: undefined reference to `des_cfb64_encrypt'
  /usr/lib/libkrb5.so: undefined reference to `des_cbc_encrypt'
  /usr/lib/libkrb5.so: undefined reference to `des_set_odd_parity'
  /usr/lib/libkrb5.so: undefined reference to `des_read_pw_string'
  /usr/lib/libkrb5.so: undefined reference to `des_set_key'
  /usr/lib/libkrb5.so: undefined reference to `des_ede3_cbc_encrypt'
  /usr/lib/libkrb5.so: undefined reference to `des_cbc_cksum'
  *** Error code 1
  
  Stop in /usr/ports/security/openssh-portable/work/openssh-3.9p1.
  *** Error code 1
  
  Stop in /usr/ports/security/openssh-portable.
  
  
  any ideas on how to fix?  cvsup'ing ports didn't work.
 
 I seem to recall DES being optional back when; you'll need to install
 it to get this linking.  It should be in the crypto library.
 
 Or maybe my memory is just off...

-- 
Redmond Militante
Software Engineer / Medill School of Journalism
FreeBSD 5.2.1-RELEASE-p13 #0: Mon Mar 28 17:07:51 CST 2005 i386
11:15AM  up 45 mins, 2 users, load averages: 0.00, 0.02, 0.05




error installing openssh-portable

2005-03-28 Thread Redmond Militante
hi all

i get this installing the openssh-portable port on a 4.8-RELEASE machine

===  Building for openssh-portable-3.9.0.1,1
if test ! -z ; then  /usr/bin/perl5 ./fixprogs ssh_prng_cmds ;  fi
(cd openbsd-compat  make)
cc -o ssh ssh.o readconf.o clientloop.o sshtty.o  sshconnect.o sshconnect1.o 
sshconnect2.o -L. -Lopenbsd-compat/ -L/usr/lib  -rpath=/usr/lib:/usr/local/lib 
-L/usr/local/lib -lssh -lopenbsd-compat -lcrypto -lutil -lz -lcrypt -lkrb5 
-lcrypto -lcom_err -lasn1 -lroken
/usr/lib/libkrb5.so: undefined reference to `des_is_weak_key'
/usr/lib/libkrb5.so: undefined reference to `des_pcbc_encrypt'
/usr/lib/libkrb5.so: undefined reference to `des_cfb64_encrypt'
/usr/lib/libkrb5.so: undefined reference to `des_cbc_encrypt'
/usr/lib/libkrb5.so: undefined reference to `des_set_odd_parity'
/usr/lib/libkrb5.so: undefined reference to `des_read_pw_string'
/usr/lib/libkrb5.so: undefined reference to `des_set_key'
/usr/lib/libkrb5.so: undefined reference to `des_ede3_cbc_encrypt'
/usr/lib/libkrb5.so: undefined reference to `des_cbc_cksum'
*** Error code 1

Stop in /usr/ports/security/openssh-portable/work/openssh-3.9p1.
*** Error code 1

Stop in /usr/ports/security/openssh-portable.


any ideas on how to fix?  cvsup'ing ports didn't work.

thanks
redmond




-- 
Redmond Militante
Software Engineer / Medill School of Journalism
FreeBSD 5.2.1-RELEASE-p10 #0: Wed Sep 29 17:17:49 CDT 2004 i386
 2:00PM  up  1:32, 1 user, load averages: 0.35, 0.16, 0.09




maxtor one touch usb 2.0 drive

2005-02-24 Thread Redmond Militante
hello

i have a 250 maxtor one touch usb 2/1.1 external hard drive, i'm trying to get 
it to work with my rel_end 5.21 box.
i have 

device scbus
device da
device pass
device uhci
device ohci
device usb
device umass

in my kernel.  i'm trying to fdisk the drive to partition it right now, but 
when i plug it in, it's not showing up in dmesg (no umass or da0 device appears 
in dmesg).  

am i missing a step or is this device even incompatible?  

thanks



-- 
Redmond Militante
Software Engineer / Medill School of Journalism
FreeBSD 5.2.1-RELEASE-p10 #0: Wed Sep 29 17:17:49 CDT 2004 i386
12:45AM  up 3 days, 10:45, 2 users, load averages: 0.58, 0.94, 0.96




Re: httpd in /tmp - Sound advice sought

2005-02-09 Thread Redmond Militante



-- 
Redmond Militante
Software Engineer / Medill School of Journalism
FreeBSD 5.2.1-RELEASE-p10 #0: Wed Sep 29 17:17:49 CDT 2004 i386
 1:30PM  up 1 day,  1:21, 2 users, load averages: 0.00, 0.04, 0.19




Re: httpd in /tmp - Sound advice sought

2005-02-09 Thread Redmond Militante
[Tue, Feb 08, 2005 at 01:43:36PM -0600]
This one time, at band camp, Bret Walker said:

 I do read it, but not every day (weekends, especially).


i use logcheck to mail me the messages log every 15 mins
 
 Do you have a way for suspicious activity to be reported to you?


logcheck, and portsentry as well
 
 Also, I'm tarring /usr and am going to run a diff on it compared to a
 clean install.

 Bret
 
 -Original Message-
 From: Redmond Militante [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, February 08, 2005 1:45 PM
 To: Bret Walker
 Subject: Re: httpd in /tmp - Sound advice sought
 
 
 hi
 
 [Tue, Feb 08, 2005 at 10:46:19AM -0600]
 This one time, at band camp, Bret Walker said:
 
  Redmond-
  
  Here is the response I got from the list.
  
  I also found another file - shellbind.c - it's essentially this - 
  http://www.derkeiler.com/Mailing-Lists/Securiteam/2002-06/0073.html
  (although phpBB has never been installed).
  
  I had register_globals on in PHP for a month+ because a reservation 
  system I was using required them.  I now know better.  We also had php 
  errors set to display for a while as bugs were being worked out.
  
  The owner of this file is www, so it was put in /tmp by the apache 
  daemon. I messed the file up trying to tar it, so I can't get a good 
  md5. Register globals and php file uploads are both off now.  I don't 
  think the system was compromised because anything written to /tmp 
  (which is the temp dir php defaults to) could not be executed.
  
  Do you think we're safe to continue as is?
 
 
 this person is telling you that slapper is nothing to worry about because
 it's a linux only virus - but if you didn't put httpd in /tmp then you
 should be worried about this situation.
 
 this is probably your call what you want to do.
  
  Also, I would like to talk with you about what preventative measures 
  you take with herald.  I know you run tripwire, but what else do you 
  do on a regular basis?
 
 
 one thing i do is i read /var/log/messages every day.  do you do that?
 
  
  Bret
  
  
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Mark A. 
  Garcia
  Sent: Tuesday, February 08, 2005 9:57 AM
  To: Bret Walker
  Cc: freebsd-questions@freebsd.org
  Subject: Re: httpd in /tmp - Sound advice sought
  
  
  Bret Walker wrote:
  
  Last night, I ran chkrootkit and it gave me a warning about being 
  infected with Slapper.  Slapper exploits vulnerabilities in OpenSSL 
  up to version 0.96d or older on Linux systems.  I have only run 
  0.97d. The file that set chkrootkit off was httpd which was located 
  in /tmp. /tmp is always mounted rw, noexec.
  
  I update my packages (which are installed via ports) any time there 
  is a security update.  I'm running Apache 1.3.33/PHP 4.3.10/mod_ssl 
  2.8.22/OpenSSL 0.97d on 4.10.  Register_globals was on in PHP for a 
  couple of weeks, but the only code that required it to be on was in a 
  .htaccess/SSL password protected directory.
  
  Tripwire didn't show anything that I noted as odd.  I reexamined the 
  tripwire logs, which are e-mailed to an account off of the machine 
  immediately after completion, and I don't see anything odd for the 
  3/4 days before or after the date on the file. (I don't scan /tmp)
  
  I stupidly deleted the httpd file from /tmp, which was smaller than 
  the actual apache httpd.  And I don't back up /tmp.
  
  The only info I can find regarding this file being in /tmp pertains 
  to Slapper.  Could something have copied a file there?  Could I have 
  done it by mistake at some point - the server's been up ~60 days, 
  plenty of time for me to forget something?
  
  This is production box that I very much want to keep up, so I'm 
  seeking some sound advice.
  
  Does this box need to be rebuilt?  How could a file get written to 
  /tmp, and is it an issue since it couldn't be executed?  I run 
  tripwire nightly, and haven't seen anything odd to the best of my 
  recollection. I also check ipfstat -t frequently to see if any odd 
  connections are happening.
  
  I appreciate any sound advice on this matter.
  
  Thanks,
  Bret
  
  
  Slapper is a linux only virus.  You shouldn't have to worry about it 
  doing harm on your freebsd machine.  Seeing as the binary was in your 
  tmp directory on your system, and that you might have not placed it 
  there, this could be a good reason for a host of other things to look 
  into.  The httpd binary with 96d= ssl is not a virus itself, just a 
  means to carry out the exploit.  The slapper virus is a bunch of 
  c-code that is put in your tmp directory and the exploit allows one to 
  compile, chmod, and execute the code, leaving open a backdoor.
  
  chrootkit does scan for the comparable scalper virus which is a 
  freebsd cousin to the slapper (in that they attempt to exploit the 
  machine via the apache conduit.)
  
  I would think real hard, if you did put the httpd binary in there.  If 
  you

Re: httpd in /tmp - Sound advice sought

2005-02-09 Thread Redmond Militante
ok

[Tue, Feb 08, 2005 at 02:40:19PM -0600]
This one time, at band camp, Bret Walker said:

 Thanks.
 Could you send me your conf file for portsentry so I can see how you do
 it?
 Bret
 
 -Original Message-
 From: Redmond Militante [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, February 08, 2005 2:21 PM
 To: Bret Walker
 Subject: Re: httpd in /tmp - Sound advice sought
 
 
 [Tue, Feb 08, 2005 at 01:43:36PM -0600]
 This one time, at band camp, Bret Walker said:
 
  I do read it, but not every day (weekends, especially).
 
 
 i use logcheck to mail me the messages log every 15 mins
 
  Do you have a way for suspicious activity to be reported to you?
 
 
 logcheck, and portsentry as well
 
  Also, I'm tarring /usr and am going to run a diff on it compared to a
  clean install.
 
  Bret
 
  -Original Message-
  From: Redmond Militante [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, February 08, 2005 1:45 PM
  To: Bret Walker
  Subject: Re: httpd in /tmp - Sound advice sought
 
 
  hi
 
  [Tue, Feb 08, 2005 at 10:46:19AM -0600]
  This one time, at band camp, Bret Walker said:
 
   Redmond-
  
   Here is the response I got from the list.
  
   I also found another file - shellbind.c - it's essentially this -
   http://www.derkeiler.com/Mailing-Lists/Securiteam/2002-06/0073.html
   (although phpBB has never been installed).
  
   I had register_globals on in PHP for a month+ because a reservation
   system I was using required them.  I now know better.  We also had php
 
   errors set to display for a while as bugs were being worked out.
  
   The owner of this file is www, so it was put in /tmp by the apache
   daemon. I messed the file up trying to tar it, so I can't get a good
   md5. Register globals and php file uploads are both off now.  I don't
   think the system was compromised because anything written to /tmp
   (which is the temp dir php defaults to) could not be executed.
  
   Do you think we're safe to continue as is?
  
 
  this person is telling you that slapper is nothing to worry about
  because it's a linux only virus - but if you didn't put httpd in /tmp
  then you should be worried about this situation.
 
  this is probably your call what you want to do.
 
   Also, I would like to talk with you about what preventative measures
   you take with herald.  I know you run tripwire, but what else do you
   do on a regular basis?
  
 
  one thing i do is i read /var/log/messages every day.  do you do that?
 
 
   Bret
  
  
  
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of Mark A.
   Garcia
   Sent: Tuesday, February 08, 2005 9:57 AM
   To: Bret Walker
   Cc: freebsd-questions@freebsd.org
   Subject: Re: httpd in /tmp - Sound advice sought
  
  
   Bret Walker wrote:
  
   Last night, I ran chkrootkit and it gave me a warning about being
   infected with Slapper.  Slapper exploits vulnerabilities in OpenSSL
   up to version 0.96d or older on Linux systems.  I have only run
   0.97d. The file that set chkrootkit off was httpd which was located
   in /tmp. /tmp is always mounted rw, noexec.
   
   I update my packages (which are installed via ports) any time there
   is a security update.  I'm running Apache 1.3.33/PHP 4.3.10/mod_ssl
   2.8.22/OpenSSL 0.97d on 4.10.  Register_globals was on in PHP for a
   couple of weeks, but the only code that required it to be on was in a
 
   .htaccess/SSL password protected directory.
   
   Tripwire didn't show anything that I noted as odd.  I reexamined
   the
   tripwire logs, which are e-mailed to an account off of the machine
   immediately after completion, and I don't see anything odd for the
   3/4 days before or after the date on the file. (I don't scan /tmp)
   
   I stupidly deleted the httpd file from /tmp, which was smaller than
   the actual apache httpd.  And I don't back up /tmp.
   
   The only info I can find regarding this file being in /tmp pertains
   to Slapper.  Could something have copied a file there?  Could I have
   done it by mistake at some point - the server's been up ~60 days,
   plenty of time for me to forget something?
   
   This is production box that I very much want to keep up, so I'm
   seeking some sound advice.
   
   Does this box need to be rebuilt?  How could a file get written to
   /tmp, and is it an issue since it couldn't be executed?  I run
   tripwire nightly, and haven't seen anything odd to the best of my
   recollection. I also check ipfstat -t frequently to see if any odd
   connections are happening.
   
   I appreciate any sound advice on this matter.
   
   Thanks,
   Bret
   
   
   Slapper is a linux only virus.  You shouldn't have to worry about it
   doing harm on your freebsd machine.  Seeing as the binary was in your
   tmp directory on your system, and that you might have not placed it
   there, this could be a good reason for a host of other things to look
   into.  The httpd binary with 96d= ssl is not a virus itself, just a
   means
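As an added example for the /tmp discussion quoted in the posts above (not code from any participant): a check that lists files under a scratch directory that are ELF images or carry an execute bit, optionally limited to files owned by the httpd user, and reports whether the directory is mounted noexec. The user name www comes from the thread; the argument handling and the reliance on mount(8) output are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread: look for binaries a web server process
# could have written to a scratch directory such as /tmp. Assumptions: the
# directory is $1, an optional owner (e.g. www) is $2, and mount(8) lists
# mount options in parentheses ("on /tmp (ufs, local, noexec, ...)" on FreeBSD,
# "on /tmp type ext4 (rw,noexec)" on Linux).

# Succeeds when the file starts with the ELF magic 7f 45 4c 46, i.e. it is a
# native executable even when the mount is noexec and no x bit is set.
is_elf() {
    [ "$(head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# Succeeds when $1 is a mount point that mount(8) lists with the noexec option.
mount_is_noexec() {
    mount 2>/dev/null | grep " on $1 " | grep -q 'noexec'
}

# Print regular files under $1 that are ELF images or have any execute bit set.
# An optional $2 restricts the scan to files owned by that user. Output is one
# path per line, sorted and de-duplicated, so it can be diffed against the
# previous run (noexec stops direct execution, but a write to /tmp by the
# httpd user is still the indicator the thread is concerned with).
find_dropped_binaries() {
    if [ -n "${2:-}" ]; then
        set -- "$1" -user "$2"
    else
        set -- "$1"
    fi
    {
        # files with an execute bit for user, group or other (octal, portable)
        find "$@" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -print
        # files that are ELF images regardless of their mode bits
        find "$@" -type f -print |
        while IFS= read -r f; do
            is_elf "$f" && printf '%s\n' "$f"
        done
    } 2>/dev/null | sort -u
}

# Usage: sh check_tmp.sh /tmp www
# Sourcing the file with no arguments only defines the functions.
if [ $# -ge 1 ]; then
    if mount_is_noexec "$1"; then
        echo "$1: mounted noexec"
    else
        echo "$1: NOT mounted noexec" >&2
    fi
    find_dropped_binaries "$1" "${2:-}"
fi
```

Files flagged as ELF with no execute bit are the case noexec does not cover: they can still be copied or loaded elsewhere, so compare each against a known-good binary (size and checksum) rather than deleting it, as the thread's poster regretted doing.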

trouble with rsync script - large tar files

2004-11-12 Thread Redmond Militante
hi

i have a 'push' type rsync script, which pushes out tar backup files to a 
backup repository machine that looks like

/usr/local/bin/rsync -e ssh -avz --delete --stats 
/usr/home/user/backupserver*tar.gz server2:/mnt/drive2/serverdailybackup/

this script rsyncs over ssh, over a short distance w t1 connections at both 
ends and works fine.

i have a 'pull' type rsync script which pulls tar backups from the backup 
repository machine that looks like

/usr/local/bin/rsync -e ssh -avz --delete --stats 
server2:/mnt/drive2/serverdailybackup/backupserverusrlocal.tar.gz
/mnt/drive2/serverbackup/

this script rsyncs over ssh, over a long distance - the two machines are not in 
the same building, geographically like 10 miles apart. this script is pulling 
some large tar files, some 1-2 gig in size. it has yet to finish pulling tar 
files off the repository. it usually cuts off before it completes - i get:

'read from remote host host.ip.address.com: connection reset by peer rsync: 
connection unexpectedly closed...'

any advice on how to modify either the ssh setup on either host, or the script 
itself, so that rsync through the second script would be stable enough to 
allow the rsync operation to finish completely?

in the second script, we're doing a 'pull' rsync operation from host a (on 
cable modem), to host b (t1). in the first script, we're doing a 'push' rsync 
operation from host c (t1) to host b (t1).


thanks for any advice.

-- 
Redmond Militante
Software Engineer / Medill School of Journalism
FreeBSD 5.2.1-RELEASE-p10 #0: Wed Sep 29 17:17:49 CDT 2004 i386
 9:45AM  up 21:57, 1 user, load averages: 0.01, 0.18, 0.24


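As an added example (not the poster's script), a wrapper for the 'pull' transfer above that makes each attempt resumable and retries after the connection is reset; the paths are the ones from the message, while the ssh keepalive settings, the rsync timeout and the retry counts are assumptions.

```sh
#!/bin/sh
# Added example (not the poster's script): resumable, retried 'pull' of one
# large tar file over ssh. Assumed values: the ssh keepalive settings, the
# rsync timeout and the retry counts. The paths are from the message above.

SRC='server2:/mnt/drive2/serverdailybackup/backupserverusrlocal.tar.gz'
DST='/mnt/drive2/serverbackup/'
RETRY_MAX=${RETRY_MAX:-6}        # attempts before giving up
RETRY_SLEEP=${RETRY_SLEEP:-120}  # seconds to wait between attempts

# Run "$@" until it exits 0. Returns 0 on success and 1 once RETRY_MAX
# attempts have failed, so cron or a caller can tell a finished transfer
# from a dead link.
retry() {
    n=1
    while ! "$@"; do
        if [ "$n" -ge "$RETRY_MAX" ]; then
            echo "giving up after $n attempts: $*" >&2
            return 1
        fi
        n=$((n + 1))
        sleep "$RETRY_SLEEP"
    done
    return 0
}

# One transfer attempt.
#   --partial       keep a half-copied file so the next attempt resumes it
#                   instead of restarting a 1-2 GB transfer from zero
#   --timeout=300   let rsync fail (exit 30) on a stalled socket instead of
#                   hanging forever
#   ServerAlive*    have the ssh client probe the peer every 30 s and drop the
#                   session after 3 missed replies, so a reset link is noticed
#                   promptly and handed back to retry()
rsync_pull() {
    /usr/local/bin/rsync -e 'ssh -o ServerAliveInterval=30 -o ServerAliveCountMax=3' \
        -avz --partial --timeout=300 --delete --stats "$SRC" "$DST"
}

# Only start a transfer when invoked as "sh pull.sh run"; sourcing the file
# just defines the functions.
if [ "${1:-}" = "run" ]; then
    retry rsync_pull
fi
```

If the resets are caused by an idle cable-modem NAT rather than the link itself, the ServerAliveInterval keepalives alone may be enough; the retry loop covers the remaining cases.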


limit login attempts with pam

2004-07-27 Thread Redmond Militante
hello

i'm interested in configuring PAM on my 4x system so that a user is locked out or 
ignored if trying to log in unsuccessfully via ftp within the space of a minute or so. 
i'm trying to eliminate brute force attacks...


can anyone point me towards some good tutorials on how to do this?

thanks
redmond
-- 
Redmond Militante
Software Engineer / Medill School of Journalism
FreeBSD 5.2.1-RELEASE-p9 #0: Thu Jul 1 14:36:26 CDT 2004 i386
10:15AM  up 10 days, 16:19, 3 users, load averages: 0.08, 0.09, 0.08




Stop in /usr/ports/x11-toolkits/tk84/work/tk8.4.6/unix.

2004-05-05 Thread Redmond Militante
hi

i'm getting another error attempting to reinstall kde on my machine.  the errors are 
related to x11-toolkits/tk84

sample...
/usr/ports/x11-toolkits/tk84/work/tk8.4.6/generic/tk3d.h:97: error: syntax error 
before void
/usr/ports/x11-toolkits/tk84/work/tk8.4.6/generic/tk3d.c:23: error: syntax error 
before char
/usr/ports/x11-toolkits/tk84/work/tk8.4.6/generic/tk3d.c:31: error: syntax error 
before _ANSI_ARGS_
/usr/ports/x11-toolkits/tk84/work/tk8.4.6/generic/tk3d.c:32: error: syntax error 
before _ANSI_ARGS_
/usr/ports/x11-toolkits/tk84/work/tk8.4.6/generic/tk3d.c:34: error: syntax error 
before _ANSI_ARGS_
/usr/ports/x11-toolkits/tk84/work/tk8.4.6/generic/tk3d.c:35: error: syntax error 
before _ANSI_ARGS_
/usr/ports/x11-toolkits/tk84/work/tk8.4.6/generic/tk3d.c:37: error: syntax error 
before _ANSI_ARGS_
/usr/ports/x11-toolkits/tk84/work/tk8.4.6/generic/tk3d.c:38: error: syntax error 
before _ANSI_ARGS_
/usr/ports/x11-toolkits/tk84/work/tk8.4.6/generic/tk3d.c:50: warning: initialization 
makes integer from pointer without a cast
/usr/ports/x11-toolkits/tk84/work/tk8.4.6/generic/tk3d.c:51: error: 
`FreeBorderObjProc' undeclared here (not in a function)
/usr/ports/x11-toolkits/tk84/work/tk8.4.6/generic/tk3d.c:51: warning: excess elements 
in scalar initializer
/usr/ports/x11-toolkits/tk84/work/tk8.4.6/generic/tk3d.c:51: warning: (near 
initialization for `tkBorderObjType')
/usr/ports/x11-toolkits/tk84/work/tk8.4.6/generic/tk3d.c:52: error: `DupBorderObjProc' 
undeclared here (not in a function)
/usr/ports/x11-toolkits/tk84/work/tk8.4.6/generic/tk3d.c:52: warning: excess elements 
in scalar initializer
/usr/ports/x11-toolkits/tk84/work/tk8.4.6/generic/tk3d.c:52: warning: (near 
initialization for `tkBorderObjType')
/usr/ports/x11-toolkits/tk84/work/tk8.4.6/generic/tk3d.c:53: warning: excess elements 
in scalar initializer
/usr/ports/x11-toolkits/tk84/work/tk8.4.6/generic/tk3d.c:53: warning: (near 
initialization for `tkBorderObjType')
/usr/ports/x11-toolkits/tk84/work/tk8.4.6/generic/tk3d.c:55: warning: excess elements 
in scalar initializer
/usr/ports/x11-toolkits/tk84/work/tk8.4.6/generic/tk3d.c:55: warning: (near 
initialization for `tkBorderObjType')
/usr/ports/x11-toolkits/tk84/work/tk8.4.6/generic/tk3d.c:55: warning: data definition 
has no type or storage class
/usr/ports/x11-toolkits/tk84/work/tk8.4.6/generic/tk3d.c:83: error: syntax error 
before Tcl_Interp
/usr/ports/x11-toolkits/tk84/work/tk8.4.6/generic/tk3d.c:85: error: syntax error 
before '*' token
/usr/ports/x11-toolkits/tk84/work/tk8.4.6/generic/tk3d.c:85: warning: data definition 
has no type or storage class
/usr/ports/x11-toolkits/tk84/work/tk8.4.6/generic/tk3d.c:87: error: syntax error 
before '{' token
*** Error code 1

Stop in /usr/ports/x11-toolkits/tk84/work/tk8.4.6/unix.
*** Error code 1

Stop in /usr/ports/x11-toolkits/tk84.
*** Error code 1

Stop in /usr/ports/x11-toolkits/tk84.


has anyone seen this?  fresh install of freebsd5.2.1, ports tree is cvsupp'd, 
portupgrade -rf gettext, portupgrade -rf textproc/expat2.

i've been trying to compile kde on this box for a couple of days now, and i keep 
hitting these random errors...

any advice appreciated
thanks
redmond
-- 
Redmond Militante
Software Engineer / Medill School of Journalism
FreeBSD 5.2.1-RELEASE-p5 #0: Fri Apr 16 06:34:06 CDT 2004 i386
 5:30AM  up 2 days,  7:09, 5 users, load averages: 0.00, 0.00, 0.00




libgthread error building arts

2004-05-04 Thread Redmond Militante
hi

i'm having trouble building kde3 on a freshly installed box.  the ports tree has been 
cvsupp'ed, i've portupgraded -rf gettext, and portupgraded -rf textproc/expat2.

the kde3 install errors out while installing arts.  the error i get is

/usr/local/lib/libgthread-2.0.so: undefined reference to 'pthread_attr_destroy'
/usr/local/lib/libgthread-2.0.so: undefined reference to 'pthread_create'
/usr/local/lib/libgthread-2.0.so: undefined reference to 'pthread_attr_init'
...
gmake[2] *** [mcopid1] Error 1
gmake[2] Leaving directory '/usr/ports/audio/arts/work/arts-1.2.2/mcopid1'
gmake[1] *** [all-recursive] Error 1
gmake[1] Leaving directory '/usr/ports/audio/arts/work/arts-1.2.2/'
gmake[1] *** [all] Error 2
*** Error code 2

i've tried to google this one.  all i could find were references to people having the 
same sort of problem while installing other apps, but no solution.  anyone know what's 
going on?

thanks
redmond 


-- 
Redmond Militante
Software Engineer / Medill School of Journalism
FreeBSD 5.2.1-RELEASE-p5 #0: Fri Apr 16 06:34:06 CDT 2004 i386
11:00AM  up 1 day, 12:39, 6 users, load averages: 0.41, 0.09, 0.03




PERC3 SCSI RAID firmware upgrade dell poweredge 1650

2004-02-16 Thread Redmond Militante
hi all

does anyone on the list have any production dell poweredge 1650 servers?

we have several.  we recently got a memo from our dell reps that there is a firmware 
upgrade to the PERC3 dual channel SCSI raid cards.  this firmware upgrade is 
supposedly a preventative measure - apparently, dell has had some experience with the 
cards not being able to recover after one of the raid controllers goes down, they 
explained to me on the phone that this firmware upgrade is pretty much mandatory.

of course, since our boxen are running freebsd 4.6-4.9-RELENG, the dell rep who came 
over to our server room to run the firmware upgrade would not touch them.  he left a 
disk for me to do this myself - apparently, the firmware upgrade involves booting 
to a cdrom which applies the firmware for you, rebooting, then hitting control-m to 
get into the perc3 management console, running a consistency check (could take an hour 
or so), then rebooting into the o/s.  they informed me that i would not have to 
upgrade the kernel or download patches for freebsd's native scsi raid drivers for this 
card.

has anyone applied the firmware upgrade to their own dells?  seems relatively 
straightforward, but thought i'd check with the list before taking down machines that 
have been running flawlessly for almost a year to apply something which may be 
arbitrary...

thanks
redmond


-- 
FreeBSD 5.2-RELEASE-p2 FreeBSD 5.2-RELEASE-p2 #0: Wed Feb 11 13:58:31 CST 2004
 6:00PM  up 5 days,  3:26, 4 users, load averages: 0.21, 0.18, 0.29
 
Conceit causes more conversation than wit.
-- LaRouchefoucauld
 




sharity-light/winxp issues

2003-12-16 Thread Redmond Militante
hi all
i almost have sharity-light working well enough to be able to map a windows share to 
my freebsd5.1 box.

the two machines are: 
1. Freebsd 5.1-RELEASE, DHCP but i'm using dyndns.org to map the address of 
'machine1.gotdns.org' to this machine, ipfilter enabled
2. Windows Xp pro, DHCP but i'm using dyndns.org to map the address of 
'machine2.gotdns.org' to this machine, windows xp built in firewall turned on

i'm able to successfully map a windows share on the winxp machine using

as root:
shlight //24.24.24.24/files /mnt/win -U username -P password

in order to do this i had to disable the built in windows firewall on the winxp box. 
is there a way to do this without having to disable the built in windows firewall 
entirely? or is there a way to set up a stateful connection from a specific ip address 
using the windows built in firewall? (i doubt it)

also - if you notice, i've had to use the 24.24.24.24 ip address in my line above. i 
have to use the ip address, and to put the following line in my /etc/hosts to get this 
working

24.24.24.24 machine2.gotdns.org machine2

i'd really like to use 'machine2' or 'machine2.gotdns.org' in my sharity-light command, 
but it doesn't seem to like it (says either machine name doesn't exist or is too 
long). this kind of defeats the purpose of using dyndns.org for dhcp mapping to a 
hostname. is there any way around this, so i don't have to edit my /etc/hosts every 
time my ip address changes?

any comments welcome...


-- 
FreeBSD 5.1-RELEASE-p10 FreeBSD 5.1-RELEASE-p10 #0: Fri Oct 3 21:30:51 CDT 2003
12:00PM  up 22 days,  9:12, 5 users, load averages: 0.01, 0.09, 0.19
 
Oh, I don't blame Congress.  If I had $600 billion at my disposal, I'd
be irresponsible, too.
-- Lichty  Wagner
 




php4-cli install with mod_php4

2003-12-08 Thread Redmond Militante
hi all

i'd like to run a php file as a cron job on my apache box.  in order to do this, i'm 
trying to install /usr/ports/lang/php4-cli.

i cd to the dir, make install clean, set php compile options, etc.  it errors out like 
this:

--snip--

# make install
===>  Installing for php4-cli-4.3.4_2
===>  php4-cli-4.3.4_2 conflicts with installed package(s):
  mod_php4-4.3.4_2,1

  They install files into the same place.
  Please remove them first with pkg_delete(1).
*** Error code 1

Stop in /usr/ports/lang/php4-cli.
*** Error code 1

Stop in /usr/ports/lang/php4-cli.
--snip--

what's the best way to get php4-cli installed on a box with mod_php4?  any suggestions 
would be appreciated

thanks
redmond





-- 
FreeBSD 5.1-RELEASE-p10 FreeBSD 5.1-RELEASE-p10 #0: Fri Oct 3 21:30:51 CDT 2003
12:30PM  up 14 days,  9:42, 5 users, load averages: 0.00, 0.05, 0.09
 
Bare feet magnetize sharp metal objects so they point upward from the
floor -- especially in the dark.
 




apache/auth_ldap authentication to win2k active directory

2003-10-14 Thread Redmond Militante
hi all

i've been given the task of setting up ldap authentication against a windows 2000 
active directory from a webpage served up by our apache box.

the documentation that exists for this is sparse.  so far, i've: 
installed auth_ldap as an apache module
recompiled php4 for openldap support
recompiled apache for modssl support

i've been going through the examples listed on http://www.rudedog.org/auth_ldap/ 
(auth_ldap homepage) - but the examples listed on this page are mainly for iPlanet, no 
examples are given for windows active directory authentication, just some notes on the 
subject...

ideally, i'd like to have a webpage/pages protected by .htaccess that authenticates 
against my win2k pdc.  i've tried the following in my httpd.conf file

#<Directory /usr/local/www/data-dist/ldap>
#Options Indexes FollowSymLinks
#AllowOverride None
#Order allow,deny
#Allow from all
#AuthLDAPEnabled on
#AuthLDAPAuthoritative on
#AuthName "Secure Access"
#AuthType Basic
#AuthLDAPBindDN CN=users,DC=my.domaincontroller.edu,DC=edu
#AuthLDAPBindPassword MyP4sswurd
#AuthLDAPUrl ldap://my.domaincontroller.edu:389/DC=my.domaincontroller.edu,DC=edu?sAMAccountName?sub?(objectClass=*)
#require valid-user
#</Directory>

(these have been commented out, but it wasn't working when i tried it, i didn't even 
get a login prompt)

i'm kind of unsure if my syntax above is ok, whether or not i've compiled in the right 
modules/options, whether i should be putting the above directives directly into my 
httpd.conf file, or whether i should put these into an .htaccess file, etc.

anyone have any experience with auth_ldap/apache authentication to a win2k active 
directory? any pointers or recommendations would be welcome.  

thanks
redmond

-- 
FreeBSD 5.1-RELEASE-p10 FreeBSD 5.1-RELEASE-p10 #0: Fri Oct 3 21:30:51 CDT 2003
 9:30AM  up  1:11, 4 users, load averages: 0.03, 0.01, 0.05
 
Death is Nature's way of recycling human beings.
 



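As an added example (not from the original post, and not auth_ldap's own documentation), this is the shape of a directory block that binds against a Windows 2000 domain with the auth_ldap directives used above. Everything specific is an assumption: the domain example.edu, the domain controller dc1.example.edu, and a low-privilege service account named apache-ldap in the default Users container. Two things differ from the block in the post: the bind DN names a real user object rather than the CN=Users container, and the filter is (objectClass=user).

```apache
# Added example (not from the original post or from auth_ldap itself).
# Assumed: domain example.edu, domain controller dc1.example.edu, and a
# low-privilege service account "apache-ldap" in the default Users container.
<Directory /usr/local/www/data-dist/ldap>
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all

    # Basic auth sends the password base64-encoded, i.e. effectively in the
    # clear, so only answer for this tree over mod_ssl.
    SSLRequireSSL

    AuthType Basic
    AuthName "Secure Access"
    AuthLDAPEnabled on
    AuthLDAPAuthoritative on

    # Active Directory does not allow anonymous searches, so a bind is
    # required. The bind DN must name a user object; CN=Users on its own is
    # the container, not an account.
    AuthLDAPBindDN "CN=apache-ldap,CN=Users,DC=example,DC=edu"
    AuthLDAPBindPassword "change-me"

    # ldap://host:port/base?attribute?scope?filter
    # Search the whole domain for a user object whose sAMAccountName equals
    # the login name. If the search comes back with referrals (AD does that
    # for a sub search of the domain root), use the global catalog port 3268.
    AuthLDAPURL "ldap://dc1.example.edu:389/DC=example,DC=edu?sAMAccountName?sub?(objectClass=user)"

    require valid-user
</Directory>
```

Before restarting Apache, check the bind and the search with OpenLDAP's client, using the same DN, base and filter: `ldapsearch -x -H ldap://dc1.example.edu -D "CN=apache-ldap,CN=Users,DC=example,DC=edu" -W -b "DC=example,DC=edu" "(&(objectClass=user)(sAMAccountName=redmond))" dn`. If that returns the user's DN, Apache should get a login prompt and a successful bind; if it fails, the problem is the DN, the password or the filter, not the module. Two caveats: the bind password sits in httpd.conf in the clear, so keep this block in a separate file readable only by root and pull it in with Include (Apache reads its configuration before dropping privileges), and ldap:// on 389 carries the bind password and every user's password to the domain controller unencrypted, so use ldaps:// where the DC has a certificate and auth_ldap was built with SSL support, and otherwise keep that link on a segment you trust. With AllowOverride None the directives have to live in httpd.conf; moving them to .htaccess would need AllowOverride AuthConfig and would put the bind password inside the web tree.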

weird ftp-related logcheck msgs

2003-10-10 Thread Redmond Militante
hi all

the last couple of days, i've noticed strange security notifications sent to the root 
user of one of my boxen.  this box is running proftpd as an ftp server.  the messages 
appear whenever somebody authenticates via ftp.  most often, it's me ftp'ing to the 
machine, so it's probably not someone doing something malicious (just in case, i ran 
chkrootkit and yafic, which turn up clean...)

the messages look like

Oct 10 11:27:06 server proftpd[45750]: server.com (my.box.com[129.xxx.xx.xx]) - PAM(secure): Permission denied.
Oct 10 11:17:25 server sendmail[45703]: h9AGHPbK045703: h9AGHPbL045703: DSN: To:... List:; syntax illegal for recipient addresses
Oct 10 11:17:41 server sendmail[45708]: h9AGHfPB045708: h9AGHfPC045708: DSN: To:... List:; syntax illegal for recipient addresses
Oct 10 11:18:43 server sendmail[45715]: h9AGIhBK045715: h9AGIhBL045715: DSN: To:... List:; syntax illegal for recipient addresses
Oct 10 11:19:13 server sendmail[45720]: h9AGJDEV045720: h9AGJDEW045720: DSN: To:... List:; syntax illegal for recipient addresses
Oct 10 11:19:29 server sendmail[45725]: h9AGJTMA045725: h9AGJTMB045725: DSN: To:... List:; syntax illegal for recipient addresses
Oct 10 11:19:56 server sendmail[45730]: h9AGJuBg045730: h9AGJuBh045730: DSN: To:... List:; syntax illegal for recipient addresses


i'm not sure what to make of these messages.  ftp still seems to work (fyi - i 
upgraded to the latest version of proftpd today - 1.2.8 stable, didn't fix the 
situation though), my server is 

FreeBSD server.com 4.7-RELEASE-p23 FreeBSD 4.7-RELEASE-p23 #0: Fri Oct  3 21:37:09 CDT 
2003

if anyone can shed some light, i'd really appreciate it...

thanks again

redmond

-- 
FreeBSD 5.1-RELEASE-p10 FreeBSD 5.1-RELEASE-p10 #0: Fri Oct 3 21:30:51 CDT 2003
11:45AM  up 5 days,  2:01, 2 users, load averages: 0.82, 0.51, 0.48
 
Oh, wow!  Look at the moon!
 




rsync/mirroring permissions problem

2003-10-06 Thread Redmond Militante
hi all

i'm trying to do a 'push' rsync operation to mirror the contents of my website's root 
directory on one machine over to a remote machine.  rsync is installed on both 
machines.  the command i'm using to rsync is

rsync -e ssh -avz --exclude /phpSysInfo --exclude /webalizer --exclude 
/phpMyAdmin --delete --stats /usr/local/www/data-dist/ 
remote.machine.com=:/usr/local/www/data-dist/ 

this works, for the most part. the majority of files on the remote directory are 
sync'ed correctly after the operation.  the problem is - this website's root directory 
is owned by one user - webuser, who is a member of group - webuser.  various 
subdirectories inside of the website's root folder are owned by other users, who are 
also members of the 'webuser' group.  the files/folders in the website's root directory 
are chmod'ed 775.

this causes problems with the rsync operation, as i'm rsync'ing as webuser:webuser.  i 
get errors during the rsync process such as

failed to set permissions on studentwork/winter03old/war/images : Operation not 
permitted

again, the majority of files sync correctly.  but can anyone recommend a good way 
around this?  i'm not able at this point to limit the website's root directory to only 
one user account...

thanks
redmond

-- 
FreeBSD 5.1-RELEASE-p10 FreeBSD 5.1-RELEASE-p10 #0: Fri Oct 3 21:30:51 CDT 2003
 8:30AM  up 22:46, 1 user, load averages: 1.69, 1.61, 1.47
 
Ever notice that even the busiest people are never too busy to tell you
just how busy they are.
 




var partition is too small

2003-10-03 Thread Redmond Militante
hi all

the var partition on my apache box may be too small.
this is a problem because - 
i originally had newsyslog set at

/var/log/httpd-access.log   644  7 100  24B /var/run/httpd.pid 30

which sets httpd-access.log to be rotated in binary format every time it reaches 100 mb 
or once every hour for 24 hours.
which basically means we only archive less than a day's worth of httpd-access.log's on 
this machine...


the /var partition on this machine is 252 mb.

yesterday i was asked to start archiving httpd-access.logs for analysis over 
longer periods of time - that i should be keeping a year's worth of logs, if possible. 
 i remember the original reason i set up newsyslog.conf to rotate httpd-access.logs on 
this machine so frequently is because the webserver is really busy, and this file 
tends to grow pretty rapidly, and i didn't want to have to log in, stop apache, and 
archive the logs by hand every day...

yesterday i looked into expanding the size of my /var partition by symlinking.

-drop to single user mode
-stop syslogd
-mv /var to /usr/var
-umount /var
-delete /var directory
-create symlink from /usr/var to /var

it seems easy, and i did it successfully once, but i hosed a (non)production box 
yesterday practicing the above procedure.

i have a number of questions:
-if i copy the contents of /var to /usr/var, then delete the var directory, do i need 
to modify my fstab?

my fstab right now looks like

/dev/aacd0s1g   /usr    ufs     rw      2       2
/dev/aacd0s1e   /var    ufs     rw      2       2

-do i need to modify this so that /var now points to a directory inside /usr? and how?
-i'm thinking that this may be too risky a procedure to try on a production box (i 
guess i'm spooked from ruining the practice box...) - anyone think i should just 
archive these logs by hand to someplace in my home directory (/usr is very large on 
this box - 65 gb - and hardly used)?  my goal is basically to keep an archive of 
httpd-access.logs for as long as possible to produce a comprehensive webalizer 
report...

thanks again

redmond






-- 
FreeBSD 5.1-RELEASE-p5 FreeBSD 5.1-RELEASE-p5 #0: Wed Sep 24 09:12:23 CDT 2003
 8:30AM  up 1 day, 17:54, 2 users, load averages: 0.61, 0.58, 0.55
 
Ken Thompson has an automobile which he helped design.  Unlike most
automobiles, it has neither speedometer, nor gas gauge, nor any of the
numerous idiot lights which plague the modern driver.  Rather, if the
driver makes any mistake, a giant ? lights up in the center of the
dashboard.  The experienced driver, he says, will usually know
what's wrong.
 




Re: var partition is too small

2003-10-03 Thread Redmond Militante
hi

a cron job that moves httpd-access.logs to an archive directory sounds like a fine 
idea - is it safe, though to move these logs while apache and syslogd are running?  or 
would the cron job need to stop those apps first, move the logs, then restart 
apache/syslogd?

thanks

redmond

[Fri, Oct 03, 2003 at 02:27:00PM +]
This one time, at band camp, Jens Rehsack said:

 Redmond Militante wrote:
 hi all
 
 the var partition on my apache box may be too small.
 this is a problem because - 
 i originally had newsyslog set at
 
 /var/log/httpd-access.log   644  7 100  24B 
 /var/run/httpd.pid 30
 
 which sets httpd-access.log to be rotated in binary format every time it 
 reaches 100 mb or once every hour for 24 hours.
 which basically means we only archive less than a day's worth of 
 httpd-access.log's on this machine...
 
 
 the /var partition on this machine is 252 mb.
 
 Looks like sysinstalls defaults.
 Maybe this should be fixed some fine day :-)
 
 yesterday i was asked to start archiving httpd-access.logs for 
 analysis over longer periods of time - that i should be keeping a year's 
 worth of logs, if possible.  i remember the original reason i set up 
 newsyslog.conf to rotate httpd-access.logs on this machine so frequently 
 is because the webserver is really busy, and this file tends to grow 
 pretty rapidly, and i didn't want to have to log in, stop apache, and 
 archive the logs by hand every day...
 
 yesterday i looked into expanding the size of my /var partition by 
 symlinking.
 
 -drop to single user mode
 -stop syslogd
 -mv /var to /usr/var
 -umount /var
 -delete /var directory
 -create symlink from /usr/var to /var
 
 That's really bad, because this means that there will be permanent
 write accesses to your /usr label.
 
 A better way could be a cron job which moves the old http-logs
 once a day into a place in /usr, eg. /usr/save-logs.
 
 it seems easy, and i did it successfully once, but i hosed a 
 (non)production box yesterday practicing the above procedure.
 
 i have a number of questions:
 -if i copy the contents of /var to /usr/var, then delete the var 
 directory, do i need to modify my fstab?
 
 If you've done it as described, that would be better.
 But I think you should re-think about the procedure.
 
 my fstab right now looks like
 
 /dev/aacd0s1g   /usr    ufs     rw      2       2
 /dev/aacd0s1e   /var    ufs     rw      2       2
 
 -do i need to modify this so that /var now points to a directory inside 
 /usr? and how?
 -i'm thinking that this may be too risky a procedure to try on a 
 production box (i guess i'm spooked from ruining the practice box...) - 
 anyone think i should just archive these logs by hand to someplace in my 
 home directory (/usr is very large on this box - 65 gb - and hardly used)? 
 my goal is basically to keep an archive of httpd-access.logs for as long 
 as possible to produce a comprehensive webalizer report...
 
 thanks again
 
 redmond
 
 Best,
 Jens
 

-- 
FreeBSD 5.1-RELEASE-p5 FreeBSD 5.1-RELEASE-p5 #0: Wed Sep 24 09:12:23 CDT 2003
 9:30AM  up 1 day, 18:54, 2 users, load averages: 0.07, 0.17, 0.18
 
Rules for Academic Deans:
(1)  HIDE
(2)  If they find you, LIE
-- Father Damian C. Fandal
 




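The cron job Jens suggests, as an added example that is not part of the original thread. It only moves the archives newsyslog has already rotated (httpd-access.log.0, .1 and so on, or .N.gz if the Z flag is added) and never the live file. That is why it is safe while Apache runs: by the time those files exist, newsyslog has already sent Apache signal 30 (SIGUSR1 on FreeBSD, a graceful restart), Apache is writing to the fresh httpd-access.log, and nothing holds the rotated files open. syslogd does not need stopping either, because Apache writes this log itself. The log path and the /usr/save-logs destination are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. Moves the archives newsyslog
# has already rotated (httpd-access.log.0, .1, ... or .N.gz with the Z flag)
# out of /var into a bigger filesystem. The live log is never touched.
# Paths are assumptions.

# archive_rotated_logs LOG_PATH DEST_DIR
#   e.g. archive_rotated_logs /var/log/httpd-access.log /usr/save-logs
# prints the number of files moved; returns non-zero on the first failure
archive_rotated_logs() {
    log=$1
    dest=$2
    stamp=$(date +%Y%m%d-%H%M%S)
    moved=0
    # access logs carry client addresses and query strings: keep them 0750
    mkdir -p "$dest" && chmod 750 "$dest" || return 1
    for f in "$log".[0-9]*; do
        [ -f "$f" ] || continue                  # no rotated files yet
        suffix=${f#"$log".}                      # "0", "1", "2.gz", ...
        target="$dest/$(basename "$log").$stamp.$suffix"
        if [ -e "$target" ]; then
            echo "refusing to overwrite $target" >&2
            return 1
        fi
        # mv across filesystems copies then unlinks; still safe, since
        # nobody is writing to a rotated file
        mv "$f" "$target" || return 1
        moved=$((moved + 1))
    done
    echo "$moved"
}
```

The stock /etc/crontab runs newsyslog at minute 0 of every hour, so a line such as `30 * * * * root /usr/local/sbin/archive-httpd-logs` (assumed script name) in /etc/crontab picks up both the size-triggered and the time-triggered rotations half an hour later, and the count field in newsyslog.conf only has to cover the files that accumulate between two runs of the cron job.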
Re: var partition is too small

2003-10-03 Thread Redmond Militante
hello

i have a practice box set up, i've been trying to resize /var by symlinking it to 
/usr/var

in theory this is simple - my methodology is

drop to single user mode
fsck -p
mount -u /
mount -a -t ufs
swapon -a
adjkerntz -i
mkdir /usr/var
cd /var
cp -R * /usr/var
cd ../
mv /var /var-old
ln -s /usr/var
comment out the var line in fstab
reboot


-this works, except the permissions in the var directory are lost.  dmesg shows that 
/var/spool/clientmqueue needs to be owned by smmsp:smmsp and be chmod 770.  i get 
around this by going to one of my backups, unzipping the var directory, and trying the 
above procedure again, only this time mv'ing the /var contents i extracted from backup 
into /usr/var

this seems to work ok - no errors in dmesg - however, i was using the machine, and i 
opened up mutt - mutt complained about /var/tmp's permissions not being set right.

so - it looks like i may run the risk of losing the correct permissions on some 
files/directories in var if i decide to try symlinking to give my var partition more 
space...

is there anything i'm missing?  i'd really like this to go seamlessly...

thanks again
redmond




[Fri, Oct 03, 2003 at 11:32:30AM -0400]
This one time, at band camp, Robert Huff said:

 
 Redmond Militante writes:
 
   which sets httpd-access.log to be rotated in binary format
   everytime it reaches 100 mb or once every hour for 24 hours.
 
   the /var partition on this machine is 252 mb.
 
   In my opinion, if you acknowledge the real possibility of
  having a 100mb file (never mind 100 users' mailboxes) there then
 /var is _way_ too small.   I would have 500mb, and do 1gb if I could
 afford it.
 
 
   Robert Huff
 
 




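An added example, not part of the original thread, for the step where the permissions get lost. `cp -R *` copies neither modes nor ownership and skips dotfiles, which is exactly how /var/tmp and /var/spool/clientmqueue end up with the wrong bits. A tar pipe with p on the extracting side keeps modes, and keeps uid/gid as well when run as root (in single-user mode, as the post describes). The second function lists every entry whose mode string differs between the two trees, so the copy can be checked before /etc/fstab is touched. The paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. Copy a tree with modes
# (and, as root, ownership) intact, then verify the modes of both trees.
# Paths are assumptions.

# copy_tree_preserving SRC DST
copy_tree_preserving() {
    src=$1
    dst=$2
    mkdir -p "$dst" || return 1
    # "." rather than "*": dotfiles and dot-directories come along too
    (cd "$src" && tar cf - .) | (cd "$dst" && tar xpf -)
}

# tree_modes DIR: one "<mode> <relative path>" line per entry, sorted
tree_modes() {
    (cd "$1" && find . -print | sort | while IFS= read -r p; do
        # first 10 characters only: drop the ACL/extended-attribute marker
        printf '%s %s\n' "$(ls -ld "$p" | cut -c1-10)" "$p"
    done)
}

# compare_tree_modes SRC DST: exit 0 if every entry has the same mode string,
# otherwise print the differing lines and exit 1
compare_tree_modes() {
    a=$(mktemp) || return 1
    b=$(mktemp) || return 1
    tree_modes "$1" >"$a"
    tree_modes "$2" >"$b"
    if cmp -s "$a" "$b"; then
        rc=0
    else
        diff "$a" "$b" || :
        rc=1
    fi
    rm -f "$a" "$b"
    return $rc
}
```

On FreeBSD the same check, including ownership, is what mtree(8) is for: `mtree -c -p /var -k type,uid,gid,mode > /tmp/var.spec` before the copy and `mtree -p /usr/var -f /tmp/var.spec` afterwards prints every entry that differs. `cp -Rp` also preserves modes and ownership, and dump/restore is the usual way to move a whole filesystem; the point is that the plain `cp -R` in the procedure above is the step that loses the bits.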
WARNING unreserved major device number...

2003-10-01 Thread Redmond Militante
hi all

i have a couple of errors when i run dmesg

...
IP Filter: already initialized
WARNING: driver rtc used unreserved major device number 202
WARNING: driver vmmon used unreserved major device number 200
/dev/vmmon: Module vmmon: registered with major=200 minor=0 tag=$Name: build-570 $
/dev/vmmon: Module vmmon: initialized

i just noticed these and don't know when it started.  anything to worry about?

my setup info is in my sig.

thanks
redmond

-- 
FreeBSD 5.1-RELEASE-p5 FreeBSD 5.1-RELEASE-p5 #0: Wed Sep 24 09:12:23 CDT 2003
 1:45PM  up 9 mins, 1 user, load averages: 0.72, 0.42, 0.21
 
Spelling is a lossed art.
 




ipfilter vs. firewall appliance

2003-09-05 Thread Redmond Militante
hi

i have an ipfilter/ipnat box, that i'm using to protect an apache webserver.
the machine is 4.7-RELEASE-p3 FreeBSD 4.7-RELEASE-p3 #1: Mon Aug 11 18:27:06 CDT
2003.  the machine is a dell optiplex gx260 Intel(R) Pentium(R) 4 CPU 2.40GHz
512 mb of ram.  it's been doing a fine job.

i'd like to get extra nics for this machine and stick additional servers, such as our 
win2k domain controllers, and a mysql box, possibly more, behind the firewall/nat.  

i wanted to ask - for a firewall/nat that would potentially be protecting multiple 
production machines, is ipfilter's performance comparable to production firewall 
appliances and software such as netscreen and symantec firewall?

i'm the only unix person where i work, and sometimes it's hard to get projects green 
lighted when a) i'm the only one on staff who knows the technology and b) it probably 
seems hard to believe to windows admins that a little pentium3 box with 2 nic cards 
and hand written firewall rules can do the same thing as an appliance that some 
companies are charging tens of thousands of dollars for.

i'd like to be able to present a case to my employers - that the ipfilter/ipnat box 
that i set up would be able to provide the performance of commercial firewall 
solutions, and was wondering if anyone knows of any benchmarks/reviews/etc. that i can 
cite.

any comments welcome

thanks as always
redmond

-- 
FreeBSD 5.1-RELEASE-p2 FreeBSD 5.1-RELEASE-p2 #0: Thu Aug 28 12:42:04 CDT 2003
 2:45PM  up 8 days,  1:42, 1 user, load averages: 0.73, 0.23, 0.13
 
You should, without hesitation, pound your typewriter into a
plowshare, your paper into fertilizer, and enter agriculture.
-- Business Professor, University of Georgia
 




need advice: core dumps during buildworld

2003-09-01 Thread Redmond Militante
hi all

i am having trouble trying to cvsup a 5_1-RELEASE machine

i'm at the 'cd /usr/src/ make buildworld' stage. i can't run 'make buildworld'
successfully on this machine. i'm able to on my other 5_1-RELEASE machine
(although it's different hardware...). the buildworld seems to fail at
different points randomly. for ex., the most current kernel core dump/error i
get when trying to complete this operation is

Illegal instruction(core dumped)
Error code 132

stop in /usr/src/usr.bin/objformat
***Error code 1
stop in /usr/src/usr.bin.
***Error code 1...

Aug 28 12:30:39 host kernel : pid 61508 (make), uid 0: exited on signal 4 (core dumped)

my hardware:

dell optiplex gx250 p4 2.4 ghz
500 mhz ram

FreeBSD 5.1-RELEASE-p2 #1

-i was advised that problems like these most often are a result of bad ram. i ran 
memtest on this machine, it found no errors. i ran dell hardware diagnostics on this 
machine, also found no errors. i pull each stick of ram separately - the buildworld 
problem reappeared no matter which stick of ram is in the machine, or which ram slot 
on the motherboard it's plugged into.

one thing to note is that, before i wiped this machine and reinstalled 5_1, this 
machine cvsupped flawlessly for a year as a 4x-RELEASE machine, with the same ram.

i'm hoping that there's something else i can try before wiping/reinstalling 5_1. i'm 
not even sure if reinstalling will fix the problem. 

if anyone has any words of advice, i'd appreciate it

thanks
-- 
FreeBSD 5.1-RELEASE-p2 FreeBSD 5.1-RELEASE-p2 #0: Thu Aug 28 12:42:04 CDT 2003
 6:55PM  up 3 days,  5:53, 3 users, load averages: 0.81, 0.54, 0.33
 
Individualists unite!
 




[r-militante@northwestern.edu: Re: need advice: core dumps during buildworld]

2003-09-01 Thread Redmond Militante
- Forwarded message from Redmond Militante [EMAIL PROTECTED] -

Date: Mon, 1 Sep 2003 09:22:52 -0500
From: Redmond Militante [EMAIL PROTECTED]
To: Jonathan Chen [EMAIL PROTECTED]
Subject: Re: need advice: core dumps during buildworld
Reply-To: Redmond Militante [EMAIL PROTECTED]
In-Reply-To: [EMAIL PROTECTED]
User-Agent: Mutt/1.4.1i
X-Sender: [EMAIL PROTECTED]
X-URL: http://darkpossum.medill.northwestern.edu/modules.php?name=Content&pa=showpage&pid=1
X-DSA-and-ElGamal-Fingerprint: 2AA2 E78E A6FC 9144 3534 39A2 EE0F 8D26 5FDF 481D

hi

thanks for responding!

my make.conf seems ok to me, is there something i should change?

CFLAGS= -O -pipe
COPTFLAGS= -O -pipe
NOPROFILE= true
USA_RESIDENT= YES
# -- use.perl generated deltas -- #
# Created: Wed Aug  6 16:28:04 2003
# Setting to use base perl from ports:
PERL_VER=5.6.1
PERL_VERSION=5.6.1
PERL_ARCH=mach
NOPERL=yo
NO_PERL=yo
NO_PERL_WRAPPER=yo


thanks
redmond


[Mon, Sep 01, 2003 at 03:37:21PM +1200]
This one time, at band camp, Jonathan Chen said:

 On Sun, Aug 31, 2003 at 06:56:16PM -0500, Redmond Militante wrote:
  hi all
  
  i am having trouble trying to cvsup a 5_1-RELEASE machine
  
  i'm at the 'cd /usr/src/ make buildworld' stage. i can't run 'make buildworld'
  successfully on this machine. i'm able to on my other 5_1-RELEASE machine
  (although it's different hardware...). the buildworld seems to fail at
  different points randomly. for ex., the most current kernel core dump/error i
  get when trying to complete this operation is
  
  Illegal instruction(core dumped)
  Error code 132
 
 Check your make.conf flags. You're very likely using some odd CPU
 specific flags.
 -- 
 Jonathan Chen [EMAIL PROTECTED]
 --
 The human mind ordinarily operates at only ten percent of its capacity
  -- the rest is overhead for the operating system.
 

-- 
FreeBSD 5.1-RELEASE-p2 FreeBSD 5.1-RELEASE-p2 #0: Thu Aug 28 12:42:04 CDT 2003
 9:15AM  up 3 days, 20:12, 1 user, load averages: 0.28, 0.53, 0.49
 
University, n.:
Like a software house, except the software's free, and it's
usable, and it works, and if it breaks they'll quickly tell you how to
fix it, and ...
 



- End forwarded message -





ipfilter/natd for windows domain controllers

2003-08-29 Thread Redmond Militante
hi

i have an ipfilter/ipnat box, that i'm using to protect an apache webserver.
the machine is 4.7-RELEASE-p3 FreeBSD 4.7-RELEASE-p3 #1: Mon Aug 11 18:27:06 CDT 2003. 
 the machine is a dell optiplex gx260 Intel(R) Pentium(R) 4 CPU 2.40GHz 512 mb of ram. 
 it's been doing a fine job.

my boss asked me today whether he could stick his two windows 2000 domain controllers 
behind the ipf/ipnat box.  the domain controllers are pretty busy.  they get about 
4000-5000 authentication requests on a typical day.  while i was at it, i was thinking 
of putting my mysql server behind the firewall.

my question is - do i need to upgrade my hardware?  or is my setup sufficient to 
handle the 3 extra machines?

thanks
redmond


-- 
FreeBSD 5.1-RELEASE-p2 FreeBSD 5.1-RELEASE-p2 #0: Thu Aug 28 12:42:04 CDT 2003
 9:00AM  up 19:57, 2 users, load averages: 0.08, 0.15, 0.26
 
'I generally avoid temptation unless I can't resist it.
-- Mae West
 




kernel core dump during make buildworld

2003-08-28 Thread Redmond Militante
hi all

i am trying to cvsup a 5_1-RELEASE machine

i'm at the 'cd /usr/src/ make buildworld' stage.  i can't run 'make buildworld' 
successfully on this machine.  i'm able to on my other 5_1-RELEASE machine (although 
it's different hardware...).  the buildworld seems to fail at different points 
randomly.  for ex., the most current kernel core dump/error i get when trying to 
complete this operation is

Illegal instruction(core dumped)
Error code 132

stop in /usr/src/usr.bin/objformat
***Error code 1
stop in /usr/src/usr.bin.
***Error code 1...

Aug 28 12:30:39 host kernel : pid 61508 (make), uid 0: exited on signal 4 (core dumped)

any advice would be appreciated.  my hardware:

dell optiplex gx250 p4 2.4 ghz
500 mhz ram

FreeBSD 5.1-RELEASE-p2 #1

thanks
redmond

-- 
FreeBSD 5.1-RELEASE-p2 FreeBSD 5.1-RELEASE-p2 #0: Mon Aug 11 13:00:11 CDT 2003
12:15PM  up 14 days, 11:59, 4 users, load averages: 0.00, 0.00, 0.00
 
It's a very *__UN*lucky week in which to be took dead.
-- Churchy La Femme
 




changed root alias/unusual system events

2003-08-20 Thread Redmond Militante
hi all

i have a general question, probably no big deal.  a while ago, i edited /etc/aliases 
and did 'newaliases', so that root's email account now points to one of my email 
accounts - i have logcheck set up as a cron job every fifteen minutes to notify me of 
unusual system events.

ever since this happened, the great majority of emails to root have looked like

--
Subject: my.hostname.com 08/19/03:14.00 system check
X-UIDL: 4%\!![P/!lU=!!4=N!!


Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Aug 19 13:45:01 chronicle sm-mta[28345]: h7JIj1ZT028345: from=[EMAIL PROTECTED], size=1061, class=0, nrcpts=1, msgid=[EMAIL PROTECTED], proto=ESMTP, daemon=Daemon0, relay=localhost [127.0.0.1]
Aug 19 13:45:01 chronicle sm-mta[28346]: h7JIj1ZT028345: [EMAIL PROTECTED], ctladdr=[EMAIL PROTECTED] (0/0), delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=31400, relay=relay.my.mailserver [111.222.333.444], dsn=2.0.0, stat=Sent (Mail accepted)

--

can someone interpret this message for me?  i'm guessing that it's telling me that it 
just forwarded root's mail to my regular email account, which would be normal 
behavior, but i'm not sure...

thanks
redmond


-- 
FreeBSD 5.1-RELEASE-p2 FreeBSD 5.1-RELEASE-p2 #0: Mon Aug 11 13:00:11 CDT 2003
 7:35AM  up 6 days,  7:20, 3 users, load averages: 0.01, 0.20, 0.57
 
An exotic journey in downtown Newark is in your future.
 



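An added example, not part of the original post, that reads the two sendmail lines above the way a person does: the first line (from=, relay=localhost) and the second (to=, stat=Sent) belong to the same message, and the only thing joining them is the queue id (h7JIj1ZT028345), since the pids differ. The script joins them into one record per delivery and then drops the records that are just root's mail being forwarded to its alias, which is the normal behaviour the post suspects; whatever is left is what logcheck should really be showing. The sample lines, hostnames and addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Join sendmail's "from=" and
# "to=" lines by queue id, then filter out the root -> alias forwards.
# Hostnames and addresses below are made up.

# Constructed sample: one root -> alias forward and one external delivery.
SAMPLE_LOG='Aug 19 13:45:01 chronicle sm-mta[28345]: h7JIj1ZT028345: from=<root@chronicle.example.edu>, size=1061, class=0, nrcpts=1, msgid=<200308191845.h7JIj1ZT028345@chronicle.example.edu>, proto=ESMTP, daemon=Daemon0, relay=localhost [127.0.0.1]
Aug 19 13:45:01 chronicle sm-mta[28346]: h7JIj1ZT028345: to=<redmond@example.edu>, ctladdr=<root@chronicle.example.edu> (0/0), delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=31400, relay=relay.example.edu [192.0.2.25], dsn=2.0.0, stat=Sent (Mail accepted)
Aug 19 14:02:17 chronicle sm-mta[28401]: h7JJ2HAb028401: from=<someone@external.example.net>, size=2210, class=0, nrcpts=1, msgid=<abc@external.example.net>, proto=ESMTP, daemon=Daemon0, relay=mx.external.example.net [198.51.100.7]
Aug 19 14:02:17 chronicle sm-mta[28402]: h7JJ2HAb028401: to=<webuser@chronicle.example.edu>, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=32210, dsn=2.0.0, stat=Sent'

# summarize_sendmail: stdin = syslog lines, stdout = "qid sender -> recipient stat"
summarize_sendmail() {
    awk '
    # pull the address out of key=<...>
    function addr(s, key,   re) {
        re = key "=<[^>]*>"
        if (match(s, re))
            return substr(s, RSTART + length(key) + 2, RLENGTH - length(key) - 3)
        return "?"
    }
    # field 6 is the queue id ("h7JIj1ZT028345:"); the pid in field 5 differs
    # between the from= and to= lines, so the queue id is the only join key
    /sm-mta\[[0-9]+\]: [A-Za-z0-9]+: from=</ {
        qid = $6; sub(/:$/, "", qid)
        from[qid] = addr($0, "from")
        next
    }
    /sm-mta\[[0-9]+\]: [A-Za-z0-9]+: to=</ {
        qid = $6; sub(/:$/, "", qid)
        stat = "?"
        if (match($0, /stat=.*$/)) stat = substr($0, RSTART + 5)
        printf "%s %s -> %s %s\n", qid, (qid in from ? from[qid] : "?"), addr($0, "to"), stat
    }'
}

# non_alias_deliveries ALIAS: every record except a successful forward from
# root on this host to ALIAS; this is the part worth a human look
non_alias_deliveries() {
    alias_addr=$1
    summarize_sendmail | awk -v a="$alias_addr" '!($2 ~ /^root@/ && $4 == a && $5 == "Sent")'
}

# usage: printf '%s\n' "$SAMPLE_LOG" | non_alias_deliveries redmond@example.edu
# or, against the real thing: non_alias_deliveries redmond@example.edu < /var/log/maillog
```

Run against /var/log/maillog, the output for the pair quoted in the post is empty, which is the confirmation that the entry is the alias forward and nothing else. The same pattern (match on `from=<root@` plus `stat=Sent`) is what belongs in logcheck's ignore file for this host, so the report stops repeating it every fifteen minutes.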

ip filter: already initialized 5.1-RELEASE

2003-08-14 Thread Redmond Militante
hi all

i'm trying to get ipfilter set up on my new 5.1-RELEASE box.  i think i
have everything configured properly

my kernel config looks like

options IPFILTER
options IPFILTER_LOG
options IPFILTER_DEFAULT_BLOCK

my /etc/rc.conf looks like

ipfilter_enable="YES"
ipfilter_flags=""
ipfilter_rules="/etc/ipfilter.rules"
ipmon_enable="YES"
ipmon_flags="-Dsvn"


does my setup look ok?  or are there additional procedures involved in
setting up ipfilter on 5x?

thanks
redmond




recompile php/upgrade apache

2003-08-14 Thread Redmond Militante
hi all

i have a production server running
freebsd4.8-RELEASE/apache1.3.27-modssl/mod_php4

i would like to recompile php4 for gdlib support.  i'd also like to
upgrade apache to 1.3.28.  i'd like to have minimal downtime if
possible.

i was thinking the easiest way of doing this was to

stop apache
backup httpd.conf and php.ini-dist
portupgrade -rR apache13-modssl
make deinstall /usr/ports/lang/php4, make install clean
/usr/ports/lang/php4 with gdlib support
restart apache

i just wanted to run this past the list in case i'm missing something
above, or if anyone can suggest a more efficient way of accomplishing
this

thanks
redmond




newsyslog.conf syntax 5.1-RELEASE

2003-08-14 Thread Redmond Militante
hi all

i'm getting the following message from the cron daemon on a 5.1-RELEASE box.

newsyslog: malformed at:
/var/log/firewall_logs  600  14*$DO   Z

i've been trying to set up newsyslog so that it archives my firewall logs every night 
at midnight.  can anyone tell me what's wrong with my syntax on this line?

thanks
redmond



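As an added example (not from the original post), the same line in the form newsyslog.conf(5) accepts. The "when" field for midnight is $D0 with a digit zero, not the letter O, and count, size and when are three separate whitespace-separated fields, with "*" in the size field meaning "rotate on time only". Path and retention count are the ones from the post.

```conf
# Added example, not from the original post. The fields are, in order:
# logfilename [owner:group] mode count size when flags [/pid_file] [sig_num]
#
# mode 600: firewall logs are root-only (they show what was blocked and from where)
# count 14: keep fourteen archives
# size  *:  never rotate on size
# when  $D0: every day at 00:00 (digit zero; "$DO" is what newsyslog rejects)
# flags Z:  gzip the archive
/var/log/firewall_logs                  600  14    *     $D0   Z

# No pid file is given, so newsyslog HUPs syslogd after the rename; that is
# what you want here, since ipmon -s hands its lines to syslogd and it is
# syslogd that has to reopen the file.
#
# Check before the next hourly cron run; -n only prints what would be done:
#   newsyslog -nv
```

With the original line, newsyslog reports "malformed" because it cannot split "14*$DO" into the three fields it expects; once the fields are separated and the zero is a digit, `newsyslog -nv` should list the file with the next rotation time instead of an error.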

urgent: how to downgrade php4.3.3rc2

2003-08-14 Thread Redmond Militante
hi

i upgraded mod_php4 via ports on my apache box the other day
i just went to the mod_php4 directory, make deinstall, make clean
install and restarted apache.

i was upgraded to php4.3.3rc2 from 4.3.1.

i need to get the old version back as we make extensive use of pdflib.
pdflib5x is not supported in php4.3.3rc2.  can anyone please tell me how
to downgrade php4.3.3rc2 on this machine?  it's pretty critical.. 

thanks
redmond




cvsup on 5.1-RELEASE

2003-08-11 Thread Redmond Militante
hi all

i had a question about the correct procedure to cvsup your machine on 5.1-RELEASE

at the end of my cvsup routine on 4.8-REL_ENG, i used to:

... 
# cd /dev
# /bin/sh MAKEDEV all
13. Update /stand:
This step is included for completeness. It can be safely omitted.
# cd /usr/src/release/sysinstall
# make clean
# make all install
14. Reboot to multi-user mode:
# reboot

-it seems that MAKEDEV is deprecated for 5x, and there is no 
/usr/src/release/sysinstall folder in 5x.  

what would be the equivalent to these steps in the cvsup process on 5x-RELEASE?  are 
there any other differences involved in cvsup'ing on 5x-RELEASE vs. 4x-RELEASE that 
one should be aware of?

thanks
redmond
 




problems with ipfilter on 5.1-RELEASE

2003-08-09 Thread Redmond Militante
hi all

i'm trying to get ipfilter set up on my new 5.1-RELEASE box. ipfilter
seems to be working fine.  i just have a couple of issues that are
probably not very serious...

one thing is that during network startup at boot, i get the message
IPFilter: already initialized
repeated 4 times.

i think i have everything configured properly

my kernel config looks like

options IPFILTER
options IPFILTER_LOG
options IPFILTER_DEFAULT_BLOCK

my /etc/rc.conf looks like

ipfilter_enable="YES"
ipfilter_flags=""
ipfilter_rules="/etc/ipfilter.rules"
ipmon_enable="YES"
ipmon_flags="-Dsvn"


the other problem i have is that: it now seems that ipmon is logging to
/var/log/messages.  i've set up ipfilter successfully on many freebsd
4x boxes, but this is the first time i've tried to set it up on 5x.

in my /etc/syslog.conf i have

local0.*                                        /var/log/firewall_logs
*.notice;local0.none;authpriv.none;kern.debug;lpr.info;mail.crit;news.err       /var/log/messages

am i missing some things that i should be doing to set up ipfilter on
5x-RELEASE.  on 4x-RELEASE, i've followed the procedures outlined at
schlacter.net to set up ipfilter.  i'm basically following the same
procedures here, with unexpected results.

any advice would be appreciated

thanks
redmond



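An added example, not from either of the two ipfilter posts above, covering the rc.conf and syslog.conf pieces of the setup they describe together with the check that tells you where ipmon's lines are actually going. ipmon(8) documents local0 as its default syslog facility, but that default is fixed at compile time, so rather than assume it, send a test message through each candidate facility with logger(1) and see which log file an ipmon entry shares with it.

```conf
# Added example, not from the original posts. Fragments of /etc/rc.conf and
# /etc/syslog.conf for the setup described above, plus the checks.

# --- /etc/rc.conf ---
ipfilter_enable="YES"
ipfilter_rules="/etc/ipfilter.rules"
ipmon_enable="YES"
ipmon_flags="-Dsn"          # daemon mode, log via syslogd, resolve names

# --- /etc/syslog.conf (selector and action are separated by tabs) ---
local0.*                                                    /var/log/firewall_logs
# keep the firewall facility out of messages; if the check below shows ipmon
# logging under the security facility, add security.none here as well
*.notice;local0.none;authpriv.none;kern.debug;lpr.info;mail.crit;news.err   /var/log/messages

# --- checks, as root, after editing syslog.conf ---
# 1. make syslogd re-read its configuration:
#       kill -HUP $(cat /var/run/syslog.pid)
# 2. send one test line through each facility ipmon might be using:
#       logger -p local0.notice   "ipf routing test local0"
#       logger -p security.notice "ipf routing test security"
#    then grep for "ipf routing test" in /var/log/firewall_logs,
#    /var/log/security and /var/log/messages. The test line that lands in the
#    same file as a fresh ipmon entry names the facility this ipmon build uses.
# 3. confirm the ruleset actually loaded (inbound and outbound):
#       ipfstat -io
```

Whichever facility the test identifies is the one that needs both a dedicated file and a `.none` entry on the /var/log/messages line; without the second part, any `*.notice` selector keeps pulling the firewall lines into messages regardless of the dedicated file.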

arplookup host not on local network

2003-07-05 Thread Redmond Militante

hi all

i rebooted my dual boot (with winxp), dhcp, 4.8-REL_ENG machine today,
and noticed for the first time some strange behavior.

i can boot successfully, but i notice recurring messages in
/var/log/messages, which read

Jul  5 21:04:23 hostname-15m1kxku /kernel: arplookup xx.xx.xx.xx failed: host is not on local network

note: xx.xx.xx.xx looks like an ip on the same subnet as my box, ie.,
the first two octets are similar.

i can boot into freebsd, looks like i'm still receiving a network
connection, however - certain things now don't work - namely, kde takes
forever to start up (hangs during 'initializing network services'), kde
terminates unexpectedly, and i can no longer start konqueror from within
kde.  this was a stab in the dark, but i tried deleting the contents of
/tmp, and rebooting. it didn't help.

if anyone has experienced this type of behavior before, i'd appreciate
hearing from you...

thanks
redmond




basic ipf question

2003-03-31 Thread Redmond Militante
hi 
i have a basic question regarding ipf/ipnat setup.
at the moment my setup is:  

i have a ipf/ipnat box hooked up to a switch, and one internal client hooked up to the 
switch.  the public ip of the internal client is aliased to the external (xl0) nic of 
the ipf/ipnat box.

this is working ok for me.  i would now like to add a second internal client.  i'd 
like to alias the public ip of the second internal client to the external nic (xl0) of 
the ipf/ipnat box, hook the second internal client to the switch and protect it behind 
the ipf/ipnat box in the same way that i do the first internal client machine.

this isn't working for me.  when i add the second alias to the external nic of the 
ipf/ipnat box, change rc.conf on the second internal client, and hook it up to the 
switch, then reboot both internal clients, they freeze up during reboot.  hitting 
ctrl-c during the reboot process forces them to complete the reboot process, but only 
the first - original - internal client is working correctly.  the second - newer - 
internal client doesn't seem to be receiving connectivity.  am i going about this the 
wrong way?

thanks again




trolltech qt questions

2003-03-12 Thread Redmond Militante
hi

i'm trying to teach myself a little qt programming.  i'm on the first tutorial 
http://doc.trolltech.com/3.1/tutorial1-01.html

i created main.cpp in vi and saved it to a directory.  i type qmake -project and it generates a hello.pro file.  when i try to issue 'qmake', i get the error

QMAKESPEC has not been set, so configuration cannot be deduced.

upon reading the INSTALL instructions at ftp://ftp.trolltech.com/qt/source/INSTALL, i 
figured out that this was probably due to my path not being set correctly.
trolltech's docs recommend you place

QTDIR=/usr/local/qt
PATH=$QTDIR/bin:$PATH
MANPATH=$QTDIR/doc/man:$MANPATH
LD_LIBRARY_PATH=$QTDIR/lib:$LD_LIBRARY_PATH

export QTDIR PATH MANPATH LD_LIBRARY_PATH

in your .bash_profile - since i'm on freebsd, the directory /usr/local/qt doesn't 
exist.  i was confused about whether or not i needed to install the qt 3.1.2 free 
version from tar archive downloaded off the trolltech website.  i had downloaded the 
tar file and was halfway through installing it manually when i was informed by someone 
on irc not to do this.
i have kde 3.1 installed, so i have qt 3.1.1.4.  i was wondering what the correct 
directory was to set as QTDIR in my path, so that i can use qmake and finish the 
tutorial.  i was informed that i could get my correct QTDIR from 
/usr/ports/Mk/bsd.kde.mk, but i can't make out from that file what the correct path to 
my QTDIR should be.

has anyone done this before?  i'd like to continue with the tutorial but am not sure 
how to proceed

thanks again
 




passive ftp on ipf/ipnat

2003-02-12 Thread Redmond Militante
hi all

i had a couple of general questions about ftp serving through an ipf/ipnat gateway.

i had set up my gateway box to redirect port 21 to my internal ftp server, i.e., to 
only allow active ftp sessions.  this has been working ok, i've just been telling 
users to set their ftp clients for 'active' mode, or unselect 'passive' mode.

i have run into a weird situation with one particular ftp user.  this user is 
connecting to the ftp server remotely from behind a router that does nat translation 
for the subnet that this person is on.  this is the only thing different between this 
person and my 30 or so other ftp users who have been successfully connecting using 
active mode.  this person is able to successfully log in and connect to the server, but 
their ftp client immediately gives off an error 425 - unable to establish data 
connection...  when this person ftp's via the command line in win2000, i.e.,

ftp  my.ftpserver.org
enter username
enter password
(they're successfully authenticated at this point)

when they try to issue the 'ls' statement, they are given the same 'error 425 - unable 
to establish data connection'... i've spoken to this person's isp.  there are no 
firewall restrictions on their router.  the person can ftp to other servers fine.  i'm 
not quite sure how to proceed troubleshooting this problem - whether or not i should 
tweak my gateway config to allow for passive ftp, or if i should try to enable 
transparent proxy support (or both).

for the record, i've tried enabling both, and seem to be having trouble.  but at this 
point, i would just like to know what the issue is exactly, so that i can proceed 
troubleshooting it...

any advice would be appreciated, if anyone has dealt with this type of issue before...

thanks
redmond





portsentry in combination with ipfilter

2003-02-11 Thread Redmond Militante
hi all

 i have an ipf/ipnat gateway machine protecting an internal network of - so far one, 
hopefully 2 or more - computers.
 the first thing i did after i observed that i have my setup successfully nat'ing, was 
to try to portscan myself from an outside machine, using nmap.
 at first i thought something was up, and that my ipf.rules were being ignored, 
because when i ran
 
 nmap -sS -v -O 

 on the public ip of my internal host - which was aliased to the external nic of my 
gateway box - it showed that a huge amount of tcp and udp ports were open. i could 
copy the nmap results, but they're long, and suffice it to say ports i thought were 
closed or inactive were shown as open.
 
 after discussing it with the -security listserv, and running a 'sockstat' on the 
gateway box, it turns out that portsentry was indeed listening on the great majority 
of ports that the nmap showed to be open. when i turn portsentry off and run nmap 
again on my setup, it only shows ports that i specially allow open in my ipf/ipnat 
rules like 80,22, etc.
 
 my question is: first if anyone knows how to get portsentry to not broadcast the fact 
that it's listening on a wide variety of ports when the host is being portscanned. i 
checked the portsentry.conf file, there didn't seem to be an option for this. also - i 
have
 
 block return-rst in log quick on xl0 proto tcp from any to any
 
 in my ipf.rules, so i thought that any ports not being nat'd would show up in portscans 
as not listening. not sure why this isn't working.
 
 also, i had wanted to run logcheck, portsentry, and snort or tripwire on my ipf/ipnat 
gateway box. is this a good combination of apps? as of now, i have portsentry turned 
off, but would like to use it or an app that performs the same function.
 
 any thoughts?
 
 thanks again

redmond





Re: portsentry in combination with ipfilter

2003-02-11 Thread Redmond Militante
hi
i've used portsentry on standalone workstations before with ipfilter setup as a
firewall, and for some reason, now when i'm trying to use it on a ipf/ipnat
gateway box, it's being really verbose about the ports it's binding to.  if i
nmap a standalone workstation i have configured ipfilter/portsentry on, i don't
get the huge list of ports that it's binding to...  i thought perhaps there was
a config option to hide this information


 
  hi all
 
   i have an ipf/ipnat gateway machine protecting an internal network of -
  so far one, hopefully 2 or more - computers. the first thing i did
  after i observed that i have my setup successfully nat'ing, was to try
  to portscan myself from an outside machine, using nmap. at first i
  thought something was up, and that my ipf.rules were being ignored,
  because when i ran
 
   nmap -sS -v -O
 
   on the public ip of my internal host - which was aliased to the
  external nic of my gateway box - it showed that a huge amount of tcp
  and udp ports were open. i could copy the nmap results, but they're
  long, and suffice it to say ports i thought were closed or inactive
  were shown as open.
 
   after discussing it with the -security listserv, and running a
  'sockstat' on the gateway box, it turns out that portsentry was indeed
  listening on the great majority of ports that the nmap showed to be
  open. when i turn portsentry off and run nmap again on my setup, it
  only shows ports that i specially allow open in my ipf/ipnat rules like
  80,22, etc.
 
   my question is: first if anyone knows how to get portsentry to not
  broadcast the fact that it's listening on a wide variety of ports when the
  host is being portscanned. i checked the portsentry.conf file, there
  didn't seem to be an option for this. also - i have
 
 This is exactly what portsentry is designed to do.  Can't tell if a port
 is hit without first binding to it.  I have placed portsentry on other
 machines than the firewall for just this sort of information.  A better
 solution on a firewall is to turn on logging for specific ports or rules
 that you are interested in.
 
   block return-rst in log quick on xl0 proto tcp from any to any
 
   in my ipf.rules, so i thought that any ports not being nat'd would show up
  in portscans as not listening. not sure why this isn't working.
 
 What ports exactly are still listening that aren't getting allowed through?
 


when i turn portsentry off and nmap again, all appears as i expected it to - only 80 
22 and 21 are listed as open - as i defined it in my ipf.rules

   also, i had wanted to run logcheck, portsentry, and snort or tripwire
  on my ipf/ipnat gateway box. is this a good combination of apps? as of
  now, i have portsentry turned off, but would like to use it or an app
  that performs the same function.
 
 logcheck - not really; syslog should be sent inside either via syslog or
 msyslog (in ports)


logcheck is not a good idea?  could you elaborate on this point please?

 portsentry - nope (see above)


would you recommend running portsentry on an internal host behind the gateway machine? 
 

thanks
redmond

 snort - i 'spose (no harm per se)
 tripwire - definitely
 
   any thoughts?
 
   thanks again
 
  redmond
 
 Hope this helps.
 
 -- 
 Scott A. Moberly
 [EMAIL PROTECTED]
 
 BASIC is the Computer Science equivalent of `Scientific Creationism'.
 
 
 
 
 To Unsubscribe: send mail to [EMAIL PROTECTED]
 with unsubscribe freebsd-questions in the body of the message
 





Re: portsentry in combination with ipfilter

2003-02-11 Thread Redmond Militante
hi

thanks again.

i think i'm going to move portsentry to hosts behind the gateway - makes more sense 
considering the info you sent, and then look into snort/tripwire on the gateway (i 
actually have tripwire installed, i just haven't generated a new config db lately, 
since i've been messing around with my configs so much).  

redmond

 Redmond Militante [EMAIL PROTECTED] wrote:
 
  hi
  i've used portsentry on standalone workstations before with ipfilter setup as a
  firewall, and for some reason, now when i'm trying to use it on a ipf/ipnat
  gateway box, it's being really verbose about the ports it's binding to.  if i
  nmap a standalone workstation i have configured ipfilter/portsentry on, i don't
  get the huge list of ports that it's binding to...  i thought perhaps there was
  a config option to hide this information
 
 Redmond,
 
 There is a good article regarding using portsentry @
 
 http://www.sans.org/rr/intrusion/portsentry.php
 
 They talk about version 1 on Linux being able to monitor ports 
 using a socket instead of binding to a port, so this should 
 look different to an nmap scan. As to whether or not FreeBSD 
 supports this feature, I do not know. Anyone out there chime in?
 
 
 From the SANS article
 snip-
 Example One - Default configuration
 
 By default, the portsentry.conf is designed to listen and block 
 attacking hosts using TCP Wrappers. The default configuration 
 is set up to bind with some of the most commonly probed TCP ports 
 and UDP ports on a Unix system. If any attacking host scans or 
 makes an attempt to attach to one of the PortSentry bound ports, 
 PortSentry will instantly drop the attacking host into the 
 hosts.deny file, thus blocking _ALL_ traffic from the attacking 
 IP address. 
 snip-
 
 What bothers me about this method of defense is the possibility 
 of an attacker causing a DOS by spoofing their source scan IP 
 and causing your system to deny traffic from a valid host like 
 your upstream DNS server.
 
 I have not worked with portsentry at all so, this default 
 behavior is probably not the optimum way to use this tool.
 
 Scanning is so common on the net that the gain from this 
 seems minimal on a gateway firewall, inside your LAN is 
 another story ;-)
 
 As to system integrity checking, I like to use Aide, 
 found in /usr/ports/security/aide but tripwire is 
 probably a more commonly used tool.
 
 Using a tight ipf firewall in conjunction with snort on 
 a gateway firewall is a common and well liked setup.
 
 Regards,
 
 Stephen Hilton
 [EMAIL PROTECTED]
 
 





rc.conf syntax for ip alias on external nic

2003-02-10 Thread Redmond Militante
hi

i have the following lines in my rc.conf, and i was wondering if my syntax was ok:

---
#here, i'm setting the ip/subnet mask for outside nic interface for a dual homed
#gateway box
ifconfig_xl0="inet 129.x.x.35 netmask 255.255.255.0"

#declaring three network interfaces - outside nic interface for gateway, internal
#interface for private subnet, and loopback
network_interfaces="xl0 xl1 lo0"

#not sure about the following lines: trying to alias two public ip's to the outside
#nic interface for the gateway.  the gateway will use ipnat to nat these public ip's to
#two internal client machines hooked up to the internal interface - xl1- of the gateway
#box
ifconfig_xl0_alias0="inet 129.x.x.6 netmask 255.0.0.0"
ifconfig_xl0_alias1="inet 129.x.x.5 netmask 255.0.0.0"

#inside nic of gateway box
ifconfig_xl1="inet 192.168.1.1 netmask 255.0.0.0"
---

i'm having trouble i think with the two aliases to the outside nic of the gateway.  it 
works fine when i have only one client hooked up to the gateway, but when i have both 
clients hooked up to the gateway through a hub, i have problems - mainly, i reboot 
both machines, and one machine usually freezes on reboot.

any advice would be really appreciated

thanks
redmond





gtk themes in kde 3.1 fbsd 4.7-release

2003-02-06 Thread Redmond Militante
hi all

anyone know how to get gtk themes going from from within kde 3.1?  i've tried googling 
this and asking in irc, to no avail.  i've installed gtk-theme-switch and 
gtk-themes-collection from ports, it doesn't seem to work from within kde, it works 
however, from within gnome.  the error i get when i try to apply a gtk theme is 

Gtk-CRITICAL **: file gtkentry.c: line 440 (gtk_entry_set_text): assertion `text != NULL' failed.

not sure if the error is related...

thanks again
redmond





ipf/ipnat and passive ftp

2003-02-03 Thread Redmond Militante
hi all

i have an ftp server behind an ipf/ipnat gateway box.

active ftp works fine.  i'm trying to get passive ftp working, at the moment it is 
*slow*, eventually connects in most cases, but will not display directory contents 
unless you switch the ftp client to 'active'ly connect...

relevant portions of my config files

/etc/ipf.rules

 pass in quick on xl0 proto tcp from any to 192.168.1.50/8 port = 21 flags S keep state keep frags
 pass in quick on xl0 proto tcp from any to any port > 1023 flags S keep state


rdr xl0 0.0.0.0/0 port 21 -> 192.168.1.50 port 21 tcp
rdr xl0 0.0.0.0/0 port > 1023 -> 192.168.1.50 port > 1023 tcp

any advice you could give would be highly appreciated.  

thanks
redmond



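What is actually going wrong in this post and in the earlier "passive ftp on ipf/ipnat" question (the user getting error 425 from behind a NAT router), shown as an added example that is not part of the original posts or of IPFilter: FTP announces the data-channel endpoint inside the protocol (the PORT command in active mode, the 227 reply in passive mode), so a NAT that only rewrites packet headers lets a private address leak to the other side, and the peer then tries to connect somewhere it cannot reach. The addresses in the sample messages are constructed placeholders.

```python
# Added example (not from the posts, not IPFilter or ftpd code): why FTP data
# connections break through NAT. FTP carries the data-channel endpoint in-band,
# in the PORT command (active mode) and in the 227 reply (passive mode). When
# the announcing side sits behind NAT and nothing rewrites that payload, the
# peer is told to connect to an RFC 1918 address it cannot route to.
import ipaddress
import re

# Six decimal fields h1,h2,h3,h4,p1,p2 shared by PORT and the 227 reply (RFC 959).
_HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PASV_RE = re.compile(r"^227 .*?\(" + _HOSTPORT + r"\)")
PORT_RE = re.compile(r"^PORT " + _HOSTPORT + r"$")

# Address blocks that mean nothing to a peer on the far side of a NAT
# (the same RFC 1918 / loopback / link-local ranges the ipf.rules block inbound).
UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]


def _decode(groups):
    """Turn the six fields into (ip, port); the port is p1 * 256 + p2."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("field out of range (0-255)")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_pasv_reply(line):
    """'227 Entering Passive Mode (192,168,1,50,4,1)' -> ('192.168.1.50', 1025)."""
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {line!r}")
    return _decode(m.groups())


def parse_port_command(line):
    """'PORT 10,0,0,5,4,2' -> ('10.0.0.5', 1026)."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    return _decode(m.groups())


def diagnose(control_peer_ip, announced_ip, announced_port):
    """Classify the data-channel endpoint one side announced.

    control_peer_ip is the address the control connection really came from,
    as seen by the side that now has to open the data connection.
    """
    announced = ipaddress.ip_address(announced_ip)
    peer = ipaddress.ip_address(control_peer_ip)
    if announced_port <= 1023:
        return "privileged-data-port"  # a server should refuse to connect here
    if any(announced in net for net in UNROUTABLE):
        # A private address leaked through the NAT: the peer's connect attempt
        # times out, which shows up as a hanging 'ls' or a 425 error.
        return "private-address-announced"
    if announced != peer:
        # Announced host is not the one on the control connection; ftpd and
        # most clients refuse this rather than open connections to third hosts.
        return "announced-host-differs-from-control-peer"
    return "ok"


def check_exchange(control_peer_ip, line):
    """Parse either message form and return (ip, port, verdict)."""
    if line.lstrip().upper().startswith("PORT "):
        ip, port = parse_port_command(line)
    else:
        ip, port = parse_pasv_reply(line)
    return ip, port, diagnose(control_peer_ip, ip, port)


if __name__ == "__main__":
    # Constructed samples; the public addresses are placeholders, not real hosts.
    samples = [
        # passive mode: server 192.168.1.50 behind the ipnat rdr answers PASV
        # with its private address, which the outside client cannot reach
        ("129.0.0.6", "227 Entering Passive Mode (192,168,1,50,4,1)"),
        # active mode: a client behind a NAT router announces its private
        # address, so the server's data connection fails (the 'error 425' case)
        ("203.0.113.7", "PORT 10,0,0,5,4,2"),
        # healthy exchange: announced address matches the control-connection peer
        ("203.0.113.7", "PORT 203,0,113,7,4,2"),
    ]
    for peer, msg in samples:
        print(f"{peer:<14} {msg:<45} -> {check_exchange(peer, msg)}")
```

The rdr rules above forward packets to 192.168.1.50 but do not touch the 227 payload, which is why only an FTP-aware proxy on the gateway, or a client that falls back to the control connection's address, makes passive mode work behind this kind of NAT.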


ipf/ipnat setup

2003-02-03 Thread Redmond Militante
hi all

setting up ipf/ipnat on a gateway box to protect a single workstation was pretty 
painless.  i'm now trying to protect two servers - a web/ftp server and a mysql server 
- through an ipf/ipnat gateway box, and am running into some problems

most of my setup i've gleaned from JoeB and people on this list, as well as tutorials 
on schlacter.net and obfuscation.org/ipf

the problems i'm having right now - i can't seem to get passive ftp working on the 
webserver through the gateway.  active works fine, i've commented my ipf.rules and 
ipnat.rules where i *thought* i was allowing passive ftp connections, but was 
unsuccessful (connection times out or connects, but doesn't give directory listing), 
webmin on the webserver and db server doesn't work through the nat, despite the fact i 
have port 1 open.  also - i can't seem to successfully connect the webserver and 
db server to the gateway at the same time - when a second machine is hooked up, it 
hangs when trying to mount nfs shares and when initiating sendmail.  i can't get a 
successful mysql connection through the gateway, but that may be more a mysql 
permissions/coding problem than an ipf problem.  regardless, i'm stumped.  

if anyone sees anything glaringly wrong - i probably messed up in several places - i'd 
really appreciate it if you could help me out

gateway: 129.0.0.1 bound to outside nic, 192.168.1.1 to inner nic
webserver 192.168.1.50, gateway is inner nic on gateway box
db server 192.168.1.51, gateway is inner nic on gateway box
ip's of db and webserver are aliased to xl0 on gateway box

/etc/rc.conf
-
hostname="gateway.ipfipnat.com"
ifconfig_lo0="inet 127.0.0.1"
ifconfig_xl0="inet 129.x.x.35 netmask 255.255.255.0"
network_interfaces="xl0 xl1 lo0"
#aliasing webserver's ip to the outside nic of gateway box
ifconfig_xl0_alias0="inet 129.x.x.6 netmask 255.0.0.0"
#aliasing db server's ip to the outside nic of gateway box
ifconfig_xl0_alias1="inet 129.x.x.5 netmask 255.0.0.0"
#inside nic of gateway box
ifconfig_xl1="inet 192.168.1.1 netmask 255.0.0.0"
ipfilter_enable="YES"
ipfilter_flags=""
ipfilter_rules="/etc/ipf.rules"
ipmon_enable="YES"
ipmon_flags="-Dsvn"
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"
icmp_drop_redirect="YES"
gateway_enable="YES"
--

/etc/ipf.rules
--
# 
# Outside Interface  
# 
 
# 
# Allow out all TCP, UDP, and ICMP traffic & keep state on it 
# so that it's allowed back in. 
# 
# If you wanted to do egress filtering...here's where you'd do it. 
# You'd change the lines below so that rather than allowing out any 
# arbitrary TCP connection, it would only allow out mail, pop3, and http 
# connections (for example). So, the first line, below, would be  
# replaced with: 
#  pass out quick on xl0 proto tcp from any to any port = 25 keep state 
#  pass out quick on xl0 proto tcp from any to any port = 110 keep state 
#  pass out quick on xl0 proto tcp from any to any port = 80 keep state 
# ...and then do the same for the remaining lines so that you allow 
# only specified protocols/ports 'out' of your network 
# 
pass out quick on xl0 proto tcp from any to any keep state 
pass out quick on xl0 proto udp from any to any keep state 
pass out quick on xl0 proto icmp from any to any keep state 
block out quick on xl0 all 
 
#--- 
# Block all inbound traffic from non-routable or reserved address spaces 
#--- 
block in log quick on xl0 from 192.168.0.0/16 to any #RFC 1918 private IP 
block in log quick on xl0 from 172.16.0.0/12 to any #RFC 1918 private IP 
block in log quick on xl0 from 10.0.0.0/8 to any #RFC 1918 private IP 
block in log quick on xl0 from 127.0.0.0/8 to any #loopback 
block in log quick on xl0 from 0.0.0.0/8 to any #loopback 
block in log quick on xl0 from 169.254.0.0/16 to any #DHCP auto-config 
block in log quick on xl0 from 192.0.2.0/24 to any #reserved for doc's 
block in log quick on xl0 from 204.152.64.0/23 to any #Sun cluster interconnect 
block in quick on xl0 from 224.0.0.0/3 to any #Class D & E multicast 
 
# 
# Allow bootp traffic in from your ISP's DHCP server only.  
# 
pass in quick on xl0 proto udp from 129.105.49.1/32 to any port = 53 keep state 
pass in quick on xl0 proto udp from 129.105.49.10/32 to any port = 68 keep state 
# 
# If you wanted to set up a web server or mail server on your box 
# (which is outside the scope of this howto), or allow another system 
# on the Internet to externally SSH into your 

ipf/ipnat setup

2003-02-03 Thread Redmond Militante
- Forwarded message from Redmond Militante [EMAIL PROTECTED] -

Date: Mon, 3 Feb 2003 17:32:55 -0600
From: Redmond Militante [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: ipf/ipnat setup
Reply-To: Redmond Militante [EMAIL PROTECTED]
User-Agent: Mutt/1.4i
X-Sender: [EMAIL PROTECTED]
X-URL: 
http://darkpossum.medill.northwestern.edu/modules.php?name=Contentpa=showpagepid=1
X-DSS-PGP-Fingerprint: F9E7 AFEA 0209 B164 7F83 E727 5213 FAFA 1511 7836
X-Tofu: The other white meat substitute.


test

2003-02-02 Thread Redmond Militante





please comment on my nat/ipfw rules (resent)

2003-01-31 Thread Redmond Militante

hi all
 
 i have my test machine set up as a gateway box, with ipfw/natd configured on it, set 
up to filter/redirect packets bound for a client on my internal network.
 
 external ip of my internal client is aliased to the outside nic of the gateway box
 
 
 gateway machine's kernel has been recompiled with:
 
 options IPFIREWALL
 options IPDIVERT
 options IPFIREWALL_DEFAULT_TO_ACCEPT
 options IPFIREWALL_VERBOSE
 
 
 
 gateway's /etc/rc.conf looks like 
 
 defaultrouter="129.x.x.1"
 hostname="hostname.com"
 ifconfig_xl0="inet 129.x.x.1 netmask 255.255.255.0"
 #aliasing internal client's ip to the outside nic of gateway box
 ifconfig_xl0_alias0="inet 129.x.1.20 netmask 255.0.0.0"
 #inside nic of gateway box
 ifconfig_xl1="inet 10.0.0.1 netmask 255.0.0.0"
 gateway_enable="YES"
 firewall_enable="YES"
 #firewall_script="/etc/rc.firewall"
 firewall_type="/etc/ipfw.rules"
 natd_enable="YES"
 #natd interface is outside nic
 natd_interface="xl0"
 #natd flags redirect any traffic bound for ip of www3 to internal ip of www3
 natd_flags="-redirect_address 10.0.0.2 129.x.x.20"
 kern_securelevel_enable="NO"
 .
 
 
 
 internal client's /etc/rc.conf looks like
 
 second machine's /etc/rc.conf:
 
 defaultrouter="10.0.0.1"
 ifconfig_xl0="inet 10.0.0.2 netmask 255.0.0.0"
 
 
 
 looks like this setup is working. the internal client is a basic webserver/ftp 
server. i am able to ftp to it, ssh to it, view webpages that it serves up, etc. with 
it hooked up to the internal nic of the gateway box.
 
 i am now trying to come up with a good set of firewall rules on the gateway box to 
filter out all unnecessary traffic to my internal network. the following is my 
/etc/ipfw.rules on the gateway box.
 
 -snip--
 
 # firewall_type=/etc/ipfw.rules
 # enquirer ipfw.rules
 
 # NAT
 add 00100 divert 8668 ip from any to any via xl0
 
 # loopback
 add 00210 allow ip from any to any via lo0
 add 00220 deny ip from any to 127.0.0.0/8
 add 00230 deny ip from 127.0.0.0/8 to any
 
 #allow tcp in for nfs shares
 #add 00301 allow tcp from 129.x.x.x to any in via xl0
 #add 00302 allow tcp from 129.x.x.x to any in via xl0
 
 #allow tcp in for ftp,ssh, smtp, httpd
 add 00303 allow tcp from any to any in 21,22,25,80,1 via xl0
 
 #deny rest of incoming tcp
 add 00309 deny log tcp from any to any in established
 
 #from man 8 ipfw: allow only outbound tcp connections i've created
 add 00310 allow tcp from any to any out via xl0
 
 
 #allow udp in for gateway for DNS
 add 00300 allow udp from 10.0.0.0/24 to 129.105.49.1 53 via xl0
 
 #allow udp in for nfs shares
 #add 00401 allow udp from 129.x.x.x to any in recv xl0
 #add 00402 allow udp from 129.x.x.x to any in recv xl0
 
 #allow all udp out from machine
 add 00404 allow udp from any to any out via xl0
 
 #allow some icmp types (codes not supported)
 ##allow path-mtu in both directions
 add 00500 allow icmp from any to any icmptypes 3
 ##allow source quench in and out
 add 00501 allow icmp from any to any icmptypes 4
 ##allow me to ping out and receive response back
 add 00502 allow icmp from any to any icmptypes 8 out
 add 00503 allow icmp from any to any icmptypes 0 in
 ##allow me to run traceroute
 add 00504 allow icmp from any to any icmptypes 11 in
 add 00600 deny log ip from any to any
 
 #--- end ipfw.rules ---#
 
 -snip--
 
 
 any comments on how i could improve this set of ipfw rules to better secure my 
internal client would be appreciated. thanks again

 redmond





Re: please comment on my nat/ipfw rules (resent)

2003-01-31 Thread Redmond Militante
hi

you've sold me :)
do you have any good online tutorials to recommend for setting up a 
gateway/firewall/natd machine using ipfilter/ipnat?

thanks
redmond

 1. Your firewall rules are not working at all, except for the natd
 redirect option. This is caused by the kernel compile time option
 IPFIREWALL_DEFAULT_TO_ACCEPT. This option tells your firewall that
 any packet that does not match a rule is allowed to pass on through
 the firewall. Comment out that option in your kernel options source
 and recompile your kernel to take the default of default-to-deny and
 your current rules set will stop functioning.
 
 2. You are using the simplest of the rule types 'state-less'. Using
 this type of rules you have to not only have a rule to allow the
 packet out you also have to have a rule to allow the packet in. See
 rules 220 & 230 of your posted rule set to see how it should be
 done.
 
 3.  There are 3 classes of rules, each class has separate packet
 interrogation abilities. Each proceeding class has greater packet
 interrogation abilities than the previous one. These are stateless,
 simple stateful, and advanced stateful. The advanced stateful rule
 class is the only class having technically advanced interrogation
 abilities capable of defending against the flood of different attack
 methods currently employed by perpetrators. Stateless and Simple
 Stateful IPFW firewall rules are inadequate to protect the users
 system in today's internet environment and leaves the user
 unknowingly believing they are protected when in reality they are
 not.
 
 
 4. The advanced stateful rule option keep-state works as documented
 only when used in a rule set that does not use the divert rule.
 Simply stated the IPFW advanced stateful rule option keep-state does
 not function correctly when used in a IPFW firewall that also is
 using the IPFW built in NATD function. For the most complete
 keep-state protection the other FIREWALL solution (IPFILTER) that
 comes with FBSD should be used. Just checkout the IPFW list archives
 and you will see this subject discussed in detail with out any
 solution forthcoming.
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]]On Behalf Of Redmond
 Militante
 Sent: Friday, January 31, 2003 8:18 AM
 To: [EMAIL PROTECTED]
 Subject: please comment on my nat/ipfw rules (resent)
 
 
 hi all
 
  i have my test machine set up as a gateway box, with ipfw/natd
 configured on it, set up to filter/redirect packets bound for a
 client on my internal network.
 
  external ip of my internal client is aliased to the outside nic of
 the gateway box
 
 
  gateway machine's kernel has been recompiled with:
 
  options IPFIREWALL
  options IPDIVERT
  options IPFIREWALL_DEFAULT_TO_ACCEPT
  options IPFIREWALL_VERBOSE
 
 
 
  gateway's /etc/rc.conf looks like
 
  defaultrouter="129.x.x.1"
  hostname="hostname.com"
  ifconfig_xl0="inet 129.x.x.1 netmask 255.255.255.0"
  #aliasing internal client's ip to the outside nic of gateway box
  ifconfig_xl0_alias0="inet 129.x.1.20 netmask 255.0.0.0"
  #inside nic of gateway box
  ifconfig_xl1="inet 10.0.0.1 netmask 255.0.0.0"
  gateway_enable="YES"
  firewall_enable="YES"
  #firewall_script="/etc/rc.firewall"
  firewall_type="/etc/ipfw.rules"
  natd_enable="YES"
  #natd interface is outside nic
  natd_interface="xl0"
  #natd flags redirect any traffic bound for ip of www3 to internal
 ip of www3
  natd_flags="-redirect_address 10.0.0.2 129.x.x.20"
  kern_securelevel_enable="NO"
  .
 
 
 
  internal client's /etc/rc.conf looks like
 
  second machine's /etc/rc.conf:
 
  defaultrouter="10.0.0.1"
  ifconfig_xl0="inet 10.0.0.2 netmask 255.0.0.0"
  
 
 
  looks like this setup is working. the internal client is a basic
 webserver/ftp server. i am able to ftp to it, ssh to it, view
 webpages that it serves up, etc. with it hooked up to the internal
 nic of the gateway box.
 
  i am now trying to come up with a good set of firewall rules on the
 gateway box to filter out all unnecessary traffic to my internal
 network. the following is my /etc/ipfw.rules on the gateway box.
 
  -snip--
 
  # firewall_type=/etc/ipfw.rules
  # enquirer ipfw.rules
 
  # NAT
  add 00100 divert 8668 ip from any to any via xl0
 
  # loopback
  add 00210 allow ip from any to any via lo0
  add 00220 deny ip from any to 127.0.0.0/8
  add 00230 deny ip from 127.0.0.0/8 to any
 
  #allow tcp in for nfs shares
  #add 00301 allow tcp from 129.x.x.x to any in via xl0
  #add 00302 allow tcp from 129.x.x.x to any in via xl0
 
  #allow tcp in for ftp,ssh, smtp, httpd
  add 00303 allow tcp from any to any 21,22,25,80,10000 in via xl0
 
  #deny rest of incoming tcp
  add 00309 deny log tcp from any to any in established
 
  #from man 8 ipfw: allow only outbound tcp connections i've created
  add 00310 allow tcp from any to any out via xl0
 
 
  #allow udp in for gateway for DNS
  add 00300 allow udp from 10.0.0.0/24

new ipfw/nat ruleset for gateway

2003-01-30 Thread Redmond Militante
hi all

i have my test machine set up as a gateway box, with ipfw/natd configured on it, set 
up to filter/redirect packets bound for a client on my internal network.

external ip of my internal client is aliased to the outside nic of the gateway box

gateway machine's kernel has been recompiled with:

options IPFIREWALL
options IPDIVERT
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_VERBOSE



gateway's /etc/rc.conf looks like 

defaultrouter="129.x.x.1"
hostname="hostname.com"
ifconfig_xl0="inet 129.x.x.1 netmask 255.255.255.0"
#aliasing internal client's ip to the outside nic of gateway box
ifconfig_xl0_alias0="inet 129.x.1.20 netmask 255.0.0.0"
#inside nic of gateway box
ifconfig_xl1="inet 10.0.0.1 netmask 255.0.0.0"
gateway_enable="YES"
firewall_enable="YES"
#firewall_script="/etc/rc.firewall"
firewall_type="/etc/ipfw.rules"
natd_enable="YES"
#natd interface is outside nic
natd_interface="xl0"
#natd flags redirect any traffic bound for ip of www3 to internal ip of www3
natd_flags="-redirect_address 10.0.0.2 129.x.x.20"
kern_securelevel_enable="NO"
.



internal client's /etc/rc.conf looks like

second machine's /etc/rc.conf:

defaultrouter="10.0.0.1"
ifconfig_xl0="inet 10.0.0.2 netmask 255.0.0.0"



looks like this setup is working. the internal client is a basic webserver/ftp server. 
i am able to ftp to it, ssh to it, view webpages that it serves up, etc. with it 
hooked up to the internal nic of the gateway box.

i am now trying to come up with a good set of firewall rules on the gateway box to 
filter out all unnecessary traffic to my internal network. the following is my 
/etc/ipfw.rules on the gateway box.

-snip--

# firewall_type=/etc/ipfw.rules
# enquirer ipfw.rules

# NAT
add 00100 divert 8668 ip from any to any via xl0

# loopback
add 00210 allow ip from any to any via lo0
add 00220 deny ip from any to 127.0.0.0/8
add 00230 deny ip from 127.0.0.0/8 to any

#allow tcp in for nfs shares
#add 00301 allow tcp from 129.x.x.x to any in via xl0
#add 00302 allow tcp from 129.x.x.x to any in via xl0

#allow tcp in for ftp,ssh, smtp, httpd
add 00303 allow tcp from any to any 21,22,25,80,10000 in via xl0

#deny rest of incoming tcp
add 00309 deny log tcp from any to any in established

#from man 8 ipfw: allow only outbound tcp connections i've created
add 00310 allow tcp from any to any out via xl0


#allow udp in for gateway for DNS
add 00300 allow udp from 10.0.0.0/24 to 129.105.49.1 53 via xl0

#allow udp in for nfs shares
#add 00401 allow udp from 129.x.x.x to any in recv xl0
#add 00402 allow udp from 129.x.x.x to any in recv xl0

#allow all udp out from machine
add 00404 allow udp from any to any out via xl0

#allow some icmp types (codes not supported)
##allow path-mtu in both directions
add 00500 allow icmp from any to any icmptypes 3
##allow source quench in and out
add 00501 allow icmp from any to any icmptypes 4
##allow me to ping out and receive response back
add 00502 allow icmp from any to any icmptypes 8 out
add 00503 allow icmp from any to any icmptypes 0 in
##allow me to run traceroute
add 00504 allow icmp from any to any icmptypes 11 in
add 00600 deny log ip from any to any

#--- end ipfw.rules ---#

-snip--


any comments on how i could improve this set of ipfw rules to better secure my 
internal client would be appreciated. thanks again

redmond



msg17284/pgp0.pgp
Description: PGP signature


tx underrun error when ftp'ing large file

2003-01-29 Thread Redmond Militante
hi
 
i get the following error
 
xl0: transmission error: 90
xl0: tx underrun, increasing tx start threshold to 120 bytes
 
when trying to ftp a large tar.gz file to a dell poweredge network storage appliance.
 
the commands i'm using to upload this large tar.gz file are:
 
ftp -n -v storageappliance.organization.com
user myaccount
mypassword
bin
prompt
mput largefile.tar.gz
 
-i've used this method to ftp smaller tar.gz files, but when i try to upload this
large file (several gig in size) i get the tx underrun error, and the transfer freezes.

i've done some research on this error

i've found the following off the mailing list archives:

According to:
http://www.freebsd.org/cgi/getmsg.cgi?fetch=1651362+1653480+/usr/local/www/db/text/1999/freebsd-questions/19990926.freebsd-questions

Tx under runs occur when the tx state machine cannot get packet
data from memory fast enough to keep up with wire transmit
rate. Setting the start threshold higher increases the number
of bytes which are buffered in the tx fifo which increases the
allowable bus latency.

And according to the linux driver for the 3com cards:
Tx underrun (not enough PCI bus bandwidth).

It's not a problem as far as I know, if the message stops (depending on how
much traffic there is on your network, at my FreeBSD box it sometimes rises to
300 bytes) the system works fine. 

so - i'm wondering if anyone has dealt with this type of issue before, and if so, how to 
configure my nic card to perform this type of ftp transfer.

any advice would be appreciated
thanks again
redmond



msg17093/pgp0.pgp
Description: PGP signature


another go at natd

2003-01-29 Thread Redmond Militante
hi all

this is a followup to an email i sent out to the list a week or so ago.  i was having 
trouble getting the following natd setup to work:

---snip--
two machines - one has two nics, one has one nic. i'd like to set up the machine with 
two nics as a gateway/natd box, and place the second machine behind it.

gateway machine's kernel has been recompiled with:

options IPFIREWALL
options IPDIVERT
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_VERBOSE

gateway machine's /etc/rc.conf:

defaultrouter="129.x.x.1"
hostname="enquirer.medill.northwestern.edu"
ifconfig_xl0="inet 129.x.x.35 netmask 255.255.255.0"
ifconfig_xl1="inet 10.0.0.1 netmask 255.0.0.0"
gateway_enable="YES"
firewall_enable="YES"
#firewall_script="/etc/rc.firewall"
firewall_type="OPEN"
natd_enable="YES"
natd_interface="xl0"
natd_flags=""

second machine's /etc/rc.conf:

defaultrouter="10.0.0.1"
ifconfig_xl0="inet 10.0.0.2 netmask 255.0.0.0"

'ipfw list' on the gateway machine gives me:
00050 divert 8668 ip from any to any via xl0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65535 allow ip from any to any

i'm following the instructions in the handbook 
http://www.freebsd.org/doc/en_US.IS...dbook/natd.html 
snip-

-turns out my setup above was exactly right. i was informed by various members of the 
list that my original problem was that i was running a connection from the client 
machine directly to the internal nic on the gateway box, and all i needed to do was to 
run everything through a hub to get it to work.

so, i'm nat'ing. i'm redirecting packets to my internal lan on the gateway box.  i 
guess my question to the list would be:  is a vanilla natd setup like this enough?  
today, i tried changing firewall_type to '/etc/ipfw.rules' instead of OPEN, it's 
been problematic.  i'm having trouble getting the following /etc/ipfw.rules file 
working with my nat setup:

add 00100 allow ip from any to any via lo0
add 00200 deny ip from any to 127.0.0.0/8
add 00300 check-state
add 00301 allow tcp from 129.x.x.20 to any in setup keep-state
add 00302 allow tcp from 10.0.0.2 to any in setup keep-state
#allow tcp in for ftp,ssh, smtp, httpd
add 00304 allow tcp from any to any 21 in setup keep-state
add 00305 allow tcp from any to any 22 in setup keep-state
add 00306 allow tcp from any to any 25 in setup keep-state
add 00307 allow tcp from any to any 80 in setup keep-state
#allow tcp in for webmin port
add 00308 allow tcp from any to any 10000 in setup keep-state
#deny rest of incoming tcp
add 00309 deny log tcp from any to any in established
#from man 8 ipfw: allow only outbound tcp connections i've created
add 00310 allow tcp from any to any out setup keep-state
#allow udp in for gateway for DNS
add 00400 allow udp from 129.105.49.1 to any in recv xl0
add 00401 allow udp from 129.x.x.20 to any in recv xl0
add 00402 allow udp from 10.0.0.2 to any in recv xl0
#allow all udp out from machine
add 00404 allow udp from any to any out
#allow some icmp types (codes not supported)
##allow path-mtu in both directions
add 00500 allow icmp from any to any icmptypes 3
##allow source quench in and out
add 00501 allow icmp from any to any icmptypes 4
##allow me to ping out and receive response back
add 00502 allow icmp from any to any icmptypes 8 out
add 00503 allow icmp from any to any icmptypes 0 in
##allow me to run traceroute
add 00504 allow icmp from any to any icmptypes 11 in
add 00600 deny log ip from any to any


sorry, this is long winded.  any comments on how to get the above rules working with 
my nat setup, or if these measures are even necessary would be greatly appreciated.

thanks
redmond



msg17195/pgp0.pgp
Description: PGP signature


need help in setting up a demilitarized zone

2003-01-17 Thread Redmond Militante
hi all

so i have my gateway/ipfw/natd machine working, protecting a test client box. this 
gateway box is an dell optiplex gx150 pIII 930 mhz with 128 mb of ram, 2 nics - one 
integrated intel pro 1000, the other a really old 3com 3c905b that i pulled out of an 
old junker computer that we were going to throw out.

i would like this gateway box to protect our webserver, our mysql server, and possibly 
another webserver. our webserver is a dual xeon dell poweredge 1650 with 2 gig of ram, 
it gets sometimes more than 100000 hits a day, and is hooked up to a t100 line.

will my little optiplex gateway box be able to keep up with a webserver that's this 
busy? i know i at least have to replace the 3com 3c905b card on it, as i'm pretty sure 
that that type of nic can't even handle a t100 connection. but - is the computer 
itself fast enough? also - does anyone have any recommendations for a good 4 port hub 
or switch for this particular purpose? right now i'm using an old netgear en 104tp, 
which is probably not ideal.

thanks again




msg15810/pgp0.pgp
Description: PGP signature


another go at ipfw/natd

2003-01-16 Thread Redmond Militante
hi again

i have two machines - one has two nics, one has one nic. i'd like to set up the 
machine with two nics as a gateway/natd box, and place the second machine behind it.

gateway machine's kernel has been recompiled with:

options IPFIREWALL
options IPDIVERT
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_VERBOSE

gateway machine's /etc/rc.conf:

defaultrouter="129.x.x.1"
hostname="enquirer.medill.northwestern.edu"
ifconfig_xl0="inet 129.x.x.35 netmask 255.255.255.0"
ifconfig_xl1="inet 10.0.0.1 netmask 255.0.0.0"
gateway_enable="YES"
firewall_enable="YES"
#firewall_script="/etc/rc.firewall"
firewall_type="OPEN"
natd_enable="YES"
natd_interface="xl0"
natd_flags=""

second machine's /etc/rc.conf:

defaultrouter="10.0.0.1"
ifconfig_xl0="inet 10.0.0.2 netmask 255.0.0.0"

'ipfw list' on the gateway machine gives me:
00050 divert 8668 ip from any to any via xl0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65535 allow ip from any to any

i'm following the instructions in the handbook 
http://www.freebsd.org/doc/en_US.IS...dbook/natd.html 

Each machine and interface behind the LAN should be assigned IP address numbers in 
the private network space as defined by RFC 1918 and have a default gateway of the 
natd machine's internal IP address.


this isn't working for me. i cannot ping outside machines from the client machine. 
'ping www.freebsd.org' times out. pinging the ip address outside the router gives me 
'no route to host', pinging the ip address of the gateway box gives me 'no route to 
host'. 'ping 10.0.0.1' gives me 'host is down'. the client machine can ping itself and 
get a response, however - 'ping 10.0.0.2' gives me a response.

please help, i'm stuck.




msg15692/pgp0.pgp
Description: PGP signature


Re: another go at ipfw/natd

2003-01-16 Thread Redmond Militante
 
 Let me ask some questions to help diagnose this:
 1. From the gateway: Can you ping www.freebsd.org? Can you ping 129.x.x.1?


yes to both

 2. What's in /etc/resolv.conf on the gateway and the client machine?



/etc/resolv.conf is identical on gateway and client machines

search northwestern.edu
nameserver 129.105.49.1
nameserver 165.124.49.21
~

 3. What does ifconfig display on the gateway?  Does xl1 show as up with a 
 valid media type?


xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=3<rxcsum,txcsum>
inet 129.105.51.35 netmask 0xffffff00 broadcast 129.105.51.255
inet6 fe80::210:5aff:fec6:8bcb%xl0 prefixlen 64 scopeid 0x1 
ether 00:10:5a:c6:8b:cb
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=3<rxcsum,txcsum>
inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
inet6 fe80::206:5bff:fe80:985b%xl1 prefixlen 64 scopeid 0x2 
ether 00:06:5b:80:98:5b
media: Ethernet autoselect (none)
status: no carrier

(ifconfig has changed slightly here - i was experimenting by giving xl1 a subnet mask 
of 255.255.255.0 - still doesn't work)



Do your net card and hub both have link lights?
i

i am hooking the client directly into the internal nic on the gateway, so no hub.  
i've verified that both nics on the gateway work - did this by configuring xl1 as the 
primary nic, and it worked.

thanks

redmond

 
 -- 
 Bill Moran
 Potential Technologies
 http://www.potentialtech.com
 



msg15695/pgp0.pgp
Description: PGP signature


Re: another go at ipfw/natd

2003-01-16 Thread Redmond Militante
hi

thanks this worked :)

In the gothic chambers of the underworld on Thu, Jan 16, 2003 at 03:51:55PM -0600, 
Daniel Schrock darkly muttered:
 Redmond Militante wrote:
 xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 options=3<rxcsum,txcsum>
 inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
 inet6 fe80::206:5bff:fe80:985b%xl1 prefixlen 64 scopeid 0x2 
 ether 00:06:5b:80:98:5b
 media: Ethernet autoselect (none)
 status: no carrier
 ^^
 This is your problem.
 
 
 Do your net card and hub both have link lights?
 
 i
 
 
 i am hooking the client directly into the internal nic on the gateway, so 
 no hub.  i've verified that both nics on the gateway work - did this by 
 configuring xl1 as the primary nic, and it worked.
 
 You can't do this.
 You _must_ use a crossover cable to connect 2 NICs directly together.
 You need to use a hub or switch to use straight-through ethernet cables.
 
 
 .daniel.schrock
 
 
 To Unsubscribe: send mail to [EMAIL PROTECTED]
 with unsubscribe freebsd-questions in the body of the message
 



msg15703/pgp0.pgp
Description: PGP signature


ipfw/natd questions

2003-01-15 Thread Redmond Militante

now i'm trying to set up a gateway box using ipfw/natd. i have 2 test machines - 
machine 1 has two nics, one's an integrated intel 1000 pro, the other is an old pci 
3com 3c905b. machine 1 has a static ip and hostname. machine 2 is virtually identical 
except it has only one nic - the intel 1000 pro integrated. machine 2 also has a 
static ip and hostname. i'd like machine 1 to act as a gateway/packet filtering 
firewall/natd box. i'd like to hook up machine 2 to the internal network interface 
card of machine 1 and be able to filter/log/divert packets bound for machine 2 through 
ipfw/natd on machine 1.

i've been basically following the instructions at 
http://www.mostgraveconcern.com/freebsd/ for 'setting up a dual-homed host'

- on machine 1, ifconfig returns

xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=3<rxcsum,txcsum>
inet 129.x.x.35 netmask 0xffffff00 broadcast 129.x.x.255
inet6 fe80::210:5aff:fec6:8bcb%xl0 prefixlen 64 scopeid 0x1 
ether 00:10:5a:c6:8b:cb
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=3<rxcsum,txcsum>
inet 10.20.155.1 netmask 0xffffff00 broadcast 10.20.155.255
inet6 fe80::206:5bff:fe80:985b%xl1 prefixlen 64 scopeid 0x2 
ether 00:06:5b:80:98:5b
media: Ethernet autoselect (none)
status: no carrier

i'd like xl0 to be my external nic, and xl1 to be my internal nic

-on machine 1, my /etc/rc.conf reads

ifconfig_xl0="inet 129.x.x.35 netmask 255.255.255.0"
ifconfig_xl1="inet 10.20.155.1 netmask 255.255.255.0"
gateway_enable="YES"
#required for ipfw support
firewall_enable="YES"
firewall_script="/etc/rc.ipfw"
firewall_type="open"
firewall_quiet="NO" #change to yes once happy with rules
firewall_logging_enable="YES"
#extra firewalling options
log_in_vain="YES"
tcp_drop_synfin="YES"
icmp_drop_redirect="YES"
natd_program="/sbin/natd"
natd_enable="YES"
natd_interface="xl0"
natd_flags="-f /etc/natd.conf"

- machine 1's kernel has been recompiled with the following options

#to enable ipfirewall with default to deny all packets
options IPFIREWALL
options IPFIREWALL_FORWARD
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=10
#to hide the firewall from traceroute
options IPSTEALTH
options IPDIVERT
#to hide from nmap
options TCP_DROP_SYNFIN

- machine's firewall_script, /etc/rc.ipfw, is taken from the tutorial mostly verbatim, 
the only part of it i changed was

# Suck in the configuration variables.
if [ -r /etc/defaults/rc.conf ]; then
. /etc/defaults/rc.conf
source_rc_confs
elif [ -r /etc/rc.conf ]; then
. /etc/rc.conf
fi

if [ -n "${1}" ]; then
firewall_type=${1}
fi

# Firewall program
fwcmd=/sbin/ipfw
# Outside interface network and netmask and ip
oif=xl0
onet=129.x.x.1
omask=255.255.255.0
oip=129.x.x.35

# Inside interface network and netmask and ip
iif=xl1
inet=10.20.155.0
imask=255.255.255.0
iip=10.20.155.1

# My ISP's DNS servers
dns1=129.x.x.1
dns2=165.x.x.21

# Flush previous rules
${fwcmd} -f flush

# Allow loopbacks, deny imposters
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
# If you're using 'options BRIDGE', uncomment the following line to pass ARP
#${fwcmd} add 300 pass udp from 0.0.0.0 2054 to 0.0.0.0

# Stop spoofing
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

# Network Address Translation. This rule is placed here deliberately
# so that it does not interfere with the surrounding address-checking
# rules. If for example one of your internal LAN machines had its IP
# address set to 192.0.2.1 then an incoming packet for it after being
# translated by natd(8) would match the `deny' rule above. Similarly
# an outgoing packet originated from it before being translated would
# match the `deny' rule below.
${fwcmd} add divert natd all from any to any via ${natd_interface}

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from 
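
The comment above the divert rule is the one piece of this script worth a worked check: the destination-side bogon denies run before natd rewrites the packet and the source-side denies run after it, and swapping that order silently drops every redirected connection. The Python model below is an added illustration for this thread, not FreeBSD or rc.firewall code. It stands natd in with a one-entry redirect table, uses 198.51.100.20 as an assumed placeholder for the masked public address 129.x.x.20 elsewhere on this page, and 203.0.113.9 as a constructed remote client.

```python
"""Why the natd divert rule sits between the two groups of bogon checks.

Added illustration for the rc.ipfw script in this thread, not FreeBSD code.
The script denies RFC 1918 destinations on the outside interface before the
divert and RFC 1918 sources after it. This model runs one inbound packet
through both orderings. natd is stood in for by a one-entry redirect table;
198.51.100.20 is an assumed placeholder for the masked 129.x.x.20.
"""
import ipaddress

OIF = "xl0"
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "0.0.0.0/8", "169.254.0.0/16", "192.0.2.0/24",     # draft-manning-dsua nets
    "224.0.0.0/4", "240.0.0.0/4",
)]
# natd -redirect_address 10.0.0.2 <public>: the public address on the outside
# NIC maps to the internal web server. 198.51.100.20 is an assumed placeholder.
REDIRECT = {"198.51.100.20": "10.0.0.2"}


def is_bogon(addr):
    """True if addr falls in any net the script denies on the outside interface."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in BOGON_NETS)


def natd_inbound(pkt):
    """What natd does to an inbound packet: rewrite a redirected public destination."""
    return {**pkt, "dst": REDIRECT.get(pkt["dst"], pkt["dst"])}


def inbound_verdict(pkt, divert_first):
    """Walk the outside-interface rules for an inbound packet.

    Returns (verdict, reason). divert_first=False is the order the script
    uses: destination bogon checks, divert, source bogon checks. With
    divert_first=True the divert is moved above the destination checks,
    which is the mistake the script's comment warns about.
    """
    if pkt["iface"] != OIF:
        return "allow", "not on the outside interface"
    stages = ["divert", "dst-bogon", "src-bogon"] if divert_first \
        else ["dst-bogon", "divert", "src-bogon"]
    for stage in stages:
        if stage == "divert":
            pkt = natd_inbound(pkt)   # ipfw resumes at the rule after the divert
        elif stage == "dst-bogon" and is_bogon(pkt["dst"]):
            return "deny", f"destination {pkt['dst']} is a bogon on {OIF}"
        elif stage == "src-bogon" and is_bogon(pkt["src"]):
            return "deny", f"source {pkt['src']} is a bogon on {OIF}"
    return "allow", f"forwarded to {pkt['dst']}"


# Constructed sample: a web request from the Internet to the redirected address.
WEB_REQUEST = {"iface": OIF, "src": "203.0.113.9", "dst": "198.51.100.20", "dport": 80}
# Constructed sample: a packet arriving on xl0 that claims a private source.
SPOOFED = {"iface": OIF, "src": "10.0.0.2", "dst": "198.51.100.20", "dport": 80}

if __name__ == "__main__":
    print("script order  :", inbound_verdict(WEB_REQUEST, divert_first=False))
    print("divert first  :", inbound_verdict(WEB_REQUEST, divert_first=True))
    print("spoofed source:", inbound_verdict(SPOOFED, divert_first=False))
```

Run it and the same web request is allowed under the script's order but denied once the divert is moved above the destination checks, because the translated destination 10.0.0.2 now falls inside the deny for 10.0.0.0/8. The spoofed packet is caught in both orders by the source check that sits after the divert, which is why that second group of denies is placed where it is.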

apache mod_rewrite not registering configuration change

2002-12-27 Thread Redmond Militante
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

hi all

i was using this code in my httpd.conf

#
# Redirect allows you to tell clients about documents which used to exist in
# your server's namespace, but do not anymore. This allows you to tell the
# clients where to look for the relocated document.
# Format: Redirect old-URI new-URL
# 

RewriteEngine on 
rewriterule ^(/folderatlocation1/.*) http://location2.org$1; [r]

this points mod_rewrite to rewrite all requests for any documents in 
'folderatlocation1' to http://location2.org/(equivalent folder)

i modified the httpd.conf file today to


RewriteEngine on 
rewriterule ^(/folderatlocation1/.*) http://location3.org$1; [r]

here i want to point mod_rewrite to location3.org instead of location2.org

i did 'apachectl graceful', and mod_rewrite still points to the old location.  i did a 
couple of reboots, it still points to the old location.

am i missing something?  like a cache someplace that i have to flush to get 
mod_rewrite pointing to a new location after editing it?

thanks for any advice

redmond





-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.7 (FreeBSD)

iD8DBQE+DQoqFNjun16SvHYRAjNFAKCSlK69PiQEzPEx4ciz5p2BTAm60QCeKF2r
zJDl876TTTSfwmrL4+DQZxY=
=LEwl
-END PGP SIGNATURE-



msg13441/pgp0.pgp
Description: PGP signature


portsentry KILL_RUN_CMD

2002-12-17 Thread Redmond Militante
hi all

i'm configuring portsentry and i wanted to set the value of the KILL_RUN_CMD option to 
reverse finger a scanning host.  can somebody tell me what the correct syntax this 
would be in this file?

thanks



msg12345/pgp0.pgp
Description: PGP signature


dell poweredge 1650

2002-11-07 Thread Redmond Militante
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

hi all

we're thinking of buying a dell poweredge 1650 at work to be our new webserver. i'd 
like to run the most recent version of freebsd RELENG_4_7, apache, and proftpd on it. 
our site has approximately 45000-50000 documents on it, and receives about 90000 hits 
a day. we host about 10 php/mysql database apps, i am not sure whether or not we will 
maintain a separate box for mysql. we probably will, though. i am listing the hardware 
quote below - any thoughts you guys may have, particularly in relation to hardware 
compatibility and processing requirements would be highly appreciated.

here are the server specs.

PowerEdge 1650,Intel Pentium III,1.26GHz w/512K Cache
165126 - [ 220-8249 ]
Additional Processors:
Dual Processor Intel Pentium III,1.13GHz w/512K Cache
2P113 - [ 311-1478 ]
Memory:
512MB SDRAM,133MHz,2X256MB DIMMs
512M2D - [ 311-1480 ]

PCI Riser:
PCI Riser,1x64bit/66MHz slot and 1x32bit/33MHz slot
32BPCI - [ 430-0289 ]
First Hard Drive:
36GB 10K RPM Ultra 160 SCSI Hard Drive
36GB10 - [ 340-3599 ]
Primary Controller:
PERC3-DI,128MB Battery Backed Cache,1 Int,1 Ext Channels- Embedded RAID
ROMB128 - [ 340-3605 ]
Dual On-Board NICs
OBNICS - [ 430-8991 ]
CD ROM or DVD ROM:
24X IDE Internal CD ROM Drive
CD24X - [ 313-0317 ]

Hard Drive Backplane:
3 Bay (1x3) Hot Plug SCSI Hard Drive Backplane
1X3BKPL - [ 311-1586 ]

Second Hard Drive:
36GB 10K RPM Ultra 160 SCSI Hard Drive
36GB10 - [ 340-3599 ]
Secondary Controller:
Single Fibre Channel Host Bus Adapter,Copper 2200/66
FHBA1C6 - [ 340-7360 ]
Hard Drive Configuration:
On-Board RAID5,3 drives connected to on-board RAID
MR5 - [ 340-3608 ]
Third Hard Drive:
36GB 10K RPM Ultra 160 SCSI Hard Drive
36GB10 - [ 340-3599 ]

regards,

redmond
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.7 (FreeBSD)

iD8DBQE9yn1uFNjun16SvHYRAm1TAJ9FsMWozrhmTUmfFWgoq2+p38tcjwCfexCF
pAkM+WX5XJCRSodI+UoMJAk=
=XcSv
-END PGP SIGNATURE-



msg08079/pgp0.pgp
Description: PGP signature


need help with ipfw rules

2002-10-21 Thread Redmond Militante

hi all

my apologies, this could get long as i'm including the text of various
config files:

i've been trying to learn ipfw. i've recompiled a kernel with the
following options

options ICMP_BANDLIM
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPDIVERT
options TCP_DROP_SYNFIN
options IPFIREWALL_FORWARD
options IPSTEALTH
options DUMMYNET

my rc.conf:

# This file now contains just the overrides from /etc/defaults/rc.conf.
defaultrouter="1.1.1.1"
gateway_enable="YES"
hostname="hostname.com"
ifconfig_xl0="inet 1.1.1.1 netmask 255.255.255.0"
inetd_enable="YES"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
firewall_type="open"
firewall_quiet="NO"
tcp_drop_synfin="NO"
firewall_logging_enable="YES"
icmp_drop_redirect="YES"
log_in_vain="YES"
sendmail_flags="-bd"
kern_securelevel_enable="NO"
linux_enable="YES"
moused_enable="YES"
moused_port="/dev/psm0"
moused_type="auto"
nfs_reserved_port_only="YES"
saver="logo"
sendmail_enable="YES"
sshd_enable="YES"
usbd_enable="YES"
portmap_enable="YES"
nfs_server_enable="YES"
mountd_flags="-r"

i haven't edited rc.firewall

this machine is a combinationi desktop/web/ftp/nfs server. my
/etc/ipfw.rules looks like

ipfw add allow ip from any to any
ipfw add allow ip from 127.0.0.1 to 127.0.0.1 vua lo0
ipfw add allow udp from any to any 53
ipfw add check-state
ipfw add allow tcp from any to any 80 setup keep-state
ipfw add allow tcp from any to any 53 setup keep-state
ipfw add allow tcp from any to any 21 setup keep-state
ipfw add allow tcp from any to any 22 setup keep-state
ipfw add allow tcp from any to any 25 setup keep-state
ipfw add allow tcp from any to any 110 setup keep-state
ipfw add allow tcp from any to any 587 setup keep-state
ipfw add allow tcp from any to any 3306 setup keep-state
ipfw add allow tcp from any to any 10000 setup keep-state
ipfw add reject tcp from any to any
ipfw add allow udp from any to any 53
ipfw add allow icmp from any to any icmptypes 0,3,4,8,11
ipfw add deny log logamount 5000 ip from any to any

(i was following phoenix's and kirk's ipfw advice in another thread)

i've also added

!ipfw
*.* /var/log/firewall.log

to /etc/syslog.conf, touch /var/log/firewall.log, and restarted syslogd.

upon reboot, the machine hangs in 3 different places during the bootup
process.  my bootup messages look like:

[snip]
additional network daemons:mountd oct 21 15:27:47 hostname mountd[96]: get
hostname failed for www3
oct 21 15:27:47 hostname mountd[96]: bad host www3, skipping
oct 21 15:27:47 hostname mountd[96]: bad exports list line
/mnt/drive2/dailybackup www3
nfs on reserved port only=YES nfsd rpc.statd
[snip]

here it hangs on mountd for a minute or two, then proceeds

[snip]
starting standard daemons: inetd cron sshd usbd sendmail
sendmail-clientmqueue
[snip]
here it hangs on sendmail and sendmail-clientmqueue, then proceeds

it then hangs for hours at 'recovering vi sessions:'.
it eventually boots all the way through after a few hours.

this is not workable for me. i've switched my /etc/ipfw.rules to

ipfw add allow ip from any to any
ipfw add allow udp from any to any 53

temporarily, so that i can use the machine, but would like to have a set
of basic ipfw rules in place.

can anyone tell me where i'm going wrong? i think it's hanging on the
bootup process because my ipfw.rules are messed up.

thanks
redmond

Redmond Militante
Northwestern University, Evanston, IL. USA
[EMAIL PROTECTED]
847-467-7617





Re: need help with ipfw rules

2002-10-21 Thread Redmond Militante
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

hi
thanks for responding

On Mon, Oct 21, 2002 at 09:16:36PM -0400, Dan Pelleg expatiated with great perspicuity:
 
  hi all
  
  my apologies, this could get long as i'm including the text of various
  config files:
  
  i've been trying to learn ipfw. i've recompiled a kernel with the
  following options
 
 
  ipfw add allow ip from any to any


typo
 
 Do you really want to allow everything in, or is this just a typo?
 If this rule is really in effect, the rest of the rules are
 not doing anything.
 
  ipfw add allow ip from 127.0.0.1 to 127.0.0.1 vua lo0
 
 I'm assuming vua is a typo - should be via.


typo again
 
  ipfw add allow udp from any to any 53
  ipfw add check-state
 
 You're not letting DNS replies to come back. You are allowing the queries
 to go *out*, but when the remote server's reply packets hit the firewall
 they have port 53 on the *source* address, not on the destination.
 So they don't match that rule anymore and are discarded.
 
 What you probably want instead is:
 ipfw add allow udp from any to any 53 keep-state
 


i changed this line.  boots up fine.  webserver, ssh, nfs, mail, etc. work.  there's 
only one problem i noticed right off the bat - it looks like ftp users can 
authenticate fine, but when their ftp client tries to bring up a list of files in 
their ftp directories, it hangs at 'getting file list...'

any ideas on how to fix?

thanks
redmond 
 Another point: you're not using the divert rule for natd,
 and I see you have NAT enabled in your rc.conf. This is likely to
 be a problem later (well, you'll just not have NAT).
 
 A very good resource for this is /etc/rc.firewall. Just try
 to follow what the CLIENT, SIMPLE and OPEN targets
 do, or even let them run, then output the generated ruleset
 and use it as the skeleton of your own ruleset.
 
 Another useful debugging tool is ipfw show - typed repeatedly to watch
 which counters increased and so to know which rules were hit.
 Once you get into stateful filtering, you'll want ipfw -d show.
 
 Having said that, good ol' tcpdump is always handy to have around.
 Just fire up tcpdump -ni XXX with XXX for your external interface
 and see what's going out and what's coming in. Once you start
 firewalling for a network, a tcpdump -ni III with III being
 the internal interface becomes useful as well, either in itself
 or in addition to the external-watching tcpdump.
 
 --
  Dan Pelleg
 
 
 
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.7 (FreeBSD)

iD8DBQE9tK3rFNjun16SvHYRAnSNAJ9RPPcFelXQwS3R7ELFN+A8UdEWDwCgsJWS
3TUBFhcGrtRa9eCIrhrnv0w=
=07L+
-END PGP SIGNATURE-



msg05849/pgp0.pgp
Description: PGP signature
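
Two points made in these threads come down to first-match evaluation and packet direction: the reply at the top that a stateless rule set needs one rule for the packet going out and another for the packet coming back (and that IPFIREWALL_DEFAULT_TO_ACCEPT turns every non-matching packet into a pass), and Dan's explanation that a DNS reply carries port 53 as its source port, not its destination port, so `allow udp from any to any 53` never admits it. The Python below is an added model written for this page, not ipfw or FreeBSD code: an ordered rule list with in/out direction, `setup`, and a dynamic flow table standing in for check-state/keep-state. The gateway address 129.105.51.35 and the resolver 129.105.49.1 are the ones shown in the thread; the ephemeral port 49152 and the client 203.0.113.7 are made up.

```python
"""Minimal first-match packet filter in the spirit of ipfw(8).

Added illustration for this thread, not FreeBSD code: it models rule order,
the in/out direction, and check-state/keep-state dynamic rules, nothing else.
Addresses are the ones the thread shows (gateway 129.105.51.35, resolver
129.105.49.1); the ephemeral port 49152 and client 203.0.113.7 are made up.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str          # "in" or "out", as seen by the firewall host
    syn_only: bool = False  # TCP SYN without ACK, what ipfw calls "setup"


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow", "deny" or "check-state"
    proto: str = "ip"                # "ip" matches every protocol
    src: str = "any"                 # "any" or a CIDR prefix
    sports: frozenset = frozenset()  # empty set means any port
    dst: str = "any"
    dports: frozenset = frozenset()
    direction: str = ""              # "" matches both directions
    setup: bool = False
    keep_state: bool = False


def _addr_ok(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _matches(rule, pkt):
    return (rule.proto in ("ip", pkt.proto)
            and _addr_ok(rule.src, pkt.src) and _addr_ok(rule.dst, pkt.dst)
            and (not rule.sports or pkt.sport in rule.sports)
            and (not rule.dports or pkt.dport in rule.dports)
            and (not rule.direction or rule.direction == pkt.direction)
            and (not rule.setup or pkt.syn_only))


def _flow(pkt):
    # Direction-independent key, so a reply hits the entry its request created.
    return (pkt.proto, frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)}))


class Firewall:
    """Evaluate packets against an ordered rule list; the first match wins."""

    def __init__(self, rules, default="deny"):
        self.rules = list(rules)
        self.default = default   # "deny" unless the kernel has IPFIREWALL_DEFAULT_TO_ACCEPT
        self.dynamic = set()     # flows admitted by a keep-state rule

    def filter(self, pkt):
        """Return (verdict, index of the matching rule or None for the default)."""
        for i, rule in enumerate(self.rules):
            # check-state, and every keep-state rule, first consults the dynamic table
            if (rule.action == "check-state" or rule.keep_state) and _flow(pkt) in self.dynamic:
                return "allow", i
            if rule.action == "check-state":
                continue
            if _matches(rule, pkt):
                if rule.keep_state and rule.action == "allow":
                    self.dynamic.add(_flow(pkt))
                return rule.action, i
        return self.default, None


def dns_exchange(fw):
    """Outbound DNS query from the gateway, then the resolver's reply; returns both verdicts."""
    query = Packet("udp", "129.105.51.35", 49152, "129.105.49.1", 53, "out")
    reply = Packet("udp", "129.105.49.1", 53, "129.105.51.35", 49152, "in")
    return fw.filter(query)[0], fw.filter(reply)[0]


DNS = frozenset({53})
# The thread's 'allow udp from any to any 53': matches the query (dst port 53)
# but not the reply, whose port 53 is the source port.
STATELESS = [Rule("allow", "udp", dports=DNS)]
# Stateless done as the first reply describes: a second rule for the return packet.
STATELESS_FIXED = STATELESS + [Rule("allow", "udp", sports=DNS, direction="in")]
# Dan's suggestion: keep-state creates a dynamic entry the reply matches.
STATEFUL = [Rule("check-state"), Rule("allow", "udp", dports=DNS, keep_state=True)]
# A blanket allow as the first rule shadows everything after it.
SHADOWED = [Rule("allow"), Rule("deny", "tcp", dports=frozenset({23}))]

if __name__ == "__main__":
    for name, rules in [("stateless", STATELESS), ("stateless+reply", STATELESS_FIXED),
                        ("keep-state", STATEFUL)]:
        print(f"{name:16} query/reply -> {dns_exchange(Firewall(rules))}")
    telnet = Packet("tcp", "203.0.113.7", 40000, "129.105.51.35", 23, "in", syn_only=True)
    print("shadowed ruleset: telnet SYN ->", Firewall(SHADOWED).filter(telnet))
```

`dns_exchange` sends a query out and the reply back in: under the single stateless rule the reply is dropped, under the stateless set with an explicit reply rule or under keep-state it is admitted, and with `allow ip from any to any` as the first rule a telnet SYN that a later deny should catch is accepted at rule 0. Constructing the firewall with `default="allow"` reproduces what DEFAULT_TO_ACCEPT does to that dropped reply: it passes without any rule matching it.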


favorite security software

2002-10-18 Thread Redmond Militante
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

hi

just wanted to get people's opinions - 

i'm probably going to configure ipfw on a new box.  this box is a combo web/ftp/mysql 
box.  

do people have any favorite security software that they always run in addition to ipfw 
or ipfilter?

thanks for any feedback you may have

redmond
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.7 (FreeBSD)

iD8DBQE9sJv2FNjun16SvHYRAleLAJ462zDoYIsHaaK8XEd88WCsd2ThIQCdHltt
SbbvP0NcNGQdgapf4wn5pRo=
=4g9N
-END PGP SIGNATURE-



msg05679/pgp0.pgp
Description: PGP signature