Re: Change gateway

2008-04-24 Thread Steve Bertrand
> I'm trying to set the gateway 10.0.253.1 to the host 10.0.253.161/27 but I've received the answer:
>
> # route flush
> # route add default 10.0.253.1
>
> route: writing to routing socket: Network is unreachable
>
> The gateway and the host are connected in the same switch


Even though the physical connection is the same, the .1 address is in a 
different subnet entirely than .161, due to the /27 prefix length.


10.0.253.160/27 encompasses 161-190. It's a good thing FreeBSD breaks in 
this case ;)


You will need to change your prefix length to /24 on the host, or add a 
secondary IP from the 160/27 range to the gateway to make this work.


Regards,

Steve
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: PPPoe trick?

2008-04-16 Thread Steve Bertrand

> We (an ISP) have already established PPPoe internet connection and have many
> users.


PPPoE...you mean that you are an established Internet Provider that 
supplies xDSL connections that require authentication to several users, 
to which your termination point resides on a FreeBSD box?



> I want my users to view our web site very first time of their web cruising
> progress.


Sure, what's the site? We can make sure of it.


> Is there any possibility of it?


Absolutely. There are numerous solutions to this issue, but it would 
help significantly if you let us know what services you have running 
under the guidance of FreeBSD that you need help with.


For instance, are you trying to hijack all of your user traffic destined 
for port 80 at the transport layer as soon as they log in?


Any information regarding FreeBSD would be most beneficial.

Steve


Re: network configuration problem

2008-04-08 Thread Steve Bertrand

Warren Block wrote:
> On Tue, 8 Apr 2008, Steve Bertrand wrote:
>> If you ever need to add any other workstations to the network, you
>> will want to ensure that the IP you added to FreeBSD manually does not
>> fall within the DHCP scope of the gateway.
>>
>> For instance, if you plug a Windows PC into the gateway, it will by
>> default request an address via DHCP. If the gateway provides the
>> Windows PC the same address as FreeBSD, you will have communication
>> problems.
>
> It's neater and safer to keep static and dynamic addresses in separate
> ranges, but often not strictly necessary.


I agree, however, my rule of thumb is to not trust hardware to strictly 
adhere to proper standards or RFCs, especially when it comes down to CPE ;)


Anyone who has managed a sizable network will know that not properly 
managing things like this manually is asking for trouble.


Cheers,

Steve


Re: network configuration problem

2008-04-08 Thread Steve Bertrand

Johannes-Maria Kaltenbach wrote:
> Hello,
>
> many thanks for your help.
>
> The problem was already solved with the first answer I read
> by Steve Bertrand,

Derek does have an important point.

If you ever need to add any other workstations to the network, you will 
want to ensure that the IP you added to FreeBSD manually does not fall 
within the DHCP scope of the gateway.


For instance, if you plug a Windows PC into the gateway, it will by 
default request an address via DHCP. If the gateway provides the Windows 
PC the same address as FreeBSD, you will have communication problems.


Regards,

Steve


Re: network configuration problem

2008-04-08 Thread Steve Bertrand

> I've bought a router/gateway from my provider (Telekom/T-Online)
> which is called "Speedport W 502V Typ A" and has the ip address
> 192.168.2.1; it is connected to an ethernet card (rl0).


192.168.2.1/24 is in a different network than 192.168.10.1/24. Your 
gateway and your workstation will not be able to communicate with one 
another.



> Then I assigned an address (e. g. 192.168.10.1) to the ethernet card
> with the help of
>
> and made it the default route:
>
> route add default 192.168.10.1


You essentially gave yourself an address outside of the gateway's LAN 
address scope, and then proceeded to route all unknown traffic to yourself.


You probably want:

# ifconfig rl0 inet 192.168.2.100 netmask 255.255.255.0

...and

# route add default 192.168.2.1

Then, for name resolution:

# echo "nameserver ip.of.isp.dns" >> /etc/resolv.conf

Regards,

Steve
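
Added example, not part of the original posts: the on-link check behind both this reply and the "Change gateway" reply above, worked in Python for the address pairs quoted in each. The function name `gateway_report` is an assumption of this example; it handles IPv4 only and also computes the longest prefix that would put host and gateway in one subnet.

```python
import ipaddress


def gateway_report(host_cidr, gateway):
    """Describe whether `gateway` is directly reachable from `host_cidr`.

    A default route can only point at a next hop inside a subnet configured
    on one of the host's interfaces; otherwise the kernel has no way to
    reach the next hop and refuses the route.
    """
    iface = ipaddress.IPv4Interface(host_cidr)
    gw = ipaddress.IPv4Address(gateway)
    net = iface.network

    # Usable host range: everything between the network and broadcast
    # addresses (a /31 or /32 has no such reserved addresses).
    if net.prefixlen >= 31:
        first, last = net[0], net[-1]
    else:
        first, last = net[1], net[-2]

    # Leading bits shared by host and gateway = longest prefix length that
    # would place both addresses in one subnet.
    differing = int(iface.ip) ^ int(gw)
    shared_prefix = 32 - differing.bit_length()

    return {
        "network": str(net),
        "first_host": str(first),
        "last_host": str(last),
        "gateway_on_link": gw in net,
        "longest_shared_prefix": shared_prefix,
    }


# Address pairs taken from the two threads.
CASES = [
    ("10.0.253.161/27", "10.0.253.1"),    # "Change gateway"
    ("192.168.10.1/24", "192.168.2.1"),   # original misconfiguration
    ("192.168.2.100/24", "192.168.2.1"),  # suggested fix
]

if __name__ == "__main__":
    for host, gw in CASES:
        r = gateway_report(host, gw)
        verdict = "on-link" if r["gateway_on_link"] else "NOT on-link"
        print(f"{host} -> {gw}: {verdict}; subnet {r['network']} "
              f"hosts {r['first_host']}-{r['last_host']}; "
              f"shared prefix /{r['longest_shared_prefix']}")
```
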


Re: Multihoming VPN endpoint

2008-03-25 Thread Steve Bertrand

> I have a question regarding setting up a VPN on a multihomed WAN link,
> we are thinking about setting up a site with two load balanced ADSL
> links that includes a site to site VPN.


Will this multi-home setup be co-ordinated with a single ISP?

The problem with this setup is that most ISPs cannot guarantee which 
LNS your ADSL will connect to, ingress traffic may not be load-balanced, 
or may not work at all.



> Does anyone have any experience in this kind of setup that could offer
> up any advice?


Yes, but we need a few questions answered first.

- one or more ISPs (are you looking for ISP redundancy)
- will this particular site be the VPN end point for the other sites 
(and do you have other ingress traffic to this site, ie web server, 
email server etc)
- is your ISP(s) co-operative when it comes to changing their network to 
suit its clients
- does your ISP(s) support multi-link (aka bonded, aka bundled) ADSL links
- are you looking strictly for load-balancing, or do you want redundancy too

If you don't get too far here, you may want to migrate the thread over 
to -net.


Regards,

Steve


Upgrading a removable disk installation

2008-02-29 Thread Steve Bertrand

Hi all,

I have a couple of systems that run from USB thumb sticks. These 
machines run 6.2.


I'd like to do a typical source upgrade to 7.0 on a test machine.

To do this, I plug the USB disk into a 'host' machine, and to save space 
on the thumb drive, I csup the sources to the standard locations on the 
host machine.


My thumb drive 'OS' slice is mounted as /var/removable-os on the host 
machine.


What I am unclear about is how I go about telling buildworld etc on the 
host machine that I want to install the updates to the 
/var/removable-os location, instead of the default '/'.


I know how to do this with sysinstall, but I'm not sure if I need to put 
an entry into /etc/make.conf, or use a command-line switch to get my 
desired results.


Can someone please help clarify how I go about this?

Steve


Re: routing question

2008-01-17 Thread Steve Bertrand
> Internet  -> [Hw Router]  (LAN1: 192.168.2.0/24)  ->  [
> 192.168.2.138 GatewayComp  192.168.0.1 ] -- (LAN2: 192.168.0.0/24)
> 
> I would like to access a computer from LAN1 to LAN2.

Perform the following and post the results of:

- ping from GatewayComp to pc on 0.0 network and a pc on 2.0 network
- ping from pc on 2.0 network to 192.168.0.1
- ping from pc on 0.0 network to 192.168.2.138
- sysctl -a net.inet.ip.forwarding (on the GatewayComp)

Steve


Re: (postfix) SPAM filter?

2007-12-12 Thread Steve Bertrand
>> * Once it is setup then it would require no additional maintenance.
>> * Potential spam messages are marked with a special header that can be
>> filtered on user discretion on their local mail client software.

> Yes, one recommendation for sure. Give up on your first goal. It'll
> never happen, because fighting spam is an arms race, with new tactics
> needing to be adopted.

Amen (or Ahem, or what BSDie would say). There will *ALWAYS* be
maintenance. If you are not developing new regexes and/or solutions to
fight the daily produced techniques that make up SPAM, then you are
implementing them.

If there is anyone who disagrees, then you likely have not dealt with
SPAM in an organization larger than a few thousand dispersed and
non-educated users.

If you have such, and you have no maintenance, then I beg your pardon.

> Others will talk about other packages. It's worth taking a look at
> each of them to figure out what works for you.

...agreed. It's also worth taking a look at ALL options, not just
'packages' to "figure out what works for you".

Steve


Re: (postfix) SPAM filter?

2007-12-12 Thread Steve Bertrand
Duane Hill wrote:
> On Wed, 12 Dec 2007 20:55:45 -0500
> Steve Bertrand <[EMAIL PROTECTED]> wrote:
> 
>> I was going to recommend that, but from my experience, there is no
>> real *easy* way to allow users directly to modify their own settings.
>> I am probably wrong though.
> 
> Postfix is running here on a FreeBSD server as a border filter server.
> All bayes and per-user SpamAssassin settings are stored within a MySQL
> database on our SQL server.
> 
> The web mail interface is SquirrelMail installed on a different FreeBSD
> server and has the sasql plugin interfaced to the MySQL server so the
> customers have control over what they want to set their spam score,
> whitelist, blacklist, whether they want bayes filtering, whether they
> want bayes autolearn and so forth.
> 
> It has been pretty low maintenance. I am in the process of evaluating
> the possibility of using amavis-new.

For myself, I've run a very similar environment with a lot of custom
hacked software to integrate it all. The reason I haven't upgraded yet
is because I've hacked so much of squirrelmail and other aspects of the
setup since 2004 that there will be no way for me to carry things over
(easily;)

Depending on what way one looks at it, it may be good or bad that I
don't really have time to follow what is happening with SPAM prevention
in regards to Open Source anymore.

I agree that SA/ClamAV/maildrop is an excellent setup, particularly
running atop of Qmail with VPOPMail etc.

I also have used Sendmail with milters and procmail to do the same
thing...extensively.

Realistically, it comes down to what the OP wants. I am but one operator
in a 'small' ISP. I also manage its support department. The truth is
that once the OP stated that budget wasn't an issue, and he wanted
essentially a turnkey solution, the easiest and most cost-effective
method that I have learned is to outsource it.

If you can afford the bandwidth to filter in house, then you can also
afford to have a 24*7*1hr support contract with a vendor so your support
staff can do some of your work for you (or play games).

If you can't afford bandwidth inbound, but still want your help-desk
staff and yourself available, outsource to someone or some entity who
specializes on only email security so they can filter before the mail
touches your network.

Otherwise, install/maintain yourself. Understand I am not trying to
negate the use/feasibility of any software. I am running with the fact
that cost for the OP is no issue. If that is truly the case, then why do
it yourself when you can pay someone else who knows better to do it for
you? The cost savings on headaches and lost time on downed equipment
alone are more than worth it.

...I'm being too business-minded, and too obtuse. Back to figuring out
why DBD::mysql won't compile on my legacy FreeBSD box I go...

Steve


Re: (postfix) SPAM filter?

2007-12-12 Thread Steve Bertrand
>> * Once it is setup then it would require no additional maintenance.
>> * Potential spam messages are marked with a special header that can
>> be filtered on user discretion on their local mail client software.
>>
>> Neither performance, scalability, license nor cost is of much
>> importance to me at this point.
>>
>> Any hints?
> 
> SpamAssassin (in the ports tree). It's relatively easy to set up and 
> can be used server wide or on an individual basis. Individuals can 
> also override site-wide settings. Links to setting up with postfix 
> can be found on the postfix site.

I was going to recommend that, but from my experience, there is no real
*easy* way to allow users directly to modify their own settings. I am
probably wrong though.

Another solution (which is also not a do-it-yourself), is
http://barracuda.com.

We switched from Postini to an internal Barracuda cluster and have never
looked back.

I might add that I personally run an ancient version of SpamAssassin on
my personal box which still works, and I have an upgraded box coming
down the pipe. I have no experience with having inexperienced users
manage their own account with it though.

Steve


Re: (postfix) SPAM filter?

2007-12-12 Thread Steve Bertrand
Sten Daniel Soersdal wrote:
> We have a need for a relatively painless anti-spam solution that would
> reduce the amount of incoming spam (via postfix mail router). The
> problem is that I have little knowledge on what this actually means.
> Googling reveals a whole "universe" of interesting ways but what should
> I pursue?
> The things that are important to me are:
> 
> * Once it is setup then it would require no additional maintenance.
> * Potential spam messages are marked with a special header that can be
> filtered on user discretion on their local mail client software.
> 
> Neither performance, scalability, license nor cost is of much importance
> to me at this point.
> 
> Any hints?

No additional maintenance (less user add/delete)?:

http://www.postini.com

Unfortunately, it's been years since I've used their services so I can't
remember if they have the ability to mark and pass.

It's a hands-off solution that works.

Steve


Re: /tmp: filesystem full

2007-12-12 Thread Steve Bertrand
>> Apparently someone out there keeps trying to resend that awful
>> huge mail file, so whenever you restart, it gets stuck in that
>> same condition.  If you can track down the source of the file,
>> either nuke it or block it.

In addition to finding the actual cause of the problem, you may want to
consider symlinking /tmp under a larger partition until the problem is
resolved.

Steve


Re: Secure remote shell

2007-11-28 Thread Steve Bertrand
>> Although sudo and SSH are part of the solution, providing a web server
>> with full rights on a remote server if they can gain keyless entry is a
>> large mistake.
> 
> Steve,
> at no point does the original email say "we need to execute user
> input".  sudo does not equate to providing full rights. I suggest
> reading the manpage. check yourself before you wreck yourself.

I apologize, you are correct.

Perhaps I was in a different context. I was assuming that data passed
via a web browser was in fact data that needed to be executed as the
user (web server context).

"Registering users is done via a web page, and the web server will
remote execute a script on the mail server to add the users in the
aliases and run newaliases, remote execute a script to the radius
server to add the user in the radius tables and restart radius, etc."

Pardon my ignorance, I don't regularly use sudo. However, depending on
how the user is being added to the mail and/or RADIUS server, if the web
server has root auth via sudo to adduser, does that not allow the web
server to create a user within whatever group it wants to?

> check yourself before you wreck yourself

Fair enough. Strong statement, I'll stand by it if necessary :)

A legitimate question:

If I add user 'www' to 'sudoers' with the ability to run adduser, does
that not give user 'www' to put the added user in a group, perhaps wheel?

If said commands are passed via 'user' to web browser to web server, run
within context of the web server user, and web server user has sudo
rights to the remote box, does that not mean that the server is
essentially 'executing user input'?

Steve


Re: Secure remote shell

2007-11-28 Thread Steve Bertrand
> ssh using key authentication and sudo configured to allow a certain
> user to run the needed commands and only the needed commands as root.
> http://www.gratisoft.us/sudo/
> http://sial.org/howto/openssh/publickey-auth/

Yes but in the OP's context, providing this would mean that ANY command
supplied via the web interface would be allowed whether SSH or sudo was
used to perform the remote execution via the web server.

IMHO, there needs to be a distinctive separation as the 'support'
person's request comes via the browser. If it is an 'adduser' type
request, all aspects (mail, radius etc) need to have their own
input-type authentication/authorization check on the input.

Although sudo and SSH are part of the solution, providing a web server
with full rights on a remote server if they can gain keyless entry is a
large mistake.

Tunnel via SSH, and escalate via sudo are both good ideas. But I think
in the OP's context, there needs to be some intensive checks and bounds
in between that make it *harder* for him to achieve his goals than what
it could be.

I don't think anyone would want the following scenario:

- you pass https://url.com?blah&blahetc to webserver
- webserver, via password-less ssh executes via sudo a command on remote
RADIUS/mail to introduce a new user, perhaps in wheel group
- owned

Steve


Re: Secure remote shell

2007-11-28 Thread Steve Bertrand
> What other solution would you suggest to execute a shell remotely as
> root, that could be automated in a script (no password required).

- have information input into browser
- have web server save information to server disk in non-executable format
- have script (or admin) authenticate/authorize commands to be performed
(recommend doing this manually for a while to ensure you capture as many
escape type bugs as possible)
- have commands via another script scrubbed/cleaned/tested
- have cron perform commands at every X minutes

Dirty, but it works. Just ensure that your input variables are very
clean during the request, and their storage.

All this said, I have an environment that may *semi* relate to what you
are doing.

It appears you are running your mail with sendmail on one box, RADIUS on
another, and perhaps your web interface on yet another. Is this correct?
Perhaps it's all on the same box...

Can you state:

- mail server software
- RADIUS software
- web interface (server) software

...assuming further, the web interface is custom right?

How many users do you have? How many support people? Perhaps you could
mail me off-list to discuss, as myself, and my support staff just went
through this last year, and are just finishing up the details.

Steve
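
The queue-and-vet flow listed in this reply, as an added example (not code from the thread). The JSON-lines queue format, the action names and the wrapper paths under /usr/local/sbin are assumptions of this example; the privileged side accepts only a fixed action set and a strictly shaped username, never a group or a command string, which addresses the wheel-group concern raised in the replies above.

```python
import json
import re

# Hypothetical single-purpose wrapper scripts on the mail/RADIUS hosts.
# The web server never names a command; it can only pick one of these keys.
ACTIONS = {
    "add_mail_alias": ["/usr/local/sbin/add-mail-alias"],
    "add_radius_user": ["/usr/local/sbin/add-radius-user"],
}
ALLOWED_FIELDS = {"action", "username"}
# Starts with a letter, so it can never be read as an option or a path.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_-]{2,15}")
RESERVED = {"root", "toor", "wheel", "operator", "daemon", "www"}


def vet_request(line):
    """Return (argv, None) for an acceptable request, else (None, reason)."""
    try:
        req = json.loads(line)
    except ValueError:
        return None, "not valid JSON"
    if not isinstance(req, dict):
        return None, "not an object"
    extra = set(req) - ALLOWED_FIELDS
    if extra:
        # e.g. a "group" field: group membership is not the web tier's call.
        return None, "unexpected field(s): " + ", ".join(sorted(extra))
    action = req.get("action")
    if not isinstance(action, str) or action not in ACTIONS:
        return None, "unknown action"
    user = req.get("username")
    if not isinstance(user, str) or not USERNAME_RE.fullmatch(user):
        return None, "bad username"
    if user in RESERVED:
        return None, "reserved username"
    # argv list, never a shell string: nothing in it is re-parsed later.
    return ACTIONS[action] + [user], None


def vet_queue(lines):
    """Split queued request lines into approved argv lists and rejections."""
    approved, rejected = [], []
    for number, line in enumerate(lines, start=1):
        argv, reason = vet_request(line)
        if argv is None:
            rejected.append((number, reason))
        else:
            approved.append(argv)
    return approved, rejected


# Constructed sample queue, as the web server might have written it to disk.
SAMPLE_QUEUE = [
    '{"action": "add_mail_alias", "username": "jsmith"}',
    '{"action": "add_radius_user", "username": "jsmith", "group": "wheel"}',
    '{"action": "add_mail_alias", "username": "jdoe; id"}',
    '{"action": "adduser", "username": "mallory"}',
    '{"action": "add_radius_user", "username": "root"}',
    'not json at all',
]

if __name__ == "__main__":
    ok, bad = vet_queue(SAMPLE_QUEUE)
    for argv in ok:
        # The cron job would hand argv to subprocess.run(argv) with no shell.
        print("would run:", argv)
    for number, reason in bad:
        print(f"rejected line {number}: {reason}")
```
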


Re: ...WELL, latest adventures of The Gary in the Dell

2007-11-28 Thread Steve Bertrand
>   And this is to all the wizards on-list:  Why does Gnome take
>   minutes to load?   Yes, I finally got 6.3-PRERELEASE to boot
>   after learning that Dell has problems with its serial ports
>   (and Unix).  I did see a few postings about the increased
>   delay time to bring up the windowing system, but didn't know it 
>   would apply to 6.3 

Since I don't run any windowing system on any of my FBSD boxen, I may be
way off here, but could this load time be due to DNS timeouts of some sort?

Many things hang if they can not resolve names, perhaps this could be
part of the issue?

Steve


Re: routing problem

2007-11-21 Thread Steve Bertrand
Alaor Barroso de Carvalho Neto wrote:
> Sorry,
>  searchdomain ...
> nameserver 192.168.1.2
> 
> not 192.168.1.1 as I've said before.

What about:

# dig @192.168.1.2 google.ca

Also, I don't know if it has any impact, but my resolv.conf shows just
'search mydomain.com' as opposed to searchdomain. Perhaps you could fix
that to see if it helps.

Steve



Re: routing problem

2007-11-21 Thread Steve Bertrand
Alaor Barroso de Carvalho Neto wrote:
> If I turn off linux and set the rl0 to 192.168.1.1 it
> stop resolving names but can ping to anywhere. Help!!!
> in the rc.conf
> gateway_enable="YES"
> defaultrouter="X.X.X.X"

I don't know if I quite understand on which machine things are breaking,
but if it is a FreeBSD box, can you post the output to:

# cat /etc/resolv.conf

...and

# dig @192.168.1.2 google.ca

Steve


Re: arbitrary build can't find libs - right way to do this?

2007-11-20 Thread Steve Bertrand

> I'd love to (submit a port), but how do I make a port if I can't even
> get it to work the first time myself?
> configure --includedir=/usr/local/include doesn't work;
> export CPATH =/usr/local/include doesn't work;
> export CPPFLAGS -l/usr/local/include doesn't work;
> I've checked the permissions,
> and I can see the file right there, but configure/gcc can't.  The
> developer swears something must be 'different' about freebsd because
> his gcc finds the same file in /usr/local/include.  Appears his system
> is gentoo...

Would you be able to provide access to a tarball of what you are trying
to compile/install for external testing so more eyeballs can see?

Steve


Data management (devel) and network size increase

2007-11-20 Thread Steve Bertrand
I know there are quite a few members here who have grown through ranks
and network size increases since I've joined this list, hence I'll ask
my question here. Pardon the length, but if you follow through, I'm
certain I'll get good feedback.

Problem:

Our network has grown exponentially in the last few years (without
extensive forward-looking thought), and I have development work, data
files etc on each server that has been implemented.

Todo:

Overhaul the entire network from Layer 1 up.

Need:

To be able to access data very quickly no matter what box I am on, and
to do it securely.

More in depth:

Let's assume I have 30 servers, all within one PoP. Instead of having to
SSH into server 'A' from server 'C' to look for a file I need for a
program I have written (or just a normal data file), I want a way that I
can have one source of ALL my data, then from ALL servers, be able to:

# find /home/steve -name file.name

Instead, I have to either remember (yeah, good luck), or guess what
server the file is on, look for it remotely, then scp it over.

For development, I had CVS set up at one point, but I found it to be too
much effort for my simple tasks (I was probably using it beyond what I
needed). I know about NFS, but I've heard it is a hassle to initially
configure and relatively insecure. (This is not my stand, and I'm
willing to be corrected).

Does anyone have some recommendations on how I can consolidate my data
(including development (almost all Perl)), so that it can be accessed as
I would a local directory tree? Beyond that, also a suggestion on
particularly the development files. If CVS is the way for that, I'll do
it, but file management/access is more important.

A key factor will be the ease of implementation of a new server into the
mix.

I have no problem throwing up a box with GELI, but it's gaining the
access to the data like it were a local drive I want to make easy.

Make sense?

Steve


Re: FreeBSD router and WCCP

2007-11-19 Thread Steve Bertrand
>> I am familiar with IPFW, but I'd like to know all options in order to
>> choose the best one.
>>
>> I would very much prefer to do this in a way without having to have
>> Squid running on the box, but will if I have to.
> 
> If filtering is all you want, you don't have to set up squid as a
> caching proxy. I.e. it won't need much RAM and disk space. I have
> yet to set up ICAP (with c-icap) in our workshop, but from
> discussions on squid mailing lists it seems ICAP is in a pretty
> usable state, both in squid 2.x and 3.x.

Essentially, I simply need a method to redirect layer 3/4 traffic
destined for anything:80 from the router to the appliance.

I've got a few options now, so I'll be testing all of them in the coming
days.

Thanks for your suggestions.

Steve


Re: FreeBSD router and WCCP

2007-11-19 Thread Steve Bertrand

> ipfw forwarding is a very easy way to redirect traffic without
> changing it. PF has similar functionality. It all depends on what
> the appliance supports. If wccp is the only way it can eat
> packets, try playing with gre(4). But maybe it'll consume just
> plain packets with "wrong" IP destinations arriving on its MAC
> address, just the way squid on FreeBSD does.
> 
> BTW, if the appliance supports ICAP, you'll be much better off
> running squid on a FreeBSD box and filtering content through
> ICAP.

The appliance does indeed have ICAP capabilities, but I have never
dabbled with it before.

I am familiar with IPFW, but I'd like to know all options in order to
choose the best one.

I would very much prefer to do this in a way without having to have
Squid running on the box, but will if I have to.

>> The filter will not be inline, and it will be an opt-in type service, so
>> only certain traffic will need to be redirected.
> 
> You'll be able to use ipfw or pf to tune the policies to a very
> fine degree.

Thanks for your help!

Steve


Re: FreeBSD router and WCCP

2007-11-19 Thread Steve Bertrand
Andrew Pantyukhin wrote:
> On Fri, Nov 16, 2007 at 12:48:52PM -0500, Steve Bertrand wrote:
>> Does anyone know of a way to configure WCCP redirect support into a
>> FreeBSD based router without having to install squid?
> 
> I've only used FreeBSD as a WCCPv1/v2 sink (receiver), but you
> can try sending out packets out of gre(4). That should probably
> work.
> 
> If you're trying to redirect traffic to another machine running
> squid, consider avoiding WCCP, it's not a very bright protocol.

Thanks for the response.

We are deploying a commercial appliance as a content filter, so I can
only assume that it is running a customized version of Squid but I don't
know.

Do you have any recommendation on what I should use if WCCP is not
recommended?

The filter will not be inline, and it will be an opt-in type service, so
only certain traffic will need to be redirected.

Tks,

Steve


Re: multihome network

2007-11-16 Thread Steve Bertrand
alexus wrote:
> i dont see any difference as at the end i still get this
> 
> 216.112.241.24/29  216.112.241.25 UGS 00   fxp1
> 
> in my netstat -rn, and no its still doesn't work...

This is not the point.

You need a route via the gateway that 216 is connected to for the REMOTE
IP/network. Say for instance your 'home' connection is:

64.39.177.22, then you need a route like this:

route add 64.39.177.22/32 $isp_gateway

What you have:

216.112.241.24/29  216.112.241.25 UGS 00   fxp1

...says '206.112.241.24/29 should be routed to 216.112.241.25'. That is
ALL it will route via that path.

Steve


Re: multihome network

2007-11-16 Thread Steve Bertrand
alexus wrote:
> my private IP that eventually resolves to public IP through PIX is
> different than coming from my other public IP that assigned on my fxp1
> that comes from another ISP, the fxp1 IP already configured this way
> so it pass everything to my box
> 
> what i've tried is adding route on my box
> 
> route add 216.112.241.24 216.112.241.25 255.255.255.248

Wait a minute...this doesn't look right...

Try this:

# route add $homeIP/$netmask $gateway

Where:

- if you have a static IP at 'home', $netmask should be /32, otherwise,
you'll need to shorten the prefix (such as /24). This will depend on
your 'home' Internet provider setup

- $gateway is the next hop upstream on the interface that has
216.112.241.x address on it.

Steve


FreeBSD router and WCCP

2007-11-16 Thread Steve Bertrand
Does anyone know of a way to configure WCCP redirect support into a
FreeBSD based router without having to install squid?

Steve


Re: multihome network

2007-11-16 Thread Steve Bertrand
Girish Venkatachalam wrote:
> On 00:18:42 Nov 16, alexus wrote:
>> Hello,
>>
>> I have two NICs on my box, one (primary) connected to switch and have
>> private IP. that IP also have a static route on Cisco PIX for
>> accessing this box from outside. the other interface has public IP
>> that is connected to another switch, i configure both IPs through
>> /etc/rc.conf, but I can not for some reason access my box through that
>> public IP, no firewall rules would prevent me from doing so. here is
>> my output for netstat -rn
>>

-- snip

> Your default route is 192.168.1.1 and not 216.112.241.24

Yes, but if he changes that, then he won't be able to access the box via
the PIX (private) connection.

I will make these assumptions, then elaborate:

The box in question is at your office. You are at home trying to access
it. The connection works by connecting to the public IP of the PIX (that
gets port-forwarded back), but does not work when accessing the direct
Internet facing port.

I'm willing to bet that if you run a tcpdump on your machine at home while
you are attempting the connection to the 216.112.241.x IP, you will actually
find that the machine is getting back to you just fine. However, many
OSes will drop a 'spoofed' packet. Essentially what is likely happening
is this:

- you send from home a packet to 216.112.241.x.
- the office router/box accepts it
- the office router looks up in its routing table a path back to your
home IP
- it has no particular route, so it sends it out the default gateway
(192.168.1.1)
- your pc at home notices that the packet was sent to a destination IP,
but it came back from a different one (the outside IP of the PIX)
- the packet is dropped as the source address is spoofed

There are a couple ways to fix this. The first and easiest is if you are
only trying to connect to this box's public IP from one location, add a
static route on the office box to that network that routes to its
public upstream.

The other way is to utilize policy-based routing. IPFW can do this, and
(from what I understand) so can PF. (In Cisco-land, you would use a
route-map).

Steve
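
The return path described above, and the effect of the `route add $homeIP/$netmask $gateway` fix from the "network configuration problem" reply, modelled as an added Python example (not part of the original posts). Only 192.168.1.1 comes from the thread; the home, public and PIX addresses are constructed placeholders from the documentation ranges, and the interface roles are assumptions.

```python
import ipaddress

# Constructed addresses (RFC 5737 documentation ranges) standing in for the
# thread's 216.112.241.x public side; 192.168.1.1 is the default gateway
# named in the thread.
HOME_IP = "203.0.113.10"          # remote admin's static home address
BOX_PUBLIC_IP = "198.51.100.26"   # address on the Internet-facing NIC (fxp1)
PUBLIC_GATEWAY = "198.51.100.25"  # upstream next hop on fxp1
PIX_OUTSIDE_IP = "192.0.2.1"      # address outbound traffic via the PIX appears from


class RoutingTable:
    """Destination-based forwarding table with longest-prefix match."""

    def __init__(self):
        self.routes = []  # (network, gateway, interface)

    def add(self, prefix, gateway, interface):
        self.routes.append((ipaddress.ip_network(prefix), gateway, interface))

    def lookup(self, destination):
        dest = ipaddress.ip_address(destination)
        matches = [r for r in self.routes if dest in r[0]]
        if not matches:
            raise LookupError("network is unreachable: " + destination)
        # The most specific (longest) prefix wins, so a /32 beats the default.
        return max(matches, key=lambda r: r[0].prefixlen)


def office_box_table():
    table = RoutingTable()
    table.add("0.0.0.0/0", "192.168.1.1", "fxp0")   # default route via the PIX
    table.add("192.168.1.0/24", None, "fxp0")       # connected, private side
    table.add("198.51.100.24/29", None, "fxp1")     # connected, public side
    return table


def reply_seen_at_home(table, client_ip, contacted_ip):
    """Return (egress interface, source the client sees, reply accepted?)."""
    _, _gateway, interface = table.lookup(client_ip)
    # As the post describes it: a reply that leaves through the PIX arrives
    # from the PIX's outside address instead of the address that was contacted.
    seen_source = PIX_OUTSIDE_IP if interface == "fxp0" else contacted_ip
    # The client matches a reply to its connection by source address, so a
    # reply from any other address belongs to no connection and is dropped.
    return interface, seen_source, seen_source == contacted_ip


def demo():
    table = office_box_table()
    before = reply_seen_at_home(table, HOME_IP, BOX_PUBLIC_IP)
    # Equivalent of: route add $homeIP/32 $gateway
    table.add(HOME_IP + "/32", PUBLIC_GATEWAY, "fxp1")
    after = reply_seen_at_home(table, HOME_IP, BOX_PUBLIC_IP)
    # Any other Internet client still follows the default route, which is
    # the case policy-based routing is meant to cover.
    other = reply_seen_at_home(table, "203.0.113.77", BOX_PUBLIC_IP)
    return before, after, other


if __name__ == "__main__":
    for label, result in zip(("before", "after", "other client"), demo()):
        print(label, result)
```
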


Re: cron/send mail question

2007-11-15 Thread Steve Bertrand
zbigniew szalbot wrote:
> Dear all,
> 
> What command (when using cron) should I invoke to automatically sent
> /var/log/exim/rejectlog file to a specified email address? I just need
> to analyze it and would best prefer to have it in my inbox in the morning.

The following should be on one line in crontab:

1 0 * * * mail -s "File contents" [EMAIL PROTECTED] < /home/steveb/file.name

It will send your file to you inline in an email at one minute after
midnight every day.

Steve


Re: OT: Beastie 3D-rendered

2007-11-12 Thread Steve Bertrand
cpghost wrote:
> On Mon, 12 Nov 2007 06:50:40 +
> Tino Engel <[EMAIL PROTECTED]> wrote:
> 
>> http://www.tilolit.de/images/tb/wallpapers/teufel.jpg
> 
> [snip]
> 
>> Nevertheless I can check out the author (he is german, too) and ask
>> him about the license issues...
> 
> It would be *really* great if the author not only agreed to put the
> rendering under a permissive license, but also considered releasing
> and licensing the (graphics/povray?) source code too. I'd love to
> experiment a little bit with that! ;)
> 
> Anyway, whatever comes out of it, kudos for the great find! :-)))

Amen to that! I just would like to put it on my desktop/use it legally!

Seriously, if someone here can gain the free rights to it and pass it
along, then we all can say 'yay beastie!'.

/* will keep hidden on desktop
 * until told not to.
 * Would be nice if someone says
 * that we can use it!!!
 */

Steve


Re: OT: Beastie 3D-rendered

2007-11-11 Thread Steve Bertrand
> Well, a couple of people think, I made this rendering.
> That is wrong... I just found it... (I NEVER mentioned having made it...)
> Though I do not know what license it falls under...
> I just wanted you to see it, cause I regarded it as beautiful...
> Nevertheless I can try to check out the license issues...

LOL

You post, and they will come...

At least you are honest about it :)

Steve


Re: OT: Beastie 3D-rendered

2007-11-11 Thread Steve Bertrand
Marc G. Fournier wrote:
> 
> 
> --On Sunday, November 11, 2007 20:55:18 + Tino Engel <[EMAIL PROTECTED]> 
> wrote:
> 
>> Look what happened to Beastie:
> 
>> http://www.tilolit.de/images/tb/wallpapers/teufel.jpg
> 
> Reminds me of a character from one of my kids tv shows ... cute :)

It's much better than what we have!

What license does it fall under?

What do the elders think?

Yay BSDie!

Steve


Re: OT: Beastie 3D-rendered

2007-11-11 Thread Steve Bertrand
Tino Engel wrote:
> Look what happened to Beastie:
> 
> http://www.tilolit.de/images/tb/wallpapers/teufel.jpg

COOL!!!

Can I use it?!?

Steve


Re: OT: disk clone app

2007-11-09 Thread Steve Bertrand
Jean-Paul Natola wrote:
> Hi everyone, sorry for the off-topic, but im ready to pull the last hairs off
> my head- a few months I downloaded an open source disk clone program for a
> friend of mine but it was like 3 am,  it worked great booted from floppy and
> cloned the drive-

g4u?

Steve


Re: New FreeBSD art?

2007-11-07 Thread Steve Bertrand
Giorgos Keramidas wrote:
> On 2007-11-07 13:49, James <[EMAIL PROTECTED]> wrote:
>> I know for sure. We shall rue the day beastie was ever demoted
>> to mere mascot.
>>
>> RUE I TELL YOU
> 
> The beastie is here[1] to stay, no worries...
> [1] 'Here' as in anywhere I can attach a sticker :-)

...and now I'll elaborate on my last reply...

After I had thought about my comment, I realized that it might have
implied that some of my boxen were unreliable because of FreeBSD.

Of course that is the farthest from the truth, due to the fact that I
have never had a failure due to the FreeBSD OS itself [1], but problems
always occur because of hardware failures. I still have boxen that run
FBSD 4.3 for legacy purposes, and it has *never* failed.

FreeBSD 4.3 - FreeBSD 6.2 currently in production. 7.0 in testing. It
just works. I was just hoping the BSDie logos would make my hardware
think twice about failing ;)

[1] -- unless it was my negligence or -current testing that I was doing
on non-production gear.

Yay for BSDie! This thread will eventually turn into a flame war, so I
may as well put in my piece now!

Steve


Re: New FreeBSD art?

2007-11-07 Thread Steve Bertrand
> It's just coincidence, but the many rack-mounted servers I've put a
> Beastie sticker on tend to run much smoother and reliably 

LOL, I thought there was a trick to it! I'll take about three dozen  ;)

Steve


Re: C compiler cannot create executables

2007-11-06 Thread Steve Bertrand
Rod Person wrote:
> I seem to have really hosed up my system somehow and I'm not sure what
> I did. I'm running FreeBSD 7 Beta 1 i386.
> 
> I was going to upgrade to Beta 2, but when ever I compile anything it
> fails and the last line is always:
> 
> configure: error: C compiler cannot create executables
> 
> I googled for awhile and found the suggestion to reinstall libtool, but
> that also fails with the same error.

I had this exact problem with a production box quite a while ago.

This was on a machine that was running 5.x.

What I did was remove one of the mirrored drives, booted it in another
machine. I put in a 6.x CD, ran sysinstall and did a binary upgrade.

This was the only way I could fix the problem. Since then, the same box
after being put back into production is currently running fine at 6.2.

If you have good backups, or even better, a RAID1 system, a binary
upgrade may be the easiest fix. It was for me.

Steve


Re: curious DNS behavior on a 7.0...

2007-11-01 Thread Steve Bertrand
>> however, right now "new" every website i browse is penalized with a 10-20 
>> second delay before the page finally starts loading.  tcpdump is full of 
>> these:

> wouldn't it be your browser requesting the IPv6 address?  you can check easy
> enough by pinging any website (which you haven't resolved yet) and see if u
> get the same calls.

Good observation.

> unless you are pointing your resolver to localhost, and  your local named is
> requesting the v6  records. Look into disabling this behaviour @
> named.conf.

I don't personally believe disabling this is the right approach.

For instance, I set up a test IPv6 IP on an interface on a 100Mbps LANx
WAN fast Ethernet connection. I then added an AAAA record to a named
server. Working from another server on the same physical network (albeit
different subnet across separate interfaces), the query time for both is
exactly the same.

Note that my resolver on 'cohiba' points to 208.70.104.3.

cohiba# dig AAAA lanx-fa1.ibctech.ca

lanx-fa1.ibctech.ca.    7087    IN      AAAA    3ffe:ff00:1::1
;; Query time: 0 msec

cohiba# dig lanx-fa1.ibctech.ca

;lanx-fa1.ibctech.ca.   IN  A
;; Query time: 0 msec


...Now, performing the same test, from the same server, using the same
DNS box looking for the exact same www site that the OP stated that was
a problem originally:

# INITIAL DNS LOOKUP

cohiba# dig www.srh.noaa.gov

; <<>> DiG 9.3.2 <<>> www.srh.noaa.gov
;; ANSWER SECTION:
www.srh.noaa.gov.   86400   IN  A   216.38.80.20

;; Query time: 210 msec
;; SERVER: 208.70.104.3#53(208.70.104.3)

# SPECIFIC IPv6 LOOKUP (no answer)

cohiba# dig AAAA www.srh.noaa.gov

; <<>> DiG 9.3.2 <<>> AAAA www.srh.noaa.gov

;www.srh.noaa.gov.  IN  AAAA

;; Query time: 102 msec


CONCLUSION:

If the last poster is right and it's only the browser that is failing because
it uses its own faulty internal DNS resolver, then this is obviously a
serious hindrance to the implementation of IPv6. Of course most 'users'
aren't on the 'Internet' if their MSN page doesn't display, and will
take the path of least cost to make it work ;)

I'm not a protocol expert, but from what I can tell, a web browser DNS
resolver/cache that works this way may also have quite an impact on the
view regarding usability of any OS as IPv6 becomes more prevalent, not
just FreeBSD.

I've never noticed these problems before. Running Portable Firefox on my
Windows XP workstation, I see the IPv6 and IPv4 address of all sites I
go to, if they are v6 enabled. However, I have 16^N variables involved
that make that an unfair evaluation.

-- Does anyone else have issues in this regard? Particularly, does
anyone else have IPv6 enabled, or better yet in use that can provide any
feedback?

Steve


Re: curious DNS behavior on a 7.0...

2007-11-01 Thread Steve Bertrand
Jonathan Horne wrote:
> reading the /etc/defaults/rc.conf, ipv6 appears disabled by default:
> 
> ### IPv6 options: ###
> ipv6_enable="NO"        # Set to YES to set up for IPv6.
> 
> however, right now "new" every website i browse is penalized with a 10-20 
> second delay before the page finally starts loading.  tcpdump is full of 
> these:
> 
> 20:38:57.915695 IP athena.dfwlp.com.59056 > castor.dfwlp.com.domain: 3505+ AAAA? www.srh.noaa.gov. (34)
> 
> aren't AAAA's ipv6 lookups?  as i mentioned in another thread, i can't get the
> kernel to compile right now (thus eliminating the INET6 line), so i'm trying
> to figure another way out to stop this behavior).

It's not required you remove IPv6 from the kernel in order to receive
proper DNS A record responses, and even if IPv6 name services take
precedence, it shouldn't cause such a delay (unless all of your
boxen/DNS servers point to the same forwarders that cause this issue).

I have several machines under 4.10 to 6.2, and at least two running 7.0
that are v6 enabled that don't have this issue.

I do run IPv6 in my network with a legitimate block, however, I do not
have any IPv6 name servers that contain any outside DNSv6 records.

That said, more particulars are needed to find out what is happening.

The most important thing to know in order to break this down is what
name server(s) are you using on this particular server to resolve names.

If you can post the output from the following whilst logged into one of
the problematic machines, it will likely help:

# cat /etc/resolv.conf

If your box is a DHCP client, I won't know what to look for in that
output. If by chance your box attains its IP information via DHCP, then
the next following output (particularly the last few lines) will help:

# dig www.srh.noaa.gov

Your AAAA queries may or may not be detrimental to the time in which you
receive your DNS responses. I would personally lean toward the latter,
given the lack of information.

Don't go about recompiling the kernel without v6 support yet. It seems
DNS is timing out for you somewhere, so post the above requested info
and it can go from there.

Steve
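
One way to find where the lookups in this thread stall, as an added Python example (not from the original posts): it pairs DNS queries with responses in tcpdump text output and reports, per record type, how many queries were retransmitted or never answered. The capture is constructed sample data modelled on the line quoted in the thread, and the function names are this example's own.

```python
import re
from collections import OrderedDict

# Constructed capture in tcpdump's text format. Host names follow the line
# quoted in the thread; the timings and all responses are invented sample data.
SAMPLE_CAPTURE = """\
20:38:57.915695 IP athena.dfwlp.com.59056 > castor.dfwlp.com.domain: 3505+ AAAA? www.srh.noaa.gov. (34)
20:39:02.916810 IP athena.dfwlp.com.59056 > castor.dfwlp.com.domain: 3505+ AAAA? www.srh.noaa.gov. (34)
20:39:12.918122 IP athena.dfwlp.com.59057 > castor.dfwlp.com.domain: 3506+ A? www.srh.noaa.gov. (34)
20:39:13.128530 IP castor.dfwlp.com.domain > athena.dfwlp.com.59057: 3506 1/0/0 A 216.38.80.20 (50)
20:40:01.100000 IP athena.dfwlp.com.59060 > castor.dfwlp.com.domain: 3510+ AAAA? lanx-fa1.ibctech.ca. (37)
20:40:01.100900 IP castor.dfwlp.com.domain > athena.dfwlp.com.59060: 3510 1/0/0 AAAA 3ffe:ff00:1::1 (65)
"""

# timestamp, source, destination, DNS id, flag characters, rest of the line
LINE = re.compile(
    r"^(\d\d):(\d\d):(\d\d)\.(\d{6}) IP (\S+) > (\S+): (\d+)(\S*) (.*)$")
QUERY = re.compile(r"^(?:\[\S+\] )?([A-Z0-9]+)\? (\S+)")   # "AAAA? name."
ANSWER = re.compile(r"^(?:([A-Za-z]+) )?(\d+)/\d+/\d+")    # "[rcode] an/ns/ar"


def pair_queries(capture):
    """Match each DNS query with its response; records are in query order."""
    pending = OrderedDict()   # (client, server, id) -> record awaiting a reply
    records = []
    for raw in capture.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        h, mi, s, us, src, dst, qid, _flags, rest = m.groups()
        # Microseconds since midnight (a capture spanning midnight is not handled).
        ts = ((int(h) * 60 + int(mi)) * 60 + int(s)) * 1000000 + int(us)
        q = QUERY.match(rest)
        if q:
            rec = pending.get((src, dst, qid))
            if rec is None:
                rec = {"qtype": q.group(1), "name": q.group(2), "sent_us": ts,
                       "retransmits": 0, "latency_ms": None, "rcode": None,
                       "answers": None}
                pending[(src, dst, qid)] = rec
                records.append(rec)
            else:
                rec["retransmits"] += 1   # same id resent: the client timed out
            continue
        a = ANSWER.match(rest)
        if a:
            # A response travels the other way, so swap the endpoints.
            rec = pending.pop((dst, src, qid), None)
            if rec is not None:
                rec["latency_ms"] = (ts - rec["sent_us"]) / 1000
                rec["rcode"] = a.group(1) or "NoError"
                rec["answers"] = int(a.group(2))
    return records


def summarize(records):
    """Per record type: query count, retransmits, unanswered, worst latency."""
    summary = {}
    for rec in records:
        row = summary.setdefault(rec["qtype"], {
            "queries": 0, "retransmits": 0, "unanswered": 0,
            "max_latency_ms": 0.0})
        row["queries"] += 1
        row["retransmits"] += rec["retransmits"]
        if rec["latency_ms"] is None:
            row["unanswered"] += 1
        else:
            row["max_latency_ms"] = max(row["max_latency_ms"], rec["latency_ms"])
    return summary


def unanswered_names(records):
    """(type, name) pairs the name server never replied to."""
    return sorted({(r["qtype"], r["name"])
                   for r in records if r["latency_ms"] is None})


if __name__ == "__main__":
    recs = pair_queries(SAMPLE_CAPTURE)
    for qtype, row in sorted(summarize(recs).items()):
        print(qtype, row)
    print("never answered:", unanswered_names(recs))
```

Queries that are retransmitted or never answered point at the name server or its forwarders rather than at IPv6 support in the kernel; a prompt reply carrying zero answers would not account for a multi-second delay.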








Re: memory pool, rfc

2007-10-31 Thread Steve Bertrand

> And is it better than bzip?

This is in essence why I tried to lead this thread off of this list.

The OP stated nothing of being 'better'. On top of that, the OP was
referencing libraries, not applications.

The OP is trying to get his own code under the BSD license and that is
great.

Asking whether his app is 'better' than something else is a VERY
relative question. 'Better' or 'faster' is something that you will
have to answer for yourself after you've implemented it and given it
appropriate benchmarks within your particular environment.

Just like everything else in FreeBSD, there are always multiple ways
to do it. This, as anything else, could possibly prove to be a way to
do it 'better' for what you need it for.

This truly was not meant to be a flame war.

Steve



Re: memory pool, rfc

2007-10-31 Thread Steve Bertrand
>> No, i don't want to sell anything to anyone. I'm already on hackers
>>  list but has very low traffic (9 messages last 5 days) and this is
>> a question list no ? ;-) I think that in this list are FreeBSD
>> *gurus*/hacks too which could say a "try it" or a "are you crazy?"
>>
> Even though you might get a little critized for being slightly off
> topic (at least until you add your code) try -current

I apologize if I came across as critical, I did not intend it that way.

Perhaps if the OP goes to -current with it, this thread could be
referenced (in addition to the inclusion of code).

Steve



Re: memory pool, rfc

2007-10-31 Thread Steve Bertrand
> I think that in this list are FreeBSD
> *gurus*/hacks too which could say a "try it" or a "are you crazy?"
> answer. If other developers thinks that they need my rfc i'll add my
> code to FreeBSD.

Agreed, so could it be added as a port, or can you license the code
with the BSD license and post a link to it?

To be honest, from what you say about your application, it sounds
beneficial. I personally would be willing to try it on one of the
boxes that I boot from removable USB disk and run the entire OS in
memory, with no hard disk whatsoever.

> The point to zlib / libbzip2 is because when i talk about compression
>  *always* someone says " Why don't use zlib?" Short answer No, Medium
>  Answer: deflate is 15 years old and there are better and faster algs
> now.

Understood. Can you provide a compilable product with reasonable
documentation that can be tested?

Steve



Re: memory pool, rfc

2007-10-31 Thread Steve Bertrand

> I have some free time and want to do an memory pool. The idea is
> to have a memory zone of N KB (or several MB) compressed in memory. I
> have fast compression algorithms now that can release under BSD
> licence that are faster than hd i/o, so it take less
> compress/decompress a memory zone than read/write it to disk. I don't
>  know if it already exist for FreeBSD, so if it's already done i'll
> try to improve it.

Perhaps you should try the freebsd-hackers list... this list is
generally for user operational questions.

> Don't point me to zlib or libbzip2, they are on another league and
> are much slower than my code.

Ouch! ...you are not trying to sell anything are you? It may be in
your best interest if you proceed to the hackers list, to initiate
conversation in a way that explains how your code will benefit a
cause, not slam other people (and their work) that are already
established!

Steve



Re: ifconfig -- how to remove address and mask?

2007-10-30 Thread Steve Bertrand
[EMAIL PROTECTED] wrote:
> I tried delete, but it only works for *additional* ip addresses added
> using the alias command, not the original, primary one.  I can't
> remember the error message.

Are you specifying the primary IP as an argument to delete? It works
here for me with a primary IP ok:

# ifconfig fxp1 delete 192.168.0.3

Steve


Re: How to provide fail-over capability for servers?

2007-10-30 Thread Steve Bertrand
> I will have 3 net-facing servers which must be available 24/7.  I had
> planned to have an additional box located in a different building on the
> same site (in case of part power-outage) that will run VMware server and
> host all the fail-over servers.

Is it safe to assume that both boxes, albeit being in different
buildings on the same site are located within the same logical network?

If that is the case, you may want to see if CARP will do what you want:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/carp.html

Steve


Re: Sendmail and SMTP AUTH, I need a hand

2007-10-25 Thread Steve Bertrand
> Hi,
>
>
> I tried to activate the SMTP AUTH in Sendmail
> following the steps of the man page
> (http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/smtp-auth.html).
>
> Everything was ok, but...
>
>
> If on the client (Outlook Express or MS Outlook)
> is activated "My server requires authentication" the SMTP AUTH occurs
> and the mail is sent but if this option is disabled the mail is sent
> too.

I can't really help on the config side of things, but:

Are all of your clients under the domain you have listed in the access
file?

That essentially (AFAIR) means allow anyone sending from this domain
to relay through me, no matter what, which (again AFAIR) means that
any domain listed in that file can relay through you, even if I slap
your domain into my mail client on my own IP address (please correct
if wrong).

If this is the case, remove the domain from access, and if it's in
relaydomains, remove it from there too.

After it's removed from access, do this:

# cd /etc/mail
# makemap hash access < access

I don't think you have to restart sendmail, but I can't remember.

You should be able to eliminate all entries from both files after AUTH
is enabled (again, AFAIR. I haven't used sendmail other than for
system messages for a long time).

Steve



Re: Sendmail error mesage

2007-10-25 Thread Steve Bertrand
> What does "451 Could not complete sender verify callout" mean ?

I have seen this before when a mail server is trying to send email
from itself but does not listen on port 25.

Do you have an SMTP server running on port 25 that at least the
localhost can reach?

Steve



Re: Booting a GELI encrypted hard disk

2007-10-25 Thread Steve Bertrand
Oliver Fromme wrote:
> Steve Bertrand wrote:
>  > I haven't tried it yet, but I don't think that /boot on the encrypted
>  > disk is necessary. I will rename the directory and reboot and see if it
>  > barfs.
> 
> It shouldn't be necessary.  Once the kernel is loaded, the
> system never looks at /boot again.
> 
> Unless, of course, you want to load a kernel module.  Those
> are located in /boot/kernel by default, but you can change
> the if needed (see sysctl kern.module_path).
> 
> Also, some system utilities that use KVM functions (vmstat,
> top, ps) might require access to the kernel file.  But that
> can be changed, too:  sysctl kern.bootfile.
> 
> Other than that, the /boot directory isn't used at all
> during normal operation.

This is correct, I tested it.

Also, this system (with GEOM_ELI built into kernel) successfully
upgraded from 6.2 to 7.0 with ULE scheduler enabled with no problems at all.

Cheers!

Steve



Re: Booting a GELI encrypted hard disk

2007-10-25 Thread Steve Bertrand
>  > The boot directory is different than root file system. /boot/ directory
>  > is only accessed by loader before root file system is mounted.
> 
> Ah, right.  I forgot that the /boot directory is only
> accessed by the boot blocks and loader(8) during boot,
> but not by the kernel, so it isn't actually mounted.
> Once the kernel mounts its root file system, it will
> be the "real" one from the encrypted disk.

I don't know if this is absolutely true.

I haven't tried it yet, but I don't think that /boot on the encrypted
disk is necessary. I will rename the directory and reboot and see if it
barfs.

On the same track, upgrading this system has been easy so far.

I do a build/install kernel into /boot on the encrypted disk, then
simply copy the /boot/kernel directory over to the thumb drive's /boot
directory.

However, making a mistake such as building and installing the wrong
kernel config without crypto and GEOM_ELI leads to all sorts of
problems. Relatively easy to recover from, but a waste of time to track
down (I posted about this to -stable this AM).

Steve


Re: Booting a GELI encrypted hard disk

2007-10-25 Thread Steve Bertrand
> The ONLY information on the thumb drive is /boot, a directory /keys and
> an /etc that has only an fstab (to mount the .eli partitions from the
> hard disk) and a loader.conf file to locate the keys.

My bad, my bad.

loader.conf is located under /boot of course.

Steve


Re: Booting a GELI encrypted hard disk

2007-10-25 Thread Steve Bertrand
Pawel Jakub Dawidek wrote:
> On Thu, Oct 25, 2007 at 12:46:53AM +0800, Daniel Marsh wrote:
>> Even if all data on a drive is encrypted, the partition table is not.
>> Software based disk encryption works on partitions.
> 
> That's not true. One can configure full disk encryption using GELI. To
> do it you need to have a small USB pen-drive or CD-ROM with /boot/
> directory, but that's all you need. Then you actually boot from your
> unencrypted pen-drive, but mount all file systems from encrypted disk.
> The pen-drive is not needed for your system to run and you can easily
> take it with you, which is not always the case for your laptop.

This is EXACTLY what I have now. Soon as the machine is booted, my thumb
disk comes with me.

The ONLY information on the thumb drive is /boot, a directory /keys and
an /etc that has only an fstab (to mount the .eli partitions from the
hard disk) and a loader.conf file to locate the keys.

This was originally my objective and have got it in place. Now the
machine is nearly upgraded to 7.0.

Steve


Re: Is it difficult to move from Linux?

2007-10-22 Thread Steve Bertrand

> I have been using Linux for over 10 years, but have for a number of
> reasons become very interested in learning to use FreeBSD. Are there
> any ex or current Linux users here and could you tell me how hard it
> is to make the shift from Linux?  Is there anything in particular
> which has been written which would be useful to read?

I have had a reason to run Linux, and have been running FreeBSD for
nearly 10 years, so I'm backwards to your situation.

Personally, I find it difficult to operate under a Linux platform, and
I'll explain why without trying to start a flame war.

My boxes that run FreeBSD do not have a GUI. I found that many of the
Linux commands, start up scripts, configuration files et al. were in
the Wrong Place (relative).

Essentially, it's as simple as that. If you want to cross platforms
like I've had to do from time to time, the majority of stuff comes
near-naturally, and what doesn't, Google will take up the slack.

You have come to a good place if you need to move forward with FBSD,
and especially with a 10 yr background in *nix to begin with, a little
time in frustration of learning the new locations of files it should
be a cakewalk.

What to read? Start with the FreeBSD handbook. One could say that it's
TFM to begin with ;)

Steve



Re: Booting a GELI encrypted hard disk

2007-10-22 Thread Steve Bertrand

>>> I am voraciously attempting to get a FreeBSD system to boot from
>>> a GELI encrypted hard disk, but am having problems.
>>
>> You don't need to encrypt the whole harddisk. You can encrypt
>> separate slices. There is no need to encrypt stuff like / or /usr;
>> what is there that needs to be kept secret?
>
> Maybe not encryption, but integrity protection is very important for
> laptops. GELI supports integrity protection for a while now. If you
> don't protect integrity of your entire laptop disk, it is trivial to
> trojan userland utilities and/or kernel and steal your password. If
> someone needs your data, he can dump encrypted partition, trojan your
>  system and once you connect to the internet and attach your
> encrypted partition, the trojan will send the password to the
> attacker. Many people often leave their laptops in hotels rooms, for
> example.

I don't quite grasp in what level you are using the term 'integrity'
here.

My knowledge of encryption at the storage level is limited at best...
I'm just finding out all the finer points (temp directories, swap
etc).

However, I'll throw out what I wanted, what I have and then a question:

Want:

- a FreeBSD system that runs from a fully encrypted disk with
passphrase and an encryption key on a removable thumb disk that can be
removed so that upon reboot, can not be started

Have:

- a FreeBSD system that runs from a fully encrypted disk with NO
passphrase (due to known, seemingly unsolved keyboard interaction
problems) that boots from a thumb drive that has an encryption key so
that when rebooted, does not boot (thumb drive can be removed once
boot procedure complete)

Question:

- if the disk (PC) is stolen, having the entire disk encrypted so no
one can even tell what OS is on it, does it make it secure to the
point that no one will know what to look for anyway (eg: what is in
/usr)? If someone does not know the OS, then it makes it more
difficult to know what string or text attacks to perform, right? (I'm
not trying to start a security via obscurity/bikeshed war, I seriously
wouldn't mind opinion).

I think it's fantastic. I'm not a disk forensic specialist, but it's
good enough for what I want. Again...thanks to everyone who worked on
the GEOM infrastructure.

Performance is adequate in my benches so far for what I need, so long
as one has adequate memory as to not have to run a disk-based swap
space.

Steve








Re: sendmail problems

2007-10-18 Thread Steve Bertrand
Duane Winner wrote:
> Hello,
> 
> I need help to resolve a problem with my sendmail server.

Usually when 'sendmail' is in a subject line, one can usually expect
Giorgos to respond :)

This is not a Sendmail issue, per-se.

If we can take this back one step to re-evaluate the entire situation it
may help:

- what is the domain you are seeing issues with (are there more than
one? If so, are they on the same box/IP?)
- what IP is this domain's mail operating on
- examples of domains you see problems with, and examples of those you don't
- is it only mailing lists you have problems with
- do you receive this email I am sending on the problematic server

Do you have another site that you can confirm working/not working?

Steve


Re: ahd0 Transmission error [was: can you help me?]

2007-10-18 Thread Steve Bertrand
I am beyond confident that there are people here that can help, but
you must certainly wrap this in context:

# uname -a

...would be a start, more importantly, what context is this in (boot?).

This is beyond me, but with more context and a better subject line,
you have a MUCH better chance that the busy people that offer their time
to work with the hardware/drivers in question will review your request
and possibly offer a response, or notice the need to file a PR.

I don't have Greg's 'howto get good responses from the list' monthly
post handy, but take a look in Google for how to submit a question to
a mailing list to get a good response.

Even a subject line of "Hardware _insert-vendor-product_ causes fault
on boot" would help attract attention of people that selflessly claim
responsibility for its operation (and therefore communication with
the people that take care of its lower-level workings).

I don't personally recognize many of the drivers in question, so
hopefully someone else who does know will help out.

Steve




Re: GELI and shutdown

2007-10-18 Thread Steve Bertrand
>> Is it necessary or even advisable to unmount and/or detach GELI
>> partitions prior to performing a halt or shutdown?
>
> This will be done automatically.

Thank you. This is good, and important to know.

My appreciation goes out to everyone who has ever had a say in the
development of the GEOM framework. It has come very far and continues
to accumulate value to users at all levels.

Steve



GELI and shutdown

2007-10-18 Thread Steve Bertrand
A quick question:

Is it necessary or even advisable to unmount and/or detach GELI
partitions prior to performing a halt or shutdown?

If so, what is the best way to go about automating it?

I've got a FreeBSD 6.2 system finally running on a fully encrypted disk now.

Steve


Re: How To Change Email Addr?

2007-10-18 Thread Steve Bertrand
[EMAIL PROTECTED] wrote:
> 
> chmod 644 /etc/mail/aliases
> I tried that and checked the permissions on 
> /etc/mail/aliases.db
> but nothing works :( Any other ideas?

Try this:

# cd /etc/mail
# makemap hash aliases < aliases

Then post to this list output from:

# ls -la | grep aliases

If the timestamp of aliases.db had not been updated, post output to the
list from:

# whoami
# ls -la /etc/mail

Regards,

Steve


Re: gtn bot ?

2007-10-18 Thread Steve Bertrand
> Does anyone know where I might find some info on 'gtn'??

It would be advisable to review the thread entitled "Strange perl
script" that is currently active on the list, dated from Oct 17th.

Steve


Re: How To Change Email Addr?

2007-10-18 Thread Steve Bertrand
[EMAIL PROTECTED] wrote:
> Hi;
> I need to update the email address to which emails from the server are sent 
> ([EMAIL PROTECTED], cron stuff, etc.). I created a file:
> /root/.foreward
> and added the new address, but that didn't do it? How?

If you are running sendmail, check for the root: line in:

# /etc/mail/aliases

Change the second parameter to what email address you want root's mail
to go to, and then run:

# newaliases

Steve


Re: Strange perl script

2007-10-17 Thread Steve Bertrand
>> Looks sort of like a Perl script running.
>> That, of course, doesn't say what it is doing.
> 
> The strangest thing is that I can't find sploger on my system. After a
> reboot sploger doesn't appear anymore, which makes it stranger.

Post output of:

# last
# cat /root/.history
# ls -la /root
# ls -la /tmp
# ls -la /var/tmp
# ps aux

Ensure you leave the command you perform with the associated output, and
leave a few newlines between each command for ease of reading.

Steve


Re: Strange perl script

2007-10-17 Thread Steve Bertrand
Jack Raats wrote:
> HI
> 
> Can anyone explain this after ps -ax | grep perl
> 
> 21893  ??  I  1:02.37 sploger (perl5.8.8)
> 29536  ??  R184:14.94 sploger (perl5.8.8)
> 29538  ??  R184:36.44 sploger (perl5.8.8)
> 30668  ??  R168:56.54 sploger (perl5.8.8)
> 
> What is sploger?

# locate sploger
# head /path/to/sploger

If the first line states something similar to:

#!/usr/bin/perl

Post a chunk of the code here and someone should be able to tell you
what it is, or at least what it is attempting to do.

Steve
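
How to read the `sploger (perl5.8.8)` lines quoted in this thread, as an added example that is not part of the original messages: FreeBSD ps prints the accounting name in parentheses when it differs from argv[0], so the interpreter here is perl and the process title has been replaced. The sketch flags interpreter processes whose title does not start with the interpreter; the ps sample is constructed and the function names are hypothetical.

```sh
#!/bin/sh
# Added example. Constructed `ps -ax` style sample modelled on the lines
# quoted in the thread; it was not captured from a real host.
sample_ps() {
cat <<'EOF'
  PID  TT  STAT      TIME COMMAND
  612  ??  Is     0:01.20 /usr/sbin/sshd
  845  ??  Ss     0:03.75 sendmail: accepting connections (sendmail)
  990  p0  Is     0:00.05 -csh (csh)
 2201  ??  S      0:00.42 /usr/bin/perl /usr/local/sbin/rotate.pl (perl5.8.8)
21893  ??  I      1:02.37 sploger (perl5.8.8)
29536  ??  R    184:14.94 sploger (perl5.8.8)
EOF
}

# flag_retitled: read `ps -ax` output on stdin and print
#   PID TIME ACCOUNTING-NAME TITLE
# for every process whose accounting name is an interpreter while the
# first word of its title is not that interpreter.
flag_retitled() {
    awk '
    NR == 1 { next }                          # header line
    {
        pid = $1; cpu = $4
        # COMMAND column: everything after the first four fields
        cmd = $0
        for (i = 1; i <= 4; i++) sub(/^[ \t]*[^ \t]+/, "", cmd)
        gsub(/^[ \t]+|[ \t]+$/, "", cmd)

        # accounting name is the trailing "(name)", if ps printed one
        if (!match(cmd, /\([^()]+\)$/)) next
        comm  = substr(cmd, RSTART + 1, RLENGTH - 2)
        title = substr(cmd, 1, RSTART - 1)
        sub(/[ \t]+$/, "", title)

        # only interpreters are of interest; drop version suffixes (perl5.8.8)
        family = comm
        sub(/[0-9.]+$/, "", family)
        if (family !~ /^(perl|python|ruby|php|sh|csh|tcsh|bash)$/) next

        # normal case: argv[0] is the interpreter (a path, or -csh for a login shell)
        split(title, word, /[ \t]+/)
        arg0 = word[1]
        sub(/^-/, "", arg0)
        sub(/^.*\//, "", arg0)
        sub(/[0-9.]+$/, "", arg0)
        if (arg0 == family) next

        print pid, cpu, comm, title
    }'
}

sample_ps | flag_retitled
```

On a live host, pipe `ps -ax` into `flag_retitled`. A hit is a lead for the checks requested in this thread rather than a verdict, since daemons written in Perl also set their own titles.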


Re: Dual Routers

2007-10-16 Thread Steve Bertrand

> Is it possible to run two routers?  I have an ADSL modem 192.168.1.1 and a
> wireless router 192.168.2.1.  Both are accessed using dhcp.  I would
> like to be able to switch from one to the other, or have both available.
> Is this possible?

If I understand you correctly, you could do this:

Change the LAN IP of the wireless unit to 192.168.1.2.

Plug the ADSL modem's Ethernet port into the LAN side of the wireless router.

Plug your PC's into the remaining LAN ports on the wireless unit.

Essentially, this turns your wireless 'router' into a bridged access point.

You will have to disable DHCP on the wireless router, and let the ADSL
modem hand out addresses.

You will surf just fine, and you will be able to access the wireless
router for maintenance at 1.2, and the ADSL modem at 1.1

Hope this is what you were after.

Steve


Re: Booting a GELI encrypted hard disk

2007-10-11 Thread Steve Bertrand
>>> As you can see only /home is encrypted because the rest doesn't hold
>>> data worth encrypting.
>> Well, on mine it will.
> 
> I was talking about my system. Yours will of course be different. :-)

I know. I was not trying to be sarcastic in any way. Sorry if it seemed
that way :)

> You can even encrypt /tmp with a one-time key (see 'geli onetime').

I will likely do this with /tmp and swap.

> Also have a look at the geli_* variables in /etc/defaults/rc.conf.

Will do.

> It only needs to be present during creation of the GELI devices (geli
> attach). The rc scripts know they have to load GELI and attach the
> devices if they see an .eli device in /etc/fstab. Geli will ask for the
> passphrase(s) during boot-up if you're using them. You can specify which
> key-file to use in the geli_[devicename]_flags variable in /etc/rc.conf
> 
> However using a USB device presents its own problems. If you plug-in a
> USB stick there's no telling which device node it ends up with,
> depending on how many other USB devices are on the bus. To make device
> recognition easier, you should use a GEOM label on the USB stick, so
> you'll know which /dev/label/* device node it gets. And you'd probably
> have to hack an rc script to mount the USB stick _before_ the system
> tries to attach the GELI device(s).

Getting around these issues is trivial. The only requirement is that my
thumbdrive comes with me after the machine is reloaded.

> And remember that this USB stick is another thing you have to back-up
> and store in a safe place. It would be bad if you lost your data because
> your USB stick died or got lost.

Understood. This has been considered, and it's exactly what I do with my
TrueCrypt encrypted information on my Windows workstation.

Steve


Re: Booting a GELI encrypted hard disk

2007-10-11 Thread Steve Bertrand
> That's a heck of a lot of trouble to go to, considering someone would
> have to steal your drive, alter it and put it back without you knowing it!

Essentially, what I'm looking for is thus:

- someone breaks into my always-locked equipment room
- someone steals the box(es) in question, which obviously means shutting
down the unit

I don't want said thief to be able to retrieve the data after the box is
stolen, which is why I'd like a passphrase, and a removable key. Even if
the passphrase is captured, the data will still be protected because I
have the only key to the system 35 miles away on my person.

> If the intruder has physical access to the machine, it would be much
> easier to put a keylogger device between the keyboard and the machine.

There is no possible way this would go unnoticed. Anyone that could gain
access to the already secured room would have a window of about 15
seconds to break into the building after hours (secured/alarmed), smash
in the secured equipment room door, grab the box (out of about 40) and run.

>> It's questionable though, whether you should leave your computer in an 
>> environment where this can happen undetected and probably better solved by 
>> increasing real life security.

Like I said, it won't go undetected. The equipment is in a very secure
equipment area, inside of a secured and alarmed building. All equipment
is monitored 24/7, so if the box was physically altered, I would be
alerted via SMS/email immediately.

> An important point that too many people forget.

I agree, but this is not the case here. I just want the data protected
if the box goes down, whether by physical intruder, or I force it down
myself.

Steve


Re: Booting a GELI encrypted hard disk

2007-10-10 Thread Steve Bertrand
> Put all the data that really needs to be encrypted on a separate slice,
> and encrypt that. Leave the rest unencrypted, especially /boot. As a
> rule of thumb; don't bother encrypting anything that you can just
> download from the internet. :-)

Fair enough, this makes sense. Thank you.

> As you can see only /home is encrypted because the rest doesn't hold
> data worth encrypting.

Well, on mine it will.

> If you encrypted / and /usr, you might actually make the system more
> vulnerable to a known-plaintext attack, because there are a lot of files
> with well-known contents there.

I can get away with not having / encrypted, but I need /var encrypted
for databases and logs etc, /tmp so any temporary files are secured and
the swap file (swap very rarely gets used).

So, I will test it as you suggested, however, would it be possible to
still house my key on a removable USB stick, and after the slices are
mounted into the file system successfully to then unmount and remove the
USB drive and have the box remain in operation, or does the key need to
be accessed throughout all disk reads/writes?

Essentially, I'd like it so that if the box reboots while I am gone, or
if I want to reboot it remotely there is theoretically no way for
someone at the console to re-mount the encrypted slices?

Thank you for all of this info!

Steve
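
A pre-reboot check for the layout discussed in this thread, as an added example that is not part of the original messages: it reads an fstab and reports whether /var, /tmp and swap sit on `.eli` providers, which is the naming the rc scripts key on. The fstab contents, device names and function names are constructed for illustration.

```sh
#!/bin/sh
# Added example. Constructed /etc/fstab; device names are assumptions.
sample_fstab() {
cat <<'EOF'
# Device            Mountpoint  FStype   Options    Dump  Pass#
/dev/ad0s1a         /           ufs      rw         1     1
/dev/ad0s1b.eli     none        swap     sw         0     0
/dev/ad0s1d.eli     /var        ufs      rw         2     2
/dev/ad0s1e         /tmp        ufs      rw         2     2
/dev/ad0s1f.eli     /home       ufs      rw         2     2
/dev/label/keys     /mnt/key    msdosfs  ro,noauto  0     0
EOF
}

# audit_geli "<space-separated mount points, or the word swap>" < fstab
# Prints one status line per required entry and returns non-zero when any
# of them is not backed by a .eli provider.
audit_geli() {
    awk -v required="$1" '
    BEGIN { n = split(required, req, " ") }
    /^[ \t]*#/ || NF < 3 { next }             # comments and short lines
    {
        # swap entries have mount point "none": key them by type instead
        key = ($3 == "swap") ? "swap" : $2
        # with several entries for one key, remember a plaintext one if any
        if (!(key in dev) || dev[key] ~ /\.eli$/) dev[key] = $1
    }
    END {
        bad = 0
        for (i = 1; i <= n; i++) {
            k = req[i]
            if (!(k in dev)) {
                # no entry of its own: it lives on the parent file system
                print "NOTINFSTAB " k; bad = 1
            } else if (dev[k] ~ /\.eli$/) {
                print "ENCRYPTED " k " " dev[k]
            } else {
                print "PLAINTEXT " k " " dev[k]; bad = 1
            }
        }
        exit bad
    }'
}

sample_fstab | audit_geli "/var /tmp swap" || echo "at least one required entry is not on a .eli provider"
```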


Re: Booting a GELI encrypted hard disk

2007-10-10 Thread Steve Bertrand
Daniel Marsh wrote:
> On 10/10/07, Steve Bertrand <[EMAIL PROTECTED]> wrote:
>> Hi all,
>>
>> I am voraciously attempting to get a FreeBSD system to boot from a GELI
>> encrypted hard disk, but am having problems.
>>
>> All of my searches lead to the same problem...GELI passphrase can not be
>> entered correctly upon boot. I have tried everything I have found on the
>> web (including disabling 'kbdmux' in the kernel) to no avail.
>>
>> Is there any chance that anyone here has found a resolution to this
>> problem, in the 6.x branch, and if not, has it been looked/resolved
>> within -current?
>>
>> Does anyone have a suggestion for a workaround?
> 
> 
> You could always use a key without a passphrase... unsafe as it is, put the
> key on a usb device that you remove once the machine has booted?

That is what I was going to try next. The 'howtos' I've been reading
require putting many of the boot files on the thumb drive, so would it
even be possible to unmount/remove the usb stick after the machine is
booted up?

If I was to do it this way, I would likely use two separate key files,
on two separate USB sticks.

Reference:

http://www.proportion.ch/index.php?page=31

Thanks for your feedback.

Steve


Booting a GELI encrypted hard disk

2007-10-10 Thread Steve Bertrand
Hi all,

I am voraciously attempting to get a FreeBSD system to boot from a GELI
encrypted hard disk, but am having problems.

All of my searches lead to the same problem...GELI passphrase can not be
entered correctly upon boot. I have tried everything I have found on the
web (including disabling 'kbdmux' in the kernel) to no avail.

Is there any chance that anyone here has found a resolution to this
problem, in the 6.x branch, and if not, has it been looked/resolved
within -current?

Does anyone have a suggestion for a workaround?

Thanks for any advice.


Re: Managing very large files

2007-10-05 Thread Steve Bertrand
>> The reason for the massive file size was my haste in running out of the
>> office on Friday and forgetting to kill the tcpdump process before the
>> weekend began.
> 
> Sounds like you may want a Perl script to automate managing your
> tcpdumps.

99% of the time I use tcpdump for less than one minute to verify the
presence or lack thereof of ingress/egress traffic on a box or network.

This was the one time that I actually left the shell to continuously let
it capture.

I will next time however wrap it with something to stop this from
happening, or simply use the functions within the program itself:

-c Exit after receiving count packets.

Steve



Re: Managing very large files

2007-10-05 Thread Steve Bertrand
> Check out Tie::File on CPAN. This Perl module treats every line in a
> file as an array element, and the array element is loaded into memory
> when it's being requested. In other words: This will work great with
> huge files such as these, as not the entire file is loaded into memory
> at once.
> 
> http://search.cpan.org/~mjd/Tie-File-0.96/lib/Tie/File.pm

Thanks everyone who replied to me regarding this issue.

The above appears to be my best approach.

Although I have not the time yet to look into Tie::Find (and I've never
used that module before) but I will.

So long as I can read chunks of the file, load the data into variables
(I like the array approach above) and process each array independently
without loading all of them at once into memory, and without having to
load the entire file into memory.

Tks!

Steve


Re: Managing very large files

2007-10-04 Thread Steve Bertrand
Heiko Wundram (Beenic) wrote:
> Am Donnerstag 04 Oktober 2007 22:16:29 schrieb Steve Bertrand:
>> This is what I am afraid of. Just out of curiosity, if I did try to read
>> the entire file into a Perl variable all at once, would the box panic,
>> or as the saying goes 'what could possibly go wrong'?
> 
> Perl most certainly wouldn't make the box panic (at least I hope so :-)), but 
> would barf and quit at some point in time when it can't allocate any more 
> memory (because all memory is in use). Meanwhile, your swap would've filled 
> up completely, and your box would've become totally unresponsive, which goes 
> away instantly the second Perl is dead/quits.
> 
> Try it. ;-) (at your own risk)

LOL, on a production box?...nope.

Hence why I asked here, probing if someone has made this mistake before
I do ;)

The reason for the massive file size was my haste in running out of the
office on Friday and forgetting to kill the tcpdump process before the
weekend began.

Steve


Re: Managing very large files

2007-10-04 Thread Steve Bertrand
>> man 1 split
>>
>> (esp. -l)
> 
> That's probably the best option for a one-shot deal like this.  On the
> other hand, Perl itself provides the ability to go through a file one
> line at a time, so you could just read a line, operate, write a line (to
> a new file) as needed, over and over, until you get through the whole
> file.
> 
> The real problem would be reading the whole file into a variable (or even
> multiple variables) at once.

This is what I am afraid of. Just out of curiosity, if I did try to read
the entire file into a Perl variable all at once, would the box panic,
or as the saying goes 'what could possibly go wrong'?

Steve



Re: Managing very large files

2007-10-04 Thread Steve Bertrand
Heiko Wundram (Beenic) wrote:
> Am Donnerstag 04 Oktober 2007 14:43:31 schrieb Steve Bertrand:
>> Is there any way to accomplish this, preferably with the ability to
>> incrementally name each newly created file?
> 
> man 1 split

Thanks.

Sheesh it really was that easy.

*puts head in sand*

Steve


Managing very large files

2007-10-04 Thread Steve Bertrand
Hi all,

I've got a 28GB tcpdump capture file that I need to (hopefully) break
down into a series of 100,000k lines or so, hopefully without the need
of reading the entire file all at once.

I need to run a few Perl processes on the data in the file, but AFAICT,
doing so on the entire original file is asking for trouble.

Is there any way to accomplish this, preferably with the ability to
incrementally name each newly created file?

TIA,

Steve


Re: FreeBsd e-mail question

2007-10-03 Thread Steve Bertrand
> Is there any way to have rmuser remove the mail drop file associated
> with that account also, or am I just going to have to remove these
> manually?

It really depends on what version of rmuser you have.

In /usr/sbin/rmuser, do you have something similar to this code snippet?:

if [ -f ${MAILSPOOL}/${login}.pop ]; then
    verbose && echo -n " ${MAILSPOOL}/${login}.pop" ||
        echo -n " pop3"
    rm ${MAILSPOOL}/${login}.pop
fi

...if so, try putting a . character before each instance of ${login}.pop.

Steve


Re: http://www.freebsd.org site unreachable

2007-09-14 Thread Steve Bertrand
John Fitzgerald wrote:
> New York is down
> 
> ICMP and telnet 80 are OK

Still down for me. Not only HTTP, but ICMP and telnet.

A trace hangs at the following for about 90 seconds:

traceroute to www.freebsd.org (69.147.83.33), 30 hops max, 40 byte packets

 1  cisco-lanx-srv (208.70.104.1)  1.415 ms  1.437 ms  1.570 ms

 2  208.113.10.210 (208.113.10.210)  4.737 ms  4.933 ms  4.513 ms

 3  if-1-103.core1.TNK-Toronto.teleglobe.net (63.243.175.193)  4.507 ms
 4.665 ms  4.909 ms

 4  if-9-0.mcore3.TTT-Scarborough.teleglobe.net (216.6.98.53)  5.878 ms
 5.504 ms  5.488 ms

 5  if-4-0.mcore4.NJY-Newark.teleglobe.net (216.6.98.2)  23.318 ms
23.553 ms  23.401 ms

 6  if-7-0.core2.NJY-Newark.teleglobe.net (216.6.63.6)  23.642 ms
23.264 ms  23.347 ms

 7  if-3-2.mcore3.NJY-Newark.teleglobe.net (216.6.57.29)  23.429 ms
24.179 ms  24.604 ms

 8  216.6.97.37 (216.6.97.37)  24.239 ms  24.090 ms  24.050 ms

...probably due to DNS lookup, but then breaks here:

 9  if-1-0-0.core3.AEQ-Ashburn.teleglobe.net (216.6.51.5)  29.478 ms
29.716 ms  29.771 ms

10  ix-14-2.core3.AEQ-Ashburn.teleglobe.net (63.243.149.110)  28.604 ms
 39.023 ms  28.556 ms

11  so-0-0-0.pat1.pao.yahoo.com (216.115.101.128)  87.663 ms  87.225 ms
 87.382 ms

12  g-1-0-0-p140.msr1.sp1.yahoo.com (216.115.107.53)  88.111 ms
g-1-0-0-p150.msr2.sp1.yahoo.com (216.115.107.77)  87.821 ms
g-0-0-0-p150.msr2.sp1.yahoo.com (216.115.107.73)  87.739 ms

13  ge-1-42.bas-b2.sp1.yahoo.com (209.131.32.35)  88.383 ms
ge-1-43.bas-b2.sp1.yahoo.com (209.131.32.37)  87.973 ms
ge-1-47.bas-b2.sp1.yahoo.com (209.131.32.53)  89.173 ms

14  * * *

Steve


> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Steve Bertrand
> Sent: Friday, September 14, 2007 4:03 PM
> To: [EMAIL PROTECTED]
> Cc: freebsd-questions@freebsd.org
> Subject: Re: http://www.freebsd.org site unreachable
> 
> [EMAIL PROTECTED] wrote:
>> I am unable to get to freebsd.org
>>
>> is this on my end only ?
> 
> Failing from Southern Ontario, Canada as well.
> 
> Steve


Re: kernel log messages

2007-09-14 Thread Steve Bertrand
> +pid 85092 (httpd), uid 80: exited on signal 11 pid 85097 (httpd), uid 
> 
> +80: exited on signal 11 pid 85099 (httpd), uid 80: exited on signal 11 
> 
> Is this something I should care about ? First time I see this, and since the
> os mention it to me, I guess it's something important :-)

In almost every case I've seen posted to this list regarding sig 11
problems, the response has nearly always been replace memory.

Even in a case of my own a few years back, said recommendation fixed my
problem. (I think mine was during a buildworld).

Aside from that, I've also heard of heat (as already stated in this
thread), and flaky power supply.

Steve


Re: Service providers using Quagga

2007-09-14 Thread Steve Bertrand
I just want to say thank you very much to everyone who has replied to me
thus far, on this list, and on other groups.

From what I can tell, I should have no performance issues whatsoever in
my relatively small environment.

To be honest, I do prefer the Cisco IOS like command structure of
Quagga, however, the documentation I found to be not overly friendly.

I've received more recommendations for OpenBGPD and OpenOSPFD so I will
install and test with them next week. They even appear to handle IPv6
natively, which is a requirement in my case.

Again, thanks to everyone who posted back to me, and if anyone has
anything else to add, or any more known large sites as examples, by all
means, please keep them coming!

Regards,

Steve


Re: http://www.freebsd.org site unreachable

2007-09-14 Thread Steve Bertrand
[EMAIL PROTECTED] wrote:
> I am unable to get to freebsd.org
> 
> is this on my end only ?

Failing from Southern Ontario, Canada as well.

Steve


Re: Good FreeBSD Supported Gigabit Ethernet Card?

2007-09-14 Thread Steve Bertrand
>> No offence meant, but why would you like to upgrade a "home" network to
>> Gbit? Is it required at all?
> 
> This is a useless response. Why do you feel the need to question his
> intentions?
> 
> Maybe he wants faster throughput. Maybe he'd like to utilize GigE
> speeds on a switch he bought. Maybe he wants to learn more about
> gigabit networking.
> 
> At any rate, "why" really doesn't matter.

Why really does matter.

It was a genuine inquisitive inquiry.

There was nothing wrong with his question...it was relatively polite and
quoted in context properly as to emphasize why this sort of upgrade
would need to be done in a particular location.

Perhaps the poster was questioning the OP because he wanted to learn
about GigE himself, and why it may/would be needed/wanted...

Steve


Re: Scripting question

2007-09-14 Thread Steve Bertrand

>>> I don't have the perl skills, though that would be ideal.

-- snip --

> Another approach in Perl would be:
> 
> #!/usr/bin/perl
> my (%names, %dups);
> while (<>) {
> my ($key) = split;
> $dups{$key} = 1 if $names{$key};
> $names{$key} = 1;
> }
> delete @names{keys %dups};
> #
> # keys %names is now an unordered list of only non-repeated elements
> # keys %dups is an unordered list of only repeated elements
> 
> split splits on whitespace, returning a list of fields which can be assigned 
> to a list of variables. Here we only want to capture the first field: split 
> is more efficient for this than using a regex. The first occurrence of $key 
> is in parens because it's actually a list of one variable name.
> 
> We build two hashes, one, %name, keyed by the original names (this is the 
> classic way to reduce duplicates to single occurrences, since the duplicated 
> keys overwrite the originals), and one, %dup, whose keys are names already 
> appearing in %names - the duplicated entries. Having done that we use a hash 
> slice to delete from %names all the keys of %dups, which leaves the keys of 
> %names holding all the entries which only appear once (and the keys of %dups 
> all the duplicated entries if that's useful).

I don't know if this is completely relevant, but it appears as though it
may help.

Bob Showalter once advised me on the Perl Beginners list as such,
quoted, but snipped for clarity:

see "perldoc -q duplicate" If the array elements can
be compared with string semantics (as you are doing here), the following
will work:

   my @array = do { my %seen; grep !$seen{$_}++, @clean };

Steve


Service providers using Quagga

2007-09-14 Thread Steve Bertrand
First off, sorry to cross-post, but *isp@ does not see much traffic.

I'm wondering if there are any network service providers here that run
any of their routing infrastructure within Quagga running on FreeBSD.

I'd like to know what software alternatives are deployed out in the
field, and how large a shop utilizes such software methods
instead/combined with standard hardware router offerings.

If this is a relatively common practice out there, what size environment
do you run it in, and at what level within your network?

Cheers,

Steve


Re: Good FreeBSD Supported Gigabit Ethernet Card?

2007-09-14 Thread Steve Bertrand

OP said:

>> The use will probably be a firewall, proxy, file server, and
>> DVR.


> No offence meant, but why would you like to upgrade a "home" network to
> Gbit? Is it required at all?

Say for instance you have three 'items' on your home network trying to
communicate with a central box on your 'home' LAN, and said LAN was
operating on 100Mbps NIC's.

The 'home server' is also on a 100Mbps NIC.

That gives the home server a theoretical up/down throughput at 200Mbps.

If all three items at home are trying to connect with/through this
central box simultaneously, then you now have theoretically 600Mbps
in/out all at the same time. The central server can't handle this, nor
can any 10/100 layer-2 equipment in between.

Upgrade all the NIC's in all the items on the home network to GigE,
throw in a GigE switch, and now you can see how you just cut open the
garden hose and now have a small river.

Even on the smallest of networks, if you've ever tried to transfer
multiple-gigabyte files across it, you will very quickly appreciate the
exponential transfer rate when it comes to the relatively cheap
'upgrade' to GigE equipment in the home.

Just make sure you're not still using that old Cat3 cable ;)

Steve


Re: Good FreeBSD Supported Gigabit Ethernet Card?

2007-09-13 Thread Steve Bertrand
Oliver Hansen wrote:
> I'm looking to eventually upgrade my home network to all gigabit so I'm
> going to start by purchasing a few NICs for some old servers I just
> received. I know there are quite a few supported by FreeBSD6 which I
> found ( http://www.freebsd.org/releases/6.0R/hardware-i386.html#ETHERNET
> ) but I'm wondering if there is any real benefit in buying a $40 or $50
> NIC like the Netgear GA311 or just get a $20 NIC like the D-Link
> DFE-530TX+. The use will probably be a firewall, proxy, file server, and
> DVR.
> 

I have a few Netgear GA311's in production, and although I haven't done
any benchmarking, I know that they work rock solid operating atop the re
driver in my backup infrastructure:

backup# uname -a
FreeBSD backup 6.2-RELEASE-p2 FreeBSD 6.2-RELEASE-p2 #0: Mon Mar  5
16:57:55 EST 2007

backup# ifconfig
re0: flags=8843 mtu 1500
options=1b

I can't speak of D-Link however. Aside from the NIC's, I have found
some performance issues with NetGear GigE managed switches though,
whereas they seem to slowly lose throughput width after a few months
without a reboot.

Steve


Re: Sadly, my tinker-time has run out....

2007-09-05 Thread Steve Bertrand
> As I said, don't apologize for using an OS that matches your needs
> better than FreeBSD.  Just don't assume that everyone's needs are
> the same as yours, and we would all be spending less time tinkering
> with Ubuntu, or even FreeBSD for that matter.

This is an exceptionally good point.

I use Windows on my workstation at work. 90% of our servers run FreeBSD.

In the past, I have run into issues using particular software with
FreeBSD at home, so I just ran Windows.

Since I rarely use a PC when I'm at home, and it's more for the
kids/wife, I recently acquired a new PC for my home environment from a
corporation that had no OS on it.

I knew FreeBSD would not do the job in its entirety (none of my FBSD
boxes have anything resembling a GUI near it), so I tried Ubuntu.

Looks great, the GUI comes up perfectly right after install. Personally
though, the only thing I have a hard time with is commands aren't in the
 *right* place, or missing entirely. Same for config files etc. (CLI
obviously). Not only that, there are specific tasks that I want to do
via GUI, but you (OP) like I, have not the time to figure it out.

The entire issue comes down to what works for *YOU*. Does FBSD do what
you need, and also satisfy the requirements for everyone else who will
use it? If not, does Windows? I didn't go with Windows, because I am
certain I can have our home PC do what my family needs it to do with
something else.

However, that said, if it comes down to it, and I have to fudge too much
longer to make it just work, then yes, Windows it is, and I will
begrudgingly go purchase another license.

If you don't have time to get one OS working properly to your
requirements, then go for one that you know will work globally in your
environment.

Your original post stated:

"Sadly, I need to get an OS that my wife would be more
comfortable using and that wouldn't be as time-consuming to make it more
comfortable for her."

...how 'bout you ask HER what SHE wants here? By reviewing the thread,
you are busy on the road working, so if she feels a license for Windows
is the answer, then you are obviously busy enough with work to justify
the cost to offset the lost time in implementing something else...right?

Steve


Re: Bonded multilink ADSL connection

2007-09-04 Thread Steve Bertrand
Nikos Vassiliadis wrote:
>> I would very much appreciate a working config. I can easily adjust to my
>> environment.
> 
> I am afraid I cannot find the particular configuration file I was talking
> about. But, it should be something like this:

With a tiny bit of tweaking, it works like a charm!!!

Defined bundles:
Bundle Links
-- -
saml0[Opened/UP] l1[Initial/DOWN]

Since I don't have the second link connected to this box yet, I suspect
it will come up as soon as I do.

Thank you so much!

Steve


Re: Bonded multilink ADSL connection

2007-09-03 Thread Steve Bertrand
> Do you have the two modems required for such a configuration?
> Each link of the bond must get its ethernet interface. So, you
> need two ethernet cards at least and two ADSL modems in bridging
> mode. The configuration itself is pretty straightforward.

Yes, I have more than the required number of modems, and same with NICs ;)

Essentially, I want to swap out my Cisco 2651 with the FreeBSD box with
the hardware configuration you just described.

It's either put the BSD box in to the 100Mbps connection and leave the
Cisco in place on the ADSL connections and route between them when
necessary, or what I really want is to replace the Cisco entirely if I
can multi-link with FreeBSD.

> If you cover the requirements, I can send you a working configuration.
> Not necessarily an exact replicate of what you send, but close enough.

I would very much appreciate a working config. I can easily adjust to my
environment.

Thanks!

Steve


Re: OT: Workgroup not available. The network name cannot be found. on Windows 2000 Pro SP4

2007-08-29 Thread Steve Bertrand
L Goodwin wrote:
> This is what I was hoping for. Thanks all!

Well, even though this is a FreeBSD list and not a Microsoft list, was
the problem resolved? What fixed it?

> BTW, I did my second successful FreeBSD installation
> this week on a server that I could not get it to run
> on for the longest time. :-)

Great! Now Google for Samba, and start posting your pre-and-post FreeBSD
installation questions here ;)

Steve


Re: OT: Workgroup not available. The network name cannot be found. on Windows 2000 Pro SP4

2007-08-29 Thread Steve Bertrand
> What is the "correct" procedure for recovering from
> this mishap? TIA! :-)

- download FreeBSD disk-1 from freebsd.org
- insert CD into drive, and install :)

Seriously..

It's been a while since I've actually managed a Windows network per se,
but from what I recall, you can change the workgroup to something else
(then reboot), then re-assign the PC to the proper workgroup (then
reboot again), it may fix it. AFAIR, you can do this by right-clicking
on My Computer, and changing the computer's identity or name.

If that doesn't work, then ensure that Norton or some other so-called
'firewall' or 'security suite' isn't blocking outbound traffic via the
NetBIOS protocol ports:

# grep -i netbios /etc/services

netbios-ns      137/tcp    #NETBIOS Name Service
netbios-ns      137/udp    #NETBIOS Name Service
netbios-dgm     138/tcp    #NETBIOS Datagram Service
netbios-dgm     138/udp    #NETBIOS Datagram Service
netbios-ssn     139/tcp    #NETBIOS Session Service
netbios-ssn     139/udp    #NETBIOS Session Service

Also, port 445 TCP and UDP may come into play here.

Interesting though that inbound is allowed/working but outbound is fudged.

Is this PC on a win2k Domain? Is there anything in the 'logs' (stated
very loosely) in the Event Viewer on the remote/local hosts?

Steve


Bonded multilink ADSL connection

2007-08-29 Thread Steve Bertrand
Hi all,

I am attempting to create a bonded multilink connection with two ADSL
links to my upstream using FreeBSD.

Based on info I have read, I want/need to use mpd, however, I have not
found a definitive answer on whether mpd will actually act as a true
bonded connection as opposed to a load-balancer.

Essentially, can anyone help me replicate what I have working on my
Cisco on FreeBSD? I'd really like to see an example working config.

Here is the config in the Cisco (less the config of the actual ATM
interfaces):

interface Dialer1
 mtu 1492
 bandwidth 12000
 bandwidth inherit
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation ppp
 dialer pool 1
 ppp authentication pap callin
 ppp pap sent-username * password *
 ppp ipcp dns request
 ppp multilink
 ppp multilink links maximum 2
 ppp multilink links minimum 2
 ppp multilink load-threshold 1 outbound
 ppp multilink interleave

Regards,

Steve


Re: Test on FreeBSD site

2007-08-24 Thread Steve Bertrand
>> I haven't noticed if the mail servers are doing greylisting, but it
>> wouldn't surprise me if they were.
> 
> They do.

That's quite the response.

Care to elaborate for purposes of archive accuracy?

Steve


Re: spammers harvesting emaill address from this list

2007-08-24 Thread Steve Bertrand
...I will feed...

The solution to this problem is...if you don't like what you are into,
get yourself out of the situation.

Anyone who finds the information on this list non-informative enough to
complain about a few spam per week that make it through a spam filter,
then it isn't worth your time and you are on the wrong list.

I belong to ~40 mailing lists. They all see spam. The info I gain from
the lists is far more important. Well more than half of the lists
display the full address in the header. It's by design, and it has
always worked. I would not have it changed. Most MLMs have an option to
obscure/hide your address, as someone has already stated.

Seriously, the standard 'user' coming from Windows to FreeBSD should
never be expected to immediately be pushed into doing something for
themselves.

However, someone who decides to operate on a Road Runner cable
connection and relay their mail through a:

mail-03.name-services.com Microsoft ESMTP MAIL Service, Version:
6.0.3790.3959

...server, should immediately contact the person responsible for email
management and complain...

Moreover, those who use an address like:

[EMAIL PROTECTED]

...as a technical and admin contact in the global WHOIS database for
their domain should reconsider complaining about anything.

Wow, I'd trust the fact that my abuse email would make it to a
responsible person.

We are all feeding the troll. The troll has not stated his name in any
of his emails. Is that you:

# whois a1poweruser.com | grep [EMAIL PROTECTED]

Whoever this is, has not replied in a while, at least under the original
email address. Can we leave well enough alone and get on with technical
stuff?

*sigh*

Steve


Re: DJBDNS && IPv6

2007-08-21 Thread Steve Bertrand
> - is there a special way that I need to use tinydns-conf to create a new
> 'server'
> 
> - what should a proper v6 entry look like in the data file
> 
> My research has told me that I should have new 'v6' type binaries in the
> ./bin directory, but I do not see those.

To answer my own question, and to ensure quality in the archive, thanks
to this:

http://tomclegg.net/djbdns-ipv6

I managed to solve my own question.

I had to:

# echo WITH_IPV6=yes >> /etc/make.conf

...and now I have:

-rwxr-xr-x  1 root  wheel  78 Aug 21 20:58 add-alias6
-rwxr-xr-x  1 root  wheel  77 Aug 21 20:58 add-host6

...which is what I was looking for.

I don't know what ramifications leaving this in the /etc/make.conf file
will have on future ports, so if someone can answer that, it would be great!

Steve


DJBDNS && IPv6

2007-08-21 Thread Steve Bertrand
Hi all,

I am doing some serious testing with IPv6, however I can not get the
name resolution side of things on my DJBDNS DNS servers to work as expected.

On my legacy 4.10 box running BIND, I can resolve v6 addresses
inherently even without v6 enabled in the kernel, but on my
pre-production tinydns boxes (6.2, IPv6 kernel), I can't.

I have installed the port, 'sup'd today on:

FreeBSD 6.2-RELEASE-p6 #0: Wed Jul 18 20:31:03 EDT 2007

...and installed it with the v6 patch in the Makefile turned 'on', but I
can not identify any indication that IPv6 is enabled.

What I'd like to know is:

- is there a special way that I need to use tinydns-conf to create a new
'server'

- what should a proper v6 entry look like in the data file

My research has told me that I should have new 'v6' type binaries in the
./bin directory, but I do not see those.

Any help would be greatly appreciated. I'm sorry if this should be
directed to the djbdns list, however, I know I can compile from source
and get it to work, I just want the port to work for future maintenance
purposes.

Regards,

Steve


Re: Share folder over internet

2007-08-16 Thread Steve Bertrand
Laszlo Nagy wrote:
> Peter Svec wrote:
>> Hello Laszlo,
>>
>> you don't need static IP address if you use hamachi. It is zero
>> configuration VPN tool, which creates peer-to-peer tunnel between two
>> host (with static or dynamic addresses). The problem is, that hamachi
>> isn't in the ports yet. Take a look at
>> http://www.freebsd.org/cgi/query-pr.cgi?pr=112982 and
>> https://secure.logmein.com/products/hamachi/vpn.asp
>>
>> peter
> Sounds great. I'll ask my ISP about the fix IP though. Thank you for
> your answers!

Alternatively, you could use Dynamic DNS, as IIRC, OpenVPN supports
using hostnames as opposed to IPs for the connection endpoint identifiers.

Cheers!

Steve


Re: Problem booting from memory-stick with ASUS A7V-133

2007-07-24 Thread Steve Bertrand
[EMAIL PROTECTED] wrote:
> Hi all,
> 
> hope this is the right list.
> 
> I have a problem with booting from a 128MB USB-memory-stick with the ASUS 
> A7V-133 motherboard. I downloaded the boot-floppy-image "boot.flp" (version 
> 6.2) from the FreeBSD-FTP-server and "dd"-ed it to a memory stick. Booting 
> from this stick works fine with every other computer I have (a notebook and a 
> newer workstation also with an ASUS-board). But trying to boot from the stick 
> with the A7V gives me the following output:
> 
> <- 8< --->
> Not ufs
> Not ufs
> No /boot/loader
> FreeBSD/i386 boot
> Default: 0:fd(0,a)/boot/kernel/kernel
> boot:
> Not ufs
> No /boot/kernel/kernel
> <- 8< --->
> 

What happens if you enter:

0:da(0,a)/boot/kernel/kernel

...at the boot: prompt (as opposed to fd(0,a))?

Steve


Re: add route failed for ppp

2007-07-17 Thread Steve Bertrand
Michael P. Soulier wrote:
> Hi,
> 
> I'm on an ADSL connection at home, and ppp in BSD is working great. But, I get
> this in the logs. 
> 
> Jul 16 17:34:54 kanga ppp[79728]: Phase: Pap Input: SUCCESS ()
> Jul 16 17:34:54 kanga ppp[79728]: Phase: deflink: lcp -> open
> Jul 16 17:34:54 kanga ppp[79728]: Phase: bundle: Network
> Jul 16 17:34:54 kanga ppp[79728]: Warning: Add! route failed: 0.0.0.0/0:
> errno: Network is unreachable
> 
> Now, everything is working fine, but I'm wondering why ppp is complaining
> about not being able to set up the route. 

What is the next hop for the route you are trying to add?

This error generally means you have set a next-hop IP address in a
subnet to which you are not directly connected, and either a previous
line in your config(s) set an appropriate route (hisaddr for instance),
or a later line in the process does, so as to make things work.

Steve


Re: is is able to setting up DNS server reverse lookup with DynamicIP?

2007-07-13 Thread Steve Bertrand
Chuck Swiger wrote:
> On Jul 13, 2007, at 10:44 AM, Dan Casey wrote:
>>>> I'm using dynamicDNS, so I will be able to specify the forward *AND*
>>>> reverse lookups?
>>>
>>> No.  Reverse lookups are controlled by whoever owns the IP delegation
>>> for the netblock in question, and they are not going to configure PTR
>>> records for dynamic IPs.  If you want to have reverse lookups you
>>> control, you'll need to get static IPs.
>>
>> Slight correction.  To do what you want, you will need to get a static
>> ip.  Then you can request your isp (or whoever owns the ip block) to
>> setup the PTR record for you.
> 
> That's not really a correction.  :-)

Correct ;)

> If you get a single static IP, for example, normally the ISP or netblock
> owner will not delegate that, but are willing to setup a PTR record.

That is, if the ISP *is* willing to set up a rDNS entry. I have had
clients move from their previous provider to us because the old provider
would not set up a reverse DNS entry for their statically assigned
IP(s). Sounds bad, but it happens.

> If you get a larger static netblock, especially a /24 or larger, then
> your ISP can delegate reverse DNS to nameservers you run, and thus you
> can set up and change the reverse lookup results at will without needing
> your ISP to make PTR record changes.  See
> http://www.ietf.org/rfc/rfc2317.txt about "Classless IN-ADDR.ARPA
> delegation" for the deal with regard to delegation of smaller netblocks
> than a /24.

I personally wouldn't do this. If anything, I would delegate permissions
on our name servers so that the client can log in to our DNS interface
and make the changes there. That way, we always have control over the
names in the event you ever have a rogue employee at the other end.

However, we don't do anything of the sort. When clients need rDNS
entries changed, the client requests it, and we make it so. It is the
same way that we work with one of our external ADSL wholesalers.

Mind you, when you call us, someone answers the phone. You can ask for
the button pushers directly, and changes are made live time mostly. Try
that with a Sympatico, AOL or the like.

Steve
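The two delegation cases in Chuck Swiger's quoted text above (a /24 or larger block handed over with plain NS records, a smaller block handed over per RFC 2317), as an added example that is not part of the thread. It builds the records the netblock owner would publish; the addresses and the name server name are constructed placeholders.

```python
import ipaddress


def reverse_delegation(block, nameservers):
    """Zone-file lines the netblock owner publishes to hand reverse DNS
    for an IPv4 `block` over to the customer's `nameservers`."""
    net = ipaddress.ip_network(block, strict=True)
    if net.version != 4:
        raise ValueError("in-addr.arpa covers IPv4 only")
    lines = []

    if net.prefixlen <= 24:
        # /24 or larger: reverse zones sit on octet boundaries, so the block
        # is covered by one or more ordinary NS delegations.
        boundary = max(8, -(-net.prefixlen // 8) * 8)  # round up to 8, 16 or 24
        for sub in net.subnets(new_prefix=boundary):
            octets = str(sub.network_address).split(".")[: boundary // 8]
            zone = ".".join(reversed(octets)) + ".in-addr.arpa."
            lines += [f"{zone} IN NS {ns}" for ns in nameservers]
        return lines

    # Smaller than /24 (RFC 2317): the owner keeps the /24 zone, delegates a
    # child zone named "<first address>/<prefix length>", and points every
    # address in the block at that child zone with a CNAME.
    a, b, c, d = str(net.network_address).split(".")
    parent = f"{c}.{b}.{a}.in-addr.arpa."
    child = f"{d}/{net.prefixlen}.{parent}"
    lines += [f"{child} IN NS {ns}" for ns in nameservers]
    for addr in net:
        last = str(addr).rsplit(".", 1)[1]
        lines.append(f"{last}.{parent} IN CNAME {last}.{child}")
    return lines


if __name__ == "__main__":
    # Constructed input: a /27 out of a documentation range.
    for rec in reverse_delegation("198.51.100.64/27", ["ns1.customer.example."])[:4]:
        print(rec)
```

In both cases the records live in zones the netblock owner runs, so the owner can withdraw the delegation at any time.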


Re: is is able to setting up DNS server reverse lookup with DynamicIP?

2007-07-13 Thread Steve Bertrand
vuthecuong wrote:
> Olivier Nicole wrote:
>>> But my postfix only can receive mails from freebsd-questions mailing
>>> list, it can not send mail to this. 
>>
>> There is another thing you have to consider. As it is explained in
>> http://www.bsdforums.org/forums/showthread.php?p=265093#post265093
>> your dynamic IP has been black listed (the IP was used before by
>> someone else who sent SPAM, so now the IP is in a list of bad guys and
>> many mail server will refuse to receive emails from your IP).
>>
>> So it is really a better idea that you send all your email through FPT
>> email server.
>>
>> Best regards,
>>
>> Olivier
>>
>>   
> OK I understood, this is one lesson I learned today: In order to run
> "real" mail server,
> fixed IP address for forward and reverse DNS is must-have.
> I will choose method of relaying through ISP though I prefer the first one.
> Tnx you very much.

The ISP who assigns you the IP from their allocated block is
responsible for the reverse entry. You can create one locally, but the
Internet as a whole will never look to anything you set up for an rDNS
entry. I believe that every IP that is in use on a network, no matter
what piece of infrastructure or computer it is assigned to should have a
reverse entry.

Most ISPs now are configuring rDNS entries for dynamic clients as such,
with prefixes that include ppp, dynamic, dialin etc. Almost all of these
such entries will cause mail blocks leading to blacklists due to the
fact 99.99% of dynamic IP entries should never be sending mail directly
to another MX to begin with.

In your case, you can still run a fully functional email server at your
end, however, instead of sending out directly, you use your upstream as
your smart host as stated above.

Aside from that, if you are a non-business client without static IP(s),
your ISP should be blocking you from sending outbound 25 traffic into
their network, except to their mail servers directly anyway.

Of course, your ISP should also be blocking port 25 inbound into their
network from the outside world, and outbound from their network to you
(except to their own legit mail servers) to protect against exploitation
of someone with an open relay. (You shouldn't be able to use yourself on
the dynamic IP as an SMTP server from outside your own location). If
they have implemented this, then you will have to use SMTP Auth on port
587. As a matter of fact, you should be using this anyway.

This ISP uses SMTP Auth across the board for all of our users (ADSL,
SDSL, dial-up etc). Only a very small handful are permitted to use port
25, and those clients would be the ones (like old Mac OS mail software)
that do not have the ability to implement port 587.

Cheers!

Steve
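One reading of the port 25 / port 587 policy described in the message above, as an added example that is not part of the thread: a border decision function, run over a few flow records to count which sources the policy would block. The address ranges, the mail server address and the log format are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed addressing plan (documentation/benchmark ranges), not from the thread.
DYNAMIC_POOL = ipaddress.ip_network("198.51.100.0/24")   # dynamic ADSL/dial-up clients
ISP_MAIL = {ipaddress.ip_address("192.0.2.25")}          # the ISP's own mail servers


def decide(src, dst, dport):
    """Return (action, reason) for one TCP connection crossing the ISP border."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dport == 587:
        return "allow", "submission port; the server requires SMTP AUTH"
    if dport != 25:
        return "allow", "not SMTP"
    if dst in ISP_MAIL:
        return "allow", "delivery to the ISP's own mail server"
    if dst in DYNAMIC_POOL:
        # Keeps an open relay on a customer line from being reachable.
        return "block", "port 25 toward a dynamic client"
    if src in DYNAMIC_POOL:
        return "block", "dynamic client sending direct to a remote MX"
    return "allow", "static or external host"


# Constructed flow records: timestamp, source, destination, destination port.
SAMPLE_FLOWS = """\
2007-07-13T10:44:01 198.51.100.37 192.0.2.25 25
2007-07-13T10:44:05 198.51.100.37 192.0.2.25 587
2007-07-13T10:45:10 198.51.100.80 198.18.0.10 25
2007-07-13T10:45:11 198.51.100.80 198.18.7.7 25
2007-07-13T10:46:30 198.18.0.99 198.51.100.37 25
2007-07-13T10:47:02 203.0.113.5 198.18.0.10 25
2007-07-13T10:47:40 198.51.100.80 198.18.0.10 443
"""


def blocked_by_source(log_text):
    """Count blocked connections per source address."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed records
        _ts, src, dst, dport = fields
        action, _reason = decide(src, dst, int(dport))
        if action == "block":
            hits[src] += 1
    return dict(hits)


if __name__ == "__main__":
    for src, count in blocked_by_source(SAMPLE_FLOWS).items():
        print(src, count)
```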


Re: Transfering a File From One Server To Another

2007-07-12 Thread Steve Bertrand
Pat Singer wrote:
> Hi;
>   I have a server that's screwed up. I'm building out another server now. I 
> need to transfer a 1/2G file from the old one. FTP doesn't work. I tried this:
>   wget http://203.223.111.11/path/to/file
>   It connected to the machine but threw a 404. Ideas?

Oh, and BTW, /path/to/file must be under your web server's documents
directory (if it wasn't to begin with). If it wasn't, it would throw the
404.

Steve

