[pfSense Support] RRD
Hi,

Does the pfsense team have any plans to add an RRD graph for Memory Usage and SWAP usage?

-saidy-
Re: [pfSense Support] DST 2007-ready?
On Feb 28, 2007, at 11:44 PM, stephan peterson wrote:

> What can I do to make sure the new zoneinfo file(s) are being used? I'm not sure from LJ's message what to look for.

in the USA, run this command line:

    date -r 1175386460 ; date -r 1175486460

you should get something like this on a corrected system:

    Sat Mar 31 20:14:20 EDT 2007
    Mon Apr 2 00:01:00 EDT 2007

Whereas on an incorrect (ie, older zone file) system you would get:

    Sat Mar 31 19:14:20 EST 2007
    Mon Apr 2 00:01:00 EDT 2007

If you have any other freebsd system, you can simply copy a working /etc/localtime file onto the one on your pfsense box. my understanding is that any unix system using the same zone info compiler (pretty much any unix in existence) should produce working zone files.
AW: [pfSense Support] DHCP + Cisco sip phones
All config files get rewritten dynamically if needed so your changes won't be in there for long. It has been discussed here already: http://forum.pfsense.org/index.php/topic,1192.15.html

Holger

-----Original Message-----
From: Andrew Kemp [mailto:[EMAIL PROTECTED]
Sent: Thursday, 1 March 2007 04:09
To: support@pfsense.com
Subject: Re: [pfSense Support] DHCP + Cisco sip phones

so i'm having some problems getting it to work. the dhcp part is working and the phones had already been configured once so it remembers the previous config, however, the dhcp server is not passing along the tftp server name value like it should. i added this line to my dhcpd.conf

    option tftp-server-name xxx.xxx.140.88;

i also tried it without the quotes. i have tried it in the pool section and below it where the routers and name servers go. i also kill -HUP'd the dhcpd process after changing it but still the phones do not ever receive the tftp server ip in the config. ideas?

andrew

Wade Blackwell wrote:

> You would have to manually edit the config file and restart dhcpd.
>
> Wade B
>
> On 2/11/07, Andrew Kemp [EMAIL PROTECTED] wrote:
>
>> i'm looking to do dhcp on a small /29 network for my sip phones. i know dhcp is capable of passing info such as default tftp server and the like. i looked in the dhcp page but don't see anything like this available from the web page. is this a possibility to add so that cisco sip phones will get all the info they need through dhcp?
AW: AW: [pfSense Support] new user... need help with Rules
First match wins. Rules are always applied top down. So if you allow something with your top rule you can't restrict it anymore with a further down rule.

Holger

-----Original Message-----
From: Jeremy Bennett [mailto:[EMAIL PROTECTED]
Sent: Thursday, 1 March 2007 07:37
To: support@pfsense.com
Subject: Re: AW: [pfSense Support] new user... need help with Rules

AHA! Holger, Espen, Thank you.

Holger, apologies - I had that first rule that passed LAN2 Traffic to WAN and everything else... I didn't realize it was working against me. Now I realize that I only need two rules on the LAN2 net to do what I was aiming for. Success.

Mahalo,
Jeremy

On Feb 28, 2007, at 11:51 AM, Espen Johansen wrote:

> This is how I deal with wireless to internet access but not lan. add a rule that says: Pass WLAN-subnet to destination NOT (!) LAN (meaning if it's not trying to access lan then it's all good). You can also add rules to drop connections from WLAN clients to destination firewall when port is 80/22 (GUI/ssh) etc. Then VPN into the firewall from WLAN zone to access LAN.
>
> -lsf
>
> On 2/28/07, Jeremy Bennett [EMAIL PROTECTED] wrote:
>
>> In review, I'd like to grant full access to the internet for all computers on LAN (private, wired, my machines) and LAN2 (wireless segment - friends, families, neighbors). I'd like to make LAN invisible as far as LAN2 is concerned, yet allow my laptop to access LAN when it is attached to LAN2 wirelessly.
>>
>> I may not have been totally clear... I still need my LAN2 to see the internet, so the first rule WAS:
>>
>>     PASS | Proto: * | Source: LAN2 net | Port: * | Destination: * | Port: * | Gateway: *
>>
>> So I changed it as such
>>
>>     PASS | Proto: * | Source: * | Port: * | Destination: WAN address | Port: * | Gateway: * (Pass LAN2 to wan)
>>     PASS | Proto: * | Source: 192.168.12.99 | Port: * | Destination: * | Port: * | Gateway: * (Pass Powerbook to LAN)
>>     PASS | Proto: * | Source: LAN2 net | Port: * | Destination: ! LAN net | Port: * | Gateway: * (Block LAN2 from LAN)
>>
>> It seems to work... Have I introduced any sort of horrible security issue by doing this? Thanks for the help.
>>
>> On Feb 26, 2007, at 1:13 AM, Holger Bauer wrote:
>>
>>> First create a DHCP-server for the LAN2 segment at services|dhcpserver|lan2-tab and add a static mapping for the mac of your notebook. Then go to firewall|rules|lan2tab
>>>
>>> Add a rule: pass, protocol any, source (IP of notebook), destination any, gateway default
>>>
>>> Below this add a rule: pass protocol any, source lan2 net, destination NOT LAN, gateway default
>>>
>>> That's all that is needed.
>>>
>>> Holger
>>>
>>> -----Original Message-----
>>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
>>> Sent: Monday, 26 February 2007 10:39
>>> To: support@pfsense.com
>>> Subject: [pfSense Support] new user... need help with Rules
>>>
>>> I have pfSense 1.0.1, with a WAN, LAN and LAN2. The WAN gets an address via DHCP from local cable provider. LAN (192.168.12.1) is my (soon to be) private network, and LAN2 (192.168.12.1) has a couple of wireless bridges|APs at 192.168.12.253 254. What I need to do is create a rule that blocks traffic between LAN2 and LAN, yet still allows my laptop (192.168.12.99, assigned via MAC|static) to access LAN while wirelessly connected to LAN2. Any help or guidance on this is much appreciated.
>>>
>>> Mahalo,
>>> Jeremy
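
An added illustration, not part of any message in this thread, of the top-down, first-match evaluation Holger describes, run over the two LAN2 rules he lists and over a constructed rule set with a broad pass rule on top. The subnets 192.168.11.0/24 (LAN) and 192.168.12.0/24 (LAN2), the sample hosts, and the helper names are assumptions; traffic that matches no rule is treated as blocked.

```python
from ipaddress import ip_address, ip_network

# Assumed addressing: the thread gives no distinct subnets for LAN and LAN2.
LAN_NET = ip_network("192.168.11.0/24")
LAN2_NET = ip_network("192.168.12.0/24")
LAPTOP = ip_network("192.168.12.99/32")   # static mapping from the thread
ANY = ip_network("0.0.0.0/0")


class Rule:
    def __init__(self, action, src, dst, negate_dst=False, note=""):
        self.action, self.src, self.dst = action, src, dst
        self.negate_dst, self.note = negate_dst, note

    def matches(self, src, dst):
        dst_hit = ip_address(dst) in self.dst
        if self.negate_dst:
            dst_hit = not dst_hit
        return ip_address(src) in self.src and dst_hit


def evaluate(rules, src, dst):
    """Top-down, first match wins; nothing matched means blocked."""
    for rule in rules:
        if rule.matches(src, dst):
            return rule.action, rule.note
    return "block", "default deny"


def shadowed(rules):
    """Notes of rules that can never fire because an earlier rule covers them."""
    dead = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.negate_dst:
                continue  # conservative: do not reason about negated matches
            src_covered = later.src.subnet_of(earlier.src)
            if later.negate_dst:
                dst_covered = earlier.dst == ANY
            else:
                dst_covered = later.dst.subnet_of(earlier.dst)
            if src_covered and dst_covered:
                dead.append(later.note)
                break
    return dead


# Constructed: broad pass rule on top, so the block rule below never fires.
BROAD_FIRST = [
    Rule("pass", LAN2_NET, ANY, note="LAN2 net -> any"),
    Rule("block", LAN2_NET, LAN_NET, note="LAN2 net -> LAN net"),
]

# The two rules Holger describes for the LAN2 tab.
TWO_RULES = [
    Rule("pass", LAPTOP, ANY, note="laptop -> any"),
    Rule("pass", LAN2_NET, LAN_NET, negate_dst=True, note="LAN2 net -> ! LAN net"),
]

if __name__ == "__main__":
    flows = [("192.168.12.50", "192.168.11.10"),   # LAN2 guest -> LAN host
             ("192.168.12.99", "192.168.11.10"),   # laptop -> LAN host
             ("192.168.12.50", "198.51.100.20")]   # LAN2 guest -> internet
    for name, rules in (("broad first", BROAD_FIRST), ("two rules", TWO_RULES)):
        for src, dst in flows:
            print(name, src, "->", dst, evaluate(rules, src, dst))
        print(name, "shadowed:", shadowed(rules))
```
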
Re: [pfSense Support] VLAN'S on pfSense
On 2/28/07, Sloan Miller [EMAIL PROTECTED] wrote:

> Users of Small Office and Home Office networks are quickly finding the need for more advanced features such as VLAN's. These people are graduating from the basic Netgear and Linksys gear, and needing the features of pfSense.
>
> pf docs are not clear in the VLAN area. We can make the Docs better. would anyone like to work on a tutorial about setting up pfSense and creating VLAN's.

Thanks for volunteering. Let us know when it's done and we'll get it posted on the site.

--Bill
Re: [pfSense Support] Native VLAN Question
Will the switch send vlan 1 tagged or untagged? If it's tagged, just create vlan1 on the pfsense box. If it's going to send it untagged (most switches will for native vlans), then you'll need an IP on the physical interface (I'm not entirely sure if we support that setup).

--Bill

On 2/22/07, Esteban Zarikian [EMAIL PROTECTED] wrote:

> Hi,
>
> I was wondering, if I'm going to use one NIC for access to 5 VLANs through a 802.1q trunk, what is the proper way to access the native VLAN in PFSense. I am using some SRW248G4 linksys switches and they force VLAN1 to be present on all trunks, also I don't know where the setting is, but I'm pretty sure the native VLAN on these trunks is VLAN1. The native VLAN is the VLAN where the trunk port sees frames that come in untagged to the Trunk port.
>
> Since I'm using VLAN1, I want to make the Firewall's trunk port so that it sees VLANs 1,2,3,10 and 11, but I'm unsure if I should be using xl0 (the parent interface to the trunk port) as the port for VLAN1 or set up a vlan type interface for VLAN1, that way the two options are:
>
>     xl0-VLAN1
>     vlan0-VLAN2
>     vlan1-VLAN3
>     vlan2-VLAN10
>     vlan3-VLAN11
>
> and the other is
>
>     vlan0-VLAN1
>     vlan1-VLAN2
>     vlan2-VLAN3
>     vlan3-VLAN10
>     vlan4-VLAN11
>
> Do you have any tips on doing this? thanks in advance guys!
>
> Regards,
> Esteban Zarikian
RE: [pfSense Support] HEADS UP -- IPSEC Filtering now in recent snapshots
I think what you're thinking about is the difference between AH and ESP. AH provides origin authentication, so it adds a hash checksum for the IP header; if that gets changed by NAT, the packet will be dropped by the other IPSEC endpoint as it fails the checksum match. ESP, on the other hand, does encryption on the data and does not touch the IP header, so it's free to be modified by NAT.

Thanks
John

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 28, 2007 7:27 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] HEADS UP -- IPSEC Filtering now in recent snapshots

if I remember the protocol correctly, IPSec has a checksum that's embedded into it to show if the packet has been altered. NAT alters the crap out of the packet to make it traverse the network, hence breaking the IPSec security and therefore making it a worthless packet. meaning IPSec into a NAT tunnel will never work but outbound from said tunnel would.

-Sean

----- Original Message -----
From: John Cianfarani [EMAIL PROTECTED]
To: support@pfsense.com
Sent: Wednesday, February 28, 2007 12:53 AM
Subject: RE: [pfSense Support] HEADS UP -- IPSEC Filtering now in recent snapshots

I can always hope :P Good to know I can NAT out of an IPSec tunnel that at least is useful for me. Good work anyhow.

Thanks
John

-----Original Message-----
From: Bill Marquette [mailto:[EMAIL PROTECTED]
Sent: Monday, February 26, 2007 10:44 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] HEADS UP -- IPSEC Filtering now in recent snapshots

On 2/20/07, John Cianfarani [EMAIL PROTECTED] wrote:

> Catching up on the list here and I saw this, that's awesome work! Curious, does this mean we are any closer to doing NAT for traffic in/out of an IPSec tunnel.

For some form of closer. Sadly, not really. IPSec policy takes effect before filtering/nating, so while coming out of a tunnel you could nat (inside interface), traffic initiated _inside_ your network across the tunnel will hit the tunnel before PF sees it to nat (nat only occurs egress on an interface). Maybe someday we'll see this, but it's going to take a lot more kernel reorg I think.

--Bill
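
An added illustration, not part of any message in this thread, of the AH versus ESP distinction John describes: an integrity value computed over the IP header fails after a source-address rewrite, while one computed only over the ESP header and payload does not. It is a simplified model (HMAC-SHA1-96 with a constructed key, one combined SPI/sequence field, constructed addresses and payload, no encryption, no port translation); all function names are hypothetical.

```python
import hashlib
import hmac
import socket
import struct

AH, ESP = 51, 50                      # IP protocol numbers
KEY = b"constructed-demo-key"         # constructed integrity key


def checksum(data):
    """Internet checksum over 16-bit words."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def with_checksum(hdr):
    """Return the 20-byte header with its checksum field recomputed."""
    h = bytearray(hdr)
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", checksum(bytes(h)))
    return bytes(h)


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return with_checksum(hdr)


def icv(data):
    """HMAC-SHA1 truncated to 96 bits."""
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]


def ah_icv(ip_hdr, spi_seq, payload):
    """AH: IP header with mutable fields zeroed, then SPI/sequence, then payload."""
    h = bytearray(ip_hdr)
    h[1] = 0                   # TOS
    h[6:8] = b"\x00\x00"       # flags and fragment offset
    h[8] = 0                   # TTL
    h[10:12] = b"\x00\x00"     # header checksum
    return icv(bytes(h) + spi_seq + payload)


def esp_icv(spi_seq, ciphertext):
    """ESP: SPI/sequence and payload only; the outer IP header is not covered."""
    return icv(spi_seq + ciphertext)


def nat_rewrite_source(ip_hdr, new_src="198.51.100.7"):
    """Source NAT: replace the source address and fix the header checksum."""
    h = bytearray(ip_hdr)
    h[12:16] = socket.inet_aton(new_src)
    return with_checksum(bytes(h))


def decrement_ttl(ip_hdr):
    """An ordinary router hop: TTL minus one, checksum fixed."""
    h = bytearray(ip_hdr)
    h[8] -= 1
    return with_checksum(bytes(h))


def received_ok(proto, in_transit):
    """Sender computes the ICV, in_transit alters the header, receiver verifies."""
    spi_seq = struct.pack("!II", 0x1000, 1)        # constructed SPI and sequence
    body = b"constructed payload bytes"
    sent = ipv4_header("192.168.1.10", "203.0.113.5", proto,
                       len(spi_seq) + 12 + len(body))
    tag = ah_icv(sent, spi_seq, body) if proto == AH else esp_icv(spi_seq, body)
    seen = in_transit(sent)
    check = ah_icv(seen, spi_seq, body) if proto == AH else esp_icv(spi_seq, body)
    return hmac.compare_digest(tag, check)


if __name__ == "__main__":
    for name, proto in (("AH", AH), ("ESP", ESP)):
        print(name, "after router hop:", received_ok(proto, decrement_ttl))
        print(name, "after source NAT:", received_ok(proto, nat_rewrite_source))
```
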
Re: [pfSense Support] VLAN'S on pfSense
I will be happy to write it. The problem is I am one of those people who is coming over from the cheaper SOHO gear and can't get this working on my test LAN. So I need someone to show me how. I have posted requests for help 2x on the forums to no avail. Once I have the steps I will write it up and post it.

Sloan

On 3/1/07, Bill Marquette [EMAIL PROTECTED] wrote:

> On 2/28/07, Sloan Miller [EMAIL PROTECTED] wrote:
>
>> Users of Small Office and Home Office networks are quickly finding the need for more advanced features such as VLAN's. These people are graduating from the basic Netgear and Linksys gear, and needing the features of pfSense.
>>
>> pf docs are not clear in the VLAN area. We can make the Docs better. would anyone like to work on a tutorial about setting up pfSense and creating VLAN's.
>
> Thanks for volunteering. Let us know when it's done and we'll get it posted on the site.
>
> --Bill
RE: [pfSense Support] VLAN'S on pfSense
Well what part are you stuck on... you'll have a lot better luck asking specifics than something so time consuming and general... there are a million different combinations you could be looking for.

Work your way through, ask questions when you get stuck, and write the docs as you go. In the end you will have a working configuration, a lot of knowledge of how things work, and a document you can share with the community. After all... that's what opensource is all about!

-Tim

________________________________
From: Sloan Miller [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 01, 2007 11:10 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] VLAN'S on pfSense

I will be happy to write it. The problem is I am one of those people who is coming over from the cheaper SOHO gear and can't get this working on my test LAN. So I need someone to show me how. I have posted requests for help 2x on the forums to no avail. Once I have the steps I will write it up and post it.

Sloan

On 3/1/07, Bill Marquette [EMAIL PROTECTED] wrote:

> On 2/28/07, Sloan Miller [EMAIL PROTECTED] wrote:
>
>> Users of Small Office and Home Office networks are quickly finding the need for more advanced features such as VLAN's. These people are graduating from the basic Netgear and Linksys gear, and needing the features of pfSense.
>>
>> pf docs are not clear in the VLAN area. We can make the Docs better. would anyone like to work on a tutorial about setting up pfSense and creating VLAN's.
>
> Thanks for volunteering. Let us know when it's done and we'll get it posted on the site.
>
> --Bill
Re: [pfSense Support] Native VLAN Question
On Thu, Mar 01, 2007 at 12:07:32PM -0600, Bill Marquette wrote:

> Will the switch send vlan 1 tagged or untagged? If it's tagged, just create vlan1 on the pfsense box. If it's going to send it untagged

Stupid question: if I have two switches (a HP ProCurve 2650 and a Netgear GS724T to be precise, which are both quite reasonable products for the price tag, especially if you reflash the Netgear firmware, which is buggy out of the box), which are both vlan-capable (it's supposedly standardized, whatever little that means in this business), can I make tagged vlans which span across two or more switches?

> (most switches will for native vlans), then you'll need an IP on the physical interface (I'm not entirely sure if we support that setup).

Apropos of nothing, I managed to down my hoster's network segment by an inadvertent ARP storm, made with pfSense (it's a great dual-use product, doubles as a nuclear weapon in a pinch). I had a firewall with two interfaces (two firewalls, in fact) on the same switch. While playing around with the port-based vlans (I tried to not have two interfaces on the same VLAN, thinking that Something Bad might happen, and was proven right) I managed to actually put two interfaces on the same (main) VLAN, which took everything offline (and my entire subnet banned because of a DoS) in a mere few seconds.

It required a manual intervention (switching off the firewalls by power button), disabling the switch ports, and unbanning the network to get me back in business. The firewalls were still unaccessible (I almost triggered another ARP storm by trying to get back to them, but this time fortunately managed to disable the port in time), but fortunately I had a crossover serial to a Linux machine in the rack, and a PDU which allowed me to remotely power-cycle the firewalls, so I could reconfigure the firewalls via the serial console (I used minicom, which is in the Debian depository -- anyone knows anything more basic?).

The other firewall, unfortunately, lacked such a crossover serial, so it's dead until a physical visit, or at least until I pay for a pair of remote hands, and a crossover cable.

Well, this means that I have to try a filtered bridge next, and think later about pfsync/carp cluster failover.

Moral: networking is unsuitable for dumb people.

--
Eugen* Leitl http://leitl.org
ICBM: 48.07100, 11.36820 http://www.ativel.com
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
Re: AW: [pfSense Support] DHCP + Cisco sip phones
now i know why, however i was working with information given by the poster below. thanks for the CORRECT information.

any plans on adding additional dhcp options to the pfsense gui or at least allowing modification of the dhcpd.conf without it getting rewritten in the near future? the thread mentioned the desire to have this done, but there was no other information about whether or not it was going to happen.

andrew

Holger Bauer wrote:

> All config files get rewritten dynamically if needed so your changes won't be in there for long. It has been discussed here already: http://forum.pfsense.org/index.php/topic,1192.15.html
>
> Holger
>
> -----Original Message-----
> From: Andrew Kemp [mailto:[EMAIL PROTECTED]
> Sent: Thursday, 1 March 2007 04:09
> To: support@pfsense.com
> Subject: Re: [pfSense Support] DHCP + Cisco sip phones
>
> so i'm having some problems getting it to work. the dhcp part is working and the phones had already been configured once so it remembers the previous config, however, the dhcp server is not passing along the tftp server name value like it should. i added this line to my dhcpd.conf
>
>     option tftp-server-name xxx.xxx.140.88;
>
> i also tried it without the quotes. i have tried it in the pool section and below it where the routers and name servers go. i also kill -HUP'd the dhcpd process after changing it but still the phones do not ever receive the tftp server ip in the config. ideas?
>
> andrew
>
> Wade Blackwell wrote:
>
>> You would have to manually edit the config file and restart dhcpd.
>>
>> Wade B
>>
>> On 2/11/07, Andrew Kemp [EMAIL PROTECTED] wrote:
>>
>>> i'm looking to do dhcp on a small /29 network for my sip phones. i know dhcp is capable of passing info such as default tftp server and the like. i looked in the dhcp page but don't see anything like this available from the web page. is this a possibility to add so that cisco sip phones will get all the info they need through dhcp?
Re: [pfSense Support] Native VLAN Question
On 3/1/07, Eugen Leitl [EMAIL PROTECTED] wrote:

> firewalls, so I could reconfigure the firewalls via the serial console (I used minicom, which is in the Debian depository -- anyone knows anything more basic?).

tip/cu? :)

> Moral: networking is unsuitable for dumb people.

Ahahaha, yep :-P Glad you learned this painlessly *duck*.

--Bill
Re: [pfSense Support] Native VLAN Question
Hello Eugen,

as mentioned, tip/cu, or for linux the appended code. i found it on the net, and it seems to me to be a rewrite of cu from BSD.

cheers
michael

2007/3/1, Eugen Leitl [EMAIL PROTECTED]:

> On Thu, Mar 01, 2007 at 12:07:32PM -0600, Bill Marquette wrote:
>
>> Will the switch send vlan 1 tagged or untagged? If it's tagged, just create vlan1 on the pfsense box. If it's going to send it untagged
>
> Stupid question: if I have two switches (a HP ProCurve 2650 and a Netgear GS724T to be precise, which are both quite reasonable products for the price tag, especially if you reflash the Netgear firmware, which is buggy out of the box), which are both vlan-capable (it's supposedly standardized, whatever little that means in this business), can I make tagged vlans which span across two or more switches?
>
>> (most switches will for native vlans), then you'll need an IP on the physical interface (I'm not entirely sure if we support that setup).
>
> Apropos of nothing, I managed to down my hoster's network segment by an inadvertent ARP storm, made with pfSense (it's a great dual-use product, doubles as a nuclear weapon in a pinch). I had a firewall with two interfaces (two firewalls, in fact) on the same switch. While playing around with the port-based vlans (I tried to not have two interfaces on the same VLAN, thinking that Something Bad might happen, and was proven right) I managed to actually put two interfaces on the same (main) VLAN, which took everything offline (and my entire subnet banned because of a DoS) in a mere few seconds.
>
> It required a manual intervention (switching off the firewalls by power button), disabling the switch ports, and unbanning the network to get me back in business. The firewalls were still unaccessible (I almost triggered another ARP storm by trying to get back to them, but this time fortunately managed to disable the port in time), but fortunately I had a crossover serial to a Linux machine in the rack, and a PDU which allowed me to remotely power-cycle the firewalls, so I could reconfigure the firewalls via the serial console (I used minicom, which is in the Debian depository -- anyone knows anything more basic?).
>
> The other firewall, unfortunately, lacked such a crossover serial, so it's dead until a physical visit, or at least until I pay for a pair of remote hands, and a crossover cable.
>
> Well, this means that I have to try a filtered bridge next, and think later about pfsync/carp cluster failover.
>
> Moral: networking is unsuitable for dumb people.
>
> --
> Eugen* Leitl http://leitl.org
> ICBM: 48.07100, 11.36820 http://www.ativel.com
> 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

--
michael-schuh.net
Michael Schuh
Preußenstr. 13
66111 Saarbrücken
phone: 0681/8319664
mobile: 0177/9738644
@: [EMAIL PROTECTED]

Attachments: com (binary data), com.c (binary data)
Re: [pfSense Support] Native VLAN Question
Eugen Leitl wrote:

> Stupid question: if I have two switches (a HP ProCurve 2650 and a Netgear GS724T to be precise, which are both quite reasonable products for the price tag, especially if you reflash the Netgear firmware, which is buggy out of the box), which are both vlan-capable (it's supposedly standardized, whatever little that means in this business), can I make tagged vlans which span across two or more switches?

Yes. Just use the 802.1q trunking appropriately. I have networks that pass VLAN's between Cisco, HP, Netgear and Dell switches with no problems.

> Apropos of nothing, I managed to down my hoster's network segment by an inadvertent ARP storm, made with pfSense (it's a great dual-use product, doubles as a nuclear weapon in a pinch). I had a firewall with two interfaces (two firewalls, in fact) on the same switch.

What you did was create a layer 2 loop, your provider obviously isn't using STP or it would have done nothing but immediately shut down one of the ports to cut off the loop. Shame on you a little, bigger shame on them. In a network where you have all kinds of various customers plugging in stuff, STP is essential - you have to protect yourself and your customers from crap of this nature.

> Moral: networking is unsuitable for dumb people.

I'm feeling nice today, no comment. ;)
Re: [pfSense Support] DST 2007-ready?
Vivek,

Here are my results:

    # date -r 1175386460 ; date -r 1175486460
    Sat Mar 31 19:14:20 CDT 2007
    Sun Apr 1 23:01:00 CDT 2007

Mine are off an hour, but I'm in a different time zone so does that account for the difference? I wish I could have done this little test before doing the upgrade. :-)

Thanks,
Stephan

On Mar 1, 2007, at 10:06 AM, Vivek Khera wrote:

> On Feb 28, 2007, at 11:44 PM, stephan peterson wrote:
>
>> What can I do to make sure the new zoneinfo file(s) are being used? I'm not sure from LJ's message what to look for.
>
> in the USA, run this command line:
>
>     date -r 1175386460 ; date -r 1175486460
>
> you should get something like this on a corrected system:
>
>     Sat Mar 31 20:14:20 EDT 2007
>     Mon Apr 2 00:01:00 EDT 2007
>
> Whereas on an incorrect (ie, older zone file) system you would get:
>
>     Sat Mar 31 19:14:20 EST 2007
>     Mon Apr 2 00:01:00 EDT 2007
>
> If you have any other freebsd system, you can simply copy a working /etc/localtime file onto the one on your pfsense box. my understanding is that any unix system using the same zone info compiler (pretty much any unix in existence) should produce working zone files.