Re: freebsd ipfw question
> for some reason lost in time, i have the following in `/etc/ipfw.rules`
> on a freebsd system running bind9
>
> add allow tcp from any to me 53 limit src-addr 1 setup
> add deny tcp from any to me 53

and now i know why

# lsof -i :53
COMMAND PID   USER FD  TYPE DEVICE         SIZE/OFF NODE NAME
named   14689 bind 6u  IPv6 0xfe00cd91d8f0 0t0      TCP  [2001:418:1::39]:domain->[2607:f8b0:4002:c2c::10c]:35195 (ESTABLISHED)
named   14689 bind 33u IPv4 0xf80134af5800 0t0      UDP  147.28.0.39:domain
named   14689 bind 34u IPv4 0xf8013492c020 0t0      UDP  147.28.0.39:domain
named   14689 bind 35u IPv4 0xf8000480d320 0t0      UDP  147.28.0.39:domain
named   14689 bind 36u IPv4 0xfe00cd8200c0 0t0      TCP  147.28.0.39:domain (LISTEN)
named   14689 bind 37u IPv4 0xfe00cdbcd890 0t0      TCP  147.28.0.39:domain (LISTEN)
named   14689 bind 38u IPv4 0xfe00cd958060 0t0      TCP  147.28.0.39:domain (LISTEN)
named   14689 bind 42u IPv6 0xf801347a5a40 0t0      UDP  [fe80:1::a800:ff:fe5e:1e04]:domain
named   14689 bind 43u IPv6 0xf801341121a0 0t0      UDP  [fe80:1::a800:ff:fe5e:1e04]:domain
named   14689 bind 44u IPv6 0xf800046db660 0t0      UDP  [fe80:1::a800:ff:fe5e:1e04]:domain
named   14689 bind 45u IPv6 0xfe00cd834478 0t0      TCP  [fe80:1::a800:ff:fe5e:1e04]:domain (LISTEN)
named   14689 bind 46u IPv6 0xfe00cdbdb830 0t0      TCP  [fe80:1::a800:ff:fe5e:1e04]:domain (LISTEN)
named   14689 bind 47u IPv6 0xfe00cdbe38f0 0t0      TCP  [fe80:1::a800:ff:fe5e:1e04]:domain (LISTEN)
named   14689 bind 48u IPv6 0xf8000480dd60 0t0      UDP  [2001:418:1::39]:domain
named   14689 bind 49u IPv6 0xf80004755a80 0t0      UDP  [2001:418:1::39]:domain
named   14689 bind 50u IPv6 0xf801347a5ee0 0t0      UDP  [2001:418:1::39]:domain
named   14689 bind 51u IPv6 0xfe00cd9148f0 0t0      TCP  [2001:418:1::39]:domain (LISTEN)
named   14689 bind 52u IPv6 0xfe00cd834ca8 0t0      TCP  [2001:418:1::39]:domain (LISTEN)
named   14689 bind 53u IPv6 0xfe00cdadf830 0t0      TCP  [2001:418:1::39]:domain (LISTEN)
named   14689 bind 54u IPv6 0xf80134af5620 0t0      UDP  [::1]:domain
named   14689 bind 55u IPv6 0xf8013492cea0 0t0      UDP  [::1]:domain
named   14689 bind 56u IPv6 0xf80134af5140 0t0      UDP  [::1]:domain
named   14689 bind 57u IPv6 0xfe00cd9770c0 0t0      TCP  [::1]:domain (LISTEN)
named   14689 bind 58u IPv6 0xfe00cdbc7ca8 0t0      TCP  [::1]:domain (LISTEN)
named   14689 bind 59u IPv6 0xfe00cd97f890 0t0      TCP  [::1]:domain (LISTEN)
named   14689 bind 60u IPv6 0xf801347a5aa0 0t0      UDP  [fe80:2::1]:domain
named   14689 bind 61u IPv6 0xf801341126a0 0t0      UDP  [fe80:2::1]:domain
named   14689 bind 62u IPv6 0xf80134112b00 0t0      UDP  [fe80:2::1]:domain
named   14689 bind 63u IPv6 0xfe00cd8c9418 0t0      TCP  [fe80:2::1]:domain (LISTEN)
named   14689 bind 64u IPv6 0xfe00cd5aa060 0t0      TCP  [fe80:2::1]:domain (LISTEN)
named   14689 bind 65u IPv6 0xfe00cd53cc48 0t0      TCP  [fe80:2::1]:domain (LISTEN)
named   14689 bind 66u IPv4 0xf8000480dba0 0t0      UDP  127.0.0.1:domain
named   14689 bind 67u IPv4 0xf800046db920 0t0      UDP  127.0.0.1:domain
named   14689 bind 68u IPv4 0xf80134112e40 0t0      UDP  127.0.0.1:domain
named   14689 bind 69u IPv4 0xfe00cdb07478 0t0      TCP  127.0.0.1:domain (LISTEN)
named   14689 bind 70u IPv4 0xfe00cdafe060 0t0      TCP  127.0.0.1:domain (LISTEN)
named   14689 bind 71u IPv4 0xfe00cd8fcc48 0t0      TCP  127.0.0.1:domain (LISTEN)
named   14689 bind 74u IPv6 0xfe00cd978830 0t0      TCP  [2001:418:1::39]:domain->[2607:f8b0:4002:c1b::10a]:64903 (ESTABLISHED)
named   14689 bind 75u IPv6 0xfe00cd9140c0 0t0      TCP  [2001:418:1::39]:domain->[2607:f8b0:4002:c02::10b]:41168 (ESTABLISHED)
named   14689 bind 76u IPv4 0xfe00cdb93830 0t0      TCP  147.28.0.39:domain->159.69.157.209:44218 (ESTABLISHED)
named   14689 bind 77u IPv4 0xfe00cd5fd8f0 0t0      TCP  147.28.0.39:domain->161.97.189.52:48370 (ESTABLISHED)
named   14689 bind 78u IPv6 0xfe00cd942000 0t0      TCP  [2001:418:1::39]:domain->[2607:f8b0:4002:c2c::109]:52023 (ESTABLISHED)
named   14689 bind 79u IPv6 0xfe00cdbb68f0 0t0      TCP  [2001:418:1::39]:domain->[2607:f8b0:4002:c11::107]:52217 (ESTABLISHED)
named   14689 bind 80u IPv4 0xfe00cdb96418 0t0      TCP  147.28.0.39:domain->159.69.249.231:53078 (ESTABLISHED)
named   14689 bind 81u IPv6 0xfe00cd5294d8 0t0      TCP  [2001:418:1::39]:domain->[2607:f8b0:4002:c09::102]:56650 (ESTABLISHED)
named   14689 bind 82u IPv6 0xfe00cd96f830 0t0      TCP  [2001:418:1::39]:domain->[2a02:c206:5028::2:53]:43550 (ESTABLISHED)
named   14689 bind 83u IPv6 0xfe00cdb10ca8 0t0      TCP  [2001:418:1::39]:domain->[2607:f8b0:4002:c02::108]:44
BIND 9.18.0 and Mac OS X 10.15.7 - cannot build
So, just for fun, I decided to see if I could build 9.18.0 on my current MacBookPro (where I already run 9.16.26). It’s on MacOS Catalina 10.15.7 (cannot go higher - new MacBookPro coming soon!).

First attempt to configure told me I either needed libnghttp2 or to configure with --disable-doh. I downloaded nghttp2 (v1.46.0) from nghttp2.org per the link in the release notes, built and installed it. Attempted to configure bind 9.18.0 and this time configure aborted with:

configure: error: in `[redacted dirpath]/bind-9.18.0':
configure: error: EVP_DigestSignInit/EVP_DigestVerifyInit support in OpenSSL is mandatory.

Tried configuring with --disable-doh and received the same error. Googling that message and variations of it has turned up nothing useful (at least to me).

OpenSSL version was 1.1.1a; I subsequently upgraded to 1.1.1m but same error. OpenSSL is installed in /usr/local/ssl and built with the standard ./configure; make.

From config.log, the relevant part appears to be:

configure:17852: checking for EVP_DigestSignInit
configure:17852: gcc -o conftest -g -O2 -pthread -I/usr/local/ssl/include conftest.c -lpthread -lssl -lcrypto >&5
ld: library not found for -lssl
clang: error: linker command failed with exit code 1 (use -v to see invocation)
configure:17852: $? = 1

(I then tried to build 9.18.0 on an older system I have running macOS 10.13.6. I did not try to install nghttp2 on it and configure worked fine with --disable-doh. But it then errored with some SSL issues (./openssl_shim.h:99:1: error: conflicting types for ‘OPENSSL_init_crypto’ was the first) but I have not started to dig into that (this system still has OpenSSL 1.1.1a)).

Anyway, I’m stuck on the "configure: error: EVP_DigestSignInit/EVP_DigestVerifyInit support in OpenSSL is mandatory" error and not sure what direction to go. I think it’s an issue with OpenSSL but I can’t see what it is (and Bind 9.16.x builds fine). Probably something simple but I need a nudge in the right direction. Thanks.

--
Larry Stone
lston...@stonejongleux.com

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: freebsd ipfw question
On 21-Feb-22 18:36, Randy Bush wrote:
> for some reason lost in time, i have the following in `/etc/ipfw.rules`
> on a freebsd system running bind9
>
> add allow tcp from any to me 53 limit src-addr 1 setup
> add deny tcp from any to me 53

Except that rule wouldn't help.

I put the non-local connections into a file, and executed:

sed zz.tmp -e's/^.*->//; s/:[0-9]\+ .*$//;' | sort | wc -l
sed zz.tmp -e's/^.*->//; s/:[0-9]\+ .*$//;' | sort -u | wc -l

I get the same number in both cases - 156. They're mostly IPv6 remotes. So while there are IPv6 address blocks that are making a lot of connections, each address only makes one. So the rule (limiting to 1 connection/address) would have no effect.

Interestingly, they come from sequentially numbered hosts. Mostly in 2607:f8b0:4002::. (Use 'less' instead of wc -l to see this.)

Whois says the address block 2607:f8b0::/32 is assigned to google (AS15169).

Why these blocks are making connections - and how long they persist - may deserve some investigation. They could be a DDOS - or a parallelized DNS survey. If you decide they are abusive, the previous firewall rule isn't the right mitigation.

It's important not to jump to conclusions...

Timothe Litt
ACM Distinguished Engineer
--
This communication may not represent the ACM or my employer's views, if any, on the matters discussed.
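The count Timothe ran with sed | sort | wc -l, as an added shell example (not code from the thread), extended to the question the ipfw rule actually has to answer: how many remotes hold more than N concurrent TCP connections, which is what `limit src-addr N` on a `setup` rule enforces. The sample lsof lines are constructed, modelled on Randy's output, with one IPv4 remote deliberately duplicated so the over-limit case is exercised; the /48 grouping assumes the first three hextets of each IPv6 address are written uncompressed.

```shell
#!/bin/sh
# Added example, not from the thread: analyse "lsof -i :53" output for
# per-remote TCP connection counts. SAMPLE_LSOF is constructed (modelled on
# the thread's lsof output); 159.69.157.209 appears twice on purpose.
SAMPLE_LSOF='named 14689 bind 36u IPv4 0xfe00cd8200c0 0t0 TCP 147.28.0.39:domain (LISTEN)
named 14689 bind 74u IPv6 0xfe00cd978830 0t0 TCP [2001:418:1::39]:domain->[2607:f8b0:4002:c1b::10a]:64903 (ESTABLISHED)
named 14689 bind 75u IPv6 0xfe00cd9140c0 0t0 TCP [2001:418:1::39]:domain->[2607:f8b0:4002:c02::10b]:41168 (ESTABLISHED)
named 14689 bind 76u IPv4 0xfe00cdb93830 0t0 TCP 147.28.0.39:domain->159.69.157.209:44218 (ESTABLISHED)
named 14689 bind 77u IPv4 0xfe00cd5fd8f0 0t0 TCP 147.28.0.39:domain->159.69.157.209:48370 (ESTABLISHED)
named 14689 bind 78u IPv6 0xfe00cd942000 0t0 TCP [2001:418:1::39]:domain->[2607:f8b0:4002:c2c::109]:52023 (ESTABLISHED)'

# Print "remote count" for every remote with an ESTABLISHED TCP connection.
# Same idea as the sed in the thread: drop the local side, then the remote
# port and state, leaving only the remote address (IPv6 keeps its brackets).
remote_counts() {
    printf '%s\n' "$1" |
    awk '/TCP/ && /ESTABLISHED/ { sub(/^.*->/, ""); sub(/:[0-9]+ .*$/, ""); print }' |
    sort | uniq -c |
    awk '{ print $2, $1 }'
}

# Number of remotes holding more than N concurrent connections, i.e. the
# remotes a "limit src-addr N" rule would actually throttle. With one
# connection per address and N=1 this is 0, which is Timothe's point.
over_limit() {
    remote_counts "$1" | awk -v n="$2" '$2 > n { c++ } END { print c + 0 }'
}

# Aggregate IPv6 remotes by their first three hextets (a rough /48) so that
# many single connections from one block, as in the thread, become visible.
# Assumption: the first three groups are not part of a "::" compression.
prefix_counts() {
    remote_counts "$1" |
    awk '/^\[/ { sub(/^\[/, "", $1); split($1, h, ":"); p = h[1] ":" h[2] ":" h[3]; sum[p] += $2 }
         END { for (p in sum) print p, sum[p] }' |
    sort
}

# Stand-alone run: counts for the constructed sample.
remote_counts "$SAMPLE_LSOF"
echo "remotes over limit 1: $(over_limit "$SAMPLE_LSOF" 1)"
prefix_counts "$SAMPLE_LSOF"
```

On a live box, feed it `lsof -i :53` output taken several times a few seconds apart rather than one snapshot: a single lsof run only shows the connections open at that instant, and per-source limits, `limit src-addr`, only bite on concurrency, not on a block that opens one connection per address.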
Re: BIND 9.18.0 and Mac OS X 10.15.7 - cannot build
When building with OpenSSL in non system locations ensure that the PKG_CONFIG_PATH is properly set.

e.g.

OPENSSL=/opt/local
PKG_CONFIG_PATH=$OPENSSL/lib/pkgconfig

Mark

> On 22 Feb 2022, at 12:29, Larry Stone wrote:
>
> So, just for fun, I decided to see if I could build 9.18.0 on my current MacBookPro (where I already run 9.16.26). It’s on MacOS Catalina 10.15.7 (cannot go higher - new MacBookPro coming soon!).
>
> First attempt to configure told me I either needed libnghttp2 or to configure with --disable-doh. I downloaded nghttp2 (v1.46.0) from nghttp2.org per the link in the release notes, built and installed it. Attempted to configure bind 9.18.0 and this time configure aborted with:
> configure: error: in `[redacted dirpath]/bind-9.18.0':
> configure: error: EVP_DigestSignInit/EVP_DigestVerifyInit support in OpenSSL is mandatory.
>
> Tried configuring with --disable-doh and received the same error. Googling that message and variations of it have turned up nothing useful (at least to me).
>
> OpenSSL version was 1.1.1a, I subsequently upgraded to 1.1.1m but same error. OpenSSL is installed in /usr/local/ssl and built with the standard ./configure; make.
>
> From config.log, the relevant part appears to be:
> configure:17852: checking for EVP_DigestSignInit
> configure:17852: gcc -o conftest -g -O2 -pthread -I/usr/local/ssl/include conftest.c -lpthread -lssl -lcrypto >&5
> ld: library not found for -lssl
> clang: error: linker command failed with exit code 1 (use -v to see invocation)
> configure:17852: $? = 1
>
> (I then tried to build 9.18.0 on an older system I have running macOS 10.13.6. I did not try to install nghttp2 on it and configure worked fine with --disable-doh. But it then errored with some SSL issues (./openssl_shim.h:99:1: error: conflicting types for ‘OPENSSL_init_crypto’ was the first) but I have not started to dig into that (this system still has OpenSSL 1.1.1a)).
>
> Anyway, I’m stuck on the "configure: error: EVP_DigestSignInit/EVP_DigestVerifyInit support in OpenSSL is mandatory" error and not sure what direction to go. I think it’s an issue with OpenSSL but I can’t see what it is (and Bind 9.16.x builds fine). Probably something simple but I need a nudge in the right direction. Thanks.
>
> --
> Larry Stone
> lston...@stonejongleux.com

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
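A pre-configure check in the spirit of Mark's advice, added here as an example and not anything from ISC or the thread. It verifies that the OpenSSL prefix carries the .pc files pkg-config needs before BIND's configure is run, and classifies the probe Larry quoted from config.log so that a linker failure (the real cause here) is not mistaken for an OpenSSL that genuinely lacks EVP_DigestSignInit. The prefix layout `lib/pkgconfig` is the default one and is an assumption; the sample config.log excerpt is constructed from the lines in the thread.

```shell
#!/bin/sh
# Added example, not from the thread or from ISC: check an out-of-tree OpenSSL
# prefix before running BIND's configure, and read the config.log probe.

# Constructed sample: the config.log excerpt from the thread.
SAMPLE_CONFIG_LOG='configure:17852: checking for EVP_DigestSignInit
configure:17852: gcc -o conftest -g -O2 -pthread -I/usr/local/ssl/include conftest.c -lpthread -lssl -lcrypto >&5
ld: library not found for -lssl
clang: error: linker command failed with exit code 1 (use -v to see invocation)
configure:17852: $? = 1'

# Return 0 and print the PKG_CONFIG_PATH assignment to use when PREFIX holds
# the pkg-config metadata configure looks for; return 1 otherwise.
# Assumes the default <prefix>/lib/pkgconfig layout.
check_openssl_prefix() {
    pcdir="$1/lib/pkgconfig"
    for pc in openssl libssl libcrypto; do
        if [ ! -f "$pcdir/$pc.pc" ]; then
            echo "missing $pcdir/$pc.pc: configure will not find this OpenSSL" >&2
            return 1
        fi
    done
    echo "PKG_CONFIG_PATH=$pcdir"
}

# The OpenSSL version pkg-config will report for PREFIX (Version: line of openssl.pc).
openssl_pc_version() {
    sed -n 's/^Version:[[:space:]]*//p' "$1/lib/pkgconfig/openssl.pc"
}

# Read config.log on stdin and classify the EVP_DigestSignInit probe:
#   link     - the test program did not link (-lssl/-lcrypto not found)
#   compile  - the OpenSSL headers were not found
#   ok       - the probe succeeded
#   other    - it failed for some other reason
#   noprobe  - the probe never ran (configure stopped earlier)
diagnose_config_log() {
    awk '
        /checking for EVP_DigestSignInit/ { inprobe = 1; next }
        inprobe && /(library not found for|cannot find) -l(ssl|crypto)/ { print "link"; done = 1; exit }
        inprobe && /openssl\/.*\.h.*(not found|No such file)/          { print "compile"; done = 1; exit }
        inprobe && /\$\? = 0/                                            { print "ok"; done = 1; exit }
        inprobe && /\$\? = [1-9]/                                        { print "other"; done = 1; exit }
        END { if (!inprobe) print "noprobe"; else if (!done) print "unknown" }
    '
}

# Stand-alone run: classify the constructed excerpt, then check a prefix if given.
printf '%s\n' "$SAMPLE_CONFIG_LOG" | diagnose_config_log
if [ -n "${1:-}" ] && check_openssl_prefix "$1"; then
    echo "openssl.pc version: $(openssl_pc_version "$1")"
fi
```

Once configure and make succeed, `named -V` prints both the OpenSSL version the binary was compiled against and the one it is linked to at run time; on a machine that carries a second OpenSSL under /usr/local/ssl those two lines should agree, otherwise the server is running crypto you did not mean to ship.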
Re: BIND 9.18.0 and Mac OS X 10.15.7 - cannot build
Thanks. That gave me a good configure and make on the 10.15.7 system. Have not installed or tried to run it yet.

Unfortunately, on the 10.13.6 system, with OpenSSL 1.1.1m now installed as well as nghttp2, while it configures OK, make throws an error with references to Xcode (MacOS proprietary subsystem). The 10.13.6 system has Xcode version 10 on it while the 10.15.7 system has Xcode version 11. Unfortunately, Xcode 11 requires MacOS 10.14 so upgrading the 10.13.6 system does not appear to be an option. The 10.13.6 system (a mid-2010 iMac) is also due for replacement so it may just have to live with Bind 9.16.x until it is replaced.

But in case anyone has any ideas, the error make throws is:

Making all in isc
  CC       netmgr/libisc_la-netmgr.lo
netmgr/netmgr.c:3536:10: error: address argument to atomic operation must be a pointer to non-const _Atomic type ('const isc_refcount_t *' (aka 'const _Atomic(uint_fast32_t) *') invalid)
        REQUIRE(VALID_NMHANDLE(handle));
        ^~~
netmgr/netmgr-int.h:236:3: note: expanded from macro 'VALID_NMHANDLE'
         atomic_load(&(t)->references) > 0)
         ^
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/10.0.0/include/stdatomic.h:134:29: note: expanded from macro 'atomic_load'
#define atomic_load(object) __c11_atomic_load(object, __ATOMIC_SEQ_CST)
                            ^
./include/isc/util.h:279:34: note: expanded from macro 'REQUIRE'
#define REQUIRE(e) ISC_REQUIRE(e)
                                 ^~
./include/isc/assertions.h:46:11: note: expanded from macro 'ISC_REQUIRE'
        ((void)((cond) || \
                 ^~~~
netmgr/netmgr.c:3544:10: error: address argument to atomic operation must be a pointer to non-const _Atomic type ('const isc_refcount_t *' (aka 'const _Atomic(uint_fast32_t) *') invalid)
        REQUIRE(VALID_NMHANDLE(handle));
        ^~~
netmgr/netmgr-int.h:236:3: note: expanded from macro 'VALID_NMHANDLE'
         atomic_load(&(t)->references) > 0)
         ^
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/10.0.0/include/stdatomic.h:134:29: note: expanded from macro 'atomic_load'
#define atomic_load(object) __c11_atomic_load(object, __ATOMIC_SEQ_CST)
                            ^
./include/isc/util.h:279:34: note: expanded from macro 'REQUIRE'
#define REQUIRE(e) ISC_REQUIRE(e)
                                 ^~
./include/isc/assertions.h:46:11: note: expanded from macro 'ISC_REQUIRE'
        ((void)((cond) || \
                 ^~~~
2 errors generated.
make[4]: *** [netmgr/libisc_la-netmgr.lo] Error 1
make[3]: *** [all-recursive] Error 1
make[2]: *** [all-recursive] Error 1
make[1]: *** [all-recursive] Error 1
make: *** [all] Error 2

--
Larry Stone
lston...@stonejongleux.com

> On Feb 21, 2022, at 4:19 PM, Mark Andrews wrote:
>
> When building with OpenSSL in non system locations ensure that the PKG_CONFIG_PATH is properly set.
>
> e.g.
>
> OPENSSL=/opt/local
> PKG_CONFIG_PATH=$OPENSSL/lib/pkgconfig
>
> Mark
>
>> On 22 Feb 2022, at 12:29, Larry Stone wrote:
>>
>> So, just for fun, I decided to see if I could build 9.18.0 on my current MacBookPro (where I already run 9.16.26). It’s on MacOS Catalina 10.15.7 (cannot go higher - new MacBookPro coming soon!).
>>
>> First attempt to configure told me I either needed libnghttp2 or to configure with --disable-doh. I downloaded nghttp2 (v1.46.0) from nghttp2.org per the link in the release notes, built and installed it. Attempted to configure bind 9.18.0 and this time configure aborted with:
>> configure: error: in `[redacted dirpath]/bind-9.18.0':
>> configure: error: EVP_DigestSignInit/EVP_DigestVerifyInit support in OpenSSL is mandatory.
>>
>> Tried configuring with --disable-doh and received the same error. Googling that message and variations of it have turned up nothing useful (at least to me).
>>
>> OpenSSL version was 1.1.1a, I subsequently upgraded to 1.1.1m but same error. OpenSSL is installed in /usr/local/ssl and built with the standard ./configure; make.
>>
>> From config.log, the relevant part appears to be:
>> configure:17852: checking for EVP_DigestSignInit
>> configure:17852: gcc -o conftest -g -O2 -pthread -I/usr/local/ssl/include conftest.c -lpthread -lssl -lcrypto >&5
>> ld: library not found for -lssl
>> clang: error: linker command failed with exit code 1 (use -v to see invocation)
>> configure:17852: $? = 1
>>
>> (I then tried to build 9.18.0 on an older system I have running macOS 10.13.6. I did not try to install nghttp2 on it and configure worked fine with --disable-doh. But it then errored with some SSL issues (./openssl_shim.h:99:1: error: conflicting types for ‘OPENSSL_init_crypto’