Sharity Light -v- SMBFS

2003-11-19 Thread Micheal Patterson
I've got an interesting issue that I'm having trouble locating anything on.
Here's the situation.

I've got a win2k server running IIS that keeps its logs on a local drive.

I'm running awstats from my fbsd server.

Here's the glitch that I'm running into.

If I use smbfs to access the shares so I can run awstats on the iis log
files, I can't read the current log file if iis is running.  However, if I
run sharity light on the same share, I can then read the current file. At
first glance, there appears to be a lock in place that smbfs honors whereas
sharity light does not. I would prefer to use smbfs as it's internal to the
os, and I'm mounting to a remote san connected to another windows server for
my daily dump backups. I'd prefer not to have to use both of them to get the
job done. Has anyone any information at all on just what is occurring here or
is there something just plain simple that I'm missing?

The smbfs mount is configured as noauto,rw in fstab. I can write to the
slice, but just can't read the active server log file.

Thanks.

--

Micheal Patterson
TSG Network Administration
405-917-0600

Confidentiality Notice:  This e-mail message, including any attachments, is
for the sole use of the intended recipient(s) and may contain confidential
and privileged information. Any unauthorized review, use, disclosure or
distribution is prohibited. If you are not the intended recipient, please
contact the sender by reply e-mail and destroy all copies of the original
message.


___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


MailScanner and sendmail

2003-11-21 Thread Micheal Patterson
Has anyone successfully gotten MailScanner working with a version of
sendmail from version 8.12.9 onward?  I tried to add this last night and ran
into an evil circle of permissions issues. Set normally, mail would go into
the clientqueue after scanned, but owned by root with 600 permissions and
the smmsp account couldn't read these files, then with sendmail and
MailScanner set to use smmsp user / groups, it could send from clientqueue
but the sendmail daemon couldn't store mail in mqueue. I would like to use
this as it's got advantages over using Amavis however, with this much hassle
on a stock sendmail installation, I'm beginning to think it would just be
best to stick with Amavis and forget about the hassle.

--

Micheal Patterson
TSG Network Administration
405-917-0600



Re: MailScanner and sendmail

2003-11-21 Thread Micheal Patterson

- Original Message - 
From: "Micheal Patterson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, November 21, 2003 2:25 PM
Subject: MailScanner and sendmail


> Has anyone successfully gotten MailScanner working with a version of
> sendmail from version 8.12.9 onward?  I tried to add this last night and ran
> into an evil circle of permissions issues. Set normally, mail would go into
> the clientqueue after scanned, but owned by root with 600 permissions and
> the smmsp account couldn't read these files, then with sendmail and
> MailScanner set to use smmsp user / groups, it could send from clientqueue
> but the sendmail daemon couldn't store mail in mqueue. I would like to use
> this as it's got advantages over using Amavis however, with this much hassle
> on a stock sendmail installation, I'm beginning to think it would just be
> best to stick with Amavis and forget about the hassle.
>
> --

I'll add to this that sendmail and MailScanner have both been installed
on Fbsd 4.9 from ports.

--

Micheal Patterson
Network Administration
Cancer Care Network
405-917-0600



Re: firewall rules do not get read

2003-11-21 Thread Micheal Patterson


- Original Message - 
From: "Alex de Kruijff" <[EMAIL PROTECTED]>
To: "Chip" <[EMAIL PROTECTED]>
Cc: "FreeBSD Questions List" <[EMAIL PROTECTED]>
Sent: Friday, November 21, 2003 1:24 PM
Subject: Re: firewall rules do not get read


> On Thu, Nov 20, 2003 at 04:19:09PM -0800, Chip wrote:
> >
> >
> > Alex de Kruijff wrote:
> >
> > >On Wed, Nov 19, 2003 at 09:38:34PM -0800, Chip wrote:
> > >
> > >>I noticed my firewall rules are not being read. I have rc.conf set to
> > >>read the file rc.firewall. In rc.firewall the first line is add divert
> > >>natd etc etc. that is followed by pass all from any to any etc etc. Then
> > >>nothing after that is read, it is all ignored.
> > >>If I comment out the line pass all from any to any then nothing works to
> > >>access the internet.
> > >>I don't know what to do to make it read past those first two lines.
> > >>Any suggestions?
> > >
> > >
> > >Can you give me the output of 'ipfw s'. If that one doesn't work then
> > >try 'ipfw l'?
> >
> > No problem, below are the results of the two commands. Question - do I
> > have to use rc.firewall?
>
> No you can create your own configuration file for ipfw. You need these
> two lines in rc.conf:
>
> firewall_enable="YES"
> firewall_type="/etc/firewall.conf"
>
> The configuration file looks something like:
> add divert natd ip from any to any via xl1
> add allow ip from any to any
>
> > Or is it just a generic ruleset that can be
> > replaced by a custom ruleset, as I have done (called firewall.rules
> > pasted in below)?
>
> It's possible to place your own ruleset in the default script, but I would
> advise *not* to do this, because when you update this file can be
> overridden in the process.


It is also possible to simply create an ipfw.sh script in
/usr/local/etc/rc.d and add all of your rules to that script.

ipfw.sh
ipfw -f flush

#NATD Rules here
ipfw add 3 divert natd all from any to any via xl1
etc..

I've used both rc.conf and this method but I prefer to number my rule sets
so that I can easily tell which one is causing an issue should I
inadvertently block traffic that needs to get through.  To my knowledge,
either method works well, it's just that what I do is generally not
mentioned. :)

--

Micheal Patterson
Network Administration
Cancer Care Network
405-917-0600







Linux_Base-8 install

2003-11-27 Thread Micheal Patterson
I'm running 4.7 Release on one of my systems and am trying to install the
linux_base-8 from ports. It's failing with the following error:

===>   linux_base-8-8.0_1 depends on executable: rpm - found
kern.fallback_elf_brand: 3 -> 3
glibc-common-2.3.2-4.80.6.i386.rpm
/usr/sbin/build-locale-archive: cannot lock new archive: Invalid argument
execution of glibc-common-2.3.2-4.80.6 script failed, exit status 1
*** Error code 1

Has anyone run into this before?

--

Micheal Patterson
Network Administration
Cancer Care Network
405-917-0600




Re: migrating users

2003-11-28 Thread Micheal Patterson


- Original Message - 
From: "Rob Evers" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, November 27, 2003 7:50 AM
Subject: migrating users


> Hi all,
>
> I'm going to move my sendmail server to a new machine.
> The new machine will use postfix and virtual users, now what I can't
> figure out is how to migrate the users (and keep the old passwords).
> Does anyone know of a procedure to extract plain text passwords for all
> users ?
> Or maybe just pointers where to look.
>
> Thanks
>
> Rob Evers
>


Rob,

There's a really simple solution to this that so far I've not seen anyone
mention. Especially if you want to make an exact duplicate of the existing
password file and you have a system with a ssh / telnet client that you can
copy / paste from / into. Just run vipw on the existing mail server, scroll
through the listing so it's in your buffer, copy the password file into your
clipboard, ssh into the new system, run vipw and paste it into the new
system. When you exit vipw, it will update the database and you're done.
I've done this when moving to new mail servers in the past.

--

Micheal Patterson
Network Administration
Cancer Care Network
405-917-0600



Re: NATD remote management

2003-12-13 Thread Micheal Patterson


- Original Message - 
From: "Jack L. Stone" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, December 13, 2003 10:25 AM
Subject: NATD remote management


> Dear list:
> I manage a remote gateway/nat/router/fw server where it is not convenient
> for anyone to go downtown to the colo and do reboots.
>
> I've managed to do everything here remotely from my own console, including
> reboots when updating the OS requires it -- that is except when
> reconfiguring the natd.conf file to add another forwarding service. I can
> reboot and it comes up okay, but rather would avoid a reboot. BUT, if I try
> to kill/restart the natd daemon remotely, it kills my SSH session -- no
> restart of NATD -- cannot log back in and that means a 30-min trip for
> someone to the colo. That gets old and rather just reboot which is a lot
> less inconvenient.
>
> Obviously, when I do the kill of natd, it disconnects my SSH session and I
> can't restart the daemon so it can reread the natd.conf file for my changes.
>
> I've tried a background script, but that hasn't worked either. Perhaps a
> second session would stay alive either SSH or even a telnet session
> just for the duration for this event??? Or a better background script...??
>
> I'd rather not do any uninformed guessing/gambling on different techniques
> to cause a lock out. There's probably a simple answer and hope someone will
> remind me what it is
>
> Many thanks & Happy Holidays to the list.
>
> Best regards,
> Jack L. Stone,
> Administrator
>
> SageOne Net
> http://www.sage-one.net
> [EMAIL PROTECTED]

I don't run ipfw or natd from rc.conf as many folks do because I've had a
need to make changes remotely to both, and this is the method that I learned
way back when.  I've got scripts in rc.d that I use for those. Make the
change, run the script, and voilà, change is active.

This script, natkill, will search for the natd pid, kill it with a -9,
restart natd and reload the ipfw ruleset. You'll still lose your session but
it should reconnect. Use this at your own risk.

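----- natkill -----
#!/bin/sh
#
# Find the running natd process; the [n] keeps grep from matching itself.
pid=`/bin/ps -ax | grep '[n]atd' | sed -e 's/^ *//' -e 's/ .*//'`
if [ "${pid}" != "" ]
then
    # Hard-kill natd; address translation stops until it is restarted.
    kill -9 ${pid}
fi
# Start natd again, then reload the ipfw ruleset.
/etc/rc.d/natd.sh
/etc/rc.d/ipfw.sh
----- end -----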

--

Micheal Patterson
Network Administration
TSG Incorporated
405-917-0600



Re: Email problem

2003-12-16 Thread Micheal Patterson




- Original Message - 
From: "samy lancher" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, December 15, 2003 2:03 PM
Subject: Email problem


> Hello all,
> I have 4.5 freebsd server with apache, php and mysql. i wrote a simple php
> program using mail(). The mail() function returns true without any error.
> but the problem is the email is never delivered. I viewed the log file for
> mail(/var/log/maillog) and i saw the following error:
>
> Server sendmail[351]:NOQUEUE:SYSERR(www):can not chdir(/var/spool/clientmqueue/): Permission denied.
>
> I would be really thankful if someone could tell me where i am doing wrong.
> In php.ini, i have set sendmail_path = "/usr/sbin/sendmail".
>
> thanks in advance.
> Naveen.
>
>
>

Change the group that http is running under to smmsp via the httpd.conf and
it should run. I don't know if this is the "best" approach to this problem, but
it will allow the httpd to access the clientmqueue folder. Be warned, if
you're using mailman for mailing lists, it will have to be recompiled with
the proper gid or it will fail out.

--

Micheal Patterson
TSG Network Administration
405-917-0600



Re: Email problem

2003-12-16 Thread Micheal Patterson



- Original Message - 
From: "samy lancher" <[EMAIL PROTECTED]>
To: "Micheal Patterson" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, December 16, 2003 11:57 AM
Subject: Re: Email problem


> hello steve,
> httpd belongs to user:www and group:www; is it ok if i change only the
> group to smmsp? does it affect the webserver in any way? the webserver and
> email server is working fine now. i am worried if the change might have any
> bad effect.
>
> thanks,
> Naveen.
>

I've not noticed any ill effects as of yet with a group of smmsp. To be
honest, it's a catch all until I can come up with a better way. I've just
not found that way yet.

--

Micheal Patterson
TSG Network Administration
405-917-0600



Re: fetch / wget problem

2003-12-16 Thread Micheal Patterson


- Original Message - 
From: "Toomas Aas" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, December 16, 2003 12:38 PM
Subject: fetch / wget problem


> Hi!
>
> I'm trying to write a script which gets a file from remote FTP server.
>
> The FTP username contains dots and this cannot be changed.
>
> There are two firewalls involved, one running on the same server where
> I'm doing this (ipfilter, using ipnat ftp proxy) and one between this
> server and the FTP server. The FTP server itself is in internal network
> using RFC1918 addresses and a port in firewall is being forwarded to
> this server.
>
> I think that firewalls are configured correctly, because I can
> successfully get the file manually, using the 'ftp' command.
>
> However, when I try this command:
>
> fetch ftp://user.name:[EMAIL PROTECTED]/directory/file.ext
>
> I get an error message:
> fetch: ftp://user.name:[EMAIL PROTECTED]/directory/file.ext:
> Host not found.
>
> I suspect that fetch, seeing a dot in username, attempts to 'resolve'
> the entire URL, instead of just the part after @. Is there a known
> workaround to this?
>
> I also tried wget, which succeeds to connect, but then, no matter what
> I do, insists on using passive mode.
>
> wget ftp://user.name:[EMAIL PROTECTED]/directory/file.ext
> Connecting to server.mydomain.com[12.34.56.78]:2100... connected.
> Logging in as user.name ... Logged in!
> ==> SYST ... done.==> PWD ... done.
> ==> TYPE I ... done.  ==> CWD /directory ... done.
> ==> PASV ...
> and then the process just hangs.
>
> I suspect it would work if I could somehow tell wget to NOT use passive
> mode. I initially had FTP_PASSIVE_MODE environment variable set, but
> removing this didn't affect wget's behaviour.
>
> Any ideas?
> --
> Toomas Aas | [EMAIL PROTECTED] | http://www.raad.tartu.ee/~toomas/
> * RUNTIME ERROR 6D at 417A:32CF : Incompetent user
>


You may be able to do this with a .netrc in the user folder that's running
the script.

In .netrc, you'll have:

machine 
login 
password 

Then you can script it with the exact commands that you'd use to get the
file if you did it manually. For example, if you wanted /etc/test.sh and you
wanted to store it in /root/down and the remote site was ftp.foo.com you'd
do:

Contents of .netrc
---
machine ftp.foo.com
login joe.user
password password
---

Then, in your script, let's say autofetch.sh you'd have:

#!/bin/sh
ftp << EOF
open ftp.foo.com
cd /etc/
lcd /root/down
ascii
get test.sh
bye
EOF

---

Now, you've got a scripted ftp session from within FreeBSD. As long as the
servernames in the script and .netrc match, ftp will use the info from
.netrc to make the connection. Of course, you'd want to make certain that
the .netrc file is NOT world readable. Perhaps not even group readable if
there are other users of the system.

Hope it helps.

--

Micheal Patterson
TSG Network Administration
405-917-0600
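
The .netrc handling described in the message above, as an added example that is not part of the original post: a POSIX sh pair that writes the credentials file with owner-only permissions and audits an existing file before a scripted ftp run uses it. The function names, the result strings and the sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# write_netrc FILE HOST LOGIN PASSWORD
# Creates FILE readable and writable by its owner only.
write_netrc() {
    (
        umask 077    # a newly created file gets mode 0600, never wider
        printf 'machine %s\nlogin %s\npassword %s\n' "$2" "$3" "$4" > "$1"
    ) && chmod 600 "$1"    # also tightens a file that already existed
}

# netrc_audit FILE
# Prints one of: ok | missing | too-open | no-password
# Returns 0 only for "ok".
netrc_audit() {
    [ -f "$1" ] || { echo missing; return 1; }

    # Characters 5-10 of the ls mode string are the group and other bits.
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ] || { echo too-open; return 1; }

    # Walk the tokens: each keyword consumes the value that follows it, so a
    # password whose value is the word "password" is not counted twice.
    # Every "machine" entry must carry a "password" token.
    awk '{
            for (i = 1; i <= NF; i++) {
                if ($i == "machine") { m++; i++ }
                else if ($i == "login" || $i == "account") { i++ }
                else if ($i == "password") { p++; i++ }
            }
         }
         END { exit !(m > 0 && m == p) }' "$1" || { echo no-password; return 1; }

    echo ok
}

# Demonstration on a scratch directory (constructed values, no network use).
# For a real run the file is $HOME/.netrc of the account running the script.
tmp=$(mktemp -d)
write_netrc "$tmp/.netrc" ftp.foo.com joe.user constructed-secret
netrc_audit "$tmp/.netrc"
rm -rf "$tmp"
```

Calling netrc_audit at the top of the fetch script and exiting on a non-zero return keeps the job from running with a credentials file that other local users can read.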



Re: master.passwd -- securing

2003-12-18 Thread Micheal Patterson


- Original Message - 
From: "Rhys John" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, December 18, 2003 5:44 AM
Subject: Re: master.passwd -- securing


> Both accounts are now active but i would like to remove the encrypted
> password from master.passwd and replace it with a *. Is this possible with
> "vipw"?
>
> Thanks for your reply hugle

In normal stand alone operation, no. It's not possible at all. There has to
be a password hash local to the machine. Now, if you're configured to use
another method of password storage as has been previously mentioned, that's
a different story. Although, best practice would be to have at least one
user account in wheel, and the root user with a valid login password. If
you're worried about someone viewing the master.passwd file and obtaining
the hash, don't. Only root, by default, can touch that file. If you have
someone that has breached the system to the point they're able to open that
file, then the problem of them viewing the password hash is quite moot.

--

Micheal Patterson
TSG Network Administration
405-917-0600



Re: top -- and dual cpu quesitons ...

2003-12-25 Thread Micheal Patterson


- Original Message - 
From: "Vahric MUHTARYAN" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, December 25, 2003 11:04 AM
Subject: top -- and dual cpu quesitons ...


> Hi ,
>
> I'm using FreeBSD 4.9 . Does top utility have problem about showing
> dual CPU output ... But I can see CPU0 AND CPU1 on STATE column  When I
> make something for example compiling something ... !?!!
>
>
>
>
> Vahric



The column labeled C shows the cpu number currently being used for a
particular process.


  PID USERNAME  PRI NICE  SIZE    RES STATE  C   TIME   WCPU    CPU COMMAND


--

Micheal Patterson
Network Administration
TSG Incorporated
405-917-0600



Re: FreeBSD 4.9 Can't find second CPU ...

2003-12-25 Thread Micheal Patterson

- Original Message - 
From: "horio shoichi" <[EMAIL PROTECTED]>
To: "Vahric MUHTARYAN" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Thursday, December 25, 2003 7:32 PM
Subject: Re: FreeBSD 4.9 Can't find second CPU ...


> On Thu, 25 Dec 2003 18:54:26 +0200
> "Vahric MUHTARYAN" <[EMAIL PROTECTED]> wrote:
> > Hi ,
> >
> > I checked LINT it said that I have to disable I386 AND I486 from
> > kernel .. I marked those values from GENERIC and LINT too and recompile it .
> >
> > But I can't see any changes 
> >
> > Then I checked my messages file 
> >
> >
> > Dec 25 20:30:33 freebsdcgp /kernel: FreeBSD/SMP: Multiprocessor motherboard: 2 CPUs
> > Dec 25 20:30:33 freebsdcgp /kernel: cpu0 (BSP): apic id:  3, version: 0x00040011, at 0xfee0
> > Dec 25 20:30:33 freebsdcgp /kernel: cpu1 (AP):  apic id:  0, version: 0x00040011, at 0xfee0
> > Dec 25 20:30:33 freebsdcgp /kernel: io0 (APIC): apic id:  4, version: 0x000f0011, at 0xfec0
> > Dec 25 20:30:33 freebsdcgp /kernel: io1 (APIC): apic id:  5, version: 0x000f0011, at 0xfec01000
> >
> > Dec 25 20:30:33 freebsdcgp /kernel: SMP: AP CPU #1 Launched!
> >
> > And this is my sysctl out 
> >
> > freebsdcgp# sysctl hw.ncpu
> > hw.ncpu: 2
> >
> >
> > But when I run top utility there is only one CPU there ..
> >
> > Now I will try cvsup RELENG_4 ... Maybe I can handle it ...
> > Does anybody have advice ?!
> >
> > Vahri__...
> >

Top on a Dual CPU system looks like this:

last pid: 97678;  load averages:  0.00,  0.07,  0.06    up 13+13:04:44  21:40:15
62 processes:  1 running, 61 sleeping
CPU states:  0.2% user,  0.0% nice,  0.4% system,  0.4% interrupt, 99.0% idle
Mem: 126M Active, 528M Inact, 138M Wired, 46M Cache, 112M Buf, 165M Free
Swap: 2048M Total, 140K Used, 2048M Free

  PID USERNAME  PRI NICE  SIZE    RES STATE  C   TIME   WCPU    CPU COMMAND
 2594 mailman     2    0  7032K  5680K poll   1   3:20  0.00%  0.00% python
 2590 mailman     2    0  7044K  5684K poll   0   3:13  0.00%  0.00% python

There will be a 0 or 1 in the C column. That indicates the CPU the process
is on. The "CPU states" is a combination of both cpu's if I recall
correctly. Also, if you watch your STATE column while running Top, you can
see after some time that Top is handed back and forth between the CPU's.  In
the above list, I have one mailman process running on cpu0 and one on cpu1.

--

Micheal Patterson
Network Administration
TSG Incorporated
405-917-0600

Re: Forward and NAT question

2003-12-26 Thread Micheal Patterson

- Original Message - 
From: "Pierrick Brossin" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, December 26, 2003 9:02 AM
Subject: Forward and NAT question


> Hi!
>
> I'm a little bit confused.
> I got my server up and running with nat and stuff for a little while now
> and I was wondering why would one need both net.inet.ip.forwarding set
> to 1 and NAT ?
>
> I've been searching in the docs and on google for 3 days but I can't
> figure out what is forwarding needed for if NAT is enabled...
>
> Regards
>
> -Pierrick Brossin
> http://www.swissgeeks.com


From the FreeBSD handbook
(http://www.freebsd.org/doc/en_US.ISO8859-1/books/ppp-primer/x237.html)

"By default the FreeBSD system will not forward IP packets between various
network interfaces. In other words, routing functions (also known as gateway
functions) are disabled."

If you're running NATD, you have at least 2 interfaces, this has to be
enabled for the packets to traverse the interfaces properly. NATD and packet
forwarding don't go hand in hand, NATD and IPFW do.

net.inet.ip.forwarding allows traffic from the internal interface to gain
access to the external interface where NATD is by default listening.

Normal NATD traffic flow is this:

- Packet is inbound via internal interface
- net.inet.ip.forwarding allows the traffic to traverse to external interface
- IPFW intercepts traffic at external interface and diverts it to NATD
- NATD translates the packet and injects it at the next IPFW rule set
- If traffic is allowed by IPFW, traffic exits the system to its destination

Without net.inet.ip.forwarding enabled, the FreeBSD system is merely a
system on each network instead of a gateway between them.

That's my take on it in a nut shell.

--

Micheal Patterson
Network Administration
TSG Incorporated
405-917-0600



Re: natd problem (but close!)

2003-12-26 Thread Micheal Patterson


- Original Message - 
From: "The Bean" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, December 26, 2003 11:27 AM
Subject: natd problem (but close!)


> Hi all,
>
> I've been trying to get natd up on a FreeBSD 4.9-Stable box.
> I think I've followed every step, and it's still not quite working,
> although I believe it's getting close. My dual-homed box has
> two interfaces: internal ed0=10.13.0.1/8, and external
> xl0=xx.yy.zz.187/29 (note I've cleverly obscured the IP).
>
> Here's what I've done on the dual-homed box:
> - Kernel compiled with IPFIREWALL & IPDIVERT
> - gateway_enabled="YES", verified with sysctl -a list | grep ipforwarding
> - firewall set to open
> - natd_enabled="YES"
> - natd_interface=my external interface
> - natd_flags=-f /etc/natd.conf
> - /etc/natd.conf contains one line: redirect_address 10.0.0.13 xx.yy.zz.186,
> where xx.yy.zz.186 is the desired public IP for a client on my internal
> network, whose internal IP is 10.0.0.13
>
> On my client, I've set the default router to 10.13.0.1, which is the IP for the
> internal interface for the gateway box.
>
> The gateway can access the Internet just fine. The client has some problems,
> which I've attempted to diagnose by running tcpdump on the gateway, and
> trying a ping and a lynx from the client. Here are the results, as reported
> by the gateway:
>


Do an ipfw list and you should see an entry at or very near the top similar
to:
divert 8668 ip from any to any via xl0

If you don't, traffic isn't being diverted to NAT and it's trying to route
the 10 /8 traffic to its connected router and dying there.


--

Micheal Patterson
Network Administration
TSG Incorporated
405-917-0600
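
The check suggested in the message above, as an added example that is not part of the original thread: a POSIX sh function that reads `ipfw list` output and reports whether a divert rule on the external interface exists and is reached before any catch-all allow rule, which is the ordering problem behind the earlier "firewall rules do not get read" message. The function name, the result strings and the sample rulesets are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Sample rulesets below are constructed
# in the format printed by "ipfw list"; the function name is hypothetical.

# check_divert RULES IFACE
# Prints one of:
#   ok       - a divert rule via IFACE comes before any catch-all allow
#   shadowed - a divert rule exists, but an earlier
#              "allow ip from any to any" matches first, so packets
#              leave the ruleset without ever being handed to natd
#   missing  - no divert rule via IFACE at all
check_divert() {
    printf '%s\n' "$1" | awk -v ifc="$2" '
        # Catch-all allow: no interface or address restriction after it.
        $2 == "allow" && ($3 == "ip" || $3 == "all") && NF == 7 &&
            $4 == "from" && $5 == "any" && $6 == "to" && $7 == "any" {
            if (!first_allow) first_allow = NR
        }
        # Divert rule bound to the interface being checked.
        $2 == "divert" && $(NF - 1) == "via" && $NF == ifc {
            if (!first_divert) first_divert = NR
        }
        END {
            if (!first_divert) print "missing"
            else if (first_allow && first_allow < first_divert) print "shadowed"
            else print "ok"
        }'
}

# Constructed sample: divert first, as the message above expects to see.
GOOD_RULES='00050 divert 8668 ip from any to any via xl0
00100 allow ip from any to any via lo0
65000 allow ip from any to any
65535 deny ip from any to any'

# Constructed sample: the allow-all rule is evaluated before the divert.
SHADOWED_RULES='00100 allow ip from any to any
00200 divert 8668 ip from any to any via xl0
65535 deny ip from any to any'

# Constructed sample: gateway with no divert rule at all.
MISSING_RULES='65000 allow ip from any to any
65535 deny ip from any to any'

for name in GOOD_RULES SHADOWED_RULES MISSING_RULES; do
    eval "rules=\$$name"
    printf '%s: %s\n' "$name" "$(check_divert "$rules" xl0)"
done
```

On a live gateway the same function can be fed the real ruleset with `check_divert "$(ipfw list)" xl0`.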



Re: natd.conf problem (was: natd problem (but close!) )

2003-12-26 Thread Micheal Patterson


- Original Message - 
From: "The Bean" <[EMAIL PROTECTED]>
To: "freebsd" <[EMAIL PROTECTED]>
Sent: Friday, December 26, 2003 2:36 PM
Subject: natd.conf problem (was: natd problem (but close!) )


> I've made a tad of progress. Since everyone and his
> brother can configure FreeBSD to act as a gateway,
> I decided to focus on the one difference between my
> setup and the generic gateway setup: my one-line
> natd.conf file, with the line
>
>   redirect_address 10.0.0.13 xx.yy.zz.186
>
> It looked like the gateway was doing the internal-to-
> external translation on outgoing packets, but was unable
> to translate from external to internal. Anyway, I commented
> that one line, so my natd.conf is essentially empty.
> Success -- I can get packets forwarded no problem (otherwise
> you wouldn't be reading this!)
>
> Of course, this means I can't really serve anything, so
> I'm not done yet. It would make sense I have a snag in my
> natd.conf file, since it's the one piece I was taking a wild
> stab at. Does anyone know what that file should look like,
> for a simple address redirection?
>
> Thanks a lot,
> T.B.

Um. How many real IP's you have sitting on XL0?

If it's only one, you don't to redirect_address on it otherwise, it will
lose internet access itself since all return traffic will go to the internal
address. If you have multiple IP's on xl0, redirect one of the aliased IP's
to the internal system. Otherwise, use redirect_port instead.

--

Micheal Patterson
Network Administration
TSG Incorporated
405-917-0600



Re: natd.conf problem (was: natd problem (but close!) )

2003-12-26 Thread Micheal Patterson


- Original Message - 
From: "The Bean" <[EMAIL PROTECTED]>
To: "Micheal Patterson" <[EMAIL PROTECTED]>; "freebsd"
<[EMAIL PROTECTED]>
Sent: Friday, December 26, 2003 4:05 PM
Subject: Re: natd.conf problem (was: natd problem (but close!) )


> > Um. How many real IP's you have sitting on XL0?
> >
> > If it's only one, you don't to redirect_address on it otherwise, it will
> > lose internet access itself since all return traffic will go to the internal
> > address. If you have multiple IP's on xl0, redirect one of the aliased IP's
> > to the internal system. Otherwise, use redirect_port instead.
>
> I have 1 real IP sitting on xl0 on the gateway, and 1 real IP sitting
> on xl0 on the client (they both use xl0, coincidentally). The gateway's
> xl0 is configured for public IP xx.yy.zz.187 -- however, I'm doing
> redirect_address on xx.yy.zz.186, which isn't assigned to any interface.
> I suppose that's why my gateway could still access the Internet even though
> I had a redirect_address on.
>
> H, I'm starting to feel like I've been misunderstanding how to
> use redirect_address . . . could it be that if I want to redirect a
> public IP to an internal host on my LAN, I must create an alias for that IP
> on the gateway's external interface? That would make sense -- otherwise, the NIC
> wouldn't know to use it.
>
> If so, where would I have read this? I'm not saying it's undocced; I'm sure it is,
> and so I'm wondering what I misread!
>
> Thanks Micheal -- I look forward to being educated.
> - T.B.


You're getting the idea. You're trying to set up a static nat configuration
instead of a dynamic nat. Dynamic NAT uses one IP for all traffic from the
internal systems. Perhaps I should've stated it this way first, my bad. For
Static Nat setups, a gateway has to have the redirected IP associated with
its external nic. It's best if this is an aliased IP so that no traffic to
the gateway is lost. Then redirect that address to the internal system.
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/book.html
specifically, section 19.13.5 Address Redirection describes this best.

"Address redirection is useful if several IP addresses are available, yet
they must be on one machine. With this, natd(8) can assign each LAN client
its own external IP address. natd(8) then rewrites outgoing packets from the
LAN clients with the proper external IP address and redirects all traffic
incoming on that particular IP address back to the specific LAN client. This
is also known as static NAT"


--

Micheal Patterson
Network Administration
TSG Incorporated
405-917-0600



Re: natd.conf problem (was: natd problem (but close!) )

2003-12-26 Thread Micheal Patterson



- Original Message - 
From: "The Bean" <[EMAIL PROTECTED]>
To: "Micheal Patterson" <[EMAIL PROTECTED]>; "freebsd"
<[EMAIL PROTECTED]>
Sent: Friday, December 26, 2003 5:19 PM
Subject: Re: natd.conf problem (was: natd problem (but close!) )


> > You're getting the idea. You're trying to set up a static nat configuration
> > instead of a dynamic nat. Dynamic NAT uses one IP for all traffic from the
> > internal systems. Perhaps I should've stated it this way first, my bad. For
> > Static Nat setups, a gateway has to have the redirected IP associated with
> > its external nic. It's best if this is an aliased IP so that no traffic to
> > the gateway is lost. Then redirect that address to the internal system.
> > http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/book.html
> > specifically,  section 19.13.5 Address Redirection describes this best.
>
> Indeed, from 19.3.5 (which I just checked) . . .
>
> "The external IP addresses on the natd machine must be active and aliased
> to the external interface."
>
> I'm sure I read this section. Since that quote was right at the end, I'm
> also sure I got lost before I got to that part . . . but since I checked
> that section off my list, I probably never reread it.
>
> Anyway, I took a stab at this a while ago, and sure enough, it fixed the
> problem.
>
> "Your bad"? I beg to differ -- you're the guy who fixed this!!! And it's been
> bugging me for weeks. Aaaa!!!
>
> Thanks so much Micheal.
> - The Bean


Glad I could help. I've been using static NAT for about 2 years now here at
home. :)

--

Micheal Patterson
Network Administration
TSG Incorporated
405-917-0600



Re: Can't login to machine any more!

2003-12-27 Thread Micheal Patterson


- Original Message - 
From: "Trey Sizemore" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, December 27, 2003 6:10 PM
Subject: Can't login to machine any more!


> Just recently I can no longer login to my machine. When I get to the gdm
> screen and enter my username and password I get:
>
> "The system administrator has disabled your account."
>
> This happens with both my normal account and THE ROOT ACCOUNT!
>
> Is this recoverable and, if so, how?
>
> Thanks.

You should be able to boot up in single user mode and correct this problem.
I'm not sure what would cause it though.

--

Micheal Patterson
Network Administration
TSG Incorporated
405-917-0600



Re: Can't login to machine any more!

2003-12-27 Thread Micheal Patterson


- Original Message - 
From: "Trey Sizemore" <[EMAIL PROTECTED]>
To: "Micheal Patterson" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Saturday, December 27, 2003 6:40 PM
Subject: Re: Can't login to machine any more!


> Micheal Patterson wrote:
>
> >- Original Message - 
> >From: "Trey Sizemore" <[EMAIL PROTECTED]>
> >To: <[EMAIL PROTECTED]>
> >Sent: Saturday, December 27, 2003 6:10 PM
> >Subject: Can't login to machine any more!
> >
> >
> >
> >
> >>Just recently I can no longer login to my machine. When I get to the gdm
> >>screen and enter my username and password I get:
> >>
> >>"The system administrator has disabled your account."
> >>
> >>This happens with both my normal account and THE ROOT ACCOUNT!
> >>
> >>Is this recoverable and, if so, how?
> >>
> >>Thanks.
> >>
> >
> >You should be able to boot up in single user mode and correct this problem.
> >I'm not sure what would cause it though.
> >
> Logged into single user mode and ran:
>
> #grep root /etc/passwd
>
> It showed the shell to be /bin/sh
>
> Did a reboot and tried to login with gdm again and got the same message.

Sorry, missed the gdm part. Thought you were locked out of shell.

--

Micheal Patterson
Network Administration
TSG Incorporated
405-917-0600



Re: ipf / pf availability in 4.9

2003-12-31 Thread Micheal Patterson



- Original Message - 
From: "Will Prater" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, December 31, 2003 1:27 PM
Subject: Re: ipf / pf availability in 4.9


>
> On Dec 31, 2003, at 5:12 AM, fbsd_user wrote:
>
> > The post you are replying to tells you pf has been ported to FBSD.
>
> Yes, and my question was how to get a port to 4.9. I am aware of the
> port being available for 5.0, 5.1.
>
> I would like to know if anyone has gotten it to run on 4.9 and what
> patches were necessary.
>
> Thanks


Are you talking about PF or IPF in 4.9? If it's IPF, it's a kernel option.
Check out LINT and you'll find:

options IPFILTER                #ipfilter support
options IPFILTER_LOG            #ipfilter logging
options IPFILTER_DEFAULT_BLOCK  #block all packets by default

Also, you should be able to do a man ipf on 4.9.
--

Micheal Patterson
TSG Network Administration
405-917-0600



Re: ipf / pf availability in 4.9

2003-12-31 Thread Micheal Patterson


> > Are you talking about PF or IPF in 4.9? If it's IPF, it's a kernel 
> > option.
> 
> PF. I already have IPF working. I am more familiar with PF and would 
> rather be using it.
> 
> Thanks
> 
Ah. Ok. Misunderstood. 

--

Micheal Patterson
TSG Network Administration
405-917-0600



Re: Have I been hacked or is nmap wrong?

2006-01-17 Thread Micheal Patterson




- Original Message - 
From: "Kilian Hagemann" <[EMAIL PROTECTED]>

To: 
Sent: Tuesday, January 17, 2006 11:07 AM
Subject: Have I been hacked or is nmap wrong?



Hi there,

I'm managing two FreeBSD based gateways, one running 5.2.1-RELEASE and the
other 5.3-STABLE, both not having been updated since I installed from ISO
images. They both have custom ipfw firewalls that are dropping pretty much
everything that's not supposed to come in.

All was fine and dandy until one day I noticed that when I nmap'ed them from
the outside, the one shows

(The 1663 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
80/tcp   open  http
554/tcp  open  rtsp
1755/tcp open  wms
5190/tcp open  aol



Kilian, what does a sockstat show you on those systems and are there any 
nats on either of these systems that would have a redirect_address to 
something behind them?


--

Micheal Patterson 




Re: Routing problem in IPv4/IPSec VPN environment

2004-06-30 Thread Micheal Patterson



- Original Message - 
From: "James P. Howard, II" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, June 29, 2004 2:57 PM
Subject: Routing problem in IPv4/IPSec VPN environment


> As a personal favor, I am building a VPN for a small business.  I
> have chosen FreeBSD for this due to my greater familiarity.  The
> project will consist of linking four sites, each with a FreeBSD
> system providing DHCP, NAT, and VPN services.  I have built DHCP and
> NAT servers before, but the IPSec and VPN is new to me.
>
> Right now, the first two systems are nearly complete.  The two
> machines are named goldengate and waltwhitman.  Here's the IP
> config, currently:
>
>   goldengate:  external 192.168.1.101 internal 10.1.1.1
>   waltwhitman: external 192.168.1.102 internal 10.1.2.1
>
> The external interfaces are in the reserved space because testing is
> taking place behind a cable/DSL router providing NAT services.  The
> output of "gifconfig -a; ifconfig -a; netstat -rn" for each will be
> provided at the end of this message.
>
> IPSec, with Racoon, is properly exchanging keys.  From goldengate, I
> can ping 10.1.2.1 and from waltwhitman I can ping 10.1.1.1.
>
> If a Windows computer is connected behind either system, they
> receive an IP (10.1.x.254, where x is the network number).
>
> The problem is, if behind the 10.1.2.1 firewall, I cannot ping
> 10.1.1.1 and vice-versa.  I assume, at this point, this is some type
> of routing issue and not a problem with IPSec.  This seems to be
> confirmed by the fact tracerouting to the local internal interface
> goes through the *other* internal interface first:



Not to be disrespectful, but did you do what I've done in the past and
forget to enable forwarding so the systems can route traffic?

[EMAIL PROTECTED]/>sysctl -a |grep forward
net.inet.ip.forwarding: 1

If not, make sure that gateway_enable="YES" in rc.conf and reboot, or sysctl
net.inet.ip.forwarding=1 from command line to enable it without a reboot.

--

Micheal Patterson
TSG Network Administration
405-917-0600



Re: NATD Port Forwarding question

2004-07-04 Thread Micheal Patterson
Is the system configured to accept remote desktop requests? Windows XP has
it disabled by default.

--

Micheal Patterson
TSG Network Administration
405-917-0600



- Original Message - 
From: "Jon Kurjakovich" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, July 04, 2004 3:57 AM
Subject: NATD Port Forwarding question


> Hi there,
>
> I am currently using FreeBSD 4.8-RELEASE. I do plan on upgrading to
> 5.2-CURRENT shortly but I know people who are using 5.2-CURRENT and are
> experiencing the same problem as me. If this email is not appropriate in
> this mailing list, could you please forward me to the correct one. Thank
> you.
>
> My problem: I am trying to use NATD to forward packets to machines on
> the internal network using the redirect_port command. I am specifically
> trying to connect to a Terminal Server on a Windows 2000 machine. It
> never seems to work for me. I am running natd using the following
> command: natd -f /etc/natd.conf with the following options in my
> natd.conf file.
>
> interface tun0
> same_ports yes
> use_sockets yes
> unregistered_only
> redirect_port tcp 192.168.1.2:3389 3389
>
> When I create an SSH tunnel using putty, that works fine. It is only
> when I try and use natd w/ port-forwarding that it doesn't work. I
> configure an extremely open firewall to ensure it is not my firewall
> causing the problems. The commands I use are:
>
> /sbin/ipfw -f flush
> /sbin/ipfw add 50 divert natd all from any to any via tun0
> /sbin/ipfw add pass all from any to any
>
> If anybody could shine any light on this problem for me - it'd be
> greatly appreciated. I have been trying to resolve the problem
> on-and-off for months now to no avail. I finally decided I should try
> the mailing list.
>
> Thanks.
>
> Regards,
> Jon


Re: OK i feel stupid about this noob question but....

2004-07-10 Thread Micheal Patterson



- Original Message - 
From: "Jammet" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, July 10, 2004 3:52 AM
Subject: OK i feel stupid about this noob question but


> I don't know what's wrong with me but for some reason I can't add users to
> my system. I go through the whole bit of adduser -s but it asks "user
> names must match regular expressions [regext] "  ...  I don't even
> remember that happening when I used to add users or I might just be going
> insane, anyways I put in regext or the username or something but when I
> finally get through the other 4 questions on there and get to actually try
> to add the user it says it must follow the expression ... I decided to
> beat my head against my desk to see if I could knock something loose,
> anyone wanna help with this? I have added users before (back when I
> first got everything installed about 2 years ago) and have not really
> needed to since, but now I'm trying again..
Jammet,

adduser.conf doesn't yet exist on your system and adduser is asking you for
the defaults.  If you accept the default entries, it will ask you at the end
to save them. Tell it yes and run adduser again and you're all set and back
to your normal routine.


--

Micheal Patterson
TSG Network Administration
405-917-0600



Re: VPN server

2004-07-13 Thread Micheal Patterson


- Original Message - 
From: "lycanthrope" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, July 13, 2004 6:59 PM
Subject: VPN server


> hello
> I would like to setup my freebsd 5.2-CURRENT box as a VPN server for
> windows 2k/xp clients, and enable them to use internet (PPPoE ADSL)
> connection. the clients are on various subnets connected to my box via LAN.
> I consider using pptop port for setting up VPN server, but if you have
> some other idea, please tell me...all I need is it to support win clients
> (and authentication usrname/pass) and I want the users to be able to access
> internet..that's all...
> the simpler the merrier :)
>
> thank you!!
>
> regards,marin


If you want to support mppe128, you can use netgraph-mpd
(/usr/ports/net/mpd/ in the 4.x tree)
It supports username / pass and ip to the vpn client. I would imagine this
is also available in the 5.x tree as well.

--

Micheal Patterson
TSG Network Administration
405-917-0600



Re: Firewall, OpenVPN and Squid question

2004-07-21 Thread Micheal Patterson


- Original Message - 
From: "Paul Hillen" <[EMAIL PROTECTED]>
To: "Steve Bertrand" <[EMAIL PROTECTED]>; "Paul Hillen" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, July 21, 2004 1:33 PM
Subject: RE: Firewall, OpenVPN and Squid question


> I have around 100 users at our site that would require the use of squid, we
> house our own webserver, mail server, public DNS servers in the DMZ and 2
> private DNS servers on the internal network, used by both Internal and VPN
> users.
>
> Sites connecting Gateway to Gateway, there are apprx as follows;
> Site 1 - 25 users
> Site 2 - 5 users
> Site 3 - 12 users
> Our site VPN users are Apprx 25, and about 50% of them are connected at any
> given time.
>
> My first thought is to put up a Firewall box that can the load of publishing
> many internal boxes and "publish" a box with OpenVPN and another for SQUID
> and just keep them all separate.
>
> Will this setup put too much strain on the FIREWALL box or will it have no
> problem handling the NAT/ROUTING in this configuration.
>
> Thanks in advance
> Paul
>

Considering that many of the current hardware firewall solutions aren't much
more than either a BSD or Linux kernel in a ROM chip, with a 486 or 586
based cpu, memory, and a nice gui (Windows or Internal Web interface), I
can't see why a similar system on a PC would be any different.

--

Micheal Patterson
TSG Network Administration
405-917-0600



Re: BigApache for Windows - Why doesn't BSD have an installerpackage like this ???

2004-07-28 Thread Micheal Patterson
- Original Message - 
From: "Ed Budd" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, July 28, 2004 5:59 PM
Subject: Re: BigApache for Windows - Why doesn't BSD have an installerpackage like this ???


...damn I have gone way off track here... sorry for the ranting people... but after 6 days
straight of messing around trying to install Apache/MySQL/Mod_Perl/Mod_SSL/PHP.. I am a little
tired... 3 days of that was trying to get a basic GUI/File Manager/Find Files/Editor working


It must be very tiring and stressful to be a Troll. Perhaps you should
consider another occupation...



If this wasn't a troll, perhaps he needs to stick with Windows until he 
has a better understanding of what the difference between workstations 
and servers really are.

--
Micheal Patterson
TSG Network Administration
405-917-0600


Re: Re: BigApache for Windows - Why doesn't BSD have an installerpackage like this ???

2004-07-29 Thread Micheal Patterson

- Original Message - 
From: "DK" <[EMAIL PROTECTED]>
To: "Guillermo_García-Rojas" <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>
Sent: Thursday, July 29, 2004 1:36 AM
Subject: Re: Re: BigApache for Windows - Why doesn't BSD have an
installerpackage like this ???




> >
> > Can you live without your Windows 2000 GUI? Can you work without it?
>
> Why would I want to... a GUI makes life easier & makes my ability to do work
> more productive :)

Not really. Your windows 2k pro doesn't allow for remote administration
unless you have pc anywhere running, or it's connected to a domain to allow
remote management. If your gui crashes, the box dies. If IE crashes too far,
the box will die. No pretty gui for you then.

> > What if some big company ask you to work for them, but they have UNIX
> > systems, are you prepared or can you handle that work?
>
> Any OS will take me about 1 week to get up to speed - if its a MS product,
> about 2 days :)

You've been playing with FreeBSD 4.10 for 6 days, and still have issues.
You've played with 4.5 in the past also. Yet you still have problems.

>
> > One more thing, my OpenBSD 3.5 costs me $0, FreeBSD price is $0 too.
> > Did you spend the same amount of money on your Windows 2000??
>
> Yea 0$ - all my software is War... *cough* ... donated

You should be used to the problems of not having docs on the software that's
"donated" to your hard drive then.  Except in this case, the docs ARE freely
available, it would just appear that you decided to not use them and run
head long into something you know little to nothing about. Not that there's
anything wrong with that, but it's just like buying a car and not knowing it
needs gas. First thing you'd do is blame the car for not running when if you
look at the owners manual, it will plainly tell you that fuel is required.

>
> Kind Regards,
>
> DK


Re: BigApache for Windows - Why doesn't BSD have an installer

2004-07-29 Thread Micheal Patterson


- Original Message - 
From: "DK" <[EMAIL PROTECTED]>
To: "Jerry McAllister" <[EMAIL PROTECTED]>
Cc: "Giorgos Keramidas" <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>
Sent: Thursday, July 29, 2004 1:55 AM
Subject: Re: BigApache for Windows - Why doesn't BSD have an installer


> --- Jerry McAllister <[EMAIL PROTECTED]> wrote:
> > > - Installing Packages is nice & easy & straight forward from the
> > > docs(should be more of these!)
> > > - Installing ports/packages via ftp/net - Forget it!!
> > > I have barely got BSD running, the last thing I want is connecting a BSD
> > > box to my broadband
> > > connection ?? Does BSD have a default firewall ?? Don't know, having
> > > trouble installing stuff let
> > > alone configuring a firewall via scripts/files
> >
> > You are probably better off and more secure with an initial install, with
> > no additional work or tweaking, of FreeBSD on the net than you would be
> > with a MS system with every known "fix" available.   The system is
> > inherently more secure and in addition - and maybe partially because of
> > this - fewer, by far,  attempts at cracking FreeBSD are made than are
> > made against MS systems.  Some of this is, of course, because there are
> > much fewer FreeBSD systems out there to tempt kiddies.  But, the fact
> > that cracking FreeBSD is more difficult contributes to this effect.
>
> So if I do a default install of FreeBSD & then connect to the net for
> ports/packages, is there a default firewall running in the background ??


No, but then again, there are hardly any services either. See, unlike
Windows, you're not going to have the same issues with trojans and breaches.
If it's just you, and you've not added anyone else, you're pretty damn safe.
Root can't log in from remote at all unless you specifically change the
options that would allow it.




--

Micheal Patterson
TSG Network Administration
405-917-0600



Re: freebsd How do you restart rc.conf without rebooting

2004-07-30 Thread Micheal Patterson
- Original Message - 
From: "Dan" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, July 30, 2004 3:28 PM
Subject: freebsd How do you restart rc.conf without rebooting


How do you restart rc.conf without rebooting your machine.
Dan

/etc/netstart if I recall will reload and execute the settings within 
rc.conf without rebooting.

--
Micheal Patterson
TSG Network Administration
405-917-0600


Re: using FreeBSD within a cluster

2004-08-03 Thread Micheal Patterson


- Original Message - 
From: "Антон Сухоносенко" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, August 03, 2004 1:22 AM
Subject: using FreeBSD within a cluster


> Hi there. :$
> Perhaps it is not a good start for a letter to such an organization, but I
> hope to be excused (please). And, quite straightforward, I wish to ask you a
> question. I can't find an answer to it in any FreeBSD FAQ, so -
>
> The problem that I have is how to organize cluster between (with) a number
> of FreeBSD AND Linux servers. OR, if that is not suitable, using several
> FreeBSD servers. I couldn't find any information explaining that variant of
> using FreeBSD, so here goes the question:
>
> are FreeBSD-with-Linux clusters really possible?
>
> And, in case of positive answer, here is the next question - where can I
> find any information about how it will become possible?
> How to make Linux/FreeBSD (preferably), or only FreeBSD servers work
> together in a cluster?
>
> Again wishing you all the best and waiting for answer -
> Anton Suhonosenko
> [EMAIL PROTECTED]
> ICQ 143779294
>
> P.S. I am sorry for my terrible english.


Are you wanting to truly cluster the servers or are you wanting to load
balance services (web, mail, pop3, etc) between a group of servers?


--

Micheal Patterson
TSG Network Administration
405-917-0600



Re: Opening ports

2004-12-17 Thread Micheal Patterson



- Original Message - 
From: "Curtis Vaughan" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, December 17, 2004 12:20 PM
Subject: Re: Opening ports


>
> On 17 Dec, 2004, at 09:24, Curtis Vaughan wrote:
>
> > I realized that apparently by default most all ports are closed on my
> > 5.3-Release box. The reason I say this is because besides port 22, 80
> > and 1 no other port seems to be open (based on a port scan). I
> > just installed postfix and courier-imap and wanted to test ports 25
> > and 110, but they do not respond even though postfix is running, I
> > have enabled the ports in master.cf. Also they are in /etc/services.
> >
> > Looking over documents and checking my install, /etc/rc.firewall is
> > not enabled in /etc/defaults/rc.conf.
> >
> > I assume I could go through rc.firewall and set it up for those ports
> > I need opened, and enable it in rc.conf, but whereas we have a
> > gatewall/firewall for our company, I don't see a lot of
> > reason for having all the ports closed down on this server. Is there
> > an easy way to enable them all?
> >
> > Curtis
> >
>
> OK, I've got courier-imap running now and it opened port 143, but there
> is still no reply on 25. Which makes me think that the problem isn't
> the fact that ports are closed, but that nothing is listening.
> However, netstat shows:
>
> cod# netstat -na | grep LISTEN
> tcp4   0  0  *.143  *.*  LISTEN
> tcp6   0  0  *.143  *.*  LISTEN
> tcp4   0  0  *.80   *.*  LISTEN
> tcp4   0  0  *.25   *.*  LISTEN
> tcp4   0  0  *.1*.*  LISTEN
> tcp4   0  0  *.22   *.*  LISTEN
> tcp6   0  0  *.22   *.*  LISTEN
>
> So, something is listening on port 25, but why no response to telnet
> requests?
>
> Curtis
>


I realize that this may sound strange, but do you have an allow in your
hosts.allow file for sendmail? Sendmail now uses wrappers by default as I
recall, and without it, you'll get refused.

--

Micheal Patterson
Senior Communications Systems Engineer
405-917-0600



Re: bash - superuser

2004-12-20 Thread Micheal Patterson
- Original Message - 
From: "Joshua Lokken" <[EMAIL PROTECTED]>
To: "David Landgren" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Monday, December 20, 2004 11:04 AM
Subject: Re: bash - superuser


> On Mon, 20 Dec 2004 12:29:37 +0100, David Landgren <[EMAIL PROTECTED]> wrote:
> > Giuliano Cardozo Medalha wrote:
> > > Hi,
> > >
> > > I have a machine with FreeBSD 5.3 - release -p2.
> > >
> > > I have installed bash from ports.
> > >
> > > How is possible to use bash in root account ?
> > >
> > > Thanks a lot
> >
> > Don't.
> >
> > Leave /bin/sh as your shell.
>
> 'Leave' /bin/sh as your shell makes it sound like /bin/sh is the
> default root shell.  Did this change in FreeBSD 5.x?  It appears
> that in 4.x, the root shell is /bin/csh by default, which [I believe]
> is linked to /bin/tcsh.
>
>
> -- 
> Joshua Lokken
> Open Source Advocate

csh is still the default root shell.

At one time, systems required multiple drives due to space. So, these
systems would have a partitioning scheme such as:

hda0 - /
hda1 - /var
hda2 - /swap
hda3 - /usr

... and so on depending on their drive capacity at the time. Please keep in
mind that this OS (and its ancestors) were running on systems that had
multiple drives with 20mb or less in their day. The tree has constantly
grown from those days. As such, many admins use this scheme today because
they either have used this scheme for 10's of years and don't wish to change
their ways. Personal and/or financial reasoning aside as to why they don't
wish to change is totally their decision.

Even so, there are some good points to this methodology. It provides the
ability to not lose the entire system in the event of drive failure. In this
method, having the root shell on another partition invites failure for the
entire system should root's shell reside on a crashed / failed partition. No
root, no repair capability.

On the other hand, many admins use a system with a single drive in them and
use NIS/NFS as their userland drive space. Some may even have /usr/ itself
fed from NFS.

In either method, if you want to use anything other than csh, you will need
to move it to /bin. You want it to be incorruptible in the event of breach.
So, if you still wish to use bash as the root shell, copy the executable
into /bin, add it to /etc/shells, and set it immutable ("chflags schg
/bin/bash") so that in the event of breach, the shell is still unable to be
modified and will be reachable in the event of NFS or partition failure.

With the state of drives, raid arrays, etc. in today's world, either way will
work just as well as the other. Each person has their own preferences for
their own reasons.

--

Micheal Patterson
Senior Communications Systems Engineer
405-917-0600



Re: traffic volume monitoring - what program

2004-12-20 Thread Micheal Patterson



- Original Message - 
From: "Matthias F. Brandstetter" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, December 20, 2004 2:05 PM
Subject: Re: traffic volume monitoring - what program


> -- quoting David Banning --
> > I am looking at a new ISP that charges for a certain number of
> > gigabytes of traffic. I have -no- idea what my traffic volume
> > is.
> >
> > Can anyone recommend a good traffic volume checker in the
> > ports?
> 
> I only found ipac-ng for Linux based IPTABLES firewalls.
> But none so far for *BSD firewalls :(
> 
> Any ideas?
> 
> -- 
> As far as anyone knows we're a nice, normal family.
> 
>   -- Homer Simpson
>  There's No Disgrace Like Home

Wouldn't MRTG get you close enough for that?

--

Micheal Patterson
Senior Communications Systems Engineer
405-917-0600



Re: Linux libs missing dependancies

2004-12-20 Thread Micheal Patterson


- Original Message - 
From: "Stephen Maver" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, December 20, 2004 1:16 PM
Subject: Linux libs missing dependancies


> Dear List,
>
> I've installed the linux steam client the other day,
>
> /usr/ports/games/linux-steam
>
> This theoretically allows you to download and run steam based games,
> such as Halflife and Counter Strike Source.
>
> Related ports installed:
> linux-steam-1.0     Half Life dedicated server running on steam
> linux_base-7.1_7    The base set of packages needed in Linux mode
>
> # uname -a
> FreeBSD lupus.ntropy.net 5.3-RELEASE-p2 FreeBSD 5.3-RELEASE-p2 #1:
> Sun Dec  5 16:11:09 GMT 2004 ...
>
> # kldstat
> Id Refs Address    Size     Name
>  1   10 0xc040 39dcf8   kernel
>  2   14 0xc079e000 537f0    acpi.ko
>  3    1 0xc15e1000 6000     linprocfs.ko
>  4    1 0xc15ef000 17000    linux.ko
>
> I chanced it and used the linux steam client to download the Counter
> Strike Source files, with no obvious problems.
>
> When I try to run the dedicated server it immediately crashes,
> probably as it should as it is linux specific I'd guess.
>
> $ ./srcds_run  -console -game cstrike +map de_dust +maxplayers 16
>  -steamuser  -steampass 
> --
> Auto detecting CPU
> Using default binary.
> Auto-restarting the server on crash
> ./srcds_i486: error while loading shared libraries:
> /usr/compat/linux/lib/libm.so.6: ELF file OS ABI invalid
> Mon Dec 20 17:53:37 GMT 2004: Server restart in 10 seconds
> 
>
> # ldd ./srcds_i486
> ./srcds_i486:
> ./srcds_i486: error while loading shared libraries:
> /lib/libm.so.6: ELF file OS ABI invalid
> ./srcds_i486: exit status 127
>
> The binary 'srcds_i486' relies on several other files that
> have missing dependancies.
>
> #  ldd bin/dedicated_i486.so
> bin/dedicated_i486.so:
> libm.so.6 => not found (0x0)
> libdl.so.2 => not found (0x0)
> tier0_i486.so (0x0)
> vstdlib_i486.so (0x0)
> libc.so.6 => not found (0x0)
>
> All of these libs exist in /usr/compat/linux/lib, and, with
> the linux emulation running, are seen as being in /lib/* if I
> understand it all correctly.
>
> Also, last night I was trying to use ldd, and suicidal symbolic
> linking, to show the *so files where their libs were. At one
> point it failed with an error about being unable to use the
> libraries as they were not freebsd native.
>
> Sorry for the lack of the specific error I am unable to
> recreate it today.
>
> So, the questions are:
>
> 1) What would cause the error "ELF file OS ABI invalid" on
>  `ldd ./srcds_i486` above ?
>
> 2) How would I go about teaching the linux *.so files where
> their linux libraries are located ?
>
> Pointers to docs, or FMs I should have read, are welcome. I
> had a look through the manual and googled about on the error,
> but didnt turn up anything that helped.
>
> Thanks,
>
> Ste
>

This is my post to the hlds_linux list on how to get Source running on
FreeBSD. Hopefully it will get you where you need to go.

--

Micheal Patterson
Senior Communications Systems Engineer
405-917-0600

-

Micheal Patterson [EMAIL PROTECTED]
Fri Aug 20 05:08:02 2004
Ok folks.. Here's what I did to get Source running on FreeBSD 4.10 with
an Intel cpu. AMD should be no different system wise.

1. Install source :)

2. Install the Linux_base-8 port. Once this is done,  run:
shell$> ldconfig -m /compat/linux/lib

** This merges the linux compat lib paths into your existing environment
and is what allows source to locate lib.so.6

3. Then recompile your kernel with the following options:

## SSE/MMX2 instructions support
options CPU_ENABLE_SSE

** This allows source to determine your CPU speed.

4. Reboot

Log back into the account you installed steam to, and execute:
./srcds_run -game cstrike +ip xx.xx.xx.xx -port 27015 +maxplayers 20
+map de_dust

This procedure worked for me with a clean freebsd 4.10 install and no
linux base. If you have linux base 7 installed, you'll need to run a
pkg_delete linux_base-7.1_7 before base 8 will install.



Re: Mounting smbfs

2004-12-31 Thread Micheal Patterson


- Original Message - 
From: "Robert Fitzpatrick" <[EMAIL PROTECTED]>
To: "FreeBSD" 
Sent: Thursday, December 30, 2004 10:19 AM
Subject: Mounting smbfs


Familiar with Webmin way of mounting smbfs type file systems on our
Linux boxes, I tried it with one of the FreeBSD 5.3 machines. It works
fine, but when rebooted, it sits waiting for a password. After
investigating a bit on the web I found that FreeBSD uses the
/etc/nsmb.conf file for configuration and in that file I find
information evidently set up by Webmin, for example:

[spc2k:backupexec:backup]
workgroup=SPCLOCAL
password=x
addr=192.168.1.13

First, was this properly set up by Webmin? From the comments in the file,
it looks good. Since I am at a remote location, I had someone locally
just hit Ctrl+C during boot to get back in and look at these things. I
go to Webmin and click to mount, but then it wipes out all the mount
points except the one I clicked and does not mount that one. From
looking around the web, I realize Webmin may not be the best way to
manage this, I found this document:

http://www.freebsd.org/cgi/query-pr.cgi?pr=34247

I am looking for something that can guide me on how to make the entries
in my fstab file. I assume what I have now below is incorrect as the
boot up fails as previously mentioned.

//[EMAIL PROTECTED]/backup  /home/backup/Veritas/SPC2K  smbfs  rw  0  0

Can someone help or guide me to some more documentation on this?
--
Robert
--
Make your fstab entry something like this:

//[EMAIL PROTECTED]/backup  /home/backup/Veritas/SPC2K   smbfs  rw,-N,-I=192.168.1.13 0   0

See how that works for you.
--
Micheal Patterson
TSG Network Administration
405-917-0600


Re: NIS

2005-01-05 Thread Micheal Patterson

- Original Message - 
From: "Brian McCann" <[EMAIL PROTECTED]>
To: "FreeBSD mailinglist" 
Cc: "Bob Van Zant" <[EMAIL PROTECTED]>
Sent: Wednesday, January 05, 2005 7:36 AM
Subject: Re: NIS


Nope...just tried that with no luck.  Thanks though.  Any other ideas anyone?

--Brian

On Tue, 04 Jan 2005 15:43:40 -0800, Bob Van Zant <[EMAIL PROTECTED]> wrote:

Are your dates screwed up? By that I mean is master.passwd newer than
your NIS file? Try touch(1)ing your NIS file and then running make.
I've never actually set up NIS before. My comment is just based on my
experiences with make.
-Bob

On Tue, 2005-01-04 at 17:29 -0500, Brian McCann wrote:
> Hi all...I'm having a NIS problem I can't figure out.  I've done this
> before on 4.7, and countless other times on RedHat...but this is
> evading me.  I'm trying to re-make my databases since I've added a
> user, I go into /var/yp and run "make mynis" and get "`mynis' is up to
> date.", which I know can't be right.  I've got to be missing something
> somewhere.
>  I've added the line to the Makefile "MASTER_PASSWD =
> /etc/master.passwd" so that YP uses the file in /etc...or at
> least...that's all I recall having to do on 4.7, and doctored up the
> sections that involve the passwd files changed it to only look at UIDs
> greater than 3.
>  Can someone point out my probably obvious mistake?
>
> Thanks,
> --Brian

If you've added a user with adduser and need to update your nis maps, cd 
/var/yp and type make.

--
Micheal Patterson
TSG Network Administration
405-917-0600


Re: mpd VPN Server / W2K Clients

2005-04-04 Thread Micheal Patterson


- Original Message - 
From: "Anton Zavrin" <[EMAIL PROTECTED]>
To: 
Sent: Monday, April 04, 2005 9:27 AM
Subject: mpd VPN Server / W2K Clients


> Hello Jonathan,
>
> I found this thread from a long time ago at FreeBSD addicts:
>
> http://lists.freebsd.org/pipermail/freebsd-questions/2003-December/027869.html
>
> I'm having absolutely identical problem with my MPD (it used to work and
> then it just stopped, who knows why). I tried to follow up on that solution
> you posted, but that page no longer opens up. Any help is greatly
> appreciated.
>
> Thank you much!
>

Anton, some things to look for here. Are the remote systems using Win XP?
If so, are their firewalls configured to allow traffic from your network on
TCP port 1723? Also, is GRE being blocked at any point between your mpd
system and their end? If it just stopped working, has anyone placed a
firmware firewall device in recently? Many of them that I've run across
recently don't even know what GRE is so a specific entry has to be made to
allow protocol 47 to pass freely in order to get pptp to function properly.

Hope it helps.

--

Micheal Patterson
Senior Communications Systems Engineer
405-917-0600



Re: iSCSI (revisited?)

2005-04-06 Thread Micheal Patterson



- Original Message - 
From: "Justin Bennett" <[EMAIL PROTECTED]>
To: "FreeBSD Hackers" 
Cc: "FreeBSD Questions" 
Sent: Monday, April 04, 2005 5:30 PM
Subject: iSCSI (revisited?)


> All,
>
> I was wondering what people thought of iSCSI and FreeBSD. Is it a viable
> option for creating SANs?
>
> I want to move away from tape backups, and have numerous production
> FreeBSD machines that I need to back up data from.
>
> Any other ideas for a disk to disk backup solution that people have used?
>
> Thanks,
>
> Justin
>


Justin, what I'm currently using is the following for just that:

Promise Vtrak 15100 with 15 250gb sata's, connected to a dual channel
Adaptec 39160 housed in a Compaq ML 330 running FreeBSD 5.3. The Vtrak has 2
logical arrays assigned, where my other 14 servers (windows and freebsd
alike) back up to one or the other arrays. I have one array shared via nfs
for the bsd boxes to back up to and the other is samba shared so that
windows systems can back up to that one. So far, it's worked well for me.
All I need to do now is get the company to realize they still need tape if
they want long term storage and then I can chain that to the Promise raid
and have it back up to tape during the day and still have my backup window
in the early morning hours.

--

Micheal Patterson
Senior Communications Systems Engineer
405-917-0600



Re: cmpq dl380 server. ipmi bmc question

2005-04-08 Thread Micheal Patterson




- Original Message - 
From: "Aaron Sloan" <[EMAIL PROTECTED]>
To: 
Sent: Friday, April 08, 2005 11:16 AM
Subject: cmpq dl380 server. ipmi bmc question


>
> Hello guys and gals,
>
>
>
> Does system fan control on a Compaq DL380, first edition, have any support?
> Sounds like a jet at idle in the machine room.
>
> I have looked through the acpi and port recommendations I have come
> across via google and I'm not having any luck at all.  I believe it is
> supported in Linux but I don't know how. I can't say I'm any hardware
> wizard on this kind of thing.
>
> Update:  I installed freeipmi and ipmitool and I'm not having any luck
> with these apps.
> The cli commands are apparently over my head because I haven't been able
> to get it to work and now my head hurts.
> Am I barking up the right tree or just peeing on it?
> HP was not terribly helpful. All the recent ROMpaks have been installed.
> Thanks,
> Aaron
>

Aaron, are you sure that you're supposed to be able to adjust the fan speed
on the 380 from within the OS? The reason that I ask, is that the 330's and
350's have a temp sensor that isn't detected until during post, so there's a
few seconds on them that the fans run full on. I'm just curious because if
the 380's are set up the same, you may have a faulty sensor.

--

Micheal Patterson
Senior Communications Systems Engineer
405-917-0600



Re: Automounting smbfs?

2005-04-08 Thread Micheal Patterson



- Original Message - 
From: "Kirk Strauser" <[EMAIL PROTECTED]>
To: 
Sent: Friday, April 08, 2005 12:52 PM
Subject: Automounting smbfs?

The built-in amd automounter may work great for NFS, but I increasingly find
myself mounting Windows shares and amd doesn't seem to support them.  Any
suggestions?
-- 
Kirk Strauser



Kirk,  here's what I did to auto mount my pesky windows shared backup folder
prior to having a separate nfs mount to put them.


Configure your share as noauto in /etc/fstab (example)

### SMBFS Mounts
#
#//[EMAIL PROTECTED]/share  /smbfs  noauto,rw,-N,-I= 0   0

Then, in the root crontab, add this:

"@reboot//mbfs.sh"


Then, in  create a file named mbfs.sh and edit it as
such:

#!/bin/sh
echo " "
echo " "
echo "mounting smbfs slices..."
sleep 5
/sbin/mount /backups

Please keep in mind, that this method will require the proper share auth
info to be in /etc/nsmb.conf, so protect this file as it holds plain text
passwords for your windows systems.

Then on system restart, after everything else is accessible and running,
cron will launch and remount those drives for you.

Hope it helps.

--

Micheal Patterson
Senior Communications Systems Engineer
405-917-0600
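
A check for the advice above about protecting /etc/nsmb.conf, as an added example that is not part of the original message: this Python sketch reports which sections store a password and whether group or other users can reach the file. The sample contents, host and user names are constructed; the `$$1` prefix test follows smbutil(1), whose `crypt` output only obscures the password.

```python
import configparser
import os
import stat
import tempfile

# Constructed sample in the [SERVER:USER:SHARE] layout nsmb.conf uses.
SAMPLE = """\
[default]
workgroup=EXAMPLE

[FILESRV:BACKUPUSER:BACKUP]
password=constructed-secret
addr=192.0.2.13

[FILESRV:REPORTUSER]
password=$$1constructedscramble
"""


def audit_nsmb_conf(path, expected_uid=0):
    """Return (code, detail) findings for an nsmb.conf-style credentials file."""
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)

    # interpolation=None keeps "$" and "%" in password values literal.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    with open(path, encoding="utf-8") as fh:
        parser.read_file(fh)

    secrets = {s: parser.get(s, "password")
               for s in parser.sections() if parser.has_option(s, "password")}
    if not secrets:
        return findings  # nothing sensitive stored, nothing to protect

    if st.st_uid != expected_uid:
        findings.append(("owner", f"uid {st.st_uid}, expected {expected_uid}"))
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(("mode", f"{mode:04o} lets group/other reach stored passwords"))
    for section, value in secrets.items():
        # "scrambled" still needs the same file protection as cleartext.
        kind = "scrambled" if value.startswith("$$1") else "cleartext"
        findings.append((kind, section))
    return findings


def demo():
    """Audit the constructed sample at mode 0644, then again after chmod 0600."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "nsmb.conf")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o644)
        before = audit_nsmb_conf(path, expected_uid=os.getuid())
        os.chmod(path, 0o600)
        after = audit_nsmb_conf(path, expected_uid=os.getuid())
    return before, after


if __name__ == "__main__":
    for label, result in zip(("0644", "0600"), demo()):
        print(label, result)
```

On a real system, call `audit_nsmb_conf("/etc/nsmb.conf")` as root and leave `expected_uid` at 0.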



Re: Portupgrade problem

2005-04-08 Thread Micheal Patterson


- Original Message - 
From: "Aperez" <[EMAIL PROTECTED]>
To: 
Sent: Friday, April 08, 2005 1:23 PM
Subject: Portupgrade problem


> Hi
>
> I am having the following problem when I try to upgrade my ports:
>
> portupgrade -arR
> cd: can't cd to /usr/ports/multimedia/nautilus-media
> Port directory not found: multimedia/nautilus-media
> !multimedia/nautilus-media (nautilus-media-0.8.0_4) (port directory error)
>
> I checked in /usr/ports/multimedia and of course there is not such
> directory.
>
> Is there a way I can fix this?
>
> Thanks
>
>


Is your ports tree current via cvs? If not, I'd update the tree, then
rebuild portupgrade and see how that works for you.

--

Micheal Patterson
Senior Communications Systems Engineer
405-917-0600



Re: Automounting smbfs?

2005-04-11 Thread Micheal Patterson


- Original Message - 
From: "Kirk Strauser" <[EMAIL PROTECTED]>
To: 
Sent: Friday, April 08, 2005 3:40 PM
Subject: Re: Automounting smbfs?

On Friday 08 April 2005 14:12, you wrote:

> Kirk,  here's what I did to auto mount my pesky windows shared backup
> folder prior to having a separate nfs mount to put them.
>
> Configure your share as noauto in /etc/fstab (example)

[...]

Out of curiosity, why would you do that instead of just letting FreeBSD
mount it automatically (which is what I do now)?

The goal I'm trying to accomplish is pushing the same map to multiple
machines (eg via LDAP).  I never bothered to do that with my NFS mounts,
but I'm using the addition of the SMB shares as an excuse to rework the
system before it grows much more.
-- 
Kirk Strauser


In my experience, automounting it via fstab doesn't always work correctly.
Some folks have great success with it where others don't. For example, I can
remove the noauto and with the very same config files and 5 out of 10 times
the mount won't take on system startup. When I remove the noauto and cron it
for @reboot, it works just fine. I've no idea why but it works for me.


--

Micheal Patterson
Senior Communications Systems Engineer
405-917-0600



Re: sendmail aliases not worked as expected

2004-01-11 Thread Micheal Patterson



- Original Message - 
From: "mgmcomm @hotmail.com" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, January 11, 2004 9:50 AM
Subject: sendmail aliases not worked as expected


> I am having trouble getting /etc/mail/aliases to properly forward system
> messages such as cron or periodic events.  Actually this problem affects
> even mail input using the mail command or any other method.  Although the
> cron/periodic is what I require the most.
>
> When a cron or periodic task creates an email to say root...it gets mailed
> to [EMAIL PROTECTED] instead of [EMAIL PROTECTED]  Which results in an
> error message
>
> Jan  7 03:03:01 butters sm-mta[1511]: i07331me001498: SYSERR(root):
> butters.kibserv.org. config error: mail loops back to me (MX problem?)
>
> A bounce message is generated and sends cleanly to [EMAIL PROTECTED]
> The original message is removed from the queue...apparently this error is
> fatal to the original message.
>
> my alias file contains the following
> root:   [EMAIL PROTECTED]
> seti:   [EMAIL PROTECTED]
> kib:[EMAIL PROTECTED]
> virtualuser:[EMAIL PROTECTED]
>
> and many other entries...most are the defaults in the original file enabled
> and almost all eventually point to root anyhow.  And yes I have run
> newaliases and received successful and positive response.
>
> 10:17am butters:/etc/mail # newaliases
> /etc/mail/aliases: 38 aliases, longest 22 bytes, 504 bytes total
>
> This problem seemed to start about the time I upgraded from 4.7 to 5.2.
> Presently I am loosely tracking current...usually up to a month behind with
> a 1 week run on a test box.  I plan to track 5-stable as soon as I see it
> since I am too deep into 5.x features to go back to 4.x now.  Current is not
> really all I bargained for  :)
>
> 10:25am butters:/etc/mail # uname -a
> FreeBSD butters 5.2-CURRENT FreeBSD 5.2-CURRENT #3: Tue Dec 16 19:32:35 UTC
> 2003 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/CUSTOM  i386
>
> in my rc.conf file I thought maybe my sendmail options were wrong.
> historically I have used:
> sendmail_enable="YES"
> but after reading the defaults and the rc.sendmail file I find that this
> option is exclusive of two other sendmail options
> sendmail_submit_enable and sendmail_outbound_enable
>
> So I tried each in turn with no change in result.  But since I can't find
> much documentation on these other than what I can make from the rc.sendmail
> I might still just be using the wrong rc.conf the wrong way.
>
> It seems to me that sendmail is completely ignoring the /etc/mail/aliases
> file
> Even when I try to send mail to kib (a real user) or the virtualuser the
> mail always tries to go to [EMAIL PROTECTED] eventually bounces
> and gets attached to a message to the postmaster.  I suppose the aliases are
> not completely ignored because no mail ever gets to the local user mail
> accounts.
>
> Also note that the kibserv.org is an old domain no longer registered...but
> we still use it for testing purposes.  To prove this is not a dns related
> issue here is a few digs.  Our local dns server has all the correct records.
>
> 10:29am butters:/etc/mail # dig kibserv.org mx
>


If the system is sending mail to itself for processing, as most mx's do, you
need to have the full host name in the local-host-names file. Otherwise, it
doesn't know it's the controlling mx and will reject the mail.

--

Micheal Patterson
Network Administration
TSG Incorporated
405-917-0600



Re: Configuring E-mail Services on a Standalone Wkst

2004-01-18 Thread Micheal Patterson

- Original Message - 
From: "Bob Perry" <[EMAIL PROTECTED]>
To: "FreeBSD-Questions" <[EMAIL PROTECTED]>
Sent: Sunday, January 18, 2004 1:47 AM
Subject: Configuring E-mail Services on a Standalone Wkst


> Hello,
>
> I have two PCs, an NT 4.0 box and a FreeBSD 4.8 system.   I'm connected
> to the internet via dial-up (56k modem) and using the mail system found
> in Mozilla.  I understood that mail services was a natural with FreeBSD
> so I thought I would take the opportunity to learn what I could about
> setting up a mail server.  I've become familiar with SMTP, MUAs, MTAs,
> qpopper, and fetchmail but it seems like some of the more necessary
> components are a static IP address, 24/7 connection, and accurate DNS
> information set up on my system.  If this an accurate assessment, I may
> have to be satisfied setting up my e-mail services for a standalone
> workstation because I can't afford a static IP address or 24/7 connection.
>
> If a full-fledged e-mail server isn't feasible, can I still use software
> like sendmail, mutt, qpopper, and fetchmail for a standalone
> workstation?  Do they offer any real advantages over the mail systems
> that come with Mozilla, Netscape, etc.?   Any, and all comments are welcome.
>
> Thank you.
> Bob Perry
>
> -- 
> FreeBSD 4.8-RELEASE-p13 0#

What I've done in the past with dialup is this:

Configure sendmail to use a smart host. This would point to your ISP's mail
server.
Configure fetchmail to run every 10 minutes to check for incoming mail.
Configure qpopper, imapd services so you can receive your mail from the bsd
box.

On your client computer (Windows), configure it to send and receive mail
from your unix box.

In this config, fetchmail will retrieve mail from your isp, pipe it through
your local sendmail. This allows you to place your own filters on incoming
mail and scan it for viri using the software of your choice. Then when you
send mail out, it hits the sendmail server and is forwarded on to your ISP.

--

Micheal Patterson
Network Administration
TSG Incorporated
405-917-0600



Re: ipfw/nated stateful rules example

2004-01-19 Thread Micheal Patterson


- Original Message - 
From: "Ken Bolingbroke" <[EMAIL PROTECTED]>
To: "fbsd_user" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Monday, January 19, 2004 10:28 PM
Subject: RE: ipfw/nated stateful rules example


>
> On Mon, 19 Jan 2004, fbsd_user wrote:
>
> > That's a play on words. And still does not prove stateful rules work on
> > the interface facing the public internet. There is no documentation that
> > says keep-state and limit only works on the interface facing the private
> > Lan network. And the implied meaning is they are to be used on the
> > interface facing the public internet.
>
> I just jumped in the middle here, so I may be out of context.
>
> But, stateful rules don't play nice with NAT.  Consider non-NAT, a public
> IP address contacting an Internet address:
>
>   67.161.59.61 -> 66.218.71.91
>
> A rule is created for 66.218.71.91 coming to 67.161.59.61.  When
> 66.218.71.91 replies, the stateful rule lets it in.  This is good.
>
>
> But consider NAT:
>
>  10.0.0.10 changed to 67.161.59.61 -> 66.218.71.91
>
> If you do a keep-state before NAT, you have a rule to allow 66.218.71.91
> to 10.0.0.10, but the return incoming packet will be 66.218.71.91 ->
> 67.161.59.61, so the rule doesn't match.
>
> If you do a keep-state after NAT, then you have a rule to allow
> 66.218.71.91 to 67.161.59.61.  The return incoming packet matches that
> rule, but it accepts the packet and packet processing stops, so it's never
> passed through NAT, and never makes it back to 10.0.0.10.
>
>
> So as it stands now, I don't see that you can use stateful connections
> with NAT, unless check-state is changed to allow a packet to be passed
> through NAT.
>
> Ken Bolingbroke

Ken, try this one. This is what I use here at home and it does indeed work:

Launch NATD with natd -interface ep0 -s -m -u (Only RFC1918 packets get
altered)

## Divert everything to NAT.
ipfw add 1 divert natd ip from any to any via ep0

#Prevent inbound spoof attempts for my lan range
ipfw add 10 deny ip from 192.168.1.0/24 to any in via ep0

#Check State Rules
ipfw add 20 check-state

#LAN Allow Stateful
ipfw add 31 allow ip from 192.168.1.0/24 to any keep-state

#Allow Outbound Stateful.
ipfw add 40 allow ip from 68.12.xx.xx to any keep-state

NAT keeps a separate table of its translations to provide a back channel.
Traffic comes in, generates a dynamic ruleset, gets translated, heads out
and creates the 2nd dynamic for the packet. You'll end up with something
like this:

ipfw -d list



## Dynamic rules:
00040 4 692 (T 18, slot 215) <-> tcp, 68.12.xx.xx3777<-> 216.239.57.99 80
00031 35 20374 (T 10, slot 219) <-> udp, 192.168.1.3 4986<-> 198.247.231.41 27019
00031 3 216 (T 1, slot 483) <-> tcp, 192.168.1.1 22<-> 192.168.1.2 3574
00031 16 11902 (T 298, slot 752) <-> tcp, 192.168.1.2 3777<-> 216.239.57.99 80

Granted, you'll end up with a dual entry for each packet in stateful space,
but it does work. Perhaps not as intended with a single match but you can
use stateful with NAT.


--

Micheal Patterson
Network Administration
TSG Incorporated
405-917-0600




Re: ipfw/nated stateful rules example

2004-01-20 Thread Micheal Patterson


- Original Message - 
From: "fbsd_user" <[EMAIL PROTECTED]>
To: "Micheal Patterson" <[EMAIL PROTECTED]>; "Ken Bolingbroke"
<[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, January 20, 2004 8:41 AM
Subject: RE: ipfw/nated stateful rules example


> As the original poster of this thread, I want to say thank you to
> Ken Bolingbroke who posted his rule set and to the other posters who
> voiced their comments.
>
> I want to point out that Ken Bolingbroke acknowledged that his work
> around of doing keep-state on both the Lan interface and the public
> interface only works because the returning public packet is being
> matched by stateful table entries posted from the Lan interface
> keep-state rules. Yes he proved he could make it work, but not
> work correctly. In the true security sense, this is un-secure and
> invalidates the whole purpose of using keep-state rules at all.
>
> I am surprised that I have not yet heard the old timers dogma that
> the Nated process itself is really performing a keep-state like
> process and that is why keep-state does not work with divert/Natd.
> There is some truth to that because the Nat process does have to
> keep its own internal table to remap IP address, but it just
> blindly does the mapping without any regard to if the packet
> belongs to an authorized session conversation, like the keep-state
> function does.
>
> The conclusion so far is that ipfw1 and ipfw2 using keep-state rules
> on the interface facing the public internet with divert/nated does
> not work period. By all accounts this is an long time bug propagated
> by the continued use of the legacy divert keyword sub-routine call
> to ipfw's userland Natd function. The using of keep-state rules on
> the interface facing the public internet is restricted to situations
> where there are no Lans behind the ipfw firewall or when 'user
> ppp' -NAT function is used. I have tested using ipnat as an front
> end to ipfw with keep-state but that also ends up handing off the
> packet to ipfw at the wrong time.
>
> Now that ipfw2 has replaced ipfw1 in 5.2, maybe some of that ipfw2
> programming teams effort can be directed at fixing this problem. The
> IPNAT code of IPFILTER runs in the kernel and could be modified to
> be ipfw2's external Nat function.
>
> So firewall users who want the maximum level of protection have to
> use IPFILTER. IPFILTER has had the keep state function long before
> the keep-state option was ever added to ipfw1.
>
> Still would like to be proved wrong on my conclusion.

Again I'll use this simple ruleset as a base. I've just used it on my
network here at home to test for stateful inspection.

## Divert everything to NAT.
ipfw add 1 divert natd ip from any to any via ep0

#Prevent inbound spoof attempts for my lan range
ipfw add 10 deny ip from 192.168.1.0/24 to any in via ep0

#Check State Rules
ipfw add 20 check-state

#Stateful Test Deny Rule
ipfw add 25 deny log ip from any to any in via ep0

#LAN Allow Stateful
ipfw add 31 allow ip from 192.168.1.0/24 to any keep-state

#Allow Outbound Stateful.
ipfw add 40 allow ip from 68.12.xx.xx to any keep-state

#Default Deny
ipfw add 65000 deny ip from any to any

In order for traffic to hit your internal network, for a packet inbound to
your LAN, 2 things have to happen.

1.  A NAT entry that matches source ip / port to target ip / port.

2. A stateful dynamic rule that matches the LAN ip / port pair as well.

If #1. doesn't occur, the traffic is treated as if it were heading to the
firewall system itself. If there's no state match, it's dropped by the
default deny rule at  65000.

If #1 occurs, the traffic is translated, handed back to ipfw to check for
#2. If #2 exists, the traffic passes onwards to the LAN. If not, it's
dropped by the deny rule at 65000.

If #1 doesn't occur, the traffic is treated as if it's heading to the
firewall system and is checked against state for a match for the WAN IP /
Port. If there's a match, traffic is allowed. If there's no match, the
traffic is dropped by the default route.

If you'd like to test this, here's how. Create the firewall ruleset as above
(adjusted for your setup of course). Get on the net. Run an ipfw -d list to
show your stateful rules, then edit the ruleset and simply comment out the
check-state entry. Rerun your ipfw ruleset and try again. Tail your
/var/log/security file and watch the denies come rolling in for rule 25.
Then try it with it enabled again and you'll see that stateful is indeed
working as it jumps rule 25 completely and allows the traffic to pass once
you've tried to access the remote site.

--

Micheal Patterson
Network Administration
TSG Incorporated
405-917-0600
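
The packet path described in the message above (divert to natd, check-state, the rule 25 test deny, then the two keep-state rules), modelled in Python as an added example; it is not code from the thread or from ipfw. The LAN interface name `xl0` and the address 203.0.113.10, standing in for the elided 68.12.xx.xx, are assumptions, and the model covers only these rules with address/port matching.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport")

WAN_IF, LAN_IF = "ep0", "xl0"   # xl0: hypothetical LAN interface name
WAN_IP = "203.0.113.10"         # constructed stand-in for the elided 68.12.xx.xx
LAN_NET = ipaddress.ip_network("192.168.1.0/24")


def in_lan(addr):
    return ipaddress.ip_address(addr) in LAN_NET


def flow(pkt):
    """Direction-independent key, like an ipfw dynamic rule (<->)."""
    return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})


class Firewall:
    def __init__(self, check_state=True):
        self.check_state = check_state  # False models commenting out rule 20
        self.nat = {}      # natd's own table: (port, remote ip, remote port) -> LAN ip
        self.dynamic = {}  # flow key -> number of the keep-state rule that created it

    def _natd(self, pkt, direction):
        if direction == "out" and in_lan(pkt.src):
            self.nat[(pkt.sport, pkt.dst, pkt.dport)] = pkt.src
            return pkt._replace(src=WAN_IP)
        if direction == "in" and pkt.dst == WAN_IP:
            lan_ip = self.nat.get((pkt.dport, pkt.src, pkt.sport))
            if lan_ip:
                return pkt._replace(dst=lan_ip)
        return pkt  # no translation entry: packet stays addressed to the firewall

    def _keep_state(self, pkt, rule):
        self.dynamic[flow(pkt)] = rule
        return "allow", rule, pkt

    def _pass(self, pkt, direction, iface):
        """One trip through the ruleset; returns (verdict, rule number, packet)."""
        on_wan = iface == WAN_IF
        if on_wan:                                            # rule 1: divert natd via ep0
            pkt = self._natd(pkt, direction)
        if on_wan and direction == "in" and in_lan(pkt.src):  # rule 10: anti-spoof
            return "deny", 10, pkt
        if self.check_state and flow(pkt) in self.dynamic:    # rule 20: check-state
            return "allow", self.dynamic[flow(pkt)], pkt
        if on_wan and direction == "in":                      # rule 25: test deny (log)
            return "deny", 25, pkt
        if flow(pkt) in self.dynamic:       # table is also consulted at first keep-state
            return "allow", self.dynamic[flow(pkt)], pkt
        if in_lan(pkt.src):                                   # rule 31: LAN keep-state
            return self._keep_state(pkt, 31)
        if pkt.src == WAN_IP:                                 # rule 40: WAN keep-state
            return self._keep_state(pkt, 40)
        return "deny", 65000, pkt                             # rule 65000: default deny

    def forward_out(self, pkt):
        """LAN host -> Internet: input pass on the LAN side, output pass on ep0."""
        verdict, rule, pkt = self._pass(pkt, "in", LAN_IF)
        if verdict == "allow":
            verdict, rule, pkt = self._pass(pkt, "out", WAN_IF)
        return verdict, rule, pkt

    def receive(self, pkt):
        """Internet -> ep0; forwarded to the LAN only if it survives both passes."""
        verdict, rule, pkt = self._pass(pkt, "in", WAN_IF)
        if verdict == "allow" and in_lan(pkt.dst):
            verdict, rule, pkt = self._pass(pkt, "out", LAN_IF)
        return verdict, rule, pkt


def demo():
    out = Packet("192.168.1.2", 3777, "216.239.57.99", 80)
    reply = Packet("216.239.57.99", 80, WAN_IP, 3777)
    stray = Packet("198.51.100.7", 4444, WAN_IP, 22)  # constructed unsolicited packet
    results = {}
    for label, enabled in (("check-state on", True), ("check-state off", False)):
        fw = Firewall(check_state=enabled)
        fw.forward_out(out)
        results[label] = {
            "dynamic parents": sorted(fw.dynamic.values()),
            "reply": fw.receive(reply)[:2],
            "stray": fw.receive(stray)[:2],
        }
    return results


if __name__ == "__main__":
    for label, res in demo().items():
        print(label, res)
```

The "dynamic parents" value shows the dual entry (rules 31 and 40) for one outbound connection; the reply is admitted through the rule 31 state only after natd has rewritten its destination.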






Re: ipfw/nated stateful rules example

2004-01-20 Thread Micheal Patterson

- Original Message - 
From: "fbsd_user" <[EMAIL PROTECTED]>
To: "Micheal Patterson" <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>
Sent: Tuesday, January 20, 2004 8:18 PM
Subject: RE: ipfw/nated stateful rules example


> You are doing keep-state on both the Lan interface and the public
> interface and it only works because the returning public packet is
> being matched to stateful table entries posted by the Lan interface
> keep-state rules and not the stateful table entries posted by the
> external interface. Yes you are making it work, but not work
> correctly. In the true security sense, this is un-secure and
> invalidates the whole purpose of using keep-state rules at all. This
> would never be allowed by a real firewall security professional.
>
> If you feel secure in using this method, be my guest. But know it's
> not really providing you protection for packets inserted by an
> attacker.  It nullifies the benefits of keep state on the interface
> facing the public internet.

It's working because my fbsd box is in router mode and I don't want people
to communicate with its serial ip unless I request it. That's why there are
two stateful entries. One to protect the serial and one to protect my lan.
NAT sits happily in the middle.

Let's take this to a more real world scenario though.

You have the following:

Cisco 3745 connected to a Sprint ATM circuit.
Serial IP's: 62.121.1.2 Your side / 62.121.1.1 Sprint side.
Cisco LAN: 10.0.0.1/30
Firewall WAN: 10.0.0.2/30
Firewall LAN: 64.1.1.1

The above is a generic dmz setup. Since this is on Sprint, the router's
serial IP is not accessible either unless you specifically request it via
their NOC so they can remove their default filters. I'm assuming that we're
in agreement here. In this scenario, where would you put stateful? On the
LAN side.

Now, assume that this is a nat'd network with 128 IP's and you've got 200+
systems behind it.

Cisco 2620 connected to Sprint DS1:
Serial IP's: 62.121.1.2 Your side / 62.121.1.1 Sprint side
Cisco LAN: 64.1.1.1
Firewall WAN  w/NAT: 64.1.1.2
Firewall LAN: 192.168.1.0/24

In this scenario, you have NAT running on the firewall and doing the
translations for the internal range. NAT sits on your WAN interface and does
its merry little thing.

If I understand you correctly, you're saying that "Private > NAT > WAN
Keep-State > World" is the accepted manner of a network security
professional and is secure.

Whereas what I'm doing "Private LAN Keep-State > NAT > World" is not secure
and would not be accepted by a security professional?  How do you figure
that either method is more or less secure than the other? If stateful is
breached in either method, the underlying network is compromised. Sorry,
it's late and I may be missing something but I just don't see it.

--

Micheal Patterson
Network Administration
TSG Incorporated
405-917-0600




Re: ipfw/nated stateful rules example

2004-01-20 Thread Micheal Patterson




- Original Message - 
From: "Jonathan Chen" <[EMAIL PROTECTED]>
To: "fbsd_user" <[EMAIL PROTECTED]>
Cc: "Micheal Patterson" <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>
Sent: Tuesday, January 20, 2004 11:20 PM
Subject: Re: ipfw/nated stateful rules example


> On Tue, Jan 20, 2004 at 09:18:27PM -0500, fbsd_user wrote:
> > Yes you are making it work, but not work
> > correctly. In the true security sense, this is un-secure and
> > invalidates the whole purpose of using keep-state rules at all. This
> > would never be allowed by an real firewall security professional.
>
> I'm curious as to why you'd consider it insecure. How would applying
> the keep-state rules on the public IP be any more secure than using it
> on the internal IP? The mechanism works the same regardless. You
> haven't provided a case as to why you think it is unsecure.
> -- 
> Jonathan Chen <[EMAIL PROTECTED]>

That's what I'm trying to figure out.  As far as I can tell, it's working
exactly how I want it to work. My public IP traffic is stateful from the
firewall to the world and the LAN traffic is stateful to the world. I'd just
like to hear what the firewall security professional would have to say about
it.

--

Micheal Patterson
Network Administration
TSG Incorporated
405-917-0600



Re: ipfw/nated stateful rules example

2004-01-21 Thread Micheal Patterson

- Original Message - 
From: "fbsd_user" <[EMAIL PROTECTED]>
To: "Jonathan Chen" <[EMAIL PROTECTED]>
Cc: "Micheal Patterson" <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>
Sent: Wednesday, January 21, 2004 7:29 AM
Subject: RE: ipfw/nated stateful rules example


> You must have missed reading some parts of the thread. The problem
> is not whether you just do keep-state on the public side or the
> private side, it's with doing keep-state on both sides at the same
> time from within ipfw along with using divert statement.

If you have multiple lans (which in effect you do in my situation) you
state inspect traffic into and out of each network.

> The stated problem is
> ipfw1 and ipfw2 does not work when keep-state rules are used on an
> single interface along with divert/nated.
> They do work if divert/nated is not used and user ppp nat is used to
> perform the nat function.

They also work if NAT is used. That's because keep-state monitors the source
of the packet and relies on that.  So what you're telling me is that you'd
prefer a masqueraded IP to be the source for all of your stateful
inspections instead of the true tcp source? And you feel that is more secure
than applying stateful to the true source of the traffic prior to network
translation?

> As far as the question of using keep-state rules on both the private
> and public interfaces this is cross population of the single
> stateful table and returning packets are being matched to entries in
> the stateful table which do not belong to the interface the original
> entry was posted from. This is a logic error and invalidates the
> function of the purpose of the whole stateful concept.

It's not cross population of the stateful table. It's how stateful works
with multiple networks. Regardless if you are running NAT or not, if you
have 3 /24's behind your firewall, do you expect to secure them all by
simply having stateful on the firewall's wan port? What keeps them from
infiltrating each other? Don't make the assumption that all are welcome
behind the firewall. You treat them as entirely separate networks unless
otherwise stated. Now, what's going to happen to your stateful table then?
It's going to be so cross populated with traffic from 762 other systems
that you'll not see straight.

--

Micheal Patterson
TSG Network Administration
405-917-0600



Re: sendmail help?

2004-01-22 Thread Micheal Patterson


- Original Message - 
From: "fbsd_user" <[EMAIL PROTECTED]>
To: "Dinesh Nair" <[EMAIL PROTECTED]>
Cc: "Adam Bozanich" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Thursday, January 22, 2004 10:43 AM
Subject: RE: sendmail help?


> Yes I am serious. I have used 5 different ISP's over the years and
> not one let sendmail have direct access to their smtp email servers.
> They all required me to use their pop3 server which is something
> totally different. I believe the original poster was asking about
> using sendmail to retrieve email from his ISP's smtp server.  And
> it's still a lot easier to install fetchmail than to reinstall
> sendmail.
>

Did you place pop3.ispname.com in your smtp server field of Outlook and
change the default port 25 to something else? If you didn't change the port,
then their smtp daemon is listening for your traffic on port 25 of the same
server that they're running pop3 on. This isn't too uncommon. If the OP was
asking about getting the ISP smtp server to send to his sendmail, then for that
to happen, at minimum, the following has to be done. He's got a static ip
and the isp places a forward on his ISP account to forward to
[EMAIL PROTECTED] and his system is configured to accept mail for
xxx.xxx.xxx.xxx, or, he has a domain assigned with an mx record pointing to
his home system. Fetchmail can't retrieve mail from an smtp server that I am
currently aware of as it's designed to speak pop protocol and then deliver
it locally to an awaiting smtp server for local delivery.

--

Micheal Patterson
TSG Network Administration
405-917-0600



Re: sendmail help?

2004-01-22 Thread Micheal Patterson

- Original Message - 
From: "Matthew Seaman" <[EMAIL PROTECTED]>
To: "fbsd_user" <[EMAIL PROTECTED]>
Cc: "Dinesh Nair" <[EMAIL PROTECTED]>; "Adam Bozanich"
<[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Thursday, January 22, 2004 10:57 AM
Subject: Re: sendmail help?

On Thu, Jan 22, 2004 at 11:43:45AM -0500, fbsd_user wrote:

>>I believe the original poster was asking about
>> using sendmail to retrieve email from his ISP's smtp server.  And
>> it's still a lot easier to install fetchmail than to reinstall
>> sendmail.

>The OP said:
>
>> I have a dial up DSL account that gives me an outgoing smtp account that
>> requires smtp authentication.
>>
>Which part of "outgoing" are you having difficulty understanding?
>
> Cheers,
>
> Matthew
>
> -- 
> Dr Matthew J Seaman MA, D.Phil.   26 The Paddocks
>  Savill Way
> PGP: http://www.infracaninophile.co.uk/pgpkey Marlow
> Tel: +44 1628 476614  Bucks., SL7 1TH UK


Apparently he's having trouble understanding a number of things lately and
I'm beginning to wonder if he's a troll or not.

To assist the OP on this issue, check out this link:

http://www.sendmail.org/~ca/email/auth.html#DefaultAuthInfo

Within that site, it will give you assistance in setting up sendmail to act
as an smtp client using smtp-auth.



DefaultAuthInfo (confDEF_AUTH_INFO)
specifies a file in which the authorization identity, the authentication
identity, the secret, and the realm to be used for authentication are
stored. This file must be in a safe directory and unreadable by everyone
except root (or TrustedUser). It is used when sendmail acts as a client to
authenticate itself to a server. Example:
admin
admin
MySecretPassword
example.domain

Notes: all data is case sensitive (usually) and the entire line is used in
each case (including any white space!).
recommended filename: /etc/mail/default-auth-info



I trust this is what the OP's original intentions were.


--

Micheal Patterson
TSG Network Administration
405-917-0600



Re: sendmail help?

2004-01-22 Thread Micheal Patterson

- Original Message - 
From: "Peter Risdon" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, January 22, 2004 11:31 AM
Subject: Re: sendmail help?


> Micheal Patterson wrote:
>
> > Fetchmail can't retrieve mail from an smtp server that I am
> > currently aware of as it's designed to speak pop protocol and then deliver
> > it locally to an awaiting smtp server for local delivery.
> >
> Fetchmail can use various protocols, including etrn, which is used to
> flush queues on smtp servers. This is a common protocol: Microsoft
> Exchange 2000 and 2003 ship without a pop3 client and use etrn
> exclusively (unless you install some 3rd party client).
>
> So you can use sendmail to collect mail using etrn, and most ISPs offer
> etrn, but this isn't what the OP was asking about.
>
> PWR.

The only current reference that I had when I made that post was for version
5.7.2 which states in its man page:

  "In ETRN and ODMR modes, fetchmail does not actually
   retrieve messages; instead, it asks the server's SMTP listener
   to start a queue flush to the client via SMTP.
   Therefore it sends only undelivered messages."

I've not used fetchmail for quite some time simply because I've no need to
do so. If that's not the current version, then that may have changed
considerably. But, as you stated, the OP was asking about smtp-auth via
sendmail.


--

Micheal Patterson
Network Administration
TSG Incorporated
405-917-0600




Re: Why BSD?

2004-01-24 Thread Micheal Patterson


- Original Message - 
From: "Jesse Guardiani" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, January 24, 2004 3:26 PM
Subject: Re: Why BSD?


> Jeff Elkins wrote:
>
> > This is not a troll.
> >
> > I've installed FreeBSD 5.2 on a spare SCSI drive and am compiling kernels,
> > updating ports, etc,etc. Thus far, other than some minor hassles, it's
> > equivalent to my Debian sid.
> >
> > I have to ask: Why FreeBSD rather than Linux?
> >
> > Honest question.
>
> For me, this question has been answered twice in different attempts to "give
> linux a try". I'm a Sys Admin, and we run FreeBSD almost exclusively at work.
> However, every new employee we hire walks into the building with an attitude
> that Linux is somehow better than FreeBSD because they've heard so much about
> it and haven't heard anything about FreeBSD. So, on two separate occasions, I
> decided to "give linux a try". Both ended miserably:


For me, this is what severely soured my stomach to Linux.

I ran Redhat quite a few years ago for about 3 months. Granted, it wasn't as
easy as it is now. This version had no gui installer and you had to know the
ftp site location to point the installer to back then. FreeBSD wasn't much
easier at the time as I recall so that was not really an issue. Well, then
I decided that I wanted to learn bind. But the OS version of course wasn't
current so I went and grabbed the rpm for my version of linux that was
current. I then went to uninstall the existing system bind portion and it
gave an error that permission was denied. I was logged in from console as
root, and it wouldn't allow me to uninstall it, nor would it allow me to
install over it or upgrade it. So, I blew it away.

--

Micheal Patterson
Network Administration
TSG Incorporated
405-917-0600



Re: Problem With Configuring Name Servers

2004-01-24 Thread Micheal Patterson


- Original Message - 
From: "Gerard Seibert" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, January 24, 2004 4:40 PM
Subject: Problem With Configuring Name Servers


> I am fairly new to BSD. I seem to be having a problem setting up my name
> servers correctly.
>
> I have the following in the resolv.conf file:
>
> domain rcn.com
> nameserver 207.172.3.8
> nameserver 207.172.3.9
>
> The following entry is in the re.conf file
>
> ifconfig_rl0="DHCP"
>
> Everything, including nslookup, etc works fine until I reboot. Then the
> files are over written. The resolv.conf file then has the following entries:
>
> search cable.rcn.com
> nameserver 192.168.0.1
>
> Obviously, I am doing something incorrectly here. Why are these files
> being rewritten upon rebooting of the machine, and how do I stop it. I have
> a cable connection that uses "DHCP" . I have the latest release of FreeBSD
> 5.2 installed.
>
> Thanks in advance.
>
> Gerard Seibert
> [EMAIL PROTECTED]
>
>

In /etc there will be a file called dhclient.conf. If it doesn't exist,
create it and add the following:

interface "rl0" {
prepend domain-name-servers 207.172.3.8;
prepend domain-name-servers 207.172.3.9;
request subnet-mask, broadcast-address, routers, domain-name-servers ;
require subnet-mask, broadcast-address, routers ;
}

What this will do is take the information that is provided during the dhcp
initialization and add the above to the information it receives from the
server. If you don't want to use any of the name servers provided by dhcpd,
remote the domain-name-servers portion from the request entry. If you need
any further specifics, check out man dhclient.conf for other options to add
to this file.  I think that this will do what you're looking for though.

--

Micheal Patterson
Network Administration
TSG Incorporated
405-917-0600



Re: Problem With Configuring Name Servers

2004-01-24 Thread Micheal Patterson


- Original Message - 
From: "Micheal Patterson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Saturday, January 24, 2004 4:48 PM
Subject: Re: Problem With Configuring Name Servers


>
>
> - Original Message - 
> From: "Gerard Seibert" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Saturday, January 24, 2004 4:40 PM
> Subject: Problem With Configuring Name Servers
>
>
> > I am fairly new to BSD. I seem to be having a problem setting up my name
> > servers correctly.
> >
> > I have the following in the resolv.conf file:
> >
> > domain rcn.com
> > nameserver 207.172.3.8
> > nameserver 207.172.3.9
> >
> > The following entry is in the re.conf file
> >
> > ifconfig_rl0="DHCP"
> >
> > Everything, including nslookup, etc works fine until I reboot. Then the
> > files are over written. The resolv.conf file then has the following
> > entries:
> >
> > search cable.rcn.com
> > nameserver 192.168.0.1
> >
> > Obviously, I am doing something incorrectly here. Why are these files
> > being rewritten upon rebooting of the machine, and how do I stop it. I
> > have a cable connection that uses "DHCP" . I have the latest release of
> > FreeBSD 5.2 installed.
> >
> > Thanks in advance.
> >
> > Gerard Seibert
> > [EMAIL PROTECTED]
> >
> >
>
> In /etc there will be a file called dhclient.conf. If it doesn't exist,
> create it and add the following:
>
> interface "rl0" {
> prepend domain-name-servers 207.172.3.8;
> prepend domain-name-servers 207.172.3.9;
> request subnet-mask, broadcast-address, routers, domain-name-servers ;
> require subnet-mask, broadcast-address, routers ;
> }
>
> What this will do is take the information that is provided during the dhcp
> initialization and add the above to the information it receives from the
> server. If you don't want to use any of the name servers provided by dhcpd,
> remote the domain-name-servers portion from the request entry. If you need
> any further specifics, check out man dhclient.conf for other options to add
> to this file.  I think that this will do what you're looking for though.

Argh. spellcheckers are evil I say.  remove !remote


--

Micheal Patterson
Network Administration
TSG Incorporated
405-917-0600



Re: mail

2004-01-26 Thread Micheal Patterson


- Original Message - 
From: "Chad Albert" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, December 31, 2003 3:46 PM
Subject: mail


> I am writing a script that mails me when certain events occur.  I am
> using mail(1) to notify me by email when some things happen.  I have
> read the man page and I don't see a way to attach a file, does anyone
> know how to use mail(1) to attach a file?


If it's a text file, just cat filename.ext |mail -s "subject" [EMAIL PROTECTED]
to send the contents to the target address. On the other hand, if you want
to attach the file, use mailx from ports. There's an -a flag to attach files
to outbound emails.

--

Micheal Patterson
TSG Network Administration
405-917-0600


Re: how to tell if my ISP is blocking email & web ports

2004-01-26 Thread Micheal Patterson




- Original Message - 
From: "fbsd_user" <[EMAIL PROTECTED]>
To: "Dinesh Nair" <[EMAIL PROTECTED]>
Cc: "[EMAIL PROTECTED] ORG" <[EMAIL PROTECTED]>
Sent: Wednesday, January 21, 2004 2:38 PM
Subject: RE: how to tell if my ISP is blocking email & web ports


> My friends PC is an MS/Windows 98 box.
> I know all windows system have telnet in command.com.
> Which is reachable from start/run and opens an native dos window.
>
> Would anybody know the syntax of the native dos telnet command
>  to include the port number to use?
>
> telnet xxx.xxx.xxx.xxx would get me to the telnet port
> at that IP address.

Actually, the native "dos" mode versions of telnet came standard starting
with Win2k but I won't go into that. :)

The syntax is start > run > telnet xxx.xxx.xxx.xxx port#

--

Micheal Patterson
TSG Network Administration
405-917-0600


Re: How to build FreeBSD entirely from sources?

2004-01-27 Thread Micheal Patterson




- Original Message - 
From: "Geert Hendrickx" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, January 27, 2004 12:48 AM
Subject: How to build FreeBSD entirely from sources?


> Hello,
>
> "FreeBSD from Scratch" describes a method for REbuilding a FreeBSD system
> entirely from sources, starting from an existing FreeBSD system.
>
> But I want to build a new FreeBSD system on a machine currently NOT
> running FreeBSD.  How can I do this?
>
> I'm used to doing this with Gentoo Linux:
> With Gentoo, one extracts a "stage" tarball to the target partition, which
> contains gcc, glibc and some other binary programs, just enough to rebuild
> itself, using a "bootstrapping" script.  Then one does "emerge system"
> which fetches sources for the entire base system, compiles them and
> installs them.  After that, other applicantions can be installed with
> "emerge packagename" (comparable to Ports system).
>
> Can I install FreeBSD in a similar way?  Sysinstall only installs binary
> packages.
>
> I am new to FreeBSD but not to building stuff from sources (I've been
> using Gentoo Linux for quite a while now).
>
> Thanks in advance,
>
> GH
>


o Install from cd image and choose the package that includes all sources
(with or without X-Windows depending on if you want a gui or not).

o Synchronize your sources with cvs.

o make world.

All of the above is in the FreeBSD handbook
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/book.html


--

Micheal Patterson
Network Administration
TSG Incorporated
405-917-0600



Re: Configuring Ethernet Interface for 100 Half Duplex

2004-01-29 Thread Micheal Patterson


- Original Message - 
From: "Danie du Toit" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, January 29, 2004 9:50 AM
Subject: Configuring Ethernet Interface for 100 Half Duplex


>
>I need t   with no IP pr
>Currently the card autosense 100 Full -interface. I could not find
it in ifconfig, so I g   init?
>
>Thanks
>
>dsh

What type of nic is it? Which driver xl#, ep#, dc# ? is it using?

--

Micheal Patterson
TSG Network Administration
405-917-0600


Re: Ctrl+Alt+Delete

2004-01-29 Thread Micheal Patterson


- Original Message - 
From: "yo _" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, January 29, 2004 5:37 PM
Subject: Ctrl+Alt+Delete


> Hi, this is a rather auxiliary question but my curiosity overpowered my
> self control. This is also more of a i386 specific question, but then
> again i'm not completely sure if FreeBSD handles it the same way on
> different machines.
>
> Does anyone on the list know what Ctrl+Alt+Delete does on a running
> FreeBSD machine?
>
> The funniest part of this question is that FreeBSD has never frozen on me,
> so that I could actually find out. I run it on my server systems, and i
> don't want to test it and then run the risk of ruining some drives.
> -rian
>

On 4.9, it does the same as a shutdown -r now or reboot does. Stops services
then reboots the system same as it does on a dos box.

--

Micheal Patterson
Network Administration
TSG Incorporated
405-917-0600



5.2 Release and issues

2004-02-01 Thread Micheal Patterson
I went to install 5.2 tonight on a system that had 4.9 running flawlessly on
it. I newfs'd the system, installed from cd and after configuring the
interfaces, all was fine. Until I went to access the net. Throughput was
horrible. 30 - 40 seconds for a telnet echo to reply after a keypress on an
3c509 nic (ep driver), then after recompiling kernel to add ipdivert, it
simply went into a panic / reboot cycle with no alternative but to reinstall
again. Single user mode, safe mode, and disabling acpi boot up's showed the
same symptoms. The system is an amd k62 500 with 128mb ram with an ide
drive. 1 x 3c509 nic and 1 x 3c905 nic. Are there known issues with the ep
driver that I've been unable to locate yet? I put 4.9 back onto the system
and all is well. Anyone else having any similar problems with 5.2?

--

Micheal Patterson
Network Administration
TSG Incorporated
405-917-0600




Fiber card support.

2004-02-06 Thread Micheal Patterson
Has anyone been able to get an AT-2700FTX fiber card to work in 4.9 by
chance? I'm in the need of a fiber card but many of the ones listed in the
hardware guide are at end of life and I'd rather not purchase eol unless
necessary.

Thanks.

--

Micheal Patterson
TSG Network Administration
405-917-0600



Re: FreeBSD and Hot Swap rebuild on SCSI disks.

2003-09-09 Thread Micheal Patterson


- Original Message - 
From: "Edy Lie" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, September 09, 2003 10:02 AM
Subject: FreeBSD and Hot Swap rebuild on SCSI disks.


> Greetings,
>
> I have setup the following:
>
> FreeBSD 4.8 and using Adaptec 2100s for the SCSI RAID 5.
>
> Currently there are 5 harddisks which have been setup as RAID 5 and 1
> harddisk acts as hot spare.
>
> Interestingly, is there any tool on FreeBSD which allows to rebuild the
> array on the fly or is it a must to reboot and goto Adaptec 2100s SMOR
> to rebuild? If latter is the only option it defects the purpose of HOT
> SWAP capabilities.
>
> Anyone using Adaptec 2100s on FreeBSD please share some informations on
> how do you manage the array.
>
> TIA!
>
> Regards,
> Edy
> -- 
>

I do believe that this is what you're looking for. It's available directly
from Adaptec.

*
Release Notes for Adaptec 2100S, 3200S and 3400S SCSI RAID Controllers
as of August 14, 2000



RAIDUTIL (Command Line Interface):

* RAIDUTIL, a command line storage management utility,
  allows you to create and manage your disk arrays from a
  command prompt on the following platforms:

    BSDi 4.x
    FreeBSD 4.x
    Linux (see Linux section for details)
    MS-DOS 6.22 or higher
    Novell NetWare 4.11, 4.2 and 5.x
    SCO UNIX 3.2v4.2
    SCO ODT 3.0 and OpenServer 5
    SCO UnixWare 7.x
    Windows NT 4.0
    Windows 2000

--

Micheal Patterson
TSG Network Administration
405-917-0600



Re: FreeBSD and Hot Swap rebuild on SCSI disks.

2003-09-10 Thread Micheal Patterson

- Original Message - 
From: "Edy Lie" <[EMAIL PROTECTED]>
To: "Micheal Patterson" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, September 10, 2003 9:05 AM
Subject: Re: FreeBSD and Hot Swap rebuild on SCSI disks.


> Hi Michael,
>
> Thanks for the reply. I have tried to search raidutil in /usr/ports but
> i could not find any.
>
> Is that in FreeBSD ports or do i need to compile it manually from
> somewhere ?
>
> Thank you.
> Best Regards,
> Edy Lie

It's an Adaptec provided utility with precompiled binaries. Here's the link:

http://www.adaptec.com/worldwide/support/driversbycat.html?sess=no&language=English+US&cat=%2fOperating+System%2fFreeBSD

Since that link will wrap, if it won't work after you enter it manually,
here's the long route. Go to http://www.adaptec.com, go to Support >
Downloads. In the 2nd section, go to FreeBSD. The manager for the 2100S,
3200S, and 3400S  will be the bottom link.

--

Micheal Patterson
TSG Network Administration
405-917-0600



Re: FreeBSD and Hot Swap rebuild on SCSI disks.

2003-09-10 Thread Micheal Patterson

raidstatus.sh



#!/bin/sh
/raidutil -L all |mailx -s "Raid Status" root

-

Add that script to the root crontab, and it will output the status of the
raid and send an email to root however often you want/need it. Now,
granted, this may not indicate a direct failure, however, if you stop
receiving these mails, you'll know something's up. :)

--

Micheal Patterson
TSG Network Administration
405-917-0600



- Original Message - 
From: "Edy Lie" <[EMAIL PROTECTED]>
To: "Micheal Patterson" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, September 10, 2003 10:42 AM
Subject: Re: FreeBSD and Hot Swap rebuild on SCSI disks.


> Hi Michael,
> Thanks for the prompt response ... it was my bad to send you an email
> before googling. :-)
>
> I have managed to install the tool right after the email.
>
> Do you happen to use any script which will notify the health of the raid
> ?
>
> I have done some researching the only script which i found was on
> adaptec site but it is not "useful" and it fires up a process dpteng
> (aint sure that is what)
>
> In case you are interested the script is in the following URL:
>
> http://linux.adaptec.com/linux_092001.html
>
> Please let me know if you have more information about monitoring Adaptec
> RAID on FreeBSD.
>
> Thank you so much for your assistance.
>
> Best Regards,
> Edy Lie
> On Wed, 2003-09-10 at 23:27, Micheal Patterson wrote:
> > - Original Message - 
> > From: "Edy Lie" <[EMAIL PROTECTED]>
> > To: "Micheal Patterson" <[EMAIL PROTECTED]>
> > Cc: <[EMAIL PROTECTED]>
> > Sent: Wednesday, September 10, 2003 9:05 AM
> > Subject: Re: FreeBSD and Hot Swap rebuild on SCSI disks.
> >
> >
> > > Hi Michael,
> > >
> > > Thanks for the reply. I have tried to search raidutil in /usr/ports
> > > but i could not find any.
> > >
> > > Is that in FreeBSD ports or do i need to compile it manually from
> > > somewhere ?
> > >
> > > Thank you.
> > > Best Regards,
> > > Edy Lie
> >
> > It's an Adaptec provided utility with precompiled binaries. Here's the
> > link:
> >
> > http://www.adaptec.com/worldwide/support/driversbycat.html?sess=no&language=English+US&cat=%2fOperating+System%2fFreeBSD
> >
> > Since that link will wrap, if it won't work after you enter it manually,
> > here's the long route. Go to http://www.adaptec.com, go to Support >
> > Downloads. In the 2nd section, go to FreeBSD. The manager for the 2100S,
> > 3200S, and 3400S  will be the bottom link.
> >
> > --
> >
> > Micheal Patterson
> > TSG Network Administration
> > 405-917-0600
> >
> -- 
>
>



Re: Conection sharing

2003-09-11 Thread Micheal Patterson

- Original Message - 
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, September 11, 2003 3:18 PM
Subject: Conection sharing


> hey people , my name is pedro and I'm from brazil . I'm having problems
> to find docs that talks about sharing an ADSL connection between a FreeBSD
> and a Windows machine in which the BSD machine is the server so maybe some
> of you may have a link with a doc or can tell me how to do it please ? Last
> time I've done it , it was with two win98 machines and I just used a proxy
> program ... but it sucks =P , too instable.
>
>  Pedro
>

Pedro, check out the documentation on enabling NATD.

In short, as long as the DSL is connected to the FreeBSD box, you can
configure and enable NATD on that box, install a 2nd nic, connect it to the
other system with a crossover cable.

--

Micheal Patterson
Network Administration
Cancer Care Network
405-917-0600



Re: freeBSD 4.8

2003-09-11 Thread Micheal Patterson



- Original Message - 
From: "John Mascardo" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, September 11, 2003 9:50 PM
Subject: freeBSD 4.8


> I am a very-very new LINUX/UNIX user. After being convinced by friends
> that it is far better and stable than windows architecture. So I bought the
> LINUX Format magazine because it offered a full OS called FREEBSD 4.8
> I tried to install it and after a few attempts I managed to install
> it at last but when it started up it asked for a login and password.
> I must have missed something along the way because for the life of me
> I had no clue what was happening on install. I searched the mag and the disc
> and unfortunately I can't find any login or password detail. I tried typing
> different stuff but to no avail...
>
> PLEASE tell me what I'm doing wrong and what I should do...
>
> CLUELESS JOHN

First, welcome to a whole new world. :)

When you were installing the OS, at one point, it asked you for an
administrative or Super User password. This password will be the root
account password. So, the login will be root with the password that you
provided. Keep in mind, that you can only use this account from the system
keyboard.

--

Micheal Patterson
Network Administration
Cancer Care Network
405-917-0600



Re: "Connection refused" when setting up cyrus-imapd

2003-09-11 Thread Micheal Patterson



- Original Message - 
From: "Brian Bobowski" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, September 11, 2003 10:31 PM
Subject: "Connection refused" when setting up cyrus-imapd


> I've been trying to set up cyrus-imapd-2.1.14 for a while now, and though
> I'm sure I'd got farther than this before, now I keep getting stuck.
>
> I'm using FreeBSD 5.1. The port downloaded, compiled, and installed just
> fine, I customised imapd.conf and copied one of the sample files to
> cyrus.conf, made the appropriate directories, ran mkimap, put the
> appropriate entries in /etc/services, and followed the including directions
> for generating an OpenSSL certificate and key. For good measure, I sent a
> HUP signal to the inetd process, and then I ran
> /usr/local/cyrus/bin/master &
>
> However, when I run imtest and point it to my localhost, it immediately
> gives me the following response:
>
> connect: Connection refused
> failure: Network initialization
>
> Now, I know I'm a relative newbie to this business, and this particular
> situation has me completely mystified. At one point, I was able to connect
> but was having trouble with authentication. Now it seems like the imap(s)
> port just isn't there or something like that. I haven't yet installed any
> firewall software that I'm aware of - I was afraid to do so until I got the
> rest up and running.
>
> Is there something I'm likely to have missed here?
>
> On a related note, I noticed some discussion in the cyrus-imapd docs and
> config files about mbox versus Mailbox format. The latter seemed to be
> preferable, being able to rearrange with less worry; is there any way I can
> make it be the storage format?
>
> -Brian Bobowski

Not being familiar with imap that well as my organization prefers pop3, I'll
assume that it hooks into wrappers. If so, you'll need an entry in the
hosts.allow file to allow connections to the daemon. Check out your
/var/log/messages to see if there's any rejected connections.

--

Micheal Patterson
Network Administration
Cancer Care Network
405-917-0600



Sendmail Spam Block question.

2003-09-12 Thread Micheal Patterson
I'm getting numerous spam messages that are coming in with headers such as:


Received: from 67.66.xxx.x. ([220.201.80.37])

Where 67.66.xxx.x is the actual IP of my sendmail server and the actual
sending host is 220.201.80.37. Is there any way to block this type of spam
other than blocking 220.201.80.37? I can't place the ip in the access list
as it kills outbound mail from that system.

Thanks.

--

Micheal Patterson
Network Administration
Cancer Care Network
405-917-0600




Re: Sendmail Spam Block question.

2003-09-12 Thread Micheal Patterson


- Original Message - 
From: "Micheal Patterson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, September 12, 2003 7:58 AM
Subject: Sendmail Spam Block question.


> I'm getting numerous spam messages that are coming in with headers such
> as:
>
>
> Received: from 67.66.xxx.x. ([220.201.80.37])
>
> Where 67.66.xxx.x is the actual IP of my sendmail server and the actual
> sending host is 220.201.80.37. Is there any way to block this type of spam
> other than blocking 220.201.80.37? I can't place the ip in the access list
> as it kills outbound mail from that system.
>
> Thanks.
>
> --
>
> Micheal Patterson
> Network Administration
> Cancer Care Network
> 405-917-0600
>


I realize that I'm responding to my own initial message, but after reading
it again, let me clarify.

The source of the spam is 220.201.80.37, it's spoofing the hostname portion
as 67.66.xxx.x which is the IP of my mx. Is there any way to configure
Sendmail that, in this example, if it receives a connection that has the
hostname field of 67.66.xxx.x. and it doesn't resolve back to the ip
220.201.80.37, to reject the message?
--

Micheal Patterson
TSG Network Administration
405-917-0600
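
The check asked about in the two messages above, written as detection over already-received mail: an added example, not part of the original posts and not sendmail's own code. It reads the topmost Received header (the one the receiving MX wrote itself) and flags a HELO name that claims to be the MX while the peer address in brackets is not. The addresses, host names and sample messages are constructed; 192.0.2.25 stands in for the masked 67.66.xxx.x.

```python
"""Flag inbound mail whose SMTP HELO claims to be the receiving server itself."""
import ipaddress
import re
from email import message_from_string

# Assumptions (constructed): the addresses and names this MX uses for itself.
OWN_ADDRESSES = {
    ipaddress.ip_address("192.0.2.25"),   # stand-in for the masked 67.66.xxx.x
    ipaddress.ip_address("127.0.0.1"),
}
OWN_NAMES = {"mx.example.org"}

# Layout shown in the post: from <HELO name> (<reverse DNS, optional> [<peer>])
RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+)\s+"
    r"\((?:(?P<rdns>[^\s\[\]]+)\s+)?"
    r"\[(?:IPv6:)?(?P<peer>[0-9A-Fa-f:.]+)\]",
    re.IGNORECASE,
)


def _as_ip(text):
    """Parse '192.0.2.25', '192.0.2.25.' or '[192.0.2.25]'; None if not an IP."""
    text = text.strip("[]").rstrip(".")
    if text.lower().startswith("ipv6:"):
        text = text[5:]
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def helo_claims_us(helo):
    """True when the HELO argument is one of our own addresses or names."""
    ip = _as_ip(helo)
    if ip is not None:
        return ip in OWN_ADDRESSES
    return helo.rstrip(".").lower() in OWN_NAMES


def check_received(value):
    """Classify one Received header value: 'spoofed-helo', 'ok' or 'unparsed'."""
    match = RECEIVED_RE.match(" ".join(value.split()))  # unfold continuation lines
    if match is None:
        return "unparsed"
    peer = _as_ip(match.group("peer"))
    if peer is None:
        return "unparsed"
    # Our identity in HELO is only legitimate when the peer really is us.
    if helo_claims_us(match.group("helo")) and peer not in OWN_ADDRESSES:
        return "spoofed-helo"
    return "ok"


def first_hop_verdict(raw_message):
    """Check only the topmost Received header; lower ones are sender-supplied."""
    received = message_from_string(raw_message).get_all("Received") or []
    if not received:
        return "unparsed"
    return check_received(received[0])


# Constructed sample messages.
SPOOFED_SAMPLE = (
    "Received: from 192.0.2.25. ([203.0.113.37])\n"
    "\tby mx.example.org (8.12.9/8.12.9) with SMTP id h8CCwX01012345\n"
    "\tfor <user@example.org>; Fri, 12 Sep 2003 07:58:33 -0500 (CDT)\n"
    "From: someone@example.net\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)
LEGIT_SAMPLE = (
    "Received: from mail.example.net (mail.example.net [198.51.100.7])\n"
    "\tby mx.example.org (8.12.9/8.12.9) with ESMTP id h8CCwX01012346\n"
    "\tfor <user@example.org>; Fri, 12 Sep 2003 08:01:10 -0500 (CDT)\n"
    "From: colleague@example.net\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, "->", first_hop_verdict(raw))
```

Locally submitted mail, where the peer is one of the server's own addresses, is classified as ok, which avoids the outbound breakage described in the first message.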



Re: samba PDC vs IBM T21 keyboard

2003-09-13 Thread Micheal Patterson


- Original Message - 
From: "Stacey Roberts" <[EMAIL PROTECTED]>
To: "FreeBSD Questions" <[EMAIL PROTECTED]>
Sent: Saturday, September 13, 2003 9:25 PM
Subject: samba PDC vs IBM T21 keyboard


> Hello,
>I've got a strange (to me at least) problem here.
>
> I'm running samba (version: samba-2.2.8a) as a PDC on a network. I've
> just joined an IBM T21 WinXP Pro laptop to the domain, which went
> through okay, except for one unexpected factor:
>
> The T21's keymapping appears to be all crazy. By that, I'd refer you to
> keys U, I, O, P, J, K, L, : and M.
>
> All of these keys have alternate chars printed on them - for instance
> the "P" has "*" and "O" has a "6", and so on.
>
> Whenever a user logs onto the domain, these "secondary" chars appear to
> be the ones in use, and what you'd expect for "P" actually gets output
> as the "*" char. This happens regardless of the user that logs in, as
> long as its on the network, then those other chars appear to take
> precedence. This behaviour appears in all applications as well, from M$
> Word to attempts at typing a url into the address bar in IE.
>
> If I didn't know any better, I'd almost want to suggest that the key
> mapping appears to be that of a regular PS/2 keyboard!
>
> Has anyone noticed anything like this? If there's any more info I can
> provide, I'm willing to.
>
> Thanks for the time.
>
> Regards,
>
> Stacey
> -- 
> Stacey Roberts
> B.Sc (HONS) Computer Science
>
> Web: www.vickiandstacey.com
>
>
>

Sounds like the 10 key function of the keyboard has been enabled.

--

Micheal Patterson
Network Administration
Cancer Care Network
405-917-0600



atacontrol

2003-09-21 Thread Micheal Patterson
Has anyone ever run across this error when trying to run atacontrol?

"$:> atacontrol list
atacontrol: control device not found: No such file or directory"

I can't locate much information on the command itself other than the man
pages and they don't indicate which device the "control device" would be.

Thanks.

--

Micheal Patterson
Network Administration
Cancer Care Network
405-917-0600




Re: atacontrol

2003-09-21 Thread Micheal Patterson


--

Micheal Patterson
Network Administration
Cancer Care Network
405-917-0600


- Original Message - 
From: "Todd Stephens" <[EMAIL PROTECTED]>
To: "Micheal Patterson" <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>
Sent: Sunday, September 21, 2003 10:57 AM
Subject: Re: atacontrol


> On Sunday 21 September 2003 11:56 am, Micheal Patterson wrote:
> > Has anyone ever run across this error when trying to run atacontrol?
> >
> > "$:> atacontrol list
> > atacontrol: control device not found: No such file or directory"
> >
>
> atacontrol has to be run as root.
>
> -- 
> Todd Stephens
> ICQ# 3150790
> "A witty saying proves nothing."
> -Voltaire
>

I was running it as root.  I've no idea what device it's looking for.

--

Micheal Patterson
Network Administration
Cancer Care Network





Re: atacontrol

2003-09-21 Thread Micheal Patterson




- Original Message - 
From: "Mike Tancsa" <[EMAIL PROTECTED]>
To: "Micheal Patterson" <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>
Sent: Sunday, September 21, 2003 4:10 PM
Subject: Re: atacontrol


>
> cd /dev
> sh MAKEDEV ata
>
> then try atacontrol.
>
>  ---Mike

Tried that as well..

It reports:

ata - no such device name

--

Micheal Patterson
Network Administration
Cancer Care Network
405-917-0600



Re: Cvsup refuse confusion

2003-09-22 Thread Micheal Patterson
- Original Message - 
From: "Charles Howse" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, September 22, 2003 11:13 AM
Subject: Cvsup refuse confusion


> Hi,
> I'm trying to eliminate all the non-English ports and documentation.
> I've deleted the relevant directories in /usr/ports and /usr/share/doc,
> But they reappear on subsequent cvsups.
> Where have I gone wrong?
>
> * /etc/cvsupfile *
>
> *default  host=cvsup11.FreeBSD.org
> *default  base=/usr
> *default  prefix=/usr
> *default  release=cvs
> *default  tag=RELENG_4_8
> *default  delete use-rel-suffix
>
> src-all
> *default tag=.
> ports-all

The entry "ports-all" grabs all available ports from the site. You'll need
to comment that out and only select the ports areas that you want to have it
download.

--

Micheal Patterson
TSG Network Administration
405-917-0600



Re: help with installing port kde3

2003-09-22 Thread Micheal Patterson


- Original Message - 
From: "ALIAS" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, September 22, 2003 9:33 PM
Subject: help with installing port kde3


> so i updated my ports with cvs then i installed xfree4 from port then i
> tried to install kde3 from port too, took about a day and a half until some
> error came up with bison-1.75 the work/bison-1.75/doc/bison.texinfo has some
> errors in it with unknown commands copying and insertcopying and unmatched
> @end command or something like that and i didn't know how to fix it and i
> had to reinstall everything again, can someone tell me how to fix the error?
>

I just had that very same problem today when attempting to get atacontrol
working after a kernel recompile. What ended up being the problem was the
kernel source and user/src were out of sync. I cvs'd the current src tree,
rebuilt world and recompiled kernel and the problem was corrected.

--

Micheal Patterson
Network Administration
Cancer Care Network
405-917-0600



Re: FreeBSD,Linux and any other os besides Microsoft.

2003-09-22 Thread Micheal Patterson


- Original Message - 
From: "Ajax Munroe" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, September 22, 2003 9:52 PM
Subject: FreeBSD,Linux and any other os besides Microsoft.


>   Hello,
>
> I don't have a question but I would like to make a statement. I downloaded
> Freebsd version 5.0 release and unpacked it in great anticipation. I made a
> bootable CD (the best I could, It's not as easy as making a bootable windows
> CD) put the cd in my rom and found that BSD is not for me. Look, I'm not
> trying to put BSD down or anything, I would love to have it on my computer
> fully working so that I could use something other than Windows! I'm by no
> means bored with Windows, I find new and exciting things out with it all the
> time. I feel that I'm pretty literate when it comes to computers, which
> brings me to this: You people have to make a product that is just slightly
> more user friendly. Can't you think of a way to auto-mount your os like
> windows? Setting up your os is like trying to work your way through a jigsaw
> puzzle. (Windows even partitions your drive for you) If someone expects to
> challenge the makers of Windows they are going to have to come up with a
> user friendly system like Windows where you have an easy command format
> instead of what you're trying to do. I mean come on, first you have to figure
> out what to partition the drive in because you don't explain any of this,
> then you have to mount everything, which is beyond the average users
> comprehension, then you have to figure out commands to pass along to the
> kernel..etc...etc...etc. With Windows all you do is stick in the disk and
> it's all pretty straight forward from there on out.
>
> Please, if you could just tell me of one of your systems that's a little
> more user friendly I would love to use it, and tell all my friends about it
> too so that they can spread the word about the new operating system that's
> fun and easy to use.
>
> Your Friend;
>
> AJAX

If you download the iso image and burn it, it turns out as a bootable cd. As
for the partitions, there is an option to autosize in the bottom menu
(unless it's been removed in 5.x). Even with Windows and multiple drives,
you have to tell it how large you want your partitions to be. FreeBSD is no
different in this respect. For most users, 2 slices are all that is
necessary. Root "/" and "swap". Swap is generally 2 x the amount of system
ram, the same as with Windows if you specify it and not allow Windows to
control it. I will admit, FreeBSD isn't for everyone, and you need to
understand its basic function and be willing to learn more than you know
when you start. I've run Solaris, OpenBSD, NetBSD, work with AIX, Slackware
Linux, Redhat Linux and a few others. I've always come back to FreeBSD
because of its simplicity in installation and ease of system configuration.
Many of the other OS's that I've installed in my lifetime require you to
know the actual disk geometry in order to partition it properly, or at least
when I installed them they did. Meaning, if you didn't have the disk in your
hands, you had to tear the system down to get the info. I'm not meaning to
be insulting, but you'll probably find that anything other than Windows will
require a bit of study before you attempt to install it. It's the nature of
the beast. If you want to run a Windows server, it will cost you. If you
want to run exchange as a mail service, that will be an additional cost. If
you want to run a good quality, economical firewall for your network, that
will cost you. You want to run mssql, that will also cost you. These items are
either included with the open source OS's or available as an addon and
usually at no additional cost. It just depends on which way you're willing
to go. In the end, you'll do one of two things, 1) spend some time with the
available documentation and save yourself some money, or 2) spend that money
on the necessary Windows addons to do the same job. Everyone that is in this
list has made the same decision or is in the process of making that
decision. The outcomes will vary depending on the individual and their needs
and abilities.

--

Micheal Patterson
Network Administration
Cancer Care Network



Re: It's time to get angry

2003-09-23 Thread Micheal Patterson


- Original Message - 
From: "Harald Schmalzbauer" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>
Sent: Tuesday, September 23, 2003 11:10 PM
Subject: It's time to get angry


> Dear M$ users,
>
> PLEASE clean your systems.
>
> I get 15Megs of virus/day (~100 Mails each 150k with M$ trash). Now for
> over one week, so it's REALLY annoying.
> Not that there weren't enough great junk filters, it's wasted bandwidth.
> Not only on my site. If you have to use M$ systems on machines on which
> you take part in discussions on FreeBSD-lists, please at least take care
> that you don't stress the others nerves too much. It's hard enough to
> read your "quoting". Don't know much about that worm/virus but I'm quite
> sure just changing the mail client to something non-M$ would help
> (before the system were infected).
>
> So please format your infected discs, block all outgoing smtp
> connections, remove the house's main fuse, whatever, try to stop that
> torture.
>
> -Harry
>
Maybe you should've sent this to a list that is predominantly Windows users.
The majority of us in the lists that you sent this to already know this and
live with it on a daily basis. You have one of the best software systems
that is available today. Use the available tools for it so you don't get a
cluttered inbox. Use fetchmail, dump it to your local smtpd, run amavis on
it, /dev/null the offending messages. It won't stop the feed into your
dialup pipe, but it will keep your inbox clear.  You might even ask your ISP
to help in scanning messages for viri. Who knows, they might just do it.
I'll admit, it's always best to have the problem corrected at the source,
but it's few of us against the many of them. They're winning so far so we
have to do what we can to keep them at arms length or farther if possible.

--

Micheal Patterson
Network Administration
Cancer Care Network




Re: Sound

2003-09-23 Thread Micheal Patterson

- Original Message - 
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, September 23, 2003 10:50 AM
Subject: Sound


> Hello!
>
> Let's start with some info on the system so you know what it is:
> [EMAIL PROTECTED]:~# uname -a
> FreeBSD lnx.bylzz.se 5.1-RELEASE FreeBSD 5.1-RELEASE #0: Mon Sep 22
> 19:44:00 CEST 2003 [EMAIL PROTECTED]:/usr/src/sys/i386/compile/LNX
> i386
>
> [EMAIL PROTECTED]:~# grep pcm /var/run/dmesg.boot
> pcm0:  on sbc0
>
> And I have added the lines "device pcm" and "device sbc" in my kernel
> config file. And I have also done
> # sysctl hw.snd.pcm0.vchans=4
> # sysctl hw.snd.maxautovchans=4
> And it didn't work after that either. Here is my output from
> /var/log/message when I try to play a song:
> pcm0:virtual:0: play interrupt timeout, channel dead
>
> What is the problem? I will be very grateful for all help I get!
>
> Please reply to [EMAIL PROTECTED]
> -- 
> bylzz
>
>

--

From a Google search resulting in this:
http://www.freebsdforums.org/forums/showthread.php?threadid=8606

I'm getting the error message: "pcm0:play:0: play interrupt timeout, channel
dead" when i try to play any mp3-file with mpg123. I have FreeBSD 4.7 and I
have loaded the appropriate modules for my Yamaha ISA sound card. Does
anybody have a similar problem or know a solution?


EDIT: *SOLUTION**
Open irq 5 for ISA devices in BIOS

---

I don't know if this will help you or not, but it's worth a try.

--

Micheal Patterson
Network Administration
Cancer Care Network
405-917-0600



Re: A question about host...

2003-09-24 Thread Micheal Patterson




- Original Message - 
From: "Armand Passelac" <[EMAIL PROTECTED]>
To: "Payne" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, September 24, 2003 10:46 AM
Subject: Re: A question about host...


> [ On Wed, 24 Sep, 2003 at  9:51, Payne wrote: ]
> > Hi,
> >
> > I am wanting to use host.allow and host.deny to make my box more secure.
> > Is there a site that can explain how to use them.
>
> If I remember well :
>
> The lib libwrap.a corresponds to the famous name "tcp_wrappers".
> This lib is designed to secure the access of some network services :
> xinetd,sshd,portmap, ...
>
> Syntax of hosts_access files :
> service:host
>
> examples :
> # Manage ALL tcp_wrapped services for the source address 192.168.1.2
> ALL: 192.168.1.2
> # Manage the pop3 service for the source address corresponding to the name
> # my.computer.fr
> pop3d: my.computer.fr
>
> You can specify multiple services with the comma (pop3d, in.telnetd)
> There is also the tag EXCEPT to specify an exception :
> ALL: EXCEPT 173.22.7.9
>
> Order of reading :
> The tcp_wrapped network service will read before the hosts.allow and AFTER
> the hosts.deny.
> The current advice is to put the ALL:ALL in the hosts.deny
>
>
> I hope it will help you.
>
>

Unless things have changed in the 5.x series, libwrap is integrated into
inetd now (-w -W flags apply). Also, there is no need for a hosts.deny file
as hosts.allow contains both allow and deny entries now. Just have the
all:all:deny at the very bottom of hosts.allow.  The default hosts.allow
file gives examples of how to use the file for access control to various
daemons / services.

--

Micheal Patterson
TSG Network Administration
405-917-0600

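The first-match ordering behind the "all:all:deny at the very bottom" advice in the reply above, as an added example that is not part of the thread or of FreeBSD's own tooling: a POSIX shell function that audits a hosts.allow-style file for a catch-all that shadows later rules or a missing final deny. The names `audit_hosts_allow`, `sample_weak` and `sample_fixed` are hypothetical, and the sample rules are constructed from the addresses quoted in the thread.

```shell
#!/bin/sh
# Added example: audit a hosts.allow-style file for first-match pitfalls.
# Assumes the "daemon : client : ... : allow|deny" rule form; a rule with no
# explicit action is treated as allow because it sits in the allow file.
# Keywords are compared case-insensitively, as the reply writes "all:all:deny".

audit_hosts_allow() {
    # Reads the file named in $1, or stdin when no argument is given.
    # Prints exactly one verdict:
    #   ok               last rule is ALL:ALL:deny and no earlier catch-all
    #   shadowed         an ALL:ALL:allow precedes other rules (they never match)
    #   unreachable      rules follow an ALL:ALL:deny (they never match)
    #   no-default-deny  the rule list does not end in ALL:ALL:deny
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    {
        sub(/\r$/, "")
        # Join backslash-continued lines into one logical rule.
        if (sub(/\\$/, "")) { pending = pending $0; next }
        line = trim(pending $0); pending = ""
        if (line == "" || line ~ /^#/) next

        n = split(line, f, ":")
        if (n < 2) next                      # not a rule
        daemon = toupper(trim(f[1]))
        client = toupper(trim(f[2]))
        action = tolower(trim(f[n]))         # allow/deny is the last option
        if (action != "allow" && action != "deny") action = "allow"

        catchall = (daemon == "ALL" && client == "ALL")
        if (seen_catchall) after++           # evaluated only if nothing matched earlier
        else if (catchall) { seen_catchall = 1; first_action = action }
        last_is_default_deny = (catchall && action == "deny")
    }
    END {
        if (seen_catchall && first_action == "allow" && after > 0) print "shadowed"
        else if (seen_catchall && first_action == "deny" && after > 0) print "unreachable"
        else if (last_is_default_deny) print "ok"
        else print "no-default-deny"
    }' "$@"
}

# Constructed sample: a permissive catch-all left above the specific rules.
sample_weak() {
    cat <<'EOF'
ALL : ALL : allow
sshd : 192.168.1.2 : allow
pop3d : my.computer.fr : allow
all : all : deny
EOF
}

# Constructed sample: specific rules first, default deny last.
sample_fixed() {
    cat <<'EOF'
# only the listed clients reach these daemons
sshd : 192.168.1.2 : allow
pop3d, in.telnetd : my.computer.fr \
    : allow
ALL : ALL : deny
EOF
}

printf 'weak:  %s\n' "$(sample_weak | audit_hosts_allow)"
printf 'fixed: %s\n' "$(sample_fixed | audit_hosts_allow)"
```

Run it against a live file with `audit_hosts_allow /etc/hosts.allow`; any verdict other than `ok` means the file does not enforce the default-deny layout the reply describes.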


Re: converting ext3 to ffs

2003-09-24 Thread Micheal Patterson

- Original Message - 
From: "David Benfell" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 24, 2003 12:30 PM
Subject: Re: converting ext3 to ffs


This should be considered mandatory.  Linux support for ffs is broken
-- and apparently no one cares enough to fix it.

And if there's any support for ext2/3 on the BSDs, it's news to me.

-- 
David Benfell, LCP
[EMAIL PROTECTED]
---
Resume available at http://www.parts-unknown.org/resume.html

David, man mount_ext2fs

:)

--

Micheal Patterson
TSG Network Administration
405-917-0600



Re: vpn

2003-09-24 Thread Micheal Patterson


- Original Message - 
From: "synrat" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 24, 2003 2:37 PM
Subject: vpn


> I'm trying to find vpn software for freebsd that supports pptp.
> I don't care much for ipsec, unless I have no other choice.
> Goal being :), windows clients mounting samba shares remotely over vpn.
> I found a howto for poptop, but it said that encryption is not supported
> in poptop on bsd. Is that true ? It kind of defeats the purpose in my
> opinion. What other choices are there ?
>
> thank you all

If you're wanting to terminate windows clients on the freebsd box using PPTP
with encryption of mppe-40 or mppe-128, check out /usr/ports/net/mpd.

--

Micheal Patterson
TSG Network Administration
405-917-0600



Re: A question about host...

2003-09-24 Thread Micheal Patterson

- Original Message - 
From: "Armand Passelac" <[EMAIL PROTECTED]>
To: "Micheal Patterson" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, September 24, 2003 1:37 PM
Subject: Re: A question about host...


> [---- On Wed, 24 Sep, 2003 at 11:11, Micheal Patterson wrote: ]
> >
> >
>
> Excuse me Payne, Michael is totally *right* !
> You can see the /etc/hosts.allow ... there is a lot of good examples for
> you.
> Thanks Michael for the updating of _my_old_ view ;-)
>
> Bye.
>
> >

Not a problem. I recall in 3.x when they first integrated wrappers into
inetd. Many people were completely lost about it and many more even
continued to install tcp_wrappers from ports until the port was marked
broken.

--

Micheal Patterson
TSG Network Administration
405-917-0600



Re: Limit login attempts (how do I do it)

2003-09-24 Thread Micheal Patterson


- Original Message - 
From: "Bob Collins" <[EMAIL PROTECTED]>
To: "FreeBSD" <[EMAIL PROTECTED]>
Sent: Wednesday, September 24, 2003 4:11 PM
Subject: Limit login attempts (how do I do it)


> A NB question here.
>
> I am trying to limit the number of allowed login attempts against my
> FreeBSD box. I cannot find anything for a limit to this other than;
> login-retries=x in the /etc/login.conf. This does not seem to work with
> 5.0 Release, which is what I am running.
>
> A nudge to the FM or Man Pages would be helpful.
>
> Thanks
> Bob
>

There once was a way to do this but damn if I can remember it. You could
change the amount of attempts that could be tried, and instead of a delay
after the max out the attempts,  you could terminate the connection. Anyone
know what I'm referring to?

--

Micheal Patterson
TSG Network Administration
405-917-0600



Re: FreeBSD and SMP support

2003-09-24 Thread Micheal Patterson




- Original Message - 
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 24, 2003 7:28 PM
Subject: FreeBSD and SMP support


> Hi
>
> I'm after some general information on SMP support on FreeBSD.
>
> I've been running FreeBSD 5.1 for a couple of months as a Web server on a
> single CPU system and have had no problems - in fact it's performed
> excellent. I've now got a "new" PC that has dual PII 300 CPU's.
>
> I have read a lot of articles regarding the supposed poor support of SMP
> in Pre 5 releases but that now apparently is starting to change in 5.X
> releases.
>
> I've also read articles relating to performance issues with MySQL on
> FreeBSD. Although apparently performance has drastically improved in MySQL 4
> series releases though - if compile with Linux Threads Support (?)
>
> My questions really are how well does FreeBSD 5.X or 4.X running Apache
> and MySQL perform with 2 CPU's and does Linux perform better?
>
> Many thanks
>
> David
>
> -
> Email provided by http://www.ntlhome.com/
>
>

I can't speak for anyone else but myself, but I'm currently running
Sendmail, Apache, Mailman, Qpopper, Mysql, and Samba on a dual 800mhz system
and it's doing just fine on 4.8 and processing approx 25k messages every 24
hours including AV scanning. I've yet to see it fall below 60% idle under
heavy traffic. It normally sits at 86 - 99% idle. So, for me, the smp works
rather well.

--

Micheal Patterson
Network Administration
Cancer Care Network



Re: Limit login attempts (how do I do it)

2003-09-25 Thread Micheal Patterson




- Original Message - 
From: "Bob Collins" <[EMAIL PROTECTED]>
To: "FreeBSD" <[EMAIL PROTECTED]>
Sent: Wednesday, September 24, 2003 4:11 PM
Subject: Limit login attempts (how do I do it)


> A NB question here.
>
> I am trying to limit the number of allowed login attempts against my
> FreeBSD box. I cannot find anything for a limit to this other than;
> login-retries=x in the /etc/login.conf. This does not seem to work with
> 5.0 Release, which is what I am running.
>
> A nudge to the FM or Man Pages would be helpful.
>
> Thanks
> Bob
>

To anyone else looking for this, here's how to change these settings.
They're defined in login.c:

#define TTYGRPNAME  "tty"   /* name of group to own ttys */
#define DEFAULT_BACKOFF 3
#define DEFAULT_RETRIES 10
#define DEFAULT_PROMPT  "login: "
#define DEFAULT_PASSWD_PROMPT   "Password:"

Unless there's another way to do this, change those variables as desired and
recompile login.


--

Micheal Patterson
TSG Network Administration
405-917-0600



Re: how to get system information

2003-09-28 Thread Micheal Patterson


- Original Message - 
From: "Per olof Ljungmark" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, September 28, 2003 5:36 AM
Subject: how to get system information


> Hi all,
>
> I am wondering how to find out system hardware information from a
> running system, I know for instance pciconf(8) but what are the
> corresponding ones for memory, cpu etc?
>
> Many thanks,
>
> Per olof
>

more /var/run/dmesg.boot  to get the info at boot time.
vmstat 5 5 will give you 5 items 5 seconds apart to show you procs, memory,
page, disks, faults and cpu info.

--

Micheal Patterson
Network Administration
Cancer Care Network



Re: Using poptop....

2003-10-17 Thread Micheal Patterson



- Original Message - 
From: "Jim Hatfield" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, October 17, 2003 10:00 AM
Subject: Using poptop


> If anyone can give me a recipe for setting up poptop
> I'd be very grateful. I want to run it on a machine which
> is a gateway/firewall. One NIC has a public address and the other
> is on a private network, ie 192.168.1.x. I want to allow XP
> clients to connect into the private network.
>
> I found the man pages a bit terse(!) and they seem to assume
> that kernel ppp will be used whereas AIUI the port is built to
> use userland ppp.
>
> I would use mpd but it has problems with XP clients.
>
>

What type of problems are you seeing with MPD (Netgraph variety) and WinXP?
That's my VPN terminator software and all of my remote XP systems seem to
have no problems with it.

--

Micheal Patterson
TSG Network Administration
405-917-0600



Re: ipfw with four interfaces

2003-10-19 Thread Micheal Patterson


- Original Message - 
From: "Arvinn Lokkebakken" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 03, 2003 7:24 AM
Subject: Re: ipfw with four interfaces




> Haven't been able to try them out yet, but I don't feel allowing  The
> first 300 rule will probably help me having the firewall allowing
> traffic for me, but I wasn't really planning to allow everything in. And
> will deny rules have effect  when the traffic already is allowed?
>
> Arvinn
>

Disregard my firewall ruleset for the time being. Do you have this system
configured to be a gateway unit? If not, no traffic will pass interface
boundaries. If your interface setup is this:

fxp0: flags=8843 mtu 1500
inet w.x.y.81 netmask 0xfff0 broadcast w.x.y.95
xl0: flags=8843 mtu 1500
inet 192.168.0.1 netmask 0xff00 broadcast 192.168.0.255
xl1: flags=8843 mtu 1500
inet 172.16.0.1 netmask 0xff00 broadcast 172.16.0.255
xl2 is the interface that is connected back-to-back with the router.

Also, from the info above, xl2 connects to the router via a crossover cable.
If so, does it pull an IP?  If so, it needs to be something other than the
x.w.y.81, 192.168.0.1 or 172.16.0.1 network.

--

Micheal Patterson
TSG Network Administration
405-917-0600



IPSEC tunnel issue..

2003-10-23 Thread Micheal Patterson
Here's my situation.

I've got 2 networks at different facilities that are using public routable
IP's. Each end has a fbsd box in bridge mode as their firewall between the
lan and the cisco routers at each end. I've been tasked to establish a
secure tunnel between these two networks and I'm having some trouble. I've
searched google for ipsec information on this but every thing that I have
found depicts a private lan behind the public ip's of the tunnel endpoints.
Has anyone been able to establish this type of tunnel successfully? If so,
can you please direct me to some information on this?

Thanks.

--

Micheal Patterson
Network Administration
Cancer Care Network
405-917-0600




Re: Internal Cable modem support (or, recommendations for a goodexternal CM)

2003-10-23 Thread Micheal Patterson

- Original Message - 
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, October 23, 2003 10:53 PM
Subject: Internal Cable modem support (or, recommendations for a
goodexternal CM)


> Hey gang,
> I think the problems I have been having lately are due to the Com21 DoxPort
> cable modem. The brand spanking new FreeBSD based router is acting just like
> the old NetGear router (which may be good news - the router may actually be
> OK!).
>
> The symptoms are fairly repeatable. Under duress, the interface will appear to
> go down. On the NetGear, I could recover by rebooting (via command - the
> router itself, and the LAN ports, would work fine). On the FreeBSD router, I
> can ifconfig xl0 down; ifconfig xl0 up - and regain connectivity. I would
> suspect the card, but the same symptoms on two routers? That sounds
> suspiciously like a problem with the CM.
>
> Also, having poked around on google, the consensus is that Com21 modems are a
> load of poop - and I have one of the earliest models (I was an @home customer
> before the big bang)
>
> That said, I'm looking to replace the Com21 modem with a new one. I'd like to
> go with an Internal unit, but I'm not sure (1) whether they are any good or
> not, and (2) if they are supported by FreeBSD 4.8-REL (or 4.9, which I hope
> is coming soon)
>
> Otherwise, can anyone recommend a good DOCSIS 1.1 cable modem (with an RJ45
> port)? I'm on Comcast in Maryland, but I believe any DOCSIS modem should do
> the job.
>
> Thanks,
> Seth Henry


A Toshiba 1100 (if I recall the model correctly) or a Surfboard 3100 on up
should do you just fine with Comcast. Cox uses those modems generally.


--

Micheal Patterson
Network Administration
Cancer Care Network
405-917-0600



Re: wrong name on emails

2003-10-24 Thread Micheal Patterson

- Original Message - 
From: "M.D. DeWar" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, October 24, 2003 9:03 AM
Subject: wrong name on emails


> Hello,
> When I first setup from FreeBSD 4.8 box I gave it one name, badboy. Then
> later to due to dns issues I changed it to match DNS. Now when I get an
> email from the box it says [EMAIL PROTECTED] instead of the new name.
> I searched every file I can think of. rc.local,rc.conf , resolv.conf and
> other files but with no luck.
> I tried egrep -iR "badboy" /
> to find it but it was taking a long long time. So killed it.
> Where do I find it and change it or is it permanently at the original
> hostname.
>
> Thanks
> Mark
>

Use the command hostname to verify that it's using the new name. If it shows
the old name there, do a hostname  to correct it.. Provided it's
correct in your rc.conf file as well.

--

Micheal Patterson
TSG Network Administration
405-917-0600



Re: System Backup help.

2003-10-26 Thread Micheal Patterson

- Original Message - 
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, October 26, 2003 4:52 PM
Subject: System Backup help.


> I have been running BSD for a week or so now.  I have everything setup
> just right, Webmail, DNS, IMAP, Webserver, etc
>
> I just install a DDS-2 tape drive, I have been reading about using dump
> for backing up filesystems.  How can I use dump to backup the entire
> drive?  If I try using:
>
> dump 0 -A ad0
>
> it fails.. do I have to run dump on each slice?  I plan on setting up a
> cron job that runs every night to do an incremental backup, then a full
> backup at the end of the week.

I realize that a lot of folks prefer dump / restore for system backups,
however, to dump to tape, I would recommend using tar since that's what it
does best. As long as the system sees the tape drive, tar -c / dumps
everything to the tape drive.

--

Micheal Patterson
Network Administration
Cancer Care Network
405-917-0600



Re: IPSEC tunnel issue..

2003-10-28 Thread Micheal Patterson




- Original Message - 
From: "Brent Wiese" <[EMAIL PROTECTED]>
To: "'Micheal Patterson'" <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>
Sent: Tuesday, October 28, 2003 5:25 PM
Subject: RE: IPSEC tunnel issue..


>
> > Here's my situation.
> >
> > I've got 2 networks at different facilities that are using
> > public routable
> > IP's. Each end has a fbsd box in bridge mode as their
> > firewall between the
> > lan and the cisco routers at each end. I've been tasked to establish a
> > secure tunnel between these two networks and I'm having some
> > trouble. I've
> > searched google for ipsec information on this but every thing
> > that I have
> > found depicts a private lan behind the public ip's of the
> > tunnel endpoints.
> > Has anyone been able to establish this type of tunnel
> > successfully? If so,
> > can you please direct me to some information on this?
>
> So if I understand correctly, you're running the FreeBSD firewall in
> "transparent" mode? Hosts behind the firewall use public addresses on the
> same subnet as the firewall public?
>
> I think you may need to switch to NAT mode so you're running a
> non-net-routeable (private) LAN. You can always stack more public IPs on the
> firewall and port forward.
>
> Or, if you run a routing daemon and have all your hosts point to it as the
> default gateway, build the tunnel and route anything that isn't through the
> tunnel at your real gateway.
>
> Or, build the tunnel and add routes to all the hosts specifying the FreeBSD
> box as the gateway for the remote network. This can be a pain to admin long
> term, but if, for instance, you run a Windows domain, you can run a "route
> add" batch file when users log into the network.
>
> Brent
>

Yea, the firewalls are in bridge mode, dual nic'd. What we've decided to do
for this is to just subnet out the ip ranges that the circuits have been
assigned. That way, we'll have a routable subnet between the router <>
firewall, and a routable subnet behind the firewall with it acting as the
lan gateway and take it out of bridge mode.

--

Micheal Patterson
Network Administration
Cancer Care Network
405-917-0600



Re: IPSec/VPN - Issues

2003-10-31 Thread Micheal Patterson

- Original Message - 
From: "Tommy Forrest - KE4PYM" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, October 31, 2003 2:18 PM
Subject: IPSec/VPN - Issues


> I am trying to setup an IPSec connection using
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html.
>
> When I get to the bit about gifconfig gif0 a.b.c.d w.x.y.z (though I'm
> using my real values) I get the following error:
>
> weedwhacker# gifconfig gif0 a.b.c.d w.x.y.z
> gifconfig: interface gif0 does not exist
>
> FreeBSD 4.8-Release.
>
> Relevant Items in my kernel config:
> pseudo-device   gif # IPv6 and IPv4 tunneling
>
> #Turn on VPN
> options IPSEC
> options IPSEC_ESP
>
> Still no dice.
>
> Also, does Racoon support Aggressive mode?  As well as PFS?
>
> Finally, the firewall administrator does not want to give me the IP
> address of his internal interface (I'm mapping to a 10.*.*.* network).
> Is this going to be a problem?
>
>
> Tommy Forrest - KE4PYM -  [EMAIL PROTECTED]
> My two cents:
> A hangover is the wrath of grapes
>
> PGP Public Key Fingerprint: A6E9 D0CB 2ABC 520A  883D 8008 F660 364A
>

Often, you will need to create the gifx interface manually. Just run an
ifconfig gif0 create before you do your gifconfig entry.



--

Micheal Patterson
TSG Network Administration
405-917-0600



Re: Ssh missing 'login as' prompt

2003-11-02 Thread Micheal Patterson


- Original Message - 
From: "Mike Loiterman" <[EMAIL PROTECTED]>
To: "'Kevin Stevens'" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Sunday, November 02, 2003 3:33 PM
Subject: RE: Ssh missing 'login as' prompt


>
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Kevin Stevens <mailto:[EMAIL PROTECTED]> wrote:
> > On Oct 31, 2003, at 22:25, Mike Loiterman wrote:
> >
> >>
> >> -BEGIN PGP SIGNED MESSAGE-
> >> Hash: SHA1
> >>
> >> Whenever I try to ssh into my machine, it just goes straight to
> >> [EMAIL PROTECTED] password: by passing the traditional login as: . How can
> >> I turn that back on?
> >
> > Remove the client machine's public key from the server's
> > ~/.ssh/authorized_keys2 file for that user id.
> >
> > KeS
>
> That works but only temporarily.  The next time I login, it goes
> directly to the password prompt.  Am I fooling myself?  Is it any
> more secure to get a login as: prompt and then a password prompt as
> compared to just going directly to a password prompt?
>
> - --
> Mike Loiterman
> grantADLER
> Tel: 630-302-4944
> Fax: 773-868-0071
> Email: [EMAIL PROTECTED]
> PGP Key 0xD1B9D18E
>

What you're describing is normal behavior for ssh. Telnet does the same
thing from a fbsd to fbsd system. It uses the login id on the connecting
terminal as the user to auth against on the remote. I would recommend using
an rsa pass phrase instead of the password if you wish it to be more secure.


--

Micheal Patterson
Network Administration
Cancer Care Network
405-917-0600



Re: Ssh missing 'login as' prompt

2003-11-02 Thread Micheal Patterson

- Original Message - 
From: "Mike Loiterman" <[EMAIL PROTECTED]>
To: "'Micheal Patterson'" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Sunday, November 02, 2003 7:40 PM
Subject: RE: Ssh missing 'login as' prompt



> >
> > What you're describing is normal behavior for ssh. Telnet does the
> > same thing from a fbsd to fbsd system. It uses the login id on the
> > connecting terminal as the user to auth against on the remote. I
> > would recommend using an rsa pass phrase instead of the password if
> > you wish it to be more secure.
>
> That's strange, to me at least.  I have a number of other systems
> that just give a login as: prompt.  Specifically FreeBSD 4.x.  Has
> things changed?
>
> - --
> Mike Loiterman
> grantADLER
> Tel: 630-302-4944
> Fax: 773-868-0071
> Email: [EMAIL PROTECTED]
> PGP Key 0xD1B9D18E

Fbsd telnet attempts an SRA secure login when connecting to another FBSD
box and will include the detected login ID in ()'s at the User prompt.
Hitting enter will pass you on to the password prompt.  With SSH/SSHD, the
hosts exchange keys to encrypt the initial connection. Once done, the client
sends the logon ID to the remote server. Regardless if the ID exists or not,
you'll be prompted for the password.  I honestly can't remember the last
time that I've been prompted with a login as: prompt. It's been quite a long
time ago. Of course, it could be because ssh/sshd is incorporated into the
system core now instead of requiring an install from ports with the
ssh.com's version of sshd.

--

Micheal Patterson
Network Administration
Cancer Care Network
405-917-0600
