Re: apache-1.3.19 segfaulting on FreeBSD-4.3 RC
okay set servername in main config: segv problems are gone with or
without the patch

/k

David W. Chapman Jr.([EMAIL PROTECTED])@2001.03.31 22:22:58 +:
> does that have anything to do with this
>
> http://www.freebsd.org/cgi/cvsweb.cgi/ports/www/apache13/files/patch-util.c
>
> - Original Message -
> From: "Karsten W. Rohrbach" <[EMAIL PROTECTED]>
> To: "Ron Klinkien" <[EMAIL PROTECTED]>
> Cc: "Dan Larsson" <[EMAIL PROTECTED]>; "FreeBSD Stable List" <[EMAIL PROTECTED]>
> Sent: Saturday, March 31, 2001 7:12 PM
> Subject: Re: apache-1.3.19 segfaulting on FreeBSD-4.3 RC
>
> > why that? if dns works... it should not be a problem.
> > that issue puzzles me a bit
> > /k
> >
> > Ron Klinkien([EMAIL PROTECTED])@2001.03.30 22:28:49 +:
> > > Make sure your /etc/hosts file is up to date. ie. it
> > > lists the ip address of the host you run apache on.
> > >
> > > Ron.
> > >
> > > - Original Message -
> > > From: "Dan Larsson" <[EMAIL PROTECTED]>
> > > To: "FreeBSD Stable List" <[EMAIL PROTECTED]>
> > > Sent: Friday, March 30, 2001 6:50 PM
> > > Subject: apache-1.3.19 segfaulting on FreeBSD-4.3 RC
> > >
> > > > Does anyone have a clue why I get these segfaults?
> > > >
> > > > (The apache port installed is /usr/ports/www/apache13 with no
> > > > optimizations or extra modules)
> > > >
> > > > I have attached the debug and dmesg.
> > > >
> > > > Regards
> > > > +--
> > > > Dan Larsson | Tel: +46 8 550 120 21
> > > > Tyfon Svenska AB | Fax: +46 8 550 120 02
> > > > GPG and PGP keys | finger [EMAIL PROTECTED]
> > >
> > > To Unsubscribe: send mail to [EMAIL PROTECTED]
> > > with "unsubscribe freebsd-stable" in the body of the message
> >
> > --
> > > "I didn't change a thing and from the moment I didn't change it,
> > > it didn't work anymore."
> > > -- Anonymous
> > KR433/KR11-RIPE -- http://www.webmonster.de -- ftp://ftp.webmonster.de

--
> Floppy now, hard later.
KR433/KR11-RIPE -- http://www.webmonster.de -- ftp://ftp.webmonster.de

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-stable" in the body of the message

Re: Network performance question
Mike Smith([EMAIL PROTECTED])@2001.04.02 16:15:23 +:
> It's a reasonable assumption; it sounds like you haven't tuned the
> FreeBSD box very well, so it's doing a lot of disk I/O.
>
> > I tried the test under FreeBSD with the NetGear card too - in addition to
> > the 3COM. It's kinda strange, but when using the NetGear card and outputting
> > tcpdump to /dev/null there were no problems, not even many interface errors
> > (whereas writing to a file causes the network to go down and tons of
> > interface errors about halfway through the capture).
>
> This sounds like the NetGear card has issues with other PCI bus activity.

what exactly is the mainboard hardware? in which slot is the card?
i recall having had severe problems on some bx tyan board with 5 pci
slots. when i used slot 1 or 5 i had dropped interrupts since they were
shared with i think the onboard scsi. using the middle 3 slots the
problem was gone. linux seems to handle interrupt sharing on pci
differently from freebsd.

/k

--
> Experiments must be reproducible; they should all fail in the same way.

Re: apache-1.3.19 segfaulting on FreeBSD-4.3 RC
i did not check the apache port for quite a while, but last time i
tested it it had a rather hairy configuration ;-)
apache on my boxes usually is very stripped down, only the stuff really
needed with php with dso support, etc.

are the ports (apache, apache-php, ...) built as dso? can configure them
that apache's base path is not /usr/local but /opt/apache?

/k

David W. Chapman Jr.([EMAIL PROTECTED])@2001.04.02 10:55:12 +:
> > * Karsten W. Rohrbach <[EMAIL PROTECTED]> [010402 01:17]:
> > > it seems. i installed the patch (my apache is NOT built from ports) and
> >
> > The patch has been merged into the port now, so perhaps cvsupping
> > and rebuilding the port will fix it.
> > If not, let the maintainer know.
>
> He's not using the ports, just this patch, probably should be using the
> ports though.

--
> knowledge is power. power corrupts. study hard, be evil

4.3-RC2 install freezes on sony vaio c1xd
i have strange things happening when trying to run a freebsd install
from boot floppies on my vaio c1xd.

the kern.flp will find a loader and load the kernel, then ask me for the
mfsroot.flp which also gets read in without a problem (the floppy on the
vaio is a y-e flashbuster usb device which has boot support in the
system bios for real mode).

then the kernel would start, but all that happens is, that the box locks
up. it is not dependent on the pcmcia card inserted and i disabled the
pnp os setting in bios. the lockup is hard, so i got to switch it off
and on again, keyboard is not responding as a matter of fact, too.

the 4.2-RELEASE boot floppies work, btw.

any ideas how i can track this one down or if this happens with other
vaios as well? i will try to boot the install cd when i got my burner at
work so i can create a boot cd later next week.

/k

--
> Parts that don't exist can't break. -- Russell Nelson
KR433/KR11-RIPE -- http://www.webmonster.de -- ftp://ftp.webmonster.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46

Re: Running Stable on remote production server
Stephen Hilton([EMAIL PROTECTED])@2001.05.13 10:57:03 +:
> Subject: Re: Running Stable on remote production server
>
> How can you accomplish the single user installworld steps on a remote system ?
> Especially the mergemaster program that involves interactive routines ?
> I would be using SSH to connect to a remote FreeBSD box.

separate the payload (eg. datafile) fs hierarchy from the standard bsd
userland ("/opt"), then

:START
make release on a master
customize ports tree to your needs
make packages
burn cd
test it thoroughly on your reference platform
if something fails goto :START
duplicate cds
hand them out to remote-hands monkeys
tell them to shutdown -r now, insert cd and watch ;-)

makes sense if you got more than let's say 50 machines in remote
locations but you should stick to a standardized hardware setup.
drawbacks are the work for your own release engineering but this quite
expensive action in terms of time pays back by the short amount of
upgrade time (copying).

we had this setup for quite some time at my former employer until some
really stupid tie-wearing monkeys bought the company and made the
engineering folks switch to a zoo of hardware.

/k

> > I have been reading the instructions for tracking stable and what is
> > recommended in the way of procedures. It seems from this that it would be
> > extremely hard to follow these recommendations for a remote POP. IE moving
> > to single user mode and on the whole messing with the machine for several
> > hours at a time.
>
> Stephen Hilton

--
> Experiments must be reproducible; they should all fail in the same way.

Re: Running Stable on remote production server
Juha Saarinen([EMAIL PROTECTED])@2001.05.14 08:12:07 +:
> On Sun, 13 May 2001, Stephen Hilton wrote:
>
> > How can you accomplish the single user installworld steps on a remote system ?
> > Especially the mergemaster program that involves interactive routines ?
> > I would be using SSH to connect to a remote FreeBSD box.
>
> Why do you have to run mergemaster in single-user mode?

i think you don't explicitly have to but you should because it touches
delicate files that could at least irritate running and active
subsystems. i could imagine some daemons to badly barf about changing
uids in the password db while they are running ;-)

/k

--
> knowledge is power. power corrupts. study hard, be evil

Re: building apache from /usr/ports
Calvin NG([EMAIL PROTECTED])@2001.06.06 11:31:19 +:
> Greetings,
>
> Correct me if I'm wrong.
> For in-core web server, every copy of server loaded has the perl and/or php
> in it. For modules, it's a shared library, the server is smaller size, and only
> a copy of the module is loaded in memory.
>
> However, in-core is slightly faster than modules, IIRC.
>
> I remember reading the performance pages of mod_perl, they recommend running
> mod_perl in-core servers separately as an application server.
>
> That's my understanding of the difference between in-core and modules.

i think this is correct.

/k

> Regards,
> /calvin
>
> lines with :> are quotes from Mike Meyer's email
> :> Karsten W. Rohrbach <[EMAIL PROTECTED]> types:
> :> > you won't recognize it until you have to implement a heavily loaded
> :> > server with php or perl in-core. position independent code is known to be
> :> > slower, but it outperforms monolithic compiles by saving a lot of ram.
> :>
> :> Ok, where does the savings come from? You get one copy of the code,
> :> shared by all the processes running the binary, whether or not the
> :> code is in a shared library. COW for data should mean that data should
> :> be shared pretty much the same. So what have I missed?
> :>
> :> Thanx,
> :>
> :> --

--
> In protocol design, perfection has been reached not when there is nothing
> left to add, but when there is nothing left to take away.
> --Networking truth #12, Ross Callon, RFC 1925
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- [EMAIL PROTECTED]
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46

Re: building apache from /usr/ports
Mike Meyer([EMAIL PROTECTED])@2001.06.06 12:32:02 +:
> Calvin NG <[EMAIL PROTECTED]> types:
> > Correct me if I'm wrong.
> > For in-core web server, every copy of server loaded has the perl and/or php
> > in it. For modules, it's a shared library, the server is smaller size, and only
> > a copy of the module is loaded in memory.
>
> That's all correct. However, it wouldn't surprise me if the server +
> module is larger than the server with an in-core module. Since there's
> no reason to have more than one copy of the server loaded - even for a
> high-load server - there's still only one copy of the module
> loaded. Since everything shared in the module should also be shared
> with the in-core version, the total memory usage won't be very
> different.

it is, since apache is not multithreaded (1.x). so, on a heavily loaded
box you got "several" process images in mem, thus more overhead.

/k

--
> ASCII Ribbon Campaign - NO HTML/RTF in e-mail - NO Word docs in e-mail

Re: IPFilter licence update
Brian Behlendorf([EMAIL PROTECTED])@2001.06.06 22:21:29 +:
> On Wed, 6 Jun 2001, Gordon Tetlow wrote:
> > I removed Darren from the CC list as I don't think he really needs to be
> > in on this discussion
> >
> > On Mon, 4 Jun 2001, Thomas T. Veldhouse wrote:
> >
> > > While meaning no disrespect to Darren with this followup. What good does a
> > > signed memorandum with FreeBSD do if I decide at some point (which I won't)
> > > to take the FreeBSD source and branch it into my own variant? This is how
> > > the various BSDs came about in the first place. It does seem rather
> > > restrictive of a license for the FreeBSD core system. Why can't this be
> > > released under the BSD license?
> >
> > It's not released under a BSD license because he doesn't want to. His
> > prerogative. We have some much more restrictive licenses (ie GPL) in the
> > base OS and no one complains about them.
>
> Wait, I'm confused. I thought the resolution was that the ipfilter code
> that was a part of FreeBSD was under the standard BSD license like
> everything else under /usr/src (aside from /usr/src/gnu), and that
> Darren's no-redistribution-of-modifications clause applied to
> non-"release" versions of the software, i.e. beta releases, etc, the
> implication being that once released, it'd be put under a BSD license and
> then integrated into FreeBSD. Is that not the case?

i understood it perfectly this way. this makes sense, actually.

> If not, that's pretty bad - it means that you can't really say anymore
> that 'FreeBSD is under the BSD license, aside from some GNU bits', you
> have to say 'FreeBSD is under a multitude of licenses, some of them not
> open source, please examine all source code files for potential licenses
> before redistributing'. That would suck.

freebsd already has a way of being able to handle those otherwise very
quirky to handle things. remember the ssecure/scrypto distributions from
before rsa patent expiry? one could easily add a WITHOUT_IPFILTER toggle
to /etc/make.conf and that's pretty it.

> Frankly, Darren's "no modified versions may be redistributed"
> "clarification" is much worse than even the GPL. But I'll avoid
> recrossing well-covered ground.

as with all intellectual property and the resulting code thereof, it's
the choice of the author. providing source which does not comply with
the open source terms as in several other licenses covered is not a bad
thing. IMHO it is better than providing binary releases or no
redistributable code at all.

/k

--
> God smiles upon the little children, the alcoholics,
> and the permanently stoned. --Steven King

Re: /var/mail permissions: 0755 or 01777 ?
Nick Sayer([EMAIL PROTECTED])@2001.06.22 09:45:47 +:
> Karsten W. Rohrbach wrote:
>
> > Nuno Teixeira([EMAIL PROTECTED])@2001.06.21 21:51:34 +:
> >
> >>Hello to all,
> >>
> >>The FreeBSD default permissions for /var/mail are 0755.
> >>
> >>Why is that PINE says that the /var/mail directory is vulnerable and it
> >>says to change it to 01777
>
> 1777 makes it possible for users to create files in /var/mail. The good
> news is that they can make lock files, which make "simultaneous"
> delivery and reading more reliable. The bad news is that they can make
> files named like other people's mailfiles. This can either be an attack
> on their reader of choice or a denial of service, depending on how smart
> the client and MDA are.

that is, why i consequently killed /var/mail delivery on all of the
systems i administer (administrate? whatever)...

> As such, /var/mail is A Bad Thing. Putting mail into a file in the
> user's home directory is much safer. But the spec is too old to change
> by this point. So the best idea is to dispense with Unix formatted mail
> files altogether. Thus this advice:
>
> > use Maildir
> > faster, simpler, secure -- simply put: better ;-)
>
> cyrus is better still, so long as you don't mind _only_ being able to
> use IMAP to play with your mail. Cyrus is particularly good for
> companies, as lmtp deliveries result in multiple ccs being hard links
> rather than separate copies. Great for when Marketing sends 20 copies of
> a 50M powerpoint presentation. :-)

indeed, but as you said, imap only. i switched to multiple boxes with
qmtp transport and big mail volumes, in other words: i hit the problem
with iron ;-)

> As for MUAs, nothing I've tried has beaten Netscape 4.x yet, although I

netscape mangles headers. thus, netscape is bad, IMVHO.

> have switched over to Mozilla and it is close. For non-GUI, I prefer
> pine despite its tarnished security reputation. Surprisingly enough, a

over the past years i started to hate pine with all the security flaws
and other operational problem that arise (mainly lack of support for
maildir). for my fellow *bsd shell people, mutt does the best job and
even newbies to unix and the like take a preconfigured muttrc and there
they go. my personal mutt config is linked from my homepage and from the
mutt faq, so you might give it a spin (configured vs. unconfigured)...

> close second place behind Mozilla for me is SquirrelMail in a web
> browser. It really is good, believe it or not. I would make a port for
> it, but it's sort of pointless as it's just a bunch of php scripts you
> unpack into your www data directory (www.squirrelmail.org if you are
> curious).

heard about that, gonna try it out on some intranet server next week.

/k

--
> If it ain't broke, overclock it!
Please do not remove my address from To: and Cc: fields in mailing lists. 10x

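The condition described in the message above (a 1777 spool directory lets a local user create a file named like someone else's mailfile) can be checked for after the fact. This is an added example, not part of the original thread; the function names, the finding labels and the constructed demo spool are assumptions for illustration, and the check treats any entry whose owner differs from its file name as suspect.

```python
import os
import pwd
import stat
import tempfile


def uid_to_name(uid):
    """Login name for a uid; fall back to the number if there is no passwd entry."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def audit_spool(path, resolve=uid_to_name):
    """Return (kind, name, detail) findings for a /var/mail-style directory."""
    findings = []
    dir_mode = stat.S_IMODE(os.stat(path).st_mode)
    if dir_mode & stat.S_IWOTH:
        # 1777: anyone may create entries, the sticky bit only protects
        # existing ones from deletion. 0777 without sticky is worse still.
        kind = "dir-world-writable" if dir_mode & stat.S_ISVTX else "dir-no-sticky"
        findings.append((kind, path, oct(dir_mode)))

    for entry in sorted(os.scandir(path), key=lambda e: e.name):
        if entry.name.endswith(".lock"):
            continue  # lock files are the legitimate use of a writable spool
        st = entry.stat(follow_symlinks=False)
        if stat.S_ISLNK(st.st_mode):
            # A link where a mailbox should be redirects whatever the MDA writes.
            findings.append(("symlink", entry.name, os.readlink(entry.path)))
        elif not stat.S_ISREG(st.st_mode):
            findings.append(("not-regular-file", entry.name, oct(st.st_mode)))
        else:
            owner = resolve(st.st_uid)
            if owner != entry.name:
                # Mailbox pre-created by somebody other than its user.
                findings.append(("owner-mismatch", entry.name, owner))
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IRWXO:
                findings.append(("open-to-others", entry.name, oct(mode)))
    return findings


def build_demo_spool():
    """Constructed sample spool (not real data) reproducing the 1777 case."""
    spool = tempfile.mkdtemp(prefix="spool-demo-")
    os.chmod(spool, 0o1777)
    me = uid_to_name(os.getuid())
    # "victim-user" stands for another account whose mailbox `me` pre-created.
    for name in (me, me + ".lock", "victim-user"):
        box = os.path.join(spool, name)
        with open(box, "w"):
            pass
        os.chmod(box, 0o600)
    os.symlink("/nonexistent/target", os.path.join(spool, "dangling-link"))
    return spool


if __name__ == "__main__":
    for kind, name, detail in audit_spool(build_demo_spool()):
        print(f"{kind:20} {name:30} {detail}")
```

Against a real system the call would be `audit_spool("/var/mail")`; with the FreeBSD default of 0755 the directory finding disappears and only per-file findings remain.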
Re: BIND-9.x
Dan Larsson([EMAIL PROTECTED])@2001.07.02 14:33:33 +:
> What are the plans regarding updating to BIND version 9

bind should be made a port, IMHO, and take its way out of the base
system, being replaced by an asynchronous resolver library (there are
many).
bind9 already is a port, btw

/k

> Regards

--
> Nothing is better than Sex.
> Masturbation is better than nothing.
> Therefore, Masturbation is better than Sex.

Re: HEADS UP: sendmail 8.12.2 MFC'ed
Helge Oldach([EMAIL PROTECTED])@2002.03.26 23:26:57 +:
[...]
> standard, well- and widely-known piece of software around. You may not
> like it but both S*** and B*** are the de facto standards. Period.

they are not, but this is not the issue. "it is just convenient to have
emacs in the base system", it's a de facto standard, it's widely known
and i guess it's much more widespread than the use of sendmail. but,
again, this is not the issue here. why not have apache in the base dist?
(to quote one part of the original again).

> You have all hooks to throw them away and substitute them with something
> different, so please don't bother the world if they don't grok your
> personal taste.

this isn't about my "personal taste", this is about "philosophy", just
as i stated in the other paragraph you generously deleted. thank you.

> Not another sendmail-versus-whatever discussion please... Please!

this isn't it either. re-read the original mail and think about it
again.

> P.S. Get rid of vi; cat should be enough for everyone!

do you really expect me to comment on this?

btw, "guessing" from the domain part of your mail address, you should
actually be interested in straightforwardness and stability of
implementations in the field your company operates in, shouldn't you?

btw2, it's very hard to make a point if the first sentence of an email
ends with "period.", even harder if you fail to make a point in your
whole argumentation.

btw3, if you still did not understand what i meant in the original mail
(i know, i'm not a native english speaker, so are you, so the chosen
language might not be as efficient due to my deficiencies), please think
about it _again_. it is about simplicity of implementation.
straightforwardness. ease of administration. this in context to what i
see as the basic paradigms in bsd's design. and this all in relation to
"how-it-is-done in -RELEASE".

i don't want to change somebody's lifestyle. i don't want to change the
release engineer's way of thinking. i want the people involved to think
about the questions i posed in the original mail and i _know_ that this
is a good idea. with people like you, "guarding" the borders of "their"
sandlot, of course, there's not as much probability to come to a point
of _discussion_, because you appear to _insist_ on the correctness of
your view of the world.

fwiw, let me tell you one thing my friend: when the catholic church
around 1490 AD taught a picture of a world being flat as a dish,
columbus was apparently the only one idealistic enough to prove them
wrong. this was not the result of saying "we did this since 1300, why
should we think different now?". you get my point.

have a nice day,
/k

--
> Coders do it with a routine.
My mail is GnuPG signed -- Unsigned ones are bogus -- http://www.gnupg.org/

Re: HEADS UP: sendmail 8.12.2 MFC'ed
Helge Oldach([EMAIL PROTECTED])@2002.03.27 09:15:42 +:
> Karsten W. Rohrbach:
> >Helge Oldach([EMAIL PROTECTED])@2002.03.26 23:26:57 +:
> >[...]
> >> standard, well- and widely-known piece of software around. You may not
> >> like it but both S*** and B*** are the de facto standards. Period.
>
> Please quote correctly and don't falsify my words here. I am not willing
> to discuss with you showing this unacceptable attitude.

as i pointed out in my previous mail, this is _not_ a software[A] vs.
software[B] discussion, and your way of approaching the questions i
posed does not bring you, me, the community or anyone any further.

i blanked out two "buzzwords", and that on purpose. this was not meant
to falsify, and i admit that i should have marked this removal of
non-relevant co-information.

i think i made my point clear by now, so that everybody interested
understands what i mean. in case of not understanding my words, everyone
is free to _ask_. bashing on people without reason does not make any
sense and i find your way to approach a discussion to be not very
fruitful or constructive. that said i ask you if you also think of that
as an "unacceptable attitude"?

on the other hand, quoting you as "[...]not willing to discuss[...]",
your behaviour ultimately proves that obviously this is the case, yes.

if you are not able to discuss this on a technical level, or perhaps you
are not in the mood to do so, please, consider not commenting on the
whole thing here. if you want to tell me your personal feelings about my
person, please do so via private mail. you are always welcome to do
that. my native language is german (i guess yours, too) so this might
work out a little more productive than the stuff you posted here. thank
you.

have a nice day,
/k

--
> Hackers do it with fewer instructions.

Re: HEADS UP: sendmail 8.12.2 MFC'ed
no text deleted, everything quoted, not reformatted, no information
removed. please, read on.

Helge Oldach([EMAIL PROTECTED])@2002.03.27 09:36:19 +:
> Yeasah Pell:
> >The question is
> >simply this: why are there large, complex, non-BSD packages in src-contrib
> >that are not critical to the running of many types of systems, and not
> >strictly a dependency of the system proper?
>
> Because they always have been. BSD users (those who have been running
> BSD systems for *years* and not those who jumped on the wagon lately) do
> expect that a decent, full-function MTA and DNS server are on board by
> default. And further they expect that those beasts are being configured
> as they have always been configured, in other words: No learning curve,
> no additional installation of the ports.

if you consider doing
	cd /usr/ports/whereever && make install clean
as steep learning curve, i guess you disqualify yourself in this very
forum.

> This BSD thing is about tradition. "Alternative" software is what the
> word says: It's about re-inventing the wheel. This is the Linux spirit.

wrong, it is called evolution, a natural way of things evolving which
does not stop just because somebody puts up a sign "this is bsd, we do
it this way since 1970 and it won't change in the future". this has
nothing to do with linux at all. it is also not about re-inventing the
wheel. you seem to mix up the terms "tradition" and "religion" here,
introducing an implicit amount of folklore, hoping that it will support
your nonexistent line of argumentation.

define:
- "this bsd thing"
- "linux spirit"

when it comes to tradition, i cannot remember a single freebsd
distribution which natively supports to be booted from tape. running bsd
on pc hardware does not have anything to do with tradition. another
point is that, if the community would stick to your way of "tradition",
freebsd nowadays would run on laptop computers (why support
pcmcia/cardbus? it's not been there in the 70's, so why should we bother
to implement it today?). do i need to go on?

> >The suggestion that moving sendmail or bind into the ports tree is
> >tantamount to doing the same to vi is interesting, but I see a major
> >difference between the two: I can hardly contrive an example where vi
> >wouldn't be useful to have, whereas I have actually encountered many cases
> >in my work where a DNS server and an MTA are both unwanted and even needed
> >to be removed due to constraints unrelated to name resolution or mail
> >transport.
>
> I have the exactly opposite experience. Most of my systems need at least
> an outbound-only MTA, and it's much easier to add a single rc.conf
> line than to build a port, set aside installing the entire ports tree
> first. (Yes, I have a couple of machines without ports tree. Consider,
> for instance firewalls or VPN gateways.) Moving it into ports will
> complicate matters for almost everybody, while having some decent
> full-function package in the base system will make it easy at least for
> those who use that.

generally, you make a point here. to come back to your original thought,
do you consider having sendmail on a firewall a good thing[tm]? sell
that to your customers and prove me that you do this successfully. this,
just as a sidenote.

as another sidenote, nobody prevents you from building a package
yourself on a machine having a ports tree installed. these systems are
known as "builder" machines, and most of the folks in the bsd community
having more than just a handful of machines operate one. just to build
their custom packages. you don't have many machines in the field, have
you? this question just out of curiosity.

> Count this my strong vote against removal of packages that are
> traditionally part of the base system.
>
> Helge

/k

--
> If you think sex is a pain in the ass, try a different position.

Re: Another possible solution for non-sendmail users
Scot W. Hetzel([EMAIL PROTECTED])@2002.03.28 14:49:49 +:
> Qmail install shouldn't need to install anything into /usr/[sbin,bin]
> directories with mailwrapper properly configured (see `man mailer.conf` &
> 'man mailwrapper').

a quick glance into /usr/ports/mail/qmail/pkg-plist shows, that no
sendmail or mailwrapper binaries are harmed during installation process.

regards,
/k

--
> cd /pub; more beer

Re: *** HEAD'S UP ***
Doug Barton([EMAIL PROTECTED])@2002.04.23 21:58:34 +:
> On Mon, 22 Apr 2002, JJ Behrens wrote:
>
> > I strongly disagree with your disagreement of his disagreement :)) Citing
> > /etc/defaults/rc.conf once more:
> >
> > # The ${rc_conf_files} files should only contain values which override
> > # values set in this file.
>
> The comment exists because some people with commit privileges to
> this file have different ideas as to how it should be used. If you want to
> blindly trust your system to changing winds of fortune, that's your right.
> Personally, I don't recommend it.

in _both_ of the scenarios (eg. copying /etc/defaults/rc.conf to
/etc/rc.conf and editing configuration in place, or just "superseding"
default settings the other way round), a sensible systems administrator
does _in no way_ get around the task to diffing the new
/etc/defaults/rc.conf against the old one and do customizations to
/etc/rc.conf.

How about a Changelog? NOTES (HEAD) and UPDATING in /usr/src are one way,
but a semi-automatic way of making changes transparent to the
administrator would be a good start, i think.

[putting on asbestos suit]
for one of my workstations at home i use debian woody, and they got this
glorious idea of apt-changelog. installing this package gives you a diff
between old changelogs (installed packages) and the new ones (updates).
having this mechanism in place gives you a really good time when you
upgrade a system from binaries, which - if apt-changelog is not
installed - is pretty intransparent to the operator due to the amount of
automation behind the scenes. they tackle a different problem with it,
but i think it makes sense.
[im pretty sweaty now, putting asbestos suit off again ;-)]

so, how about the idea of having a Changelog for the userland
(/usr/src/etc based or somewhere in the source hierarchy it would make
sense), and one for the kernel (/usr/src/sys)?

this would provide the following improvements to administrators and
users:
- major kernel issues (device numbering changes, fixes and changes in
  behaviour of major kernel subsystems) are documented centrally. i
  recognize that most folks out there do not have their private mirror of
  the cvs to pull out the commit logs (even in case an admin _has_
  knowledge and access to anoncvs, it is a pretty PITA to dig through the
  source tree and pull out cvs commit logs to find out what has changed)
- changes to default configuration, mods to the /etc/rc* system
- most important, a list of _resolved_ SAs that are in the current dist.
  in fact, i recognize this as a major point, judging from several
  threads on -hackers and -security of the last weeks. finding out what
  "patch level" you are on an arbitrary box would be
  "more /etc/Changelog" and there you go.

mergemaster would display the diff between old and new version right
when it starts, so the admin instantly gets an overview of what major
things have changed

of course, this implies these two or three files to be maintained by
someone. the release engineer, who must have a certain overview and
insight of the system as a whole before generating a release, would be
the best to commit the Changelogs, IMHO. i see that warner maintains the
UPDATING file, but he is (according to the docs) not directly involved
in release generation.

comments?

regards,
/k

--
> Life is a sexually transmitted disease.
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
GnuPG: 0xDEC948A6 D/E BF11 83E8 84A1 F996 68B4 A113 B393 6BF4 DEC9 48A6
REVOKED: 0x2964BF46 D/E 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
REVOKED: 0x4C44DA59 RSA F9 A0 DF 91 74 07 6A 1C 5F 0B E0 6B 4D CD 8C 44
My mail is GnuPG signed -- Unsigned ones are bogus -- http://www.gnupg.org/
Please do not remove my address from To: and Cc: fields in mailing lists. 10x
Re: ipfilter problem
Jens Rehsack([EMAIL PROTECTED])@2002.05.06 00:46:58 +:
> "Karsten W. Rohrbach" wrote:
> >
> > Michael Riexinger([EMAIL PROTECTED])@2002.05.05 15:32:04 +:
> > > On Sun May 5 15:23:14 2002, Karsten W. Rohrbach wrote:
> > > > the problem can only be analyzed efficiently if you show us the rest of
> > > > the ruleset. anything else is pure guesswork, based on assumptions about
> > > > your ipf configuration.
> > > >
> > > > regards,
> > > > /k
> > > Ok, here they are. But I wonder why it worked without problems with
> > > previous versions of FreeBSD/ipfilter. With netstat I can see FIN_WAIT_1
> > > states to the newsserver.
> > > (tcp4 0 0 dialin-212-144-1.49368 news.fu-berlin.d.nntp
> > > FIN_WAIT_1)
> > >
> > >
> > > pass in quick on lo0 all
> > > pass out quick on lo0 all
> > >
> > > pass in quick on ed0 all
> > > pass out quick on ed0 all
> > >
> > > pass out quick on isp0 proto tcp/udp from any to any keep state
> >
> > pass out quick on isp0 proto tcp from any to any flags S/SA keep state
> > pass out quick on isp0 proto udp from any to any keep state
> I don't use the flags, but my ruleset works. But I have seen many times
> (others and me, too) that being confused about the "last rule match" and
> the "quick leaves promptly" behaviour.
>
> I do following: I write all global rules at the top of the file/section,
> in this case the 3 lines with "return-unr". Then I specialize in the next
> lines using "quick" rules.

that's a matter of style, not functionality. i can hardly see the
improvements for a 10 line ruleset here. all entries are "quick", so
they get matched from top to bottom. the order of processing for
non-quick rules is somewhat different (and affects processing speed, but
that's not the issue here). having a flat matching strategy in a
"personal firewall" style rule set is pretty intuitive, compared to
"global"/"quick" mix'n'match or grouped sub rule sets, but hey, it's his
dsl/isdn router and no rocket science...

opposing to your apparent ideas, i implement firewall policies the
following way:
- as simple as possible
- documented
- structured by access groups/protocols/services, or both, or all three
- optimized for performance by rule groups, if applicable

the main problem here might be that he just had _one_ line for _both_
protocols, tcp and udp, which might lead to trouble in several points.
that's a totally different thing.

> This works, if I do not write it after the 4th beer. But sometimes even then ;-)

...and makes things more complicated by sticking to different rule
matching strategies in a set of 10 or some rules. i can see your point
with the beer, but what do you do after the 8th one, being confronted
with your own rulesets?

> > instead of the above one line should work. if it doesn't then give me a
> > slap on the head, i'm still a bit drunk from yesterday ;-)
> >
> > > pass out quick on isp0 proto icmp from any to any keep state
> > >
> > > pass in quick on isp0 proto tcp from any to any port = 80
> > > pass in quick on isp0 proto tcp from any to any port = 6
> > >
> > > block return-icmp-as-dest(host-unr) in log quick on isp0 proto icmp from
> > > any to any
> > > block return-rst in log quick on isp0 proto tcp from any to any
> > > block return-icmp(port-unr) in log quick on isp0 proto udp from any to
> > > any
> > >
> >
> > 'ipfstat -s' on your box will tell you about state statistics.
> >
> > when you reload your rule set for testing, you should invoke it like
> > 'ipf -Fa -FS -f/etc/ipf.rules' or similar, just to kick out the old
> > state table.
> >
> > 'ipfstat -t' gives you a "top" style display of current states, so you
> > can check them in realtime.

regards,
/k

--
> If everything is right in the kitchen, the music is fine too.
WebMonster Community Project -- Next Generation Networks GmbH -- All on BSD
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
GnuPG: 0xDEC948A6 D/E BF11 83E8 84A1 F996 68B4 A113 B393 6BF4 DEC9 48A6
REVOKED: 0x2964BF46 D/E 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
REVOKED: 0x4C44DA59 RSA F9 A0 DF 91 74 07 6A 1C 5F 0B E0 6B 4D CD 8C 44
My mail is GnuPG signed -- Unsigned ones are bogus -- http://www.gnupg.org/
Please do not remove my address from To: and Cc: fields in mailing lists. 10x
Re: ipfilter problem
Jens Rehsack([EMAIL PROTECTED])@2002.05.06 15:04:14 +:
> "Karsten W. Rohrbach" wrote:
> > pass in quick on isp0 proto tcp from any to any port = 80 flags S/SA keep state
> > # we want state added when establishing a
> > # session, not for every tcp packet that passes
> > # this rule
> If you read your own statement above you can cut the flags, because all dynamic
> rules added "quick" before this rule/line, so this rule is never parsed for
> any already matched ...

valid point, my reasoning was wrong (worse: it hurts so bad, that i
wonder why nobody else intervened ;-)

the reasoning about "why flags S/SA" boils down to the point that no
out-of-session packet should be allowed to create a state. session
establishment is restricted to SYN/SYN+ACK packets, nothing more. IIRC,
the state will just hang there until it times out, but it will be there
and use a slot in the state table; ipfilter will not pass a matching
packet because of the incomplete session state which is tracked in the
state table, anyway.

regards,
/k

--
> Experience is a teacher that gives the examination first and the
> lesson afterwards.
WebMonster Community Project -- Next Generation Networks GmbH -- All on BSD
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
GnuPG: 0xDEC948A6 D/E BF11 83E8 84A1 F996 68B4 A113 B393 6BF4 DEC9 48A6
REVOKED: 0x2964BF46 D/E 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
REVOKED: 0x4C44DA59 RSA F9 A0 DF 91 74 07 6A 1C 5F 0B E0 6B 4D CD 8C 44
My mail is GnuPG signed -- Unsigned ones are bogus -- http://www.gnupg.org/
Please do not remove my address from To: and Cc: fields in mailing lists. 10x
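The matching behaviour discussed in the two ipfilter messages above ("quick" versus last-match, and why flags S/SA belongs on a keep state rule), as an added example that is not part of the original posts and not ipfilter's own code. It is a toy Python model that assumes a default-pass policy, keys state on (proto, source, destination port) only, and tracks neither TCP session progress nor timeouts; the 192.0.2.x sources are constructed.

```python
# Toy model of ipfilter rule matching (added example, not ipfilter's own code).
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10  # TCP flag bits

@dataclass(frozen=True)
class Rule:
    action: str               # "pass" or "block"
    proto: str                # "tcp" or "udp"
    port: int = None          # destination port, None = any
    quick: bool = False       # a matching quick rule ends the search
    flags: tuple = None       # (value, mask); "flags S/SA" is (SYN, SYN | ACK)
    keep_state: bool = False

    def matches(self, pkt):
        if self.proto != pkt["proto"] or self.port not in (None, pkt["dport"]):
            return False
        if self.flags is None:
            return True
        value, mask = self.flags
        return (pkt.get("flags", 0) & mask) == value

class Filter:
    def __init__(self, rules):
        self.rules, self.states = list(rules), set()

    def check(self, pkt):
        key = (pkt["proto"], pkt["src"], pkt["dport"])
        if key in self.states:        # state table is consulted before the rules
            return "pass"
        hit = None
        for rule in self.rules:       # last match wins unless the rule is quick
            if rule.matches(pkt):
                hit = rule
                if rule.quick:
                    break
        if hit is None:
            return "pass"             # assumption: default-pass policy
        if hit.action == "pass" and hit.keep_state:
            self.states.add(key)
        return hit.action

BLOCK_TCP = Rule("block", "tcp", quick=True)
NO_FLAGS = Rule("pass", "tcp", port=80, quick=True, keep_state=True)
S_SA = Rule("pass", "tcp", port=80, quick=True, flags=(SYN, SYN | ACK), keep_state=True)

def stray_ack_states(web_rule, sources=100):
    # One out-of-session ACK from each constructed source; count states created.
    fw = Filter([web_rule, BLOCK_TCP])
    for i in range(sources):
        fw.check({"proto": "tcp", "src": f"192.0.2.{i}", "dport": 80, "flags": ACK})
    return len(fw.states)
```

In this model stray_ack_states(NO_FLAGS) fills one state slot per stray ACK, while stray_ack_states(S_SA) creates none and a genuine SYN still opens a session.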
Re: conf/11376 still suspended
Kris Kennaway([EMAIL PROTECTED])@2002.05.10 17:01:09 +:
> There's also the important point that -stable is entirely the wrong
> list to be asking on, because it's a technical support list and not a
> development list.

one might note that there's the -qa mailing list which should hold
discussion on issues pending a release, IIRC. the question is, if
-stable isn't a bad choice either. i think that there are many more
folks subscribed to -stable than to -qa, which might lead to more
thorough tests through more folks involved in testing, when a problem
got fixed, just as a sidenote. correct me if i'm wrong, but i don't have
access to the subscriber lists, so this is just an assumption ;-)

regards,
/k

--
> Should the US government lift the export controls on strong encryption?
> Yes, I think so. You can buy better stuff in Europe than you can here.
> We don't have a monopoly on brains.
> --Interview with Walter Wriston as reported in Wired 4.10
WebMonster Community Project -- Next Generation Networks GmbH -- All on BSD
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
GnuPG: 0xDEC948A6 D/E BF11 83E8 84A1 F996 68B4 A113 B393 6BF4 DEC9 48A6
REVOKED: 0x2964BF46 D/E 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
REVOKED: 0x4C44DA59 RSA F9 A0 DF 91 74 07 6A 1C 5F 0B E0 6B 4D CD 8C 44
My mail is GnuPG signed -- Unsigned ones are bogus -- http://www.gnupg.org/
Please do not remove my address from To: and Cc: fields in mailing lists. 10x