Hello,
If I create a lot of vn-backed filesystems ... say ... 30 of them, and
then do heavy i/o inside one or more of them, I can reliably lock up a
FreeBSD 4.x system.
I have seen this in every version from 4.5-4.8.
Two questions:
1) can anyone confirm this ? Has this been discussed ?
2) I
1. What is the workaround for this issue ? Be creative. Not everyone can
update their userland in a normal fashion - and no, I won't sit here and
justify that statement. Think embedded systems.
2. Is there really an exploit in the wild ? Any comments appreciated.
I know it's lame, but I am curious if there is an ETA on 4.9.
Any feedback (one day, one week) appreciated.
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "[EMAIL PROTECTED
On Wed, 16 Jul 2003, Bruce M Simpson wrote:
> On Tue, Jul 15, 2003 at 10:43:19PM -0700, Josh Brooks wrote:
> > I have loaded two 5.1-RELEASE systems, both of them have PROCFS and
> > PSEUDOFS in the kernel, and yet neither of them have a procfs mounted.
>
> I think on
Hello,
I have loaded two 5.1-RELEASE systems, both of them have PROCFS and
PSEUDOFS in the kernel, and yet neither of them have a procfs mounted.
There is no procfs line in /etc/fstab by default, and no procfs is mounted
on the system in any way.
Question 1: Is this intentional ? Is it no lo
Hello,
A new option in FreeBSD 5.x `dump` is the -L option for backing up a
live filesystem ...
Is there a way to examine/check a dump file to see if it was created
using the -L or not ?
ALSO, if I do use -L when creating a dump, do I need to restore it any
differently, or can I restore it the
Long story short, I have a 4gig vn-backed filesystem. The file backing it
is now missing the last 750megs ... I can vnconfig it, but when I fsck it
I see:
# fsck -y /dev/vn1
** /dev/vn1
CANNOT READ: BLK 44109856
CONTINUE? yes
THE FOLLOWING DISK SECTORS COULD NOT BE READ: 44109856, 44109857,
44
I have been researching the various ways people add devfs to a jail to
give the jail certain /dev devices necessary to function ...
One strategy I saw was:
mount -t devfs devfs /home/jail/dev
( cd /home/jail/dev ; rm $devices_i_dont_want_in_my_jails )
mount -u -o nonewdev /home/jail/dev
Ho
Hi Robert,
On Mon, 30 Jun 2003, Robert Watson wrote:
> As you may have noticed in trying the vn-backed mechanism, there are some
> inefficiencies that turn up in FreeBSD when you have large numbers of
> pseudo-devices, etc. The resizing problem is real, also, since we don't
> have online file syste
Normally, quotas work on a per-user, per-filesystem basis - so if a user
has a home directory and other processes _not owned by that user_ are
placing files and using up space into that directory, it will not count
toward the quota (unless they get chowned/chgrpd to that user/group).
Is there any
On Fri, 27 Jun 2003, Joshua Oreman wrote:
> > maxusers to 512 ... any new toggles I should know of to be able to use max
> > ptys on the system, or can I just follow whatever directions I hope to
> > receive regarding creating the devices ?
>
> 5.x creates the devices automatically. So if you ha
For various reasons, in 4.x, I have been creating all possible pty /dev
nodes ...
# pwd
/dev
# ls *pty* | wc -l
256
So far so good...now I am wondering how to do this in 5.x, what with the
devfs and all. Basically the number of interactive users that log into
this system means I need to h
Hello,
When I run out of files, I can see how many files are actually open by
looking at the kern.openfiles sysctl. This makes it easy to see if I am
hitting my limit or not.
However, I am experiencing "No buffer space available" errors, and since I
am not running out of mbufs:
netstat -m
1728
Hello,
I have a new system that has 4gigs of physical memory ... and I am
concerned about running into problems due to running out of KVM.
I am running FreeBSD 4.8, and in addition to 4gigs of ram, I have
configured 2gigs of swap space. The system does not swap much at all, but
I need it there
> If I remember correctly he has less than 10Mbit
> uplink and a lot of count rules for client accounting.
> It is reason I recommend him to use userland accounting.
> And as far as I understand a lot of count rules is
> the reason for trouble.
I removed all the count rules a week or so ago. Now
> In any case, he's got something else strange going on, because
> his load under attack, according to his numbers, never gets above
> the load you'd expect on 10Mbit old-style ethernet, so he's got
> something screwed up; probably, he has a loop in his rules, and
> a packet gets trapped and repro
> Run 'ipfw -v list' on it.
Yes .. I do that ... and it shows me a list of my firewall rules. I
usually use `ipfw show`. What is the difference, and what does this
accomplish ? Sorry if I am missing something.
>
> If attacks are a predominant problem for you, I recommend sticking a
> machine in between your internet connection and everything else whos
Actually this is what I already do - my ISP does all the routing, and it
feeds in one interface of my freebsd machine, and everything else is on
t
> You don't want to stick the 'block abnormal packets' rules at the top of
> the list, IMO. You want those at the end, since abnormal packets are
> *usually* the exception. Optimize for the standard case.
Wow - that is _very interesting_ that you say this. We were having a
similar discussion
Nate,
So you are saying that if I put in:
ipfw add 1 deny tcp from any to 10.10.10.10 6667
That an incoming packet for 10.10.10.10 on port 6667 will go through the
rule set _twice_ (once for each interface) ? I don't understand this - if
it comes in on the external and hits that rule, it i
Again, thank you very much for your advice and comments - they are very
well taken.
I will clarify and say that the fbsd system I am using / talking about is
a _dedicated_ firewall. Only port 22 is open on it.
The problem is, I have a few hundred ipfw rules (there are over 200
machines behind t
know if it is all just a waste because no matter how good I get at
a freebsd firewall, a netscreen 10 will always be better ?
thanks.
On Thu, 16 Jan 2003, Terry Lambert wrote:
> Josh Brooks wrote:
> > If I have a large network with high profile hosts (50+ shell servers, 50
> > or
Hi,
If I have a large network with high profile hosts (50+ shell servers, 50
or more different ircds running) am I wasting my time trying to hack and
tweak a FreeBSD host-based firewall running ipfw ?
I am getting hammered by a different (D)DoS attack every single day - it's
always something new
en after a day or two you can go see how many there were..
>
>
> On Wed, 15 Jan 2003, Josh Brooks wrote:
>
> >
> > Will I ever see a _legitimate_ packet in the wild that is a SYN, and has
> > no MSS ?
> >
> >
> > If the answer is no, then is this a
Will I ever see a _legitimate_ packet in the wild that is a SYN, and has
no MSS ?
If the answer is no, then is this a good rule to block those:
ipfw add 1 deny tcp from any to any tcpflags syn tcpoptions !mss
Or is this one better:
ipfw add 2 deny tcp from any to any setup tcpoptions
Hi,
I have a rc.conf that looks like:
defaultrouter="10.10.10.1"
ifconfig_fxp0="inet 10.10.10.2 netmask 255.255.255.0"
ifconfig_fxp0_alias0="inet 10.10.10.3 netmask 255.255.255.255"
Ok, easy enough - one interface, one default router, and two IPs on that
subnet.
BUT - as it happens, 10.10.10.1
Hello, I just noticed in the advisory (FreeBSD-SA-02:44.filedesc) that the
patch has only been verified for 4.6 and 4.7.
Has anyone used it on 4.5 ? If not, can anyone comment on the chances it
will apply and work on 4.5 ?
thanks.
First off, the target looks like this:
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
25/tcp     open        smtp
53/tcp     open        domain
80/tcp     open        http
110/tcp    open        pop-3
/tcp       open        dec-notes
1/tcp      open        sn
ectly when they are done inside the jail - which is
worrisome, since these counters are system-wide...
On Thu, 5 Dec 2002, Ian Dowse wrote:
> In message <[EMAIL PROTECTED]>, Josh Brooks
> writes:
> >
> >I run netstat -i fxp0 while _inside_ a jail:
>
> >and
I run netstat -i fxp0 while _inside_ a jail:
Name  Mtu   Network       Address  Ipkts    Ierrs  Opkts  Oerrs
fxp0  1500  10.10.10.10/  host     7908671  -      39559  -
and then, I transfer a large file from the jail to some external host.
Name Mtu Network Address
30 matches