From driodeiros at gmail.com Fri Jun 1 11:53:34 2007
From: driodeiros at gmail.com (David Rio Deiros)
Date: Fri, 1 Jun 2007 11:53:34 -0400
Subject: [nycbug-talk] what happened to darwinports?
In-Reply-To: <20070520054906.GA95859@r2d2.reverse.net>
References: <8933.160.33.20.11.1178052246.squirrel@webmail.nomadlogic.org> <20070503224759.GA62365@r2d2.reverse.net> <1053AC2D-8AEB-43FC-9048-3197EDB4A3F8@schmonz.com> <20070509053321.GA85382@r2d2.reverse.net> <68D543AF-216B-46F9-AA2B-16CEB038448C@schmonz.com> <20070515172433.GA14825@r2d2.reverse.net> <3F3B1A9A-023D-4020-BF3F-8B93A87661C1@schmonz.com> <20070518001459.GA93011@r2d2.reverse.net> <20070520054906.GA95859@r2d2.reverse.net>
Message-ID: <20070601155334.GA88943@r2d2.reverse.net>

On Sun, May 20, 2007 at 01:49:06AM -0400, David Rio Deiros wrote:
> On Thu, May 17, 2007 at 08:14:59PM -0400, David Rio Deiros wrote:
> > On Wed, May 16, 2007 at 03:57:48PM -0400, Amitai Schlair wrote:
> > > On May 15, 2007, at 1:24 PM, David Rio Deiros wrote:
> > >
> > > > How do you skip this?:
> > > >
> > > > drio at simba:/Volumes/NetBSD/pkgsrc/bootstrap $ sudo ./bootstrap \
> > > >> --prefix /usr/pkg \
> > > >> --pkgdbdir /usr/pkg/.pkgdb
> > > > ...
> > > > ...
> > > > ===> running: /bin/sh /Volumes/NetBSD/pkgsrc/bootstrap/work/install-sh
> > > > -d -o root -g wheel /usr/pkg/pkgsrc-REQUIRES-case-SENSITIVE-filesystem
> > > > "/usr/pkg" needs to be on a case-sensitive filesystem (see
> > > > README.Darwin)
> > >
> > > Pass "--ignore-case-check" to the bootstrap script.
> >
> > Sweet!
> >
> > I have one more question though: I have been reading the pkgsrc guide
> > but I cannot find a proper way to upgrade your packages once you
> > update the pkgsrc tree. How do you keep your installation packages
> > up2date? Is there some tool like portupgrade?
>
> This seems a very good approach:
>
> lintpkgsrc -i >/tmp/out_of_date
pkgdepgraph -D /tmp/out_of_date >/tmp/delete
pkgdepgraph -R /tmp/out_of_date >/tmp/rebuild
pkg_delete `cat /tmp/delete`
sh /tmp/rebuild

This covers the topic:
http://julipedia.blogspot.com/2007/05/keeping-pkgsrc-packages-up-to-date.html

also:
http://wiki.netbsd.se/index.php/How_to_upgrade_packages

From nycbug-list at 2xlp.com Wed Jun 6 18:09:52 2007
From: nycbug-list at 2xlp.com (Jonathan Vanasco)
Date: Wed, 6 Jun 2007 18:09:52 -0400
Subject: [nycbug-talk] [announce] Tonight: NYC*BUG at the Soho Apple Store
In-Reply-To: <538DB0B5-7BF8-4C41-AC3F-975E9A9D02D5@ceetonetechnology.com>
References: <538DB0B5-7BF8-4C41-AC3F-975E9A9D02D5@ceetonetechnology.com>
Message-ID: <7E06614F-7A33-4E2C-B979-208C63346194@2xlp.com>

I seriously doubt my ability to get there in time, plus I have a skeeball match at 7:30...

this looks to be an amazing talk -- is there any chance someone can point one of the webcams in the store on the stage, and broadcast it live via some online service ? maybe on mogulus or stickam ?
// Jonathan Vanasco
| CEO/Founder SyndiClick Networks
| FindMeOn.com - The cure for Multiple Web Personality Disorder
| Web Identity Management and 3D Social Networking
| RoadSound.com - Tools For Bands, Stuff For Fans
| Collaborative Online Management And Syndication Tools

On Jun 6, 2007, at 11:34 AM, NYC*BUG Announcements wrote:
> June 06, 2007
>
> Steven Kreuzer on Denial of Service Mitigation Techniques
>
> 6:30pm, Soho Apple Store at 103 Prince Street
>
> http://www.apple.com/retail/soho/
>
>
> Protecting your servers, workstations and networks can only go so
> far. Attacks which consume your available Internet-facing bandwidth,
> or overpower your CPU, can still take you offline. His presentation
> will discuss techniques for mitigating the effects of such attacks on
> servers designed to provide network intensive services such as HTTP
> or routing.
>
> about the speaker:
>
> Steven Kreuzer is currently employed by Right Media as a Systems
> Administrator focusing on building and managing high transaction
> infrastructures around the globe. He has been working with Open
> Source technologies since as long as he can remember, starting out
> with a 486 salvaged from a dumpster behind his neighborhood computer
> store. In his spare time he enjoys doing things with technology that
> have absolutely no redeeming social value.
> _______________________________________________
> announce mailing list
> announce at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/announce
>

From alex at pilosoft.com Wed Jun 6 18:23:44 2007
From: alex at pilosoft.com (alex at pilosoft.com)
Date: Wed, 6 Jun 2007 18:23:44 -0400 (EDT)
Subject: [nycbug-talk] [announce] Tonight: NYC*BUG at the Soho Apple Store
In-Reply-To: <7E06614F-7A33-4E2C-B979-208C63346194@2xlp.com>

On Wed, 6 Jun 2007, Jonathan Vanasco wrote:
> I seriously doubt my ability to get there in time, plus I have a
> skeeball match at 7:30...
>
> this looks to be an amazing talk -- is there any chance someone can point
> one of the webcams in the store on the stage, and broadcast it live via
> some online service ? maybe on mogulus or stickam ?

Regretfully, I'm at NANOG conference in seattle, and I wouldn't be able to heckle in person. However, I hope someone will tape it and I can do a post-mortem heckling!

-alex

From carton at Ivy.NET Wed Jun 6 18:37:53 2007
From: carton at Ivy.NET (Miles Nordin)
Date: Wed, 06 Jun 2007 18:37:53 -0400
Subject: [nycbug-talk] [announce] Tonight: NYC*BUG at the Soho Apple Store
In-Reply-To: (alex@pilosoft.com's message of "Wed, 6 Jun 2007 18:23:44 -0400 (EDT)")
References: <7E06614F-7A33-4E2C-B979-208C63346194@2xlp.com>

>>>>> "a" == alex writes:

    a> However, I hope someone will tape it and I can do a
    a> post-mortem heckling!

haha, ``just turn on SYN cookies!''

i think the heckling is likely to be the best part of a talk like this no matter who's giving it.
From alex at pilosoft.com Wed Jun 6 18:47:09 2007
From: alex at pilosoft.com (alex at pilosoft.com)
Date: Wed, 6 Jun 2007 18:47:09 -0400 (EDT)
Subject: [nycbug-talk] [announce] Tonight: NYC*BUG at the Soho Apple Store

On Wed, 6 Jun 2007, Miles Nordin wrote:
> >>>>> "a" == alex writes:
>
> a> However, I hope someone will tape it and I can do a
> a> post-mortem heckling!
>
> haha, ``just turn on SYN cookies!''
>
> i think the heckling is likely to be the best part of a talk like this
> no matter who's giving it.

I have to say...DDOS mitigation is a *complicated thing*. There may be a few dozen people on the planet who understand what is a ddos and how to deal with it.

Dealing with anything sub 1G of traffic is trivial enough that it could be discussed on nycbug meetings. Oh wait :P

-alex

From george at ceetonetechnology.com Wed Jun 6 22:32:50 2007
From: george at ceetonetechnology.com (George Rosamond)
Date: Wed, 6 Jun 2007 22:32:50 -0400
Subject: [nycbug-talk] [announce] Tonight: NYC*BUG at the Soho Apple Store
In-Reply-To: <7E06614F-7A33-4E2C-B979-208C63346194@2xlp.com>
References: <538DB0B5-7BF8-4C41-AC3F-975E9A9D02D5@ceetonetechnology.com> <7E06614F-7A33-4E2C-B979-208C63346194@2xlp.com>
Message-ID: <5C9CDED0-45B2-4D21-BDF5-3F80980CE702@ceetonetechnology.com>

On Jun 6, 2007, at 6:09 PM, Jonathan Vanasco wrote:
> I seriously doubt my ability to get there in time, plus I have a
> skeeball match at 7:30...
>
> this looks to be an amazing talk -- is there any chance someone can
> point one of the webcams in the store on the stage, and broadcast it
> live via some online service ? maybe on mogulus or stickam ?
>

Steve is dealing with uploading his slides, and I've no doubt that you-know-who will be providing the video link (Nikolai :)

Very good meeting. . .

George

From george at ceetonetechnology.com Wed Jun 6 22:38:42 2007
From: george at ceetonetechnology.com (George Rosamond)
Date: Wed, 6 Jun 2007 22:38:42 -0400
Subject: [nycbug-talk] [announce] Tonight: NYC*BUG at the Soho Apple Store

On Jun 6, 2007, at 6:47 PM, alex at pilosoft.com wrote:
> On Wed, 6 Jun 2007, Miles Nordin wrote:
>
>>>>>>> "a" == alex writes:
>>
>> a> However, I hope someone will tape it and I can do a
>> a> post-mortem heckling!
>>
>> haha, ``just turn on SYN cookies!''
>>
>> i think the heckling is likely to be the best part of a talk like
>> this no matter who's giving it.
>
> I have to say...DDOS mitigation is a *complicated thing*. There may be a
> few dozen people on the planet who understand what is a ddos and how to
> deal with it.
>

Yes, and we literally spent the meeting wondering, "how can we figure this out without one of the few dozen best and the brightest in the room."

Of course, you're one of them Alex.

> Dealing with anything sub 1G of traffic is trivial enough that it could be
> discussed on nycbug meetings. Oh wait :P
>

Yeah, the meeting was all about the speaker's home dsl with IPCop. . . :-'

On the serious side, I thought the meeting was on the mark in terms of dealing with the issue, but of course it's people like the above replied-to that really matter.

Not because they're so smart, but rather because we sit on their bandwidth.

The only reason "end-user sysadmins" talk have meetings on topics like this is due to the shortcomings of those who do deal with the bandwidth for us.

Therefore, Alex and all, please deal with this upstream from us, and we promise never to have another meeting on the topic.
:)

George

From nikolai at fetissov.org Thu Jun 7 10:46:05 2007
From: nikolai at fetissov.org (nikolai)
Date: Thu, 7 Jun 2007 10:46:05 -0400 (EDT)
Subject: [nycbug-talk] June 2007 meeting audio
Message-ID: <21059.63.66.6.15.1181227565.squirrel@www.geekisp.com>

Folks,

Audio of Steven's presentation is online at
http://www.fetissov.org/public/nycbug/

--
Nikolai

From george at ceetonetechnology.com Thu Jun 7 10:51:05 2007
From: george at ceetonetechnology.com (George Rosamond)
Date: Thu, 7 Jun 2007 10:51:05 -0400
Subject: [nycbug-talk] June 2007 meeting audio
In-Reply-To: <21059.63.66.6.15.1181227565.squirrel@www.geekisp.com>
References: <21059.63.66.6.15.1181227565.squirrel@www.geekisp.com>

On Jun 7, 2007, at 10:46 AM, nikolai wrote:
> Folks,
>
> Audio of Steven's presentation is online at
> http://www.fetissov.org/public/nycbug/

Thanks Nikolai.

The slides should be up soon too.

George

From skreuzer at f2o.org Thu Jun 7 12:52:24 2007
From: skreuzer at f2o.org (Steven Kreuzer)
Date: Thu, 7 Jun 2007 09:52:24 -0700
Subject: [nycbug-talk] IMAP Caching
Message-ID: <20070607165221.GA12793@clamps.exit2shell.com>

Greetings-

At last night's meeting, someone in the audience asked if anyone had any tips for increasing the performance of an IMAP server.

I did a little searching and found a caching proxy for IMAP

Take a look at http://www.imapproxy.org/

From the FAQ:

imapproxy was written to compensate for webmail clients that are unable to maintain persistent connections to an IMAP server. Most webmail clients need to log in to an IMAP server for nearly every single transaction. This behaviour can cause tragic performance problems on the IMAP server. imapproxy tries to deal with this problem by leaving server connections open for a short time after a webmail client logs out. When the webmail client connects again, imapproxy will determine if there's a cached connection available and reuse it if possible.

Hope this helps.

Also, if the person who asked the question can post a little more about the problems he is experiencing, as well as details of his setup, I am sure numerous people on this list will be able to offer advice.

--
Steven Kreuzer
http://www.exit2shell.com/~skreuzer

From spork at bway.net Thu Jun 7 16:22:02 2007
From: spork at bway.net (Charles Sprickman)
Date: Thu, 7 Jun 2007 16:22:02 -0400 (EDT)
Subject: [nycbug-talk] IMAP Caching
In-Reply-To: <20070607165221.GA12793@clamps.exit2shell.com>
References: <20070607165221.GA12793@clamps.exit2shell.com>

On Thu, 7 Jun 2007, Steven Kreuzer wrote:
> Greetings-
>
> At last night's meeting, someone in the audience asked if anyone
> had any tips for increasing the performance of an IMAP server.
>
> I did a little searching and found a caching proxy for IMAP
>
> Take a look at http://www.imapproxy.org/

I've been using this to speed up webmail (squirrelmail) for some time now. I have not run into any problems with it so far.

If you are dealing with a php-based webmail app, a php accelerator really, really helps.

Charles

> From the FAQ:
> imapproxy was written to compensate for webmail clients that are
> unable to maintain persistent connections to an IMAP server. Most
> webmail clients need to log in to an IMAP server for nearly every
> single transaction. This behaviour can cause tragic performance
> problems on the IMAP server. imapproxy tries to deal with this
> problem by leaving server connections open for a short time after
> a webmail client logs out. When the webmail client connects
> again, imapproxy will determine if there's a cached connection
> available and reuse it if possible.
>
> Hope this helps.
>
> Also, if the person who asked the question can post a little more
> about the problems he is experiencing, as well as details of his
> setup, I am sure numerous people on this list will be able to
> offer advice.
>
> --
> Steven Kreuzer
> http://www.exit2shell.com/~skreuzer
> _______________________________________________
> % NYC*BUG talk mailing list
> http://lists.nycbug.org/mailman/listinfo/talk
> %Be sure to check out our Jobs and NYCBUG-announce lists
> %We meet the first Wednesday of the month
>

From nycbug-list at 2xlp.com Thu Jun 7 16:35:23 2007
From: nycbug-list at 2xlp.com (Jonathan Vanasco)
Date: Thu, 7 Jun 2007 16:35:23 -0400
Subject: [nycbug-talk] IMAP Caching
In-Reply-To: <20070607165221.GA12793@clamps.exit2shell.com>
References: <20070607165221.GA12793@clamps.exit2shell.com>
Message-ID: <53B11F12-B81A-40C1-A6E9-A67BAC368757@2xlp.com>

On Jun 7, 2007, at 12:52 PM, Steven Kreuzer wrote:
> Greetings-
>
> At last night's meeting, someone in the audience asked if anyone
> had any tips for increasing the performance of an IMAP server.
>
> I did a little searching and found a caching proxy for IMAP

nginx does imap proxying too. and dovecot is a really lightweight imap server. between the 2, you should cut down a lot on the standard courier setup.

// Jonathan Vanasco
| CEO/Founder SyndiClick
| FindMeOn.com - The cure for Multiple Web Personality Disorder
| Web Identity Management and 3D Social Networking
| RoadSound.com - Tools For Bands, Stuff For Fans
| Collaborative Online Management And Syndication Tools

From asr+nycbug at latency.net Thu Jun 7 17:55:06 2007
From: asr+nycbug at latency.net (Adam Rothschild)
Date: Thu, 7 Jun 2007 17:55:06 -0400
Subject: [nycbug-talk] June 2007 meeting audio
References: <21059.63.66.6.15.1181227565.squirrel@www.geekisp.com>
Message-ID: <20070607215506.GU12560@latency.net>

On 2007-06-07-10:51:05, George Rosamond wrote:
> > Audio of Steven's presentation is online at
> > http://www.fetissov.org/public/nycbug/
>
> Thanks Nikolai.
>
> The slides should be up soon too.

Do you have a URL these slides can be found at? I'd be very interested in having a look.

Thanks,
-a

From george at ceetonetechnology.com Thu Jun 7 18:50:10 2007
From: george at ceetonetechnology.com (George Rosamond)
Date: Thu, 7 Jun 2007 18:50:10 -0400
Subject: [nycbug-talk] Slides from last night
Message-ID: <8D476F53-FD66-4454-9778-489CF489AF6E@ceetonetechnology.com>

The slides are up. . .

http://tinyurl.com/27ee58

g

From josh at rivels.org Thu Jun 7 20:19:22 2007
From: josh at rivels.org (Josh Rivel)
Date: Thu, 7 Jun 2007 20:19:22 -0400
Subject: [nycbug-talk] (Slightly OT) Good knapsack recommendation
Message-ID: <20070608001922.GA30314@rivels.org>

I'm looking for a good lightweight, but comfortable knapsack to carry my Dell D420 (12.1" widescreen) in. I'm currently using an LL Bean knapsack, which is very big, and doesn't offer any padding or cushioning for the laptop. I also have an Ogio knapsack (Don't recall the model) but it's very heavy even when empty, and does not have a lot of space despite it being a large bag.

I know this is a pretty subjective question, but the choice of knapsacks is kind of overwhelming, and if people could let me know what knapsacks they are using for lugging around their laptops, that would be great. Feel free to reply back off-list so as not to clutter it up with this highly non-technical question!
Thanks so much in advance,
Josh

From nycbug-list at 2xlp.com Thu Jun 7 20:57:08 2007
From: nycbug-list at 2xlp.com (Jonathan Vanasco)
Date: Thu, 7 Jun 2007 20:57:08 -0400
Subject: [nycbug-talk] (Slightly OT) Good knapsack recommendation
In-Reply-To: <20070608001922.GA30314@rivels.org>
References: <20070608001922.GA30314@rivels.org>
Message-ID: <01B3A3C8-38EB-43A0-B416-B45D8F298F05@2xlp.com>

On Jun 7, 2007, at 8:19 PM, Josh Rivel wrote:
> I'm looking for a good lightweight, but comfortable knapsack to
> carry my Dell D420 (12.1" widescreen) in. I'm currently using an LL
> Bean knapsack, which is very big, and doesn't offer any padding or
> cushioning for the laptop. I also have an Ogio knapsack (Don't
> recall the model) but it's very heavy even when empty, and does not
> have a lot of space despite it being a large bag.
>
> I know this is a pretty subjective question, but the choice of
> knapsacks is kind of overwhelming, and if people could let me know
> what knapsacks they are using for lugging around their laptops, that
> would be great. Feel free to reply back off-list so as not to
> clutter it up with this highly non-technical question!
>
> Thanks so much in advance,
> Josh

Josh-

I use 2 items that I can suggest

i said screw damage a while back, and started buying disposable laptops ( $1k price point ). after looking for months, i finally bought a laptop bag from Jack Spade.

http://www.jackspade.com/shop/product.php?productid=19618&cat=248&sku=CH8446765C600

it's a little pricey, but completely worth it. it has a removable padded laptop sleeve, a ton of pockets & organizers. it handles a book (why not?), laptop, misc cables, ipod, camera, etc etc etc, in a super convenient & accessible manner.

if you're worried about damage, the laptop case from ZeroHalliburton is great.

it's the same thing that they use for guns, drugs & cash in spy movies ( polished aluminum hard case )

http://www.zerohalliburton.com/computers/aluminum/computer_zseries.jsp

From netmantej at gmail.com Thu Jun 7 22:03:06 2007
From: netmantej at gmail.com (tim jacques)
Date: Thu, 7 Jun 2007 22:03:06 -0400
Subject: [nycbug-talk] (Slightly OT) Good knapsack recommendation
In-Reply-To: <20070608001922.GA30314@rivels.org>
References: <20070608001922.GA30314@rivels.org>
Message-ID: <1aa60f4d0706071903r2fecf1bat97e75cf2a478f6e9@mail.gmail.com>

On 6/7/07, Josh Rivel wrote:
>
> I'm looking for a good lightweight, but comfortable knapsack to
> carry my Dell D420 (12.1" widescreen) in. I'm currently using an LL
> Bean knapsack, which is very big, and doesn't offer any padding or
> cushioning for the laptop. I also have an Ogio knapsack (Don't
> recall the model) but it's very heavy even when empty, and does not
> have a lot of space despite it being a large bag.
>
> I know this is a pretty subjective question, but the choice of
> knapsacks is kind of overwhelming, and if people could let me know
> what knapsacks they are using for lugging around their laptops, that
> would be great. Feel free to reply back off-list so as not to
> clutter it up with this highly non-technical question!
>
> Thanks so much in advance,
> Josh
>

Josh -

I discovered this last year. The Osprey Transit.

http://www.ospreypacks.com/Packs/DaytoolPacks/Transit/

1700 cu. in. and it will fit up to a 17" screen laptop. My Dell 2650 with a 15.4" screen fits comfortably, as well as all of my gear. It turned my "daily carry" from two bags to one. It is the perfect solution for me ..
There is a smaller one also. The Osprey Torque.

http://www.ospreypacks.com/Packs/DaytoolPacks/Torque/

1200 cu. in. and it fits most 15.4" laptops.

Tim ..

From josh at rivels.org Fri Jun 8 08:11:54 2007
From: josh at rivels.org (Josh Rivel)
Date: Fri, 8 Jun 2007 08:11:54 -0400
Subject: [nycbug-talk] (Slightly OT) Good knapsack recommendation
In-Reply-To: <01B3A3C8-38EB-43A0-B416-B45D8F298F05@2xlp.com>
References: <20070608001922.GA30314@rivels.org> <01B3A3C8-38EB-43A0-B416-B45D8F298F05@2xlp.com>
Message-ID: <20070608121154.GA5936@rivels.org>

Thanks to everyone for their suggestions for knapsacks. Guess this weekend it's off to the stores to check some of them out!!

Josh

From alex at pilosoft.com Fri Jun 8 09:13:16 2007
From: alex at pilosoft.com (alex at pilosoft.com)
Date: Fri, 8 Jun 2007 09:13:16 -0400 (EDT)
Subject: [nycbug-talk] [announce] Tonight: NYC*BUG at the Soho Apple Store

On Wed, 6 Jun 2007, George Rosamond wrote:
> > Dealing with anything sub 1G of traffic is trivial enough that it
> > could be discussed on nycbug meetings. Oh wait :P
> >
>
> Yeah, the meeting was all about the speaker's home dsl with IPCop. . .
> :-'

might as well have been. to be honest, if the presentation was named "tuning freebsd, 5 years ago, 101", it'd be more appropriate.

syn cookies are 1996, fbsd implementation '98
syn cache implemented in 2001
polling is early 2002
tcp/udp blackhole sysctl is pre-2002

these are not necessarily ddos avoidance - this is basic tuning. (the bit about disabling autoneg is factually incorrect and actually harmful)

ddos protection in 2007 would discuss cooperative work with your upstream[s] in handling ddos's over 10gbit in size (see below)

> On the serious side, I thought the meeting was on the mark in terms of
> dealing with the issue, but of course it's people like the above
> replied-to that really matter.
>
> Not because they're so smart, but rather because we sit on their
> bandwidth.
>
> The only reason "end-user sysadmins" talk have meetings on topics like
> this is due to the shortcomings of those who do deal with the bandwidth
> for us.
>
> Therefore, Alex and all, please deal with this upstream from us, and we
> promise never to have another meeting on the topic. :)

Wrong. These are your bits, you requested them, you pay for them, you deal with them. We'll help you to do things you *cannot* but it is your responsibility to do everything that you can before bothering us.

Asking us to help you with ddos is similar to putting up a webserver and not knowing how to handle a large amount of traffic and saying "I didn't expect all this traffic and don't want to pay for it".

Today, dealing with ddos means:

* Getting *large* pipes to your upstream (you want a GE port at minimum, if you get ddos'd with 1G of traffic and you have 100M port, I'll just tell you to upgrade first before anything else). If you have GE port and get 700Mbit of traffic, I'll tell you it's your problem. We do our job and deliver bits to you.

* Scalability: If you get 1gbit of traffic and you simply can't handle dealing with all of it on a single box due to CPU limits, you need to figure out how to spread it over multiple boxes. This may be nontrivial in certain cases.

* Distinguishing bad traffic from good traffic. This is *key*. If you cannot tell the "good" traffic from bad traffic, you have to deal with *all* of it. For example, syncache/syncookies will make your system deal with all traffic - in a better manner. However, if you see all bad traffic have same tcp SN, you can just drop it before it is handled. If you see specific IPs generate 10kpps of syns - drop them.

* Cooperation with upstream: Once you figured out what kind of traffic is bad (example: list of IPs ddosing you, or UDP traffic that you actually don't want), you can then contact upstream to put filters on your port.
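[Added example, not part of Alex's post or of any tool it names: the "distinguishing bad traffic from good traffic" item above, done over a constructed packet summary. It applies the two heuristics he gives, a per-source SYN rate over a pps threshold and one TCP sequence number recurring across many sources, and emits the source and sequence-number lists you would hand to a local filter or to your upstream. The record shape, the addresses and the traffic mix are assumptions.]

```python
"""Turn the two SYN-flood heuristics from the post into drop lists.

Added example, not from the post: a per-source SYN rate above a pps
threshold, and one TCP sequence number shared by many sources. The
packet record shape, all addresses and the traffic mix are assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Pkt:
    ts: float    # capture timestamp, seconds
    src: str     # source IPv4 address (assumed summarised from a capture)
    seq: int     # TCP sequence number
    flags: str   # TCP flag letters as tcpdump prints them: "S", "S.", "."


def is_bare_syn(p: Pkt) -> bool:
    """Connection-opening SYN: SYN set and ACK ('.') clear."""
    return "S" in p.flags and "." not in p.flags


def peak_syn_rate(pkts: Iterable[Pkt]) -> dict[str, int]:
    """Busiest one-second bucket of bare SYNs for each source address."""
    per_src: dict[str, Counter] = defaultdict(Counter)
    for p in pkts:
        if is_bare_syn(p):
            per_src[p.src][int(p.ts)] += 1
    return {src: max(buckets.values()) for src, buckets in per_src.items()}


def high_rate_sources(pkts: Iterable[Pkt], threshold_pps: int = 10_000) -> set[str]:
    """Sources whose peak SYN rate reaches the threshold (the 10 kpps case)."""
    return {src for src, rate in peak_syn_rate(pkts).items() if rate >= threshold_pps}


def shared_sequence_numbers(pkts: Iterable[Pkt], min_sources: int = 10) -> set[int]:
    """Sequence numbers used in SYNs by at least min_sources distinct sources.

    A real stack randomises its initial sequence number, so one value recurring
    across many sources is a fingerprint of a flood tool with a fixed ISN and
    can be matched before the SYN ever reaches the syncache.
    """
    sources_by_seq: dict[int, set[str]] = defaultdict(set)
    for p in pkts:
        if is_bare_syn(p):
            sources_by_seq[p.seq].add(p.src)
    return {seq for seq, srcs in sources_by_seq.items() if len(srcs) >= min_sources}


def derive_filters(pkts: Iterable[Pkt], threshold_pps: int = 10_000,
                   min_sources: int = 10) -> dict[str, list]:
    """Both heuristics over one capture; sorted so the result is diff-friendly."""
    pkts = list(pkts)
    return {
        "drop_sources": sorted(high_rate_sources(pkts, threshold_pps)),
        "drop_seq": sorted(shared_sequence_numbers(pkts, min_sources)),
    }


def sample_traffic() -> list[Pkt]:
    """Constructed capture (documentation-range addresses, not real hosts)."""
    pkts: list[Pkt] = []
    # Twenty legitimate clients: one SYN each, distinct ISNs, then data ACKs.
    for i in range(20):
        pkts.append(Pkt(0.05 * i, f"192.0.2.{i + 1}", 1_000_000 + 7919 * i, "S"))
        pkts.append(Pkt(0.05 * i + 0.01, f"192.0.2.{i + 1}", 1_000_001 + 7919 * i, "."))
    # One source pushing 12,000 SYNs inside a single second (12 kpps).
    for i in range(12_000):
        pkts.append(Pkt(1.0 + i / 12_000, "203.0.113.9", 50_000 + i, "S"))
    # Sixty-four spoofed sources, three SYNs each, all with the same fixed ISN:
    # individually below any rate threshold, collectively a clear fingerprint.
    for i in range(64):
        for k in range(3):
            pkts.append(Pkt(2.0 + 0.01 * k, f"198.51.100.{i + 1}", 0x1A2B3C4D, "S"))
    return pkts


if __name__ == "__main__":
    filters = derive_filters(sample_traffic())
    print("sources to drop / filter upstream:", filters["drop_sources"])
    print("fixed ISNs to match:", [hex(s) for s in filters["drop_seq"]])
```

The rate heuristic alone misses the 64 low-rate spoofed sources and the ISN heuristic alone misses the single fast source, which is why the post treats classification as a per-attack, manual step.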
These are all not rocket science, but a very manual endeavor. For each type of attack, you have to figure out how to mitigate. Automated-ish solutions exist (riverhead, arbor) but cost obscene amounts of money (50K$+) and don't scale for *huge* attacks anyway.

There are still ddos's that cannot be handled by upstream - when all traffic is potentially good.

It's all complicated. :)

--
Alex Pilosov | DSL, Colocation, Hosting Services
President | alex at pilosoft.com 877-PILOSOFT x601
Pilosoft, Inc. | http://www.pilosoft.com

From bonsaime at gmail.com Mon Jun 11 11:58:46 2007
From: bonsaime at gmail.com (Jesse Callaway)
Date: Mon, 11 Jun 2007 11:58:46 -0400
Subject: [nycbug-talk] cdce devices

Anyone using a cdce device reliably? I'm about to purchase one for a q/a setup, but want to make sure others are reliably using something before i go spend money on a device.

-jesse

From bkominik at gmail.com Mon Jun 11 12:23:51 2007
From: bkominik at gmail.com (Barry Kominik)
Date: Mon, 11 Jun 2007 12:23:51 -0400
Subject: [nycbug-talk] OpenBSD PF help
Message-ID: <447281df0706110923p1f44c7f8ie77ba2949eb1ddcd@mail.gmail.com>

Hi,
I'm having problems getting a pf filter working. I must be doing something simple wrong, anybody have any advice?

I have two public routable IP blocks, let's say 1.1.1.1/29 and 2.2.2.1/28. The colo routes both networks to my handoff. I have the int0 connected to the handoff from the co-lo and ext0 configured as the 2.2.2.1. I have net.inet.ip.forwarding=1. Shouldn't basic routing work without even enabling the firewall? Hosts on the 2 network can ping through to the 1.1.1.1 interface, but not beyond. Hosts on the internet can see 1.1.1.1 but nothing on the 2. network. I can get this to work by setting up a bridge between the interfaces, but this strikes me as incorrect. Am I missing something simple? If not I can pay for some consulting time.

Thanks,
Barry

From lavalamp at spiritual-machines.org Mon Jun 11 12:34:38 2007
From: lavalamp at spiritual-machines.org (Brian A. Seklecki)
Date: Mon, 11 Jun 2007 12:34:38 -0400 (EDT)
Subject: [nycbug-talk] OpenBSD PF help
In-Reply-To: <447281df0706110923p1f44c7f8ie77ba2949eb1ddcd@mail.gmail.com>
References: <447281df0706110923p1f44c7f8ie77ba2949eb1ddcd@mail.gmail.com>
Message-ID: <20070611123108.P1140@arbitor.digitalfreaks.org>

Yes is the answer to your question. Show me "netstat -rn" and "ifconfig -a" (shielded). Is there any CARP involved?

What is the subnetting like on the "handoff" or "WAN" or "Upstream"? Your ISP should have static routes for your /28 and /29 via your int0 IP address (or if they are contiguous, the larger /27).

~BAS

On Mon, 11 Jun 2007, Barry Kominik wrote:
> Hi,
> I'm having problems getting a pf filter working. I must be doing something
> simple wrong, anybody have any advice?
>
> I have two public routable IP blocks, let's say 1.1.1.1/29 and 2.2.2.1/28.
> The colo routes both networks to my handoff. I have the int0 connected to
> the handoff from the co-lo and ext0 configured as the 2.2.2.1. I have
> net.inet.ip.forwarding=1. Shouldn't basic routing work without even enabling
> the firewall? Hosts on the 2 network can ping through to the
> 1.1.1.1 interface, but not beyond. Hosts on the internet can see
> 1.1.1.1 but nothing on the 2. network. I can get this to work by setting up
> a bridge between the interfaces, but this strikes me as incorrect. Am I
> missing something simple? If not I can pay for some consulting time.
>
> Thanks,
> Barry
>

l8*
-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
http://www.spiritual-machines.org/

"Guilty? Yeah. But he knows it. I mean, you're guilty. You just don't know it. So who's really in jail?"
~James Maynard Keenan

From lists at intricatesoftware.com Wed Jun 13 08:34:46 2007
From: lists at intricatesoftware.com (Kurt Miller)
Date: Wed, 13 Jun 2007 08:34:46 -0400
Subject: [nycbug-talk] OpenBSD PF help
In-Reply-To: <447281df0706110923p1f44c7f8ie77ba2949eb1ddcd@mail.gmail.com>
References: <447281df0706110923p1f44c7f8ie77ba2949eb1ddcd@mail.gmail.com>
Message-ID: <200706130834.46749.lists@intricatesoftware.com>

On Monday 11 June 2007 12:23:51 pm Barry Kominik wrote:
> Hi,
> I'm having problems getting a pf filter working. I must be doing something
> simple wrong, anybody have any advice?
>
> I have two public routable IP blocks, let's say 1.1.1.1/29 and 2.2.2.1/28.
> The colo routes both networks to my handoff. I have the int0 connected to
> the handoff from the co-lo and ext0 configured as the 2.2.2.1. I have
> net.inet.ip.forwarding=1. Shouldn't basic routing work without even enabling
> the firewall? Hosts on the 2 network can ping through to the
> 1.1.1.1 interface, but not beyond. Hosts on the internet can see
> 1.1.1.1 but nothing on the 2. network. I can get this to work by setting up
> a bridge between the interfaces, but this strikes me as incorrect. Am I
> missing something simple? If not I can pay for some consulting time.
>
> Thanks,
> Barry
>

Is /etc/mygate on the router set?

From swygue at gmail.com Wed Jun 13 10:40:52 2007
From: swygue at gmail.com (Rodrique Heron)
Date: Wed, 13 Jun 2007 10:40:52 -0400
Subject: [nycbug-talk] BIND and MX records
Message-ID: <467001F4.9090805@gmail.com>

Hi Guys,

I inherited a bind server and I'm trying to clean it up, I noticed that a lot of the host records have MX entries like this:

mailstore01 A 192.168.2.1
            MX 10 mx1
            MX 12 mx2
            MX 14 mx3

From what I understand, this forces mail sent to host.domain to always go through one of the MX servers. But is this necessary for the mail store? Are there any known side effects? I am trying to ascertain if it's causing an occasional problem I'm having with mail delivered to our domain bouncing with the following error:

Maximum hop count exceeded. Message probably in a routing loop.

Thanks

From alex at pilosoft.com Wed Jun 13 10:44:35 2007
From: alex at pilosoft.com (alex at pilosoft.com)
Date: Wed, 13 Jun 2007 10:44:35 -0400 (EDT)
Subject: [nycbug-talk] BIND and MX records
In-Reply-To: <467001F4.9090805@gmail.com>

On Wed, 13 Jun 2007, Rodrique Heron wrote:
> Hi Guys,
>
> I inherited a bind server and I'm trying to clean it up, I noticed that
> a lot of the host records have MX entries like this:
> mailstore01 A 192.168.2.1
>             MX 10 mx1
>             MX 12 mx2
>             MX 14 mx3
>
> From what I understand, this forces mail sent to host.domain to always
> go through one of the MX servers. But is this necessary for the mail
> store? Are there any known side effects? I am trying to ascertain if
> it's causing an occasional problem I'm having with mail delivered to our
> domain bouncing with the following error:

No. If there's no hostname on the left, it means "domain" itself. In other words, the MX entries apply to the domain, not the hostname.

> Maximum hop count exceeded. Message probably in a routing loop.

That means message is bouncing between the mx's probably. Check that the highest-priority mx is in fact accepting mail instead of bouncing it around.
-alex

From alex at pilosoft.com Wed Jun 13 10:46:46 2007
From: alex at pilosoft.com (alex at pilosoft.com)
Date: Wed, 13 Jun 2007 10:46:46 -0400 (EDT)
Subject: [nycbug-talk] BIND and MX records
In-Reply-To:
Message-ID:

On Wed, 13 Jun 2007 alex at pilosoft.com wrote:
> On Wed, 13 Jun 2007, Rodrique Heron wrote:
>
> > Hi Guys,
> >
> > I inherited a bind server and I'm trying to clean it up, I noticed that
> > a lot of the host records have MX entries like this:
>
> > mailstore01 A 192.168.2.1
> > MX 10 mx1
> > MX 12 mx2
> > MX 14 mx3
> >
> > From what I understand, this forces mail sent to host.domain to always
> > go through one of the MX servers. But is this necessary for the mail
> > store ? Are there any known side effects ? I am trying to ascertain if
> > it's causing an occasional problem I'm having with mail delivered to our
> > domain bouncing with the following error:
> No. If there's no hostname on the left, it means "domain" itself. In
> other words, the MX entries apply to the domain, not the hostname.

Erm, I'm trippin' today. Sorry, you were right, means it has to go through MX's. Whether it is *necessary* depends on your local setup. Does host really accept mail directly?

> highest-priority mx is in fact accepting mail instead of bouncing it
> around.

yeah ;

From bkominik at gmail.com Wed Jun 13 10:51:48 2007
From: bkominik at gmail.com (Barry Kominik)
Date: Wed, 13 Jun 2007 10:51:48 -0400
Subject: [nycbug-talk] OpenBSD PF help
In-Reply-To: <200706130834.46749.lists@intricatesoftware.com>
References: <447281df0706110923p1f44c7f8ie77ba2949eb1ddcd@mail.gmail.com> <200706130834.46749.lists@intricatesoftware.com>
Message-ID: <447281df0706130751l598e3f40q85ad44db071b4d9c@mail.gmail.com>

On 6/13/07, Kurt Miller wrote:
>
> On Monday 11 June 2007 12:23:51 pm Barry Kominik wrote:
> > Hi,
> > I'm having problems getting a pf filter working. I must be doing something
> > simple wrong, anybody have any advice?
> >
> > I have two public routable IP blocks, let's say 1.1.1.1/29 and 2.2.2.1/28.
> > The colo routes both networks to my handoff. I have the int0 connected to
> > the handoff from the co-lo and ext0 configured as the 2.2.2.1. I have
> > net.inet.ip.forwarding=1. Shouldn't basic routing work without even enabling
> > the firewall? Hosts on the 2 network can ping through to the
> > 1.1.1.1 interface, but not beyond. Hosts on the internet can see
> > 1.1.1.1 but nothing on the 2. network. I can get this to work by setting up
> > a bridge between the interfaces, but this strikes me as incorrect. Am I
> > missing something simple? If not I can pay for some consulting time.
> >
> > Thanks,
> > Barry
> >
>
> Is /etc/mygate on the router set?

Yes /etc/mygate is set and net.inet.ip.forwarding=1. I also configured /etc/networks and tried /etc/gateway. pf is disabled. Shouldn't basic routing work straight away? The routing table looks to me like it gets populated correctly. If I do a tcpdump on the northbound interface I can see the proper packets, but they are not traversing the router.

B

From af.dingo at gmail.com Wed Jun 13 11:51:49 2007
From: af.dingo at gmail.com (Jeff Quast)
Date: Wed, 13 Jun 2007 11:51:49 -0400
Subject: [nycbug-talk] OpenBSD PF help
In-Reply-To:
References: <447281df0706110923p1f44c7f8ie77ba2949eb1ddcd@mail.gmail.com> <200706130834.46749.lists@intricatesoftware.com>
Message-ID:

duh... sent it to the wrong guy!

---------- Forwarded message ----------
From: Jeff Quast
Date: Jun 13, 2007 9:27 AM
Subject: Re: [nycbug-talk] OpenBSD PF help
To: kurt at intricatesoftware.com

On 6/13/07, Kurt Miller wrote:
> On Monday 11 June 2007 12:23:51 pm Barry Kominik wrote:
> > Hi,
> > I'm having problems getting a pf filter working. I must be doing something
> > simple wrong, anybody have any advice?
> >
> > I have two public routable IP blocks, let's say 1.1.1.1/29 and 2.2.2.1/28.
> > The colo routes both networks to my handoff. I have the int0 connected to
> > the handoff from the co-lo and ext0 configured as the 2.2.2.1. I have
> > net.inet.ip.forwarding=1. Shouldn't basic routing work without even enabling
> > the firewall? Hosts on the 2 network can ping through to the
> > 1.1.1.1 interface, but not beyond. Hosts on the internet can see
> > 1.1.1.1 but nothing on the 2. network. I can get this to work by setting up
> > a bridge between the interfaces, but this strikes me as incorrect. Am I
> > missing something simple? If not I can pay for some consulting time.
> >
> > Thanks,
> > Barry
> >
>
> Is /etc/mygate on the router set?

The client on the 2.2.2.* network needs to understand that 2.2.2.1 is the router for reaching the 1.1.1.* network.

add it manually to the client(s) via route

From bkominik at gmail.com Wed Jun 13 12:32:42 2007
From: bkominik at gmail.com (Barry Kominik)
Date: Wed, 13 Jun 2007 12:32:42 -0400
Subject: [nycbug-talk] OpenBSD PF help
In-Reply-To:
References: <447281df0706110923p1f44c7f8ie77ba2949eb1ddcd@mail.gmail.com> <200706130834.46749.lists@intricatesoftware.com>
Message-ID: <447281df0706130932k1c1a5f99le6a8756917144bc9@mail.gmail.com>

On 6/13/07, Jeff Quast wrote:
>
> duh... sent it to the wrong guy!
>
> ---------- Forwarded message ----------
> From: Jeff Quast
> Date: Jun 13, 2007 9:27 AM
> Subject: Re: [nycbug-talk] OpenBSD PF help
> To: kurt at intricatesoftware.com
>
>
> On 6/13/07, Kurt Miller wrote:
> > On Monday 11 June 2007 12:23:51 pm Barry Kominik wrote:
> > > Hi,
> > > I'm having problems getting a pf filter working. I must be doing something
> > > simple wrong, anybody have any advice?
> > >
> > > I have two public routable IP blocks, let's say 1.1.1.1/29 and 2.2.2.1/28.
> > > The colo routes both networks to my handoff. I have the int0 connected to
> > > the handoff from the co-lo and ext0 configured as the 2.2.2.1. I have
> > > net.inet.ip.forwarding=1.
> > > Shouldn't basic routing work without even enabling
> > > the firewall? Hosts on the 2 network can ping through to the
> > > 1.1.1.1 interface, but not beyond. Hosts on the internet can see
> > > 1.1.1.1 but nothing on the 2. network. I can get this to work by setting up
> > > a bridge between the interfaces, but this strikes me as incorrect. Am I
> > > missing something simple? If not I can pay for some consulting time.
> > >
> > > Thanks,
> > > Barry
> > >
> >
> > Is /etc/mygate on the router set?
>
> The client on the 2.2.2.* network needs to understand that 2.2.2.1 is
> the router for reaching the 1.1.1.* network.
>
> add it manually to the client(s) via route

The clients on 2.2.2 have the southbound interface of the router as the default gateway. Shouldn't that have all traffic for other networks go to the router?

From bonsaime at gmail.com Wed Jun 13 13:27:42 2007
From: bonsaime at gmail.com (Jesse Callaway)
Date: Wed, 13 Jun 2007 13:27:42 -0400
Subject: [nycbug-talk] OpenBSD PF help
In-Reply-To: <447281df0706130932k1c1a5f99le6a8756917144bc9@mail.gmail.com>
References: <447281df0706110923p1f44c7f8ie77ba2949eb1ddcd@mail.gmail.com> <200706130834.46749.lists@intricatesoftware.com> <447281df0706130932k1c1a5f99le6a8756917144bc9@mail.gmail.com>
Message-ID:

You'll have to reply to Brian Seklecki's query to get any further with this one. Please send your netstat -rn, and ifconfig. Also a 'route show' wouldn't hurt.

What is the error message you get when you ping out to yahoo from a client behind the router? You should see some stupid message... host is down or something... this is useful. The exact message is useful, not whether you could or could not ping.

and of course you can ping yahoo from the router, or otherwise access the Internet... right?

From what I see, you have some machines which don't use your router at all.. What interface is the 1.1.1.1 ip assigned to?
Is that your router or the colo?

-jesse

From bkominik at gmail.com Wed Jun 13 15:06:14 2007
From: bkominik at gmail.com (Barry Kominik)
Date: Wed, 13 Jun 2007 15:06:14 -0400
Subject: [nycbug-talk] OpenBSD PF help
In-Reply-To:
References: <447281df0706110923p1f44c7f8ie77ba2949eb1ddcd@mail.gmail.com> <200706130834.46749.lists@intricatesoftware.com> <447281df0706130932k1c1a5f99le6a8756917144bc9@mail.gmail.com>
Message-ID: <447281df0706131206q1eae54bfg7502f64d0a839b66@mail.gmail.com>

> From what I see, you have some machines which don't use your router at
> all.. What interface is the 1.1.1.1 ip assigned to? Is that your
> router or the colo?
>
> -jesse
>

the handoff network is 1.1.1.232/29 connected to bge0
The inside is 2.2.2.224/28 connected to bge1

The networks do not overlap. The firewall machine can access the internet fine. I get "ping: unknown host xxx.com". A tcp dump on the south interface, bge1, shows the packets going to the dns server. A dump on the north side, bge0, shows the request going out and the response coming back. The response never traverses the router. I have net.inet.ip.forwarding=1. pf is not running. Does the bge0 need to be in promiscuous mode in order to process the packets?
$ netstat -rn -f inet
Routing tables

Internet:
Destination        Gateway            Flags   Refs     Use    Mtu  Interface
default            1.1.1.233          UGS        9  311171      -  bge0
10.1.1/24          link#1             UC         0       0      -  nfe0
2.2.2.224/28       link#4             UC         4       0      -  bge1
2.2.2.225          00:05:dc:93:38:00  UHLc       0       0      -  bge1
2.2.2.226          00:1b:24:3d:73:5f  UHLc       0    3543      -  lo0
2.2.2.234          00:17:f2:c7:ef:15  UHLc       2    4828      -  L bge1
2.2.2.237          00:14:4f:7d:a1:34  UHLc       1     334      -  bge1
127/8              127.0.0.1          UGRS       0       0  33192  lo0
127.0.0.1          127.0.0.1          UH         1     210  33192  lo0
1.1.1.232/29       link#3             UC         1       0      -  bge0
1.1.1.233          00:05:dc:93:38:00  UHLc       1       0      -  bge0
224/4              127.0.0.1          URS        0       0  33192  lo0

$ ifconfig -a
lo0: flags=8049 mtu 33192
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
nfe0: flags=8843 mtu 1500
        lladdr 00:1b:24:3d:73:60
        media: Ethernet 1000baseT full-duplex (none)
        status: no carrier
        inet 10.1.1.1 netmask 0xffffff00 broadcast 10.1.1.255
        inet6 fe80::21b:24ff:fe3d:7360%nfe0 prefixlen 64 scopeid 0x1
nfe1: flags=8802 mtu 1500
        lladdr 00:1b:24:3d:73:61
        media: Ethernet autoselect (none)
        status: no carrier
bge0: flags=8843 mtu 1500
        lladdr 00:1b:24:3d:73:5e
        groups: egress
        media: Ethernet 100baseTX full-duplex
        status: active
        inet 1.1.1.235 netmask 0xfffffff8 broadcast 1.1.1.239
        inet6 fe80::21b:24ff:fe3d:735e%bge0 prefixlen 64 scopeid 0x3
bge1: flags=8843 mtu 1500
        lladdr 00:1b:24:3d:73:5f
        media: Ethernet 1000baseT full-duplex (1000baseT full-duplex,master)
        status: active
        inet 2.2.2.226 netmask 0xfffffff0 broadcast 2.2.2.239
        inet6 fe80::21b:24ff:fe3d:735f%bge1 prefixlen 64 scopeid 0x4
pflog0: flags=0<> mtu 33192
enc0: flags=0<> mtu 1536

From okan at demirmen.com Wed Jun 13 15:17:10 2007
From: okan at demirmen.com (Okan Demirmen)
Date: Wed, 13 Jun 2007 15:17:10 -0400
Subject: [nycbug-talk] OpenBSD PF help
In-Reply-To: <447281df0706131206q1eae54bfg7502f64d0a839b66@mail.gmail.com>
References: <447281df0706110923p1f44c7f8ie77ba2949eb1ddcd@mail.gmail.com> <200706130834.46749.lists@intricatesoftware.com>
    <447281df0706130932k1c1a5f99le6a8756917144bc9@mail.gmail.com> <447281df0706131206q1eae54bfg7502f64d0a839b66@mail.gmail.com>
Message-ID: <20070613191710.GS12161@clam.khaoz.org>

On Wed 2007.06.13 at 15:06 -0400, Barry Kominik wrote:
> > From what I see, you have some machines which don't use your router at
> > all.. What interface is the 1.1.1.1 ip assigned to? Is that your
> > router or the colo?
> >
> > -jesse
> >
>
> the handoff network is 1.1.1.232/29 connected to bge0
> The inside is 2.2.2.224/28 connected to bge1
>
> The networks do not overlap. The firewall machine can access the
> internet fine. I get "ping: unknown host xxx.com". A tcp dump on the
> south interface, bge1, shows the packets going to the dns server. A
> dump on the north side, bge0, shows the request going out and the
> response coming back. The response never traverses the router. I have
> net.inet.ip.forwarding=1. pf is not running. Does the bge0 need to be
> in promiscuous mode in order to process the packets?

your first hint was when you did your bridging test; brian mentioned what your isp needs to be doing; and 3rd, your tcpdump results.

you are *supposed* to have one 'connected' network and one 'routed' network. it seems that latter is _not_ 'routed', but rather 'connected'. talk to your isp.
From bkominik at gmail.com Wed Jun 13 15:44:04 2007
From: bkominik at gmail.com (Barry Kominik)
Date: Wed, 13 Jun 2007 15:44:04 -0400
Subject: [nycbug-talk] OpenBSD PF help
In-Reply-To: <20070613191710.GS12161@clam.khaoz.org>
References: <447281df0706110923p1f44c7f8ie77ba2949eb1ddcd@mail.gmail.com> <200706130834.46749.lists@intricatesoftware.com> <447281df0706130932k1c1a5f99le6a8756917144bc9@mail.gmail.com> <447281df0706131206q1eae54bfg7502f64d0a839b66@mail.gmail.com> <20070613191710.GS12161@clam.khaoz.org>
Message-ID: <447281df0706131244k2577d784o84f0e345fe03d25d@mail.gmail.com>

On 6/13/07, Okan Demirmen wrote:
> On Wed 2007.06.13 at 15:06 -0400, Barry Kominik wrote:
> > > From what I see, you have some machines which don't use your router at
> > > all.. What interface is the 1.1.1.1 ip assigned to? Is that your
> > > router or the colo?
> > >
> > > -jesse
> > >
> >
> > the handoff network is 1.1.1.232/29 connected to bge0
> > The inside is 2.2.2.224/28 connected to bge1

Forgive my ignorance, but I want to clarify this before talking to the isp. As per the above, you are saying that the 1.1.1 should be 'connected' and 2.2.2 should be 'routed'?
From okan at demirmen.com Wed Jun 13 15:53:29 2007
From: okan at demirmen.com (Okan Demirmen)
Date: Wed, 13 Jun 2007 15:53:29 -0400
Subject: [nycbug-talk] OpenBSD PF help
In-Reply-To: <447281df0706131244k2577d784o84f0e345fe03d25d@mail.gmail.com>
References: <447281df0706110923p1f44c7f8ie77ba2949eb1ddcd@mail.gmail.com> <200706130834.46749.lists@intricatesoftware.com> <447281df0706130932k1c1a5f99le6a8756917144bc9@mail.gmail.com> <447281df0706131206q1eae54bfg7502f64d0a839b66@mail.gmail.com> <20070613191710.GS12161@clam.khaoz.org> <447281df0706131244k2577d784o84f0e345fe03d25d@mail.gmail.com>
Message-ID: <20070613195329.GU12161@clam.khaoz.org>

On Wed 2007.06.13 at 15:44 -0400, Barry Kominik wrote:
> On 6/13/07, Okan Demirmen wrote:
> > On Wed 2007.06.13 at 15:06 -0400, Barry Kominik wrote:
> > > > From what I see, you have some machines which don't use your router at
> > > > all.. What interface is the 1.1.1.1 ip assigned to? Is that your
> > > > router or the colo?
> > > >
> > > > -jesse
> > > >
> > >
> > > the handoff network is 1.1.1.232/29 connected to bge0
> > > The inside is 2.2.2.224/28 connected to bge1
>
> Forgive my ignorance, but I want to clarify this before talking to the
> isp. As per the above, you are saying that the 1.1.1 should be
> 'connected' and 2.2.2 should be 'routed'?

yes. they need a static route (or you advertise to them via a routing protocol - very likely the former) for 2.2.2.224/28.
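The diagnosis Okan gives above (the ISP's static route for the inside block has to point at this router's own address on the handoff network) turned into a check against the router's tables. This is an added example, not code from the thread: NETSTAT and IFCONFIG are constructed samples trimmed from the output Barry posted, and check_upstream_route() with its problem codes are hypothetical names for the conditions the thread worked out.

```python
"""Check an ISP's static route against an OpenBSD router's own tables.

Added example, not code from the thread: NETSTAT and IFCONFIG are constructed
samples trimmed from the output Barry posted; check_upstream_route() and its
problem codes are hypothetical names for the diagnosis the thread reached.
"""
import ipaddress
import re
from collections import namedtuple

NETSTAT = """\
Destination        Gateway            Flags  Refs    Use    Mtu  Interface
default            1.1.1.233          UGS       9  311171     -  bge0
2.2.2.224/28       link#4             UC        4       0     -  bge1
2.2.2.234          00:17:f2:c7:ef:15  UHLc      2    4828     -  L bge1
1.1.1.232/29       link#3             UC        1       0     -  bge0
1.1.1.233          00:05:dc:93:38:00  UHLc      1       0     -  bge0
"""
IFCONFIG = """\
bge0: flags=8843 mtu 1500
        inet 1.1.1.235 netmask 0xfffffff8 broadcast 1.1.1.239
bge1: flags=8843 mtu 1500
        inet 2.2.2.226 netmask 0xfffffff0 broadcast 2.2.2.239
"""

Route = namedtuple("Route", "dest gateway flags iface")

def _to_network(text):
    """OpenBSD netstat prints '10.1.1/24' and '127/8': pad to four octets."""
    if text == "default":
        return ipaddress.IPv4Network("0.0.0.0/0")
    addr, _, plen = text.partition("/")
    octets = addr.split(".")
    addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.IPv4Network(f"{addr}/{plen or 32}", strict=False)

def parse_routes(text):
    """Parse 'netstat -rn -f inet'; the interface is always the last column."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 7 or cols[0] == "Destination":
            continue  # banner, blank and header lines
        routes.append(Route(_to_network(cols[0]), cols[1], cols[2], cols[-1]))
    return routes

def connected_networks(routes):
    """Directly attached networks ('C' flag, link#N gateway), per interface."""
    out = {}
    for r in routes:
        if "C" in r.flags and r.gateway.startswith("link#"):
            out.setdefault(r.iface, []).append(r.dest)
    return out

def parse_ifconfig(text):
    """Map interface name -> IPv4 addresses it owns (hex netmask expanded)."""
    out, iface = {}, None
    for line in text.splitlines():
        head = re.match(r"^(\w+): flags=", line)
        if head:
            iface = head.group(1)
            out.setdefault(iface, [])
            continue
        inet = re.match(r"^\s+inet (\S+) netmask (0x[0-9a-fA-F]+)", line)
        if inet and iface:
            mask = ipaddress.IPv4Address(int(inet.group(2), 16))
            out[iface].append(ipaddress.IPv4Interface(f"{inet.group(1)}/{mask}"))
    return out

def check_upstream_route(routed_prefix, isp_next_hop, netstat_text, ifconfig_text):
    """Return (ok, problem_codes) for the ISP's 'routed_prefix via isp_next_hop'."""
    prefix = ipaddress.IPv4Network(routed_prefix)
    next_hop = ipaddress.IPv4Address(isp_next_hop)
    routes = parse_routes(netstat_text)
    connected = connected_networks(routes)
    owned = parse_ifconfig(ifconfig_text)
    problems = []

    # The routed block must be directly attached here (the 'inside' side).
    if not any(prefix in nets for nets in connected.values()):
        problems.append("PREFIX_NOT_CONNECTED")

    # The 'north' interface is the one our own default route leaves by.
    default = next((r for r in routes if r.dest.prefixlen == 0), None)
    if default is None:
        return (False, problems + ["NO_DEFAULT_ROUTE"])
    north = default.iface

    # The ISP's next hop must be on the handoff network AND be an address this
    # router owns there. Pointing at the ISP's own port (1.1.1.233 here) is
    # the failure in the thread: traffic for the block never gets handed to us.
    if not any(next_hop in n for n in connected.get(north, [])):
        problems.append("NEXT_HOP_OFF_HANDOFF")
    elif not any(a.ip == next_hop for a in owned.get(north, [])):
        problems.append("NEXT_HOP_NOT_THIS_ROUTER")
    return (not problems, problems)

if __name__ == "__main__":
    for hop in ("1.1.1.233", "1.1.1.235"):
        ok, why = check_upstream_route("2.2.2.224/28", hop, NETSTAT, IFCONFIG)
        print(f"ISP route 2.2.2.224/28 via {hop}: {'OK' if ok else why}")
```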
From bkominik at gmail.com Wed Jun 13 18:00:18 2007
From: bkominik at gmail.com (Barry Kominik)
Date: Wed, 13 Jun 2007 18:00:18 -0400
Subject: [nycbug-talk] OpenBSD PF help
In-Reply-To: <20070613195329.GU12161@clam.khaoz.org>
References: <447281df0706110923p1f44c7f8ie77ba2949eb1ddcd@mail.gmail.com> <200706130834.46749.lists@intricatesoftware.com> <447281df0706130932k1c1a5f99le6a8756917144bc9@mail.gmail.com> <447281df0706131206q1eae54bfg7502f64d0a839b66@mail.gmail.com> <20070613191710.GS12161@clam.khaoz.org> <447281df0706131244k2577d784o84f0e345fe03d25d@mail.gmail.com> <20070613195329.GU12161@clam.khaoz.org>
Message-ID: <447281df0706131500o1338f8f7s1261f2c6aefe299b@mail.gmail.com>

ok, maybe I'm getting somewhere. ISP says "2.2.2.224/28 is routed to you statically. It is up to you to take the routing from the handoff for this subnet." Does this mean I need to run routed? Since I only have two networks, each connected to an interface and the routing table gets set up properly, do I still need to have an /etc/gateways file?

From okan at demirmen.com Wed Jun 13 19:55:01 2007
From: okan at demirmen.com (Okan Demirmen)
Date: Wed, 13 Jun 2007 19:55:01 -0400
Subject: [nycbug-talk] OpenBSD PF help
In-Reply-To: <447281df0706131500o1338f8f7s1261f2c6aefe299b@mail.gmail.com>
References: <200706130834.46749.lists@intricatesoftware.com> <447281df0706130932k1c1a5f99le6a8756917144bc9@mail.gmail.com> <447281df0706131206q1eae54bfg7502f64d0a839b66@mail.gmail.com> <20070613191710.GS12161@clam.khaoz.org> <447281df0706131244k2577d784o84f0e345fe03d25d@mail.gmail.com> <20070613195329.GU12161@clam.khaoz.org> <447281df0706131500o1338f8f7s1261f2c6aefe299b@mail.gmail.com>
Message-ID: <20070613235501.GA12161@clam.khaoz.org>

On Wed 2007.06.13 at 18:00 -0400, Barry Kominik wrote:
> ok, maybe I'm getting somewhere. ISP says "2.2.2.224/28 is routed to
> you statically. It is up to you to take the routing from the handoff
> for this subnet." Does this mean I need to run routed?
> Since I only
> have two networks, each connected to an interface and the routing
> table gets set up properly, do I still need to have an /etc/gateways
> file?

no need for anything, except for /etc/mygate with your default route to the 'world' (e.g. your isp).

when they say "2.2.2.224/28 is routed to you statically..." to *what* are they supposedly routing 'to'? basically their routing table *should* have a 'next hop' of 1.1.1.238 (or whatever your 'outside', 'north', or 'connected' interface is bound) for 2.2.2.224/28. ask them to what their static route points. (in layman's terms...)

From kacanski_s at yahoo.com Wed Jun 13 22:39:23 2007
From: kacanski_s at yahoo.com (Aleksandar Kacanski)
Date: Wed, 13 Jun 2007 19:39:23 -0700 (PDT)
Subject: [nycbug-talk] BSD gfs/qfs alternatives
Message-ID: <458222.69849.qm@web53612.mail.re2.yahoo.com>

Hello,
what are *BSD alternatives for global file system(RH) and sun's qfs?
thanks,
Aleksandar (Sasha) Kacanski

From carton at Ivy.NET Thu Jun 14 02:55:50 2007
From: carton at Ivy.NET (Miles Nordin)
Date: Thu, 14 Jun 2007 02:55:50 -0400
Subject: [nycbug-talk] BSD gfs/qfs alternatives
In-Reply-To: <458222.69849.qm@web53612.mail.re2.yahoo.com> (Aleksandar Kacanski's message of "Wed, 13 Jun 2007 19:39:23 -0700 (PDT)")
References: <458222.69849.qm@web53612.mail.re2.yahoo.com>
Message-ID:

>>>>> "ak" == Aleksandar Kacanski writes:

    ak> what are *BSD alternatives for global file system(RH) and
    ak> sun's qfs?

I don't think we have any. not sure how good the FC stack is, either.
From carton at Ivy.NET Thu Jun 14 03:00:38 2007
From: carton at Ivy.NET (Miles Nordin)
Date: Thu, 14 Jun 2007 03:00:38 -0400
Subject: [nycbug-talk] BIND and MX records
In-Reply-To: <467001F4.9090805@gmail.com> (Rodrique Heron's message of "Wed, 13 Jun 2007 10:40:52 -0400")
References: <467001F4.9090805@gmail.com>
Message-ID:

>>>>> "rh" == Rodrique Heron writes:

stuff like this is traditional:

    amber.Ivy.NET.    A     1.2.3.4
                      MX    0 amber.Ivy.NET.

I think it saves one DNS round-trip for the guy sending you mail. but it's mostly for tradition that you put it there, so we can recognize each other as part of the old tribe.

your example was not like the above. It was different.

If you have a mail loop, just look at the Received-by: headers in the bounced message.

From lists at stringsutils.com Thu Jun 14 09:45:33 2007
From: lists at stringsutils.com (Francisco Reyes)
Date: Thu, 14 Jun 2007 09:45:33 -0400
Subject: [nycbug-talk] BSD gfs/qfs alternatives
References: <458222.69849.qm@web53612.mail.re2.yahoo.com>
Message-ID:

Miles Nordin writes:

>>>>>> "ak" == Aleksandar Kacanski writes:
> ak> what are *BSD alternatives for global file system(RH) and
> ak> sun's qfs?
>
> I don't think we have any.

There is a network RAID 1 setup (well sort of) that seems to work. It is geom_gate
Unfortunately there is very little information on how to set it up.

A co-worker set it up and is in the testing phase.
I am hoping to convince "management" to allow us to write up a guide.

So far the only issue we found is that it locks up with files 5GB or greater.

Can't even find you links to point you in the right direction right now.
Will ask co-worker for the right man pages so you can take a look.
We initially found it while looking for DRBD in FreeBSD. You may try googling for that.

The only thing I recall about the setup is that you change two variables in /boot/default/loader.conf

geom_mirror_load="NO"
geom_gate_load="NO"

From swygue at gmail.com Thu Jun 14 09:50:38 2007
From: swygue at gmail.com (Rodrique Heron)
Date: Thu, 14 Jun 2007 09:50:38 -0400
Subject: [nycbug-talk] BSD gfs/qfs alternatives
In-Reply-To:
References: <458222.69849.qm@web53612.mail.re2.yahoo.com>
Message-ID: <467147AE.5000007@gmail.com>

Francisco Reyes wrote:
> Miles Nordin writes:
>
>>>>>>> "ak" == Aleksandar Kacanski writes:
>>>>>>>
>> ak> what are *BSD alternatives for global file system(RH) and
>> ak> sun's qfs?
>>
>> I don't think we have any.
>>
>
> There is a network RAID 1 setup (well sort of) that seems to work.
> It is geom_gate
> Unfortunately there is very little information on how to set it up.
>
> A co-worker set it up and is in the testing phase.
> I am hoping to convince "management" to allow us to write up a guide.
>
> So far the only issue we found is that it locks up with files 5GB or
> greater.
>
> Can't even find you links to point you in the right direction right now.
> Will ask co-worker for the right man pages so you can take a look.
> We initially found it while looking for DRBD in FreeBSD. You may try
> googling for that.
>
> The only thing I recall about the setup is that you change two variables in
> /boot/default/loader.conf
>
> geom_mirror_load="NO"
> geom_gate_load="NO"
>

Check Gianpaolo Del Matto site: http://phaq.phunsites.net/, he did a write up on geom_gate.
From pete at nomadlogic.org Thu Jun 14 12:36:54 2007
From: pete at nomadlogic.org (Peter Wright)
Date: Thu, 14 Jun 2007 09:36:54 -0700 (PDT)
Subject: [nycbug-talk] BSD gfs/qfs alternatives
In-Reply-To: <458222.69849.qm@web53612.mail.re2.yahoo.com>
References: <458222.69849.qm@web53612.mail.re2.yahoo.com>
Message-ID: <48107.160.33.20.11.1181839014.squirrel@webmail.nomadlogic.org>

> Hello,
> what are *BSD alternatives for global file system(RH) and sun's qfs?
> thanks,
>

sure! isilon systems makes an appliance that is based on FreeBSD and uses a global filesystem to stripe data between nodes in the cluster:

http://www.isilon.com/

you get excellent read performance, writes - not so much... although i suspect you are looking for a more DIY approach ;)

i am yet to see a decent OSS implementation of a high performance global filesystem - we've done some R&D work on RHEL's GFS2, and it's not anywhere close to being there yet in terms of production use. the foundation is there in FreeBSD to do something like this using GEOM - and zfs has also made it into 7.x as well, so depending on your needs there may be some steam growing behind this in the future....
-p

--
~~oO00Oo~~
Peter Wright
pete at nomadlogic.org
www.nomadlogic.org/~pete
310.869.9459

From bkominik at gmail.com Thu Jun 14 14:00:57 2007
From: bkominik at gmail.com (Barry Kominik)
Date: Thu, 14 Jun 2007 14:00:57 -0400
Subject: [nycbug-talk] OpenBSD PF help
In-Reply-To: <20070613235501.GA12161@clam.khaoz.org>
References: <200706130834.46749.lists@intricatesoftware.com> <447281df0706130932k1c1a5f99le6a8756917144bc9@mail.gmail.com> <447281df0706131206q1eae54bfg7502f64d0a839b66@mail.gmail.com> <20070613191710.GS12161@clam.khaoz.org> <447281df0706131244k2577d784o84f0e345fe03d25d@mail.gmail.com> <20070613195329.GU12161@clam.khaoz.org> <447281df0706131500o1338f8f7s1261f2c6aefe299b@mail.gmail.com> <20070613235501.GA12161@clam.khaoz.org>
Message-ID: <447281df0706141100o73bf9819g66b79a9bff519c7b@mail.gmail.com>

Thanks everyone! I now have it working. The issue turned out to be that the ISP was routing to my port, not my northbound interface. Now they route to the interface ip address and packets are flowing.

Thanks to the community for helping me work through this. I learned a lot about routing, even though what I was doing was "correct"

Thanks!
B

From carton at Ivy.NET Fri Jun 15 06:15:07 2007
From: carton at Ivy.NET (Miles Nordin)
Date: Fri, 15 Jun 2007 06:15:07 -0400
Subject: [nycbug-talk] [announce] Tonight: NYC*BUG at the Soho Apple Store
In-Reply-To: (alex@pilosoft.com's message of "Fri, 8 Jun 2007 09:13:16 -0400 (EDT)")
References:
Message-ID:

>>>>> "a" == alex writes:

    a> Wrong. These are your bits, you requested them, you pay for
    a> them, you deal with them.

I think the idea is that netadmins at ISP's need to show some stewardship over the part of the Internet they control, just as sysadmins did very diligently and aggressively with the spam problem. I don't see that happening so far.

I'm in Dubai right now setting up some 6500's on a dark fiber ring. It's kinda fun, and easy.
one thing I found in reading about them is:

  ip verify unicast source reachable-via {any | rx}
    -- loose/strict uRPF. acl-permitted packets skip the uRPF check
    -- note this is an interface command, so usually you won't need the acl.

  mls ip cef rpf hw-enable-rpf-acl
    -- hardware PFC uRPF acceleration.
       yes = PFC-switch acl-denied uRPF-subject packets, and MSFC-switch
             (more slowly) acl-permitted no-uRPF-check packets
       no  = PFC-switch acl-permitted no-uRPF-check packets, and MSFC-switch
             (more slowly) acl-denied uRPF-subject maybe-DDoS packets
    -- both ways are not so good if you need the ACL. :'
       also note this is a global command. you can't pick a different
       preference on each interface.

  mls ip cef rpf interface-group
  mls ip cef rpf multipath ?
    -- hardware uRPF has some complicated limitations for multipath routes.
       the newest stuff supports two paths automatically, but if you want
       three you have to deal with these commands.

some of this only a few months old in the 6500. and it seems to have lots of limitations. but, it's there, and it's meant specifically for building the beginnings of an anti-DDoS architecture. uRPF is an old idea, and it looks now like we are just now getting hardware that can do it performantly.

Long-term I think we need some way to recognize infected windows machines and turn off their accounts, and we need to give ISP's that host infected windows machines some incentive for doing this.
At this point, not only is that ability far away tools-wise, but I don't think ISP's would be willing to do it because it would upset customers and load their support lines, so they don't give a shit and say ``never mind, the web hosters are requesting to receive massive extortionist attacks from our virus-cesspool customer APRU-farm.'' DDoS is a problem that Level3 customers cause for Cogent customers, so the division between Interweb ISP's and hosting ISP's means the incentive is missing---if people are just going to be small businessmen rather than stewards, this DDoS problem will never be solved.

From alex at pilosoft.com Fri Jun 15 11:09:43 2007
From: alex at pilosoft.com (Alex Pilosov)
Date: Fri, 15 Jun 2007 11:09:43 -0400 (EDT)
Subject: [nycbug-talk] [announce] Tonight: NYC*BUG at the Soho Apple Store
In-Reply-To:
Message-ID:

On Fri, 15 Jun 2007, Miles Nordin wrote:

> >>>>> "a" == alex writes:
>
> a> Wrong. These are your bits, you requested them, you pay for
> a> them, you deal with them.
>
> I think the idea is that netadmins at ISP's need to show some
> stewardship over the part of the Internet they control, just as
> sysadmins did very diligently and aggressively with the spam problem. I
> don't see that happening so far.
>
> I'm in Dubai right now setting up some 6500's on a dark fiber ring. It's
> kinda fun, and easy. one thing I found in reading about them is:

I'm sorry (for your customers).

> some of this only a few months old in the 6500. and it seems to have
> lots of limitations. but, it's there, and it's meant specifically for
> building the beginnings of an anti-DDoS architecture. uRPF is an old
> idea, and it looks now like we are just now getting hardware that can do
> it performantly.

No, uRPF has really nothing to do with DDOS. The DDOS traffic is not spoofed. Try again.
> Long-term I think we need some way to recognize infected windows
> machines and turn off their accounts, and we need to give ISP's that
> host infected windows machines some incentive for doing this. At this
> point, not only is that ability far away tools-wise, but I don't think
> ISP's would be willing to do it because it would upset customers and
> load their support lines, so they don't give a shit and say ``never
> mind, the web hosters are requesting to receive massive extortionist
> attacks from our virus-cesspool customer APRU-farm.'' DDoS is a problem
> that Level3 customers cause for Cogent customers, so the division
> between Interweb ISP's and hosting ISP's means the incentive is
> missing---if people are just going to be small businessmen rather than
> stewards, this DDoS problem will never be solved.

There aren't good tools nor cooperation at the moment. There are many smart people working on this, though, and maybe in X years we'll have something.

-alex

From asr+nycbug at latency.net Fri Jun 15 11:10:11 2007
From: asr+nycbug at latency.net (Adam Rothschild)
Date: Fri, 15 Jun 2007 11:10:11 -0400
Subject: [nycbug-talk] [announce] Tonight: NYC*BUG at the Soho Apple Store
In-Reply-To:
References:
Message-ID: <20070615151011.GT12560@latency.net>

On 2007-06-15-06:15:07, Miles Nordin wrote:
> I think the idea is that netadmins at ISP's need to show some
> stewardship over the part of the Internet they control

Yes and no. Play too much of an active role, and customers will (as you've later commented) complain. Legally and politically, "common carrier" boundaries and their associated protections get further blurred...

> sysadmins did very diligently and aggressively with the spam problem.

"not so much"...

> [...] uRPF is an old idea, and it looks now like we are just now
> getting hardware that can do it performantly.

On paper, strict-mode uRPF is a sane baseline configuration for simple ("cookie cutter") singly-homed customers.
And loose-mode uRPF should satisfy the needs of most multi-homed customers and their potentially asymmetric traffic flows.

In practice, this isn't as simple as it may seem. Much of the provider-edge hardware you'll find commonly deployed today simply does not support uRPF, or does so by halving the FIB (or some other equally brain-dead method), which doesn't scale particularly well. (Could you mimic uRPF-like functionality with ACLs? Perhaps, and some folk are, but that's a bit of a provisioning/config-gen nightmare on a large scale; plus you're playing with fire and run the risk of TCAM scaling limitations depending on platform...)

...and when was the last time you saw a multi-gigabit attack where spoofed address space was even a significant factor?

> Long-term I think we need some way to recognize infected windows
> machines and turn off their accounts, and we need to give ISP's that
> host infected windows machines some incentive for doing this. At this
> point, not only is that ability far away tools-wise

This is somewhat workable today with a combination of coarse netflow analysis, octets/packets-per second trending on customer-facing interfaces ("CS 101" type stuff), and looking at what gets hit in internal and external "dark space".

> DDoS is a problem that Level3 customers cause for Cogent customers

Perhaps, but I can assure you that's not why their peerings are running hot. :-)

-a

From chsnyder at gmail.com Fri Jun 15 11:12:21 2007
From: chsnyder at gmail.com (csnyder)
Date: Fri, 15 Jun 2007 11:12:21 -0400
Subject: [nycbug-talk] [announce] Tonight: NYC*BUG at the Soho Apple Store
In-Reply-To:
References:
Message-ID:

On 6/15/07, Miles Nordin wrote:
> Long-term I think we need some way to recognize infected windows
> machines and turn off their accounts, and we need to give ISP's that
> host infected windows machines some incentive for doing this.
> At this point, not only is that ability far away tools-wise, but I don't think
> ISP's would be willing to do it because it would upset customers and
> load their support lines, so they don't give a shit and say ``never
> mind, the web hosters are requesting to receive massive extortionist
> attacks from our virus-cesspool customer APRU-farm.'' DDoS is a
> problem that Level3 customers cause for Cogent customers, so the
> division between Interweb ISP's and hosting ISP's means the incentive
> is missing---if people are just going to be small businessmen rather
> than stewards, this DDoS problem will never be solved.
>

Purely from a lay point of view, this is extremely sensible. It would also be easy to do if the infected desktops only existed in North America. Sell it as the equivalent of handing out fix-it tickets to motorists with dangerous cars, and people would suck it up and pretend to be glad that you caught their computers behaving badly.

-- 
Chris Snyder
http://chxo.com/

From carton at Ivy.NET Sat Jun 16 05:00:48 2007
From: carton at Ivy.NET (Miles Nordin)
Date: Sat, 16 Jun 2007 05:00:48 -0400
Subject: [nycbug-talk] [announce] Tonight: NYC*BUG at the Soho Apple Store
In-Reply-To: (Alex Pilosov's message of "Fri, 15 Jun 2007 11:09:43 -0400 (EDT)")
References: <20070615151011.GT12560@latency.net>

>>>>> "ap" == Alex Pilosov writes:
>>>>> "ar" == Adam Rothschild writes:

    ap> I'm sorry (for your customers).

hah. well, they are quite happy so far. and i'm happy to have discovered this 'bfd' hardware fast-HELLO feature in Cisco. I think it has some real value. I hope I won't have to eat those words. :)

    ar> Play too much of an active role, and customers will (as you've
    ar> later commented) complain.

That makes sense. I guess there is plenty of this problem in the anti-spam world, also---people complaining about falsely-bounced mail and vindictive blackhole lists.
    ar> Much of the provider-edge hardware you'll find commonly
    ar> deployed today simply does not support uRPF, or does so by
    ar> halving the FIB (or some other equally brain-dead method),

I saw that---I think this is one thing which improved on the 6500 from Sup2 to Sup720. but there still seem to be some tricky bits to it---the multipath limitations, and the complicated rule about partial software-switching when you use the ``exempt from uRPF'' access list.

    ar> ...and when was the last time you saw a multi-gigabit attack
    ar> where spoofed address space was even a significant factor?

well, never---no experience with multi-gigabit attacks at all, so maybe uRPF isn't so important. But I would add

(1) it's important for the final architecture to work on attacks that are problems for customers, too, not just the attacks that are problems for ISP's. If we're designing some new architecture, even attacks that are so small you throw your heads back and laugh and say we've ``requested'' the attack ought to be dealt with.

And (2) I bet some form of uRPF will be part of a final architecture, that the other pieces won't work well without it. Maybe I'm wrong, but one way this is already happening, uRPF is immediately useful for non-spoofed attacks because you can distribute null routes over iBGP to quickly block by source address at the edge.

my first hack at an architecture would be:

(1) some ISP's implement the plan, and some don't.

(1a) implementing ISP's do uRPF on customers

(2) customers of implementing ISP's can request that traffic from a certain IP be blocked, and it will be, but only traffic from that IP _to_ the requesting customer.

(3) there's some ACL distribution protocol for pushing out these customer requests. If the source of the traffic is an implementing ISP, then that ISP must accept the request and block traffic at the source.
the traffic-source ISP will validate requests, and only take add-ACL requests with destination IP's advertised into BGP by the AS submitting the add-ACL request. ACL's time out after a couple hours.

(4) if the source isn't advertised by an implementing ISP, and the requesting customer doesn't have any incompetence/maliciousness points against him, the source IP is advertised over eBGP among implementing ISP's as a null route, and now ALL traffic from that IP passing through any implementing ISP, even traffic to non-implementing destinations, is blocked, not just traffic from that IP to the requesting customer.

(5) some kind of much more complicated uRPF to defend implementing ISP's against non-implementing ISP's trying to spoof traffic sourced from a prefix advertised by an implementing ISP. This may be best-effort, and needs the most further thought and is probably more than a SMOP.

the incentive to become an implementing ISP is:

(a) prebuilt tools you can offer customers to do (2),

(b) less DDoS flowing over your links because you gain the right to submit ACL's and null routes to at least _some_ other ISP's

(c) you won't have to worry about being blocked by uRPF/BGPnull in (4), so you can sell customers more reliable access into and through the clan of implementing ISP's

Obviously there's a lot to work out in this architecture. For example the ``source'' AS may be a multi-homed customer who isn't implementing the scheme. The scheme should be ready to send ACL-add requests in (3) at least one hop up in the AS path (if not even to any hop along the AS path), to at least try to reach the multi-homed customer's ISP before fully-blocking him with (4).

so hopefully the great minds already working on this are way ahead of me. The last thing I heard on the topic was this uRPF/BGPnull thing, which is really not very far along. I think the hardware is getting closer, though, at least ASIC-wise.
From spork at bway.net Sat Jun 16 11:56:17 2007
From: spork at bway.net (Charles Sprickman)
Date: Sat, 16 Jun 2007 11:56:17 -0400 (EDT)
Subject: [nycbug-talk] [OT] Cisco Parts FAST?

Hi all,

Long shot, but I'm out of the loop on this.

Anyone local know of a place to get a PA-A3-T3 card today? And if that's not the actual problem, a loaded 7206-VXR chassis?

Thanks,

Charles

From alex at pilosoft.com Sat Jun 16 12:07:15 2007
From: alex at pilosoft.com (Alex Pilosov)
Date: Sat, 16 Jun 2007 12:07:15 -0400 (EDT)
Subject: [nycbug-talk] [OT] Cisco Parts FAST?

On Sat, 16 Jun 2007, Charles Sprickman wrote:

> Hi all,
>
> Long shot, but I'm out of the loop on this.
>
> Anyone local know of a place to get a PA-A3-T3 card today? And if
> that's not the actual problem, a loaded 7206-VXR chassis?

if you want to borrow, i have a spare. if you want to buy, i'll probably charge assrape prices :)

dont have 7206vxr but have 7204 nonvxr spare - but it'll probably work just as fine.

-alex

From spork at bway.net Sat Jun 16 17:38:29 2007
From: spork at bway.net (Charles Sprickman)
Date: Sat, 16 Jun 2007 17:38:29 -0400 (EDT)
Subject: [nycbug-talk] [OT] Cisco Parts FAST?

Just a follow-up to everyone, reinsert of the card a few times fixed it.

Alex, thanks again for the offer...

Also, for future reference, does anyone have any favorite Cisco resellers, especially ones that can ship same-day in emergencies?

Thanks,

Charles

On Sat, 16 Jun 2007, Alex Pilosov wrote:

> On Sat, 16 Jun 2007, Charles Sprickman wrote:
>
>> Hi all,
>>
>> Long shot, but I'm out of the loop on this.
>>
>> Anyone local know of a place to get a PA-A3-T3 card today? And if
>> that's not the actual problem, a loaded 7206-VXR chassis?
> if you want to borrow, i have a spare.
> if you want to buy, i'll probably
> charge assrape prices :)
>
> dont have 7206vxr but have 7204 nonvxr spare - but it'll probably work
> just as fine.
>
> -alex
>

From dave at donnerjack.com Sat Jun 16 20:40:58 2007
From: dave at donnerjack.com (David Lawson)
Date: Sat, 16 Jun 2007 20:40:58 -0400
Subject: [nycbug-talk] [OT] Cisco Parts FAST?
Message-ID: <9CF49B67-5E7D-4B8B-B435-48B857D4D6B7@donnerjack.com>

I've had really, really good experiences with CDW for that kind of thing. I'm not positive they can get stuff to you same day, but they've done next day for me a couple times and I suppose if you were willing to throw enough money at it they might be able to same day courier parts.

--Dave

On Jun 16, 2007, at 5:38 PM, Charles Sprickman wrote:

> Just a follow-up to everyone, reinsert of the card a few times
> fixed it.
>
> Alex, thanks again for the offer...
>
> Also, for future reference, does anyone have any favorite Cisco
> resellers,
> especially ones that can ship same-day in emergencies?
>
> Thanks,
>
> Charles
>
> On Sat, 16 Jun 2007, Alex Pilosov wrote:
>
>> On Sat, 16 Jun 2007, Charles Sprickman wrote:
>>
>>> Hi all,
>>>
>>> Long shot, but I'm out of the loop on this.
>>>
>>> Anyone local know of a place to get a PA-A3-T3 card today? And if
>>> that's not the actual problem, a loaded 7206-VXR chassis?
>> if you want to borrow, i have a spare. if you want to buy, i'll
>> probably
>> charge assrape prices :)
>>
>> dont have 7206vxr but have 7204 nonvxr spare - but it'll probably
>> work
>> just as fine.
>>
>> -alex
>>
>>
> _______________________________________________
> % NYC*BUG talk mailing list
> http://lists.nycbug.org/mailman/listinfo/talk
> %Be sure to check out our Jobs and NYCBUG-announce lists
> %We meet the first Wednesday of the month
>

From pete at nomadlogic.org Mon Jun 18 13:10:38 2007
From: pete at nomadlogic.org (Peter Wright)
Date: Mon, 18 Jun 2007 10:10:38 -0700 (PDT)
Subject: [nycbug-talk] USENIX '07
Message-ID: <52657.160.33.20.11.1182186638.squirrel@webmail.nomadlogic.org>

Hi -

Anyone here going to Usenix this week? I'll be there weds and thurs, so if anyone is going to make it out there let me know. I'll definitely be at Kirk's FreeBSD guru session on thurs.

-pete

-- 
~~oO00Oo~~
Peter Wright
pete at nomadlogic.org
www.nomadlogic.org/~pete
310.869.9459

From mspitzer at gmail.com Mon Jun 18 19:47:23 2007
From: mspitzer at gmail.com (Marc Spitzer)
Date: Mon, 18 Jun 2007 19:47:23 -0400
Subject: [nycbug-talk] when sysadmins ruled the earth
Message-ID: <8c50a3c30706181647k59bcb874r677ba80a9b372369@mail.gmail.com>

http://www.boingboing.net/2007/06/17/when_sysadmins_ruled.html

-- 
Freedom is nothing but a chance to be better.
Albert Camus

From spork at bway.net Tue Jun 19 21:02:48 2007
From: spork at bway.net (Charles Sprickman)
Date: Tue, 19 Jun 2007 21:02:48 -0400 (EDT)
Subject: [nycbug-talk] Backups: Bacula vs. Amanda

Hi all,

Anyone here evaluated both of these lately? Quite some time ago I did, and found Amanda to be the winner... These days though I'm finding that Amanda has been getting really buggy (at least on FreeBSD) and more full of linuxisms since the Zmanda folks took over development.

Looking through the Bacula docs, it looks pretty decent. I barely remember why I disqualified it 4 or 5 (or maybe 6) years ago...

Any input on these two packages is appreciated. Or if there's something else out there I haven't heard of, I'd like to know about it.
Thanks,

Charles

From mspitzer at gmail.com Thu Jun 21 12:18:49 2007
From: mspitzer at gmail.com (Marc Spitzer)
Date: Thu, 21 Jun 2007 12:18:49 -0400
Subject: [nycbug-talk] local source of sun memory?
Message-ID: <8c50a3c30706210918p5d5c2ebcp667806cb3256b995@mail.gmail.com>

I need 4 of these:

SUN XOPT 512MB DIMM T1 AC200/DC200
Mfg#: SUN-X7092A

Anybody know of a local person who has them in stock?

Thanks,

marc

-- 
Freedom is nothing but a chance to be better.
Albert Camus

From matt at atopia.net Sun Jun 24 02:24:18 2007
From: matt at atopia.net (Matt Juszczak)
Date: Sun, 24 Jun 2007 02:24:18 -0400 (EDT)
Subject: [nycbug-talk] Issue with freebsd 6.2 and disk drives
Message-ID: <20070624022336.I82939@saturn.atopia.net>

Hi all,

My dedicated server company is deploying me a new FreeBSD 6.2 server. The box uses SATA drives, and is an AMD Athlon box.

I was getting the following error flooding my dmesg:

    ad4: TIMEOUT - WRITE_DMA retrying (1 retry left) LBA=*********

so they replaced all the hardware in the box. Still, with entirely different hardware, I am getting the same error:

    ad4: TIMEOUT - WRITE_DMA retrying (1 retry left) LBA=106848207

The hard drive in the new box is:

    ad4: 76319MB at ata2-master SATA150

Before I start telling them that this new hardware is also bad, I figured I would see if there are any known problems/bugs with 6.2, or possibly a known compatibility issue with SATA (and maybe if I should ask them to switch to IDE).

Thanks all,

Matt

From jonathan at kc8onw.net Sun Jun 24 08:06:48 2007
From: jonathan at kc8onw.net (Jonathan Stewart)
Date: Sun, 24 Jun 2007 08:06:48 -0400
Subject: [nycbug-talk] Issue with freebsd 6.2 and disk drives
In-Reply-To: <20070624022336.I82939@saturn.atopia.net>
References: <20070624022336.I82939@saturn.atopia.net>
Message-ID: <467E5E58.7050305@kc8onw.net>

Matt Juszczak wrote:
> Hi all,
>
> My dedicated server company is deploying me a new FreeBSD 6.2 server.
> The box
> uses SATA drives, and is an AMD Athlon box.
>
> I was getting the following error flooding my dmesg:
>
> ad4: TIMEOUT - WRITE_DMA retrying (1 retry left) LBA=*********
>
> so they replaced all the hardware in the box. Still, with entirely different
> hardware, I am getting the same error:
>
> ad4: TIMEOUT - WRITE_DMA retrying (1 retry left) LBA=106848207
>
> The hard drive in the new box is:
>
> ad4: 76319MB at ata2-master SATA150
>
> Before I start telling them that this new hardware is also bad, I figured I
> would see if there are any known problems/bugs with 6.2, or possibly a known
> compatibility issue with SATA (and maybe if I should ask them to switch to
> IDE).

What controller are you using? Silicon Image controllers especially the 3112 and 3114 are notorious for being crappy.

HTH,
Jonathan

From alex at pilosoft.com Sun Jun 24 09:33:37 2007
From: alex at pilosoft.com (Alex Pilosov)
Date: Sun, 24 Jun 2007 09:33:37 -0400 (EDT)
Subject: [nycbug-talk] Issue with freebsd 6.2 and disk drives
In-Reply-To: <20070624022336.I82939@saturn.atopia.net>

On Sun, 24 Jun 2007, Matt Juszczak wrote:

> Before I start telling them that this new hardware is also bad, I
> figured I would see if there are any known problems/bugs with 6.2, or
> possibly a known compatibility issue with SATA (and maybe if I should
> ask them to switch to IDE).

let me guess: silicon image 3114 controller?

freebsd support of "cheap"/crappy sata controllers is crappy. putting IDE drive instead will resolve the problem.
-alex

From skreuzer at exit2shell.com Sun Jun 24 14:50:27 2007
From: skreuzer at exit2shell.com (Steven Kreuzer)
Date: Sun, 24 Jun 2007 11:50:27 -0700
Subject: [nycbug-talk] Issue with freebsd 6.2 and disk drives
In-Reply-To: <20070624022336.I82939@saturn.atopia.net>
References: <20070624022336.I82939@saturn.atopia.net>
Message-ID: <20070624185027.GA20369@clamps.exit2shell.com>

On Sun, Jun 24, 2007 at 02:24:18AM -0400, Matt Juszczak wrote:
> Hi all,
>
> My dedicated server company is deploying me a new FreeBSD 6.2 server. The box
> uses SATA drives, and is an AMD Athlon box.
>
> I was getting the following error flooding my dmesg:
>
> ad4: TIMEOUT - WRITE_DMA retrying (1 retry left) LBA=*********

at the boot loader, choose option 6 to escape to the loader prompt.

At the 'OK' prompt type "set hw.ata.ata_dma=0", hit return and then type "boot"

-- 
Steven Kreuzer
http://www.exit2shell.com/~skreuzer

From matt at atopia.net Sun Jun 24 16:33:56 2007
From: matt at atopia.net (Matt Juszczak)
Date: Sun, 24 Jun 2007 16:33:56 -0400 (EDT)
Subject: [nycbug-talk] Issue with freebsd 6.2 and disk drives
In-Reply-To: <467E5E58.7050305@kc8onw.net>
References: <20070624022336.I82939@saturn.atopia.net> <467E5E58.7050305@kc8onw.net>
Message-ID: <20070624163320.D70980@saturn.atopia.net>

> What controller are you using? Silicon Image controllers especially the
> 3112 and 3114 are notorious for being crappy.
>
> HTH,
> Jonathan

They replaced the controller with a non-silicon image controller.... now, just because I've been getting these errors with the Si controller, is it safe to say that the data on the drive is OK?
From matt at atopia.net Sun Jun 24 17:04:49 2007
From: matt at atopia.net (Matt Juszczak)
Date: Sun, 24 Jun 2007 17:04:49 -0400 (EDT)
Subject: [nycbug-talk] Issue with freebsd 6.2 and disk drives
In-Reply-To: <20070624185027.GA20369@clamps.exit2shell.com>
References: <20070624022336.I82939@saturn.atopia.net> <20070624185027.GA20369@clamps.exit2shell.com>
Message-ID: <20070624170323.I74115@saturn.atopia.net>

> at the boot loader, choose option 6 to escape to the loader
> prompt.
>
> At the 'OK' prompt type "set hw.ata.ata_dma=0", hit return and
> then type "boot"

I don't have access to the console of the box. They are switching to a different type of SATA controller. I'm hoping this will fix the problem. If not, can this be done from loader.conf?

Also, are these warning messages causing data corruption/loss at all, or are they just indicative of retries that are effectively inefficient? In other words, if swapping to a new controller has a positive outcome (no more error messages), should I force an OS reload anyway?

-Matt

From matt at atopia.net Sun Jun 24 17:14:47 2007
From: matt at atopia.net (Matt Juszczak)
Date: Sun, 24 Jun 2007 17:14:47 -0400 (EDT)
Subject: [nycbug-talk] Issue with freebsd 6.2 and disk drives
In-Reply-To: <20070624170323.I74115@saturn.atopia.net>
References: <20070624022336.I82939@saturn.atopia.net> <20070624185027.GA20369@clamps.exit2shell.com> <20070624170323.I74115@saturn.atopia.net>
Message-ID: <20070624171420.B75034@saturn.atopia.net>

> I don't have access to the console of the box. They are switching to a
> different type of SATA controller. I'm hoping this will fix the problem.
> If not, can this be done from loader.conf?
>
> Also, are these warning messages causing data corruption/loss at all, or
> are they just indicative of retries that are effectively inefficient? In
> other words, if swapping to a new controller has a positive outcome (no
> more error messages), should I force an OS reload anyway?
>
> -Matt

It seems they have now replaced the card with a 3ware SATA card. Do these have a bit better compatibility with FreeBSD 6.2?

    twed0: on twe0
    twed0: 76319MB (156301488 sectors)
    Trying to mount root from ufs:/dev/twed0s1a

From pete at nomadlogic.org Sun Jun 24 17:16:50 2007
From: pete at nomadlogic.org (Peter Wright)
Date: Sun, 24 Jun 2007 14:16:50 -0700 (PDT)
Subject: [nycbug-talk] Issue with freebsd 6.2 and disk drives
In-Reply-To: <20070624170323.I74115@saturn.atopia.net>
References: <20070624022336.I82939@saturn.atopia.net> <20070624185027.GA20369@clamps.exit2shell.com> <20070624170323.I74115@saturn.atopia.net>
Message-ID: <25760.160.33.20.11.1182719810.squirrel@webmail.nomadlogic.org>

>> at the boot loader, choose option 6 to escape to the loader
>> prompt.
>>
>> At the 'OK' prompt type "set hw.ata.ata_dma=0", hit return and
>> then type "boot"
>
> I don't have access to the console of the box. They are switching to a
> different type of SATA controller. I'm hoping this will fix the problem.
> If not, can this be done from loader.conf?

yes, loader.conf is the place to modify your loader config

-p

-- 
~~oO00Oo~~
Peter Wright
pete at nomadlogic.org
www.nomadlogic.org/~pete
310.869.9459

From jonathan at kc8onw.net Sun Jun 24 22:14:59 2007
From: jonathan at kc8onw.net (Jonathan Stewart)
Date: Sun, 24 Jun 2007 22:14:59 -0400
Subject: [nycbug-talk] Issue with freebsd 6.2 and disk drives
In-Reply-To: <20070624171420.B75034@saturn.atopia.net>
References: <20070624022336.I82939@saturn.atopia.net> <20070624185027.GA20369@clamps.exit2shell.com> <20070624170323.I74115@saturn.atopia.net> <20070624171420.B75034@saturn.atopia.net>
Message-ID: <467F2523.4050509@kc8onw.net>

Matt Juszczak wrote:
>> I don't have access to the console of the box. They are switching to a
>> different type of SATA controller. I'm hoping this will fix the problem.
>> If not, can this be done from loader.conf?
>>
>> Also, are these warning messages causing data corruption/loss at all, or
>> are they just indicative of retries that are effectively inefficient? In
>> other words, if swapping to a new controller has a positive outcome (no
>> more error messages), should I force an OS reload anyway?
>>
>> -Matt
>
> It seems they have now replaced the card with a 3ware SATA card. Do these
> have a bit better compatibility with FreeBSD 6.2?

3ware cards are traditionally some of the best supported RAID cards in FreeBSD from what I've seen on the lists. As far as whether your data is fine, as you asked in another mail, I would check it to be safe; I couldn't really tell you.

HTH,
Jonathan

From bonsaime at gmail.com Mon Jun 25 15:19:53 2007
From: bonsaime at gmail.com (Jesse Callaway)
Date: Mon, 25 Jun 2007 15:19:53 -0400
Subject: [nycbug-talk] Issue with freebsd 6.2 and disk drives
In-Reply-To: <467F2523.4050509@kc8onw.net>
References: <20070624022336.I82939@saturn.atopia.net> <20070624185027.GA20369@clamps.exit2shell.com> <20070624170323.I74115@saturn.atopia.net> <20070624171420.B75034@saturn.atopia.net> <467F2523.4050509@kc8onw.net>

make sure to download the twecli from ports! Will let you monitor the status of the controller, whether it's rebuilding or what.

-jesse

From george at ceetonetechnology.com Thu Jun 28 15:02:50 2007
From: george at ceetonetechnology.com (George Rosamond)
Date: Thu, 28 Jun 2007 15:02:50 -0400
Subject: [nycbug-talk] rsync on ftp.usa.openbsd.org
Message-ID: <468405DA.3020902@ceetonetechnology.com>

Quoting Mickey. . .

re
this is a limited announcement for the new service.
please any of you pplz that are using ftp to suck
whole snapshot tree or otherwise interested in
mirroring cvs repo -- try rsync now!
i would appreciate comments at how well it does it for you.
10x
cu

From george at ceetonetechnology.com Thu Jun 28 15:11:43 2007
From: george at ceetonetechnology.com (George Rosamond)
Date: Thu, 28 Jun 2007 15:11:43 -0400
Subject: [nycbug-talk] rsync on ftp.usa.openbsd.org
In-Reply-To: <468405DA.3020902@ceetonetechnology.com>
References: <468405DA.3020902@ceetonetechnology.com>
Message-ID: <468407EF.1070103@ceetonetechnology.com>

George Rosamond wrote:
> Quoting Mickey. . .
>
> re
> this is a limited announcement for the new service.
> please any of you pplz that are using ftp to suck
> whole snapshot tree or otherwise interested in
> mirroring cvs repo -- try rsync now!
> i would appreciate comments at how well it does it for you.
> 10x
> cu
>
>

Correction. . . It's ftp2.usa.openbsd.org or ftp.nyc.openbsd.org. I was being presumptuous about us conquering the lead role :)

George

From tux at penguinnetwerx.net Fri Jun 29 11:06:23 2007
From: tux at penguinnetwerx.net (Kevin Reiter)
Date: Fri, 29 Jun 2007 11:06:23 -0400 (EDT)
Subject: [nycbug-talk] Help for pf on FreeBSD running Snort
Message-ID: <6426.67.135.244.1.1183129583.squirrel@www.geekisp.com>

Hey all,

I'm hoping someone on the list can help with this. I have a box running FreeBSD 6.2-Release, which I'm using as a Snort sensor/database. I have 2 NICs on the box, bge0 for sniffing traffic, and fxp0 for management access. Both cards are on different subnets/vlans.

What I need to do is allow bge0 to listen to everything ("sniff"), and only allow traffic to 22,80, and 443 on fxp0. The catch is a MySQL database running locally, so I don't want 3306 exposed on bge0. Does this make sense?

Does anyone know how I could configure pf.conf for this? I'm currently reading through "Building Firewalls with OpenBSD and PF" 2nd ed. by Jack Artymiak, and it's been extremely helpful to date, but this isn't a typical scenario, and I'm pretty much lost.
Here's what ifconfig shows (notice nothing is in promisc mode - bge0 should be):

    root at snort01 [~]# ifconfig
    bge0: flags=8843 mtu 1500
            options=1b
            inet 192.168.8.211 netmask 0xffffff00 broadcast 172.20.8.255
            ether 00:10:18:27:fe:12
            media: Ethernet autoselect (100baseTX )
            status: active
    fxp0: flags=8843 mtu 1500
            options=b
            inet 192.168.30.60 netmask 0xffffff00 broadcast 172.20.30.255
            ether 00:0e:0c:59:e7:44
            media: Ethernet autoselect (100baseTX )
            status: active
    lo0: flags=8049 mtu 16384
            inet 127.0.0.1 netmask 0xff000000
    pflog0: flags=0<> mtu 33208

Here's my somewhat sanitized pf.conf I'm currently using:

    # $FreeBSD: /etc/pf.conf,v 1.2 2007/01/16 10:31:20 kreiter Exp $
    # Just put this in this morning, haven't done anything with it yet..

    #snort_if="bge0"
    #mgmt_if="fxp0"  # replace with actual internal interface name i.e., dc1
    #internal_net="192.168.30.0/24"
    #external_addr="192.168.8.211"

    # Define some tables
    # (the table names, written in angle brackets, were stripped from the
    # archived message; <admins> and <mgmt> are placeholders for them)
    table <admins> const { list of admin subnets and IPs }
    table <mgmt> const { list of admin subnets and IPs }

    # Allow everything on the local loopback:
    # (options such as "set skip" must come before scrub and filter rules,
    # or pfctl rejects the file with "Rules must be in order")
    set skip on lo0

    # Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
    scrub in all

    # Filtering: the implicit first two rules are
    block log all
    pass out keep state

    # Allow the Snort interface to listen to everything:
    pass in on bge0 all   # <- I have to rewrite this, since it's wrong

    # Admins have all the phun:
    pass in proto tcp from <admins> to any keep state

    # Only allow people on the admin subnet to connect via SSH/SCP/sFTP:
    pass in proto tcp from <admins> to <mgmt> port 22 keep state

    # Allow SSH and rsync from admins (might be redundant, but...):
    pass in proto tcp from <admins> to any port { 22,80,443 } keep state

    # Block access to MySQL on everything:
    # (this should work, haven't tested it yet)
    # Since I want to allow everything inbound on bge0, I
    # don't want anything sneaking in..
    # (pf has no "deny" keyword; the rule is "block". <mgmt> stands in for
    # the table name that was stripped from the archived message.)
    block in proto tcp from any to <mgmt> port 3306

    # Allow ICMP echo requests:
    pass out inet proto icmp all icmp-type 8 code 0 keep state
    pass in inet proto icmp all icmp-type 8 code 0 keep state

Thanks,
Kev

From tux at penguinnetwerx.net Fri Jun 29 11:13:59 2007
From: tux at penguinnetwerx.net (Kevin Reiter)
Date: Fri, 29 Jun 2007 11:13:59 -0400 (EDT)
Subject: [nycbug-talk] Help for pf on FreeBSD running Snort
In-Reply-To: <6426.67.135.244.1.1183129583.squirrel@www.geekisp.com>
References: <6426.67.135.244.1.1183129583.squirrel@www.geekisp.com>
Message-ID: <29755.67.135.244.1.1183130039.squirrel@www.geekisp.com>

(yes, I know, I forgot to change the broadcast subnets during my edit. Haven't had coffee yet..)

> root at snort01 [~]# ifconfig
> bge0: flags=8843 mtu 1500
>         options=1b
>         inet 192.168.8.211 netmask 0xffffff00 broadcast 172.20.8.255
>         ether 00:10:18:27:fe:12
>         media: Ethernet autoselect (100baseTX )
>         status: active
> fxp0: flags=8843 mtu 1500
>         options=b
>         inet 192.168.30.60 netmask 0xffffff00 broadcast 172.20.30.255
>         ether 00:0e:0c:59:e7:44
>         media: Ethernet autoselect (100baseTX )
>         status: active
> lo0: flags=8049 mtu 16384
>         inet 127.0.0.1 netmask 0xff000000
> pflog0: flags=0<> mtu 33208
>

From mspitzer at gmail.com Fri Jun 29 15:15:59 2007
From: mspitzer at gmail.com (Marc Spitzer)
Date: Fri, 29 Jun 2007 15:15:59 -0400
Subject: [nycbug-talk] Any Ideas on wireless cards
Message-ID: <8c50a3c30706291215m6647b496x5b47c2797783ea32@mail.gmail.com>

Hello all,

I am looking to replace my old wireless card and was looking at Netgear WAG511, it uses the awi driver and the atheros AR5004X chipset which should work ( per awi(4)). Any other ideas? I would prefer a a/b/g card if possible and I am running a reasonably current 6.2

Thanks,

marc

-- 
Freedom is nothing but a chance to be better.
Albert Camus

From carton at Ivy.NET Fri Jun 29 19:10:39 2007
From: carton at Ivy.NET (Miles Nordin)
Date: Fri, 29 Jun 2007 19:10:39 -0400
Subject: [nycbug-talk] Any Ideas on wireless cards
In-Reply-To: <8c50a3c30706291215m6647b496x5b47c2797783ea32@mail.gmail.com> (Marc Spitzer's message of "Fri, 29 Jun 2007 15:15:59 -0400")
References: <8c50a3c30706291215m6647b496x5b47c2797783ea32@mail.gmail.com>

>>>>> "ms" == Marc Spitzer writes:

    ms> Any other ideas?

given ideals you've stated in the past, I would think you'd use NDISAPI/ndisgen. supposedly the binary drivers perform better under crappy radio conditions or on busy bands like at conferences.

I got an old Atheros card made by NEC from a Yahoo! store for cheap. It does work. Old cards might be a good idea.

finally, FWIW, Theo raves about the Ralink cards on URL's that have been posted here in the past such as:

http://www.openbsd.org/papers/opencon06-drivers/mgp00024.html

because they are not really that crappy, have simple drivers with more hope of being bug-free (laptops will probably be exploited through their wireless card drivers relatively commonly in the future), and they are cooperative about releasing documentation without NDA.

so that's what I would get.

My understanding is, Atheros would suck less if we were able to take release engineering of the hal away from Sam Leffler. He pushes out highly unstable versions and uses the community as his private beta testers, and he has a vested interest in making sure Reyk's driver stays out of FreeBSD because, since he's signed the NDA, he's crossed over, and he can't work on Reyk's driver because he's signed an agreement that he's tainted. so if Reyk's HAL is imported, Sam will be excluded from wireless work.

I find the whole thing disgusting, mostly since OpenBSD is the only group seeing the big issue and doing something about it---everyone else, Linux NetBSD FreeBSD Solaris, took the bait.

so, for you Marc, use the NDIS driver.
And let us know which Windows installer .EXE gives you files that work well under FreeBSD.

From mspitzer at gmail.com Sat Jun 30 00:25:05 2007
From: mspitzer at gmail.com (Marc Spitzer)
Date: Sat, 30 Jun 2007 00:25:05 -0400
Subject: [nycbug-talk] Any Ideas on wireless cards
References: <8c50a3c30706291215m6647b496x5b47c2797783ea32@mail.gmail.com>
Message-ID: <8c50a3c30706292125y29c3cf80p6e0da14ff358a4c3@mail.gmail.com>

On 6/29/07, Miles Nordin wrote:
> >>>>> "ms" == Marc Spitzer writes:
>
>
> so, for you Marc, use the NDIS driver. And let us know which Windows
> installer .EXE gives you files that work well under FreeBSD.

Thanks for the pointer to the ralink cards, just ordered a SMCWCB-GM

marc

-- 
Freedom is nothing but a chance to be better.
Albert Camus

From carton at Ivy.NET Sat Jun 30 02:47:52 2007
From: carton at Ivy.NET (Miles Nordin)
Date: Sat, 30 Jun 2007 02:47:52 -0400
Subject: [nycbug-talk] Any Ideas on wireless cards
In-Reply-To: <8c50a3c30706292125y29c3cf80p6e0da14ff358a4c3@mail.gmail.com> (Marc Spitzer's message of "Sat, 30 Jun 2007 00:25:05 -0400")
References: <8c50a3c30706291215m6647b496x5b47c2797783ea32@mail.gmail.com> <8c50a3c30706292125y29c3cf80p6e0da14ff358a4c3@mail.gmail.com>

>>>>> "ms" == Marc Spitzer writes:

    ms> Thanks for the pointer to the ralink cards, just ordered a
    ms> SMCWCB-GM

:)))))
From marco at metm.org Sat Jun 30 13:05:33 2007
From: marco at metm.org (Marco)
Date: Sat, 30 Jun 2007 13:05:33 -0400
Subject: [nycbug-talk] Help for pf on FreeBSD running Snort
In-Reply-To: <6426.67.135.244.1.1183129583.squirrel@www.geekisp.com>
References: <6426.67.135.244.1.1183129583.squirrel@www.geekisp.com>
Message-ID: <46868D5D.60909@metm.org>

Kevin Reiter wrote:
> Hey all,
>
> I'm hoping someone on the list can help with this. I have a box running
> FreeBSD 6.2-Release, which I'm using as a Snort sensor/database. I have 2
> NICs on the box, bge0 for sniffing traffic, and fxp0 for management
> access. Both cards are on different subnets/vlans.
>
> What I need to do is allow bge0 to listen to everything ("sniff"), and
> only allow traffic to 22,80, and 443 on fxp0. The catch is a MySQL
> database running locally, so I don't want 3306 exposed on bge0. Does this
> make sense?
>
>

By default mysql won't be exposed. You would have to do extra configuration of mysql to get it to listen on an external interface. So unless I misunderstood, I don't think you have a problem.

-- 
Marco

From okan at demirmen.com Sat Jun 30 15:55:28 2007
From: okan at demirmen.com (Okan Demirmen)
Date: Sat, 30 Jun 2007 15:55:28 -0400
Subject: [nycbug-talk] Help for pf on FreeBSD running Snort
In-Reply-To: <6426.67.135.244.1.1183129583.squirrel@www.geekisp.com>
References: <6426.67.135.244.1.1183129583.squirrel@www.geekisp.com>
Message-ID: <20070630195528.GJ25244@clam.khaoz.org>

On Fri 2007.06.29 at 11:06 -0400, Kevin Reiter wrote:
> Hey all,
>
> I'm hoping someone on the list can help with this. I have a box running
> FreeBSD 6.2-Release, which I'm using as a Snort sensor/database. I have 2
> NICs on the box, bge0 for sniffing traffic, and fxp0 for management
> access. Both cards are on different subnets/vlans.
>
> What I need to do is allow bge0 to listen to everything ("sniff"), and
> only allow traffic to 22,80, and 443 on fxp0. The catch is a MySQL
> database running locally, so I don't want 3306 exposed on bge0. Does this
> make sense?

pf(4) does not come into play - just write the filter as you please.
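A pf.conf for the sensor layout Kevin asked about (sniffing on bge0, management on fxp0 limited to 22, 80 and 443, MySQL reachable only locally), written here as an added example rather than Kevin's posted configuration or anything from the Snort or pf projects. It follows Okan's point that pf does not get in the way of the sensor: bpf hands Snort each frame before pf evaluates it, so the sniffing interface can be blocked completely. Interface names, the management subnet and the management address come from the thread; the second entry in the admin table is a constructed placeholder.

```pf
# Added example pf.conf for a Snort sensor with a separate management NIC.
# Not Kevin's file; the 10.10.0.5 admin host is a constructed placeholder.

snort_if  = "bge0"           # sniffing interface, read by Snort through bpf
mgmt_if   = "fxp0"           # management interface
mgmt_addr = "192.168.30.60"  # management address from the ifconfig output

# Hosts allowed to reach the management services (sample entries)
table <admins> const { 192.168.30.0/24, 10.10.0.5 }

# Options must precede normalization and filter rules or pfctl rejects the file
set skip on lo0              # local traffic, including MySQL on 127.0.0.1, is never filtered
set block-policy drop        # a sensor should drop silently, not answer with RST/unreachable

# Reassemble fragments on the management side only; the sniffing interface is
# left alone so Snort sees frames exactly as they arrived on the wire
scrub in on $mgmt_if all

# Default deny, logged to pflog0 so unexpected probes can be reviewed
block log all

# The stack never accepts or sends anything on the sniffing interface.
# Snort still captures every frame via bpf; this only makes the box itself
# unreachable through bge0, which is what "not exposed on bge0" needs.
block in  quick on $snort_if all
block out quick on $snort_if all

# Management: SSH, HTTP and HTTPS, from the admin table only
pass in on $mgmt_if proto tcp from <admins> to $mgmt_addr port { 22, 80, 443 } \
    flags S/SA keep state

# MySQL is already covered by the default deny (no pass rule matches 3306);
# an explicit quick block documents the intent and makes hits visible in pflog
block in log quick on $mgmt_if proto tcp from any to any port 3306

# Echo requests from admins for monitoring, and the box's own outbound traffic
# (package updates, rule downloads) leaves via the management side
pass in  on $mgmt_if inet proto icmp from <admins> to $mgmt_addr icmp-type echoreq keep state
pass out on $mgmt_if keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; the sniffing interface also needs no IP address at all, which removes the question of exposing anything on it.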