Here you will find technical details on software and hardware configuration.

Blog archive

Wednesday, 24 September 2008

ipfw shaping sample

Sample ipfw (dummynet) traffic shaping for one client, 192.168.5.27, behind a FreeBSD router. fxp3 is the router's internal interface, so packets transmitted on fxp3 are the client's download and packets received on fxp3 are its upload.

without guaranteed bandwidth

#download
/sbin/ipfw add pipe 2174 ip from any to 192.168.5.27/32 xmit fxp3
/sbin/ipfw pipe 2174 config bw 384Kbit/s
#upload
/sbin/ipfw add pipe 2175 ip from 192.168.5.27/32 to any recv fxp3
/sbin/ipfw pipe 2175 config bw 384Kbit/s

If you want to apply the limit only to a port range (here the download is shaped for every source port except 8080, which is left unshaped; the upload rule is unchanged):

#download
/sbin/ipfw add pipe 2174 ip from any to 192.168.5.27/32 src-port 1-8079 xmit fxp3
/sbin/ipfw add pipe 2174 ip from any to 192.168.5.27/32 src-port 8081-65535 xmit fxp3
/sbin/ipfw pipe 2174 config bw 384Kbit/s
#upload
/sbin/ipfw add pipe 2175 ip from 192.168.5.27/32 to any recv fxp3
/sbin/ipfw pipe 2175 config bw 384Kbit/s

If you want guaranteed (weighted) bandwidth and rule priority, send the traffic through a WF2Q+ queue attached to a shared pipe instead of straight into the pipe. The pipe carries the total bandwidth of the link and each queue's weight (1-100) sets its share of that pipe under congestion; a queue may use more while the others are idle, so the "guarantee" is a proportional share, not a hard reservation. The queue number named in the ipfw add rule must be the one configured with ipfw queue config, and that queue must point at the pipe configured with ipfw pipe config:

#download
/sbin/ipfw add 2174 queue 30986 ip from any to 192.168.5.27 src-port 1-8079,8081-65535 xmit fxp3
/sbin/ipfw pipe 2174 config bw 6144Kbit/s queue 32Kbytes
/sbin/ipfw queue 30986 config pipe 2174 weight 30
#upload
/sbin/ipfw add 2175 queue 30987 ip from 192.168.5.27 to any recv fxp3
/sbin/ipfw pipe 2175 config bw 1536Kbit/s queue 8Kbytes
/sbin/ipfw queue 30987 config pipe 2175 weight 30

Here 2174/2175 serve both as rule numbers (ipfw add) and as pipe numbers (ipfw pipe config); those are separate namespaces, so reusing the number is legal but easy to misread. 30986/30987 are the queues. The "queue 32Kbytes" on the pipe is its queue length; ipfw takes either a slot count or a size with a Kbytes suffix, not a bandwidth. Check the result with ipfw pipe show and ipfw queue show.
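When several clients need the same treatment, hand-numbering rules, pipes and queues is where the mismatches creep in. The following is an added example (not part of the original post) that derives all three numbers from the last octet of the client address and then checks the generated ruleset for the queue-to-pipe consistency described above. The interface name fxp3, the 10000+/20000+/30000+ numbering scheme and the host addresses are assumptions for the example; the functions only print ipfw commands, so run `shape_host 192.168.5.27 384 384 | sh` on the router to apply them.

```shell
#!/bin/sh
# Added example: per-host ipfw/dummynet shaping generator plus consistency check.
# Not from the original post; fxp3 and the numbering scheme are assumptions.
IFACE=fxp3   # change to your router's internal interface

# last_octet 192.168.5.27 -> 27
last_octet() {
    printf '%s\n' "$1" | awk -F. '{ print $4 }'
}

# shape_host HOST DOWN_KBIT UP_KBIT [WEIGHT]
# Prints ipfw commands for one host: a download pipe (sent out of IFACE towards
# the host) and an upload pipe (received on IFACE from the host), each fed by a
# WF2Q+ queue with the given weight.
shape_host() {
    host=$1; down=$2; up=$3; weight=${4:-30}
    n=$(last_octet "$host")
    # rule = 10000+n / 11000+n, pipe = 20000+n / 21000+n, queue = 30000+n / 31000+n
    rule_d=$((10000 + n)); pipe_d=$((20000 + n)); queue_d=$((30000 + n))
    rule_u=$((11000 + n)); pipe_u=$((21000 + n)); queue_u=$((31000 + n))
    cat <<EOF
# $host download
/sbin/ipfw add $rule_d queue $queue_d ip from any to $host/32 xmit $IFACE
/sbin/ipfw pipe $pipe_d config bw ${down}Kbit/s queue 32Kbytes
/sbin/ipfw queue $queue_d config pipe $pipe_d weight $weight
# $host upload
/sbin/ipfw add $rule_u queue $queue_u ip from $host/32 to any recv $IFACE
/sbin/ipfw pipe $pipe_u config bw ${up}Kbit/s queue 8Kbytes
/sbin/ipfw queue $queue_u config pipe $pipe_u weight $weight
EOF
}

# check_ruleset < commands
# Verifies that every queue a rule sends traffic to is configured, and that
# every configured queue points at a configured pipe. Exit 1 on any problem.
check_ruleset() {
    awk '
        $2 == "add"   && $4 == "queue"  { used[$5] = 1 }                 # ipfw add N queue Q ...
        $2 == "pipe"  && $4 == "config" { pipes[$3] = 1 }                # ipfw pipe P config ...
        $2 == "queue" && $4 == "config" { queues[$3] = 1; qpipe[$3] = $6 } # ipfw queue Q config pipe P ...
        END {
            bad = 0
            for (q in used)  if (!(q in queues))       { print "queue " q " used but never configured"; bad = 1 }
            for (q in qpipe) if (!(qpipe[q] in pipes)) { print "queue " q " points at missing pipe " qpipe[q]; bad = 1 }
            exit bad
        }'
}
```

Run the generator output through `check_ruleset` before applying it; a ruleset in which the queue configured is not the one the rule references (or whose queue points at a pipe that was never configured) is rejected.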

Monday, 22 September 2008

[Bug 5340] New: sa-compile fails to write to 'compiled/3.00200' dir

Summary: sa-compile fails to write to 'compiled/3.00200' dir
Product: Spamassassin
Version: SVN Trunk (Latest Devel Version)
Platform: Macintosh
OS/Version: Mac OS X
Status: NEW
Severity: normal
Priority: P5
Component: sa-compile
AssignedTo: dev@spamassassin.apache.org
ReportedBy: [EMAIL PROTECTED]


I've built up a test instance of,

% spamassassin --version
SpamAssassin version 3.2.0-pre1-r499012
running on Perl version 5.8.8

on,

% uname -a
Darwin snowcrash 8.8.0 Darwin Kernel Version 8.8.0: Fri Sep 8
17:18:57 PDT
2006; root:xnu-792.12.6.obj~1/RELEASE_PPC Power Macintosh powerpc

Currently, on launch of sa, I see at the console,

[21402] error: Can't locate Mail/SpamAssassin/CompiledRegexps/body_0.pm
in @INC
(@INC ...
/var/mail/spamassassin/updates/compiled/3.002000
/var/mail/spamassassin/updates/compiled/3.002000/auto) at (eval 536) line 1.

this is with,

loadplugin Mail::SpamAssassin::Plugin::Rule2XSBody

in init.pre

If I disable the compile plugin, on restart I get no errors.

I was informed on-list that,

> that's to be expected until you actually run "sa-compile" to compile
> the ruleset...

now,

% /usr/local/spamassassin/bin/sa-compile --sudo -D
[21503] dbg: logger: adding facilities: all
[21503] dbg: logger: logging level is DBG
[21503] dbg: generic: SpamAssassin version 3.2.0-pre1-r499012
[21503] dbg: config: score set 0 chosen.
[21503] dbg: dns: is Net::DNS::Resolver available? yes
[21503] dbg: dns: Net::DNS version: 0.59
sa-compile: cannot write to
/var/mail/spamassassin/updates/compiled/3.002000, aborting

checking,

% ls -ald /var/mail/spamassassin/updates/compiled/3.002000
/usr/local/bin/ls: cannot access /var/mail/spamassassin/updates/compiled/3.002000: No such file or directory

then,

% mkdir -p /var/mail/spamassassin/updates/compiled/3.002000
% chown -R spam:spam /var/mail/spamassassin/updates/compiled/3.002000

and again,

% /usr/local/spamassassin/bin/sa-compile --sudo -D

still reports,

[21503] dbg: logger: adding facilities: all
[21503] dbg: logger: logging level is DBG
[21503] dbg: generic: SpamAssassin version 3.2.0-pre1-r499012
[21503] dbg: config: score set 0 chosen.
[21503] dbg: dns: is Net::DNS::Resolver available? yes
[21503] dbg: dns: Net::DNS version: 0.59
sa-compile: cannot write to
/var/mail/spamassassin/updates/compiled/3.002000, aborting


thanks.

Friday, 19 September 2008

qmail SMTP Authentication

1- Download qmail-1.03, vpopmail 5.2 and the smtp-auth patch from
http://members.elysium.pl/brush/qmail-smtpd-auth/dist/qmail-smtpd-auth-0.30.tar.gz

2- Read README.auth to apply the smtp-auth patch to qmail
3- Compile qmail normally
4- Compile vpopmail as you need
5- # chmod 4755 ~vpopmail/bin/vchkpw
# chown root:root ~vpopmail/bin/vchkpw

This makes vchkpw setuid root, which the vpopmail documentation of that era required so it can read the password sources. It also means any bug in vchkpw runs as root, so keep the binary and its permissions no wider than your vpopmail version's docs demand.

6- You can run qmail-smtpd from inetd or tcpserver. I recommend tcpserver.
If you are using tcpserver, start qmail-smtpd with the following command (note that it is all one line):

exec /usr/local/bin/softlimit -m 4000000 tcpserver -H -l0 -R -c 512 -x /home/vpopmail/etc/tcp.smtp.cdb -u VPOPMAILUID -g VPOPMAILGUID 0 smtp /var/qmail/bin/qmail-smtpd your.qmail.server.name /home/vpopmail/bin/vchkpw /bin/true &

Change the following parameters to match your system:

-x /home/vpopmail/etc/tcp.smtp.cdb   : the path to your tcp.smtp.cdb file
VPOPMAILUID                          : the numeric uid of the vpopmail user
VPOPMAILGUID                         : the numeric gid of the vpopmail group
your.qmail.server.name               : your fully qualified server name
/home/vpopmail/bin/vchkpw            : the path to vchkpw
/bin/true                            : the path to the true command (/usr/bin/true on FreeBSD)

If you do NOT put your.qmail.server.name after /var/qmail/bin/qmail-smtpd, SMTP AUTH silently becomes fake authentication: the patched qmail-smtpd takes its first argument as the hostname, the second as the checkpassword program and the third as the program to run after a successful check. Leave the hostname out and the arguments shift by one, so /bin/true becomes the "checkpassword" program, which exits 0 for any username and password, and every login is accepted. Always test a deliberately wrong password against the running server after deploying.

If you are using inetd instead, add the following lines to inetd.conf and send a HUP signal to inetd:

smtp stream tcp nowait qmaild /var/qmail/bin/tcp-env tcp-env \
/var/qmail/bin/qmail-smtpd your.qmail.server.name /home/vpopmail/bin/vchkpw /bin/true

That's all.
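The argument-order mistake above is easy to make and invisible until someone relays through your server, so it is worth checking mechanically. The script below is an added example, not part of the original how-to or of the qmail-smtpd-auth patch: one function lints the argument list you hand to qmail-smtpd, another builds the AUTH PLAIN token you send by hand to confirm that a wrong password gets a 535, and a third wraps that probe in nc. The hostname, paths and credentials it uses are made up for the example.

```shell
#!/bin/sh
# Added example: checks for a qmail-smtpd SMTP AUTH deployment.
# Not from the original post or the qmail-smtpd-auth patch; names are made up.

# smtpd_args_ok HOSTNAME CHECKPASSWORD SUBPROGRAM
# Returns 0 when the three arguments after qmail-smtpd are in the order the
# patch expects and the checkpassword program is a real checker; 1 otherwise.
smtpd_args_ok() {
    [ $# -eq 3 ] || { echo "expected 3 arguments after qmail-smtpd, got $#" >&2; return 1; }
    case $1 in
        /*) echo "first argument '$1' looks like a program, not the server hostname" >&2; return 1 ;;
    esac
    case $2 in
        /*) ;;
        *)  echo "checkpassword program '$2' is not an absolute path" >&2; return 1 ;;
    esac
    case $2 in
        # /bin/true in the checkpassword slot accepts every password
        */true|*/false) echo "'$2' as checkpassword accepts or rejects everyone" >&2; return 1 ;;
    esac
    return 0
}

# auth_plain_token USER PASSWORD
# Prints base64("\0" USER "\0" PASSWORD), the payload of "AUTH PLAIN <token>".
auth_plain_token() {
    printf '\0%s\0%s' "$1" "$2" | base64 | tr -d '\n'
}

# probe_auth HOST USER PASSWORD  (needs nc; talks to a live server, so it is
# not exercised by the tests). Prints the server's reply to the AUTH command:
# a correct deployment answers 535 for a wrong password and 235 only for a
# right one.
probe_auth() {
    token=$(auth_plain_token "$2" "$3")
    printf 'EHLO probe.example\r\nAUTH PLAIN %s\r\nQUIT\r\n' "$token" \
        | nc -w 5 "$1" 25 | grep -E '^(235|5[0-9][0-9])' | head -n 1
}
```

Typical use: `smtpd_args_ok mail.example.com /home/vpopmail/bin/vchkpw /bin/true` before writing the run script, and after the server is up `probe_auth mail.example.com someuser wrongpassword`, which must print a 5xx line; a 235 means the fake-authentication bug is live.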

Regards

Tuesday, 16 September 2008

How do you enable .mkv subs in mplayer?

Press v to toggle subtitles on and off, and j to cycle through the available subtitle tracks. Press # to cycle through the audio tracks.

Sunday, 14 September 2008

How To Patch / Upgrade BIND 9.x Under FreeBSD Operating System

These steps apply the patch from FreeBSD security advisory SA-08:06 (the July 2008 fix for the BIND cache-poisoning weakness) to the BIND 9 shipped in the base system. The advisory publishes a detached PGP signature (bind63.patch.asc / bind7.patch.asc) next to each patch; fetch it as well and check it with gpg --verify before applying anything to /usr/src.

Under FreeBSD 6.3, download the patch:

# cd /tmp

# fetch -o bind.patch http://security.FreeBSD.org/patches/SA-08:06/bind63.patch

If you are using FreeBSD 7.0, enter:

# cd /tmp

# fetch -o bind.patch http://security.FreeBSD.org/patches/SA-08:06/bind7.patch


Type the following commands to patch, compile and install the BIND 9 library and named from the system sources:


# cd /usr/src

# patch < /tmp/bind.patch

# cd /usr/src/lib/bind

# make obj && make depend && make && make install

# cd /usr/src/usr.sbin/named


# make obj && make depend && make && make install



Restart BIND 9 and watch the log to confirm that named came back up cleanly:

# /etc/rc.d/named restart

# tail -f /var/log/messages

Friday, 12 September 2008

FreeBSD geli encryption

configuration

My installation testserver has the following hardware configuration:

ar0: IDE-RAID controller (RAID 5)
..with four SATA harddisks ad4, ad6, ad8 and ad10

ad14: SATA harddisk containing the system installation

da0: USB Stick - will contain the boot files and geli decryption key

As the operating system I am using FreeBSD 6.1-RELEASE. We will encrypt the ar0 RAID and use it as the main working system. To set it up we need a standard system, which I installed on the single hard disk ad14; it won't be needed afterwards. Since the final encrypted operating system cannot boot by itself, we need a memory stick, da0, containing the files required for the boot process. The stick also holds the geli key needed to decrypt the filesystem.

The goal is an encrypted RAID-5 system that can only be booted with a memory stick holding the key and a password. Both factors are required: the passphrase is useless without the key file and the key file without the passphrase. Keep in mind that the stick itself is not encrypted. Whoever copies the key file holds half of what is needed to read the array, and whoever can modify the kernel or loader on the stick controls what runs before you type the passphrase, so guard the stick like a key.

installation

First of all we clear all previous data we have on the ar0 harddisk.

# dd if=/dev/random of=/dev/ar0 bs=1m

WARNING: This destroys all data on the array. Depending on the size of the disks it takes a long time; the bs=1m block size keeps it from taking even longer.

As we would like to use a key-file for the geli encryption we need to create this file first before initializing the geli container:

# mkdir /boot/keys
# dd if=/dev/random of=/boot/keys/ar0.key bs=128k count=1

The dd command creates a new file (ar0.key) of 128 KiB filled with random data from /dev/random. Make it readable by root only (mode 0600) and keep a copy somewhere safe and off this machine: without the key file the data cannot be recovered, however well you remember the passphrase.

In a next step we initialize the geli container on the ar0 harddisk:

# geli init -b -K /boot/keys/ar0.key -s 4096 -l 256 /dev/ar0

The -b flag marks the provider to be attached at boot, which is what makes the loader ask for the passphrase. -K names the key file we just created; it is combined with the passphrase you are about to type. -s 4096 sets the sector size of the encrypted provider to 4 KiB, which reduces the per-sector overhead and noticeably speeds up encryption and decryption. -l 256 selects a 256-bit key for the default AES cipher, the largest geli supports. Finally /dev/ar0 is our RAID device. Type in your secret passphrase (twice) and the initialization is complete.

Next, the device will be attached which creates the decrypted device with which we will work.

# geli attach -K /boot/keys/ar0.key /dev/ar0

We specify the location to the encryption key for attaching. Enter the password you chose during initialization and a new device /dev/ar0.eli will be created for you.

Ok, as we now have the decrypted device its time to partition it:

# bsdlabel -w /dev/ar0.eli
# bsdlabel -e /dev/ar0.eli

The first command writes a standard label and the second lets you define the individual partitions; it opens an editor. The first column is the partition letter: "c" is reserved for the whole disk and must not be changed, and "b" is conventionally the swap partition. The second column is the partition size, in sectors or with a K/M/G suffix as below (remember that we told geli to use 4096-byte sectors). The offset is the sum of the sizes of the preceding partitions, or "*" to have it computed. In the fstype column write 4.2BSD for every partition except swap (and c, of course). The next two columns can be 0 each, and the last one is left empty; FreeBSD fills it in. Here is my configuration:

# /dev/ar0.eli
8 partitions:
#      size   offset   fstype  [fsize bsize bps/cpg]
a:     512M        0   4.2BSD       0     0
b:    2048M        *     swap
c: 19544356        0   unused       0     0
d:    4096M        *   4.2BSD       0     0
e:    2048M        *   4.2BSD       0     0
f:        *        *   4.2BSD       0     0

Note the * in the size column of partition f: it makes FreeBSD use the rest of the available disk space for the final partition. The * in the offset column tells FreeBSD to calculate the offsets itself from the preceding partitions.

Now that we have the partitions it's time to create the filesystems:

# newfs /dev/ar0.elia
# newfs /dev/ar0.elid
# newfs /dev/ar0.elie
# newfs /dev/ar0.elif

installing operating system

The target hard disk is now partitioned and the filesystems have been created. Let's put the operating system on it. First we create a new directory:

# mkdir /fixed

This creates a directory called "fixed" under the root directory; it will hold the target filesystem tree. Next, we mount the target root partition on it:

# mount /dev/ar0.elia /fixed

Then we create the following directories to create the desired structure:

# mkdir /fixed/var
# mkdir /fixed/tmp
# mkdir /fixed/usr

Now mount the previously created partitions to the new directories:

# mount /dev/ar0.elid /fixed/var
# mount /dev/ar0.elie /fixed/tmp
# mount /dev/ar0.elif /fixed/usr

It's time to copy the operating system files to the target filesystem. The install scripts on the CD read the DESTDIR environment variable to decide where to extract the files, so it has to be set before they run. The root shell on the installer system is csh, where the command is setenv DESTDIR /fixed; the original route of starting a Bourne shell, exporting the variable there and then launching csh again from inside it also works, because the child shell inherits the environment:

# /bin/sh
# export DESTDIR=/fixed/
# /bin/csh

Now we are ready to install the files. Mount the CD-ROM drive (insert your FreeBSD CD 1 now) and install:

# mount /cdrom
# cd /cdrom/6.1-RELEASE/base
# ./install.sh

Make sure the extraction directory shown is /fixed and confirm the copy. The base install script of FreeBSD 6.1 does not install the kernel, so do that manually:

# cd /cdrom/6.1-RELEASE/kernels
# ./install.sh GENERIC

This installs the generic kernel on the encrypted geli device. On a multi-processor system you can use SMP instead of GENERIC in the command above.

kbdmux and geli are enemies!

In the current version (FreeBSD 6.1-RELEASE) there is a serious conflict between the kbdmux keyboard multiplexer driver and geli: either the keyboard or geli worked, but never both at the same time, so the passphrase prompt at boot could not be answered. Tomas Snackerstrom pointed this out in one of his comments, which led to the solution of removing the kbdmux driver from the generic kernel by building a custom one.

In the following steps we compile a custom kernel. If you have not installed the kernel sources, do that now; the FreeBSD Handbook explains the procedure in detail.

First, we create a copy of the GENERIC kernel configuration file and alter it:

# cd /usr/src/sys/i386/conf
# mkdir /root/kernels
# cp GENERIC /root/kernels/PROPORTION
# ln -s /root/kernels/PROPORTION

This creates a new kernel configuration file called PROPORTION in root's home directory and links it into the conf directory. Of course you can name the file whatever you like. Now edit the PROPORTION kernel configuration with your favourite editor:

# vi PROPORTION

Put your kernels name in the "ident" line, so you will recognize your custom kernel during boot-up. And most important: remove the line "device kbdmux". Close and save the file.

Now build and install the kernel:

# cd /usr/src
# make buildkernel KERNCONF=PROPORTION
# make installkernel KERNCONF=PROPORTION

This will take a while, especially building the kernel. The kernel is installed into /boot/kernel of the helper system; copy it onto the geli-encrypted disk, where it replaces the GENERIC kernel installed earlier:

# cp -Rpv /boot/kernel /fixed/boot

configuring removable device

It's time to take care of the removable device which plays an important role in the whole installation. It contains the files which are essential for booting.

First of all we create a new slice on the device:

# fdisk -BI /dev/da0

WARNING: This will remove all data on the device. Make sure no important data is stored on it.

Next, we create the partition on the slice:

# bsdlabel -Brw /dev/da0s1
# bsdlabel -e /dev/da0s1

Again this opens an editor in which you specify the desired partitions. This time we create a single partition:

#      size   offset   fstype  [fsize bsize bps/cpg]
a:   528600        0   4.2BSD       0     0
c:   528600        0   unused       0     0

Create a filesystem on the partition we just defined and mount it so we can start putting the required files on it. Partition a starts at offset 0 and spans the whole slice, so /dev/da0s1a and /dev/da0s1 address the same bytes; the partition name is the explicit choice:

# newfs /dev/da0s1a
# mount /dev/da0s1a /mnt

A couple of minutes ago we installed the base distribution on the encrypted target harddisk. As we are not able to boot from that disk we need to put the boot files on the removable (non-encrypted) medium:

# cp -Rpv /fixed/boot /mnt

Done. Now let's speed up the boot process by compressing the kernel and the two modules it needs; the loader reads gzipped files transparently. Switch to the kernel's directory and compress them:

# cd /mnt/boot/kernel
# gzip kernel geom_eli.ko acpi.ko

To make sure we are asked for the passphrase at boot time, the geli module has to be listed in /boot/loader.conf on the stick. Quote the whole assignment so the shell does not strip the double quotes (the loader accepts the unquoted form too, but keeping the quotes matches the documented syntax):

# echo 'geom_eli_load="YES"' >> /mnt/boot/loader.conf

Now we also need to specify where to load the encryption key from during startup. First copy the keyfile to the USB stick:

# mkdir /mnt/boot/keys
# cp /boot/keys/ar0.key /mnt/boot/keys/

Second, specify the corresponding geli commands to load the key from the stick. This is also defined in the /boot/loader.conf file. Open it and add the following lines to it:

geli_ar0_keyfile0_load="YES"
geli_ar0_keyfile0_type="ar0:geli_keyfile0"
geli_ar0_keyfile0_name="/boot/keys/ar0.key"

We are almost there. The final step is to tell the kernel which filesystems to mount. We do this by creating the directory etc on the stick and putting an fstab file into it:

# mkdir /mnt/etc
# vi /mnt/etc/fstab

This opens up the editor and we can start specifying the filesystems. This needs to be the same structure we created on our target harddisk (see the similarities?):

# Device       Mountpoint  FStype Options   Dump Pass#
/dev/ar0.elib  none        swap   sw        0    0
/dev/ar0.elia  /           ufs    rw        1    1
/dev/ar0.elie  /tmp        ufs    rw        2    2
/dev/ar0.elif  /usr        ufs    rw        2    2
/dev/ar0.elid  /var        ufs    rw        2    2
/dev/acd0      /cdrom      cd9660 ro,noauto 0    0

I additionally added the CD-ROM. It is not mandatory but quite handy. Finally copy the fstab file to the target hard disk:

# cp /mnt/etc/fstab /fixed/etc/

Remember that /boot/keys/ar0.key also still sits on the unencrypted helper disk ad14. Either keep that disk locked away as your offline backup of the key, or erase the file from it before the disk leaves your control.
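Before pulling the system disk it is worth checking the stick mechanically, because a typo in loader.conf or a key file that did not get copied only shows up as a failed passphrase prompt at boot. The script below is an added example, not part of the original article: it checks that the kernel and geli module are on the stick, that loader.conf loads the module and names the key file consistently, that the key file exists and is not readable by others, and that every ufs or swap entry in the stick's fstab comes from the encrypted provider. The mount point /mnt, provider ar0 and key path are the ones used in the walk-through; pass your own if they differ.

```shell
#!/bin/sh
# Added example: sanity-check the geli boot stick before the first reboot.
# Not from the original article; /mnt, ar0 and /boot/keys/ar0.key are the
# walk-through's values and are passed in as arguments.
#
#   check_boot_stick MOUNTPOINT PROVIDER KEYFILE
#   e.g. check_boot_stick /mnt ar0 /boot/keys/ar0.key
# Prints one line per problem; returns 1 if anything is wrong, 0 otherwise.
check_boot_stick() {
    mnt=$1; prov=$2; key=$3; rc=0
    conf="$mnt/boot/loader.conf"

    # a kernel (possibly gzipped) and the geli module must be on the stick
    [ -f "$mnt/boot/kernel/kernel" ] || [ -f "$mnt/boot/kernel/kernel.gz" ] \
        || { echo "no kernel under $mnt/boot/kernel"; rc=1; }
    [ -f "$mnt/boot/kernel/geom_eli.ko" ] || [ -f "$mnt/boot/kernel/geom_eli.ko.gz" ] \
        || { echo "geom_eli.ko missing from $mnt/boot/kernel"; rc=1; }

    # loader.conf must load the module and describe the key file (exact lines)
    [ -f "$conf" ] || { echo "$conf missing"; return 1; }
    grep -qxF 'geom_eli_load="YES"' "$conf" \
        || { echo "geom_eli_load=\"YES\" not set in $conf"; rc=1; }
    grep -qxF "geli_${prov}_keyfile0_load=\"YES\"" "$conf" \
        || { echo "geli_${prov}_keyfile0_load not set in $conf"; rc=1; }
    grep -qxF "geli_${prov}_keyfile0_type=\"${prov}:geli_keyfile0\"" "$conf" \
        || { echo "geli_${prov}_keyfile0_type does not name ${prov}:geli_keyfile0"; rc=1; }
    grep -qxF "geli_${prov}_keyfile0_name=\"$key\"" "$conf" \
        || { echo "geli_${prov}_keyfile0_name does not point at $key"; rc=1; }

    # the key file must be present on the stick and readable by the owner only
    if [ -f "$mnt$key" ]; then
        case $(ls -l "$mnt$key" | cut -c5-10) in
            ------) ;;
            *) echo "key file $mnt$key is readable by group/others; chmod 600 it"; rc=1 ;;
        esac
    else
        echo "key file $mnt$key missing"; rc=1
    fi

    # every ufs/swap entry in the stick's fstab must live on the .eli provider
    if [ -f "$mnt/etc/fstab" ]; then
        awk -v p="/dev/${prov}.eli" '
            /^#/ || NF == 0 { next }
            ($3 == "ufs" || $3 == "swap") && index($1, p) != 1 {
                print "fstab entry " $1 " is not on " p; bad = 1
            }
            END { exit bad }' "$mnt/etc/fstab" || rc=1
    else
        echo "$mnt/etc/fstab missing"; rc=1
    fi
    return $rc
}
```

Run it as `check_boot_stick /mnt ar0 /boot/keys/ar0.key` while the stick is still mounted; an empty output and exit status 0 means the stick carries everything the loader needs.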

Congratulations. Let's see if it works!

testing

Now it's time to bring Frankenstein alive! Remove the installation CD and shut the computer down. Remove the operating system hard disk (ad14), plug in the removable device and switch the machine on. If everything goes smoothly you will be prompted for the passphrase during boot, and afterwards the system comes up from the encrypted array.

Here are some problems I encountered afterwards:

Problem: The bios tells you that the operating system cannot be found.
Solution: Make sure your bios is capable of booting from removable devices such as USB sticks and check the bios boot-order settings.

Problem: I get multiple password prompts during bootup.
Solution: I played around with geli init on other disks earlier; every provider carrying geli metadata with the boot flag set asks for its own passphrase. Remove the metadata from those disks with:

# geli kill /dev/adX

where /dev/adX is the device concerned. geli kill destroys the encryption keys stored in the metadata, so the data on that provider becomes permanently unreadable. WARNING: Do not run it on the array you have just created (well, unless the FBI is knocking on your door and you have a good reason to).

Wednesday, 23 July 2008

FreeBSD Raid 1

Configuring the Mirror/Duplex During the Install



If you're going to use RAID 1, make your life easy and buy two identical disks (same model and size). You can complicate things by insisting on different disks of different sizes, but you end up with a harder configuration that wastes the extra space on the larger disk. Cable the identical drives so that one is the primary master and the other the secondary master. Before installing the operating system, double-check that the BIOS recognizes both disks.



Using your favorite installation method, start a FreeBSD install of any version (5.3 or higher). When you get to the Select Drives menu, it should show ad0 and ad2. Select ad0, as you will be installing the operating system on the primary master.



Within the fdisk utility, remove any existing partitions and then select "Use entire disk." When asked about the boot menu, choose "Standard MBR."



In the disklabel editor, set up the partitions on ad0 according to your requirements. If in doubt, choose a for automatic. Then choose your install sets and your install media, and let the operating system install as usual.



When finished, go through the postinstall configurations and set your time zone, create a user account, set the root password, and so on.



However, don't reboot when you end up back at the sysinstall main menu. Instead, press Alt-F4, which will take you to a command prompt. The first command I type is csh so I can get a shell with history (the default shell is Bourne).



Creating a mirror/duplex is as simple as typing:



# gmirror label -v -b round-robin gm0 /dev/ad0


where gmirror label creates the mirror; -v enables verbose mode; -b round-robin chooses a balance algorithm (at the moment, round-robin is the algorithm with the best performance); gm0 is the name of mirror/duplex (this name represents the first GEOM mirror); and /dev/ad0 represents the disk containing the data to mirror.



However, you'll be disappointed if you try the command now:



# gmirror label -v -b round-robin gm0 /dev/ad0
Can't store metadata on /dev/ad0: Operation not permitted


This is GEOM's protection against corrupting a disk that is in use: it refuses to write metadata to a provider that is currently open for writing, and ad0 is, because the root filesystem you just installed is mounted from it. (gmirror keeps its metadata in the last sector of the disk; with a slice laid out by sysinstall that sector normally lies beyond the end of the slice, which is why an existing installation can be turned into a mirror in place.) You can get around this chicken-and-egg problem by setting the GEOM "foot-shooting" sysctl MIB, which disables the check system-wide until the next reboot, so keep the window short: set it, label, reboot.



# sysctl kern.geom.debugflags=16
kern.geom.debugflags: 0 -> 16


Don't worry; this MIB will return to 0 when you reboot (which I'll have you do in just a few minutes). Try again:



# gmirror label -v -b round-robin gm0 /dev/ad0
Metadata value stored on /dev/ad0


That's it; you now have a RAID 1 set, albeit a degraded one with a single member until ad2 is inserted after the reboot.



It is, however, useful to tell the operating system to load the mirror module whenever you boot; without it the kernel cannot find /dev/mirror/gm0s1a to mount root from. This requires edits to two files. The first one is currently empty, so just echo the required line into it (quote the whole assignment so the shell does not strip the double quotes):

# echo 'geom_mirror_load="YES"' > /boot/loader.conf


However, /etc/fstab is not empty, so I recommend making a backup copy before editing it:



# cp /etc/fstab /etc/fstab.orig
# vi /etc/fstab


Change each ad to a gm, and insert a mirror after /dev. For example, /dev/ad0s1a becomes /dev/mirror/gm0s1a. Unless you've made extra partitions, you'll have ad0s1 devices ending in a, b, d, e, and f and will need to edit each of those lines.



When finished, triple-check your changes to both /etc/fstab and /boot/loader.conf. While it is fixable, it sucks not being able to boot into a new system because of a typo.



Note: some tutorials indicate you also need to add a swapoff option to /etc/rc.conf. This is no longer necessary, and neither is using shutdown -r now instead of reboot.



Once you're sure you don't have any typos, return to Alt-F1 and exit the installation menu after removing your installation media.
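The fstab rewrite is the step that bites, as the mountroot> session further down shows. The following is an added example, not part of Dru Lavigne's article: it rewrites the device column with sed instead of by hand, lints the result for entries that still name the raw disk or that are missing the mirror/ directory, checks loader.conf, and extracts the sync percentage from gmirror list output so a script can wait for the rebuild. Disk and mirror names are parameters; the defaults are the article's ad0 and gm0.

```shell
#!/bin/sh
# Added example: automate and check the fstab/loader.conf edits for gmirror.
# Not part of the original article; ad0 and gm0 are the article's names.

# fstab_to_mirror DISK MIRROR < fstab > new-fstab
# /dev/ad0s1a -> /dev/mirror/gm0s1a; every other line passes through untouched.
fstab_to_mirror() {
    disk=${1:-ad0}; mirror=${2:-gm0}
    sed "s|^/dev/${disk}\([a-z0-9]*\)|/dev/mirror/${mirror}\1|"
}

# fstab_check MIRROR < fstab
# Fails if a non-comment entry still names a bare adN device, or names the
# mirror without the mirror/ directory (the typo that breaks the root mount).
fstab_check() {
    awk -v m="$1" '
        /^#/ || NF == 0 { next }
        $1 ~ /^\/dev\/ad[0-9]/ { print "still on raw disk: " $1; bad = 1 }
        $1 ~ ("^/dev/" m)      { print "missing mirror/ in: " $1; bad = 1 }
        END { exit bad }'
}

# loader_check FILE
# geom_mirror_load must be set, or the mirror device does not exist yet when
# the kernel tries to mount root.
loader_check() {
    grep -qx 'geom_mirror_load="YES"' "$1"
}

# gmirror_sync_pct < "gmirror list" output
# Prints the Synchronized percentage, or 0 when the field is absent (rebuild done).
gmirror_sync_pct() {
    awk '/^ *Synchronized:/ { sub(/%/, "", $2); print $2; found = 1 }
         END { if (!found) print 0 }'
}
```

Typical use on the freshly installed system: `fstab_to_mirror ad0 gm0 < /etc/fstab.orig > /etc/fstab && fstab_check gm0 < /etc/fstab && loader_check /boot/loader.conf` before leaving sysinstall; later, `gmirror list | gmirror_sync_pct` in a loop tells you when the second disk has caught up.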




Booting into the Mirror/Duplex



If you watch your boot-up messages, you should see this in bold white text right after the disks are probed:

GEOM_MIRROR: Device gm0 created (id=2125638583).
GEOM_MIRROR: Device gm0: provider ad0 detected.
GEOM_MIRROR: Device gm0: provider ad0 activated.
GEOM_MIRROR: Device gm0: provider mirror/gm0 launched.
GEOM_MIRROR: Device gm0 already configured.
Mounting root from ufs:/dev/mirror/gm0s1a


and the system will continue to boot. However, if you have a typo in /etc/fstab, the boot will stop at this point and wait for you to type something meaningful. In this example, I forgot to insert mirror when I edited /etc/fstab, meaning /dev/gm0s1a should have been /dev/mirror/gm0s1a so that FreeBSD could find my root filesystem:



Mounting root from ufs:/dev/gm0s1a
setrootbyname failed
ffs_mountroot: can't find rootvp
Root mount failed: 6

Manual root filesystem specification:
<fstype>:<device> Mount <device> using filesystem <fstype>
e.g. ufs:da0s1a
? List valid disk boot devices
<empty line> Abort manual input

mountroot>


Fortunately, that's not as scary as it looks. Start by listing your valid disk boot devices:



mountroot> ?

List of GEOM managed disk devices:
mirror/gm0s1f mirror/gm0s1e mirror/gm0s1d mirror/gm0s1c mirror/gm0s1b
mirror/gm0s1a mirror/gm0s1 ad2s1 mirror/gm0 ad0s1 ad2 acd0 ad0 fd0


If you type in the correct location of the / filesystem, the system continues to boot:

mountroot> ufs:/dev/mirror/gm0s1a
Mounting root from /dev/mirror/gm0s1a


After logging in, be sure to edit the offending line in /etc/fstab and try rebooting again. When you can boot up and log in successfully, verify that each partition on the mirror mounted successfully with:



% df -h

Filesystem          Size  Used  Avail  Capacity  Mounted on
/dev/mirror/gm0s1a  248M   35M   193M       15%  /
devfs               1.0K  1.0K     0B      100%  /dev
/dev/mirror/gm0s1e  248M   12K   228M        0%  /tmp
/dev/mirror/gm0s1f  7.3G   99M   6.7G        1%  /usr
/dev/mirror/gm0s1d  248M  196K   228M        0%  /var


df won't show your swap partition; you can verify it with:



% swapinfo
Device              1K-blocks  Used   Avail  Capacity
/dev/mirror/gm0s1b     629544     0  629544        0%


Synchronizing the Mirror/Duplex



The only thing left to do is to synchronize the data on both hard drives. This will happen automatically as soon as you issue the command to insert the second drive into the mirror:



# gmirror insert gm0 /dev/ad2
GEOM_MIRROR: Device gm0: provider ad2 detected.
GEOM_MIRROR: Device gm0: rebuilding provider ad2.


To see what's happening:



# gmirror list | more
Geom name: gm0
State: DEGRADED
Components: 2
Balance: round-robin
Slice: 4096
Flags: NONE
GenID: 0
SyncID: 1
ID: 2125638583
Providers:
1. Name: mirror/gm0
Mediasize: 10262568448 (9.6G)
Sectorsize: 512
Mode: r6w5e2
Consumers:
1. Name: ad0
Mediasize: 10262568448 (9.6G)
Sectorsize: 512
Mode: r1w1e1
State: ACTIVE
Priority: 0
Flags: DIRTY
GenID: 0
SyncID: 1
ID: 3986018406
2. Name: ad2
Mediasize: 10262568448 (9.6G)
Sectorsize: 512
Mode: r1w1e1
State: SYNCHRONIZING
Priority: 0
Flags: DIRTY, SYNCHRONIZING
GenID: 0
SyncID: 1
Synchronized: 1%
ID: 1946262342


Note the SYNCHRONIZING on the Flags line. It will take a while for these two drives to synchronize, as it is currently at 1 percent. I've seen times ranging from about 30 minutes for a 10GB drive to about two and a half hours for a 75GB drive. If you're curious, check the progress with:



# gmirror status
      Name    Status  Components
mirror/gm0  DEGRADED  ad0
                      ad2 (2%)


You'll see a status message in bold white text when the synchronization finishes:



GEOM_MIRROR: Device gm0: rebuilding provider ad2 finished.
GEOM_MIRROR: Device gm0: provider ad2 activated.


If you repeat gmirror list, you'll note that the State has changed from DEGRADED to COMPLETE and the Synchronized line is now gone. Don't worry if you see DIRTY on the Flags line, as it simply indicates that the system has written new data to the disk but hasn't mirrored it yet. If you were to wait a few seconds on a quiet disk, you would see the Flags line change to NONE.



For the final test, reboot the system.



This time your startup messages should include:



GEOM_MIRROR: Device gm0 created (id=2125638583).
GEOM_MIRROR: Device gm0: provider ad0 detected.
GEOM_MIRROR: Device gm0: provider ad2 detected.
GEOM_MIRROR: Device gm0: provider ad0 activated.
GEOM_MIRROR: Device gm0: provider ad2 activated.
GEOM_MIRROR: Device gm0: provider mirror/gm0 launched.
Mounting root from ufs:/dev/mirror/gm0s1a


Final Notes



GEOM utilities are works in progress, and the developers constantly add new features and updates to the man pages. It's well worth your while to keep your favorite version of FreeBSD up-to-date using cvsup or to choose a newer release when deciding which version of FreeBSD to install.



If you wish to gather performance statistics on your mirror/duplex, try gstat(8). A good read through gmirror(8) is also in order, especially if you want an overview of the procedure for replacing a failed disk.


Dru Lavigne is a network and systems administrator, IT instructor, author and international speaker. She has over a decade of experience administering and teaching Netware, Microsoft, Cisco, Checkpoint, SCO, Solaris, Linux, and BSD systems. A prolific author, she pens the popular FreeBSD Basics column for O'Reilly and is author of BSD Hacks and The Best of FreeBSD Basics.

Wednesday, 16 July 2008

FreeBSD recovery root password

Step 1: Start the FreeBSD server/workstation.

Step 2: At the "Welcome to FreeBSD!" boot menu press the space bar to stop the countdown, then press 4 to boot into single-user mode.

Next the system prompts:

Enter full pathname of shell or RETURN for /bin/sh:

Press Enter. You are dropped into a single-user root shell without being asked for a password.



You need to remount / (root) file system in read and write mode with mount command, type following two commands:

# mount -u /

# mount -a


Setup a new password with passwd command:

# passwd


Next type exit to continue booting into multi-user mode:

# exit

or just reboot the system:

# reboot

This works because the console line in /etc/ttys is marked "secure", which tells init to hand out the single-user shell without asking for a password; the same applies to OpenBSD below. Marking the console "insecure" makes both systems ask for the root password in single-user mode. That only raises the bar: anyone who can boot from their own media or remove the disk still gets at the data unless it is encrypted, so pair it with a BIOS/boot-loader password and physical access controls.

OpenBSD recovery root password

Procedure to reset root password


At boot> prompt type boot -s to boot into single user mode:

boot> boot -s


Next you will see a message as follows:


Enter pathname of shell or RETURN for sh:

Just hit [Enter] key to load sh shell.

Next mount / and /usr file system in read-write mode:

# mount -uw /

# mount /usr


Finally set or change the password for root user, enter:

# passwd

Press CTRL+D to boot into multiuser mode or just reboot server:


# reboot
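Both procedures above depend on the "secure" flag on the console line of /etc/ttys. The script below is an added example, not part of the original how-to: one function reports whether the console is secure, insecure or not listed at all, and another rewrites the line to "insecure" so that single-user mode asks for the root password. Both take the path of the ttys file as an argument so they can be tried on a copy first; on a live system run `kill -HUP 1` afterwards so init re-reads the file. The sample ttys content in the test is constructed.

```shell
#!/bin/sh
# Added example: audit and harden the console entry in /etc/ttys.
# Not part of the original post; works on FreeBSD and OpenBSD ttys syntax,
# where the "secure" word may follow a getty field that contains spaces.

# console_status TTYS_FILE -> prints "secure", "insecure" or "missing"
console_status() {
    awk '
        /^#/ || NF == 0 { next }
        $1 == "console" {
            found = 1; status = "insecure"
            for (i = 2; i <= NF; i++) if ($i == "secure") status = "secure"
            print status; exit
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# harden_console TTYS_FILE
# Rewrites the console line so that "secure" becomes "insecure", keeping a copy
# of the original in TTYS_FILE.orig. Only the console line is touched; awk
# rebuilds it with single spaces, every other line is copied verbatim.
harden_console() {
    cp "$1" "$1.orig"
    awk '
        !/^#/ && $1 == "console" {
            for (i = 2; i <= NF; i++) if ($i == "secure") $i = "insecure"
        }
        { print }
    ' "$1.orig" > "$1"
}
```

`console_status /etc/ttys` printing "secure" on a server you do not have physical control over is the finding; `harden_console /etc/ttys` followed by `kill -HUP 1` is the fix.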

Sunday, 6 July 2008

FreeBSD Upgrade

FreeBSD install portsnap (for system versions older than 6.0)

On FreeBSD 6.0 and later, portsnap is part of the base system. You only need to install it from ports on older FreeBSD systems:

# cd /usr/ports/ports-mgmt/portsnap


# make install clean

FreeBSD install portmanager


Simply type the following command:

# cd /usr/ports/ports-mgmt/portmanager

# make install clean


Upgrade FreeBSD ports collection


Run portsnap as follows:

# portsnap fetch extract

OR


# portsnap fetch

# portsnap extract


Output:

Looking up portsnap.FreeBSD.org mirrors... 4 mirrors found.
Fetching public key from portsnap3.FreeBSD.org... done.
Fetching snapshot tag from portsnap3.FreeBSD.org... done.
Fetching snapshot metadata... done.
Fetching snapshot generated at Sun Aug  5 19:38:18 CDT 2007:
b73e908500446b6593a4f763b8b2128490e733547cdaa7...  100% of   49 MB  195 kBps 00m00s
Extracting snapshot... done.
Verifying snapshot integrity... done.
Fetching snapshot tag from portsnap3.FreeBSD.org... done.
Fetching snapshot metadata... done.
Updating from Sun Aug  5 19:38:18 CDT 2007 to Mon Aug  6 05:58:34 CDT 2007.
Fetching 4 metadata patches... done.
Applying metadata patches... done.
Fetching 0 metadata files... done.
Fetching 18 patches.....10.... done.
Applying patches... done.
Fetching 0 new ports or files... done.
....
..
...

Display outdated ports list


You can list outdated ports list with pkg_version command:

# pkg_version -vIL=

OR

# pkg_version -vIL'<'


Output:

bash-3.1.17                         <   needs updating (index has 3.2.17_2)
gettext-0.14.5_2                    <   needs updating (index has 0.16.1_3)
libtool-1.5.22_2                    <   needs updating (index has 1.5.22_4)
linux_base-fc-4_9                   <   needs updating (index has 4_10)
....
......
.

Where,


  • v : Enable verbose output.

  • I : Use only the index file for determining if a package is out of date (faster result)


  • L= : Limit the output to those packages whose status flag does not match = (the installed version of the package is current.)

  • L'<' : Limit the output to those packages whose status flag does not match < (the installed version of the package is older than the current version.)

Update FreeBSD packages / software


Now run portmanager to upgrade installed ports:

# portmanager -u


It updates ports in the correct order based on their dependencies. If a port fails to build during the update it is marked as ignored; portmanager continues with any ports not marked ignored, as long as they do not depend on the ignored port. Note that this can take a long time if you have many applications installed.

If you need to upgrade all installed ports with logging, enter:

# portmanager -u -l

How do I upgrade a single software only?


portmanager allows you to update a single port and all of its dependencies. For example update port called bash i.e. bash shell (shells/bash), enter:

# portmanager shells/bash -l -u -f

How do I apply update again?


In order to update system again just type the following command:

# portsnap fetch


# portsnap update

# portmanager -u -l


How do I apply binary security updates for FreeBSD?

Recent releases include a tool called freebsd-update (thanks to Bok for pointing it out). It fetches, installs and rolls back binary updates to the FreeBSD base system. Like portsnap, it downloads the signing public key on first use and checks the key's SHA-256 fingerprint against the KeyPrint value in /etc/freebsd-update.conf (portsnap uses KEYPRINT in /etc/portsnap.conf); every update is then verified against that key, which is what makes fetching over plain HTTP acceptable. If the fingerprint check ever fails, do not edit the fingerprint to make it pass; find out why the key changed.

Fetch updates


Use fetch option to get all available binary updates:

# freebsd-update fetch

Output:

Looking up update.FreeBSD.org mirrors... 1 mirrors found.
Fetching public key from update1.FreeBSD.org... done.
Fetching metadata signature from update1.FreeBSD.org... done.
Fetching metadata index... done.
Fetching 2 metadata files... done.
Inspecting system... done.
Preparing to download files... done.
Fetching 18 patches.....10.... done.
Applying patches... done.

The following files will be updated as part of updating to 6.2-RELEASE-p7:
/boot/kernel/kernel
/etc/rc.d/jail
....
.....
/usr/lib/libmagic.so.2
/usr/sbin/dnssec-signzone
/usr/sbin/freebsd-update
/usr/sbin/lwresd
/usr/sbin/named
/usr/sbin/named-checkconf
/usr/sbin/named-checkzone
/usr/sbin/tcpdump

WARNING: FreeBSD 6.2-RELEASE is approaching its End-of-Life date.
It is strongly recommended that you upgrade to a newer
release within the next 5 months.


Install updates


Install the most recently fetched updates:

# freebsd-update install

Output:

Installing updates... done.

Rollback updates


Optional: You can uninstall most recently installed updates:

# freebsd-update  rollback  


Reboot system


You must reboot FreeBSD to take advantage of the newly patched kernel:

$ uname -a

Output:

FreeBSD vip-1.freebsd.nixcraft.com 6.2-RELEASE FreeBSD 6.2-RELEASE #0: Fri Jan 12 10:40:27 UTC 2007     root@dessler.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386

$ sudo reboot

After reboot verify system:

$ uname -a

Output:


FreeBSD vip-1.freebsd.nixcraft.com 6.2-RELEASE-p4 FreeBSD 6.2-RELEASE-p4 #0: Thu Apr 26 17:40:53 UTC 2007     root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  i386

To repair the package database run 'pkgdb -F'.

Sunday, 22 June 2008

FreeBSD + sendmail + ClamAV + SpamAssassin

Setting Up SpamAssassin and ClamAV with Sendmail on FreeBSD





This document covers setting up a mail server on FreeBSD 5.4 RELEASE using Sendmail 8.13.3, SpamAssassin 3.1.0 and ClamAV 0.87. Combining these results in a mail server with strong protection against spam and virus-infected mail.





Below are the procedures to set up the MTA (Mail Transfer Agent) Sendmail. Configuration for other MTAs will be different, so please be aware of this.




NB: All the following operations are performed as the root user.






Install FreeBSD


Fetch and burn the FreeBSD ISO images available at: (just disc1 should be sufficient)



ftp://ftp.jp.freebsd.org/pub/FreeBSD/ISO-IMAGES-i386/5.4/




Don't install the ports collection from the CD as it's an old version. Download the latest from:



ftp://ftp.jp.freebsd.org/pub/FreeBSD/ports/ports/ports.tar.gz



and untar it in /usr after the OS has installed such that /usr/ports/* will be created.



After installation is done, run the sysinstall command and go to Configure (Do post-install configuration of FreeBSD) -> Networking (Configure additional network services) -> Mail (This machine wants to run a Mail Transfer Agent) and select Sendmail (Use sendmail). See the following picture:








The line sendmail_enable="YES" will be automatically added to /etc/rc.conf so Sendmail will be run at boot time. If the line doesn't get added, just add it yourself using your favourite editor.



Now would be a good time for you to update your system to the latest release of FreeBSD. Instructions for these procedures are out of the scope of this document but check here for info on how to do so. Use cvsup.






Get The Latest Perl 5.8


The default version of Perl in FreeBSD 5.4 is 5.8.6 but version 5.8.7 was the latest at the time of writing this article and I often found that having only 5.8.6 installed prevented various ports from installing properly so we'll upgrade Perl:


cd /usr/ports/lang/perl5.8

make deinstall
make install


It's necessary to upgrade Perl before going ahead and doing the SpamAssassin and ClamAV installs as the locations of libraries and such change.






Install SpamAssassin


Compile and install SpamAssassin:
cd /usr/ports/mail/p5-Mail-SpamAssassin

make install

The following dialogue will appear (this will not appear again after the first installation):









From experience here on RBL.JP we know DOMAINKEYS and RAZOR are worthwhile having so leave them selected. I chose SPF_QUERY because it's becoming more and more popular. I'm not sure exactly what TOOLS and RELAY_COUNTRY are but I included them anyway :-)



At this point there should be the following startup script:
# ls -l /usr/local/etc/rc.d

total 2
-r-xr-xr-x 1 root wheel 696 Sep 2 18:01 sa-spamd.sh




Install spamassassin-milter


spamassassin-milter is the software that bridges SpamAssassin and Sendmail.
cd /usr/ports/mail/spamass-milter

make install

Now there should be the following two startup scripts:
# ls -l /usr/local/etc/rc.d

total 4
-r-xr-xr-x 1 root wheel 696 Sep 2 18:01 sa-spamd.sh
-r-xr-xr-x 1 root wheel 1013 Sep 2 18:04 spamass-milter.sh



Install ClamAV


ClamAV is free anti-virus software which can scan mail for viruses.
cd /usr/ports/mail/p5-Mail-ClamAV

make install





After a while the above dialog screen will appear. Check MILTER.




A permission error saying clamd.log cannot be read/write accessed when executing clamav-milter can be solved by creating an empty file in advance:

touch /var/log/clamav/clamd.log

chown clamav /var/log/clamav/clamd.log


Now you should have all the following startup scripts:
# ls -l /usr/local/etc/rc.d

total 10
-r-xr-xr-x 1 root wheel 687 Sep 2 18:17 clamav-clamd.sh
-r-xr-xr-x 1 root wheel 722 Sep 2 18:17 clamav-freshclam.sh
-r-xr-xr-x 1 root wheel 1066 Sep 2 18:17 clamav-milter.sh
-r-xr-xr-x 1 root wheel 696 Sep 2 18:01 sa-spamd.sh
-r-xr-xr-x 1 root wheel 1013 Sep 2 18:04 spamass-milter.sh




Configure Sendmail


Sendmail is software for handling mail delivery (an MTA). When installing FreeBSD the other two MTAs you can choose from are Postfix and Exim, but I chose Sendmail as that's the one I'm most familiar with. The following procedures can only be used for Sendmail.




In order to use SpamAssassin and ClamAV with Sendmail there are various mechanisms which need to be defined in sendmail.cf (the configuration file). Also, definitions must be added to use RBLs (Real-time Black Lists - lists of hostnames, domains, mail addresses etc. found to be used by spammers that can be used to reject spam from these spammers).




Usually you do not directly modify sendmail.cf but rather modify the macro file (m4's .mc file format) which when parsed by m4 will generate sendmail.cf.



When you configure Sendmail on FreeBSD as described below, a macro file with its name as the server's hostname will be automatically created. Do the following:
cd /etc/mail

make

then, for example, if your machine is called mail.example.jp then a file called mail.example.jp.mc will be created in that directory. From here on I will use mail.example.jp.mc to refer to the sendmail.mc macro file as we add various configurations below, eventually leading up to the creation of the final Sendmail configuration file, sendmail.cf.




Once mail.example.jp.mc has been created it'll not be overwritten if you run make again so when you want to add/modify some configuration, edit the file directly.




0) Basic configuration



First we define what kind of e-mail address formats your mail server will receive.




The e-mail address formats mail.example.jp will receive are:
test@example.jp

test@mail.example.jp

We create a file called /etc/mail/local-host-names and add the following:
example.jp

mail.example.jp

mail.example.jp is optional because it has the same domain as the first entry (example.jp). Please make sure that there are no inconsistencies between this file and the DNS MX settings for example.jp. Regardless of which e-mail address format is used, all mail will be delivered to mail.example.jp.




Next, create /etc/mail/relay-domains and add the following to define who is allowed to send mail from this server:
example.jp

192.168.0

The second line allows any machines on the local 192.168.0.0/24 network (assuming the mail server has global and local network interfaces) to relay e-mail through this server. Change this value according to your local network.




With the above configuration basic mail delivery can now be performed.






1) Add SpamAssassin and ClamAV settings

cd /etc/mail

vi mail.example.jp.mc

and add the following:

INPUT_MAIL_FILTER(`spamassassin',`S=local:/var/run/spamass-milter.sock, F=, T=C:15m;S:4m;R:4m;E:10m')dnl

INPUT_MAIL_FILTER(`clmilter', `S=local:/var/run/clamav/clmilter.sock, F=, T=S:4m;R:4m')dnl
define(`confINPUT_MAIL_FILTERS', `clmilter,spamassassin')dnl




2) Settings related to reverse DNS lookups



Here we configure Sendmail to reject mail sent from hosts with no reverse DNS lookup. By doing this we're able to avoid most spam from Chinese and Korean servers which don't have reverse DNS lookup entries.




A side effect of this setting, though, is that mail from legitimate hosts may be rejected due to bad server configuration. Some people are against setting their SMTP server to use this mechanism. Do some research on Google yourself first before deciding if you want to set this on your mail server.




Add these settings to mail.example.jp.mc if you want to ONLY reject hosts with no reverse DNS lookup.




OR if you want to reject both the above and hosts whose reverse DNS lookup and normal DNS lookup do not match then add these settings.



The tab characters must be preserved so be careful when copy/pasting.




If you want to be able to receive mail from hosts which do not have a reverse DNS lookup entry then you must not use these settings. Likewise, if you're likely to receive lots of legit mail from China and/or Korea (which have many such mail servers) you should avoid using these settings.






3) Setting up Sendmail RBLs




If an incoming mail is marked as spam by SpamAssassin the mail will still be delivered (and left for something else to filter it) but if you enable the RBL features in Sendmail, as we do below, then mail from a host that is rejected because of some RBL policy will not be delivered. Please keep this in mind when deciding whether to use the following.



There are various RBLs out there, we chose to use the following 4. Add this to mail.example.jp.mc:


FEATURE(dnsbl,`bl.spamcop.net')dnl
FEATURE(dnsbl,`sbl-xbl.spamhaus.org')dnl
FEATURE(dnsbl,`list.dsbl.org')dnl
FEATURE(dnsbl,`all.rbl.jp')dnl


Make sure the above lines come before MAILER(smtp) and MAILER(local) lines in mail.example.jp.mc.




There are many stories in Japanese mailing lists that too many legit addresses get registered in spamcop.net so if you are thinking on the safe side it would be okay to leave this line out.




The following 3 RBLs do not have good reputations, so we don't recommend using them.



BLARS

JAMM

SORBS




Sendmail's requests to the RBLs are done in the order listed in the configuration file. Even if all RBLs had exactly the same data, a culprit host would be rejected by the first RBL and the rejection would stop there. So only the rejection from the first RBL would be recorded in the Sendmail log file.




Just because you have a high number of RBLs configured does not mean your server will be effective in avoiding spam. Unnecessary amounts of traffic and server load will be generated if you have too many RBLs defined, so please choose an amount suitable for your mail server's purpose and intended use. Once all your configuration is done, run your server for a while, look at the mail log and see if there are one or more configured RBLs which don't appear much (or at all). This would indicate that they're not contributing much to rejecting hosts, most probably because their databases hold data similar (or identical) to one of the RBLs you've configured higher up in the list, which does the rejecting first. Determine which one(s) these are and delete them.





So far, the updates we've added to mail.example.jp.mc are here. The tab characters must be preserved so make sure your browser doesn't break them if you copy/paste.




MAILER(local) and MAILER(smtp) were already in mail.example.jp.mc before we started changing it. It's important that the RBL definitions (FEATURE(...) etc) come before the MAILER(...) definitions. The order is critical. The stuff below LOCAL_RULESETS are the definitions to only reject mail from hosts which don't have a reverse DNS lookup and not when the normal and reverse DNS entries do not match.
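The ordering rule just stated, the filter definitions from step 1 and the CR/LF pitfall mentioned under Troubleshooting can all be checked mechanically before running make. The Python script below is an added example, not part of the original guide; the two .mc texts it contains are constructed (the guide's own lines inside a minimal OSTYPE/DOMAIN/MAILER skeleton standing in for the real FreeBSD template).

```python
"""Sanity-check a sendmail .mc file against the rules this guide depends on:
FEATURE(dnsbl, ...), INPUT_MAIL_FILTER(...) and confINPUT_MAIL_FILTERS must
precede MAILER(...), the filter list must name exactly the defined filters,
no dnsbl may be listed twice, and the file must not carry CR line endings.
Added example, not part of the original guide."""
import re
from typing import List, Optional

DNSBL_RE = re.compile(r"^FEATURE\(\s*dnsbl\s*,\s*`([^']+)'\s*\)")
FILTER_RE = re.compile(r"^INPUT_MAIL_FILTER\(\s*`([^']+)'\s*,")
ORDER_RE = re.compile(r"^define\(\s*`confINPUT_MAIL_FILTERS'\s*,\s*`([^']*)'\s*\)")
MAILER_RE = re.compile(r"^MAILER\(")

# Constructed sample: the guide's RBL and milter lines inside a minimal
# FreeBSD-style skeleton (OSTYPE/DOMAIN/MAILER stand in for the real template).
GOOD_MC = """\
divert(-1)
OSTYPE(freebsd5)
DOMAIN(generic)
FEATURE(dnsbl,`bl.spamcop.net')dnl
FEATURE(dnsbl,`sbl-xbl.spamhaus.org')dnl
FEATURE(dnsbl,`list.dsbl.org')dnl
FEATURE(dnsbl,`all.rbl.jp')dnl
INPUT_MAIL_FILTER(`spamassassin',`S=local:/var/run/spamass-milter.sock, F=, T=C:15m;S:4m;R:4m;E:10m')dnl
INPUT_MAIL_FILTER(`clmilter', `S=local:/var/run/clamav/clmilter.sock, F=, T=S:4m;R:4m')dnl
define(`confINPUT_MAIL_FILTERS', `clmilter,spamassassin')dnl
MAILER(local)
MAILER(smtp)
"""

# Constructed broken variant: pasted from Windows (CRLF), RBL/filter lines
# after the MAILER lines, one RBL twice, and a misspelt filter name.
BAD_MC = (
    "OSTYPE(freebsd5)\r\nDOMAIN(generic)\r\nMAILER(local)\r\nMAILER(smtp)\r\n"
    "FEATURE(dnsbl,`bl.spamcop.net')dnl\r\n"
    "FEATURE(dnsbl,`bl.spamcop.net')dnl\r\n"
    "INPUT_MAIL_FILTER(`spamassassin',`S=local:/var/run/spamass-milter.sock, F=, T=C:15m;S:4m;R:4m;E:10m')dnl\r\n"
    "INPUT_MAIL_FILTER(`clmilter', `S=local:/var/run/clamav/clmilter.sock, F=, T=S:4m;R:4m')dnl\r\n"
    "define(`confINPUT_MAIL_FILTERS', `clamav,spamassassin')dnl\r\n"
)


def check_mc(text: str) -> List[str]:
    """Return the problems found in the .mc text; an empty list means it is fine."""
    problems: List[str] = []
    if "\r" in text:
        problems.append("file contains CR characters; save it with LF-only line endings")

    dnsbls: List[str] = []
    filters: List[str] = []
    listed: Optional[List[str]] = None   # names from confINPUT_MAIL_FILTERS
    first_mailer: Optional[int] = None   # line number of the first MAILER(...)

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if MAILER_RE.match(line):
            if first_mailer is None:
                first_mailer = lineno
            continue
        dnsbl, filt, order = DNSBL_RE.match(line), FILTER_RE.match(line), ORDER_RE.match(line)
        if not (dnsbl or filt or order):
            continue
        # The guide's rule: all of these must come before the MAILER(...) lines.
        if first_mailer is not None:
            problems.append(f"line {lineno}: {line.split('(')[0]} appears after "
                            f"MAILER(...) on line {first_mailer}")
        if dnsbl:
            host = dnsbl.group(1)
            if host in dnsbls:
                problems.append(f"line {lineno}: dnsbl {host} listed twice (redundant lookups)")
            dnsbls.append(host)
        elif filt:
            filters.append(filt.group(1))
        else:
            listed = [n.strip() for n in order.group(1).split(",") if n.strip()]

    if first_mailer is None:
        problems.append("no MAILER(...) line found; the generated sendmail.cf would have no mailers")
    if listed is not None:
        for name in listed:
            if name not in filters:
                problems.append(f"confINPUT_MAIL_FILTERS names undefined filter {name}")
        for name in filters:
            if name not in listed:
                problems.append(f"filter {name} is defined but not listed in "
                                "confINPUT_MAIL_FILTERS, so sendmail will never call it")
    return problems


if __name__ == "__main__":
    for label, text in (("good", GOOD_MC), ("bad", BAD_MC)):
        print(label, check_mc(text) or ["OK"])
```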





4) Generating sendmail.cf




After the above configuration steps have been completed:

cd /etc/mail

make

and a file called mail.example.jp.cf will be made. This will now become our new Sendmail configuration file. Copy the file as follows:
cp mail.example.jp.cf sendmail.cf






Configure Autoboot



Add the following to /etc/rc.conf:

spamass_milter_enable="YES"

spamd_enable="YES"
clamav_clamd_enable="YES"
clamav_milter_enable="YES"
clamav_freshclam_enable="YES"


There we have it, Sendmail with SpamAssassin and ClamAV support running on FreeBSD configured to use some RBLs. However, please also install the packages below to make your mail server even more efficient in stamping out spam. Look at Running and Checking below for executing everything.








Other Software to Install



1) procmail

cd /usr/ports/mail/procmail

make install

Procmail is installed by default on Linux but on FreeBSD you need to install it manually.




Procmail allows you to manipulate mail marked as spam, for example placing it in a different folder, making it unreadable etc. As this is out of the scope of this document, please Google to find more info on how to use it.





2) portupgrade

cd /usr/ports/sysutils/portupgrade

make install

portupgrade will make updating your installed ports to the newest versions easy. So, seeing as we installed SpamAssassin and ClamAV from ports we can use the following commands to update them to their latest versions.



Remember, you must download and untar the latest version of ports.tar.gz into /usr/ports yourself beforehand.
portupgrade -vr p5-Mail-ClamAV


portupgrade -vr p5-Mail-SpamAssassin


portupgrade -vr clamav

Extra



If you decide to upgrade ClamAV without using portupgrade do it the following way:
cd /usr/ports/security/clamav

make WITH_MILTER=yes
make deinstall
make WITH_MILTER=yes install



If you've updated SpamAssassin and/or ClamAV and it's not the first time (ie. the programs are already running) then you need to restart them:


/usr/local/etc/rc.d/clamav-clamd.sh restart

/usr/local/etc/rc.d/clamav-freshclam.sh restart
/usr/local/etc/rc.d/clamav-milter.sh restart
/usr/local/etc/rc.d/sa-spamd.sh restart




Beefing up SpamAssassin


Add RBL.JP settings to SpamAssassin




By default, SpamAssassin is not configured to use RBL.JP, so please look here to see how and what to add to SpamAssassin's configuration file (/usr/local/etc/mail/spamassassin/local.cf). If this is a fresh install of SpamAssassin then you'll need to copy local.cf.sample to local.cf. RBL.JP is an RBL with a focus on spam written in Japanese and offers excellent protection against Japanese spam, but also against English spam.



Below are the basic settings you'll need to add to local.cf in order to use RBL.JP but please read the link above beforehand to get an understanding of how it all works.


urirhssub URLBL_RBLJP  url.rbl.jp.      A   2

body URLBL_RBLJP eval:check_uridnsbl('URLBL_RBLJP')
describe URLBL_RBLJP Has URI in url.rbl.jp
tflags URLBL_RBLJP net
score URLBL_RBLJP 2.0

uridnsbl URLBL_IP_RBLJP url.rbl.jp. TXT
body URLBL_IP_RBLJP eval:check_uridnsbl('URLBL_IP_RBLJP')
describe URLBL_IP_RBLJP Has IP URL in url.rbl.jp
tflags URLBL_IP_RBLJP net
score URLBL_IP_RBLJP 2.0

header RCVD_IN_ALL_RBL_JP eval:check_rbl_txt('rbl.jp', 'all.rbl.jp.')
describe RCVD_IN_ALL_RBL_JP Received via a relay in all.rbl.jp
tflags RCVD_IN_ALL_RBL_JP net
score RCVD_IN_ALL_RBL_JP 1.5




Running and Checking



Reboot the server and check by making sure the following processes are running:


# ps -axw | grep -e clam -e spam

480 ?? Is 0:09.97 /usr/local/sbin/clamd
487 ?? Is 0:00.13 /usr/local/bin/freshclam --daemon
494 ?? Ss 2:57.21 /usr/local/sbin/clamav-milter --pidfile /var/run/clamav/clamav-milter.pid --postmaster-only --local --pos
522 ?? Ss 0:45.65 /usr/local/sbin/spamass-milter -f -p /var/run/spamass-milter.sock
5314 ?? Is 0:03.04 /usr/local/bin/spamd -c -d -r /var/run/spamd/spamd.pid (perl5.8.7)
28621 ?? I 2:44.87 spamd child (perl5.8.7)
28632 ?? I 2:43.92 spamd child (perl5.8.7)




After confirming this, try sending a mail to yourself on the server and look at the header, checking for the word SpamAssassin on the X-Spam-Checker-Version line and ClamAV on the X-Virus-Scanned line.






Post-config Changes



  • If you make any updates to SpamAssassin's local.cf:

    /usr/local/etc/rc.d/sa-spamd.sh restart
    


    will restart spamd (the SpamAssassin daemon). Then check the following processes are running:

    # ps -ax | grep spam
    
    522 ?? Ss 0:46.57 /usr/local/sbin/spamass-milter -f -p /var/run/spamass
    46349 ?? Ss 0:02.89 /usr/local/bin/spamd -c -d -r /var/run/spamd/spamd.pi
    46356 ?? S 0:00.71 spamd child (perl5.8.7)
    46360 ?? S 0:00.01 spamd child (perl5.8.7)

    The following might or might not be running:

    46347 ?? S 0:00.03 /usr/local/bin/spamc

    depending on whether SpamAssassin is processing anything at that time.



  • If you make any updates to sendmail.cf:

    cd /etc/mail
    
    make restart

    will restart Sendmail. Then check the following processes are running:

    # ps -ax | grep sendmail
    
    16383 ?? Is 0:01.10 sendmail: Queue runner@00:30:00 for /var/spool/client
    16385 ?? Ss 1:57.27 sendmail: accepting connections (sendmail)




    Having a Local Reject List



    Using /etc/mail/access it is possible for you to have your own reject list. In this file you can specify e-mail address, domain names, hostnames and/or IP addresses.



    Edit the file:
    cd /etc/mail
    
    vi access


    and create your list based on the following format. The format is simply the address, hostname or IP followed by a TAB or space character and then the word REJECT. You may have as many lines as you like with one address per line but you must not have repeated lines.


    privatefun@usa.net      REJECT
    
    mta163060.savings1friend.com REJECT
    69.63.161.83 REJECT
    72.26.220 REJECT
    exrim.net REJECT


  • The first line rejects any incoming mail from this address.

  • The second line rejects any incoming mail from a server with that hostname and also any mail with that hostname in the From: field.


  • The third line rejects any incoming mail from the machine with that IP address.

  • The fourth line rejects any incoming mail from any host on the 72.26.220 subnet, ie from any machine with an IP address that is in the range 72.26.220.0-255.

  • The fifth line rejects any incoming mail from any machine whose reverse DNS belongs to this domain and also any mail with this domain in the From: field.




    For all of the lines above, mail also cannot be sent to the corresponding hostname/domain/IP/address. Usually if you're rejecting mail from somewhere you won't need to send to the same place, but in case you do, to reject mail from a sender while still allowing sending to it, add "From:" at the beginning of the line, for example:

    From:exrim.net	   REJECT
    

    to reject all mails from exrim.net but still allow sending to this domain.




    When you've finished making the reject list:


    cd /etc/mail
    
    make

    and then the changes will become immediately effective. There is no need to restart Sendmail.
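A small checker for the access file format described above, written as an added example (not part of the original guide): it classifies each key the way the five bullets do, honours the From: tag, and reports repeated keys, CR line endings and keys written in CIDR notation. The SAMPLE_ACCESS entries are the guide's own; BAD_ACCESS is constructed.

```python
"""Validate an /etc/mail/access reject list of the kind built above: each
line is <key><TAB or space>REJECT, the key is a mail address, a hostname or
domain, an IPv4 address or a dotted IPv4 prefix, optionally behind a From:
tag, and no key may be repeated.  Added example, not part of the guide."""
import re
from typing import Dict, List, Tuple

HOST_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")
ACTIONS = {"REJECT", "OK", "RELAY", "DISCARD"}   # the guide only uses REJECT
TAGS = ("From:", "To:", "Connect:")              # the guide only uses From:

# The guide's sample entries (first one uses a TAB, as the guide allows).
SAMPLE_ACCESS = (
    "privatefun@usa.net\tREJECT\n"
    "mta163060.savings1friend.com REJECT\n"
    "69.63.161.83 REJECT\n"
    "72.26.220 REJECT\n"
    "exrim.net REJECT\n"
    "From:exrim.net\tREJECT\n"
)
# Constructed broken sample: CRLF endings, a key repeated in different case,
# CIDR notation (not accepted by the access map) and a misspelt action.
BAD_ACCESS = (
    "exrim.net REJECT\r\n"
    "EXRIM.NET REJECT\r\n"
    "72.26.220.0/24 REJECT\r\n"
    "spam.example REJECTED\r\n"
)

Entry = Tuple[str, str, str, str]   # (tag, kind, key, action)


def classify(key: str) -> str:
    """Return 'address', 'ip', 'prefix' or 'host'; raise ValueError for a malformed key."""
    if "/" in key:
        raise ValueError("CIDR notation is not accepted; use a dotted prefix such as 72.26.220")
    if "@" in key:
        local, _, domain = key.partition("@")
        if not local or not HOST_RE.match(domain):
            raise ValueError(f"malformed mail address {key!r}")
        return "address"
    parts = key.split(".")
    if all(p.isdigit() for p in parts):
        if len(parts) > 4 or any(int(p) > 255 for p in parts):
            raise ValueError(f"bad IPv4 octets in {key!r}")
        return "ip" if len(parts) == 4 else "prefix"
    if not HOST_RE.match(key):
        raise ValueError(f"malformed hostname {key!r}")
    return "host"


def lint_access(text: str) -> Tuple[List[Entry], List[str]]:
    """Parse the access file; return (entries, problems), problems empty when clean."""
    entries: List[Entry] = []
    problems: List[str] = []
    seen: Dict[str, int] = {}
    if "\r" in text:
        problems.append("file contains CR characters; save it with LF-only line endings")
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)          # key, then the action after TAB or spaces
        if len(fields) != 2:
            problems.append(f"line {lineno}: expected '<key> REJECT', got {line!r}")
            continue
        key, action = fields[0], fields[1].strip()
        if action not in ACTIONS:
            problems.append(f"line {lineno}: unknown action {action!r}")
            continue
        tag = next((t for t in TAGS if key.startswith(t)), "")
        key = key[len(tag):]
        try:
            kind = classify(key)
        except ValueError as exc:
            problems.append(f"line {lineno}: {exc}")
            continue
        lookup = (tag + key).lower()   # makemap folds keys to lower case
        if lookup in seen:
            problems.append(f"line {lineno}: {tag + key!r} repeats line {seen[lookup]}; "
                            "the access file must not contain repeated keys")
            continue
        seen[lookup] = lineno
        entries.append((tag, kind, key, action))
    return entries, problems


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_ACCESS), ("bad", BAD_ACCESS)):
        found, issues = lint_access(text)
        print(label, [f"{t}{k} -> {kind}" for t, kind, k, _ in found], issues or "OK")
```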






    Troubleshooting



  • If you have a syntax error in SpamAssassin's local.cf then all configuration after that syntax error will not be read properly. Check the syntax by running:
    spamassassin --lint
    

    to find out where the problem is that needs fixing. There will be no output if there are no errors.




  • If a process (or processes) is not running as expected, check /var/log/maillog and /var/log/messages for any relevant messages. There will probably be something in one or both of these log files explaining the problem.




  • In the case a process is not running you can try starting it manually by running its bootup script in /usr/local/etc/rc.d, for example:

    /usr/local/etc/rc.d/sa-spamd.sh start
    

    will manually start SpamAssassin. Other valid arguments are usually stop and restart. If something's wrong a message will likely be displayed after running the script (if not also in the log files mentioned above).




  • If you edit a configuration file on Windows, be careful with the carriage return character (CR), as Windows uses CR LF (carriage return, line feed) but Unix (FreeBSD et al.) only uses LF. When you upload the configuration file from Windows to your FreeBSD server, make sure only the LF exists at the end of each line and that there is no CR in sight; otherwise you'll get unexpected errors on the FreeBSD box because of the configuration file.






    Miscellaneous



    The FreeBSD OS and ports packages are constantly evolving. If the packages being used are old there is a chance the virus definition data etc will be unusable. Please make sure you keep your server updated with the most recent versions.




    There are a ton of possible configurations in SpamAssassin's local.cf. We've only covered some of them in this document. Check the Spam Rejection Diary, which Hart Computer often updates with tips and tricks to further beef up SpamAssassin; you can find it here (sorry, but it's only available in Japanese).








    Disclaimer: We take no responsibility for whatever happens as a result of you following the instructions in this document. It's your choice, thus the consequences are your responsibility. Be warned! Also, we're busy with work so we won't reply to any e-mails. This document comes with no support.




    RBL.JP


    Tuesday, 3 June 2008

    Migrating Users from Linux to FreeBSD

    I managed to migrate the accounts, without a hitch (so far so good
    anyway). Here is a step by step account of what I did, for future
    reference:

    1) Created an NFS share on the linux machine, which was exported to the
    freebsd machine with the no_root_squash option. The entry in
    /etc/exports was:

    /home <freebsd_machine>(ro,no_root_squash)

    2) Copied the home directories across with the tar command given by Konrad:

    tar cCf /path/to/nfs/mount - . | tar xvpCf /path/to/new/home/dirs -

    The following 5 steps were copied from:
    http://www.openbsd.org/faq/faq9.html#passwd

    3) Merged /etc/passwd and /etc/shadow from the linux machine, using
    unshadow, part of the john the ripper suite - see
    http://www.openwall.com/john/ (a ports package is available)

    unshadow /etc/passwd /etc/shadow > linux_passwd

    4) Next, I converted the results to the /etc/master.passwd format using awk:

    # cat linux_passwd | awk -F : '{printf("%s:%s:%s:%s::0:0:%s:%s:%s\n", \
    > $1,$2,$3,$4,$5,$6,$7); }' > new_passwd

    5) Now I edited new_passwd, removing any of the system account entries
    (root, daemon etc) and any of the user accounts that overlapped with
    user accounts already on the freebsd machine.

    6) Merge new_passwd with /etc/master.passwd on the freebsd box
    # cat new_passwd >> /etc/master.passwd

    7) And then generate the password database files (/etc/spwd.db and
    /etc/pwd.db), and the normal /etc/passwd file.
    # pwd_mkdb -p /etc/master.passwd

    8) On both the linux box and the freebsd one, each user has its own
    group (of the same name of the user). For any users migrated from the
    linux machine to the bsd one, I also copied the corresponding entries
    from linux:/etc/group to freebsd:/etc/group. I hadn't seen anyone
    suggest doing this, but I can't see why it would be a problem, and it
    seems to work fine.
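The conversion in steps 4 and 5 above, done in Python as an added example rather than with the poster's awk and hand-editing. The sample unshadow output (with placeholder hashes) and the set of existing FreeBSD logins are constructed, and the cut-off for "system account" (uid below 1000) is an assumption, not something the post states.

```python
"""Turn the merged Linux passwd file (the `unshadow` output from step 3) into
FreeBSD master.passwd(5) lines, applying steps 4 and 5 of the post: add the
three fields Linux lacks (class, change, expire) and drop system accounts
and logins that already exist on the FreeBSD box.  Added example, not the
poster's commands."""
from typing import List, Set, Tuple

# Constructed sample of `unshadow /etc/passwd /etc/shadow` output; the hashes
# are placeholders, not real crypt(3) output.
LINUX_PASSWD = """\
root:$1$constructed$roothash:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/bin/sh
alice:$1$constructed$alicehash:1001:1001:Alice Example:/home/alice:/bin/bash
bob:$1$constructed$bobhash:1002:1002:Bob Example,,,:/home/bob:/bin/bash
carol:!:1003:1003:Carol Example:/home/carol:/bin/bash
"""
# Constructed set of logins already present in the FreeBSD /etc/master.passwd.
FREEBSD_EXISTING: Set[str] = {"root", "daemon", "operator", "bob"}


def linux_to_master_passwd(line: str) -> str:
    """The post's awk mapping: name:pw:uid:gid:gecos:home:shell
    becomes name:pw:uid:gid::0:0:gecos:home:shell."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 passwd fields, got {len(fields)}: {line!r}")
    name, pw, uid, gid, gecos, home, shell = fields
    # Empty login class, change=0 and expire=0 (never): the three columns
    # Linux passwd(5) does not have.  The hash is copied verbatim.
    return f"{name}:{pw}:{uid}:{gid}::0:0:{gecos}:{home}:{shell}"


def migrate(linux_passwd: str, existing: Set[str],
            uid_min: int = 1000) -> Tuple[List[str], List[str]]:
    """Return (master.passwd lines to append, reason for each skipped line).
    uid_min is an assumption: most Linux distributions start users at 1000."""
    out: List[str] = []
    skipped: List[str] = []
    for raw in linux_passwd.splitlines():
        if not raw.strip():
            continue
        fields = raw.split(":")
        if len(fields) != 7:
            skipped.append(f"malformed line {raw!r}")
            continue
        name, uid = fields[0], int(fields[2])
        if uid < uid_min:
            skipped.append(f"{name}: system account (uid {uid}), keep the FreeBSD one")
        elif name in existing:
            skipped.append(f"{name}: login already exists on the FreeBSD box")
        else:
            out.append(linux_to_master_passwd(raw))
    return out, skipped


if __name__ == "__main__":
    new_lines, why = migrate(LINUX_PASSWD, FREEBSD_EXISTING)
    print("\n".join(new_lines))   # what `cat new_passwd >> /etc/master.passwd` would append
    print("skipped:", why)
```

After appending the output to /etc/master.passwd, step 7's pwd_mkdb run is still required to rebuild the databases.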

    Wednesday, 30 April 2008

    ipkg software

    Ipkg (tutorial) - DD-WRT Wiki






















    Commandline Structure


    Usage


    usage: ipkg [options...] sub-command [arguments...]


    Options


    -d <dest_name> or -dest <dest_name>
        Install, upgrade, or remove package from <dest_name>, where
        <dest_name> is either a folder path or a pre-defined path in
        /etc/ipkg.conf. By default, ipkg on DD-WRT supports these
        pre-defined names:
            root  /jffs
            ram   /tmp

    -o <offline_root> or -offline <offline_root>
        Use <offline_root> as the root for offline installation, where
        <offline_root> is a path.

    -force-depends
        Make dependency checks warnings instead of errors.

    -force-defaults
        Use default options for questions asked by ipkg (no prompts).
        Note that this will not prevent package installation scripts
        from prompting.


    Sub Commands



    update Update list of available packages from <src> defined in /etc/ipkg.conf
    upgrade Upgrade all installed packages to latest version
    install <pkg> Download and install <pkg> (and dependencies)
    remove <pkg> Remove package <pkg>

    list List available packages and descriptions
    files <pkg> List all files belonging to <pkg>
    search <file> Search for a package providing <file>
    info [pkg [<field>]] Display all/some info fields for <pkg> or all
    status [pkg [<field>]] Display all/some status fields for <pkg> or all
    depends <pkg> Print uninstalled package dependencies for <pkg>

    - <pkg> may be a package name, or a URI to the *.ipk or *.deb file
    - arguments displayed in [ ] are optional

    Finding Packages


    OpenWRT.org hosts a list of Official Packages, as well as a Package Tracker and openwrt.alphacore.net listing all known packages. Packages from the tracker will usually have to be installed by using <pkg> as a URI rather than a package name, unless you've updated your /etc/ipkg.conf file to point to a different repository.

    Another source of software for the wrt is ipkg.nslu2-linux.org; most of the files in this directory work fine on DD-WRT.


    Installing ipkg Packages


    The general steps for installing ipkg modules are as follows:

    -Pick a location to install to. Currently available locations are:

    ram (/tmp)


    root (the flash partition at /jffs)

    mmc (/mmc)

    smbfs (/tmp/smbshare)

    Then from the command line in the jffs directory, run the following commands:


    ipkg update # pulls latest list of package listing from the default sites.
    ipkg list # gives the list of ipkg's available
    ipkg -d <location> install <packagename> # installs the package of your choice

    If the package you want is not in the list, substitute the URI of the package for the <packagename> you want to install.

    Packages installed to ram will be deleted on reboot. There is more ram than flash space, however.


    jffs must be configured and initialized before packages can be installed to root.

    Ex: to install the noip package to ram:


    ipkg update
    ipkg list

    Since noip is not in the list, see Finding Packages


    ipkg -d ram install http://www.ramereth.net/openwrt/ipkg/noip_1.6.0_mipsel.ipk

    Required uClibc installation


    There is much confusion about the LD_LIBRARY_PATH setting, and some programs fail because of uClibc binary incompatibility between the system uClibc libraries that DD-WRT provides in /lib/ and OpenWRT programs that require their own uClibc, which is also provided as an IPK package (for example at http://downloads.openwrt.org/whiterussian/packages/). To make sure a program runs stably you must provide it with a compatible uClibc library. It is recommended to install the OpenWRT uClibc manually with


    cd /tmp
    wget http://downloads.openwrt.org/whiterussian/packages/uclibc_0.9.27-9_mipsel.ipk
    wget http://downloads.openwrt.org/whiterussian/packages/libgcc_3.4.4-9_mipsel.ipk
    /bin/ipkg -force-depends install uclibc_0.9.27-9_mipsel.ipk libgcc_3.4.4-9_mipsel.ipk

    This procedure avoids installing the OpenWRT base-files package, which is not required for running ipkg-provided programs.


    Setting LD_LIBRARY_PATH



    Running OpenWRT programs also requires the correct setting of the shared library search path. The default shared library search path is specified in /etc/ld.so.conf, but /etc/ld.so.conf is not used if LD_LIBRARY_PATH is set in /etc/profile. To see whether LD_LIBRARY_PATH is set or not, just enter


    set

    in console.

    If unsure, or if special paths are used, one can also override the /etc/ld.so.conf search paths by setting the correct LD_LIBRARY_PATH. For example, programs that reside in /jffs/bin or /jffs/sbin could be run with the following script, openwrt-run.sh, which should be located somewhere in the default search path.


    #!/bin/sh
    # Put the OpenWRT binaries and their uClibc libraries first on the search
    # paths, then run the requested program with all of its arguments intact
    # ("$@" instead of $1 $2 ... $6, which broke on spaces and capped the count).
    export PATH=/jffs/bin:/jffs/sbin:${PATH}
    export LD_LIBRARY_PATH=/jffs/lib:/jffs/usr/lib:/jffs/usr/local/lib
    exec "$@"

    One should use this script like


    /jffs/bin/openwrt-run.sh swapon /dev/discs/disc0/part2

    This will ensure that the program swapon uses the correct uClibc library and does not use the paths provided in /etc/ld.so.conf.


    Starting Programs/Daemons



    If you installed some daemons you need to activate them manually, because the OpenWRT /etc/init.d/ startup method is not (yet?) implemented. One possibility would be to


    nvram set rc_startup=/jffs/etc/init.d/*

    Or use the Samba-Startup script.

    For further Information see Startup Scripts.


    What if your jffs partition is full (routers with NO JFFS space avail)



    You have to enable jffs anyway, even if it is useless, and create the required directory in your Samba share:


    ~# mkdir -p /tmp/smbshare/tmp/ipkg

    Download then the packages directly to your Samba share and type:


    ~# ipkg -d smbfs install /tmp/smbshare/directory/package.ipk

    or download and install at the same time with the same command:


    ~# ipkg -d smbfs install http://www.ramereth.net/openwrt/ipkg/noip_1.6.0_mipsel.ipk

    You should see some warning messages like these ones:


    ERROR: File not found: //jffs/usr/lib/ipkg/lists/whiterussian
    You probably want to run `ipkg update'
    ERROR: File not found: //jffs/usr/lib/ipkg/lists/non-free
    You probably want to run `ipkg update'

    which you can safely ignore.




    Use ipkg on DD-WRT 24



    In my dd-wrt 24, I found cifs included, not smbfs or smbmount as told elsewhere on this page.

    Here is how I partly solved it:
    On the Administration webpage, fill in the CIFS Automount options.
    Create a script with this and set it to be the startup script:


    mount --bind /tmp/smbshare /jffs
    nvram set sys_enable_jffs2=1

    ipkg update failed for me, so I did a work-around:


    mkdir -p /jffs/tmp/ipkg
    ipkg update
    ipkg list

    I found it's key when using ipkg and jffs that you are in the jffs directory. In other words:

    ~# cd /jffs

    /jffs # ipkg -d root install <pkg>.

    (end of dd-wrt 24)


    Ipkg on Startup


    Since the available RAM is larger, is it possible to set up a startup script to install an ipkg?
    That way, each time it's rebooted the router will automatically download and install the ipkg we need.

    One way to accomplish this is to write a startup script
