ipfw shaping sample

Sample ipfw shaping

without guaranteed bandwidth
fxp3 - router internal interface

#download
/sbin/ipfw add pipe 2174 ip from any to 192.168.5.27/32 xmit fxp3
/sbin/ipfw pipe 2174 config bw 384Kbit/s
#upload
/sbin/ipfw add pipe 2175 ip from 192.168.5.27/32 to any recv fxp3
/sbin/ipfw pipe 2175 config bw 384Kbit/s

if you want to put the limit on the port range

#download
/sbin/ipfw add pipe 2174 ip from any to 192.168.5.27/32 src-port 1-8079 xmit fxp3
/sbin/ipfw add pipe 2174 ip from any to 192.168.5.27/32 src-port 8081-65535 xmit fxp3
/sbin/ipfw pipe 2174 config bw 384Kbit/s
#upload
/sbin/ipfw add pipe 2175 ip from 192.168.5.27/32 to any recv fxp3
/sbin/ipfw pipe 2175 config bw 384Kbit/s

If you want to add guaranteed bandwidth and rules priority

#download
/sbin/ipfw add 2174 queue 30986 ip from any to 192.168.5.27 src-port 1-8079,8081-65535 xmit fxp3
/sbin/ipfw pipe 2174 config bw 6144Kbit/s queue 32Kbit/s
/sbin/ipfw queue 2174 config pipe 30986 weight 30
#upload
/sbin/ipfw add 2175 queue 30987 ip from 192.168.5.27 to any recv fxp3
/sbin/ipfw pipe 2175 config bw 1536Kbit/s queue 8Kbit/s
/sbin/ipfw queue 2175 config pipe 30987 weight 30

[Bug 5340] New: sa-compile fails to write to 'compiled/3.00200' dir

Summary: sa-compile fails to write to 'compiled/3.00200' dir
Product: Spamassassin
Version: SVN Trunk (Latest Devel Version)
Platform: Macintosh
OS/Version: Mac OS X
Status: NEW
Severity: normal
Priority: P5
Component: sa-compile
AssignedTo: dev@spamassassin.apache.org
ReportedBy: [EMAIL PROTECTED]


i've built up a test-instance of,

% spamassassin --version
SpamAssassin version 3.2.0-pre1-r499012
running on Perl version 5.8.8

on,

% uname -a
Darwin snowcrash 8.8.0 Darwin Kernel Version 8.8.0: Fri Sep 8
17:18:57 PDT
2006; root:xnu-792.12.6.obj~1/RELEASE_PPC Power Macintosh powerpc

currently, on launch of sa, i see @ console,

[21402] error: Can't locate Mail/SpamAssassin/CompiledRegexps/body_0.pm
in @INC
(@INC ...
/var/mail/spamassassin/updates/compiled/3.002000
/var/mail/spamassassin/updates/compiled/3.002000/auto) at (eval 536) line 1.

this is with,

loadplugin Mail::SpamAssassin::Plugin::Rule2XSBody

in init.pre

if i disable the compile plugin, on restart i get no errors.

i was informed on-list that,

> that's to be expected until you actually run "sa-compile" to compile
> the ruleset...

now,

% /usr/local/spamassassin/bin/sa-compile --sudo -D
[21503] dbg: logger: adding facilities: all
[21503] dbg: logger: logging level is DBG
[21503] dbg: generic: SpamAssassin version 3.2.0-pre1-r499012
[21503] dbg: config: score set 0 chosen.
[21503] dbg: dns: is Net::DNS::Resolver available? yes
[21503] dbg: dns: Net::DNS version: 0.59
sa-compile: cannot write to
/var/mail/spamassassin/updates/compiled/3.002000, aborting

checking,

% ls -ald /var/mail/spamassassin/updates/compiled/3.002000
/usr/local/bin/ls: cannot access
/var/mail/spamassassin/updates/compiled/3.002000: No such file
or
directory

then,

% mkdir -p /var/mail/spamassassin/updates/compiled/3.002000
% chown -R spam:spam /var/mail/spamassassin/updates/compiled/3.002000

and again,

% /usr/local/spamassassin/bin/sa-compile --sudo -D

still reports,

[21503] dbg: logger: adding facilities: all
[21503] dbg: logger: logging level is DBG
[21503] dbg: generic: SpamAssassin version 3.2.0-pre1-r499012
[21503] dbg: config: score set 0 chosen.
[21503] dbg: dns: is Net::DNS::Resolver available? yes
[21503] dbg: dns: Net::DNS version: 0.59
sa-compile: cannot write to
/var/mail/spamassassin/updates/compiled/3.002000, aborting


thanks.

qmail SMTP Authentication

1- Download qmail-1.03, vpopmail 5.2 and smtp-auth patch from
http://members.elysium.pl/brush/qmail-smtpd-auth/dist/qmail-smtpd-auth-0.30.tar.gz

2- Read the README.auth to patch qmail with smtp-auth patch
3- Compile qmail normaly
4- Compile vpopmail as you need
5- # chmod 4755 ~vpopmail/bin/vchkpw
# chown root.root ~vpopmail/bin/vchkpw

6- You can run qmail-smtpd from inetd or tcpserver
I recommend you to use tcpserver,
If you are using tcpserver, use following command to start qmail-smtpd (Note!! all of them are in a single line !)

exec /usr/local/bin/softlimit -m 4000000 tcpserver -H -l0 -R -c 512 -x /home/vpopmail/etc/tcp.smtp.cdb -u VPOPMAILUID -g VPOPMAILGUID 0 smtp /var/qmail/bin/qmail-smtpd your.qmail.server.name /home/vpopmail/bin/vchkpw /bin/true &

change following parameters depend of your system configuration

-x /home/vpopmail/etc/tcp.smtp.cdb //change this with your tcp.smtpd.cdb file path
VPOPMAILUID is your vpopmail user id
VPOPMAILGUID is your vpopmail group id
your.qmail.server.name is your fully qualified server name
/home/vpopmail/bin/vchkpw is your vchkpw file path
/bin/true is your true command path (this is /usr/bin/true in FreeBSD)

if you do NOT add your .qmail.server.name parameter after /var/qmail/bin/qmail-smtpd , your smtp-auth gives fake authentication. It returns true for any username and password

if you are using inetd, add following lines to inetd.conf and send kill -HUP to inetd

smtp stream tcp nowait qmaild /var/qmail/bin/tcp-env tcp-env \
/var/qmail/bin/qmail-smtpd your.qmail.server.name /home/vpopmail/bin/vchkpw /bin/true

that's all

Regards

How do you enable .mkv subs in mplayer?

How do you enable .mkv subs in mplayer?
Press V to toggle the subs on and off, and press J to cycle languages. You can cycle the audio by pressing #

How To Patch / Upgrade BIND 9.x Under FreeBSD Operating Syste

How To Patch / Upgrade BIND 9.x Under FreeBSD Operating Syste

To fix this issue under FreeBSD 6.3, download patch:

# cd /tmp

# fetch -o bind.patch http://security.FreeBSD.org/patches/SA-08:06/bind63.patch

If you are using FreeBSD 7.0, enter:

# cd /tmp

# fetch -o bind.patch http://security.FreeBSD.org/patches/SA-08:06/bind7.patch

Type the following commands to compile and install bind 9 patch:


# cd /usr/src

# patch < /tmp/bind.patch

# cd /usr/src/lib/bind

# make obj && make depend && make && make install

# cd /usr/src/usr.sbin/named


# make obj && make depend && make && make install



Restart bind 9:

# /etc/rc.d/named restart

# tail -f /var/log/messages

FreeBSD geli encryption

configuration

My installation testserver has the following hardware configuration:

ar0: IDE-RAID controller (RAID 5)
..with four SATA harddisks ad4, ad6, ad8 and ad10

ad14: SATA harddisk containing the system installation

da0: USB Stick - will contain the boot files and geli decryption key

As the operating system I am using the FreeBSD 6.1-RELEASE version. We will encrypt the ar0 RAID and use it as our main working system. In order to set it up we need a standard system which I installed on the single harddisk ad14. It won't be needed afterwards. As the final encrypted operating system will not be able to boot up by itself we need a memory-stick da0 containing the files which are needed for the booting process. The stick also contains the geli key which will be necessary for decrypting the filesystem.

The goal is to have an encrypted RAID-5 system which can only be booted up using a memory stick with a key and a password.

installation

First of all we clear all previous data we have on the ar0 harddisk.

# dd if=/dev/random of=/dev/ar0

WARNING: This will delete your entire data on the harddisk! Depending on the size of the disk this may take a while.

As we would like to use a key-file for the geli encryption we need to create this file first before initializing the geli container:

# mkdir /boot/keys
# dd if=/dev/random of=/boot/keys/ar0.key bs=128k count=1

The dd command creates a new file (ar0.key) of 128Kb filled with random data (/dev/random).

In a next step we initialize the geli container on the ar0 harddisk:

# geli init -b -K /boot/keys/ar0.key -s 4096 -l 256 /dev/ar0

The -b parameter specifies that a password is needed on bootup. The second parameter -K specifies the key which is used for encryption - the one we have just created. The -s 4096 increases the sector size which really boosts up encrypting/decrypting performance. The -l 256 parameter tells geli to use an AES 256 encryption - which is the strongest currently supported. And finally /dev/ar0 is our RAID device. Type in your secret password and the initialization is completed.

Next, the device will be attached which creates the decrypted device with which we will work.

# geli attach -K /boot/keys/ar0.key /dev/ar0

We specify the location to the encryption key for attaching. Enter the password you chose during initialization and a new device /dev/ar0.eli will be created for you.

Ok, as we now have the decrypted device its time to partition it:

# bsdlabel -w /dev/ar0.eli
# bsdlabel -e /dev/ar0.eli

The first commands creates a standard label and the second one is used to specify the single partitions to create. It will bring up an editor. The first column contains a single character. This is the partitions label. "c" is reserved for the complete disk and may not be changed. "b" is usually the swap partition. The second column specifies the size of the partition (in sectors). Note: We told geli during initialization to use 4096 bytes per sector. The offset needs to be calculated manually and is simply the sum of the sizes of the predecessing partitions. In the fstype column you need to write 4.2BSD for all partitions except the swap partition (and the c partition of course!). The next two columns can be filled with a 0 in each one and on the last one we do not write anything. This will be completed by FreeBSD. Here is my configuration:

# /dev/ar0.eli
8 partitions:
#      size   offset   fstype  [fsize bsize bps/cpg]
a:     512M        0   4.2BSD       0     0
b:    2048M        *     swap
c: 19544356        0   unused       0     0
d:    4096M        *   4.2BSD       0     0
e:    2048M        *   4.2BSD       0     0
f:        *        *   4.2BSD       0     0

Note the * at the partition f: this will cause FreeBSD to use the rest of the available disk space for the final partition. The * at the offset column tells FreeBSD to calculate the offsets by itself based on the predecessing partitions.

Now that we have the partitions it's time to create the filesystems:

# newfs /dev/ar0.elia
# newfs /dev/ar0.elid
# newfs /dev/ar0.elie
# newfs /dev/ar0.elif

installing operating system

The target harddisk is now partitioned and the filesystems have been
created. Let's put the operating system on it. First we create a new
directory:

# mkdir /fixed

This
creates a new directory called "fixed" on the root directory. This
directory will contain the target filesystem structure. Next, we mount
the target root partition on fixed:

# mount /dev/ar0.elia /fixed

Then we create the following directories to create the desired structure:

# mkdir /fixed/var
# mkdir /fixed/tmp
# mkdir /fixed/usr

Now mount the previously created partitions to the new directories:

# mount /dev/ar0.elid /fixed/var
# mount /dev/ar0.elie /fixed/tmp
# mount /dev/ar0.elif /fixed/usr

It's
time to copy the operating system files to the target filesystem. To do
so we need to set an environment variable which is used by the install
script to determine where to extract the OS files. Switch to the
bash-shell and export the variable and switch back:

# /bin/sh
# export DESTDIR=/fixed/
# /bin/csh

Ok we are ready to install the files. Mount the CD-ROM drive (yes insert your FreeBSD CD 1 now) and install!

# mount /cdrom
# cd /cdrom/6.1-RELEASE/base
# ./install.sh

Ensure that the export directory is /fixed and confirm the copy process.
FreeBSD 6.1 does not install automatically the kernel. So let's do it manually:

# cd /cdrom/6.1-RELEASE/kernels
# ./install.sh GENERIC

This will install the generic kernel on the encrypted geli device. If you have a multi-processor system you can use the SMP instead of the GENERIC kernel in the command above.

kbdmux and geli are enemies!

In the current version (FreeBSD 6.1-RELEASE) there is a major problem with the kbdmux keyboard multiplexer driver and geli. Either the keyboard or geli worked, but never both at the same time. Tomas Snackerstrom pointed out that problem in one of his precious comments. This brought me to the solution of removing the kbdmux driver from the generic kernel by compiling a custom one.

In the following few steps we will compile a custom kernel. If you have not installed the kernel sources do this now. You can find detailed explanations here.

First, we create a copy of the GENERIC kernel configuration file and alter it:

# cd /usr/src/sys/i386/conf
# mkdir /root/kernels
# cp GENERIC /root/kernels/PROPORTION
# ln -s /root/kernels/PROPORTION

This creates a new kernel configuration file called PROPORTION in the roots home directory. Of course you can name the file whatever you like. Now alter the PROPORTION kernel configuration file with your favorite editor:

# vi PROPORTION

Put your kernels name in the "ident" line, so you will recognize your custom kernel during boot-up. And most important: remove the line "device kbdmux". Close and save the file.

Now build and install the kernel:

# cd /usr/src
# make buildkernel KERNCONF=PROPORTION
# make installkernel KERNCONF=PROPORTION

This will take a while - especially builing the kernel. Now, as the kernel is built and installed we will copy it to the geli encrypted harddisk:

# cp -Rpv /boot/kernel /fixed/boot

configuring removable device

It's time to take care of the removable device which plays an important role in the whole installation. It contains the files which are essential for booting.

First of all we create a new slice on the device:

# fdisk -BI /dev/da0

WARNING: This will remove all data on the device. Make sure no important data is stored on it.

Next, we create the partition on the slice:

# bsdlabel -Brw /dev/da0s1
# bsdlabel -e /dev/da0s1

Again this will bring up an editor in where you can specify the desired partitions. This time we only create one single partition:

#      size   offset   fstype  [fsize bsize bps/cpg]
a:   528600        0   4.2BSD       0     0
c:   528600        0   unused       0     0

Create a new filesystem on the previously created partition and mount the filesystem so we can start putting the required files on it.

# newfs /dev/da0s1
# mount /dev/da0s1 /mnt

A couple of minutes ago we installed the base distribution on the encrypted target harddisk. As we are not able to boot from that disk we need to put the boot files on the removable (non-encrypted) medium:

# cp -Rpv /fixed/boot /mnt

Done. Now let's speed up the booting process by zipping the kernel and the two needed modules. Switch to the kernel's directory and zip it:

# cd /mnt/boot/kernel
# gzip kernel geom_eli.ko acpi.ko

To make sure we will be asked for the password at boottime we need to add the needed module to the /boot/loader.conf file:

# echo geom_eli_load="YES" >> /mnt/boot/loader.conf

Now we also need to specify where to load the encryption key from during startup. First copy the keyfile to the USB stick:

# mkdir /mnt/boot/keys
# cp /boot/keys/ar0.key /mnt/boot/keys/

Second, specify the corresponding geli commands to load the key from the stick. This is also defined in the /boot/loader.conf file. Open it and add the following lines to it:

geli_ar0_keyfile0_load="YES"
geli_ar0_keyfile0_type="ar0:geli_keyfile0"
geli_ar0_keyfile0_name="/boot/keys/ar0.key"

We are almost there. The final step is to tell the kernel which filesystem to load. By creating the directory etc and putting the file fstab into it we can achieve this:

# mkdir /mnt/etc
# vi fstab

This opens up the editor and we can start specifying the filesystems. This needs to be the same structure we created on our target harddisk (see the similarities?):

# Device       Mountpoint  FStype Options   Dump Pass#
/dev/ar0.elib  none        swap   sw        0    0
/dev/ar0.elia  /           ufs    rw        1    1
/dev/ar0.elie  /tmp        ufs    rw        2    2
/dev/ar0.elif  /usr        ufs    rw        2    2
/dev/ar0.elid  /var        ufs    rw        2    2
/dev/acd0      /cdrom      cd9660 ro,noauto 0    0

I additionally added the cdrom. It is not mandatory but quite handy. Finally copy the fstab file to the target harddisk:

# cp /mnt/etc/fstab /fixed/etc/

Congratulations. Let's see if it works!

testing

Now it's time to bring Frankenstein alive! Remove the installation CD and shutdown the computer. Remove the operating systems harddisk (ad14), plug in the removable device and switch it on. If everything runs smooth you will be promted for the password during boot and afterwards the system will be booted.

Here are some problems I encountered afterwards:

Problem: The bios tells you that the operating system cannot be found.
Solution: Make sure your bios is capable of booting from removable devices such as USB sticks and check the bios boot-order settings.

Problem: I get multiple password prompts during bootup.
Solution: I played around with the geli init command before and initialized some other disks. You can kill those initializations by typing:

# geli kill /dev/adX

Where /dev/adX is the concerning device. This will kill the encryption keys! WARNING: Do not try this on the correct disk you've just created! (Well, unless the FBI is knocking on your door and you have a good reason doing so).