
Total: 1243

  • tech-repository
    vendor source even addremove command isn t in trunk at the time of writing It has been merged to trunk and is part of the pkgsrc version No it isn t part of pkgsrc version at the moment TIAS Sorry you are right Merged to trunk in ceab53718f Merge state sticks You can t undo it Not sure what you mean but revert resets the merge state since d13054ce84 This is quite recent late October fix I didn t check it You can t amend your source when you ve just merged you are forced to commit after merge To clarify the merge has to be committed first no separate commits are possible from the checkout before that In practice this makes critical defect in combination of fossil diff inability to generate difference for added files You can t tune diff command to ignore RCS keywords Since RCS keywords are not really a native command it is no surprise An external diff program can be used for this purpose though Since there s no external diff program that supports it it is really not quite easy You can t diff single file between two given versions diff from version1 to version2 path to file That didn t work and I m not sure it works now It used to ignore path to file argument It used to bail out when both from and to were used There s no way to change commit messages easily done via ui select a commit and under Other Links you can find Edit given the necessary permissions How It should be possible via command line nevertheless There s no documented way to select commit messages of current branch or branch by given commit id Or there s a bug preventing it fossil info This isn t about info command it is about timeline Please clarify what you mean BTW this command doesn t support R flag perhaps you have to check the source out to use it Commands are under documented usage messages don t list many available options This applies to trunk at least there s a branch that states documentation as its goal There s no convenient way to look at commit contents files affected diff fossil ui and 
use a web browser We don t have web browser in base system this information should be accessible with command line Some of above problems are reported Note all problems above are usability problems I didn t explore e g scalability Joerg did and had problems but this is another story Experiences with git Experience with the imported repositories on morden no problem in principle with the smaller modules like othersrc or htdocs CVS tags are one off but that is expected the large repos are really fragile and gits idea of how to fix a broken repo seems to be to retrieve a copy from someone somewhere that happens to not be broken Experiences with Subversion please fill in Experiences with Bazaar

    Original URL path: http://wiki.netbsd.org/mailing-lists/tech-repository/ (2016-02-01)


  • netbsd kernel development setup
    Moved: The instructions that used to be on this page have moved to Kernel debugging with QEMU.

    Original URL path: http://wiki.netbsd.org/netbsd_kernel_development_setup/ (2016-02-01)

  • netbsd kernel runtime memory consumption
    1 2 39 40 39 2 1 0 1 2 40 0 40 1 0 if i previous value of i start a new child by calling fork the child process does infinite sleep else i less than previous value of i kill the last started child and rip it Remember page counter value for i in 1 2 3 4 5 allocate all the memory in the system see below Remember page counter value and mark the first and the last with The allocate all the memory step above is performed as follows A new child consuming memory in an infinite loop is starting After the system is running out of memory this child is killed by the kernel thus all the memory allocated by it is freed The red line marked fork and kill for i in the same list as above Kill and rip ALL the children if any exist Start i new children by calling fork and sleep Remember page counter value Allocate all the memory five times as above Writing files Open up to 40 files the green curve represents temporary files on tmpfs the red one is the same for nfs the blue curve represents writing to dev null and write some data to them for i in 0 40 0 40 0 40 0 if i previous value of i open a new file unlink the opened file unless writing media is NOT dev null else i previous value of i close the last opened connection FILO Write forty kilobytes to every opened file Remember page counter value Allocate all the memory five times as test 1 above Reading data from the network Open connections to the server on remote host and read some data from them for i in 0 40 0

    Original URL path: http://wiki.netbsd.org/netbsd_kernel_runtime_memory_consumption/ (2016-02-01)

  • nsps
    ftp pass in log proto tcp from any to any port www keep state pass in proto tcp from any to any port ftp keep state pass in proto tcp from any to any port ftp data keep state pass in proto tcp from any port ftp data to any port 1023 keep state pass in log proto icmp all keep state IP Filter for Dial Ups Dial up connections offer somewhat of a challenge for ipfilter in that most dial up interfaces are assigned a different IP address each time the user makes the connection In dial up or any dynamic address situation the rules must be written in a slightly less secure manner In other words rules cannot use the internet side IP address however even just using the interface is normally enough to guarantee pretty good security As an example here is one of the rules that uses an IP address pass out as if we were a single internet client pass out quick on ep0 proto tcp from 216 68 250 60 32 to any keep state pass out quick on ep0 proto udp from 216 68 250 60 32 to any keep state pass out quick on ep0 proto icmp from 216 68 250 60 32 to any keep state For our dial up connection we will have to change the ruleset to this pass out as if we were a single internet client pass out quick on ep0 proto tcp from any to any keep state pass out quick on ep0 proto udp from any to any keep state pass out quick on ep0 proto icmp from any to any keep state Now what good does this do us now Well first any ports that are still blocked are still inaccessible Second if a service is not turned on and no inbound proxying is enabled all of this traffic is just passing through There is no way for anyone to connect to the firewall except via ssh Configuring IPNAT Network Address Translation NAT is part of IPfilter which comes by default with the NetBSD release The job of NAT is to take a source IP address and translate it to another out a different network interface This is also known as masquerading Luckily for you as the exhausted reader and I the exhausted author configuring NAT is pretty 
simple especially with the example we are using What our etc ipnat conf needs to look like It is very simple map ep0 172 16 0 0 16 216 68 250 60 32 proxy port ftp ftp tcp map ep0 172 16 0 0 16 216 68 250 60 32 portmap tcp udp 10000 20000 map ep0 172 16 0 0 16 216 68 250 60 32 First we are proxying ftp thru the ep0 interface The next line says go ahead and map all tcp udp traffic right on through the interface and assign each out bound connection a port from 10000 to 20000 and finally the last line says just plain map from 172 16 0 0 16 to 216 68 250 60 32 For our purposes this is all we need so the rest of this document is of limited interest to those of you in a crunch trying to get a firewall up Other Nifty Stuff A few items of interest for the curious we can also map into the local network as well map fxp0 216 68 250 60 32 172 16 14 1 32 add whatever service here This might be handy to connect to a specific server inside such as a web server or if you recall the DMZ example before we may wish to translate into the DMZ from the world Additionally it can be used as a poor man s router to link internal networks together but there are much better ways of doing that Instead of this however most administrators would locate the web server within a DMZ and use ipfilter to ensure only http and ssh connections can be made to the system If you look closely you will see all outbound connections map to a single IP address what if you wanted to be able to map to more You can do so by simply changing the single address to a network map ep0 172 16 0 0 16 216 68 250 0 24 Finally the portmap range can be adjusted to whatever you feel is necessary IPNAT With Dial Up Networking Many home users use dial up connections to access the internet Many dial up connections are assigned a dynamic IP address every time the user connects At first glance it may appear that some method for putting this new address into etc ipnat conf is required Luckily that is not so Take note of how addresses 
can be shown on the internet side of the ipnat conf file Actually entire subnets can be used like so map ep0 172 16 0 0 16 216 68 0 0 16 What this is saying is that addresses from 172 16 0 0 can be assigned any address on 216 68 0 0 s network Keeping that in mind on a dial up connection you know you will be given one and one address so the following entries effectively do the same map ppp0 172 16 0 0 0 32 proxy port ftp ftp tcp map ppp0 172 16 0 0 0 32 portmap tcp udp 40000 60000 map ppp0 172 16 0 0 0 32 Here we are saying map anything on 172 16 0 0 to one single address the address the interface will have Activating Services At this point in theory we are ready to start everything up All of the services we will need running are ipfilter ipnat ipmon sshd Additionally we need to make sure that ip forwarding is enabled in the kernel Turning on IP Forwarding To turn on IP forwarding use the sysctl facility sysctl w net inet

    Original URL path: http://wiki.netbsd.org/nsps/ (2016-02-01)


  • 64 0 23 to any block in quick on any from 224 0 0 0 3 to any pass out as if we were a single internet client pass out quick on ep0 proto tcp from 216 68 250 60 32 to any keep state pass out quick on ep0 proto udp from 216 68 250 60 32 to any keep state pass out quick on ep0 proto icmp from

    Original URL path: http://wiki.netbsd.org/nsps/ipf.conf (2016-02-01)


  • 68 250 60 32 proxy port ftp ftp tcp map ep0 172 16 0 0 16 216 68 250 60 32 portmap tcp udp 10000 20000 map ep0 172 16

    Original URL path: http://wiki.netbsd.org/nsps/ipnat.conf (2016-02-01)


  • action that will be run if an attack is detected If you don t want a particular option then comment it out and it will be skipped The variable TARGET will be substituted with the target attacking host when an attack is detected The variable PORT will be substituted with the port that was scanned Ignore Options These options allow you to enable automatic response options for UDP TCP This is useful if you just want warnings for connections but don t want to react for a particular protocol i e you want to block TCP but not UDP To prevent a possible Denial of service attack against UDP and stealth scan detection for TCP you may want to disable blocking but leave the warning enabled I personally would wait for this to become a problem before doing though as most attackers really aren t doing this The third option allows you to run just the external command in case of a scan to have a pager script or such execute but not drop the route This may be useful for some admins who want to block TCP but only want pager e mail warnings on UDP etc 0 Do not block UDP TCP scans 1 Block UDP TCP scans 2 Run external command only KILL RUN CMD BLOCK UDP 1 BLOCK TCP 1 Dropping Routes This command is used to drop the route or add the host into a local filter table The gateway 333 444 555 666 should ideally be a dead host on the local subnet On some hosts you can also point this at localhost 127 0 0 1 and get the same effect NOTE THAT 333 444 555 66 WILL NOT WORK YOU NEED TO CHANGE IT All KILL ROUTE OPTIONS ARE COMMENTED OUT INITIALLY Make sure you uncomment the correct line for your OS If you OS is not listed here and you have a route drop command that works then please mail it to me so I can include it ONLY ONE KILL ROUTE OPTION CAN BE USED AT A TIME SO DON T UNCOMMENT MULTIPLE LINES NOTE The route commands are the least optimal way of blocking and do not provide complete protection against UDP attacks and will still generate alarms for both UDP and stealth scans I always recommend 
you use a packet filter because they are made for this purpose Generic KILL ROUTE sbin route add TARGET 333 444 555 666 Generic Linux KILL ROUTE sbin route add host TARGET gw 333 444 555 666 Newer versions of Linux support the reject flag now This is cleaner than the above option KILL ROUTE sbin route add host TARGET reject Generic BSD BSDI OpenBSD NetBSD FreeBSD KILL ROUTE sbin route add TARGET 333 444 555 666 Generic Sun KILL ROUTE usr sbin route add TARGET 333 444 555 666 1 NEXTSTEP KILL ROUTE usr etc route add TARGET 127 0 0 1 1 FreeBSD Not well tested KILL ROUTE route add

    Original URL path: http://wiki.netbsd.org/nsps/portsentry.conf (2016-02-01)


  • the command line Load the defaults in from etc defaults rc conf if it s readable These can be overridden below if r etc defaults rc conf then etc defaults rc conf fi If this is not set to YES

    Original URL path: http://wiki.netbsd.org/nsps/rc.conf (2016-02-01)