up_the_irons \o
Do some support now :D
up_the_irons: thanks :)
I have a pf question for those that are more experienced with pf than I (read: everyone).
We might have an answer.
I use BIND locally in a forward-only configuration. my forwarders are 8.8.8.8 and 8.8.4.4 (Google). The oddity that I'm trying to understand / resolve is this output in my daily logs: http://pastebin.com/mxVDuNGG
if I'm initiating the connection I wouldn't think there would be problems getting back in. If they are initiating a connection, 1) why? 2) should that be something I let through? and if so how do I allow randomized destination ports, or do I set a source port allow rule?
with udp there is no such thing as a connection or session
this seems to be the return traffic that contains the answer of your dns queries
http://www.openbsd.org/faq/pf/filter.html#udpstate describes this in more detail
the strange thing is that DNS is functioning as I would expect. so I'm sure some/most requests are being answered and returned properly. I just started noticing those lines in my logs though, so I thought it was worth looking into.
could also be that this is return dns traffic that arrives after the timeout is reached
in which case it's harmless
yes you could increase the timeout in PF
default is 10 seconds
doesn't sound like it's too critical. I may just watch it and see if it keeps up.
I've found a few more pf related lines in my logs. I think I need to learn how to read this output better.
Yeay - upgraded to 8.0-release-p3
Had troubles booting the box though... maybe I was just impatient
looked like it was sitting at the freebsd boot menu
so I hard-cycled it one more time, and everything worked the second time
mine didn't seem to have any problems coming up, thankfully.
well - yeah, the smaller $20 VPS worked just fine
maybe the big 200GB disk took a bit to verify
anyway, I'm now at least protected against the latest OPIE potential attack
RandalSchwartz: haven't bothered rebooting yet.
The kernel patch bit doesn't actually affect me.
you're not using anything with logins?
opie isn't a kernel patch
the kernel patch is for the nfs fix
have you restarted the services then? so they link to the new shared lib?
my box just went crazy and I had to hard-boot it. strange.
it's already disabled for ossh, I don't use ftp so I should be safe on that front too. at least, that's my understanding.
gotta say though, I love how freebsd doesn't have a kernel patch every 30 seconds.
freebsd <3
zfs ftw
I just did some major maintenance on my webserver, and the whole time I was thinking to myself "I did a snapshot yesterday. No need to worry"
cedwards: tell that to Joyent ;)
man it is _so_ dead at work today.
three day weekend
my boss started his on Wed.
quiet here too.
"a little TOO quiet...."
is it too early to say Gary Coleman died of some sort of different stroke?
Nah, we just said that at work.
heh
so I wasn't the only one thinking it
I wonder if the press is very careful not to call it a Stroke for that reason
I doubt it. Headlines are written for pagerank
not to be clever, they're clearly trying to cash in on the highly desired "intercranial hemorrhage" search market...
"stroke 'em if you got 'em"
aw dude come on :(
we don't need to bring sexism into this
heh - looks like the tweet crowd beat me to it
"Gary Coleman used to be under 4 feet. Now he's four feet under!"
wish me luck. doing a perl5.8 -> 5.10 port upgrade on one of my jails.
hrm...
hi
hi
whee.
whee!
hrm. I thought File::Fetch was core... maybe only in 5.12 :/
never
hrm
File::Fetch was new in 5.10 ... so why doesn't my 5.10 install have it.
oh it does. ... but my shebang is /usr/bin, not /opt/csw/bin ... and /usr/bin is 5.8
ugh.
Speaking of very slowly, perl 5.8.4 was released April 23rd, 2004.
naturally, it's the default perl in the OpenSolaris dev builds...