Solved

Bind910 installation on FreeBSD

Posted on 2014-10-02
Last Modified: 2016-02-11
pkg install bind910
waits for "Updating FreeBSD repository catalogue..." about 10 minutes
and then
pkg: http://pkg.FreeBSD.org/freebsd:10:x86:64/latest/meta.txz: Operation timed out
pkg: repository FreeBSD has no meta file, using default settings

And then it failed. I'm waiting for 10 minutes and will tell you.

Update:
Okay, I finally got the response:

The following 3 packages will be affected (of 0 checked):

New packages to be INSTALLED:
      bind910: 9.10.1
      libxml2: 2.9.1_1
      idnkit: 1.0_5

The process will require 53 MB more space.
7 MB to be downloaded.

Proceed with this action? [y/N]: y
Question by:Nusrat Nuriyev
9 Comments
 

Author Comment

by:Nusrat Nuriyev
pkg: http://pkg.FreeBSD.org/freebsd:10:x86:64/latest/All/bind910-9.10.1.txz: No route to host
Why no route to host?

fetch http://pkg.FreeBSD.org/freebsd:10:x86:64/latest/All/bind910-9.10.1.txz

Also stuck.

Ok there was a problem with firewall.
 

Author Comment

by:Nusrat Nuriyev
00100 allow ip from any to any via lo0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16

What does all this stuff mean?
Can this cause a lot of problems with routing (can't ssh, rsync, pkg install, fetch, ping)?
 
LVL 76

Expert Comment

by:arnold
Please post netstat -rn output to see your routing table.
If you have public IPs on the system, masquerade the first three octets by replacing them with xxx.xxx.xxx.
These are firewall rules that deal with what type of traffic and direction is permitted/denied.
You can install using your CD/DVD as the source without the need to go out to the internet to retrieve the package. See within the config whether the DVD/CDROM is setup as a possible source.
 
LVL 61

Accepted Solution

by:gheist (earned 500 total points)
Can you check counters of those firewall rules? I doubt they ever caught any packet at all.

Author Comment

by:Nusrat Nuriyev
arnold,

root@ns2:~ # netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            74.200.120.1        UGS         0     6929   bge0
74.200.120.0/26     link#1             U           1     2347   bge0
74.200.120.42       link#1             UHS         0      230    lo0
127.0.0.1          link#3             UH          0       11    lo0

Internet6:
Destination                       Gateway                       Flags      Netif Expire
::/96                             ::1                           UGRS        lo0
::1                               link#3                        UH          lo0
::ffff:0.0.0.0/96                 ::1                           UGRS        lo0
fe80::/10                         ::1                           UGRS        lo0
fe80::%bge0/64                    link#1                        U          bge0
fe80::21c:c4ff:fec3:d472%bge0     link#1                        UHS         lo0
fe80::%lo0/64                     link#3                        U           lo0
fe80::1%lo0                       link#3                        UHS         lo0
ff01::%bge0/32                    fe80::21c:c4ff:fec3:d472%bge0 U          bge0
ff01::%lo0/32                     ::1                           U           lo0
ff02::/16                         ::1                           UGRS        lo0
ff02::%bge0/32                    fe80::21c:c4ff:fec3:d472%bge0 U          bge0
ff02::%lo0/32                     ::1                           U           lo0
 

Author Comment

by:Nusrat Nuriyev
Gheist,
when I add this rule to ns2
ipfw add allow ip from 74.200.120.41 to me dst-port 9333

I can't connect to ns2 from ns1.
when I add this rule to ns2
ipfw add allow ip from 74.200.120.41 to me

Then I can connect to ns2 from ns1.

Omitting the port makes a difference; what may be the reason?
Both sshd are configured with the port 9333 instead of 22.
 

Author Comment

by:Nusrat Nuriyev
Also, there is no packet matching the rule above; you were right.

00200    0      0 deny ip from any to 127.0.0.0/8
00200    0      0 deny ip from any to 127.0.0.0/8
00300    0      0 deny ip from 127.0.0.0/8 to any
00300    0      0 deny ip from 127.0.0.0/8 to any
00400    0      0 deny ip from any to ::1
00500    0      0 deny ip from ::1 to any
00600    0      0 allow ipv6-icmp from :: to ff02::/16
00700    0      0 allow ipv6-icmp from fe80::/10 to fe80::/10
00800    0      0 allow ipv6-icmp from fe80::/10 to ff02::/16
00900    0      0 allow ipv6-icmp from any to any ip6 icmp6types 1
01000    0      0 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
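To make the counter check gheist asked for repeatable, here is an added shell example (not from the thread and not FreeBSD's own tooling) that parses the packets/bytes columns of `ipfw -a list`, as in the listing above, and reports which rules never matched and which deny rules are actually dropping traffic. The listing it runs on is a constructed sample modelled on the one posted; rule 65000 and all counter values are assumed.

```shell
#!/bin/sh
# Added example: audit ipfw rule counters from `ipfw -a list` output.
# Column layout of that output: rule-number  packets  bytes  rule-body.
# The sample below is constructed (modelled on the thread's listing); the
# counters and rule 65000 are assumptions, not values from the original post.
SAMPLE_RULES='00100  120  9800 allow ip from any to any via lo0
00200    0     0 deny ip from any to 127.0.0.0/8
00200    0     0 deny ip from any to 127.0.0.0/8
00300    0     0 deny ip from 127.0.0.0/8 to any
00400    0     0 deny ip from any to ::1
00500    0     0 deny ip from ::1 to any
00900    0     0 allow ipv6-icmp from any to any ip6 icmp6types 1
65000   42  3000 allow ip from 74.200.120.41 to me
65535 5100 600000 deny ip from any to any'

# unmatched_rules: rule numbers whose packet counter is zero, i.e. rules that
# never caught a packet. Repeated lines (as in the posted listing) are collapsed.
unmatched_rules() {
    awk '$2 == 0 && !seen[$1]++ { print $1 }'
}

# rule_pkts RULE: packet counter of one rule (prints nothing if it is not listed).
rule_pkts() {
    awk -v r="$1" '$1 == r { print $2; exit }'
}

# dropping_rules: deny rules that did match traffic, with their packet counts.
# Rule 65535 is ipfw's built-in default rule; on a kernel that defaults to deny,
# a large counter here means traffic is dropped without any explicit rule showing it.
dropping_rules() {
    awk '$4 == "deny" && $2 > 0 && !seen[$1]++ { print $1, $2 }'
}

# Stand-alone run over the sample (on a live host: ipfw -a list | unmatched_rules).
printf 'Rules that never matched: %s\n' \
    "$(printf '%s\n' "$SAMPLE_RULES" | unmatched_rules | tr '\n' ' ')"
printf 'Packets hitting default rule 65535: %s\n' \
    "$(printf '%s\n' "$SAMPLE_RULES" | rule_pkts 65535)"
printf 'Deny rules with hits: %s\n' \
    "$(printf '%s\n' "$SAMPLE_RULES" | dropping_rules | tr '\n' ';')"
```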
 

Author Comment

by:Nusrat Nuriyev
Another question: why are some of those rules duplicated? I suppose it's because I have two physical Ethernet interfaces on the server, so the interface information was omitted while this listing was printed?
 
LVL 61

Expert Comment

by:gheist
It would be nice if you managed to start WITHOUT the firewall, make sure the new package works, then lock+log everything with the firewall and allow everything that was needed+denied.