Date:      Sun, 22 May 2005 20:10:10 GMT
From:      Aaron Dalton <acdalton@ucalgary.ca>
To:        freebsd-ports-bugs@FreeBSD.org
Subject:   Re: ports/81367: Update Port: mark as BROKEN
Message-ID:  <200505222010.j4MKAA5j048940@freefall.freebsd.org>

The following reply was made to PR ports/81367; it has been noted by GNATS.

From: Aaron Dalton <acdalton@ucalgary.ca>
To: Lupe Christoph <lupe@lupe-christoph.de>
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: ports/81367: Update Port: mark as BROKEN
Date: Sun, 22 May 2005 14:04:05 -0600

 This is a multi-part message in MIME format.
 --------------030806050202030404030103
 Content-Type: text/plain; charset=ISO-8859-1; format=flowed
 Content-Transfer-Encoding: 7bit
 
 Lupe Christoph wrote:
 > 
 > As I've already invested some time in making the daemon run on FreeBSD, I
 > would be willing to take the port. I also had problems getting replies
 > from both the original developer, Bruce Ward (one reply), and the
 > port maintainer, aaron@daltons.ca (none). Before I take on the port,
 > I would rather check back with Bruce to see if doorman is still in
 > active development.
 > 
 > Lupe Christoph
 
 Hello, Lupe.  This is Aaron Dalton, the current maintainer.  I certainly
 didn't mean to ignore you.  I sent replies to Pav (and I thought I sent
 some to you, but apparently not).  I have attached the email I just sent
 to Bruce, including all of the emails you have sent me in the past.  I
 wish I could be more help.  I'm not a C programmer and that's a
 disadvantage when a port goes awry.  Maybe I'll stick to my perl module
 ports from now on =)  You are welcome to take over if you wish.
 
 Sure appreciate your time and understanding!
 Aaron
 
 
 --------------030806050202030404030103
 Content-Type: message/rfc822;
  name="Attached Message.eml"
 Content-Transfer-Encoding: 7bit
 Content-Disposition: inline;
  filename="Attached Message.eml"
 
 Message-ID: <4290D417.4080502@daltons.ca>
 Disposition-Notification-To: Aaron Dalton <aaron@daltons.ca>
 Date: Sun, 22 May 2005 12:48:55 -0600
 From: Aaron Dalton <aaron@daltons.ca>
 User-Agent: Mozilla Thunderbird 0.8 (Windows/20040913)
 X-Accept-Language: en-us, en
 MIME-Version: 1.0
 To:  bward2@users.sourceforge.net
 Subject: FreeBSD Doorman Port
 Content-Type: multipart/mixed;
  boundary="------------070108030706090105010700"
 
 This is a multi-part message in MIME format.
 --------------070108030706090105010700
 Content-Type: text/plain; charset=ISO-8859-1; format=flowed
 Content-Transfer-Encoding: 7bit
 
 Hello again, Bruce.  Attached are the emails I have received regarding 
 Doorman and various FreeBSD issues to date.  I am submitting them to you 
 for your consideration.  Feel free to contact Lupe directly.  I am not a 
 C programmer, so I'm not quite sure what else to do with this 
 information.  I sent this stuff a while ago and haven't heard back, so 
 for now I'm going to mark the FreeBSD port as broken.
 
 Cheers!
 Aaron
 
 --------------070108030706090105010700
 Content-Type: message/rfc822;
  name="Attached Message"
 Content-Transfer-Encoding: 7bit
 Content-Disposition: inline;
  filename="Attached Message"
 
 Return-Path: <lupe@lupe-christoph.de>
 Received: from mail.finch.st ([unix socket])
 	 by mail.finch.st (Cyrus v2.2.5) with LMTPA;
 	 Sun, 13 Mar 2005 05:35:16 -0700
 X-Sieve: CMU Sieve 2.2
 Received: from [84.19.0.30] (helo=buexe.b-5.de)
 	by mail.finch.st with esmtp (Exim 4.50 (FreeBSD))
 	id 1DASJP-0003fs-Pv
 	for aaron@daltons.ca; Sun, 13 Mar 2005 05:35:16 -0700
 Received: from antalya.lupe-christoph.de (antalya.lupe-christoph.de [172.17.0.9])
 	by buexe.b-5.de (8.12.3/8.12.3/b-5/buexe-3.4) with ESMTP id j2DCaGkA030968;
 	Sun, 13 Mar 2005 13:36:17 +0100
 Received: from localhost (localhost [127.0.0.1])
 	by antalya.lupe-christoph.de (Postfix) with ESMTP id BDD27344F3;
 	Sun, 13 Mar 2005 13:36:11 +0100 (CET)
 Received: from antalya.lupe-christoph.de ([127.0.0.1])
 	by localhost (antalya [127.0.0.1]) (amavisd-new, port 10024)
 	with LMTP id 29872-01-5; Sun, 13 Mar 2005 13:36:06 +0100 (CET)
 Received: from firewally.lupe-christoph.de (firewally.lupe-christoph.de [172.17.0.7])
 	by antalya.lupe-christoph.de (Postfix) with ESMTP id A63C2344F4;
 	Sun, 13 Mar 2005 13:36:03 +0100 (CET)
 Received: by firewally.lupe-christoph.de (Postfix, from userid 100)
 	id 6FC75A812; Sun, 13 Mar 2005 13:36:03 +0100 (CET)
 To: FreeBSD-gnats-submit@freebsd.org
 Subject: Lexer collision with pcap library
 From: Lupe Christoph <lupe@lupe-christoph.de>
 Reply-To: Lupe Christoph <lupe@lupe-christoph.de>
 Cc: aaron@daltons.ca, bward2@users.sourceforge.net
 X-send-pr-version: 3.113
 X-GNATS-Notify: 
 Message-Id: <20050313123603.6FC75A812@firewally.lupe-christoph.de>
 Date: Sun, 13 Mar 2005 13:36:03 +0100 (CET)
 X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at lupe-christoph.de
 
 
 >Submitter-Id:	current-users
 >Originator:	Lupe Christoph
 >Organization:	
 >Confidential:	no 
 >Synopsis:	Lexer collision with pcap library
 >Severity:	serious
 >Priority:	medium
 >Category:	ports
 >Class:		sw-bug
 >Release:	FreeBSD 4.10-RELEASE-p5 i386
 >Environment:
 System: FreeBSD firewally.lupe-christoph.de 4.10-RELEASE-p5 FreeBSD 4.10-RELEASE-p5 #2: Sat Dec 11 17:38:51 CET 2004 lupe@firewally.lupe-christoph.de:/usr/obj/usr/src/sys/FIREWALLY i386
 
 
 	FreeBSD 4.10-RELEASE-p5
 >Description:
 	doormand fails with the message
 		emerg: Bad service name "port" on line 17 of guest list phase 3;  portnumber or secret  9876
 	This message is generated in pcap_compile which seems to use doorman's
 	guestfile lexer to scan "udp and port 9876 and dst 172.17.0.7"
 >How-To-Repeat:
 	Install doorman, copy EXAMPLE files to the real files,
 	run "doormand -D"
 >Fix:
 	Hide the doorman lexer. This can be done with the flex "-P" option,
 	but that changes yywrap(), too. Flex allows one to work around this
 	by adding %option noyywrap. Note that e.g. Solaris' lex does not have
 	-P. In the long run I believe the pcap library should implement this
 	rather than every program using it.
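
The collision Lupe describes (doorman's flex-generated guestfile lexer and the lexer inside the base libpcap both exporting the same `yy*` symbols, so `pcap_compile()` ends up calling the wrong `yylex`) can be confirmed before the binary is ever run by listing which link inputs define the same global text symbols. The following is an added example and not part of the PR or the doorman sources: a POSIX sh/awk filter over `nm -A` output. The object names (`doormand.o`, `guestfile_lex.o`, the `libpcap.a` members) and the nm lines fed to it are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: detect global text symbols defined by more than one link
# input, the condition behind the doorman/libpcap lexer collision. Not part
# of the doorman distribution or the PR; all object names are constructed.

# Reads `nm -A` output ("file:addr T sym", or "archive:member:addr T sym"
# for static libraries) from the file named in $1 and prints one line per
# symbol that has a global text (T) definition in two or more inputs:
#   symbol<TAB>comma-separated list of definers
duplicate_text_symbols() {
    awk '
        # With -A, nm prefixes every line with "file:"; the address follows
        # the last colon directly, so strip ":<hex>" from field 1 to get the
        # defining object (archive members keep their "archive:member" form).
        $(NF-1) == "T" {
            sym = $NF
            file = $1
            sub(/:[0-9a-fA-F]*$/, "", file)
            if (!seen[sym, file]++) {
                defs[sym] = defs[sym] (count[sym] ? "," : "") file
                count[sym]++
            }
        }
        END {
            for (s in count)
                if (count[s] > 1) printf "%s\t%s\n", s, defs[s]
        }' "$1" | sort
}

# Constructed nm -A output standing in for
#   nm -A doormand.o guestfile_lex.o /usr/lib/libpcap.a
# on a FreeBSD 4 system: the program's flex lexer and libpcap's scanner
# both define yylex and yywrap, while pcap_compile is defined only once.
write_sample_nm_output() {   # $1 = destination file
    cat > "$1" <<'EOF'
doormand.o:0000000000000120 T main
doormand.o:                 U pcap_compile
doormand.o:                 U yylex
guestfile_lex.o:0000000000001a40 T yylex
guestfile_lex.o:0000000000001f00 T yywrap
libpcap.a:scanner.o:0000000000000000 T yylex
libpcap.a:scanner.o:0000000000000a00 T yywrap
libpcap.a:grammar.o:0000000000000000 T yyparse
libpcap.a:gencode.o:0000000000000000 T pcap_compile
EOF
}

# Stand-alone run: write the constructed sample and report collisions.
tmp=$(mktemp)
write_sample_nm_output "$tmp"
duplicate_text_symbols "$tmp"
rm -f "$tmp"
```

On the constructed input the filter reports `yylex` and `yywrap` as defined by both `guestfile_lex.o` and `libpcap.a:scanner.o`, which is exactly the situation in which the static linker resolves libpcap's internal call to the program's lexer. After the fix Lupe outlines (flex `-P`, or equivalently `%option prefix="..."` in the `.l` file, together with `%option noyywrap`) the program's symbols carry the prefix and the report comes back empty; linking against the newer ports libpcap, which the later mail says also removes the collision, has the same effect on this check.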
 
 --------------070108030706090105010700
 Content-Type: message/rfc822;
  name="Attached Message"
 Content-Transfer-Encoding: 7bit
 Content-Disposition: inline;
  filename="Attached Message"
 
 Return-Path: <lupe@lupe-christoph.de>
 Received: from mail.finch.st ([unix socket])
 	 by mail.finch.st (Cyrus v2.2.5) with LMTPA;
 	 Sun, 13 Mar 2005 05:45:07 -0700
 X-Sieve: CMU Sieve 2.2
 Received: from [84.19.0.30] (helo=buexe.b-5.de)
 	by mail.finch.st with esmtp (Exim 4.50 (FreeBSD))
 	id 1DASSw-0003gT-40
 	for aaron@daltons.ca; Sun, 13 Mar 2005 05:45:06 -0700
 Received: from antalya.lupe-christoph.de (antalya.lupe-christoph.de [172.17.0.9])
 	by buexe.b-5.de (8.12.3/8.12.3/b-5/buexe-3.4) with ESMTP id j2DCk8kA031098;
 	Sun, 13 Mar 2005 13:46:08 +0100
 Received: from localhost (localhost [127.0.0.1])
 	by antalya.lupe-christoph.de (Postfix) with ESMTP id 90BDB344F2;
 	Sun, 13 Mar 2005 13:46:03 +0100 (CET)
 Received: from antalya.lupe-christoph.de ([127.0.0.1])
 	by localhost (antalya [127.0.0.1]) (amavisd-new, port 10024)
 	with LMTP id 30807-02; Sun, 13 Mar 2005 13:45:59 +0100 (CET)
 Received: by antalya.lupe-christoph.de (Postfix, from userid 1000)
 	id 76D28344F3; Sun, 13 Mar 2005 13:45:59 +0100 (CET)
 Date: Sun, 13 Mar 2005 13:45:59 +0100
 To: aaron@daltons.ca, bward2@users.sourceforge.net
 Subject: Further problems with doorman on FreeBSD
 Message-ID: <20050313124559.GO25969@lupe-christoph.de>
 Mime-Version: 1.0
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: inline
 User-Agent: Mutt/1.5.6+20040907i
 From: lupe@lupe-christoph.de (Lupe Christoph)
 X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at lupe-christoph.de
 
 Hi!
 
 I'm sorry to report that even after solving some problems with doorman
 on FreeBSD, I did not get it to run. It starts up OK, and I traced it
 with gdb until pcap_next() is called. There it hangs and does not get
 the packets I send from another machine on my local net.
 
 I have run tcpdump on the same interface with the same filter expression
 ("udp and port 9876 and dst 172.17.0.7") and it sees the packet:
 
 13:44:51.012326 172.17.0.9.56416 > 172.17.0.7.9876: udp 53 (DF)
 
 I've never used the pcap library, and everything looks plausible to me.
 
 Please advise,
 Lupe Christoph
 -- 
 | lupe@lupe-christoph.de       |           http://www.lupe-christoph.de/ |
 | Ask not what your computer can do for you                              |
 | ask what you can do for your computer.                                 |
 
 --------------070108030706090105010700
 Content-Type: message/rfc822;
  name="Attached Message"
 Content-Transfer-Encoding: 7bit
 Content-Disposition: inline;
  filename="Attached Message"
 
 Return-Path: <lupe@lupe-christoph.de>
 Received: from mail.finch.st ([unix socket])
 	 by mail.finch.st (Cyrus v2.2.5) with LMTPA;
 	 Wed, 16 Mar 2005 06:59:23 -0700
 X-Sieve: CMU Sieve 2.2
 Received: from [84.19.0.30] (helo=buexe.b-5.de)
 	by mail.finch.st with esmtp (Exim 4.50 (FreeBSD))
 	id 1DBZ3S-000HGx-3X
 	for aaron@daltons.ca; Wed, 16 Mar 2005 06:59:22 -0700
 Received: from antalya.lupe-christoph.de (antalya.lupe-christoph.de [172.17.0.9])
 	by buexe.b-5.de (8.12.3/8.12.3/b-5/buexe-3.4) with ESMTP id j2GE0nkA005498;
 	Wed, 16 Mar 2005 15:00:50 +0100
 Received: from localhost (localhost [127.0.0.1])
 	by antalya.lupe-christoph.de (Postfix) with ESMTP id 72FA8344F2;
 	Wed, 16 Mar 2005 15:00:44 +0100 (CET)
 Received: from antalya.lupe-christoph.de ([127.0.0.1])
 	by localhost (antalya [127.0.0.1]) (amavisd-new, port 10024)
 	with LMTP id 17055-01-2; Wed, 16 Mar 2005 15:00:31 +0100 (CET)
 Received: by antalya.lupe-christoph.de (Postfix, from userid 1000)
 	id CE04F344F3; Wed, 16 Mar 2005 15:00:31 +0100 (CET)
 Date: Wed, 16 Mar 2005 15:00:31 +0100
 From: Lupe Christoph <lupe@lupe-christoph.de>
 To: Bruce Ward <bward@nbnet.nb.ca>
 Cc: Aaron Dalton <aaron@daltons.ca>
 Subject: Re: Further problems with doorman on FreeBSD
 Message-ID: <20050316140031.GF26010@lupe-christoph.de>
 References: <20050313124559.GO25969@lupe-christoph.de> <200503152013.47257.bward@nbnet.nb.ca> <20050316065357.GV25969@lupe-christoph.de>
 Mime-Version: 1.0
 Content-Type: multipart/mixed; boundary="Qbvjkv9qwOGw/5Fx"
 Content-Disposition: inline
 In-Reply-To: <20050316065357.GV25969@lupe-christoph.de>
 User-Agent: Mutt/1.5.6+20040907i
 X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at lupe-christoph.de
 
 
 --Qbvjkv9qwOGw/5Fx
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: inline
 
 On Wednesday, 2005-03-16 at 07:53:57 +0100, Lupe Christoph wrote:
 
 > I will send you a fixed doormand.c and my fixed IPFilter scripts later
 > today, along with some comments. I still need to write an rc script to
 > control doormand.
 
 Attached you will find a patch for doormand.c, IPFilter scripts that
 insert rules into the standard ruleset and remove from it, and a start
 script. Please note that it has been written for rcNG, so it needs the
 sysutils/rc_subr port on FreeBSD 4. On FreeBSD 5, the port is not
 needed. I think it should only go in the doorman port, not the
 distribution. Aaron, can you please integrate it?
 
 doorman requires a newer version of libpcap than the one that is in
 /usr/lib on FreeBSD 4, so I would like to ask Aaron to add a dependency
 for /usr/local/lib/libpcap.a on FreeBSD 4. This also fixes the problem
 that the pcap lexer collides with doorman's.
 
 I would like to comment on a couple of my changes to doormand. All of
 them are ifdef'ed for __FreeBSD__. Most of the changes are genuine
 portability changes. A few things need explanations, I believe.
 
 1) Please remove all C++-style comment delimiters. A non-gcc compiler
    will probably complain about them.
 
 2) Please use a regular expression to parse the lsof output, or even
    better, don't use lsof at all but netstat.
 
 3) I had to change the timeout value from the default 0 which means an
    indefinite wait on FreeBSD to a non-zero value. This changes the
    behaviour of doorman to polling. Not very nice. And I'm beginning to
    think that the value of 1000 (1 second) is too high. 100 is probably
    better.
 
    Changing doorman to use pcap_dispatch() or pcap_loop() would probably
    be better. I wanted to avoid a large change in the program logic like
    this.
 
 4) I wanted to use stateful filtering with IPFilter but didn't get it
    to work with the scripts. It works when I twiddle the rules manually.
    I may try again to rewrite the scripts to support this, but only if
    you think this is a good idea. After all this means that doorman does
    not need to watch the established connection. It can remove the rule
    just after the connection has been established.
 
 And finally, a question. I did not implement locking in the scripts. The
 doorman daemon does not seem to do anything concurrently, but what if
 you have two or more daemons running on different interfaces or ports?
 Do you think locking should go into doormand or into the scripts?
 
 Thanks for the doorman, it will allow me to make access to a few
 machines safer or possible at all!
 
 Lupe Christoph
 
 
 -- 
 | lupe@lupe-christoph.de       |           http://www.lupe-christoph.de/ |
 | Ask not what your computer can do for you                              |
 | ask what you can do for your computer.                                 |
 
 --Qbvjkv9qwOGw/5Fx
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: attachment; filename="doormand.patch"
 
 --- Work/doorman-0.8.orig/doormand.c	Thu Jul 29 21:24:02 2004
 +++ work/doorman-0.8/doormand.c	Tue Mar 15 17:18:09 2005
 @@ -397,7 +397,11 @@
      int datalink_header_lengths[] = {
      //    hdr len      code      data link type
      //    -------      --- ---------------------------
 +#ifdef __FreeBSD__
 +             4,    //   0  no link-layer encapsulation
 +#else
               0,    //   0  no link-layer encapsulation
 +#endif
              14,    //   1  Ethernet (10Mb)
              -1,    //   2  Experimental Ethernet (3Mb)
              -1,    //   3  Amateur Radio AX.25
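 Review bot: the FreeBSD branch changes the entry for data link type 0 from 0 to 4 but keeps the comment "no link-layer encapsulation", so the two branches now describe different numbers with identical text. On BSD systems DLT_NULL frames begin with a 4-byte address-family word, which is what the 4 accounts for; say so in the comment (e.g. `4,    //   0  DLT_NULL: 4-byte AF header on BSD`) so the next reader does not take the value for a typo.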
 @@ -557,6 +561,14 @@
  // more readable.
  //
  
 +/*
 +// lsof on FreeBSD produces one more field.
 +// This should be rewritten to use a regular expression, anyway.
 +//
 +// And who said using C++ style comments in C was good for portability?!?
 +*/
 +
 +#ifdef __FreeBSD__
  #define LSOF()\
  sprintf (cmd, "lsof -Pn -iTCP@%s:%s", interface_ip_str, dport_string) ;\
  \
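 Review bot: `#ifdef __FreeBSD__` ties the parse to the operating system, although what the code depends on is the column layout of whatever lsof is installed at run time, which a compile-time OS test cannot see; the block comment already concedes the parser should use a regular expression, so at minimum read the header line that `fgets()` throws away and locate the NAME column from it instead of counting fields. The `/* // ... */` comment form is fine, but the remark about C++ comments belongs in the cover note rather than in the source.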
 @@ -578,6 +590,7 @@
      if ((p1 = token (&p2, " ")) == NULL) continue ;\
      if ((p1 = token (&p2, " ")) == NULL) continue ;\
      if ((p1 = token (&p2, " ")) == NULL) continue ;\
 +    if ((p1 = token (&p2, " ")) == NULL) continue ;\
      if ((p1 = token (&p2, " :")) == NULL) continue ;\
      local_ip = inet_addr(p1) ;\
      if ((p1 = token (&p2, "-")) == NULL) continue ;\
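 Review bot: the added `token()` call skips one more column silently in the middle of nine identical lines; a trailing comment naming the column being discarded (the comment above says only "one more field") would keep the count auditable when lsof output changes again.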
 @@ -602,7 +615,53 @@
      }\
  }\
  pclose(f) ;
 -
 +#else
 +#define LSOF()\
 +sprintf (cmd, "lsof -Pn -iTCP@%s:%s", interface_ip_str, dport_string) ;\
 +\
 +f = popen (cmd, "r") ;\
 +if (f == NULL) {\
 +    croak (errno, "Can't execute '%s'; exiting.", cmd) ;\
 +}\
 +\
 +fgets(buffer, 254, f) ;   /* throw away the first line. */ \
 +while (fgets(buffer, 254, f)) {\
 +    p2 = buffer ;\
 +    if ((p1 = token (&p2, " ")) == NULL) continue ;\
 +    dname = p1 ;\
 +    if ((p1 = token (&p2, " ")) == NULL) continue ;\
 +    pid = p1 ;\
 +    if ((p1 = token (&p2, " ")) == NULL) continue ;\
 +    uname = p1 ;\
 +    if ((p1 = token (&p2, " ")) == NULL) continue ;\
 +    if ((p1 = token (&p2, " ")) == NULL) continue ;\
 +    if ((p1 = token (&p2, " ")) == NULL) continue ;\
 +    if ((p1 = token (&p2, " ")) == NULL) continue ;\
 +    if ((p1 = token (&p2, " :")) == NULL) continue ;\
 +    local_ip = inet_addr(p1) ;\
 +    if ((p1 = token (&p2, "-")) == NULL) continue ;\
 +    local_port = atoi(p1) ;\
 +    if ((p1 = token (&p2, "->:")) == NULL) continue ;\
 +    aptr = p1 ;\
 +    remote_ip = inet_addr(p1) ;\
 +    if ((p1 = token (&p2, " ")) == NULL) continue ;\
 +    pptr = p1 ;\
 +    remote_port = atoi(p1) ;\
 +    if ((p1 = token (&p2, " ()")) == NULL) continue ;\
 +    status = p1 ;\
 +\
 +    if ((saddr == remote_ip) &&\
 +        (daddr == local_ip) &&\
 +        (sport == remote_port) &&\
 +        (dport == local_port) && \
 +        (strcmp(status, "ESTABLISHED") == 0))\
 +    {\
 +        connected = TRUE ;\
 +        break ;\
 +    }\
 +}\
 +pclose(f) ;
 +#endif
  
  
  
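 Review bot: the `#else` branch duplicates the entire LSOF() macro only to omit one `token()` call, so every future fix has to be made twice; one definition with `#ifdef __FreeBSD__` around the extra line keeps the two platforms in step. While here, `sprintf (cmd, "lsof -Pn -iTCP@%s:%s", ...)` is unbounded whereas the pcap filter a few hunks later uses `snprintf (cmd, 254, ...)`; use the bounded form in both places, and check the return of the first `fgets(buffer, 254, f)` rather than discarding it, since an empty lsof run then leaves `buffer` unchanged.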
 @@ -647,7 +706,11 @@
      snprintf (cmd, 254, "tcp and dst port %s and src %s and dst %s",
                dport_string, src_addr, interface_ip_str) ;
      DEBUG "open a secondary pcap: '%s'", cmd) ;
 +#ifdef __FreeBSD__
 +    hdr_len = open_a_pcap (device, 1000, &cap, cmd) ;
 +#else
      hdr_len = open_a_pcap (device, 0, &cap, cmd) ;
 +#endif
  
      // set broad firewall rule
      sprintf (G_fw_broad_rule, " %s %s 0 %s %s",
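 Review bot: the read timeout 1000 is a magic number that also appears at the second `open_a_pcap()` call for the `udp and port %d` capture, and the cover note already says it may need to become 100; make it a named constant such as `#define PCAP_READ_TIMEOUT_MS 1000` so it is tuned in one place and its unit is recorded. A one-line comment that 0 means an indefinite wait on FreeBSD, which is why the platforms differ here, would save the next reader the trip to the mailing list.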
 @@ -659,7 +722,22 @@
  
      for (;;) {
  
 +#ifdef __FreeBSD__
 +	{
 +	    int ret = 0;
 +	    struct pcap_pkthdr * packet_hdr_p;
 +
 +	    while (ret == 0) {
 +		ret = pcap_next_ex (cap, &packet_hdr_p, (const u_char **)&p) ;
 +		packet_hdr = *packet_hdr_p;
 +		if (ret < 0) {
 +		    p = NULL;
 +		}
 +	    }
 +	}
 +#else
          p = (unsigned char*)pcap_next (cap, &packet_hdr) ;
 +#endif
          if (p == NULL) {
              WARNX "manage_firewall got null from 'pcap_next'. Exiting.") ;
              exit (1) ;
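 Review bot: `packet_hdr = *packet_hdr_p;` dereferences the header pointer before `ret` is examined, and `packet_hdr_p` is declared without an initializer; `pcap_next_ex()` only guarantees that pointer is valid when it returns 1, so on a timeout (0) or an error (-1/-2) this copies from an unset pointer. Move the copy under `if (ret == 1)` and break out on `ret < 0` directly instead of relying on `p` being NULL afterwards. The `while (ret == 0)` loop also turns the 1000 ms timeout into one wake-up per second with nothing to do; `pcap_dispatch()` with a callback, which the cover note mentions, removes both the polling and the pointer juggling. The WARNX text still says 'pcap_next'.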
 @@ -1222,9 +1300,13 @@
          croak (errno, "Can't get interface address of %s", device) ;
      }
  
 +#ifdef __FreeBSD__
 +    hdr_len = open_a_pcap (device, 1000, &G_cap, "udp and port %d and dst %s",
 +                           port, interface_ip) ;
 +#else
      hdr_len = open_a_pcap (device, 0, &G_cap, "udp and port %d and dst %s",
                             port, interface_ip) ;
 -
 +#endif
      if (G_reconfigure) {
          G_reconfigure = FALSE ;
          NOTICE "reconfigured.") ;
 @@ -1252,7 +1334,22 @@
          char            src_addr_buff[16] ;
  
          errno = 0 ;
 +#ifdef __FreeBSD__
 +	{
 +	    int ret = 0;
 +	    struct pcap_pkthdr * packet_hdr_p;
 +
 +	    while (ret == 0) {
 +		ret = pcap_next_ex (G_cap, &packet_hdr_p, (const u_char **)&p) ;
 +		packet_hdr = *packet_hdr_p;
 +		if (ret < 0) {
 +		    p = NULL;
 +		}
 +	    }
 +	}
 +#else
          p = (unsigned char *)pcap_next (G_cap, &packet_hdr) ;
 +#endif
          if (G_reconfigure) {
              if (daemonize) err_closelog() ;
              goto reconfigure ;
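 Review bot: this is the same 13-line polling block as in the manage_firewall hunk with only the capture handle changed; factor it into a helper such as `static const u_char *next_packet(pcap_t *cap, struct pcap_pkthdr *hdr)` that copies `*packet_hdr_p` only when `pcap_next_ex()` returned 1 and returns NULL otherwise, so the dereference-before-check problem is fixed once and the two loops cannot drift apart.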
 
 --Qbvjkv9qwOGw/5Fx
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: attachment; filename="ipf_add.insert"
 
 #!/bin/sh
 #
 # *********************************************************************
 # This script is used with IPFilter if the ruleset (/etc/ipf.rules)
 # contains a drop rule that interferes with doorman because rules can
 # only be added at the end, i.e. after the drop rule.
 #
 # The script will insert its rule before a line containing the string
 # @@@Insert doorman rule here@@@
 #
 # Note that it does not use locking, so concurrent accesses may
 # interfere with each other.
 # *********************************************************************
 #
 #  file "ipf_add"
 #  IPFilter add script, called by "doormand". 
 #  This adds a "pass in quick" rule to the firewall.
 #
 #  Called with five arguments:
 #
 # $1 : name of the interface (e.g. ne0)
 # $2 : source IP; i.e. dotted-decimal address of the 'knock' client
 # $3 : source port; when this script is called for the first time
 #      for a connection (man 8 doormand), this argument will be set
 #      to a single "0" (0x30) character.  This means that the source
 #      port is not yet known, and a broad rule allowing any source
 #      port is required.
 # $4 : destination IP; that is, the IP address of the interface 
 #      in argument 1.
 # $5 : The port number of the requested service (e.g. 22 for ssh, etc.)
 #
 
 BEGINTAG='@@@doorman rules begin@@@'
 ENDTAG='@@@doorman rules end@@@'
 INSERTTAG='@@@Insert doorman rule here@@@'
 
 # We use kept state for this, so we ignore the invocation with
 # a specific source port.
 
 if [ "$3" = 0 ]; then
      inrule="pass in  quick on $1 proto TCP from $2           to $4 port = $5"
     outrule="pass out quick on $1 proto TCP from $4 port = $5 to $2"
 else
      inrule="pass in  quick on $1 proto TCP from $2 port = $3 to $4 port = $5"
     outrule="pass out quick on $1 proto TCP from $4 port = $5 to $2 port = $3"
 fi
 
 #
 # acquire lock (not implemented)
 #
 
 # Write the edited ruleset to a temporary file and rename it into place,
 # so /etc/ipf.rules.doorman is never missing or half-written.
 NEWFILE=/etc/ipf.rules.doorman.new
 if [ -f /etc/ipf.rules.doorman ]; then
     # Add another rule pair before the end marker of the doorman block
     sed -e "/$ENDTAG/i\\
 $inrule\\
 $outrule" /etc/ipf.rules.doorman > $NEWFILE
 else
     # Create /etc/ipf.rules.doorman from the base ruleset, replacing the
     # placeholder line with the doorman block
     sed -e "/$INSERTTAG/c\\
 # $BEGINTAG\\
 $inrule\\
 $outrule\\
 # $ENDTAG" /etc/ipf.rules > $NEWFILE
 fi
 mv $NEWFILE /etc/ipf.rules.doorman
 
 # Activate the edited ruleset
 ret=`/sbin/ipf -Fa -I -f /etc/ipf.rules.doorman 2>&1`
 
 #
 # release lock (not implemented)
 #
 
 if [ -z "$ret" ]; then
     /sbin/ipf -s > /dev/null 2>&1
     echo 0
 else
     echo -1 3 $ret
 fi
 
 --Qbvjkv9qwOGw/5Fx
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: attachment; filename="ipf_delete.remove"
 
 #!/bin/sh
 #
 # *********************************************************************
 # This script is used with IPFilter if the ruleset (/etc/ipf.rules)
 # contains a drop rule that interferes with doorman because rules can
 # only be added at the end, i.e. after the drop rule.
 #
 # The script will delete its rule from the intermediate file
 # /etc/ipf.rules.doorman. If no lines are left between the markers
 # @@@doorman rules begin@@@ and @@@doorman rules end@@@, the
 # intermediate file is deleted and the original ruleset is reloaded.
 #
 # Note that it does not use locking, so concurrent accesses may
 # interfere with each other.
 # *********************************************************************
 #
 #  file "ipf_delete"
 #  IPFilter delete script, called by "doormand". 
 #  This deletes a "pass in quick" rule from the firewall.
 #
 #  Called with five arguments:
 #
 # $1 : name of the interface (e.g. ne0)
 # $2 : source IP; i.e. dotted-decimal address of the 'knock' client
 # $3 : source port; when this script is called for the first time
 #      for a connection (man 8 doormand), this argument will be set
 #      to a single "0" (0x30) character.  This means that the source
 #      port is not yet known, and a broad rule allowing any source
 #      port is required.
 # $4 : destination IP; that is, the IP address of the interface 
 #      in argument 1.
 # $5 : The port number of the requested service (e.g. 22 for ssh, etc.)
 #
 
 BEGINTAG='@@@doorman rules begin@@@'
 ENDTAG='@@@doorman rules end@@@'
 
 # We use kept state for this, so we ignore the invocation with
 # a specific source port.
 
 if [ "$3" = 0 ]; then
      inrule="pass in  quick on $1 proto TCP from $2           to $4 port = $5"
     outrule="pass out quick on $1 proto TCP from $4 port = $5 to $2"
 else
      inrule="pass in  quick on $1 proto TCP from $2 port = $3 to $4 port = $5"
     outrule="pass out quick on $1 proto TCP from $4 port = $5 to $2 port = $3"
 fi
 
 #
 # acquire lock (not implemented)
 #
 
 if [ ! -f /etc/ipf.rules.doorman ]; then
     # Huh? How come?
     echo -1 3 /etc/ipf.rules.doorman missing
     exit
 fi
 
 # Drop exactly the two lines ipf_add inserted; write to a temporary file
 # and rename it into place so the doorman ruleset is never half-written.
 NEWFILE=/etc/ipf.rules.doorman.new
 sed -e "/^$inrule\$/d" -e "/^$outrule\$/d" /etc/ipf.rules.doorman > $NEWFILE
 
 # Count the lines from the begin marker to the end marker inclusive;
 # two means only the markers themselves are left.
 if [ `sed -n -e "/$BEGINTAG/,/$ENDTAG/p" $NEWFILE | wc -l` -le 2 ]; then
     # No rules left
     rm $NEWFILE /etc/ipf.rules.doorman
     FILE=/etc/ipf.rules
 else
     mv $NEWFILE /etc/ipf.rules.doorman
     FILE=/etc/ipf.rules.doorman
 fi
 
 # Activate the edited ruleset
 ret=`/sbin/ipf -Fa -I -f $FILE 2>&1`
 
 #
 # release lock (not implemented)
 #
 
 if [ -z "$ret" ]; then
     /sbin/ipf -s > /dev/null 2>&1
     echo 0
 else
     echo -1 3 $ret
 fi
 
 --Qbvjkv9qwOGw/5Fx
 Content-Type: application/x-sh
 Content-Disposition: attachment; filename="doorman.sh"
 Content-Transfer-Encoding: quoted-printable
 
 #!/bin/sh
 #
 
 # PROVIDE: doorman
 # REQUIRE: LOGIN
 # KEYWORD: FreeBSD
 
 #
 # Add the following lines to /etc/rc.conf to enable doorman:
 # doorman_enable (bool):      Set to "NO" by default.
 #                             Set it to "YES" to enable doorman
 # doorman_config (path):      Set to "/usr/local/etc/doormand/doormand.cf" by default.
 #
 
 if [ -f /etc/rc.subr ]; then
   . /etc/rc.subr
 elif [ -f /usr/local/etc/rc.subr ]; then
   . /usr/local/etc/rc.subr
 else
   exit 1
 fi
 
 name="doorman"
 rcvar=`set_rcvar`
 
 [ -z "$doorman_enable" ] && doorman_enable="NO"
 [ -z "$doorman_config" ] && doorman_config="/usr/local/etc/doormand/doormand.cf"
 
 command=/usr/local/sbin/doormand
 pidfile=/var/run/doormand.pid
 command_args="-p $pidfile -f $doorman_config"
 
 load_rc_config $name
 run_rc_command "$1"
 --Qbvjkv9qwOGw/5Fx--
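
Lupe's scripts above mark locking as "not implemented" and ask whether it belongs in doormand or in the scripts, and they rebuild /etc/ipf.rules.doorman by moving the live file aside first. The following is an added example, not part of Lupe's attachment or of the doorman port: the same insert and delete edits done under an mkdir(2)-based lock with rename-into-place, so two doormand instances on different interfaces cannot interleave their edits and an interrupted run never leaves the doorman rule file missing (which would make the next ipf_delete report it as "missing" and the next ipf_add rebuild it from the base ruleset, silently dropping every other open rule). The rule text and marker strings are copied from the scripts so deletes match literally; file names and the lock directory are parameters, and the sample ruleset in `demo` is constructed. Loading the result into ipf is left to the caller exactly as the scripts do it.

```shell
#!/bin/sh
# Added example, not part of Lupe's ipf_add/ipf_delete scripts or of the
# doorman port: rule-file edits under an mkdir(2) lock with rename-into-
# place. Paths are parameters; the ruleset used in demo() is constructed.

BEGINTAG='@@@doorman rules begin@@@'
ENDTAG='@@@doorman rules end@@@'
INSERTTAG='@@@Insert doorman rule here@@@'

# mkdir(2) either creates the directory or fails, atomically, so whoever
# succeeds holds the lock. $1 = lock directory, $2 = attempts (one per second).
lock_acquire() {
    _tries=0
    until mkdir "$1" 2>/dev/null; do
        _tries=$((_tries + 1))
        if [ "$_tries" -ge "$2" ]; then return 1; fi
        sleep 1
    done
    return 0
}

lock_release() {   # $1 = lock directory
    rmdir "$1"
}

# Run a command while holding the lock; release it whatever the command returns.
with_lock() {   # $1 = lock directory, $2.. = command and arguments
    _lock=$1; shift
    lock_acquire "$_lock" 5 || return 1
    "$@"; _rc=$?
    lock_release "$_lock"
    return $_rc
}

# Same rule text as the doorman scripts (source port 0 yields the broad rule),
# so that delete_rules can match the lines literally. Results land in
# $inrule and $outrule.
# $1 iface  $2 source IP  $3 source port or 0  $4 interface IP  $5 service port
build_rules() {
    if [ "$3" = 0 ]; then
         inrule="pass in  quick on $1 proto TCP from $2           to $4 port = $5"
        outrule="pass out quick on $1 proto TCP from $4 port = $5 to $2"
    else
         inrule="pass in  quick on $1 proto TCP from $2 port = $3 to $4 port = $5"
        outrule="pass out quick on $1 proto TCP from $4 port = $5 to $2 port = $3"
    fi
}

# Write the edited ruleset to a temp file beside the target and rename it over
# the target: readers see the old file or the new one, never neither.
# $1 base ruleset  $2 doorman ruleset  $3 inrule  $4 outrule
add_rules() {
    _tmp="$2.tmp.$$"
    if [ -f "$2" ]; then
        # Another pair: insert before the end marker of the doorman block.
        awk -v etag="# $ENDTAG" -v a="$3" -v b="$4" \
            '$0 == etag { print a; print b } { print }' "$2" > "$_tmp" || return 1
    else
        # First pair: replace the placeholder line in the base ruleset.
        awk -v mark="$INSERTTAG" -v btag="# $BEGINTAG" -v etag="# $ENDTAG" \
            -v a="$3" -v b="$4" \
            'index($0, mark) { print btag; print a; print b; print etag; next }
             { print }' "$1" > "$_tmp" || return 1
    fi
    mv "$_tmp" "$2"
}

# Remove one pair; when only the markers remain, drop the doorman file.
# Prints the ruleset the caller should now load (doorman file or base file).
# $1 base ruleset  $2 doorman ruleset  $3 inrule  $4 outrule
delete_rules() {
    if [ ! -f "$2" ]; then echo "$1"; return 1; fi
    _tmp="$2.tmp.$$"
    awk -v a="$3" -v b="$4" '$0 != a && $0 != b' "$2" > "$_tmp" || return 1
    # Lines from begin marker to end marker inclusive; 2 means no rules left.
    _n=$(awk -v btag="# $BEGINTAG" -v etag="# $ENDTAG" \
        '$0 == btag { inblk = 1 } inblk { n++ } $0 == etag { inblk = 0 }
         END { print n + 0 }' "$_tmp")
    if [ "$_n" -le 2 ]; then
        rm -f "$_tmp" "$2"
        echo "$1"
    else
        mv "$_tmp" "$2"
        echo "$2"
    fi
}

# Demonstration on a constructed ruleset in a scratch directory; no ipf call.
demo() {
    _d=$(mktemp -d)
    printf '%s\n' 'pass in quick on lo0 all' "# $INSERTTAG" 'block in all' > "$_d/ipf.rules"
    build_rules em0 10.0.0.5 0 10.0.0.1 22
    with_lock "$_d/lock" add_rules "$_d/ipf.rules" "$_d/ipf.rules.doorman" "$inrule" "$outrule"
    cat "$_d/ipf.rules.doorman"
    rm -rf "$_d"
}
demo
```

A script in the shape doormand expects would call `build_rules "$@"`, then `with_lock /var/run/doorman.lock add_rules ...` (or `delete_rules`), run `/sbin/ipf -Fa -I -f` on the resulting file and print `0` or `-1 3 <message>` as the originals do. Putting the lock in the scripts rather than in doormand answers Lupe's question for the multi-daemon case too: any number of daemons on different interfaces or ports share the one lock directory, and a daemon that dies mid-edit leaves at worst a stale directory to remove, not a missing ruleset.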
 
 --------------070108030706090105010700
 Content-Type: message/rfc822;
  name="Attached Message"
 Content-Transfer-Encoding: 7bit
 Content-Disposition: inline;
  filename="Attached Message"
 
 Return-Path: <pav@FreeBSD.org>
 Received: from mail.finch.st ([unix socket])
 	 by mail.finch.st (Cyrus v2.2.5) with LMTPA;
 	 Wed, 16 Mar 2005 14:44:21 -0700
 X-Sieve: CMU Sieve 2.2
 Received: from [212.27.205.50] (helo=hood.oook.cz)
 	by mail.finch.st with esmtp (Exim 4.50 (FreeBSD))
 	id 1DBgJQ-000HlX-ER
 	for aaron@daltons.ca; Wed, 16 Mar 2005 14:44:21 -0700
 Received: from hood.oook.cz (localhost.oook.cz [127.0.0.1])
 	by hood.oook.cz (8.13.3/8.13.3) with ESMTP id j2GLjpO2087871
 	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
 	Wed, 16 Mar 2005 22:45:51 +0100 (CET)
 	(envelope-from pav@FreeBSD.org)
 Received: (from pav@localhost)
 	by hood.oook.cz (8.13.3/8.13.3/Submit) id j2GLjpwV087870;
 	Wed, 16 Mar 2005 22:45:51 +0100 (CET)
 	(envelope-from pav@FreeBSD.org)
 X-Authentication-Warning: hood.oook.cz: pav set sender to pav@FreeBSD.org using -f
 Subject: Re: ports/78777: security/doorman: lexer collision with pcap
 	library
 From: Pav Lucistnik <pav@FreeBSD.org>
 Reply-To: pav@FreeBSD.org
 To: aaron@daltons.ca, freebsd-gnats-submit@FreeBSD.org
 Content-Type: text/plain
 Content-Transfer-Encoding: 7bit
 Date: Wed, 16 Mar 2005 22:45:51 +0100
 Message-Id: <1111009551.4377.6.camel@hood.oook.cz>
 Mime-Version: 1.0
 X-Mailer: Evolution 2.2.0 FreeBSD GNOME Team Port 
 
 Can you or the maintainer provide a patch for this issue?
 
 -- 
 Pav Lucistnik <pav@oook.cz>
               <pav@FreeBSD.org>
 
 The final screw holding up a rackmount server is always possessed by demons.
 
 --------------070108030706090105010700
 Content-Type: message/rfc822;
  name="Attached Message"
 Content-Transfer-Encoding: 7bit
 Content-Disposition: inline;
  filename="Attached Message"
 
 Return-Path: <lupe@lupe-christoph.de>
 Received: from mail.finch.st ([unix socket])
 	 by mail.finch.st (Cyrus v2.2.5) with LMTPA;
 	 Thu, 17 Mar 2005 01:32:11 -0700
 X-Sieve: CMU Sieve 2.2
 Received: from [84.19.0.30] (helo=buexe.b-5.de)
 	by mail.finch.st with esmtp (Exim 4.50 (FreeBSD))
 	id 1DBqQM-000IMp-Cy
 	for aaron@daltons.ca; Thu, 17 Mar 2005 01:32:10 -0700
 Received: from antalya.lupe-christoph.de (antalya.lupe-christoph.de [172.17.0.9])
 	by buexe.b-5.de (8.12.3/8.12.3/b-5/buexe-3.4) with ESMTP id j2H8XjkA031457
 	for <aaron@daltons.ca>; Thu, 17 Mar 2005 09:33:46 +0100
 Received: from localhost (localhost [127.0.0.1])
 	by antalya.lupe-christoph.de (Postfix) with ESMTP id 8E54B344F2
 	for <aaron@daltons.ca>; Thu, 17 Mar 2005 09:33:40 +0100 (CET)
 Received: from antalya.lupe-christoph.de ([127.0.0.1])
 	by localhost (antalya [127.0.0.1]) (amavisd-new, port 10024)
 	with LMTP id 08982-06-4 for <aaron@daltons.ca>;
 	Thu, 17 Mar 2005 09:33:36 +0100 (CET)
 Received: by antalya.lupe-christoph.de (Postfix, from userid 1000)
 	id 6BC63344F3; Thu, 17 Mar 2005 09:33:36 +0100 (CET)
 Date: Thu, 17 Mar 2005 09:33:36 +0100
 From: Lupe Christoph <lupe@lupe-christoph.de>
 To: aaron@daltons.ca
 Subject: Re: Further problems with doorman on FreeBSD
 Message-ID: <20050317083336.GH26010@lupe-christoph.de>
 References: <20050313124559.GO25969@lupe-christoph.de>
 Mime-Version: 1.0
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: inline
 In-Reply-To: <20050313124559.GO25969@lupe-christoph.de>
 User-Agent: Mutt/1.5.6+20040907i
 X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at lupe-christoph.de
 
 Hi!
 
 I'm attaching the patch for doormand.c I mentioned in the mail to update
 the PR, the two IPFilter scripts, and an rc.d script I wrote. You may
 wish to include the rc.d script with your port. It's all yours.
 
 Please note that the script uses rcNG, so you may need to depend on
 sysutils/rc_subr for FreeBSD 4.
 
 Please integrate my changes in your port.
 Lupe Christoph
 -- 
 | lupe@lupe-christoph.de       |           http://www.lupe-christoph.de/ |
 | Ask not what your computer can do for you                              |
 | ask what you can do for your computer.                                 |
 
 --------------070108030706090105010700
 Content-Type: message/rfc822;
  name="Attached Message"
 Content-Transfer-Encoding: 7bit
 Content-Disposition: inline;
  filename="Attached Message"
 
 Return-Path: <lupe@lupe-christoph.de>
 Received: from mail.finch.st ([unix socket])
 	 by mail.finch.st (Cyrus v2.2.5) with LMTPA;
 	 Thu, 17 Mar 2005 02:28:30 -0700
 X-Sieve: CMU Sieve 2.2
 Received: from [84.19.0.30] (helo=buexe.b-5.de)
 	by mail.finch.st with esmtp (Exim 4.50 (FreeBSD))
 	id 1DBrIq-000IQH-Mi
 	for aaron@daltons.ca; Thu, 17 Mar 2005 02:28:29 -0700
 Received: from antalya.lupe-christoph.de (antalya.lupe-christoph.de [172.17.0.9])
 	by buexe.b-5.de (8.12.3/8.12.3/b-5/buexe-3.4) with ESMTP id j2H9U0kA000321
 	for <aaron@daltons.ca>; Thu, 17 Mar 2005 10:30:03 +0100
 Received: from localhost (localhost [127.0.0.1])
 	by antalya.lupe-christoph.de (Postfix) with ESMTP id DACC0344F2
 	for <aaron@daltons.ca>; Thu, 17 Mar 2005 10:29:54 +0100 (CET)
 Received: from antalya.lupe-christoph.de ([127.0.0.1])
 	by localhost (antalya [127.0.0.1]) (amavisd-new, port 10024)
 	with LMTP id 28446-01-3 for <aaron@daltons.ca>;
 	Thu, 17 Mar 2005 10:29:41 +0100 (CET)
 Received: by antalya.lupe-christoph.de (Postfix, from userid 1000)
 	id 5017F344F3; Thu, 17 Mar 2005 10:29:41 +0100 (CET)
 Date: Thu, 17 Mar 2005 10:29:41 +0100
 From: Lupe Christoph <lupe@lupe-christoph.de>
 To: aaron@daltons.ca
 Subject: Re: Further problems with doorman on FreeBSD
 Message-ID: <20050317092941.GI26010@lupe-christoph.de>
 References: <20050313124559.GO25969@lupe-christoph.de> <20050317083336.GH26010@lupe-christoph.de>
 Mime-Version: 1.0
 Content-Type: multipart/mixed; boundary="P+33d92oIH25kiaB"
 Content-Disposition: inline
 In-Reply-To: <20050317083336.GH26010@lupe-christoph.de>
 User-Agent: Mutt/1.5.6+20040907i
 X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at lupe-christoph.de
 
 
 --P+33d92oIH25kiaB
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: inline
 
 On Thursday, 2005-03-17 at 09:33:36 +0100, Lupe Christoph wrote:
 
 > I'm attaching ...
 
 No, I didn't. Trying again...
 
 Lupe Christoph
 -- 
 | lupe@lupe-christoph.de       |           http://www.lupe-christoph.de/ |
 | Ask not what your computer can do for you                              |
 | ask what you can do for your computer.                                 |
 
 --P+33d92oIH25kiaB
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: attachment; filename="doormand.patch"
 
 --- Work/doorman-0.8.orig/doormand.c	Thu Jul 29 21:24:02 2004
 +++ work/doorman-0.8/doormand.c	Tue Mar 15 17:18:09 2005
 @@ -397,7 +397,11 @@
      int datalink_header_lengths[] = {
      //    hdr len      code      data link type
      //    -------      --- ---------------------------
 +#ifdef __FreeBSD__
 +             4,    //   0  no link-layer encapsulation
 +#else
               0,    //   0  no link-layer encapsulation
 +#endif
              14,    //   1  Ethernet (10Mb)
              -1,    //   2  Experimental Ethernet (3Mb)
              -1,    //   3  Amateur Radio AX.25
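Review bot: the new FreeBSD entry for link type 0 now sits beside the unchanged comment `//   0  no link-layer encapsulation`, which no longer describes a 4-byte header length; say what the 4 bytes are (the address-family word libpcap prepends on DLT_NULL/loopback captures) so the next reader does not "fix" it back to 0. Keying the value on `__FreeBSD__` also hard-codes a property of the capture, not of the OS; deriving it from the `pcap_datalink()` result at open time would remove the `#ifdef` from the table entirely.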
 @@ -557,6 +561,14 @@
  // more readable.
  //
  
 +/*
 +// lsof on FreeBSD produces one more field.
 +// This should be rewritten to use a regular expression, anyway.
 +//
 +// And who said using C++ style comments in C was good for portability?!?
 +*/
 +
 +#ifdef __FreeBSD__
  #define LSOF()\
  sprintf (cmd, "lsof -Pn -iTCP@%s:%s", interface_ip_str, dport_string) ;\
  \
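Review bot: the `#ifdef __FreeBSD__` opened here wraps a full copy of the `LSOF()` macro whose `#else` branch, further down, is the unchanged original; the two copies differ by a single `token (&p2, " ")` skip, so roughly forty lines must now be kept in sync by hand. Put the one extra skip under its own `#ifdef` inside a single macro instead. The `/* ... */` block also does the thing it complains about (C++-style comments nested in a C comment); a plain C comment stating which lsof column FreeBSD adds is enough.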
 @@ -578,6 +590,7 @@
      if ((p1 = token (&p2, " ")) == NULL) continue ;\
      if ((p1 = token (&p2, " ")) == NULL) continue ;\
      if ((p1 = token (&p2, " ")) == NULL) continue ;\
 +    if ((p1 = token (&p2, " ")) == NULL) continue ;\
      if ((p1 = token (&p2, " :")) == NULL) continue ;\
      local_ip = inet_addr(p1) ;\
      if ((p1 = token (&p2, "-")) == NULL) continue ;\
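Review bot: the added `if ((p1 = token (&p2, " ")) == NULL) continue ;` is the only functional difference between the two macro copies, and nothing records which lsof column it skips; a comment naming the column would help. More generally, this parser counts whitespace-separated columns of human-oriented lsof output; `lsof -F` field output (one tagged field per line) would make the FreeBSD/Linux split disappear instead of growing with each platform's column layout.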
 @@ -602,7 +615,53 @@
      }\
  }\
  pclose(f) ;
 -
 +#else
 +#define LSOF()\
 +sprintf (cmd, "lsof -Pn -iTCP@%s:%s", interface_ip_str, dport_string) ;\
 +\
 +f = popen (cmd, "r") ;\
 +if (f == NULL) {\
 +    croak (errno, "Can't execute '%s'; exiting.", cmd) ;\
 +}\
 +\
 +fgets(buffer, 254, f) ;   /* throw away the first line. */ \
 +while (fgets(buffer, 254, f)) {\
 +    p2 = buffer ;\
 +    if ((p1 = token (&p2, " ")) == NULL) continue ;\
 +    dname = p1 ;\
 +    if ((p1 = token (&p2, " ")) == NULL) continue ;\
 +    pid = p1 ;\
 +    if ((p1 = token (&p2, " ")) == NULL) continue ;\
 +    uname = p1 ;\
 +    if ((p1 = token (&p2, " ")) == NULL) continue ;\
 +    if ((p1 = token (&p2, " ")) == NULL) continue ;\
 +    if ((p1 = token (&p2, " ")) == NULL) continue ;\
 +    if ((p1 = token (&p2, " ")) == NULL) continue ;\
 +    if ((p1 = token (&p2, " :")) == NULL) continue ;\
 +    local_ip = inet_addr(p1) ;\
 +    if ((p1 = token (&p2, "-")) == NULL) continue ;\
 +    local_port = atoi(p1) ;\
 +    if ((p1 = token (&p2, "->:")) == NULL) continue ;\
 +    aptr = p1 ;\
 +    remote_ip = inet_addr(p1) ;\
 +    if ((p1 = token (&p2, " ")) == NULL) continue ;\
 +    pptr = p1 ;\
 +    remote_port = atoi(p1) ;\
 +    if ((p1 = token (&p2, " ()")) == NULL) continue ;\
 +    status = p1 ;\
 +\
 +    if ((saddr == remote_ip) &&\
 +        (daddr == local_ip) &&\
 +        (sport == remote_port) &&\
 +        (dport == local_port) && \
 +        (strcmp(status, "ESTABLISHED") == 0))\
 +    {\
 +        connected = TRUE ;\
 +        break ;\
 +    }\
 +}\
 +pclose(f) ;
 +#endif
  
  
  
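Review bot: this `#else` branch re-adds the original macro verbatim, so its pre-existing weaknesses are now duplicated: the `fgets(buffer, 254, f)` that discards the header line ignores its return value, `inet_addr(p1)` is never checked for `INADDR_NONE`, `atoi` silently yields 0 on a malformed field so a garbage line could compare equal to a zero port, and the `pclose(f)` status is dropped, so a failing `lsof` is indistinguishable from "no connection" (`connected` simply stays unset). Prefer a single macro with one platform-conditional `token` call, and check `pclose` in that one place.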
 @@ -647,7 +706,11 @@
      snprintf (cmd, 254, "tcp and dst port %s and src %s and dst %s",
                dport_string, src_addr, interface_ip_str) ;
      DEBUG "open a secondary pcap: '%s'", cmd) ;
 +#ifdef __FreeBSD__
 +    hdr_len = open_a_pcap (device, 1000, &cap, cmd) ;
 +#else
      hdr_len = open_a_pcap (device, 0, &cap, cmd) ;
 +#endif
  
      // set broad firewall rule
      sprintf (G_fw_broad_rule, " %s %s 0 %s %s",
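Review bot: `open_a_pcap (device, 1000, &cap, cmd)` introduces a bare `1000` with no comment; if that argument is the `to_ms` read timeout handed to `pcap_open_live()`, say so and give it a name such as a `PCAP_TIMEOUT_MS` macro defined once per platform (1000 on FreeBSD, 0 elsewhere), since the same literal reappears in the `G_cap` hunk and both `#ifdef __FreeBSD__` / `#else` pairs exist only to vary this one number. The motivation is presumably that a zero timeout on BSD BPF makes reads block until the kernel buffer fills, which is worth stating in the comment because it is also why the new read loops must tolerate `pcap_next_ex` returning 0.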
 @@ -659,7 +722,22 @@
  
      for (;;) {
  
 +#ifdef __FreeBSD__
 +	{
 +	    int ret = 0;
 +	    struct pcap_pkthdr * packet_hdr_p;
 +
 +	    while (ret == 0) {
 +		ret = pcap_next_ex (cap, &packet_hdr_p, (const u_char **)&p) ;
 +		packet_hdr = *packet_hdr_p;
 +		if (ret < 0) {
 +		    p = NULL;
 +		}
 +	    }
 +	}
 +#else
          p = (unsigned char*)pcap_next (cap, &packet_hdr) ;
 +#endif
          if (p == NULL) {
              WARNX "manage_firewall got null from 'pcap_next'. Exiting.") ;
              exit (1) ;
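Review bot: `packet_hdr = *packet_hdr_p;` runs before `ret` is examined, but `pcap_next_ex()` only fills in the header pointer when it returns 1; on a timeout (0) the first iteration dereferences the uninitialised `packet_hdr_p`, and on error (-1) or EOF (-2) the same dereference happens before `p` is set to NULL. Initialise `struct pcap_pkthdr *packet_hdr_p = NULL;` and copy the header only under `if (ret == 1)`. The fall-through `if (p == NULL)` check below still blames 'pcap_next' in its message and discards the real reason, which `pcap_geterr(cap)` would supply. Since this loop is repeated verbatim for `G_cap` later in the patch, it belongs in a small helper.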
 @@ -1222,9 +1300,13 @@
          croak (errno, "Can't get interface address of %s", device) ;
      }
  
 +#ifdef __FreeBSD__
 +    hdr_len = open_a_pcap (device, 1000, &G_cap, "udp and port %d and dst %s",
 +                           port, interface_ip) ;
 +#else
      hdr_len = open_a_pcap (device, 0, &G_cap, "udp and port %d and dst %s",
                             port, interface_ip) ;
 -
 +#endif
      if (G_reconfigure) {
          G_reconfigure = FALSE ;
          NOTICE "reconfigured.") ;
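Review bot: same bare `1000` as in the secondary-pcap hunk, and the whole `#ifdef` / `#else` pair exists only to change that one argument; a single `open_a_pcap (device, PCAP_TIMEOUT_MS, &G_cap, ...)` with the macro defined once removes both copies of the two-line call. The hunk also replaces the blank line that separated the call from the `if (G_reconfigure)` block with `#endif`; harmless, but unrelated whitespace churn makes the diff harder to read.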
 @@ -1252,7 +1334,22 @@
          char            src_addr_buff[16] ;
  
          errno = 0 ;
 +#ifdef __FreeBSD__
 +	{
 +	    int ret = 0;
 +	    struct pcap_pkthdr * packet_hdr_p;
 +
 +	    while (ret == 0) {
 +		ret = pcap_next_ex (G_cap, &packet_hdr_p, (const u_char **)&p) ;
 +		packet_hdr = *packet_hdr_p;
 +		if (ret < 0) {
 +		    p = NULL;
 +		}
 +	    }
 +	}
 +#else
          p = (unsigned char *)pcap_next (G_cap, &packet_hdr) ;
 +#endif
          if (G_reconfigure) {
              if (daemonize) err_closelog() ;
              goto reconfigure ;
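Review bot: this is the second verbatim copy of the `pcap_next_ex` loop, with the same defect: `packet_hdr = *packet_hdr_p;` dereferences a pointer that `pcap_next_ex()` has not set when it returns 0 (timeout) or a negative value. Factor both copies into one helper, e.g. `static const u_char *next_packet(pcap_t *cap, struct pcap_pkthdr *hdr)` that loops while the return is 0, copies `*hdr` only when it is 1, and returns NULL otherwise; the `(const u_char **)&p` cast then disappears as well, because `p` can take the helper's return value directly.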
 
 --P+33d92oIH25kiaB
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: attachment; filename="ipf_add.insert"
 
 #!/bin/sh
 #
 # *********************************************************************
 # This script is used with IPFilter if the ruleset (/etc/ipf.rules)
 # contains a drop rule that interferes with doorman because rules can
 # only be added at the end, i.e. after the drop rule.
 #
 # The script will insert its rule before a line containing the string
 # @@@Insert doorman rule here@@@
 #
 # Note that it does not use locking, so concurrent accesses may
 # interfere with each other.
 # *********************************************************************
 #
 #  file "ipf_add"
 #  IPFilter add script, called by "doormand". 
 #  This adds a "pass in quick" rule to the firewall.
 #
 #  Called with five arguments:
 #
 # $1 : name of the interface (e.g. ne0)
 # $2 : source IP; i.e. dotted-decimal address of the 'knock' client
 # $3 : source port; when this script is called for the first time
 #      for a connection (man 8 doormand), this argument will be set
 #      to a single "0" (0x30) character.  This means that the source
 #      port is not yet known, and a broad rule allowing any source
 #      port is required.
 # $4 : destination IP; that is, the IP address of the interface 
 #      in argument 1.
 # $5 : The port number of the requested service (e.g. 22 for ssh, etc.)
 #
 
 BEGINTAG='@@@doorman rules begin@@@'
 ENDTAG='@@@doorman rules end@@@'
 
 # We use kept state for this, so we ignore the invocation with
 # a specific source port.
 
 if [ "$3" = 0 ]; then
      inrule="pass in  quick on $1 proto TCP from $2           to $4 port = $5"
     outrule="pass out quick on $1 proto TCP from $4 port = $5 to $2"
 else
      inrule="pass in  quick on $1 proto TCP from $2 port = $3 to $4 port = $5"
     outrule="pass out quick on $1 proto TCP from $4 port = $5 to $2 port = $3"
 fi
 
 #
 # acquire lock (not implemented)
 #
 
 if [ -f /etc/ipf.rules.doorman ]; then
     # Add another rule
     mv /etc/ipf.rules.doorman /etc/ipf.rules.doorman.old
     sed -e "/$ENDTAG/i\\
 $inrule\\
 $outrule" /etc/ipf.rules.doorman.old > /etc/ipf.rules.doorman
     rm /etc/ipf.rules.doorman.old
 else
     # Create /etc/ipf.rules.doorman
     sed -e "/@@@Insert doorman rule here@@@/c\\
 # $BEGINTAG\\
 $inrule\\
 $outrule\\
 # $ENDTAG" /etc/ipf.rules > /etc/ipf.rules.doorman
 fi
 
 # Activate the edited ruleset
 ret=`/sbin/ipf -Fa -I -f /etc/ipf.rules.doorman 2>&1`
 
 #
 # release lock (not implemented)
 #
 
 if [ -z "$ret" ]; then
     /sbin/ipf -s > /dev/null 2>&1
     echo 0
 else
     echo -1 3 $ret
 fi
 
 --P+33d92oIH25kiaB
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: attachment; filename="ipf_delete.remove"
 
 #!/bin/sh
 #
 # *********************************************************************
 # This script is used with IPFilter if the ruleset (/etc/ipf.rules)
 # contains a drop rule that interferes with doorman because rules can
 # only be added at the end, i.e. after the drop rule.
 #
 # The script will delete its rule from the intermediate file
 # /etc/ipf.rules.doorman. If no lines are left between the markers
 # @@@doorman rules begin@@@ and @@@doorman rules end@@@, the
 # intermediate file is deleted and the original ruleset is reloaded.
 #
 # Note that it does not use locking, so concurrent accesses may
 # interfere with each other.
 # *********************************************************************
 #
 #  file "ipf_delete"
 #  IPFilter delete script, called by "doormand". 
 #  This deletes a "pass in quick" rule from the firewall.
 #
 #  Called with five arguments:
 #
 # $1 : name of the interface (e.g. ne0)
 # $2 : source IP; i.e. dotted-decimal address of the 'knock' client
 # $3 : source port; when this script is called for the first time
 #      for a connection (man 8 doormand), this argument will be set
 #      to a single "0" (0x30) character.  This means that the source
 #      port is not yet known, and a broad rule allowing any source
 #      port is required.
 # $4 : destination IP; that is, the IP address of the interface 
 #      in argument 1.
 # $5 : The port number of the requested service (e.g. 22 for ssh, etc.)
 #
 
 BEGINTAG='@@@doorman rules begin@@@'
 ENDTAG='@@@doorman rules end@@@'
 
 # We use kept state for this, so we ignore the invocation with
 # a specific source port.
 
 if [ "$3" = 0 ]; then
      inrule="pass in  quick on $1 proto TCP from $2           to $4 port = $5"
     outrule="pass out quick on $1 proto TCP from $4 port = $5 to $2"
 else
      inrule="pass in  quick on $1 proto TCP from $2 port = $3 to $4 port = $5"
     outrule="pass out quick on $1 proto TCP from $4 port = $5 to $2 port = $3"
 fi
 
 #
 # acquire lock (not implemented)
 #
 
 if [ ! -f /etc/ipf.rules.doorman ]; then
     # Huh? How come?
     echo -1 3 /etc/ipf.rules.doorman missing
     exit
 fi
 
 mv /etc/ipf.rules.doorman /etc/ipf.rules.doorman.old
 sed -e "/^$inrule\$/d" -e "/^$outrule\$/d" /etc/ipf.rules.doorman.old > /etc/ipf.rules.doorman
 rm /etc/ipf.rules.doorman.old
 
 if [ `sed -n -e "/$BEGINTAG/,/$ENDTAG/p" /etc/ipf.rules.doorman |\
       wc -l` -le 2 ]; then
     # No rules left
     rm /etc/ipf.rules.doorman
     FILE=/etc/ipf.rules
 else
     FILE=/etc/ipf.rules.doorman
 fi
 
 # Activate the edited ruleset
 ret=`/sbin/ipf -Fa -I -f $FILE 2>&1`
 
 #
 # release lock (not implemented)
 #
 
 if [ -z "$ret" ]; then
     /sbin/ipf -s > /dev/null 2>&1
     echo 0
 else
     echo -1 3 $ret
 fi
 
 --P+33d92oIH25kiaB
 Content-Type: application/x-sh
 Content-Disposition: attachment; filename="doorman.sh"
 Content-Transfer-Encoding: quoted-printable
 
 #!/bin/sh
 #
 
 # PROVIDE: doorman
 # REQUIRE: LOGIN
 # KEYWORD: FreeBSD
 
 #
 # Add the following lines to /etc/rc.conf to enable doorman:
 # doorman_enable (bool):      Set to "NO" by default.
 #                             Set it to "YES" to enable doorman
 # doorman_config (path):      Set to "/usr/local/etc/doormand/doormand.cf" by default.
 #
 
 if [ -f /etc/rc.subr ]; then
   . /etc/rc.subr
 elif [ -f /usr/local/etc/rc.subr ]; then
   . /usr/local/etc/rc.subr
 else
   exit 1
 fi
 
 name="doorman"
 rcvar=`set_rcvar`
 
 [ -z "$doorman_enable" ] && doorman_enable="NO"
 [ -z "$doorman_config" ] && doorman_config="/usr/local/etc/doormand/doormand.cf"
 
 command=/usr/local/sbin/doormand
 pidfile=/var/run/doormand.pid
 command_args="-p $pidfile -f $doorman_config"
 
 load_rc_config $name
 run_rc_command "$1"
 --P+33d92oIH25kiaB--
 
 --------------070108030706090105010700--
 
 
 
 --------------030806050202030404030103--
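The ipf_add and ipf_delete attachments above edit an IPFilter ruleset around marker lines and state in their own comments that locking is not implemented, so two doormand invocations racing on /etc/ipf.rules.doorman can lose each other's edits. The following is an added example, not Lupe Christoph's scripts and not part of doorman: it performs the same marker-based insert and delete, takes the same five arguments doormand passes (interface, source IP, source port or 0, destination IP, destination port), and adds an atomic mkdir lock. The function names (doorman_add, doorman_delete, lock_acquire) are the example's own, and it works on a constructed sample ruleset in a temporary directory rather than /etc/ipf.rules, so it runs without IPFilter or root. Loading the resulting file (the `ipf -Fa -I -f FILE` followed by `ipf -s` that the original scripts run) is left to the caller.

```sh
#!/bin/sh
# Added example (not the attached ipf_add / ipf_delete scripts): marker-based
# IPFilter rule insert/delete with a mkdir lock, exercised on a constructed
# sample ruleset. BASE is the original ruleset, WORK the intermediate file.

BEGINTAG='@@@doorman rules begin@@@'
ENDTAG='@@@doorman rules end@@@'
INSERTTAG='@@@Insert doorman rule here@@@'

# mkdir is atomic, so a lock directory acts as a mutex on any POSIX system
# without depending on flock(1) or lockf(1), which differ across platforms.
lock_acquire() {                       # $1 = lock directory
    tries=0
    until mkdir "$1" 2>/dev/null; do
        tries=$((tries + 1))
        [ "$tries" -lt 10 ] || return 1
        sleep 1
    done
}
lock_release() { rmdir "$1"; }

# Same five arguments doormand passes: iface, src IP, src port (0 = not yet
# known), dst IP, dst port. Sets $inrule and $outrule like ipf_add does.
build_rules() {
    if [ "$3" = 0 ]; then
        inrule="pass in quick on $1 proto TCP from $2 to $4 port = $5"
        outrule="pass out quick on $1 proto TCP from $4 port = $5 to $2"
    else
        inrule="pass in quick on $1 proto TCP from $2 port = $3 to $4 port = $5"
        outrule="pass out quick on $1 proto TCP from $4 port = $5 to $2 port = $3"
    fi
}

# doorman_add BASE WORK IFACE SRC SPORT DST DPORT
# First use: create WORK from BASE, replacing the insert-marker line with the
# begin/end markers around the rules. Later uses: insert before the end marker.
# awk is used instead of sed's i\ / c\ so rule text is never read as sed syntax.
doorman_add() {
    base=$1; work=$2; shift 2
    build_rules "$@"
    lock_acquire "$work.lock" || return 1
    if [ -f "$work" ]; then
        awk -v r1="$inrule" -v r2="$outrule" -v e="$ENDTAG" '
            index($0, e) { print r1; print r2 }
            { print }' "$work" > "$work.tmp"
    else
        awk -v r1="$inrule" -v r2="$outrule" -v b="$BEGINTAG" -v e="$ENDTAG" \
            -v t="$INSERTTAG" '
            index($0, t) { print "# " b; print r1; print r2; print "# " e; next }
            { print }' "$base" > "$work.tmp"
    fi
    mv "$work.tmp" "$work"
    lock_release "$work.lock"
}

# doorman_delete BASE WORK IFACE SRC SPORT DST DPORT
# Removes the rule pair; when only the two marker lines remain, WORK is deleted.
# Prints the ruleset the caller should now load: BASE if no doorman rules are
# left, otherwise WORK.
doorman_delete() {
    base=$1; work=$2; shift 2
    build_rules "$@"
    lock_acquire "$work.lock" || return 1
    if [ ! -f "$work" ]; then lock_release "$work.lock"; return 1; fi
    awk -v r1="$inrule" -v r2="$outrule" '$0 != r1 && $0 != r2' "$work" > "$work.tmp"
    mv "$work.tmp" "$work"
    # Count lines from the begin marker to the end marker, inclusive.
    left=$(awk -v b="$BEGINTAG" -v e="$ENDTAG" '
        index($0, b) { f = 1 }
        f            { c++ }
        index($0, e) { f = 0 }
        END          { print c + 0 }' "$work")
    if [ "$left" -le 2 ]; then rm "$work"; active=$base; else active=$work; fi
    lock_release "$work.lock"
    printf '%s\n' "$active"
}

# Constructed sample ruleset (not a real /etc/ipf.rules): it ends in a drop
# rule, which is exactly why the insert marker is needed.
make_sample_ruleset() {                # $1 = path
    cat > "$1" <<'EOF'
pass out quick on ne0 proto tcp all keep state
# @@@Insert doorman rule here@@@
block in quick on ne0 all
EOF
}
```

Deleting matches whole lines against the rebuilt rule text, so the add and delete paths must build the rule string identically, just as the two original scripts do; the lock directory is removed on every exit path so a crash between `mkdir` and `rmdir` is the one case a stale lock would need manual cleanup.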


