'unregistered_only' in natd does not work?

2006-07-07 Thread BigBrother-{BigB3}





Summary: NATD translates source addresses even though it should not because 
unregistered_only is set and the IPs do not belong to RFC 1918 (like 
192.168)










Hi List,

I have a very strange problem in my

FreeBSD bigb3 6.1-STABLE FreeBSD 6.1-STABLE #0: Tue Jun  6


I am using the ftpd with inetd.
I have specified via sysctl  IP_PORTRANGE_DEFAULT and  IP_PORTRANGE_HIGH

net.inet.ip.portrange.first: 49152
net.inet.ip.portrange.last: 65535
net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.hilast: 65535


and I have opened my ipfw firewall for these ranges.



In natd.conf I am using:
same_ports  yes
unregistered_only   yes
use_sockets yes
log_denied  yes
interface   vr0


and I am using ipfw with
$fwcmd add 15000 divert natd   all from any to any via $oif



* T H E   P R O B L E M **


I have trouble making a passive ftp connection work, because 
every time natd changes the source port even though it should not. Sometimes it 
changes within the IP_PORTRANGE_DEFAULT but sometimes it changes it to 
something completely irrelevant like 3


The verbose log of natd shows this:

Out {default}  [TCP] 193.92.?:55211 - 193.92.:3866 aliased to
   [TCP] 193.92.??:37962 - 193.92.?:3866


Thus it shows that the outside IP and port (55211) in the source field was 
changed to another source port (37962), even though this is not required. 
My IPFW denies ports lower than 49152 and thus it drops this and logs 
that this packet was denied.





Can you please help me with how to either

1) instruct natd NOT to translate ports if it is not required 
(unregistered_only seems that it does not work)


or,

2) instruct natd to translate ports which belong to either 
IP_PORTRANGE_DEFAULT  or another defined portrange?




Thank you very very much in advance,



Best Regards,

BB





p.s. After searching the freebsd bugs database I found
Problem Report bin/77089 : /sbin/natd: natd ignores -u with passive FTP
http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/77089, which seems similar.

Any clues except re-arranging the firewall rules, as the author of the 
previous post suggests?






---
Dixi et animan levavi
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: 'unregistered_only' in natd does not work?

2006-07-07 Thread BigBrother-{BigB3}


On Fri, 7 Jul 2006, Chuck Swiger wrote:


> BigBrother-{BigB3} wrote:
> [ ... ]
>> I have trouble making a passive ftp connection to work, because every time
>> natd changed source port even though it should not. Sometimes it changes
>> within the IP_PORTRANGE_DEFAULT but sometimes it changes it to something
>> completely irrelevant like 3
>>
>> The verbose log of natd shows this:
>>
>> Out {default}  [TCP] 193.92.?:55211 - 193.92.:3866 aliased to
>>    [TCP] 193.92.??:37962 - 193.92.?:3866
>
> You might try using the punch_fw keyword or flag to natd to try and control
> the portrange used for ephemeral FTP & IRC data channels, BTW...but if your
> problem also affects passive-mode FTP, something else is going on.
>
> What happens if you change your IPFW divert statement to only match the
> RFC-1918 unroutable addresses which you're using, and not send internal
> routable traffic to NATD...?
>
> --
> -Chuck




Dear Chuck,

Thank you for your answer.

1) I have already tried punch_fw keyword with 
different settings but nothing happened. I mean that no dynamic rule was 
added. I think that punch_fw works when you are on the box and try to 
connect to another ftp server (thus, when you are client). I do not think 
that punch_fw works when this box is the server. Passive mode from the box 
itself is ok...works without any problem.


2) I am not sure how to change the divert command because take notice that 
divert should be applied to both incoming and outgoing packets. I 
think that messing with divert may cause some strange problems...


I followed your suggestion and it seems that the following works (not 
tested thoroughly though)


$fwcmd add 14999 skipto 15001 all from $oip to any via $oif
$fwcmd add 15000 divert natd all from any to any via $oif

(do you have any feeling for possible faults on the skipto line?)


I will test but I think it should be noted that this is a bug in natd 
code (I mean the 'unregistered_only').



Thanks for the support!


BB





---
Dixi et animan levavi
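
Chuck's suggestion written out as ipfw rules, next to the broad rule from the first post; this is an added example, not either poster's configuration. `$fwcmd`, `$oif` and `$oip` are the thread's names, while their default values, the rule numbers and the dry-run `echo` are assumptions.

```shell
#!/bin/sh
# Added example. fwcmd/oif/oip follow the names used in the thread; the
# values and rule numbers are assumptions. By default fwcmd only prints
# the commands (dry run); set fwcmd=/sbin/ipfw to load them for real.
fwcmd="${fwcmd:-echo ipfw}"
oif="${oif:-vr0}"
oip="${oip:-203.0.113.10}"   # constructed documentation address (RFC 5737)

# Broad rule from the thread: every packet crossing $oif is handed to natd,
# including traffic the firewall box itself sends from $oip.
broad_rule() {
    $fwcmd add 15000 divert natd all from any to any via "$oif"
}

# Narrowed rules: only packets that can need translation reach natd.
narrow_rules() {
    n=15000
    # Outbound: only RFC 1918 sources are candidates for aliasing.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        $fwcmd add "$n" divert natd all from "$net" to any out via "$oif"
        n=$((n + 10))
    done
    # Inbound: replies addressed to the outside IP must be de-aliased.
    $fwcmd add "$n" divert natd all from any to "$oip" in via "$oif"
}

narrow_rules
```

With these rules a packet sourced from `$oip` itself, such as the ftpd data connection in the natd log above, is never diverted on its way out.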


Re: Files corrupt after copy!!!

2005-05-28 Thread Bigbrother




> I just copied my entire home directory from my Windows XP harddrive (ad6)
> running NTFS over to my FreeBSD harddrive (ad4) running UFS2:
> ..

In the past I had faced a similar problem. I found out that the errors were
caused by the DMA controller.
So I have disabled DMA on the hard disc and no write errors occur.

So in the rc.d directory I have created a script that runs 'atacontrol mode
[0-3] pio4 pio4'.

Thus I make all hard discs operate in PIO4 mode. Even though it is a bit
slow I do not have any write errors on any disc any more. My machine has the
following two controllers:

atapci0: VIA 82C686 ATA66 controller port 0xd800-0xd80f at device 4.1 on
pci0
atapci1: Promise ATA100 controller port
0x8400-0x843f,0x8800-0x8803,0x9000-0x9007,0x9400-0x9403,0x
9800-0x9807 mem 0xda00-0xda01 irq 10 at device 17.0 on pci0


So try to use PIO4 mode for your discs and see if your data is ok.



---
Give a man fire, and he'll be warm for a day; set a man on fire, and he'll
be warm for the rest of his life 



RE:VM pager read error

2005-05-24 Thread Bigbrother

> I have a distributed network of systems running FreeBSD 4.10-Release,
> and periodically, I see the following errors on the console:
>
> vm_fault: pager read error, pid 1 (init)

I have also a network with many diskless boxes of 4.11 FreeBSD and every now
and then I see messages like this. 
The process that dies varies...It is not always (init)..Some times it is
(mrtg) some times (sshd) or (syslogd) and some other processes that the
boxes are running.


I have resolved this situation by running a series of crontab scripts that
rlogin to every diskless box and check/restart every
service that is critical for that box (e.g. syslogd, cron, sshd...).

Of course if your (init) dies then you cannot do anything with it and you
should ask/phone a worker there to do a reboot on that machine. I think the
problem lies in poor hardware (my network has some low-end network cards).

It would be nice if we could find any solution to this (without buying new
cards).



Perhaps if we could define that some processes would never be swapped out
(like init) this problem would disappear, but I
do not have time for such experiments.



BB


p.s. Even though people leave the office, perhaps crontab and periodic
execute some scripts...So perhaps the machines
have a high cpu load and some NFS packets are dropped resulting in the
process to die.

---
Give a man fire, and he'll be warm for a day; set a man on fire, and he'll
be warm for the rest of his life 



Too many unknown dynamic rule type 244 in syslog..

2005-05-15 Thread BigBrother-{BigB3}

hi,
For the past weeks I have been receiving in my syslog the following 
message

ikaros /kernel: unknown dynamic rule type 244
ikaros last message repeated XXX times
ipfw -d show | grep 244
does not show anything
I have rebooted the machine,
I have flushed & reloaded the ruleset...the message remains
Can you help me with how to debug this situation? I do not know what is
causing this.
Googling did not reveal anything useful (just the printf of the 
corresponding file)


Thanks in advance,
BB
---
Dreams have no limits!


Re: I used boot0cfg and destroyed the MBR. All labels disappear! (How I Fixed it)

2005-05-04 Thread BigBrother-{BigB3}
Hi,
I managed to fix the error of all slices being destroyed. My system is up 
and running. I did not reinstall any programs, just edited the partition 
table and the labels. It took me 3 days to figure out the exact values, so 
I post here my findings, in case somebody faces the same problem.

The problem was solved using two programs from the fixit disk: fdisk and 
disklabel. Note that I am using a whole disc dedicated to freebsd. No 
other partitions exist.

This is a short guide of how to fix it:
a) boot the computer using the floppy disks and enter the Fixit menu with 
the fixit disc inserted.

b) go to menu Configure-Fdisk and delete all partitions (NOTE: I am 
using all the disc dedicated to freebsd. No other OS exist. On your 
situation this may vary).

c) On this screen then I pressed [A] - use Entire disc and saw the new 
automatically calculated sector values (and the offset).

d) I pressed CTRL+C to abort this screen. Only the numbers interested me.
e) I went to menu and pressed the fixit prompt. I went to fixit prompt.
(I run 'disklabel ad0' and 'disklabel -r ad0' and I noted down some 
numbers of the fake partitions. Especially I noted the size (in sectors) 
of it. If this process fails, then you have to repeat the disklabel step 
after every fdisk command that follows. Also note the number of 
fsize, bsize, and bps/cpg).

f) I edited the partition table using fdisk.
fdisk -u ad0   (ad0 is my first disc)
I deleted all (fake) partitions and created one according to the numbers 
that I have extracted from the previous screen. The type was 165 Freebsd.
Thus I have created a big slice ad0s1.

I edited the slice ad0s1 because I saw that there is a hidden partition on 
every freebsd system with these values:

fdisk ad0s1
Media sector size is 512
Warning: BIOS sector numbering starts with sector 1
Information from DOS bootblock is:
The data for partition 1 is:
UNUSED
The data for partition 2 is:
UNUSED
The data for partition 3 is:
UNUSED
The data for partition 4 is:
sysid 165,(FreeBSD/NetBSD/386BSD)
start 0, size 5 (24 Meg), flag 80 (active)
beg: cyl 0/ head 0/ sector 1;
end: cyl 1023/ head 255/ sector 63

I do not know why, but every freebsd system (in my possession) has a 
partition 4 on slice 1 with these values.

I then edit the labels on that slice using
disklabel -e ad0s1
If that operation fails then you have to install a fresh disklabel using
disklabel -w ad0s1 auto
or
disklabel -w ad0 auto

I edit the labels of that slice. The sectors offset was known from a 
previous step where I had extracted them using disklabel. The offset is 
calculated by adding the sectors until now. The fsize and other numbers 
are known from the previous step also.

Then you edit the label and write the first line of
a: sectors size offset=0 4.2BSD fsize bsize bps/cpg
On the b label put in the offset the sectors size of the previous ( a 
slice) and repeat the process.

Note that the label 'c' corresponds to whole disc so this value should 
have size from offset 0 until size the number of disklabel: [sectors/unit: 
X]. The last label starts from the sum of all the previous labels 
until the number of sectors/units.

Thus if the calculated offset is 100 and sectors/unit is 300, then the 
last label will have size 200 and offset 100.

After editing the label, try to mount. Note that the /mnt2/ holds the 
devices for mounting labels.

try to:
mount /mnt2/dev/ad0s1a /mnt
If this succeeds then label a has correct values. If not try to edit 
disklabel with other numbers. Remember that as long as you do not issue
[newfs] the inode table is somewhere hidden on the disc and you just have 
to figure out the label information (where it starts and where it ends for 
every slice).

Finally, install bootblocks using
fdisk -B ad0
fdisk -B ad0s1
disklabel -B ad0 auto
disklabel -B ad0s1 auto
and to be 100% sure enter sysinstall and go to fdisk menu and press Q 
quit. It will then ask you to install a boot manager...Say yes to it and 
your PC is 100% ready!

Reboot and enjoy:)

It took me 3 days to figure out this process but I managed to succeed in 
it.

Of course the best advice is (in order to avoid this) to print the 
partition information for your hard disc so you know beforehand all the 
values...

Just issue (in case you have a ad0 disc)
fdisk ad0  [depending on your disc]
fdisk ad0s1 [--]
disklabel ad0
disklabel ad0s1

I hope that you will not need my short guide on fixing such kind of 
problems, but you never know :)

BB
---
Dreams have no limits!


I used boot0cfg and destroyed the MBR. All labels disappear!

2005-05-02 Thread BigBrother-{BigB3}

Dear,
Please help me with this strange situation, that is due to using boot0cfg 
with wrong switches. I googled it but I did not find any similar case.

On  a working 4.11 freebsd system I wanted to create a floppy bootable 
disk.
This system had one slice and four labels.

I run this command:
boot0cfg -B -o update -s 1 -t 20 fd0
After I run this command I rebooted and I faced a situation where
a) the floppy booting only showed
F1 ???
F2 ???
F3 ???
F4 ???
(whatever I pressed it causes to beep and nothing happens)
b) I removed the floppy disk and booted from the hard disc, but
the same list appeared..and nothing happened.
c) I boot with the 2 kernel/mfsroot disks with fixit also and I saw:
fdisk from the 'sysinstall' shows that no slices exist, and all the space 
is unused.

fdisk ad0 shows that there are 4 partitions with information like
==
sysid 32 (uknown)
1919950958, 544437093 (265838 Meg) (flag 0x80 active)
beggining: cylinder 356 head 97 sector 46
end:   cyllinder 357 head 116 secotr 40
sysid 107 (unknown)

sysid 83 (unknown)
...
sysid 73 (unknown)
...

Meanwhile I got the message
slice ad0s1 starts beyong end of the disk: rejecting it
slice ad0s2 ..rejecting it
slice ad0s3   rejecting it
slice ad0s4 ...   rejecting it

It seems that all the labels of the single slice have become separate 
slices.

As a result I cannot mount anything and it seems that all my data is 
inaccessible.


Because this is my home FreeBSD firewall and I would like to bring it back 
online without reinstalling and setting it up from the beginning (no 
backups sniff:(  ) how can I fix this?

If I recreate partitions (how?) without erasing the file/inode table? how 
can I change the type of every partition to be freebsd? And how can i 
change the slices to be one big slice? I think disklabel can help but I am 
not sure how. How can I save/backup the data on the disk?


Thank you very much in advance!!!
Please if you have any hint of where to search or what to do help me and I 
will post the results (and hopefully the solution)  of this case as a 
reference.

regards,
BB

---
Dreams have no limits!


Channel Bonding on FreeBSD without peer support

2005-03-29 Thread Bigbrother



Hi,

I would like to combine the bandwidth of two network cards on FreeBSD (which
are connected to 2 different ADSL modems of the same ISP) in order to double
the bandwidth of the Internet connection of the LAN that is behind this box.

I have searched Google and FreeBSD question and people suggest to use
netgraph, like ng_fec, or ng_one2many.
However, these approaches require support from the other peer (the ISP),
which is not possible in my situation.

Do you know if there is any way of combining the bandwidth of the two
modems? Or is it easier to just route services (like www traffic on modem 1,
email traffic on modem 2..) or route nodes behind it (subnet A routes (has
gateway) through modem 1, subnet B routes (has gateway) through modem 2).

Also, if any of you has some real-life experience with such things it
would be very nice to hear from you.


Thank you very much in advance,


BB



p.s. Renting a faster bandwidth line is not an option.







---
Give a man fire, and he'll be warm for a day; set a man on fire, and he'll
be warm for the rest of his life 



NFS data integrity failure

2004-10-15 Thread Bigbrother


Dear all,

I have noticed a very strange NFS problem between two FreeBSD machines
running both 4.10-Release-p2.


-Short description:

NFS copy transfers from A to B (A controls the transfer, e.g. he gets data)
produce (always!!) CRC errors and MD5 mismatch between (some) original
files and copies (6-7 files out of 90)
NFS copy transfers from A to B (B controls the transfer, e.g. he puts
data) make exact copies EVERY TIME!!!


NFS mounts have been tried with TCP, UDP, read/write of 8K or 16K,nfsv2,
nfsv3







Long description:

MachineA mounts machineB:/disk and copies 1.2 GB of data from machineB:/disk
to local disc (gets data) (almost 90 files of 15MB each). After the
transfer, I compare the CRC of every copied file with the original CRC and
some files produce different CRCs. If I copy again the failed file the CRC
is correct. Of course this means that I should manually verify every time
that copies are 100% the same with original, which is a bit of a waste of time.


MachineB mounts machineA:/disk and puts 1.2 GB of data from its disk to the
machineA disk.  A CRC check performed on the copied files shows that
everything is correct. (always!)

Other tests:

MachineB mounts machineA:/disk and gets 1.2GB of data from machineA:/disk.
Everything is correct

MachineA mounts machineB:/disk and puts data on machineB. Some files have
CRC errors!!




Every time the files that are damaged are different.

NFS mounts are done with the same parameters every time

Different combinations of NFS mount parameters have been tried and every
time the results are the same.



MachineA:
CPU: AMD Athlon(tm) Processor (807.19-MHz 686-class CPU)
real memory  = 134135808 (130992K bytes)
Network card: Realtek 8139

MachineB:
CPU: Intel Pentium III (731.47-MHz 686-class CPU)
real memory  = 536870912 (524288K bytes)
Network card: 3Com 3c905C-TX Fast Etherlink XL 


Both machines are not under any load.

No errors reported by syslog!!!




-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

What is happening? How can I find out what is causing this? 
Is it possible that the Realtek card causes such behavior? 
On the other hand why do some transfers succeed every time? 
I am not in the situation of buying another network card for my home
machine, so if you have any suggestion of how to resolve this problem
let me know...Have you got any similar situations? How did you solve them?


I have searched the net and have not found any useful information about it.

Thank you a lot in advance!!




---
Give a man fire, and he'll be warm for a day; set a man on fire, and he'll
be warm for the rest of his life 

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Strange Files Created, FSCK problems: how to deal without single user mode (/unmounting disc)?

2004-06-25 Thread Bigbrother


Dear all,

 Today I found out (due to my backup process failure) that 
 some strange files were created in a user's dir.

 Specifically:

 --wx--s-wx  16217 1062905872  13116693781061708166 Jan  1  1970
.irssi
 b---rwx--x  16240 rootwheel   174, 0x3f590067 Jan  1  1970
.mc


These entries were supposed to be directories, but somehow they changed
to something else.

I tried to remove them:

rm .irssi
override -wx--s-wx  1062905872/1311669378 sappnd,arch,schg,uappnd,opaque
for .irssi? y
rm: .irssi: Operation not permitted

 rm .mc
override ---rwx--x  root/wheel schg,uappnd,nodump for .mc? y
rm: .mc: Operation not permitted


Without success!




 I fscked the disc (note that this is an active disc with many users) and
the report is located at the end of this email. Because 
 the disc is read-write active, changes are not written on the disc.


 My questions:

 1) Have you got any clue how a healthy IDE disc can cause and corrupt
files on the file system?

 2) How can I fix the problem WITHOUT rebooting or without UNMOUNTING
the discs? If I fsck and
 instruct to actually fix the errors, will they be fixed, or it
might crash corrupt the whole file system?

 3) How serious is this problem? Should I start worrying, even though
nothing else strange exists?





Thanks in advance,

BB








ATTACHED FSCK output:


UNKNOWN FILE TYPE I=87227
UNEXPECTED SOFT UPDATE INCONSISTENCY
UNKNOWN FILE TYPE I=87231
UNEXPECTED SOFT UPDATE INCONSISTENCY
DUP/BAD FILE=/home/fallen/.mc

UNEXPECTED SOFT UPDATE INCONSISTENCY
BAD TYPE VALUE FILE=/home/fallen/.mc

UNEXPECTED SOFT UPDATE INCONSISTENCY
DUP/BAD FILE=/home/fallen/.irssi

UNEXPECTED SOFT UPDATE INCONSISTENCY
BAD TYPE VALUE FILE=/home/fallen/.irssi

UNEXPECTED SOFT UPDATE INCONSISTENCY
UNREF FILE UNREF FILE UNREF FILE UNREF FILE UNREF FILE UNREF FILE UNREF
FILE UNREF FILE UNREF FILE U
NREF FILE UNREF FILE LINK COUNT DIRLINK COUNT DIRUNREF FILE UNREF FILE
UNREF FILE UNREF FILE UNREF F
ILE UNREF FILE UNREF FILE UNREF FILE UNREF FILE UNREF FILE UNREF FILE
UNREF FILE UNREF FILE UNREF FI
LE UNREF FILE UNREF FILE UNREF FILE UNREF FILE UNREF FILE UNREF FILE
UNREF FILE UNREF FILE UNREF FIL
E UNREF FILE LINK COUNT FILEUNREF FILE UNREF FILE UNREF FILE LINK COUNT
FILELINK COUNT DIRFREE BLK C
OUNT(S) WRONG IN SUPERBLKSUMMARY INFORMATION BADBLK(S) MISSING IN BIT
MAPS8852 files, 295095 used, 2
20964 free ** /dev/ad0s1h (NO WRITE)
** Last Mounted on /diskless
** Phase 1 - Check Blocks and Sizes

CLEAR? no


CLEAR? no

** Phase 2 - Check Pathnames
 I=87227  OWNER=root MODE=60071
SIZE=0 MTIME=Jan  1 02:00 1970

REMOVE? no

 I=87227  OWNER=root MODE=60071
SIZE=0 MTIME=Jan  1 02:00 1970

FIX? No

 I=87231  OWNER=1062905872 MODE=102313
SIZE=1061708166 MTIME=Jan  1 02:00 1970

REMOVE? no

 I=87231  OWNER=1062905872 MODE=102313
SIZE=1061708166 MTIME=Jan  1 02:00 1970

FIX? no

 I=87202  OWNER=root MODE=0
SIZE=0 MTIME=Oct 18 23:29 2003

REMOVE? no

** Phase 3 - Check Connectivity
** Phase 4 - Check Reference Counts
 I=21963  OWNER=bigbrother MODE=100644
SIZE=0 MTIME=Jun 10 17:16 2004
RECONNECT? no


CLEAR? no

 I=21965  OWNER=bigbrother MODE=100644
SIZE=5376392 MTIME=Jun  9 01:33 2004
RECONNECT? no


CLEAR? no

 I=21973  OWNER=bigbrother MODE=100644
SIZE=4016799 MTIME=Jun  9 01:37 2004
RECONNECT? no


CLEAR? no

 I=21974  OWNER=bigbrother MODE=100644
SIZE=7213486 MTIME=Jun  9 01:38 2004
RECONNECT? No



(snip.this list continues for 2-3 pages)






---
Give a man fire, and he'll be warm for a day; set a man on fire, and
he'll be warm for the rest of his life 



Diskcheckd Port and Freebsd 4.7

2003-04-03 Thread Bigbrother

Dear,

I have Freebsd 4.7-Release-p7 and I tried to install the port
Sysutils/diskcheckd (ports are daily cvsuped)

The message that I received is:

** 'sysutils/diskcheckd' is marked as IGNORE:
Not tested on anything less than 5.0, use at discretion



But the fact is that in an old machine [freebsd 4.4] I had successfully
compiled, installed and executed the diskcheckd there 1 year ago. So I
copied the executable from the 4.4 to 4.7 and it ran smoothly.

My question is why it says that it isn't tested on anything less than
5.0, even though I had compiled and used it on 4.X fbsds in the past?
And how can I find a similar tool for 4.X branch?

Thanx very much in advance!


P.s. I tried to fiddle with the makefile removing the IGNORE line but
the compilation failed in a lot of places...




CRON and error message 'EOF in backquote substitution'

2003-03-10 Thread Bigbrother

Hi friends,

Recently I put into my crontab the following line

4 0 */10 * * /usr/bin/tar -cyf /backup/lab.`date +%d%m%Y`.tar.bz /lab

But although I can execute the command in my shell, crond refuses to
execute it and sends me an email saying:

Syntax error: EOF in backquote substitution


What am I doing wrong? I suspect that my problem lies in having tcsh
as my default shell, but crontab perhaps is running a different shell.

Thanks in advance!



To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message


Re: SAMBA performance and FreeBSD

2003-03-05 Thread Bigbrother

I forgot to say:

uname -a
FreeBSD matrix.vlsi.gr 4.7-RELEASE-p7 FreeBSD 4.7-RELEASE-p7 #1: Tue Mar
4 12:09:06 EET 2003
[EMAIL PROTECTED]:/usr/obj/usr/src/sys/matrix  i386
-
 ifconfig
wb0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500
inet 192.168.3.200 netmask 0xff00 broadcast 192.168.3.255
ether 00:80:48:b5:b9:6d
media: Ethernet autoselect (100baseTX full-duplex)
status: active
wb1: flags=8802BROADCAST,SIMPLEX,MULTICAST mtu 1500
ether 00:80:48:b5:92:2f
media: Ethernet autoselect (100baseTX full-duplex)
status: active
---
dmesg
CPU: Pentium 4 (2394.02-MHz 686-class CPU)
  Origin = GenuineIntel  Id = 0xf27  Stepping = 7
 
Features=0xbfebfbffFPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE
,MCA,C
MOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,b28,ACC,b31
real memory  = 536854528 (524272K bytes)
atapci0: SiS 5591 ATA33 controller port
0xb400-0xb40f,0xb800-0xb803,0xd000-0xd
007,0xd400-0xd403,0xd800-0xd807 irq 11 at device 2.5 on pci0
ad0: 78167MB Maxtor 6Y080L0 [158816/16/63] at ata0-master PIO4
ad1: 78167MB Maxtor 6Y080L0 [158816/16/63] at ata0-slave PIO4
ad2: 78167MB Maxtor 6Y080L0 [158816/16/63] at ata1-master PIO4
---
 more /boot/loader.conf
hw.ata.ata_dma=0
hw.ata.atapi_dma=0

[* I have disabled the DMA, because otherwise the boot process is halted
and trying to reset the hard disc, because of a strange timeout]
--


I used to experiment with two network cards simultaneously connected to
the same switch and using netgraph, but when I was using the local
100Mbits net, the load of the server went  6 [because in netgraph, one
card is working on promiscuous mode...]. So I am using only wb0, with an
average load of the machine of 0.12

Finally if I put the value 
net.inet.tcp.delayed_ack=0
Then comparing with the previous situation the speed is much worse. That
is
the value net.inet.tcp.delayed_ack=1 is much better (on my local
100Mbits net). This was measured for both small and large files (7MB,
and 700MB). All the tests are done using Windows XP. On my smb.conf I
only have TCP_NODELAY in socket options. 


P.s. I disabled the NFS server [because this is an nfs server as well
for other machines] and the samba read/write speed on my 100Mbits
network has increased to 3 Mbytes/sec (no load on the machine). This is
still lower than the 7Mbytes/sec on the local 100Mbits network that I
have using FTP.





SAMBA performance and FreeBSD

2003-03-04 Thread Bigbrother

I started to use samba with freebsd and I can't say that I am
satisfied with the performance of it. Specifically on my local 100Mbits
network the samba read speed on the server (athlon 1700) is  1Mbit/sec,
while the write speed is much much worse.

If I ftp to that machine I have read speed of minimum 7Mbits/sec.

I am puzzled why the samba has so much worse performance.

Is anyone using samba on his freebsd machine without any
performance loss? 

Or what typical read/write speeds do you usually achieve on your samba
+freebsd machine?

Also if you have extra tips and tricks about samba and freebsd that can
boost the performance, they would be much appreciated. About tuning
parameters and so on... This machine will be the main server of a
laboratory of the university, and it's not acceptable to have a low
speed.


Thanks very much in advance!!



P.s. I searched the net and I saw that people suggested changing the
net.inet.tcp.delayed_ack value, or measuring with tcpdump the MSS window
size and trying to put a formula on it to calculate the parameter
SO_RCVBUF
of the samba and various other tricks... Do they have a point?

P.s.2 I am also mounting with SUIDDIR the filesystems. Does this make a
performance loss?






Re: Renaming files with spaces in the name to files without spaces..

2003-01-09 Thread BigBrother (BigB3)



On Fri, 10 Jan 2003, Rob wrote:

>>> Sorry for this OT but I am trying for some hours to achieve a massive
>>> rename of files using a simple script and I have not success yet. I want
>>> to rename files like
>>>
>>> RESULTS OF JAN 01 2002.txt 
>>>
>>> to
>>>
>>> RESULTS_OF_JAN_01_2002.txt
>>>
>>> i.e. all the spaces, being substituted by '_', and the last space being
>>> completely removed [yes it has a space after the suffix]
>>> I tried to experiment with sed/awk and creating a sample sh script with
>>> for i in 'ls' 
>>>
>>> but the i takes values of 'RESULTS' 'OF' 'JAN'. This means that it doesn't
>>> take the full filename as value, but parts of the filenames.
>>>
>>> Can u please suggest an easy way to implement the massive rename?
>>
>> If you want to do it for all files in a directory:
>>
>> # for file in *; do mv $file `echo $file | sed -e 's/ /_/g'`; done
>>
>> should do the trick. I think Perl is overkill for something this simple.
>> Someone else suggested tr, which probably works, but I've had more
>> success with sed.
>
> But if you do this, won't the spaces be mistaken for filename separators?
>
> Try this instead - make sure you're using sh, not csh:
>
>   ls *\ * | while read OLD ; do
>       NEW=`echo $OLD | tr ' ' _`
>       echo mv -i $OLD $NEW
>   done
>
> This works because ls prints them on separate lines. Once you're sure that it
> will do the right thing, take out the echo and run it for real.
>
> If the files are all over the place, you can use find the same way:
>
>   find * -name '* *' -type f | while read OLD ; do
>       NEW=`echo $OLD | tr ' ' _`
>       echo mv -i $OLD $NEW
>   done
>
> You'll have to fix the directories separately (otherwise find gets lost).





Thank you all for your quick reply.
I followed Rob's way and it was fairly easy to do. I had to change a bit
something but it worked.

The rename script that I used is:

--cut here--
#!/bin/sh
# Rename every file in the current directory whose name contains a space
ls *\ * | while read OLD ; do
NEW=`echo $OLD | tr ' ' _`
# Quotes around $OLD keep the old name, spaces included, as one argument
mv -i "$OLD" $NEW
done
--cut here--

As u notice I had to add the semicolon " in the $OLD variable because
otherwise the mv was complaining. So this was a nice and fast way to do
it. Thank you all people for your quick reply!!


BigBrother


---
We are being monitored..but there is a solution...
Use PGP for signing and encrypting emails
Download my public key at http://www.us.pgp.net
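
A variant of the rename loop that uses a shell glob instead of parsing ls output, as an added example (not code from the thread): it keeps a trailing space in the old name intact (plain `read` trims it), drops it in the new name as the original question asked, and refuses to overwrite an existing target. The function names and the dry-run default are assumptions of this example.

```shell
#!/bin/sh
# Added example: rename files whose names contain spaces without parsing ls.

# Print the space-free form of one file name: trailing spaces are dropped,
# every remaining space becomes '_'.
sanitize_name() {
    name=$1
    while [ "${name% }" != "$name" ]; do
        name=${name% }
    done
    printf '%s' "$name" | tr ' ' '_'
}

# rename_spaces DIR [yes|no]
# Second argument "yes" (the default) only prints what would be done.
# The count of completed renames is left in $renamed.
rename_spaces() {
    dir=${1:-.}
    dry_run=${2:-yes}
    renamed=0
    # The glob hands each name over as one word, spaces included.
    for old in "$dir"/*\ *; do
        [ -e "$old" ] || continue          # pattern matched nothing
        new=$dir/$(sanitize_name "${old##*/}")
        if [ -e "$new" ]; then
            # Never overwrite: e.g. "a b" when "a_b" already exists.
            echo "skipped, target exists: $old" >&2
            continue
        fi
        if [ "$dry_run" = yes ]; then
            echo "would rename '$old' -> '$new'"
        else
            mv -- "$old" "$new" && renamed=$((renamed + 1))
        fi
    done
}

# Dry run over the directory given on the command line (default: current).
rename_spaces "${1:-.}" yes
```

Names that start with a dot are not matched by the glob and need a second pass with the pattern `.*\ *`.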



NFS client hang after umount -f

2003-01-03 Thread BigBrother (BigB3)


I was transferring a huge file (700 MB) to an nfs mounted disc and I
umount -f the nfs mounted directory. After this I lost control of that pc
(I was remotely administering it). The machine responds to pings and
forwards packets as well, but if I try to telnet or ssh to it, I connect
to that box but no login prompt appears.

I don't have physical access to that box and so I wait for 1 week for
someone to go there and reboot it, but I am very curious why this
situation happened. Is it normal to happen when u use umount -f on nfs
mounted drives???

I am running 4.7-p2 and I don't have any noticeable problems. The gateway
machine is a diskless machine with local mounted discs for storing files
only.


Thanks in advance!!!





Re: Slow network - ed driver, Realtek 8029

2002-12-19 Thread BigBrother (BigB3)



I'm having a problem with slow transfers to my FreeBSD 4.7-RELEASE box
using a D-Link 528CT (Realtek 8029 chipset). When I try to upload files to
this machine from a windowsXP box, I only get about 30KB/s on the 10BaseT
cat 5 network. This identical machine previously was able to receive
transfers of 1000KB/s when it was running under windows 98. I'm only getting
3% of the windows receive performance.

My best guess is that this is a driver issue. I had possibly similar problem
with the same card under win98. The issue was if you set the driver to full
duplex when the card hardware was not setup for full duplex (it is capable of
full duplex, but you need to tell the hardware in some way), the transfer
rate would be ridiculously slow. I'm guessing this is a similar problem,
however, ifconfig shows:


I also have the same problem with this network card. For some strange
reason when something is uploaded to the freebsd machine, the speed is
very ridiculous [4~5 KBytes/sec] but when I download from it I have
500KBytes/sec

How can somebody change the SIMPLEX on the ifconfig? If I change to half
duplex the speed, will it be better for uploads to the box?

And by the way I think SIMPLEX is another word for UNICAST

I am planning to buy another network card to achieve better performance...

Regards,

BigB





Re: ipfw firewall help

2002-12-06 Thread BigBrother (BigB3)


ipfw add 108 allow tcp from any to xx.250.227.0/22 20,21,25,80,110 via bge0
snip

#Outbound from inside
ipfw add 109 check-state
ipfw add 110 allow tcp from xx.250.224.0/22 via bge0 keep-state
ipfw add 111 allow udp from xx.250.224.0/22 via bge0 keep-state
ipfw add 112 allow tcp from any to any established setup
#Machine specific ports
#Server NEWS 1
ipfw add 120 allow tcp from any to xx.250.227.2 53 via bge0
ipfw add 121 allow tcp from any to xx.250.227.3 53 via bge0
ipfw add 122 allow tcp from any to xx.250.227.4 53 via bge0
ipfw add 123 allow udp from any to xx.250.227.2 via bge0
ipfw add 124 allow udp from any to xx.250.227.3 via bge0
ipfw add 125 allow udp from any to xx.240.227.4 via bge0

snip

#Deny all after above allows - here we go
ipfw add 400 deny tcp from any to xx.250.227.0/22 via bge0
ipfw add 410 deny udp from any to xx.250.227.0/22 via bge0


Goal is if we're on any of the 227 subnetted machines and wish to do
anything on the internet that we be allowed to do so, such as ftp, telnet,
browse the web, etc.


1) General tip when using firewalls, especially if you are having
problems..
ALWAYS log the denied packets... so in ruleset 400 you should put a log
statement.

2) When using firewall always remember that packets are usually two way
packets.. which means somebody connects to your port and your port sends a
reply.  So rule 108 should also include a 'keep state' option or it should
be immediately followed by a

ipfw add 108 allow tcp from xx.250.227.0/22 20,21,25,80,110 to any via bge0

3) Your problem is located on a missing rule. You have rules for the 224
subnet but not for the 227 for outgoing... So you should also include a
line

ipfw add 113 allow all from xx.250.227.0/22 to any via bge0 keep-state

4) Also whatever is not specifically written with 2 rules (one incoming and
other outgoing) it should have a keep-state option. For example rule 120
it has only the incoming connection to 53. You don't allow the outgoing. So
preferably you should
i) make two rules for it
ii) use a keep-state directive




Regards,


BigB
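
Tips 1 and 4 in the reply above can be checked mechanically before a ruleset is loaded. The following shell function is an added example, not part of the original thread: a heuristic that flags deny rules without the log keyword and tcp/udp allow rules that carry neither keep-state nor established. The function names, the output tags and the two contrast rules (121 and 410) are assumptions of this sketch; the other sample rules are taken from the ruleset quoted in the thread.

```shell
#!/bin/sh
# Constructed sample: rules modelled on the ones quoted in the thread
# (xx.* placeholders kept); 121 and 410 are variants added for contrast.
sample_rules() {
    cat <<'EOF'
ipfw add 108 allow tcp from any to xx.250.227.0/22 20,21,25,80,110 via bge0
ipfw add 109 check-state
ipfw add 112 allow tcp from any to any established setup
ipfw add 120 allow tcp from any to xx.250.227.2 53 via bge0
ipfw add 121 allow tcp from any to xx.250.227.3 53 via bge0 keep-state
ipfw add 123 allow udp from any to xx.250.227.2 via bge0
ipfw add 400 deny tcp from any to xx.250.227.0/22 via bge0
ipfw add 410 deny log udp from any to xx.250.227.0/22 via bge0
EOF
}

# audit_ipfw_rules: read "ipfw add ..." or "$fwcmd add ..." lines on stdin
# and print one finding per line as "<rule> <tag> <hint>".
#   no-log    deny rule without the log keyword (tip 1)
#   no-state  tcp/udp allow rule with neither keep-state nor established,
#             so the replies need a rule of their own (tips 2 and 4)
audit_ipfw_rules() {
    awk '
    {
        sub(/#.*/, "")                      # strip comments
        start = 0
        for (i = 1; i <= NF; i++) if ($i == "add") { start = i; break }
        if (start == 0 || NF < start + 1) next

        num = $(start + 1); first = start + 2
        if (num !~ /^[0-9]+$/) { num = "?"; first = start + 1 }  # unnumbered rule
        action = $first

        has_log = 0; has_state = 0; proto = ""
        for (i = first + 1; i <= NF; i++) {
            if ($i == "log") { has_log = 1; continue }
            if ($i == "keep-state" || $i == "established") has_state = 1
            if (proto == "") proto = $i     # first word after action/log
        }

        if (action ~ /^(deny|drop|reject)$/ && !has_log)
            print num, "no-log", "denied packets are dropped silently"
        if (action ~ /^(allow|accept|pass|permit)$/ && proto ~ /^(tcp|udp)$/ && !has_state)
            print num, "no-state", "add keep-state or a matching reverse rule"
    }'
}
```

Feed it the rule file with `audit_ipfw_rules < rules.sh`; a no-state finding is a prompt to review the rule, since a separate reverse rule elsewhere in the set also satisfies tip 4.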







Administering a large number of freebsd machines

2002-12-06 Thread BigBrother (BigB3)




(I sent this email to freebsd-security but it never appeared on the
list, nor did it return back - very strange for freebsd-security; does
freebsd-security have any problem?)

I have a small question. When I was administering one freebsd box
things were quite easy. I could easily read the emails that were sent to
root, the logcheck reports and the tripwire reports.

After administering one box, I was made responsible for other freebsd
boxes... The fact is that now the email reports have been
multiplied. Also making all the necessary upgrades, monitoring and other
everyday things has become very time consuming.

My question is... Is there any useful guide or book on how you can
efficiently administer a large number of freebsd boxes in terms of security,
upgrades and software deployment? My job is not being a full day system
administrator and thus I have to be involved as little time in administering
the boxes as possible.

Thank you very much in advance for any useful tip!





STATEFULL IPFW AND NATD (Was: NAT IPFW)

2002-12-02 Thread BigBrother (BigB3)


Nelis wrote

...
inside machines cannot telnet...

#allow all outbound and only inbound TCP connections I've created
add 0301 divert natd all from any to any via rl0
add 00302 check-state
add 00303 allow tcp from any to any established
add 00304 allow tcp from any to any out setup keep-state
add 00305 allow tcp from any to 192.x.x.0/24 22,25,53,80,443 setup
add 00306 allow tcp from 192.x.x.125 to 192.x.x.0/24 161,162 setup
add 00307 allow tcp from any to 192.168.x.0/27 in recv rl1
#allow all outbound and only inbound UDP connections I've created
add 00400 allow udp from 192.x.x.0/24 to any 53,123 keep-state out via rl0
add 00401 allow udp from any to 192.x.x.0/24 53,123 keep-state in via rl0
add 00402 allow udp from 192.x.x.0/24 to 192.x.x.125 161,162 keep-state out via rl0
add 00403 allow udp from 192.x.x.125 to 192.x.x.0/24 161,162 keep-state in via rl0
add 00404 allow udp from any to 192.168.x.0/27 in recv rl1
add 00405 allow udp from any to any out
#allow some icmp types (codes not supported)
##allow path-mtu in both directions
add 00600 allow icmp from any to any icmptypes 3
##allow source quench in and out
add 00601 allow icmp from any to any icmptypes 4
##allow me to ping out and receive response back
add 00602 allow icmp from any to any icmptypes 8 out
add 00603 allow icmp from any to any icmptypes 0 in
##allow people to ping me
add 00604 allow icmp from any to any icmptypes 8 in
add 00605 allow icmp from any to any icmptypes 0 out
##allow me to run traceroute
add 00606 allow icmp from any to any icmptypes 11 in
#allow ident requests
add 00700 allow tcp from any to any 113 keep-state setup
#deny syn and fin bits used for OS finger printing using nmap
add 00701 deny log tcp from any to any in tcpflags syn,fin
#log anything that falls through
add 09000 deny log ip from any to any


Using stateful IPFW and NATD is a very very tricky thing. I have invested
a lot of effort to try to create a ruleset that combines all these, so
perhaps u could use this advice...

In order to use stateful and NATD you should learn what NAT does.

Let's say u have an internal net of 192.168.3.1/24 and an external IP of
300.400.500.345 (hypothetically). When an internal machine of 192.168.3.10
tries to establish a telnet connection with outside, this is what happens
when the packet reaches the gw

1) 192.168.3.10 request to connect to 216.136.204.117 port 23
Rule 301 makes the request
300.400.500.345 request to connect to 216.136.204.117 port 23

2) Packet reinjected to firewall rule with changed SRC field

3) Rule 304 will allow it so the SYN packet will leave...

4) what about the ACK packet?

An ACK is sent back so now a packet has to be checked

216.136.204.117 port 23 ACK to 300.400.500.345


5) 301 rule matches... it is the ACK to our internal telnet request... so
it's translated to

216.136.204.117 23 ACK destination to 192.168.3.10

6) NO rule allows this... oops, ACK lost and every response too.



In order to compensate for this... I give u a part of my own firewall
any comments welcome...

You have to put a lot of extra things in ur ruleset... take an example of
this

#!/bin/sh
oip=X #external ip of gateway
oif=XXX   #external if
iif=YYY   #internal if
iip=ZZZ   #internal ip of gateway

# ...snip... other local variables

############################################################
# F I R E W A L L   R U L E S   S T A R T   H E R E
############################################################

# Force a flush of the current firewall rules before we reload
$fwcmd -f flush

# Allow the loopback to work
$fwcmd add 100 allow all from any to any via lo0

# Prevent spoofing of your loopback
$fwcmd add 200 deny log all from any to 127.0.0.0/8

# Deny suspicious packets
$fwcmd add 300 deny log tcp from any to any in tcpflags syn,fin

# Deny fragmented packets... they may cause our server to crash
# (network buffers exhaustion)
$fwcmd add 301 deny all from any to any frag

############################################################
# Stop private networks (RFC1918) from entering the outside interface.
############################################################

$fwcmd add 351 deny log ip from 192.168.0.0/16 to any in via $oif
$fwcmd add 352 deny log ip from 172.16.0.0/12 to any in via $oif
$fwcmd add 353 deny log ip from 10.0.0.0/8 to any in via $oif
$fwcmd add 354 deny log ip from any to 192.168.0.0/16 in via $oif
$fwcmd add 355 deny log ip from any to 172.16.0.0/12 in via $oif
$fwcmd add 356 deny log ip from any to 10.0.0.0/8 in via $oif

############################################################
# Stop draft-manning-dsua-01.txt nets on the outside interface
############################################################

# The following line stops all broadcasts also
#$fwcmd add 350 deny all from 0.0.0.0/8 to any in via $oif

$fwcmd add 357 deny log 

Statefull IPFW + YP/NIS = Server hang.

2002-11-27 Thread BigBrother (BigB3)




SHORT:  Stateful IPFW rules combined in a router that is
a ypclient may make the box lose connectivity and an
irrelevant error too many dynamic rules appears in the log
even though only 20 dynamic rules may exist.



LONG:

I am reporting a strange observation that happened on my network.

My P166 router/firewall box runs 4.7 -p2

For many years this box was running a STATELESS ipfw firewall and
was using another NIS server to have account information (shared
passwd file).

Some days ago I changed the STATELESS ipfw firewall to stateful IPFW
with NATD support also. For the first couple of hours all things
were normal. After some time (t2h) my logs started flooding with
messages NIS SERVER [XXX] for domain  not responding...
and after this a message /kernel: Too many dynamic rules, sorry


The box at the first occurrence of this message lost all connectivity with
the net (internal+external), although INTERNAL rules were stateless rules
(e.g. they have no KEEP-STATE). I was barely able to login to the box from
console and when I did ipfw -d show, only 10 dynamic rules existed...
but the messages kept complaining 'too many dynamic rules'. My sysctl
variable that defines the #dynamic rules was not changed and it was
1000.

ipfw -f flush had no effect on the system. I was forced to reboot the
machine as the only solution. This was repeated many times. Finally
I removed the ypbind (yp client) from my freebsd box thus only root could
login (why normal users to login to the firewall after all).

After this all the things were normal again. And my measuring the number
of dynamic rules for different times is  20. So my network is not
overloaded.

Conclusion:
For some reason when dynamic rules are used the firewall box
queries the yp server for information, but with a very big rate. My NIS
server is a slackware linux 166 box running 2.2 series kernel for 2 years
and nobody is touching it, because all things work there nicely. Although
this box can handle queries with a small rate, when it is overwhelmed by
queries it may delay to answer them.


Solution:
Don't run a STATEFUL IPFW firewall on a box that acts as a client to a
NIS/YP network (especially if the NIS server cannot keep up with
too many queries simultaneously).





p.s. And for people that will ask. I still run linux on that box behind
firewall because it has a lot of ext2fs hard discs (180GB) with a lot of
data and I cannot convert them to FFS to change the OS to linux.





Performance degration of moving FFS hdd from a slow to a fast pc.

2002-11-21 Thread BigBrother (BigB3)



I have a question about FFS filesystem.

According to a paper about the design of UFS filesystem[1], if you create
the FFS filesystem on a slow cpu and then move it to a fast cpu with a
fast controller, then the FFS won't perform efficiently.

This is justified because the UFS is created having in mind the
speed of the system, in order to create the cylinder group summary
information with rotationally optimal blocks [see page 7 of the paper].
If somebody takes the hdd of the slow pc and puts it on a much faster pc,
then it is reported that the throughput will drop significantly because of
lost disk revolutions.

I would like to know if this is true. Can I move my hdd of my old slow pc
[intel 486] to a pentium III 600Mhz machine without performance
penalty, or is it better to re-create the filesystem?

Thank you very much...





References:

 [1] http://citeseer.nj.nec.com/mckusick84fast.html







Re: UDMA ICRC error's

2002-11-12 Thread BigBrother (BigB3)



What is the best way to resolve these?

 ad0s1e: UDMA ICRC error reading fsbn 897759 of 144-159 (ad0s1 bn 897759; cn 55 tn 225 sn 9) retrying
 ad0s1a: UDMA ICRC error reading fsbn 45439 of 22688-22719 (ad0s1 bn 45439; cn 2 tn 211 sn 16) retrying
 ad0s1a: UDMA ICRC error reading fsbn 39391 of 19664-19695 (ad0s1 bn 39391; cn 2 tn 115 sn 16) retrying
 ad0s1a: UDMA ICRC error reading fsbn 39391 of 19664-19695 (ad0s1 bn 39391; cn 2 tn 115 sn 16) retrying

I've tried bringing the system down to single user mode, umounting the
filesystems and running fsck but it never finds anything wrong.  Next I'm
going to switch out the ide cable, and i'm hoping that is the problem as
I'd prefer not to have my drive go out.

What else can I do besides running fsck?  Are there any other utilites to
check the disk, maybe something from the ports tree?



I would suggest to run badsect (8) so u can mark the sector as bad,
unreadable and thus u can continue accessing ur drive.


Of course in the badsect you have to put sectors and not fsbn, and I don't
know in your error message how u can find the sector number...(anyone can
help on this?)

perhaps the sectors for example are 144-159 ? But I don't know...

Perhaps u should try to find out the 'fsdb' tool...but it will be a
tricky thing..


Any help is appreciated...





Re: NFS Performance woes

2002-11-05 Thread BigBrother


I recently did some research into NFS performance tuning and came across
the suggestion in an article on onlamp.com by Michael Lucas, that 32768
is a good value for the read and write buffers. His suggestion is these
flags:

tcp,intr,nfsv3,-r=32768,-w=32768

I used these options (I found tcp was mandatory, as we have multiple IPs
and UDP was refusing to play nice), also adding dumbtimer to avoid the
log messages about server not responding.





According to my experience UDP is much preferred for NFS transport
protocols. Also try to have the NFSIOD daemon being executed on every
machine by putting in the /etc/rc.conf

nfs_client_enable="YES"
nfs_client_flags="-n 10"


[u may put more than 10 instances if u suspect that more than 10
simultaneous transactions will happen]


Also use the -w=32768,-r=32768   switch only on the machines that have a
fast cpu and a good network card [e.g. netstat -w 1, doesn't show errors
under heavy load]

On all the other machines don't put any w,r values [which will default to
8k blocks]

In some machines of mine I have even used blocks of -r=4096,-w=4096
because they were old machines that could not keep up with the traffic and
they were complaining about mbufs [they ran out of mbufs and after some
time they crashed]..(and because the machines were diskless it was not
possible to change the value of mbufs; after the kernel loads the value is
readonly and cannot be changed).


Use good networking hardware...scrappy hardware will certainly put you
into great trouble.

If you use TCP for NFS on a 1GB network you will surely have problems on
your machines and they will not be able to keep up. TCP causes a great
overhead. UDP doesn't.

So bottom line: a) Use UDP
b) Run a lot of NFSIOD - the more the better
c) Examine what is the best block size for every host
   individually! (don't assume that 32k block is good
   for every host)


Hope it does your job.. I was searching for over 3 months when I once
dealt with this... Read also from the 'Sun' site the 'Optimizing and
Tunning NFS' guide which is a nice PDF document that you can download for
free, and has a lot of interesting things similar with FreeBSD!








Re: NFS Performance woes

2002-11-05 Thread BigBrother


 According to my experience UDP is much preferred for NFS transport
 protocols. Also try to have the NFSIOD daemon being executed on every
 machine by putting in the /etc/rc.conf

 nfs_client_enable="YES"
 nfs_client_flags="-n 10"


 [u may put more than 10 instances if u suspect that more than 10
 simultaneous transactions will happen]

How is the optimum number of nfsd processes determined on the server? On
our current setup we have 4 nfs daemons running serving 3 clients
(webservers)

Is the number of daemons to start determined by the number of clients or
the number of files that has to be transferred simultaneously?

Same question goes for the number of nfsiod processes...



Well the only rule for selecting the number of nfsiods and nfsd is the
maximum number of threads that are going to request an NFS operation on
the server. For example assume that your web server has a typical number
of httpd daemons of 50, that means that every httpd can access files on
the server, and in the worst case all 50 httpd will request
simultaneously different NFS operations. This means that you should have
at least 50 NFSIOD (on the client+server) and 50 NFSD running (on the
server).

Remember that NFSIOD must run both on CLIENT and SERVER.

So you determine what is the maximum number of NFS operations...for
example in your client you don't have only 50 httpd running, but you make
from time to time compile with the -j 4 (4 parallel compilation jobs),
this means that you should increase the number of 50 by +4...

also in your client you usually have some users that login and their home
directories are on NFS mounted media...usually 10 people are using NFS
mounted home, which means that in the worst case 10 people may request
something from their home so you have to increase the number of 54 by 10
more

I know the handbook says that 8 nfsiod/nfsd is a nice number but I think
that is not correct. I have an ftp server that uses NFS mounted
directories, and usually 15 people are connected...so I have put a 20 NFS
processes running...

Having too many NFSIOD is not bad...every NFSIOD eats just 220KB of memory
(which means that you should also consider your memory-if you can afford
to run a lot of nfsiod)

Having too many NFSD also is not bad...every NFS eats just 356Kbyte of
memory, which again you have to note it.



So with simple words, just add all the things that you can imagine that
can happen simultaneously on all the  NFS mounted dirs and put that
number...let it run for one week and note down how many NFSIOD are idle or
NFSD. If you have put 100 NFSIOD and you see that usually there are
more than 50 NFSIOD idle (doing nothing) [on your ps axwu or TOP output]
then it's a safe bet to reduce the number...

Of course you cannot optimize the NFS system in one day...it needs a lot
of time to take measurements and check from time to time if you have
enough NFSIOD or NFSD, because system load distribution may change
and you may see that more or fewer NFS processes have to exist..


I hope I make it clear for you!!





Re: divxplayer

2002-10-29 Thread BigBrother




 ELF binary type 3 not known.
 Abort trap.

 I've tried running netscape communicator as well with the same msg.

 so it's definitely linux ports.. and i have linux-base-7.1.1 installed.


 If the output of kldstat shows that 'linux.ko' is loaded and
you still have this problem then try to use the brandelf to
tag the file that is a linux file. U can do this by

brandelf -t Linux your_application

where your application is the name of the application that you are
trying to execute...


if the kldstat doesnt show the 'linux.ko' module loaded then
write 'linux' and the module will be loaded automatically!








What do you do about your FFS fragmention?

2002-10-22 Thread BigBrother


I know how the FFS (filesystem) works, and that it really does an excellent
job in allocating clusters as local as possible. But it is also true that after
some period of extensive use of it, the filesystem gets fragmented, and
results in severe degradation of speed.

One way is to dump/restore everything which is a very painful thing.

---
So, what do you do [except dump/restore] to defrag the FFS after some time
of extensive use? Or you don't care for the degradation in speed?





IPNAT/NATD issues-questions..

2002-10-19 Thread BigBrother



Dear,

I have a couple of issues regarding the IPNAT or NATD of freebsd. In case
that you dont have enough time, skip the next paragraph [description] and
go to questions section.




-=Description of problem=-
I was using NATD for more than 3 years with no problem. By debugging
a problem in my IRC Fserve I noticed that connections originating from
my router [that run NATD] were using very high port ranges, even though I
had specifically configured the IRC fserve to be in a different
lower range.

When I stopped using NATD and changed to IPNAT the problem disappeared and
every client on my router allocated a port in its specified range.

This also solved my problem with DCC+RESUME. Because the NATD was
changing the originating ports, the dcc transfer resume was not
able to happen. With IPNAT the resume of DCC transfers had no problems,
because the client was using what port he had requested.

I am using stateful IPFW and for this reason, I wanted an
exact port range.

natd config file has only the use_same_ports and use sockets options.

In IPFW rules I had the first line

50 divert natd all from any to any via ed0
-=END OF DESCRIPTION of problem=-





Questions
-

a) Why did NATD change my originating ports on my router? IPNAT didn't
do anything like this, and the functionality is the same [my lan can
connect with no problems to net]

b) when NATD was used, I could see that the process of NATD consumed a
high cpu time [almost 10-20% on a P166]. Where is the cpu time of the
IPNAT?

c) I believe that IPNAT doesn't have the overhead of NATD. So is IPNAT
suggested for slower cpu machines (??). Am I wrong in this assumption?

d) In my IPFW there was the rule '50 divert natd all from any to any'.
Is  this correct? I mean with this rule ALL packets were forced to pass
through this and then re-injected to the chain. I tried to put it after some
rules of the firewall but the NATD didn't work [I tried many places...]

e) Is IPFW + IPNAT a good combination? I know that the pairs are
(IPFW + NATD) and (IPF + IPNAT). Is what I am doing good or not
suggested [and why?]

f) I have understood that the 'official' firewall for freebsd is IPFW, and
ipf is just a 'contributed' software. But a lot of people suggest the use
of IPF and name it as superior firewall. Is there a comparison page/site
that states the overhead of these two firewalls, or pros/cons of them?

g) Why do some people say that IPFW is a 'userland' application even though
it has no process visible running?


Thank you very much in advance, and I really hope that my questions will
be answered








Re: 'screen' causing 100% cpu utilization on 4.6.2-Release-p2

2002-10-17 Thread BigBrother



I had noticed this problem a long time ago. Screen was consuming too much
cpu power. In fact every 'screen' that I opened put my load +1.0 so
with 3 screens I had a 3.0 constant load...

the problem was solved after CVSUP the latest port collection and make
a 'portinstall screen' . This will fix the problem. DONT try the binary
package because I've heard that has similar problems.

Try to compile on your system the screen port!





CVSUP update from 4.6 - 4.7

2002-10-16 Thread BigBrother



I have freebsd 4.6 release and I am interested in
updating it to 4.7 via CVSUP

The box is located 3000 Kms away and I can only connect
via ssh.

a) How much space is required in order to make a buildworld
(downloading CVSUP, compiling, installing)

b) What is the best failsafe method, so in case I do this and
happen to have an error, my system will continue to operate
on the 4.6? As I said I am too far away to go to fix it there...

c) Can somebody point me or give me a sample CVSUP configuration
for updating to the 4.7 release?


d) Are there any tips for remote updates/buildworld? I know that is not
suggested but I find too difficult to live with all the critical bugs
that 4.6 has and I would like to get rid of them.

e) Do I have to compile only a kernel on 4.7 or to make a buildworld too
for the new binaries to be replaced? If I compile only a 4.7 kernel and
my binaries are 4.6 will this pose any trouble?


Thanks in advance guys!





Re: monitor ALL connections to ALL ports

2002-10-15 Thread BigBrother




It sounds to me that you are looking for a Network Intrusion system.



1)
try:

/usr/ports/security/snort


It has plenty of rules that can help you log whatever u like.



2)
Also another possibility is to use

tcpdump -w LOGFILE host YOUR_IP

which will log all the packets heading for your IP
in raw form in the logfile. TCPdump has many switches.

The format of the logfile is in libcap format and there
are plenty of parsers of this file [including tcpdump, ethereal, snort]


IMO, try to log ALL connections to ALL ports ONLY if ur
box is faster than a PIII, 500Mhz, 256 RAM.







Re: Monitor IP Traffic from many BSD computers

2002-10-15 Thread BigBrother




A nice solution which I make use is:

a) install a SNMPD client on every box

/usr/ports/net/net-snmp

b) change the community string to something else than `public`

c) create sample config file for snmpd

d) install MRTG

/usr/ports/net/mrtg


e) Configure MRTG to be daemon and query every 5 minutes the SNMPD on all
the boxes.


f) If u like security :) use firewall to protect the SNMP port!
--

I am using this setup on my local cluster. It works nicely!



p.s. Of course if u like something more than measuring bandwidth then u
can run a sniffer on every machine and forward the results to a main
server, or u could capture the packets in raw form in a file and another
workstation to be used to analyze these packets.




