Re: Some questions about in-kernel NAT

On Wed, 8 Mar 2017 16:52:36 +0100, Andrea Venturoli wrote: Just on one point: > Second question: > _ if I issue "ipfw nat 2 config if re0", I'll see the output "ipfw nat 2 > config if re0"; > _ if I issue "ipfw nat 2 config ip 192.168.0.1", I'll see the output "ipfw > nat 2 config ip

Re: Working divert socket example prog?

On Fri, 29 Apr 2016 00:32:05 -0300, lpa lpa wrote: > On Thu, Apr 28, 2016 at 4:06 PM, Nikolay Denev wrote: >> Hi, >> >> Have you looked at the natd(8) source code? > yes but it's a complete application, it does a lot of stuff and I am > not able to "clean" it up to

Re: IPFW with NAT : Problems with duplicate packets on FreeBSD 10.3-RC3

On Thu, 7 Apr 2016 17:08:38 +0100, Dr Josef Karthauser wrote: [ AppleMail msgs fail to quote properly in pine, so a partial quote: ] > Looks like the first packet is being retransmitted, which means that > the nat is probably misconfigured and the TCP connection is broken in > some strange

Re: Source routing howto

On Wed, 9 Mar 2016 14:40:16 +0100, el...@sentor.se wrote: > On Wed, 9 Mar 2016, Jan Bramkamp wrote: [..] > > I would avoid policies based on IP addresses and prefer to define policies > > based on (pseudo-) interfaces e.g. route (and nat?) traffic from vlan123 > > through the VPN tunnel. >

Re: gateway machine port redirect question

On Sun, 21 Feb 2016 16:32:53 -0800, Julian Elischer wrote: > On 20/02/2016 6:22 PM, Valeri Galtsev wrote: > > Dear Experts, > > > > I'm one of Linux refugees who several years ago migrated majority of > > servers from Linux to FreeBSD and is happy since. When recently I needed > > to set up

Re: ipfw NAT /etc/rc.firewall question

On Sun, 24 Jan 2016 17:41:17 -0700, Russell L. Carter wrote: > Hi, > > I am making myself learn better how ipfw works. I am curious about > the optimal location of the NAT rule definition code. My immediate > application is a generic NATing gateway with an outside iface armored > up and

Re: arp response fails

On Tue, 15 Dec 2015 23:47:39 +0100, bcs wrote: [..] > I use ipfw but "ipfw -q -f flush" didn't solve the issue. Here are my [..] > /boot/loader.conf: > ipfw_load="YES" > net.inet.ip.fw.default_to_accept=1 ipfw(8): Tunables can be set in loader(8) prompt, loader.conf(5) or kenv(1) before

RE: Timing issue with Dummynet on high kernel timer interrupt

On Sat, 7 Nov 2015 01:51:29 +, Rasool Al-Saadi wrote: > On Saturday, 7 November 2015 2:05 AM, Hans Petter Selasky wrote: > > On 11/06/15 11:08, Luigi Rizzo wrote: > > > On Fri, Nov 6, 2015 at 10:52 AM, Hans Petter Selasky > > wrote: > > >> On 11/06/15 09:50, Luigi

Re: ixl 40G bad performance?

On Mon, 19 Oct 2015 21:47:36 -0700, Kevin Oberman wrote: > > I suspect it might not touch the c states, but better check. The safest is > > disable them in the bios. > > > > To disable C-States: > sysctl dev.cpu.0.cx_lowest=C1 Actually, you want to set hw.acpi.cpu.cx_lowest=C1 instead.

Re: nice stuff from cloudflare (and, we need something like ethtool!)

On Thu, 15 Oct 2015 17:03:55 +0800, Julian Elischer wrote: > On 10/10/15 10:59 PM, Luigi Rizzo wrote: > > the nice folks at cloudflare implemented a nice feature > > in netmap that puts some queues of the NIC in netmap mode > > leaving others attached to the host stack > > > >

Re: Struggling with IPFW on CURRENT

On Wed, 7 Oct 2015 08:57:42 -0500, Mark Felder wrote: > Hi all, > > I've only used IPFW in the past for the most basic of tasks. I'd like to > use it with in-kernel NAT protecting both v4 and v6 and add > dummynet/pipe later, but I have to get the basic working first. I'm > either

Re: HELP! Mysterious socket 843/tcp listening on CURRENT system

On Tue, 15 Sep 2015 07:51:11 -0600 (MDT), Warren Block wrote: > On Tue, 15 Sep 2015, Ian Smith wrote: > O. Hartmann wrote: > > > But that is an other issue and it is most likely > > > due to the outdated documentation (that doc still uses port 37 for NTP &g

Re: HELP! Mysterious socket 843/tcp listening on CURRENT system

On Tue, 15 Sep 2015 09:47:57 +0200, O. Hartmann wrote: > On Tue, 15 Sep 2015 10:21:21 +0300 > Kimmo Paasiala wrote: > > > On Tue, Sep 15, 2015 at 10:06 AM, O. Hartmann > > wrote: > > > Hopefully, I'm right on this list. if not, please

Re: a couple /etc/rc.firewall questions

On Sun, 23 Aug 2015 08:44:53 +0900, Hiroki Sato wrote: Don Lewis truck...@freebsd.org wrote in 201508222103.t7ml3gax000...@gw.catspoiler.org: tr The example /etc/rc.firewall has provisions to use either in-kernel NAT tr or natd for the open and client firewall types, but the simple

Re: bugzilla chatter?

On Thu, 6 Aug 2015 01:13:31 +1000, Kubilay Kocak wrote: On 6/08/2015 1:02 AM, Sean Bruno wrote: On 08/04/15 16:13, grenville armitage wrote: de-lurk I'm curious about the uptick of bugzilla chatter turning up in freebsd-net@ the last few days. Whilst I can filter it

Re: question on NAT + IPFW

On Fri, 12 Jun 2015 08:59:40 +0200, Guido Falsi wrote: looks correct, assuming xl0 is your internal interface (better put it in a variable and use the variable in your rules imho) Forgot one thing, working around this block is as easy as changing the machine IP, teenager can learn

Re: question on NAT + IPFW

On Thu, 11 Jun 2015 19:49:06 -0700, John Reynolds wrote: Hello all, I've read in sections 30.4.4 and 30.4.3 of the handbook about using IPFW and I've got some clarification questions. 1) When you're using any sort of firewall rules outside the open/client/simple/closed, etc. pre-canned

Re: question on NAT + IPFW

On Fri, 12 Jun 2015 10:24:05 +0200, Guido Falsi wrote: On 06/12/15 10:07, Ian Smith wrote: On Fri, 12 Jun 2015 08:59:40 +0200, Guido Falsi wrote: looks correct, assuming xl0 is your internal interface (better put it in a variable and use the variable in your rules imho

Re: Fwd: netmap-ipfw on em0 em1

On Mon, 4 May 2015 15:29:13 +, Barney Cordoba via freebsd-net wrote: It's not faster than wedging into the if_input()s. It simply can't be. Your getting packets at interrupt time as soon as their processed and  you there's no network stack involved, and your able to receive and

Re: RTT and TCP Window size doubts, bandwidth issues

On Wed, 8 Apr 2015 00:10:51 +0200, Marek Salwerowicz wrote: Hi list, I am trying to find correct setup of sysctl's for following machines (VMs under Vmware Workstation 8) to test large TCP window size: There are 2 boxes, each of them has following setup: - % uname -a FreeBSD

Re: Patch to reduce use of global IP ID value(s) to avoid leaking information

On Sat, 4 Apr 2015 18:11:55 +0100, Robert N. M. Watson wrote: On 4 Apr 2015, at 16:59, Hans Petter Selasky h...@selasky.org wrote: Thankyou Robert for this most interesting dissertation. And thanks Hans for the provocation to draw it forth .. cheers from the peanut gallery, Ian

Re: What is this?

On Wed, 25 Feb 2015 14:59:18 +, Gary Palmer wrote: On Wed, Feb 25, 2015 at 09:30:49PM +1100, Ian Smith wrote: This snippet is from an old linux 2.4 router/firewall/proxy box, usually clockwork. Clipped this while monitoring one night, saved it, forgot, but still find it curious

What is this?

This snippet is from an old linux 2.4 router/firewall/proxy box, usually clockwork. Clipped this while monitoring one night, saved it, forgot, but still find it curious and haven't seen anything similar before or since. 31.13.70.1 173.252.102.24 are facebook, our guy 192.168.9.21 25/9/2014

Re: Problems with IP fragments

On Tue, 10 Feb 2015 19:34:20 +0100, Andre Albsmeier wrote: On Wed, 11-Feb-2015 at 04:33:15 +1100, Ian Smith wrote: On Tue, 10 Feb 2015 14:26:52 +0100, Andre Albsmeier wrote: On Tue, 10-Feb-2015 at 13:49:23 +0300, Lev Serebryakov wrote: On 10.02.2015 00:21, Andre Albsmeier wrote

Re: Problems with IP fragments

On Tue, 10 Feb 2015 14:26:52 +0100, Andre Albsmeier wrote: On Tue, 10-Feb-2015 at 13:49:23 +0300, Lev Serebryakov wrote: On 10.02.2015 00:21, Andre Albsmeier wrote: The ipfw man page says: Usually a simple rule like: # reassemble incoming fragments ipfw add reass all

Re: does nat redirect_port tcp works for you on -CURRENT?

On Thu, 5 Feb 2015 02:14:41 +0300, Lev Serebryakov wrote: On 05.02.2015 01:16, Lev Serebryakov wrote: I have such rules in my firewall: nat 9 config redirect_port tcp 192.168.134.2:16881 16881 redirect_port udp 192.158.134.2:16881 16881 redirect_port tcp 192.168.134.2:22 2

Re: [RFC][patch] Two new actions: state-allow and state-deny

On Tue, 3 Feb 2015 13:23:38 +0300, Lev Serebryakov wrote: On 03.02.2015 13:04, Ian Smith wrote: Now to make stateful firewall with NAT you need to make some not very readable tricks to record state (allow) of outbound connection before NAT, but pass packet to NAT after that. I know

Re: [RFC][patch] Two new actions: state-allow and state-deny

On Mon, 2 Feb 2015 22:17:25 +0300, Lev Serebryakov wrote: Now to make stateful firewall with NAT you need to make some not very readable tricks to record state (allow) of outbound connection before NAT, but pass packet to NAT after that. I know two: (a) skipto-nat-allow pattern from

Re: Problems with DNSSEC -- answer in fragmented UDP doesn't work

On Fri, 30 Jan 2015 16:57:28 -0800, Kevin Oberman wrote: On Wed, Jan 28, 2015 at 9:13 AM, Lev Serebryakov l...@freebsd.org wrote: I could not resolve names with DNSSEC (for example, in freebsd.org domain) on two of my installations, one with FreeBSD 11 and other with FreeBSD 9.3.

Re: ipfw, nat and stateful firewall: why keep-state on skipto works at all and how do this properly?

On Fri, 30 Jan 2015 12:05:07 +0300, Lev Serebryakov wrote: On 30.01.2015 05:33, Julian Elischer wrote: 12700 skipto 12900 ip from any to any keep-state 12800 deny ip from any to any 12900 nat 1 ip from any to any out 12999 allow ip from any to any And rules for inbound ones

Re: NICs devices switches pshycial place on each boot

On Thu, 4 Dec 2014 06:01:06 +0100, Martin Hanson wrote: (Warren Block wrote:) I would use three of these sections, one with the serial number of each interface.  So: action ifconfig $device-name name wan inet ... action ifconfig $device-name name dmz inet ... action ifconfig $device-name

Re: Whither ep(4) on 9.3-RELEASE?

On Tue, 11 Nov 2014 13:15:30 -0800, John-Mark Gurney wrote: Ian Smith wrote this message on Tue, Nov 11, 2014 at 21:31 +1100: [..] So can anyone confirm that ep(4) is present on 9.3-R, even if only i386? Yeh, it looks like ep is in GENERIC on i386.. We also compile ep on amd64 too

Whither ep(4) on 9.3-RELEASE?

In a conversation on questions@ re natd(8), Gary said he was about to upgrade to 9.3 from some (embarrassingly :) old version, and I said: Strangely, there's no man page for ep nor if_ep on 8.x or 9.x? To which Gary replied: ugh. That will be interesting when my upgrade starts in a few

Re: any reason not to enable IPDIVERT for ipfw module?

On Fri, 31 Oct 2014 18:28:28 -0700, Freddie Cash wrote: On Oct 31, 2014 12:12 PM, John-Mark Gurney j...@funkthat.com wrote: Can any one think of a good reason not to enable IPDIVERT sockets in the ipfw module? Yes, two. Nowadays people are just as or perhaps more likely to use

Re: transparent udp proxy

On Sat, 1 Nov 2014 15:38:33 +0330, Hooman Fazaeli wrote: On 10/31/2014 8:30 PM, Ian Smith wrote: [..] : ipfw add 10 fwd localhost,7000 udp from any to any recv em1 Given these are local packets and that ipfw(8) /fwd states: The fwd action does not change the contents

Re: transparent udp proxy

On Fri, 31 Oct 2014 18:30:00 +0330, Hooman Fazaeli wrote: On 10/31/2014 5:30 PM, Mark Felder wrote: I'm not sure if this is what you're looking for, but perhaps the solution is in net/samplicator ? From the project's website: This simple program listens for UDP datagrams on

Re: How can sshuttle be used properly with FreeBSD (and with DNS) ?

On Sat, 6 Sep 2014 02:52:22 +, John Case wrote: I would like to use sshuttle (http://github.com/apenwarr/sshuttle) on FreeBSD. I have it working for TCP connections, but it does not properly tunnel DNS requests. The documentation for sshuttle says that ipfw forward rules will

Re: How can sshuttle be used properly with FreeBSD (and with DNS) ?

On Tue, 9 Sep 2014 19:33:05, Ian Smith wrote: add 1000 divert natd ip from any to any in recv xl0 add 2000 divert natd ip from any to any out xmit xl0 Oops, 'ip' should nowadays be 'ip4|ipv4' for divert rules, if ip6 is configured on that interface. Last I heard, ip6 packets break

RE: [CFT]: ipfw named tables / different tabletypes

On Fri, 6 Jun 2014 00:10:26 +0800, bycn82 wrote: Hi Bill, Sorry for waste you time to explain it again, I will read the code first. Especially the code provided in free tutorials by your busy professor .. And the latest patch of `PPS` should be OK, I checked the logic carefully this

Re: netmap and other discussions on freebsd-net: please be open minded.

On Mon, 19 May 2014 01:02:42 _0200, Luigi Rizzo wrote: Folks, i have two requests for you: 1. please do not complain about questions on this list related to a core network-related FreeBSD subsystem (netmap, dummynet, netgraph, tcp stack...) even if they are concerned with ports

Re: TCP packets remain unsent

On Sat, 29 Mar 2014 15:02:29 +0100, Willy Offermans wrote: Dear FreeBSD friends, On Fri, Mar 28, 2014 at 05:25:54PM +0100, Willy Offermans wrote: Dear FreeBSD friends, I have a problem with my relatively new FreeBSD server. I came across the problem when sending e-mails of

Re: ipfw / routing issue on 9.2-RELEASE

On Wed, 5 Mar 2014 20:44:51 +0100, Andreas Nilsson wrote: On Wed, Mar 5, 2014 at 7:49 PM, Andrey V. Elsukov bu7c...@yandex.ru wrote: On 04.03.2014 09:58, Andreas Nilsson wrote: Why do I need the explict fwd rule? As far as I can see the ipfw man page says nothing about skipto

Re: impact of disabling firewall on performance?

On Wed, 18 Sep 2013 12:00:30 +0430, h bagade wrote: Hi all, I've heard that disabling firewall with commands or setting related sysctl parameter wouldn't increase performance and still firewalls participate in forwarding process. The only way to reach a better performance is making

Re: impact of disabling firewall on performance?

On Wed, 18 Sep 2013 11:18:38 +0200, Luigi Rizzo wrote: On Wed, Sep 18, 2013 at 10:07 AM, Ian Smith smi...@nimnet.asn.au wrote: On Wed, 18 Sep 2013 12:00:30 +0430, h bagade wrote: Hi all, I've heard that disabling firewall with commands or setting related sysctl

Re: it's the output, not ack coalescing (Re: TSO and FreeBSD vs Linux)

On Sun, 18 Aug 2013 14:03:27 -0700, Barney Cordoba wrote: Criticism is the bedrock of innovation. Constructive criticism, with clear design even without code, can be. Relentless negativity achieves nothing, and fails to compile. Ian ___

Re: DNAT in freebsd

On Sat, 6 Jul 2013 18:37:55 +0700, Eugene Grosbein wrote: On 06.07.2013 14:47, Sami Halabi wrote: Hi, Any hope? Have you used intedmediate ipfw count log rules between ipfw nat rules I recommended? If yes, why have not you show that logs yet? Include tcpdump output from external

Re: high cpu usage on natd / dhcpd

On Thu, 7 Feb 2013 12:50:51 +, Eggert, Lars wrote: Hi, On Feb 7, 2013, at 13:40, Ian Smith smi...@nimnet.asn.au wrote: On Thu, 7 Feb 2013 08:08:59 +, Eggert, Lars wrote: On Jan 31, 2013, at 16:03, Matthew Luckie m...@luckie.org.nz wrote: 00510 allow ip from me to not me

Re: high cpu usage on natd / dhcpd

On Thu, 7 Feb 2013 08:08:59 +, Eggert, Lars wrote: On Jan 31, 2013, at 16:03, Matthew Luckie m...@luckie.org.nz wrote: 00510 allow ip from me to not me out via em1 00550 divert 8668 ip from any to any via em1 Rule 510 fixes it. Yep, it does. Can I ask someone to commit

Re: To SMP or not to SMP

On Tue, 8 Jan 2013 07:57:04 -0800, Garrett Cooper wrote: On Jan 8, 2013, at 7:50 AM, Barney Cordoba wrote: --- On Mon, 1/7/13, Erich Dollansky erichsfreebsdl...@alogt.com wrote: From: Erich Dollansky erichsfreebsdl...@alogt.com Subject: Re: To SMP or not to SMP To: Barney

Re: MAC cloning available like Linux has?

On Sat, 15 Dec 2012 12:51:11 -0800, Chris H wrote: in rc.conf, adding the following (order is important!), everything works as expected/desired/anticipated; --- begin rc,conf -- ifconfig_ue0=ether ##:##:##:##:##:##

Re: [RFC] Enabling IPFIREWALL_FORWARD in run-time

On Fri, 19 Oct 2012 15:25:24 +0400, Andrey V. Elsukov wrote: Hi All, Many years ago i have already proposed this feature, but at that time several people were against, because as they said, it could affect performance. Now, when we have high speed network adapters, SMP kernel and

Re: kernel: arpresolve: can't allocate llinfo for 65.59.233.102

On Thu, 13 Sep 2012 21:53:23 +0300, ? ??? wrote: Then my guess is wrong. I found the message, where similiar problem was described in ipfw mailling list http://lists.freebsd.org/pipermail/freebsd-ipfw/2011-March/004582.html, with no answer. Maybe it will be usefull for somebody.

Re: ipfw, ip|all proto and PPPoE -- does PPPoE packets passed to ipfw?

On Wed, 29 Aug 2012 22:31:25 +0400, Lev Serebryakov wrote: Hello, Michael. You wrote 29 ??? 2012 ?., 19:01:08: I have interface (vr1), most of traffic on which is PPPoE. I have ipfw firewall, which splits traffic by interfaces via: add 2000 skipto 5000 all from any to

Re: problem with mac option on ipfw rule

On Sun, 5 Aug 2012 13:40:21 +0430, h bagade wrote: Hi all, I have problem with setting mac option on ipfw rule. I want to drop all traffic but the traffic with source mac for example 11:22:33:44:55:66. I thought it would be possible using the not option to do the work and I have a set

Re: B.a.t.m.a.n.

On Mon, 14 May 2012 16:02:40 +0300, Ivo Vachkov wrote: Hello all, On Mon, May 14, 2012 at 1:52 PM, Monthadar Al Jaberi montha...@gmail.comwrote: On Sun, May 13, 2012 at 2:49 PM, Ivan Voras ivo...@gmail.com wrote: On 13 May 2012 06:46, Ivo Vachkov ivo.vach...@gmail.com wrote:

Re: Stateful IPFW - too many connections in FIN_WAIT_2 or LAST_ACK states

On Sat, 21 Apr 2012 15:41:30 +0400, Dmitry S. Kasterin wrote: [..] 9.0-STABLE / custom kernel Also, if you choose to use stateful TCP filtering, it is probably best to do it in the manner shown in the ipfw(8) man page under DYNAMIC RULES. This is very different from the way you

Re: stateful firewall implementation in FreeBSD

On Fri, 27 Jan 2012, Nikolay Denev wrote: On Jan 27, 2012, at 4:41 AM, Kevin Oberman wrote: On Thu, Jan 26, 2012 at 11:41 AM, Chuck Swiger cswi...@mac.com wrote: Hi-- On Jan 26, 2012, at 9:24 AM, satish amara wrote: I have question regarding the size of the state table kept in

Re: how to debug non-working hole in nat

On Tue, 3 Jan 2012 17:52:53 +0900, Randy Bush wrote: ignore. i sorted it. Too late, sucked in .. diff from prior config might be bone enough? cheers, Ian ___ freebsd-net@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-net

Re: Bridging + VLANS

On Sat, 21 May 2011, Doug Barton wrote: On 05/21/2011 01:58, Matthew Bowman wrote: I have an uplink to my ISP on a 2 IP /30 network (1.1.1.0/30 in the diagram) No help for your actual problem, sorry. I just wanted to point out that 1/8 has been assigned by IANA to APNIC, so it

Re: natd starting after firewall rules are loaded

On Sun, 17 Apr 2011, J. Hellenthal wrote: On Sun, Apr 17, 2011 at 03:36:40PM +1000, Ian Smith wrote: On Sat, 16 Apr 2011, rondzie...@comcast.net wrote: After the firewall rules are loaded, the rc script then loads natd, Once the system is up, i can ipfw list and the divert command

Re: natd starting after firewall rules are loaded

On Sat, 16 Apr 2011, rondzie...@comcast.net wrote: After the firewall rules are loaded, the rc script then loads natd, Once the system is up, i can ipfw list and the divert command is, in fact, not there, but by this time natd is running. If I run the rc.firewall script

Re: Setting up Novatel Mifi 2200 on 8.2-REL

On Mon, 14 Mar 2011, Ryan Coleman wrote: I've searched high and low and have no idea where to start to get this thing going... It's recognizing it now but I am not finding any details online (like people who have shared their full configuration details) on how they got the VirginMobile

Re: An IPFW problem when going from release to stable on 8.2/ Maybe bge0 network card?

On Sun, 6 Mar 2011, Dave Johnson wrote: Hi all An IPFW problem when going from release to stable on 8.2 An help gladly accepted LOG ON Flushed all rules. 00010 allow ip from 127.0.0.1 to 127.0.0.1 via lo0 00030 divert 8668 ip from any to any via bge0 ipfw:

Re: routed source code

On Sun, 14 Nov 2010, Milen Dzhumerov wrote: Hi all, We're investigating some ways to perform symbolic execution of distributed systems and we're looking for real-world programs to test. The routed daemon[1] which is included with FreeBSD seemed like a good candidate and I was

Re: [patch] WOL support for nfe(4)

On Tue, 9 Nov 2010, Pyun YongHyeon wrote: On Tue, Nov 09, 2010 at 10:01:36PM +0100, Yamagi Burmeister wrote: On Tue, 9 Nov 2010, Pyun YongHyeon wrote: [..] You can switch to suspend mode with acpiconf -s1. If all goes well, driver would put the controller into suspend mode after

Re: Tcpdump showing ghost traffic

On Fri, 22 Oct 2010, Thomas Sevestre wrote: Le 21 oct. 10 à 19:04, Julian Elischer a écrit : On 10/21/10 8:26 AM, Thomas Sevestre wrote: Hi all, I'm using freebsd 8 as a router. Say I have a sis0 interface. The

Re: Problems with 8.1, PPPoE server, and Cisco client

On Wed, 20 Oct 2010, Paul Thornton wrote: [..] With a Windows XP client (I know, it was nearby though) the following things happen: Server - Client PPP CHAP Success (Welcome!! message). Server - Client PPP CCP config request Server - Client IPCP Config request (setting IP address

Re: strange resolver behavour

On Mon, 11 Oct 2010, Eugene Grosbein wrote: Hi! FreeBSD 8.1-STABLE: # host koin-nkz.com. koin-nkz.com has address 62.231.164.101 Host koin-nkz.com not found: 3(NXDOMAIN) This domain does not have MX records but NXDOMAIN seems to wrong return code to me. Think about MTA that

Re: strange resolver behavour

On Tue, 12 Oct 2010, Tom Evans wrote: On Tue, Oct 12, 2010 at 10:05 AM, Ian Smith smi...@nimnet.asn.au wrote: On Mon, 11 Oct 2010, Eugene Grosbein wrote:   Hi!     FreeBSD 8.1-STABLE:     # host koin-nkz.com.   koin-nkz.com has address 62.231.164.101   Host koin-nkz.com

Re: strange resolver behavour

On Tue, 12 Oct 2010, Tom Evans wrote: On Tue, Oct 12, 2010 at 3:39 PM, Ian Smith smi...@nimnet.asn.au wrote: On Tue, 12 Oct 2010, Tom Evans wrote:   On Tue, Oct 12, 2010 at 10:05 AM, Ian Smith smi...@nimnet.asn.au wrote: [..]   If a domain has no MX server, how's an MTA supposed

Re: Intel 82574L Gigabit Ethernet Controller

On Wed, 7 Jul 2010, Shtorm wrote: Yow, 30 vlans, but only em1 is using vlans not em0? Is only em1 having watchdogs? I noticed you appear to have flow control off, maybe turning it on would help. I would like to see the log messages from the watchdogs. Jack Yes, em0 -

Re: Intel 82574L Gigabit Ethernet Controller

On Fri, 9 Jul 2010, Shtorm wrote: Yeah, saw this too, it was first boot for this install and I forgot to run tzsetup during flash image build. As for the latest log, this box connected to internet via em0, ntpd just says it have some peers to sync with after interface flap.

Re: Intel 82574L Gigabit Ethernet Controller

On Fri, 9 Jul 2010, Ryan Stone wrote: No, defining EM_WATCHDOG as 10 * hz should mean that the watchdog expires after 10 seconds no matter what your kern.hz is. hz is set to the number of ticks in a second. Ok, one more probably wild punt .. Shtorm you say HZ=4000, giving: === And here

Re: Intel 82574L Gigabit Ethernet Controller

On Sat, 10 Jul 2010, Ian Smith wrote: HZ=4000 ticks are 250ns, not 25ms. Up way too late .. that's 250us of course, thanks Ryan. ___ freebsd-net@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any

Re: Deterministic lockup / panic in networking stack with ipfw / natd enabled on recent amd64 STABLE / CURRENT

On Tue, 15 Jun 2010, Garrett Cooper wrote: Hi, I'm experiencing a deterministic situation on a development box I manage when I do the following to enable ipfw and natd to bridge a network with two bce(4) enabled NICs, where if I do the following steps below, then try to push a few

Re: Deterministic lockup / panic in networking stack with ipfw / natd enabled on recent amd64 STABLE / CURRENT

On Sat, 3 Jul 2010, Ian Smith wrote: On Tue, 15 Jun 2010, Garrett Cooper wrote: Hi, I'm experiencing a deterministic situation on a development box I manage when I do the following to enable ipfw and natd to bridge a network with two bce(4) enabled NICs, where if I do

Re: Poor performance with natd/ipfw and TSO enabled on bce(4) card and 8.1-PRERELEASE

On Thu, 1 Jul 2010, Garrett Cooper wrote: On Thu, Jul 1, 2010 at 4:54 PM, Pyun YongHyeon pyu...@gmail.com wrote: On Wed, Jun 30, 2010 at 07:00:53PM -0700, Garrett Cooper wrote: Hi,     Just an observation I made while transferring a file: # time scp floppy.img somehost:

Re: kern/147191: [ppp] Problems with ppp -nat [pppoe], ipfw, dummynet

On Wed, 2 Jun 2010, Jose M Rodriguez wrote: The following reply was made to PR kern/147191; it has been noted by GNATS. From: Jose M Rodriguez jos...@freebsd.jazztel.es To: bug-follo...@freebsd.org Cc: Subject: Re: kern/147191: [ppp] Problems with ppp -nat [pppoe], ipfw, dummynet

Re: RFC: documented and actual behaviour of ipfw tee

On Tue, 29 Dec 2009, Julian Elischer wrote: Luigi Rizzo wrote: There a difference between the documented and actual behaviour of ipfw tee which occurs when there are multiple rules with the same number, e.g. rule_id number body r1 500 tee port1 dst-ip

Re: pf tcpdump

On Fri, 13 Nov 2009, Stephane D'Alu wrote: Is there a way to have tcpdump only showing packed that have pass the filtering rules, so to check that firewall rules were correctly written and not letting unwanted packets in. tcpdump sees packets before they're passed to the firewall coming in,

Re: pf tcpdump

On Fri, 13 Nov 2009, Stephane D'Alu wrote: On 13/11/2009 13:08, Ian Smith wrote: On Fri, 13 Nov 2009, Stephane D'Alu wrote: Is there a way to have tcpdump only showing packed that have pass the filtering rules, so to check that firewall rules were correctly written

Re: dummynet dropping too many packets

On Wed, 7 Oct 2009, rihad wrote: Robert Watson wrote: I would suggest making just the HZ - 4000 change for now and see how it goes. OK, I will try testing HZ=4000 tomorrow morning, although I'm pretty sure there still will be some drops. Even if there are, I'd like to know

Re: Wireless mesh networking

On Sun, 24 May 2009, Rui Paulo wrote: Hi, If anyone is interested in testing out wireless mesh networking under FreeBSD, the project has now reached a point where you can transfer packets between mesh nodes. Always a good point to celebrate :) I try to keep the branch in sync with head

Re: Wireless mesh networking

On Tue, 26 May 2009, Brooks Davis wrote: On Tue, May 26, 2009 at 08:06:25PM +1000, Ian Smith wrote: On Sun, 24 May 2009, Rui Paulo wrote: Hi, If anyone is interested in testing out wireless mesh networking under FreeBSD, the project has now reached a point where you can

Re: MAC locking and filtering in FreeBSD

On Wed, 13 May 2009, Brett Glass wrote: I need to find a way to do MAC address locking in FreeBSD -- that is, to ensure that only a machine with a particular MAC address can use a particular IP address. Unfortunately, it appears that rules in FreeBSD's IPFW are stuck on one layer: rules

Re: MAC locking and filtering in FreeBSD

On Thu, 14 May 2009, Brett Glass wrote: At 12:17 AM 5/14/2009, Ian Smith wrote: You can use fixed leases with MAC specified in dhcp for that, This lets you assign specific addresses to machines with specific MAC addresses. But it doesn't inhibit MAC address cloning, and the DHCP

Re: IPFW MAX RULES COUNT PERFORMANCE

that despite 20 times the CPU clock rate, probably at least 30 times CPU throughput and likely 10 times the tick rate, you appear to be suffering something like 30 to 900 times the increased latency to be expected by traversing 'too many' ipfw rules. Ian Smith escreveu: On Fri, 24 Apr 2009, Daniel

Re: A more pliable firewall

On Fri, 20 Feb 2009, Artyom Viklenko wrote: On Thu, 19 Feb 2009, Bakul Shah wrote: I am wondering if there is a more dynamic and scriptable firewall program. The idea is to send it alerts (with sender host address) whenever a dns probe fails or ssh login fails or smtpd finds it

Re: A more pliable firewall

On Fri, 20 Feb 2009, Bakul Shah wrote: Thanks to everyone who responded. Looks like all the pieces to do this exist. All I have to do is to package it all in one program sheriff that watches various log files and pulls the trigger on the bad guy(s) at appropriate time. Wild West imagery

Re: MTU or Fragmentation Problems on 7.0?

to two different ISPs. I can live with having a Web Proxy on FreeBSD # 1, but I am concerned that this issue will crop up someplace else. -- Len On Sun, Jan 25, 2009 at 9:51 PM, Ian Smith smi...@nimnet.asn.au wrote: On Sun, 25 Jan 2009, Len Gross wrote: The following

Re: BIND 9.4.3-P1: internal_send: 199.7.83.42#53: Device not configured, where 199.7.83.42 is RANDOM IP address

On Sun, 25 Jan 2009, Daniel O'Connor wrote: On Sunday 25 January 2009 11:43:48 Mark Andrews wrote: Doug Barton wrote: I've never used mpd myself, but you might want to try adding the following line to /usr/local/etc/rc.d/mpd and see if it helps: # BEFORE: named This

Re: BIND 9.4.3-P1: internal_send: 199.7.83.42#53: Device not configured, where 199.7.83.42 is RANDOM IP address

On Sun, 25 Jan 2009, Daniel O'Connor wrote: On Sunday 25 January 2009 11:43:48 Mark Andrews wrote: Doug Barton wrote: I've never used mpd myself, but you might want to try adding the following line to /usr/local/etc/rc.d/mpd and see if it helps: # BEFORE: named This

Re: MTU or Fragmentation Problems on 7.0?

On Sun, 25 Jan 2009, Len Gross wrote: The following configuration works fine _until_ I make a change in MTU setting on the link between FreeBSD1 and FreeBSD2 Internet | Router x.x.x.x 192.168.0.1/16

Re: FreeBSD 7.0R ADSL

On Sat, 10 Jan 2009, Skip Ford wrote: Matthias Apitz wrote: El d?a Saturday, January 10, 2009 a las 05:54:56AM -0500, Skip Ford escribi?: Matthias Apitz wrote: What kind of software I could use in FreeBSD? There is some port net/rp-pppoe but the man pages speaks about

Re: (partly) SOLVED: tun0 not responding to ping

On Sun, 4 Jan 2009, per...@pluto.rain.com wrote: Ian Smith nimnet.asn.au!smi...@agora.rdrop.com wrote: On Fri, 2 Jan 2009, per...@pluto.rain.com wrote: Why would a local interface, reported as up in ifconfig, not respond to a ping of its own IP address? The tun0 reported below

Re: tun0 not responding to ping

On Sat, 3 Jan 2009, per...@pluto.rain.com wrote: Ian Smith nimnet.asn.au!smi...@agora.rdrop.com wrote: On Fri, 2 Jan 2009, per...@pluto.rain.com wrote: Ian Smith nimnet.asn.au!smi...@agora.rdrop.com wrote: uucp .. how quaint :) Yep, but running over ssh since agora no longer

Re: tun0 not responding to ping

On Fri, 2 Jan 2009, per...@pluto.rain.com wrote: Ian Smith nimnet.asn.au!smi...@agora.rdrop.com wrote: uucp .. how quaint :) ... tun0: flags=8051UP,POINTOPOINT,RUNNING,MULTICAST mtu 1412 inet6 fe80::2b0:d0ff:fe28:ad4f%tun0 prefixlen 64 scopeid 0x4 inet

Re: tun0 not responding to ping

On Fri, 2 Jan 2009, per...@pluto.rain.com wrote: Why would a local interface, reported as up in ifconfig, not respond to a ping of its own IP address? The tun0 reported below doesn't, and I have no idea how to debug it. (I've overwritten the two most- significant octets of its IP

Re: Heads up --- Thinking about UDP and tunneling

On Sat, 13 Dec 2008, Peter Jeremy wrote: On 2008-Dec-13 13:55:18 +1100, Ian Smith smi...@nimnet.asn.au wrote: I guess submitting patches for style(9) is considered a suicide method? Not necessarily but you need to have very good justification for any change. It's much easier to read

Re: Heads up --- Thinking about UDP and tunneling

On Fri, 12 Dec 2008, Randall Stewart wrote: Bruce: So lets see: 1) I went ahead and fixed the comments.. even added a ! instead of :-( Personally: emoticons ARE punctuation; adding a period is totally anal. 2) No problem using func_t.. changed to that.. seems nicer :-D I guess

  1   2   >