Re: ifconfig: BRDGADD vr1: Invalid argument

2007-12-11 Thread Ian Smith
On Wed, 12 Dec 2007, Randy Bush wrote: did you start off with? # ifconfig bridge create when your ifconfig -a should then also show: bridge0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500 (etc) though it looks like 'cloned_interfaces=bridge0' is

Re: Pipe queues

2007-12-12 Thread Ian Smith
On Tue, 11 Dec 2007, Peter Jeremy wrote: On Tue, Dec 11, 2007 at 12:31:00PM +0400, rihad wrote: Peter Jeremy wrote: On Tue, Dec 11, 2007 at 09:21:17AM +0400, rihad wrote: And if I _only_ want to shape IP traffic to given speed, without prioritizing anything, do I still need queues?

Re: ifconfig: BRDGADD vr1: Invalid argument

2007-12-12 Thread Ian Smith
On Wed, 12 Dec 2007, Bruce M. Simpson wrote: My shot from the hip, although I'm pretty much away from this stuff at the moment. Randy Bush wrote: # ifconfig bridge0 addm ath0 addm vr1 up ifconfig: BRDGADD ath0: Invalid argument ath0 is IFT_ETHER, so it should be OK to

Re: bikeshed for all!

2007-12-12 Thread Ian Smith
On Wed, 12 Dec 2007, Chris Dillon wrote: Quoting Julian Elischer [EMAIL PROTECTED]: I need a word to use to describe the network view one is currently on.. e.g. if you are using the second routing table, you could say I've set xxx to 1 (0 based).. currently in my code I'm

Re: ifconfig: BRDGADD vr1: Invalid argument

2007-12-12 Thread Ian Smith
On Thu, 13 Dec 2007, Randy Bush wrote: ok, i have bridging working (kernel/userland version skew likely culprit, thanks max), except that ath0 does not seem to completely bridge. bms may have warned me in saying although you won't get the 802.11 frames bridged. I'm wondering just

Re: ath wep confusion

2007-12-16 Thread Ian Smith
On Sun, 16 Dec 2007, Randy Bush wrote: ifconfig_ath0=channel 4 ssid rgnet-aden wep wepkey 13-characters mediaopt hostap up doh! thank you. Now I'm confused. Isn't that what you already had? also needed to tell winxp that it was private security not enterprise. Ahah.

Re: ath wep confusion

2007-12-16 Thread Ian Smith
On Sun, 16 Dec 2007, Randy Bush wrote: Ian Smith wrote: ifconfig_ath0=channel 4 ssid rgnet-aden wep wepkey 13-characters mediaopt hostap up doh! thank you. ^deftxkey 1 'k

Re: simple, adaptive bandwidth throttling with ipfw/dummynet ?

2008-03-01 Thread Ian Smith
On Sun, 2 Mar 2008, Peter Jeremy wrote: On Fri, Feb 29, 2008 at 02:28:04PM -0800, Juri Mianovich wrote: after 30 minutes of maxed dummynet rule, add X mbps to the rule for every active TCP session, with a max ceiling of Y mbps and: after 30 minutes of less than max usage,

Re: Trouble with IPFW or TCP?

2008-04-03 Thread Ian Smith
On Thu, 3 Apr 2008, Julian Elischer wrote: Ivan Voras wrote: Erik Trulsson wrote: On Fri, Apr 04, 2008 at 01:34:07AM +0200, Ivan Voras wrote: In which case would an ipfw ruleset like this: 00100 114872026 40487887607 allow ip from any to any via lo0 00200 0

Re: Trouble with IPFW or TCP?

2008-04-04 Thread Ian Smith
On Thu, 3 Apr 2008, Julian Elischer wrote: Ian Smith wrote: On Thu, 3 Apr 2008, Julian Elischer wrote: Ivan Voras wrote: Erik Trulsson wrote: On Fri, Apr 04, 2008 at 01:34:07AM +0200, Ivan Voras wrote: In which case would an ipfw ruleset like this: 00100

Re: Trouble with IPFW or TCP?

2008-04-05 Thread Ian Smith
On Fri, 4 Apr 2008, Julian Elischer wrote: Ian Smith wrote: On Thu, 3 Apr 2008, Julian Elischer wrote: Not that I have known... keep-state does not (and never has) include an implicit check-state. Sorry (and surprised!) to have to differ, but you MADE me read the code

Re: Jailed Samba not getting broadcasts

2008-04-24 Thread Ian Smith
On Thu, 24 Apr 2008, Nejc Škoberne wrote: what netmask does ifconfig show for this IP? Host: rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500 options=8<VLAN_MTU> ether 00:40:f4:27:7e:a8 inet 192.168.15.198 netmask

Re: Jailed Samba not getting broadcasts

2008-04-24 Thread Ian Smith
On Thu, 24 Apr 2008, Nejc Škoberne wrote: I can't help wondering what would happen if you assigned the single jail IP to be the subnet's broadcast address, in this case 192.168.15.255 ? You mean if I did this: jail_samba_ip=192.168.15.255 ? I can't even ssh to

bridge with access on both interfaces

2003-12-23 Thread Ian Smith
Hello net crew, We're new to bridges; please be gentle. 4.8-RELEASE box, 2 ed NICs, test rig with 10-base coax. Bridging itself is working nicely. Aim is for the box to bridge a 192.168.0.1 gateway (satellite down / ISDN back proxy server black box) to a /24 of about a dozen mostly winXP

Re: bridge with access on both interfaces

2003-12-23 Thread Ian Smith
On Tue, 23 Dec 2003, Michael W. Oliver wrote: On Wed, Dec 24, 2003 at 04:38:32AM +1100, Ian Smith wrote: [...] In short, ifconfig appears unwilling to have two NICs covering the same /24. Can this be set up? I'm also at a bit of a loss with the routing, so inside packets

kludgily solved: bridge with access on both interfaces

2003-12-26 Thread Ian Smith
On Thu, 25 Dec 2003, Bruce A. Mah wrote: If memory serves me right, Ian Smith wrote: In short, ifconfig appears unwilling to have two NICs covering the same /24. Can this be set up? I'm also at a bit of a loss with the routing, so inside packets to the bridge box (ie unbridged

Re: bridge with access on both interfaces - reprise

2004-01-03 Thread Ian Smith
On Thu, 25 Dec 2003, Bruce A. Mah sent me a useful Christmas present: In 4-STABLE, there's a bug that prevents ARP from working correctly on unnumbered bridge interfaces when bridging is enabled using the bridge.ko module. Basically, there are some checks in the ARP code that decide when

Re: 5.1r Bridge with one ip - no access from non-ip side - WORKS

2004-01-07 Thread Ian Smith
On Tue, 6 Jan 2004, Maxim Konovalov wrote: On Tue, 6 Jan 2004, 06:33+0100, Bjorn Eikeland wrote: On Tue, 6 Jan 2004 07:41:26 +0300 (MSK), Maxim Konovalov [EMAIL PROTECTED] wrote: Try sysctl net.inet.ip.check_interface=0. Well that did the trick! Thank you very

Re: Efficient use of Dummynet pipes in IPFW

2005-09-19 Thread Ian Smith
On Mon, 19 Sep 2005, Brett Glass wrote: At 10:20 AM 9/19/2005, Luigi Rizzo wrote: original ipfw add 1000 dosomething cond1 cond2 cond3 cond4 cond5 ... condN negated: ipfw add 1000 skipto 1001 cond1 cond2 cond3 cond4 cond5 ... condN ipfw add 1000

Re: improving transport over lossy links ?

2006-05-19 Thread Ian Smith
On Fri, 19 May 2006 at 11:06:48 -0400, Mike Tancsa wrote: I am looking for a way to improve the reliability of a lossy link (dialup from remote sites). I am going to try multilink PPP but was wondering if something like ng_one2many might work as well ? Does anyone have any suggestions

Re: improving transport over lossy links ?

2006-05-19 Thread Ian Smith
On Fri, 19 May 2006 at 12:38:31 -0400, Mike Tancsa wrote: At 12:06 PM 19/05/2006, Ian Smith wrote: Assuming that V.42 error correction is working properly - forced if need be - there shouldn't =be= any data loss, however slow getting through, this side of protocol timeouts of course

Re: improving transport over lossy links ?

2006-05-21 Thread Ian Smith
On Sun, 21 May 2006 at 11:09:23 -0400, Mike Tancsa wrote: At 05:26 AM 21/05/2006, Brian Candler wrote: On Fri, May 19, 2006 at 12:38:31PM -0400, Mike Tancsa wrote: Thanks for the reply. Even at 28.8 I am seeing loss with the connection dropping and seeing dropped packets (e.g.

Re: improving transport over lossy links ?

2006-05-23 Thread Ian Smith
Hi Mike, On Sun, 21 May 2006 at 16:03:39 -0400, Mike Tancsa wrote: Correct. Its always dialing into a terminal server that is connected via PRIs. Usually Lucent PM3, sometimes Cisco 5800s depending on the location they dial from. I guess you won't want to be messing with their configs,

Re: Zeroconfig and Multicast DNS

2006-08-24 Thread Ian Smith
I've been watching this thread with great interest, having recently been introduced to the possibilities of OLSR (net/olsrd) for local (and beyond) P2P wi-mesh networks, and wondering if/how zeroconf fits in. Some refs: My discovery point, a great (online) book found from a review by Geoff Huston

Re: A way to disable reception of broadcast UDP?

2006-10-11 Thread Ian Smith
On Wed, 11 Oct 2006, Yar Tikhiy wrote: Is there a well-known way for a UDP application to tell to the system that it doesn't want to receive broadcast datagrams? E.g., it would be very good for TFTP as required by RFC 1123. In general, accepting broadcast UDP is a security flaw unless

Re: A way to disable reception of broadcast UDP?

2006-10-11 Thread Ian Smith
On Wed, 11 Oct 2006, Yar Tikhiy wrote: On Wed, Oct 11, 2006 at 11:07:36PM +1000, Ian Smith wrote: On Wed, 11 Oct 2006, Yar Tikhiy wrote: Is there a well-known way for a UDP application to tell to the system that it doesn't want to receive broadcast datagrams? E.g

Re: Bad loopback traffic not stopped by ipfw.

2004-02-24 Thread Ian Smith
On Tue, 24 Feb 2004, Andrea Venturoli wrote: 4.8-RELEASE-p15: ipfw1? In /var/log/all.log I get a lot of: snort: [1:528:4] BAD-TRAFFIC loopback traffic [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 127.0.0.1:80 -> xx.xx.xx.xx:1055 (src port is always 80, dst

Re: Bad loopback traffic not stopped by ipfw.

2004-03-02 Thread Ian Smith
These packets never reach IPFW as we can see. Only point of interest being that the old 2.2.6+ IPFW sees them fine, ie they're being picked up by 'deny ip from 127.0.0.0/8 to any' here. Cheers, Ian On Sun, Feb 29, 2004 at 01:28:23AM +1100, Ian Smith wrote: On Sat, 28 Feb 2004, Tony

Re: My planned work on networking stack

2004-03-02 Thread Ian Smith
[-current out of ccs, I'm not subscribed] On Tue, 2 Mar 2004, Andre Oppermann wrote to Wes Peters: Wowsers. I can't wait to hear more. When do you expect to have a design for the ARP stuff and TCP buffer sizing, since they are underway? The ARP stuff is pretty simple and is a hash

Re: cuaa0ttyd0's bug?

2004-05-19 Thread Ian Smith
On Wed, 19 May 2004, Bernd Walter wrote: On Tue, May 18, 2004 at 09:05:52PM +0800, wsk wrote: hi, folks: It seems that the ttyd0 isn't the dialin line to login, and the cuaa0 like is both the dialin/out device! under 4.9 above and 5.X. but the ttyd0 work well under 4.8. here is my

ipfw and bridging [was: pf and bridging]

2004-12-03 Thread Ian Smith
On Fri, 3 Dec 2004, Max Laier wrote: On Thursday 02 December 2004 19:45, Petr Holub wrote: Hi all, I wonder if it is possible to use the new pf firewall together with bridging as it is possible to use it with ipf and ipfw. Unfortunately the PFIL_HOOKS in bridge.c don't work too

Re: ipfw and bridging [was: pf and bridging]

2004-12-05 Thread Ian Smith
On Sat, 4 Dec 2004, Chuck Swiger wrote: Ian Smith wrote: [ ... ] Read those ones for interest, but it leaves me wondering: can you use stateful filtering in ipfw, then? (here ipfw1 on a 4.8-RELEASE box with BRIDGE in kernel so far, but I imagine this would apply also to ipfw2

Re: transparent udp proxy

2014-10-31 Thread Ian Smith
On Fri, 31 Oct 2014 18:30:00 +0330, Hooman Fazaeli wrote: On 10/31/2014 5:30 PM, Mark Felder wrote: I'm not sure if this is what you're looking for, but perhaps the solution is in net/samplicator ? From the project's website: This simple program listens for UDP datagrams on

Re: any reason not to enable IPDIVERT for ipfw module?

2014-11-01 Thread Ian Smith
On Fri, 31 Oct 2014 18:28:28 -0700, Freddie Cash wrote: On Oct 31, 2014 12:12 PM, John-Mark Gurney j...@funkthat.com wrote: Can any one think of a good reason not to enable IPDIVERT sockets in the ipfw module? Yes, two. Nowadays people are just as or perhaps more likely to use

Re: transparent udp proxy

2014-11-01 Thread Ian Smith
On Sat, 1 Nov 2014 15:38:33 +0330, Hooman Fazaeli wrote: On 10/31/2014 8:30 PM, Ian Smith wrote: [..] : ipfw add 10 fwd localhost,7000 udp from any to any recv em1 Given these are local packets and that ipfw(8) /fwd states: The fwd action does not change the contents

Whither ep(4) on 9.3-RELEASE?

2014-11-11 Thread Ian Smith
In a conversation on questions@ re natd(8), Gary said he was about to upgrade to 9.3 from some (embarrassingly :) old version, and I said: Strangely, there's no man page for ep nor if_ep on 8.x or 9.x? To which Gary replied: ugh. That will be interesting when my upgrade starts in a few

Re: Whither ep(4) on 9.3-RELEASE?

2014-11-16 Thread Ian Smith
On Tue, 11 Nov 2014 13:15:30 -0800, John-Mark Gurney wrote: Ian Smith wrote this message on Tue, Nov 11, 2014 at 21:31 +1100: [..] So can anyone confirm that ep(4) is present on 9.3-R, even if only i386? Yeh, it looks like ep is in GENERIC on i386.. We also compile ep on amd64 too

Re: NICs devices switches pshycial place on each boot

2014-12-03 Thread Ian Smith
On Thu, 4 Dec 2014 06:01:06 +0100, Martin Hanson wrote: (Warren Block wrote:) I would use three of these sections, one with the serial number of each interface.  So: action ifconfig $device-name name wan inet ... action ifconfig $device-name name dmz inet ... action ifconfig $device-name

Re: [RFC][patch] Two new actions: state-allow and state-deny

2015-02-03 Thread Ian Smith
On Tue, 3 Feb 2015 13:23:38 +0300, Lev Serebryakov wrote: On 03.02.2015 13:04, Ian Smith wrote: Now to make stateful firewall with NAT you need to make some not very readable tricks to record state (allow) of outbound connection before NAT, but pass packet to NAT after that. I know

Re: [RFC][patch] Two new actions: state-allow and state-deny

2015-02-03 Thread Ian Smith
On Mon, 2 Feb 2015 22:17:25 +0300, Lev Serebryakov wrote: Now to make stateful firewall with NAT you need to make some not very readable tricks to record state (allow) of outbound connection before NAT, but pass packet to NAT after that. I know two: (a) skipto-nat-allow pattern from

Re: Problems with IP fragments

2015-02-10 Thread Ian Smith
On Tue, 10 Feb 2015 14:26:52 +0100, Andre Albsmeier wrote: On Tue, 10-Feb-2015 at 13:49:23 +0300, Lev Serebryakov wrote: On 10.02.2015 00:21, Andre Albsmeier wrote: The ipfw man page says: Usually a simple rule like: # reassemble incoming fragments ipfw add reass all

Re: Problems with DNSSEC -- answer in fragmented UDP doesn't work

2015-01-30 Thread Ian Smith
On Fri, 30 Jan 2015 16:57:28 -0800, Kevin Oberman wrote: On Wed, Jan 28, 2015 at 9:13 AM, Lev Serebryakov l...@freebsd.org wrote: I could not resolve names with DNSSEC (for example, in freebsd.org domain) on two of my installations, one with FreeBSD 11 and other with FreeBSD 9.3.

Re: Problems with IP fragments

2015-02-11 Thread Ian Smith
On Tue, 10 Feb 2015 19:34:20 +0100, Andre Albsmeier wrote: On Wed, 11-Feb-2015 at 04:33:15 +1100, Ian Smith wrote: On Tue, 10 Feb 2015 14:26:52 +0100, Andre Albsmeier wrote: On Tue, 10-Feb-2015 at 13:49:23 +0300, Lev Serebryakov wrote: On 10.02.2015 00:21, Andre Albsmeier wrote

Re: does nat redirect_port tcp works for you on -CURRENT?

2015-02-04 Thread Ian Smith
On Thu, 5 Feb 2015 02:14:41 +0300, Lev Serebryakov wrote: On 05.02.2015 01:16, Lev Serebryakov wrote: I have such rules in my firewall: nat 9 config redirect_port tcp 192.168.134.2:16881 16881 redirect_port udp 192.158.134.2:16881 16881 redirect_port tcp 192.168.134.2:22 2

Re: What is this?

2015-02-25 Thread Ian Smith
On Wed, 25 Feb 2015 14:59:18 +, Gary Palmer wrote: On Wed, Feb 25, 2015 at 09:30:49PM +1100, Ian Smith wrote: This snippet is from an old linux 2.4 router/firewall/proxy box, usually clockwork. Clipped this while monitoring one night, saved it, forgot, but still find it curious

What is this?

2015-02-25 Thread Ian Smith
This snippet is from an old linux 2.4 router/firewall/proxy box, usually clockwork. Clipped this while monitoring one night, saved it, forgot, but still find it curious and haven't seen anything similar before or since. 31.13.70.1 173.252.102.24 are facebook, our guy 192.168.9.21 25/9/2014

Re: ipfw, nat and stateful firewall: why keep-state on skipto works at all and how do this properly?

2015-01-30 Thread Ian Smith
On Fri, 30 Jan 2015 12:05:07 +0300, Lev Serebryakov wrote: On 30.01.2015 05:33, Julian Elischer wrote: 12700 skipto 12900 ip from any to any keep-state 12800 deny ip from any to any 12900 nat 1 ip from any to any out 12999 allow ip from any to any And rules for inbound ones

Re: Fwd: netmap-ipfw on em0 em1

2015-05-04 Thread Ian Smith
On Mon, 4 May 2015 15:29:13 +, Barney Cordoba via freebsd-net wrote: It's not faster than wedging into the if_input()s. It simply can't be. Your getting packets at interrupt time as soon as their processed and  you there's no network stack involved, and your able to receive and

Re: Patch to reduce use of global IP ID value(s) to avoid leaking information

2015-04-04 Thread Ian Smith
On Sat, 4 Apr 2015 18:11:55 +0100, Robert N. M. Watson wrote: On 4 Apr 2015, at 16:59, Hans Petter Selasky h...@selasky.org wrote: Thank you Robert for this most interesting dissertation. And thanks Hans for the provocation to draw it forth .. cheers from the peanut gallery, Ian

Re: RTT and TCP Window size doubts, bandwidth issues

2015-04-08 Thread Ian Smith
On Wed, 8 Apr 2015 00:10:51 +0200, Marek Salwerowicz wrote: Hi list, I am trying to find correct setup of sysctl's for following machines (VMs under Vmware Workstation 8) to test large TCP window size: There are 2 boxes, each of them has following setup: - % uname -a FreeBSD

Re: question on NAT + IPFW

2015-06-12 Thread Ian Smith
On Fri, 12 Jun 2015 08:59:40 +0200, Guido Falsi wrote: looks correct, assuming xl0 is your internal interface (better put it in a variable and use the variable in your rules imho) Forgot one thing, working around this block is as easy as changing the machine IP, teenager can learn

Re: question on NAT + IPFW

2015-06-12 Thread Ian Smith
On Thu, 11 Jun 2015 19:49:06 -0700, John Reynolds wrote: Hello all, I've read in sections 30.4.4 and 30.4.3 of the handbook about using IPFW and I've got some clarification questions. 1) When you're using any sort of firewall rules outside the open/client/simple/closed, etc. pre-canned

Re: question on NAT + IPFW

2015-06-12 Thread Ian Smith
On Fri, 12 Jun 2015 10:24:05 +0200, Guido Falsi wrote: On 06/12/15 10:07, Ian Smith wrote: On Fri, 12 Jun 2015 08:59:40 +0200, Guido Falsi wrote: looks correct, assuming xl0 is your internal interface (better put it in a variable and use the variable in your rules imho

Re: a couple /etc/rc.firewall questions

2015-08-23 Thread Ian Smith
On Sun, 23 Aug 2015 08:44:53 +0900, Hiroki Sato wrote: Don Lewis truck...@freebsd.org wrote in 201508222103.t7ml3gax000...@gw.catspoiler.org: tr The example /etc/rc.firewall has provisions to use either in-kernel NAT tr or natd for the open and client firewall types, but the simple

Re: bugzilla chatter?

2015-08-05 Thread Ian Smith
On Thu, 6 Aug 2015 01:13:31 +1000, Kubilay Kocak wrote: On 6/08/2015 1:02 AM, Sean Bruno wrote: On 08/04/15 16:13, grenville armitage wrote: de-lurk I'm curious about the uptick of bugzilla chatter turning up in freebsd-net@ the last few days. Whilst I can filter it

RE: Timing issue with Dummynet on high kernel timer interrupt

2015-11-06 Thread Ian Smith
On Sat, 7 Nov 2015 01:51:29 +, Rasool Al-Saadi wrote: > On Saturday, 7 November 2015 2:05 AM, Hans Petter Selasky wrote: > > On 11/06/15 11:08, Luigi Rizzo wrote: > > > On Fri, Nov 6, 2015 at 10:52 AM, Hans Petter Selasky > > wrote: > > >> On 11/06/15 09:50, Luigi

Re: Struggling with IPFW on CURRENT

2015-10-08 Thread Ian Smith
On Wed, 7 Oct 2015 08:57:42 -0500, Mark Felder wrote: > Hi all, > > I've only used IPFW in the past for the most basic of tasks. I'd like to > use it with in-kernel NAT protecting both v4 and v6 and add > dummynet/pipe later, but I have to get the basic working first. I'm > either

Re: nice stuff from cloudflare (and, we need something like ethtool!)

2015-10-15 Thread Ian Smith
On Thu, 15 Oct 2015 17:03:55 +0800, Julian Elischer wrote: > On 10/10/15 10:59 PM, Luigi Rizzo wrote: > > the nice folks at cloudflare implemented a nice feature > > in netmap that puts some queues of the NIC in netmap mode > > leaving others attached to the host stack > > > >

Re: ixl 40G bad performance?

2015-10-20 Thread Ian Smith
On Mon, 19 Oct 2015 21:47:36 -0700, Kevin Oberman wrote: > > I suspect it might not touch the c states, but better check. The safest is > > disable them in the bios. > > > > To disable C-States: > sysctl dev.cpu.0.cx_lowest=C1 Actually, you want to set hw.acpi.cpu.cx_lowest=C1 instead.

Re: HELP! Mysterious socket 843/tcp listening on CURRENT system

2015-09-16 Thread Ian Smith
On Tue, 15 Sep 2015 07:51:11 -0600 (MDT), Warren Block wrote: > On Tue, 15 Sep 2015, Ian Smith wrote: > O. Hartmann wrote: > > > But that is an other issue and it is most likely > > > due to the outdated documentation (that doc still uses port 37 for NTP

Re: HELP! Mysterious socket 843/tcp listening on CURRENT system

2015-09-15 Thread Ian Smith
On Tue, 15 Sep 2015 09:47:57 +0200, O. Hartmann wrote: > On Tue, 15 Sep 2015 10:21:21 +0300 > Kimmo Paasiala wrote: > > > On Tue, Sep 15, 2015 at 10:06 AM, O. Hartmann > > wrote: > > > Hopefully, I'm right on this list. if not, please

Re: arp response fails

2015-12-16 Thread Ian Smith
On Tue, 15 Dec 2015 23:47:39 +0100, bcs wrote: [..] > I use ipfw but "ipfw -q -f flush" didn't solve the issue. Here are my [..] > /boot/loader.conf: > ipfw_load="YES" > net.inet.ip.fw.default_to_accept=1 ipfw(8): Tunables can be set in loader(8) prompt, loader.conf(5) or kenv(1) before

Re: gateway machine port redirect question

2016-02-22 Thread Ian Smith
On Sun, 21 Feb 2016 16:32:53 -0800, Julian Elischer wrote: > On 20/02/2016 6:22 PM, Valeri Galtsev wrote: > > Dear Experts, > > > > I'm one of Linux refugees who several years ago migrated majority of > > servers from Linux to FreeBSD and is happy since. When recently I needed > > to set up

Re: ipfw NAT /etc/rc.firewall question

2016-01-24 Thread Ian Smith
On Sun, 24 Jan 2016 17:41:17 -0700, Russell L. Carter wrote: > Hi, > > I am making myself learn better how ipfw works. I am curious about > the optimal location of the NAT rule definition code. My immediate > application is a generic NATing gateway with an outside iface armored > up and

Re: Source routing howto

2016-03-09 Thread Ian Smith
On Wed, 9 Mar 2016 14:40:16 +0100, el...@sentor.se wrote: > On Wed, 9 Mar 2016, Jan Bramkamp wrote: [..] > > I would avoid policies based on IP addresses and prefer to define policies > > based on (pseudo-) interfaces e.g. route (and nat?) traffic from vlan123 > > through the VPN tunnel. >

Re: IPFW with NAT : Problems with duplicate packets on FreeBSD 10.3-RC3

2016-04-07 Thread Ian Smith
On Thu, 7 Apr 2016 17:08:38 +0100, Dr Josef Karthauser wrote: [ AppleMail msgs fail to quote properly in pine, so a partial quote: ] > Looks like the first packet is being retransmitted, which means that > the nat is probably misconfigured and the TCP connection is broken in > some strange

Re: Working divert socket example prog?

2016-04-29 Thread Ian Smith
On Fri, 29 Apr 2016 00:32:05 -0300, lpa lpa wrote: > On Thu, Apr 28, 2016 at 4:06 PM, Nikolay Denev wrote: >> Hi, >> >> Have you looked at the natd(8) source code? > yes but it's a complete application, it does a lot of stuff and I am > not able to "clean" it up to

Re: Some questions about in-kernel NAT

2017-03-08 Thread Ian Smith
On Wed, 8 Mar 2017 16:52:36 +0100, Andrea Venturoli wrote: Just on one point: > Second question: > _ if I issue "ipfw nat 2 config if re0", I'll see the output "ipfw nat 2 > config if re0"; > _ if I issue "ipfw nat 2 config ip 192.168.0.1", I'll see the output "ipfw > nat 2 config ip
