Hi--
On Jan 26, 2012, at 9:24 AM, satish amara wrote:
I have question regarding the size of the state table kept in FreeBSD for
stateful packet inspection. Say we have a valid senario where we have
stateful firewall rule for HTTP and we get lot of incoming new HTTP session
and state table is
On Feb 8, 2012, at 1:53 PM, Коньков Евгений wrote:
some host on LAN can send packets to MAC address of FreeBSD server
and server accept packets even if frame is not in its subnet and pass them
further %-)
details here
http://www.freebsd.org/cgi/query-pr.cgi?pr=164914
Um, what were you
On Mar 13, 2012, at 10:18 PM, hiren panchasara wrote:
What difference does it make when I have each (separately) in my rc.conf:
1) no network_interfaces at all
2) network_interfaces=AUTO
These two are the same.
3) network_interfaces=em0
This will configure em0 only, using ifconfig_em0 if
On Mar 14, 2012, at 3:32 PM, Adarsh Joshi wrote:
I assigned a 00:00:00:00:00:00 MAC address to one of my interfaces on a
machine and tried to ping the peer machine. The ping did go through fine.
I can the see the request and reply packets on the packet capture. I am
wondering if that is
On Mar 14, 2012, at 4:05 PM, Adarsh Joshi wrote:
Thank you for the quick replies.
I am aware of the importance of the second bit. By invalid, I was wondering
if that particular address is reserved or if it has any special meaning or
purpose.
There isn't a special meaning for all-zeros MAC
On Mar 15, 2012, at 12:49 PM, Seyit Özgür wrote:
Today we tried to see what happens Malformed syn packets on FreeBSD 9.0
release..
Those packets rise to CPU %100 and stucks..
listening on ix0, link-type EN10MB (Ethernet), capture size 65535 bytes
18:33:30.010215 IP
On Mar 15, 2012, at 1:17 PM, Seyit Özgür wrote:
Thanks for quick reply.. but i don't use firewall. i tried to use PF..
Packer filter stucks up to 100.000 syn packets flooding(on open port)..
Without packet filter it handle much more syn flooding. Like 1Mpps can handle
w/o interrupts that i
On Mar 21, 2012, at 7:15 AM, Seyit Özgür wrote:
Hello chris,
I'm Chuck, but no matter.
Here i get tcpdump with X param..
First look input errors.. its about 60 mbit/sec and much more packets can't
process
packets errs idrops bytespackets errs bytes colls
36356
On Apr 9, 2012, at 12:33 PM, Randy Bush wrote:
dum0# ipfw 900 pipe 1 config queue 20 delay 10ms
remove the '900'
ipfw pipe 1 config queue 20 delay 10ms
thanks! but ...
sure, it's not really part of the programmitic sequence. but one can
not see it's there!
randy
dum0# ipfw
On Apr 9, 2012, at 3:27 PM, Randy Bush wrote:
Try ipfw pipe show instead
thanks!
You're most welcome.
now to figure out what all that means. especially worried about the
queue length, as will be using varying delays in an experiment.
Well, you should look at your bandwidth-delay
On Apr 21, 2012, at 4:41 AM, Dmitry S. Kasterin wrote:
The DYNAMIC RULES section gives the following recommendation:
ipfw add check-state
ipfw add deny tcp from any to any established
ipfw add allow tcp from my-net to any setup keep-state
Is the second rule
Hi--
On Feb 19, 2013, at 10:42 AM, Alex Yong wrote:
I've been looking around in the IPv6 code recently and I noticed that
time_second seems to be the clock of choice for calculating expiry times
for prefixes, routers and addresses. Is there any specific reason it uses
wall clock time and not
Hi--
On Mar 13, 2013, at 8:21 AM, Matt Miller wrote:
If we have a connection that has received a SYN and ip_output()
returns, say, EHOSTUNREACH, is there anything that guarantees the
connection would always eventually be dropped if the condition
persists?
If the local TCP stack is unable to
On Oct 28, 2010, at 1:21 PM, Коньков Евгений wrote:
[ ... ]
What is sysctl kern.clockrate, and have you increased kern.hz in
/boot/loader.conf to at least 1000, if not 2000 or 4000?
Polling mode operation generally performs better when using older 100Mbs
ethernet NICs which do not support
On Oct 28, 2010, at 11:39 PM, Коньков Евгений wrote:
Здравствуйте, Chuck.
Um, greetings?
Вы писали 28 октября 2010 г., 23:41:58:
CS On Oct 28, 2010, at 1:21 PM, Коньков Евгений wrote:
[ ... ]
CS What is sysctl kern.clockrate, and have you increased kern.hz
CS in /boot/loader.conf to
Hi, Rozhuk--
On Dec 7, 2010, at 11:19 AM, rozhuk...@gmail.com wrote:
Hi!
1. ah-ar_hln - is depend from ar_hrd?
Yes, and for ARPHRD_ETHER is 6 (ETHER_ADDR_LEN)
For ARPHRD_IEEE1394 - sizeof(struct fw_hwaddr)
ah-ar_hln ignored in ether_output: bcopy(ar_tha(ah), edst, ETHER_ADDR_LEN);
If you
On Dec 13, 2010, at 11:54 AM, Gabor Radnai wrote:
Realtek 8111 is not supported - that's the final conclusion? If so can this
be made clear in re driver manual?
At least some people have reported the Realtek 8111 working for them.
This said, Realtek's older 10/100 NICs were infamous for being
On Jan 7, 2011, at 4:26 PM, Boris Kochergin wrote:
As everything else I can think of zero-pads them, this makes it a little
annoying to grep for addresses, etc. Is this intentional? It is the case in
7.x through CURRENT and the fix is quite simple:
+1. MAC addresses should be displayed as
On Jan 13, 2011, at 1:42 PM, Charles Owens wrote:
This is very good news overall, in that we can certainly disable polling for
igb. This begs the question, though, as to whether polling is recommended
these days at all for em/igb NICs... or even in general. From other
conversations we've
On Jan 13, 2011, at 8:54 PM, Bruce Evans wrote:
To quote an earlier post:
Polling mode operation generally performs better when using older 100Mbs
ethernet NICs which do not support interrupt mitigation and various
capabilities like TSO4; gigabit ethernet NICs are smarter hardware and can
On Jan 14, 2011, at 2:12 AM, Bruce Evans wrote:
On a good day, my MUA sends Content-type: text/plain; format=flowed and
should contain line breaks following the 80-character-per-line Usenet
conventions, which modern MUAs might well reassemble based upon the user's
window size. If it is
On Jan 18, 2011, at 6:14 AM, Axel Rau wrote:
Am 18.01.2011 um 14:40 schrieb Artyom Viklenko:
Make sure DB2 got ICMP need-frag message and it not blocked.
Also, check sysctl variable 'net.inet.tcp.path_mtu_discovery'.
Yes to both. So this is a bug in 8.1?
If DF is true and the packet exceeds
On Feb 18, 2011, at 1:12 PM, Oliver Lehmann wrote:
that unfortunally requires QT for whatever reason (yeah KDE - but
QT for a proxy??) I do not have this on my router of course :(
Most of this stuff uses subnet-local broadcasts to perform device discovery.
It would probably be a lot easier to
On Apr 4, 2011, at 11:58 AM, Marc G. Fournier wrote:
Be careful; multiple access from different processes even on a single host
can still run into locking issues against NFS filesystems, or data
corruption if locking isn't available. You're most at risk with local
delivery to an mbox-style
On Apr 4, 2011, at 12:14 PM, Marc G. Fournier wrote:
OK-- Cyrus IMAP uses a variant of maildir, so you're relatively safe even if
locking is not available.
So, just to get this clear ...
If I were to boot a diskless station using an NFS backend, then that instance
would be prone to
On Apr 4, 2011, at 11:09 AM, Marc G. Fournier wrote:
'k, based on someone else's recommendation, I add 'nolockd' to the mount
entry,a nd postfix now appears to work ... since I can safely guarantee that
only the one host will have access to these files, that doesn't pose a
porblem for me,
On Apr 4, 2011, at 12:37 PM, Marc G. Fournier wrote:
Okay, next question ... if lockd is running, should fcntl locks work? My
read of the NFS_README.html above indicates to me that they should ... but if
that is the case, then it comes back to why doesn't it?
If rpc.lockd was bug-free and
Hi, Rick--
On Apr 4, 2011, at 5:24 PM, Rick Macklem wrote:
On Apr 4, 2011, at 11:09 AM, Marc G. Fournier wrote:
Be careful; multiple access from different processes even on a single
host can still run into locking issues against NFS filesystems, or
data corruption if locking isn't available.
On Apr 5, 2011, at 1:01 AM, per...@pluto.rain.com wrote:
Chuck Swiger cswi...@mac.com wrote:
It's fairly common to scale up a mail infrastructure from one box
handling both SMTP and IMAP (or POP) to a SMTP-only box writing to
NFS-mounted user mailboxes, and have one or more dedicated reader
On Apr 6, 2011, at 1:09 AM, per...@pluto.rain.com wrote:
People tend to take advantage of the resources they have; if you
have an EMC or NetApp filer handy, it's might well be reasonable
to use it ...
s/reasonable/tempting/
When the only tool you have is a hammer, every problem tends to
On Apr 7, 2011, at 8:02 AM, Marc G. Fournier wrote:
Part of the recent thread I had about mounting nfs point to using nolockd to
disable locking ... checking the mount_nfs man page, it lists 'lockd' as a
deprecated option, but doesn't list 'nolockd' anywhere ...
Much as with gcc, if mount
On Apr 25, 2011, at 11:47 AM, fbsdm...@dnswatch.com wrote:
I have a /24 with a prefix of 168.103.150.xxx with a gateway on this prefix
(DSLmodem).
I also have a /24 with a prefix of 75.160.109.xxx
My question(s) is/are:
1) is it possible to route both of these across the same GW?
If these
On May 13, 2011, at 1:07 PM, Ivan Voras wrote:
I'm seeing an an unusual problem at a remote machine; this machine is
the FreeBSD server, and the client is a probably Windows machine (but I
don't know the details yet). Something happens which causes FreeBSD to
send ACKs to the client, and the
On May 17, 2011, at 6:16 AM, Cole wrote:
I was hoping to keep this clean, and use existing methods for hooking
into the stream. Also the goal im working for is to be able to use
this on a box doing routing to hopefully get some sort of compression
working between 2 end points. So most of the
On Jul 4, 2011, at 6:32 PM, Charles Sprickman wrote:
We're running a few 8.1-R servers with Broadcom bce interfaces (Dell R510)
and I'm seeing occasional packet loss on them (enough that it trips nagios
now and then). Cabling seems fine as neither the switch nor the sysctl info
for the
On Jul 6, 2011, at 11:01 AM, Marek Salwerowicz wrote:
The idea is to share the Internet connection to both networks, and block any
traffic between them.
I was trying to set up the firewall like this:
#!/bin/sh
cmd=ipfw -q
$cmd flush
$cmd add 50 check-state
$cmd add 80 divert
On Jul 6, 2011, at 12:27 PM, Kevin Oberman wrote:
1 in 10**6? That is totally excessive.
It's high for a switched LAN, but I'd imagine you remember collision rates on
hubs, which might well exceed 1% of the packets when the network is under load.
The Ethernet spec requires no worse than
On Jul 6, 2011, at 5:50 PM, Kevin Oberman wrote:
[ ... ]
Any modern Ethernet should be running full-duplex.
Sure. With a price point of ~$10 per port for unmanaged gigabit switches
nowadays, this is cheap enough that it's widely deployed even for SOHO and
small offices. Also, I don't believe
On Jul 7, 2011, at 4:45 AM, Paul Keusemann wrote:
My setup is something like this:
- My local network is a mix of AIX, HP-UX, Linux, FreeBSD and Solaris
machines running various OS versions.
- My gateway / firewall machine is running FreeBSD-8.1-RELEASE-p1 with ipfw,
nat and racoon for the
On Jul 12, 2011, at 12:26 PM, Paul Keusemann wrote:
So, any other ideas on how to debug this?
Gather data with tcpdump. If you do it on one of the VPN endpoints, you ought
to see the VPN contents rather than just packets going by in the encrypted
tunnel.
Anybody know how to get racoon to
On Aug 9, 2011, at 4:57 AM, Marek Salwerowicz wrote:
Right now everything works from the Internet - if I do ssh to xx.yy.zz.170, I
really can connect to host 192.168.0.10 etc.
The problem is that when I want to connect from my 10.0.0.0/24 network (and
even from router) to any DMZ host,
On Aug 9, 2011, at 6:15 AM, Marek Salwerowicz wrote:
It's not working because you configured natd to work against traffic flowing
via vr3, but traffic from your LAN is coming via vr0. While you can change
natd to run against all traffic, it's much better to avoid re-writing purely
internal
On Aug 9, 2011, at 6:45 AM, Marek Salwerowicz wrote:
W dniu 2011-08-09 15:26, Chuck Swiger pisze:
dummynet (or Altq, or whatever else you might be using) works fine with pure
routing config, yes-- you don't have to NAT traffic to do bandwidth control
on the router.
How it should be done
Hi--
On Sep 26, 2011, at 9:53 AM, Martin Wilke wrote:
Any other Idea what we can do to get a failover between both servers?
Multi datacenter failover is *hard*. You have to evaluate which parts are
static systems-- ie, display the same web images from all DCs, provide a
current UTC timestamp
On May 4, 2008, at 6:32 AM, [EMAIL PROTECTED] wrote:
Can I port 4.4BSD-Lite's TCP/IP protocol stack soure code to my own
OS kernel which is GPL Licence?
Modern 2- or 3-clause BSD licenses are fully compatible with the GPL,
as are most simple, permissive licenses like the MIT/X11, Zlib, and
On Jun 27, 2008, at 1:01 PM, Freddie Cash wrote:
Mainly, I'm wondering where to put the ipfw queue rules (the ones
that send the packets to dummynet), in relation to the packet
filtering rules, or if it even matters.
For instance, do the queue rules apply to all the rules in the set, or
only to
On Jun 27, 2008, at 3:01 PM, Freddie Cash wrote:
[ ... ]
If net.inet.ip.fw.one_pass is true, then you definitely want to
apply your
deny rules first, as once something matches a pipe rule, it's going
to be
passed. The tradeoff is that the accounting/fairness of traffic is
less
accurate
David DeSimone wrote:
[ ... ]
Again, I did see these messages in my environment, but in my case, the
error was correct: The IP *was not* on the local network. The reason
being that we had multiple subnets configured on the same broadcast
domain, so the BSD box could indeed hear ARP for subnets
On Jul 17, 2008, at 3:33 PM, Doug Barton wrote:
[ ... ]
About the ntp stuff, 2 questions. First, you did not make the same
changes in the NTP section in the second hunk as you did in the
first, is that intentional? Second, wouldn't it be better to
specify the port number (123) on both
Hi, all--
On Aug 6, 2008, at 11:50 AM, Bill Moran wrote:
It seems, however, that the packets would just go to local
network. Is
it possible to get packets to non-conflicting IP addresses (i.e. only
exist in either local network, or remote VPN'ed network) to go
through
the tun0 device?
On Oct 27, 2008, at 2:53 PM, Eitan Shefi wrote:
When I change the MTU to a value greater then 1500, for example 3000,
and then send ping with message size 2500, from one host to the
other,
the other host gets more then one ICMP packet, even thaw the message
that was send is match smaller then
On Jan 16, 2009, at 3:50 AM, Eugene Perevyazko wrote:
On Fri, Jan 16, 2009 at 12:20:21PM +0300, Alexey Ivanov wrote:
Is there any command identical to:
iptables -A INPUT -p tcp -m tcp -dport 80 -j TARPIT
If no, does anyone ever tried to implement this feature?
I'm thinking on
On Feb 26, 2009, at 3:43 PM, Shawn Everett wrote:
Here's a weird one... I set up FreeBSD 5.2 to act as a router.
[ ... ]
Any suggestions would be appreciated.
Try upgrading to a supported version of the OS, first, then work on
debugging any deadlocks if they still reoccur.
Early 5.x
On May 13, 2009, at 12:29 PM, Brett Glass wrote:
It has not been committed yet but I beleieve is ready to go in, you
can
find the code on the svn branch
http://svn.freebsd.org/viewvc/base/projects/l2filter/
How does one generate a diff between this code and, say, 7.1-RELEASE
or 7.2-RELEASE
Hi--
On Jun 19, 2009, at 10:44 AM, Harti Brandt wrote:
When the TCP is in SYN-SENT state (the user has called connect())
and the peer answers with an almost-lamp test packet which has SYN,
FIN, ACK and data larger than the window, TCP ACKs a window full of
data, drops the rest, but
Hi--
On Jun 19, 2009, at 1:15 PM, Harti Brandt wrote:
CSSee figure 12-- I think you should be sending a RST back
I think this is too drastic. A segment is unacceptable only if it is
completly out of the window. Here part is in the window.
Well, perhaps you're right that it would be
On Oct 30, 2009, at 5:22 PM, Sebastian Hyrwall wrote:
A /31 subnet is only defined for point-to-point network links, per:
http://www.rfc-editor.org/rfc/rfc3021.txt
Ordinary ethernet links have BROADCAST flag set instead of
POINTOPOINT.
Well how do I set the POINTOPOINT flag and remove
Hi--
On Feb 16, 2010, at 2:09 PM, Martin Lopreiato wrote:
note: if i use a configured address, my code works perfectly. so the
error message i'm getting when trying to forge an ipv6 address does
not seem to be related to a bug in my code.
You're not trying to send this traffic from a jail, by
On Mar 26, 2010, at 3:08 AM, Giulio Ferro wrote:
Outset:
1 NFS server (with lockd)
2 NFS client (with lockd)
The clients serve several jails with apache, whose data (www) resides on the
server
If you need file locking to work reliably, you pretty much have to give up on
using NFS +
Hi, all--
On Apr 26, 2010, at 1:59 AM, Guido Falsi wrote:
Regarding launchd, I don't know much about it, but I do like the rc
system and having the boot sequence managed by scripts one can easily
modify to taste. I'd rather not modify this system with some daemon
performing obscure tasks
Hi, Lev--
On Jul 26, 2010, at 10:14 PM, Lev Serebryakov wrote:
I have huge losses (netstat -s -p tcp shows 4% of packets, but
35% of bytes are retransmitted) on my intenret connection, which is PPPoE over
100Mbit ehternet link.
This description means larger packets are having
On Oct 12, 2010, at 9:30 AM, Tom Evans wrote:
[ ... ]
Thats what I said wasn't it?
Oh wait, I missed the words 'If we assume it doesn't have an MX record' :/
Yep. Perhaps we are in violent agreement...? :-)
--
-Chuck
___
freebsd-net@freebsd.org
On Oct 12, 2010, at 8:30 AM, Tom Evans wrote:
Taking the '5.3. Master file example' in RFC1035, what is the A response
for 'ISI.EDU.' where the domain itself has no specific A RR? Would it
be that of VENERA.ISI.EDU, or that of the first A listed, ie A.ISI.EDU?
That domain has an MX record,
On Feb 12, 2007, at 7:16 AM, Fernando Gont wrote:
Looking at FreeBSD's TCP implementation, I see that by default,
ephemeral ports are selected from the range 49152-65535. This means
that only 15K ports out of the available 65K port range are used
for ephemeral port selection.
You can
On Mar 20, 2007, at 3:31 PM, Jon Otterholm wrote:
Basically I have a admin-net where all routers and switches are
connected. On this net I have a nagios-machine for surveillance
(running
FreeBSD). Sometimes when my Nagios sends icmp-echo-replies to
equipment
on my admin-net my
Stefan Lambrev wrote:
I'm having very strange problem.
I have near 200 sockets reported by netstat -An, which are NOT reported
by sockstat and fstat.
All of them look like (output from netstat -An) :
ff0169282000 tcp4 0 0 192.168.13.12.4965
192.168.13.3.8080 FIN_WAIT_2
I'm
On Apr 24, 2007, at 11:19 AM, Alexandre DELAY wrote:
I am searching for a solution to my problem.
I have a fixed NFS server connected to Internet. Clients have
dynamic IP
addresses. How can I secure clients NFS connections?
Setup and use a VPN so that the clients appear to be on a trusted
On Apr 24, 2007, at 11:55 AM, Alexandre DELAY wrote:
Why not, but my probem is that my NFS server must accept 300 clients.
Using a VPN for each client will probably use a lot of processor
ressources.
Moreover I'm not sure it is possible to get so much VPN connections
on a
server.
For 300
[EMAIL PROTECTED] wrote:
Hi,
I'm looking for a network testbench / simulator to stimulate known
networking conditions to test out a component for a product at work.
I was wondering if there was a network simulator available
(preferably open source) that's FreeBSD / Linux compatible
On May 25, 2007, at 12:34 PM, Andrei Manescu wrote:
If I want to put two public IP addresses, with different
subnetmasks (my ISP is changing some subnets and for two months I
will be able to use two public ip addresses) on the same interface
(xl0) my rc.conf shuld look like this:
On Jun 15, 2007, at 12:27 AM, Jeremie Le Hen wrote:
It appears nearly impossible to firewall a NFS server on FreeBSD.
Yes and no. It's quite easy to firewall NFS along with everything
else using a default deny ruleset. It's highly difficult to place
a restrictive firewall ruleset between
On Jun 25, 2007, at 10:46 AM, John-Mark Gurney wrote:
It's not the correct behaviour if the only packet coming back is
an Ack of
the FIN (and a FIN) because in the real world, making IE7 throw an
error
screen is not an acceptable option. This is the sort of thing
that gets FreeBSD thrown out
On Jul 13, 2007, at 12:27 PM, Bill Moran wrote:
I agree with others that MTU means limit what I transmit. It
does not
mean limit what someone else can transmit to me.
Interesting viewpoint. I disagree with it, but I can't quote any
standard
or otherwise to support my view. You didn't
On Jul 13, 2007, at 1:24 PM, Stephen Clark wrote:
Designers of gateways should be prepared for the fact that
successful
gateways will be copied and used in other situation and
installations. Gateways must be prepared to accept datagrams as
large as can be sent in the maximum
On Aug 13, 2007, at 7:34 AM, Jon Otterholm wrote:
I have a problem with proxy-arp entries.
If I add an arp-entry:
arp -s $hostip $routermac permanent pub only
the router sends an arp and replies to it's own arp like:
15:40:02.074419 arp who-has $hostip tell $hostip
15:40:02.074663 arp reply
On Aug 13, 2007, at 12:19 PM, Jon Otterholm wrote:
This is a problem because some clients interpret this as an ip-
address conflict.
Are you sure that your router is issuing the ARPOP_REQUESTS?
Is the entry you've published already listed in arp -a?
Yes, the entry is already listed as an
On Oct 24, 2007, at 11:17 AM, Stephen Clark wrote:
I must be doing something wrong. I can't seem to get proxy arp to
work. Is there some
magic.
I have the following setup isp router 205.x.x.1 - 205.x.x.100/25
rl1 freebsd vr0 205.x.x.129/25
- 205.x.x.193/25
I'm not really sure what you're
On Dec 10, 2007, at 8:56 AM, rihad wrote:
Hi,
I'm having a hard time to understand what pipe queues are with
respect to bandwidth limitation. ipfw(8) and dummynet(4) manuals
didn't help me much.
Pipes and queues are two different things; a pipe simulates a network
link, and a queue is
On Jan 22, 2008, at 1:44 PM, Stephen Clark wrote:
does anyone have a program that uses the divert socket to duplicate
an incoming packet so it can be
sent to another address.
Well, I assume you could start with the ipfw tee directive and /usr/
src/sbin/natd ...?
--
-Chuck
Hi--
On Feb 14, 2008, at 9:59 AM, Nerius Landys wrote:
Howdy folks. I have several computers behind a FreeBSD router (NAT
192.168.0.x using OpenBSD's PF) . One of those computers is a Windows
machine which is using software called Cisco Systems VPN Client to
connect
to some other computers
On Apr 8, 2008, at 11:10 AM, Martes G Wigglesworth wrote:
When fielding a newer, less resource rich system as access point/
router,
I noticed that after about five minutes of a client securing a good
connection, the ip address of the ath0 device dissappeared from the
routing table, and routed
back?
Based on the source IP?
-Chuck
Chuck Swiger | [EMAIL PROTECTED] | All your packets are belong to
us.
-+---+---
The human race's favorite method for being in control of the facts
is to ignore them
behavior
when you probably can use it to help solve the problem?
-Chuck
Chuck Swiger | [EMAIL PROTECTED] | All your packets are belong to
us.
-+---+---
The human race's favorite method for being in control of the facts
On Wednesday, December 4, 2002, at 05:33 PM, Don Bowman wrote:
From: Chuck Swiger [mailto:[EMAIL PROTECTED]]
[ ... ]
Yes, but the complicated internal routes maintained within
those networks isn't your problem if your machine or network isn't BGP
peering with them.
It is in the sense that I
Petri Helenius wrote:
How do I compile/load ipfw kld so that it has default to accept which seems to be
required to allow hostnames to be used in firewall configuration loaded at boot time.
You are strongly advised to use IP addresses instead of hostnames in firewall
rulesets, to avoid DNS
Petri Helenius wrote:
[ ...using DNS in firewall rules... ]
I know that, I control the domains and additionally they are for non-critical
resources like NTP access.
OK: it's good to keep your firewall clocks syncronized.
External NTP servers are best accessed by name, agreed.
So run a NTP server
Petri Helenius wrote:
[ ... ]
That´s an another defect in ipfw client utility, it stops processing rules if
it fails to lookup something. There should at least be a switch to allow
it to continue and ignore the lines it cannot do.
If you really want to use names instead of IP addresses, try
Matthew Grooms wrote:
Is there any way to generate a udp broadcast ( all routes
255.255.255.255 ) packet using a standard sendto() without it being
translated into a local network broadcast? Is this just not allowed?
Are you trying to use 255.255.255.255 to reach something not on a local
Michael Sierchio wrote:
Barney Wolff wrote:
NAT is not a security feature,
Many would disagree with that assertion.
Many people are wrong, then. NAT is not a security feature.
Check the list archives of [EMAIL PROTECTED]...
[ ... ]
If you believe you need to NAT at even 1Gb, I'd look
very hard
Michael Sierchio wrote:
Chuck Swiger wrote:
Many people are wrong, then. NAT is not a security feature.
We simply disagree.
To the extent that security is a matter of opinion, I guess that's all right:
I'm not concerned if other people have different opinions than I do.
To the extent
Michael Sierchio wrote:
Chuck Swiger wrote:
[ ... ]
Security is an ill-defined concept. I prefer to think in terms
of mitigating risk.
Sure, that works for me.
In any case, deny_incoming offers some extra measure of security.
Does it? Serious question, as none of the connections deny_incoming
Mike Silbersack wrote:
[ ... ]
Please explain this point more.
Say I have 1000 win 9x boxes connected to the internet with routable IPs
and no firewall. How will placing them behind a NAT box make them less
secure?
man natd suggests that you've just enabled IP spoofing for the LAN:
Michael Sierchio wrote:
[ ... ]
(NB: smiley. You're not a humorless, literal-minded prat, but some
of us are.)
Nice. The last one-liner I heard that had such a good pacing to it was the
remark about some politician being off his meds and out of therapy.
--
-Chuck
Wes Peters wrote:
On Tuesday 01 July 2003 12:01, Chuck Swiger wrote:
If you have multiple interfaces, a broadcast to 255.255.255.255
should go out on all of them. That being said, the all-ones
broadcast address means all local networks, and most routers will
block such traffic from passing
Wes Peters wrote:
[ ... ]
The idea is, we have listener on each ethernet interface listening via a
bpf. The listener listens for an 'appliance discovery' packet which is
broadcast by the console application running on the admin's
workstation. When we receive this discovery packet, we're
Nick wrote:
I have a server running DHCPD, FTP, DNS (namedb), and OpenSSH. My current
network card is a 3Com 10mbit. I want to change it out for another network
card, but make it a 3com 100mbit. Am I going to have to reconfigure my
DHCP, DNS and OpenSSH to use this new interface, or is there
Stoyan Stratev wrote:
[ ... ]
The ISP is using a network with hubs therefore we receive echo packets on
the outside interface, that are not meant for our machine. The problem is
that that the box forwards those packets multiple times and so the ISP
thinks we have a virus or are doing portscans.
i
Bjorn Eikeland wrote:
[ ... ]
DUMMYNET and HZ=1 is in the kernel.
Any suggestions what can be causing this? (I've only got the one nic,
and use a adsl router for internett)
I seem to recall some issues with setting HZ very fast, in that it breaks the
uniqueness assumptions made by TCP
jha miku wrote:
In case of active open, the SYN segments always have
timestamp enabled, since the RFC flg is set. But,
Currently, I am seeing some SYN segments without
timestamp option.
FreeBSD (and OS X, and other things using a BSD network stack) will generate
initial TCP SYN packets
Miku Jha wrote:
[ ... ]
The situation is that if the client crashes, the server eventually sends a
RST (10.39.53) Following this RST, the client comes back in lets say around
2-3 minutes. Now when the client sends a SYN(10.42.23), there is no
timestamp option.
If the client opens a connection
1 - 100 of 171 matches
Mail list logo