Re: Apparent packet duplication logged by IPF
Thanks.

I am a little apprehensive about publishing my entire firewall ruleset on a public list, as you can surely understand. Especially since I am still learning, and will probably show everyone some glaring holes which have not yet closed...

Anyway, the entire ruleset does not have a single log directive:

---
root fox:~# ipfstat -nioh | grep log
root fox:~#
---

I have enabled global logging of accepted packets by 'ipf -l pass'.

Also, as you can see in the extract I sent, all the packets being logged are from my rule #21, so I think that rules out duplication due to multiple rule matches. Rule 21 is for HTTPS traffic, and it does Keep State, as can be seen in the log entries too.

As for nat, the only rule I have which affects 192.168.0.180 is this:

---
map ed1 from 192.168.0.0/16 to any -> 168.209.221.66/32
---

The result of this NAT rule can be seen in snip (2) included with my original mail.

If this is not enough info I'll email you direct with more...

Thanks for your response.

Patrick.

----- Original Message -----
From: fbsd_user [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, January 05, 2004 3:40 PM
Subject: RE: Apparent packet duplication logged by IPF

Kind of like asking someone to work in the dark. You need to post your rules for both ipf and ipnat so people can compare the log results to the actual rules.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of [EMAIL PROTECTED]
Sent: Monday, January 05, 2004 3:00 AM
To: FreeBSD Question List
Subject: IPF: Apparent packet duplication logged by IPF

Hi all.

I am having a strange situation with IPF. I am trying to log all passed packets (the log is passed to a third-party stats program for graphical analysis).

The problem is that I see many packets apparently being duplicated in the ipmon.log. The packet enters the firewall from the internal interface OK, but it appears to be transmitted out to the internet twice. Conversely, there are often multiple inbound packets from the internet which become just one on the internal interface.

See these two examples (beware of line-wrap):

1) Internet to LAN

09:30:00.508378 2x ed1 @0:21 P 196.35.72.139,443 -> 192.168.0.180,1277 PR tcp len 20 296 -AP K-S IN
09:30:00.509446 hdlc5 @0:21 P 196.35.72.139,443 -> 192.168.0.180,1277 PR tcp len 20 296 -AP K-S OUT

2) LAN to internet (168.209.221.66 is my NAT address)

09:30:00.616102 hdlc5 @0:21 P 192.168.0.180,1277 -> 196.35.72.139,443 PR tcp len 20 40 -A K-S IN
09:30:00.616188 ed1 @0:21 P 168.209.221.66,1277 -> 196.35.72.139,443 PR tcp len 20 40 -A K-S OUT
09:30:00.616275 ed1 @0:21 P 168.209.221.66,1277 -> 196.35.72.139,443 PR tcp len 20 40 -A K-S OUT

I don't believe the packets are ACTUALLY being resent twice, because the stats I have under MRTG indicate matching traffic volumes on the corresponding interfaces.

I suspect the issue has something to do with how IPF and IPMON log the packets. But I'm not sure.

Any help in understanding/fixing this would be greatly appreciated.

Regards,
Patrick O'Reilly.

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
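An added example, not code from the thread: a small parser for ipmon entries in the format quoted above that totals logged bytes per interface and direction and lists entries that appear more than once, either through an `Nx` repeat prefix or as identical lines a few microseconds apart. The sample lines are constructed, with documentation addresses, and only TCP/UDP entries that carry ports are handled.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One ipmon entry: time, optional "Nx" repeat count, interface, @group:rule,
# action, src,port -> dst,port, protocol, header length, total length,
# TCP flags / state markers, direction.  "->?" also accepts an arrow whose
# ">" was lost in transit.
ENTRY_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d{6})\s+"
    r"(?:(?P<count>\d+)x\s+)?"
    r"(?P<iface>\S+)\s+@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>\S)\s+"
    r"(?P<src>[\d.]+),(?P<sport>\d+)\s+->?\s+(?P<dst>[\d.]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\S+)\s+len\s+(?P<hlen>\d+)\s+(?P<len>\d+)\s+"
    r"(?P<rest>.*?)\s*(?P<dir>IN|OUT)$"
)

# Constructed sample in the shape of the extracts in the thread.
SAMPLE_LOG = """\
09:30:00.508378 2x ed1 @0:21 P 198.51.100.7,443 -> 192.168.0.180,1277 PR tcp len 20 296 -AP K-S IN
09:30:00.509446 hdlc5 @0:21 P 198.51.100.7,443 -> 192.168.0.180,1277 PR tcp len 20 296 -AP K-S OUT
09:30:00.616102 hdlc5 @0:21 P 192.168.0.180,1277 -> 198.51.100.7,443 PR tcp len 20 40 -A K-S IN
09:30:00.616188 ed1 @0:21 P 203.0.113.66,1277 -> 198.51.100.7,443 PR tcp len 20 40 -A K-S OUT
09:30:00.616275 ed1 @0:21 P 203.0.113.66,1277 -> 198.51.100.7,443 PR tcp len 20 40 -A K-S OUT
"""


def parse_line(line):
    """Return a dict for one ipmon entry, or None if the line does not match."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return None
    e = m.groupdict()
    e["time"] = datetime.strptime(e["time"], "%H:%M:%S.%f")
    e["count"] = int(e["count"] or 1)   # no "Nx" prefix means logged once
    e["len"] = int(e["len"])
    e["flags"] = e.pop("rest")
    return e


def logged_bytes(lines):
    """Bytes a log-driven stats tool would count per (interface, direction)."""
    totals = defaultdict(int)
    for e in filter(None, map(parse_line, lines)):
        totals[(e["iface"], e["dir"])] += e["count"] * e["len"]
    return dict(totals)


def find_repeats(lines, window=timedelta(milliseconds=1)):
    """Group identical entries seen within `window`; return groups logged >1x."""
    clusters, latest = [], {}
    for e in filter(None, map(parse_line, lines)):
        key = (e["iface"], e["dir"], e["src"], e["sport"], e["dst"],
               e["dport"], e["proto"], e["len"], e["flags"])
        c = latest.get(key)
        # Times carry no date, so reject negative gaps (midnight wrap).
        if c is not None and timedelta(0) <= e["time"] - c["last"] <= window:
            c["count"] += e["count"]
            c["last"] = e["time"]
        else:
            c = {"iface": e["iface"], "dir": e["dir"], "src": e["src"],
                 "dst": e["dst"], "len": e["len"], "rule": e["rule"],
                 "count": e["count"], "first": e["time"], "last": e["time"]}
            latest[key] = c
            clusters.append(c)
    return [c for c in clusters if c["count"] > 1]


if __name__ == "__main__":
    for c in find_repeats(SAMPLE_LOG.splitlines()):
        print(f'{c["first"].time()} {c["iface"]} {c["dir"]} rule {c["rule"]} '
              f'{c["src"]} -> {c["dst"]} len {c["len"]} logged {c["count"]}x')
    print(logged_bytes(SAMPLE_LOG.splitlines()))
```

Comparing the per-interface byte totals from the log with interface counters such as the MRTG graphs mentioned in the post shows whether the repeats exist only in the log.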
Re: ipf - sample rulesets
Fernando - thanks!

I have not yet learned to rely on google - but I will get there

This is what I found:
http://www.obfuscation.org/ipf/ipf-howto.html

Regards,
Patrick.

----- Original Message -----
From: Fernando Gleiser [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: FreeBSD Question List [EMAIL PROTECTED]
Sent: Thursday, October 09, 2003 5:43 PM
Subject: Re: ipf - sample rulesets

On Thu, 9 Oct 2003 [EMAIL PROTECTED] wrote:

> Hi all.
>
> Are there any good references and/or sample ipf rulesets that I could use to look-and-learn from.

Search google for the IPF HOWTO and the FAQ.

Fer
portupgrade -Fa
Here's a strange thing:

I have a number of servers which all run a portupgrade script every night to fetch the latest distfiles automatically. I then complete the upgrade when I decide I'm in the mood :)

The strange part is that on some of the servers the script works just fine, and on others it runs, and emails me what looks like a job well done, but the distfile has NOT been fetched. When I then go to do the actual upgrade, the distfile must first be fetched by portupgrade before it proceeds to build.

Does anyone know what might cause this?

Regards,
Patrick.

PS: here is the script which is triggered by cron:

=
#!/usr/local/bin/bash
# Copyright 2002,2003 - Perimeter Networks CC. All rights reserved.
# PCR:manualmars.connectivit.net:/peri/scr/cron/portupgrade
# 09/10/2003 Patrick O'Reilly
#--#
# !!! THIS FILE IS MAINTAINED BY PCR!!! #
# !!! DO NOT MAKE CHANGES MANUALLY - THEY WILL BE LOST !!! #
#--#
# Perimeter's cronified portupgrade -Fa script
# 19/09/2003 11:20
(
echo "Running 'portupgrade -Fa' on mars ..."
echo "`date`: portupgrade -Fa"
echo
cd /usr/ports
/usr/local/sbin/portupgrade -Fa
echo
echo "`date`: Done."
echo "That's All Folks!"
) | mail -s "[mars] portupgrade -Fa" [EMAIL PROTECTED]
=
Error building XFree86-Clients
Hi Folks!

I have a number of XFree86 Font ports which will not upgrade from 4.2 to 4.3, and in each case the error is as below.

I'm afraid the error /usr/libexec/elf/ld: cannot find -lXfont does not mean much to me! Can anyone give a pointer here?

snip
--- Installing the new version via the port
=== XFree86-fontEncodings-4.3.0 depends on executable: ucs2any - not found
===Verifying reinstall for ucs2any in /usr/ports/x11/XFree86-4-clients
=== Building for XFree86-clients-4.3.0_2
making all in lib/lbxutil/lbx_zlib...
making all in lib/lbxutil/delta...
making all in lib/lbxutil/image...
making all in programs/appres...
making all in programs/bdftopcf...
rm -f bdftopcf
cc -o bdftopcf -O -pipe -ansi -Dasm=__asm -Wall -Wpointer-arith -Wundef -L/usr/ports/x11/XFree86-4-clients/work/xc/exports/lib bdftopcf.o -lXfont -lfntstubs -L/usr/X11R6/lib -lz -lm -Wl,-rpath,/usr/X11R6/lib
/usr/libexec/elf/ld: cannot find -lXfont
*** Error code 1

Stop in /usr/ports/x11/XFree86-4-clients/work/xc/programs/bdftopcf.
*** Error code 1
/snip

--
Regards,
Patrick O'Reilly.
Re: Error building XFree86-Clients
On Saturday 09 August 2003 21:41, Kent Stewart wrote:
> You upgraded an old version of -server, which deleted the Xfonts that -libraries just installed. You have to reinstall -libraries to fix the problem.
>
> Kent

Thanks Kent!

What you say lines up with what Dan told me to do too. Is this a known issue - ie you MUST do -libraries AFTER -server ???

I'm busy rebuilding libraries now?

--
Regards,
Patrick O'Reilly.
Re: Error building XFree86-Clients
On Saturday 09 August 2003 21:20, Stephen Hilton wrote:
> On Sat, 9 Aug 2003 20:48:23 +0200
> Patrick O'Reilly [EMAIL PROTECTED] wrote:
>
> > Hi Folks!
> >
> > I have a number of XFree86 Font ports which will not upgrade from 4.2 to 4.3, and in each case the error is as below.
> >
> > I'm afraid the error /usr/libexec/elf/ld: cannot find -lXfont does not mean much to me! Can anyone give a pointer here?
>
> Patrick,
>
> Install portupgrade from ports and use that to upgrade. It really is the *best* IMHO way to get around these kind of problems.
>
> Regards,
>
> Stephen Hilton
> [EMAIL PROTECTED]

Hi Stephen - thanks for your response too.

I do use portupgrade actually. This is probably why I am now so lost, because usually everything just works so easily. I've tried these upgrades with and without -r and -R, all to no avail.

The only option I have NOT tried is to manually de-install the ports, and then re-install them. But that would seem pointless as this is basically what portupgrade does for you. Hurumph !

Might there be any merit in portupgrade -f on the libraries?

--
Regards,
Patrick O'Reilly.
Re: Error building XFree86-Clients
On Saturday 09 August 2003 22:05, Kent Stewart wrote:
> > What you say lines up with what Dan told me to do too. Is this a known issue - ie you MUST do -libraries AFTER -server ???
> >
> > I'm busy rebuilding libraries now?
>
> Yes, it is a known problem. If you had searched the archives, you would have found many similar problems. I just don't know where you can search the archives right now :).
>
> Kent

Oh?!? Well it's going into my personal archive right now! :)

Thanks.

--
Regards,
Patrick O'Reilly.
Re: Error building XFree86-Clients (Solution)
Hi folks!

A word of thanks to Kent and Dan who took the time to help me figure out my problem.

In the end I rebuilt XFree86-libraries using portupgrade -f, and thereafter I was able to use portupgrade to upgrade all the XFree86-font* ports from 4.2 to 4.3 without any further problems.

Apparently there was a specific issue somewhere between 4.2 and 4.3 where the installation of the XFree86-server at version 4.3 would remove a component of XFree86-libraries which is required by the XFree86-font* ports.

So, the sequence to follow is this:

1) upgrade -server to 4.3
2) upgrade -libraries to 4.3
3) upgrade -font* to 4.3

I had unwittingly done (2) before (1).

Thanks again to the more knowledgeable folks who take the time to answer questions on this list!

--
Regards,
Patrick O'Reilly.
Re: Error building XFree86-Clients
On Saturday 09 August 2003 21:39, Dan Nelson wrote:
> Wait; so you've got XFree86-libraries-4.3.0_5 installed but have no /usr/X11R6/lib/libXfont.a? I guess that might be caused by old freetype or fontconfig packages (they are currently at freetype2-2.1.4_1 and fontconfig-2.2.90_3), but I would have expected the XFree86-libraries build to have failed instead of not producing libXfont.
>
> Try running portupgrade -vf XFree86-libraries freetype2 fontconfig, then see if upgrading any of the dependent ports build.

Thanks Dan.

I was just considering the -f option a few minutes ago - so with your prompting it is busy building as we speak (well, type...).

BTW: I use 'make update' and portupgrade -Fa daily, and then run portupgrade whenever I feel the urge. I am in the habit of using -rR on portupgrade, so generally my ports are fairly current, and well co-ordinated. For example, the versions of freetype and fontconfig you listed above are correct on my system. The problems I am having here are really quite unusual.

Anyway, let's see what happens after the portupgrade -f is done. This may take a little while though.

Thanks again for your time.

--
Regards,
Patrick O'Reilly.
Re: Bandwidth Question
From: Chris [EMAIL PROTECTED]

> I was wondering what is the best way to limit bandwidth to a set of IP addresses? I've read some about dummynet. Would this be the preferred tool to use?

Yes - dummynet must be used in conjunction with ipfw. ipfw is for firewalling, but you can use it to select traffic which must be limited by dummynet.

'man ipfw' and 'man dummynet'

> Also, if someone could recommend a program to log how much bandwidth a particular IP uses per month etc..., and also display graphs about bandwidth usage I would appreciate it.

check out mrtg in the ports collection.

> Thank You
> -Chris
Alias on loopback interface???
Hi folks.

I'd appreciate any comments on the pros and cons of configuring an alias IP on the loopback interface. I've tried it and it works OK, but perhaps there are repercussions that have not occurred to me.

Why? Well I have a number of BSD gateways, each of which has numerous interfaces, and I am forever confusing myself about which IP address really identifies that box. I am planning to assign each box a unique IP for my internal admin purposes, but then got to wondering which interface is most suitable to carry this new alias. That's when I thought - Hey - why not use lo0 ?

I do run ipf/ipnat and ipfw/DUMMYNET on many of these. Clearly I will need to make provision for this unusual traffic on the lo0 interface too.

Of course, the IPs I intend using will be RFC1918 compliant private addresses.

Thanks for any comments.

Regards,
Patrick.
Re: Mount My Creation
|
| Ponder this... Why does M$FT Windows have Created, Accessed, and Modified,
| while UNIX (beware of unresearched, wide-sweeping generalizations...) only
| provides one the Last modified date and time stamp?
|

I have noticed in the man page for 'find' that the primaries allow selection based on time last accessed, last modified and last change of status. Evidently this info is held somewhere.

I don't have more info off hand, but perhaps this will nudge you in a useful direction?

Patrick.
Re: de0 recognized but not configurable
----- Original Message -----
From: Gary Aitken [EMAIL PROTECTED]

> I'm building a kernel with two ethernet devices, an ed0 and a de0. Both devices are recognized during the hardware probe at system startup:
>
> de0: Digital 21041 Ethernet irq 9 at device 18.0 on pci 0
> device_probe_and_attach: de0 attach returned 6
> ed0: Netgear EA201 Ethernet Card at port 0x240-0x25f irq 5 on isa 0
>
> I presume the device_probe_and_attach: de0 attach returned 6 has something to do with this;

Gary, just taking a flier here - I had a similar issue with another NIC which was resolved by disabling Plug 'n Play in the BIOS. Give it a try - it can't hurt :)

Patrick.
Re: Apache - mod_perl - PostgreSQL
From: Kliment Ognianov [EMAIL PROTECTED]

> [EMAIL PROTECTED] wrote:
>
> > Hi all!
> >
> > I did the portupgrade of postgresql 7.3.2 -> 7.3.3 this morning. Since then my mod_perl web pages will not talk to the databases.
>
> Update DBD::Pg through CPAN shell

Thanks Kliment.

Actually, I am using the Pg module, not DBD::Pg, nor DBI. As far as I can tell, anyways. I'm no expert on the intricacies of perl modules.

As far as I can see on CPAN, Pg has not changed since April 2000. Perhaps it does not work with the new PostgreSQL? Should I change my code to use DBD::Pg instead?

Regards,
Patrick.
mysql root user
Hi all.

Does anyone know if there is a special trick to setting the mysql root user's password after installing mysql323-server on FreeBSD?

I've done like the manuals say (mysqladmin -uroot password xyz), but all I get is:

mysqladmin: connect to server at 'localhost' failed
error: 'Access denied for user: '[EMAIL PROTECTED]' (Using password: NO)'

I don't remember any passwords being set during the installation

Regards,
Patrick.
Re: mysql root user
----- Original Message -----
From: Patrick O'Reilly [EMAIL PROTECTED]

> Hi all.
>
> Does anyone know if there is a special trick to setting the mysql root user's password after installing mysql323-server on FreeBSD?
>
> I've done like the manuals say (mysqladmin -uroot password xyz), but all I get is:
>
> mysqladmin: connect to server at 'localhost' failed
> error: 'Access denied for user: '[EMAIL PROTECTED]' (Using password: NO)'
>
> I don't remember any passwords being set during the installation

Thanks all for your replies. I realised I must have broken something, so I reinstalled the port and now it is behaving...

Regards,
Patrick.
Re: SMP Compaq DL380 G1 - hangs on boot
On Wednesday 02 April 2003 20:20, David Muir Sharnoff wrote:
> I'm trying to install FreeBSD 4.7-RELEASE on a dual CPU Compaq DL380 G1. It hangs on boot. Does anyone have a clue how to fix this?
>
> Programming 35 pins in IOAPIC #0
> IOAPIC #0 intpin 2 -> irq 0
> SMP: CPU0 apic_initialize():
> lint0: 0x lint1: 0x TPR: 0x SVR: 0x
>
> That's it. No more output.

Hmmm. I had the same thing on a similar platform once I built the kernel with SMP. Also curious, though I have reverted to a non-SMP kernel for now while I get everything else set up.

--
Regards,
Patrick O'Reilly.
PHY drivers for Proliant ML370
Hi folks!

I have been asked to set up a server for mail and FTP for a customer. The box they have supplied is a Proliant ML370 with dual CPU, SCSI RAID et al.

The most recent installation CD I have is 4.6 (I keep my kit up to date by cvsup). The 4.6 CD installs OK, but it does not recognise the on-board PHYs.

Snooping around on the Board I have found two chips which appear to me to be for the two PHY interfaces.

1) Broadcom BCM5703CKHB
2) Am79C874VC

In LINT (and GENERIC) I find references to BCM5700 and BCM5701, and also to Am79C97x - close but no cigar :(

I tried using a floppy to copy the driver code from my desktop which is currently at 4.7 patch 7. It compiled, but the kernel still fails to recognise these chips.

So - finally - can anyone advise me on next steps?

Yours in eager anticipation :)

Patrick.
Re: route settings in rc.conf - question, with details.
From: Firsto Lasto [EMAIL PROTECTED]

> Hi, I have a system with IPs assigned from 192.168.0.0/24 and 192.168.1.0/24
>
> Right now I have this in my rc.conf:
>
> defaultrouter="10.10.10.10"
> ifconfig_fxp0="inet 192.168.0.1 netmask 255.255.255.0"
> ifconfig_fxp0_alias0="inet 192.168.0.2 netmask 255.255.255.255"
> ifconfig_fxp0_alias1="inet 192.168.1.1 netmask 255.255.255.255"
>
> So, as you can see I have one default route, and both /24s use that single 10.10.10.10 as the default router. But, because I have simply added the 192.168.1.1 IP as one more plain old alias, I now get this in my logs:
>
> /kernel: arplookup 10.10.10.10 failed: host is not on local network
>
> So, how do I add 192.168.1.1 as an alias, without adding another defaultrouter, since my current defaultrouter setting is already correct ?

The problem is not with the aliases - it is (as the message says) because the default router is not on a local network. If the router is attached via fxp0, then try adding an alias like this:

ifconfig_fxp0_alias2="inet 10.10.10.1 netmask 255.255.255.0"

Then your system will know which interface to use to talk to 10.10.10.10.

---
Regards,
Patrick O'Reilly.
http://www.perimeter.co.za

To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-questions in the body of the message
Re: block icmp with ipfw
From: master [EMAIL PROTECTED]

> hi all
>
> i would like to know the syntax of ipfw to block icmp ping ? (echo and reply)

ipfw add 123 deny ip from any to any icmptypes 8

man ipfw and search for icmptypes .

---
Regards,
Patrick O'Reilly.
http://www.perimeter.co.za
Re: IPFW DUMMYNET shaping 4.6.2-R - Speed limited to half of pipe limit
From: Randy Smith [EMAIL PROTECTED]

> Hi all,
>
> I am using IPFW and DUMMYNET to do traffic shaping on 4.6.2-R gateway (uname -a below). I have set the upload to 800Kbit/s and the download to 1500Kbit/s. Here is the relevant section from ipfw.conf.
>
> add 500 pipe 1 ip from 192.169.91.16:255.255.255.240 to any
> pipe 1 config bw 800Kbit/s
> add 500 pipe 2 ip from any to 192.168.91.16:255.255.255.240
> pipe 2 config bw 1500Kbit/s
>
> If I've read the docs correctly, the network 192.168.91.16/240 should have its upload limited to 800Kbs and its download to 1500Kbs. However, MRTG is reporting that the upload traffic is maxing out at around 400Kbs. I have played with the upload speed and the connection always maxes out at about half of what I set it to.
>
> My questions:
> 1) How do I get the traffic limited to the bw I set it to?
> 2) What is causing this?
> 3) Would changing/setting the queuing method help?

Randy,

Your problem is simple: Remember that IPFW interacts with packets as they pass through interfaces. Your ipfw rules will match each packet twice - once as it enters the gateway from the source network, and a second time as it leaves the gateway en route to the destination. Both times you are queuing the packet in the same pipe. This means that each packet uses twice its own bandwidth in the pipe.

The solution is to change your rules as follows (assume fxp0 is your internet NIC):

add 500 pipe 1 ip from 192.169.91.16:255.255.255.240 to any via fxp0
add 500 pipe 2 ip from any to 192.168.91.16:255.255.255.240 via fxp0

---
Regards,
Patrick O'Reilly.
http://www.perimeter.co.za
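The double match described in the reply above, as a small model (an added example, not code from the thread). It is a simplification of how ipfw hands packets to dummynet: the inside interface name fxp1 and the host addresses are assumptions, the /28 stands for the 255.255.255.240 mask, and only fxp0 and the 800/1500 Kbit/s pipes come from the messages.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

LAN = "192.168.91.16/28"          # the shaped network (mask 255.255.255.240)
PIPE_KBIT = {1: 800, 2: 1500}     # pipe bandwidths configured in the thread
HOST = "192.168.91.17"            # assumed LAN host
REMOTE = "198.51.100.7"           # assumed internet host (documentation range)


@dataclass
class PipeRule:
    pipe: int
    src: str                      # network in CIDR form, or "any"
    dst: str
    via: Optional[str] = None     # None = match on every interface

    def matches(self, src, dst, iface):
        def addr_ok(spec, addr):
            return spec == "any" or ip_address(addr) in ip_network(spec)
        if self.via is not None and self.via != iface:
            return False
        return addr_ok(self.src, src) and addr_ok(self.dst, dst)


# Rules without an interface qualifier, and the variant with "via fxp0".
RULES_AS_POSTED = [PipeRule(1, LAN, "any"), PipeRule(2, "any", LAN)]
RULES_WITH_VIA = [PipeRule(1, LAN, "any", via="fxp0"),
                  PipeRule(2, "any", LAN, via="fxp0")]


def pipe_passes(rules, src, dst, recv_if, xmit_if):
    """Pipes a forwarded packet is queued in: the ruleset is evaluated once
    when the packet is received and once more when it is transmitted."""
    passes = []
    for iface in (recv_if, xmit_if):
        for rule in rules:
            if rule.matches(src, dst, iface):
                passes.append(rule.pipe)
                break             # first matching rule wins on each pass
    return passes


def effective_kbit(rules, src, dst, recv_if, xmit_if):
    """Throughput the flow can reach: every pass through a pipe consumes the
    packet's size from that pipe's bandwidth, so n passes leave bw / n."""
    counts = Counter(pipe_passes(rules, src, dst, recv_if, xmit_if))
    if not counts:
        return None               # flow is not shaped at all
    return min(PIPE_KBIT[p] / n for p, n in counts.items())


if __name__ == "__main__":
    for name, rules in (("as posted", RULES_AS_POSTED),
                        ("with via fxp0", RULES_WITH_VIA)):
        up = effective_kbit(rules, HOST, REMOTE, "fxp1", "fxp0")
        down = effective_kbit(rules, REMOTE, HOST, "fxp0", "fxp1")
        print(f"{name}: upload {up:.0f} Kbit/s, download {down:.0f} Kbit/s")
```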
Re: portupgrade
From: Rahim Anderson [EMAIL PROTECTED]

> On a whim I used portupgrade today, just to see how it worked and everything (this is on a box used mostly for testing) and got the following errors...
>
> dhcp-849-11# portupgrade -a
> cd: can't cd to /usr/ports/devel/ruby-fnmatch
> cd: can't cd to /usr/ports/devel/ruby-optparse
> ** The port directory for 'devel/ruby-optparse' does not exist.
> ** The port directory for 'devel/ruby-fnmatch' does not exist.
> ** The port directory for 'sysutils/pkg_tarup' does not exist.
> --- Skipping 'sysutils/portupgrade' (portupgrade-20020429) because 'sysutils/pkg_tarup' (pkg_tarup-1.2_3) failed
>
> Is this something that will resolve itself, or did I do something to cause this? all ports were updated before running portupgrade, and again afterwards to see if there had been any further changes.

I had this too - I did a pkg_delete pkg_tarup, and then ran portupgrade portupgrade, and it all _seems_ OK now.

Regards,
Patrick O'Reilly.
http://www.perimeter.co.za
Re: Traffic shaping - current best practice?
From: Fernando Gleiser [EMAIL PROTECTED]

> You need a fair sharing queueing discipline, something like CBQ. I don't know if you can do that with dummynet. I know for sure ALTQ works great for this. It supports a bunch of queueing disciplines (CBQ, RED, WFQ and others).

I recall seeing in the man page that DUMMYNET has RED and GRED algorithms built in - I don't know any more detail than that though...

---
Regards,
Patrick O'Reilly.
http://www.perimeter.co.za
/usr/doc# make
Hi all.

I have been unable to 'make' the documentation for a while now. I cannot find any reference to this problem in the Archives.

Below is the output from the 'make'. It starts from cron at 05:42 in the morning, and as you can see in the header, I killed the jade process at 09:56 - more than 4 hours later (I would expect an Athlon XP 1700 to be a bit faster than that!). The CPU was running at 100% during that time.

No doubt the error is something I have done - can someone help me identify the problem?

Regards,
Patrick O'Reilly.

----- Original Message -----
From: Charlie [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, July 25, 2002 9:56 AM
Subject: [Peri Obelix] /usr/doc# make

=== en_US.ISO8859-1
=== en_US.ISO8859-1/articles
=== en_US.ISO8859-1/articles/committers-guide
=== en_US.ISO8859-1/articles/console-server
=== en_US.ISO8859-1/articles/contributing
=== en_US.ISO8859-1/articles/contributors
=== en_US.ISO8859-1/articles/cvs-freebsd
=== en_US.ISO8859-1/articles/cvsup-advanced
=== en_US.ISO8859-1/articles/dialup-firewall
=== en_US.ISO8859-1/articles/diskless-x
=== en_US.ISO8859-1/articles/euro
=== en_US.ISO8859-1/articles/explaining-bsd
=== en_US.ISO8859-1/articles/filtering-bridges
=== en_US.ISO8859-1/articles/fonts
=== en_US.ISO8859-1/articles/formatting-media
=== en_US.ISO8859-1/articles/freebsd-questions
=== en_US.ISO8859-1/articles/hats
=== en_US.ISO8859-1/articles/hubs
=== en_US.ISO8859-1/articles/ipsec-must
=== en_US.ISO8859-1/articles/laptop
=== en_US.ISO8859-1/articles/java-tomcat
=== en_US.ISO8859-1/articles/mh
=== en_US.ISO8859-1/articles/multi-os
=== en_US.ISO8859-1/articles/new-users
=== en_US.ISO8859-1/articles/pam
=== en_US.ISO8859-1/articles/pr-guidelines
/usr/local/bin/jade -V nochunks -ioutput.html -d /usr/doc/en_US.ISO8859-1/articles/pr-guidelines/../../../share/sgml/default.dsl -ioutput.html.images -V %generate-article-toc% -D /usr/obj/usr/doc/en_US.ISO8859-1/articles/pr-guidelines -c /usr/doc/en_US.ISO8859-1/articles/pr-guidelines/../../../en_US.ISO8859-1/share/sgml/catalog -c /usr/doc/en_US.ISO8859-1/articles/pr-guidelines/../../../share/sgml/catalog -c /usr/local/share/sgml/docbook/dsssl/modular/catalog -c /usr/local/share/sgml/iso8879/catalog -c /usr/local/share/sgml/docbook/catalog -c /usr/local/share/sgml/jade/catalog -t sgml /usr/doc/en_US.ISO8859-1/articles/pr-guidelines/article.sgml article.html || (/bin/rm -f article.html false)
/usr/local/bin/tidy -i -m -raw -preserve -f /dev/null article.html
*** Error code 1 (ignored)
=== en_US.ISO8859-1/articles/problem-reports
=== en_US.ISO8859-1/articles/programming-tools
=== en_US.ISO8859-1/articles/pxe
/usr/local/bin/jade -V nochunks -ioutput.html -d /usr/doc/en_US.ISO8859-1/articles/pxe/../../../share/sgml/default.dsl -ioutput.html.images -D /usr/obj/usr/doc/en_US.ISO8859-1/articles/pxe -c /usr/doc/en_US.ISO8859-1/articles/pxe/../../../en_US.ISO8859-1/share/sgml/catalog -c /usr/doc/en_US.ISO8859-1/articles/pxe/../../../share/sgml/catalog -c /usr/local/share/sgml/docbook/dsssl/modular/catalog -c /usr/local/share/sgml/iso8879/catalog -c /usr/local/share/sgml/docbook/catalog -c /usr/local/share/sgml/jade/catalog -t sgml /usr/doc/en_US.ISO8859-1/articles/pxe/article.sgml article.html || (/bin/rm -f article.html false)
/usr/local/bin/tidy -i -m -raw -preserve -f /dev/null article.html
*** Error code 1 (ignored)
=== en_US.ISO8859-1/articles/releng
/usr/local/bin/jade -V nochunks -ioutput.html -d /usr/doc/en_US.ISO8859-1/articles/releng/../../../share/sgml/default.dsl -ioutput.html.images -D /usr/obj/usr/doc/en_US.ISO8859-1/articles/releng -c /usr/doc/en_US.ISO8859-1/articles/releng/../../../en_US.ISO8859-1/share/sgml/catalog -c /usr/doc/en_US.ISO8859-1/articles/releng/../../../share/sgml/catalog -c /usr/local/share/sgml/docbook/dsssl/modular/catalog -c /usr/local/share/sgml/iso8879/catalog -c /usr/local/share/sgml/docbook/catalog -c /usr/local/share/sgml/jade/catalog -t sgml /usr/doc/en_US.ISO8859-1/articles/releng/article.sgml article.html || (/bin/rm -f article.html false)
/usr/local/bin/tidy -i -m -raw -preserve -f /dev/null article.html
*** Error code 1 (ignored)
=== en_US.ISO8859-1/articles/releng-packages
/usr/local/bin/jade -V nochunks -ioutput.html -d /usr/doc/en_US.ISO8859-1/articles/releng-packages/../../../share/sgml/default.dsl -ioutput.html.images -D /usr/obj/usr/doc/en_US.ISO8859-1/articles/releng-packages -c /usr/doc/en_US.ISO8859-1/articles/releng-packages/../../../en_US.ISO8859-1/share/sgml/catalog -c /usr/doc/en_US.ISO8859-1/articles/releng-packages/../../../share/sgml/catalog -c /usr/local/share/sgml/docbook/dsssl/modular/catalog -c /usr/local/share/sgml/iso8879/catalog -c /usr/local/share/sgml/docbook/catalog -c /usr/local/share/sgml/jade/catalog -t sgml /usr/doc
Re: [Fwd: RE: Cannot start bind in sandbox?]
On Sunday 14 July 2002 19:13, Steve Wingate wrote:
> If you're reading this link for sandboxing BIND this is as standard as it gets.
>
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/dns.html
>
> From what I've read from you it appears you haven't done everything these steps tell you to do.

I must concur with Steve. Just yesterday I set up bind in its own little sandbox. I did it by following the instructions in the link Steve quoted above. It works just fine!

OK - I stumbled over one tiny problem. When building the statically linked 'named-xfer', the Handbook concludes with :

# cp named-xfer /etc/namedb/bin && chmod 555 /etc/namedb/bin/named-xfer

But the newly built 'named-xfer' is not in the current directory. A tiny bit of lateral thinking prompted me to look in /usr/obj`pwd` - and there it was - nice and fresh!

I actually built myself a script as I went along, because I intend doing this again in future without always reading the manual. It's brand new, so please forgive the rough edges. And I have changed a couple of things to suit my personal taste and setup.

Here's my script: (Beware line wrap in the mailer)

===
#!/usr/local/bin/bash
cd /etc/namedb
mkdir -p usr/libexec dev etc var/tmp var/run master slave
chown bind:bind slave var/*
cp /etc/localtime etc
# Move named.conf into etc/ (unless already done) and leave a symlink behind
[ -L named.conf ] || mv named.conf etc
ln -sf etc/named.conf
[ -f named.root ] && mv named.root master/FWD_root
# I'm not interested in ipv6, so I dump it
sh make-localhost
mv localhost.rev master/REV_localhost
rm localhost-v6.rev
echo '$ORIGIN localhost.
$TTL 6h
@   IN  SOA localhost. postmaster.localhost. (
        1       ; serial
        3600    ; refresh
        1800    ; retry
        604800  ; expiration
        3600 )  ; minimum
    IN  NS  localhost.
    IN  A   127.0.0.1' > master/FWD_localhost
# Build the libraries, then a statically linked named-xfer
cd /usr/src/lib/libisc
make clean all
cd /usr/src/lib/libbind
make clean all
cd /usr/src/libexec/named-xfer
make NOSHARED=yes clean all
cp /usr/obj/usr/src/libexec/named-xfer/named-xfer /etc/namedb/usr/libexec
chmod 555 /etc/namedb/usr/libexec/named-xfer
cd /etc/namedb
if [ ! -c dev/null ]
then
    cd /etc/namedb/dev
    mknod null c 2 2
    chmod 666 null
    cd /etc/namedb
fi
[ -L /var/run/ndc ] || ln -sf /etc/namedb/var/run/ndc /var/run/ndc
echo "# These three lines added by ${0}
# named_enable=\"YES\"
# named_flags=\"-u bind -g bind -t /etc/namedb /etc/named.conf\"
# syslogd_flags=\"-ss -l /etc/namedb/dev/log\"" >> /etc/rc.conf
echo "*** Remember edit /etc/rc.conf and sort out the three lines I've added! ***"
===

HTH :)

--
Regards,
Patrick O'Reilly.
Perimeter Networks CC.
cvsup-mirror
Hi everyone :)

I just installed cvsup-mirror. When it asked me about 'distributions' I was not entirely sure what that meant, so I accepted them all.

I actually just need to create a mirror from which I can locally distribute 'src-all' and 'ports-all' using cvsup on my collection of local machines. Perhaps 'doc-all' would be nice too (later).

Now, cvsup-mirror started running the distribution 'FreeBSD.cvs', and that seems to include docs, etc. Is that all I will need? What exactly are the other distributions, like 'FreeBSD-mail', etc?

Finally, can I enable/disable the distributions simply by editing the value of 'distribs=...' in the file '/usr/local/etc/cvsup/config.sh'?

Thanks.

--
Regards,
Patrick O'Reilly.
Perimeter Networks CC.