From owner-freebsd-net Sun May 21 7: 8:54 2000
Delivered-To: freebsd-net@freebsd.org
Received: from peace.mahoroba.org (peace.calm.imasy.or.jp [202.227.26.34]) by hub.freebsd.org (Postfix) with ESMTP id AD99537B77B for ; Sun, 21 May 2000 07:08:48 -0700 (PDT) (envelope-from ume@mahoroba.org)
Received: from localhost (localhost [::1]) by peace.mahoroba.org (8.10.1/3.7W-peace) with ESMTP id e4LE3sc08739; Sun, 21 May 2000 23:03:54 +0900 (JST) (envelope-from ume@mahoroba.org)
Date: Sun, 21 May 2000 23:03:54 +0900 (JST)
Message-Id: <200005211403.e4LE3sc08739@peace.mahoroba.org>
To: koji@jp.above.net
Cc: freebsd-net@freebsd.org
Subject: Re: cannot ftp to link-local address
In-Reply-To: <20000519.003843.41647712.koji@jp.above.net>
References: <20000519.003843.41647712.koji@jp.above.net>
X-Mailer: Mew version 1.94.2 on Emacs 20.6 / Mule 4.0
X-PGP-Public-Key: http://www.imasy.org/~ume/publickey.asc
X-PGP-Fingerprint: 6B 0C 53 FC 5D D0 37 91 05 D0 B3 EF 36 9B 6A BC
X-URL: http://www.imasy.org/~ume/
X-OS: FreeBSD 5.0-CURRENT
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
From: Hajimu UMEMOTO (梅本 肇)
X-Dispatcher: imput version 20000228(IM140)
Lines: 17
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>>>>> On Fri, 19 May 2000 00:38:43 +0900 (JST)
>>>>> Koji Kondo said:

koji> I'm using 4.0-stable (20000516). I cannot ftp to a link-local address.
koji> % ftp fe80::1%lo0
koji> ftp: fe80: No address associated with hostname
koji> ftp: Can't connect or login to host `fe80'

The command line syntax of ftp allows `ftp host:[/path/]file[/]'. So there is a conflict with the IPv6 address syntax. When you specify an IPv6 address, you must enclose the IPv6 address in `[' and `]'.

--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
ume@mahoroba.org ume@bisd.hitachi.co.jp ume@FreeBSD.org
http://www.imasy.org/~ume/

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message

From owner-freebsd-net Sun May 21 8:36:12 2000
Delivered-To: freebsd-net@freebsd.org
Received: from peace.mahoroba.org (peace.calm.imasy.or.jp [202.227.26.34]) by hub.freebsd.org (Postfix) with ESMTP id 062B937B7D8 for ; Sun, 21 May 2000 08:36:05 -0700 (PDT) (envelope-from ume@mahoroba.org)
Received: from localhost (IDENT:thmPzdLPNG/uJ/LOOxrllofOmQ/7td4uodV3a/KJX+2ROgRXOPULMzwc+Py65xwC@localhost [::1]) by peace.mahoroba.org (8.10.1/3.7W-peace) with ESMTP id e4LFVEc09590; Mon, 22 May 2000 00:31:14 +0900 (JST) (envelope-from ume@mahoroba.org)
Date: Mon, 22 May 2000 00:31:14 +0900 (JST)
Message-Id: <200005211531.e4LFVEc09590@peace.mahoroba.org>
To: koji@jp.above.net
Cc: freebsd-net@freebsd.org
Subject: Re: cannot ftp to link-local address
In-Reply-To: <20000522.002603.125131755.koji@jp.above.net>
References: <20000519.003843.41647712.koji@jp.above.net> <200005211403.e4LE3sc08739@peace.mahoroba.org> <20000522.002603.125131755.koji@jp.above.net>
X-Mailer: Mew version 1.94.2 on Emacs 20.6 / Mule 4.0
X-PGP-Public-Key: http://www.imasy.org/~ume/publickey.asc
X-PGP-Fingerprint: 6B 0C 53 FC 5D D0 37 91 05 D0 B3 EF 36 9B 6A BC
X-URL: http://www.imasy.org/~ume/
X-OS: FreeBSD 5.0-CURRENT
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
From: Hajimu UMEMOTO (梅本 肇)
X-Dispatcher: imput version 20000228(IM140)
Lines: 12
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>>>>> On Mon, 22 May 2000 00:26:03 +0900 (JST)
>>>>> Koji Kondo said:

koji> BTW, NetBSD-current could connect without "[" and "]" characters.

Ftp(1) doesn't have the `host:[/path/]file[/]' syntax, at least on my NetBSD-current box. So there is no conflict. :-)

--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
ume@mahoroba.org ume@bisd.hitachi.co.jp ume@FreeBSD.org
http://www.imasy.org/~ume/

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message

From owner-freebsd-net Sun May 21 8:38:22 2000
Delivered-To: freebsd-net@freebsd.org
Received: from 00.gate0.tokyo.iaest.attnet.ne.jp (00.gate0.tokyo.iaest.attnet.ne.jp [165.76.15.33]) by hub.freebsd.org (Postfix) with ESMTP id 9DD6137B7BD for ; Sun, 21 May 2000 08:38:19 -0700 (PDT) (envelope-from koji@jp.above.net)
Received: from localhost ([127.0.0.1]) by titan.jp.above.net with esmtp (Exim 3.13 #1) id 12tXcB-0000CG-00; Mon, 22 May 2000 00:26:03 +0900
Date: Mon, 22 May 2000 00:26:03 +0900 (JST)
Message-Id: <20000522.002603.125131755.koji@jp.above.net>
To: ume@mahoroba.org
Cc: freebsd-net@freebsd.org
Subject: Re: cannot ftp to link-local address
From: Koji Kondo
In-Reply-To: <200005211403.e4LE3sc08739@peace.mahoroba.org>
References: <20000519.003843.41647712.koji@jp.above.net> <200005211403.e4LE3sc08739@peace.mahoroba.org>
X-Mailer: Mew version 1.95b35 on Emacs 20.6 / Mule 4.0 (HANANOEN)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>koji> I'm using 4.0-stable (20000516). I cannot ftp to a link-local address.
>koji> % ftp fe80::1%lo0
>koji> ftp: fe80: No address associated with hostname
>koji> ftp: Can't connect or login to host `fe80'
>
>The command line syntax of ftp allows `ftp host:[/path/]file[/]'. So
>there is a conflict with the IPv6 address syntax. When you specify an IPv6
>address, you must enclose the IPv6 address in `[' and `]'.

OK. I could connect as follows.

% ftp '[fe80::1%lo0]'
Connected to fe80::1%lo0.
220 aluminum.jp.above.net FTP server (Version 6.00LS) ready.
Name ([fe80::1%lo0]:koji):

BTW, NetBSD-current could connect without the "[" and "]" characters.

% ftp fe80::1%lo0
Connected to fe80::1%lo0.
220-
220 fe80::1 FTP server (NetBSD-ftpd 20000520) ready.
Name (fe80::1%lo0:koji):

-koji

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message

From owner-freebsd-net Sun May 21 8:43:22 2000
Delivered-To: freebsd-net@freebsd.org
Received: from peace.mahoroba.org (peace.calm.imasy.or.jp [202.227.26.34]) by hub.freebsd.org (Postfix) with ESMTP id D89F937B7BD for ; Sun, 21 May 2000 08:43:18 -0700 (PDT) (envelope-from ume@mahoroba.org)
Received: from localhost (IDENT:E3y/H3ibKlbLgrHFNVfmibaigvxLAQWkKgvF0aIdfnL+2pRixPU1FlnaMSTM+/sZ@localhost [::1]) by peace.mahoroba.org (8.10.1/3.7W-peace) with ESMTP id e4LFckc09611; Mon, 22 May 2000 00:38:46 +0900 (JST) (envelope-from ume@mahoroba.org)
Date: Mon, 22 May 2000 00:38:46 +0900 (JST)
Message-Id: <200005211538.e4LFckc09611@peace.mahoroba.org>
To: koji@jp.above.net
Cc: freebsd-net@freebsd.org
Subject: Re: cannot ftp to link-local address
In-Reply-To: <200005211531.e4LFVEc09590@peace.mahoroba.org>
References: <200005211403.e4LE3sc08739@peace.mahoroba.org> <20000522.002603.125131755.koji@jp.above.net> <200005211531.e4LFVEc09590@peace.mahoroba.org>
X-Mailer: Mew version 1.94.2 on Emacs 20.6 / Mule 4.0
X-PGP-Public-Key: http://www.imasy.org/~ume/publickey.asc
X-PGP-Fingerprint: 6B 0C 53 FC 5D D0 37 91 05 D0 B3 EF 36 9B 6A BC
X-URL: http://www.imasy.org/~ume/
X-OS: FreeBSD 5.0-CURRENT
Mime-Version: 1.0
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
From: Hajimu UMEMOTO (梅本 肇)
X-Dispatcher: imput version 20000228(IM140)
Lines: 19
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>>> At Mon, 22 May 2000 00:31:14 +0900 (JST), "ume", that is,
>>> Hajimu UMEMOTO (梅本 肇) said:
>>>>> On Mon, 22 May 2000 00:26:03 +0900 (JST)
>>>>> Koji Kondo said:

koji> BTW, NetBSD-current could connect without "[" and "]" characters.

ume> Ftp(1) doesn't have the `host:[/path/]file[/]' syntax, at least on my
ume> NetBSD-current box. So there is no conflict. :-)

Sorry, I was confused. My NetBSD-current box has it and needs '[]'. My box is considerably old (1.4P). Is there any improvement in recent NetBSD-current around ftp?

--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
ume@mahoroba.org ume@bisd.hitachi.co.jp ume@FreeBSD.org
http://www.imasy.org/~ume/

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message

From owner-freebsd-net Sun May 21 11:47: 7 2000
Delivered-To: freebsd-net@freebsd.org
Received: from mail.surf1.de (mail.surf1.de [194.25.165.21]) by hub.freebsd.org (Postfix) with ESMTP id 7960137B574; Sun, 21 May 2000 11:46:59 -0700 (PDT) (envelope-from alex@cichlids.com)
Received: from cichlids.com (p3E9D38E7.dip0.t-ipconnect.de [62.157.56.231]) by mail.surf1.de (8.9.3/8.9.3) with ESMTP id UAA28521; Sun, 21 May 2000 20:46:43 +0200
Received: from cichlids.cichlids.com (cichlids.cichlids.com [192.168.0.10]) by cichlids.com (Postfix) with ESMTP id C0A93AC2C; Sun, 21 May 2000 20:47:21 +0200 (CEST)
Received: (from alex@localhost) by cichlids.cichlids.com (8.9.3/8.9.3) id UAA27192; Sun, 21 May 2000 20:46:55 +0200 (CEST) (envelope-from alex)
Date: Sun, 21 May 2000 20:46:55 +0200
From: Alexander Langer
To: freebsd-net@freebsd.org
Cc: freebsd-alpha@freebsd.org
Subject: device ed (PCI) on alphas
Message-ID: <20000521204655.A25896@cichlids.cichlids.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
X-PGP-Fingerprint: 44 28 CA 4C 46 5B D3 A8 A8 E3 BA F3 4E 60 7D 7F
X-Verwirrung: Dieser Header dient der allgemeinen Verwirrung.
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello!

I've built this Ne2000 (Realtek 8029) into the alpha.
I've fixed some stuff in the kernel and such, but now the device doesn't get attached, though it was identified correctly. That is, the call to ed_probe_generic8390() returns 0. If I comment out ed_probe_generic8390, the code fails in the test-pattern-write stuff (it joins the else {} part, which returns ENXIO).

I don't know why. Ideas?

Alex

--
I need a new ~/.sig.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message

From owner-freebsd-net Sun May 21 12: 0: 9 2000
Delivered-To: freebsd-net@freebsd.org
Received: from smtpf.casema.net (smtpf.casema.net [195.96.96.173]) by hub.freebsd.org (Postfix) with SMTP id 7411E37B935 for ; Sun, 21 May 2000 12:00:05 -0700 (PDT) (envelope-from aernoudt@wanadoo.nl)
Received: (qmail 15674 invoked by uid 0); 21 May 2000 19:00:03 -0000
Received: from unknown (HELO wanadoo.nl) (212.64.80.120) by smtpf.casema.net with SMTP; 21 May 2000 19:00:03 -0000
Message-ID: <39283216.75A95EB6@wanadoo.nl>
Date: Sun, 21 May 2000 20:59:34 +0200
From: AB
X-Mailer: Mozilla 4.72 [en] (X11; I; Linux 2.2.12 i386)
X-Accept-Language: de, en, nl, fr
MIME-Version: 1.0
To: Maxim Konovalov
Cc: Assar Westerlund , freebsd-net@FreeBSD.ORG
Subject: Re: ftpd error message: can somebody explain me what it means ?
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Maxim Konovalov wrote:
>
> > AB writes:
> > > No matter how many books/man pages I read, I can not find the
> > > explanation for this error message:
> > >
> > > ftpd[process-ID] "getpeername (/usr/libexec/ftpd): socket operation on
> > > non-socket"
> >
> > ftpd assumes it has been started from inetd and therefore that file
> > descriptor 0 is a TCP socket. If this is not the case you get the
> > error you quote above.
> >
> > I repeat: ftpd has to be started by inetd (or something inetd-like).
> >
> > /assar
>
> But if you still want to run standalone ftpd try
>
> # /usr/libexec/ftpd -D -4
>
> It works for me.

It does not work for me, however: the following is the error message I get when I use this:

ftpd[process-ID]: control socket: protocol not supported

That is strange, since the kernel has the options for INET and INET6 (the "not supported" error message).

Aernoudt

--
Aernoudt Bottemanne * Powered by FreeBSD * http://www.freebsd.org http://www.openbsd.org http://www.nlfug.nl

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message

From owner-freebsd-net Sun May 21 12:28:19 2000
Delivered-To: freebsd-net@freebsd.org
Received: from panchito.Austria.EU.net (panchito.Austria.EU.net [193.154.160.103]) by hub.freebsd.org (Postfix) with ESMTP id 4215637B5C9 for ; Sun, 21 May 2000 12:28:15 -0700 (PDT) (envelope-from Ferdinand.Cap@eunet.at)
Received: from eunet.at (innsb-088.static.AT.EU.net [193.80.64.88]) by panchito.Austria.EU.net (8.9.3/8.9.3) with ESMTP id VAA03438; Sun, 21 May 2000 21:28:02 +0200 (MET DST)
Message-ID: <3928383F.B537D193@eunet.at>
Date: Sun, 21 May 2000 21:25:52 +0200
From: Ferdinand CAP
X-Mailer: Mozilla 4.72 [en] (X11; I; HP-UX B.10.20 9000/780)
X-Accept-Language: en
MIME-Version: 1.0
To: archie@whistle.com, freebsd-net@freebsd.org
Subject: QUESTION ?
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi, please inform me if netgraph and mpd-3.0.b7 can be used on a Hewlett Packard workstation C160 using UNIX hpux10.20? My machine with 10.20 has only a SLIP protocol and I am looking desperately for a PPP protocol, so I found mpd.

Please comment

F Cap

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message

From owner-freebsd-net Sun May 21 14:53:46 2000
Delivered-To: freebsd-net@freebsd.org
Received: from bubba.whistle.com (bubba.whistle.com [207.76.205.7]) by hub.freebsd.org (Postfix) with ESMTP id 15E7537BA13 for ; Sun, 21 May 2000 14:53:26 -0700 (PDT) (envelope-from archie@whistle.com)
Received: (from archie@localhost) by bubba.whistle.com (8.9.3/8.9.2) id OAA28255; Sun, 21 May 2000 14:53:22 -0700 (PDT)
From: Archie Cobbs
Message-Id: <200005212153.OAA28255@bubba.whistle.com>
Subject: Re: QUESTION ?
In-Reply-To: <3928383F.B537D193@eunet.at> from Ferdinand CAP at "May 21, 2000 09:25:52 pm"
To: Ferdinand.Cap@eunet.at (Ferdinand CAP)
Date: Sun, 21 May 2000 14:53:22 -0700 (PDT)
Cc: freebsd-net@freebsd.org
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Ferdinand CAP writes:
> Hi, please inform me if netgraph and mpd-3.0.b7 can be used on a
> Hewlett Packard
> workstation C160 using UNIX hpux10.20? My machine with 10.20 has only a
> SLIP
> protocol and I am looking desperately for a PPP protocol, so I found
> mpd. Please comment

Nope.. sorry, it only works with FreeBSD.

-Archie

___________________________________________________________________________
Archie Cobbs * Whistle Communications, Inc.
* http://www.whistle.com

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message

From owner-freebsd-net Sun May 21 18:49:54 2000
Delivered-To: freebsd-net@freebsd.org
Received: from coconut.itojun.org (coconut.itojun.org [210.160.95.97]) by hub.freebsd.org (Postfix) with ESMTP id B46DC37BA89 for ; Sun, 21 May 2000 18:49:51 -0700 (PDT) (envelope-from itojun@itojun.org)
Received: from kiwi.itojun.org (localhost.itojun.org [127.0.0.1]) by coconut.itojun.org (8.9.3+3.2W/3.7W) with ESMTP id KAA03684; Mon, 22 May 2000 10:49:14 +0900 (JST)
To: Hajimu UMEMOTO (梅本 肇)
Cc: koji@jp.above.net, freebsd-net@freebsd.org
In-reply-to: ume's message of Mon, 22 May 2000 00:38:46 JST. <200005211538.e4LFckc09611@peace.mahoroba.org>
X-Template-Reply-To: itojun@itojun.org
X-Template-Return-Receipt-To: itojun@itojun.org
X-PGP-Fingerprint: F8 24 B4 2C 8C 98 57 FD 90 5F B4 60 79 54 16 E2
Subject: Re: cannot ftp to link-local address
From: itojun@iijlab.net
Date: Mon, 22 May 2000 10:49:14 +0900
Message-ID: <3682.958960154@coconut.itojun.org>
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>> Ftp(1) doesn't have the `host:[/path/]file[/]' syntax, at least on my
>> NetBSD-current box. So there is no conflict. :-)
>Sorry, I was confused. My NetBSD-current box has it and needs '[]'.
>My box is considerably old (1.4P). Is there any improvement in
>recent NetBSD-current around ftp?

http://cvsweb.netbsd.org/bsdweb.cgi/basesrc/usr.bin/ftp/main.c?rev=1.48&content-type=text/x-cvsweb-markup
(Jul 12 1999)

itojun

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message

From owner-freebsd-net Sun May 21 18:53:54 2000
Delivered-To: freebsd-net@freebsd.org
Received: from coconut.itojun.org (coconut.itojun.org [210.160.95.97]) by hub.freebsd.org (Postfix) with ESMTP id 5A38537B972 for ; Sun, 21 May 2000 18:53:52 -0700 (PDT) (envelope-from itojun@itojun.org)
Received: from kiwi.itojun.org (localhost.itojun.org [127.0.0.1]) by coconut.itojun.org (8.9.3+3.2W/3.7W) with ESMTP id KAA03774 for ; Mon, 22 May 2000 10:53:51 +0900 (JST)
To: freebsd-net@freebsd.org
In-reply-to: itojun's message of Mon, 22 May 2000 10:49:14 JST. <3682.958960154@coconut.itojun.org>
X-Template-Reply-To: itojun@itojun.org
X-Template-Return-Receipt-To: itojun@itojun.org
X-PGP-Fingerprint: F8 24 B4 2C 8C 98 57 FD 90 5F B4 60 79 54 16 E2
Subject: Re: cannot ftp to link-local address
From: itojun@iijlab.net
Date: Mon, 22 May 2000 10:53:51 +0900
Message-ID: <3772.958960431@coconut.itojun.org>
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>>> Ftp(1) doesn't have the `host:[/path/]file[/]' syntax, at least on my
>>> NetBSD-current box. So there is no conflict. :-)
>>Sorry, I was confused. My NetBSD-current box has it and needs '[]'.
>>My box is considerably old (1.4P). Is there any improvement in
>>recent NetBSD-current around ftp?
> http://cvsweb.netbsd.org/bsdweb.cgi/basesrc/usr.bin/ftp/main.c?rev=1.48&content-type=text/x-cvsweb-markup
> (Jul 12 1999)

Oops, this should be better...

http://cvsweb.netbsd.org/bsdweb.cgi/basesrc/usr.bin/ftp/main.c.diff?r1=1.47&r2=1.48

itojun

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message

From owner-freebsd-net Mon May 22 5:36:29 2000
Delivered-To: freebsd-net@freebsd.org
Received: from citadel.cequrux.com (citadel.cdsec.com [192.96.22.18]) by hub.freebsd.org (Postfix) with ESMTP id DC3DA37C04B; Mon, 22 May 2000 05:35:49 -0700 (PDT) (envelope-from gram@cequrux.com)
Received: (from nobody@localhost) by citadel.cequrux.com (8.8.8/8.6.9) id OAA08918; Mon, 22 May 2000 14:35:30 +0200 (SAST)
Received: by citadel.cequrux.com via recvmail id 8838; Mon May 22 14:34:32 2000
Message-ID: <39292998.4C55739A@cequrux.com>
Date: Mon, 22 May 2000 14:35:36 +0200
From: Graham Wheeler
Organization: Cequrux Technologies
X-Mailer: Mozilla 4.7 [en] (X11; U; FreeBSD 2.2.8-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Dmitry Samersoff
Cc: freebsd-hackers@FreeBSD.ORG, freebsd-net@FreeBSD.ORG
Subject: Re: bpf question
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Dmitry Samersoff wrote:
>
> I have stopped on the performance of bpf itself.
>
> Is there an alternate driver, or can changing the bpf queue in the kernel help, and where
> can I read about it?

If my memory serves me correctly, Marcus Ranum wrote a white paper on IDS systems in the early days of NFR, in which he said that the existing configuration of BPF was inadequate for capturing all packets on a fast link, and suggested a patch to improve the situation. The patch involved bumping up a buffer from about 16kb to 256kb. Unfortunately I no longer have the details handy, but if you did a search for BPF/IDS/NFR/Ranum you might find something.

--
Dr Graham Wheeler                  E-mail: gram@cequrux.com
Director, Research and Development WWW: http://www.cequrux.com
CEQURUX Technologies               Phone: +27(21)423-6065
Firewalls/VPN Specialists          Fax: +27(21)424-3656

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message

From owner-freebsd-net Mon May 22 10:20:46 2000
Delivered-To: freebsd-net@freebsd.org
Received: from peace.mahoroba.org (peace.calm.imasy.or.jp [202.227.26.34]) by hub.freebsd.org (Postfix) with ESMTP id CB12137BB87 for ; Mon, 22 May 2000 10:20:36 -0700 (PDT) (envelope-from ume@mahoroba.org)
Received: from localhost (IDENT:uYkh/91LDHV2WB1gDXKLK8Ca0F81nTknVzdXMPI+XAyv8gFx7/kkD1WdhC2YWvdo@localhost [::1]) by peace.mahoroba.org (8.10.1/3.7W-peace) with ESMTP id e4MHFtc19654; Tue, 23 May 2000 02:15:55 +0900 (JST) (envelope-from ume@mahoroba.org)
Date: Tue, 23 May 2000 02:15:55 +0900 (JST)
Message-Id: <200005221715.e4MHFtc19654@peace.mahoroba.org>
To: itojun@iijlab.net
Cc: freebsd-net@freebsd.org
Subject: Re: cannot ftp to link-local address
In-Reply-To: <3772.958960431@coconut.itojun.org>
References: <3682.958960154@coconut.itojun.org> <3772.958960431@coconut.itojun.org>
X-Mailer: Mew version 1.94.2 on Emacs 20.6 / Mule 4.0
X-PGP-Public-Key: http://www.imasy.org/~ume/publickey.asc
X-PGP-Fingerprint: 6B 0C 53 FC 5D D0 37 91 05 D0 B3 EF 36 9B 6A BC
X-URL: http://www.imasy.org/~ume/
X-OS: FreeBSD 5.0-CURRENT
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
From: Hajimu UMEMOTO (梅本 肇)
X-Dispatcher: imput version 20000228(IM140)
Lines: 20
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>>>>> On Mon, 22 May 2000 10:53:51 +0900
>>>>> itojun@iijlab.net said:

>>> Ftp(1) doesn't have the `host:[/path/]file[/]' syntax, at least on my
>>> NetBSD-current box. So there is no conflict. :-)
>>Sorry, I was confused. My NetBSD-current box has it and needs '[]'.
>>My box is considerably old (1.4P). Is there any improvement in
>>recent NetBSD-current around ftp?
> http://cvsweb.netbsd.org/bsdweb.cgi/basesrc/usr.bin/ftp/main.c?rev=1.48&content-type=text/x-cvsweb-markup
> (Jul 12 1999)

itojun> Oops, this should be better...
itojun> http://cvsweb.netbsd.org/bsdweb.cgi/basesrc/usr.bin/ftp/main.c.diff?r1=1.47&r2=1.48

Thanks. I just committed it.

--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
ume@mahoroba.org ume@bisd.hitachi.co.jp ume@FreeBSD.org
http://www.imasy.org/~ume/

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message

From owner-freebsd-net Mon May 22 11:52: 9 2000
Delivered-To: freebsd-net@freebsd.org
Received: from rapidnet.com (rapidnet.com [205.164.216.1]) by hub.freebsd.org (Postfix) with ESMTP id F34A637B8DB; Mon, 22 May 2000 11:52:02 -0700 (PDT) (envelope-from nick@rapidnet.com)
Received: from localhost (nick@localhost) by rapidnet.com (8.9.3/8.9.3) with ESMTP id MAA18970; Mon, 22 May 2000 12:51:58 -0600 (MDT)
Date: Mon, 22 May 2000 12:51:58 -0600 (MDT)
From: Nick Rogness
To: freebsd-hackers@freebsd.org, freebsd-net@freebsd.org
Subject: IP tunnel
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Can anyone tell me the difference between nos-tun(8) and gif(4) (other than IPv6)? I want to create a tunnel between 2 networks (IPv4), 2 FreeBSD boxes... will one of these work, or is this a different type of tunnel? I am familiar with Cisco tunnelling; I am assuming a similar concept. Anyone doing this already? If so, sample configs? Is it possible?

Thanks.

Nick Rogness
- Speak softly and carry a Gigabit switch.
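[Editor's note, not part of any message in the archive.] The "cannot ftp to link-local address" thread above turns on a classic argument-parsing ambiguity: ftp(1) accepts `host:[/path/]file`, so a bare IPv6 literal such as `fe80::1%lo0` is split at its first colon and `fe80` is looked up as a hostname, which is exactly the `ftp: fe80: No address associated with hostname` error Koji reported. The following Python is an added illustration written for this page, not the ftp(1) source from FreeBSD or NetBSD and not the change itojun linked; the splitting rules and the sample arguments are my own reconstruction of the behaviour the thread describes. It contrasts the naive split with a bracket-aware one that treats `[...]` as an opaque IPv6 literal (zone suffix included) and only then looks for the `:path` separator. The same bracket convention is what RFC 2732 adopted for URLs, and the same class of bug recurs wherever a host and a path or port share a colon-delimited field.

```python
"""Splitting an ftp(1)-style HOST[:PATH] argument when HOST may be an IPv6 literal.

Added example for this page (not ftp(1) code).  It shows why a bare IPv6
literal breaks the `host:[/path/]file` syntax discussed in the thread, and
how wrapping the literal in [ ] removes the ambiguity.  All sample
arguments below are constructed for the illustration.
"""
import ipaddress
from typing import NamedTuple, Optional


class FtpTarget(NamedTuple):
    host: str             # hostname or IP literal (zone id kept, brackets removed)
    path: Optional[str]   # remote path after the separating colon, if any
    ipv6_literal: bool    # True when host was given as a bracketed IPv6 literal


def _is_ipv6_literal(text: str) -> bool:
    """Accept an IPv6 address with an optional %zone suffix (fe80::1%lo0)."""
    addr, sep, zone = text.partition("%")
    if sep and not zone:          # a trailing '%' with no zone id is malformed
        return False
    try:
        ipaddress.IPv6Address(addr)
    except ValueError:
        return False
    return True


def naive_split(arg: str) -> FtpTarget:
    """The behaviour the thread reports: split at the first colon, unconditionally.

    'fe80::1%lo0' therefore becomes host='fe80', path=':1%lo0', and the
    resolver is asked for a hostname called 'fe80'.
    """
    host, sep, path = arg.partition(":")
    return FtpTarget(host, path if sep else None, False)


def bracket_aware_split(arg: str) -> FtpTarget:
    """Split HOST[:PATH], treating a leading "[...]" as an opaque IPv6 literal.

    Rules (a reconstruction for this example, not the exact ftp(1) logic):
      1. "[v6]" or "[v6]:path": the bracketed text is the host; a colon may
         follow only immediately after the closing "]".
      2. Anything else is split at the first colon as before, so a bare IPv6
         literal still mis-parses; that is the point the thread makes.
    """
    if not arg.startswith("["):
        return naive_split(arg)
    end = arg.find("]")
    if end == -1:
        raise ValueError("unterminated '[' in host argument")
    host = arg[1:end]
    if not _is_ipv6_literal(host):
        raise ValueError(f"{host!r} inside [ ] is not an IPv6 literal")
    rest = arg[end + 1:]
    if rest == "":
        return FtpTarget(host, None, True)
    if rest[0] != ":":
        raise ValueError("unexpected text after ']'")
    return FtpTarget(host, rest[1:], True)


def explain(arg: str) -> str:
    """One-line summary of how bracket_aware_split() reads an argument."""
    t = bracket_aware_split(arg)
    kind = "IPv6 literal" if t.ipv6_literal else "hostname (first-colon split)"
    return f"{arg!r}: host={t.host!r} [{kind}], path={t.path!r}"


if __name__ == "__main__":
    for sample in ("fe80::1%lo0",                # bare literal: mis-parsed as host 'fe80'
                   "[fe80::1%lo0]",              # bracketed: whole literal is the host
                   "[fe80::1%lo0]:/pub/README",  # bracketed literal plus remote path
                   "ftp.example.org:/pub/README",
                   "ftp.example.org"):
        print(explain(sample))
```

Running the block prints one line per sample; the first shows `host='fe80'`, reproducing the failure Koji saw, and the bracketed forms resolve to the full `fe80::1%lo0`. The zone identifier is kept as part of the host string on purpose, since for a link-local address the interface is part of what identifies the peer.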
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Mon May 22 12: 8:35 2000 Delivered-To: freebsd-net@freebsd.org Received: from jason.argos.org (a1-3b058.neo.rr.com [24.93.181.58]) by hub.freebsd.org (Postfix) with ESMTP id D5D8A37B62D; Mon, 22 May 2000 12:08:30 -0700 (PDT) (envelope-from mike@argos.org) Received: from localhost (mike@localhost) by jason.argos.org (8.9.1/8.9.1) with ESMTP id PAA21551; Mon, 22 May 2000 15:08:17 -0400 Date: Mon, 22 May 2000 15:08:17 -0400 (EDT) From: Mike Nowlin To: Nick Rogness Cc: freebsd-hackers@FreeBSD.ORG, freebsd-net@FreeBSD.ORG Subject: Re: IP tunnel In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > Can anyone tell me the difference between nos-tun(8) and gif(4) (Other > than IPv6)? I want to create a tunnel between 2 networks (IPv4), 2 > FreeBSD boxes... will one of these work or is this a different type > of tunnel. I am familiar with Cisco tunnelling, I am assuming a similar > concept. Anyone doing this already, if so sample configs? Is it > possible? I'm using nos-tun(8) between Cisco 2610/1720 routers and FBSD machines to make various subnets show up where they shouldn't... I have a /24 at one office and a /25 at another one -- wanted to have a /29 from each of these appear at my house. Works quite well... 
mike To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Mon May 22 12:17:52 2000 Delivered-To: freebsd-net@freebsd.org Received: from hotmail.com (law-f195.hotmail.com [209.185.130.105]) by hub.freebsd.org (Postfix) with SMTP id A972237BB4D for ; Mon, 22 May 2000 12:17:33 -0700 (PDT) (envelope-from ronnetron@hotmail.com) Received: (qmail 61405 invoked by uid 0); 22 May 2000 19:17:33 -0000 Message-ID: <20000522191733.61404.qmail@hotmail.com> Received: from 63.203.116.218 by www.hotmail.com with HTTP; Mon, 22 May 2000 12:17:33 PDT X-Originating-IP: [63.203.116.218] From: "Ron Smith" To: freebsd-net@freebsd.org Cc: freebsd-ipfw@freebsd.org Subject: Non-existent domain Date: Mon, 22 May 2000 12:17:33 PDT Mime-Version: 1.0 Content-Type: text/plain; format=flowed Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi all, O.K. gang I need your help on this one. I have a particular problem that I can't seem to solve on my own. Here's what's happening: I've configured a dual-homed, DSL gateway with NAT and IPFILTER. Everything works fine for those on the LAN when browsing HTTP. DNS is also running on this machine as primary and I have a name server at the ISP as secondary. However, the problem is that when looking for the domain name "crcfx.com" out on the web, It's not seen. An error message comes up saying: "A network error occurred: Unable to connect to server. The server may be down or unreachable." Also, I don't get a proper response, from outside our LAN, when doing an 'nslookup stargate.crcfx.com', which has the primary DNS running locally. This is preventing us from putting other services on-line, such as 'HTTP' and 'SMTP'. I've talked to several sources (including my ISP), to no avail. There's lots of confusion all around. I have a suspicion my problem may stem from the way my zones are set up, or the firewall rules, but I'm not sure. 
Anyway, here are the details: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ping 127.0.0.1 (loopback) ping 192.x.x.1 (inside interface) ping 63.x.x.218 (outside interface) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ All show 0% packet loss. ~~~~~~~~~~~~~~~ 'rc.conf' says: ~~~~~~~~~~~~~~~ # This file now contains just the overrides from/etc/defaults/rc.conf # please make all changes to this file. # -- sysinstall generated deltas -- # ifconfig_fxp0="inet 192.x.x.1 netmask 255.255.255.0" ifconfig_pn0="inet 63.x.x.218 netmask 255.255.255.248" hostname="stargate.crcfx.com" linux_enable="YES" moused_enable="YES" gateway_enable="YES" defaultrouter="63.x.x.217" # -- The following deltas were generated by Ron Smith on Apr. 17, 2000 firewall_enable="YES" firewall_type="simple" firewall_script="/etc/rc.firewall" inetd_enable="NO" sendmail_enable="NO" dumpdev=/dev/wd0s1b natd_enable="YES" natd_interface="pn0" named_enable="YES" ~~~~~~~~~~~~~~~~~~~ 'rc.firewall' says: ~~~~~~~~~~~~~~~~~~~ # set these to your outside interface network and netmask and ip oif="pn0" onet="63.x.x.216" omask="255.255.255.248" oip="63.x.x.218" # set these to your inside interface network and netmask and ip iif="fxp0" inet="192.x.x.0" imask="255.255.255.0" iip="192.x.x.1" # Stop spoofing $fwcmd add deny all from ${inet}:${imask} to any in via ${oif} $fwcmd add deny all from ${onet}:${omask} to any in via ${iif} # Stop RFC1918 nets on the outside interface $fwcmd add deny all from 192.x.0.0:255.255.0.0 to any via ${oif} #$fwcmd add deny all from any to 192.x.0.0:255.255.0.0 via ${oif} $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif} $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif} $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif} $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif} # Allow ICMP inside only #$fwcmd add deny icmp from any to any via ${oif} #$fwcmd add allow icmp from ${inet}:${imask} to ${inet}:${imask} via ${iif} # Allow TCP through if setup succeeded 
$fwcmd add pass tcp from any to any established # Allow setup of incoming email #$fwcmd add pass tcp from any to ${oip} 25 setup # Allow access to our DNS $fwcmd add pass tcp from any to ${oip} 53 setup # Allow access to our WWW #$fwcmd add pass tcp from any to ${oip} 80 setup # Reject&Log all setup of incoming connections from the outside $fwcmd add deny log tcp from any to any in via ${oif} setup # Allow setup of any other TCP connection $fwcmd add pass tcp from any to any setup # Allow DNS queries out in the world $fwcmd add pass udp from any 53 to ${oip} $fwcmd add pass udp from ${oip} to any 53 $fwcmd add pass udp from ${inet}:${imask} to any 53 # Allow stuff to 192 net in from the outside, since we're # checking after NAT does the conversion $fwcmd add allow udp from any 53 to ${inet}:${imask} via ${oif} $fwcmd add allow udp from any 53 to ${inet}:${imask} via ${iif} # Allow NTP queries out in the world $fwcmd add pass udp from any 123 to ${oip} $fwcmd add pass udp from ${oip} to any 123 # Everything else is denied as default. elif [ "${firewall_type}" != "UNKNOWN" -a -r "${firewall_type}" ]; then $fwcmd ${firewall_type} fi ~~~~~~~~~~~~~~~~~~~~~~~ 'whois crcfx.com' says: ~~~~~~~~~~~~~~~~~~~~~~~ Whois Server Version 1.1 Domain names in the .com, .net, and .org domains can now be registered with many different competing registrars. Go to http://www.internic.net for detailed information. Domain Name: CRCFX.COM Registrar: REGISTER.COM, INC. Whois Server: whois.register.com Referral URL: www.register.com Name Server: NS1.PBI.NET Name Server: STARGATE.CRCFX.COM Updated Date: 28-apr-200 >>>Last update of whois database: Wed, 3 May 00 04:41:29 EDT <<< The Registry database contains ONLY .COM, .NET, .ORG, .EDU domains and Registrars. Access to register.com's WHOIS information is for informational purposes only. Register.com makes this information available "as is," and does not guarantee its accuracy. 
The compilation, repackaging, dissemination or other use of register.com's WHOIS information in its entirety, or a substantial portion thereof, is expressly prohibited without the prior written consent of register.com. By accessing and using our WHOIS information, you agree to these terms. Organization: Cinema Research Corp 6860 Lexington Ave Hollywood, CA 90038 US Registrar..: Register.com (http://www.register.com) Domain Name: CRCFX.COM Created on..............: Fri, Mar 24, 2000 Expires on..............: Sat, Mar 24, 2001 Record last updated on..: Fri, Apr 28, 2000 Administrative Contact: Smith, Ron ronnetron@hotmail.com 323-460-4111 Technical Contact, Zone Contact: Internic, Registrar internic-free@register.com 212-594-988 Domain servers in listed order: STARGATE.CRCFX.COM 63.x.x.218 NS1.PBI.NET 206.13.28.11 Register your domain name at http://www.register.com ~~~~~~~~~~~~~~~~~ ifconfig -a says: ~~~~~~~~~~~~~~~~~ fxp0: flags=8843 mtu 1500 inet 192.x.x.1 netmask 0xffffff00 broadcast 192.x.x.255 pn0: flags=8843 mtu 1500 inet 63.x.x.218 netmask 0xfffffff8 broadcast 63.x.x.223 lo0: flags=8049 mtu 16384 inet 127.0.0.1 netmask 0xff000000 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 'netstat -na crcfx.com' says: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Active Internet connections (including servers) Proto Recv-Q Send-Q Local Address Foreign Address (state) icmp 0 0 *.* *.* tcp 0 0 *.111 *.* LISTEN tcp 0 0 127.0.0.1.53 *.* LISTEN tcp 0 0 63.x.x.218.53 *.* LISTEN tcp 0 0 192.x.x.1.53 *.* LISTEN udp 0 0 *.111 *.* udp 0 0 *.1024 *.* udp 0 0 127.0.0.1.53 *.* udp 0 0 63.x.x.218.53 *.* udp 0 0 192.x.x.1.53 *.* udp 0 0 *.514 *.* ~~~~~~~~~~~~~~~~~~~~~ 'db.crcfx.com' says: ~~~~~~~~~~~~~~~~~~~~~ ; Definition of zone crcfx.com crcfx.com. IN SOA stargate.crcfx.com. root.crcfx.com. ( 2000042901 ; Serial (date, two digits version of day) 86400 ; refresh (1 day) 7200 ; retry (2 hours) 8640000 ; expire (100 days) 86400 ) ; minimum (1 day) ; name servers IN NS stargate.crcfx.com. IN NS ns1.pbi.net. 
IN NS ns2.pbi.net. stargate IN A 63.x.x.218 ns1.pbi.net. IN A 206.13.28.11 ns2.pbi.net. IN A 206.13.29.11 ~~~~~~~~~~~~~~~~~~~~~ 'crcfx-reverse' says: ~~~~~~~~~~~~~~~~~~~~~ @ IN SOA stargate.crcfx.com. root.crcfx.com. ( 2000042901 ; Serial (date, 2 digits version of day) 86400 ; refresh (1 day) 7200 ; retry (2 hours) 8640000 ; expire (100 days) 86400 ) ; minimum (1 day) IN NS stargate.crcfx.com. IN NS ns1.pbi.net. IN NS ns2.pbi.net. 218.x.x.63.in-addr.arpa IN PTR stargate.crcfx.com. 11.28.13.206.in-addr.arpa IN PTR ns1.pbi.net. 11.29.13.206.in-addr.arpa IN PTR ns2.pbi.net. ~~~~~~~~~~~~~~~~~~~~~ 'localhost.rev' says: ~~~~~~~~~~~~~~~~~~~~~ ; From: @(#)localhost.rev 5.1 (Berkeley) 6/30/90 ; $FreeBSD: src/etc/namedb/PROTO.localhost.rev,v 1.4.2.1 1999/08/29 14:19:29 peter Exp $ ; ; This file is automatically edited by the `make-localhost' script in ; the /etc/namedb directory. ; @ IN SOA stargate.crcfx.com. root.stargate.crcfx.com. ( 2000042901 ; Serial 86400 ; Refresh (1 day) 7200 ; Retry (2 hours) 8640000 ; Expire (100 days) 86400 ) ; Minimum IN NS stargate.crcfx.com. 1 IN PTR localhost.crcfx.com. ~~~~~~~~~~~~~~~~~~~ 'resolv.conf' says: ~~~~~~~~~~~~~~~~~~~ domain crcfx.com nameserver 127.0.0.1 nameserver 192.x.x.1 nameserver 63.x.x.218 nameserver 206.13.28.11 nameserver 206.13.29.11 ~~~~~~~~~~~~~~~~~~ 'named.conf' says: ~~~~~~~~~~~~~~~~~~ options { directory "/etc/namedb"; forwarders { 206.13.28.11; }; zone "." { type hint; file "named.root"; }; zone "0.0.127.IN-ADDR.ARPA" { type master; file "localhost.rev"; }; zone "crcfx.com" { type master; file "db.crcfx.com"; }; zone "0.x.192.IN-ADDR.ARPA" { type master; file "crcfx-reverse"; ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Sorry, This is a lot to swallow, but they are all the pertinent files, in regards to the problem. 
I would appreciate any feedback on how to get our local name server to do proper zone transfers to our upstream ISP, and to get a proper 'nslookup stargate.crcfx.com' from outside our LAN ...same thing. TIA Ron ________________________________________________________________________ Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com From owner-freebsd-net Mon May 22 12:50: 2 2000 Delivered-To: freebsd-net@freebsd.org Received: from arf.bussert.COM (arf.bussert.com [209.183.67.130]) by hub.freebsd.org (Postfix) with ESMTP id 5B89537BB5A; Mon, 22 May 2000 12:49:44 -0700 (PDT) (envelope-from matheny@bussert.com) Received: from localhost (matheny@localhost) by arf.bussert.COM (8.9.3/8.9.3) with ESMTP id PAA09142; Mon, 22 May 2000 15:19:23 -0500 (EST) (envelope-from matheny@bussert.com) Date: Mon, 22 May 2000 15:19:23 -0500 (EST) From: Blake Matheny To: Ron Smith Cc: freebsd-net@FreeBSD.ORG, freebsd-ipfw@FreeBSD.ORG Subject: Re: Non-existent domain In-Reply-To: <20000522191733.61404.qmail@hotmail.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I had this problem before; I had to add an A record in dns on the firewall for the web server. For instance, let's say bussert.com was hosted at 111.111.111.111, I had to add that in the dns records. Add the following records to be able to browse: @ IN A ipaddressofwebserver www IN A ipaddressofwebserver The first line will allow for resolution of crcfx.com, the second line will allow for resolution of www.crcfx.com. I /think/ that answered your question, but I was a little unclear, let me know if that helps. -Blake Blake Matheny Bussert Consulting Network Engineer (765)423-2100 matheny@bussert.com On Mon, 22 May 2000, Ron Smith wrote: > Hi all, > > O.K. gang I need your help on this one. 
I have a particular problem that I > can't seem to solve on my own. Here's what's happening: > > I've configured a dual-homed, DSL gateway with NAT and IPFILTER. Everything > works fine for those on the LAN when browsing HTTP. DNS is also running on > this machine as primary and I have a name server at the ISP as secondary. > However, the problem is that when looking for the domain name "crcfx.com" > out on the web, It's not seen. An error message comes up saying: "A network > error occurred: Unable to connect to server. The server may be down or > unreachable." Also, I don't get a proper response, from outside our LAN, > when doing an 'nslookup stargate.crcfx.com', which has the primary DNS > running locally. This is preventing us from putting other services on-line, > such as 'HTTP' and 'SMTP'. I've talked to several sources (including my > ISP), to no avail. There's lots of confusion all around. I have a suspicion > my problem may stem from the way my zones are set up, or the firewall rules, > but I'm not sure. Anyway, here are the details: > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > ping 127.0.0.1 (loopback) > ping 192.x.x.1 (inside interface) > ping 63.x.x.218 (outside interface) > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > All show 0% packet loss. > > ~~~~~~~~~~~~~~~ > 'rc.conf' says: > ~~~~~~~~~~~~~~~ > > # This file now contains just the overrides from/etc/defaults/rc.conf # > please make all changes to this file. > > # -- sysinstall generated deltas -- # > ifconfig_fxp0="inet 192.x.x.1 netmask 255.255.255.0" > ifconfig_pn0="inet 63.x.x.218 netmask 255.255.255.248" > hostname="stargate.crcfx.com" > linux_enable="YES" > moused_enable="YES" > gateway_enable="YES" > defaultrouter="63.x.x.217" > # -- The following deltas were generated by Ron Smith on Apr. 
17, 2000 > firewall_enable="YES" > firewall_type="simple" > firewall_script="/etc/rc.firewall" > inetd_enable="NO" > sendmail_enable="NO" > dumpdev=/dev/wd0s1b > natd_enable="YES" > natd_interface="pn0" > named_enable="YES" > > ~~~~~~~~~~~~~~~~~~~ > 'rc.firewall' says: > ~~~~~~~~~~~~~~~~~~~ > > # set these to your outside interface network and netmask and ip > oif="pn0" > onet="63.x.x.216" > omask="255.255.255.248" > oip="63.x.x.218" > > # set these to your inside interface network and netmask and ip > iif="fxp0" > inet="192.x.x.0" > imask="255.255.255.0" > iip="192.x.x.1" > > # Stop spoofing > $fwcmd add deny all from ${inet}:${imask} to any in via ${oif} > $fwcmd add deny all from ${onet}:${omask} to any in via ${iif} > > # Stop RFC1918 nets on the outside interface > $fwcmd add deny all from 192.x.0.0:255.255.0.0 to any via ${oif} > #$fwcmd add deny all from any to 192.x.0.0:255.255.0.0 via ${oif} $fwcmd add > deny all from 172.16.0.0:255.240.0.0 to any via ${oif} > $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif} > $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif} > $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif} > > # Allow ICMP inside only > #$fwcmd add deny icmp from any to any via ${oif} > #$fwcmd add allow icmp from ${inet}:${imask} to ${inet}:${imask} via ${iif} > > # Allow TCP through if setup succeeded > $fwcmd add pass tcp from any to any established > > # Allow setup of incoming email > #$fwcmd add pass tcp from any to ${oip} 25 setup > > # Allow access to our DNS > $fwcmd add pass tcp from any to ${oip} 53 setup > > # Allow access to our WWW > #$fwcmd add pass tcp from any to ${oip} 80 setup > > # Reject&Log all setup of incoming connections from the outside > $fwcmd add deny log tcp from any to any in via ${oif} setup > > # Allow setup of any other TCP connection > $fwcmd add pass tcp from any to any setup > > # Allow DNS queries out in the world > $fwcmd add pass udp from any 53 to ${oip} > $fwcmd add pass 
udp from ${oip} to any 53 > $fwcmd add pass udp from ${inet}:${imask} to any 53 > > # Allow stuff to 192 net in from the outside, since we're > # checking after NAT does the conversion > $fwcmd add allow udp from any 53 to ${inet}:${imask} via ${oif} > $fwcmd add allow udp from any 53 to ${inet}:${imask} via ${iif} > > # Allow NTP queries out in the world > $fwcmd add pass udp from any 123 to ${oip} > $fwcmd add pass udp from ${oip} to any 123 > > # Everything else is denied as default. > > elif [ "${firewall_type}" != "UNKNOWN" -a -r "${firewall_type}" ]; then > $fwcmd ${firewall_type} > fi > > ~~~~~~~~~~~~~~~~~~~~~~~ > 'whois crcfx.com' says: > ~~~~~~~~~~~~~~~~~~~~~~~ > > Whois Server Version 1.1 > > Domain names in the .com, .net, and .org domains can now be registered > with many different competing registrars. Go to http://www.internic.net for > detailed information. > > Domain Name: CRCFX.COM > Registrar: REGISTER.COM, INC. > Whois Server: whois.register.com > Referral URL: www.register.com > Name Server: NS1.PBI.NET > Name Server: STARGATE.CRCFX.COM > Updated Date: 28-apr-200 > > >>>Last update of whois database: Wed, 3 May 00 04:41:29 EDT <<< > > The Registry database contains ONLY .COM, .NET, .ORG, .EDU domains and > Registrars. > > Access to register.com's WHOIS information is for informational purposes > only. Register.com makes this information available > "as is," and does not guarantee its accuracy. The compilation, repackaging, > dissemination or other use of register.com's WHOIS information in its > entirety, or a substantial portion thereof, is expressly prohibited without > the prior written consent of register.com. By accessing and using our WHOIS > information, you agree to these terms. 
> > Organization: > Cinema Research Corp > 6860 Lexington Ave > Hollywood, CA 90038 > US > > Registrar..: Register.com (http://www.register.com) > Domain Name: CRCFX.COM > Created on..............: Fri, Mar 24, 2000 > Expires on..............: Sat, Mar 24, 2001 > Record last updated on..: Fri, Apr 28, 2000 > > Administrative Contact: > Smith, Ron ronnetron@hotmail.com > 323-460-4111 > > Technical Contact, Zone Contact: > Internic, Registrar internic-free@register.com > 212-594-988 > > Domain servers in listed order: > > STARGATE.CRCFX.COM 63.x.x.218 > NS1.PBI.NET 206.13.28.11 > > Register your domain name at http://www.register.com > > ~~~~~~~~~~~~~~~~~ > ifconfig -a says: > ~~~~~~~~~~~~~~~~~ > > fxp0: flags=8843 mtu 1500 > inet 192.x.x.1 netmask 0xffffff00 broadcast 192.x.x.255 > > pn0: flags=8843 mtu 1500 > inet 63.x.x.218 netmask 0xfffffff8 broadcast 63.x.x.223 > > lo0: flags=8049 mtu 16384 > inet 127.0.0.1 netmask 0xff000000 > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > 'netstat -na crcfx.com' says: > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > Active Internet connections (including servers) > Proto Recv-Q Send-Q Local Address Foreign Address (state) > icmp 0 0 *.* *.* > tcp 0 0 *.111 *.* LISTEN > tcp 0 0 127.0.0.1.53 *.* LISTEN > tcp 0 0 63.x.x.218.53 *.* LISTEN > tcp 0 0 192.x.x.1.53 *.* LISTEN > udp 0 0 *.111 *.* > udp 0 0 *.1024 *.* > udp 0 0 127.0.0.1.53 *.* > udp 0 0 63.x.x.218.53 *.* > udp 0 0 192.x.x.1.53 *.* > udp 0 0 *.514 *.* > > ~~~~~~~~~~~~~~~~~~~~~ > 'db.crcfx.com' says: > ~~~~~~~~~~~~~~~~~~~~~ > > ; Definition of zone crcfx.com > crcfx.com. IN SOA stargate.crcfx.com. root.crcfx.com. ( > 2000042901 ; Serial (date, two digits version of day) > 86400 ; refresh (1 day) > 7200 ; retry (2 hours) > 8640000 ; expire (100 days) > 86400 ) ; minimum (1 day) > > ; name servers > IN NS stargate.crcfx.com. > IN NS ns1.pbi.net. > IN NS ns2.pbi.net. > stargate IN A 63.x.x.218 > ns1.pbi.net. IN A 206.13.28.11 > ns2.pbi.net. 
IN A 206.13.29.11 > > ~~~~~~~~~~~~~~~~~~~~~ > 'crcfx-reverse' says: > ~~~~~~~~~~~~~~~~~~~~~ > > @ IN SOA stargate.crcfx.com. root.crcfx.com. ( > 2000042901 ; Serial (date, 2 digits version of day) > 86400 ; refresh (1 day) > 7200 ; retry (2 hours) > 8640000 ; expire (100 days) > 86400 ) ; minimum (1 day) > > IN NS stargate.crcfx.com. > IN NS ns1.pbi.net. > IN NS ns2.pbi.net. > > 218.x.x.63.in-addr.arpa IN PTR stargate.crcfx.com. > 11.28.13.206.in-addr.arpa IN PTR ns1.pbi.net. > 11.29.13.206.in-addr.arpa IN PTR ns2.pbi.net. > > ~~~~~~~~~~~~~~~~~~~~~ > 'localhost.rev' says: > ~~~~~~~~~~~~~~~~~~~~~ > > ; From: @(#)localhost.rev 5.1 (Berkeley) 6/30/90 > ; $FreeBSD: src/etc/namedb/PROTO.localhost.rev,v 1.4.2.1 1999/08/29 14:19:29 > peter Exp $ > ; > ; This file is automatically edited by the `make-localhost' script in > ; the /etc/namedb directory. > ; > > @ IN SOA stargate.crcfx.com. root.stargate.crcfx.com. ( > 2000042901 ; Serial > 86400 ; Refresh (1 day) > 7200 ; Retry (2 hours) > 8640000 ; Expire (100 days) > 86400 ) ; Minimum > IN NS stargate.crcfx.com. > 1 IN PTR localhost.crcfx.com. > > ~~~~~~~~~~~~~~~~~~~ > 'resolv.conf' says: > ~~~~~~~~~~~~~~~~~~~ > > domain crcfx.com > nameserver 127.0.0.1 > nameserver 192.x.x.1 > nameserver 63.x.x.218 > nameserver 206.13.28.11 > nameserver 206.13.29.11 > > ~~~~~~~~~~~~~~~~~~ > 'named.conf' says: > ~~~~~~~~~~~~~~~~~~ > > options { > directory "/etc/namedb"; > > forwarders { > 206.13.28.11; > }; > > zone "." { > type hint; > file "named.root"; > }; > > zone "0.0.127.IN-ADDR.ARPA" { > type master; > file "localhost.rev"; > }; > > zone "crcfx.com" { > type master; > file "db.crcfx.com"; > }; > > zone "0.x.192.IN-ADDR.ARPA" { > type master; > file "crcfx-reverse"; > > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Sorry, > > This is a lot to swallow, but they are all the pertinent files, in regards > to the problem. 
I would appreciate any feedback on how to get our local name > server to do proper zone transfers to our upstream ISP, and to get a proper > 'nslookup stargate.crcfx.com' from outside our LAN ...same thing. > > TIA > Ron > > > ________________________________________________________________________ > Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com From owner-freebsd-net Mon May 22 15:15:22 2000 Delivered-To: freebsd-net@freebsd.org Received: from guppy.evolunet.com (guppy.evolunet.com [195.154.101.161]) by hub.freebsd.org (Postfix) with ESMTP id BFA2E37B547 for ; Mon, 22 May 2000 15:15:17 -0700 (PDT) (envelope-from renaud@guppy.evolunet.com) Received: (from renaud@localhost) by guppy.evolunet.com (8.8.7/8.8.7) id AAA26890 for freebsd-net@freebsd.org; Tue, 23 May 2000 00:15:30 +0200 (CEST) (envelope-from renaud) From: Renaud Waldura Message-Id: <200005222215.AAA26890@guppy.evolunet.com> Subject: PPP dropping IPSec packets? To: freebsd-net@freebsd.org Date: Tue, 23 May 100 00:15:29 +0200 (CEST) Reply-To: renaud@evolunet.com (Renaud Waldura) X-Mailer: ELM [version 2.4ME+ PL32 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Keywords: PPP PPPoE IPSec pipsecd tunnel I'm having a problem with PPP (userland PPP) apparently dropping IPSec packets. I'm using PPP for PPPoE (DSL connection) with a tunnel interface tun0. That tun0 is bound to my ethernet interface eth0, and sends packets back and forth to the telco router. ---> tun0 ---> eth0 ---> telco ---> IP <--- tun0 <--- eth0 <--- telco <--- IP All is neat, it's working great. 
For info: $ ifconfig tun0 tun0: flags=8151 mtu 1492 inet 63.203.70.250 --> 63.203.71.254 netmask 0xff000000 Opened by PID 70 Now I want to setup an encrypted tunnel using pipsecd between my machine and a remote site. Pipsecd creates an interface tun1 that is ifconfig'ed with the right parameters, shared by the two sites. $ ifconfig tun1 tun1: flags=8151 mtu 1440 inet 192.168.255.14 --> 192.168.255.13 netmask 0xfffffffc Opened by PID 164 I try to ping the remote end of the encrypted link, but the packets never make it back to me. They do flow from tun1 to tun0 to eth0 to the telco router to ... to the remote site, _which_replies_ to my ICMP echo, but for some reason PPP drops the IPSec packets, they never come back up to neither tun0 (tunnel interface opened by ppp), nor to tun1 (tunnel opened by pipsecd). But they *do* make it back to the Ethernet interface, they're just not transmitted back to the tunnel tun0. Included below two tcpdumps that clearly show the problem. My local machine is 63.203.70.250, the remote site at the end of the encrypted link 24.201.61.127. I ping the remote end of the encrypted link: $ ping 192.168.255.13 and I see: # tcpdump -i eth0 -n 13:29:26.793274 PPPoE [ses 0x2f6] 63.203.70.250 > 24.201.61.127: ESP(spi=1001,seq=0x80) 13:29:26.933926 PPPoE [ses 0x2f6] 24.201.61.127 > 63.203.70.250: ESP(spi=1001,seq=0x9c9) 13:29:27.802402 PPPoE [ses 0x2f6] 63.203.70.250 > 24.201.61.127: ESP(spi=1001,seq=0x81) 13:29:27.923656 PPPoE [ses 0x2f6] 24.201.61.127 > 63.203.70.250: ESP(spi=1001,seq=0x9ca) ^C 4 packets received by filter 0 packets dropped by kernel # tcpdump -i tun0 -n 13:29:26.792053 63.203.70.250 > 24.201.61.127: ESP(spi=1001,seq=0x80) 13:29:27.801794 63.203.70.250 > 24.201.61.127: ESP(spi=1001,seq=0x81) ^C 2 packets received by filter 0 packets dropped by kernel I _did_ run the same tcpdumps at the remote site, they show the packets coming in and out. 
To me it looks like packets are lost at my local machine, by either the PPP code, the PPPoE code, or something else. To summarize, this is what happens: ---> tun1 ---> tun0 ---> rl0 ---> telco ----> remote site but: remote site ---> telco ---> rl0 -/***/-> tun0 ---> tun1 ---> I'm not familiar with the new Netgraph stuff, could it be involved in what's happening? (ppp relies on ng_pppoe for doing PPPoE). Thanks a lot for any ideas on how to solve this problem, -- -- Renaud Waldura (temporarily renaud@evolunet.com) -- The Netsurfers' Organization -- 610 Clipper St. #19, San Francisco CA 94114, USA -- +1 415 642-5364 From owner-freebsd-net Mon May 22 15:57:32 2000 Delivered-To: freebsd-net@freebsd.org Received: from Awfulhak.org (tun.AwfulHak.org [194.242.139.173]) by hub.freebsd.org (Postfix) with ESMTP id C1A4737B658 for ; Mon, 22 May 2000 15:57:26 -0700 (PDT) (envelope-from brian@Awfulhak.org) Received: from hak.lan.Awfulhak.org (root@hak.lan.awfulhak.org [172.16.0.12]) by Awfulhak.org (8.9.3/8.9.3) with ESMTP id XAA65711; Mon, 22 May 2000 23:56:07 +0100 (BST) (envelope-from brian@Awfulhak.org) Received: from hak.lan.Awfulhak.org (brian@localhost [127.0.0.1]) by hak.lan.Awfulhak.org (8.9.3/8.9.3) with ESMTP id XAA15436; Mon, 22 May 2000 23:56:01 +0100 (BST) (envelope-from brian@Awfulhak.org) Message-Id: <200005222256.XAA15436@hak.lan.Awfulhak.org> X-Mailer: exmh version 2.1.1 10/15/1999 To: renaud@evolunet.com (Renaud Waldura) Cc: freebsd-net@FreeBSD.ORG, brian@hak.lan.Awfulhak.org Subject: Re: PPP dropping IPSec packets? In-Reply-To: Message from Renaud Waldura of "Tue, 23 May 0100 00:15:29 +0200." 
<200005222215.AAA26890@guppy.evolunet.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Mon, 22 May 2000 23:55:59 +0100 From: Brian Somers Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hmm, you mustn't have received my last email: brian@Awfulhak.org said: : Hi, : : I'm not sure if I know the answer to this, but I may have bumped into : similar problems in the past. I don't use ipsec myself, but I've set : up tunnels with a PPPoUDPoPPPoSerial setup. : : Maybe your problems lie in your routing tables, where one side is : routing the reply packets through tun0 rather than tun1 because of a : bogus route ? You probably want to make sure that your ethernet : segment has a very minimal netmask - or even a ffffffff netmask with : a -interface route to the provider IP ? : : This sort of thing is particularly difficult to get working if you : don't have access to both sides of the link, but if you do, I'd try : getting tcpdump running on each end and trying to trace ``ping -c1''s : and see where they're disappearing. > Keywords: PPP PPPoE IPSec pipsecd tunnel > > > I'm having a problem with PPP (userland PPP) apparently dropping > IPSec packets. > > I'm using PPP for PPPoE (DSL connection) with a tunnel interface > tun0. That tun0 is bound to my ethernet interface eth0, and > sends packets back and forth to the telco router. > > ---> tun0 ---> eth0 ---> telco ---> IP > <--- tun0 <--- eth0 <--- telco <--- IP > > All is neat, it's working great. For info: > > $ ifconfig tun0 > tun0: flags=8151 mtu 1492 > inet 63.203.70.250 --> 63.203.71.254 netmask 0xff000000 > Opened by PID 70 > > Now I want to setup an encrypted tunnel using pipsecd between > my machine and a remote site. Pipsecd creates an interface tun1 > that is ifconfig'ed with the right parameters, shared by the two > sites. 
> > $ ifconfig tun1 > tun1: flags=8151 mtu 1440 > inet 192.168.255.14 --> 192.168.255.13 netmask 0xfffffffc > Opened by PID 164 > > I try to ping the remote end of the encrypted link, but the packets > never make it back to me. They do flow from tun1 to tun0 to eth0 > to the telco router to ... to the remote site, _which_replies_ > to my ICMP echo, but for some reason PPP drops the IPSec packets, > they never come back up to neither tun0 (tunnel interface opened > by ppp), nor to tun1 (tunnel opened by pipsecd). > > But they *do* make it back to the Ethernet interface, they're > just not transmitted back to the tunnel tun0. > > Included below two tcpdumps that clearly show the problem. My local > machine is 63.203.70.250, the remote site at the end of the > encrypted link 24.201.61.127. > > I ping the remote end of the encrypted link: > $ ping 192.168.255.13 > > and I see: > > # tcpdump -i eth0 -n > 13:29:26.793274 PPPoE [ses 0x2f6] 63.203.70.250 > 24.201.61.127: ESP(spi=1001,seq=0x80) > 13:29:26.933926 PPPoE [ses 0x2f6] 24.201.61.127 > 63.203.70.250: ESP(spi=1001,seq=0x9c9) > 13:29:27.802402 PPPoE [ses 0x2f6] 63.203.70.250 > 24.201.61.127: ESP(spi=1001,seq=0x81) > 13:29:27.923656 PPPoE [ses 0x2f6] 24.201.61.127 > 63.203.70.250: ESP(spi=1001,seq=0x9ca) > ^C > 4 packets received by filter > 0 packets dropped by kernel > > # tcpdump -i tun0 -n > 13:29:26.792053 63.203.70.250 > 24.201.61.127: ESP(spi=1001,seq=0x80) > 13:29:27.801794 63.203.70.250 > 24.201.61.127: ESP(spi=1001,seq=0x81) > ^C > 2 packets received by filter > 0 packets dropped by kernel > > I _did_ run the same tcpdumps at the remote site, they show the packets > coming in and out. To me it looks like packets are lost at my local > machine, by either the PPP code, the PPPoE code, or something else. 
> > To summarize, this is what happens: > > ---> tun1 ---> tun0 ---> rl0 ---> telco ----> remote site > > but: > > remote site ---> telco ---> rl0 -/***/-> tun0 ---> tun1 ---> > > > I'm not familiar with the new Netgraph stuff, could it be involved > in what's happening? (ppp relies on ng_pppoe for doing PPPoE). > > Thanks a lot for any ideas on how to solve this problem, > > -- > -- Renaud Waldura (temporarily renaud@evolunet.com) > -- The Netsurfers' Organization > -- 610 Clipper St. #19, San Francisco CA 94114, USA > -- +1 415 642-5364 From owner-freebsd-net Mon May 22 16:18:12 2000 Delivered-To: freebsd-net@freebsd.org Received: from cassandra.wayward-volvo.org (cassandra.wayward-volvo.org [207.181.249.203]) by hub.freebsd.org (Postfix) with SMTP id 129E337B70A for ; Mon, 22 May 2000 16:18:09 -0700 (PDT) (envelope-from cnielsen@pobox.com) Received: (qmail 6212 invoked by uid 1000); 22 May 2000 23:16:57 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 22 May 2000 23:16:56 -0000 Date: Mon, 22 May 2000 16:16:56 -0700 (PDT) From: Christopher Nielsen X-Sender: enkhyl@cassandra.wayward-volvo.org Reply-To: cnielsen@pobox.com To: Graham Wheeler Cc: Dmitry Samersoff , freebsd-hackers@FreeBSD.ORG, freebsd-net@FreeBSD.ORG Subject: Re: [net] bpf question In-Reply-To: <39292998.4C55739A@cequrux.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, 22 May 2000, Graham Wheeler wrote: > If my memory serves me correctly, Marcus Ranum wrote a white paper on > IDS systems in the early days of NFR, in which he said that the existing > configuration of BPF was inadequate for capturing all packets on a fast > link, and 
suggested a patch to improve the situation. The patch involved > bumping up a buffer from about 16kb to 256kb. Unfortunately I no longer > have the details handy, but if you did a search for BPF/IDS/NFR/Ranum > you might find something. http://www.nfr.net/forum/publications/LISA-97.htm -- Christopher Nielsen (enkhyl|cnielsen)@pobox.com Enkhyl on IRC Space monekys ate my brain: No such file or directory From owner-freebsd-net Mon May 22 20:19:31 2000 Delivered-To: freebsd-net@freebsd.org Received: from camel.ethereal.net (camel.ethereal.net [216.200.22.209]) by hub.freebsd.org (Postfix) with ESMTP id 1725037B53C; Mon, 22 May 2000 20:19:26 -0700 (PDT) (envelope-from jkb@camel.ethereal.net) Received: (from jkb@localhost) by camel.ethereal.net (8.10.0.Beta10/8.10.0.Beta10) id e4N3J0940092; Mon, 22 May 2000 20:19:00 -0700 (PDT) Date: Mon, 22 May 2000 20:19:00 -0700 From: Jan Koum To: Christopher Nielsen Cc: Graham Wheeler , Dmitry Samersoff , freebsd-hackers@FreeBSD.ORG, freebsd-net@FreeBSD.ORG Subject: Re: [net] bpf question Message-ID: <20000522201900.A39617@ethereal.net> References: <39292998.4C55739A@cequrux.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.3.1i In-Reply-To: ; from cnielsen@pobox.com on Mon, May 22, 2000 at 04:16:56PM -0700 X-Operating-System: FreeBSD camel.ethereal.net 3.4-RELEASE FreeBSD 3.4-RELEASE X-Unix-Uptime: 8:11PM up 17 days, 6:48, 30 users, load averages: 1.15, 1.17, 1.16 Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I think the buffer is 32K (from BPF_MAXBUFSIZE in bpf.h) and you should be able to bump it up a bit on your box if you wish. It might help. Also, maybe we should consider upping the default buffer size in our tree? 
On Mon, May 22, 2000 at 04:16:56PM -0700, Christopher Nielsen wrote: > On Mon, 22 May 2000, Graham Wheeler wrote: > > > If my memory serves me correctly, Marcus Ranum wrote a white paper on > > IDS systems in the early days of NFR, in which he said that the existing > > configuration of BPF was inadequate for capturing all packets on a fast > > link, and suggested a patch to improve the situation. The patch involved > > bumping up a buffer from about 16kb to 256kb. Unfortunately I no longer > > have the details handy, but if you did a search for BPF/IDS/NFR/Ranum > > you might find something. > > http://www.nfr.net/forum/publications/LISA-97.htm > > -- > Christopher Nielsen > (enkhyl|cnielsen)@pobox.com > Enkhyl on IRC > Space monekys ate my brain: No such file or directory From owner-freebsd-net Tue May 23 5: 6:51 2000 Delivered-To: freebsd-net@freebsd.org Received: from apollo.ocsny.com (apollo.ocsny.com [204.107.76.2]) by hub.freebsd.org (Postfix) with ESMTP id 74F1C37B977 for ; Tue, 23 May 2000 05:06:45 -0700 (PDT) (envelope-from mikel@ocsny.com) Received: from ocsny.com (thoth.upan.org [204.107.76.16]) by apollo.ocsny.com (8.9.2/8.9.3) with ESMTP id IAA88775; Tue, 23 May 2000 08:04:33 -0400 (EDT) Message-ID: <392A74D8.4802C999@ocsny.com> Date: Tue, 23 May 2000 08:08:56 -0400 From: Mikel Organization: Optimized Computer Solutions, Inc. 
X-Mailer: Mozilla 4.73 [en] (Win98; U) X-Accept-Language: en,it MIME-Version: 1.0 To: ponomare@uni-duesseldorf.de Cc: freebsd-net@FreeBSD.ORG Subject: Re: Routing Table in FreeBSD 4.0 References: <00052018403701.00771@ponomare.krion> Content-Type: multipart/mixed; boundary="------------0FC636C7957C3ABF75E3FCAA" Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org To route an entire class 'c' do this... route add -net 123.23.43.0 -netmask 255.255.255.0 134.99.26.17 Kirill Ponomarew wrote: > -----BEGIN PGP SIGNED MESSAGE----- > > Hallo > I have the following problem with my network configuration: > my normal routing table is: > Destination Gateway Genmask IFace > 134.99.26.17 0.0.0.0 255.255.255.255 eth0 > 134.99.26.0 0.0.0.0 255.255.255.0 eth0 > 127.0.0.0 0.0.0.0 255.0.0.0. etho > 0.0.0.0 134.99.26.1 > > (sorry that I'm using here a route table from Linux, I can't mail from FreeBSD > because of network troubles) > > IP is 134.99.26.17 > Gateway is 134.99.26.1 > > the problem is that gateway 134.99.26.1 is behind a firewall at the university; > I can't use such things like ftp <-- for ports downloading, icq, real audio etc. > On purpose to make our student life better, our UniAdmin has made a second > gateway; we have to log in to the second gateway with ssh and then we can use all > services like ftp etc. > The question is - how to add in FreeBSD the second gateway from the other > subnetwork ??? 
> > IP of second gateway is 134.99.162.254 > I tried the following things: > route add -net 134.99.162.0 -mask 255.255.255.0 0.0.0.0 > route add default 134.99.162.254 > route: writing to routing socket: File exists > > in Linux it always worked: > route add -net 134.99.162.0 netmask 255.255.255.0 dev eth0 > route add default gw 134.99.162.254 > > thank you for your help > > -- > Kirill Ponomarew > Tro New Media GmbH > Zimmerstr. 19 > 40215 Duesseldorf > Deutschland > > Fon: +49 211 / 31 16 55-21 > Fax: +49 211 / 31 16 55-33 > Mobile: +49 173 / 43-5555-4 > Mail: kirill@tro.de > > "That vulnerability is completely theoretical." > -- > Microsoft > > -----BEGIN PGP SIGNATURE----- > Version: PGPfreeware 5.0i for non-commercial use > MessageID: NnF8YVk2MEyRqGD68pa0Y6j9kagUiD54 > > iQA/AwUBOSbACLSU3AmMQCDLEQLZKACgo+ZVb5le3oifooIKRhbFdeNq+wYAoIAs > PJ0r9/ry4FjJ1WVJdOg0esbG > =/l0y > -----END PGP SIGNATURE----- -- Cheers, Mikel +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+ | Optimized Computer Solutions, Inc http://www.ocsny.com | 39 W14th Street, Suite 203 212 727 2238 x132 | New York, NY 10011 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+
From owner-freebsd-net Tue May 23 5:33:45 2000 Delivered-To: freebsd-net@freebsd.org Received: from apollo.ocsny.com (apollo.ocsny.com [204.107.76.2]) by hub.freebsd.org (Postfix) with ESMTP id 007F537B9B6; Tue, 23 May 2000 05:33:15 -0700 (PDT) (envelope-from mikel@ocsny.com) Received: from ocsny.com (thoth.upan.org [204.107.76.16]) by apollo.ocsny.com (8.9.2/8.9.3) with ESMTP id IAA89254; Tue, 23 May 2000 08:31:02 -0400 (EDT) Message-ID: <392A7B0B.ADB515FD@ocsny.com> Date: Tue, 23 May 2000 08:35:23 -0400 From: Mikel Organization: Optimized Computer Solutions, Inc. X-Mailer: Mozilla 4.73 [en] (Win98; U) X-Accept-Language: en,it MIME-Version: 1.0 To: Ron Smith Cc: freebsd-net@FreeBSD.ORG, freebsd-ipfw@FreeBSD.ORG Subject: Re: Non-existent domain References: <20000522191733.61404.qmail@hotmail.com> Content-Type: multipart/mixed; boundary="------------C455D02C0A2C666CF8F47901" Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Uh Ron, check your firewall rules....I've taken the liberty of highlighting those that I feel are suspect.... -- Cheers, Mikel +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+ | Optimized Computer Solutions, Inc http://www.ocsny.com | 39 W14th Street, Suite 203 212 727 2238 x132 | New York, NY 10011 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+ Ron Smith wrote: > Hi all, > > O.K. gang I need your help on this one. I have a particular problem that I > can't seem to solve on my own. 
Here's what's happening: > > I've configured a dual-homed, DSL gateway with NAT and IPFILTER. Everything > works fine for those on the LAN when browsing HTTP. DNS is also running on > this machine as primary and I have a name server at the ISP as secondary. > However, the problem is that when looking for the domain name "crcfx.com" > out on the web, It's not seen. An error message comes up saying: "A network > error occurred: Unable to connect to server. The server may be down or > unreachable." Also, I don't get a proper response, from outside our LAN, > when doing an 'nslookup stargate.crcfx.com', which has the primary DNS > running locally. This is preventing us from putting other services on-line, > such as 'HTTP' and 'SMTP'. I've talked to several sources (including my > ISP), to no avail. There's lots of confusion all around. I have a suspicion > my problem may stem from the way my zones are set up, or the firewall rules, > but I'm not sure. Anyway, here are the details: > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > ping 127.0.0.1 (loopback) > ping 192.x.x.1 (inside interface) > ping 63.x.x.218 (outside interface) > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > All show 0% packet loss. > > ~~~~~~~~~~~~~~~ > 'rc.conf' says: > ~~~~~~~~~~~~~~~ > > # This file now contains just the overrides from/etc/defaults/rc.conf # > please make all changes to this file. > > # -- sysinstall generated deltas -- # > ifconfig_fxp0="inet 192.x.x.1 netmask 255.255.255.0" > ifconfig_pn0="inet 63.x.x.218 netmask 255.255.255.248" > hostname="stargate.crcfx.com" > linux_enable="YES" > moused_enable="YES" > gateway_enable="YES" > defaultrouter="63.x.x.217" > # -- The following deltas were generated by Ron Smith on Apr. 
17, 2000 > firewall_enable="YES" > firewall_type="simple" > firewall_script="/etc/rc.firewall" > inetd_enable="NO" > sendmail_enable="NO" > dumpdev=/dev/wd0s1b > natd_enable="YES" > natd_interface="pn0" > named_enable="YES" > > ~~~~~~~~~~~~~~~~~~~ > 'rc.firewall' says: > ~~~~~~~~~~~~~~~~~~~ > > # set these to your outside interface network and netmask and ip > oif="pn0" > onet="63.x.x.216" > omask="255.255.255.248" > oip="63.x.x.218" > > # set these to your inside interface network and netmask and ip > iif="fxp0" > inet="192.x.x.0" > imask="255.255.255.0" > iip="192.x.x.1" > > # Stop spoofing > $fwcmd add deny all from ${inet}:${imask} to any in via ${oif} > $fwcmd add deny all from ${onet}:${omask} to any in via ${iif} > > # Stop RFC1918 nets on the outside interface > $fwcmd add deny all from 192.x.0.0:255.255.0.0 to any via ${oif} > #$fwcmd add deny all from any to 192.x.0.0:255.255.0.0 via ${oif} $fwcmd add > deny all from 172.16.0.0:255.240.0.0 to any via ${oif} > $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif} > $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif} > $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif} > > # Allow ICMP inside only > #$fwcmd add deny icmp from any to any via ${oif} > #$fwcmd add allow icmp from ${inet}:${imask} to ${inet}:${imask} via ${iif} > > # Allow TCP through if setup succeeded > $fwcmd add pass tcp from any to any established > > # Allow setup of incoming email > #$fwcmd add pass tcp from any to ${oip} 25 setup > > # Allow access to our DNS > $fwcmd add pass tcp from any to ${oip} 53 setup > > # Allow access to our WWW > #$fwcmd add pass tcp from any to ${oip} 80 setup > > # Reject&Log all setup of incoming connections from the outside > $fwcmd add deny log tcp from any to any in via ${oif} setup > > # Allow setup of any other TCP connection > $fwcmd add pass tcp from any to any setup > > # Allow DNS queries out in the world > $fwcmd add pass udp from any 53 to ${oip} > $fwcmd add pass 
udp from ${oip} to any 53 > $fwcmd add pass udp from ${inet}:${imask} to any 53 > > # Allow stuff to 192 net in from the outside, since we're > # checking after NAT does the conversion > $fwcmd add allow udp from any 53 to ${inet}:${imask} via ${oif} > $fwcmd add allow udp from any 53 to ${inet}:${imask} via ${iif} > > # Allow NTP queries out in the world > $fwcmd add pass udp from any 123 to ${oip} > $fwcmd add pass udp from ${oip} to any 123 > > # Everything else is denied as default. > > elif [ "${firewall_type}" != "UNKNOWN" -a -r "${firewall_type}" ]; then > $fwcmd ${firewall_type} > fi > > ~~~~~~~~~~~~~~~~~~~~~~~ > 'whois crcfx.com' says: > ~~~~~~~~~~~~~~~~~~~~~~~ > > Whois Server Version 1.1 > > Domain names in the .com, .net, and .org domains can now be registered > with many different competing registrars. Go to http://www.internic.net for > detailed information. > > Domain Name: CRCFX.COM > Registrar: REGISTER.COM, INC. > Whois Server: whois.register.com > Referral URL: www.register.com > Name Server: NS1.PBI.NET > Name Server: STARGATE.CRCFX.COM > Updated Date: 28-apr-200 > > >>>Last update of whois database: Wed, 3 May 00 04:41:29 EDT <<< > > The Registry database contains ONLY .COM, .NET, .ORG, .EDU domains and > Registrars. > > Access to register.com's WHOIS information is for informational purposes > only. Register.com makes this information available > "as is," and does not guarantee its accuracy. The compilation, repackaging, > dissemination or other use of register.com's WHOIS information in its > entirety, or a substantial portion thereof, is expressly prohibited without > the prior written consent of register.com. By accessing and using our WHOIS > information, you agree to these terms. 
> > Organization: > Cinema Research Corp > 6860 Lexington Ave > Hollywood, CA 90038 > US > > Registrar..: Register.com (http://www.register.com) > Domain Name: CRCFX.COM > Created on..............: Fri, Mar 24, 2000 > Expires on..............: Sat, Mar 24, 2001 > Record last updated on..: Fri, Apr 28, 2000 > > Administrative Contact: > Smith, Ron ronnetron@hotmail.com > 323-460-4111 > > Technical Contact, Zone Contact: > Internic, Registrar internic-free@register.com > 212-594-988 > > Domain servers in listed order: > > STARGATE.CRCFX.COM 63.x.x.218 > NS1.PBI.NET 206.13.28.11 > > Register your domain name at http://www.register.com > > ~~~~~~~~~~~~~~~~~ > ifconfig -a says: > ~~~~~~~~~~~~~~~~~ > > fxp0: flags=8843 mtu 1500 > inet 192.x.x.1 netmask 0xffffff00 broadcast 192.x.x.255 > > pn0: flags=8843 mtu 1500 > inet 63.x.x.218 netmask 0xfffffff8 broadcast 63.x.x.223 > > lo0: flags=8049 mtu 16384 > inet 127.0.0.1 netmask 0xff000000 > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > 'netstat -na crcfx.com' says: > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > Active Internet connections (including servers) > Proto Recv-Q Send-Q Local Address Foreign Address (state) > icmp 0 0 *.* *.* > tcp 0 0 *.111 *.* LISTEN > tcp 0 0 127.0.0.1.53 *.* LISTEN > tcp 0 0 63.x.x.218.53 *.* LISTEN > tcp 0 0 192.x.x.1.53 *.* LISTEN > udp 0 0 *.111 *.* > udp 0 0 *.1024 *.* > udp 0 0 127.0.0.1.53 *.* > udp 0 0 63.x.x.218.53 *.* > udp 0 0 192.x.x.1.53 *.* > udp 0 0 *.514 *.* > > ~~~~~~~~~~~~~~~~~~~~~ > 'db.crcfx.com' says: > ~~~~~~~~~~~~~~~~~~~~~ > > ; Definition of zone crcfx.com > crcfx.com. IN SOA stargate.crcfx.com. root.crcfx.com. ( > 2000042901 ; Serial (date, two digits version of day) > 86400 ; refresh (1 day) > 7200 ; retry (2 hours) > 8640000 ; expire (100 days) > 86400 ) ; minimum (1 day) > > ; name servers > IN NS stargate.crcfx.com. > IN NS ns1.pbi.net. > IN NS ns2.pbi.net. > stargate IN A 63.x.x.218 > ns1.pbi.net. IN A 206.13.28.11 > ns2.pbi.net. 
IN A 206.13.29.11 > > ~~~~~~~~~~~~~~~~~~~~~ > 'crcfx-reverse' says: > ~~~~~~~~~~~~~~~~~~~~~ > > @ IN SOA stargate.crcfx.com. root.crcfx.com. ( > 2000042901 ; Serial (date, 2 digits version of day) > 86400 ; refresh (1 day) > 7200 ; retry (2 hours) > 8640000 ; expire (100 days) > 86400 ) ; minimum (1 day) > > IN NS stargate.crcfx.com. > IN NS ns1.pbi.net. > IN NS ns2.pbi.net. > > 218.x.x.63.in-addr.arpa IN PTR stargate.crcfx.com. > 11.28.13.206.in-addr.arpa IN PTR ns1.pbi.net. > 11.29.13.206.in-addr.arpa IN PTR ns2.pbi.net. > > ~~~~~~~~~~~~~~~~~~~~~ > 'localhost.rev' says: > ~~~~~~~~~~~~~~~~~~~~~ > > ; From: @(#)localhost.rev 5.1 (Berkeley) 6/30/90 > ; $FreeBSD: src/etc/namedb/PROTO.localhost.rev,v 1.4.2.1 1999/08/29 14:19:29 > peter Exp $ > ; > ; This file is automatically edited by the `make-localhost' script in > ; the /etc/namedb directory. > ; > > @ IN SOA stargate.crcfx.com. root.stargate.crcfx.com. ( > 2000042901 ; Serial > 86400 ; Refresh (1 day) > 7200 ; Retry (2 hours) > 8640000 ; Expire (100 days) > 86400 ) ; Minimum > IN NS stargate.crcfx.com. > 1 IN PTR localhost.crcfx.com. > > ~~~~~~~~~~~~~~~~~~~ > 'resolv.conf' says: > ~~~~~~~~~~~~~~~~~~~ > > domain crcfx.com > nameserver 127.0.0.1 > nameserver 192.x.x.1 > nameserver 63.x.x.218 > nameserver 206.13.28.11 > nameserver 206.13.29.11 > > ~~~~~~~~~~~~~~~~~~ > 'named.conf' says: > ~~~~~~~~~~~~~~~~~~ > > options { > directory "/etc/namedb"; > > forwarders { > 206.13.28.11; > }; > > zone "." { > type hint; > file "named.root"; > }; > > zone "0.0.127.IN-ADDR.ARPA" { > type master; > file "localhost.rev"; > }; > > zone "crcfx.com" { > type master; > file "db.crcfx.com"; > }; > > zone "0.x.192.IN-ADDR.ARPA" { > type master; > file "crcfx-reverse"; > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Sorry, > > This is a lot to swallow, but they are all the pertinent files, in regards > to the problem. 
I would appreciate any feedback on how to get our local name > server to do proper zone transfers to our upstream ISP, and to get a proper > 'nslookup stargate.crcfx.com' from outside our LAN ...same thing. > > TIA > Ron > > ________________________________________________________________________ > Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-net" in the body of the message --------------AA2BA8898E99FD0E9F3CBCFE Content-Type: text/html; charset=us-ascii Content-Transfer-Encoding: 7bit Uh Ron, check your firewall rules....I've taken the liberty in highlighting those that I feel are suspect....

--
Cheers,
Mikel
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+
| Optimized Computer Solutions, Inc        http://www.ocsny.com
| 39 W14th Street, Suite 203                   212 727 2238  x132
| New York, NY 10011
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+

Ron Smith wrote:

Hi all,

O.K. gang I need your help on this one. I have a particular problem that I
can't seem to solve on my own. Here's what's happening:

I've configured a dual-homed, DSL gateway with NAT and IPFILTER. Everything
works fine for those on the LAN when browsing HTTP. DNS is also running on
this machine as primary and I have a name server at the ISP as secondary.
However, the problem is that when looking for the domain name "crcfx.com"
out on the web, it's not seen. An error message comes up saying: "A network
error occurred: Unable to connect to server. The server may be down or
unreachable." Also, I don't get a proper response, from outside our LAN,
when doing an 'nslookup stargate.crcfx.com', which has the primary DNS
running locally. This is preventing us from putting other services on-line,
such as 'HTTP' and 'SMTP'. I've talked to several sources (including my
ISP), to no avail. There's lots of confusion all around. I have a suspicion
my problem may stem from the way my zones are set up, or the firewall rules,
but I'm not sure. Anyway, here are the details:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ping 127.0.0.1 (loopback)
ping 192.x.x.1 (inside interface)
ping 63.x.x.218 (outside interface)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

All show 0% packet loss.

~~~~~~~~~~~~~~~
'rc.conf' says:
~~~~~~~~~~~~~~~

# This file now contains just the overrides from /etc/defaults/rc.conf
# please make all changes to this file.

# -- sysinstall generated deltas -- #
ifconfig_fxp0="inet 192.x.x.1  netmask 255.255.255.0"
ifconfig_pn0="inet 63.x.x.218 netmask 255.255.255.248"
hostname="stargate.crcfx.com"
linux_enable="YES"
moused_enable="YES"
gateway_enable="YES"
defaultrouter="63.x.x.217"
# -- The following deltas were generated by Ron Smith on Apr. 17, 2000
firewall_enable="YES"
firewall_type="simple"
firewall_script="/etc/rc.firewall"
inetd_enable="NO"
sendmail_enable="NO"
dumpdev=/dev/wd0s1b
natd_enable="YES"
natd_interface="pn0"
named_enable="YES"

~~~~~~~~~~~~~~~~~~~
'rc.firewall' says:
~~~~~~~~~~~~~~~~~~~

# set these to your outside interface network and netmask and ip
oif="pn0"
onet="63.x.x.216"
omask="255.255.255.248"
oip="63.x.x.218"

# set these to your inside interface network and netmask and ip
iif="fxp0"
inet="192.x.x.0"
imask="255.255.255.0"
iip="192.x.x.1"

# Stop spoofing
$fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
$fwcmd add deny all from ${onet}:${omask} to any in via ${iif}

# Stop RFC1918 nets on the outside interface
$fwcmd add deny all from 192.x.0.0:255.255.0.0 to any via ${oif}
#$fwcmd add deny all from any to 192.x.0.0:255.255.0.0 via ${oif}
$fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
$fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
$fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
$fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}

# Allow ICMP inside only
#$fwcmd add deny icmp from any to any via ${oif}
#$fwcmd add allow icmp from ${inet}:${imask} to ${inet}:${imask} via ${iif}

# Allow TCP through if setup succeeded
$fwcmd add pass tcp from any to any established

# Allow setup of incoming email
#$fwcmd add pass tcp from any to ${oip} 25 setup

# Allow access to our DNS
$fwcmd add pass tcp from any to ${oip} 53 setup

# Allow access to our WWW
#$fwcmd add pass tcp from any to ${oip} 80 setup

# Reject&Log all setup of incoming connections from the outside
$fwcmd add deny log tcp from any to any in via ${oif} setup

# Allow setup of any other TCP connection
$fwcmd add pass tcp from any to any setup

# Allow DNS queries out in the world
$fwcmd add pass udp from any 53 to ${oip}
$fwcmd add pass udp from ${oip} to any 53
$fwcmd add pass udp from ${inet}:${imask} to any 53

# Allow stuff to 192 net in from the outside, since we're
# checking after NAT does the conversion
$fwcmd add allow udp from any 53 to ${inet}:${imask} via ${oif}
$fwcmd add allow udp from any 53 to ${inet}:${imask} via ${iif}

# Allow NTP queries out in the world
$fwcmd add pass udp from any 123 to ${oip}
$fwcmd add pass udp from ${oip} to any 123

# Everything else is denied as default.

elif [ "${firewall_type}" != "UNKNOWN" -a -r "${firewall_type}" ]; then
$fwcmd ${firewall_type}
fi

~~~~~~~~~~~~~~~~~~~~~~~
'whois crcfx.com' says:
~~~~~~~~~~~~~~~~~~~~~~~

Whois Server Version 1.1

Domain names in the .com, .net, and .org domains can now be registered
with many different competing registrars. Go to http://www.internic.net for
detailed information.

Domain Name: CRCFX.COM
Registrar: REGISTER.COM, INC.
Whois Server: whois.register.com
Referral URL: www.register.com
Name Server: NS1.PBI.NET
Name Server: STARGATE.CRCFX.COM
Updated Date: 28-apr-200

>>>Last update of whois database: Wed, 3 May 00 04:41:29 EDT <<<

The Registry database contains ONLY .COM, .NET, .ORG, .EDU domains and
Registrars.

Access to register.com's WHOIS information is for informational purposes
only.  Register.com makes this information available
"as is," and does not guarantee its accuracy.  The compilation, repackaging,
dissemination or other use of register.com's WHOIS information in its
entirety, or a substantial portion thereof, is expressly prohibited without
the prior written consent of register.com.  By accessing and using our WHOIS
information, you agree to these terms.

Organization:
Cinema Research Corp
6860 Lexington Ave
Hollywood, CA 90038
US

Registrar..: Register.com (http://www.register.com)
Domain Name: CRCFX.COM
Created on..............: Fri, Mar 24, 2000
Expires on..............: Sat, Mar 24, 2001
Record last updated on..: Fri, Apr 28, 2000

Administrative Contact:
Smith, Ron  ronnetron@hotmail.com
323-460-4111

Technical Contact, Zone Contact:
Internic, Registrar  internic-free@register.com
212-594-988

Domain servers in listed order:

STARGATE.CRCFX.COM                               63.x.x.218
NS1.PBI.NET                                      206.13.28.11

Register your domain name at http://www.register.com

~~~~~~~~~~~~~~~~~
ifconfig -a says:
~~~~~~~~~~~~~~~~~

fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 192.x.x.1 netmask 0xffffff00 broadcast 192.x.x.255

pn0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 63.x.x.218 netmask 0xfffffff8 broadcast 63.x.x.223

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet 127.0.0.1 netmask 0xff000000

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'netstat -na crcfx.com' says:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address         Foreign Address      (state)
icmp       0      0 *.*                   *.*
tcp        0      0 *.111                 *.*                  LISTEN
tcp        0      0 127.0.0.1.53          *.*                  LISTEN
tcp        0      0 63.x.x.218.53         *.*                  LISTEN
tcp        0      0 192.x.x.1.53          *.*                  LISTEN
udp        0      0 *.111                 *.*
udp        0      0 *.1024                *.*
udp        0      0 127.0.0.1.53          *.*
udp        0      0 63.x.x.218.53         *.*
udp        0      0 192.x.x.1.53          *.*
udp        0      0 *.514                 *.*

~~~~~~~~~~~~~~~~~~~~~
'db.crcfx.com' says:
~~~~~~~~~~~~~~~~~~~~~

; Definition of zone crcfx.com
crcfx.com.      IN      SOA     stargate.crcfx.com. root.crcfx.com. (
                2000042901 ; Serial (date, two digits version of day)
                86400   ; refresh (1 day)
                7200    ; retry (2 hours)
                8640000 ; expire (100 days)
                86400 ) ; minimum (1 day)

; name servers
                IN      NS      stargate.crcfx.com.
                IN      NS      ns1.pbi.net.
                IN      NS      ns2.pbi.net.
stargate        IN      A       63.x.x.218
ns1.pbi.net.    IN      A       206.13.28.11
ns2.pbi.net.    IN      A       206.13.29.11

~~~~~~~~~~~~~~~~~~~~~
'crcfx-reverse' says:
~~~~~~~~~~~~~~~~~~~~~

@     IN     SOA   stargate.crcfx.com.      root.crcfx.com. (
                   2000042901 ; Serial (date, 2 digits version of day)
                   86400   ; refresh (1 day)
                   7200    ; retry (2 hours)
                   8640000 ; expire (100 days)
                   86400 ) ; minimum (1 day)

      IN     NS    stargate.crcfx.com.
      IN     NS    ns1.pbi.net.
      IN     NS    ns2.pbi.net.

218.x.x.63.in-addr.arpa         IN      PTR     stargate.crcfx.com.
11.28.13.206.in-addr.arpa       IN      PTR     ns1.pbi.net.
11.29.13.206.in-addr.arpa       IN      PTR     ns2.pbi.net.

~~~~~~~~~~~~~~~~~~~~~
'localhost.rev' says:
~~~~~~~~~~~~~~~~~~~~~

;       From: @(#)localhost.rev 5.1 (Berkeley) 6/30/90
; $FreeBSD: src/etc/namedb/PROTO.localhost.rev,v 1.4.2.1 1999/08/29 14:19:29 peter Exp $
;
; This file is automatically edited by the `make-localhost' script in
; the /etc/namedb directory.
;

@     IN     SOA     stargate.crcfx.com. root.stargate.crcfx.com. (
                     2000042901 ; Serial
                     86400      ; Refresh (1 day)
                     7200       ; Retry (2 hours)
                     8640000    ; Expire (100 days)
                     86400 )    ; Minimum
      IN     NS      stargate.crcfx.com.
1     IN     PTR     localhost.crcfx.com.

~~~~~~~~~~~~~~~~~~~
'resolv.conf' says:
~~~~~~~~~~~~~~~~~~~

domain  crcfx.com
nameserver 127.0.0.1
nameserver 192.x.x.1
nameserver 63.x.x.218
nameserver 206.13.28.11
nameserver 206.13.29.11

~~~~~~~~~~~~~~~~~~
'named.conf' says:
~~~~~~~~~~~~~~~~~~

options {
      directory "/etc/namedb";

        forwarders {
              206.13.28.11;
        };

zone "." {
      type hint;
      file "named.root";
};

zone "0.0.127.IN-ADDR.ARPA" {
      type master;
      file "localhost.rev";
};

zone "crcfx.com" {
      type master;
      file "db.crcfx.com";
};

zone "0.x.192.IN-ADDR.ARPA" {
      type master;
      file "crcfx-reverse";

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Sorry,

This is a lot to swallow, but they are all the pertinent files, in regards
to the problem. I would appreciate any feedback on how to get our local name
server to do proper zone transfers to our upstream ISP, and to get a proper
'nslookup stargate.crcfx.com' from outside our LAN ...same thing.

TIA
Ron


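The first-match behaviour of the rc.firewall rules Ron posted, traced for the DNS traffic his authoritative server has to handle, as an added example; it is not code from the thread or from ipfw. The simulator is a small Python model of ipfw matching (only the options the posted script uses: protocol, source and destination, ports, in/out, via, setup/established), and the addresses are constructed stand-ins for the masked ones in the post: 203.0.113.216/29 with gateway address 203.0.113.218 for the 63.x.x.216/29 outside net, 192.168.1.0/24 for the 192.x.x.0/24 inside net, 198.51.100.7 for an outside resolver, and 206.13.28.11 (NS1.PBI.NET from the whois output) for the secondary.

```python
# Model of ipfw first-match evaluation against the posted rc.firewall rules.
# Addresses are constructed stand-ins for the masked ones in the post.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

OIF, ONET, OIP = "pn0", "203.0.113.216/29", "203.0.113.218"   # outside (63.x.x.216/29)
IIF, INET = "fxp0", "192.168.1.0/24"                           # inside  (192.x.x.0/24)


@dataclass
class Pkt:
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str    # "in" or "out"
    iface: str        # interface the packet is seen on
    flags: str = ""   # tcp only: "setup" (SYN, no ACK) or "established" (ACK/RST set)


@dataclass
class Rule:
    action: str                      # "pass"/"allow" or "deny"
    proto: str                       # "all", "tcp" or "udp"
    src: str = "any"                 # "any" or a CIDR network
    sport: Optional[int] = None
    dst: str = "any"
    dport: Optional[int] = None
    direction: Optional[str] = None  # "in", "out" or None (either)
    via: Optional[str] = None        # interface name or None (any)
    flags: Optional[str] = None      # "setup", "established" or None


def _in_net(spec: str, ip: str) -> bool:
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)


def matches(rule: Rule, pkt: Pkt) -> bool:
    """Every option present on the rule must match, as in ipfw."""
    return ((rule.proto == "all" or rule.proto == pkt.proto)
            and _in_net(rule.src, pkt.src) and _in_net(rule.dst, pkt.dst)
            and (rule.sport is None or rule.sport == pkt.sport)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (rule.direction is None or rule.direction == pkt.direction)
            and (rule.via is None or rule.via == pkt.iface)
            and (rule.flags is None or rule.flags == pkt.flags))


def evaluate(rules: List[Rule], pkt: Pkt) -> Tuple[str, int]:
    """First matching rule decides; with no match ipfw's default rule 65535 denies."""
    for num, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            return ("allow" if rule.action in ("pass", "allow") else "deny", num)
    return ("deny", 65535)


# The posted rules in posted order (commented-out lines left out).
POSTED_RULES = [
    Rule("deny", "all", src=INET, direction="in", via=OIF),        # 1  anti-spoof
    Rule("deny", "all", src=ONET, direction="in", via=IIF),        # 2
    Rule("deny", "all", src="192.168.0.0/16", via=OIF),            # 3  RFC1918 on outside
    Rule("deny", "all", src="172.16.0.0/12", via=OIF),             # 4
    Rule("deny", "all", dst="172.16.0.0/12", via=OIF),             # 5
    Rule("deny", "all", src="10.0.0.0/8", via=OIF),                # 6
    Rule("deny", "all", dst="10.0.0.0/8", via=OIF),                # 7
    Rule("pass", "tcp", flags="established"),                      # 8
    Rule("pass", "tcp", dst=OIP, dport=53, flags="setup"),         # 9  DNS over TCP
    Rule("deny", "tcp", direction="in", via=OIF, flags="setup"),   # 10 deny log
    Rule("pass", "tcp", flags="setup"),                            # 11
    Rule("pass", "udp", sport=53, dst=OIP),                        # 12 "from any 53 to ${oip}"
    Rule("pass", "udp", src=OIP, dport=53),                        # 13
    Rule("pass", "udp", src=INET, dport=53),                       # 14
    Rule("allow", "udp", sport=53, dst=INET, via=OIF),             # 15
    Rule("allow", "udp", sport=53, dst=INET, via=IIF),             # 16
    Rule("pass", "udp", sport=123, dst=OIP),                       # 17 NTP
    Rule("pass", "udp", src=OIP, dport=123),                       # 18
]

# The narrow change that lets the authoritative server talk to ordinary resolvers:
#   $fwcmd add pass udp from any to ${oip} 53 in via ${oif}
#   $fwcmd add pass udp from ${oip} 53 to any out via ${oif}
DNS_SERVER_RULES = [
    Rule("pass", "udp", dst=OIP, dport=53, direction="in", via=OIF),
    Rule("pass", "udp", src=OIP, sport=53, direction="out", via=OIF),
]
FIXED_RULES = POSTED_RULES[:11] + DNS_SERVER_RULES + POSTED_RULES[11:]

# Constructed traffic as the gateway would see it.
QUERY_IN = Pkt("udp", "198.51.100.7", 33055, OIP, 53, "in", OIF)           # resolver, high source port
ANSWER_OUT = Pkt("udp", OIP, 53, "198.51.100.7", 33055, "out", OIF)        # our reply to it
QUERY_PORT53 = Pkt("udp", "206.13.28.11", 53, OIP, 53, "in", OIF)          # resolver sending from port 53
AXFR_SYN = Pkt("tcp", "206.13.28.11", 1025, OIP, 53, "in", OIF, "setup")   # zone transfer / TCP fallback
SMTP_SYN = Pkt("tcp", "198.51.100.7", 40000, OIP, 25, "in", OIF, "setup")  # unwanted inbound setup


def audit(rules: List[Rule]) -> dict:
    """Verdict and matching rule number for each sample packet."""
    samples = {"query_in": QUERY_IN, "answer_out": ANSWER_OUT, "query_from_port_53": QUERY_PORT53,
               "axfr_syn": AXFR_SYN, "smtp_syn": SMTP_SYN}
    return {name: evaluate(rules, pkt) for name, pkt in samples.items()}
```

Run `audit(POSTED_RULES)` and `audit(FIXED_RULES)` side by side: under the posted rules an ordinary resolver's UDP query to port 53 reaches no pass rule and falls to the default deny, and even if it got in, the answer from port 53 back to the resolver's high port matches nothing either; only a peer that sends from source port 53 (rule 12) and TCP connections to port 53 (rule 9) get through, which is consistent with zone transfers working while an `nslookup` from outside gets no answer. The two rules in `DNS_SERVER_RULES` admit exactly the query and its reply on the outside interface and leave the logging deny for other inbound TCP setups in place. Rule 12 is also worth a second look on its own: it admits any UDP datagram to the gateway whose sender picks source port 53, which is why a port-based rule like that should be narrowed to the peers that actually need it.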
From owner-freebsd-net Tue May 23 7:13:44 2000
Received: from whizzo.transsys.com (whizzo.TransSys.COM [144.202.42.10]) by hub.freebsd.org (Postfix) with ESMTP id ECC6037BB05 for ; Tue, 23 May 2000 07:13:40 -0700 (PDT) (envelope-from louie@whizzo.transsys.com)
Received: from whizzo.transsys.com (localhost.transsys.com [127.0.0.1]) by whizzo.transsys.com (8.9.3/8.9.1) with ESMTP id KAA59407; Tue, 23 May 2000 10:13:34 -0400 (EDT) (envelope-from louie@whizzo.transsys.com)
Message-Id: <200005231413.KAA59407@whizzo.transsys.com>
Date: Tue, 23 May 2000 10:13:34 -0400
From: "Louis A. Mamakos"
To: "Wilbert de Graaf"
Cc: freebsd-net@FreeBSD.ORG, "Olaf Hoyer"
Subject: Re: PPPoE standard?
References: <4.1.20000521000029.00c86bd0@mail.rz.fh-wilhelmshaven.de> <000a01bfc2d2$ae4d85a0$bcf0fea9@icsi.berkeley.edu>
In-reply-to: Your message of "Sat, 20 May 2000 20:14:28 PDT." <000a01bfc2d2$ae4d85a0$bcf0fea9@icsi.berkeley.edu>

> Hi Olaf,
>
> > Is this standardized already in a RFC?
> > Heard some opinions from some guys that this is not standardized yet...
>
> It's RFC 2516 (http://www.ietf.org/rfc/rfc2516.txt)

As one of the authors of this protocol, I'll also mention to be complete
that this is an informational RFC, which has a different standing than a
protocol that has gone through the entire IETF standardization process.

At the time, we had a problem that needed to be solved, but wanted to
ensure that the solution was an open one. Much of the work was happening
within the ADSL Forum (imagine the cantina scene from the original Star
Wars movie, and you'll get a sense of what I thought of how well that
body works). Since work done in the ADSL forum (e.g., documents) are only
available to ADSL Forum members at $6K a year, we (e.g., UUNET along with
Redback Networks) decided to publish it within the IETF, and then
reference it in the ADSL Forum contribution we made. Essentially, it says
"See RFC-2516 for how it works."

The success of PPPOE in the marketplace doesn't seem to have been hurt
any by the status of the RFC (for example, RADIUS was also an
Informational RFC until very recently). It's been widely adopted by lots
of folks.

> > Anyone knows what OS is used in those "routers" for cable modems/DSL lines
> > manufactured by DLink, Linksys etc.?
>
> You mean the router terminating this PPP ? I don't know the OS, but router
> manufacturers like Cisco and Redback support it.

I've got one of the Linksys boxes, and they work pretty hard to hide what
runs inside. (If you're not familiar with the Linksys box, it's a box
with an Ethernet "uplink" to the Cable Modem or DSL box, a small router
or NAT, and a 4 port ethernet switch on the "local network" side.)
If I had to guess, I'd say it ran Linux since some of their other small
boxes seem to run Linux.

louie

From owner-freebsd-net Tue May 23 7:24:11 2000
Received: from mail.snickers.org (snickers.org [216.126.90.2]) by hub.freebsd.org (Postfix) with ESMTP id 400C037B869 for ; Tue, 23 May 2000 07:24:09 -0700 (PDT) (envelope-from josh@snickers.org)
Received: by mail.snickers.org (Postfix, from userid 1037) id 743123D2A; Tue, 23 May 2000 10:24:07 -0400 (EDT)
Date: Tue, 23 May 2000 10:24:07 -0400
From: Josh Tiefenbach
To: Renaud Waldura
Cc: freebsd-net@freebsd.org
Subject: Re: PPP dropping IPSec packets?
Message-ID: <20000523102407.A52508@zipperup.org>
References: <200005222215.AAA26890@guppy.evolunet.com>
In-Reply-To: <200005222215.AAA26890@guppy.evolunet.com>
Organization: Hah

> I try to ping the remote end of the encrypted link, but the packets
> never make it back to me. They do flow from tun1 to tun0 to eth0
> to the telco router to ... to the remote site, _which_replies_
> to my ICMP echo, but for some reason PPP drops the IPSec packets,
> they never come back up to neither tun0 (tunnel interface opened
> by ppp), nor to tun1 (tunnel opened by pipsecd).
>
> But they *do* make it back to the Ethernet interface, they're
> just not transmitted back to the tunnel tun0.

I had the *exact* same problem.

You don't mention whether or not you are using NAT on your gateway box. I
noticed that when I turned off ppp's NAT facility that the pipsecd tunnel
automagically started to work.

I haven't had the chance to delve any further, but it would appear that either
ppp or libalias has some problems trying to map ESP packets.
josh

--
"Just because we know the value of G won't make better cell phones"
-- Jens Gundlach

From owner-freebsd-net Tue May 23 8: 0:25 2000
Received: from storm.FreeBSD.org.uk (storm.freebsd.org.uk [194.242.139.170]) by hub.freebsd.org (Postfix) with ESMTP id A241737B59F for ; Tue, 23 May 2000 08:00:21 -0700 (PDT) (envelope-from brian@Awfulhak.org)
Received: from hak.lan.Awfulhak.org (hak.nat.Awfulhak.org [172.31.0.12]) by storm.FreeBSD.org.uk (8.9.3/8.9.3) with ESMTP id QAA14881; Tue, 23 May 2000 16:00:19 +0100 (BST) (envelope-from brian@Awfulhak.org)
Received: from hak.lan.Awfulhak.org (localhost [127.0.0.1]) by hak.lan.Awfulhak.org (8.9.3/8.9.3) with ESMTP id QAA03189; Tue, 23 May 2000 16:00:14 +0100 (BST) (envelope-from brian@Awfulhak.org)
Message-Id: <200005231500.QAA03189@hak.lan.Awfulhak.org>
Date: Tue, 23 May 2000 16:00:14 +0100
From: Brian Somers
To: Josh Tiefenbach
Cc: Renaud Waldura , freebsd-net@FreeBSD.ORG, brian@hak.lan.Awfulhak.org
Subject: Re: PPP dropping IPSec packets?
In-Reply-To: Message from Josh Tiefenbach of "Tue, 23 May 2000 10:24:07 EDT." <20000523102407.A52508@zipperup.org>

Do they get reported if you ``set log +tcp/ip'' ?  Also, please make
sure you've got the very latest version of ppp (000523 from my web
site or from people.freebsd.org/~brian) as I've just committed a
forgotten patch that may be relevant (although I don't think it will
be).

If the latest ppp code doesn't show the data in the logs, I'd suspect
the problems in libalias....

> > I try to ping the remote end of the encrypted link, but the packets
> > never make it back to me. They do flow from tun1 to tun0 to eth0
> > to the telco router to ...
> > to the remote site, _which_replies_
> > to my ICMP echo, but for some reason PPP drops the IPSec packets,
> > they never come back up to neither tun0 (tunnel interface opened
> > by ppp), nor to tun1 (tunnel opened by pipsecd).
> >
> > But they *do* make it back to the Ethernet interface, they're
> > just not transmitted back to the tunnel tun0.
>
> I had the *exact* same problem.
>
> You don't mention whether or not you are using NAT on your gateway box. I
> noticed that when I turned off ppp's NAT facility that the pipsecd tunnel
> automagically started to work.
>
> I haven't had the chance to delve any further, but it would appear that either
> ppp or libalias has some problems trying to map ESP packets.
>
> josh
>
> --
> "Just because we know the value of G won't make better cell phones"
> -- Jens Gundlach

--
Brian

Don't _EVER_ lose your sense of humour !

From owner-freebsd-net Tue May 23 9:42:29 2000
Received: from guppy.evolunet.com (guppy.evolunet.com [195.154.101.161]) by hub.freebsd.org (Postfix) with ESMTP id AE5D337B6DE for ; Tue, 23 May 2000 09:42:25 -0700 (PDT) (envelope-from renaud@guppy.evolunet.com)
Received: (from renaud@localhost) by guppy.evolunet.com (8.8.7/8.8.7) id SAA03454; Tue, 23 May 2000 18:42:31 +0200 (CEST) (envelope-from renaud)
From: Renaud Waldura
Message-Id: <200005231642.SAA03454@guppy.evolunet.com>
Subject: Re: PPP dropping IPSec packets?
In-Reply-To: <20000523102407.A52508@zipperup.org> from Josh Tiefenbach at "May 23, 0 10:24:07 am"
To: josh@zipperup.org (Josh Tiefenbach)
Date: Tue, 23 May 100 18:42:31 +0200 (CEST)
Cc: freebsd-net@FreeBSD.ORG
Reply-To: renaud@evolunet.com (Renaud Waldura)

> You don't mention whether or not you are using NAT on your gateway box. I
> noticed that when I turned off ppp's NAT facility that the pipsecd tunnel
> automagically started to work.

Yup, that's it. Without NAT, I have no problems. Good call!

> I haven't had the chance to delve any further, but it would appear that either
> ppp or libalias has some problems trying to map ESP packets.

My guess also... BUT Brian's most excellent brand-spanking new version of
ppp fixes the problem -- see my next e-mail.

Thanks for your help Josh,

--
-- Renaud Waldura (temporarily renaud@evolunet.com)
-- The Netsurfers' Organization
-- 610 Clipper St. #19, San Francisco CA 94114, USA
-- +1 415 642-5364

From owner-freebsd-net Tue May 23 10:12:31 2000
Received: from mail.snickers.org (snickers.org [216.126.90.2]) by hub.freebsd.org (Postfix) with ESMTP id C0DCD37B530 for ; Tue, 23 May 2000 10:12:28 -0700 (PDT) (envelope-from josh@snickers.org)
Received: by mail.snickers.org (Postfix, from userid 1037) id 1181A3D2A; Tue, 23 May 2000 13:12:25 -0400 (EDT)
Date: Tue, 23 May 2000 13:12:24 -0400
From: Josh Tiefenbach
To: Brian Somers
Cc: Renaud Waldura , freebsd-net@FreeBSD.ORG
Subject: Re: PPP dropping IPSec packets?
Message-ID: <20000523131224.B52508@zipperup.org>
References: <200005231500.QAA03189@hak.lan.Awfulhak.org>
In-Reply-To: <200005231500.QAA03189@hak.lan.Awfulhak.org>
Organization: Hah

On Tue, May 23, 2000 at 04:00:14PM +0100, Brian Somers wrote:
> Do they get reported if you ``set log +tcp/ip'' ?  Also, please make

At the time, I didn't have set log +tcp/ip set, but here's a snippet when
+debug is set:

May 18 23:15:53 cerebus ppp[259]: Debug: m_enqueue: len = 1
May 18 23:15:53 cerebus ppp[259]: Debug: m_dequeue: queue len = 1
May 18 23:15:53 cerebus ppp[259]: Debug: nat_LayerPush: PROTO_IP -> PROTO_IP
May 18 23:15:53 cerebus ppp[259]: Debug: proto_LayerPush: Using 0x0021
May 18 23:15:53 cerebus ppp[259]: Debug: link_PushPacket: Transmit proto 0x0021
May 18 23:15:53 cerebus ppp[259]: Debug: m_enqueue: len = 1
May 18 23:15:53 cerebus ppp[259]: Debug: m_dequeue: queue len = 1
May 18 23:15:53 cerebus ppp[259]: Debug: link_Dequeue: Dequeued from queue 0, containing 0 more packets
May 18 23:15:53 cerebus ppp[259]: Debug: deflink: DescriptorWrite: wrote 126(126) to 1
May 18 23:15:53 cerebus ppp[259]: Debug: deflink: DescriptorRead: read 126/2048 from 1
May 18 23:15:53 cerebus ppp[259]: Debug: proto_LayerPull: unknown -> 0x0021
May 18 23:15:53 cerebus ppp[259]: Debug: nat_LayerPull: PROTO_IP -> PROTO_IP

> sure you've got the very latest version of ppp (000523 from my web
> site or from people.freebsd.org/~brian) as I've just committed a
> forgotten patch that may be relevant (although I don't think it will
> be).

It's -current circa 4/16. I'm at work right now, so it's kinda hard for me to
test things. I'll see if I can take a look when I get home.

> Brian
>
> Don't _EVER_ lose your sense of humour !
josh

--
"Just because we know the value of G won't make better cell phones"
                                                        -- Jens Gundlach

From owner-freebsd-net Tue May 23 11:13:58 2000
Message-ID: <20000523181353.80985.qmail@hotmail.com>
From: "Plamen Stoev"
To: freebsd-net@FreeBSD.org
Date: Tue, 23 May 2000 21:13:53 EEST

I am using sendmail as a mail server and I was looking for a statistics
package or script to give summaries or statistics from the log file.
Have you heard of any?

From owner-freebsd-net Tue May 23 11:35:24 2000
From: Renaud Waldura
Message-Id: <200005231835.UAA04400@guppy.evolunet.com>
Subject: Re: PPP dropping IPSec packets?
In-Reply-To: <200005231500.QAA03189@hak.lan.Awfulhak.org> from Brian Somers at "May 23, 0 04:00:14 pm"
To: brian@Awfulhak.org (Brian Somers)
Date: Tue, 23 May 100 20:35:32 +0200 (CEST)
Cc: freebsd-net@freebsd.org
Reply-To: renaud@evolunet.com (Renaud Waldura)

> sure you've got the very latest version of ppp (000523 from my web
> site or from people.freebsd.org/~brian) as I've just committed a
> forgotten patch that may be relevant (although I don't think it will

YES! That does it. This latest version fixes my problem, and I'm able to
communicate with the remote site over the encrypted link.

On the other hand, that code is kind of unstable. I've had it dump core on
me a couple of times already. I'll look into that.

Thanks a bunch to Brian and Josh, and to the FreeBSD-Net people as a whole,

--
-- Renaud Waldura (temporarily renaud@evolunet.com)
-- The Netsurfers' Organization
-- 610 Clipper St. #19, San Francisco CA 94114, USA
-- +1 415 642-5364

From owner-freebsd-net Tue May 23 13:12:14 2000
Message-Id: <200005232008.VAA01350@hak.lan.Awfulhak.org>
To: renaud@evolunet.com (Renaud Waldura)
Cc: brian@Awfulhak.org (Brian Somers), freebsd-net@FreeBSD.org, brian@hak.lan.Awfulhak.org
Subject: Re: PPP dropping IPSec packets?
In-Reply-To: Message from Renaud Waldura of "Tue, 23 May 0100 20:35:32 +0200." <200005231835.UAA04400@guppy.evolunet.com>
Date: Tue, 23 May 2000 21:08:23 +0100
From: Brian Somers

> > > sure you've got the very latest version of ppp (000523 from my web
> > > site or from people.freebsd.org/~brian) as I've just committed a
> > > forgotten patch that may be relevant (although I don't think it will
>
> YES! That does it. This latest version fixes my problem, and
> I'm able to communicate with the remote site over the encrypted
> link.
>
> On the other hand, that code is kind of unstable. I've had it dump
> core on me a couple of times already. I'll look into that.

Thanks.
Your best approach is probably to build ppp (and maybe libalias) with

  make CFLAGS=-g STRIP=

and then attach to the running process with

  gdb ppp PID

A trace and a couple of strategic prints would be good :-)

> Thanks a bunch to Brian and Josh, and to the FreeBSD-Net people
> as a whole,
>
> --
> -- Renaud Waldura (temporarily renaud@evolunet.com)
> -- The Netsurfers' Organization
> -- 610 Clipper St. #19, San Francisco CA 94114, USA
> -- +1 415 642-5364

--
Brian

Don't _EVER_ lose your sense of humour !

From owner-freebsd-net Tue May 23 15:52:12 2000
Date: Tue, 23 May 2000 15:50:59 -0700 (PDT)
From: Anil Jangity
To: Plamen Stoev
Cc: freebsd-net@FreeBSD.org
Subject: Re: your mail
In-Reply-To: <20000523181353.80985.qmail@hotmail.com>

Plamen:

Use MRTG at this URL: http://ee-staff.ethz.ch/~oetiker/webtools/mrtg/mrtg.html

MRTG can be configured to "run" a script that will output numbers which it
will use to do those pretty graphs.

Hope that helps.

On Tue, 23 May 2000, Plamen Stoev wrote:

> I am using sendmail as a mail server and I was looking for a statistics
> package or script to give summaries or statistics from the log file.
> Have you heard of any?

From owner-freebsd-net Tue May 23 16:42:39 2000
Message-Id: <4.1.20000524014001.009e0bc0@mail.rz.fh-wilhelmshaven.de>
Date: Wed, 24 May 2000 01:43:06 +0200
To: freebsd-net@freebsd.org
From: Olaf Hoyer
Subject: BPF vs. promiscuous mode

hi!

What's the real difference between the Berkeley Packet Filter and
promiscuous mode? Any URLs explaining that?

Also, what about detecting some folks using that from an administrative
point of view, e.g. running some software like Antisniff?

BTW: Which mechanisms can one use to "fake" MAC entries on (preferably)
Linux systems, and how to detect them?

On our dorm network some students do some things that, seen from an
administrative point of view, need to get some ... measures...
Regards
Olaf Hoyer

--------
Olaf Hoyer                www.nightfire.de        mailto:Olaf.Hoyer@nightfire.de
FreeBSD- Turning PC's into workstations           ICQ:22838075
Love and hate are not blind, but blinded by the fire that they carry
within themselves. (Nietzsche)

From owner-freebsd-net Tue May 23 17: 6: 3 2000
Message-Id: <200005240005.RAA00688@rhapture.apple.com>
To: Olaf Hoyer
Subject: Re: BPF vs. promiscuous mode
Cc: freebsd-net@freebsd.org
Date: Tue, 23 May 2000 17:05:56 -0700
From: "Justin C. Walker"
Reply-To: justin@apple.com

> From: Olaf Hoyer
> Date: 2000-05-23 16:42:57 -0700
> To: freebsd-net@FreeBSD.ORG
> Subject: BPF vs. promiscuous mode
>
> hi!
>
> What's the real difference between the Berkeley Packet Filter and
> promiscuous mode?
The Berkeley Packet Filter is a mechanism to filter incoming packets based
on a "machine language" scheme that is supposed to compile filter requests
into a matching algorithm. It can act on a variety of network devices,
even those that don't support anything like "promiscuous mode".

Promiscuous mode is an operating mode of some network interfaces that
causes them to accept packets other than those that are directly or
indirectly (broadcast, multicast) addressed to the interface.

The two concepts are only marginally related.

> Any URLs explaining that?

Don't know them off-hand.

> Also, what about detecting some folks using that from an administrative
> point of view, e.g. running some software like Antisniff?

Check the mail archives. There are only mildly effective ways of doing this.

> BTW: Which mechanisms can one use to "fake" MAC entries on (preferably)
> Linux systems, and how to detect them?

I'm not sure what a "fake" MAC 'entry' would be. First, 'entry' where?
Second, how "fake"? Do you mean "different from the one that's in the
adapter's address ROM"? Third, this is a BSD list, not a Linux list. If you
need info specific to Linux, try a different list.

> On our dorm network some students do some things that, seen from an
> administrative point of view, need to get some ... measures...

Ah, those pesky students. We tend to hire them if they get too pesky :-}.

Regards,

Justin

--
Justin C. Walker, Curmudgeon-At-Large  *  Institute for General Semantics
Manager, CoreOS Networking             |  When crypto is outlawed,
Apple Computer, Inc.                   |  Only outlaws will have crypto.
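The "machine language" Justin describes, as an added example (this is not FreeBSD's bpf(4) code nor anything from the thread): a toy interpreter for classic BPF programs, run over constructed Ethernet/IPv4 frames with a "tcp dst port 110" filter written in the shape `tcpdump -d` prints. The opcode constants follow the classic net/bpf.h encoding for the instructions used; the frames, addresses and the filter program are constructed here.

```python
"""Toy interpreter for classic BPF filter programs.
Added example, not FreeBSD's bpf(4) code: opcode constants follow the
classic net/bpf.h encoding for the instructions used; the frames and the
filter program below are constructed."""
import struct
from typing import List, NamedTuple

class Insn(NamedTuple):
    code: int   # opcode: class | size | mode (classic BPF encoding)
    jt: int     # added to pc when the jump condition holds
    jf: int     # added to pc when it does not
    k: int      # immediate: packet offset or compare value

# Classic BPF opcode fields (subset).
LD, LDX, JMP, RET = 0x00, 0x01, 0x05, 0x06   # instruction classes
W, H, B = 0x00, 0x08, 0x10                    # operand sizes
ABS, IND, MSH = 0x20, 0x40, 0xA0              # addressing modes
JEQ, JSET = 0x10, 0x40                        # jump conditions
WIDTH = {W: 4, H: 2, B: 1}
UNPACK = {4: ">I", 2: ">H", 1: ">B"}

def run_filter(prog: List[Insn], pkt: bytes) -> int:
    """Run prog over pkt; return bytes to accept (0 = drop), the same
    contract as the kernel's bpf_filter()."""
    a = x = 0            # accumulator and index register
    pc = 0
    while pc < len(prog):
        ins = prog[pc]
        pc += 1
        cls = ins.code & 0x07
        if cls == LDX and (ins.code & 0xE0) == MSH:
            if ins.k >= len(pkt):
                return 0
            x = (pkt[ins.k] & 0x0F) * 4          # IPv4 header length in bytes
        elif cls == LD:
            width = WIDTH[ins.code & 0x18]
            off = ins.k + (x if (ins.code & 0xE0) == IND else 0)
            if off + width > len(pkt):
                return 0                         # load past the end: reject
            a = struct.unpack_from(UNPACK[width], pkt, off)[0]
        elif cls == JMP:
            cond = ins.code & 0xF0
            if cond == JEQ:
                taken = a == ins.k
            elif cond == JSET:
                taken = (a & ins.k) != 0         # any bit of k set in a
            else:
                raise ValueError("unsupported jump %#x" % ins.code)
            pc += ins.jt if taken else ins.jf
        elif cls == RET:
            return ins.k
        else:
            raise ValueError("unsupported opcode %#x" % ins.code)
    raise ValueError("program ran off the end")

# "tcp dst port 110" on Ethernet, in the shape `tcpdump -d` prints for it
# (IPv6 branch omitted).  Offsets: ethertype 12, IP proto 23, frag field 20.
TCP_DST_POP3 = [
    Insn(LD | H | ABS, 0, 0, 12),     # ldh [12]          ethertype
    Insn(JMP | JEQ, 0, 8, 0x0800),    # jeq #0x800        jt 2  jf 10
    Insn(LD | B | ABS, 0, 0, 23),     # ldb [23]          IP protocol
    Insn(JMP | JEQ, 0, 6, 6),         # jeq #6 (TCP)      jt 4  jf 10
    Insn(LD | H | ABS, 0, 0, 20),     # ldh [20]          flags + fragment offset
    Insn(JMP | JSET, 4, 0, 0x1FFF),   # jset #0x1fff      jt 10 jf 6 (later fragment: drop)
    Insn(LDX | B | MSH, 0, 0, 14),    # ldx 4*([14]&0xf)  IP header length -> x
    Insn(LD | H | IND, 0, 0, 16),     # ldh [x + 16]      TCP destination port
    Insn(JMP | JEQ, 0, 1, 110),       # jeq #110          jt 9  jf 10
    Insn(RET, 0, 0, 0x40000),         # ret #262144       accept
    Insn(RET, 0, 0, 0),               # ret #0            drop
]

def build_frame(proto: int, dst_port: int, ihl: int = 5, frag: int = 0,
                ethertype: int = 0x0800) -> bytes:
    """Constructed Ethernet/IPv4 frame with a 20-byte TCP-shaped header."""
    eth = bytes(12) + struct.pack(">H", ethertype)
    ip = struct.pack(">BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + 20, 1, frag,
                     64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    ip += bytes(ihl * 4 - 20)                    # IP options when ihl > 5
    tcp = struct.pack(">HHIIBBHHH", 40000, dst_port, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return eth + ip + tcp

# Constructed sample frames; only tcp_110 and tcp_110_ipopts should pass.
SAMPLES = {
    "tcp_110": build_frame(6, 110),
    "tcp_443": build_frame(6, 443),
    "udp_110": build_frame(17, 110),                    # wrong protocol
    "tcp_110_ipopts": build_frame(6, 110, ihl=6),       # port moved by options
    "tcp_110_fragment": build_frame(6, 110, frag=5),    # non-first fragment
    "arp_frame": build_frame(6, 110, ethertype=0x0806), # not IP at all
    "truncated": build_frame(6, 110)[:30],              # port load out of range
}

def classify(frames=SAMPLES) -> dict:
    """Map each frame name to the filter verdict (accept length or 0)."""
    return {name: run_filter(TCP_DST_POP3, f) for name, f in frames.items()}
```

Every load is bounds-checked against the packet, which is why a filter program cannot read outside the buffer whatever offsets it asks for; the `ldx msh` step is what lets the same program find the TCP port behind a variable-length IP header.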
2 Infinite Loop                        |
Cupertino, CA 95014                    |
*--------------------------------------*-------------------------------*

From owner-freebsd-net Tue May 23 18:19:14 2000
Message-Id: <4.1.20000524031209.027cb820@mail.rz.fh-wilhelmshaven.de>
Date: Wed, 24 May 2000 03:19:28 +0200
To: freebsd-net@FreeBSD.ORG
From: Olaf Hoyer
Subject: Re: BPF vs. promiscuous mode
In-Reply-To: <200005240005.RAA00688@rhapture.apple.com>

>> Also, what about detecting some folks using that from an administrative
>> point of view, e.g. running some software like Antisniff?
>
> Check the mail archives. There are only mildly effective ways of
> doing this.
>
>> BTW: Which mechanisms can one use to "fake" MAC entries on (preferably)
>> Linux systems, and how to detect them?
>
> I'm not sure what a "fake" MAC 'entry' would be. First, 'entry'
> where? Second, how "fake"? Do you mean "different from the one
> that's in the adapter's address ROM"? Third, this is a BSD list, not
> a Linux list. If you need info specific to Linux, try a different
> list.

Hi!

Well, I'm working on administering stuff on our local dorm. (Or what would
be the correct term for that? ,-)

It's a chaotic peer-to-peer network, with a DHCP server and a gateway to
university.
We already had some sniffer attack to sniff out POP3 passwords.

As some of the folks are running Linux, I'm also concerned about that
possibility, so I have to take that into account. Some simple reference
would be enough.

I mean with fake address that you pretend that your NIC had a different
address from that stored in PROM.

Say, your NIC had an address of (fictional) 00:00:00:1e:3d:2a and you could
make it appear to other boxes on the same network as, say,
3e:2e:4b:3d:5c:00; in this case I'd like to know
a) how this is done and
b) how it can be detected

As Linux is more common than *BSD, I also have to take that possibility
into account. Some general hints on the mechanism used there would be
sufficient.

Regards
Olaf Hoyer

--------
Olaf Hoyer                www.nightfire.de        mailto:Olaf.Hoyer@nightfire.de
FreeBSD- Turning PC's into workstations           ICQ:22838075
Love and hate are not blind, but blinded by the fire that they carry
within themselves. (Nietzsche)

From owner-freebsd-net Tue May 23 18:35:29 2000
Date: Tue, 23 May 2000 20:35:17 -0500 (CDT)
From: Mike Silbersack
To: Olaf Hoyer
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: BPF vs. promiscuous mode
In-Reply-To: <4.1.20000524031209.027cb820@mail.rz.fh-wilhelmshaven.de>

On Wed, 24 May 2000, Olaf Hoyer wrote:

> It's a chaotic peer-to-peer network, with a DHCP server and a gateway to
> university.
> We already had some sniffer attack to sniff out POP3 passwords.
> ...
> I mean with fake address that you pretend that your NIC had a different
> address from that stored in PROM.
>
> Say, your NIC had an address of (fictional) 00:00:00:1e:3d:2a and you could
> make it appear to other boxes on the same network as, say,
> 3e:2e:4b:3d:5c:00; in this case I'd like to know
> a) how this is done and
> b) how it can be detected

Well, as one of those pesky students who has reprogrammed his MAC address
on multiple occasions (so DHCP would give me the same IP when switching
NICs), I'm curious why that's a problem. Changing IPs doesn't really pose
any threat that I'm aware of, unless you're impersonating the gateway.
(Such attacks may be doable even without changing MAC addresses,
actually. I think impersonating the DHCP server would do - no packet
sniffing required!)

However, that's really unimportant anyway; it sounds like you're using
regular hubs from your above statements. You should probably just get
cheap switches; any other countermeasures to prevent sniffers are just
going to take a lot of time, and not really be effective.
Mike "Silby" Silbersack

From owner-freebsd-net Tue May 23 18:43:10 2000
Message-Id: <4.1.20000524033815.00a76340@mail.rz.fh-wilhelmshaven.de>
Date: Wed, 24 May 2000 03:43:32 +0200
To: Mike Silbersack
From: Olaf Hoyer
Subject: Re: BPF vs. promiscuous mode
Cc: freebsd-net@FreeBSD.ORG
References: <4.1.20000524031209.027cb820@mail.rz.fh-wilhelmshaven.de>

>> I mean with fake address that you pretend that your NIC had a different
>> address from that stored in PROM.
>>
>> Say, your NIC had an address of (fictional) 00:00:00:1e:3d:2a and you could
>> make it appear to other boxes on the same network as, say,
>> 3e:2e:4b:3d:5c:00; in this case I'd like to know
>> a) how this is done and
>> b) how it can be detected
>
> Well, as one of those pesky students who has reprogrammed his MAC address
> on multiple occasions (so DHCP would give me the same IP when switching
> NICs), I'm curious why that's a problem. Changing IPs doesn't really pose
> any threat that I'm aware of, unless you're impersonating the gateway.
> (Such attacks may be doable even without changing MAC addresses,
> actually. I think impersonating the DHCP server would do - no packet
> sniffing required!)
>
> However, that's really unimportant anyway; it sounds like you're using
> regular hubs from your above statements. You should probably just get
> cheap switches; any other countermeasures to prevent sniffers are just
> going to take a lot of time, and not really be effective.

Hi!

Well, the IP assignment is not the problem.

Fact is, there are some jobs run that check whether on some network segment
some card is present that is in promiscuous mode and/or has its MAC address
changed, seen independently from the assigned (via DHCP) IP address. (Of
course, you might assign your IP address manually.)
Are there some programs/techniques that do that?

BSD or Linux, some program/trick/whatsoever that pretends (in return to ARP
queries) a different MAC address than stored on the ROM of the NIC.

We have (due to costs) one central switch running (3com, IIRC), with about
twelve hubs attached, which hold altogether about 235 connections.

Regards
Olaf Hoyer

--------
Olaf Hoyer                www.nightfire.de        mailto:Olaf.Hoyer@nightfire.de
FreeBSD- Turning PC's into workstations           ICQ:22838075
Love and hate are not blind, but blinded by the fire that they carry
within themselves. (Nietzsche)

From owner-freebsd-net Tue May 23 22:16: 1 2000
Date: Wed, 24 May 2000 00:15:55 -0500 (CDT)
From: Mike Silbersack
To: Olaf Hoyer
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: BPF vs. promiscuous mode
In-Reply-To: <4.1.20000524033815.00a76340@mail.rz.fh-wilhelmshaven.de>

On Wed, 24 May 2000, Olaf Hoyer wrote:

> Hi!
>
> Well, the IP assignment is not the problem.
>
> Fact is, there are some jobs run that check whether on some network segment
> some card is present that is in promiscuous mode and/or has its MAC address
> changed, seen independently from the assigned (via DHCP) IP address. (Of
> course, you might assign your IP address manually.)
> Are there some programs/techniques that do that?

I'm sure there are programs which can detect such changes, I think someone
mentioned arpwatch?

> BSD or Linux, some program/trick/whatsoever that pretends (in return to ARP
> queries) a different MAC address than stored on the ROM of the NIC.

Changing the MAC address of a NIC is extremely simple, it's easily done
even in windows - don't single out students who run unix as troublemakers.

> We have (due to costs) one central switch running (3com, IIRC), with about
> twelve hubs attached, which hold altogether about 235 connections.

I guess the real issue is the question of whether your network is configured
in such a way that a student box could take the IP of one of your boxes (dns
server, etc). If the only issue is students fooling with each other, I
wouldn't worry too much about it, personally. Though logging as you
mention above certainly can't hurt.
Mike "Silby" Silbersack

From owner-freebsd-net Wed May 24 2: 2: 2 2000
Message-Id: <4.1.20000524105140.00a108d0@mail.rz.fh-wilhelmshaven.de>
Date: Wed, 24 May 2000 10:59:06 +0200
To: Mike Silbersack
From: Olaf Hoyer
Subject: Re: BPF vs. promiscuous mode
Cc: freebsd-net@FreeBSD.ORG
References: <4.1.20000524033815.00a76340@mail.rz.fh-wilhelmshaven.de>

>> Fact is, there are some jobs run that check whether on some network segment
>> some card is present that is in promiscuous mode and/or has its MAC address
>> changed, seen independently from the assigned (via DHCP) IP address. (Of
>> course, you might assign your IP address manually.)
>> Are there some programs/techniques that do that?
>
> I'm sure there are programs which can detect such changes, I think someone
> mentioned arpwatch?

Hi!

Will have a look at that.

>> BSD or Linux, some program/trick/whatsoever that pretends (in return to ARP
>> queries) a different MAC address than stored on the ROM of the NIC.
>
> Changing the MAC address of a NIC is extremely simple, it's easily done
> even in windows - don't single out students who run unix as troublemakers.

Yes, that's what I meant.
Extremely simple? Then you know something I don't know yet- examples/names
of programs-drivers/URLs?

>> We have (due to costs) one central switch running (3com, IIRC), with about
>> twelve hubs attached, which hold altogether about 235 connections.
>
> I guess the real issue is the question of whether your network is configured
> in such a way that a student box could take the IP of one of your boxes (dns
> server, etc). If the only issue is students fooling with each other, I
> wouldn't worry too much about it, personally. Though logging as you
> mention above certainly can't hurt.

Well, yes, that's the major issue, but as I also belong to that big group
(some administration is done in the dorm internally) and my personal box
also is hooked up to that LAN, I have a vital personal interest.
Because I have to work under Winblows frequently due to various reasons
related to study topics and work I do (making some money on support etc.) I
have some reasons to care...

Real problem is the implementation style of that network, that each room
where the puter is, is private, so the only way to enforce some policy is to
pull the user.

Regards
Olaf Hoyer

--------
Olaf Hoyer                www.nightfire.de        mailto:Olaf.Hoyer@nightfire.de
FreeBSD- Turning PC's into workstations           ICQ:22838075
Love and hate are not blind, but blinded by the fire that they carry
within themselves. (Nietzsche)

From owner-freebsd-net Wed May 24 7:24:21 2000
Date: Wed, 24 May 2000 07:23:20 -0700
From: Steve Shah
To: Mike Silbersack
Cc: Olaf Hoyer, freebsd-net@FreeBSD.ORG
Subject: Re: BPF vs. promiscuous mode
Message-ID: <20000524072320.C14568@clickarray.com>
References: <4.1.20000524031209.027cb820@mail.rz.fh-wilhelmshaven.de>

On Tue, May 23, 2000 at 08:35:17PM -0500, Mike Silbersack wrote:
> On Wed, 24 May 2000, Olaf Hoyer wrote:
> > It's a chaotic peer-to-peer network, with a DHCP server and a gateway to
> > university.
> > We already had some sniffer attack to sniff out POP3 passwords.

Consider forcing all e-mail services to be accessible only through secure
tunnels. If the students are using Outlook, then they can use SSL. If you
want to allow generic POP3 clients, then make the stunnel utility available
to them with a batch file that runs:

  stunnel -c -d 110 -r pop3server.school.edu:995

I've done this for my "VPN" so that my road warriors could access our mail
servers from remote without worrying about what type of net connection they
have or what other people they may have to share it with. It works quite
well.

> NICs), I'm curious why that's a problem. Changing IPs doesn't really pose
> any threat that I'm aware of, unless you're impersonating the gateway.
> (Such attacks may be doable even without changing MAC addresses,
> actually. I think impersonating the DHCP server would do - no packet
> sniffing required!)

Generally the problem is students changing their MAC addy's to get another
IP address from the DHCP server. It's more of an annoyance than anything
else, esp. when you run out of IP addresses and legit students start
whining about it. (Those pesky students! ;-))

The tool that you are looking for is "arpwatch". This will watch all of the
MAC<->IP mappings on a segment and alert you if this changes. A tool that
takes DHCP logs and filters out accepted changes could probably be hacked up
quickly.

#include "magic_perl_script_here.pl"

Aside: If you haven't already, I assume you have NAT'd off your dorms and
firewalled them up the wazoo, right? I know at my old university,
unauthorized servers were a real ugly problem. On more than one occasion, we
would see MRTG graphs go all green.... It was not a pretty sight. This was
because students were given real IP addy's. What should have been done (and
hopefully done by now... it's been a while since I've seen their network)
is to have all the students NAT off into the 10.0.0.0 network. This would
keep the servers from coming in.

What would have been entertaining is to try and put every student on their
own subnet. This would keep the script kiddies from doing broadcast based
attacks since all the other hosts would just ignore the packets within the
first few checks in their IP stack. There are certainly enough networks to
support a few thousand 30 bit netmasks....

-Steve

--
___________________________________________________________________________
Steve Shah (sshah@clickarray.com) | Developer/Systems Administrator/Author
http://www.clickarray.com         | Voice: 408.772.8202 (e-mail preferred)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Beating code into submission, one OS at a time...
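An added example of the arpwatch-style check Steve describes, together with the DHCP-log filter he suggests hacking up (example code written for this page, not arpwatch or any project's code): it tracks the MAC<->IP pairing seen in ARP replies, names changes the way arpwatch does (new station, changed ethernet address, flip flop), and suppresses changes that a constructed dhcpd-style DHCPACK log explains. The observations, the log lines and all addresses are constructed; the two MACs are the fictional ones from Olaf's message.

```python
"""arpwatch-style MAC<->IP monitor with a DHCP-log filter for accepted changes.
Added example, not arpwatch or any project's code: the ARP observations,
the dhcpd-style log lines and all addresses are constructed (the two MACs
are the fictional ones from Olaf's message)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed ARP-reply observations: (seconds, sender IP, sender MAC).
ARP_OBSERVATIONS = [
    (100, "10.0.0.5", "00:00:00:1e:3d:2a"),
    (160, "10.0.0.5", "00:00:00:1e:3d:2a"),
    (200, "10.0.0.5", "3e:2e:4b:3d:5c:00"),   # new lease holder, per dhcpd log
    (260, "10.0.0.1", "00:c0:4f:aa:bb:cc"),   # the gateway
    (300, "10.0.0.1", "3e:2e:4b:3d:5c:00"),   # a second station answers for the gateway
    (330, "10.0.0.1", "00:c0:4f:aa:bb:cc"),   # and the gateway answers again
]

# Constructed dhcpd-style log; only the DHCPACK lines matter here.
DHCP_LOG = """\
May 24 03:10:02 dorm dhcpd: DHCPACK on 10.0.0.5 to 00:00:00:1e:3d:2a via fxp0
May 24 03:12:40 dorm dhcpd: DHCPDISCOVER from 3e:2e:4b:3d:5c:00 via fxp0
May 24 03:12:41 dorm dhcpd: DHCPACK on 10.0.0.5 to 3e:2e:4b:3d:5c:00 via fxp0
"""
DHCPACK_RE = re.compile(r"DHCPACK on (\d+\.\d+\.\d+\.\d+) to ([0-9a-fA-F:]{17})")

def accepted_leases(log: str) -> Set[Tuple[str, str]]:
    """(ip, mac) pairs the DHCP server itself handed out.  Lease expiry is
    ignored here; a real tool would also compare lease times."""
    return {(m.group(1), m.group(2).lower()) for m in DHCPACK_RE.finditer(log)}

@dataclass
class Event:
    time: int
    kind: str                # "new station", "changed ethernet address", "flip flop"
    ip: str
    mac: str
    old_mac: Optional[str]
    accepted: bool           # explained by a DHCP lease, so not alert-worthy

@dataclass
class ArpMonitor:
    leases: Set[Tuple[str, str]]
    # ip -> (current MAC, previous MAC); the previous one lets us spot flip flops.
    table: Dict[str, Tuple[str, Optional[str]]] = field(default_factory=dict)
    events: List[Event] = field(default_factory=list)

    def observe(self, t: int, ip: str, mac: str) -> Optional[Event]:
        """Feed one ARP reply; return an Event if the pairing changed."""
        mac = mac.lower()
        entry = self.table.get(ip)
        if entry is None:
            kind, old = "new station", None
        elif entry[0] == mac:
            return None                             # same pairing as before
        elif entry[1] == mac:
            kind, old = "flip flop", entry[0]       # bounced back to the earlier MAC
        else:
            kind, old = "changed ethernet address", entry[0]
        self.table[ip] = (mac, old)
        ev = Event(t, kind, ip, mac, old, (ip, mac) in self.leases)
        self.events.append(ev)
        return ev

    def alerts(self) -> List[Event]:
        """Changes not explained by a DHCP lease; new stations are only logged."""
        return [e for e in self.events if e.kind != "new station" and not e.accepted]

def run_monitor(observations=ARP_OBSERVATIONS, dhcp_log=DHCP_LOG) -> ArpMonitor:
    """Replay the observations through a monitor primed with the DHCP log."""
    mon = ArpMonitor(accepted_leases(dhcp_log))
    for t, ip, mac in observations:
        mon.observe(t, ip, mac)
    return mon

if __name__ == "__main__":
    for e in run_monitor().alerts():
        print("t=%d %s: %s %s -> %s" % (e.time, e.kind, e.ip, e.old_mac, e.mac))
```

With the sample data, the re-lease of 10.0.0.5 is filtered out because the DHCP server logged it, while the two changes on the gateway's address are reported, which is the case Mike singled out as the one worth worrying about.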
From owner-freebsd-net Wed May 24 9: 0:31 2000
Date: Wed, 24 May 2000 11:00:25 -0500 (CDT)
From: Mike Silbersack
To: Olaf Hoyer
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: BPF vs. promiscuous mode
In-Reply-To: <4.1.20000524105140.00a108d0@mail.rz.fh-wilhelmshaven.de>

On Wed, 24 May 2000, Olaf Hoyer wrote:

> >> BSD or Linux, some program/trick/whatsoever that pretends (in return to ARP
> >> queries) a different MAC address than stored on the ROM of the NIC.
> >
> > Changing the MAC address of a NIC is extremely simple, it's easily done
> > even in windows - don't single out students who run unix as troublemakers.
> Yes, that's what I meant.
> Extremely simple? Then you know something I don't know yet- examples/names
> of programs-drivers/URLs?

Well, under windows, it's just a setting in the advanced properties in my
tulip's drivers (but it's not there with my pnic.) Under linux, it's just an
ifconfig option - I forget the exact command line, it's been a while. I'm
sure the man page lists it, though. Under FreeBSD, changing your MAC
address isn't directly supported yet, but there are patches in the mailing
list archives for compiling a kernel module which will allow you to do it.

All in all, it's easy.

> Well, yes, that's the major issue, but as I also belong to that big group
> (some administration is done in the dorm internally) and my personal box
> also is hooked up to that LAN, I have a vital personal interest.
> Because I have to work under Winblows frequently due to various reasons
> related to study topics and work I do (making some money on support etc.) I
> have some reasons to care...
>
> Real problem is the implementation style of that network, that each room
> where the puter is, is private, so the only way to enforce some policy is to
> pull the user.

Hm, it could be worse than that. With a hub style setup, I'm not sure how
you could trace back who the offender is if he's good.

Mike "Silby" Silbersack

From owner-freebsd-net Wed May 24 9: 6:42 2000
Date: Wed, 24 May 2000 11:06:34 -0500 (CDT)
From: Mike Silbersack
To: Steve Shah
Cc: Olaf Hoyer, freebsd-net@FreeBSD.ORG
Subject: Re: BPF vs. promiscuous mode
In-Reply-To: <20000524072320.C14568@clickarray.com>

On Wed, 24 May 2000, Steve Shah wrote:

> Aside: If you haven't already, I assume you have NAT'd off your dorms
> and firewalled them up the wazoo, right? I know at my old university,
> unauthorized servers were a real ugly problem. On more than one
> occasion, we would see MRTG graphs go all green.... It was not a pretty
> sight.
This was because students were given real IP addy's. What > should have been done (and hopefully done by now... it's been a while > since I've seen their network) is to have all the students NAT off > into the 10.0.0.0 network. This would keep the servers from coming > in. Bah! I'm giving you the no fun network administrator badge. NATing might help in the short-term, but it also breaks stuff like ICQ/video games/etc, which students probably use a lot. (What? They're there to study?) I'd guess the next-generation mp3/file sharing programs will probably find ways to avoid the roadblocks NAT puts up anyway, unfortunately - and that's where the major bandwidth is, not http/ftp servers (at madison, anyway.) Mike "Silby" Silbersack To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Wed May 24 9:17: 0 2000 Delivered-To: freebsd-net@freebsd.org Received: from alpha.dante.org.uk (alpha.dante.org.uk [193.63.211.19]) by hub.freebsd.org (Postfix) with ESMTP id 1C02537B614 for ; Wed, 24 May 2000 09:16:50 -0700 (PDT) (envelope-from david.harmelin@dante.org.uk) Received: from eilat.dante.org.uk ([193.63.211.55] helo=eilat) by alpha.dante.org.uk with esmtp (Exim 3.12 #4) id 12udpv-0002Ja-00 for freebsd-net@freebsd.org; Wed, 24 May 2000 17:16:48 +0100 Message-Id: <4.2.2.20000524170030.00b0f100@alpha.dante.org.uk> X-Sender: david@alpha.dante.org.uk X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Wed, 24 May 2000 17:16:42 +0100 To: freebsd-net@freebsd.org From: David Harmelin Subject: nd6_lookup: failed to add route for neighbor Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hello, I'll try to make it as brief as possible. I have a Freebsd 4.0 connected through a v6-on-v4 tunnel to a remote router. The gif0 tunnel works fine (can ping the other v6 end). 
My local v6 address is 3ffe:8038:80:3::3, configured on the fxp1 (ethernet) interface; the other end is 3ffe:8038:80:3::2.

There is no autoconfiguration, so I edited /etc/rc.conf so that /etc/rc.network6 adds the local address it gets from there.

When I originally booted the station, netstat -rn output was:

3ffe:8038:80:3::/64    link#2               UGSc    fxp1

What adds this line? I could not find it in rc.network6.

My second question is: what does link#2 stand for?

I could not ping the other v6 end with that, so I added a route manually:

3ffe:8038:80:3::2      gif0                 UHS     gif0

and I would get ping6 replies. Still, I could not seem to get replies from further hops, which are within 3ffe:8038:80:3::/64 too. So I deleted the first entry to 3ffe:8038:80:3::/64 and added another one, so my routing table now looks like this:

3ffe:8038:80:3::/64    3ffe:8038:80:3::2    UGSc    fxp1
3ffe:8038:80:3::2      gif0                 UHS     gif0
3ffe:8038:80:3::3      0:d0:b7:20:8a:7b     UHLW    lo0

But when I try to ping6 further down some hops (3ffe:8038:80:3::1 for instance), I now get messages:

/kernel: nd6_lookup: failed to add route for a neighbor (3ffe:8038:0080:0003::0002)

Any idea what this message means, where it comes from, or what I am doing wrong? I know I should use route6d instead of struggling with static routes (and I will), but I need to satisfy my curiosity first.

DH.
David Harmelin, Network Engineer, DANCERT Representative
DANTE, Francis House, 112 Hills Road, Cambridge CB2 1PQ, United Kingdom
Tel +44 1223 302992   Fax +44 1223 303005   WWW http://www.dante.net

From owner-freebsd-net Wed May 24 9:39:57 2000
Delivered-To: freebsd-net@freebsd.org
Received: from mail.rz.fh-wilhelmshaven.de (mail.rz.fh-wilhelmshaven.de [139.13.25.134]) by hub.freebsd.org (Postfix) with ESMTP id 3793137BCEA for ; Wed, 24 May 2000 09:39:52 -0700 (PDT) (envelope-from ohoyer@fbwi.fh-wilhelmshaven.de)
Received: from fettesau.stuwo.fh-wilhelmshaven.de (stuwopc5.stuwo.fh-wilhelmshaven.de [139.13.209.5]) by mail.rz.fh-wilhelmshaven.de (8.9.3/8.9.3) with SMTP id SAA06166; Wed, 24 May 2000 18:39:32 +0200 (MET DST)
Message-Id: <4.1.20000524181102.02652a10@mail.rz.fh-wilhelmshaven.de>
X-Sender: ohoyer@mail.rz.fh-wilhelmshaven.de
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
Date: Wed, 24 May 2000 18:27:10 +0200
To: Steve Shah
From: Olaf Hoyer
Subject: Re: BPF vs. promiscuous mode
Cc: freebsd-net@FreeBSD.ORG
In-Reply-To: <20000524072320.C14568@clickarray.com>
References: <4.1.20000524031209.027cb820@mail.rz.fh-wilhelmshaven.de>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 07:23 24.05.00 -0700, you wrote:
>On Tue, May 23, 2000 at 08:35:17PM -0500, Mike Silbersack wrote:
>> On Wed, 24 May 2000, Olaf Hoyer wrote:
>> > It's a chaotic peer-to-peer network, with a DHCP server and a gateway to
>> > university.
>> > We already had some sniffer attack to sniff out Pop3 passwords.
>
>Consider forcing all e-mail services to be accessible only through
>secure tunnels. If the students are using Outlook, then
>they can use SSL. If you want to allow generic POP3 clients, then
>make the stunnel utility available to them with a batch file
>that runs:
>
>stunnel -c -d 110 -r pop3server.school.edu:995

Hi!

Well, sorry, forgot to tell that the dorm is connected via a gateway / router to the university, where the "real" servers (mail etc.) stand. They switched some months ago to the IMAP protocol due to various reasons. Those attacks that "were done because of showing need to do something" were done by some yet undisclosed party before that.

>
>Generally the problem is students changing their MAC addy's to get
>another IP address from the DHCP server. It's more of an annoyance
>than anything else, esp. when you run out of IP addresses and legit
>students start whining about it. (Those pesky students! ;-))

Yes, that would be another problem that needs to be addressed, if someone gets more than his available share. (If it's just another IP address, the pool size will remain the same, and some other chap also gets a changed IP address handed out from DHCP.)

The _real_ threat would be if some actions are undertaken with a fake MAC address, so that you cannot trace the machines. Imagine someone taking the MAC address of the neighbor whilst his machine is off, sneaking his IP number from DHCP, making Netbios name resolution (parts of our communication in-house runs via the M$-network style with file shares etc. and "popups" in Lan-Manager style via Netbios) and doing some bad things like insulting other fellows, or hacking/cracking their boxes. Even if that leaves traces, it won't be attributed to him...

>The tool that you are looking for is "arpwatch". This will watch all
>of the MAC<->IP mappings on a segment and alert you if this changes.
>A tool that takes DHCP logs and filters out accepted changes could
>probably be hacked up quickly. #include "magic_perl_script_here.pl"

Looked it up already. Sounds good. (Is this a BSD specific port, or can I expect to find some Linux version? We have some small proxy here, running Linux (was decision and money from university which gave us that box))

>Aside: If you haven't already, I assume you have NAT'd off your dorms
>and firewalled them up the wazoo, right? I know at my old university,
>unauthorized servers were a real ugly problem. On more than one
>occasion, we would see MRTG graphs go all green.... It was not a pretty
>sight. This was because students were given real IP addy's. What
>should have been done (and hopefully done by now... it's been a while
>since I've seen their network) is to have all the students NAT off
>into the 10.0.0.0 network. This would keep the servers from coming
>in.

No, not yet. The entire setup was done by the university, so we had only the possibility to accept or decline. At least, we didn't pay much money for that; they forked over the most... The university is on a Class B net in the 139.13.xxx range. (FH Wilhelmshaven, if someone cares.) From that, we got a class C subnet, as we roughly need 240 IP numbers (235 rooms, and some IP numbers for gateway, DHCP server, proxy and some spares). Those are _public IP_ numbers. They wanted to change something some time ago, but nothing happened yet. (We also have a small connection to university, one ISDN line 64kbit.) At least there is a firewall in the university...

>
>
>What would have been entertaining is to try and put every student
>on their own subnet. This would keep the script kiddies from
>doing broadcast based attacks since all the other hosts would just
>ignore the packets within the first few checks in their IP stack.
>There are certainly enough networks to support a few thousand
>30 bit netmasks....
>

Yes, would be entertaining... But raises the administrative work, as some lusers won't get it or are not willing to get it... (Well, for the nice girls in the first semester (I guess you call them freshmen?) of course you offer free on-site support ;-)) )

As we have an internal 10 Mbit network, bandwidth is no real issue for lots of DoS attacks...

Another issue could be the switch... IIRC a 3com manageable switch. I could imagine some real bad things with SNMP etc...

Regards
Olaf Hoyer

--------
Olaf Hoyer   www.nightfire.de   mailto:Olaf.Hoyer@nightfire.de
FreeBSD - Turning PC's into workstations   ICQ:22838075
Love and hate are not blind, but blinded by the fire they carry within themselves. (Nietzsche)

From owner-freebsd-net Wed May 24 9:41:41 2000
Delivered-To: freebsd-net@freebsd.org
Received: from milquetoast.cs.mcgill.ca (milquetoast.CS.McGill.CA [132.206.2.5]) by hub.freebsd.org (Postfix) with ESMTP id 9BBBC37B674 for ; Wed, 24 May 2000 09:41:37 -0700 (PDT) (envelope-from andrewb@milquetoast.cs.mcgill.ca)
Received: (from andrewb@localhost) by milquetoast.cs.mcgill.ca (8.9.3/8.9.3) id MAA21840 for freebsd-net@freebsd.org; Wed, 24 May 2000 12:41:36 -0400 (EDT)
Date: Wed, 24 May 2000 12:41:36 -0400
From: Andrew Bogecho
To: freebsd-net@freebsd.org
Subject: ppp and nat
Message-ID: <20000524124136.F2003@cs.mcgill.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.94.15i
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Wed May 24 12:37:53 EDT 2000

Hi all,

I asked about this three weeks ago on questions, but got no responses. Hopefully, some here might be able to help me.

Here goes:

I am using FreeBSD 4.0-RELEASE

I have been having a big problem with my internal network. I am using PPPoE. Below is my configuration file. I must say that everything works, other than port forwarding. I only have one forwarding line, and no matter what I have tried I cannot get it to work. Any help would be appreciated.
# /etc/ppp/ppp.conf - beginning
#
# PPP Version 2.26 - Mar 20 2000
#

default:
 set device PPPoE:dc0
 set MRU 1492
 set MTU 1492
 set authname ********@sympatico.ca
 set authkey ********
 set log Phase tun command
 set dial
 set login
 set ifaddr 10.0.0.1/0 10.0.0.2/0
 add default HISADDR
 set cd 5
 set crtscts off
 # Only added the line below so that I could use pppctl
 set server /var/run/internet "" 0177

 # Comments were removed when I was testing
 # alias enable yes
 # alias port tcp 192.168.1.21:80 80
 # alias log yes

 # nat enable yes
 # nat port tcp 192.168.1.21:80 80
 # nat log yes

papchap:

 set authname ********@sympatico.ca
 set authkey ********

#####
# /etc/ppp/ppp.conf - end

Please note that I tried both the alias version and the nat version to no avail. I do have a network connection from my internal network out, but I cannot get the port forwarding.

Below is my netstat table:

Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
0/24               link#1             UC          dc0 =>
default            64.228.205.1       UGSc       tun0
64.228.205.1       64.228.205.204     UH         tun0
127.0.0.1          127.0.0.1          UH          lo0
192.168.1          link#2             UC          xl0 =>
192.168.1.10       0:a0:c:c1:65:bf    UHLW        xl0    684
192.168.1.11       0:0:e2:29:b6:b1    UHLW        xl0    433
192.168.1.26       0:a0:c:c1:67:2     UHLW        xl0    943
192.168.1.30       0:a0:c:c1:65:bf    UHLW        xl0   1175
192.168.1.248      0:10:4b:7a:53:58   UHLW        xl0   1180
192.168.1.249      0:a0:c:c1:46:be    UHLW        xl0   1140

My /sbin/ifconfig -a

dc0: flags=8843 mtu 1500
        inet 0.0.0.0 netmask 0xffffff00 broadcast 0.0.0.255
        ether 00:a0:0c:c1:42:8b
        media: autoselect (10baseT/UTP) status: active
        supported media: autoselect 100baseTX 100baseTX 10baseT/UTP 10baseT/UTP 100baseTX none
xl0: flags=8843 mtu 1492
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
        inet 192.168.1.3 netmask 0xffffff00 broadcast 192.168.1.255
        ether 00:10:4b:13:7e:6a
        media: autoselect (100baseTX ) status: active
        supported media: autoselect 100baseTX 100baseTX 10baseT/UTP 10baseT/UTP 100baseTX
lp0: flags=8810 mtu 1500
sl0: flags=c010 mtu 552
ppp0: flags=8010 mtu 1500
lo0: flags=8049 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
gif0: flags=8010 mtu 1280
gif1: flags=8010 mtu 1280
gif2: flags=8010 mtu 1280
gif3: flags=8010 mtu 1280
stf0: flags=8000 mtu 1280
faith0: flags=8000 mtu 1500
tun0: flags=8151 mtu 1492
        inet 64.228.205.204 --> 64.228.205.1 netmask 0xff000000
        Opened by PID 576

netstat does not show the port as open.

I have also tried using pppctl and typing in the commands by hand, but have had no luck. Am I missing something? Is my ppp.conf file somehow wrong?

Thanks in advance for all those that try to help.

Andrew.

From owner-freebsd-net Wed May 24 9:59:54 2000
Delivered-To: freebsd-net@freebsd.org
Received: from storm.FreeBSD.org.uk (storm.freebsd.org.uk [194.242.139.170]) by hub.freebsd.org (Postfix) with ESMTP id 08DD937BD00 for ; Wed, 24 May 2000 09:59:48 -0700 (PDT) (envelope-from brian@Awfulhak.org)
Received: from hak.lan.Awfulhak.org (hak.nat.Awfulhak.org [172.31.0.12]) by storm.FreeBSD.org.uk (8.9.3/8.9.3) with ESMTP id RAA49476; Wed, 24 May 2000 17:59:44 +0100 (BST) (envelope-from brian@Awfulhak.org)
Received: from hak.lan.Awfulhak.org (localhost [127.0.0.1]) by hak.lan.Awfulhak.org (8.9.3/8.9.3) with ESMTP id RAA89074; Wed, 24 May 2000 17:59:40 +0100 (BST) (envelope-from brian@Awfulhak.org)
Message-Id: <200005241659.RAA89074@hak.lan.Awfulhak.org>
X-Mailer: exmh version 2.1.1 10/15/1999
To: Andrew Bogecho
Cc: freebsd-net@FreeBSD.ORG, brian@hak.lan.Awfulhak.org
Subject: Re: ppp and nat
In-Reply-To: Message from Andrew Bogecho of "Wed, 24 May 2000 12:41:36 EDT." <20000524124136.F2003@cs.mcgill.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 24 May 2000 17:59:40 +0100
From: Brian Somers
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

What does /var/log/alias.log say about port 80 traffic ?
> Wed May 24 12:37:53 EDT 2000
>
> Hi all,
>
> I asked about this three weeks ago on questions, but got no responses.
> Hopefully, some here might be able to help me.
>
> Here goes:
>
> I am using FreeBSD 4.0-RELEASE
>
> I have been having a big problem with my internal network. I am using
> PPPoE. Below is my configuration file. I must say that everything
> works, other than port forwarding. I only have one forwarding line, and
> no matter what I have tried I cannot get it to work. Any help would be
> appreciated.
>
> # /etc/ppp/ppp.conf - beginning
> #
> # PPP Version 2.26 - Mar 20 2000
> #
>
> default:
>  set device PPPoE:dc0
>  set MRU 1492
>  set MTU 1492
>  set authname ********@sympatico.ca
>  set authkey ********
>  set log Phase tun command
>  set dial
>  set login
>  set ifaddr 10.0.0.1/0 10.0.0.2/0
>  add default HISADDR
>  set cd 5
>  set crtscts off
>  # Only added the line below so that I could use pppctl
>  set server /var/run/internet "" 0177
>
>  # Comments were removed when I was testing
>  # alias enable yes
>  # alias port tcp 192.168.1.21:80 80
>  # alias log yes
>
>  # nat enable yes
>  # nat port tcp 192.168.1.21:80 80
>  # nat log yes
>
> papchap:
>
>  set authname ********@sympatico.ca
>  set authkey ********
>
> #####
> # /etc/ppp/ppp.conf - end
>
> Please note that I tried both the alias version and the nat version to
> no avail. I do have a network connection from my internal network out,
> but I cannot get the port forwarding.
>
> Below is my netstat table:
>
> Routing tables
>
> Internet:
> Destination        Gateway            Flags     Netif Expire
> 0/24               link#1             UC          dc0 =>
> default            64.228.205.1       UGSc       tun0
> 64.228.205.1       64.228.205.204     UH         tun0
> 127.0.0.1          127.0.0.1          UH          lo0
> 192.168.1          link#2             UC          xl0 =>
> 192.168.1.10       0:a0:c:c1:65:bf    UHLW        xl0    684
> 192.168.1.11       0:0:e2:29:b6:b1    UHLW        xl0    433
> 192.168.1.26       0:a0:c:c1:67:2     UHLW        xl0    943
> 192.168.1.30       0:a0:c:c1:65:bf    UHLW        xl0   1175
> 192.168.1.248      0:10:4b:7a:53:58   UHLW        xl0   1180
> 192.168.1.249      0:a0:c:c1:46:be    UHLW        xl0   1140
>
> My /sbin/ifconfig -a
>
> dc0: flags=8843 mtu 1500
>         inet 0.0.0.0 netmask 0xffffff00 broadcast 0.0.0.255
>         ether 00:a0:0c:c1:42:8b
>         media: autoselect (10baseT/UTP) status: active
>         supported media: autoselect 100baseTX 100baseTX 10baseT/UTP 10baseT/UTP 100baseTX none
> xl0: flags=8843 mtu 1492
>         inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
>         inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
>         inet 192.168.1.3 netmask 0xffffff00 broadcast 192.168.1.255
>         ether 00:10:4b:13:7e:6a
>         media: autoselect (100baseTX ) status: active
>         supported media: autoselect 100baseTX 100baseTX 10baseT/UTP 10baseT/UTP 100baseTX
> lp0: flags=8810 mtu 1500
> sl0: flags=c010 mtu 552
> ppp0: flags=8010 mtu 1500
> lo0: flags=8049 mtu 16384
>         inet 127.0.0.1 netmask 0xff000000
> gif0: flags=8010 mtu 1280
> gif1: flags=8010 mtu 1280
> gif2: flags=8010 mtu 1280
> gif3: flags=8010 mtu 1280
> stf0: flags=8000 mtu 1280
> faith0: flags=8000 mtu 1500
> tun0: flags=8151 mtu 1492
>         inet 64.228.205.204 --> 64.228.205.1 netmask 0xff000000
>         Opened by PID 576
>
> netstat does not show the port as open.
>
>
> I have also tried using pppctl and typing in the commands by hand, but
> have had no luck. Am I missing something? is my ppp.conf file somehow
> wrong?
>
> Thanks in advance for all those that try to help.
>
> Andrew.

-- 
Brian

Don't _EVER_ lose your sense of humour !
From owner-freebsd-net Wed May 24 10:11:56 2000
Delivered-To: freebsd-net@freebsd.org
Received: from dune.clickarray.com (adsl-63-197-76-246.dsl.snfc21.pacbell.net [63.197.76.246]) by hub.freebsd.org (Postfix) with ESMTP id DC55537BD00 for ; Wed, 24 May 2000 10:11:53 -0700 (PDT) (envelope-from sshah@dune.clickarray.com)
Received: (from sshah@localhost) by dune.clickarray.com (8.9.3/8.9.3) id JAA14771; Wed, 24 May 2000 09:29:18 -0700
Date: Wed, 24 May 2000 09:29:18 -0700
From: Steve Shah
To: Mike Silbersack
Cc: Olaf Hoyer , freebsd-net@FreeBSD.ORG
Subject: Re: BPF vs. promiscuous mode
Message-ID: <20000524092918.B14746@clickarray.com>
References: <20000524072320.C14568@clickarray.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0pre3i
In-Reply-To:
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, May 24, 2000 at 11:06:34AM -0500, Mike Silbersack wrote:
> Bah! I'm giving you the no fun network administrator badge. NATing might
> help in the short-term, but it also breaks stuff like ICQ/video games/etc,
> which students probably use a lot. (What? They're there to study?) I'd
> guess the next-generation mp3/file sharing programs will probably find
> ways to avoid the roadblocks NAT puts up anyway, unfortunately - and
> that's where the major bandwidth is, not http/ftp servers (at madison,
> anyway.)

The messaging stuff is easy to proxy for, and I don't mind doing that. Napster I'd block off from the standpoint of bandwidth consumption. And now that there is legal precedent on schools getting sued for crap like that, I'd rather save myself the hassle. There are better battles to fight.

The definite win for NATting would be against the web server folks who are serving up commercial stuff and MP3's. Although Napster is an ugly problem in that regard. (Today's User Friendly explains why in ugly, ugly detail...)

Most importantly, it's a case of protecting students from attacks. There are (sadly) people out there who still find it amusing to BOINK large numbers of Winders machines that aren't patched up. And I wouldn't trust most students to keep their boxes patched up.

In the end, there is always a way to get back in (tunnels, etc.), but just looking at the small handful of people who know how to do that means that I still would not have to be overly concerned with bandwidth. Of course if I *really* wanted to be a punk, I'd put a rate limiter on outgoing traffic.

-Steve

-- 
Steve Shah (sshah@clickarray.com) | Developer/Systems Administrator/Author
http://www.clickarray.com         | Voice: 408.772.8202 (e-mail preferred)
Beating code into submission, one OS at a time...

From owner-freebsd-net Wed May 24 10:25:47 2000
Delivered-To: freebsd-net@freebsd.org
Received: from rapidnet.com (rapidnet.com [205.164.216.1]) by hub.freebsd.org (Postfix) with ESMTP id 5572B37B618 for ; Wed, 24 May 2000 10:25:44 -0700 (PDT) (envelope-from nick@rapidnet.com)
Received: from localhost (nick@localhost) by rapidnet.com (8.9.3/8.9.3) with ESMTP id LAA51098; Wed, 24 May 2000 11:24:57 -0600 (MDT)
Date: Wed, 24 May 2000 11:24:57 -0600 (MDT)
From: Nick Rogness
To: Mike Silbersack
Cc: Steve Shah , Olaf Hoyer , freebsd-net@FreeBSD.ORG
Subject: Re: BPF vs. promiscuous mode
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 24 May 2000, Mike Silbersack wrote:

[snip]
>
> Bah! I'm giving you the no fun network administrator badge. NATing might
> help in the short-term, but it also breaks stuff like ICQ/video games/etc,

I have yet to have problems with FreeBSD's NAT working with ICQ or games. Which games are you talking about?

Nick Rogness
- Speak softly and carry a Gigabit switch.

From owner-freebsd-net Wed May 24 10:32:59 2000
Delivered-To: freebsd-net@freebsd.org
Received: from gw-laissus.laissus.fr (gw-laissus.laissus.fr [193.104.1.2]) by hub.freebsd.org (Postfix) with ESMTP id A512637BD2E for ; Wed, 24 May 2000 10:32:45 -0700 (PDT) (envelope-from fla@laissus.fr)
Received: from myriade.laissus.fr by gw-laissus.laissus.fr with ESMTP (8.9.3/fla-28.10.1999) id TAA17981; Wed, 24 May 2000 19:32:37 +0200 (CEST)
Received: by myriade.laissus.fr
Date: Wed, 24 May 2000 19:32:36 +0200
From: Francois LAISSUS
To: freebsd-net@freebsd.org
Subject: Multilink on Ethernet
Message-ID: <20000524193236.A64820@myriade.laissus.fr>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
X-Operating-System: FreeBSD 3.4-STABLE #30
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

Is there a way to do multilink on ethernet? BTW, to have redundancy/load balancing on a stressed nfs server (under FBSD of course)...
Thanks
F.Laissus

From owner-freebsd-net Wed May 24 10:43: 8 2000
Delivered-To: freebsd-net@freebsd.org
Received: from coconut.itojun.org (coconut.itojun.org [210.160.95.97]) by hub.freebsd.org (Postfix) with ESMTP id 939F037B743 for ; Wed, 24 May 2000 10:43:00 -0700 (PDT) (envelope-from itojun@itojun.org)
Received: from kiwi.itojun.org (localhost.itojun.org [127.0.0.1]) by coconut.itojun.org (8.9.3+3.2W/3.7W) with ESMTP id CAA01843; Thu, 25 May 2000 02:42:38 +0900 (JST)
To: David Harmelin
Cc: freebsd-net@freebsd.org
In-reply-to: david.harmelin's message of Wed, 24 May 2000 17:16:42 +0100. <4.2.2.20000524170030.00b0f100@alpha.dante.org.uk>
X-Template-Reply-To: itojun@itojun.org
X-Template-Return-Receipt-To: itojun@itojun.org
X-PGP-Fingerprint: F8 24 B4 2C 8C 98 57 FD 90 5F B4 60 79 54 16 E2
Subject: Re: nd6_lookup: failed to add route for neighbor
From: itojun@iijlab.net
Date: Thu, 25 May 2000 02:42:38 +0900
Message-ID: <1841.959190158@coconut.itojun.org>
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>I'll try to make it as brief as possible.
>I have a Freebsd 4.0 connected through a v6-on-v4 tunnel to a remote
>router. The gif0 tunnel works fine (can ping the other v6 end).
>My local v6 address is 3ffe:8038:80:3::3, configured on the fxp1 (ethernet)
>interface, the other end is 3ffe:8038:80:3::2 .

is the following diagram correct? if so, do not configure 3ffe:8038:80:3::3 onto fxp1. configure the address to gif0, not fxp1. you are not supposed to use 3ffe:8038:80:3::/64 on fxp1.

        the other end of tunnel
           | 3ffe:8038:80:3::2
           |
           | tunnel link
           |
           |gif0 3ffe:8038:80:3::3
        my end of tunnel
           |fxp1
        ==+=== ethernet

>There is no autoconfiguration so I edited /etc/rc.conf so that
>/etc/rc.network6 adds the local address it gets from there.
>When I originally booted the station, netstat -rn output was:
>3ffe:8038:80:3::/64 link#2 UGSc fxp1
>What adds this line? could not find it in rc.network6

ifconfig to fxp1.

>My second question is: what link#2 stands for?

fxp1.

itojun

From owner-freebsd-net Wed May 24 11: 7:25 2000
Delivered-To: freebsd-net@freebsd.org
Received: from silby.com (cb34181-a.mdsn1.wi.home.com [24.14.173.39]) by hub.freebsd.org (Postfix) with SMTP id 4619437B743 for ; Wed, 24 May 2000 11:07:21 -0700 (PDT) (envelope-from silby@silby.com)
Received: (qmail 21658 invoked by uid 1000); 24 May 2000 18:07:20 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 24 May 2000 18:07:20 -0000
Date: Wed, 24 May 2000 13:07:20 -0500 (CDT)
From: Mike Silbersack
To: Steve Shah
Cc: Olaf Hoyer , freebsd-net@FreeBSD.ORG
Subject: Re: BPF vs. promiscuous mode
In-Reply-To: <20000524092918.B14746@clickarray.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 24 May 2000, Steve Shah wrote:

> The messaging stuff is easy to proxy for, and I don't mind doing that.
> Napster I'd block off from the standpoint of bandwidth consumption. And
> now that there is legal precedent on schools getting sued for
> crap like that, I'd rather save myself the hassle. There are better battles
> to fight.
>
> The definite win for NATting would be against the web server folks
> who are serving up commercial stuff and MP3's. Although Napster is
> an ugly problem in that regard. (Today's User Friendly explains why
> in ugly, ugly detail...)
>
> Most importantly, it's a case of protecting students from attacks.
> There are (sadly) people out there who still find it amusing to BOINK
> large numbers of Winders machines that aren't patched up. And I
> wouldn't trust most students to keep their boxes patched up.

It may just be simpler to block outgoing connections to napster/etc, and block incoming connections to port 21/80/137/138/139; then you don't have to worry about the hassles of proxification. I guess what you choose depends on your local policies / etc. I think 137/138/139 would be a no-brainer in any case, though. I've seen a few people become bandwidth hogs due to scour.net without even knowing it. (Also, blocking those ports would stop a good percentage of the windows attacks dead.)

> In the end, there is always a way to get back in. (Tunnels, etc.)
> but just looking at the small handful of people who know how to do
> that means that I still would not have to be overly concerned with
> bandwidth. Of course if I *really* wanted to be a punk, I'd put a
> rate limiter on outgoing traffic.
>
> -Steve

Rate limiting might actually be the most fair solution for the future, as it's likely napster-like programs are going to evolve to the point where explicitly blocking them is impossible. I think something like 16K/sec is more than acceptable.

Mike "Silby" Silbersack

From owner-freebsd-net Wed May 24 11:17:36 2000
Delivered-To: freebsd-net@freebsd.org
Received: from silby.com (cb34181-a.mdsn1.wi.home.com [24.14.173.39]) by hub.freebsd.org (Postfix) with SMTP id C6C5937B87F for ; Wed, 24 May 2000 11:17:27 -0700 (PDT) (envelope-from silby@silby.com)
Received: (qmail 21685 invoked by uid 1000); 24 May 2000 18:17:27 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 24 May 2000 18:17:27 -0000
Date: Wed, 24 May 2000 13:17:27 -0500 (CDT)
From: Mike Silbersack
To: Nick Rogness
Cc: Steve Shah , Olaf Hoyer , freebsd-net@FreeBSD.ORG
Subject: Re: BPF vs. promiscuous mode
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 24 May 2000, Nick Rogness wrote:

> On Wed, 24 May 2000, Mike Silbersack wrote:
>
> [snip]
> >
> > Bah! I'm giving you the no fun network administrator badge. NATing might
> > help in the short-term, but it also breaks stuff like ICQ/video games/etc,
>
> I have yet to have problems with FreeBSD's NAT working with ICQ or
> games. Which games are you talking about?

ICQ starts out ok, but due to their server jumping around the destination port it uses for the udp channel to the client, people behind nat become inaccessible to others and don't see status updates of others after a few minutes of being connected. The tcp ports used for direct connections can be told to be outgoing only by telling ICQ you're behind a firewall, but then two people behind firewalls can't establish direct connections. While you could manually set up specific tcp ports, ICQ still won't allow communication between two firewalled clients (an error on their part, IMHO - they probably didn't consider such setups as common.)

I know age of empires won't work through nat whatsoever, and since starcraft uses port 6112 (udp) as source for all packets, I'm under the impression that NAT would quickly get confused if multiple people from behind the same NAT gateway were playing in the same game, or if you wanted to host a game.

Don't get me wrong, I love NAT, it's great for home networks and certainly for businesses (where you'd have none of the above traffic), but you're going to just have a large, screaming mass of students if you try it at a school, I suspect.

Next on fox: When silby uses too many commas and not enough periods.
Mike "Silby" Silbersack

From owner-freebsd-net Wed May 24 11:44:25 2000
Delivered-To: freebsd-net@freebsd.org
Received: from milquetoast.cs.mcgill.ca (milquetoast.CS.McGill.CA [132.206.2.5]) by hub.freebsd.org (Postfix) with ESMTP id 28BEA37BD2A for ; Wed, 24 May 2000 11:44:18 -0700 (PDT) (envelope-from andrewb@milquetoast.cs.mcgill.ca)
Received: (from andrewb@localhost) by milquetoast.cs.mcgill.ca (8.9.3/8.9.3) id OAA24343; Wed, 24 May 2000 14:44:14 -0400 (EDT)
Date: Wed, 24 May 2000 14:44:14 -0400
From: Andrew Bogecho
To: Brian Somers
Cc: freebsd-net@freebsd.org
Subject: Re: ppp and nat
Message-ID: <20000524144414.H2003@cs.mcgill.ca>
References: <200005241659.RAA89074@hak.lan.Awfulhak.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.94.15i
In-Reply-To: <200005241659.RAA89074@hak.lan.Awfulhak.org>; from Brian Somers on Wed, May 24, 2000 at 05:59:40PM +0100
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Wed May 24 14:41:32 EDT 2000

Thank you for the quick reply. My alias.log file really did not help much.
All it had were lines like the following:

file: /var/log/alias.log
    icmp=0, udp=1, tcp=4, frag_id=0 frag_ptr=0 / tot=5 (sock=0)
    icmp=0, udp=1, tcp=3, frag_id=0 frag_ptr=0 / tot=4 (sock=0)
    icmp=0, udp=2, tcp=3, frag_id=0 frag_ptr=0 / tot=5 (sock=0)
    icmp=0, udp=1, tcp=3, frag_id=0 frag_ptr=0 / tot=4 (sock=0)
    icmp=0, udp=1, tcp=4, frag_id=0 frag_ptr=0 / tot=5 (sock=0)
    icmp=0, udp=2, tcp=4, frag_id=0 frag_ptr=0 / tot=6 (sock=0)
    icmp=0, udp=2, tcp=3, frag_id=0 frag_ptr=0 / tot=5 (sock=0)
    icmp=0, udp=2, tcp=4, frag_id=0 frag_ptr=0 / tot=6 (sock=0)
    icmp=0, udp=2, tcp=3, frag_id=0 frag_ptr=0 / tot=5 (sock=0)
    icmp=0, udp=1, tcp=3, frag_id=0 frag_ptr=0 / tot=4 (sock=0)
    icmp=0, udp=2, tcp=3, frag_id=0 frag_ptr=0 / tot=5 (sock=0)
    icmp=0, udp=3, tcp=3, frag_id=0 frag_ptr=0 / tot=6 (sock=0)
    icmp=0, udp=4, tcp=3, frag_id=0 frag_ptr=0 / tot=7 (sock=0)
    icmp=0, udp=4, tcp=4, frag_id=0 frag_ptr=0 / tot=8 (sock=0)
    icmp=0, udp=5, tcp=4, frag_id=0 frag_ptr=0 / tot=9 (sock=0)
    icmp=0, udp=6, tcp=4, frag_id=0 frag_ptr=0 / tot=10 (sock=0)
    icmp=0, udp=7, tcp=4, frag_id=0 frag_ptr=0 / tot=11 (sock=0)
    icmp=0, udp=8, tcp=4, frag_id=0 frag_ptr=0 / tot=12 (sock=0)
    icmp=0, udp=9, tcp=4, frag_id=0 frag_ptr=0 / tot=13 (sock=0)
    icmp=0, udp=10, tcp=4, frag_id=0 frag_ptr=0 / tot=14 (sock=0)
    icmp=0, udp=11, tcp=4, frag_id=0 frag_ptr=0 / tot=15 (sock=0)
    icmp=0, udp=12, tcp=4, frag_id=0 frag_ptr=0 / tot=16 (sock=0)
    ..... etc.

I know that doesn't help much. I was mainly worried that I had something
wrong in my ppp.conf. Do I need a special section for the nat area, or does
the file look ok?

Thanks again for your help.

Andrew.

On Wed, May 24, 2000 at 05:59:40PM +0100, Brian Somers wrote:
> Hi,
>
> What does /var/log/alias.log say about port 80 traffic ?
>
> > Wed May 24 12:37:53 EDT 2000
> >
> > Hi all,
> >
> > I asked about this three weeks ago on questions, but got no responses.
> > Hopefully, some here might be able to help me.
> >
> > Here goes:
> >
> > I am using FreeBSD 4.0-RELEASE
> >
> > I have been having a big problem with my internal network. I am using
> > PPPoE. Below is my configuration file. I must say that everything
> > works, other than port forwarding. I only have one forwarding line, and
> > no matter what I have tried I cannot get it to work. Any help would be
> > appreciated.
> >
> > # /etc/ppp/ppp.conf - beginning
> > #
> > # PPP Version 2.26 - Mar 20 2000
> > #
> >
> > default:
> >  set device PPPoE:dc0
> >  set MRU 1492
> >  set MTU 1492
> >  set authname ********@sympatico.ca
> >  set authkey ********
> >  set log Phase tun command
> >  set dial
> >  set login
> >  set ifaddr 10.0.0.1/0 10.0.0.2/0
> >  add default HISADDR
> >  set cd 5
> >  set crtscts off
> >  # Only added the line below so that I could use pppctl
> >  set server /var/run/internet "" 0177
> >
> >  # Comments were removed when I was testing
> >  # alias enable yes
> >  # alias port tcp 192.168.1.21:80 80
> >  # alias log yes
> >
> >  # nat enable yes
> >  # nat port tcp 192.168.1.21:80 80
> >  # nat log yes
> >
> > papchap:
> >
> >  set authname ********@sympatico.ca
> >  set authkey ********
> >
> > #####
> > # /etc/ppp/ppp.conf - end
> >
> > Please note that I tried both the alias version and the nat version to
> > no avail. I do have a network connection from my internal network out,
> > but I cannot get the port forwarding.
> > Below is my netstat table:
> >
> > Routing tables
> >
> > Internet:
> > Destination        Gateway            Flags     Netif Expire
> > 0/24               link#1             UC          dc0 =>
> > default            64.228.205.1       UGSc       tun0
> > 64.228.205.1       64.228.205.204     UH         tun0
> > 127.0.0.1          127.0.0.1          UH          lo0
> > 192.168.1          link#2             UC          xl0 =>
> > 192.168.1.10       0:a0:c:c1:65:bf    UHLW        xl0    684
> > 192.168.1.11       0:0:e2:29:b6:b1    UHLW        xl0    433
> > 192.168.1.26       0:a0:c:c1:67:2     UHLW        xl0    943
> > 192.168.1.30       0:a0:c:c1:65:bf    UHLW        xl0   1175
> > 192.168.1.248      0:10:4b:7a:53:58   UHLW        xl0   1180
> > 192.168.1.249      0:a0:c:c1:46:be    UHLW        xl0   1140
> >
> > My /sbin/ifconfig -a
> >
> > dc0: flags=8843 mtu 1500
> >         inet 0.0.0.0 netmask 0xffffff00 broadcast 0.0.0.255
> >         ether 00:a0:0c:c1:42:8b
> >         media: autoselect (10baseT/UTP) status: active
> >         supported media: autoselect 100baseTX 100baseTX 10baseT/UTP 10baseT/UTP 100baseTX none
> > xl0: flags=8843 mtu 1492
> >         inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
> >         inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
> >         inet 192.168.1.3 netmask 0xffffff00 broadcast 192.168.1.255
> >         ether 00:10:4b:13:7e:6a
> >         media: autoselect (100baseTX ) status: active
> >         supported media: autoselect 100baseTX 100baseTX 10baseT/UTP 10baseT/UTP 100baseTX
> > lp0: flags=8810 mtu 1500
> > sl0: flags=c010 mtu 552
> > ppp0: flags=8010 mtu 1500
> > lo0: flags=8049 mtu 16384
> >         inet 127.0.0.1 netmask 0xff000000
> > gif0: flags=8010 mtu 1280
> > gif1: flags=8010 mtu 1280
> > gif2: flags=8010 mtu 1280
> > gif3: flags=8010 mtu 1280
> > stf0: flags=8000 mtu 1280
> > faith0: flags=8000 mtu 1500
> > tun0: flags=8151 mtu 1492
> >         inet 64.228.205.204 --> 64.228.205.1 netmask 0xff000000
> >         Opened by PID 576
> >
> > netstat does not show the port as open.
> >
> >
> > I have also tried using pppctl and typing in the commands by hand, but
> > have had no luck. Am I missing something? is my ppp.conf file somehow
> > wrong?
> >
> > Thanks in advance for all those that try to help.
> >
> > Andrew.
> >
> --
> Brian
>
> Don't _EVER_ lose your sense of humour !

From owner-freebsd-net Wed May 24 13:22:12 2000
Date: Wed, 24 May 2000 22:36:24 +0200 (CEST)
From: MadDave
Subject: Re: BPF vs. promiscuous mode
To: Nick Rogness
Cc: Mike Silbersack, Steve Shah, Olaf Hoyer, freebsd-net@FreeBSD.ORG

Hello !!!

Almost all games that are using DirectX ..... like Microsoft Age of Empires..

bye,
MadDave

On Wed, 24 May 2000, Nick Rogness wrote:

> On Wed, 24 May 2000, Mike Silbersack wrote:
> > [snip]
> >
> > Bah! I'm giving you the no fun network administrator badge. NATing might
> > help in the short-term, but it also breaks stuff like ICQ/video games/etc,
>
> I have yet to have problems with FreeBSD's NAT working with ICQ or
> games. Which games are you talking about?
>
> Nick Rogness
> - Speak softly and carry a Gigabit switch.
From owner-freebsd-net Wed May 24 14:32:19 2000
Message-Id: <200005242134.WAA02032@hak.lan.Awfulhak.org>
To: Andrew Bogecho
Cc: Brian Somers, freebsd-net@freebsd.org, brian@hak.lan.Awfulhak.org
Subject: Re: ppp and nat
In-Reply-To: Message from Andrew Bogecho of "Wed, 24 May 2000 14:44:14 EDT." <20000524144414.H2003@cs.mcgill.ca>
Date: Wed, 24 May 2000 22:34:21 +0100
From: Brian Somers

> Wed May 24 14:41:32 EDT 2000
>
> Thank you for the quick reply. My alias.log file really did not help
> much. All it had were lines like the following:
>
> file: /var/log/alias.log
> icmp=0, udp=1, tcp=4, frag_id=0 frag_ptr=0 / tot=5 (sock=0)
> icmp=0, udp=1, tcp=3, frag_id=0 frag_ptr=0 / tot=4 (sock=0)
[.....]

Hmm, that's not too useful, although it does prove that libalias is being
used :-)

FWIW, this definitely works ok for me:

nat:
 nat enable yes
 nat port tcp dev:http http

Can we assume that outgoing connections from 192.168.1.21 work ok ?
--
Brian

Don't _EVER_ lose your sense of humour !

From owner-freebsd-net Wed May 24 16:27:27 2000
Message-ID: <392C655B.5966AE30@whistle.com>
Date: Wed, 24 May 2000 16:27:23 -0700
From: Erik Salander
To: freebsd-net@FreeBSD.ORG
Cc: archie@whistle.com, julian@elischer.org, eivind@FreeBSD.ORG, kris@FreeBSD.ORG, ru@FreeBSD.ORG, imp@village.org, brian@Awfulhak.org, cmott@scientech.com
Subject: libalias changes for PPTP, RTSP, FTP(passive)

Hi,

I've got some changes for libalias that are ready to be reviewed. The
general features are:

- add support to alias RTSP and RTP (see new module alias_rtsp.c)
- add support to alias PPTP and GRE (see new module alias_pptp.c and all
  "LINK_GRE" references)
- add support for passive mode FTP, aliasing the 227 replies (see
  alias_ftp.c)
- a new utility function, PacketUnaliasOut (see alias.c)

Note, the FTP aliasing now ensures that:

1. the segment preceding a PORT/227 segment terminates with a \r\n.
2. the IP address in the PORT/227 matches the source IP address of the
   packet.
3. the port number in the PORT command or 227 reply is greater than or
   equal to 1024.

Here are the changes:
ftp://ftp.whistle.com/pub/archie/misc/libalias.patch.1

Please review when you can and let me know if you have comments.

Thanks!

Erik Salander
Whistle Communications

From owner-freebsd-net Wed May 24 18:48:58 2000
Date: Wed, 24 May 2000 18:48:55 -0700
Subject: Network communication problem.
From: "Chutima S."
To: freebsd-net@FreeBSD.ORG
Message-Id: <20000525014855.HSOT20287.mta02@onebox.com>

Dear all,

I have one box of FreeBSD-2.2.5. A few weeks ago it started disappearing
from the network, and I have to reboot it daily. And when I ping localhost
the time seems much higher than normal (others get times around 0.03 ms).
But processes and everything else look normal. Does anybody have any idea?

bash# ping localhost
PING localhost (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=255 time=3.243 ms
64 bytes from 127.0.0.1: icmp_seq=1 ttl=255 time=1.827 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=255 time=1.817 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=255 time=1.909 ms
64 bytes from 127.0.0.1: icmp_seq=4 ttl=255 time=1.816 ms
64 bytes from 127.0.0.1: icmp_seq=5 ttl=255 time=1.830 ms
64 bytes from 127.0.0.1: icmp_seq=6 ttl=255 time=1.818 ms

Thanks to you all,
Chutima S.
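Editorial note on Erik Salander's libalias announcement above: the three sanity checks he lists for PORT commands and 227 replies, written out as an added Python example (not code from libalias or from the patch). The FTP lines, source addresses and the "previous segment" payloads are constructed; the NAT would apply the same tests before creating a data-connection mapping, so a client cannot have the NAT open a mapping for a third party's address or for a privileged port.

```python
import re

# A PORT command carries h1,h2,h3,h4,p1,p2 (client data endpoint); a 227
# reply carries the same six numbers inside parentheses.  Both lines must
# end with CRLF to be complete.
_HOSTPORT = rb"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(rb"\APORT " + _HOSTPORT + rb"\r\n\Z")
PASV_RE = re.compile(rb"\A227 [^(\r\n]*\(" + _HOSTPORT + rb"\)[^\r\n]*\r\n\Z")


def parse_endpoint(segment: bytes):
    """Return ("PORT"|"227", ip, port) for a well-formed line, else None."""
    for kind, rx in (("PORT", PORT_RE), ("227", PASV_RE)):
        m = rx.match(segment)
        if m:
            fields = [int(g) for g in m.groups()]
            if any(f > 255 for f in fields):
                return None  # octets and port bytes must fit in a byte
            h1, h2, h3, h4, p1, p2 = fields
            return kind, f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    return None


def check_alias_request(segment: bytes, src_ip: str,
                        previous_segment: bytes = b"\r\n"):
    """Apply the three checks from the message to one TCP segment of the
    FTP control connection.  Returns (ok, reason); ok means the NAT may
    create the mapping.  previous_segment is the payload of the preceding
    segment on the same connection (default: an empty line, so a first
    segment passes check 1)."""
    # 1. The preceding segment must end with CRLF, so this segment really
    #    starts a new command/reply line rather than continuing one.
    if not previous_segment.endswith(b"\r\n"):
        return False, "previous segment does not end with CRLF; split line"
    parsed = parse_endpoint(segment)
    if parsed is None:
        return False, "not a well-formed PORT command or 227 reply"
    kind, ip, port = parsed
    # 2. The announced address must be the packet's own source address.
    if ip != src_ip:
        return False, f"{kind} names {ip} but packet came from {src_ip}"
    # 3. Data endpoints below 1024 are never accepted.
    if port < 1024:
        return False, f"{kind} names privileged port {port}"
    return True, f"alias {kind} endpoint {ip}:{port}"


if __name__ == "__main__":
    # Constructed cases: (previous segment, segment, packet source address)
    cases = [
        (b"\r\n", b"PORT 192,168,1,21,4,1\r\n", "192.168.1.21"),
        (b"\r\n", b"PORT 10,0,0,5,4,1\r\n", "192.168.1.21"),
        (b"\r\n", b"PORT 192,168,1,21,0,25\r\n", "192.168.1.21"),
        (b"USER anonymous", b"PORT 192,168,1,21,4,1\r\n", "192.168.1.21"),
        (b"\r\n", b"227 Entering Passive Mode (64,228,205,204,39,16)\r\n",
         "64.228.205.204"),
    ]
    for prev, seg, src in cases:
        ok, why = check_alias_request(seg, src, prev)
        print(f"{seg!r:58} {'OK ' if ok else 'DROP'} {why}")
```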
From owner-freebsd-net Thu May 25 2:30:43 2000
Message-Id: <4.2.2.20000525102612.00b1ea30@alpha.dante.org.uk>
Date: Thu, 25 May 2000 10:29:57 +0100
To: itojun@iijlab.net
From: David Harmelin
Subject: Re: nd6_lookup: failed to add route for neighbor
Cc: freebsd-net@freebsd.org
In-Reply-To: <1841.959190158@coconut.itojun.org>

The diagram is correct.

If I configure 3ffe:8038:80:3::3 to gif0, how is the mapping between that
address and fxp1 done? (there is more than one network card)

I tried it, but the following routing entry is not there anymore:

3ffe:8038:80:3::3    0:d0:b7:20:8a:7b    UHLW    lo0

which maps the ipv6 address to the mac address.

Best regards,
DH.

At 02:42 AM 5/25/00 +0900, itojun@iijlab.net wrote:
> >I'll try to make it as brief as possible.
> >I have a Freebsd 4.0 connected through a v6-on-v4 tunnel to a remote
> >router. The gif0 tunnel works fine (can ping the other v6 end).
> >My local v6 address is 3ffe:8038:80:3::3, configured on the fxp1 (ethernet)
> >interface, the other end is 3ffe:8038:80:3::2 .
>
>         is the following diagram correct? if so, do not configure
>         3ffe:8038:80:3::3 onto fxp1. configure the address to gif0, not
>         fxp1.
>         you are not supposed to use 3ffe:8038:80:3::/64 on fxp1.
>
>         the other end of tunnel
>         | 3ffe:8038:80:3::2
>         |
>         | tunnel link
>         |
>         |gif0 3ffe:8038:80:3::3
>         my end of tunnel
>         |fxp1
>      ==+=== ethernet
>
> >There is no autoconfiguration so I edited /etc/rc.conf so that
> >/etc/rc.network6 adds the local address it gets from there.
> >When I originally booted the station, netstat -rn output was:
> >3ffe:8038:80:3::/64    link#2    UGSc    fxp1
> >What adds this line? could not find it in rc.network6
>
>         ifconfig to fxp1.
>
> >My second question is: what link#2 stands for?
>
>         fxp1.
>
>itojun

___________________________________________________________________
David Harmelin, Network Engineer, DANCERT Representative
DANTE, Francis House, 112 Hills Road, Cambridge CB2 1PQ, United Kingdom
Tel +44 1223 302992   Fax +44 1223 303005   WWW http://www.dante.net
___________________________________________________________________

From owner-freebsd-net Thu May 25 3:50:47 2000
To: David Harmelin
Cc: freebsd-net@freebsd.org
In-reply-to: david.harmelin's message of Thu, 25 May 2000 10:29:57 +0100.
             <4.2.2.20000525102612.00b1ea30@alpha.dante.org.uk>
Subject: Re: nd6_lookup: failed to add route for neighbor
From: itojun@iijlab.net
Date: Thu, 25 May 2000 19:50:30 +0900
Message-ID: <14033.959251830@coconut.itojun.org>

>The diagram is correct.
>If I configure 3ffe:8038:80:3::3 to gif0, how is the mapping between that
>address and fxp1 done? (there are more than one network card)

        you should have some address space assigned from the upstream,
        separately from 3ffe:8038:80:3::3. if you do not have one, then
        too bad, you cannot assign an IPv6 address to fxp1 - you are
        assigned a single IPv6 address for your tunnel, not for your
        ethernet.

        for example, suppose you have got 3ffe:8038:ffff::/48 address
        space assigned from the upstream. you have 65536 subnet
        addresses, starting from 3ffe:8038:ffff:0000::/64 to
        3ffe:8038:ffff:ffff::/64, for you to play with. you need to pick
        one for the ethernet segment which is directly connected to
        fxp1, and configure that to fxp1.

        let's pick 3ffe:8038:ffff:0000::/64 for the ethernet segment.
        now, try

        % ifconfig fxp1

        and see what is your link-local address, and what is your
        interface identifier.

>fxp1: flags=8863 mtu 1500
>        media: Ethernet manual
>        inet xx.yy.zz.uu netmask 0xffffff00 broadcast xx.yy.zz.0
>        inet6 fe80::a00:5aff:fe38:6f86%fxp1 prefixlen 64 scopeid 0x1

        the IPv6 address starting from "fe80::" is the link-local
        address for fxp1. the lowermost 64 bits (a00:5aff:fe38:6f86) are
        the interface identifier. you append the interface identifier to
        the address for the segment, and make the address for fxp1.
        that is:

        3ffe:8038:ffff:0000:a00:5aff:fe38:6f86

        you need to configure it to fxp1.
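Editorial aside on the construction itojun describes above, as an added Python example (not itojun's code): it extracts the interface identifier from the link-local address, appends it to the chosen segment /64, checks that the segment prefix is not the tunnel's own /64 (the mistake the thread started with), and recovers the MAC behind a modified EUI-64 identifier. The prefix, link-local address and tunnel address are the values quoted in the thread.

```python
import ipaddress

# Inputs taken from the thread: the /64 picked for the ethernet segment, the
# link-local address ifconfig showed on fxp1, and the tunnel address that
# must not be reused on the ethernet.
SEGMENT_PREFIX = "3ffe:8038:ffff:0000::/64"
LINK_LOCAL = "fe80::a00:5aff:fe38:6f86%fxp1"
TUNNEL_ADDRESS = "3ffe:8038:80:3::3"

IID_MASK = (1 << 64) - 1


def interface_identifier(link_local: str) -> int:
    """Low 64 bits of a link-local address: the interface identifier."""
    addr = ipaddress.IPv6Address(link_local.split("%", 1)[0])  # drop %fxp1 scope
    if not addr.is_link_local:
        raise ValueError(f"{link_local} is not a link-local (fe80::/10) address")
    return int(addr) & IID_MASK


def segment_address(prefix: str, link_local: str) -> str:
    """Append the interface identifier to the /64 chosen for the segment."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("segment prefix must be a /64 to carry a 64-bit identifier")
    full = int(net.network_address) | interface_identifier(link_local)
    return str(ipaddress.IPv6Address(full))


def mac_from_identifier(iid: int) -> str:
    """Recover the 48-bit MAC behind a modified EUI-64 identifier
    (ff:fe inserted in the middle, universal/local bit flipped)."""
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        raise ValueError("identifier is not modified EUI-64")
    mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8]
    return ":".join(f"{x:02x}" for x in mac)


def segment_is_separate_from_tunnel(prefix: str, tunnel_addr: str) -> bool:
    """itojun's rule: the tunnel's /64 must not be configured on the ethernet."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    return ipaddress.IPv6Address(tunnel_addr) not in net


def ifconfig_line(ifname: str, prefix: str, link_local: str) -> str:
    """The ifconfig(8) invocation from the message, built from the computed address."""
    return f"ifconfig {ifname} inet6 {segment_address(prefix, link_local)} prefixlen 64 alias"


if __name__ == "__main__":
    iid = interface_identifier(LINK_LOCAL)
    print("interface identifier:", hex(iid))
    print("MAC behind it:       ", mac_from_identifier(iid))
    print("segment ok:          ", segment_is_separate_from_tunnel(SEGMENT_PREFIX, TUNNEL_ADDRESS))
    print(ifconfig_line("fxp1", SEGMENT_PREFIX, LINK_LOCAL))
```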
        # ifconfig fxp1 inet6 3ffe:8038:ffff:0000:a00:5aff:fe38:6f86 \
                prefixlen 64 alias

        (I'm not sure how to configure it in the freebsd /etc/rc.conf
        framework)

>I tried it, but the following routing entry is not there anymore:
>3ffe:8038:80:3::3    0:d0:b7:20:8a:7b    UHLW    lo0
>which maps the ipv6 address to the mac address.

        you don't need it.

itojun

From owner-freebsd-net Thu May 25 8:20:41 2000
From: Brian Hechinger
Message-Id: <200005251526.LAA59553@entropy.tmok.com>
Subject: question about natd/ipfw
To: freebsd-net@freebsd.org, freebsd-ipfw@freebsd.org
Date: Thu, 25 May 2000 11:26:25 -0400 (EDT)
Reply-To: wonko@entropy.tmok.com

NOTE: sorry for the cross-post, tell me which list is more appropriate and
i'll drop the other one.

a freebsd user has been helping me with this, but this is out of his realm
of experience.

i am setting up a NAT box/router for my Covad/DCA Net DSL link. i will have
two sets of outside IP addresses, a single IP address that will be bound to
my outside interface which comes from covad, and a /29 block from DCA Net.
the /29 will be routed through the outside interface into the NAT box, and
from there i want to be able to use them as an "outside NAT pool".
externally they will just look like an average domain, but i will be able
to redirect them as i please internally.

so, my question is: what do i do with the /29? do i create aliases on my
outside interface for them all? do i create aliases on my inside interface
for them all? do i bind them to lo0? attaching them to the outside interface
seems wrong to me, as well as attaching them to the inside interface, since
they should be listened to on either interface, hence my thought to bind
them to the loopback device since i view these things as being "virtual".

ipfw: using NAT and firewall_type="open" NAT blocks all non-redirected
traffic?

thanks,

-brian

From owner-freebsd-net Thu May 25 11:14:15 2000
Date: Thu, 25 May 2000 12:14:03 -0600 (MDT)
From: Nick Rogness
To: wonko@entropy.tmok.com
Cc: freebsd-net@freebsd.org, freebsd-ipfw@freebsd.org
Subject: Re: question about natd/ipfw
In-Reply-To: <200005251526.LAA59553@entropy.tmok.com>

On Thu, 25 May 2000, Brian Hechinger wrote:

> i will have two sets of outside IP addresses, a single IP address that will be
> bound to my outside interface which comes from covad, and a /29 block from
> DCA Net.
> the /29 will be routed through the outside interface into the NAT
> box, and from there i want to be able to use them as an "outside NAT pool"
> externally they will just look like an average domain, but that i will be able
> to redirect as i please internally.

        They just statically routed a /29 subnet to your outside IP.
        Nothing unusual about that. Just set natd to handle them. It is
        not very hard to implement...see below.

>
> so, my question is: what do i do with the /29? do i create aliases on my
> outside interface for them all? do i create aliases on my inside interface
> for them all? do i bind them to lo0? attaching them to the outside interface

        NO. do not bind them to your interfaces. NATd will take care of
        all of that for you. For example, if your net looked like this:

                     A                                  B
        DSL --> (Outside ethernet interface)==FreeBSD==(Inside interface)

        At point A, setup your interface as the single outside IP that
        was given to you. At point B, you do nothing, keep your inside
        IP's the way they are.

        In ipfw rules:

        ipfw add 150 divert natd ip from any to any (outside_interface)

        In your nat setup (/etc/natd.conf):

        interface outside_interface
        port 8668
        redirect_address inside_ip_A outside_IP_from_/29
        redirect_address inside_ip_B outside_IP_from_/29
        redirect_address inside_ip_C outside_IP_from_/29
        redirect_address inside_ip_D outside_IP_from_/29
        redirect_address inside_ip_E outside_IP_from_/29
        redirect_address inside_ip_F outside_IP_from_/29

        Start natd:

        /sbin/natd -f /etc/natd.conf

        This setup will allow you to shift which outside IP goes to which
        internal IP. You can use redirect_port if you wish for more
        security.

> seems wrong to me as well as attaching them to the inside interface since
> they should be listened to on either interface, hence my thought to bind them
> to the loopback device since i view these things as being "virtual"
>

        NO. Do no binding. It will not work.

> ipfw: using NAT and firewall_type="open" NAT blocks all non-redirected
> traffic?
        That is because you must add the natd ipfw rule from above and
        setup nat to handle them.

Nick Rogness
- Speak softly and carry a Gigabit switch.

From owner-freebsd-net Thu May 25 15:19:39 2000
Message-Id: <200005252118.XAA09041@marao.utad.pt>
Date: Thu, 25 May 2000 23:19:53 +0100
To: freebsd-net@FreeBSD.org
From: "Jorge Sa' Silva"
Subject: help

Hi

I am new to FreeBSD and I would appreciate you sharing your expertise.

I have installed FreeBSD 4.0. How can I use the IPv6 functionalities - for
example ping6 between 2 IPv6 Ethernet machines? Is it necessary to modify
any configuration file or to use ifconfig? How?

Is it possible to run and debug the FreeBSD kernel source on the same
machine, without the need of a null modem between 2 machines?
Thanks in advance

Jorge

From owner-freebsd-net Thu May 25 16:27:22 2000
Message-Id: <200005252327.QAA04350@ha1mil.EBay.Sun.COM>
Date: Thu, 25 May 2000 16:27:15 -0700 (PDT)
From: Dean Brundage
Reply-To: Dean Brundage
Subject: ipfilter and bridge
To: freebsd-net@freebsd.org

All,

Is anyone working on incorporating ipf support into a BRIDGE configuration?
Please include me in replies.

Regards,
--Dean

Unscrambler of eggs.
IT Ops aka ITPS aka SunIT aka SunIR aka ENS aka Desktop Support
--------------------------------------------------------------------------------
Some men like the fishing, and some men like the fowling.
Some men like to hear the cannon balls roaring.
Me, I like sleeping, especially in my Adie's chamber.
  -- Old Irish folk song

From owner-freebsd-net Thu May 25 20:49:14 2000
Message-Id: <200005260349.XAA01157@h0000f806dfda.ne.mediaone.net>
To: freebsd-net@freebsd.org
Subject: kernel panic in in_delayed_cksum()
Reply-To: "David A. Panariti"
Date: Thu, 25 May 2000 23:49:09 -0400
From: "David A. Panariti"

I sent this to freebsd-stable but have gotten no solutions, so I'll post it
here, too.

I believe I have found a bug in netinet.

After a cvsup and make world/kernel + mergemaster, I started getting the
following panics:

delayed m_pullup, m->len: 40 off: 23040 p: 6

Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x8
fault code              = supervisor read, page not present
instruction pointer     = 0x8:0xc01b10a8
stack pointer           = 0x10:0xcd069ae4
frame pointer           = 0x10:0xcd069b10
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 5740 (itnd)
interrupt mask          =
trap number             = 12
panic: page fault

syncing disks... done
Uptime: 10h22m23s

I cannot remember exactly when I cvsup'd. It was either May 17 or May 20.
(Any easy way to tell?)

UPDATE: Thanks to Trond Endrest, I know it was cvsup'd on May 20, 16:05 EDT.

Unfortunately, I can only reproduce the panics using an old version of the
AltaVista tunnel. The tunnel worked perfectly with up to 4-RELEASE. I only
have the binary of the tunnel code and it was compiled for FreeBSD 2.2. The
fact that it ran perfectly up to 4R is a testament to backward
compatibility!

Anyway, after some investigation, it looks like the m_pullup() is failing
inside in_delayed_cksum(). The mbuf is then NULL and we panic when we set
the csum. It looks like m_pullup() is failing since offset is very big.
Some prints I added yield this:

(IP_VHL_HL(ip->ip_vhl) << 2): 0, csum_data: 23040
off too big, skipping csum

(I added code to return w/o setting the csum if I see a bogus offset and I
no longer panic, and the ftp which was failing now works better, but now
can panic elsewhere)

Further investigation shows csum_data being mangled here in ip_output():

        ip = mtod(m, struct ip *);
        /*
         * Fill in IP header.
         */
        if ((flags & (IP_FORWARDING|IP_RAWOUTPUT)) == 0) {
                ip->ip_vhl = IP_MAKE_VHL(IPVERSION, hlen >> 2);
                ip->ip_off &= IP_DF;
>>>>>>>>>>>     ip->ip_id = htons(ip_id++);
                ipstat.ips_localout++;
        } else {
                hlen = IP_VHL_HL(ip->ip_vhl) << 2;
                dp_ck_csum_data(m, "a-7.1");    /* davep */
        }

More prints show:

off too big @ a-7.3, off: 0x14, csum_data: 0x5a00
ip: 0xc0a91920, m: 0xc0a91900, &csum_data: 0xc0a91924

Where:
  ip is the ip header inside the mbuf
  m is the mbuf pointer
  &csum_data = &m->m_pkthdr.csum_data

csum_data is inside the IP header! And, coincidentally (NOT), ip_id is 4
bytes inside the struct ip, thus overlaying csum_data.

So it looks like the m_data is pointing at M_databuf which should imply (as
the comment states)

        /* !M_PKTHDR, !M_EXT */

And yet the code is using fields from

        struct pkthdr MH_pkthdr;        /* M_PKTHDR set */

This is where I leave it for those more familiar with the code to pursue.
Hopefully someone who knows the code can use this info to find and fix the
bug quickly.
It's taken me ~6 hrs just to find out this much.

thanks,
davep

--
David Panariti                     / I can't complain,
davep@who.net                      / but sometimes I still do.
(see also http://www.four11.com)   /            -- Joe Walsh

From owner-freebsd-net Thu May 25 23:12:08 2000
From: Luigi Rizzo
Message-Id: <200005260612.IAA36705@info.iet.unipi.it>
Subject: Re: ipfilter and bridge
In-Reply-To: <200005252327.QAA04350@ha1mil.EBay.Sun.COM> from Dean Brundage at "May 25, 2000 04:27:15 pm"
To: Dean Brundage
Date: Fri, 26 May 2000 08:12:14 +0200 (CEST)
Cc: freebsd-net@FreeBSD.ORG

> All,
> Is anyone working on incorporating ipf support into a BRIDGE
> configuration? Please include me in replies.

not that i know. however, ipfw now does most things you might want
(including stateful inspection) so maybe it already suits your needs.
Performance-wise the two are equivalent.

cheers
luigi

-----------------------------------+-------------------------------------
Luigi RIZZO, luigi@iet.unipi.it  . Dip. di Ing. dell'Informazione
http://www.iet.unipi.it/~luigi/  . Universita` di Pisa
TEL/FAX: +39-050-568.533/522     .
 via Diotisalvi 2, 56126 PISA (Italy)
 Mobile +39-347-0373137
-----------------------------------+-------------------------------------

From owner-freebsd-net Fri May 26 2:50:27 2000
Delivered-To: freebsd-net@freebsd.org
Received: from marao.utad.pt (marao.utad.pt [193.136.40.3]) by hub.freebsd.org (Postfix) with ESMTP id 57A0B37B751 for ; Fri, 26 May 2000 02:50:23 -0700 (PDT) (envelope-from jsilva@utad.pt)
Received: from apache (pceii041.utad.pt [193.137.96.76]) by marao.utad.pt (8.9.3/8.9.3) with SMTP id KAA09332 for ; Fri, 26 May 2000 10:48:55 +0200 (MET DST)
Message-Id: <200005260848.KAA09332@marao.utad.pt>
X-Sender: sasilva@gcom.utad.pt
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0
Date: Fri, 26 May 2000 10:50:41 +0100
To: freebsd-net@FreeBSD.org
From: "Jorge Sa' Silva"
Subject: help
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi

I am new to FreeBSD and I would appreciate you sharing your expertise.

I have installed FreeBSD 4.0. How can I use the IPv6 functionality, for
example ping6 between two IPv6 Ethernet machines? Is it necessary to modify
any configuration file or to use ifconfig? How?

Is it possible to run and debug the FreeBSD kernel source on the same
machine, without the need of a null modem between two machines?

Can I use the route command for the IPv6 address translation tables, like
arp in IPv4?
Thanks in advance,
Jorge

From owner-freebsd-net Fri May 26 6: 0: 7 2000
Delivered-To: freebsd-net@freebsd.org
Received: from ns.unet.ru (ns.unet.ru [195.9.254.3]) by hub.freebsd.org (Postfix) with ESMTP id 90DA837B57C for ; Fri, 26 May 2000 05:59:59 -0700 (PDT) (envelope-from vick@unet.ru)
Received: from unet.ru (localhost [127.0.0.1]) by ns.unet.ru (8.9.3/Unet) with ESMTP id QAA82027 for ; Fri, 26 May 2000 16:59:56 +0400 (MSD) (envelope-from vick@unet.ru)
Message-ID: <392E754B.BCF8AC96@unet.ru>
Date: Fri, 26 May 2000 16:59:56 +0400
From: Victor Ponomarev
Organization: LPI
X-Mailer: Mozilla 4.61 [en] (X11; I; FreeBSD 3.4-STABLE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Net
Subject: VLAN improvement needed...
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi All!

Now VLAN support in -stable is bad. Suppose you would like to really route
between two VLANs using a FreeBSD box as a router.

    host---vlan port---trunk port---vlan port---host
                           |
                           |
                         router

Usually in that config the router port is configured as a trunk also; this
means that it can receive large packets. When a host sends a packet of
about 1514 bytes, the switch trunk port adds 4 bytes and the router trunk
port substitutes the VLAN tag with another and sends it back to the switch.
The latter removes the VLAN header and sends the packet to the appropriate
VLAN ports. Currently the FreeBSD router simply drops the large packet on
its interface. That's very bad...

Second, the standard Ethernet MTU size is 1500; now we have a vlan
interface with MTU 1496, so a large packet will be fragmented in the BSD
router into a large and a small packet. It's also bad because it's
a) stupid resource-consuming work for a router in that Ethernet
environment, b) small packets have large overhead and at last c) we should
transmit two packets to the medium instead of one...
The existing solution to these problems for Intel cards may be found at
http://www.euitt.upm.es/~pjlobo/

But there's another problem with small IP packets. When the BSD router
strips the Ethernet header for a payload < 46 it strips the padding bytes
also. But when it reinserts the data with another VLAN header it doesn't
add padding bytes and we have runt packets on the interface...

Sorry but I'm not a kernel programming expert so I can't change these
things myself :(

Bye, Vick.

From owner-freebsd-net Sat May 27 13: 8:15 2000
Delivered-To: freebsd-net@freebsd.org
Received: from vitaly.vangyzen.net (vitaly.vangyzen.net [205.245.185.194]) by hub.freebsd.org (Postfix) with ESMTP id 2D7AB37B62D; Sat, 27 May 2000 13:08:10 -0700 (PDT) (envelope-from vangyzen@hiro.vangyzen.net)
Received: from hiro.vangyzen.net (pm-iog1s.greenvillenc.com [208.25.244.170]) by vitaly.vangyzen.net (8.9.3/8.9.3) with ESMTP id PAA18141; Sat, 27 May 2000 15:06:23 -0500 (EST)
Received: (from vangyzen@localhost) by hiro.vangyzen.net (8.9.3/8.9.3) id QAA58763; Sat, 27 May 2000 16:08:20 -0400 (EDT) (envelope-from vangyzen)
Date: Sat, 27 May 2000 16:08:20 -0400
From: "Eric S. Van Gyzen"
To: freebsd-net@freebsd.org, freebsd-questions@freebsd.org
Subject: How do I close a hung connection?
Message-ID: <20000527160820.A58752@hiro.vangyzen.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2i
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

There is a tcp4 connection to my machine hung in the CLOSING state,
according to 'netstat'. It has been that way for several days, maybe a
week. Is there a manual way that I can finish closing the connection?

Thanks,
-- 
Eric S. Van Gyzen        Acts get axed, but
eric@vangyzen.net        ACKs don't get ACKed.
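The following is an added example, placed after the last message of this digest; it is not code from the thread or from FreeBSD. It reconstructs the mbuf overlap davep worked out earlier in the digest (in_delayed_cksum() panicking after m_pullup() fails): his pointers put the IP header at m+0x20 and &m->m_pkthdr.csum_data at m+0x24, so ip_output()'s `ip->ip_id = htons(ip_id++)` lands on csum_data. The struct definitions are a simplified reconstruction of the FreeBSD 4.x layout with 32-bit kernel pointers modelled as uint32_t (an assumption, not a copy of sys/mbuf.h), the starting csum_data value of 16 is a constructed sample, and delayed_cksum_offset_ok() is this example's own version of the kind of guard davep describes adding before the m_pullup().

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not code from this thread or from FreeBSD. Kernel pointers
 * are uint32_t so offsets match a 32-bit i386 kernel; the field order is a
 * simplified reconstruction of the 4.x headers (assumption, not sys/mbuf.h).
 */
typedef uint32_t kptr_t;

struct m_hdr {                   /* 20 bytes */
    kptr_t  m_next;
    kptr_t  m_nextpkt;
    kptr_t  m_data;
    int32_t m_len;
    int16_t m_type;
    int16_t m_flags;
};

struct pkthdr {                  /* 24 bytes; csum_* fields are new in 4.x */
    kptr_t  rcvif;
    int32_t len;
    kptr_t  header;
    int32_t csum_flags;
    int32_t csum_data;
    kptr_t  aux;
};

#define MSIZE 128
struct mbuf {
    struct m_hdr m_hdr;
    union {
        struct {
            struct pkthdr MH_pkthdr;                         /* M_PKTHDR set */
            char MH_databuf[MSIZE - sizeof(struct m_hdr) - sizeof(struct pkthdr)];
        } MH;
        char M_databuf[MSIZE - sizeof(struct m_hdr)];        /* !M_PKTHDR, !M_EXT */
    } M_dat;
};

#define IP_ID_OFFSET 4u            /* offsetof(struct ip, ip_id) in the IPv4 header */
#define OBSERVED_IP_OFFSET 0x20u   /* davep's print: ip = m + 0x20 */

size_t csum_data_offset(void)
{
    return offsetof(struct mbuf, M_dat.MH.MH_pkthdr.csum_data);
}

/* 1 if an IP header placed at m + ip_off has its ip_id on top of csum_data. */
int ip_id_aliases_csum_data(size_t ip_off)
{
    return ip_off + IP_ID_OFFSET == csum_data_offset();
}

static void put_le32(unsigned char *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = v >> 24;
}

static uint32_t get_le32(const unsigned char *p)
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/*
 * Replay ip_output()'s `ip->ip_id = htons(ip_id++)` with the IP header at
 * m + ip_off and return csum_data as the little-endian i386 kernel then reads
 * it. csum_data starts at 16 (constructed sample: a TCP checksum offset).
 */
uint32_t csum_data_after_ip_id_stamp(size_t ip_off, uint16_t ip_id)
{
    struct mbuf m;
    unsigned char *raw = (unsigned char *)&m;
    size_t id_at = ip_off + IP_ID_OFFSET;

    memset(&m, 0, sizeof m);
    put_le32(raw + csum_data_offset(), 16);
    raw[id_at]     = (unsigned char)(ip_id >> 8);    /* network byte order */
    raw[id_at + 1] = (unsigned char)(ip_id & 0xff);
    return get_le32(raw + csum_data_offset());
}

/*
 * This example's guard, of the kind davep describes adding ahead of
 * m_pullup() in in_delayed_cksum(): reject a checksum offset that cannot lie
 * inside the packet instead of dereferencing the NULL mbuf m_pullup() returns.
 * hlen is the IP header length in bytes; pkt_len is m->m_pkthdr.len.
 */
int delayed_cksum_offset_ok(uint32_t pkt_len, uint32_t hlen, uint32_t csum_data)
{
    if (csum_data > pkt_len || hlen > pkt_len)
        return 0;                               /* also rules out wraparound */
    return hlen + csum_data + sizeof(uint16_t) <= pkt_len;
}

int main(void)
{
    printf("csum_data at m+0x%zx; ip at m+0x%x aliases it: %d\n",
           csum_data_offset(), OBSERVED_IP_OFFSET,
           ip_id_aliases_csum_data(OBSERVED_IP_OFFSET));
    printf("csum_data after stamping ip_id=90: 0x%x\n",
           csum_data_after_ip_id_stamp(OBSERVED_IP_OFFSET, 90));
    return 0;
}
```

With the header at the observed offset and an ip_id of 90, csum_data reads back as 0x5a00 (23040), the exact value in davep's first print; with the header where a packet-header mbuf's data belongs (MH_databuf), csum_data is untouched. The guard then refuses the bogus offset, which is the difference between a clean drop and a NULL dereference in the checksum path.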