From owner-freebsd-net Sun Sep 16 11:43:08 2001
Delivered-To: freebsd-net@freebsd.org
Received: from fepE.post.tele.dk (fepE.post.tele.dk [195.41.46.137]) by hub.freebsd.org (Postfix) with ESMTP id DAEEB37B401 for ; Sun, 16 Sep 2001 11:43:05 -0700 (PDT)
Received: from arnold.neland.dk ([62.243.124.200]) by fepE.post.tele.dk (InterMail vM.4.01.03.21 201-229-121-121-20010307) with ESMTP id <20010916184304.HYXO13589.fepE.post.tele.dk@arnold.neland.dk> for ; Sun, 16 Sep 2001 20:43:04 +0200
Received: from gina ([192.168.5.109]) by arnold.neland.dk (8.11.5/8.11.5) with SMTP id f8GIjY574698 for ; Sun, 16 Sep 2001 20:45:35 +0200 (CEST) (envelope-from leifn@neland.dk)
Message-ID: <039101c13edf$4ef51c00$6d05a8c0@neland.dk>
From: "Leif Neland"
To:
Subject: Davicom DM9102: Cheap, fast or reliable?
Date: Sun, 16 Sep 2001 20:42:15 +0200
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

My local discount-PC dealer used to use Realtek 8139s as a low-cost, no-name NIC. The Realteks apparently have a bad reputation.

Now he carries a CNet 10/100 with a Davicom DM9102 chip on it. It is the same price, around $20, as the Realteks. I have only tried it at 10Mb.

Is Davicom better or worse than the Realteks? So far, the only difference is that Davicom has better documentation and is open-source friendly, it appears. They are even listed at www.freebsd.org/commercial/hardware.html. (That at least seems to be a good reason to support Davicom...)

Leif
---
http://members.ud.com/services/teams/team.htm?id=C47FB770-0A0A-452B-8851-874646C2B375

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message

From owner-freebsd-net Tue Sep 18 00:58:58 2001
Message-ID: <001501c14017$9c2e73c0$0a00a8c0@neoprene>
From: "Matthew Luckie"
To:
Subject: arp X moved from Y to Z messages
Date: Tue, 18 Sep 2001 19:57:43 +1200

Hi there

At work there are several FreeBSD machines that route packets through a "load balanced" or "redundant" router configuration. The gateway's IP address actually refers to two different machines. Naturally the gateway is used quite a bit, and the syslog fills up with "arp X moved from Y to Z on fxp0" messages.

I'm guessing that not many people would have this problem. Below is a patch that I have found useful for these machines. I'm aware that there are security considerations with this patch; by default the sysctl is not activated.

I'm not subscribed to the list, CC me on any responses please.

Matthew

--- if_ether.c.orig Tue Sep 18 13:56:16 2001 +++ if_ether.c Tue Sep 18 14:27:46 2001 @@ -502,6 +502,12 @@ &log_arp_wrong_iface, 0, "log arp packets arriving on the wrong interface"); +static int log_arp_moved = 1; + +SYSCTL_INT(_net_link_ether_inet, OID_AUTO, log_arp_moved, CTLFLAG_RW, + &log_arp_moved, 0, + "log arp moved"); + static void in_arpinput(m) struct mbuf *m;
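Review bot: the default contradicts the cover note. `+static int log_arp_moved = 1;` leaves the message enabled, while the text above says the sysctl is not activated by default; either initialise it to 0 or reword the note. The SYSCTL description should also name the message it gates: "log arp moved" says far less than the neighbouring "log arp packets arriving on the wrong interface", and since setting it to 0 silences the only kernel record of a gateway's MAC changing, the description (or a comment) should say so, so that an operator who turns it off knows to keep that record elsewhere.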
@@ -586,12 +592,13 @@ } if (sdl->sdl_alen && bcmp((caddr_t)ea->arp_sha, LLADDR(sdl), sdl->sdl_alen)) { - if (rt->rt_expire) + if (rt->rt_expire) { + if(log_arp_moved) log(LOG_INFO, "arp: %s moved from %6D to %6D on %s%d\n", inet_ntoa(isaddr), (u_char *)LLADDR(sdl), ":", ea->arp_sha, ":", ac->ac_if.if_name, ac->ac_if.if_unit); - else { + } else { log(LOG_ERR, "arp: %6D attempts to modify permanent entry for %s on %s%d\n", ea->arp_sha, ":", inet_ntoa(isaddr),

From owner-freebsd-net Tue Sep 18 01:05:20 2001
Date: Tue, 18 Sep 2001 12:05:05 +0400 (MSD)
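Review bot: in the second hunk, when log_arp_moved is 0 the entry is still rewritten below with no record at all, so a MAC change caused by a third station on the segment looks identical to the legitimate flap between the two routers; a rate limit (one message per address per interval, carrying a repeat count) would quiet the redundant-gateway case without dropping that signal, which is the security consideration the cover note mentions. Style: `if(log_arp_moved)` wants a space after `if`, and the continuation lines of the log() call should be re-indented now that it sits one level deeper inside the new braces.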
From: Maxim Konovalov
To: Matthew Luckie
Cc:
Subject: Re: arp X moved from Y to Z messages
In-Reply-To: <001501c14017$9c2e73c0$0a00a8c0@neoprene>
Message-ID:

Hello,

On Tue, 18 Sep 2001, Matthew Luckie wrote:

> Hi there
>
> At work there are several freebsd machines that route packets through a
> "load balanced" or "redundant" router configuration.
> The gateway's IP address actually refers to two different machines.
> Naturally the gateway is used quite a bit, and the syslog fills up with "arp
> X moved from Y to Z on fxp0" messages.
>
> I'm guessing that not many people would have this problem.
> Below is a patch that I have found useful for these machines.
> I'm aware that there are security considerations with this patch; by default
> the sysctl is not activated.

There *is* a sysctl for it:

$ sysctl net.link.ether.inet.log_arp_wrong_iface=0

> I'm not subscribed to the list, CC me on any responses please.
>
> Matthew

--
Maxim Konovalov, MAcomnet, Internet-Intranet Dept., system engineer
phone: +7 (095) 796-9079, mailto: maxim@macomnet.ru

From owner-freebsd-net Tue Sep 18 01:11:05 2001
Date: Tue, 18 Sep 2001 12:10:52 +0400 (MSD)
From: Maxim Konovalov
To: Matthew Luckie
Cc:
Subject: Re: arp X moved from Y to Z messages
In-Reply-To:
Message-ID:

Oh, I am sorry, I was wrong, net.link.ether.inet.log_arp_wrong_iface is for another problem.

--
Maxim Konovalov, MAcomnet, Internet-Intranet Dept., system engineer
phone: +7 (095) 796-9079, mailto: maxim@macomnet.ru

From owner-freebsd-net Tue Sep 18 06:56:02 2001
From: "Peter Brezny"
To:
Subject: simple static NAT question
Date: Tue, 18 Sep 2001 09:54:35 -0400
Message-ID:

If you have multiple private IPs pointing to the same public IP, will traffic originating from each individual IP going out find its way back to the original internal IP on its way back in?

The man page states that inbound traffic will be handed to the last private IP in the list, but it wasn't clear as to whether this was referring only to traffic that originates on the public internet, or if it's for all traffic coming in from the public.

Here's the snip from the natd man page:

    If several address aliases specify the same public address as follows

        redirect_address 192.168.0.2 public_addr
        redirect_address 192.168.0.3 public_addr
        redirect_address 192.168.0.4 public_addr

    the incoming traffic will be directed to the last translated local
    address (192.168.0.4), but outgoing traffic from the first two addresses
    will still be aliased to appear from the specified public_addr.

Thanks in advance.
Peter Brezny
Skyrunner.net

From owner-freebsd-net Tue Sep 18 07:02:48 2001
Message-Id: <200109181402.f8IE2ZR63870@hak.lan.Awfulhak.org>
To: "Peter Brezny"
Cc: freebsd-net@FreeBSD.ORG, brian@freebsd-services.com
Subject: Re: simple static NAT question
In-Reply-To: Message from "Peter Brezny" of "Tue, 18 Sep 2001 09:54:35 EDT."
Date: Tue, 18 Sep 2001 15:02:35 +0100
From: Brian Somers

> If you have multiple private ip's pointing to the same public ip will
> traffic originating from each individual ip going out find it's way back to
> the original internal ip on its way back in?

Yes.

--
Brian
http://www.freebsd-services.com/
Don't _EVER_ lose your sense of humour !

From owner-freebsd-net Tue Sep 18 07:57:16 2001
Date: Tue, 18 Sep 2001 10:56:55 -0400 (EDT)
From: Garrett Wollman
Message-Id: <200109181456.f8IEutZ50461@khavrinen.lcs.mit.edu>
To: "Matthew Luckie"
Cc:
Subject: arp X moved from Y to Z messages
In-Reply-To: <001501c14017$9c2e73c0$0a00a8c0@neoprene>
References: <001501c14017$9c2e73c0$0a00a8c0@neoprene>

< said:

> The gateway's IP address actually refers to two different machines.
> Naturally the gateway is used quite a bit, and the syslog fills up with "arp
> X moved from Y to Z on fxp0" messages.

That's really not the right way to do it, and probably doesn't balance the load as well as you might think it would. The right way to do it is to advertise a single *multicast* MAC address, allocated out of the local MAC space (i.e., first two bits 11), and have both routers join the group; then both will get all the packets and can decide which ones to forward. This gives you automatic fail-over trivially.

-GAWollman

From owner-freebsd-net Tue Sep 18 16:44:35 2001
Date: Tue, 18 Sep 2001 18:45:18 -0500 (CDT)
From: Mike Saunders
To: freebsd-net@freebsd.org
Subject: kernel arp messages
Message-ID:

Hello!

I'm hoping somebody can help me with this problem. I'm about at my wit's end. The problem is that I'm receiving the following messages constantly, at the console, in the syslog, and to root's terminal.

Sep 18 15:01:54 router /kernel: arp: 209.74.92.1 is on xl0 but got reply from 00:00:a2:66:83:41 on ep0
Sep 18 15:01:54 router last message repeated 4 times
Sep 18 15:01:54 router /kernel: arp: 209.74.87.1 is on lo0 but got reply from 00:60:08:35:57:4e on xl0
Sep 18 15:01:55 router last message repeated 2 times
Sep 18 15:01:55 router /kernel: arp: 209.74.87.193 is on ep0 but got reply from 00:50:da:c7:e7:68 on xl0
Sep 18 15:01:55 router /kernel: arp: 209.74.87.1 is on lo0 but got reply from 00:60:08:35:57:4e on xl0

I'm running a 3.4-RELEASE i386 machine with two network cards. The machine acts as a router between my LAN and my provider's network. ep0 is the NIC connected to my LAN and xl0 is my provider's network.

Here's my network configuration:

bash# ifconfig ep0
ep0: flags=8843 mtu 1500
        inet 209.74.87.1 netmask 0xffffff00 broadcast 209.74.87.255
        ether 00:60:08:35:57:4e
bash# ifconfig xl0
xl0: flags=8843 mtu 1500
        inet 209.74.92.209 netmask 0xffffff00 broadcast 209.74.92.255
        ether 00:50:da:c7:e3:1a
        media: 10baseT/UTP

My /etc/rc.conf looks like this:

ifconfig_xl0="inet 209.74.92.209 netmask 255.255.255.0"
ifconfig_ep0="inet 209.74.87.1 netmask 255.255.255.0"
hostname="router.cland-minot.com"
gateway_enable="YES"
defaultrouter="209.74.92.1"

I tried to enable arpproxy_all="YES" in /etc/rc.conf, but that's not helping, I still got spammed by all the arp messages.
With the new IIS exploit causing such increased traffic flow, the arp messages are making the console useless by filling the screen as well as lagging the system horribly by churning the disk so much (it's only a Pentium 60). I can't even log into the machine via ssh. The only way to get a shell on it is to pull the network lines and use the console.

So, in short, besides redirecting console and syslog to /dev/null, what can I do to make these arp messages go away?

Thanks!

-Mike Saunders
method@method.cx

Network Administrator - cland-minot.com
msaunders@cland-minot.com

From owner-freebsd-net Tue Sep 18 17:01:15 2001
From: "Anuranjan"
To: "'Mike Saunders'",
Subject: RE: kernel arp messages
Date: Tue, 18 Sep 2001 17:01:34 -0700
Message-ID: <001501c1409e$3f5acbd0$f64545d8@ntt27f48otgmw8>
In-Reply-To:

I recently came across the same problem myself. You're facing it because of the same subnet mask on your cards. In FreeBSD, if you configure two cards on the same subnet the kernel gets confused as to which card is the gateway to the router. The kernel seems to make this decision based on the fact that if you want to configure two cards on the same machine you want to use it as a gateway between two different networks/subnets.

--A
From owner-freebsd-net Tue Sep 18 17:07:32 2001
Message-ID: <10F29E27A956D511B0940050DA8D86A908F8F9@chat.dagupan.com>
From: francisv@dagupan.com
To: anu@nttmcl.com, method@method.cx, freebsd-net@FreeBSD.ORG
Subject: RE: kernel arp messages
Date: Wed, 19 Sep 2001 08:08:01 +0800

Is it possible to specify a gateway for each NIC on the next release of FreeBSD?
From owner-freebsd-net Tue Sep 18 17:21:42 2001
From: "Anuranjan"
To:
Subject: RE: kernel arp messages
Date: Tue, 18 Sep 2001 17:22:04 -0700
Message-ID: <001701c140a1$1c931c80$f64545d8@ntt27f48otgmw8>
In-Reply-To: <10F29E27A956D511B0940050DA8D86A908F8F9@chat.dagupan.com>

I don't know, but am quite interested in knowing about that. Couldn't do that in my case with version 4.3.

-----Original Message-----
From: francisv@dagupan.com [mailto:francisv@dagupan.com]
Sent: Tuesday, September 18, 2001 5:08 PM
To: anu@nttmcl.com; method@method.cx; freebsd-net@FreeBSD.ORG
Subject: RE: kernel arp messages

Is it possible to specify a gateway for each NIC on the next release of FreeBSD?
> From: owner-freebsd-net@FreeBSD.ORG > [mailto:owner-freebsd-net@FreeBSD.ORG]On Behalf Of Mike Saunders > Sent: Tuesday, September 18, 2001 4:45 PM > To: freebsd-net@FreeBSD.ORG > Subject: kernel arp messages > > > Hello! > I'm hoping somebody can help me with this problem. I'm about at my > wit's end. The problem is that i'm receiving the following messages > constantly, at the console, in the syslog, and to root's terminal. > > Sep 18 15:01:54 router /kernel: arp: 209.74.92.1 is on xl0 but got reply > from 00 > :00:a2:66:83:41 on ep0 > Sep 18 15:01:54 router last message repeated 4 times > Sep 18 15:01:54 router /kernel: arp: 209.74.87.1 is on lo0 but got reply > from 00 > :60:08:35:57:4e on xl0 > Sep 18 15:01:55 router last message repeated 2 times > Sep 18 15:01:55 router /kernel: arp: 209.74.87.193 is on ep0 but got reply > from > 00:50:da:c7:e7:68 on xl0 > Sep 18 15:01:55 router /kernel: arp: 209.74.87.1 is on lo0 but got reply > from 00 > :60:08:35:57:4e on xl0 > > I'm running a 3.4-RELEASE i386 machine with two network cards. The > machine acts as a router between my LAN and my provider's network. ep0 is > the NIC connected to my LAN and xl0 is my provider's network. > > > Here's my network configuration: > > bash# ifconfig ep0 > ep0: flags=8843 mtu 1500 > inet 209.74.87.1 netmask 0xffffff00 broadcast 209.74.87.255 > ether 00:60:08:35:57:4e > bash# ifconfig xl0 > xl0: flags=8843 mtu 1500 > inet 209.74.92.209 netmask 0xffffff00 broadcast 209.74.92.255 > ether 00:50:da:c7:e3:1a > media: 10baseT/UTP > > my /etc/rc.conf looks like this: > > ifconfig_xl0="inet 209.74.92.209 netmask 255.255.255.0" > ifconfig_ep0="inet 209.74.87.1 netmask 255.255.255.0" > hostname="router.cland-minot.com" > gateway_enable="YES" > defaultrouter="209.74.92.1" > > I tried to enable arpproxy_all="YES" in /etc/rc.conf, but that's > not helping, I still got spammed by all the arp messages. 
> With the new
> IIS exploit causing such increased traffic flow, the arp messages are
> making console useless by filling the screen as well as lagging the system
> horribly by churning the disk so much (It's only a pentium 60). I can't
> even log into the machine via ssh. The only way to get a shell on it is
> to pull the network lines and use the console.
>
> So, in short, besides redirecting console and syslog to /dev/null,
> what can I do to make these arp messages go away?
>
> Thanks!
>
> -Mike Saunders
> method@method.cx
>
> Network Administrator - cland-minot.com
> msaunders@cland-minot.com

From owner-freebsd-net Tue Sep 18 17:26:17 2001
Delivered-To: freebsd-net@freebsd.org
Received: from boreas.isi.edu (boreas.isi.edu [128.9.160.161]) by hub.freebsd.org (Postfix) with ESMTP id 88AEA37B406 for ; Tue, 18 Sep 2001 17:26:12 -0700 (PDT)
Received: from hbo (hbo.isi.edu [128.9.160.75]) by boreas.isi.edu (8.11.6/8.11.2) with SMTP id f8J0QAC24780; Tue, 18 Sep 2001 17:26:10 -0700 (PDT)
From: "Lars Eggert"
To: "Mike Saunders" ,
Subject: RE: kernel arp messages
Date: Tue, 18 Sep 2001 17:26:10 -0800

> I'm running a 3.4-RELEASE i386 machine with two network cards. The
> machine acts as a router between my LAN and my provider's network. ep0 is
> the NIC connected to my LAN and xl0 is my provider's network.

These ARP messages usually occur when people think they must hook two NICs
up to the same LAN. But your description sounds like they go out onto two
separate networks? Or do I misunderstand? Could you draw a picture maybe?
Thanks,
Lars
--
Lars Eggert                     Information Sciences Institute
http://www.isi.edu/larse/       University of Southern California
From owner-freebsd-net Tue Sep 18 17:31:32 2001
Delivered-To: freebsd-net@freebsd.org
Received: from boreas.isi.edu (boreas.isi.edu [128.9.160.161]) by hub.freebsd.org (Postfix) with ESMTP id 3C8AF37B413 for ; Tue, 18 Sep 2001 17:31:27 -0700 (PDT)
Received: from hbo (hbo.isi.edu [128.9.160.75]) by boreas.isi.edu (8.11.6/8.11.2) with SMTP id f8J0VOC25669; Tue, 18 Sep 2001 17:31:24 -0700 (PDT)
From: "Lars Eggert"
To: "Mike Saunders" ,
Subject: RE: kernel arp messages
Date: Tue, 18 Sep 2001 17:31:24 -0800

> Sep 18 15:01:54 router /kernel: arp: 209.74.87.1 is on lo0 but got reply
> from 00:60:08:35:57:4e on xl0

And this is *really* ugly! Are you proxy-arping? Someone is advertising
one of your local IP addresses.

Again, I think a picture of your setup would help. It sounds like you're
simply trying to set up a FreeBSD router between two networks, this should
not be so complicated.
Lars
--
Lars Eggert                     Information Sciences Institute
http://www.isi.edu/larse/       University of Southern California
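The two readings of that log line in the thread (a foreign station advertising one of the router's own addresses, or the router's own reply looping back in on the other NIC) can be told apart mechanically by comparing the replying MAC against the router's own interface MACs, which is what the thread goes on to do by hand. This is an added example, not code from the thread: the interface table is constructed from the ifconfig output in the original post, and the sample log repeats that post's arp lines with the mail wrapping undone.

```python
"""Classify FreeBSD "arp: X is on A but got reply from MAC on B" messages
against the router's own interface table, separating a wiring loop from a
foreign station claiming one of the router's addresses.

Added example for this thread, not code from it.  INTERFACES is constructed
from the ifconfig output quoted in the thread; SAMPLE_LOG repeats the log
lines from the original post with the mail wrapping undone.
"""
import ipaddress
import re
from collections import Counter

# Constructed from the thread's ifconfig output: name -> (address/prefix, MAC).
INTERFACES = {
    "ep0": ("209.74.87.1/24", "00:60:08:35:57:4e"),
    "xl0": ("209.74.92.209/24", "00:50:da:c7:e3:1a"),
}

ARP_RE = re.compile(
    r"arp: (?P<ip>\d+\.\d+\.\d+\.\d+) is on (?P<expect>\w+) but got reply "
    r"from (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) on (?P<got>\w+)"
)
REPEAT_RE = re.compile(r"last message repeated (?P<n>\d+) times")


def classify(ip, expect, mac, got, interfaces=INTERFACES):
    """Label one arp message.
    own-mac-loop        the replying MAC is one of this host's own NICs, so
                        the router's own ARP reply came back in on another
                        interface: the two segments are joined somewhere
                        (the hub-in-the-closet case from the thread)
    local-addr-claimed  a foreign MAC answers for one of this host's own
                        addresses (reported against lo0): proxy ARP on a
                        neighbour, an address conflict or spoofing
    wrong-segment       a host in the subnet behind `expect` answered on
                        `got`: that subnet's traffic is leaking across
    unexpected          the address is not in the subnet of `expect` at all
    """
    own_macs = {m.lower() for _, m in interfaces.values()}
    own_addrs = {ipaddress.ip_interface(a).ip for a, _ in interfaces.values()}
    addr = ipaddress.ip_address(ip)
    if mac.lower() in own_macs:
        return "own-mac-loop"
    if addr in own_addrs or expect == "lo0":
        return "local-addr-claimed"
    if expect in interfaces:
        if addr in ipaddress.ip_interface(interfaces[expect][0]).network:
            return "wrong-segment"
    return "unexpected"


def summarize(lines, interfaces=INTERFACES):
    """Fold a syslog excerpt into Counter{(label, ip, mac, got): count}.
    syslogd compresses duplicates into "last message repeated N times"; those
    N copies are credited to the arp message logged just before them.
    """
    counts = Counter()
    last = None
    for line in lines:
        m = ARP_RE.search(line)
        if m:
            label = classify(m["ip"], m["expect"], m["mac"], m["got"], interfaces)
            last = (label, m["ip"], m["mac"], m["got"])
            counts[last] += 1
            continue
        r = REPEAT_RE.search(line)
        if r and last is not None:
            counts[last] += int(r["n"])
    return counts


def verdict(counts):
    """Reduce the per-message counts to the diagnosis the thread converged on."""
    labels = {key[0] for key in counts}
    if "own-mac-loop" in labels:
        return "segments bridged: look for a hub or cable joining both networks"
    if "local-addr-claimed" in labels:
        return "foreign station answering for a local address: check proxy ARP"
    if "wrong-segment" in labels:
        return "hosts of one subnet are answering on the other interface"
    return "nothing to report"


# Constructed: the original post's log lines with the mail wrapping undone.
SAMPLE_LOG = """\
Sep 18 15:01:54 router /kernel: arp: 209.74.92.1 is on xl0 but got reply from 00:00:a2:66:83:41 on ep0
Sep 18 15:01:54 router last message repeated 4 times
Sep 18 15:01:54 router /kernel: arp: 209.74.87.1 is on lo0 but got reply from 00:60:08:35:57:4e on xl0
Sep 18 15:01:55 router last message repeated 2 times
Sep 18 15:01:55 router /kernel: arp: 209.74.87.193 is on ep0 but got reply from 00:50:da:c7:e7:68 on xl0
Sep 18 15:01:55 router /kernel: arp: 209.74.87.1 is on lo0 but got reply from 00:60:08:35:57:4e on xl0
""".splitlines()

if __name__ == "__main__":
    counts = summarize(SAMPLE_LOG)
    for (label, ip, mac, got), n in sorted(counts.items()):
        print(f"{n:4d}  {label:<18} {ip:<15} {mac} seen on {got}")
    print(verdict(counts))
```

On the thread's own log the 209.74.87.1 lines come out as own-mac-loop, because 00:60:08:35:57:4e is ep0's address, and the 209.74.92.1 and 209.74.87.193 lines as wrong-segment, which together point at the two segments being joined rather than at a spoofing neighbour.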
From owner-freebsd-net Tue Sep 18 17:31:40 2001
Delivered-To: freebsd-net@freebsd.org
Received: from alicia.nttmcl.com (alicia.nttmcl.com [216.69.69.10]) by hub.freebsd.org (Postfix) with ESMTP id A5EA337B405 for ; Tue, 18 Sep 2001 17:31:35 -0700 (PDT)
Received: from ntt27f48otgmw8 (dhcp246.nttmcl.com [216.69.69.246]) by alicia.nttmcl.com (8.10.1/8.10.1) with SMTP id f8J0VSv19110; Tue, 18 Sep 2001 17:31:28 -0700 (PDT)
From: "Anuranjan"
To: "'Lars Eggert'" , "'Mike Saunders'" ,
Subject: RE: kernel arp messages
Date: Tue, 18 Sep 2001 17:32:00 -0700
Message-ID: <001901c140a2$800511a0$f64545d8@ntt27f48otgmw8>

ifconfig_xl0="inet 209.74.92.209 netmask 255.255.255.0"
ifconfig_ep0="inet 209.74.87.1 netmask 255.255.255.0"

the netmasks are for the same subnet ... that is the thing that results in
the kernel giving out these messages. If it's two different networks/subnets
that're in picture then you could try using different masks.

-----Original Message-----
From: owner-freebsd-net@FreeBSD.ORG [mailto:owner-freebsd-net@FreeBSD.ORG]On Behalf Of Lars Eggert
Sent: Tuesday, September 18, 2001 6:26 PM
To: Mike Saunders; freebsd-net@FreeBSD.ORG
Subject: RE: kernel arp messages

> I'm running a 3.4-RELEASE i386 machine with two network cards. The
> machine acts as a router between my LAN and my provider's network. ep0 is
> the NIC connected to my LAN and xl0 is my provider's network.

These ARP messages usually occur when people think they must hook two NICs
up to the same LAN. But your description sounds like they go out onto two
separate networks? Or do I misunderstand? Could you draw a picture maybe?

Thanks,
Lars
--
Lars Eggert                     Information Sciences Institute
http://www.isi.edu/larse/       University of Southern California

From owner-freebsd-net Tue Sep 18 17:34: 8 2001
Delivered-To: freebsd-net@freebsd.org
Received: from boreas.isi.edu (boreas.isi.edu [128.9.160.161]) by hub.freebsd.org (Postfix) with ESMTP id 9EC5537B403 for ; Tue, 18 Sep 2001 17:34:03 -0700 (PDT)
Received: from hbo (hbo.isi.edu [128.9.160.75]) by boreas.isi.edu (8.11.6/8.11.2) with SMTP id f8J0Y0C26166; Tue, 18 Sep 2001 17:34:00 -0700 (PDT)
From: "Lars Eggert"
To: , "'Mike Saunders'" ,
Subject: RE: kernel arp messages
Date: Tue, 18 Sep 2001 17:34:00 -0800
In-Reply-To: <001901c140a2$800511a0$f64545d8@ntt27f48otgmw8>

> ifconfig_xl0="inet 209.74.92.209 netmask 255.255.255.0"
> ifconfig_ep0="inet 209.74.87.1 netmask 255.255.255.0"
>
> the netmasks are for the same subnet ... that is the thing that results in
> the kernel giving out these messages. If it's two different
> networks/subnets
> that're in picture then you could try using different masks.

How are these for the same subnet? One is for 209.74.92/24, the other for
209.74.87/24.
--
Lars Eggert                     Information Sciences Institute
http://www.isi.edu/larse/       University of Southern California
From owner-freebsd-net Tue Sep 18 17:55:54 2001
Delivered-To: freebsd-net@freebsd.org
Received: from InterJet.elischer.org (c421509-a.pinol1.sfba.home.com [24.7.86.9]) by hub.freebsd.org (Postfix) with ESMTP id 1AD1137B403 for ; Tue, 18 Sep 2001 17:55:45 -0700 (PDT)
Received: from localhost (localhost.elischer.org [127.0.0.1]) by InterJet.elischer.org (8.9.1a/8.9.1) with ESMTP id SAA23681; Tue, 18 Sep 2001 18:25:55 -0700 (PDT)
Date: Tue, 18 Sep 2001 18:25:52 -0700 (PDT)
From: Julian Elischer
To: Anuranjan
Cc: "'Lars Eggert'" , "'Mike Saunders'" , freebsd-net@FreeBSD.ORG
Subject: RE: kernel arp messages
In-Reply-To: <001901c140a2$800511a0$f64545d8@ntt27f48otgmw8>

On Tue, 18 Sep 2001, Anuranjan wrote:

> ifconfig_xl0="inet 209.74.92.209 netmask 255.255.255.0"
> ifconfig_ep0="inet 209.74.87.1 netmask 255.255.255.0"
>
> the netmasks are for the same subnet ... that is the thing that results in
> the kernel giving out these messages. If it's two different networks/subnets

They are NOT for the same netmask...
(92 vs 87) but maybe they are on the same wire?

> that're in picture then you could try using different masks.
>
> -----Original Message-----
> From: owner-freebsd-net@FreeBSD.ORG
> [mailto:owner-freebsd-net@FreeBSD.ORG]On Behalf Of Lars Eggert
> Sent: Tuesday, September 18, 2001 6:26 PM
> To: Mike Saunders; freebsd-net@FreeBSD.ORG
> Subject: RE: kernel arp messages
>
>
> > I'm running a 3.4-RELEASE i386 machine with two network cards. The
> > machine acts as a router between my LAN and my provider's network. ep0
> is
> > the NIC connected to my LAN and xl0 is my provider's network.
>
> These ARP messages usually occur when people think they must hook two NICs
> up to the same LAN. But your description sounds like they go out onto two
> separate networks? Or do I misunderstand? Could you draw a picture maybe?
>
> Thanks,
> Lars
> --
> Lars Eggert                     Information Sciences Institute
> http://www.isi.edu/larse/       University of Southern California

From owner-freebsd-net Tue Sep 18 18: 1:32 2001
Delivered-To: freebsd-net@freebsd.org
Received: from miles.method.cx (gateway.method.cx [216.221.97.178]) by hub.freebsd.org (Postfix) with ESMTP id BBEA137B427 for ; Tue, 18 Sep 2001 18:01:27 -0700 (PDT)
Received: from schizo.method.cx (schizo.method.cx [10.0.0.2]) by miles.method.cx (Postfix) with ESMTP id AE2EB1B03F; Tue, 18 Sep 2001 20:01:26 -0500 (CDT)
Date: Tue, 18 Sep 2001 20:02:16 -0500 (CDT)
From: Mike Saunders
To: Lars Eggert
Cc: freebsd-net@freebsd.org
Subject: RE: kernel arp messages

Thanks for all the replies gentlemen! I'll try to clear some things up
here:

On Tue, 18 Sep 2001, Lars Eggert wrote:

> Date: Tue, 18 Sep 2001 17:31:24 -0800
> From: Lars Eggert
> To: Mike Saunders , freebsd-net@freebsd.org
> Subject: RE: kernel arp messages
>
> > Sep 18 15:01:54 router /kernel: arp: 209.74.87.1 is on lo0 but got reply
> > from 00:60:08:35:57:4e on xl0
>
> And this is *really* ugly! Are you proxy-arping? Someone is advertising
> one of your local IP addresses.

Actually Lars,
If you notice the MAC, it's the same as:

ep0: flags=8843 mtu 1500
        inet 209.74.87.1 netmask 0xffffff00 broadcast 209.74.87.255
        ether 00:60:08:35:57:4e

So 209.74.87.1 is on ep0 which is on lo0 but gets caught at xl0, according
to this machine.

So maybe a picture will help

          |
          |
          |
     209.74.92/24
          |
        (xl0)
    FreeBSD Router
        (ep0)
          |
     209.74.87/24
          |
       switches

This is what I believe to be the current set up. Now that I read the
email mentioning the loop, it's possible that somebody has thrown in a hub
connecting both networks. I know there's one in the closet. I'll have to
go and check.

Ideally, all I'm trying to do is route one class C into my
provider's network. I just want a router, it happens to be running
FreeBSD instead of IOS.

I'll have to go take a look at the cabling setups though. Thanks for the
tips everybody.

-Mike
method@method.cx

>
> Again, I think a picture of your setup would help. It sounds like you're
> simply trying to set up a FreeBSD router between two networks, this should
> not be so complicated.
>
> Lars
> --
> Lars Eggert                     Information Sciences Institute
> http://www.isi.edu/larse/       University of Southern California

From owner-freebsd-net Tue Sep 18 18: 3:52 2001
Delivered-To: freebsd-net@freebsd.org
Received: from miles.method.cx (gateway.method.cx [216.221.97.178]) by hub.freebsd.org (Postfix) with ESMTP id B59BA37B405 for ; Tue, 18 Sep 2001 18:03:46 -0700 (PDT)
Received: from schizo.method.cx (schizo.method.cx [10.0.0.2]) by miles.method.cx (Postfix) with ESMTP id 524061B03F; Tue, 18 Sep 2001 20:03:45 -0500 (CDT)
Date: Tue, 18 Sep 2001 20:04:35 -0500 (CDT)
From: Mike Saunders
To: Julian Elischer
Cc: Anuranjan , 'Lars Eggert' , freebsd-net@FreeBSD.ORG
Subject: RE: kernel arp messages

On Tue, 18 Sep 2001, Julian Elischer wrote:

> Date: Tue, 18 Sep 2001 18:25:52 -0700 (PDT)
> From: Julian Elischer
> To: Anuranjan
> Cc: 'Lars Eggert' , 'Mike Saunders' ,
>     freebsd-net@FreeBSD.ORG
> Subject: RE: kernel arp messages
>
>
> On Tue, 18 Sep 2001, Anuranjan wrote:
>
> > ifconfig_xl0="inet 209.74.92.209 netmask 255.255.255.0"
> > ifconfig_ep0="inet 209.74.87.1 netmask 255.255.255.0"
> >
> > the netmasks are for the same subnet ... that is the thing that results in
> > the kernel giving out these messages. If it's two different networks/subnets
>
> They are NOT for the same netmask...
> (92 vs 87) but maybe they are on the same wire?
>

No, they are not the same wire. They're 2 networks physically separated by
a FreeBSD machine with 2 NICs acting as a router. Although as mentioned in
my previous email, it's possible that there may be a hub bridging the
networks. I need to go check that.

-Mike Saunders

> > that're in picture then you could try using different masks.
> >
> > -----Original Message-----
> > From: owner-freebsd-net@FreeBSD.ORG
> > [mailto:owner-freebsd-net@FreeBSD.ORG]On Behalf Of Lars Eggert
> > Sent: Tuesday, September 18, 2001 6:26 PM
> > To: Mike Saunders; freebsd-net@FreeBSD.ORG
> > Subject: RE: kernel arp messages
> >
> >
> > > I'm running a 3.4-RELEASE i386 machine with two network cards. The
> > > machine acts as a router between my LAN and my provider's network. ep0
> > is
> > > the NIC connected to my LAN and xl0 is my provider's network.
> >
> > These ARP messages usually occur when people think they must hook two NICs
> > up to the same LAN. But your description sounds like they go out onto two
> > separate networks? Or do I misunderstand? Could you draw a picture maybe?
> >
> > Thanks,
> > Lars
> > --
> > Lars Eggert                     Information Sciences Institute
> > http://www.isi.edu/larse/       University of Southern California

From owner-freebsd-net Tue Sep 18 18:31: 4 2001
Delivered-To: freebsd-net@freebsd.org
Received: from taka.swcp.com (taka.swcp.com [198.59.115.12]) by hub.freebsd.org (Postfix) with ESMTP id E7E6237B40E for ; Tue, 18 Sep 2001 18:30:56 -0700 (PDT)
Received: from argotsoft.com (argotsoft.com [198.59.115.127]) by taka.swcp.com (8.10.0.Beta12/8.10.0.Beta12) with ESMTP id f8J1W4K55659; Tue, 18 Sep 2001 19:32:04 -0600 (MDT)
Received: from ATHABASCA (athabasca.argotsoft.com [192.168.3.104]) by argotsoft.com (8.11.3/8.11.3) with SMTP id f8J1UP038971; Tue, 18 Sep 2001 19:30:25 -0600 (MDT)
Message-Id: <3.0.3.32.20010918193023.01463ec8@mail>
Date: Tue, 18 Sep 2001 19:30:23 -0600
To: francisv@dagupan.com, anu@nttmcl.com, method@method.cx, freebsd-net@FreeBSD.ORG
From: "Mark J. Sommer"
Subject: RE: kernel arp messages
In-Reply-To: <10F29E27A956D511B0940050DA8D86A908F8F9@chat.dagupan.com>

I have several clients I've set up with multiple gateways (office WAN,
Internet Gateway). I think this thread is derailed. 4.3 Release and prior
(as far as I know) have long supported this configuration.

At 08:08 AM 9/19/2001 +0800, francisv@dagupan.com wrote:
>Is it possible to specify a gateway for each NIC on the next release of
>FreeBSD?
>
>> -----Original Message-----
>> From: Anuranjan [mailto:anu@nttmcl.com]
>> Sent: Wednesday, September 19, 2001 8:02 AM
>> To: 'Mike Saunders'; freebsd-net@FreeBSD.ORG
>> Subject: RE: kernel arp messages
>>
>> I recently came across the same problem myself. You're facing it because of
>> the same subnet mask on your cards. In FreeBSD if you configure two cards
>> on the same subnet the kernel gets confused as to which card is the
>> gateway
>> to the router. The kernel seems to make this decision based on the fact
>> that if you want to configure two cards on the same machine you want to
>> use
>> it as a gateway between two different networks/subnets.
>>
>> --A
>>
>>
>> -----Original Message-----
>> From: owner-freebsd-net@FreeBSD.ORG
>> [mailto:owner-freebsd-net@FreeBSD.ORG]On Behalf Of Mike Saunders
>> Sent: Tuesday, September 18, 2001 4:45 PM
>> To: freebsd-net@FreeBSD.ORG
>> Subject: kernel arp messages
>>
>>
>> Hello!
>> I'm hoping somebody can help me with this problem. I'm about at my
>> wit's end. The problem is that I'm receiving the following messages
>> constantly, at the console, in the syslog, and to root's terminal.
>>
>> Sep 18 15:01:54 router /kernel: arp: 209.74.92.1 is on xl0 but got reply from 00:00:a2:66:83:41 on ep0
>> Sep 18 15:01:54 router last message repeated 4 times
>> Sep 18 15:01:54 router /kernel: arp: 209.74.87.1 is on lo0 but got reply from 00:60:08:35:57:4e on xl0
>> Sep 18 15:01:55 router last message repeated 2 times
>> Sep 18 15:01:55 router /kernel: arp: 209.74.87.193 is on ep0 but got reply from 00:50:da:c7:e7:68 on xl0
>> Sep 18 15:01:55 router /kernel: arp: 209.74.87.1 is on lo0 but got reply from 00:60:08:35:57:4e on xl0
>>
>> I'm running a 3.4-RELEASE i386 machine with two network cards. The
>> machine acts as a router between my LAN and my provider's network. ep0 is
>> the NIC connected to my LAN and xl0 is my provider's network.
>>
>>
>> Here's my network configuration:
>>
>> bash# ifconfig ep0
>> ep0: flags=8843 mtu 1500
>>         inet 209.74.87.1 netmask 0xffffff00 broadcast 209.74.87.255
>>         ether 00:60:08:35:57:4e
>> bash# ifconfig xl0
>> xl0: flags=8843 mtu 1500
>>         inet 209.74.92.209 netmask 0xffffff00 broadcast 209.74.92.255
>>         ether 00:50:da:c7:e3:1a
>>         media: 10baseT/UTP
>>
>> my /etc/rc.conf looks like this:
>>
>> ifconfig_xl0="inet 209.74.92.209 netmask 255.255.255.0"
>> ifconfig_ep0="inet 209.74.87.1 netmask 255.255.255.0"
>> hostname="router.cland-minot.com"
>> gateway_enable="YES"
>> defaultrouter="209.74.92.1"
>>
>> I tried to enable arpproxy_all="YES" in /etc/rc.conf, but that's
>> not helping, I still got spammed by all the arp messages.
>> With the new
>> IIS exploit causing such increased traffic flow, the arp messages are
>> making console useless by filling the screen as well as lagging the system
>> horribly by churning the disk so much (It's only a pentium 60). I can't
>> even log into the machine via ssh. The only way to get a shell on it is
>> to pull the network lines and use the console.
>>
>> So, in short, besides redirecting console and syslog to /dev/null,
>> what can I do to make these arp messages go away?
>>
>> Thanks!
>>
>> -Mike Saunders
>> method@method.cx
>>
>> Network Administrator - cland-minot.com
>> msaunders@cland-minot.com

From owner-freebsd-net Tue Sep 18 18:35:50 2001
Delivered-To: freebsd-net@freebsd.org
Received: from InterJet.elischer.org (c421509-a.pinol1.sfba.home.com [24.7.86.9]) by hub.freebsd.org (Postfix) with ESMTP id E9AA937B401 for ; Tue, 18 Sep 2001 18:35:40 -0700 (PDT)
Received: from localhost (localhost.elischer.org [127.0.0.1]) by InterJet.elischer.org (8.9.1a/8.9.1) with ESMTP id TAA23847; Tue, 18 Sep 2001 19:05:23 -0700 (PDT)
Date: Tue, 18 Sep 2001 19:05:21 -0700 (PDT)
From: Julian Elischer
To: Mike Saunders
Cc: Lars Eggert , freebsd-net@freebsd.org
Subject: RE: kernel arp messages
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Tue, 18 Sep 2001, Mike Saunders wrote:

> Thanks for all the replies gentlemen! I'll try to clear some things up
> here:
>
> On Tue, 18 Sep 2001, Lars Eggert wrote:
>
> > Date: Tue, 18 Sep 2001 17:31:24 -0800
> > From: Lars Eggert
> > To: Mike Saunders , freebsd-net@freebsd.org
> > Subject: RE: kernel arp messages
> >
> > > Sep 18 15:01:54 router /kernel: arp: 209.74.87.1 is on lo0 but got reply
> > > from 00:60:08:35:57:4e on xl0
> >
> > And this is *really* ugly! Are you proxy-arping? Someone is advertising
> > one of your local IP addresses.
>

how did that address get on lo0?
what is netstat -r (or ifconfig) showing?

> Actually Lars,
> If you notice the MAC, it's the same as:
>
> ep0: flags=8843 mtu 1500
>         inet 209.74.87.1 netmask 0xffffff00 broadcast 209.74.87.255
>         ether 00:60:08:35:57:4e
>
> So 209.74.87.1 is on ep0 which is on lo0 but gets caught at xl0, according
> to this machine.

ep0 is NOT "ON" lo0
What makes you say that strange thing?

>
> So maybe a picture will help
>
>            |
>            |
>            |
>       209.74.92/24
>            |
>          (xl0)
>      FreeBSD Router
>          (ep0)
>            |
>       209.74.87/24
>            |
>         switches
>
> This is what I believe to be the current set up. Now that I read the
> email mentioning the loop, it's possible that somebody has thrown in a hub
> connecting both networks. I know there's one in the closet. I'll have to
> go and check.

that would be my guess.

>
> Ideally, all I'm trying to do is route one class C into my

what is the link to the provider?

> provider's network. I just want a router, it happens to be running
> FreeBSD instead of IOS.
>
> I'll have to go take a look at the cabling setups though. Thanks for the
> tips everybody.
>
> -Mike
> method@method.cx
>
> > Again, I think a picture of your setup would help. It sounds like you're
> > simply trying to set up a FreeBSD router between two networks, this should
> > not be so complicated.
> >
> > Lars
> > --
> > Lars Eggert                    Information Sciences Institute
> > http://www.isi.edu/larse/      University of Southern California

From owner-freebsd-net Tue Sep 18 19:58:33 2001
Delivered-To: freebsd-net@freebsd.org
Received: from samuel.interplex.ca (abi.ca [216.18.127.185]) by hub.freebsd.org (Postfix) with ESMTP id DAA1E37B40D for ; Tue, 18 Sep 2001 19:58:22 -0700 (PDT)
Received: from there (deejay2@smart-x.ctlc.interplex.ca [209.71.202.73]) by samuel.interplex.ca (8.11.3/8.11.3) with SMTP id f8J32D202145 for ; Tue, 18 Sep 2001 23:02:15 -0400 (EDT) (envelope-from db@interplex.ca)
Message-Id: <200109190302.f8J32D202145@samuel.interplex.ca>
Content-Type: text/plain; charset="iso-8859-1"
From: Dominic Blais
To: freebsd-net@freebsd.org
Subject: kernel arp messages (Take 2) ;))
Date: Tue, 18 Sep 2001 23:01:35 -0400
X-Mailer: KMail [version 1.3]
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Sep 13 08:26:40 samuel /kernel: arplookup 0.0.0.0 failed: host is not on local network

I always get this message every 12 minutes... I use 2 NICs with VLANs on them.
All interfaces have an IP except some VLANs which are "down". Where's the problem??

Thanks

--
Dominic Blais
Network administrator
Interplex telecom -=[ http://www.interplex.ca ]=-
Email: db@interplex.ca

From owner-freebsd-net Tue Sep 18 19:59:58 2001
Delivered-To: freebsd-net@freebsd.org
Received: from miles.method.cx (gateway.method.cx [216.221.97.178]) by hub.freebsd.org (Postfix) with ESMTP id 87E6C37B412 for ; Tue, 18 Sep 2001 19:59:52 -0700 (PDT)
Received: from schizo.method.cx (schizo.method.cx [10.0.0.2]) by miles.method.cx (Postfix) with ESMTP id 8799C1B03F for ; Tue, 18 Sep 2001 21:59:51 -0500 (CDT)
Date: Tue, 18 Sep 2001 22:00:42 -0500 (CDT)
From: Mike Saunders
To: freebsd-net@freebsd.org
Subject: SOLVED - kernel arp messages
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Tue, 18 Sep 2001, Julian Elischer wrote:

> Date: Tue, 18 Sep 2001 19:05:21 -0700 (PDT)
> From: Julian Elischer
> To: Mike Saunders
> Cc: Lars Eggert , freebsd-net@freebsd.org
> Subject: RE: kernel arp messages
>
> > > Date: Tue, 18 Sep 2001 17:31:24 -0800
> > > From: Lars Eggert
> > > To: Mike Saunders , freebsd-net@freebsd.org
> > > Subject: RE: kernel arp messages
> > >
> > > > Sep 18 15:01:54 router /kernel: arp: 209.74.87.1 is on lo0 but got reply
> > > > from 00:60:08:35:57:4e on xl0
> > >
> > > And this is *really* ugly! Are you proxy-arping? Someone is advertising
> > > one of your local IP addresses.
> >
> how did that address get on lo0?
> what is netstat -r (or ifconfig) showing?

That is a good question. I don't really know how, that's just what the kernel tells me.

> > Actually Lars,
> > If you notice the MAC, it's the same as:
> >
> > ep0: flags=8843 mtu 1500
> >         inet 209.74.87.1 netmask 0xffffff00 broadcast 209.74.87.255
> >         ether 00:60:08:35:57:4e
> >
> > So 209.74.87.1 is on ep0 which is on lo0 but gets caught at xl0, according
> > to this machine.
>
> ep0 is NOT "ON" lo0
> What makes you say that strange thing?

What I meant was "This is what the machine is thinking." I know that ep0 is not "on" lo0.

> >
> > So maybe a picture will help
> >
> >            |
> >            |
> >            |
> >       209.74.92/24
> >            |
> >          (xl0)
> >      FreeBSD Router
> >          (ep0)
> >            |
> >       209.74.87/24
> >            |
> >         switches
> >
> > This is what I believe to be the current set up. Now that I read the
> > email mentioning the loop, it's possible that somebody has thrown in a hub
> > connecting both networks. I know there's one in the closet. I'll have to
> > go and check.
>
> that would be my guess.
>
> >
> > Ideally, all I'm trying to do is route one class C into my
>
> what is the link to the provider?

In return for a free T1 we do some co-location for our provider. There's an
8-port hub that sits between my external interface and the router. There's a
few other machines and a bay networks access node plugged into this hub.
Turns out somebody plugged a patch cable from this hub (sitting on the
provider's network) into our stack of switches. I believe it was Chris that
nailed this one on the head. Thanks for the tips everybody.
I've been looking at that for a long time, I don't know how I missed that
cable, or how it got there. So in reality, the network setup looked like this.

     provider router
            |-----------\
           Hub          |
            |           |
       209.74.92/24     |
            |           |
          (xl0)         |
      FreeBSD Router    |
          (ep0)         |
            |           |
       209.74.87/24     |
            |           /
        switches-------/

Once again, thanks for the quick replies and the help. It's much appreciated.

-Mike Saunders
method@method.cx

From owner-freebsd-net Tue Sep 18 20:14:50 2001
Delivered-To: freebsd-net@freebsd.org
Received: from mail1.hub.org (webmail.hub.org [216.126.85.1]) by hub.freebsd.org (Postfix) with ESMTP id 6116737B40E; Tue, 18 Sep 2001 20:14:45 -0700 (PDT)
Received: from localhost (scrappy@localhost) by mail1.hub.org (8.11.3/8.11.4) with ESMTP id f8J3Eof95774; Tue, 18 Sep 2001 23:14:51 -0400 (EDT) (envelope-from scrappy@hub.org)
Date: Tue, 18 Sep 2001 23:14:50 -0400 (EDT)
From: "Marc G. Fournier"
Subject: Re: ipfw problems ...
In-Reply-To: <20010918134410.P87162-100000@atelier.acadiau.ca>
Message-ID: <20010918230726.M30377-100000@mail1.hub.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

I recently setup a box on our network, running FreeBSD 4.4-PRERELEASE,
with ipfw and dummynet to do bandwidth shaping as well as firewalling ...

The machine is a Dual PIII 733 w/1gig of RAM and 2xfxp0 devices ...

I've got an /etc/fw.rules file that has ~1200 rules in it so far, and
still have more that I want to put in, but today the machine locked up
solid ...

I ended up re-starting the machine with fw set to open, and loaded a few
rules at a time ... got up to 747 rules before the machine pretty much
ground to a halt, with the occasional keystroke going through ...

~900 or so of the rules are purely 'pass thru' rules ... we have two
connections to the internet ... one that costs us nothing, and one that
costs us quite dearly ... we want to allow all traffic that goes to sites
on the 'costs us nothing' network to go through unimpeded, while that
which goes through the 'costs us quite dearly' to be 'shaped' ... the ~900
rules are the ones that define those b-class networks that are on the
'costs us nothing' network ...

I'm not seeing any errors on the console to indicate a problem, it just
slowly grinds to a halt ... is there a setting in the kernel, or
somewhere, that I should be setting to allow for such a high number of
rules, or is it just not possible to do more than a few hundred?
:(

Thanks

From owner-freebsd-net Tue Sep 18 21:06:19 2001
Delivered-To: freebsd-net@freebsd.org
Received: from science.slc.edu (Science.SLC.Edu [198.83.6.248]) by hub.freebsd.org (Postfix) with ESMTP id B3E8237B43A; Tue, 18 Sep 2001 21:06:07 -0700 (PDT)
Received: (from aschneid@localhost) by science.slc.edu (8.11.0/8.11.0) id f8J45Z483525; Wed, 19 Sep 2001 00:05:35 -0400 (EDT) (envelope-from aschneid)
Date: Wed, 19 Sep 2001 00:05:34 -0400
From: Anthony Schneider
To: "Marc G. Fournier"
Cc: freebsd-security@FreeBSD.ORG, freebsd-net@FreeBSD.ORG
Subject: Re: ipfw problems ...
Message-ID: <20010919000534.A83486@mail.slc.edu>
References: <20010918134410.P87162-100000@atelier.acadiau.ca> <20010918230726.M30377-100000@mail1.hub.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010918230726.M30377-100000@mail1.hub.org>; from scrappy@hub.org on Tue, Sep 18, 2001 at 11:14:50PM -0400

it might have something to do with the prerelease nature of the machine.
-Anthony.

On Tue, Sep 18, 2001 at 11:14:50PM -0400, Marc G. Fournier wrote:
>
> I recently setup a box on our network, running FreeBSD 4.4-PRERELEASE,
> with ipfw and dummynet to do bandwidth shaping as well as firewalling ...
>
> The machine is a Dual PIII 733 w/1gig of RAM and 2xfxp0 devices ...
>
> I've got an /etc/fw.rules file that has ~1200 rules in it so far, and
> still have more that I want to put in, but today the machine locked up
> solid ...
>
> I ended up re-starting the machine with fw set to open, and loaded a few
> rules at a time ... got up to 747 rules before the machine pretty much
> ground to a halt, with the occasional keystroke going through ...
>
> ~900 or so of the rules are purely 'pass thru' rules ... we have two
> connections to the internet ... one that costs us nothing, and one that
> costs us quite dearly ... we want to allow all traffic that goes to sites
> on the 'costs us nothing' network to go through unimpeded, while that
> which goes through the 'costs us quite dearly' to be 'shaped' ... the ~900
> rules are the ones that define those b-class networks that are on the
> 'costs us nothing' network ...
>
> I'm not seeing any errors on the console to indicate a problem, it just
> slowly grinds to a halt ... is there a setting in the kernel, or
> somewhere, that I should be setting to allow for such a high number of
> rules, or is it just not possible to do more than a few hundred? :(
>
> Thanks

From owner-freebsd-net Tue Sep 18 22:34:55 2001
Delivered-To: freebsd-net@freebsd.org
Received: from InterJet.elischer.org (c421509-a.pinol1.sfba.home.com [24.7.86.9]) by hub.freebsd.org (Postfix) with ESMTP id 3E70537B40F; Tue, 18 Sep 2001 22:34:47 -0700 (PDT)
Received: from elischer.org (InterJet.elischer.org [192.168.1.1]) by InterJet.elischer.org (8.9.1a/8.9.1) with ESMTP id XAA24697; Tue, 18 Sep 2001 23:09:21 -0700 (PDT)
Message-ID: <3BA82BD0.67F490B4@elischer.org>
Date: Tue, 18 Sep 2001 22:23:28 -0700
From: Julian Elischer
X-Mailer: Mozilla 4.7 [en] (X11; U; FreeBSD 5.0-CURRENT i386)
X-Accept-Language: en, hu
MIME-Version: 1.0
To: "Marc G. Fournier"
Cc: freebsd-security@freebsd.org, freebsd-net@freebsd.org
Subject: Re: ipfw problems ...
References: <20010918230726.M30377-100000@mail1.hub.org>
Content-Type: text/plain; charset=iso-8859-2
Content-Transfer-Encoding: 7bit

"Marc G. Fournier" wrote:
>
> I recently setup a box on our network, running FreeBSD 4.4-PRERELEASE,
> with ipfw and dummynet to do bandwidth shaping as well as firewalling ...
>
> The machine is a Dual PIII 733 w/1gig of RAM and 2xfxp0 devices ...
>
> I've got an /etc/fw.rules file that has ~1200 rules in it so far, and
> still have more that I want to put in, but today the machine locked up
> solid ...
>
> I ended up re-starting the machine with fw set to open, and loaded a few
> rules at a time ... got up to 747 rules before the machine pretty much
> ground to a halt, with the occasional keystroke going through ...
>
> ~900 or so of the rules are purely 'pass thru' rules ... we have two
> connections to the internet ... one that costs us nothing, and one that
> costs us quite dearly ... we want to allow all traffic that goes to sites
> on the 'costs us nothing' network to go through unimpeded, while that
> which goes through the 'costs us quite dearly' to be 'shaped' ... the ~900
> rules are the ones that define those b-class networks that are on the
> 'costs us nothing' network ...
>
> I'm not seeing any errors on the console to indicate a problem, it just
> slowly grinds to a halt ... is there a setting in the kernel, or
> somewhere, that I should be setting to allow for such a high number of
> rules, or is it just not possible to do more than a few hundred? :(
>
> Thanks

IPFW is a linear search.
you can however use 'skipto ' to good effect to get around this..
you can produce a decision tree by filtering left or right on one address
bit (or something) so that each packet traverses a lot less than 747 rules.
(probably about 10)

--
+------------------------------------+       ______ _  __
|      __--_|\  Julian Elischer       |       \     U \/ / hard at work in
|     /       \ julian@elischer.org   +------>x   USA    \ a very strange
|    (   OZ    )                      \___   ___ | country !
+- X_.---._/    presently in San Francisco     \_/   \\
          v

From owner-freebsd-net Tue Sep 18 23:09:21 2001
Delivered-To: freebsd-net@freebsd.org
Received: from web14609.mail.yahoo.com (web14609.mail.yahoo.com [216.136.224.241]) by hub.freebsd.org (Postfix) with SMTP id E82D237B41D for ; Tue, 18 Sep 2001 23:09:18 -0700 (PDT)
Message-ID: <20010919060918.63732.qmail@web14609.mail.yahoo.com>
Received: from [66.156.15.127] by web14609.mail.yahoo.com via HTTP; Tue, 18 Sep 2001 23:09:18 PDT
Date: Tue, 18 Sep 2001 23:09:18 -0700 (PDT)
From: Jerry Murdock
Subject: IPSEC Tunnels vs Dynamic IPs
To: freebsd-net@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

Can an IPSEC tunnel be established between two LANs when one side is using
PPPoE/DSL with dynamic IP using either manual keys or IKE?

IOW:

        LAN 1 (10.2.2.0/24)
               |
     FreeBSD Gateway (T1/Static IP)
               |
               |
      IPSEC Tunnel over Internet
               |
               |
  FreeBSD Gateway (PPPoE/Dynamic IP)
               |
        LAN 2 (10.1.1.0/24)

I've looked at several resources and can't find anything on this, and would
like a little advice before digging deeper.

A simple "yes," "no," or "ARE YOU NUTS!?" would be adequate, but any
pointers on a "yes" answer would be great.

Thanks,
Jerry

From owner-freebsd-net Wed Sep 19 01:00:36 2001
Delivered-To: freebsd-net@freebsd.org
Received: from pa169.kurdwanowa.sdi.tpnet.pl (pa169.kurdwanowa.sdi.tpnet.pl [213.77.148.169]) by hub.freebsd.org (Postfix) with ESMTP id E9F7537B417; Wed, 19 Sep 2001 01:00:24 -0700 (PDT)
Received: by pa169.kurdwanowa.sdi.tpnet.pl (Postfix, from userid 1001) id 3836A1D14; Wed, 19 Sep 2001 09:59:52 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1]) by pa169.kurdwanowa.sdi.tpnet.pl (Postfix) with ESMTP id 43950552A; Wed, 19 Sep 2001 09:59:52 +0200 (CEST)
Date: Wed, 19 Sep 2001 09:59:50 +0200 (CEST)
From: Krzysztof Zaraska
X-Sender: kzaraska@lhotse.zaraska.dhs.org
To: "Marc G. Fournier"
Cc: freebsd-security@FreeBSD.ORG, freebsd-net@FreeBSD.ORG
Subject: Re: ipfw problems ...
In-Reply-To: <20010918230726.M30377-100000@mail1.hub.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Tue, 18 Sep 2001, Marc G. Fournier wrote:

>
> I recently setup a box on our network, running FreeBSD 4.4-PRERELEASE,
> with ipfw and dummynet to do bandwidth shaping as well as firewalling ...
>
> The machine is a Dual PIII 733 w/1gig of RAM and 2xfxp0 devices ...
>
> I've got an /etc/fw.rules file that has ~1200 rules in it so far, and
> still have more that I want to put in, but today the machine locked up
> solid ...
>
> I ended up re-starting the machine with fw set to open, and loaded a few
> rules at a time ... got up to 747 rules before the machine pretty much
> ground to a halt, with the occasional keystroke going through ...
>
> ~900 or so of the rules are purely 'pass thru' rules ... we have two
> connections to the internet ... one that costs us nothing, and one that
> costs us quite dearly ... we want to allow all traffic that goes to sites
> on the 'costs us nothing' network to go through unimpeded, while that
> which goes through the 'costs us quite dearly' to be 'shaped' ... the ~900
> rules are the ones that define those b-class networks that are on the
> 'costs us nothing' network ...

With all respect, that looks like a flawed firewall design. Quoting Lance
Spitzner's paper on firewall design (http://www.enteract.com/~lspitz), every
firewall having over 50 rules becomes unmanageable. I'd say that the
threshold may be moved to 100..150 rules since sometimes it's necessary to
split one policy rule into several filter rules, but your number IMHO is way
too much.
First, is there any specific reason for allowing only specific 900 subnets
instead of the whole 'cost nothing' network? How big is this network? How
would this increase the risk?

Second, with that number of networks, it is probable that at least some of
them have the same prefix; for example

10.10.0.0/16
10.11.0.0/16

can be matched with 10.10.0.0/15. This may bring down the number of rules.
Continuing from the previous point, if all class B networks are on the same
network block (having, say, 1024 class B networks) you may allow the whole
block and disallow only 124 subnets. That would bring the number of relevant
rules down to 125.

Third, take into account that since ipfw takes the 'first matching rule
wins' approach, you will get a performance boost by moving more frequently
used and more general rules "up" in the ruleset. For example, if you move
the rule from position 700 to 200, the packet will be matched only against
200 rules instead of 700.

Fourth, if you have any "keep-state" rules, each of them effectively
generates new "dynamic" rules. In order to improve performance with TCP
connections you may try to switch to the TCP flag-based approach (keywords
"setup" and "established"). This will save you from additional growth of the
ruleset, but may open you to the TCP ACK scan (I haven't verified it) which
exposes inside network topology.

Fifth, you may try separating routers. For example, set up one machine for
each uplink, and set each one with a ruleset relevant to the link it is
connected to. You may then connect them to the internal network with a
non-filtering router or just set the routing tables on each internal host
appropriately. This should distribute the load and ease management.

> I'm not seeing any errors on the console to indicate a problem, it just
> slowly grinds to a halt ... is there a setting in the kernel, or
> somewhere, that I should be setting to allow for such a high number of
> rules, or is it just not possible to do more than a few hundred? :(

Well.
A friend of mine gave up on a Linux router with ca 300 rules. Matching every
one of literally millions of packets traversing the router against a huge
ruleset will bring every machine to its knees.

> Thanks

Not at all.

Regards,
Krzysztof

From owner-freebsd-net Wed Sep 19 01:18:52 2001
Delivered-To: freebsd-net@freebsd.org
Received: from star.rila.bg (star.rila.bg [194.141.1.32]) by hub.freebsd.org (Postfix) with ESMTP id 249C237B411 for ; Wed, 19 Sep 2001 01:18:48 -0700 (PDT)
Received: from star.rila.bg (vlady@localhost [127.0.0.1]) by star.rila.bg (8.11.4/8.11.4) with ESMTP id f8J8L0c09243 for ; Wed, 19 Sep 2001 11:21:00 +0300 (EEST) (envelope-from vlady@star.rila.bg)
Message-Id: <200109190821.f8J8L0c09243@star.rila.bg>
X-Mailer: exmh version 2.4 05/15/2001 with nmh-1.0.3
To: freebsd-net@freebsd.org
From: "Vladimir Terziev"
Subject: Problem with IPFW and NATD
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 19 Sep 2001 11:21:00 +0300

Hi,

I have a gateway machine which runs NATD (natd -unregistered_only -interface an0)
and has the IP packet filter IPFW with the following rules:

ipfw add 100 allow ip from any to any via lo0
ipfw add 10002 skipto 20000 tcp from 192.168.15.2 to any 21
ipfw add 10003 skipto 20000 tcp from 192.168.15.2 to any 53,6667,6668
ipfw add 10004 skipto 20000 udp from 192.168.15.2 to any 53,4000
ipfw add 11000 deny ip from 192.168.15.0/24 to any
ipfw add 20000 divert natd ip from any to any via an0
ipfw add 63000 allow ip from PUBLIC_IP to any
ipfw add 64000 allow ip from any to PUBLIC_IP
ipfw add 30001 allow tcp from any 21 to 192.168.15.2 established
ipfw add 30002 allow tcp from any 53,6667,6668 to 192.168.15.2 established
ipfw add 30003 allow udp from any 53,4000 to 192.168.15.2
ipfw add 65000 deny ip from any to any

The gateway machine is FreeBSD 4.4-RC and has 2 interfaces (internal, and
external - an0). I need only one of the machines in the local network to have
connectivity to "the rest of the world".

I've read all the documentation about ipfw(8), divert(4) and natd(8).
According to it, the above rules should provide what I want, but they don't !!!

Does anybody have an idea why?
regards,
Vladimir

From owner-freebsd-net Wed Sep 19 01:33:55 2001
Delivered-To: freebsd-net@freebsd.org
Received: from elvis.mu.org (elvis.mu.org [216.33.66.196]) by hub.freebsd.org (Postfix) with ESMTP id 9326137B41E; Wed, 19 Sep 2001 01:33:49 -0700 (PDT)
Received: by elvis.mu.org (Postfix, from userid 1098) id 6CAE081D01; Wed, 19 Sep 2001 03:33:49 -0500 (CDT)
Date: Wed, 19 Sep 2001 03:33:49 -0500
From: Bill Fumerola
To: Anthony Schneider , "Marc G. Fournier"
Cc: freebsd-security@FreeBSD.ORG, freebsd-net@FreeBSD.ORG
Subject: Re: ipfw problems ...
Message-ID: <20010919033349.X826@elvis.mu.org>
References: <20010918134410.P87162-100000@atelier.acadiau.ca> <20010918230726.M30377-100000@mail1.hub.org> <20010919000534.A83486@mail.slc.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010919000534.A83486@mail.slc.edu>; from aschneid@mail.slc.edu on Wed, Sep 19, 2001 at 12:05:34AM -0400
X-Operating-System: FreeBSD 4.4-FEARSOME-20010909 i386

On Wed, Sep 19, 2001 at 12:05:34AM -0400, Anthony Schneider wrote:
> it might have something to do with the prerelease nature of the machine.
> -Anthony.

No it has nothing to do with -PRERELEASE. ipfw by any other name is ipfw.

> On Tue, Sep 18, 2001 at 11:14:50PM -0400, Marc G. Fournier wrote:
> >
> > I ended up re-starting the machine with fw set to open, and loaded a few
> > rules at a time ... got up to 747 rules before the machine pretty much
> > ground to a halt, with the occasional keystroke going through ...
> >
> > ~900 or so of the rules are purely 'pass thru' rules ... we have two
> > connections to the internet ... one that costs us nothing, and one that
> > costs us quite dearly ... we want to allow all traffic that goes to sites
> > on the 'costs us nothing' network to go through unimpeded, while that
> > which goes through the 'costs us quite dearly' to be 'shaped' ... the ~900
> > rules are the ones that define those b-class networks that are on the
> > 'costs us nothing' network ...
> >
> > I'm not seeing any errors on the console to indicate a problem, it just
> > slowly grinds to a halt ...
> > is there a setting in the kernel, or
> > somewhere, that I should be setting to allow for such a high number of
> > rules, or is it just not possible to do more than a few hundred? :(

as others have noted, if your critical path (that is, the path that the bulk
of your traffic takes) is 700 rules, your technique is flawed. I've also seen
various suggestions (skipto, mostly) on how to shorten your ruleset list
walking...

in any case, to answer your question of what happens as more rules are added:

http://people.freebsd.org/~billf/bsdcon2000/presentation/graphics/

has a few of the graphics I used in my presentation to show what happens to
ipfw as you add more rules in the critical path. different types of rules
are affected differently (and can be optimized differently, but that's a
whole different story) but they all show the same curve of poorer
performance. 'old {TCP,UDP}' is an ipfw similar to what 4.4-PRERELEASE would
have.

--
- bill fumerola / fumerola@yahoo-inc.com / billf@FreeBSD.org / billf@mu.org

From owner-freebsd-net Wed Sep 19 01:35:19 2001
Delivered-To: freebsd-net@freebsd.org
Received: from web14608.mail.yahoo.com (web14608.mail.yahoo.com [216.136.224.88]) by hub.freebsd.org (Postfix) with SMTP id 3DEEE37B412 for ; Wed, 19 Sep 2001 01:35:15 -0700 (PDT)
Message-ID: <20010919083515.69302.qmail@web14608.mail.yahoo.com>
Received: from [66.156.8.163] by web14608.mail.yahoo.com via HTTP; Wed, 19 Sep 2001 01:35:15 PDT
Date: Wed, 19 Sep 2001 01:35:15 -0700 (PDT)
From: Jerry Murdock
Subject: Re: IPSEC Tunnels vs Dynamic IPs
To: freebsd-net@FreeBSD.ORG
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

Thanks, I know from an IPSEC perspective it is do-able. I've done it with
several other products without problems. I'm hoping to get a FreeBSD specific
answer.

My real questions concern if and how gifconfig/gif and setkey/spdadd can
manage a dynamic endpoint (0.0.0.0?). And if I should look toward isakmpd or
racoon. From what I've read to-date if I want IKE, it would need to be via
isakmpd. But I can live without IKE.

If it's possible I'll solve it, but my hope is that someone who has done it
with FreeBSD will at least come along and say yea or nay before I tear down my
test systems to knock it around.

JM

--- Jean-Francois Dive wrote:
>
> Hi,
>
> The simple answer is no, but in fact it is possible, following the IPSec
> implementation. I am sorry but I am new to FreeBSD but am pretty used to
> IPSec with Cisco and other stuffs.
>
> So, what you need is to use wildcard network peer definitions (still I
> don't know the FreeBSD IPSec implementation nor the way to configure it).
> This will allow the remote Peer (dyn) to be allowed to start the IKE nego.
>
> The security point is that you can't avoid other people trying to connect
> to IKE, but this is the way all remote client VPN gateways are configured,
> so I don't think it is a big issue.
>
> Another point to pay attention to is to *not* NAT the traffic that is
> encrypted, because you'll then hit a "proxy identities mismatch" error for
> IKE negotiation.
>
> Hope that helps,
>
> JeF
>
> On Tue, 18 Sep 2001, Jerry Murdock wrote:
>
> > Can an IPSEC tunnel be established between two LANs when one side is using
> > PPPoE/DSL with dynamic IP using either manual keys or IKE?
> >
> > IOW:
> >
> >         LAN 1 (10.2.2.0/24)
> >                |
> >      FreeBSD Gateway (T1/Static IP)
> >                |
> >                |
> >       IPSEC Tunnel over Internet
> >                |
> >                |
> >   FreeBSD Gateway (PPPoE/Dynamic IP)
> >                |
> >         LAN 2 (10.1.1.0/24)
> >
> >
> > I've looked at several resources and can't find anything on this, and would
> > like a little advice before digging deeper.
> >
> > A simple "yes," "no," or "ARE YOU NUTS!?" would be adequate, but any
> > pointers on a "yes" answer would be great.
> >
> > Thanks,
> > Jerry

From owner-freebsd-net Wed Sep 19 04:33:46 2001
Delivered-To: freebsd-net@freebsd.org
Received: from mail10.bigmailbox.com (mail10.bigmailbox.com [209.132.220.41]) by hub.freebsd.org (Postfix) with ESMTP id 10EB337B40A for ; Wed, 19 Sep 2001 04:33:43 -0700 (PDT)
Received: by mail10.bigmailbox.com (8.8.7/8.8.7) id EAA20223; Wed, 19 Sep 2001 04:33:39 -0700
Date: Wed, 19 Sep 2001 04:33:39 -0700
Message-Id: <200109191133.EAA20223@mail10.bigmailbox.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
X-Mailer: MIME-tools 4.104 (Entity 4.116)
Mime-Version: 1.0
X-Originating-Ip: [200.229.133.210]
From: "irado@nettaxi.com"
To: freebsd-net@freebsd.org, jerry_murdock@yahoo.com
Subject: RE: IPSEC Tunnels vs Dynamoic IPs

maybe not so specific, but as you asked for any kind of info: freeswan (look at freshmeat) can clarify something, besides it is linux-based. Also you can ask http://groups.google.com, with something like [freebsd ipsec mobile], where you can tighten your search by replacing mobile with some other word. Ah, no brackets in the search box.

>Date: Tue, 18 Sep 2001 23:09:18 -0700 (PDT)
>Can an IPSEC tunnel be established between two LANs when one side is using
>PPPoE/DSL with dynamic IP using either manual keys or IKE?
>
>IOW:

greetings,
irado furioso com tudo
linux user 179402

Padre Marcelo Rossi (a.k.a. O Mala, TeViNaTV) is a new fly on the same old sh*t as always.

please click here: http://www.thehungersite.com
and here too: http://cf6.uol.com.br/umminuto/

------------------------------------------------------------
Nettaxi would like to ask for your help in donations to the RED CROSS today! http://www.nyredcross.org/donate/

From owner-freebsd-net Wed Sep 19 5: 6: 9 2001
Delivered-To: freebsd-net@freebsd.org
Received: from mail1.hub.org (webmail.hub.org [216.126.85.1]) by hub.freebsd.org (Postfix) with ESMTP id BA8E837B419; Wed, 19 Sep 2001 05:06:03 -0700 (PDT)
Received: from localhost (scrappy@localhost) by mail1.hub.org (8.11.3/8.11.4) with ESMTP id f8JC5aE62218; Wed, 19 Sep 2001 08:05:36 -0400 (EDT) (envelope-from scrappy@hub.org)
Date: Wed, 19 Sep 2001 08:05:36 -0400 (EDT)
From: "Marc G. Fournier"
To: Krzysztof Zaraska
Cc: ,
Subject: Re: ipfw problems ...
In-Reply-To:
Message-ID: <20010919075409.G30377-100000@mail1.hub.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Wed, 19 Sep 2001, Krzysztof Zaraska wrote:

> First, is there any specific reason for allowing only specific 900 subnets
> instead of the whole 'cost nothing' network? How big is this network? How
> would this increase the risk?

CA*Net3 vs "commercial net" traffic ...

> Second, with that number of networks, it is probable that at least some of
> them have the same prefix; for example
> 10.10.0.0/16
> 10.11.0.0/16
> can be matched with 10.10.0.0/15. This may bring down the number of rules.
> Continuing from the previous point, if all class B networks are on the same
> network block (having, say, 1024 class B networks) you may allow the whole
> block and disallow only 124 subnets. That would bring the number of
> relevant rules down to 125.

Actually, I've already done that :( Some areas, I've been able to get her down to /12 ... so imagine the number of rules if I *hadn't* done that ...

> Third, take into account that since ipfw takes a 'first matching rule
> wins' approach, you will get a performance boost by moving more
> frequently used and more general rules "up" in the ruleset. For
> example, if you move the rule from position 700 to 200 the packet will be
> matched only against 200 rules instead of 700.

Thought about, but not possible ... unless I'm misunderstanding something ... these rules are the exceptions ... "if none of these b-class networks isn't matched, *then* shape the bandwidth for anything not in there" ... Is there some way of creating a 'group', similar to /etc/networks, where it's one rule with many addresses in it?
> Fourth, if you have any "keep-state" rules, each of them effectively
> generates new "dynamic" rules. In order to improve performance with
> TCP connections you may try to switch to the TCP flag-based approach
> (keywords "setup" and "established"). This will save you from
> additional growth of the ruleset, but may open you to the TCP ACK scan (I
> haven't verified it) which exposes inside network topology.

Not using any 'keep-state' rules ...

From owner-freebsd-net Wed Sep 19 7: 4:33 2001
Delivered-To: freebsd-net@freebsd.org
Received: from star.rila.bg (star.rila.bg [194.141.1.32]) by hub.freebsd.org (Postfix) with ESMTP id 3851037B416; Wed, 19 Sep 2001 07:04:27 -0700 (PDT)
Received: from star.rila.bg (vlady@localhost [127.0.0.1]) by star.rila.bg (8.11.4/8.11.4) with ESMTP id f8JE6cc12197; Wed, 19 Sep 2001 17:06:39 +0300 (EEST) (envelope-from vlady@star.rila.bg)
Message-Id: <200109191406.f8JE6cc12197@star.rila.bg>
X-Mailer: exmh version 2.4 05/15/2001 with nmh-1.0.3
To: freebsd-net@freebsd.org
Cc: freebsd-hackers@freebsd.org
From: "Vladimir Terziev"
Subject: Problem with IPFW and NATD (refined) !!!
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 19 Sep 2001 17:06:38 +0300

Sorry, but there is a rule number mistake in my previous e-mail with the same subject.

I have a gateway machine which runs NATD (natd -unregistered_only -interface an0) and has the IP packet filter IPFW with the following rules:

ipfw add 100 allow ip from any to any via lo0

ipfw add 10002 skipto 20000 tcp from 192.168.15.2 to any 21
ipfw add 10003 skipto 20000 tcp from 192.168.15.2 to any 53,6667,6668
ipfw add 10004 skipto 20000 udp from 192.168.15.2 to any 53,4000

ipfw add 11000 deny ip from 192.168.15.0/24 to any

ipfw add 20000 divert natd ip from any to any via an0

ipfw add 30000 allow ip from PUBLIC_IP to any
ipfw add 30000 allow ip from any to PUBLIC_IP

ipfw add 40001 allow tcp from any 21 to 192.168.15.2 established
ipfw add 40002 allow tcp from any 53,6667,6668 to 192.168.15.2 established
ipfw add 40003 allow udp from any 53,4000 to 192.168.15.2

ipfw add 65000 deny ip from any to any

The gateway machine is FreeBSD 4.4-RC and has 2 interfaces (internal, and external - an0). I need only one of the machines in the local network to have connectivity to "the rest of the world".

I've read all the documentation about ipfw(8), divert(4) and natd(8). According to it the above rules should provide what I want, but they don't !!!

Does anybody have an idea why?
regards,
Vladimir

From owner-freebsd-net Wed Sep 19 7:10:57 2001
Delivered-To: freebsd-net@freebsd.org
Received: from star.rila.bg (star.rila.bg [194.141.1.32]) by hub.freebsd.org (Postfix) with ESMTP id 3FA4837B403 for ; Wed, 19 Sep 2001 07:10:52 -0700 (PDT)
Received: from star.rila.bg (vlady@localhost [127.0.0.1]) by star.rila.bg (8.11.4/8.11.4) with ESMTP id f8JED5c12298 for ; Wed, 19 Sep 2001 17:13:05 +0300 (EEST) (envelope-from vlady@star.rila.bg)
Message-Id: <200109191413.f8JED5c12298@star.rila.bg>
X-Mailer: exmh version 2.4 05/15/2001 with nmh-1.0.3
To: freebsd-net@freebsd.org
From: "Vladimir Terziev"
Subject: Problem with IPFW and NATD (refined) !!!
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 19 Sep 2001 17:13:05 +0300

Sorry, but there is a rule number mistake in my previous e-mail with the same subject.

I have a gateway machine which runs NATD (natd -unregistered_only -interface an0) and has the IP packet filter IPFW with the following rules:

ipfw add 100 allow ip from any to any via lo0

ipfw add 10002 skipto 20000 tcp from 192.168.15.2 to any 21
ipfw add 10003 skipto 20000 tcp from 192.168.15.2 to any 53,6667,6668
ipfw add 10004 skipto 20000 udp from 192.168.15.2 to any 53,4000

ipfw add 11000 deny ip from 192.168.15.0/24 to any

ipfw add 20000 divert natd ip from any to any via an0

ipfw add 31000 allow ip from PUBLIC_IP to any
ipfw add 32000 allow ip from any to PUBLIC_IP

ipfw add 40001 allow tcp from any 21 to 192.168.15.2 established
ipfw add 40002 allow tcp from any 53,6667,6668 to 192.168.15.2 established
ipfw add 40003 allow udp from any 53,4000 to 192.168.15.2

ipfw add 65000 deny ip from any to any

The gateway machine is FreeBSD 4.4-RC and has 2 interfaces (internal, and external - an0). I need only one of the machines in the local network to have connectivity to "the rest of the world".

I've read all the documentation about ipfw(8), divert(4) and natd(8). According to it the above rules should provide what I want, but they don't !!!

Does anybody have an idea why?
regards,
Vladimir

From owner-freebsd-net Wed Sep 19 7:24:18 2001
Delivered-To: freebsd-net@freebsd.org
Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65]) by hub.freebsd.org (Postfix) with ESMTP id CD65537B411; Wed, 19 Sep 2001 07:23:52 -0700 (PDT)
Received: (from ru@localhost) by whale.sunbay.crimea.ua (8.11.2/8.11.2) id f8JEMFA99360; Wed, 19 Sep 2001 17:22:15 +0300 (EEST) (envelope-from ru)
Date: Wed, 19 Sep 2001 17:22:15 +0300
From: Ruslan Ermilov
To: Vladimir Terziev
Cc: freebsd-net@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG
Subject: Re: Problem with IPFW and NATD (refined) !!!
Message-ID: <20010919172215.E66974@sunbay.com>
References: <200109191406.f8JE6cc12197@star.rila.bg>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200109191406.f8JE6cc12197@star.rila.bg>; from vladimirt@rila.bg on Wed, Sep 19, 2001 at 05:06:38PM +0300

[Please don't cross-post]

You did not tell us what exactly does not work. DNS should work, and FTP should not, as it requires a data channel on a separate port. If that's the case, you may run natd(8) with the -punch_fw option.

On Wed, Sep 19, 2001 at 05:06:38PM +0300, Vladimir Terziev wrote:
> Sorry, but there is a rule number mistake in my previous e-mail with the same
> subject.
>
> I have a gateway machine which runs NATD (natd -unregistered_only -interface
> an0) and have IP packet filter IPFW with the following rules:
>
>
> ipfw add 100 allow ip from any to any via lo0
>
> ipfw add 10002 skipto 20000 tcp from 192.168.15.2 to any 21
> ipfw add 10003 skipto 20000 tcp from 192.168.15.2 to any 53,6667,6668
> ipfw add 10004 skipto 20000 udp from 192.168.15.2 to any 53,4000
>
> ipfw add 11000 deny ip from 192.168.15.0/24 to any
>
> ipfw add 20000 divert natd ip from any to any via an0
>
> ipfw add 30000 allow ip from PUBLIC_IP to any
> ipfw add 30000 allow ip from any to PUBLIC_IP
>
> ipfw add 40001 allow tcp from any 21 to 192.168.15.2 established
> ipfw add 40002 allow tcp from any 53,6667,6668 to 192.168.15.2 established
> ipfw add 40003 allow udp from any 53,4000 to 192.168.15.2
>
> ipfw add 65000 deny ip from any to any
>
>
> The gateway machine is FreeBSD 4.4-RC and has 2 interfaces (internal, and
> external - an0). I need only one of machines in the local network to have
> connectivity to "the rest of the world".
>
> I've read all the documentation about ipfw(8), divert(4) and natd(8).
> Regarding to it the above rules should provide what I want, but they don't !!!
>
> Does anybody have an idea why?
>
> regards,
> Vladimir

--
Ruslan Ermilov          Oracle Developer/DBA, ru@sunbay.com
Sunbay Software AG,     ru@FreeBSD.org
FreeBSD committer,      +380.652.512.251
Simferopol, Ukraine
http://www.FreeBSD.org  The Power To Serve
http://www.oracle.com   Enabling The Information Age

From owner-freebsd-net Wed Sep 19 7:25:14 2001
Delivered-To: freebsd-net@freebsd.org
Received: from mail1.hub.org (webmail.hub.org [216.126.85.1]) by hub.freebsd.org (Postfix) with ESMTP id 92E2237B40F for ; Wed, 19 Sep 2001 07:25:10 -0700 (PDT)
Received: from localhost (scrappy@localhost) by mail1.hub.org (8.11.3/8.11.4) with ESMTP id f8JEPA916235 for ; Wed, 19 Sep 2001 10:25:10 -0400 (EDT) (envelope-from scrappy@hub.org)
Date: Wed, 19 Sep 2001 10:24:53 -0400 (EDT)
From: "Marc G. Fournier"
To:
Subject: ipfw: skipto changing value of where I want to skipto?
Message-ID: <20010919102406.U30377-100000@mail1.hub.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

psychopompus# ipfw add 00661 skipto 00708 ip from any to 136.0.0.0/5
00661 skipto 56 ip from any to 136.0.0.0/5

why is the 00708 changing to 56? :(

From owner-freebsd-net Wed Sep 19 9:28:49 2001
Delivered-To: freebsd-net@freebsd.org
Received: from amsfep13-int.chello.nl (amsfep13-int.chello.nl [213.46.243.23]) by hub.freebsd.org (Postfix) with ESMTP id 9642137B41A for ; Wed, 19 Sep 2001 09:28:43 -0700 (PDT)
Received: from mojojojo.chello.nl ([24.132.26.202]) by amsfep13-int.chello.nl (InterMail vM.5.01.03.06 201-253-122-118-106-20010523) with ESMTP id <20010919162531.OIPU18584.amsfep13-int.chello.nl@mojojojo.chello.nl>; Wed, 19 Sep 2001 18:25:31 +0200
Message-Id: <5.1.0.14.1.20010919182427.00a8a388@mail.chello.nl>
X-Sender: mcrosland@mail.chello.nl
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Wed, 19 Sep 2001 18:29:09 +0200
To: Mike Saunders
From: Mike Crosland
Subject: Re: kernel arp messages
Cc: freebsd-net@freebsd.org
In-Reply-To:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed

Hi

I recently had exactly this problem, and it turned out to be the way I'd connected the machine. It was cured when I connected the uplink cable directly to the outside interface instead of into the hub. Could this be a similar situation?

Best Regards
Mike

At 18:45 18/09/2001 -0500, you wrote:
>Hello!
> I'm hoping somebody can help me with this problem. I'm about at my
>wit's end. The problem is that I'm receiving the following messages
>constantly, at the console, in the syslog, and to root's terminal.
>
>Sep 18 15:01:54 router /kernel: arp: 209.74.92.1 is on xl0 but got reply from 00:00:a2:66:83:41 on ep0
>Sep 18 15:01:54 router last message repeated 4 times
>Sep 18 15:01:54 router /kernel: arp: 209.74.87.1 is on lo0 but got reply from 00:60:08:35:57:4e on xl0
>Sep 18 15:01:55 router last message repeated 2 times
>Sep 18 15:01:55 router /kernel: arp: 209.74.87.193 is on ep0 but got reply from 00:50:da:c7:e7:68 on xl0
>Sep 18 15:01:55 router /kernel: arp: 209.74.87.1 is on lo0 but got reply from 00:60:08:35:57:4e on xl0
>
>I'm running a 3.4-RELEASE i386 machine with two network cards. The
>machine acts as a router between my LAN and my provider's network. ep0 is
>the NIC connected to my LAN and xl0 is my provider's network.
>
>
> Here's my network configuration:
>
>bash# ifconfig ep0
>ep0: flags=8843 mtu 1500
>        inet 209.74.87.1 netmask 0xffffff00 broadcast 209.74.87.255
>        ether 00:60:08:35:57:4e
>bash# ifconfig xl0
>xl0: flags=8843 mtu 1500
>        inet 209.74.92.209 netmask 0xffffff00 broadcast 209.74.92.255
>        ether 00:50:da:c7:e3:1a
>        media: 10baseT/UTP
>
>my /etc/rc.conf looks like this:
>
>ifconfig_xl0="inet 209.74.92.209 netmask 255.255.255.0"
>ifconfig_ep0="inet 209.74.87.1 netmask 255.255.255.0"
>hostname="router.cland-minot.com"
>gateway_enable="YES"
>defaultrouter="209.74.92.1"
>
> I tried to enable arpproxy_all="YES" in /etc/rc.conf, but that's
>not helping, I still get spammed by all the arp messages. With the new
>IIS exploit causing such increased traffic flow, the arp messages are
>making the console useless by filling the screen as well as lagging the system
>horribly by churning the disk so much (it's only a Pentium 60). I can't
>even log into the machine via ssh. The only way to get a shell on it is
>to pull the network lines and use the console.
>
> So, in short, besides redirecting console and syslog to /dev/null,
>what can I do to make these arp messages go away?
>
>Thanks!
>
>-Mike Saunders
>method@method.cx
>
>Network Administrator - cland-minot.com
>msaunders@cland-minot.com

From owner-freebsd-net Wed Sep 19 9:39:15 2001
Delivered-To: freebsd-net@freebsd.org
Received: from boreas.isi.edu (boreas.isi.edu [128.9.160.161]) by hub.freebsd.org (Postfix) with ESMTP id 331B037B40B for ; Wed, 19 Sep 2001 09:39:10 -0700 (PDT)
Received: from hbo (hbo.isi.edu [128.9.160.75]) by boreas.isi.edu (8.11.6/8.11.2) with SMTP id f8JGd8C27356; Wed, 19 Sep 2001 09:39:08 -0700 (PDT)
From: "Lars Eggert"
To: "Jerry Murdock" ,
Subject: RE: IPSEC Tunnels vs Dynamoic IPs
Date: Wed, 19 Sep 2001 09:39:08 -0800
MIME-Version: 1.0
Message-ID:
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
Content-Type: multipart/signed; micalg=SHA1; protocol="application/x-pkcs7-signature"; boundary="----=_NextPart_000_0009_01C140EE.EE0EDC70"
In-reply-to: <20010919060918.63732.qmail@web14609.mail.yahoo.com>
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700

> Can an IPSEC tunnel be established between two LANs when one side is using
> PPPoE/DSL with dynamic IP using either manual keys or IKE?
...
> A simple "yes," "no," or "ARE YOU NUTS!?" would be adequate, but any
> pointers on a "yes" answer would be great.

Yes. :-)

It should definitely work with manual keying, the only problem is that you then need to manually rekey when the dynamic IP end changes address. Not sure if this is a problem for the timescales you're looking at.

Don't know if IKE supports this though, I have little experience with it, but I'd guess it does not (cannot, really). It may work if dynamic DNS names can be used with IKE. Anyone?
Lars

--
Lars Eggert                     Information Sciences Institute
http://www.isi.edu/larse/       University of Southern California

[S/MIME signature attachment smime.p7s not reproduced]

From owner-freebsd-net Wed Sep 19 10:37:59 2001
Delivered-To: freebsd-net@freebsd.org
Received: from fepB.post.tele.dk (fepB.post.tele.dk [195.41.46.145]) by hub.freebsd.org (Postfix) with ESMTP id BACF037B401 for ; Wed, 19 Sep 2001 10:37:55 -0700 (PDT)
Received: from arnold.neland.dk ([62.243.124.200]) by fepB.post.tele.dk (InterMail vM.4.01.03.21 201-229-121-121-20010307) with ESMTP id <20010919173754.FKDR25690.fepB.post.tele.dk@arnold.neland.dk>; Wed, 19 Sep 2001 19:37:54 +0200
Received: from localhost (localhost [127.0.0.1]) by arnold.neland.dk (8.11.5/8.11.5) with ESMTP id f8JHdDO34935; Wed, 19 Sep 2001 19:39:13 +0200 (CEST) (envelope-from leifn@neland.dk)
Date: Wed, 19 Sep 2001 19:39:13 +0200 (CEST)
From: Leif Neland
To: "Marc G. Fournier"
Cc:
Subject: Re: ipfw problems ...
In-Reply-To: <20010919075409.G30377-100000@mail1.hub.org>
Message-ID: <20010919190035.S34253-100000@arnold.neland.dk>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

> > Third, take into account that since ipfw takes a 'first matching rule
> > wins' approach, you will get a performance boost by moving more
> > frequently used and more general rules "up" in the ruleset. For
> > example, if you move the rule from position 700 to 200 the packet will be
> > matched only against 200 rules instead of 700.
>
> Thought about, but not possible ... unless I'm misunderstanding something
> ... these rules are the exceptions ... "if none of these b-class networks
> isn't matched, *then* shape the bandwidth for anything not in there" ...
>

Is the machine dying when *adding* the rules or when *using* the rules?

If your first rule is "ipfw add 100 skipto 32768 ip from any to 1/1" you will have divided your rules, so networks from 0.0.0.0 to 127.255.255.255 will be handled by half of the rules, and the rest by the other half. So instead of traversing 700 rules, an unmatched packet will only traverse 350.

Perhaps you could write a (perl?) script, which you feed a list of all the networks (B's?) and which generates the proper rules. You could post that as a challenge to your local group of nerds, if you can find them...

Also remember that the mask does not need to be "without holes", a mask of 255.127.255.0 is ok. But I guess you must either be a computer or autistic to be able to spot those masks...

Another idea: is the routing mechanism better at sorting by IP than ipfw? If so, you could route the expensive traffic to the shaper machine. On top of that: is the routing information available from your uplinks?
Perhaps you could get BGP or OSPF routing information, saving you the trouble of maintaining the table.

Also, what happens if you send "expensive" packets to the free uplink? Could that be used to have two default gateways with different metrics? Or can this only shift the entire stream between the two gateways?

Or you could patch ipfw to be able to use a hash-db :-)

Leif

From owner-freebsd-net Wed Sep 19 11: 3:10 2001
Delivered-To: freebsd-net@freebsd.org
Received: from info.iet.unipi.it (info.iet.unipi.it [131.114.9.184]) by hub.freebsd.org (Postfix) with ESMTP id B992337B407 for ; Wed, 19 Sep 2001 11:03:01 -0700 (PDT)
Received: (from luigi@localhost) by info.iet.unipi.it (8.9.3/8.9.3) id TAA48602; Wed, 19 Sep 2001 19:53:45 +0200 (CEST) (envelope-from luigi)
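The list-to-rules script Leif suggests, worked through as an added example in C; this is not ipfw's code and not anything Marc, Krzysztof or Leif posted. It folds adjacent prefixes into supernets the way Krzysztof describes (10.10.0.0/16 and 10.11.0.0/16 become 10.10.0.0/15) and then lays out the exceptions with Leif's skipto split, so a packet walks only the half of the list its destination can fall in. Assumptions of mine: the exceptions are plain allow rules, everything else goes to dummynet pipe 1, numbering starts at 200, the split is on 128.0.0.0/1 (the same halves as Leif's 1/1), and the prefix list in sample_ruleset is constructed, not Marc's. The names aggregate, build_ruleset, render and sample_rule_text are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { uint32_t addr; int len; } prefix_t;   /* CIDR prefix, host byte order; len 0 = any */
typedef struct { int num; const char *action; int arg; prefix_t dst; } rule_t;

static uint32_t netmask(int len) { return len ? 0xFFFFFFFFu << (32 - len) : 0u; }
static int in_prefix(uint32_t a, prefix_t p) { return (a & netmask(p.len)) == p.addr; }

static int cmp_prefix(const void *x, const void *y)   /* by address, wider prefix first */
{
    const prefix_t *a = x, *b = y;
    return a->addr != b->addr ? (a->addr < b->addr ? -1 : 1) : a->len - b->len;
}

/* Collapse in place: drop prefixes covered by a wider one, fold aligned sibling
 * pairs (10.10.0.0/16 + 10.11.0.0/16 -> 10.10.0.0/15), repeat until stable. */
int aggregate(prefix_t *p, int n)
{
    int changed = 1, i, w;
    while (changed) {
        changed = 0;
        qsort(p, n, sizeof *p, cmp_prefix);
        for (w = 0, i = 0; i < n; i++)
            if (w == 0 || !in_prefix(p[i].addr, p[w - 1])) p[w++] = p[i];
        for (n = w, w = 0, i = 0; i < n; i++)
            if (w && p[i].len && p[w - 1].len == p[i].len &&
                (p[w - 1].addr ^ p[i].addr) == (1u << (32 - p[i].len)) &&
                (p[w - 1].addr & netmask(p[i].len - 1)) == p[w - 1].addr) {
                p[w - 1].len--;
                changed = 1;
            } else
                p[w++] = p[i];
        n = w;
    }
    return n;
}

static void add_rule(rule_t *out, int *k, int first, const char *act, int arg, prefix_t dst)
{
    rule_t r = { first + *k, act, arg, dst };
    out[(*k)++] = r;
}

/* Layout: skipto over the lower-half exceptions when dst >= 128.0.0.0, so a
 * packet walks only the half it can match; the exceptions as allow rules; a
 * skipto past the upper-half list; then the pipe that shapes everything else.
 * out needs n + 3 slots; returns the rule count. */
int build_ruleset(prefix_t *nets, int n, int first, int pipe, rule_t *out)
{
    prefix_t upper = { 0x80000000u, 1 }, any = { 0, 0 };
    int i, lo = 0, k = 0, upper_start, shape;
    n = aggregate(nets, n);                            /* sorted: lower-half prefixes first */
    while (lo < n && !in_prefix(nets[lo].addr, upper)) lo++;
    upper_start = first + lo + 2;
    shape = upper_start + n - lo;
    add_rule(out, &k, first, "skipto", upper_start, upper);
    for (i = 0; i < lo; i++) add_rule(out, &k, first, "allow", 0, nets[i]);
    add_rule(out, &k, first, "skipto", shape, any);
    for (i = lo; i < n; i++) add_rule(out, &k, first, "allow", 0, nets[i]);
    add_rule(out, &k, first, "pipe", pipe, any);
    return k;
}

/* ipfw(8) command text (static buffer). Rule numbers carry no leading zeros:
 * ipfw parses them with base 0, where a leading 0 selects octal. */
const char *render(const rule_t *r)
{
    static char buf[96];
    char dst[24] = "any";
    uint32_t a = r->dst.addr;
    if (r->dst.len)
        snprintf(dst, sizeof dst, "%u.%u.%u.%u/%d", a >> 24, (a >> 16) & 255, (a >> 8) & 255, a & 255, r->dst.len);
    if (r->arg)
        snprintf(buf, sizeof buf, "ipfw add %d %s %d ip from any to %s", r->num, r->action, r->arg, dst);
    else
        snprintf(buf, sizeof buf, "ipfw add %d %s ip from any to %s", r->num, r->action, dst);
    return buf;
}

/* Constructed sample, not Marc's list: two sibling pairs, one covered prefix, one lone /16. */
static int sample_ruleset(rule_t *out)                 /* out needs 9 slots */
{
    prefix_t nets[6] = { { 0x0A0A0000u, 16 }, { 0x0A0B0000u, 16 }, { 0x0A0A8000u, 17 },   /* 10.10/16 10.11/16 10.10.128/17 */
                         { 0x88000000u, 16 }, { 0x88010000u, 16 }, { 0xC8010000u, 16 } }; /* 136.0/16 136.1/16 200.1/16 */
    return build_ruleset(nets, 6, 200, 1, out);
}

const char *sample_rule_text(int idx)                 /* NULL past the last rule */
{
    rule_t r[9];
    return idx < sample_ruleset(r) ? render(&r[idx]) : NULL;
}

int main(void)
{
    int i;
    for (i = 0; sample_rule_text(i); i++) puts(sample_rule_text(i));
    return 0;
}
```

Compile with cc and run: the six constructed prefixes come out as six commands (the /17 is swallowed by its /16, each sibling pair becomes one /15), which can be fed to sh as root on the shaper box. Every rule number is plain decimal, so nothing ever starts with a 0 that ipfw would read as octal.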
From: Luigi Rizzo
Message-Id: <200109191753.TAA48602@info.iet.unipi.it>
Subject: Re: ipfw: skipto changing value of where I want to skipto?
In-Reply-To: <20010919102406.U30377-100000@mail1.hub.org> from "Marc G. Fournier" at "Sep 19, 2001 10:24:53 am"
To: "Marc G. Fournier"
Date: Wed, 19 Sep 2001 19:53:45 +0200 (CEST)
Cc: freebsd-net@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL61 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

>
> psychopompus# ipfw add 00661 skipto 00708 ip from any to 136.0.0.0/5
> 00661 skipto 56 ip from any to 136.0.0.0/5
>
> why is the 00708 changing to 56? :(

because the leading 0's force strtol to believe that the number is octal, then the trailing 8 is considered illegal in that base so the number is read as 0070 (octal) which is 56 decimal.

cheers
luigi

From owner-freebsd-net Wed Sep 19 11: 3:43 2001
Delivered-To: freebsd-net@freebsd.org
Received: from boromir.vpop.net (dns1.vpop.net [206.117.147.2]) by hub.freebsd.org (Postfix) with ESMTP id 86CA537B413 for ; Wed, 19 Sep 2001 11:03:40 -0700 (PDT)
Received: from localhost (ring.vpop.net [206.117.147.5]) by boromir.vpop.net (8.11.4/8.11.4) with ESMTP id f8JI3cC39699; Wed, 19 Sep 2001 11:03:38 -0700 (PDT) (envelope-from joe@vpop.net)
Date: Wed, 19 Sep 2001 11:01:33 -0700
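Luigi's explanation, shown in code as an added example; this is not ipfw's own parser. parse_base0 does what a base-0 strtol does with the input Marc posted, base0_consumed_all shows that the stray "8" is left over without any error, and parse_rule_number is a strict base-10 parser I wrote for comparison; the 1..65535 range it enforces is the rule-number range documented in ipfw(8), not something taken from the thread.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* What a base-0 strtol makes of a string. With base 0 a leading '0' selects
 * octal, so "00708" is consumed only up to the '8' (not an octal digit):
 * 0070 octal == 56, and the "8" is silently left unparsed. */
long parse_base0(const char *s)
{
    return strtol(s, NULL, 0);
}

/* Did a base-0 strtol consume the whole string? False for "00708". */
int base0_consumed_all(const char *s)
{
    char *end;
    strtol(s, &end, 0);
    return *s != '\0' && *end == '\0';
}

/* Strict decimal parse of a rule number: base 10 (so leading zeros are
 * harmless), and reject empty input, trailing garbage, overflow and values
 * outside 1..65535, the range ipfw(8) documents for rule numbers (an
 * assumption taken from the manual page, not from ipfw's code).
 * Returns the number or -1. */
long parse_rule_number(const char *s)
{
    char *end;
    long v;

    if (s == NULL || *s == '\0')
        return -1;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno == ERANGE || *end != '\0' || v < 1 || v > 65535)
        return -1;
    return v;
}

int main(void)
{
    const char *inputs[] = { "00708", "0708", "708", "0x1A", "661x", "70000" };
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-6s base0=%-6ld consumed_all=%d strict=%ld\n", inputs[i],
               parse_base0(inputs[i]), base0_consumed_all(inputs[i]),
               parse_rule_number(inputs[i]));
    return 0;
}
```

The strict parser still accepts leading whitespace and a sign, because strtol does; if that matters for your input, check the first character before calling it.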
From: Joseph McDonald
X-Mailer: The Bat! (v1.53bis) Business
Reply-To: Joseph McDonald
Organization: VPOP Technologies Inc.
X-Priority: 3 (Normal)
Message-ID: <141-2133282484.20010919110133@vpop.net>
To: freebsd-net@freebsd.org
Cc: mreimer@vpop.net
Subject: fast ip filter
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi,

Is there a utility that will allow me to inject an IP#/port# into a hash (or similar structure) table that the kernel can consult to determine if it should drop an incoming connection? I am trying to stop the new worm that is out there. I have about 8000 and growing hosts that I need to block. I have tried ipfw but it *really* slows down the machine. For now I am just adding a route to 127.0.0.1 for the bad IP#'s, but what I really want is to just block them for port 80, not blackhole them for all services.

thanks,
-joe

From owner-freebsd-net Wed Sep 19 11: 6:11 2001
Delivered-To: freebsd-net@freebsd.org
Received: from renown.cnchost.com (renown.concentric.net [207.155.248.7]) by hub.freebsd.org (Postfix) with ESMTP id 521BC37B408 for ; Wed, 19 Sep 2001 11:06:08 -0700 (PDT)
Received: from bitblocks.com (adsl-209-204-185-216.sonic.net [209.204.185.216]) by renown.cnchost.com id OAA10027; Wed, 19 Sep 2001 14:05:59 -0400 (EDT) [ConcentricHost SMTP Relay 1.14]
Message-ID: <200109191805.OAA10027@renown.cnchost.com>
To: Garrett Wollman
Cc: "Matthew Luckie" , net@FreeBSD.ORG
Subject: Re: arp X moved from Y to Z messages
In-reply-to: Your message of "Tue, 18 Sep 2001 10:56:55 EDT." <200109181456.f8IEutZ50461@khavrinen.lcs.mit.edu>
Date: Wed, 19 Sep 2001 11:05:53 -0700
From: Bakul Shah

> > The gateway's IP address actually refers to two different machines.
> > Naturally the gateway is used quite a bit, and the syslog fills up with "arp
> > X moved from Y to Z on fxp0" messages.
>
> That's really not the right way to do it, and probably doesn't balance
> the load as well as you might think it would. The right way to do it
> is to advertise a single *multicast* MAC address, allocated out of the
> local MAC space (i.e., first two bits 11), and have both routers join
> the group; then both will get all the packets and can decide which
> ones to forward. This gives you automatic fail-over trivially.

That is not valid according to the router requirements RFC (RFC 1812), section 5.3.4:

   A router MUST NOT forward any packet which the router received as a
   Link Layer multicast unless the packet's destination address is an IP
   multicast address.

   A router SHOULD silently discard a packet that is received via a Link
   Layer broadcast but does not specify an IP multicast or IP broadcast
   destination address.

   When a router sends a packet as a Link Layer broadcast, the IP
   destination address MUST be a legal IP broadcast or IP multicast
   address.

What Luckie does is clever but removing syslog messages seems like asking for trouble -- if two machines get the same IP address due to a mistake, tracking that down will be a bit more difficult. Redundancy should be handled by running the router discovery algorithm (e.g. routed) on each host and RIP or OSPF on the routers. Generally people use load balancing *between* routers and use a hefty enough router to handle all your local traffic on one net.
From owner-freebsd-net Wed Sep 19 12: 7:42 2001
Delivered-To: freebsd-net@freebsd.org
Received: from elvis.mu.org (elvis.mu.org [216.33.66.196]) by hub.freebsd.org (Postfix) with ESMTP id 5E1BF37B40A for ; Wed, 19 Sep 2001 12:07:40 -0700 (PDT)
Received: by elvis.mu.org (Postfix, from userid 1098) id 0C87181D06; Wed, 19 Sep 2001 14:07:35 -0500 (CDT)
Date: Wed, 19 Sep 2001 14:07:35 -0500
From: Bill Fumerola
To: Leif Neland
Cc: "Marc G. Fournier" , freebsd-net@freebsd.org
Subject: Re: ipfw problems ...
Message-ID: <20010919140735.Y826@elvis.mu.org>
References: <20010919075409.G30377-100000@mail1.hub.org> <20010919190035.S34253-100000@arnold.neland.dk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010919190035.S34253-100000@arnold.neland.dk>; from leifn@neland.dk on Wed, Sep 19, 2001 at 07:39:13PM +0200
X-Operating-System: FreeBSD 4.4-FEARSOME-20010909 i386

On Wed, Sep 19, 2001 at 07:39:13PM +0200, Leif Neland wrote:

> Or you could patch ipfw to be able to use a hash-db :-)

skipto caches the pointer of the rule it's skipping to the first time it uses that rule. not going to get a better hash hit than that...

--
- bill fumerola / fumerola@yahoo-inc.com / billf@FreeBSD.org / billf@mu.org

From owner-freebsd-net Wed Sep 19 12:34:41 2001
Delivered-To: freebsd-net@freebsd.org
Received: from relay.wplus.net (relay.wplus.net [195.131.52.179]) by hub.freebsd.org (Postfix) with ESMTP id D61D237B41C for ; Wed, 19 Sep 2001 12:34:37 -0700 (PDT)
Received: from relay1.wplus.net (smtp.wplus.net [195.131.52.143]) by relay.wplus.net (8.9.1/8.9.1/wplus.2) with ESMTP id XAA84738 for ; Wed, 19 Sep 2001 23:34:36 +0400 (MSD)
X-Real-To:
Received: from wplus.net (ip86-31.dialup.wplus.net [195.131.86.31]) by relay1.wplus.net (8.9.1/8.9.1/wplus.2) with ESMTP id XAA02103 for ; Wed, 19 Sep 2001 23:34:35 +0400 (MSD)
Message-ID: <3BA8F37E.4B2EB92F@wplus.net>
Date: Wed, 19 Sep 2001 23:35:26 +0400
From: Dmitry Samersoff
Organization: We Are
To: freebsd-net@FreeBSD.ORG
Subject: Win32 to FreeBSD VPN

Does anybody have a working VPN between a Win32 client and a FreeBSD server
(PPTP or IPSec)? If yes, which software do you use?

Could someone point me to really working free or commercial software to
solve this problem?

Thank you.

--
Dmitry Samersoff
dms@wplus.net, http://devnull.wplus.net
ICQ: 3161705

From owner-freebsd-net Wed Sep 19 12:37:45 2001
Date: Wed, 19 Sep 2001 15:37:40 -0400
From: Joe Abley
To: freebsd-net@freebsd.org
Subject: ipv6/gif/cisco syslog noise
Message-ID: <20010919153739.K85635@buffoon.automagic.org>

Hi,

I have a cosmetic difficulty in a v6-in-v4 tunnel set up between a
4.3-RELEASE box and a cisco router. The tunnel is configured like this:

  buffoon# ifconfig gif0
  gif0: flags=8011 mtu 1280
          inet6 fe80::2d0:b7ff:fe79:a0a7%gif0 --> :: prefixlen 64 scopeid 0x4
          inet6 2001:438:1fff:ffff:8::32 --> 2001:438:1fff:ffff:8::31 prefixlen 126

  v6-core6.iad1#sh run int tun7
  Building configuration...

  Current configuration : 252 bytes
  !
  interface Tunnel7
   description v6-in-v4 tunnel to buffoon-gif0.automagic.org
   bandwidth 10000
   no ip address
   ipv6 enable
   ipv6 address 2001:438:1FFF:FFFF:8::31/126
   tunnel source Loopback0
   tunnel destination 208.185.30.208
   tunnel mode ipv6ip
  end

Functionally, everything is working marvelously. However, the kernel is
spitting out screeds of these:

  nd6_lookup: failed to add route for a neighbor(2001:0438:1fff:ffff:0008::0031), errno=17

Lots and lots of them :)

  Sep 10 11:14:02 buffoon /kernel: nd6_lookup: failed to add route for a neighbor(2001:0438:1fff:ffff:0008::0031), errno=17
  Sep 10 11:14:02 buffoon last message repeated 14 times
  Sep 10 11:16:02 buffoon last message repeated 116 times
  Sep 10 11:23:03 buffoon last message repeated 73 times
  Sep 10 11:35:33 buffoon last message repeated 109 times
  Sep 10 11:46:03 buffoon last message repeated 344 times
  Sep 10 11:56:03 buffoon last message repeated 1302 times
  Sep 10 11:57:55 buffoon last message repeated 113 times

I can ping ....:31 just fine from buffoon. It seems like I either need to
turn something off on the FreeBSD box, or on on the cisco.
I don't know anything much about icmp6 neighbour discovery, though, so
I'm not sure exactly what. Does anybody happen to know a good way of
suppressing these log messages?

I'd appreciate a cc on reply, since I'm not subscribed to -net.

Joe

From owner-freebsd-net Wed Sep 19 12:51:09 2001
From: Luigi Rizzo
Message-Id: <200109191941.VAA49173@info.iet.unipi.it>
Subject: Re: ipfw problems ...
In-Reply-To: <20010919140735.Y826@elvis.mu.org> from Bill Fumerola at "Sep 19, 2001 02:07:35 pm"
To: Bill Fumerola
Date: Wed, 19 Sep 2001 21:41:41 +0200 (CEST)
Cc: Leif Neland, "Marc G. Fournier", freebsd-net@FreeBSD.ORG

> On Wed, Sep 19, 2001 at 07:39:13PM +0200, Leif Neland wrote:
>
> > Or you could patch ipfw to be able to use a hash-db :-)
>
> skipto caches the pointer of the rule its skipping to the first time
> it uses that rule. not going to get a better hash hit then that...

not enough. The original message was asking for a rule of the form

    $addr in $set ...

where $set is a potentially large set of addresses (or ports as well),
which, when "compiled", creates a hash table where one can do the search
in O(1) time.

With the current syntax we still have to explode the set with individual
rules (naive approach) or something resembling a trie (using skipto rules).

cheers
luigi

----------------------------------+-----------------------------------------
 Luigi RIZZO, luigi@iet.unipi.it  .  ACIRI/ICSI (on leave from Univ. di Pisa)
 http://www.iet.unipi.it/~luigi/  .  1947 Center St, Berkeley CA 94704
 Phone (510) 666 2927             .
----------------------------------+-----------------------------------------

From owner-freebsd-net Wed Sep 19 12:59:27 2001
From: "Peter Blok"
To: "'Dmitry Samersoff'"
Subject: RE: Win32 to FreeBSD VPN
Date: Wed, 19 Sep 2001 21:54:29 +0200
Message-ID: <000001c14144$e5d0ea20$8a02a8c0@ntpc>
In-Reply-To: <3BA8F37E.4B2EB92F@wplus.net>

Dmitry,

I have W2K working with ipsec on FreeBSD. On FreeBSD racoon is doing the
ISAKMP, out of the ports directory. On win2k the standard ipsec stuff.

I also have PPTP running using netgraph on FreeBSD. There are plenty of
examples of how to set it up for PPTP. On windows 98 and W2k the standard
PPTP stuff works fine.

Regards,

Peter Blok

-----Original Message-----
From: owner-freebsd-net@FreeBSD.ORG [mailto:owner-freebsd-net@FreeBSD.ORG] On Behalf Of Dmitry Samersoff
Sent: Wednesday, September 19, 2001 21:35
To: freebsd-net@FreeBSD.ORG
Subject: Win32 to FreeBSD VPN

Does anybody have a working VPN between a Win32 client and a FreeBSD server
(PPTP or IPSec)? If yes, which software do you use?

Could someone point me to really working free or commercial software to
solve this problem?

Thank you.

--
Dmitry Samersoff
dms@wplus.net, http://devnull.wplus.net
ICQ: 3161705

From owner-freebsd-net Wed Sep 19 13:04:58 2001
Date: Thu, 20 Sep 2001 05:04:41 +0900 (JST)
Message-Id: <20010920.050441.28824742.ume@mahoroba.org>
To: jabley@automagic.org
Cc: freebsd-net@freebsd.org
Subject: Re: ipv6/gif/cisco syslog noise
From: Hajimu UMEMOTO
In-Reply-To: <20010919153739.K85635@buffoon.automagic.org>
References: <20010919153739.K85635@buffoon.automagic.org>

Hi,

>>>>> On Wed, 19 Sep 2001 15:37:40 -0400
>>>>> Joe Abley said:

jabley> I have a cosmetic difficulty in a v6-in-v4 tunnel set up between
jabley> a 4.3-RELEASE box and a cisco router.

jabley> The tunnel is configured like this:

jabley> buffoon# ifconfig gif0
jabley> gif0: flags=8011 mtu 1280
jabley>         inet6 fe80::2d0:b7ff:fe79:a0a7%gif0 --> :: prefixlen 64 scopeid 0x4
jabley>         inet6 2001:438:1fff:ffff:8::32 --> 2001:438:1fff:ffff:8::31 prefixlen 126

It should be /128.
--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
ume@mahoroba.org  ume@bisd.hitachi.co.jp  ume@{,jp.}FreeBSD.org
http://www.imasy.org/~ume/

From owner-freebsd-net Wed Sep 19 13:13:01 2001
Date: Wed, 19 Sep 2001 13:12:58 -0700
Message-Id: <200109192012.NAA27575@mail17.bigmailbox.com>
From: "irado@nettaxi.com"
To: freebsd-net@FreeBSD.ORG
Subject: which book

The complete FreeBSD (Walnut Creek) or the new FreeBSD Handbook, which one
is adequate to acquire as my first one, in your opinion??

regards,
irado furioso com tudo
linux user 179402

Padre Marcelo Rossi (a.k.a. O Mala, TeViNaTV) is a new fly on the same old
s**t as always.

please click here: http://www.thehungersite.com
and here too: http://cf6.uol.com.br/umminuto/

From owner-freebsd-net Wed Sep 19 13:44:23 2001
Date: Wed, 19 Sep 2001 16:44:18 -0400
From: Joe Abley
To: Hajimu UMEMOTO
Cc: freebsd-net@freebsd.org
Subject: Re: ipv6/gif/cisco syslog noise
Message-ID: <20010919164416.Q85635@buffoon.automagic.org>
In-Reply-To: <20010920.050441.28824742.ume@mahoroba.org>

On Thu, Sep 20, 2001 at 05:04:41AM +0900, Hajimu UMEMOTO wrote:
> jabley> The tunnel is configured like this:
>
> jabley> buffoon# ifconfig gif0
> jabley> gif0: flags=8011 mtu 1280
> jabley>         inet6 fe80::2d0:b7ff:fe79:a0a7%gif0 --> :: prefixlen 64 scopeid 0x4
> jabley>         inet6 2001:438:1fff:ffff:8::32 --> 2001:438:1fff:ffff:8::31 prefixlen 126
>
> It should be /128.

Problem solved. Thanks :)

From owner-freebsd-net Wed Sep 19 15:45:04 2001
From: Bjoern Fischer
Date: Thu, 20 Sep 2001 00:42:42 +0200
To: Jerry Murdock
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: IPSEC Tunnels vs Dynamoic IPs
Message-ID: <20010920004242.B352@broccoli.no-support.loc>
In-Reply-To: <20010919060918.63732.qmail@web14609.mail.yahoo.com>

On Tue, Sep 18, 2001 at 11:09:18PM -0700, Jerry Murdock wrote:
> Can an IPSEC tunnel be established between two LANs when one side is using
> PPPoE/DSL with dynamic IP using either manual keys or IKE?
[...]
> A simple "yes," "no," or "ARE YOU NUTS!?" would be adequate, but any
> pointers on a "yes" answer would be great.

This definitely works. You may have no luck w/ racoon, but the IKE from
OpenBSD *does* work w/ dynamic IP addresses at one end.
Björn Fischer

--
-----BEGIN GEEK CODE BLOCK-----
GCS d--(+) s++: a- C+++(-) UB++++OSI++++$ P+++(-) L---(++) !E W- N+ o>+ K- !w
!O !M !V PS++ PE- PGP++ t+++ !5 X++ tv- b+++ D++ G e+ h-- y+
------END GEEK CODE BLOCK------

From owner-freebsd-net Wed Sep 19 18:13:51 2001
Message-ID: <3BA90DAD.453BDFD4@elischer.org>
Date: Wed, 19 Sep 2001 14:27:09 -0700
From: Julian Elischer
To: Luigi Rizzo
Cc: Bill Fumerola, Leif Neland, "Marc G. Fournier", freebsd-net@FreeBSD.ORG
Subject: Re: ipfw problems ...
References: <200109191941.VAA49173@info.iet.unipi.it>

Luigi Rizzo wrote:
>
> > On Wed, Sep 19, 2001 at 07:39:13PM +0200, Leif Neland wrote:
> >
> > > Or you could patch ipfw to be able to use a hash-db :-)
> >
> > skipto caches the pointer of the rule its skipping to the first time
> > it uses that rule. not going to get a better hash hit then that...
>
> not enough. The original message was asking for a rule of the form
>
>     $addr in $set ...
>
> where $set is a potentially large set of addresses (or ports as well),
> which, when "compiled", creates a hash table where one can do the search
> on O(1) time.
>
> With the current syntax we still have to explode the set with individual
> rules (naive approach) or something resembling a trie (using skipto rules).

worst case for IPv4 is 32 rules... one per bit..

> cheers
> luigi

--
Julian Elischer <julian@elischer.org>, hard at work in a very strange country (USA)
presently in San Francisco

From owner-freebsd-net Wed Sep 19 20:04:00 2001
Date: Thu, 20 Sep 2001 11:03:57 +0800
From: Igor Podlesny
Organization: Morning Network
Message-ID: <9419970505.20010920110357@morning.ru>
To: "Marc G. Fournier"
Cc: freebsd-security@FreeBSD.ORG, freebsd-net@FreeBSD.ORG
Subject: Re[2]: ipfw problems ...
In-Reply-To: <20010918230726.M30377-100000@mail1.hub.org>

> I recently setup a box on our network, running FreeBSD 4.4-PRERELEASE,
> with ipfw and dummynet to do bandwidth shaping as well as firewalling ...
> The machine is a Dual PIII 733 w/1gig of RAM and 2xfxp0 devices ...

> I've got an /etc/fw.rules file that has ~1200 rules in it so far, and
> still have more that I want to put in, but today the machine locked up
> solid ...

> I ended up re-starting the machine with fw set to open, and loaded a few
> rules at a time ... got up to 747 rules before the machine pretty much
> ground to a halt, with the occasional keystroke going through ...

> ~900 or so of the rules are purely 'pass thru' rules ...

> we have two
> connections to the internet ...

May we know how exactly your system is connected? Two connections usually
mean two network interfaces and some specially set up routing policy,
therefore the shaping could be easily done using these circumstances. So
what is your situation?

> one that costs us nothing, and one that
> costs us quite dearly ... we want to allow all traffic that goes to sites
> on the 'costs us nothing' network to go through unimpeded, while that
> which goes through the 'costs us quite dearly' to be 'shaped' ... the ~900
> rules are the ones that define those b-class networks that are on the
> 'costs us nothing' network ...
> I'm not seeing any errors on the console to indicate a problem, it just
> slowly grinds to a halt ... is there a setting in the kernel, or
> somewhere, that I should be setting to allow for such a high number of
> rules, or is it just not possible to do more than a few hundred? :(

> Thanks

--
Igor
mailto:poige@morning.ru

From owner-freebsd-net Wed Sep 19 20:44:45 2001
From: Tony Saign
Subject: Nimda retaliation??
Date: Wed, 19 Sep 2001 20:44:38 -0700
Message-ID: <000001c14186$934c5180$fe01a8c0@tsaignmobl>

Has anyone used LaBrea successfully on a FreeBSD box? It sounds very cool;
basically it "traps" systems scanning your network (i.e. nimda or code red
infected).

-Tony

From owner-freebsd-net Thu Sep 20 01:49:44 2001
Date: Thu, 20 Sep 2001 10:51:22 +0200 (CEST)
From: Leif Neland
To: Bill Fumerola
Cc: "Marc G. Fournier"
Subject: Re: ipfw problems ...
In-Reply-To: <20010919140735.Y826@elvis.mu.org>
Message-ID: <20010920104834.E67036-100000@arnold.neland.dk>

On Wed, 19 Sep 2001, Bill Fumerola wrote:

> On Wed, Sep 19, 2001 at 07:39:13PM +0200, Leif Neland wrote:
>
> > Or you could patch ipfw to be able to use a hash-db :-)
>
> skipto caches the pointer of the rule its skipping to the first time
> it uses that rule. not going to get a better hash hit then that...
>

My idea is that you could have a rule like

    allow ip from any to hash cheapnets

Then cheapnets was created like a sendmail map, containing netnumbers.

Leif

From owner-freebsd-net Thu Sep 20 04:06:53 2001
Message-ID: <20010920110649.75508.qmail@web11203.mail.yahoo.com>
Date: Thu, 20 Sep 2001 04:06:49 -0700 (PDT)
From: deepika kakrania
Subject: IP multicasting...
To: freebsd-net@FreeBSD.ORG

Hi all,

I am studying FBSD 4.1 code for IP multicasting. I have a doubt here
regarding IGMP QUERY messages. The code seems to handle the case

1) when it gets the General QUERY from a Version 1 router (where igmp_code
   is 0). In this case it only needs to check whether the destination
   address of the Query is the all_hosts_group or not, and whether the
   igmp_group field is zero or not, for validity purposes.

2) when it gets the GROUP SPECIFIC query from a Version 2 router, i.e.

       if (igmp->igmp_group.s_addr != 0 &&
           !IN_MULTICAST(ntohl(igmp->igmp_group.s_addr)))
       .
       .

But where is the handling of the other case, where an IGMPv2 router sends
the GENERAL QUERY (igmp_group.s_addr = 0)? In this case igmp_code is
non-zero. In other words, where is the validity check for the general Query
message when it comes from an IGMPv2 router??

Can anyone tell me where it's done?

Thanks in advance.

Regards,
Deepika
From owner-freebsd-net Thu Sep 20 04:44:16 2001
Date: Thu, 20 Sep 2001 12:44:12 +0100 (BST)
Message-Id: <200109201144.MAA14911@rhymer.cogsci.ed.ac.uk>
From: Richard Tobin
Subject: DHCP and multiple interfaces
To: freebsd-net@FreeBSD.ORG

/etc/rc.network takes care to gather up all the DHCP interfaces to pass to
a single dhclient program. /etc/pccard_ether on the other hand expects to
run a separate dhclient for each interface, carefully storing their pids in
different files.

I have a laptop with a built-in interface and a wireless card. dhclient
runs for the built-in interface from /etc/rc.network, but when
/etc/pccard_ether tries to run it for the wireless card it gets "can't bind
to dhcp address: Address already in use".

I can see why this happens, but clearly /etc/pccard_ether expects to be
able to run multiple dhclients. How is this meant to work?

-- Richard

From owner-freebsd-net Thu Sep 20 05:27:12 2001
Date: Thu, 20 Sep 2001 08:26:56 -0400 (EDT)
From: "Marc G. Fournier"
To: Leif Neland
Subject: Re: ipfw problems ...
In-Reply-To: <20010919190035.S34253-100000@arnold.neland.dk>
Message-ID: <20010920081526.W30377-100000@mail1.hub.org>

Our network layout is such that our ipfw box is purely a pass-thru between
our router and our network provider's router:

  [our router] <--> [freebsd box running ipfw] <--> [network provider]
                                                        /          \
                                                  [CA*Net3]    [Commercial]

Our CA*Net3 link is something like 50Mb/s, while Commercial is only 12, so
we don't want to restrict the traffic to CA*Net3 ...

I spent all day yesterday going through the rules, and have it working with:

  psychopompus# ipfw show | grep skipto | wc -l
       248
  psychopompus# ipfw show | grep deny | wc -l
        31
  psychopompus# ipfw show | grep allow | wc -l
      1043
  psychopompus#

And it works ... so now instead of processing >1k rules, it works out to
be <100 or so ...

On Wed, 19 Sep 2001, Leif Neland wrote:

> > > Third, take into account that since ipfw takes 'first matching rule
> > > wins' approach, you will get performance boost by moving more
> > > frequently used and more general rules "up" in the ruleset. For
> > > example, if you move the rule from position 700 to 200 packet will be
> > > matched only against 200 rules instead of 700.
> >
> > Thought about, but not possible ... unless I'm mis-understanding something
> > ... these rules are the exceptions ... "if none of these b-class networks
> > isn't matched, *then* shape the bandwidth for anything not in there" ...
>
> Is the machine dying when *adding* the rules or when *using* the rules?
>
> If your first rule is "ipfw add 100 skipto 32768 ip from any to 1/1"
> you will have divided your rules, so networks from 0.0.0.0 to
> 127.255.255.255 will be handled by half of the rules, and the rest by the
> other half. So instead of traversing 700 rules, an unmatched packet will
> only traverse 350.
>
> Perhaps you could write a (perl?)script, which you feed a list of all the
> networks (B's?) and generates the proper rules.
>
> You could post that as a challenge to your local group of nerds, if you
> can find them...
>
> Also remember that the mask does not need to be "without holes", a mask of
> 255.127.255.0 is ok.
> But I guess you must either be a computer or autistic to be able to spot
> those masks...
>
> Another idea: is the routing mechanism better to sort by ip than ipfw?
> If so, you could route the expensive traffic to the shaper-machine.
>
> On top of that: is the routing information available from your uplinks?
> Perhaps you could get BGP or OSPF-routing information, saving you the
> trouble of maintaining the table.
>
> Also, what happens if you send "expensive" packets to the free uplink?
>
> Could that be used to having two default gateways with different metric?
> Or can this only shift the entire stream between the two gateways?
>
> Or you could patch ipfw to be able to use a hash-db :-)
>
> Leif

From owner-freebsd-net Thu Sep 20 05:56:30 2001
Message-ID: <20010920125626.3257.qmail@web11204.mail.yahoo.com>
Date: Thu, 20 Sep 2001 05:56:26 -0700 (PDT)
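The three rule-set shapes argued over in this ipfw thread (the naive one-allow-per-network list, Luigi's "$addr in $set" hash, the skipto trie that Julian bounds at 32 rules, "one per bit", and Leif's suggested "allow ip from any to hash cheapnets") can be compared directly. The script below is an added example, not code from the thread, from ipfw or from FreeBSD: it compiles a constructed list of "cheap" networks (documentation and private ranges standing in for the ~900 class-B networks Marc describes) into each shape and counts how many rules a packet touches. It generalizes Leif's quoted one-bit bisection ("skipto 32768 ip from any to 1/1") to a full bit trie. The rule numbering (100, step 10), the terminal "pipe 1" rule and the evaluator are assumptions made for the demo.

```python
"""Express 'allow if destination is in a set of networks' as ipfw-style rule
lists three ways and count the rules a packet touches under each.
Added example for the ipfw thread; not FreeBSD or ipfw code."""
import ipaddress

RULE_BASE, RULE_STEP = 100, 10                 # assumed numbering scheme
ANY = ipaddress.IPv4Network("0.0.0.0/0")

# Constructed sample set standing in for the ~900 "costs us nothing" nets.
CHEAP_NETS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "198.51.100.0/24", "203.0.113.0/24"]


def naive_rules(nets):
    """One 'allow' per network, then the shaping pipe: O(n) rules per packet."""
    rules = [("allow", None, ipaddress.IPv4Network(n)) for n in nets]
    rules.append(("pipe", None, ANY))
    return rules


def build_trie(nets):
    """Binary trie over destination bits; a node marked 'term' is a member."""
    root = {}
    for n in map(ipaddress.IPv4Network, nets):
        node, addr = root, int(n.network_address)
        for i in range(n.prefixlen):
            node = node.setdefault((addr >> (31 - i)) & 1, {})
        node["term"] = True
    return root


def trie_rules(nets):
    """Flatten the trie into skipto rules: the one-bit child is reached by a
    forward skipto, the zero-bit child by falling through, and whatever falls
    out of a subtree is sent to the final pipe rule.  A packet touches about
    one rule per prefix bit, however many networks are loaded."""
    rules, fixups, start, fail = [], [], {}, object()

    def emit(node, prefix, depth):
        start[id(node)] = len(rules)
        if node.get("term"):                   # member: allow and stop
            rules.append(("allow", None, ipaddress.IPv4Network((prefix, depth))))
            return
        one_prefix = prefix | (1 << (31 - depth))
        one_net = ipaddress.IPv4Network((one_prefix, depth + 1))
        # bit == 1: jump to the one-subtree (straight to the pipe if absent)
        fixups.append((len(rules), id(node[1]) if 1 in node else id(fail)))
        rules.append(("skipto", None, one_net))
        if 0 in node:                          # bit == 0: fall through
            emit(node[0], prefix, depth + 1)
        fixups.append((len(rules), id(fail)))  # fell out of the zero-subtree
        rules.append(("skipto", None, ANY))
        if 1 in node:
            emit(node[1], one_prefix, depth + 1)

    emit(build_trie(nets), 0, 0)
    start[id(fail)] = len(rules)
    rules.append(("pipe", None, ANY))
    for i, node_id in fixups:                  # resolve forward skipto targets
        rules[i] = ("skipto", start[node_id], rules[i][2])
    return rules


def render(rules):
    """ipfw-style text for a rule list."""
    out = []
    for i, (action, target, net) in enumerate(rules):
        dst = "any" if net == ANY else net.with_prefixlen
        if action == "skipto":
            action = f"skipto {RULE_BASE + RULE_STEP * target}"
        elif action == "pipe":
            action = "pipe 1"
        out.append(f"add {RULE_BASE + RULE_STEP * i} {action} ip from any to {dst}")
    return out


def evaluate(rules, dst):
    """First-match evaluation; returns (final action, rules examined)."""
    ip, i, examined = ipaddress.IPv4Address(dst), 0, 0
    while True:
        action, target, net = rules[i]
        examined += 1
        if ip in net:
            if action != "skipto":
                return action, examined
            i = target
        else:
            i += 1


def build_hash(nets):
    """Leif's 'hash cheapnets': one set of network numbers per prefix length."""
    table = {}
    for n in map(ipaddress.IPv4Network, nets):
        table.setdefault(n.prefixlen, set()).add(int(n.network_address))
    return table


def hash_lookup(table, dst):
    """One probe per distinct prefix length, longest first."""
    ip, probes = int(ipaddress.IPv4Address(dst)), 0
    for plen, members in sorted(table.items(), reverse=True):
        probes += 1
        mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
        if (ip & mask) in members:
            return "allow", probes
    return "pipe", probes
```

On the sample set, evaluate() shows the trade-off the thread is about: the naive list costs one rule per network plus the pipe (5 for 203.0.113.9, 6 for 8.8.8.8), the trie costs roughly one rule per prefix bit independent of the set size (25 and 9 here), and the hash costs one probe per distinct prefix length (1 and 4). With ~900 class-B networks the naive list grows to ~900 rules per packet while the trie stays under 20 and the hash at a single probe; render() prints the trie as ipfw "add N skipto M ip from any to a.b.c.d/len" lines.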
Date: Thu, 20 Sep 2001 05:56:26 -0700 (PDT)
From: deepika kakrania
To: freebsd-net@FreeBSD.ORG
Subject: IP multicasting...

Hi all,

I am studying FBSD 4.1 code for IP multicasting. I have a doubt here regarding IGMP QUERY messages. The code seems to handle the cases

1) when it gets the General QUERY from a Version 1 router (where igmp_code is 0). In this case it only needs to check whether the destination address of the Query is all_hosts_group or not, and whether the igmp_group field is zero or not, for validity purposes.

2) when it gets the GROUP SPECIFIC query from a Version 2 router, i.e.

    if (igmp->igmp_group.s_addr != 0 &&
        !IN_MULTICAST(ntohl(igmp->igmp_group.s_addr)))
        ...

But where is the handling of the other case, where an IGMPv2 router sends the GENERAL QUERY (igmp_group.s_addr = 0)? In this case igmp_code is non-zero. In other words, where is the validity check for the General Query message when it comes from an IGMPv2 router? Can anyone tell me where it's done?

Thanks in advance.

Regards,
Deepika
From: "Wilbert de Graaf"
To: "deepika kakrania"
Subject: Re: IP multicasting...
Date: Thu, 20 Sep 2001 08:21:21 -0700

Hello Deepika,

> But where is the handling of other case where a IGMPv2
> router sends the GENERAL QUERY(igmp_group.s_addr = 0).
> In this case igmp_code is non-zero. In other words,
> where is the validity check for general Query message
> when it comes from IGMPV2 router??
>
> Can anyone tell me where it's done?

It's this line:

    if (igmp->igmp_group.s_addr != 0 &&
        !IN_MULTICAST(ntohl(igmp->igmp_group.s_addr))) {
            ++igmpstat.igps_rcv_badqueries;
            m_freem(m);
            return;
    }

This test gets executed when it's a v2 query (mtu != 0). The test stops further processing if the group address is NOT "0.0.0.0" or NOT a valid multicast address.

Wilbert
Date: Thu, 20 Sep 2001 11:57:46 -0700 (PDT)
From: Julian Elischer
To: "Marc G. Fournier"
Cc: Leif Neland, freebsd-net@freebsd.org
Subject: Re: ipfw problems ...

cool..

Now that you've done it by hand, could you write a script to automate the tree creation? (then we could commit it..)

Actually, can you show me a sample? It seems to me that you should be able to get the number of filters processed on average to be much less than 100.

On Thu, 20 Sep 2001, Marc G. Fournier wrote:

> Our network layout is such that our ipfw box is purely a pass-thru between
> our router and our network providers router:
>
> [our router] <--> [freebsd box running ipfw] <--> [network provider]
>                                                       /          \
>                                                  [CA*Net3]   [Commercial]
>
> Our CA*Net3 link is something like 50Mb/s, while Commercial is only 12, so
> we don't want to restrict the traffic to CA*Net3 ...
>
> I spent all day yesterday going through the rules, and have it working
> with:
>
> psychopompus# ipfw show | grep skipto | wc -l
> 248
> psychopompus# ipfw show | grep deny | wc -l
> 31
> psychopompus# ipfw show | grep allow | wc -l
> 1043
> psychopompus#
>
> And it works ... so now instead of processing >1k rules, it works out to
> be <100 or so ...
>
> On Wed, 19 Sep 2001, Leif Neland wrote:
>
> > > > Third, take into account that since ipfw takes 'first matching rule
> > > > wins' approach, you will get performance boost by moving more
> > > > frequently used and more general rules "up" in the ruleset. For
> > > > example, if you move the rule from position 700 to 200 packet will be
> > > > matched only against 200 rules instead of 700.
> > >
> > > Thought about, but not possible ... unless I'm misunderstanding something
> > > ...
> > > these rules are the exceptions ... "if none of these b-class networks
> > > isn't matched, *then* shape the bandwidth for anything not in there" ...
> > >
> > Is the machine dying when *adding* the rules or when *using* the rules?
> >
> > If your first rule is "ipfw add 100 skipto 32768 ip from any to 1/1"
> > you will have divided your rules, so networks from 0.0.0.0 to
> > 127.255.255.255 will be handled by half of the rules, and the rest by the
> > other half. So instead of traversing 700 rules, an unmatched packet will
> > only traverse 350.
> >
> > Perhaps you could write a (perl?) script, which you feed a list of all the
> > networks (B's?) and generates the proper rules.
> >
> > You could post that as a challenge to your local group of nerds, if you
> > can find them...
> >
> > Also remember that the mask does not need to be "without holes", a mask of
> > 255.127.255.0 is ok.
> > But I guess you must either be a computer or autistic to be able to spot
> > those masks...
> >
> > Another idea: is the routing mechanism better to sort by ip than ipfw?
> > If so, you could route the expensive traffic to the shaper-machine.
> >
> > On top of that: is the routing information available from your uplinks?
> > Perhaps you could get BGP or OSPF-routing information, saving you the
> > trouble of maintaining the table.
> >
> > Also, what happens if you send "expensive" packets to the free uplink?
> >
> > Could that be used to having two default gateways with different metric?
> > Or can this only shift the entire stream between the two gateways?
> >
> > Or you could patch ipfw to be able to use a hash-db :-)
> >
> > Leif
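Leif's skipto bisection and Julian's request for a script that builds the tree, as an added example that is not code from the thread: it generates a binary skipto tree over a list of exception networks in ipfw(8) syntax and then simulates first-match evaluation to count how many rules a packet actually traverses. The network list, rule numbers and the final `pipe 1` rule standing in for the shaping rule are assumptions.

```python
import bisect
import ipaddress

FINAL_RULE = 60000          # catch-all shaping rule; "pipe 1" is a placeholder
ROOT = ipaddress.ip_network("0.0.0.0/0")

# Constructed list of "exception" networks (assumption, not the thread's table).
SAMPLE_NETWORKS = [f"10.{i}.0.0/16" for i in range(0, 256, 13)] + [
    "192.168.0.0/16", "172.16.0.0/12", "130.15.0.0/16",
]


def _plan(prefix, nets, leaf_max):
    """Recursively bisect PREFIX until each leaf holds at most LEAF_MAX nets.

    Returns ("leaf", nets) or ("split", here, p1, left, right); HERE holds nets
    no smaller than PREFIX itself, which cannot be pushed into either half.
    """
    if len(nets) <= leaf_max or prefix.prefixlen == 32:
        return ("leaf", list(nets))
    p0, p1 = prefix.subnets(prefixlen_diff=1)
    here = [n for n in nets if n.prefixlen <= prefix.prefixlen]
    deeper = [n for n in nets if n.prefixlen > prefix.prefixlen]
    left = [n for n in deeper if n.network_address in p0]
    right = [n for n in deeper if n.network_address in p1]
    return ("split", here, p1, _plan(p0, left, leaf_max), _plan(p1, right, leaf_max))


def _size(node):
    """Number of ipfw rules a subtree emits (needed to number the right half)."""
    if node[0] == "leaf":
        return len(node[1]) + 1                          # allows + trailing skipto
    _, here, _, left, right = node
    return len(here) + 1 + _size(left) + _size(right)    # allows + split + halves


def _render(node, num, final):
    """Emit rules for NODE starting at rule number NUM (pre-order numbering)."""
    lines = []
    if node[0] == "leaf":
        for net in node[1]:
            lines.append(f"add {num} allow ip from any to {net}")
            num += 1
        # Nothing in this half matched: jump straight to the shaping rule.
        lines.append(f"add {num} skipto {final} ip from any to any")
        return lines
    _, here, p1, left, right = node
    for net in here:
        lines.append(f"add {num} allow ip from any to {net}")
        num += 1
    right_start = num + 1 + _size(left)   # left half occupies num+1 .. right_start-1
    lines.append(f"add {num} skipto {right_start} ip from any to {p1}")
    lines += _render(left, num + 1, final)
    lines += _render(right, right_start, final)
    return lines


def build_ruleset(networks, leaf_max=4, start=1000, final=FINAL_RULE):
    """Return ipfw(8) commands (without the leading 'ipfw', as for 'ipfw file')."""
    nets = sorted({ipaddress.ip_network(n) for n in networks},
                  key=lambda n: (int(n.network_address), n.prefixlen))
    rules = _render(_plan(ROOT, nets, leaf_max), start, final)
    if start + len(rules) >= final:
        raise ValueError("rule numbers would collide with the final rule")
    rules.append(f"add {final} pipe 1 ip from any to any")
    return rules


def evaluate(rules, dst):
    """Simulate first-match processing of RULES for a packet to DST.

    Returns (action, rules_examined); only the rule shapes emitted above are
    understood (allow / skipto / pipe with 'ip from any to <net|any>').
    """
    parsed = []
    for line in rules:
        t = line.split()
        num, action = int(t[1]), t[2]
        target = int(t[3]) if action in ("skipto", "pipe") else None
        parsed.append((num, action, target, t[-1]))
    parsed.sort()
    numbers = [p[0] for p in parsed]
    ip = ipaddress.ip_address(dst)
    i, examined = 0, 0
    while i < len(parsed):
        num, action, target, where = parsed[i]
        examined += 1
        if where != "any" and ip not in ipaddress.ip_network(where):
            i += 1
            continue
        if action == "skipto":
            i = bisect.bisect_left(numbers, target)   # first rule numbered >= target
            continue
        return action, examined
    return "default", examined      # fell off the end: ipfw's rule 65535 decides


if __name__ == "__main__":
    ruleset = build_ruleset(SAMPLE_NETWORKS)
    print(f"{len(ruleset)} rules")
    for probe in ("10.13.200.1", "8.8.8.8"):
        print(probe, evaluate(ruleset, probe))
```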
Date: Thu, 20 Sep 2001 16:09:10 -0700
From: Julian Elischer
Organization: VICOR
To: net@freebsd.org
Subject: Gif devices in 4.4?

In 4.3

    device gif 4

gave me 4 gif devices..

now in 4.4 it's

    pseudo_device gif

but no matter what I do I don't get any gif devices... what is the magic incantation to make them appear in ifconfig? (even gifconfig can't find them)

    ref1# gifconfig gif0 inet 10.1.1.1 10.2.3.4
    gifconfig: interface gif0 does not exist
    ref1# ifconfig -a
    fxp0: flags=8843 mtu 1500
    [...]
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
            inet 127.0.0.1 netmask 0xff000000
    ppp0: flags=8010 mtu 1500
    sl0: flags=c010 mtu 552
    faith0: flags=8000 mtu 1500
    ref1# cd /sys/compile/IPSEC
    ref1# ls -l gif*
    -rw-r--r--  1 root  wheel  15 Sep 20 15:56 gif.h
    ref1# cat gif.h
    #define NGIF 1
    ref1#

etc.
Date: Thu, 20 Sep 2001 16:14:40 -0700
From: Brooks Davis
To: Julian Elischer
Cc: net@FreeBSD.ORG
Subject: Re: Gif devices in 4.4?

On Thu, Sep 20, 2001 at 04:09:10PM -0700, Julian Elischer wrote:
>
> In 4.3
> device gif 4
> gave me 4 gif devices..
>
> now in 4.4 it's
> pseudo_device gif
>
> but no matter what I do I don't get any gif devices...

It's in UPDATING and the release notes, but if you use the gifconfig_gif# rc.conf variables they will be created. If you just want to create them on the fly do "ifconfig gif<#> create" or to get an arbitrary new one "ifconfig gif create" (the new one's name will be printed to stdout). In current, there's also a new variable cloned_interfaces which can be used to create any clonable interfaces to be configured normally.

-- Brooks

--
Any statement of the form "X is the one, true Y" is FALSE.
PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4
Date: Thu, 20 Sep 2001 17:08:23 -0700 (PDT)
From: Julian Elischer
To: Brooks Davis
Cc: Julian Elischer, net@FreeBSD.ORG
Subject: Re: Gif devices in 4.4?

hmmmmm so what happened to 4.4 being 4.3 compatible....

This is a bad breakage of POLA!

All old gif scripts are now broken (grumble)

I think whoever made this change needs to put big comments about how to do this in gif(4) and gifconfig(8)

On Thu, 20 Sep 2001, Brooks Davis wrote:

> On Thu, Sep 20, 2001 at 04:09:10PM -0700, Julian Elischer wrote:
> >
> > In 4.3
> > device gif 4
> > gave me 4 gif devices..
> >
> > now in 4.4 it's
> > pseudo_device gif
> >
> > but no matter what I do I don't get any gif devices...
>
> It's in UPDATING and the release notes, but if you use the
> gifconfig_gif# rc.conf variables they will be created. If you just want
> to create them on the fly do "ifconfig gif<#> create" or to get an
> arbitrary new one "ifconfig gif create" (the new one's name will be
> printed to stdout). In current, there's also a new variable
> cloned_interfaces which can be used to create any clonable interfaces to
> be configured normally.
>
> -- Brooks
>
> --
> Any statement of the form "X is the one, true Y" is FALSE.
> PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4
Date: Thu, 20 Sep 2001 16:55:50 -0700
From: Brooks Davis
To: Julian Elischer
Cc: net@FreeBSD.ORG
Subject: Re: Gif devices in 4.4?

On Thu, Sep 20, 2001 at 05:08:23PM -0700, Julian Elischer wrote:
> This is a bad breakage of POLA!

It's been in stable for two months with only a few people asking about it and none of them asking to have it removed or changed that I saw. It probably would have been better to continue to clone the requested number of interfaces at runtime in -stable, but since we've released, it's a bit late. :-|

> All old gif scripts are now broken (grumble)

It was thought that most people were using the rc.conf interface which was fixed. The lack of serious complaints seemed to bear that out.

> I think whoever made this change needs to put big
> comments about how to do this in gif(4) and gifconfig(8)

How would this do (as the second paragraph in gif(8)):

    gif interfaces are allocated at runtime using interface cloning. This is
    most easily done with the ifconfig(8) create command.

-- Brooks

--
Any statement of the form "X is the one, true Y" is FALSE.
PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4
Date: Thu, 20 Sep 2001 18:24:49 -0700 (PDT)
From: Julian Elischer
To: Brooks Davis
Cc: net@FreeBSD.ORG
Subject: Re: Gif devices in 4.4?

On Thu, 20 Sep 2001, Brooks Davis wrote:

> On Thu, Sep 20, 2001 at 05:08:23PM -0700, Julian Elischer wrote:
> > This is a bad breakage of POLA!
>
> It's been in stable for two months with only a few people asking
> about it and none of them asking to have it removed or changed that I
> saw. It probably would have been better to continue to clone the
> requested number of interfaces at runtime in -stable, but since we've
> released, it's a bit late. :-|

The sample in the daemon-news article no longer works..

> > All old gif scripts are now broken (grumble)
>
> It was thought that most people were using the rc.conf interface which
> was fixed. The lack of serious complaints seemed to bear that out.
>
> > I think whoever made this change needs to put big
> > comments about how to do this in gif(4) and gifconfig(8)
>
> How would this do (as the second paragraph in gif(8)):
>
>     gif interfaces are allocated at runtime using interface cloning. This is
>     most easily done with the ifconfig(8) create command.

there is no gif(8) but this could do with being in gif(4) (and in gifconfig(8))

> -- Brooks
>
> --
> Any statement of the form "X is the one, true Y" is FALSE.
> PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4

Date: Fri, 21 Sep 2001 00:14:38 -0500 (CDT)
From: Nick Rogness
To: Tony Saign
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: Nimda retaliation??

On Wed, 19 Sep 2001, Tony Saign wrote:

> Has anyone used LaBrea successfully on a FreeBSD box?

Moved to freebsd-questions.

Nick Rogness
- Keep on Routing in a Free World...  "FreeBSD: The Power to Serve!"
Date: Thu, 20 Sep 2001 23:44:16 -0700 (PDT)
From: deepika kakrania
To: Wilbert de Graaf
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: IP multicasting...

Hi,

> It's this line:
>
>     if (igmp->igmp_group.s_addr != 0 &&
>         !IN_MULTICAST(ntohl(igmp->igmp_group.s_addr))) {
>             ++igmpstat.igps_rcv_badqueries;
>             m_freem(m);
>             return;
>     }
>
> This test gets executed when it's a v2 query (mtu != 0). The test stops
> further processing if the group address is NOT "0.0.0.0" or NOT a valid
> multicast address.

I understand that the above code gets executed only if the query is Version 2 type. But the above test is only for the Group-Specific query, where igmp_group.s_addr != 0 (it contains the group address being reported to). In this case we need to check whether the given address is a valid multicast address or not.

But where is the validity check being done when the query is a Version 2 General query, in which case igmp_group.s_addr SHOULD BE zero and ip_dst.s_addr SHOULD be igmp_all_hosts_group? i.e., we need a validity check something like

    if (igmp->igmp_group.s_addr == 0 &&
        ip->ip_dst.s_addr != igmp_all_hosts_group) {
            ++igmpstat.igps_rcv_badqueries;
            m_freem(m);
            return;
    }

Don't we need this for the V2 GENERAL query?

Regards,
Deepika
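The three query cases the thread walks through (v1 General, v2 General, v2 Group-Specific), with the extra destination check Deepika proposes for the v2 General Query, as an added Python example that is not FreeBSD's igmp_input(): it builds constructed query packets and applies the same checks to the IGMP header together with the IP destination. The packet bytes and the checksum helper are assumptions made for the demonstration; 0x11 and 224.0.0.1 are the standard query type and all-hosts group.

```python
import ipaddress
import struct

IGMP_MEMBERSHIP_QUERY = 0x11                        # igmp_type for all queries
ALL_HOSTS_GROUP = ipaddress.ip_address("224.0.0.1")   # igmp_all_hosts_group
UNSPECIFIED = ipaddress.ip_address("0.0.0.0")


def igmp_checksum(data: bytes) -> int:
    """Ones'-complement sum over 16-bit words, as IGMP (and IP) use it."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_query(code: int, group: str) -> bytes:
    """Constructed 8-byte IGMP query: type, max-resp code, checksum, group."""
    hdr = struct.pack("!BBH4s", IGMP_MEMBERSHIP_QUERY, code, 0,
                      ipaddress.ip_address(group).packed)
    return hdr[:2] + struct.pack("!H", igmp_checksum(hdr)) + hdr[4:]


def validate_query(ip_dst: str, igmp: bytes):
    """Classify a query and report whether it counts as a bad query.

    Returns (kind, verdict): kind is 'v1-general', 'v2-general' or
    'v2-group-specific'; verdict is 'ok' or a 'bad: ...' reason, mirroring
    the places where igmp_input() bumps igps_rcv_badqueries.
    """
    if len(igmp) < 8:
        return "short", "bad: truncated IGMP header"
    if igmp_checksum(igmp) != 0:          # a valid packet sums to zero
        return "checksum", "bad: checksum"
    igmp_type, igmp_code, _, group_raw = struct.unpack("!BBH4s", igmp[:8])
    if igmp_type != IGMP_MEMBERSHIP_QUERY:
        return "not-query", "ignored: not a membership query"
    dst = ipaddress.ip_address(ip_dst)
    group = ipaddress.ip_address(group_raw)

    if igmp_code == 0:
        # IGMPv1 router: the check FreeBSD 4.1 already performs.
        if group != UNSPECIFIED or dst != ALL_HOSTS_GROUP:
            return "v1-general", "bad: v1 query must carry group 0 and go to 224.0.0.1"
        return "v1-general", "ok"
    if group == UNSPECIFIED:
        # IGMPv2 General Query: the case the thread finds unchecked;
        # this is the test Deepika proposes adding.
        if dst != ALL_HOSTS_GROUP:
            return "v2-general", "bad: v2 General Query not sent to 224.0.0.1"
        return "v2-general", "ok"
    # IGMPv2 Group-Specific Query: the existing IN_MULTICAST() check.
    if not group.is_multicast:
        return "v2-group-specific", "bad: group address is not multicast"
    return "v2-group-specific", "ok"


if __name__ == "__main__":
    for dst, code, group in (("224.0.0.1", 0, "0.0.0.0"), ("224.0.0.1", 100, "0.0.0.0"),
                             ("10.0.0.5", 100, "0.0.0.0"), ("239.1.2.3", 100, "239.1.2.3")):
        print(dst, code, group, "->", validate_query(dst, build_query(code, group)))
```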
Date: Thu, 20 Sep 2001 23:33:35 -0700
From: Julian Elischer
To: net@freebsd.org
Subject: IPSEC question..

The sample docs and the daemon-news article get me part way started to making an encrypted tunnel using IPsec4 between two networks. However, they are really quite confusing...

Is there a SIMPLE description of what all the parts do?

I have a gif tunnel going, but it's not clear to me how I make this tunnel start encrypting the damned data.

I've fiddled with several commands (e.g. setkey) but tcpdump keeps showing plain encapsulated packets...no encryption..

--
Julian Elischer
julian@elischer.org
From: tsuchiya@flab.fujitsu.co.jp
Date: Fri, 21 Sep 2001 16:46:56 +0900
To: net@FreeBSD.org
Subject: TCP performance question

Hello, we observed that TCP is somewhat slow with FreeBSD. Does anybody know this kind of behavior?

We have investigated the problem with a simple program like:

    client                          server
    for(){                          for(){
        write(fd, buf, size);           read (fd, buf, size);
        read (fd, buf, size);           write(fd, buf, size);
    }                               }

and we changed the size from 1 to 10000 bytes and measured the time of a read/write pair on the server. Usually the measured time is around or less than 1 msec, however it is always 100msec when the size is between 2049 and 2919 bytes or between 4381 and 5839 bytes or between 7301 and 8751 bytes. 100 times slower.

Then we measured each of write and read on the client, and we noticed that the write always finishes very quickly, like 80usec, and the read is 1msec, and it gets to 100msec in the ranges above.

So I thought there was some buffering with the socket write, and I tried SO_OOBINLINE and TCP_NODELAY, but they did not work on this problem. I checked with tcpdump and found there was no re-sending of packets.

I did this between two FreeBSD4.2 machines and between FreeBSD4.1.1 and Solaris 8. Between two Solaris 8 machines, it did not happen.

Is this a known problem? Or am I doing something wrong?
Thanks,
Yoshi
---
Yoshihiro Tsuchiya
Date: Fri, 21 Sep 2001 02:59:56 -0500 (CDT)
From: Mike Silbersack
Subject: Re: TCP performance question

On Fri, 21 Sep 2001 tsuchiya@flab.fujitsu.co.jp wrote:

> and we changed the size from 1 to 10000 bytes and measured the time of
> a read/write pair on the server. Usually the measured time is
> around or less than 1 msec, however it is always 100msec when the size is
> between 2049 and 2919 bytes or between 4381 and 5839 bytes or
> between 7301 and 8751 bytes. 100 times slower.

Try disabling delayed ACKs and see how that affects your results. The default delay for delayed acks is 100ms.

    sysctl -w net.inet.tcp.delayed_ack=0

Actually, come to think of it, I think Jonathan Lemon fixed issues related to this with delayed acks sometime between 4.2 and 4.4. For this (and many other reasons), you should consider upgrading before you continue your performance tests.

Mike "Silby" Silbersack
Date: Fri, 21 Sep 2001 10:26:45 +0200
From: Sameh Ghane
To: freebsd-net@freebsd.org
Subject: ipfilter and IPSec processing order

Hi,

I use an IPSec tunnel (transport mode + gif) between two FreeBSD 4.3-p19 gateways, using ipfilter (v3.4.20 (264)) as packet filter.

With no particular statement about IPSec, I get this message:

    Sep 21 10:10:24 fw ipmon[94]: 10:10:23.578447 fxp0 @0:80 b 213.41.X.Y -> 213.41.W.Z PR ipencap len 20 (104) OUT

when I try to make my packets go out. Fine. I let protocol IP ENCAP (4) go through the firewall. Then, I get:

    Sep 21 10:13:40 fw ipmon[94]: 10:13:39.593013 fxp0 @0:90 b 213.41.W.Z -> 213.41.X.Y PR esp len 20 (136) IN

when packets come back to the gateway. Fine. I let protocol ESP (50) go through the firewall. I can now ping both ends of the tunnel, because I explicitly allowed ICMP to go through the ipf rules.

Unfortunately, when I try to telnet to the other side of the tunnel, on HTTP's port, using the private network addresses:

    Sep 21 10:15:43 fw ipmon[94]: 10:15:42.698858 fxp0 @0:91 b 192.168.202.17,80 -> 192.168.1.1,1259 PR tcp len 20 44 -AS IN

responses are not allowed to come back. I even tried to put stateful rules for the private networks:

    pass out quick proto tcp from 192.168.0.0/17 to 192.168.128.0/17 keep state

Unsuccessfully.

So I am wondering, why is ipfilter seeing the packet twice: once encapsulated, once decapsulated? I looked at the freebsd-net, -security, and ipfilter mailing lists, with no success.

NetBSD states that:

« Since February 2001, on NetBSD-current, ipf(4)/IPsec interaction was clarified as below:
ipf(4) looks at packets in native wire format only.
ipf(4) looks at packets before IPsec processing on inbound, and after IPsec processing on outbound. »

Is it done on FreeBSD? Why can't it be done (I read threads where people stated that packet filter and IPSec interaction was an unsolvable problem)? And even if the packet goes twice through the packet filter, why can't I use stateful rules? Hum!?

Cheers,
--
Sameh
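The two passes ipfilter makes over the tunnel traffic described above (the outer IP-in-IP / ESP packet and the inner, decapsulated RFC1918 packet), as an added Python example that is not code from the thread: it parses ipmon(8) block records in the layout of the three lines quoted and separates what was blocked at the outer layer from what was blocked on the decapsulated flow. The log lines are constructed, with RFC 5737 documentation addresses standing in for the 213.41.X.Y hosts; the field layout is an assumption taken from the quoted records.

```python
import ipaddress
import re

TUNNEL_PROTOS = {"ipencap", "esp", "ah"}            # outer-packet protocols
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Field layout modelled on the ipmon records quoted in the message (assumption).
IPMON_RE = re.compile(
    r"^(?P<stamp>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) ipmon\[\d+\]: "
    r"(?P<time>\S+) (?P<ifname>\S+) @(?P<rule>\d+:\d+) (?P<action>[bp]) "
    r"(?P<src>\S+) -> (?P<dst>\S+) PR (?P<proto>\S+) len (?P<hlen>\d+) "
    r"(?P<rest>.*?)\s*(?P<dir>IN|OUT)$"
)

# Constructed sample log: the three quoted records with public addresses
# replaced, plus one passed outer packet for contrast.
SAMPLE_LOG = [
    "Sep 21 10:10:24 fw ipmon[94]: 10:10:23.578447 fxp0 @0:80 b 198.51.100.1 -> 203.0.113.1 PR ipencap len 20 (104) OUT",
    "Sep 21 10:13:40 fw ipmon[94]: 10:13:39.593013 fxp0 @0:90 b 203.0.113.1 -> 198.51.100.1 PR esp len 20 (136) IN",
    "Sep 21 10:15:43 fw ipmon[94]: 10:15:42.698858 fxp0 @0:91 b 192.168.202.17,80 -> 192.168.1.1,1259 PR tcp len 20 44 -AS IN",
    "Sep 21 10:15:44 fw ipmon[94]: 10:15:43.100000 fxp0 @0:12 p 198.51.100.1 -> 203.0.113.1 PR esp len 20 (136) OUT",
]


def _endpoint(field):
    """Split 'addr' or 'addr,port' into (ip_address, port or None)."""
    addr, _, port = field.partition(",")
    return ipaddress.ip_address(addr), (int(port) if port else None)


def _is_rfc1918(ip):
    return any(ip in net for net in RFC1918)


def parse_ipmon(line):
    """Parse one ipmon record; None if the line is not in the expected layout."""
    m = IPMON_RE.match(line.strip())
    if not m:
        return None
    src, sport = _endpoint(m["src"])
    dst, dport = _endpoint(m["dst"])
    if m["proto"] in TUNNEL_PROTOS:
        layer = "outer"                      # packet as seen on the wire
    elif _is_rfc1918(src) and _is_rfc1918(dst):
        layer = "inner"                      # decapsulated tunnel payload
    else:
        layer = "plain"
    return {
        "rule": m["rule"], "action": "block" if m["action"] == "b" else "pass",
        "ifname": m["ifname"], "proto": m["proto"], "dir": m["dir"],
        "src": src, "sport": sport, "dst": dst, "dport": dport, "layer": layer,
    }


def blocked_tunnel_summary(lines):
    """Return ({(proto, dir)} blocked on the outer packet,
    [(src, sport, dst, dport, dir)] blocked on the decapsulated packet)."""
    outer, inner = set(), []
    for line in lines:
        rec = parse_ipmon(line)
        if rec is None or rec["action"] != "block":
            continue
        if rec["layer"] == "outer":
            outer.add((rec["proto"], rec["dir"]))
        elif rec["layer"] == "inner":
            inner.append((str(rec["src"]), rec["sport"],
                          str(rec["dst"]), rec["dport"], rec["dir"]))
    return outer, inner


if __name__ == "__main__":
    outer, inner = blocked_tunnel_summary(SAMPLE_LOG)
    print("outer protocols blocked:", sorted(outer))
    print("inner flows blocked:", inner)
```

The inner flow shows up on the same interface after decapsulation, which is why a rule that only passes ipencap and esp, or a `keep state` rule written for the outer hosts, leaves the private-address TCP reply unmatched.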
From: Tsuchiya Yoshihiro
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.2) Gecko/20010727
X-Accept-Language: en-us
MIME-Version: 1.0
To: Mike Silbersack
Cc: net@FreeBSD.org
Subject: Re: TCP performance question
References: <20010921025715.U68923-100000@achilles.silby.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

Mike Silbersack wrote:

> On Fri, 21 Sep 2001 tsuchiya@flab.fujitsu.co.jp wrote:
>
>> and we changed the size from 1 to 10000 byte and measured the time of
>> read/write pair on the server. Usually the measured time is
>> around or less than 1 msec, however it is always 100msec when the size is
>> between 2049 and 2919 byte or between 4381 and 5839 byte or
>> between 7301 and 8751 byte. 100 times slower.
>
> Try disabling delayed ACKs and see how that affects your results. The
> default delay for delayed acks is 100ms.
>
> sysctl -w net.inet.tcp.delayed_ack=0

I found a machine with FreeBSD 4.3 and tried it, but it didn't work.

Yoshi

From owner-freebsd-net Fri Sep 21 01:38:09 2001
Delivered-To: freebsd-net@freebsd.org
Received: from day.anthologeek.net (day.anthologeek.net [212.43.217.20]) by hub.freebsd.org (Postfix) with ESMTP id BFE2E37B411 for ; Fri, 21 Sep 2001 01:38:06 -0700 (PDT)
Received: by day.anthologeek.net (Postfix, from userid 1000) id 77B4D171E8; Fri, 21 Sep 2001 10:37:33 +0200 (CEST)
Date: Fri, 21 Sep 2001 10:37:33 +0200
From: Sameh Ghane
To: Julian Elischer
Cc: net@freebsd.org
Subject: Re: IPSEC question..
Message-ID: <20010921103733.F77863@anthologeek.net>
References: <3BAADF3F.D48189AD@elischer.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3BAADF3F.D48189AD@elischer.org>; from julian@elischer.org on Thu, Sep 20, 2001 at 11:33:35PM -0700
X-PGP-Keys: 0x1289F00D:

On Thu, Sep 20, 2001 at 11:33:35PM -0700, Julian Elischer wrote:

> The sample docs and the daemon-news
> article get me part way started to making an encrypted
> tunnel using IPsec4 between two networks.
> However they are really quite confusing...
>
> Is there a SIMPLE description of what all the parts do?
>
> I have a gif tunnel going, but it's not clear to me how I make this tunnel
> start encrypting the damned data.
>
> I've fiddled with several commands (e.g. setkey) but tcpdump keeps showing
> plain encapsulated packets...no encryption..

Humm, which interface are you tcpdumping?

I chose to use gif, to encapsulate RFC1918 packets onto the Internet. Then I use IPSec, in transport mode, to encrypt traffic (using ESP after racoon IKE), between the two hosts with public IP addresses.

So I can see encrypted packets only on the NIC interface, not on gif0.

Cheers,
--
Sameh

From owner-freebsd-net Fri Sep 21 01:47:14 2001
Delivered-To: freebsd-net@freebsd.org
Received: from Awfulhak.org (gw.Awfulhak.org [217.204.245.18]) by hub.freebsd.org (Postfix) with ESMTP id 0C6CF37B414 for ; Fri, 21 Sep 2001 01:47:09 -0700 (PDT)
Received: from hak.lan.Awfulhak.org (root@hak.lan.Awfulhak.org [fec0::1:12]) by Awfulhak.org (8.11.6/8.11.6) with ESMTP id f8L8l6t18725; Fri, 21 Sep 2001 09:47:07 +0100 (BST) (envelope-from brian@freebsd-services.com)
Received: from hak.lan.Awfulhak.org (brian@localhost [127.0.0.1]) by hak.lan.Awfulhak.org (8.11.6/8.11.6) with ESMTP id f8L8l3R32993; Fri, 21 Sep 2001 09:47:03 +0100 (BST) (envelope-from brian@freebsd-services.com)
Message-Id: <200109210847.f8L8l3R32993@hak.lan.Awfulhak.org>
X-Mailer: exmh version 2.5 07/13/2001 with nmh-1.0.4
To: Julian Elischer
Cc: net@FreeBSD.ORG, brian@freebsd-services.com
Subject: Re: IPSEC question..
In-Reply-To: Message from Julian Elischer of "Thu, 20 Sep 2001 23:33:35 PDT." <3BAADF3F.D48189AD@elischer.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 21 Sep 2001 09:47:03 +0100
From: Brian Somers

> The sample docs and the daemon-news
> article get me part way started to making an encrypted
> tunnel using IPsec4 between two networks.
> However they are really quite confusing...
>
> Is there a SIMPLE description of what all the parts do?
>
> I have a gif tunnel going, but it's not clear to me how I make this tunnel
> start encrypting the damned data.
>
> I've fiddled with several commands (e.g. setkey) but tcpdump keeps showing
> plain encapsulated packets...no encryption..

Once you've got the gif tunnel working, say with top addresses 10.0.0.1 and 10.0.0.2 and tunnel addresses 1.2.3.4 and 5.6.7.8, create an /etc/ipsec.conf that says:

  spdadd 1.2.3.4/32 5.6.7.8/32 ip4 -P in ipsec esp/transport//require;
  spdadd 5.6.7.8/32 1.2.3.4/32 ip4 -P out ipsec esp/transport//require;

This is your setkey input. The ``ip4'' bit tells ipsec to only touch IP-in-IP traffic, so comms going from an internal LAN to an external gateway address (1.2.3.4 or 5.6.7.8) won't be encrypted (but may be NAT'd). Only the gif-encapsulated traffic is encrypted.

Then add this to /etc/rc.conf:

  ipsec_enable=YES
  ipsec_file=/etc/ipsec.conf

Once this is done, arrange to have racoon running on each end and everything should work. Using a shared secret in /usr/local/etc/racoon/psk.txt is the easiest:

  1.2.3.4 akeythatnobodyisgoingtocrack

and running racoon -F helps initially.

> --
> +------------------------------------+ ______ _ __
> | __--_|\ Julian Elischer | \ U \/ / hard at work in
> | / \ julian@elischer.org +------>x USA \ a very strange
> | ( OZ ) \___ ___ | country !
> +- X_.---._/ presently in San Francisco \_/ \\
> v

Good luck !
--
Brian
http://www.freebsd-services.com/
Don't _EVER_ lose your sense of humour !
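The ``ip4'' point above, as an added example that is not Brian's code, KAME's setkey or anything from the FreeBSD tree: a small Python model that parses the two spdadd lines given above (plus a constructed variant with `any` in place of `ip4`) and answers which policy, if any, applies to a given packet, the way a first-match SPD lookup would. Everything in `demo()` is constructed for the example: the packet addresses, the protocol numbers, and the assumption that the policy file is read on the 5.6.7.8 end of the tunnel, which is the end the two lines as posted describe. First-match ordering is this model's assumption, not a statement about the kernel.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# upperspec keywords and the IP protocol numbers they stand for; None means "any".
UPPERSPEC = {"any": None, "icmp": 1, "ip4": 4, "tcp": 6, "udp": 17}
IPPROTO_IPV4, IPPROTO_TCP = 4, 6

# Subset of the setkey grammar used in the message:
#   spdadd src dst upperspec -P dir action rules ;
SPDADD_RE = re.compile(
    r"^\s*spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+(ipsec|discard|none)"
    r"((?:\s+[a-z]+/[a-z]+/[^/\s]*/[a-z]+)*)\s*;\s*$"
)


@dataclass(frozen=True)
class SpdEntry:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[int]      # upper-layer protocol; None matches anything
    direction: str            # "in" or "out"
    action: str               # "ipsec", "discard" or "none"
    rules: Tuple[str, ...]    # e.g. ("esp/transport//require",)


def parse_spdadd(line: str) -> SpdEntry:
    """Parse one spdadd line. An unknown upperspec keyword is a syntax error,
    which is how the unpatched setkey in this thread treats `ip4'."""
    m = SPDADD_RE.match(line)
    if m is None:
        raise ValueError(f"Syntax error: {line.strip()!r}")
    src, dst, upper, direction, action, rules = m.groups()
    if upper not in UPPERSPEC:
        raise ValueError(f"Syntax error at upperspec {upper!r}")
    return SpdEntry(ipaddress.ip_network(src, strict=False),
                    ipaddress.ip_network(dst, strict=False),
                    UPPERSPEC[upper], direction, action, tuple(rules.split()))


def accepted(line: str) -> bool:
    """True when this model (like a patched setkey) accepts the line."""
    try:
        parse_spdadd(line)
        return True
    except ValueError:
        return False


def parse_policy(text: str) -> List[SpdEntry]:
    return [parse_spdadd(line) for line in text.splitlines() if line.strip()]


def lookup(spd: List[SpdEntry], src: str, dst: str, proto: int,
           direction: str) -> Optional[SpdEntry]:
    """First entry matching the packet, or None when IPsec leaves it alone."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in spd:
        if e.direction == direction and s in e.src and d in e.dst \
                and (e.proto is None or e.proto == proto):
            return e
    return None


def unmirrored(spd: List[SpdEntry]) -> List[SpdEntry]:
    """Entries with no counterpart in the other direction (src/dst swapped).
    A one-sided policy encrypts one way and sends plaintext the other."""
    keys = {(e.direction, e.src, e.dst, e.proto) for e in spd}
    return [e for e in spd
            if ("in" if e.direction == "out" else "out", e.dst, e.src, e.proto)
            not in keys]


# Brian's two lines exactly as posted (they read as the 5.6.7.8 end of the tunnel).
POLICY_IP4 = """
spdadd 1.2.3.4/32 5.6.7.8/32 ip4 -P in ipsec esp/transport//require;
spdadd 5.6.7.8/32 1.2.3.4/32 ip4 -P out ipsec esp/transport//require;
"""
# Constructed variant with `any' in place of `ip4', to show what it would pull in.
POLICY_ANY = POLICY_IP4.replace(" ip4 ", " any ")


def demo():
    """Outbound packets on the 5.6.7.8 gateway (constructed): the
    gif-encapsulated packet, and a NAT'd LAN TCP session to the far gateway
    address under the ip4 policy and under the any policy."""
    strict, loose = parse_policy(POLICY_IP4), parse_policy(POLICY_ANY)
    gif_pkt = lookup(strict, "5.6.7.8", "1.2.3.4", IPPROTO_IPV4, "out")
    natd_pkt = lookup(strict, "5.6.7.8", "1.2.3.4", IPPROTO_TCP, "out")
    natd_pkt_any = lookup(loose, "5.6.7.8", "1.2.3.4", IPPROTO_TCP, "out")
    return gif_pkt, natd_pkt, natd_pkt_any


if __name__ == "__main__":
    gif_pkt, natd_pkt, natd_pkt_any = demo()
    print("gif (ip4) traffic, ip4 policy:", gif_pkt.rules if gif_pkt else "clear")
    print("NAT'd TCP, ip4 policy        :", natd_pkt.rules if natd_pkt else "clear (NAT only)")
    print("NAT'd TCP, any policy        :", natd_pkt_any.rules if natd_pkt_any else "clear")
    print("unmirrored entries           :", unmirrored(parse_policy(POLICY_IP4)))
```

With the `ip4` upperspec only the encapsulated gif packet matches, so the NAT engine and IPsec never both rewrite one packet; with `any` the post-NAT TCP packet to the far gateway would be caught by the same policy, which is the overlap Brian warns about. `unmirrored()` is the check to run on a policy file before loading it: an `out` entry without its `in` twin means replies arrive unprotected.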
From owner-freebsd-net Fri Sep 21 01:57:12 2001
Delivered-To: freebsd-net@freebsd.org
Received: from Awfulhak.org (gw.Awfulhak.org [217.204.245.18]) by hub.freebsd.org (Postfix) with ESMTP id 1470137B418 for ; Fri, 21 Sep 2001 01:57:06 -0700 (PDT)
Received: from hak.lan.Awfulhak.org (root@hak.lan.Awfulhak.org [fec0::1:12]) by Awfulhak.org (8.11.6/8.11.6) with ESMTP id f8L8v4t18747; Fri, 21 Sep 2001 09:57:04 +0100 (BST) (envelope-from brian@freebsd-services.com)
Received: from hak.lan.Awfulhak.org (brian@localhost [127.0.0.1]) by hak.lan.Awfulhak.org (8.11.6/8.11.6) with ESMTP id f8L8v0R34477; Fri, 21 Sep 2001 09:57:00 +0100 (BST) (envelope-from brian@freebsd-services.com)
Message-Id: <200109210857.f8L8v0R34477@hak.lan.Awfulhak.org>
X-Mailer: exmh version 2.5 07/13/2001 with nmh-1.0.4
To: Sameh Ghane
Cc: freebsd-net@FreeBSD.ORG, brian@freebsd-services.com
Subject: Re: ipfilter and IPSec processing order
In-Reply-To: Message from Sameh Ghane of "Fri, 21 Sep 2001 10:26:45 +0200." <20010921102645.D77863@anthologeek.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
Date: Fri, 21 Sep 2001 09:56:58 +0100
From: Brian Somers

Hi,

I can't answer your question specifically as I've never used ipfilter, but it's certainly possible to use natd at the same time as IPSEC... the vital thing is to ensure that no traffic is altered by both engines.

Using a gif tunnel (which you are already) and encrypting only ipencap traffic in your spdadd/transport policy should mean that the nat engine either sees regular traffic (that should be NATd) or ipencap traffic (which shouldn't be NATd, and won't as the src address is the gateway address).

So the bit you may be missing is the ``ip4'' bit in the setkey spdadd line....

> Hi,
>
> I use an IPSec tunnel (transport mode + gif) between two FreeBSD 4.3-p19
> gateways, using ipfilter(v3.4.20 (264)) as packet filter.
>
> With no particular statement about IPSec, I get this message:
>
> Sep 21 10:10:24 fw ipmon[94]: 10:10:23.578447 fxp0 @0:80 b 213.41.X.Y ->
> 213.41.W.Z PR ipencap len 20 (104) OUT
> when I try to make my packets go out.
>
> Fine. I let protocol IP ENCAP (4) go through the firewall.
>
> Then, I get: Sep 21 10:13:40 fw ipmon[94]: 10:13:39.593013 fxp0 @0:90 b
> 213.41.W.Z -> 213.41.X.Y PR esp len 20 (136) IN
> when packets come back to the gateway.
>
> Fine. I let protocol ESP(50) go through the firewall.
>
> I can now ping both ends of the tunnel, because I explicitly allowed ICMP
> to go through ipf rules. Unfortunately, when I try to telnet to the other side of
> the tunnel, on HTTP's port, using the private network addresses:
>
> Sep 21 10:15:43 fw ipmon[94]: 10:15:42.698858 fxp0 @0:91 b 192.168.202.17,80 ->
> 192.168.1.1,1259 PR tcp len 20 44 -AS IN
>
> responses are not allowed to come back.
>
> I even tried to put stateful rules for the private networks:
>
> pass out quick proto tcp from 192.168.0.0/17 to 192.168.128.0/17 keep state
>
> Unsuccessfully.
>
> So I am wondering, why is ipfilter seeing the packet twice: once encapsulated,
> once decapsulated ?
>
> I looked at freebsd-net, -security, and ipfilter mailing lists, with no success.
>
> NetBSD states that:
> « Since February 2001, on NetBSD-current, ipf(4)/IPsec interaction was
> clarified as below:
> ipf(4) looks at packets in native wire format only. ipf(4) looks at
> packets before IPsec processing on inbound, and after IPsec processing on
> outbound. »
>
> Is it done on FreeBSD ? Why can't it be done ( I read threads where people
> stated that packet filter and IPSec interaction was an unsolvable problem).
>
> And even if the packet goes twice through the packet filter, why can't I use
> stateful rules ? Hum !?
>
> Cheers,
>
> --
> Sameh

--
Brian
http://www.freebsd-services.com/
Don't _EVER_ lose your sense of humour !

From owner-freebsd-net Fri Sep 21 02:05:52 2001
Delivered-To: freebsd-net@freebsd.org
Received: from day.anthologeek.net (day.anthologeek.net [212.43.217.20]) by hub.freebsd.org (Postfix) with ESMTP id 24BE737B413 for ; Fri, 21 Sep 2001 02:05:48 -0700 (PDT)
Received: by day.anthologeek.net (Postfix, from userid 1000) id 8835E17126; Fri, 21 Sep 2001 11:05:14 +0200 (CEST)
Date: Fri, 21 Sep 2001 11:05:14 +0200
From: Sameh Ghane
To: net@FreeBSD.ORG
Subject: Re: IPSEC question..
Message-ID: <20010921110514.G77863@anthologeek.net>
References: <200109210847.f8L8l3R32993@hak.lan.Awfulhak.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
User-Agent: Mutt/1.2.5i
In-Reply-To: <200109210847.f8L8l3R32993@hak.lan.Awfulhak.org>; from brian@freebsd-services.com on Fri, Sep 21, 2001 at 09:47:03AM +0100
X-PGP-Keys: 0x1289F00D:

On Fri, Sep 21, 2001 at 09:47:03AM +0100, Brian Somers wrote:
>
> spdadd 1.2.3.4/32 5.6.7.8/32 ip4 -P in ipsec esp/transport//require;
> spdadd 5.6.7.8/32 1.2.3.4/32 ip4 -P out ipsec esp/transport//require;
>
> This is your setkey input. The ``ip4'' bit tells ipsec to only touch
> IP-in-IP traffic, so comms going from an internal LAN to an external
> gateway address (1.2.3.4 or 5.6.7.8) won't be encrypted (but may be
> NAT'd). Only the gif-encapsulated traffic is encrypted.

Hum, looks great, but the man page for setkey says:

  « spdadd src_range dst_range upperspec policy ;

    upperspec
        Upper-layer protocol to be used. Currently tcp, udp and any can
        be specified. any stands for ``any protocol''. »

And when I use 'ip4' instead of any/icmp/tcp/udp, it says:

  line #[where ip4]: Syntax error at [i].

(Funny error location, by the way.)

Is it a « new feature » with 4.4's shipped KAME's setkey?

--
Sameh

From owner-freebsd-net Fri Sep 21 02:17:09 2001
Delivered-To: freebsd-net@freebsd.org
Received: from Awfulhak.org (gw.Awfulhak.org [217.204.245.18]) by hub.freebsd.org (Postfix) with ESMTP id 38D6E37B40F for ; Fri, 21 Sep 2001 02:17:03 -0700 (PDT)
Received: from hak.lan.Awfulhak.org (root@hak.lan.Awfulhak.org [fec0::1:12]) by Awfulhak.org (8.11.6/8.11.6) with ESMTP id f8L9H1t18829; Fri, 21 Sep 2001 10:17:01 +0100 (BST) (envelope-from brian@freebsd-services.com)
Received: from hak.lan.Awfulhak.org (brian@localhost [127.0.0.1]) by hak.lan.Awfulhak.org (8.11.6/8.11.6) with ESMTP id f8L9GvR34876; Fri, 21 Sep 2001 10:16:57 +0100 (BST) (envelope-from brian@freebsd-services.com)
Message-Id: <200109210916.f8L9GvR34876@hak.lan.Awfulhak.org>
X-Mailer: exmh version 2.5 07/13/2001 with nmh-1.0.4
To: Sameh Ghane
Cc: net@FreeBSD.ORG, brian@freebsd-services.com
Subject: Re: IPSEC question..
In-Reply-To: Message from Sameh Ghane of "Fri, 21 Sep 2001 11:05:14 +0200." <20010921110514.G77863@anthologeek.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
Date: Fri, 21 Sep 2001 10:16:57 +0100
From: Brian Somers

> On Fri, Sep 21, 2001 at 09:47:03AM +0100, Brian Somers wrote:
> >
> > spdadd 1.2.3.4/32 5.6.7.8/32 ip4 -P in ipsec esp/transport//require;
> > spdadd 5.6.7.8/32 1.2.3.4/32 ip4 -P out ipsec esp/transport//require;
> >
> > This is your setkey input. The ``ip4'' bit tells ipsec to only touch
> > IP-in-IP traffic, so comms going from an internal LAN to an external
> > gateway address (1.2.3.4 or 5.6.7.8) won't be encrypted (but may be
> > NAT'd). Only the gif-encapsulated traffic is encrypted.
>
> Hum, looks great, but the man page for setkey says:
>
> « spdadd src_range dst_range upperspec policy ;
>
> upperspec
> Upper-layer protocol to be used. Currently tcp, udp and any can
> be specified. any stands for ``any protocol''. »
>
> And when I use 'ip4' instead of any/icmp/tcp/udp, it says:
> line #[where ip4]: Syntax error at [i].
>
> (Funny error location, by the way).
>
> Is it a « new feature » with 4.4's shipped KAME's setkey ?

Yes, it was added by me specifically to permit NAT & IPSEC to work together (although the KAME guys have made it better by now allowing any protocols(5) value).

The patch is very simple, so you may want to patch your system (kernel support is already there, it's just a one-line userland change).

> --
> Sameh

Cheers.
--
Brian
http://www.freebsd-services.com/
Don't _EVER_ lose your sense of humour !
Index: token.l
===================================================================
RCS file: /home/ncvs/src/usr.sbin/setkey/token.l,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- token.l	4 Jul 2000 16:22:05 -0000	1.3
+++ token.l	17 May 2001 15:30:49 -0000	1.4
@@ -200,6 +200,7 @@
 	/* upper layer protocols */
 icmp		{ PREPROC; yylval.num = IPPROTO_ICMP; return(UP_PROTO); }
 icmp6		{ PREPROC; yylval.num = IPPROTO_ICMPV6; return(UP_PROTO); }
+ip4		{ PREPROC; yylval.num = IPPROTO_IPV4; return(UP_PROTO); }
 tcp		{ PREPROC; yylval.num = IPPROTO_TCP; return(UP_PROTO); }
 udp		{ PREPROC; yylval.num = IPPROTO_UDP; return(UP_PROTO); }
 

From owner-freebsd-net Fri Sep 21 02:25:14 2001
Delivered-To: freebsd-net@freebsd.org
Received: from web11207.mail.yahoo.com (web11207.mail.yahoo.com [216.136.131.189]) by hub.freebsd.org (Postfix) with SMTP id C9A7937B410 for ; Fri, 21 Sep 2001 02:25:10 -0700 (PDT)
Message-ID: <20010921092510.54909.qmail@web11207.mail.yahoo.com>
Received: from [164.164.56.2] by web11207.mail.yahoo.com via HTTP; Fri, 21 Sep 2001 02:25:10 PDT
Date: Fri, 21 Sep 2001 02:25:10 -0700 (PDT)
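Review bot: on the token.l hunk, the new `ip4` entry in the upper-layer protocol table has no matching documentation change, and the setkey man page quoted earlier in this thread still lists only tcp, udp and any for upperspec, which is exactly what turned a valid policy into "Syntax error at [i]" for the reporter. Suggest updating setkey.8 in the same commit to list ip4 (IPPROTO_IPV4, protocol 4, the `ipencap` that ipmon reported earlier in the thread) beside icmp, icmp6, tcp and udp, with a sentence noting that it restricts the policy to IP-in-IP traffic such as a gif tunnel so that NAT'd traffic to the gateway address is left alone.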
From: deepika kakrania
Subject: Re: IP multicasting...
To: freebsd-net@FreeBSD.ORG
In-Reply-To: <000e01c141e7$e812edd0$d93483d1@inktomi.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

Hi,

> It's this line:
>
> if (igmp->igmp_group.s_addr != 0 &&
>     !IN_MULTICAST(ntohl(igmp->igmp_group.s_addr))) {
>         ++igmpstat.igps_rcv_badqueries;
>         m_freem(m);
>         return;
> }
>
> This test gets executed when it's a v2 query (mtu != 0). The test stops
> further processing if the group address is NOT "0.0.0.0" or NOT a valid
> multicast address.

I understand that the above code gets executed only if the query is Version 2 type. But the above test is only for a Group-Specific query, where igmp_group.s_addr != 0 (it contains the group address being reported to). In this case we need to check whether the given address is a valid multicast address or not.

But where is the validity check being done when the query is a Version 2 General query, in which case igmp_group.s_addr SHOULD BE zero and ip_dst.s_addr SHOULD be igmp_all_hosts_group? I.e., we need a validity check something like:

  if (igmp->igmp_group.s_addr == 0 &&
      ip->ip_dst.s_addr != igmp_all_hosts_group) {
          ++igmpstat.igps_rcv_badqueries;
          m_freem(m);
          return;
  }

Don't we need this for a V2 GENERAL query?

Regards,
Deepika
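The two checks discussed above, as an added example that is not FreeBSD's igmp.c: a user-space Python model that builds constructed IGMPv2 membership queries, verifies the one's-complement checksum, and then applies the existing test quoted above (a non-zero group must be a multicast address) and the additional general-query test proposed above (a zero group must be addressed to 224.0.0.1). The packet contents, the verdict strings and the `proposed_check` switch are constructed for this example; the kernel's real control flow, statistics counters and mbuf handling are not reproduced.

```python
import ipaddress
import struct

IGMP_MEMBERSHIP_QUERY = 0x11
IGMP_ALL_HOSTS_GROUP = int(ipaddress.IPv4Address("224.0.0.1"))
IGMP_MINLEN = 8   # type, max resp time, checksum, group address


def in_multicast(addr: int) -> bool:
    """IN_MULTICAST(): class D, i.e. 224.0.0.0/4, on a host-order address."""
    return (addr & 0xF0000000) == 0xE0000000


def rfc1071_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words; returns 0 when run over a
    packet whose checksum field is already filled in."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_query(group: str, max_resp_time: int) -> bytes:
    """Constructed IGMP query: max_resp_time 0 yields a v1-style query."""
    hdr = struct.pack("!BBH4s", IGMP_MEMBERSHIP_QUERY, max_resp_time, 0,
                      ipaddress.IPv4Address(group).packed)
    return hdr[:2] + struct.pack("!H", rfc1071_checksum(hdr)) + hdr[4:]


def classify_query(ip_dst: str, igmp: bytes, proposed_check: bool = True) -> str:
    """Receive-side validation of one IGMP message; returns a short verdict."""
    if len(igmp) < IGMP_MINLEN:
        return "bad-length"
    if rfc1071_checksum(igmp) != 0:
        return "bad-checksum"
    igmp_type, code, _csum, group = struct.unpack("!BBH4s", igmp[:IGMP_MINLEN])
    if igmp_type != IGMP_MEMBERSHIP_QUERY:
        return "not-a-query"
    group_addr = int.from_bytes(group, "big")
    dst_addr = int(ipaddress.IPv4Address(ip_dst))
    if code == 0:
        # IGMPv1 query: the code field is always 0 and the group field is unused.
        return "v1-general-query"
    # Existing test (quoted above): a non-zero group must be a multicast address.
    if group_addr != 0 and not in_multicast(group_addr):
        return "bad-query"
    # Proposed test: a general query (group 0) must be sent to the all-hosts group.
    if proposed_check and group_addr == 0 and dst_addr != IGMP_ALL_HOSTS_GROUP:
        return "bad-query"
    return "v2-general-query" if group_addr == 0 else "v2-group-specific-query"


if __name__ == "__main__":
    # Constructed samples: a proper general query, a group-specific query,
    # a query whose group is not multicast, and a general query sent to a unicast address.
    for dst, pkt in [("224.0.0.1", build_query("0.0.0.0", 100)),
                     ("239.1.2.3", build_query("239.1.2.3", 100)),
                     ("224.0.0.1", build_query("10.1.2.3", 100)),
                     ("10.0.0.255", build_query("0.0.0.0", 100))]:
        print(dst, pkt.hex(), "->", classify_query(dst, pkt))
```

Run with `proposed_check=False` the fourth sample is accepted as a general query even though it was not sent to 224.0.0.1, which is the gap the message above points at; with the check on, it is counted as a bad query like the non-multicast group case.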
From owner-freebsd-net Fri Sep 21 03:03:18 2001
Delivered-To: freebsd-net@freebsd.org
Received: from opensrs.saignon.net (216-120-17-31.dsl.cust.tfb.com [216.120.17.31]) by hub.freebsd.org (Postfix) with ESMTP id 4C34F37B421 for ; Fri, 21 Sep 2001 03:03:11 -0700 (PDT)
Received: from tsaignmobl (216-120-17-24.dsl.cust.tfb.com [216.120.17.24]) by opensrs.saignon.net (8.11.4/8.11.3) with SMTP id f8L8rCP72480; Fri, 21 Sep 2001 01:53:16 -0700 (PDT) (envelope-from tony@saign.com)
From: Tony Saign
Reply-To:
To: "'Tsuchiya Yoshihiro'", "'Mike Silbersack'"
Cc:
Subject: RE: TCP performance question
Date: Fri, 21 Sep 2001 01:52:50 -0700
Message-ID: <000301c1427a$cbdee3b0$3e01a8c0@tsaignmobl>
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2911.0)
In-Reply-To: <3BAAFA13.8040708@flab.fujitsu.co.jp>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Importance: Normal

Just tried it on a 4.4-RELEASE box and it appears to work :)

* -----Original Message-----
* From: owner-freebsd-net@FreeBSD.ORG
* [mailto:owner-freebsd-net@FreeBSD.ORG]On Behalf Of Tsuchiya Yoshihiro
* Sent: Friday, September 21, 2001 1:28 AM
* To: Mike Silbersack
* Cc: net@FreeBSD.ORG
* Subject: Re: TCP performance question
*
*
* Mike Silbersack wrote:
*
* >On Fri, 21 Sep 2001 tsuchiya@flab.fujitsu.co.jp wrote:
* >
* >>and we changed the size from 1 to 10000 byte and measured the time of
* >>read/write pair on the server. Usually the measured time is
* >>around or less than 1 msec, however it is always 100msec when the size is
* >>between 2049 and 2919 byte or between 4381 and 5839 byte or
* >>between 7301 and 8751 byte. 100 times slower.
* >>
* >
* >Try disabling delayed ACKs and see how that affects your results. The
* >default delay for delayed acks is 100ms.
* >
* >sysctl -w net.inet.tcp.delayed_ack=0
* >
*
* I found a machine with FreeBSD4.3 and tried it, but it didn't work.
*
* Yoshi

From owner-freebsd-net Fri Sep 21 03:17:21 2001
Delivered-To: freebsd-net@freebsd.org
Received: from day.anthologeek.net (day.anthologeek.net [212.43.217.20]) by hub.freebsd.org (Postfix) with ESMTP id E0E3737B418 for ; Fri, 21 Sep 2001 03:17:18 -0700 (PDT)
Received: by day.anthologeek.net (Postfix, from userid 1000) id 035AD171D4; Fri, 21 Sep 2001 12:16:45 +0200 (CEST)
Date: Fri, 21 Sep 2001 12:16:45 +0200
From: Sameh Ghane
To: freebsd-net@FreeBSD.ORG
Subject: Re: ipfilter and IPSec processing order
Message-ID: <20010921121645.K77863@anthologeek.net>
References: <200109210857.f8L8v0R34477@hak.lan.Awfulhak.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200109210857.f8L8v0R34477@hak.lan.Awfulhak.org>; from brian@freebsd-services.com on Fri, Sep 21, 2001 at 09:56:58AM +0100
X-PGP-Keys: 0x1289F00D:

On Fri, Sep 21, 2001 at 09:56:58AM +0100, Brian Somers wrote:
> Hi,
>
> I can't answer your question specifically as I've never used
> ipfilter, but it's certainly possible to use natd at the same time as
> IPSEC... the vital thing is to ensure that no traffic is altered by
> both engines.

Hum, do you use ipfw with filtering rules? If so, what is the processing order between ipfw and ipsec?

> Using a gif tunnel (which you are already) and encrypting only ipencap
> traffic in your spdadd/transport policy should mean that the nat
> engine either sees regular traffic (that should be NATd) or ipencap
> traffic (which shouldn't be NATd, and won't as the src address is the
> gateway address).
>
> So the bit you may be missing is the ``ip4'' bit in the setkey spdadd
> line....

Okay, I patched /usr/src/usr.sbin/setkey and /usr/include/net/pfkeyv2.h, and now only encapsulated traffic is encrypted/decrypted.

Unfortunately, I still have ipf catching the IPsec packets twice (once encapsulated, once decapsulated). Grrr. Still trying to get rid of this.

Cheers,
--
Sameh

From owner-freebsd-net Fri Sep 21 07:34:07 2001
Delivered-To: freebsd-net@freebsd.org
Received: from shuttle.wide.toshiba.co.jp (shuttle.wide.toshiba.co.jp [202.249.10.124]) by hub.freebsd.org (Postfix) with ESMTP id 9F8DE37B410 for ; Fri, 21 Sep 2001 07:34:01 -0700 (PDT)
Received: from localhost ([3ffe:501:100f:10c1:200:39ff:fe97:3f1e]) by shuttle.wide.toshiba.co.jp (8.9.1+3.1W/8.9.1) with ESMTP id XAA06091; Fri, 21 Sep 2001 23:34:54 +0900 (JST)
Date: Fri, 21 Sep 2001 23:33:46 +0900
Message-ID:
From: JINMEI Tatuya / 神明達哉
To: Joe Abley
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: ipv6/gif/cisco syslog noise
In-Reply-To: <20010919164416.Q85635@buffoon.automagic.org>
References: <20010919153739.K85635@buffoon.automagic.org> <20010920.050441.28824742.ume@mahoroba.org> <20010919164416.Q85635@buffoon.automagic.org>
User-Agent: Wanderlust/2.6.0 (Twist And Shout-pre) Emacs/21.0 Mule/5.0 (SAKAKI)
Organization: Research & Development Center, Toshiba Corp., Kawasaki, Japan.
MIME-Version: 1.0 (generated by SEMI 1.13.7 - "Awazu")
Content-Type: text/plain; charset=US-ASCII
X-Dispatcher: imput version 980905(IM100)
Lines: 26

>>>>> On Wed, 19 Sep 2001 16:44:18 -0400,
>>>>> Joe Abley said:

jabley> The tunnel is configured like this:
>>
jabley> buffoon# ifconfig gif0
jabley> gif0: flags=8011 mtu 1280
jabley> inet6 fe80::2d0:b7ff:fe79:a0a7%gif0 --> :: prefixlen 64 scopeid 0x4
jabley> inet6 2001:438:1fff:ffff:8::32 --> 2001:438:1fff:ffff:8::31 prefixlen 126
>>
>> It should be /128.

> Problem solved. Thanks :)

Out of curiosity, why did you use /126 in the former configuration? We're now discussing how the kernel should treat IPv6 global addresses on a p2p link, and we are interested in actual users' intentions.

JINMEI, Tatuya
Communication Platform Lab.
Corporate R&D Center, Toshiba Corp.
jinmei@isl.rdc.toshiba.co.jp

p.s. if I understand correctly, FreeBSD 4.4 kernel now rejects a prefix length smaller than 128 when the "destination" address on a p2p link is specified.
From owner-freebsd-net Fri Sep 21 08:10:37 2001
Delivered-To: freebsd-net@freebsd.org
Received: from buffoon.automagic.org (buffoon.automagic.org [208.185.30.208]) by hub.freebsd.org (Postfix) with SMTP id E43D737B417 for ; Fri, 21 Sep 2001 08:10:33 -0700 (PDT)
Received: (qmail 11240 invoked by uid 1000); 21 Sep 2001 15:10:30 -0000
Date: Fri, 21 Sep 2001 11:10:30 -0400
From: Joe Abley
To: JINMEI Tatuya / 神明達哉
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: ipv6/gif/cisco syslog noise
Message-ID: <20010921111029.H4205@buffoon.automagic.org>
References: <20010919153739.K85635@buffoon.automagic.org> <20010920.050441.28824742.ume@mahoroba.org> <20010919164416.Q85635@buffoon.automagic.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To:
User-Agent: Mutt/1.3.22.1i

On Fri, Sep 21, 2001 at 11:33:46PM +0900, JINMEI Tatuya / 神明達哉 wrote:
> >>>>> On Wed, 19 Sep 2001 16:44:18 -0400,
> >>>>> Joe Abley said:
>
> jabley> The tunnel is configured like this:
> >>
> jabley> buffoon# ifconfig gif0
> jabley> gif0: flags=8011 mtu 1280
> jabley> inet6 fe80::2d0:b7ff:fe79:a0a7%gif0 --> :: prefixlen 64 scopeid 0x4
> jabley> inet6 2001:438:1fff:ffff:8::32 --> 2001:438:1fff:ffff:8::31 prefixlen 126
> >>
> >> It should be /128.
>
> > Problem solved. Thanks :)
>
> Out of curiosity, why did you use /126 in the former configuration?
> We're now discussing how the kernel should treat IPv6 global addresses
> on a p2p link, and we are interested in actual users' intentions.

I spend my waking hours arm-deep in cisco and Juniper routers, and those (and other) vendors frequently do not distinguish between ptp and (nb)ma networks in terms of addressing. In this case, on the cisco router which terminates the tunnel, defining the tunnel interface with a 126-bit netmask causes a /126 prefix to be distributed in the IGP, and this provides reachability information for both ends of the tunnel to other routers in the network.

If the cisco interface had been numbered with a 128-bit netmask, a /128 prefix would have been distributed which would have provided reachability information for the cisco tunnel interface, but not the FreeBSD gif interface. Hence traffic sourced from the FreeBSD box using that gif interface address as a source address would not get replies routed correctly.

My reason for using a 126-bit netmask on the FreeBSD router was mainly due to familiarity with the cisco/juniper way of doing things. I see that when I configure a gif interface with a 128-bit netmask and specify a destination, I get two host routes in the kernel (one for each end of the tunnel). This seems equally valid as far as propagation of the routes is concerned.

The reason for allocating four addresses (a 126-bit prefix) to the point-to-point link stems from similar practice in IPv4, I think (it wasn't my decision; it's current policy in AS6461).

Joe

From owner-freebsd-net Fri Sep 21 10:11:28 2001
Delivered-To: freebsd-net@freebsd.org
Received: from silby.com (cb34181-a.mdsn1.wi.home.com [24.14.173.39]) by hub.freebsd.org (Postfix) with ESMTP id 6731D37B413 for ; Fri, 21 Sep 2001 10:11:25 -0700 (PDT)
Received: (qmail 70515 invoked by uid 1000); 21 Sep 2001 17:11:24 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 21 Sep 2001 17:11:24 -0000
Date: Fri, 21 Sep 2001 12:11:24 -0500 (CDT)
From: Mike Silbersack
To: Tsuchiya Yoshihiro
Subject: Re: TCP performance question
In-Reply-To: <3BAAFA13.8040708@flab.fujitsu.co.jp>
Message-ID: <20010921121044.C70339-100000@achilles.silby.com>

On Fri, 21 Sep 2001, Tsuchiya Yoshihiro wrote:

> Mike Silbersack wrote:
> 
> >Try disabling delayed ACKs and see how that affects your results. The
> >default delay for delayed acks is 100ms.
> >
> >sysctl -w net.inet.tcp.delayed_ack=0
> >
> 
> I found a machine with FreeBSD4.3 and tried it, but it didn't work.
> 
> Yoshi

What didn't work? Were you unable to disable delayed acks, or did
disabling them have no effect?

Mike "Silby" Silbersack

From owner-freebsd-net Fri Sep 21 11:27:47 2001
Message-ID: <003301c142cb$1b924690$d93483d1@inktomi.com>
From: "Wilbert de Graaf"
To: "deepika kakrania"
References: <20010921092510.54909.qmail@web11207.mail.yahoo.com>
Subject: Re: IP multicasting...
Date: Fri, 21 Sep 2001 11:27:43 -0700

> But where is the validity check being done when query
> is Version 2 General query in which case
> igmp_group.s_addr SHOULD BE Zero and ip_dst.s_addr
> SHOULD be igmp_all_hosts_group.
> 
> i.e., we need a validity check something like
> 
>  if (igmp->igmp_group.s_addr == 0 &&
>      ip->ip_dst.s_addr != igmp_all_hosts_group) {
> 
>      ++igmpstat.igps_rcv_badqueries;
>      m_freem(m);
>      return;
>  }
> 
> Don't we need this for V2 GENERAL query?

Yes, you're right. The IGMPv2 indeed says the dest-ip of a general query
should be zero. This patch worked for me.

***************
*** 245,251 ****
  		 * New router. Simply do the new validity check.
  		 */
! 		if (igmp->igmp_group.s_addr != 0 &&
  		    !IN_MULTICAST(ntohl(igmp->igmp_group.s_addr))) {
  			++igmpstat.igps_rcv_badqueries;
  			m_freem(m);
--- 245,252 ----
  		 * New router. Simply do the new validity check.
  		 */
! 		if (igmp->igmp_group.s_addr == 0 ?
! 		    ip->ip_dst.s_addr != igmp_all_hosts_group :
  		    !IN_MULTICAST(ntohl(igmp->igmp_group.s_addr))) {
  			++igmpstat.igps_rcv_badqueries;
  			m_freem(m);

Wilbert

Btw. If you're interested, I have a patch for IGMPv3
(http://home.hetnet.nl/~wilbertdg/igmpv3.html). It doesn't include that
check either. I'll add the check to that patch later.
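Review bot: the new condition nests a `?:` inside the `if` without parentheses around either arm; it parses as intended (`?:` binds looser than `!=` and `!`), but it reads ambiguously, so either parenthesise both arms or split it into two `if` statements, one per query kind, each with a one-line comment saying what it rejects. Also, the general-query arm compares `ip->ip_dst.s_addr` with `igmp_all_hosts_group` without any byte-order conversion while the other arm goes through `ntohl()`; that is only correct if `igmp_all_hosts_group` is held in network byte order, which is worth confirming where it is initialised and recording in the comment, because a mismatch would make every general query count as bad. Finally, the group-specific arm still ignores `ip_dst`, so a group-specific query addressed to the wrong destination is still accepted; if that is deliberate, say so in the comment above the check.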
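The IGMPv2 query validity check discussed in this message, as an added stand-alone example (not the thread's patch and not FreeBSD kernel code) over a constructed packet; it goes one step further than the thread by optionally requiring a group-specific query to be addressed to the group it names, as RFC 2236 demands. The names validate_v2_query, make_query and bad_query_count are ours.

```c
/* Added example: IGMPv2 Membership Query validation on a constructed packet.
 * Not the thread's patch; function names are ours. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>          /* htonl, ntohl */

#define IGMP_MEMBERSHIP_QUERY  0x11
#define ALLHOSTS_GROUP         0xe0000001UL   /* 224.0.0.1, host byte order */
#define IGMP_MINLEN            8

/* Wire format of the IGMP header; every field is in network byte order. */
struct igmp_hdr {
    uint8_t  type;
    uint8_t  code;              /* max response time in IGMPv2 */
    uint16_t cksum;
    uint32_t group;
};

enum query_verdict {
    QUERY_OK = 0,
    QUERY_TOO_SHORT,            /* fewer than IGMP_MINLEN bytes */
    QUERY_NOT_A_QUERY,          /* type is not Membership Query */
    QUERY_BAD_DEST,             /* IP destination does not fit the query kind */
    QUERY_BAD_GROUP             /* group-specific query naming a non-multicast group */
};

/* Stand-in for the kernel's igmpstat.igps_rcv_badqueries counter. */
static unsigned long badqueries;
unsigned long bad_query_count(void) { return badqueries; }

/* 224.0.0.0/4 test, same meaning as the kernel's IN_MULTICAST() on a host-order address. */
static int is_multicast(uint32_t addr_h) { return (addr_h & 0xf0000000UL) == 0xe0000000UL; }

/* ip_dst_n : IP destination of the datagram, network byte order.
 * payload  : the IGMP message (what follows the IP header), len bytes long.
 * strict   : also require a group-specific query to be sent to the group it
 *            names (RFC 2236); the thread's patch does not check that. */
enum query_verdict
validate_v2_query(uint32_t ip_dst_n, const uint8_t *payload, size_t len, int strict)
{
    struct igmp_hdr igmp;
    uint32_t group_h;

    if (len < IGMP_MINLEN)
        return QUERY_TOO_SHORT;
    memcpy(&igmp, payload, sizeof igmp);          /* avoids unaligned access */
    if (igmp.type != IGMP_MEMBERSHIP_QUERY)
        return QUERY_NOT_A_QUERY;
    /* Checksum verification is left out here; in igmp_input() it happens
     * before any query-specific check. */

    group_h = ntohl(igmp.group);
    if (group_h == 0) {
        /* General Query: group field zero, must be addressed to 224.0.0.1. */
        if (ntohl(ip_dst_n) != ALLHOSTS_GROUP) {
            badqueries++;
            return QUERY_BAD_DEST;
        }
        return QUERY_OK;
    }
    /* Group-Specific Query: the named group has to be a multicast address ... */
    if (!is_multicast(group_h)) {
        badqueries++;
        return QUERY_BAD_GROUP;
    }
    /* ... and, strictly, the datagram has to be sent to that very group. */
    if (strict && ip_dst_n != igmp.group) {
        badqueries++;
        return QUERY_BAD_DEST;
    }
    return QUERY_OK;
}

/* Build a constructed Membership Query for a group given in host byte order
 * (checksum left zero; it is not verified above). Returns a static buffer. */
const uint8_t *make_query(uint32_t group_h)
{
    static uint8_t buf[IGMP_MINLEN];
    struct igmp_hdr igmp = { IGMP_MEMBERSHIP_QUERY, 100, 0, htonl(group_h) };
    memcpy(buf, &igmp, sizeof igmp);
    return buf;
}

int main(void)
{
    static const char *names[] = { "ok", "too short", "not a query", "bad dest", "bad group" };
    enum query_verdict v;

    /* A general query delivered to a unicast address must be dropped ... */
    v = validate_v2_query(htonl(0xc0a80101UL), make_query(0), IGMP_MINLEN, 0);
    printf("general query to 192.168.1.1: %s\n", names[v]);
    /* ... while one delivered to all-hosts is fine. */
    v = validate_v2_query(htonl(ALLHOSTS_GROUP), make_query(0), IGMP_MINLEN, 0);
    printf("general query to 224.0.0.1:   %s\n", names[v]);
    return 0;
}
```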
From owner-freebsd-net Fri Sep 21 13:11:44 2001
Date: Fri, 21 Sep 2001 13:58:17 -0700 (PDT)
From: Julian Elischer
To: Brian Somers
Cc: net@FreeBSD.ORG
Subject: Re: IPSEC question..
In-Reply-To: <200109210847.f8L8l3R32993@hak.lan.Awfulhak.org>

On Fri, 21 Sep 2001, Brian Somers wrote:

> > The sample docs and the daemon-news
> > article get me part way started to making an encrypted
> > tunnel using IPsec4 between two networks.
> > However they are really quite confusing...
> > 
> > Is there a SIMPLE description of what all the parts do?
> > 
> > I have a gif tunnel going, but it's not clear to me how I make this tunnel
> > start encrypting the damned data.
> > 
> > I've fiddled with several commands (e.g. setkey) but tcpdump keeps showing
> > plain encapsulated packets...no encryption..
> 
> Once you've got the gif tunnel working, say with top addresses
> 10.0.0.1 and 10.0.0.2 and tunnel addresses 1.2.3.4 and 5.6.7.8,
> create an /etc/ipsec.conf that says:

which are the 'top' addresses? outer or inner?
i.e.

(A)gif0:-------(B)ed0-------------ed0(C)--------gif0(D)

> 
> spdadd 1.2.3.4/32 5.6.7.8/32 ip4 -P in ipsec esp/transport//require;
> spdadd 5.6.7.8/32 1.2.3.4/32 ip4 -P out ipsec esp/transport//require;
> 

ip4?
I need to run this on 4.1.1 machines.

> This is your setkey input. The ``ip4'' bit tells ipsec to only touch
> IP-in-IP traffic, so comms going from an internal LAN to an external
> gateway address (1.2.3.4 or 5.6.7.8) won't be encrypted (but may be
> NAT'd). Only the gif-encapsulated traffic is encrypted.
> 
> Then add this to /etc/rc.conf:
> 
> ipsec_enable=YES
> ipsec_file=/etc/ipsec.conf
> 
> Once this is done, arrange to have racoon running on each end and
> everything should work. Using a shared secret in /usr/local/etc/
> racoon/psk.txt is the easiest:
> 
> 1.2.3.4 akeythatnobodyisgoingtocrack
> 
> and running racoon -F helps initially.
> 
> > -- 
> > +------------------------------------+       ______ _  __
> > |      __--_|\  Julian Elischer       |       \     U \/ / hard at work in
> > |     /       \ julian@elischer.org   +------>x   USA    \ a very strange
> > |   (   OZ    ) \___ ___ |                    country !
> > +- X_.---._/    presently in San Francisco \_/   \\
> >           v
> 
> Good luck !
> -- 
> Brian
> http://www.freebsd-services.com/
> Don't _EVER_ lose your sense of humour !

From owner-freebsd-net Fri Sep 21 17:23:31 2001
Message-Id: <200109220023.f8M0NIR46299@hak.lan.Awfulhak.org>
To: Julian Elischer
Cc: Brian Somers, net@FreeBSD.ORG, brian@freebsd-services.com
Subject: Re: IPSEC question..
In-Reply-To: Message from Julian Elischer of "Fri, 21 Sep 2001 13:58:17 PDT."
Date: Sat, 22 Sep 2001 01:23:18 +0100
From: Brian Somers

> > Once you've got the gif tunnel working, say with top addresses
> > 10.0.0.1 and 10.0.0.2 and tunnel addresses 1.2.3.4 and 5.6.7.8,
> > create an /etc/ipsec.conf that says:
> 
> 
> which are the 'top' addresses? outer or inner?
> i.e.
> 
> (A)gif0:-------(B)ed0-------------ed0(C)--------gif0(D)

By ``top'' I mean the gif addresses. By tunnel addresses I mean the
endpoint addresses. For my examples:

gif0: flags=8051 mtu 1280
        tunnel inet 1.2.3.4 --> 5.6.7.8
        inet 10.0.0.1 --> 10.0.0.2 netmask 0xffffffff

> > spdadd 1.2.3.4/32 5.6.7.8/32 ip4 -P in ipsec esp/transport//require;
> > spdadd 5.6.7.8/32 1.2.3.4/32 ip4 -P out ipsec esp/transport//require;
> > 
> 
> ip4?
> I need to run this on 4.1.1 machines.

You're really better off applying the one-line fix to token.l to support
the ip4 syntax. It removes many problems - especially if you intend to
run NAT on your machines. You should have the kernel support in 4.1.1.

-- 
Brian
http://www.freebsd-services.com/
Don't _EVER_ lose your sense of humour !

From owner-freebsd-net Sat Sep 22 6:03:05 2001
Message-Id: <200109221259.UAA13854@venus.cyber.mmu.edu.my>
From: nuzrin yaapar
Reply-To: nuzrin@goose.net.my
Organization: multimedia university
To: freebsd-net@freebsd.org
Subject: sendto: Too many levels of symbolic links
Date: Sat, 22 Sep 2001 21:12:47 +0800

What does that message mean? Whenever I get that message, the connection
seems to 'freeze' for around 30 seconds... before it returns to normal
behaviour again.

From owner-freebsd-net Sat Sep 22 11:33:38 2001
Message-ID: <3BACD963.1DC74B9B@isi.edu>
Date: Sat, 22 Sep 2001 11:33:07 -0700
From: Lars Eggert
Organization: USC Information Sciences Institute
To: net@freebsd.org, archie@freebsd.org
Subject: VPN client with mpd

Hi,

I'm trying to set up a VPN client on my FreeBSD laptop, so I can tunnel
through to work from home. I've played with both mpd and pptpclient from
ports, and mpd seems more robust (pptpclient likes to sometimes start
eating all CPU time). So I'd decided to do this with mpd; please let me
know if this was the wrong choice from the start.

Here's my setup:

LAPTOP <-----> NAT <--...INTERNET...--> VPN-SERVER <-----> INTRANET

I started with the examples under /usr/local/etc/mpd, slightly changing
the defaults to what I thought were the correct values for my setup.
I've created mpd.secret with the correct login/password mapping for
LOGIN.

Here's my mpd.conf:

default:
        load vpn

vpn:
        new -i ng1 vpn vpn
        set iface disable on-demand
        set iface addrs 192.168.1.1 192.168.2.1
        set iface idle 0
        set iface route 192.168.2.0/24
        set bundle disable multilink
        set bundle authname
        set link yes acfcomp protocomp
        set link no pap
        set link yes chap
        # If remote machine is NT you need this..
        # set link enable no-orig-auth
        set link keep-alive 10 75
        set ipcp yes vjcomp
        set ipcp ranges 192.168.1.1/32 192.168.2.1/32
        # If you wanted MPPE encryption and had ng_mppc(8)...
        set bundle enable compression
        set ccp yes mppc
        set ccp yes mpp-e40
        set ccp yes mpp-e128
        set bundle enable crypt-reqd
        set ccp yes mpp-stateless
        open

And here's my mpd.links:

vpn:
        set link type pptp
        set pptp peer
        set pptp enable originate incoming outcall

mpd starts negotiating security parameters (as far as I can tell), but
never succeeds. Attached is a log (VPN-SERVER.log) of the connection
attempt. Anyone have any ideas on what I'm doing wrong? The VPN-SERVER
I'm trying to connect to is a Windows RAS server, AFAIK.

We also have some Cisco hardware VPN server for evaluation. Attempting
to connect to that one is even worse, the negotiation terminates much
earlier. I've attached a second log (CISCO-SERVER.log) of that
connection attempt. I'd much rather get the tunnel to the Cisco working,
since it's faster.

Finally, I can connect to both the RAS and the Cisco server using
Windows PPTP, and Macintosh NTS Tunnelbuilder. Heck, if the Mac can do
it, so must FreeBSD! :-)

Thanks,
Lars
-- 
Lars Eggert                           Information Sciences Institute
http://www.isi.edu/larse/             University of Southern California

VPN-SERVER.log:

Multi-link PPP for FreeBSD, by Archie L. Cobbs.
Based on iij-ppp, by Toshiharu OHNO.
mpd: pid 89780, version 3.2 (root@gohan13.freebsd.org 18:38 13-Sep-2001)
[vpn] ppp node is "mpd89780-vpn"
[vpn] using interface ng1
mpd: local IP address for PPTP is 0.0.0.0
[vpn] IFACE: Open event
[vpn] IPCP: Open event
[vpn] IPCP: state change Initial --> Starting
[vpn] IPCP: LayerStart
[vpn:vpn]
[vpn] bundle: OPEN event in state CLOSED
[vpn] opening link "vpn"...
[vpn] link: OPEN event
[vpn] LCP: Open event
[vpn] LCP: state change Initial --> Starting
[vpn] LCP: LayerStart
[vpn] device: OPEN event in state DOWN
pptp0: connecting to :1723
[vpn] device is now in state OPENING
pptp0: connected to :1723
pptp0: attached to connection with :1723
pptp0-0: outgoing call connected at 64000 bps
[vpn] PPTP call successful
[vpn] device: UP event in state OPENING
[vpn] device is now in state UP
[vpn] link: UP event
[vpn] link: origination is local
[vpn] LCP: Up event
[vpn] LCP: state change Starting --> Req-Sent
[vpn] LCP: phase shift DEAD --> ESTABLISH
[vpn] LCP: SendConfigReq #1 ACFCOMP PROTOCOMP MRU 1500 MAGICNUM b3e88460 AUTHPROTO CHAP MSOFT
[vpn] LCP: SendConfigReq #2 ACFCOMP PROTOCOMP MRU 1500 MAGICNUM b3e88460 AUTHPROTO CHAP MSOFT
[vpn] LCP: rec'd Configure Request #0 link 0 (Req-Sent) AUTHPROTO CHAP MSOFTv2 MAGICNUM 00006eb8 PROTOCOMP ACFCOMP MP MRRU 1614 ENDPOINTDISC [LOCAL] 4a a3 dd 5f e0 3b 40 5d 93 4b 5a 6d b7 d3 f1 f3 00 00 00 00
[vpn] LCP: SendConfigRej #0 MP MRRU 1614
[vpn] LCP: rec'd Configure Ack #2 link 0 (Req-Sent) ACFCOMP PROTOCOMP MRU 1500 MAGICNUM b3e88460 AUTHPROTO CHAP MSOFT
[vpn] LCP: state change Req-Sent --> Ack-Rcvd
[vpn] LCP: rec'd Configure Request #1 link 0 (Ack-Rcvd) AUTHPROTO CHAP MSOFTv2 MAGICNUM 00006eb8 PROTOCOMP ACFCOMP ENDPOINTDISC [LOCAL] 4a a3 dd 5f e0 3b 40 5d 93 4b 5a 6d b7 d3 f1 f3 00 00 00 00
[vpn] LCP: SendConfigNak #1 AUTHPROTO CHAP MSOFT
[vpn] LCP: rec'd Configure Request #2 link 0 (Ack-Rcvd) AUTHPROTO CHAP MSOFT MAGICNUM 00006eb8 PROTOCOMP ACFCOMP ENDPOINTDISC [LOCAL] 4a a3 dd 5f e0 3b 40 5d 93 4b 5a 6d b7 d3 f1 f3 00 00 00 00
[vpn] LCP: SendConfigAck #2 AUTHPROTO CHAP MSOFT MAGICNUM 00006eb8 PROTOCOMP ACFCOMP ENDPOINTDISC [LOCAL] 4a a3 dd 5f e0 3b 40 5d 93 4b 5a 6d b7 d3 f1 f3 00 00 00 00
[vpn] LCP: state change Ack-Rcvd --> Opened
[vpn] LCP: phase shift ESTABLISH --> AUTHENTICATE
[vpn] LCP: auth: peer wants CHAP, I want CHAP
[vpn] CHAP: sending CHALLENGE
[vpn] LCP: LayerUp
pptp0: CID 0x00ba in SetLinkInfo not found
[vpn] CHAP: rec'd CHALLENGE #124
 Name: ""
 Using authname ""
mpd: warning: line too long, truncated
[vpn] CHAP: sending RESPONSE
[vpn] CHAP: rec'd SUCCESS #124
[vpn] LCP: rec'd Configure Request #4 link 0 (Opened) AUTHPROTO CHAP MSOFTv2 MAGICNUM 00006f5c PROTOCOMP ACFCOMP MP MRRU 1614 ENDPOINTDISC [LOCAL] 4a a3 dd 5f e0 3b 40 5d 93 4b 5a 6d b7 d3 f1 f3 00 00 00 00
[vpn] LCP: LayerDown
[vpn] LCP: SendConfigReq #3 ACFCOMP PROTOCOMP MRU 1500 MAGICNUM b3e88460 AUTHPROTO CHAP MSOFT
[vpn] LCP: SendConfigRej #4 MP MRRU 1614
[vpn] LCP: state change Opened --> Req-Sent
[vpn] LCP: phase shift AUTHENTICATE --> ESTABLISH
[vpn] LCP: rec'd Configure Reject #3 link 0 (Req-Sent) AUTHPROTO CHAP MSOFT
[vpn] LCP: SendConfigReq #4 ACFCOMP PROTOCOMP MRU 1500 MAGICNUM b3e88460 AUTHPROTO CHAP MSOFT
[vpn] LCP: rec'd Configure Request #5 link 0 (Req-Sent) AUTHPROTO CHAP MSOFTv2 MAGICNUM 00006f5c PROTOCOMP ACFCOMP ENDPOINTDISC [LOCAL] 4a a3 dd 5f e0 3b 40 5d 93 4b 5a 6d b7 d3 f1 f3 00 00 00 00
[vpn] LCP: SendConfigNak #5 AUTHPROTO CHAP MSOFT
[vpn] LCP: rec'd Configure Reject #4 link 0 (Req-Sent) AUTHPROTO CHAP MSOFT
[vpn] LCP: SendConfigReq #5 ACFCOMP PROTOCOMP MRU 1500 MAGICNUM b3e88460 AUTHPROTO CHAP MSOFT
[vpn] LCP: rec'd Configure Request #6 link 0 (Req-Sent) AUTHPROTO CHAP MSOFT MAGICNUM 00006f5c PROTOCOMP ACFCOMP ENDPOINTDISC [LOCAL] 4a a3 dd 5f e0 3b 40 5d 93 4b 5a 6d b7 d3 f1 f3 00 00 00 00
[vpn] LCP: SendConfigAck #6 AUTHPROTO CHAP MSOFT MAGICNUM 00006f5c PROTOCOMP ACFCOMP ENDPOINTDISC [LOCAL] 4a a3 dd 5f e0 3b 40 5d 93 4b 5a 6d b7 d3 f1 f3 00 00 00 00
[vpn] LCP: state change Req-Sent --> Ack-Sent
[vpn] LCP: rec'd Configure Reject #5 link 0 (Ack-Sent) AUTHPROTO CHAP MSOFT
[vpn] LCP: SendConfigReq #6 ACFCOMP PROTOCOMP MRU 1500 MAGICNUM b3e88460 AUTHPROTO CHAP MSOFT
[vpn] LCP: rec'd Configure Reject #6 link 0 (Ack-Sent) AUTHPROTO CHAP MSOFT
[vpn] LCP: SendConfigReq #7 ACFCOMP PROTOCOMP MRU 1500 MAGICNUM b3e88460 AUTHPROTO CHAP MSOFT
[vpn] LCP: rec'd Configure Reject #7 link 0 (Ack-Sent) AUTHPROTO CHAP MSOFT
[vpn] LCP: SendConfigReq #8 ACFCOMP PROTOCOMP MRU 1500 MAGICNUM b3e88460 AUTHPROTO CHAP MSOFT
[vpn] LCP: rec'd Terminate Request #7 link 0 (Ack-Sent)
[vpn] LCP: state change Ack-Sent --> Req-Sent
[vpn] LCP: SendTerminateAck #9
pptp0: CID 0x00ba in SetLinkInfo not found
[vpn] LCP: rec'd Terminate Request #8 link 0 (Req-Sent)
[vpn] LCP: SendTerminateAck #10
[vpn] LCP: SendConfigReq #11 ACFCOMP PROTOCOMP MRU 1500 MAGICNUM b3e88460 AUTHPROTO CHAP MSOFT
pptp0-0: peer call disconnected res=admin action err=none
pptp0-0: killing channel
[vpn] PPTP call terminated
pptp0: closing connection with :1723
[vpn] device: DOWN event in state UP
[vpn] device is now in state DOWN
[vpn] link: DOWN event
[vpn] LCP: Down event
[vpn] LCP: state change Req-Sent --> Starting
[vpn] LCP: phase shift ESTABLISH --> DEAD
pptp0: invalid length 16 for type 4
pptp0: killing connection with :1723
[vpn] device: OPEN event in state DOWN
[vpn] pausing 9 seconds before open
[vpn] device is now in state DOWN
[vpn] IPCP: Down event
[vpn] IFACE: Close event
[vpn] IPCP: Close event
[vpn] IPCP: state change Starting --> Initial
[vpn] IPCP: LayerFinish
mpd: process 89780 terminated

CISCO-SERVER.log:

Multi-link PPP for FreeBSD, by Archie L. Cobbs.
Based on iij-ppp, by Toshiharu OHNO.
mpd: pid 89796, version 3.2 (root@gohan13.freebsd.org 18:38 13-Sep-2001)
[vpn] ppp node is "mpd89796-vpn"
[vpn] using interface ng1
mpd: local IP address for PPTP is 0.0.0.0
[vpn] IFACE: Open event
[vpn] IPCP: Open event
[vpn] IPCP: state change Initial --> Starting
[vpn] IPCP: LayerStart
[vpn:vpn]
[vpn] bundle: OPEN event in state CLOSED
[vpn] opening link "vpn"...
[vpn] link: OPEN event
[vpn] LCP: Open event
[vpn] LCP: state change Initial --> Starting
[vpn] LCP: LayerStart
[vpn] device: OPEN event in state DOWN
pptp0: connecting to :1723
[vpn] device is now in state OPENING
pptp0: connected to :1723
pptp0: attached to connection with :1723
pptp0-0: outgoing call connected at 10000000 bps
[vpn] PPTP call successful
[vpn] device: UP event in state OPENING
[vpn] device is now in state UP
[vpn] link: UP event
[vpn] link: origination is local
[vpn] LCP: Up event
[vpn] LCP: state change Starting --> Req-Sent
[vpn] LCP: phase shift DEAD --> ESTABLISH
[vpn] LCP: SendConfigReq #1 ACFCOMP PROTOCOMP MRU 1500 MAGICNUM 91fdfc70 AUTHPROTO CHAP MSOFT
[vpn] LCP: SendConfigReq #2 ACFCOMP PROTOCOMP MRU 1500 MAGICNUM 91fdfc70 AUTHPROTO CHAP MSOFT
[vpn] LCP: rec'd Configure Reject #2 link 0 (Req-Sent) AUTHPROTO CHAP MSOFT
[vpn] LCP: SendConfigReq #3 ACFCOMP PROTOCOMP MRU 1500 MAGICNUM 91fdfc70 AUTHPROTO CHAP MSOFT
[vpn] LCP: rec'd Configure Reject #3 link 0 (Req-Sent) AUTHPROTO CHAP MSOFT
[vpn] LCP: SendConfigReq #4 ACFCOMP PROTOCOMP MRU 1500 MAGICNUM 91fdfc70 AUTHPROTO CHAP MSOFT
[vpn] LCP: rec'd Configure Reject #4 link 0 (Req-Sent) AUTHPROTO CHAP MSOFT
[vpn] LCP: SendConfigReq #5 ACFCOMP PROTOCOMP MRU 1500 MAGICNUM 91fdfc70 AUTHPROTO CHAP MSOFT
[vpn] LCP: rec'd Configure Reject #5 link 0 (Req-Sent) AUTHPROTO CHAP MSOFT
[vpn] LCP: SendConfigReq #6 ACFCOMP PROTOCOMP MRU 1500 MAGICNUM 91fdfc70 AUTHPROTO CHAP MSOFT
[vpn] LCP: rec'd Configure Reject #6 link 0 (Req-Sent) AUTHPROTO CHAP MSOFT
[vpn] LCP: SendConfigReq #7 ACFCOMP PROTOCOMP MRU 1500 MAGICNUM 91fdfc70 AUTHPROTO CHAP MSOFT
[vpn] LCP: rec'd Configure Reject #7 link 0 (Req-Sent) AUTHPROTO CHAP MSOFT
[vpn] LCP: SendConfigReq #8 ACFCOMP PROTOCOMP MRU 1500 MAGICNUM 91fdfc70 AUTHPROTO CHAP MSOFT
[vpn] LCP: rec'd Configure Reject #8 link 0 (Req-Sent) AUTHPROTO CHAP MSOFT
[vpn] LCP: SendConfigReq #9 ACFCOMP PROTOCOMP MRU 1500 MAGICNUM 91fdfc70 AUTHPROTO CHAP MSOFT
[vpn] LCP: rec'd Configure Reject #9 link 0 (Req-Sent) AUTHPROTO CHAP MSOFT
[vpn] LCP: SendConfigReq #10 ACFCOMP PROTOCOMP MRU 1500 MAGICNUM 91fdfc70 AUTHPROTO CHAP MSOFT
[vpn] LCP: rec'd Configure Reject #10 link 0 (Req-Sent) AUTHPROTO CHAP MSOFT
[vpn] LCP: not converging
[vpn] LCP: parameter negotiation failed
[vpn] LCP: state change Req-Sent --> Stopped
[vpn] LCP: LayerFinish
[vpn] device: CLOSE event in state UP
pptp0-0: clearing call
[vpn] device is now in state CLOSING
[vpn] device: DOWN event in state CLOSING
[vpn] device is now in state DOWN
[vpn] link: DOWN event
[vpn] LCP: Down event
[vpn] LCP: state change Stopped --> Starting
[vpn] LCP: phase shift ESTABLISH --> DEAD
[vpn] LCP: LayerStart
[vpn] device: OPEN event in state DOWN
[vpn] pausing 7 seconds before open
[vpn] device is now in state DOWN
pptp0-0: peer call disconnected res=lost carrier err=none
pptp0-0: killing channel
pptp0: closing connection with :1723
[vpn] device: OPEN event in state DOWN
[vpn] device is now in state DOWN
pptp0: invalid length 16 for type 4
pptp0: killing connection with :1723
[vpn] IPCP: Down event
[vpn] IFACE: Close event
[vpn] IPCP: Close event
[vpn] IPCP: state change Starting --> Initial
[vpn] IPCP: LayerFinish
mpd: process 89796 terminated

Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
From owner-freebsd-net Sat Sep 22 13:35:57 2001
Message-Id: <200109222035.f8MKZkR34433@hak.lan.Awfulhak.org>
To: Lars Eggert
Cc: net@FreeBSD.ORG, archie@FreeBSD.ORG, brian@freebsd-services.com
Subject: Re: VPN client with mpd
In-Reply-To: Message from Lars Eggert of "Sat, 22 Sep 2001 11:33:07 PDT." <3BACD963.1DC74B9B@isi.edu>
Date: Sat, 22 Sep 2001 21:35:46 +0100
From: Brian Somers

> Hi,
> 
> I'm trying to set up a VPN client on my FreeBSD laptop, so I can tunnel
> through to work from home. I've played with both mpd and pptpclient from
> ports, and mpd seems more robust (pptpclient likes to sometimes start
> eating all CPU time). So I'd decided to do this with mpd; please let me
> know if this was the wrong choice from the start.
> 
> Here's my setup:
> 
> LAPTOP <-----> NAT <--...INTERNET...--> VPN-SERVER <-----> INTRANET
> 
> I started with the examples under /usr/local/etc/mpd, slightly changing
> the defaults to what I thought were the correct values for my setup.
> I've created mpd.secret with the correct login/password mapping for
> LOGIN.
> 
> Here's my mpd.conf:
> 
> default:
>         load vpn
> 
> vpn:
>         new -i ng1 vpn vpn
>         set iface disable on-demand
>         set iface addrs 192.168.1.1 192.168.2.1
>         set iface idle 0
>         set iface route 192.168.2.0/24
>         set bundle disable multilink
>         set bundle authname
>         set link yes acfcomp protocomp
>         set link no pap
>         set link yes chap
          ^^^^^^^^^^^^^^^^^

I'm no mpd expert, but I believe this makes mpd insist that the peer
authenticates itself. Try removing it.

[.....]

-- 
Brian
http://www.freebsd-services.com/
Don't _EVER_ lose your sense of humour !
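An added example, not code from the thread or from mpd: a small analyser for the LCP lines of mpd logs like the two attached above. It tallies how often the peer Configure-Rejected our AUTHPROTO option and whether LCP gave up, which is the pattern behind Brian's diagnosis of "set link yes chap", and separately recognises the RAS case where CHAP succeeded and the link was torn down afterwards. Function and type names are ours; the sample excerpts are constructed from lines in the two logs.

```c
/* Added example: classify LCP failures in mpd log output. Names are ours. */
#include <stdio.h>
#include <string.h>

/* What we tally from the LCP/CHAP lines of an mpd log. */
struct lcp_summary {
    int config_requests;      /* our "LCP: SendConfigReq" lines */
    int authproto_rejects;    /* peer Configure-Rejects that carry AUTHPROTO */
    int not_converging;       /* saw "LCP: not converging" */
    int auth_success;         /* saw "CHAP: rec'd SUCCESS" */
    int peer_terminated;      /* saw "rec'd Terminate Request" */
};

enum lcp_verdict {
    LCP_FINE,                 /* nothing suspicious in the LCP lines */
    LCP_PEER_REFUSES_AUTH,    /* peer keeps rejecting our AUTHPROTO demand, LCP gave up */
    LCP_AUTH_THEN_TORN_DOWN,  /* we passed CHAP, then AUTHPROTO renegotiation failed */
    LCP_NOT_CONVERGING        /* LCP gave up for some other option */
};

/* Classify one log line into the summary; returns 1 if the line was used. */
int lcp_feed(struct lcp_summary *s, const char *line)
{
    if (strstr(line, "LCP: SendConfigReq"))      { s->config_requests++;   return 1; }
    if (strstr(line, "LCP: rec'd Configure Reject") && strstr(line, "AUTHPROTO")) {
        s->authproto_rejects++;
        return 1;
    }
    if (strstr(line, "LCP: not converging"))     { s->not_converging = 1;  return 1; }
    if (strstr(line, "CHAP: rec'd SUCCESS"))     { s->auth_success = 1;    return 1; }
    if (strstr(line, "rec'd Terminate Request")) { s->peer_terminated = 1; return 1; }
    return 0;
}

/* Walk a whole log held in one string, one record per '\n'. */
struct lcp_summary lcp_analyse(const char *log)
{
    struct lcp_summary s = {0, 0, 0, 0, 0};
    char line[512];
    const char *p = log;

    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t full = nl ? (size_t)(nl - p) : strlen(p);
        size_t n = full < sizeof line ? full : sizeof line - 1;   /* truncate overlong lines */
        memcpy(line, p, n);
        line[n] = '\0';
        lcp_feed(&s, line);
        p += full + (nl ? 1 : 0);
    }
    return s;
}

enum lcp_verdict lcp_judge(const struct lcp_summary *s)
{
    if (s->auth_success && (s->authproto_rejects || s->peer_terminated))
        return LCP_AUTH_THEN_TORN_DOWN;
    if (s->not_converging && s->authproto_rejects >= 2)
        return LCP_PEER_REFUSES_AUTH;
    if (s->not_converging)
        return LCP_NOT_CONVERGING;
    return LCP_FINE;
}

/* Convenience wrappers so a caller can go straight from text to a verdict. */
enum lcp_verdict lcp_diagnose(const char *log)
{
    struct lcp_summary s = lcp_analyse(log);
    return lcp_judge(&s);
}
int lcp_authproto_rejects(const char *log) { return lcp_analyse(log).authproto_rejects; }

/* Constructed excerpts: the lines are copied from the two logs in the thread. */
static const char cisco_excerpt[] =
    "[vpn] LCP: SendConfigReq #1 ACFCOMP PROTOCOMP MRU 1500 MAGICNUM 91fdfc70 AUTHPROTO CHAP MSOFT\n"
    "[vpn] LCP: SendConfigReq #2 ACFCOMP PROTOCOMP MRU 1500 MAGICNUM 91fdfc70 AUTHPROTO CHAP MSOFT\n"
    "[vpn] LCP: rec'd Configure Reject #2 link 0 (Req-Sent) AUTHPROTO CHAP MSOFT\n"
    "[vpn] LCP: SendConfigReq #3 ACFCOMP PROTOCOMP MRU 1500 MAGICNUM 91fdfc70 AUTHPROTO CHAP MSOFT\n"
    "[vpn] LCP: rec'd Configure Reject #3 link 0 (Req-Sent) AUTHPROTO CHAP MSOFT\n"
    "[vpn] LCP: not converging\n"
    "[vpn] LCP: parameter negotiation failed\n";

static const char ras_excerpt[] =
    "[vpn] LCP: auth: peer wants CHAP, I want CHAP\n"
    "[vpn] CHAP: sending RESPONSE\n"
    "[vpn] CHAP: rec'd SUCCESS #124\n"
    "[vpn] LCP: SendConfigReq #3 ACFCOMP PROTOCOMP MRU 1500 MAGICNUM b3e88460 AUTHPROTO CHAP MSOFT\n"
    "[vpn] LCP: rec'd Configure Reject #3 link 0 (Req-Sent) AUTHPROTO CHAP MSOFT\n"
    "[vpn] LCP: rec'd Terminate Request #7 link 0 (Ack-Sent)\n";

int main(void)
{
    static const char *names[] = { "fine", "peer refuses to authenticate to us",
                                   "authenticated, then torn down", "not converging" };
    printf("CISCO-SERVER.log: %s (%d AUTHPROTO rejects)\n",
           names[lcp_diagnose(cisco_excerpt)], lcp_authproto_rejects(cisco_excerpt));
    printf("VPN-SERVER.log:   %s\n", names[lcp_diagnose(ras_excerpt)]);
    return 0;
}
```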