From owner-freebsd-ipfw@FreeBSD.ORG Sun Jul 4 12:05:00 2004
From: Dan Pelleg
To: Barbish3@adelphia.net
Cc: freebsd-stable@freebsd.org, Rob, freebsd-ipfw@freebsd.org
Date: Sun, 04 Jul 2004 08:04:53 -0400
Subject: Re: IPFIREWALL_VERBOSE_LIMIT ignored by recent kernel/world?

I have a patch for that in kern/46080. Note I haven't tested it in a while

http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/46080

--
Dan Pelleg

"JJB" writes:

> Verbose limit is a sysctl knob now, you can display it to see
> current setting or change it without a reboot. Check your
> newsyslog.conf file to verify the rotate trigger is the same as you
> were using before.
>
> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Rob
> Sent: Sunday, July 04, 2004 12:37 AM
> To: freebsd-stable@freebsd.org; freebsd-questions@freebsd.org
> Subject: IPFIREWALL_VERBOSE_LIMIT ignored by recent kernel/world?
>
>
> Hello,
>
> I have one PC with updated kernel/world from June 25th, and another
> from June 10th, all with sources for STABLE.
>
> Both PCs have a firewall. Neither of the two seems to obey the
> verbose limit of 100, that I put in the kernel configuration file.
>
> In the past, /var/log/secure used to rotate once a week or so, but
> now it does in less than 30 minutes due to the overwhelming amount
> of firewall logs.
>
> The kernel configuration has following lines, related to the
> firewall:
>
> options IPDIVERT
> options IPFW2                         # version 2 IPFW
> options IPFIREWALL                    # firewall
> options IPFIREWALL_VERBOSE            # enable logging to syslogd(8)
> options IPFIREWALL_VERBOSE_LIMIT=100  # limit verbosity
> options IPFIREWALL_DEFAULT_TO_ACCEPT  # allow everything by default
>
> and I have in /etc/make.conf:
>
> IPFW2=TRUE
>
>
> Any idea what is going wrong here?
>
> Thanks,
> Rob.
>
>

From owner-freebsd-ipfw@FreeBSD.ORG Sun Jul 4 22:21:21 2004
From: Scott Stahl
To: "Freebsd-Ipfw@Freebsd. Org"
Date: Sun, 04 Jul 2004 16:21:17 -0600
Subject: Server FW Rules

I have a webserver that I would like to get a good set of firewall rules
for. The only services that are running are http, https, ssh and ftp.
I also have a trusted internal adaptor at 10.0.0.100

Thanks for your input,

Scott.

From owner-freebsd-ipfw@FreeBSD.ORG Sun Jul 4 22:59:16 2004
From: "Pedro Paulo Jr"
Date: Sun, 4 Jul 2004 19:59:22 -0300
Subject: ipfw string module

Hi,

I was planning to use FreeBSD to avoid P2P in my network. The problem is
that every GPL solution for this uses the string module of iptables.

Is there something similar in IPFW?

Thanks in advance,

Pedro Paulo Jr

From owner-freebsd-ipfw@FreeBSD.ORG Sun Jul 4 23:05:40 2004
From: "Pedro Paulo Jr"
Date: Sun, 4 Jul 2004 20:05:48 -0300
Subject: Re: Server FW Rules

ipfw add 10 allow all from 10.0.0.0/24 to any
ipfw add 20 allow tcp from any to EXTERNAL_IP http
ipfw add 30 allow tcp from any to EXTERNAL_IP https
ipfw add 40 allow tcp from any to EXTERNAL_IP ssh
ipfw add 50 allow tcp from any to EXTERNAL_IP ftp
ipfw add deny all from any to any

----------------------------------------------------------------------

I have a
webserver that I would like to get a good set of firewall rules for.
The only services that are running are http, https, ssh and ftp.
I also have a trusted internal adaptor at 10.0.0.100

Thanks for your input,

Scott.

From owner-freebsd-ipfw@FreeBSD.ORG Sun Jul 4 23:45:53 2004
From: Scott Stahl
To: 'Pedro Paulo Jr', freebsd-ipfw@freebsd.org
Date: Sun, 04 Jul 2004 17:45:50 -0600
Subject: RE: Server FW Rules

These rules don't seem to work. The internal 10.0.0.100 works though. If I
issue an IPFW DISABLE FIREWALL all seems to work.

Thanks,

Scott.

-----Original Message-----
From: owner-freebsd-ipfw@freebsd.org
[mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of Pedro Paulo Jr
Sent: Sunday, July 04, 2004 5:06 PM
To: freebsd-ipfw@freebsd.org
Subject: Re: Server FW Rules

ipfw add 10 allow all from 10.0.0.0/24 to any
ipfw add 20 allow tcp from any to EXTERNAL_IP http
ipfw add 30 allow tcp from any to EXTERNAL_IP https
ipfw add 40 allow tcp from any to EXTERNAL_IP ssh
ipfw add 50 allow tcp from any to EXTERNAL_IP ftp
ipfw add deny all from any to any

----------------------------------------------------------------------

I have a webserver that I would like to get a good set of firewall rules
for. The only services that are running are http, https, ssh and ftp.
I also have a trusted internal adaptor at 10.0.0.100

Thanks for your input,

Scott.
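
Why the posted rules pass internal traffic but not external clients, as an added example that is not part of the thread: rules 20-50 only match packets going to EXTERNAL_IP, so the server's replies (source EXTERNAL_IP) fall through to the final deny. The script models that first-match behaviour and prints a stateful variant; `EXT_IP`, `INT_IF`, the client address and the two outbound rules are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. EXT_IP and CLIENT are constructed
# placeholders (documentation ranges); INT_IF is a hypothetical interface name.
# 10.0.0.0/24 is the trusted network named in the thread.
EXT_IP="${EXT_IP:-192.0.2.10}"
INT_IF="${INT_IF:-fxp1}"
INT_NET="10.0.0.0/24"
SERVICES="21,22,80,443"    # ftp, ssh, http, https

# Model of the posted stateless rules 10-50 plus the final deny, for one
# TCP packet. Usage: verdict_stateless SRC_IP DST_IP DST_PORT
# Prints the rule that decides the packet.
verdict_stateless() {
    src=$1; dst=$2; dport=$3
    case "$src" in
        10.0.0.*) echo "allow(10)"; return 0 ;;   # from 10.0.0.0/24 to any
    esac
    if [ "$dst" = "$EXT_IP" ]; then
        case "$dport" in
            80)  echo "allow(20)"; return 0 ;;
            443) echo "allow(30)"; return 0 ;;
            22)  echo "allow(40)"; return 0 ;;
            21)  echo "allow(50)"; return 0 ;;
        esac
    fi
    echo "deny(last)"                             # nothing matched
}

# Stateful variant: prints the ipfw commands (dry run), loads nothing.
#  200     replies that belong to a tracked connection
#  300     trusted net, but only when seen on the internal interface, so a
#          spoofed 10.0.0.x source arriving from outside is not trusted
#  400     the four public services, state created on the SYN
#  500/510 connections the server itself opens (assumed: active-mode FTP
#          data, DNS lookups); passive-mode FTP data ports are not covered
#  65000   everything else is dropped and logged, capped per rule
emit_stateful() {
    cat <<EOF
ipfw -q -f flush
ipfw -q add 100 allow ip from any to any via lo0
ipfw -q add 200 check-state
ipfw -q add 300 allow ip from $INT_NET to any via $INT_IF
ipfw -q add 400 allow tcp from any to $EXT_IP $SERVICES in setup keep-state
ipfw -q add 500 allow tcp from $EXT_IP to any out setup keep-state
ipfw -q add 510 allow udp from $EXT_IP to any 53 out keep-state
ipfw -q add 65000 deny log logamount 100 ip from any to any
EOF
}

CLIENT=198.51.100.7
echo "client -> $EXT_IP:80 (SYN)        : $(verdict_stateless "$CLIENT" "$EXT_IP" 80)"
echo "$EXT_IP:80 -> client:51000 (reply): $(verdict_stateless "$EXT_IP" "$CLIENT" 51000)"
echo "internal host -> 10.0.0.100:22     : $(verdict_stateless 10.0.0.5 10.0.0.100 22)"
emit_stateful
```
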
_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 5 11:02:13 2004
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Date: Mon, 5 Jul 2004 11:02:13 GMT
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S  Submitted   Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2002/12/27] kern/46557  ipfw  ipfw pipe show fails with lots of queues
o [2003/04/22] kern/51274  ipfw  ipfw2 create dynamic rules with parent nu
f [2003/04/24] kern/51341  ipfw  ipfw rule 'deny icmp from any to any icmp
o [2004/03/03] misc/63724  ipfw  IPFW2 Queues dont t work
o [2004/03/14] kern/64240  ipfw  IPFW tee terminates rule processing

5 problems total.

Non-critical problems

S  Submitted   Tracker     Resp. Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534  ipfw  Add an option to ipfw to log gid/uid of w
o [2002/12/07] kern/46080  ipfw  [PATCH] logamount in ipfw2 does not defau
o [2002/12/10] kern/46159  ipfw  ipfw dynamic rules lifetime feature
o [2002/12/27] kern/46564  ipfw  IPFilter and IPFW processing order is not
o [2003/02/11] kern/48172  ipfw  ipfw does not log size and flags
o [2003/03/10] kern/49086  ipfw  [patch] Make ipfw2 log to different syslo
o [2003/03/12] bin/49959   ipfw  ipfw tee port rule skips parsing next rul
o [2003/04/09] bin/50749   ipfw  ipfw2 incorrectly parses ports and port r
o [2003/08/26] kern/55984  ipfw  [patch] time based firewalling support fo
o [2003/12/30] kern/60719  ipfw  ipfw: Headerless fragments generate cryp
o [2004/01/12] kern/61259  ipfw  [patch] make "ipfw tee" work as intended
o [2004/03/09] kern/63961  ipfw  ipfw2 uid matching doesn't work correctly

12 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jul 7 17:01:32 2004
From: Chris
To: FreeBSD Questions
Cc: FreeBSD IPFW
Date: Wed, 7 Jul 2004 12:01:23 -0500
Subject: Turning off submission (587) port

Folks,

I would prefer to shut this port down if I can. I'm unsure if and how it
can/do it. Other than that, would there be an effective ipfw rule that would
block this?

If the above needs recompiling sendmail, then I would certainly prefer the
latter.

--
Best regards,
Chris

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
ClamAV virus dat updated: Wed Jul 7 2004 at 03:02:59
daily.cvd updated (version: 393, sigs: 1409, f-level: 2, builder: trog)

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jul 7 17:20:26 2004
From: Thomas Wolf
To: racerx@makeworld.com, FreeBSD Questions
Cc: FreeBSD IPFW
Date: Wed, 7 Jul 2004 17:16:58 -0000
Subject: Re: Turning off submission (587) port

Chris wrote:
> Folks,
> I would prefer to shut this port down if I can. I'm unsure if and how it
> can/do it. Other than that, would there be an effective ipfw rule that would
> block this?
>
> If the above needs recompiling sendmail, then I would certainly prefer the
> latter.
>

AFAIK, it is sufficient to edit /etc/mail/sendmail.cf and
comment or delete the following line:
O DaemonPortOptions=Port=587, Name=MSA, M=E
and restart sendmail afterwards.

regarding ipfw,
reject tcp from any to me 587
would be an appropriate rule.

Thomas

--
Thomas Wolf
Wiener Software Fabrik
Dubas u. Wolf GMBH
1050 Wien, Mittersteig 4

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jul 7 17:23:51 2004
From: Gregory Neil Shapiro
To: Chris
Cc: FreeBSD IPFW, FreeBSD Questions
Date: Wed, 7 Jul 2004 10:23:48 -0700
Subject: Re: Turning off submission (587) port

> I would prefer to shut this port down if I can. I'm unsure if and how it
> can/do it. Other than that, would there be an effective ipfw rule that would
> block this?

1. cd /etc/mail/
2. Edit `hostname`.mc (if it doesn't exist, "cd /etc/mail; make")
3. Add this next to one of the other FEATURE() lines:
   FEATURE(`no_default_msa')
4. Type: make install (will overwrite sendmail.cf so if you have
   customized that file by hand, you will lose those customizations)
5. Type: make restart

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jul 7 17:24:21 2004
From: Gregory Neil Shapiro
To: Thomas Wolf
Cc: FreeBSD IPFW, FreeBSD Questions
Date: Wed, 7 Jul 2004 10:24:21 -0700
Subject: Re: Turning off submission (587) port

> AFAIK, it is sufficient to edit /etc/mail/sendmail.cf and
> comment or delete the following line:
> O DaemonPortOptions=Port=587, Name=MSA, M=E
> and restart sendmail afterwards.

Hand editing the sendmail.cf is a bad idea.
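
The .mc route from the five steps above as a repeatable edit plus a check of the generated file, added here as an example that is not part of the thread. The function names and the sample .mc content are this example's own; the FEATURE line and the DaemonPortOptions line are the ones quoted in the messages.

```shell
#!/bin/sh
# Added example, not from the thread: function names are hypothetical.

# add_no_default_msa MCFILE
# Insert FEATURE(`no_default_msa') after the last existing FEATURE( line.
# Idempotent: returns 0 without touching the file if the line is present.
# Returns 1 if the file has no FEATURE( line to place it next to.
add_no_default_msa() {
    mc=$1
    if grep -q "^FEATURE(\`no_default_msa')" "$mc"; then
        return 0
    fi
    tmp=$(mktemp) || return 1
    if awk -v feat="FEATURE(\`no_default_msa')dnl" '
        { line[NR] = $0; if ($0 ~ /^FEATURE\(/) last = NR }
        END {
            if (!last) exit 1
            for (i = 1; i <= NR; i++) {
                print line[i]
                if (i == last) print feat
            }
        }' "$mc" > "$tmp"
    then
        cat "$tmp" > "$mc"; rc=$?     # keep the original file's owner and mode
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# msa_configured CFFILE
# Succeeds if the generated sendmail.cf still defines a daemon on port 587.
msa_configured() {
    grep -q '^O DaemonPortOptions=.*Port=587' "$1"
}

# Demo on a constructed .mc file (not a real configuration).
demo_mc=$(mktemp)
cat > "$demo_mc" <<'EOF'
OSTYPE(freebsd4)
FEATURE(access_db, `hash -o -T<TMPF> /etc/mail/access')
FEATURE(blacklist_recipients)
MAILER(local)
MAILER(smtp)
EOF
add_no_default_msa "$demo_mc"
add_no_default_msa "$demo_mc"         # second call changes nothing
cat "$demo_mc"
rm -f "$demo_mc"
```

On a real host the edit is followed by steps 4 and 5 above (`make install`, `make restart`), after which `msa_configured /etc/mail/sendmail.cf` should fail.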

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jul 7 17:28:55 2004
From: Chico
To: Gregory Neil Shapiro, Chris
Cc: FreeBSD IPFW, FreeBSD Questions
Date: Wed, 7 Jul 2004 10:28:54 -0700 (PDT)
Subject: Re: Turning off submission (587) port

Gregory,

Great reply... I like how you gave the exact instructions.

Shawn

--- Gregory Neil Shapiro wrote:
> > I would prefer to shut this port down if I can. I'm unsure if and how it
> > can/do it. Other than that, would there be an effective ipfw rule that would
> > block this?
>
> 1. cd /etc/mail/
> 2. Edit `hostname`.mc (if it doesn't exist, "cd /etc/mail; make")
> 3. Add this next to one of the other FEATURE() lines:
>    FEATURE(`no_default_msa')
> 4. Type: make install (will overwrite sendmail.cf so if you have
>    customized that file by hand, you will lose those customizations)
> 5. Type: make restart

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jul 7 17:30:20 2004
From: Chris
To: FreeBSD IPFW
Cc: FreeBSD Questions
Date: Wed, 7 Jul 2004 12:30:07 -0500
Subject: Re: Turning off submission (587) port

On Wednesday 07 July 2004 12:24 pm, Gregory Neil Shapiro wrote:
> > AFAIK, it is sufficient to edit /etc/mail/sendmail.cf and
> > comment or delete the following line:
> > O DaemonPortOptions=Port=587, Name=MSA, M=E
> > and restart sendmail afterwards.
>
> Hand editing the sendmail.cf is a bad idea.

I agree - I ended up adding FEATURE(`no_default_msa') to my respective *.mc
file. That did the trick.

--
Best regards,
Chris

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jul 8 15:38:07 2004
From: "Thomas S. Crum - 1WISP, Inc."
To: "'FreeBSD IPFW'"
Date: Thu, 8 Jul 2004 11:36:59 -0400
Subject: Dummynet Queue Weighting

# SAMPLE CONFIG
ipfw add queue 1 ip from A to B
ipfw queue 1 config weight 10 pipe 1
ipfw add queue 2 ip from C to D
ipfw queue 2 config weight 5 pipe 1
ipfw add queue 3 ip from E to F
ipfw queue 3 config weight 1 pipe 1
ipfw pipe 1 config bw 1000Kbit/s

Question?

When setting up queues as I have done above with different weights they (the
queues) will share the assigned pipe proportionate to their weight.

For example if you had traffic on all three queues, the A&B(1), C&D(2), and
E&F(3); they would get 10/16, 5/16, and 1/16 of the pipe, respectively.

But, what if A&B(1) had no traffic? It is my understanding that queue 2 and
3 would still only get 5/16 and 1/16 of the pipe regardless. In this
example, 3/8 or 375Kb/s total. Or would 2 and 3 share the whole pipe if
queue 1 is inactive, which would make my questions moot?

What I am trying to accomplish here is to give a greater amount of bandwidth
between 2 ip's when they are active.
But they are hardly ever active and therefore I want the rest of the network
to use the whole pipe until they become active.

Any comments and particularly suggestions are appreciated. If I'm entirely
wrong with my presumptions mention that too. :)

Best,

Thomas S. Crum
Senior Technical Associate
tscrum@aaawebsolution.com
Toll-free: (800) 834-0626

AAA Web Solution, Inc.
11924 W Forest Hill Boulevard
Building 22 - Mailstop 200
Wellington, FL 33414 USA

Providing full-service website design, maintenance, hosting, and marketing.
No task is too small or enterprise too large for us to help you!

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jul 8 15:57:16 2004
From: Chris
To: FreeBSD IPFW
Date: Thu, 8 Jul 2004 10:57:11 -0500
Subject: Blackhole issues when booting into a wm.

Can someone explain to me why when I add blackhole to my sysctl file, booting
into a wm is slow as hell?

As expected, when I comment out the tcp and udp blackhole lines, the system
responds as normal.

Some info - AMD 1.6
FBSD 5.2.1-RELEASE-p9 and FBSD 4.10

--
Best regards,
Chris

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jul 8 18:48:54 2004
From: "Louis A. Mamakos"
To: "Thomas S. Crum - 1WISP, Inc."
<002601c46501$904a7d30$0200a8c0@wolf> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Thu, 08 Jul 2004 14:48:53 -0400 Sender: louie@whizzo.transsys.com Message-Id: <20040708184853.7B9BB20F72@whizzo.transsys.com> cc: 'FreeBSD IPFW' Subject: Re: Dummynet Queue Weighting X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Jul 2004 18:48:55 -0000

> # SAMPLE CONFIG
> ipfw queue 1 ip from A to B
> ipfw queue 1 config weight 10 pipe 1
> ipfw queue 2 ip from C to D
> ipfw queue 2 config weight 5 pipe 1
> ipfw queue 3 ip from E to F
> ipfw queue 3 config weight 1 pipe 1
> ipfw pipe 1 config bw 1000Kbit/s
>
> Question?
>
> When setting up queues as I have done above with different weights they (the
> queues) will share the assigned pipe proportionate to their weight.
>
> For example if you had traffic on all three queues, the A&B(1), C&D(2), and
> E&F(3); they would get 10/16, 5/16, and 1/16 of the pipe, respectively.
>
> But, what if A&B(1) had no traffic? It is my understanding that queue 2 and
> 3 would still only get 5/16 and 1/16 of the pipe regardless. In this
> example, 3/8 or 375Kb/s total. Or would 2 and 3 share the whole pipe if
> queue 1 is inactive, which would make my questions moot?

I use a similar configuration to prioritize VoIP traffic on my "upstream" network connection. I create a pipe with the bandwidth sized to the actual capacity of the network link and the multiple queues just as you did.

The answer to your question is that idle queues do not consume capacity on the pipe they are associated with. I have queues with weights 100 (for VoIP), 20 (for interactive SSH, NTP) and 1 (everything else) and the "everything else" traffic can use the full capacity of the pipe when the other queues are idle.
louie

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jul 8 21:15:25 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1475716A4D1 for ; Thu, 8 Jul 2004 21:15:25 +0000 (GMT) Received: from mailhost.wsf.at (server202.serveroffice.com [217.196.72.202]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5B43E43D49 for ; Thu, 8 Jul 2004 21:15:23 +0000 (GMT) (envelope-from tw@wsf.at) Received: from mailhost.wsf.at (root@localhost)i68LCGKX074140 for ; Thu, 8 Jul 2004 23:12:16 +0200 (CEST) (envelope-from tw@wsf.at) Received: from mailhost.wsf.at (http.wsf.at [217.196.72.203]) i68LCFdn074132; Thu, 8 Jul 2004 23:12:16 +0200 (CEST) (envelope-from tw@wsf.at) Date: Thu, 8 Jul 2004 21:12:15 -0000 To: Gregory Neil Shapiro , Thomas Wolf From: Thomas Wolf X-Mailer: twiggi 1.10.3 Message-ID: <20040708231215.fsp0rn91py8gw0@.mailhost.wsf.at> MIME-Version: 1.0 Content-Disposition: inline Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit cc: FreeBSD IPFW cc: FreeBSD Questions Subject: Re: Turning off submission (587) port X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: tw@wsf.at List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Jul 2004 21:15:25 -0000

Gregory Neil Shapiro wrote:
> > AFAIK, it is sufficient to edit /etc/mail/sendmail.cf and
> > comment or delete the following line:
> > O DaemonPortOptions=Port=587, Name=MSA, M=E
> > and restart sendmail afterwards.
>
> Hand editing the sendmail.cf is a bad idea.

You're right. Bad habit. Sorry for advising this.

Thomas

--
Thomas Wolf
Wiener Software Fabrik Dubas u.
Wolf GMBH
1050 Wien, Mittersteig 4

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jul 8 21:47:04 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A3E1416A4CE for ; Thu, 8 Jul 2004 21:47:04 +0000 (GMT) Received: from itapoa.terra.com.br (itapoa.terra.com.br [200.154.55.227]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2C11143D53 for ; Thu, 8 Jul 2004 21:47:04 +0000 (GMT) (envelope-from ppj@netfilter.com.br) Received: from cuenca.terra.com.br (cuenca.terra.com.br [200.154.55.130]) by itapoa.terra.com.br (Postfix) with ESMTP id C4FE6DD4498 for ; Thu, 8 Jul 2004 18:47:02 -0300 (BRT) Received: from vilapnq0uu055v (c906192c.virtua.com.br [201.6.25.44]) (authenticated user ppaulojr) by cuenca.terra.com.br (Postfix) with ESMTP id 8A4123C1F9 for ; Thu, 8 Jul 2004 18:47:02 -0300 (BRT) Message-ID: <002501c46535$19890a20$2c1906c9@vilapnq0uu055v> From: "Pedro Paulo Jr" To: Date: Thu, 8 Jul 2004 18:47:00 -0300 MIME-Version: 1.0 X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1409 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.1 Subject: Strings X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Jul 2004 21:47:04 -0000

Sorry for another post ...

I was planning to use FreeBSD to avoid P2P in my network. The problem is that every GPL solution for this uses the string module of iptables.

Is there something similar in IPFW?
Thanks in advance,

Pedro Paulo Jr

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jul 8 23:22:27 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DB9D416A4CE for ; Thu, 8 Jul 2004 23:22:27 +0000 (GMT) Received: from mail2.dbitech.ca (radius.wavefire.com [64.141.13.252]) by mx1.FreeBSD.org (Postfix) with SMTP id 0202643D46 for ; Thu, 8 Jul 2004 23:22:26 +0000 (GMT) (envelope-from darcy@wavefire.com) Received: (qmail 12695 invoked from network); 8 Jul 2004 23:54:05 -0000 Received: from dbitech.wavefire.com (HELO ?64.141.15.253?) (darcy@64.141.15.253) by radius.wavefire.com with SMTP; 8 Jul 2004 23:54:05 -0000 From: Darcy Buskermolen Organization: Wavefire Technologies Corp. To: freebsd-ipfw@freebsd.org Date: Thu, 8 Jul 2004 16:22:24 -0700 User-Agent: KMail/1.6.2 References: <002501c46535$19890a20$2c1906c9@vilapnq0uu055v> In-Reply-To: <002501c46535$19890a20$2c1906c9@vilapnq0uu055v> MIME-Version: 1.0 Content-Disposition: inline Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Message-Id: <200407081622.24343.darcy@wavefire.com> Subject: Re: Strings X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Jul 2004 23:22:28 -0000

On July 8, 2004 02:47 pm, Pedro Paulo Jr wrote:
> Sorry for another post ...
>
> I was planning to use FreeBSD to avoid P2P in my network. The problem is
> that every GPL solution for this uses the string module of iptables.
>
> Is there something similar in IPFW?

ipfw is not a content firewall; if you are looking to do that, perhaps you should look at something like hogwash.
(based on the same code as snort)

>
> Thanks in advance,
>
> Pedro Paulo Jr
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

--
Darcy Buskermolen
Wavefire Technologies Corp.
ph: 250.717.0200
fx: 250.763.1759
http://www.wavefire.com

From owner-freebsd-ipfw@FreeBSD.ORG Fri Jul 9 08:19:51 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 492CE16A4CE for ; Fri, 9 Jul 2004 08:19:51 +0000 (GMT) Received: from hetzner.co.za (lfw.hetzner.co.za [196.7.18.226]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8E7A543D39 for ; Fri, 9 Jul 2004 08:19:50 +0000 (GMT) (envelope-from ianf@hetzner.co.za) Received: from localhost ([127.0.0.1]) by hetzner.co.za with esmtp (Exim 3.36 #1) id 1BiqbF-000DWn-00; Fri, 09 Jul 2004 10:19:17 +0200 To: "Louis A. Mamakos" From: Ian FREISLICH In-Reply-To: Message from "Louis A. Mamakos" <20040708184853.7B9BB20F72@whizzo.transsys.com> Date: Fri, 09 Jul 2004 10:19:17 +0200 Sender: ianf@hetzner.co.za Message-Id: cc: 'FreeBSD IPFW' cc: "Thomas S. Crum - 1WISP, Inc." Subject: Re: Dummynet Queue Weighting X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 09 Jul 2004 08:19:51 -0000

> > # SAMPLE CONFIG
> > ipfw queue 1 ip from A to B
> > ipfw queue 1 config weight 10 pipe 1
> > ipfw queue 2 ip from C to D
> > ipfw queue 2 config weight 5 pipe 1
> > ipfw queue 3 ip from E to F
> > ipfw queue 3 config weight 1 pipe 1
> > ipfw pipe 1 config bw 1000Kbit/s
> >
> > Question?
> >
> > When setting up queues as I have done above with different weights
> > they (the queues) will share the assigned pipe proportionate to
> > their weight.
> >
> > For example if you had traffic on all three queues, the A&B(1),
> > C&D(2), and E&F(3); they would get 10/16, 5/16, and 1/16 of the
> > pipe, respectively.
> >
> > But, what if A&B(1) had no traffic? It is my understanding that
> > queue 2 and 3 would still only get 5/16 and 1/16 of the pipe
> > regardless. In this example, 3/8 or 375Kb/s total. Or would 2 and
> > 3 share the whole pipe if queue 1 is inactive, which would make my
> > questions moot?
>
> The answer to your question is that idle queues do not consume capacity
> on the pipe they are associated with. I have queues with weights 100
> (for VoIP), 20 (for interactive SSH, NTP) and 1 (everything else) and
> the "everything else" traffic can use the full capacity of the pipe
> when the other queues are idle.

This raises another question: how do the idle queues get shared? Using the above sample configuration, if queue 2 is idle, does the pipe get shared between queue 1 and queue 3 in proportions 10/11 and 1/11 respectively or 10/16 and 1/16 respectively with the remaining 5/16 shared evenly between them?
Ian

--
Ian Freislich

From owner-freebsd-ipfw@FreeBSD.ORG Fri Jul 9 08:29:26 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 24C7316A4D0 for ; Fri, 9 Jul 2004 08:29:26 +0000 (GMT) Received: from hetzner.co.za (lfw.hetzner.co.za [196.7.18.226]) by mx1.FreeBSD.org (Postfix) with ESMTP id A8F2743D1D for ; Fri, 9 Jul 2004 08:29:25 +0000 (GMT) (envelope-from ianf@hetzner.co.za) Received: from localhost ([127.0.0.1]) by hetzner.co.za with esmtp (Exim 3.36 #1) id 1Biqks-000DYs-00; Fri, 09 Jul 2004 10:29:14 +0200 To: racerx@makeworld.com From: Ian FREISLICH In-Reply-To: Message from Chris <200407081057.11657.racerx@makeworld.com> Date: Fri, 09 Jul 2004 10:29:14 +0200 Sender: ianf@hetzner.co.za Message-Id: cc: FreeBSD IPFW Subject: Re: Blackhole issues when booting into a wm. X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 09 Jul 2004 08:29:26 -0000

> Can someone explain to me why when I add blackhole to my sysctl file, booting
> into a wm is slow as hell? As expected, when I comment out the tcp and udp
> blackhole lines, the system responds as normal.
>
> Some info -
> AMD 1.6
> FBSD 5.2.1-RELEASE-p9 and FBSD 4.10

The window manager (at least mine does) may be trying to resolve your machine's IP address. If you don't have a resolver listening then with blackhole turned on, your WM won't get any ICMP port unreachable messages back and it will have to wait until the query times out before continuing. Maybe it's not trying to resolve, but trying to connect to some port that doesn't have a listener. Either way, you can use tcpdump on your loopback device to figure out what's going on.
If that's too complicated, try adding an entry in /etc/hosts for your IP address and host name and see if that fixes it.

Ian

--
Ian Freislich

From owner-freebsd-ipfw@FreeBSD.ORG Fri Jul 9 08:41:09 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E434816A4CE for ; Fri, 9 Jul 2004 08:41:09 +0000 (GMT) Received: from xorpc.icir.org (xorpc.icir.org [192.150.187.68]) by mx1.FreeBSD.org (Postfix) with ESMTP id D67FB43D55 for ; Fri, 9 Jul 2004 08:41:09 +0000 (GMT) (envelope-from rizzo@icir.org) Received: from xorpc.icir.org (localhost [127.0.0.1]) by xorpc.icir.org (8.12.9p1/8.12.8) with ESMTP id i698f78M036106; Fri, 9 Jul 2004 01:41:07 -0700 (PDT) (envelope-from rizzo@xorpc.icir.org) Received: (from rizzo@localhost) by xorpc.icir.org (8.12.9p1/8.12.3/Submit) id i698f7tk036105; Fri, 9 Jul 2004 01:41:07 -0700 (PDT) (envelope-from rizzo) Date: Fri, 9 Jul 2004 01:41:07 -0700 From: Luigi Rizzo To: Ian FREISLICH Message-ID: <20040709014107.A35991@xorpc.icir.org> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: ; from if@hetzner.co.za on Fri, Jul 09, 2004 at 10:19:17AM +0200 cc: 'FreeBSD IPFW' cc: "Thomas S. Crum - 1WISP, Inc." Subject: Re: Dummynet Queue Weighting X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 09 Jul 2004 08:41:10 -0000

On Fri, Jul 09, 2004 at 10:19:17AM +0200, Ian FREISLICH wrote:
...
> > > But, what if A&B(1) had no traffic? It is my understanding that
> > > queue 2 and 3 would still only get 5/16 and 1/16 of the pipe
> > > regardless. In this example, 3/8 or 375Kb/s total. Or would 2 and
> > > 3 share the whole pipe if queue 1 is inactive, which would make my
> > > questions moot?
> >
> > The answer to your question is that idle queues do not consume capacity
> > on the pipe they are associated with. I have queues with weights 100
> > (for VoIP), 20 (for interactive SSH, NTP) and 1 (everything else) and
> > the "everything else" traffic can use the full capacity of the pipe
> > when the other queues are idle.
>
> This raises another question: how do the idle queues get shared?

The only thing that is shared is the total pipe's capacity, and it is shared by non-idle queues in proportion to their weights. That's as simple as that. No special cases.

There is a copious literature on Proportional Share algorithms; if you google for WF2Q+ (which is the algorithm implemented in dummynet) you should come up with a lot of papers to answer your doubts. We are finishing up a tutorial paper on the topic for which I will post a URL in a week or two when it is ready.

cheers
luigi

From owner-freebsd-ipfw@FreeBSD.ORG Fri Jul 9 13:16:13 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8AC3F16A4CE for ; Fri, 9 Jul 2004 13:16:13 +0000 (GMT) Received: from hearts.netfilter.com.br (hearts.netfilter.com.br [200.222.129.11]) by mx1.FreeBSD.org (Postfix) with ESMTP id AFD2543D49 for ; Fri, 9 Jul 2004 13:16:12 +0000 (GMT) (envelope-from ppj@netfilter.com.br) Received: from localhost (localhost.netfilter.com.br [127.0.0.1]) by hearts.netfilter.com.br (Postfix) with ESMTP id E43BD575F2 for ; Fri, 9 Jul 2004 10:16:30 -0300 (BRT) Received: from hearts.netfilter.com.br ([127.0.0.1]) by localhost (hearts.netfilter.com.br [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 06982-10 for ; Fri, 9 Jul 2004 10:16:21 -0300 (BRT) Received: from microppj (200-204-120-145.dsl.telesp.net.br [200.204.120.145]) by hearts.netfilter.com.br (Postfix) with ESMTP id 56858575E3 for ; Fri, 9 Jul 2004 10:16:20 -0300 (BRT) From: "Pedro Paulo de Magalhaes Oliveira Junior" To:
Date: Fri, 9 Jul 2004 10:16:33 -0300 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable X-Mailer: Microsoft Office Outlook, Build 11.0.5510 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2149 In-Reply-To: thread-index: AcRlrKpZ+PJYfaDFSVKdMFexO020egAChHNwAAAKgpA= Message-Id: <20040709131620.56858575E3@hearts.netfilter.com.br> X-Virus-Scanned: by amavisd-new at speedcomm.com.br Subject: RE: freebsd-ipfw Digest, Vol 67, Issue 3 X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 09 Jul 2004 13:16:13 -0000

Sorry for the wrong message...

-----Original Message-----
From: Pedro Paulo de Magalhaes Oliveira Junior [mailto:ppj@netfilter.com.br]
Sent: Friday, July 9, 2004 10:16
To: 'freebsd-ipfw@freebsd.org'
Subject: RE: freebsd-ipfw Digest, Vol 67, Issue 3

In the admin kit, we need to ask Zé to add a local blacklist maker and a local whitelist

-----Original Message-----
From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of freebsd-ipfw-request@freebsd.org
Sent: Friday, July 9, 2004 09:01
To: freebsd-ipfw@freebsd.org
Subject: freebsd-ipfw Digest, Vol 67, Issue 3

From owner-freebsd-ipfw@FreeBSD.ORG Fri Jul 9 16:43:55 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 205EC16A4CE for ; Fri, 9 Jul 2004 16:43:55 +0000 (GMT) Received: from mbox.ibctech.ca (dev.eagle.ca [209.167.58.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id 317A643D53 for ; Fri, 9 Jul 2004 16:43:54 +0000 (GMT) (envelope-from iaccounts@ibctech.ca) Received: (qmail 6093 invoked by uid 1002); 9 Jul 2004 16:44:34 -0000 Received: from iaccounts@ibctech.ca by pearl.ibctech.ca by uid 89 with qmail-scanner-1.22 (clamscan: 0.73. spamassassin: 2.63. Clear:RC:1(127.0.0.1):.
Processed in 0.988695 secs); 09 Jul 2004 16:44:34 -0000 Received: from unknown (HELO pearl.ibctech.ca) (127.0.0.1) by localhost.ibctech.ca with SMTP; 9 Jul 2004 16:44:33 -0000 Received: from 209.167.16.15 (SquirrelMail authenticated user steve@ibctech.ca); by pearl.ibctech.ca with HTTP; Fri, 9 Jul 2004 12:44:33 -0400 (EDT) Message-ID: <3743.209.167.16.15.1089391473.squirrel@209.167.16.15> Date: Fri, 9 Jul 2004 12:44:33 -0400 (EDT) From: "Steve Bertrand" To: freebsd-ipfw@freebsd.org User-Agent: SquirrelMail/1.4.3a X-Mailer: SquirrelMail/1.4.3a MIME-Version: 1.0 Content-Type: text/plain;charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Priority: 3 (Normal) Importance: Normal Subject: IPFW fwd to remote address X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 09 Jul 2004 16:43:55 -0000

I am trying to set up a forward from one machine to another on a remote network across the Internet. I want to receive requests on one box on port 8080 and simply forward them to a remote machine on the same port.

I have tried the following rules, to no avail. I have IPFIREWALL_FORWARD in my kernel (4.10), and # ipfw show reports the hits to the rule.

# ipfw add 1000 fwd 216.209.x.x tcp from any to me 8080
# ipfw add 1000 fwd 216.209.x.x,8080 tcp from any to me 8080
# ipfw add 1000 fwd 216.209.x.x tcp from any to me 8080
# ipfw add 1000 fwd 216.209.x.x,8080 from any to any 8080

I can not see the packets going back out of the machine, nor does ipfw log anything at the other end. # tcpdump at the remote end does not pick up any traffic.

Does this have something to do with the fact that I am going across the Internet, and it is trying to route the packets back to itself (I understand the dest does not get changed). If so, how could I re-write the packets so they will get delivered?

Tks for any help on this

Steve
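
Added example, not part of any message in this archive and not dummynet's own code: the rule stated in the "Dummynet Queue Weighting" thread above (a pipe's capacity is shared only among non-idle queues, in proportion to their weights) run through a simplified self-clocked fair-queueing scheduler rather than WF2Q+ itself. Assumptions: fixed 1500-byte packets, every active queue always has a packet waiting, and the names `simulate`, `expected`, `WEIGHTS` and `PHASES` are hypothetical; it goes beyond the thread's single case by letting queues go idle and wake up between phases.

```python
"""Added illustration: weighted sharing of one pipe among non-idle queues.

NOT dummynet's WF2Q+ implementation. This is a simplified self-clocked fair
queueing (SCFQ) scheduler, which yields the same long-run shares.
Assumptions: fixed-size packets; an active queue always has a packet waiting.
"""
from fractions import Fraction

PKT_BITS = 1500 * 8  # assumed packet size in bits


def simulate(weights, phases, bw_kbit=1000, pkt_bits=PKT_BITS):
    """Return one {queue: Kbit/s} dict per (seconds, active_queues) phase."""
    vtime = Fraction(0)                         # finish tag of last packet served
    last_tag = {q: Fraction(0) for q in weights}
    head = {}                                   # queue -> tag of its waiting packet
    results = []
    for seconds, active in phases:
        for q in list(head):
            if q not in active:                 # queue went idle: stops competing
                del head[q]
        for q in sorted(active):
            if q not in head:                   # queue woke up: it starts at the
                start = max(last_tag[q], vtime)     # current virtual time, so it
                head[q] = start + Fraction(pkt_bits, weights[q])  # banks no credit
        n_pkts = int(seconds * bw_kbit * 1000) // pkt_bits if head else 0
        sent = dict.fromkeys(weights, 0)
        for _ in range(n_pkts):
            # Serve the waiting packet with the smallest finish tag
            # (ties broken by queue number to keep the run deterministic).
            q = min(head, key=lambda k: (head[k], k))
            vtime = last_tag[q] = head[q]
            sent[q] += 1
            head[q] = vtime + Fraction(pkt_bits, weights[q])
        results.append({q: sent[q] * pkt_bits / (seconds * 1000) for q in weights})
    return results


def expected(weights, active, bw_kbit=1000):
    """Closed form: bw * w_i / (sum of the weights of the non-idle queues)."""
    total = sum(weights[q] for q in active)
    return {q: (bw_kbit * weights[q] / total if q in active else 0.0)
            for q in weights}


# Weights and pipe bandwidth from the sample config quoted in the thread.
WEIGHTS = {1: 10, 2: 5, 3: 1}
PHASES = [
    (12, {1, 2, 3}),   # all three queues busy: 10/16, 5/16, 1/16
    (12, {2, 3}),      # queue 1 idle
    (12, {1, 3}),      # queue 2 idle: 10/11 and 1/11 of the pipe
    (12, {3}),         # only the weight-1 queue busy: it gets the whole pipe
]

if __name__ == "__main__":
    for (secs, active), got in zip(PHASES, simulate(WEIGHTS, PHASES)):
        want = expected(WEIGHTS, active)
        print("active", sorted(active))
        for q in sorted(WEIGHTS):
            print(f"  queue {q}: simulated {got[q]:7.1f} Kbit/s,"
                  f" closed form {want[q]:7.1f} Kbit/s")
```

The small differences between the simulated and closed-form rates come from whole-packet granularity over a 12-second window.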