From owner-freebsd-net@FreeBSD.ORG Sun Aug 29 04:28:13 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2974916A4CF; Sun, 29 Aug 2004 04:28:12 +0000 (GMT) Received: from ronno.pricegrabber.com (ronno.pricegrabber.com [64.156.13.49]) by mx1.FreeBSD.org (Postfix) with ESMTP id 05AD843D45; Sun, 29 Aug 2004 04:28:12 +0000 (GMT) (envelope-from chrismcc@pricegrabber.com) Received: from [192.168.10.19] (wednesday.pricegrabber.com [192.168.10.19]) (authenticated bits=0)i7T4SBTp002576; Sat, 28 Aug 2004 21:28:11 -0700 
From: Christopher McCrory To: freebsd-net@freebsd.org Content-Type: text/plain Message-Id: <1093753691.8153.24.camel@wednesday.pricegrabber.com> Mime-Version: 1.0 X-Mailer: Ximian Evolution 1.4.6 (1.4.6-2) Date: Sat, 28 Aug 2004 21:28:11 -0700 Content-Transfer-Encoding: 7bit X-Virus-Scanned: clamd / ClamAV version 0.75.1, clamav-milter version 0.75c on localhost X-Virus-Status: Clean cc: tackerman@freebsd.org Subject: em driver problem with intel pro 1000xf - force 100/full X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 29 Aug 2004 04:28:13 -0000

Hello...

I am trying to use an Intel Pro 1000xf (Multimode fiber/SC connector) card on a FreeBSD 4.10 system. The switch (not mine) I need to talk to is not configured for auto-negotiation, but forced to 100/full. It is a requirement on my side to be able to do this also. My (copper) Intel and broadcom NICs do this fine, but the 1000xf errors out.

ix# ifconfig em0 media 100BaseTX mediaopt full-duplex
ifconfig: SIOCSIFMEDIA: Device not configured
ix# ifconfig em0 media 100BaseSX mediaopt full-duplex
ifconfig: unknown media subtype: 100BaseSX
ix# ifconfig em0 media 1000BaseSX mediaopt full-duplex
ix# ifconfig em0
em0: flags=8846 mtu 1500
        options=3
        ether 00:07:e9:18:25:d5
        media: Ethernet 1000baseSX (autoselect)
        status: no carrier
ix# # 1000 != 100

em0@pci1:5:0:   class=0x020000 card=0x11098086 chip=0x10098086 rev=0x02 hdr=0x00
    vendor   = 'Intel Corporation'
    device   = '82544 PRO/1000 XF Gigabit Ethernet Controller (Fiber)'
    class    = network
    subclass = ethernet

Is forcing 100Mbps operation not supported by the card or not supported by the driver? clue stick?

em_driver_version[] = "1.7.25";

Thanks

p.s.
freebsdnic@mailbox.intel.com from man page bounces with MX loops back to me

-- 
Christopher McCrory
"The guy that keeps the servers running"
chrismcc@pricegrabber.com
http://www.pricegrabber.com

Let's face it, there's no Hollow Earth, no robots, and no 'mute rays.'
And even if there were, waxed paper is no defense. I tried it. Only tinfoil works.

From owner-freebsd-net@FreeBSD.ORG Sun Aug 29 07:47:10 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 50F9A16A4CE; Sun, 29 Aug 2004 07:47:10 +0000 (GMT) Received: from mx01.bos.ma.towardex.com (mx01.bos.ma.towardex.com [65.124.16.9]) by mx1.FreeBSD.org (Postfix) with ESMTP id 32A2643D2F; Sun, 29 Aug 2004 07:47:10 +0000 (GMT) (envelope-from haesu@mx01.bos.ma.towardex.com) Received: by mx01.bos.ma.towardex.com (TowardEX ESMTP 3.0p11_DAKN, from userid 1001) id 879BD2FB25; Sun, 29 Aug 2004 03:46:56 -0400 (EDT) Date: Sun, 29 Aug 2004 03:46:56 -0400
From: James To: Christopher McCrory Message-ID: <20040829074656.GA93946@scylla.towardex.com> References: <1093753691.8153.24.camel@wednesday.pricegrabber.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1093753691.8153.24.camel@wednesday.pricegrabber.com> User-Agent: Mutt/1.4.1i cc: freebsd-net@freebsd.org cc: tackerman@freebsd.org Subject: Re: em driver problem with intel pro 1000xf - force 100/full X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 29 Aug 2004 07:47:10 -0000

On Sat, Aug 28, 2004 at 09:28:11PM -0700, Christopher McCrory wrote:
> Hello...
> 
> I am trying to use an Intel Pro 1000xf (Multimode fiber/SC connector)
> card on a FreeBSD 4.10 system. The switch (not mine) I need to talk to
> is not configured for auto-negotiation, but forced to 100/full. It is a
> requirement on my side to be able to do this also. My (copper) Intel and broadcom
> NICs do this fine, but the 1000xf errors out.
> 
> ix# ifconfig em0 media 100BaseTX mediaopt full-duplex
> ifconfig: SIOCSIFMEDIA: Device not configured
> ix# ifconfig em0 media 100BaseSX mediaopt full-duplex

There is no such standard that calls for 100BaseSX.

Try 100BaseFX and see if it works for ya...

HTH,
-J

-- 
James Jun                                            TowardEX Technologies, Inc.
Technical Lead                 Network Design, Consulting, IT Outsourcing
james@towardex.com                    Boston-based Colocation & Bandwidth Services
cell: 1(978)-394-2867           web: http://www.towardex.com , noc: www.twdx.net

From owner-freebsd-net@FreeBSD.ORG Sun Aug 29 13:02:11 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0B6C116A4CE; Sun, 29 Aug 2004 13:02:11 +0000 (GMT) Received: from shuttle.wide.toshiba.co.jp (shuttle.wide.toshiba.co.jp [202.249.10.124]) by mx1.FreeBSD.org (Postfix) with ESMTP id B572143D46; Sun, 29 Aug 2004 13:02:09 +0000 (GMT) (envelope-from jinmei@isl.rdc.toshiba.co.jp) Received: from ocean.jinmei.org (unknown [2001:200:0:8002:2c80:e593:6b4a:a116]) by shuttle.wide.toshiba.co.jp (Postfix) with ESMTP id 6BD6F1525D; Sun, 29 Aug 2004 22:02:07 +0900 (JST) Date: Sun, 29 Aug 2004 22:02:07 +0900 Message-ID:
From: JINMEI Tatuya / 神明達哉 To: Tilman Linneweh In-Reply-To: <200408271239.i7RCddX9057557@freefall.freebsd.org> References: <200408271239.i7RCddX9057557@freefall.freebsd.org> User-Agent: Wanderlust/2.10.1 (Watching The Wheels) Emacs/21.3 Mule/5.0 (SAKAKI) Organization: Research & Development Center, Toshiba Corp., Kawasaki, Japan. MIME-Version: 1.0 (generated by SEMI 1.14.5 - "Awara-Onsen") Content-Type: text/plain; charset=US-ASCII cc: freebsd-net@FreeBSD.org cc: freebsd-bugs@FreeBSD.org Subject: Re: kern/44355: After deletion of an IPv6 alias, the route to the whole subnet is removed too. X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 29 Aug 2004 13:02:11 -0000

>>>>> On Fri, 27 Aug 2004 12:39:39 GMT, 
>>>>> Tilman Linneweh said:

> Synopsis: After deletion of an IPv6 alias, the route to the whole subnet is removed too.
> Responsible-Changed-From-To: freebsd-bugs->freebsd-net
> Responsible-Changed-By: arved
> Responsible-Changed-When: Fri Aug 27 12:38:53 GMT 2004
> Responsible-Changed-Why: 
> Old patches against IPv6, over to freebsd-net to decide if this PR is still
> relevant
> http://www.freebsd.org/cgi/query-pr.cgi?pr=44355

Hmm, this seems to be the same issue as that reported to the KAME project almost two years ago. The problem was then fixed there, but the fix does not seem to be merged to the FreeBSD repository.

The attached diff below is a similar fix for 5.2.1R. It cannot be applied to 4.x directly, but I guess it's easy to modify.

It would be nice if some committers could review the diff and (if appropriate) merge to the FreeBSD repository.

Thanks,

JINMEI, Tatuya
Communication Platform Lab.
Corporate R&D Center, Toshiba Corp.
jinmei@isl.rdc.toshiba.co.jp Index: in6.c =================================================================== RCS file: /home/ncvs/src/sys/netinet6/in6.c,v retrieving revision 1.40 diff -u -r1.40 in6.c --- in6.c 8 Nov 2003 23:36:32 -0000 1.40 +++ in6.c 29 Aug 2004 12:45:15 -0000 @@ -1,5 +1,5 @@ /* $FreeBSD: src/sys/netinet6/in6.c,v 1.40 2003/11/08 23:36:32 sam Exp $ */ -/* $KAME: in6.c,v 1.259 2002/01/21 11:37:50 keiichi Exp $ */ +/* $KAME: in6.c,v 1.334 2002/12/05 15:33:26 jinmei Exp $ */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. @@ -579,6 +579,14 @@ */ if ((error = in6_update_ifa(ifp, ifra, ia)) != 0) return (error); + if ((ia = in6ifa_ifpwithaddr(ifp, &ifra->ifra_addr.sin6_addr)) + == NULL) { + /* + * this can happen when the user specify the 0 valid + * lifetime. + */ + break; + } /* * then, make the prefix on-link on the interface. @@ -617,6 +625,15 @@ ((ifra->ifra_flags & IN6_IFF_AUTOCONF) != 0); pr0.ndpr_vltime = ifra->ifra_lifetime.ia6t_vltime; pr0.ndpr_pltime = ifra->ifra_lifetime.ia6t_pltime; + if ((error = in6_init_prefix_ltimes(&pr0)) != 0) { + /* + * Validation for lifetimes should have been done, so + * this should always succeed. + */ + log(LOG_ERR, "in6_control: failed to initialize prefix" + " lifetimes\n"); + return (error); + } /* add the prefix if not yet. */ if ((pr = nd6_prefix_lookup(&pr0)) == NULL) { 
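Review bot: in the @@ -579 hunk the new `break` taken when `in6ifa_ifpwithaddr()` returns NULL leaves `error` at 0, so a SIOCAIFADDR_IN6 request with a zero valid lifetime reports success even though, as the comment says, no address is left behind; if that is the intended semantics the comment should say so explicitly (and read "the user specifies" rather than "the user specify"), otherwise an error code belongs here. Moving the lookup up to this point is otherwise sound: it is what lets the @@ -632 hunk use `ia` without a NULL check.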
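Review bot: the @@ -617 hunk returns the `in6_init_prefix_ltimes()` error after `in6_update_ifa()` has already installed the address a few lines earlier, so on that path the ioctl fails while the address stays configured with `ia6_ndpr` NULL and no prefix reference. The existing `return (EINVAL); /* XXX panic here? */` just below has the same shape, so the patch is consistent with its surroundings, but a new error return in the same spot should either purge the just-added address before returning or state in the comment that leaving it in place is deliberate; `log(LOG_ERR, ...)` alone does not tell the caller the operation was half applied.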
@@ -632,48 +649,40 @@ return (EINVAL); /* XXX panic here? */ } } - if ((ia = in6ifa_ifpwithaddr(ifp, &ifra->ifra_addr.sin6_addr)) - == NULL) { - /* XXX: this should not happen! */ - log(LOG_ERR, "in6_control: addition succeeded, but" - " no ifaddr\n"); - } else { - if ((ia->ia6_flags & IN6_IFF_AUTOCONF) != 0 && - ia->ia6_ndpr == NULL) { /* new autoconfed addr */ - ia->ia6_ndpr = pr; - pr->ndpr_refcnt++; - - /* - * If this is the first autoconf address from - * the prefix, create a temporary address - * as well (when specified). - */ - if (ip6_use_tempaddr && - pr->ndpr_refcnt == 1) { - int e; - if ((e = in6_tmpifadd(ia, 1)) != 0) { - log(LOG_NOTICE, "in6_control: " - "failed to create a " - "temporary address, " - "errno=%d\n", e); - } - } - } + + /* relate the address to the prefix */ + if (ia->ia6_ndpr == NULL) { + ia->ia6_ndpr = pr; + pr->ndpr_refcnt++; /* - * this might affect the status of autoconfigured - * addresses, that is, this address might make - * other addresses detached. + * If this is the first autoconf address from the + * prefix, create a temporary address as well + * (when required). */ - pfxlist_onlink_check(); + if ((ia->ia6_flags & IN6_IFF_AUTOCONF) && + ip6_use_tempaddr && pr->ndpr_refcnt == 1) { + int e; + if ((e = in6_tmpifadd(ia, 1)) != 0) { + log(LOG_NOTICE, "in6_control: failed " + "to create a temporary address, " + "errno=%d\n", e); + } + } } + + /* + * this might affect the status of autoconfigured addresses, + * that is, this address might make other addresses detached. + */ + pfxlist_onlink_check(); + break; } case SIOCDIFADDR_IN6: { - int i = 0; - struct nd_prefix pr0, *pr; + struct nd_prefix *pr; /* * If the address being deleted is the only one that owns 
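Review bot: `if (ia->ia6_ndpr == NULL) { ia->ia6_ndpr = pr; pr->ndpr_refcnt++; ... }` now ties every address added through SIOCAIFADDR_IN6 to its prefix, where the removed code did so only for IN6_IFF_AUTOCONF addresses; that is the change the rest of the patch depends on, so the one-line comment `/* relate the address to the prefix */` should say that manually configured addresses now hold a reference too. Two consequences deserve a look: the temporary-address test `(ia->ia6_flags & IN6_IFF_AUTOCONF) && ip6_use_tempaddr && pr->ndpr_refcnt == 1` now counts manual addresses in `ndpr_refcnt`, so an autoconf address arriving after a manual one on the same prefix is no longer "the first autoconf address" and gets no temporary address, contrary to the comment above it; and when `ia6_ndpr` is already set to a different prefix the address silently keeps the old one, which the comment should mention. Dropping the `ia == NULL` branch here is fine given the earlier `break`.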
@@ -683,37 +692,12 @@ * and the prefix management. We do this, however, to provide * as much backward compatibility as possible in terms of * the ioctl operation. + * Note that in6_purgeaddr() will decrement ndpr_refcnt. */ - bzero(&pr0, sizeof(pr0)); - pr0.ndpr_ifp = ifp; - pr0.ndpr_plen = in6_mask2len(&ia->ia_prefixmask.sin6_addr, - NULL); - if (pr0.ndpr_plen == 128) - goto purgeaddr; - pr0.ndpr_prefix = ia->ia_addr; - pr0.ndpr_mask = ia->ia_prefixmask.sin6_addr; - for (i = 0; i < 4; i++) { - pr0.ndpr_prefix.sin6_addr.s6_addr32[i] &= - ia->ia_prefixmask.sin6_addr.s6_addr32[i]; - } - /* - * The logic of the following condition is a bit complicated. - * We expire the prefix when - * 1. the address obeys autoconfiguration and it is the - * only owner of the associated prefix, or - * 2. the address does not obey autoconf and there is no - * other owner of the prefix. - */ - if ((pr = nd6_prefix_lookup(&pr0)) != NULL && - (((ia->ia6_flags & IN6_IFF_AUTOCONF) != 0 && - pr->ndpr_refcnt == 1) || - ((ia->ia6_flags & IN6_IFF_AUTOCONF) == 0 && - pr->ndpr_refcnt == 0))) { - pr->ndpr_expire = 1; /* XXX: just for expiration */ - } - - purgeaddr: + pr = ia->ia6_ndpr; in6_purgeaddr(&ia->ia_ifa); + if (pr && pr->ndpr_refcnt == 0) + prelist_remove(pr); break; } 
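Review bot: the replacement deletion logic (`pr = ia->ia6_ndpr; in6_purgeaddr(&ia->ia_ifa); if (pr && pr->ndpr_refcnt == 0) prelist_remove(pr);`) is the actual fix for kern/44355: the removed condition expired the prefix for a non-autoconf address whenever `ndpr_refcnt == 0`, and since manual addresses never took a reference before this patch, deleting any one alias expired the prefix and with it the subnet route. Three things for the comment block: it should say that `ndpr_refcnt == 0` now means no address of either kind still uses the prefix, which is only true once the @@ -632 and @@ -1177 hunks are in, so the three hunks must land together; it should say why immediate `prelist_remove()` is preferred over the old `pr->ndpr_expire = 1; /* XXX: just for expiration */` marking; and the removed `if (pr0.ndpr_plen == 128) goto purgeaddr;` special case has no counterpart, so confirm that a /128 address tied to a prefix by the add path is meant to remove that prefix here. Reading `pr` before `in6_purgeaddr()` is the right order, as `ia` is not usable afterwards.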
@@ -1177,24 +1161,26 @@ in6_prefix_remove_ifid(iilen, oia); } - /* - * When an autoconfigured address is being removed, release the - * reference to the base prefix. Also, since the release might - * affect the status of other (detached) addresses, call - * pfxlist_onlink_check(). + /* + * Release the reference to the base prefix. There should be a + * positive reference. */ - if ((oia->ia6_flags & IN6_IFF_AUTOCONF) != 0) { - if (oia->ia6_ndpr == NULL) { - nd6log((LOG_NOTICE, "in6_unlink_ifa: autoconf'ed address " - "%p has no prefix\n", oia)); - } else { - oia->ia6_ndpr->ndpr_refcnt--; - oia->ia6_flags &= ~IN6_IFF_AUTOCONF; - oia->ia6_ndpr = NULL; - } + if (oia->ia6_ndpr == NULL) { + nd6log((LOG_NOTICE, + "in6_unlink_ifa: autoconf'ed address " + "%p has no prefix\n", oia)); + } else { + oia->ia6_ndpr->ndpr_refcnt--; + oia->ia6_ndpr = NULL; + } + /* + * Also, if the address being removed is autoconf'ed, call + * pfxlist_onlink_check() since the release might affect the status of + * other (detached) addresses. + */ + if ((oia->ia6_flags & IN6_IFF_AUTOCONF)) pfxlist_onlink_check(); - } /* * release another refcnt for the link from in6_ifaddr. 
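Review bot: `oia->ia6_ndpr->ndpr_refcnt--` now runs for every address carrying a prefix pointer, and the new comment asserts "There should be a positive reference" without checking it; a `KASSERT(oia->ia6_ndpr->ndpr_refcnt > 0, ("in6_unlink_ifa: prefix refcnt underflow"))` before the decrement would catch an unbalanced reference early, since an underflow here means the `ndpr_refcnt == 0` test in SIOCDIFADDR_IN6 either never fires and the prefix leaks, or fires for the wrong address. Two smaller points: the nd6log() message still reads "autoconf'ed address %p has no prefix" although the branch is now reached for any address with `ia6_ndpr == NULL`, and `if ((oia->ia6_flags & IN6_IFF_AUTOCONF))` carries a redundant pair of parentheses. Dropping `oia->ia6_flags &= ~IN6_IFF_AUTOCONF;` is consistent with testing the flag right after the decrement.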
From owner-freebsd-net@FreeBSD.ORG Sun Aug 29 14:40:30 2004 Return-Path: Delivered-To: freebsd-net@hub.freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A336216A53B for ; Sun, 29 Aug 2004 14:40:30 +0000 (GMT) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 825BC43D39 for ; Sun, 29 Aug 2004 14:40:30 +0000 (GMT) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.11/8.12.11) with ESMTP id i7TEeUiB081958 for ; Sun, 29 Aug 2004 14:40:30 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.12.11/8.12.11/Submit) id i7TEeUhW081957; Sun, 29 Aug 2004 14:40:30 GMT (envelope-from gnats) Date: Sun, 29 Aug 2004 14:40:30 GMT Message-Id: <200408291440.i7TEeUhW081957@freefall.freebsd.org> To: freebsd-net@FreeBSD.org From: JINMEI Tatuya / 神明達哉 Subject: Re: kern/44355: After deletion of an IPv6 alias, the route to the whole subnet is removed too. X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: JINMEI Tatuya / 神明達哉 List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 29 Aug 2004 14:40:31 -0000

The following reply was made to PR kern/44355; it has been noted by GNATS.
From: JINMEI Tatuya / 神明達哉 To: Tilman Linneweh Cc: freebsd-bugs@FreeBSD.org, freebsd-net@FreeBSD.org Subject: Re: kern/44355: After deletion of an IPv6 alias, the route to the whole subnet is removed too. Date: Sun, 29 Aug 2004 22:02:07 +0900

From owner-freebsd-net@FreeBSD.ORG Sun Aug 29 17:44:56 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8DACB16A4CE; Sun, 29 Aug 2004 17:44:56 +0000 (GMT) Received: from ronno.pricegrabber.com (ronno.pricegrabber.com [64.156.13.49]) by mx1.FreeBSD.org (Postfix) with ESMTP id 703D143D53; Sun, 29 Aug 2004 17:44:56 +0000 (GMT) (envelope-from chrismcc@pricegrabber.com) Received: from [192.168.10.19] (wednesday.pricegrabber.com [192.168.10.19]) (authenticated bits=0)i7THiuiM029162; Sun, 29 Aug 2004 10:44:56 -0700
From: Christopher McCrory To: James In-Reply-To: <20040829074656.GA93946@scylla.towardex.com> References: <1093753691.8153.24.camel@wednesday.pricegrabber.com> <20040829074656.GA93946@scylla.towardex.com> Content-Type: text/plain Message-Id: <1093801495.14384.1.camel@wednesday.pricegrabber.com> Mime-Version: 1.0 X-Mailer: Ximian Evolution 1.4.6 (1.4.6-2) Date: Sun, 29 Aug 2004 10:44:56 -0700 Content-Transfer-Encoding: 7bit X-Virus-Scanned: clamd / ClamAV version 0.75.1, clamav-milter version 0.75c on localhost X-Virus-Status: Clean cc: freebsd-net@freebsd.org cc: tackerman@freebsd.org Subject: Re: em driver problem with intel pro 1000xf - force 100/full X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 29 Aug 2004 17:44:56 -0000

On Sun, 2004-08-29 at 00:46, James wrote:
> On Sat, Aug 28, 2004 at 09:28:11PM -0700, Christopher McCrory wrote:
> > Hello...
> > 
> > I am trying to use an Intel Pro 1000xf (Multimode fiber/SC connector)
> > card on a FreeBSD 4.10 system. The switch (not mine) I need to talk to
> > is not configured for auto-negotiation, but forced to 100/full. It is a
> > requirement on my side to be able to do this also. My (copper) Intel and broadcom
> > NICs do this fine, but the 1000xf errors out.
> > 
> > ix# ifconfig em0 media 100BaseTX mediaopt full-duplex
> > ifconfig: SIOCSIFMEDIA: Device not configured
> > ix# ifconfig em0 media 100BaseSX mediaopt full-duplex
> 
> There is no such standard that calls for 100BaseSX.
> 
> Try 100BaseFX and see if it works for ya...

Thanks for replying.

ix# ifconfig em0 media 100BaseFX mediaopt full-duplex
ifconfig: SIOCSIFMEDIA: Device not configured

:(

> HTH,
> -J

-- 
Christopher McCrory
"The guy that keeps the servers running"
chrismcc@pricegrabber.com
http://www.pricegrabber.com

Let's face it, there's no Hollow Earth, no robots, and no 'mute rays.'
And even if there were, waxed paper is no defense. I tried it. Only tinfoil works.

From owner-freebsd-net@FreeBSD.ORG Sun Aug 29 18:21:47 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1BAB716A4CE; Sun, 29 Aug 2004 18:21:47 +0000 (GMT) Received: from mx01.bos.ma.towardex.com (mx01.bos.ma.towardex.com [65.124.16.9]) by mx1.FreeBSD.org (Postfix) with ESMTP id B0CC843D5A; Sun, 29 Aug 2004 18:21:46 +0000 (GMT) (envelope-from haesu@mx01.bos.ma.towardex.com) Received: by mx01.bos.ma.towardex.com (TowardEX ESMTP 3.0p11_DAKN, from userid 1001) id 5CE9430184; Sun, 29 Aug 2004 14:21:46 -0400 (EDT) Date: Sun, 29 Aug 2004 14:21:46 -0400
From: James To: Christopher McCrory Message-ID: <20040829182146.GA77336@scylla.towardex.com> References: <1093753691.8153.24.camel@wednesday.pricegrabber.com> <20040829074656.GA93946@scylla.towardex.com> <1093801495.14384.1.camel@wednesday.pricegrabber.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1093801495.14384.1.camel@wednesday.pricegrabber.com> User-Agent: Mutt/1.4.1i cc: freebsd-net@freebsd.org cc: tackerman@freebsd.org cc: James Subject: Re: em driver problem with intel pro 1000xf - force 100/full X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 29 Aug 2004 18:21:47 -0000

On Sun, Aug 29, 2004 at 10:44:56AM -0700, Christopher McCrory wrote:
> On Sun, 2004-08-29 at 00:46, James wrote:
> > On Sat, Aug 28, 2004 at 09:28:11PM -0700, Christopher McCrory wrote:
> > > Hello...
> > > 
> > > I am trying to use an Intel Pro 1000xf (Multimode fiber/SC connector)
> > > card on a FreeBSD 4.10 system. The switch (not mine) I need to talk to
> > > is not configured for auto-negotiation, but forced to 100/full. It is a
> > > requirement on my side to be able to do this also. My (copper) Intel and broadcom
> > > NICs do this fine, but the 1000xf errors out.
> > > 
> > > ix# ifconfig em0 media 100BaseTX mediaopt full-duplex
> > > ifconfig: SIOCSIFMEDIA: Device not configured
> > > ix# ifconfig em0 media 100BaseSX mediaopt full-duplex
> > 
> > There is no such standard that calls for 100BaseSX.
> > 
> > Try 100BaseFX and see if it works for ya...
> 
> Thanks for replying.
> 
> ix# ifconfig em0 media 100BaseFX mediaopt full-duplex
> ifconfig: SIOCSIFMEDIA: Device not configured

try 100baseTX with exact case sensitivity. i.e. lower-case 'b' and upper-case 'TX'.

from man 4 em:

     autoselect    Enables auto-negotiation for speed and duplex.
     10baseT/UTP   Sets 10Mbps operation. Use the mediaopt option to select full-duplex mode.
     100baseTX     Sets 100Mbps operation. Use the mediaopt option to select full-duplex mode.
     1000baseSX    Sets 1000Mbps operation. Only full-duplex mode is supported at this speed.
     1000baseTX    Sets 1000Mbps operation. Only full-duplex mode is supported at this speed.

     The em driver supports the following media options:

     full-duplex   Forces full-duplex operation
     half-duplex   Forces half-duplex operation.

     Only use mediaopt to set the driver to full-duplex. If mediaopt is not specified, the driver defaults to half-duplex.

If that doesn't work either, I am not sure if XF fiber intel gig-e cards are capable of 100Mbps.

HTH,
-J

-- 
James Jun                                            TowardEX Technologies, Inc.
Technical Lead                 Network Design, Consulting, IT Outsourcing
james@towardex.com                    Boston-based Colocation & Bandwidth Services
cell: 1(978)-394-2867           web: http://www.towardex.com , noc: www.twdx.net

From owner-freebsd-net@FreeBSD.ORG Mon Aug 30 05:31:28 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E477016A4CE for ; Mon, 30 Aug 2004 05:31:28 +0000 (GMT) Received: from orion.erdves.lt (ns2.lrtc.net [217.9.240.98]) by mx1.FreeBSD.org (Postfix) with SMTP id 934C143D31 for ; Mon, 30 Aug 2004 05:31:26 +0000 (GMT) (envelope-from dnr@freemail.lt) Received: (qmail 86144 invoked from network); 30 Aug 2004 05:31:24 -0000 Received: from p2p-241-242-ird.vln0.lrtc.net (HELO donatas) (217.9.241.242) by orion.erdves.lt with SMTP; 30 Aug 2004 05:31:24 -0000 Message-ID: <003501c48e52$95085430$9f90a8c0@donatas>
From: "dnr" To: Date: Mon, 30 Aug 2004 08:31:20 +0300 MIME-Version: 1.0 X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2900.2180 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180 Content-Type: text/plain; charset="windows-1257" Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.1 Subject: FreeBSD 5.2.1 and IPFW (1) X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 30 Aug 2004 05:31:29 -0000

hello,

i've noticed that IPFW2 on 5.2.1 system has 30% bigger system load than IPFW1 on 4.10 (equivalent firewall configuration, consisting of ~10000 rules).
So, is it possible to use IPFW1 on FreeBSD 5.2.1?

thanx in advance

From owner-freebsd-net@FreeBSD.ORG Mon Aug 30 06:44:38 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 40A7116A4CE for ; Mon, 30 Aug 2004 06:44:38 +0000 (GMT) Received: from pimout3-ext.prodigy.net (pimout3-ext.prodigy.net [207.115.63.102]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8A83E43D3F for ; Mon, 30 Aug 2004 06:44:37 +0000 (GMT) (envelope-from julian@elischer.org) Received: from elischer.org (adsl-69-104-103-54.dsl.snfc21.pacbell.net [69.104.103.54])i7U6iZ3d125194; Mon, 30 Aug 2004 02:44:36 -0400 Message-ID: <4132CCD3.20409@elischer.org> Date: Sun, 29 Aug 2004 23:44:35 -0700
From: Julian Elischer User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.4b) Gecko/20030524 X-Accept-Language: en, hu MIME-Version: 1.0 To: dnr References: <003501c48e52$95085430$9f90a8c0@donatas> In-Reply-To: <003501c48e52$95085430$9f90a8c0@donatas> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit cc: freebsd-net@freebsd.org Subject: Re: FreeBSD 5.2.1 and IPFW (1) X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 30 Aug 2004 06:44:38 -0000

dnr wrote:

> hello,
> 
> i've noticed that IPFW2 on 5.2.1 system has 30% bigger system load than IPFW1 on 4.10 (equivalent firewall configuration, consisting of ~10000 rules).
> So, is it possible to use IPFW1 on FreeBSD 5.2.1?
> 

The ipfw 1 code was removed..
You would have to talk with your countryman luigi@freebsd.org who made the change.

> thanx in advance
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

From owner-freebsd-net@FreeBSD.ORG Mon Aug 30 07:29:58 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 433D116A4CE for ; Mon, 30 Aug 2004 07:29:58 +0000 (GMT) Received: from pimout1-ext.prodigy.net (pimout1-ext.prodigy.net [207.115.63.77]) by mx1.FreeBSD.org (Postfix) with ESMTP id D97C643D5C for ; Mon, 30 Aug 2004 07:29:55 +0000 (GMT) (envelope-from julian@elischer.org) Received: from elischer.org (adsl-69-104-103-54.dsl.snfc21.pacbell.net [69.104.103.54])i7U7TqH9213042; Mon, 30 Aug 2004 03:29:52 -0400 Message-ID: <4132D770.1000601@elischer.org> Date: Mon, 30 Aug 2004 00:29:52 -0700
From: Julian Elischer User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.4b) Gecko/20030524 X-Accept-Language: en, hu MIME-Version: 1.0 To: Julian Elischer References: <003501c48e52$95085430$9f90a8c0@donatas> <4132CCD3.20409@elischer.org> In-Reply-To: <4132CCD3.20409@elischer.org> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit cc: dnr cc: freebsd-net@freebsd.org Subject: Re: FreeBSD 5.2.1 and IPFW (1) X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 30 Aug 2004 07:29:58 -0000 Julian Elischer wrote: > dnr wrote: > >> hello, >> >> I've noticed that IPFW2 on 5.2.1 system has 30% bigger system load >> than IPFW1 on 4.10 (equivalent firewall configuration, consisting of >> ~10000 rules). >> So, is it possible to use IPFW1 on FreeBSD 5.2.1? >> > > The ipfw 1 code was removed. > You would have to talk with your countryman luigi@freebsd.org > who made the change. 
oops I misread your address as ".it" not ".lt" sorry > >> thanx in advance >> _______________________________________________ >> freebsd-net@freebsd.org mailing list >> http://lists.freebsd.org/mailman/listinfo/freebsd-net >> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org" > > > > _______________________________________________ > freebsd-net@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-net > To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org" From owner-freebsd-net@FreeBSD.ORG Mon Aug 30 08:57:47 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D0B5416A4CE; Mon, 30 Aug 2004 08:57:47 +0000 (GMT) Received: from mail.thekeelecentre.com (mail.thekeelecentre.com [217.206.238.156]) by mx1.FreeBSD.org (Postfix) with ESMTP id 63CFC43D49; Mon, 30 Aug 2004 08:57:47 +0000 (GMT) (envelope-from richardtector@thekeelecentre.com) Received: from localhost (mail.thekeelecentre.com [217.206.238.156]) by mail.thekeelecentre.com (Postfix) with ESMTP id 8B9C458A7; Mon, 30 Aug 2004 09:41:13 +0100 (BST) Received: from webcacheB04a.cache.pol.co.uk (webcacheB04a.cache.pol.co.uk [195.92.168.166]) by webmail.thekeelecentre.com (IMP) with HTTP for ; Mon, 30 Aug 2004 09:41:12 +0100 Message-ID: <1093855272.4132e82884db1@webmail.thekeelecentre.com> Date: Mon, 30 Aug 2004 09:41:12 +0100 
From: Richard Tector To: James References: <1093753691.8153.24.camel@wednesday.pricegrabber.com> <20040829074656.GA93946@scylla.towardex.com> <1093801495.14384.1.camel@wednesday.pricegrabber.com> <20040829182146.GA77336@scylla.towardex.com> In-Reply-To: <20040829182146.GA77336@scylla.towardex.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit User-Agent: Internet Messaging Program (IMP) 3.2.4 / FreeBSD-4.9 X-Originating-IP: 195.92.168.166 X-Virus-Scanned: by amavisd-new at thekeelecentre.com cc: Christopher McCrory cc: freebsd-net@freebsd.org cc: tackerman@freebsd.org cc: James Subject: Re: em driver problem with intel pro 1000xf - force 100/full X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 30 Aug 2004 08:57:48 -0000 > > If that doesn't work either, I am not sure if XF fiber intel gig-e cards are > capable of 100Mbps. > 1000baseSX cards can only operate at 1000Mbps, full duplex. The same was true for 10baseFL and 100baseFX fibre adapters. >From Intel's website: The Intel® PRO/1000 F Gigabit Server Adapter uses the 82543GC Ethernet controller chip labeled with an Intel® brand, SC fiber-based, 62.5/125um or 50/125um multimode, supports 32/64 bit at 33/66 MHz, and runs at 1000 Mbps. It must run in full duplex mode. The Intel® PRO/1000 XF Server Adapter uses the 82544 controller, fiber based as above and adds PCI-X support. End of Year 2001 Regards, Richard Tector ---------------------------------------------------------------- This message was sent using IMP, the Internet Messaging Program. 
From owner-freebsd-net@FreeBSD.ORG Mon Aug 30 11:02:04 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5668D16A4D6 for ; Mon, 30 Aug 2004 11:02:04 +0000 (GMT) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4D5E743D48 for ; Mon, 30 Aug 2004 11:02:04 +0000 (GMT) (envelope-from owner-bugmaster@freebsd.org) Received: from freefall.freebsd.org (peter@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.11/8.12.11) with ESMTP id i7UB24e0033918 for ; Mon, 30 Aug 2004 11:02:04 GMT (envelope-from owner-bugmaster@freebsd.org) Received: (from peter@localhost) by freefall.freebsd.org (8.12.11/8.12.11/Submit) id i7UB23im033912 for freebsd-net@freebsd.org; Mon, 30 Aug 2004 11:02:03 GMT (envelope-from owner-bugmaster@freebsd.org) Date: Mon, 30 Aug 2004 11:02:03 GMT Message-Id: <200408301102.i7UB23im033912@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: peter set sender to owner-bugmaster@freebsd.org using -f 
From: FreeBSD bugmaster To: freebsd-net@FreeBSD.org Subject: Current problem reports assigned to you X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 30 Aug 2004 11:02:04 -0000

Current FreeBSD problem reports

Critical problems

Serious problems
S Submitted    Tracker    Resp. Description
-------------------------------------------------------------------------------
o [2002/07/26] kern/41007 net   overfull traffic on third and fourth adap
o [2002/10/21] kern/44355 net   After deletion of an IPv6 alias, the rout
o [2003/10/14] kern/57985 net   [patch] Missing splx in ether_output_fram

3 problems total.

Non-critical problems
S Submitted    Tracker    Resp. Description
-------------------------------------------------------------------------------
o [2001/02/08] kern/24959 net   proper TCP_NOPUSH/TCP_CORK compatibility
o [2003/07/11] kern/54383 net   NFS root configurations without dynamic p

2 problems total.

From owner-freebsd-net@FreeBSD.ORG Mon Aug 30 16:58:05 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F006616A4CE; Mon, 30 Aug 2004 16:58:05 +0000 (GMT) Received: from ronno.pricegrabber.com (ronno.pricegrabber.com [64.156.13.49]) by mx1.FreeBSD.org (Postfix) with ESMTP id C782943D46; Mon, 30 Aug 2004 16:58:03 +0000 (GMT) (envelope-from chrismcc@pricegrabber.com) Received: from [192.168.10.19] (wednesday.pricegrabber.com [192.168.10.19]) (authenticated bits=0)i7UGw3S3018338; Mon, 30 Aug 2004 09:58:03 -0700 
From: Christopher McCrory To: Richard Tector In-Reply-To: <1093855272.4132e82884db1@webmail.thekeelecentre.com> References: <1093753691.8153.24.camel@wednesday.pricegrabber.com> <20040829074656.GA93946@scylla.towardex.com> <1093801495.14384.1.camel@wednesday.pricegrabber.com> <20040829182146.GA77336@scylla.towardex.com> <1093855272.4132e82884db1@webmail.thekeelecentre.com> Content-Type: text/plain; charset=utf-8 Message-Id: <1093885082.14384.10.camel@wednesday.pricegrabber.com> Mime-Version: 1.0 X-Mailer: Ximian Evolution 1.4.6 (1.4.6-2) Date: Mon, 30 Aug 2004 09:58:03 -0700 Content-Transfer-Encoding: 8bit X-Virus-Scanned: clamd / ClamAV version 0.75.1, clamav-milter version 0.75c on localhost X-Virus-Status: Clean cc: freebsd-net@freebsd.org cc: tackerman@freebsd.org cc: James cc: James Subject: Re: em driver problem with intel pro 1000xf - force 100/full X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 30 Aug 2004 16:58:06 -0000 On Mon, 2004-08-30 at 01:41, Richard Tector wrote: > > > > If that doesn't work either, I am not sure if XF fiber intel gig-e cards are > > capable of 100Mbps. > > > > 1000baseSX cards can only operate at 1000Mbps, full duplex. The same was true > for 10baseFL and 100baseFX fibre adapters. > > >From Intel's website: > The Intel® PRO/1000 F Gigabit Server Adapter uses the 82543GC Ethernet > controller chip labeled with an Intel® brand, SC fiber-based, 62.5/125um or > 50/125um multimode, supports 32/64 bit at 33/66 MHz, and runs at 1000 Mbps. > It must run in full duplex mode. > IIRC, 1000Mbps is full duplex only by spec. But it seems that it will auto-negotiate speeds, so presumably it will work at even 10Mbps/half. ? ? ? > The Intel® PRO/1000 XF Server Adapter uses the 82544 controller, fiber based > as above and adds PCI-X support. 
End of Year 2001 > The specs from Intel's site also state "Fast Ethernet compatible" /me not liking first journey into fiber land > Regards, > > Richard Tector > > > ---------------------------------------------------------------- > This message was sent using IMP, the Internet Messaging Program. > > _______________________________________________ > freebsd-net@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-net > To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org" -- Christopher McCrory "The guy that keeps the servers running" chrismcc@pricegrabber.com http://www.pricegrabber.com Let's face it, there's no Hollow Earth, no robots, and no 'mute rays.' And even if there were, waxed paper is no defense. I tried it. Only tinfoil works. From owner-freebsd-net@FreeBSD.ORG Mon Aug 30 19:25:20 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6EDBF16A4CE for ; Mon, 30 Aug 2004 19:25:20 +0000 (GMT) Received: from parrot.aev.net (host29-15.pool8174.interbusiness.it [81.74.15.29]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1367A43D3F for ; Mon, 30 Aug 2004 19:25:01 +0000 (GMT) (envelope-from ml@netfence.it) Received: from soth.ventu (adsl-186-24.37-151.net24.it [151.37.24.186]) (authenticated bits=128) by parrot.aev.net (8.13.1/8.13.1) with ESMTP id i7UJQeRs050576 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for ; Mon, 30 Aug 2004 21:26:47 +0200 (CEST) (envelope-from ml@netfence.it) Received: from mailer (xanatar.ventu [10.1.2.6]) by soth.ventu (8.13.1/8.12.10) with SMTP id i7UJOt22026385 for ; Mon, 30 Aug 2004 21:24:55 +0200 (CEST) (envelope-from ml@netfence.it) Message-Id: <200408301924.i7UJOt22026385@soth.ventu> To: freebsd-net@freebsd.org Priority: Normal X-Mailer: Post Road Mailer for OS/2 (Green Edition Ver 3.0) Date: Mon, 30 Aug 2004 21:23:23 EST 
From: Andrea Venturoli X-Scanned-By: MIMEDefang 2.44 Subject: bridge + ip_alias --> SLOW!!! X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: Andrea Venturoli List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 30 Aug 2004 19:25:20 -0000

Hello, I've got a problem I cannot understand and hope someone can help me. I've got a machine which must firewall a whole class C subnet. The upstream router (100Mb/s fiber connection) is configured as xxx.xxx.xxx.254, so I've chosen xxx.xxx.xxx.1 for my box and bridge with the other xxx.xxx.xxx.* IPs (10Mb/s copper). (In all my tests I've set up the external NIC to 10Mb/s; I wouldn't do more anyway). ifconfig gives

>fxp0: flags=8943 mtu 1500
> ether 00:02:b3:5e:5c:ca
> media: Ethernet 10baseT/UTP
> status: active
>vr0: flags=8943 mtu 1500
> inet xxx.xxx.xxx.1 netmask 0xffffff00 broadcast xxx.xxx.xxx.255
> inet xxx.xxx.xxx.12 netmask 0xffffffff broadcast xxx.xxx.xxx.12
> ether 00:40:f4:77:5f:c8
> media: Ethernet 10baseT/UTP
> status: active
>fxp1: flags=8943 mtu 1500
> inet 192.168.106.1 netmask 0xffffff00 broadcast 192.168.106.255
> ether 00:02:b3:5e:61:d0
> media: Ethernet 100baseTX
> status: active
>vr1: flags=8802 mtu 1500
> ether 00:40:f4:77:61:c5
> media: Ethernet autoselect (none)
> status: no carrier
>lo0: flags=8049 mtu 16384
> inet 127.0.0.1 netmask 0xff000000

vr1 is currently not used, fxp1 serves a private network, fxp0 and vr0 are bridged with the following:

cat /etc/sysctl.conf
>net.link.ether.bridge=1
>net.link.ether.bridge_cfg=vr0,fxp0
>net.link.ether.bridge_ipfw=1
>net.link.ether.ipfw=1

Notice I gave no IP to fxp0, since, from what I could understand, it is not needed.

uname -a gives:
>FreeBSD zzzzzz 4.10-RELEASE-p2 FreeBSD 4.10-RELEASE-p2 #7: Tue Aug 24 16:45:56 CEST 2004 root@zzzzzz:/usr/obj/usr/src/sys/ZZZZZZ i386

and we are using ipfw2:

tail /usr/src/sys/i386/conf/ZZZZZZ
>options IPFIREWALL
>options IPFIREWALL_VERBOSE
>options TCP_DROP_SYNFIN
>options RANDOM_IP_ID
>options IPDIVERT
>options IPFW2
>options BRIDGE
>options DUMMYNET

As you can see vr0 also has an alias address (for reasons which are out of scope here) and with that the problem begins. I can achieve good speeds on the external side both ways (originating connections and working as a server) if I use xxx.xxx.xxx.1, but xxx.xxx.xxx.12 is MUCH MUCH slower! No difference can be noted on the internal net or the private net on fxp1. Just to give an idea, I tested with iperf and these are the results:

internal net -> xxx.xxx.xxx.1    6.93 Mb/s
internal net -> xxx.xxx.xxx.12   6.94 Mb/s
internet -> xxx.xxx.xxx.1        237 Kb/s
internet -> xxx.xxx.xxx.12       60.3 Kb/s

So using the alias IP seems four times slower, but this is probably due to the bandwidth limit on the other side (I could only test from an ADSL): if I surf the web, choosing one of the two IPs as source, I get a much bigger gap. I tried with an "allow all" rule as the first in the ipfw chain, and got no improvement, so the firewall should (IMHO) not be the problem. I'm really lost, I cannot see any reason for this difference. Any hint? bye & Thanks av. 
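An added diagnostic, not something from Andrea's message or from anyone else in the thread: with net.link.ether.bridge_ipfw=1 the ruleset sees bridged frames as well as traffic addressed to the box itself, so the cheap way to know what the firewall does to each flow is to snapshot `ipfw show` (which prints per-rule packet and byte counters) before and after a transfer from each source address, then diff the counters. If only the leading "allow all" moves, the rules below it are indeed out of the picture; if the final deny or a keep-state rule moves for one address and not the other, that is where the two flows diverge. The script below does the diff. The sample snapshots, their counters and the 192.0.2.1 address in them are constructed for the example.

```sh
#!/bin/sh
# Added example (not from Andrea's message): diff two `ipfw show` snapshots
# to see which rules a test flow actually traversed, instead of inferring it
# from a blanket "allow all" at the top. Snapshot lines look like
#   <rule> <packets> <bytes> <rule text>
# Take them on the firewall (as root):
#   ipfw show > before.txt;  <transfer from one source address>;  ipfw show > after.txt

# ipfw_counter_diff BEFORE AFTER
# Prints "<rule> <pkt delta> <byte delta> <rule text>" for every rule whose
# packet counter moved between the two snapshots.
ipfw_counter_diff() {
    awk '
        NR == FNR { pk[$1] = $2; by[$1] = $3; next }   # first file: remember counters
        {
            dp = $2 - pk[$1]; db = $3 - by[$1]
            if (dp != 0) {
                txt = ""
                for (i = 4; i <= NF; i++) txt = txt (i > 4 ? " " : "") $i
                printf "%s %d %d %s\n", $1, dp, db, txt
            }
        }' "$1" "$2"
}

# ipfw_rules_hit BEFORE AFTER: number of rules that saw traffic between the
# two snapshots (0 means nothing in the ruleset matched the test flow).
ipfw_rules_hit() {
    ipfw_counter_diff "$1" "$2" | wc -l | tr -d ' '
}

# Constructed snapshots (not real counters) for a ruleset like the one in
# the thread: "allow all" added as rule 10, the normal rules below it.
# After the transfer only rule 10 moves, so the later rules cannot be the
# cause of whatever the flow is experiencing.
write_sample_snapshots() {
    cat > "$1/before.txt" <<'EOF'
00010    1000    800000 allow ip from any to any
00100       0         0 check-state
00200     500    400000 allow tcp from any to 192.0.2.1 80 setup keep-state
00300      20      1200 deny log ip from any to any
65535      40      2400 deny ip from any to any
EOF
    cat > "$1/after.txt" <<'EOF'
00010    1250   1000000 allow ip from any to any
00100       0         0 check-state
00200     500    400000 allow tcp from any to 192.0.2.1 80 setup keep-state
00300      20      1200 deny log ip from any to any
65535      40      2400 deny ip from any to any
EOF
}
```

Run it twice, once with the transfer sourced from xxx.xxx.xxx.1 and once from xxx.xxx.xxx.12, and compare the two diffs; a rule that appears in one and not the other is the first concrete difference between the fast and the slow path, and an empty diff for the slow address means the packets are not reaching ipfw on this box at all.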
From owner-freebsd-net@FreeBSD.ORG Tue Aug 31 06:10:57 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B91F116A4CF for ; Tue, 31 Aug 2004 06:10:57 +0000 (GMT) Received: from arginine.spc.org (arginine.spc.org [195.206.69.236]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1D09043D45 for ; Tue, 31 Aug 2004 06:10:57 +0000 (GMT) (envelope-from bms@spc.org) Received: from localhost (localhost [127.0.0.1]) by arginine.spc.org (Postfix) with ESMTP id 378B5651F7; Tue, 31 Aug 2004 07:10:55 +0100 (BST) Received: from arginine.spc.org ([127.0.0.1]) by localhost (arginine.spc.org [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 33171-07-2; Tue, 31 Aug 2004 07:10:54 +0100 (BST) Received: from empiric.dek.spc.org (adsl-64-171-187-220.dsl.snfc21.pacbell.net [64.171.187.220]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by arginine.spc.org (Postfix) with ESMTP id DB42D651F4; Tue, 31 Aug 2004 07:10:53 +0100 (BST) Received: by empiric.dek.spc.org (Postfix, from userid 1001) id 4B0EC62A0; Mon, 30 Aug 2004 23:10:50 -0700 (PDT) Date: Mon, 30 Aug 2004 23:10:50 -0700 
From: Bruce M Simpson To: Val Polyakov Message-ID: <20040831061050.GB871@empiric.icir.org> Mail-Followup-To: Val Polyakov , freebsd-net@freebsd.org References: <20040830225401.Y6704@digital-security.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20040830225401.Y6704@digital-security.org> cc: freebsd-net@freebsd.org Subject: Re: ip_proxy.h weirdness X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 31 Aug 2004 06:10:57 -0000 (Followed up to -net) Hello, Please post questions regarding network development to freebsd-net@ in future. On Mon, Aug 30, 2004 at 10:56:40PM -0400, Val Polyakov wrote: > I think netinet/ip_proxy.h is broke. :) ... I think you're mistaken here. > #include > #include ... There are a whole bunch of requisite include files which you haven't included in your program. Please look at the ipf utilities in contrib for more information on this. 
Regards BMS From owner-freebsd-net@FreeBSD.ORG Wed Sep 1 19:00:49 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A30A416A4CE for ; Wed, 1 Sep 2004 19:00:49 +0000 (GMT) Received: from parrot.aev.net (host29-15.pool8174.interbusiness.it [81.74.15.29]) by mx1.FreeBSD.org (Postfix) with ESMTP id F29EB43D46 for ; Wed, 1 Sep 2004 19:00:47 +0000 (GMT) (envelope-from ml@netfence.it) Received: from soth.ventu (adsl-246-23.37-151.net24.it [151.37.23.246]) (authenticated bits=128) by parrot.aev.net (8.13.1/8.13.1) with ESMTP id i81J2gnt050965 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for ; Wed, 1 Sep 2004 21:02:49 +0200 (CEST) (envelope-from ml@netfence.it) Received: from mailer (xanatar.ventu [10.1.2.6]) by soth.ventu (8.13.1/8.12.10) with SMTP id i81J0StC095477 for ; Wed, 1 Sep 2004 21:00:28 +0200 (CEST) (envelope-from ml@netfence.it) Message-Id: <200409011900.i81J0StC095477@soth.ventu> To: Priority: Normal X-Mailer: Post Road Mailer for OS/2 (Green Edition Ver 3.0) Date: Wed, 1 Sep 2004 21:00:28 EST 
From: Andrea Venturoli X-Scanned-By: MIMEDefang 2.44 Subject: Re: bridge + ip_alias --> SLOW!!! X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: Andrea Venturoli List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 01 Sep 2004 19:00:49 -0000 ** Reply to note from "Chris Dionissopoulos[freemail]" Tue, 31 Aug 2004 07:01:11 +0300 > Andrea, > Try something like this as alternative configuration: Thank you very much for the answer. Unfortunately I didn't want to mess remotely with this kind of configuration, so I waited until I could get my hands physically on the machine today. As I was explaining the matter to my customer, she happened to notice that the alias IP is no longer needed (was some kind of subscription); just wish she had told me *before* :) Alas, the machine fares well now with only xxx.xxx.xxx.1 and I don't like to experiment with a production machine, if it works. Still I don't know if the problem was FreeBSD or lay elsewhere, but I can't think of anything else, so it could be a good candidate for investigation, if I (or anyone else) ever happen to have a similar configuration to play freely with. Thanks a lot really. bye av. 
From owner-freebsd-net@FreeBSD.ORG Thu Sep 2 16:56:47 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B27BB16A4CE for ; Thu, 2 Sep 2004 16:56:47 +0000 (GMT) Received: from altair.cifrid.net (altair.cifrid.net [195.136.117.116]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3857743D2D for ; Thu, 2 Sep 2004 16:56:47 +0000 (GMT) (envelope-from apm@acrux.cifrid.net) Received: from acrux.cifrid.net ([195.136.117.114]:62419 ident=exim) by altair.cifrid.net with esmtp (Exim 4.34) id 1C2ute-000Ng1-HZ for freebsd-net@freebsd.org; Thu, 02 Sep 2004 18:57:14 +0200 Received: from apm by acrux.cifrid.net with local (Exim 4.34) id 1C2ute-000Nfy-CL for freebsd-net@freebsd.org; Thu, 02 Sep 2004 18:57:14 +0200 Date: Thu, 2 Sep 2004 18:57:14 +0200 
From: Artur Meski To: freebsd-net@freebsd.org Message-ID: <20040902165714.GA86645@acrux.cifrid.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Sender: Artur Meski Subject: strange connection attempts with 182.5.5.8. X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 02 Sep 2004 16:56:47 -0000 Pound (http://www.apsis.ch/pound) is an HTTP reverse proxy and load balancer. While I was playing with it, I ran into a weird thing. After pound forwards a connection to a backend, something like this occurs (truss output):

connect(0x3,{ AF_INET 182.5.5.8:49087 },16) ERR#36 'Operation now in progress'

Where does 182.5.5.8 come from? No one has ever made any connection (according to tcpdump) from this address. I installed pound on the second server and its behaviour is just the same. It happened to me only on FreeBSD. Tested with different FreeBSD installations. AOLserver with the nsvhr module does a very similar thing, so I assume it's not pound-specific and maybe a FreeBSD bug. What's going on? 
-- // WWW: apm.cifrid.net // PGP: finger apm@acrux.cifrid.net // From owner-freebsd-net@FreeBSD.ORG Thu Sep 2 17:42:48 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8ED9E16A4CE for ; Thu, 2 Sep 2004 17:42:48 +0000 (GMT) Received: from altair.cifrid.net (altair.cifrid.net [195.136.117.116]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4E09143D49 for ; Thu, 2 Sep 2004 17:42:48 +0000 (GMT) (envelope-from apm@acrux.cifrid.net) Received: from acrux.cifrid.net ([195.136.117.114]:62876 ident=exim) by altair.cifrid.net with esmtp (Exim 4.34) id 1C2vcC-000PPI-Gf for freebsd-net@freebsd.org; Thu, 02 Sep 2004 19:43:16 +0200 Received: from apm by acrux.cifrid.net with local (Exim 4.34) id 1C2vcC-000PPF-Fb for freebsd-net@freebsd.org; Thu, 02 Sep 2004 19:43:16 +0200 Date: Thu, 2 Sep 2004 19:43:16 +0200 
From: Artur Meski To: freebsd-net@freebsd.org Message-ID: <20040902174316.GB91794@acrux.cifrid.net> References: <20040902165714.GA86645@acrux.cifrid.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20040902165714.GA86645@acrux.cifrid.net> Sender: Artur Meski Subject: Re: strange connection attempts with 182.5.5.8. X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 02 Sep 2004 17:42:48 -0000 I forgot to mention, that it's FreeBSD 5.2.1. On FreeBSD 4.10 this problem doesn't occur. -- // WWW: apm.cifrid.net // PGP: finger apm@acrux.cifrid.net // From owner-freebsd-net@FreeBSD.ORG Thu Sep 2 18:17:43 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0227616A4CE for ; Thu, 2 Sep 2004 18:17:43 +0000 (GMT) Received: from fritz.delphinium.net (pcp487354pcs.howard01.md.comcast.net [68.55.21.183]) by mx1.FreeBSD.org (Postfix) with ESMTP id A0E2343D48 for ; Thu, 2 Sep 2004 18:17:42 +0000 (GMT) (envelope-from rip@bronzedragon.net) Message-ID: <413763C1.90208@bronzedragon.net> Date: Thu, 02 Sep 2004 14:17:37 -0400 
From: rip User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040413 Debian/1.6-5 X-Accept-Language: en MIME-Version: 1.0 To: freebsd-net@freebsd.org Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: 3 NICs - 1 upstream, 2 downstream to same subnet?? X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 02 Sep 2004 18:17:43 -0000

Hello All;

Here is the puzzle

Config : 5.1-Release
3 xl interfaces xl0, xl1, xl2

I am trying to make a configuration to isolate the WiFi APs on a single segment. DHCP hands out 'good' addresses (10.0.0.x) to MACs it recognizes and 'bad' (10.99.0.x) when the MAC does not match and is taken from the common pool. I then will use ipfw to block the trespassers, but do a bit of data collection at the same time. I don't expect much bad traffic here since WEP will keep out the casual. Just a defense-in-depth thing. I have the upstream interface on xl2 no problem; I want to have 2 segments of 10.0.0.0/8 on xl0 and xl1

--pseudo commands--
ifconfig xl2 inet 198.162.1.1                    // upstream router
ifconfig xl1 inet 10.0.0.254 netmask 255.0.0.0   // this box = default router + all wired machines
ifconfig xl0 inet 10.?.?.? netmask 255.0.0.0     // Wifi AP segment + all wifi connections

--ipfw--
deny ip from 10.99.0.0/16 to any in via xl0      // block trespassers

?? Is this possible?
?? What sort of ip address should xl0 have. When I gave it a 10.99.0.0 255.0.0.0 address, the netstat -rn said all 10 traffic was on xl0, which was not true.
?? Will the OS route traffic coming in on xl0 (with good ips) through the stacks to xl1 and then on to xl0 for external traffic.
?? Will this act as a switch (mac specific) or a hub (broadcast mode).

I have had problems with multiple interfaces of this type (xl). 
I found that I had to ensure all interfaces were down as each one was configured. If another xl interface is up, an error message is returned about an existing file. Rip Toren From owner-freebsd-net@FreeBSD.ORG Thu Sep 2 18:30:13 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A690516A4CE for ; Thu, 2 Sep 2004 18:30:13 +0000 (GMT) Received: from smtpout.mac.com (smtpout.mac.com [17.250.248.46]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7D0D043D60 for ; Thu, 2 Sep 2004 18:30:12 +0000 (GMT) (envelope-from cswiger@mac.com) Received: from mac.com (smtpin02-en2 [10.13.10.147]) by smtpout.mac.com (8.12.6/MantshX 2.0) with ESMTP id i82IU7Yo007840; Thu, 2 Sep 2004 11:30:07 -0700 (PDT) Received: from [192.168.1.6] (pool-68-160-193-218.ny325.east.verizon.net [68.160.193.218]) (authenticated bits=0)i82IU5ki024039; Thu, 2 Sep 2004 11:30:06 -0700 (PDT) In-Reply-To: <413763C1.90208@bronzedragon.net> References: <413763C1.90208@bronzedragon.net> Mime-Version: 1.0 (Apple Message framework v619) Content-Type: text/plain; charset=US-ASCII; format=flowed Message-Id: <1B4160E2-FD0E-11D8-A54A-003065A20588@mac.com> Content-Transfer-Encoding: 7bit 
From: Charles Swiger Date: Thu, 2 Sep 2004 14:30:03 -0400 To: rip X-Mailer: Apple Mail (2.619) cc: freebsd-net@freebsd.org Subject: Re: 3 NICs - 1 upstream, 2 downstream to same subnet?? X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 02 Sep 2004 18:30:13 -0000 On Sep 2, 2004, at 2:17 PM, rip wrote: > I am trying to make a configuration to isolate the WiFi APs on a > single segment. DHCP hands out 'good' addresses (10.0.0.x) to MACs it > recognizes and 'bad' (10.99.0.x) when the MAC does not match and is > taken from the common pool. > I then will use ipfw to block the trespassers, but do a bit of data > collection at the same time. I don't expect much bad traffic here > since WEP will keep out the casual. Just a defense-in-depth thing. What you're trying to do won't actually give you much benefit to security: someone who wants to break in doesn't have to pay attention to the DHCP lease you give them, they can just assign themselves a good 10.0.0.x address. The second problem you are having is that you can't have two NICs on the same subnet. The routing table needs interfaces to be unique so it doesn't have to guess which route should be used. 
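An added example, not part of Chuck's reply or of anything rip posted: since a trespasser can ignore the DHCP lease and pick a 'good' 10.0.0.x address, a deny keyed on the 10.99.0.0/16 range only stops clients that cooperate. What the DHCP server was actually keying on is the client MAC, and ipfw2 can match that directly at layer 2 (the `MAC dst-mac src-mac` option together with `layer2`, once `net.link.ether.ipfw=1` is set). The script below turns a MAC allow-list into such a ruleset for the WiFi-facing interface; the interface name xl0, the rule numbers and the MAC list are assumptions, not anything from the thread. The caveat a practitioner wants stated: a MAC is forged just as easily by anyone who sniffs a legitimate one, so this raises the bar from 'pick an address' to 'clone a neighbour' and is still no substitute for per-client authentication, which WEP does not provide either.

```sh
#!/bin/sh
# Added example (not from the thread): emit an ipfw2 layer-2 allow-list for
# the WiFi-facing interface. Only frames whose source MAC is on the list get
# in; everything else entering via that interface is denied and logged.
# Requires layer-2 filtering to be on:  sysctl net.link.ether.ipfw=1
# Interface name, rule numbers and the MACs below are assumptions.

# Lower-case colon-separated MAC, six octets; anything else is rejected so
# a typo cannot silently turn into a rule that matches nothing.
valid_mac() {
    echo "$1" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# gen_mac_allowlist IFACE FIRST_RULE MAC...
# Prints ipfw commands (without the leading "ipfw") suitable for
# `ipfw /dev/stdin`: one allow per MAC, then the catch-all deny.
gen_mac_allowlist() {
    ifn="$1"; n="$2"
    shift 2
    [ $# -gt 0 ] || { echo "empty allow-list would lock everyone out" >&2; return 1; }
    for mac in "$@"; do
        valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
        # "MAC dst src": any destination, this source; evaluated at layer 2
        # as the frame enters via the WiFi interface.
        echo "add $n allow all from any to any MAC any $mac in via $ifn layer2"
        n=$((n + 1))
    done
    echo "add $n deny log all from any to any in via $ifn layer2"
}

# Constructed allow-list (not real hardware). In practice this is the same
# MAC list the DHCP server uses for its 'good' pool.
KNOWN_MACS="00:11:22:33:44:55 00:aa:bb:cc:dd:ee"

# Syntax-check the generated rules without loading them:
#   gen_mac_allowlist xl0 1000 $KNOWN_MACS | ipfw -n /dev/stdin
# Load them for real (as root):
#   gen_mac_allowlist xl0 1000 $KNOWN_MACS | ipfw -q /dev/stdin
```

Check the output with `ipfw -n` against the ipfw(8) of the release actually installed before loading it, and watch the logged denies for a while: ARP and other non-IP frames entering the interface are also subject to these layer-2 rules, so the catch-all deny will show you what a legitimate client needs before you tighten anything further.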
-- -Chuck From owner-freebsd-net@FreeBSD.ORG Thu Sep 2 18:40:00 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C9ADD16A4CE for ; Thu, 2 Sep 2004 18:40:00 +0000 (GMT) Received: from gollum.cambrium.nl (mx1.cambrium.nl [217.19.16.130]) by mx1.FreeBSD.org (Postfix) with SMTP id 112C343D4C for ; Thu, 2 Sep 2004 18:40:00 +0000 (GMT) (envelope-from MichelKempes@tweakdsl.nl) Received: (qmail 12958 invoked from network); 2 Sep 2004 18:36:03 -0000 Received: from wants.to.be.just.like.bilbo.nl (HELO 192.168.1.36) (217.19.24.4) by gollum.cambrium.nl with SMTP; 2 Sep 2004 18:36:03 -0000 
From: Michel Kempes To: Charles Swiger , rip Date: Thu, 2 Sep 2004 20:39:59 +0200 User-Agent: KMail/1.5.4 References: <413763C1.90208@bronzedragon.net> <1B4160E2-FD0E-11D8-A54A-003065A20588@mac.com> In-Reply-To: <1B4160E2-FD0E-11D8-A54A-003065A20588@mac.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200409022039.59406.MichelKempes@tweakdsl.nl> cc: freebsd-net@freebsd.org Subject: Re: 3 NICs - 1 upstream, 2 downstream to same subnet?? X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: MichelKempes@tweakdsl.FreeBSD.ORG List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 02 Sep 2004 18:40:00 -0000 > The second problem you are having is that you can't have two NICs on the > same subnet. Well it is possible to do but it is kind of useless to put 2 NIC interfaces on the same subnet, unless you can have 1 gbit incoming and 2 100 NICs downstreaming it over the subnet, but this will need a load balance setup. From owner-freebsd-net@FreeBSD.ORG Fri Sep 3 02:04:56 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2553716A4CE for ; Fri, 3 Sep 2004 02:04:56 +0000 (GMT) Received: from web61308.mail.yahoo.com (web61308.mail.yahoo.com [216.155.196.151]) by mx1.FreeBSD.org (Postfix) with SMTP id B816343D3F for ; Fri, 3 Sep 2004 02:04:55 +0000 (GMT) (envelope-from cpumemhd@yahoo.com) Message-ID: <20040903020455.44375.qmail@web61308.mail.yahoo.com> Received: from [149.174.164.14] by web61308.mail.yahoo.com via HTTP; Thu, 02 Sep 2004 19:04:55 PDT Date: Thu, 2 Sep 2004 19:04:55 -0700 (PDT) 
From: cpu memhd To: freebsd-net@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Content-Filtered-By: Mailman/MimeDel 2.1.1 Subject: IPsec blues 5.2.1 X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Sep 2004 02:04:56 -0000

I know about the broken IPSEC problem so I have compiled the kernel with FAST_IPSEC. The man pages say: "In general, the Fast IPsec implementation is intended to be compatible with the KAME IPsec implementation." Then, when reading 14.10 VPN over IPsec docs... http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html It mentions using racoon and modifying ${PREFIX}/etc/racoon/psk.txt. But this file does not exist. Do I still have to use racoon, how do I get this working? Another problem is the handbook example shows rc.conf configuration as:

gifconfig_gif0="A.B.C.D W.X.Y.Z"
ifconfig_gif0="inet 192.168.1.1 192.168.2.1 netmask 0xffffffff"
static_routes="vpn"
route_vpn="192.168.2.0 192.168.2.1 netmask 0xffffff00"

But shouldn't the two gateways be on the same subnet (192.168.1.x)? Also, I try to run setkey -D but I get an error "pfkey_open: Protocol not supported". Thanks. 
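An added example, not from the post, the handbook or the racoon port, that generates the pieces the handbook's gif-over-ESP setup needs with every address as a parameter. Two points of fact first. The gif inner addresses (192.168.1.1 and 192.168.2.1 in the quoted rc.conf) are the two ends of a point-to-point link, so they do not have to share a subnet; each is simply that gateway's address on its own LAN, and route_vpn sends the remote LAN through the remote end. And `setkey -D` failing with `pfkey_open: Protocol not supported` means the running kernel has no PF_KEY socket, i.e. neither IPSEC nor FAST_IPSEC is in the kernel that actually booted (FAST_IPSEC also needs `device crypto`); no policy will load until that is fixed. racoon's psk.txt is not created for you: make it at the path named by `path pre_shared_key` in racoon.conf, one `peer-address secret` per line, readable only by root. The 203.0.113.1 and 198.51.100.1 endpoints in the usage comments are documentation addresses, not a real site.

```sh
#!/bin/sh
# Added example (not from the handbook or the post): generate the rc.conf
# lines and the setkey(8) policy for a gif tunnel protected by ESP between
# two gateways. Every address is a parameter; the addresses in the usage
# comments are documentation ranges, not a real site.

# Dotted quad with each octet 0..255; returns 1 otherwise.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr . ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# gen_gif_rc LOCAL_PUB REMOTE_PUB LOCAL_INNER REMOTE_INNER REMOTE_NET REMOTE_MASK
# rc.conf fragment in the handbook's shape: outer endpoints on the gif,
# point-to-point inner addresses (no common subnet needed), and a static
# route for the remote LAN via the remote inner address. gif_interfaces
# makes the cloned gif0 exist before it is configured.
gen_gif_rc() {
    for a in "$1" "$2" "$3" "$4" "$5"; do
        valid_ipv4 "$a" || { echo "bad address: $a" >&2; return 1; }
    done
    if [ "$1" = "$2" ] || [ "$3" = "$4" ]; then
        echo "tunnel endpoints must differ" >&2; return 1
    fi
    cat <<EOF
gif_interfaces="gif0"
gifconfig_gif0="$1 $2"
ifconfig_gif0="inet $3 $4 netmask 0xffffffff"
static_routes="vpn"
route_vpn="$5 $4 netmask $6"
EOF
}

# gen_spd LOCAL_PUB REMOTE_PUB
# Security policy for `setkey -f`: require tunnel-mode ESP on the ipencap
# (gif) traffic between the two public endpoints, in both directions. The
# "in" entry is what stops the kernel from accepting the tunnel traffic
# unprotected; without it only your own outbound side is enforced.
gen_spd() {
    for a in "$1" "$2"; do
        valid_ipv4 "$a" || { echo "bad address: $a" >&2; return 1; }
    done
    cat <<EOF
spdadd $1/32 $2/32 ipencap -P out ipsec esp/tunnel/$1-$2/require;
spdadd $2/32 $1/32 ipencap -P in ipsec esp/tunnel/$2-$1/require;
EOF
}

# Usage on gateway A (203.0.113.1, LAN 192.168.1.0/24) talking to gateway B
# (198.51.100.1, LAN 192.168.2.0/24):
#   gen_gif_rc 203.0.113.1 198.51.100.1 192.168.1.1 192.168.2.1 192.168.2.0 0xffffff00 >> /etc/rc.conf
#   gen_spd    203.0.113.1 198.51.100.1 > /etc/ipsec.conf && setkey -f /etc/ipsec.conf
# Gateway B runs the same two commands with the address pairs swapped.
```

The policy only states that ESP is required; the keys themselves come from racoon negotiating with the peer over IKE using the psk.txt entry, so `setkey -D` stays empty until the first packet for the tunnel triggers that exchange and it succeeds.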
From owner-freebsd-net@FreeBSD.ORG Fri Sep 3 06:29:23 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B1C1C16A4CE for ; Fri, 3 Sep 2004 06:29:23 +0000 (GMT) Received: from mail.star-sw.com (mail.star-sw.com [217.195.82.1]) by mx1.FreeBSD.org (Postfix) with ESMTP id AD81143D1F for ; Fri, 3 Sep 2004 06:29:22 +0000 (GMT) (envelope-from nkritsky@star-sw.com) Received: from ARGON.star-sw.com (argon.star-sw.com [217.195.82.10]) by mail.star-sw.com (8.12.11/8.12.11) with ESMTP id i836TIGM033275; Fri, 3 Sep 2004 10:29:18 +0400 (MSD) Received: from ibmka.star-sw.com ([192.168.32.230]) by ARGON.star-sw.com with Microsoft SMTPSVC(5.0.2195.5329); Fri, 3 Sep 2004 10:29:18 +0400 Date: Fri, 3 Sep 2004 10:29:18 +0400 
From: "Nickolay A. Kritsky" X-Mailer: The Bat! (v1.49) Personal X-Priority: 3 (Normal) Message-ID: <2755213000.20040903102918@star-sw.com> To: rip In-reply-To: <413763C1.90208@bronzedragon.net> References: <413763C1.90208@bronzedragon.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-OriginalArrivalTime: 03 Sep 2004 06:29:18.0574 (UTC) FILETIME=[575C08E0:01C4917F] cc: freebsd-net@freebsd.org Subject: Re: 3 NICs - 1 upstream, 2 downstream to same subnet?? X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: "Nickolay A. Kritsky" List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Sep 2004 06:29:24 -0000 Hello rip, Are you sure that you want only one subnet? In your case two different subnets on two interfaces IMHO look much better. If you are sure about a one-subnet setup, then you should try to set up a bridge(4) between those two NICs. The bridge in FreeBSD supports ipfw filtering, so you can still complete your security goals. Thursday, September 02, 2004, 10:17:37 PM, rip wrote: r> Hello All; r> Here is the puzzle r> ?? Is this possible? r> ?? What sort of ip address should xl0 have. When I gave it a 10.99.0.0 r> 255.0.0.0 address, the netstat -rn said all 10 traffic was on xl0, which r> was not true. r> ?? Will the OS route traffic coming in on xl0 (with good ips) through r> the stacks to xl1 and then on to xl0 for external traffic. r> ?? Will this act as a switch (mac specific) or a hub (broadcast mode). -- Best regards, ; Nickolay A. 
Kritsky ; SysAdmin STAR Software LLC ; mailto:nkritsky@star-sw.com From owner-freebsd-net@FreeBSD.ORG Fri Sep 3 10:53:42 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4875516A4CE for ; Fri, 3 Sep 2004 10:53:42 +0000 (GMT) Received: from fritz.delphinium.net (pcp487354pcs.howard01.md.comcast.net [68.55.21.183]) by mx1.FreeBSD.org (Postfix) with ESMTP id D438943D2D for ; Fri, 3 Sep 2004 10:53:41 +0000 (GMT) (envelope-from rtoren@bronzedragon.net) Message-ID: <41384D4C.9030209@bronzedragon.net> Date: Fri, 03 Sep 2004 06:54:04 -0400 
From: RRrp Toren User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.1) Gecko/20040707 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Charles Swiger References: <413763C1.90208@bronzedragon.net> <1B4160E2-FD0E-11D8-A54A-003065A20588@mac.com> In-Reply-To: <1B4160E2-FD0E-11D8-A54A-003065A20588@mac.com> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit cc: freebsd-net@freebsd.org Subject: Re: 3 NICs - 1 upstream, 2 downstream to same subnet?? X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Sep 2004 10:53:42 -0000 Charles Swiger wrote: > On Sep 2, 2004, at 2:17 PM, rip wrote: > >> I am trying to make a configuration to isolate the WiFi APs on a >> single segment. DHCP hands out 'good' addresses (10.0.0.x) to MACs it >> recognizes and 'bad' (10.99.0.x) when the MAC does not match and is >> taken from the common pool. >> I then will use ipfw to block the trespassers, but do a bit of data >> collection at the same time. I don't expect much bad traffic here >> since WEP will keep out the casual. Just a defense-in-depth thing. > > > What you're trying to do won't actually give you much benefit to > security: someone who wants to break in doesn't have to pay attention to > the DHCP lease you give them, they can just assign themselves a good > 10.0.0.x address. I am not a believer in the idea that the only good solution is the 100% solution. I like the multi-layering of 80% solutions. The IP addresses here were picked for demonstration purposes. The actual set can come from anywhere within the RFC 1918 network numbers. So picking a good IP the 1st time, in the blind, is like shooting a bullseye on the first shot in a pitch-black range you just stepped into. Then there are other layers that have to be bypassed. Sort of like Indiana Jones. 
There are many challenges to overcome, with only one attempt each. I am just asking about the technical feasibility. > > The second problem you are having is that you can't have two NIC on the > same subnet. The routing table needs interfaces to be unique so it > doesn't have to guess which route should be used. > If this is a FreeBSD implementation restriction, then so be it. I have always thought routers could service a large subnet with multiple interfaces. And that FreeBSD could be configured as a router. Thanks for the info Rip From owner-freebsd-net@FreeBSD.ORG Fri Sep 3 11:00:09 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D59A016A4CE for ; Fri, 3 Sep 2004 11:00:09 +0000 (GMT) Received: from fritz.delphinium.net (pcp487354pcs.howard01.md.comcast.net [68.55.21.183]) by mx1.FreeBSD.org (Postfix) with ESMTP id B014E43D31 for ; Fri, 3 Sep 2004 11:00:09 +0000 (GMT) (envelope-from rtoren@bronzedragon.net) Message-ID: <41384ED0.4070103@bronzedragon.net> Date: Fri, 03 Sep 2004 07:00:32 -0400 
From: RRrp Toren User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.1) Gecko/20040707 X-Accept-Language: en-us, en MIME-Version: 1.0 To: MichelKempes@tweakdsl.delphinium.net References: <413763C1.90208@bronzedragon.net> <1B4160E2-FD0E-11D8-A54A-003065A20588@mac.com> <200409022039.59406.MichelKempes@tweakdsl.nl> In-Reply-To: <200409022039.59406.MichelKempes@tweakdsl.nl> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit cc: freebsd-net@freebsd.org Subject: Re: 3 NICs - 1 upstream, 2 downstream to same subnet?? X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Sep 2004 11:00:09 -0000 Michel Kempes wrote: >>The second problem you are having is that you can't have two NIC on the >>same subnet. > > > Well it is possible to do but it is kind of useless to put 2 nic interfaces on > the same subnet, unless you can have 1 gbit incoming and 2 100 nic > downstreaming it over the subnet but this will need a load balance setup. This probably is a terminology thing. "on the same subnet" and "servicing the same subnet" aren't the same thing, to me. I am not talking about electrically connecting both NICs to the same segment ("on the subnet"), but rather each NIC having an independent segment (physically), with machine IPs coming from the same subnet pool of addresses (but being unique, of course). 
Rip From owner-freebsd-net@FreeBSD.ORG Fri Sep 3 11:05:16 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BEF6816A4CE for ; Fri, 3 Sep 2004 11:05:16 +0000 (GMT) Received: from fritz.delphinium.net (pcp487354pcs.howard01.md.comcast.net [68.55.21.183]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9470D43D48 for ; Fri, 3 Sep 2004 11:05:16 +0000 (GMT) (envelope-from rtoren@bronzedragon.net) Message-ID: <41385003.1080904@bronzedragon.net> Date: Fri, 03 Sep 2004 07:05:39 -0400 
From: RRrp Toren User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.1) Gecko/20040707 X-Accept-Language: en-us, en MIME-Version: 1.0 To: "Nickolay A. Kritsky" References: <413763C1.90208@bronzedragon.net> <2755213000.20040903102918@star-sw.com> In-Reply-To: <2755213000.20040903102918@star-sw.com> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit cc: freebsd-net@freebsd.org Subject: Re: 3 NICs - 1 upstream, 2 downstream to same subnet?? X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Sep 2004 11:05:16 -0000 Nickolay A. Kritsky wrote: > Hello rip, > > Are you sure that you want only one subnet? In your case two different > subnets on two interfaces IMHO look much better. If you are sure about > one-subnet setup than you should try to set up a bridge(4) between > them two NICs. Bridge in FreeBSD is supporting ipfw filtering, so > you can still complete your security goals. No, I am not sure. I tried using 11.x.x.x on the xl0, but all routing out of the machine stopped along there somewhere. It may have been the xl drivers that don't seem to play well with multiple copies running. I have the outbound interface NATed, so using a live subnet number shouldn't be a problem. Or maybe just go to one of the other 1918 values. Thanks; I'll give that a try again today. Rip > > Thursday, September 02, 2004, 10:17:37 PM, rip wrote: > > r> Hello All; > r> Here is the puzzle > > r> ?? Is this possible? > r> ?? What sort of ip address should xl0 have. When I gave it a 10.99.0.0 > r> 255.0.0.0 address, the netstat -rn said all 10 traffic was on xl0, which > r> was not true. > r> ?? Will the OS route traffic coming in on xl0 (with good ips) through > r> the stacks to xl1 and then on to xl0 for external traffic. > r> ?? 
Will this act as a switch (mac specific) or a hub (broadcast mode). > From owner-freebsd-net@FreeBSD.ORG Fri Sep 3 12:15:06 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D179A16A4CE for ; Fri, 3 Sep 2004 12:15:06 +0000 (GMT) Received: from mail.net (custpop.ca.mci.com [142.77.1.111]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1E2D443D3F for ; Fri, 3 Sep 2004 12:15:06 +0000 (GMT) (envelope-from kfl@xiphos.ca) Received: from [216.95.199.148] (account kfl@xiphos.ca HELO xiphos.ca) by mail.net (CommuniGate Pro SMTP 3.5.6) with ESMTP id 16890806; Fri, 03 Sep 2004 08:15:05 -0400 Message-ID: <41386333.8040809@xiphos.ca> Date: Fri, 03 Sep 2004 08:27:31 -0400 
From: Karim Fodil-Lemelin User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.6) Gecko/20040113 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Thiago Pinto Damas References: <20040825172642.28596.qmail@gawab.com> In-Reply-To: <20040825172642.28596.qmail@gawab.com> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit cc: freebsd-net@freebsd.org Subject: Re: IPCOMP on IPSEC X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Sep 2004 12:15:06 -0000 Actually I did. If you look in this mailing list archive you'll find a patch for it. I also proposed a patch for IPSEC (with IPCOMP) to work with a gif tunnel. http://groups.google.ca/groups?q=IPSEC+tunnel+kfl%40xiphos.ca&hl=en&lr=&ie=UTF-8&selm=1083615801.00042919.1083603002%4010.7.7.3&rnum=1 Karim. Thiago Pinto Damas wrote: > Hi, > I configured a tunnel between two FreeBSD machines with IPSEC, >for just using the IPCOMP (without ESP and AH), but the >performance wasn't good. > Has someone configured a tunnel for only compressing data? > Sorry for the bad English! 
> >Thiago >_______________________________________________ >freebsd-net@freebsd.org mailing list >http://lists.freebsd.org/mailman/listinfo/freebsd-net >To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org" > > > From owner-freebsd-net@FreeBSD.ORG Fri Sep 3 13:44:50 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A6C5A16A4CF for ; Fri, 3 Sep 2004 13:44:50 +0000 (GMT) Received: from c00l3r.networx.ch (c00l3r.networx.ch [62.48.2.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 98D0043D45 for ; Fri, 3 Sep 2004 13:44:49 +0000 (GMT) (envelope-from nanog-list@nrg4u.com) Received: (qmail 10209 invoked from network); 3 Sep 2004 13:42:13 -0000 Received: from dotat.atdotat.at (HELO [62.48.0.47]) ([62.48.0.47]) (envelope-sender ) by c00l3r.networx.ch (qmail-ldap-1.03) with SMTP for ; 3 Sep 2004 13:42:13 -0000 Message-ID: <4138754D.70004@nrg4u.com> Date: Fri, 03 Sep 2004 15:44:45 +0200 
From: Andre Oppermann User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8a1) Gecko/20040520 X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-current@freebsd.org, freebsd-net@freebsd.org Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Subject: Presentation on new things in Network Stack for 5.3 X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Sep 2004 13:44:50 -0000 I've made a presentation today at SUNCON'04 in Zurich, Switzerland on the new things and changes in FreeBSD 5.3 Network Stack. You can find it here: http://people.freebsd.org/~andre/ It is fairly high-level and intended for server and system administrators as well as developers. If you write me emails please be aware that I only periodically look into my inbox till Monday. We are having fun and discussing FreeBSD issues and new developments with a couple of guys that are here too: phk, mblapp, mlaier, pjd, and a couple more of whom I don't remember the login at the moment. PS: Linux guys were pretty much floored that FreeBSD 5.3 can route 1Mpps and they can't do much more than 100kpps. ;-) Yes, way to go! 
PPS: SUCON website and tracks can be found here: http://www.suug.ch/sucon/04/ -- Andre From owner-freebsd-net@FreeBSD.ORG Fri Sep 3 13:45:56 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2B37F16A4CF for ; Fri, 3 Sep 2004 13:45:56 +0000 (GMT) Received: from wjv.com (fl-65-40-24-38.sta.sprint-hsd.net [65.40.24.38]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6F8E843D49 for ; Fri, 3 Sep 2004 13:45:55 +0000 (GMT) (envelope-from bv@bilver.wjv.com) Received: from bilver.wjv.com (localhost.wjv.com [127.0.0.1]) by wjv.com (8.12.11/8.12.11) with ESMTP id i83DjrBi050885 for ; Fri, 3 Sep 2004 09:45:54 -0400 (EDT) (envelope-from bv@bilver.wjv.com) Received: (from bv@localhost) by bilver.wjv.com (8.12.11/8.12.11/Submit) id i83Djr4P050884 for freebsd-net@freebsd.org; Fri, 3 Sep 2004 09:45:53 -0400 (EDT) (envelope-from bv) Date: Fri, 3 Sep 2004 09:45:43 -0400 
From: Bill Vermillion To: freebsd-net@freebsd.org Message-ID: <20040903134543.GB50526@wjv.com> References: <413763C1.90208@bronzedragon.net> <2755213000.20040903102918@star-sw.com> <41385003.1080904@bronzedragon.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <41385003.1080904@bronzedragon.net> Organization: W.J.Vermillion / Orlando - Winter Park ReplyTo: bv@wjv.com User-Agent: Mutt/1.5.6i Subject: Re: 3 NICs - 1 upstream, 2 downstream to same subnet?? X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: bv@wjv.com List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Sep 2004 13:45:56 -0000 On Fri, Sep 03, 2004 at 07:05 , RRrp Toren moved his mouse, rebooted for the change to take effect, and then said: > Nickolay A. Kritsky wrote: > > >Hello rip, > > > >Are you sure that you want only one subnet? In your case two different > >subnets on two interfaces IMHO look much better. If you are sure about > >one-subnet setup than you should try to set up a bridge(4) between > >them two NICs. Bridge in FreeBSD is supporting ipfw filtering, so > >you can still complete your security goals. > No, I am not sure. I tried using 11.x.x.x on the xl0, but all > routing out of the machine stopped along there somewhere. It > may have been the xl drivers that don't seem to play well with > multiple copies running. The 11.x.x.x network belongs to the Department of Defense. Be sure to use only numbers allocated for private use. That's the complete 10.x.x.x, 17.16.x.x to 17.31.255.255 and 192.168.x.x. Using addresses outside the private address space can mislead you when routers take the data elsewhere. -- Bill Vermillion - bv @ wjv . 
com From owner-freebsd-net@FreeBSD.ORG Fri Sep 3 13:58:18 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CFE1316A4CF for ; Fri, 3 Sep 2004 13:58:18 +0000 (GMT) Received: from c00l3r.networx.ch (c00l3r.networx.ch [62.48.2.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1369B43D60 for ; Fri, 3 Sep 2004 13:58:17 +0000 (GMT) (envelope-from andre@freebsd.org) Received: (qmail 10336 invoked from network); 3 Sep 2004 13:55:41 -0000 Received: from dotat.atdotat.at (HELO [62.48.0.47]) ([62.48.0.47]) (envelope-sender ) by c00l3r.networx.ch (qmail-ldap-1.03) with SMTP for ; 3 Sep 2004 13:55:41 -0000 Message-ID: <41387876.4030401@freebsd.org> Date: Fri, 03 Sep 2004 15:58:14 +0200 
From: Andre Oppermann User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8a1) Gecko/20040520 X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-current@freebsd.org, freebsd-net@freebsd.org Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Subject: Presentation on new things in Network Stack for 5.3 X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Sep 2004 13:58:19 -0000 I've made a presentation today at SUNCON'04 in Zurich, Switzerland on the new things and changes in FreeBSD 5.3 Network Stack. You can find it here: http://people.freebsd.org/~andre/ It is fairly high-level and intended for server and system administrators as well as developers. If you write me emails please be aware that I only periodically look into my inbox till Monday. We are having fun and discussing FreeBSD issues and new developments with a couple of guys that are here too: phk, mblapp, mlaier, pjd, and a couple more of whom I don't remember the login at the moment. PS: Linux guys were pretty much floored that FreeBSD 5.3 can route 1Mpps and they can't do much more than 100kpps. ;-) Yes, way to go! 
PPS: SUCON website and tracks can be found here: http://www.suug.ch/sucon/04/ -- Andre From owner-freebsd-net@FreeBSD.ORG Fri Sep 3 18:26:39 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D909816A4CE for ; Fri, 3 Sep 2004 18:26:39 +0000 (GMT) Received: from mail.bitfreak.org (mail.bitfreak.org [65.75.198.146]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8F25A43D45 for ; Fri, 3 Sep 2004 18:26:39 +0000 (GMT) (envelope-from dmp@bitfreak.org) Received: from speck.loki.lan (c-24-21-241-225.client.comcast.net [24.21.241.225]) by mail.bitfreak.org (Postfix) with ESMTP id E095D19F3A; Fri, 3 Sep 2004 11:26:38 -0700 (PDT) Received: from spud (d2.loki.lan [172.21.42.22]) by speck.loki.lan (Postfix) with ESMTP id AB6C917025; Fri, 3 Sep 2004 11:26:35 -0700 (PDT) From: "Darren Pilgrim" To: "'RRrp Toren'" , "'Charles Swiger'" Date: Fri, 3 Sep 2004 11:26:25 -0700 Message-ID: <000001c491e3$88c3bef0$162a15ac@spud> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.6626 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441 In-Reply-To: <41384D4C.9030209@bronzedragon.net> Importance: Normal cc: freebsd-net@freebsd.org Subject: RE: 3 NICs - 1 upstream, 2 downstream to same subnet?? X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Sep 2004 18:26:40 -0000 
> From: RRrp Toren > > The IP addresses here were picked for demonstration > purposes. The actual > set can come from anywhere within the RFC 1918 network > numbers. So picking a > good IP the 1st time, in the blind, is like shooting a > bullseye on the first > shot in a pitch-black range you just stepped into. Then there > are other layers > that have to be bypassed. Sort of like Indiana Jones. There are many > challenges to overcome, with only one attempt each. I am just > asking about the > technical feasibility. The problem, then, was your example addresses were very poor. We all got sidetracked on explaining a problem that doesn't even exist. So let's back up a bit: What you want to do: - One interface for your wired network. Address space A. - One interface for your wireless network. A DHCP server hands out leases from address space B to those MACs it recognizes and from address space C to those it doesn't. Is that about right? > I have > always thought routers could service a large subnet with > multiple interfaces. > And that FreeBSD could be configured as a router. Routers typically use virtual interfaces, VLANs and other tricks to separate address space from the physical interfaces. This is because you often need many separate interfaces and 100s of ports would cost disturbing amounts of money. There is also the concept of preference (cost), where each route to a given destination is given a number that defines the order in which the interfaces are used. In normal operation, only the most preferred (lowest-cost) route will be used. I've never set FreeBSD up as anything more than a static router, so I don't know if this level of functionality is possible. It should be if you run a routing protocol. 
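Added example, not code from anyone in this thread: the two halves of the setup Darren restates above, in one script. The first half renders the ISC dhcpd class/pool split (MACs listed in a "known" class draw leases from pool B, everyone else from pool C; dhcpd's "match hardware" yields the hardware-type byte followed by the MAC, hence the "1:" prefix on Ethernet subclasses). The second half is the data-collection part the original poster mentioned, aimed at the failure mode Charles raises: it audits syslog lines for a "good" address that shows up behind a MAC not in the known list, using dhcpd's DHCPACK lines and the kernel's "arp: X moved from A to B on ifN" messages. The MAC list, pool ranges and log lines are constructed for the example; the /8 subnet declaration follows the 10.0.0.0/255.0.0.0 the poster used.

```python
"""Added example: dhcpd class-based pools plus a log audit for address
or MAC spoofing on the wireless segment. Not code from the thread."""
import ipaddress
import re


def normalize_mac(mac):
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455 and
    return the lowercase colon form dhcpd, arp(8) and the kernel log use."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("bad MAC: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def dhcpd_conf(known_macs, subnet, good_range, bad_range):
    """ISC dhcpd.conf fragment: known MACs get good_range, all others get
    bad_range. Both pools live in one subnet declaration."""
    out = ['class "known" {', "    match hardware;", "}"]
    for mac in sorted(normalize_mac(m) for m in known_macs):
        out.append('subclass "known" 1:%s;' % mac)   # 1 = Ethernet htype
    net = ipaddress.ip_network(subnet)
    out += [
        "subnet %s netmask %s {" % (net.network_address, net.netmask),
        "    pool {",
        '        allow members of "known";',
        "        range %s %s;" % good_range,
        "    }",
        "    pool {",
        '        deny members of "known";',
        "        range %s %s;" % bad_range,
        "    }",
        "}",
    ]
    return "\n".join(out) + "\n"


# dhcpd: "DHCPACK on 10.0.0.23 to 00:11:22:33:44:55 via xl1"
DHCPACK = re.compile(r"DHCPACK on (\S+) to ([0-9a-f:]{17})")
# FreeBSD kernel: "arp: 10.0.0.23 moved from 00:.. to de:.. on xl1"
MOVED = re.compile(r"arp: (\S+) moved from ([0-9a-f:]{17}) to ([0-9a-f:]{17}) on (\S+)")


def audit(lines, known_macs, good_net):
    """Return (tag, ip, mac, iface) findings:
    SPOOF?    a good-pool address moved to a MAC we do not know
    MOVED     an address changed MAC, but to a known one (roaming, dual NIC)
    POOL-LEAK dhcpd handed a good-pool address to an unknown MAC (misconfig)"""
    known = {normalize_mac(m) for m in known_macs}
    good = ipaddress.ip_network(good_net)
    findings = []
    for line in lines:
        m = MOVED.search(line)
        if m:
            ip, _old, new, iface = m.groups()
            spoof = ipaddress.ip_address(ip) in good and normalize_mac(new) not in known
            findings.append(("SPOOF?" if spoof else "MOVED", ip, new, iface))
            continue
        m = DHCPACK.search(line)
        if m:
            ip, mac = m.groups()
            if ipaddress.ip_address(ip) in good and normalize_mac(mac) not in known:
                findings.append(("POOL-LEAK", ip, mac, None))
    return findings


# Constructed sample data.
KNOWN = ["00:11:22:33:44:55", "00-AA-BB-CC-DD-EE"]
LOG = """\
Sep  3 11:00:01 gw dhcpd: DHCPACK on 10.0.0.23 to 00:11:22:33:44:55 via xl1
Sep  3 11:00:09 gw dhcpd: DHCPACK on 10.99.0.5 to de:ad:be:ef:00:01 via xl1
Sep  3 11:02:10 gw /kernel: arp: 10.0.0.23 moved from 00:11:22:33:44:55 to de:ad:be:ef:00:01 on xl1
Sep  3 11:03:00 gw /kernel: arp: 10.0.0.23 moved from de:ad:be:ef:00:01 to 00:11:22:33:44:55 on xl1
""".splitlines()

if __name__ == "__main__":
    print(dhcpd_conf(KNOWN, "10.0.0.0/8",
                     ("10.0.0.10", "10.0.0.250"), ("10.99.0.10", "10.99.0.250")))
    for finding in audit(LOG, KNOWN, "10.0.0.0/24"):
        print(finding)
```

The audit catches a station that takes a good address without asking dhcpd, which is exactly the bypass a DHCP-only scheme cannot stop; it does not catch a station that also clones a known MAC while the real owner is off the air, so treat it as the 80% layer the original poster described.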
From owner-freebsd-net@FreeBSD.ORG Fri Sep 3 19:55:40 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 51E1D16A4CE for ; Fri, 3 Sep 2004 19:55:40 +0000 (GMT) Received: from smtpout.mac.com (smtpout.mac.com [17.250.248.45]) by mx1.FreeBSD.org (Postfix) with ESMTP id 23FDF43D41 for ; Fri, 3 Sep 2004 19:55:40 +0000 (GMT) (envelope-from cswiger@mac.com) Received: from mac.com (smtpin01-en2 [10.13.10.146]) by smtpout.mac.com (Xserve/MantshX 2.0) with ESMTP id i83JtdH3005891; Fri, 3 Sep 2004 12:55:39 -0700 (PDT) Received: from [10.1.1.245] (nfw2.codefab.com [199.103.21.225] (may be forged)) (authenticated bits=0)i83JtbCv017492; Fri, 3 Sep 2004 12:55:37 -0700 (PDT) In-Reply-To: <41384D4C.9030209@bronzedragon.net> References: <413763C1.90208@bronzedragon.net> <1B4160E2-FD0E-11D8-A54A-003065A20588@mac.com> <41384D4C.9030209@bronzedragon.net> Mime-Version: 1.0 (Apple Message framework v619) Content-Type: text/plain; charset=US-ASCII; format=flowed Message-Id: <391BC614-FDE3-11D8-896C-003065ABFD92@mac.com> Content-Transfer-Encoding: 7bit 
From: Charles Swiger Date: Fri, 3 Sep 2004 15:55:36 -0400 To: RRrp Toren X-Mailer: Apple Mail (2.619) cc: freebsd-net@freebsd.org Subject: Re: 3 NICs - 1 upstream, 2 downstream to same subnet?? X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Sep 2004 19:55:40 -0000 On Sep 3, 2004, at 6:54 AM, RRrp Toren wrote: >> What you're trying to do won't actually give you much benefit to >> security: someone who wants to break in doesn't have to pay attention >> to the DHCP lease you give them, they can just assign themselves a >> good 10.0.0.x address. > I am not a believer in the idea that the only good solution is the > 100% solution. I like the multi-layering of 80% solutions. That's fine. There are plenty of cases where a perfect solution does not exist, but an OK solution is good enough to still be worthwhile. However... > The IP addresses here were picked for demonstration purposes. The > actual set can come from anywhere within the RFC 1918 network > numbers. So picking a good IP the 1st time, in the blind, is like > shooting a bullseye on the first shot in a pitch-black range you just > stepped into. ...someone who can see the traffic going by using packet sniffing doesn't have to guess blindly. And it's not just spoofing IP addrs that is possible, it is entirely possible to spoof a valid MAC address, *IF* the bad guys can see 'em. >> The second problem you are having is that you can't have two NIC on >> the same subnet. The routing table needs interfaces to be unique so >> it doesn't have to guess which route should be used. > If this is a FreeBSD implementation restriction, then so be it. I > have always thought routers could service a large subnet with multiple > interfaces. And that FreeBSD could be configured as a router. 
A normal router, ie one using the standard routing table semantics, only has one interface per subnet, and each subnet ought to be disjoint. Many systems besides FreeBSD implement the same restriction but simply ignore a second NIC, or treat it and any IP configured on it the way they would handle configuring a virtual interface on the first NIC with a second IP. FreeBSD also supports more complicated routing protocols that support multiple redundant paths, dynamic routing, policy-based routing rather than having the destination be the only variable when making routing decisions, etc-- using software like gated, zebra, quagga, or even IPFW fwd statements. Few people have a complex network topology which needs to use such things, and static routing or RIPv1/2 serves most people just fine. -- -Chuck From owner-freebsd-net@FreeBSD.ORG Fri Sep 3 22:21:43 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8EDAD16A4CE for ; Fri, 3 Sep 2004 22:21:43 +0000 (GMT) Received: from cell.sick.ru (cell.sick.ru [217.72.144.68]) by mx1.FreeBSD.org (Postfix) with ESMTP id CAD2643D55 for ; Fri, 3 Sep 2004 22:21:42 +0000 (GMT) (envelope-from glebius@freebsd.org) Received: from cell.sick.ru (glebius@localhost [127.0.0.1]) by cell.sick.ru (8.12.11/8.12.8) with ESMTP id i83MLeRi069597 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sat, 4 Sep 2004 02:21:40 +0400 (MSD) (envelope-from glebius@freebsd.org) Received: (from glebius@localhost) by cell.sick.ru (8.12.11/8.12.11/Submit) id i83MKw58069596; Sat, 4 Sep 2004 02:20:59 +0400 (MSD) (envelope-from glebius@freebsd.org) X-Authentication-Warning: cell.sick.ru: glebius set sender to glebius@freebsd.org using -f Date: Sat, 4 Sep 2004 02:20:58 +0400 
From: Gleb Smirnoff To: Andrea Venturoli Message-ID: <20040903222058.GB69347@cell.sick.ru> Mail-Followup-To: Gleb Smirnoff , Andrea Venturoli , freebsd-net@freebsd.org References: <200408301924.i7UJOt22026385@soth.ventu> Mime-Version: 1.0 Content-Type: text/plain; charset=koi8-r Content-Disposition: inline In-Reply-To: <200408301924.i7UJOt22026385@soth.ventu> User-Agent: Mutt/1.5.6i cc: freebsd-net@freebsd.org Subject: Re: bridge + ip_alias --> SLOW!!! X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Sep 2004 22:21:43 -0000 On Mon, Aug 30, 2004 at 09:23:23PM -0500, Andrea Venturoli wrote: A> Just to give an idea, I tested with iperf and these are the results: A> A> internal net -> xxx.xxx.xxx.1 6.93 Mb/s A> internal net -> xxx.xxx.xxx.12 6.94 Mb/s A> internet -> xxx.xxx.xxx.1 237 Kb/s A> internet -> xxx.xxx.xxx.12 60.3 Kb/s A> A> So using the alias IP seems four times slower, but this is probably due to the bandwidth limit on the other side (I A> could only test from an ADSL): if I surf the web, choosing one of the two IPs as source, I get a much bigger gap. A> A> I tried with an "allow all" rule as the first in the ipfw chain, and got no improvement, so the firewall should (IMHO) A> not be the problem. To check whether the problem lives in bridge(4), you can try ng_bridge(4) instead of it and see whether that helps. -- Totus tuus, Glebius. 
GLEBIUS-RIPN GLEB-RIPE From owner-freebsd-net@FreeBSD.ORG Sat Sep 4 15:06:16 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E0AA216A4CE for ; Sat, 4 Sep 2004 15:06:16 +0000 (GMT) Received: from digital-security.org (digital-security.org [216.254.116.252]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5E08C43D1F for ; Sat, 4 Sep 2004 15:06:16 +0000 (GMT) (envelope-from vxp@digital-security.org) Received: from localhost.tmok.com ([127.0.0.1] helo=localhost ident=vxp) by digital-security.org with esmtp (Exim 4.41 (FreeBSD)) id 1C3ad3-0009hn-4u for freebsd-net@freebsd.org; Sat, 04 Sep 2004 09:30:57 -0400 Date: Sat, 4 Sep 2004 09:30:52 -0400 (EDT) 
From: vxp To: freebsd-net@freebsd.org Message-ID: <20040904093042.B37306@digital-security.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Spam-Score: 0.0 (/) Subject: fooling nmap X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 04 Sep 2004 15:06:17 -0000 Hi, I'm wondering if it'd be a good idea / worth it to modify the kernel a bit and add a few sysctl switches so the user would be able to choose what OS he wants the box to appear as to an nmap scan? It'd require, obviously, a few modifications to the networking code. Please elaborate on why you don't think it's a good idea, if that's the case, and feel free to give any comments/suggestions if you think it is a good idea as well. =) Val From owner-freebsd-net@FreeBSD.ORG Sat Sep 4 15:19:17 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CD62916A4CE for ; Sat, 4 Sep 2004 15:19:17 +0000 (GMT) Received: from ctb-mesg4.saix.net (ctb-mesg4.saix.net [196.25.240.76]) by mx1.FreeBSD.org (Postfix) with ESMTP id 430A443D1D for ; Sat, 4 Sep 2004 15:19:17 +0000 (GMT) (envelope-from karnaugh@karnaugh.za.net) Received: from karnaugh.za.net (ndn-ip-nas-1-p186.telkom-ipnet.co.za [155.239.192.186]) by ctb-mesg4.saix.net (Postfix) with ESMTP id 127BAB6FE; Sat, 4 Sep 2004 17:19:12 +0200 (SAST) Message-ID: <4139DCF0.7070008@karnaugh.za.net> Date: Sat, 04 Sep 2004 17:19:12 +0200 
From: Colin Alston User-Agent: Mozilla Thunderbird 0.5 (Windows/20040207) X-Accept-Language: en-us, en MIME-Version: 1.0 To: vxp References: <20040904093042.B37306@digital-security.org> In-Reply-To: <20040904093042.B37306@digital-security.org> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit cc: freebsd-net@freebsd.org Subject: Re: fooling nmap X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 04 Sep 2004 15:19:17 -0000 vxp wrote: >Hi, > >I'm wondering if it'd be a good idea / worth it to modify the kernel a bit >and add a few sysctl switches so the user would be able to choose what OS >he wants the box to appear as, to a nmap scan ? > >It'd require, obviously, a few modifications to the networking code. >Please elaborate on why you don't think its a good idea, if thats the >case.. and feel free to give any comments/suggestions if you think it is a >good idea as well. =) > >Val > > > What exactly is the point/benefit of such a change? -- Colin Alston About the use of language: "It is impossible to sharpen a pencil with a blunt axe. It is equally vain to try to do it with ten blunt axes instead." -- E.W.Dijkstra, 18th June 1975. (Perl did not exist at the time.) 
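Added example, not code from anyone in this thread: a minimal passive TCP/IP stack fingerprinter of the kind nmap's OS detection is built on, to make concrete what the proposal at the top of the thread would have to change and why Colin's question is a fair one. It parses a raw IPv4/TCP SYN, extracts the fields that differ between stacks (initial TTL inferred from the observed TTL, the DF bit, the advertised window, the order of TCP options) and scores them against a small signature table. The signature values are constructed for illustration (real databases such as nmap's carry many more probes and exact values); the one real FreeBSD knob referred to is the net.inet.ip.ttl sysctl, and the example shows that changing only it leaves the other three fields pointing at the same stack. Packet checksums are left zero since nothing here is sent on the wire.

```python
"""Added example: passive SYN fingerprinting on constructed packets.
Not code from the thread; signature values are illustrative only."""
import struct

# Constructed, approximate signatures: (initial TTL, DF, window, option order).
# Option letters: M=MSS W=window scale S=SACK-permitted T=timestamp N=NOP E=EOL
SIGNATURES = {
    "FreeBSD-like (constructed)": {"initial_ttl": 64,  "df": True, "window": 65535, "options": "M,N,W,N,N,T,S,E"},
    "Linux-like (constructed)":   {"initial_ttl": 64,  "df": True, "window": 5840,  "options": "M,S,T,N,W"},
    "Windows-like (constructed)": {"initial_ttl": 128, "df": True, "window": 64240, "options": "M,N,W,N,N,S"},
}
OPTION_LETTER = {2: "M", 3: "W", 4: "S", 8: "T"}


def parse_syn(pkt):
    """Extract fingerprint features from a raw IPv4 packet carrying TCP."""
    ihl = (pkt[0] & 0x0F) * 4
    ttl, proto = pkt[8], pkt[9]
    if proto != 6:
        raise ValueError("not TCP")
    df = bool(struct.unpack("!H", pkt[6:8])[0] & 0x4000)
    tcp = pkt[ihl:]
    doff = (tcp[12] >> 4) * 4
    flags = tcp[13]
    window = struct.unpack("!H", tcp[14:16])[0]
    opts, order, mss, i = tcp[20:doff], [], None, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # EOL: stop, remaining bytes are padding
            order.append("E")
            break
        if kind == 1:                      # NOP has no length byte
            order.append("N")
            i += 1
            continue
        length = opts[i + 1]
        if kind == 2:
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        order.append(OPTION_LETTER.get(kind, str(kind)))
        i += length
    # Routers decrement TTL; the sender's default is the next of 32/64/128/255 at or above it.
    initial_ttl = min(t for t in (32, 64, 128, 255) if t >= ttl)
    return {"ttl": ttl, "initial_ttl": initial_ttl, "df": df, "window": window,
            "options": ",".join(order), "mss": mss, "syn": bool(flags & 0x02)}


def guess(features):
    """Score every signature (matching fields out of four), best first."""
    scored = [(sum(1 for k, v in sig.items() if features.get(k) == v), name)
              for name, sig in SIGNATURES.items()]
    return sorted(scored, reverse=True)


def build_syn(ttl, df, window, options):
    """Constructed raw IPv4+TCP SYN (checksums zero; only parsed, never sent)."""
    options = options + b"\x00" * ((-len(options)) % 4)
    doff = (20 + len(options)) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, doff << 4, 0x02, window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000 if df else 0,
                     ttl, 6, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    return ip + tcp


# Option blobs matching the constructed signatures above.
OPT_FBSD = (bytes([2, 4, 5, 0xB4, 1, 3, 3, 1, 1, 1, 8, 10]) + b"\x00" * 8
            + bytes([4, 2, 0]))                                   # M N W N N T S E
OPT_LINUX = bytes([2, 4, 5, 0xB4, 4, 2, 8, 10]) + b"\x00" * 8 + bytes([1, 3, 3, 7])  # M S T N W

if __name__ == "__main__":
    for label, pkt in (("as built", build_syn(61, True, 65535, OPT_FBSD)),
                       ("TTL only changed", build_syn(125, True, 65535, OPT_FBSD))):
        f = parse_syn(pkt)
        print(label, f["initial_ttl"], f["window"], f["options"], "->", guess(f)[0])
```

The second run above is the sysctl-only experiment: raising the initial TTL to 128 moves one field to the Windows-like row while window size and option order still score three of four for the FreeBSD-like row, so a convincing disguise has to touch the TCP option layout and window policy in the stack itself, and even then application banners (the SSH banner, for one) give the game away.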
From owner-freebsd-net@FreeBSD.ORG Sat Sep 4 15:24:48 2004
Date: Sat, 4 Sep 2004 09:49:28 -0400 (EDT)
From: vxp
To: Colin Alston
cc: freebsd-net@freebsd.org
Message-ID: <20040904094619.H37469@digital-security.org>
In-Reply-To: <4139DCF0.7070008@karnaugh.za.net>
Subject: Re: fooling nmap

pretty much any sort of attack / intrusion attempt begins with information gathering on the machine. part of that would be trying to figure out what OS runs on the machine. the more (accurate) information a potential attacker can gather on the machine, the more chances that his attempt will succeed. obviously, even with this change in place, you'd need to do some other things so as to prevent this, for example:

$ telnet localhost 22
Trying ::1...
Connected to localhost.digital-security.org
Escape character is '^]'.
SSH-1.99-OpenSSH_3.6.1p1 FreeBSD-20030924
                         ^^^^^^^^^
                         banners all over need to be changed

but nevertheless, it'd be a step in the right direction in my opinion

--Val

On Sat, 4 Sep 2004, Colin Alston wrote:
> vxp wrote:
> > Hi,
> >
> > I'm wondering if it'd be a good idea / worth it to modify the kernel a bit
> > and add a few sysctl switches so the user would be able to choose what OS
> > he wants the box to appear as, to a nmap scan ?
> >
> > It'd require, obviously, a few modifications to the networking code.
> > Please elaborate on why you don't think its a good idea, if thats the
> > case.. and feel free to give any comments/suggestions if you think it is a
> > good idea as well. =)
> >
> > Val
>
> What exactly is the point/benefit of such a change?
>
> -- 
> Colin Alston
>
> About the use of language:
> "It is impossible to sharpen a pencil with a blunt axe. It is
> equally vain to try to do it with ten blunt axes instead."
> -- E.W.Dijkstra, 18th June 1975. (Perl did not exist at the time.)

From owner-freebsd-net@FreeBSD.ORG Sat Sep 4 15:38:54 2004
Message-ID: <4139E189.5080409@karnaugh.za.net>
Date: Sat, 04 Sep 2004 17:38:49 +0200
From: Colin Alston
To: vxp
cc: freebsd-net@freebsd.org
In-Reply-To: <20040904094619.H37469@digital-security.org>
Subject: Re: fooling nmap

vxp wrote:
> pretty much any sort of attack / intrusion attempt begins with information
> gathering on the machine. part of that, would be trying to figure out what
> OS runs on the machine. the more (accurate) information a potential
> attacker can gather on the machine, the more chances that his attempt will
> succeed. obviously, even with this change in place, you'd need to do some
> other things so as to prevent this for example:
>
> $ telnet localhost 22
> Trying ::1...
> Connected to localhost.digital-security.org
> Escape character is '^]'.
> SSH-1.99-OpenSSH_3.6.1p1 FreeBSD-20030924
>                          ^^^^^^^^^
>                          banners all over need to be changed
>
> but nevertheless, it'd be a step in the right direction in my opinion

A great man once said to me "Security by obscurity is, after all, no security at all."

This is very much a step in the wrong direction.

-- 
Colin Alston

About the use of language:
"It is impossible to sharpen a pencil with a blunt axe. It is equally vain to try to do it with ten blunt axes instead."
-- E.W.Dijkstra, 18th June 1975. (Perl did not exist at the time.)
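The SSH banner quoted above is the concrete case of a service disclosing its software and OS. As an added example (not code from the thread or from OpenSSH), the parser below splits an SSH identification string into the fields RFC 4253 defines and reports, from the host's own side, which of them give version and OS details away; the banner is the one from the thread, the pre-identification line and the second banner are constructed.

```python
"""Parse an SSH identification string (RFC 4253, section 4.2) and report
what it discloses.  Added example, not code from the thread; the first
banner below is the one quoted in the thread, all other input is constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# RFC 4253 4.2: "SSH-protoversion-softwareversion SP comments CR LF".
# protoversion and softwareversion are printable US-ASCII with no whitespace
# and no '-'; the comments part is optional.  The whole line, CR LF included,
# must not exceed 255 bytes.
_IDENT_RE = re.compile(
    rb"^SSH-(?P<proto>[0-9]+\.[0-9]+)-(?P<software>[\x21-\x2c\x2e-\x7e]+)"
    rb"(?: (?P<comments>[\x20-\x7e]*))?$"
)
MAX_IDENT_LEN = 255


@dataclass
class SshIdent:
    protoversion: str
    softwareversion: str
    comments: Optional[str]
    pre_banner: List[str] = field(default_factory=list)


def parse_ident(stream: bytes) -> SshIdent:
    """Find and parse the identification string in the bytes a server sent first.

    RFC 4253 lets a server send other CR LF terminated lines before the
    identification string (login banners and the like); a client must skip
    every line that does not start with "SSH-".
    """
    pre: List[str] = []
    rest = stream
    while True:
        nl = rest.find(b"\r\n")
        if nl < 0:
            raise ValueError("stream ended before a complete identification line")
        line, rest = rest[:nl], rest[nl + 2:]
        if not line.startswith(b"SSH-"):
            pre.append(line.decode("ascii", "replace"))
            continue
        if len(line) + 2 > MAX_IDENT_LEN:
            raise ValueError("identification line longer than 255 bytes")
        m = _IDENT_RE.match(line)
        if m is None:
            raise ValueError(f"malformed identification string: {line!r}")
        comments = m.group("comments")
        return SshIdent(
            protoversion=m.group("proto").decode("ascii"),
            softwareversion=m.group("software").decode("ascii"),
            comments=comments.decode("ascii") if comments is not None else None,
            pre_banner=pre,
        )


def disclosures(ident: SshIdent) -> Dict[str, object]:
    """Summarise what the banner tells a remote party.

    Splitting softwareversion on the first '_' follows the OpenSSH convention
    ("OpenSSH_3.6.1p1"); other servers format that field differently, so the
    implementation/version split is a heuristic.
    """
    impl, _, ver = ident.softwareversion.partition("_")
    return {
        "implementation": impl,
        "version": ver or None,
        # The optional comment is where OpenSSH ports put the OS name and
        # patch date, e.g. "FreeBSD-20030924" in the thread's banner.
        "os_hint": ident.comments,
        # RFC 4253 5.1: "1.99" advertises a 2.0 server that also accepts 1.x.
        "accepts_ssh1": ident.protoversion == "1.99",
        "lines_before_ident": len(ident.pre_banner),
    }


if __name__ == "__main__":
    # Constructed pre-identification line followed by the banner from the thread.
    sample = b"Authorized use only\r\nSSH-1.99-OpenSSH_3.6.1p1 FreeBSD-20030924\r\n"
    for key, value in disclosures(parse_ident(sample)).items():
        print(f"{key:>20}: {value}")
```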
From owner-freebsd-net@FreeBSD.ORG Sat Sep 4 15:42:57 2004
Date: Sat, 4 Sep 2004 10:07:36 -0400 (EDT)
From: vxp
To: Colin Alston
cc: freebsd-net@freebsd.org
Message-ID: <20040904100640.E37469@digital-security.org>
In-Reply-To: <4139E189.5080409@karnaugh.za.net>
Subject: Re: fooling nmap

no. obscurity as the _only_ "security" is no security.
there's nothing wrong with ADDING obscurity, however. =)

--Val

On Sat, 4 Sep 2004, Colin Alston wrote:
> vxp wrote:
> > pretty much any sort of attack / intrusion attempt begins with information
> > gathering on the machine. part of that, would be trying to figure out what
> > OS runs on the machine. the more (accurate) information a potential
> > attacker can gather on the machine, the more chances that his attempt will
> > succeed. obviously, even with this change in place, you'd need to do some
> > other things so as to prevent this for example:
> >
> > $ telnet localhost 22
> > Trying ::1...
> > Connected to localhost.digital-security.org
> > Escape character is '^]'.
> > SSH-1.99-OpenSSH_3.6.1p1 FreeBSD-20030924
> >                          ^^^^^^^^^
> >                          banners all over need to be changed
> >
> > but nevertheless, it'd be a step in the right direction in my opinion
>
> A great man once said to me "Security by obscurity is, after all, no
> security at all."
>
> This is very much a step in the wrong direction.
>
> -- 
> Colin Alston
>
> About the use of language:
> "It is impossible to sharpen a pencil with a blunt axe. It is
> equally vain to try to do it with ten blunt axes instead."
> -- E.W.Dijkstra, 18th June 1975. (Perl did not exist at the time.)

From owner-freebsd-net@FreeBSD.ORG Sat Sep 4 17:50:30 2004
Date: Sat, 4 Sep 2004 13:50:28 -0400
From: Wesley Shields
To: vxp
cc: freebsd-net@freebsd.org
cc: Colin Alston
Message-ID: <20040904175028.GA25772@csh.rit.edu>
In-Reply-To: <20040904100640.E37469@digital-security.org>
Subject: Re: fooling nmap

On Sat, Sep 04, 2004 at 10:07:36AM -0400, vxp wrote:
> no. obscurity as the _only_ "security" is no security.
> there's nothing wrong with ADDING obscurity, however. =)
>
> --Val

That is true, but the problem with these kinds of things is that users will think that with a simple flip of a sysctl they are secure, when in fact they are no more secure than before. If you are truly concerned with security there are many better things you can do to tighten your box down.

With that said, this would certainly be a fun exercise.

-- WXS

From owner-freebsd-net@FreeBSD.ORG Sat Sep 4 19:00:28 2004
Message-ID: <413A10B7.9010805@he.iki.fi>
Date: Sat, 04 Sep 2004 22:00:07 +0300
From: Petri Helenius
To: Colin Alston
cc: freebsd-net@freebsd.org
cc: vxp
In-Reply-To: <4139DCF0.7070008@karnaugh.za.net>
Subject: Re: fooling nmap

Colin Alston wrote:
>
> What exactly is the point/benefit of such a change?
>

On a related note, it would be nice if the OS-bundled dhclient would report the OS version like it does on Windows and Linux. It would make some operations easier.

Pete

From owner-freebsd-net@FreeBSD.ORG Sat Sep 4 19:03:54 2004
Date: Sat, 4 Sep 2004 13:28:28 -0400 (EDT)
From: vxp
To: Wesley Shields
cc: freebsd-net@freebsd.org
cc: Colin Alston
Message-ID: <20040904132345.A38065@digital-security.org>
In-Reply-To: <20040904175028.GA25772@csh.rit.edu>
Subject: Re: fooling nmap

On Sat, 4 Sep 2004, Wesley Shields wrote:
>
> That is true, but the problem with these kinds of things is that users
> will think that with a simple flip of a sysctl they are secure, when in
> fact that are no more secure than before.

that's also 100% true, however that's why documentation exists. there's even a security section within it..
we would probably want to add something like 'obscurity is great if it's only _one of_ the components in your security setup, not _the only_ component'. they might get the point. =)

now, another question arises

i could always code a parser for the nmap fingerprints file, but i don't think that's a good idea to include something like that in the kernel.. what do you think? hardcode a few OS fingerprint choices, and call it a day?

in other words, what would you guys say would be a _proper_ bsd-style thing to do, if this were to be done?

--Val

From owner-freebsd-net@FreeBSD.ORG Sat Sep 4 19:22:10 2004
Message-ID: <413A15DB.5010702@karnaugh.za.net>
Date: Sat, 04 Sep 2004 21:22:03 +0200
From: Colin Alston
To: vxp
cc: freebsd-net@freebsd.org
cc: Wesley Shields
In-Reply-To: <20040904132345.A38065@digital-security.org>
Subject: Re: fooling nmap

vxp wrote:
> On Sat, 4 Sep 2004, Wesley Shields wrote:
>
> > That is true, but the problem with these kinds of things is that users
> > will think that with a simple flip of a sysctl they are secure, when in
> > fact that are no more secure than before.
>
> that's also 100% true, however that's why documentation exists. there's
> even a security section within it..
> we would probably want to add something like 'obscurity is great if it's
> only _one of_ the components in your security setup, not _the only_
> component'. they might get the point. =)
>
> now, another question arises
>
> i could always code a parser for nmap fingerprints file, but i don't think
> that's a good idea to include something like that in the kernel.. what do
> you think? hardcode a few OS fingerprint choices, and call it a day ?
>
> in other words, what would you guys say be a _proper_ bsd-style thing to
> do, if this were to be done?

My point was if it provides no security, then there is no point to it at all. Most attackers are going to exploit things at a service level anyway. What is the point of changing the fingerprint? Change it to Windows and attract more attention? Or just so that people attempt the wrong attacks?

I still don't see any use, or need, to implement something of that nature (given that more features can = more bugs). The point of the comment "Security by obscurity is no security at all" is that bugs and exploits should be FIXED and PATCHED, not HIDDEN.

Regards.

-- 
Colin Alston

About the use of language:
"It is impossible to sharpen a pencil with a blunt axe. It is equally vain to try to do it with ten blunt axes instead."
-- E.W.Dijkstra, 18th June 1975. (Perl did not exist at the time.)

From owner-freebsd-net@FreeBSD.ORG Sat Sep 4 19:29:22 2004
Date: Sat, 4 Sep 2004 13:53:54 -0400 (EDT)
From: vxp
To: Colin Alston
cc: freebsd-net@freebsd.org
cc: Wesley Shields
Message-ID: <20040904135129.L38122@digital-security.org>
In-Reply-To: <413A15DB.5010702@karnaugh.za.net>
Subject: Re: fooling nmap

On Sat, 4 Sep 2004, Colin Alston wrote:
> My point was if it provides no security, then there is no point to it at
> all.

oh, but it does. it prevents them from gathering accurate information about your system. that's an extremely important part of the attack.

> Most attackers are going to exploit things at a service level
> anyway. What is the point of changing the fingerprint?

ok, say your apache is vulnerable to whatever. an exploit for that apache under linux is one thing, under freebsd is another, under windows another, etc. the 'service level' won't work, if you got the OS wrong. there's very very few cross-platform vulnerabilities that share the _same_ exploit code on _all_ platforms. actually, there's not a 'few'. there's none.

> Change it to
> Windows and attract more attension? Or just so that people attempt the
> wrong attacks.

wrong attacks, yes.
wrong attacks = no intrusion.

From owner-freebsd-net@FreeBSD.ORG Sat Sep 4 20:29:04 2004
Message-ID: <413A258B.5030506@bromirski.net>
Date: Sat, 04 Sep 2004 22:28:59 +0200
From: Łukasz Bromirski
To: freebsd-net@freebsd.org
In-Reply-To: <20040904135129.L38122@digital-security.org>
Subject: Re: fooling nmap

vxp wrote:
> oh, but it does. it prevents them from gathering accurate information
> about your system. that's an extremely important part of the attack.

Well, most of the automated trojans seen recently just connect and try to execute some specific code. You won't beat them by turning off timestamps, or selective acks, or changing the default window size for TCP. They won't even notice Your hacks...

On the other hand, people that *really* want to get root on Your box will fingerprint Your box (if it really matters to them) by means of the services running and its typical role, not by "what TTL does it return? OH, it's 199, I won't even try to get in, as it's probably some m4st4 inside...".

This whole thing about network stack virtualization and the ability to influence Your network stack to the point where You're able to behave like another OS is very interesting; there's even a good book about system fingerprinting and identification coming out by Michal Zalewski [1]. But for real-world systems, what's the use of mimicking Linux or a Cisco router, when You're running Postfix, Apache, Courier-IMAP, pure-ftpd and SSH on Your box, and the "I want Your disk-space" kid will try his SSH exploits with an automated script whatever the fingerprint will be?

[1] http://www.oreilly.com/catalog/1593270461/

-- 
this space was intentionally left blank | Łukasz Bromirski
you can insert your favourite quote here | lukasz:bromirski,net