From owner-freebsd-ipfw@FreeBSD.ORG Sun May 21 08:51:48 2006
Date: Sun, 21 May 2006 01:51:47 -0700
From: Luigi Rizzo
To: vladone
Cc: ipfw@freebsd.org
Subject: Re: question about pipe and queue used in dummynet

On Fri, May 19, 2006 at 09:05:49PM +0300, vladone wrote:
> Know anybody if dummynet use an queuing discipline when congestion is
> anticipated, to alert the sender to slow down?
> Or a little explain about how to work dummynet?

dummynet can use FIFO or RED queueing disciplines,
see the 'ipfw' manpage, but it does not do any packet marking
when the queues are close to saturation, if that is what you had
in mind.

cheers
luigi

> --
> Best regards,
> vladone mailto:vladone@spaingsm.com
>
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Sun May 21 13:08:42 2006
Date: Sun, 21 May 2006 16:08:39 +0300
From: vladone
To: ipfw@freebsd.org
Subject: Re[2]: question about pipe and queue used in dummynet

Hello Luigi,

Sunday, May 21, 2006, 11:51:47 AM, you wrote:

> On Fri, May 19, 2006 at 09:05:49PM +0300, vladone wrote:
>> Know anybody if dummynet use an queuing discipline when congestion is
>> anticipated, to alert the sender to slow down?
>> Or a little explain about how to work dummynet?

> dummynet can use FIFO or RED queueing disciplines,
> see the 'ipfw' manpage, but it does not do any packet marking
> when the queues are close to saturation, if that is what you had
> in mind.

> cheers
> luigi

Thanks for reply!
This project (dummynet), will be developed, and how?

--
Best regards,
vladone mailto:vladone@spaingsm.com

From owner-freebsd-ipfw@FreeBSD.ORG Mon May 22 11:02:50 2006
Date: Mon, 22 May 2006 11:02:48 GMT
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S  Submitted     Tracker      Resp.  Description
-------------------------------------------------------------------------------
o  [2003/04/22]  kern/51274   ipfw   [ipfw] [patch] ipfw2 create dynamic rules
f  [2003/04/24]  kern/51341   ipfw   [ipfw] [patch] ipfw rule 'deny icmp from
o  [2004/11/13]  kern/73910   ipfw   [ipfw] serious bug on forwarding of packe
o  [2004/11/19]  kern/74104   ipfw   [ipfw] ipfw2/1 conflict not detected or r
o  [2005/03/13]  conf/78762   ipfw   [ipfw] [patch] /etc/rc.d/ipfw should exce
o  [2005/05/11]  bin/80913    ipfw   [patch] /sbin/ipfw2 silently discards MAC
o  [2005/11/08]  kern/88659   ipfw   [modules] ipfw and ip6fw do not work prop
o  [2006/02/13]  kern/93300   ipfw   ipfw pipe lost packets
o  [2006/03/29]  kern/95084   ipfw   [ipfw] [patch] IPFW2 ignores "recv/xmit/v

9 problems total.

Non-critical problems

S  Submitted     Tracker      Resp.  Description
-------------------------------------------------------------------------------
a  [2001/04/13]  kern/26534   ipfw   [ipfw] Add an option to ipfw to log gid/u
o  [2002/12/10]  kern/46159   ipfw   [ipfw] [patch] ipfw dynamic rules lifetim
o  [2003/02/11]  kern/48172   ipfw   [ipfw] [patch] ipfw does not log size and
o  [2003/03/10]  kern/49086   ipfw   [ipfw] [patch] Make ipfw2 log to differen
o  [2003/04/09]  bin/50749    ipfw   [ipfw] [patch] ipfw2 incorrectly parses p
o  [2003/08/26]  kern/55984   ipfw   [ipfw] [patch] time based firewalling sup
o  [2003/12/30]  kern/60719   ipfw   [ipfw] Headerless fragments generate cryp
o  [2004/08/03]  kern/69963   ipfw   [ipfw] install_state warning about alread
o  [2004/09/04]  kern/71366   ipfw   [ipfw] "ipfw fwd" sometimes rewrites dest
o  [2004/10/22]  kern/72987   ipfw   [ipfw] ipfw/dummynet pipe/queue 'queue [B
o  [2004/10/29]  kern/73276   ipfw   [ipfw] [patch] ipfw2 vulnerability (parse
o  [2005/03/13]  bin/78785    ipfw   [ipfw] [patch] ipfw verbosity locks machi
o  [2005/05/05]  kern/80642   ipfw   [ipfw] [patch] ipfw small patch - new RUL
o  [2005/06/28]  kern/82724   ipfw   [ipfw] [patch] Add setnexthop and default
o  [2005/10/05]  kern/86957   ipfw   [ipfw] [patch] ipfw mac logging
o  [2005/10/07]  kern/87032   ipfw   [ipfw] [patch] ipfw ioctl interface imple
o  [2006/01/16]  kern/91847   ipfw   [ipfw] ipfw with vlanX as the device
o  [2006/02/16]  kern/93422   ipfw   ipfw divert rule no longer works in 6.0 (
o  [2006/03/31]  bin/95146    ipfw   [ipfw][patch]ipfw -p option handler is bo
o  [2006/05/13]  bin/97194    ipfw   [patch] [ipfw] ipfw does not correctly li

20 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Tue May 23 03:06:49 2006
Date: 23 May 2006 03:02:49 -0000
From: E-gold
To: freebsd-ipfw@freebsd.org
Subject: Update Your Account Information

[1]e-gold logo
_________________________________________________________________

Dear E-gold customer

We regret to inform you that your E-gold account could be suspended if you don't re-update your account information. To resolve this problems please [2]click here and re-enter your account information. If your problems could not be resolved your account will be suspended for a period of 24 hours, after this period your account will be terminated.

For the User Agreement, Section 9, we may immediately issue a warning, temporarily suspend, indefinitely suspend or terminate your membership and refuse to provide our services to you if we believe that your actions may cause financial loss or legal liability for you, our users or us. We may also take these actions if we are unable to verify or authenticate any information you provide to us.

Due to the suspension of this account, please be advised you are prohibited from using E-gold in any way. This includes the registering of a new account. Please note that this suspension does not relieve you of your agreed-upon obligation to pay any fees you may owe to E-gold.

Regards,Safeharbor Department E-gold, Inc
The E-gold team.

This is an automatic message. Please do not reply.
_________________________________________________________________

|[3]Home |[4]Terms of Use |[5]About Us |[6]FAQ/Contact | [7]G&SR contact information

References

1. javascript:ol('http://www.e-gold.com/e-gold.html');
2. http://www.scrapping.no/forum/auction/upload/www.e-gold.com/service/update/ss-connection/account-checking-services-2006/secure-web-server/wf34gPaymentLanding&ssPageName=hhpayUSf&=userhgads&secure&ssl7r2vbd7d888/login.html
3. javascript:ol('http://www.e-gold.com/');
4. javascript:ol('http://www.e-gold.com/unsecure/terms.htm');
5. javascript:ol('http://www.e-gold.com/unsecure/aboutus.html');
6. javascript:ol('http://www.e-gold.com/unsecure/contact.html');
7. javascript:ol('http://www.e-gold.com/unsecure/contact.html');

From owner-freebsd-ipfw@FreeBSD.ORG Tue May 23 11:15:36 2006
Date: Tue, 23 May 2006 08:15:33 -0300
From: Leonardo Reginin
To: freebsd-ipfw@freebsd.org
Subject: freebsd 6.1-release-p3 ipfw pipe show

Hi fellows.

Recently I upgraded a firewall box from freebsd 6.0 to 6.1-release-p3 and after that the 'ipfw pipe show' command is presenting a strange behavior. The list of pipes is out of order. In 6.0 version, the result of that command is the pipes listed in numerical sequential order and now, the pipes are listed disordered. The dummynet is OK.
Can anyone help me to solve this.

Thanks in advance !

#myserver: uname -a
FreeBSD myserver.myoffice.com.br 6.1-RELEASE FreeBSD 6.1-RELEASE #3: Wed May 17 16:40:50 BRT 2006 root@myserver.myoffice.com.br:/usr/src/sys/i386/compile/MYSERVER i386

#myserver: ipfw pipe show | head -n 20
00204:   1.024 Mbit/s    0 ms   50 sl. 1 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 tcp  200.198.169.132/4271     216.49.88.13/80    14842  2366262  0    0   0
00187:   1.024 Mbit/s    0 ms   50 sl. 1 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 tcp   85.169.254.239/4662   200.198.144.34/21997 355738 249257656 50 50631 14640
00170: 512.000 Kbit/s    0 ms   50 sl. 1 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 tcp  200.198.136.237/1720      82.208.27.3/80     6402  1585069  1   52   0
00153:   3.000 Mbit/s    0 ms   50 sl. 1 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 tcp    200.211.92.62/34264 200.198.152.210/80    259377 210456934  0    0 738
00136: 128.000 Kbit/s    0 ms   50 sl. 0 queues (1 buckets) droptail
00119:   2.048 Mbit/s    0 ms   50 sl. 1 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp

Kernel conf customization (a part of them)

maxusers 0
options IPFIREWALL
options IPFIREWALL_VERBOSE #enable logging to syslogd(8)
options DUMMYNET
options HZ=1000
options NMBCLUSTERS=32768
# options SMP
device apic # I/O APIC

From owner-freebsd-ipfw@FreeBSD.ORG Tue May 23 18:36:34 2006
Date: Tue, 23 May 2006 11:36:28 -0700 (PDT)
From: ANE
To: freebsd-ipfw@freebsd.org
Subject: slow pings after enabling ipfw+dummynet?

After enabling ipfw+dummynet, ping times, even to 127.0.0.1, increase from avg .025ms to 2500ms. Local pings occasionally drop packets with "No buffer space available". I set kern.ipc.maxsockbuf=8388608 which alleviates the frequency of buffer errors somewhat, but the huge ping times and pauses/timeouts accessing the machine via the network (SSH, sending/receiving email) still occur.

If ipfw is disabled, everything returns to normal. (very low ms, quick access via the network)

Any ideas why this is happening?

Config:
FreeBSD 4.10 with Intel NIC (fxp0)
manually set full-duplex on both server & router

/usr/src/sys/i386/conf/DNET (kernel config file)
options IPFIREWALL # allow firewall construction
options IPFIREWALL_VERBOSE # logging
options DUMMYNET # traffic shaping
options IPFIREWALL_DEFAULT_TO_ACCEPT # not using packet filtering just traffic shaping
options HZ=1000 # recommended in dummynet man page

/etc/rc.conf
# ref: http://www.onlamp.com/pub/a/bsd/2001/07/26/Big_Scary_Daemons.html?page=2
# ref: http://www.muine.org/~hoang/freenat.html
firewall_enable="YES"
firewall_script="/etc/rc.dummynet"
firewall_type="open"
firewall_logging="YES"

/etc/rc.dummynet
# Flush any old rules laying around
ipfw -f flush
# Allow everything in and out
ipfw add 1000 pipe 1 ip from any to any
# Limit to 512Kbit/s
ipfw pipe 1 config bw 512Kbit/s

Make buffer size 8MB instead of 256K to lessen "no buffer space available" ping failures:
>sysctl -w kern.ipc.maxsockbuf=8388608

Do I have something configured wrong in /etc/rc.dummynet?

From owner-freebsd-ipfw@FreeBSD.ORG Wed May 24 15:29:25 2006
Date: Wed, 24 May 2006 18:29:09 +0300
From: vladone
To: ipfw@freebsd.org
Subject: Re: slow pings after enabling ipfw+dummynet?

Hello ANE,

Tuesday, May 23, 2006, 9:36:28 PM, you wrote:

> After enabling ipfw+dummynet, ping times, even to 127.0.0.1,
> increase from avg .025ms to 2500ms. Local pings occasionally drop
> packets with "No buffer space available". I set
> kern.ipc.maxsockbuf=8388608 which alleviates the frequency of buffer
> errors somewhat, but the huge ping times and pauses/timeouts
> accessing the machine via the network (SSH, sending/receiving email)
> still occur.

> If ipfw is disabled, everything returns to normal. (very low ms,
> quick access via the network)

> Any ideas why this is happening?

> Config:
> FreeBSD 4.10 with Intel NIC (fxp0)
> manually set full-duplex on both server & router

> /usr/src/sys/i386/conf/DNET (kernel config file)
> options IPFIREWALL # allow firewall construction
> options IPFIREWALL_VERBOSE # logging
> options DUMMYNET # traffic shaping
> options IPFIREWALL_DEFAULT_TO_ACCEPT # not using packet filtering
> just traffic shaping
> options HZ=1000 # recommended in dummynet man page

> /etc/rc.conf
> # ref:
> http://www.onlamp.com/pub/a/bsd/2001/07/26/Big_Scary_Daemons.html?page=2
> # ref: http://www.muine.org/~hoang/freenat.html
> firewall_enable="YES"
> firewall_script="/etc/rc.dummynet"
> firewall_type="open"
> firewall_logging="YES"

> /etc/rc.dummynet
> # Flush any old rules laying around
> ipfw -f flush
> # Allow everything in and out
> ipfw add 1000 pipe 1 ip from any to any
> # Limit to 512Kbit/s
> ipfw pipe 1 config bw 512Kbit/s

> Make buffer size 8MB instead of 256K to lessen "no buffer space
> available" ping failures:
>>sysctl -w kern.ipc.maxsockbuf=8388608

> Do I have something configured wrong in /etc/rc.dummynet?

Try to allow traffic via loopback interface:
ipfw add 10 allow ip from any to any via lo0
ipfw add 20 deny ip from any to 127.0.0.1

Second:
Try to change packet size (-s parameter) and frequency (-i parameter) in ping command, to see what is happening (see man ping).

--
Best regards,
vladone mailto:vladone@spaingsm.com

From owner-freebsd-ipfw@FreeBSD.ORG Wed May 24 23:16:08 2006
From: "mufalani"
Date: Wed, 24 May 2006 20:15:58 -0300
Subject: rule to accept lists of ip's

Hi all,

I would like to create ipfw rule to allow the lists of valid ip's to access my site.

for example :

allow access to addresses 200.200.200.1 (or hostname1) , 200.200.200.2 (or hostname2)
for my site under ip 200.200.200.3
and deny all world.

This is possible?

How to sintax of rule?

Att,

Rodrigo Mufalani

From owner-freebsd-ipfw@FreeBSD.ORG Wed May 24 23:17:22 2006
From: "mufalani"
Date: Wed, 24 May 2006 20:17:17 -0300
Subject: rule to accept lists of ip's

Hi all,

I would like to create ipfw rule to allow the lists of valid ip's to access my site.

for example :

allow access to addresses 200.200.200.1 (or hostname1) , 200.200.200.2 (or hostname2)
for my site under ip 200.200.200.3
and deny all world.

This is possible?

How to sintax of rule?

Att,

Rodrigo Mufalani

From owner-freebsd-ipfw@FreeBSD.ORG Thu May 25 11:57:18 2006
Date: Thu, 25 May 2006 14:57:14 +0300
From: vladone
To: ipfw@freebsd.org
Subject: Re: rule to accept lists of ip's

Hello mufalani,

Thursday, May 25, 2006, 2:15:58 AM, you wrote:

> Hi all,
> I would like to create ipfw rule to allow the lists of valid ip's to access my site.
> for example :
> allow access to addresses 200.200.200.1 (or hostname1) , 200.200.200.2 (or hostname2)
> for my site under ip 200.200.200.3
> and deny all world.
> This is possible?
> How to sintax of rule?
> Att,
> Rodrigo Mufalani

Use table option like this:
ipfw table my_access add 200.200.200.1
ipfw table my_access add 200.200.200.2
ipfw add 100 allow ip from "table(my_access)" to me
ipfw add 200 deny ip from any to me

--
Best regards,
vladone mailto:vladone@spaingsm.com

From owner-freebsd-ipfw@FreeBSD.ORG Thu May 25 12:23:32 2006
Date: Thu, 25 May 2006 15:23:25 +0300
From: Igor Popov
To: freebsd-ipfw@freebsd.org
Subject: securelevel and ipfw

List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 25 May 2006 12:23:32 -0000 Hi, all! I use FreeBSD 4.11-RELEASE-p16 with ipfw2, now machine is running in securelevel mode: # sysctl kern.securelevel kern.securelevel: 1 and I can't reload ipfw rules from remote machine, as usually I do ipfw disable firewall /etc/firewall.sh ipfw enable firewall As you can guess the first rule in firewall.sh is ipfw -f flush. but now I can't, cause on # sysctl -w net.inet.ip.fw.enable=0 net.inet.ip.fw.enable: 1 sysctl: net.inet.ip.fw.enable: Operation not permitted But, when I do /etc/rc.d/ipfw restart on FreeBSD 6.0 or 6.1 that is in the same securelevel (1) it works. -- All I kin say is when you finds yo'self wanderin' in a peach orchard, ya don't go lookin' for rutabagas. -- Kingfish From owner-freebsd-ipfw@FreeBSD.ORG Thu May 25 13:06:07 2006 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DBDB416A487 for ; Thu, 25 May 2006 13:06:07 +0000 (UTC) (envelope-from prvs=astraserg/0300289187@proc.ru) Received: from mail.proc.ru (mail.proc.ru [217.117.112.5]) by mx1.FreeBSD.org (Postfix) with ESMTP id 44D2543D6E for ; Thu, 25 May 2006 13:06:07 +0000 (GMT) (envelope-from prvs=astraserg/0300289187@proc.ru) Received: from [217.117.127.77] (helo=77.127.real.proc.ru) by mail.proc.ru with esmtps (TLSv1:RC4-MD5:128) (envelope-from ) id 1FjF9x-0008Me-Aq for freebsd-ipfw@freebsd.org; Thu, 25 May 2006 16:41:49 +0400 From: AstraSerg Organization: Proc.ru To: freebsd-ipfw@freebsd.org Date: Thu, 25 May 2006 16:40:09 +0400 User-Agent: KMail/1.8.2 References: <008201c67f88$3350a200$0101a8c0@cristian2aebca> In-Reply-To: <008201c67f88$3350a200$0101a8c0@cristian2aebca> MIME-Version: 1.0 Content-Type: text/plain; charset="koi8-r" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: 
Subject: Re: rule to accept lists of ip's
Reply-To: astraserg@proc.ru

ipfw add 100 allow ip from 200.200.200.3 to 200.200.200.1 keep-state
ipfw add 110 allow ip from 200.200.200.3 to 200.200.200.2 keep-state
ipfw add 120 deny ip from any to 200.200.200.1
ipfw add 130 deny ip from any to 200.200.200.2

On Thursday 25 May 2006 03:17, mufalani wrote:
> Hi all,
>
> I would like to create ipfw rule to allow the lists of valid ip's to
> access my site.
>
> for example :
>
> allow access to addresses 200.200.200.1 (or hostname1) , 200.200.200.2 (or
> hostname2)
>
> for my site under ip 200.200.200.3
>
> and deny all world.
>
> This is possible?
>
> How to syntax of rule?
>
> Att,
>
> Rodrigo Mufalani

--
Thu May 25 16:37:13 MSD 2006

From owner-freebsd-ipfw@FreeBSD.ORG Fri May 26 20:57:48 2006
From: ANE
Reply-To: support@networkexpert.net
To: freebsd-ipfw@freebsd.org
Date: Fri, 26 May 2006 13:57:46 -0700 (PDT)
Subject: Re: slow pings after enabling ipfw+dummynet?

Hello VLadone,

--- vladone@spaingsm.com wrote:
> Try to allow traffic via loopback interface:
> ipfw add 10 allow ip from any to any via lo0

Thank you sir. Your suggestion worked. Ping times to 127.0.0.1 are now normal after I added your rule. Also modified the following rule to include "via fxp0" and that cleared up the other ping problems.

ipfw add 1000 pipe 1 ip from any to any via fxp0

ipfw+dummynet now works fine.
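
Added example, not part of any message in this archive: a small generator for the table-based allowlist suggested in the "rule to accept lists of ip's" thread, with the loopback rule from the dummynet thread placed first. The helper names (is_ipv4, gen_rules) are hypothetical, the script only prints ipfw commands for review, and it assumes literal IPv4 addresses only (hostnames are rejected).

```shell
#!/bin/sh
# Added example: prints ipfw commands for review instead of executing them.

# Succeeds only for a dotted-quad IPv4 address, octets 0..255, no leading zeros.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*) return 1 ;; esac
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# gen_rules TABLE ADDR...   (hypothetical helper; rule numbers follow the thread)
gen_rules() {
    [ $# -ge 2 ] || { echo "refusing: empty allowlist would deny everyone" >&2; return 1; }
    table=$1; shift
    # Validate everything first so a bad entry never yields a partial
    # allowlist followed by the deny rule.
    for addr in "$@"; do
        is_ipv4 "$addr" || { echo "refusing: not an IPv4 address: $addr" >&2; return 1; }
    done
    # Loopback first: "me" matches every address configured on the host,
    # 127.0.0.1 included, so rule 200 would otherwise drop local traffic.
    echo 'ipfw add 10 allow ip from any to any via lo0'
    for addr in "$@"; do
        echo "ipfw table $table add $addr"
    done
    echo "ipfw add 100 allow ip from \"table($table)\" to me"
    echo 'ipfw add 200 deny ip from any to me'
}

# Constructed sample input: the two addresses from the original question.
gen_rules my_access 200.200.200.1 200.200.200.2
```

Because validation happens before any output, a typo in the address list produces no rules at all rather than a deny rule with an incomplete table in front of it.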