From owner-freebsd-net Sun Feb 2 4:43:34 2003
Message-ID: <3E3D126E.5090207@metu.edu>
Date: Sun, 02 Feb 2003 14:43:26 +0200
From: Gokhan ERYOL
Organization: Middle East Tech. University, Computer Center
To: Faried Nawaz
Cc: freebsd-isp@FreeBSD.ORG, freebsd-net@FreeBSD.ORG
Subject: Re: pseudo-device gre and wccp/squid
References: <20030201234923.GA83216@nilpotent.org>

Actually, since "A gre(4) driver, which can encapsulate IP packets using GRE (RFC 1701) or minimal IP encapsulation for Mobile IP (RFC 2004), has been added", WCCP over GRE has not been working on FreeBSD Stable systems, because there is no WCCP support in the new GRE driver. I tried the same things as you did. I e-mailed this situation several times to the lists since 12/11/2002, but there has been no action.

Henrik Nordstrom from squid-cache.org said that adding WCCP support to an existing GRE module is in most cases trivial, as the packet format is identical to plain IP over GRE except for the protocol type, and that GRE is only used in one direction (Router -> Proxy), not as a bidirectional tunnel.

Regards
Gokhan ERYOL

Faried Nawaz wrote:

> Hello,
>
> Is anyone using the gre pseudo-device with squid for WCCP? Try as I might
> I can't get it to work for me.
>
> I'm using FreeBSD 4.7-STABLE, using ipfilter's ipnat to redirect packets.
> I've done
>
> ifconfig gre0 create
> ifconfig gre0 aaa.bbb.ccc.ddd fff.ggg.hhh.iii netmask 255.255.255.255 link0 up
> ifconfig gre0 tunnel aaa.bbb.ccc.ddd fff.ggg.hhh.iii
>
> aaa.bbb.ccc.ddd is the web proxy's ip, fff.ggg.hhh.iii is the router's.
>
> ipnat.rules has
>
> rdr gre0 0.0.0.0/0 port 80 aaa.bbb.ccc.ddd port 8080 tcp
>
> ipfilter is set to pass through all traffic, and there are no firewall rules
> defined.
>
> tcpdump on my ethernet interface shows gre packets coming in.
>
> 04:07:39.093205 fff.ggg.hhh.iii > aaa.bbb.ccc.ddd: gre gre-proto-0x883E
>
> tcpdump on my gre0 interface shows incoming connections from the users, and
> ipnat -l shows lots of redirects.
>
> proxy1# ipnat -l | head
> List of active MAP/Redirect filters:
> rdr gre0 0.0.0.0/0 port 80 -> aaa.bbb.ccc.ddd port 8080 tcp
>
> List of active sessions:
> RDR aaa.bbb.ccc.ddd 8080 <- -> 207.44.178.61 80 [203.215.178.61 4122]
> RDR aaa.bbb.ccc.ddd 8080 <- -> 205.188.250.25 80 [203.215.178.19 1612]
> RDR aaa.bbb.ccc.ddd 8080 <- -> 66.51.99.157 80 [66.206.32.180 3769]
> RDR aaa.bbb.ccc.ddd 8080 <- -> 64.94.89.238 80 [203.215.177.248 1172]
> RDR aaa.bbb.ccc.ddd 8080 <- -> 207.46.104.20 80 [66.206.33.7 1601]
> proxy1#
>
> However, none of them get to squid.
>
> Everything worked fine before the upgrade, but I was using the gre patch
> from squid's web site to do the work. The new pseudo-device appears to
> have WCCP-specific code in it, but it's not working.
>
> Does anyone have this working? Anyone at all? I'm willing to break
> down and switch to ipfw if that'll help, but I can't upgrade my machines
> to 4.7 (and higher) properly without a fix. Surely someone has used this
> since the code was committed.
>
> (A hack would be to comment out all code related to the pseudo-device so
> I can use the wccp-specific gre.c.)
>
>
> Faried.
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
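The point Gokhan relays from Henrik Nordstrom, that WCCP-over-GRE is plain IP-over-GRE carrying protocol type 0x883E instead of 0x0800 (the "gre-proto-0x883E" tcpdump printed above), as an added example that is not code from the thread or from the gre(4) driver: a user-space decapsulator that accepts both protocol types, skips the RFC 1701 optional fields, and validates the inner IPv4 header. The treatment of a non-IPv4 version nibble after a 0x883E header as a 4-byte WCCPv2 redirect header is an assumption of this example, and the sample packets are constructed, not captures.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* GRE protocol types from the thread: plain IP-over-GRE and the WCCP
 * type that tcpdump printed as "gre-proto-0x883E". */
#define GRE_PROTO_IP    0x0800
#define GRE_PROTO_WCCP  0x883E

/* Flag bits in the first 16 bits of the GRE header (RFC 1701 / RFC 2784). */
#define GRE_FLAG_CSUM   0x8000
#define GRE_FLAG_ROUTE  0x4000
#define GRE_FLAG_KEY    0x2000
#define GRE_FLAG_SEQ    0x1000
#define GRE_VERS_MASK   0x0007

enum gre_status { GRE_OK, GRE_TRUNCATED, GRE_BAD_VERSION,
                  GRE_ROUTING_UNSUPPORTED, GRE_UNKNOWN_PROTO, GRE_BAD_INNER_IP };

struct gre_result {
    uint16_t proto;       /* GRE protocol type, host byte order */
    size_t payload_off;   /* offset of the inner IPv4 header within pkt */
    int wccp_v2;          /* 1 if a 4-byte WCCPv2 redirect header was skipped */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Decapsulate one GRE packet whose outer IP header is already stripped.
 * 0x0800 and 0x883E are handled identically apart from the optional WCCPv2
 * redirect header, which is the "only the protocol type differs" point. */
enum gre_status gre_decap(const uint8_t *pkt, size_t len, struct gre_result *out)
{
    if (len < 4)
        return GRE_TRUNCATED;
    uint16_t flags = rd16(pkt);
    uint16_t proto = rd16(pkt + 2);
    if ((flags & GRE_VERS_MASK) != 0)
        return GRE_BAD_VERSION;          /* only GRE version 0 is handled */
    if (flags & GRE_FLAG_ROUTE)
        return GRE_ROUTING_UNSUPPORTED;  /* RFC 1701 source routing: drop */

    /* Optional 32-bit fields follow the base header in a fixed order. */
    size_t off = 4;
    if (flags & GRE_FLAG_CSUM) off += 4;  /* checksum + reserved/offset */
    if (flags & GRE_FLAG_KEY)  off += 4;
    if (flags & GRE_FLAG_SEQ)  off += 4;
    if (off > len)
        return GRE_TRUNCATED;

    int wccp_v2 = 0;
    switch (proto) {
    case GRE_PROTO_IP:
        break;
    case GRE_PROTO_WCCP:
        /* Assumption: WCCPv2 inserts a 4-byte redirect header between the
         * GRE header and the IP packet; detect it by a non-IPv4 version
         * nibble, since the GRE header does not say which WCCP version the
         * router speaks. */
        if (off < len && (pkt[off] >> 4) != 4) {
            off += 4;
            wccp_v2 = 1;
        }
        break;
    default:
        return GRE_UNKNOWN_PROTO;
    }

    /* Sanity-check the inner IPv4 header before handing it up the stack. */
    if (off + 20 > len)
        return GRE_TRUNCATED;
    if ((pkt[off] >> 4) != 4 || (pkt[off] & 0x0f) < 5)
        return GRE_BAD_INNER_IP;
    uint16_t ip_len = rd16(pkt + off + 2);
    if (ip_len < 20 || off + ip_len > len)
        return GRE_BAD_INNER_IP;

    out->proto = proto;
    out->payload_off = off;
    out->wccp_v2 = wccp_v2;
    return GRE_OK;
}

/* Convenience wrapper: inner-IP offset on success, negated status on error. */
long gre_payload_offset(const uint8_t *pkt, size_t len)
{
    struct gre_result r;
    enum gre_status st = gre_decap(pkt, len, &r);
    return st == GRE_OK ? (long)r.payload_off : -(long)st;
}

/* Constructed sample packets (not captures): a 20-byte IPv4 header with no
 * payload, total length 20, 203.0.113.5 -> 10.0.1.100. */
#define INNER_IP 0x45,0x00,0x00,0x14, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00, \
                 0xcb,0x00,0x71,0x05, 0x0a,0x00,0x01,0x64
const uint8_t pkt_wccp_v1[]    = { 0x00,0x00, 0x88,0x3e, INNER_IP };
const uint8_t pkt_wccp_v2[]    = { 0x00,0x00, 0x88,0x3e, 0x00,0x00,0x00,0x00, INNER_IP };
const uint8_t pkt_ip_keyed[]   = { 0x20,0x00, 0x08,0x00, 0x00,0x00,0x00,0x2a, INNER_IP };
const uint8_t pkt_ipv6_proto[] = { 0x00,0x00, 0x86,0xdd, INNER_IP };

int main(void)
{
    printf("wccp v1 -> %ld\n", gre_payload_offset(pkt_wccp_v1, sizeof pkt_wccp_v1));
    printf("wccp v2 -> %ld\n", gre_payload_offset(pkt_wccp_v2, sizeof pkt_wccp_v2));
    printf("ip+key  -> %ld\n", gre_payload_offset(pkt_ip_keyed, sizeof pkt_ip_keyed));
    printf("0x86dd  -> %ld\n", gre_payload_offset(pkt_ipv6_proto, sizeof pkt_ipv6_proto));
    return 0;
}
```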
From owner-freebsd-net Mon Feb 3 7:53:35 2003
From: "Ivailo Tanusheff"
To: "FreeBSD Questions"
Cc: "FreeBSD Net"
Subject: NOCC problem
Date: Mon, 3 Feb 2003 17:53:29 +0200
Organization: ProCredit Bank
Message-ID: <05ec01c2cb9c$6528e1f0$faf810ac@sof.procreditbank.bg>

Hi,

I'm wondering if anybody has succeeded in running nocc on FreeBSD. I've encountered many problems and still can't make it run properly. May somebody help me deal with this?

Thanks in advance,
Ivailo Tanusheff

From owner-freebsd-net Mon Feb 3 10:12:19 2003
Date: Mon, 3 Feb 2003 13:12:12 -0500 (EST)
From: "James E. Flemer"
Reply-To: "James E. Flemer"
Subject: Re: MPD and Cisco PIX

Anyone trying to establish PPTP between FreeBSD and Cisco hardware should take a look at this:

http://www.cs.rpi.edu/~flemej/fbsd-cisco-vpn/

It gives a brief description of what was necessary for me to use PPTP between FreeBSD and a 3000 series Cisco VPN concentrator. I would guess that connecting to a PIX would be very similar. The quick version is, you need to use mpd's "iface up-script" to re-address your tun interface and fix the routing table since Cisco send the wrong addrs in the PPP IPCP phase.

From owner-freebsd-net Mon Feb 3 10:56:14 2003
Message-ID: <3E3EBA9E.205CA244@pipeline.ch>
Date: Mon, 03 Feb 2003 19:53:18 +0100
From: Andre Oppermann
To: "James E. Flemer"
Cc: freebsd-net@freebsd.org, anthonyv@brainlink.com
Subject: Re: MPD and Cisco PIX

"James E. Flemer" wrote:
>
> Anyone trying to establish PPTP between FreeBSD and Cisco
> hardware should take a look at this:
>
> http://www.cs.rpi.edu/~flemej/fbsd-cisco-vpn/
>
> It gives a brief description of what was necessary for me
> to use PPTP between FreeBSD and a 3000 series Cisco VPN
> concentrator. I would guess that connecting to a PIX would
> be very similar. The quick version is, you need to use
> mpd's "iface up-script" to re-address your tun interface
> and fix the routing table since Cisco send the wrong addrs
> in the PPP IPCP phase.

If the cisco is wrong, have you told cisco about this bug so that they have a chance to fix it?
--
Andre

From owner-freebsd-net Mon Feb 3 11:29:27 2003
Date: Mon, 3 Feb 2003 14:29:19 -0500 (EST)
From: "James E. Flemer"
Reply-To: "James E. Flemer"
To: Andre Oppermann
Subject: Re: MPD and Cisco PIX
In-Reply-To: <3E3EBA9E.205CA244@pipeline.ch>

On Mon, 3 Feb 2003, Andre Oppermann wrote:

> "James E. Flemer" wrote:
> >
> > Anyone trying to establish PPTP between FreeBSD and Cisco
> > hardware should take a look at this:
> >
> > http://www.cs.rpi.edu/~flemej/fbsd-cisco-vpn/
> >
> > It gives a brief description of what was necessary for me
> > to use PPTP between FreeBSD and a 3000 series Cisco VPN
> > concentrator. I would guess that connecting to a PIX would
> > be very similar. The quick version is, you need to use
> > mpd's "iface up-script" to re-address your tun interface
> > and fix the routing table since Cisco send the wrong addrs
> > in the PPP IPCP phase.
>
> If the cisco is wrong, have you told cisco about this bug so
> that they have a chance to fix it?

It depends on what you consider "wrong". It works for Windows, but on FreeBSD it causes a routing conflict. The cisco sets the endpoint of the ppp link to the ip address that you connect to for the pptp negotiation. However, once the pptp link is up, there is a new route added passing all packets for that destination over the tunnel; the tunnel is really just gre packets sent to the cisco tho. But now the route for the gre packets is *over the tunnel*. Do you see the problem?

I explained this whole problem to someone at RPI who in turn "told cisco", but I do not think cisco is too concerned. They support most platforms with their (semi-proprietary) IPsec client, so supporting a handful of bsd boxes using PPTP is probably not high on their list, unfortunately.
If they were concerned, then they'd just release a BSD version of the IPsec client, or release the source code for it. I spent several weeks with ethereal and isakmpd trying to get an IPsec tunnel to work, but the IPsec implementation[1] used by the 3000 concentrators uses XAuth (X-Auth) which does not seem to be supported by any IKE tools for BSD. If someone was determined to do so, I believe that isakmpd could be extended to work with Cisco IPsec implementations. I think that just XAuth and IKE Mode Config need to be implemented in isakmpd for this to work. (Perhaps work on this has already been done since I last checked ...)

-James

(sorry for the long url)
[1] http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/config/ipsecstd.htm

From owner-freebsd-net Mon Feb 3 14:55:32 2003
From: Mikhail Teterin
Organization: Virtual Estates, Inc.
To: questions@FreeBSD.org, net@FreeBSD.org
Subject: sendmail and SSL-based relaying
Date: Mon, 3 Feb 2003 17:55:37 -0500
Message-Id: <200302031755.37824.mi+mx@aldan.algebra.com>

Hello!

I set things up once some time ago for one of my machines to relay e-mail from another -- based on the SSL certificate presented. I'm my own issuer. The setup was working for a while, but broke recently -- the relay-to-be now rejects relaying, even though it verifies the certificate Ok. Here are the relevant log messages:

Feb 3 17:36:57 aldan sm-mta[6650]: STARTTLS=server, relay=centurion@corbulon.video-collage.com [64.35.99.179], version=TLSv1/SSLv3, verify=OK, cipher=EDH-RSA-DES-CBC3-SHA, bits=168/168
Feb 3 17:36:57 aldan sm-mta[6650]: STARTTLS=server, cert-subject=/C=US/ST=Massachusetts/L=Jamaica+20Plain/O=Video+20Collage,+20Inc./OU=Mail+20Server/CN=corbulon.video-collage.com/emailAddress=m, cert-issuer=/C=US/ST=Massachusetts/L=Jamaica+20Plain/O=Video+20Collage,+20Inc./OU=SSL+20Certificate+20Authority/CN=Video+20Collage+20CA/emai [...]
Feb 3 17:49:24 aldan sm-mta[6699]: h13MnNBO006699: <-- RCPT To:
Feb 3 17:49:24 aldan sm-mta[6699]: h13MnNBO006699: --- 550 5.7.1 ... Relaying denied

The (my own) authority's certificate did not change in months, and neither did the /etc/mail/access. What changed was sendmail's version on both ends (sendmail-tls-8.12.7_2 on the sender, and 8.12.6 on the relay) and the .cf files, which were re-made from the old .mc ones.

Any clues? Thanks!
-mi

From owner-freebsd-net Mon Feb 3 15:37:53 2003
Message-ID: <15934.64829.7599.255287@horsey.gshapiro.net>
Date: Mon, 3 Feb 2003 15:37:33 -0800
From: Gregory Neil Shapiro
To: Mikhail Teterin
Cc: questions@FreeBSD.org, net@FreeBSD.org
Subject: Re: sendmail and SSL-based relaying
In-Reply-To: <200302031755.37824.mi+mx@aldan.algebra.com>
References: <200302031755.37824.mi+mx@aldan.algebra.com>

mi+mx> I set things up once some time ago for one of my machines to relay
mi+mx> e-mail from another -- based on SSL-certificate presented. I'm my
mi+mx> own issuer. The setup was working for a while, but broke recently --
mi+mx> the relay-to-be now rejects relaying, even though it verifies the
mi+mx> certificate Ok.

Does it actually verify it as ok, or are you using the logging you gave to assume it is ok? It was just showing the subject and issuer, not the validity. The first thing I would check is to make sure the CA cert and user cert are not expired.
From owner-freebsd-net Mon Feb 3 21:28:26 2003
From: Mikhail Teterin
To: net@FreeBSD.org
Subject: Does natd(8) really need to see _all_ packets?
Date: Tue, 4 Feb 2003 00:27:30 -0500

Hi!

This question bothered me for a while -- most of the traffic on my LAN is just that -- local. Yet my gw/firewall machine only has one interface -- with two IP addresses -- private and public on it.

The DSL modem is plugged into the switch just like everything else.

I doubt this is a unique setup.

Recently I had to use NFS quite heavily (another machine's disk was small and slow -- 100baseTX at full duplex was much quicker). I saw the noticeable CPU percentage eaten by natd -- needlessly, as it was not doing anything to it. This was increasing the latency kernel-user-kernel, and I have decided to improve my setup -- adapted from the "simple" clause of /etc/rc.firewall.

Here is the result (don't laugh). It seems to work, and when natd is run with the -verbose flag, it only outputs the real stuff -- it is not bothered needlessly with 10.0.1.100<->10.0.1.150 packets, for example.

How can this be improved -- without an additional network card for pure hardware separation? What am I exposed to by not using separate cards (assuming the ISP has the decency to block extraneous RFC1918 packets)? I guess I should explicitly list MAC addresses on my LAN -- or use IPsec. Any other comments?

Should I put this up as a sample somewhere? Could it be adopted for /etc/rc.firewall (if [ "$oif" = "$iif" ] ....)?

Thanks!
-mi

#define IF xl0 /* Interface */
#define IP 10.0.1.100 /* Local IP */
#define LN 10.0.1.0/24 /* Local Network */
#define OIP x.x.x.x /* Public IP */

#define REGULAR 55000
#define NATD 40000

#undef DHCP
#define MULTICAST

#define DENY deny log

#if defined(NATD) && NATD > REGULAR
# error "Need to skip over natd for local network"
#endif

-f flush

# setup_loopback:
add 100 pass all from any to any via lo0
add 200 DENY all from any to 127.0.0.0/8
add 300 DENY all from 127.0.0.0/8 to any

# Stop spoofing
# How?

# Local traffic between the LAN and this host never reaches natd:
add skipto REGULAR all from LN to IP in
add skipto REGULAR all from IP to LN out

#define DRAFTMAN 30000
# Make sure traffic to our LAN gets past the private-network checks below:
add skipto DRAFTMAN all from any to LN

# Stop RFC1918 nets on the outside interface
add DENY all from any to 10.0.0.0/8
add DENY all from any to 172.16.0.0/12
add DENY all from any to 192.168.0.0/16

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
add DRAFTMAN DENY all from any to 0.0.0.0/8
#ifndef DHCP
add DENY all from any to 169.254.0.0/16
#endif
add DENY all from any to 192.0.2.0/24
#ifndef MULTICAST
add DENY all from any to 224.0.0.0/4
add DENY all from any to 240.0.0.0/4
#endif

#ifdef NATD
# Only LAN-to-outside and outside-to-public-IP packets are diverted:
add NATD divert natd all from LN to not LN out
add NATD divert natd all from not LN to OIP in
# add NATD divert natd all from any to any
#endif

# Stop RFC1918 nets on the outside interface
# (our own LAN is an RFC1918 net, so let its outbound traffic past the checks first)
add skipto REGULAR all from LN to not IP
add DENY all from 10.0.0.0/8 to any
add DENY all from 172.16.0.0/12 to any
add DENY all from 192.168.0.0/16 to any

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface (IF is the only interface here; rc.firewall's
# ${oif} is not defined in this file)
add DENY all from 0.0.0.0/8 to any via IF
add DENY all from 169.254.0.0/16 to any via IF
add DENY all from 192.0.2.0/24 to any via IF
add DENY all from 224.0.0.0/4 to any via IF
add DENY all from 240.0.0.0/4 to any via IF

# Allow TCP through if setup succeeded
add REGULAR pass tcp from any to any established

# Allow IP fragments to pass through
add pass all from any to any frag

# Dangerous, needs narrowing down:
add pass icmp from any to any

# Allow the local net access to the rest of the world:
add pass ip from LN to not IP
add pass ip from OIP to not LN

# Allow setup of incoming email
add pass tcp from LN to IP 25 setup
add pass log tcp from any to OIP auth setup
add pass log tcp from any to any ssh setup
add pass log tcp from LN to IP telnet setup

# Allow ICQ packets back to us:
add allow udp from 205.188.153.98/24 4000 to any

# RPC, NTP, Samba:
add allow udp from LN to IP

# Allow access to our DNS
add pass tcp from any to any 53 setup
add pass udp from any to any 53
add pass udp from any 53 to any

# Allow access to our WWW
add pass tcp from any to IP http,https,8000,8015,8016 setup

# Samba:
add pass log tcp from LN to IP 138,139 setup
# add pass log udp from LN to IP 137,138,139

add allow log tcp from 65.224.0.0/12 to OIP hylafax setup

# Reject&Log all setup of incoming connections from the outside
add deny log tcp from any to any in setup

# Everything else is denied by default, unless the
# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
# config file.
add 60000 deny log ip from any to any

From owner-freebsd-net Mon Feb 3 21:35:53 2003
Message-ID: <002801c2cc0e$dba94ff0$83ee35ca@Beastie>
From: "Barry Irwin"
To: "Mikhail Teterin",
References: <200302040027.30781@aldan>
Subject: Re: Does natd(8) really need to see _all_ packets?
Date: Tue, 4 Feb 2003 07:29:11 +0200
Organization: iTouch Labs

Your best solution is to add a skipto before the divert rule. You can therefore skip any traffic from a private address to another private address. Anything not matched by the skipto rule gets fed to the divert socket.

Regards.

--
Barry Irwin bvi@itouchlabs.com Tel: +27214875178
Systems Administrator: Networks And Security
iTouch TAS http://www.itouchlabs.com Mobile: +27824457210

----- Original Message -----
From: "Mikhail Teterin"
Sent: Tuesday, February 04, 2003 7:27 AM
Subject: Does natd(8) really need to see _all_ packets?

> Hi!
>
> This question bothered me for a while -- most of the traffic on my LAN
> is just that -- local. Yet my gw/firewall machine only has one interface
> -- with two IP addresses -- private and public on it.
>
> The DSL modem is plugged into the switch just like everything else.
>
> I doubt this is a unique setup.

From owner-freebsd-net Mon Feb 3 21:41:01 2003
From: Mikhail Teterin
Message-Id: <200302040540.h145evwa062764@corbulon.video-collage.com>
Subject: Re: Does natd(8) really need to see _all_ packets?
In-Reply-To: <002801c2cc0e$dba94ff0$83ee35ca@Beastie>
To: Barry Irwin
Date: Tue, 4 Feb 2003 00:40:56 -0500 (EST)
Cc: net@FreeBSD.org

> your best solution is to add a skipto before the divert rule.

Thank you, Barry, but is that not what I'm doing in the sample?

> You can therefore skip any traffic from a private address to another
> private address. Anything not matched by the skipto rule gets fed to
> the divert socket.

The trick was to figure out what could be skipped, and what could not. I'm wondering if I got that right -- it seems to work fine, but does it leave something open? Before I can recommend it to others, I'd like to be more sure :-)

-mi

> ----- Original Message -----
> From: "Mikhail Teterin"
> Sent: Tuesday, February 04, 2003 7:27 AM
> Subject: Does natd(8) really need to see _all_ packets?
>
> > Hi!
> >
> > This question bothered me for a while -- most of the traffic on my
> > LAN is just that -- local. Yet my gw/firewall machine only has one
> > interface -- with two IP addresses -- private and public on it.
> >
> > The DSL modem is plugged into the switch just like everything else.
> >
> > I doubt this is a unique setup.

From owner-freebsd-net Mon Feb 3 22:03:17 2003
Date: Tue, 4 Feb 2003 08:00:46 +0200 (EET)
From: Emilian Ursu
To: Mikhail Teterin
Cc: Barry Irwin, net@FreeBSD.ORG
Subject: Re: Does natd(8) really need to see _all_ packets?
In-Reply-To: <200302040540.h145evwa062764@corbulon.video-collage.com>

On Tue, 4 Feb 2003, Mikhail Teterin wrote:

> > your best solution is to add a skipto before the divert rule.
>
> Thank you, Barry, but is that not what I'm doing in the sample?
>
> > You can therefore skip any traffic from a private address to another
> > private address. Anything not matched by the skipto rule gets fed to
> > the divert socket.
>
> The trick was to figure out what could be skipped, and what could not.
> I'm wondering if I got that right -- it seems to work fine, but does it
> leave something open?
> Before I can recommend it to others, I'd like to
> be more sure :-)
>

see the example from man firewall

From owner-freebsd-net Mon Feb 3 22:32:38 2003
Date: Tue, 4 Feb 2003 01:32:21 -0500
From: Barney Wolff
To: Mikhail Teterin
Cc: net@FreeBSD.ORG
Subject: Re: Does natd(8) really need to see _all_ packets?
Message-ID: <20030204063221.GA3032@pit.databus.com>
References: <200302040027.30781@aldan>
In-Reply-To: <200302040027.30781@aldan>

On Tue, Feb 04, 2003 at 12:27:30AM -0500, Mikhail Teterin wrote:
>
> This question bothered me for a while -- most of the traffic on my LAN
> is just that -- local. Yet my gw/firewall machine only has one interface
> -- with two IP addresses -- private and public on it.
>
> The DSL modem is plugged into the switch just like everything else.
>
> I doubt this is a unique setup.
>
> ...
>
> # Stop spoofing
> # How?

You've pointed out for yourself the fatal problem with this setup. Get
a cheap 10baseT card to talk to the dsl modem. Are you out of slots?

If you insist on using only one nic, putting a "pass ip LN LN" right
after the lo0/127 rules will minimize overhead for local traffic.

If you need protection from the other hosts on your lan there are
things running on your firewall that should not be there.

--
Barney Wolff http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
From owner-freebsd-net Mon Feb 3 23:29:51 2003
From: "Ivailo Tanusheff"
To: "FreeBSD Net", "FreeBSD Questions"
Subject: RE: NOCC problem
Date: Tue, 4 Feb 2003 09:29:31 +0200
Organization: ProCredit Bank
Message-ID: <06a501c2cc1f$28aca210$faf810ac@sof.procreditbank.bg>
In-Reply-To: <20030204024935.BD1721CBCEA@mamacass.springsips.com>

Hi,

I had some problems in the beginning with my version of php - it just
doesn't log in. But after downloading the latest snapshot I receive
another error message in the web browser:

Warning: Couldn't open stream {} in /usr/local/www/nocc/class_local.php on line 37

Warning: Cannot add header information - headers already sent by (output started at /usr/local/www/nocc/class_local.php:37) in /usr/local/www/nocc/proxy.php on line 21

Warning: Cannot add header information - headers already sent by (output started at /usr/local/www/nocc/class_local.php:37) in /usr/local/www/nocc/proxy.php on line 22

Warning: Cannot add header information - headers already sent by (output started at /usr/local/www/nocc/class_local.php:37) in /usr/local/www/nocc/html/header.php on line 5

Fatal error: Call to undefined function: get_default_from_address() in /usr/local/www/nocc/html/header.php on line 11

I think that's because I'm not using IMAP at all. But I don't want to
install it.

Did you have similar problems?

Best Regards,
Ivailo Tanusheff

-----Original Message-----
From: Chris Craft [mailto:ccraft@netgenius.org]
Sent: Tuesday, February 04, 2003 4:49 AM
To: I.Tanusheff@procreditbank.com; FreeBSD Questions
Subject: Re: NOCC problem

On Monday 03 February 2003 08:53, Ivailo Tanusheff wrote:
> Hi,
>
> I'm wondering if anybody succeeded in running nocc on FreeBSD. I've
> encountered many problems and still can't make it run properly. May
> somebody help me deal with this?
>
> Thanks in advance,
> Ivailo Tanusheff

What seems to be the trouble? I've installed NOCC successfully on Linux
and FreeBSD.

Regards,
Chris.

From owner-freebsd-net Tue Feb 4 0:24: 3 2003
Subject: Re: Does natd(8) really need to see _all_ packets?
From: Wes Peters
To: Mikhail Teterin
Cc: net@FreeBSD.org
In-Reply-To: <200302040027.30781@aldan>
References: <200302040027.30781@aldan>
Organization: Softweyr LLC
Message-Id: <1044321596.358.69.camel@zaphod.softweyr.com>
Date: 04 Feb 2003 01:19:56 +0000

On Tue, 2003-02-04 at 05:27, Mikhail Teterin wrote:
> Hi!
>
> This question bothered me for a while -- most of the traffic on my LAN
> is just that -- local. Yet my gw/firewall machine only has one interface
> -- with two IP addresses -- private and public on it.
>
> The DSL modem is plugged into the switch just like everything else.
>
> I doubt this is a unique setup.

It may not be unique, but it's certainly not very bright. What resource
are you trying to conserve here, a $4 network interface? If so, I can
give you a handful of them; one of the local office supply stores was
giving them away last December and I picked up several...

--
Where am I, and what am I doing in this handbasket?
Wes Peters wes@softweyr.com

From owner-freebsd-net Tue Feb 4 2: 5:24 2003
Message-ID: <3E3F904B.70E91234@portaone.com>
Date: Tue, 04 Feb 2003 12:04:59 +0200
From: Maxim Sobolev
Organization: Porta Software Ltd
To: Alexandr Kovalenko
Cc: sobomax@FreeBSD.ORG, Faried Nawaz, freebsd-isp@FreeBSD.ORG, freebsd-net@FreeBSD.ORG, Gokhan ERYOL, freebsd@freebsddiary.org.ua
Subject: Re: Fwd: pseudo-device gre and wccp/squid
References: <20030203185739.GA33669@nevermind.kiev.ua>

Hi,

It works here like a charm, but with ipfw(8), not ipfilter(8), so that
might be where the problem is. The setup is as follows:

/etc/rc.firewall:
[...]
${fwcmd} add fwd 127.0.0.1,3128 tcp from A.B.C.0/28 to any 80 via gre0 in
${fwcmd} add fwd 127.0.0.1,3128 tcp from A.B.C.16/30 to any 80 via gre0 in
${fwcmd} add fwd 127.0.0.1,3128 tcp from A.B.C.28/30 to any 80 via gre0 in
${fwcmd} add fwd 127.0.0.1,3128 tcp from A.B.C.32/29 to any 80 via gre0 in
${fwcmd} add fwd 127.0.0.1,3128 tcp from A.B.C.48/30 to any 80 via gre0 in
${fwcmd} add fwd 127.0.0.1,3128 tcp from A.B.C.52/30 to any 80 via gre0 in
${fwcmd} add fwd 127.0.0.1,3128 tcp from A.B.C.68/30 to any 80 via gre0 in
${fwcmd} add fwd 127.0.0.1,3128 tcp from A.B.C.72/30 to any 80 via gre0 in
${fwcmd} add fwd 127.0.0.1,3128 tcp from A.B.C.76/30 to any 80 via gre0 in
${fwcmd} add fwd 127.0.0.1,3128 tcp from A.B.C.80/29 to any 80 via gre0 in
${fwcmd} add fwd 127.0.0.1,3128 tcp from A.B.C.100/30 to any 80 via gre0 in
${fwcmd} add fwd 127.0.0.1,3128 tcp from A.B.C.160/29 to any 80 via gre0 in
${fwcmd} add fwd 127.0.0.1,3128 tcp from A.B.C.168/29 to any 80 via gre0 in
${fwcmd} add fwd 127.0.0.1,3128 tcp from A.B.C.208/29 to any 80 via gre0 in
${fwcmd} add fwd 127.0.0.1,3128 tcp from A.B.C.232/30 to any 80 via gre0 in
${fwcmd} add fwd 127.0.0.1,3128 tcp from A.B.C.236/30 to any 80 via gre0 in
${fwcmd} add fwd 127.0.0.1,3128 tcp from A.B.C.240/30 to any 80 via gre0 in
${fwcmd} add fwd 127.0.0.1,3128 tcp from A.B.C.244/30 to any 80 via gre0 in
[...]

/etc/start_if.gre:
ifconfig gre0 create
ifconfig gre0 A.B.C.196 10.20.30.40 netmask 255.255.255.255 link1 tunnel A.B.C.196 A.B.C.197 up

Here A.B.C.196 is the address of the host with squid running, A.B.C.197
is the address of the Cisco router. We use a fake address for configuring
the other side of the tunnel on FreeBSD (10.20.30.40) because the gre
driver has certain problems when source and destination tunnel addresses
are on the same ethernet segment. This is irrelevant because the tunnel
in this case is unidirectional and packets are only transmitted from the
router to FreeBSD.

-Maxim

Alexandr Kovalenko wrote:
>
> ----- Forwarded message from Faried Nawaz -----
>
> Date: Sat, 1 Feb 2003 15:49:23 -0800
> From: Faried Nawaz
> To: freebsd-isp@FreeBSD.ORG
> Cc: freebsd-net@FreeBSD.ORG
> Subject: pseudo-device gre and wccp/squid
>
> Hello,
>
> Is anyone using the gre pseudo-device with squid for WCCP? Try as I might
> I can't get it to work for me.
>
> I'm using FreeBSD 4.7-STABLE, using ipfilter's ipnat to redirect packets.
> I've done
>
> ifconfig gre0 create
> ifconfig gre0 aaa.bbb.ccc.ddd fff.ggg.hhh.iii netmask 255.255.255.255 link0 up
> ifconfig gre0 tunnel aaa.bbb.ccc.ddd fff.ggg.hhh.iii
>
> aaa.bbb.ccc.ddd is the web proxy's ip, fff.ggg.hhh.iii is the router's.
>
> ipnat.rules has
>
> rdr gre0 0.0.0.0/0 port 80 aaa.bbb.ccc.ddd port 8080 tcp
>
> ipfilter is set to pass through all traffic, and there are no firewall rules
> defined.
>
> tcpdump on my ethernet interface shows gre packets coming in.
>
> 04:07:39.093205 fff.ggg.hhh.iii > aaa.bbb.ccc.ddd: gre gre-proto-0x883E
>
> tcpdump on my gre0 interface shows incoming connections from the users, and
> ipnat -l shows lots of redirects.
>
> proxy1# ipnat -l | head
> List of active MAP/Redirect filters:
> rdr gre0 0.0.0.0/0 port 80 -> aaa.bbb.ccc.ddd port 8080 tcp
>
> List of active sessions:
> RDR aaa.bbb.ccc.ddd 8080 <- -> 207.44.178.61 80 [203.215.178.61 4122]
> RDR aaa.bbb.ccc.ddd 8080 <- -> 205.188.250.25 80 [203.215.178.19 1612]
> RDR aaa.bbb.ccc.ddd 8080 <- -> 66.51.99.157 80 [66.206.32.180 3769]
> RDR aaa.bbb.ccc.ddd 8080 <- -> 64.94.89.238 80 [203.215.177.248 1172]
> RDR aaa.bbb.ccc.ddd 8080 <- -> 207.46.104.20 80 [66.206.33.7 1601]
> proxy1#
>
> However, none of them get to squid.
>
> Everything worked fine before the upgrade, but I was using the gre patch
> from squid's web site to do the work. The new pseudo-device appears to
> have WCCP-specific code in it, but it's not working.
>
> Does anyone have this working? Anyone at all? I'm willing to break
> down and switch to ipfw if that'll help, but I can't upgrade my machines
> to 4.7 (and higher) properly without a fix. Surely someone has used this
> since the code was committed.
>
> (A hack would be to comment out all code related to the pseudo-device so
> I can use the wccp-specific gre.c.)
>
> Faried.
> --
> The Great GNU has arrived, infidels, behold his wrath !
> "If a MOO runs on a port no one accesses, does it run?"
>
> ----- End forwarded message -----
>
> ----- Forwarded message from Gokhan ERYOL -----
>
> Date: Sun, 02 Feb 2003 14:43:26 +0200
> From: Gokhan ERYOL
> To: Faried Nawaz
> Cc: freebsd-isp@FreeBSD.ORG, freebsd-net@FreeBSD.ORG
> Subject: Re: pseudo-device gre and wccp/squid
>
> Actually, since "A gre(4) driver, which can encapsulate IP packets
> using GRE (RFC 1701) or minimal IP encapsulation for Mobile IP (RFC
> 2004), has been added", WCCP over GRE has not been working on FreeBSD
> Stable systems, because there is no WCCP support in the new GRE driver. I
> tried the same things as you did. I e-mailed this situation several
> times to lists since 12/11/2002, but there is no action.
>
> Henrik Nordstom from squid-cache.org said that adding WCCP support to
> an existing GRE module is in most cases trivial as the packet format is
> identical to plain IP over GRE except for the protocol type, and that
> GRE is only used in one direction (Router -> Proxy) not as a
> bidirectional tunnel.
>
> Regards
> Gokhan ERYOL
>
> ----- End forwarded message -----
>
> --
> NEVE-RIPE, will build world for food
> Ukrainian FreeBSD User Group
> http://uafug.org.ua/

From owner-freebsd-net Tue Feb 4 6:53:33 2003
Date: Tue, 4 Feb 2003 16:52:52 +0200
From: Ruslan Ermilov
To: Emilian Ursu
Cc: Mikhail Teterin, Barry Irwin, net@freebsd.org
Subject: Re: Does natd(8) really need to see _all_ packets?
Message-ID: <20030204145252.GC14893@sunbay.com>
References: <200302040540.h145evwa062764@corbulon.video-collage.com>

On Tue, Feb 04, 2003 at 08:00:46AM +0200, Emilian Ursu wrote:
>
>
> On Tue, 4 Feb 2003, Mikhail Teterin wrote:
>
> > > your best solution is to add a skipto before the divert rule.
> >
> > Thank you, Barry, but is not that what I'm doing in the sample?
> >
> > > You can therefore skip any traffic from a private address to another
> > > private address. Anything not matched by the skipto rule gets fed to
> > > the divert socket.
> >
> > The trick was to figure out what could be skipped, and what could not.
> > I'm wondering if I got that right -- it seems to work fine, but does it
> > leave something open? Before I can recommend it to others, I'd like to
> > be more sure :-)
> >
>
> see the example from man firewall
>

This still isn't perfect. In a situation with a single NIC serving both
internal and external traffic, I've found the following solution to be
superior: use a distinct IP address (it doesn't even have to be bound to
a local interface) that allows you to skip not only local->remote
traffic, but reply packets, i.e. it allows you to differentiate whether
an incoming (external) packet is for de-natting or not.

As opposed to the firewall(7) example, I usually implement a block with
two "divert natd" rules (for outgoing local and incoming external
packets), and "skipto" this block when appropriate.

Cheers,
--
Ruslan Ermilov          Sysadmin and DBA,
ru@sunbay.com           Sunbay Software AG,
ru@FreeBSD.org          FreeBSD committer,
+380.652.512.251        Simferopol, Ukraine

http://www.FreeBSD.org  The Power To Serve
http://www.oracle.com   Enabling The Information Age

From owner-freebsd-net Tue Feb 4 7:33:20 2003
Message-ID: <3E3FDD3E.70609@tenebras.com>
Date: Tue, 04 Feb 2003 07:33:18 -0800
From: Michael Sierchio
To: Mikhail Teterin
Cc: net@FreeBSD.org
Subject: Re: Does natd(8) really need to see _all_ packets?
References: <200302040027.30781@aldan>
In-Reply-To: <200302040027.30781@aldan>

Mikhail Teterin wrote:

> Does natd(8) really need to see _all_ packets?

Not at all, as you've guessed. Subtleties abound with stateful rules,
and side effects of using the divert mechanism, such as: after
returning from natd packets don't know which interface they came in on.
Matching rules therefore becomes tricky.

I manage to do without skipto rules, your kilometrage may vary.

Traffic that is destined to the host itself from the outside may be
handled via rules that match before reaching the divert rule(s).
Likewise, traffic that is between hosts on the local nets may be
matched before nat'ing.
From owner-freebsd-net Tue Feb 4 8:42:17 2003
From: Mikhail Teterin
Organization: Virtual Estates, Inc.
To: net@FreeBSD.org
Subject: Re: Does natd(8) really need to see _all_ packets?
Date: Tue, 4 Feb 2003 11:42:28 -0500
References: <200302040027.30781@aldan> <1044321596.358.69.camel@zaphod.softweyr.com>
In-Reply-To: <1044321596.358.69.camel@zaphod.softweyr.com>
Message-Id: <200302041142.28554.mi+mx@aldan.algebra.com>

On Monday 03 February 2003 08:19 pm, Wes Peters wrote:
= On Tue, 2003-02-04 at 05:27, Mikhail Teterin wrote:
= > Hi!
= >
= > This question bothered me for a while -- most of the traffic on my
= > LAN is just that -- local. Yet my gw/firewall machine only has one
= > interface -- with two IP addresses -- private and public on it.
= >
= > The DSL modem is plugged into the switch just like everything else.
= >
= > I doubt this is a unique setup.
=
= It may not be unique, but it's certainly not very bright. What
= resource are you trying to conserve here, a $4 network interface? If
= so, I can give you a handful of them; one of the local office supply
= stores was giving them away last December and I picked up several...

Using two cards, where one works fine is against aesthetics :-) That's
my primary reason, although there are only two slots left in the
machine, indeed.

On Tuesday 04 February 2003 09:52 am, Ruslan Ermilov wrote:
= This still isn't perfect. In a situation with a single NIC serving
= both internal and external traffic, I've found the following solution
= to be the superior: use a distinct IP address (it's not even has
= to be bound to a local interface) that allows you to skip not only
= local->remote traffic, but reply packets, i.e.
= it allows you to
= differentiate whether incoming (external) packet is for de-natting or
= not.

Yes, I thought of this -- have the 10.0.1.100 be the local address, and
the 10.0.1.1 be the gateway, and treat them differently. But I found it
is not needed -- the two divert rules I listed:

	add divert natd all from LN to not LN via IF out
	add divert natd all from not LN to OIP via IF in

seem to remove all unnecessary interactions with natd. The simplest test
is to kill the running natd, and start it with the -v option. It will
list all packets in and out. If a packet leaves natd unchanged, the
divert rules are inefficient.

Would the following patch (untested) improve things in the meantime?

--- /etc/rc.firewall	Sun Mar  3 08:15:46 2002
+++ /etc/rc.firewall	Tue Feb  4 11:40:25 2003
@@ -237,3 +237,4 @@
 if [ -n "${natd_interface}" ]; then
- ${fwcmd} add divert natd all from any to any via ${natd_interface}
+ ${fwcmd} add divert natd all from ${inet} to not ${inet} out
+ ${fwcmd} add divert natd all from not ${inet} to ${oif} in
 fi

= As opposed to the firewall(7) example, I usually implement a block
= with two "divert natd" rules (for outgoing local and incoming external
= packets), and "skipto" this block when appropriate.

I think, you are describing the same thing I do :-)

On Tuesday 04 February 2003 01:32 am, Barney Wolff wrote:
= > # Stop spoofing
= > # How?
=
= You've pointed out for yourself the fatal problem with this setup. Get
= a cheap 10baseT card to talk to the dsl modem. Are you out of slots?

Almost. Also, see the beginning, where I answer the similar question to
Wes. Since part of my LAN is wireless, I'm going to need to set up IPsec
anyway, so spoofing will not be a big deal. It can also be frustrated
(although, not stopped) by explicitly listing the LAN's MAC-addresses,
can it not?

Finally, since the LAN consists of the private network addresses, which
are not allowed through ISPs routers from the outside, the only danger
is another subscriber on the same segment of the ISPs network or a
wireless LAN user nearby (who needs to defeat the WEP first, easy though
it might be).

I do realize the dangers, and will, probably, add a card eventually, but
that may not be an option for others -- even $4 is plenty in Crimea,
where ru is located, for example. So I wanted to refine the example, so
it can be eventually used by others -- if not as an example of a
firewall, then as an efficient NAT setup :-)

= If you insist on using only one nic, putting a "pass ip LN LN" right
= after the lo0/127 rules will minimize overhead for local traffic.

Makes sense. Thank you!

= If you need protection from the other hosts on your lan there are
= things running on your firewall that should not be there.

NFS and Samba are the only things, it seems.
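Review bot: the two `+` lines substitute `${inet}` and `${oif}` for the LN and OIP of the rules given in the prose just above, but neither variable is set in the hunk's own context (the `if [ -n "${natd_interface}" ]` block only knows `natd_interface`), and the names suggest the wrong kind of value for each position: LN is a network, so `from ${inet}` needs its mask included (a bare address in ipfw matches exactly one host), and OIP is an address while `oif` reads as an interface name, so `to ${oif} in` should name the outside IP. The new rules also drop the `via ${natd_interface}` that both the removed line and the prose rules carry, so as written they match on every interface; keeping `via ${natd_interface}` on both lines preserves that restriction. Since the patch is marked untested, the `natd -v` check described above is the quickest way to confirm that no packet still reaches natd unchanged.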
I only turn the servers on when I need them, however...

Thanks once again, everyone! Yours,

	-mi

From owner-freebsd-net Tue Feb 4 10:34:21 2003
Date: Tue, 4 Feb 2003 13:28:31 -0500
From: Barney Wolff
To: Mikhail Teterin
Cc: net@FreeBSD.ORG
Subject: Re: Does natd(8) really need to see _all_ packets?
Message-ID: <20030204182831.GA7315@pit.databus.com>
References: <200302040027.30781@aldan> <1044321596.358.69.camel@zaphod.softweyr.com> <200302041142.28554.mi+mx@aldan.algebra.com>
In-Reply-To: <200302041142.28554.mi+mx@aldan.algebra.com>

On Tue, Feb 04, 2003 at 11:42:28AM -0500, Mikhail Teterin wrote:
>
> Finally, since the LAN consists of the private network addresses, which
> are not allowed through ISPs routers from the outside, the only danger
> is another subscriber on the same segment of the ISPs network or a
> wireless LAN user nearby (who needs to defeat the WEP first, easy though
> it might be).

Are you quite sure your ISP actually blocks RFC1918 addresses? I'd be
surprised if that's so. Here in New York I've also observed that DSL
sometimes "leaks" packets not intended for my site. I run the interface
to my DSL modem in promiscuous mode just to catch things like that.
Seems to happen at busy times of the day. If I were so inclined, I could
build up a table of my neighbors' MACs, for use in spoofing attacks.
This might or might not work, since I think my ISP does check source MAC
on packets from subscribers, but would be worth a try.

All in all, knowing that a packet came from "outside" is important.

--
Barney Wolff http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
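The single-NIC rule design argued over in this thread, as an added example that is not code from any of the posters: a small Python model of ipfw's first-match evaluation that compares the stock "divert natd all from any to any via IF" rule with Barney's "pass ip LN LN" placed ahead of Mikhail's two narrow divert rules, and then shows the point Barney makes above, that a packet forged with a LAN source address and injected from the DSL side gets exactly the same rule decision as a genuine LAN packet when both arrive on the same interface. LN, OIP, the interface name and the traffic mix are constructed values; the thread uses LN, OIP and IF only as placeholders.

```python
"""Model of ipfw(8) rule evaluation for a single-NIC natd(8) gateway.

Added example, not from the thread.  It only models which packets reach
the divert socket; it does not run ipfw or natd.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed placeholders: the thread writes LN for the private LAN and OIP
# for the public address that shares the single NIC with it.
LN = ip_network("10.0.1.0/24")
OIP = ip_address("203.0.113.5")
IF = "fxp0"  # assumed name of the lone interface (the thread's IF)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str  # "in": received on IF, "out": about to leave on IF
    # Ground truth for the spoofing check only: where the frame physically
    # came from.  The rule functions never look at it, because with one NIC
    # the kernel has no such signal either.
    origin: str = "lan"  # "lan" or "dsl"


def _local(addr: str) -> bool:
    return ip_address(addr) in LN


def naive_rules(p: Packet) -> str:
    """rc.firewall as shipped: 'divert natd all from any to any via IF'.
    Every packet crossing the single interface goes to natd."""
    return "divert"


def refined_rules(p: Packet) -> str:
    """The rules proposed in the thread, in ipfw first-match order."""
    # pass ip LN LN (Barney): local<->local never touches natd
    if _local(p.src) and _local(p.dst):
        return "pass"
    # divert natd all from LN to not LN via IF out (Mikhail)
    if p.direction == "out" and _local(p.src) and not _local(p.dst):
        return "divert"
    # divert natd all from not LN to OIP via IF in (Mikhail)
    if p.direction == "in" and not _local(p.src) and ip_address(p.dst) == OIP:
        return "divert"
    # everything else falls through to the ordinary filter rules
    return "pass"


def diverted(rules, packets):
    """Return the packets a given ruleset hands to natd."""
    return [p for p in packets if rules(p) == "divert"]


def spoof_is_indistinguishable(rules) -> bool:
    """Barney's caveat: a LAN-sourced packet injected from the DSL side gets
    exactly the decision a genuine LAN packet gets, whichever ruleset runs."""
    genuine = Packet("10.0.1.20", "10.0.1.1", "in", origin="lan")
    forged = Packet("10.0.1.20", "10.0.1.1", "in", origin="dsl")
    return rules(genuine) == rules(forged)


# Constructed traffic mix as seen by the gateway (10.0.1.1 private, OIP public).
SAMPLE = [
    Packet("10.0.1.20", "10.0.1.1", "in"),          # NFS request to the gateway
    Packet("10.0.1.1", "10.0.1.20", "out"),         # ... and its reply
    Packet("10.0.1.20", "198.51.100.7", "out"),     # LAN host to the Internet
    Packet("198.51.100.7", "203.0.113.5", "in"),    # reply to that NAT'd flow
    Packet("198.51.100.9", "203.0.113.5", "in"),    # unsolicited probe at OIP;
                                                    # still diverted, natd has
                                                    # no mapping and returns it
                                                    # unchanged (the natd -v test)
    Packet("10.0.1.20", "10.0.1.1", "in", "dsl"),   # forged LAN source from outside
]

if __name__ == "__main__":
    for name, rules in (("naive", naive_rules), ("refined", refined_rules)):
        seen = diverted(rules, SAMPLE)
        print(f"{name}: natd sees {len(seen)} of {len(SAMPLE)} packets")
        print(f"  forged LAN source indistinguishable: "
              f"{spoof_is_indistinguishable(rules)}")
```

The refined ruleset keeps the gateway's own LAN traffic away from natd and diverts only the NAT'd flow, its reply and the unsolicited probe at OIP, the last being the one class no address-based rule can exclude without knowing natd's state. The final sample packet is the reason the thread keeps coming back to a second card: a `via`/`recv` match on a dedicated outside interface is what gives ipfw the "came from outside" signal this model lacks.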
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Tue Feb 4 15:44:29 2003 Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 606C437B405 for ; Tue, 4 Feb 2003 15:44:28 -0800 (PST) Received: from smtp-relay.omnis.com (smtp-relay.omnis.com [216.239.128.27]) by mx1.FreeBSD.org (Postfix) with ESMTP id BF72D43F3F for ; Tue, 4 Feb 2003 15:44:27 -0800 (PST) (envelope-from wes@softweyr.com) Received: from [192.168.4.61] (corp-2.ipinc.com [199.245.188.2]) by smtp-relay.omnis.com (Postfix) with ESMTP id 84CDE42F80; Tue, 4 Feb 2003 15:44:22 -0800 (PST) Subject: Re: Does natd(8) really need to see _all_ packets? 
From: Wes Peters
Organization: Softweyr
To: Mikhail Teterin
Cc: net@FreeBSD.org
Subject: Re: Does natd(8) really need to see _all_ packets?
Date: 04 Feb 2003 15:44:21 -0800
Message-Id: <1044402261.16309.8.camel@salty.rapid.stbernard.com>
In-Reply-To: <200302041142.28554.mi+mx@aldan.algebra.com>

On Tue, 2003-02-04 at 08:42, Mikhail Teterin wrote:
> On Monday 03 February 2003 08:19 pm, Wes Peters wrote:
> = On Tue, 2003-02-04 at 05:27, Mikhail Teterin wrote:
> = > Hi!
> = >
> = > This question bothered me for a while -- most of the traffic on my
> = > LAN is just that -- local. Yet my gw/firewall machine only has one
> = > interface -- with two IP addresses -- private and public on it.
> = >
> = > The DSL modem is plugged into the switch just like everything else.
> = >
> = > I doubt this is a unique setup.
>
> = It may not be unique, but it's certainly not very bright. What
> = resource are you trying to conserve here, a $4 network interface? If
> = so, I can give you a handful of them; one of the local office supply
> = stores was giving them away last December and I picked up several...
>
> Using two cards, where one works fine is against aesthetics :-) That's my
> primary reason, although there are only two slots left in the machine,
> indeed.

OK, that's a completely acceptable answer, but I suspect we're going to
differ strongly on the finer points of "works fine."

I'm glad you've hit upon a solution that is acceptable. How 'bout writing
it up for one of the online magazines? (Hint hint: Daemon News, for
instance. ;^) It'll be good practice for writing the BSDCon paper you want
to do as well, won't it?
--
         Where am I, and what am I doing in this handbasket?

Wes Peters                                                    wes@softweyr.com

From: Mikhail Teterin
Organization: Virtual Estates, Inc.
To: Wes Peters
Cc: net@FreeBSD.org
Subject: Re: Does natd(8) really need to see _all_ packets?
Date: Tue, 4 Feb 2003 19:04:02 -0500
Message-Id: <200302041903.03437.mi+mx@aldan.algebra.com>
In-Reply-To: <1044402261.16309.8.camel@salty.rapid.stbernard.com>

On Tuesday 04 February 2003 06:44 pm, Wes Peters wrote:
= On Tue, 2003-02-04 at 08:42, Mikhail Teterin wrote:
= > On Monday 03 February 2003 08:19 pm, Wes Peters wrote:
= > = On Tue, 2003-02-04 at 05:27, Mikhail Teterin wrote:
= > = > Hi!
= > = >
= > = > This question bothered me for a while -- most of the traffic on
= > = > my LAN is just that -- local. Yet my gw/firewall machine only
= > = > has one interface -- with two IP addresses -- private and public
= > = > on it.
= > = >
= > = > The DSL modem is plugged into the switch just like everything
= > = > else.
= > = >
= > = > I doubt this is a unique setup.
= >
= > = It may not be unique, but it's certainly not very bright. What
= > = resource are you trying to conserve here, a $4 network interface?
= > = If so, I can give you a handful of them; one of the local office
= > = supply stores was giving them away last December and I picked up
= > = several...
= >
= > Using two cards, where one works fine is against aesthetics :-)
= > That's my primary reason, although there are only two slots left in
= > the machine, indeed.

= OK, that's a completely acceptable answer, but I suspect we're going
= to differ strongly on the finer points of "works fine."

The primary point is to provide the NAT service. A "REAL" firewall has
to be a separate machine with read-only disks and what not. The apartment
is not that big :-) "Works fine".

= I'm glad you've hit upon a solution that is acceptable. How 'bout
= writing it up for one of the online magazines? (Hint hint: Daemon
= News, for instance. ;^) It'll be good practice for writing the BSDCon
= paper you want to do as well, won't it?

I'd rather improve the rc.firewall example script along the lines of
the example I posted. That way, no one would need to search Daemon News
to have an efficiently working NAT... Having to search the web-sites
smacks of Linux :-)

	-mi
From: Scott Hess
To: net@FreeBSD.org
Subject: Re: Does natd(8) really need to see _all_ packets?
Date: Tue, 4 Feb 2003 16:31:14 -0800 (PST)
In-Reply-To: <200302041903.03437.mi+mx@aldan.algebra.com>

On Tue, 4 Feb 2003, Mikhail Teterin wrote:
> On Tuesday 04 February 2003 06:44 pm, Wes Peters wrote:
> = On Tue, 2003-02-04 at 08:42, Mikhail Teterin wrote:
> = > Using two cards, where one works fine is against aesthetics :-)
> = > That's my primary reason, although there are only two slots left in
> = > the machine, indeed.
>
> = OK, that's a completely acceptable answer, but I suspect we're going
> = to differ strongly on the finer points of "works fine."
>
> The primary point is to provide the NAT service. A "REAL" firewall has
> to be a separate machine with read-only disks and what not. The
> apartment is not that big :-) "Works fine".

To my mind, a "REAL" firewall needs to sit between the internal and
external LAN segments. Any box which doesn't occupy that position is not
a firewall, real or otherwise, because packets can go around it.

I used to run a NAT service of the type you describe, for the reasons you
describe. This was back when Ethernet cards weren't essentially free in my
neighborhood :-). But, eventually I decided that a firewall box which also
runs services (email, http, etc) but which provides the only means for the
packets to get from the external to internal Ethernet segments was better
than nothing. Maybe someone could/would leverage an Apache exploit into
root access on the firewall, and thence to full access to the internal
net, but at least that provides _some_ bar they have to jump over!

Later,
scott
From: Archie Cobbs
To: Thomas Gielfeldt
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: MPD + NETGRAPH and BRIDGING
Date: Tue, 4 Feb 2003 20:24:54 -0800 (PST)
Message-Id: <200302050424.h154OsTO055031@arch20m.dellroad.org>
In-Reply-To: <000c01c2c7db$ac766240$0301a8c0@undercover>

Thomas Gielfeldt wrote:
> Would it be possible to implement a feature in MPD which allows you to
> create a node of type ng_ether instead of ng_iface to allow bridging the
> client onto the network instead of routing it?

You would have to implement bridging via PPP, which is different from
what PPP normally does (routing) but there exist standards for doing it.

Instead of using MPD, it might be simpler to bridge via UDP packets.
E.g. combine ng_bridge with ng_ksocket. You could secure this via IPSec.

-Archie

__________________________________________________________________________
Archie Cobbs     *     Packet Design     *     http://www.packetdesign.com
From: "Jens Wiggers"
Subject: Correlation between CPU load and network usage
Date: Wed, 5 Feb 2003 10:20:50 +0100
Message-ID: <000001c2ccf7$dfcdcc70$1d01a8c0@iis2>

Hi,

I'm using two FreeBSD machines in a small switched network. One of them
blows out tcp packets as fast as possible for five seconds. The other
machine just receives the packets and does nothing else. What I see is
that for short packets the sender's CPU load is just 100 percent, but for
larger packets the sender's CPU load drops down rapidly.

From the application's point of view the data to send gets into the socket
buffer and via tcp_output, ip_output and ether_output into the interface
buffer. The rest of the work is done by the interrupt handler of the
network controller. Therefore the application returns from the socket
send syscall and calls it again. So where is the spare time for the CPU in
this cycle?

Any help would be appreciated.
From: Archie Cobbs
To: Thomas
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: MPD + NETGRAPH and BRIDGING
Date: Wed, 5 Feb 2003 10:32:21 -0800 (PST)
Message-Id: <200302051832.h15IWLCW058446@arch20m.dellroad.org>
In-Reply-To: <5.2.0.9.0.20030205090111.00b35b28@mail.gielfeldt.dk>

Thomas wrote:
> >Instead of using MPD, it might be simpler to bridge via UDP packets.
> >E.g. combine ng_bridge with ng_ksocket. You could secure this via IPSec.
>
> Okay, thanks. But won't I still have to use MPD? You see the reason I'm
> using MPD in the first place is to connect a windows client. I can see that
> W2K and WXP can use IPSec, but it still uses PPP as far as I remember.

But does Windows PPP support PPP bridging? I didn't think so.

-Archie

__________________________________________________________________________
Archie Cobbs     *     Packet Design     *     http://www.packetdesign.com
From: ipwitch
Reply-To: ipwitch@bofh.homeunix.net
To: freebsd-net@freebsd.org
Subject: Support for Level-One "WPC-0100" Wireless pcmcia card.
Date: Wed, 5 Feb 2003 21:09:50 +0100
Message-Id: <200302052109.50058.ipwitch@bofh.homeunix.net>

Hi...

I've tried to get my Level-One "WPC-0100" Wireless pcmcia card to work on
my freebsd(4.7) box, compiled the kernel with:

device awi
device an
device ray
device wi

But it still doesn't show up in the booting process or ifconfig...
pccardd doesn't have the card in the database...

Anyone managed to get this card to work?

--
public key: http://bofh.homeunix.net/public.asc
From: "Thomas Gielfeldt"
To: "Archie Cobbs"
Subject: Re: MPD + NETGRAPH and BRIDGING
Date: Wed, 5 Feb 2003 23:52:51 +0100
Message-ID: <001c01c2cd69$4ff10190$7f01000a@undercover>
References: <200302051832.h15IWLCW058446@arch20m.dellroad.org>

> > >Instead of using MPD, it might be simpler to bridge via UDP packets.
> > >E.g. combine ng_bridge with ng_ksocket. You could secure this via IPSec.
> >
> > Okay, thanks. But won't I still have to use MPD? You see the reason I'm
> > using MPD in the first place is to connect a windows client. I can see that
> > W2K and WXP can use IPSec, but it still uses PPP as far as I remember.
>
> But does Windows PPP support PPP bridging? I didn't think so.
>

I believe that is irrelevant. The tun-device simulates two NICs connected as
far as I understand. Only the endpoint on the freebsd machine needs to be
bridged, not the one on the client side. At least I can see all traffic on a
tcpdump on the tun-device, even broadcasts.

I would want mpd to handle the tunneling traffic for me, and then instead of
sending the data to/from the tun-device (ng0), it could send it to an
ethernet device (e.g. tap0). That way I could not assign an ip-address to the
tap-device, but use it for bridging instead. But perhaps what I'm suggesting
is a hack?

/Thomas

> -Archie
>
> __________________________________________________________________________
> Archie Cobbs     *     Packet Design     *     http://www.packetdesign.com
From: Archie Cobbs
To: Thomas Gielfeldt
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: MPD + NETGRAPH and BRIDGING
Date: Wed, 5 Feb 2003 16:07:18 -0800 (PST)
Message-Id: <200302060007.h1607IpE059797@arch20m.dellroad.org>
In-Reply-To: <001c01c2cd69$4ff10190$7f01000a@undercover>

Thomas Gielfeldt wrote:
> > > W2K and WXP can use IPSec, but it still uses PPP as far as I remember.
> >
> > But does Windows PPP support PPP bridging? I didn't think so.
>
> I believe that is irrelevant. The tun-device simulates two nics connected as
> far as I understand. Only the endpoint on the freebsd machine needs to be
> bridged, not the one on the client side. At least I can see all traffic on a
> tcpdump on the tun-device, even broadcasts.

Maybe proxy-ARP is what you want then... ?

> I would want mpd to handle the tunneling traffic for me, and then instead of
> sending the data to/from the tun-device (ng0), it could send it to an
> ethernet device (eg. tap0). That way I could not assign an ip-address to the
> tap-device, but use it for bridging instead.

I don't understand what you're trying to do. But in any case it doesn't
sound like mpd does it without some hacking.

-Archie

__________________________________________________________________________
Archie Cobbs     *     Packet Design     *     http://www.packetdesign.com

From: "Peter Wu"
Subject: Fw: system freezes when doing ppp
Date: Thu, 6 Feb 2003 09:56:45 +0800
Message-ID: <00f201c2cd83$00f2fed0$5e443c9d@fareast.corp.microsoft.com>

I don't know if this is the right list to ask this question. But, this
problem is vital to me as I could not connect to Internet and work at
all... PLEASE HELP!!

Thank you!

--
Cheers, Peter

----- Original Message -----
From: "Peter Wu"
Newsgroups: comp.unix.bsd.freebsd.misc
Sent: Wednesday, February 05, 2003 11:09 PM
Subject: system freezes when doing ppp

> I managed to load 5.0 on my laptop but encounter a problem that when I do
> PPPoE, the connection seems established while the system freezes. I have
> to turn off the power. Everything just freezes...
>
> I'm using the ppp.conf file that works perfectly since 4.4. What could I
> miss? Thx.
>
> --
> Cheers, Peter
From: Mike Silbersack
To: Mikhail Teterin
Cc: Wes Peters
Subject: Re: Does natd(8) really need to see _all_ packets?
Date: Thu, 6 Feb 2003 01:02:56 -0600 (CST)
Message-ID: <20030206010219.D33262-100000@patrocles.silby.com>
In-Reply-To: <200302041903.03437.mi+mx@aldan.algebra.com>

On Tue, 4 Feb 2003, Mikhail Teterin wrote:
> = I'm glad you've hit upon a solution that is acceptable. How 'bout
> = writing it up for one of the online magazines? (Hint hint: Daemon
> = News, for instance. ;^) It'll be good practice for writing the BSDCon
> = paper you want to do as well, won't it?
>
> I'd rather improve the rc.firewall example script along the lines of
> the example I posted. That way, no one would need to search Daemon News
> to have an efficiently working NAT... Having to search the web-sites
> smacks of Linux :-)
>
> -mi

Er, well, you could always write an article about the process of updating
rc.firewall.

Mike "Silby" Silbersack
From: "Thomas Gielfeldt"
To: "Archie Cobbs"
Subject: Re: MPD + NETGRAPH and BRIDGING
Date: Thu, 6 Feb 2003 09:53:37 +0100
Message-ID: <000901c2cdbd$3d736180$ec7bfea9@undercover>
References: <200302060007.h1607IpE059797@arch20m.dellroad.org>

> > > > W2K and WXP can use IPSec, but it still uses PPP as far as I remember.
> > >
> > > But does Windows PPP support PPP bridging? I didn't think so.
> >
> > I believe that is irrelevant. The tun-device simulates two nics connected as
> > far as I understand. Only the endpoint on the freebsd machine needs to be
> > bridged, not the one on the client side. At least I can see all traffic on a
> > tcpdump on the tun-device, even broadcasts.
>
> Maybe proxy-ARP is what you want then... ?
>

I'm already doing proxy-arp.

> > I would want mpd to handle the tunneling traffic for me, and then instead of
> > sending the data to/from the tun-device (ng0), it could send it to an
> > ethernet device (eg. tap0). That way I could not assign an ip-address to the
> > tap-device, but use it for bridging instead.
>
> I don't understand what you're trying to do. But in any case it doesn't
> sound like mpd does it without some hacking.

I just want to connect a windows client to the network behind my freebsd
gateway, and make it a part of that network. And I would prefer it to be
part of the network on an ethernet level rather than e.g. ip-level. But I
think I don't want to bother anymore connecting a windows machine, and just
stick with what I've (almost) got working. Which is bridging two
freebsd-machines using openvpn + netgraph.

I don't think that it will work without some hack to mpd either, and the
reason I now don't want to bother with it anymore, is that I just realised
it probably won't work on the windows client either, without some hacking in
the ppp-client. I'm just going to let it be for now I think.

But thanks for the responses, Archie.

> -Archie
>
> __________________________________________________________________________
> Archie Cobbs     *     Packet Design     *     http://www.packetdesign.com
From: Archie Cobbs Message-Id: <200302062253.h16MrLYR063321@arch20m.dellroad.org> Subject: Re: MPD + NETGRAPH and BRIDGING In-Reply-To: <000901c2cdbd$3d736180$ec7bfea9@undercover> To: Thomas Gielfeldt Date: Thu, 6 Feb 2003 14:53:21 -0800 (PST) Cc: freebsd-net@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL99b (25)] MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=US-ASCII Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Thomas Gielfeldt wrote: > I just want to connect a windows client to the network behind my freebsd > gateway, and make it a part of that network. And i would prefer it to be > part of the network on an ethernet level rather than e.g. ip-level. But I > think I don't want to bother anymore connecting a windows machine, and just > stick with what I've (almost) got working. Which is bridging two > freebsd-machines using openvpn + netgraph. > > I don't think that it will work without some hack to mpd either, and the > reason I now don't want to bother with it anymore, is that I just realised > it probably won't work on the windows client either, without some hacking in > the ppp-client. I'm just going to let it be for now I think. You're right, it won't work on the Windows side either because (normally) Windows doesn't know how to send Ethernet frames over a point-to-point link; it can only send IP frames. 
Cheers,
-Archie

__________________________________________________________________________
Archie Cobbs * Packet Design * http://www.packetdesign.com

From owner-freebsd-net Fri Feb 7 05:10:27 2003
From: David Gilbert
Message-ID: <15939.2823.45299.471388@canoe.velocet.net>
Date: Thu, 6 Feb 2003 20:25:27 -0500
To: freebsd-current@freebsd.org, freebsd-net@freebsd.org
Subject: Preferred Gigabit interfaces for -CURRENT

We're about to make the switch from 100M interfaces to GigE interfaces for our transit routers ... which are FreeBSD-5.0 based SMP (Athlon) boxes. Our current favorite card is the intel i82559-based fxp cards. They handle the load best on our testing of 100M cards. Remember that our load is large and small packets and that hardware checksums are not a win (although hardware vlans are).

So... I need to know what GigE chipsets I should test. I recently tested Intel GigE cards ... with dismal results... less than half the packets-per-second on the (otherwise) same hardware. Small packets (as in DOS attacks) are a real concern here.

I believe that someone here recommended Tigon III based cards ... but I was recently looking through 5.0-RELEASE's hardware notes and couldn't find any mention of Tigon III.

A hint on where to buy the cards may be helpful _and_ I'd like to know if the choice might be different for -STABLE (as some of our routers run -STABLE).

Dave.

--
============================================================================
|David Gilbert, Velocet Communications.       | Two things can only be     |
|Mail:       dgilbert@velocet.net             | equal if and only if they  |
|http://daveg.ca                              | are precisely opposite.    |
=========================================================GLO================

From owner-freebsd-net Fri Feb 7 05:11:04 2003
Date: Fri, 7 Feb 2003 05:11:01 -0800
From: Faried Nawaz
To: sobomax@portaone.com
Cc: never@nevermind.kiev.ua, sobomax@FreeBSD.ORG, freebsd-isp@FreeBSD.ORG, freebsd-net@FreeBSD.ORG, eryol@metu.edu, freebsd@freebsddiary.org.ua
Subject: Re: Fwd: pseudo-device gre and wccp/squid
Message-ID: <20030207131101.GB97324@nilpotent.org>
Organization: Integral Domains

Maxim, your solution worked.

Yes, there appears to be a problem with ipnat/ipf's handling of incoming packets, somewhere. Here's my PR on it:

http://www.freebsd.org/cgi/query-pr.cgi?pr=i386/47813

Thanks,
Faried.

--
The Great GNU has arrived, infidels, behold his wrath !
"If a MOO runs on a port no one accesses, does it run?"

From owner-freebsd-net Fri Feb 7 07:07:28 2003
Date: Fri, 7 Feb 2003 10:07:23 -0500
Subject: Bluetooth
From: Larry Sica
To: -net

All,

I have a dlink usb-bluetooth adapter, which works great on my powerbook btw heh. But I'd love to know if anyone has had any success with something like that on freebsd? I have a bluetooth capable pda and I want to set it up to dial-in to the freebsd-box and get out to the internet. Using my powerbook would turn off syncing while I'm dialed in..

I have seen some stuff on 5.0 about it, but can anyone let me know if it is realistically useable?

--Larry

From owner-freebsd-net Fri Feb 7 09:53:02 2003
Message-ID: <3E43F1C5.8060209@exodus.net>
Date: Fri, 07 Feb 2003 09:49:57 -0800
From: Maksim Yevmenkin
To: Larry Sica
Cc: -net
Subject: Re: Bluetooth

Hello Larry,

> I have a dlink usb-bluetooth adapter, which works great on my powerbook
> btw heh. But I'd love to know if anyone has had any success with
> something like that on freebsd? I have a bluetooth capable pda and i
> want to set it up to dial-in to the freebsd-box and get out to the
> internet. Using my powerbook would turn off syncing while im dialed
> in..

it might work. you need to do

1) find out USB vendor ID and device ID of your device
2) try to add these IDs to the list in ng_ubt.c under /sys/netgraph/bluetooth/drivers/ubt/
3) rebuild and reinstall your kernel
4) attach your USB device and see what happens

> I have seen some stuff on 5.0 about it, but can anyone let me know if
> it is realistically useable?

sure. I'm using it all the time. the problem is that all userland stuff is still not connected to the build. you will need to build it manually. it is located under /usr/src/usr.{s}bin/bluetooth.

you also will need to download, build and install ports that implement SDP and RFCOMM.
thanks,
max

From owner-freebsd-net Fri Feb 7 10:19:43 2003
Date: Fri, 7 Feb 2003 13:16:12 -0500
Subject: Re: Bluetooth
Cc: -net
To: Maksim Yevmenkin
From: Larry Sica
In-Reply-To: <3E43F1C5.8060209@exodus.net>
Message-Id: <3CFAB652-3AC8-11D7-8AC2-000393A335A2@mac.com>

Maksim,

On Friday, February 7, 2003, at 12:49 PM, Maksim Yevmenkin wrote:

> Hello Larry,
>
>> I have a dlink usb-bluetooth adapter, which works great on my
>> powerbook btw heh. But I'd love to know if anyone has had any
>> success with something like that on freebsd? I have a bluetooth
>> capable pda and i want to set it up to dial-in to the freebsd-box and
>> get out to the internet. Using my powerbook would turn off syncing
>> while im dialed in..
>
> it might work. you need to do
>
> 1) find out USB vendor ID and device ID of your device
> 2) try to add these IDs to the list in ng_ubt.c under
> /sys/netgraph/bluetooth/drivers/ubt/
> 3) rebuild and reinstall your kernel
> 4) attach your USB device and see what happens
>
>> I have seen some stuff on 5.0 about it, but can anyone let me know if
>> it is realistically useable?
>
> sure. i'm using it all the time. the problem is that all userland
> stuff is still not connected to the build. you will need to build
> it manually. it is located under /usr/src/usr.{s}bin/bluetooth.
>
> you also will need to download, build and install ports that
> implement SDP and RFCOMM.

I will try this and let you know.
thanks for the info

--Larry

From owner-freebsd-net Fri Feb 7 23:53:54 2003
From: Wes Peters
Organization: Softweyr
To: David Gilbert, freebsd-current@freebsd.org, freebsd-net@freebsd.org
Subject: Re: Preferred Gigabit interfaces for -CURRENT
Date: Sat, 8 Feb 2003 00:49:00 +0000
References: <15939.2823.45299.471388@canoe.velocet.net>
In-Reply-To: <15939.2823.45299.471388@canoe.velocet.net>
Message-Id: <200302080049.00472.wes@softweyr.com>

On Friday 07 February 2003 01:25, David Gilbert wrote:
> We're about to make the switch from 100M interfaces to GigE interfaces
> for our transit routers ... which are FreeBSD-5.0 based SMP (Athlon)
> boxes. Our current favorite card is the intel i82559-based fxp
> cards. They handle the load best on our testing of 100M cards.
> Remember that our load is large and small packets and that hardware
> checksums are not a win (although hardware vlans are).
>
> So... I need to know what GigE chipsets I should test. I recently
> tested Intel GigE cards ... with dismal results... less than half the
> packets-per-second on the (otherwise) same hardware. Small packets
> (as in DOS attacks) are a real concern here.

Wow, this wasn't my experience at all. At my previous employer we
used Intel EEPro 1000 Server cards with the em(4) driver on FreeBSD
4.5 with nary a hitch and excellent performance. This was on
ServerWorks chipset motherboards with P-III and P4 processors.

> I believe that someone here recommended Tigon III based cards ... but I
> was recently looking through 5.0-RELEASE's hardware notes and couldn't
> find any mention of Tigon III.

The follow-on to the Tigon II is the Broadcom BCM570x supported by
the bge(4) driver in FreeBSD. This is not what you want.
They're certainly cheap to test with, though; the Netgear GA302T sells for
under $40 at a few online retailers.

--
Where am I, and what am I doing in this handbasket?

Wes Peters                                                wes@softweyr.com

From owner-freebsd-net Sat Feb 8 01:09:05 2003
Message-ID: <002c01c2cf51$d7a76e50$7419cdcd@ticking>
From: "Adam Maas"
To: "Wes Peters", "David Gilbert"
References: <15939.2823.45299.471388@canoe.velocet.net> <200302080049.00472.wes@softweyr.com>
Subject: Re: Preferred Gigabit interfaces for -CURRENT
Date: Sat, 8 Feb 2003 04:09:52 -0500

Likely part of the performance issue was due to the Chipset of the motherboard. Your typical 32bit 33MHz PCI bus is going to be marginal for routing GigE traffic, just due to bus bandwidth limitations, but it'll handle multiple 100BaseTX cards just fine. While a higher-end setup like a Serverworks chipset, with a 64bit, 66MHz bus will handle the traffic better.

Of course, if you really want good routing performance on a *BSD platform, you should be looking at a Juniper M20 or M40.

Adam

----- Original Message -----
From: "Wes Peters"
To: "David Gilbert"
Sent: Friday, February 07, 2003 7:49 PM
Subject: Re: Preferred Gigabit interfaces for -CURRENT

> On Friday 07 February 2003 01:25, David Gilbert wrote:
> > We're about to make the switch from 100M interfaces to GigE interfaces
> > for our transit routers ... which are FreeBSD-5.0 based SMP (Athlon)
> > boxes. Our current favorite card is the intel i82559-based fxp
> > cards. They handle the load best on our testing of 100M cards.
> > Remember that our load is large and small packets and that hardware
> > checksums are not a win (although hardware vlans are).
> >
> > So... I need to know what GigE chipsets I should test. I recently
> > tested Intel GigE cards ... with dismal results... less than half the
> > packets-per-second on the (otherwise) same hardware. Small packets
> > (as in DOS attacks) are a real concern here.
>
> Wow, this wasn't my experience at all. At my previous employer we
> used Intel EEPro 1000 Server cards with the em(4) driver on FreeBSD
> 4.5 with nary a hitch and excellent performance. This was on
> ServerWorks chipset motherboards with P-III and P4 processors.
>
> > I believe that someone here recommended Tigon III based cards ... but I
> > was recently looking through 5.0-RELEASE's hardware notes and couldn't
> > find any mention of Tigon III.
>
> The follow-on to the Tigon II is the Broadcom BCM570x supported by
> the bge(4) driver in FreeBSD. This is not what you want. They're
> certainly cheap to test with, though; the Netgear GA302T sells for
> under $40 at a few online retailers.
>
> --
>
> Where am I, and what am I doing in this handbasket?
>
> Wes Peters                                                wes@softweyr.com

From owner-freebsd-net Sat Feb 8 09:23:53 2003
Message-ID: <3E453CC8.6A93E760@mindspring.com>
Date: Sat, 08 Feb 2003 09:22:16 -0800
From: Terry Lambert
To: Wes Peters
Cc: David Gilbert, freebsd-current@freebsd.org, freebsd-net@freebsd.org
Subject: Re: Preferred Gigabit interfaces for -CURRENT
References: <15939.2823.45299.471388@canoe.velocet.net> <200302080049.00472.wes@softweyr.com>

Wes Peters wrote:
> On Friday 07 February 2003 01:25, David Gilbert wrote:
> > I believe that someone here recommended Tigon III based cards ... but I
> > was recently looking through 5.0-RELEASE's hardware notes and couldn't
> > find any mention of Tigon III.
>
> The follow-on to the Tigon II is the Broadcom BCM570x supported by
> the bge(4) driver in FreeBSD. This is not what you want. They're
> certainly cheap to test with, though; the Netgear GA302T sells for
> under $40 at a few online retailers.

I personally really like the Tigon III. It doesn't have the alignment issues that some of the cards do, so you get to avoid the m_pullup() (and the copy that happens with it, in tcp_input()), since it can scatter/gather to an unaligned address.

It's also the first card I'm aware of that does the full range of checksum offloading, without slowing the card down, which (finally!) lets you offload some of the network processing to the card (i.e. it does IP, TCP, and UDP).

The card itself does interrupt coalescing in hardware, and you can adjust both the trigger and buffer thresholds from the driver.
Using 64bit 66MHz slots, it's possible to keep two interfaces completely loaded, while retaining sufficient CPU and bus bandwidth to actually do other work (though, in general, you will want to tune your stack, and replace the mbuf allocator).

About the only complaint I really have about it is that, unlike the Tigon II, now that Broadcom got their grubby little hands on it, unlike Alteon, they are refusing to make the firmware sources available so people can do useful work in the context of the firmware.

Actually, there are some really brilliant things you can do, if you can replace the firmware, that can take you up to theoretical max packets a second very easily and quickly. We were able to get in the neighborhood of 31,000 connections per second with the Tigon III, all other things being equal, even before FreeBSD added the SYN cache and SYN cookie code.

Is there a particular reason you don't like the card, or at least prefer the other card more?

-- Terry

From owner-freebsd-net Sat Feb 8 10:46:12 2003
Date: Sat, 8 Feb 2003 10:46:04 -0800 (PST)
Message-Id: <200302081846.h18Ik48O090124@vashon.polstra.com>
To: net@freebsd.org
From: John Polstra
Cc: wes@softweyr.com
Subject: Re: Preferred Gigabit interfaces for -CURRENT
In-Reply-To: <200302080049.00472.wes@softweyr.com>
References: <15939.2823.45299.471388@canoe.velocet.net> <200302080049.00472.wes@softweyr.com>
Organization: Polstra & Co., Seattle, WA

In article <200302080049.00472.wes@softweyr.com>, Wes Peters wrote:
> On Friday 07 February 2003 01:25, David Gilbert wrote:
> >
> > So... I need to know what GigE chipsets I should test. I recently
> > tested Intel GigE cards ... with dismal results... less than half the
> > packets-per-second on the (otherwise) same hardware. Small packets
> > (as in DOS attacks) are a real concern here.
>
> Wow, this wasn't my experience at all. At my previous employer we
> used Intel EEPro 1000 Server cards with the em(4) driver on FreeBSD
> 4.5 with nary a hitch and excellent performance. This was on
> ServerWorks chipset motherboards with P-III and P4 processors.

I think I may know why the two of you formed different impressions of the device's performance. Not too long ago, the em driver was updated. One of the changes made was to completely and unconditionally disable the chip's receive interrupt coalescing logic. I performed some very cursory performance tests using small packets and found that this change caused a 25% decrease in the maximum packet rate of the device on the hardware I was using (which was pretty high-end stuff with plenty of PCI bus bandwidth).

I don't remember exactly when this change was made, but you can find out with "cvs annotate". Search for "RDTR".

I don't know the official reason why this change was made, but I would guess it was a work-around for a chip bug. I can't think of any other possible motivation for taking such a performance hit.

John
--
John Polstra                                           John D. Polstra & Co., Inc.
Seattle, Washington USA
"Disappointment is a good sign of basic intelligence." -- Chögyam Trungpa

From owner-freebsd-net Sat Feb 8 12:34:58 2003
From: Wes Peters
Organization: Softweyr
To: Terry Lambert
Subject: Re: Preferred Gigabit interfaces for -CURRENT
Date: Sat, 8 Feb 2003 13:32:29 +0000
Cc: David Gilbert, freebsd-current@freebsd.org, freebsd-net@freebsd.org
References: <15939.2823.45299.471388@canoe.velocet.net> <200302080049.00472.wes@softweyr.com> <3E453CC8.6A93E760@mindspring.com>
In-Reply-To: <3E453CC8.6A93E760@mindspring.com>
Message-Id: <200302081332.29146.wes@softweyr.com>

On Saturday 08 February 2003 17:22, Terry Lambert wrote:
> Wes Peters wrote:
> > On Friday 07 February 2003 01:25, David Gilbert wrote:
> > > I believe that someone here recommended Tigon III based cards ... but I
> > > was recently looking through 5.0-RELEASE's hardware notes and couldn't
> > > find any mention of Tigon III.
> >
> > The follow-on to the Tigon II is the Broadcom BCM570x supported by
> > the bge(4) driver in FreeBSD. This is not what you want. They're
> > certainly cheap to test with, though; the Netgear GA302T sells for
> > under $40 at a few online retailers.
>
> I personally really like the Tigon III. It doesn't have the
> alignment issues that some of the cards do, so you get to avoid
> the m_pullup() (and the copy that happens with it, in tcp_input()),
> since it can scatter/gather to an unaligned address.
>
> It's also the first card I'm aware of that does the full range of
> checksum offloading, without slowing the card down, which (finally!)
> lets you offload some of the network processing to the card (i.e.
> it does IP, TCP, and UDP).
>
> The card itself does interrupt coalescing in hardware, and you can
> adjust both the trigger and buffer thresholds from the driver.
>
> Using 64bit 66MHz slots, it's possible to keep two interfaces
> completely loaded, while retaining sufficient CPU and bus
> bandwidth to actually do other work (though, in general, you will
> want to tune your stack, and replace the mbuf allocator).
>
> About the only complaint I really have about it is that, unlike
> the Tigon II, now that Broadcom got their grubby little hands on
> it, unlike Alteon, they are refusing to make the firmware sources
> available so people can do useful work in the context of the
> firmware.

Yeah, a prototype Xylan GigE switch blade was done with Tigon-II's and we did a bit of hacking in the firmware. They were pretty cool; we used the usual Xylan SPARC processors on the card only for bus and chassis management and did most of the cool packet stuff in the Tigon itself.

> Actually, there are some really brilliant things you can do, if
> you can replace the firmware, that can take you up to theoretical
> max packets a second very easily and quickly. We were able to get
> in the neighborhood of 31,000 connections per second with the Tigon
> III, all other things being equal, even before FreeBSD added the
> SYN cache and SYN cookie code.
>
> Is there a particular reason you don't like the card, or at least
> prefer the other card more?

Our testing, which mostly comprised throwing a pair of cards into a system, turning on bridging and blasting it with a SmartBits, showed the Intels to be faster with less CPU load. The Intel cards were 2x the price, but still well within our rather permissive budget. When you're putting 4, 8, or even 16 GB DDR RAM into a box the cost of a pair of network cards isn't significant. ;^)

If I were buying a card myself, I'd likely go with the NetGear because it's cheap and it works, but you well know I'm a cheapskate. Not having access to the doco suxxors.

--
Where am I, and what am I doing in this handbasket?
Wes Peters                                                wes@softweyr.com

From owner-freebsd-net Sat Feb 8 19:20:52 2003
Subject: Programmatically obtaining interface hardware addrs
From: Joe Marcus Clarke
To: freebsd-net@freebsd.org
Organization: MarcusCom, Inc.
Message-Id: <1044760845.66333.35.camel@shumai.marcuscom.com>
Date: 08 Feb 2003 22:20:46 -0500

What's the best (or easiest) way to programmatically obtain interfaces' hardware addresses (that is, without forking ifconfig ;-))? I'm looking at how ifconfig does it, and wondering if there's an easier way. It seems Linux has a nice SIOCGIFHWADDR ioctl to do this.

Thanks.
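As an added example (not part of Joe's message, nor FreeBSD's or ifconfig's code), one way to do this without forking ifconfig is to walk getifaddrs(3), which FreeBSD provides, and read the address out of each interface's AF_LINK entry (a struct sockaddr_dl). The AF_PACKET branch and the all-zero-address check are assumptions added only so the same file also builds and runs on Linux, which has no AF_LINK.

```c
/* Added example, not code from the thread: enumerate interfaces and their
 * link-layer addresses via getifaddrs(3) instead of forking ifconfig.  On
 * FreeBSD the address is an AF_LINK struct sockaddr_dl; the AF_PACKET branch
 * is only there so the same file also builds on Linux, which lacks AF_LINK. */
#include <sys/types.h>
#include <sys/socket.h>
#include <ifaddrs.h>
#include <net/if.h>
#include <stdio.h>
#include <string.h>
#ifdef AF_LINK
#include <net/if_dl.h>          /* struct sockaddr_dl (FreeBSD) */
#endif
#ifdef AF_PACKET
#include <netpacket/packet.h>   /* struct sockaddr_ll (Linux) */
#endif

#define HWADDR_MAX 8            /* both sockaddr types cap the address at 8 */

struct hwaddr {
    char name[IF_NAMESIZE];
    unsigned char addr[HWADDR_MAX];
    size_t len;
};

/* Render a raw link-layer address as colon-separated hex ("00:11:22:33:44:55").
 * Returns the number of characters written, or -1 if buf cannot hold it. */
int hwaddr_format(const unsigned char *addr, size_t len, char *buf, size_t buflen)
{
    size_t i, pos = 0;
    if (len == 0 || buflen < len * 3)   /* 3*len-1 chars plus the NUL */
        return -1;
    for (i = 0; i < len; i++)
        pos += (size_t)snprintf(buf + pos, buflen - pos, "%s%02x", i ? ":" : "", addr[i]);
    return (int)pos;
}

/* Extract the hardware address from one getifaddrs(3) entry.  Returns 1 and fills
 * *out for a link-level entry with a real address, 0 for everything else (IP
 * entries, lo0, gre/tun interfaces, and all-zero addresses). */
int hwaddr_from_ifaddr(const struct ifaddrs *ifa, struct hwaddr *out)
{
    const unsigned char *src = NULL;
    size_t len = 0, i;
    if (ifa == NULL || ifa->ifa_addr == NULL || ifa->ifa_name == NULL)
        return 0;
#ifdef AF_LINK
    if (ifa->ifa_addr->sa_family == AF_LINK) {
        const struct sockaddr_dl *sdl = (const struct sockaddr_dl *)ifa->ifa_addr;
        /* the same bytes LLADDR(sdl) points at: data following the name */
        src = (const unsigned char *)sdl->sdl_data + sdl->sdl_nlen;
        len = sdl->sdl_alen;
    }
#endif
#ifdef AF_PACKET
    if (ifa->ifa_addr->sa_family == AF_PACKET) {
        const struct sockaddr_ll *sll = (const struct sockaddr_ll *)ifa->ifa_addr;
        src = sll->sll_addr;
        len = sll->sll_halen;
    }
#endif
    if (src == NULL || len == 0 || len > HWADDR_MAX)
        return 0;
    for (i = 0; i < len && src[i] == 0; i++) {}
    if (i == len)                       /* all zero: Linux loopback, no real MAC */
        return 0;
    strncpy(out->name, ifa->ifa_name, IF_NAMESIZE - 1);
    out->name[IF_NAMESIZE - 1] = '\0';
    memcpy(out->addr, src, len);
    out->len = len;
    return 1;
}

/* Collect up to max interfaces that carry a hardware address.
 * Returns the number found, or -1 if getifaddrs(3) itself failed. */
int hwaddr_list(struct hwaddr *out, int max)
{
    struct ifaddrs *ifap, *ifa;
    int n = 0;
    if (getifaddrs(&ifap) == -1)
        return -1;
    for (ifa = ifap; ifa != NULL && n < max; ifa = ifa->ifa_next)
        if (hwaddr_from_ifaddr(ifa, &out[n]))
            n++;
    freeifaddrs(ifap);
    return n;
}

int main(void)
{
    struct hwaddr list[32];
    char buf[HWADDR_MAX * 3];
    int i, n = hwaddr_list(list, 32);
    if (n < 0) { perror("getifaddrs"); return 1; }
    for (i = 0; i < n; i++)
        if (hwaddr_format(list[i].addr, list[i].len, buf, sizeof buf) > 0)
            printf("%-8s %s\n", list[i].name, buf);
    return 0;
}
```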
Joe

--
PGP Key : http://www.marcuscom.com/pgp.asc

From owner-freebsd-net Sat Feb 8 23:02:14 2003
Date: Sun, 9 Feb 2003 15:01:57 +0800
From: Clive Lin
To: Archie Cobbs
Cc: freebsd-net@freebsd.org
Subject: mpd pptp in multi-homed environment
Message-ID: <20030209070157.GB72785@fatpipi.cirx.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-Operating-System: FreeBSD i386
X-PGP-key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA008C03E
User-Agent: Mutt/1.5.3i

Hi,

Can I set up a pptp configuration which binds on 2 IPs? I'm setting up a box which has 2 upstreams, and of course, 2 NICs with 2 public IPs. I consulted mpd stock documents and googled around, but still cannot find a solution for setting up a multiple 'lines' pptp server AND binding on 2 IPs.

The pptp configuration is a typical one which can accept multiple clients simultaneously. My mpd.links looks like:

pptp1:
        ...
        set pptp self pub.lic.ip.1
        ...
...
(and pptp[23456789] follow)
pptp10:
        set pptp self pub.lic.ip.2
        ...
...

After mpd is launched, it only listens on pub.lic.ip.1. It looks like only the first "set pptp self ..." command is recognized. Here's the related part in the log:

Feb 9 14:41:49 camera mpd: [pptp1] ppp node is "mpd16969-pptp1"
Feb 9 14:41:49 camera mpd: mpd: local IP address for PPTP is pub.lic.ip.1
Feb 9 14:41:49 camera mpd: [pptp1] using interface ng0
Feb 9 14:41:49 camera mpd: [pptp2] ppp node is "mpd16969-pptp2"
Feb 9 14:41:49 camera mpd: [pptp2] using interface ng1
Feb 9 14:41:49 camera mpd: [pptp3] ppp node is "mpd16969-pptp3"
Feb 9 14:41:49 camera mpd: [pptp3] using interface ng2

There's nothing about pub.lic.ip.2 in the log.

I know I can simply launch 2 mpds with 2 configurations, one for pub.lic.ip.1 and another for pub.lic.ip.2. But this is too tricky and dirty, IMHO.
Best regards,
Clive
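An added example, not code from the thread, for Joe Marcus Clarke's question in the first message above (how to read interfaces' hardware addresses without forking ifconfig). FreeBSD has no SIOCGIFHWADDR ioctl; the portable answer is getifaddrs(3), which on FreeBSD returns one AF_LINK entry per interface whose struct sockaddr_dl carries the link-layer address behind the LLADDR() macro (this is also how ifconfig gets it). The Linux branch (AF_PACKET, struct sockaddr_ll) is included so the same program builds on both; everything else, including the interface name used in the lookup, is an assumption of this example.

```c
/* hwaddr.c: list interface hardware addresses via getifaddrs(3).
 * Added example, not from the freebsd-net thread.  Build: cc -Wall -o hwaddr hwaddr.c */
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <net/if.h>
#include <ifaddrs.h>
#if defined(__linux__)
#include <netpacket/packet.h>   /* struct sockaddr_ll: Linux reports AF_PACKET entries */
#else
#include <net/if_dl.h>          /* struct sockaddr_dl, LLADDR(): FreeBSD/BSD AF_LINK entries */
#endif

/* Format raw link-layer bytes as colon-separated hex into out; truncates safely. */
const char *format_hwaddr(const unsigned char *addr, size_t len, char *out, size_t outlen)
{
    size_t pos = 0;

    if (outlen == 0)
        return out;
    out[0] = '\0';
    for (size_t i = 0; i < len; i++) {
        int n = snprintf(out + pos, outlen - pos, "%s%02x", i == 0 ? "" : ":", addr[i]);
        if (n < 0 || (size_t)n >= outlen - pos)
            break;              /* no room for this octet: keep what already fits */
        pos += (size_t)n;
    }
    return out;
}

/* Copy the hardware address out of one getifaddrs() entry.
 * Returns the number of bytes copied, 0 if this entry is not a link-layer entry
 * or carries no address (e.g. lo0 on FreeBSD has sdl_alen == 0), -1 if buf is too small.
 * The length is taken from the entry, never assumed to be 6: callers must check it. */
int hwaddr_from_ifaddr(const struct sockaddr *sa, unsigned char *buf, size_t buflen)
{
    if (sa == NULL)             /* ifa_addr can be NULL for some entries */
        return 0;
#if defined(__linux__)
    if (sa->sa_family != AF_PACKET)
        return 0;
    const struct sockaddr_ll *sll = (const struct sockaddr_ll *)sa;
    size_t len = sll->sll_halen;
    if (len > buflen)
        return -1;
    memcpy(buf, sll->sll_addr, len);
    return (int)len;
#else
    if (sa->sa_family != AF_LINK)
        return 0;
    const struct sockaddr_dl *sdl = (const struct sockaddr_dl *)sa;
    size_t len = sdl->sdl_alen;
    if (len > buflen)
        return -1;
    memcpy(buf, LLADDR(sdl), len);
    return (int)len;
#endif
}

/* Look up one interface by name.  Returns bytes copied, 0 if no link-layer
 * address was found for that name, -1 if getifaddrs() failed (errno set) or buf is too small. */
int hwaddr_lookup(const char *ifname, unsigned char *buf, size_t buflen)
{
    struct ifaddrs *ifap, *ifa;
    int rc = 0;

    if (getifaddrs(&ifap) != 0)
        return -1;
    for (ifa = ifap; ifa != NULL; ifa = ifa->ifa_next) {
        if (strcmp(ifa->ifa_name, ifname) != 0)
            continue;
        int n = hwaddr_from_ifaddr(ifa->ifa_addr, buf, buflen);
        if (n != 0) {           /* found it (n > 0) or buffer too small (n < 0) */
            rc = n;
            break;
        }
    }
    freeifaddrs(ifap);
    return rc;
}

/* Print every interface that carries a link-layer address, ifconfig-style. */
int main(void)
{
    struct ifaddrs *ifap, *ifa;
    unsigned char mac[16];
    char str[64];

    if (getifaddrs(&ifap) != 0) {
        perror("getifaddrs");
        return 1;
    }
    for (ifa = ifap; ifa != NULL; ifa = ifa->ifa_next) {
        int n = hwaddr_from_ifaddr(ifa->ifa_addr, mac, sizeof mac);
        if (n > 0)
            printf("%-8s %s\n", ifa->ifa_name, format_hwaddr(mac, (size_t)n, str, sizeof str));
    }
    freeifaddrs(ifap);
    return 0;
}
```

Two practitioner caveats. First, do not hard-code a six-byte address: sdl_alen is whatever the driver set, and interfaces such as lo0, gre0 or the ng* interfaces in the second message may have no link-layer address at all, so the return count (not a fixed 6) is what to trust. Second, the value is trivially changeable from userland (ifconfig's ether/lladdr option), so a hardware address read this way identifies a configuration, not a machine, and must not be used as an authentication or authorisation token.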
