Re: Why is my ipfw(8) ``fwd'' rule to redirect a service to another machine not working?
On Fri, 28 Dec 2001, Crist J . Clark wrote:

> On Fri, Dec 28, 2001 at 01:31:07PM -0800, Julian Elischer wrote:
> > You need to
> > correct the FAQ..
> >
> > "The correct way to ensure that this does not happen is to also add
> > a 'fwd' rule on the destination rule, forwarding the packet
> > to localhost. This will override the destination machine's tendency
> > to throw the forwarded packet back"
>
> I'm having a hard time parsing that.

If you send a packet somewhere it is not supposed to go, it will try to discard it or forward it, UNLESS it has an ipfw fwd rule that makes it forward it to a local port. So you need a rule at the interception machine and a rule at the destination machine.

> > Also, in versions of FreeBSD before 4.6,
>
> 4.6?

Yes, it will miss 4.5

> > packets matched while INCOMING
> > could only be forwarded to the local host.
>
> Which is what I thought the original poster was doing?
>
> > Outgoing packets
> > could be forwarded to an adjoining host.
> > This was fixed while 4.5 was cooking and appeared in releases after that.
>
> So will this be in 4.5?

No

> > The port number is only used for forwarding to the local host.
>
> Which is what the original poster was doing?
> --
> "It's always funny until someone gets hurt. Then it's hilarious."
>
> Crist J. Clark                     | [EMAIL PROTECTED]
>                                    | [EMAIL PROTECTED]
> http://people.freebsd.org/~cjc/    | [EMAIL PROTECTED]

To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-net" in the body of the message
routing sort of
Hi People!

I am currently working on implementing a new protocol (ax.25) on FreeBSD. Now my problem is this. For the device (SCC Card) there is no driver on FreeBSD yet (I will do that after I finish ax.25)... So my question is, would it be possible to put this card on another machine (running Linux) and then route all packets that will come into the card to another computer (FreeBSD), via com port or another ethernet card? The problem is that I need everything that will come from this card, without being processed by Linux. Is this possible? And how can it be done?

Andy

Aleksander Rozman - Andy
Maribor, Slovenia (Europe)
Fandoms: E2:EA, SAABer, Trekkie, Earthie, Sentinel, BH 90210, True's Trooper, Heller's Angel, Questie, Legacy, PO5, Profiler, Buffy (Slayerete), Pretender
ICQ-UIC: 4911125
PGP key available
http://www.atechnet.dhs.org/~andy/
Panic in radix.c
First, let me start out by saying that I have hacked in Kame's NATPT functionality into this kernel, so it's entirely possible that is causing this, but I thought I'd ask anyway.

Here's a stack trace from this panic:

(above this is the trap, savecore and reboot)
#17 0xc018b973 in rn_match (v_arg=0xc904326c, head=0xc0f33f80) at ../../net/radix.c:240
#18 0xc0192b96 in in_matroute (v_arg=0xc904326c, head=0xc0f33f80) at ../../netinet/in_rmx.c:151
#19 0xc018cdd6 in rtalloc1 (dst=0xc904326c, report=1, ignflags=0) at ../../net/route.c:135
#20 0xc018cd90 in rtalloc_ign (ro=0xc9043268, ignore=0) at ../../net/route.c:111
#21 0xc018cd39 in rtalloc (ro=0xc9043268) at ../../net/route.c:91
#22 0xc01a2365 in tcp_rtlookup (inp=0xc9043220) at ../../netinet/tcp_subr.c:1349
#23 0xc01a23e6 in tcp_gettaocache (inp=0xc9043220) at ../../netinet/tcp_subr.c:1443
#24 0xc019e464 in tcp_input (m=0xc07b1200, off0=20, proto=6) at ../../netinet/tcp_input.c:1117
#25 0xc0199b6d in ip_input (m=0xc07b1200) at ../../netinet/ip_input.c:862
#26 0xc0193b3a in transmit_event (pipe=0xc0f61200) at ../../netinet/ip_dummynet.c:431
#27 0xc0193d2b in ready_event (q=0xc0f8b180) at ../../netinet/ip_dummynet.c:566
#28 0xc0194b43 in dummynet_io (pipe_nr=1, dir=2, m=0xc07b1200, ifp=0x0, ro=0x0, dst=0x0, rule=0xc0ebd970, flags=0) at ../../netinet/ip_dummynet.c:1137
#29 0xc019972b in ip_input (m=0xc07b1200) at ../../netinet/ip_input.c:465
#30 0xc0199bcb in ipintr () at ../../netinet/ip_input.c:890

net/radix.c line 240 is this:

    if (t->rn_bmask & cp[t->rn_offset])

The trap was caused by cp being set to NULL. Unfortunately, I can't quite wrap my head around the logic in this routine. The input parameters are not NULL, so cp must have got that way somewhere in the loop.
Re: routing sort of
On Sat, 29 Dec 2001, Aleksander Rozman - Andy wrote:

>
> Hi People!
>
> I am currently working on implementing new protocol (ax.25) on
> FreeBSD. Now my problem is this. For device (SCC Card) there is no
> driver on FreeBSD yet (I will do that after I finish ax.25)... So my
> question is, would it be possible to put this card on another machine
> (running linux) and then route all packets that will come into card to
> another computer (freebsd), via com port or another ethernet card.
> Problem is that I need everything that will come from this card,
> without being processed by linux. Is this possible? And how can it be
> done?

I am not up on Linux, but you would need the Linux machine to act like a transparent bridge, though I still think you would be missing some frames as the Linux machine would be processing the frames to do the forwarding between interfaces.

Nick Rogness <[EMAIL PROTECTED]>
 - Don't mind me...I'm just sniffing your packets
Re: dummynet for IPv6?
Hi all,

Here is another related question: are bridge and ip6_fw supported in FreeBSD? Any information on it is highly appreciated!

Thanks in advance,

----- Original Message -----
From: "Guangrui Fu" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Thursday, December 27, 2001 8:32 PM
Subject: dummynet for IPv6?

> Hi All,
>
> Is there any implementation for ipv6 based dummynet?
>
> Another related question, I'm using dummynet for bandwidth control. I want
> the bandwidth control to be applied to all ethernet packets (ip/icmp v4/v6).
> If dummynet is ipv6-unaware, how can I achieve this? Could anyone please
> give some suggestion?
>
> Regards,
> G.
Re: m_reclaim and a protocol drain
On Wed, 26 Dec 2001, Randall Stewart wrote:

> This comment fascinates me. The reason we made SACK's in SCTP
> revocable is due to the potential DOS attack that someone
> can supposedly launch if you don't allow the stack to revoke.
>
> I can actually see the reason that Sally made the comments
> and had us change it so that SACK's are revocable. However
> you argue to the contrary and I wonder which is correct.
>
> If you do not allow revoking it is the same as if a protocol
> does not hold a drain() function. An attacker could easily
> stuff a lot of out-of-order segments at you and thus
> fill up all your mbuf's or clusters (in my current testing
> case). This would then yield a DOS since you could no longer
> receive any segments and leave you high and dry

Heh, you nailed the reverse of the problem we've seen: Right now the easy way to cause exhaustion is to fill up _send_ buffers, via netkill. I guess if we solve that problem, out of order segments could be used for an attack too.

Just FWIW,

Mike "Silby" Silbersack
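
Added example, not part of the original thread and not FreeBSD or SCTP code: a toy receiver model of the trade-off quoted above, where out-of-order segments pin receive buffers until the gap fills unless the protocol's drain() may revoke them. All names (struct rx, rx_input, POOL) are hypothetical, and the model assumes every arriving segment needs a free buffer and ignores sequence wraparound.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define POOL 8                /* constructed: receive buffers (mbuf clusters) available */

struct rx {
    unsigned rcv_nxt;         /* next in-order sequence number expected */
    unsigned ooo[POOL];       /* sequence numbers held out of order (already SACKed) */
    size_t   n_ooo;           /* buffers pinned by the out-of-order queue */
    bool     may_revoke;      /* true if the protocol has a drain() that can revoke */
    unsigned revoked;         /* SACKed segments discarded so far */
};

/* drain(): release every out-of-order buffer; the peer has to retransmit them. */
static void rx_drain(struct rx *r) { r->revoked += (unsigned)r->n_ooo; r->n_ooo = 0; }

/* Deliver queued segments that became in-order; drop stale duplicates. */
static void rx_pull(struct rx *r) {
    for (size_t i = 0; i < r->n_ooo; ) {
        if (r->ooo[i] > r->rcv_nxt) { i++; continue; }
        if (r->ooo[i] == r->rcv_nxt) r->rcv_nxt++;
        r->ooo[i] = r->ooo[--r->n_ooo];   /* free the slot */
        i = 0;                            /* rescan: another entry may now be next */
    }
}

/* Returns true if the segment was accepted, false if dropped for lack of buffers. */
static bool rx_input(struct rx *r, unsigned seq) {
    if (seq < r->rcv_nxt) return true;    /* old duplicate, nothing to store */
    if (r->n_ooo == POOL) {               /* pool exhausted by queued segments */
        if (!r->may_revoke) return false; /* no drain(): even in-order data is lost */
        rx_drain(r);
    }
    if (seq == r->rcv_nxt) { r->rcv_nxt++; rx_pull(r); return true; }
    r->ooo[r->n_ooo++] = seq;             /* pins a buffer until the gap is filled */
    return true;
}

/* Constructed scenario: POOL out-of-order segments arrive, then the in-order one. */
static bool survives_flood(bool may_revoke) {
    struct rx r;
    memset(&r, 0, sizeof r);
    r.may_revoke = may_revoke;
    for (unsigned s = 100; s < 100 + POOL; s++) rx_input(&r, s);
    return rx_input(&r, 0) && r.rcv_nxt == 1;
}

int main(void) { printf("no drain: %d, drain: %d\n", survives_flood(false), survives_flood(true)); return 0; }
```

The `revoked` counter is the cost side of the trade-off: each revoked segment was already acknowledged selectively and must be sent again by the peer.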