Re: CARP as a module; followup thoughts
On 2009.04.21 23:16:58 -0600, Will Andrews wrote:
> Hello,
>
> I've written a patch (against 8.0-CURRENT as of r191369) which makes
> it possible to build, load, run, & unload CARP as a module, using the
> GENERIC kernel. It can be obtained from:
>
> http://firepipe.net/patches/carp-as-module-20090421.diff

I don't have any comments on the specific patch, but with my FreeBSD end-user hat, being able to have CARP in GENERIC would be really great. This would allow me to update my systems which use CARP with freebsd-update without manually compiling a kernel.

So if the patch doesn't penalize the non-CARP case much, I think it would be great to have this functionality for now, even if it's not the way to go in the long run.

--
Simon L. Nielsen
Re: request for traffic generator tool for BSD
On 2009.08.07 16:38:12 +0530, Rajan (Algates) wrote:
> I am looking for an open source traffic generator tool for freebsd boxes. If
> any one is using or can suggest any such tool, it would be really your help for
> me.

If you need something simple to send data very fast I would suggest looking at ng_source(4). Since it's kernel based it can achieve very high data rates, but it's less flexible in what you send than some of the userland generator programs.

--
Simon L. Nielsen
Re: [TEST] natd multipath patches
On 2004.06.20 21:47:10 +0200, Poul-Henning Kamp wrote:
> If you have multiple xDSL lines or two modems to different ISPs or
> cable and xDSL etc. then grab:
>
> http://phk.freebsd.org/misc/natd

I think http://phk.freebsd.dk/misc/natd/ will work better :-).

--
Simon L. Nielsen
FreeBSD Documentation Team
Re: [FreeBSD 5.2] Bandwith and packet throttling
On 2004.08.15 21:53:49 +0200, Colin Alston wrote:
>
> > Thanks for the reply. The ICMP was more experiment than anything, I've
> > since removed it. Here are the results of the show commands:
> >
> > cramster# ipfw show
> > 00050 14819576 8458459132 divert 8668 ip from any to any via dc0
> > 00100 250 32470 allow ip from any to any via lo0
> > 00200 0 0 deny ip from any to 127.0.0.0/8
> > 00300 0 0 deny ip from 127.0.0.0/8 to any
> > 65000 44478701 31835950367 allow ip from any to any
> > 65100 0 0 pipe 1 ip from 10.0.0.8 to any
> > 65200 0 0 pipe 2 ip from any to 10.0.0.8
> > 65535 0 0 deny ip from any to any
>
> I think you're clearly being a bit silly here.
> Remove rules 00200 and 00300 (I don't know why on this green earth you'd
> deny loopback)

Eh, that's not silly at all; that's the default firewall rules from a stock /etc/rc.firewall on FreeBSD. Note rule 100 which allows loopback traffic. Rule 200/300 just makes sure nobody tries to spoof loopback traffic from a real network interface.

[EMAIL PROTECTED]:~] sudo ipfw list | head -n 3
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any

--
Simon L. Nielsen
FreeBSD Documentation Team
Re: per-interface packet filters, design approach
On 2004.12.14 06:13:07 -0800, Bruce M Simpson wrote:
> What I'm really missing in IPFW is the ability to maintain one or more
> 'shadow rulesets'. These rulesets may not be the active rulesets, but
> I can manipulate them as tables, independently of the active ruleset(s),
> push rules into them, flush them, and then atomically switch them to be
> the active ruleset, using a single syscall.

Isn't that more or less sets you are talking about? Quoting ipfw(8):

    Each rule belongs to one of 32 different sets, numbered 0 to 31.
    Set 31 is reserved for the default rule.

    By default, rules are put in set 0, unless you use the set N
    attribute when entering a new rule. Sets can be individually and
    atomically enabled or disabled, so this mechanism permits an easy
    way to store multiple configurations of the firewall and quickly
    (and atomically) switch between them. The command to enable/disable
    sets is

        ipfw set [disable number ...] [enable number ...]

    where multiple enable or disable sections can be specified. Command
    execution is atomic on all the sets specified in the command. By
    default, all sets are enabled.

--
Simon L. Nielsen
enc(4) (was: Re: gif(4) and bpf(4))
On 2005.01.26 02:33:54 +, Bruce M Simpson wrote:
> On Tue, Jan 25, 2005 at 06:38:42PM +0100, Jeremie Le Hen wrote:
> > Are you thinking about the enc(4) interface [1] [2] provided with OpenBSD ?
>
> Somewhat, although whilst enc(4) provides some of this functionality, its
> role as far as I can see is mainly to provide a 'tapping point' for filtering
> packets as they pass out of the system and into IPSEC (something I believe
> we now handle using mbuf tags).

I have been looking into porting enc(4) from OpenBSD and have some partial patches at this point.

The point of enc(4) AFAIK is to allow packet filtering of IPsec traffic, basically the ipfw "ipsec" keyword made more generic, and bpf tapping of traffic in and out of IPsec tunnels. It's not really related to FreeBSD's use of mbuf tags for IPsec handling, since those are not "visible" from userland.

Anyone, please correct me if I'm wrong.

--
Simon L. Nielsen
Re: IPv6 for www.freebsd.org
On 2005.10.31 13:29:44 -0800, Doug Barton wrote:
> As I mentioned in my previous post, I have been using earthlink's IPv6
> experiment to get an IPv6 connection at home. I am therefore trying to use
> it as much as possible to see what works, and what breaks. FreeBSD makes it
> fairly easy to do that, but it's fairly hard to get to the web site over v6.
> Admittedly there is a list of v6-capable mirrors on the front page, and
> they work fairly well. However, I think it would be nice to pick one or two
> of those sites and add the record to www.freebsd.org.
>
> I have been simulating this in my hosts file using the first US mirror site,
> and haven't run into any problems yet. I think it would be a step in the
> right direction for us to support v6 for our site "out of the box."

The mirrors are not exact mirrors of www.freebsd.org, so this is not possible.

If you have pointed www.FreeBSD.org at a mirror that would explain the problems you noted elsewhere about www.freebsd.org returning the script code instead of executing the scripts. We do not expect the FreeBSD web mirrors to run the CGI scripts (though a few do).

While IPv6 for www.FreeBSD.org would probably be nice, it does require that the real www.FreeBSD.org get IPv6 connectivity.

--
Simon L. Nielsen
Re: Incompatibility between dummynet and PF rdr.
On 2006.07.08 13:24:41 -0400, Scott Ullrich wrote:
> On 7/8/06, Andre Santos <[EMAIL PROTECTED]> wrote:
> > Are there any known compatibility problems between dummynet and PF rdr
> > rules?
> > When I try to combine both, the packets seem to simply disappear.
> [snip]
>
> I can confirm this behavior. Glad someone else noticed as it would
> happen when we try to use dummynet traffic shaping + pf on pfSense.
> Never really was a high priority to nail down exactly what combination
> of dummynet + pf was breaking it. If anyone needs me to test
> patches, just let me know.

I also noticed problems when trying to use dummynet/ipfw and pf. I looked a bit at it and it seemed that packets, which got queued in dummynet, were not matched by pf's state engine when re-injected from dummynet. At least I saw a lot of denied packets which shouldn't have been denied on pflog.

It wasn't very important for me to get this working, so I haven't looked more at it.

--
Simon L. Nielsen
Re: strange limitation on rcmd()
On 2006.07.10 16:07:06 +0200, Iang wrote:
> Brian Candler wrote:
>
> > Note that only root can bind to reserved ports.
> > ...
> > This mechanism is only valid for trusted hosts, of course. If you allow a
> > random person to put their own PC on the network, they can of course send
> > packets from privileged ports (either by installing Unix with their own
> > root password, or by installing DOS and sending packets which come from
> > privileged ports)
>
> I gather that it is now possible to disable the
> privileged ports thing on FreeBSD at least.
>
> (Thank heavens, I say :)

Actually it is, but it would obviously be a stupid idea to do so any place where privileged ports are required...

[EMAIL PROTECTED]:~] sysctl net.inet.ip.portrange.reservedhigh net.inet.ip.portrange.reservedlow
net.inet.ip.portrange.reservedhigh: 1023
net.inet.ip.portrange.reservedlow: 0

--
Simon L. Nielsen
Re: possible patch for implementing split DNS
On 2006.08.25 15:08:13 -0700, Julian Elischer wrote:
> Julian Elischer wrote:
>
> > I need some processes to look elsewhere for DNS information from
> > where the rest of the system looks.. This patch seems to me a
> > simple solution. We over-ride where the resolver looks for
> > resolv.conf using an environment variable. This would allow me to
> > reset this to an application specific config file that specifies a
> > different server.
> >
> > Anyone got better ways of doing this?

Since a bunch of people have suggested other solutions I just wanted to add my 0.01$CURRENCY, FWIW.

Other than a missing update for some manual page (not sure where this should go) I don't see a problem adding this patch. "Normal" users should already be able to get similar functionality by simply preloading a custom patched libc, so I don't see a problem supporting this.

This is clearly much simpler than setting up a full blown bind with split DNS.

--
Simon L. Nielsen
Re: [fbsd] Re: possible patch for implementing split DNS
On 2006.08.29 11:01:48 +0200, Jeremie Le Hen wrote:

Hey,

> On Tue, Aug 29, 2006 at 10:50:02AM +0200, Simon L. Nielsen wrote:
> > On 2006.08.25 15:08:13 -0700, Julian Elischer wrote:
> > Since a bunch of people have suggested other solutions I just wanted
> > to add my 0.01$CURRENCY, FWIW.
> >
> > Other than a missing update for some manual page (not sure where this
> > should go) I don't see a problem adding this patch. "Normal" users
> > should already be able to get similar functionality by simply
> > preloading a custom patched libc, so I don't see a problem supporting
> > this.
>
> I agree with this statement. If users really want to, they can
> compile their own libc. However, nectar@ has added the following
> comment in nsdispatch.c:
>
> % #if defined(_NSS_DEBUG) && defined(_NSS_SHOOT_FOOT)
> %     /* NOTE WELL: THIS IS A SECURITY HOLE. This must only be built
> %      * for debugging purposes and MUST NEVER be used in production.
> %      */
> %     path = getenv("NSSWITCH_CONF");
> %     if (path == NULL)
> % #endif
> %     path = _PATH_NS_CONF;
>
> We should remove this #if clause because of your argument. I'm not sure
> it is worth documenting it however.

Well, nsswitch is part of the user authentication framework (I think), so I'm not entirely sure if exactly the same argument can be used safely. I never really had a need to look at nsswitch, so I don't know if it's used in contexts (other than set[ug]id) where overriding nsswitch.conf can cause problems.

At least if that #if is removed it's probably required to add an issetugid() check.

--
Simon L. Nielsen
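As an added illustration (not code from the thread, nor from FreeBSD's nsdispatch.c), this is the shape of the check suggested above: the NSSWITCH_CONF override is honoured only when the process is not set-user-ID or set-group-ID. The function names and the rejection of relative paths are assumptions made here, not part of any real libc.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Default location, standing in for what the thread calls _PATH_NS_CONF. */
#define NS_CONF_DEFAULT "/etc/nsswitch.conf"

/* True when the process holds credentials the invoking user did not have.
 * FreeBSD and the other BSDs provide issetugid(2), which stays set even if
 * the program later drops privileges; elsewhere (assumed fallback) compare
 * real and effective ids, which is weaker but available everywhere. */
static int running_setugid(void)
{
#if defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__NetBSD__) || defined(__APPLE__)
    return issetugid();
#else
    return getuid() != geteuid() || getgid() != getegid();
#endif
}

/* Decide which path the resolver should open.  The environment override is
 * accepted only for non-set[ug]id processes, so a privileged program cannot
 * be pointed at a file chosen by whoever set its environment.
 * 'env_value' is the override variable's value (NULL when unset) and
 * 'setugid' the result of running_setugid(); both are parameters so the
 * decision can be exercised without touching the real environment. */
const char *select_ns_conf_path(const char *env_value, int setugid)
{
    if (setugid)
        return NS_CONF_DEFAULT;
    if (env_value == NULL || env_value[0] == '\0')
        return NS_CONF_DEFAULT;
    /* Assumed policy: only absolute paths, so the result does not depend
     * on the caller's working directory. */
    if (env_value[0] != '/')
        return NS_CONF_DEFAULT;
    return env_value;
}

/* Convenience wrapper that reads the NSSWITCH_CONF variable from the thread. */
const char *ns_conf_path(void)
{
    return select_ns_conf_path(getenv("NSSWITCH_CONF"), running_setugid());
}

int main(void)
{
    printf("nsswitch configuration: %s\n", ns_conf_path());
    return 0;
}
```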
Re: ipfw keep-state problem
On 2003.01.29 21:34:50 +, Trent Nelson wrote:
> If I had to take a wild guess, I'd say that the keep-state setup
> rules added dynamically are expiring too quickly, and thus, subsequent
> traffic is hitting the ``deny tcp from any to any established''
> rule.

Yes, this happens with ipfw1. You can use ipfw2 (which sends keep-alives for tcp connections) or increase the lifetime of dynamic rules. I'm using ipfw2 and it works fine - I had the same problem with ipfw1.

--
Simon L. Nielsen
Re: cant get out with two interfaces.
On 2003.02.24 10:39:08 -0400, Abel Alejandro wrote:
> If I shutdown rl0 then I can access fxp0 from the outside, but if I ifconfig
> rl0 up then
> I am just allowed to access fxp0 within machines in the 196.12.X.0 network.
>
> rl0: flags=8802 mtu 1500
>     inet 10.0.0.1 netmask 0xafc broadcast 255.255.255.3

This netmask looks very odd...

--
Simon L. Nielsen
Re: limiting connections per IP w/FreeBSD ftpd?
On 2003.05.30 09:25:31 -0400, Andrew Gallatin wrote:
>
> At my company, some bonehead (not sure if it was maliciousness or just
> a stupid customer), opened 60 simultaneous connections to our ftp
> server and totally swamped our T1. This is the second or third time
> this has happened recently.

How about just restricting the bandwidth usage with ipfw/dummynet?

--
Simon L. Nielsen
Re: patches for ipsec packet filtering support in ipfw2
On 2003.06.19 21:33:33 +0300, Ari Suutari wrote:
> Hi,
>
> > * Ari Suutari:
> >
> > > Here are two small patches (done on 5.1-RELEASE, but should be ok
> > > for -current also) which add new "ipsec" flag to ipfw2.
> >
> > i did not receive any attachments. will this functionality be
> > included into freebsd-5 in the future?
>
> Does the mailing list strip attachments ?

Yes, and it has in fact recently been documented :-).

http://www.freebsd.org/doc/en/books/handbook/eresources.html#ERESOURCES-MAILFILTERING

Your code looks interesting, but since I don't have IPsec set up (yet) I can't really test it. If no committer picks it up right away, I would suggest submitting it as a PR to make sure it isn't forgotten. Then hopefully one of the ipfw gurus will have a look at it at some point.

--
Simon L. Nielsen