Re: unbound and (isc) dhcpd startup order

2020-06-16 Thread Barney Wolff
On Tue, Jun 16, 2020 at 08:18:59AM -0700, Rodney W. Grimes wrote: > ... Sometimes > that leads to duplicate IP information stored in various config files. > > When possible managing those configurations via ansible or other CM > system that can pull the data from dns and build the config files > m

Re: who uses this port?

2015-11-05 Thread Barney Wolff
On Thu, Nov 05, 2015 at 09:45:38AM +0200, Andriy Gapon wrote: > On 05/11/2015 09:20, Ben Woods wrote: > > On Wednesday, 4 November 2015, Andriy Gapon > > wrote: > > > > $ sockstat -l | fgrep 631 > > ?? ? ? tcp4 127.0.0.1:631 > >

Re: Problem with ipfw table add 0.0.0.0/8

2014-05-17 Thread Barney Wolff
On Sat, May 17, 2014 at 05:44:37PM +0400, Alexander V. Chernikov wrote: > On 13.05.2014 16:05, Dennis Yusupoff wrote: > > I think that universal table for all kind of data (ipv4, ipv6, ports, > > etc) is a bad idea by design. At least unless you haven't any ability to > It is not always "universal"

Re: strange ping response times...

2012-04-10 Thread Barney Wolff
CPU cache? Cx states? powerd? On Tue, Apr 10, 2012 at 03:40:27PM -0700, Julian Elischer wrote: > On 4/10/12 3:52 PM, Luigi Rizzo wrote: > > I noticed this first on a 10G interface, but now there seems > > to be a similar issue on the loopback. > > > > Apparently a ping -f has a much lower RTT than

Re: IPFW shows me Strangeness in fresh 8.2-RELEASE system

2011-10-22 Thread Barney Wolff
d > I've really never seen anything quite like this before. Do 8.x releases now > cause ethernet cards to listen for stuff they should not even be listening > for? > > Color me perplexed. > ___ > freebsd-net@freebsd.org mailing li

Re: DHCP client not getting IP address from Time Warner

2009-11-03 Thread Barney Wolff
Power-cycle your cable box, leaving it off for a few minutes. Cable co's seem to check the MAC, and take a while to forget the previous one. On Tue, Nov 03, 2009 at 07:47:14AM -0800, Ask Bjørn Hansen wrote: > Hi everyone, > > After years with Speakeasy at home I'm trying out Time Warner Cable >

Re: pppoa connection

2007-10-26 Thread Barney Wolff
e connections and the modem is configured > as a bridge. Unfortunately, my ISP doesn't support pppoe, only > pppoa. > > So, can I pull this off? -- Barney Wolff I never met a computer I didn't like.

Re: pppoa connection

2007-10-25 Thread Barney Wolff
> > The question is, can I establish a pppoa connection from the > FreeBSD box to my ISP by sending packets over ethernet to the > DSL modem? > > Thanks, > Kim -- Barney Wolff I never met a computer I didn't like.

Re: blocking a string in a packet using ipfw

2006-09-14 Thread Barney Wolff
ctually, it should. I have over 60 addresses in an ipfw table with no observable trouble. But that rule is triggered only about 1 times a day (part of a spam blocker). -- Barney Wolff I never met a computer I didn't like.

[EMAIL PROTECTED]: Re: [e2e] Can we revive T/TCP ?]

2006-03-26 Thread Barney Wolff
found an error in the specific state transitions, of T/TCP although I have never seen the details. Bob Braden - End forwarded message - -- Barney Wolff http://www.databus.com/bwresume.pdf I never met a computer I didn't like.

Re: forwarding icmp redirects.

2005-12-29 Thread Barney Wolff
h the good behavior of widely used commercial routers. -- Barney Wolff http://www.databus.com/bwresume.pdf I never met a computer I didn't like.

Re: ifconfig_fxp0 with both DHCP and Link?

2005-12-20 Thread Barney Wolff
r cycle will also work - depends on whether the memory of the MAC is in the cable modem itself or at the other end.) -- Barney Wolff http://www.databus.com/bwresume.pdf I never met a computer I didn't like.

Re: wired and wireless network setup interactions

2005-12-17 Thread Barney Wolff
so will disable its ability to accept wireless clients. I'd also like the > wireless network to be secure. Use the Belkin as a bridge rather than a router, by simply not using its WAN port, and do turn off its dhcp server. I do the same with a Netgear. -- Barne

Re: Testing Ethernet Ports

2005-09-01 Thread Barney Wolff
nternal. With a crossover cable (not required with gigabit nics) you can't tell, so if you try it use a switch and look at the lights. -- Barney Wolff http://www.databus.com/bwresume.pdf I never met a computer I didn't like.

Re: PPP-layer Echo

2005-04-27 Thread Barney Wolff
nd contains uninterpreted > data for use by the sender. The data may consist of any binary > value. The end of the field is indicated by the Length. > > But it seems wrong to modify the data field. It is wrong. Is the other end OS/2 or something derived from it? I rec

Re: Universal Client Gateway

2004-11-14 Thread Barney Wolff
dangerous - would you notice if such a client claimed to have the IP address of your Internet gateway, and thus captured everybody's traffic? -- Barney Wolff http://www.databus.com/bwresume.pdf I'm available by contract or FT, in the NYC metro area or via the 'Net.

Re: modularization

2004-10-06 Thread Barney Wolff
. It's important to make a distinction between specification and implementation. Protocols should be designed and defined with clear boundaries between layers, but protocol handlers need not, and often should not, be implemented that way. -- Barney Wolff http://ww

Re: fooling nmap

2004-09-04 Thread Barney Wolff
ot the only OS fingerprinter around. Getting into spy-vs-spy with Fyodor is a waste of time. -- Barney Wolff http://www.databus.com/bwresume.pdf I'm available by contract or FT, in the NYC metro area or via the 'Net.

Re: Traceroute Anomaly

2004-08-20 Thread Barney Wolff
're blocking the UDP somewhere, presumably. tcpdump and/or adding logging to your firewall rules should tell you more. -- Barney Wolff http://www.databus.com/bwresume.pdf I'm available by contract or FT, in the NYC metro area or via the 'Net.

Re: [FreeBSD 5.2] Bandwith and packet throttling

2004-08-15 Thread Barney Wolff
man ipfw will point out that the first allow or deny that "hits" terminates rule processing. Perhaps you're more familiar with other firewalls, where this sensible design is not the normal case. -- Barney Wolff http://www.databus.com/bwresume.pdf I'm available by con

Re: DHCP server over PPPoE server

2004-07-15 Thread Barney Wolff
ide will just ignore them. DHCP is not restricted to broadcast networks. In fact, the ietf-ppp(ext) working group is quite adamant that DHCP be used to get configuration data rather than adding new attributes to LCP/IPCP. -- Barney Wolff http://www.databus.com/bwresu

Re: allowing LAN the direct access to outside DNS with ipfw

2004-07-13 Thread Barney Wolff
n to originate from port > 53? > > What's the meaning of the "keep-state" clause in the rule above? I > thought, it "magically" allows DNS-responses to come back only, but that > does not work... Do ipfw show and see if the keep-state rule is ever trigge

Re: kern/56461: FreeBSD client rpc.lockd incompatible with Linux server rpc.lockd

2004-06-18 Thread Barney Wolff
On Fri, Jun 18, 2004 at 02:19:17PM -0700, Alfred Perlstein wrote: > * Barney Wolff <[EMAIL PROTECTED]> [040618 14:09] wrote: > > > > Pardon an ignorant question, but what happens to unfortunate people who > > have to talk to both Linux and non-quirky servers at the sam

Re: kern/56461: FreeBSD client rpc.lockd incompatible with Linux server rpc.lockd

2004-06-18 Thread Barney Wolff
h advisory locks. Pardon an ignorant question, but what happens to unfortunate people who have to talk to both Linux and non-quirky servers at the same time? Is there a way to detect what flavor of server you're talking to and adjust accordingly? That would be far better than a sysctl. --

Re: net.inet.ip.portrange.randomized=1 hurts

2004-06-04 Thread Barney Wolff
rval is 128, given the default 16384 range. That's far too short. The justified response to user complaints is "send patches" and I'm willing to try, if no-one else is working on it. -- Barney Wolff http://www.databus.com/bwresume.pdf I'm available by contract o
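The trade-off behind the complaint above (a randomized ephemeral-port picker reuses a port far sooner than a sequential one, which collides with the 2*MSL TIME_WAIT period the earlier message in this thread asks about) is easy to see by simulation. The following is an added example, not code from the thread or from FreeBSD: it models the randomized allocator as a uniform independent pick from a 16384-port range (an assumption; the real kernel algorithm may differ), assumes the range starts at 49152, and uses the 30 s MSL that BSD-derived stacks use.

```python
import math
import random

PORT_RANGE = 16384   # size of the ephemeral range mentioned in the thread
FIRST_PORT = 49152   # assumed lowest port of that range; illustrative only


def sequential_ports(n):
    """Hand out ports in order and wrap around, as a non-randomized allocator does."""
    for i in range(n):
        yield FIRST_PORT + (i % PORT_RANGE)


def random_ports(n, seed):
    """Pick every port uniformly at random from the range, independent of history
    (an assumed model of a fully randomized allocator, not FreeBSD's actual code)."""
    rng = random.Random(seed)
    for _ in range(n):
        yield FIRST_PORT + rng.randrange(PORT_RANGE)


def allocations_before_first_reuse(ports):
    """Count how many distinct ports are handed out before any port is used again."""
    seen = set()
    for count, port in enumerate(ports):
        if port in seen:
            return count
        seen.add(port)
    return None   # the stream ended without a repeat


def birthday_estimate():
    """Expected draws until the first repeat for uniform choice from N values: sqrt(pi*N/2)."""
    return math.sqrt(math.pi * PORT_RANGE / 2)


def mean_random_reuse(trials, seed=1):
    """Average allocations-before-reuse over several randomized runs."""
    total = 0
    for t in range(trials):
        total += allocations_before_first_reuse(random_ports(PORT_RANGE + 1, seed + t))
    return total / trials


def reuse_respects_time_wait(allocs_before_reuse, conns_per_second, msl_seconds=30):
    """True if a port is reused only after 2*MSL (the TIME_WAIT period) has elapsed,
    assuming connections are opened at a steady rate. 30 s is the MSL used by
    BSD-derived stacks; the thread notes that the two ends may disagree on it."""
    return allocs_before_reuse / conns_per_second >= 2 * msl_seconds


if __name__ == "__main__":
    seq = allocations_before_first_reuse(sequential_ports(PORT_RANGE + 1))
    rnd = mean_random_reuse(200)
    print(f"sequential: {seq} allocations before reuse")
    print(f"randomized: about {rnd:.0f} (birthday estimate {birthday_estimate():.0f})")
    for rate in (10, 100, 1000):
        print(f"{rate} conn/s: sequential ok={reuse_respects_time_wait(seq, rate)}, "
              f"randomized ok={reuse_respects_time_wait(rnd, rate)}")
```

With a uniform picker the first repeat arrives after roughly 160 allocations, the same order of magnitude as the 128 quoted in the thread; at 100 connections per second that is under two seconds, well inside a 60 s TIME_WAIT, whereas sequential allocation takes the whole 16384-port cycle. Randomization buys unpredictability of the source port; the price is that the reuse interval has to be managed some other way.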

Re: net.inet.ip.portrange.randomized=1 hurts

2004-06-02 Thread Barney Wolff
two systems have different ideas of MSL? -- Barney Wolff http://www.databus.com/bwresume.pdf I'm available by contract or FT, in the NYC metro area or via the 'Net.

Re: ia_netbroadcast

2004-05-18 Thread Barney Wolff
icient when the problem is to match an address with an addr/mask pair. For matching on equality, hashing is far better. -- Barney Wolff http://www.databus.com/bwresume.pdf I'm available by contract or FT, in the NYC metro area or via the 'Net.

Re: [PATCH] First part of TCP-MD5 inbound verification

2004-04-22 Thread Barney Wolff
-intensive. Barney -- Barney Wolff http://www.databus.com/bwresume.pdf I'm available by contract or FT, in the NYC metro area or via the 'Net.

Re: Fwd: [IPv4 fragmentation --> The Rose Attack]

2004-04-04 Thread Barney Wolff
at all. Per-protocol limits would simply cause the attackers to attack the other protocol. In truth, running NFS over UDP with 65k packets over the Internet is suicidal anyway. -- Barney Wolff http://www.databus.com/bwresume.pdf I'm available by contract or FT, in

Re: tricking myself w/ multihoming

2004-03-23 Thread Barney Wolff
175.254.1 rather than playing ipfw games. How is DNS working? Oh, and please do put some more secure rules in if you're really Internet connected. > Tcpdump on this box shows me the incoming packets coming to > 198.175.254.8, but I'm not seeing these replies to these packets

Re: tcpdump says errors. Netstat says no.

2004-03-17 Thread Barney Wolff
hecksums. As I recall, xl supports doing the checksums in the nic. If all the errors you're seeing are on xmit, it's because tcpdump is seeing the packets before the checksums are computed. At least that's what I remember from some years ago when I had a 3com nic. -- Barn

Re: Byte counters reset at ~4GB

2004-03-16 Thread Barney Wolff
, most readers (eg, netstat) probably shouldn't care, and those that do could sanity-check the result and repeat the read if necessary. What am I missing here? -- Barney Wolff http://www.databus.com/bwresume.pdf I'm available by contract or FT, in the NY

Re: natd interface alias question

2004-03-09 Thread Barney Wolff
o specify separately which packets get diverted, in and out. I suspect the double nat has something to do with your problem. -- Barney Wolff http://www.databus.com/bwresume.pdf I'm available by contract or FT, in the NYC metro area o

Re: unable to set ip address during/after PPP?

2004-02-26 Thread Barney Wolff
eUp: unable to set ip address > > I know that this _used_ to work so I´m really wondering what goes wrong. The usual cause of "File exists" here is a duplicate address on either end. I would not expect to be able to have >1 non-bundled links to/from the same address. -- Bar

Re: Bad loopback traffic not stopped by ipfw.

2004-02-24 Thread Barney Wolff
amount 1000 ip from any to 127.0.0.0/8 deny log logamount 1000 ip from 127.0.0.0/8 to any then see what ipfw says. Your ruleset does not block packets from 127 outbound. -- Barney Wolff http://www.databus.com/bwresume.pdf I'm available by contract or FT, in the NYC metro area or v

Re: unable to ping or connect to freebsd

2004-02-22 Thread Barney Wolff
from outside in. Why do you need to allow that? Or, unless your fbsd box is acting as a router, why do you need NAT? -- Barney Wolff http://www.databus.com/bwresume.pdf I'm available by contract or FT, in the NYC metro area or via the 'Net.

Re: PPP+freeRadius problem.

2004-02-20 Thread Barney Wolff
dialin server. It does not mean the UDP port from/to which RADIUS requests are sent. The bug, if any, is in whatever is demanding that the attribute be present. -- Barney Wolff http://www.databus.com/bwresume.pdf I'm available by contract or FT, in the NYC metro area or via the 

Re: NATD and available ports

2004-01-12 Thread Barney Wolff
ecide which internal machines & which external addresses go to which divert socket. Performance may well be an issue, depending on bandwidth. Perhaps one NAT box per 100 client boxes would not be overkill - is adding 1% to the h/w budget unreasonable? -- Barney Wolff http://www.databu

Re: IPENCAP Problem

2004-01-06 Thread Barney Wolff
robin DNS enabled and have > multiple A records for the website I'd suspect MTU issues rather than multiple A records. Try setting the MTU of the link to the Internet to 1400. If that works you can fine tune it. -- Barney Wolff http://www.

Re: Odd behaviour on em0 device in -stable ... I think ...

2004-01-05 Thread Barney Wolff
gets generated in > /var/log/messages: > > Jan 4 16:09:17 neptune /kernel: em0: Link is up 100 Mbps Full Duplex > > as if it brought the device down, and then back up again ... is that > normal? If by "normal" you meant do other people see the same, the answer is yes. --

Re: Odd behaviour on em0 device in -stable ... I think ...

2004-01-04 Thread Barney Wolff
the fxp's manage to send a gratuitous arp when taking on a new alias. -- Barney Wolff http://www.databus.com/bwresume.pdf I'm available by contract or FT, in the NYC metro area or via the 'Net.

Re: net access failover

2003-12-27 Thread Barney Wolff
but that's usually not a big deal. -- Barney Wolff http://www.databus.com/bwresume.pdf I'm available by contract or FT, in the NYC metro area or via the 'Net.

Re: ipfw/natd/3 nic

2003-12-23 Thread Barney Wolff
e ipfw divert rule can have "via " to apply only to packets to/from the Internet, and you can have deny rules for packets flowing between your two internal nets. I don't see a need to run two natd's here. -- Barney Wolff http://www.databus.com/bwresume.pdf

Re: Controlling ports used by natd

2003-12-22 Thread Barney Wolff
" option is set, tries to open a socket on that port. Perhaps if the above option is set, it should bind port 0 and use the port the kernel assigns. If folks think that's a good idea, I could produce a patch to alias_db.c for evaluation.

Re: suffering from poor network performance...

2003-12-18 Thread Barney Wolff
net.inet.icmp.icmplim=0 . -- Barney Wolff http://www.databus.com/bwresume.pdf I'm available by contract or FT, in the NYC metro area or via the 'Net.

Re: suffering from poor network performance...

2003-12-16 Thread Barney Wolff
Folks, see sysctl net.inet.icmp.icmplim for why you get packet loss on a flood ping. It has nothing to do with duplex, hub/switch or problems with equipment. Make it 0 to remove the limit, I believe. Barney

Re: suffering from poor network performance...

2003-12-16 Thread Barney Wolff
On Tue, Dec 16, 2003 at 05:58:08PM -0500, Alex wrote: > First, I know very little about networking, especially performance > turning. I would really like to learn more but don't know where/how to > start effectively. You're seeing icmp rate-limiting. Don't worry abo

Re: Controlling ports used by natd

2003-12-14 Thread Barney Wolff
On Sun, Dec 14, 2003 at 02:41:00PM -0500, Charles Swiger wrote: > On Dec 12, 2003, at 7:19 PM, Barney Wolff wrote: > >I have a real philosophical problem with ceding ports to worms, viruses > >and trojans. Where will it stop? Portno is a finite resource. > > This is a resp

Re: Controlling ports used by natd

2003-12-12 Thread Barney Wolff
On Fri, Dec 12, 2003 at 08:18:11PM -0700, Brett Glass wrote: > At 07:18 PM 12/12/2003, Barney Wolff wrote: > > >In fact, your real problem is with lazy > >firewalls that can't tell UDP responses from requests. A stateless > >firewall is an ACL, not a firewall. Th

Re: Controlling ports used by natd

2003-12-12 Thread Barney Wolff
s not so easy, because malware is not likely to be so polite as to keep to fixed source ports. In fact, your real problem is with lazy firewalls that can't tell UDP responses from requests. A stateless firewall is an ACL, not a firewall. That works not so badly for TCP but is simply inadequa

Re: Controlling ports used by natd

2003-12-12 Thread Barney Wolff
On Fri, Dec 12, 2003 at 04:20:04PM -0700, Brett Glass wrote: > At 11:19 AM 12/12/2003, Barney Wolff wrote: > > >How is this problem confined to NAT? Seems to me that any system > >connecting to the Internet would have the same issue, if it's actually > >a problem at

Re: Controlling ports used by natd

2003-12-12 Thread Barney Wolff
On Fri, Dec 12, 2003 at 10:41:50AM -0700, Brett Glass wrote: > At 01:35 AM 12/12/2003, Barney Wolff wrote: > > >Oops, sorry for the confusion. How fancy a change is up to you, > >but changing ALIAS_PORT_BASE and ALIAS_PORT_MASK (and _EVEN) > >would let you confine the

Re: Controlling ports used by natd

2003-12-12 Thread Barney Wolff
On Fri, Dec 12, 2003 at 01:19:34AM -0700, Brett Glass wrote: > At 12:45 AM 12/12/2003, Barney Wolff wrote: > > >UTSL libpcap/alias_db.c > > I can find no such file in /usr/src/contrib/libpcap. I did find > one in /usr/src/lib/libalias. It seems to have in it a function >

Re: Controlling ports used by natd

2003-12-12 Thread Barney Wolff
le to avoid this problem. But > I can find no way to do this. Does one exist? UTSL libpcap/alias_db.c -- Barney Wolff http://www.databus.com/bwresume.pdf I'm available by contract or FT, in the NYC metro area or via the 'Net.

Re: Two ISP connections

2003-12-11 Thread Barney Wolff
On Thu, Dec 11, 2003 at 01:51:20PM -0500, Andrea Venturoli wrote: > ** Reply to note from Barney Wolff <[EMAIL PROTECTED]> Wed, 10 Dec 2003 20:39:28 > -0500 > > > > Things started from /usr/local/etc/rc.d get a hup signal when rc is finished > > with all the star

Re: Two ISP connections

2003-12-10 Thread Barney Wolff
On Thu, Dec 11, 2003 at 01:37:52AM -0500, Andrea Venturoli wrote: > ** Reply to note from Barney Wolff <[EMAIL PROTECTED]> Wed, 10 Dec 2003 11:39:00 > -0500 > > > > I don't know of anything published that does this, but it's easy to > > write a perl or s

Re: Two ISP connections

2003-12-10 Thread Barney Wolff
fancier than is reasonable, existing connections will be dropped at switchovers. I have a script that does similar things running here; email me if you want it. -- Barney Wolff http://www.databus.com/bwresume.pdf I'm available by contract or FT, in th

Re: Straw poll - All-interface broadcast/multicast

2003-11-18 Thread Barney Wolff
el or userland? Does it work at all? 2. How is "appropriate" defined - by administrator choice or by some inherent property of the interface hardware type? 3. How do other OS's do it, if at all? 4. How will this interact with IPv6? IPsec? Thanks, Barney -- Barney Wolff

Re: Telecom Italia, ADSL SMART & FreeBSD

2003-11-05 Thread Barney Wolff
the ISP's router's address (usually .1 on whatever net you're assigned to). -- Barney Wolff http://www.databus.com/bwresume.pdf I'm available by contract or FT, in the NYC metro area or via the 'Net.

Re: iMac and FreeBSD performance problems

2003-10-30 Thread Barney Wolff
can play with tuning parameters at both ends. Receive window size, MTU, (local_)slowstart_flightsize, path_mtu_discovery. MTU is settable by ifconfig, others by sysctl. Send to /dev/null to eliminate disk issues. Swap cables. Swap ports. Good luck. -- Barney Wolff http://www.databus.com

Re: Thoughts on IPv6, was: Re: Help Broadcasting a UDP packet on the LAN:URGENT

2003-10-23 Thread Barney Wolff
On Thu, Oct 23, 2003 at 05:25:42PM -0400, Charles Swiger wrote: > On Thursday, October 23, 2003, at 03:43 PM, Barney Wolff wrote: > >My expectation is the same as yours, but I strongly believe that > >anyone doing a new design that deliberately ignores IPv6 is being very > >

Re: Help Broadcasting a UDP packet on the LAN:URGENT

2003-10-23 Thread Barney Wolff
this would be better accomplished at the link layer, not using IP at all, like ARP. If that were done, an interface using VLAN tagging should send the frame on each of its configured VLANs. "Physical" doesn't mean much when using VLANs. Among other things, the th

Re: Help Broadcasting a UDP packet on the LAN:URGENT

2003-10-23 Thread Barney Wolff
ly > understand the problem before we jump in, but I'm also pretty certain we > don't fully understand the problem, let alone the solution. ;^) Allowing packets to 255.255.255.255 out an interface, $1.98. Deciding which interfaces to send on, priceless. Barney -- Barney Wolff

Re: Help Broadcasting a UDP packet on the LAN:URGENT

2003-10-21 Thread Barney Wolff
Bruce M Simpson wrote pointing out AODV (RFC 3561) as an example of a routing protocol needing to send to 255.255.255.255 on multiple interfaces at once. I withdraw my scorn of kernel mods to facilitate this. -- Barney Wolff http://www.databus.com/bwresume.pdf I'm available by con

Re: Help Broadcasting a UDP packet on the LAN:URGENT

2003-10-20 Thread Barney Wolff
hat and not clutter up the kernel. -- Barney Wolff http://www.databus.com/bwresume.pdf I'm available by contract or FT, in the NYC metro area or via the 'Net.

Re: Help Broadcasting a UDP packet on the LAN:URGENT

2003-10-20 Thread Barney Wolff
t doing that, on RELENG_5_1 and RELENG_4, does result in ping 255.255.255.255 sending ICMP packets out with that dest addr. I have not personally tested UDP on FreeBSD, but this hack used to work on Irix, which at least back then had a bsd-derived network stack, to enable bootp to work with no kernel m

Re: IPFW.

2003-10-19 Thread Barney Wolff
on setup, both ways. btw, "pass" means allow, did you mean "deny"? -- Barney Wolff http://www.databus.com/bwresume.pdf I'm available by contract or FT, in the NYC metro area or via the 'Net.

Re: TCP window size issues

2003-10-17 Thread Barney Wolff
aved sender would be using congestion avoidance and limiting its transmit window so that packet drops should be rare, even with an oversize advertised window. What's surprising is that this sort of tweak is ever required, other than as a minor optimization. -- Barney Wolff

Re: Question about bridging code

2003-10-16 Thread Barney Wolff
n my own structs, and it compiled and worked correctly without changing a single line of the VJ code. That project would never have survived if every bug had caused a kernel panic. The code is still running in commercial service today. -- Barney Wolff http://www.databus.com/bwresume.pdf

Re: ADSL PPoA or RFC1483, any solutions ?

2003-10-01 Thread Barney Wolff
default route to the ISP router's addr. The dsl modem is acting as a bridge, not a router. The routing and firewalling is done by my fbsd system. Are you talking about running the phone line directly to the fbsd box with no dsl modem? -- Barney Wolff

Re: SPAM help

2003-08-19 Thread Barney Wolff
d headers. If the volume gets too high, procmail is your friend. -- Barney Wolff http://www.databus.com/bwresume.pdf I'm available by contract or FT, in the NYC metro area or via the 'Net.

Re: bpf, ipfw and before-and-after

2003-08-14 Thread Barney Wolff
comprehension. Now if somebody wanted to add the ability to dump the complete packet to ipfw ... :) -- Barney Wolff http://www.databus.com/bwresume.pdf I'm available by contract or FT, in the NYC metro area or via the 'Net.

Re: bpf, ipfw and before-and-after

2003-08-05 Thread Barney Wolff
On Wed, Aug 06, 2003 at 09:54:11AM +1000, Edwin Groothuis wrote: > On Tue, Aug 05, 2003 at 10:31:01AM -0400, Barney Wolff wrote: > > Seems to me that with ipfw logging and tcpdump packet selection this > > is largely a non-issue. We should be wary of adding complexity to > >

Re: Multiple Interfaces

2003-07-31 Thread Barney Wolff
's intended for the case of two machines where one backs up the other, not two interfaces on one machine taking over for each other. -- Barney Wolff http://www.databus.com/bwresume.pdf I'm available by contract or FT, in the NYC metro a

Re: Strange dial-up related DNS problems

2003-07-30 Thread Barney Wolff
r guess, but perhaps the PPP negotiation is giving them something weird (eg, 127.0.0.1) as the nameserver address. Have a look at /etc/resolv.conf while they're connected and at the ppp log. Have you tried dig @server.ip some.host? Any internal firewall in place? What do its logs/stats

Re: broadcast udp packets ...

2003-07-15 Thread Barney Wolff
s explicitly designed to assign > a permanent address to an appliance that cannot know it's boot address > when configured and cannot really predict which of the 3 interfaces it > might receive an address from. I don't quite know why you need to reinvent bootp/dhcp,

Re: Performance improvement for NAT in IPFIREWALL

2003-07-02 Thread Barney Wolff
ut. If you have an enemy inside, nothing will help you. -- Barney Wolff http://www.databus.com/bwresume.pdf I'm available by contract or FT, in the NYC metro area or via the 'Net.

Re: Performance improvement for NAT in IPFIREWALL

2003-07-02 Thread Barney Wolff
rnel-userspace boundary for natd is inherent, apart from any code optimization that might be possible. But moving NAT into the kernel has great impact on kernel memory usage, which needs much more care than in user space. NATs can be DoS'd, and running out of kernel memory can be fatal.

Re: ipfw+natd/divert port mapping problem

2003-07-02 Thread Barney Wolff
t; outer NICs IP nr. When I did this the port mapping > stopped working. I'd put "via OUTER_INTERFACE" on the divert statement, and check routing, forwarding enabled. -- Barney Wolff http://www.databus.com/bwresume.pdf I'm available by contr

Re: broadcast udp packets ...

2003-07-01 Thread Barney Wolff
with an alias of 255.0.0.1/8. Told you it was sleazy. -- Barney Wolff http://www.databus.com/bwresume.pdf I'm available by contract or FT, in the NYC metro area or via the 'Net.

Re: IPv6 and me....

2003-06-17 Thread Barney Wolff
ase, you're going > to see a lot more support for IPv6 from vendors, etc. On the other hand, > I can't tell you which ISPs in the US would provide IPv6 support... :-) There was a recent discussion of IPv6 ISPs on NANOG. Look at the nanog archives for messages listing t

Re: ADSL PPoA or RFC1483, any solutions ?

2003-06-15 Thread Barney Wolff
P address of the ISP's router as the default route. My ISP works that way. My Freebsd system's external Ethernet has address w.x.y.z/24 and my default route is w.x.y.1. If you don't get a static IP address, running dhclient on the Ethernet interface that talks to the DSL modem

Re: Choices for security

2003-06-06 Thread Barney Wolff
nally, if the problem is strictly http(s) requests, you can put an allow tcp established rule before the blocking rules, and take the hit only on setup packets. That doesn't stop an attacker using hping or equivalent, but does stop request bots. -- Barney Wolff http://www.databus.
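Several messages in this archive make the same few points about ipfw: the first allow or deny that hits ends rule processing ("[FreeBSD 5.2] Bandwith and packet throttling"), a ruleset that only denies packets *to* 127/8 does not stop spoofed packets *from* 127/8 ("Bad loopback traffic not stopped by ipfw."), an "allow tcp established" rule placed ahead of the blocking rules means only setup packets pay the full cost ("Choices for security"), and keep-state is what lets a stateful filter distinguish a DNS reply from an unsolicited UDP packet, which a stateless ACL cannot do ("allowing LAN the direct access to outside DNS with ipfw", "Controlling ports used by natd"). The following is an added toy model of those semantics, written for this page; it is not ipfw code and not from any message in the thread. The rule numbers, the 10.0.0.0/24 LAN, the 10.0.0.5 web server and the 192.0.2.x/198.51.100.x outside addresses are all assumed for illustration, and the final-rule verdict is assumed to be deny (ipfw's own default depends on how the kernel was built).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    direction: str = "in"      # "in" or "out", as seen by the firewall host
    established: bool = False  # TCP segment with ACK set, what ipfw's "established" matches


@dataclass
class Rule:
    number: int
    action: str                # "allow", "deny" or "check-state"
    proto: str = "ip"          # "ip" matches every protocol
    src: str = "any"           # CIDR or "any"
    dst: str = "any"
    direction: str = "any"     # "in", "out" or "any"
    dport: Optional[int] = None
    established: bool = False  # match only TCP packets with ACK set
    keep_state: bool = False   # on an allow, remember the flow so replies match check-state


def _net_match(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def _static_match(rule, pkt):
    return (rule.proto in ("ip", pkt.proto)
            and _net_match(rule.src, pkt.src)
            and _net_match(rule.dst, pkt.dst)
            and rule.direction in ("any", pkt.direction)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (not rule.established or pkt.established))


class Firewall:
    """First-match filter: the first allow or deny that hits ends rule processing."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)
        self.dynamic = set()                                # flows added by keep-state
        self.counters = {r.number: 0 for r in self.rules}   # per-rule hits, as "ipfw show" lists

    @staticmethod
    def _flow(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def evaluate(self, pkt):
        """Return (verdict, rule number) for one packet."""
        for rule in self.rules:
            if rule.action == "check-state":
                if self._flow(pkt) in self.dynamic or self._reverse(pkt) in self.dynamic:
                    self.counters[rule.number] += 1
                    return ("allow", rule.number)
                continue
            if _static_match(rule, pkt):
                self.counters[rule.number] += 1
                if rule.keep_state and rule.action == "allow":
                    self.dynamic.add(self._flow(pkt))
                return (rule.action, rule.number)
        return ("deny", 65535)   # assumed default verdict for the final rule


def build_rules(block_outbound_loopback):
    rules = [
        Rule(100, "deny", "ip", "any", "127.0.0.0/8"),                  # nothing may go *to* 127/8
        Rule(300, "check-state"),                                       # replies to remembered flows
        Rule(400, "allow", "tcp", established=True),                    # cheap pass for existing TCP flows
        Rule(500, "allow", "udp", "10.0.0.0/24", "any", "out", dport=53, keep_state=True),
        Rule(600, "allow", "tcp", "any", "10.0.0.5", "in", dport=80),   # setup packets for the web server
        Rule(700, "deny"),
    ]
    if block_outbound_loopback:
        rules.append(Rule(200, "deny", "ip", "127.0.0.0/8", "any"))     # the rule the thread says was missing
    return rules


def spoofed_loopback_verdict(with_rule_200):
    fw = Firewall(build_rules(with_rule_200))
    spoof = Packet("tcp", "127.0.0.1", "192.0.2.10", 4444, 22, "out", established=True)
    return fw.evaluate(spoof)


def dns_exchange():
    fw = Firewall(build_rules(True))
    query = Packet("udp", "10.0.0.7", "192.0.2.53", 40000, 53, "out")
    reply = Packet("udp", "192.0.2.53", "10.0.0.7", 53, 40000, "in")
    unsolicited = Packet("udp", "192.0.2.53", "10.0.0.7", 53, 40001, "in")
    return fw.evaluate(query), fw.evaluate(reply), fw.evaluate(unsolicited), fw.counters[300]


def catch_all_first_verdict():
    fw = Firewall(build_rules(True) + [Rule(50, "deny")])   # a deny-all ahead of everything
    return fw.evaluate(Packet("tcp", "198.51.100.4", "10.0.0.5", 5555, 80, "in"))
```

Without rule 200, a spoofed packet from 127.0.0.1 with ACK set sails through the broad "established" rule 400; with it, rule 200 fires first. The DNS query creates a dynamic entry, the reply matches check-state at 300 (so its counter is the thing to look at when asking whether keep-state is "ever triggered"), and the unsolicited packet from port 53 falls through to the final deny, which is exactly the distinction a stateless ACL cannot make. A deny-all inserted at 50 shows why rule order, not rule presence, decides the outcome.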

Re: Cascading qmail servers

2003-05-30 Thread Barney Wolff
On Thu, May 29, 2003 at 12:14:34AM -0700, Wes Peters wrote: > On Wednesday 28 May 2003 08:00 am, Barney Wolff wrote: > > On Wed, May 28, 2003 at 07:45:10AM -0700, Wes Peters wrote: > > > > Don't assume that you can't create an alias for each user. When I

Re: ipfw rules vs routes to localhost?

2003-05-29 Thread Barney Wolff
d both to kernel and user space? With SVR4 Streams, I'd probably use an ioctl to communicate. -- Barney Wolff http://www.databus.com/bwresume.pdf I'm available by contract or FT, in the NYC metro area or via the 'Net.

Re: ipfw rules vs routes to localhost?

2003-05-29 Thread Barney Wolff
s a way to put custom code in the kernel that looks up the source IP addr in a hash table. But the hard part will be updating the table of banned IPs and informing the kernel. How often must the table change? -- Barney Wolff http://www.databus.com/bwresume.pdf I'm available b

Re: [dab@BSDI.COM: Re: [e2e] TCP-SYN and delayed TCB allocation]

2003-05-29 Thread Barney Wolff
i boxes, and probably should not pick a victim at random. :) Regards, Barney -- Barney Wolff http://www.databus.com/bwresume.pdf I'm available by contract or FT, in the NYC metro area or via the 'Net.

[dab@BSDI.COM: Re: [e2e] TCP-SYN and delayed TCB allocation]

2003-05-29 Thread Barney Wolff
oning to > ESTABLISHED)... As long as you don't ACK the data, you don't need to save it. Throw away the data and just ACK the SYN. The other side will have retained a copy of the data, and will have to retransmit it. Slow, but it will work. -David Borman ---

Re: Cascading qmail servers

2003-05-29 Thread Barney Wolff
correspondents use the sub-domains the problem is easier, but employees in large orgs move around so often it's impractical. -- Barney Wolff http://www.databus.com/bwresume.pdf I'm available by contract or FT, in the NYC metro area or via the 'Net.

Re: Cascading qmail servers

2003-05-28 Thread Barney Wolff
rnet. And also I want to keep part of the e-mail accounts on the > main server for the whatever.com domain itself. Don't assume that you can't create an alias for each user. When I worked at a very large NY bank, with well over 100,000 employees, /etc/mail/aliases was that big, a

Re: route pointing to a gateway that's not on net

2003-03-15 Thread Barney Wolff
e default route, and put a permanent entry into the arp table with the gateway's actual mac address. That ought to work. -- Barney Wolff http://www.databus.com/bwresume.pdf I'm available by contract or FT, in the NYC metro area or via the 'Net.

Re: IPFIREWALL, /dev/ipl and friends

2003-03-02 Thread Barney Wolff
< options APIC_IO # Symmetric (APIC) I/O IPFIREWALL and friends are for ipfw, not ipfilter (except IPSTEALTH). 5.0 uses devfs and creates pseudo-devices as needed. -- Barney Wolff http://www.databus.com/bwresume.pdf I'm available by contract or FT, in th

Re: Does natd(8) really need to see _all_ packets?

2003-02-04 Thread Barney Wolff
ink my ISP does check source MAC on packets from subscribers, but would be worth a try. All in all, knowing that a packet came from "outside" is important. -- Barney Wolff http://www.databus.com/bwresume.pdf I'm available by contract or FT, in the NYC metro area or via

Re: Does natd(8) really need to see _all_ packets?

2003-02-03 Thread Barney Wolff
t of slots? If you insist on using only one nic, putting a "pass ip LN LN" right after the lo0/127 rules will minimize overhead for local traffic. If you need protection from the other hosts on your lan there are things running on your firewall that should not be there. -- Barney

Re: Need help dealing with (D)DoS attacks (desperately)

2003-01-05 Thread Barney Wolff
t rules, with the most heavily used addresses first. That way, many fewer rules should get interpreted for each packet. An even fancier scheme would use skipto and divide up your IP ranges in a binary search. -- Barney Wolff http://www.databus.com/bwresume.pdf I'm available by cont

Re: passive mode ftp server, need stateful ipfw rule.

2002-12-10 Thread Barney Wolff
o do the job, as all the pieces necessary are in there. But beware - a server must cope with tricks such as asking for a nonexistent file that looks like the response to a PASV command, and so on. Firewall vendors sometimes actually do earn their money. -- Barney Wolff http://www.databus
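The trick mentioned above is worth seeing concretely: a client asks the server for a file whose name looks like a "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply, the server echoes the name back in a 550 error, and a helper that scans the control stream for that tuple opens a pinhole to whatever the client chose. The following is an added example written for this page, not code from the thread or from any firewall product; the server address and reply lines are constructed. It contrasts a careless helper with one that only acts on a genuine 227 reply to a PASV the client actually sent, and only toward the server it is already talking to.

```python
import re

# A genuine PASV reply starts the line with code 227 and carries the six-number tuple.
PASV_LINE = re.compile(
    r"^227 [^\r\n]*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# What a sloppy helper looks for: the tuple anywhere in the data, regardless of context.
ANY_TUPLE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def _endpoint(match):
    """Turn the six captured numbers into (host, port), or None if any octet is out of range."""
    octets = [int(x) for x in match.groups()]
    if any(o > 255 for o in octets):
        return None
    return ".".join(str(o) for o in octets[:4]), octets[4] * 256 + octets[5]


def naive_pinhole(data):
    """A careless helper: opens whatever (host, port) it can find in the server's output."""
    m = ANY_TUPLE.search(data)
    return _endpoint(m) if m else None


def pasv_pinhole(control_peer, reply_line, pasv_sent):
    """Decide whether to open a data-channel pinhole for one server reply line.

    control_peer: IP of the FTP server on the control connection
    reply_line:   one complete reply line from the server
    pasv_sent:    True only if the client has a PASV command outstanding
    Returns ("open", host, port) or ("refuse", reason)."""
    if not pasv_sent:
        return ("refuse", "no PASV command outstanding")
    m = PASV_LINE.match(reply_line)
    if not m:
        return ("refuse", "not a 227 reply")
    ep = _endpoint(m)
    if ep is None:
        return ("refuse", "malformed address")
    host, port = ep
    if host != control_peer:
        return ("refuse", "advertised host differs from the control-connection peer")
    if port < 1024:
        return ("refuse", "privileged port")
    return ("open", host, port)


# Constructed sample replies for the demonstration, not captured traffic.
SERVER = "192.0.2.10"
GENUINE = "227 Entering Passive Mode (192,0,2,10,195,80)\r\n"   # port 195*256+80 = 50000
# The trick from the thread: the requested file name is echoed inside an error reply.
TRICK = "550 227 Entering Passive Mode (192,0,2,10,0,22): No such file or directory\r\n"
FOREIGN = "227 Entering Passive Mode (10,0,0,1,195,80)\r\n"       # points at a third host
PRIVILEGED = "227 Entering Passive Mode (192,0,2,10,0,25)\r\n"     # port 25 on the server

if __name__ == "__main__":
    print("naive helper on trick reply:", naive_pinhole(TRICK))
    for line in (GENUINE, TRICK, FOREIGN, PRIVILEGED):
        print(repr(line.strip()), "->", pasv_pinhole(SERVER, line, pasv_sent=True))
```

The naive helper hands the attacker a pinhole to port 22 on the server; the checked version refuses the 550 line outright, refuses a 227 that names some other host, refuses privileged ports, and does nothing at all unless a PASV is actually pending on that control connection. Real helpers also have to cope with multi-line replies and with the reply being split across segments, which is the part firewall vendors get paid for.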

Re: passive mode ftp server, need stateful ipfw rule.

2002-12-09 Thread Barney Wolff
t; > > > To Unsubscribe: send mail to [EMAIL PROTECTED] > > with "unsubscribe freebsd-net" in the body of the message > > > > > --- > Orville R. Weyrich, Jr PhD. KD7HJV > mailto:[E

Re: concurrent connections

2002-12-05 Thread Barney Wolff
i have a freebsd box acting as a IPFilter bridge for a class c subnet - is > there any way i can view how many concurrent connections this machine is > handling? -- Barney Wolff http://www.databus.com/bwresume.pdf I'm available by contract or FT, in the NYC metro area or

Re: concurrent connections

2002-12-05 Thread Barney Wolff
netstat -n |grep EST |wc -l If that's too much overhead, steal from the netstat source. On Thu, Dec 05, 2002 at 04:18:54PM -0800, randall ehren wrote: > is there a simple way to measure the amount of concurrent network (tcp) > connections to a freebsd host? -- Barney Wolff

Re: SO_DONTROUTE, arp's, ipfw fwd, etc

2002-12-04 Thread Barney Wolff
better, not worse, because of the decreased chance for interesting bugs taking the whole complex down. -- Barney Wolff http://www.databus.com/bwresume.pdf I'm available by contract or FT, in the NYC metro area or via the 'Net.
