Hi--
On Mar 13, 2013, at 8:21 AM, Matt Miller wrote:
> If we have a connection that has received a SYN and ip_output()
> returns, say, EHOSTUNREACH, is there anything that guarantees the
> connection would always eventually be dropped if the condition
> persists?
If the local TCP stack is unable
Hi--
On Feb 19, 2013, at 10:42 AM, Alex Yong wrote:
> I've been looking around in the IPv6 code recently and I noticed that
> time_second seems to be the clock of choice for calculating expiry times
> for prefixes, routers and addresses. Is there any specific reason it uses
> wall clock time and
On Apr 21, 2012, at 4:41 AM, Dmitry S. Kasterin wrote:
> The "DYNAMIC RULES" section gives the following recommendation:
> ipfw add check-state
> ipfw add deny tcp from any to any established
> ipfw add allow tcp from my-net to any setup keep-state
>
> Is the second rule
On Apr 9, 2012, at 3:27 PM, Randy Bush wrote:
>> Try "ipfw pipe show" instead
>
> thanks!
You're most welcome.
> now to figure out what all that means. especially worried about the
> queue length, as will be using varying delays in an experiment.
Well, you should look at your bandwidth-del
On Apr 9, 2012, at 12:33 PM, Randy Bush wrote:
>> dum0# ipfw 900 pipe 1 config queue 20 delay 10ms
>> remove the '900'
>> ipfw pipe 1 config queue 20 delay 10ms
>
> thanks! but ...
>
> sure, it's not really part of the programmatic sequence. but one can
> not see it's there!
>
> randy
>
On Mar 21, 2012, at 7:15 AM, Seyit Özgür wrote:
> Hello chris,
I'm Chuck, but no matter.
> Here i get tcpdump with X param..
>
> First look input errors.. its about 60 mbit/sec and much more packets can't
> process
>
> packets errs idrops bytespackets errs bytes colls
> 3
On Mar 15, 2012, at 1:17 PM, Seyit Özgür wrote:
> Thanks for quick reply.. but i don't use firewall. i tried to use PF..
> Packet filter stucks up to 100.000 syn packets flooding(on open port)..
> Without packet filter it handle much more syn flooding. Like 1Mpps can handle
> w/o interrupts that
On Mar 15, 2012, at 12:49 PM, Seyit Özgür wrote:
> Today we tried to see what happens Malformed syn packets on FreeBSD 9.0
> release..
>
> Those packets rise to CPU %100 and stucks..
>
> listening on ix0, link-type EN10MB (Ethernet), capture size 65535 bytes
> 18:33:30.010215 IP vgn44-1-88-123-8
On Mar 14, 2012, at 4:05 PM, Adarsh Joshi wrote:
> Thank you for the quick replies.
>
> I am aware of the importance of the second bit. By invalid, I was wondering
> if that particular address is reserved or if it has any special meaning or
> purpose.
There isn't a special meaning for all-zeros
On Mar 14, 2012, at 3:32 PM, Adarsh Joshi wrote:
> I assigned a 00:00:00:00:00:00 MAC address to one of my interfaces on a
> machine and tried to ping the peer machine. The ping did go through fine.
>
> I can see the request and reply packets on the packet capture. I am
> wondering if that i
On Mar 13, 2012, at 10:18 PM, hiren panchasara wrote:
>> What difference does it make when I have each (separately) in my rc.conf:
>>
>> 1) no network_interfaces at all
>> 2) network_interfaces="AUTO"
These two are the same.
>> 3) network_interfaces="em0"
This will configure em0 only, using ifc
On Feb 8, 2012, at 1:53 PM, Коньков Евгений wrote:
> some host on LAN can send packets to MAC address of FreeBSD server
>
> and server accept packets even if frame is not in its subnet and pass them
> further %-)
>
> details here
> http://www.freebsd.org/cgi/query-pr.cgi?pr=164914
Um, what were
Hi--
On Jan 26, 2012, at 9:24 AM, satish amara wrote:
> I have question regarding the size of the state table kept in FreeBSD for
> stateful packet inspection. Say we have a valid scenario where we have
> stateful firewall rule for HTTP and we get lot of incoming new HTTP session
> and state table
Hi--
On Sep 26, 2011, at 9:53 AM, Martin Wilke wrote:
> Any other Idea what we can do to get a failover between both servers?
Multi datacenter failover is *hard*. You have to evaluate which parts are
static systems-- ie, display the same web images from all DCs, provide a
current UTC timestamp
On Aug 9, 2011, at 6:45 AM, Marek Salwerowicz wrote:
> On 2011-08-09 15:26, Chuck Swiger wrote:
>> dummynet (or Altq, or whatever else you might be using) works fine with pure
>> routing config, yes-- you don't have to NAT traffic to do bandwidth control
>> on the
On Aug 9, 2011, at 6:15 AM, Marek Salwerowicz wrote:
>> It's not working because you configured natd to work against traffic flowing
>> via vr3, but traffic from your LAN is coming via vr0. While you can change
>> natd to run against all traffic, it's much better to avoid re-writing purely
>> i
On Aug 9, 2011, at 4:57 AM, Marek Salwerowicz wrote:
> Right now everything works from the Internet - if I do ssh to xx.yy.zz.170, I
> really can connect to host 192.168.0.10 etc.
>
> The problem is that when I want to connect from my 10.0.0.0/24 network (and
> even from router) to any DMZ host,
On Jul 12, 2011, at 12:26 PM, Paul Keusemann wrote:
> So, any other ideas on how to debug this?
Gather data with tcpdump. If you do it on one of the VPN endpoints, you ought
to see the VPN contents rather than just packets going by in the encrypted
tunnel.
> Anybody know how to get racoon to l
On Jul 7, 2011, at 4:45 AM, Paul Keusemann wrote:
> My setup is something like this:
> - My local network is a mix of AIX, HP-UX, Linux, FreeBSD and Solaris
> machines running various OS versions.
> - My gateway / firewall machine is running FreeBSD-8.1-RELEASE-p1 with ipfw,
> nat and racoon for
On Jul 6, 2011, at 5:50 PM, Kevin Oberman wrote:
[ ... ]
> Any modern Ethernet should be running full-duplex.
Sure. With a price point of ~$10 per port for unmanaged gigabit switches
nowadays, this is cheap enough that it's widely deployed even for SOHO and
small offices. Also, I don't believe
On Jul 6, 2011, at 12:27 PM, Kevin Oberman wrote:
> 1 in 10**6? That is totally excessive.
It's high for a switched LAN, but I'd imagine you remember collision rates on
hubs, which might well exceed 1% of the packets when the network is under load.
> The Ethernet spec requires no worse than 10**
On Jul 6, 2011, at 11:01 AM, Marek Salwerowicz wrote:
> The idea is to share the Internet connection to both networks, and block any
> traffic between them.
>
> I was trying to set up the firewall like this:
>
> #!/bin/sh
>
> cmd="ipfw -q"
>
> $cmd flush
>
> $cmd add 50 check-state
>
> $cmd
On Jul 4, 2011, at 6:32 PM, Charles Sprickman wrote:
> We're running a few 8.1-R servers with Broadcom bce interfaces (Dell R510)
> and I'm seeing occasional packet loss on them (enough that it trips nagios
> now and then). Cabling seems fine as neither the switch nor the sysctl info
> for the
On May 17, 2011, at 6:16 AM, Cole wrote:
> I was hoping to keep this clean, and use existing methods for hooking
> into the stream. Also the goal im working for is to be able to use
> this on a box doing routing to hopefully get some sort of compression
> working between 2 end points. So most of th
On May 13, 2011, at 1:07 PM, Ivan Voras wrote:
> I'm seeing an unusual problem at a remote machine; this machine is
> the FreeBSD server, and the client is a probably Windows machine (but I
> don't know the details yet). Something happens which causes FreeBSD to
> send ACKs to the client, and th
On Apr 25, 2011, at 11:47 AM, fbsdm...@dnswatch.com wrote:
> I have a /24 with a prefix of 168.103.150.xxx with a gateway on this prefix
> (DSLmodem).
> I also have a /24 with a prefix of 75.160.109.xxx
> My question(s) is/are:
> 1) is it possible to route both of these across the same GW?
If thes
On Apr 7, 2011, at 8:02 AM, Marc G. Fournier wrote:
> Part of the recent thread I had about mounting nfs point to using nolockd to
> disable locking ... checking the mount_nfs man page, it lists 'lockd' as a
> deprecated option, but doesn't list 'nolockd' anywhere ...
Much as with gcc, if mount
On Apr 6, 2011, at 1:09 AM, per...@pluto.rain.com wrote:
>> People tend to take advantage of the resources they have; if you
>> have an EMC or NetApp filer handy, it might well be reasonable
>> to use it ...
>
> s/reasonable/tempting/
>
> "When the only tool you have is a hammer, every problem
On Apr 5, 2011, at 1:01 AM, per...@pluto.rain.com wrote:
> Chuck Swiger wrote:
>
>> It's fairly common to scale up a mail infrastructure from one box
>> handling both SMTP and IMAP (or POP) to a SMTP-only box writing to
>> NFS-mounted user mailboxes, and have
Hi, Rick--
On Apr 4, 2011, at 5:24 PM, Rick Macklem wrote:
>> On Apr 4, 2011, at 11:09 AM, Marc G. Fournier wrote:
>> Be careful; multiple access from different processes even on a single
>> host can still run into locking issues against NFS filesystems, or
>> data corruption if locking isn't avai
On Apr 4, 2011, at 12:37 PM, Marc G. Fournier wrote:
> Okay, next question ... if lockd is running, should fcntl locks work? My
> read of the NFS_README.html above indicates to me that they should ... but if
> that is the case, then it comes back to why doesn't it?
If rpc.lockd was bug-free and
On Apr 4, 2011, at 11:09 AM, Marc G. Fournier wrote:
> 'k, based on someone else's recommendation, I add 'nolockd' to the mount
> entry, and postfix now appears to work ... since I can safely guarantee that
> only the one host will have access to these files, that doesn't pose a
> problem for me
On Apr 4, 2011, at 12:14 PM, Marc G. Fournier wrote:
>> OK-- Cyrus IMAP uses a variant of maildir, so you're relatively safe even if
>> locking is not available.
>
> So, just to get this clear ...
>
> If I were to boot a diskless station using an NFS backend, then that instance
> would be prone
On Apr 4, 2011, at 11:58 AM, Marc G. Fournier wrote:
>> Be careful; multiple access from different processes even on a single host
>> can still run into locking issues against NFS filesystems, or data
>> corruption if locking isn't available. You're most at risk with local
>> delivery to an mbo
On Feb 18, 2011, at 1:12 PM, Oliver Lehmann wrote:
> that unfortunately requires QT for whatever reason (yeah KDE - but
> QT for a proxy??) I do not have this on my router of course :(
Most of this stuff uses subnet-local broadcasts to perform device discovery.
It would probably be a lot easier t
On Jan 18, 2011, at 6:14 AM, Axel Rau wrote:
> On 18.01.2011 at 14:40, Artyom Viklenko wrote:
>> Make sure DB2 got the ICMP need-frag message and it is not blocked.
>> Also, check sysctl variable 'net.inet.tcp.path_mtu_discovery'.
>
> Yes to both. So this is a bug in 8.1?
If DF is true and the packet e
On Jan 14, 2011, at 2:12 AM, Bruce Evans wrote:
>> On a good day, my MUA sends "Content-type: text/plain; format=flowed" and
>> should contain line breaks following the 80-character-per-line Usenet
>> conventions, which modern MUAs might well reassemble based upon the user's
>> window size. If i
On Jan 13, 2011, at 8:54 PM, Bruce Evans wrote:
>> To quote an earlier post:
>>
>> "Polling mode operation generally performs better when using older 100Mbs
>> ethernet NICs which do not support interrupt mitigation and various
>> capabilities like TSO4; gigabit ethernet NICs are smarter hardwar
On Jan 13, 2011, at 1:42 PM, Charles Owens wrote:
> This is very good news overall, in that we can certainly disable polling for
> igb. This begs the question, though, as to whether polling is recommended
> these days at all for em/igb NICs... or even in general. From other
> conversations we'
On Jan 7, 2011, at 4:26 PM, Boris Kochergin wrote:
> As everything else I can think of zero-pads them, this makes it a little
> annoying to grep for addresses, etc. Is this intentional? It is the case in
> 7.x through CURRENT and the fix is quite simple:
+1. MAC addresses should be displayed as
On Dec 13, 2010, at 11:54 AM, Gabor Radnai wrote:
> Realtek 8111 is not supported - that's the final conclusion? If so can this
> be made clear in re driver manual?
At least some people have reported the Realtek 8111 working for them.
This said, Realtek's older 10/100 NICs were infamous for bein
Hi, Rozhuk--
On Dec 7, 2010, at 11:19 AM, rozhuk...@gmail.com wrote:
> Hi!
>
> 1. ah->ar_hln - does it depend on ar_hrd?
> Yes, and for ARPHRD_ETHER is 6 (ETHER_ADDR_LEN)
> For ARPHRD_IEEE1394 - sizeof(struct fw_hwaddr)
> ah->ar_hln ignored in ether_output: bcopy(ar_tha(ah), edst, ETHER_ADDR_LEN);
On Oct 28, 2010, at 11:39 PM, Коньков Евгений wrote:
> Hello, Chuck.
Um, greetings?
> You wrote on 28 October 2010, 23:41:58:
>
> CS> On Oct 28, 2010, at 1:21 PM, Коньков Евгений wrote:
>>> [ ... ]
>
> CS> What is "sysctl kern.clockrate", and have you increased kern.hz
> CS> in /boot/l
On Oct 28, 2010, at 1:21 PM, Коньков Евгений wrote:
> [ ... ]
What is "sysctl kern.clockrate", and have you increased kern.hz in
/boot/loader.conf to at least 1000, if not 2000 or 4000?
Polling mode operation generally performs better when using older 100Mbs
ethernet NICs which do not support i
On Oct 12, 2010, at 8:30 AM, Tom Evans wrote:
>> Taking the '5.3. Master file example' in RFC1035, what is the A response
>> for 'ISI.EDU.' where the domain itself has no specific A RR? Would it
>> be that of VENERA.ISI.EDU, or that of the first A listed, ie A.ISI.EDU?
>
> That domain has an MX r
On Oct 12, 2010, at 9:30 AM, Tom Evans wrote:
[ ... ]
> That's what I said wasn't it?
>
> Oh wait, I missed the words 'If we assume it doesn't have an MX record' :/
Yep. Perhaps we are in violent agreement...? :-)
--
-Chuck
___
freebsd-net@freebsd.o
Hi, Lev--
On Jul 26, 2010, at 10:14 PM, Lev Serebryakov wrote:
> I have huge losses ("netstat -s -p tcp" shows 4% of packets, but
> 35% of bytes are retransmitted) on my internet connection, which is PPPoE over
> 100Mbit ethernet link.
This description means larger packets are having p
Hi, all--
On Apr 26, 2010, at 1:59 AM, Guido Falsi wrote:
> Regarding launchd, I don't know much about it, but I do like the rc
> system and having the boot sequence managed by scripts one can easily
> modify to taste. I'd rather not modify this system with some daemon
> performing obscure tasks b
Hi--
On Apr 6, 2010, at 8:32 AM, serena zanetta wrote:
> But first of all, I don't know how I can convert the IP_REMOTE, which is
> currently IP_REMOTE = "10.0.0.90", into a in_addr structure...
To convert a string to an IP address kept as an in_addr, you want inet_aton(),
used like so:
con
On Mar 26, 2010, at 3:08 AM, Giulio Ferro wrote:
> Outset:
> 1 NFS server (with lockd)
> 2 NFS client (with lockd)
>
> The clients serve several jails with apache, whose data (www) resides on the
> server
If you need file locking to work reliably, you pretty much have to give up on
using NFS +
Hi--
On Feb 16, 2010, at 2:09 PM, Martin Lopreiato wrote:
> note: if i use a configured address, my code works perfectly. so the
> error message i'm getting when trying to forge an ipv6 address does
> not seem to be related to a bug in my code.
You're not trying to send this traffic from a jail,
On Oct 30, 2009, at 4:46 PM, Sebastian Hyrwall wrote:
Is there any way to use /31's on ordinary ethernet links in 7.2?
"ifconfig addr dest-addr" does not work either. It keeps setting the
last ip as broadcast.
A /31 subnet is only defined for point-to-point network links, per:
http://www.
On Oct 30, 2009, at 3:37 PM, Chuck Swiger wrote:
ifconfig en0 inet 192.1.1.10 inet 192.1.1.2
Whoops-- copy-paste-typo; instead should be:
ifconfig en0 inet 192.1.1.10 192.1.1.11
On Oct 30, 2009, at 5:22 PM, Sebastian Hyrwall wrote:
A /31 subnet is only defined for point-to-point network links, per:
http://www.rfc-editor.org/rfc/rfc3021.txt
Ordinary ethernet links have BROADCAST flag set instead of
POINTOPOINT.
Well how do I set the POINTOPOINT flag and remove th
Hi--
On Jun 19, 2009, at 1:15 PM, Harti Brandt wrote:
CS>See figure 12-- I think you should be sending a RST back
I think this is too drastic. A segment is unacceptable only if it is
completely out of the window. Here part is in the window.
Well, perhaps you're right that it would be drast
Hi--
On Jun 19, 2009, at 10:44 AM, Harti Brandt wrote:
When the TCP is in SYN-SENT state (the user has called connect())
and the peer answers with an almost-lamp test packet which has SYN,
FIN, ACK and data larger than the window, TCP ACKs a window full of
data, drops the rest, but processe
On May 13, 2009, at 12:29 PM, Brett Glass wrote:
It has not been committed yet but I believe is ready to go in, you
can
find the code on the svn branch
http://svn.freebsd.org/viewvc/base/projects/l2filter/
How does one generate a diff between this code and, say, 7.1-RELEASE
or 7.2-RELEASE
On Feb 26, 2009, at 3:43 PM, Shawn Everett wrote:
Here's a weird one... I set up FreeBSD 5.2 to act as a router.
[ ... ]
Any suggestions would be appreciated.
Try upgrading to a supported version of the OS, first, then work on
debugging any deadlocks if they still reoccur.
Early 5.x ver
On Jan 16, 2009, at 3:50 AM, Eugene Perevyazko wrote:
On Fri, Jan 16, 2009 at 12:20:21PM +0300, Alexey Ivanov wrote:
Is there any command identical to:
iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT
If no, does anyone ever tried to implement this feature?
I'm thinking on implement
On Dec 19, 2008, at 9:42 AM, richard lll wrote:
I am new to FreeBSD and I am developing a program that does heavy
use of UDP multicast over the LAN. This program is incurring 90-100
percent packet loss on FreeBSD. Packet loss occurs even when a I
send just 3 packets. When I send 1000 packets
On Oct 27, 2008, at 2:53 PM, Eitan Shefi wrote:
When I change the MTU to a value greater than 1500, for example 3000,
and then send "ping" with message size 2500, from one host to the
other,
the other host gets more than one ICMP packet, even though the message
that was sent is much smaller the
Hi, all--
On Aug 6, 2008, at 11:50 AM, Bill Moran wrote:
It seems, however, that the packets would just go to local
network. Is
it possible to get packets to non-conflicting IP addresses (i.e. only
exist in either local network, or remote VPN'ed network) to go
through
the tun0 device?
An
On Jul 17, 2008, at 4:35 PM, Max Laier wrote:
David Mills' ntpd uses port 123 on both sides, true. Other NTP
implementations tend to use ephemeral ports; a quick histogram of 30
seconds or so of traffic to a stratum-2 NTP server suggests about
half
of the NTP traffic out there uses other port
On Jul 17, 2008, at 3:33 PM, Doug Barton wrote:
[ ... ]
About the ntp stuff, 2 questions. First, you did not make the same
changes in the NTP section in the second hunk as you did in the
first, is that intentional? Second, wouldn't it be better to
specify the port number (123) on both sides
David DeSimone wrote:
[ ... ]
Again, I did see these messages in my environment, but in my case, the
error was correct: The IP *was not* on the local network. The reason
being that we had multiple subnets configured on the same broadcast
domain, so the BSD box could indeed hear ARP for subnets
On Jun 27, 2008, at 3:01 PM, Freddie Cash wrote:
[ ... ]
If net.inet.ip.fw.one_pass is true, then you definitely want to
apply your
deny rules first, as once something matches a pipe rule, it's going
to be
passed. The tradeoff is that the accounting/fairness of traffic is
less
accurate but
On Jun 27, 2008, at 1:01 PM, Freddie Cash wrote:
Mainly, I'm wondering where to put the "ipfw queue" rules (the ones
that send the packets to dummynet), in relation to the packet
filtering rules, or if it even matters.
For instance, do the queue rules apply to all the rules in the set, or
only t
On May 4, 2008, at 6:32 AM, [EMAIL PROTECTED] wrote:
Can I port 4.4BSD-Lite's TCP/IP protocol stack source code to my own
OS kernel which is GPL Licence?
Modern 2- or 3-clause BSD licenses are fully compatible with the GPL,
as are most "simple, permissive" licenses like the MIT/X11, Zlib, and
On Apr 8, 2008, at 11:10 AM, Martes G Wigglesworth wrote:
When fielding a newer, less resource rich system as access point/
router,
I noticed that after about five minutes of a client securing a good
connection, the ip address of the ath0 device disappeared from the
routing table, and routed be
Hi--
On Feb 14, 2008, at 9:59 AM, Nerius Landys wrote:
Howdy folks. I have several computers behind a FreeBSD router (NAT
192.168.0.x using OpenBSD's PF) . One of those computers is a Windows
machine which is using software called "Cisco Systems VPN Client" to
connect
to some other computer
On Jan 22, 2008, at 1:44 PM, Stephen Clark wrote:
does anyone have a program that uses the divert socket to duplicate
an incoming packet so it can be
sent to another address.
Well, I assume you could start with the ipfw "tee" directive and /usr/
src/sbin/natd ...?
On Dec 10, 2007, at 11:35 PM, rihad wrote:
Pipes and queues are two different things; a pipe simulates a
network link, and a queue is used to hold packets which are
backlogged because they are arriving faster than the outbound link
(ie, a pipe) can transmit them.
So you mean queues are only
On Dec 10, 2007, at 8:56 AM, rihad wrote:
Hi,
I'm having a hard time to understand what pipe queues are with
respect to bandwidth limitation. ipfw(8) and dummynet(4) manuals
didn't help me much.
Pipes and queues are two different things; a pipe simulates a network
link, and a queue is us
On Oct 24, 2007, at 11:17 AM, Stephen Clark wrote:
I must be doing something wrong. I can't seem to get proxy arp to
work. Is there some
magic.
I have the following setup isp router 205.x.x.1 <-> 205.x.x.100/25
rl1 freebsd vr0 205.x.x.129/25
<-> 205.x.x.193/25
I'm not really sure what you
On Aug 13, 2007, at 12:19 PM, Jon Otterholm wrote:
This is a problem because some clients interpret this as an ip-
address conflict.
Are you sure that your router is issuing the ARPOP_REQUESTS?
Is the entry you've published already listed in "arp -a"?
Yes, the entry is already listed as an st
On Aug 13, 2007, at 7:34 AM, Jon Otterholm wrote:
I have a problem with proxy-arp entries.
If I add an arp-entry:
arp -s $hostip $routermac permanent pub only
the router sends an arp and replies to its own arp like:
15:40:02.074419 arp who-has $hostip tell $hostip
15:40:02.074663 arp reply $
[ I'm not sure which email address I should use when you reply to
yourself using a different addy. :-) ]
On Jul 17, 2007, at 4:24 PM, Julian Elischer wrote:
Julian Elischer wrote:
I have been looking at the following snippet of packets (under
FreeBSD 6.1).
This makes IE7 fail (but not IE6)
On Jul 13, 2007, at 1:24 PM, Stephen Clark wrote:
Designers of gateways should be prepared for the fact that
successful
gateways will be copied and used in other situation and
installations. Gateways must be prepared to accept datagrams as
large as can be sent in the maximum packe
On Jul 13, 2007, at 12:27 PM, Bill Moran wrote:
I agree with others that MTU means "limit what I transmit". It
does not
mean "limit what someone else can transmit to me."
Interesting viewpoint. I disagree with it, but I can't quote any
standard
or otherwise to support my view. You didn'
On Jun 25, 2007, at 10:46 AM, John-Mark Gurney wrote:
It's not the correct behaviour if the only packet coming back is
an Ack of
the FIN (and a FIN) because in the real world, making IE7 throw an
error
screen is not an acceptable option. This is the sort of thing
that gets FreeBSD thrown out
On Jun 15, 2007, at 12:27 AM, Jeremie Le Hen wrote:
It appears nearly impossible to firewall a NFS server on FreeBSD.
Yes and no. It's quite easy to firewall NFS along with everything
else using a "default deny" ruleset. It's highly difficult to place
a restrictive firewall ruleset betwee
On May 25, 2007, at 12:34 PM, Andrei Manescu wrote:
If I want to put two public IP addresses, with different
subnetmasks (my ISP is changing some subnets and for two months I
will be able to use two public ip addresses) on the same interface
(xl0) my rc.conf should look like this:
ifconfig_
[EMAIL PROTECTED] wrote:
Hi,
I'm looking for a network testbench / simulator to stimulate known
networking conditions to test out a component for a product at work.
I was wondering if there was a network simulator available
(preferably open source) that's FreeBSD / Linux compatible wh
On Apr 24, 2007, at 11:55 AM, Alexandre DELAY wrote:
Why not, but my problem is that my NFS server must accept 300 clients.
Using a VPN for each client will probably use a lot of processor
resources.
Moreover I'm not sure it is possible to get so many VPN connections
on a
server.
For 300 c
On Apr 24, 2007, at 11:19 AM, Alexandre DELAY wrote:
I am searching for a solution to my problem.
I have a fixed NFS server connected to Internet. Clients have
dynamic IP
addresses. How can I secure the clients' NFS connections?
Setup and use a VPN so that the clients appear to be on a trusted
Stefan Lambrev wrote:
I'm having very strange problem.
I have near 200 sockets reported by netstat -An, which are NOT reported
by sockstat and fstat.
All of them look like (output from netstat -An) :
ff0169282000 tcp4 0 0 192.168.13.12.4965
192.168.13.3.8080 FIN_WAIT_2
I'm
On Mar 20, 2007, at 3:31 PM, Jon Otterholm wrote:
Basically I have a admin-net where all routers and switches are
connected. On this net I have a nagios-machine for surveillance
(running
FreeBSD). Sometimes when my Nagios sends icmp-echo-replies to
equipment
on my admin-net my FreeBSD-router
On Feb 12, 2007, at 7:16 AM, Fernando Gont wrote:
Looking at FreeBSD's TCP implementation, I see that by default,
ephemeral ports are selected from the range 49152-65535. This means
that only 15K ports out of the available 65K port range are used
for ephemeral port selection.
You can chang
On Jan 16, 2007, at 10:40 AM, Randall Stewart wrote:
"reserved" means one "SHOULD NOT" use that port, where the phrase
in caps is defined in RFC-2119 (http://www.ietf.org/rfc/rfc2119.txt).
[ ...format-flowed quoting trimmed... ]
So let me see if I understand the statements above..
We are usin
On Jan 16, 2007, at 5:15 AM, Randall Stewart wrote:
So... I guess this really leads to a question..
What does "reserved" mean by IANA.
"reserved" means one "SHOULD NOT" use that port, where the phrase in
caps is defined in RFC-2119 (http://www.ietf.org/rfc/rfc2119.txt). And:
http://en.w
On Jan 12, 2007, at 2:13 PM, Bruce M. Simpson wrote:
Ricardo Nabinger Sanchez wrote:
But port 0 has special meaning to the kernel (ie, "give me some
random
port"). Also, it is a reserved one. Please check IANA:
http://www.iana.org/assignments/port-numbers
I'm afraid you'll have to
Fabrício Barros Cabral wrote:
Hello everybody!
I'm developing a network application which needs *to intercept* a packet
(not just *copy* a packet, like libpcap does), move this packet into my
application (userland), do some checking in the packet and according
with some heuristics, the applicati
On Dec 14, 2006, at 9:41 AM, Benjamin Adams wrote:
employees are killing the network with torrents. anyone know a
company where
I can get a box to monitor traffic and kill torrents. Thanks
PS Not looking to build a firewall this time.
If you plan to restrict network traffic, then you're look
On Dec 6, 2006, at 10:38 AM, Brett Glass wrote:
Is adding a hub or a bridge a topology change? I'd argue that it
wasn't.
Um. Adding a normal client machine to an existing hub or switch does
not constitute a topology change. Adding a new hub or bridge most
certainly would constitute a top
On Oct 18, 2006, at 9:33 AM, Brent Marsh wrote:
I've been working with FreeBSD machines on and off for several
years now. I
am looking to set up my first network. First for home, and second
for an
office environment. I want to make sure I follow 'industry
standards' so my
network will hav
On Oct 17, 2006, at 10:06 AM, Tobias P. Santos wrote:
We recently bought a Dell Server with 4GB RAM.
Then, we installed FreeBSD 6.1/i386 but it only detects 3.5GB of
RAM. So we recompiled the kernel with PAE option and now we have
4GB available.
It might be reasonable to simply live with ge
On Sep 12, 2006, at 5:56 AM, Andre Oppermann wrote:
Now I can't but do some nitpicking :-) In if_vlan.c, the "inenc"
variable is set to 0 or 1 depending on the branch taken in the
if-else clause. Then why to initialize it at its definition? I
think that the better style would be:
int i
On Aug 25, 2006, at 12:24 PM, Pat Lashley wrote:
I would be entirely happy if FreeBSD could do better than MacOS
with regard to
this matter, but my observation suggests that the dudes working
on this at
Apple have a working implementation which is becoming widely used
in userland
applicat
On Aug 24, 2006, at 6:29 PM, Pat Lashley wrote:
Mac OS X implements media sense where the hardware and driver
support
it. When the network media indicates that it has been connected,
the
autoconfiguration process begins again, and attempts to re-use the
previously assigned Link-Local addre
On Aug 24, 2006, at 3:10 PM, Fredrik Lindberg wrote:
Queries to 254.169.in-addr.arpa MUST return NXDOMAIN (or RCODE 3,
to choose a non-BIND specific term).
We're talking about mDNS here, not DNS. I would argue that because
mDNS is link-local it makes perfect sense to be able to resolve
254.169