Is there a write-up anywhere about what variables are tuneable, where to
look to see if they need tuning and what the downsides/ramifications are?
I already discovered kern.ipc.maxsockbuf needs to be raised to accommodate
raising the various send and recv spaces. =)
Greets,
DocWilco
Hi all,
I'm working with a few others to get everything in gear for the network at
QuakeCon (www.quakecon.org). One part of that event is a huge Bring Your
Own Computer LAN with a 1250 PC capacity, for which we will provide a
number of servers running a ton of gameservers.
One problem we've h
At 13:36 9-4-2002 +0200, Dennis Pedersen wrote:
>Uhm okay, but where do I see the port number for the 2 natd processes? Can
>I specify it somewhere or?
From natd(8):
-port | -p port
Read from and write to divert(4) port port, distinguishing
packets as
At 12:16 9-4-2002 +0200, Dennis Pedersen wrote:
>But uhm is there a 'simple' way of doing this? (as in just adding the IP of
>the other end's gif interface as destination in my routes?
>The setup today is an exact copy of (other IP's of course)
>www.freebsddiary.org/ipsec-tunnel.php
>This works just
At 14:20 8-4-2002 -0700, Lars Eggert wrote:
>There are no IPsec tunnel devices in KAME. IPsec defines "security
>associations" (SAs), which are not represented as devices in the routing
>table in KAME. Thus, you can't use routes to direct traffic into these
>tunnel mode SAs, you need to set up you
At 13:07 8-4-2002 -0500, Matthew wrote:
>check out this link... they were a great deal of help to me when i went
>to setup ipsec on freebsd...
>
>Best wishes
> Hytekblue
>
>http://www.x-itec.de/projects/tuts/ipsec-howto.txt
Unfortunately this howto, like any other mention of IPsec & tu
At 20:04 8-4-2002 +0200, Rogier R. Mulhuijzen wrote:
>My question is, can one get IPsec tunnel mode to work in BSD, and how is
>it done? I do not need a lengthy story, a few terse pointers would be
>quite enough.
Pardon me. I meant FreeBSD not BSD.
Doc
To Unsubscribe: sen
I've been following the KAME vs. OpenBSD IPsec thread somewhat, and I
gather that IPsec tunnel mode is not the same as using the gif interface
(which is IPIP).
My question is, can one get IPsec tunnel mode to work in BSD, and how is it
done? I do not need a lengthy story, a few terse pointers
>
>I'm still not able to ping other hosts on the LAN or the firewall (gateway).
>
>What have I forgotten?
Is the net.inet.ip.forwarding sysctl set to 1?
(gateway_enable="YES" in /etc/rc.conf to set on boot)
Doc
With Windows this would be a bit dodgy though. Even if it is stored in the
registry, I doubt it reflects runtime values. And thus you still don't know
whether or not the MTU setting is accepted from the DHCP server.
I would suggest using tcpdump or some other sniffing tool to see how large
th
At 09:53 5-3-2002 -0800, Julian Elischer wrote:
>The bpf node acts as a programmable packet filter, able to divert
>packets according to a program loaded into it using the normal
>bpf virtual machine.
>
>see
>man ng_bpf for more details.
What Julian means is, the bpf node is used to route some p
At 12:42 4-3-2002 +1100, Brendan Kosowski wrote:
>In situations where there are 2 routes in your routing table that apply to
>a given destination IP address, how do you give one route priority over
>the other ?
The one with the widest netmask is used.
So if you have both 10.0.0.0/8 and 10.42.69.
Hi all,
I plugged my RealPort card into my brand new IBM ThinkPad a few days ago
and found that it was not working. I knew it worked on my old notebook with
an older release of FreeBSD so I went digging.
At first I thought the fact that my PCMCIA controller doesn't like 0xd
as base addres
At 17:58 20-2-2002 +1100, Brendan Kosowski wrote:
>Hi,
>
>My ed0 interface has been set up using a typical LAN style IP address of
>192.168.1.100.
Can you supply the output of 'ifconfig' and 'netstat -rnf inet'?
Doc
At 21:19 19-2-2002 +0100, Marcel de Vries wrote:
>I use mpd to setup a PPTP (gre encapsulation) connection between interface
>ep0 (public) and my Alcatel ADSL modem.
>Don't ask me why but it's the concept of a BIG telecom company we all love
>to hate in the Netherlands. KPN TELECOM.
>
>And most
At 02:48 19-2-2002 -0600, Nick Rogness wrote:
>On Sun, 17 Feb 2002, Zviratko wrote:
>
> >
>[SNIP]
> >
> > I will try that, but I guess default route has precedence over ipfw.
>
> Not in the case of ipfw fwd. The routing decision seems to be
> made before ipfw fwd changes the packe
At 22:25 14-2-2002 +0100, Rogier R. Mulhuijzen wrote:
SNIP
Oops, forgot a few rules at the end (bad copy/paste)
So here it is again.
tl0 is the interface on internal LAN
lnc0 is the interface on external LAN
#divert all http requests from internal network to quid
>>the reply was that keep-state and natd are very hard to use
>>together, and besides it is rather useless because natd is stateful
>>by itself.
>natd is stateful, but provides no protection for inbound IP traffic
>that is destined for the filtering host itself.
I have personally looked at natd
At 21:14 6-2-2002 -0800, Archie Cobbs wrote:
>Andrew Reilly writes:
> > Presumably this is simple pilot-error: I should either have put
> > all of the netgraph options into my kernel or none. But perhaps
> > this indicates an error with one kldload being taken too strongly,
> > and short-circuitin
At 12:07 2-2-2002 -0800, R.P. Aditya wrote:
>On Sat, Feb 02, 2002 at 08:32:49PM +0100, Rogier R. Mulhuijzen wrote:
> > ICMP is an IP protocol, if the very first rule in IPFW is 'allow ip from
> > any to any' then ICMP is allowed.
>
>uh, that might be ipfw-speak
>#>Server have not any filters. ipfw support is compiled in, but first rule
>#>is 'allow ip from any to any' and dump which you can see below was made
>#>on server.
>
> yeah, but icmp is its own protocol, so you're probably filtering it
>and bpf will see it because it sees what comes in
(order of quoted mail slightly altered)
>I'm looking at making natd into a kernel option ("options IPNAT") and using
>a combination of sysctls and a front-end program to manage how nat operates,
>much like "options IPFIREWALL" and ipfw works today.
I've been kicking around the idea of making it
At 23:46 26-1-2002 +0100, Clemens Hermann wrote:
>Hi,
>
>Is there a way to get natd to reload the config-file without terminating?
>The only way I found is to stop natd and then start it again.
I am afraid that natd is extremely simple, and does not allow any control
after it has been started.
At 04:58 20-1-2002 -0600, [EMAIL PROTECTED] wrote:
>First off if this shows up as html, I apologize, I'm temporarily using a
>web based client. This email contains my configuration files so is kind of
>long but I hope this will give as much information as possible.
Hi Florent,
You use:
struct opts {
    int level;
    int name;
    int value;
} myopts;
myopts.level = SOL_SOCKET;
myopts.name = SO_REUSEPORT;
myopts.value = 1;
But socket options (on this level) are a predefined struct. Here's an
example from some co
>ret = NgSendMsg(cs, epath, NGM_KSOCKET_COOKIE, NGM_KSOCKET_SETOPT,
>                (struct ng_ksocket_sockopt *)&myopts,
>                sizeof(myopts));
>
>return error 14 "Bad address".
Could it be that your path to the node is not correct? (missing a : maybe...?)
Doc
the 'all' mode on one2many maybe?
Doc
At 14:58 15-1-2002 -0800, you wrote:
>ok..
>I'll see if I can come up with a way to hook multiple netgraph nodes to an
>ethernet node...
>(but since my daughter was born yesterday I'm a little distracted at the
>moment :-)
>
>julian
>
>
>On Tue, 15
>Uh, nowhere? That is the required behavior. 255.255.255.255 is the
>_local_ broadcast address. It never crosses a router.
If you want broadcasts to work between all 4 10.* networks you will have to
bridge between them and make the netmask a little wider so that they're all
in the same IP subn
> > I've used bridging with tap devices plenty. Works fine for me.
>
>What bridging method do you use with tap device ?
>option BRIDGE in kernel method OR netgraph bridging method?
Netgraph bridging.
> > TAP devices don't actually work unless there's a process that has the
> /dev/ entry
> > op
At 07:39 3-1-2002 -0500, you wrote:
Hello:
I want to create pseudo ethernet devices to simulate many NICs on
a PC. In Solaris, we can do "ifconfig hme0:1 10.1.1.1 up",
hme0:2 etc to create logical interfaces. I am trying to do a similar
thing on FreeBSD. But after searching the archives, I find
>As I said earlier, packets which route through ipfw/natd get unencrypted and
>make it to the remote subnet just fine.
>
>Looking at 'ipfw -a l' it seems that the ESP packets are being received
>_after_ being diverted to natd, but just
>not sent to the socket:
I'm no IPsec expert (still some
>I have used ng_eiface nodes implemented by Vitaly
>(available at http://www.riss-telecom.ru/~vitaly/) for interface1/2. I
>have set fxp0 in promiscuous mode.
Have you tried 'setautosrc 0' on the fxp0: node?
DocWilco
> > > > Everybody is saying use 255.255.255.255 for an alias. No one is giving
> > > > reasons why.
>
>Exactly. I never got a good answer to this when I first stumbled upon it,
>and I still haven't. All I know is that this is the way it needs to be done
>in order for things to work properly.
Ok
At 22:49 26-2-01 -0500, Matthew Emmerton wrote:
> > > do 'netmask 255.255.255.255' instead or 'netmask 0x' since this
>is
> > > an alias... for some reason otherwise services may not bind to the ip
> > > correctly
> >
> > Why would this be? The two are numerically equivalent.
He's sayin
At 01:06 27-2-01 +0100, Tobias Fredriksson wrote:
>On Mon, 26 Feb 2001, Drew J. Weaver wrote:
>
> > Say I have a main server Ip address of (This is completely made up)
> > 209.190.53.51, and I have 32 IP addresses blocked to it on 209.51.193.32-64
> > (or whatever, this is an example) woul
At 10:27 26-2-01 -0500, you wrote:
Say I have a main server Ip address of (This is completely
made up) 209.190.53.51, and I have 32 IP addresses blocked to it on
209.51.193.32-64 (or whatever, this is an example) would this alias line
still be valid for that? I've never done a server wher
> > I plan to design a netgraph as follows:
> >
> >              iface1
> >             /
> > fxp0 <-> bpf
> >             \
> >              iface2
>
>I forgot to add in my previous response that you'd have to do this like:
>
>fxp0: <--> bpf <--> bpf <--> interface0
> \\
>
At 18:07 22-2-01 -0500, Peter Brezny wrote:
>Hello,
>
>I've just added a second external interface to a machine. I'd like to not
>have to duplicate all the rules that involve outside interfaces.
>
>
>I've got rules like
>
> $fwcmd add deny all from 0.0.0.0/8 to any in via $oif
>
>is it po
At 19:11 15-2-01 -0800, you wrote:
>Hello there,
>
> I am trying to set up a simple network at home.
>Here is my existing setup:
>1) I have a DSL router which does NAT which everyone
>on the LAN connects to. The address for the DSL
>router is 1.2.3.1
Bad idea. For internal networks you shoul
> > I actually tried to set the ports on the 3COM switch up as trunk
> > ports, it didn't work right. Maybe 3COM is doing something entirely
> > different.
>Prolly. FEC is cisco-specific thingy, like ISL...
There's an IEEE standard these days for link aggregation. 802.3AD if I'm not
mistaken. W
At 23:42 6-2-01 -0800, Alfred Perlstein wrote:
>* [EMAIL PROTECTED] <[EMAIL PROTECTED]> [010206 22:19] wrote:
> > Hi
> > Could you tell me how to implement the callback mechanism in FreeBSD?
>
>see the signal manpage for an example of how to specify a callback
>parameter.
When I read his question
Not your culpa at all. It was my patch and I made a dumb mistake.
*tries to hide face in shame*
DocWilco
At 12:07 5-2-01 -0800, you wrote:
>Ok, mea culpa
>
>I figured it out..
>Luigi.. does this fix it?
>
>
> (void)memcpy(&itaddr, ea->arp_tpa, sizeof (itaddr));
> TAILQ_
At 22:50 4-2-01 +, Brian Somers wrote:
> John Telford wrote:
> >
> > I'm putting a 4.2 R firewall in for a pppoe connection.
(sympatico)
> > Is there any workaround I can use so I don't have to reduce the
MTU on all
> > the internal stations ?
> > It's a mix of Windows 9x and Macs. And I've f
At 10:22 4-2-01 -0800, Julian Elischer wrote:
>John Telford wrote:
> >
> > I'm putting a 4.2 R firewall in for a pppoe connection. (sympatico)
> > Is there any workaround I can use so I don't have to reduce the MTU on all
> > the internal stations ?
> > It's a mix of Windows 9x and Macs. And I've
>ed0: port 0xd400-0xd41f irq 9 at device 9.0
>on pci0
>ed0: address 00:80:48:c6:1d:ec, type NE2000 (16 bit)
>pcn0: port 0xd000-0xd01f mem
>0xe700-0xe71f irq 9 at device 10.0 on pci0
>pcn0: Ethernet address: 00:20:78:b1:74:4a
>xl0: <3Com 3c900-TPO Etherlink XL> port 0xb800-0xb83f irq 1
At 14:26 3-2-01 -0800, Rich Wales wrote:
>I'm running -STABLE (cvsup'ed on 26jan2001) on a machine with the
>BRIDGE option, bridging between two PCI NICs (rl0 and xl0).
>
>I'm having ARP problems. Machines on the "rl0" card are unable to
>get a hardware address for the bridge. (For whatever reas
>ok I understand now...
>I thought you were saying that the netgraph code was acting differently
>to how I believe it should act.
Nope that was the legacy bridge.
> > Exactly if there's just one interface when netgraph bridging is on. Why?
> > Why just one interface? Now that my kernel is patche
> >I have a question about FreeBSD and I'm hoping you
> >can steer me in the right direction. We currently have a BSD box that is
> >acting as our firewall with a NT domain behind it. We want to set up VPN
> >solution where a client (running NT or Win2K) can access the internal NT
> >server thr
At 00:48 3-2-01 -0800, Julian Elischer wrote:
>"Rogier R. Mulhuijzen" wrote:
> >
> > I found this while experimenting with both "legacy" bridge and ng_bridge.
> > The bridging code doesn't check its activation everywhere so when I started
> > us
I found this while experimenting with both "legacy" bridge and ng_bridge.
The bridging code doesn't check its activation everywhere so when I started
using an ng_bridge node I started getting weird errors.
Patch is rather simple, can someone submit this?
DocWilco
>Date: Mon, 29 Jan 2
At 07:07 2-2-01 -0800, you wrote:
>Luigi Rizzo wrote:
> >
> > > There's one downside though. You can get statistics from the bridge
> node on
> > > packets and octets passed through the different parts of the bridge
> > > setup, but it's not IP based. Also using that bridging code there's no
>
1) Is anyone working on the bridging code? I'm going to extend the
ng_bridge node with Spanning Tree Protocol and I wouldn't want to be
duplicating work. I checked in -current, but I thought I'd check on -net as
well. (And -arch because of my next question)
2) Where does one draw the line at h
> Use the ng_bridge node if you want to have precise control over which
interfaces are being bridged.
Another thing, be careful when you enable the netgraph node when you have
BRIDGE compiled into your kernel.
2 reasons:
1) if you have the bridging code activated you'll get broadcast loops
> > Moreover, concerning the bridge, I was wondering if
> > there is a way not to put a third interface in promiscuous
> > mode. As this third nic exists only for management purposes
> > I don't want it to participate to the bridge in any way.
Use the ng_bridge node if you want to have precise c
>are there any recommendations how to get IP-accounting to work on
>FreeBSD? I have switched from ipf to ipfw so now I need a new way to
>keep track of the IP-traffic passing my machine.
>I have a machine with 30 IP-aliases.
>The least thing I need is a monthly summary of the full amount of
>IP-