On Thu, Feb 10, 2011 at 5:23 PM, Joe Holden wrote:
> On 10/02/2011 15:56, Jeremy Chadwick wrote:
> There is 'ipfw-classifyd' which has been somewhat improved by the pfsense
> team in order to support pf - I don't have the exact url to hand, but IIRC
> it is hosted on googlecode somewhere.
>
> It d
On Fri, May 29, 2009 at 5:41 PM, Giulio Ferro wrote:
> As far as I know the natt patch hasn't been included in the source tree yet.
> This fact notwithstanding, is there a patch I can download and apply
> manually? I need it rather badly...
There sure is. bz@ sent this over for testing and we ar
On Tue, May 26, 2009 at 9:31 AM, Ermal Luçi wrote:
>> Perhaps mpd has grown hooks for this sort of thing?
> MPD has the hooks but you have to tweak the initialization. Take a
> look at mpd.script
Yes, it appears MPD should work. I have been trying to get MPD5 to
work with my 3G cards on 8 but it
On Tue, Apr 28, 2009 at 1:28 PM, Bjoern A. Zeeb wrote:
> On Tue, 28 Apr 2009, Scott Ullrich wrote:
[snip]
> I have NAT-T on top of that. And I am currently doing the whatever
> you'll call it 'final pass', will send it back to Yvan once I am done
> with the last 2
On Tue, Apr 28, 2009 at 8:07 AM, VANHULLEBUS Yvan wrote:
> See recent archives, there is actually an issue with the patchset, as
> there are no more available bits in struct inp's flags.
> We're working on that to find and implement the best solution.
Hi,
Ermal Luci recently whipped the pfSense'
On Wed, Apr 15, 2009 at 3:12 AM, VANHULLEBUS Yvan wrote:
> Actually, not, because there are no bits left in inp_flags, so we are
> actually looking for another location to put them.
Sounds good and thanks for the information. We will be happy to test
the next patch when it's ready.
Thanks for
On Thu, Feb 26, 2009 at 10:11 AM, VANHULLEBUS Yvan wrote:
> On Tue, Feb 17, 2009 at 02:41:41PM +, Bjoern A. Zeeb wrote:
[snip]
>> We have about 3 months left to get that patch in for 8; ideally 6
>> weeks. Can you update the nat-t patch in a way as discussed here
>> before so that the extra a
On 8/21/08, Julian Elischer <[EMAIL PROTECTED]> wrote:
>
> Does anyone know whether the above mentioned bsd systems boot to a ram
> disk or keep their filesystem on the flash/disk?
pfSense keeps the filesystem and m0n0wall runs out of a memory backed system.
Hope this helps,
Scott
On Wed, Jun 25, 2008 at 4:24 PM, Julian Elischer <[EMAIL PROTECTED]> wrote:
> do you have the ability to test this?
Absolutely. Is this the only thing preventing it from being merged into HEAD?
Scott
___
freebsd-net@freebsd.org mailing list
http://lis
On Wed, Jun 25, 2008 at 3:53 PM, Bjoern A. Zeeb
<[EMAIL PROTECTED]> wrote:
> if it would be that easy, it would have happened 2 years ago.
What can we as a community do to assist in making this easier and doable?
Scott
On Wed, Jun 25, 2008 at 3:33 PM, Yuri Lukin <[EMAIL PROTECTED]> wrote:
> I believe the original author of the patch has one that should work with
> current:
>
> http://vanhu.free.fr/FreeBSD/
Even better.
Looks like http://vanhu.free.fr/FreeBSD/patch-natt-freebsd-HEAD-2008-03-19.diff
might be sem
On Wed, Jun 25, 2008 at 2:36 PM, Julian Elischer <[EMAIL PROTECTED]> wrote:
>
>
> where is the patch?
>
>
The version that we use in RELENG_7_0 is located here:
http://cvs.pfsense.org/cgi-bin/cvsweb.cgi/tools/patches/RELENG_7_0/patch-natt-freebsd7-2008-03-11.diff?rev=1.1;content-type=text%2Fplain
On Tue, Jun 24, 2008 at 11:54 PM, Norberto Meijome <[EMAIL PROTECTED]> wrote:
> On Tue, 24 Jun 2008 22:01:46 -0500
> mgrooms <[EMAIL PROTECTED]> wrote:
>
>> Is anyone currently looking at the IPsec NAT-T patches? I posted a similar
>> question several months ago around the FAST_IPSEC + IPv6 integra
On 6/3/08, Jon Otterholm <[EMAIL PROTECTED]> wrote:
> Hi.
>
> Are there any plans to implement option carpdev to carp in FreeBSD?
>
> //Jon
See the freebsd-pf archives. Max has a patch ready for testing and
needs more wide-spread testing.
Scott
On 1/24/08, Alexandre Vieira <[EMAIL PROTECTED]> wrote:
> FYI
>
> http://www.freshports.org/net/relayd/
>
> kudos to kuriyama@
>
> --
> Alexandre Vieira - [EMAIL PROTECTED]
Yay! Thanks to everyone involved in bringing this over. I was about
to start porting this and you just saved me a lot of ti
On 11/15/07, Jack Vogel <[EMAIL PROTECTED]> wrote:
> It's IN the chipset, so if it's AMD based you won't have it :)
Thanks for the clarification. I'll be sure to buy all Intel parts on
the next server :)
Scott
On 11/15/07, Doug Ambrisko <[EMAIL PROTECTED]> wrote:
> Hmm, I forgot about the 2970 which are AMD based. Can you check the
> BIOS to see if there is an option to turn it on? I think this is an
> Intel feature. AMD might have something close? We have one 2970
> that we've played with a little b
On 11/15/07, Doug Ambrisko <[EMAIL PROTECTED]> wrote:
> FWIW, several of us should have motherboards that support it now.
> For example the Dell PE29XX/PE1950 line now has support if you upgrade
> old machines to a newer BIOS and then turn it on in the BIOS setup.
> I'm not sure what em(4) cards su
On 9/24/07, Christopher Cowart <[EMAIL PROTECTED]> wrote:
> On Sat, Aug 18, 2007 at 03:58:16PM -0400, Scott Ullrich wrote:
> How are you detecting when racoon gets wedged? I'd like to replicate
> that on our systems.
Our script is primitive at best but does seem to d
On 8/20/07, George V. Neville-Neil <[EMAIL PROTECTED]> wrote:
>
> Your racoon config, if you could send it to me, would be helpful.
Not a problem. Look for an email from "Seth" in your inbox in the
next day or so (he is in Europe on a different time schedule).
Thanks again for your help, Georg
On 8/20/07, VANHULLEBUS Yvan <[EMAIL PROTECTED]> wrote:
> I tracked down the problem a few years ago, on FreeBSD 4.11, with
> KAME's IPSec stack.
>
> But the problem was not really in the stack itself, but rather in
> socket processing (in other words: not in netkey/*, but in
> kern/uipc_socket2.c)
On 8/18/07, VANHULLEBUS Yvan <[EMAIL PROTECTED]> wrote:
[snip]
> It really looks like an old "known" (well, at least known by me...)
> problem with PFKey interface: it is quite impossible to set up more
> than 50-100 tunnels on a standard FreeBSD (and probably any other KAME
> based stack), because
Hello!
We are trying to track down a problem that involves a large number of
ipsec tunnels (in this case 80). Frequently racoon (ipsec-tools
0.7rc1 and also 0.6) will deadlock into the sbwait state or will enter
a 100% cpu usage state and will not recover without killing the
process and restartin
On 8/17/07, Scott Ullrich <[EMAIL PROTECTED]> wrote:
> Hello!
>
> We are trying to track down a problem that involves a large number of
> ipsec tunnels (in this case 80). Frequently racoon (ipsec-tools
> 0.7rc1 and also 0.6) will deadlock into the sbwait state or will ent
On 10/3/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
Max Laier <[EMAIL PROTECTED]> wrote:
> On Tuesday 03 October 2006 01:40, [EMAIL PROTECTED] wrote:
> > Here is the article I read about patch for PF:
> > http://www.mail-archive.com/freebsd-pf@freebsd.org/msg01315.html
> > Where can I
On 18 Sep 2006 18:00:53 -, Larry Baird <[EMAIL PROTECTED]> wrote:
From my testing on a new 6.x box I just set up, I was wondering if
this was the step that was being left out. Glad to hear it was something
easy.
Thanks for all of the help, I am now up and running after the
installworld.
On 9/18/06, Bjoern A. Zeeb <[EMAIL PROTECTED]> wrote:
On Mon, 18 Sep 2006, Scott Ullrich wrote:
> 1. Reinstalled kernel with NAT-T support
you need to re-install the includes/header files too (which is part of
installworld).
Okay, now that makes more sense. For the record, I
On 9/18/06, VANHULLEBUS Yvan <[EMAIL PROTECTED]> wrote:
By default, I have set the value of port's configuration to "kernel",
which is exactly "use it if supported".
I just checked ./configure --enable-natt=yes (which forces NAT-T
support) on a FreeBSD 6.1 without NAT-T patchset, and I got that:
On 9/17/06, VANHULLEBUS Yvan <[EMAIL PROTECTED]> wrote:
Make sure your ipsec-tools port has been recompiled after your system
has been patched / compiled / upgraded, and use
/usr/local/sbin/setkey.
FreeBSD's setkey does not (yet ?) support NAT-T extensions at all.
I tried both /sbin/setkey an
On 9/15/06, Larry Baird <[EMAIL PROTECTED]> wrote:
Just to be sure I understand the issue. You have a kernel built
with the FAST_IPSEC NAT-T patches but without the IPSEC_NAT_T option.
Your VPNs work but you are unable to dump your SAD entries.
No, I have it built with options IPSEC_NAT_T and
On 9/15/06, Larry Baird <[EMAIL PROTECTED]> wrote:
On Thu, Sep 14, 2006 at 09:43:38PM -0400, Scott Ullrich wrote:
> On 9/14/06, Larry Baird <[EMAIL PROTECTED]> wrote:
> > Please find attached two patches for adding FAST_IPSEC NAT-T support to
> > FreeBSD 6.x. Th
On 9/14/06, Larry Baird <[EMAIL PROTECTED]> wrote:
Please find attached two patches for adding FAST_IPSEC NAT-T support to
FreeBSD 6.x. The patch "freebsd6-fastipsec-natt.diff" is dependent
upon Yvan's IPSEC NAT-T patch "freebsd6-natt.diff" which can be found at
http://ipsec-tools.cvs.sourceforg
On 9/4/06, Bjoern A. Zeeb <[EMAIL PROTECTED]> wrote:
the patch only supports kame ipsec. I guess that's the problem. Could
you try it building with kame ipsec instead of fast_ipsec and let us
know if that worked?
That may work okay but then would I lose HIFN support, etc?
Scott
On 9/4/06, Eric Masson <[EMAIL PROTECTED]> wrote:
Yvan's patch addresses NATT only with KAME stack.
He's been talking about work in progress regarding NATT support with
FAST_IPSEC on ipsec-tools-devel.
Thanks for the clarification. I look forward to when this works with
FAST_IPSEC as well :
On 9/4/06, Bjoern A. Zeeb <[EMAIL PROTECTED]> wrote:
Are you sure this is a clean RELENG_6_1 with the correct patch?
MD5 (freebsd6-natt.diff) = 5e7bb5a3203c8959928bf910d5498140
Yes it was a clean RELENG_6_1.
I compiled this on i386 and amd64 just a few days ago and everything
was fine.
Perhap
On 9/4/06, Bjoern A. Zeeb <[EMAIL PROTECTED]> wrote:
It does apply and compile to RELENG_6_1 and RELENG_6 of some days ago
(unless you do not enable the option after applying the patch).
At least it did for me.
I am partly fine with the "does not work" (in all cases). I am
currently debugging thi
On 9/4/06, Norikatsu Shigemura <[EMAIL PROTECTED]> wrote:
I'm finding IPSec NAT-Traversal support patch for 6-stable and
7-current. But I could only find it for 6.0-R and 4-stable:-(.
Where is IPSec NAT-T support patch?
And why does IPSec NAT-T support be committed
On 7/8/06, Andre Santos <[EMAIL PROTECTED]> wrote:
Are there any known compatibility problems between dummynet and PF rdr rules?
When I try to combine both, the packets seem to simply disappear.
[snip]
I can confirm this behavior. Glad someone else noticed as it would
happen when we try to us
On 6/16/06, Max Laier <[EMAIL PROTECTED]> wrote:
I think it should get a "device enc" on its own. Some people might consider
enc(4) to be a security problem so getting it with FAST_IPSEC automatically
isn't preferable.
You have to specifically create the enc0 interface (ifconfig enc0
create) b
On 6/16/06, Max Laier <[EMAIL PROTECTED]> wrote:
Think tunnel2tunnel or an SA for a local connection, then. Given, if you are
root you *might* have other means to obtain that information, but that is why
we have a switch to turn off bpf, kmem or the like.
Gotcha. Thanks for clarifying :)
Sco
On 6/16/06, Max Laier <[EMAIL PROTECTED]> wrote:
The issue is, if an attacker manages to get root on your box they are
automatically able to read your IPSEC traffic ending at that box. If you
don't have enc(4) compiled in, that would be more difficult to do. Same
reason you don't want SADB_FLUS
On 6/7/06, Sergey Matveychuk <[EMAIL PROTECTED]> wrote:
It was discussed in [EMAIL PROTECTED] Shortly, USB stack should be rewritten.
The patch can be found at
http://www.turbocat.net/~hselasky/usb4bsd/index.html
Interesting. Do you have an updated patch set for RELENG_6_1? If
not, I guess I
On 5/26/06, Jan Zorz <[EMAIL PROTECTED]> wrote:
> > On which interface you try to setup carp? Fiber, copper, which brand?
>
> em(4), copper. Does it matter?
Yup. For me works well on em (copper), but not at all on em (fiber).
Patch is on its way... (somewhere).
/jan
Until they hit the tree
On 5/25/06, dima <[EMAIL PROTECTED]> wrote:
That's not true. I have several CARP deployments on 5.x. None of them either
adds this route or writes anything to logs.
I cannot speak for 5.X. I speak only for RELENG_6_X.
Looking back I cannot recall if this was the behavior that I saw when
we w
On 5/25/06, Marko Lerota <[EMAIL PROTECTED]> wrote:
> and such error in /var/log/messages:
> arp_rtrequest: bad gateway (!AF_LINK)
This behavior has been the case for as long as CARP has been in the
kernel. I have seen it ever since starting the pfSense project.
It appears to be harmless in
On 5/2/06, Iasen Kostov <[EMAIL PROTECTED]> wrote:
[snip]
Btw what is the status of the multi-session to the same
point PPTP NAT (e.g call ID tracking) ?
PF's NAT has the same problem. We have this come up quite often on
pfSense where someone wants to make multiple connections through the
fir
On 4/6/06, Nate Nielsen <[EMAIL PROTECTED]> wrote:
> A thousand apologies if announcing this here is inappropriate, but since
> it's related to FreeBSD's very own bsnmpd...
>
> bsnmp-regex is an SNMP module that allows one to create arbitrary
> counters from logs, program output or other text.
>
>
On 4/3/06, Sam Leffler <[EMAIL PROTECTED]> wrote:
> Eric W. Bates wrote:
> > I'm running pfsense (an embedded FreeBSD 6.1) on a wrap2C. I recently
> > added a Soekris vpn1411 and am now getting infrequent errors:
> >
> > hifn0: rndtest: ones interval 4 failed (382, 251-373)
> > hifn0: rndtest: one
2002 10:19 AM
To: 'Scott Ullrich'; 'John Angelmo'; [EMAIL PROTECTED]
Subject: RE: "dynamic" ipfw
nice project page, does it do anything?
-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 20, 2002 5:23
Title: RE: "dynamic" ipfw
Check out http://www.bsdshell.com 's EtherFirewall project. It will allow you to maintain MAC addresses with your IPFW rules.
Now regarding the hostname to ip address conversion for firewall rules. I have a feeling it is translating the IP address at the time of
April 02, 2002 6:36 PM
> To: Scott Ullrich
> Cc: 'Barney Wolff'; [EMAIL PROTECTED]
> Subject: Re: HUT Project
>
>
> On Tue, Apr 02, 2002 at 12:00:30PM -0500, Scott Ullrich wrote:
> > The HUT Project includes FreeVRRPD. Since Sebastien hasn't
Title: RE: HUT Project
The HUT Project includes FreeVRRPD. Since Sebastien hasn't rung in here, I will try to clear the air.
Sebastien and I are currently rewriting FreeVRRPD to take care of the remaining RFC issues and to clean up the ARP code. The new version will be completely RFC comp
52 matches