Re: if_ipsec

2012-06-08 Thread Stephen Clark
On 06/08/2012 01:31 PM, Eugene M. Zheganin wrote: Hi. I have an idea about a new networking feature in FreeBSD. I guess everyone is having ideas from time to time, and lots of these idea-having people think that they just had a decent idea. However, only ideas that are complemented by a working

force reassembly of fragmented packets

2011-09-24 Thread Stephen Clark
Hi List, I am using FreeBSD 6.3 and ipfilter as the FW. When I receive an out-of-order fragment of a UDP packet, ipfilter drops it. I have a bimap setup mapping an external routable address to a private address internal server also running FreeBSD 6.3. Is there some way to force FreeBSD to reassem
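The post above describes the one case a port-matching filter cannot handle without reassembly: only the first fragment (offset 0) carries the UDP header, so a later fragment that arrives first has no port to match on and must be held until the datagram is complete. The following is an added example, not code from the post or from ipfilter: a minimal IPv4 fragment reassembler that accepts fragments in any order, tracks which bytes have arrived, and refuses overlapping fragments whose bytes disagree (the classic filter-evasion trick). Function names, the 3000-byte datagram and the fragment sizes are constructed for the demo.

```c
/*
 * Added example, not code from the list post or from ipfilter: an IPv4
 * fragment reassembler that tolerates out-of-order arrival.  Offsets are in
 * 8-byte units as in the IP header; the datagram contents are constructed.
 */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define MAX_DGRAM 65535

struct reasm {
    uint8_t data[MAX_DGRAM];
    uint8_t have[MAX_DGRAM];     /* 1 once the byte at this offset has arrived */
    int     total_len;           /* -1 until the MF=0 fragment is seen */
    int     bytes;               /* distinct bytes received so far */
};

void reasm_init(struct reasm *r) { memset(r, 0, sizeof *r); r->total_len = -1; }

/*
 * Add one fragment.  off8 is the fragment offset in 8-byte units, mf the
 * More-Fragments bit.  Returns 1 when the datagram is complete, 0 while
 * fragments are still missing, -1 if the fragment is rejected.
 */
int reasm_add(struct reasm *r, unsigned off8, int mf, const uint8_t *payload, unsigned len)
{
    unsigned off = off8 * 8, end = off + len;
    if (len == 0 || end > MAX_DGRAM) return -1;
    if (mf && (len % 8) != 0) return -1;                 /* only the last fragment may be short */
    if (!mf) {
        if (r->total_len >= 0 && (unsigned)r->total_len != end) return -1;  /* two different "last" fragments */
        r->total_len = (int)end;
    } else if (r->total_len >= 0 && end > (unsigned)r->total_len) {
        return -1;                                       /* extends past the known end */
    }
    for (unsigned i = 0; i < len; i++) {
        if (!r->have[off + i]) {
            r->have[off + i] = 1; r->bytes++; r->data[off + i] = payload[i];
        } else if (r->data[off + i] != payload[i]) {
            return -1;                                   /* overlap with conflicting data: evasion attempt */
        }
    }
    return r->total_len >= 0 && r->bytes == r->total_len;
}

/* A 3000-byte datagram split for a 1500-byte MTU, delivered last fragment first. */
int demo_out_of_order(void)
{
    static struct reasm r;
    static uint8_t dgram[3000];
    for (int i = 0; i < 3000; i++) dgram[i] = (uint8_t)(i * 7);
    reasm_init(&r);
    if (reasm_add(&r, 370, 0, dgram + 2960, 40)   != 0) return -1;  /* last: no UDP header, no port to match */
    if (reasm_add(&r, 185, 1, dgram + 1480, 1480) != 0) return -1;
    if (reasm_add(&r, 0,   1, dgram,        1480) != 1) return -1;  /* first: the UDP header is now known */
    if (memcmp(r.data, dgram, 3000) != 0) return -1;
    return r.total_len;
}

/* Two fragments that overlap with different bytes must be refused, not merged. */
int demo_conflicting_overlap(void)
{
    static struct reasm r;
    uint8_t a[16], b[16];
    memset(a, 0xaa, sizeof a); memset(b, 0xbb, sizeof b);
    reasm_init(&r);
    if (reasm_add(&r, 0, 1, a, 16) != 0) return -2;
    return reasm_add(&r, 1, 1, b, 16);   /* covers bytes 8..23, conflicts on 8..15 */
}

int main(void)
{
    printf("reassembled %d bytes; conflicting overlap -> %d\n",
           demo_out_of_order(), demo_conflicting_overlap());
    return 0;
}
```

The point for a firewall is the second demo as much as the first: once you reassemble before filtering, you also decide what to do with overlaps, and refusing conflicting ones is the only choice that does not let an attacker pick which bytes the filter sees versus which bytes the host sees.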

Re: ipv6, stateful config and non-default prefixlen

2011-03-20 Thread Stephen Clark
On 03/19/2011 04:34 AM, Eugene M. Zheganin wrote: Hi. On 18.03.2011 23:56, sth...@nethelp.no wrote: Are you using IA_PD or IA_NA on your DHCPv6 server? Since I didn't configure anything on a DHCPv6 server about PD, I assume I'm using NA. rtadvd can give you the default router. DHCPv6 IA_N

Re: Redirecting traffic with IPSec and pf doesn't work

2009-06-11 Thread Stephen Clark
Attila Nagy wrote: Hello, What I'm trying to accomplish is the following: - there are two machines, connected over the internet (let's call them A and B) - when A tries to connect to B:port, or B to A:port (via TCP, port is just a TCP port, in this case, 3306) the connection should be redirect

Re: FreeBSD 6.3 clear ethernet interface counter

2009-01-22 Thread Stephen Clark
Peter wrote: Hello, I googled and didn't find an answer on how to clear the interface stats that are displayed by netstat -ibndh could someone point in the right direction? Thanks, Steve -- "They that give up essential liberty to obtain temporary safety, deserve neither liberty nor safety."

FreeBSD 6.3 clear ethernet interface counter

2009-01-22 Thread Stephen Clark
Hello, I googled and didn't find an answer on how to clear the interface stats that are displayed by netstat -ibndh could someone point in the right direction? Thanks, Steve -- "They that give up essential liberty to obtain temporary safety, deserve neither liberty nor safety." (Ben Franklin)

Re: NAT-T + ipsec integration

2008-12-12 Thread Stephen Clark
VANHULLEBUS Yvan wrote: On Fri, Dec 12, 2008 at 06:45:20PM +0200, Artyom Viklenko wrote: On Thursday 11 December 2008 14:39:58 VANHULLEBUS Yvan wrote: [] Actually, you can apply a patch to src/sys and recompile your kernel with IPSEC_NAT_T options. Patches are available here: http://people

Re: FreeBSD 6.3 gre and traceroute

2008-11-18 Thread Stephen Clark
David DeSimone wrote: Stephen Clark <[EMAIL PROTECTED]> wrote: switch (proto) { case IPPROTO_GRE: hlen += sizeof(struct gre_h); + + m->m_flags &= ~(M_DECRYPTED); + Are there security implications from removing this flag? That i
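Review bot: clearing M_DECRYPTED in the IPPROTO_GRE case (`m->m_flags &= ~(M_DECRYPTED);`) throws away the stack's only record that the inner packet was delivered through an IPsec SA, and it does so for every GRE packet rather than only where an ICMP error is wanted. Anything downstream of GRE input that tests the flag, including the ip_icmp.c check this thread cites as the reason traceroute shows * * *, will now treat the packet as if it had arrived in the clear, so an ICMP error quoting the inner header can be generated and may leave the box outside the tunnel. The hunk should state why GRE needs the flag gone and consider the narrower change: keep the flag and let the ICMP path decide per packet, or clear it only once the inner packet has been checked against policy.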

Re: FreeBSD 6.3 gre and traceroute

2008-11-18 Thread Stephen Clark
Bjoern A. Zeeb wrote: On Mon, 17 Nov 2008, Stephen Clark wrote: Hi, Bjoern A. Zeeb wrote: On Fri, 14 Nov 2008, Robert Noland wrote: Hi, Also just using gre's without the underlying ipsec tunnels seems to work properly. The reason for this to my knowledge is: http://www.kame.ne

Re: FreeBSD 6.3 gre and traceroute

2008-11-17 Thread Stephen Clark
Bjoern A. Zeeb wrote: On Fri, 14 Nov 2008, Robert Noland wrote: Hi, Also just using gre's without the underlying ipsec tunnels seems to work properly. The reason for this to my knowledge is: http://www.kame.net/dev/cvsweb2.cgi/kame/freebsd2/sys/netinet/ip_icmp.c#rev1.4 or looking at rece

Re: FreeBSD 6.3 gre and traceroute

2008-11-17 Thread Stephen Clark
Bjoern A. Zeeb wrote: On Fri, 14 Nov 2008, Robert Noland wrote: Hi, Also just using gre's without the underlying ipsec tunnels seems to work properly. The reason for this to my knowledge is: http://www.kame.net/dev/cvsweb2.cgi/kame/freebsd2/sys/netinet/ip_icmp.c#rev1.4 or looking at rece

Re: FreeBSD 6.3 gre and traceroute

2008-11-14 Thread Stephen Clark
Julian Elischer wrote: Stephen Clark wrote: Stephen Clark wrote: 10.0.129.1 FreeBSD workstation <-ethernet-> 10.0.128.1 Freebsd FW "A" <-gre/ipsec-> 192.168.3.1 FreeBSD FW "B" <-ethernet-> 192.168.3.86 linux workstation Also just

Re: FreeBSD 6.3 gre and traceroute

2008-11-14 Thread Stephen Clark
Stephen Clark wrote: Robert Noland wrote: On Thu, 2008-11-13 at 07:48 -0500, Stephen Clark wrote: Julian Elischer wrote: Stephen Clark wrote: Julian Elischer wrote: you will need to define the setup and question better. thanks.. cleaning it up a bit more... 10.0.129.1 FreeBSD workstation

Re: FreeBSD 6.3 gre and traceroute

2008-11-13 Thread Stephen Clark
Robert Noland wrote: On Thu, 2008-11-13 at 07:48 -0500, Stephen Clark wrote: Julian Elischer wrote: Stephen Clark wrote: Julian Elischer wrote: you will need to define the setup and question better. thanks.. cleaning it up a bit more... 10.0.129.1 FreeBSD workstation <-ethernet->

Re: FreeBSD 6.3 gre and traceroute

2008-11-13 Thread Stephen Clark
Julian Elischer wrote: Stephen Clark wrote: Julian Elischer wrote: you will need to define the setup and question better. thanks.. cleaning it up a bit more... 10.0.129.1 FreeBSD workstation <-ethernet-> 10.0.128.1 Freebsd FW "A" <-gre/ipsec-> 192.168.3

Re: FreeBSD 6.3 gre and traceroute

2008-11-13 Thread Stephen Clark
Robert Noland wrote: On Wed, 2008-11-12 at 13:17 -0800, Julian Elischer wrote: Stephen Clark wrote: Julian Elischer wrote: you will need to define the setup and question better. thanks.. cleaning it up a bit more... 10.0.129.1 FreeBSD workstation <-ethernet-> 10.0.128.1

Re: FreeBSD 6.3 gre and traceroute

2008-11-12 Thread Stephen Clark
Julian Elischer wrote: Stephen Clark wrote: Hi, When I run traceroute thru a gre it doesn't seem to decrement the ttl, so I get * * * for that hop. Can this be fixed? Thanks, Steve you will need to define the setup and question better. TTL is controlled by the IP stack which is unawa

FreeBSD 6.3 gre and traceroute

2008-11-12 Thread Stephen Clark
Hi, When I run traceroute thru a gre it doesn't seem to decrement the ttl, so I get * * * for that hop. Can this be fixed? Thanks, Steve -- "They that give up essential liberty to obtain temporary safety, deserve neither liberty nor safety." (Ben Franklin) "The course of history shows that as

Re: Tunneling issues

2008-07-09 Thread Stephen Clark
Mike Tancsa wrote: At 11:21 AM 7/9/2008, [EMAIL PROTECTED] wrote: I agree it should work. But it's not. With respect to the next two questions, yes and yes. Can you post some of the configs you are using for 3 of the sites so we can perhaps spot the problem(s) you are having ? I have a sim

6.3-p2 gre

2008-07-09 Thread Stephen Clark
Hello List, I am running ospf over a gre/vpn tunnel. When I run tcpdump on the gre interface ospf stops working. I see the following errors in the ospfd log. 2008/07/09 10:05:02 OSPF: *** sendmsg in ospf_write failed to 224.0.0.5, id 0, off 0, len 68, interface gre1, mtu 1412: Network is down 2

Re: kern/123796: FreeBSD 6.1+VPN+ipnat+ipf: port mapping does not work

2008-05-19 Thread Stephen Clark
[EMAIL PROTECTED] wrote: Old Synopsis: Port mapping does not work New Synopsis: FreeBSD 6.1+VPN+ipnat+ipf: port mapping does not work Responsible-Changed-From-To: gnats-admin->freebsd-net Responsible-Changed-By: linimon Responsible-Changed-When: Sun May 18 22:45:21 UTC 2008 Responsible-Changed-W

6.1 strange gre behavior

2008-02-15 Thread Stephen Clark
Hello List, Has anybody ever tried to use either ipf or ipfw to redirect packets coming off of a gre interface? When I try it I get the packet repeated multiple times on the destination interface. I have tried it with both ipf and ipfw/natd with the same results. I have packets coming i

Re: duplicate packet using divert

2008-01-23 Thread Stephen Clark
Stephen Clark wrote: Chuck Swiger wrote: On Jan 22, 2008, at 1:44 PM, Stephen Clark wrote: does anyone have a program that uses the divert socket to duplicate an incoming packet so it can be sent to another address. Well, I assume you could start with the ipfw "tee" directive and

Re: duplicate packet using divert

2008-01-23 Thread Stephen Clark
Chuck Swiger wrote: On Jan 22, 2008, at 1:44 PM, Stephen Clark wrote: does anyone have a program that uses the divert socket to duplicate an incoming packet so it can be sent to another address. Well, I assume you could start with the ipfw "tee" directive and /usr/src

duplicate packet using divert

2008-01-22 Thread Stephen Clark
Hello List, does anyone have a program that uses the divert socket to duplicate an incoming packet so it can be sent to another address. Thanks, Steve -- "They that give up essential liberty to obtain temporary safety, deserve neither liberty nor safety." (Ben Franklin) "The course of hi

Re: Deadlock in the routing code

2007-12-19 Thread Stephen Clark
Julian Elischer wrote: Maxime Henrion wrote: It appears that this patch fixed the problem. My gateway server now has a nearly two days uptime, whereas previously it would have probably crashed already. I'm attaching the final version of the patch here, since the last one had build-time erro

Re: Deadlock in the routing code

2007-12-13 Thread Stephen Clark
Maxime Henrion wrote: Replying to myself on this one, sorry about that. I said in my previous mail that I didn't know yet what process was holding the lock of the rtentry that the routed process is dealing with in rt_setgate(), and I just could verify that it is held by the swi1: net thread. S

Re: Pipe queues

2007-12-10 Thread Stephen Clark
Luigi Rizzo wrote: On Mon, Dec 10, 2007 at 11:22:33AM -0800, Chuck Swiger wrote: On Dec 10, 2007, at 8:56 AM, rihad wrote: Hi, I'm having a hard time to understand what pipe queues are with respect to bandwidth limitation. ipfw(8) and dummynet(4) manuals didn't help me much.

Re: proxy arp on 6.1

2007-10-25 Thread Stephen Clark
Peter Jeremy wrote: On Wed, Oct 24, 2007 at 02:17:37PM -0400, Stephen Clark wrote: I must be doing something wrong. I can't seem to get proxy arp to work. Is there some magic. I've been using proxy ARP on FreeBSD between 4.x and 6.2 without problems (though I think I s

Re: proxy arp on 6.1

2007-10-25 Thread Stephen Clark
Stephen Clark wrote: Hello List, I must be doing something wrong. I can't seem to get proxy arp to work. Is there some magic. I have the following setup isp router 205.x.x.1 <-> 205.x.x.100/25 rl1 freebsd vr0 205.x.x.129/25 <-> 205.x.x.193/25 arp -an (205.x.x.1) at 00:

proxy arp on 6.1

2007-10-24 Thread Stephen Clark
Hello List, I must be doing something wrong. I can't seem to get proxy arp to work. Is there some magic. I have the following setup isp router 205.x.x.1 <-> 205.x.x.100/25 rl1 freebsd vr0 205.x.x.129/25 <-> 205.x.x.193/25 arp -an (205.x.x.1) at 00:13:7f:5a:b5:50 on rl1 [ethernet] (205.x.x.19

Re: Dump kernel routing table

2007-10-19 Thread Stephen Clark
Netan wrote: Hello I am using the CURRENT release. I wish to dump the kernel routing table. I think there was a sysctl interface in 4.x FreeBSD release to print it from userspace. Is there a way to do it now? Sunny

are DMZ's out of vogue

2007-10-03 Thread Stephen Clark
Hi List, Our in-house network configuration is using FreeBSD for our firewall. We currently have it set up with 3 interfaces: a public, private and DMZ. We are moving to a new facility and our network engineer says nobody is using DMZs any more and wants to just do NAT redirects from our FreeBSD

Re: FreeBSD nfe driver and IPMI cards

2007-09-12 Thread Stephen Clark
Pyun YongHyeon wrote: On Tue, Sep 11, 2007 at 03:01:53PM -0400, Robert Wojciechowski wrote: Hello, I'm using the FreeBSD nfe driver from http://www.f.csce.kyushu-u.ac.jp/~shigeaki/software/freebsd-nfe.html with FreeBSD 6-stable with good results for the most part. The only issue

Re: 6.2 mtu now limits size of incoming packet

2007-07-21 Thread Stephen Clark
Artyom Viklenko wrote: Artem Belevich wrote: Here's one example where MTU!=MRU would be useful. Think of asymmetric bandwith-limited ADSL links. Lower MTU would allow lower TX latency for high priority packets when upstream is saturated, yet large MRU on the downstream would be great for do

Re: 6.2 mtu now limits size of incoming packet

2007-07-21 Thread Stephen Clark
Eli Dart wrote: see below... Julian Elischer wrote: Eli Dart wrote: Stephen Clark wrote: So was any decision reached on this issue - will FreeBSD changed to accept a packet on an interface that is larger than the mtu on that interface? If possible, I'd like t

Re: 6.2 mtu now limits size of incoming packet

2007-07-18 Thread Stephen Clark
Mike Karels wrote: A related change that should probably be discussed if we want to think more about asymmetry in maximum transmission unit is this one: revision 1.98 date: 2006/06/26 17:54:53; author: andre; state: Exp; lines: +2 -0 In syncache

Re: 6.2 mtu now limits size of incoming packet

2007-07-16 Thread Stephen Clark
Wes Peters wrote: On 7/16/07, Sten Daniel Soersdal <[EMAIL PROTECTED]> wrote: I guess it wouldn't hurt for the operating system to accept larger frames, as long as only the correctly sized frames are transmitted. There are a lot of people, including myself, that assume a host can't receive a

Re: 6.2 mtu now limits size of incoming packet

2007-07-14 Thread Stephen Clark
Sten Daniel Soersdal wrote: Stephen Clark wrote: Sten Daniel Soersdal wrote: Stephen Clark wrote: Hello, Did something change in 6.2? If my mtu size on rl0 is 1280 it won't accept a larger incoming packet. kernel: rl0: discard oversize frame (ether type 800 flags

Re: 6.2 mtu now limits size of incoming packet

2007-07-13 Thread Stephen Clark
Chuck Swiger wrote: On Jul 13, 2007, at 12:27 PM, Bill Moran wrote: I agree with others that MTU means "limit what I transmit". It does not mean "limit what someone else can transmit to me." Interesting viewpoint. I disagree with it, but I can't quote any standard or otherwise

Re: 6.2 mtu now limits size of incoming packet

2007-07-13 Thread Stephen Clark
Bill Moran wrote: In response to Stephen Clark <[EMAIL PROTECTED]>: Bill Moran wrote: In response to Stephen Clark <[EMAIL PROTECTED]>: Sten Daniel Soersdal wrote: Stephen Clark wrote: Hello, Did something change in 6.2? If my mtu si

Re: 6.2 mtu now limits size of incoming packet

2007-07-13 Thread Stephen Clark
Bill Moran wrote: In response to Stephen Clark <[EMAIL PROTECTED]>: Sten Daniel Soersdal wrote: Stephen Clark wrote: Hello, Did something change in 6.2? If my mtu size on rl0 is 1280 it won't accept a larger incoming packet. kernel: rl0: discard oversize f

Re: 6.2 mtu now limits size of incoming packet

2007-07-13 Thread Stephen Clark
Sten Daniel Soersdal wrote: Stephen Clark wrote: Hello, Did something change in 6.2? If my mtu size on rl0 is 1280 it won't accept a larger incoming packet. kernel: rl0: discard oversize frame (ether type 800 flags 3 len 1514 > max 1294) That is what is to be expected.

6.2 mtu now limits size of incoming packet

2007-07-12 Thread Stephen Clark
Hello, Did something change in 6.2? If my mtu size on rl0 is 1280 it won't accept a larger incoming packet. kernel: rl0: discard oversize frame (ether type 800 flags 3 len 1514 > max 1294) I don't think it worked this way in the past. Won't this affect pmtud? man page for ifconfig says mtu l

Re: TCP connection stalls on LAN

2007-02-24 Thread Stephen Clark
Jeremie Le Hen wrote: Hi, I'm running a quite recent -CURRENT. I don't understand what's happening. According to tcpdump(1) it seems the two peers both keep acknowledging the same segment for ever. (See the file attached.) The peer is a Linksys router that has worked correctly for a while.

Re: pmtud problem

2007-02-14 Thread Stephen Clark
Tom Judge wrote: Stephen Clark wrote: Hello List, We have a setup that looks like the following. pc <-ethernet-> freebsd 4.9 <-pppoe-> internet <-ethernet-> freebsd 6.1 on the freebsd box we have a gre tunnel with a mtu of 1420 feeding into a gif vpn tunnel with a mt

Re: pmtud problem

2007-02-14 Thread Stephen Clark
Alexander Motin wrote: Stephen Clark wrote: if the pc sends a packet of 1460 bytes with the DF bit set shouldn't the freebsd 4.9 system send back an icmp dest unreachable - fragmentation needed and DF bit set? Are you blocking icmp with a firewall filter? Good que

Re: pmtud problem

2007-02-13 Thread Stephen Clark
Eli Dart wrote: Stephen Clark wrote: if the pc sends a packet of 1460 bytes with the DF bit set shouldn't the freebsd 4.9 system send back an icmp dest unreachable - fragmentation needed and DF bit set? Are you blocking icmp w

pmtud problem

2007-02-13 Thread Stephen Clark
Hello List, We have a setup that looks like the following. pc <-ethernet-> freebsd 4.9 <-pppoe-> internet <-ethernet-> freebsd 6.1 on the freebsd box we have a gre tunnel with a mtu of 1420 feeding into a gif vpn tunnel with a mtu of 1280 (I know this is dumb but it is the default value when you cr
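Two threads on this page turn on the same piece of router behaviour: the pmtud post above expects an ICMP "fragmentation needed" for a 1460-byte DF packet entering a 1420-byte GRE tunnel, and the earlier "gre and traceroute" posts see * * * because the tunnel never turns an exhausted inner TTL into an ICMP "time exceeded". The following is an added example, not code from either thread or from FreeBSD's gre or ip_icmp code: the two checks a tunnel ingress makes before encapsulating, and the ICMP error each one produces, built by hand per RFC 792 and RFC 1191. Function names are the editor's; the router address 10.0.128.1 and the endpoints 10.0.129.1 and 192.168.3.86 are taken from the traceroute thread, the 1420-byte MTU and 1460-byte DF packet from the pmtud post, and everything else about the packets is constructed.

```c
/*
 * Added example, not code from the threads or from FreeBSD: what a tunnel
 * ingress should do with a packet before encapsulating it.
 *   - TTL exhausted: ICMP type 11 code 0.  traceroute only sees the tunnel as
 *     a hop if the inner TTL is decremented and this error is sent; a tunnel
 *     that touches only the outer TTL shows up as * * *.
 *   - DF set and packet longer than the tunnel MTU: ICMP type 3 code 4 with
 *     the next-hop MTU (RFC 1191).  Filter this and PMTUD stalls.
 * Packet contents are constructed for the demo.
 */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define IP_DF 0x4000

static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* RFC 1071 checksum; yields 0 when run over a region whose checksum field is valid. */
static uint16_t csum(const uint8_t *p, size_t len)
{
    uint32_t s = 0;
    for (size_t i = 0; i < len; i += 2) s += ((uint32_t)p[i] << 8) | (i + 1 < len ? p[i + 1] : 0);
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)~s;
}

/*
 * Write an ICMP error about orig into out and return its length.  RFC 792:
 * quote the original IP header plus 8 bytes of payload.  RFC 1191: for type 3
 * code 4 the next-hop MTU goes in the otherwise unused ICMP header bytes 6-7.
 */
static size_t build_icmp_error(uint8_t type, uint8_t code, uint16_t mtu,
                               const uint8_t *orig, size_t orig_len,
                               const uint8_t router_ip[4], uint8_t *out)
{
    size_t quote = (orig[0] & 0x0f) * 4 + 8;
    if (quote > orig_len) quote = orig_len;
    size_t icmp_len = 8 + quote, total = 20 + icmp_len;
    uint8_t *ip = out, *icmp = out + 20;

    memset(out, 0, total);
    ip[0] = 0x45; put16(ip + 2, (uint16_t)total);
    ip[8] = 64; ip[9] = 1;                       /* TTL, IPPROTO_ICMP */
    memcpy(ip + 12, router_ip, 4);               /* from the router ... */
    memcpy(ip + 16, orig + 12, 4);               /* ... back to the original source */
    put16(ip + 10, csum(ip, 20));
    icmp[0] = type; icmp[1] = code;
    put16(icmp + 6, mtu);                        /* zero except for type 3 code 4 */
    memcpy(icmp + 8, orig, quote);
    put16(icmp + 2, csum(icmp, icmp_len));
    return total;
}

/*
 * Ingress decision.  Returns 0 when pkt may be encapsulated (its TTL has been
 * decremented and the header checksum refreshed), otherwise the length of the
 * ICMP error written to err.
 */
size_t tunnel_ingress(uint8_t *pkt, size_t len, uint16_t tunnel_mtu,
                      const uint8_t router_ip[4], uint8_t *err)
{
    if (pkt[8] <= 1)                             /* RFC 1812: expire before forwarding */
        return build_icmp_error(11, 0, 0, pkt, len, router_ip, err);
    if (len > tunnel_mtu && (get16(pkt + 6) & IP_DF))
        return build_icmp_error(3, 4, tunnel_mtu, pkt, len, router_ip, err);
    pkt[8]--;                                    /* the hop traceroute was not seeing */
    put16(pkt + 10, 0);
    put16(pkt + 10, csum(pkt, (pkt[0] & 0x0f) * 4));
    return 0;
}

static const uint8_t ROUTER[4] = {10, 0, 128, 1};        /* FW "A" in the traceroute thread */

static void make_pkt(uint8_t *p, size_t len, uint8_t ttl, int df)
{
    memset(p, 0, len);
    p[0] = 0x45; put16(p + 2, (uint16_t)len); put16(p + 6, df ? IP_DF : 0);
    p[8] = ttl; p[9] = 17;                               /* UDP */
    memcpy(p + 12, (uint8_t[]){10, 0, 129, 1}, 4);       /* FreeBSD workstation */
    memcpy(p + 16, (uint8_t[]){192, 168, 3, 86}, 4);     /* linux workstation */
    put16(p + 10, csum(p, 20));
}

/* Next-hop MTU advertised for a 1460-byte DF packet into a 1420-byte tunnel, or -1. */
int demo_frag_needed_mtu(void)
{
    uint8_t pkt[1460], err[64];
    make_pkt(pkt, sizeof pkt, 64, 1);
    size_t n = tunnel_ingress(pkt, sizeof pkt, 1420, ROUTER, err);
    if (n == 0 || err[20] != 3 || err[21] != 4 || csum(err + 20, n - 20) != 0) return -1;
    return get16(err + 26);
}

/* ICMP type produced when a TTL-1 packet enters the tunnel, or -1 if none. */
int demo_ttl_expired_type(void)
{
    uint8_t pkt[100], err[64];
    make_pkt(pkt, sizeof pkt, 1, 0);
    return tunnel_ingress(pkt, sizeof pkt, 1420, ROUTER, err) ? err[20] : -1;
}

/* TTL left in a packet that was accepted for encapsulation, or -1. */
int demo_forwarded_ttl(void)
{
    uint8_t pkt[100], err[64];
    make_pkt(pkt, sizeof pkt, 5, 1);
    if (tunnel_ingress(pkt, sizeof pkt, 1420, ROUTER, err) != 0 || csum(pkt, 20) != 0) return -1;
    return pkt[8];
}

int main(void)
{
    printf("next-hop MTU %d, expired type %d, forwarded TTL %d\n",
           demo_frag_needed_mtu(), demo_ttl_expired_type(), demo_forwarded_ttl());
    return 0;
}
```

Both errors are sent to the original source address quoted from the inner header, which is why the question "are you blocking icmp with a firewall filter?" in this thread matters: a rule that drops inbound ICMP type 3 at the PC side breaks PMTUD even when the 4.9 box does everything right, and a tunnel that suppresses errors for its decrypted payload (the M_DECRYPTED discussion in the gre thread) hides the hop from traceroute for the same reason.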

Re: Tee packets

2006-08-30 Thread Stephen Clark
Miroslav Lachman wrote: Stephen Clark wrote: Hello List, We have a monitoring app that receives udp packets from units in the field. We are in the process of increasing the number of units we have reporting and are seeing some performance issues with our current hardware. I would like

Tee packets

2006-08-30 Thread Stephen Clark
Hello List, We have a monitoring app that receives udp packets from units in the field. We are in the process of increasing the number of units we have reporting and are seeing some performance issues with our current hardware. I would like to be able to somehow route a copy of each packet to ano
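This post and the "duplicate packet using divert" thread earlier on the page ask for the same thing: a copy of each incoming UDP report delivered to a second host. With ipfw the kernel side is a `tee` or `divert` rule and a divert socket in userland; the part that is easy to get wrong is the rewrite of the copy. The following is an added example, not code from either thread or from ipfw: the rewriting half of such a helper, which changes the destination address and repairs the IP and UDP checksums with the incremental update from RFC 1624 rather than re-summing the payload. The UDP checksum covers a pseudo-header that contains the destination address, so it shifts by exactly the same delta as the IP header's. Socket setup is left out so the code runs anywhere; `tee_copy`, `demo_tee_checksums`, the addresses 10.0.0.7/10.0.0.1/10.0.0.2, the ports and the payload are constructed.

```c
/*
 * Added example, not code from the list posts or from ipfw: rewrite a copy of
 * an IPv4/UDP datagram for a second collector, fixing both checksums
 * incrementally (RFC 1624).  Divert-socket I/O is omitted; packet constructed.
 */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static uint32_t get32(const uint8_t *p) { return ((uint32_t)get16(p) << 16) | get16(p + 2); }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }

/* RFC 1624 eq. 3: HC' = ~(~HC + ~m + m'), the 32-bit m split into 16-bit words. */
static uint16_t csum_update32(uint16_t old_csum, uint32_t old_val, uint32_t new_val)
{
    uint32_t s = (uint16_t)~old_csum;
    s += (uint16_t)(~old_val >> 16) + (uint16_t)(~old_val & 0xffff);
    s += (uint16_t)(new_val >> 16) + (uint16_t)(new_val & 0xffff);
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)~s;
}

/* Full RFC 1071 checksum, used only to build the sample packet and to verify the result. */
static uint16_t csum(const uint8_t *p, size_t len)
{
    uint32_t s = 0;
    for (size_t i = 0; i < len; i += 2) s += ((uint32_t)p[i] << 8) | (i + 1 < len ? p[i + 1] : 0);
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)~s;
}

/* UDP checksum over the IPv4 pseudo-header plus the segment; 0 when it verifies. */
static uint16_t udp_csum(const uint8_t *ip, const uint8_t *udp, size_t ulen)
{
    static uint8_t buf[12 + 65535];
    memcpy(buf, ip + 12, 8); buf[8] = 0; buf[9] = 17; put16(buf + 10, (uint16_t)ulen);
    memcpy(buf + 12, udp, ulen);
    return csum(buf, 12 + ulen);
}

/* Copy pkt to out redirected to new_dst.  Returns the copy's length, 0 if not IPv4/UDP. */
size_t tee_copy(const uint8_t *pkt, size_t len, uint32_t new_dst, uint8_t *out)
{
    if (len < 28 || (pkt[0] >> 4) != 4 || pkt[9] != 17) return 0;
    size_t ihl = (pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 8) return 0;
    memcpy(out, pkt, len);
    uint32_t old_dst = get32(out + 16);
    put32(out + 16, new_dst);
    put16(out + 10, csum_update32(get16(out + 10), old_dst, new_dst));
    uint8_t *udp = out + ihl;
    uint16_t uc = get16(udp + 6);
    if (uc != 0) {                               /* 0 = "no checksum" (RFC 768): leave it alone */
        uc = csum_update32(uc, old_dst, new_dst);
        put16(udp + 6, uc ? uc : 0xffff);        /* a computed 0 is transmitted as 0xffff */
    }
    return len;
}

/* Build a report from 10.0.0.7 to collector 10.0.0.1, tee it to 10.0.0.2, and check
 * that both checksums in the copy verify against a full recomputation.  Returns 1 on success. */
int demo_tee_checksums(void)
{
    uint8_t pkt[64] = {0}, out[64];
    const char payload[] = "unit 17 ok";                  /* constructed, 10 bytes */
    size_t ulen = 8 + sizeof payload - 1, len = 20 + ulen;
    uint8_t *udp = pkt + 20;
    pkt[0] = 0x45; put16(pkt + 2, (uint16_t)len); pkt[8] = 64; pkt[9] = 17;
    put32(pkt + 12, 0x0a000007); put32(pkt + 16, 0x0a000001);
    put16(udp, 5000); put16(udp + 2, 9000); put16(udp + 4, (uint16_t)ulen);
    memcpy(udp + 8, payload, ulen - 8);
    put16(pkt + 10, csum(pkt, 20));
    uint16_t uc = udp_csum(pkt, udp, ulen);               /* checksum field is still 0 here */
    put16(udp + 6, uc ? uc : 0xffff);

    size_t n = tee_copy(pkt, len, 0x0a000002, out);
    if (n != len || get32(out + 16) != 0x0a000002) return 0;
    if (csum(out, 20) != 0 || udp_csum(out, out + 20, ulen) != 0) return 0;
    return memcmp(out + 28, payload, ulen - 8) == 0;      /* payload untouched */
}

int main(void)
{
    printf("tee copy checksums %s\n", demo_tee_checksums() ? "verify" : "FAIL");
    return 0;
}
```

Two caveats when wiring this to a divert socket. With an ipfw `divert` rule the diverted datagram is consumed, so the process has to write the original back to the socket or the monitoring app never sees it; with `tee` the kernel keeps forwarding the original and only the copy reaches the process. And the rewritten copy, sent from a raw socket, goes back through ipfw, so the rule that feeds the divert socket must match only the original destination or every copy is diverted again and the "packet repeated multiple times" symptom from the "6.1 strange gre behavior" post appears.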

Re: [PATCH] Re: IP_MAX_MEMBERSHIPS story.

2006-05-17 Thread Stephen Clark
Bruce M Simpson wrote: On Sun, May 14, 2006 at 03:00:44PM +0100, Bruce M Simpson wrote: So I will be updating the patch in the next 24 hours. Given that it seems stable for values 2047 <= n <= 4095 with SOCK_DGRAM I am inclined to commit with the maximum raised to 4095 and lazy allocation in

Re: [PATCH] Re: IP_MAX_MEMBERSHIPS story.

2006-05-13 Thread Stephen Clark
Bruce M Simpson wrote: Hello, On Fri, May 12, 2006 at 02:12:27PM +0100, Bruce M Simpson wrote: Therefore, joining the same group 20 times on different interfaces would exceed IP_MAX_MEMBERSHIPS. Fixing this in any way would still break the ip_mroute_kmod ABI and as such is a HEAD change.

Re: IP_MAX_MEMBERSHIPS story.

2006-05-11 Thread Stephen Clark
Robert Watson wrote: On Tue, 9 May 2006, Bruce M Simpson wrote: On Tue, May 09, 2006 at 01:28:01PM +0100, Bruce M Simpson wrote: A user recently reported a problem with running into IP_MAX_MEMBERSHIPS on a system running FreeBSD with IPv4 forwarding enabled, and running the OSPF routi

4.9 losing mbuf with multicast traffic

2006-04-20 Thread Stephen Clark
Hi, I am experiencing a problem on FreeBSD 4.9, yes I know this is ancient history but I am stuck with it for the time being, that exhibits itself as the ipintrq.ifq_len slowly growing until it finally reaches ipintrq.ifq_maxlen and the network stops responding because there is no place to put