On Thu, 27 Feb 2003, CHOI Junho wrote:
> Final: What is a good math for calculating these values safely?
> kern.ipc.nmbclusters
> kern.ipc.nsfbufs
FWIW, the math you want should be in tuning(7).
-m
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-net" in the body of
Terry Lambert <[EMAIL PROTECTED]> writes:
> Mike Barcroft wrote:
> > Terry Lambert <[EMAIL PROTECTED]> writes:
> > > Tim Robbins wrote:
> > > > Is there a compelling reason why I shouldn't remove netns? That is, does
> > > > it serve a
believe that you're
local to the router.
(Not tested, although I recall doing something similar before.)
Alternately, using arp to assign a *fake* IP address which is on your
subnet to the ethernet address of the router, then add a default route to
that. Maybe the router will still pass the pa
On Sun, 23 Mar 2003, Hanspeter Roth wrote:
> in the office I'm sitting behind MS proxy or isa. For windows I have
> some proxy-client setup.
> Is it possible for Unix to get across MS proxy or isa?
> Where can I get information?
ISA is a big piece of software, with a lot of features that can be
di
(I removed the -questions CC, looks like this is moving to -net...)
On Sun, 23 Mar 2003, Aaron Daubman wrote:
> From my experiences, I cannot get my PowerBook to connect to my FreeBSD
> 4-Stable (built 2 nights ago) HostAP, WinXP clients work fine.
I've only had experience with a couple APs in
.inet.tcp.keepidle: 14400
> net.inet.tcp.keepintvl: 150
> net.inet.tcp.always_keepalive: 1
These would have nothing to do with what you're seeing. Keepalive only
applies to established connections which are sitting idle. As you are
disconnecting and reconnect
On Wed, 26 Mar 2003, Wes Peters wrote:
> Yup, mac address filtering is even less useful than WEP. At least WEP
> takes *some* effort to crack. ;^)
It all takes ``some'' effort. That's the point, sort of like car
alarms that are easily bypassed... The burglar will usually choose to hit
the car p
On Tue, 3 Jun 2003, Shaun Jurrens wrote:
> I hate to say it, but I've had these for months starting at 4.6-stable
> and continuing up to at least the latest 4.7-RELEASE-p* . I have one
> dual -current box that has exhibited the same behaviour as well.
FWIW, I had similar issues (similar messages,
listen queue as the main
mechanism, with a syncache as backup. Hence, we're both going to be
defensive about our implementations.
If you want to arrange a syn-floodoff, I'd be interested in seeing the
results. :)
Mike "Silby" Silbersack
nything strange here, could you be more specific? All
the duplicate packets just look like syn-ack retransmissions.
Mike "Silby" Silbersack
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
same in zebra (ip address 12.0.0.2/8, but I get the error, "File Exists"
which means that the route exists I guess.
---Mike
----
Mike Tancsa, tel +1 519 651 3400
Sentex Comm
.ifr_name);
if (ioctl(s, afp->af_aifaddr, afp->af_addreq) < 0)
Perror("ioctl (SIOCAIFADDR)");
}
---Mike
Mike Tancsa, tel +1 519
c) -- LAN2
| |
+ gif or gre tunnel --+
Now going to try 'options IPSEC_FILTERGIF' in the kernel config file.
Maybe I do something wrong with configuration?
Thanks,
Mike.
I don't see this on my 4.8 or 5.x systems. Are you running any custom
patches on that machine's kernel?
Alternately, can anyone else with a 4.7 or earlier machine replicate this
problem?
Thanks,
Mike "Silby" Silbersack
On Thu, 19 Jun 2003, Scot Loach wrote:
> If
On Wed, 25 Jun 2003, Shawn Ramsey wrote:
> > netstat -I xl0 -w 1
>input (xl0) output
> packets errs bytespackets errs bytes colls
> 6918228525822 5631 02770466 0
> 7317219262852 6041 02696855
On Wed, 25 Jun 2003, Shawn Ramsey wrote:
> I don't know offhand, it connects to another company, as it's our internet
> connection. We will contact them and see if they can tell us what the stats
> (if any, I believe it's a Cisco). The card is forced to 100BT/FD on our end,
> and I'm sure it is on the
On Sun, 29 Jun 2003, Orville R. Weyrich_Jr wrote:
> I checked the Apache Web site and found an article from 1998 that said
> that RSA had a patent on encryption needed for SSL in the USA.
> Somewhere I recall hearing that the patent had expired. Is this true?
I believe it expired in 2000,
http://
hieved just by optimizing natd. Heck, it might be as simple as
increasing the size of some hash tables or buffers.
Tell us how it goes. :)
Mike "Silby" Silbersack
ay I have 1000 win 9x boxes connected to the internet with routable IPs
and no firewall. How will placing them behind a NAT box make them less
secure?
Mike "Silby" Silbersack
it's done, and I'll look
into incorporating it.
Mike "Silby" Silbersack
uld handle everything fine.
Mike "Silby" Silbersack
more by doing those two things than by
us explaining the implementation to you.
Mike "Silby" Silbersack
_queue_drops: 0
p1003_1b.sigqueue_max: 0
I don't think it is related to this issue.
These are all netgraph interfaces BTW.
Thanks,
---Mike
----
Mike Tancsa, tel +1 519 651 3400
Sentex
47&content-type=text/plain
And see how things go.
Mike "Silby" Silbersack
You could try
playing with those parameters, but you'll probably end up causing other
problems in the process. :)
(Fair kernel memory management is an area we're still working on in
-current.)
Mike "Silby" Silbersack
emove the memory usage of the buffer cache, and some other memory
issues have already been fixed as the result of 5.x's UMA memory
allocator. Hopefully by 5.2 or 5.3 you will no longer need to tweak any
of these settings. (Very little of this work will be MFC'd to 4.x, due to
the size
firm that it is the problem you're running into. If that is
the case, please tell us so that we can transition to the political side
of the problem. :)
Mike "Silby" Silbersack
CP to determine what the problem is. If you've
figured out how to fix it, please post patches; we'll look into getting
them incorporated into 4.8-stable.
Thanks,
Mike "Silby" Silbersack
u_short to a u_int, and see if that causes your
problems to go away.
Mike "Silby" Silbersack
/underflow could cause random memory
corruption, so maybe the panic you're seeing comes about after a bunch of
memory has already been trashed.
So anyway, promote ui_ref to a u_int and retest. Tell us what happens.
Mike "Silby" Silbersack
ke a lot of measurement to really prove it.
Either way, I'm glad that the change resolved your problems.
Mike "Silby" Silbersack
pass the transparent redirect but
it doesn't. If I change rule #1 to:
1 skipto 65535 ip from any to any in via sis0
Things work as advertised. Any ideas?
---
Mike Wade ([EMAIL PROTECTED])
Blue Highway Labs, LLC.
On Sun, 3 Aug 2003, Andy Gilligan wrote:
> On Sun, Aug 03, 2003 at 01:31:23AM BST, Mike Wade wrote:
> > I'm running FreeBSD 4.8 RELEASE w/ IPFW2 support enabled. I'm running
> > into some weirdness with the mac address matching feature or perhaps it's
>
> <>< http://www.FreeBSD.org/~jhb/
So on 4.x, any SMP race is probably also a UP race, but we just don't see
it because UP can't preempt.
Well, I guess the spl() fix is probably going to be the quickest here
then, please send it to me
ng the problem in the cr functions.
John, can you give us a quick overview of how 4.x SMP works so that we can
determine the correct solution here? My main question is this: If CPU 1
is chugging along at a low SPL level and an interrupt comes in to CPU 2,
can it wrestle control away from the o
Hi, what is the config you are using to test this ? IPSEC ?
FAST_IPSEC ? type of keying ?
---Mike
On Thu, 21 Aug 2003 18:58:20 +0300, in sentex.lists.freebsd.net you
wrote:
>Hi there!
>
>It seems that ipcomp in the tunnel mode is still broken in at
>least 4.x (I cannot
, you pre-allocate the
buffers, then hand them over to the card's control. Once they're filled
with packet data, the NIC informs the OS, which replaces them with new
buffers.
A lot of our drivers have 128 (or some power of 2) receive buffers, hence
your mbuf usage.
Mike "Silby"
>I want to build a network as shown below.
> All devices is in my responsibility except the
> upstream router. My question is
>
>If I will assign public IP address to all
>interfaces, is it necessary that I must
>inform the upstream router's administrator
>to add my subnet in
> Vincent
Heh, Tor just proposed raising the number of kmap entries allocated in a
private thread. So, I think you'll see that change in soon enough.
BTW, I hope size doesn't change as your machine is running. :)
Mike "Silby" Silbersack
the information from a tcpdump, we have no hope
of determining what is going on.
Mike "Silby" Silbersack
On Fri, 12 Sep 2003, The Jetman wrote:
> Mike: OKAY ! This is unknown territory for me, so I didn't know
> TCPDUMP could be a friend, but I gen'd a simple TCPDUMP session, monitoring
> a session via wi0 to my ISP's FTP server called (for the purps of this dump)
ging itself means nothing; such pings are
handled inside the kernel and never actually hit the network card.
Could you post the dmesg output of the machines along with what ifconfig
looks like on machine 2 when it's working and when it's not w
ing cloned routes
into a tcpstatcache, more?) You should probably check on the status of
those projects first and make sure that you won't interfere with their
integration.
Mike "Silby" Silbersack
he same port, but I believe this to be a positive
change. Ports used by tcp listen sockets and udp sockets should be
protected as before, so that should be ok as well. Am I missing something
subtle?
Thanks,
Mike "Silby" Silbersackdiff -u -r /usr/src/sys.old/netinet/in_pcb.c /usr/src/sys/
-laddr-fport-faddr
tuple, so the connect will fail with EADDRINUSE.
So, it looks like I can't solve this so simply... looks like I'll have to
have the port lookup do IP comparisons as well.
Mike "Silby" Silbersack
On Tue, 28 Oct 2003, Mike Silbersack wrote:
> It's very possible that bind will return a port which can't be used
> because it's already in use for that destination lport-laddr-fport-faddr
> tuple, so the connect will fail with EADDRINUSE.
>
> So, it looks lik
I think that Mini's idea of approaching it as an optimization
is the correct one.
Mike "Silby" Silbersack
needs the 3WHS again and gives some delay. In the end this code is
> like the ICMP rate limiter code. It's there to mitigate a problem to a
> manageable level, not to make it go away.
Ok, so the problem is that the sockbuf chain keeps getting longer, causing
the delay to grow as more fragments pile in.
round, is there any way to force the LQM_ECHO method through the
ppp.conf ? Has anyone else run into this ?
---Mike
Mike Tancsa, tel +1 519 651 3400
Sentex Communications,
ning a recent release of freebsd (4.8 or later should do),
you can recompile your kernel with IPFW2, which supports filtering by mac
addresses; see the ipfw manpage for more information.
IPFW2 is the default in 5.x, so you wouldn't need to recompile if you're
run
supported in 5.x
> (preferably 4.9, too, but that is not that important)
Under 5.x, you have the option of using Atheros based cards, which support
54 and should support 108. See the ath manpage for more information
and/or ask around on -current for people's experiences with those
On Sat, 20 Dec 2003, Bruce M Simpson wrote:
> On Fri, Dec 19, 2003 at 01:07:46PM -0600, Mike Silbersack wrote:
> > On Fri, 19 Dec 2003, freebsd_daemon wrote:
> > > Are there any suggestions for
> > > 1) a USB WLAN device which is supported by 4.9 and 5.x
>
at one could specify the ranges or lists for everything
> in one place?
The high range is really a "feature" added for ftpd's sake, if you take a
look back through the cvs history. There's no problem with the normal and
high ranges overlapping; -current uses
ng is another question entirely. I looked into ephemeral
port allocation a few months ago, and it's an absolute nightmare to
determine what combination of socket / bind / connect calls are necessary
to get the best possible behavior. Hence why I gave up and enhanced
time
ly, I'm not familiar with ipfw's internals at all, I do not
know how easy it would be to query it for allow / deny with just a few
bits of ip information.
Mike "Silby" Silbersack
On Tue, 23 Dec 2003, Brett Glass wrote:
> At 02:29 AM 12/23/2003, Mike Silbersack wrote:
>
> >I think that it might be best to keep choosing ports inside of libalias.
> >Adding yet another port range would just complicate the kernel more
> >without much benefit.
>
ago.
Is the new NIC sharing an irq with some other device?
Also, when you say that it hangs, is it hanging or crashing? If it's
actually hanging, then it may be useful to add DDB to your kernel and hit
ctrl-alt-esc to see if you can successfully break into the kernel
debugger during one of t
;more.naks = fp->more.rejs = lcp->cfg.fsm.maxreq * 3;
fixes it for me. Does it actually work with anyone's implementation ?
If not, perhaps it would be best to just disable it until someone
fixes it.
---Mike
On Sun, 18 Jan 2004 01:10:57 +0100, in sentex.lists.fre
ow throughput; we'd need tcpdumps from both ends
to really determine if there's some suboptimal tcp interaction between w2k
and freebsd. (From a single side of the connection, we can't even be sure
if retransmissions are getting through, etc.)
Mike "Silby" Silbers
h 64K tcp
> buffers? Or is any dependency for mbufclusters value? (e.g. RAM size,
> kern.maxusers value or etc)
>
> p.s. RAM is 2G, Xeon 2.0G x 1 or 2 machines.
You probably need to bump up KVA_PAGES to fit in all the extra mbuf
clusters you're allocating.
Mike "Silby" Sil
eout (60 seconds).
...
This commit works around the W2K bug.
---
Of course, that doesn't account for other non-zero strange values. I
guess the timestamp code needs a lot of work. :(
Mike "Silby" Silbersack
ks for me.
Otherwise pppoe is pretty broken in that there is no link state
detection.
---Mike
w much better than apache-1.3.x in
> static file service?
thttpd using sendfile will certainly run circles around apache2, apache2
is still pre-fork. Under 4.x, you're going to have to tune the sfbufs by
trial and error, but doing so will be worth it.
Mike "Silby" Silbersack
eness :)
>
> Richard
I think that just ensuring proper capping of the timeout is good enough,
the other timestamp issue I was referring to is how it (incorrectly)
scales with hz. I think I'll take a look at both of these problems once I
catch up
eady coded it and it works nicely.
>
> --
> Andre
Doh! Well, I guess we'll just have to go with your implementation then.
:)
Mike "Silby" Silbersack
I asked google, it mostly
pointed me at comments in if_bge.c talking about jumbo frames :|
Thanks,
Mike
On Jan 22, "Brooks Davis" wrote:
> On Thu, Jan 22, 2004 at 05:12:06PM -0800, Mike Hunter wrote:
> >
> > I'm going to be trying to get gigabit throughput between my laptop (Dell
> > Latitude D800 running 5.2-release) and a shuttle box running FreeBSD 5.1
&
ackets for the purpose of
debugging this issue, I'd be happy to do so.
(Note that I have WEP and SSID hiding both enabled on the MR814v2; have
other people found SSID hiding to cause problems with FreeBSD clients?)
Thanks,
Mike "Silby" Silbersack
On Wed, 21 Jan 2004, Kenneth W Cochran wrote:
> Hello:
>
> Is there anything for FreeBSD that's analogous to Linux's
> "mii-diag" program? I'm (still) trying to troubleshoot
> a card's (mis)communication with a router.
Not at this time, alt
et.inet.icmp.icmplim="0"
Yet when I boot
% sysctl -a | grep icmpl
net.inet.icmp.icmplim: 200
net.inet.icmp.icmplim_output: 1
Doh! Would I need to recompile my kernel for some reason, or is
/boot/loader.conf not the right place. Is this something I really
shou
On Fri, 30 Jan 2004, Mike Hunter wrote:
> I'm interested in turning off the icmp response limit. In
> /boot/loader.conf I have the following:
/etc/sysctl.conf is what you are looking for. loader.conf is (mostly) for
tunable values which cannot be changed at runtime.
Mike "S
ss I'm looking for any other commands to see what the problem
might be. I'm getting ready to reverse the positions of the two computers
and run the tests again...hopefully the slow side will be the opposite and
I can write this off to a crappy laptop network adapter.
Also, `slurm` and
Yes, we have real fiber test gear, this is more of an experiment.)
Thanks,
Mike
On Jan 30, "Eli Dart" wrote:
> In reply to Mike Hunter <[EMAIL PROTECTED]> :
> > I switched the two pieces of hardware, and the photons still prefer going
> > uphill, so maybe there's a problem with the fiber after all. I'd still
> > appreciate any
And you might need to restart syslogd with a different start up param
so that it does not ignore messages from outside sources.
---Mike
On Tue, 3 Feb 2004 15:54:30 +, in sentex.lists.freebsd.net you
wrote:
>On Tue, Feb 03, 2004 at 03:38:19PM -, Edward Butler wrote:
>
ll. I'd still
> appreciate any hints on what to ask freebsd to help me figure it out.
> (Yes, we have real fiber test gear, this is more of an experiment.)
Looks like it was a fiber problem. Go freebsd!
Mike
Brett Glass
Apparently OpenBSD has support for the USB Prism devices now, but it has
not been ported over here yet. I'm not aware of anyone working on doing
so either at this point in time.
Mike "Silby" Silbersack
ot likely to
break much of anything in practice. TCP sequence numbers should be ok,
but there may be overflow if you go to something > 10000... I should check
one of these days.
Mike "Silby" Silbersack
tches, looking at and committing them is on my to-do
list. I don't have any immediate plans to work on it, although I will
make sure to get it in before 5.3.
Mike "Silby" Silbersack
until the weekend arrives as well. I'll be happy to
work with you on putting some resource limits into place.
I don't think we need to rush too much, this is rather bad as far as DoSes
go, in that it requires you to make a TCP connection first. As long as we
have it patched within a
sum for corrupting
packets seems to spell the end for 3Com 905 checksumming. I'll turn it
off in a few days.
Thanks for the good detective work.
Mike "Silby" Silbersack
On Sun, 22 Feb 2004, David Burns wrote:
> Probably should have someone with more understanding of kernel drivers
> check whether it has any application outside my home office... :-)
>
> David
If you have a patch, I'd be glad to merge it into the driver (if it works
well,
nce this was
discovered, the value was reduced to 56K. I think that IPFilter was
updated and the value was changed back, but I don't recall exactly.
Mike "Silby" Silbersack
- or I just missed it.
>
> It's been fixed, look for log messages about using uma for reassembly
> queues.
>
> DES
> --
> Dag-Erling Smørgrav - [EMAIL PROTECTED]
But not MFC'd to 4.x or the security branches yet, that is being w
[ Off ]
TX encryption key: [ 1 ]
Encryption keys:[ ][ ][ ][ ]
---
Mike Wade ([EMAIL PROTECTED])
Blue Highway Labs, LLC.
On Thu, 26 Feb 2004, Mike Wade wrote:
> Greetings,
>
> I'm experiencing a rather perplexing problem with 2 wireless nodes running
> FreeBSD 4.9-STABLE utilizing the wi(4) driver in IBSS mode. Periodically
> I'm unable to receive packets (transmitting packets is fine)
On Tue, 2 Mar 2004, Brad Knowles wrote:
> > What's the difference (*currently*) between FreeBSD+Zebra and Cisco routers?
> Support for VRRP? Support for various other routing protocols
> not covered by zebra/quagga -- at least not yet, if ever? Support
> for line cards and other devices that d
On Sat, 28 Feb 2004, Mike Wade wrote:
> On Thu, 26 Feb 2004, Mike Wade wrote:
>
> > Greetings,
> >
> > I'm experiencing a rather perplexing problem with 2 wireless nodes running
> > FreeBSD 4.9-STABLE utilizing the wi(4) driver in IBSS mode. Periodicall
the modest investment to setup
> something like that and keep it maintained. That way it's a bit more
> official than some random person running around and trying to put
> together the required coin.
>
> Just a thought
Personally I think this would be very beneficial. On many
. The transmit side of SACK is implemented.
From what I recall about SACK, the implementation of part 1 would be
straightforward to verify and therefore easy to integrate. The send side
would, of course, require more attention, and it would be more likely to
get it if it could be reviewe
, it's all the new congestion control
schemes (FACK, Rate Halving, etc) that come shipped with most SACK
implementations that do the work and contain most of the complexity.
Mike "Silby" Silbersack
On Tue, 9 Mar 2004, Dag-Erling Smørgrav wrote:
> Just for giggles, what kind of money are we talking here? I might be
> able to liberate funds for work that improves network performance in
> the high end.
That'd be cool, and I wish I could as well. With the non-profit status of
the
Hello,
It seems that the byte counters (derived from netstat -nbi) reset at
around 4 GB. Is there no way around this? It would be nice to be able to
see an accurate display of totals. It just seems pointless to even have
this, as 4 GB is just not that much anymore. I know this is a 32bit
limitatio
Brooks Davis said:
>
> Please read the archives of freebsd-net. This has been discussed
> many times. There are valid reasons for this, particularly the fact
> that 64-bit counters are much more expensive to update on 32-bit
> architectures. API breakage is also a problem. We're aware that 2^32
Max Laier said:
> There is now: pf comes with 64bit statistic counters. For now you can put
> them on one interface only, but in future version there will be more
> flexible statistics. Additionally there are many accounting programs out
> there which utilize various existing (32bit) counters or t
Max Laier said:
> Sure, you measure it ;) ... no, of course it is more expensive to update a
> 64bit counter on a 32bit arch, but the key (once again) is decision:
> While
> (almost) all of the pf counters are 64bit types you can configure it not
> to
> use the loginterface or whatsoever more. So
didn't work out that way.
>
> --
> Tomi
What you want is a stateful firewall, aka dynamic firewall rules.
Just use
ipfw add allow ip from yourip to any keep-state
And ipfw will do what you want.
This is described in the ipfw manpage, although it's perhaps not explained
as we
due to a
shortage in sfbufs. Maybe you should set up your testbed that creates
this load, then set up one additional test computer. Have that computer
tcpdump all of its traffic, hope that one of the dropped connections
happens to it, and see if you can find it in the dump.
Mike "Silby"
t;Rose Attack", it shouldn't
affect 4.8+ FreeBSD machines much at all. I'm actually puzzled that his
attack does anything at all, you can eat up a lot more memory using
fragrouter and some creative ipfw rules. :)
Mike "Silby" Silbersack
an entire mbuf cluster. However, under a high
bandwidth attack, this improvement would still not really help legitimate
hosts get through, so I haven't spent time implementing it.
Yeah, limits as you suggest are probably the only good way, IP
fragmentation was implemented in a way that just encoura